P. NAGABABU
NAGACISCO@GMAIL.COM
9553.9553.07 / 9000235254

CCNP – CISCO CERTIFIED NETWORK PROFESSIONAL – SWITCH
Prepared by Nagababu Polisetti

This material is valid till 31st November 2011. New material is available on 1st December 2011


INDEX

Lesson  Topic                               Page No
1       Switch Operation                    3
2       Ethernet Port Configuration         9
3       VLANs and Trunks                    14
4       VTP                                 21
5       Link Aggregation                    26
6       Switch Functioning                  31
7       Traditional STP                     34
8       STP Configuration                   42
9       Protect STP                         48
10      Advanced STP                        53
11      MLS                                 61
12      Campus Network Design               68
13      L3 Availability – Load Balancing    74
14      Supervisor – Power Redundancy       89
15      IP Telephony                        98
16      Secure Switch Access                105
17      Secure VLANs                        113
18      WLANs                               118


LESSON 1 : SWITCH OPERATION
L2 Switch Operation

• It gets the data from one port
• It reads the source MAC and destination MAC from the L2 header
• It looks into the CAM table and finds the outgoing port information
• Then it unicasts the data to the outgoing port
• If there is no outgoing port information, it does unknown unicast flooding
• It enters the source MAC and incoming port information in the MAC address table (CAM table)
• If the CAM table already has that entry, it refreshes it
• A switch can work at full duplex or half duplex
• A switch has dedicated circuits between ports (micro segmentation); every port has dedicated bandwidth
• A switch has specialized hardware called ASICs, which provides faster switching
• An L2 switch can read the L2 header; it can't read the L3 header or L4 header
• The L2 header contains source MAC and destination MAC information
• The L3 header contains source IP and destination IP information
• The L4 header contains source port and destination port information
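The learning and forwarding steps listed above, as an added example that is not part of the original study material: a small software model of the CAM table, including the default 300-second aging, purge on port-down and the MAC "flapping" condition described under CAM TABLES later in this lesson. Port names, MAC addresses and timings are constructed for the illustration.

```python
# Added example (not from the original study material): a minimal model of the
# L2 switch forwarding steps, with CAM-table learning, unknown unicast
# flooding, the default 300-second aging and "flapping" detection.
# Interface names and the sample frames are constructed for this illustration.
from dataclasses import dataclass

CAM_AGING_SECONDS = 300  # default CAM entry aging time from the lesson


@dataclass
class CamEntry:
    port: str
    last_seen: float  # time (seconds) when a frame from this MAC was last seen


class L2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}          # MAC address -> CamEntry
        self.events = []       # log of notable events (moves, aged-out entries)

    def _age_out(self, now):
        # Purge entries that have not been refreshed within the aging time
        expired = [mac for mac, e in self.cam.items()
                   if now - e.last_seen >= CAM_AGING_SECONDS]
        for mac in expired:
            del self.cam[mac]
            self.events.append(f"aged out {mac}")

    def port_down(self, port):
        # The switch purges CAM entries learned on a port that goes down
        for mac in [m for m, e in self.cam.items() if e.port == port]:
            del self.cam[mac]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame; return the list of ports it is sent out of."""
        self._age_out(now)
        # Learn or refresh the source MAC against the incoming port
        entry = self.cam.get(src_mac)
        if entry is None:
            self.cam[src_mac] = CamEntry(in_port, now)
        else:
            if entry.port != in_port:
                # Same MAC seen on a different port: the old entry is replaced
                self.events.append(f"{src_mac} moved {entry.port}->{in_port}")
            entry.port = in_port
            entry.last_seen = now
        # Forwarding decision: known destination -> unicast, else flood
        dst = self.cam.get(dst_mac)
        if dst is not None and dst.port != in_port:
            return [dst.port]
        if dst is not None:
            return []  # destination is on the ingress port; filter the frame
        return [p for p in self.ports if p != in_port]  # unknown unicast flooding

    def is_flapping(self, mac, min_moves=3):
        # A MAC repeatedly learned on alternating ports is reported as flapping
        moves = [ev for ev in self.events if ev.startswith(f"{mac} moved")]
        return len(moves) >= min_moves


def demo():
    sw = L2Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    first = sw.receive("Fa0/1", a, b, now=0)   # B unknown: flooded to Fa0/2, Fa0/3
    reply = sw.receive("Fa0/2", b, a, now=1)   # A known: unicast to Fa0/1
    aged = sw.receive("Fa0/3", "00:11:22:33:44:cc", a, now=400)  # A aged out: flood
    return first, reply, aged, sorted(sw.cam)


def flapping_demo():
    sw = L2Switch(["Fa0/1", "Fa0/2"])
    mac = "00:11:22:33:44:dd"
    for t in range(4):  # the same MAC keeps appearing on alternating ports
        sw.receive("Fa0/1" if t % 2 == 0 else "Fa0/2", mac, "ff:ff:ff:ff:ff:ff", now=t)
    return sw.is_flapping(mac)


if __name__ == "__main__":
    print(demo(), flapping_demo())
```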


• When a frame arrives at a switch port, it is placed into one of the port's ingress queues
• Queues have different priority levels to process important frames first
• Switch hardware decides where to and how to forward the frame by making three fundamental decisions
• All decisions are made simultaneously by independent portions of the switching hardware
L2 forwarding table
• The frame's destination MAC address is used as the index
• If the address is found, the egress switch port and appropriate vlan-id are read from the table
• If there is no entry for the destination MAC, unicast flooding happens at the egress ports
Security ACL
• TCAM contains the ACL in compiled form, evaluated in a single table lookup
• It takes the decision to permit or deny the frame
QoS ACL
• TCAM contains the QoS ACL in compiled form, evaluated in a single table lookup
• It takes the decisions to prioritize the traffic and to mark QoS parameters in outbound frames

MultiLayer Switch Operation
• L2 switches forward frames based on the L2 header
• MLS forwards the frames based on L2, L3 and L4 headers
• So it is named as Multi Layer switch or MLS
• MLS performs L3 forwarding in hardware, which provides faster switching
• Two types of MLS (Multi layer switch)
  o Route Caching
  o Topology based MLS
Route Caching
• The first generation of MLS requires a Route Processor (RP) and a Switch Engine (SE)
• RP processes a traffic flow's first packet to determine the destination
• SE listens to the first packet to the resulting destination and sets up a shortcut entry in its MLS cache
• SE forwards subsequent packets in the same traffic flow based on cache entries
• Also called Netflow LAN switching, flow-based switching or demand-based switching
• Also called as route once, switch many
Topology Based
• The second generation of MLS utilizes specialized hardware
• FIB – Forwarding Information Base (an area of hardware)
• L3 routing information builds and populates the FIB database
• This database has efficient table lookups, so packets can be forwarded at high speed
• If the network topology changes, the new routing information is updated in the FIB database dynamically without performance effect
• Topology based MLS is also known as CEF (Cisco Express Forwarding)

MLS Operation
• When a frame arrives at a switch port, it is placed into one of the port's ingress queues
• Each packet is pulled off an ingress queue and inspected for both L2 and L3 destination addresses
• The decision of where to forward the packet is based on two address tables, FIB and CAM
• The decision of how to forward the packet is based on ACL and QoS
• All these actions are performed simultaneously in hardware
L2 forwarding table
• The destination MAC is used as an index to the CAM table
• If the frame contains a packet to be forwarded at L3, the destination MAC is the L3 port's MAC
• In this case the CAM table results are used
L3 forwarding table
• The destination IP is used as an index in the FIB table
• The longest match is found and the next-hop L3 address is obtained
• FIB also has each next-hop L2 address, egress switch port and vlan-id
• So single table lookups are enough
Security ACLs
• ACLs are compiled into TCAM entries to filter packets in a single table lookup
QoS ACLs
• Packet classification, policing and marking can all be performed as single table lookups in the QoS TCAM
L3 rewrite
• The packet is put into L3 rewrite
• The TTL (time to live) is decremented by 1 and L3 checksums are recalculated
• The L2 header source MAC and destination MAC are rewritten
• The new source MAC is the MLS interface L2 address
• The new destination MAC is the next hop L2 address
• L2 checksums are recalculated
• CEF can directly forward most IP packets between hosts. This occurs when both source and destination L2 and L3 addresses are known

• CEF can not directly forward some IP packets, if they are special packet types or if any special process is needed. These packets are flagged for further processing
• The packets that require further processing are
  o ARP requests and replies
  o IP packets that require a router response (TTL expired, MTU exceeded, fragmentation)
  o IP broadcasts relayed as unicast (DHCP requests, IP helper-address functions)
  o Routing protocol updates
  o Cisco Discovery Protocol updates
  o IPX routing protocol and service updates
  o Packets that need encryption
  o Packets triggering NAT
  o Non-IP and non-IPX protocol packets (AppleTalk, DECnet etc)

CAM TABLES
• Switches generally have large CAM tables so that many addresses can be looked up for frame forwarding
• It's not possible to maintain every possible host MAC address in large networks
• A CAM table entry expires after 300 seconds by default if no frames are seen on that port
• The CAM entry aging time can be changed
• To make a static entry in the CAM table, the mac-address-table command is used (IOS versions before 12.1(11)EA1)
• The switch purges a CAM table entry if the port is down or if the same MAC is learned on a different switchport
• If the switch notices that a MAC is being learned on alternating switch ports, it generates an error message "flapping between interfaces"

TCAM TABLES
• TCAM – Ternary CAM
• TCAMs have compiled information
• TCAM evaluates a packet against an entire ACL in a single table lookup
• Switches can have multiple TCAMs to process the packet against security ACLs and QoS ACLs in parallel with L2-L3 forwarding decisions
• IOS has two components that are part of the TCAM
  1. Feature Manager (FM)
     o If an ACL is created, the FM software compiles and merges the ACL entries (ACEs) in the TCAM
  2. Switching Database Manager (SDM)
     o The SDM software configures or tunes the TCAM partitions to perform different functions, if needed
     o TCAMs are fixed in 4500 and 6500 platforms and can't be repartitioned
• Three (ternary) input values are used in TCAM. They are 0, 1, X
  o 0 and 1 are binary values used to define a key

  o X (don't care) is a mask value to define which bits of the key are relevant
• TCAM entries are composed of Value, Mask, Result (VMR) combinations
• Fields from the frame or packet are fed into the TCAM
• They are matched against value and mask pairs to yield a result
Values
• Values are 134-bit quantities, consisting of source and destination addresses and other relevant protocol information: all the patterns to be matched
• Values in the TCAM come directly from any address, port, or other protocol information given in an ACE
Masks
• Masks are 134-bit quantities, in exactly the same format, or bit order, as the values
• Masks define which value bits should be considered and which should be neglected
• The masks from the ACE are compiled and fed into the TCAMs
Results
• Results are numeric values that represent what action should be taken after the TCAM lookup
• TCAM offers a number of possible results or actions
• The result can be a permit or deny decision, an index to a QoS policer, a pointer to a next-hop routing table, and so on
• The TCAM is always organized by masks, where each unique mask has 8 value patterns associated with it
• If a mask is filled up with 8 value patterns, the next pattern is placed under a new mask
• 6500 platforms have multiple TCAMs (security ACLs and QoS ACLs), which can hold up to 4096 masks and 32768 value patterns
• Each of the mask-value pairs is evaluated simultaneously, revealing the best or longest match in a single table lookup

• The access-list is compiled and merged into the TCAM
• First, all possible unique masks are identified for each ACE and fed into the TCAM MASKS, starting from mask1, mask2, mask3 and so on
• These mask bits must be set for matching
• For each unique mask, all possible value patterns are identified and fed into the TCAM VALUE PATTERN
• Actions are fed into RESULTS (permit or deny)
• IOS Feature Manager checks all ACEs for L4 operations and places them in LOU (logical operation unit) register pairs
• After the LOUs are loaded, they are referenced in the TCAM entries that need them
• When a frame/packet arrives at the ingress port, the header is checked against the TCAM entries very quickly and the appropriate action is taken
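The Value/Mask/Result compilation and single-pass lookup described in the TCAM sections above, as an added example that is not part of the original study material. It uses a simplified 88-bit key (source IP, destination IP, protocol, destination port) instead of the real 134-bit key; the ACL, addresses and the 8-patterns-per-mask accounting are constructed to illustrate the mechanism.

```python
# Added example (not from the original study material): a software model of
# the TCAM Value/Mask/Result (VMR) lookup. ACEs are compiled into value/mask
# pairs over a simplified key (src IP, dst IP, protocol, dst port) instead of
# the real 134-bit key; every entry is checked against the packet and the
# first ACE in ACL order that matches wins, with an implicit deny at the end.
# Addresses and the ACL are constructed sample values.
import ipaddress

PATTERNS_PER_MASK = 8  # each unique mask holds 8 value patterns


def pack(src, src_bits, dst, dst_bits, proto, dport):
    """Build (value, mask) ints. None for proto/dport means 'don't care' (X)."""
    value = mask = 0
    parts = [
        (int(ipaddress.ip_address(src)), 32, (1 << 32) - (1 << (32 - src_bits))),
        (int(ipaddress.ip_address(dst)), 32, (1 << 32) - (1 << (32 - dst_bits))),
        (proto or 0, 8, 0xFF if proto is not None else 0),
        (dport or 0, 16, 0xFFFF if dport is not None else 0),
    ]
    for field_value, width, field_mask in parts:
        value = (value << width) | (field_value & field_mask)
        mask = (mask << width) | field_mask
    return value, mask


def compile_acl(aces):
    """Turn ACEs into TCAM VMR entries: (value, mask, result)."""
    entries = []
    for action, src, sbits, dst, dbits, proto, dport in aces:
        value, mask = pack(src, sbits, dst, dbits, proto, dport)
        entries.append((value, mask, action))
    return entries


def mask_slots(entries):
    """Number of mask slots consumed: a new slot once a mask holds 8 patterns."""
    counts = {}
    for _, mask, _ in entries:
        counts[mask] = counts.get(mask, 0) + 1
    return sum(-(-n // PATTERNS_PER_MASK) for n in counts.values())


def lookup(entries, src, dst, proto, dport):
    """Single-pass lookup: all VMRs are compared, lowest index (ACL order) wins."""
    key, _ = pack(src, 32, dst, 32, proto, dport)
    hits = [i for i, (v, m, _) in enumerate(entries) if key & m == v & m]
    return entries[hits[0]][2] if hits else "deny"  # implicit deny at the end


# Constructed ACL, listed in ACL order (first match wins)
ACL = [
    ("deny",   "10.1.1.0", 24, "10.2.2.2", 32, 6, 23),    # no telnet to the server
    ("permit", "10.1.1.0", 24, "10.2.2.2", 32, 6, 443),   # HTTPS to the server
    ("permit", "10.1.0.0", 16, "10.2.0.0", 16, None, None),  # anything else in the site
]
TCAM = compile_acl(ACL)

if __name__ == "__main__":
    print(lookup(TCAM, "10.1.1.5", "10.2.2.2", 6, 23), mask_slots(TCAM))
```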

LESSON 2 : ETHERNET PORT CONFIGURATION
LAN media technologies
• Ethernet
• FDDI – Fiber Distributed Data Interface
• CDDI – Copper Distributed Data Interface
• ATM – Asynchronous Transfer Mode
• Token Ring
Ethernet is the most popular choice because of its low cost, market availability, and scalability to higher bandwidths
Ethernet – 10Mbps
• LAN technology based on the IEEE 802.3 standard
• Offers speed at 10Mbps
• Ethernet is a shared medium that becomes both a collision and a broadcast domain
• Ethernet is based on CSMA/CD technology
• Half duplex communication with hubs
• Half/full duplex communication with switches
• 10BASE-T ethernet cabling (UTP) is restricted to an end-to-end distance of 100 metres (328 feet)
• 10BASE2, 10BASE5, 10BASE-F etc. are other ethernet applications that use different cabling
Fast Ethernet – 100Mbps
• LAN technology based on the IEEE 802.3u standard
• Offers speed at 100Mbps
• Full duplex / half duplex communication
• 200Mbps total throughput at full duplex
• 100 Mbps fast ethernet also supports 10Mbps to be compatible with legacy ethernet
• With the auto negotiation feature the ports can be set to the maximum available bandwidth as a common understanding

Gigabit Ethernet – 1000 Mbps / 1Gbps
• LAN technology based on IEEE 802.3z
• Offers speed at 1000Mbps (1Gbps)
• Supports only full duplex communication
• Gigabit ethernet supports several cabling types, referred to as 1000BASE-X
• Gigabit over copper (1000BASE-T) is based on the IEEE 802.3ab standard
• Gigabit ethernet supports backward compatibility for fast ethernet and legacy ethernet
• These ports are called "10/100/1000" ports, which denotes triple speed
• In Cisco switches gigabit ethernet (1000Mbps) is supported only at full duplex
• Duplex auto negotiation is not possible, but speed auto negotiation is possible
10 Gigabit Ethernet – 10Gbps
• LAN technology based on IEEE 802.3ae
• 10 Gigabit ethernet is also known as 10GbE
• Offers speed at 10Gbps
• It operates only at full duplex
• This standard defines several different transceivers that can be used as PMD (physical media dependent) interfaces
• These are classified as
  o LAN PHY – interconnects switches in a campus network (at the core layer)
  o WAN PHY – SONET (Synchronous Optical Network) and SDH (Synchronous Digital Hierarchy) networks in metropolitan area networks

• 10GBASE-LX4 is only a LAN PHY. The remaining PMDs can be used as a LAN PHY or a WAN PHY
Ethernet Port cables, connectors
• Catalyst switches support a variety of network connections, including all forms of ethernet
• They support several types of cabling, including UTP and optical fiber
• Fast ethernet (100BASE-FX) ports use two-strand MMF with MT-RJ or SC connectors to provide connectivity
• All Catalyst switch families support 10/100 autosensing for fast ethernet and 10/100/1000 autosensing for gigabit ethernet
• These ports use RJ-45 connectors on Category 5 UTP cabling (4 pairs)
Gigabit Ethernet Port cables, connectors
• Catalyst switches with Gigabit Ethernet ports have standardized rectangular openings that can accept gigabit interface converter (GBIC) or small form factor pluggable (SFP) modules
• The GBIC and SFP modules provide the media personality for the port so that various cable media can connect
• GBIC modules can use SC fiber optic and RJ-45 UTP connectors
• SFP modules can use LC and MT-RJ fiber-optic and RJ-45 UTP connectors
• GBIC and SFP modules are available for the Gigabit Ethernet media
  o 1000BASE-SX – SC fiber connectors and MMF for distances up to 550m
  o 1000BASE-LX/LH – SC fiber connectors and either MMF or SMF for distances up to 10km
  o 1000BASE-ZX – SC fiber connectors and SMF for distances up to 70km to 100km
  o GigaStack – provides a GBIC-to-GBIC connection between stacking Catalyst switches or between any two gigabit switch ports over a short distance
  o 1000BASE-T – supports an RJ-45 connector for four-pair UTP cabling for distances up to 100m

• The fiber-based modules always have the receive fiber on the left connector and the transmit fiber on the right connector while facing the connector
• These modules produce invisible laser radiation from the transmit connector. It's very dangerous to look directly at the connectors
Switchport Error conditions
• A Catalyst switch detects an error condition on every switchport for every possible cause
• If an error condition is detected, the switchport is put into the errdisable state and is disabled


LESSON 3 : VLANs AND TRUNKs
Flat Network
• A full Layer 2-only switched network is called a flat network topology
• A flat network is a single broadcast domain
• Every device can see every broadcast packet
• To overcome the problems of the flat network topology, the network is subdivided into logical areas, called vlans
• A vlan is a single broadcast domain
• A vlan consists of hosts defined as members, communicating as a logical network segment
• Devices in a vlan can see broadcast packets sent by members of the same vlan
• Inter-vlan communication is not possible in L2 networks
VLAN – Virtual LAN
• VLANs are identified with numbers called the VLAN id
• The vlan id range is 1-1005
• Vlan 1 is the default vlan
• By default all the ports are assigned to vlan 1
• Vlans 1002-1005 are reserved for legacy functions related to token ring and FDDI
• Catalyst switches also support an extended range of vlans, from 1-4094, for compatibility with the IEEE 802.1q standard
• The extended range is enabled only when the switch is configured for VTP transparent
• VTP versions 1 and 2 do not replicate extended vlans
• VTP version 3 can replicate extended vlans
• Switches maintain VLAN definitions and VTP configuration information in a separate file called vlan.dat in flash memory

Vlan Membership
• The ports can gain membership into a vlan in two ways
• Static vlan configuration
  o Manual configuration of ports into vlans
  o Port based vlan membership
  o End user devices become vlan members based on the physical switchport
  o Each port receives a port vlan-id (PVID) that is associated with the vlan number
  o The end user device is not aware of its vlan membership
  o Static vlan membership is handled in hardware with ASICs
• Dynamic vlan configuration
  o Dynamic configuration of ports into vlans
  o End user MAC based vlan membership
  o VMPS – vlan membership policy server, needed to handle the MAC database
  o When a system is connected to a switchport, the switch queries VMPS about vlan membership
  o Finally the end device gets the vlan membership
  o VMPS can be configured with the CiscoWorks application
Deploying VLANs
• Cisco recommends a one-to-one correspondence between vlans and IP subnets
• As per Cisco, the number of devices in a broadcast domain should be less than 254 (/24)
• Limiting the devices in a broadcast domain increases network performance
• Vlans should not be allowed to extend beyond the L2 domain of the distribution switch
• This means vlans should not reach the network's core layer

• VLANs can be scaled in the switch block by using two basic methods
• End to End vlans
  o Called campus-wide vlans, spanning the entire switch fabric of a network
  o Supports maximum flexibility and end user movement
  o This vlan is available at the access layer in every switch block in the campus
  o Follows the 80/20 rule (80% local, 20% remote traffic)
  o Not recommended in ECNM, because broadcast traffic is carried over till the far ends
  o Difficult to maintain
• Local vlans
  o Local vlans do not span the entire switch fabric of a network
  o Vlans are local to a specific switch block
  o Follows the 20/80 rule (20% local, 80% remote traffic)
  o Recommended in ECNM
  o Provides maximum manageability
Trunk Links
• Vlan connectivity is possible by connecting access-links between switches
• It's not possible to connect access-links if many vlans exist in the network
• Multiple access-links can be replaced with a single trunk link
• A trunk link can transport more than one VLAN through a single switchport
• So switchports are categorized into access ports and trunk ports
• Access ports can be associated with a single vlan
• Trunk ports can be associated with one, many or all active vlans
• Cisco supports trunking on fast ethernet, gigabit ethernet and aggregated links

Frame Tagging
• As trunk links carry the data of multiple vlans, the switches must identify from which vlan the data is coming
• The vlan-id should be attached to the frames while travelling through trunk links
• The trunk port adds the vlan-id to the normal ethernet frame before sending it through the trunk link
• This frame is called a tagged ethernet frame
• The trunk port removes the vlan-id from the tagged ethernet frame before sending it to the system
• The system can identify only the normal frame
• Attaching a vlan identifier to the normal ethernet frame is called frame-tagging or frame-encapsulation
• Frame tagging can be done in two methods
  o ISL
  o Dot1Q

Dot1Q Frame tagging
• The first two bytes are the TPID and the last two bytes are the TCI (Tag Control Information)
• TPID always has a value of 0x8100 to signify an 802.1q tag
• TCI contains a 3-bit priority used to implement CoS (class of service)
• 1 bit of TCI is the CFI (canonical format indicator), which identifies whether the MAC address is in ethernet or token ring format
• CFI is also called the little-endian or big-endian format
• The last 12 bits are the VLAN-ID, to indicate the source vlan of the frame
• The vlan-id can have values from 0 to 4095, but vlans 0 and 4095 are reserved
Frame tagging Errors
• The normal ethernet frame size is 1518 bytes
• Frame-tagging methods increase the frame size to 1522 bytes or 1548 bytes
• Generally these frames exceed the MTU size and are reported as baby giant frames
• Switches usually report these frames as ethernet errors or oversize frames
• But switches have to forward these frames anyway
• In case of ISL, Catalyst switches use proprietary hardware
• In case of 802.1q, switches comply with the IEEE 802.3ac standard, which accepts frames of 1522 bytes
Native VLANs
• The native vlan is the vlan whose frames are not tagged
• Native vlans are supported only with the IEEE 802.1q trunking method
• ISL does not support native vlans
• Native vlans must match at both ends of the trunk link
• By default vlan 1 is the native vlan
• Native vlans are very useful if ethernet segments are connected between trunk links
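The tag layout, the baby-giant sizes and the native-VLAN rule from the three sections above, as an added example that is not part of the original study material: it builds and parses an 802.1Q tag (TPID 0x8100, then priority, CFI and VLAN-ID in the TCI) and shows a trunk port leaving native-VLAN frames untagged. MAC addresses, payload sizes and VLAN numbers are constructed sample values.

```python
# Added example (not from the original study material): building and parsing
# the IEEE 802.1Q tag (TPID 0x8100, then a 16-bit TCI of 3-bit priority,
# 1-bit CFI and 12-bit VLAN-ID), with the native-VLAN rule (native VLAN
# frames leave the trunk untagged) and the baby-giant size check.
# MAC addresses, payload sizes and VLAN numbers are constructed sample values.
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518   # normal ethernet frame size
MAX_TAGGED_FRAME = 1522     # 802.3ac allows 4 more bytes for the tag
DEFAULT_NATIVE_VLAN = 1


def build_tci(priority, cfi, vlan_id):
    """Pack CoS priority (3 bits), CFI (1 bit) and VLAN-ID (12 bits)."""
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority must be 0-7 and CFI 0 or 1")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN-ID 0 and 4095 are reserved")
    return (priority << 13) | (cfi << 12) | vlan_id


def parse_tci(tci):
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}


def trunk_egress(frame, vlan_id, native_vlan=DEFAULT_NATIVE_VLAN, priority=0):
    """Trunk port sends a frame: native VLAN stays untagged, others get a tag."""
    if vlan_id == native_vlan:
        return frame
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, 0, vlan_id))
    return frame[:12] + tag + frame[12:]   # the tag sits after dst/src MAC


def trunk_ingress(frame, native_vlan=DEFAULT_NATIVE_VLAN):
    """Trunk port receives a frame: returns (vlan_id, untagged frame, tci)."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return native_vlan, frame, None          # untagged -> native VLAN
    tci = parse_tci(struct.unpack("!H", frame[14:16])[0])
    return tci["vlan_id"], frame[:12] + frame[16:], tci


def classify_size(frame):
    """'normal', 'baby giant' (1519-1522 bytes, still forwarded) or 'oversize'."""
    if len(frame) <= MAX_UNTAGGED_FRAME:
        return "normal"
    if len(frame) <= MAX_TAGGED_FRAME:
        return "baby giant"
    return "oversize"


def make_frame(payload_len, ethertype=0x0800):
    """Constructed untagged frame: dst MAC, src MAC, ethertype, payload, FCS."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("00aabbccddee")
    return dst + src + struct.pack("!H", ethertype) + bytes(payload_len) + bytes(4)


if __name__ == "__main__":
    tagged = trunk_egress(make_frame(1500), 10, priority=5)
    print(len(tagged), classify_size(tagged), trunk_ingress(tagged)[2])
```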

DTP
• DTP – Dynamic Trunking Protocol
• DTP is a Cisco proprietary point-to-point protocol
• Used to negotiate a common trunking mode between two switches
• A trunk link can be negotiated between two switches only if they belong to the same VTP management domain or one of the switches is set to the NULL domain
• If two switches belong to different VTP management domains, negotiation is not possible
• Then the trunk mode should be set to ON with manual intervention
• By default DTP frames are sent out every 30 seconds to keep neighboring switchports informed of the link mode
• The trunk encapsulation method is negotiated to select either ISL or IEEE 802.1q, whichever both ends of the trunk support
• If both ends support both types, ISL is preferred
• DTP is enabled by default
Trunk Negotiation
Local switchport state   Far end switchport state          Trunk negotiation
Access                   Access, trunk, desirable, auto    No Trunk
Trunk                    Trunk, desirable, auto            Trunk
Desirable                Trunk, desirable, auto            Trunk
Auto                     Trunk, desirable                  Trunk
Auto                     Access, auto                      No Trunk
Nonegotiate              Trunk, auto                       No Trunk


LESSON 4 : VTP
VTP
• Since a campus network contains a large number of switches, management of vlans is not easy in general
• Cisco developed a method to manage vlans easily in campus networks
• VTP – Vlan Trunking Protocol
• VTP carries vlan information from one switch to another switch automatically
• VTP allows the switches to replicate vlan information dynamically
• VTP uses L2 trunk frames to communicate VLAN information among a group of switches
• VTP manages the addition, deletion and renaming of vlans across the network from a central point of control
• VTP and VLAN information is stored in the vlan.dat file located in flash
VTP Domains
• VTP is organized into management domains
• Switches in the same VTP domain share vlan information
• Switches with different VTP domains can't share vlan information
• By default the domain name is "NULL"
• The entire VTP operation is controlled by VTP advertisements
• VLAN replication is bounded by the VTP domain
VTP Modes
VTP works in three modes
• Server mode
• Client mode
• Transparent mode
Server Mode
• Vlan configuration is possible
• The server is the master
• Vlan replication
• VTP information is synchronized
• Default mode
• The network needs at least one server
• Works like a VTP relay
Client Mode
• Vlan configuration is not possible
• The client follows the server
• Vlan replication
• VTP information is synchronized
• Not a default mode
• The number of clients depends on the requirement
• Works like a VTP relay
Transparent Mode
• Vlan configuration is possible
• A transparent switch does not follow the server
• No vlan replication
• VTP information is not synchronized
• Not a default mode
• The number of transparent switches depends on the requirement
• Works like a VTP relay in version 2

VTP Advertisements
• The entire VTP operation is maintained by VTP advertisements
• VTP advertisements are sent as multicast frames
• By default VTP advertisements are sent as non-secure advertisements, without a password
• If secure mode is enabled, the VTP password must be the same on every switch to share VTP advertisements
• VTP switches use an index called the VTP configuration revision number to keep track of the most recent information
• Every switch stores the latest VTP configuration revision number
• The VTP process always starts with "0" as the VTP configuration revision number
• If there is any change in the server, the configuration revision number is incremented by 1
• If a new server switch is added to the network with the highest revision number, it may collapse the network with VTP advertisements
• Every switch thinks that a new server is added, tries to synchronize, and may delete existing vlan information
• This is called the VTP synchronization problem
• To avoid this, the revision number must be set to "0"
• To reset the revision number
  o Change the switch VTP mode to transparent and then back to server
  (or)
  o Change the switch's VTP domain to a bogus name and then change it back to the original name
VTP advertisements can occur in three forms
• Summary advertisements
  o Sent by the server every 300 seconds or whenever a vlan database change occurs
  o Includes summary information
• Subset advertisements
  o Sent by servers if a vlan configuration change occurs
  o They contain information about every vlan
• Advertisement requests from clients
  o Sent by a client as a query if it needs any vlan information
  o Subset advertisements are sent by the server as the reply
[Figure: Summary Advertisements]
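The revision-number behaviour and the synchronization problem described above, as an added example that is not part of the original study material: a small simulation in which switches accept an advertisement only from their own domain with a matching password, and a higher revision overwrites the local vlan database; the reset procedure (transparent and back to server) is shown preventing the overwrite. Switch names, vlans and the domain name are constructed sample values.

```python
# Added example (not from the original study material): a small simulation of
# the VTP configuration revision number. Switches compare the domain name,
# the password (if one is set) and the revision of a received advertisement;
# a higher revision overwrites the local vlan database, which is the
# synchronization problem. Names, vlans and the domain are constructed values.

class VtpSwitch:
    def __init__(self, name, mode, domain, vlans, revision=0, password=None):
        self.name, self.mode, self.domain = name, mode, domain
        self.vlans = set(vlans)          # constructed vlan database
        self.revision = revision         # VTP configuration revision number
        self.password = password
        self.log = []

    def add_vlan(self, vlan_id):
        # Only a server (or a transparent switch, locally) may create vlans;
        # a server increments the revision by 1 for every change
        if self.mode == "client":
            raise PermissionError("vlan configuration is not possible on a client")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        # Summary + subset advertisement as sent by a server
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Apply a received advertisement; return True if the database changed."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False                         # other domain: not shared
        if self.password != adv["password"]:
            self.log.append("password mismatch; advertisement ignored")
            return False
        if adv["revision"] <= self.revision:
            return False                         # nothing newer than what we hold
        lost = self.vlans - adv["vlans"]
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        if lost:
            self.log.append(f"vlans {sorted(lost)} deleted by revision {adv['revision']}")
        return True

    def reset_revision(self):
        # Changing the mode to transparent and back to server clears the revision
        self.mode = "transparent"
        self.revision = 0
        self.mode = "server"


def sync_problem_demo():
    """A new server with a higher revision wipes the production vlans."""
    core = VtpSwitch("core", "server", "CAMPUS", {1, 10, 20, 30}, revision=12)
    access = VtpSwitch("access", "client", "CAMPUS", {1, 10, 20, 30}, revision=12)
    # Switch brought in from a lab with a stale database but a higher revision
    lab = VtpSwitch("lab", "server", "CAMPUS", {1, 99}, revision=40)
    changed = [sw.receive(lab.advertisement()) for sw in (core, access)]
    return changed, sorted(core.vlans), sorted(access.vlans)


def reset_demo():
    """Resetting the revision before connecting the switch prevents the overwrite."""
    core = VtpSwitch("core", "server", "CAMPUS", {1, 10, 20, 30}, revision=12)
    lab = VtpSwitch("lab", "server", "CAMPUS", {1, 99}, revision=40)
    lab.reset_revision()
    changed = core.receive(lab.advertisement())
    return changed, lab.revision, sorted(core.vlans)


if __name__ == "__main__":
    print(sync_problem_demo(), reset_demo())
```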

[Figure: Advertisement Request]
VTP Versions
• Version 1
  o Default version
  o Transparent mode does not work as a VTP relay
  o Supports only 1-1005 vlan id
  o Can coexist with version 2
  o No consistency check on VTP to prevent errors
  o Doesn't support token ring
  o Doesn't support unrecognized TLVs (Type, Length, Value)
• Version 2
  o Not the default version
  o Transparent mode works as a VTP relay
  o Supports only 1-1005 vlan id
  o Can coexist with version 1
  o Consistency check on VTP to prevent errors
  o Supports token ring
  o Supports unrecognized TLVs (Type, Length, Value)
• Version 3
  o Not the default version
  o Transparent mode works as a VTP relay
  o Supports 1-4095 vlan id
  o Future version
• If a VTP version is set in the server switch, it automatically populates to the client switches, if they support that version

[Figure: VTP Configuration]
VTP Pruning
• VTP pruning reduces unnecessary flooded traffic
• It makes more efficient use of trunk bandwidth
• With VTP pruning, broadcast and unknown unicast flooding are forwarded over a trunk link only if the receiving switch has active ports in that vlan
• VTP pruning improves network performance and consumes fewer processing cycles of the switch
• By default VTP pruning is disabled on IOS-based switches
• Vlan 1 carries management information and control information
• Vlans 1 and 1002-1005 are not eligible for pruning
• Vlans 2-1001 are eligible for pruning
• VTP pruning has no effect on transparent switches; manual configuration is required to prune vlans from their trunk links
[Figure: No VTP Pruning]

[Figure: VTP Pruning]
[Figure: VTP Pruning Configuration]

LESSON 5 : LINK AGGREGATION
Etherchannel
• Individual physical links can be bundled together to aggregate the bandwidth between switches
• This works like a single logical channel between switches, called ETHERCHANNEL
• 2 to 8 physical links can be bundled together in an Etherchannel
• FEC : Fast EtherChannel
  o 100 Mbps links are bundled together, supports 800Mbps speed (1600Mbps throughput)
• GEC : Gigabit EtherChannel
  o 1 Gbps links are bundled together, supports 8Gbps speed (16Gbps throughput)
• 10GEC : 10 Gigabit EtherChannel
  o 10 Gbps links are bundled together, supports 80Gbps speed (160Gbps throughput)
• Generally L2 loops will occur by connecting parallel links between switches
• But Etherchannel combines them into a single logical link
• On an Etherchannel, the traffic load is not distributed equally among the individual links
• With the load-balancing algorithm, Etherchannel selects one of the links to forward the traffic
• Physical links with the same speed and properties can be bundled
• The Etherchannel can be an access link or a trunk link
• Etherchannel supports redundancy
• If one of the links within the channel fails, the traffic is moved to another adjacent link. Failover occurs in less than a few milliseconds
Etherchannel Traffic Distribution
• In an Etherchannel, traffic is not distributed equally on all links
• The traffic distribution is based on a hashing algorithm. This algorithm can use
  o Source IP
  o Destination IP
  o Source IP – Destination IP
  o Source MAC
  o Destination MAC
  o Source MAC – Destination MAC
  o Source Port
  o Destination Port
  o Source Port – Destination Port

• The hash algorithm computes a binary pattern that selects a link number in the bundle to carry each frame
• If only one address or port number is used, the algorithm takes one or more of its low-order bits
• If two addresses or port numbers are used, the algorithm performs an XOR (exclusive OR) operation on one or more low-order bits
[Figure: Link selection – if only one address is used in the distribution algorithm]
[Figure: Link selection – if two addresses are used in the distribution algorithm]
• A conversation between two devices is always sent through the same Etherchannel link, because the two endpoint addresses stay the same

Etherchannel load-balancing methods

Method         Hash input                    Hash operation   Switch model
src-ip         Source IP                     Bits             All models
dst-ip         Destination IP                Bits             All models
src-dst-ip     Source and destination IP     XOR              All models
src-mac        Source MAC                    Bits             All models
dst-mac        Destination MAC               Bits             All models
src-dst-mac    Source and destination MAC    XOR              All models
src-port       Source port                   Bits             6500, 4500
dst-port       Destination port              Bits             6500, 4500
src-dst-port   Source and destination port   XOR              6500, 4500

• For L2 switching the default load-balancing method is src-mac
• For L3 switching the default load-balancing method is src-dst-ip

Etherchannel Protocols
• Etherchannel negotiation protocols are used to provide dynamic link configuration
• Two protocols are available to negotiate bundled links on Catalyst switches
  o PAgP : Port Aggregation Protocol, Cisco proprietary solution
  o LACP : Link Aggregation Control Protocol, open standard solution

Negotiation modes

PAgP mode   LACP mode   Negotiation packets sent   Characteristics
On          On          No                         All ports channeling, no negotiation
Auto        Passive     Yes                        Waits to channel until asked
Desirable   Active      Yes                        Actively asks to form a channel
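The link selection described under Etherchannel Traffic Distribution, as an added example that is not code from the original manual and not Cisco's actual hash (which is platform specific): it models the documented behaviour, taking the low-order bits of one address or port, or XOR-ing the low-order bits of two of them, and mapping the resulting 3-bit bucket onto the physical links. The frame field names and the sample server conversation are constructed for the demonstration.

```python
"""EtherChannel link selection, simulated in Python (added example)."""
import ipaddress
from collections import Counter

BUCKETS = 8  # 3 low-order bits -> 8 buckets, the largest bundle size

# load-balance method -> the frame fields it hashes (field names chosen here)
FIELDS = {
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}


def _as_int(name, value):
    """Turn an IP, a dotted/colon MAC or an L4 port into an integer."""
    if value is None:
        raise ValueError(f"method needs {name}")
    if name.endswith("_ip"):
        return int(ipaddress.ip_address(value))
    if name.endswith("_mac"):
        return int(value.replace(".", "").replace(":", "").replace("-", ""), 16)
    return int(value)


def hash_bucket(method, **frame):
    """3-bit hash bucket for one frame: low-order bits of a single field,
    or the XOR of the low-order bits when two fields are used."""
    values = [_as_int(f, frame.get(f)) for f in FIELDS[method]]
    h = values[0]
    for v in values[1:]:
        h ^= v
    return h & (BUCKETS - 1)


def select_link(method, n_links, **frame):
    """Link index (0..n_links-1) that carries the frame. The 8 buckets are
    spread over the links, so a 3-link bundle gets a 3:3:2 split even for
    perfectly random traffic."""
    if not 1 <= n_links <= BUCKETS:
        raise ValueError("an Etherchannel bundles 1 to 8 links")
    return hash_bucket(method, **frame) % n_links


def distribution(method, n_links, frames):
    """Frames per link for a list of frames (dicts of frame fields)."""
    counts = Counter(select_link(method, n_links, **f) for f in frames)
    return {link: counts.get(link, 0) for link in range(n_links)}


# Constructed sample: one server pair talking over 8 different TCP source ports.
SERVER_TALK = [
    {"src_ip": "10.0.0.10", "dst_ip": "10.0.0.20",
     "src_mac": "0000.0c12.3456", "dst_mac": "0000.0c65.4321",
     "src_port": 49152 + i, "dst_port": 443}
    for i in range(8)
]

if __name__ == "__main__":
    # With src-dst-ip the whole conversation lands on one link of four;
    # with src-dst-port the same frames spread across all four.
    print("src-dst-ip  :", distribution("src-dst-ip", 4, SERVER_TALK))
    print("src-dst-port:", distribution("src-dst-port", 4, SERVER_TALK))
    print("3 links     :", distribution("src-dst-port", 3, SERVER_TALK))
```

The 3-link run shows why the text says traffic is never spread equally: eight buckets cannot divide evenly over three links, so one link always carries fewer flows regardless of the method chosen.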

PAgP
• PAgP packets are exchanged between switches over Etherchannel-capable ports
• PAgP forms an Etherchannel only on ports that are configured for identical static VLANs or trunking
• PAgP dynamically modifies the parameters of the Etherchannel if one of the bundled ports is modified (VLAN ID, speed, duplex)
• PAgP configured in desirable mode asks the far-end switch to negotiate an Etherchannel
• PAgP configured in auto mode (default) waits to be asked by the far-end switch to negotiate an Etherchannel

LACP
• Defined in IEEE 802.3ad (Clause 43)
• LACP packets are exchanged between switches over Etherchannel-capable ports
• The switch with the lowest system ID (2-byte system priority followed by the 6-byte switch MAC) makes the decisions about which ports actively participate in the Etherchannel
• Ports are selected and become active according to their lowest port ID (2-byte port priority followed by the 2-byte port number)
• A set of up to 16 potential links can be defined for each Etherchannel
• The 8 ports with the lowest port IDs are bundled together; the remaining ports are standby
• LACP configured in active mode asks the far-end switch to negotiate an Etherchannel
• LACP configured in passive mode waits to be asked by the far-end switch to negotiate an Etherchannel
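The negotiation-mode rules and the LACP active/standby selection above, as an added example that is not the manual's code and does not implement either protocol's packet exchange: it encodes which mode pairs form a channel, which end decides (lowest system ID: priority, then MAC) and how the 8 active ports are chosen from up to 16 candidates by lowest port ID (port priority, then port number). The `LacpPort` class and the sample port list are this example's own.

```python
"""Etherchannel negotiation outcome and LACP port selection (added example)."""
from dataclasses import dataclass

MAX_CANDIDATES = 16
MAX_ACTIVE = 8
ASKS = {"pagp": "desirable", "lacp": "active"}    # modes that send requests
WAITS = {"pagp": "auto", "lacp": "passive"}       # modes that only answer


def channel_forms(protocol, local_mode, remote_mode):
    """True if the two ends bundle. 'on' sends no negotiation packets, so it
    only works against 'on'; two waiting ends never ask each other."""
    if "on" in (local_mode, remote_mode):
        return local_mode == remote_mode == "on"
    allowed = {ASKS[protocol], WAITS[protocol]}
    if local_mode not in allowed or remote_mode not in allowed:
        raise ValueError(f"{local_mode}/{remote_mode} are not {protocol} modes")
    return ASKS[protocol] in (local_mode, remote_mode)


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def system_id(priority, mac):
    """LACP system ID: 16-bit system priority followed by the 48-bit MAC."""
    return (priority << 48) | mac_to_int(mac)


def decider(local_prio, local_mac, remote_prio, remote_mac):
    """Which end ('local' or 'remote') has the lower system ID and so
    decides the active port set. Equal priorities leave it to the MAC."""
    local, remote = system_id(local_prio, local_mac), system_id(remote_prio, remote_mac)
    return "local" if local < remote else "remote"


@dataclass(frozen=True)
class LacpPort:
    number: int               # port number
    priority: int = 32768     # default LACP port priority

    @property
    def port_id(self):
        """16-bit port priority followed by 16-bit port number."""
        return (self.priority << 16) | self.number


def select_active(ports):
    """Split candidate ports into (active, standby) by lowest port ID."""
    if len(ports) > MAX_CANDIDATES:
        raise ValueError("LACP allows at most 16 candidate ports per channel")
    ordered = sorted(ports, key=lambda p: p.port_id)
    return ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


if __name__ == "__main__":
    # Constructed sample: 10 candidates, port 10 forced in with a low priority.
    candidates = [LacpPort(n) for n in range(1, 10)] + [LacpPort(10, priority=1)]
    active, standby = select_active(candidates)
    print("active :", [p.number for p in active])    # 10 first, then 1..7
    print("standby:", [p.number for p in standby])   # 8 and 9
    print(channel_forms("lacp", "active", "passive"), channel_forms("pagp", "auto", "auto"))
```

Lowering a port's priority is the only way to guarantee it stays in the active set; with every port left at the default, the port number alone decides, which is rarely what the design intended.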

Etherchannel Status

(verification output shown as a screenshot in the original; not reproduced)

LESSON 6 : SWITCH FUNCTIONING

Example 1: (figure not reproduced)

Example 2: (figure not reproduced)

Loops
• In L3 networks, multiple paths to a destination offer redundancy or load balancing
• In L2 networks, multiple paths to a destination create loops
• In switched networks, loops occur if a switch has multiple paths to another switch
• This is the situation where a single frame propagates between switches multiple times, over various paths; an Ethernet frame carries no TTL, so nothing ever discards it

Broadcast Storm
• If a system broadcasts (or a switch does unknown unicast flooding) in a looped network, a single frame reaches all the systems as multiple copies over various paths
• It consumes switch processing cycles and memory
• Finally, network performance comes down
• This situation is called a broadcast storm

Avoiding Loops
• Ensure the switches have only one active path to reach every other switch

Loop Prevention
• Redundancy is required between switches to avoid network outages
• Backup paths are required to achieve 100% network uptime
• At the same time, loops must be avoided
• This can be done dynamically by the Spanning Tree Protocol (STP)
• STP automatically blocks the ports that would cause loops

LESSON 7 : TRADITIONAL STP

BPDU
• BPDU - Bridge Protocol Data Unit
• STP operations are performed by exchanging BPDU messages between switches
• By default, BPDUs are sent every 2 seconds
• A switch sends BPDU frames to other switches using its own MAC as source MAC and 01-80-c2-00-00-00 as destination MAC
• 01-80-c2-00-00-00 is the STP multicast MAC address (for comparison, IP multicast MACs are 01-00-5e-00-00-00 to 01-00-5e-7f-ff-ff)
• Two types of BPDU
  o Configuration BPDU : used for spanning tree computation
  o TCN BPDU : Topology Change Notification BPDU, used to announce changes in the network topology

CONFIGURATION BPDU (format shown as a figure in the original; not reproduced)

Bridge ID (figure not reproduced)

STP Link Cost
• In the STP process, each link is given a number called cost
• Cost is used so that slower links are suspended (blocked) in preference to high-speed links when a loop must be broken
• High-speed links have a low cost
• To support high-speed links, the STP cost standards were modified
• The new STP cost values are in use at present

Link bandwidth   Old STP cost   New STP cost
4 Mbps           250            250
10 Mbps          100            100
16 Mbps          63             62
45 Mbps          22             39
100 Mbps         10             19
155 Mbps         6              14
622 Mbps         2              6
1 Gbps           1              4
10 Gbps          0              2

STP Terminology
BPDU   Bridge Protocol Data Unit   Fundamental message in the STP process
RB     Root Bridge                 Switch with the lowest Bridge ID
NRB    Non-Root Bridge             Switches other than the RB
RP     Root Port                   Port on an NRB that has the best cost path to the RB; goes to the forwarding state
DP     Designated Port             Port on a LAN segment that has the best cost path to the RB; goes to the forwarding state
NDP    Non-Designated Port         Port that is neither RP nor DP; goes to the blocking state (BLK)

STP Process
• 1. Electing the Root Bridge
• 2. Electing the Root Port per switch
• 3. Electing the Designated Port per segment
• 4. Electing the Non-Designated Ports

Reference STP Topology for Analysis
This topology has multiple switches and multiple loops. The links have different speeds, as shown in the figure (not reproduced). STP can be explained using this physically looped topology. The result will be a logically loop-free topology.

1. Electing the Root Bridge
• Initially, all ports on all switches are in the blocking state
• Every switch treats itself as the Root Bridge when the STP process starts
• Every switch sends BPDUs to the remaining switches
• The BPDUs carry Bridge ID information to select the Root Bridge
• Finally, only one switch, the one with the lowest Bridge ID, is elected as Root Bridge
• If the priority is the same, the switch with the lowest MAC becomes the Root Bridge

2. Electing Root Ports
• A switch may have multiple paths to reach the Root Bridge
• The port with the best (lowest) cost path to the RB is elected as the Root Port
• High-speed ports have the best cost paths; cost is inversely proportional to speed
• Only one Root Port exists per switch; the Root Port goes to the forwarding state
• If there is a tie in selecting the RP, the link from the switch with the lowest Bridge ID is preferred
• If there is still a tie, STP looks at the Port ID; the port with the lowest Port ID is preferred

3. Electing the Designated Port per Segment
• The port on the segment that has the best cost path to the RB is elected as the Designated Port (DP)
• Only one DP exists per segment (switch-to-switch link); the DP goes to the forwarding state
• All the ports on the Root Bridge are Designated Ports
• If there is a tie in selecting the DP, the port on the switch with the lowest Bridge ID is preferred
• If there is still a tie, STP looks at the Port ID; the port with the lowest Port ID is preferred
• Tie-break order: lowest Root Bridge ID / lowest root path cost / lowest sender Bridge ID / lowest sender Port ID

4. Electing Non-Designated Ports
• A port that is neither RP nor DP becomes a Non-Designated Port
• A Non-Designated Port goes to the blocking state; the NDP is also called a blocked port (BLK)
• These ports have the chance to become active if an operational link fails
• STP rebuilds the topology if something goes wrong with the active links
• STP rebuilds the new topology by activating some blocked ports, ensuring a loop-free topology all the time
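The four-step election above carried out on a small constructed topology, as an added example that is not code from the manual: lowest Bridge ID wins the root, root path cost uses the new STP cost table, and ties are broken by lowest sender Bridge ID and then lowest Port ID. Switch names, MACs and links are made up for the demonstration, and the Bridge ID uses the traditional 16-bit priority format; the second run lowers SW3's priority to show the root moving and the slow direct link being blocked either way.

```python
"""Classic (802.1D) spanning-tree election on a constructed topology (added example)."""
import heapq
from collections import defaultdict

NEW_STP_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19,
                155: 14, 622: 6, 1000: 4, 10000: 2}   # link Mbps -> cost
DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128


def bridge_id(priority, mac):
    """Traditional Bridge ID: 16-bit priority then 48-bit MAC; lower wins."""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def port_id(number, priority=DEFAULT_PORT_PRIORITY):
    """Port ID: 8-bit port priority then 8-bit port number."""
    return (priority << 8) | number


def run_stp(switches, links):
    """switches: {name: (priority, mac)}
    links: [(sw_a, port_a, sw_b, port_b, mbps)], one entry per segment.
    Returns (root_name, {switch: {port: 'RP' | 'DP' | 'NDP'}})."""
    bid = {n: bridge_id(p, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)                       # step 1: root bridge

    ports = defaultdict(dict)   # sw -> {port: (far_sw, far_port, cost)}
    for a, pa, b, pb, mbps in links:
        cost = NEW_STP_COST[mbps]
        ports[a][pa] = (b, pb, cost)
        ports[b][pb] = (a, pa, cost)

    # Root path cost (RPC): lowest cumulative cost from each switch to the
    # root, the value the switches converge on from the BPDUs they hear.
    rpc = {n: float("inf") for n in switches}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue
        for far, _, cost in ports[u].values():
            if d + cost < rpc[far]:
                rpc[far] = d + cost
                heapq.heappush(heap, (rpc[far], far))

    def bpdu_rank(sw, p):
        """Ranking of the BPDU heard on port p of sw: sender RPC + link
        cost, then sender Bridge ID, sender Port ID, own Port ID."""
        far, far_port, cost = ports[sw][p]
        return (rpc[far] + cost, bid[far], port_id(far_port), port_id(p))

    roles = {n: {} for n in switches}
    for sw in switches:                               # step 2: root ports
        if sw == root or not ports[sw]:
            continue
        roles[sw][min(ports[sw], key=lambda p: bpdu_rank(sw, p))] = "RP"
    for a, pa, b, pb, _ in links:                     # steps 3 and 4
        a_key = (rpc[a], bid[a], port_id(pa))
        b_key = (rpc[b], bid[b], port_id(pb))
        dp_sw, dp_port = (a, pa) if a_key < b_key else (b, pb)
        roles[dp_sw].setdefault(dp_port, "DP")        # designated end
        for sw, p in ((a, pa), (b, pb)):
            roles[sw].setdefault(p, "NDP")            # everything else blocks
    return root, roles


# Constructed triangle with a parallel link: SW1-SW2 twice at 1 Gbps,
# SW1-SW3 at 100 Mbps, SW2-SW3 at 1 Gbps.
SWITCHES = {"SW1": (DEFAULT_PRIORITY, "0000.0c00.0001"),
            "SW2": (DEFAULT_PRIORITY, "0000.0c00.0002"),
            "SW3": (DEFAULT_PRIORITY, "0000.0c00.0003")}
LINKS = [("SW1", 1, "SW2", 1, 1000), ("SW1", 3, "SW2", 3, 1000),
         ("SW1", 2, "SW3", 1, 100), ("SW2", 2, "SW3", 2, 1000)]

if __name__ == "__main__":
    print(run_stp(SWITCHES, LINKS))   # SW1 is root; SW3 blocks its slow direct link
    lowered = dict(SWITCHES, SW3=(4096, "0000.0c00.0003"))
    print(run_stp(lowered, LINKS))    # SW3 becomes root with priority 4096
```

The parallel SW1-SW2 link shows the last tie-breaker at work: both ports of SW2 hear the same cost and the same sender Bridge ID, so the lower Port ID (port 1) becomes the root port and port 3 is blocked.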

STP Physical and Logical Topologies (figure not reproduced)

STP States
To participate in STP, each switch port progresses through 5 states
• Disabled
• Blocking
• Listening
• Learning
• Forwarding

Disabled
• The disabled state is the shutdown state and is not a part of the normal STP progression

Blocking
• When a port initializes, it begins in the blocking state so that no loops can form
• The port is allowed only to receive BPDUs; it does not send BPDUs, learn MAC addresses or forward data
• The ports that are put into standby mode to remove a loop enter the blocking state

Listening
• A port is moved from Blocking to Listening if the switch thinks that the port can be selected as a root port or designated port
• In the listening state the port is allowed to send and receive BPDUs
• If the port loses its RP or DP status in the STP process, it returns to the blocking state
• The port stays in the Listening state for 15 sec (forward delay)

Learning
• After the forward delay (15 sec) in the listening state, the port is moved to the learning state
• The port can send and receive BPDUs and learns MAC addresses to add them to the MAT
• The port stays in the Learning state for 15 sec (forward delay)

Forwarding
• After the forward delay (15 sec) in the learning state, the port is moved to the forwarding state
• Only RPs and DPs are moved to the forwarding state
• The port can send and receive BPDUs, learn MACs and send and receive data
• Now the port is a fully functioning switch port in the STP topology

STP state    Port properties                                                       Duration
Disabled     Shutdown                                                              Indefinite
Blocking     Receives BPDUs                                                        Indefinite if a loop has been detected; otherwise max age (20 seconds)
Listening    Sends and receives BPDUs                                              Forward delay (15 seconds)
Learning     Sends and receives BPDUs, learns MAC addresses                        Forward delay (15 seconds)
Forwarding   Sends and receives BPDUs, learns MAC addresses, sends and receives data   Indefinite as long as the port is up and no loop is detected

STP Timers
• STP uses three timers to make sure that a network converges properly before a bridging loop can form
• The STP timers give the switches time to learn about network changes
• The three STP timers
  o Hello time : the time interval between configuration BPDUs sent by the Root Bridge; the IEEE 802.1D default hello time is 2 sec
  o Forward delay : the time the port spends in each of the Listening and Learning states; the default is 15 sec
  o Maximum age : the time interval that a switch stores a BPDU before discarding it. In the STP process every switch keeps a copy of the best BPDU it learned; the BPDU ages out if the switch loses contact with the BPDU's source. The default max age is 20 sec
• The default STP timers are designed around a reference model of an L2 network with a diameter of 7 switches, including the Root Bridge (shown as a diagram in the original; not reproduced)
• STP timers can be changed from the default values
• But careful network consideration is required before changing the values

• The STP default timers work efficiently most of the time
• The switch diameter (default 7) can be configured on the root switch
• In this case, the Root Bridge automatically calculates new values for all three timers that give the best results for the network size

Timer           Function                                              Default value
Hello           Interval between configuration BPDUs                  2 seconds
Forward delay   Time spent in the Listening and Learning states        15 seconds
Max age         Time a BPDU is stored without receiving an update      20 seconds

TCN BPDU
• TCN BPDU - Topology Change Notification BPDU
• Used to announce a change in the active network topology
• A TCN BPDU does not carry any data; it only informs of a topology change
• A topology change occurs when a switch port goes down or up (goes to the forwarding state or the blocking state)
• A switch sends a TCN BPDU out of its RP if it notices a topology change
• Switches keep on sending the TCN BPDU until an acknowledgment is received
• Finally the TCN BPDU reaches the Root Bridge
• The Root Bridge then sets the TC flag in its Configuration BPDU and sends it to all switches
• All switches receive this configuration BPDU, understand that the topology changed and shorten their MAT aging time from the default 300 sec to the forward delay (15 sec)
• The shortened aging time stays in effect for forward delay + max age (15 + 20 = 35 sec); systems actively communicating during this time stay in the MAT, while stale entries age out quickly
• Once the stale MAT entries are gone, the switches stop forwarding frames along the old path and relearn the addresses over the new topology
• If a system connected to a switch port goes down, this also generates a TCN BPDU, which floods the network and finally causes the switches to age out their MAT entries
• To avoid these undesired situations, the spanning-tree PortFast feature can be used on the switch ports where end devices are connected

9553. NAGABABU NAGACISCO@GMAIL.1q based Per-Vlan Spanning Tree One instance of STP per vlan Cisco ISL based Per-Vlan Spanning Tree plus Provides interoperability between CST and PVST Operate over both 802. over the native vlan IEEE 802.9000235254 P. New material is available on 1st Decem cember 2011 41 | P a g e .07 Topology Changes STP TYPES 3 Types of STP STP Types CST Function Common Spanning Tree One instance of STP.1q and ISL PVST PVST+ This material is valid till 31st Nove ovember 2011.COM 9553.

LESSON 8 : STP CONFIGURATION

STP Configuration
By default, STP is enabled for all active VLANs and on all ports of a switch

Inefficient Root Bridge Election (figure not reproduced)
STP has elected the RB with the default procedure and blocked the high-speed links, which results in a poorly converged STP network
• STP is fully automatic and converges the STP topology in the best way most of the time
• In some networks, STP may elect a slower switch as Root Bridge
• This leads to slow STP convergence and poor performance
• In this case the Root Bridge can be configured statically
• The method to elect a specific switch as Root Bridge is to change its default priority of 32768 to a lower value

Root Bridge Configuration
• Two formats exist for the STP Bridge ID
  o Traditional 802.1D : bridge priority value (16 bits), followed by a unique switch MAC address for the VLAN
  o 802.1t extended system ID : 4-bit priority multiplier x 4096 + 12-bit VLAN ID, followed by a non-unique switch MAC address for the VLAN
• If the switch supports 1024 unique MAC addresses for its own use, the traditional method is enabled by default
• If the switch can't support 1024 unique MAC addresses for its own use, the extended system ID is enabled by default

Root Path Cost Configuration (figure not reproduced)

Port ID
• The Port ID is a 16-bit quantity
• 8 bits for port priority and 8 bits for port number
• By default the port priority is 128 (range: 0-255)
• The port number range is 0-255 and represents the port's actual physical mapping

STP Timers (configuration figure not reproduced)

Methods that allow faster STP convergence in the event of a link failure
• PortFast : allows fast connectivity to be established on access-layer switch ports to hosts
• UplinkFast : enables fast uplink failover on an access-layer switch when dual uplinks are connected to the distribution layer
• BackboneFast : enables fast convergence in the network backbone (core) after a spanning-tree topology change occurs

PortFast

• Because of spanning-tree convergence, the port initialization delay can be up to 50 sec (20 sec PAgP negotiation + 15 sec Listening state + 15 sec Learning state)
• The ports connected to end-user devices need not follow STP convergence and timers, as loops do not occur at these ports
• With the PortFast feature the port is moved immediately to the forwarding state, skipping the forward-delay timers

UplinkFast
• If an access-layer switch is connected to two distribution switches with two uplinks, one uplink is in the forwarding state and the second is in the blocking state
• If the primary uplink goes down, STP normally takes 50 sec to converge
• But with the UplinkFast feature, the secondary uplink immediately comes up without waiting for the STP timers
• UplinkFast works by keeping track of the possible paths to the Root Bridge
• This feature is not allowed on the Root Bridge
• UplinkFast lets the upstream switches learn the MAC addresses on the new uplink by sending dummy multicast frames
• These frames carry the CAM addresses as source MAC and 0100.0ccd.cdcd as destination
• The multicast frames are sent out at a rate specified by the max-update-rate parameter
• The default is 150 packets per second; the range is 0-65535 pps
• No dummy multicast packets are sent if the value is set to 0 pps

BackboneFast
• BackboneFast works by having a switch actively determine whether alternative paths to the Root Bridge exist, in case the switch detects an indirect link failure (a link not connected directly to it)
• A switch detects an indirect link failure when it receives an inferior BPDU
• An inferior BPDU is generated by a designated bridge announcing itself as the new root, because it lost connectivity with the Root Bridge
• Normally a switch waits for the max age time before responding to an inferior BPDU
• BackboneFast begins immediately to determine whether other alternate paths to the Root Bridge exist
• If the inferior BPDU is received on a BLK port, the switch considers the RP and the other BLK ports as alternate paths to the Root Bridge
• If the inferior BPDU is received on the RP itself, the switch considers all BLK ports as alternate paths to the Root Bridge
• If the inferior BPDU is received on the RP and there are no BLK ports on the switch, BackboneFast allows the switch to become the Root Bridge before the max age timer expires
• BackboneFast uses the Root Link Query (RLQ) protocol to see if the upstream switches have stable connections to the Root Bridge
• RLQ requests and RLQ replies are sent between switches
• BackboneFast operates by shortening the max age timer when needed
• BackboneFast can reduce the maximum convergence delay only from 50 sec to 30 sec

STP Verification (figures not reproduced)

LESSON 9 : PROTECT STP

Switch ports are assigned specific roles after STP convergence

Root Port          Port on a switch that has the best cost path to the RB
Designated Port    Port on a LAN segment that has the best cost path to the RB
Blocking Port      Port that is neither RP nor DP
Alternate Port     Port that is a candidate Root Port but in the blocking state; used by the STP UplinkFast feature for fast convergence
Forwarding Port    Port where no STP activity is expected; ports with end-user devices

Rogue Root Bridge
• If a rogue switch with the lowest Bridge ID joins the network by mistake, it is elected as RB and tries to converge the network, which is undesired
• To prevent a switch from becoming the RB, two features can be used on switch ports
  o Root guard : prevents a switch from becoming RB by not considering superior BPDUs; the port can still receive legitimate BPDUs
  o BPDU guard : prevents all BPDUs on a switch port that could affect the Root Bridge

Root Guard
• If root guard is enabled on a switch port and the port receives a superior BPDU, it does not allow the new switch to become the root
• As long as the superior BPDUs are being received on the port, the port is kept in the root-inconsistent STP state
• No data can be sent or received in that state, but the port can still listen to the BPDUs it receives
• A root-guard-enabled port is expected to send or relay BPDUs as a designated port, not to receive superior BPDUs
• By default, root guard is disabled on all switch ports
• It can be enabled only on a per-port basis
• Root guard should be used only on the ports where the Root Bridge is not expected

BPDU Guard
• If the port is an access port and PortFast is enabled, BPDUs are normally not expected
• If a rogue switch with the lowest Bridge ID is connected to such a switch port by mistake, it sends BPDUs and tries to converge the network, which is undesired
• BPDU guard is used to prevent all BPDUs on a switch port that could affect the RB
• A BPDU-guard-enabled port is put into the errdisable state if it receives any BPDU

• By default, BPDU guard is disabled on all switch ports
• BPDU guard should be used only on the ports where PortFast is enabled
• BPDU guard should not be enabled on the ports where uplinks are connected, which could receive legitimate BPDUs

Loss of BPDUs
• If BPDUs are not received in a timely manner, the timers expire and STP tries to reconverge the topology, even though there is no topology change
• STP tries to activate an NDP, even though nothing changed in the network, creating loops
• To prevent unexpected loss of BPDUs, two features can be used
  o Loop guard
  o UDLD

Loop guard
• BPDUs may sometimes be lost, even though there is no topology change
• Loop guard can be used to prevent the effects of unexpected loss of BPDUs
• If loop guard is enabled on a port, it keeps track of the BPDU activity on NDPs
• If BPDUs are missed, the port is moved to the loop-inconsistent state
• The port is effectively blocking at this point, keeping it an NDP, so no loop forms
• When BPDUs are received on the port again, the port moves through the normal STP states
• By default, loop guard is disabled on all switch ports

UDLD
• UDLD - Unidirectional Link Detection
  o Unidirectional link : the link transfers data in one direction only
  o Bidirectional link : the link transfers data in both directions

• In a campus network, all the switches use bidirectional links
• Sometimes they become unidirectional links because of physical-layer problems
• Unidirectional link problems occur mostly at fiber-optic media ports (GBIC, SFP)
• If the link is unidirectional, BPDUs pass in only one direction; the other end can't receive the BPDUs and its STP timers expire
• This leads to activating NDPs, causing loops, because the link is not really down
• UDLD is used to detect these unidirectional links
• This is a Cisco proprietary solution
• UDLD should be enabled on both ports of a link
• A port sends special L2 UDLD frames and expects the far-end switch to echo those frames
• If echo frames are received, the link is bidirectional; otherwise it is unidirectional
• UDLD frames are sent every 15 seconds by default
• The UDLD link detection time should be less than the STP convergence time, so that the loop is avoided before it forms
• STP takes 50 seconds to move an NDP to the forwarding state (20 sec max age + 15 sec listening + 15 sec learning)
• UDLD takes 45 seconds (3 times the UDLD interval) to detect a unidirectional link
• UDLD has two modes of operation
  o Normal mode : when a unidirectional condition is detected, the port is allowed to continue its operation; the port is marked as undetermined and a syslog message is generated
  o Aggressive mode : when a unidirectional condition is detected, the switch takes action to re-establish the link; UDLD messages are sent once a second for 8 seconds; if no echoes are received, the port is put in the errdisable state and can't be used
• When UDLD is configured for the first time on a link, it will not disable the link before the far end is configured; it waits indefinitely for the neighbor to be configured
• In an Etherchannel bundle, if one physical link is found to be unidirectional, UDLD disables only that link, not the entire channel

BPDU Filtering
• The BPDU filtering feature is used to filter BPDUs on switch ports
• Switch ports with BPDU filtering enabled can neither send nor receive BPDUs
• BPDU filtering can be enabled on switch ports where there is no chance of loops
• Ports with end-user devices connected are eligible for BPDU filtering
• This feature is disabled on all switch ports by default
• Because a filtered port silently ignores BPDUs, a switch accidentally connected to it is invisible to STP; on user ports, BPDU guard (which errdisables the port) is the safer choice

STP Protection Verification (figure not reproduced)

STP Protection features
• Root guard : apply to ports where the root is never expected
• BPDU guard : apply to all user ports where PortFast is enabled

• Loop guard : apply to non-designated ports (can be applied to all ports also)
• UDLD : apply to all fiber-optic links between switches (must be enabled on both ends)

STP Protection feature combinations
• Permissible combinations on a switch port
  o Loop guard and UDLD
  o Root guard and UDLD
• Not permissible combinations on a switch port
  o Root guard and loop guard
  o Root guard and BPDU guard
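The root guard, BPDU guard and loop guard behaviour of this lesson as a small per-port state machine, an added example that is not the manual's code and not IOS behaviour copied from a device. It models the outcomes the text describes for one port: a superior BPDU on a root-guard port gives root-inconsistent, any BPDU on a BPDU-guard port gives errdisable, and a non-designated port that stops hearing BPDUs goes loop-inconsistent only when loop guard is on (without it, plain STP would start unblocking the port). Recovery after the superior BPDUs stop is assumed to follow max age. The `GuardedPort` class, its state names and the combination check (from the table above) are this example's own.

```python
"""STP protection features as a per-port state machine (added example)."""
from dataclasses import dataclass
from itertools import combinations

MAX_AGE = 20   # seconds a stored BPDU is kept before it is discarded

NOT_PERMISSIBLE = {frozenset({"root guard", "loop guard"}),
                   frozenset({"root guard", "bpdu guard"})}


def combination_allowed(features):
    """Reject the pairs the manual lists as not permissible on one port."""
    return not any(frozenset(pair) in NOT_PERMISSIBLE
                   for pair in combinations(set(features), 2))


@dataclass
class GuardedPort:
    role: str                  # "DP", "RP" or "NDP"
    features: tuple = ()       # e.g. ("portfast", "bpdu guard")
    state: str = "forwarding"
    since_bpdu: int = 0        # seconds since the last BPDU arrived

    def __post_init__(self):
        if not combination_allowed(self.features):
            raise ValueError(f"not permissible together: {self.features}")
        if self.role == "NDP":
            self.state = "blocking"

    def receive_bpdu(self, superior=False):
        """A BPDU arrives; superior means it advertises a better root."""
        self.since_bpdu = 0
        if self.state == "errdisable":
            return self.state                    # stays down until cleared
        if "bpdu guard" in self.features:
            self.state = "errdisable"            # no BPDU is welcome on an edge port
        elif superior and "root guard" in self.features:
            self.state = "root-inconsistent"     # refuse the would-be root, pass no data
        elif superior:
            self.role, self.state = "RP", "listening"   # unprotected: accept and re-converge
        elif self.state == "loop-inconsistent":
            self.state = "blocking"              # BPDUs are back; normal STP resumes
        return self.state

    def tick(self, seconds):
        """Time passes with no BPDU on this port."""
        self.since_bpdu += seconds
        if self.since_bpdu <= MAX_AGE or self.state == "errdisable":
            return self.state
        # The stored BPDU has aged out (assumed recovery point for root guard).
        if self.state == "root-inconsistent":
            self.state = "listening"             # superior BPDUs stopped: recover
        elif self.role == "NDP":
            if "loop guard" in self.features:
                self.state = "loop-inconsistent"   # stay blocked: likely a one-way link
            else:
                self.state = "listening"         # plain STP starts unblocking: loop risk
        return self.state


if __name__ == "__main__":
    rogue_facing = GuardedPort("DP", ("root guard",))
    print(rogue_facing.receive_bpdu(superior=True))   # root-inconsistent
    edge = GuardedPort("DP", ("portfast", "bpdu guard"))
    print(edge.receive_bpdu())                        # errdisable
    uplink = GuardedPort("NDP", ("loop guard",))
    print(uplink.tick(MAX_AGE + 1))                   # loop-inconsistent
    print(GuardedPort("NDP").tick(MAX_AGE + 1))       # listening (no protection)
```

The last two calls are the whole argument for loop guard: the same silence on the same blocked port either stays blocked or starts the 30-second walk to forwarding, and only the feature decides which.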

LESSON 10 : ADVANCED STP

RSTP
• RSTP - Rapid Spanning Tree Protocol
• Typically, STP takes 30 to 50 seconds to react to a topology change
• In production networks this has become an unbearable time
• RSTP uses STP's principal concepts and makes the resulting convergence much faster
• IEEE 802.1w standard
• As with 802.1D (STP), RSTP's basic functionality can be applied as a single instance or multiple instances
• RSTP is only the underlying mechanism; it can't be implemented on its own
• It can be implemented with PVST+, resulting in Rapid PVST+
• RSTP is used as a part of MST (IEEE 802.1s)

RSTP Port Roles
• The Root Bridge is elected in the same manner as with STP (lowest Bridge ID)
• In RSTP, each switch interacts with its neighbors through each port
• The interactive process is performed based on the port role
  o Root Port : the port on each switch that has the best cost path to the RB (same as STP)
  o Designated Port : the port on a network segment that has the best cost path to the RB (same as STP)
  o Alternate Port : standby Root Port; the port that has an alternate path to the RB (second-best path)
  o Backup Port : standby Designated Port; the port on a network segment that has an alternate path to the RB (second-best path)

STP port roles                  RSTP port roles
Root Port                       Root Port
Designated Port                 Designated Port (P2P)
Alternate Port (UplinkFast)     Alternate Port
Blocking                        Backup Port

RSTP Port States
• RSTP has 3 port states: Discarding, Learning, Forwarding
• A port role can have one of these states
  o Discarding : incoming frames are dropped, no MACs are learned; combines the disabled, blocking and listening states of 802.1D

  o Learning : incoming frames are dropped, but MACs are learned
  o Forwarding : incoming frames are forwarded, MACs are learned

STP port states   RSTP port states
Disabled          Discarding
Blocking          Discarding
Listening         Discarding
Learning          Learning
Forwarding        Forwarding

RSTP BPDU
• RSTP uses the 802.1D BPDU format for backward compatibility
• Some unused bits in the message type field are used for the interactive (proposal/agreement) process
• The BPDU version is set to 2 (the 802.1D BPDU version is 0)
• BPDUs are sent out of every switch port at hello time intervals, regardless of whether BPDUs are received from the RB
• Any switch anywhere in the network can play an active role in maintaining the topology
• Switches expect BPDUs from their neighbors
• A neighbor is assumed to be down if three consecutive BPDUs are missed (6 sec by default)
• If a neighbor is down, all information related to the port connected to that neighbor is aged out
• RSTP BPDUs can co-exist with 802.1D BPDUs
• Switches can differentiate the BPDUs with the help of the version information

RSTP Convergence
RSTP convergence is a two-stage process
• Common Root Bridge election
• Moving the switch ports of the STP domain from discarding to the appropriate state to prevent loops

RSTP Port Types
• RSTP has three types of ports
  o Edge Port : the port where a single host is connected; BPDUs are never expected. If the switch receives a BPDU on an edge port, the port loses its edge port status
  o Root Port : the port with the best cost path to the RB; goes to the forwarding state
  o Point-to-Point Port (P2P) : a port that connects to another switch and becomes a DP. P2P ports are decided with a quick handshake between switches by exchanging proposal and agreement messages

RSTP Point-to-Point Links
• Point-to-point links are determined automatically by the duplex mode in use
• Full-duplex ports are considered point-to-point (only two ports on the link)
• Half-duplex ports are considered a shared medium, and the 802.1D convergence method is used in this case
• RSTP handles the complete STP convergence of the network as a propagation of handshakes over point-to-point links
• When a switch needs to make an STP decision, a handshake is made with the nearest neighbor, and so on across the point-to-point links of the entire network

Synchronization
• To participate in RSTP convergence, all the port states must be decided
• Non-edge ports begin in the discarding state
• After the BPDU exchange between neighbor switches, the RB can be identified
• If a port receives a superior BPDU from a neighbor, that port becomes the RP
• For each non-edge port, the switch exchanges a proposal-agreement handshake to decide the port states of the links at each end

• Because of RSTP problems or non-P2P link issues, if a port fails to send the agreement message, 802.1D convergence occurs on the link, that is, the port moves from blocking through listening and learning to forwarding

Topology Changes
• RSTP detects a topology change only when a non-edge port transitions to the forwarding state
• When a topology change is detected, BPDUs with the TC bit set are sent out of all the non-edge designated ports
• The switch propagates the TC (topology change) message to the other switches in the network so that they can correct their MATs

RSTP Configuration (figure not reproduced)

RAPID PVST (figure not reproduced)

MST
• MST – Multiple Spanning Tree
• IEEE 802.1S standard

STP Topologies

CST-PVST-MST comparisons
CST
• CST – common spanning tree
• Only one instance of STP is used for all vlans
• If 500 vlans exist in the network, only one STP instance runs
• Less overhead on the switch
• No load balancing – the instance uses only one link, the remaining links are blocked
PVST+
• PVST+ – per vlan spanning tree
• One instance of STP is used for each active vlan
• If 500 vlans exist in the network, 500 STP instances run
• More overhead on the switch
• Load balancing – every instance can use one of the available links
MST
• MST – Multiple Spanning Tree
• Multiple instances of STP are used
• A set of vlans is allowed on every instance
• Less overhead on the switch
• Load balancing – every instance can use one of the available links

• MST works by mapping one or more vlans to a single STP instance
• MST implementation includes
  o Identifying the number of STP instances needed to support the desired topologies
  o Mapping a set of vlans to each instance

MST Region
• MST regions are created to manage MST operations
• MST attributes
  o MST configuration name (32 characters)
  o MST config revision number (0 to 65535)
  o MST instance to vlan mapping table (4096 entries)
• The MST attributes must match on all switches for them to belong to the same region. If not, they belong to different, independent regions
• MST attributes are exchanged between switches with MST BPDUs

IST
• IST – Internal spanning tree
• MST can interoperate with all other forms of STP
• In an MST region, the IST is the instance that presents the entire region as a virtual bridge to the CST
• BPDUs are exchanged at the region boundary only over the native vlan
• The IST is called MST Instance 0

MST Instances
• MST instances exist within the MST region
• Vlan sets are mapped to MST instances
• Cisco supports 16 MSTIs in each region
• The IST always exists as MSTI number 0
• By default all the vlans are mapped to the IST
• Only the IST (MSTI 0) sends and receives MST BPDUs
• Only one BPDU is needed to carry all MSTI information
• Other MSTI information is appended to the BPDU as M-records
• Other MST regions can be combined with the IST only at the region boundary
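The region membership rule above (name, revision and vlan-to-instance table must all match, with unmapped vlans falling into the IST) as a small check, written as an added example for these notes and not Cisco code; the switch configurations are constructed, and the digest is only an illustration of comparing the mapping table, not the exact digest format carried in MST BPDUs.

```python
"""Does a switch belong to the same MST region as its neighbour? The three attributes
that must match: configuration name, revision number and the VLAN-to-instance table.
Added example for these notes, not Cisco code; configurations are constructed."""
import hashlib

IST = 0                 # MST instance 0, the IST, always exists
MAX_MSTI = 16           # Cisco supports 16 MSTIs per region (IST plus instances 1-15)
TABLE_SIZE = 4096       # one entry per possible VLAN ID


def mapping_table(vlan_to_instance: dict) -> tuple:
    """Full 4096-entry mapping table. Every VLAN not explicitly mapped belongs to the
    IST, which is why a VLAN mapped on one switch but forgotten on another splits the
    region into two."""
    table = [IST] * TABLE_SIZE
    for vlan, instance in vlan_to_instance.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is not a configurable VLAN ID")
        if not 0 <= instance < MAX_MSTI:
            raise ValueError(f"instance {instance} is outside 0-{MAX_MSTI - 1}")
        table[vlan] = instance
    return tuple(table)


def region_attributes(name: str, revision: int, vlan_to_instance: dict) -> tuple:
    """The three attributes a switch advertises in its MST BPDU, with the mapping table
    compressed to a digest so that the order in which VLANs were configured cannot matter."""
    if len(name) > 32:
        raise ValueError("MST configuration name is limited to 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("MST revision number is 0-65535")
    table = mapping_table(vlan_to_instance)
    # each instance number fits in one byte; the digest is illustrative, not the standard's
    digest = hashlib.md5(bytes(table)).hexdigest()
    return name, revision, digest


def same_region(switch_a: tuple, switch_b: tuple) -> bool:
    """switch_x = (name, revision, {vlan: instance}); all three attributes must match."""
    return region_attributes(*switch_a) == region_attributes(*switch_b)
```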

MSTP Configuration
• A switch can't run both PVST+ and MST at the same time
• A switch can be configured to use
  o PVST+ (spanning-tree mode pvst) or
  o RPVST+ (spanning-tree mode rapid-pvst) or
  o MST (spanning-tree mode mst)
• If MST is configured on the switch, the RSTP mechanism is applied by default


LESSON 11: MLS
Intervlan Routing
• Communication between different vlans is called inter vlan routing
• Intervlan routing is possible only with an L3 capable device
• Inter VLAN routing methods
  o Connect access links to router interfaces
  o Router on a stick (switch trunk port to router)
  o Multilayer switching

MultiLayer Switch
• A multilayer switch can perform both L2 switching and L3 routing
• L2 switching occurs between interfaces (switch ports) that are assigned to L2 vlans or L2 trunks
• L3 routing can occur between L3 interfaces (non switch ports or SVIs) that have been configured with an L3 address
• An MLS has two types of L3 interfaces
  o L3 port: a physical port with L3 functionality enabled (no switchport configuration). By default, all the ports are L2 ports (on most platforms); 6500 ports are L3 ports by default
  o SVI (switched virtual interface): a logical L3 interface that represents the entire vlan. This becomes the default gateway for all hosts in that vlan
• All L3 interfaces (SVIs and L3 physical ports) can be configured with IP addresses

MLS Configuration

CEF
• CEF – Cisco Express Forwarding
• In the first generation of MLS, netflow switching was used
• In the second generation of MLS, CEF was introduced
• CEF allows high-performance packet forwarding through the use of dynamic lookup tables
• Switch platforms that perform CEF in hardware
  o Catalyst 6500 supervisor 720 (with an integrated MSFC3)
  o Catalyst 6500 supervisor 2/MSFC2 combination
  o Catalyst 4500 supervisor 3, 4 and 5
  o Fixed switches 3750, 3560, 3550, 2950
• CEF runs by default (ip routing)

CEF Packet Flow

CEF Verification

CEF Punt Packets
• CEF can forward most IP packets
• Some packets can't be forwarded by CEF; they are marked as "CEF punt" and sent to the L3 engine for further processing
• CEF punt packets are those where
  o The entry can't be located in the FIB
  o The FIB table is full
  o The IP TTL has expired
  o The MTU is exceeded and fragmentation is needed
  o The encapsulation type is not supported
  o An ICMP redirect is involved
  o The packets are tunneled, or a compression or encryption operation is needed
  o An ACL with the log option is triggered
  o NAT operations are triggered

CEF Techniques
• CEF operations can be handled on a single hardware platform (3560, 3750)
• CEF can be optimized through the use of specialized forwarding hardware, using CEF techniques
• There are two types of CEF techniques
  o Accelerated CEF – aCEF: the L3 forwarding engines don't have a self-contained FIB; every L3 forwarding engine can have a part of the FIB; the FIB is downloaded when it is required; the FIB is accelerated on the L3 engines
  o Distributed CEF – dCEF: the L3 forwarding engines have a self-contained FIB; the FIB is replicated on all L3 forwarding engines; provides greater performance

Adjacency Table
• For each entry the FIB contains the next-hop L3 address
• The FIB also contains L2 information for every next-hop entry. This part of the FIB is called the adjacency table
• The adjacency table consists of the MAC addresses of nodes that can be reached in a single L2 hop
• Adjacency table information is built from the ARP table
• The adjacency table is updated when the next hop receives a valid ARP entry
• If an ARP entry doesn't exist, the FIB entry is marked as "CEF glean"
• In the CEF glean state, the FIB hardware can't forward those packets until the ARP addresses are resolved

• The L3 engine sends an ARP request every two seconds until the address gets resolved. This is called ARP throttling or throttling adjacency
• After ARP resolution, the FIB adjacency is updated, so the packets are forwarded in FIB hardware

Adjacency Table Verification

Adjacency Entries
• Adjacency entry types
  o Null adjacency: the packets destined for the null interface
  o Drop adjacency: the packets that can't be forwarded, because of encapsulation failure, unresolved address, unsupported protocol, no routing information, checksum error etc
  o Discard adjacency: the packets discarded because of an ACL or other policy action
  o Punt adjacency: the packets that must be sent to the L3 engine for further processing
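The FIB lookup, adjacency table, glean state and punt conditions from the CEF sections above, modelled as a toy forwarding decision. This is an added example for these notes, not Cisco's implementation; the FIB, adjacency entries, ARP table, packets and the 1500-byte MTU are constructed sample data.

```python
"""Toy model of the CEF forwarding path: FIB longest-prefix lookup, the adjacency
table built from ARP, and the glean / punt / drop outcomes. Added example for these
notes, not Cisco code; all tables and packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CONNECTED = None            # next hop of a directly connected prefix: resolve the DIP itself
ARP_THROTTLE_SECONDS = 2    # the L3 engine retries ARP every 2 seconds while gleaning


@dataclass
class Adjacency:
    """One adjacency table row. kind is 'complete', 'null', 'drop', 'discard' or 'punt'."""
    kind: str
    mac: str = ""
    interface: str = ""


@dataclass
class Cef:
    fib: dict                      # {IPv4Network: next_hop_ip or CONNECTED}
    adjacency: dict                # {next_hop_ip: Adjacency}, built from the ARP table
    mtu: int = 1500
    pending_arp: list = field(default_factory=list)   # next hops waiting on ARP (glean)

    @classmethod
    def from_tables(cls, routes: dict, arp_table: dict, mtu: int = 1500):
        fib = {ip_network(prefix): nh for prefix, nh in routes.items()}
        adjacency = {ip: Adjacency("complete", mac, ifc) for ip, (mac, ifc) in arp_table.items()}
        return cls(fib, adjacency, mtu)

    def fib_lookup(self, dip: str):
        """Longest-prefix match; returns (network, next_hop) or None when no entry exists."""
        addr = ip_address(dip)
        matches = [net for net in self.fib if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return best, self.fib[best]

    def forward(self, pkt: dict):
        """Decide what the FIB hardware does with one packet.
        pkt has dip, ttl, size and an optional acl_log flag.
        Returns (action, detail); action is 'forward', 'glean', 'punt' or 'drop'."""
        hit = self.fib_lookup(pkt["dip"])
        if hit is None:
            return "punt", "entry can't be located in FIB"
        if pkt["ttl"] <= 1:
            return "punt", "IP TTL has expired"
        if pkt["size"] > self.mtu:
            return "punt", "MTU exceeded, fragmentation needed"
        if pkt.get("acl_log"):
            return "punt", "ACL with log option is triggered"
        _, next_hop = hit
        next_hop = pkt["dip"] if next_hop is CONNECTED else next_hop
        adj = self.adjacency.get(next_hop)
        if adj is None:
            # CEF glean: no ARP entry yet, so hardware can't forward until the L3 engine resolves it
            if next_hop not in self.pending_arp:
                self.pending_arp.append(next_hop)
            return "glean", f"ARP for {next_hop} every {ARP_THROTTLE_SECONDS}s (throttling adjacency)"
        if adj.kind == "complete":
            return "forward", adj
        if adj.kind == "punt":
            return "punt", "punt adjacency: L3 engine must process the packet"
        return "drop", f"{adj.kind} adjacency"

    def arp_resolved(self, next_hop: str, mac: str, interface: str) -> None:
        """An ARP reply arrived: the adjacency is updated and hardware forwarding resumes."""
        self.adjacency[next_hop] = Adjacency("complete", mac, interface)
        if next_hop in self.pending_arp:
            self.pending_arp.remove(next_hop)


def build_sample_cef() -> Cef:
    """Constructed tables for a small MLS: one connected SVI subnet, one learned
    prefix with a resolved next hop, and one prefix routed to Null0."""
    routes = {
        "192.168.6.0/24": CONNECTED,     # SVI subnet: next hop is the destination host itself
        "10.0.0.0/24": "172.16.0.1",     # learned route via an upstream router
        "172.16.5.0/24": "null0",
    }
    arp_table = {"172.16.0.1": ("aaaa.aaaa.aaaa", "Gi0/1")}
    cef = Cef.from_tables(routes, arp_table)
    cef.adjacency["null0"] = Adjacency("null")   # packets to Null0 are silently discarded
    return cef
```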

L3 Packet Rewrite
Multilayer switches have an additional functional block, L3 rewrite, that changes the L3 packet contents before forwarding. The frame/packet fields changed by L3 rewrite are
• L2 destination address: changed to the next-hop device's MAC address
• L2 source address: changed to the outbound L3 interface's MAC address
• L3 IP TTL: decremented by one, as one L3 hop is crossed
• L3 IP checksum: recalculated, as L3 fields are modified
• L2 frame checksum: recalculated, as L2 fields are modified

CEF Configuration
• CEF is enabled on all CEF-capable switches by default
• 6500 switches run CEF by default, and it can never be disabled (sup 720 with integrated MSFC3, or sup 2 with MSFC2)
• 3750 and 4500 switches run CEF by default, but it can be disabled on a per interface basis

MultiLayer Switch Verification

DHCP Process
• An MLS can function like a DHCP server
• It can relay DHCP broadcast messages as unicast messages to a specified IP address

DHCP Configuration

LESSON 12: CAMPUS NETWORK DESIGN
Network Design
• If a large number of systems exists in a broadcast domain, a single broadcast message spreads across the entire network
• Every system processes the incoming frames, which degrades network performance
• Routers and vlans break broadcast domains
• Cisco suggests there should be no more than 254 computers in a broadcast domain
• Limiting the systems in a broadcast domain improves network performance
• Network segmentation should be done to enhance network performance
• Network segmentation can be done by using vlans in the network
• Routers and L3 switches can be used to route the traffic between network segments

Broadcast Domains – No VLANs

Broadcast Domains – With VLANs

Network Hierarchy

Two Layer Network Hierarchy

Three Layer Network Hierarchy
Service Type | Location of Service            | Extent of Traffic flow
Local        | Same segment/vlan as user      | Access layer only
Remote       | Different segment/vlan as user | Access to distribution layers
Enterprise   | Central to all campus users    | Access to distribution to core layers

Three Layer Network Hierarchy - Comparisons
Access Layer
• End user connectivity, vlan membership
• Low cost per switch port
• High port density
• Scalable uplinks to higher layers
• User access functions such as vlan membership, traffic and protocol filtering through ACLs
• Resiliency through multiple uplinks
Distribution Layer
• Intervlan routing; traffic policies, ACL, QoS
• Aggregation of multiple access-layer devices
• High Layer 3 throughput for packet handling
• Security and policy based connectivity
• QoS features
• Scalable and resilient high-speed links to the core and access layers
Core Layer
• High performance switching, backbone connectivity
• Very high throughput at Layer 3
• No unnecessary packet manipulations
• No ACL or packet filtering
• Redundancy and resiliency for high availability
• Advanced QoS functions

Modular Network Design

Fully Redundant Network

Disorganized Networks

Organized Networks

Switch Block and Core Block

Switch Block
• A switch block is a set of distribution switches and their accompanying access layer switches
• Typically 2 distribution switches are placed in a switch block
• Switch blocks contain a balanced mix of Layer 2 and Layer 3 functionality
• VLANs should not extend beyond the switch block
• Broadcasts should not propagate from the switch block to the core block
• STP is confined to each switch block (STP boundary)
• Typically 2000 users can be placed in a switch block

Switch Block Sizing
Switch block size depends on
• Traffic types and patterns
• L3 switching capacity at the distribution layer
• Number of users connected to the access-layer switches (typically <2000 users)
• Vlan boundaries and subnets
• Size of the STP domains

Large Switch Blocks
The problems with large switch blocks
• The routing at the distribution layer becomes a traffic bottleneck
• Intensive CPU processing because of inter vlan routing, ACLs and policing
• Broadcast and multicast traffic slows the switches in the switch block

Switch Block Designs

Core Block
• The core block connects two or more switch blocks in a campus network
• The links from distribution to core are L3 links
• The core block is meant for high speed connectivity between switch blocks
• The links between the core switches should be good enough to carry the aggregated data
• GEC or 10GbEC can be used to aggregate the traffic
• Two core block designs
  o Collapsed core
  o Dual core

Collapsed Core
• The collapsed core design can be used for smaller campus networks

Dual Core Design
• The dual core design can be used for larger campus networks
• The dual core design connects two or more switch blocks with redundancy
• The core is scalable with more switch blocks
• This design uses two identical switches at the core block
• The core block should be ready to handle 100% of the traffic from the switch blocks
• Switch blocks are connected to the core block with L3 links, so bridging loops will not occur
• Multiple L3 links can offer redundancy and load-balancing
• The vlans will not extend to the core layer
• This is the most versatile design for enterprise campus networks

LESSON 13: L3 AVAILABILITY
Packet Forwarding Examples
Example 1: Data flow from 192.168.6.1 to 192.168.6.2
• 192.168.6.1 sends a broadcast ARP request to learn the DMAC
  o SIP-192.168.6.1, DIP-192.168.6.2, SMAC-1111.1111.1111, DMAC-?
• 192.168.6.2 sends a unicast ARP reply
  o SIP-192.168.6.2, DIP-192.168.6.1, SMAC-2222.2222.2222, DMAC-1111.1111.1111
• Now 192.168.6.1 is aware of the DMAC
• Now 192.168.6.1 can send data to 192.168.6.2, because it has the SMAC, DMAC, SIP and DIP information
• ARP requests and replies are sent to resolve the MAC address for an IP address

Example 2: Data flow from 192.168.6.1 to 10.0.0.2
• 192.168.6.1 sends a broadcast ARP request to learn the DMAC of the gateway (192.168.6.100)
  o SIP-192.168.6.1, DIP-192.168.6.100, SMAC-1111.1111.1111, DMAC-?
• 192.168.6.100 sends a unicast ARP reply
  o SIP-192.168.6.100, DIP-192.168.6.1, SMAC-4444.4444.4444, DMAC-1111.1111.1111
• Now 192.168.6.1 is aware of the DMAC
• Now 192.168.6.1 can send data to the default gateway, because it has the SMAC, DMAC, SIP and DIP information
  o SIP-192.168.6.1, DIP-10.0.0.2, SMAC-1111.1111.1111, DMAC-4444.4444.4444
• The router then checks its routing table and finds the exit interface to the destination
• Now the router (10.0.0.100) sends a broadcast ARP request to learn the DMAC
  o SIP-10.0.0.100, DIP-10.0.0.2, SMAC-3333.3333.3333, DMAC-?
• 10.0.0.2 sends a unicast ARP reply
  o SIP-10.0.0.2, DIP-10.0.0.100, SMAC-6666.6666.6666, DMAC-3333.3333.3333
• Now the router is aware of the DMAC. The router rewrites the SMAC and DMAC
• After rewriting the SMAC and DMAC, the router sends the data to the destination
  o SIP-192.168.6.1, DIP-10.0.0.2, SMAC-3333.3333.3333, DMAC-6666.6666.6666

• Devices maintain ARP information in cache memory
• An ARP entry expires dynamically if there is no active communication
• Systems: arp -a (dos)
• Router: show ip arp
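Example 2 above, together with the L3 Packet Rewrite section of Lesson 11, worked in code: ARP resolution on each L2 segment, then the router's rewrite of SMAC, DMAC, TTL and IP checksum while SIP and DIP stay unchanged. This is an added example for these notes, not Cisco code; the IPs and MACs are the ones used on this page, while the router's connected route and the starting TTL of 64 are constructed.

```python
"""192.168.6.1 -> 10.0.0.2 through the gateway: ARP on each hop, then the L3 rewrite.
Added example for these notes, not Cisco code; route table and TTL are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BROADCAST = "ffff.ffff.ffff"    # the notes write the unknown DMAC of an ARP request as "?"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement 16-bit sum.
    Over a header whose checksum field is already filled in, the result is 0 when valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(sip: str, dip: str, ttl: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                                ip_address(sip).packed, ip_address(dip).packed))
    hdr[10:12] = ipv4_checksum(bytes(hdr)).to_bytes(2, "big")
    return bytes(hdr)


@dataclass(frozen=True)
class Frame:
    smac: str
    dmac: str
    ip_header: bytes

    @property
    def sip(self) -> str:
        return str(ip_address(self.ip_header[12:16]))

    @property
    def dip(self) -> str:
        return str(ip_address(self.ip_header[16:20]))

    @property
    def ttl(self) -> int:
        return self.ip_header[8]


def l3_rewrite(frame: Frame, out_if_mac: str, next_hop_mac: str):
    """The L3 rewrite block: SMAC = outbound interface MAC, DMAC = next-hop MAC,
    TTL decremented, IP checksum recalculated; SIP and DIP are left alone.
    Returns None when the TTL has expired, which CEF punts to the L3 engine instead."""
    if frame.ttl <= 1:
        return None
    hdr = bytearray(frame.ip_header)
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = ipv4_checksum(bytes(hdr)).to_bytes(2, "big")
    return Frame(out_if_mac, next_hop_mac, bytes(hdr))


class Interface:
    """An L3 interface: its IP and MAC, the L2 segment it is on, and its ARP cache."""

    def __init__(self, ip: str, mac: str, segment: dict):
        self.ip, self.mac, self.segment, self.arp_cache = ip, mac, segment, {}

    def resolve(self, target_ip: str, log: list) -> str:
        """Broadcast ARP request, unicast ARP reply, laid out as in the notes."""
        if target_ip not in self.arp_cache:
            log.append(dict(kind="ARP request", sip=self.ip, dip=target_ip,
                            smac=self.mac, dmac=BROADCAST))
            mac = self.segment[target_ip]          # the owner of target_ip answers
            log.append(dict(kind="ARP reply", sip=target_ip, dip=self.ip,
                            smac=mac, dmac=self.mac))
            self.arp_cache[target_ip] = mac
        return self.arp_cache[target_ip]


def forward_example2():
    """Returns (frame as delivered to 10.0.0.2, list of ARP messages exchanged)."""
    # ip -> mac of every node on each wire (constructed from the page's diagram)
    lan = {"192.168.6.1": "1111.1111.1111", "192.168.6.2": "2222.2222.2222",
           "192.168.6.100": "4444.4444.4444"}
    wan = {"10.0.0.100": "3333.3333.3333", "10.0.0.2": "6666.6666.6666"}
    host = Interface("192.168.6.1", "1111.1111.1111", lan)
    rtr_in = Interface("192.168.6.100", "4444.4444.4444", lan)
    rtr_out = Interface("10.0.0.100", "3333.3333.3333", wan)
    routes = {ip_network("10.0.0.0/24"): rtr_out}   # router's table: connected exit interface
    log = []
    # Host side: 10.0.0.2 is off-subnet, so ARP for the default gateway and send the frame to it
    gw_mac = host.resolve(rtr_in.ip, log)
    frame = Frame(host.mac, gw_mac, build_ipv4_header(host.ip, "10.0.0.2", ttl=64))
    # Router side: routing lookup finds the exit interface, ARP for the next hop, then rewrite
    dip = ip_address(frame.dip)
    out_if = routes[max((n for n in routes if dip in n), key=lambda n: n.prefixlen)]
    nh_mac = out_if.resolve(frame.dip, log)
    return l3_rewrite(frame, out_if.mac, nh_mac), log
```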

Router Redundancy
• For high availability and load balancing, three protocols are available for router redundancy
  o HSRP – Hot Standby Router Protocol
  o VRRP – Virtual Router Redundancy Protocol
  o GLBP – Gateway Load Balancing Protocol

HSRP
• HSRP – Hot Standby Router Protocol
• Cisco proprietary (RFC 2281)
• Provides gateway redundancy by allowing routers or MLS to appear as a single gateway IP
• The gateway IP is assigned to the common HSRP group (not to a single router)
• One router is elected as the primary or active router (with the highest priority)
• Another router is elected as the standby router (second best priority)
• All the remaining routers are in the listening state
• All routers exchange HSRP hello messages every 3 seconds to know the status of each other
• Hello messages are sent to the multicast destination 224.0.0.2 using UDP port 1985
• A maximum of 16 HSRP groups can be supported (group range: 0-255)

HSRP Election
• HSRP election is based on the priority value (default 100, range 0-255)
• The router with the highest priority value becomes the active router for the group
• If all routers have the same priority, the router with the highest IP address on the HSRP interface becomes the active router

HSRP States
HSRP router states
• Disabled
• Init
• Listen
• Speak
• Standby
• Active

HSRP Active Role
• The active router sends hello messages every 3 seconds, by default
• If 3 consecutive hellos are missed (10 sec hold time), the active router is assumed to be down and the standby router turns its state to active
• The listening router with the best priority becomes the new standby router
• If a router is configured with the highest priority, it can't pick up the active role immediately, because the active router is already in working state in the HSRP group
• The pre-empt feature can be used to allow a router to take the active role at any time, if it has the highest priority

HSRP Pre-empt

HSRP Timers

HSRP Authentication
• HSRP supports authentication to prevent unauthorized routers from participating in HSRP
• HSRP supports both plain-text and MD5 authentication
• The authentication key word must match on every router participating in HSRP
• By default cisco is the authentication key word
• The HSRP plain-text authentication key string can be up to 8 characters

9000235254 P. if the pre pre-empt empt is already configured Without preemption. NAGABABU NAGACISCO@GMAIL.07 HSRP MD5 Authentication HSRP MD5 authentication supports key string up to 64 characters HSRP MD5 authentication method can be configured with a key chain HSRP Election • • • • • HSRP can detect external link failures and allow the other routers to take active role It can be done by tracking a router interface and decrease the priority incase of link failure Router decreases its own priority by 10 (default) for every link failure The other routers have a chance to take active role. New material is available on 1st Decem cember 2011 77 | P a g e .COM 9553. the active role can’t be g given to any other router HSRP Gateway • Each router in HSRP group has its own unique IP address assigned to L3 interface • In HSRP group every router has a common gateway IP address • It is virtual router address.9553. kept alive by HSRP • This address known as HSRP address or Standby address • All the clients use this HSRP address as gateway This material is valid till 31st Nove ovember 2011.

That is 0000.07 HSRP group routers keep this address always up • • • • HSRP has special MAC address for HSRP address .0C07.9000235254 • P. New material is available on 1st Decem cember 2011 78 | P a g e .0C07.ACFF If HSRP group 16 is configured. NAGABABU NAGACISCO@GMAIL.ACXX XX represents HSRP group number (two (two-digit hex value) MAC address range : 0000. it can use 0000.9553.0C07.AC00 – 0000.COM 9553.0C07.AC10 as MAC address HSRP Process This material is valid till 31st Nove ovember 2011.

COM 9553. New material is available on 1st Decem cember 2011 79 | P a g e .9000235254 HSRP Load balancing P.9553. NAGABABU NAGACISCO@GMAIL.07 This material is valid till 31st Nove ovember 2011.

it can use 0000. active router is called as Master router All other routers are in backup state The router with highest priority becomes master router priority range 1-254. by default VRRP sends its advertisements to the multicast address 224.0110 as MAC address VRRP has no mechanism to track interfaces connected to external links This material is valid till 31st Nove ovember 2011. default is 100 VRRP P group number range is from 0 to 255 VRRP advertisements are sent for every 1 second.5E00. NAGABABU NAGACISCO@GMAIL.9553.0.9000235254 HSRP Verification P. That is 0000.0.COM 9553. 254. New material is available on 1st Decem cember 2011 80 | P a g e .5E00.01XX XX represents VRRP group number (two digit hex hex-value) If VRRP group 16 is configured.18 using IP protocol 112 Pre-empting empting is the default feature in VRRP So the router with highest priority can become master at any time VRRP uses special MAC address for virtual router IP address.07 VRRP • • • • • • • • • • • • • • • • • VRRP – Virtual router redundancy Protocol VRRP is similar to HSRP in operation Open standard protocol Defined in RFC 2338 In VRRP.

VRRP Process

VRRP Load balancing

VRRP Configuration

VRRP Verification

GLBP
• GLBP – Gateway Load Balancing Protocol
• HSRP and VRRP provide load balancing by assigning multiple gateways to the host groups
• GLBP provides load balancing efficiently, in which all the hosts can use a single gateway
• GLBP is a cisco proprietary protocol
• All routers are assigned to a common GLBP group
• GLBP provides load balancing by allowing all routers to forward a portion of the overall traffic
• For the same gateway IP address, different MAC addresses are sent as ARP replies
• Traffic goes through one of the routers associated with that MAC address

GLBP Router Roles
Router roles in GLBP
• AVG – Active virtual gateway
• AVF – Active virtual forwarder

AVG
• The router with the highest priority becomes the AVG
• Default priority is 100, range is 1 to 255
• If the priority is the same, the router with the highest active IP becomes the AVG
• The AVG coordinates the GLBP process
• The routers participating in GLBP are called AVFs
• The AVG assigns virtual MAC addresses to each of the routers (AVFs) participating in GLBP
• A maximum of 4 MAC addresses can be used in any group
• Only the AVG answers ARP requests
• The AVG also plays the AVF role
• GLBP group range is 0 – 1023
• In GLBP, the pre-empting feature is not the default
• Without pre-empting, the AVG role can't be given to any other router (if the AVG is active)

AVG Timers
• To know the AVF status, the AVG sends hello messages periodically, every 3 seconds by default
• If hellos are not received from a peer within the hold-time (10 sec), it is assumed to be down
• Timers can be configured on the AVG (not necessary on the AVFs)
• AVFs learn the timers from the AVG, by default

AVF
• AVFs obtain MAC addresses from the AVG
• If an AVF fails in the GLBP group, the AVF role and MAC address are given to another AVF temporarily
• That AVF handles two MAC addresses, to function like two AVFs
• The redirect timer is used to determine when the AVG will flush the old MAC address (assigned to another AVF temporarily)
• The timeout timer is used to determine how long GLBP peers wait before flushing the old MAC
• When the timeout timer expires, the clients using this MAC in their ARP cache must clear the entry, because no AVF will answer to that MAC
• Clients will get a new MAC address as ARP reply
• The redirect timer is 600 seconds (10 min) by default
• The timeout timer is 14400 seconds (4 hours) by default

GLBP Weight
• GLBP weight is used to define which router can become an AVF
• Interfaces can be tracked to provide dynamic weight
• If an interface goes down the AVF decreases its weight, and if the interface comes up the AVF increases its weight
• Two weight thresholds can be configured in GLBP
• If the weight decreases below the lower threshold, the AVF must lose its role
• If the weight increases above the upper threshold, the router gains its AVF role
• By default the weight is 100, range is 1 to 254
• In weight adjustment, an object-number is used with a range of 1-500

GLBP Load Balancing
• The AVG assigns virtual MAC addresses to each of the AVFs in the GLBP group
• GLBP load balancing methods
  o Round robin: ARP replies are sent with the next available virtual MAC address; the traffic load is distributed evenly across all AVFs; it is the default load balancing method in GLBP
  o Weighted: the GLBP weight decides the load balancing; a higher weight value results in more frequent ARP replies; GLBP weight is used to set the relative proportions among AVFs
  o Host-dependent: each client always gets the same MAC address as ARP reply; this method is used if the client needs a consistent gateway MAC
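How an AVG hands out virtual MACs in ARP replies under the three methods above, including the AVF-failure handling from the AVF section (one AVF answering for two virtual MACs until the redirect timer flushes the old one). This is an added example for these notes, not Cisco code; the AVF names, weights and client MACs are constructed, and the 0007.b400.GGFF virtual-MAC layout (GG = group, FF = forwarder number) is GLBP's real layout but is not stated in these notes.

```python
"""GLBP AVG load balancing: round robin, weighted and host-dependent ARP replies.
Added example for these notes, not Cisco code; AVFs, weights and clients are constructed."""

MAX_AVFS = 4                   # at most 4 virtual MACs in any GLBP group
METHODS = ("round-robin", "weighted", "host-dependent")


class Avg:
    """Active virtual gateway: owns the group's virtual MACs and picks one per ARP reply."""

    def __init__(self, group: int, avfs: dict, method: str = "round-robin"):
        # avfs: {router_name: GLBP weight}; the AVG itself is one of the forwarders
        if not 0 <= group <= 1023:
            raise ValueError("GLBP group must be 0-1023")
        if not 1 <= len(avfs) <= MAX_AVFS:
            raise ValueError(f"a group supports 1 to {MAX_AVFS} AVFs")
        if method not in METHODS:
            raise ValueError("unknown load-balancing method")
        self.method = method
        self.weight = dict(avfs)
        # forwarder numbers start at 1; layout 0007.b400.GGFF is assumed (not in the notes)
        self.vmac = {name: f"0007.b400.{group:02x}{n:02x}"
                     for n, name in enumerate(avfs, start=1)}
        self.active = list(avfs)              # AVFs currently answering for their own vMAC
        self.secondary = {}                   # failed AVF -> AVF that took over its vMAC
        self._rr_index = 0
        self._credit = {name: 0 for name in avfs}
        self._sticky = {}                     # client MAC -> AVF (host-dependent)

    def _round_robin(self) -> str:
        name = self.active[self._rr_index % len(self.active)]
        self._rr_index += 1
        return name

    def _weighted(self) -> str:
        # smooth weighted round robin: over sum(weights)/gcd replies each AVF is chosen
        # exactly weight/gcd times, so a higher weight means more frequent replies
        total = sum(self.weight[n] for n in self.active)
        for name in self.active:
            self._credit[name] += self.weight[name]
        pick = max(self.active, key=lambda n: self._credit[n])
        self._credit[pick] -= total
        return pick

    def arp_reply(self, client_mac: str) -> str:
        """Virtual MAC placed in the ARP reply for the shared gateway IP."""
        if self.method == "host-dependent":
            # a client keeps the same forwarder for as long as that forwarder is active
            if self._sticky.get(client_mac) not in self.active:
                self._sticky[client_mac] = self._round_robin()
            return self.vmac[self._sticky[client_mac]]
        if self.method == "weighted":
            return self.vmac[self._weighted()]
        return self.vmac[self._round_robin()]

    def avf_failed(self, name: str) -> str:
        """Hold time expired for an AVF: another AVF takes over its vMAC as a secondary
        until the redirect timer flushes it, while new ARP replies only hand out the
        surviving AVFs' own vMACs. Returns the AVF that took over."""
        self.active.remove(name)
        if not self.active:
            raise RuntimeError("no AVF left in the group")
        taker = self.active[0]
        self.secondary[name] = taker
        return taker

    def forwarder_for(self, vmac: str) -> str:
        """Which router currently answers traffic sent to a given virtual MAC."""
        owner = next(n for n, m in self.vmac.items() if m == vmac)
        return self.secondary.get(owner, owner)
```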

GLBP Gateway


GLBP Load balancing


GLBP Verification


Gateway Redundancy
HSRP
• show standby brief – displays HSRP status
• show standby type mod/num – displays HSRP on an interface
VRRP
• show vrrp brief all – displays VRRP status
• show vrrp interface type mod/num – displays VRRP on an interface
GLBP
• show glbp [group 0-1023] [brief] – displays the status of a GLBP group

Router Redundancy Protocols
Property           | HSRP                                | VRRP                                | GLBP
Standard           | Cisco proprietary                   | Open standard                       | Cisco proprietary
Router roles       | Active, standby routers             | Master, backup routers              | AVG, AVF
Load balance       | Multiple groups, different gateways | Multiple groups, different gateways | Single group, single gateway
Interface tracking | Yes                                 | No                                  | Yes
Default pre-empt   | No                                  | Yes                                 | No
Virtual MAC        | 0000.0c07.acxx                      | 0000.5e00.01xx                      | Assigned by AVG


LESSON 14: SUPERVISOR-POWER REDUNDANCY
Modular Switch Chassis

Switch Supervisors
• Modular switches have multiple modules and are controlled by supervisor engines
• Supervisor engines contain the console port, startup-configuration, IOS image etc
• If the supervisor engine fails, packets will not be routed and interfaces will go down

Redundant Supervisors
• Catalyst 4500R and 6500 switches accept two SUP modules installed in a single chassis
• The first sup module boots up and becomes the active supervisor for the chassis
• The second sup module remains in standby mode
• If the first sup fails, the standby sup becomes active


Supervisor Redundancy Modes
• Redundant supervisor modules can be configured in 3 modes
  o RPR – Route Processor Redundancy
  o RPR+ – Route Processor Redundancy Plus
  o SSO – Stateful Switch Over
• These modes indicate the readiness of the standby supervisor
• The failover time depends on the readiness of the standby supervisor
• These modes affect how the two supervisors handshake and synchronize information

RPR
• RPR – Route Processor Redundancy
• The redundant supervisor is only partially booted and initialized
• When the active sup fails, the standby sup must reload every other module in the switch and then initialize all the supervisor functions
• Takes more time (around 2 minutes)

RPR+
• RPR+ – Route Processor Redundancy Plus
• The redundant supervisor is booted, and the supervisor and route engines are initialized
• Layer 2 or Layer 3 functions are not started
• When the active sup fails, the standby module completely initializes without reloading the other switch modules
• Switchports remain in their states
• Takes average time (around 30 seconds)

SSO
• SSO – Stateful Switch Over
• The redundant supervisor is fully booted and initialized
• Both the startup-config and running-config are synchronized between the sup modules
• L2 information is maintained on both supervisors, so hardware switching can continue during a failover
• Links do not flap during a failover
• With NSF options, L3 routing protocol initialization and convergence also synchronize
• Takes less time (around 1 sec)

Router Processing Modes (SRM-DRM)
• Router processing modes
  o SRM – Single Router Mode: two route processors are used, but only one is active at any time
  o DRM – Dual Router Mode: two route processors are used and both are active at any time

• RPR and RPR+ have only one active supervisor. The route processor portion is not initialized or used on the standby unit
• SRM uses two route processors (one is active). RPR and RPR+ use only one route processor, so SRM is not compatible with RPR or RPR+
• SSO uses two route processors, which brings up the standby route processor. SRM is inherent with SSO. This is called SRM with SSO

Redundancy Modes
Mode | Standby mode readiness | Supported platforms                                                      | Failover time
RPR  | Good                   | Catalyst 6500 supervisors 2 and 720, Catalyst 4500R supervisors 4 and 5 | > 2 minutes
RPR+ | Better                 | Catalyst 6500 supervisors 2 and 720                                      | > 30 seconds
SSO  | Best                   | Catalyst 6500 supervisor 720, Catalyst 4500R supervisors 4 and 5        | > 1 second

Supervisor Redundancy
• By default, the active supervisor synchronizes its startup-config and config-register values with the standby supervisor
• Configuration is required to synchronize other information

NSF
• NSF – Non Stop Forwarding
• NSF is used to quickly rebuild the routing information base (RIB) table after a supervisor switchover
• The RIB is used to generate the FIB for CEF
• The FIB is downloaded to any switch modules or hardware that perform CEF
• NSF gets assistance from other NSF-aware neighbors
• These neighbors provide routing information to the standby supervisor, which allows it to build the RIB quickly
• NSF is a cisco proprietary feature
• NSF is supported along with SSO on catalyst 4500R supervisors 3, 4, 5 and 6500 supervisor 720 (integrated MSFC3)
• NSF is supported on IOS 12.2(20)EWA or later
• NSF is supported by the BGP, OSPF, EIGRP and IS-IS routing protocols

NSF Configuration

Redundant Power Supply
• 6500 and 4500R platforms can accept two power supply modules in a single chassis
• The power supplies must be identical, having the same power input and max power output ratings
• Two possible power modes
  o Combined mode
    Both power modules work together to share the total power load for all modules
    Used for large power requirements like PoE for IP telephones
    It doesn't provide power redundancy
    If a power supply fails, the switch powers down some of the modules, until the power requirement is met by the one functioning power supply
  o Redundant mode
    Each of the installed power supplies can supply the total power load that is required by the whole switch chassis
    If one power supply fails, the other can carry the total power load, without powering down any module
• Redundant mode is the default mode
• It's not possible to identify which power supply is actually powering the switch, until one of them is turned off or fails

• Some devices need inline power (PoE) to operate (Cisco IP phones, wireless APs)
• These devices request a power budget when they initialize (and more budget at later times)
• The power budget requests are sent in CDP exchanged between the devices and the switch

LESSON 15: IP TELEPHONY
PoE
• PoE – Power over Ethernet
• A Cisco IP phone must have power to operate
• Power can come from two sources
  o External AC adapter: wall warts provide 48V DC power
  o PoE: 48V DC inline power that comes from the Catalyst switch over the network cable
• PoE has the benefit that it can be managed, monitored and offered to the IP phone
• The end device has to send a power budget request in order to get PoE
• The switch can't offer PoE to a PC, because PCs don't send any power request
• PoE is available on many platforms like the 3750, Catalyst 4500 and 6500
• PoE methods
  o ILP – Inline Power: Cisco proprietary method
  o IEEE 802.3af: open standard method, vendor interoperability

Detecting a Powered Device
• In the Cisco ILP method, the switch sends a 340KHz test tone on the transmit pair of the twisted pair Ethernet cable
• A powered device (IP phone) loops the 340KHz test tone back
• The switch port can hear its test tone looped back
• Then the switch knows the presence of the powered device and offers inline power
• In IEEE 802.3af, the switch supplies a small voltage across the transmit and receive pairs of the copper twisted pair connection
• Then the resistance is measured
• If a 25Kohm resistance is measured, the switch knows the presence of a powered device
• The switch then determines to which power class the powered device belongs

IEEE 802.3af power classes
Power class   Max power offered at 48V DC   Notes
0             15.4 W                        Default class
1             4.0 W                         Optional class
2             7.0 W                         Optional class
3             15.4 W                        Optional class
4             –                             Reserved for future use

Supplying Power to a Device
• A switch first offers the default power allocation to the powered device
• On the 3750-24-PWR, an IP phone receives 15.4 W (0.32 Amps at 48V DC)
• For Cisco ILP, inline power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) at 48V DC
• For IEEE 802.3af, power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) or over pairs 1 and 4 (RJ-45 pins 4-5, 7-8)
• Later the power budget can be changed from the default to a more appropriate value
• Cisco ILP uses CDP for the power budget decision
• IEEE 802.3af uses power classes for the power budget decision

PoE configuration

PoE Switchports
• A Catalyst switch waits for 4 seconds after inline power is applied to a port
• Don't connect a non-powered device (PC) immediately to the port after disconnecting a powered device from the port
• Wait for 10 seconds before connecting anything back into the same port. Otherwise power delivery may damage the device

1p 802. a special case trunk is negotiated by DTP and CDP Voice VLAN Modes Mode Vlan-id Dot1p Untagged none (default) Native VLAN (untagged) PC data PC data PC data / voice PC data / voice (access vlan) Voice VLAN VLAN vlan-id VLAN 0 Voice QoS (CoS Bits) 802.COM 9553.9553.1p 802. link. NAGABABU NAGACISCO@GMAIL. only the switchport need to be configured w with ith selected mode Switch instructs the phone to follow the selected mode In case of trunk-link.9000235254 P.07 Voice VLAN • Cisco IP phone can provide data connection for PC.1p 97 | P a g e This material is valid till 31st Nove ovember 2011. along with voice stream • Single Ethernet IO (information outlet) is enough to provide connectivity for both PC and cisco IP phone • • • • • • With trunk mode the voice traffic is encapsulated over a unique voice VLAN called as voice VLAN ID or VVID With access mode the voice traffic is encapsulated over regular data VLAN called as native vlan or port VLAN ID or PVID The QoS information from the voice packets must be carried To configure IP phone uplink. New material is available on 1st Decem cember 2011 .


• The most versatile mode uses the vlan-id
• Voice and user data are carried over separate VLANs
• VoIP packets in the voice VLAN also carry the CoS bits in 802.1p

Voice VLAN – Data VLAN
• The trunk contains only two VLANs
• A voice VLAN (tagged VVID) and the data VLAN
• The switch port's access VLAN is used as the data VLAN (for the PC)
• If the IP phone is removed and a PC is connected to the same switch port, the PC can still operate because the data VLAN appears as the access VLAN
• The IP phone special-case 802.1Q trunk is not shown as a trunk port in the switch configuration
• STP runs with two instances, one for the voice VLAN and one for the data VLAN

Voice QoS
• QoS – Quality of Service
• It is the method used in a network to protect and prioritize time-critical or important traffic
• QoS needs to be implemented for voice traffic and video traffic
• Voice packets need to be delivered in the most timely fashion, with little jitter, little loss and little delay
• Generally users can't tolerate delay in voice or video traffic

Packet flow
• Factors that influence packet flow
  o Delay: The time required for a router or switch to perform table lookups. The total delay from source to destination is called latency
  o Jitter: The variation in delay is called jitter. With jitter, consecutive packets arrive at different time intervals. Audio and video streams are easily affected by jitter
  o Loss: Packets dropped without delivery because of a congested or error-prone network

QoS
• To protect packets from delay, jitter and loss, QoS can be implemented
• 3 basic types of QoS
  o Best-effort delivery
  o Integrated services model
  o Differentiated services model

Best Effort Delivery
• The intermediate devices like switches and routers forward the traffic with "best effort"
• There is no real QoS
• The interested traffic must stay along with the remaining traffic

Integrated Services (IntServ)
• A path is reserved in advance from source to destination by RSVP
• RSVP – Resource Reservation Protocol
• The source application requests QoS parameters through RSVP
• Each network device along the path checks whether it supports the QoS request
• QoS is applied on a per-flow basis
• No scalability

Differentiated Services (DiffServ)
• No advance path reservation
• Packet headers contain QoS information
• Each device handles packets individually based on the QoS bits
• Devices prioritize the interested traffic by holding back the normal traffic
• QoS is applied on a per-hop basis
• Offers QoS scalability
• The DiffServ model can offer premium services to voice traffic

• DiffServ is per-hop behavior
• Each router or switch checks the QoS information in every packet to decide how to forward the packet
• The packet headers contain some flags, classifications, or markings that can be used to make a forwarding decision based on QoS policies that are configured on each router or switch along the path

L2 QoS Classification
• L2 switches follow best-effort to forward the frames
• No QoS mechanism for normal Ethernet frames
• QoS occurs between switches for tagged Ethernet frames
• Tagged Ethernet frames carry CoS (Class of Service) bits
• CoS bits are lost when the frame is untagged at the far-end switch

• This 6-bit DS value is known as DSCP
• DSCP – Differentiated Service Code Point
• The DSCP value is examined by DiffServ network devices
• The DS and ToS bytes are the same (occupying the same location in the IP header)
• DSCP bits are arranged for compatibility with the 3-bit IP precedence
• So non-DiffServ devices can still interpret some QoS information

IP Precedence (3 bits) and DSCP (6 bits)
• Routine, value 0, bits 000: Per-hop behavior Default; code-point Default, DSCP bits 000 000 (0)
• Priority, value 1, bits 001: Per-hop behavior AF, class selector 1; drop precedence 1 (Low) AF11 001 010 (10), 2 (Medium) AF12 001 100 (12), 3 (High) AF13 001 110 (14)
• Immediate, value 2, bits 010: Per-hop behavior AF, class selector 2; drop precedence 1 (Low) AF21 010 010 (18), 2 (Medium) AF22 010 100 (20), 3 (High) AF23 010 110 (22)
• Flash, value 3, bits 011: Per-hop behavior AF, class selector 3; drop precedence 1 (Low) AF31 011 010 (26), 2 (Medium) AF32 011 100 (28), 3 (High) AF33 011 110 (30)
• Flash Override, value 4, bits 100: Per-hop behavior AF, class selector 4; drop precedence 1 (Low) AF41 100 010 (34), 2 (Medium) AF42 100 100 (36), 3 (High) AF43 100 110 (38)
• Critical, value 5, bits 101: Per-hop behavior EF; code-point EF, DSCP bits 101 110 (46) (of 40-47, only 46 is used)
• Internetwork control, value 6, bits 110: DSCP 48-55
• Network control, value 7, bits 111: DSCP 56-63

L3 QoS Classification
• Three class selector bits (DS5, DS4, DS3) classify packets into eight classes
• Class 0 is the default class and offers only best-effort forwarding
• Classes 1-4 are called AF (assured forwarding) service levels. Higher AF class numbers indicate higher-priority traffic
• Class 5 is known as EF (expedited forwarding) and indicates premium service. EF is given to time-critical data such as voice traffic
• Class 6 is for internetwork control
• Class 7 is for network control
• Routers and switches use classes 6 and 7 for STP and routing protocols, which offers timely delivery of packets for network stability
• Three bits (DS2, DS1, DS0) are drop precedence bits. DS0 is always 0
• 3 levels of drop precedence
  o Low (1)
  o Medium (2)
  o High (3)
• A lower drop precedence value gives better service
• AF21 means AF level 2 with drop precedence 1
• To manipulate packets according to QoS policies, a switch must identify which level of service each packet should receive
• This is called classification of packets
• Each packet is classified according to the type of traffic (TCP/UDP)
• Each switch must decide whether to trust the incoming QoS values (QoS bits)
• If the switch trusts the QoS values, they are carried over and used to make QoS decisions
• If the switch doesn't trust the QoS values, they are reassigned or overruled

QoS Configuration

Auto QoS
• The Auto QoS feature automatically configures advanced QoS parameters
• The Auto QoS feature is enabled by a macro command
• Auto QoS handles
  o Enabling QoS
  o CoS-to-DSCP mapping for QoS marking
  o Ingress and egress queue tuning
  o Strict priority queues for egress voice traffic
  o Establishing an interface QoS trust boundary
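The IP phone port pieces of this lesson (PoE, voice VLAN, QoS trust boundary and the Auto QoS macro) together, as an added example that is not part of the original notes; the interface names and VLAN numbers are assumed values.

```cisco
! Added example (not from the original notes): an IP phone access port on a
! Catalyst 3750 with PoE, a voice VLAN and a QoS trust boundary. Interface
! names and VLAN numbers are assumed values.
Switch(config)# mls qos
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
! Offer inline power only after the device requests it (CDP or 802.3af class)
Switch(config-if)# power inline auto
! Trust the phone's CoS marking only while CDP confirms a Cisco IP phone is
! attached; frames from a bare PC on the same port are re-marked to CoS 0
Switch(config-if)# mls qos trust cos
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# spanning-tree portfast
Switch(config-if)# exit
! The same trust boundary and queue tuning in one step with the Auto QoS macro
Switch(config)# interface FastEthernet0/6
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# auto qos voip cisco-phone
Switch(config-if)# exit
! Verification: trust state, and the power budget actually granted to the phone
Switch# show mls qos interface FastEthernet0/5
Switch# show power inline FastEthernet0/5
```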

LESSON 16: SECURE SWITCH ACCESS
Switch Port Security

• Catalyst switches offer a port security feature based on the MAC addresses of the connected systems
• Unauthorized MAC addresses can't gain access and are disconnected from the network
• Port security is not enabled by default
• In switches, port security can be enabled on a per-interface basis
• Port security is applied only to access ports

• By default the sticky feature is used for port security, so that ports learn MAC addresses from the connected systems dynamically
• By default no aging occurs for sticky MAC addresses

Port-Security Violation
• A security violation occurs if more than the specified number of MAC addresses are learned on the port
• Port security defines what action the port has to take in case of a security violation
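A port security configuration for a user port, as an added example that is not part of the original notes; the interface names, address limit and aging values are assumed.

```cisco
! Added example (not from the original notes): port security on user access
! ports. Interface names, the address limit and timers are assumed values.
! Minimal form: port security with all defaults (max 1 MAC, violation mode
! shutdown) - a second device seen on the port err-disables it
Switch(config)# interface FastEthernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# exit
! Tuned form for a PC behind an IP phone: allow 2 addresses, learn them as
! sticky so they are written to the running-config and survive a reload, and
! use restrict so a violation is logged and counted instead of taking the port down
Switch(config)# interface FastEthernet0/11
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
! Age out learned addresses after 60 minutes without traffic (sticky entries are not aged by default)
Switch(config-if)# switchport port-security aging time 60
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit
! Ports that were err-disabled by a violation: recover automatically after 5 minutes
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
! Verification: violation counters, last offending source and the learned addresses
Switch# show port-security interface FastEthernet0/11
Switch# show port-security address
```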

Port-Security

Port-Based Authentication
• Catalyst switches support port-based authentication, a combination of AAA authentication and port security
• IEEE 802.1x standard
• The switch will not accept data until the user is authenticated
• For port-based authentication, both the switch and the PC must support the 802.1x standard
• 802.1x uses EAPOL – Extensible Authentication Protocol over LANs (L2 protocol)
• The client PC must have 802.1x-capable software in order to initiate the authentication session with the switch
• The authentication session closes when the user logs out

• Port-based 802.1x authentication can be handled by RADIUS servers
• RADIUS – Remote Authentication Dial In User Service
• Only RADIUS is supported for 802.1x
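The switch side of 802.1x with a RADIUS server, as an added example that is not part of the original notes; the server address, shared key placeholder and interface names are assumed values.

```cisco
! Added example (not from the original notes): 802.1x port-based authentication
! against a RADIUS server. Server address, key and interfaces are assumed values.
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
! 802.1x sessions authenticate through the RADIUS group; only RADIUS is supported here
Switch(config)# aaa authentication dot1x default group radius
! Enable 802.1x globally, then per user port
Switch(config)# dot1x system-auth-control
Switch(config)# interface FastEthernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x pae authenticator
! auto: port stays unauthorized (only EAPOL passes) until the supplicant succeeds
Switch(config-if)# dot1x port-control auto
Switch(config-if)# exit
! Uplinks and server ports never run a supplicant: leave them force-authorized (the default)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# dot1x port-control force-authorized
Switch(config-if)# exit
! Verification: per-port state and which sessions are authorized
Switch# show dot1x interface FastEthernet0/12
Switch# show dot1x all summary
```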

Port-Based Authentication

Mitigating Spoofing Attacks
• An attacker can become a man-in-the-middle by working like a rogue gateway
• Hosts send packets to this rogue gateway; the attacker can glean information from the packets before forwarding them normally
• Switches can be protected from these spoofing attacks
• Switch features to mitigate spoofing attacks
  o DHCP snooping
  o IP Source Guard
  o Dynamic ARP Inspection

DHCP Snooping
• An attacker may bring up a rogue DHCP server that assigns a spoofed gateway to the hosts
• Then the hosts try to send information to this spoofed gateway
• Switches can be configured with the DHCP snooping feature to mitigate these attacks
• With DHCP snooping, ports are categorized into trusted and untrusted ports
• Legitimate DHCP servers should be connected to trusted ports
• If a DHCP reply comes from an untrusted port, it is discarded and the offending switch port is automatically shut down in the errdisable state
• DHCP snooping can keep track of the completed DHCP bindings. This database contains the client MAC, the IP address offered, the lease time, etc.

IP Source Guard
• A host can use spoofed IP addresses to misguide other hosts in a subnet or VLAN
• If a host uses random spoofed IP addresses, the return traffic will not find its way back
• Spoofed IP addresses are used to disguise the origin of Denial-of-Service attacks
• Switches use the IP Source Guard feature to mitigate spoofed IP address attacks
• The IP Source Guard feature uses the DHCP snooping database and static IP source binding entries to mitigate spoofed IP attacks
• The source IP must match the IP address learned by DHCP snooping or a static entry
• The source MAC address must match the MAC address learned on the switch port
• If the addresses do not match, the switch drops the frames coming from the port
• Before configuring IP Source Guard,
  o First DHCP snooping should be enabled to detect spoofed IP addresses
  o and port security should be enabled to detect spoofed MAC addresses

Dynamic ARP Inspection
• An attacker can send spoofed ARP replies to ARP requests and become a man-in-the-middle
• The hosts will add this bogus ARP information to their cache and send packets to the attacker
• This attack is called ARP poisoning or ARP spoofing
• Catalyst switches have the DAI (Dynamic ARP Inspection) feature to mitigate these attacks
• The ports are categorized into trusted ports and untrusted ports
• ARP inspection is done only on untrusted ports
• No inspection is done on trusted ports
• The switch gets its legitimate ARP database from static entries or DHCP snooping
• If an ARP reply arrives on an untrusted port, the switch compares the IP and MAC against its legitimate ARP database
• If the switch finds invalid or conflicting values, it drops the frame and generates a log message
• For hosts with static IP addresses, no DHCP snooping database entry exists
• So an ARP ACL should be configured to permit the static IP-MAC combinations
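DHCP snooping, IP Source Guard and Dynamic ARP Inspection configured together on one access VLAN, as an added example that is not part of the original notes; the VLAN, interface names and the static host's IP and MAC are assumed values (IP Source Guard keyword syntax varies by platform; the 3750 form is used here).

```cisco
! Added example (not from the original notes): DHCP snooping, IP Source Guard
! and DAI on VLAN 10. VLAN, interfaces and the static host's addresses are assumed.
! --- DHCP snooping: only the uplink toward the real DHCP server is trusted ---
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Do not insert option 82 unless the DHCP server expects it
Switch(config)# no ip dhcp snooping information option
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description Uplink toward distribution and DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Access ports stay untrusted: DHCP replies are dropped there and requests are
! rate-limited so one host cannot flood the snooping process
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# ip dhcp snooping limit rate 10
! --- IP Source Guard: source IP and MAC checked against the binding table.
! Port security supplies the MAC check, as the notes above require ---
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# ip verify source port-security
Switch(config-if-range)# exit
! --- Dynamic ARP Inspection on the same VLAN ---
Switch(config)# ip arp inspection vlan 10
! Also require the ARP body addresses to agree with the Ethernet header
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! A statically addressed host has no snooping binding: add one for IP Source
! Guard, and an ARP ACL so DAI permits its IP-MAC pair
Switch(config)# ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/7
Switch(config)# arp access-list STATIC-HOSTS
Switch(config-arp-nacl)# permit ip host 10.1.10.50 mac host 0011.2233.4455
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter STATIC-HOSTS vlan 10
! Verification: bindings, per-port IPSG state, DAI state and drop counters
Switch# show ip dhcp snooping binding
Switch# show ip verify source
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection statistics vlan 10
```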

Securing Switches
• Configure secure passwords
  o Configure switches with secure passwords
  o Protect all the lines
  o Enable secret password for privilege mode
  o Service password-encryption for password encryption
  o AAA servers can be used for authentication
• Use system banners
  o Banners display a message at the time of user login
  o This message can be used to warn unauthorized users
  o As a welcome message to authorized users
  o Banner motd configures the login message
• Secure the web interface
  o The web interface can be disabled by no ip http server
  o Switches can be accessed with the https web interface if they support ip http secure-server
    access-list acl-no permit ip-address match
    ip http access-class acl-no
• Secure the switch console
  o Switch console connectivity needs to be secured even though physical security is implemented at wiring closets and datacenters
• Secure virtual terminal access
  o Only authorized hosts should be allowed to access the switch vty lines
    access-list acl-no permit ip-address match
    line vty 0 15
    access-class acl-no in
    show users all
• Use SSH whenever possible
  o Telnet sessions are not secure because session data goes as clear text characters
  o SSH uses strong encryption to secure session data
  o It's always better to use SSH as the transport input
  o SSHv2 is more secure than v1 and v1.5
• Secure SNMP access
  o To prevent unauthorized configuration changes, RW SNMP access can be disabled
    no snmp-server community string RW
  o RO SNMP access can be configured with an access-list to limit the source addresses that have read-only access

• Secure unused switch ports
  o Every unused switchport should be disabled to prevent users from using them
  o Every user switchport should be configured as an access port, so that trunk negotiation can't happen
  o switchport host can be applied to support only one PC on a switchport
• Secure STP operation
  o Malicious users can inject STP BPDUs to disrupt the STP loop-free topology
  o The BPDU guard feature can be enabled to prevent unexpected BPDUs
• Secure CDP usage
  o CDP packets are sent out every 60 seconds
  o It's recommended to enable CDP only on the ports where trusted Cisco devices are connected
  o This prevents advertising unnecessary information to listening attackers
  o CDP must be enabled on ports where IP phones appear
  o no cdp enable disables CDP on an interface
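The "Securing Switches" checklist above applied to one access switch, as an added example that is not part of the original notes; the hostname, domain name, ACL number, management subnet, community names and interface ranges are assumed values and the secrets are placeholders.

```cisco
! Added example (not from the original notes): management-plane and port
! hardening from this section. Names, addresses, ACL number and interface
! ranges are assumed values; secrets are placeholders.
Switch(config)# service password-encryption
Switch(config)# enable secret ENABLE-SECRET-PLACEHOLDER
Switch(config)# username admin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
Switch(config)# banner motd ^ Authorized access only. Activity is monitored. ^
! SSH needs a hostname, a domain name and an RSA key before version 2 can be forced
Switch(config)# hostname Access1
Access1(config)# ip domain-name example.net
Access1(config)# crypto key generate rsa modulus 2048
Access1(config)# ip ssh version 2
! vty lines: management subnet only, SSH only, local login, idle timeout
Access1(config)# access-list 10 permit 10.1.1.0 0.0.0.255
Access1(config)# line vty 0 15
Access1(config-line)# access-class 10 in
Access1(config-line)# transport input ssh
Access1(config-line)# login local
Access1(config-line)# exec-timeout 10 0
Access1(config-line)# exit
! Web interface: plain HTTP off, HTTPS restricted to the same ACL
Access1(config)# no ip http server
Access1(config)# ip http secure-server
Access1(config)# ip http access-class 10
! SNMP: remove the RW community ("private" assumed), restrict RO to the ACL
Access1(config)# no snmp-server community private RW
Access1(config)# snmp-server community RO-COMMUNITY-PLACEHOLDER RO 10
! Unused ports: access mode, parked in an unused VLAN, no DTP, shut down
Access1(config)# interface range FastEthernet0/20 - 24
Access1(config-if-range)# switchport mode access
Access1(config-if-range)# switchport access vlan 999
Access1(config-if-range)# switchport nonegotiate
Access1(config-if-range)# shutdown
Access1(config-if-range)# exit
! User ports: the switchport host macro (access mode, PortFast, no channel),
! BPDU guard, and CDP off except where an IP phone is expected
Access1(config)# interface range FastEthernet0/1 - 19
Access1(config-if-range)# switchport host
Access1(config-if-range)# spanning-tree bpduguard enable
Access1(config-if-range)# no cdp enable
Access1(config-if-range)# exit
Access1(config)# interface FastEthernet0/5
Access1(config-if)# description IP phone port - CDP needed for voice VLAN and PoE budget
Access1(config-if)# cdp enable
Access1(config-if)# exit
! Alternatively, enable BPDU guard on every PortFast port at once
Access1(config)# spanning-tree portfast bpduguard default
```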

LESSON 17: SECURE VLANS
VACLs
• VACL – VLAN ACL
• The traffic between VLANs can be filtered with ACLs
• ACLs (Router ACLs – RACLs) are compiled and fed into the TCAM
• VLAN ACLs are filters that can control traffic within a VLAN
• VACLs are also compiled and fed into the TCAM
• VACLs are similar to route-maps (with a series of matching conditions and actions to take)
• First a VLAN access map is created, which consists of statements with sequence numbers
• Each statement can contain one or more matching conditions, followed by an action
• Matching conditions can be verified by IP, IPX or MAC address ACLs
• They are evaluated in sequence by sequence number
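A VACL built the way the bullets above describe (sequenced access-map statements, each with a match and an action, applied to a VLAN list), as an added example that is not part of the original notes; the VLAN, subnet, server address and names are assumed values.

```cisco
! Added example (not from the original notes): a VACL that lets hosts in VLAN 10
! reach the file server only over HTTPS while leaving all other traffic inside
! the VLAN alone. VLAN, addresses and names are assumed values.
Switch(config)# ip access-list extended SRV-HTTPS
Switch(config-ext-nacl)# permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.200 eq 443
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended SRV-ANY
Switch(config-ext-nacl)# permit ip 10.1.10.0 0.0.0.255 host 10.1.10.200
Switch(config-ext-nacl)# exit
! Statements are tried in sequence-number order; the first match decides
Switch(config)# vlan access-map VLAN10-FILTER 10
Switch(config-access-map)# match ip address SRV-HTTPS
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map VLAN10-FILTER 20
Switch(config-access-map)# match ip address SRV-ANY
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
! A statement with no match clause matches everything else; without it the
! access map's implicit deny would drop all remaining traffic in the VLAN
Switch(config)# vlan access-map VLAN10-FILTER 30
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
! Apply the map to the VLAN; it filters traffic bridged within VLAN 10
Switch(config)# vlan filter VLAN10-FILTER vlan-list 10
Switch# show vlan access-map VLAN10-FILTER
Switch# show vlan filter
```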

Private VLANs
• In some cases, the hosts in a VLAN need not communicate with each other
• But they need to communicate with a common gateway
• Private VLANs can be used to solve these issues
• Private VLANs are special VLANs that allow traffic only between specified VLANs
• Private VLANs are of two types
  o Primary VLAN
  o Secondary VLAN
• Secondary VLANs must be associated with primary VLANs
• Secondary VLANs cannot communicate with each other
• Secondary VLANs can communicate only with the associated primary VLAN
• VTP does not carry any information about private VLANs
• Private VLANs are locally specific to the switch
• Secondary VLANs are of two types
  o Isolated
  o Community

Ports associated with   Communication with same VLAN ports   Communication with other secondary VLAN ports   Communication with primary VLAN ports
Isolated                No                                   No                                              Yes
Community               Yes                                  No                                              Yes

• Private VLAN port types
  o Promiscuous
    The switchport communicates with anything else connected to the primary or secondary VLANs
    Typically connected to a router, firewall or common gateway device
  o Host
    The switchport connects to a regular host that resides on an isolated or community VLAN
    This port communicates with a promiscuous port or with ports in the same community VLAN

Private VLAN Configuration

Private VLAN configuration – Example 1: Configuring ports with private VLANs
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fa 0/1 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 10

Switch(config)# interface range fa 0/6 - 10
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 20
Switch(config)# interface range fa 0/11 - 16
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 30
Switch(config)# interface fa 0/24
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30

Private VLAN configuration – Example 2: Associating secondary VLANs to the primary VLAN SVI
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50
Switch(config-vlan)# exit
Switch(config)# interface vlan 200
Switch(config-if)# ip address 192.168.200.1 255.255.255.0
Switch(config-if)# private-vlan mapping 40,50

Securing VLAN trunks
• If a switch port is left at the default configuration (dynamic desirable), an attacker PC may send DTP packets to negotiate a trunk, and the port becomes a trunk port
• So the attacker may get access to other VLANs' data
• To avoid these attacks, the switchport should be configured in access mode if a PC is connected
• DTP negotiation will not happen if the port is set to access mode

VLAN Hopping Attack
• VLAN hopping attacks occur because of the use of untagged native VLANs
• These attacks can be avoided by
  o Setting the native VLAN of a trunk to a bogus or unused VLAN ID
  o Pruning the native VLAN at both ends of the trunk link
• Even though the native VLAN is pruned from the trunk link, CDP, PAgP and DTP still carry management information as a special case
• The switch carries management information on the native VLAN, even though the native VLAN is not in the list of allowed VLANs

VLAN Hopping Attacks – Security Configuration Example
Configuring an 802.1q trunk to carry only VLANs 10 and 20
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gig 0/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk
• Another method to avoid VLAN hopping attacks is to force the native VLAN to be tagged
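The trunk and access-port hardening from "Securing VLAN trunks" and "VLAN Hopping Attack" combined, including the tagged-native-VLAN method mentioned last, as an added example that is not part of the original notes; the interface and VLAN numbers are assumed values.

```cisco
! Added example (not from the original notes): trunk tightened against VLAN
! hopping and DTP abuse. Interface and VLAN numbers are assumed values.
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! No DTP frames at all: the far end must be configured as a trunk explicitly
Switch(config-if)# switchport nonegotiate
! Unused native VLAN, and an explicit allowed list instead of "everything but 800"
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# exit
! Tag the native VLAN on every trunk: an untagged frame is then never accepted
! or forwarded as native-VLAN traffic, which removes the double-tag hop
Switch(config)# vlan dot1q tag native
! User ports: fixed access mode with DTP disabled, so a host cannot negotiate a trunk
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
! Verification: mode, native VLAN and the allowed/active VLAN lists of the trunk
Switch# show interfaces GigabitEthernet0/2 trunk
Switch# show interfaces GigabitEthernet0/2 switchport
```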

LESSON 18: WLANS
Wireless
• A shared Ethernet segment works at half duplex
• A switched Ethernet segment works at full duplex
• A WLAN operates at half duplex
• Full duplex is possible in a WLAN if the transmitting and receiving frequencies are different
• 802.11 standards permit only half duplex
• 802.3 uses the CSMA/CD mechanism, 802.11 uses the CSMA/CA mechanism

Collisions
• When a transmitting wireless station transmits a frame, the receiving wireless station must send an acknowledgement to confirm the frame is received error-free
• 802.11 uses the CSMA/CA mechanism, which tries to avoid collisions by setting a random back-off timer
• A WLAN uses the DCF (distributed coordination function) process, which tries to avoid collisions
• In 802.11 every station has to wait for a short amount of time called DIFS (DCF interframe space) before transmitting anything

DCF Process

RTS/CTS Mechanism

WLAN
• In a WLAN, clients communicate through an intermediate AP (access point)
• The AP matches some parameters before accepting any client association
  o SSID
  o Compatible wireless data rate
  o Authentication credentials
• SSID is the Service Set Identifier, a text string included in every wireless frame
• Generally the SSID is the AP's wireless card MAC address
• The SSID is similar to a VLAN ID in switching networks

IBSS

BSS

9553. New material is available on 1st Decemb ember 2011 120 | P a g e .COM 9553. NAGABABU NAGACISCO@GMAIL.9000235254 ESS P.07 AP Operation • AP is responsible to maintain the WLAN • It can cover a limited number of clients • Multiple APs can be used to cover more number of clients • AP can connect wireless network with wired network • AP supports open authentication or shared key authentication Mapping VLANs to SSID This material is valid till 31st Novem ovember 2011.

• The AP uses multiple SSIDs and maps them to VLANs
• End users will use the appropriate SSID that has been mapped to the respective VLAN

CELL
• A cell is the coverage area of an AP
• The cell range is defined by AP capacity and antenna pattern
• The cell pattern is 3-dimensional
• AP locations must be carefully planned with live measurements of signal strength and quality
• All the clients must be placed within the cell for AP association
• Small cells are called microcells and very small cells are picocells

Roaming
• To cover a wide area, more APs can be used
• Adjacent APs can use different frequencies to avoid interference in the overlapping area
• Moving a client association from AP to AP is called roaming
• If the client keeps the same IP while roaming, it is called L2 roaming
• If the client changes its IP while roaming, it is called L3 roaming

Traditional WLAN architecture
• In a traditional WLAN, the AP works as an autonomous AP having its own security policies
• It becomes very difficult to manage the network if many autonomous APs exist

Cisco Unified WLAN Architecture
• The Cisco Unified WLAN architecture provides centralized capabilities
  o WLAN security
  o WLAN deployment
  o WLAN management
  o WLAN control

WLAN Architectures Comparison

Cisco Unified WLAN Architecture Features
• LAP – Lightweight Access Point
  o The LAP performs only the real-time 802.11 operation
• WLC – Wireless LAN Controller
  o All management functions are performed on the WLC
  o The LAP totally depends on the WLC
  o A WLC is common to many LAPs
• The LAP and WLC form a tunnel between them to carry 802.11 related messages and client data
• The LAP and WLC need not be on the same subnet or VLAN
• The tunnel encapsulates the data between the LAP and WLC within new IP packets
• The tunneled data can be switched or routed across the campus network

WLC Functions
• Dynamic channel assignment
  o Chooses and configures the RF channel used by each LAP
• Transmit power optimization
  o Sets the transmit power of each LAP based on the coverage area needed
• Self-healing wireless coverage
  o If a LAP radio dies, the coverage area is healed by turning up the surrounding LAPs
• Flexible client roaming
  o A client can have L3 or L2 roaming with very fast roaming times
• Dynamic client load balancing
  o If more LAPs cover the same area, load balancing occurs
• RF monitoring
  o Gathers information about RF interference, noise, and signals from surrounding APs
• Security management
  o The WLC negotiates security parameters before accepting a client association

WLC Platforms
Model                          Interface                                                                                Attribute
2100                           8 10/100 TX                                                                              Handles up to 6, 8, 12, 25 LAPs
4402                           2 GigE                                                                                   Handles up to 12, 25, 50 LAPs
4404                           4 GigE                                                                                   Handles up to 100 LAPs
5500                           8 GigE                                                                                   Handles up to 12, 25, 50, 100, 250 LAPs
WiSM                           4 GigE bundled in an EtherChannel for each controller; Catalyst 6500 module with two WLCs   Handles up to 300 LAPs (150 per controller); up to 5 WiSMs in a single chassis
WLC module for ISR routers     Can be integrated in 2800 and 3800 routers                                               Handles up to 6, 8, 12, 25 LAPs
Catalyst 3750G integrated WLC  Integrated in a 24-port 10/100/1000 TX switch                                            Handles up to 50 LAPs per switch, up to 200 LAPs per switch stack

WCS
• WCS – Wireless Control System
• WCS is an optional server platform that can be used as a single GUI front-end to all WLCs in a campus network
• WCS can locate a wireless client by triangulating the client's signal as received by multiple APs
• 802.11 RFID tags can be deployed to track objects as they move around in the wireless coverage area

LAP
• The LAP is designed for zero-touch configuration
• The LAP finds the WLC and obtains its configuration parameters from the WLC
• A LAP can maintain a list of up to three WLCs (primary, secondary, tertiary)
• A LAP is always joined and bound to exactly one WLC at any time
• If the WLC fails, the LAP reboots and searches for a live WLC again
• Client associations are dropped and no data passes during this time
• HREAP (Cisco Hybrid Remote Edge Access Point) is a special case, where LAPs are separated from the WLC by a WAN link
• HREAP works like an autonomous AP

Traffic Pattern (figure)

Roaming
• To make client roaming faster and easier, all client associations can be managed in a central location
• The LAP supports L2 and L3 roaming with the help of the WLC
• The client association is always contained within the LWAPP or CAPWAP tunnel

Intra Controller Roaming (figure)

Inter Controller Roaming – L2 (figure)

Inter Controller Roaming – L3 (figure)

Mobility Groups
• In inter controller roaming, WLCs must exchange client association information
• For this, WLCs are configured into logical mobility groups
• A client can roam to any LAP and its associated WLC within the mobility group
• If the client moves to a LAP in a different mobility group, the WLC drops the session information, client association and IP address
• A mobility group can have up to 24 WLCs of any platform
• The number of LAPs in a mobility group depends on the number of WLCs

Autonomous AP (figure)

Light Weight AP (figure)
