CCNP
CISCO CERTIFIED NETWORK PROFESSIONAL
AHMED ABDELFATAH
CCNP R&S Switch 300-115 / ILT Course 2016
a.abdelfatah91@gmail.com
COURSE INTRO
COURSE CONTENTS
SCHEDULE
Saturday, Monday, Wednesday
6 pm to 10 pm
Course duration: 40 hours (Switch)
LEARNING MATERIAL
Cisco official
- CCNP Switch 300-115 official Cert Guide
Additional Materials
- Cisco Switching Black Book
- Cisco LAN Switching
PART 1
Introduction to Switching
CAMPUS NETWORK
• An enterprise network consisting of many LANs in one or more buildings, all connected and usually in the same geographic area.
• If the campus is a single LAN, performance suffers because of the large number of nodes in one broadcast domain.
• To remove that performance impact, the large LAN is divided into smaller segments.
• A broadcast is then confined to the segment it originated in.
CAMPUS NETWORK ELEMENTS
• Hierarchical switching
• Bandwidth capacity planning
• Proper cabling
• Proper switch selection
• VLANs
HIERARCHY SWITCHING DESIGN
• 2 models offer hierarchy in network design:
- 3 layers (core, distribution, access)
- 2 layers (collapsed core and access)
* The choice depends on the size of the network and the use case
3 LAYERS DESIGN
2 LAYERS DESIGN
ACCESS TO SERVICE
Type of Network Services
- Local
- Remote
- Enterprise
ACCESS LAYER
• Exists where the end users are connected to the network
• Provides Layer 2 (VLAN) connectivity between users
• Devices in this layer are sometimes called edge switches
• Lower-cost switches
• High port density
• Security features and QoS features
DISTRIBUTION LAYER
• Provides interconnection between the campus network's access and core layers
• Scalable and redundant high-speed links to the core and access layers
• High Layer 3 routing throughput for packet handling
• Security and policy-based connectivity functions
• The distribution layer switches must be capable of processing the total volume of traffic from all the connected devices
• Routing between VLANs occurs in this layer
CORE LAYER
• The core layer is the backbone of the campus network
• Connects buildings together
• Must have high Layer 3 routing throughput
• No packet manipulation (ACLs or filtering) should occur in this layer
• High availability
SWITCH BLOCK
• A group of access layer switches, together with their
distribution switches. This is also called an access
distribution block, named for the two switch layers that it
contains.
• Core: The campus network’s backbone, which connects all
switch blocks.
DISTRIBUTION LAYER SIZING
The distribution layer must be sized according to the number of access layer switches that are aggregated or brought into a distribution device, considering:
• Traffic types and behavior
• Size and number of users connected to access switches
** Because of the dynamic nature of networks, you can size a switch block too large to handle the load that is placed on it. Also, the number of users and applications on a network tends to grow over time. A provision to break up or downsize a switch block might be
SWITCH BLOCK REDUNDANCY
Figure: redundant links with Layer 2 stacking; redundant links with Layer 3
CORE LAYER SIZING
• We size the core switches by their ability to match the incoming load.
• Each core switch must be able to switch each of its incoming distribution links at 100 percent capacity.
• The core can be redundant (multi-node) or even a collapsed core in small environments.
ACCESS LAYER SWITCHES
- Recommended switches
- Most designs rely on the 2960-X
- The 2960 has two editions (X and XR)
- The 3650 and 3850 can be used as distribution switches
- The switching capacity quoted is based on the higher model, so it needs further investigation
CORE – DIST LAYER SWITCHES
- Redundancy can be achieved using dual supervisors or VSS (different approaches)
- These switches use IOS-XE
- The 4500R+E is the latest edition of the 4500 series
- Recommended IOS software license is IP Base or Enterprise Services
IOS – IOSXE – NXOS
www.cisco.com/c/en/us/support/docs/switches/catalyst-4500-series-switches/116470-configure-product-00.html
RESOURCES
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/product_data_sheet0900aecd801792b1.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/data_sheet_c78-728232.html
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eos-eol-notice-c51-736302.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-4500-series-line-cards/product_data_sheet0900aecd802109ea.pdf
PART 1
Switch operation
SWITCH
A Layer 2 switch is a transparent bridge with multiple ports.
The switch relies on the MAC address to determine how a frame will be forwarded, and it uses the MAC address table for this purpose.
SWITCH VS HUB
• A switch port running full duplex no longer uses CSMA/CD
• Unlike a hub, a switch does not flood every frame
• The switch floods only the following:
- Explicit broadcast (ffff.ffff.ffff)
- Multicast frames (group bit set in the first octet, i.e. 01xx.xxxx.xxxx)
- Unknown unicast frames
LAYER 2 SWITCH OPERATION
The switching tasks can be described as follows:
• One is concerned with finding the egress switch port.
• Two are concerned with forwarding policies.
• All these decisions are made simultaneously by independent portions of the switching hardware.
BUFFERING
- The switch puts incoming traffic into an ingress queue before making the forwarding decision
- The switch puts outgoing traffic into an egress queue after making the forwarding decision
- Why buffering?
* FCS check, MAC lookup
- Buffer size depends on the hardware and is shared (found in the datasheet)
- Switching methods: store-and-forward, cut-through, fragment-free
SWITCHING METHODS
• Store-and-forward had much higher latency through the switch. Cisco then came out with "fragment-free" switching, meaning that the switch would accept the first 64 bytes, evaluate them, then forward the frame.
• By getting at least 64 bytes, the switch could guarantee that the frame was not a runt (a runt is a frame shorter than 64 bytes, the minimum permissible Ethernet frame size), and could make sure that the addresses were not corrupt.
• The Catalyst 1924, a very old switch, was set for fragment-free switching.
• Present-day switches operate with store-and-forward or cut-through switching.
SWITCH FORWARDING
METHODS
STORE & FORWARD
CUT THROUGH
SWITCHING METHODS
There is no need to configure the switching method. Most access switches support store-and-forward only.
Example:
Store-and-forward: Catalyst 2960 and 2960-S, Catalyst 3750-X and 3560-X
Cut-through: the Cisco Nexus 5000 Series access-layer switch is an example of a low-latency cut-through single-stage fabric implementation
LAYER 3 SWITCH
OPERATION
• Many Cisco Catalyst switches can also forward frames based on
Layers 3 and 4 information contained in packets. This is known as
multilayer switching (MLS).
• Catalyst switches have supported two generations of MLS:-
- route caching (first gen.)
- topology based (second gen.)
LAYER 3 SWITCH OPERATION (CONT.)
Route caching (first generation)
- Needs a route processor (RP) and a switching engine (SE)
- Known as route-once switch-many, flow-based, or NetFlow LAN switching
- The RP routes the first packet of a flow; the SE listens and creates a shortcut entry for the rest of the traffic stream
Topology based (second generation)
- Uses special hardware, still with an RP and an SE
- Known as CEF switching; the database it builds is called the FIB
- Packets are forwarded by the line-rate SE, which looks up the longest match in the FIB; if Layer 3 information changes, the FIB is updated dynamically
LAYER 3 SWITCH OPERATION (CONT.)
• The RP is in the control plane and the SE is in the data plane
• The frame is rewritten when routing occurs: the Layer 2 source and destination MAC addresses are replaced, and the Layer 3 TTL is decremented
MLS EXCEPTIONS
• Data must be "MLS ready" to be handled by CEF in a multilayer switch.
• "MLS ready" means the packet does not need extra decisions to be forwarded.
• CEF can directly forward most IP and IPv6 traffic.
• Packets that are not MLS ready must be process switched (punted to the CPU).
• Examples of packets that are not MLS ready:
- ARP, IP packets that require a response from the router, IP helper functions, routing updates, CDP, legacy protocols, packets that need encryption or NAT
• Because these packets are handled by the CPU, they are the classes of traffic that can overload a switch; this is why control-plane rate limiting and policing exist.
SWITCH TABLES
1. Content-Addressable Memory (CAM): the MAC address table
more about CAM logic: en.wikipedia.org/wiki/Content-addressable_memory
2. Ternary Content-Addressable Memory (TCAM): matches ACLs and similar lookups
ACLs on switches?
- Used for VLAN security (VACLs, port ACLs) or downloadable ACLs (dACL with ISE, CCNP Security scope)
CAM TABLE
1. All Catalyst switch models use a CAM table for Layer 2 switching.
2. If a MAC address learned on one switch port has moved to a different port, the MAC address and time stamp are recorded for the most recent arrival port, and the previous entry is deleted.
3. Switches generally have large CAM tables so that many addresses can be looked up.
4. Idle CAM table entries are kept for 300 seconds before they are deleted.
5. By default, MAC addresses are learned dynamically from incoming frames. You also can configure static CAM table entries that contain MAC addresses that might not be learned.
MANAGING CAM
• Applied in global configuration mode
• Modify the aging time
mac address-table aging-time seconds
• Add a static entry
mac address-table static mac-address vlan vlan-id interface type mod/num
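The CAM table rules on the previous slides (learning from the source MAC, recording a move, 300-second aging, static entries, flooding of broadcast/multicast/unknown unicast) as a small simulator. This is an added example written for this page, not Catalyst code; the port names, MAC addresses and capacity are constructed for the demo. It also shows what a practitioner should keep in mind: once the table is full, new addresses are not learned and frames to them are flooded, so the switch behaves like a hub for that traffic (the reason port security caps the number of learned addresses per port).

```python
"""CAM (MAC address table) model for a single switch.

Added example, not Catalyst code: it mirrors the learning, MAC-move, aging
and flooding rules described on the slides so the behaviour can be tested.
Port names, MAC addresses and the capacity below are constructed for the demo.
"""

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """True when the group (I/G) bit of the first octet is set (01xx... MACs)."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


class CamTable:
    def __init__(self, capacity: int = 8192, aging_time: int = 300):
        self.capacity = capacity        # hardware limit, from the datasheet
        self.aging_time = aging_time    # 300 s default ('mac address-table aging-time')
        self.entries = {}               # (vlan, mac) -> [port, last_seen]
        self.static = set()             # keys that never age out

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """'mac address-table static <mac> vlan <id> interface <port>'."""
        self.entries[(vlan, mac)] = [port, None]
        self.static.add((vlan, mac))

    def age(self, now: float) -> None:
        """Drop dynamic entries that have been idle longer than the aging time."""
        for key, (port, last_seen) in list(self.entries.items()):
            if key not in self.static and now - last_seen > self.aging_time:
                del self.entries[key]

    def learn(self, vlan: int, src: str, port: str, now: float) -> None:
        key = (vlan, src)
        if key in self.static:
            return                      # static entries win over learning
        if key in self.entries:
            # refresh the timestamp; if the port differs this records a MAC move
            self.entries[key] = [port, now]
            return
        if len(self.entries) >= self.capacity:
            return                      # table full: not learned, dst will flood
        self.entries[key] = [port, now]

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                ports: list, now: float) -> list:
        """Return the egress port list for one frame (ingress port excluded)."""
        self.age(now)
        self.learn(vlan, src, in_port, now)
        others = [p for p in ports if p != in_port]
        if dst == BROADCAST or is_multicast(dst):
            return others               # explicit broadcast / multicast: flood
        hit = self.entries.get((vlan, dst))
        if hit is None:
            return others               # unknown unicast: flood
        return [] if hit[0] == in_port else [hit[0]]
```

A table with capacity 2 is enough to watch the failure mode: after two addresses are learned in VLAN 10, a third station is never learned and every frame addressed to it goes out all other ports.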
MANAGING CAM
List of commonly used show commands
# show mac address-table
# show mac address-table dynamic interface gi0/0
# show mac address-table count
# show mac address-table vlan <vlan-id>
# show mac address-table aging-time
** Note: in older IOS (until 12.1(11)EA1) the keyword was mac-address-table (with a hyphen), so the commands read show mac-address-table ...
TCAM TABLE
• In traditional routing, ACLs contain several ACEs (access control entries). The ACEs are evaluated in sequential order, so evaluating an ACL can take additional time and increase delay.
• In MLS, all the matching that ACLs provide is implemented in hardware called a TCAM.
• In a TCAM, a packet is evaluated against an entire ACL within a single table lookup.
• Most Layer 3 switches have multiple TCAMs so that inbound and outbound traffic can be evaluated simultaneously.
TCAM CONTENT
Feature Manager (FM)
After an access list has been created or configured, the Feature Manager software compiles, or merges, the ACEs into entries in the TCAM table.
Switching Database Manager (SDM)
On some Catalyst switch models, the TCAM is partitioned into several areas that support different functions. The SDM software configures or tunes the TCAM partitions, if needed, to provide ample space for specific switching functions. (The TCAM is fixed on Catalyst 4500 and 6500 platforms and cannot be repartitioned.)
TCAM STRUCTURE
• TCAM uses a table-lookup operation but is greatly
enhanced to allow a more abstract operation.
For example, binary values (0s and 1s) make up a key into
the table, but a mask value also is used to decide which bits
of the key are actually relevant.
• This effectively makes a key consisting of three input
values: 0, 1, and X (do not care) bit values—a threefold or
ternary combination.
TCAM ENTRIES
• TCAM entries are composed of Value, Mask, and Result (VMR) combinations.
- Value: 134 bits, made up of source/destination addresses and protocol information taken from the ACE
- Mask: also 134 bits, in exactly the same format as the Value, derived from the ACE wildcard mask
- Result: can be permit/deny, a next hop, or a QoS value
TCAM VALUE FORMATS
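The VMR idea from the last three slides, worked through in code: an ACL is compiled into value/mask/result entries (the Feature Manager's job), and a packet key is compared against every entry at once, with the lowest-numbered hit winning (the priority encoder in hardware). This is an added example written for this page, not Catalyst code. The real Catalyst key is 134 bits wide; this model packs a reduced key (source, destination, protocol, destination port) into 88 bits to show the same mechanics, and the sample ACL is constructed for the demo. Note the trailing all-X entry: the implicit deny at the end of every ACL is just one more TCAM entry that matches everything.

```python
"""TCAM lookup model: compile an IPv4 ACL into Value/Mask/Result entries
and match a packet against the whole list in one pass.

Added example, not Catalyst code. The real Catalyst key is 134 bits wide;
this model packs a reduced key (src, dst, protocol, destination port) into
88 bits to show the same value/mask/"don't care" mechanics.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VMR:
    value: int    # bits the key must equal (only where the mask bit is 1)
    mask: int     # 1 = care, 0 = don't care (the ternary X)
    result: str   # permit / deny (could also be a next hop or a QoS marking)


def pack_key(src: int, dst: int, proto: int, dport: int) -> int:
    """Key layout: src(32) | dst(32) | proto(8) | dport(16)."""
    return (src << 56) | (dst << 24) | (proto << 16) | dport


def compile_ace(action: str, src_net: str, dst_net: str,
                proto: Optional[int] = None, dport: Optional[int] = None) -> VMR:
    """One ACE -> one VMR. A None field becomes all-X (mask 0) in that slot."""
    s = ipaddress.IPv4Network(src_net, strict=False)
    d = ipaddress.IPv4Network(dst_net, strict=False)
    value = pack_key(int(s.network_address), int(d.network_address),
                     proto or 0, dport or 0)
    mask = pack_key(int(s.netmask), int(d.netmask),
                    0xFF if proto is not None else 0,
                    0xFFFF if dport is not None else 0)
    return VMR(value & mask, mask, action)


def compile_acl(aces: list) -> List[VMR]:
    """Feature Manager role: merge ACEs into TCAM entries, implicit deny last."""
    entries = [compile_ace(*ace) for ace in aces]
    entries.append(VMR(0, 0, "deny"))    # mask 0 matches everything: implicit deny
    return entries


def tcam_lookup(entries: List[VMR], src: str, dst: str,
                proto: int, dport: int) -> Tuple[str, int]:
    """Compare the key against every entry at once; lowest index wins.

    Returns (result, index). Index len(entries)-1 means the implicit deny hit.
    """
    key = pack_key(int(ipaddress.IPv4Address(src)),
                   int(ipaddress.IPv4Address(dst)), proto, dport)
    hits = [i for i, e in enumerate(entries) if key & e.mask == e.value]
    first = hits[0]                      # always at least the implicit deny
    return entries[first].result, first


# Constructed sample ACL (wildcard 0.0.0.255 == /24):
#   10 permit tcp 10.10.10.0/24 10.10.100.0/24 eq 443
#   20 deny   ip  10.10.10.0/24 10.10.100.0/24
#   30 permit ip  any any
SAMPLE_ACL = compile_acl([
    ("permit", "10.10.10.0/24", "10.10.100.0/24", 6, 443),
    ("deny",   "10.10.10.0/24", "10.10.100.0/24"),
    ("permit", "0.0.0.0/0",     "0.0.0.0/0"),
])
```

Each ACE becomes exactly one entry here; on real hardware an ACE with port ranges or complex masks can expand into several entries, which is why TCAM utilisation (shown on the next slide) grows faster than the ACE count.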
HOW TCAM BUILD FROM
ACL
TCAM OPERATION –
SHOW UTILIZATION
MANAGE TABLE SIZES
MANAGE TABLE SIZES
Switch(config)# sdm prefer template
There are many available templates:
- IPv4 (default / access / vlan / routing)
- Dual IPv4-IPv6 (default / vlan / routing)
A reload is required for a new template to take effect; verify the active template with show sdm prefer.
IPV4 SDM
IPV4-IPV6 SDM
PART 1
Managing Switch Port
ETHERNET SPEEDS
CABLE CATEGORIES
100 M
1G
FIBER CHANNEL
SMF VS MMF
Multi-mode fiber (MMF) has a relatively large light-carrying core, usually 50 or 62.5 microns in diameter. It is usually used for short-distance transmissions with LED-based fiber optic equipment.
Single-mode fiber (SMF) has a small light-carrying core of 8 to 10 microns in diameter. It is normally used for long-distance transmissions with laser-diode-based fiber optic transmission equipment.
always keep unused connectors covered with the rubber plugs,
and do not ever look directly into the connectors.
FC – 1G
Meter = 3.28 feet
FC – 1G
FC – 10G
FC – 10G
SFP & SFP+
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/product_data_sheet0900aecd8033f885.html
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html
PORT SPEED & DUPLEX
• The link speed is determined by electrical signaling, so either end of a link can determine what speed the other end is trying to use. If both ends of the link are configured to autonegotiate, they will use the highest speed that is common to them.
• A link's duplex mode, however, is negotiated through an exchange of information. This means that for one end to successfully autonegotiate the duplex mode, the other end also must be set to autonegotiate.
• Autonegotiation resides in the physical layer and applies to twisted-pair links only.
PORT SPEED & DUPLEX
• If duplex autonegotiation fails, a switch port always falls back to its default setting, half duplex, because it offers the safety of collision detection.
• IF ONE END IS FULL AND THE OTHER IS HALF
The half-duplex station will detect a collision when both ends transmit and will back off appropriately. The full-duplex station, however, assumes that it has the right to transmit at any time; it will not stop and wait for any reason. The visible symptoms are late collisions and CRC/runt errors on the half-duplex side and poor throughput in both directions.
• Speed and duplex mode can be configured or negotiated only on switch ports that support twisted-pair cabling. Fixed-speed Gigabit and 10-Gigabit Ethernet ports always use full-duplex mode.
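The speed and duplex rules from the two slides above, encoded so that a given pair of port settings can be checked for the mismatch they produce. This is an added example written for this page, not Cisco code; it assumes both ports are copper (twisted pair) and share the same speed abilities, and the port settings used in the demo are constructed. The case every practitioner runs into is the second one: one side hard-coded to 100/full while the other is left on auto, which lands the auto side on 100/half.

```python
"""Speed/duplex resolution between two twisted-pair link partners.

Added example, not Cisco code. It encodes the rules from the slides:
speed is detected from signalling even when one side is fixed; duplex is
only agreed when both sides negotiate, otherwise the negotiating side falls
back to half duplex; Gigabit copper ports always run full duplex.
"""
from typing import Tuple, Union

Setting = Tuple[Union[int, str], str]   # (speed Mb/s or "auto", "full"/"half"/"auto")


def resolve(local: Setting, remote: Setting,
            abilities=(10, 100, 1000)) -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Return the operational (speed, duplex) of each side after link-up."""
    l_speed, l_dup = local
    r_speed, r_dup = remote

    # Speed: parallel detection from the line signalling, so a hard-coded
    # side drives an auto side; two auto sides pick the highest common speed.
    if l_speed == "auto" and r_speed == "auto":
        speed_l = speed_r = max(abilities)
    elif l_speed == "auto":
        speed_l = speed_r = r_speed
    elif r_speed == "auto":
        speed_l = speed_r = l_speed
    else:
        speed_l, speed_r = l_speed, r_speed      # both fixed: may not even link

    # Duplex: only agreed through an FLP exchange from both ends. A side left
    # on auto that receives no FLPs falls back to half duplex.
    if l_dup == "auto" and r_dup == "auto":
        dup_l = dup_r = "full"                   # highest common mode
    else:
        dup_l = "half" if l_dup == "auto" else l_dup
        dup_r = "half" if r_dup == "auto" else r_dup

    # Gigabit copper never runs half duplex on Catalyst ports
    if speed_l >= 1000:
        dup_l = "full"
    if speed_r >= 1000:
        dup_r = "full"
    return (speed_l, dup_l), (speed_r, dup_r)


def mismatch(local: Setting, remote: Setting, abilities=(10, 100, 1000)) -> bool:
    """True when the two ends will not agree on speed or duplex."""
    l, r = resolve(local, remote, abilities)
    return l != r


def describe(local: Setting, remote: Setting) -> str:
    """One-line summary in the style of 'show interfaces status'."""
    (ls, ld), (rs, rd) = resolve(local, remote)
    flag = "  <-- duplex/speed mismatch" if (ls, ld) != (rs, rd) else ""
    return f"local {ls}/{ld}  remote {rs}/{rd}{flag}"
```

The fix is the same either way: configure both ends identically, either both auto or both hard-coded, and never mix.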
HOW AUTONEGOTIATION OCCURS
• Link integrity test (LIT) pulses, also called normal link pulses (NLP)
• Fast link pulses (FLP), which carry the link code words
LINK CODE WORD (LCW)
SWITCHPORT
Switch(config-if)# speed {10 | 100 | 1000 | auto}
Switch(config-if)# duplex {half | full | auto}
Switch(config-if)# description text
Switch# show interfaces status
ERR-DISABLE
ERR-DISABLE CONFIGURATION
• By default, ports put into the errdisable state must be re-enabled manually. This is done by issuing the shutdown command in interface configuration mode, followed by no shutdown.
• You can auto-recover the port after a specific time using the following global commands:
Switch(config)# errdisable recovery cause {all | cause-name}
Switch(config)# errdisable recovery interval seconds
• Use show errdisable recovery to see which causes are enabled and the timer value, and show interfaces status err-disabled to list the affected ports. Before enabling automatic recovery for a cause, make sure the condition that triggered it (for example a port-security violation) is one you are willing to see re-tested every interval.
CDP
• An automated method for Cisco devices to advertise their existence to neighboring devices
• CDP is a Cisco proprietary protocol
• CDP advertisements are sent at the data link layer (Layer 2)
• CDP advertisements are sent out every active interface at 60-second intervals, with a hold time of 180 seconds
• CDP v2 is used by default and is on by default on all Cisco switches and routers
• CDP v1 is the initial version of CDP, used only for neighbor discovery
• CDP v2 adds visibility of the native VLAN, duplex mismatches and the VTP domain
• Because CDP reveals platform, software version and addresses to anyone on the segment, disable it on ports facing untrusted devices (no cdp enable) and keep it only where it is needed, such as IP phone ports and infrastructure links
CDP COMMANDS
TLV options (cdp tlv command): app, location, server-location
LLDP
• Based on the IEEE 802.1AB standard. As a result, LLDP works in multivendor networks.
• Extensible protocol (includes TLVs)
• A device can advertise its system name with one TLV, its management address in another TLV, its port description in another TLV, its power requirements in another TLV, and so on.
• LLDP also supports additional TLVs that are unique to audio-visual devices such as VoIP phones. The LLDP Media Endpoint Device (LLDP-MED) TLVs carry useful device information like a network policy with VLAN numbers and quality of service information needed for voice traffic, power management, inventory management, and physical location data.
LLDP
• LLDP supports the LLDP-MED TLVs by default, but it cannot
send both basic and MED TLVs simultaneously on a switch
port. Instead, LLDP sends only the basic TLVs to connected
devices. If a switch receives LLDP-MED TLVs from a device, it
will begin sending LLDP-MED TLVs back to the device.
• By default, LLDP is globally disabled on a Catalyst switch. To
see if it is currently running or not, use the show lldp
command. You can enable or disable LLDP with the lldp
run and no lldp run global configuration commands,
respectively.
LLDP VS CDP
• LLDP is standards-based so devices from different vendors
can discover each other. Switches that use LLDP can also
collect detailed location information from connected
devices.
CDP & LLDP TLV
POE
Many devices support PoE, including:
• IP phones
• Access points
• IP cameras
POE METHODS
Cisco proprietary methods include UPoE and ILP (Cisco Inline Power, the pre-standard method)
HOW POE WORK ?
• A switch always keeps the power disabled when a switch port
is down; however, the switch must continually try to detect
whether a powered device is connected to a port.
• The switch begins by supplying a small voltage across the
transmit and receive pairs of the copper twisted-pair
connection.
• It then can measure the resistance across the pairs to detect
whether current is being drawn by the device. For example, if
a 25K ohm resistance is measured, a powered device is indeed
present.
HOW POE WORK ?
• The switch also can apply several predetermined voltages
to test for corresponding resistance values.
• These values are applied by the powered device to indicate
which of the five PoE power classes it belongs to. Knowing
this, the switch can begin allocating the appropriate
maximum power needed by the device.
HOW POE WORK ?
• The default class 0 is used if either the switch or the powered
device does not support or does not attempt the optional
power class discovery. Class 4 represents the highest power
range (up to 30W) that can be offered to a device.
• If additional power is needed, the device can inform the
switch through CDP or LLDP advertisements and request up to
the full 30W allowed for PoE class 4.
• On a Catalyst switch that can support the Cisco proprietary
UPoE feature, a powered device can request more than 30W
of power. The device can use special TLVs with either CDP or
LLDP to request UPoE up to a maximum of 60W. At press time,
only the Catalyst 4500 offers UPoE.
CONFIGURATION & VERIFICATION
Switch(config-if)# power inline {auto | static} [max milliwatts]
note: the value is in milliwatts, so 1000 means 1 W
Switch1# show power inline
Module   Available   Used      Remaining
         (Watts)     (Watts)   (Watts)
------   ---------   --------  ---------
1        710.0       110.4     599.6
Switch1# show power inline gigabitethernet1/0/5 detail
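The PoE procedure from the "HOW POE WORK?" slides (detect a powered device by its signature resistance, read its power class, honour a CDP/LLDP request, then take the result out of the module budget) as a worked model. This is an added example written for this page, not Catalyst code. The resistance and classification-current thresholds are the IEEE 802.3af/at values; the port list and the 710 W budget (matching the show power inline sample above) are constructed for the demo, and the `cdp_lldp_request` field stands in for the TLV a phone or access point would send.

```python
"""PoE detection, classification and power budgeting on a PSE (the switch).

Added example, not Catalyst code. Thresholds are the IEEE 802.3af/at values;
the port list and budget below are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

# Detection: a valid PD signature is ~25 kOhm; the PSE accepts 19 to 26.5 kOhm
SIGNATURE_OHMS = (19_000, 26_500)

# Classification: PSE-measured class current (mA) -> (class, allocation in W)
CLASS_TABLE = [
    ((0, 5),   0, 15.4),   # class 0: default / PD did not classify
    ((8, 13),  1, 4.0),
    ((16, 21), 2, 7.0),
    ((25, 31), 3, 15.4),
    ((35, 45), 4, 30.0),   # class 4 (802.3at): full 30 W only after a CDP/LLDP request
]

PSE_CAP_W = 30.0           # PoE+ per-port maximum
UPOE_CAP_W = 60.0          # Cisco UPoE per-port maximum


def detect(resistance_ohms: float) -> bool:
    """Step 1: small voltage applied, resistance measured; PD present if in range."""
    lo, hi = SIGNATURE_OHMS
    return lo <= resistance_ohms <= hi


def classify(class_current_ma: float) -> Tuple[int, float]:
    """Step 2: class voltage applied, current read -> (class, initial allocation)."""
    for (lo, hi), cls, watts in CLASS_TABLE:
        if lo <= class_current_ma <= hi:
            return cls, watts
    return 0, 15.4         # out-of-range class signature is treated as class 0


def port_request(port: Dict, upoe: bool = False) -> float:
    """Power to reserve for one port, following the slides' order of decisions."""
    if not detect(port["resistance"]):
        return 0.0                                 # no PD: power stays off
    _cls, watts = classify(port["class_current"])
    req: Optional[float] = port.get("cdp_lldp_request")   # W asked for in a TLV
    if req is not None:
        watts = min(req, UPOE_CAP_W if upoe else PSE_CAP_W)
    return watts


def allocate(ports: List[Dict], budget_w: float, upoe: bool = False) -> Dict:
    """Hand out power in port order until the module budget is exhausted."""
    granted: Dict[str, float] = {}
    used = 0.0
    for p in ports:
        need = port_request(p, upoe)
        if need > 0 and used + need <= budget_w:
            granted[p["name"]] = need
            used += need
        else:
            granted[p["name"]] = 0.0    # no PD, or PD found but budget exhausted
    return {"granted": granted,
            "used": round(used, 1),
            "remaining": round(budget_w - used, 1)}


# Constructed sample ports: phone (class 3), AP (class 4, asks for 25.5 W via
# CDP), camera (class 2) and a PC that shows no PD signature at all.
SAMPLE_PORTS = [
    {"name": "Gi1/0/1", "resistance": 25_000, "class_current": 28},
    {"name": "Gi1/0/2", "resistance": 24_500, "class_current": 40, "cdp_lldp_request": 25.5},
    {"name": "Gi1/0/3", "resistance": 25_500, "class_current": 18},
    {"name": "Gi1/0/4", "resistance": 150_000, "class_current": 0},
]
```

With `power inline static max`, the reservation is made at the configured value instead of the class result, which is the way to stop a single high-class device from consuming budget it never actually draws.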
DHCP (SUPPORT IP-PHONE)
!
ip dhcp pool VLAN_10
 network 10.10.10.0 255.255.255.0
 dns-server 10.10.100.100 10.10.100.101
 default-router 10.10.10.254
 option 42 ip 10.10.100.100
 option 150 ip 10.10.100.254
 domain-name alex.com
 lease 0 8 0
!
! option 150 gives Cisco IP phones the TFTP server address; option 42 is the NTP server
! (there is no "ntp" keyword inside a pool). The default router must be an address inside
! the pool's own subnet.
HELPER ADDRESS
Switch(config)# interface vlan 10
Switch(config-if)# ip helper-address dhcp-server-address
PART 2
VLANs
WHAT IS VLAN
1. A VLAN is a logical partition of a Layer 2 network
2. You can partition Layer 2 into as many VLANs as you need
3. Partitioning occurs inside the Layer 2 device (switch)
4. Each VLAN has its own broadcast domain and its own IP network
5. Hosts inside the VLAN are unaware of the VLAN's existence
VLAN BENEFITS
• Separate Broadcast domain
• Provide better security
• Provide Hierarchical Subnet usage
CONFIGURING VLAN
You have two ways to configure a VLAN
1. From the VLAN database (privileged EXEC mode)
!
SW# vlan database
SW(vlan)# vlan 21
! VLAN creation through the database may not be supported on newer Cisco switch platforms (old way)
2. From global configuration mode
!
SW(config)# vlan 21
!
VERIFY VLAN CREATED
• Use the command show vlan brief
• You can define a name for the VLAN with the name command in VLAN configuration mode
JOIN PORT TO VLAN
• By default all switch ports are in VLAN 1
• After creating the VLAN and verifying it exists, use the following commands to join a specific port to it
!
Switch(config)# interface fa0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 22
!
Optionally you can add a description under each interface to record which device the port connects to
Switch(config-if)# description TO_PC_1
ACCESS PORT
• A switch port statically assigned to a VLAN
• The port belongs to a single VLAN only
• Connected to an end host (PC, router, printer), not to a switch
• Example
# switchport mode access
# switchport access vlan 14
• How to tell whether a port is static access: see the verification commands on the next slide
VERIFY INTERFACE
• To verify whether the port has joined the VLAN, use
# show vlan brief
• Or use the more specific command
# show interfaces <type/number> switchport
EXTENDING VLAN
• A VLAN can be distributed across two or more switches
• To allow members of the same VLAN on different switches to communicate, the uplink must carry more than one VLAN
• Carrying more than a single data VLAN on an uplink is called trunking
TRUNKING
• A trunk can carry two or more VLANs
• Carries tagged frames for more than one VLAN
• Used between switches, as each switch may have more than one VLAN and we need to allow those VLANs' users to communicate
• Adding the VLAN ID requires a modification of the Layer 2 frame
• The modification depends on the trunking protocol used: ISL or 802.1Q
PART 2
Trunking
FRAME TYPES
ISL
• Inter-Switch Link
• Cisco implementation (Cisco only)
• Not supported on newer switches (2960-X, ...)
• 26-byte header + 4-byte trailer, encapsulating the original Ethernet frame (adds overhead to the data size)
• Both ends of the link must use ISL
ISL
• The ISL method of VLAN identification (trunking encapsulation) is no longer supported across all Cisco Catalyst switch platforms.
• ISL adds an extra 30 bytes to the frame: with an 18-byte Ethernet frame overhead and a 1500-byte IPv4 MTU, the 1518-byte maximum becomes 1548 bytes.
• Catalyst switches use proprietary hardware that can accommodate this kind of giant frame.
802.1Q
• Open standard
• All traffic except the native VLAN carries an 802.1Q tag
• Supports a native VLAN: frames received untagged on the trunk are placed in the native VLAN's broadcast domain (frames whose tag names a VLAN that is not allowed on the trunk are dropped, not moved to the native VLAN)
• 802.1Q inserts a 4-byte header into the frame, right after the source MAC address, containing the tag field that carries the VLAN ID
802.1Q
• This method is referred to as single tagging or internal
tagging.
• In an Ethernet frame, 802.1Q adds a 4-byte (32bit) tag
just after the Source Address field.
• The first two bytes are used as a tag protocol identifier
(TPID) and always have a value of 0x8100 to signify an
802.1Q tag.
• The remaining two bytes are used as a Tag Control
Information (TCI) field. The TCI information contains a
three-bit Priority field, which is used to implement class of
service (CoS) functions
802.1Q
• The last 12 bits are used as a VLAN identifier (VID) to indicate the source VLAN for the frame.
• The VID can have values from 0 to 4095; VID 0 (a priority-tagged frame with no VLAN) and 4095 are reserved by the standard, and VLAN 1 is the default VLAN on Catalyst switches and cannot be deleted.
• 802.1Q adds 4 bytes of overhead, so the maximum frame size becomes 1522 bytes; Catalyst switches comply with 802.3ac, which allows a maximum frame size of 1522 bytes.
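The 802.1Q header described on the last three slides, built and parsed byte by byte: the TPID 0x8100, the 16-bit TCI with its 3-bit priority and 12-bit VID, the native VLAN leaving untagged, the 1522-byte limit, and the receive side's decision about which VLAN a frame lands in. This is an added example written for this page, not Catalyst code; the MAC addresses and payloads are constructed, and the FCS is a 4-byte placeholder rather than a computed CRC. The last two assertions are the security point behind the "native VLAN must match" rule: the same untagged frame is switched into whatever VLAN the receiving trunk calls native.

```python
"""802.1Q tagging on a trunk: insert/strip the 4-byte tag and decide which
VLAN a received frame belongs to, given the native VLAN and allowed list.

Added example, not Catalyst code. MAC addresses and payloads are constructed;
the FCS is a placeholder, not a computed CRC.
"""
import struct
from typing import Optional

TPID = 0x8100
MAX_UNTAGGED = 1518   # 802.3 maximum frame size including FCS
MAX_TAGGED = 1522     # 802.3ac: room for exactly one 4-byte 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    """Accepts Cisco dotted (0000.1111.aaaa) or colon notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Trunk transmit side: frames in the native VLAN leave untagged."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan == native_vlan:
        frame = hdr + struct.pack("!H", ethertype) + payload
    else:
        # TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame = hdr + struct.pack("!HHH", TPID, tci, ethertype) + payload
    return frame + b"\x00\x00\x00\x00"          # FCS placeholder


def parse_frame(frame: bytes) -> dict:
    """Return tag fields (tagged / vid / pcp), the inner EtherType and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:-4]}
    return {"tagged": False, "vid": None, "pcp": 0,
            "ethertype": ethertype, "payload": frame[14:-4]}


def trunk_receive(frame: bytes, native_vlan: int = 1,
                  allowed=range(1, 4095)) -> Optional[int]:
    """Trunk receive side: the VLAN the frame is switched in, or None if dropped.

    Drops: oversize frames, VID 4095, and VIDs not in the allowed list.
    Untagged frames and priority-tagged frames (VID 0) go to the native VLAN.
    """
    if len(frame) > MAX_TAGGED:
        return None
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] == 0:
        vid = native_vlan
    else:
        vid = info["vid"]
    if vid == 4095:
        return None
    return vid if vid in allowed else None
```

Restricting the allowed list with `switchport trunk allowed vlan` is what turns the last check into a real control: a tag for a VLAN that is not on the list is dropped at the trunk rather than delivered.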
CONFIGURE TRUNK
! ISL (only on platforms that still support it)
sw(config)# interface fa0/0
sw(config-if)# switchport trunk encapsulation isl
sw(config-if)# switchport mode trunk
! 802.1Q
sw(config)# interface fa0/0
sw(config-if)# switchport trunk encapsulation dot1q
sw(config-if)# switchport mode trunk
! On switches that support only 802.1Q (such as the 2960 series) the encapsulation command does not exist; switchport mode trunk is enough.
ALLOW SPECIFIC VLAN ON
TRUNK
sw(config)# interface fa0/0
sw(config-if)# switchport trunk allowed vlan 1,10,20,30
sw(config-if)# switchport trunk allowed vlan add 40
ALLOW SPECIFIC VLANS
• vlan-list: an explicit list of VLAN numbers, separated by commas or dashes.
• all: all active VLANs (1 to 4094) will be allowed.
• add vlan-list: a list of VLAN numbers will be added to the already configured list; this is a shortcut to keep from typing a long list of numbers.
• except vlan-list: all VLANs (1 to 4094) will be allowed, except for the VLAN numbers listed; this is a shortcut to keep from typing a long list of numbers.
• remove vlan-list: a list of VLAN numbers will be removed from the already configured list; this is a shortcut to keep from typing a long list of numbers.
VERIFY THE TRUNK
• Use the command
# show interfaces trunk
VLAN TYPES
1. Default VLAN
2. Data VLAN
3. Management VLAN
4. VOICE VLAN
5. Guest VLAN
6. Native VLAN
NATIVE VLAN
• Supported with IEEE 802.1Q encapsulation only
• A frame received without a tag is considered native VLAN traffic
• Must match on both ends of the trunk
• The native VLAN is 1 by default
• Frames received untagged remain untagged and are placed in the native VLAN when forwarded
• CDP and other untagged control traffic is carried in the native VLAN
NATIVE VLAN
• Used to carry untagged traffic across the trunk
• Needs to match between the two switches
• CDP or LLDP reports a native VLAN mismatch
• # switchport trunk native vlan <ID>
• Because a mismatch moves untagged frames into a different VLAN on the far side, use a dedicated unused VLAN as the native VLAN on trunks rather than VLAN 1
SWITCH PORT TYPES
Switchport types could be one of the following
• Access Port
• Trunk Port
• Dynamic Port
DYNAMIC INTERFACE
• Can be access or trunk depending on the negotiation results
• The default mode of the switchport
• The dynamic mode has two options
- Dynamic Auto :- prefers to be access
- Dynamic Desirable :- prefers to be trunk
• You can disable the dynamic mode by defining whether the switchport will be static access or static trunk
DTP & TRUNK
PORT NEGOTIATION OPTIONS
DTP
• Works only between switches
• The 2 switches should be in the same VTP domain
• If the VTP domains are mismatched, set the trunk mode to ON and disable the auto negotiation.
• By default the switch VTP domain is NULL
• DTP frames are sent out every 30 seconds to keep neighboring switch ports informed of the link’s mode.
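The dynamic-interface and DTP slides above describe the negotiation in words; the outcome for a given pair of port modes is easier to see in a table. The following is an added example, not code from the course slides: it encodes the standard DTP result matrix for the four switchport modes (access, trunk, dynamic auto, dynamic desirable) together with the two conditions the DTP slide gives for negotiation to work (same VTP domain, DTP frames actually exchanged). `switchport nonegotiate` is modelled as a flag that stops a static trunk from sending DTP; the `audit_ports` helper and the port table are constructed for the demo.

```python
"""Outcome of DTP trunk negotiation for a pair of Catalyst switchports.

Added example, not taken from the course slides: the standard DTP result
matrix for the port modes described above, plus the same-domain and
DTP-exchanged conditions from the DTP slide.
"""
from dataclasses import dataclass

ACCESS, TRUNK, AUTO, DESIRABLE = "access", "trunk", "dynamic auto", "dynamic desirable"


@dataclass(frozen=True)
class Port:
    mode: str = AUTO           # dynamic auto is the factory default on most Catalyst ports
    vtp_domain: str = ""       # NULL domain on a default switch
    nonegotiate: bool = False  # `switchport nonegotiate`; only valid with static modes


def sends_dtp(p: Port) -> bool:
    """Dynamic ports always send DTP; a static trunk does unless nonegotiate is set."""
    return p.mode in (AUTO, DESIRABLE) or (p.mode == TRUNK and not p.nonegotiate)


def negotiate(a: Port, b: Port) -> str:
    """Return 'trunk', 'access' or 'mismatch' for the link between ports a and b."""
    modes = {a.mode, b.mode}
    # Static on both sides: DTP is irrelevant, the result is whatever was typed.
    if modes == {TRUNK}:
        return "trunk"
    if modes == {ACCESS}:
        return "access"
    if modes == {ACCESS, TRUNK}:
        return "mismatch"          # one side tags frames, the other does not
    if ACCESS in modes:
        return "access"            # an access port never agrees to trunk
    # At least one dynamic port remains, so the answer depends on DTP frames
    # being exchanged: both sides must send them and share a VTP domain.
    dtp_exchanged = sends_dtp(a) and sends_dtp(b) and a.vtp_domain == b.vtp_domain
    if not dtp_exchanged:
        # The dynamic side hears nothing it accepts and stays an access port.
        return "mismatch" if TRUNK in modes else "access"
    # Trunk or desirable on either side asks to trunk; auto + auto never asks.
    return "trunk" if (TRUNK in modes or DESIRABLE in modes) else "access"


def audit_ports(ports: dict[str, Port]) -> list[str]:
    """Flag ports left in a dynamic mode, i.e. ports whose link type the
    neighbour can still decide; the slides' advice is to make them static."""
    return [name for name, p in ports.items() if p.mode in (AUTO, DESIRABLE)]


if __name__ == "__main__":
    # Constructed port table: a default port, a desirable port and two static ones.
    ports = {
        "Gi1/0/1": Port(),                      # untouched default: dynamic auto
        "Gi1/0/2": Port(DESIRABLE, "CORP"),
        "Gi1/0/3": Port(ACCESS, "CORP"),
        "Gi1/0/24": Port(TRUNK, "CORP", nonegotiate=True),
    }
    print(negotiate(ports["Gi1/0/1"], Port(DESIRABLE)))  # a default port becomes a trunk
    print(audit_ports(ports))
```

The first print shows the point of the slide: a port left at the default dynamic auto becomes a trunk as soon as whatever is plugged into it sends dynamic desirable, so ports toward end stations should be set to static access (and trunks to static trunk) rather than left to negotiate.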
DTP WIRESHARK
VOICE VLAN
VOICE VLAN CONFIG
!
SW(config)# interface fa0/0
SW(config-if)# switchport voice vlan 10
SW(config-if)# switchport mode access
SW(config-if)# switchport access vlan 100
!
Note: the voice VLAN must exist in the VLAN database.
VOICE VLAN
• Uses a special link type so that both the voice VLAN and the data VLAN are carried on the one access port (a special trunk type)
• Requires CDP & DTP
• Various options for how the voice VLAN will work
Switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}
VERIFY VOICE VLAN
VERIFY VOICE VLAN & ACCESS VLAN & STP
TOKEN RING – FDDI VLAN
RESERVED FOR INTERNAL FUNCTIONS
VLAN ALLOCATION POLICY
• When you create a routed interface or SVI, IOS allocates a special internal VLAN for it between the port & the control plane
• By default IOS allocates ascending from 1006 upward
• You can change it to descending from 4094 downward
# vlan internal allocation policy descending
DELETE VLAN
VERIFY VLAN
VERIFY VLAN INFO
REMEMBER !
• A VLAN can be created with 3 methods
- vlan
- vlan database
- switchport access vlan <VLAN-ID>
VLAN INTERFACE
• VLAN Interface
• VLAN
• Different – usage
!
interface vlan 100
no shutdown
ip address 1.1.1.1 255.255.255.0
!
SHOW INTERFACE
VERIFY ACCESS PORT
VERIFY TRUNK PORT
WIRELESS VLAN
Cisco APs can operate in one of the two following modes:
Autonomous mode:
The AP operates independently and directly connects VLANs to WLANs on a one-to-one basis.
Lightweight mode:
The AP must join and cooperate with a wireless LAN controller located elsewhere on the network. The AP connects each of its own WLANs with a VLAN connected to the controller. All of the VLAN-WLAN traffic is encapsulated and carried over a special tunnel between the AP and the controller.
STAND-ALONE AP
LW – ACCESS POINT
• Sometimes called Controller Based APs.
INTER-VLAN ROUTING
CCNAX-200-120
HOW TO CONNECT TWO VLANS
OPTION 1
1. Single router, switch, 2 links from the switch to the router, each link in a different VLAN, and the router interfaces have IP addresses on both VLANs.
2. This isn’t an ideal solution as it consumes many router ports.
3. The port density in routers is very limited
CONFIGURATION
Switch configuration Router Configuration
ROUTER ON A STICK OPTION 2
1. Single router, switch, 1 link from the switch to the router, switch uplink in trunk mode, router port is active and sub-interfaces are created – each in a different VLAN
2. Each sub-interface has a different network; the sub-interface IP will be the gateway
3. This option eliminates the physical limitation of router ports
ROUTER ON A STICK
CONFIGURATION
ROUTER ON A STICK
USING MULTI-LAYER SWITCH
OPTION 3
1. Switch only, supporting L3 routing (called MLS – Multilayer Switch)
2. On the MLS create all VLANs, then create an interface VLAN to associate with each broadcast domain created
3. The interface VLAN is also called an SVI (Switched Virtual Interface); each SVI has an IP address in the associated VLAN, and this IP will act as the users’ gateway.
4. This option eliminates the need for a packet to travel to the router and back again to the switch in regular inter-VLAN communication
MULTI-LAYER SWITCH
• Usually must be 4500 or 6500 series in order to function well in Layer 3 routing between VLANs
• For small-medium business, the 3750 & 3850 & 3650 series will be efficient.
Platforms pictured: CAT 3850, CAT 3750, CAT 3650, CAT 6500, CAT 4500, CAT 4500-X
CONFIGURATION
!
ip routing
!
vlan 10
!
interface vlan 10
ip address 192.168.10.1 255.255.255.0
no shutdown
!
vlan 20
!
interface vlan 20
ip address 192.168.20.1 255.255.255.0
no shutdown
VERIFY ROUTING
You can test that routing is functioning by the following methods :-
• Ping utility
cmd> ping x.x.x.x
Reply from x.x.x.x: bytes=32 time=1717ms TTL=58
The PC sends an ICMP echo; the destination replies with an ICMP echo-reply
• Trace-route utility
cmd> tracert x.x.x.x
1 2 ms 1 ms 3 ms 192.168.1.1 [192.168.1.1]
2 65 ms 32 ms 32 ms x.x.x.x
PART 2
VTP
ABOUT VTP.
• Simplifies adding & creating VLANs
• Organized in management domains; switches in the same management domain can exchange VTP advertisements with each other.
• Operates only on trunk links.
• Switches running VTP store the VLAN data in the vlan.dat file
• By default VTP is enabled on Cisco switches.
VTP MODES
** A network can contain more than one server
** In transparent mode the VLAN configuration is saved in the running-config
VTP
• VTP relies on the revision number to track the information about the VLANs
• The configuration revision number is a 32-bit number
• VTP is on by default; the mode is server, the domain is null, as is the password (can work without a password)
• VTP uses the destination multicast MAC address 01-00-0C-CC-CC-CC, which is also used for CDP, DTP, PAgP and UDLD
• Reset the VTP revision number by changing the domain name or setting the mode to transparent
SWITCH DEFAULT VTP
VTP ADVERTISEMENT.
• A VTP-enabled switch sends VTP messages to exchange information with other switches in the network.
• Cisco switches support 3 versions of VTP; however, those versions are not backward compatible.
• By default switches support VTP version 1
• VTP v1 & v2 support VLANs 1-1005
• VTP v3 supports normal VLANs + extended VLANs
VTP ADVERTISEMENT
VTP advertisements usually originate from server mode switches as VLAN configuration changes occur and are announced. Advertisements can also originate as requests from client mode switches that want to learn about the VTP database as they boot.
VTP advertisements can be the following :-
1. Summary advertisements
2. Subset advertisements
3. Advertisement requests from clients
SUMMARY ADV.
• VTP domain servers send summary advertisements every 300 seconds and every time a VLAN database change occurs.
• Lists information about the management domain, including the VTP version & MD5 hash, and the number of subset advertisements to follow
• For VLAN configuration changes, summary advertisements are followed by one or more subset advertisements with more specific VLAN configuration data
SUBSET ADV.
• VLANs are listed individually in sequential subset advertisements.
ADV. REQUEST FROM CLIENT
• A VTP client can request any VLAN information it lacks. For example, a client switch might be reset and have its VLAN database cleared, its VTP domain membership might be changed, or it might hear a VTP summary advertisement with a higher revision number than it currently has.
• The server responds with a summary advertisement & subset advertisements.
VTP SYNCHRONIZATION
The VTP revision number is stored in NVRAM and is not altered by a power cycle of the switch; therefore, the revision number can be initialized to 0 only by using one of the following methods:
1. Change the switch’s VTP mode to transparent and then change the mode back to server.
2. Change the switch’s VTP domain to a bogus name (a nonexistent VTP domain), and then change the VTP domain back to the original name.
VTP SYNCHRONIZATION
• Note that if any VTP client has a higher revision number than the VTP server, it will update the VLAN database on the servers.
• When the client boots up it will send a summary advertisement, & will notice that its revision number is higher and the others are inferior, so the client (with the higher revision number) will send subset advertisements & update the topology.
• Make sure to delete the vlan.dat file & reset the configuration revision number to zero.
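The two synchronization slides above describe the higher-revision overwrite and the two ways to reset the revision number. The following is an added example, not code from the course slides: a small simulation in which each switch keeps a VLAN database, a revision number and a domain password, and a switch in the same domain replaces its database with one carrying a higher revision, whether the sender is a server or a client. The MD5 check is a simplified stand-in for the real VTP digest (computed here over domain, password and VLAN data), enough to show why a domain password stops a stale switch; switch names, VLAN numbers and the password are constructed for the demo.

```python
"""VTP revision-number synchronisation, as a small simulation.

Added example, not taken from the course slides: it models the
higher-revision overwrite, the two revision resets and a simplified
MD5/password check on summary advertisements.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"            # server | client | transparent
    domain: str = ""                # NULL domain on a default switch
    password: str = ""              # VTP works without a password
    revision: int = 0
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})
    log: list[str] = field(default_factory=list)

    def digest(self, vlans: dict[int, str], revision: int) -> str:
        """Simplified MD5 over the advertised data plus the local password."""
        data = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(data.encode()).hexdigest()

    def add_vlan(self, vid: int, vlan_name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = vlan_name
        if self.mode == "server":
            self.revision += 1      # every database change bumps the revision

    def set_mode(self, mode: str) -> None:
        if mode == "transparent":
            self.revision = 0       # reset method 1 from the slides
        self.mode = mode

    def set_domain(self, domain: str) -> None:
        if domain != self.domain:
            self.revision = 0       # reset method 2 from the slides
        self.domain = domain

    def receive_summary(self, sender: "VtpSwitch") -> bool:
        """Process a summary advertisement from `sender`; True if our DB changed."""
        if self.mode == "transparent" or sender.domain != self.domain:
            return False            # transparent only relays; other domains are ignored
        if sender.revision <= self.revision:
            return False            # equal or lower revision: nothing to learn
        advertised = sender.digest(sender.vlans, sender.revision)
        if advertised != self.digest(sender.vlans, sender.revision):
            self.log.append(f"{self.name}: MD5 mismatch from {sender.name}, dropped")
            return False            # password differs: advertisement rejected
        self.log.append(f"{self.name}: rev {self.revision} -> {sender.revision} "
                        f"from {sender.name} ({sender.mode})")
        self.vlans = dict(sender.vlans)
        self.revision = sender.revision
        return True


def scenario(use_password: bool, reset_stale: bool = False) -> dict:
    """Bring a stale switch into a working domain and report what happened."""
    pw = "constructed-pw" if use_password else ""
    core = VtpSwitch("core", "server", "CORP", pw)
    edge = VtpSwitch("edge", "client", "CORP", pw)
    core.add_vlan(10, "users")
    core.add_vlan(20, "voice")              # core is now at revision 2
    edge.receive_summary(core)
    stale = VtpSwitch("stale", "server", "CORP")   # no password configured
    for _ in range(7):
        stale.add_vlan(99, "lab")           # seven changes: revision 7, one odd VLAN
    if reset_stale:
        stale.set_mode("transparent")       # revision back to 0
        stale.set_mode("server")
    wiped = core.receive_summary(stale)     # stale switch plugs into the domain
    edge.receive_summary(core)              # whatever core now holds propagates
    return {"wiped": wiped, "core_vlans": sorted(core.vlans),
            "edge_vlans": sorted(edge.vlans), "core_rev": core.revision,
            "log": core.log + edge.log}


if __name__ == "__main__":
    for args in ((False, False), (True, False), (False, True)):
        print(args, scenario(*args))
```

The first run (no password, no reset) is the failure the slides warn about: the production database of VLANs 1, 10 and 20 is replaced by the stale switch's VLANs 1 and 99 and the client follows. Either mitigation the slides give, a domain password or resetting the revision through transparent mode before connecting, leaves the production database untouched.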
VTP VERSION 2
VTP VERSION 3
• Supports extended VLANs (1006 - 4094)
• Support for propagating private VLANs
• Support for propagating Multiple Spanning Tree
• Support for flagging VLANs as RSPAN (disables MAC learning on the VLAN)
• Fixes the bane of VTP v1/2, the accidental-high-configuration-revision-wipes-out-your-network issue.
• VTP can now be turned off completely, as opposed to just transparent mode
• Support for hidden passwords
• VTP can now be enabled per port (excluded from some trunks)
VTP VERSION 3
# use the command vtp under the interface to enable VTP
# use the command no vtp under the interface to disable VTP
operation modes
[VTP mode table; only the storage column survived: four of the modes store VLANs in permanent local storage, one stores VLANs in temporary local storage and asks the server]
HIGHER REVISION NUMBER ISSUE
VTP MODE OFF
• The big difference with disabling VTP as opposed to using transparent mode is that the switch won't even pass VTP messages in "off" mode; it deliberately filters them. The benefit would be for a network administrative boundary, like connecting trunks between two carriers.
• Transparent & Server & Client still exist
• Recommended mode for unknown types of VLANs: OFF / TRANSPARENT
VTPV3 & MST
** Later on in STP we will talk about MST
** VTP can work as (server-client-transparent) for feature VLANs | MST | unknown VLANs
FEATURE VLANS (1-4094)
MST (INSTANCES OF MST)
DEFAULT MODE FOR FEATURE IS SERVER
MST & UNKNOWN IS TRANSPARENT
VTPV3 & MST CONFIGURATION
SW – 1
---------------
conf t
spanning-tree mode mst
spanning-tree mst configuration
revision 1
name Region_1
instance 1 vlan 10,20
!
vtp version 3
vtp mode server mst
!
do vtp primary mst
SW – 2
----------------
conf t
spanning-tree mode mst
spanning-tree mst configuration
!
vtp version 3
vtp mode client mst
!
VERIFICATION
----------------
show spanning-tree mst configuration
Name [R_1]
Revision 1 Instances configured 2
Instance Vlans mapped
-------- ----------------------------
0 1-29,31-39,41-4094
1 10,20
--------------------------------------
RSPAN & VTP
The purpose here is to tell all the switches in the forwarding path of the remote SPAN not to learn MAC addresses on that VLAN.
SW1(config)#vlan 150
SW1(config-vlan)#remote-span
SW2#show vlan remote-span
Remote SPAN VLANs
-------------------------------------------------------
150
VTP V3 MESSAGE SECURITY
• VTP in general relies on an MD5 hash to ensure no changes occur and no false insertion of VLAN information inside the VTP domain.
• vtp password <PASS> --- the password in the config and in vlan.dat is shown; you can use service password-encryption, but the password will only be hidden in the config.
• vtp password <PASS> hidden --- the password in the config and in vlan.dat is totally hidden (only in VTPv3)
VTP CONFIGURATION – VERSION 2
• VTP configuration, version 2 or 1 :
Switch#configure terminal
Switch(config)#vtp version [1-2]
Switch(config)#vtp mode server
Switch(config)#vtp domain cisco
Switch(config)#vtp password mypassword <hide>
• VTP configuration, version 3 :
Switch#vtp primary vlan
Switch(config)#vtp version 3
Switch(config)#vtp mode server <secondary server>
Switch(config)#vtp domain cisco
Switch(config)#vtp password mypassword secret
VERIFY VTP
VTP PRUNING
FLOODING
PRUNING ENABLED
• VTP pruning makes more efficient use of trunk bandwidth by
reducing unnecessary flooded traffic. Broadcast, multicast,
and unknown unicast frames on a VLAN are forwarded over a
trunk link only if the switch on the receiving end of the trunk
has ports in that VLAN.
• VTP pruning occurs as an extension to VTP version 1, using an
additional VTP message type. When a Catalyst switch has a
port associated with a VLAN, the switch sends an
advertisement to its neighbor switches that it has active
ports on that VLAN. The neighbors keep this information,
enabling them to decide whether flooded traffic from a
VLAN should be allowed on the trunk links.
a.abdelfatah91@gmail.com
CCNP R&S Switch 300-115 / ILT Course 2016
VTP PRUNIGN
• Even when VTP pruning has determined that a VLAN is not
needed on a trunk, an instance of the Spanning Tree
Protocol (STP) will run for every VLAN that is allowed
on the trunk link. To reduce the number of STP instances,
you should manually “prune” unneeded VLANs from the
trunk and allow only the needed ones. Use the switchport
trunk allowed vlan command to identify the VLANs that
should be added or removed from a trunk.
# switchport trunk allowed vlan
a.abdelfatah91@gmail.com
CCNP R&S Switch 300-115 / ILT Course 2016
VTP PRUNING CONSIDERATIONS
• Be aware that VTP pruning has no effect on switches in VTP transparent mode; those switches must be configured manually to “prune” VLANs from trunk links.
• By default, VLANs 2 to 1001 are eligible for pruning.
• VLAN 1 has a special meaning because it is sometimes used for control traffic and is the default access VLAN on switch ports; VLAN 1 is never eligible for pruning.
• VLANs 1002 through 1005 are reserved for Token Ring and FDDI VLANs and are never eligible for pruning
SHOW INT SWITCHPORT
CONFIGURE PRUNING
# vtp pruning
• All general purpose VLANs (2-1001) will be eligible for pruning
• You can modify the VLANs eligible for pruning using
switchport trunk pruning vlan {{{add | except | remove} vlan-list} | none}
IMPORTANT NOTE ABOUT VTP
• VTP can work without a password
• VTP can be configured on one switch and the configuration will be replicated to all switches (assuming they are on the default config & no password is configured)
• The replicated configuration will be the version + the domain name & will be replicated right after the configuration revision number is raised.
COMPATIBILITY
Version   V1   V2            V3
SEND V1   Y    Y*            X
SEND V2   Y*   Y             X
SEND V3   X    Y** (client)  Y
• VTP version 2 updates switches running VTP version 1 by changing their version to 2
• VTP version 1 updates switches running VTP version 2 by changing their version to 1
DEBUG VTP
# debug sw-vlan vtp
PART 3
STP Basics
BASICS OF STP
• STP is a loop prevention mechanism
• A loop is formed between switches where frames circulate endlessly
• STP protects the switched network against bridging loops
• STP works effectively in redundant-link & multi-switch environments
• A form of STP is enabled by default on Cisco switches
• Developed by IEEE
• Has many IEEE versions (3)
• Cisco has 2 special (proprietary) versions
HOW STP WORKS
• STP computes a tree structure that spans all switches in a subnet or network.
• Redundant paths are placed in a Blocking or Standby state to prevent frame forwarding. The switched network is then in a loop-free condition.
• If a forwarding port fails or becomes disconnected, the spanning-tree algorithm recomputes the spanning-tree topology so that the appropriate blocked links can be reactivated.
• Switches exchange messages called BPDUs to discover redundant links and create a loop-free network
THE STP BPDU
• A switch sends a BPDU frame out a port, using the unique MAC address of the port itself as a source address.
• BPDU frames are sent with a destination address of the well-known STP multicast address 01-80-c2-00-00-00
• BPDU has two types
- configuration
- topology change notification
STP BPDU
STP TIMERS
STP TIMERS
• The timer values never should be changed from the defaults without careful consideration.
• The values should be changed only on the root bridge switch. Recall that the timer values are advertised in fields within the BPDU.
• The default STP timers are based on a network with 7 switches (diameter) from end to end; the time consumed to traverse a Hello message will be 2 seconds.
PORT STATES
• 802.1D STP port states
Disabled > Blocking > Listening > Learning > Forwarding
STP COMPUTATION
STP WORK FLOW
STP – ROOT BRIDGE ELECTION
• Elect the root bridge based on BPDU information as follows
• Every switch begins by sending out BPDUs with a root bridge ID equal to its own bridge ID and a sender bridge ID that is its own bridge ID.
• After a root bridge is decided on, configuration BPDUs are sent only by the root bridge.
• All other bridges must forward or relay the BPDUs, adding their own sender bridge IDs to the message.
• If a new switch with a lower bridge priority powers up, it begins advertising itself as the root bridge. Because the new switch does indeed have a lower bridge ID, all the switches soon reconsider and record it as the new root bridge.
• This also happens if the new switch has a bridge priority equal to that of the existing root bridge but has a lower MAC address.
ELECTING ROOT PORT
• STP uses the concept of cost to determine many things. Selecting a root port involves evaluating the root path cost.
• This value is the cumulative cost of all the links leading to the root bridge.
• The root path cost is carried inside the BPDU.
• The higher the bandwidth of a link, the lower the cost
DEFAULT COSTS
Old cost: divided on 100 Mbps (10^7)
New cost: divided on 1000 Mbps (10^9)
CALCULATE ROOT PATH COST
CONFIGURING COST
# interface fa0/0
spanning-tree cost <1-200000000>
Or
# change the speed of the interface
PORT PRIORITY
Assume a switch has 2 ports that are equal in root path cost; the lowest sender port ID will be the root port
# spanning-tree port-priority <0 – 192>
The port priority by default is 128 (port ID = priority.interface-id), configured on the facing interface
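The root bridge election, root path cost and port priority slides above give the comparison order in words. The following is an added example, not code from the course slides: a minimal model in which a bridge ID is (priority, MAC) with the lowest winning, and a non-root switch ranks the BPDUs it hears by root bridge ID, then root path cost (the advertised cost plus the cost of the local port the BPDU arrived on), then sender bridge ID, then sender port ID (port priority, port number). Switch names, MAC addresses and link speeds are constructed, and the costs are the classic 802.1D-1998 values for the speeds listed.

```python
"""Root bridge and root port election from BPDU fields.

Added example, not taken from the course slides: the bridge ID and
root port comparison order, with a constructed three-switch lab.
"""
from dataclasses import dataclass

# Classic (short) 802.1D-1998 path costs by link speed in Mb/s.
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> tuple[int, str]:
    """Bridge ID: numeric priority first, then the MAC as a tie-breaker."""
    return (priority, mac.lower())


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple[int, str]
    root_path_cost: int
    sender_id: tuple[int, str]
    sender_port_id: tuple[int, int]   # (port priority, port number) on the sender


@dataclass(frozen=True)
class Heard:
    bpdu: Bpdu       # best BPDU heard on this local port
    speed_mbps: int  # speed of the local port, which sets its cost


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """Every switch first claims to be root; the lowest bridge ID wins."""
    return min(bridges, key=lambda name: bridges[name])


def rank(h: Heard) -> tuple:
    """Comparison key: lower is better at every position."""
    b = h.bpdu
    return (b.root_id, b.root_path_cost + PATH_COST[h.speed_mbps],
            b.sender_id, b.sender_port_id)


def choose_root_port(heard: dict[str, Heard]) -> str:
    """Pick the local port with the best-ranked BPDU."""
    return min(heard, key=lambda port: rank(heard[port]))


# Constructed three-switch lab: all priorities default (32768), so MAC decides.
SW1 = bridge_id(32768, "0000.0000.0001")
SW2 = bridge_id(32768, "0000.0000.0002")
SW3 = bridge_id(32768, "0000.0000.0003")


def demo_equal_cost_tiebreak(sender_port_prio_on_link2: int = 128) -> str:
    """SW3 has two equal-speed links to the root SW1. With default port
    priorities the BPDU from SW1's lower-numbered port wins; lowering the
    port priority on SW1's second port moves SW3's root port to link 2."""
    heard = {
        "Gi0/1": Heard(Bpdu(SW1, 0, SW1, (128, 1)), 1000),
        "Gi0/2": Heard(Bpdu(SW1, 0, SW1, (sender_port_prio_on_link2, 2)), 1000),
    }
    return choose_root_port(heard)


def demo_cost_beats_hops() -> str:
    """A slow direct link to the root (100 Mb/s, cost 19) loses to two
    gigabit hops through SW2 (4 + 4 = 8)."""
    heard = {
        "Fa0/1": Heard(Bpdu(SW1, 0, SW1, (128, 3)), 100),
        "Gi0/2": Heard(Bpdu(SW1, 4, SW2, (128, 1)), 1000),
    }
    return choose_root_port(heard)


if __name__ == "__main__":
    print(elect_root({"SW1": SW1, "SW2": SW2, "SW3": SW3}))
    print(demo_equal_cost_tiebreak(), demo_equal_cost_tiebreak(64))
    print(demo_cost_beats_hops())
```

The second call to `elect_root` in the test shows the point of the election slide: a new switch with priority 4096 wins regardless of its MAC address, which is what the root guard slides later in this deck are meant to contain.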
TOPOLOGY CHANGE BPDU
TCN FLOW
• A topology change occurs when a switch either moves a port into the Forwarding state or moves a port from the Forwarding or Learning states into the Blocking state.
• The TCN BPDU carries no data about the change but informs recipients only that a change has occurred.
• The switch sends a TCN BPDU out its root port so that, ultimately, the root bridge receives news of the topology change
• The switch will not send TCN BPDUs if the port has been configured with PortFast enabled.
• The switch will send the TCN every Hello interval until it hears an ACK.
TCN FLOW
• When the upstream neighbors receive the TCN BPDU, they propagate it on toward the root bridge and send their own ACK.
• When the root bridge receives the TCN BPDU, it also sends out an acknowledgment.
• The root bridge sets the Topology Change flag in its configuration BPDU, which is relayed to every other bridge in the network
• Other bridges will shorten their bridge table aging times from the default (300 seconds) to the forward delay value (default 15 seconds).
TYPES OF TOPOLOGY CHANGE
1. Direct
when a port fails physically
2. Indirect
when data is filtered (BPDU filter, etc.)
3. Insignificant
port to a PC goes up & down (too bad)
DIRECT CHANGE
INDIRECT CHANGE
INSIGNIFICANT CHANGE
STP
Above image is from the packetlife.com blog
STP TYPES
When a switch runs 10 VLANs, 10 PVST+ instances will be created in addition to 1 CST instance.
PART 3
STP Configuration
STP OPERATION
• By default STP is running on all ports of the switch
• The STP instance can be disabled for specific VLANs using
( no spanning-tree vlan <VLAN-ID> )
• STP can also be disabled per port using
( interface fa0/1 )
( no spanning-tree vlan <VLAN-ID> )
• No need to disable STP.
ELECT THE ROOT BRIDGE
A Catalyst switch can be configured to use one of the following formats for its STP Bridge ID:
• If the switch cannot support 1024 unique MAC addresses for its own use, the extended system ID is always enabled by default.
SETTING THE BRIDGE PRIORITY
Switch(config)# spanning-tree vlan vlan-list priority bridge-priority
STP MACRO (PRIM&SEC)
• The macro is a command on the switch that executes several other commands.
Switch(config)# spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]
• Use the primary keyword to make the switch attempt to become the primary root bridge. This command modifies the switch’s bridge priority value to become less than the bridge priority of the current root bridge.
• By default the root priority will be 24,576 – “if the current root is higher than 24,576”
STP MACRO (PRIM&SEC)
• If the current root priority is less than 24K the switch will set the priority to 4096.
• If the current root priority is 4096, the command will fail; the only option here is to set the priority manually to 0.
• The backup root bridge will set the priority to 28,672 as a fixed value (no option to query like the root did)
TUNING STP COST
• Tuning the root path cost
! Can be done on the interface level
! STP uses the cost of the egress port
Can be configured using
#spanning-tree cost (1-200,000,000)
TUNING PORT-ID
• A 16-bit quantity: 8 bits for the port priority, and 8 bits for the port number.
• Defaults to 128 for all ports
• Ports that are bundled into an EtherChannel or port channel interface always have a higher port ID than they would if they were not bundled.
• Port priority can influence the decision from the upstream switch
• Port priority can be configured per VLAN
TUNING STP TIMERS
• Remember that the timers need to be modified only on the root bridge because the root bridge propagates all three timer values throughout the network as fields in the configuration BPDU.
• Hello can be between 1-10 seconds, FD (4-30), MA (6-40)
• Those timers are configured for a diameter of 7 switches
TUNING STP CONVERGENCE
• PortFast: Enables fast connectivity to be established on access layer switch ports to workstations that are booting
• UplinkFast: Enables fast-uplink failover on an access layer switch when dual uplinks are connected into the distribution layer
• BackboneFast: Enables fast convergence in the network backbone or core layer switches after a spanning-tree topology change occurs
PORTFAST
• By default, PortFast is disabled on all switch ports
• You can configure PortFast as a global default, which will affect all ports in access mode.
• A TCN message isn’t sent if PortFast is enabled on the failed link
• Should be enabled only between a switch & an endpoint.
• Switch(config)# spanning-tree portfast default
or
Switch(config-if)# switchport host
• show spanning-tree vlan 5 interface e0/0 portfast
UPLINK FAST
• UplinkFast keeps a record of all parallel paths to the root bridge; “cannot be enabled on the root bridge”
• All uplink ports but one are kept in the Blocking state.
• If the root port fails, the uplink with the next-lowest root path cost is unblocked and used without delay.
• UplinkFast is only allowed to be configured on leaf-node switches; for this reason the bridge priority is raised to 49,152 & the port cost is incremented by 3000
UPLINK FAST .CONT
• UplinkFast makes it easy for the local switch to update its bridging table of MAC addresses to point to the new uplink.
• UplinkFast also provides a mechanism for the local switch to notify other upstream switches that stations downstream (or within the access layer) can be reached over the newly activated uplink.
• The switch accomplishes this by sending dummy multicast frames to destination 0100.0ccd.cdcd on behalf of the stations contained in its CAM table. The source MAC will be the MAC address of the station listed in the CAM
UPLINK FAST .CONT
• These multicast frames are sent out at a rate specified by the max-update-rate parameter in PPS.
• The default is 150 packets per second, but the range can be configured between 0-65535.
• When the value is set to 0, this means no dummy multicast will be sent
• UplinkFast works well to mitigate the direct change.
VERIFY UPLINKFAST
BACKBONE FAST
• BackboneFast helps in the indirect change case
• If the designated switch loses the cable to the root switch, it will declare itself as root bridge.
• When another switch receives the new BPDU (it will be called an inferior BPDU as it originated from the designated switch), the default behavior is to wait until the max-age time to erase the stored superior BPDU.
• BackboneFast will save time by enabling faster convergence for the root port.
BACKBONE FAST & RLQ
• If the local switch has blocked ports, BackboneFast will begin sending a root-link-query (RLQ) to check whether the upstream switch has a stable connection to the root bridge.
• If the RLQ reply is received on a non-root port, the max age time is expired on the original root port to allow faster convergence.
• BackboneFast should be enabled on all switches
Switch(config)# spanning-tree backbonefast
VERIFY BACKBONE FAST
MONITOR STP – SH STP DET
SHOW SPAN VLAN 1 SUM
SHOW SPAN – ROOT-BRIDGE
PART 3
STP Protection
PORT TYPES
• Root port: The one port on a switch that is closest (with the
lowest root path cost) to the root bridge.
• Designated port: The port on a LAN segment that is closest to
the root. This port relays, or transmits, BPDUs down the tree.
• Blocking port: Ports that are neither root nor designated
ports.
• Alternate port: Ports that are candidate root ports; they stay
blocked until the current root port fails.
• Forwarding port: Ports where no other STP activity is
detected or expected. These are ports with normal end-user
connections.
ROOT GUARD
• Enabled on ports where the root bridge must never appear,
typically distribution ports facing the access layer.
• If a superior BPDU is received, the port is put into the
root-inconsistent state (effectively Blocking) until the
superior BPDUs stop arriving; recovery is automatic.
• A Root Guard port can still send and relay BPDUs and remain
designated; it is only prevented from becoming a root port.
• Enabled per interface (spanning-tree guard root)
• Verify ports
Switch# show spanning-tree inconsistentports
BPDU GUARD
• PortFast does not disable STP on the port; it only skips the
Listening and Learning states.
• A bridging loop could still occur if another switch is
connected to a PortFast port.
• BPDU Guard detects a switch (or anything else that sends
BPDUs, such as a host running bridging software) behind a
PortFast port.
• BPDU Guard protects against loops caused by a connected
switch, but not against a loop built through a hub, which
sends no BPDUs of its own.
• As soon as any BPDU is received, the port is put into
err-disabled state; it stays down until shut / no shut, or
until errdisable recovery brings it back.
• Enabled per port or globally (default) on all PortFast ports.
BPDU FILTER
• BPDU Filter effectively disables STP on the switch port.
• BPDU Filter stops the port from sending and receiving BPDUs.
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter {enable | disable}
• Enabled per port or globally (default) on PortFast ports.
• Caveat: the global default form only applies to PortFast ports
and removes the filter (and PortFast) as soon as a BPDU is
received, but the per-interface enable form ignores BPDUs
unconditionally, so a switch plugged into that port can create
an undetected loop. On access ports prefer BPDU Guard.
LOOPGUARD
Case
A switch has a root port and an alternate (blocking) port. If
BPDUs stop arriving on the blocking port because of a software
problem or a unidirectional link on the neighbor, while the link
itself stays up, the stored BPDU ages out after Max Age and the
port moves through Listening and Learning into Forwarding. With
both ports forwarding, a bridging loop results.
FIX
Loop Guard keeps track of the BPDU activity on nondesignated
ports. While BPDUs are received, the port is allowed to behave
normally. When BPDUs go missing, Loop Guard moves the port into
the loop-inconsistent state; it returns to normal as soon as
BPDUs are received again.
LOOPGUARD
• Enabled globally or per switch port
• Applies to both copper and fiber ports
• Loop Guard works per VLAN: on a trunk, only the VLANs whose
BPDUs stop arriving are put into the loop-inconsistent state.
• Protects against problems caused by software issues or
unidirectional links that leave the link up but silent.
• Loop Guard and Root Guard are mutually exclusive on a port.
• Enable
Switch(config)# spanning-tree loopguard default (global)
Switch(config-if)# spanning-tree guard loop (per interface)
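Root Guard, BPDU Guard and Loop Guard each decide what a port does when a BPDU arrives, or stops arriving. The following Python model is an added example written for this page; it is not code from the course slides or from Cisco. The bridge-ID ordering is the real STP tie-break (lower priority, then lower MAC, then lower path cost), while the port-state names, the `MAX_AGE_HELLOS` constant and the bridge IDs in `demo()` are simplifications and constructed values chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_AGE_HELLOS = 10   # Max Age 20 s / Hello 2 s: a stored BPDU ages out after 10 missed hellos


@dataclass(order=True, frozen=True)
class BridgeId:
    """STP bridge ID: lower priority wins, then lower MAC address."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId


def is_superior(new: Bpdu, current: Bpdu) -> bool:
    """True if `new` advertises a better root than `current`, using the
    STP order: root ID, then root path cost, then sender bridge ID."""
    return (new.root_id, new.root_path_cost, new.sender_id) < (
        current.root_id, current.root_path_cost, current.sender_id)


@dataclass
class Port:
    name: str
    portfast: bool = False
    root_guard: bool = False
    bpdu_guard: bool = False
    loop_guard: bool = False
    # forwarding | blocking | errdisabled | root-inconsistent | loop-inconsistent
    state: str = "forwarding"
    best_bpdu: Optional[Bpdu] = None
    missed_hellos: int = 0


def receive_bpdu(port: Port, bpdu: Bpdu, our_root: Bpdu) -> str:
    """Apply the guards to one received BPDU; return the resulting port state."""
    if port.state == "errdisabled":
        return port.state
    if port.bpdu_guard and port.portfast:
        port.state = "errdisabled"            # BPDU Guard: any BPDU on a PortFast port
        return port.state
    port.best_bpdu, port.missed_hellos = bpdu, 0
    if port.root_guard and is_superior(bpdu, our_root):
        port.state = "root-inconsistent"      # Root Guard: a better root on the wrong side
    elif port.state == "loop-inconsistent":
        port.state = "blocking"               # Loop Guard recovers once BPDUs return
    return port.state


def hello_tick_without_bpdu(port: Port) -> str:
    """Called once per Hello interval in which no BPDU arrived on the port."""
    if port.state == "errdisabled" or port.best_bpdu is None:
        return port.state
    port.missed_hellos += 1
    if port.missed_hellos < MAX_AGE_HELLOS:
        return port.state
    port.best_bpdu = None                     # the stored BPDU has aged out
    if port.state == "root-inconsistent":
        port.state = "forwarding"             # superior BPDUs gone: Root Guard releases the port
    elif port.state == "blocking":
        # Plain 802.1D unblocks a silent port (loop risk); Loop Guard holds it instead.
        port.state = "loop-inconsistent" if port.loop_guard else "forwarding"
    return port.state


def demo() -> dict:
    """Constructed scenarios: one legitimate root, one rogue switch claiming priority 0."""
    root = BridgeId(4096, "0000.0000.0001")
    rogue = BridgeId(0, "0000.0000.00ff")
    neighbor = BridgeId(32768, "0000.0000.0002")
    ours = Bpdu(root, 0, root)                # what the real root currently tells us
    results = {}

    p = Port("Gi1/0/1", root_guard=True)                   # distribution port facing access
    results["rootguard"] = receive_bpdu(p, Bpdu(rogue, 0, rogue), ours)

    p = Port("Gi1/0/2", portfast=True, bpdu_guard=True)    # host port with a switch plugged in
    results["bpduguard"] = receive_bpdu(p, Bpdu(root, 4, neighbor), ours)

    for key, guard in (("loopguard", True), ("no_loopguard", False)):
        p = Port("Gi1/0/3", loop_guard=guard, state="blocking")   # alternate port
        receive_bpdu(p, Bpdu(root, 4, neighbor), ours)
        state = p.state
        for _ in range(MAX_AGE_HELLOS):       # the neighbor goes silent, the link stays up
            state = hello_tick_without_bpdu(p)
        results[key] = state
    return results


if __name__ == "__main__":
    print(demo())
```

The last two scenarios are the point of Loop Guard: the same silent neighbor leaves a plain 802.1D port in Forwarding (a loop if the neighbor is actually still forwarding), while the guarded port stays blocked until BPDUs come back.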
UDLD
• Cisco proprietary
• UDLD (Unidirectional Link Detection) interactively monitors a
port to see whether the link is truly bidirectional.
• A switch sends special Layer 2 UDLD frames identifying its
switch port at regular intervals. UDLD expects the far-end
switch to echo those frames back across the same link,
with the far-end switch port's identification added.
UDLD .CONT
• Normal mode: if the echoes stop, the port is only marked
"undetermined" and a syslog message is generated; the port
keeps forwarding.
• Aggressive mode: after the echoes stop, the switch retries
eight times, one second apart, and then puts the port into
err-disabled state.
• A port err-disabled by aggressive UDLD can be re-enabled with
Switch# udld reset
CONFIGURE UDLD
ENABLE GLOBALLY
Switch(config)# udld {enable | aggressive | message time seconds}
The global command affects only fiber-optic ports; copper ports
need the per-port command below.
The message time here defaults to 7 seconds and can be set
between 1 and 90 seconds.
The default UDLD message interval differs among Catalyst switch
platforms. Although two neighbors might have mismatched message
time values, UDLD still works correctly, because each of the two
neighbors simply echoes UDLD messages back as they are received,
without knowledge of its neighbor's own time interval.
ENABLE PER-PORT
Switch(config-if)# udld {enable | aggressive | disable}
LOOPGUARD VS UDLD
• Loop Guard acts on missing BPDUs (per VLAN, inside STP); UDLD
acts on missing echoes of its own frames (per link, independent
of STP). They complement each other and can run together.
SUMMARY
• BPDU Guard
• BPDU Filter
• Port Fast
• Uplink Fast
• Backbone Fast
• Loop Guard
• Unidirectional Link Detection
COMMANDS
PART 3
Rapid-STP
RAPID STP
• RSTP was defined in IEEE 802.1w and later merged into
IEEE 802.1D-2004.
• RSTP port roles are as follows
- Root Port
The port that has the best root path cost to the root;
the root bridge has no root ports.
- Designated Port
The designated port is the port that sends the best BPDU on
the segment.
- Alternate Port
A port that has an alternative path to the root, different
from the path the root port takes. This path is less desirable
than that of the root port.
- Backup Port
A port that provides a redundant (but less desirable)
connection to a segment where another switch port already
connects. If that common segment is lost, the switch might or
might not have a path back to the root.
RAPID STP PORT STATES
Discarding:
Incoming frames simply are dropped; no MAC addresses are
learned. (Replaces the 802.1D Disabled, Blocking and Listening
states.)
Learning:
Incoming frames are dropped, but MAC addresses are learned.
Forwarding:
Incoming frames are forwarded according to MAC addresses that
have been (and are being) learned.
RSTP BPDU
• STP 802.1D (version 0)
In 802.1D, BPDUs basically originate from the root bridge and are
relayed by all switches down through the tree. Because of this
propagation of BPDUs, 802.1D convergence must wait for steady-
state conditions before proceeding.
• RSTP (version 2)
Every RSTP switch originates its own BPDUs every Hello interval,
so BPDUs also act as a keepalive between neighbors.
For compatibility, RSTP falls back to sending 802.1D BPDUs on any
port where it receives 802.1D BPDUs.
Depending on the version of the received BPDU, the port operates
accordingly.
RSTP CONVERGENCE
• A switch can detect a neighbor failure in three Hello
intervals (default 6 seconds), versus the Max Age timer
interval (default 20 seconds) for 802.1D.
• Unlike STP, how an RSTP switch converges on a port depends
on the port type.
• The port type can be
Edge (connected to a single host; configured with PortFast)
Point-to-Point (connected to another switch, full duplex;
half-duplex links are treated as shared and converge slowly)
Root Port
RSTP SYNC
• For each nonedge port, the switch exchanges a
proposal-agreement handshake to decide the
state of each end of the link. Each switch
assumes that its port should become the
designated port for the segment, and a proposal
message (a configuration BPDU) is sent
to the neighbor suggesting this.
SYNC PROCESS
When a switch receives a proposal, the following occurs
1. If the sender has the superior BPDU, the receiving port becomes
the new root port.
2. Before agreeing, the switch must first synchronize itself.
3. All nonedge ports are immediately moved into the
discarding state.
4. The switch sends an agreement message to tell the neighbor
that its own ports are now in sync, so the neighbor's proposing
port can move to Forwarding.
SYNC PROCESS CONT
5. The root port moves to the forwarding state.
6. On all non-edge ports the switch sends a proposal to the
neighbor.
7. An agreement is expected to be received on all non-edge
ports.
8. After the agreement is received, the non-edge ports move to
the forwarding state.
** It is recommended to use PortFast on host ports: edge ports
are skipped by the sync, so they stay up while the rest of the
tree converges.
RSTP CONVERGENCE
TOPOLOGY CHANGE IN RSTP
1. RSTP detects a topology change only when a nonedge port
transitions to the Forwarding state.
2. When a topology change is detected, a switch must propagate
news of the change to other switches in the network.
3. BPDUs with their TC bit set are sent out all the nonedge
designated ports.
4. All MAC addresses associated with the nonedge designated
ports are flushed from the CAM table.
5. All neighboring switches that receive the TC messages also
must flush the MAC addresses learned on all ports except
the one that received the TC message.
RSTP CONFIGURATION
• Configure a port as Edge (per interface)
Switch(config-if)# spanning-tree portfast
• Force a port to Point-to-Point (per interface)
Switch(config-if)# spanning-tree link-type point-to-point
By default a full-duplex port is treated as point-to-point and a
half-duplex port as shared; a shared port slows the convergence
process because the proposal/agreement handshake is not used on it.
RAPID-PVST+
To enable Rapid PVST+
Switch(config)# spanning-tree mode rapid-pvst
Default timers (same values as 802.1D):
Hello 2 s
Max Age 20 s
Forward Delay 15 s
Port states: Discarding - Learning - Forwarding
PART 3
MST
MST OVERVIEW
1. MST is built on the concept of mapping one or more
VLANs to a single STP instance.
2. Defined as IEEE standard 802.1s, later merged into 802.1Q-2003.
3. MST rules are based on Rapid STP.
4. MST reduces the number of STP instances running, which
effectively reduces the load on the switches compared with
PVST+, where every VLAN runs its own instance.
ABOUT MST
Like VTP, bridges running MST must have certain compatible
parameters:
• MST Region Name
• MST Revision Number (not dynamic; set manually)
• VLAN-to-Instance Mapping (Configuration Digest)
All VLANs are mapped to Instance 0 by default.
Creating separate STP topologies involves tuning STP
variables (cost, priority, etc.) per instance, not per
VLAN.
MST REGIONS
• MST is different from 802.1Q CST and PVST+, although it can
interoperate with them. If a switch is configured to use
MST, it somehow must figure out which of its neighbors
are using which type of STP.
• This is done by configuring switches into common MST
regions, where every switch in a region runs MST with
compatible parameters.
• Within the region, all switches must run the same MST
configuration (the three attributes listed below).
MST REGIONS
A single MST region must match on the following:
■ MST configuration name (32 characters)
■ MST configuration revision number (0 to 65535)
■ MST instance-to-VLAN mapping table (4096 entries)
• The entire MST instance-to-VLAN mapping table is not
sent in the BPDUs because the instance mappings must be
configured on each switch. Instead, a digest, or a hash
code computed from the table contents, is sent. A switch whose
digest differs is simply treated as belonging to a different
region; the digest is a consistency check, not authentication.
STP WITHIN MST
• MST was designed to interoperate with all other forms of
STP. Therefore, it also must support STP instances from
each STP type.
• An Internal Spanning Tree (IST) instance runs to work out
a loop-free topology between the links where the CST meets
the region boundary and all switches inside the region.
• The IST presents the entire region as a single virtual
bridge to the CST outside. BPDUs are exchanged at the
region boundary only over the native VLAN of trunks, as if
a single CST were in operation.
• The actual MST instances (MSTIs) exist alongside the IST.
Cisco supports a maximum of 16 MSTIs in each region. The
IST always exists as MSTI number 0, leaving MSTIs 1
through 15 available for use.
CONFIGURE MST
PART 3
Link Aggregation
SCALE UP BANDWIDTH
ETHERCHANNEL
• Cisco offers the EtherChannel feature, which increases
bandwidth by aggregating parallel links into one logical link.
• Can bundle up to 8 links, giving 1600 Mbps, 16 Gbps or 160 Gbps
of full-duplex bandwidth (both directions counted) for Fast
Ethernet, Gigabit and 10 Gigabit links respectively.
• EtherChannel is normally configured between 2 switches.
• MCE (multi-chassis EtherChannel) can be configured
between 3 switches (2 of them running VSS or similar).
• The bundled ports must match (media, duplex, speed,
STP settings, VLAN/trunk mode).
TRAFFIC DISTRIBUTION
• The load is not necessarily balanced equally across all
the links.
• Frames are forwarded on a specific link as a result of a
hashing algorithm.
• The algorithm can use the source IP address, destination IP
address, or a combination of source and destination IP
addresses, source and destination MAC addresses, or
TCP/UDP port numbers.
• If only one address or port number is hashed, a switch
forwards each frame by using one or more low-order
bits of the hash value.
• If two addresses or port numbers are hashed, a switch
performs an exclusive-OR (XOR) operation on one or
more low-order bits of the two hash values.
• A bundle of 2, 4 or 8 links uses 1, 2 or 3 low-order bits. The
hash always yields 8 values, so a bundle whose size is not a
power of two is uneven (3 links get 3:3:2 of the hash values).
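The bullets above describe link selection in words; the following Python model is an added example for this page, not code from the course slides or from Cisco. It reproduces the documented mechanics (hash one field, or XOR two, then keep the low-order bits for the bundle size) on constructed flows, so the uneven result for "many clients, one server" can be seen. The CRC32 per-field hash is an assumption for illustration; the real per-ASIC function is not given in the course material.

```python
import ipaddress
import zlib


def parse_addr(value: str) -> bytes:
    """Accept a MAC in Cisco dotted form (aaaa.bbbb.cccc) or colon/dash form,
    or an IPv4/IPv6 address in text form, and return its raw bytes."""
    is_mac = (value.count(".") == 2
              or (value.count(":") == 5 and "::" not in value)
              or value.count("-") == 5)
    if is_mac:
        return bytes.fromhex(value.replace(".", "").replace(":", "").replace("-", ""))
    return ipaddress.ip_address(value).packed


def hash_field(value: str) -> int:
    """Hash one address. CRC32 is an assumption for illustration only."""
    return zlib.crc32(parse_addr(value)) & 0xFFFFFFFF


def select_link(num_links: int, *fields: str) -> int:
    """Return the 0-based index of the bundled link a frame is sent on.
    One field: low-order bits of its hash. Two or more fields: XOR the
    hashes first. A bundle of 2, 4 or 8 links uses 1, 2 or 3 bits."""
    if not fields:
        raise ValueError("at least one address or port field is required")
    if num_links not in (1, 2, 4, 8):
        raise ValueError("this model only handles power-of-two bundle sizes")
    h = 0
    for f in fields:
        h ^= hash_field(f)
    return h & (num_links - 1)


def distribution(flows, num_links: int, keys) -> list:
    """Count how many flows land on each link for a load-balance method,
    e.g. keys=("dst_ip",) for dst-ip or ("src_ip", "dst_ip") for src-dst-ip."""
    counts = [0] * num_links
    for flow in flows:
        counts[select_link(num_links, *(flow[k] for k in keys))] += 1
    return counts


# Constructed sample: eight clients all talking to one server across a 4-link bundle.
FLOWS = [{"src_ip": f"10.1.1.{i}", "dst_ip": "10.2.2.2"} for i in range(1, 9)]


if __name__ == "__main__":
    print("dst-ip only :", distribution(FLOWS, 4, ("dst_ip",)))
    print("src-dst-ip  :", distribution(FLOWS, 4, ("src_ip", "dst_ip")))
```

With destination-IP-only hashing every flow to the single server lands on the same link regardless of the hash function chosen, which is the practical reason to pick the load-balance method from the traffic pattern on each side of the bundle (many-to-one uplinks want a source or source-destination key).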
PART 4
Layer 2 Security
LAYER 2 SECURITY
• Port Security
• Dynamic ARP Inspection
• DHCP Snooping
• IP Source Guard
• 802.1X
• Storm Control
PORT SECURITY
• Limits the number of MAC addresses that the MAC address
table can learn through a port, and optionally which ones.
• When enabled, the switch examines the source MAC of every
frame received from the end point before learning it.
PORT SECURITY .CONT
SW(config-if)# switchport mode {access | trunk}
SW(config-if)# switchport port-security
SW(config-if)# switchport port-security maximum <max>
SW(config-if)# switchport port-security mac-address <h.h.h>
SW(config-if)# switchport port-security mac-address sticky
SW# show port-security interface fa0/0
SW# show port-security address
! Port security is rejected on a dynamic (DTP) port, so set the
! port mode explicitly first.
PORT SECURITY .CONT
• Learning the MAC address can be done with one of the
following options
1. Limit the number of MAC addresses
2. Limit the actual MAC addresses
- Static configuration
- Dynamic learning up to the maximum, lost upon reload
- Dynamic learning up to the maximum, but the switch saves
those entries for use after a reload ("sticky")
- Note that sticky MAC addresses are written to the running
config; the admin still has to save it (write memory) before
a reload, or the learned entries are lost.
PORT SECURITY .CONT
SW(config-if)# switchport port-security violation {protect | restrict | shutdown}
- protect > frames from unknown MACs are dropped silently: no
log message, no violation counter
- restrict > frames are dropped, the violation counter increments
and a syslog message / SNMP trap is sent
- shutdown > frames are dropped, a trap is sent and the port is
shut down (the default mode)
Shutdown puts the port in err-disabled mode, which requires
shut / no shut (or errdisable recovery) to enable it again.
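The three violation modes differ in what happens to the legitimate host after a violation, which the bullets do not spell out. The following Python model is an added example for this page, not code from the course slides or from Cisco IOS: it reduces a secured access port to its secure-address table and replays one constructed sequence (legitimate host, then a second MAC) under each mode. The port name, MAC addresses and the log-line wording are illustrative assumptions.

```python
class SecurePort:
    """One access port with port security. Frames are reduced to their
    source MAC; the violation modes follow the slide above."""

    def __init__(self, name, maximum=1, violation="shutdown", static=(), sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = set(static)   # statically configured secure addresses
        self.sticky_macs = set()         # learned addresses written to running-config
        self.errdisabled = False
        self.violation_count = 0
        self.log = []                    # syslog-style messages (wording is illustrative)

    def ingress(self, src_mac: str) -> bool:
        """Return True if the frame is accepted, False if it is dropped."""
        if self.errdisabled:
            return False                                 # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)                # dynamic learning up to the maximum
            if self.sticky:
                self.sticky_macs.add(src_mac)            # survives a reload only after 'write'
            return True
        # Unknown source MAC beyond the maximum: a violation.
        if self.violation == "protect":
            return False                                 # silent drop, no counter, no log
        self.violation_count += 1
        self.log.append(f"PSECURE_VIOLATION: {src_mac} on {self.name}")
        if self.violation == "shutdown":
            self.errdisabled = True                      # down until shut/no shut or recovery
        return False

    def running_config(self) -> list:
        """Lines a 'write memory' would persist for sticky addresses."""
        return [f" switchport port-security mac-address sticky {m}"
                for m in sorted(self.sticky_macs)]


def demo() -> dict:
    """Constructed scenario: a legitimate host, then a second MAC on the same port."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort("Fa0/1", maximum=1, violation=mode, sticky=True)
        first = p.ingress("0011.2233.4455")      # legitimate host is learned (sticky)
        rogue = p.ingress("00de.adbe.ef00")      # second MAC: violation
        again = p.ingress("0011.2233.4455")      # legitimate host after the violation
        out[mode] = (first, rogue, again, p.errdisabled, p.violation_count, p.running_config())
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Note what the shutdown row shows: one spoofed frame takes the legitimate host down with it, so on ports where a hostile device could inject frames (a passthrough phone, a shared office jack), restrict keeps the real host up while still logging the event.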
DHCP SNOOPING
• A MITM attack can be performed with a rogue DHCP server: the
attacker answers DHCP requests first and hands out its own
address as the default gateway or DNS server.
• DHCP snooping protects against such attacks by allowing all
DHCP messages on trusted ports, but filtering server messages
(OFFER, ACK, NAK) on untrusted ports.
• DHCP clients should only exist behind untrusted ports; trusted
ports are the uplinks toward the real DHCP server.
• The switch builds a binding table (MAC, IP, VLAN, interface,
lease time) from the snooped exchanges; DAI and IP Source
Guard reuse it.
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan <id>
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# ip dhcp snooping limit rate <pps>
SW1(config)# ip dhcp snooping verify mac-address
SW1# ip dhcp snooping binding <MAC> vlan <ID> <IP> interface
<name> expiry <seconds>
DYNAMIC ARP INSPECTION
• Protects against man-in-the-middle attacks based on ARP
poisoning.
• The attacker sends gratuitous ARPs: an ARP reply that nobody
requested, sent to the broadcast address, so every host on the
segment updates its ARP cache with the attacker's MAC for the
spoofed IP (typically the default gateway).
DAI
DAI has the ability to block such inappropriate ARP packets
by the following checks:
1. If the sender IP address was not DHCP-assigned to a device
off that port (no entry in the DHCP snooping binding table),
DAI drops the ARP packet.
2. DAI can use statically defined IP/MAC pairs (an ARP ACL)
for comparison, for hosts with static addresses.
3. DAI can compare the source/destination MAC in the Ethernet
header with the sender/target MAC listed in the ARP body.
4. DAI checks for unexpected IP addresses such as 0.0.0.0,
255.255.255.255 and multicast addresses.
DAI
• DHCP snooping needs to be enabled before configuring DAI, so
that DAI can look at the DHCP-assigned IP addresses.
SW1(config)# ip arp inspection vlan <vlan_range>
SW1(config)# arp access-list PERMIT_HOST
SW1(config-arp-nacl)# permit ip host 192.168.100.1 mac host a.a.a
SW1(config)# ip arp inspection filter PERMIT_HOST vlan <id>
SW1(config)# ip arp inspection validate {src-mac | dst-mac | ip}
SW1(config-if)# ip arp inspection trust
SW1(config-if)# ip arp inspection limit rate <pps>
The default limit on untrusted ports is 15 ARP packets per second;
exceeding it err-disables the port, so an ARP flood cannot
exhaust the switch CPU. Trusted ports (uplinks toward other
switches running DAI) are neither inspected nor rate-limited.
IP SOURCE GUARD
• Adds one more check on top of DHCP snooping, for data packets
rather than ARP.
• Checks the source IP of each received packet against the DHCP
snooping binding for that port; with the port-security keyword
it checks the source MAC as well.
• Configuration is a per-port subcommand
SW1(config-if)# ip verify source
SW2(config-if)# ip verify source port-security
SW2(config)# ip source binding <M.M.M> vlan <ID> <IP> interface
<name>
• The plain form only validates the IP address, so a host can
still send with another MAC and its own IP; the port-security
form ties both together.
COMPARISON
DAI > prevents ARP attacks (spoofed ARP entries)
DHCP snooping > prevents rogue DHCP servers and builds the
binding table the other two features depend on
IP Source Guard > prevents an attacker from spoofing the IP
address (or, with port security, the MAC address) of another host
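The comparison above only makes sense once it is clear that all three features read the same binding table. The following Python model is an added example for this page, not code from the course slides or from Cisco IOS: it builds bindings from a constructed DHCP exchange and then runs the DAI and IP Source Guard checks described on the preceding slides against a legitimate host, an attacker on another port and a statically addressed gateway. Port names, MAC and IP addresses and the message layout are assumptions chosen for the scenario.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry (lease time omitted)."""
    mac: str
    ip: str
    vlan: int
    interface: str


class L2Security:
    def __init__(self, trusted_ports, arp_acl=()):
        self.trusted = set(trusted_ports)    # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.bindings = {}                   # (vlan, mac) -> Binding
        self.pending = {}                    # (vlan, chaddr) -> client port awaiting an ACK
        self.arp_acl = set(arp_acl)          # static (ip, mac) pairs from an ARP access-list

    # --- DHCP snooping ---------------------------------------------------
    def dhcp(self, msg: dict) -> bool:
        """True if the DHCP message is allowed. msg keys: port, vlan,
        type (discover|request|offer|ack), src_mac, chaddr, yiaddr (ack only)."""
        port, vlan, kind = msg["port"], msg["vlan"], msg["type"]
        if kind in ("offer", "ack"):
            if port not in self.trusted:
                return False                 # server message on an untrusted port: rogue server
            if kind == "ack":
                client_port = self.pending.pop((vlan, msg["chaddr"]), None)
                if client_port is not None:  # lease confirmed: add the binding
                    self.bindings[(vlan, msg["chaddr"])] = Binding(
                        msg["chaddr"], msg["yiaddr"], vlan, client_port)
            return True
        if port not in self.trusted and msg["src_mac"] != msg["chaddr"]:
            return False                     # 'ip dhcp snooping verify mac-address'
        self.pending[(vlan, msg["chaddr"])] = port
        return True

    # --- Dynamic ARP Inspection ------------------------------------------
    def arp(self, pkt: dict) -> bool:
        """True if the ARP packet passes DAI. pkt keys: port, vlan,
        src_mac (Ethernet header), sender_mac, sender_ip (ARP body)."""
        if pkt["port"] in self.trusted:
            return True                      # trusted ports are not inspected
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast:
            return False                     # 'validate ip'
        if pkt["src_mac"] != mac:
            return False                     # 'validate src-mac'
        b = self.bindings.get((pkt["vlan"], mac))
        if b is not None and b.ip == ip and b.interface == pkt["port"]:
            return True                      # matches the DHCP snooping binding
        return (ip, mac) in self.arp_acl     # or a static host from the ARP ACL

    # --- IP Source Guard -------------------------------------------------
    def ip_forward(self, pkt: dict, port_security: bool = False) -> bool:
        """'ip verify source' checks the source IP against the binding of the
        ingress port; with port_security=True the source MAC must match too."""
        for b in self.bindings.values():
            if b.vlan == pkt["vlan"] and b.interface == pkt["port"] and b.ip == pkt["src_ip"]:
                return (not port_security) or b.mac == pkt["src_mac"]
        return False


def demo() -> dict:
    """Constructed scenario: client on Fa0/1, DHCP server behind trusted Gi1/0/24,
    attacker on Fa0/2, statically addressed gateway 192.168.100.1 on Fa0/3."""
    client, attacker, gw = "0011.2233.4455", "00de.adbe.ef00", "0000.0000.00aa"
    sec = L2Security(trusted_ports={"Gi1/0/24"}, arp_acl={("192.168.100.1", gw)})
    r = {}
    sec.dhcp({"port": "Fa0/1", "vlan": 10, "type": "discover", "src_mac": client, "chaddr": client})
    r["rogue_offer"] = sec.dhcp({"port": "Fa0/2", "vlan": 10, "type": "offer",
                                 "src_mac": attacker, "chaddr": client})
    sec.dhcp({"port": "Gi1/0/24", "vlan": 10, "type": "ack", "src_mac": "0000.0000.0001",
              "chaddr": client, "yiaddr": "192.168.100.50"})
    r["binding_ip"] = sec.bindings[(10, client)].ip
    good = {"port": "Fa0/1", "vlan": 10, "src_mac": client, "sender_mac": client,
            "sender_ip": "192.168.100.50"}
    r["arp_ok"] = sec.arp(good)
    # gratuitous ARP from the attacker's port claiming the gateway's IP
    r["arp_spoof"] = sec.arp(dict(good, port="Fa0/2", src_mac=attacker,
                                  sender_mac=attacker, sender_ip="192.168.100.1"))
    r["arp_static_gw"] = sec.arp({"port": "Fa0/3", "vlan": 10, "src_mac": gw,
                                  "sender_mac": gw, "sender_ip": "192.168.100.1"})
    r["ipsg_ok"] = sec.ip_forward({"port": "Fa0/1", "vlan": 10, "src_ip": "192.168.100.50", "src_mac": client})
    r["ipsg_spoof_ip"] = sec.ip_forward({"port": "Fa0/2", "vlan": 10, "src_ip": "192.168.100.50", "src_mac": attacker})
    spoof_mac = {"port": "Fa0/1", "vlan": 10, "src_ip": "192.168.100.50", "src_mac": attacker}
    r["ipsg_spoof_mac_ip_only"] = sec.ip_forward(spoof_mac)
    r["ipsg_spoof_mac_port_security"] = sec.ip_forward(spoof_mac, port_security=True)
    return r
```

The two last results are the practical caveat from the IP Source Guard slide: `ip verify source` alone accepts a forged source MAC as long as the IP belongs to that port, and only the port-security form rejects it.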
STORM CONTROL
• Rate-limits Layer 2 traffic
• Can be configured for unicast, multicast and broadcast
• Configured on a per-port basis
• Supported on physical interfaces only, not on port-channels
• Levels are a percentage of bandwidth (or pps / bps), with an
optional falling threshold at which traffic is allowed again
Switch(config-if)# storm-control broadcast level pps 100 50
Switch(config-if)# storm-control multicast level 0.50 0.40
Switch(config-if)# storm-control unicast level 80.0
Switch(config-if)# storm-control action {shutdown | trap}
802.1X AUTHENTICATION
• Performs user/device authentication per port; the port passes
nothing but EAPoL until authentication succeeds.
• Requires the user to supply credentials (username and password,
or a certificate, depending on the EAP method).
• Needs a RADIUS server (the authentication server).
• EAP over LAN (EAPoL) runs between the end point (supplicant)
and the switch (authenticator).
• The switch relays the EAP exchange to the RADIUS server inside
RADIUS packets.
802.1X BASIC CONFIGURATION
# aaa new-model
# aaa authentication dot1x default group radius
# dot1x system-auth-control
# radius-server host <ip> auth-port 1812 acct-port 1813
# radius-server host <ip> auth-port 1645 acct-port 1646
# radius-server key <shared-secret>
# int fa0/0
# dot1x pae authenticator
# authentication port-control {auto | force-unauthorized | force-authorized}
! Use the port pair your RADIUS server listens on: 1812/1813 are the
! IANA-assigned ports, 1645/1646 the legacy pair. The shared secret is
! what authenticates the switch to the server, so use a long random
! value rather than a word like "cisco".
ON WINDOWS
Run the Wired AutoConfig service (dot3svc), then enable IEEE
802.1X on the network adapter's Authentication tab.
VLAN ACL
RACL (Routed Access-List)
• Used for routed traffic only
• Applied to L3 interfaces (SVIs, routed ports)
VACL (VLAN Access-List)
• Used for bridged and routed traffic within a VLAN
• Applied to VLANs, not to an interface or a direction
• Configured similarly to route maps (sequence of match/action)
• Can match IP, IPX or MAC traffic (a MAC ACL alone only matches
Layer 2 headers)
VACL .CONT
Configurable actions
• Forward
• Drop
• Redirect (to another port)
• Capture (on some platforms)
Capture copies the matched traffic to a capture port, which is
used to get all traffic of a specific VLAN on a trunk link to a
monitoring tool without a full SPAN session.
VACL CONFIGURATION
(config)# vlan access-map <map-name> [sequence-number]
(config-access-map)# match ip address {acl-number | acl-name}
(config-access-map)# match ipx address {acl-number | acl-name}
(config-access-map)# match mac address <acl-name>
(config-access-map)# action {drop | forward [capture] | redirect <type> <mod/num>}
!
(config)# vlan filter <map-name> vlan-list <vlan-ids>
PRIVATE VLAN
A PVLAN is actually a combination of two VLANs working
together:
• Primary VLAN: controls IP subnet reachability
• Secondary VLANs: control security within the primary VLAN
Secondary VLANs come in two types:
• Community
• Isolated
SECONDARY VLAN
All members of the same community VLAN:
• Reside in the same IP subnet as the primary VLAN
• Reside in the same L2 broadcast domain and can reach each other
• Cannot access members of other secondary VLANs
All members of the same isolated VLAN:
• Reside in the same IP subnet as the primary VLAN
• Cannot access members of the same isolated VLAN
• Cannot access members of any other secondary VLAN
PRIVATE VLAN
PROMISCUOUS PORT
• PVLAN host members can only reach other hosts within their own
community (isolated hosts reach no other host port at all).
• A configured promiscuous port allows PVLAN hosts to reach
their default gateway and be routed.
• The promiscuous port can be:
- A physical interface leading to a router or multilayer switch
- A switched virtual interface (SVI) on the primary VLAN
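The reachability rules from the secondary VLAN and promiscuous port slides fit in one function, which is a useful way to check a design before cabling it. The following Python model is an added example for this page, not code from the course slides or from Cisco; the port names, VLAN numbers and the five-port topology are assumptions constructed for the illustration, and only Layer 2 reachability inside one primary VLAN is modelled.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str              # "promiscuous" or "host"
    secondary: int = 0     # secondary VLAN a host port is associated with
    kind: str = ""         # "community" or "isolated" for host ports


def can_reach(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports of the same primary VLAN."""
    if a == b:
        return True
    if "promiscuous" in (a.mode, b.mode):
        return True                  # everyone reaches the gateway / shared resource
    if a.secondary != b.secondary:
        return False                 # different secondary VLANs never talk directly
    return a.kind == "community"     # same community: yes; same isolated VLAN: no


def reachability(ports) -> dict:
    """Map each unordered pair of port names to its reachability."""
    return {(a.name, b.name): can_reach(a, b) for a, b in combinations(ports, 2)}


def allowed_pairs(ports) -> list:
    """The pairs that can exchange frames, sorted for stable output."""
    return sorted(pair for pair, ok in reachability(ports).items() if ok)


# Constructed topology in primary VLAN 50: gateway on a promiscuous port, two
# web servers in community VLAN 10, two customer hosts in isolated VLAN 20.
PORTS = [
    PvlanPort("Gi1/0/1", "promiscuous"),
    PvlanPort("Gi1/0/2", "host", 10, "community"),
    PvlanPort("Gi1/0/3", "host", 10, "community"),
    PvlanPort("Gi1/0/4", "host", 20, "isolated"),
    PvlanPort("Gi1/0/5", "host", 20, "isolated"),
]


if __name__ == "__main__":
    for pair, ok in reachability(PORTS).items():
        print(pair, "reachable" if ok else "blocked")
```

The isolation this models is Layer 2 only: the router behind the promiscuous port will still route, or with local proxy ARP even answer ARP for, traffic between two isolated hosts in the same subnet, so a design that relies on PVLANs for host-to-host separation also needs an ACL on the primary VLAN's SVI that denies intra-subnet traffic.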
RESTRICTIONS OF PVLAN
• Switches must be in VTP transparent mode
- VTP version 3 can also carry private VLANs
• Must select unused VLANs for primary and secondary
assignment.
• Private VLAN types and associations must be consistent
across switches if trunking PVLANs.
• EtherChannels must not have any PVLAN configuration
applied.
CONFIGURING PVLAN
! Create secondary PVLAN
(config)# vlan 10
(config-vlan)# private-vlan {community | isolated}
! Configure primary PVLAN
(config)# vlan 50
(config-vlan)# private-vlan primary
(config-vlan)# private-vlan association 10
ASSIGN PVLAN TO HOST
! On the host switchport (primary VLAN first, then secondary)
(config-if)# switchport mode private-vlan host
(config-if)# switchport private-vlan host-association 50 10
CONFIGURE PROMISCUOUS PORT
! On the switchport leading to the common resource
--- If physical port
(config-if)# switchport mode private-vlan promiscuous
(config-if)# switchport private-vlan mapping <primary> <secondary-list>
--- If SVI (interface vlan <primary>)
(config-if)# private-vlan mapping <secondary-list>
PVLAN VERIFICATION
PART 5
Implementing HA
SUPERVISOR ENGINE 7-E
• Optimized for large campus
• 848 Gbps switching capacity
• 4x10G SFP+/SFP uplinks
• 250 Mpps
• Flexible NetFlow
FIBER LINE CARD PORTFOLIO
• High density: WS-X4624-SFP-E (1G), WS-X4712-SFP+E (10G)
• Low density: WS-X4612-SFP-E (1G), WS-X4606-X2-E (10G)
COPPER LINE CARD PORTFOLIO
• 48G per slot: WS-X4748-RJ45-E (data only), WS-X4748-UPOE+E (PoE+)
• 24G per slot: WS-X4648-RJ45-E (data only), WS-X4648-RJ45V+E (PoE+)
SUPERVISOR ENGINE 7L-E
• Optimized for small/mid-size campus
• 520 Gbps (48G/slot)
• 2x10G (SFP/SFP+) or 4x1G SFP uplinks
• 225 Mpps
• Flexible NetFlow
Chassis: 4503-E, 4506-E, 4507R+E, 4510R+E
POWER SUPPLIES
PWR-C45-1300ACV, PWR-C45-2800ACV, PWR-C45-4200ACV, PWR-C45-6000ACV, PWR-C45-9000ACV
SUPERVISOR ENGINE 8-E
• 928 Gbps switching capacity
• UADP ASIC
• 20G wireless capacity (50 APs, 2K clients)
• 8 x 10GE uplinks
THE NEW CATALYST 2960 FAMILY
Feature leadership and Cisco quality at competitive prices: ease of
use, robust security, enhanced lifetime warranty, energy efficiency,
lower TCO
Fast Ethernet models:
• Catalyst 2960-Plus: 1G SFP/BASE-T uplinks, 802.3af PoE, Layer 2,
stand-alone
• Catalyst 2960-SF: 1G SFP uplinks, 40G FlexStack, full PoE / PoE+,
IPv6 FHS, advanced Layer 2, stackable
Gigabit Ethernet models:
• Catalyst 2960-X: 10G/1G SFP+/SFP uplinks, 80G FlexStack+, full
PoE / PoE+, IPv6 FHS, NetFlow Lite, advanced Layer 2, stackable
• Catalyst 2960-XR: 2960-X features plus IP Lite (L3 routing),
redundant PSU, advanced Layer 2/3, stackable and resilient
SUPERVISOR REDUNDANCY
• Supervisor (route processor) redundancy, available in three
modes: RPR, RPR+ and SSO
RPR
• The redundant Sup is partially booted and initialized, technically
in "Standby" mode.
• Any uplinks on the Standby are active and usable.
• Both Supervisors should have the same IOS image, but it is not
required.
• Changes to the startup-config and config-register settings on
the Active are replicated to the Standby.
• Takes a minimum of 2 minutes to complete the switchover
process, because the Standby has to finish booting and reload
the line cards.
• The Sup that boots first is Active.
Switch(config)# redundancy
Switch(config-red)# mode rpr
RPR+
• Both Sups MUST run the same IOS version
• The Standby Sup is fully initialized and configured
• 30-60 second switchover
• Installed modules do not need to be reloaded
• FIB tables are cleared during a switchover, so routed
traffic is temporarily dropped until the routing protocols
reconverge; static routes are maintained.
Switch(config)# redundancy
Switch(config-red)# mode rpr-plus
SSO
• Stateful switchover
• Maintains the FIB, adjacency table and STP state on the Standby,
so forwarding continues through the switchover
• Faster than RPR+: takes 0-3 seconds
• The rest is the same as RPR+
Switch(config)# redundancy
Switch(config-red)# mode sso
Switch# show redundancy states
STACKING "STACKWISE"
• Provides ease of management (one configuration, one management IP)
• Virtual chassis capability
• Adds support for multi-chassis EtherChannel
• Gets the needed port count on a single virtual switch
VSS
• Virtual Switching System
• Applies to high-end Cisco switches, with restrictions
depending on the supervisor engine
• Allows 2 switches to share the same adjacency, FIB and
routing tables; unlike an FHRP, where one gateway takes over
from another, VSS keeps forwarding with near-zero downtime.
FHRP
1. HSRP
HSRP
• Hot Standby Router Protocol
• Cisco proprietary
• Uses UDP port 1985 and multicast address 224.0.0.2
(HSRP version 2 uses 224.0.0.102)
• Two roles: Active and Standby; the highest priority wins,
default 100, ties broken by the highest interface IP address
• MAC address: 0000.0c07.acxx where xx is the group ID in hex
(version 2: 0000.0c9f.fxxx, 12-bit group)
• No preemption by default; when enabled, a preempt delay lets
the routing table converge before the router takes over.
No load sharing within a group, but MHSRP (several groups with
different Active routers) achieves it.
• Hello every 3 seconds, hold time 10 seconds
• Supports plain-text and MD5 authentication
HSRP STATES
• Disabled
• Initial (INIT)
• Learn
• Listen
• Speak
• Standby / Active
CONFIGURING HSRP
• Configuration
Switch(config-if)# standby <group-id> ip <virtual-ip>
Switch(config-if)# standby <group-id> priority <priority>
Switch(config-if)# standby <group-id> preempt [delay minimum <seconds>]
• Verification
Switch# show standby
Switch# show standby brief
HSRP AUTHENTICATION
• Authentication supported
• Plain text (default string "cisco"; visible to anyone sniffing the VLAN)
• MD5
• Plain-text configuration
Sw1(config-if)# standby <group-id> authentication <password>
• MD5 configuration
Sw1(config-if)# standby <group-id> authentication md5 key-string [0|7] <string>
- The MD5 key can also be taken from a key chain
(standby <group-id> authentication md5 key-chain <name>)
• Why it matters: without real authentication any host on the VLAN
can send hellos with a higher priority, become Active and pull the
subnet's traffic through itself. MD5 authentication stops that;
plain text does not, since the string is sent in the clear.
HSRP & TRACKING
• HSRP can track objects (typically interfaces or IP SLA probes)
• If the tracked object fails, the HSRP priority is reduced by a
configurable amount (default 10)
• Configuration
- Create a track object globally
Switch(config)# track 1 interface <if-name> line-protocol
- Reference it in the group
Switch(config-if)# standby 1 track 1 decrement 100
• The decrement only causes a failover if the other router has
preempt enabled; otherwise the Active router keeps its role
with the lower priority.
2. VRRP
VRRP
• Open standard: RFC 5798 (VRRPv3), RFC 3768 (VRRPv2)
• Built-in transport: IP protocol 112
• Multicast address: 224.0.0.18
• The Master router replies to ARP requests for the virtual IP address
• Preemption is enabled by default
• Higher priority wins; the default is 100
• Advertisement every 1 second; the Master down interval is
3 x advertisement + skew time, where skew = (256 - priority) / 256 s,
which gives about 3.6 seconds at priority 100
• MAC address: 0000.5e00.01xx where xx is the group ID (VRID) in hex
• No load sharing within a group; timers should match
• Cisco IOS supports both plain-text and MD5 authentication (the
current RFCs define no authentication; IOS adds it)
CONFIGURING VRRP
• Configuration
Sw1(config-if)# vrrp <group-id> ip <virtual-ip>
Sw1(config-if)# vrrp <group-id> priority <priority>
Sw1(config-if)# vrrp <group-id> authentication text <password>
Sw1(config-if)# vrrp <group-id> authentication md5 key-string <key>
! Authentication can also be based on a key chain
• Verification
Sw1# show vrrp
Sw1# show vrrp brief
CHANGING VRRP TIMERS
• Note that all routers in a VRRP group must use the same
advertisement timer
• VRRP backup routers can learn the timer from the Master, but
not by default
Sw1(config-if)# vrrp <group-id> timers learn
• Configuring the advertisement timer
Sw1(config-if)# vrrp <group-id> timers advertise [msec] <value>
• VRRP hello packets cannot advertise millisecond timers
• So if sub-second timers are configured, they must be configured
on all VRRP routers in the group.
3. GLBP
GLBP
• Gateway Load Balancing Protocol
• Cisco proprietary; supported on higher-end switches
• Provides gateway redundancy AND load balancing per host;
supports object tracking
• The AVG (Active Virtual Gateway) is in charge of determining
host-to-gateway allocations.
• Preemption for the AVG role is off by default (glbp <group>
preempt); preemption for the AVF role is on by default with a
30-second delay.
• Gateways capable of forwarding packets in GLBP are called
AVFs (max of 4 per group; the AVG is also an AVF)
• Hello timer 3 seconds, hold time 10 seconds
AVG & AVF
• The AVG replies to ARP requests sent to the virtual IP, handing
each host one of the AVF virtual MACs (this is how the load is
spread per host)
• Single AVG per group (highest priority, then highest IP)
• The AVG is also an AVF
• Each AVF has a virtual MAC as follows
0007.b4xx.xxyy where xxxx is the GLBP group (0-1023) and yy is
the AVF number (01-04)
• AVFs request their AVF number and virtual MAC from the AVG
HOW GLBP WORKS
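The HSRP, VRRP and GLBP slides each give a virtual MAC format. The following Python functions are an added example for this page, not code from the course slides or from Cisco: they derive the virtual MAC for each protocol from its group number, recognise one when it shows up in a capture or a `show mac address-table` listing, and compute the VRRP Master down interval with its skew time. The function names are mine; the address formats and ranges are the ones stated on the slides.

```python
def hsrp_vmac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.acXX (8-bit group). HSRPv2: 0000.0c9f.fXXX (12-bit group)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP: 0000.5e00.01XX, XX = virtual router ID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP: 0007.b4XX.XXYY, XXXX = group (0-1023), YY = AVF number (1-4)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-1023 and forwarder 1-4")
    return f"0007.b4{group >> 8:02x}.{group & 0xFF:02x}{forwarder:02x}"


def identify_fhrp(mac: str):
    """Inverse direction: return (protocol, group[, forwarder]) for a virtual
    MAC in any common notation, or None for a MAC that is not an FHRP one."""
    m = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(m) != 12:
        return None
    if m.startswith("00000c07ac"):
        return ("HSRPv1", int(m[10:], 16))
    if m.startswith("00000c9ff"):
        return ("HSRPv2", int(m[9:], 16))
    if m.startswith("00005e0001"):
        return ("VRRP", int(m[10:], 16))
    if m.startswith("0007b4"):
        return ("GLBP", int(m[6:10], 16), int(m[10:], 16))
    return None


def vrrp_master_down_interval(priority: int, advert_seconds: float = 1.0) -> float:
    """3 x advertisement interval + skew time, skew = (256 - priority) / 256 s."""
    return 3 * advert_seconds + (256 - priority) / 256


if __name__ == "__main__":
    for mac in (hsrp_vmac(10), hsrp_vmac(300, version=2), vrrp_vmac(1), glbp_vmac(1, 2)):
        print(mac, identify_fhrp(mac))
    print("VRRP master down at priority 100:", vrrp_master_down_interval(100), "s")
```

`identify_fhrp` is the direction a detection engineer uses: one of these well-known MACs learned on an access port, rather than on the uplink toward the distribution switches, is a quick indicator of a rogue or misplaced gateway.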
CONFIGURING GLBP
• Configuration
Sw1(config-if)# glbp <group-id> ip <virtual-ip>
Sw1(config-if)# glbp <group-id> priority <priority>
Sw1(config-if)# glbp <group-id> timers <hello time> <hold time>
• Verification
Sw1# show glbp
Sw1# show glbp brief
GLBP LOAD BALANCE
• Load-balancing algorithms:
• Round-robin (default): each ARP reply hands out the next AVF MAC
• Host-dependent: a given host always receives the same AVF MAC
• Weighted: AVFs are used in proportion to their weighting
• Can be modified using
Sw1(config-if)# glbp <group-id> load-balancing {weighted | round-robin | host-dependent}
CONFIGURE WEIGHTED LOAD BALANCE
Configured on the AVG:
Sw1(config-if)# glbp <group-id> load-balancing weighted
Configured on the AVFs:
Sw1(config-if)# glbp <group-id> weighting <value> lower <value> upper <value>
AVF OBJECT TRACKING
• Every router has a default AVF weight of 100 (configurable
from 1 to 254)
• Below the "lower" threshold, the router can no longer act as an
AVF; it only takes the role back once the weight rises above
the "upper" threshold again.
• Object tracking can be used to dynamically decrement the weight
value if a tracked object fails.
! The same logic as in VRRP and HSRP applies here
! Tracking can be done per interface or per IP SLA instance
CONFIGURE GLBP TIMERS
Configuring hello and hold timers
Sw1(config-if)# glbp <group-id> timers <hello time> <hold time>
More about GLBP
https://cisconinja.wordpress.com/2009/02/11/glbp-weights-load-balancing-and-redirection/
END OF THE SWITCH COURSE
CCNP Switch 300-115 - Course Slides 2016

  • 1. CCNP CISCO CERTIFIED NETWORK PROFESSIONAL AHMED ABDELFATAH CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 2. COURSE INTRO CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 3. COURSE CONTENTS CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 4. SCHEDULE CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com Saturday Monday Wednesday 6 pm : 10 pm Course duration 40 Hours (Switch)
  • 5. LEARNING MATERIAL CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com Cisco official - CCNP Switch 300-115 official Cert Guide Additional Materials - Cisco Switching Black Book - Cisco LAN Switching
  • 6. PART 1 CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com Introduction to Switching
  • 7. CAMPUS NETWORK • an enterprise network consisting of many LANs in one or more buildings, all connected and all usually in the same geographic area • If the Campus has only one LAN then we might Have a performance issue due to the large quantity of nodes in a single broadcast domain. • To eliminate the Performance impact we prefer to divide the big LAN to smaller segments. • The broadcast will be limited from the sourced segment a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 8. CAMPUS NETWORK ELEMENTS • Hierarchy Switching • Bandwidth Capacity Planning • Proper Cabling • Proper Switch choose • VLANs a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 9. HIERARCHY SWITCHING DESIGN • 2 Models offer hierarchy in Network Design - 3 Layers (Core distribution Access) - 2 Layers (Core Access) * The chosen will be based on the size of the network & use case a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 10. 3 LAYERS DESIGN a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 11. 2 LAYERS DESIGN a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 12. ACCESS TO SERVICE a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Type of Network Services - Local - Remote - Enterprise
  • 13. ACCESS LAYER • exists where the end users are connected to the network • provide Layer 2 (VLAN) connectivity between users • Devices in this layer, sometimes called Edges • Lower cost Switches • High port desnity • Security features & QoS features a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 14. ACCESS LAYER • exists where the end users are connected to the network • provide Layer 2 (VLAN) connectivity between users • Devices in this layer, sometimes called Edges • Lower cost Switches • High port desnity • Security features & QoS features a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 15. DISTRIBUTION LAYER • provides interconnection between the campus network’s access and core layers. • Scalable and redundant high-speed links to the core and access layers • High Layer 3 routing throughput for packet handling • Security and policy-based connectivity functions • The distribution layer switches must be capable of processing the total volume of traffic from all the connected devices. • Routing between VLANs occur in this Layer a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 16. CORE LAYER • Core Layer is the Backbone for the campus network • Connect building together • Must have high Layer 3 routing throughput • No Packet manipulation should occur in this Layer (ACLs or Filtering) • High availability a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 17. SWITCH BLOCK • A group of access layer switches, together with their distribution switches. This is also called an access distribution block, named for the two switch layers that it contains. • Core: The campus network’s backbone, which connects all switch blocks. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 18. DISTRIBUTION LAYER SIZING The distribution layer must be sized according to the number of access layer switches that are aggregated or brought into a distribution device. • Traffic types and behavior • Size and number of users connected to access switches ** Because of the dynamic nature of networks, you can size a switch block too large to handle the load that is placed on it. Also, the number of users and applications on a network tends to grow over time. A provision to break up or downsize a switch block might be a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 19. SWITCH BLOCK REDUNDANCY a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Redundant Links L2 stackingRedundant Links L3
  • 20. CORE LAYER SIZING • We the core switch depending on the ability to match the incoming load. • each core switch must handle switching each of its incoming distribution links at 100 percent capacity. • Core Switch can be (Redundant – Multi Node) or even collapsed core “ in small environments” a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 21. ACCESS LAYER SWITCHES a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 - Recommended switches - Most of designs relay on 2960-x - 2960 has two editions (X-XR) - 3650 & 3850 can be used as Distribution - The Switching Capacity is based on higher model so it need to be more investigated
  • 22. CORE – DIST LAYER SWITCHES CCNP R&S Switch 300-115 / ILT Course 2016 - Redundancy can be achieved using the dual supervisors, VSS “different” - Those switches use IOS-XE - 4500R+E is the latest edition of 4500 Series - Recommended IOS software License is (IP BASE or Enterprise Base) a.abdelfatah91@gmail.com
  • 23. IOS – IOSXE – NXOS www.cisco.com/c/en/us/support/docs/switches/catalyst- 4500-series-switches/116470-configure-product-00.html a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 25. PART 1 CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com Switch operation
  • 26. SWITCH a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Layer 2 Switch Is a transparent bridge With multi-ports Switch Relay in Mac address to determine how frame will be forwarded Switch use mac address table for this Purpose
  • 27. SWITCH VS HUB a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 • Switch doesn’t use CSMA-CD anymore • Unlike the HUB switch doesn’t broadcast all frames • The switch broadcast only the following - Explicit Broadcast (ffff.fffff.ffff) - Multicast frame (01xx) - unknown unicast frames
  • 28. LAYER 2 SWITCH OPERATION a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 The following tasks can be described as following :- • one concerned with finding the egress switch port. • two concerned with forwarding policies. • All these decisions are madesimultaneously by independent portions of switching hardware a4
  • 30. BUFFERING - Switch Put the incoming traffic into ingress queue before making the forwarding decision - Switch Put the outgoing traffic into Egress queue after making the forwarding decision - Why buffering? * FCS lookup, MAC lookup - Buffer Size (depend on H.W) – shared <found in Datasheet> - Switch Methods (Store-Forward,Cut-Through,Fragment-Free) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 31. SWITCHING METHODS • The store-and-forward was much higher latency through the switch. Then Cisco came out with "Fragment Free" switching - meaning that the switch would accept the first 64 bytes, evaluate it, then forward it. • By getting at least 64 bytes, the switch could guarantee the the frame was not a runt (runt is a frame < 64bytes, the minimum permissible Ethernet frame size), and could make sure that the addresses were not corrupt. • the catalyst 1924 is set for fragment-free switching which was very old switch. • But presently the switches are operating with Store-and- forward and cut-through switching a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 32. SWITCH FORWARDING METHODS CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 33. STORE & FORWARD CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 34. CUT THROUGH CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 35. SWITCHING METHODS There is no need to configure the switching method. Most of the access switches will support "store-and-forward" Example: Store-and-forward Catalyst 2960 and 2960-S Catalyst 3750-X and 3560-X Cut-through The Cisco Nexus 5000 Series access-layer switch is an example of a low-latency cut-through single-stage fabric implementation a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 36. CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 37. LAYER 3 SWITCH OPERATION • Many Cisco Catalyst switches can also forward frames based on Layers 3 and 4 information contained in packets. This is known as multilayer switching (MLS). • Catalyst switches have supported two generations of MLS:- - route caching (first gen.) - topology based (second gen.) CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 38. LAYER 3 SWITCH OPERATION .CONT CCNP R&S Switch 300-115 / ILT Course 2016 Route Caching Topology Based First generation Second generation Need Route Processor & Switching engine Utlize special H.W , also use RP & SE Known as route-once switch many or Flow based or netflow lan switching Known as CEF switching, the builded DB called FIB RP route first packet – the SE listen and create shortcut for the traffic stream Packets forwarded using the High Line rate SE and checked in the FIB to find the longest much, if L3 information changed the update will occur dynamically a.abdelfatah91@gmail.com
  • 39. LAYER 3 SWITCH OPERATION .CONT • RP is in control plane & SE is in Data Plane • The frame is rewritten when routing occur (L2 frame modified (SRC-DST)– also Layer 3 TTL) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 40. MLS EXCEPTIONS • Data Must be (MLS ready) to be utilized by CEF in multi- layer switch. • (MLS ready) mean packet doesn’t need extra decisions to be forwarded. • CEF can directly forward most IP & IPv6 Traffic. • Packets that (Not-MLS ready) must be process switched • Example of (Not-MLS ready) is - ARP, IP packets require response from router, IP helper functions, routing updates, CDP, Legacy Protocols, Packets need encryption/Natting a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 41. SWITCH TABLES 1. Content-Addressable Memory “mac address table” more about CAM Logic en.wikipedia.org/wiki/Content-addressable_memory 2. Ternary Content-Addressable Memory “ match ACLs & so on” ACLs on Switches? - used in VLAN security or DACL (ISE – CCNP Sec Scope) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 42. CAM TABLE 1. All Catalyst switch models use a CAM table for Layer 2 switching. 2. If a MAC address learned on one switch port has moved to a different port, the MAC address and time stamp are recorded for the most recent arrival port. Then, the previous entry is deleted. 3. Switches generally have large CAM tables so that many addresses can be looked up 4. idle CAM table entries are kept for 300 seconds before they are deleted. 5. By default, MAC addresses are learned dynamically from incoming frames. You also can configure static CAM table entries that contain MAC addresses that might not be learned a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 43. MANAGING CAM • Applied in configuration mode • Modify Aging time mac address-table aging-time seconds • Add static entry mac address-table static mac-address vlan vlan-id interface type mod/num a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 44. MANAGING CAM List for commonly used Show commands # show mac-address table # show mac-address table dynamic interface gi0/0 # show mac-address table size # show mac-address table | include <VLAN-ID> *** # show mac-address table aging-time ** note in older IOS (until 12.1(11)EA1) the key word was mac-address-table a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 45. TCAM TABLE • In traditional routing ACLs contain several ACEs (Access- list entries), the ACEs are evaluated in sequential order, evaluating an ACL can take up additional time and increase delay. • In MLS, all matching process that ACLs provide is implemented in hardware called a TCAM. • In TCAM packet is evaluated against an entire ACL within a single Table lookup. • Most L3 switches has multiple TCAM table to evaluate inbound & outbound traffic simultaneously a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 46. TCAM CONTENT Feature Manager (FM) Switching Database Manager (SDM) After an access list has been created or configured, the Feature Manager software compiles, or merges, the ACEs into entries in the TCAM table. On some Catalyst switch models, the TCAM is partitioned into several areas that support different functions. The SDM software configures or tunes the TCAM partitions, if needed, to provide ample space for specific switching functions. (The TCAM is fixed on Catalyst 4500 and 6500 platforms and cannot be repartitioned.) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 47. TCAM STRUCTURE • TCAM uses a table-lookup operation but is greatly enhanced to allow a more abstract operation. For example, binary values (0s and 1s) make up a key into the table, but a mask value also is used to decide which bits of the key are actually relevant. • This effectively makes a key consisting of three input values: 0, 1, and X (do not care) bit values—a threefold or ternary combination. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 48. TCAM ENTRIES • TCAM entries are composed of Value, Mask, and Result (VMR) combinations. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Value 134-bit, consist of source-dest, protocol come up from the ACE address Mask Also 134-bit, exactly in same Value format, come from ACE mask Result Can be permit-deny, Next Hop, QoS value
  • 49. TCAM VALUE FORMATS a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 50. HOW TCAM BUILD FROM ACL a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 51. TCAM OPERATION – SHOW UTILIZATION a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 52. MANAGE TABLE SIZES a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 53. MANAGE TABLE SIZES Switch(config)# sdm prefer template The are many available tamplates - IPv4 (Default/Access/vlan/routing) - Dual IPv4 –IPv6 (Default/vlan/routing) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 54. IPV4 SDM a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 55. IPV4-IPV6 SDM a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 56. PART 1 CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com Managing Switch Port
  • 57. ETHERNET SPEEDS a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 58. CABLE CATEGORIES 100 M 1G a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 59. FIBER CHANNEL a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 60. SMF VS MMF MMF SMF Multi-mode fiber has a relatively large light carrying core, usually 62.5 microns or larger in diameter. It is usually used for short distance transmissions with LED based fiber optic equipment. Single-mode fiber has a small light carrying core of 8 to 10 microns in diameter. It is normally used for long distance transmissions with laser diode based fiber optic transmission equipment. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 always keep unused connectors covered with the rubber plugs, and do not ever look directly into the connectors.
  • 61. FC – 1G a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Meter = 3.28 feet
  • 62. FC – 1G a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 63. FC – 10G a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 64. FC – 10G a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 66. PORT SPEED & DUPLEX • The link speed is determined by electrical signaling so that either end of a link can deter mine what speed the other end is trying to use. If both ends of the link are configured to auto negotiate, they will use the highest speed that is common to them. • A link’s duplex mode, however, is negotiated through an exchange of information. This means that for one end to successfully autonegotiate the duplex mode, the other end also must be set to autonegotiate. • autonegotiation resides in the physical layer & for twisted pair only a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 67. PORT SPEED & DUPLEX • If duplex auto negotiation fails, a switch port always falls back to its default setting—half-duplex— because it offers the safety of collision detection. • IF ONE END IS FULL & OTHER IS HALF the half-duplex station will detect a collision when both ends transmit; it will back off appropriately. The full-duplex station, however, will assume that it has the right to transmit at any time. It will not stop and wait for any reason • Speed and duplex mode can be configured or negotiated only on switch ports that support twisted-pair cabling. Fixed speed Gigabit and 10-Gigabit Ethernet ports always use full-duplex mode. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 68. HOW AUTO NEGOTIATION OCCUR • LIT or NLP • FLP a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 69. LINK CODE WORD (LCW) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 70. SWITCHPORT # SPEED (10|100|1000|AUTO) # DUPLEX (HALF|FULL|AUTO) # DESCRPTION (TEXT) # SHOW INTERFACE STATUES a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 72. ERR-DISABLE CONFIGURATION • By default, ports put into the errdisable state must be re-enabled manually. This is done by issuing the shutdown command in interface configuration mode, followed by the no shutdown • You can auto-recover the port after specific time using the following Switch(config)# errdisable recovery cause [all | cause-name] errdisable recovery interval seconds a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 73. CDP • automated method for Cisco devices to advertise their existence to other neighboring devices • CDP is a Cisco proprietary protocol • CDP advertisements are sent at the data link layer (Layer 2) • CDP advertisements are sent out every active interface at 60-second intervals , hold time 180 • By Default CDP v2 used and on by default on all cisco switches & routers • CDP v1 is the initial version of CDP used only for neighbor discovery • CDP v2 provide visibility for Native-VLAN, Duplex Missmatching & VTP a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 74. CDP COMMANDS a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Tlv can be app/location/server-location
  • 75. LLDP • based on the IEEE 802.1ab standard. As a result, LLDP works in multivendor networks. • Extensible protocol (include TLVs) • a device can advertise its system name with one TLV, its management address in another TLV, its port description in another TLV, its power requirements in another TLV, and so on. • LLDP also supports additional TLVs that are unique to audio-visual devices such as VoIP phones. The LLDP Media Endpoint Device (LLDP-MED) TLVs carry useful device information like a network policy with VLAN numbers and quality of service information needed for voice traffic, power management, inventory management, and physical location data. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 76. LLDP • LLDP supports the LLDP-MED TLVs by default, but it cannot send both basic and MED TLVs simultaneously on a switch port. Instead, LLDP sends only the basic TLVs to connected devices. If a switch receives LLDP-MED TLVs from a device, it will begin sending LLDP-MED TLVs back to the device. • By default, LLDP is globally disabled on a Catalyst switch. To see if it is currently running or not, use the show lldp command. You can enable or disable LLDP with the lldp run and no lldp run global configuration commands, respectively. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 77. LLDP VS CDP • LLDP is standards-based so devices from different vendors can discover each other. Switches that use LLDP can also collect detailed location information from connected devices. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 78. CDP & LLDP TLV a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 79. POE Many device support POE Include • IP-Phones • Access Points • IP Cams a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 80. POE METHODS a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 Cisco Property include :- UPOE & ILP
  • 81. HOW POE WORK ? • A switch always keeps the power disabled when a switch port is down; however, the switch must continually try to detect whether a powered device is connected to a port. • The switch begins by supplying a small voltage across the transmit and receive pairs of the copper twisted-pair connection. • It then can measure the resistance across the pairs to detect whether current is being drawn by the device. For example, if a 25K ohm resistance is measured, a powered device is indeed present. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 82. HOW POE WORK ? • The switch also can apply several predetermined voltages to test for corresponding resistance values. • These values are applied by the powered device to indicate which of the five PoE power classes it belongs to. Knowing this, the switch can begin allocating the appropriate maximum power needed by the device. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 83. HOW POE WORK ? • The switch also can apply several predetermined voltages to test for corresponding resistance values. • These values are applied by the powered device to indicate which of the five PoE power classes it belongs to. Knowing this, the switch can begin allocating the appropriate maximum power needed by the device. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 84. HOW POE WORK ? • The default class 0 is used if either the switch or the powered device does not support or does not attempt the optional power class discovery. Class 4 represents the highest power range (up to 30W) that can be offered to a device. • If additional power is needed, the device can inform the switch through CDP or LLDP advertisements and request up to the full 30W allowed for PoE class 4. • On a Catalyst switch that can support the Cisco proprietary UPoE feature, a powered device can request more than 30W of power. The device can use special TLVs with either CDP or LLDP to request UPoE up to a maximum of 60W. At press time, only the Catalyst 4500 offers UPoE. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 85. CONFIGURATION & VERIFICATION Switch(config-if)# power inline {auto | static} [max milliwatts] note 1000 mean 1W Switch1# show power inline Module Available Used Remaining (Watts) (Watts) (Watts) ------ --------- -------- --------- 1 710.0 110.4 599.6 Switch1# show power inline gigabitethernet1/0/5 detail a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 86. DHCP (SUPPORT IP-PHONE) ! IP DHCP POOL (VLAN_10) NETWORK 10.10.10.0 /24 DNS 10.10.100.100 10.10.100.101 DEFAULT-ROUTER 10.10.0.254 NTP 10.10.100.100 OPTION 150 IP 10.10.100.254 DOMAIN-NAME ALEX.COM LEASE 0 8 0 ! a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 87. HELPER ADDRESS a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016 INTERFACE VLAN 10 IP HELPER-ADDRESS (DHCP SERVER)
  • 88. PART 2 CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com VLANs
  • 89. WHAT IS VLAN CCNP R&S Switch 300-115 / ILT Course 2016 1. VLAN is a logical partition of a Layer 2 Network 2. You can partition Layer 2 as many as you need using it 3. Partitioning occur inside the Layer 2 Device (Switch) 4. Each VLAN has it own broadcast domain and its own IP network 5. Hosts inside the VLAN are unaware of the VLAN’s existence a.abdelfatah91@gmail.com
  • 90. VLAN BENEFITS • Separate Broadcast domain • Provide better security • Provide Hierarchical Subnet usage CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 91. CONFIGURING VLAN You have two ways to configure VLAN 1. From the VLAN Database / Privilege Exec Mode ! SW# vlan database SW(vlan)# vlan 21 !vlan creation through database may not be supported on specific platform of Cisco Switches (old-way) 2. From the Configuration Mode ! SW(Config)# vlan 21 ! CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 92. VERIFY VLAN CREATED • Use command ( # show vlan brief ) you can define name for VLAN by using (Name command) CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 93. JOIN PORT TO VLAN • By default all switch ports are joined to VLAN 1 • After create vlan and verify it’s created use the following command to join specific port to this vlan ! Switch(config)# int fa0/0 Switch(conf-if)# Switchport mode access Switch(conf-if)# Switchport access vlan 22 ! Optionally you can add description below each interface to tell you then port connected to which device Switch(conf-if)# Description (TO_PC_1) CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 94. ACCESS PORT • Switchport statically assigned to VLAN • This port is assigned only to single vlan • Connected with end host (PC-ROUTER-PRINTER) not switch • Example # switchport mode access # switchport access vlan 14 • How to know if it static access CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
  • 95. VERIFY INTERFACE • You need to verify if switch already joined vlan or not , you may do it through the command # show vlan brief • Or you can use more specific command like # show interface <type/number> switchport CCNP R&S Switch 300-115 / ILT Course 2016 a.abdelfatah91@gmail.com
• 96. EXTENDING VLAN
- A VLAN can span two or more switches.
- For members of the same VLAN on different switches to communicate, the uplink between the switches must carry more than one VLAN.
- Carrying more than one data VLAN on an uplink is called trunking.

• 97. TRUNKING
- A trunk can carry two or more VLANs.
- Frames are tagged with their VLAN ID so the receiving switch knows which VLAN each frame belongs to.
- Used between switches (and to routers, servers or access points that understand tags), because each switch may have several VLANs whose users must talk to each other.
- Adding the VLAN ID requires modifying the Layer 2 frame.
- How the frame is modified depends on the trunking protocol in use: ISL or IEEE 802.1Q.

• 98. PART 2: Trunking

• 99. FRAME TYPES (figure)

• 100. ISL
- Inter-Switch Link, Cisco proprietary (Cisco switches only).
- Not supported on newer switches (2960-X and later).
- Encapsulates the whole original Ethernet frame inside a 26-byte header and a 4-byte trailer (adds overhead to every frame).
- Both ends of the link must use ISL.

• 101. ISL
- ISL is no longer supported across all Cisco Catalyst switch platforms.
- ISL adds 30 bytes: a standard Ethernet frame carrying a 1500-byte IPv4 packet is 1518 bytes (18 bytes of header and FCS), so with ISL it becomes 1548 bytes.
- Catalyst switches that support ISL use hardware able to accommodate these giant frames.

• 102. 802.1Q
- Open IEEE standard.
- All traffic except the native VLAN is sent with an 802.1Q tag inserted into the frame.
- Supports a native VLAN: frames received untagged are placed in the native VLAN. A frame tagged with a VLAN that is not allowed on the trunk is dropped; it is not moved into the native VLAN.
- 802.1Q inserts a 4-byte header right after the source MAC address; it contains the Tag field that carries the VLAN ID.

• 103. 802.1Q
- This method is referred to as single tagging or internal tagging: the tag sits inside the original frame instead of encapsulating it.
- In an Ethernet frame, 802.1Q adds a 4-byte (32-bit) tag just after the Source Address field.
- The first two bytes are the Tag Protocol Identifier (TPID) and always have the value 0x8100 to signify an 802.1Q tag.
- The remaining two bytes are the Tag Control Information (TCI): a 3-bit Priority field used to implement class of service (CoS), a 1-bit CFI/DEI bit, and the 12-bit VLAN ID.

• 104. 802.1Q
- The last 12 bits of the TCI are the VLAN identifier (VID), which indicates the source VLAN of the frame.
- The VID can have values from 0 to 4095; 0 and 4095 are reserved (a VID of 0 means "priority tag only, no VLAN"), and 1 is the default VLAN, which cannot be deleted.
- The 4-byte tag raises the maximum frame size to 1522 bytes; Catalyst switches comply with IEEE 802.3ac, which allows a maximum frame size of 1522 bytes.

• 105. CONFIGURE TRUNK
! ISL (only on platforms that still support it)
sw(config)# interface fa0/1
sw(config-if)# switchport trunk encapsulation isl
sw(config-if)# switchport mode trunk
! 802.1Q
sw(config)# interface fa0/1
sw(config-if)# switchport trunk encapsulation dot1q
sw(config-if)# switchport mode trunk
! On switches that support only 802.1Q (2960 family) the encapsulation command does not exist; switchport mode trunk is enough.
• 106. ALLOW SPECIFIC VLAN ON TRUNK
sw(config)# interface fa0/1
sw(config-if)# switchport trunk allowed vlan 1,10,20,30
sw(config-if)# switchport trunk allowed vlan add 40
! Without the add keyword, the second command would replace the whole list with VLAN 40 only.

• 107. ALLOW SPECIFIC VLANS
Options of switchport trunk allowed vlan:
- vlan-list: an explicit list of VLAN numbers, separated by commas or dashes.
- all: all active VLANs (1 to 4094) are allowed.
- add vlan-list: the listed VLANs are added to the already configured list (saves retyping a long list).
- except vlan-list: all VLANs (1 to 4094) are allowed except the ones listed.
- remove vlan-list: the listed VLANs are removed from the already configured list.

• 108. VERIFY THE TRUNK
- Use show interfaces trunk: it lists, per trunk, the mode, the encapsulation, the native VLAN, the allowed VLANs, the VLANs that are active, and the VLANs actually forwarding (not pruned).

• 109. VLAN TYPES
1. Default VLAN
2. Data VLAN
3. Management VLAN
4. Voice VLAN
5. Guest VLAN
6. Native VLAN

• 110. NATIVE VLAN
- Exists only with IEEE 802.1Q encapsulation.
- A frame received without a tag is treated as native VLAN traffic.
- Must match on both ends of the trunk.
- The native VLAN is 1 by default.
- Frames received untagged remain untagged and are forwarded in the native VLAN.
- CDP messages are sent untagged, so they travel in the native VLAN.

• 111. NATIVE VLAN
- Handles untagged traffic only. A frame tagged with a VLAN that is not allowed on the trunk is dropped, not placed in the native VLAN.
- Must match between the two switches. CDP reports a mismatch (%CDP-4-NATIVE_VLAN_MISMATCH) and PVST+ blocks the port with a PVID inconsistency until it is fixed.
- # switchport trunk native vlan <ID>
- Practice: move the native VLAN to an unused VLAN that has no access ports, never let it equal a user VLAN, and consider vlan dot1q tag native (global, both ends) so that even native VLAN frames leave the trunk tagged. A native VLAN that is also a user VLAN is what makes double-tagging VLAN hopping possible.
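Slides 105 to 111 as one hardened trunk configuration. This is an added example written for this page, not the course's own configuration; the interface, the VLAN IDs, the VLAN names and the choice of 999 as the unused native VLAN are assumed values.

```cisco
! Added example: explicit 802.1Q trunk with a restricted VLAN list and a
! dedicated, unused native VLAN. Gi0/1, VLANs 10/20/30 and 999 are assumed.
Switch(config)# vlan 999
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description UPLINK_TO_DIST1
! On platforms that still support ISL the encapsulation must be fixed
! before the mode; on 2960-class switches the command does not exist.
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! Only the VLANs that actually need to cross this link. 999 is included so
! the native VLAN is consistent on both ends but it has no access ports.
Switch(config-if)# switchport trunk allowed vlan 10,20,30,999
Switch(config-if)# switchport trunk native vlan 999
! Static trunk, no DTP frames: the far end must be configured the same way.
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit
! Optional: tag the native VLAN as well, so nothing leaves the trunk
! untagged. Global command, must be enabled on both switches.
Switch(config)# vlan dot1q tag native
Switch(config)# end
!
! Expect Gi0/1 with Mode "on", Encapsulation "802.1q", Native vlan 999,
! and "Vlans allowed on trunk" 10,20,30,999.
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport
```

Repeat the same commands on the neighbour before checking show interfaces trunk: a trunk with nonegotiate on one side and dynamic auto on the other will not come up, which is the intended failure when someone plugs an unmanaged switch into that port.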
• 112. SWITCH PORT TYPES
A switch port can be one of the following:
- Access port
- Trunk port
- Dynamic port

• 113. DYNAMIC INTERFACE
- Becomes access or trunk depending on the DTP negotiation result.
- The default mode of a switch port (dynamic auto on current Catalyst platforms, dynamic desirable on some older ones).
- The dynamic mode has two options:
- Dynamic Auto: prefers to be access; becomes a trunk only if the other side asks for it.
- Dynamic Desirable: prefers to be a trunk and actively asks the other side.
- You disable dynamic behaviour by making the port static access or static trunk; add switchport nonegotiate so that no DTP frames are sent at all. A user-facing port left in dynamic mode lets anything that speaks DTP turn it into a trunk and reach every allowed VLAN.

• 114. DTP & TRUNK (figure)

• 115. PORT NEGOTIATION OPTIONS (figure)

• 116. DTP
- Works only between switches (Cisco proprietary).
- DTP frames carry the VTP domain name, so the two switches must be in the same VTP domain or no trunk is negotiated.
- If the VTP domains do not match, configure the trunk statically (switchport mode trunk) and disable negotiation (switchport nonegotiate).
- By default the VTP domain name is NULL.
- DTP frames are sent every 30 seconds to keep the neighbouring switch port informed of the link's mode.
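What the negotiation table on slides 113 to 116 produces for the usual mode pairs, followed by a user-facing port in the risky default beside the corrected version. This is an added example for this page, not course material; the interface names and VLAN ID are assumed, and the result column states DTP behaviour the page describes (auto never initiates, desirable does).

```cisco
! Added example: DTP outcomes and how to remove DTP from an edge port.
! Interfaces fa0/2 and VLAN 22 are assumed values.
!
! Side A                            Side B                          Result
! switchport mode dynamic auto      switchport mode dynamic auto    access
! switchport mode dynamic auto      switchport mode dynamic desirable trunk
! switchport mode dynamic desirable switchport mode dynamic desirable trunk
! switchport mode trunk             switchport mode dynamic auto    trunk
! switchport mode access            switchport mode dynamic desirable access
! switchport mode trunk             switchport mode access          mismatch
!                                    (A forwards tagged, B untagged: broken)
!
! Weak: user port left at the platform default. A device that sends DTP
! "desirable" frames on this port is granted a trunk to all allowed VLANs.
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode dynamic auto
!
! Corrected: static access and no DTP at all. "nonegotiate" is rejected
! while the port is still in a dynamic mode, so set the mode first.
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 22
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
!
! Verification: "Negotiation of Trunking: Off" is the line that proves DTP
! is silenced; with "mode access" alone it still reads "On".
Switch# show interfaces FastEthernet0/2 switchport
Switch# show dtp interface FastEthernet0/2
```

The table is worth memorising for the other direction too: an uplink meant to be a trunk that shows "access" in show interfaces trunk usually means both ends were left in dynamic auto, and neither side ever asked.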
• 117. DTP WIRESHARK (capture figure)

• 118. VOICE VLAN (figure)

• 119. VOICE VLAN (figure)

• 120. VOICE VLAN CONFIG
!
SW(config)# interface fa0/1
SW(config-if)# switchport mode access
SW(config-if)# switchport access vlan 100
SW(config-if)# switchport voice vlan 10
!
Note: the voice VLAN must already exist in the VLAN database.

• 121. VOICE VLAN
- Uses a special link type (a multi-VLAN access port) that carries the data VLAN untagged and the voice VLAN 802.1Q-tagged over the same port.
- Requires CDP: the switch tells the phone which VLAN to tag voice traffic with through its CDP advertisement, so CDP must stay enabled on the port. No trunk negotiation (DTP) is needed; the port remains an access port.
- Various options control how the voice VLAN works:
Switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}
- vlan-id: phone tags voice frames with this VLAN ID.
- dot1p: phone tags voice frames with VLAN 0 and a CoS value (priority tag only).
- untagged: phone sends voice frames untagged.
- none: switch gives the phone no instruction; the phone uses its own configuration.
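Slides 120 and 121 as a complete phone-facing port, including the two verification commands that show the phone actually learned the voice VLAN. This is an added example written for this page, not the course's configuration; the VLAN IDs, VLAN names, interface and description are assumed values.

```cisco
! Added example: access port for an IP phone with a PC behind it.
! VLAN 100 (data), VLAN 10 (voice) and fa0/3 are assumed values.
Switch(config)# vlan 100
Switch(config-vlan)# name DATA
Switch(config-vlan)# vlan 10
Switch(config-vlan)# name VOICE
Switch(config-vlan)# exit
Switch(config)# interface FastEthernet0/3
Switch(config-if)# description IP_PHONE_AND_PC
! switchport host = mode access + PortFast + no EtherChannel. It does not
! stop DTP frames, so nonegotiate is still added explicitly below.
Switch(config-if)# switchport host
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 10
Switch(config-if)# switchport nonegotiate
! The phone learns "voice VLAN 10" from CDP; never disable CDP here even
! if it is disabled on the rest of the edge ports.
Switch(config-if)# cdp enable
Switch(config-if)# end
!
! Expect "Access Mode VLAN: 100 (DATA)" and "Voice VLAN: 10 (VOICE)".
Switch# show interfaces FastEthernet0/3 switchport
! The phone appears as a CDP neighbour; its entry shows the VLAN it uses.
Switch# show cdp neighbors FastEthernet0/3 detail
! Both VLANs must show fa0/3 as forwarding, otherwise the phone or the PC
! is cut off even though the port is up.
Switch# show spanning-tree interface FastEthernet0/3
```

The PC behind the phone is still a normal untagged host in VLAN 100; only the phone tags, and it does so for exactly one VLAN, which is why no trunk is involved.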
• 122. VOICE VLAN (figure)

• 123. VERIFY VOICE VLAN (figure)

• 124. VERIFY VOICE VLAN & ACCESS VLAN & STP (figure)

• 125. TOKEN RING – FDDI VLAN
- VLANs 1002 to 1005 are reserved for legacy Token Ring and FDDI; they always exist in the VLAN database and cannot be deleted or assigned to Ethernet ports.

• 126. RESERVED FOR INTERNAL FUNCTIONS (figure)

• 127. VLAN ALLOCATION POLICY
- When you create a routed port (no switchport) IOS allocates an internal VLAN to connect that port to the switching fabric and the control plane. An SVI uses its own VLAN number and needs no internal VLAN.
- By default internal VLANs are taken in ascending order starting at 1006.
- You can change this to descending order starting at 4094:
# vlan internal allocation policy descending
- Do this before you create extended-range VLANs by hand, so the VLANs you want (1006 upward) are not already taken by routed ports.
- Verify with show vlan internal usage, which lists each internal VLAN and the routed port that consumed it.
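A routed port that consumes an internal VLAN, the policy change, and the command that shows the allocation. This is an added example for this page, not from the course; the interface and address are assumed values.

```cisco
! Added example: see which VLAN IDs the switch takes for itself.
! Gi0/24 and 10.0.0.1/30 are assumed values.
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.1 255.255.255.252
Switch(config-if)# no shutdown
Switch(config-if)# exit
! With the default (ascending) policy this routed port grabbed VLAN 1006,
! so "vlan 1006" in configuration would now fail with a conflict error.
Switch(config)# vlan internal allocation policy descending
Switch(config)# end
!
! Lists every internal VLAN and what consumed it, e.g. "GigabitEthernet0/24".
! The new policy applies to future allocations; to move an existing one,
! shut/no shut the routed port or reload.
Switch# show vlan internal usage
```

Extended VLANs (1006 to 4094) are only available in VTP transparent mode (v1/v2) or VTPv3, which is why this policy matters more once the campus moves to VTPv3.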
• 128. DELETE VLAN (figure)
- Deleting a VLAN leaves the ports that were assigned to it inactive until they are moved to another VLAN.

• 129. VERIFY VLAN (figure)

• 130. VERIFY VLAN INFO (figure)

• 131. REMEMBER!
- A VLAN can be created in 3 ways:
- vlan <VLAN-ID> in global configuration mode
- vlan database (legacy VLAN database mode)
- switchport access vlan <VLAN-ID> on an interface, which creates the VLAN automatically if it does not exist (server or transparent mode only)

• 132. VLAN INTERFACE
- VLAN: a Layer 2 broadcast domain.
- VLAN interface (SVI): a Layer 3 interface with an IP address inside that VLAN.
- Different usage: the VLAN carries frames, the SVI routes for them.
!
interface vlan 100
 ip address 1.1.1.1 255.255.255.0
 no shutdown
!
- The SVI comes up only when VLAN 100 exists and at least one port in VLAN 100 is up (or the trunk carrying it is up).

• 133. SHOW INTERFACE (figure)

• 134. VERIFY ACCESS PORT (figure)

• 135. VERIFY TRUNK PORT (figure)

• 136. WIRELESS VLAN
Cisco APs can operate in one of two modes:
- Autonomous mode: the AP operates independently and maps VLANs to WLANs one-to-one; its switch port is a trunk carrying those VLANs.
- Lightweight mode: the AP must join and cooperate with a wireless LAN controller located elsewhere on the network. The AP maps each of its WLANs to a VLAN that terminates on the controller; all VLAN-WLAN traffic is encapsulated and carried over a tunnel between the AP and the controller, so the AP's switch port is an access port.

• 137. STAND-ALONE AP (figure)

• 138. LW ACCESS POINT
- Lightweight APs are sometimes called controller-based APs.

• 139. INTER-VLAN ROUTING (topic also covered in CCNAX 200-120)

• 140. HOW TO CONNECT TWO VLANS: OPTION 1
1. One router, one switch, one physical link from the switch to the router per VLAN; each router interface has an IP address in its VLAN.
2. Not an ideal solution: it consumes one router port per VLAN.
3. Port density on routers is very limited.

• 141. CONFIGURATION (figure: switch configuration and router configuration)

• 142. ROUTER ON A STICK: OPTION 2
1. One router, one switch, one link from the switch to the router; the switch uplink is in trunk mode, the router's physical port is enabled without an address, and one sub-interface is created per VLAN.
2. Each sub-interface is in a different subnet; the sub-interface IP is the default gateway for that VLAN.
3. This option removes the physical limit on router ports; the single link is now the bandwidth limit, since every inter-VLAN packet crosses it twice.

• 143. ROUTER ON A STICK: CONFIGURATION (figure)
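The router-on-a-stick from slides 142 and 143, both sides. This is an added example written for this page, not the course's configuration; the VLAN IDs, subnets, interface names and the choice of VLAN 999 as native are assumed values.

```cisco
! Added example: router-on-a-stick. VLANs 10/20, VLAN 999 as unused native,
! 192.168.10.0/24 and 192.168.20.0/24, Gi0/1 (switch) and Gi0/0 (router)
! are all assumed values.
!
! --- Switch ---
Switch(config)# vlan 10
Switch(config-vlan)# name USERS
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description TO_ROUTER
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20,999
! The router does not speak DTP, so the trunk must be static anyway.
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
!
! --- Router ---
Router(config)# interface GigabitEthernet0/0
Router(config-if)# description TO_SWITCH_TRUNK
Router(config-if)# no ip address
Router(config-if)# no shutdown
Router(config-if)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
! Native VLAN must match the switch. This subinterface receives anything
! that arrives untagged; it is left without an address on purpose so that
! untagged traffic has nowhere to go.
Router(config-subif)# interface GigabitEthernet0/0.999
Router(config-subif)# encapsulation dot1Q 999 native
Router(config-subif)# end
!
! Verification: VLAN-to-subinterface mapping on the router, interface
! state, and the switch's view of the trunk.
Router# show vlans
Router# show ip interface brief
Switch# show interfaces trunk
```

Hosts in VLAN 10 use 192.168.10.1 as their gateway and hosts in VLAN 20 use 192.168.20.1; a ping from one to the other crosses Gi0/0 tagged 10 inbound and tagged 20 outbound.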
• 144. USING A MULTILAYER SWITCH: OPTION 3
1. A switch only, one that supports Layer 3 routing (a multilayer switch, MLS).
2. On the MLS create all VLANs, then create an interface vlan for each to associate a Layer 3 interface with that broadcast domain.
3. The interface vlan is also called an SVI (switched virtual interface); each SVI has an IP address in its VLAN, and that IP is the users' default gateway.
4. This option removes the need for a packet to travel to an external router and back to the switch for ordinary inter-VLAN communication.

• 145. MULTILAYER SWITCH
- Large campuses usually use the 4500 or 6500 series to route between VLANs at the distribution or core layer.
- For small and medium business the 3750, 3850 and 3650 series are sufficient.
(figure: Catalyst 3850, 3750, 3650, 6500, 4500, 4500-X)

• 146. CONFIGURATION
!
ip routing
!
vlan 10
vlan 20
!
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
- ip routing is off by default on many multilayer switches; without it the SVIs get addresses but the switch does not forward between them.

• 147. VERIFY ROUTING
You can test that routing works with the following methods:
- Ping utility. The PC sends an ICMP echo and the destination replies with an ICMP echo reply:
cmd> ping x.x.x.x
Reply from x.x.x.x: bytes=32 time=17ms TTL=58
- Trace-route utility. Each line is one hop; the first hop is the gateway SVI:
cmd> tracert x.x.x.x
  1     2 ms     1 ms     3 ms  192.168.1.1 [192.168.1.1]
  2    65 ms    32 ms    32 ms  x.x.x.x

• 148. PART 2: VTP

• 149. ABOUT VTP
- Simplifies adding and creating VLANs across many switches.
- Organised in a management domain; switches in the same management domain exchange VTP advertisements with each other.
- Operates over trunk links only.
- Switches running VTP store the VLAN data in the vlan.dat file in flash.
- VTP is enabled by default on Cisco switches.

• 150. VTP MODES (figure)
- A domain can contain more than one server.
- In transparent mode the VLAN configuration is also saved in the running-config.

• 151. VTP
- VTP relies on a configuration revision number to track the state of the VLAN database.
- The configuration revision number is a 32-bit number.
- VTP is on by default; the default mode is server and the domain name is NULL, as is the password (VTP works without a password).
- VTP uses the destination multicast MAC address 01-00-0C-CC-CC-CC, which is also used by CDP, DTP, PAgP and UDLD.
- The revision number is reset by changing the domain name or by setting the mode to transparent.

• 152. SWITCH DEFAULT VTP (figure)

• 153. VTP ADVERTISEMENTS
- A VTP-enabled switch sends VTP messages to exchange VLAN information with other switches in the domain.
- Cisco switches support three versions of VTP; the versions are not fully backward compatible.
- By default switches run VTP version 1.
- VTP v1 and v2 support VLANs 1 to 1005.
- VTP v3 supports normal-range and extended-range VLANs.

• 154. VTP ADVERTISEMENT
VTP advertisements usually originate from server mode switches as VLAN configuration changes occur and are announced. Advertisements can also originate as requests from client mode switches that want to learn the VTP database as they boot. A VTP advertisement is one of the following:
1. Summary advertisement
2. Subset advertisement
3. Advertisement request from a client

• 155. SUMMARY ADVERTISEMENT
- VTP domain servers send summary advertisements every 300 seconds and every time a VLAN database change occurs.
- It lists information about the management domain, including the VTP version, the domain name, the configuration revision number, an MD5 hash of the database, and the number of subset advertisements to follow.
- For VLAN configuration changes, summary advertisements are followed by one or more subset advertisements carrying the detailed VLAN configuration data.

• 156. SUMMARY ADVERTISEMENT (figure)

• 157. SUBSET ADVERTISEMENT
- VLANs are listed individually in sequential subset advertisements.

• 158. ADVERTISEMENT REQUEST FROM A CLIENT
- A VTP client can request any VLAN information it lacks. For example, a client switch might be reset and have its VLAN database cleared, its VTP domain membership might be changed, or it might hear a VTP summary advertisement with a higher revision number than it currently has.
- The server responds with a summary advertisement followed by subset advertisements.

• 159. VTP SYNCHRONIZATION
The VTP revision number is stored in NVRAM and is not altered by a power cycle of the switch; therefore the revision number can be reset to 0 only by one of the following methods:
1. Change the switch's VTP mode to transparent and then change the mode back to server (or client).
2. Change the switch's VTP domain to a bogus name (a nonexistent VTP domain) and then change the VTP domain back to the original name.

• 160. VTP SYNCHRONIZATION
- Any switch, client included, with a higher revision number than the server overwrites the VLAN database on the servers. The mode does not protect you; only the revision number, domain name and password are compared.
- When a switch's trunk comes up it sends a summary advertisement. A neighbour that sees a higher revision than its own requests the database, and the switch with the higher revision answers with subset advertisements that replace the neighbour's VLANs, which then propagate through the whole domain.
- Before connecting a reused switch, delete its vlan.dat file and make sure its configuration revision number is zero.
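The check and reset procedure from slides 159 and 160, run on a switch before its trunk is cabled into production. This is an added example written for this page, not course material; the hostname, domain name and password are assumed values.

```cisco
! Added example: bring a reused switch into a VTP domain without letting a
! stale, high-revision database overwrite production VLANs.
! "NewSwitch", domain CAMPUS and the password are assumed values.
!
! 1. Inspect BEFORE cabling any trunk. Look at "Configuration Revision":
!    anything above 0 on a Server or Client in the production domain name
!    (with a matching password, or no password on both) will win.
NewSwitch# show vtp status
!
! 2. Force the revision back to 0: transparent and back.
NewSwitch(config)# vtp mode transparent
NewSwitch(config)# vtp mode client
!    The same effect by the domain-name method:
!    NewSwitch(config)# vtp domain BOGUS
!    NewSwitch(config)# vtp domain CAMPUS
!
! 3. Join the real domain as a client with the password.
NewSwitch(config)# vtp domain CAMPUS
NewSwitch(config)# vtp password S3cr3t-vtp
NewSwitch(config)# end
!
! 4. Verify: revision 0, mode Client, domain CAMPUS, password set.
NewSwitch# show vtp status
NewSwitch# show vtp password
!
! 5. Belt and braces for a switch of unknown history: remove the VLAN
!    database file and reload, so nothing learned elsewhere survives.
NewSwitch# delete flash:vlan.dat
NewSwitch# reload
```

Step 2 is the one that matters: a switch that is merely set to client mode still carries its old revision, and a client with revision 37 will erase a server sitting at revision 12 the moment the trunk comes up.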
• 161. VTP VERSION 2 (figure)

• 162. VTP VERSION 3
- Supports extended VLANs (1006 to 4094).
- Propagates private VLANs.
- Propagates the Multiple Spanning Tree (MST) configuration.
- Supports flagging VLANs as RSPAN (disables MAC learning on the VLAN).
- Fixes the bane of VTP v1/v2: the accidental high-configuration-revision-wipes-out-your-network issue, because only an elected primary server may change the database.
- VTP can be turned off completely, as opposed to just transparent mode.
- Supports hidden passwords.
- VTP can be enabled or disabled per port (excluded from some trunks).

• 163. VTP VERSION 3
- Use the vtp command under an interface to enable VTP on it, and no vtp to disable VTP on that trunk.
VTPv3 operation modes:
- Server: stores VLANs in permanent local storage (vlan.dat); only the primary server may change the database.
- Client: stores VLANs in temporary local storage and asks the server for the database.
- Transparent: stores VLANs in permanent local storage, does not apply advertisements but forwards them.
- Off: stores VLANs in permanent local storage and drops all advertisements.

• 164. HIGHER REVISION NUMBER ISSUE (figure)

• 165. VTP MODE OFF
- The big difference between disabling VTP and using transparent mode is that in off mode the switch does not even pass VTP messages; it deliberately filters them. This is the mode for an administrative boundary, such as a trunk between two organisations or carriers.
- Transparent, server and client modes still exist in VTPv3.
- Recommended mode for the unknown feature (VLAN types the switch does not understand): off or transparent.

• 166. VTPv3 & MST
- MST itself is covered later, in the STP part.
- VTPv3 runs a separate instance (server, client or transparent) per feature: VLANs, MST and unknown.
- Feature VLANs: VLANs 1 to 4094. Feature MST: the MST instance-to-VLAN mapping.
- Default mode for the VLAN feature is server; for MST and unknown it is transparent.

• 167. VTPv3 & MST CONFIGURATION
SW-1
---------------
conf t
spanning-tree mode mst
spanning-tree mst configuration
 revision 1
 name Region_1
 instance 1 vlan 10,20
!
vtp version 3
vtp mode server mst
!
do vtp primary mst

SW-2
---------------
conf t
spanning-tree mode mst
!
vtp version 3
vtp mode client mst
! the region name, revision and instance mapping arrive from SW-1 via VTP

VERIFICATION (on SW-2)
---------------
show spanning-tree mst configuration
Name      [Region_1]
Revision  1     Instances configured 2
Instance  Vlans mapped
--------  ----------------------------
0         1-9,11-19,21-4094
1         10,20
--------------------------------------

• 168. RSPAN & VTP
The purpose here is to tell all switches in the forwarding path of the remote SPAN session not to learn MAC addresses on that VLAN.
SW1(config)# vlan 150
SW1(config-vlan)# remote-span
SW2# show vlan remote-span
Remote SPAN VLANs
-------------------------------------------------------
150

• 169. VTPv3 MESSAGE SECURITY
- VTP relies on an MD5 hash of the domain name, password and database to detect tampering or false insertion of VLAN information in the domain. Without a password anyone with a trunk can inject a valid update.
- vtp password <PASS>: the password is stored in clear text in the configuration and in vlan.dat; service password-encryption only hides it in the configuration.
- vtp password <PASS> hidden: the password is stored only as a hash in both places. VTPv3 only.

• 170. VTP CONFIGURATION
VTP version 1 or 2:
Switch# configure terminal
Switch(config)# vtp version 2
Switch(config)# vtp mode server
Switch(config)# vtp domain cisco
Switch(config)# vtp password mypassword
VTP version 3:
Switch(config)# vtp domain cisco
Switch(config)# vtp version 3
Switch(config)# vtp mode server
Switch(config)# vtp password mypassword hidden
Switch(config)# end
Switch# vtp primary vlan
- The domain name must be set before vtp version 3 is accepted; version 3 refuses a NULL domain.
- vtp primary is an EXEC command; it promotes this server to primary for the named feature (vlan, mst) or for all features if none is given.
- The secret keyword of vtp password takes an already hashed password (as displayed by show vtp password on another switch) instead of the clear text.
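Slides 162 to 170 as one VTPv3 deployment: a server that becomes primary, a client, the hidden password, and the trunk at the administrative boundary with VTP removed. This is an added example written for this page, not the course's own; the hostnames, domain name, password and interface are assumed values.

```cisco
! Added example: VTPv3 domain with hidden password, one primary server,
! one client, and no VTP on the boundary trunk.
! SW1/SW2, domain CAMPUS, the password and Gi0/24 are assumed values.
!
! --- SW1: server, will be promoted to primary ---
! Domain first: version 3 is refused while the domain name is NULL.
SW1(config)# vtp domain CAMPUS
SW1(config)# vtp version 3
! Mode without a feature keyword applies to the VLAN feature.
SW1(config)# vtp mode server
! Stored as a hash in running-config and vlan.dat; no clear text anywhere.
SW1(config)# vtp password S3cr3t-vtp hidden
! Gi0/24 leads to another organisation: carry VLANs, but no VTP.
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# no vtp
SW1(config-if)# end
! EXEC command, asks for confirmation. Until a primary exists no VTPv3
! server can change the VLAN database, which is the v1/v2 takeover fix.
SW1# vtp primary vlan
!
! --- SW2: client ---
SW2(config)# vtp domain CAMPUS
SW2(config)# vtp version 3
SW2(config)# vtp mode client
SW2(config)# vtp password S3cr3t-vtp hidden
SW2(config)# end
!
! --- Verification ---
! Expect "VTP version running: 3", "Primary ID" = SW1's base MAC and
! "Primary Description" = SW1, the same on both switches.
SW1# show vtp status
SW2# show vtp status
! Expect "VTP Password: ... (hidden)" rather than the clear text.
SW1# show vtp password
! Lists every VTPv3 device seen in the domain, with its revision.
SW1# show vtp devices
! Confirms VTP is off on Gi0/24 only.
SW1# show vtp interface
```

A second server can be added with the same commands; it stays secondary and merely relays until someone runs vtp primary on it, at which point SW1 is demoted and the change is logged on every switch in the domain.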
• 171. VERIFY VTP (figure)

• 172. VTP PRUNING (figure: flooding without pruning versus with pruning enabled)

• 173. VTP PRUNING
- VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic. Broadcast, multicast and unknown unicast frames of a VLAN are forwarded over a trunk link only if the switch on the receiving end of the trunk has ports in that VLAN.
- VTP pruning is an extension of VTP version 1 using an additional VTP message type. When a Catalyst switch has a port associated with a VLAN, it advertises to its neighbours that it has active ports in that VLAN. The neighbours keep this information and use it to decide whether flooded traffic from a VLAN should be sent over the trunk.

• 174. VTP PRUNING
- Even when VTP pruning has determined that a VLAN is not needed on a trunk, an instance of the Spanning Tree Protocol (STP) still runs for every VLAN that is allowed on the trunk. To reduce the number of STP instances, manually prune unneeded VLANs from the trunk and allow only the ones needed:
# switchport trunk allowed vlan

• 175. VTP PRUNING CONSIDERATIONS
- VTP pruning has no effect on switches in VTP transparent mode; those switches must be pruned manually with switchport trunk allowed vlan.
- By default VLANs 2 to 1001 are eligible for pruning.
- VLAN 1 is never eligible for pruning because it is used for control traffic and is the default access VLAN on switch ports.
- VLANs 1002 to 1005 are reserved for Token Ring and FDDI and are never eligible for pruning.

• 176. SHOW INTERFACE SWITCHPORT (figure)

• 177. CONFIGURE PRUNING
# vtp pruning (global, on the server; propagates to the domain)
- All general-purpose VLANs (2 to 1001) become eligible for pruning.
- Modify the VLANs eligible for pruning on a trunk with:
switchport trunk pruning vlan {{{add | except | remove} vlan-list} | none}

• 178. IMPORTANT NOTE ABOUT VTP
- VTP works without a password.
- A switch whose domain name is still NULL adopts the domain name from the first VTP advertisement it receives on a trunk, and if no password is configured on either side it then accepts that domain's VLAN database.
- So configuring VTP on one switch is enough for the domain name, the version and the VLAN database to replicate to every default-configured switch in the tree as soon as the configuration revision number increases.
- Treat an unpassworded VTP domain as writable by anyone who obtains a trunk.

• 179. COMPATIBILITY
Sent by   | Received by V1 | Received by V2 | Received by V3
V1        | Y              | Y*             | X
V2        | Y*             | Y              | X
V3        | X              | Y** (client)   | Y
- VTP version 2 updates switches running version 1 by changing their version to 2.
- VTP version 1 updates switches running version 2 by changing their version to 1.
- A VTPv3 server can talk to a VTPv2 switch only for the VLAN feature and only with the v2 switch acting as a client.

• 180. DEBUG VTP
# debug sw-vlan vtp

• 181. PART 3: STP Basics

• 182. BASICS OF STP
- STP is a loop prevention mechanism.
- A bridging loop forms between switches when redundant paths let frames circulate endlessly.
- STP protects the switched network against bridging loops.
- STP is relevant wherever there are redundant links and multiple switches.
- A form of STP is enabled by default on Cisco switches.
- Standardised by the IEEE: 802.1D (STP), 802.1w (Rapid STP) and 802.1s (Multiple STP).
- Cisco adds two proprietary per-VLAN variants: PVST+ and Rapid PVST+.

• 183. HOW STP WORKS
- STP computes a tree structure that spans all switches in a network segment.
- Redundant paths are placed in a blocking or standby state to prevent frame forwarding; the switched network is then loop free.
- If a forwarding port fails or is disconnected, the spanning-tree algorithm recomputes the topology so that the appropriate blocked links are reactivated.
- Switches exchange messages called BPDUs to discover redundant links and build the loop-free tree.

• 184. THE STP BPDU
- A switch sends a BPDU out a port using the unique MAC address of that port as the source address.
- BPDUs are sent to the well-known STP multicast destination address 01-80-C2-00-00-00.
- Two BPDU types: configuration BPDU and topology change notification (TCN) BPDU.

• 185. STP BPDU (figure)

• 186. STP TIMERS (figure)

• 187. STP TIMERS
- The timer values should never be changed from the defaults without careful consideration.
- The values should be changed only on the root bridge, because the timers are advertised in fields of the BPDU.
- The default timers (Hello 2 s, Forward Delay 15 s, Max Age 20 s) are sized for a network diameter of 7 switches from end to end; a hello BPDU is sent every 2 seconds.

• 188. PORT STATES
- 802.1D STP port states: Disabled > Blocking > Listening > Learning > Forwarding.
- Worst-case convergence: Max Age (20 s) + Listening (15 s) + Learning (15 s) = 50 seconds.
• 189. STP COMPUTATION (figure)

• 190. STP WORKFLOW (figure)

• 191. STP: ROOT BRIDGE ELECTION
- The root bridge is elected from the information carried in BPDUs: the lowest bridge ID (priority, then MAC address) wins.

• 192. STP: ROOT BRIDGE ELECTION
- Every switch begins by sending BPDUs with a root bridge ID equal to its own bridge ID and a sender bridge ID that is also its own.
- After a root bridge is decided, configuration BPDUs are originated only by the root bridge.
- All other bridges forward or relay those BPDUs, replacing the sender bridge ID with their own.

• 193. STP: ROOT BRIDGE ELECTION
- If a new switch with a lower bridge priority powers up, it begins advertising itself as the root bridge. Because it really does have a lower bridge ID, all switches soon reconsider and record it as the new root.
- The same happens if the new switch has a bridge priority equal to that of the existing root but a lower MAC address.
- This is why the root must be set deliberately (see the priority and macro slides): a newly racked or rogue switch with a low MAC address silently becomes the root otherwise.

• 194. STP: ROOT BRIDGE ELECTION (figure)

• 195. ELECTING THE ROOT PORT
- STP uses the concept of cost to decide many things. Selecting a root port involves evaluating the root path cost.
- The root path cost is the cumulative cost of all the links leading to the root bridge.
- The root path cost is carried inside the BPDU and incremented by the receiving port's cost.
- The higher the bandwidth of a link, the lower its cost.

• 196. DEFAULT COSTS
Link speed  | Original 802.1D cost (1000 / Mbps) | Revised (short) cost
10 Mbps     | 100                                 | 100
100 Mbps    | 10                                  | 19
1 Gbps      | 1                                   | 4
10 Gbps     | 1                                   | 2
- The original formula stopped scaling at 1 Gbps, so the revised nonlinear values are used by default; the long method (20,000,000,000,000 / bandwidth) is used in 802.1w/802.1s when enabled.

• 197. CALCULATE ROOT PATH COST (figure)

• 198. CONFIGURING COST
# interface fa0/1
# spanning-tree cost <1-200000000>
- Or change the speed of the interface; the default cost follows the negotiated speed.

• 199. PORT PRIORITY
- If a switch has two ports with an equal root path cost and the same sender bridge ID, the port that receives the lowest sender port ID becomes the root port.
# spanning-tree port-priority <0-240, in steps of 16>
- The default port priority is 128; the port ID is priority plus interface number. It is evaluated by the neighbour facing the configured interface.

• 200. TOPOLOGY CHANGE BPDU (figure)

• 201. TCN FLOW
- A topology change occurs when a switch either moves a port into the Forwarding state or moves a port from the Forwarding or Learning state into the Blocking state.
- The TCN BPDU carries no data about the change; it only informs recipients that a change has occurred.
- The switch sends the TCN BPDU out its root port so that, ultimately, the root bridge receives the news.
- The switch does not send a TCN BPDU if the port that changed has PortFast enabled.
- The switch resends the TCN every hello interval until it hears an acknowledgment.

• 202. TCN FLOW
- Upstream neighbours that receive the TCN BPDU propagate it toward the root bridge and send their own acknowledgment back.
- When the root bridge receives the TCN BPDU, it also sends an acknowledgment.
- The root bridge then sets the Topology Change flag in its configuration BPDU, which is relayed to every other bridge in the network.
- Other bridges shorten their bridge table aging time from the default (300 seconds) to the forward delay value (default 15 seconds) so stale MAC entries are flushed quickly.

• 203. TYPES OF TOPOLOGY CHANGE
1. Direct: a link on the switch itself fails physically; the switch reacts immediately.
2. Indirect: a link fails elsewhere in the tree, so the switch only notices when BPDUs stop arriving and Max Age expires (slow convergence).
3. Insignificant: a port to a PC goes up or down; it changes nothing in the tree but still generates a TCN and flushes MAC tables everywhere unless PortFast is enabled (very bad on a busy edge).

• 204. DIRECT CHANGE (figure)

• 205. INDIRECT CHANGE (figure)

• 206. INSIGNIFICANT CHANGE (figure)

• 207. STP (figure; the images above are from the packetlife.com blog)

• 208. STP TYPES (figure)
- When a switch runs 10 VLANs with PVST+, 10 PVST+ instances are created in addition to the single CST instance used with non-Cisco 802.1Q neighbours.

• 209. PART 3: STP Configuration

• 210. STP OPERATION
- By default STP runs on all ports of the switch, one instance per VLAN.
- An STP instance can be disabled for specific VLANs with no spanning-tree vlan <VLAN-ID>.
- This command is global; there is no supported way to turn STP off on a single port other than the BPDU filtering features.
- Do not disable STP: a single redundant cable or a mis-patched access switch then creates a loop that nothing stops.

• 211. ELECTING THE ROOT BRIDGE
A Catalyst switch can use one of two formats for its STP bridge ID: the original 16-bit priority plus 48-bit MAC, or the extended system ID format (4-bit priority in multiples of 4096 plus 12-bit VLAN ID plus MAC).
- If the switch cannot support 1024 unique MAC addresses for its own use, the extended system ID is always enabled by default.

• 212. SETTING THE BRIDGE PRIORITY
Switch(config)# spanning-tree vlan vlan-list priority bridge-priority
- With the extended system ID the priority must be a multiple of 4096 (0 to 61440); the value shown in show spanning-tree is priority + VLAN ID.

• 213. STP MACRO (PRIMARY & SECONDARY)
- A macro is a command on the switch that executes several other commands.
Switch(config)# spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]
- Use the primary keyword to make the switch attempt to become the root bridge. The macro sets the switch's bridge priority to a value lower than the current root's priority.
- If the current root's priority is higher than 24,576, the switch sets its priority to 24,576.

• 214. STP MACRO (PRIMARY & SECONDARY)
- If the current root's priority is already 24,576 or lower, the switch sets its priority 4,096 lower than the current root.
- If the current root is already so low that the macro cannot undercut it, the command fails; the only option is to set the priority manually to 0.
- The secondary keyword sets the priority to the fixed value 28,672 without looking at the current root.
- The macro computes the value once and writes a plain priority into the configuration; it does not keep re-evaluating if a lower-priority switch appears later.
  • 215. TUNING STP COST • Tuning the Root Path Cost ! Can be done on interface level ! STP use the cost of Egress Port Can be configured using #spanning-tree cost (1-200,000,000) a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 216. TUNING PORT-ID • a 16-bit quantity: 8 bits for the port priority, and 8 bits for the port number. • default to 128 for all ports • ports that are bundled into an EtherChannel or port channel interface always have a higher port ID than they would if they were not bundled. • Port Priority can influence the decision from the upstream switch • Port Priority can be configured per-vlan a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
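To make the election rules of slides 211 to 216 concrete, here is an added Python example (not part of the course material) that builds extended-system-ID bridge IDs, elects the root bridge, and picks each switch's root port by root path cost, sender bridge ID and the 8+8-bit port ID described on the slide; the topology and MAC addresses are constructed.

```python
"""STP root-bridge and root-port election as described on the slides above:
bridge ID = bridge priority + extended system ID (VLAN) + MAC, root path cost,
then sender bridge ID and sender/receiver port ID as tie-breakers.
Added example; the topology and MAC addresses are constructed."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                 # constructed, Cisco dotted format
    priority: int = 32768    # default bridge priority


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int                # STP cost of the ports on both ends of the link


def bridge_id(sw: Switch, vlan: int) -> Tuple[int, str]:
    """Extended-system-ID format: 4-bit priority (multiple of 4096) + 12-bit
    VLAN number, followed by the MAC address. The lower value wins."""
    if sw.priority % 4096 or not 0 <= sw.priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return (sw.priority + vlan, sw.mac.lower())


def port_id(port_number: int, port_priority: int = 128) -> int:
    """16-bit port ID as the slide describes it: 8 bits of priority (default
    128) in the high byte, 8 bits of port number in the low byte."""
    if not (0 <= port_priority <= 255 and 0 <= port_number <= 255):
        raise ValueError("port priority and port number are 8-bit values")
    return (port_priority << 8) | port_number


def elect_root(switches: Dict[str, Switch], vlan: int) -> str:
    return min(switches.values(), key=lambda s: bridge_id(s, vlan)).name


def root_path_costs(switches: Dict[str, Switch], links: List[Link], root: str) -> Dict[str, int]:
    """Lowest accumulated path cost from every switch to the root (Dijkstra)."""
    adj: Dict[str, List[Tuple[str, int]]] = {n: [] for n in switches}
    for l in links:
        adj[l.a].append((l.b, l.cost))
        adj[l.b].append((l.a, l.cost))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, lc in adj[n]:
            if c + lc < cost.get(m, float("inf")):
                cost[m] = c + lc
                heapq.heappush(heap, (c + lc, m))
    return cost


def root_port(switches: Dict[str, Switch], links: List[Link], vlan: int, name: str,
              port_priorities: Optional[Dict[Tuple[str, int], int]] = None) -> Optional[int]:
    """Root port of `name`: the port receiving the best BPDU, compared by
    (root path cost, sender bridge ID, sender port ID, receiver port ID).
    port_priorities maps (switch, port) -> a non-default port priority."""
    pp = port_priorities or {}
    root = elect_root(switches, vlan)
    if name == root:
        return None                       # the root bridge has no root port
    rpc = root_path_costs(switches, links, root)
    best = None
    for l in links:
        ends = ((l.a, l.a_port, l.b, l.b_port), (l.b, l.b_port, l.a, l.a_port))
        for me, my_port, nb, nb_port in ends:
            if me != name:
                continue
            key = (rpc[nb] + l.cost,
                   bridge_id(switches[nb], vlan),
                   port_id(nb_port, pp.get((nb, nb_port), 128)),
                   port_id(my_port, pp.get((me, my_port), 128)))
            if best is None or key < best[0]:
                best = (key, my_port)
    return best[1]


# Constructed topology: SW1 has two equal-cost Gigabit uplinks to SW2 (which
# was given 'spanning-tree vlan 10 priority 24576') and a FastEthernet link to SW3.
SWITCHES = {s.name: s for s in (
    Switch("SW1", "0000.0000.1111"),
    Switch("SW2", "0000.0000.2222", priority=24576),
    Switch("SW3", "0000.0000.3333"),
)}
LINKS = [
    Link("SW1", 1, "SW2", 1, cost=4),
    Link("SW1", 3, "SW2", 3, cost=4),    # parallel to the first uplink
    Link("SW2", 2, "SW3", 1, cost=4),
    Link("SW1", 2, "SW3", 2, cost=19),
]

if __name__ == "__main__":
    print("root bridge:", elect_root(SWITCHES, 10))
    print("SW1 root port:", root_port(SWITCHES, LINKS, 10, "SW1"))
    # Raising the port priority on the upstream switch's port 1 steers SW1 to port 3.
    print("SW1 root port with port-priority 144 on SW2 port 1:",
          root_port(SWITCHES, LINKS, 10, "SW1", {("SW2", 1): 144}))
```

With the two parallel uplinks tied on cost and sender bridge ID, the sender's port ID decides, which is why changing the port priority on SW2 (the upstream switch) moves SW1's root port.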
• 217. TUNING STP TIMERS
  • The timers need to be modified only on the root bridge, because the root bridge propagates all three timer values throughout the network as fields in the configuration BPDU.
  • Hello can be 1-10 seconds, Forward Delay 4-30 seconds, Max Age 6-40 seconds.
  • The default timers are calculated for a network diameter of 7 switches.
• 218. TUNING STP CONVERGENCE
  • PortFast: enables fast connectivity to be established on access-layer switch ports to workstations that are booting.
  • UplinkFast: enables fast uplink failover on an access-layer switch when dual uplinks are connected into the distribution layer.
  • BackboneFast: enables fast convergence in the network backbone or core-layer switches after a spanning-tree topology change occurs.
• 219. PORTFAST
  • By default, PortFast is disabled on all switch ports.
  • PortFast can be configured as a global default, which affects all ports in access mode.
  • No TCN message is sent when a link with PortFast enabled fails.
  • It should be enabled only on links between a switch and an endpoint.
  Switch(config)# spanning-tree portfast default
  Switch(config-if)# switchport host
  Switch# show spanning-tree vlan 5 interface e0/0 portfast
• 220. UPLINKFAST
  • UplinkFast keeps a record of all parallel paths to the root bridge; it cannot be enabled on the root bridge.
  • All uplink ports but one are kept in the Blocking state.
  • If the root port fails, the uplink with the next-lowest root path cost is unblocked and used without delay.
  • UplinkFast is only allowed on leaf-node (access) switches; for this reason the bridge priority is raised to 49,152 and the port cost is incremented by 3000.
• 221. UPLINKFAST (CONT.)
  • UplinkFast makes it easy for the local switch to update its bridging table of MAC addresses to point to the new uplink.
  • UplinkFast also provides a mechanism for the local switch to notify upstream switches that stations downstream (or within the access layer) can be reached over the newly activated uplink.
  • The switch accomplishes this by sending dummy multicast frames to destination 0100.0ccd.cdcd on behalf of the stations contained in its CAM table. The source MAC of each frame is the MAC address of a station listed in the CAM.
• 222. UPLINKFAST (CONT.)
  • These multicast frames are sent at a rate specified by the max-update-rate parameter, in packets per second.
  • The default is 150 packets per second; the range is 0-65535.
  • A value of 0 means that no dummy multicast frames are sent.
  • UplinkFast works well to mitigate the direct change case.
• 223. VERIFY UPLINKFAST
• 224. BACKBONEFAST
  • BackboneFast helps in the indirect change case.
  • If a designated switch loses the link to the root switch, it declares itself the root bridge.
  • When another switch receives the new BPDU (called an inferior BPDU, because it originated from the designated switch), the default behavior is to wait until Max Age expires before discarding the stored superior BPDU.
  • BackboneFast saves time by enabling faster convergence of the root port.
• 225. BACKBONEFAST & RLQ
  • If the local switch has blocked ports, BackboneFast begins sending Root Link Query (RLQ) messages to check whether the upstream switches still have stable connections to the root bridge.
  • If an RLQ reply is received on a non-root port, the Max Age timer on the original root port is expired immediately to allow faster convergence.
  • BackboneFast should be enabled on all switches:
  Switch(config)# spanning-tree backbonefast
• 226. VERIFY BACKBONEFAST
• 227. MONITOR STP (show spanning-tree detail)
• 228. SHOW SPANNING-TREE VLAN 1 SUMMARY
• 229. SHOW SPANNING-TREE ROOT
• 230. PART 3: STP Protection
• 231. PORT TYPES
  • Root port: the one port on a switch that is closest (lowest root path cost) to the root bridge.
  • Designated port: the port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
  • Blocking port: ports that are neither root nor designated ports.
  • Alternate port: ports that are candidate root ports.
  • Forwarding port: ports where no other STP activity is detected or expected. These are ports with normal end-user connections.
• 232. ROOT GUARD
  • Enabled on ports toward the access layer.
  • If a superior BPDU is received, the port is blocked (put in the root-inconsistent state) until the superior BPDUs stop arriving.
  • Root Guard designates that a port can only forward or relay BPDUs.
  • Enabled per interface: spanning-tree guard root
  • Verify with: show spanning-tree inconsistentports
• 233. BPDU GUARD
  • PortFast does not disable STP on the port.
  • A bridging loop could occur if another switch is connected.
  • BPDU Guard detects a switch connected to a PortFast port.
  • BPDU Guard prevents loops caused by a connected switch, but not loops caused by a connected hub.
  • BPDU Guard acts on received BPDUs: a PortFast port that receives one is put into the err-disabled state.
  • Enabled per port or as the default.
• 234. BPDU FILTER
  • BPDU Filter effectively disables STP on the switchport.
  • BPDU Filter stops both sending and receiving BPDUs.
  Switch(config)# spanning-tree portfast bpdufilter default
  Switch(config-if)# spanning-tree bpdufilter {enable | disable}
  • Enabled per port or as the default.
• 235. LOOP GUARD
  • Case: a switch has chosen a root port and an alternate port. If BPDUs stop arriving on the root port because of a software problem while the link stays up, then (because of UplinkFast) the alternate port becomes the root port, which causes a loop.
  • Fix: Loop Guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is allowed to behave normally. When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state.
• 236. LOOP GUARD
  • Enabled globally or per switch port.
  • Applies to copper and fiber ports.
  • Loop Guard works per VLAN.
  • Protects against problems caused by software issues.
  • Enable:
  Switch(config)# spanning-tree loopguard default   (global)
  Switch(config-if)# spanning-tree guard loop   (per interface)
• 237. UDLD
• 238. UDLD
  • Cisco proprietary.
  • UDLD interactively monitors a port to see whether the link is truly bidirectional.
  • A switch sends special Layer 2 UDLD frames identifying its switch port at regular intervals. UDLD expects the far-end switch to echo those frames back across the same link, with the far-end switch port's identification added.
• 239. UDLD (CONT.)
  • A port disabled by UDLD aggressive mode can be re-enabled with: udld reset
• 240. CONFIGURE UDLD
  • Enable globally:
  Switch(config)# udld {enable | aggressive | message time seconds}
  • The global command affects only fiber ports. The default message time is 7 seconds; it can be set between 1 and 90 seconds.
  • The default UDLD message interval differs among Catalyst switch platforms. Although two neighbors might have mismatched message time values, UDLD still works correctly, because each neighbor simply echoes UDLD messages back as they are received, without knowledge of its neighbor's own time interval.
  • Enable per port:
  Switch(config-if)# udld {enable | aggressive | disable}
• 241. LOOP GUARD VS UDLD
• 242. SUMMARY
• 243. SUMMARY
  • BPDU Guard
  • BPDU Filter
  • PortFast
  • UplinkFast
  • BackboneFast
  • Loop Guard
  • Unidirectional Link Detection (UDLD)
• 244. COMMANDS
• 245. COMMANDS
• 246. PART 3: Rapid STP
• 247. RAPID STP
  • RSTP is defined in IEEE 802.1w and 802.1D-2004.
  • RSTP port roles are as follows:
    - Root port: the port that has the best root path cost to the root; the root bridge has no root ports.
• 248. RAPID STP
    - Designated port: the port that sends the best BPDU on the segment.
    - Alternate port: a port that has an alternative path to the root, different from the path the root port takes. This path is less desirable than that of the root port.
• 249. RAPID STP
    - Backup port: a port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. If that common segment is lost, the switch might or might not have a path back to the root.
• 250. RAPID STP PORT STATES
  • Discarding: incoming frames are simply dropped; no MAC addresses are learned.
  • Learning: incoming frames are dropped, but MAC addresses are learned.
  • Forwarding: incoming frames are forwarded according to MAC addresses that have been (and are being) learned.
• 251. RSTP BPDU
  • STP 802.1D (version 0): in 802.1D, BPDUs basically originate from the root bridge and are relayed by all switches down through the tree. Because of this propagation of BPDUs, 802.1D convergence must wait for steady-state conditions before proceeding.
  • RSTP uses 802.1D BPDUs for backward compatibility; depending on the BPDU version received, the port operates accordingly.
• 252. RSTP CONVERGENCE
  • A switch can detect a neighbor failure in three Hello intervals (default 6 seconds), versus the Max Age timer interval (default 20 seconds) for 802.1D.
  • Unlike STP, an RSTP-enabled switch participates in the election depending on the port type.
  • The port type can be: Edge; Point-to-Point (connected to a switch, full duplex); Root port.
• 253. RSTP SYNC
  • For each nonedge port, the switch exchanges a proposal-agreement handshake to decide the state of each end of the link. Each switch assumes that its port should become the designated port for the segment, and a proposal message (a configuration BPDU) is sent to the neighbor suggesting this.
• 254. SYNC PROCESS
  When a switch receives a proposal, the following occurs:
  1. If the sender has the superior BPDU, the receiving port becomes the new root port.
  2. Before agreeing, the switch must first synchronize itself.
  3. All nonedge ports are immediately moved into the discarding state.
  4. The switch sends an agreement message to tell the neighbor that its own ports are currently in the process of synchronizing.
• 255. SYNC PROCESS (CONT.)
  5. The root port moves to the forwarding state.
  6. On all nonedge ports the switch sends a proposal to the neighbor.
  7. An agreement is expected to be received on all nonedge ports.
  8. After receiving the agreement, the nonedge ports move to the forwarding state.
  ** It is recommended to use PortFast.
• 256. RSTP CONVERGENCE
• 257. TOPOLOGY CHANGE IN RSTP
  1. RSTP detects a topology change only when a nonedge port transitions to the Forwarding state.
  2. When a topology change is detected, a switch must propagate news of the change to other switches in the network.
  3. BPDUs with their TC bit set are sent out all the nonedge designated ports.
  4. All MAC addresses associated with the nonedge designated ports are flushed from the CAM table.
  5. All neighboring switches that receive the TC messages must also flush the MAC addresses learned on all ports except the one that received the TC message.
• 258. RSTP CONFIGURATION
  • Configure a port as Edge:
  Switch(config-if)# spanning-tree portfast
  • Configure a port as Point-to-Point (needed if it is half duplex), per interface:
  Switch(config-if)# spanning-tree link-type point-to-point
  • If a port is shared (because it is half duplex), this slows down the convergence process.
• 259. RAPID-PVST+
  • To enable Rapid-PVST+:
  Switch(config)# spanning-tree mode rapid-pvst
  • Timers: Hello 2, Max Age 20, Forward Delay 15.
  • Port states: Discarding, Learning, Forwarding.
• 260. PART 3: MST
• 261. MST OVERVIEW
  1. MST is built on the concept of mapping one or more VLANs to a single STP instance.
  2. Defined as IEEE standard 802.1s, 802.1Q-2003.
  3. MST rules are based on Rapid STP.
  4. MST reduces the number of STP instances running, which effectively reduces the load on the switches, unlike PVST+.
• 262. ABOUT MST
  • Like VTP, bridges running MST must have certain compatible parameters:
    - MST region name
    - MST revision number (not dynamic)
    - VLAN-to-instance mapping (configuration digest)
  • All VLANs are mapped to instance 0 by default.
  • Creating separate STP topologies involves tuning STP variables (cost, priority, etc.) per instance, not per VLAN.
• 263. MST REGIONS
  • MST is different from 802.1Q and PVST+, although it can interoperate with them. If a switch is configured to use MST, it somehow must figure out which of its neighbors are using which type of STP.
  • This is done by configuring switches into common MST regions, where every switch in a region runs MST with compatible parameters.
  • Within the region, all switches must run the same instance of MST.
• 264. MST REGIONS
  • A single MST region must match the following:
    ■ MST configuration name (32 characters)
    ■ MST configuration revision number (0 to 65535)
    ■ MST instance-to-VLAN mapping table (4096 entries)
  • The entire MST instance-to-VLAN mapping table is not sent in the BPDUs, because the instance mappings must be configured on each switch. Instead, a digest, or hash code computed from the table contents, is sent.
• 265. STP WITHIN MST
  • MST was designed to interoperate with all other forms of STP. Therefore, it also must support STP instances from each STP type.
  • An Internal Spanning Tree (IST) instance runs to work out a loop-free topology between the links where CST meets the region boundary and all switches inside the region.
  • The IST presents the entire region as a single virtual bridge to the CST outside. BPDUs are exchanged at the region boundary only over the native VLAN of trunks, as if a single CST were in operation.
• 266. STP WITHIN MST
  • The actual MST instances (MSTIs) exist alongside the IST. Cisco supports a maximum of 16 MSTIs in each region. The IST always exists as MSTI number 0, leaving MSTIs 1 through 15 available for use.
• 267. CONFIGURE MST
• 268. PART 3: Link Aggregation
• 269. SCALE UP BANDWIDTH
• 270. ETHERCHANNEL
  • Cisco offers the EtherChannel feature, which increases bandwidth by aggregating parallel links.
  • Up to 8 links can be bundled, giving 1600 Mbps, 16 Gbps or 160 Gbps, full duplex.
• 271. ETHERCHANNEL
  • An EtherChannel must be configured between 2 switches.
  • MCE (multi-chassis EtherChannel) can be configured between 3 switches (2 of them running VSS or similar).
  • The bundled ports must have the same media type, duplex, speed, STP settings, VLAN and mode.
• 272. TRAFFIC DISTRIBUTION
  • The load is not necessarily balanced equally across all the links.
  • Frames are forwarded on a specific link as the result of a hashing algorithm.
  • The algorithm can use the source IP address, the destination IP address, or a combination of source and destination IP addresses, source and destination MAC addresses, or TCP/UDP port numbers.
• 273. TRAFFIC DISTRIBUTION
  • If only one address or port number is hashed, a switch forwards each frame by using one or more low-order bits of the hash value.
  • If two addresses or port numbers are hashed, a switch performs an exclusive-OR (XOR) operation on one or more low-order bits.
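The hashing rule on slides 272 and 273 decides how evenly a bundle is used; the following added Python example (not from the course) applies it to constructed traffic. The 3-bit (8-bucket) hash and the round-robin mapping of buckets onto member links are assumptions made for the example.

```python
"""EtherChannel link selection as the slides describe it: take the low-order
bits of one address or port number, or XOR the low-order bits of two, then map
the resulting bucket onto a member link. Added example; the 3-bit (8-bucket)
hash and the bucket-to-link mapping are assumptions, all frames are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    src_port: int = 0
    dst_port: int = 0


HASH_BITS = 3    # 8 buckets, enough for the maximum of 8 links (assumption)


def mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def ip_int(ip: str) -> int:
    return int(IPv4Address(ip))


def hash_bucket(method: str, f: Frame, bits: int = HASH_BITS) -> int:
    """Bucket for a frame under a port-channel load-balance method."""
    fields = {
        "src-mac": [mac_int(f.src_mac)],
        "dst-mac": [mac_int(f.dst_mac)],
        "src-dst-mac": [mac_int(f.src_mac), mac_int(f.dst_mac)],
        "src-ip": [ip_int(f.src_ip)],
        "dst-ip": [ip_int(f.dst_ip)],
        "src-dst-ip": [ip_int(f.src_ip), ip_int(f.dst_ip)],
        "src-dst-port": [f.src_port, f.dst_port],
    }[method]
    mask = (1 << bits) - 1
    bucket = 0
    for value in fields:          # one field: its low-order bits;
        bucket ^= value & mask    # two fields: XOR of their low-order bits
    return bucket


def select_link(method: str, f: Frame, n_links: int) -> int:
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel bundles 1 to 8 links")
    return hash_bucket(method, f) % n_links    # assumed bucket-to-link mapping


def distribution(method: str, frames: List[Frame], n_links: int) -> Dict[int, int]:
    """Number of frames per member link (links with no traffic show 0)."""
    counts = Counter(select_link(method, f, n_links) for f in frames)
    return {i: counts.get(i, 0) for i in range(n_links)}


# Constructed traffic: eight hosts all talking to a single default gateway.
GATEWAY_MAC = "0000.0000.00ff"
HOST_FRAMES = [Frame(src_mac=f"0000.0000.000{i}", dst_mac=GATEWAY_MAC,
                     src_ip=f"10.0.0.{i}", dst_ip="10.0.0.254")
               for i in range(1, 9)]

if __name__ == "__main__":
    for method in ("dst-mac", "src-mac", "src-dst-mac"):
        print(f"{method:12s} over 4 links:", distribution(method, HOST_FRAMES, 4))
    print("src-mac      over 3 links:", distribution("src-mac", HOST_FRAMES, 3))
```

Hashing only on the destination MAC puts all host-to-gateway traffic on one link, and with three links even a well-spread hash gives a 3:3:2 split rather than an equal one.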
• 274. PART 4: Layer 2 Security
• 275. LAYER 2 SECURITY
  • Port Security
  • Dynamic ARP Inspection
  • DHCP Snooping
  • IP Source Guard
  • 802.1X
  • Storm Control
• 276. PORT SECURITY
  • Limits the number of MAC addresses that the MAC address table can learn through a port.
  • When enabled, the switch adds an extra step: it examines the source address of each frame received from the endpoint.
• 277. PORT SECURITY (CONT.)
  SW(config-if)# switchport mode {access | trunk}
  SW(config-if)# switchport port-security maximum <max>
  SW(config-if)# switchport port-security mac-address <h.h.h>
  SW(config-if)# switchport port-security mac-address sticky
  SW# show port-security interface fa0/0
  SW# show port-security address
• 278. PORT SECURITY (CONT.)
  • Learning the MAC addresses can be done with one of the following options:
  1. Limit the number of MAC addresses.
  2. Limit the actual MAC addresses:
    - Static configuration
    - Dynamic learning up to the maximum; lost upon reload
    - Dynamic learning up to the maximum, but the switch saves those entries for use after a reload ("sticky")
    - Note that sticky MAC addresses are stored in the configuration file, so the admin must save the configuration (write memory) before a reload.
• 279. PORT SECURITY (CONT.)
  SW(config-if)# switchport port-security violation {protect | restrict | shutdown}
    - protect: enforces port security (violating frames are dropped)
    - restrict: enforces port security and sends an SNMP trap
    - shutdown: enforces port security, sends a trap and shuts the port down
  • Shutdown puts the port in err-disabled mode, which requires shut / no shut to enable it again.
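Slides 276 to 279 describe port security as a per-port state machine; the added Python model below (not part of the course) walks a port through learning, the three violation modes, err-disable recovery and a reload with and without write memory. The MAC addresses are constructed, and the reset of the err-disabled flag on reload is an assumption of the model.

```python
"""Port-security behaviour from the slides: a per-port limit on secure MAC
addresses, static and sticky entries, the protect/restrict/shutdown violation
modes, err-disable recovery with shut/no shut, and what survives a reload with
and without 'write memory'. Added example; the MAC addresses are constructed."""
from typing import Dict, List, Set


class PortSecurity:
    """One switchport with 'switchport port-security' enabled."""

    def __init__(self, maximum: int = 1, violation: str = "shutdown", sticky: bool = False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static: Set[str] = set()           # switchport port-security mac-address <h.h.h>
        self.dynamic: Set[str] = set()          # learned from traffic (sticky or not)
        self.startup_config: Set[str] = set()   # sticky entries saved by 'write memory'
        self.err_disabled = False
        self.violations = 0
        self.traps: List[str] = []

    def secure_addresses(self) -> Set[str]:
        return self.static | self.dynamic

    def add_static(self, mac: str) -> None:
        if mac not in self.secure_addresses() and len(self.secure_addresses()) >= self.maximum:
            raise ValueError("maximum number of secure addresses already reached")
        self.dynamic.discard(mac)
        self.static.add(mac)

    def receive(self, src_mac: str) -> str:
        """What happens to a frame arriving with this source MAC."""
        if self.err_disabled:
            return "err-disabled"                 # port is down, nothing is forwarded
        if src_mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.dynamic.add(src_mac)             # learn up to the maximum
            return "forward"
        self.violations += 1                      # a new MAC beyond the maximum
        if self.violation == "protect":
            return "drop"                         # silently dropped
        self.traps.append(f"port-security violation from {src_mac}")
        if self.violation == "restrict":
            return "drop"                         # dropped and SNMP trap sent
        self.err_disabled = True                  # shutdown: trap, then err-disable
        return "err-disabled"

    def shut_no_shut(self) -> None:
        """Manual recovery; non-sticky dynamic entries are lost when the port goes down."""
        self.err_disabled = False
        if not self.sticky:
            self.dynamic.clear()

    def write_memory(self) -> None:
        """Sticky entries sit in the running-config; 'wr' copies them to startup-config."""
        self.startup_config = set(self.dynamic) if self.sticky else set()

    def reload(self) -> None:
        """Dynamic entries are lost; sticky entries survive only if they were saved.
        Clearing the err-disabled flag here is an assumption of the model."""
        self.dynamic = set(self.startup_config)
        self.err_disabled = False


def sticky_demo() -> Dict[str, object]:
    """Sticky port with maximum 2 in shutdown mode, through violation and reload."""
    port = PortSecurity(maximum=2, violation="shutdown", sticky=True)
    out: Dict[str, object] = {}
    out["first"] = port.receive("0011.2233.0001")
    out["second"] = port.receive("0011.2233.0002")
    out["third"] = port.receive("0011.2233.0003")        # violation: port err-disabled
    port.shut_no_shut()
    out["after_recovery"] = port.receive("0011.2233.0001")
    port.reload()                                         # no 'wr': sticky entries are lost
    out["secure_after_reload"] = sorted(port.secure_addresses())
    out["new_host_after_reload"] = port.receive("0011.2233.0003")
    port.write_memory()
    port.reload()
    out["secure_after_saved_reload"] = sorted(port.secure_addresses())
    return out


if __name__ == "__main__":
    for key, value in sticky_demo().items():
        print(f"{key}: {value}")
```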
• 280. DHCP SNOOPING
  • A MITM attack can also be performed via a rogue DHCP server that clients accept as legitimate.
• 281. DHCP SNOOPING
  • DHCP snooping protects against such attacks by allowing all DHCP messages on trusted ports, while filtering DHCP messages on untrusted ports.
  • DHCP clients should only exist behind untrusted ports.
  SW1(config)# ip dhcp snooping vlan <id>
  SW1(config-if)# ip dhcp snooping trust
  SW1(config-if)# ip dhcp snooping limit rate <number>
  SW1(config)# ip dhcp snooping verify mac-address
  SW1# ip dhcp snooping binding <MAC> vlan <ID> <IP> interface <name> expiry <seconds>
• 282. DYNAMIC ARP INSPECTION
  • Protects against man-in-the-middle attacks.
  • The attacker sends gratuitous ARPs. A gratuitous ARP is a reply that occurs without a request; its destination is broadcast, so all hosts learn the (spoofed) ARP result.
• 283. DAI
  • DAI has the ability to block such inappropriate ARP traffic by the following:
  1. If the source IP address was not assigned by DHCP to a device off that port, DAI filters the ARP reply.
  2. DAI can use statically defined IP/MAC addresses for comparison.
  3. DAI can compare the source/destination MAC addresses in the Ethernet header with those listed in the ARP body.
  4. DAI checks for unexpected IP addresses such as 0.0.0.0, 255.255.255.255 and multicast.
• 284. DAI
  • DHCP snooping needs to be enabled before configuring DAI, so that DAI can look at the DHCP-assigned IP addresses.
  SW1(config)# ip arp inspection vlan <vlan_range>
  SW1(config)# ip arp inspection filter <arp-acl> vlan <id>
  SW1(config)# arp access-list PERMIT_HOST
  SW1(config-arp-nacl)# permit ip host 192.168.100.1 mac host a.a.a
  SW1(config)# ip arp inspection validate {src-mac | dst-mac | ip}
  SW1(config-if)# ip arp inspection trust
  SW1(config-if)# ip arp inspection limit rate <number_of_req>
  • The default limit is 15 ARP requests per second, so that an ARP flood cannot overwhelm the switch (DoS).
• 285. IP SOURCE GUARD
  • Adds one more check on top of DHCP snooping.
  • Checks the source IP of each received packet against the DHCP binding table; it can check both source IP and source MAC.
  • Configured as per-port subcommands:
  SW1(config-if)# ip verify source
  SW2(config-if)# ip verify source port-security
  SW2(config)# ip source binding M.M.M vlan <ID> <IP> interface <name>
• 286. COMPARISON
  • DAI: protects against ARP attacks (spoofed ARP entries).
  • DHCP snooping: protects against rogue DHCP servers.
  • IP Source Guard: prevents an attacker from spoofing the IP address or MAC address.
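The four DAI checks on slide 283, the ARP ACL, validate and rate-limit options on slide 284, and the IP Source Guard check on slide 285 all run against the DHCP snooping binding table; the added Python example below (not course code) implements them together over constructed bindings and ARP packets. Port names, addresses and the 15 pps limit window are assumptions of the example.

```python
"""Dynamic ARP Inspection and IP Source Guard checks as listed on the slides,
run against a DHCP snooping binding table: trusted ports are not inspected,
an untrusted ARP must match a DHCP binding or a static ARP ACL entry, the
src-mac/dst-mac/ip validation options, and the per-port rate limit (15 pps).
Added example; bindings, packets and port names are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binding:              # one DHCP snooping binding-table entry
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str            # Ethernet header addresses
    eth_dst: str
    sender_mac: str         # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool


def unexpected_ip(ip: str) -> bool:
    """Check 4 on the slide: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


class L2Guard:
    def __init__(self, trusted_ports, dai_vlans, validate=(), arp_acl=(), rate_limit=15):
        self.trusted = set(trusted_ports)
        self.dai_vlans = set(dai_vlans)
        self.validate = set(validate)                       # any of src-mac, dst-mac, ip
        self.arp_acl: Set[Tuple[str, str]] = set(arp_acl)   # permit ip host <ip> mac host <mac>
        self.rate_limit = rate_limit                        # ip arp inspection limit rate
        self.bindings: Set[Binding] = set()
        self.err_disabled: Set[str] = set()
        self._arrivals: Dict[str, deque] = defaultdict(deque)

    def add_binding(self, b: Binding) -> None:
        self.bindings.add(Binding(b.mac.lower(), b.ip, b.vlan, b.interface))

    def inspect_arp(self, p: ArpPacket, now: float = 0.0) -> Tuple[str, str]:
        """Return (verdict, reason) for an ARP packet received on p.in_port."""
        if p.in_port in self.err_disabled:
            return ("deny", "port is err-disabled")
        if p.in_port in self.trusted or p.vlan not in self.dai_vlans:
            return ("permit", "trusted port or DAI not enabled on this VLAN")
        q = self._arrivals[p.in_port]          # ARPs seen on this port in the last second
        q.append(now)
        while now - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.rate_limit:
            self.err_disabled.add(p.in_port)
            return ("deny", "ARP rate limit exceeded, port err-disabled")
        if "ip" in self.validate and (unexpected_ip(p.sender_ip) or (p.is_reply and unexpected_ip(p.target_ip))):
            return ("deny", "unexpected IP address in ARP body")
        if "src-mac" in self.validate and p.eth_src.lower() != p.sender_mac.lower():
            return ("deny", "Ethernet source MAC differs from ARP sender MAC")
        if "dst-mac" in self.validate and p.is_reply and p.eth_dst.lower() != p.target_mac.lower():
            return ("deny", "Ethernet destination MAC differs from ARP target MAC")
        if (p.sender_ip, p.sender_mac.lower()) in self.arp_acl:
            return ("permit", "static ARP ACL entry")               # check 2
        if Binding(p.sender_mac.lower(), p.sender_ip, p.vlan, p.in_port) in self.bindings:
            return ("permit", "matches DHCP snooping binding")
        return ("deny", "sender IP/MAC not DHCP-assigned on this port")   # check 1

    def verify_source(self, port: str, vlan: int, src_ip: str, src_mac: str,
                      port_security: bool = False) -> bool:
        """IP Source Guard: 'ip verify source' checks the source IP against the
        binding on this port; with 'port-security' the source MAC must match too."""
        return any(b.interface == port and b.vlan == vlan and b.ip == src_ip
                   and (not port_security or b.mac == src_mac.lower())
                   for b in self.bindings)


# Constructed switch: uplink Gi0/24 trusted, DAI on VLAN 10 with every validate
# option, and a static ARP ACL entry for the gateway (which never uses DHCP).
GUARD = L2Guard(trusted_ports={"Gi0/24"}, dai_vlans={10},
                validate=("src-mac", "dst-mac", "ip"),
                arp_acl={("192.168.100.1", "aaaa.aaaa.aaaa")})
GUARD.add_binding(Binding("0011.2233.4455", "192.168.100.10", 10, "Fa0/1"))
GUARD.add_binding(Binding("0011.2233.6677", "192.168.100.11", 10, "Fa0/2"))

# Host on Fa0/1 answering with its own DHCP-assigned address.
LEGIT_REPLY = ArpPacket("Fa0/1", 10, "0011.2233.4455", "0011.2233.6677",
                        "0011.2233.4455", "192.168.100.10", "0011.2233.6677", "192.168.100.11", True)
# Host on Fa0/2 sending a gratuitous reply that claims the gateway's IP address.
SPOOFED_GW_REPLY = ArpPacket("Fa0/2", 10, "0011.2233.6677", "ffff.ffff.ffff",
                             "0011.2233.6677", "192.168.100.1", "ffff.ffff.ffff", "192.168.100.1", True)
```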
• 287. STORM CONTROL
  • Rate limits Layer 2 traffic.
  • Can be configured for unicast, multicast and broadcast.
  • Configured on a per-port basis.
  • Supports only physical interfaces, not port-channels.
  Switch(config-if)# storm-control broadcast level pps 100 50
  Switch(config-if)# storm-control multicast level 0.50 0.40
  Switch(config-if)# storm-control unicast level 80.0
  Switch(config-if)# storm-control action trap
• 288. 802.1X AUTHENTICATION
  • Performs user authentication per port.
  • Requires the user to supply a username and password.
  • Needs a RADIUS server.
  • EAP runs between the endpoint and the switch.
  • The switch communicates with the RADIUS server.
• 289. 802.1X BASIC CONFIGURATION
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication dot1x default group radius
  Switch(config)# dot1x system-auth-control
  Switch(config)# radius-server host <ip> auth-port 1812 acct-port 1646
  Switch(config)#  radius-server host <ip> auth-port 1645 acct-port 1646
  Switch(config)# radius-server key cisco
  Switch(config)# interface fa0/0
  Switch(config-if)# authentication port-control {auto | force-unauthorized | force-authorized}
• 290. ON WINDOWS
  • Run the Wired AutoConfig service.
• 291. ON WINDOWS
• 292. VLAN ACL
  • RACL (Routed Access-List):
    - Used for routed traffic only
    - Applied to L3 interfaces
  • VACL (VLAN Access-List):
    - Used for bridged or routed traffic
    - Applied to VLANs
    - Configured similarly to route maps
    - Matches IP/IPX/MAC traffic (unlike a MAC ACL)
• 293. VACL (CONT.)
  • Configurable actions:
    - Forward
    - Drop
    - Redirect
    - Capture (on some platforms)
  • Used in the VLAN SPAN feature (to capture all traffic passing for a specific VLAN on a trunk link).
• 294. VACL CONFIGURATION
  (config)# vlan access-map <map-name> [sequence-number]
  (config-access-map)# match ip address {acl-number | acl-name}
  (config-access-map)# match ipx address {acl-number | acl-name}
  (config-access-map)# match mac address acl-name
  (config-access-map)# action {drop | forward [capture] | redirect type mod/num}
  !
  (config)# vlan filter <map-name> vlan-list <vlan-ids>
• 295. PRIVATE VLAN
  • A PVLAN is actually a combination of two VLANs working together:
    - Primary VLAN: controls IP subnet reachability
    - Secondary VLANs: control security within the primary VLAN
  • Secondary VLANs come in two types:
    - Community
    - Isolated
• 296. SECONDARY VLAN
  • All members of the same community VLAN:
    - Reside in the same IP subnet as the primary VLAN
    - Reside in the same L2 broadcast domain
    - Cannot access members of other secondary VLANs
  • All members of the same isolated VLAN:
    - Reside in the same IP subnet as the primary VLAN
    - Cannot access members of the same isolated VLAN
    - Cannot access members of any other secondary VLAN
• 297. PRIVATE VLAN
• 298. PROMISCUOUS PORT
  • PVLAN members can only access other hosts within their own PVLAN community.
  • A configured promiscuous port allows PVLAN hosts to reach their default gateway and be routed.
  • A promiscuous port can be:
    - A physical interface leading to a router or multilayer switch
    - A switched virtual interface (SVI)
• 299. RESTRICTIONS OF PVLAN
  • Switches must be in VTP transparent mode (VTP version 3 supports private VLANs).
  • Unused VLANs must be selected for the primary and secondary assignment.
  • Private VLAN types and associations must be consistent across switches if trunking PVLANs.
  • EtherChannels must not have any PVLAN configuration applied.
• 300. CONFIGURING PVLAN
  ! Create the secondary PVLAN
  (config)# vlan 10
  (config-vlan)# private-vlan {community | isolated}
  ! Configure the primary PVLAN
  (config)# vlan 50
  (config-vlan)# private-vlan primary
  (config-vlan)# private-vlan association 10
• 301. ASSIGN PVLAN TO HOST
  ! Go to the host switchport (primary VLAN 50 first, then secondary VLAN 10)
  (config-if)# switchport mode private-vlan host
  (config-if)# switchport private-vlan host-association 50 10
• 302. CONFIGURE PROMISCUOUS PORT
  ! Go to the switchport leading to the common resource
  ! If a physical port:
  (config-if)# switchport mode private-vlan promiscuous
  (config-if)# switchport private-vlan mapping <primary> <secondary>
  ! If an SVI:
  (config-if)# private-vlan mapping <secondary>
• 303. PVLAN VERIFICATION
• 304. PART 5: Implementing HA
• 305. SUPERVISOR ENGINES, LINE CARDS AND CHASSIS
  • Supervisor Engine 7-E: optimized for large campus; 848 Gbps switching capacity; 4x10G SFP+/SFP uplinks; 250 Mpps; Flexible NetFlow.
  • Supervisor Engine 7L-E: optimized for small/mid-size campus; 520 Gbps (48G/slot); 2x10G (SFP/SFP+) or 4x1G SFP uplinks; 225 Mpps; Flexible NetFlow.
  • Supervisor Engine 8-E: 928 Gbps switching capacity; UADP ASIC; 20G wireless capacity (50 APs, 2K clients); 8x10GE uplinks.
  • Fiber line card portfolio: 1G WS-X4624-SFP-E (high density) and WS-X4612-SFP-E (low density); 10G WS-X4712-SFP+E (high density) and WS-X4606-X2-E (low density).
  • Copper line card portfolio (48G/24G): data only WS-X4748-RJ45-E and WS-X4648-RJ45-E; PoE+ WS-X4748-UPOE+E and WS-X4648-RJ45V+E.
  • Chassis: 4503-E, 4506-E, 4507R+E, 4510R+E.
  • Power supplies: PWR-C45-1300ACV, PWR-C45-2800ACV, PWR-C45-4200ACV, PWR-C45-6000ACV, PWR-C45-9000ACV.
• 306. THE NEW CATALYST 2960 FAMILY
  • Feature leadership and Cisco quality at competitive prices: ease of use, robust security, enhanced lifetime warranty, energy efficiency, lower TCO.
  • Fast Ethernet: Catalyst 2960-Plus (1G SFP/BASE-T uplinks, 802.3af PoE, Layer 2, stand-alone); Catalyst 2960-SF (1G SFP uplinks, 40G FlexStack, full PoE/PoE+, IPv6 FHS, advanced Layer 2, stackable).
  • Gigabit Ethernet: Catalyst 2960-X (10G/1G SFP+/SFP uplinks, 80G FlexStack+, full PoE/PoE+, IPv6 FHS, NetFlow Lite, advanced Layer 2, stackable); Catalyst 2960-XR (2960-X features plus IP Lite L3/routing, redundant PSU, advanced Layer 2/3, stackable and resilient).
  • 307. SRPR • Supervisor router processor redundancy a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 308. RPR • Redundant Sup partially booted and initialized. Technically in “Standby” mode. • Any uplinks on Standby are active and usable. • Both Supervisors should have same IOS image, but not required. • Changes to Startup-Config and Config-Register settings on Active are replicated to Standby • Takes a minimum of 2-minutes to complete switchover process. • Sup that boots first is Active , 2 minutes to failover • # redundancy # mode rpr a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 309. RPR+ • Both Sups MUST have same IOS version • Standby Sup fully initialized and configured • 30-60 second switchover • Installed modules don’t need to be reloaded • FIB tables are cleared during a switchover, so routed traffic will be temporarily dropped…but static routes are maintained. # redundancy mode rpr-plus a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 310. SSO • Stateful switchover • Maintain FIB and adjacency table and STP information • Faster than RPR+ take 0-3 seconds • The rest is same as RPR+ # redundancy mode sso # Show redundancy states a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 311. STACKING “STACKWISE” • Provide ease of management • Virtual chassis capability • Add support for multi-chassis ether channel • Get the needed port-count on single virtual switch a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
  • 312. VSS • Virtual switching system • Applied on High end Cisco Switches with the restrictions of the supervisor engine • Allow 2 switches to share the same adjacency and FIB and routing table , unlike FHRP , VSS allow for real “zero” down time. a.abdelfatah91@gmail.com CCNP R&S Switch 300-115 / ILT Course 2016
• 313. FHRP
• 314. 1. HSRP
• 315. HSRP
  - Hot Standby Router Protocol
  - Cisco proprietary
  - Uses UDP port 1985 and multicast address 224.0.0.2
  - Two roles: Active and Standby; the highest priority wins, default is 100
  - MAC address: 0000.0c07.acxx where xx is the group id in hex
  - No preemption by default; when preemption is enabled, a delay can be set to allow the routing table to converge first
  - No load sharing, but MHSRP (multiple groups) can be used to achieve it
  - Hello every 3 seconds, dead (hold) time 10 seconds
  - Supports plain-text and MD5 authentication
• 316. HSRP STATES
  - Disabled
  - Initial (INIT)
  - Learn
  - Listen
  - Speak
  - Standby / Active
• 317. CONFIGURING HSRP
  - Configuration
    Switch(config-if)# standby <group-id> ip <virtual-ip>
    Switch(config-if)# standby <group-id> priority <priority>
    Switch(config-if)# standby <group-id> preempt [delay]
  - Verification
    Switch# show standby
    Switch# show standby brief
• 318. HSRP AUTHENTICATION
  - Supported authentication: plain text, MD5
  - Plain-text configuration
    Sw1(config-if)# standby <group-id> authentication <password>
  - MD5 configuration
    Sw1(config-if)# standby <group-id> authentication md5 key-string [0|7] <string>
  - The MD5 key can also be retrieved from a key chain
• 319. HSRP & TRACKING
  - HSRP can track objects (typically interfaces)
  - If the tracked object fails, the HSRP priority is reduced by a configurable amount (default = 10)
  - Configuration
    Create a "track object" globally:
    Switch(config)# track 1 interface <if-name> line-protocol
    Apply it to the HSRP group:
    Switch(config-if)# standby 1 track 1 decrement 100
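The HSRP slides above give the protocol's port, multicast group, timers and authentication options. The following added example (not part of the course material) decodes the fixed 20-byte HSRPv1 hello body from RFC 2281 and runs the checks a gateway monitor would apply to hellos captured on UDP 1985: a default or empty plaintext key, a priority above the value documented for the group, an unexpected virtual IP, or inconsistent hello/hold timers. The sample packets are constructed inside the block; `audit()` and its expected values are this example's own, not a Cisco feature.

```python
"""Decode HSRPv1 hello packets and flag settings a gateway monitor should notice.

Added example for this course section, not the course's own material.
HSRPv1 hellos are sent to UDP/1985 on 224.0.0.2 with a fixed 20-byte body
(RFC 2281): version, opcode, state, hellotime, holdtime, priority, group,
reserved, 8-byte authentication data, 4-byte virtual IP. The packets below
are constructed here as sample input.
"""
import struct
from dataclasses import dataclass
from typing import List

HSRP_UDP_PORT = 1985
HSRP_V1_GROUP_ADDR = "224.0.0.2"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HEADER = struct.Struct("!8B8s4s")   # eight 1-byte fields, auth data, virtual IP


@dataclass
class HsrpHello:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpHello:
    """Parse the 20-byte HSRPv1 body; raises ValueError on malformed input."""
    if len(payload) < HEADER.size:
        raise ValueError("HSRPv1 body must be at least 20 bytes")
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = HEADER.unpack(payload[:HEADER.size])
    if version != 0:                      # RFC 2281 fixes the version field at 0
        raise ValueError(f"unsupported HSRP version {version}")
    return HsrpHello(
        opcode=OPCODES.get(opcode, f"unknown({opcode})"),
        state=STATES.get(state, f"unknown({state})"),
        hellotime=hellotime, holdtime=holdtime,
        priority=priority, group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=".".join(str(b) for b in vip),
    )


def build_hello(state: int, priority: int, group: int, auth: bytes, vip: str,
                hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Build a constructed HSRPv1 hello body (used here only as sample input)."""
    return HEADER.pack(0, 0, state, hellotime, holdtime, priority, group, 0,
                       auth, bytes(int(o) for o in vip.split(".")))


def audit(hello: HsrpHello, expected_priority: int, expected_vip: str) -> List[str]:
    """Findings a gateway monitor would raise for one hello from the Active router."""
    findings = []
    if hello.auth in ("cisco", ""):         # "cisco" is the default plaintext key
        findings.append("default or empty plaintext authentication")
    if hello.priority > expected_priority:
        findings.append(f"priority {hello.priority} above expected {expected_priority}")
    if hello.virtual_ip != expected_vip:
        findings.append(f"virtual IP {hello.virtual_ip} differs from expected {expected_vip}")
    if hello.holdtime <= hello.hellotime:
        findings.append("holdtime not greater than hellotime")
    return findings


# Constructed samples: a normal Active hello with the default key, and one
# whose priority is higher than the value documented for the group.
NORMAL_HELLO = build_hello(state=16, priority=100, group=1, auth=b"cisco", vip="10.0.0.1")
ODD_HELLO = build_hello(state=16, priority=200, group=1, auth=b"s3cr3t", vip="10.0.0.1")

if __name__ == "__main__":
    for pkt in (NORMAL_HELLO, ODD_HELLO):
        h = parse_hsrp(pkt)
        print(h, audit(h, expected_priority=100, expected_vip="10.0.0.1"))
```

In a real deployment the payload would come from a capture filter on UDP port 1985; the parser only covers HSRPv1, since HSRPv2 uses a TLV layout and 224.0.0.102.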
• 320. 2. VRRP
• 321. VRRP
  - Open standard, RFC 5798
  - Built-in transport: IP protocol number 112
  - Multicast address: 224.0.0.18
  - The master router replies to ARP requests for the virtual IP address
  - Preemption enabled by default
  - Higher priority wins; default is 100
  - Advertisement every 1 second; master down after 3.6 seconds
  - MAC address: 0000.5e00.01xx where xx refers to the group id
  - No load-sharing support; timers should match on all routers
  - Supports both plain-text and MD5 authentication
• 322. CONFIGURING VRRP
  - Configuration
    Sw1(config-if)# vrrp <group-id> ip <virtual-ip>
    Sw1(config-if)# vrrp <group-id> priority <priority>
    Sw1(config-if)# vrrp <group-id> authentication text <password>
    Sw1(config-if)# vrrp <group-id> authentication md5 key-string <key>
    ! Authentication can also be based on a key chain
  - Verification
    Sw1# show vrrp
    Sw1# show vrrp brief
• 323. CHANGING VRRP TIMERS
  - All routers in the VRRP group must use the same hello (advertisement) timer
  - VRRP routers can learn the master's timers, but not by default:
    Sw1(config-if)# vrrp <group-id> timers learn
  - Configuring the advertisement timer
    Sw1(config-if)# vrrp <group-id> timers advertise [msec] <interval>
  - The VRRP hello packet cannot advertise millisecond timers, so if sub-second timers are configured they must be configured on all VRRP routers in the group
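The VRRP slide states a 1 second advertisement and a 3.6 second master-down time without showing where 3.6 comes from. The added example below (mine, not part of the course material) evaluates the master-down formulas from the VRRP RFCs with the slide's numbers: in VRRPv2 (RFC 3768) Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time with Skew_Time = (256 - priority) / 256 seconds, and in VRRPv3 (RFC 5798) the same formula in centiseconds with Skew_Time = (256 - priority) * Master_Adver_Interval / 256. The skew term is why the highest-priority backup times out first, and why the value depends on the advertisement interval when sub-second timers are used. `takeover_order()` is a helper of this example.

```python
"""Work out the VRRP Master_Down_Interval the slide quotes as "3.6 seconds".

Added example, not part of the course slides. Formulas from RFC 3768 (VRRPv2,
seconds) and RFC 5798 (VRRPv3, centiseconds). Priority 100 is the default
backup priority used on the slide.
"""
from typing import List


def vrrp2_master_down(adver_interval_s: int, priority: int) -> float:
    """RFC 3768: Master_Down_Interval in seconds for a backup with this priority.

    VRRPv2 advertisements carry the interval in whole seconds, so the skew
    term is a fixed fraction of a second that depends only on priority.
    """
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be 1-254")
    skew = (256 - priority) / 256
    return 3 * adver_interval_s + skew


def vrrp3_master_down(adver_interval_cs: int, priority: int) -> float:
    """RFC 5798: interval given in centiseconds, result returned in seconds.

    Here the skew scales with the advertisement interval, so sub-second
    timers shrink the whole master-down window, not just the 3x term.
    """
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be 1-254")
    skew_cs = ((256 - priority) * adver_interval_cs) / 256
    return (3 * adver_interval_cs + skew_cs) / 100


def takeover_order(priorities: List[int], adver_interval_s: int = 1) -> List[int]:
    """Backups sorted by when their master-down timer expires (earliest first).

    A smaller skew means a higher priority, so the highest priority wins the
    race to become master after the old master goes silent.
    """
    return sorted(priorities, key=lambda p: vrrp2_master_down(adver_interval_s, p))


if __name__ == "__main__":
    print("VRRPv2, 1 s advertisements, priority 100:",
          vrrp2_master_down(1, 100))                 # 3.609375 -> "3.6 seconds"
    print("VRRPv3, 100 cs advertisements, priority 100:",
          vrrp3_master_down(100, 100))
    print("VRRPv3, 20 cs advertisements, priority 100:",
          vrrp3_master_down(20, 100))
    print("takeover order for priorities 100, 150, 50:",
          takeover_order([100, 150, 50]))
```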
• 324. 3. GLBP
• 325. GLBP
  - Gateway Load-Balancing Protocol
  - Cisco proprietary; works on high-end switches
  - Provides gateway redundancy AND per-host load balancing; supports object tracking
  - The AVG (Active Virtual Gateway) is in charge of determining host-to-gateway allocations
  - Preemption for the role of AVG is on by default
  - Gateways capable of forwarding packets in GLBP are called AVFs (max 4 per group; the AVG is also an AVF)
  - The hello timer is 3 seconds
• 326. AVG & AVF
  - The AVG replies to ARP requests sent to the virtual IP
  - Single AVG per group (highest priority, or highest IP as the tie-breaker)
  - The AVG is also an AVF
  - Each AVF has a virtual MAC of the form 0007.b4xx.xxyy where xxxx is the GLBP group and yy is the AVF number
  - AVFs request their AVF number and virtual MAC from the AVG
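The HSRP, VRRP and GLBP slides each give a virtual MAC format (0000.0c07.acxx, 0000.5e00.01xx and 0007.b4xx.xxyy). The following added example (not part of the course material) derives those MACs from a group and forwarder number and, more usefully for operations, goes the other way: `classify_mac()` recognises an FHRP virtual MAC from a `show mac address-table` entry, and `fhrp_entries()` flags any such MAC learned on a port that is not a known gateway uplink, which is how a stray or misconfigured gateway shows up in a switch table. The sample table, port names and descriptions are constructed for this example.

```python
"""Derive and recognise FHRP virtual MAC addresses.

Added example, not part of the course slides. It encodes the three virtual MAC
formats given in the slides: HSRPv1 0000.0c07.acXX (XX = group), VRRP
0000.5e00.01XX (XX = group) and GLBP 0007.b4XX.XXYY (XXXX = group, YY = AVF
number), and checks a MAC table for FHRP MACs on unexpected ports. The
sample table entries and port names are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple


def hsrp_v1_mac(group: int) -> str:
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_mac(group: int) -> str:
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be 1-255")
    return f"0000.5e00.01{group:02x}"


def glbp_mac(group: int, avf: int) -> str:
    # 16-bit group number across the two middle bytes, AVF number in the last byte
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group must be 0-1023")
    if not 1 <= avf <= 4:
        raise ValueError("a GLBP group has at most 4 AVFs (numbered 1-4)")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{avf:02x}"


def normalise(mac: str) -> str:
    """Accept 00:00:0c:07:ac:01, 00-00-0c-07-ac-01 or 0000.0c07.ac01; return 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_mac(mac: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (protocol, group, avf-or-None) for an FHRP virtual MAC, else None."""
    d = normalise(mac)
    if d.startswith("00000c07ac"):
        return ("HSRPv1", int(d[10:12], 16), None)
    if d.startswith("00005e0001"):
        return ("VRRP", int(d[10:12], 16), None)
    if d.startswith("0007b4"):
        return ("GLBP", int(d[6:10], 16), int(d[10:12], 16))
    return None


def fhrp_entries(mac_table: List[Tuple[str, str]],
                 gateway_ports: Dict[str, str]) -> List[str]:
    """Flag FHRP virtual MACs learned on ports that are not known gateway uplinks.

    mac_table: (mac, port) pairs as read from 'show mac address-table';
    gateway_ports: port -> description for the ports facing the real gateways.
    """
    alerts = []
    for mac, port in mac_table:
        hit = classify_mac(mac)
        if hit and port not in gateway_ports:
            proto, group, avf = hit
            where = f"{proto} group {group}" + (f" AVF {avf}" if avf is not None else "")
            alerts.append(f"{where} ({mac}) learned on non-gateway port {port}")
    return alerts


# Constructed sample MAC table: two expected gateway entries, one surprise, one host.
SAMPLE_TABLE = [
    ("0000.0c07.ac01", "Gi1/0/48"),   # HSRP group 1 on the distribution uplink
    ("0007.b400.0102", "Gi1/0/47"),   # GLBP group 1, AVF 2 on the other uplink
    ("0000.5e00.0105", "Gi1/0/12"),   # VRRP group 5 seen on an access port
    ("5c5e.ab12.3456", "Gi1/0/12"),   # ordinary host MAC
]
GATEWAY_PORTS = {"Gi1/0/47": "to-DSW1", "Gi1/0/48": "to-DSW2"}

if __name__ == "__main__":
    for line in fhrp_entries(SAMPLE_TABLE, GATEWAY_PORTS):
        print(line)
```

The classifier only covers the HSRPv1 prefix; HSRPv2 uses 0000.0c9f.fxxx, which is not on these slides and is left out deliberately.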
• 327. HOW GLBP WORKS (figure)
• 328. CONFIGURING GLBP
  - Configuration
    Sw1(config-if)# glbp <group-id> ip <virtual-ip>
    Sw1(config-if)# glbp <group-id> priority <priority>
    Sw1(config-if)# glbp <group-id> timers <hello time> <hold time>
  - Verification
    Sw1# show glbp
    Sw1# show glbp brief
• 329. GLBP LOAD BALANCE
  - Load-balancing algorithms:
    - Round-robin (default)
    - Host-dependent
    - Weighted
  - Selected with:
    Sw1(config-if)# glbp <group-id> load-balancing [round-robin | host-dependent | weighted]
• 330. CONFIGURE WEIGHTED LOAD BALANCE
  - Configured on the AVG:
    Sw1(config-if)# glbp <group-id> load-balancing weighted
  - Configured on the AVFs:
    Sw1(config-if)# glbp <group-id> weighting <value> lower <value> upper <value>
• 331. AVF OBJECT TRACKING
  - Every router has a default AVF weight of 100 (the maximum value)
  - Below the "lower" weight, the router can no longer participate as an AVF
  - Object tracking can be used to dynamically decrement the weight if the tracked object fails
  ! The same logic as in VRRP & HSRP applies here
  ! Tracking can be done per interface or per IP SLA instance
• 332. CONFIGURE GLBP TIMERS
  - Configuring hello and hold timers
    Sw1(config-if)# glbp <group-id> timers <hello time> <hold time>
  - More about GLBP: https://cisconinja.wordpress.com/2009/02/11/glbp-weights-load-balancing-and-redirection/
• 333. END OF THE SWITCH COURSE