Introduction
Before you start reading these notes, you should have completed the following course or have
equivalent networking experience:
Icon
The following table lists the specific icons Cisco uses to represent network devices and
connections. The icon images are not reproduced here; the devices and connections they
represent are:
o Hub
o Bridge
o Switch
o Layer 3 Switch
o Router
o Access point
o Network cloud
o Ethernet connection
o Serial Line connection
o Wireless connection
o Virtual Circuit
What is the difference between Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet?
What are the three common submodules in a Cisco hierarchical network design?
Which submodule is designed to provide fast failure recovery?
What is a hierarchical network?
Where can you find distribution-layer and access-layer switches in a hierarchical network?
Current Layer 2 switches:
Type | Description
Layer 2 Switching |
Layer 7 Switching |
Submodule | Description
Building Access: The Building Access submodule, also known as the Access layer, contains end-user
workstations, IP phones, and the Layer 2 access switches that connect devices to the
Building Distribution submodule.
Building Distribution: The Building Distribution submodule, also known as the Distribution layer,
provides aggregation of the Building Access devices. It contains Layer 3 switches which
perform IP routing and implement QoS and access control. This submodule is
intended for fast failure recovery because it has two equal-cost paths to the core
layer.
Campus Backbone: The Campus Backbone submodule, also known as the Core layer, provides
redundant and fast-converging paths between distribution-layer switches. This submodule
is intended to route and switch traffic as fast as possible from one module to
another.
10-Gigabit Ethernet has a bandwidth of 10,000 Mbps (half duplex) or 20,000 Mbps (full
duplex).
Gigabit Ethernet has a bandwidth of 1,000 Mbps (half duplex) or 2,000 Mbps (full duplex).
Fast Ethernet has a bandwidth of 100 Mbps (half duplex) or 200 Mbps (full duplex).
The following image (not reproduced here) displays which Ethernet categories would be
implemented in a hierarchical network design. The table below lists the Ethernet standards
by category:
Category | Standard | Bandwidth | Cable Type | Maximum Segment Length
Ethernet | 10Base5 | 10 Mbps | Coaxial (thicknet) | 500 meters
Ethernet | 10Base2 | 10 Mbps | Coaxial (thinnet) |
Ethernet | 10BaseT | 10 Mbps (half duplex), 20 Mbps (full duplex) | Twisted pair (Cat3, 4, or 5) | 100 meters
Fast Ethernet | 100BaseTX | 100 Mbps (half duplex), 200 Mbps (full duplex) | Twisted pair | 100 meters
Fast Ethernet | 100BaseT4 | 100 Mbps (half duplex), 200 Mbps (full duplex) | Twisted pair | 100 meters
Fast Ethernet | 100BaseFX | 100 Mbps (half duplex), 200 Mbps (full duplex) | Fiber optic |
Gigabit Ethernet | 1000BaseSX (short) | 1,000 Mbps (half duplex), 2,000 Mbps (full duplex) | Fiber optic | varies depending on cable quality
Gigabit Ethernet | 1000BaseLX (long) | 1,000 Mbps (half duplex), 2,000 Mbps (full duplex) | Fiber optic |
Gigabit Ethernet | 1000BaseZX | 1,000 Mbps (half duplex), 2,000 Mbps (full duplex) | Fiber optic (single-mode) | 70 to 100 km depending on cable quality
Gigabit Ethernet | 1000BaseCX (short copper) | 1,000 Mbps (half duplex), 2,000 Mbps (full duplex) | Special copper |
Gigabit Ethernet | 1000BaseT | 1,000 Mbps (half duplex), 2,000 Mbps (full duplex) | Twisted pair (Cat5e) | 100 meters
10-Gigabit Ethernet | 10GBaseSR (short range) | 10,000 Mbps (full duplex) | Fiber optic | 26 to 82 meters with multi-mode cable
10-Gigabit Ethernet | 10GBaseLR (long range) | 10,000 Mbps (full duplex) | Fiber optic | 10 km with single-mode cable
10-Gigabit Ethernet | 10GBaseLRM (long reach multimode) | 10,000 Mbps (full duplex) | Fiber optic |
10-Gigabit Ethernet | 10GBaseER (extended range) | 10,000 Mbps (full duplex) | Fiber optic | 40 km with single-mode cable
10-Gigabit Ethernet | 10GBaseLX4 | 10,000 Mbps (full duplex) | Fiber optic |
10-Gigabit Ethernet | 10GBaseCX4 | 10,000 Mbps (full duplex) | Copper | 15 meters
10-Gigabit Ethernet | 10GBaseKX4 | 10,000 Mbps (full duplex) | Copper | <1 meter
10-Gigabit Ethernet | 10GBaseKR | 10,000 Mbps (full duplex) | Copper | <1 meter
10-Gigabit Ethernet | 10GBaseT | 10,000 Mbps (full duplex) | Twisted pair (Cat6) | 55 meters with Cat6
10-Gigabit Ethernet | 10GBaseT | 10,000 Mbps (full duplex) | Twisted pair partitioned (Cat6 partitioned) | 100 meters with Cat6 partitioned
What is the difference between the config-vlan mode and the VLAN configuration mode?
What is the difference between using exit or Ctrl + Z when changing configuration modes?
What three different duplex modes can be set on the interface?
What will be the result of disabling the Auto-MDIX?
Mode | Prompt | To Enter | To Exit
User EXEC | Switch> | |
Privileged EXEC | Switch# | enable |
Global Configuration | Switch(config)# | config terminal | exit, ^Z*
Line | Switch(config-line)# | line <type> <number> | exit, ^Z*
Interface | Switch(config-if)# | interface <type> <number> | exit, ^Z*
Config-vlan | Switch(config-vlan)# | vlan <1-4094> | exit, ^Z*
VLAN configuration | | vlan database | exit, ^Z*
Details for VLAN configuration mode: Changes made in the VLAN configuration mode do not take
effect until you save the changes, either before or while exiting the configuration mode.
Changes made in the VLAN configuration mode are not stored in the regular switch
configuration file.
To... / Use...
Change the host name of the switch:
Switch(config)#hostname <name>
Set the privileged EXEC (enable) password:
Switch(config)#enable password <password>
Set a console password and require it at login:
Switch(config)#line con 0
Switch(config-line)#password <password>
Switch(config-line)#login
Encrypt the passwords stored in the configuration:
Switch(config)#service password-encryption
Display the running configuration:
Switch#show running-config
Display the startup configuration:
Switch#show startup-config
or
Switch#show config
To... / Use...
Select a range of interfaces to configure at once:
switch(config)#interface range <type> <number>
Examples:
switch(config)#interface range fastethernet 0/14 - 24
switch(config)#interface range gigabitethernet 0/1 - 4
switch(config)#interface range fa 0/1 - 4 , 7 - 10
switch(config)#interface range fa 0/8 - 9 , gi 0/1 - 2
Set the interface speed:
switch(config-if)#speed 10
switch(config-if)#speed 100
switch(config-if)#speed 1000
switch(config-if)#speed auto
Set the duplex mode:
switch(config-if)#duplex half
switch(config-if)#duplex full
switch(config-if)#duplex auto
Enable the interface:
switch(config-if)#no shutdown
Disable the interface:
switch(config-if)#shutdown
using auto-negotiation, a mismatch will occur, resulting in very poor performance and
Layer 2 error frames. This is because the auto-negotiating link partner did not receive
auto-negotiation parameters from the other link partner and consequently defaulted to half
duplex as defined in the IEEE 802.3u specification.
Always manually configure the speed and duplex settings for critical connections. Use
auto-negotiation for connections to user workstations.
VLANs
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
VLAN Facts
A virtual LAN (VLAN) can be defined as:
Using VLANs lets you assign devices on different switch ports to different logical (or virtual)
LANs. The following graphic shows a single-switch VLAN configuration.
In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet
ports 0/3 and 0/4 are members of VLAN 2.
In the graphic above, workstations in VLAN 1 will not be able to communicate with
workstations in VLAN 2, even though they are connected to the same physical switch.
Defining VLANs creates additional broadcast domains. The above example has two
broadcast domains, each of which corresponds to one of the VLANs.
By default, switches come configured with several default VLANs:
o VLAN 1
o VLAN 1002
o VLAN 1003
o VLAN 1004
o VLAN 1005
On Cisco switches, the default VLAN configuration on a single port is VLAN 1. If no
configuration changes are made on the switch, all ports have VLAN 1 as their native
VLAN.
You can isolate network failures to a particular subnet (within a single VLAN)
You can simplify device moves (devices are moved to new VLANs by modifying the port
assignment)
You can control broadcast traffic and create collision domains based on logical criteria
You can control security (isolate traffic within a VLAN)
You can load-balance network traffic (divide traffic logically rather than physically)
Type | Description
End-to-End VLANs: End-to-end VLANs are VLANs that span throughout the entire network. End-to-end
VLANs:
Local VLANs: Local VLANs are VLANs that are local to a specific domain, such as the building
access submodule. Local VLANs (data and voice):
o Are limited to a single access switch within a wiring closet (the single switch
should be configured with a limited amount of VLANs)
o Should not be extended beyond the building distribution submodule
o Result in user traffic crossing a Layer 3 device to reach network resources
o Are easier to troubleshoot because they isolate traffic to a particular network
segment
Note: When designing the VLAN configuration in a hierarchical network, the local
VLAN concept is recommended.
VLANs are created through one of the following:
Type | Description
Static: Static VLANs are manually configured on the switch's physical interface using the
command line. Static VLANs work well when network additions, changes, and moves
are rare.
Note: By default, all ports are static-access ports assigned to VLAN 1.
Dynamic: Dynamic VLANs are created through a VLAN Management Policy Server (VMPS). The
VMPS has a database of MAC addresses mapped to specific VLANs. When an incoming
frame is first received on a port, the VMPS views the MAC address, compares it to the
database, and assigns the port to a particular VLAN. Be aware of the following Dynamic
VLAN details:
o The VMPS database should be created by the network engineer and then
uploaded to the switch.
o A dynamic port can only belong to one VLAN at a time.
o Multiple hosts may be active on a dynamic port only if they all belong to the same
VLAN.
Note: Only some Cisco Catalyst switches support VMPS and dynamic VLANs.
To... / Use...
Define a VLAN:
switch(config)#vlan <1-4094>
switch(config-vlan)#name WORD
Giving the VLAN a name is optional. VLAN names must be unique.
Delete a VLAN:
switch(config)#no vlan <1-4094>
When you delete a VLAN, all ports assigned to the VLAN remain associated with the deleted
VLAN, and are therefore inactive. You must reassign the ports to the appropriate VLAN.
Assign a port to a VLAN as a static access port:
switch(config-if)#switchport access vlan <1-4094>
switch(config-if)#switchport mode access
Display the VLANs on the switch and the ports assigned to each:
switch#show vlan
switch#show vlan brief
Example
The following commands create VLAN 12 named IS_VLAN, identify port 0/12 as having only
workstations attached to it, and assign the port to VLAN 12.
switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 12
To manage the Layer 2 switch from a remote network, you will need to give VLAN 1 (the default
management VLAN) an IP address, as well as configure the default gateway on the switch. Keep in
mind the following facts about IP addresses configured on switches:
Basic switches operate at Layer 2, and therefore do not need an IP address to function. In
fact, a switch performs switching functions just fine without an IP address set.
You only need to configure a switch IP address if you want to manage the switch from a
Telnet or Web session.
A Layer 2 switch itself has only a single (active) IP address. Each switch port does not have
an IP address (unless the switch is performing Layer 3 switching). The IP address identifies
the switch as a host on the network but is not required for switching functions.
To configure the switch IP address, you set the address on the VLAN 1 interface. This is a logical
interface defined on the switch to allow management functions. Use the following commands to
configure the switch IP address:
switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 1.1.1.1 255.255.255.0
switch(config-if)#no shutdown
To enable management from a remote network, you will also need to configure the default
gateway. Use the following command in global configuration mode:
switch(config)#ip default-gateway 1.1.1.254
Note: You can use the ip address dhcp command to configure a switch to get its IP address from a
DHCP server. The DHCP server can be configured to deliver the default gateway and DNS server
addresses to the Cisco device as well. The manually-configured default gateway address overrides
any address received from DHCP.
VLAN Trunking
As you study this section, answer the following questions:
When does the trunking protocol not tag the frame over a trunk link, and how does it handle
the frame?
When does dynamic trunking configure a trunk link?
What happens if two switches on a VLAN trunk are both configured for auto dynamic
trunking?
After finishing this section, you should be able to complete the following tasks:
103. Explain and configure VLAN trunking (i.e., IEEE 802.1Q and ISL)
105. Verify or troubleshoot VLAN configurations.
In the above graphic, each switch has two VLANs. Each VLAN is assigned to a single port
(the port is known as an access port).
Workstations in VLAN 1 can only communicate with workstations in VLAN 1. This means
that the two workstations connected to the same switch cannot communicate with each
other. Communications within the VLAN must pass through the trunk link to the other
switch.
Trunk ports identify which ports are connected to other switches.
Trunk ports can automatically carry traffic for all VLANs defined on the switch. You can
prevent traffic from a specific VLAN from being carried on the trunk through a specific
configuration.
Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a
trunking port.
When trunking is used, frames that are sent over a trunk port are tagged with the VLAN ID number
so that the receiving switch knows to which VLAN the frame belongs.
Tags are appended by the first switch in the path, and removed by the last.
Only VLAN-capable devices understand the frame tag.
Tags must be removed before a frame is forwarded to a non-VLAN-capable device.
The trunking protocol describes the format that switches use for tagging frames with the VLAN ID.
Cisco devices support two trunking protocols:
Trunking Protocol | Characteristics
Inter-Switch Link (ISL): Inter-Switch Link (ISL) trunking protocol details include the following:
802.1Q:
Be aware of the following facts regarding the trunking protocols:
Note: When using multiple vendors in a switched network, be sure each switch
supports the 802.1Q standards if you want to implement VLANs.
Cisco switches have the ability to automatically detect ports that are trunk ports, and to negotiate
the trunking protocol used between devices. Switches use the Dynamic Trunking Protocol (DTP) to
detect and configure trunk ports. For example, when you connect two switches together, they will
automatically recognize each other and select the trunking protocol to use.
VLAN Trunking Command List
The following table lists important commands for configuring and monitoring trunking on a switch.
To... / Use...
Enable unconditional trunking on the interface. The port will not use Dynamic Trunking
Protocol (DTP) on the interface:
Switch(config-if)#switchport mode trunk
Set the trunking protocol, or allow the trunking protocol to be negotiated:
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport trunk encapsulation negotiate
Note: Not all Catalyst switches allow configuration of the trunking protocol.
Configure the VLAN that is sending and receiving untagged traffic on the trunk port when
the interface is in 802.1Q trunking mode:
Switch(config-if)#switchport trunk native vlan <vlan id>
Set which VLANs are allowed to communicate over the trunk:
Switch(config-if)#switchport trunk allowed vlan all
Switch(config-if)#switchport trunk allowed vlan add <vlan id>
Remove VLANs that are not allowed to communicate over the trunk:
Switch(config-if)#switchport trunk allowed vlan remove <vlan id>
Note: The default allows all VLANs in the VLAN database to communicate over the trunk.
Enable automatic trunking discovery and configuration. The switch uses DTP to configure
trunking:
Switch(config-if)#switchport mode dynamic auto
Enable dynamic trunking configuration:
Switch(config-if)#switchport mode dynamic desirable
Set the interface to access (non-trunking) mode:
Switch(config-if)#switchport mode access
The show interfaces output described later in these notes lists the interface's:
o Mode
o Encapsulation
o Trunking status
o VLAN assignments
Two switches both configured to use auto dynamic trunking will not trunk. At least one of
the switches must be set to manually trunk or to use desirable dynamic trunking.
To avoid auto-negotiation on trunk ports, manually configure the speed and duplex.
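As an added example that is not part of the original notes, the following Python simulation shows the two trunking behaviours described above: which pairs of switchport modes actually form a trunk under DTP (two "dynamic auto" ports do not), and how an 802.1Q trunk port tags frames on egress, leaves native-VLAN frames untagged, classifies untagged frames it receives into the native VLAN, and filters VLANs outside the allowed list. The frames, MAC addresses and VLAN numbers are constructed for the example, and the forms_trunk function and TrunkPort class are this example's own names, not IOS features.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def forms_trunk(mode_a, mode_b):
    """Does a link between ports in these switchport modes come up as a trunk?

    Modes: 'trunk', 'access', 'dynamic auto', 'dynamic desirable'.
    'dynamic auto' only answers DTP requests, so two auto ports never trunk
    (the rule stated in the notes); an access port never trunks at all.
    """
    modes = {mode_a, mode_b}
    if "access" in modes:
        return False
    if "trunk" in modes or "dynamic desirable" in modes:
        return True
    return False  # both sides dynamic auto


class TrunkPort:
    """A trunk port with a native VLAN and an optional allowed-VLAN list
    (None means the default: every VLAN in the VLAN database is allowed)."""

    def __init__(self, native_vlan=1, allowed=None):
        self.native_vlan = native_vlan
        self.allowed = None if allowed is None else set(allowed)

    def is_allowed(self, vlan):
        return self.allowed is None or vlan in self.allowed

    def egress(self, dst, src, payload, vlan):
        """Frame sent onto the trunk for traffic belonging to `vlan`.
        payload = EtherType plus data; returns None if the VLAN is not allowed."""
        if not self.is_allowed(vlan):
            return None
        if vlan == self.native_vlan:
            return dst + src + payload              # native VLAN goes untagged
        tci = vlan & 0x0FFF                         # PCP 0, DEI 0, 12-bit VID
        return dst + src + struct.pack("!HH", TPID_8021Q, tci) + payload

    def ingress(self, frame):
        """Classify a frame received on the trunk.
        Returns (vlan, frame with the tag removed) or None if not allowed."""
        dst, src = frame[:6], frame[6:12]
        if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
            vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            untagged = dst + src + frame[16:]
        else:
            vlan = self.native_vlan                 # untagged frames land in the native VLAN
            untagged = frame
        if not self.is_allowed(vlan):
            return None
        return vlan, untagged


# Constructed sample frame pieces: broadcast destination, locally administered
# source address, ARP EtherType followed by a zero-filled body.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")
PAYLOAD = bytes.fromhex("0806") + bytes(28)


def demo():
    """Send VLAN 1 (native), VLAN 10 and VLAN 30 across a trunk that allows
    VLANs 1, 10 and 20, then classify what came out; VLAN 30 is filtered."""
    port = TrunkPort(native_vlan=1, allowed={1, 10, 20})
    results = {}
    for vlan in (1, 10, 30):
        frame = port.egress(DST, SRC, PAYLOAD, vlan)
        results[vlan] = None if frame is None else port.ingress(frame)
    return results


if __name__ == "__main__":
    for vlan, result in demo().items():
        print(vlan, "->", "filtered" if result is None
              else f"vlan {result[0]}, {len(result[1])} bytes")
    print("auto/auto trunks?", forms_trunk("dynamic auto", "dynamic auto"))
```

The ingress path is the part worth remembering when hardening a switch: any untagged frame that arrives on a trunk is placed in the native VLAN, which is why the native VLAN is normally set to an otherwise unused VLAN ID, and why ports that face end users are fixed with switchport mode access rather than left to negotiate trunking.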
What two conditions on switches will not allow you to modify the VLAN configuration?
What is the easiest way to recover from losing the only VTP server?
Which type of VTP message is the most frequently sent by switches?
What happens when you add a switch to the network with a higher revision number to your
VTP configuration?
How do you remove a VTP domain name?
After finishing this section, you should be able to complete the following tasks:
VTP Facts
The VLAN Trunking Protocol (VTP) simplifies VLAN configuration on a multi-switch network by
propagating configuration changes to other switches. With the VTP, switches are placed in one of
the following three configuration modes.
Mode | Characteristics
Server: A switch in server mode is used to modify the VLAN configuration. On a server:
Client: A switch in client mode receives changes from a VTP server and passes VTP
information to other switches. On a client:
Transparent: A switch in transparent mode allows for local configuration of VLANs, but does not
update its configuration based on the configuration of other switches. On a transparent
switch:
Advertisement type | Description
Summary:
Subset: Subset advertisements are sent after a VLAN has been added, deleted, or changed
on a switch in server mode. One or several subset advertisements follow the
summary advertisement. A subset advertisement contains a list of VLAN
information. If there are several VLANs, more than one subset advertisement can
be required in order to advertise all the VLANs.
Advertisement Request: Advertisement requests are sent by switches configured as clients. A
switch sends a VTP advertisement request in these situations:
By default, switches are preconfigured in server mode. If you do not intend to use VTP,
configure each switch to use transparent mode.
A VTP Domain is one or several switches that share the same VTP environment. Catalyst
switches only support a single VTP domain per switch.
You can have multiple VTP servers in the same domain on the network. Changes made to
any server are propagated to other client and server switches.
To make VLAN changes on a switch, the switch must be in either server or transparent
mode. You cannot modify the VLAN configuration if:
o The switch is in client mode
o The switch is in server mode without a configured domain name.
VTP uses the following process for communicating updates:
1. VTP summary advertisement packets contain the domain name, MD5 version of the
password, and the revision number.
2. When a switch receives a summary packet, it compares the domain name and
password in the packet with its own values. If the domain name and password do not
match, the packet is dropped.
3. If the domain name and password match, the switch compares the revision number
in the packet.
4. If the revision number in the packet is lower or equal, the packet is ignored. If it is
higher, the switch sends an advertisement request for the latest updates.
5. When the updates are received, the VLAN configuration and the revision number are
updated.
If you lose your only VTP server, the easiest way to recover is to change one of the VTP
clients to server mode. VLAN information and revision numbers remain the same.
Switches must meet the following conditions before VTP information can be exchanged:
o The switches must be connected by a trunk link (VTP is not used on access ports).
o Switches must be in the same domain. Switches in different domains do not share or
forward VTP information. Transparent switches must be in the same domain or have
a null domain name to pass VTP information to other switches.
o Passwords on each device must match. The password is included in each VTP
advertisement. The receiving switch compares the password in the advertisement
with its configured password. It will only accept information in the packet if the
passwords match. The password provides a method of authenticating that the packet
contents came from a trusted source.
Connecting two switches with different VTP domains works only if you manually turn
trunking on. VTP information is carried in DTP packets, so only switches in the same
domain can use DTP for automatic trunking configuration. However, when two switches
with different domains are connected, VTP information will not be passed between the
switches.
When you change the VLAN configuration on a server, the revision number is incremented.
The revision number on a transparent switch remains at 0, even when changes are made to
the VLAN configuration.
All devices in the domain must use the same VTP version. By default, VTP version 2 is
disabled. Only enable VTP version 2 if all devices support version 2.
VTP pruning is a feature that eliminates or prunes unnecessary broadcast traffic. For
instance, VTP pruning will only forward broadcast messages to switches which have ports
assigned to a particular VLAN ID.
To... / Use...
Configure the VTP mode of the switch:
Switch(config)#vtp mode {server | client | transparent}
Note: The default mode is server.
Configure the VTP domain of the switch:
Switch(config)#vtp domain WORD
Enable VTP pruning:
Switch(config)#vtp pruning
If you add a switch to the network with a higher revision number, the VLAN configuration
on that switch will update (modify) the existing VLAN configuration on all other switches
in the domain. This is true even if the switch you add is a client. Client switches pass their
configuration information on to other switches. This information can be used to update
server or client switches with lower revision numbers.
If you add a switch to the network with a lower revision number, the switch's configuration
will be modified to match the configuration currently used on the network. This is true even
if the switch you add is a server.
To prevent disruptions to the existing configuration when adding new switches, reset the
revision number on all new switches before adding them to the network. The revision
number resets to 0 each time you:
o Change the domain name.
o Change the VTP mode to transparent.
Before adding a switch back into the network, change the domain name or the mode to
transparent, then change it back to its original setting.
Be sure to place switches in the same domain adjacent to each other through trunk links. If
you insert a switch with a different domain name between two switches, VTP information
will not be passed through the new switch. To correct this problem, use one of the following
solutions:
o Modify the domain name on the new switch to match the existing switches.
o Move the new switch so that switches in the same domain are connected directly
together.
Note: Once set, you cannot completely remove a domain name. In other words, once you
have configured a VTP domain name, you can only change the name, you cannot remove it
completely.
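The update process and the revision-number hazard described in this section, as an added example that is not part of the original notes: a small Python simulation in which each switch checks the domain name, the MD5 digest of the password and the revision number of a summary advertisement, pulls the VLAN database only when the advertised revision is higher, and shows how a switch brought in from elsewhere with a higher revision overwrites a server's VLANs unless its revision is reset first. The MD5-of-password digest is a simplification (the real VTP digest also covers the VLAN database), and the switch names, VLANs, domain and password are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def password_digest(password):
    """Simplified stand-in for the MD5 digest carried in VTP advertisements
    (the real digest also covers the VLAN database); assumption for this example."""
    return hashlib.md5(password.encode()).hexdigest()


@dataclass
class Summary:
    """Fields of a summary advertisement that the receiver checks."""
    domain: str
    digest: str
    revision: int


@dataclass
class VtpSwitch:
    name: str
    mode: str                 # 'server', 'client' or 'transparent'
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def summary(self):
        return Summary(self.domain, password_digest(self.password), self.revision)

    def add_vlan(self, vid, name):
        """Local VLAN change: refused in client mode or on a server with no domain."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN changes are not allowed in client mode")
        if self.mode == "server" and not self.domain:
            raise PermissionError(f"{self.name}: server mode needs a configured domain name")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1    # a transparent switch stays at revision 0

    def receive(self, adv, sender):
        """Steps 1-5 of the VTP update process for one summary advertisement."""
        if self.mode == "transparent":
            return "forwarded"    # passed on, own database untouched
        if adv.domain != self.domain or adv.digest != password_digest(self.password):
            return "dropped"      # step 2: domain or password mismatch
        if adv.revision <= self.revision:
            return "ignored"      # step 4: nothing newer on offer
        # steps 4-5: request the updates and replace the local VLAN database
        self.vlans = dict(sender.vlans)
        self.revision = adv.revision
        return "updated"

    def reset_revision(self):
        """Changing the domain name or switching to transparent mode zeroes the
        revision number; here the mode is flipped to transparent and back."""
        original_mode = self.mode
        self.mode = "transparent"
        self.revision = 0
        self.mode = original_mode


def build_domain():
    """Constructed two-switch domain: one server with VLANs 10 and 20, one client."""
    server = VtpSwitch("S1", "server", "CAMPUS", "s3cret")
    client = VtpSwitch("S2", "client", "CAMPUS", "s3cret")
    server.add_vlan(10, "USERS")
    server.add_vlan(20, "VOICE")
    client.receive(server.summary(), server)
    return server, client


def insert_switch(reset_first):
    """Add a switch last used elsewhere (same domain and password, but a stale
    VLAN database at revision 7) and report what happens to the server."""
    server, _client = build_domain()
    newcomer = VtpSwitch("LAB", "client", "CAMPUS", "s3cret", revision=7,
                         vlans={1: "default", 99: "LAB"})
    if reset_first:
        newcomer.reset_revision()
    outcome = server.receive(newcomer.summary(), newcomer)
    return outcome, sorted(server.vlans)


if __name__ == "__main__":
    print("without reset:", insert_switch(False))   # ('updated', [1, 99]): stale database wins
    print("with reset:   ", insert_switch(True))    # ('ignored', [1, 10, 20]): live database survives
```

Note that the newcomer is a client and still overwrites the server, exactly as the text says; the password only proves the advertisement came from a switch that knows the password, it says nothing about whether that switch's database is the one you want. The reset step is the operational control that prevents the overwrite.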
When examining the output from the show interfaces fa 0/1 trunk command, what does
the n- in front of the protocol designate?
How can you determine which VLANs are allowed to communicate over a trunk link?
How can you determine when an interface is operating as an access port or a trunk port?
Which command displays an overview of VLAN and trunking information of an interface?
After finishing this section, you should be able to complete the following tasks:
Field | Description
Name: Displays the port name. This is the interface specified in the command.
Switchport:
Administrative Mode: The mode configured on the port with one of the following interface
configuration commands:
switchport mode access
switchport mode trunk
switchport mode dynamic auto
switchport mode dynamic desirable
Operational Mode: The operational mode is how the port is actually operating. In this output,
the port is in dynamic auto administrative mode, but the port is operating
as an access port.
Administrative Trunking Encapsulation:
Operational Trunking Encapsulation:
Negotiation of Trunking:
Trunking Native Mode VLAN: Lists the VLAN ID of the trunk that is in native mode. This is
configured with the switchport trunk native vlan <vlan id> interface configuration
command.
Trunking VLANs Enabled: Lists the allowed VLANs on the trunk. This is configured with the
following interface configuration commands:
switchport trunk allowed vlan all
switchport trunk allowed vlan add <vlan id>
switchport trunk allowed vlan remove <vlan id>
In the output above, all VLANs are permitted to communicate on the trunk
if it was in trunking mode.
Pruning VLANs Enabled: Lists the VLANs which have been pruned from the interface.
The following is output generated from the show interfaces fa 0/1 trunk command and a table
describing the output values.
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           n-802.1q       trunking

Port        Vlans allowed on trunk
Fa0/1

Port        Vlans allowed and active in management domain
Fa0/1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1

Value | Description
Mode: This is the administrative mode on the interface. The administrative
mode is configured with the following interface configuration
commands:
switchport mode access
switchport mode trunk
switchport mode dynamic auto
switchport mode dynamic desirable
Native VLAN: The native VLAN is the VLAN which will not be tagged with 802.1Q
tags. Frames from all other VLANs are tagged.
Vlans allowed on trunk: Lists the allowed VLANs on the trunk. This is configured with the
following interface configuration commands:
switchport trunk allowed vlan all
switchport trunk allowed vlan add <vlan id>
switchport trunk allowed vlan remove <vlan id>
Vlans allowed and active in management domain: Lists the VLANs which are configured on the
switch and allowed over the trunk link.
Note: If the VLANs are configured on the switch but are not permitted
to communicate on the trunk, they will not be listed here.
Vlans in spanning tree forwarding state and not pruned: Lists the VLANs that are
pruning-eligible.
Note: If you do not specify an interface with the show interfaces trunk command, only
information for active trunking ports appears.
After finishing this section, you should be able to complete the following tasks:
201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP,
PVRST, MISTP).
STP Facts
To provide for fault tolerance, many networks implement redundant paths between devices using
multiple switches. However, providing redundant paths between segments causes packets to be
passed between the redundant paths endlessly. This condition is known as a bridging loop.
To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree
algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for
each route is assigned as the designated bridge. Only the designated bridge can forward packets.
Redundant bridges (and switches) are assigned as backups.
The spanning tree algorithm provides the following benefits:
The spanning tree algorithm calculates the best loop-free path through a network by assigning a
role to each bridge or switch and by assigning roles to the ports of each bridge or switch. The
bridge role determines how the device functions in relation to other devices, and whether the device
forwards traffic to other segments.
Role | Characteristics
Root bridge: The root bridge is the master or controlling bridge.
There is only one root bridge in the network. The root bridge is the logical
center of the spanning-tree topology in a switched network.
The root bridge is determined by the switch with the lowest bridge ID (BID).
o The bridge ID is composed of two parts: a bridge priority number and
the MAC address assigned to the switch.
o The default priority number for all switches is 32,768 (0x8000 in
hexadecimal). This means that for unconfigured switches, the switch
Note: Newer switches add the VLAN number to the priority value. For example, if
you configure a priority value of 4096, the switch will use the priority of 4097 for
VLAN 1, 4098 for VLAN 2, and so on.
Designated bridge: A designated bridge is any other device that participates in forwarding
packets through the network.
Backup bridge: Backup bridges listen to network traffic and build the bridge database.
However, they will not forward packets.
A backup bridge can take over if the root bridge or a designated bridge fails.
Switches send special packets called Bridge Protocol Data Units (BPDUs) out each port to the
multicast address 01:80:C2:00:00:00. BPDUs sent and received from other bridges are used to
determine the bridge roles and port states, verify that neighbor devices are still functioning, and
recover from network topology changes. STP uses the following types of BPDUs:
A Configuration BPDU is sent by the root bridge on all its ports. Each BPDU contains STP
parameters which are critical to STP stability. Only the root bridge generates the
configuration BPDU, guaranteeing that there is no mismatching STP information. If
configuration BPDUs are not received by root ports on other bridges, a topology change
may occur.
A Topology Change (TC) BPDU is generated by the switch when it detects a topology
change, such as the following:
o A port in forwarding or listening transitions to blocking
o A port moves to forwarding state, and the bridge already has a designated port
o A Non-root bridge receives a TC on its designated port (a propagation TC is sent)
During the negotiation process and normal operations, each switch port is in one of the following
states:
Port State | Description
Disabled: A port in the disabled state is powered on but does not participate in listening to
network messages or forwarding them. A bridge must be manually placed in the
disabled state.
Blocking: When a device is first powered on, its ports are in the blocking state. In addition,
backup bridge ports are always in the blocking state. Ports in the blocking state receive
packets and BPDUs sent to all bridges, but will not process any other packets.
Listening: The listening state is a transitional state between blocking and learning. The port
remains in the listening state for a specific period of time. This time period allows
network traffic to settle down after a change has occurred. For example, if a bridge
goes down, all other bridges go to the listening state for a period of time. During this
Learning: A port in the learning state is receiving packets and building the bridge database
(associating MAC addresses with ports). A timer is also associated with this state. The
port goes to the forwarding state after the timer expires.
Forwarding: The root bridge and designated bridges are in the forwarding state when they can
receive and forward packets. A port in the forwarding state can both learn and forward.
All ports of the root switch are in forwarding mode.
The following timers affect STP performance and state changes:
The hello time is the time between each BPDU that is sent on a port by the root bridge and
forwarded by other designated bridges. It is 2 seconds by default, but can be configured
between 1 and 10 seconds.
The forward delay is the time spent in the listening and learning states. It is 15 seconds by
default, but can be configured between 4 and 30 seconds.
The max age timer controls the maximum length of time a bridge port saves its
configuration BPDU information. It is 20 seconds by default, but can be configured
between 6 and 40 seconds.
Note: Although it is possible to tune spanning-tree timers, the recommendation is to leave the
spanning tree timers at their default values.
During the configuration process, ports on each switch are configured as one of the following
types:
Port type | Description
Root port: The port on the designated switch with the lowest port cost back to the root bridge is
identified as the root port.
o Each designated switch has a single root port (a single path back to the root
bridge).
o Root ports are in the forwarding state.
o The root bridge does not have a root port.
Designated port: One port on each segment is identified as the designated port. The designated
port identifies which port on the segment is allowed to send and receive frames onto that
segment. Designated ports are selected based on the lowest path cost to get back to the
root switch.
o All ports on the root bridge are designated ports (unless a switch port loops
back to a port on the same switch).
o Designated ports are used to send frames back to the root bridge.
o Designated ports are in the forwarding state.
Blocking port: A blocking port is any port that is not a root or a designated port. A blocking port
is in the blocking state.
When determining both the root port and designated ports on non-root bridge switches, the
switches use the following criteria to select the port that is closest to the root bridge.
1. The port with the lowest cost to get back to the root bridge becomes the root or designated
port. Default IEEE port costs include the following:
10 Mbps = 100
100 Mbps = 19
1 Gbps = 4
10 Gbps = 2
2. If two paths have the same cost, the bridge ID of the next switches in each path is
compared. The path with the switch with the lowest bridge ID becomes the path back to the
root. Remember that the bridge ID is composed of two parts:
o The priority number assigned to the switch.
o The MAC address used by the switch.
If the priority numbers are the same on both switches, the switch with the lowest MAC
address is the path back to the root.
3. If the switch has two ports that have the same cost back to the root (for example, if two
connections exist to the same switch), the port on the switch with the lowest port ID
becomes the designated port.
o The port ID is derived from two numbers: the port priority and the port number.
o The port priority ranges from 0-255, with a default of 128.
o The port number is the number of the port. For example, the port number for Fa0/3
is 3.
o With the default port priority setting, the lowest port number becomes the
designated port.
Spanning Tree Example
By default, spanning tree is enabled on all Cisco switches. When you add switches to the network,
spanning tree operates automatically to identify the root bridge and configure each port to prevent
loops. In a small environment, you can probably rely on the switches to configure themselves. In a
large environment, however, you will need to plan the network so that you can control which
switch becomes the root bridge, and so you can identify ports that should be blocking or
forwarding.
To identify how spanning tree will configure switches in a network, you will need to know the
bridge ID for each bridge (which includes the priority value and the MAC address). If no priority
value is included, assume the default priority of 32768. With the bridge ID and MAC addresses,
use the following process to identify the state of each port:
1. Identify the root bridge. The root bridge is the switch with the lowest bridge ID.
o The switch with the lowest priority value is the root bridge.
o If two or more switches have the same priority value, the switch with the lowest
MAC address is the root bridge.
2. On the root bridge, label each port as a designated port.
3. For every other bridge, identify its root port. The root port is the port with the lowest cost
back to the root bridge.
o To identify the cost, add the cost for each segment back to the root bridge.
o If two paths have the same cost, then look at the bridge ID of the next switch in the
path.
4. After labeling each root port, identify a designated port for each segment that does not
already have a designated port.
o The designated port will be the port that connects to the path with the lowest cost
back to the root bridge.
o If two paths have the same cost, compare the bridge ID of the next switch in the
path.
5. At this point, each segment should have a designated port identified. For any ports not
labeled as a root port or a designated port, indicate that the port is a blocking port.
The following graphic illustrates a switched network with redundant paths. The priority values and
MAC addresses for each switch are identified. Numbers on each link are used to identify the link.
Each link has the same cost value.
If all switches had the same priority value, then switch B would have been the root bridge
because its MAC address is the lowest. Changing the root bridge would also change several
other port states.
Changing the priority on switch D to 8192 would have the following effects:
o The root port on switch C would change to Fa0/1. The path through switch D would
be preferred over the path through switch B because of the lower priority number.
o The designated port for segment 5 would change to Fa0/2 on switch D, while Fa0/2
on switch B would be blocking.
o Fa0/2 on switch C would change to blocking.
Assuming the default cost value of 19 for FastEthernet links, changing the cost of segment 1
to 100 would have the following effects:
o The root port on switch D would be Fa0/2. The total cost of that path would be 38.
o The designated port for segment 4 would be Fa0/1 on switch C. Port Fa0/3 on switch
D would now be blocking.
o Port Fa0/1 on switch D would be blocking because Fa0/2 would be used to reach the
root bridge.
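The election and port-selection rules above, applied by a script added here (not code from the original notes) to a constructed four-switch square. The switch names, MAC addresses, segment numbers and the helper names with_priority and with_link_cost are assumptions; the script also repeats the two what-if changes discussed above (lowering one switch's priority, raising one segment's cost) on that constructed topology, so you can see the root and the port roles move.

```python
"""Spanning tree role calculation for a small switched topology.
Added example, not part of the original notes: the switches, MAC addresses
and links below are constructed for illustration."""
import heapq

# Default IEEE port costs from the notes, keyed by link speed in Mbps.
IEEE_PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128


def bridge_id(switches, name):
    """Bridge ID = (priority, MAC address); the lowest value wins."""
    priority, mac = switches[name]
    return (priority, mac.lower())


def port_id(port, priority=DEFAULT_PORT_PRIORITY):
    """Port ID = (port priority, port number); Fa0/3 has port number 3."""
    return (priority, int(port.rsplit("/", 1)[-1]))


def root_path_costs(switches, links, root):
    """Lowest total link cost from every switch back to the root (Dijkstra)."""
    cost = {name: float("inf") for name in switches}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        here_cost, here = heapq.heappop(heap)
        if here_cost > cost[here]:
            continue
        for _, (sw_a, _), (sw_b, _), link_cost in links:
            if here not in (sw_a, sw_b):
                continue
            other = sw_b if here == sw_a else sw_a
            if here_cost + link_cost < cost[other]:
                cost[other] = here_cost + link_cost
                heapq.heappush(heap, (cost[other], other))
    return cost


def spanning_tree(switches, links):
    """Return (root bridge, {(switch, port): 'root'|'designated'|'blocking'})."""
    # Step 1: the root bridge has the lowest bridge ID (priority, then MAC).
    root = min(switches, key=lambda name: bridge_id(switches, name))
    cost = root_path_costs(switches, links, root)
    # Step 5 default: any port not chosen below is a blocking port.
    roles = {}
    for _, end_a, end_b, _ in links:
        roles[end_a] = roles[end_b] = "blocking"
    # Steps 2 and 4: one designated port per segment, the end with the lowest
    # (cost to root, bridge ID, port ID). The root's ports always win (cost 0).
    for _, (sw_a, port_a), (sw_b, port_b), _ in links:
        key_a = (cost[sw_a], bridge_id(switches, sw_a), port_id(port_a))
        key_b = (cost[sw_b], bridge_id(switches, sw_b), port_id(port_b))
        roles[(sw_a, port_a) if key_a < key_b else (sw_b, port_b)] = "designated"
    # Step 3: every non-root switch selects one root port: lowest cost to the
    # root, then the neighbour's bridge ID, then the neighbour's port ID and
    # finally the local port ID (the IEEE order for parallel links).
    for name in switches:
        if name == root:
            continue
        best = None
        for _, (sw_a, port_a), (sw_b, port_b), link_cost in links:
            if name == sw_a:
                local, nbr, nbr_port = port_a, sw_b, port_b
            elif name == sw_b:
                local, nbr, nbr_port = port_b, sw_a, port_a
            else:
                continue
            key = (cost[nbr] + link_cost, bridge_id(switches, nbr),
                   port_id(nbr_port), port_id(local))
            if best is None or key < best[0]:
                best = (key, local)
        roles[(name, best[1])] = "root"
    return root, roles


def with_priority(switches, name, priority):
    """Copy of the switch table with one switch's bridge priority changed."""
    changed = dict(switches)
    changed[name] = (priority, switches[name][1])
    return changed


def with_link_cost(links, link_id, cost):
    """Copy of the link list with one segment's cost changed."""
    return [(lid, a, b, cost if lid == link_id else c) for lid, a, b, c in links]


# Constructed topology: a square of four switches, all FastEthernet (cost 19).
SWITCHES = {"A": (DEFAULT_PRIORITY, "0000.0000.000a"),
            "B": (DEFAULT_PRIORITY, "0000.0000.000b"),
            "C": (DEFAULT_PRIORITY, "0000.0000.000c"),
            "D": (DEFAULT_PRIORITY, "0000.0000.000d")}
FE = IEEE_PORT_COST[100]
LINKS = [(1, ("A", "Fa0/1"), ("B", "Fa0/1"), FE),   # (segment, end 1, end 2, cost)
         (2, ("A", "Fa0/2"), ("C", "Fa0/1"), FE),
         (3, ("B", "Fa0/2"), ("D", "Fa0/1"), FE),
         (4, ("C", "Fa0/2"), ("D", "Fa0/2"), FE)]

if __name__ == "__main__":
    for label, sw, ln in [("defaults", SWITCHES, LINKS),
                          ("D priority 4096", with_priority(SWITCHES, "D", 4096), LINKS),
                          ("segment 1 cost 100", SWITCHES, with_link_cost(LINKS, 1, 100))]:
        root, roles = spanning_tree(sw, ln)
        print(label, "root =", root, sorted(roles.items()))
```

With equal priorities switch A (lowest MAC) is the root; D reaches it at cost 38 through either B or C and picks B because B has the lower bridge ID, so D's Fa0/2 blocks. Lowering D's priority makes D the root and moves every role; raising segment 1 to cost 100 pushes B's root port onto Fa0/2 and blocks B's Fa0/1, the same kind of effect the notes describe for their own diagram.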
Modifying the spanning tree mode if a mode other than Per-VLAN Spanning Tree Plus
(PVST+) is desired.
Changing the bridge priority to control which switch becomes the root bridge.
Designating edge ports (ports with no attached switches).
The following table lists commands you would use to configure spanning tree:
Use...                                                   To...
Switch(config)#spanning-tree mode pvst
    Set the spanning tree mode to PVST+ (the default mode).
Switch(config)#spanning-tree mode rapid-pvst
    Set the spanning tree mode to Rapid PVST+.
Switch(config)#spanning-tree mode mst
    Set the spanning tree mode to MST.
Switch(config)#spanning-tree vlan <1-4094> priority <0-61440>
    Manually set the bridge priority number.
Switch(config)#spanning-tree vlan <1-4094> root primary
    Make this switch the root bridge for the VLAN by lowering its priority below that of the
    current root bridge.
Switch(config)#spanning-tree vlan <1-4094> root secondary
    Make this switch the backup root bridge for the VLAN.
Switch(config)#no spanning-tree vlan <1-4094>
    Disable spanning tree on the selected VLAN.
Examples
The following command sets the bridge priority for VLAN 20:
Switch(config)#spanning-tree vlan 20 priority 4096
The following command configures this switch with a bridge priority of 4096 for VLAN 15 if the
existing root bridge has a priority of 8092:
Switch(config)#spanning-tree vlan 15 root primary
After finishing this section, you should be able to complete the following tasks:
201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP,
PVRST, MISTP).
202. Configure RSTP (PVRST) and MISTP.
STP Port State*     RSTP Port State     Description
Disabled            Discarding          A port in discarding state:
Blocking            Discarding
Listening           Discarding
Learning            Learning
Forwarding          Forwarding
In addition to the port roles, RSTP uses the port type to determine whether to use advanced features
that provide rapid convergence. These port types are:
Port Type          Description
Point-to-point
    A point-to-point link is a port that connects only to another switch.
Edge
    An edge port is a port with no attached switch.
    Because the edge port does not have a switch, the possibility of a loop is
    eliminated.
    Edge ports can be put into the forwarding state immediately.
    If the port receives a BPDU, it treats the port as a point-to-point or shared link.
When any RSTP port receives a legacy 802.1D BPDU, it falls back to legacy STP and the
inherent fast convergence benefits of 802.1w are lost.
The rapid convergence features of RSTP combined with PVST+ form Rapid PVST+. Rapid
PVST+ is one of the three STP modes available on Cisco switches.
An MSTP region is a group of interconnected bridges that have the same MSTP configuration. The
configuration includes the name of the region, the revision number, and the MSTP VLAN-to-instance
assignment map. There is no limit on the number of MSTP regions in the network. If you
connect two MSTP regions with different MSTP configurations, the MSTP regions do the
following:
Load balance across redundant paths in the network. If two MSTP regions are redundantly
connected, all traffic flows on a single connection with the MSTP regions in a network.
Provide an RSTP handshake to enable rapid connectivity between regions. However, the
handshaking is not as fast as between two bridges. To prevent loops, all the bridges inside
the region must agree upon the connections to other regions. This situation introduces a
delay.
The switch supports up to 65 MSTP instances. Instances can be identified by any number in
the range from 0 to 4094.
A VLAN assignment can be to only one spanning tree instance at a time.
MSTP instances are significant to the local region only and are independent of other MSTP
regions.
Instance 0, the Internal Spanning-Tree (IST), is reserved for interacting with other
Spanning-Tree Protocols and other MSTP regions. An IST instance is capable of
representing the entire MSTP region to external networks.
When the switch is in the MSTP mode, the Rapid Spanning Tree Protocol (RSTP) is
automatically enabled.
RSTP and MSTP Command List
The following table lists commands you would use to configure RSTP (RPVST+) and
MST:
Use...                                                   To...
Switch(config)#spanning-tree mode rapid-pvst
    Set the spanning tree mode to Rapid PVST+.
Switch(config)#spanning-tree mode mst
    Set the spanning tree mode to MST.
Switch(config)#spanning-tree vlan <1-4094> priority <0-61440>
    Manually set the bridge priority number for the VLAN.
Switch(config)#spanning-tree vlan <1-4094> root primary
    Make this switch the root bridge for the VLAN.
Switch(config)#spanning-tree vlan <1-4094> root secondary
    Make this switch the backup root bridge for the VLAN.
Switch(config)#spanning-tree mst configuration
    Enter MST configuration mode.
Switch(config-mst)#name <WORD>
    Set the name of the MST region.
Switch(config)#spanning-tree mst <instance id> root primary
    Make this switch the root bridge for the MST instance.
Switch(config)#spanning-tree mst <instance id> root secondary
    Make this switch the backup root bridge for the MST instance.
Examples
The following commands enable Rapid PVST+ for the switch and set the bridge priority to
a lower value than the default:
Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#spanning-tree vlan 1 priority 4096
The following commands create the Sales MSTP region, map VLANs 2, 5, and 10 to
instance 3, map VLANs 6, 7, and 8 to instance 4, and provide a revision number of 1 to the
region:
Switch(config)#spanning-tree mode mst
Switch(config)#spanning-tree mst configuration
Switch(config-mst)#name Sales
Switch(config-mst)#revision 1
Switch(config-mst)#instance 3 vlan 2,5,10
Switch(config-mst)#instance 4 vlan 6-8
Which optional STP feature helps to prevent loops on a port where Port Fast is enabled?
What will be the response if a switch receives a BPDU after being globally enabled with
BPDU guard?
What is the difference between globally-enabled BPDU filtering and per-port-enabled
BPDU filtering?
Which optional STP feature provides an alternate path back to the root bridge if the root
port or link goes down?
How does BackboneFast detect failures on indirect links or connections?
What happens when a switch sends a superior BPDU to a root guard enabled interface?
Which UDLD mode will make up to eight attempts before changing the port state to the errdisabled state?
After finishing this section, you should be able to complete the following tasks:
203. Describe and configure STP security mechanisms (i.e., BPDU Guard, BPDU Filtering,
Root Guard).
204. Configure and Verify UDLD and Loop Guard.
The following table describes the optional STP features:
Feature            Description
Port Fast
    Port Fast forces access or trunk ports to immediately transition to the spanning tree
    forwarding state. When ports do not have a switch or hub attached, bridging loops
    on that port are eliminated and therefore the port does not need to enter the spanning
    tree listening and learning states. Port Fast is globally enabled on the switch or
    per-interface.
    Note: Port Fast affects all VLANs on an interface.
BPDU guard
    BPDU guard disables (moves to the err-disable state) an interface when a BPDU is
    received on the interface. The BPDU guard feature should be configured in a
    service-provider network to prevent an access port from participating in the
    spanning tree. BPDU guard is globally enabled on the switch or per-interface:
    If globally enabled, BPDU guard applies to Port Fast-configured interfaces. Those
    interfaces are meant for workstations and servers, devices which do not generate BPDUs.
    If enabled on an interface, the interface is also configured to shut down if a
    BPDU is received. The difference is that the interface does not need to be
    Port Fast-enabled.
    Note: You must manually re-enable a port that is put into the err-disable state or
    configure errdisable-timeout.
BPDU filtering
    BPDU filtering keeps switches from sending and receiving BPDUs on
    interfaces. This keeps the workstation or server connected to the interface from
    receiving unnecessary traffic. BPDU filtering is globally enabled on the switch or
    per-interface:
UplinkFast
    UplinkFast enables a switch to maintain an alternate path back to the root bridge. If
    the root port or link goes down, the alternate port can be used to quickly re-establish
    communication with the root bridge. The alternate port transitions to the forwarding
    state immediately without going through the listening and learning states. Be aware
    of the following details:
    Note: UplinkFast is useful in network access layer switches with a limited number
    of active VLANs. UplinkFast should not be enabled on backbone or distribution
    layer switches.
BackboneFast
    BackboneFast detects failures on indirect links or connections in the core (or
    backbone) layer of a hierarchical network. Be aware of the following details:
    switch, causes the maximum aging time on the root port to expire,
    and becomes the root switch according to normal spanning-tree rules.
Root Guard
    Root guard secures the STP topology by forcing an interface to become a
    designated port to prevent surrounding switches from becoming a root switch during
    network anomalies (such as adding a new switch to the topology). Be aware of the
    following details:
Loop Guard
    Loop guard prevents alternate or root ports from becoming designated ports because
    of a failure that leads to a unidirectional link. A port in blocking state relies on the
    continuous reception of BPDUs from the root bridge. If the BPDUs are not received
    according to STP timers, STP assumes the topology is loop-free and will
    transition the port through the listening, learning, and forwarding states. If a
    non-designated port stops receiving BPDUs when loop guard is enabled, STP places the
    port into the loop-inconsistent state instead of moving through the listening,
    learning, and forwarding states.
    Be aware of the following details:
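A small model of the behaviour the Port Fast, BPDU guard and loop guard rows describe, added here as an example (not code from the original notes). The StpPort class, its method names and the port names and event sequences are constructed; the point is the contrast between a blocking port that silently walks to forwarding when BPDUs stop (the loop-forming failure mode on a unidirectional link) and the loop-inconsistent state that loop guard substitutes, and between an edge port with and without BPDU guard when a BPDU arrives.

```python
"""Model of how Port Fast, BPDU guard and loop guard change what a port does
when BPDUs arrive or stop arriving. Added example, not from the original
notes; the port names and event sequences are constructed."""


class StpPort:
    """One switch port with the optional STP protection features applied."""

    def __init__(self, name, role, portfast=False, bpduguard=False,
                 loopguard=False):
        self.name, self.role = name, role
        self.portfast_configured = portfast
        self.portfast = portfast          # operational edge status
        self.bpduguard, self.loopguard = bpduguard, loopguard
        # Port Fast ports skip listening/learning; designated ports forward;
        # a non-designated port that lost the election blocks.
        self.state = "forwarding" if portfast or role == "designated" else "blocking"
        self.history = [self.state]

    def _transition(self, *states):
        for state in states:
            self.state = state
            self.history.append(state)
        return self.state

    def receive_bpdu(self):
        """A BPDU arrives on the port (something with a switch behind it was
        plugged in). BPDU guard err-disables the port; without it an edge
        port only loses its Port Fast status and is treated as a normal link."""
        if self.bpduguard:
            return self._transition("err-disabled")
        self.portfast = False
        return self.state

    def bpdus_stop(self):
        """No BPDU arrives for max age on a non-designated port, as happens when
        the link goes unidirectional. Without loop guard STP assumes the topology
        is loop-free and walks the port to forwarding (the loop-forming failure
        mode); with loop guard the port goes loop-inconsistent instead."""
        if self.role == "designated" or self.state == "err-disabled":
            return self.state
        if self.loopguard:
            return self._transition("loop-inconsistent")
        return self._transition("listening", "learning", "forwarding")

    def errdisable_recover(self):
        """errdisable recovery (or a manual shutdown / no shutdown) returns an
        err-disabled port to its configured starting state."""
        if self.state != "err-disabled":
            return self.state
        self.portfast = self.portfast_configured
        return self._transition("forwarding" if self.portfast or self.role == "designated"
                                else "blocking")


if __name__ == "__main__":
    access = StpPort("Fa0/12", "designated", portfast=True, bpduguard=True)
    print(access.name, access.receive_bpdu(), access.errdisable_recover())
    uplink = StpPort("Gi0/1", "alternate", loopguard=True)
    print(uplink.name, uplink.bpdus_stop())
```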
UDLD Facts
Unidirectional Link Detection (UDLD) is a Layer 2 protocol which detects and may disable ports
when traffic transmitted by the local device over a link is received by the neighbor but traffic
transmitted from the neighbor is not received by the local device. This situation typically arises in
the case of a faulty Gigabit Interface Converter (GBIC) or interface, software malfunction,
hardware failure, or other anomalous behavior.
UDLD works with the Layer 1 mechanisms to learn the physical status of a link. At Layer 1,
auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that
auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down
misconnected ports. When you enable both auto-negotiation and UDLD, the Layer 1 and Layer 2
detections work together to prevent physical and logical unidirectional connections and the
malfunctioning of other protocols.
UDLD supports two modes of operation:
Mode            Description
Normal
    In normal mode, UDLD can detect unidirectional links due to misconnected ports on
    fiber-optic connections. The Layer 1 mechanisms do not detect this misconnection.
    While operating in normal mode:
Aggressive
    In aggressive mode, UDLD can also detect and disable unidirectional links due to one
    or both of the following:
The following table lists commands you would use to configure UDLD:
Use...                                                   To...
switch(config)#udld enable
    Enable UDLD in normal mode on all fiber-optic interfaces of the switch.
switch(config)#udld aggressive
    Enable UDLD in aggressive mode on all fiber-optic interfaces of the switch.
switch(config-if)#udld port
    Enable UDLD in normal mode on the interface, overriding the global
    configuration command.
switch(config-if)#udld port aggressive
    Enable UDLD in aggressive mode on the interface, overriding the global
    configuration command.
switch(config)#errdisable recovery cause udld
    Automatically recover interfaces that UDLD placed in the err-disabled state.
switch(config)#errdisable recovery interval <value>
    Set the time (in seconds) to wait before recovering an err-disabled interface.
switch#udld reset
    Reset all the ports that are shut down by UDLD and
    permit traffic to begin passing through them again.
switch#show udld
    Display the UDLD status of the interfaces.
When configuring the mode (normal or aggressive), make sure that the same mode is
configured on both sides of the link.
Globally enabling UDLD on the switch only affects fiber-optic ports. For twisted-pair ports,
UDLD must be configured on the interface.
The following table lists commands you would use to configure the optional STP features:
Use...                                                   To...
switch(config-if)#spanning-tree portfast
    Configure the Port Fast feature on a specific interface.
switch(config)#spanning-tree portfast default
    Enable Port Fast on all access (non-trunking) ports of the switch.
switch(config)#spanning-tree portfast bpdufilter default
    Globally enable BPDU filtering on Port Fast-enabled ports.
switch(config)#spanning-tree portfast bpduguard default
    Globally enable BPDU guard on Port Fast-enabled ports.
switch(config)#spanning-tree uplinkfast
    Enable UplinkFast on the switch.
switch(config)#spanning-tree backbonefast
    Enable BackboneFast on the switch.
switch(config)#spanning-tree loopguard default
    Globally enable loop guard on all point-to-point links.
Examples
The following commands enable Port Fast on two ports and globally enable BPDU guard:
Switch(config)#int fa0/12
Switch(config-if)#spanning-tree portfast
Switch(config-if)#int fa0/13
Switch(config-if)#spanning-tree portfast
Switch(config-if)#exit
Switch(config)#spanning-tree portfast bpduguard default
Which command displays whether Loopguard, UplinkFast, BPDU Filter, and BPDU Guard
are enabled?
How can you verify that spanning tree is working?
How can you determine the root bridge within a STP topology?
Where can you discover the root bridge's priority and MAC address?
After finishing this section, you should be able to complete the following tasks:
The following table lists commands you would use to verify spanning tree:
Use...                                                   To...
switch#show spanning-tree
    Show spanning tree configuration information including the following:
switch#show spanning-tree detail
    Show detailed spanning tree information for every VLAN and port.
switch#show spanning-tree interface <type> <number>
    Show the spanning tree state of a specific interface.
switch#show spanning-tree interface <type> <number> detail
    Show detailed spanning tree information for a specific interface.
switch#show spanning-tree summary
    Show a summary of port states and whether features such as Loopguard, UplinkFast,
    BPDU Filter, and BPDU Guard are enabled.
switch#show spanning-tree vlan <1-4094>
    Show spanning tree information for the selected VLAN.
switch#show spanning-tree vlan <1-4094> root
    Show the root bridge ID, including the priority number and the MAC address, for the
    selected VLAN.
Switch#show spanning-tree vlan <1-4094> bridge
    Show the local bridge ID for the selected VLAN.
switch#show spanning-tree backbonefast
    Show BackboneFast status.
switch#show spanning-tree uplinkfast
    Show UplinkFast status.
EtherChannel
As you study this section, answer the following questions:
What will happen to redundant links between switches when EtherChannel is configured?
What are the differences between LACP and PAgP?
When would you choose LACP over PAgP when configuring EtherChannel?
After finishing this section, you should be able to complete the following tasks:
EtherChannel Facts
EtherChannel combines multiple switch ports into a single, logical link between two switches. With
EtherChannel:
Cisco Catalyst switches use one of the following protocols for EtherChannel configuration:
Protocol           Description
PAgP (Port Aggregation Protocol, Cisco proprietary)
    Auto places the port into a passive negotiating state and forms an
    EtherChannel if the port receives PAgP packets. While in this mode, the
    port does not initiate the negotiation.
    Note: This is the default mode.
    Desirable places the port in a negotiating state to form an EtherChannel
    by sending PAgP packets. A channel is formed with another port group
    in either the auto or desirable mode.
LACP (Link Aggregation Control Protocol, IEEE 802.3ad)
    Passive places the port into a passive negotiating state and forms an
    EtherChannel if the port receives LACP packets. While in this mode, the
    port does not initiate the negotiation.
    Note: This is the default mode.
    Active places the port in a negotiating state to form an EtherChannel by
    sending LACP packets. A channel is formed with another port group in
    either the active or passive mode.
Note: An on mode forces a port to join an EtherChannel without negotiations. The on mode can be
useful if the remote device does not support PAgP or LACP. In the on mode, a usable
EtherChannel exists only when the switches at both ends of the link are configured in the on mode.
Be aware of the following EtherChannel details:
All ports in an EtherChannel must use the same protocol (PAgP or LACP).
All ports in an EtherChannel must have the same speed and duplex mode. LACP requires
that the ports operate only in full-duplex mode.
A port cannot belong to more than one channel group at the same time.
All ports in an EtherChannel must be configured to be in the same access VLAN
configuration or be configured as VLAN trunks with the same allowable VLAN list and the
same native VLAN.
All ports in an EtherChannel require the same trunk mode (i.e. ISL or IEEE 802.1Q) to
avoid unexpected results.
If you do not configure EtherChannel, the spanning tree algorithm will identify each link as
a redundant path to the other bridge and will put one of the ports in blocking state.
Do not try to configure more than 6 EtherChannels on the switch.
Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight
ports can be active, and up to eight ports can be in standby mode.
Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled by using the
shutdown interface configuration command is treated as a link failure, and its traffic is
transferred to one of the remaining ports in the EtherChannel.
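The negotiation rules (which mode pairs actually bundle) and the member-port requirements listed above, checked by a script added here as an example (not code from the original notes). The function names channel_forms, member and bundle_problems, the port records and the vlan_config tuple layout are constructed; a mismatch caught by bundle_problems before the ports are bundled is what keeps spanning tree from seeing the links as separate redundant paths and blocking one.

```python
"""EtherChannel negotiation and member-port consistency checks.
Added example, not from the original notes; the member port records built
by member() below are constructed for illustration."""

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"passive", "active"}


def channel_forms(mode_a, mode_b):
    """True when the channel-group modes on the two ends negotiate a channel.

    Only desirable (PAgP) and active (LACP) initiate negotiation; auto and
    passive only answer, so two non-initiating ends never bundle. 'on' skips
    negotiation entirely and only pairs with 'on'.
    """
    modes = {mode_a, mode_b}
    if "on" in modes:
        return modes == {"on"}
    if modes <= PAGP_MODES:
        return "desirable" in modes
    if modes <= LACP_MODES:
        return "active" in modes
    return False  # PAgP on one end and LACP on the other, or an unknown mode


def member(name, protocol="lacp", speed=1000, duplex="full",
           vlan_config=("trunk", 1, "1-4094"), enabled=True):
    """Constructed member-port record. vlan_config is ('access', vlan) or
    ('trunk', native vlan, allowed vlan list), so ports only match when the
    whole VLAN configuration matches, as the notes require."""
    return {"name": name, "protocol": protocol, "speed": speed,
            "duplex": duplex, "vlan_config": vlan_config, "enabled": enabled}


def bundle_problems(ports):
    """List every reason the ports cannot form one EtherChannel, following the
    requirements in the notes. An empty list means the bundle is consistent."""
    problems = []
    first = ports[0]
    for key in ("protocol", "speed", "duplex", "vlan_config"):
        if any(p[key] != first[key] for p in ports):
            problems.append(f"member ports differ in {key}")
    if first["protocol"] == "lacp":
        if any(p["duplex"] != "full" for p in ports):
            problems.append("LACP requires full duplex on every member port")
        if len(ports) > 16:
            problems.append("an LACP EtherChannel allows at most 16 ports")
    for p in ports:
        if not p["enabled"]:
            problems.append(f"{p['name']} is shut down and is treated as a link failure")
    return problems


if __name__ == "__main__":
    print("desirable/auto:", channel_forms("desirable", "auto"))
    print("passive/passive:", channel_forms("passive", "passive"))
    print(bundle_problems([member("Gi0/1"), member("Gi0/2", duplex="half")]))
```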
EtherChannel Command List
The following table shows common commands to configure EtherChannel.
Use...                                                   To...
Switch(config-if)#channel-protocol lacp
    Restrict the interface to LACP negotiation.
Switch(config-if)#channel-protocol pagp
    Restrict the interface to PAgP negotiation.
Switch(config-if)#channel-group <1-8> mode auto
    Add the interface to the channel group in PAgP auto mode (wait for PAgP packets).
Switch(config-if)#channel-group <1-8> mode desirable
    Add the interface to the channel group in PAgP desirable mode (send PAgP packets).
Switch(config-if)#channel-group <1-8> mode active
    Add the interface to the channel group in LACP active mode (send LACP packets).
Switch(config-if)#channel-group <1-8> mode passive
    Add the interface to the channel group in LACP passive mode (wait for LACP packets).
Switch(config-if)#channel-group <1-8> mode on
    Add the interface to the channel group without negotiation.
Switch#show etherchannel
    Display EtherChannel information for the switch.
Note: Each channel group has its own number. All ports assigned to the same channel group
will be viewed as a single logical link.
Examples
The following commands configure GigabitEthernet 0/1 and 0/2 interfaces to actively
initiate the negotiation of an EtherChannel with the PAgP protocol and with a channel
group of 5:
Switch>ena
Switch#conf t
Switch(config)#int range gi 0/1 - 2
Switch(config-if-range)#channel-protocol pagp
Switch(config-if-range)#channel-group 5 mode desirable
The following commands configure FastEthernet 0/1 through 0/4 interfaces to form an
EtherChannel with the LACP protocol only if the other device actively initiates the
EtherChannel connection:
Switch>ena
Switch#conf t
Switch(config)#int range fa 0/1 - 4
Switch(config-if-range)#channel-protocol lacp
Switch(config-if-range)#channel-group 3 mode passive
Switch(config-if-range)#duplex full
Inter-VLAN Routing
As you study this section, answer the following questions:
301. Explain and configure Inter-VLAN routing (i.e., SVI and routed ports).
302. Explain and enable CEF operation.
Router
    A router (or a group of routers) is capable of inter-VLAN routing. Either two or more
    interfaces or a single interface can be used to communicate between the VLANs. When a
    single physical interface is used, it must be divided into two logical interfaces called
    subinterfaces. This configuration is also called a router on a stick. In each case, the
    router interfaces are connected to switch trunk ports. The router interfaces or
    subinterfaces must be running a trunking protocol (either ISL or 802.1Q).
Multilayer switch
    A multilayer switch is a switch which can have the interfaces configured for Layer 2 and
    Layer 3 functionality. Layer 3 (logical) switch interfaces are configured as one of the
    following:
Cisco routers and Layer 3 switches can be configured to forward DHCP requests when clients try to
locate or communicate with DHCP servers. To enable the DHCP relay agent feature, use the ip
helper-address command on the client VLAN interfaces (for SVIs) and subinterfaces (for router
on a stick). The ip helper-address command not only forwards DHCP requests, but also forwards
TFTP, DNS, Time, NetBIOS name server, and BOOTP packets by default.
MLS Facts
Multi-Layer Switching (MLS) combines Layer 2, 3, and 4 switching technologies to provide high-speed packet rewriting and forwarding. Another name for traditional MLS is NetFlow-based
switching. The major difference between the packet switching operation of a router and that of a
Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes
place using a microprocessor, whereas a Layer 3 switch uses Application-Specific Integrated
Circuit (ASIC) hardware. This is known as hardware-based packet switching.
Multi-layer switching can move traffic at wire speed and also provide Layer 3 routing, which can
remove the bottleneck from the network routers. This technology is based on the idea of route once,
switch many. Multi-layer switching can make routing and switching decisions based on the
following:
Forwarding Information Base (FIB)
    The FIB is built from the routing table and holds the Layer 3 prefixes used for hardware
    forwarding; together with the adjacency table it is downloaded to the data plane (see the
    CEF-based MLS details below).
CEF-based MLS scales to large networks and is not limited on the number of traffic flows.
CEF-based MLS is the default on all Cisco multilayer switches that support CEF.
CEF-based MLS is topology-based. The control plane downloads the routing table
information (i.e. FIB and adjacency table) to the data plane for hardware switching.
CEF-based MLS uses either centralized switching or distributed switching. Distributed
switching provides higher performance than centralized switching.
Switches use Ternary Content Addressable Memory (TCAM) and other hardware-switching
components not only for CEF but also for applying Quality of Service (QoS) and access
lists to packets routed and switched using hardware switching.
The following commands enable CEF (ip cef is a global configuration command) and view a brief
display of all FIB entries:
Switch(config)#ip cef
Switch(config)#end
Switch#show ip cef
Why shouldn't you set up an IP address on a router's subinterface for an inter-VLAN routing
configuration?
How does a router know which subinterface to use within inter-VLAN routing?
How do you display the networks connected to a Layer 3 switch?
When does a Layer 2 switch need a default gateway IP address?
After finishing this section, you should be able to complete the following tasks:
301. Explain and configure Inter-VLAN routing (i.e., SVI and routed ports).
302. Explain and enable CEF operation.
303. Verify or troubleshoot Inter-VLAN routing configurations.
The following table lists commands you would use to configure and verify inter-VLAN routing:
Use...                                                   To...
Router(config-if)#no shutdown
    Enable the interface.
Router(config)#interface <type> <number>.<subinterface-id>
    Create a subinterface and enter the subinterface configuration mode for a
    router-on-a-stick configuration.
Router(config-subif)#encapsulation dot1Q <vlan-id>
Router(config-subif)#encapsulation isl <vlan-id>
    Set the trunking encapsulation method for the VLAN on the subinterface for a
    router-on-a-stick configuration.
    Note: Only some switches support ISL encapsulation. You need to configure the
    router with the supported trunking encapsulation.
Router(config-subif)#encapsulation dot1Q <vlan-id> native
    Configure the VLAN that is sending and receiving untagged traffic on the trunk
    port when the interface is in 802.1Q trunking.
Switch(config)#ip routing
    Enable IP routing on the multilayer switch for an SVI configuration.
Switch(config)#vlan <id>
    Create a VLAN in the VLAN database and enter the VLAN configuration mode.
Switch(config)#router <protocol>
    Enable a specified routing protocol on the multilayer switch for an SVI configuration.
Switch(config)#interface vlan <id>
    Enter VLAN interface configuration mode for the specified VLAN for an SVI
    configuration.
Switch(config-if)#ip address <address> <subnet mask>
    Specify an IP address and subnet mask on the VLAN interface for an SVI configuration.
Switch(config-if)#no shutdown
    Enable the VLAN interface.
Switch(config-if)#ip helper-address <address>
    Forward DHCP requests (and the other broadcasts listed above) received on the interface
    to the specified server.
Switch#show running-config
    Display the running configuration, including the SVIs or subinterfaces.
Switch#ping a.b.c.d
    Test connectivity to the hosts, VLAN interfaces, and VLAN subinterfaces.
Switch#show ip route
    Display the routing table, including the networks connected to the Layer 3 switch.
Switch#show ip protocols
    Display information about the routing protocols that are enabled on the switch or
    router.
Switch#show ip cef
    Display brief information of all FIB entries.
Switch#show ip adjacency
    Verify that an adjacency exists for a connected device, that the adjacency is valid,
    and that the MAC header rewrite string is correct. The information displayed by the
    show adjacency commands includes the following:
        Protocol
        Interface
        Type of routed protocol traffic using this adjacency
        Next hop address
Examples
The following commands configure a router with a single interface (a router-on-a-stick
configuration) to perform inter-VLAN routing for VLAN 1 and VLAN 20:
Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config-if)#no ip address
Router(config-if)#interface fa0/1.1
Router(config-subif)#description subinterface for VLAN 1
Router(config-subif)#encapsulation dot1Q 1
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#interface fa0/1.20
Router(config-subif)#description subinterface for VLAN 20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.2.1 255.255.255.0
The following commands configure a Switch Virtual Interface (SVI) to perform inter-VLAN
routing for VLAN 1 and VLAN 12 on a multilayer switch when the VLANs already exist in the
VLAN database:
Switch(config)#ip routing
Switch(config)#router rip
Switch(config-router)#interface vlan 1
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 12
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Switch(config-if)#no shutdown
After finishing this section, you should be able to complete the following tasks:
The following table describes important information shown in the command output (show ip
route):
Component          Description
Route type
    The first characters of a routing table entry identify the source or type of the route.
    All SVIs are shown as directly connected, because the switch treats each interface as a
    physical link through which it can route traffic.
Network
    Following the route type is the network address and subnet mask. This identifies the
    specific subnet address for the route.
VLAN ID
    The VLAN ID indicates which VLAN interface is associated with the IP route. In the
    example above, VLAN 1 and VLAN 2 are configured with SVIs.
The following is a portion of the output generated from the show run command and a table
describing the associated fields relating to inter-VLAN routing on a Layer 3 switch.
output omitted
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
Field                Description
VLAN Interface ID
    This is the VLAN ID found in the VLAN database.
IP address
    This is the IP address of the Switch Virtual Interface (SVI). An IP address and subnet
    mask must be assigned to the interface before inter-VLAN routing can occur.
Enabled
    The shutdown and no shutdown commands disable and enable the interface. In the
    example above, the omission of the shutdown command on the VLAN 10 interface
    indicates that the SVI is enabled and routing may occur through the SVI.
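The three fields in the table, pulled out of show running-config text by a parser added here as an example (not code from the original notes). The configuration text reuses the two interfaces shown above and adds one constructed SVI (Vlan30) with no address; the function names parse_svis and routable_svis are assumptions. It shows why an SVI needs both an address and no shutdown before routing can use it.

```python
"""Parse the SVI blocks of show running-config output into the fields the
table above describes. Added example, not from the original notes: the
configuration text reuses the two interfaces shown above plus one constructed
SVI (Vlan30) without an address."""
import re

RUNNING_CONFIG = """\
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
interface Vlan30
 no ip address
!
"""

SVI_HEADER = re.compile(r"^interface Vlan(\d+)\s*$", re.IGNORECASE)
IP_ADDRESS = re.compile(r"^ip address (\S+) (\S+)$")


def parse_svis(config_text):
    """Return one dict per SVI: vlan, ip, mask and whether it is enabled.
    IOS indents an interface's sub-commands by one space; any unindented
    line (including the '!' separator) ends the current block."""
    svis, current = [], None
    for raw in config_text.splitlines():
        header = SVI_HEADER.match(raw)
        if header:
            current = {"vlan": int(header.group(1)), "ip": None,
                       "mask": None, "enabled": True}
            svis.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None
            continue
        line = raw.strip()
        addr = IP_ADDRESS.match(line)
        if addr:
            current["ip"], current["mask"] = addr.groups()
        elif line == "shutdown":
            current["enabled"] = False  # an explicit shutdown disables the SVI
    return svis


def routable_svis(svis):
    """VLAN IDs whose SVI has an address and is enabled, i.e. the ones
    inter-VLAN routing can actually use."""
    return [s["vlan"] for s in svis if s["ip"] and s["enabled"]]


if __name__ == "__main__":
    for svi in parse_svis(RUNNING_CONFIG):
        print(svi)
    print("routable:", routable_svis(parse_svis(RUNNING_CONFIG)))
```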
Gateway Redundancy
As you study this section, answer the following questions:
How does a virtual router help to protect against single point of failure?
If there are three routers in a HSRP group, how many virtual IP addresses would be
assigned to that group of routers?
What are the main differences between HSRP and VRRP, and are they compatible?
What is the maximum number of routers that can act as active IP default gateways in a
GLBP group?
If there are two routers in a GLBP group, how many virtual MAC addresses are assigned to
routers in that group?
401. Explain the functions and operations of gateway redundancy protocols (i.e., HSRP,
VRRP, and GLBP).
Role                         Description
Active Router
    The active router forwards the packets sent to the virtual router's IP and MAC address.
Standby Router
    A standby router which will become the active router should the existing active router
    fail (see the illustration below).
Virtual Router
    A virtual router which is not an actual router. It is a concept of the entire HSRP group
    acting as one virtual router. It is assigned its own IP address and MAC address;
    however, the active router acting as the virtual router actually forwards the packets.
Additional HSRP member routers
    Additional HSRP member routers are neither active nor standby, but they are configured
    to participate in the same HSRP group. These routers forward any packets addressed to
    their assigned interface IP addresses but do not forward packets destined for the virtual
    router because they are not the active router.
Initial is the starting state of HSRP. All routers begin in this state. This state indicates that
HSRP is not yet fully operational.
Learn is when the router has not determined the virtual IP address and has not yet received
a hello message from the active router.
Listen is when the router knows the virtual IP address, but is neither the active router nor the
standby router. This is the state for additional HSRP member routers. The router in this state
listens for hello messages, participating only if the holdtime expires.
Speak is when the routers in the HSRP group are in the election process for the active and
standby routers.
Standby is when the HSRP router is a candidate to become the next active router and sends
periodic hello messages to inform other routers in the HSRP group of its status.
Active is when the router forwards packets assigned to the virtual MAC and IP address of
the HSRP group. It also sends periodic hello messages to inform other routers in the HSRP
group of its status.
Message          Description
Hello
    The active router assumes and maintains its role through the use of hello messages. When
    the active router fails, the other HSRP routers stop receiving the hello messages. The
    standby router assumes the role of active router when the holdtime expires. The holdtime
    is the time between the receipt of a hello message and the presumption that the sending
    router has failed. HSRP timer details include the following:
    The hello timer defaults to 3 seconds and the holdtime to 10 seconds.
    Both timers can be configured with an msec parameter for faster failover times.
    Note: All routers in the HSRP group should use the same timer values.
Coup
    A coup message is sent by a standby router which wants to assume the function of the
    active router.
Resign
    The active router sends the resign message when it is about to shut down or when a router
    that has a higher priority sends a hello or coup message.
On a per-group basis, the HSRP router can be configured with a priority value. The default is 100,
and the value can range from 0 to 255. The router with the highest priority becomes the active router
if it initializes first.
Note: If several routers have the same priority, the physical IP address of the router's interface
is used as the tie-breaker. The router with the highest IP address becomes the active router.
A preemption configuration forces a specific router to be the active router if it has the highest
priority for the group. If the router configured for preemption fails, the standby router becomes
the active router. If that router regains service, it becomes the active router again. Be aware of
the following details:
o If preemption is not enabled, the standby router that takes over for a failed router remains the
active router even if the former active router regains service.
o If preemption is enabled, the former active router regains the active role immediately after it
receives a hello message from a lower-priority active router: it sends a coup message. When the
lower-priority active router receives a coup message from a higher-priority router, it changes to
the Speak state and sends a resign message.
Note: The transition through HSRP states is displayed with the debug standby EXEC
command.
The virtual MAC address is XXXX.XX07.ACxx. The first six hexadecimal digits (XXXX.XX) represent the
vendor code. The last two digits (xx) represent the HSRP group number in hexadecimal. For example,
the virtual MAC address for HSRP group 79 would be XXXX.XX07.AC4F.
If a host sends an ARP request with the virtual router's IP address, the active router will
return the virtual router's MAC address.
One or more HSRP groups need to be configured for each VLAN or subnet. HSRP is not
configured globally.
Using the VLAN ID as the HSRP group number makes troubleshooting easier. However,
the group number is limited to a value between 0 and 255.
To configure HSRP load sharing, configure at least two routers to participate in two HSRP
groups.
o Configure the first router to serve as the active router for the first HSRP group and
the backup router for the second HSRP group.
o Configure the second router to serve as the active router for the second HSRP group
and the backup router for the first HSRP group.
An HSRP tracking feature monitors the active router's interface that is used to forward
traffic from the hosts. If that interface goes down, the priority of the HSRP group is reduced
to allow the HSRP standby router to become the active router.
o The HSRP group priority of the active router is decreased by 10 by default, but can
be configured. Careful planning of standby priorities for all routers is needed to
ensure that the HSRP standby tracking feature lowers priorities enough for standby
routers to take active roles.
o If preemption is not enabled on the standby router, it will not send a coup message to become
the active router for the group.
When configuring routers in the HSRP group, at least one router in the group must be
configured with the virtual IP address. Other routers in the group will learn the virtual IP
address because it is forwarded in the hello messages.
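The election rules above (priority, interface-IP tie-break, preemption with coup and resign, and interface tracking) as a small Python model. This is an added example, not code from the notes: the router names, addresses and event sequence are constructed, and 0000.0C is assumed as the vendor code the page shows as XXXX.XX.

```python
# Added example: model of the HSRP active-router election rules (not from the notes).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                    # physical interface address, the tie-breaker
    priority: int = 100        # configured priority, 0-255 (default 100)
    preempt: bool = False      # standby preempt configured?
    track_decrement: int = 10  # decrement applied while the tracked interface is down
    tracked_up: bool = True    # state of the tracked interface
    up: bool = True            # is the router itself running?

    @property
    def effective_priority(self) -> int:
        """Operating priority: configured value minus the tracking decrement."""
        return self.priority - (0 if self.tracked_up else self.track_decrement)

    def election_key(self) -> Tuple[int, int]:
        """Highest priority wins; equal priorities are broken by the highest IP."""
        return (self.effective_priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, group: int, routers: List[HsrpRouter]) -> None:
        self.group = group
        self.routers: Dict[str, HsrpRouter] = {r.name: r for r in routers}
        self.active: Optional[str] = None

    def _best(self) -> Optional[HsrpRouter]:
        live = [r for r in self.routers.values() if r.up]
        return max(live, key=HsrpRouter.election_key) if live else None

    def elect(self) -> Optional[str]:
        """Initial election: all routers are in the Speak state at the same time."""
        best = self._best()
        self.active = best.name if best else None
        return self.active

    def _maybe_preempt(self) -> None:
        """A router with preempt enabled and a higher effective priority than the active
        router sends a coup and the active router resigns; without preempt, no coup."""
        if self.active is None:
            return
        current = self.routers[self.active].effective_priority
        for r in self.routers.values():
            if (r.up and r.preempt and r.name != self.active
                    and r.effective_priority > current):
                self.active = r.name
                return

    def fail(self, name: str) -> None:
        """Hellos stop; when the holdtime expires the standby takes over."""
        self.routers[name].up = False
        if self.active == name:
            self.elect()

    def recover(self, name: str) -> None:
        """A failed router returns; it regains the active role only by preempting."""
        self.routers[name].up = True
        self._maybe_preempt()

    def track(self, name: str, interface_up: bool) -> None:
        """Interface tracking changes the operating priority; re-check preemption."""
        self.routers[name].tracked_up = interface_up
        self._maybe_preempt()


def hsrp_virtual_mac(group: int, vendor_code: str = "0000.0C") -> str:
    """Virtual MAC XXXX.XX07.ACxx. 0000.0C is the well-known Cisco vendor code
    (an assumption; the notes show it as XXXX.XX)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"{vendor_code}07.AC{group:02X}"


def demo() -> List[Optional[str]]:
    """Constructed scenario; returns the active router after each event."""
    a = HsrpRouter("RouterA", "10.0.1.2", priority=110, preempt=True)
    b = HsrpRouter("RouterB", "10.0.1.3", priority=100, preempt=True)
    c = HsrpRouter("RouterC", "10.0.1.4", priority=100)
    g = HsrpGroup(10, [a, b, c])
    trail = [g.elect()]                 # RouterA: highest priority
    g.fail("RouterA")
    trail.append(g.active)              # RouterC: tie at 100, higher interface IP
    g.recover("RouterA")
    trail.append(g.active)              # RouterA: preempt enabled, 110 > 100
    g.track("RouterA", False)
    trail.append(g.active)              # 110 - 10 = 100: nobody is higher, A stays
    a.track_decrement = 20              # plan the decrement so a standby can win
    g.track("RouterA", False)
    trail.append(g.active)              # 90 < 100: RouterB (preempt) sends a coup
    g.track("RouterA", True)
    trail.append(g.active)              # back to 110: RouterA coups again
    return trail
```

The fourth step shows why the notes call for careful planning of standby priorities: the default decrement of 10 leaves RouterA level with the standby, so no coup is sent.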
The physical router that is currently forwarding data on behalf of the virtual router is called
the master router.
Physical routers standing by to take over from the master router are called backup routers.
Backup routers do not send advertisements like standby routers do in an HSRP group.
Values used to determine the VRRP priority range from 1 to 254. The default priority value is 100.
If the configured virtual IP address is the same IP address as the router's physical interface,
the router is known as the IP address owner and becomes the master router.
Similar to HSRP, preemption allows a failed router to return as the VRRP master router if it
has the highest priority for the VRRP group. However, in VRRP, an IP address owner of the
VRRP group will always preempt.
Each router in the VRRP group must be configured with the virtual IP address.
In the illustration below, if the VRRP virtual IP address is 10.0.1.1, then RouterA is the IP address
owner and serves as the master router. RouterB and RouterC would be backup routers.
The advertisement interval is the interval between when the advertisements are sent. The
default is 1 second and can be configured.
The master-down interval is the time for a backup to declare the master is down. The master-down
interval cannot be configured directly, but is calculated as three times the value of the
advertisement interval.
The virtual MAC address is 0000.5E00.01xx. The last two values (xx) are the Virtual Router
IDentifier (VRID) and represent the VRRP group number in hexadecimal.
HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the
routing table in any way.
Routers in a GLBP group elect one gateway to be the Active Virtual Gateway (AVG) for
that group.
o The AVG assigns a virtual MAC address to each router of the GLBP group.
o The AVG is responsible for answering Address Resolution Protocol (ARP) requests
for the virtual IP address.
o Load balancing is achieved by the AVG replying to the host's ARP requests with
different virtual MAC addresses.
A GLBP group can have up to four member routers acting as IP default gateways. The
gateways are known as Active Virtual Forwarders (AVFs). Each AVF assumes
responsibility for forwarding packets sent to the virtual MAC address assigned to it by the
AVG.
o A virtual forwarder that is assigned a virtual MAC address by the AVG is known as
a primary virtual forwarder.
o A virtual forwarder that has learned the virtual MAC address (from hello messages)
is referred to as a secondary virtual forwarder.
o An AVG can assign itself with a MAC address, and assume the responsibilities of
the AVF as well.
GLBP operates virtual gateway redundancy in the same way as HSRP. The gateway with
the highest priority for the group is elected as the AVG, another gateway is elected as the
standby virtual gateway, and the remaining gateways are placed in a listen state. If an AVG
fails, the standby virtual gateway will assume responsibility for the virtual IP address. A
new standby virtual gateway is then elected from the gateways in the listen state.
Round-robin: In the round-robin scheme, when a host sends an ARP request, the AVG returns a virtual
MAC address based on its table of MAC addresses assigned to AVFs. When another host sends an ARP
request, the AVG replies with the next MAC address in its table, and so on.
Note: This is the default method.
Weighted: In the weighted scheme, the AVF advertises how much traffic the interface can handle to
the AVG. The AVG then directs traffic according to the advertised amounts.
o Initial weighting values can be set and optional thresholds specified. Interface states can be
tracked and a decrement value set to reduce the weighting value if the interface goes down.
o When the GLBP router weighting drops below a specified value, the router will no longer be an
active virtual forwarder.
o When the weighting rises above a specified value, the router can resume its role as an active
virtual forwarder.
Host-dependent: In the host-dependent scheme, the host will always use the same virtual MAC address
and same VFG (as long as that address and gateway are participating in the GLBP group).
Be aware of the following details:
GLBP members communicate with each other through hello messages sent every 3 seconds.
Group numbers range from 0-1023.
AVG states match the HSRP active router states.
The default gateway on each host device must be configured as the GLBP group's virtual IP
address.
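An added Python model (not code from the notes) of how the AVG hands out AVF virtual MACs under the round-robin, host-dependent and weighted schemes, and how the weighting thresholds remove and restore an AVF. Router names, host MACs, weights and thresholds are constructed; the 0007.b400.GGFF virtual MAC layout (GG = group, FF = forwarder number) follows the show glbp output later in these notes.

```python
# Added example: GLBP load balancing as seen from the AVG (not from the notes).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Forwarder:
    router: str
    number: int           # forwarder number 1-4
    weight: int = 100     # advertised weighting
    lower: int = 1        # below this threshold the router stops being an AVF
    upper: int = 100      # above this threshold the router may be an AVF again
    active: bool = True
    credit: int = 0       # scheduling state for the weighted scheme

    def update_weight(self, weight: int) -> bool:
        """Apply a new weighting (for example after a tracked object fails) and
        re-evaluate AVF eligibility with hysteresis between the two thresholds."""
        self.weight = weight
        if self.active and weight < self.lower:
            self.active = False
        elif not self.active and weight > self.upper:
            self.active = True
        return self.active


class Avg:
    """Active virtual gateway: owns the virtual IP and answers ARP requests for it."""
    METHODS = ("round-robin", "host-dependent", "weighted")

    def __init__(self, group: int, method: str, forwarders: List[Forwarder]) -> None:
        if not 0 <= group <= 1023:
            raise ValueError("GLBP group number must be 0-1023")
        if method not in self.METHODS:
            raise ValueError(f"unknown load-balancing method {method}")
        if not 1 <= len(forwarders) <= 4:
            raise ValueError("a GLBP group has 1 to 4 forwarders")
        self.group, self.method, self.forwarders = group, method, forwarders
        self._next = 0                        # round-robin position
        self._host_map: Dict[str, str] = {}   # host MAC -> virtual MAC (host-dependent)

    def virtual_mac(self, f: Forwarder) -> str:
        return f"0007.b400.{self.group:02x}{f.number:02x}"

    def arp_reply(self, host_mac: str) -> Optional[str]:
        """Virtual MAC returned to a host that ARPs for the group's virtual IP."""
        avfs = [f for f in self.forwarders if f.active]
        if not avfs:
            return None
        if self.method == "round-robin":
            chosen = avfs[self._next % len(avfs)]
            self._next += 1
        elif self.method == "host-dependent":
            known = self._host_map.get(host_mac)
            if known in {self.virtual_mac(f) for f in avfs}:
                return known   # same host, same AVF, while that AVF still participates
            chosen = avfs[int(host_mac.replace(".", ""), 16) % len(avfs)]
            self._host_map[host_mac] = self.virtual_mac(chosen)
        else:  # weighted: smooth weighted round-robin, replies in proportion to weight
            for f in avfs:
                f.credit += f.weight
            chosen = max(avfs, key=lambda f: f.credit)
            chosen.credit -= sum(f.weight for f in avfs)
        return self.virtual_mac(chosen)


def demo() -> Dict[str, list]:
    """Constructed scenario: the three methods, then a weighting drop and recovery."""
    def pair() -> List[Forwarder]:
        return [Forwarder("RouterA", 1, weight=100, lower=30, upper=70),
                Forwarder("RouterB", 2, weight=50, lower=30, upper=70)]
    hosts = ["0011.2233.4401", "0011.2233.4402", "0011.2233.4403"]
    out: Dict[str, list] = {}
    rr = Avg(7, "round-robin", pair())
    out["round-robin"] = [rr.arp_reply(h) for h in hosts]
    hd = Avg(7, "host-dependent", pair())
    out["host-dependent"] = [hd.arp_reply(h) for h in (hosts[0], hosts[1], hosts[0])]
    wf = pair()
    wt = Avg(7, "weighted", wf)
    out["weighted"] = [wt.arp_reply(h) for h in hosts * 2]   # about 2:1 in RouterA's favour
    # RouterB's tracked object fails: 20 < lower 30 removes it; 60 is not above upper 70
    out["thresholds"] = [wf[1].update_weight(20), wf[1].update_weight(60)]
    out["degraded"] = [wt.arp_reply(h) for h in hosts]       # only RouterA answers now
    out["thresholds"].append(wf[1].update_weight(80))        # above upper: back in service
    return out
```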
HSRP Configuration
As you study this section, answer the following questions:
Which router in a HSRP group will be the active router if all the routers in a HSRP group
are assigned the same priority?
What is the function of preemption?
What is interface tracking and how does it affect the HSRP priority value?
How many routers in a HSRP group need to be configured with the virtual IP address?
When does a router in a HSRP group send a coup message?
How is the HSRP group number identified in the virtual MAC address?
After finishing this section, you should be able to complete the following tasks:
Use...
To...
Enter interface configuration mode and enable HSRP with a group number.
Configure HSRP authentication:
o Specifying 0 means the key value is unencrypted.
o Specifying 7 means the key value is encrypted.
o The keystring authentication key is automatically encrypted if the service password-encryption
global configuration command is enabled.
Note: If you configure authentication, all routers within the HSRP group must use the same
authentication string.
Router#show standby
Router#debug standby: Display the transmission and receipt of Hot Standby Protocol packets. Use
this command to determine whether hot standby routers recognize one another and take the proper
actions.
Examples
The following table provides example gateway redundancy configurations and descriptions:
VRRP Configuration
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Use...
To...
Enable a VRRP group with a specified group number and a virtual IP address.
Configure the VRRP advertisement interval.
Router#show vrrp: Display the status of the configured interfaces.
Examples
The following command set configures a VRRP group on VLAN 7, a virtual address of
10.0.1.1, a priority of 110, and preemption:
RouterA>ena
RouterA#conf t
RouterA(config)#interface vlan 7
RouterA(config-if)#vrrp 7 ip 10.0.1.1
RouterA(config-if)#vrrp 7 priority 110
RouterA(config-if)#vrrp 7 preempt
GLBP Configuration
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Configure two routers in a GLBP group to form a virtual default gateway, and implement a
load balancing method.
Use...
To...
Router(config-if)#glbp <0-1023> ip: Enable a GLBP group with a specified group number.
Configure the interface of a member of the virtual group with the identified virtual IP address.
Configure the priority of the configured router (same as HSRP).
Configure an interface to be tracked.
o The line-protocol keyword tracks whether the interface is up.
o The ip routing keywords also check that IP routing is enabled on the interface, and an IP
address is configured.
Configure GLBP weighting values:
o Specify the initial weighting value, and the upper and lower thresholds.
o Specify an object to be tracked and specify a weighting reduction of a GLBP gateway when a
tracked object fails.
Router#show glbp
Examples
The following command set configures a GLBP group on VLAN 7, a virtual address of 10.0.2.1, a
priority of 110, and host-dependent load balancing:
Router(config)#interface vlan 7
Router(config-if)#glbp 7 ip 10.0.2.1
Router(config-if)#glbp 7 priority 110
Router(config-if)#glbp 7 load-balancing host-dependent
How can you tell when an interface is participating in a gateway redundancy configuration?
How does the tracking feature affect a gateway redundancy configuration?
Which commands allow you to verify a HSRP gateway redundancy configuration?
After finishing this section, you should be able to complete the following tasks:
The following table describes important information shown in the command output:
Component: Description
Interface type and group number: Interface type and number and Hot Standby group number for the
interface.
State is: This is the current state of the local router. It can be one of the HSRP states
described earlier (Initial, Learn, Listen, Speak, Standby, or Active). HSRP groups configured on
other routers on the network that are learned via snooping are displayed as being in the Init
state. Locally configured groups with an interface that is down or groups without a specified
interface IP address appear in the Init state. For these cases, the Active addr and Standby addr
fields will show "unknown."
Note: The state is listed as disabled in the fields when the standby ip command has not been
specified.
Virtual IP address is
Active virtual MAC address: Virtual MAC address being used by the current active router. The last
two digits are the HSRP group number in hexadecimal format.
Local virtual MAC address: Virtual MAC address that would be used if this router became the active
router.
Hello time, hold time: The hello time is the time between hello packets (in seconds) based on the
standby timers command. The hold time is the time (in seconds) before other routers declare the
active or standby router to be down, based on the standby timers command.
Next hello sent in: Time at which the Cisco IOS software will send the next hello packet (in
hours:minutes:seconds format).
Preemption enabled
Active router is: This can be "local," "unknown," or an IP address. Address (and the expiration
date of the address) of the current active Hot Standby router. In the example above, it is the IP
address of the other router participating in the HSRP group.
Standby router is: This can be "local," "unknown," or an IP address. Address (and the expiration
date of the address) of the "standby" router (the router that is next in line to be the Hot Standby
router). In the example above, it is the local router.
Priority: The configured and operating HSRP group priority. This operating value may be different
from the configured value if the track command has been configured and the tracked interface is
down.
Tracking: List of interfaces that are being tracked and their corresponding states, based on the
standby track command. In the example above, the tracked interface is DOWN, decrementing the
priority from its default of 100 to 75.
The following is output generated from the show glbp command, followed by a table describing the
fields relating to GLBP configuration and operating details.
FastEthernet0/1 - Group 100
State is Standby
1 state change, last state change 1w0d
Virtual IP address is 10.0.0.5 (learnt)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.508 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Preemption disabled
Active is 10.0.0.3, priority 100 (expires in 7.224 sec)
Standby is local
Priority 200 (configured)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
000d.bd8e.0781 (10.0.0.2) local
001a.6ca7.b473 (10.0.0.3)
There are 2 forwarders (1 active)
Forwarder 1
State is Listen
MAC address is 0007.b400.6401 (learnt)
Owner ID is 001a.6ca7.b473
Time to live: 14397.224 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.0.0.3 (primary), weighting 100 (expires in 7.828 sec)
Forwarder 2
State is Active
1 state change, last state change 1w0d
MAC address is 0007.b400.6402 (default)
Owner ID is 000d.bd8e.0781
Preemption enabled, min delay 30 sec
Active is local, weighting 100
The following table describes important information shown in the command output:
Component: Description
Interface type and group number: Interface type and number and GLBP group number for the interface.
State is: State of the virtual gateway or virtual forwarder. For a virtual gateway, the state can
be one of the following:
o Active indicates that the gateway is the active virtual gateway (AVG) and is responsible for
responding to Address Resolution Protocol (ARP) requests for the virtual IP address.
o Disabled indicates that the virtual IP address has not been configured or learned yet, but
another GLBP configuration exists.
o Initial indicates that the virtual IP address has been configured or learned, but virtual
gateway configuration is not complete. An interface must be up and configured to route traffic,
and an interface IP address must be configured.
o Listen indicates that the virtual gateway is receiving hello packets and is ready to change to
the "speak" state if the active or standby virtual gateway becomes unavailable.
o Speak indicates that the virtual gateway is attempting to become the active or standby virtual
gateway.
o Standby indicates that the gateway is next in line to be the AVG.
Virtual IP address is
Hello time, hold time: The hello time is the time between hello packets (in seconds) based on the
standby timers command. The hold time is the time (in seconds) before other routers declare the
active or standby router to be down, based on the standby timers command.
Next hello sent in: Time at which the Cisco IOS software will send the next hello packet (in
hours:minutes:seconds format).
Preemption enabled: Indicates whether preemption is enabled with the glbp preempt command. If
enabled, the minimum delay is the time for which a higher-priority non-active router will wait
before preempting the lower-priority active router. This field is also displayed under the
forwarder section, where it indicates GLBP forwarder preemption.
Active is
Standby is
Priority: The configured and operating GLBP group priority. This operating value may be different
from the configured value if the track command has been configured and the tracked interface is
down.
Weighting: The initial weighting value with lower and upper threshold values.
Load balancing: The load balancing method in the group. This can be one of the following:
round-robin, host-dependent, or weighted.
Track object: The list of objects that are being tracked and their corresponding states.
Group members: This lists the actual IP address and MAC address of the routers participating in
the GLBP group. GLBP may use these as AVFs.
Forwarders: For a virtual forwarder, the state can be one of the following:
o Active indicates that the gateway is the active virtual forwarder (AVF) and is responsible for
forwarding packets sent to the virtual forwarder MAC address.
o Disabled indicates that the virtual MAC address has not been assigned or learned. This is a
transitory state because a virtual forwarder changing to a disabled state is deleted.
o Initial indicates that the virtual MAC address is known, but virtual forwarder configuration is
not complete. An interface must be up and configured to route traffic, an interface IP address
must be configured, and the virtual IP address must be known.
o Listen indicates that the virtual forwarder is receiving hello packets and is ready to change to
the "active" state if the AVF becomes unavailable.
In the example above, the local router is the only active virtual forwarder.
MAC address is: This is the virtual MAC address being used within the GLBP group.
Owner ID is
VoIP Overview
As you study this section, answer the following questions:
A VoIP call consists of two traffic streams:
The voice carrier stream, consisting of Real-Time Transport Protocol (RTP) packets containing the
actual voice samples.
The call control signaling, consisting of one of several protocols that set up, maintain, tear
down, and redirect the call. Protocols used in call control include the following:
o H.323
o Session Initiation Protocol (SIP)
o Media Gateway Control Protocol (MGCP)
Properly provisioning the network bandwidth is a major component of designing a successful Cisco
VoIP solution (also called Telephony). When implementing VoIP, you should consider the following:
Reserve enough bandwidth for the maximum number of calls crossing a link. The sum of the
calculated bandwidth of all applications (such as those for voice, video, and data) should not
exceed 75% of the total bandwidth on the link. This is the recommended threshold.
Even when the total required bandwidth for all applications is under 75% of the available
bandwidth, always enable Quality of Service (QoS) features. This ensures that voice traffic
will flow properly.
Voice codecs compress the voice samples and affect the amount of bandwidth required for
each VoIP call and the payload size. Popular voice codecs include G.711 and G.729, which
use a total bandwidth of 87.2 Kbps and 31.2 Kbps for a payload size of 160 bytes or 20
bytes, respectively.
VoIP headers make up a considerable amount of overhead and bandwidth consumption.
You should be aware of the following VoIP header sizes:
o 18 bytes for the Ethernet header, including the Frame Check Sequence (FCS) or
Cyclic Redundancy Check (CRC).
o 20 bytes for the IP header
o 8 bytes for the UDP header
o 12 bytes for the RTP header
Note: To calculate the total packet size, add the Ethernet, IP, UDP, RTP headers, and voice
payload.
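The bandwidth figures above worked through in Python, as an added example that is not part of the notes: per-packet overhead from the listed headers, per-call bandwidth for G.711 and G.729, and the 75% provisioning check. The codec bit rates (G.711 64 kbps, G.729 8 kbps) and the resulting 50 packets per second are standard codec parameters assumed here, not stated on the page; the link sizes and call counts are constructed.

```python
# Added example: VoIP per-call bandwidth and the 75% link rule (not from the notes).
from math import floor

# Per-packet overhead from the notes: Ethernet (incl. FCS) + IP + UDP + RTP
ETHERNET_HDR, IP_HDR, UDP_HDR, RTP_HDR = 18, 20, 8, 12
OVERHEAD_BYTES = ETHERNET_HDR + IP_HDR + UDP_HDR + RTP_HDR   # 58 bytes

# codec name -> (codec bit rate in kbps, voice payload per packet in bytes)
# Bit rates are standard codec values (assumption); payload sizes are from the notes.
CODECS = {"G.711": (64, 160), "G.729": (8, 20)}


def packets_per_second(codec: str) -> float:
    """RTP packets per second for one call: codec bits per second / payload bits."""
    rate_kbps, payload = CODECS[codec]
    return rate_kbps * 1000 / (payload * 8)


def packet_size_bytes(codec: str) -> int:
    """Total packet size: Ethernet, IP, UDP and RTP headers plus the voice payload."""
    return OVERHEAD_BYTES + CODECS[codec][1]


def call_bandwidth_kbps(codec: str) -> float:
    """Bandwidth of one call in kbps, headers included."""
    return packet_size_bytes(codec) * 8 * packets_per_second(codec) / 1000


def provision(link_kbps: float, calls: int, codec: str,
              other_kbps: float = 0.0, threshold: float = 0.75) -> dict:
    """Check the 75% rule: voice plus the other applications' bandwidth must not
    exceed threshold * link bandwidth. Returns the figures used in the check."""
    voice = calls * call_bandwidth_kbps(codec)
    total = voice + other_kbps
    limit = link_kbps * threshold
    return {"voice_kbps": voice, "total_kbps": total,
            "limit_kbps": limit, "within_limit": total <= limit}


def max_calls(link_kbps: float, codec: str, other_kbps: float = 0.0,
              threshold: float = 0.75) -> int:
    """Largest number of simultaneous calls that still respects the threshold."""
    spare = link_kbps * threshold - other_kbps
    return max(0, floor(spare / call_bandwidth_kbps(codec)))


if __name__ == "__main__":
    for name in CODECS:   # G.711 -> 218 bytes, 87.2 kbps; G.729 -> 78 bytes, 31.2 kbps
        print(name, packet_size_bytes(name), "bytes/packet,",
              call_bandwidth_kbps(name), "kbps per call")
    # constructed case: a 1544 kbps T1 already carrying 400 kbps of data traffic
    print("G.729 calls that fit on a T1 beside 400 kbps of data:",
          max_calls(1544, "G.729", other_kbps=400))
```

Even when the check passes, the notes still call for QoS to be enabled; the arithmetic only sizes the link.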
VoIP requires a well-engineered, end-to-end network that provides little latency for data stream
transmission. Fine-tuning the network to adequately support VoIP involves overcoming the
following issues:
Issue: Description
Delay: Delay (or latency) is the amount of time required for the spoken voice to be carried to the
receiver's ear.
o Delays cause long pauses between speaking and receiving, and might result in callers continually
interrupting each other.
o Callers notice round-trip delays of 250 milliseconds (ms) or more.
o International standards call for a delay of 150 ms or less.
o Fixed-network delay refers to the time it takes a device to encode and decode traffic and the
time required for electrical and optical signals to travel the media en route to the receiver.
o Variable-network delay refers to network conditions, such as congestion, which affect the overall
time it takes a packet to reach its destination.
Packet loss
Echo: Echo is hearing your own voice in the telephone receiver while you are talking.
Voice VLANs
As you study this section, answer the following questions:
In a typical Cisco IP Phone daisy chain configuration, you configure a switch port to send CDP
packets to the phone. The CDP packets will instruct the IP phone on how to send the voice traffic.
The following steps describe how a voice VLAN is created and then operates in a typical Cisco IP
Phone daisy chain configuration:
1. The switch interface is configured using the switchport voice vlan <vlan id> command.
This signals to the switch that it will be using 802.1q tagging with the specified VLAN ID.
2. The Cisco IP phone is connected to the switch interface.
3. Once connected, the switch sends Cisco Discovery Protocol (CDP) packets to the phone, which
include the voice VLAN ID information.
4. The Cisco IP phone receives the CDP packets, interprets the voice VLAN ID, and begins
sending VoIP traffic with the 802.1q tags for the specified voice VLAN.
5. The IP phone also sends data traffic to the same interface but does not include 802.1q tags,
effectively sending traffic to the native (access) VLAN. If configured, the switch could then
tag the data traffic with 802.1q tags for the respective VLAN.
Note: In daisy chain configurations which include other IP phones that do not interpret CDP
information, configure the switch to use 802.1p with the switchport voice vlan dot1p command.
802.1p is a protocol which allows traffic to be prioritized with Quality of Service (QoS) markings.
By using 802.1p, non-Cisco IP phones can elevate the priority of voice traffic. This configuration is
useful for trusting the priority markings from IP phones without using a separate voice VLAN. You
can also use the switchport voice vlan dot1p command on a Cisco IP phone to tag the voice
traffic, but instead of placing the traffic on a voice VLAN, it will use the access VLAN to carry the
voice traffic.
Be aware of the following details when configuring voice VLANs:
If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must
be in the same IP subnet.
You must enable CDP on the switch port connected to the Cisco IP Phone to send the
configuration to the phone. CDP is globally enabled by default on all switch interfaces.
The Port Fast feature is automatically enabled when voice VLAN is configured. When you
disable voice VLAN, the Port Fast feature is not automatically disabled.
Do not configure voice VLAN on private VLAN ports.
You should configure voice VLAN on Layer 2, switch access ports. Voice VLANs are not
supported on trunk ports.
What QoS technologies are available to prevent delay and/or jitter in a VoIP network?
What is the difference between Auto-QoS and standard QoS methods?
Where is the best location to set the trust boundary?
What is the problem with extending the trust boundary too far?
QoS Facts
Quality of Service (QoS) is the ability to guarantee a certain level of performance to a data flow.
QoS-enabled infrastructures allow you to do the following:
Classify and mark traffic such that network devices can differentiate traffic flows.
Condition (police) traffic to tailor traffic flows to specific traffic behavior and throughput.
Mark traffic rates above specified thresholds as lower priority traffic.
Drop packets when rates reach specified thresholds.
Schedule packets such that higher-priority packets transmit from output queues before
lower-priority packets.
Manage output queues such that lower-priority packets awaiting transmission do not
monopolize buffer space.
Integrated services (IntServ): Integrated services, also known as Hard QoS, explicitly reserve
services for traffic flows. Network devices make service reservation requests before sending data,
and once a request is confirmed, the network device sends the data. Through integrated services,
bandwidth and data transmission below the traffic's delay requirements are guaranteed for the
traffic flow.
Note: Integrated services are not scalable and require continuous signaling from network devices.
Differentiated services (DiffServ): Differentiated services, also known as Soft QoS, provide QoS
depending on the data traffic class. As incoming frames enter the switch, differentiated services
categorize the traffic and then sort it into queues of various efficiencies. The switch directly
marks the packet for classification at Layer 2 or Layer 3:
o Layer 2 Class of Service (CoS) uses three bits in the Ethernet header for QoS classification.
The bits allow for up to eight distinct values: 0 through 7, with 7 as the highest priority.
o A Layer 3 Type of Service (ToS) byte contains a 6-bit Differentiated Services Code Point (DSCP)
value used for QoS classification. The DSCP field allows for up to 64 (0-63) distinct values.
Packets can be marked with a standard DSCP value or a user-defined class. For instance, the
default DSCP value for all traffic is 0. This is the value for untrusted traffic.
Note: The first 3 bits (0-2) of the DSCP value define the traffic class. These DSCP bits are known
as the IP Precedence. IP Precedence values range from 0 through 7.
Be aware of the following differentiated services details:
Classification
Marking: Marking is when the switch changes the DSCP, CoS, or IP Precedence values on incoming
frames or packets.
Traffic conditioning: Traffic conditioning refers to the switch's ability to regulate traffic.
Traffic conditioning is a combination of the following:
Congestion management and avoidance:
o First In, First Out (FIFO) queuing: packets are forwarded in the same order in which they arrive
at the interface. This is a best-effort type of service. Although this is a form of congestion
management, it does not implement QoS features.
o Weighted Fair Queuing (WFQ) is a flow-based queuing algorithm that does two things
simultaneously: it schedules interactive traffic to the front of the queue to reduce response
time, and it fairly shares the remaining bandwidth between high-bandwidth flows.
o Priority Queuing (PQ) ensures that important traffic gets the fastest handling at each point
where it is used. It was designed to give strict priority to important traffic.
o Custom Queuing (CQ) reserves a percentage of available bandwidth for an interface for each
selected traffic type. If a particular type of traffic is not using the reserved bandwidth, other
queues and types of traffic may use the remaining bandwidth.
o Weighted Random Early Detection (WRED) attempts to avoid congestion by randomly dropping packets
with a certain classification when output buffers reach a specific threshold.
o Internet Protocol Real-Time Protocol Priority (IP RTP Priority) provides a strict priority
queuing scheme on a Frame Relay permanent virtual circuit
Auto-QoS is a feature which simplifies the deployment of existing QoS features. Auto-QoS makes
assumptions about the network, so the switch can prioritize different traffic flows and appropriately
use the incoming and outgoing queues instead of using the default QoS behavior. This includes
QoS requirements for VoIP traffic. The appropriate QoS features and optimal QoS values that
pertain to each feature are automatically configured (from a Cisco template of best practices) to
meet voice requirements; however, the template configuration generated by auto-QoS can be
modified if desired.
Trust Boundary Facts
The trust boundary is a perimeter in the network where devices are configured to check and reset
the DSCP, IP Precedence, or CoS classification values of the traffic received from untrusted
devices (devices outside the trust boundary). Be aware of the following details:
Markings that devices make outside the trust boundary are often reset, or at least checked
and modified if necessary.
The trust boundary should be configured on devices as close to the traffic source as possible
(i.e. the edge of the network). For example, an access-layer switch or a Cisco IP phone
could be configured to form the trust boundary (see the illustration below).
The devices that form the trust boundary forward classified traffic toward the interior of the
network. The switches located at the interior of the network should have all interfaces
configured for trusting the classified traffic because there is no need to classify the packets.
The trust boundary forms what is known as a QoS domain. The QoS domain includes the
switch, the interior of the network, and edge devices that can classify incoming traffic for
QoS (see the illustration below).
When configuring a Cisco IP phone to form the perimeter of the trusted boundary, Cisco
Discovery Protocol (CDP) must be globally enabled on the switch and on the port
connected to the IP phone. CDP is used to detect the Cisco IP phone. The switch will only
extend the trust boundary when the incoming traffic comes from the phone. For example, if
users disconnect their PCs from networked Cisco IP Phones and connect them to the switch
port to take advantage of trusted CoS or DSCP settings, the switch disables the trusted
setting on the switch or routed port and prevents misuse.
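An added Python example, not code from the notes, that decodes the CoS, DSCP and IP Precedence markings described in the QoS facts and applies the edge-port trust decision described above. The port trust modes mirror the mls qos trust options in these notes; the CoS-to-DSCP map (CoS x 8), the sample frames and the port settings are constructed.

```python
# Added example: marking decode and trust-boundary decision (not from the notes).
from dataclasses import dataclass
from typing import Optional


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the IP ToS byte (the low 2 bits are ECN)."""
    return (tos >> 2) & 0x3F


def ip_precedence(dscp: int) -> int:
    """IP Precedence is the 3 most significant DSCP bits (0-7)."""
    return (dscp >> 3) & 0x7


def tos_from_dscp(dscp: int) -> int:
    """Build a ToS byte from a DSCP value (ECN bits cleared)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp << 2


COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]   # constructed map: CoS n -> DSCP 8n


@dataclass
class Frame:
    tos: int                        # IP ToS byte carried in the packet
    cos: Optional[int] = None       # 802.1p CoS; None means an untagged frame
    from_cisco_phone: bool = False  # CDP identified the sender as a Cisco IP phone


@dataclass
class Port:
    trust: str = "none"                      # none | cos | dscp | ip-precedence
    trust_device_cisco_phone: bool = False   # trusted boundary: trust only behind a phone
    default_cos: int = 0                     # port CoS applied to untagged frames


def classify(port: Port, frame: Frame) -> int:
    """Internal DSCP the switch assigns after the trust decision at the boundary."""
    trust = port.trust
    if port.trust_device_cisco_phone and not frame.from_cisco_phone:
        trust = "none"   # a PC plugged straight into the port: its markings are reset
    if trust == "none":
        return 0         # untrusted: rewrite to the default DSCP 0
    if trust == "cos":
        cos = frame.cos if frame.cos is not None else port.default_cos
        return COS_TO_DSCP[cos]
    if trust == "dscp":
        return dscp_from_tos(frame.tos)
    if trust == "ip-precedence":
        return COS_TO_DSCP[ip_precedence(dscp_from_tos(frame.tos))]
    raise ValueError(f"unknown trust mode {trust}")


def demo() -> dict:
    """Constructed frames: voice marked DSCP 46 / CoS 5 from a phone, and the same
    marking arriving from a PC connected directly to the boundary port."""
    voice = Frame(tos=tos_from_dscp(46), cos=5, from_cisco_phone=True)
    pc = Frame(tos=tos_from_dscp(46), cos=5, from_cisco_phone=False)
    untagged = Frame(tos=tos_from_dscp(46), cos=None)
    boundary = Port(trust="cos", trust_device_cisco_phone=True)
    return {
        "precedence_of_46": ip_precedence(46),
        "phone_on_boundary": classify(boundary, voice),          # CoS 5 trusted -> 40
        "pc_on_boundary": classify(boundary, pc),                # not a phone -> 0
        "pc_on_trust_dscp": classify(Port(trust="dscp"), pc),    # interior-style trust -> 46
        "untagged_trust_cos": classify(Port(trust="cos", default_cos=3), untagged),  # 24
    }
```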
VoIP Configuration
As you study this section, answer the following questions:
How far should you extend the trust boundary and how is it done?
How do you configure a switch to instruct an IP phone to separate voice traffic from data
traffic?
How do you configure the switch to trust incoming QoS markings on voice traffic?
Which command will instruct the IP phone to elevate the priority of voice traffic, but still
send all traffic on the access VLAN?
Which commands will instruct the IP phone to trust or overwrite incoming QoS markings
from the workstation?
After finishing this section, you should be able to complete the following tasks:
Configure a switch to instruct the IP phone to separate voice traffic to another VLAN.
Configure a switch to instruct the IP phone to give voice traffic priority and keep all traffic
on the access VLAN.
Configure QoS settings for VoIP with 802.1p and trust CoS values for traffic.
Configure a trust boundary on the network edge and set trust configurations within the
network.
Configure Auto-QoS on switches for a VoIP configuration.
Use...
To...
Switch(config)#vlan <1-4094>: Define a VLAN.
Note: The voice VLAN should be present and active on the switch for the IP phone to correctly
communicate on the voice VLAN.
Switch(config-if)#switchport voice vlan <vlan id>: Configure a voice VLAN on the interface and
instruct the IP phone to separate voice and data traffic into different VLANs.
Switch(config-if)#switchport voice vlan untagged
Examples
The following commands create VLAN 5 and 770, and instruct a Cisco IP phone to tag the voice
traffic with the VLAN 770 ID and the data traffic with the VLAN 5 ID:
Switch(config)#vlan 5
Switch(config-vlan)#vlan 770
Switch(config-vlan)#interface range fa 0/12 - 13
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#switchport voice vlan 770
The following commands create VLAN 5, instruct the phones connected to FastEthernet 0/2 and
0/8 to use the 802.1p protocol to tag the voice traffic and use the access VLAN to carry all traffic:
Switch(config)#vlan 5
Switch(config-vlan)#interface range fa 0/2 , fa 0/8
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#switchport voice vlan dot1p
QoS Command List
The following table lists commands used to configure and verify QoS settings on a switch:
Use...                                                 To...
Switch(config)#mls qos                                 Enable QoS globally. Until this is entered, the switch
                                                       passes all markings through unchanged and the
                                                       per-interface trust commands below have no effect.
Switch(config-if)#mls qos trust cos                    Trust the 802.1p CoS value in incoming tagged frames.
                                                       For an untagged frame, the default port CoS value is
                                                       used.
Switch(config-if)#mls qos trust dscp                   Trust the DSCP value in incoming packets. The port
                                                       keeps the same DSCP value on the packet.
Switch(config-if)#mls qos trust ip-precedence          Trust the IP precedence value in incoming packets.
Switch(config-if)#mls qos trust                        Set the port trust state; with no keyword the trusted
                                                       marking is DSCP.
Switch(config-if)#mls qos trust device cisco-phone     Enable the trusted boundary feature: the port applies
                                                       its configured trust state only while CDP detects a
                                                       Cisco IP phone on the port. If the phone is removed,
                                                       the port reverts to untrusted.
Switch(config-if)#switchport priority extend cos <0-7> Instruct the IP phone to overwrite the CoS value of
                                                       frames received from the attached PC with the given
                                                       value.
Switch(config-if)#switchport priority extend trust     Instruct the IP phone to trust (pass through) the CoS
                                                       value of frames received from the attached PC.
Switch#show mls qos interface <interface>              Verify the trust state and trusted boundary status of
                                                       an interface.
Examples
The following commands configure FastEthernet 0/5 and FastEthernet 0/6 to trust CoS markings on
all incoming frames:
Switch(config)#mls qos
Switch(config)#interface range fa 0/5 - 6
Switch(config-if-range)#mls qos trust cos
The following commands enable QoS globally, configure FastEthernet 0/12 and FastEthernet 0/13 to
trust CoS markings from Cisco IP phones, and enable the trusted boundary feature (CDP must run
globally and on the ports so that the phone can be detected):
Switch(config)#mls qos
Switch(config)#cdp run
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#cdp enable
Switch(config-if-range)#mls qos trust cos
Switch(config-if-range)#mls qos trust device cisco-phone
The following table lists commands used to configure and verify auto-QoS on a switch:
Use...                                           To...
Switch(config-if)#auto qos voip cisco-phone      Configure a port at the edge of the network to trust the
                                                 QoS label received in the packet only if the packet comes
                                                 from a Cisco IP phone (detected through CDP). The command
                                                 also generates the queueing and marking configuration
                                                 needed for voice.
Switch(config-if)#auto qos voip trust            Configure an interior port (for example, an uplink to
                                                 another switch) to trust the CoS and DSCP markings it
                                                 receives.
Switch#show auto qos [interface <interface>]     Display the auto-QoS configuration that was generated.
Examples
The following commands configure auto-QoS for FastEthernet0/12 and FastEthernet 0/13 and
enable the trusted boundary feature:
Switch(config)#cdp run
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#cdp enable
Switch(config-if-range)#auto qos voip cisco-phone
The following commands configure auto-QoS on FastEthernet0/5, enable the trusted boundary
feature, and allow the IP phone to tag voice traffic with the VLAN 700 ID:
Switch(config)#cdp run
Switch(config)#interface range fa 0/5
Switch(config-if)#cdp enable
Switch(config-if)#auto qos voip cisco-phone
Switch(config-if)#switchport voice vlan 700
The following commands configure auto-QoS trusting for an interior link between
GigabitEthernet0/1 and GigabitEthernet0/0 on SwitchA and SwitchB, respectively:
SwitchA(config)#interface gi 0/1
SwitchA(config-if)#auto qos voip trust
SwitchB(config)#interface gi 0/0
SwitchB(config-if)#auto qos voip trust
After finishing this section, you should be able to complete the following tasks:
Configure a switch to use PoE for IP phones and for devices which do not need PoE.
PoE Facts
Switches with Power over Ethernet (PoE) capability provide electrical power through the Cat 5
cable. This eliminates the need to have a separate power cable for the phone. 802.3af is the IEEE
standard for PoE, whereas Cisco Inline Power is Cisco-proprietary. Catalyst switches include the
following PoE features:
The ability to provide power to devices if the switch detects that there is no power on the
circuit.
The device and the switch negotiate through power-negotiation CDP messages for an
agreed power-consumption level. The negotiation allows a high-power Cisco powered
device to operate at its highest power mode.
The device notifies the switch of the amount of power that it is consuming through CDP
packets.
The switch maintains a power budget, monitors and tracks requests for power, and grants
power only when it is available.
The following table lists the commands used to configure PoE on an interface:
Use...                                 Description
Switch(config-if)#power inline auto    In auto mode (the default), the switch automatically detects whether
                                       the connected device requires power. If the switch discovers a
                                       powered device on the port and has enough power left in its budget,
                                       it grants power, updates the power budget, and turns on power to the
                                       port on a first-come, first-served basis. If the budget is exhausted,
                                       the port is not powered.
Switch(config-if)#power inline static  In static mode, the switch pre-allocates power to the port (even when
                                       no powered device is connected) and guarantees that power will be
                                       available when a device is attached.
Switch(config-if)#power inline never   Disable PoE on the port. Use this on ports connected to devices that
                                       do not need power.
Switch(config-if)#no power inline      Reset the PoE setting on the interface to the default (auto).
Example
The following commands configure auto PoE for FastEthernet0/12 and FastEthernet 0/13, and no
PoE for FastEthernet 0/5:
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#power inline auto
Switch(config-if-range)#int fa 0/5
Switch(config-if)#power inline never
What type of attack causes a switch to act like a hub and send all incoming packets out each
port?
What is the difference between MAC Flooding and MAC Address Spoofing?
How does ARP Spoofing confuse the network devices?
How does VLAN hopping allow attackers to gain access to unauthorized VLANs?
601. Describe common Layer 2 network attacks (e.g., MAC Flooding, Rogue Devices,
VLAN Hopping, DHCP Spoofing, etc.)
Attack                      Description
MAC Flooding                MAC flooding is when a switch is flooded with frames, each containing a
                            different source MAC address. MAC flooding consumes the limited memory set
                            aside in the switch to store the MAC address-to-port table (the CAM table).
                            Once the table is full, legitimate addresses can no longer be learned, or
                            relearned after they age out, and the switch enters a state called fail-open
                            mode, in which frames for those addresses are flooded out all ports (as with
                            a hub) instead of being sent only down the correct port as in normal
                            operation. The attacker can then sniff traffic destined for other hosts.
VLAN Hopping                VLAN hopping is when an attacking host on a VLAN attempts to gain access to
                            traffic on other VLANs that would normally not be accessible. There are two
                            primary methods of VLAN hopping:
                            o Switch spoofing: the attacker negotiates a trunk with the switch port
                              (for example, by speaking DTP) and can then send and receive traffic on
                              every VLAN allowed on that trunk.
                            o Double tagging: the attacker sends frames carrying two 802.1Q tags. The
                              first switch strips the outer tag (its native VLAN) and forwards the frame
                              across the trunk; the next switch reads the inner tag and delivers the
                              frame into the target VLAN.
DHCP Address Exhaustion     In DHCP address exhaustion (starvation), the attacker floods the network with
and DHCP Server Spoofing    DHCP requests carrying spoofed client MAC addresses until the server's
                            address pool is empty. In DHCP server spoofing, a rogue DHCP server answers
                            clients with a default gateway or DNS server under the attacker's control,
                            placing the attacker in the path of the clients' traffic. The two are often
                            combined: exhaust the real server first, then answer from the rogue one.
ARP Spoofing                Fake or spoofed ARP messages are sent on an Ethernet LAN which contain false
                            MAC addresses. Hosts and network devices become confused and either:
                            o Send frames to the wrong host, which allows the frames to be sniffed.
                            o Send frames to unreachable hosts, which causes a DoS.
MAC Address Spoofing        MAC address spoofing is when an attacking device spoofs the MAC address of a
                            valid host currently in the MAC address table of the switch. The switch then
                            forwards frames destined for that valid host to the attacking device.
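The following Python model is an added example, not part of the study notes: it simulates a switch MAC address table of fixed size to show what the MAC flooding and MAC address spoofing rows above describe. The table size (256 entries), the port names and the addresses are assumptions made for the demonstration, and the flood uses a counter rather than random addresses so that the run is repeatable.

```python
from collections import OrderedDict

# Added example (not from the study notes): a toy model of a switch MAC
# address table used to show why MAC flooding makes a switch behave like a
# hub and why MAC address spoofing redirects a victim's traffic. The table
# size, port names and addresses are assumptions made for the demonstration.


class CamTable:
    def __init__(self, capacity, ports):
        self.capacity = capacity
        self.ports = list(ports)
        self.entries = OrderedDict()     # source MAC -> port on which it was last seen

    def learn(self, ingress_port, src_mac):
        """Source-address learning. True if the address is in the table afterwards."""
        if src_mac in self.entries:
            # A known address arriving on another port just moves the entry:
            # this is exactly what MAC address spoofing relies on.
            self.entries[src_mac] = ingress_port
            return True
        if len(self.entries) >= self.capacity:
            return False                 # table full: the address is not learned
        self.entries[src_mac] = ingress_port
        return True

    def age_out(self, mac):
        """An entry that is not refreshed is removed after the aging time."""
        self.entries.pop(mac, None)

    def egress_ports(self, ingress_port, dst_mac):
        """Ports a frame for dst_mac is sent out of; unknown unicast is flooded."""
        port = self.entries.get(dst_mac)
        if port is None:
            return {p for p in self.ports if p != ingress_port}
        return {port}


def mac_flood(cam, attacker_port, frames, start=0):
    """MAC flooding: frames from one port, each with a new locally administered source MAC.
    A real tool randomizes the addresses; a counter keeps this run deterministic."""
    for i in range(start, start + frames):
        cam.learn(attacker_port, "02:00:%02x:%02x:%02x:%02x"
                  % ((i >> 24) & 255, (i >> 16) & 255, (i >> 8) & 255, i & 255))


VICTIM = "08:00:46:f5:49:1c"
PORTS = ("Fa0/1", "Fa0/2", "Fa0/3")     # victim, a normal host, the attacker


def flooding_demo():
    cam = CamTable(capacity=256, ports=PORTS)
    cam.learn("Fa0/1", VICTIM)
    before = cam.egress_ports("Fa0/2", VICTIM)      # delivered only to Fa0/1
    mac_flood(cam, "Fa0/3", frames=5000)            # fills every free slot
    cam.age_out(VICTIM)                             # the victim's entry expires...
    mac_flood(cam, "Fa0/3", frames=10, start=5000)  # ...the ongoing flood takes the freed slot...
    relearned = cam.learn("Fa0/1", VICTIM)          # ...so the victim cannot be learned again
    after = cam.egress_ports("Fa0/2", VICTIM)       # flooded: the attacker on Fa0/3 sees it too
    return {"before": before, "after": after, "relearned": relearned,
            "table_full": len(cam.entries) == cam.capacity}


def spoofing_demo():
    cam = CamTable(capacity=256, ports=PORTS)
    cam.learn("Fa0/1", VICTIM)
    cam.learn("Fa0/3", VICTIM)                      # one frame with the victim's source MAC
    return cam.egress_ports("Fa0/2", VICTIM)        # traffic for the victim now goes to Fa0/3


if __name__ == "__main__":
    print(flooding_demo())
    print(spoofing_demo())
```

The flooding case only "works" once the victim's own entry ages out and cannot be relearned, which is why a real attacker keeps the flood running; port security (maximum MAC addresses per port) is the control that stops the attacker's port from filling the table in the first place.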
Port Security
As you study this section, answer the following questions:
What is the main difference between a SecureDynamic address and a SecureSticky address?
When configuring a Port Security maximum on a port with a voice VLAN, how many MAC
addresses should you account for?
What is the difference between port security and MAC filtering?
After finishing this section, you should be able to complete the following tasks:
602. Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.
603. Verify Catalyst switch (IOS-based) security configurations (i.e., Port Security, 802.1x,
VACLs, Private VLANs, DHCP Snooping, and DAI).
Port security uses the MAC address to identify allowed and denied devices.
By default, port security allows only a single device to connect through a switch port. You
can, however, modify the maximum number of allowed devices.
MAC addresses are stored in RAM in a table, and are identified with the port and by a
MAC address type. Port security uses the following three MAC address types:
Type               Description
SecureConfigured   A static secure address entered manually with the switchport port-security
                   mac-address command. It is kept in the address table and in the running-config,
                   so it survives a reload once the configuration is saved.
SecureDynamic      An address learned dynamically from the first frames seen on the port. It is
                   kept only in the address table and is lost when the switch reloads or the entry
                   ages out.
SecureSticky       An address learned dynamically (or entered manually with the sticky keyword)
                   and then written into the running-config as a static entry, so it survives a
                   reload once the configuration is saved. Sticky addresses are learned only while
                   sticky learning is enabled on the port.
A port violation occurs when the maximum number of MAC addresses has been seen on the
port and an unknown MAC address is then seen, or when an address secured on one port
appears on another secure port in the same VLAN.
You can configure the switch to take one of the following actions when a violation occurs:
o Shut down the port (shutdown). The port is placed in the error-disabled state and must be
  re-enabled manually or by errdisable recovery. This is the default setting.
o Drop all frames from unauthorized MAC addresses (protect). No notification is generated and
  the violation counter does not increase.
o Drop all frames from unauthorized MAC addresses, generate an SNMP trap and a syslog message,
  and increment the violation counter (restrict).
You cannot configure static secure or sticky secure MAC addresses on the voice VLAN. If
any type of port security is enabled on the access VLAN, dynamic port security is
automatically enabled on the voice VLAN.
The port security feature specifies which MAC addresses are allowed. A separate, but
related feature, called MAC filtering prevents a host with a specific MAC address from
sending traffic into the network. MAC filtering uses the MAC address to VLAN access
maps to specify which MAC addresses are restricted.
Port Security Command List
Each switch port has its own port security settings. To configure port security, take the following
general actions:
Use...                                                      Function
switch(config-if)#switchport mode access                    Identifies the port as an access port.
                                                            Note: You can only configure port security after
                                                            explicitly making the port an access port; it
                                                            cannot be enabled on a port in dynamic (DTP)
                                                            mode.
switch(config-if)#switchport port-security                  Enables port security.
                                                            Note: You can enter port security commands for
                                                            an interface without port security being enabled.
                                                            However, port security will not be enforced if
                                                            this entry is missing.
switch(config-if)#switchport port-security maximum <1-8320> Configures the maximum number of MAC addresses
                                                            that can be allowed for a port. The default
                                                            allows only a single MAC address per port. The
                                                            upper limit depends on the platform.
switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
                                                            Selects the action taken on a violation (the
                                                            default is shutdown).
switch(config-if)#switchport port-security mac-address sticky
                                                            Enables sticky learning: dynamically learned
                                                            addresses are converted to sticky secure
                                                            addresses and added to the running-config.
switch(config-if)#switchport port-security mac-address h.h.h
                                                            Configures a static secure MAC address for the
                                                            port.
switch(config-if)#switchport port-security mac-address sticky h.h.h
                                                            Configures a sticky secure MAC address manually.
switch(config)#errdisable recovery cause psecure-violation  Allows a port that was error-disabled by a port
                                                            security violation to be re-enabled automatically
                                                            after the errdisable recovery interval.
Note: You cannot configure more MAC addresses for a port than the maximum allowed number.
To add more MAC addresses to an interface after the limit has been reached, increase the maximum
number first or delete existing MAC addresses. This limitation applies to MAC addresses with or
without the sticky parameter.
Examples
The following commands configure switch port security to allow only host 5ab9.0012.02af to use
FastEthernet 0/12:
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af
The following commands configure FastEthernet 0/15 to accept the first MAC address it receives
as the allowed MAC address for the port:
switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
The following commands configure port security for voice VLAN configurations on FastEthernet
0/1 through 0/4:
switch(config)#interface range fa 0/1 - 4
switch(config-if-range)#switchport port-security
switch(config-if-range)#switchport port-security maximum 3
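The Python model below is an added example, not part of the study notes or of Cisco IOS: it reproduces how a port-security port classifies each incoming source address and what each violation mode does, including the voice-port case in which the phone's MAC address is counted on both the voice and the access VLAN (hence maximum 3). The MAC addresses, port names and the exact syslog text are assumptions made for the demonstration.

```python
# Added example (not from the study notes): a model of a port-security port
# that classifies each incoming source address and reacts to a violation in
# the protect, restrict and shutdown modes. Addresses and ports are made up;
# the voice-port case uses the VLAN numbers from the examples above.

VIOLATION_MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        assert violation in VIOLATION_MODES
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        # (vlan, mac) -> address type, as listed by "show port-security address"
        self.secure = {key: "SecureConfigured" for key in static}
        self.violation_count = 0
        self.errdisabled = False
        self.notifications = []          # SNMP traps / syslog messages that would be sent

    def ingress(self, src_mac, vlan=1):
        """Return 'forward', 'drop' or 'errdisable' for a frame from src_mac on vlan."""
        if self.errdisabled:
            return "drop"
        key = (vlan, src_mac)
        if key in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[key] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # Maximum reached and an unknown address appeared: a violation.
        if self.violation == "protect":
            return "drop"                # silently: no counter, no notification
        self.violation_count += 1
        self.notifications.append("%%PORT_SECURITY-2-PSECURE_VIOLATION: %s on %s vlan %d"
                                  % (src_mac, self.name, vlan))
        if self.violation == "restrict":
            return "drop"
        self.errdisabled = True          # shutdown mode: the port goes err-disabled
        return "errdisable"

    def recover(self):
        """shutdown / no shutdown, or errdisable recovery cause psecure-violation."""
        self.errdisabled = False

    def reload(self):
        """Only configured and sticky addresses survive a reload (after write memory)."""
        self.secure = {k: t for k, t in self.secure.items() if t != "SecureDynamic"}


def port_security_demo():
    r = {}
    # Default settings (maximum 1, shutdown) with the static address from the first example.
    p = SecurePort("Fa0/12", static=[(1, "5ab9.0012.02af")])
    r["shutdown"] = [p.ingress("5ab9.0012.02af"), p.ingress("0800.46f5.491c"),
                     p.ingress("5ab9.0012.02af")]   # the legitimate host is cut off too
    p.recover()
    r["after_recovery"] = p.ingress("5ab9.0012.02af")

    # Voice port: the phone's MAC is seen on the voice VLAN and on the access VLAN,
    # plus the PC behind it, so the maximum must be 3. Restrict keeps the port up.
    v = SecurePort("Fa0/1", maximum=3, violation="restrict", sticky=True)
    v.ingress("0011.2233.4455", vlan=770)           # phone, voice VLAN
    v.ingress("0011.2233.4455", vlan=5)             # phone, access VLAN (CDP, management)
    v.ingress("aabb.ccdd.eeff", vlan=5)             # PC
    r["restrict"] = (v.ingress("dead.beef.0001", vlan=5), v.violation_count, len(v.notifications))
    r["port_still_up"] = v.ingress("aabb.ccdd.eeff", vlan=5)

    # Protect drops silently; after a reload the dynamic entry is gone, sticky ones remain.
    q = SecurePort("Fa0/15", violation="protect")
    q.ingress("0000.0c00.0001")
    r["protect"] = (q.ingress("0000.0c00.0002"), q.violation_count)
    q.reload()
    v.reload()
    r["after_reload"] = (len(q.secure), len(v.secure))
    return r


if __name__ == "__main__":
    for k, v in port_security_demo().items():
        print(k, v)
```

Note the trade-off the model makes visible: shutdown mode is the safest default but also cuts off the legitimate host on the same port, while restrict keeps the port up, drops only the offending address, and still leaves a counter and a trap for the SOC to act on.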
Port Security Monitoring Facts
Use the following commands to verify port security operations:
Command                                          Description
switch#show port-security                        Shows a summary of port security settings for enabled
                                                 interfaces. Information includes, for each secure port,
                                                 the maximum number of secure addresses, the current
                                                 number of addresses, the security violation count, and
                                                 the configured security action (violation mode).
switch#show port-security interface <interface>  Shows the detailed port security status of one interface
                                                 (see the sample output below).
switch#show port-security address                Lists the secure MAC addresses with their type
                                                 (SecureConfigured, SecureDynamic or SecureSticky), VLAN
                                                 and port.
Listed below is a sample output from the show port-security interface command:
switch#show port-security interface fa0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.46f5.491c:1
Security Violation Count   : 1
Individual entries are explained in the following table:
Entry                      Description
Port Security              Shows the enabled or the disabled state of port security.
Port Status                The port status indicates the operational status of the port as viewed by port
                           security. A status of Secure-up indicates that the line is operational and port
                           security is being enforced. A status of Secure-down means the line is down (for
                           example, no device is connected or the interface is administratively shut down).
                           A status of Secure-shutdown, as in the sample above, means the port has been
                           error-disabled by a security violation and must be recovered with shutdown /
                           no shutdown or by errdisable recovery.
Violation Mode             Identifies the configured violation mode for the interface (shutdown, protect, or
                           restrict).
Maximum MAC Addresses      Identifies the configured maximum number of allowed devices.
Total MAC Addresses        Identifies the total number of known MAC addresses on this port. This includes
                           all addresses in the running-config file (including sticky addresses) and all
                           dynamic addresses that have been learned.
Configured MAC Addresses   Identifies the number of addresses configured with the switchport port-security
                           mac-address command (excluding sticky addresses).
Sticky MAC Addresses       Identifies the number of addresses in the running-config file identified with
                           switchport port-security mac-address sticky entries.
Last Source Address:Vlan   The source MAC address and VLAN of the last frame seen on the port. After a
                           violation this is the offending address.
Security Violation Count   Identifies the number of violations detected. If this value is anything other
                           than 0, then the port has already taken the action specified by the Violation
                           Mode line.
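When this output is collected from many switches, reading it by hand does not scale. The following parser is an added example, not part of the study notes: it turns the sample output reproduced above into a dictionary and lists the conditions an operator should act on (port err-disabled, violations recorded, address table full, and so on). The sample text is the one shown above; the audit rules are the editor's assumptions about what is worth flagging.

```python
import re

# Added example (not from the study notes): parse "show port-security interface"
# output into a dictionary and flag the conditions an operator should act on.
# SAMPLE is the output reproduced in the notes; the audit rules are assumptions.

SAMPLE = """\
switch#show port-security interface fa0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.46f5.491c:1
Security Violation Count   : 1
"""

# The key ends at the first whitespace-colon-whitespace sequence, which keeps
# "Last Source Address:Vlan" (no space before its colon) intact.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.+?)\s*$")
COUNTERS = ("Maximum MAC Addresses", "Total MAC Addresses", "Configured MAC Addresses",
            "Sticky MAC Addresses", "Security Violation Count")


def parse_port_security(text):
    """Return {field: value}; counters become ints, Last Source becomes (mac, vlan)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # command echo, blank lines
        key, value = m.group("key"), m.group("value")
        if key in COUNTERS:
            fields[key] = int(value)
        elif key == "Last Source Address:Vlan":
            mac, _, vlan = value.rpartition(":")
            fields[key] = (mac, int(vlan))
        else:
            fields[key] = value
    return fields


def audit(fields):
    """Findings an operator should look at, most urgent first."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port security not enforced on this interface"]
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port err-disabled by a violation: recover with shutdown/no shutdown "
                        "or errdisable recovery cause psecure-violation")
    count = fields.get("Security Violation Count", 0)
    if count > 0:
        mac, vlan = fields.get("Last Source Address:Vlan", ("?", 0))
        findings.append("%d violation(s); last offending address %s on VLAN %d" % (count, mac, vlan))
    if fields.get("Total MAC Addresses") == fields.get("Maximum MAC Addresses"):
        findings.append("address table at maximum: any new device will trigger a violation")
    if fields.get("Violation Mode") == "Protect":
        findings.append("protect mode: violations are dropped silently and never counted")
    dynamic = (fields.get("Total MAC Addresses", 0) - fields.get("Configured MAC Addresses", 0)
               - fields.get("Sticky MAC Addresses", 0))
    if dynamic > 0 and fields.get("Aging Time") == "0 mins":
        findings.append("%d dynamic address(es) with no aging: a replaced host will be treated "
                        "as a violation until the port is cleared" % dynamic)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE)):
        print("-", finding)
```

The same parser works on the output of `show port-security interface` for any port; feeding it the text collected by an SSH or NETCONF job gives a fleet-wide list of err-disabled ports and the MAC addresses that caused them.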
After finishing this section, you should be able to complete the following tasks:
602. Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.
603. Verify Catalyst switch (IOS-based) security configurations (i.e., Port Security, 802.1x,
VACLs, Private VLANs, DHCP Snooping, and DAI).
IP Source Guard (IPSG) is a security feature that restricts IP traffic on non-routed, Layer 2
interfaces. IPSG filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings. IPSG prevents traffic attacks caused when a host tries to use the IP
address of its neighbor. IPSG details include the following:
IPSG blocks all IP traffic received on the interface, except for DHCP packets allowed by
DHCP snooping.
A port access control list (PACL) is applied to the interface. The port ACL allows only IP
traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are
manually configured. An entry in the table has an IP address, its associated MAC address,
and its associated VLAN number.
Note: The switch uses the IP source binding table only when IPSG is enabled.
IPSG is supported only on Layer 2 ports, including access and trunk ports. You can
configure IP source guard with the following options:
o With the source IP address filtering option, IP traffic is filtered based on the source
IP address. The switch forwards IP traffic when the source IP address matches an
entry in the DHCP snooping binding database or a binding in the IP source binding
table.
o With the source IP and MAC address filtering option, IP traffic is filtered based on
the source IP and MAC addresses. The switch forwards traffic only when the source
IP and MAC addresses match an entry in the IP source binding table.
When IPSG with source IP filtering is enabled on an interface, DHCP snooping must be
enabled on the access VLAN to which the interface belongs.
Use the following commands to configure DHCP Snooping and IP Source Guard:
Use...                                                To...
switch(config)#ip dhcp snooping                       Enable DHCP snooping globally. Until the feature is
                                                      also enabled on a VLAN, no packets are inspected.
switch(config)#ip dhcp snooping vlan <vlan id>        Enable DHCP snooping on a VLAN or range of VLANs.
switch(config)#ip dhcp snooping information option    Insert DHCP relay information (option 82, which
                                                      identifies the switch and port) into DHCP requests
                                                      forwarded from untrusted ports. Disable it if the
                                                      DHCP server does not understand option 82.
switch(config-if)#ip dhcp snooping trust              Configure the interface as trusted. DHCP server
                                                      messages (OFFER, ACK, NAK) are accepted only on
                                                      trusted interfaces; use this on uplinks and on the
                                                      ports facing the DHCP server or relay.
switch(config-if)#no ip dhcp snooping trust           Return the interface to untrusted (the default).
                                                      DHCP server messages arriving on an untrusted
                                                      interface are dropped.
switch(config-if)#ip verify source [port-security]    Enable IP Source Guard on the interface. Without
                                                      the keyword only the source IP address is checked
                                                      against the binding table; with port-security the
                                                      source MAC address is checked as well (port
                                                      security must also be enabled on the port). Some
                                                      platforms use the form
                                                      ip verify source vlan dhcp-snooping [port-security].
switch#show ip dhcp snooping binding                  Display the DHCP snooping binding database (MAC
                                                      address, IP address, lease time, type, VLAN and
                                                      interface).
switch#show ip verify source                          Display the interfaces on which IPSG is enabled and
                                                      the bindings in effect on each.
Examples
The following commands globally configure IP DHCP snooping on the switch and enable IP
DHCP snooping on VLAN 20:
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan 20
The following commands configure IPSG on FastEthernet 0/5 with the source IP address filtering
option:
switch(config)#int fa 0/5
switch(config-if)#ip verify source
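The following Python model is an added example, not part of the study notes or of Cisco IOS: it shows how the DHCP snooping binding database is built from DHCP messages (accepting server messages only on trusted ports, and dropping requests whose client hardware address does not match the frame's source MAC) and how IP Source Guard then filters IP packets against those bindings in both the IP-only and the IP+MAC modes. Port names, VLAN 20, the addresses and the message sequence are all constructed for the demonstration.

```python
# Added example (not from the study notes): a model of the DHCP snooping
# binding database and of the IP Source Guard filter built from it. Ports,
# VLAN numbers, addresses and the message flow are made up.

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, vlans):
        self.vlans = set(vlans)    # ip dhcp snooping vlan ...
        self.trusted = set()       # ip dhcp snooping trust
        self.ipsg = {}             # port -> "ip" | "ip-mac"   (ip verify source [port-security])
        self.bindings = {}         # (vlan, ip) -> (mac, port)  show ip dhcp snooping binding
        self.pending = {}          # (vlan, client mac) -> port that sent DISCOVER/REQUEST

    def dhcp(self, port, vlan, msg, chaddr, src_mac, yiaddr=None):
        """Inspect one DHCP message. Returns 'forward' or 'drop'."""
        if vlan not in self.vlans:
            return "forward"                   # snooping not enabled on this VLAN
        if port in self.trusted:
            if msg == "ACK" and (vlan, chaddr) in self.pending:
                self.bindings[(vlan, yiaddr)] = (chaddr, self.pending[(vlan, chaddr)])
            return "forward"
        if msg in SERVER_MESSAGES:
            return "drop"                      # rogue DHCP server on an untrusted port
        if chaddr != src_mac:
            return "drop"                      # spoofed client address (starvation attempt)
        self.pending[(vlan, chaddr)] = port
        return "forward"

    def ip_packet(self, port, vlan, src_ip, src_mac):
        """IP Source Guard on the ingress port. Returns 'forward' or 'drop'."""
        mode = self.ipsg.get(port)
        if mode is None:
            return "forward"
        binding = self.bindings.get((vlan, src_ip))
        if binding is None or binding[1] != port:
            return "drop"                      # address not leased on this port
        if mode == "ip-mac" and binding[0] != src_mac:
            return "drop"                      # right IP, wrong MAC
        return "forward"


def snooping_demo():
    sw = DhcpSnooping(vlans=[20])
    sw.trusted.add("Gi0/1")                    # uplink toward the real DHCP server
    sw.ipsg["Fa0/5"] = "ip"
    sw.ipsg["Fa0/6"] = "ip-mac"
    server = "0000.5e00.0001"
    client, neighbor = "0011.2233.4455", "aabb.ccdd.eeff"
    r = {}
    # A normal lease: request from Fa0/5, answer from the trusted uplink.
    r["discover"] = sw.dhcp("Fa0/5", 20, "DISCOVER", client, client)
    r["ack"] = sw.dhcp("Gi0/1", 20, "ACK", client, server, yiaddr="10.0.20.15")
    r["client_ip"] = sw.ip_packet("Fa0/5", 20, "10.0.20.15", client)
    # Attacks from untrusted ports.
    r["rogue_offer"] = sw.dhcp("Fa0/7", 20, "OFFER", neighbor, neighbor, yiaddr="10.0.20.99")
    r["starvation"] = sw.dhcp("Fa0/7", 20, "DISCOVER", "0200.0000.0001", neighbor)
    r["ip_spoof"] = sw.ip_packet("Fa0/6", 20, "10.0.20.15", neighbor)
    r["unleased"] = sw.ip_packet("Fa0/5", 20, "10.0.20.200", client)
    # IP+MAC mode on Fa0/6: the neighbor's own lease, then a MAC spoof of it.
    sw.dhcp("Fa0/6", 20, "DISCOVER", neighbor, neighbor)
    sw.dhcp("Gi0/1", 20, "ACK", neighbor, server, yiaddr="10.0.20.16")
    r["neighbor_ok"] = sw.ip_packet("Fa0/6", 20, "10.0.20.16", neighbor)
    r["mac_spoof"] = sw.ip_packet("Fa0/6", 20, "10.0.20.16", "0200.0000.0002")
    r["bindings"] = sorted(sw.bindings.items())
    return r


if __name__ == "__main__":
    for k, v in snooping_demo().items():
        print(k, v)
```

The model makes the dependency explicit: IPSG can only admit addresses that DHCP snooping (or a manual binding) put in the table, so a static-IP host on an IPSG port is blocked until an `ip source binding` entry is added for it.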
The client is typically a workstation requesting authentication to the network using 802.1X.
The authentication server is responsible for validating requests from clients forwarded by the
switch. Authentication servers are RADIUS servers which support EAP (Extensible
Authentication Protocol).
The switch is responsible for forwarding the 802.1X requests from the client to the
authentication server and granting access to the network based on a successful
authentication. The switch is acting as a proxy in the 802.1X authentication process.
The switch port state determines whether the client is granted access to the network. The switch
port states for 802.1X include the following:
In the unauthorized state, the port drops all traffic except for the 802.1X protocol packets.
This is the initial port state.
In the authorized state, the port forwards traffic as normal. The port transitions to authorized
after the client has been successfully authenticated.
To control the 802.1X port authorization state, Catalyst switches support the following options:
Option               Description
force-authorized     The force-authorized option disables 802.1X port-based authentication and causes
                     the port to transition to the authorized state without requiring the authentication
                     exchange. The port transmits and receives normal traffic without authenticating the
                     client.
                     Note: This is the default setting.
force-unauthorized   The force-unauthorized option forces the port to remain in the unauthorized state,
                     dropping all traffic, including all attempts by the client to authenticate. The switch
                     cannot provide authentication services to the client through this port.
auto                 The auto option enables 802.1X port-based authentication and causes the port to
                     begin in the unauthorized state, allowing only 802.1X (EAPOL) protocol packets. The
                     port moves to the authorized state after the client authenticates successfully.
Use the following commands to configure 802.1X:
Use...                                                        To...
switch(config)#aaa new-model                                  Enable the AAA access control model (required
                                                              before any aaa authentication command).
switch(config)#aaa authentication dot1x default group radius  Use the configured RADIUS servers as the
                                                              authentication method for 802.1X.
switch(config)#dot1x system-auth-control                      Enable 802.1X port-based authentication
                                                              globally.
switch(config-if)#dot1x port-control {auto | force-authorized | force-unauthorized}
                                                              Set the port authorization mode (see the
                                                              table above).
Examples
The following commands globally enable 802.1X (a RADIUS server must already have been defined
with radius-server host) and then configure the FastEthernet 0/12 switch port with the 802.1X
auto option:
switch(config)#aaa new-model
switch(config)#aaa authentication dot1x default group radius
switch(config)#dot1x system-auth-control
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#dot1x port-control auto
Type                        Description
VLAN Access Control List    VACLs filter traffic within a VLAN, including traffic bridged between two ports
(VACL)                      in the same VLAN, which a router ACL never sees. VACLs support filtering based
                            on IP addresses, Ethertype and MAC addresses. VACLs are order-sensitive,
                            similar to Cisco-based route maps: they are built from VLAN access-map
                            entries, each with a match clause and an action. Switches support the
                            following VACL actions: forward and drop (some platforms also support
                            redirect to another interface).
QoS Access Control List     QoS ACLs define the packets to which QoS classification, marking, policing,
(QoS ACL or QACL)           and scheduling are applied.
Port Access Control List    PACLs are applied at Layer 2 to control traffic entering or leaving a port.
(PACL)                      PACLs apply to a switch port, trunk port, or EtherChannel port. The following
                            ACLs are supported on Layer 2 interfaces using PACLs:
                            o IP traffic is filtered by using IP ACLs and non-IP traffic is filtered by
                              using MAC ACLs.
                            o When the PACL is applied to trunk ports, the ACL filters traffic on all
                              VLANs present on the trunk port.
                            o When the PACL is applied to a port with a voice (auxiliary) VLAN, the
                              ACL filters traffic on both data and voice VLANs.
Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks.
Packets arriving on untrusted interfaces undergo the dynamic ARP inspection validation
process (described below). By default, all interfaces are untrusted.
In a typical network configuration, you configure all switch ports connected to host ports as
untrusted and configure all switch ports connected to switches as trusted. With this configuration,
all ARP packets entering the network from a DAI-enabled switch bypass the security check and no
other validation is needed at any other place in the VLAN or in the network.
When DAI is enabled, the switch performs the following activities on an untrusted port:
1. All ARP requests and responses are intercepted.
2. Each intercepted packet is checked for a valid IP-to-MAC address binding. Valid IP-to-MAC
   address bindings are stored in the DHCP snooping binding database (the database is built
   when DHCP snooping is enabled on the VLANs and on the switch).
o If the packet has a valid binding, the switch forwards the packet to the appropriate
destination.
o If the packet has an invalid binding, the switch drops the ARP packet and generates
system messages on a rate-controlled basis.
The switch's CPU performs DAI validation checks; therefore, the number of incoming ARP packets
is rate-limited to prevent a denial-of-service attack. Be aware of the following details:
The default rate for untrusted interfaces is 15 ARP packets per second (pps). The rate-limit
can be configured.
When the limit is exceeded, the switch places the port in the error-disabled state. The port
remains in that state until manually enabled, or after a specified timeout period.
Note: Trusted interfaces are not rate-limited.
DAI does not prevent hosts in other portions of the network from poisoning the caches of
the hosts connected to a switch running DAI.
In cases in which some switches in a VLAN run DAI and other switches do not, configure
the interfaces connecting such switches as untrusted.
DAI is supported on access ports, trunk ports, and EtherChannel ports. It is not supported on
private VLAN ports.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit
or to deny packets.
Use the following commands to configure DAI:
Use...                                                    To...
switch(config)#ip arp inspection vlan <vlan range>        Enable dynamic ARP inspection on a per-VLAN
                                                          basis.
                                                          Note: By default, dynamic ARP inspection is
                                                          disabled on all VLANs.
switch(config)#int gi 0/1                                 Configure the interface as trusted. Use this on
switch(config-if)#ip arp inspection trust                 links to other DAI-enabled switches; ARP packets
                                                          received on a trusted interface are not
                                                          inspected.
switch(config-if)#no ip arp inspection trust              Return the interface to untrusted (the default).
switch(config-if)#ip arp inspection limit rate <pps>      Change the ARP rate limit on an untrusted
                                                          interface (the default is 15 pps).
switch(config)#errdisable recovery cause arp-inspection   Re-enable automatically a port that was
                                                          error-disabled because the ARP rate limit was
                                                          exceeded.
switch(config)#errdisable recovery interval <30-86400>    Set the errdisable recovery timer, in seconds.
switch#show ip arp inspection [vlan <vlan range>]         Verify the DAI configuration and view the
                                                          counts of forwarded and dropped ARP packets.
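The following Python model is an added example, not part of the study notes or of Cisco IOS: it implements the DAI decision described above as a function of the binding table, the trust state of the ingress port and the per-port ARP rate limit, and runs an ARP poisoning attempt and a rate-limit burst through it. The binding table contents, port names and addresses are constructed for the demonstration; the static gateway entry stands in for an ARP ACL.

```python
# Added example (not from the study notes): dynamic ARP inspection modelled
# as a function of the DHCP snooping binding table, the trust state of the
# ingress port and the per-port ARP rate limit. Addresses and ports are made up.

DEFAULT_RATE = 15                          # ARP packets per second on untrusted ports


class ArpInspection:
    def __init__(self, vlans, bindings):
        self.vlans = set(vlans)            # ip arp inspection vlan ...
        self.bindings = dict(bindings)     # (vlan, ip) -> mac, from DHCP snooping or ARP ACLs
        self.trusted = set()               # ip arp inspection trust
        self.rate = {}                     # port -> pps (ip arp inspection limit rate)
        self.errdisabled = set()
        self.seen = {}                     # (port, second) -> ARP packets in that second
        self.log = []

    def arp(self, port, vlan, sender_ip, sender_mac, t):
        """Return 'forward', 'drop' or 'errdisable' for one ARP request or reply."""
        if port in self.errdisabled:
            return "drop"
        if vlan not in self.vlans or port in self.trusted:
            return "forward"               # no inspection and no rate limit
        second = int(t)
        n = self.seen[(port, second)] = self.seen.get((port, second), 0) + 1
        if n > self.rate.get(port, DEFAULT_RATE):
            self.errdisabled.add(port)     # recover with errdisable recovery cause arp-inspection
            self.log.append("%s: ARP rate limit exceeded, port err-disabled" % port)
            return "errdisable"
        if self.bindings.get((vlan, sender_ip)) != sender_mac:
            self.log.append("%s: invalid ARP binding %s -> %s dropped" % (port, sender_ip, sender_mac))
            return "drop"
        return "forward"


def dai_demo():
    gateway_mac, host_mac, attacker_mac = "0000.5e00.0101", "0011.2233.4455", "aabb.ccdd.eeff"
    dai = ArpInspection(vlans=[20], bindings={
        (20, "10.0.20.1"): gateway_mac,    # static entry for the router (ARP ACL)
        (20, "10.0.20.15"): host_mac,      # learned by DHCP snooping
        (20, "10.0.20.66"): attacker_mac,  # the attacker's own, legitimate lease
    })
    dai.trusted.add("Gi0/1")               # uplink to another DAI-enabled switch
    r = {}
    r["host_ok"] = dai.arp("Fa0/5", 20, "10.0.20.15", host_mac, t=0.0)
    # Poisoning attempt: the attacker claims the gateway's IP with its own MAC.
    r["poison"] = dai.arp("Fa0/7", 20, "10.0.20.1", attacker_mac, t=0.1)
    # The same packet arriving over the trusted uplink is not checked at all.
    r["trusted"] = dai.arp("Gi0/1", 20, "10.0.20.1", attacker_mac, t=0.2)
    # Sixteen valid ARPs inside one second trip the default rate limit on the 16th.
    burst = [dai.arp("Fa0/7", 20, "10.0.20.66", attacker_mac, t=1.0 + i / 100) for i in range(16)]
    r["burst"] = (burst.count("forward"), burst[-1])
    r["after_errdisable"] = dai.arp("Fa0/7", 20, "10.0.20.66", attacker_mac, t=5.0)
    r["log"] = dai.log
    return r


if __name__ == "__main__":
    for k, v in dai_demo().items():
        print(k, v)
```

The trusted-uplink case is the one to keep in mind when reading the caveats above: a host behind a switch that does not run DAI can still poison caches on this switch's VLAN, which is why links to non-DAI switches should stay untrusted.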
A promiscuous port communicates with all other PVLAN ports. The promiscuous port is
the port that you typically use to communicate with external routers, network management
devices, backup servers, administrative workstations, and other devices.
An isolated port has complete Layer 2 separation from other ports within the same PVLAN.
This separation includes broadcasts, and the only exception is the promiscuous port.
Isolated ports can only forward traffic to promiscuous ports.
A community port can communicate with other ports in the same community and with the
promiscuous ports. These ports have Layer 2 isolation from all other ports in other
communities, or isolated ports within the PVLAN. Broadcasts are forwarded only between
associated community ports and the promiscuous port.
Isolated and community ports are secondary VLANs. Every secondary PVLAN is mapped to one
primary PVLAN. A primary VLAN carries traffic from promiscuous ports to isolated, community,
and other promiscuous ports. A PVLAN will only have one primary VLAN, but may have several
secondary VLANS.
In a switched environment, assign an individual private VLAN and associated IP subnet to each
individual or common group of workstations. The workstations only need to communicate with a
default gateway to gain access outside the private VLAN. When implementing private VLANs,
consider the following:
You can configure PVLANs and normal VLANs on the same switch.
PVLANs cannot include VLAN 1 or VLANs 1002-1005.
You can only designate a VLAN as a PVLAN if that VLAN has no current access port
assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.
Do not configure PVLAN ports as EtherChannels.
If you delete a VLAN that you use in the PVLAN configuration, the ports that associate
with the VLAN become inactive.
You can extend PVLANs across switches with the use of trunks. You must set VLAN
Trunk Protocol (VTP) mode to transparent.
Note: You must manually enter the same PVLAN configuration on every switch because
VTP in transparent mode does not propagate this information.
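The forwarding rules between promiscuous, isolated and community ports are easy to get backwards when writing a test plan. The following Python predicate is an added example, not part of the study notes: it encodes the rules stated above for ports within one primary PVLAN and derives the set of ports that receive a broadcast from each port type. The port and community names are made up.

```python
# Added example (not from the study notes): the private VLAN forwarding rules
# as a predicate, plus the set of ports that receive a broadcast. Port names
# and community names are made up.

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PvlanPort:
    def __init__(self, name, kind, community=None):
        assert kind in (PROMISCUOUS, ISOLATED, COMMUNITY)
        assert (community is not None) == (kind == COMMUNITY)
        self.name, self.kind, self.community = name, kind, community


def pvlan_allows(src, dst):
    """True if a frame from src may be delivered to dst within one primary PVLAN."""
    if src is dst:
        return False
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                       # promiscuous ports talk to every port
    if src.kind == dst.kind == COMMUNITY:
        return src.community == dst.community
    return False                          # isolated<->anything else, community A<->community B


def broadcast_receivers(ports, src):
    """Ports that receive a broadcast sent by src; Layer 2 isolation applies."""
    return sorted(p.name for p in ports if pvlan_allows(src, p))


def pvlan_demo():
    gw = PvlanPort("Gi0/1", PROMISCUOUS)                  # default gateway / management
    web1 = PvlanPort("Fa0/1", COMMUNITY, "web")
    web2 = PvlanPort("Fa0/2", COMMUNITY, "web")
    db = PvlanPort("Fa0/3", COMMUNITY, "db")
    guest1, guest2 = PvlanPort("Fa0/10", ISOLATED), PvlanPort("Fa0/11", ISOLATED)
    ports = [gw, web1, web2, db, guest1, guest2]
    return {
        "guest_to_guest": pvlan_allows(guest1, guest2),
        "guest_to_gateway": pvlan_allows(guest1, gw),
        "web_to_web": pvlan_allows(web1, web2),
        "web_to_db": pvlan_allows(web1, db),
        "gateway_broadcast": broadcast_receivers(ports, gw),
        "guest_broadcast": broadcast_receivers(ports, guest1),
        "web_broadcast": broadcast_receivers(ports, web1),
    }


if __name__ == "__main__":
    for k, v in pvlan_demo().items():
        print(k, v)
```

Note what the model does not enforce: isolation is a Layer 2 property only. Two isolated hosts can still reach each other through the promiscuous gateway if the router forwards between them, so the gateway needs an ACL (or local-proxy-ARP disabled) to keep the separation at Layer 3.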
Switch Hardening
As you study this section, answer the following questions:
Why should you disable CDP on all interfaces with a connection outside the network?
How does a banner with a warning that displays when a user logs into the router protect the
network?
What different ways can you use to secure passwords?
What processes can you use to control remote access?
602.Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.
Area                  Description
Physical security     Keep switches in a locked room or wiring closet. Anyone with physical access can
                      use the console port and the password recovery procedure to take control of the
                      device, so every other control in this table depends on this one.
Secure passwords      o Set the enable secret password instead of the enable password. Make sure
                        that the two passwords are different.
                      o Use the service password-encryption command to encrypt other passwords in
                        the configuration file. This provides only a low level of security (type 7
                        encoding), and the passwords can be easily broken.
Banner                Use the banner command to provide a warning banner to users who try to log into
                      the device. Be aware of the following:
                      o The banner should state that access is restricted to authorized users and that
                        activity may be monitored; it is a legal notice, not a technical control.
                      o Do not include words such as "welcome", or details such as the device model,
                        location or owner that would help an attacker.
Unused services       Disable services the switch does not need (for example, the HTTP server
                      described below) so that they cannot be used to gain access or to cause a DoS.
Console password      Set the password with the password command, and require it with the login
                      command, while in line configuration mode (for either console or VTY access).
                      This will prevent access to the console when someone gains physical access to
                      the device.
Secure SNMP           SNMPv3 provides the following, which earlier versions lack:
                      o Message integrity, or ensuring that a packet has not been tampered with in
                        transit.
                      o Authentication, or determining that the message is from a valid source.
                      o Encryption, or scrambling the contents of a packet to prevent it from being
                        seen by an unauthorized source.
                      Use SNMPv3 with an encrypted password and an ACL to limit SNMP to only trusted
                      workstations and subnets.
Unused ports          Use the shutdown command on all unused interfaces. This will disable the
                      interface and prevent a connection if someone were to gain physical access to a
                      device with unused ports.
Secure STP topology   Use the following features to prevent changes in the STP topology:
                      o BPDU Guard on access ports: the port is error-disabled if a BPDU is received.
                      o Root Guard on ports that should never lead toward the root bridge: the port is
                        blocked if it receives a superior BPDU.
CDP                   Use no cdp run on the device or no cdp enable on an interface to avoid sharing
                      information about the Cisco device with neighboring devices. This helps to reduce
                      exposure due to reconnaissance attacks.
AAA                   The three main components of access control are referred to as AAA:
                      o Authentication: verifying who the user is.
                      o Authorization: controlling what the authenticated user is allowed to do.
                      o Accounting: recording what the user did.
                      RADIUS and TACACS+ servers provide these services to the switch. Terminal
                      Access Controller Access Control System Plus (TACACS+) is an alternative to
                      RADIUS that separates the authentication, authorization, and accounting
                      functions, so each can be handled and granted independently.
                      802.1X is an IEEE protocol that defines client/server access control and
                      authentication to restrict unauthorized clients from connecting to a LAN
                      through accessible ports.
                      Note: Be careful when configuring AAA because you may lock yourself out of the
                      switch, which would require you to initiate the password recovery sequence to
                      return the switch to an accessible state.
Access lists          Use access lists to control incoming or outgoing traffic based on criteria such as
                      source and destination address, protocol, and port number. Apply an access-class
                      to the VTY lines to restrict which addresses may manage the switch remotely.
HTTP server           The Cisco IOS provides an HTTP server to configure the device via a web
                      interface. The recommendation is to disable the feature because a user may gain
                      access and make configuration changes or send multiple HTTP requests resulting
                      in a DoS-type attack. Use the no ip http server command while in global
                      configuration mode to disable the server.
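Most of the items in the table above can be checked mechanically from the text of a running-config. The following Python audit is an added example, not part of the study notes or of any Cisco tool: it runs a set of heuristic checks over two constructed configurations, one weak and one hardened. The checks only report what is absent from the configuration text (a present `no cdp run`, a configured `enable secret`, a `shutdown` under an otherwise empty interface), not whether the device is actually secure, and both sample configurations are made up.

```python
import re

# Added example (not from the study notes): a heuristic audit of a running-config
# against the hardening items in the table above. Both configurations below are
# constructed for the demonstration; the checks report what is missing from the
# text, not whether the switch is actually secure.

WEAK_CONFIG = """\
enable password cisco
ip http server
snmp-server community public RO
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 shutdown
!
line con 0
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
enable secret 5 $1$k3Rz$Q8gkF7qJx2v9p0yYzAbCd1
service password-encryption
aaa new-model
no ip http server
no cdp run
spanning-tree portfast bpduguard default
banner motd ^C Unauthorized access is prohibited and monitored. ^C
snmp-server group ops v3 priv access 10
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 shutdown
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
"""


def blocks(config, prefix):
    """Group the indented sub-commands under each top-level '<prefix> ...' command."""
    found, current = {}, None
    for line in config.splitlines():
        if line.startswith(prefix + " "):
            current = line[len(prefix) + 1:]
            found[current] = []
        elif line.startswith(" ") and current is not None:
            found[current].append(line.strip())
        else:
            current = None
    return found


def audit_config(config):
    """Return the list of hardening findings for one configuration text."""
    def present(pattern):
        return re.search(pattern, config, re.M) is not None

    f = []
    if not present(r"^enable secret "):
        f.append("no enable secret configured")
    if present(r"^enable password "):
        f.append("enable password present: remove it or make sure it differs from the secret")
    if not present(r"^service password-encryption$"):
        f.append("service password-encryption not set: line passwords stored in clear text")
    if not present(r"^banner (motd|login) "):
        f.append("no warning banner")
    if present(r"^ip http server$"):
        f.append("HTTP server enabled: use no ip http server")
    if not present(r"^no cdp run$"):
        f.append("CDP running globally: no cdp run, or no cdp enable on external links")
    if present(r"^snmp-server community "):
        f.append("SNMPv1/v2c community configured: use SNMPv3 with an ACL")
    if not present(r"^aaa new-model$"):
        f.append("AAA not enabled")
    if not present(r"^spanning-tree portfast bpduguard default$"):
        f.append("BPDU guard not enabled on PortFast ports")
    for name, sub in blocks(config, "line").items():
        if not any(s.startswith("password") for s in sub):
            f.append("line %s: no password" % name)
        if name.startswith("vty") and not any(s.startswith("access-class") for s in sub):
            f.append("line %s: no access-class limiting remote management" % name)
    for name, sub in blocks(config, "interface").items():
        if not sub:
            f.append("%s: unconfigured and not shut down (unused port?)" % name)
    return f


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("-", finding)
```

Run against a real `show running-config`, the unused-port rule will produce noise on interfaces that carry only default settings; treat it as a list of ports to review, not as a verdict.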
Wireless Overview
As you study this section, answer the following questions:
501.Describe the components and operations of WLAN topologies (i.e., AP and Bridge).
Wireless Facts
Wireless networks use radio waves for data transmission instead of electrical signals on Ethernet
cables. In order to use radio waves as the medium for transmission, specific characteristics of radio
waves are defined:
Characteristic      Description
Frequency range     Many radio devices operate within a specified frequency range which limits the
or band             frequencies on which they are allowed to transmit. In the United States, radio
                    frequency wireless LANs use one of two frequency ranges defined by the FCC:
                    o The 2.4 GHz band (used by 802.11b, 802.11g and 802.11n).
                    o The 5 GHz band (used by 802.11a and 802.11n).
Channel             The frequency range is divided into segments called channels. Wireless
                    networking channels are much like television channels, where each channel allows
                    for separate data transmission. However, channels within the range overlap with
                    adjacent channels. By using specific channels and not others, you can ensure that
                    the channels do not overlap, eliminating interference caused by wireless devices
                    operating on different channels.
                    o In the 5 GHz range, there are 23 total channels, 12 of which are
                      non-overlapping channels.
                    o In the 2.4 GHz range, there are 11 total channels, with 3 non-overlapping
                      channels (1, 6, and 11).
Modulation          When a device sends data over a wireless network, it changes (or modulates) the
technique           radio signal's characteristics. The three common modulation techniques used in
                    wireless networking are:
                    o Frequency Hopping Spread Spectrum (FHSS), used by the original 802.11.
                    o Direct Sequence Spread Spectrum (DSSS), used by 802.11b.
                    o Orthogonal Frequency Division Multiplexing (OFDM), used by 802.11a, 802.11g
                      and 802.11n.
Wireless networks use Carrier Sense, Multiple Access/Collision Avoidance (CSMA/CA) to control
media access and avoid (rather than detect) collisions. CSMA/CA uses the following process:
1. The sending device listens to make sure that no other device is transmitting. If another
device is transmitting, the device waits a random period of time (called a backoff period)
before attempting to send again.
2. If no other device is transmitting, the sending device broadcasts a Request-to-send (RTS)
message to the receiver or access point. The RTS includes the source and destination, as
well as information on the duration of the requested communication.
3. The receiving device responds with a Clear-to-send (CTS) packet. The CTS also includes
the communication duration period. Other devices use the information in the RTS and CTS
packets to delay attempting to send until the communication duration period (and
subsequent acknowledgement) has passed.
4. The sending device transmits the data. The receiving device responds with an
acknowledgement (ACK). If an acknowledgement is not received, the sending device
assumes a collision and retransmits the affected packet.
5. After the time interval specified in the RTS and CTS has passed, other devices can start the
process again to attempt to transmit.
Note: Using RTS and CTS (steps 2 and 3 above) is optional and depends on the capabilities of the
wireless devices. Without RTS/CTS, collisions are more likely to occur.
Wireless communication operates in half-duplex (shared, two-way communication). Devices can
both send and receive, but not at the same time. Devices must take turns using the transmission
channel. Typically, once a party begins receiving a signal, it must wait for the transmitter to stop
transmitting before replying.
The image below illustrates several natural causes that impact broadcasted radio waves:
Absorption occurs when radio waves are absorbed by an object, such as a wall or furniture.
Reflection occurs when radio waves bounce off objects, such as metal or glass surfaces.
Scattering occurs when radio waves strike an uneven surface and are reflected in many
directions.
Refraction occurs when radio waves pass through objects and change direction, such as
glass surfaces.
Multipath occurs when radio waves are echoed off a physical object, creating two signals
received at the same detector. The signals arrive at the detector out of phase with each other
because one signal traveled a different length.
Diffraction occurs when radio waves strike sharp edges, such as external corners for
buildings, and the waves are bent.
Mode             Description
Ad Hoc           An ad hoc network works in peer-to-peer mode. The wireless NICs in each host
                 communicate directly with one another, without an access point; this is also called
                 an Independent Basic Service Set (IBSS). You will typically only use an ad hoc
                 network to create a direct, temporary connection between two hosts.
Infrastructure   An infrastructure wireless network employs an access point (AP) that functions like
                 a hub on an Ethernet network. With an infrastructure network, all traffic between
                 wireless hosts, and between wireless hosts and the wired network, passes through the
                 AP. You should implement an infrastructure network for all but the smallest of
                 wireless networks.
The following diagram shows a sample enterprise wireless network operating in infrastructure
mode:
The various components of a wireless network are described in the following table.
Component Description
Station (STA)
Access Point (AP): An access point (AP), sometimes called a wireless access point, is the
device that coordinates all communications between wireless devices as well as the
connection to the wired network. It acts as a hub on the wireless side and a bridge on the
wired side. It also synchronizes the stations within a network to minimize collisions.
Basic Service Set (BSS): A BSS, also called a cell, is the smallest unit of a wireless
network. All devices in the BSS can communicate with each other. The devices in the BSS
depend on the operating mode:
Independent Basic Service Set (IBSS)
Extended Service Set (ESS): An ESS consists of multiple BSSs with a distribution system
(DS). The graphic above is an example of an ESS.
Distribution System (DS): The distribution system (DS) is the backbone or LAN that connects
multiple APs (and BSSs) together. The DS allows wireless clients to communicate with the
wired network and with wireless clients in other cells.
Term Description
Service Set Identifier (SSID): The Service Set Identifier (SSID), also called the network
name, groups wireless devices together into the same logical network.
All devices on the same network (within the BSS and ESS) must have the same SSID.
The SSID is a 32-bit value that is inserted into each frame. The SSID is case-sensitive.
The SSID is sometimes called the BSS ID (Basic Service Set ID) or the ESS ID (Extended
Service Set ID). In practice, each term means the same thing.
Access points can be organized in a mesh topology known as a wireless mesh network. The
wireless mesh network is a coverage area of access points working as a single network. Access to
the mesh is dependent on the access points working in harmony with each other to create the
network. A wireless mesh network is reliable and offers redundancy. When placing access points in
a wireless mesh network, Cisco's Adaptive Wireless Path Protocol (AWPP) establishes an optimal
path to a wired gateway. AWPP details include the following:
AWPP dynamically discovers neighboring radios and calculates the quality of all possible
paths to the wired network.
The calculations are continuously updated, allowing network connectivity and paths to
change as the traffic patterns on wireless links change.
The ability of AWPP to quickly adapt to changing links eliminates any single point of
failure and increases the network's reliability.
Directional antenna:
o Creates a narrow, focused signal in a particular direction.
o The focused signal provides greater signal strength, increasing the transmission distance.
o Provides a stronger point-to-point connection, which is better equipped to handle
obstacles.
o Can be highly directional or semi-directional.
Omni-directional antenna:
o Disperses the RF wave in an equal 360-degree pattern.
o Provides access to clients in all directions within its radius.
Organization Details
International Telecommunication Union Radiocommunications Sector (ITU-R)
Wi-Fi Alliance
The original 802.11 specification operated in the 2.4 GHz range and provided up to 2 Mbps.
Additional IEEE subcommittees have further refined wireless networking. Three of the most
common standards as well as a new standard in draft stage are listed in the following table:
Specification     802.11a         802.11b                  802.11g                           802.11n
Frequency         5 GHz (U-NII)   2.4 GHz                  2.4 GHz                           2.4 GHz or 5 GHz
Speed             54 Mbps         11 Mbps                  54 Mbps                           600 Mbps
Distance          --              300 Ft.                  300 Ft.                           1200 Ft.
Channels          23 (12)         11 (3)                   11 (3)                            --
(non-overlapped)
Modulation        OFDM            DSSS, CCK, DQPSK, DBPSK  OFDM (plus DSSS, CCK, DQPSK,      --
technique                                                  DBPSK for 802.11b compatibility)
Backwards         No              N/A                      With 802.11b                      With 802.11a/b/g,
compatibility                                                                                depending on implementation
The actual speed depends on several factors including distance, obstructions (such as walls),
and interference.
The actual maximum distance depends on several factors including obstructions, antenna
strength, and interference. For example, for communications in a typical environment (with
one or two walls), the actual distance would be roughly half of the maximums.
The speed of data transmission decreases as the distance between the transmitter and
receiver increases. In other words, in practice, you can get the maximum distance or the
maximum speed, but not both.
Some newer 802.11a or 802.11g devices provide up to 108 Mbps using 802.11n pre-draft
technologies (MIMO and channel bonding).
The ability of newer devices to communicate with older devices depends on the capabilities
of the transmit radios in the access point. For example:
Some 802.11n devices can transmit at either 2.4 GHz or 5 GHz. This means that the
radio is capable of transmitting at either frequency. However, a single radio cannot
transmit at both frequencies at the same time.
Most 802.11g devices can transmit using DSSS, CCK, DQPSK, and DBPSK for
backwards compatibility with 802.11b devices. However, the radio cannot transmit
using both DSSS and OFDM at the same time.
This means that when you connect a legacy device to the wireless network, all devices on
the network operate at the legacy speed. For example, connecting an 802.11b device to an
802.11n or 802.11g access point slows down the network to 802.11b speeds.
A dual band access point can use one radio to transmit at one frequency, and a different
radio to transmit at a different frequency. For example, you can configure many 802.11n
devices to use one radio to communicate at 5 GHz with 802.11a devices, and the remaining
radios to use 2.4 GHz to communicate with 802.11n devices. Dual band 802.11a and
802.11g devices are also available.
Multipath interference is less of an issue for OFDM implementations because multipath
fading is frequency-selective and OFDM spreads the data over many subcarriers.
o DSSS comprises a single signal, whereas OFDM comprises multiple signals.
o Multipath interference affects an entire DSSS signal, yet it affects only a subset of the
OFDM signals.
Note: Multiple antennas can also reduce multipath interference.
Security Description
Wired Equivalent Privacy (WEP): WEP is an optional component of the 802.11 specifications
and was deployed in 1997. WEP was designed to provide wireless connections with the same
security as wired connections. WEP has the following weaknesses:
Static pre-shared keys (PSK) were given to the access point and client and could not be
dynamically changed or exchanged without administration. As a result, every host on a
large network usually uses the same key.
Because it doesn't change, the key can be captured and easily broken.
The key values were short, making them easy to predict.
Cisco interim solution: Cisco's interim solution was deployed in 2001 to address the
problems of WEP. The solution included the following:
Wi-Fi Protected Access (WPA): WPA is the implementation name for wireless security based
on initial 802.11i drafts and was deployed in 2003. It was intended as an intermediate
measure to take the place of WEP while a fully secured system (802.11i) was prepared.
Wi-Fi Protected Access 2 (WPA2) or 802.11i: Note: WPA2 has the same advantages over WEP
as WPA. While more secure than WPA, its main disadvantage is that it requires new hardware
for implementation.
Authentication on a wireless network is provided by one of the following methods.
Method Description
Open: Open authentication requires that clients provide a MAC address to connect to the
wireless network. Access can be controlled on a limited basis by performing MAC address
filtering, where only devices whose addresses are listed can connect. Because MAC
addresses are easily spoofed, this provides little practical security.
Shared secret: Shared secret authentication, also called pre-shared key authentication,
configures clients and access points with a shared key (or password). Only devices with the
correct shared key can connect to the wireless network.
802.1x: 802.1x is an authentication standard for wired Ethernet networks that allows for
user authentication. The 802.1x standards have been adapted for use in wireless networks to
provide secure authentication. 802.1x authentication requires the following components:
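The WEP/WPA/WPA2 table and the authentication table above together give the criteria an
administrator would use to judge a wireless profile. The following audit script is an added
example, not code from the course notes or from Cisco; the WlanProfile model, the severity
names, the audit functions and the four sample profiles are all constructed for this example
and do not correspond to any Cisco configuration syntax. It flags the weak settings the notes
describe (WEP's static short keys, open authentication with MAC filtering only, a single
shared secret, interim WPA) and produces the corrected form the notes point to (WPA2/802.11i
with 802.1x user authentication).

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed data model for this example. The field values mirror the
# encryption (WEP/WPA/WPA2) and authentication (open/shared/802.1x)
# categories in the notes, not any real controller or IOS configuration.
@dataclass(frozen=True)
class WlanProfile:
    ssid: str
    encryption: str       # "none", "wep", "wpa" or "wpa2"
    authentication: str   # "open", "shared" or "802.1x"
    mac_filtering: bool = False

SEVERITY_RANK = {"ok": 0, "medium": 1, "high": 2, "critical": 3}

def audit_profile(profile: WlanProfile) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one profile, most severe first."""
    findings: list[tuple[str, str]] = []

    enc = profile.encryption
    if enc == "none":
        findings.append(("critical", "no encryption: frames are readable by any station in range"))
    elif enc == "wep":
        findings.append(("critical", "WEP: a short, static key shared by every host can be captured and broken"))
    elif enc == "wpa":
        findings.append(("medium", "WPA: interim 802.11i draft; plan a migration to WPA2/802.11i"))
    elif enc != "wpa2":
        raise ValueError(f"unknown encryption {enc!r}")

    auth = profile.authentication
    if auth == "open":
        if profile.mac_filtering:
            findings.append(("high", "open authentication with MAC filtering only: MAC addresses are easily spoofed"))
        else:
            findings.append(("high", "open authentication: any station may associate"))
    elif auth == "shared":
        findings.append(("medium", "shared secret: one pre-shared key on every client cannot be changed without administration"))
    elif auth != "802.1x":
        raise ValueError(f"unknown authentication {auth!r}")

    # Most severe finding first, stable for equal severities.
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]], reverse=True)
    return findings

def worst_severity(profile: WlanProfile) -> str:
    findings = audit_profile(profile)
    return findings[0][0] if findings else "ok"

def hardened(profile: WlanProfile) -> WlanProfile:
    """The corrected form the notes recommend: WPA2/802.11i with 802.1x user authentication."""
    return WlanProfile(profile.ssid, "wpa2", "802.1x", profile.mac_filtering)

# Constructed sample profiles (not taken from any real network).
SAMPLE_PROFILES = [
    WlanProfile("legacy-guest", "wep", "open", mac_filtering=True),
    WlanProfile("kiosk", "none", "open"),
    WlanProfile("staff-psk", "wpa2", "shared"),
    WlanProfile("corp-dot1x", "wpa2", "802.1x"),
]

def audit_all(profiles=SAMPLE_PROFILES) -> dict[str, str]:
    """Map each SSID to the severity of its worst finding."""
    return {p.ssid: worst_severity(p) for p in profiles}

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print(f"{p.ssid}: {worst_severity(p)}")
        for sev, msg in audit_profile(p):
            print(f"  [{sev}] {msg}")
        fixed = hardened(p)
        print(f"  hardened -> {fixed.encryption}/{fixed.authentication}: {worst_severity(fixed)}")
```

Running the script lists each constructed profile with its findings and shows that the
hardened form of every profile audits clean; the legacy-guest profile illustrates why MAC
filtering on top of WEP does not change the verdict.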
What is the difference between an autonomous access point and a lightweight access point?
How does a WLAN controller communicate with a lightweight access point?
What type of traffic is encrypted and encapsulated between a lightweight access point and a
WLAN controller?
What WLAN management devices are found within a Unified Wireless Network
infrastructure?
What is the process used by the lightweight access point to associate with a WLAN
controller?
What are the benefits of using ADU profiles?
When does a client begin to roam to another access point?
What does it mean when the ADU tray icon is red?
How can you enable AES with the ADU?
In what order should multiple WEP keys be configured on wireless devices?
502. Describe the features of Client Devices, Network Unification, and Mobility Platforms
(i.e., CCX, LWAPP).
503. Configure a wireless client (i.e., ADU).
Device Description
Wireless LAN Controller (WLAN controller): The Cisco Wireless LAN Controller (WLAN
controller) is a network device which centrally controls wireless functions in the LAN. The
WLAN controller allows the network administrator to manage the wireless network from one
centralized console. Management functions include the following:
Autonomous Access Point
Client adapters
Wireless Bridge: Bridges must maintain a line of sight, known as the Fresnel zone. If the
Fresnel zone is obstructed, then the line of sight is not clear and the link might be
unreachable.
The following are WLAN management devices found within a Unified Wireless Network
infrastructure:
Cisco Wireless Control System (WCS) is a platform for wireless LAN planning,
configuration, management, and troubleshooting. The WCS is recommended when two or
more WLAN controllers are deployed in the network.
Cisco Wireless Services Module (WiSM) is a WLAN controller services module for the
Cisco Catalyst 6500 Series modular switches and Cisco 7600 Series routers. The WCS can
control the WiSM.
Cisco Wireless LAN Controller Module (WLCM) is also a controller module, but for small
to medium business networks. The WCS can control the WLCM.
CiscoWorks Wireless LAN Solution Engine (WLSE) is a control engine which centrally
manages autonomous access points. The WLSE can be converted to a WCS to manage
LAPs.
In the Cisco Unified Wireless Network, clients should have the Cisco Aironet Desktop Utility
(ADU) installed on the local or client machine. The ADU is a GUI diagnostic and configuration
utility. The ADU organizes wireless client adapter configuration settings in a profile. Profile details
include the following:
Among many ADU configurations, there are two parameters that affect the client's roaming
capabilities between multiple access points:
BSS aging interval is the amount of time (in seconds) that the ADU keeps an access point in
its roaming scan list after it can no longer communicate to that device. The higher the value,
the greater the number of access points to which the client may roam.
Scan valid interval is the amount of time (in seconds) before the ADU starts scanning for a
better access point after reaching a low signal strength threshold or missing beacons. The
higher the value, the less time the client spends scanning for a better access point and the
more time it has to send data.
Note: The client does not scan for a new access point as long as it has a good connection
and is passing data. The client stays connected to an access point as long as it can. However,
when the transfer of data packets needs to be retried or beacons are missed, the station
automatically searches for and associates to another access point. This process is referred to
as seamless roaming.
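The two roaming parameters and the note above describe a small state machine: a scan list
whose entries age out after the BSS aging interval, and a scan that starts only once the
signal has stayed below the threshold (or beacons have been missed) for the scan valid
interval. The simulation below is an added example, not code from the course notes or from
Cisco's ADU; the RoamingClient class, its method names, the 0 to 100 signal scale, the
threshold and the timings are all constructed for this example. It lets you see how raising
the BSS aging interval keeps more candidate access points available and how the scan valid
interval delays the switch.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApObservation:
    bssid: str
    signal: int        # constructed 0..100 scale, higher is stronger
    last_seen: float   # seconds on the client's clock

class RoamingClient:
    """Minimal model of the ADU roaming scan list described in the notes (constructed)."""

    def __init__(self, bss_aging_interval: float, scan_valid_interval: float,
                 low_signal_threshold: int):
        self.bss_aging_interval = bss_aging_interval      # seconds an unheard AP stays listed
        self.scan_valid_interval = scan_valid_interval    # seconds of poor signal before scanning
        self.low_signal_threshold = low_signal_threshold
        self.scan_list: dict[str, ApObservation] = {}
        self.associated: Optional[str] = None
        self.degraded_since: Optional[float] = None

    def hear_beacon(self, bssid: str, signal: int, now: float) -> None:
        """Record (or refresh) an access point heard at time `now`."""
        self.scan_list[bssid] = ApObservation(bssid, signal, now)

    def associate(self, bssid: str) -> None:
        self.associated = bssid
        self.degraded_since = None

    def age_scan_list(self, now: float) -> list[str]:
        """Drop APs not heard within bss_aging_interval; return the surviving BSSIDs."""
        stale = [b for b, o in self.scan_list.items()
                 if now - o.last_seen > self.bss_aging_interval]
        for b in stale:
            del self.scan_list[b]
        return sorted(self.scan_list)

    def should_scan(self, now: float, current_signal: int, missed_beacon: bool = False) -> bool:
        """True once the link has been degraded for at least scan_valid_interval seconds."""
        degraded = missed_beacon or current_signal < self.low_signal_threshold
        if not degraded:
            self.degraded_since = None       # good link: the client stays put and keeps sending data
            return False
        if self.degraded_since is None:
            self.degraded_since = now
        return now - self.degraded_since >= self.scan_valid_interval

    def update(self, now: float, current_signal: int, missed_beacon: bool = False) -> Optional[str]:
        """One tick of the client: maybe scan, maybe roam; returns the associated BSSID."""
        if not self.should_scan(now, current_signal, missed_beacon):
            return self.associated
        self.age_scan_list(now)
        others = [o for o in self.scan_list.values() if o.bssid != self.associated]
        if not others:
            return self.associated           # nothing to roam to; keep the current AP
        best = max(others, key=lambda o: o.signal)
        if best.signal > current_signal:
            self.associate(best.bssid)       # seamless roam to the stronger AP
        return self.associated

if __name__ == "__main__":
    client = RoamingClient(bss_aging_interval=5, scan_valid_interval=2, low_signal_threshold=40)
    client.hear_beacon("AP1", 80, now=0)
    client.associate("AP1")
    client.hear_beacon("AP2", 70, now=1)
    for t, sig in [(3, 30), (4, 30), (5, 30)]:
        if t == 4:
            client.hear_beacon("AP2", 70, now=4)
        print(f"t={t}s signal={sig}: associated to {client.update(t, sig)}")
```

With the constructed timings the client reports AP1 at t=3 and t=4 (the signal is poor but
the 2-second scan valid interval has not elapsed) and switches to AP2 at t=5; a client with a
shorter aging interval would already have dropped AP2 from its list if its beacons had stopped.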
The Cisco ADU has a tray icon which displays status of the wireless signal received from the
access point and if the client is authenticated. Be aware of the following ADU tray icons and what
they represent:
Icon Description
A white icon indicates that the client adapter's radio is disabled.
A dark gray icon indicates that the client adapter is not associated to an access point (in
infrastructure mode) or another client (in ad hoc mode).
A light gray icon indicates that the client adapter is associated to an access point (in
infrastructure mode) or another client (in ad hoc mode) but the user is not EAP authenticated.
A green icon indicates that the client adapter is associated to an access point (in infrastructure
mode) or another client (in ad hoc mode), the user is authenticated if the client adapter is
configured for EAP authentication, and the signal strength is excellent or good.
A yellow icon indicates that the client adapter is associated to an access point (in
infrastructure mode) or another client (in ad hoc mode), the user is authenticated if the client
adapter is configured for EAP authentication, and the signal strength is fair.
A red icon indicates that the client adapter is associated to an access point (in infrastructure
mode) or another client (in ad hoc mode), the user is authenticated if the client adapter is
configured for EAP authentication, and the signal strength is poor.