
9000235254

P. NAGABABU

NAGACISCO@GMAIL.COM

9553.9553.07

CCNP CISCO CERTIFIED NETWORK PROFESSIONAL- SWITCH



Prepared by Nagababu Polisetti




This material is valid till 31st November 2011. New material is available on 1st December 2011


INDEX
Lesson 1: Switch Operation
Lesson 2: Ethernet Port Configuration
Lesson 3: VLANs and Trunks
Lesson 4: VTP
Lesson 5: Link Aggregation
Lesson 6: Switch Functioning
Lesson 7: Traditional STP
Lesson 8: STP Configuration
Lesson 9: Protect STP
Lesson 10: Advanced STP
Lesson 11: MLS
Lesson 12: Campus Network Design
Lesson 13: L3 Availability - Load Balancing
Lesson 14: Supervisor Power Redundancy
Lesson 15: IP Telephony
Lesson 16: Secure Switch Access
Lesson 17: Secure VLANs
Lesson 18: WLANs


LESSON 1 : SWITCH OPERATION


L2 Switch Operation

- The switch receives a frame on one port and reads the source and destination MAC addresses from the Layer 2 header
- It looks up the destination MAC in the CAM table to find the outgoing port
- If an entry exists, the frame is forwarded (unicast) out that port only
- If there is no entry, the frame is flooded out all other ports in the VLAN (unknown unicast flooding)
- The source MAC and the incoming port are entered in the MAC address table (CAM); if the entry already exists, its aging timer is refreshed
- A switch port can work at full duplex or half duplex
- The switch has dedicated circuits between ports (microsegmentation): every port has dedicated bandwidth
- Switching is done in specialized hardware (ASICs), which makes it fast
- A Layer 2 switch reads only the Layer 2 header; it cannot read the Layer 3 or Layer 4 headers
  o The L2 header contains the source and destination MAC addresses
  o The L3 header contains the source and destination IP addresses
  o The L4 header contains the source and destination port numbers


- When a frame arrives at a switch port, it is placed into one of the port's ingress queues
- Queues have different priority levels so that important frames are processed first
- The switch hardware decides where and how to forward the frame by making three fundamental decisions
- All three decisions are made simultaneously by independent portions of the switching hardware, which is what makes switching fast

L2 forwarding table
- The frame's destination MAC address is used as the index
- If the address is found, the egress switch port and the appropriate VLAN ID are read from the table
- If the address is not found, the frame is flooded out all egress ports in the VLAN (unknown unicast flooding)

Security ACL
- The TCAM holds the security ACL in compiled form so that it can be evaluated in a single table lookup
- The result is a decision to permit or deny the frame

QoS ACL
- The TCAM holds the QoS ACL in compiled form, again evaluated in a single table lookup
- The result decides how to prioritize the traffic and how to mark QoS parameters in outbound frames

MultiLayer Switch Operation


- Layer 2 switches forward frames based on the Layer 2 header
- A multilayer switch (MLS) forwards frames based on the Layer 2, Layer 3 and Layer 4 headers, hence the name
- There are two types of MLS
  o Route caching
  o Topology based

MLS - Route Caching
- The first generation of MLS requires a route processor (RP) and a switch engine (SE)
- The RP processes the first packet of a traffic flow to determine the destination
- The SE watches the first packet and its resulting destination and sets up a shortcut entry in its MLS cache
- The SE forwards subsequent packets of the same traffic flow based on the cache entry
- Also called NetFlow LAN switching, flow-based or demand-based switching, or "route once, switch many"

MLS - Topology Based
- The second generation of MLS uses specialized hardware: the forwarding information base (FIB)
- Layer 3 routing information is built and populated into the FIB database
- The database supports very efficient table lookups, so packets can be forwarded at high speed
- If the network topology changes, the new routing information is updated in the FIB dynamically without affecting performance
- Topology-based MLS is also known as Cisco Express Forwarding (CEF)


- When a frame arrives at a switch port, it is placed into one of the port's ingress queues
- Each packet is pulled off an ingress queue and inspected for both its Layer 2 and Layer 3 destination addresses
- The decision of where to forward the packet is based on two address tables, the FIB and the CAM table
- The decision of how to forward the packet is based on the ACL and QoS tables
- All of these actions are performed simultaneously in hardware

L2 forwarding table
- The destination MAC address is used as an index into the CAM table
- If the frame contains a packet that must be routed, the destination MAC is the MAC address of a Layer 3 port on the switch; otherwise the CAM table result is used as-is for Layer 2 forwarding

L3 forwarding table
- The destination IP address is used as an index into the FIB
- The longest match is found and the next-hop Layer 3 address is obtained
- The FIB also holds each next hop's Layer 2 address, egress switch port and VLAN ID, so a single table lookup is enough

Security ACLs
- ACLs are compiled into TCAM entries to filter packets in a single table lookup

QoS ACLs
- Packet classification, policing and marking can all be performed as single table lookups in the QoS TCAM

L3 rewrite
- The packet is put into the Layer 3 rewrite engine
- The TTL (time to live) is decremented by 1 and the Layer 3 checksum is recalculated
- The Layer 2 source and destination MAC addresses are rewritten: the new source MAC is the MLS interface's Layer 2 address and the new destination MAC is the next hop's Layer 2 address
- The Layer 2 checksum (FCS) is recalculated
- CEF can directly forward most IP packets between hosts. This happens when both the source and destination Layer 2 and Layer 3 addresses are known.


CEF cannot directly forward some IP packets, either because they are special packet types or because they need special processing. These packets are flagged for further processing by the route processor. Packets that need further processing include:
- ARP requests and replies
- IP packets that require a router response (TTL expired, MTU exceeded, fragmentation needed)
- IP broadcasts relayed as unicast (DHCP requests, IP helper-address functions)
- Routing protocol updates
- Cisco Discovery Protocol (CDP) updates
- IPX routing protocol and service updates
- Packets that need encryption
- Packets that trigger NAT
- Non-IP and non-IPX protocol packets (AppleTalk, DECnet, etc.)
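Topology-based MLS as described in the two sections above, as an added Python model that is not part of the original notes: a FIB longest-prefix match, an adjacency table holding the next-hop MAC, egress port and VLAN, the Layer 3 rewrite (TTL decrement with IPv4 header checksum recalculation, MAC rewrite) and the punt cases that CEF hands to the route processor. The prefixes, next hops, MAC addresses and port names are constructed for the example; only IPv4 with a 20-byte header without options is modelled.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header.

    Over a header whose checksum field already holds the correct value the
    result is 0, which is how a receiver verifies the header.
    """
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=6):
    """20-byte IPv4 header with a valid checksum (constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def l3_rewrite(header: bytes) -> bytes:
    """The L3 rewrite step: TTL - 1 and a recomputed header checksum."""
    new = header[:8] + bytes([header[8] - 1]) + header[9:10] + b"\x00\x00" + header[12:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


class CEFSwitch:
    def __init__(self, svi_mac):
        self.svi_mac = svi_mac      # L2 address of the multilayer switch's L3 interface
        self.fib = []               # (ip_network, next_hop_ip), populated from the routing table
        self.adjacency = {}         # next_hop_ip -> (next_hop_mac, egress_port, vlan)

    def add_route(self, prefix, next_hop):
        self.fib.append((ipaddress.ip_network(prefix), next_hop))

    def add_adjacency(self, next_hop, mac, port, vlan):
        self.adjacency[next_hop] = (mac, port, vlan)

    def longest_match(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, nh in self.fib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, frame):
        """Return ("forward", (port, vlan, rewritten_frame)) or ("punt"/"drop"/"l2", reason)."""
        if frame["ethertype"] == 0x0806:
            return ("punt", "arp")                  # ARP is handled by the route processor
        if frame["dst_mac"] != self.svi_mac:
            return ("l2", "not addressed to an L3 interface: CAM lookup only")
        hdr = frame["ip"]
        dst = str(ipaddress.ip_address(hdr[16:20]))
        if dst == "255.255.255.255":
            return ("punt", "ip-broadcast")         # e.g. DHCP relayed via ip helper-address
        if hdr[8] <= 1:
            return ("punt", "ttl-expired")          # the RP must generate the ICMP error
        match = self.longest_match(dst)
        if match is None:
            return ("drop", "no-route")
        adj = self.adjacency.get(match[1])
        if adj is None:
            return ("punt", "glean")                # next-hop MAC unknown: RP must ARP first
        nh_mac, port, vlan = adj
        out = dict(frame, src_mac=self.svi_mac, dst_mac=nh_mac, ip=l3_rewrite(hdr))
        return ("forward", (port, vlan, out))
```

The `ttl-expired` and `glean` branches are the two punt cases most often seen in practice: a packet that arrives with TTL 1 must be answered by software, and a destination whose next hop has never been resolved by ARP has no adjacency to rewrite to, so CEF cannot forward it in hardware until the RP completes the ARP exchange.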

CAM TABLES
- Switches generally have large CAM tables so that many addresses can be looked up for frame forwarding
- Even so, it is not possible to hold every possible host MAC address in a large network
- A CAM table entry expires after 300 seconds by default if no frames from that address are seen on that port

To change the CAM entry aging time: mac address-table aging-time <seconds>

To make a static entry in the CAM table: mac address-table static <mac> vlan <vlan-id> interface <interface> (before IOS version 12.1(11)EA1 the command was mac-address-table static)
- The switch purges a CAM table entry if the port goes down or if the same MAC is learned on a different switch port
- If the switch notices that a MAC is being learned on alternating switch ports, it generates an error message saying the address is flapping between interfaces
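The Layer 2 forwarding steps and the CAM table behaviour described above (source-MAC learning, unknown-unicast flooding, the 300 second aging timer, static entries, purging on port-down and MAC flapping), as an added Python model that is not part of the original notes. Port numbers, MAC addresses and timestamps are constructed for the example.

```python
DEFAULT_AGING_SECONDS = 300    # IOS default CAM aging time


class L2Switch:
    """Model of a Layer 2 switch with a CAM (MAC address) table.

    cam maps MAC -> (port, last_seen). last_seen is None for static entries,
    which never age out and are never overwritten by learning.
    """

    def __init__(self, ports, aging=DEFAULT_AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.cam = {}
        self.down_ports = set()
        self.flap_events = []      # (mac, old_port, new_port), one per move

    def _expire(self, now):
        # Dynamic entries that have not seen a frame for `aging` seconds are purged
        stale = [m for m, (_, seen) in self.cam.items()
                 if seen is not None and now - seen >= self.aging]
        for m in stale:
            del self.cam[m]

    def add_static(self, mac, port):
        """Equivalent of 'mac address-table static <mac> vlan <n> interface <port>'."""
        self.cam[mac] = (port, None)

    def port_down(self, port):
        """Purge every dynamic entry learned on a port that goes down."""
        self.down_ports.add(port)
        for m in [m for m, (p, seen) in self.cam.items() if p == port and seen is not None]:
            del self.cam[m]

    def port_up(self, port):
        self.down_ports.discard(port)

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame; return the sorted list of egress ports."""
        self._expire(now)
        # 1. Learn the source MAC on the ingress port, or refresh its timer
        entry = self.cam.get(src_mac)
        if entry is None or entry[1] is not None:        # static entries are never overwritten
            if entry is not None and entry[0] != in_port:
                # Same MAC seen on another port: IOS logs it as flapping between interfaces
                self.flap_events.append((src_mac, entry[0], in_port))
            self.cam[src_mac] = (in_port, now)
        # 2. Look up the destination MAC
        entry = self.cam.get(dst_mac)
        if entry is None:
            # Unknown unicast: flood out every active port except the ingress port
            return sorted(p for p in self.ports if p != in_port and p not in self.down_ports)
        out_port = entry[0]
        if out_port == in_port:
            return []          # destination is on the ingress segment: filter the frame
        return [out_port]
```

Two things worth noticing when running it: an aged-out destination turns a conversation back into flooding until the next reply refreshes the entry, and a static entry pins an address to a port so that a frame claiming that source MAC on another port neither moves the entry nor registers as a flap.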

TCAM TABLES
- TCAM stands for ternary CAM
- A TCAM holds information in compiled form
- A TCAM evaluates a packet against an entire ACL in a single table lookup
- Switches can have multiple TCAMs, so that a packet is processed against the security ACLs and the QoS ACLs in parallel with the L2/L3 forwarding decision
- IOS has two components that work with the TCAM
  1. Feature Manager (FM)
     o When an ACL is created, the FM software compiles and merges the access control entries (ACEs) into the TCAM
  2. Switching Database Manager (SDM)
     o The SDM software configures or tunes the TCAM partitions to perform different functions, if needed
     o The TCAMs on the 4500 and 6500 platforms are fixed and cannot be repartitioned
- Three ("ternary") input values are used in the TCAM: 0, 1 and X
  o 0 and 1 are binary values used to define a key
  o X (don't care) is a mask value that defines which bits of the key are relevant
- TCAM entries are composed of Value, Mask and Result (VMR) combinations
- Fields from the frame or packet are fed into the TCAM and matched against the value and mask pairs to yield a result

Values
- Values are 134-bit quantities consisting of source and destination addresses and other relevant protocol information, i.e. all the patterns to be matched
- The values in the TCAM come directly from the addresses, ports or other protocol information given in an ACE

Masks
- Masks are 134-bit quantities in exactly the same format, or bit order, as the values
- A mask defines which value bits must be considered and which are ignored
- The masks from the ACEs are compiled and fed into the TCAM

Results
- Results are numeric values that represent what action should be taken after the TCAM lookup
- A TCAM offers a number of possible results or actions: the result can be a permit or deny decision, an index to a QoS policer, a pointer to a next-hop routing table entry, and so on
- The TCAM is always organized by masks, where each unique mask has 8 value patterns associated with it
- If a mask already has 8 value patterns, the next pattern is placed under a new mask
- The 6500 platform has multiple TCAMs (security ACLs and QoS ACLs); each can hold up to 4096 masks and 32768 value patterns
- Each mask/value pair is evaluated simultaneously, revealing the best or longest match in a single table lookup


The access list is compiled and merged into the TCAM as follows
- First all unique masks are identified across the ACEs and fed into the TCAM mask area (mask 1, mask 2, mask 3 and so on); the mask bits that are set are the ones that must match
- For each unique mask, all value patterns are identified and fed into the TCAM value area
- The actions are fed into the result area (permit or deny)
- The IOS Feature Manager checks all ACEs for Layer 4 operations (port comparisons such as gt, lt, range and neq) and places them in logical operation unit (LOU) register pairs
- After the LOUs are loaded, they are referenced by the TCAM entries that need them
- When a frame or packet arrives at an ingress port, its header is checked against the TCAM entries very quickly and the appropriate action is taken
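The TCAM compilation described above (unique masks, value patterns per mask, results, and LOUs for Layer 4 operations), as an added Python model that is not part of the original notes. It uses a narrower key than the 134-bit one the notes describe (8-bit protocol, 32-bit source, 32-bit destination, 16-bit destination port), IOS wildcard-mask semantics for addresses, and a constructed four-line ACL; ACE order is used as the result priority, as in a first-match ACL.

```python
import ipaddress
from collections import namedtuple

# Key layout, high to low: proto 8 bits | src 32 | dst 32 | dst_port 16
PROTO_SHIFT, SRC_SHIFT, DST_SHIFT, PORT_SHIFT = 80, 48, 16, 0
PROTO = {"ip": None, "tcp": 6, "udp": 17}      # "ip" in an ACE matches any protocol

TcamEntry = namedtuple("TcamEntry", "value mask result lou")


def ip2int(addr):
    return int(ipaddress.ip_address(addr))


def wildcard_to_mask(wildcard):
    """IOS wildcard: a 0 bit means 'must match'. TCAM mask: a 1 bit means 'must match'."""
    return (~ip2int(wildcard)) & 0xFFFFFFFF


def packet_key(proto_num, src, dst, dst_port):
    return ((proto_num << PROTO_SHIFT) | (ip2int(src) << SRC_SHIFT)
            | (ip2int(dst) << DST_SHIFT) | (dst_port << PORT_SHIFT))


def compile_ace(ace):
    """ACE tuple: (action, proto, src, src_wildcard, dst, dst_wildcard, port_op, port)."""
    action, proto, src, src_wc, dst, dst_wc, port_op, port = ace
    value = mask = 0
    if PROTO[proto] is not None:
        value |= PROTO[proto] << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    for addr, wc, shift in ((src, src_wc, SRC_SHIFT), (dst, dst_wc, DST_SHIFT)):
        m = wildcard_to_mask(wc)
        value |= (ip2int(addr) & m) << shift
        mask |= m << shift
    lou = None
    if port_op == "eq":
        value |= port << PORT_SHIFT
        mask |= 0xFFFF << PORT_SHIFT
    elif port_op in ("gt", "lt"):
        # A Layer 4 comparison cannot be expressed as value/mask bits: the port bits stay
        # "don't care" and the comparison goes into a LOU register referenced by the entry
        lou = (port_op, port)
    return TcamEntry(value, mask, action, lou)


def lou_matches(lou, dst_port):
    if lou is None:
        return True
    op, port = lou
    return dst_port > port if op == "gt" else dst_port < port


class Tcam:
    def __init__(self, aces):
        self.entries = [compile_ace(a) for a in aces]      # the Feature Manager compile step

    def unique_masks(self):
        return len({e.mask for e in self.entries})

    def lookup(self, proto, src, dst, dst_port):
        """In hardware all entries are compared at once; the lowest-index hit wins."""
        key = packet_key(PROTO[proto], src, dst, dst_port)
        for e in self.entries:
            if key & e.mask == e.value and lou_matches(e.lou, dst_port):
                return e.result
        return "deny"                                        # implicit deny at the end of every ACL


# Constructed ACL, as it would read in IOS:
#   permit tcp any host 10.1.1.10 eq 443
#   permit tcp 10.1.2.0 0.0.0.255 host 10.1.1.10 eq 22
#   deny   ip  any host 10.1.1.10
#   permit tcp any any gt 1023
ANY = ("0.0.0.0", "255.255.255.255")
ACL = [
    ("permit", "tcp", *ANY, "10.1.1.10", "0.0.0.0", "eq", 443),
    ("permit", "tcp", "10.1.2.0", "0.0.0.255", "10.1.1.10", "0.0.0.0", "eq", 22),
    ("deny", "ip", *ANY, "10.1.1.10", "0.0.0.0", None, None),
    ("permit", "tcp", *ANY, *ANY, "gt", 1023),
]
```

Because every entry is compared in the same cycle, the cost of the lookup does not grow with the length of the ACL; what does grow is the number of masks and LOU registers consumed, which is why an ACL full of distinct port ranges can exhaust TCAM resources long before the entry count looks large.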


LESSON 2 : ETHERNET PORT CONFIGURATION


LAN media technologies
- Ethernet
- FDDI (Fiber Distributed Data Interface)
- CDDI (Copper Distributed Data Interface)
- ATM (Asynchronous Transfer Mode)
- Token Ring
Ethernet is the most popular choice because of its low cost, market availability and scalability to higher bandwidths.

Ethernet
- 10 Mbps LAN technology based on the IEEE 802.3 standard
- Ethernet is a shared medium that is both a collision domain and a broadcast domain
- Based on CSMA/CD
- Half-duplex communication with hubs, half or full duplex with switches
- 10BASE-T cabling (UTP) is restricted to an end-to-end distance of 100 m (328 feet)
- 10BASE2, 10BASE5, 10BASE-F etc. are other Ethernet variants that use different cabling

Fast Ethernet
- 100 Mbps LAN technology based on the IEEE 802.3u standard
- Full-duplex or half-duplex communication; 200 Mbps total throughput at full duplex
- Fast Ethernet ports also support 10 Mbps for compatibility with legacy Ethernet
- With autonegotiation, the two ends of a link agree on the highest speed and duplex that both support


Gigabit Ethernet
- 1000 Mbps (1 Gbps) LAN technology based on IEEE 802.3z
- Supports only full-duplex communication
- Gigabit Ethernet supports several cabling types, referred to collectively as 1000BASE-X
- Gigabit over copper (1000BASE-T) is based on the IEEE 802.3ab standard
- Gigabit Ethernet ports are backward compatible with Fast Ethernet and legacy Ethernet; such ports are called 10/100/1000 (triple-speed) ports
- On Cisco switches Gigabit Ethernet (1000 Mbps) is supported only at full duplex, so duplex autonegotiation is not possible, but speed autonegotiation is

10 Gigabit Ethernet
- 10 Gbps LAN technology based on IEEE 802.3ae, also known as 10GbE
- Operates only at full duplex
- The standard defines several transceivers that can be used as PMD (physical media dependent) interfaces, classified as
  o LAN PHY: interconnects switches in a campus network (at the core layer)
  o WAN PHY: connects to SONET (Synchronous Optical Network) and SDH (Synchronous Digital Hierarchy) networks in metropolitan area networks


- 10GBASE-LX4 is only a LAN PHY; the remaining PMDs can be used as either a LAN PHY or a WAN PHY

Ethernet port cables and connectors
- Catalyst switches support a variety of network connections, including all forms of Ethernet
- They support several types of cabling, including UTP and optical fiber
- Fast Ethernet (100BASE-FX) ports use two-strand MMF with MT-RJ or SC connectors
- All Catalyst switch families support 10/100 autosensing for Fast Ethernet and 10/100/1000 autosensing for Gigabit Ethernet; these ports use RJ-45 connectors on Category 5 UTP cabling (4 pairs)

Gigabit Ethernet port cables and connectors
- Catalyst switches with Gigabit Ethernet ports have standardized rectangular openings that accept gigabit interface converter (GBIC) or small form-factor pluggable (SFP) modules
- The GBIC and SFP modules provide the media "personality" for the port so that various cable media can be connected
- GBIC modules can use SC fiber-optic and RJ-45 UTP connectors
- SFP modules can use LC and MT-RJ fiber-optic and RJ-45 UTP connectors
- GBIC and SFP modules are available for the following Gigabit Ethernet media
  o 1000BASE-SX: SC fiber connectors and MMF for distances up to 550 m
  o 1000BASE-LX/LH: SC fiber connectors and either MMF or SMF for distances up to 10 km
  o 1000BASE-ZX: SC fiber connectors and SMF for distances of 70 km to 100 km
  o GigaStack: provides a GBIC-to-GBIC connection between stacking Catalyst switches or between any two Gigabit switch ports over a short distance
  o 1000BASE-T: RJ-45 connector for four-pair UTP cabling for distances up to 100 m


- On fiber-based modules the receive fiber is always on the left connector and the transmit fiber on the right connector when facing the connector
- These modules emit invisible laser radiation from the transmit connector; never look directly into the connector

Switch port error conditions
- A Catalyst switch monitors every switch port for a number of error conditions
- If an error condition is detected, the switch port is put into the errdisable state and shut down


LESSON 3 : VLANs AND TRUNKs


Flat network
- A network that is switched only at Layer 2 is called a flat network topology
- A flat network is a single broadcast domain: every device sees every broadcast packet
- To overcome the problems of a flat topology, the network is subdivided into logical areas called VLANs
- A VLAN is a single broadcast domain
- A VLAN consists of hosts defined as members, communicating as one logical network segment
- Devices in a VLAN see broadcast packets sent by members of the same VLAN only
- Communication between VLANs is not possible without a Layer 3 device (router or multilayer switch)

VLAN - Virtual LAN
- VLANs are identified by numbers called VLAN IDs
- The normal VLAN ID range is 1-1005
- VLAN 1 is the default VLAN; by default all ports are assigned to VLAN 1
- VLANs 1002-1005 are reserved for legacy functions related to Token Ring and FDDI
- Catalyst switches also support an extended range, VLANs 1006-4094, for compatibility with the IEEE 802.1Q standard
- The extended range can be configured only when the switch is in VTP transparent mode; VTP versions 1 and 2 do not replicate extended VLANs, VTP version 3 does
- Switches keep VLAN definitions and VTP configuration in a separate file called vlan.dat in flash memory


VLAN membership
Ports can gain membership in a VLAN in two ways
- Static VLAN configuration
  o Manual configuration of ports into VLANs (port-based VLAN membership)
  o End-user devices become VLAN members based on the physical switch port they connect to
  o Each port receives a port VLAN ID (PVID) that associates it with a VLAN number
  o The end-user device is not aware of its VLAN membership
  o Static VLAN membership is handled in hardware by ASICs
- Dynamic VLAN configuration
  o Ports are assigned to VLANs dynamically, based on the end user's MAC address
  o A VLAN Membership Policy Server (VMPS) is needed to hold the MAC address database
  o When a device conn
ects to a switch port, the switch queries the VMPS for that MAC's VLAN membership and assigns the port accordingly
  o The VMPS can be configured with the CiscoWorks application

Deploying VLANs
- Cisco recommends a one-to-one correspondence between VLANs and IP subnets
- Cisco recommends fewer than 254 devices per broadcast domain (a /24 subnet)
- Limiting the devices in a broadcast domain improves network performance
- VLANs should not extend beyond the Layer 2 domain of the distribution switch; that is, VLANs should not reach the network's core layer


VLANs can be scaled in the switch block by using two basic methods
- End-to-end VLANs
  o Also called campus-wide VLANs; span the entire switch fabric of a network
  o Maximum flexibility and support for end-user moves
  o The VLAN is available at the access layer in every switch block in the campus
  o Follows the 80/20 rule (80% local, 20% remote traffic)
  o Not recommended in the Enterprise Composite Network Model (ECNM), because broadcast traffic is carried all the way to the far ends
  o Difficult to maintain
- Local VLANs
  o Do not span the entire switch fabric of a network; VLANs are local to a specific switch block
  o Follows the 20/80 rule (20% local, 80% remote traffic)
  o Recommended in the ECNM
  o Provides maximum manageability

Trunk Links

- VLAN connectivity between switches is possible by connecting one access link per VLAN, but this does not scale when many VLANs exist
- Multiple access links can be replaced with a single trunk link
- A trunk link can transport more than one VLAN through a single switch port
- Switch ports are therefore categorized into access ports and trunk ports
- An access port is associated with a single VLAN
- A trunk port can carry one, many or all active VLANs
- Cisco supports trunking on Fast Ethernet, Gigabit Ethernet and aggregated (EtherChannel) links


Frame Tagging
- As trunk links carry data for multiple VLANs, the switches must identify which VLAN each frame belongs to
- The VLAN ID is attached to the frames while they travel across trunk links
- The trunk port adds the VLAN ID to the normal Ethernet frame before sending it across the trunk link; this frame is called a tagged Ethernet frame
- The trunk port removes the VLAN ID from the tagged Ethernet frame before sending it to an end system, because an end system understands only the normal frame
- Attaching a VLAN identifier to a normal Ethernet frame is called frame tagging or frame encapsulation

Frame tagging can be done in two ways: ISL (Inter-Switch Link, Cisco proprietary) and IEEE 802.1Q (dot1Q)

Dot1Q Frame tagging

- The tag is 4 bytes: the first two bytes are the TPID (tag protocol identifier) and the last two bytes are the TCI (tag control information)
- The TPID always has the value 0x8100 to signify an 802.1Q tag
- The TCI contains a 3-bit priority field used to implement CoS (class of service)
- 1 bit of the TCI is the CFI (canonical format indicator), which identifies whether the MAC address is in Ethernet (canonical, little-endian) or Token Ring (non-canonical, big-endian) format
- The last 12 bits of the TCI are the VLAN ID, which indicates the source VLAN of the frame
- The VLAN ID can have values from 0 to 4095, but VLANs 0, 1 and 4095 are reserved

Frame tagging errors
- The maximum normal Ethernet frame size is 1518 bytes
- Frame tagging increases the frame size to 1522 bytes (802.1Q) or 1548 bytes (ISL)
- Generally these frames exceed the MTU size and are reported as baby giant frames
- Switches usually report these frames as Ethernet errors or oversize frames, but they have to forward them anyway
- In the case of ISL, Catalyst switches use proprietary hardware
- In the case of 802.1Q, switches comply with the IEEE 802.3ac standard, which allows frames of 1522 bytes

Native VLANs
- The native VLAN is the VLAN whose frames are not tagged on the trunk
- Native VLANs are supported only with IEEE 802.1Q trunking; ISL has no concept of a native VLAN
- The native VLAN must match at both ends of the trunk link
- By default VLAN 1 is the native VLAN
- Native VLANs are useful if an Ethernet segment carrying untagged traffic is connected between trunk links
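The 802.1Q tag layout, the 1518 to 1522 byte size increase and the native VLAN rule from the three sections above, as an added Python example that is not part of the original notes. The Ethernet frame used as input is constructed; the frame lengths exclude the 4-byte FCS except where the `is_baby_giant` check explicitly adds it back.

```python
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518       # including the 4-byte FCS
MAX_TAGGED_FRAME = 1522         # IEEE 802.3ac allows the extra 4 bytes of tag


def is_valid_vid(vid):
    """VIDs 0 and 4095 are reserved by 802.1Q and never carry traffic; 1 is the default
    VLAN, usable on the wire even though the notes list it as reserved."""
    return 1 <= vid <= 4094


def tag_frame(frame, vid, pcp=0, cfi=0):
    """Insert the 4-byte 802.1Q tag after the source MAC: TPID (2 bytes) + TCI (2 bytes).

    TCI = 3-bit priority (PCP) | 1-bit CFI | 12-bit VLAN ID.
    """
    if not is_valid_vid(vid):
        raise ValueError("reserved VLAN ID %d" % vid)
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, cfi, untagged_frame) for a tagged frame, or None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, frame[:12] + frame[16:])


def trunk_egress(frame, vid, native_vid):
    """Frames of the native VLAN leave an 802.1Q trunk untagged; all others get a tag."""
    return frame if vid == native_vid else tag_frame(frame, vid)


def trunk_ingress(frame, native_vid):
    """An untagged frame arriving on the trunk is assigned to the native VLAN."""
    parsed = parse_tag(frame)
    if parsed is None:
        return native_vid, frame
    vid, _, _, untagged = parsed
    return vid, untagged


def is_baby_giant(frame_len_with_fcs):
    """A maximum-size frame that grew by exactly one tag."""
    return MAX_UNTAGGED_FRAME < frame_len_with_fcs <= MAX_TAGGED_FRAME
```

The `trunk_ingress` rule is the reason the native VLAN must match at both ends: an untagged frame has no VLAN information of its own, so each switch assigns it to whatever its own native VLAN is, and a mismatch silently moves traffic between VLANs.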


DTP - Dynamic Trunking Protocol
- DTP is a Cisco proprietary point-to-point protocol used to negotiate a common trunking mode between two switches
- A trunk link can be negotiated between two switches only if they belong to the same VTP management domain, or if at least one of them is in the NULL domain
- If the two switches belong to different VTP management domains, negotiation is not possible and the trunk mode has to be set to ON manually on both sides
- By default DTP frames are sent every 30 seconds to keep the neighboring switch port informed of the link mode
- The trunk encapsulation is negotiated to either ISL or IEEE 802.1Q, whichever both ends support; if both ends support both, ISL is preferred
- DTP is enabled by default

Trunk negotiation

Local switchport mode   Far-end switchport mode             Result
Access                  Access, trunk, desirable or auto    No trunk
Trunk                   Trunk, desirable or auto            Trunk
Desirable               Trunk, auto or desirable            Trunk
Auto                    Trunk or desirable                  Trunk
Auto                    Auto                                No trunk
Nonegotiate             Desirable or auto                   No trunk (no DTP frames are sent, so the far end trunks only if it is itself configured as a trunk manually)
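The trunk negotiation table above, as an added Python function that is not part of the original notes. It also applies the VTP-domain condition from the DTP section, and its nonegotiate handling reflects that such a port sends no DTP frames, so the far end trunks only if it is itself set to trunk unconditionally. The `audit_ports` helper and the port list it runs on are constructed for the example.

```python
DTP_MODES = {"access", "trunk", "desirable", "auto", "nonegotiate"}
UNCONDITIONAL_TRUNK = {"trunk", "nonegotiate"}    # trunks regardless of what DTP says


def will_trunk(local, remote, local_domain=None, remote_domain=None):
    """True if the link between two switch ports ends up as a trunk.

    A domain of None stands for the NULL VTP domain, which negotiates with anything.
    """
    if local not in DTP_MODES or remote not in DTP_MODES:
        raise ValueError("unknown DTP mode")
    # An access port never trunks, whatever the far end does
    if "access" in (local, remote):
        return False
    # A nonegotiate port sends no DTP, so the far end must be an unconditional trunk too
    if "nonegotiate" in (local, remote):
        return local in UNCONDITIONAL_TRUNK and remote in UNCONDITIONAL_TRUNK
    # Two auto ports both wait to be asked, so nothing happens
    if local == "auto" and remote == "auto":
        return False
    # DTP negotiation only succeeds inside one VTP domain; across domains only
    # ports set to trunk on both sides form a trunk
    if local_domain and remote_domain and local_domain != remote_domain:
        return local == "trunk" and remote == "trunk"
    return True


def audit_ports(ports):
    """Names of user-facing ports whose mode lets whatever is plugged in negotiate a trunk.

    `ports` is a list of (name, mode, is_user_facing) tuples, constructed input.
    """
    return [name for name, mode, user_facing in ports
            if user_facing and mode in ("desirable", "auto")]
```

The audit is the practical use of the table: because DTP is on by default, a user-facing port left in auto or desirable will form a trunk with any device that sends DTP desirable frames, so ports that should be access ports are set to access mode explicitly, and trunk ports that need no negotiation get nonegotiate.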


LESSON 4 : VTP
- A campus network contains many switches, so managing VLANs on each one individually is not easy
- Cisco developed VTP (VLAN Trunking Protocol) to manage VLANs across a campus network
- VTP carries VLAN information from one switch to another automatically, allowing the switches to replicate VLAN information dynamically
- VTP uses Layer 2 trunk frames to communicate VLAN information among a group of switches
- VTP manages the addition, deletion and renaming of VLANs across the network from a central point of control
- VTP VLAN information is stored in the vlan.dat file in flash

VTP domains
- VTP is organized into management domains
- Switches in the same VTP domain share VLAN information; switches in different VTP domains do not
- By default the domain name is NULL
- All VTP operations are driven by VTP advertisements, and VLAN replication is bounded by the VTP domain

VTP modes
VTP works in three modes: server, client and transparent

                              Server mode           Client mode            Transparent mode
VLAN configuration            Possible              Not possible           Possible
Relationship to the server    Server is the master  Follows the server     Does not follow the server
VLAN replication              Yes                   Yes                    No
VTP information synchronized  Yes                   Yes                    No
Default mode                  Yes                   No                     No
Number of switches            At least one server   As many as required    As many as required
Relays VTP advertisements     Yes                   Yes                    Only in VTP version 2


VTP advertisements
- All VTP operations are driven by VTP advertisements, which are sent as multicast frames
- By default VTP advertisements are non-secure, i.e. sent without a password
- If secure mode is enabled, the VTP password must be the same on every switch that is to share VTP advertisements
- VTP switches use an index called the VTP configuration revision number to keep track of the most recent information; every switch stores the latest revision number it has seen
- A VTP process always starts with a configuration revision number of 0
- Every change on the server increments the configuration revision number by 1
- If a new server switch with a higher revision number is added to the network, it can collapse the network with its VTP advertisements: every switch sees the higher revision number, synchronizes to it and may delete its existing VLAN information. This is called the VTP synchronization problem
- To avoid this, the revision number of a switch must be reset to 0 before it is connected. To reset the revision number
  o Change the switch's VTP mode to transparent and then back to server, or
  o Change the switch's VTP domain to a bogus name and then change it back to the original name

VTP advertisements come in three forms
- Summary advertisements
  o Sent by the server every 300 seconds and whenever a VLAN database change occurs
  o Include summary information only (domain name, revision number and the like)
- Subset advertisements
  o Sent by the server when a VLAN configuration change occurs
  o Contain information about every VLAN
- Advertisement requests from clients
  o Sent by a client as a query when it needs VLAN information
  o The server replies with subset advertisements

[Figures showing the summary advertisement, subset advertisement and advertisement request formats are not reproduced.]
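The revision-number behaviour and the VTP synchronization problem described above, as an added Python model that is not part of the original notes. Switch names, domain names, VLANs and the password are constructed; the digest is a simplified MD5 over domain, password, revision and VLAN list, standing in for the real VTP MD5 digest whose exact input the notes do not describe.

```python
import hashlib


class VTPSwitch:
    def __init__(self, name, mode="server", domain=None, password=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = 0                   # every VTP process starts at revision 0
        self.vlans = {1: "default"}

    def _digest(self, revision, vlans):
        # Simplified stand-in for the VTP MD5 digest: domain, password and the advertised
        # configuration must all agree for an advertisement to be accepted
        data = "%s|%s|%d|%s" % (self.domain, self.password or "", revision, sorted(vlans.items()))
        return hashlib.md5(data.encode()).hexdigest()

    def configure_vlan(self, vid, name):
        """Create or rename a VLAN; only servers and transparent switches allow this."""
        if self.mode == "client":
            raise PermissionError("%s is a VTP client: VLAN configuration not allowed" % self.name)
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1               # each change bumps the configuration revision

    def reset_revision(self):
        """What 'vtp mode transparent' followed by 'vtp mode server' achieves: revision back to 0."""
        self.revision = 0

    def summary_advertisement(self):
        return {"domain": self.domain, "revision": self.revision,
                "digest": self._digest(self.revision, self.vlans),
                "vlans": dict(self.vlans)}   # the subset data is carried along for simplicity

    def receive(self, adv):
        """Apply an advertisement; return what the switch did with it."""
        if self.mode == "transparent":
            return "relayed"                 # forwarded on trunks, never applied locally
        if adv["domain"] != self.domain:
            return "ignored: other domain"
        if adv["digest"] != self._digest(adv["revision"], adv["vlans"]):
            return "ignored: digest mismatch"    # password differs on one side
        if adv["revision"] <= self.revision:
            return "ignored: not newer"
        # A higher revision wins unconditionally: the local VLAN database is replaced
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "synchronized"


def lab_switch_rejoins(reset_first):
    """Scenario from the notes: a lab server switch with a high revision number is plugged
    back into the production domain. Returns the production VLAN IDs afterwards."""
    prod = VTPSwitch("prod-core", "server", "CORP")
    for vid in (10, 20, 30):
        prod.configure_vlan(vid, "vlan%d" % vid)       # revision 3
    lab = VTPSwitch("lab-sw", "server", "CORP")
    for i in range(50):                                 # many lab changes: revision 50
        lab.configure_vlan(999, "lab-%d" % i)
    if reset_first:
        lab.reset_revision()
    prod.receive(lab.summary_advertisement())
    return sorted(prod.vlans)
```

Note that a client is not protected by its own mode: a client in the same domain with the same password accepts the higher revision just as a server does, which is why the reset of the revision number before connecting a switch, and a VTP password, are both part of the procedure rather than alternatives.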


VTP versions
- Version 1
  o Default version
  o Transparent mode does not relay VTP advertisements
  o Supports VLAN IDs 1-1005 only
  o Can coexist with version 2
  o No consistency checks on VTP information to prevent errors
  o Does not support Token Ring
  o Does not propagate unrecognized TLVs (type, length, value)
- Version 2
  o Not the default version
  o Transparent mode relays VTP advertisements
  o Supports VLAN IDs 1-1005 only
  o Can coexist with version 1
  o Performs consistency checks on VTP information to prevent errors
  o Supports Token Ring
  o Propagates unrecognized TLVs
- Version 3
  o Not the default version (a future version at the time these notes were written)
  o Transparent mode relays VTP advertisements
  o Supports VLAN IDs 1-4094, including the extended range

If a VTP version is set on the server switch, it is propagated automatically to the client switches, provided they support that version


VTP pruning
- VTP pruning reduces unnecessary flooded traffic and makes more efficient use of trunk bandwidth
- With VTP pruning, broadcast and unknown unicast traffic for a VLAN is forwarded over a trunk link only if the receiving switch has active ports in that VLAN
- VTP pruning improves network performance and consumes fewer switch processing cycles
- By default VTP pruning is disabled on IOS-based switches
- VLAN 1 carries management and control information; VLAN 1 and VLANs 1002-1005 are not eligible for pruning
- VLANs 2-1001 are eligible for pruning
- VTP pruning has no effect on transparent switches; there, VLANs must be pruned from trunk links manually

[Figures showing trunks without and with VTP pruning, and the VTP pruning configuration, are not reproduced.]


LESSON 5 : LINK AGGREGATION


EtherChannel
- Individual physical links can be bundled together to aggregate the bandwidth between switches
- The bundle works like a single logical channel between the switches, called an EtherChannel
- 2 to 8 physical links can be bundled together in an EtherChannel
  o FEC (Fast EtherChannel): 100 Mbps links bundled together, up to 800 Mbps per direction (1600 Mbps full-duplex throughput)
  o GEC (Gigabit EtherChannel): 1 Gbps links bundled together, up to 8 Gbps per direction (16 Gbps full-duplex throughput)
  o 10GEC (10 Gigabit EtherChannel): 10 Gbps links bundled together, up to 80 Gbps per direction (160 Gbps full-duplex throughput)
- Parallel links between switches would normally create Layer 2 loops, but EtherChannel combines them into a single logical link
- On an EtherChannel, traffic is not distributed equally among the individual links; a load-balancing (hashing) algorithm selects one of the links for each frame
- Only physical links with the same speed and properties can be bundled
- An EtherChannel can be an access link or a trunk link
- EtherChannel provides redundancy: if one link within the channel fails, its traffic is moved to the remaining links; failover takes a few milliseconds at most

EtherChannel traffic distribution
- Traffic is not distributed equally across all links of an EtherChannel
- Distribution is based on a hashing algorithm, whose input can be
  o Source IP
  o Destination IP
  o Source and destination IP
  o Source MAC
  o Destination MAC
  o Source and destination MAC
  o Source port
  o Destination port
  o Source and destination port


- The hash algorithm computes a binary pattern that selects a link number in the bundle to carry each frame
- If only one address or port number is used, the algorithm takes one or more of its low-order bits
- If two addresses or port numbers are used, the algorithm performs an XOR (exclusive OR) on one or more of their low-order bits

[Figures showing link selection when one address, and when two addresses, are used in the distribution algorithm are not reproduced.]

- A conversation between two devices is always sent over the same EtherChannel link, because the two endpoint addresses stay the same

If there is a high-volume conversation between two servers, it always uses the same Etherchannel link as a result of the distribution algorithm. This can lead to load imbalance
To avoid this, Source-Destination ports can be used as the load-balancing method, so that each TCP/UDP session can hash to a different link
When a device talks to multiple devices, the traffic can be distributed over several Etherchannel links by the distribution algorithm

Etherchannel load balancing

Method         Hash input                    Hash operation   Switch model
src-ip         Source IP                     Bits             All models
dst-ip         Destination IP                Bits             All models
src-dst-ip     Source and destination IP     XOR              All models
src-mac        Source MAC                    Bits             All models
dst-mac        Destination MAC               Bits             All models
src-dst-mac    Source and destination MAC    XOR              All models
src-port       Source port                   Bits             6500, 4500
dst-port       Destination port              Bits             6500, 4500
src-dst-port   Source and destination port   XOR              6500, 4500

For L2 switching the default load-balance method is src-mac
For L3 switching the default load-balance method is src-dst-ip
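The link selection described above (low-order bits of one field, XOR of two fields, result mapped onto the bundle), written out as an added Python example that is not part of this study material. The bundle size, the frame fields and the server conversation are constructed for illustration; the real Catalyst hash is proprietary, so the example shows the principle and the resulting load pattern rather than any platform's exact bucket numbers.

```python
import ipaddress

LINKS_IN_BUNDLE = 4   # constructed bundle size (an Etherchannel has 2 to 8 links)
HASH_BITS = 3         # 3 low-order bits select one of up to 8 links


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def _low_bits(value: int) -> int:
    return value & ((1 << HASH_BITS) - 1)


def hash_link(method: str, frame: dict, links: int = LINKS_IN_BUNDLE) -> int:
    """Return the index (0..links-1) of the bundle member that carries `frame`.

    Single-field methods use the low-order bits of that field; two-field
    methods XOR the low-order bits of both fields.  The 3-bit result is then
    folded onto the available links (assumed mapping, see lead-in).
    """
    inputs = {
        "src-ip": (_ip_int(frame["src_ip"]),),
        "dst-ip": (_ip_int(frame["dst_ip"]),),
        "src-dst-ip": (_ip_int(frame["src_ip"]), _ip_int(frame["dst_ip"])),
        "src-mac": (_mac_int(frame["src_mac"]),),
        "dst-mac": (_mac_int(frame["dst_mac"]),),
        "src-dst-mac": (_mac_int(frame["src_mac"]), _mac_int(frame["dst_mac"])),
        "src-port": (frame["src_port"],),
        "dst-port": (frame["dst_port"],),
        "src-dst-port": (frame["src_port"], frame["dst_port"]),
    }
    if method not in inputs:
        raise ValueError(f"unknown load-balance method {method!r}")
    if not 2 <= links <= 8:
        raise ValueError("an Etherchannel bundles 2 to 8 links")
    bucket = 0
    for value in inputs[method]:
        bucket ^= _low_bits(value)      # one field: its bits; two fields: XOR of both
    return bucket % links


def distribution(method: str, frames: list, links: int = LINKS_IN_BUNDLE) -> dict:
    """Count how many of `frames` land on each link under `method`."""
    counts = {i: 0 for i in range(links)}
    for frame in frames:
        counts[hash_link(method, frame, links)] += 1
    return counts


def sample_conversation(sessions: int = 100) -> list:
    """Constructed sample: one busy server pair, `sessions` TCP sessions to port 443."""
    return [
        dict(src_ip="10.1.1.10", dst_ip="10.1.1.20",
             src_mac="0011.2233.4455", dst_mac="0011.2233.4466",
             src_port=40000 + i, dst_port=443)
        for i in range(sessions)
    ]


if __name__ == "__main__":
    frames = sample_conversation()
    for method in ("src-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13s} {distribution(method, frames)}")
```

Run stand-alone it prints the per-link counts: every address-based method pins the whole server-to-server conversation to one link, while src-dst-port spreads the 100 sessions evenly over the four links, which is the imbalance and the fix described above.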

Etherchannel Protocols
Etherchannel negotiation protocols are used to provide dynamic link configuration
Two protocols are available to negotiate bundled links on Catalyst switches
  o PAgP - Port Aggregation Protocol - Cisco proprietary solution
  o LACP - Link Aggregation Control Protocol - open standard solution

Negotiation mode   PAgP        LACP      Negotiation packets sent   Characteristics
On                 On          On        No                         All ports channeling, no negotiation
Passive            Auto        Passive   Yes                        Waits to channel until asked
Active             Desirable   Active    Yes                        Actively asks to form a channel

PAgP

PAgP packets are exchanged between switches over Etherchannel-capable ports
PAgP forms an Etherchannel only on ports that are configured for identical static VLANs or trunking
PAgP dynamically modifies parameters of the Etherchannel if one of the bundled ports is modified (VLAN ID, speed, duplex)
PAgP configured in desirable mode asks the far-end switch to negotiate an Etherchannel
PAgP configured in auto mode (default) waits to be asked by the far-end switch to negotiate an Etherchannel

LACP

Defined in IEEE 802.3ad (Clause 43)
LACP packets are exchanged between switches over Etherchannel-capable ports
The switch with the lowest system ID (2-byte system priority followed by the 6-byte switch MAC) makes the decisions about which ports actively participate in the Etherchannel
Ports are selected and become active according to their lowest port ID (2-byte port priority followed by the 2-byte port number)
A set of up to 16 potential links can be defined for each Etherchannel
The 8 ports with the lowest port IDs are grouped together; the remaining ports are standby
LACP configured in active mode asks the far-end switch to negotiate an Etherchannel
LACP configured in passive mode waits to be asked by the far-end switch to negotiate an Etherchannel
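The LACP selection rule above (lowest system ID decides, links ordered by port ID, 8 active out of up to 16), as an added Python example that is not part of this study material. The two switches, their MACs and the ten parallel links are constructed; the point it makes is that port priorities only count on the switch that wins the system ID comparison.

```python
from dataclasses import dataclass, field

MAX_ACTIVE = 8        # links that carry traffic
MAX_POTENTIAL = 16    # links that can be configured in one channel
DEFAULT_PRIORITY = 32768


@dataclass
class LacpSystem:
    name: str
    system_priority: int
    mac: str
    # port number -> port priority; anything not listed uses the default
    port_priority: dict = field(default_factory=dict)

    def system_id(self):
        """2-byte system priority followed by the 6-byte MAC; lower wins."""
        return (self.system_priority, int(self.mac.replace(".", ""), 16))

    def port_id(self, port: int):
        """2-byte port priority followed by the 2-byte port number; lower is preferred."""
        return (self.port_priority.get(port, DEFAULT_PRIORITY), port)


def lacp_select(local: LacpSystem, remote: LacpSystem, links: list):
    """links: (local_port, remote_port) pairs configured into the channel.

    Returns (deciding system name, active local ports, standby local ports).
    The system with the lowest system ID decides and orders the links by ITS
    OWN port IDs, so priorities configured on the other switch are ignored.
    """
    if not 1 <= len(links) <= MAX_POTENTIAL:
        raise ValueError(f"LACP allows at most {MAX_POTENTIAL} potential links")
    decider = local if local.system_id() <= remote.system_id() else remote
    side = 0 if decider is local else 1
    ordered = sorted(links, key=lambda pair: decider.port_id(pair[side]))
    active = [pair[0] for pair in ordered[:MAX_ACTIVE]]
    standby = [pair[0] for pair in ordered[MAX_ACTIVE:]]
    return decider.name, active, standby


def sample_switches():
    """Constructed sample: ten parallel links; SW-A prefers its ports 9 and 10,
    but SW-B has the lower system ID (same priority, lower MAC)."""
    local = LacpSystem("SW-A", DEFAULT_PRIORITY, "0000.0000.000a", {9: 100, 10: 100})
    remote = LacpSystem("SW-B", DEFAULT_PRIORITY, "0000.0000.0001")
    links = [(p, p) for p in range(1, 11)]
    return local, remote, links


if __name__ == "__main__":
    local, remote, links = sample_switches()
    print(lacp_select(local, remote, links))     # SW-B decides, ports 9 and 10 end up standby
    local.system_priority = 4096                 # make SW-A the deciding system
    print(lacp_select(local, remote, links))     # now ports 9 and 10 are active
```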

Etherchannel Status

LESSON 6 : SWITCH FUNCTIONING


Example 1:

Example 2:

Loops

In L3 networks, multiple paths to a destination offer redundancy or load balancing
In L2 networks, multiple paths to a destination create loops
In switched networks, loops occur if a switch has multiple paths to another switch
This is the situation where a single frame propagates between switches multiple times, over various paths

Broadcast Storm
If a system broadcasts (or a switch does unknown unicast flooding) in a looped network, a single frame reaches all systems as multiple copies over various paths
It consumes switch processing cycles and memory
Finally network performance comes down
This situation is called a broadcast storm

Avoiding Loops
Ensure the switches have only one active path to reach every other switch

Loop Prevention
Redundancy is required between switches to avoid network outages
Backup paths are required to achieve 100% network uptime
At the same time, loops must be avoided
This is done dynamically by the Spanning Tree Protocol (STP)
STP automatically blocks the ports that would cause loops

LESSON 7 : TRADITIONAL STP


BPDU
BPDU - Bridge Protocol Data Unit
STP operations are performed by exchanging BPDU messages between switches
By default BPDUs are sent every 2 seconds
A switch sends BPDU frames to other switches using its own MAC as source MAC and 01-80-c2-00-00-00 as destination MAC
01-80-c2-00-00-00 is the STP multicast MAC address (for comparison, IP multicast MACs are 01-00-5e-00-00-00 to 01-00-5e-7f-ff-ff)
Two types of BPDU
  o Configuration BPDU - used for spanning tree computation
  o TCN BPDU - Topology Change Notification BPDU - used to announce changes in the network topology

CONFIGURATION BPDU

Bridge ID

STP Link Cost
In the STP process, each link is given a number called cost
Cost is used to prefer high-speed links and block the slowest links when breaking loops
High-speed links have low cost
To support high-speed links, the STP cost standard was revised
The new STP cost values are in use at present

Link bandwidth   Old STP cost   New STP cost
4 Mbps           250            250
10 Mbps          100            100
16 Mbps          63             62
45 Mbps          22             39
100 Mbps         10             19
155 Mbps         6              14
622 Mbps         2              6
1 Gbps           1              4
10 Gbps          0              2

STP Terminology
BPDU   Bridge Protocol Data Unit   Fundamental message in the STP process
RB     Root Bridge                 Switch with the lowest bridge ID
NRB    Non-Root Bridge             Switches other than the RB
RP     Root Port                   Port on an NRB that has the best-cost path to the RB. Goes to forwarding state
DP     Designated Port             Port on a LAN segment that has the best-cost path to the RB. Goes to forwarding state
NDP    Non-Designated Port         Port neither RP nor DP. Goes to blocking state (BLK)

STP Process
1. Electing the Root Bridge
2. Electing the Root Port per switch
3. Electing the Designated Port per segment
4. Electing the Non-Designated Ports
Reference STP Topology for Analysis

This topology has multiple switches and multiple loops. The links have different speeds as shown in the figure. STP can be explained using this physically looped topology. The result is a logically loop-free topology

1. Electing Root Bridge
All ports on all switches are in blocking state initially
Every switch treats itself as the Root Bridge when the STP process starts
Every switch sends BPDUs to the other switches
BPDUs carry bridge ID information used to select the Root Bridge
Finally only one switch, the one with the lowest bridge ID, is elected as Root Bridge
If the priority is the same, the switch with the lowest MAC becomes the Root Bridge

2. Electing Root Ports
A switch may have multiple paths to reach the Root Bridge
The port with the best-cost path to the RB is elected as the Root Port
High-speed ports have the best-cost paths, since cost is inversely proportional to speed
Only one Root Port exists per switch. The Root Port goes to forwarding state
If there is a tie in selecting the RP, the link from the neighbor switch with the lowest bridge ID is preferred
If there is still a tie, the port ID is compared, and the link from the neighbor's lowest port ID (sender port ID) is preferred

3. Electing Designated Port Per Segment
The port on the segment that has the best-cost path to the RB is elected as the Designated Port (DP)
Only one DP exists per segment (switch-to-switch link). The DP goes to forwarding state
All the ports on the Root Bridge are Designated Ports
If there is a tie in selecting the DP, the port on the switch with the lowest bridge ID is preferred
If there is still a tie, the port ID is compared, and the port with the lowest port ID is preferred
Tie break order: lowest Root Bridge ID / lowest root path cost / lowest sender bridge ID / lowest sender port ID

4. Electing Non-Designated Ports
A port that is neither RP nor DP becomes a Non-Designated Port
A Non-Designated Port goes to blocking state. An NDP is also called a blocked port (BLK)
These ports have the chance to become active if an operational link fails
STP rebuilds the topology if something goes wrong with the active links
STP rebuilds the new topology by activating some blocked ports, ensuring a loop-free topology at all times
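The four election steps above, carried out in code on a small constructed topology, as an added Python example that is not part of this study material. The switch names, MACs, port numbers and link costs (taken from the new STP cost table) are constructed; the tie-break order is the one listed for the DP election, and the parallel B-D links are there to show the sender port ID tie-break in action.

```python
import heapq
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    switch: str
    number: int
    priority: int = 128            # default STP port priority

    def port_id(self):
        return (self.priority, self.number)


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def run_stp(switches: dict, links: list):
    """Classic 802.1D election over point-to-point segments.

    switches: name -> (bridge priority, MAC)
    links:    (Port, Port, cost) per segment, cost = new STP cost of the link
    Returns (root bridge name, root path cost per switch, role per Port).
    """
    bid = {name: (prio, _mac_int(mac)) for name, (prio, mac) in switches.items()}
    root = min(bid, key=bid.get)                     # step 1: lowest bridge ID

    adj = defaultdict(list)                           # switch -> (own port, far port, cost)
    for a, b, cost in links:
        adj[a.switch].append((a, b, cost))
        adj[b.switch].append((b, a, cost))

    # Root path cost: the link cost is added by the port that receives the BPDU
    dist = {name: float("inf") for name in bid}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, name = heapq.heappop(heap)
        if d > dist[name]:
            continue
        for _own, far, cost in adj[name]:
            if d + cost < dist[far.switch]:
                dist[far.switch] = d + cost
                heapq.heappush(heap, (d + cost, far.switch))

    # step 2: root port = best BPDU received, compared in the 802.1D order
    root_port = {}
    for name in bid:
        if name == root:
            continue
        own, _far, _cost = min(
            adj[name],
            key=lambda t: (dist[t[1].switch] + t[2], bid[t[1].switch],
                           t[1].port_id(), t[0].port_id()),
        )
        root_port[name] = own

    # steps 3 and 4: one designated port per segment, everything else blocks
    roles = {}
    for a, b, _cost in links:
        key = lambda p: (dist[p.switch], bid[p.switch], p.port_id())
        dp, other = (a, b) if key(a) < key(b) else (b, a)
        roles[dp] = "designated"
        roles[other] = "root" if root_port.get(other.switch) == other else "blocking"
    return root, dist, roles


def blocked_ports(roles: dict) -> list:
    return sorted((p.switch, p.number) for p, r in roles.items() if r == "blocking")


# Constructed sample topology (all bridge priorities left at the default 32768)
SWITCHES = {
    "A": (32768, "0000.0000.000a"),
    "B": (32768, "0000.0000.000b"),
    "C": (32768, "0000.0000.000c"),
    "D": (32768, "0000.0000.000d"),
}
LINKS = [
    (Port("A", 1), Port("B", 1), 19),   # 100 Mbps
    (Port("A", 2), Port("C", 1), 19),   # 100 Mbps
    (Port("B", 2), Port("C", 2), 4),    # 1 Gbps
    (Port("B", 3), Port("D", 1), 19),   # two parallel 100 Mbps links B-D: the root port
    (Port("B", 4), Port("D", 2), 19),   # tie on D is broken by B's lower sender port ID
]

if __name__ == "__main__":
    root, dist, roles = run_stp(SWITCHES, LINKS)
    print("root bridge:", root, "root path costs:", dist)
    for port, role in sorted(roles.items(), key=lambda kv: (kv[0].switch, kv[0].number)):
        print(f"{port.switch} port {port.number}: {role}")
```

A is elected root on the MAC tie-break, B and C both reach it at cost 19, so the fast B-C link is blocked on C's side (B has the lower bridge ID), and on D the two equal-cost uplinks are split by B's port numbers. Lowering D's priority in the second check of the test re-roots the whole tree, which is exactly what a rogue switch with a low bridge ID would do.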

STP Physical and Logical topologies

STP States
To participate in STP, each switch port progresses through 5 states: Disabled, Blocking, Listening, Learning, Forwarding
Disabled
  The disabled state is the shutdown state and is not a part of the normal STP progression
Blocking
  When a port initializes, it begins in the blocking state so that no loops can form
  The port is allowed only to receive BPDUs; it does not send BPDUs, learn MAC addresses or forward data
  The ports that are put into standby mode to remove a loop also enter the blocking state
Listening
  A port is moved from Blocking to Listening if the switch thinks that the port can be selected as a root port or designated port
  In the listening state the port is allowed to send and receive BPDUs
  If the port loses its RP or DP status in the STP process, it returns to the blocking state
  The port stays in the Listening state for 15 sec, the forward delay
Learning
  After the forward delay (15 sec) in the listening state, the port is moved to the learning state
  The port can send and receive BPDUs and learns MAC addresses to add them to the MAT
  The port stays in the Learning state for 15 sec, the forward delay
Forwarding
  After the forward delay (15 sec) in the learning state, the port is moved to the forwarding state
  Only RPs and DPs are moved to the forwarding state
  The port can send and receive BPDUs, learn MAC addresses and send and receive data
  Now the port is a fully functioning switch port in the STP topology

STP state    Port properties                                                       Duration
Disabled     Shutdown                                                              N/A (administratively down)
Blocking     Receive BPDUs                                                         Indefinite while needed to break a loop; Max Age (20 seconds) after BPDUs stop, before moving to Listening
Listening    Send and receive BPDUs                                                Forward delay (15 seconds)
Learning     Send and receive BPDUs, learn MAC addresses                           Forward delay (15 seconds)
Forwarding   Send and receive BPDUs, learn MAC addresses, send and receive data    Indefinite as long as the port is up and no loop is detected

STP Timers
STP uses three timers to make sure that the network converges properly before a bridging loop can form
STP timers give the switches time to receive and propagate network changes
The three STP timers
  o Hello Time - the time interval between configuration BPDUs sent by the Root Bridge. IEEE 802.1D default Hello time is 2 sec
  o Forward Delay - the time a port spends in the Listening and Learning states. Default is 15 sec
  o Maximum Age - the time interval that a switch stores a BPDU before discarding it. In the STP process every switch keeps a copy of the best BPDU it has learned. The BPDU ages out if the switch loses contact with the BPDU's source. The default Max Age is 20 sec

The default STP timers are designed around a reference model of an L2 network with a diameter of 7 switches including the Root Bridge (as shown in the above diagram)
STP timers can be changed from their default values
But careful network consideration is required before changing the values

The default STP timers work efficiently most of the time
The switch diameter (default 7) can be configured on the root switch
In this case, the Root Bridge automatically calculates new values for all three timers, which gives the best results for large networks

Timer           Function                                              Default value
Hello           Interval between configuration BPDUs                  2 seconds
Forward delay   Time spent in the Listening and Learning states       15 seconds
Max Age         Time a BPDU is stored without receiving an update     20 seconds

TCN BPDU
TCN BPDU - Topology Change Notification BPDU
Used to announce a change in the active network topology
A TCN BPDU does not carry any data; it only signals a topology change

A topology change occurs when a switch port goes down or up (moves to forwarding state or blocking state)
A switch that notices a topology change sends a TCN BPDU out of its RP
The switch keeps sending the TCN BPDU until an acknowledgment is received from the upstream switch
Finally the TCN BPDU reaches the Root Bridge
The Root Bridge then sets the TC flag in its configuration BPDUs, which reach all switches
All switches receive this configuration BPDU, understand that the topology has changed, and shorten their MAT aging time from the default 300 sec to the forward delay (15 sec)
Stale MAT entries are aged out quickly, so frames are flooded and addresses are relearned over the new topology instead of being forwarded into a dead path
The Root Bridge keeps the TC flag set for forward delay + Max Age (15 + 20 = 35 sec); systems actively communicating during this time keep refreshing their MAT entries and stay in the MAT
If a system connected to a switch port goes down, that also generates a TCN BPDU, which floods the network and finally causes the switches to age out their MATs
To avoid these undesired situations, the spanning-tree PortFast feature can be used on switch ports where end devices are connected

Topology Changes

STP TYPES
3 types of STP

STP type   Name                          Function
CST        Common Spanning Tree          One instance of STP, over the native VLAN. IEEE 802.1Q based
PVST       Per-VLAN Spanning Tree        One instance of STP per VLAN. Cisco ISL based
PVST+      Per-VLAN Spanning Tree plus   Provides interoperability between CST and PVST. Operates over both 802.1Q and ISL

LESSON 8 : STP CONFIGURATION


STP Configuration
By default, STP is enabled for all active VLANs and on all ports of a switch

Inefficient Root Bridge Election

Here STP has elected the RB with the default procedure and blocked high-speed links, which results in a poorly converged STP network
STP is fully automatic and converges the STP topology in the best way most of the time
In some networks, STP may elect a slower switch as Root Bridge
This leads to slow STP convergence and poor performance
In this case the Root Bridge can be configured statically
The method to elect a specific switch as root bridge is to change the default priority 32768 to a lower value

Root Bridge Configuration
Two formats to configure the STP bridge ID
  o Traditional 802.1D - bridge priority value (16 bits), followed by a unique switch MAC address for the VLAN
  o 802.1t extended system ID - 4-bit priority multiplier x 4096 + 12-bit VLAN ID, followed by a non-unique switch MAC address shared across VLANs
If the switch supports 1024 unique MAC addresses for its own use, the traditional method is enabled by default
If the switch cannot support 1024 unique MAC addresses for its own use, the extended system ID is enabled by default

Root Path Cost Configuration

Port ID
The port ID is a 16-bit quantity: 8 bits of port priority and 8 bits of port number
By default the port priority is 128 (range: 0-255)
The port number range is 0-255 and represents the port's actual physical mapping

STP Timers

Methods that allow faster STP convergence in the event of a link failure
PortFast - allows fast connectivity to be established on access-layer switch ports to hosts
UplinkFast - enables fast uplink failover on an access-layer switch when dual uplinks are connected to the distribution layer
BackboneFast - enables fast convergence in the network backbone (core) after a spanning-tree topology change occurs

PortFast

Because of spanning-tree convergence, the port initialization delay can be up to 50 sec (20 sec PAgP negotiation + 15 sec Listening state + 15 sec Learning state)
The ports connected to end-user devices do not need to follow STP convergence and timers, as loops do not occur at these ports
With the PortFast feature the port is immediately moved to the forwarding state, skipping the forward-delay timers

UplinkFast

If an access-layer switch is connected to two distribution switches with two uplinks, one uplink is in forwarding state and the second is in blocking state
If the primary uplink goes down, STP takes 50 sec to converge
But with the UplinkFast feature, the secondary uplink comes up immediately without waiting for the STP timers
UplinkFast works by keeping track of the possible paths to the root bridge
This feature is not allowed on the root bridge
UplinkFast provides a facility for upstream switches to learn the MAC addresses on the new uplink by sending dummy multicast frames
These frames contain the CAM table addresses as source MAC and 0100.0ccd.cdcd as destination MAC
These multicast frames are sent out at the rate specified by the max-update-rate parameter
The default is 150 packets per second. The range is 0-65535 pps
No dummy multicast frames are sent if the value is set to 0 pps

BackboneFast

BackboneFast works by having a switch actively determine whether alternative paths to the root bridge exist, in case the switch detects an indirect link failure (a link not connected directly)
A switch detects an indirect link failure when it receives an inferior BPDU
An inferior BPDU is generated by a designated bridge announcing itself as the new root, after it has lost connectivity with the root bridge
Normally a switch waits for the Max Age time before responding to an inferior BPDU
BackboneFast immediately begins to determine whether other alternate paths to the root bridge exist
If the inferior BPDU is received on a BLK port, the switch considers its RP and other BLK ports as alternate paths to the Root Bridge
If the inferior BPDU is received on the RP itself, the switch considers all its BLK ports as alternate paths to the Root Bridge
If the inferior BPDU is received on the RP and there are no BLK ports on the switch, BackboneFast allows the switch to become the Root Bridge before the Max Age timer expires
BackboneFast uses the Root Link Query (RLQ) protocol to check whether upstream switches have stable connections to the root bridge
RLQ requests and RLQ replies are sent between switches
BackboneFast operates by shortening the Max Age timer when needed
BackboneFast can reduce the maximum convergence delay only from 50 sec to 30 sec

STP Verification

LESSON 9 : PROTECT STP


Switch ports are assigned specific roles after STP convergence

Root Port          Port on a switch that has the best-cost path to the RB
Designated Port    Port on a LAN segment that has the best-cost path to the RB
Blocking Port      Port neither RP nor DP
Alternate Port     Ports that are candidate Root Ports but in blocking state. Used by the STP UplinkFast feature for fast convergence
Forwarding Port    Ports where no STP activity is running. Ports with end-user devices

Rogue Root Bridge
If a rogue switch with the lowest bridge ID joins the network by mistake, it is elected as RB and tries to re-converge the network, which is an undesired situation
To prevent a switch from becoming RB, two features can be used on switch ports
  o Root guard - prevents a switch from becoming RB by not accepting superior BPDUs. Legitimate (non-superior) BPDUs are still received
  o BPDU guard - prevents all BPDUs on a switch port, so nothing there can affect the Root Bridge
Root Guard
If root guard is enabled on a switch port and the port receives a superior BPDU, the new switch is not allowed to become the root
As long as superior BPDUs are being received on the port, the port is kept in the root-inconsistent STP state
No data can be sent or received in that state, but the port still listens to the BPDUs it receives
A root guard enabled port is expected to be a designated port that sends BPDUs downstream, not a port that receives superior BPDUs
By default root guard is disabled on all switch ports
It can be enabled only on a per-port basis
Root guard should be used only on the ports where the root bridge is not expected

BPDU Guard
If the port is an access port and PortFast is enabled, BPDUs are normally not expected
If a rogue switch with the lowest bridge ID is connected to such a switch port by mistake, it sends BPDUs and tries to re-converge the network, which is undesired
BPDU guard is used to prevent all BPDUs on a switch port from affecting the RB
A BPDU guard enabled port is put into the errdisable state if it receives a BPDU

By default, BPDU guard is disabled on all switch ports
BPDU guard should be used only on the ports where PortFast is enabled
BPDU guard should not be enabled on the ports where uplinks are connected, which could receive legitimate BPDUs

Loss of BPDUs
If BPDUs are not received in a timely manner, the timers expire and STP tries to re-converge the topology, even though there has been no topology change
To prevent the effects of unexpected loss of BPDUs, two features can be used
  o Loop guard
  o UDLD
Loop guard
BPDUs may sometimes be lost even though nothing has changed in the network
STP then tries to activate an NDP, creating a loop
Loop guard can be used to guard against unexpected loss of BPDUs
If loop guard is enabled on a port, it keeps track of the BPDU activity on NDPs
If BPDUs are missed, the port is moved to the loop-inconsistent state
The port is effectively blocking at this point, which keeps it an NDP, so no loop forms
When BPDUs are received on the port again, the port moves through the normal STP states
By default loop guard is disabled on all switch ports

UDLD
UDLD - Unidirectional Link Detection
  o Unidirectional link: the link transfers data in only one direction
  o Bidirectional link: the link transfers data in both directions

In a campus network all the switches use bidirectional links
Sometimes they become unidirectional links because of physical-layer problems
Unidirectional link problems occur mostly at fiber-optic media ports (GBIC, SFP)
If the link is unidirectional, BPDUs pass in only one direction; the other end cannot receive the BPDUs, so its STP timers expire
This leads to NDPs being activated, causing loops, because the link is not really down
UDLD is used to detect these unidirectional links
This is a Cisco proprietary solution
UDLD should be enabled on both ports of a link
A port sends special L2 UDLD frames and expects the far-end switch to echo those frames
If echo frames are received, the link is bidirectional, otherwise it is unidirectional
UDLD frames are sent every 15 seconds by default
The UDLD link detection time must be less than the STP convergence time, so that the link is detected before a loop forms
STP takes 50 seconds to move an NDP to forwarding state (20 sec Max Age + 15 sec Listening + 15 sec Learning)
UDLD takes 45 seconds (3 times the UDLD interval) to detect a unidirectional link
UDLD has two modes of operation
  o Normal mode - when a unidirectional condition is detected, the port is allowed to continue its operation. The port is marked as undetermined and a syslog message is generated
  o Aggressive mode - when a unidirectional condition is detected, the switch takes action to re-establish the link. UDLD messages are sent out once a second for 8 seconds. If no echoes are received, the port is put into the errdisable state and cannot be used
When UDLD is configured for the first time on a link, it does not disable the link before the far end is configured. It waits indefinitely for the neighbor to be configured
In an Etherchannel bundle, if one physical link is found to be unidirectional, UDLD disables only that link, not the entire channel

BPDU Filtering
The BPDU filtering feature is used to filter BPDUs on switch ports
Switch ports with BPDU filtering enabled cannot send or receive BPDUs
BPDU filtering can be enabled on switch ports where there is no chance of loops
The ports with end-user devices connected are eligible for BPDU filtering
This feature is disabled on all switch ports by default

STP Protection Verification

STP Protection features

Root guard: apply to ports where the root is never expected
BPDU guard: apply to all user ports where PortFast is enabled

Loop guard: apply to non-designated ports (can be applied to all ports also)
UDLD: apply to all fiber-optic links between switches (must be enabled on both ends)
STP Protection feature combinations
Permissible combinations on a switch port
  o Loop guard and UDLD
  o Root guard and UDLD
Not permissible combinations on a switch port
  o Root guard and loop guard
  o Root guard and BPDU guard
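The per-port behaviour of root guard, BPDU guard and loop guard described in this lesson, together with the combination rules just listed, as an added Python example that is not part of this study material. The port names are constructed and the model is deliberately reduced to the states the lesson names (root-inconsistent, errdisable, loop-inconsistent, listening); a real switch would also re-run the election, but the outcomes each feature produces on the guarded port are the ones described above.

```python
from dataclasses import dataclass, field


class ConfigError(ValueError):
    """Feature combination the lesson lists as not permissible on one port."""


@dataclass
class GuardedPort:
    name: str
    role: str                  # "designated", "root" or "blocking" after STP convergence
    portfast: bool = False
    root_guard: bool = False
    bpdu_guard: bool = False
    loop_guard: bool = False
    state: str = field(init=False, default="")
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.root_guard and self.loop_guard:
            raise ConfigError(f"{self.name}: root guard and loop guard cannot be combined")
        if self.root_guard and self.bpdu_guard:
            raise ConfigError(f"{self.name}: root guard and BPDU guard cannot be combined")
        if self.bpdu_guard and not self.portfast:
            self.log.append(f"{self.name}: warning, BPDU guard on a non-PortFast port "
                            "will errdisable a legitimate uplink")
        self.state = self._role_state()

    def _role_state(self) -> str:
        return "blocking" if self.role == "blocking" else "forwarding"

    def receive_bpdu(self, superior: bool = False) -> str:
        """A BPDU arrives; `superior` means it advertises a better root than the current RB."""
        if self.state == "errdisable":
            return self.state                          # stays down until recovered
        if self.bpdu_guard:
            self.state = "errdisable"                  # any BPDU at all shuts the port
            self.log.append(f"{self.name}: BPDU received on BPDU guard port, errdisabled")
        elif self.root_guard and superior:
            self.state = "root-inconsistent"           # rogue root candidate is ignored, port blocked
            self.log.append(f"{self.name}: superior BPDU ignored, root-inconsistent")
        elif self.state in ("root-inconsistent", "loop-inconsistent"):
            self.state = self._role_state()            # normal BPDUs again: resume the STP role
            self.log.append(f"{self.name}: BPDUs normal again, back to {self.state}")
        return self.state

    def max_age_expired(self) -> str:
        """No BPDU seen on this port for Max Age (20 s)."""
        if self.state == "errdisable":
            return self.state
        if self.state == "root-inconsistent":
            self.state = self._role_state()            # superior BPDUs stopped: automatic recovery
        elif self.role == "blocking":
            if self.loop_guard:
                self.state = "loop-inconsistent"       # kept blocking instead of unblocking
                self.log.append(f"{self.name}: BPDUs lost, loop-inconsistent")
            else:
                self.state = "listening"               # unguarded NDP starts to unblock: loop risk
                self.log.append(f"{self.name}: BPDUs lost, moving toward forwarding (possible loop)")
        return self.state

    def errdisable_recover(self) -> str:
        """shutdown / no shutdown, or errdisable recovery, brings the port back."""
        if self.state == "errdisable":
            self.state = self._role_state()
        return self.state


if __name__ == "__main__":
    uplink = GuardedPort("Gi1/0/1", role="designated", root_guard=True)
    print(uplink.receive_bpdu(superior=True), uplink.max_age_expired())
    access = GuardedPort("Fa0/5", role="designated", portfast=True, bpdu_guard=True)
    print(access.receive_bpdu(), access.errdisable_recover())
    ndp = GuardedPort("Gi1/0/2", role="blocking", loop_guard=True)
    print(ndp.max_age_expired(), ndp.receive_bpdu())
```

The unguarded NDP in the test is the case the loop guard section warns about: with BPDUs lost and no guard, the port simply starts moving toward forwarding.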

LESSON 10 : ADVANCED STP


RSTP
RSTP - Rapid Spanning Tree Protocol
Typically STP takes 30 to 50 seconds to react to a topology change
In production networks this has become an unbearable delay
RSTP uses STP's basic concepts and makes the resulting convergence much faster
IEEE 802.1w standard
As with 802.1D (STP), RSTP's basic functionality can be applied as a single instance or multiple instances
RSTP is only the underlying mechanism; it is not implemented on its own
It is implemented together with PVST+, resulting in Rapid PVST+ (RPVST+)
RSTP is also used as a part of MST (IEEE 802.1s)

RSTP Port Roles
The Root Bridge is elected in the same manner as with STP (lowest bridge ID)
In RSTP, each switch interacts with its neighbors through each port
The interactive process is performed based on the port role
  o Root Port - the port on each switch that has the best-cost path to the RB (same as STP)
  o Designated Port - the port on a network segment that has the best-cost path to the RB (same as STP)
  o Alternate Port - standby Root Port. The port that has an alternate path to the RB (second-best path)
  o Backup Port - standby Designated Port. The port on a network segment that has an alternate path to the RB (second-best path)

STP port roles                 RSTP port roles
Root Port                      Root Port
Designated Port                Designated Port (P2P)
Alternate Port (UplinkFast)    Alternate Port
-                              Backup Port
Blocking                       Discarding

RSTP Port States
RSTP has 3 port states: Discarding, Learning, Forwarding
A port in any role can have one of these states
  o Discarding - incoming frames are dropped, no MACs are learned. Combines the disabled, blocking and listening states of 802.1D
  o Learning - incoming frames are dropped, but MACs are learned
  o Forwarding - incoming frames are forwarded, MACs are learned

STP port states   RSTP port states
Disabled          Discarding
Blocking          Discarding
Listening         Discarding
Learning          Learning
Forwarding        Forwarding

RSTP BPDU
RSTP uses the 802.1D BPDU format for backward compatibility
Some previously unused bits in the Message Type field are used (for the interactive process)
The BPDU version is set to 2 (the 802.1D BPDU version is 0)
BPDUs are sent out every switch port at hello time intervals, regardless of whether BPDUs are received from the RB
Any switch anywhere in the network can play an active role in maintaining the topology
Switches expect BPDUs from their neighbors
A neighbor is assumed to be down if three consecutive BPDUs are missed (6 sec by default)
If a neighbor is down, all information related to the port connected to that neighbor is aged out
RSTP BPDUs can co-exist with 802.1D BPDUs
Switches can differentiate the BPDUs with the help of the version information
RSTP Convergence
RSTP convergence is a two-stage process
  o Election of a common root bridge for the STP domain
  o Movement of switch ports from discarding to the appropriate state to prevent loops
RSTP Port Types
RSTP has three types of ports
  o Edge Port - the port where a single host is connected; BPDUs are never expected. If a switch receives a BPDU on an edge port, the port loses its edge port status
  o Root Port - the port with the best-cost path to the RB, goes to forwarding state
  o Point-to-Point Port (P2P) - a port that connects to another switch and becomes a DP. P2P ports are decided with a quick handshake between switches, by exchanging proposal and agreement messages

RSTP Point-to-Point Links
Point-to-point links are determined automatically by the duplex mode in use
Full-duplex ports are considered point-to-point (only two ports on the link)
Half-duplex ports are considered a shared medium, and the 802.1D convergence method is used in this case
RSTP handles the complete STP convergence of the network as a propagation of handshakes over point-to-point links
When a switch needs to make an STP decision, a handshake is made with the nearest neighbor, and so on, over the point-to-point links of the entire network
Synchronization
To participate in RSTP convergence, all the port states must be decided
Non-edge ports begin in the discarding state
After the BPDU exchange between neighbor switches, the RB can be identified
If a port receives a superior BPDU from a neighbor, that port becomes the RP
For each non-edge port, the switch exchanges a proposal-agreement handshake to decide the port states of the links at each end

Because of RSTP problems or non-P2P link issues, if a port fails to send an agreement message, 802.1D convergence occurs on the link, that is, the port moves through blocking, listening, learning and forwarding with the normal timers
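The proposal-agreement handshake and synchronization described above, traced hop by hop through a small constructed tree, as an added Python example that is not part of this study material. The switches, port names and the half-duplex port on the last switch are constructed; the model assumes a tree topology (no redundant links, so no alternate or backup ports) and shows where the handshake keeps convergence timer-free and where a shared segment drops back to the 2 x forward-delay 802.1D wait.

```python
from dataclasses import dataclass, field
from typing import Optional

FORWARD_DELAY = 15           # 802.1D fallback: listening + learning = 2 x forward delay


@dataclass(eq=False)
class RPort:
    name: str
    kind: str                # "edge" (single host), "p2p" (full duplex) or "shared" (half duplex)
    owner: "RSwitch"
    role: str = "designated"
    state: str = "discarding"
    neighbor: Optional["RPort"] = None


@dataclass(eq=False)
class RSwitch:
    name: str
    ports: list = field(default_factory=list)

    def add_port(self, name: str, kind: str) -> RPort:
        port = RPort(name, kind, self)
        if kind == "edge":
            port.state = "forwarding"       # edge ports forward at once and are never synced
        self.ports.append(port)
        return port


def link(a: RPort, b: RPort) -> None:
    a.neighbor, b.neighbor = b, a


def propose(port: RPort, trace: list) -> int:
    """Designated port `port` proposes to its neighbor; returns the worst-case
    seconds before everything downstream of it is forwarding."""
    sw = port.owner
    if port.kind != "p2p" or port.neighbor is None:
        # half-duplex/shared segment: no handshake, the port waits out the 802.1D timers
        trace.append(f"{sw.name}:{port.name} shared link, 802.1D timers ({2 * FORWARD_DELAY}s)")
        port.state = "forwarding"
        return 2 * FORWARD_DELAY
    far = port.neighbor
    far_sw = far.owner
    trace.append(f"{sw.name}:{port.name} -> proposal -> {far_sw.name}:{far.name}")
    far.role = "root"                       # the proposal carries the superior BPDU
    # synchronization: before agreeing, block every other non-edge designated port
    for p in far_sw.ports:
        if p is not far and p.kind != "edge" and p.role == "designated":
            p.state = "discarding"
            trace.append(f"{far_sw.name}:{p.name} sync -> discarding")
    far.state = "forwarding"
    trace.append(f"{far_sw.name}:{far.name} -> agreement -> {sw.name}:{port.name}")
    port.state = "forwarding"               # agreement received: no timer needed
    # the handshake now repeats hop by hop on the ports that were just blocked
    delay = 0
    for p in far_sw.ports:
        if p is not far and p.kind != "edge" and p.role == "designated":
            delay = max(delay, propose(p, trace))
    return delay


def converge(root: RSwitch):
    """Run the handshake cascade from the root; returns (seconds, trace)."""
    trace, delay = [], 0
    for p in root.ports:
        if p.kind != "edge":
            delay = max(delay, propose(p, trace))
    return delay, trace


def build_sample(access_kind: str = "shared") -> dict:
    """Constructed sample: R (root) - S1 - S2 in a chain, a host on S1, and on S2 a
    port of `access_kind` ("shared" = half-duplex hub, "edge" = single host)."""
    r, s1, s2 = RSwitch("R"), RSwitch("S1"), RSwitch("S2")
    link(r.add_port("g1", "p2p"), s1.add_port("g1", "p2p"))
    link(s1.add_port("g2", "p2p"), s2.add_port("g1", "p2p"))
    s1.add_port("fa3", "edge")
    s2.add_port("fa2", access_kind)
    return {"R": r, "S1": s1, "S2": s2}


if __name__ == "__main__":
    delay, trace = converge(build_sample()["R"])
    print("\n".join(trace))
    print("worst-case seconds to forwarding:", delay)
```

The trace shows S1 discarding its downstream port g2 before it agrees to R, then repeating the same exchange with S2; the edge port fa3 never appears in a sync line. Only the half-duplex port at the end of the chain costs the 30 seconds, and swapping it for an edge port brings the whole convergence to zero timer-driven delay.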

Topology Changes
RSTP detects a topology change only when a non-edge port transitions to the forwarding state
When a topology change is detected, BPDUs with the TC bit set are sent out all of the non-edge designated ports
The switch propagates the TC message (topology change) to the other switches in the network so that they can correct their MATs
RSTP Configuration

RAPID PVST


MST
- MST: Multiple Spanning Tree, IEEE 802.1s standard

CST-PVST-MST comparisons

CST
- CST: common spanning tree; only one instance of STP is used for all VLANs
- If 500 VLANs exist in the network, only one STP instance runs
- Less overhead on the switch
- No load balancing; the instance uses only one link, the remaining links are blocked

STP Topologies

PVST+
- PVST+: per-VLAN spanning tree; one instance of STP is used for each active VLAN
- If 500 VLANs exist in the network, 500 STP instances run
- More overhead on the switch
- Load balancing: every instance can use one of the available links

MST
- MST: Multiple Spanning Tree; multiple instances of STP are used
- A set of VLANs is allowed on every instance
- Less overhead on the switch
- Load balancing: every instance can use one of the available links

- MST works by mapping one or more VLANs to a single STP instance
- MST implementation includes
  o Identifying the number of STP instances needed to support the desired topologies
  o Mapping a set of VLANs to each instance


MST Region
- MST regions are created to manage MST operations
- MST attributes
  o MST configuration name (32 characters)
  o MST config revision number (0 to 65535)
  o MST instance to VLAN mapping table (4096 entries)
- MST attributes must match on all switches to belong to the same region; if not, they belong to different independent regions
- MST attributes are exchanged between switches with MST BPDUs

IST
- IST: Internal Spanning Tree
- MST can interoperate with all other forms of STP
- In an MST region, the IST is an instance that presents the entire region as a virtual bridge to the CST
- BPDUs are exchanged at the region boundary only over the native VLAN
- The IST is called MST Instance 0

MST Instances
- MST instances exist within the MST region
- VLAN sets are mapped to MST instances
- Cisco supports 16 MSTIs in each region
- The IST always exists as MSTI number 0
- By default all the VLANs are mapped to the IST
- Only the IST (MSTI 0) sends and receives MST BPDUs
- Only one BPDU is needed to carry all MSTI information
- Other MSTI information is appended to BPDUs as M-records
- Other MST regions can be combined with the IST only at the region boundary
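Added example (not part of these notes, and not IOS code): a Python model of the three region attributes listed under MST Region. It parses IOS-style VLAN lists into the 4096-entry mapping table, keeps unmapped VLANs in the IST (instance 0), and compares two switches' name, revision and mapping to decide whether they would form one region. The digest is an HMAC-MD5 over the table with the signature key as I recall it from 802.1s; it is not verified against real switch output here, and the 1-15 instance limit is my assumption from the "16 MSTIs" figure above. All configurations are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VLAN_MAX = 4094
IST = 0            # MSTI 0 is the IST; every VLAN maps here unless configured otherwise
MSTI_MAX = 15      # assumption: instances 1-15 plus the IST give the 16 MSTIs per region

# Key used by 802.1s for the configuration digest (HMAC-MD5 over the mapping
# table); quoted from the standard as I recall it, not verified here.
_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS-style VLAN list such as "10-20,30,40-45" into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


@dataclass
class MstConfig:
    name: str                                          # up to 32 characters
    revision: int                                      # 0..65535
    mapping: Dict[int, str] = field(default_factory=dict)   # MSTI -> VLAN list string

    def __post_init__(self):
        if len(self.name) > 32:
            raise ValueError("MST name longer than 32 characters")
        if not 0 <= self.revision <= 65535:
            raise ValueError("revision must be 0..65535")

    def table(self) -> List[int]:
        """4096-entry VLAN-to-instance table; unmapped VLANs stay in the IST."""
        tbl = [IST] * (VLAN_MAX + 2)          # index = VLAN ID (0 and 4095 unused)
        for msti, spec in self.mapping.items():
            if not 1 <= msti <= MSTI_MAX:
                raise ValueError(f"instance {msti} outside 1..{MSTI_MAX}")
            for vlan in parse_vlan_list(spec):
                if tbl[vlan] != IST:
                    raise ValueError(f"VLAN {vlan} mapped to two instances")
                tbl[vlan] = msti
        return tbl

    def digest(self) -> str:
        """Digest of the mapping table, one 16-bit big-endian entry per VLAN."""
        raw = b"".join(struct.pack(">H", inst) for inst in self.table())
        return hmac.new(_DIGEST_KEY, raw, hashlib.md5).hexdigest()

    def region_id(self) -> Tuple[str, int, str]:
        return (self.name, self.revision, self.digest())


def same_region(a: MstConfig, b: MstConfig) -> bool:
    """Two switches form one region only when name, revision and mapping all match."""
    return a.region_id() == b.region_id()


def region_mismatch(a: MstConfig, b: MstConfig) -> List[str]:
    """Name the attributes that differ, for two switches that unexpectedly
    ended up in separate regions."""
    return [attr for attr, x, y in zip(("name", "revision", "mapping"),
                                       a.region_id(), b.region_id()) if x != y]


if __name__ == "__main__":
    sw1 = MstConfig("CAMPUS", 1, {1: "10-20,30", 2: "40-49"})
    sw2 = MstConfig("CAMPUS", 1, {1: "30,10-20", 2: "40-49"})   # same mapping, spelled differently
    sw3 = MstConfig("CAMPUS", 2, {1: "10-20,30", 2: "40-49"})   # revision bumped on one switch only
    print("sw1/sw2 same region:", same_region(sw1, sw2))
    print("sw1/sw3 differ in:", region_mismatch(sw1, sw3))
```

Because the digest covers the whole table, two switches whose mapping differs by a single VLAN land in different regions, and the IST then treats the neighbor as a boundary.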


MSTP Configuration

- A switch cannot run both PVST+ and MST at the same time
- A switch can be configured to use
  o PVST+ (spanning-tree mode pvst) or
  o RPVST+ (spanning-tree mode rapid-pvst) or
  o MST (spanning-tree mode mst)
- If MST is configured on the switch, the RSTP mechanism is applied by default


LESSON 11: MLS


Intervlan Routing
- Communication between different VLANs is called inter-VLAN routing
- Inter-VLAN routing is possible only with an L3 capable device
- Inter-VLAN routing methods
  o Connect access links to router interfaces
  o Router on a stick (switch trunk port to router)
  o Multilayer switching

MultiLayer Switch
- A multilayer switch can perform both L2 switching and L3 routing
- L2 switching occurs between interfaces (switch ports) that are assigned to L2 VLANs or L2 trunks
- L3 routing can occur between L3 interfaces (non-switchports or SVIs) that have been configured with an L3 address
- MLS has two types of L3 interfaces
  o L3 Port: a physical port with L3 functionality enabled (no switchport configuration). By default, all the ports are L2 ports (on most platforms); 6500 ports are L3 ports by default
  o SVI: switched virtual interface, a logical L3 interface that represents the entire VLAN. This becomes the default gateway for all hosts in that VLAN
- All L3 interfaces (SVIs and L3 physical ports) can be configured with IP addresses


MLS Configuration


CEF
- CEF: Cisco Express Forwarding
- In the first generation of MLS, NetFlow switching was used
- In the second generation of MLS, CEF was introduced
- The CEF feature allows high-performance packet forwarding through the use of dynamic lookup tables
- Switch platforms that perform CEF in hardware
  o Catalyst 6500 Supervisor 720 (with an integrated MSFC3)
  o Catalyst 6500 Supervisor 2/MSFC2 combination
  o Catalyst 4500 Supervisor 3, 4 and 5
  o Fixed switches 3750, 3560, 3550, 2950
- CEF runs by default (ip routing)

CEF Packet Flow

CEF Verification


CEF Punt Packets
- CEF can forward most IP packets
- Some packets cannot be forwarded by CEF; they are marked as CEF punt and sent to the L3 engine for further processing
- CEF punt packets are
  o Entry cannot be located in the FIB
  o FIB table is full
  o IP TTL has expired
  o MTU is exceeded, fragmentation needed
  o Encapsulation type not supported
  o ICMP redirect is involved
  o Packets needing a tunneling, compression or encryption operation
  o ACL with log option is triggered
  o NAT operations triggered

CEF Techniques
- CEF operations can be handled on a single hardware platform (3560, 3750)
- CEF can be optimized through the use of specialized forwarding hardware, using CEF techniques
- There are two types of CEF techniques
  o Accelerated CEF (aCEF): L3 forwarding engines do not have a self-contained FIB; every L3 forwarding engine can hold a part of the FIB; the FIB is downloaded when it is required; the FIB is accelerated on the L3 engines
  o Distributed CEF (dCEF): L3 forwarding engines have a self-contained FIB; the FIB is replicated on all L3 forwarding engines; provides greater performance

Adjacency Table
- For each entry, the FIB contains the next-hop L3 address
- The FIB also contains L2 information for every next-hop entry. This part of the FIB is called the adjacency table
- The adjacency table consists of the MAC addresses of nodes that can be reached in a single L2 hop
- Adjacency table information is built from the ARP table
- The adjacency table is updated when a next hop receives a valid ARP entry
- If an ARP entry does not exist, the FIB entry is marked as CEF glean
- In CEF glean state, the FIB hardware cannot forward those packets until the ARP addresses are resolved


- The L3 engine sends an ARP request every two seconds until the address is resolved. This is called ARP throttling or throttling adjacency
- After ARP resolution, the FIB adjacency is updated so the packets are forwarded in FIB hardware

Adjacency Table Verification

Adjacency Entries
- Adjacency entry types
  o Null adjacency: packets destined for the null interface
  o Drop adjacency: packets that cannot be forwarded because of an encapsulation failure, unresolved address, unsupported protocol, no routing information, checksum error, etc.
  o Discard adjacency: packets discarded because of an ACL or other policy action
  o Punt adjacency: packets that must be sent to the L3 engine for further processing


L3 Packet Rewrite
- Multilayer switches have an additional functional block, L3 rewrite, that changes L3 packet contents before forwarding
- The frame/packet fields changed by L3 rewrite are
  o L2 destination address: changed to the next-hop device's MAC address
  o L2 source address: changed to the outbound L3 interface's MAC address
  o L3 IP TTL: decremented by one, as one L3 hop is crossed
  o L3 IP checksum: recalculated as L3 fields are modified
  o L2 frame checksum: recalculated as L2 fields are modified

CEF Configuration
- CEF is enabled on all CEF-capable switches by default
- 6500 switches run CEF by default; it can never be disabled (Sup 720 with integrated MSFC3, or Sup 2/MSFC2)
- 3750 and 4500 switches run CEF by default, but it can be disabled on a per-interface basis
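Added example (not part of these notes, and not Cisco's implementation): a Python model of the CEF forwarding decision covered in the CEF Punt Packets, Adjacency Table and L3 Packet Rewrite passages. It does a longest-prefix FIB lookup, punts on missing entry, expired TTL and oversized packet, returns "glean" when the adjacency has no ARP entry, and otherwise performs the rewrite (new source and destination MAC, TTL minus one, IP header checksum recomputed per RFC 791). The FIB, ARP table, interface names and MACs are constructed sample data.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# IPv4 header without options: ver/IHL, TOS, total length, id, flags/frag,
# TTL, protocol, header checksum, source, destination (20 bytes)
_IPV4_FMT = ">BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the 16-bit words. Over a valid header (checksum included) it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, total_len: int, proto: int = 17) -> bytes:
    hdr = struct.pack(_IPV4_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_ttl(hdr: bytes) -> bytes:
    """The L3 rewrite step: decrement TTL by one and recompute the header checksum."""
    hdr = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected; the destination is the next hop
    out_iface: str
    iface_mac: str            # becomes the L2 source address after rewrite


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ip_header: bytes

    @property
    def ttl(self) -> int:
        return self.ip_header[8]

    @property
    def dst_ip(self) -> str:
        return str(ipaddress.IPv4Address(self.ip_header[16:20]))

    @property
    def total_len(self) -> int:
        return struct.unpack(">H", self.ip_header[2:4])[0]


class CefEngine:
    """FIB (longest prefix match) plus an adjacency table derived from ARP."""

    def __init__(self, fib, arp_table, iface_mtu):
        self.fib = sorted(fib, key=lambda e: e.prefix.prefixlen, reverse=True)
        self.adjacency = dict(arp_table)      # next-hop IP -> MAC, built from ARP
        self.mtu = dict(iface_mtu)

    def lookup(self, dst_ip: str):
        addr = ipaddress.IPv4Address(dst_ip)
        return next((e for e in self.fib if addr in e.prefix), None)

    def forward(self, frame: Frame):
        """Return ("forward", rewritten Frame) or ("punt"/"glean", reason)."""
        entry = self.lookup(frame.dst_ip)
        if entry is None:
            return "punt", "no FIB entry"
        if frame.ttl <= 1:
            return "punt", "TTL expired"
        if frame.total_len > self.mtu[entry.out_iface]:
            return "punt", "MTU exceeded, fragmentation needed"
        next_hop = entry.next_hop or frame.dst_ip
        nh_mac = self.adjacency.get(next_hop)
        if nh_mac is None:
            # CEF glean: hardware cannot forward until the L3 engine resolves ARP
            return "glean", f"ARP unresolved for {next_hop}"
        return "forward", Frame(entry.iface_mac, nh_mac, rewrite_ttl(frame.ip_header))


# Constructed sample tables (addresses, interface names and MACs are made up)
SAMPLE_FIB = [
    FibEntry(ipaddress.IPv4Network("10.0.0.0/24"), None, "Vlan10", "0000.0c00.0a0a"),
    FibEntry(ipaddress.IPv4Network("0.0.0.0/0"), "172.16.0.1", "Gi0/1", "0000.0c00.0101"),
]
SAMPLE_ARP = {"10.0.0.2": "6666.6666.6666", "172.16.0.1": "aaaa.bbbb.cccc"}
SAMPLE_MTU = {"Vlan10": 1500, "Gi0/1": 1500}


def demo(dst: str, ttl: int = 64, total_len: int = 100):
    engine = CefEngine(SAMPLE_FIB, SAMPLE_ARP, SAMPLE_MTU)
    frame = Frame("1111.1111.1111", "0000.0c00.0a0a",
                  build_ipv4_header("192.168.6.1", dst, ttl, total_len))
    return engine.forward(frame)


if __name__ == "__main__":
    for args in (("10.0.0.2",), ("10.0.0.9",), ("8.8.8.8",), ("10.0.0.2", 1), ("10.0.0.2", 64, 1600)):
        print(args, "->", demo(*args))
```

The glean case is the one to watch in troubleshooting: the FIB entry exists, but the hardware still cannot forward because the adjacency has no MAC, so the packets go to the L3 engine until ARP throttling resolves the next hop.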

MultiLayer Switch Verification

DHCP Process
- MLS can function like a DHCP server
- It can relay DHCP broadcast messages as unicast messages to a specified IP address


DHCP Configuration


LESSON 12: CAMPUS NETWORK DESIGN


Network Design
- If many systems exist in a broadcast domain, a single broadcast message spreads across the entire network
- Every system processes the incoming frames, which degrades network performance

- Routers and VLANs break broadcast domains
- Cisco suggests there should be no more than 254 computers in a broadcast domain
- Limiting the systems in a broadcast domain improves network performance
- Network segmentation should be done to enhance network performance
- Network segmentation can be done by using VLANs in the network
- Routers and L3 switches can be used to route the traffic between network segments

Broadcast Domains No VLANs


Broadcast Domains With VLANs

Network Hierarchy
- Two Layer Network Hierarchy
- Three Layer Network Hierarchy

Three Layer Network Hierarchy

Service Type   Location of Service                Extent of Traffic Flow
Local          Same segment/VLAN as user          Access layer only
Remote         Different segment/VLAN from user   Access to distribution layers
Enterprise     Central to all campus users        Access to distribution to core layers


Three Layer Network Hierarchy - Comparisons

Access Layer
- End user connectivity
- VLAN membership
- Low cost per switch port
- High port density
- Scalable uplinks to higher layers
- User access functions such as VLAN membership, traffic and protocol filtering, and QoS features
- Resiliency through multiple uplinks

Distribution Layer
- Inter-VLAN routing
- Traffic policies, ACL, QoS
- Aggregation of multiple access-layer devices
- High Layer 3 throughput for packet handling
- Security and policy-based connectivity through ACL filtering
- QoS features
- Scalable and resilient high-speed links to the core and access layers

Core Layer
- High performance switching
- Backbone connectivity
- Very high throughput at Layer 3
- No unnecessary packet manipulations
- No ACL or packet filtering
- Redundancy and resiliency for high availability
- Advanced QoS functions

Modular Network Design

Fully Redundant Network


Disorganized Networks

Organized Networks

Switch Block and Core Block


Switch Block
A switch block is
- A set of distribution switches and their accompanying access layer switches
- Typically 2 distribution switches are placed in a switch block
- Switch blocks contain a balanced mix of Layer 2 and Layer 3 functionality
- VLANs should not extend beyond the switch block
- Broadcasts should not propagate from the switch block to the core block
- STP is confined to each switch block (STP boundary)
- Typically 2000 users can be placed in a switch block

Switch Block Sizing
Switch block size depends on
- Traffic types and patterns
- L3 switching capacity at the distribution layer
- Number of users connected to access-layer switches (typically <2000 users)
- VLAN boundaries and subnets
- Size of STP domains

Large Switch Blocks
The problems with large switch blocks
- The routing at the distribution layer becomes a traffic bottleneck
- Intensive CPU processing because of inter-VLAN routing, ACLs and policing
- Broadcast and multicast traffic slows the switches in the switch block

Switch Block Designs


Core Block
- The core block connects two or more switch blocks in a campus network
- The links from distribution to core are L3 links
- The core block is meant for high speed connectivity between switch blocks
- The links between core switches should be good enough to carry the aggregated data
- GEC or 10GbEC can be used to aggregate the traffic
- Two core block designs
  o Collapsed core
  o Dual core

Collapsed Core
- The collapsed core design can be used for smaller campus networks

Dual Core Design
- The dual core design can be used for larger campus networks

- The dual core design connects two or more switch blocks with redundancy
- The core is scalable with more switch blocks
- This design uses two identical switches at the core block
- The core block should be ready to handle 100% of the traffic from the switch blocks
- Switch blocks are connected to the core block with L3 links, so bridging loops will not occur
- Multiple L3 links can offer redundancy and load balancing
- The VLANs will not extend to the core layer
- This is the most versatile design for enterprise campus networks


LESSON 13: L3 AVAILABILITY


Packet Forwarding Examples

Example 1: Data flow from 192.168.6.1 to 192.168.6.2
- 192.168.6.1 sends a broadcast ARP request to learn the DMAC
  o SIP-192.168.6.1, DIP-192.168.6.2, SMAC-1111.1111.1111, DMAC-?
- 192.168.6.2 sends a unicast ARP reply
  o SIP-192.168.6.2, DIP-192.168.6.1, SMAC-2222.2222.2222, DMAC-1111.1111.1111
- Now 192.168.6.1 is aware of the DMAC
- Now 192.168.6.1 can send data to 192.168.6.2, because it has the SMAC, DMAC, SIP and DIP information
- ARP requests and replies are sent to resolve the MAC address for an IP address

Example 2: Data flow from 192.168.6.1 to 10.0.0.2
- 192.168.6.1 sends a broadcast ARP request to learn the DMAC of the gateway
  o SIP-192.168.6.1, DIP-192.168.6.100, SMAC-1111.1111.1111, DMAC-?
- 192.168.6.100 sends a unicast ARP reply
  o SIP-192.168.6.100, DIP-192.168.6.1, SMAC-3333.3333.3333, DMAC-1111.1111.1111
- Now 192.168.6.1 is aware of the DMAC
- Now 192.168.6.1 can send data to the default gateway, because it has the SMAC, DMAC, SIP and DIP information
- The router then checks the routing table and finds the exit interface to the destination
- Now the router (10.0.0.100) sends a broadcast ARP request to learn the DMAC
  o SIP-10.0.0.100, DIP-10.0.0.2, SMAC-4444.4444.4444, DMAC-?
- 10.0.0.2 sends a unicast ARP reply
  o SIP-10.0.0.2, DIP-10.0.0.100, SMAC-6666.6666.6666, DMAC-4444.4444.4444
- Now the router is aware of the DMAC; the router rewrites the SMAC and DMAC
- After rewriting the SMAC and DMAC, the router sends the data to the destination
  o SIP-192.168.6.1, DIP-10.0.0.2, SMAC-4444.4444.4444, DMAC-6666.6666.6666
- Devices maintain ARP information in cache memory
- An ARP entry expires dynamically if there is no active communication
- Systems: arp -a (DOS); Router: show ip arp
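Added example (not part of these notes): a Python simulation that replays the two data flows above message by message. Hosts and router interfaces keep an ARP cache with an idle timeout, decide from their own subnet whether the destination or the gateway is the next hop, broadcast the ARP request, answer with a unicast reply, and the router rewrites only the MAC addresses while the IP addresses stay. The topology, addresses and MACs are the ones in the examples; the 240-second cache timeout and the class names are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    kind: str       # "arp-request", "arp-reply" or "data"
    smac: str
    dmac: str
    sip: str
    dip: str


class Segment:
    """One broadcast domain (VLAN): an ARP request reaches every attached interface."""

    def __init__(self):
        self.interfaces: List["Interface"] = []

    def attach(self, iface: "Interface"):
        self.interfaces.append(iface)
        iface.segment = self

    def flood_arp(self, req: Frame, now: float) -> Optional[Frame]:
        for iface in self.interfaces:
            if iface.ip == req.dip:
                iface.cache[req.sip] = (req.smac, now)   # the target learns the requester too
                return Frame("arp-reply", iface.mac, req.smac, iface.ip, req.sip)
        return None


class Interface:
    def __init__(self, ip: str, prefixlen: int, mac: str, arp_timeout: float = 240.0):
        self.ip, self.mac, self.timeout = ip, mac, arp_timeout   # timeout is an assumption
        self.network = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        self.cache: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, last used), like arp -a
        self.segment: Optional[Segment] = None

    def on_link(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.network

    def resolve(self, target_ip: str, now: float, log: List[Frame]) -> str:
        """Return the MAC for target_ip, using the cache unless the entry has aged out."""
        entry = self.cache.get(target_ip)
        if entry is None or now - entry[1] >= self.timeout:
            req = Frame("arp-request", self.mac, BROADCAST, self.ip, target_ip)
            log.append(req)
            reply = self.segment.flood_arp(req, now)
            if reply is None:
                raise LookupError(f"no host answers ARP for {target_ip}")
            log.append(reply)
            entry = (reply.smac, now)
        self.cache[target_ip] = (entry[0], now)   # active communication refreshes the entry
        return entry[0]


class Host:
    def __init__(self, iface: Interface, gateway: Optional[str] = None):
        self.iface, self.gateway = iface, gateway

    def send(self, dip: str, now: float, log: List[Frame]) -> Frame:
        next_hop = dip if self.iface.on_link(dip) else self.gateway
        frame = Frame("data", self.iface.mac, self.iface.resolve(next_hop, now, log), self.iface.ip, dip)
        log.append(frame)
        return frame


class Router:
    def __init__(self, *interfaces: Interface):
        self.interfaces = interfaces

    def forward(self, frame: Frame, now: float, log: List[Frame]) -> Frame:
        """Pick the connected exit interface; only the MACs are rewritten, IPs stay."""
        out = next(i for i in self.interfaces if i.on_link(frame.dip))
        rewritten = Frame("data", out.mac, out.resolve(frame.dip, now, log), frame.sip, frame.dip)
        log.append(rewritten)
        return rewritten


def build_topology() -> Tuple[Host, Host, Router, Host]:
    """Constructed topology matching the two examples above."""
    lan, wan = Segment(), Segment()
    a = Host(Interface("192.168.6.1", 24, "1111.1111.1111"), gateway="192.168.6.100")
    b = Host(Interface("192.168.6.2", 24, "2222.2222.2222"), gateway="192.168.6.100")
    r = Router(Interface("192.168.6.100", 24, "3333.3333.3333"),
               Interface("10.0.0.100", 24, "4444.4444.4444"))
    c = Host(Interface("10.0.0.2", 24, "6666.6666.6666"), gateway="10.0.0.100")
    for i in (a.iface, b.iface, r.interfaces[0]):
        lan.attach(i)
    for i in (r.interfaces[1], c.iface):
        wan.attach(i)
    return a, b, r, c


def example1(now: float = 0.0) -> List[Frame]:
    a, _, _, _ = build_topology()
    log: List[Frame] = []
    a.send("192.168.6.2", now, log)
    return log


def example2(now: float = 0.0) -> List[Frame]:
    a, _, r, _ = build_topology()
    log: List[Frame] = []
    r.forward(a.send("10.0.0.2", now, log), now, log)
    return log


if __name__ == "__main__":
    for f in example2():
        print(f"{f.kind:12} SMAC={f.smac} DMAC={f.dmac} SIP={f.sip} DIP={f.dip}")
```

Running example2 prints the six frames in the order the notes list them; calling send again within the timeout produces only the data frame, and after the timeout the ARP exchange repeats.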

Router Redundancy

For high availability, three protocols are available for router redundancy and load balancing
- HSRP
  o Hot Standby Router Protocol
- VRRP
  o Virtual Router Redundancy Protocol
- GLBP
  o Gateway Load Balancing Protocol

HSRP
- HSRP: Hot Standby Router Protocol
- Cisco proprietary (RFC 2281)
- Provides gateway redundancy by allowing routers or MLS to appear as a single gateway IP
- The gateway IP is assigned to the common HSRP group (not to a single router)
- One router is elected as the primary or active router (with the highest priority)
- Another router is elected as the standby router (second best priority)
- All the remaining routers are in listening state
- All routers exchange HSRP hello messages every 3 seconds to know the status of each other
- Hello messages are sent to the multicast destination 224.0.0.2 using UDP port 1985
- Maximum 16 HSRP groups can be supported (group range: 0-255)

HSRP Election
- HSRP election is based on the priority value (default 100, range 0-255)
- The router with the highest priority value becomes the active router for the group
- If all routers have the same priority, the router with the highest IP address on the HSRP interface becomes the active router


HSRP States
HSRP router states
- Disabled
- Init
- Listen
- Speak
- Standby
- Active

HSRP Active Role
- The active router sends hello messages every 3 seconds by default
- If 3 consecutive hellos are missed (10 sec hold time), the active router is assumed to be down and the standby router changes its state to active
- The listening router with the best priority becomes the new standby router
- If a router is configured with the highest priority, it cannot pick up the active role immediately, because the active router is already in working state in the HSRP group
- The pre-empt feature can be used to allow a router to take the active role at any time if it has the highest priority

HSRP Pre-empt

HSRP Timers

HSRP Authentication
- HSRP supports authentication to prevent unauthorized routers from participating in HSRP
- HSRP supports both plain-text and MD5 authentication
- The authentication key word must match on every router to participate in HSRP
- By default, cisco is the authentication key word
- The HSRP plain-text authentication key string can be up to 8 characters


HSRP MD5 Authentication HSRP MD5 authentication supports key string up to 64 characters

HSRP MD5 authentication method can be configured with a key chain

HSRP Election

- HSRP can detect external link failures and allow the other routers to take the active role
- This is done by tracking a router interface and decreasing the priority in case of link failure
- The router decreases its own priority by 10 (default) for every link failure
- The other routers have a chance to take the active role if pre-empt is already configured
- Without preemption, the active role cannot be given to any other router

HSRP Gateway
- Each router in the HSRP group has its own unique IP address assigned to the L3 interface
- In the HSRP group every router has a common gateway IP address
- It is a virtual router address, kept alive by HSRP
- This address is known as the HSRP address or standby address
- All the clients use this HSRP address as the gateway

9000235254

P. NAGABABU

NAGACISCO@GMAIL.COM

9553.9553.07

- HSRP group routers keep this address always up

- HSRP has a special MAC address for the HSRP address: 0000.0C07.ACXX, where XX represents the HSRP group number (two-digit hex value)
- MAC address range: 0000.0C07.AC00 to 0000.0C07.ACFF
- If HSRP group 16 is configured, it can use 0000.0C07.AC10 as the MAC address

HSRP Process


HSRP Load balancing


HSRP Verification

VRRP
- VRRP: Virtual Router Redundancy Protocol
- VRRP is similar to HSRP in operation
- Open standard protocol, defined in RFC 2338
- In VRRP, the active router is called the master router
- All other routers are in backup state
- The router with the highest priority becomes the master router; priority range 1-254, default is 100
- VRRP group number range is from 0 to 255
- VRRP advertisements are sent every 1 second by default
- VRRP sends its advertisements to the multicast address 224.0.0.18 using IP protocol 112
- Pre-empting is the default feature in VRRP, so the router with the highest priority can become master at any time
- VRRP uses a special MAC address for the virtual router IP address: 0000.5E00.01XX, where XX represents the VRRP group number (two-digit hex value)
- If VRRP group 16 is configured, it can use 0000.5E00.0110 as the MAC address
- VRRP has no mechanism to track interfaces connected to external links
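Added example (not part of these notes, and not Cisco code) covering the HSRP Gateway and VRRP passages: Python helpers that derive the HSRP and VRRP virtual MAC addresses from the group number, build and parse the 20-byte HSRP version 1 hello that rides in UDP 1985 (layout per RFC 2281: version, opcode, state, hello time, hold time, priority, group, reserved, 8-byte authentication data, virtual IP), and an audit function that compares a hello seen on the segment with the group's expected parameters. The expected values, priorities and the "other" key are constructed for the example; the VRRP group range follows the 0-255 given above.

```python
import ipaddress
import struct
from typing import Dict, List

HSRP_GROUP_ADDR, HSRP_UDP_PORT = "224.0.0.2", 1985
VRRP_GROUP_ADDR, VRRP_IP_PROTO = "224.0.0.18", 112


def hsrp_virtual_mac(group: int) -> str:
    """0000.0c07.acXX, XX = group number as two hex digits (groups 0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(group: int) -> str:
    """0000.5e00.01XX, XX = VRRP group number (range 0-255 as given in the notes)."""
    if not 0 <= group <= 255:
        raise ValueError("VRRP group must be 0-255")
    return f"0000.5e00.01{group:02x}"


# HSRP version 1 packet (RFC 2281), 20 bytes: version, opcode, state, hellotime,
# holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP
_HSRP_FMT = ">BBBBBBBB8s4s"
_HSRP_LEN = struct.calcsize(_HSRP_FMT)
_OPCODES = {0: "hello", 1: "coup", 2: "resign"}
_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def build_hsrp_hello(group: int, priority: int, state: int = 16, hello: int = 3,
                     hold: int = 10, auth: str = "cisco", vip: str = "192.168.6.100") -> bytes:
    """Constructed HSRPv1 hello; "cisco" is the default plain-text key (max 8 characters)."""
    return struct.pack(_HSRP_FMT, 0, 0, state, hello, hold, priority, group, 0,
                       auth.encode().ljust(8, b"\x00")[:8], ipaddress.IPv4Address(vip).packed)


def parse_hsrp(payload: bytes) -> Dict[str, object]:
    if len(payload) < _HSRP_LEN:
        raise ValueError("truncated HSRP packet")
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(_HSRP_FMT, payload[:_HSRP_LEN])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return {"opcode": _OPCODES.get(op, "unknown"), "state": _STATES.get(state, "unknown"),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode(errors="replace"),
            "vip": str(ipaddress.IPv4Address(vip))}


def audit_hsrp_hello(payload: bytes, expected: Dict[str, object],
                     active_priority: int, preempt: bool) -> List[str]:
    """Compare a hello with the group's configured parameters. An empty list means
    the hello is consistent; otherwise it names the mismatches, including a speaker
    whose priority would let it take the active role when pre-empt is enabled."""
    h = parse_hsrp(payload)
    findings = []
    if h["group"] != expected["group"]:
        findings.append("group-mismatch")
    if h["auth"] != expected["auth"]:
        findings.append("auth-mismatch")
    if h["vip"] != expected["vip"]:
        findings.append("vip-mismatch")
    if (h["hello"], h["hold"]) != (expected["hello"], expected["hold"]):
        findings.append("timer-mismatch")
    if h["priority"] > active_priority and preempt:
        findings.append("would-preempt")
    return findings


# Constructed expected parameters for group 16 on the 192.168.6.0/24 segment
EXPECTED = {"group": 16, "auth": "cisco", "vip": "192.168.6.100", "hello": 3, "hold": 10}

if __name__ == "__main__":
    print(hsrp_virtual_mac(16), vrrp_virtual_mac(16))
    good = build_hsrp_hello(16, 110)
    odd = build_hsrp_hello(16, 255, auth="other", hold=30)
    print(parse_hsrp(good))
    print("good:", audit_hsrp_hello(good, EXPECTED, active_priority=110, preempt=True))
    print("odd: ", audit_hsrp_hello(odd, EXPECTED, active_priority=110, preempt=True))
```

Because the plain-text key travels in the hello, a sniffer on the segment can read it; the audit shows why a key mismatch or an unexpected high-priority speaker is worth alerting on, and why MD5 authentication is preferable.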


VRRP Process


VRRP Load balancing


VRRP Configuration

VRRP Verification

GLBP
- GLBP: Gateway Load Balancing Protocol
- HSRP and VRRP provide load balancing by assigning multiple gateways to host groups
- GLBP provides load balancing more efficiently, in that all the hosts can use a single gateway
- GLBP is a Cisco proprietary protocol
- All routers are assigned to a common GLBP group
- GLBP provides load balancing by allowing all routers to forward a portion of the overall traffic
- For the same gateway IP address, different MAC addresses are sent as ARP replies
- Traffic goes through the router associated with that MAC address


GLBP Router Roles
Router roles in GLBP
- AVG
  o Active virtual gateway
- AVF
  o Active virtual forwarder

AVG
- The router with the highest priority becomes the AVG
- Default priority is 100, range is 1 to 255
- If the priority is the same, the router with the highest active IP becomes the AVG
- The AVG coordinates the GLBP process
- The routers participating in GLBP are called AVFs
- The AVG assigns virtual MAC addresses to each of the routers (AVFs) participating in GLBP
- Maximum 4 MAC addresses can be used in any group
- Only the AVG answers ARP requests
- The AVG also plays the AVF role
- GLBP group range is 0-1023
- In GLBP, the pre-empting feature is not the default; without pre-empting, the AVG role cannot be given to any other router (if the AVG is active)

AVG Timers
- To know AVF status, the AVG sends hello messages periodically, every 3 seconds by default
- If hellos are not received from a peer within the hold time (10 sec), it is assumed to be down
- Timers can be configured on the AVG (not necessary on the AVFs)
- AVFs learn the timers from the AVG by default


AVF

- AVFs obtain their MAC addresses from the AVG
- If an AVF fails in the GLBP group, the AVF role and MAC address are given to another AVF temporarily
- That AVF handles two MAC addresses to function like two AVFs
- The redirect timer is used to determine when the AVG will flush the old MAC address (assigned to another AVF temporarily)
- The timeout timer is used to determine how long GLBP peers wait before flushing the old MAC
- When the timeout timer expires, the clients using this MAC in their ARP cache must clear the entry, because no AVF will answer to that MAC
- Clients will get a new MAC address as the ARP reply
- The redirect timer is 600 seconds (10 min) by default
- The timeout timer is 14400 seconds (4 hours) by default

GLBP Weight
- GLBP weight is used to define which router can become an AVF
- Interfaces can be tracked to provide dynamic weight
- If an interface goes down, the AVF decreases its weight, and if the interface comes up, the AVF increases its weight
- Two weight thresholds can be configured in GLBP
- If the weight decreases below the lower threshold, the AVF must lose its role
- If the weight increases above the upper threshold, the router gains its AVF role
- By default the weight is 100, range is 1 to 254
- In weight adjustment, an object number is used, with a range of 1-500


GLBP Load Balancing
- The AVG assigns virtual MAC addresses for each of the AVFs in the GLBP group
- GLBP load balancing methods
  o Round robin: ARP replies are sent with the next available virtual MAC address; the traffic load is distributed evenly across all AVFs; it is the default load balancing method in GLBP
  o Weighted: GLBP weight decides the load balancing; a higher weight value results in more frequent ARP replies; GLBP weight is used to set the relative proportions among AVFs
  o Host-dependent: each client always gets the same MAC address as the ARP reply; this method is used if the client needs a consistent gateway MAC
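Added example (not part of these notes, and not Cisco code) covering the GLBP Weight and GLBP Load Balancing passages: a Python model in which a forwarder adjusts its weight as tracked objects go down and up and keeps or loses the AVF role according to the lower and upper thresholds (the gap between them is hysteresis, so a flapping interface does not flap the role), and an AVG that answers ARP with one of at most four virtual MACs using the round-robin, weighted or host-dependent method. The 0007.b4GG.GGFF virtual MAC layout, the default thresholds of 1, the tracked-object decrements and the router names are my assumptions for the example; the notes only say the AVG assigns the address.

```python
from typing import Dict, List, Optional


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Assumed layout 0007.b4GG.GGFF (GGGG = group, FF = forwarder number);
    the notes only say the AVG assigns the address, so treat this as illustrative."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("group 0-1023, forwarder 1-4")
    g = f"{group:04x}"
    return f"0007.b4{g[:2]}.{g[2:]}{forwarder:02x}"


class Forwarder:
    """A GLBP router's AVF state with weight tracking and the two thresholds."""

    def __init__(self, name: str, weight: int = 100, lower: int = 1, upper: int = 1,
                 tracked: Optional[Dict[int, int]] = None):
        if not 1 <= weight <= 254:
            raise ValueError("weight must be 1-254")
        self.name, self.weight, self.lower, self.upper = name, weight, lower, upper
        self.tracked = dict(tracked or {})    # object number (1-500) -> decrement (assumed)
        self.down: set = set()
        self.is_avf = weight > upper
        self.mac: Optional[str] = None

    def track(self, obj: int, up: bool) -> bool:
        """Apply a tracked-object state change and re-evaluate the AVF role.
        Between the thresholds the current role is kept (hysteresis)."""
        if obj not in self.tracked:
            raise KeyError(f"object {obj} is not tracked")
        if up and obj in self.down:
            self.down.discard(obj)
            self.weight += self.tracked[obj]
        elif not up and obj not in self.down:
            self.down.add(obj)
            self.weight -= self.tracked[obj]
        if self.is_avf and self.weight < self.lower:
            self.is_avf = False
        elif not self.is_avf and self.weight > self.upper:
            self.is_avf = True
        return self.is_avf


class ActiveVirtualGateway:
    """Answers ARP for the shared gateway IP with one of up to four virtual MACs."""

    def __init__(self, group: int, forwarders: List[Forwarder], method: str = "round-robin"):
        if len(forwarders) > 4:
            raise ValueError("a GLBP group has at most 4 virtual MACs")
        self.group, self.forwarders, self.method = group, forwarders, method
        for n, f in enumerate(forwarders, start=1):
            f.mac = glbp_virtual_mac(group, n)
        self._next = 0
        self._served: Dict[str, int] = {f.name: 0 for f in forwarders}

    def arp_reply(self, client_mac: str) -> str:
        active = [f for f in self.forwarders if f.is_avf]
        if not active:
            raise RuntimeError("no active virtual forwarder")
        if self.method == "round-robin":
            f = active[self._next % len(active)]
            self._next += 1
        elif self.method == "weighted":
            # the forwarder that has served least relative to its weight goes next,
            # which converges on the relative proportions of the weights
            f = min(active, key=lambda x: self._served[x.name] / x.weight)
        elif self.method == "host-dependent":
            # the same client MAC always maps to the same forwarder
            f = active[sum(client_mac.encode()) % len(active)]
        else:
            raise ValueError(f"unknown method {self.method}")
        self._served[f.name] += 1
        return f.mac


if __name__ == "__main__":
    r1 = Forwarder("R1", weight=100, lower=85, upper=95, tracked={1: 10, 2: 10})
    for obj, up in ((1, False), (2, False), (1, True), (2, True)):
        print(f"object {obj} {'up' if up else 'down'} -> weight {r1.weight:>3}, AVF={r1.track(obj, up)}")
    avg = ActiveVirtualGateway(1, [Forwarder("A", weight=150), Forwarder("B", weight=50)], "weighted")
    print("weighted replies:", [avg.arp_reply("host") for _ in range(4)])
```

With weights 150 and 50 the weighted method hands three of every four ARP replies to the heavier forwarder; with round robin the two alternate regardless of weight.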

GLBP Gateway


GLBP Load balancing


GLBP Verification

Gateway Redundancy
Verification commands
- HSRP
  o show standby brief: displays HSRP status
  o show standby type mod/num: displays HSRP on an interface
- VRRP
  o show vrrp brief all: displays VRRP status
  o show vrrp interface type mod/num: displays VRRP on an interface
- GLBP
  o show glbp [group] [brief] (group range 0-1023): displays the status of a GLBP group

Router Redundancy Protocols
Property            HSRP                       VRRP                       GLBP
Standard            Cisco proprietary          Open standard              Cisco proprietary
Router roles        Active, standby routers    Master, backup routers     AVG, AVF
Load balance        Multiple groups,           Multiple groups,           Single group,
                    different gateways         different gateways         single gateway
Interface tracking  Yes                        No                         Yes
Default pre-empt    No                         Yes                        No
Virtual MAC         0000.0c07.acxx             0000.5e00.01xx             Assigned by AVG


LESSON 14: SUPERVISOR-POWER REDUNDANCY


Modular Switch Chassis

Switch Supervisors
- Modular switches have multiple modules and are controlled by supervisor engines
- Supervisor engines contain the console port, startup configuration, IOS image, etc.
- If the supervisor engine fails, packets will not be routed and interfaces will go down

Redundant Supervisors
- Catalyst 4500R and 6500 switches accept two SUP modules installed in a single chassis
- The first SUP module boots up and becomes the active supervisor for the chassis
- The second SUP module remains in standby mode
- If the first SUP fails, the standby SUP becomes active


Supervisor Redundancy Modes
- Redundant supervisor modules can be configured in 3 modes
  o RPR: Route Processor Redundancy
  o RPR+: Route Processor Redundancy Plus
  o SSO: Stateful Switch Over
- These modes indicate the readiness of the standby supervisor
- The failover time depends on the readiness of the standby supervisor
- These modes affect how the two supervisors handshake and synchronize information

RPR RPR+ SSO

SSO
- SSO: Stateful Switch Over
- The redundant supervisor is fully booted and initialized
- Both startup-config and running-config are synchronized between the SUP modules
- L2 information is maintained on both supervisors, so hardware switching can continue during a failover
- Links do not flap during a failover
- With NSF options, L3 routing protocol initialization and convergence also synchronize
- Takes less time (around 1 sec)

RPR
- RPR: Route Processor Redundancy
- The redundant supervisor is only partially booted and initialized
- When the active SUP fails, the standby SUP must reload every other module in the switch and then initialize all the supervisor functions
- Takes more time (around 2 minutes)

RPR+
- RPR+: Route Processor Redundancy Plus
- The redundant supervisor is booted, and the supervisor and route engines are initialized
- Layer 2 or Layer 3 functions are not started
- When the active SUP fails, the standby module completely initializes without reloading the other switch modules
- Switch ports remain in their states
- Takes average time (around 30 seconds)

Router Processing Modes (SRM-DRM)
- Router processing modes
  o SRM: Single Router Mode. Two route processors are used, but only one is active at any time
  o DRM: Dual Router Mode. Two route processors are used and both are active at any time


- RPR and RPR+ have only one active supervisor; the route processor portion is not initialized or used on the standby unit
- SRM uses two route processors (one is active). RPR and RPR+ use only one route processor, so SRM is not compatible with RPR or RPR+
- SSO uses two route processors. SRM is inherent with SSO, which brings up the standby route processor. This is called SRM with SSO

Redundancy Modes
Mode   Standby readiness   Supported platforms                                                        Failover time
RPR    Good                Catalyst 6500 Supervisors 2 and 720, Catalyst 4500R Supervisors 4 and 5    > 2 minutes
RPR+   Better              Catalyst 6500 Supervisors 2 and 720                                        > 30 seconds
SSO    Best                Catalyst 6500 Supervisor 720, Catalyst 4500R Supervisors 4 and 5           > 1 second

Supervisor Redundancy

- By default, the active supervisor synchronizes its startup-config and config-register values with the standby supervisor
- Configuration is required to synchronize other information

NSF
- NSF: Non Stop Forwarding
- NSF is used to quickly rebuild the routing information base (RIB) table after a supervisor switchover
- The RIB is used to generate the FIB for CEF
- The FIB is downloaded to any switch modules or hardware that perform CEF
- NSF gets assistance from other NSF-aware neighbors
- These neighbors provide routing information to the standby supervisor, which allows it to build the RIB quickly
- NSF is a Cisco proprietary feature
- NSF is supported along with SSO on Catalyst 4500R Supervisors 3, 4, 5 and 6500 Supervisor 720 (integrated MSFC3)
- NSF is supported on IOS 12.2(20)EWA or later
- NSF is supported by the BGP, EIGRP, OSPF and IS-IS routing protocols

NSF Configuration

Redundant Power Supply
- 6500 and 4500R platforms can accept two power supply modules in a single chassis
- The power supplies must be identical, having the same power input and maximum power output ratings
- Two possible power modes
  o Combined mode: both power modules work together to share the total power load for all modules. Used for large power requirements like PoE for IP telephones. It does not provide power redundancy. If a power supply fails, the switch powers down some of the modules until the power requirement is met by the one functioning power supply
  o Redundant mode: each of the installed power supplies can supply the total power load that is required by the whole switch chassis. If one power supply fails, the other can carry the total power load without powering down any module. Redundant mode is the default mode. It is not possible to identify which power supply is actually powering the switch until one of them is turned off or fails


- Some devices need inline power (PoE) to operate (Cisco IP phones, wireless APs)
- These devices request a power budget when they initialize (and possibly more at later times)
- The power budget requests are sent in CDP exchanged between the devices and the switch


LESSON 15: IP TELEPHONY


PoE
- PoE: Power over Ethernet
- A Cisco IP phone must have power to operate
- Power can come from two sources
  o External AC adapter: wall warts provide 48V DC power
  o PoE: 48V DC inline power that comes from the Catalyst switch over the network cable
- PoE has the benefit that it can be managed, monitored and offered to the IP phone
- The end device has to send a power budget request in order to get PoE
- A switch can't offer PoE to a PC, because PCs don't send any power request
- PoE is available on many platforms like Catalyst 3750, 4500 and 6500
- PoE methods
  o ILP (Inline Power): Cisco proprietary method
  o IEEE 802.3af: open standard method, vendor interoperability

Detecting a Powered Device
- In the Cisco ILP method, the switch sends a 340 kHz test tone on the transmit pair of the twisted-pair Ethernet cable
- A powered device (IP phone) loops the 340 kHz test tone back
- The switch port can hear its test tone looped back
- Then the switch knows a powered device is present and offers inline power

- In IEEE 802.3af, the switch supplies a small voltage across the transmit and receive pairs of the copper twisted-pair connection
- Then the resistance is measured
- If a 25 kohm resistance is measured, the switch knows a powered device is present

IEEE 802.3af power classes

Power class | Max power offered at 48V DC | Notes
0           | 15.4 W                      | Default class
1           | 4.0 W                       | Optional class
2           | 7.0 W                       | Optional class
3           | 15.4 W                      | Optional class
4           | -                           | Reserved for future use

- The switch determines to which power class the powered device belongs


Supplying Power to a Device
- A switch first offers the default power allocation to the powered device
- On the 3750-24-PWR, an IP phone receives 15.4 W (0.32 Amps at 48V DC)
- For Cisco ILP, inline power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) at 48V DC
- For IEEE 802.3af, power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) or over pairs 1 and 4 (RJ-45 pins 4-5, 7-8)
- Later the power budget can be changed from the default to a more appropriate value
- Cisco ILP uses CDP for the power budget decision
- IEEE 802.3af uses power classes for the power budget decision

PoE configuration

PoE Switchports
- A Catalyst switch waits for 4 seconds after inline power is applied to a port
- Don't connect a non-powered device (PC) to the port immediately after disconnecting a powered device from it
- Wait for 10 seconds before connecting anything back into the same port
- Otherwise power delivery may damage the device
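As an added illustration (not part of the study guide), the following Python models the detection, classification and power-allocation steps described above, together with the budgeting a switch has to do across its ports. The class-to-power values are the ones in the 802.3af table; the switch's total budget, the port names, the resistance tolerance and the CDP renegotiation rule are assumptions made for this example.

```python
# Added example (not from the study guide): 802.3af detection/classification plus
# per-switch power budgeting. Budget size, ports and the CDP rule are assumptions.
from dataclasses import dataclass, field
from typing import Dict

# Maximum power offered at 48 V DC per 802.3af class (class 4 is reserved).
CLASS_MAX_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}
DETECTION_OHMS = 25_000.0      # signature resistance of a powered device
VOLTS = 48.0


def detect_powered_device(measured_ohms: float, tolerance: float = 0.05) -> bool:
    """802.3af detection: the switch applies a small voltage and measures the
    resistance; roughly 25 kohm means a powered device is present."""
    return abs(measured_ohms - DETECTION_OHMS) <= DETECTION_OHMS * tolerance


def class_power_w(power_class: int) -> float:
    """Default power allocation for an 802.3af class; reserved classes get nothing."""
    if power_class not in CLASS_MAX_W:
        raise ValueError(f"802.3af class {power_class} is reserved or invalid")
    return CLASS_MAX_W[power_class]


def current_amps(watts: float, volts: float = VOLTS) -> float:
    """Current drawn at the given voltage, rounded as in the text (15.4 W -> 0.32 A)."""
    return round(watts / volts, 2)


@dataclass
class PoESwitch:
    """Tracks inline-power allocations against one shared power budget (assumed)."""
    total_budget_w: float
    allocated: Dict[str, float] = field(default_factory=dict)  # port -> watts

    def available_w(self) -> float:
        return self.total_budget_w - sum(self.allocated.values())

    def connect(self, port: str, measured_ohms: float, power_class: int) -> float:
        """Detect, classify and grant the class's default allocation if the budget allows.
        Returns the watts granted (0.0 when no device was detected or budget is short)."""
        if not detect_powered_device(measured_ohms):
            return 0.0   # e.g. a PC: no signature resistance, so no inline power
        need = class_power_w(power_class)
        if need > self.available_w():
            return 0.0   # budget exhausted: the port stays unpowered
        self.allocated[port] = need
        return need

    def cdp_request(self, port: str, watts: float) -> float:
        """Cisco ILP: the device may later ask for a different budget via CDP.
        The request is honoured only if the difference fits in the remaining budget."""
        current = self.allocated.get(port)
        if current is None:
            return 0.0   # no powered device on this port
        if watts - current > self.available_w():
            return current   # refused; keep the existing allocation
        self.allocated[port] = watts
        return watts

    def disconnect(self, port: str) -> None:
        self.allocated.pop(port, None)
```

Connecting a class 0 phone to a 30 W switch takes 15.4 W; a second class 3 device then cannot be powered until the first phone lowers its budget through CDP, which is the interaction the text describes between default allocation and later renegotiation.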


Voice VLAN
- A Cisco IP phone can provide a data connection for a PC, along with the voice stream
- A single Ethernet IO (information outlet) is enough to provide connectivity for both the PC and the Cisco IP phone

- With trunk mode the voice traffic is encapsulated over a unique voice VLAN, called the voice VLAN ID or VVID
- With access mode the voice traffic is encapsulated over the regular data VLAN, called the native VLAN or port VLAN ID (PVID)
- The QoS information from the voice packets must be carried
- To configure the IP phone uplink, only the switchport needs to be configured with the selected mode
- The switch instructs the phone to follow the selected mode
- In the case of a trunk link, a special-case trunk is negotiated by DTP and CDP

Voice VLAN Modes

Mode           | Native VLAN (untagged)        | Voice VLAN    | Voice QoS (CoS bits)
vlan-id        | PC data                       | VLAN vlan-id  | 802.1p
dot1p          | PC data                       | VLAN 0        | 802.1p
untagged       | PC data / voice               | -             | 802.1p
none (default) | PC data / voice (access vlan) | -             | -


- The most versatile mode uses the vlan-id
- Voice and user data are carried over separate VLANs
- VoIP packets in the voice VLAN also carry the CoS bits in 802.1p

Voice VLAN / Data VLAN
- The trunk contains only two VLANs: a voice VLAN (tagged VVID) and the data VLAN
- The switch port's access VLAN is used as the data VLAN (for the PC)
- If the IP phone is removed and a PC is connected to the same switch port, the PC can still operate because the data VLAN appears as the access VLAN

- The IP phone special-case 802.1Q trunk is not shown as a trunk port in the switch configuration
- STP runs with two instances, one for the voice VLAN and one for the data VLAN

Voice QoS
- QoS: Quality of Service
- It is the method used in a network to protect and prioritize time-critical or important traffic
- QoS needs to be implemented for voice traffic and video traffic
- Voice packets need to be delivered in the most timely fashion with little jitter, little loss and little delay
- Generally users can't tolerate delay in voice or video traffic

Packet flow
- Factors that influence packet flow
  o Delay: the time required for a router or switch to perform table lookups. The total delay from source to destination is called latency
  o Jitter: the variation in delay is called jitter. With jitter, consecutive packets arrive at different time intervals. Audio and video streams are easily affected by jitter
  o Loss: packets dropped without delivery because of a congested or error-prone network

QoS

- To protect packets from delay, jitter and loss, QoS can be implemented
- 3 basic types of QoS
  o Best-effort delivery
  o Integrated services model
  o Differentiated services model

Best Effort Delivery
- The intermediate devices like switches and routers forward the traffic with best effort
- There is no real QoS
- The interesting traffic must stay in line with the remaining traffic

Integrated Services (IntServ)
- A path is reserved in advance from source to destination by RSVP
- RSVP: Resource Reservation Protocol
- The source application requests QoS parameters through RSVP
- Each network device along the path checks whether it supports the QoS request
- QoS is applied on a per-flow basis
- No scalability

Differentiated Services (DiffServ)
- No advance path reservation
- Packet headers contain QoS information
- Each device handles packets individually based on the QoS bits
- Devices prioritize the interesting traffic by holding back the normal traffic
- QoS is applied on a per-hop basis
- Offers QoS scalability
- The DiffServ model can offer premium services to voice traffic


- DiffServ is per-hop behavior
- Each router or switch checks the QoS information in every packet to decide how to forward the packet
- The packet headers contain some flags, classifications, or markings that can be used to make a forwarding decision based on the QoS policies that are configured on each router or switch along the path

L2 QoS Classification
- L2 switches follow best effort to forward the frames
- No QoS mechanism for normal Ethernet frames
- QoS occurs between switches for tagged Ethernet frames
- Tagged Ethernet frames carry CoS (Class of Service) bits
- CoS bits are lost when the frame is untagged at the far-end switch


- This 6-bit DS value is known as DSCP
- DSCP: Differentiated Services Code Point
- The DSCP value is examined by DiffServ network devices
- The DS and ToS bytes are the same (occupying the same location in the IP header)
- DSCP bits are arranged for compatibility with the 3-bit IP precedence, so non-DiffServ devices can still interpret some QoS information

IP Precedence (3 bits)                  | Per-Hop Behavior | DSCP (6 bits)
Name                 | Value | Bits     | Class Selector   | Drop Precedence | Code-Point Name | DSCP Bits (Decimal)
Routine              | 0     | 000      | Default          | -               | Default         | 000 000 (0)
Priority             | 1     | 001      | AF 1             | 1: Low          | AF11            | 001 010 (10)
                     |       |          |                  | 2: Medium       | AF12            | 001 100 (12)
                     |       |          |                  | 3: High         | AF13            | 001 110 (14)
Immediate            | 2     | 010      | AF 2             | 1: Low          | AF21            | 010 010 (18)
                     |       |          |                  | 2: Medium       | AF22            | 010 100 (20)
                     |       |          |                  | 3: High         | AF23            | 010 110 (22)
Flash                | 3     | 011      | AF 3             | 1: Low          | AF31            | 011 010 (26)
                     |       |          |                  | 2: Medium       | AF32            | 011 100 (28)
                     |       |          |                  | 3: High         | AF33            | 011 110 (30)
Flash Override       | 4     | 100      | AF 4             | 1: Low          | AF41            | 100 010 (34)
                     |       |          |                  | 2: Medium       | AF42            | 100 100 (36)
                     |       |          |                  | 3: High         | AF43            | 100 110 (38)
Critical             | 5     | 101      | EF               | -               | EF              | 101 110 (46); 40-47: only 46 is used
Internetwork control | 6     | 110      | -                | -               | -               | 48-55
Network control      | 7     | 111      | -                | -               | -               | 56-63


L3 QoS Classification
- Three class selector bits (DS5, DS4, DS3) classify packets into eight classes
- Class 0 is the default class, offering only best-effort forwarding
- Classes 1-4 are called AF (assured forwarding) service levels. Higher AF class numbers indicate higher-priority traffic
- Class 5 is known as EF (expedited forwarding) and indicates premium service. EF is given to time-critical data such as voice traffic
- Class 6 is for internetwork control
- Class 7 is for network control
- Routers and switches use classes 6 and 7 for STP and routing protocols, which offers timely delivery of packets for network stability
- Three bits (DS2, DS1, DS0) are drop precedence bits. DS0 is always 0
- 3 levels of drop precedence
  o Low (1)
  o Medium (2)
  o High (3)
- A lower drop precedence value gives better service
- AF21 means AF level 2 with drop precedence 1
- To manipulate packets according to QoS policies, a switch must identify which level of service each packet should receive
- This is called classification of packets
- Each packet is classified according to the type of traffic (TCP/UDP)
- Each switch must decide whether to trust the incoming QoS values (QoS bits)
- If the switch trusts the QoS values, they are carried over and used to make QoS decisions
- If the switch doesn't trust the QoS values, they are reassigned or overruled
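The bit arithmetic behind the DSCP table, as an added Python example (not from the study guide): it builds a DSCP from the class selector and drop precedence bits, recovers the IP precedence that a non-DiffServ device would read from the same byte, and places the value in the ToS/DS byte of the IP header. The CSx names it returns for the xxx000 code points (for example CS6 = 48) are the standard class-selector names, which the table above does not list.

```python
# Added example (not from the study guide): DSCP / IP precedence bit arithmetic.
def dscp_value(class_selector: int, drop_precedence: int = 0) -> int:
    """Assemble a 6-bit DSCP: DS5-DS3 = class selector, DS2-DS1 = drop precedence, DS0 = 0."""
    if not 0 <= class_selector <= 7:
        raise ValueError("class selector must be 0..7")
    if not 0 <= drop_precedence <= 3:
        raise ValueError("drop precedence must be 0..3")
    return (class_selector << 3) | (drop_precedence << 1)


def ip_precedence(dscp: int) -> int:
    """The top three DSCP bits, which a non-DiffServ device reads as IP precedence."""
    return (dscp >> 3) & 0b111


def drop_precedence(dscp: int) -> int:
    """DS2-DS1: 1 = low, 2 = medium, 3 = high drop precedence (lower is better)."""
    return (dscp >> 1) & 0b11


def codepoint_name(dscp: int) -> str:
    """Map a DSCP to its per-hop-behaviour name (Default, AFxy, EF, CSx)."""
    cls, drop = ip_precedence(dscp), drop_precedence(dscp)
    if dscp == 0:
        return "Default"
    if 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"          # assured forwarding: class + drop precedence
    if dscp == 46:
        return "EF"                      # expedited forwarding, 101 110
    if drop == 0 and dscp & 1 == 0:
        return f"CS{cls}"                # class selector code points, xxx000 (e.g. CS6 = 48)
    return f"unnamed({dscp})"


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Place the DSCP in the upper six bits of the ToS/DS byte; the low two bits are ECN."""
    return (dscp << 2) | (ecn & 0b11)


def dscp_from_tos(tos: int) -> int:
    """Inverse of tos_byte: what a DiffServ device reads from a captured IP header."""
    return (tos >> 2) & 0b111111


def decode(dscp: int) -> dict:
    """One-stop view of a DSCP value, e.g. decode(18) -> AF21, precedence 2, ToS 0x48."""
    return {
        "dscp": dscp,
        "bits": f"{dscp >> 3:03b} {dscp & 0b111:03b}",
        "name": codepoint_name(dscp),
        "ip_precedence": ip_precedence(dscp),
        "tos_hex": f"0x{tos_byte(dscp):02X}",
    }
```

Reading the ToS byte of a captured voice packet as 0xB8 therefore gives DSCP 46 (EF) and, for an older device, IP precedence 5 (critical), which is exactly the compatibility the text describes.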

QoS Configuration

Auto QoS
- The Auto QoS feature automatically configures advanced QoS parameters
- The Auto QoS feature is enabled by a macro command
- Auto QoS handles
  o Enabling QoS
  o CoS-to-DSCP mapping for QoS marking
  o Ingress and egress queue tuning
  o Strict priority queues for egress voice traffic
  o Establishing an interface QoS trust boundary


LESSON 16: SECURE SWITCH ACCESS


Switch Port Security

- Catalyst switches offer the port security feature, based on the MAC addresses of the connected systems
- Unauthorized MAC addresses can't gain access and are disconnected from the network
- Port security is not enabled by default
- In switches, port security can be enabled on a per-interface basis
- Port security is applied only to access ports

- By default the sticky feature is used for port security, so that ports learn MAC addresses from the connected systems dynamically
- By default no aging occurs for sticky MAC addresses

Port-Security Violation
- A security violation occurs if more than the specified number of MAC addresses are learned on the port
- Port security defines what action the port has to take in case of a security violation
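An added model of port security on a single access port (example code, not the study guide's or Cisco's): frames are forwarded while their source MAC is a secure address or can still be learned within the maximum, and the first extra MAC is the violation. The three violation actions are the IOS modes protect, restrict and shutdown (shutdown being the IOS default); the MAC addresses and the config_lines helper are illustrative assumptions.

```python
# Added example (not from the study guide): port security state machine for one port.
from typing import Iterable, List, Set


class PortSecurity:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")   # the IOS violation modes

    def __init__(self, max_macs: int = 1, violation: str = "shutdown",
                 sticky: bool = False, static_macs: Iterable[str] = ()):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.max_macs = max_macs
        self.violation = violation
        self.sticky = sticky
        self.static: Set[str] = {m.lower() for m in static_macs}  # configured secure MACs
        self.dynamic: Set[str] = set()                              # learned secure MACs
        self.errdisabled = False
        self.violations = 0

    def secure_count(self) -> int:
        return len(self.static) + len(self.dynamic)

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame with this source MAC on the port."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return "drop (port err-disabled)"
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if self.secure_count() < self.max_macs:
            self.dynamic.add(src_mac)          # learned dynamically, up to the maximum
            return "forward (learned)"
        # One MAC too many: this is the security violation
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True            # the whole port goes err-disabled
            return "drop (violation: port err-disabled)"
        if self.violation == "restrict":
            return "drop (violation: counted and logged)"
        return "drop (violation: silent)"      # protect: dropped without notification

    def shutdown_recover(self) -> None:
        """Operator clears the err-disabled state (shutdown / no shutdown on the port)."""
        self.errdisabled = False

    def config_lines(self) -> List[str]:
        """The interface sub-commands this state corresponds to; sticky learning
        writes the learned MACs into the running-config so they survive a reload."""
        lines = ["switchport mode access",
                 "switchport port-security",
                 f"switchport port-security maximum {self.max_macs}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.dynamic)]
        return lines
```

The difference between the modes is what a defender sees afterwards: shutdown takes the port out of service and needs an operator (or errdisable recovery) to restore it, restrict keeps the port up but counts and logs the offending frames, protect drops them silently, which is why restrict is usually preferred where visibility matters.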


Port-Security

Port-Based Authentication
- Catalyst switches support port-based authentication, a combination of AAA authentication and port security
- IEEE 802.1x standard
- The switches will not accept data until the user is authenticated
- For port-based authentication, both the switch and the PC must support the 802.1x standard
- 802.1x uses EAPOL: Extensible Authentication Protocol over LANs (L2 protocol)
- The client PC must have 802.1x-capable software in order to initiate an authentication session with the switch
- The authentication session closes when the user logs out

- 802.1x port-based authentication can be handled by RADIUS servers
- RADIUS: Remote Authentication Dial In User Service
- Only RADIUS is supported for 802.1x

Port-Based Authentication


Mitigating Spoofing Attacks
- The attacker can become man-in-the-middle to work like a rogue gateway
- Hosts send packets to this rogue gateway; the attacker can glean information from the packets before forwarding them normally
- Switches can be protected from these spoofing attacks
- Switch features to mitigate spoofing attacks
  o DHCP snooping
  o IP Source Guard
  o Dynamic ARP Inspection

DHCP Snooping
- The attacker may bring up a rogue DHCP server that assigns a spoofed gateway to the hosts
- Then hosts try to send information to this spoofed gateway
- Switches can be configured with the DHCP snooping feature to mitigate these attacks
- With DHCP snooping, ports are categorized into trusted and untrusted ports
- Legitimate DHCP servers should be connected to trusted ports
- If a DHCP reply comes from any untrusted port, it is discarded and the offending switch port is automatically shut down in the errdisable state
- DHCP snooping can keep track of the completed DHCP bindings. This database contains the client MAC, the IP address offered, the lease time, etc.


IP Source Guard
- A host can use spoofed IP addresses to misguide other hosts in a subnet or VLAN
- If a host uses random spoofed IP addresses, the return traffic will not find its way back
- Spoofed IP addresses are used to disguise the origin of Denial-of-Service attacks
- Switches use the IP Source Guard feature to mitigate spoofed IP address attacks
- The IP Source Guard feature uses the DHCP snooping database and static IP source binding entries to mitigate spoofed IP attacks
- The source IP must match the IP address learned by DHCP snooping or a static entry
- The source MAC address must match the MAC address learned on the switch port
- If the addresses do not match, the switch drops the frames coming from the port
- Before configuring IP Source Guard,
  o First DHCP snooping should be enabled to detect spoofed IP addresses
  o and port security should be enabled to detect spoofed MAC addresses


Dynamic ARP Inspection
- The attacker can send spoofed ARP replies to the requests and become man-in-the-middle
- The hosts will add this bogus ARP information to their cache and send packets to the attacker
- This attack is called ARP poisoning or ARP spoofing
- Catalyst switches have the DAI (Dynamic ARP Inspection) feature to mitigate these attacks
- The ports are categorized into trusted ports and untrusted ports
- ARP inspection is done only on untrusted ports
- No inspection is done on trusted ports
- The switch gets its legitimate ARP database from static entries or DHCP snooping
- If an ARP reply arrives on an untrusted port, the switch compares the IP and MAC against its legitimate ARP database
- If the switch finds invalid or conflicting values, it drops the frame and generates a log message

- For hosts with static IP addresses, no DHCP snooping database entry exists
- So an ARP ACL should be configured to permit the static IP-MAC combinations
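The three features above share one binding table, so the following added Python model (not from the study guide, not Cisco's code) covers DHCP snooping, IP Source Guard and Dynamic ARP Inspection together: snooping builds the bindings from completed DHCP exchanges and err-disables an untrusted port that sends server replies, IP Source Guard checks each frame's source IP and MAC against the binding learned on that port, and DAI validates the sender pair in ARP replies on untrusted ports against the bindings or an ARP ACL for statically addressed hosts. Port names, MAC addresses and IP addresses are constructed for the example.

```python
# Added example (not from the study guide): DHCP snooping bindings feeding
# IP Source Guard and Dynamic ARP Inspection. All ports/addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)              # uplinks / ports facing real DHCP servers
        self.bindings: Dict[str, Binding] = {}         # DHCP snooping database keyed by client MAC
        self.pending: Dict[str, Tuple[str, int]] = {}  # client MAC -> (port, vlan) of its last REQUEST
        self.arp_acl: Set[Tuple[str, str]] = set()     # static (ip, mac) pairs for hosts without DHCP
        self.errdisabled: Set[str] = set()
        self.log: List[str] = []

    # --- DHCP snooping -------------------------------------------------------
    def dhcp_message(self, port: str, vlan: int, op: str, client_mac: str,
                     yiaddr: Optional[str] = None) -> str:
        """op is DISCOVER/REQUEST (client side) or OFFER/ACK (server side)."""
        if op in ("OFFER", "ACK") and port not in self.trusted:
            # A server reply on an untrusted port means a rogue DHCP server: shut the port
            self.errdisabled.add(port)
            self.log.append(f"DHCP {op} on untrusted {port}: port err-disabled")
            return "drop"
        if op in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (port, vlan)
        elif op == "ACK" and client_mac in self.pending and yiaddr is not None:
            cport, cvlan = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, yiaddr, cvlan, cport)
        return "forward"

    def static_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Static IP source binding for a host with a fixed address."""
        self.bindings[mac] = Binding(mac, ip, vlan, port)

    # --- IP Source Guard -----------------------------------------------------
    def ip_source_guard(self, port: str, src_mac: str, src_ip: str) -> bool:
        """A frame is allowed only if its IP and MAC match the binding learned on this port."""
        b = self.bindings.get(src_mac)
        ok = b is not None and b.ip == src_ip and b.port == port
        if not ok:
            self.log.append(f"IPSG: {src_ip}/{src_mac} on {port} dropped")
        return ok

    # --- Dynamic ARP Inspection ----------------------------------------------
    def arp_inspection(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """ARP on trusted ports is not inspected; on untrusted ports the sender
        IP/MAC pair must match a binding or an ARP ACL entry."""
        if port in self.trusted:
            return True
        if (sender_ip, sender_mac) in self.arp_acl:
            return True
        b = self.bindings.get(sender_mac)
        ok = b is not None and b.ip == sender_ip
        if not ok:
            self.log.append(f"DAI: invalid ARP {sender_ip} is-at {sender_mac} on {port} dropped")
        return ok
```

The ordering the text insists on falls out of the model: without a binding from DHCP snooping (or a static entry), IP Source Guard has nothing to match and DAI has nothing but the ARP ACL, so enabling either of them first only produces drops.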


Securing Switches
- Configure secure passwords
  o Configure switches with secure passwords
  o Protect all the lines
  o Enable secret password for privilege mode
  o Service password-encryption for password encryption
  o AAA servers can be used for authentication
- Use system banners
  o Banners display a message at the time of user login
  o This message can be used to warn unauthorized users
  o As a welcome message to authorized users
  o banner motd configures the login message
- Secure the web interface
  o The web interface can be disabled by no ip http server
  o Switches can be accessed with the HTTPS web interface if it is supported: ip http secure-server
    access-list acl-no permit ip-address match
    ip http access-class acl-no
- Secure the switch console
  o Switch console connectivity needs to be secured even though physical security is implemented at wiring closets and datacenters
- Secure virtual terminal access
  o Only authorized hosts should be allowed to access the switch vty lines
    access-list acl-no permit ip-address match
    line vty 0 15
    access-class acl-no in
    show users all
- Use SSH whenever possible
  o Telnet sessions are not secure because session data goes as clear text
  o SSH uses strong encryption to secure session data
  o It's always better to use SSH as the transport input
  o SSHv2 is more secure than v1 and v1.5
- Secure SNMP access
  o To prevent unauthorized configuration changes, RW SNMP access can be disabled: no snmp-server community string RW
  o RO SNMP access can be configured with an access-list to limit the source addresses that have read-only access


- Secure unused switch ports
  o Every unused switchport should be disabled to prevent users from using them
  o Every user switchport should be configured as an access port, so that trunk negotiation can't happen
  o switchport host can be applied to support only one PC on a switchport
- Secure STP operation
  o Malicious users can inject STP BPDUs to disrupt the STP loop-free topology
  o The BPDU guard feature can be enabled to prevent unexpected BPDUs
- Secure CDP usage
  o CDP packets are sent out every 60 seconds
  o It's recommended to enable CDP only on the ports where trusted Cisco devices are connected
  o This prevents advertising unnecessary information to listening attackers
  o CDP must be enabled on ports where IP phones appear
  o no cdp enable disables CDP on an interface


LESSON 17: SECURE VLANS


VACLs
- VACL: VLAN ACL
- The traffic between VLANs can be filtered with ACLs
- ACLs (Router ACLs, RACL) are compiled and fed into TCAM
- VLAN ACLs are filters that can control traffic within a VLAN
- VACLs are also compiled and fed into TCAMs
- VACLs are similar to route-maps (with a series of matching conditions and actions to take)
- First a VLAN access map is created that consists of statements with sequence numbers
- Each statement can contain one or more matching conditions, followed by an action
- Matching conditions can be verified by IP, IPX or MAC address ACLs
- They are evaluated in order of sequence number
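An added Python model (not the study guide's or Cisco's code) of how a VLAN access map is evaluated: each sequence carries an optional match ACL and a forward/drop action, a packet matches a sequence when the ACL permits it, and the first matching sequence decides. The ACL name, access-map name, addresses and sample packets are constructed. One assumption is spelled out in the code: a packet that matches no sequence is dropped (the implicit deny at the end of the map); on the switch the map would then be applied to the VLAN with vlan filter NAME vlan-list N.

```python
# Added example (not from the study guide): VLAN access-map evaluation.
import ipaddress
from typing import Dict, List, Optional, Tuple

AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)


def acl(*entries: Tuple[str, str, str]) -> List[AclEntry]:
    """Build an IP ACL from (action, src_cidr, dst_cidr) tuples."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in entries]


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL with no matching entry is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


class VlanAccessMap:
    """Sequenced match/action statements, like `vlan access-map NAME seq`."""

    def __init__(self, name: str):
        self.name = name
        self.sequences: List[Tuple[int, Optional[str], str]] = []  # (seq, acl name or None, action)

    def add(self, seq: int, action: str, match_acl: Optional[str] = None) -> "VlanAccessMap":
        if action not in ("forward", "drop"):
            raise ValueError("action must be forward or drop")
        self.sequences.append((seq, match_acl, action))
        self.sequences.sort(key=lambda s: s[0])       # evaluated in sequence-number order
        return self

    def evaluate(self, acls: Dict[str, List[AclEntry]], src: str, dst: str) -> Tuple[str, Optional[int]]:
        """Return (action, sequence) of the first sequence whose match ACL permits the
        packet; a sequence without a match clause matches everything."""
        for seq, acl_name, action in self.sequences:
            if acl_name is None or acl_permits(acls[acl_name], src, dst):
                return action, seq
        return "drop", None   # assumption: no sequence matched -> implicit drop


# Constructed scenario: hosts in VLAN 10 may talk to each other but not to 10.1.10.50
ACLS = {"TO_SERVER": acl(("permit", "10.1.10.0/24", "10.1.10.50/32"))}
VLAN10_FILTER = (VlanAccessMap("VLAN10_FILTER")
                 .add(10, "drop", "TO_SERVER")   # match ip address TO_SERVER / action drop
                 .add(20, "forward"))            # no match clause / action forward
```

The trailing forward sequence is the part people forget: without it, every packet that the first sequence does not match falls off the end of the map and is dropped, which cuts the whole VLAN off rather than just the server.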


Private VLANs
- In some cases, the hosts in a VLAN need not communicate with each other
- But they need to communicate with a common gateway
- Private VLANs can be used to solve these issues
- Private VLANs are special VLANs that allow traffic only between specified VLANs
- Private VLANs are of two types
  o Primary VLAN
  o Secondary VLAN
- Secondary VLANs must be associated with a primary VLAN
- Secondary VLANs cannot communicate with each other
- Secondary VLANs can communicate only with the associated primary VLAN
- VTP does not carry any information about private VLANs
- Private VLANs are locally specific to the switch

- Secondary VLANs are of two types
  o Isolated
  o Community

Ports associated with | Communication with same VLAN ports | Communication with other secondary VLAN ports | Communication with primary VLAN ports
Isolated              | No                                 | No                                            | Yes
Community             | Yes                                | No                                            | Yes

- Private VLAN port types
  o Promiscuous: the switchport communicates with anything else connected to the primary or secondary VLANs. Typically connected to a router, firewall or common gateway device
  o Host: the switchport connects to a regular host that resides on an isolated or community VLAN. This port communicates with a promiscuous port or with ports in the same community VLAN
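The rules from the table above in code, as an added example (not from the study guide): two host ports can talk only when they share a community VLAN, an isolated host reaches nothing but the promiscuous port, and a promiscuous port reaches every secondary VLAN it is mapped to. It uses the VLAN numbers of configuration Example 1 below (100 primary, 10 and 20 community, 30 isolated); the port names match that example and the PrivateVlan helper is an assumption.

```python
# Added example (not from the study guide): private VLAN communication rules.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    secondary: Optional[int] = None         # host ports: the isolated/community VLAN they sit in
    promiscuous: bool = False
    mapped: FrozenSet[int] = frozenset()    # promiscuous ports: secondary VLANs they are mapped to


class PrivateVlan:
    def __init__(self, primary: int, secondaries: Dict[int, str]):
        """secondaries maps VLAN id -> 'isolated' | 'community' (the association list)."""
        for kind in secondaries.values():
            if kind not in ("isolated", "community"):
                raise ValueError(f"unknown secondary VLAN type {kind!r}")
        self.primary = primary
        self.secondaries = secondaries

    def host_port(self, name: str, secondary: int) -> PvlanPort:
        """switchport mode private-vlan host + host-association <primary> <secondary>"""
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")
        return PvlanPort(name, self.primary, secondary=secondary)

    def promiscuous_port(self, name: str, mapped: Iterable[int]) -> PvlanPort:
        """switchport mode private-vlan promiscuous + mapping <primary> <secondaries>"""
        return PvlanPort(name, self.primary, promiscuous=True, mapped=frozenset(mapped))

    def can_communicate(self, a: PvlanPort, b: PvlanPort) -> bool:
        if a.primary != b.primary:
            return False
        if a.promiscuous and b.promiscuous:
            return True
        if a.promiscuous or b.promiscuous:
            prom, host = (a, b) if a.promiscuous else (b, a)
            return host.secondary in prom.mapped   # the gateway reaches every mapped secondary
        # two host ports: only members of the same community VLAN talk to each other
        return (a.secondary == b.secondary
                and self.secondaries[a.secondary] == "community")
```

The mapping check on the promiscuous port matters operationally: a secondary VLAN that is associated with the primary but left out of the promiscuous port's mapping has hosts that cannot even reach the gateway.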

Private VLAN Configuration

Private VLAN configuration Example 1

Configuring Ports with Private VLANs
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fa 0/1 - 5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10


Switch(config)# interface range fa 0/6 - 10
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 20
Switch(config)# interface range fa 0/11 - 16
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
Switch(config)# interface fa 0/24
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30

Private VLAN configuration Example 2

Associating secondary VLANs to the primary VLAN SVI
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50
Switch(config-vlan)# exit
Switch(config)# interface vlan 200
Switch(config-if)# ip address 192.168.200.1 255.255.255.0
Switch(config-if)# private-vlan mapping 40,50

Securing VLAN trunks
- If the switch port is left at the default configuration (dynamic desirable), an attacker PC may send DTP packets to negotiate a trunk, and the port becomes a trunk port
- So the attacker may get access to other VLANs' data
- To avoid these attacks, the switchport should be configured to access mode if a PC is connected
- DTP negotiation will not happen if the port is set to access mode

VLAN Hopping Attack

- VLAN hopping attacks occur because of the use of untagged native VLANs
- These attacks can be avoided by
  o Setting the native VLAN of a trunk to a bogus or unused VLAN id
  o Pruning the native VLAN at both ends of the trunk link
- Even though the native VLAN is pruned from the trunk link, CDP, PAgP and DTP still carry management information as a special case
- The switch carries management information on the native VLAN, even though the native VLAN is not in the list of allowed VLANs

VLAN Hopping Attacks- Security Configuration Example

Configuring an 802.1Q trunk to carry only VLANs 10 and 20
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gig 0/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk
- Another method to avoid VLAN hopping attacks is to force the native VLAN to be tagged
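An added running-config audit (example code, not from the study guide) that checks the two defences described in this lesson: user ports left in a dynamic mode where DTP can negotiate a trunk, and trunks whose native VLAN is still 1 or still present in the allowed list. The sample configuration is constructed; its GigabitEthernet0/2 mirrors the example above, and treating a port with no switchport mode line as dynamic desirable is an assumption taken from the text on securing VLAN trunks.

```python
# Added example (not from the study guide): audit trunk/native-VLAN hardening in a
# running-config. The configuration below is constructed for the example.
import re
from typing import Dict, List, Set, Tuple

ALL_VLANS = frozenset(range(1, 4095))

SAMPLE_CONFIG = """\
!
vlan 800
 name bogus_native
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan remove 800
 switchport mode trunk
!
interface FastEthernet0/3
 description user port left at the platform default (dynamic desirable)
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands under their 'interface' line."""
    ifaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None          # '!' or another top-level command ends the block
    return ifaces


def vlan_list(spec: str) -> Set[int]:
    """Expand '10,20,30-35' into a set of VLAN ids."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def allowed_vlans(cmds: List[str]) -> Set[int]:
    """Replay 'switchport trunk allowed vlan ...' commands, starting from all VLANs."""
    allowed = set(ALL_VLANS)
    for c in cmds:
        if not c.startswith("switchport trunk allowed vlan "):
            continue
        args = c.split()[4:]
        kw = args[0]
        if kw == "add":
            allowed |= vlan_list(args[1])
        elif kw == "remove":
            allowed -= vlan_list(args[1])
        elif kw == "except":
            allowed = set(ALL_VLANS) - vlan_list(args[1])
        elif kw == "all":
            allowed = set(ALL_VLANS)
        elif kw == "none":
            allowed = set()
        else:
            allowed = vlan_list(kw)
    return allowed


def audit_trunks(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for ports that violate the two rules."""
    findings: List[Tuple[str, str]] = []
    for name, cmds in parse_interfaces(config).items():
        modes = [c for c in cmds if c.startswith("switchport mode ")]
        # Assumption: with no explicit mode the port is in the default described above
        mode = " ".join(modes[-1].split()[2:]) if modes else "dynamic desirable"
        if mode.startswith("dynamic"):
            findings.append((name, f"mode '{mode}' allows DTP negotiation; set access or trunk explicitly"))
            continue
        if mode != "trunk":
            continue
        native = 1
        for c in cmds:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings.append((name, "native VLAN is still 1; move it to an unused VLAN"))
        if native in allowed_vlans(cmds):
            findings.append((name, f"native VLAN {native} is in the allowed list; prune it from the trunk"))
    return findings
```

Run against a real running-config the same function flags every trunk that still carries its native VLAN untagged, which is the condition the hopping attack depends on, and every edge port that would still answer DTP.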


LESSON 18: WLANS


Wireless
- A shared Ethernet segment works at half duplex
- A switched Ethernet segment works at full duplex
- WLAN operates at half duplex
- Full duplex is possible in WLAN if the transmitting and receiving frequencies are different
- 802.11 standards permit only half-duplex
- 802.3 uses the CSMA/CD mechanism, 802.11 uses the CSMA/CA mechanism

Collisions
- When a transmitting wireless station transmits a frame, the receiving wireless station must send an acknowledgement to confirm the frame was received error-free
- 802.11 uses the CSMA/CA mechanism, which tries to avoid collisions by setting a random back-off timer
- WLAN uses the DCF (distributed coordination function) process, which tries to avoid collisions
- In 802.11 every station has to wait for a short amount of time called DIFS (DCF interframe space) before transmitting anything

DCF Process

RTS/CTS Mechanism

WLAN
- In a WLAN, clients communicate with an intermediate AP (access point)
- The AP matches some parameters before accepting any client association
  o SSID
  o Compatible wireless data rate
  o Authentication credentials
- SSID is the Service Set Identifier, a text string included in every wireless frame
- Generally the SSID is the AP's wireless card MAC address
- SSID is similar to a VLAN ID in switching networks

IBSS

BSS

ESS

AP Operation
- The AP is responsible for maintaining the WLAN
- It can cover a limited number of clients
- Multiple APs can be used to cover more clients
- The AP connects the wireless network with the wired network
- The AP supports open authentication or shared key authentication

Mapping VLANs to SSID

CELL

- The AP uses multiple SSIDs and maps them to VLANs
- End users use the appropriate SSID that has been mapped to the respective VLAN

- A cell is the coverage area of an AP
- The cell range is defined by AP capacity and antenna pattern
- The cell pattern is 3-dimensional
- The AP location must be carefully planned with live measurements of signal strength and quality
- All the clients must be placed within the cell for AP association
- Small cells are called microcells and very small cells are picocells

Roaming

- To cover a wide area, more APs can be used
- Adjacent APs can use different frequencies to avoid interference in the overlapping area
- Moving a client association from AP to AP is called roaming
- If the client keeps the same IP while roaming, it is called L2 roaming
- If the client changes its IP while roaming, it is called L3 roaming

Traditional WLAN architecture
- In a traditional WLAN, the AP works as an autonomous AP having its own security policies
- It becomes very difficult to manage the network if many autonomous APs exist


Cisco Unified WLAN Architecture
- Cisco Unified WLAN architecture provides centralized capabilities
  o WLAN security
  o WLAN deployment
  o WLAN management
  o WLAN control

WLAN Architectures Comparison


Cisco Unified WLAN Architecture Features
- LAP: Lightweight Access Point
  o The LAP performs only the real-time 802.11 operation
- WLC: Wireless LAN Controller
  o All management functions are performed on the WLC
  o The LAP totally depends on the WLC
  o A WLC is common to many LAPs
- The LAP and WLC form a tunnel between them to carry 802.11 related messages and client data
- The LAP and WLC need not be on the same subnet or VLAN
- The tunnel encapsulates the data between the LAP and WLC within new IP packets
- The tunneled data can be switched or routed across the campus network


WLC Functions
- Dynamic channel assignment
  o Chooses and configures the RF channel used by each LAP
- Transmit power optimization
  o Sets the transmit power of each LAP based on the coverage area needed
- Self-healing wireless coverage
  o If a LAP radio dies, the coverage area is healed by turning up the surrounding LAPs
- Flexible client roaming
  o Clients can have L3 or L2 roaming with very fast roaming times
- Dynamic client load balancing
  o If more LAPs cover the same area, load balancing occurs
- RF monitoring
  o Gathers information about RF interference, noise and signals from surrounding APs
- Security management
  o The WLC negotiates security parameters before accepting a client association

WLC Platforms

Model                         | Interface                                             | Attribute
2100                          | 8 10/100 TX                                           | Handles up to 6, 12, 25 LAPs
4402                          | 2 GigE                                                | Handles up to 12, 25, 50 LAPs
4404                          | 4 GigE                                                | Handles up to 100 LAPs
5500                          | 8 GigE                                                | Handles up to 12, 25, 50, 100, 250 LAPs
WiSM                          | 4 GigE bundled in an etherchannel for each controller | Catalyst 6500 module with two WLCs; handles up to 300 LAPs (150 per controller); up to 5 WiSMs in a single chassis
WLC module for ISR routers    | Can be integrated in 2800 and 3800 routers            | Handles up to 6, 8, 12, 25 LAPs
Catalyst 3750G integrated WLC | Integrated in 24-port 10/100/1000 TX switch           | Handles up to 50 LAPs per switch, up to 200 LAPs per switch stack

WCS
- WCS: Wireless Control System
- WCS is an optional server platform that can be used as a single GUI front-end to all WLCs in a campus network
- WCS can locate a wireless client by triangulating the client's signal as received by multiple APs
- 802.11 RFID tags can be deployed to track objects as they move around in the wireless coverage area

LAP

- The LAP is designed to be a zero-touch configuration
- The LAP finds a WLC and obtains its configuration parameters from the WLC

- A LAP can maintain a list of up to three WLCs (primary, secondary, tertiary)
- A LAP is always joined and bound to one WLC at any time
- If the WLC fails, the LAP reboots and searches for a live WLC again
- Client associations are dropped and no data passes during this time
- HREAP (Cisco Hybrid Remote Edge Access Point) is a special case, where LAPs are separated from the WLC by a WAN link
- HREAP works like an autonomous AP

Traffic Pattern


Roaming
- To make client roaming faster and easier, all client associations can be managed in a central location
- The LAP supports L2 and L3 roaming with the help of the WLC
- The client association is always contained within the LWAPP or CAPWAP tunnel

Intra Controller Roaming

Inter Controller Roaming- L2

Inter Controller Roaming- L3

Mobility Groups
- In inter-controller roaming, WLCs must exchange client association information
- For this, WLCs are configured into logical mobility groups
- A client can roam to any LAP and its associated WLC within the mobility group
- If the client moves to a LAP in a different mobility group, the WLC drops the session information, client association and IP address
- A mobility group can have up to 24 WLCs of any platform
- The number of LAPs in a mobility group depends on the number of WLCs

Autonomous AP


Light Weight AP