You are on page 1of 111

BCMSN

Building Cisco Multilayer Switched Networks

Cisco CCNP

© Train Signal, Inc., 2002-2007

Welcome To Your BCMSN Video Boot Camp!
Topics: • LAN Switching Basics • Virtual LANs (VLANs) • VLAN Trunking Protocol (VTP) • Spanning Tree Protocol (STP) • Advanced Spanning Tree Protocol Features • Etherchannels • Securing Switches • Multilayer Switching • IP Telephony & Cisco IP Phones • Wireless Networking • Network Design and Models • Queueing (Bonus Video)
© Train Signal, Inc., 2002-2007

Your Instructor:
• • • • Chris Bryant, CCIE #12933 Earned my CCIE on February 26, 2004 Founded The Bryant Advantage in June of that year My Video Boot Camps and other study materials place an emphasis on clearly explained theory and plenty of work on REAL CISCO routers and switches • Real Education + Real Equipment = Real CCNAs and CCNPs • A+, Network+, Security+, and Microsoft Vista Certification tutorials and study tools • Visit the website: www.thebryantadvantage.com
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

1

Exam Prep Tips: • Take your time and master the material. • Get some hands-on work with the BCMSN-level protocols. • Do not practice debugs on a production network at any time. • Get plenty of rest the day before exam. By that time, the die is cast. • Don't cram for the exam. Prepare.
© Train Signal, Inc., 2002-2007

LAN Switching Basics

• • • •

Ethernet, Fast Ethernet, Gig Ethernet Quick cabling overview Basic Switch Operation Filenames and autorecovery

© Train Signal, Inc., 2002-2007

Ethernet
• Good old "basic" Ethernet is based on IEEE 802.3, and offers a bandwidth of 10 MB to end users. The more users there are on an Ethernet segment, the higher the chance of collisions, which render signals sent by the hosts to an unusable state. When the hosts are connected to their own individual switch ports, they will each get a dedicated 10 MB and the chance of collisions is eliminated. Each port on a switch is its own collision domain. • Ethernet uses UTP cabling (Unshielded Twisted Pair), and this cable type has a length limit of 100 meters. Referring to the Cisco three-layer networking model, Ethernet is generally going to be found at the access layer, connecting end users to the network.
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

2

Fast Ethernet – Part 1
• Fast Ethernet is defined in IEEE 802.3u, and operates at 100 MB. FE can use UTP or fiber-optic wiring. When full-duplex FE is in operation, the effective bandwidth is 200 MBPS, since FE ports can send and receive at the same time. • You'll see "10/100" ports on many switches. This means that the port will work with an Ethernet or Fast Ethernet connection, and the port speed can be negotiated between the switch and the connected device. To allow this negotiation, both end devices should be set for "auto", short for autonegotiation. And as you know, if you're connecting a server, router, or workstation to a switch, you'll need a straight-through cable.
© Train Signal, Inc., 2002-2007

Fast Ethernet – Part 2
• Fast Ethernet ports can also be used to create a Fast EtherChannel. An Etherchannel, or EC, is a logical bundling of physical connections between switches. A Fast EC can bundle up to eight physical connections, resulting in throughput of up to 1600 MBPS! • As with Ethernet, Fast Ethernet connections can connect end users to the access-layer switches. FE ports can also be used to form a trunk between the access and distributionlayer switches, but hopefully we've got some Gigabit Ethernet ports to handle that.

© Train Signal, Inc., 2002-2007

Gigabit Ethernet
• The next logical step is Gigabit Ethernet, often referred to as "Gig Ethernet". Gig Ethernet will support speeds up to 1000 MBPS, or 1 Gigabit Per Second (GBPS). • The cabling you use with your Gig Ethernet ports is going to vary widely. The necessary cable is determined by the Gigabit Ethernet standard in use on your particular switch. Some of the more common cable types to use with Gigabit Ethernet are Shielded Twisted-Pair (STP), Multimode Fiber (MMF) cable with either a 50- or 62.5 micron core, and Single-Mode Fiber (SMF) with an 8-, 9-, or 50-micron core. • Make sure to check your switch's documentation before you start buying cables!
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

3

com 4 . you'll need a straight-through cable.10 Gigabit Ethernet • Often referred to in documentation as 10GbE. If the router has an AUI port. The transceiver connects to the router and the cable connects to the transceiver. Inc. Many laptops no longer have a DB9 port.. Inc. you'll also need a transceiver for the router. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . Inc.Trial :: http://www. Check your PC in advance to make sure you don't need an adapter for the rollover cable. (That's the only way all that speed can be used!) © Train Signal.. • To connect a router. The available speed is dependent on the cable length . 2002-2007 Long Range Ethernet • No. © Train Signal. LRE isn't faster than 10 Gig Ethernet! LRE can use preexisting wiring to provide Ethernet service to a building that might not otherwise have it. you'll need a crossover cable. 10Gig Ethernet will only work on fiber-optic and in full-duplex mode. The preexisting wiring is usually going to be the phone wires. • To connect two switches. you must have a rollover cable.docudesk. the less bandwidth that's available.the longer the wire. 2002-2007 A Quick Cable Review • To connect your PC to the console port of a switch. or server to a switch. PC..

Inc.Trial :: http://www. its MAC address table is empty. While a MAC table can be populated with static MAC entries.What's A "Geebic"? • A GBIC. Inc. the frame will be sent out only the port leading to the host with the proper destination MAC.. it's more efficient to have the switch learn the addresses dynamically. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal.docudesk. In this case. These modules are hot-swappable for easier migration to a new media type. If not. 2002-2007 MAC Table • A switch uses Layer 2 addresses. When a switch is first powered on. This frame will be flooded it will be sent out every switch port except the one it came in on. more commonly referred to as MAC addresses. to forward or filter frames as needed.. Inc. is a module that fits into a Gig Ethernet port. – The destination MAC is a unicast and there is an entry for the address in the MAC table. pronounced "geebic". • When a switch examines the source MAC of a frame. the switch adds that address to its MAC table along with the port used to reach that address.com 5 .. There are four possibilities for that destination MAC: – The destination MAC is a unicast and there is no entry for the address in the MAC table. 2002-2007 Destination MAC – Part 1 • The switch will then check its MAC table for the destination MAC. © Train Signal. The switch does this by examining the source MAC address before deciding how to get the frame to the destination MAC address. the switch checks its MAC table to see if there's an entry for that address.

Inc.. ever wonder what a Cisco filename means? Look at the IOS image filename on the switch we've been using in this section: • c2950-i6q4l2-mz. in which case the frame will be sent out every port except the one it was received upon. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Cisco Filename – Part 1 • Speaking of which.. 2002-2007 Content Addressable Memory Table • The official terminology for the MAC table is the CAM table.Destination MAC – Part 2 – The destination MAC is a unicast. This frame will be filtered . Inc. Depending on who you talk to..EA1.bin • Believe it or not. © Train Signal..Trial :: http://www. © Train Signal. and there is an entry for the address in the MAC table. © Train Signal.121-19. – The destination MAC is a broadcast or multicast. Inc. you'll hear this table called… – the MAC address table – the CAM table – the bridging table • .. AND the source and destination address are found off the same port. but they're all the same thing. that mix of numbers and letters actually means something. or Content Addressable Memory table.docudesk. remember that you can use this method to do so with any IOS filename.it will not be forwarded at all by the switch. There is a standard for IOS filenames. since we're working on a Catalyst 2950 switch.com 6 .This one's easy. • c2950 . so as we decipher this filename.

the z indicates a zip-compressed image.The m indicates that the image is running in RAM. A indicates the interim build level. 2002-2007 Virtual LANs (VLANs) • • • • • • • • • • • Why use VLANs Static and Dynamic VLANs Trunking ISL and Dot1q Troubleshooting Trunks The Native VLAN Dynamic Trunking Protocolynamic Trunking Protocol Trunking Modes VLAN Database Mode Design Guidelines End-to-end and Local VLANs © Train Signal. • mz . • 121-19. and finally the .com 7 . The 1 indicates the first build of that level..1. under certain circumstances such as a violation of port security. The 19 is the maintenance release.bin indicates that the image file is a binary executable. Before doing so.The 121 indicates the major IOS release version.docudesk.This part describes the switch's feature set. 12. you must define the causes from which the port can recover automatically. a port in errdisabled state has to be manually reopened. referred to on the switch as err-disabled.Trial :: http://www..Cisco Filename – Part 2 • i6q4l2 . © Train Signal. 2002-2007 Autorecovery From An Err-Disabled State • A switch port will be placed into error-disabled state.EA1 . Inc. a green LED indicates an active port. The i at the beginning of this feature set description indicates a switch running an IP feature set. in this case the first one ("A"). We'll use the "all" option here to allow the port to autorecover from any err-disabled state. Inc. By default. The E indicates an Early Deployment of features. Inc. (The port LED will go out as well. and this can be configured with the errdisable recovery interval command.. 2002-2007 PDF Created with deskPDF PDF Writer . though. as you'd suspect.) • You may have a situation where you want the port to reenable itself after a certain period of time. © Train Signal.

Reasons for VLANs – Part 1 • The most common reason for creating VLANs is to prevent the excess traffic caused by a switch's default behavior when it receives a broadcast.. Unless you then make them known to the rest of the network via router-on-a-stick or a Layer 3 switch. When a switch receives a broadcast packet from a host in one particular VLAN. just put these hosts into their own VLAN. © Train Signal. Inc. If you have a network segment with hosts whose very existence should not be known by the rest of the network.com 8 . that switch will forward that broadcast only via ports that are in the same VLAN. Inc.docudesk. 2002-2007 Reasons for VLANs – Part 2 • We can use Virtual LANs (VLANs) to restrict broadcasts by creating logical groups of hosts. One of the first switching concepts you learned was that a switch that receives a broadcast will forward it out every other port on the switch except the one that it was originally received on. © Train Signal. because these are virtual local area networks.. you create multiple broadcast domains while also lowering the number of multicasts sent throughout the network. Inc. • By creating VLANs. these hosts will not be known or reachable by hosts in other VLANs. 2002-2007 PDF Created with deskPDF PDF Writer . • Cisco's best practice is to have one VLAN per IP subnet. The physical location of the hosts does not matter. 2002-2007 Reasons for VLANs – Part 3 • There's one more reason that may lead you to create VLANs. and this is a best practice that works very well in the real world..Trial :: http://www. © Train Signal.

check the MAC table on the switch and make sure the hosts in question have an entry in the table to begin with.. because the port's VLAN membership is decided by the source MAC address of the device connected to that port. you have to change the configuration of the switch to reflect these changes. Second. Inc.) © Train Signal. Inc.Static VLAN • It's easy to put a port into a static VLAN. Inc. The configuration of dynamic VLANs is far out of the scope of the BCMSN exam.docudesk. 2002-2007 PDF Created with deskPDF PDF Writer . but there are two commands needed to do so.. and we want to put this port into a single VLAN only.Trial :: http://www. 2002-2007 VLAN Membership Policy Server – Part 1 • If we have "static VLANs". meaning that the port is actively attempting to form a trunk with a remote switch. The problem is that a trunk port belongs to all VLANs by default. these ports are running in dynamic desirable trunking mode. Using VMPS results in these changes being performed dynamically. but as a CCNP you need to know the basics of VMPS . 2002-2007 Speed and Duplex Settings • What if Hosts 1 and 2 still couldn't ping each other. it follows that there is such a thing as a "dynamic VLAN".com 9 . First. © Train Signal. (Yet another reason that the first value a switch looks at on an incoming frame is the source MAC address. © Train Signal.. even though they're obviously in the same subnet and the same VLAN? There are two places you should look that might not occur to you right away.a VLAN Membership Policy Server. check speed and duplex settings on the switch ports. • When you move a user from one port to another using static VLANs. By default.

that feature must be turned off before configuring a port as dynamic.. • What if we had to move Host 1's connection to the switch to port 0/6? With static VLANs. and the VMPS would dynamically place that port into VLAN 12. With VMPS. A database on the TFTP server that maps source MAC addresses to VLANs is downloaded to the VMPS server. Inc.docudesk. the only thing we'd have to do is reconnect the cable to port 0/6.com 10 . © Train Signal.the MAC address of the host connected to the port is the deciding factor regarding VLAN membership. but keep in mind that PortFast will run on a dynamic VLAN port by default. © Train Signal.. Inc. • VMPS uses UDP to listen to client requests. © Train Signal. the port number isn't important . and that downloading occurs every time you power cycle the VMPS server. 2002-2007 Some things to watch out for when configuring VMPS: • The VMPS server has to be configured before configuring the ports as dynamic. PortFast is enabled by default when a port receives a dynamic VLAN assignment. Inc. • If a port is configured with port security. we'd have to connect to the switch. 2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www. PortFast is automatically enabled for that port! There's no problem with PortFast being turned off on that port if you feel it necessary. 2002-2007 VLAN Membership Policy Server – Part 3 • An interesting default of VMPS is that when a port receives a dynamic VLAN assignment. and then place the port into VLAN 12. since by definition trunking ports must belong to all VLANs.. configure the port as an access port.VLAN Membership Policy Server – Part 2 • VMPS uses a TFTP server to help in this dynamic port assignment scheme. • When dynamic VLANs are in use. • Again. • Trunking ports cannot be made dynamic ports. Trunking must be disabled to make a port a dynamic port.

the ports must agree on the speed.1q .com 11 . and the encapsulation type. That's one drawback.docudesk. • For a trunk to form successfully. so traffic for any and all VLANs can travel across this trunk.Trial :: http://www. ISL will place both a header and trailer onto the frame. • By default. the 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. so let's review those before we examine a third trunking protocol that you didn't learn during your CCNA studies.. © Train Signal. encapsulating it. • You know that the default VLAN is also known as the "native VLAN". regardless of the VLAN the traffic is destined for.Trunk – Part 1 • A trunk is a point-to-point connection between two physically connected switches that allows traffic to flow between the switches.. © Train Signal. that switch will examine this ID and then forward the frame appropriately. making it unsuitable for a multivendor environment.. • The 26-byte header that is added to the frame by ISL contains the VLAN ID. This increases the overhead on the trunk line. a trunk port is a member of all VLANs. When the frame arrives at the remote switch. and another drawback to ISL is that ISL does not use the concept of the native VLAN. the duplex setting. but there are others. 2002-2007 Trunk – Part 2 • You may have had a CCNA flashback when I mentioned "dot1q"! There were quite a few differences between the trunking protocols ISL and dot1q. reflecting the number of the VLAN whose member ports should receive this frame. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 ISL – Part 1 • ISL is Cisco-proprietary. Inc. Many Cisco switches offer the choice of ISL and IEEE 802. Inc. That includes broadcast traffic! • How does the receiving switch know what VLAN the frame belongs to? The frames are tagged by the transmitting switch with a VLAN ID. © Train Signal.and I can practically guarantee your BCMSN exam just might discuss these encap types! Let's take a detailed look at each right now. This means that every single frame transmitted across the trunk will be encapsulated. Inc. The CRC is a frame validity scheme that checks the frame's integrity.

resulting in less overhead than ISL and resulting in a maximum frame size of 1522 bytes. A 4-byte header is added to the frame. ISL encapsulation adds 30 bytes total to the size of the frame. potentially making them too large for the switch to handle. When the remote port receives an untagged frame. the switch knows that these untagged frames are destined for the native VLAN. • Since the dot1q header is only 4 bytes in size. using dot1q lessens the chance of oversized frames..docudesk. dot1q does not encapsulate frames. Inc. and isn't even placed on every frame. Inc. 2002-2007 Dot1q – Part 2 • Other dot1q facts you should be familiar with: – Dot1q actually embeds the tagging information into the frame itself.) • For that reason. Inc. © Train Signal. – Dot1q does not change the destination MAC address in any way. even that small header isn't added. 2002-2007 PDF Created with deskPDF PDF Writer .com 12 . Frames larger than that are called giants. You'll occasionally hear this referred to as internal tagging. this encapsulation leads to another potential issue. if one trunking switch is using ISL and its remote partner is not.. © Train Signal. © Train Signal. the remote partner will consider the ISLencapsulated frames as giants. If the frame is destined for hosts residing in the native VLAN.. 2002-2007 Dot1q – Part 1 • In contrast. (The maximum size for an Ethernet frame is 1518 bytes. – Dot1q is the "open standard" or "industry standard" trunking protocol and is suitable for a multivendor environment.ISL – Part 2 • In turn.Trial :: http://www.

the maximum frame length can be extended to 1522 bytes. 2002-2007 Gotchas – Part 2 – Dot1q does add 4 bytes to the frame. 2002-2007 PDF Created with deskPDF PDF Writer . (The opposite of a giant is a runt.3ac. – If you're working on a multilayer switch (also called a "Layer 3 switch"). • Also notice that there's a 4-byte addition in both ISL and dot1q . since by definition a trunk only has two endpoints. While giants are too large to be successfully transmitted. the port speed and port duplex setting should be the same on the two trunking ports. Inc.) – Both switches must be in the same VTP domain . make sure the port you want to trunk is a Layer 2 port by configuring the interface-level command switchport on it. – Changing the native VLAN on one switch does not dynamically change the native VLAN on a remote trunking partner. and I've bumped into quite a few "gotchas" that you might not think to look at in a production network. – Giants are frames that are larger than 1518 bytes. ISL switches don't care about the native VLAN setting. © Train Signal. and these can occur on ISL since they add 30 bytes to the frame. because they don't use the native VLAN to begin with. © Train Signal.com 13 . runts are frames less than 64 bytes in size.make sure to have them straight: • ISL: 4-byte trailer (with CRC value) • dot1q: 4-byte header inserted into the frame © Train Signal. 2002-2007 Gotchas – Part 1 • I've created a lot of trunks over the years.docudesk.. or 1000 MBPS interface as a trunk. Check the documentation for your switch to see if this is the case for your model.just like ISDN. – You can configure a 10.Point-to-point Protocols • Believe it or not. Inc. they're case-sensitive..watch those domain names. ISL and dot1q actually have something in common! They're both considered point-to-point protocols.. but thanks to IEEE 802. and that's it .Trial :: http://www. Inc. 100. Some Catalyst switches have Cisco-proprietary hardware that allows them to handle the larger frames. – For trunks to work properly.

com 14 . We'll change the native vlan setting on fast 0/11 on one side of an existing trunk and see what happens. regardless of whether it once was a trunk port.docudesk. but you should be prepared for an error message very quickly after configuring it on one side of the trunk. 2002-2007 PDF Created with deskPDF PDF Writer . • By the way. If the negotiating ports support both protocols. the native VLAN is VLAN 1. Inc.. • Changing the native VLAN on one switch in a trunk does not automatically change it for the other switch! © Train Signal.Native VLAN • By default.1q trunking encapsulation when trunking isl Interface uses only ISL trunking encapsulation when trunking negotiate Device will negotiate trunking encapsulation with peer on interface © Train Signal. and there aren't any.Trial :: http://www. negotiate.. The native VLAN is the VLAN the port will belong to when it is not trunking. 2002-2007 switchport trunk encapsulation command – Part 1 • To manually configure a trunk port to run ISL or dot1q. Inc. if you use IOS Help to display your switch's encapsulation choices. ISL will be selected. use the switchport trunk encapsulation command. that's a pretty good sign that your switch supports only dot1q! SW1(config)#interface fast 0/11 SW1(config-if)#switchport trunk encapsulation ? % Unrecognized command © Train Signal. Rack1SW1(config-if)#switchport trunk encapsulation ? dot1q Interface uses only 802. • The native vlan can be changed with the switchport trunk native vlan command.. Inc. The trunk ports will then negotiate between ISL and dot1q. and naturally it must be a protocol that both ports support. 2002-2007 switchport trunk encapsulation command – Part 2 • Notice that there's a third option.

if there's a device on the other end of the line that can't trunk at all . it's standard procedure to place the remote port in trunk mode. because there's no use in sending negotiation frames every 30 seconds if no negotiation is necessary! • Dynamic desirable is the default setting for most Cisco switch ports today. Since this port cannot negotiate. • If you connect two 2950s with a crossover cable. but will accept negotiation begun by the remote switch. there's no need for the port to send DTP frames. Inc. • If you decide to configure a port as a non-negotiable trunk port. The Ciscoproprietary Dynamic Trunking Protocol actively attempts to negotiate a trunk line with the remote switch. 2002-2007 Trunk mode • Trunk mode means just that . a trunk line will form. but as you see below. a trunk will form. you cannot turn DTP off until the port is no longer in dynamic desirable trunking mode.DTP frames are transmitted every 30 seconds.. and the trunk would come up. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . As long as the remote trunk port is configured as dynamic desirable or trunk. A port configured as dynamic auto (often called simply "auto") will not actively negotiate a trunk.com 15 . This sounds great.this port is in unconditional trunk mode and cannot be an access port. One port could be in dynamic desirable and the other in trunk mode.a firewall. Inc.there's no need to send DTP frames. • Is there a chance that two ports that are both in one of these three modes will not successfully form a trunk? Yes .if they're both in dynamic auto mode. 2002-2007 Dynamic auto mode • Dynamic auto is the "oddball" trunking mode.docudesk. © Train Signal. • It's important to note that this setting does not have to match between two potential trunk ports.. Also. • DTP can be turned off at the interface level with the switchport nonegotiate command. but there's a third trunking protocol involved as well. Turning off DTP when you place a port in trunk mode is a great idea. for example . Inc. dynamic desirable. This is because a port in dynamic desirable mode is sending and responding to DTP frames..Trial :: http://www. If the local switch port is running dynamic desirable and the remote switch port is running in trunk. a trunk will form in less than 10 seconds with no additional configuration needed. © Train Signal. but there is a cost in overhead . or dynamic auto.Dynamic Trunking Protocol • You learned about ISL and dot1q in your CCNA studies.

What works well for "Network A" may be inefficient for "Network B". because like snowflakes. and that's using VLAN database mode. • In my BSCI Study Guide's discussion of Cisco's Three-Layer Hierarchical Networking Model. © Train Signal. because it's very easy to save your changes incorrectly .Trial :: http://www... Inc. There is a second way to do so.switch! © Train Signal. though. You need to know about the following VLAN design types for both the exam and the real world. 2002-2007 Snowflakes – Part 1 • Learning to design anything from a class or study guide can be frustrating. so let's take a look at this mode. 2002-2007 VLAN database mode • You'll notice that all of the configurations in this study guide use the CLI commands to configure VLANs. no two networks are alike. You enter this mode by typing vlan database at the command prompt. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal.Naming VLANs • You can give your VLAN a more intuitive name with the name command. I mention that it's important to let the Distribution layer handle the "little things" in order to allow the core switches to do what they do best .docudesk.. • I personally don't like using this mode. but as always you've got to be able to apply your knowledge to your network's needs. Inc.which of course means that your changes aren't saved! It's always a good idea to know how to do something more than one way in Ciscoland.com 16 . Inc.

I can tell you that this VLAN type is a real pain in the butt to configure. end-to-end and local.. Inc. © Train Signal. and that VLAN will remain the same no matter where the user is. If we don't control broadcast and multicast traffic. but you didn't even want your other hosts to know of the existence of that resource. The physical location of the user does not matter. particularly if we allow it to flow through the core switches. Inc. © Train Signal.. we're looking at much the same scenario. Your VLAN scheme should keep as many broadcasts and multicasts away from the core switches as is possible.docudesk. 2002-2007 End-to-End and Local VLANs – Part 1 • With end-to-end VLANs. • End-to-end VLANs can come in handy as a security tool and/or when the hosts have similar resource requirements for example. Inc. the name is the recipe as end-to-end VLANs will span the entire network. 2002-2007 End-to-End and Local VLANs – Part 2 • End-to-end VLANs should be designed with the 80/20 rule in mind. if you had certain hosts across the network that needed access to a particular network resource. :) © Train Signal. where 80 percent of the local traffic stays within the local area and the other 20 percent will traverse the network core en route to a remote destination. 2002-2007 PDF Created with deskPDF PDF Writer .com 17 . • • There are two major VLAN designs. Watch the details here. as one is following the 80/20 rule and the other is following the 20/80 rule.Trial :: http://www. as a user is assigned to a single VLAN. it can soon affect our network negatively. However.Snowflakes – Part 2 • With VLAN design. • End-to-end VLANs must be accessible on every access-layer switch to accommodate mobile users..

while the other 80 percent will traverse the network core. the end user must go across a WAN to reach the server farm. • More and more networks are using centralized data depositories..docudesk. Inc. While physical location is unimportant in end-to-end VLANs. such as server farms .Local VLANs • Local VLANs are designed with the 20/80 rule in mind. Inc. VTP also allows network administrators to restrict the switches upon which VLANs can be created. © Train Signal. © Train Signal... deleted. users are grouped by location in Local VLANs.and even in the simplified network diagram above.com 18 . Inc.DAT File VTP Secure Mode © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 VTP • VLAN Trunking Protocol (VTP) allows each switch in a network to have an overall view of the active VLANs. another reason that 80/20 traffic patterns aren't seen as often as they were in the past.Trial :: http://www. Local VLANs assume that 20 percent of traffic is local in scope. or modified. 2002-2007 VLAN Trunking Protocol (VTP) • • • • • • • • Why use VTP? Configuring VTP VTP Modes VTP Advertisement Process Synchronization & Advertisement Details VTP Features & Versions The VLAN.

they don't even advertise their own VLAN information! Therefore. or VLAN creation will not be possible.com 19 . Inc.. • VTP Version 2: The Transparent switch will forward VTP advertisements via its trunk port(s) even if the domain name does not match. • VTP Transparent mode actually means that the switch isn't participating in VTP. and the main difference between the two versions affects how a VTP Transparent switch handles an incoming VTP advertisement. Before working with VTP in a home lab or production network. • VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch is the same as that of downstream switches. V1 and V2. (The official term for a VTP domain is "management domain". the major feature of VTP is the transmission of VTP advertisements that notify neighboring switches in the same domain of any VLANs in existence on the switch sending the advertisements. © Train Signal.) Transparent VTP switches don't synchronize their VTP databases with other VTP speakers. any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain.. making them locally significant only. and delete VLANs. but we'll just call them domains in this section. Inc. Cisco switches are not in a VTP domain. © Train Signal. This means that a VTP deployment has to have at least one Server. 2002-2007 VTP Versions • There are two versions of VTP.Trial :: http://www.docudesk.. 2002-2007 Server mode • In Server mode. a VTP switch can be used to create. • The key phrase there is "in the same domain". Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes. This is the default setting for Cisco switches.) © Train Signal. modify.Major Feature of VTP • Luckily. The only place you'll probably see that full phrase is on the exam. run show vtp status. By default. Inc. modify. 2002-2007 PDF Created with deskPDF PDF Writer . (Bear with me here. • Switches running in Client mode cannot be used to create. or delete VLANs.

Inc. 2002-2007 The VTP Advertisement Process • VTP Advertisements are multicasts. © Train Signal. but I will share a simple method that's always worked for me . If multiple admins will have access to the switch. Which Should Be Clients? – You have to decide this for yourself in your production network. Inc. VTP advertisements are sent when there has been a change in a switch's VLAN database. so VTP advertisements are sent out trunk ports only.Switches • Which Switches Should Be Servers. The hosts in VLAN 10 in the following exhibit would not receive VTP advertisements. Inc. and this configuration revision number increments by one before it is sent. The only devices that need the VTP advertisements are other switches that are trunking with the local switch. © Train Signal.. you may consider making that switch a VTP Client in order to minimize the chance of unwanted or unauthorized changes being made to your VLAN scheme.docudesk.if you can absolutely secure a switch.Trial :: http://www. but they are not sent out every port on the switch. 2002-2007 Configuration revision – Part 1 • Along with the VTP domain name. VTP advertisements carry a configuration revision number that enables VTP switches to make sure they have the latest VLAN information.. 2002-2007 PDF Created with deskPDF PDF Writer ..com 20 . © Train Signal. make it a VTP server.

2002-2007 Revision number • I've seen this happen with switches that were brought it to swap out with a downed switch.. In this case.and that goes for Clients as well as Servers. Inc.Configuration revision – Part 2 • SW1 received a VTP advertisement from SW2. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal. If the answer is yes.Trial :: http://www. SW1 compares the revision number in the advertisement to its own revision number. © Train Signal..docudesk. • This indicates to SW11 that the information contained in this VTP advertisement is more recent than its own VLAN information. the advertisement would have been ignored. but the switches are all functional. When you introduce a new switch into a VTP domain. © Train Signal. Inc. the revision number on the incoming advertisement was 2 and R1's revision number was 1. • If SW1's revision number had been higher than that in the VTP advertisement from SW2.com 21 . 2002-2007 Potential issue • This brings up a potential issue that I've seen more than once in the real world. Inc. I can practically guarantee that the revision number is the issue. That revision number has to be reset to zero! If you ever see VLAN connectivity suddenly lost in your network.. Before accepting the changes reflected in the advertisement. you have to make sure that its revision number is zero . you should immediately check to see if a new switch was recently installed. so the advertisement is accepted.

deleted..here's what they are and what they do. 2002-2007 Subset Advertisements • Subset Advertisements are transmitted by VTP servers upon a VLAN configuration change. activated. including: – Whether the VLAN was created. Token Ring. Inc. © Train Signal.Cisco Theory • Cisco theory holds that there are two ways to reset a switch's revision number to zero: – Change the VTP domain name to a nonexistent domain. or upon a change in the VLAN database. Information included in the summary advertisement: – – – – – VTP domain name and version Configuration revision number MD5 hash code Timestamp Number of subset advertisements that will follow this ad © Train Signal.. • Summary Advertisements are transmitted by VTP servers every 5 minutes. or suspended – The new name of the VLAN – The new Maximum Transmission Unit (MTU) – VLAN Type (Ethernet. Keep in mind that Cisco switches only accept VTP advertisements from other switches in the same VTP domain.Trial :: http://www. then change it back to the original name. Inc. FDDI) © Train Signal. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .docudesk..com 22 . then change it back to Server. 2002-2007 VTP Advertisements • There are three major types of VTP advertisements . – Change the VTP mode to Transparent. Subset ads give specific information regarding the VLAN that's been changed.

. © Train Signal. regardless of whether the remote switch actually has ports in that VLAN or not! © Train Signal. but it's unnecessary. Why would a client request this information? Most likely because the VLAN database has been corrupted or deleted. which leads to an issue involving broadcasts and multicasts.Client Advertisement Requests • Client Advertisement Requests are just that ...a request for VLAN information from the client. Inc. but I wanted to show you that a switch has to be in Server mode to have pruning enabled. 2002-2007 VTP Pruning • Trunk ports belong to all VLANs. 2002-2007 PDF Created with deskPDF PDF Writer . It doesn't hurt anything to enter the command vtp pruning on all Servers in the domain.docudesk. The VTP Server will respond to this request with a series of Summary and Subset advertisements. A trunk port will forward broadcasts and multicasts for all VLANs it knows about. © Train Signal. 2002-2007 Enabling pruning • Enabling pruning on one VTP Server actually enables pruning for the entire domain.com 23 .Trial :: http://www. Inc. Inc.

and that is the default of some older Cisco switches. VTP v2 has several advantages over VTPv1. • Version 2 supports Token Ring VLANs and Token Ring switching. and that's the default on many newer models. reload them. The next version was Version 2.show vtp status • By now. You run a write erase on your routers. routing protocols. Inc. 2002-2007 Consistency check • When changes are made to VLANs or the VTP configuration at the command-line interface (CLI). Inc. static routes . 2002-2007 PDF Created with deskPDF PDF Writer .docudesk.Trial :: http://www.everything's gone... © Train Signal. This helps to prevent incorrect / inaccurate names from being propagated throughout the network. All IP addressing.com 24 . © Train Signal. So what's being checked? VLAN names and numbers. including the 2950. where Version 1 does not. and since NVRAM is now empty. you're prompted to go into setup mode. Version 2 will perform a consistency check. • A switch running VTPv2 and Transparent mode will forward VTP advertisements received from VTP Servers in that same domain. Inc. 2002-2007 write erase • Those of you with switches in your home labs have probably run into this situation.. you've probably noticed that the first field in the readout of show vtp status is the VTP version. © Train Signal. • As RIPv2 has advantages over RIPv1. The first version of VTP was VTP Version 1.

you place the entire VTP domain into Secure Mode..com 25 . :) • Some campus networks will have switches that can be easily secured . © Train Signal.the ones in your network control room.. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Spanning Tree Protocol (STP) • • • • • Switching Basics BPDUs & the Root Bridge Election Root Port Selection & Cost STP Port States & Timers Making a Nonroot Switch the Root – Why and How • TCN BPDUs • Load Sharing with the port-priority command • Extended System ID Failure © Train Signal. Inc. but it causes less confusion in the future for other network admins who don't understand Transparent mode as well as you do. or you've made it possible to create and delete VLANs on every switch in your network.. stick with Server and Client. Every switch in the domain must have a matching password. Not only does this ensure that the VTP databases in your network will be synchronized.VTP password • By setting a VTP password. Inc. for example . © Train Signal.Trial :: http://www. Your VTP Servers should be the switches that are accessible only by you and a trusted few.and others that may be more accessible to others. Inc. Don't leave every switch in your VTP domain at the default of Server. 2002-2007 VTP Configuration Tips • Unless you have a very good reason to put a switch into Transparent mode.docudesk.

• Known unicast frames are frames destined for a particular host. the non-root bridges will forward copies of that BPDU. Therefore. but for now it's enough to know that the name is the recipe . Inc.768 and a MAC address of 11-22-33-44-55-66. if a Cisco switch has the default priority value of 32.. • This BID is a combination of a default priority value and the switch's MAC address. more commonly referred to as a BID. but there is no MAC address table entry for that destination. only that root bridge will originate Configuration BPDUs. © Train Signal. © Train Signal. • BPDUs also carry out the election to decide which switch will be the Root Bridge. © Train Signal. and this destination host has an entry in the switch's MAC table. if the switch priority is left at the default on all switches.Unknown unicast frames • Unknown unicast frames are frames destined for a particular host.a switch sends a TCN when there is a change in the network topology. 2002-2007 PDF Created with deskPDF PDF Writer . The Root Bridge is the "boss" of the switching network .com 26 . 2002-2007 Configuration BPDUs • Configuration BPDUs are used for the actual STP calculations. Each switch will have a Bridge ID Priority value... with the priority value listed first. while multicast frames are destined for a specific group of hosts.Trial :: http://www. For example. Broadcast and multicast frames are also forwarded out every port except the one they came in on. Once a root bridge is elected. Inc. 2002-2007 The Role Of BPDUs • BPDUs are transmitted every two seconds to the wellknown multicast MAC address 01-80-c2-00-00-00. the MAC address is the deciding factor in the root bridge election. • Broadcast frames are destined for all hosts. Such a frame would be forwarded only out the appropriate port. (It might not have been well-known to you before.this is the switch that decides what the STP values and timers will be. Inc. but it is now!) We've actually got two different BPDU types: – Topology Change Notification (TCN) – Configuration • We'll talk about TCNs later in this section. the BID would be 32768:11-22-3344-55-66. Under no circumstances will a switch send a frame back out the same port it came in on. Unknown unicast frames are forwarded out every port except the one they came in on.docudesk.

© Train Signal. • The BPDU actually carries the Root Path Cost. A port's Path Cost is locally significant only and is unknown by downstream switches. and it wasn't selected at random.. SW3 doesn't have any idea what the Path Cost on SW2 is.Trial :: http://www. © Train Signal. Root Path Cost increments as BPDUs are received. Inc. and this Path Cost is used to arrive at the Root Path Cost.. that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. That new root path cost value will be reflected in the BDPU that switch then sends out.docudesk. the Root Path Cost. Inc. In the previous example. 2002-2007 The root bridge • The root bridge will transmit a BPDU with the Root Path Cost set to zero. 2002-2007 PDF Created with deskPDF PDF Writer . not sent. © Train Signal. No switch downstream of SW3 will know of any Path Costs on SW2 or SW3 the downstream switches will only see the cumulative cost. and doesn't particularly care.com 27 . Inc. When a neighboring switch receives this BDPU. 2002-2007 The Path Cost • The Path Cost is locally significant only. Each switch port has an assigned Path Cost. and this cost increments as the BPDU is forwarded throughout the network.Root port • The port that SW2 is using to reach the root bridge is called the root port..

. we mean the one with the lowest BID. still 100 100 MBPS Port: Originally 10. © Train Signal. that's a tie here as well. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . Make sure to add up the Root Path Cost for other available paths before changing a port's Path Cost to ensure you're getting the results you want . now 4 10 GBPS Port: Originally 1. now 2 © Train Signal. and how these steps factored into SW2's decision-making process. These path costs have changed from their original values. this is another command that you should have a very good reason for configuring before using it.so this is a tie. Since the same switch is sending both BPDUs.Process of choosing a Root Port • Here's the process of choosing a Root Port. © Train Signal. Inc. too. That was the tiebreaker here. – – – – 10 MBPS Port: Originally 100. 2002-2007 Changing A Port's Path Cost • Like other STP commands and features. now 19 1 GBPS Port: Originally 1. so you'll be shown both here. – Choose the port with the lowest Root Path Cost to the root bridge. 2002-2007 How Root Path Costs Are Determined • The default STP Path Costs are determined by the speed of the port. – Choose the lowest Port ID.com 28 . SW2 shows a Path Cost of 19 for both ports 0/11 and 0/12. The costs we'll see on the switches in this section are the revised costs. By "superior BPDU". – Choose the port receiving the superior BPDU..docudesk. Inc..or perhaps avoid results you don't want! • In the following example.Trial :: http://www. That's a tie here. The BPDUs are coming from the same switch .SW1 . – Choose the port receiving the BPDU with the lowest Sender BID.

About the only thing this port can do is accept BPDUs from neighboring switches.no frame forwarding. no frame receiving. © Train Signal. but it's not even officially taking place in STP. a port enters forwarding mode. 2002-2007 STP port state – Part 2 • Once the port is opened. but the port is learning MAC addresses by adding them to the switch's MAC address table. © Train Signal. you're not going to look into the STP table of a VLAN and see "DIS" next to a port. A disabled port is one that is administratively shut down.and this port can now send BPDUs as well. The port still can't forward or receive data frames. Cisco does officially consider this to be an STP state. • A port will then go from blocking mode into listening mode.docudesk. • To see the STP mode of a given interface. © Train Signal. though. 2002-2007 learning mode • When the port goes into learning mode. use the show spanning-tree interface command.. Inc. the port will go into blocking state. A disabled port obviously isn't forwarding frames.Trial :: http://www. and the MAC address table is not yet being updated. and therefore no learning of MAC addresses.. This allows a port to forward and receive data frames. send and receive BPDUs. The obvious question is "listening for what?" Listening for BPDUs . • Finally. and place MAC addresses in its MAC table.STP port state – Part 1 • Disabled isn't generally thought of as an STP port state. Inc..com 29 . it's not yet forwarding frames. the port can't do much in this state . As the name implies. 2002-2007 PDF Created with deskPDF PDF Writer . Inc.

de00 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24596 (priority 24576 sys-id-ext 20) Address 0011.9375. let's review the STP timer basics. The default is 20 seconds. with a default value of 15 seconds.Trial :: http://www. and you should also remember that these timers should not be changed lightly. Inc. What you might not have known is that if you decide to change any and all of these timers. Right now. By default. • Maximum Age.docudesk. referred to by the switch as MaxAge. this is set to 2 seconds. 2002-2007 Example 1 SW3(config)#spanning vlan 20 root primary SW3#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011. • Forward Delay is the length of both the listening and learning STP stages. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. 2002-2007 Timers – Part 2 • Hello Time defines how often the Root Bridge will originate Configuration BPDUs.de00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 © Train Signal.Timers – Part 1 • You may remember these timers from your CCNA studies as well.9375. that change must be configured on the root bridge! The root bridge will inform the nonroot switches of the change via BPDUs. • Don't believe me? :) We'll prove that very shortly..com 30 . © Train Signal.. is the amount of time a switch will retain the superior BPDU's contents before discarding it. Inc..

com 31 .19c7.de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0019. Inc..de00 Cost 19 Port 24 (FastEthernet0/22) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0018.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal. 2002-2007 Example 3 SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011.docudesk.Example 2 SW2#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011.557d.9375.Trial :: http://www.9375. Inc. Inc.557d.9375.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal...de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Bridge ID Forward Delay 15 sec Priority 28692 (priority 28672 sys-id-ext 20) Address 0019.2700 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal. 2002-2007 Example 4 SW1(config)#spanning vlan 20 root secondary SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011. 2002-2007 PDF Created with deskPDF PDF Writer .

we're not configuring an exact priority with that command.docudesk. The TCN doesn't say exactly what happened. Distribution. © Train Signal. You saw that in the previous example.. © Train Signal. Ideally..spanning-tree vlan root • Ever wondered how the STP process decides what priority should be set when the spanning-tree vlan root command is used? After all. which lists the three layers of a switching network .Core. which allows for the highest optimization of STP. – If the current root bridge's priority is less than 24.com 32 . and Access.Trial :: http://www. the switch subtracts 4096 from the root bridge's priority in order to become the root. and the root bridge should not be an access-layer switch. the switch sets its priority to 24576 in order to become the root. 2002-2007 Topology Change Notifications (TCNs) • Configuration BPDUs are originated only by the root bridge. © Train Signal. 2002-2007 Where Should The Root Bridge Be Located? • I'm sure you remember the Cisco Three-Layer Hierarchical Model. it doesn't give the other switches a lot of detail.576. Here's how the STP process handles this: – If the current root bridge's priority is greater than 24.. Inc. but a TCN BPDU will be generated by any switch in the network when one of two things happen: – A port goes into Forwarding mode – A port goes from Forwarding or Learning mode into Blocking mode • While the TCN BPDU is important. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. Inc. Access switches are those found closest to the end users.576. just that something happened. the root bridge should be a core switch.

) • A natural question is "How long will the aging time for the MAC table stay at the Forward Delay value?" Here's the quick formula for the answer: • (Forward Delay) + (Max Age) • Assuming the default settings. that's a total of 35 seconds. © Train Signal. which makes perfect sense. there's no need to alert the entire network about it. Inc. SW1 is the root for all ten VLANs. • I've created ten VLANs. using your knowledge of switching. to start adjusting STP timers.. that's 15 seconds. Inc. and since such a port going into Forwarding mode doesn't impact STP operation. 2002-2007 Load Sharing With The portpriority Command • We can actually change a port's priority for some VLANs and leave it at the default for other VLANs in order to perform load balancing over a trunk. Inc... Let's take a look at the default behavior of a trunk between to switches when we have ten VLANs...20.docudesk.by default. (Another reason to be careful. and then change this behavior just a bit with the port-priority command.Default aging time • This indicates to all receiving switches that the default aging time for their MAC tables should be changed from the default of 5 minutes to whatever the Forward Delay value is . Before we go forward.com 33 . how many port or ports in this example will be in STP Blocking mode? Which one(s)? © Train Signal. and yet another reason to consider leaving the STP timers at their defaults! © Train Signal. 11 . 2002-2007 TCNs And The Portfast Exception • Cisco switching veterans just know that Portfast has to get involved here somewhere! Portfastenabled ports cannot result in TCN generation. if not downright hesitant.Trial :: http://www. for this example. 2002-2007 PDF Created with deskPDF PDF Writer . The most common usage of Portfast is when a single PC is connected directly to the switch port.

. it's called STP MAC Address Reduction.1t. Backbonefast Root Guard.The Extended System ID Feature • Earlier in this section. we took a look at part of a switch's configuration and saw this line: spanning-tree extend system-id • Defined in IEEE 802.4096. 2002-2007 The BID priority • The BID priority is the default priority of 32768 plus the System ID Extension value (sys-id-ext). Inc. It is enabled by default on 2950 and 3550 switches with an IOS version of 12. © Train Signal. MST © Train Signal. • You can't use this feature on all Cisco switches. PVST. • Some switches running CatOS can support this feature. The extended VLANs will be numbered 1025 .) © Train Signal.1(8)EA or later.IOS-based switches use the CLI commands you see throughout this book.Trial :: http://www.docudesk. which equals 32788. though. so the BID priority is 32768 + 20. Disabled by default. BPDU Skew Detection Rapid STP. (set commands are run on CatOS switches only .. Inc. Loop Guard UDLD. which in turn allows the switch to support up to 4096 VLANs. The sys-id-ext value just happens to be the VLAN number. PVST+. Uplinkfast. 2002-2007 PDF Created with deskPDF PDF Writer . it can be enabled with the set spantree macreduction command. with those switches. BPDU Guard. CST. the Extended System ID feature greatly extends the number of STP instances that can be supported by the switch. Inc.com 34 .. 2002-2007 Advanced STP Features • • • • Portfast.

Portfast allows a port running STP to go directly from blocking to forwarding mode.. Inc.3 seconds. but again. 2002-2007 PDF Created with deskPDF PDF Writer .com 35 . 2002-2007 Uplinkfast • When a port goes through the transition from blocking to forwarding. © Train Signal.it actually takes 1 . Inc. © Train Signal. 2002-2007 Details regarding Uplinkfast • Some additional details regarding Uplinkfast: – The actual transition from blocking to forwarding isn't really "immediate" . What if the device connected to a port is another switch? © Train Signal.Portfast • You should remember this one from your CCNA studies! Suitable only for switch ports connected directly to a single host. you're looking at a 50second delay before that port can actually begin forwarding frames. You can't run Uplinkfast on some ports or on a per-VLAN basis . that certainly seems immediate! – Uplinkfast cannot be configured on a root switch.. – When Uplinkfast is enabled.it's all or nothing.Trial :: http://www. Next to a 50-second delay. Inc. Configuring a port with Portfast is one way to get around that..docudesk. you can only use it when a single host device is found off the port. it's enabled globally and for all VLANs residing on the switch.

. The switch uses the following formula to determine how long to wait before transitioning the original root port back to the forwarding state: • ( 2 x FwdDelay) + 5 seconds © Train Signal. Inc. making it highly unlikely that this switch will be used to reach the root switch by any downstream switches. it's not enough to know the definition of Uplinkfast and what it does you've got to know where to configure it for best results.actually. and the switches that are farthest away from the root switches will be the access switches. Inc. 2002-2007 Where To Apply Uplinkfast • As with all the topics in this section. • Uplinkfast is a wiring-closet switch feature . © Train Signal. This does not take place immediately..docudesk. 2002-2007 PDF Created with deskPDF PDF Writer .com 36 . Inc. which means that if all other switches are still at their default priority. the switch priority will be set to 49. – Additionally..it's not recommended for core and distribution-layer switches.Trial :: http://www. Uplinkfast should be configured only on access-layer switches. 2002-2007 Immediate action • Uplinkfast will take immediate action to ensure that a switch cannot become the root switch -. the STP Port Cost will be increased by 3000. © Train Signal.152. The access switches will be the ones closest to the end users. It's a safe bet that the root switches are going to be found in the core layer. two immediate actions! – First.Root port • The original root port will become the root port again when it detects that its link to the root switch has come back up. they'd all have to go down before this switch can possibly become the root switch.

com 37 . a switch will answer immediately under one of two conditions: – The receiving switch is indeed the root bridge named in the RLQ request – The receiving switch has no connectivity to the root bridge named in the RLQ request. 2002-2007 Root Link Query • BackboneFast uses the Root Link Query (RLQ) protocol. and the RLQ response will identify the root bridge that can be accessed via that port. but the 15-second Listening and Learning stages still have to run. 2002-2007 RLQ Request • Upon receiving a RLQ request. because it considers another switch to be the root bridge • The third possibility is that the receiving switch is not the root.docudesk. In that case. everything's fine. but the Cisco-proprietary feature Backbonefast can be used to help recover from indirect link failures. • The key word there is indirect. this process skips the MaxAge stage. © Train Signal. Inc.. • This indirect link failure is detected when an inferior BPDU is received.Trial :: http://www. The RLQ request identifies the bridge that is considered the root bridge. You definitely can't run either one in a network backbone..Backbonefast • Uplinkfast and Portfast are great. • RLQ requests are transmitted via the ports that would normally be receiving BPDUs. • When BackboneFast is configured. but considers the root switch named in the RLQ request to indeed be the root switch. but the delay is cut from 50 seconds to 30. © Train Signal. the RLQ request is relayed toward the root switch by sending it out the root port. 2002-2007 PDF Created with deskPDF PDF Writer . (MaxAge's default value is 20 seconds. but they've got limitations on when they can and should be run. If a core switch detects an indirect link failure . While this does not eliminate delays as efficiently as PortFast and UplinkFast. The purpose of these RLQ requests is to ensure that the local switch still has connectivity to the root switch. Inc..) © Train Signal. Inc. RLQ uses a series of requests and responses to detect indirect link outages.Backbonefast goes into action.a failure of a link that is not directly connected to the core switch in question . If they're one and the same.

and respond to RLQ requests. the port will be shut down and placed into error disabled state. • Root Guard will actually block that superior BPDU. relay..BackboneFast into action • To put BackboneFast into action in our network. © Train Signal. every switch in the network should be configured for BackboneFast when using this feature. If any BPDU comes in on a port that's running BPDU Guard. Inc. When those superior BPDUs stop coming.docudesk. and RLQ is enabled by enabling BackboneFast.. Inc. Since all switches in the network have to be able to send. Inc. and disqualifies any switch that is downstream from that port from becoming the root or secondary root. 2002-2007 BPDU Guard • BPDU Guard protects against this disastrous possibility. SW3 will allow that port to transition normally through the STP port states. 2002-2007 PDF Created with deskPDF PDF Writer . and put the port into rootinconsistent state. © Train Signal..Trial :: http://www. shown on the switch as err-disabled. we have to know more than the command! We've got to know where to configure it as well. 2002-2007 Root Guard • Root Guard is configured at the port level. discard it.com 38 . © Train Signal.

Trial :: http://www. Inc. © Train Signal. UDLD generates a syslog message but does not shut the port down. and the port will not send any BPDUs in return. Inc. © Train Signal. • In aggressive mode. 2002-2007 Normal mode • When a unidirectional link is detected in normal mode. – Enabling BPDU Filtering on a specific port or ports.PortFast BPDU Filtering • What if you don't want the port to be put into err-disabled state when it receives a BPDU? You can use BPDU Filtering. rather than enabling it globally. the port will be put into error disabled state ("err-disabled") after eight UDLD messages receive no echo from the remote switch. UDLD generates a syslog message but does not shut the port down. there are situations where a physical layer issue disables data transfer in one direction. will result in received BPDUs being quietly ignored.this feature works differently when it's configured globally as opposed to configuring it on a per-interface level. Inc. but you have to be careful how you configure it . 2002-2007 Unidirectional Link Detection (UDLD) • Most problems involving the physical link will make data transfer in either direction impossible.docudesk. normal and aggressive.. – Globally enabling BPDU Filtering will have a PortFastenabled port stop running PortFast when the port receives a BPDU. 2002-2007 PDF Created with deskPDF PDF Writer ..com 39 . • UDLD has two modes of operation. but not the other. Particularly with fiber optic. Those incoming BPDUs will be dropped.. When a unidirectional link is detected in normal mode. Why is it called "aggressive"? Because the UDLD messages will go out at a rate of one per second when a potential unidirectional link is found. © Train Signal.

hears nothing.. but if you change one switch port's duplex setting.Duplex Mismatches And Switching Loops • A duplex mismatch between two trunking switches isn't quite a unidirectional link. the port will go from blocking to loop-inconsistent. which is basically still blocking mode.com 40 .. © Train Signal. "What is a BPDU Skew. Root Guard. 2002-2007 Loop Guard • We've had BPDU Guard.docudesk. and why do I want to detect it?" What we're actually attempting to detect are BPDUs that aren't being relayed as quickly as they should be. and a switching loop will not form © Train Signal... This should happen quickly all around. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. 2002-2007 BPDU Skew Detection • You may look at that feature's name and think. change that of any trunking partner! • Believe it or not.. the switching loop potential is caused by CSMA/CD! The full-duplex port will not perform CSMA/CD. Inc. You're not often going to change switch duplex settings. and the non-root switches relay that BPDU down the STP tree.. the root bridge transmits BPDUs. • After the root bridge election.. especially on trunk ports. but how does Loop Guard prevent switching loops? Let's revisit an earlier example to see how the absence of BPDUs can result in a switching loop. and now. and sends frames as it normally would under CSMA/CD rules. and the switches should relay the BDPUs fast enough so every switch is seeing a BPDU every two seconds.. • Loop Guard does not allow a port to go from blocking to forwarding in this situation.. The problem comes in when the half-duplex port listens to the segment. since the root bridge will be sending a BPDU every two seconds by default ("hello time").Trial :: http://www. Loop Guard! You can probably guess that the "loop" being guarded against is a switching loop. Inc. but it can indeed lead to a switching loop. With Loop Guard enabled. but the half-duplex port will. © Train Signal.

Inc.com 41 . or Rapid Spanning Tree Protocol. An edge port will operate just like an STP port that is running Portfast. and you've got all these STP features down . • Root bridges are still elected with RSTP.and now here's another kind of STP! Specifically. 2002-2007 PDF Created with deskPDF PDF Writer .. © Train Signal.Trial :: http://www.1w. In this case. © Train Signal. Note that SW3 has multiple connections to the ethernet segment. You know what a root port is. 2002-2007 Port types unique to RSTP • There are other port types unique to RSTP. it's RSTP. • A point-to-point port is any port that is connected to another switch and is running in full-duplex mode. but the port roles themselves are different between STP and RSTP. most likely an end user's PC. Let's take a look at the RSTP port roles in the following three-switch network. it's a switch port that is connected to a single host. where SW1 is the root.1d.docudesk. RSTP is defined by IEEE 802. Inc. and is considered an extension of 802..a port on the edge of the network. An edge port is just what it sounds like .Rapid Spanning Tree Protocol • So you understand STP. but RSTP also has edge ports and point-to-point ports. Inc.. 2002-2007 Transition States • Let's compare the transition states: • STP: disabled > blocking > listening > learning > forwarding • RSTP: discarding > learning > forwarding © Train Signal.

but discovery of link failures is faster. © Train Signal.. 2002-2007 Difference between STP and RSTP • Another major difference between STP and RSTP is the way BPDUs are handled. • RSTP-enabled switches generate a BPDU every two seconds. the interval at which switches send BPDUs. only the root bridge is sending BPDUs every two seconds..Trial :: http://www.) © Train Signal. Why? Because every switch expects to see a BPDU from its neighbor every two seconds.docudesk. Inc. that switch sends BPDUs with the Topology Change (TC) bit set © Train Signal. When an edge port moves into Forwarding mode. and if three BPDUs are missed. since only a single host will be connected to that particular port.. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.unless that port is an edge port. 2002-2007 Detecting Link Failures • This change not only allows all switches in the network to have a role in detecting link failures. the nonroot bridges simply forward. I should say that they don't play a role. RSTP doesn't consider that a topology change. 2002-2007 PDF Created with deskPDF PDF Writer . is two seconds in both STP and RSTP. With STP. Rather. Inc. regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time. Inc.Edge Ports And RSTP Topology Changes • Edge ports play a role in when RSTP considers a topology change to have taken place. that BPDU when they receive it. the link is considered down. The switch then immediately ages out all information concerning that port.com 42 . because RSTP considers a topology change to have taken place when a port moves into Forwarding mode . or relay. • When a topology change is discovered by a switch running RSTP.

ISL. which allows an RSTP-enabled switch to detect older switches. well. but RSTP uses all flag bits available in the BPDU for various purposes including state negotiation between neighbors. and Backbonefast are built-in to RSTP. • Switching features we looked at earlier in this section Uplinkfast. • The RSTP BPDU is also of a totally different type (Type 2. Since the default hello-time is 2 seconds for both STP and RSTP. © Train Signal. Portfast. • When a switch running RSTP misses three BPDUs.. 2002-2007 BPDU format • The BPDU format is the same for STP and RSTP. • The Ugly: PVST is Cisco-proprietary.Trial :: http://www.com 43 . 2002-2007 PDF Created with deskPDF PDF Writer .MaxAge timer • When a switch running STP misses a BPDU.docudesk. runs a separate instance of STP for each VLAN! • The Good: PVST does allow for much better fine-tuning of spanning-tree performance than does regular old STP.. The details of this negotiation are out of the scope of the BCMSN exam. it will immediately are out the superior BPDU's information and begin the STP recalculation process.. 2002-2007 Per-VLAN Spanning Tree Versions (PVST and PVST+) • The ultimate "the name is the recipe" protocol. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. the MaxAge timer begins. the Ciscoproprietary PVST. By default. but can easily be found on the Internet by searching for "RSTP" in your favorite search engine. © Train Signal. © Train Signal. MaxAge is 20 seconds. it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed. Inc. so it must run over the Cisco-proprietary trunking protocol . but STP uses only the Topology Change (TC) and Topology Change Ack (TCA) flags. • The Bad: Running PVST does mean extra work for your CPU and memory. Inc. Inc. Version 2).

so while it can be very useful in the right environment. rather than having an instance for every VLAN in the network. with the + version using dot1q rather than ISL. Inc. © Train Signal. The good news is that the command is very simple. – If you configure a switch running PVST+ to use RSTP. 2002-2007 PDF Created with deskPDF PDF Writer . Multiple Spanning Tree gets its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP. Using PVST+ along with CST and PVST can be a little difficult to fine-tune at first.. PVST+ is Ciscoproprietary as well.Rapid Per-VLAN Spanning Tree Plus.com 44 . otherwise. Inc.docudesk. 2002-2007 Rapid Per-VLAN Spanning Tree Plus (RPVST +) • Now there's a mouthful! – Cisco being Cisco. so Cisco came up with PVST+. you just know they have to have their own version of STP! Per-VLAN Spanning Tree Plus (PVST+) is just what it sounds like . PVST has an instance for every VLAN. 2002-2007 Multiple Spanning Tree • Defined by IEEE 802.and working fine! © Train Signal. • MST was designed with enterprise networks in mind.1s. PVST+ allows per-VLAN load balancing and is also Cisco-proprietary. it's not for every network. • PVST+ can serve as an intermediary between groups of PVST switches and switches running CST. PVST+ is described by Cisco's website as having the same functionality as PVST. you end up with RPVST+ . but this combination is running in many a network right now . and MST allows you to reduce the number of STP instances without knocking it all the way back to one.every VLAN has its own instance of STP running. the groups wouldn't be able to communicate.PVST • PVST doesn't play well at all with CST.Trial :: http://www. • CST (Common Spanning Tree) uses a single instance of STP. and we'll use IOS Help to look at some other options: © Train Signal. MST serves as a middle ground between STP and PVST... Inc.

docudesk. 2002-2007 IST • The "IST" in each region stands for Internal Spanning Tree.there's no such thing as "VTP For MST". and it's MST's job to keep a loop-free topology in the MST region. CST is going to maintain a loop-free network only with the links connecting the MST network subnets. • Up to 16 MST instances (MSTIs) can exist in a region.. keep the central point in mind . • Here's the good part -.. and the switches in any given region must agree of the following: – The MST configuration name – The MST instance-to-VLAN Mapping table – The MST configuration revision number • If any of these three values are not agreed upon by two given switches. (No.the purpose of MST is to map multiple VLANs to a lesser number of STP instances. you've got to configure every switch in your network with those mappings .they're not advertised.Trial :: http://www. revision number. and a digest value derived from the mapping table. © Train Signal. Switches send MST BPDUs that contain the configuration name. they are in different regions. Each and every switch in your MST deployment must be configured manually. These are not hex values . however. © Train Signal. numbered 0 through 15. Inc.they're regular old decimals. and MST is a "subset" of the network. • Occasionally the first ten MST instances are referred to as "00" . MSTI 0 is reserved for the IST instance.Configuration of MST • The configuration of MST involves logically dividing the switches into regions. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. I'm not kidding!) When you create VLAN mappings in MST. and only the IST is going to send MST BPDUs."09". No matter the size of the network. and it doesn't want to know. 2002-2007 MST configurations • MST configurations can become quite complex and a great deal of planning is recommended before implementing it. CST doesn't know what's going on inside the region.. and it's the IST instance that is responsible for keeping communications in the MST Region loop-free.com 45 . • A good way to get a mental picture of the interoperability of MST and CST is that CST will cover the entire network. © Train Signal.

docudesk. UDP argument from your CCNA studies. for example) © Train Signal. When mapping VLANs. • STP: 100 VLANs results in one STP process • PVST: 100 VLANs results in 100 STP processes. Inc..Enabling MST – Part 1 • A good place to start is to enable MST on the switch: SW2(config)# spanning-tree mode mst • The name and revision number must now be set.Trial :: http://www. SW2(config)# spanning-tree mode mst configuration SW2(config-mst)# name REGION1 SW2(config-mst)# revision 1 © Train Signal. 14-20 • Note that I could use commas to separate individual VLANs or use a hyphen to indicate a range of them.13. © Train Signal.com 46 . 2002-2007 Why Does Anyone Run STP Instead Of PVST? • Like the TCP vs. this seems like a bit of a nobrainer... Inc. 2002-2007 PDF Created with deskPDF PDF Writer . remember that by default all VLANs will be mapped to the IST. 2002-2007 Enabling MST – Part 2 • To map VLANs to a particular MST instance: SW2(config-mst)# instance 1 10. allowing for greater flexibility with trunk usage (per-VLAN load balancing. Inc.

2002-2007 Etherchannels • Etherchannels aren't just important for your BCMSN studies. • After that review.docudesk. there is no STP reconfiguration. • Spanning-Tree Protocol (STP) considers an Etherchannel to be one link. so we're going to begin this section with a review of what an Etherchannel is and why we would configure one.. but many CCNA books either leave Etherchannels out entirely or mention them briefly. Inc. Inc. they're a vital part of many of today's networks. • If one of the physical links making up the logical Etherchannel should fail. STP sees only the Etherchannel. Knowing how to configure and troubleshoot them is a vital skill that any CCNP must have. and I'll show you some real-world examples of common Etherchannel configuration errors to help you master this skill for the BCMSN exam and for the real world. © Train Signal. This provides greater throughput. • Etherchannels are part of the CCNA curriculum. You may not have even seen an Etherchannel question on your CCNA exam. we'll begin an in-depth examination of how Etherchannels work. and is another effective way to avoid the 50-second wait between blocking and forwarding states in case of a link failure.Trial :: http://www.Etherchannels © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .com 47 . Inc. since STP doesn’t know the physical link went down.. • Etherchannels use the Exclusive OR (XOR) algorithm to determine which channel in the EC to use to transmit data to the remote switch. and a single link failure will not bring an Etherchannel down. © Train Signal.. 2002-2007 Logical Bundling • An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. This bundling of trunks is also referred to as aggregation.

the logical link itself stays up. Inc. that would defeat the purpose of configuring an etherchannel! © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . • PAgP packets are sent between Cisco switches via ports that have the capacity to be placed into an etherchannel.. 2002-2007 Negotiating An Etherchannel • There are two protocols that can be used to negotiate an etherchannel. and the Ciscoproprietary option is the Port Aggregation Protocol (PAgP). While some bandwidth is obviously lost. 2002-2007 Remote Port Group • The remote port group number must match the number configured on the local switch • The device ID of all remote ports must be the same . the PAgP packets will check the capabilities of the remote ports against those of the local switch ports.com 48 . The remote ports are checked for two important values. STP will not recalculate. if the remote ports are on separate switches..docudesk. First. Inc.it will happen so fast that you won't even hear about it from your end users! © Train Signal.Logical Link • If one of the three physical links goes down. Data that is traveling over the downed physical link will be rerouted to another physical link in a matter of milliseconds .after all..Trial :: http://www. Inc. The industry standard is the Link Aggregation Control Protocol (LACP). © Train Signal.

3ad. this is the one I use in real-world networks. which means that there is no negotiation at all.docudesk. LACP assigns a priority value to each port that has etherchannel capability. Inc. © Train Signal. "auto" and "passive" if the remote port is going to initiate the EC. 2002-2007 PAgP and LACP • PAgP and LACP use different terminology to express the same modes."active" and "desirable" for the local port to initiate the EC.com 49 . • To verify both PAgP and LACP neighbors. on. • The industry standard bundling protocol defined in 802. A port in dynamic mode will initiate bundling with a remote switch. while a port in auto mode waits for the remote switch to do so. but it's a real good idea to know all about PAgP and LACP. where active ports initiate bundling and passive ports wait for the remote switch to do so.if both ports are set to auto. If you change the speed of one of the ports in an etherchannel. if both ports are set to "passive". PAgP will allow the etherchannel to dynamically adapt to this change. • For an EC to form. LACP must have at least one of the two ports on each physical link set for "active".PAgP • PAgP also has the capability of changing a characteristic of the etherchannel as a whole if one of the ports in the etherchannel is changed..Trial :: http://www.. The same can be said for PAgP and the settings "auto" and "desirable" .. 2002-2007 Initiating EC • You can see the different terminology LACP and PAgP use for the same results . Personally. the link won't join the EC. PAgP has a dynamic mode and auto mode. The other ports will be bundled only if one or more of the bundled ports fails. 2002-2007 PDF Created with deskPDF PDF Writer . you can use the show pagp neighbor and show lacp neighbor commands. but only the eight ports with the lowest port priority will be bundled. © Train Signal. You can actually assign up to 16 ports to belong to an LACP-negotiated etherchannel. Inc. no EC will be built. Inc. © Train Signal. To enable the etherchannel with no negotiation. LACP uses active and passive modes. • There's a third option. use the on option.

2002-2007 EC Error • When I remove the original command.Trial :: http://www. Here's a reenactment of an EC issue I ran into once.. • The allowed range of VLANs for the EC must match that of the ports. Inc. Here's the error message that occurs in a scenario like this: 02:46:10: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) © Train Signal. That will prevent an EC from working correctly. SW1(config)#int fast 0/12 SW1(config-if)#no switchport trunk allowed vlan 100. but notice that the allowed VLANs on these two ports is different. Inc. 2002-2007 Error Message interface FastEthernet0/11 switchport trunk allowed vlan 10.. 2002-2007 PDF Created with deskPDF PDF Writer . Inc.20 no ip address channel-group 1 mode on ! interface FastEthernet0/12 switchport trunk allowed vlan 100.200 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) SW1(config-if)#switchport trunk allowed vlan 10. From personal experience. Ports configured for dynamic VLAN assignment from a VMPS cannot remain or become part of an EC. here are a few things to watch out for: • Changing the VLAN assignment mode to dynamic. changed state to up © Train Signal.. but once I change port 0/12's config to match 0/11's. I get the EC error message again.20 02:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12. the EC forms.Troubleshooting EtherChannels • Once you get an EC up and running. The configuration of the channel-group looked just fine… © Train Signal.200 no ip address channel-group 1 mode on ..com 50 . it generally stays that way .unless a port setting changes.docudesk.

• Grant remote access only to those who absolutely. native VLAN.lock those servers. Inc. Inc. Dynamic ARP Inspection. Ports need to be running the same speed. 2002-2007 Physical security • Physical security .com 51 . positively need it. routers.. duplex.docudesk. change 'em on occasion (and that occasion should not be the Millennium) • Different privilege levels . and it's also the most ignored.Trial :: http://www. and just about any other value you can think of! If you change a port setting and the EC comes down. and switches up! This is the most basic form of network security. © Train Signal. Inc.change the port setting back! © Train Signal..Changing Port Attribute • Changing a port attribute. 2002-2007 PDF Created with deskPDF PDF Writer .set 'em.. • Passwords .not every user needs the same level of access to potentially destructive commands. 2002-2007 Securing the Switches • • • • • • Introduction to AAA Port Security & Dot1x Port-Based Authentication SPAN VLAN ACLs Private VLANs DHCP Snooping. you know what to do . IP Secure Guard • MAC Address Flooding & VLAN Hopping Attacks © Train Signal.

and we've already configured a little of that as well. We can also use RADIUS servers (Remote Authentication Dial-In User Service. Inc. and this local database of passwords is just one method of authenticating users.. we've got to enable AAA on the switch. "A". but you're already working with AAA.com 52 . Well. 2002-2007 Authorization • The second A is Authorization.. a method list must be defined: © Train Signal. Assigning the right to perform given tasks is Authorization. 2002-2007 PDF Created with deskPDF PDF Writer . Authorization. anyway! • The passwords we've set here are part of Authentication. As in. a TCP service). As with the previous AAA services.Trial :: http://www. © Train Signal.. This stands for Authentication.and you didn't know it. 2002-2007 Accounting • For some of us. and when we granted one of our Telnet users privilege level 15.Accounting. • Both RADIUS and TACACS+ offer a lot of options. (This is not required if only the local database will be used. TACACS+ can be configured to force the user to be authenticated for any of the tasks seen here in IOS Help. and Accounting .docudesk. this is the best part of AAA . We're going to look at a basic switch config that could get us started with either. While RADIUS is limited in the different levels of authorization. a UDP service) or TACACS+ servers (Terminal Access Controller Access Control System.) © Train Signal. Inc. we authorized that user to pretty much do what they want to do. First. Inc. "holding people accountable for what they do!" • Accounting will use a RADIUS or TACACS+ server to track user activity.AAA • You may have heard or read the acronym AAA in Cisco switch documentation.

© Train Signal. What if you allow for more secure MAC address than you actually configure manually.Port Security • Here's another basic security feature that's regularly overlooked. You can specify the number of secure MAC addresses. Inc. Inc.. and if a device with a different MAC address sends frames to the switch on that port.com 53 . as shown below? SW1(config-if)#switchport SW1(config-if)#switchport SW1(config-if)#switchport aaaa. 2002-2007 Little “gotcha” • There is a little "gotcha" with port security that you need to be aware of.1x ports © Train Signal. but is very powerful.cccc.docudesk. it will shut down.Trial :: http://www..aaaa. There are a few port types that you can't configure with port security: – – – – trunk ports ports placed in an Etherchannel destination SPAN port 802. Port security uses a host's MAC address as a password.by default. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Port Security Feature • Port security is a great feature.aaaa SW1(config-if)#switchport cccc.cccc port-security port-security maximum 3 port-security mac-address port-security mac-address © Train Signal. Inc. and you can specify secure MAC addresses as well. the port will take action . but you can't run it on all ports..

even clients who could otherwise successfully authenticate! • The auto setting enables dot1x on the port.you can't use TACACS or TACACS+. normal transmission and receiving can begin. this is the most common setting. Inc. but authentication is not required.. the standard upon which this feature is based. the default. which will begin the process as unauthorized. and doesn't need to know. Basically. once the user authenticates. the Cisco authentication server must be RADIUS . 2002-2007 EAPOL. Only the necessary EAPOL frames will be sent and received while the port's unauthorized. there is no authentication on this port type.1x. but we can take it a step further with dot1x port-based authentication. Inc.Trial :: http://www.it forces the port to authorize any host attempting to use the port. all traffic can be received and transmitted through this port.Dot1x Port-Based Authentication • Port security is good. Inc. Not surprisingly..docudesk. Not this time! © Train Signal. STP and CDP • Until the user is authenticated. The name refers to IEEE 802. Unusually enough. 2002-2007 PDF Created with deskPDF PDF Writer . • A port in force-unauthorized state literally has the port unable to authorize any client . © Train Signal. Once the authentication is complete. does just what it sounds like . Usually the PC isn't aware of what the switch is doing. 2002-2007 Force-authorized • Force-authorized. only the following protocols can travel through the port: – EAPOL – STP – CDP • By default.1x EAPOL (Extensible Authentication Protocol over LANs). © Train Signal.. That's a major departure from many of the switch features we've studied to date. • One major difference between dot1x port-based authentication and port security is that both the host and switch port must be configured for 802. since most other switch features don't require anything of the host.com 54 .

VLAN-based SPAN (VSPAN) would be in effect. and the basic operation is simple. Inc. the destination port is referred to as the monitor port. because there are several different versions of SPAN. (In some Cisco documentation. 2002-2007 Command monitor session • The command monitor session starts a SPAN session. Inc. though.Trial :: http://www. the real difference comes in when you define the source ports. we're running Local SPAN. The versions are much the same. © Train Signal. © Train Signal. The sessions are totally separate operations. Cat 3550s and 2950s support only two. though.) • SPAN works very well.com 55 . If the source was a VLAN rather than a collection of physical ports. © Train Signal..docudesk.SPAN • SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached.. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . Studying SPAN for exams and network usage can seem complicated at first. but more powerful switches can run as many as 64 sessions at once. It's the location of the source ports that determines the SPAN version that needs to run on the switch. but the number of simultaneous sessions you can run differs from one switch platform to another. 2002-2007 Local SPAN • In the previous example. along with allowing the configuration of the source and destination.. since the destination and source ports are all on the same switch.

– The source and destination must be defined on both the switch with the source port and the switch connected to the network analyzer. – VTP treats the RSPAN VLAN like any other VLAN. Inc.com 56 . they would all need to be RSPAN-capable. It will be propagated throughout the VTP domain if configured on a VTP server. it's got to be manually configured on every switch along the intermediate path. • A source port can be any port type .docudesk. © Train Signal. 2002-2007 RSPAN Configuration Part 2 – MAC address learning is disabled for the RSPAN VLAN. • A source port can be part of an Etherchannel. VTP Pruning will also prune the RSPAN VLAN under the same circumstances that it would prune a "normal" VLAN. but the commands are not the same on each..Trial :: http://www. simultaneous SPAN sessions.. FastEthernet. • A source port cannot be configured as a destination port. Otherwise..RSPAN Configuration – Part 1 • RSPAN configuration is simple. but there are some factors you need to consider when configuring RSPAN: – If there were intermediate switches between the two shown in the above example. © Train Signal. etc. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Source port notes: • A source port can be monitored in multiple. Inc. Inc.Ethernet. © Train Signal.

you're very familiar with access lists and their many. 2002-2007 ESPAN • Finally.com 57 .cuts down on the number of lookups required to compare a packet against an ACL. 2002-2007 PDF Created with deskPDF PDF Writer . You'll still see it occasionally. © Train Signal. but it doesn't refer to any specific addition or change to SPAN. • A destination port cannot be part of an Etherchannel.. many uses! Access lists do have their limitations. PaGP. Inc.. • A destination port cannot be a source port. • A destination port can participate in only one SPAN session. VTP. but the TCAM . © Train Signal. though. Inc. many. you may see the term "ESPAN" in some SPAN documentation. 2002-2007 Access lists • At this point in your Cisco studies. While an ACL can filter traffic traveling between VLANs.docudesk. This is Enhanced SPAN. or DTP.Ternary Content Addressable Memory .Trial :: http://www. LACP. You know that the CAM (Content Addressable Memory) table holds the MAC addresses that the switch has learned. © Train Signal. and some of Cisco's documentation mentions that this term has been used so often to describe different additions that the term has lost meaning.. CDP.Destination port notes: • A destination port can be any port type. Inc. • A destination port doesn't participate in STP. • Why not? It relates to how ACLs are applied on a multilayer switch. it can't do anything about traffic from one host in a VLAN to another host in the same VLAN.

If traffic is not expressly forwarded.they're applied in global configuration mode. Inc. as shown in the previous example. and it's ugly. • A routing ACL can be applied to a SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. Inc. I mentioned that ACL processing in multilayer switches is performed in hardware.. and that forwarding rate is much lower than the rate for the traffic forwarded by the switch hardware. The VACL equivalent of "permit all" is an "action forward" clause with no match criterion. resulting in even more packets begin sent to the CPU.com 58 . as well as non-IP and non-IPX traffic. (I've seen that. it's implicitly dropped! © Train Signal. and run until a match occurs • VACLs have an implicit deny at the end.Trial :: http://www.docudesk. They are still active while being edited. If the hardware hits its storage limit for ACL configs.. There will still be some traffic that is sent to the CPU for software processing. Avoid it.Additional notes and tips regarding VACLs – Part 1 • Bridged traffic. 2002-2007 Additional notes and tips regarding VACLs – Part 2 • Only one VACL can be applied to a VLAN • The sequence numbers allow you to go back and add lines without rewriting the entire VACL. © Train Signal. the switch performance can degrade. should be filtered with VACLs • VACLs run from top to bottom. 2002-2007 Possible Side Effect – Part 1 • A Possible Side Effect Of Performing ACL Processing In Hardware – At the beginning of the VACL section. but VACLs are not applied in that way .) © Train Signal..

Possible Side Effect – Part 2 – Cisco's website lists two other factors that may result in too many packets being sent to the CPU. including other hosts in its own secondary VLAN -this is an isolated private VLAN © Train Signal. 2002-2007 Example • In the following example. and can communicate with devices found off other promiscuous ports.. the router is located off a switch port that has been configured as a private VLAN port. and they may surprise you: • Excessive logging • Use of ICMP Unreachable messages – Use the log option with care. the host can also communicate with other hosts in that private VLAN. not the hardware. such as the router seen below.Trial :: http://www. 2002-2007 Private VLANs • This may well be the ultimate in filtering VLAN traffic! Hosts can be placed into a secondary VLAN.this is promiscuous mode. Logging must be performed by the switch software. © Train Signal. – The host connected to the port is on either type of private VLAN (isolated or community). Inc. Inc. There are options here as well: – The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN . but with no other hosts. but not with hosts in other secondary VLANs .this is a community private VLAN – The host can communicate with the primary VLAN.docudesk.com 59 .. This is the recommended mode for ports connected to gateway devices. © Train Signal. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .. If the host is configured as part of a community private VLAN. which is going to have one of two results: – The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN.

the interface itself will be placed into err-disabled state. 2002-2007 DHCP Snooping – Part 2 • DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers...in this case.and as we know.com 60 .docudesk. 2002-2007 Dynamic ARP Inspection • Just as we must protect against rogue DHCP servers.Trial :: http://www. 2002-2007 PDF Created with deskPDF PDF Writer . through the basic ARP process on a switch.DHCP Snooping – Part 1 • It may be hard to believe. we have to be wary of rogue ARP users as well. DHCP Snooping classifies interfaces on the switch into one of two categories . This happens through ARP Cache Poisoning. Inc. Inc. the switch considers all ports untrusted . the host will accept the first Offer it gets! © Train Signal.. Inc. • DHCP messages received on trusted interfaces will be allowed to pass through the switch.which means we better remember to configure the switch to trust some ports when we enable DHCP Snooping! © Train Signal. © Train Signal.be aware of both names for your exam.) • ARP Cache Poisoning starts innocently enough . you know all about Address Resolution Protocol and how it operates. A rogue device can overhear part of the ARP process in action and make itself look like a legitimate part of the network. it listens for DHCPOffer packets . but something as innocent as DHCP can be used for network attacks. • From your CCNA studies. • By default. Not only will DHCP messages received on untrusted interfaces be dropped by the switch. The potential for trouble starts when a host sends out a DHCPDiscovery packet. (This is also known as ARP Spoofing .trusted and untrusted.

2002-2007 Trusted and untrusted ports • DAI uses the concept of trusted and untrusted ports.docudesk. This database is the same database that is built by the DHCP Snooping process. Inc.The rogue host • The rogue host has effectively placed itself into the middle of the communication.. • There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel. the ARP message is dropped. all communications between Host A and Host B will actually be going through the rogue host. and static ARP configurations can be used by DAI as well. DAI allows the ARP message to pass through without checking the database of trusted mappings. 2002-2007 PDF Created with deskPDF PDF Writer . not transmitted. if not. Inc. • Once the IP-MAC address database is built. DAI is performed as ARP messages are received.Trial :: http://www.com 61 . © Train Signal. 2002-2007 Trusted/untrusted port configuration • Cisco's recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. this configuration scheme ensures that every ARP packet is checked once. but no more than that.. • Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings. If the ARP message has an approved MAC-IP address mapping. every single ARP Request and ARP Reply received on an untrusted interface is examined. untrusted ports in DAI do not automatically drop ARP Requests and Replies. just as DHCP Snooping does. When the rogue host does the same for an ARP Request being sent from Host B to Host A. Since DAI runs only on ingress ports. Inc. © Train Signal. © Train Signal.. However. • If the interface has been configured as trusted. leading to the term man in the middle for this kind of network attack. the message is forwarded appropriately.

2002-2007 MAC Address Flooding Attacks • Since ARP. • The intruder can easily intercept packets with a packet sniffer.docudesk. preventing legitimate entries from being made.and this results in those valid frames being broadcast instead of unicast. and uses the DHCP Snooping database to carry out this operation. IP Source Guard works in tandem with DHCP Snooping. • The intruder generates a large number of frames with different source MAC addresses .including the port the intruder is using. 2002-2007 PDF Created with deskPDF PDF Writer . IP addresses. all unpleasant: • As mentioned.all of them invalid. 2002-2007 This has three side effects. © Train Signal. the MAC address table fills to capacity. the switch makes a note of this IP address assignment.com 62 . Inc. © Train Signal. • As with DAI. the only traffic that can reach that host are DHCP packets.. and DHCP all have potential security issues.. Inc. When the client successfully acquires an IP address from the DHCP Server.Trial :: http://www. When the host first comes online and connects to an untrusted port on the switch. Inc. • The large number of unnecessary broadcasts quickly consumes bandwidth as well as overall switch resources. As the switch's MAC address table capabilities are exhausted. valid entries cannot be made . DHCP Snooping must be enabled before enabling IP Source Guard. © Train Signal. since the unnecessarily broadcasted packets will be sent out every port on the switch .IP Source Guard • We can use IP Source Guard to prevent a host on the network from using another host's IP address.. we can't leave MAC addresses out because network attackers sure won't do so! • A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table.

Inc. but it's quite the opposite. • The term "native VLAN" tips us off to the third requirement . That's why you often see the native VLAN of a network such as the one above set to a VLAN that no host on the network is a member of . The key isn't to fight the intruder once they're in our network .. 2002-2007 Double Tagging • One form of VLAN Hopping is double tagging.com 63 . Inc. 2002-2007 VLAN Hopping • VLAN Hopping seems innocent enough. © Train Signal.Trial :: http://www.dot1q must be the trunking protocol in use.. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal.port-based authentication and port security.docudesk.MAC Address Flooding • You can combat MAC Address Flooding with two of the features we addresses earlier in this section . we reduce the potential for an intruder to unleash a MAC Address Flooding attack on our network. By making sure our host devices are indeed who we think they are.that stops this version of VLAN Hopping right in its tracks.the key is to keep them out in the first place.. since ISL doesn't use the native VLAN. VLAN Hopping has been used for network attacks ranging from Trojan horse virus propagation to stealing bank account numbers and passwords. As you'll see in our example. © Train Signal. so named because the intruder will transmit frames that are "double tagged" with two separate VLAN IDs. • The VLAN used by that access port must be the native VLAN. certain circumstances must exist for a double tagging attack to be successful: • The intruder's host device must be attached to an access port.

docudesk. VRRP. 2002-2007 PDF Created with deskPDF PDF Writer .Switch Spoofing • Notice that I said "this version".Trial :: http://www. which means that a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk.com 64 .. because this version allows the rogue to pretend to be a member of *all* VLANs in your network.. To make this hardware-based packet processing happen. GLBP) • Server Load Balancing (SLB) © Train Signal. This processor must download routing information to the hardware itself. Inc. • When it comes to Cisco Catalyst switches. A good phrase to describe a multilayer switch is "pure performance" these switches can perform packet switching up to ten times as fast as a pure L3 router.um.. Cisco Express Forwarding Inter-VLAN Routing & SVIs Fallback Bridging Router Redundancy Protocols (HSRP. this hardware switching is performed by a router processor (or L3 engine)... A potential problem exists. 2002-2007 Multilayer Switching • • • • Route Caching. Cat switches will run either the older. Inc. or the newer Cisco Express Forwarding (CEF). © Train Signal. since the switch doesn't really know what kind of device is receiving the DTP frames. Switch spoofing is another variation of VLAN Hopping that is even worse than double tagging. © Train Signal. • Many Cisco switch ports now run in dynamic desirable mode by default. I mean "legacy" Multilayer Switching (MLS). IRDP. 2002-2007 What Is Multilayer Switching? • Multilayer switches are devices that switch and route packets in the switch hardware itself. Inc..

That is. and that improvement is Cisco Express Forwarding. there are actually two flows of traffic. 2002-2007 PDF Created with deskPDF PDF Writer . though. and packets on the same flow will share the same protocol. The routing processor routes a flow's first packet. what exactly does a "flow" consist of? A flow is a unidirectional stream of packets from a source to a destination.. With multilayer switching. so it's not available on all L3 switches. • Now. The MLS cache entries support such unidirectional flows.. but you will see it on 3550s and several other higher-numbered series. • There's always room for improvement from the first implementation of anything. This method may be more familiar to you as NetFlow switching.ASICs • Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets.. if a source is sending both WWW and TFTP packets to the same destination.the Forwarding Information Base and the Adjacency Table. 2002-2007 Cisco Express Forwarding • Cisco Express Forwarding (CEF) is a highly popular method of multilayer switching. 2002-2007 Route Caching • The first multilayer switching (MLS) method is route caching. • CEF has two major components . Inc. Inc.docudesk. © Train Signal. the L2 source and addresses may and probably will. and is also easier on a switch's CPU than route caching. Inc. Route caching devices have both a routing processor and a switching engine. it's the ASICs that perform this L2 address overwriting. Primarily designed for backbone switches.com 65 . the switching engine snoops in on that packet and the destination. CEF is highly scalable. this topology-based switching method requires special hardware. You know from your CCNA studies that while the IP source and destination address of a packet will not change during its travels through the network.Trial :: http://www. and the switching engine takes over and forwards the rest of the packets in that flow. • CEF can't be configured on 2950 switches. © Train Signal. © Train Signal.

. but what of the L2 information we need? That's found in the Adjacency Table (AT). that next-hop L2 information is kept in this table for CEF switching. 2002-2007 Enabling DEF • Enabling CEF is about as simple as it gets. There's no such command! • A multilayer switch must have IP routing enabled for CEF to run.docudesk. Inc. their masks. Inc. • Once the appropriate L3 and L2 next-hop addresses have been found.Trial :: http://www.DEF-Enabled Devices • CEF-enabled devices the same routing information that a router would.and CEF will use the FIB to make L3 prefix-based decisions.. (The L2 source address will change as well.that's going to be changed to the next-hop destination. CEF is hardware-based. You can view the FIB with the show ip cef command. © Train Signal. As adjacent hosts are discovered via ARP. The L3 destination will remain the same. Remember. CEF-enabled switches keep a Forwarding Information Base (FIB) that contains the usual routing information . the next-hop IP addresses. Inc. the MLS is just about ready to forward the packet. so it's not a situation where running "no cef" on a switch will disable CEF. as I'm sure you remember from your CCNA studies. and you can't turn it off. the FIB is really just the IP routing table in another format. but it's not found in a typical routing table. CEF is on by default on any and all CEF-enabled switches. • The FIB's contents will mirror that of the IP routing table actually. however. 2002-2007 FIB • The FIB takes care of the L3 routing information..the destination networks.. © Train Signal. The MLS will make the same changes to the packet as a router normally would. and that includes changing the L2 destination MAC address .com 66 . not software-based.. 2002-2007 PDF Created with deskPDF PDF Writer .) © Train Signal. to the MAC address on the MLS switch interface that transmits the packet. Trying to view the FIB of a switch with IP routing not enabled results in this console readout. etc .

and then after enabling IP routing..0/4 drop 224..255/32 receive Interface © Train Signal. the data plane is also called by several different names: – – – "data plane" "hardware engine" "ASIC" © Train Signal. Be sure to check your switch's capabilities before purchasing. Inc. © Train Signal. Inc.. and I know you won't be surprised to find they are also referred to by several different names. which makes the FIB and AT creation possible. Keep in mind that switches that do support CEF do so by default. For instance.. and CEF can't be turned off on those switches! • CEF does support per-packet and perdestination load balancing. Inc..0.0/24 receive 255. 2002-2007 The Control Plane And The Data Plane • These are both logical planes found in CEF multilayer switching.255.255.0. the 2900XL and 3500XL do not support CEF.0.Example SW2#show ip cef %IPv4 CEF not running .0/32 receive 224. but again does not do so on all multilayer switches. • These all refer to the control plane: – – – "CEF control plane" "control plane" "Layer 3 engine" or "Layer 3 forwarding engine" • The control plane's job is to first build the ARP and IP routing tables.docudesk.0.com 67 . 2002-2007 PDF Created with deskPDF PDF Writer .0. not every L3 switch can run CEF.0. SW2(config)#ip routing SW2#show ip cef Prefix Next Hop 0. • In turn. 2002-2007 L3 Switching • As with several advanced L3 switching capabilities.Trial :: http://www.

Fast Switching 4. According to Cisco's website.3 Ethernet packets – – • Note that packets with TCP header options are still switched in hardware. That Is) • Exception packets are packets that cannot be hardware switched. © Train Signal. and then performs any necessary encapsulation before forwarding the data to the next hop.docudesk. Here are just a few of the packet types that must be software switched: Packets with IP header options Packets that will be fragmented before transmission (because they're exceeding the MTU) – 802. and so on.Trial :: http://www. it's the IP header options that cause trouble! © Train Signal.. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Switching Options • With so many switching options available today... CEF 3.software switching! Comparing hardware switching to software switching is much like comparing the hare to the tortoise . Inc.com 68 . then nextfastest. here's the order: 1. The name is the recipe the CEF workload is distributed over multiple CPUs. Inc. 2002-2007 Exceptions To The Rule (Of L3 Switching.Tables for L3 Switching • The control plane builds the tables necessary for L3 switching. Distributed CEF (DCEF). Inc. it's hard to keep up with which option is fastest. 2. but it's the data plane that does the actual work! It's the data plane that places data in the L3 switch's memory while the FIB and AT tables are consulted. which leaves us only one option . Process Switching © Train Signal.but these tortoises are not going to win a race.

com 69 . © Train Signal. Inc. Depending on how many VLANs are involved in this configuration. Configuring router-on-a-stick is one way to get inter-VLAN communication going.. but it does have its drawbacks..) • Having configured router-on-a-stick many times. For example. a Catalyst 5000 switch's RSM takes the place of an external router . remember. © Train Signal. I can tell you that it works beautifully. you also learned that a router has to get involved for interVLAN communication.docudesk.no router-on-a-stick needed! © Train Signal. (The port on the router needs to be a FastEthernet port. so you have to be careful as to which router in your network you select for this job. 2002-2007 PDF Created with deskPDF PDF Writer . but we also have the option of using a switch with an internal route processor or Route Switch Module (RSM). If that FastEthernet port goes down. Inc. that's the end of your inter-VLAN traffic. and it requires only a single physical connection from the router to the switch. 2002-2007 Inter-VLAN Communication – Part 2 • Router-on-a-stick does put an extra load on the router's processor as well. they may not get all the bandwidth they need.. 2002-2007 Configuring traffic • Bringing an external router into the picture is one method of configuring inter-VLAN traffic.Inter-VLAN Communication – Part 1 • Since you learned in your CCNA studies that switching only happens on switches and routing only happens on routers. Inc.Trial :: http://www. • The biggest concern I have personally with ROAS is that the router becomes a single point of failure.

the ports on a multilayer switch will all be running in L2 mode by default. Inc.. 2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www.com 70 .Step One • Step One In L3 Switching Troubleshooting: • Make Sure IP Routing Is On! © Train Signal. Inc. 2002-2007 L2 Mode • Remember. © Train Signal. © Train Signal. – You need to create the VLAN before the SVI..docudesk. you need to open the SVI with no shut just as you would open a physical interface after configuring an IP address – Remember that the VLAN and SVI work together. To configure a port as a routing port. there are some simple but important details to keep in mind when configuring SVIs. but they're not the same thing. 2002-2007 Important Details • As always. followed by the appropriate IP address. Inc.. and that VLAN must be active at the time of SVI creation – Theoretically. use the no switchport command. and creating an SVI doesn't create a VLAN. Creating a VLAN doesn't create an SVI.

Hosts are relying on that router as a gateway to send packets to remote networks. • Fallback bridging involves the creation of bridge groups.. are nonroutable protocols.. Inc.Trial :: http://www. If you're running any of these on an CEF-enabled switch. you'll need fallback bridging to get this traffic from one VLAN to another. in the case of SNA and LAT. CEF has a limitation in that IPX. Inc.Fallback Bridging • Odds are that you'll never need to configure fallback bridging. © Train Signal.com 71 . we need two things: – A secondary router to handle the load when the primary goes down – A protocol to get the networks using that secondary protocol as soon as possible © Train Signal. but it falls under the category of "it couldn't hurt to know it". For true network redundancy. If a router goes down.docudesk. LAT. and AppleTalk are either not supported by CEF or. SNA.. and the SVIs will have to be added to these bridge groups. we've obviously got real problems. we'll take as much redundancy as we can get. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Commands • To create a bridge group: MLS(config)# bridge-group 1 • To join a SVI to a bridge group: MLS(config)#interface vlan 10 MLS(config-if)#bridge-group 1 © Train Signal. 2002-2007 Redundancy – Part 1 • In networking. Inc.

just use the ip irdp command.1. it is the ICMP Router Discovery Protocol! • IRDP routers will generate Router Advertisement packets that will be heard by hosts on that segment. it will choose one as its primary and will start using the other router if the primary goes down.2 as their default gateway. • Hosts may also generate Router Solicitation messages.after all. physical router as the default gateway. usually at startup. © Train Signal. they will be using the IP and MAC address of a real. but how they get there is another story. © Train Signal. Inc.when hosts transmit data. IRDP is an extension of ICMP .1. not the IP and MAC address of a virtual router. asking IRDP routers to send Router Advertisement packets.com 72 .Trial :: http://www. MLS(config)# interface serial0 MLS(config-if)# ip irdp © Train Signal. Inc. If a host hears from more than one IRDP router. so let's get to work and hit the details of these four redundancy strategies. the PCs will choose either 172..12. These methods have much the same end result. In the following example. Inc.. 2002-2007 IRDP • IRDP does not involve a virtual router of any kind . 2002-2007 ICMP Router Discovery Protocol • Defined in RFC 1256. It's a story you can expect to be asked about quite a bit on your exam. but you do see it in Cisco routers as well.Redundancy – Part 2 • That second point is so important that Cisco currently offers four separate protocols to expedite the cutover to the secondary router. 2002-2007 PDF Created with deskPDF PDF Writer .12. IRDP is commonly used by Windows DHCP clients and several Unix variations.docudesk.1 or 172.. • To enable IRDP on a router's interface.

© Train Signal. but not a MAC address. HSRP load balancing can be achieved. one unit of 1. the group number is 5. • In this example. Inc. and xx is the group number in hexadecimal. there is a MAC address under the show standby output on R3. They're communicating with a pseudorouter. This virtual router will have a virtual MAC and IP address as well.docudesk.Trial :: http://www. and that primary will handle the routing while the other routers are in standby. we'd see 11 at the end of the MAC address . since all three have an almost immediate cutover to a secondary path when the primary path is unavailable.one unit of 16. How did the HSRP process arrive at a MAC of 00-00-0c-07-ac-05? • Well. That's a good skill to have for the exam. However. HSRP is a Cisco-proprietary protocol in which routers are put into an HSRP router group. the active router. Along with dynamic routing protocols and STP.com 73 . Inc. ready to handle the load if the primary router becomes unavailable. If the group number had been 17. • One of the routers will be selected as the primary. HSRP ensures a high network uptime. HSRP is considered a high-availability network service. a "virtual router" created by the HSRP configuration. most of the work is already done before the configuration is even begun.. which is expressed as 05 with a two-bit hex character. 2002-2007 HSRP – Part 2 • The hosts using HSRP as a gateway don't know the actual IP or MAC addresses of the routers in the group.. The MAC address 00-00-0c-07ac-xx is HSRP's well-known virtual MAC address. Inc. though! By configuring multiple HSRP groups on a single interface. In this fashion. so make sure you're comfortable with hex conversions. 2002-2007 PDF Created with deskPDF PDF Writer . • The standby routers aren't just going to be sitting there.HSRP – Part 1 • Defined in RFC 2281. 2002-2007 IP Address and Virtual Router • An IP address was assigned to the virtual router. since it routes IP traffic without relying on a single router.. © Train Signal. © Train Signal.

you just have to use the preempt option on the standby priority command.the primary. Inc. Inc. but HSRP speakers in the same group should have the same timers.HSRP Speakers • The output of the show standby command also tells us that the HSRP speakers are sending Hellos every 3 seconds. Show standby confirms that R2. R3 is now the standby. © Train Signal. but it's doubtful you'll ever need to do that. a message appears that the local state has changed from standby to active. Inc. © Train Signal. These values can be changed with the standby command. You can even tie down the hello time to the millisecond. © Train Signal.. is now the active router .Trial :: http://www. The preempt command is strictly intended to allow a router to take over as the active router without the current active router going down. with a 10-second holdtime. That's the default behavior of HSRP. with the router with the highest IP address on an HSRP-enabled interface becoming the primary if there is a tie on priority. The default is 100. they're wrong .docudesk. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Priority • Another key value in the show standby command is the priority. 2002-2007 Local State Change • In just a few seconds... We'll raise the default priority on R2 and see the results.com 74 . The router with the highest priority will be the primary HSRP router. So if anyone tells you that you have to take a router down to change the Active router. • What you do not have to do is configure the preempt command if you want the standby to take over as the active router if the current active router goes down. as shown in both show standby outputs. the local router.

The SMI can be upgraded to the EMI. there will be two HSRP groups created for the one VLAN. Not for free. © Train Signal. because not all hardware platforms support multiple groups.docudesk. This is done with the standby mac-address command. Token Ring. R2 will be the primary for Group 1 and R3 will be the primary for Group 2. 2002-2007 PDF Created with deskPDF PDF Writer . SVIs. you may have to change the MAC address assigned to the virtual router. Gig Ethernet switches will have that image. For HSRP load balancing. Inc.Trial :: http://www. you'll need to check the documentation for your software. and FDDI LANs.com 75 . though! • HSRP can run on Ethernet. and Layer 3 portchannels (an Etherchannel with an IP address). Inc.. • HSRP requires the Enhanced Multilayer Software Image (EMI) to run on an L3 switch.. Some HSRP documentation states that Token Ring interfaces can support a maximum of three HSRP groups. 2002-2007 Load Balancing with HSRP • We can do some load balancing with HSRP. but Fast Ethernet switches will have either the EMI or Standard Multilayer Image (SMI). Let's say we have six hosts and two separate HSRP devices. 2002-2007 Some other HSRP notes • HSRP updates can be authenticated by using the standby command with the authentication option. you can configure HSRP on routed ports. • If you're configuring HSRP on a multilayer switch.) © Train Signal. but it's not quite the load balancing you've learned about with some dynamic protocols. Inc. Check your documentation. Just make sure you're not duplicating a MAC address that's already on your network! © Train Signal.Standby macaddress command • On rare occasions.. (In production networks.

3000. It will continue to send Hellos in the Standby and Active states as well. Disabled means that the interface isn't running HSRP yet.. does not yet know which router is the active router.. Other than that. 2002-2007 Multiple HSRP Groups • Note that an HSRP router doesn't send Hellos until it reaches the Speak state. It's listening for hello packets from those routers. and sends Hello messages.The router is now forwarding packets sent to the group's virtual IP address. © Train Signal. Inc. 2002-2007 Speak.The router goes into this state when an HSRPenabled interface first comes up.HSRP States • Disabled . • Initial (Init) -. © Train Signal. • There's also no problem with configuring an interface to participate in multiple HSRP groups on most Cisco routers. HSRP is not yet running on a router in Initial state.) • Listen -. I don't consider it one. but is not the primary or the standby router. Always verify with show standby. • Standby -. but Cisco may.Some HSRP documentation lists this as a state. • Learn -.docudesk. and 4000 routers do not have this capability. .At this point. Standby and Active • Speak -. and it doesn't know the IP address of that router. 2002-2007 PDF Created with deskPDF PDF Writer ..The router is now sending Hello messages and is active in the election of the primary and standby routers. and note that this command indicates that there's a problem with one of the virtual IP addresses! © Train Signal. Inc. • Active -. others do not. Inc.The router now knows the virtual IP address.com 76 . the router has a lot to learn! A router in this state has not yet heard from the active router. it's pretty bright.Trial :: http://www. Some 2500. either.The router is now a candidate to become the active router.

.ac01 (v1 default) Hello time 3 sec. Inc.ac05 (v1 default) Hello time 3 sec. When that interface's line protocol shows as "down".com 77 . This can lead to another HSRP router on the network becoming the active router . hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-5" (default) © Train Signal.10 Active virtual MAC address is unknown Local virtual MAC address is 0000. hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) FastEthernet0/0 .12.34. Inc. but it's a feature that can really come in handy.but that other router must be configured with the preempt option.Show Standby Command – Part 1 R1#show standby FastEthernet0/0 . 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 HSRP Interface Tracking • Using interface tracking can be a little tricky at first.23. Inc.Trial :: http://www. the status of this interface will dynamically change the HSRP priority for a specified group. the HSRP priority of the router is reduced.0c07... this feature enables the HSRP process to monitor an additional interface.12. 2002-2007 Show Standby Command – Part 2 State is Init (virtual IP in wrong subnet) Virtual IP address is 172. © Train Signal.Group 1 State is Listen Virtual IP address is 172.Group 5 © Train Signal. Basically.0c07.docudesk.10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000.

2002-2007 Example – Part 1 R1#show standby FastEthernet0/0 .12. R2 will therefore be handling all the traffic sent to the virtual router's IP address of 172.Trial :: http://www.23..ac01 (v1 default) Hello time 3 sec. R3 has the default priority of 100. making R3 the primary router.0c07. hold time 10 sec Next hello sent in 2. Inc.) © Train Signal. (The default decrement in the priority when the tracked interface goes down is 10. Inc. R2 is the primary due to its priority of 105. the hosts will be unable to reach the server farm.23. last state change 01:08:58 Virtual IP address is 172. 2002-2007 Priority/decrement value Problem • The #1 problem with an HSRP Interface Tracking configuration that is not working properly is a priority / decrement value problem.872 secs Preemption disabled Active router is local Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) © Train Signal.10 Active virtual MAC address is 0000. © Train Signal.12.ac01 Local virtual MAC address is 0000. but there is a potential single point of failure. 2002-2007 PDF Created with deskPDF PDF Writer ..Group 1 State is Active 2 state changes.Default Priority • In the following network. That's fine.10.0c07. Inc.. If R2's Serial0 interface fails.docudesk.com 78 . HSRP can be configured to drop R2's priority if the line protocol of R2's Serial0 interface goes down.

.541: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:12.485: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled *Apr 9 20:15:14.542: HSRP: Fa0/0 API MAC address update *Apr 9 20:15:10.docudesk. changed state to up R1# *Apr 9 20:15:12.554: HSRP: Fa0/0 API Add active HSRP addresses to ARP table R1# *Apr 9 20:15:11.. Inc.541: HSRP: API Hardware state change *Apr 9 20:15:12. Inc.483: HSRP: Fa0/0 Starting minimum interface delay (1 secs) *Apr 9 20:15:13.550: HSRP: Fa0/0 API Add active HSRP addresses to ARP table *Apr 9 20:15:10.Trial :: http://www.12.ac05 (v1 default) Hello time 3 sec.485: HSRP: Fa0/0 Interface min delay expired *Apr 9 20:15:14.34. 2002-2007 Debug Example – Part 2 *Apr 9 20:15:13.0c07.com 79 .483: HSRP: Fa0/0 Interface up *Apr 9 20:15:13.Example – Part 2 FastEthernet0/0 .541: %LINK-3-UPDOWN: Interface FastEthernet0/0.648: %SYS-5-CONFIG_I: Configured from console by console *Apr 9 20:15:12.Group 5 State is Init (virtual IP in wrong subnet) Virtual IP address is 172.546: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:10.545: HSRP: Fa0/0 API Add active HSRP addresses to ARP table © Train Signal. 2002-2007 Debug Example – Part 1 R1#debug standby *Apr 9 20:15:10. changed state to up R1# *Apr 9 20:15:14. Inc.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.485: HSRP: Fa0/0 Grp 1 Init -> Listen *Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Redundancy "hsrpFa0/0-1" state Init ->Backup © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer ..10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000. hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 75 (default 100) Track interface Serial0/0 state Down decrement 25 IP redundancy name is "hsrp-Fa0/0-5" (default) © Train Signal.

2002-2007 VRRP – Part 2 – The physical routers in a VRRP Group combine to form a Virtual Router.Trial :: http://www. VRRP works very much like HSRP. I'm sure you can tell that the primary purpose of the Gateway Load Balancing Protocol (GLPB) is just that . GLBP allows every router in the group to handle some of the load in a round-robin format. and is suited to a multivendor environment.. With GLBP. © Train Signal. – VRRP Advertisements are multicast to 224. Similar to HSRP's Interface Tracking feature. VRRP now has an Object Tracking feature. the hosts think they're sending all of their data to a single gateway. • As with HSRP and VRRP.com 80 . who will all have their gateway address set to the virtual router's address . The operation of the two is so similar that you basically learned VRRP while going through the HSRP section! There are a few minor differences. – "preempt" is a default setting for VRRP routers. but actually multiple gateways are in use at one time. Inc. • GLBP also allows standard configuration of the hosts.VRRP – Part 1 • Defined in RFC 2338.0. – The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx. but accurate load balancing is not among them. (Some VRRP documentation refers to this router as the IP Address Owner. because GLBP is Ciscoproprietary.docudesk. Inc. – As of IOS Version 12. 2002-2007 HSRP and VRRP • HSRP and its open-standard relation VRRP have some great features. some hosts point to gateway B" business we had with HSRP load balancing.the xx is the group number in hexadecimal. © Train Signal. rather than having a primary router handle all of it while the standby routers remain idle. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .) This is the router that has the virtual router's IP address as a real IP address on the interface it will receive packets on.0. a few of which are: – VRRP's equivalent to HSRP's Active router is the Master router.18..3(2)T. Inc. However. – VRRP's equivalent to HSRP's Standby router state is the Backup state. a WAN interface can be tracked and a router's VRRP priority dropped when that interface goes down.none of this "some hosts point to gateway A. VRRP is the open-standard equivalent of the Cisco-proprietary HSRP. and you guessed it .. While both allow a form of load sharing. it's not truly load balancing. GLBP routers will be placed into a router group.load balancing! It's also suitable for use only on Cisco routers.

(If the routers all have the same GLBP priority.com 81 . and this router will send back ARP responses containing virtual MAC addresses. Inc..docudesk. © Train Signal..Trial :: http://www.Key to GLBP • The key to GLBP is that when a host sends an ARP request for the MAC of the virtual router. accomplishing the desired load balancing while allowing standard configuration on the hosts. • Weighted MAC assignments affect the percentage of traffic that will be sent to a given AVF.. the default being round-robin. Inc. host-dependent load balancing is the way to go. The host will then have the IP address of the virtual router and the MAC address of a physical router in the group. The three hosts will have the same Layer 3 address for their gateway. one of the physical routers will answer.) © Train Signal. but a different L2 address. a host that sends an ARP request will receive a response containing the next virtual MAC address in line. © Train Signal. With round-robin assignments. Inc. the more often that particular router's virtual MAC will be sent to a requesting host. the three hosts send an ARP request for the MAC of the virtual router. GLBP offers three different forms of MAC address assignment. • In the following illustrations. the router with the highest IP address will become the AVG. 2002-2007 Active Virtual Gateway • The Active Virtual Gateway (AVG) will be the router with the highest GLBP priority. The virtual MAC addresses are assigned by the AVG as well. 2002-2007 PDF Created with deskPDF PDF Writer . The higher the assigned weight. • If a host or hosts need the same MAC gateway address every time it sends an ARP request. 2002-2007 GLBP’s load balancing • GLBP's load balancing also offers the opportunity to finetune it to your network's needs.

10 • To change the interface priority. Server Load Balancing. 2002-2007 Server Load Balancing • We've talked at length about how Cisco routers and multilayer switches can work to provide router redundancy .1. We'll first add 210. • In the following illustration. © Train Signal. They're represented to the hosts as the virtual server 210. VRRP. MLS(config-if)# glbp 5 ip 172. Inc.Trial :: http://www.1. and also serves to hide the actual IP addresses of the servers in ServFarm. and CLBP all represent multiple physical routers to hosts as a single virtual router.1. not knowing that they're actually communicating with the routers in ServFarm. three physical servers have been placed into the SRB group ServFarm. • The basic operations of SLB involves creating the server farm.1.1.1. Inc.but there's another helpful service. This allows quick cutover if one of the physical servers goes down.1. To allow the local router to preempt the current AVG. 2002-2007 Hosts communication • The hosts will seek to communicate with the server at 210.1.14. The following command will assign the address 172. followed by creating the virtual server.11 MLS(config-slb-real)# inservice © Train Signal.by assigning an IP address to the virtual router. Inc.Command examples • GLBP is enabled just as VRRP and HSRP are . use the glbp preempt command.1.10 to group 5.1.11 to the server farm: MLS(config)# ip slb serverfarm ServFarm MLS(config-slb-sfarm)# real 210. While HSRP. that does the same for servers.com 82 . MLS(config-if)# glbp 5 priority 150 MLS(config-if)# glbp 5 preempt © Train Signal.14.. use the glbp priority command. SLB represents multiple physical servers to hosts as a single virtual server.1.1.docudesk... 2002-2007 PDF Created with deskPDF PDF Writer .

MLS(config-slb-vserver)# client 210. Inc.. The inservice command is required by SLB to consider the server as ready to handle the server farm's workload. The real and inservice commands should be repeated for each server in the server farm.1.Creating Server Farm • The first command creates the server farm.1. 2002-2007 Controlling connections • You may also want to control which of your network hosts can connect to the virtual server.0 0. 2002-2007 PDF Created with deskPDF PDF Writer .255 © Train Signal. If hosts or subnets are named with the client command.com 83 . Inc.Trial :: http://www. The following configuration would allow only the hosts on the subnet 210. Note that this command uses wildcard masks. 2002-2007 IP Telephony & Cisco IP Phones • • • • • • • IP Phone Basics Voice VLANs Voice QoS DiffServ at L2 & L3 Trusting Incoming Values Basics of AVVID Power Over Ethernet © Train Signal.1..docudesk. • To create the virtual server: MLS(config)# ip slb vserver VIRTUAL_SERVER MLS(config-slb-vserver)# serverfarm ServFarm MLS(config-slb-vserver)# virtual 210.0.0.1.14 MLS(config-slb-vserver)# inservice © Train Signal. those will be the only clients that can connect to the virtual server.1.0 /24 to connect to the virtual server.1. Inc. with the real command specifying the IP address of the real server..

2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Link between switch and IP phone • The link between the switch and the IP phone can be configured as a trunk or an access link.docudesk. either. The problem isn’t that the voice traffic will not get to the switch – it simply may take too long. © Train Signal. Inc. I urge you to look into a Cisco voice certification. • Configuring the link as an access link results in voice and data traffic being carried in the same VLAN.. and another will be an access port that will connect to a PC. • Voice and security are the two fastest-growing sectors of our business. They’re not going to slow down anytime soon. you’re okay for now – you’ll be able to understand this chapter with no problem. • Most Cisco IP phones will have three ports..1p – Configure the link tag voice traffic – Configure the link Voice VLAN as an access link as a trunk link and use as a trunk link and do not as a trunk link and specify a © Train Signal. giving the delay-sensitive voice traffic priority over “regular” data handled by the switch. Once you’re done with your CCNP. There are plenty of good vendor-independent VoIP books on the market as well. © Train Signal. Inc. 2002-2007 Four Choices • When it comes to the link between switch and the IP Phone. another to the phone ASIC.com 84 .Voice over IP • If you don’t have much (or any) experience with Voice Over IP (VoIP) yet. we’ve got four choices: – Configure the link – Configure the link 802. Voice traffic is much more delay-sensitive than data traffic.. Inc.Trial :: http://www. which can lead to delivery problems with the voice traffic. Configuring this link as a trunk gives us the advantage of creating a voice VLAN that will carry nothing but voice traffic while allowing the highest Quality of Service Possible. One will be connected to a Catalyst switch. I say “for now” because all of us need to know some basic VoIP.

That inclues video. 2002-2007 Details you should know about – Part 1 • As always. – CDP must be running on the port leading to the IP phone. respectively..Dot1p Option • The dot1p option has two effects: – The IP Phone grants voice traffic high priority – Voice traffic is sent through the default voice native VLAN. 2002-2007 Details you should know about – Part 2 – You can configure voice VLANs on ports running port security or 802. Portfast is NOT automatically disabled.. – Voice VLANs are supported only on L2 access ports. The commands to perform these tasks are mls qos and the interfacelevel command mls qos trust cos.1x authentication. © Train Signal. – Particularly when implementing video conferencing. and data! Cisco also recommends that voice and video combined not exceed 33% of a link’s bandwidth.. Inc. there are just a few details you should be aware of when configuring: – When Voice VLAN is configured on a port. Inc.Trial :: http://www. CDP should be globally enabled on all switch ports. voice.com 85 . Portfast is automatically enabled – but if you remove the Voice VLAN. This allows for network control traffic to flow through the network and helps to prevent jitter as well. make sure your total overall traffic doesn’t exceed 75% of the overall available bandwidth. – Cisco recommends that QoS be enabled on the switch and the switch port connected to the IP phone be set to trust incoming CoS values. VLAN 0 © Train Signal. but take a few seconds to make sure with show cdp neighbor.docudesk. It is recommended that port security be set to allow more than one secure MAC address. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. © Train Signal.

© Train Signal. The device that wants to transmit the traffic does not do so until a reserved path exists from source to destination..Trial :: http://www. Inc. instead. 2002-2007 PDF Created with deskPDF PDF Writer . but we’ve got three main enemies when it comes to successful voice transmission: – Jitter – Delay – Packet Loss © Train Signal. is far superior to best-effort. © Train Signal. Where IntServ reserves an entire path in advance for the entire voice packet flow to use. and that reservation involves creating a high-priority path in advance of the voice traffic’s arrival. DiffServ makes its QoS decisions on a per-hop basis as the flow traverses the network. Inc. or IntServ.com 86 . or DiffServ. DiffServ does not reserve bandwidth for the flow. • The Integrated Services Model. Best-effort works fine for UDP. but not for voice traffic. The creation of this path is sometimes referred to as Guaranteed Rate Service (GRS) or simple Guaranteed Service.. I grant you that’s a poor excuse for a compliment! IntServ uses the Resource Reservation Protocol (RSVP) to do its job. 2002-2007 DiffServ • That issue is address with the Differentiated Services Model..docudesk. 2002-2007 QoS • Best-effort delivery is the QoS you have when you have no explicit QoS configuration – the packets are simply forwarded in the order in which they came into the router. Inc.Three Main Enemies • I mentioned jitter earlier.

with all the differences between these two that you’ve already mastered.com 87 . 2002-2007 PDF Created with deskPDF PDF Writer . • The dot1q tag has a User field as well. as you’ll see.1p priority bits that make up the CoS value. the CoS is used by the switch to make decisions on what QoS. Inc. You might not know that another value – a Code of Service (CoS) value – can also be placed on that frame. this is easy! © Train Signal.Trial :: http://www.. but this field is built a little differently. and classification is taking the appropriate approach to queueing and transmitting that data according to that value. Inc. 2002-2007 Code of Service – Part 1 • You know that the physical link between two switches is a trunk. This process is Per-Hop Behavior (PHB). • The core tasks of DiffServ QoS are marking and classification. Inc.. (They are two separate operations. and you know that the VLAN ID is tagged on the frame before it goes across the trunk. 2002-2007 Code of Service – Part 2 • The ISL tag includes a 4-bit User field. ISL and IEEE802.. the last three bits of that field indicated the CoS value. • It certainly won’t surprise you to find that our trunking protocols.) Marking is the process of tagging data with a value.DiffServ Model • The DiffServ model allows each network device along the way to make a separate decision on how best to forward the packet towards its intended destination.1Q (“dot1q”) handle CoS differently. I know I don’t have to tell you this. but three binary bits give us a range of decimal values of 0 – 7. if any. and again that gives us a decimal range of 0-7. but they work very closely together. Dot1q’s User fields has three 802. © Train Signal. Where the VLAN ID indicates the VLAN whose hosts should receive the frame. the frame should receive. rather than having all forwarding decisions made in advance. Hey. © Train Signal.docudesk.

ToS
• The IP ToS byte consists of...
– an IP precedence value, generally referred to as IP Prec (3 bits) – a Type Of Service Value (4 bits) – a zero (1 bit)

• DiffServ uses this 8-bit field as well, but refers to this as the Differentiated Services (DS) field. The DS byte consists of...
– a Differentiated Service Code Point value (DSCP, 6 bits, RFC 2474) – an Explicit Congestion Notification value (ECN, 2bits, RFC 2481)

• The 6-bit DSCP value is itself divided into two parts
– a Class Selector value, (3 bits) – a Drop Precedence value (3 bits)
© Train Signal, Inc., 2002-2007

Class Selector Values
• Here’s a quick description of the Class Selector values and their meanings:
– Class 7 (111) – Network Control, and the name is the recipe – this value is reserved for network control traffic (STP, routing protocol traffic, etc.) – Class 6 (110) – Internetwork Control, same purpose as Network Control – Class 5 (101) – Expedited Forwarding (EF, RFC 2598) – Reserved for voice traffic and other time-critical data. Traffic in this class is practically guaranteed not to be dropped. – Classes 1-4 (001 – 100) – Assured Forwarding (AF, RFC 2597) – These classes allow us to define QoS for traffic that is not as time-critical as that in Class 5, but that should not be left to besteffort forwarding, which is... – Class 0 (000) – Best-effort forwarding. This is the default.
© Train Signal, Inc., 2002-2007

Assured Forwarding classes
• We’ve got four different classes in Assured Forwarding, and RFC 2597 defines three Drop Precedence values for each of those classes:
– High – 3 – Medium – 2 – Low – 1

• The given combination of any class and DP value is expressed as follows: AF (Class Number)(Drop Precedence) • That is, AF Class 2 with a DP of “high” would be expressed as: “AF23”
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

88

Other Techniques
• We’ve talked at length about using a priority queue for voice traffic, but there are some other techniques we can use as well. As with any other QoS, the classification and marking of traffic should be performed as close to the traffic source as possible. Access-layer switches should always perform this task, not only to keep the extra workload off the core switches but to ensure the end-to-end QoS you wanted to configure is the QoS you’re getting. • Another method of improving VoIP quality is to configure RTP Header Compression. This compression takes the IP/UDP/RTP header from its usual 40 bytes down to 2-4 bytes. • RTP header compression is configured with the interface-level ip rtp header-compression command, with one option you should know about – passive. If the passive option is configured, outgoing packets are subject to RTP compression only if incoming packets are arriving compressed.
© Train Signal, Inc., 2002-2007

AVVID – Part 1
• Cisco’s Architecture for Voice, Video, and Integrated Data (AVVID) is a comprehensive network architecture approach which integrates Voice and Video into an existing Data network. (But you knew that from the name, right?) • A PDF available on Cisco’s website lists these five AVVID components as primary concerns:
– – – – – High Availability Quality of Service Security Enterprise Mobility Scalability
© Train Signal, Inc., 2002-2007

AVVID – Part 2
• Basically, AVVID is designed to take an organization’s existing infrastructures and combine them into one large infrastructure. Cisco’s theory holds that doing so will reduce overall costs while preparing the infrastructure to run the latest and greatest Cisco technologies. Storage Networking is becoming more and more important every day, and is also an important part of an AVVID design.
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

89

Wide-Ranging AVVID
• To show you how wide-ranging AVVID is, a single AVVID infrastructure is designed to hold all of the following hardware:
– – – – – – – Cisco routers Cat switches IP phones Voice trunking Cisco Call Manager Analog and digital gateways to the PSTN Voice modules
© Train Signal, Inc., 2002-2007

POE
• With POE, the electricity necessary to power the IP Phone is actually transferred from the switch to the phone over the UTP cable that already connects the two devices. • Not every switch is capable of running POE. Check your particular switch’s documentation for POE capabilities and details. • The IEEE standard for POE is 802.3af. There is also a proposed standard for High-Power POE, 802.3at. To read more than you’d ever want to know about POE, visit http://www.poweroverethernet.com.
© Train Signal, Inc., 2002-2007

POE-capable switches – Part 1
• By default, ports on POE-capable switches do attempt to find a device needing power on the other end of the link. We’ve got a couple of options for POE as well: SW4(config)#int fast 1/0/1 SW4(config-if)#power inline ? auto Automatically detect and power inline devices consumption Configure the inline device consumption never Never apply inline power static High priority inline power interface
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

90

where a Wireless Access Point (WAP) is used to allow multiple devices to intercommunicate. The area of coverage the WAP provides is called a cell. so check your switch’s documentation ‘carefully’ before using POE.com 91 . The SSID is the public name of the wireless network. 2002-2007 WLAN • A common wireless topology is an Infrastructure Wireless Local Area Network (WLAN) .Trial :: http://www.POE-capable switches – Part 2 • The Auto setting is the Default.. the never option disables POE on that port.. A SSID is simply a string of text. The consumption option allows you to set the level of power sent to the advice: SW4(config-if)#power inline consumption ? • And naturally.. Inc. also called a Basic Service Set (BSS). Forming this association usually requires the host to present required authentication and/or the correct Service Set Identifier (SSID). 2002-2007 Wireless Networking • • • • • • Wireless Basics and Standards Antenna Types and Usage CSMA/CA CCX Program The Lightweight Access Point Protocol Aironet System Tray Utility © Train Signal. SSIDs are case-sensitive and can be up to 32 characters in length. POE options and capabilities differ from one device to the next. Inc. and as any of us who have used wireless networks know.docudesk. © Train Signal. that cell can shrink and grow without warning! • Hosts successfully connecting to the WAP in a BSS are said to have formed an association with the WAP. © Train Signal. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .

2002-2007 Active and Passive scanning • What we do know is that there are two different methods the client can use to find the next AP . or roaming user.docudesk. I'll call it an AP for the rest of this section. • Passive scanning is just what it sounds like . wireless vendors keep us guessing on this one.active scanning and passive scanning. • Open system is basically one station asking the receiving station "Hey.11 WLAN standards have two different authentication schemes open system and shared key.. Inc. © Train Signal. keep wondering. 2002-2007 WLAN Authentication (And Lack of Same) • Of course. shared key is the authentication system you're more familiar with. With active scanning. © Train Signal. will (theoretically) always be in the provider's coverage area.AP vs. :) Seriously. 2002-2007 PDF Created with deskPDF PDF Writer . WAP • Cisco uses the term AP instead of WAP in much of their documentation. just be prepared to see this term expressed either way on your exam and in network documentation. since open system is a little too open! Shared key uses Wired Equivalent Privacy (WEP) to provide a higher level of security than open system.Trial :: http://www. Those of us who are roaming users understand the "theoretical" part! • Speaking as a roaming user. • APs can also be arranged in such a way that a mobile user. If multiple Probe Responses are heard. No Probe Request frames are sent. Inc..the client listens for beacon frames from APs.. since they all use different standards on when that cutover needs to be performed. the client chooses the most appropriate WAP to use in accordance with vendor standards. did you ever wonder how your wireless card decides to quit using its current AP and start using the next one in line? Well. © Train Signal. Inc. They're both pretty much what they sound like. do you recognize me?" • Hopefully. • A BSS operates much like a hub-and-spoke network in that all communication must go through the hub.com 92 . the client sends Probe Request frames and then waits to hear Probe Responses. which in this case is the AP. you don't want just any wireless client connecting to your WLAN! The 802.

the Wi-Fi Alliance (their home page is http://wi-fi. the Lightweight Extensible Authentication Protocol. • Cisco's proprietary version of EAP is LEAP. but not with all early APs. WPA was adopted by many wireless equipment vendors while the IEEE was working on a higher standard as well.A Giant LEAP Forward • The Extensible Authentication Protocol (EAP) was actually developed originally for PPP authentication. a higher standard for wireless security. not static. so a different key is generated upon every authentication © Train Signal. both WPA and WPA2 are major improvements over WEP. 802.. 2002-2007 Wi-Fi Alliance • Recognizing the weaknesses inherent in WEP. but has been successfully adapted for use in wireless networks. RFC 3748 defines EAP. Many wireless devices. Inc.docudesk.Trial :: http://www. the Wi-Fi Alliance improved the original WPA standards.but it wasn't adopted by every vendor. As you might expect. particularly those designed for home use. 2002-2007 WPA and WPA2 • To put it lightly. 2002-2007 PDF Created with deskPDF PDF Writer ..com 93 . Inc. As a result. LEAP has several advantages over WEP: – There is two-way authentication between the AP and the client – The AP uses a RADIUS server to authenticate the client – The keys are dynamic. • Basically. © Train Signal. and came up with WPA2.11i. Inc. offer WEP as the default protection . not all older wireless cards will work with WPA2. Their answer was Wi-Fi Protected Access (WPA).so don't just click on all the defaults when you're setting up a home wireless network! The WPA or WPA2 password will be longer as well they're actually referred to as passphrases.org) saw the need for stronger security features in the wireless world. WPA is considered to work universally with wireless NICs. • When the IEEE issued 802. © Train Signal..11i . Sadly. many users will prefer WEP simply because the password is shorter.

11b/g".4 GHz. Indoor range is 100 feet. and the presence of a microwave in an office can actually cause connectivity issues. but it couldn't hurt to keep the official name in mind for your exam. © Train Signal.11g are compatible to the point where many wireless routers and cards that use these standards are referred to as "802. Operating frequency is 2. 802. you'll almost always here them call ad hoc networks. In the real world. not directly. The official name for an ad hoc WLAN is an Independent Basic Service Set (IBSS).11g and 802.4 GHz band. but microwave ovens also share the 2.11a.11a has a typical data rate of 25 MBPS. Indoor range is 100 feet. 2002-2007 802..11n has a typical data rate of 200 MBPS. Operating frequency is either 2. 802.Trial :: http://www.4 GHz or 5 GHz. • 802.com 94 .11b has a typical data rate of 6. and an indoor range of 160 feet. In an ad hoc WLAN ("wireless LAN").11n • You can have trouble with 802. the wireless devices communicate with no AP involved.5 MBPS. Operating frequency is 5 GHz.IBSS • APs are not required to create a wireless network. but can reach speeds of 11 MBPS. 2002-2007 PDF Created with deskPDF PDF Writer .docudesk. a peak data rate of 54 MBPS. © Train Signal.. • 802. Inc.11g has a typical data rate of 25 MBPS. Inc. but can reach speeds of 54 MBPS.11g • 802. or just "b/g"..4 GHz. 2002-2007 802.11b. (And you thought they were just annoying when people burn popcorn in the office microwave!) Solid objects such as walls and other buildings can disturb the signal in any bandwidth. • 802. © Train Signal. 802. Inc. Operating frequency is 2.11g from an unexpected source – popcorn! Well.11b and 802. a peak data rate of 540 MBPS. and an indoor range of 100 feet.

The transmission speed was greatly improved with IrDA 1. and even that might not be enough . we can't just call these antennae by one name! Yagis are also known as pointto-point and directional antenna. Inc. which means it must be aligned correctly and kept that way. • Keep in mind that neither IrDA standard has anything to do with radio frequencies . © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .like the ones who connect to the Net while eating lunch! © Train Signal..docudesk. Inc. • In contrast. The unidirectional signal a Yagi antenna sends makes it particularly helpful in bridging the distance between APs. but the IrDA is concerned with standards for transmitting data over infrared light. the hardware must be 1. Yagi antennas are sometimes called directional antennas. Omni antennas are also known as omnidirectional and point-to-multipoint antenna. The multidirectional signal sent by Omni antennas help connect hosts to APs.com 95 . © Train Signal. • Both Yagi and Omni antennas have their place in wireless networks. Inc. including roaming laptop users -. Which doesn't sound like fun..0 only allowed for a range of 1 meter and transmitted data at approximately 115 KBPS.1.1 compliant. 2002-2007 Antenna Types – Part 1 • A Yagi antenna (technically. The two standards are compatible.. 2002-2007 Antenna Types – Part 2 • Since this is networking.Trial :: http://www. • The IrDA notes that to reach that 4 MBPS speed. the full name is "Yagi-Uda antenna") sends its signal in a single direction.the software may have to be modified as well. IrDA 1. an Omni ("omnidirectional") antenna sends a signal in all directions on a particular plane.only infrared light streams. which has a theoretical maximum speed of 4 MBPS. since they send their signal in a particular direction.Infrared Data Association (IrDA) • The IrDA is another body that defines specifications.

wireless LANs will use IEEE standard 802.11. • The website name is a little long to put here.Cisco also certifies wireless devices that are guaranteed to run a desired wireless feature.com 96 . and you’ll see where the “avoidance” part of CSMA/CA comes in.they're half-duplex so traditional collision detection techniques cannot work. Instead. © Train Signal. The formula for computing Backoff Time is beyond the scope of the BCMSN exam. and it may well change.. • "How The $&!(*% Can I Figure Out Which Equipment Supports Which Features?" • A valid question! :) • Thankfully. Inc.the Cisco Compatible Extension (CCX) website. • Let’s walk through an example of Wireless LAN access. The key rule of DCF is that when a station wants to send data.. but don't trust them to verify wireless capabilities! © Train Signal. I'm sure they're great at what they do. Cisco's got a great tool to help you out . • The foundation of CSMA/CA is the Distributed Coordination Function (DCF). you may just wonder. 2002-2007 DCF-speak • In DCF-speak. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. and that random value helps avoid collisions. but the computation does involve a random number.. and then sends frames.. CSMA/CA. In our example. waits for the DIFS timer to expire.CSMA/CA • With "Wireless LANs". Wireless LANs can't listen and send at the same time .you'll get the Chicago Climate Exchange. Don't just enter "CCX" in there . (Carrier Sense Multiple Access with Collision Avoidance). © Train Signal. so I recommend you simply enter "Cisco compatible extension" into your favorite search engine .. Inc. 2002-2007 The Cisco Compatible Extensions Program • When you're looking to start or add to your wireless network.. Host A finds the wireless channel to be idle. the station must wait for the Distributed Interframe Space (DIFS) time interval to expire before doing so. this random amount of time is the Backoff Time.you'll find the site quickly. life isn't so simple. Cisco certification isn't just for you and I .docudesk.Trial :: http://www.

the WLAN Controller. Quality of Service (QoS) policies. we really need some kind of central authority to ensure that a consistent access policy is successfully implemented.make sure to do your research before purchasing! © Train Signal. This communication takes place via LWAPP. the icon will change color to indicate signal strength and other important information. the colors aren't exactly intuitive. ensuring that each LAP is consistently enforcing the same set of wireless network access rules and regulations. which communicates with Lightweight Access Points (LAP). 2002-2007 PDF Created with deskPDF PDF Writer .. The Aironet System Tray Utility (ASTU) gives us that information and a lot more. The WLAN Controller than informs the LAPs of these policies and procedures. Inc. • Problem is.Trial :: http://www. © Train Signal. • Many Cisco Aironet access points can operate autonomously or as an LAP. with the LAPs serving as the other players. 2002-2007 WLAN Controller • The WLAN Controller is basically the quarterback of the WLAN. Here are a few of those models: – 1230 AG Series – 1240 AG Series – 1130 AG Series • Some other Aironet models have circumstances under which they cannot operate as LAPs . Inc. The WLAN Controller will be configured with security procedures. so we better know what they mean! Here's a list of ASTU icon colors and their meanings.com 97 .. and more. mobile user policies.. • By no small coincidence. 2002-2007 Aironet System Tray Utility • We're all familiar with the generic icon on a laptop or PC that shows us how strong (or weak) our wireless signal is. © Train Signal.The Lightweight Access Point Protocol (LWAPP) • As our wireless networks get larger and larger. the LightWeight Access Point Protocol. Inc. Cisco has developed such an authority as part of their Cisco Unified Wireless Network .docudesk. Instead of just indicating how strong the wireless signal is.

Connection to AP is present. and you are authenticated via EAP if necessary. and signal strength is very good. Inc. • Dark Gray . but you are *not* EAP-authenticated. and white means the adapter is disabled.Connection to AP is present. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. • Yellow . • Green .Red. Inc. • Light Gray . Distribution. light gray indicates a lack of EAP authentication.Trial :: http://www. 2002-2007 Network Design and Models • • • • • • Core.docudesk. Yellow and Green • Red . but signal strength is fair.com 98 . you are connected to an AP and are authenticated if necessary. just substitute "remote client" for "AP" in the above list..Client adapter is disabled. 2002-2007 EAP Authentication • If you're connecting to an ad hoc network. green. • White . but that the signal strength is low. Access Layers Enterprise Composite Network Model Server Farm Block Network Management Block Enterprise Edge Block Service Provider Edge Block © Train Signal.No connection to AP is present.Again. dark gray means there is no connection to an AP or remote client.. © Train Signal. The key is to know that red. © Train Signal..This does not mean that you don't have a connection to an access point! It means that you do have connectivity to an AP. and yellow are referring to signal strength. EAP authentication is in place if necessary.

© Train Signal. and let distribution-layer switches handle routing. It's vital to keep any extra workload off the core switches.Trial :: http://www.switches that can handle both the routing and switching of data. We'll go into much more detail regarding QoS in another section.The Core Layer • The term core switches refers to any switches found here. and allow them to do what they need to do . 2002-2007 Core Switches – Part 2 • Core layer switches are usually the most powerful in your network. so examine your particular network's requirements and switch documentation thoroughly before making a decision on purchasing core switches.docudesk.. © Train Signal. 2002-2007 Core Switches – Part 1 • Today's core switches are generally multilayer switches . 2002-2007 PDF Created with deskPDF PDF Writer . Switches at the core layer allow switches at the distribution layer to communicate. Inc. so we've got to optimize data transport. and this is more than a full-time job. Advanced QoS is generally performed at the core layer. so we're going to leave most frame manipulation and filtering to other layers. Remember. The throughput of core switches must be high.switch! • The core layer is the backbone of your entire network. That's it! The core layer is the backbone of our network. © Train Signal. capable of higher throughput than any other switches in the network. the core layer. know that QoS is basically high-speed queueing where special consideration can be given to certain data in certain queues. Inc. Leave ACLs and other filters for other parts of the network.com 99 . • The exception is Cisco QoS. but for now.. so we're interested in high-speed data transfer and very low latency. or Quality of Service. Inc. everything we do on a Cisco router or switch has a cost in CPU or memory.. We want our core switches to handle switching.

© Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . That's one reason you'll find powerful multilayer switches at this layer .so redundant uplinks are vital. VLAN membership is handled at this layer. © Train Signal. Inc.switches that work at both L2 and L3. they've got to have quite a few to connect to both the access and core switches. so fault tolerance needs to be as high as you can possibly get it.Part 1 • End users communicate with the network at this layer. This is the nerve center of your entire network. The accesslayer switches are all going to have their uplinks connecting to these switches. • Distribution-layer switches must be able to handle redundancy for all links as well.hey.. 2002-2007 The Access Layer .com 100 . The uplinks should also be scalable to allow for future network growth.Redundancy • We always want redundancy. but you want a lot of redundancy in your core layer. Inc. © Train Signal. since the access layer is busy with end users and we want the core layer to be concerned only with switching. so not only do the distribution-layer switches have to have high-speed ports and links. The distribution layer is also where routing should take place when utilizing multilayer switches. not routing.Trial :: http://www. Examine your network topology closely and check vendor documentation before making purchasing decisions on distribution-layer switches.docudesk. when isn't redundancy important? . Inc. 2002-2007 The Distribution Layer • The demands on switches at this layer are high.. Root bridges should also be located in the core layer whenever possible. as well as traffic filtering and basic QoS. • Redundancy is important at this layer as well ..

) Collision domains are also formed at the access layer..docudesk. high switchport-to-user ratio". © Train Signal. © Train Signal. A good rule of thumb for access switches is "low cost. Inc. Devices in a switch block work together to bring network access to a unit of the network.Trial :: http://www. such as a single building on a college campus or in a business park. and again. A campus network is basically a series of LANs that are interconnected by a backbone. 2002-2007 PDF Created with deskPDF PDF Writer . but a month from now you might just wish you had bought a 24-port switch. © Train Signal. This is particularly true of the Enterprise Composite Network Model. 2002-2007 Switch blocks • Switch blocks are units of access-layer and distribution-layer devices. Don't assume that today's sufficient port density will be just as sufficient tomorrow! • You can perform MAC address filtering at the access layer.The Access Layer . Inc. which is one popular model used to design campus networks.Part 2 • You also want your access layer switches to have as many ports as possible. Inc. I want to remind you that networking models are guidelines. 2002-2007 The Enterprise Composite Network Model • This model is much larger than the Cisco threelayer model. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches. although hopefully there are easier ways for you to perform the filtering you need. plan for future growth... which have both L2 and L3 capabilities (found at the distribution layer). A 12-port switch may be fine one week.com 101 . (MAC filtering is a real pain to configure. and should be used as such. as you'll see in just a moment.

switch. © Train Signal. The core block is the collection of core switches.docudesk. which is the backbone mentioned earlier. and it's the major reason that I'll keep mentioning that we want the access and distribution layers to handle as many of the "extra" services in our network whenever possible.. 2002-2007 Few Factors • The design of such a network is going to depend on quite a few factors .Core blocks • Core blocks consist of the high-powered core switches. again) • In turn. the physical layout of the building or buildings involved being just two of them .so again. This is a tremendous responsibility. Inc. We want the core switches to be left alone as much as possible so they can concentrate on what they do best . Inc. Inc. the Campus Infrastructure module consists of these modules: – Building Access module (Access-layer devices) – Building Distribution module (Distribution-layer devices) – Campus Backbone (Interconnects multiple Distribution modules) © Train Signal.com 102 .Trial :: http://www.the number of LANs involved. The access and distribution layer switches are referred to as the switch blocks. remember that these models are guidelines. © Train Signal.. Helpful guidelines.. and these core blocks allow the switch blocks to communicate. 2002-2007 Model Parts • Overall. there are three main parts of this model: – The Enterprise Campus – The Enterprise Edge – The Service Provider Edge • The Enterprise Campus consists of the following modules: – – – – Campus Infrastructure module Server Farm module Network Management module Enterprise Edge (yes. 2002-2007 PDF Created with deskPDF PDF Writer . though! • The Enterprise Composite Network Model uses the term block to describe the three layers of switches we just described.

© Train Signal.com 103 . and intruder detection tools are found in almost every campus network today.. Inc. syslog servers. we're not going to have much of a network without servers! In a campus network. Inc. Smaller networks can use a collapsed core. where certain switches will perform both as distribution and core switches.in today's networks. the network management block. the server farm block will be a separate switch block. or frankly..Trial :: http://www. The point at which the switch block ends and the core block begins is very clear. network monitoring tools. © Train Signal. © Train Signal.Dual Core • The core design shown here is often referred to as dual core. 2002-2007 The Network Management Block • Network management tools are no longer a luxury . 2002-2007 Server Farm Block • As much as we'd like to get rid of them sometimes. and core layers shown here is sometimes referred to as the Campus Infrastructure. Inc. they're a necessity. referring to the redundant fashion in which the switch blocks are connected to the core block. may not be able to afford such a setup..docudesk. The combination of access. All of these devices can be placed in a switch block of their own. complete with access and distribution layer switches. • A smaller network may not need switches to serve only as core switches. AAA servers. distribution. 2002-2007 PDF Created with deskPDF PDF Writer .

Trial :: http://www. 2002-2007 Bonus Video: Queueing • • • • Weighted Fair Queueing Class Maps & Policy Maps Priority Queueing Custom Queueing © Train Signal.. and this block of the routers and switches needed to give the needed WAN connectivity to the rest of the campus network.Internet and WAN connectivity – Part 1 • Internet and WAN connectivity for a campus network is a two-block job . 2002-2007 Internet and WAN connectivity – Part 2 • While the Service Provider Edge Block is considered part of the campus network model. Now you know why we want to dedicate as much of these switches' capabilities to pure switching we're going to need it! © Train Signal.. Inc. the other we do not. 2002-2007 PDF Created with deskPDF PDF Writer . and is the final piece of the Internet connectivity puzzle for our campus network. © Train Signal..one block we have control over. Inc.com 104 . Inc. we have no control over the actual structure of this block.docudesk. we don't really care! The key here is that this block borders the Enterprise Edge Block. And frankly. The Enterprise Edge Block is indeed the edge of the campus network. • Take a look at all the lines leading to those core switches.

and CBWFQ does involve access list configuration. First Out • FIFO is just what it sounds like . © Train Signal. © Train Signal. but shouldn't the network administrator be deciding which flows should be transmitted first. low-bandwidth conversations. Class-Based Weighted Fair Queueing (CBWFQ) that allows manual configuration of queueing . rather than the router?" Good question! There's an advanced form of WFQ. If you've got traffic that's especially timesensitive such as voice and video. 2002-2007 WFQ • What's so "fair" about Weighted Fair Queueing (WFQ)? WFQ prevents one particular stream of network traffic. • Flow-Based WFQ takes these packet flows and classifies them into conversations.com 105 . from using most or all of the available bandwidth while forcing other streams of traffic to sit and wait. high-bandwidth conversations. These flows are defined by WFQ and require no access list configuration.Trial :: http://www. Inc.there is no priority traffic. and then splits the remaining bandwidth fairly between the noninteractive.. Inc. FIFO may be all you need. no traffic classes.. 2002-2007 First Reaction to WFQ • The first reaction to WFQ is usually something like this: "That sounds great. Inc. FIFO is not your best choice. FIFO is fine for many networks. © Train Signal. or flow. and if you have no problem with network congestion.. WFQ gives priority to the interactive. no queueing decision for the router to make.First In.docudesk. Flow-based WFQ is the default queueing scheme for Serial interfaces running at E1 speed or below. 2002-2007 PDF Created with deskPDF PDF Writer .

We can assign only 1158 kbps of a T1 interface's bandwidth in the policy map.Trial :: http://www.CBWFQ • CBWFQ configuration does have its limits. Inc.it's a very common error with CBWFQ configurations. Always go with a minimum of 75% of available bandwidth. 2002-2007 Available Bandwidth • Why is 358 Kbps all that's available? Start with the bandwidth of a serial interface. 2002-2007 PDF Created with deskPDF PDF Writer . Don't jump to the conclusion that bandwidth 64 is the proper command to use when you've got a 64 kbps link and you want to enable voice traffic to use all of it.com 106 . We have already assigned 800 kbps to class 17210100. 2002-2007 Reservable bandwidth • The "reservable bandwidth" referenced in this command isn't just the bandwidth assigned in CBWFQ. Only 75% of that bandwidth can be assigned through CBWFQ. It also includes bandwidth allocated for the following: – – – – – Low Latency Queueing (LLQ) IP Real Time Protocol (RTP) Priority Frame Relay IP RTP Priority Frame Relay PVC Interface Priority Queueing Resource Reservation Protocol (RSVP) © Train Signal. By default. Inc..docudesk. © Train Signal. because 25% is reserved for network control and routing traffic. • Keep this 75% rule in mind . you can't assign over 75% of an interface's bandwidth via CBWFQ. and don't forget all the other services that will need bandwidth as well! © Train Signal. and 1544 x .75 = 1158. Inc. 1544 kbps... leaving only 358 kbps for other classes.

© Train Signal. Basically.. What if this were voice traffic that needed to go to the head of the line? Tail drop offers no mechanism to look at a packet and decide that a packet already in the queue should be dropped to make room for it. Inc. When the TCP senders all increase their transmission rate at the same time. First.Trial :: http://www. this isn't a very discriminating way to drop traffic. © Train Signal. • As the transmission slows. the senders are either sending too little or too much traffic at any given time. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Dropped packets • Packets dropped due to tail drop result in the TCP senders reducing their transmission rate. and the entire process begins all over again. © Train Signal. • All TCP senders will gradually increase their transmission speed as a result of the reduced congestion . but there are two major issues with it. • The other issue with tail drop is TCP global synchronization. 2002-2007 TCP Global Synchronization • The result of TCP global synchronization? When the TCP sender simultaneously slow their transmission... Inc.which results in congestion occurring all over again. Inc.docudesk. packets are dropped and must be retransmitted.Tail Drop • Tail drop may be the default. the bandwidth is oversubscribed. the congestion is reduced. This is a result of TCP's behavior when packets are lost. that results in underutilization of the bandwidth.com 107 .

allowing us to avoid the jitter that comes with voice traffic that is not given the needed priority queueing. © Train Signal. so the queue-limit and priority commands are mutually exclusive. Inc. Low Latency Queueing (LLQ) is an "add-on" to CBWFQ that creates such a strict priority queue for such traffic. Inc. but the decision of which packets will be dropped is still random. – By its very nature. The random-detect and priority commands can't be used in the same class. it shouldn't surprise you to learn that the command to enable LLQ is priority. but what we're looking for is a guarantee (or something close to it) that data adversely affected by delays is given the highest priority possible. primarily voice traffic. there are a couple of commands and services we've mentioned that don't play well with LLQ: – WRED and LLQ can't work together. WRED will drop packets from other queues before dropping any from the priority queue. (Cisco recommends that you use an LLQ priority queue only to transport Voice Over IP traffic. and the voice traffic that will use LLQ's priority queue is UDP-based. If the priority queue becomes full.RED and WRED • To avoid the TCP Global Synchronization problems. WRED uses either a packet's IP Precedence or Differentiated Services Code Point (DSCP) to decide which packets should be dropped. 2002-2007 PDF Created with deskPDF PDF Writer ... LLQ doesn't have strict queue limits. 2002-2007 Before LLQ Configuration • Before we configure LLQ. RED will proactively drop packets before the queue gets full. 2002-2007 CBWFQ • CBWFQ is definitely a step in the right direction.docudesk. • WRED gives the best service it can to packets in a priority queue.. Inc.com 108 .Trial :: http://www. Why? Because WRED is effective only with TCP-based traffic. Random Early Detection (RED) or Weighted Random Early Detection (WRED) can be used in place of Tail Drop. © Train Signal. – Finally.) • Since we're mentioning "priority" so often here. © Train Signal. the bandwidth and priority commands are also mutually exclusive.

.1. 2002-2007 Priority Queueing • The "next level" of queueing is Priority Queueing (PQ).com 109 .Example R2#show access-list Extended IP access list 155 permit udp 210. where four predefined queues exist: High.0. © Train Signal. and Low.0 0. Traffic is placed into one of these four queues through the use of access lists and priority lists.1.1. 2002-2007 Predefined queues – Part 1 • These four queues are predefined..1. Medium.0 0.0.255 220.0. Normal. 2002-2007 PDF Created with deskPDF PDF Writer .0.0.0.0 0.255 range 20000 21000 R2(config)#class-map VOICE_TRAFFIC_PRIORITY R2(config-cmap)#match access-group 155 R2(config)#policy-map VOICE R2(config-pmap)#class VOICE_TRAFFIC_PRIORITY R2(config-pmap-c)#priority 45 R2(config-pmap-c)#class class-default R2(config-pmap-c)#fair-queue R2(config-pmap-c)#interface serial0 R2(config-if)#service-policy output VOICE © Train Signal. as are their limits: – High-Priority Queue: 20 Packets – Medium-Priority Queue: 40 Packets – Normal-Priority Queue: 60 Packets – Low-Priority Queue: 80 Packets © Train Signal.0.1.1. making HQ and LLQ the queueing solutions to use when a priority queue is needed.255 range 17000 18000 permit udp 210.docudesk.Trial :: http://www. Inc. The High queue is also called the strict priority queue.0 0. Inc. Inc..0.1.255 220.1.

Trial :: http://www.com 110 . Inc. Before we configure PQ and change these limits. the packet limit for each configurable queue is 20 packets and each will send 1500 bytes when it's that queue's turn to transmit.. IGRP. 2002-2007 Network Control Traffic • The phrase "network control traffic" in regards to Queue Zero covers a lot of traffic. with queues 1 . when there are packets in the High queue. – Hello packets for EIGRP. Inc.. • Queue Zero carries network control traffic and cannot be configured to carry additional traffic. ISIS – Syslog messages – STP keepalives © Train Signal. © Train Signal.CQ actually allows you to define how many bytes will be forwarded from every queue when it's that queue's turn to transmit.docudesk. but the last thing we need is a third name for it. • If too many traffic types are configured to go into the High and Medium queues. (I personally think it's more like queue starvation. OSPF. 2002-2007 Custom Queueing • Custom Queueing (CQ) takes PQ one step further . they're going to be sent before any packets in the lower queues. PQ is not round-robin. Traffic that uses Queue Zero includes….16 being configurable. packets in the Normal and Low queues may never be sent! This is sometimes referred to as traffic starvation or packet starvation. By default.Predefined queues – Part 2 • It won't surprise you to learn that these limits can be changed. though. CQ doesn't have the same queues that PQ has. 2002-2007 PDF Created with deskPDF PDF Writer . Inc. there's one very important concept that you must keep in mind when developing a PQ strategy.) © Train Signal.. CQ has 17 queues.

Round-Robin System • CQ uses a round-robin system to send traffic.com 111 . When it's a queue's turn to send.. that queue will transmit until it's empty or until the configured byte limit is reached. • Configuring CQ is basically a three-step process: – Define the size of the queues – Define what packets should go in each queue – Define the custom queue list by applying the list to the appropriate interface © Train Signal. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . By configuring a byte-limit. CQ allows you to allocate the desired bandwidth for any and all traffic types.Trial :: http://www.docudesk.