
1.1 Configure and verify switch administration


Saturday, December 10, 2016 10:52 AM

1.1.a SDM templates


Switch Database Management (SDM) is used to configure system resources in a switch to make it better suited for
certain functions in a network. SDM makes use of the Ternary Content Addressable Memory (TCAM) to allocate
resources for certain features. The following templates can be used to optimize for certain situations.

- Default. The default template gives a balance to all functions.
- Access. The access template maximizes system resources for access control lists, to accommodate a large number
of ACLs.
- Routing. The routing template maximizes system resources for IPv4 unicast routing, typically required for a router
or aggregator in the center of a network.
- VLANs. The VLAN template disables routing in hardware and supports the maximum number of unicast MAC
addresses. It would typically be selected for a Layer 2 switch.
- Dual Stack. By default, IPv6 is not supported on a switch with the default SDM template active. To enable IPv6
capabilities on the device, one of the three following dual-stack templates should be enabled:
    - Default. More space is reserved for IPv6 routing and security. There is less reserved space for L2 unicast.
    - Routing. More space is reserved for IPv6 routing than for IPv4 routing.
    - VLANs. Suitable when you are running a dual-stack environment with lots of VLANs.

There are two versions of each template: a desktop one and an aggregator one. Aggregator templates are used by
default on switches that support larger TCAM sizes. All other switches use the desktop version. Note that the keyword
"desktop" must be given explicitly, otherwise the aggregator version is used on switches that support it. In a stack, all
switches use the same template, which is stored on the stack master. When a new switch is added, its individual SDM
template is overridden by the master's.

Templates should not be changed without good reason. One such reason is when the current resources are not being
used properly. To verify the current use of resources and how much of each resource can be used, try:

Switch# show platform tcam utilization

To select a preferred template (a reload of the switch is needed afterwards):

Switch(config)# sdm prefer [template]
Switch# reload

To verify what template is in use:

Switch# show sdm prefer

1.0 Layer 2 Technologies Pagina 1


It will also show the template that will be active after a reboot if it was changed.

1.1.b Managing MAC address table


MAC addresses are standardized data link layer addresses that are required for every port or device that connects to a
LAN. Other devices in the network use these addresses to locate specific ports in the network and to build forwarding
tables and data structures. The IEEE 802.3 standard defines a basic data frame format that is required for all MAC
implementations.



When a frame is sent through the switch, the switch inspects the source and destination MAC addresses. If the source
is not known, an entry is made in the CAM table for future reference, so that it is known behind which port a certain
MAC address lives, plus a timestamp for when it was learned. If a known source MAC address is later learned behind
another port, the entry is changed and the old entry is deleted. The destination MAC address is then checked against
that same CAM table to see where the frame should go. There are three possibilities:

- The MAC address is known, and the frame is sent out of the corresponding port. This is called forwarding.
- The MAC address is unknown. The frame is sent out of every port except the port it was received on. This is called
flooding.
- The port found in the CAM table is the same port the frame was received on. Nothing needs to be done, so the
frame is discarded. This is called filtering.

A CAM table can hold a lot of MAC addresses, but not always all of them. Therefore it is a good idea to set an aging
timer, so that entries that have not been heard from for a while are deleted. By default, an entry is deleted after 300 seconds.

NOTE! The learning process for finding mac-addresses and binding them to ports in a table is only done for ports when
STP has deemed them stable for normal use.

Switch(config)# mac address-table aging-time [seconds]

By default addresses are learnt dynamically, but you can also add static entries.

Switch(config)# mac address-table static [mac-address] vlan [vlan-id] interface [type mod/num]

Verify:

Switch# show mac address-table count


Switch# show mac address-table dynamic [address]
Switch# clear mac address-table dynamic [address]

It is possible for a device to move between ports when it has been disconnected and reconnected. It's also possible that
there is a loop in the network. To make this easier to spot, you can enable MAC move notifications. A syslog message is
then generated whenever a MAC address moves between ports.

Switch(config)# mac-address-table notification mac-move
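The learning, forwarding, flooding, filtering, aging and MAC-move behaviour described in this section, as an added illustration written for these notes (it is not Cisco code; the class and function names, and the frames in demo(), are constructed for the example):

```python
# Added illustration for these notes (not Cisco code): a toy CAM table that
# learns source MACs, forwards/floods/filters, ages entries out after the
# 300-second default, and logs MAC moves the way
# 'mac-address-table notification mac-move' would.  Names and the frames in
# demo() are assumptions/constructed for the example.
from dataclasses import dataclass, field

DEFAULT_AGING_SECONDS = 300  # IOS default aging time quoted in the notes


@dataclass
class CamEntry:
    port: str
    learned_at: float  # timestamp kept for aging


@dataclass
class CamTable:
    aging_time: int = DEFAULT_AGING_SECONDS
    entries: dict = field(default_factory=dict)   # mac -> CamEntry
    syslog: list = field(default_factory=list)    # MAC-move notifications

    def age_out(self, now: float) -> None:
        """Delete entries that have not been refreshed within aging_time."""
        expired = [m for m, e in self.entries.items()
                   if now - e.learned_at >= self.aging_time]
        for mac in expired:
            del self.entries[mac]

    def learn(self, src_mac: str, port: str, now: float) -> None:
        """Source-address learning.  A MAC seen behind a different port
        replaces the old entry and raises a syslog-style notification."""
        old = self.entries.get(src_mac)
        if old is not None and old.port != port:
            self.syslog.append(f"MAC_MOVE {src_mac} from {old.port} to {port}")
        self.entries[src_mac] = CamEntry(port=port, learned_at=now)

    def decide(self, dst_mac: str, in_port: str, all_ports):
        """Destination lookup: returns (action, egress_ports)."""
        entry = self.entries.get(dst_mac)
        if entry is None:
            # unknown unicast: flood out of every port except the ingress one
            return "flood", [p for p in all_ports if p != in_port]
        if entry.port == in_port:
            # destination lives on the port the frame arrived on: drop it
            return "filter", []
        return "forward", [entry.port]

    def handle_frame(self, src_mac, dst_mac, in_port, all_ports, now):
        """Age, learn the source, then look up the destination."""
        self.age_out(now)
        self.learn(src_mac, in_port, now)
        return self.decide(dst_mac, in_port, all_ports)


def demo():
    """Constructed frame sequence showing all three outcomes, a MAC move and aging."""
    ports = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]
    a, b, c = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    cam = CamTable()
    results = [
        cam.handle_frame(a, b, "Gi1/0/1", ports, now=0),    # B unknown -> flood
        cam.handle_frame(b, a, "Gi1/0/2", ports, now=1),    # A known -> forward
        cam.handle_frame(c, b, "Gi1/0/2", ports, now=2),    # B on same port -> filter
        cam.handle_frame(b, a, "Gi1/0/3", ports, now=10),   # B moved -> notification
        cam.handle_frame(b, a, "Gi1/0/3", ports, now=400),  # A aged out -> flood again
    ]
    return results, cam.syslog, sorted(cam.entries)
```

The last frame in demo() shows why the aging timer matters: after 300 seconds without traffic from host A its entry is gone, so the next frame for A is flooded again until A speaks.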

1.1.c Troubleshoot Err-disable recovery


Ports are placed in the "err-disabled" state when an error is detected. There are many possible causes; a few of them
are ARP inspection, storm control and BPDU Guard. You can turn detection for a cause on (or off) with:

Switch(config)# [no] errdisable detect cause [all | cause-name]

To recover a port from this mode, you can either disable and enable the port, or do it automatically with error disable
recovery. By default, the timer to recover is 300 seconds.

Switch(config)# errdisable recovery cause [all | cause-name]

You can also change the timer for when the port should be recovered.

Switch(config)# errdisable recovery interval [seconds]

To troubleshoot err-disabled ports or to verify the configuration, use the following commands:

Switch# show interface status [err-disabled]


Switch# show errdisable detect
Switch# show errdisable recovery
Switch# show log


1.1.d CAM and TCAM


CAM and TCAM operations are not explicitly mentioned in the study guide, but are explained in the book. Here's a brief
explanation.

It was mentioned before, but when a switch receives a frame, it places the frame in an ingress queue and has to decide
what to do with it. To do this, the switch asks three questions:

1. Where should the frame be forwarded?
    - Layer 2 forwarding
2. Are there any restrictions preventing the forwarding of the frame?
    - Security ACLs: ACLs can be used to identify frames according to MAC addresses, protocol types (for non-IP
frames), IP addresses, protocols and L4 port numbers. The ternary content-addressable memory (TCAM)
contains ACLs in a compiled form, so that the decision whether to forward a frame can be made in a single
lookup.
3. Is there any prioritization or marking that needs to be applied to the frame?
    - QoS ACLs: Other ACLs can classify incoming frames according to quality of service (QoS) parameters in
outbound frames. The TCAM is also used to make these decisions in a single table lookup.

To answer the first question, the CAM table is used. It contains MAC addresses, destination ports, VLANs and the way a
certain entry was learned.

Switches use specialized hardware to house the CAM table. CAM supports two results per bit, 0 and 1, which makes it
well suited for exact-match lookups such as Layer 2 forwarding.

For questions two and three another form of memory is needed. TCAM provides three results per bit: 0, 1 and "don't
care". TCAM is most useful for building tables that are searched for longest matches, such as IP routing tables organized
by IP prefix. The TCAM stores ACL, QoS and other information generally associated with upper-layer processing. With
this in mind, applying ACLs no longer affects performance, since a TCAM lookup is just as fast as a normal CAM lookup.
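The difference between an exact-match CAM lookup and a ternary TCAM lookup, as an added example written for these notes (not Cisco code; the prefixes, next hops and ACL lines are constructed):

```python
# Added illustration of CAM (exact match) versus TCAM (ternary match with
# "don't care" bits).  Not Cisco code; all addresses, routes and ACL lines
# below are constructed for the example.
import ipaddress


def cam_lookup(table: dict, key: str):
    """CAM: every bit is 0 or 1, so a lookup is an exact-match hit or miss."""
    return table.get(key)


class TcamEntry:
    """One TCAM row: value bits, a mask saying which bits matter, and a result."""
    def __init__(self, value: int, mask: int, result: str):
        self.value, self.mask, self.result = value, mask, result

    def matches(self, key: int) -> bool:
        # bits where the mask is 0 are "don't care"
        return (key & self.mask) == (self.value & self.mask)

    @classmethod
    def from_prefix(cls, cidr: str, result: str):
        net = ipaddress.ip_network(cidr)
        return cls(int(net.network_address), int(net.netmask), result)


def tcam_lookup(entries, key: int):
    """Hardware compares every row in parallel and returns the highest-priority
    match; here that is the first matching row, so row order is the priority."""
    for e in entries:
        if e.matches(key):
            return e.result
    return None


def build_routing_tcam(routes):
    """Order prefixes longest-first so a single lookup yields the longest match."""
    entries = [TcamEntry.from_prefix(cidr, nh) for cidr, nh in routes]
    return sorted(entries, key=lambda e: bin(e.mask).count("1"), reverse=True)


def route(routes, dst_ip: str):
    return tcam_lookup(build_routing_tcam(routes), int(ipaddress.ip_address(dst_ip)))


def acl_decision(acl, src_ip: str):
    """Security ACL in TCAM: rows in ACL line order, implicit deny at the end."""
    entries = [TcamEntry.from_prefix(cidr, action) for cidr, action in acl]
    return tcam_lookup(entries, int(ipaddress.ip_address(src_ip))) or "deny"


# Constructed sample data
ROUTES = [("0.0.0.0/0", "10.0.0.1"), ("10.1.0.0/16", "10.0.0.2"), ("10.1.20.0/24", "10.0.0.3")]
ACL = [("10.1.20.0/24", "permit"), ("10.1.0.0/16", "deny"), ("0.0.0.0/0", "permit")]
```

The routing case sorts rows by prefix length before loading them, which is what lets the hardware return the longest match without a second pass; the ACL case keeps the administrator's line order, because there the first match must win.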



1.2 Configure and verify Layer 2 protocols
Saturday, December 10, 2016 10:54 AM

1.2.a CDP, LLDP


When you're not on site but still want to know what's on the other side of a cable, you can use CDP and/or LLDP
to obtain information about the remote device.

CDP

CDP is a Cisco proprietary protocol and only works between Cisco devices. It's enabled on all Cisco device interfaces by
default, and they all send out CDP advertisements every 60 seconds. This information is sent with the multicast MAC
address 01:00:0C:CC:CC:CC as the destination. Information received through these periodic messages is held for 180
seconds.

Note! CDP is a L2 protocol, so only the device on other side of the cable is learnt. That means that if
your router has a "direct" connection with another router based on the subnet, but a L2 switch is in
between, you will only see the data from the switch.

To display that received information, use:

Switch# show cdp neighbors [type member/module/number] [detail]

With this command the Cisco device platform model is displayed, along with the port identifier on
the connected device.

When the option "detail" is added, extra information is available like software release, duplex mode
and power requirements.



For security reasons you might want to disable CDP, since attackers might be able to obtain
knowledge of your network. To do this globally, use:

Switch(config)# no cdp run

To do this on a single interface, like an outside interface:

Switch(config-if)# [no] cdp enable

NOTE! It is advised to use CDP version 2 instead of version 1. It has a lot more features to obtain
information to decrease downtime. For example, CDPv2 has rapid error tracking that can give
information about native VLAN and duplex mismatches.

LLDP

The vendor-neutral counterpart of CDP is the open standard LLDP (IEEE 802.1AB). It works similarly to CDP, but is
disabled by default on Catalyst switches. To see if it's running, use:

Switch# show lldp

Enabling or disabling it globally can be done with:

Switch(config)# [no] lldp run

For just one interface, use:

Switch(config-if)# [no] lldp {receive | transmit}

LLDP works with Type-Length-Value (TLV) structures. Each TLV groups one kind of information, for example one for the
system name, one for the power requirements, and so on. To check this information, use:

Switch# show lldp neighbors [type member/module/number] [detail]
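How the TLV structures mentioned above are laid out on the wire, as an added example written for these notes (not Cisco or project code). The 7-bit type / 9-bit length header and the standard type numbers come from IEEE 802.1AB; the LLDPDU bytes are constructed by hand, not captured from a switch:

```python
# Added example, not code from the notes: build and parse the TLV list that
# carries LLDP information.  Header layout and type numbers are from IEEE
# 802.1AB; SAMPLE_LLDPDU is constructed for the example.
import struct

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Header is 16 bits: type in the top 7 bits, length in the low 9 bits."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes):
    """Walk the TLV list up to the End-of-LLDPDU TLV.  Unknown types are kept
    rather than dropped, which is how a device can record everything a neighbor
    advertises even when it does not understand all of it."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"truncated TLV of type {tlv_type}")
        value = data[offset:offset + length]
        offset += length
        tlvs.append((tlv_type, TLV_NAMES.get(tlv_type, "Unknown"), value))
        if tlv_type == 0:
            break
    return tlvs


def summarize(tlvs):
    """Pull out the fields 'show lldp neighbors' displays."""
    info = {}
    for tlv_type, _name, value in tlvs:
        if tlv_type == 1:
            info["chassis_id"] = value[1:].hex(":")   # byte 0 is the subtype
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode()      # byte 0 is the subtype
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:
            info["system_name"] = value.decode()
    return info


# Constructed LLDPDU: chassis ID (subtype 4 = MAC address), port ID
# (subtype 5 = interface name), TTL 120 s, system name, end marker.
SAMPLE_LLDPDU = (
    encode_tlv(1, b"\x04" + bytes.fromhex("0011223344ff"))
    + encode_tlv(2, b"\x05" + b"Gi1/0/24")
    + encode_tlv(3, struct.pack("!H", 120))
    + encode_tlv(5, b"access-sw-01")
    + encode_tlv(0, b"")
)
```

The parser checks that each declared length fits in the buffer before slicing, so a malformed or truncated advertisement is rejected instead of being read past its end.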



Here are a few important implementation features of LLDP:

- Unidirectional
- Only operates in advertising mode
- Does not solicit information or monitor state changes between LLDP nodes
- Uses an L2 multicast frame to notify neighbors of itself and its properties, sent to one of:
    01:80:c2:00:00:0e
    01:80:c2:00:00:03
    01:80:c2:00:00:00
    NOTE! The "01" at the start indicates that it's a multicast address
- Receives and records all information it gets about its neighbors

There is an important extension for LLDP called LLDP-MED, where MED stands for Media Endpoint
Discovery. This enhancement was designed with voice applications in mind and works as an
extension between endpoint and network devices. The most used features of LLDP-MED are:

- Auto-discovery of LAN policies to enable plug-and-play networking
- Device location discovery to create location databases
- Extended and automated PoE to endpoints
- Inventory management to allow administrators to track network devices and determine their
characteristics

1.2.b UDLD

UDLD (Unidirectional Link Detection) is a Cisco proprietary L2 protocol that enables devices to
monitor the physical status of links and detect unidirectional failures. UDLD is disabled by default,
except for fiber ports.

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only.
Normally the L1 mechanisms built into Ethernet prevent a link from coming up when it's not
functioning properly, but there are cases where L1 works fine while L2 does not, which results in
a unidirectional link. This can be a disaster for the network, since spanning tree might open up
the wrong port and cause a loop, or traffic is sent into a black hole.

NOTE! Unidirectional links are not very common. Most of the time they are caused by hardware
defects in SFPs or switches.

UDLD can operate in two modes:

- Normal. When a unidirectional link is detected, the port is allowed to continue its operation.
UDLD just marks the port as having an undetermined state. A syslog message is generated.
- Aggressive. When a unidirectional link is detected, the switch tries to reestablish the link. It
sends one message a second, for 8 seconds. If none of these messages are answered, the port
is placed in the error-disabled state. This is the recommended mode.

Cisco catalyst switches support UDLD on a per-port basis. However there is an option to enable
UDLD on fiber-optic ports globally.

Normal mode:

Switch(config)# udld enable

Aggressive mode:

Switch(config)# udld aggressive

To display the UDLD status of neighbors and specific interfaces:

Switch# show udld neighbors


Switch# show udld [interface]

To reset all interfaces that were shut down because of UDLD you can use:

Switch(config)# udld reset

To do this on a per-port basis, you can toggle the port with the shutdown command or enable
err-disable recovery:

Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 30



1.3 Configure and verify VLANs
Saturday, December 10, 2016 10:55 AM

1.3.a Access ports


To statically assign a switchport to a vlan, use the following command:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num

By default a Catalyst port is a switchport in the default VLAN, but on some devices the following
command is needed to make a port an L2 port:

Switch(config-if)# switchport

To verify in what vlan a port is, use:

Switch# show vlan [brief]

NOTE! When a port is placed in a VLAN and that VLAN is deleted, the port is brought down until it is
reassigned to another VLAN.

It is also possible to dynamically assign ports to a certain VLAN. This is done based on the MAC-
address of a user and the VLAN database. However this topic is not part of the exam.

1.3.b VLAN database


All normal VLANs are automatically stored in the VLAN database, along with a descriptive text string
defined by vlan-name. VTP uses this database within the network so that VLAN definitions can be
advertised and shared between switches over trunk links.

An important note is that this VLAN database does not support extended VLANs. When extended
VLANs are created, they are not stored in the database. This is not an issue as long as the switch
operates in transparent mode. However, when a switch with extended VLANs wants to work with
other switches over VTP, these VLANs will have to be deleted.

An "erase startup-config" does not affect the VLAN database. Use the following command to delete
the VLAN database.

Switch# delete vlan.dat

1.3.c Normal, extended VLAN, voice VLAN


To use a VLAN, it must be created on the switch if it does not already exist. By default, VLAN 1
already exists as the default VLAN, and VLANs 1002 to 1005 are used for legacy features. Catalyst
switches also support VLANs 1006 to 4094.

A normal VLAN is a VLAN with a number between 1 and 1005. It can be created with the following
commands (except for the default ones):

Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name

An extended VLAN is created the same way, just with a higher number. It is not saved to the VLAN
database, only to the running config.



A switchport may also be provisioned for both voice and data by enabling a voice VLAN on the port.
This is needed when a workstation is connected behind an IP phone.

Switch(config-if)# switchport voice vlan vlan-num

NOTE! When a voice VLAN is configured, portfast is automatically enabled on the interface, however
when the voice vlan is removed, portfast is not.

1.3.d Inter-VLAN Routing


This topic is not mentioned in the study guide, but it is explained in the books. Here's a brief
explanation.

Because VLANs isolate traffic to a defined broadcast domain and subnet, network devices in
different VLANs cannot communicate with each other natively. To communicate with a device in
another VLAN, a Layer 3 routing device is needed. A very common way to obtain routing is a
router-on-a-stick configuration. In that case, a trunk link is set up between the router and the
switch. On the router side of the trunk link, several virtual VLAN sub-interfaces are configured that
handle the traffic of the different VLANs. This is not the best course of action, since you have a
single point of failure. Another option is to work with multilayer switches.

Multilayer switches can use routed ports and virtual interfaces to handle the routing themselves
instead of sending the traffic to an external device. To use routed ports, go to a switchport and use:

Switch(config-if)# no switchport

After doing this, you can use the routed port for point-to-point links, like a WAN connection to
your ISP.

To route VLAN traffic in the hardware of the multilayer switch you can use switch virtual interfaces
(SVI) to do the job. To configure these, use the following commands:

Switch(config)# interface vlan [vlan-id]
Switch(config-if)# ip address [ip addr] [subnet]
Switch(config-if)# no shutdown

The SVI performs a lot like a routed port and can be used just like it. For example it can be used as
the default gateway for underlying devices.



1.4 Configure and verify trunking
Saturday, December 10, 2016 10:55 AM

1.4.a VTPv1, VTPv2, VTPv3, VTP pruning


VTP is a protocol that manages a VLAN management domain across a network with common
VLAN requirements. A switch shares information about its VLANs with the other switches in the
domain. For example, when a VLAN is added on one switch, all other switches in the domain are
notified:

1. An administrator adds a new VLAN definition
2. VTP propagates the VLAN information to all switches in the VTP domain
3. Each switch synchronizes its configuration to incorporate the new VLAN data

VTP advertisements are sent as multicast frames. A switch intercepts these frames and processes them
locally. The advertisements can also be relayed or forwarded out of trunk links toward neighboring
switches in all VTP modes, except off mode. VTP sends these advertisements every 5 minutes to
destination MAC address 01-00-0C-CC-CC-CC on VLAN 1 by default.

Advertisements:

- Summary Advertisements: Sent every 300 seconds and/or when there has been a change and
contains information about the management domain.
- Subset Advertisements: Sent after a change and hold information about that change.
- Advertisement Request: Request from a client when it lacks information

VTP keeps track of changes based on a revision number which always starts with 0. After each
change, the number is incremented. A greater number is assumed to be better and changes are
applied. By default, there is no security enabled on the advertisements.

NOTE! Revision numbers are not reset when a switch reloads, so if you implement a new switch,
make sure it does not have an older revision number that is higher than the current one. It will
replace all your data.
- To reset the revision number, set the switch to VTP transparent mode
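The revision-number behaviour and the risk described in the note above, as an added illustration written for these notes (not Cisco code). The model is simplified: the digest stands in for the MD5 hash that VTP derives from the domain password, and the switches, VLANs and revision numbers in demo() are constructed:

```python
# Added illustration (not Cisco code) of how a VTP client or server decides
# whether to accept a summary advertisement: same domain, a digest that
# matches the domain password, and a higher revision number replace the
# local VLAN database; transparent and off mode never synchronize.  The
# digest below is a stand-in for VTP's MD5 (real VTP hashes more fields);
# switches, VLANs and revisions in demo() are constructed.
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"          # server | client | transparent | off
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def digest(self, revision, vlans):
        """Stand-in for the MD5 digest that binds an advertisement to the password."""
        body = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(body.encode()).hexdigest()

    def add_vlan(self, vlan_id, name):
        """Only servers create VLANs; every change bumps the revision number."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is in {self.mode} mode")
        self.vlans[vlan_id] = name
        self.revision += 1
        return self.advertise()

    def advertise(self):
        """Summary and subset advertisement folded into one message."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self.digest(self.revision, self.vlans)}

    def receive(self, adv):
        """Synchronize only when domain, digest and revision all say so."""
        if self.mode in ("transparent", "off"):
            self.log.append("ignored (not participating)")
            return False
        if adv["domain"] != self.domain:
            self.log.append("ignored (domain mismatch)")
            return False
        if adv["digest"] != self.digest(adv["revision"], adv["vlans"]):
            self.log.append("ignored (password/digest mismatch)")
            return False
        if adv["revision"] <= self.revision:
            self.log.append("ignored (revision not higher)")
            return False
        # a higher revision wins, even if it removes VLANs that are in use
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        self.log.append(f"synchronized to revision {self.revision}")
        return True


def demo():
    """A reused switch with a stale but higher revision wipes a client's VLANs;
    the same kind of advertisement is ignored when the domain password differs."""
    prod = VtpSwitch("core", "CORP", password="s3cret")
    client = VtpSwitch("access", "CORP", mode="client", password="s3cret")
    client.receive(prod.add_vlan(10, "users"))
    client.receive(prod.add_vlan(20, "voice"))
    reused = VtpSwitch("lab", "CORP", password="s3cret", revision=50)
    wiped = client.receive(reused.advertise())           # True: VLANs 10 and 20 gone
    other_pw = VtpSwitch("lab2", "CORP", password="other", revision=99)
    protected = client.receive(other_pw.advertise())     # False: digest mismatch
    return wiped, protected, sorted(client.vlans), client.revision
```

The demo is the reason the note tells you to check the revision number (or reset it through transparent mode) before connecting a switch: the password check stops advertisements from a different domain password, but a switch that shares the password and carries a higher revision is trusted.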

VTP Modes:

- Server. VTP servers have full control over VLAN creation and modification for their domain.
All VTP information is advertised to other switches in the domain, and all received
information is synchronized with the other switches. By default, a switch is in server mode.
- Client. Clients cannot create, change or delete a VLAN. Instead they listen to advertisements from
other switches and modify their VLAN configuration accordingly. This is a passive mode. All
received information is forwarded over the trunk links to other switches.
- Transparent. Transparent switches do not participate in VTP. The switch does not advertise its
own information and does not synchronize received information. In VTP version 1, a
transparent switch does not even relay the information; in version 2 it does.
- Off. Nothing is done. No synchronization or relaying of information.

Versions:

- By default, VTP version 1 is used.
- VTP versions 1 and 2 support VLANs up to number 1005, however only 1001 VLANs can be used
to carry user traffic, while version 3 supports 1 to 4094.
- Version 2 offers the following features that version 1 does not:
    - Version-dependent transparent mode. VTP version 2 forwards all advertisements when
in transparent mode. Version 1 only does this if the version and domain name match.
    - Consistency check. Information added through the CLI and SNMP is checked for
consistency, such as VLAN names and values. These checks are not done for information
coming from NVRAM or from VTP messages.
    - Token Ring support. Version 2 supports Token Ring LAN switching and VLANs.
    - Unrecognized type-length-value support. Version 2 switches propagate received
configuration change messages out of other trunk links even if they cannot understand the
message, instead of dropping it. A copy is also saved in NVRAM.
- VTP version 3 has the following extra options:
    - Extended VLAN support. VLANs 1017-4094 (1006-1017 and 4095-2096 are reserved).
    - Domain name is not automatically learned. With VTP version 2 a factory-default switch
that receives a VTP message adopts the new VTP domain name. VTPv3 forces manual
configuration.
    - Better security. The VTP domain password is secured during transmission and in the switch
database.
    - Better database propagation. Only the primary server is allowed to update other devices,
and only one server per VTP domain is allowed to have this role.
    - MST support. VTPv3 adds support for propagation of MST instances.
- VTPv3 is not compatible with VTPv1. VTPv3 is compatible with VTPv2 as long as you do not use
extended VLANs.

Configuration:

- VTP version
    Switch(config)# vtp version {1 | 2 | 3}
- Domain
    Switch(config)# vtp domain domain-name
- Mode
    Switch(config)# vtp mode {server | client | transparent | off}
- Password, used for secure VTP. Start with a password on the servers and move on to the
clients. The hidden option is only supported in v3.
    Switch(config)# vtp password password {hidden | secret}

Status:

- Switch# show vtp status

Pruning:

- VTP pruning is an extension to version 1, using an additional VTP message type. When
a switch has a port associated with a VLAN, the switch sends an advertisement to its neighbor
switches that it has an active port in that VLAN. The neighbors keep that information, enabling
them to decide whether flooded traffic from a VLAN should be allowed on the trunk links.
- To enable pruning:
    Switch(config)# vtp pruning
    If this option is enabled on a server, it announces to all switches to enable this feature.
- VLAN 1 and VLANs 1002-1005 cannot be pruned. Extended VLANs (1005+) cannot be pruned either.

1.4.b dot1Q

Next to Cisco's proprietary standard ISL, there is dot1q for tagging frames on a link. It's an open
standard that is supported by almost all vendors.

Instead of encapsulating a header on each frame, dot1q embeds its tagging information within the
L2 frame, more specifically there is a 4-byte VLAN tag in the Ethernet Header. This method is
referred to as single tagging or internal tagging.

To configure a dot1q trunk port:

Switch(config-if)# switchport
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}

1.4.c Native VLAN


Dot1q also introduces the concept of a native VLAN. Frames belonging to this VLAN are not
encapsulated with any tagging information at all, as if a trunk link was not being used. If an end
station is connected to an dot1q trunk link, the end station can receive and understand only the
native frames because they are not tagged. This provides a simple way to offer full trunk
encapsulation to the devices that can understand it, while giving normal access stations some
inherent connectivity over the trunk.

If you would like native VLAN traffic to be tagged too, you can use the following command:

Switch(config)# vlan dot1q tag native

This is used when you want all control traffic (CDP, VTP, STP, etc.) to be tagged as well.
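The 4-byte tag inside the Ethernet header and the native-VLAN rule from the two sections above (untagged on egress unless "vlan dot1q tag native" is set, untagged frames classified into the native VLAN on ingress), as an added example written for these notes (not Cisco code; the frame bytes are constructed):

```python
# Added example (not from the notes): insert and strip the 4-byte 802.1Q tag
# inside an Ethernet header, and apply the native-VLAN rule of a dot1q trunk.
# TPID 0x8100 and the TCI layout are from IEEE 802.1Q; RAW is a constructed frame.
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def tag_frame(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI right after the 12-byte destination/source MAC pair."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | vlan          # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_or_None, frame_without_tag)."""
    if len(frame) >= 16 and struct.unpack_from("!H", frame, 12)[0] == TPID:
        tci = struct.unpack_from("!H", frame, 14)[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool = False) -> bytes:
    """What a dot1q trunk transmits for a frame that belongs to `vlan`.
    tag_native=True models 'vlan dot1q tag native'."""
    if vlan == native_vlan and not tag_native:
        return frame            # native VLAN leaves the trunk untagged
    return tag_frame(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Classify a frame received on a trunk: untagged frames belong to the native VLAN."""
    vlan, payload = untag_frame(frame)
    return (native_vlan if vlan is None else vlan), payload


# Constructed untagged frame: broadcast dst MAC, src MAC, EtherType IPv4, dummy payload
RAW = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x00" + b"payload"
```

The egress and ingress functions are the two halves of the behaviour the text describes: an end station on a trunk only understands what comes out untagged, and anything it sends untagged is placed into the native VLAN.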

1.4.d Manual pruning


When pruning is enabled, all general purpose VLANs become eligible for pruning on all trunk links, if
needed. However, you can modify the default list of pruning eligibility with the following interface-
configuration command:

Switch(config-if)# switchport trunk pruning vlan {{add | except | remove} vlan-list | none}

You can also manually prune VLANs by changing the allowed list on a trunk link:

Switch(config-if)# switchport trunk allowed vlan remove [vlan-id]



1.5 Configure and verify EtherChannels
Saturday, December 10, 2016 10:56 AM

1.5.a LACP, PAgP, manual


Etherchannel is a technology that was originally developed by Cisco as a LAN switch-to-switch
technique of grouping several Fast or Gigabit Ethernet ports into one logical channel. This
technology has many benefits:

- It relies on the existing switch ports, so there is no need to upgrade to new hardware
- Most configuration tasks can be done on the EtherChannel interface instead of on each of
the individual ports, thus enforcing configuration consistency
- Load balancing is possible between the links of the same EtherChannel

LACP

LACP (Link Aggregation Control Protocol) is part of an IEEE specification (802.3ad) that allows several
ports to be bundled together to form a single logical channel. LACP allows a switch to negotiate an
automatic bundle by sending LACP packets to the peer. LACP checks for consistency and manages
additions and failures between switches. It ensures that when an EtherChannel is created, all ports
have the same configuration: speed, duplex setting and VLAN information. Any change made
on one port also triggers a change on all other ports.

- Open standard negotiation protocol
- 16 ports in an LACP channel, but only 8 active
- Each port has a port priority. The lowest value has the highest priority
- Priority can be defined through the CLI or automatically
- Each port must have an administrative key. This key is needed to define the capability of a port
to aggregate with others. Think of data rates, duplex settings, etc.

Modes:

            Active   Passive
Active      Yes      Yes
Passive     Yes      No

Configuration parameters:

- System Priority. Each switch running LACP must have a system priority, which is based on the
MAC address automatically or set through the CLI.
- Port Priority. Each port must have a port priority, which is set automatically based on the
port identifier or through the CLI. This priority is needed to determine which ports will be
standby and which will not.
- Administrative key. Each port in the switch must have an administrative key value, which can
be specified automatically or through the CLI. The administrative key determines the capability of
a port to aggregate with other ports.

PAgP

PAgP (Port Aggregation Protocol) provides the same negotiation benefits as LACP, but is Cisco
proprietary.

- Cisco negotiation protocol
- Same negotiation benefits as LACP, however the two do not work together

              Desirable   Auto
Desirable     Yes         Yes
Auto          Yes         No

Manual

- No negotiation

1.5.b Layer 2, Layer 3


To configure EtherChannel on Layer 2, follow these steps:

1. Identify the ports you want to use
2. Identify the appropriate protocol (LACP or PAgP)
3. Verify that the bundle has formed correctly on both sides

Guidelines:

- All Ethernet interfaces on all modules support EtherChannel, with no requirements.
- All speed and duplex settings must match on all ports.
- All interfaces in the bundle must be assigned to the same VLAN.
- If the bundle is a trunk, the same range of allowed VLANs must be allowed on all interfaces.
- Interfaces with different STP port path costs can form an EtherChannel as long as they are
compatibly configured. Setting different STP port path costs does not, by itself, make
interfaces incompatible for formation.
- After you configure an EtherChannel, make all changes on the EtherChannel instead of on the
individual interfaces.

Configuration:

Switch(config)# interface range Ethernet 1/1-2
Switch(config-if-range)# channel-group 1 mode {on | active | passive | auto | desirable}

Switch(config)# interface port-channel 1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk

Verify:

Switch# show etherchannel summary

Layer 3:

- On Layer 3 switches, you can convert switched ports to routed ports. You can also create
EtherChannel links on Layer 3 links.

Switch(config)# interface range Ethernet 1/1-2
Switch(config-if-range)# channel-group 1 mode {on | active | passive | auto | desirable}

Switch(config)# interface port-channel 1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.1.20.1 255.255.255.0

1.5.c Load balancing


EtherChannel load balances traffic across the links in the bundle. However, traffic is not necessarily
distributed equally among all the links. The link a frame is forwarded over is chosen by the result
of a hashing algorithm. A switch has the following options:

Hash input code    Hash input decision             Switch model
dst-ip             Destination IP address          All
dst-mac            Destination MAC address         All
src-dst-ip         Source and destination IP       All
src-dst-mac        Source and destination MAC      All
src-ip             Source IP address               All
src-mac            Source MAC address              All
src-port           Source port number              4500, 6500
dst-port           Destination port number         4500, 6500
src-dst-port       Source and destination port     4500, 6500

Default configuration can differ from switch to switch, but most of the time the load balancing
method src-dst-ip is chosen.

NOTE! A load balancing method is chosen globally for all EtherChannels!

To configure:

Switch(config)# [no] port-channel load-balance {options}

To verify:

Switch# show etherchannel load-balance

The hash algorithm calculates a binary pattern that selects a link within the bundle to forward the
traffic over. Traffic between two devices will always be sent over the same link. Furthermore, if only
one address or port is hashed, the switch looks at one or more low-order bits of the hash value. The
switch then uses those bits as index values to decide over which link in the bundle to send the
frames. The more addresses or ports there are, the more bits are used.

Example (src-dst-ip, 2-link bundle):

Source        192.168.1.2    low-order bit: xxxxxxx0
Destination   192.168.1.4    low-order bit: xxxxxxx0
XOR result                   xxxxxxx0  -> forward frames over link 0
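The hash-and-index idea from the example above as code, added here for these notes and not taken from Cisco (Catalyst hardware uses a proprietary hash; this model XORs the selected fields and keeps the low-order bits, as the text describes). The rule that the number of bits depends on the bundle size, the modulo fallback for non-power-of-two bundles, and the flows in FLOWS are assumptions made for the example:

```python
# Added example, not from the notes or from Cisco: a simplified model of how an
# EtherChannel picks a member link by XORing the chosen fields and indexing
# with the low-order bits.  The bits-per-bundle-size rule and the modulo
# fallback are simplifications; addresses in FLOWS are constructed.
import ipaddress


def _ip(s):
    return int(ipaddress.ip_address(s))


def _mac(s):
    return int(s.replace(":", "").replace("-", ""), 16)


# port-channel load-balance method -> the fields that feed the hash
METHODS = {
    "src-ip":       lambda f: [_ip(f["src_ip"])],
    "dst-ip":       lambda f: [_ip(f["dst_ip"])],
    "src-dst-ip":   lambda f: [_ip(f["src_ip"]), _ip(f["dst_ip"])],
    "src-mac":      lambda f: [_mac(f["src_mac"])],
    "dst-mac":      lambda f: [_mac(f["dst_mac"])],
    "src-dst-mac":  lambda f: [_mac(f["src_mac"]), _mac(f["dst_mac"])],
    "src-port":     lambda f: [f["src_port"]],
    "dst-port":     lambda f: [f["dst_port"]],
    "src-dst-port": lambda f: [f["src_port"], f["dst_port"]],
}


def bits_needed(n_links: int) -> int:
    """Low-order hash bits needed to index n_links (1 to 8 active links)."""
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel has 1..8 active links")
    return max(1, (n_links - 1).bit_length())


def select_link(n_links: int, method: str, flow: dict) -> int:
    """XOR the chosen fields, keep the low-order bits, map to a link index."""
    h = 0
    for value in METHODS[method](flow):
        h ^= value
    index = h & ((1 << bits_needed(n_links)) - 1)
    return index % n_links   # modulo: simplification for non-power-of-two bundles


def distribution(n_links: int, method: str, flows) -> dict:
    """Count how many flows land on each link, to show uneven spreading."""
    counts = {}
    for flow in flows:
        link = select_link(n_links, method, flow)
        counts[link] = counts.get(link, 0) + 1
    return dict(sorted(counts.items()))


# Constructed flows: eight clients all talking to one server
FLOWS = [{"src_ip": f"192.168.1.{i}", "dst_ip": "10.0.0.1"} for i in range(1, 9)]
```

Running distribution() with dst-ip on FLOWS puts every flow on the same link, while src-dst-ip spreads them evenly over four links; that is the practical reason the text recommends choosing the global load-balance method to match the traffic pattern rather than leaving the default.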

1.5.d EtherChannel misconfiguration guard


Switch(config)# spanning-tree etherchannel guard misconfig

This feature is on by default. When it is enabled, you will see syslog messages when there is a
configuration mismatch between the two sides of the EtherChannel.

To verify if it's on:

Switch# show spanning-tree summary



1.6 Configure and verify spanning tree
Saturday, December 10, 2016 10:57 AM

1.6.a PVST+, RPVST+, MST


Redundancy is a must in a network. Therefore, on most occasions redundant links are connected
between switches to make a failover possible upon failure. However, this technique has the potential
to create a disaster, since it creates bridging loops. To work against bridging loops, the original
Spanning Tree Protocol (STP) was created (802.1D), which provides a loop-free topology in a network.
This technology was created for one bridged network and therefore only supports a single LAN or
one VLAN. This wasn't enough for current networks, so several newer protocols were developed.

Protocol   Standard   Resources         Convergence   VLANs
CST        802.1d     Low               Slow          All
PVST+      Cisco      High              Slow          Per VLAN
RSTP       802.1w     Medium            Fast          All
RPVST+     Cisco      Very high         Fast          Per VLAN
MST        802.1s     Medium or high    Fast          VLAN list

STP provides loop resolution by managing the physical path to a given network segment, performing
three steps:

1. Elect the root bridge
   - The root bridge is the logical center of the spanning-tree topology and is chosen by election.
     In STP, each switch has a unique BID that consists of the bridge priority and the MAC address.
     The lowest BID wins.

2. Select the root port on each non-root bridge
   - A switch must know where it stands in the network relative to the root bridge. The root port is
     the port with the best path to the root bridge. When the path cost is a tie between two or more
     ports, the port priority (default 128) breaks the tie. If that is the same too, the lowest port
     identifier wins.
   - Based on path cost and port priority

3. Select the designated port on each segment
   - Root ports face upstream to the root bridge, while designated ports forward traffic
     downstream into the network

To participate in the spanning tree process, a switch port must go through several states. A port will
always start in the disabled state and will move through several states when it is enabled.

Port state   Receive BPDU   Send BPDU   Learn MACs   Receive data   Send data   Duration
Blocking     Y              N           N            N              N           As long as there is a loop
Listening    Y              Y           N            N              N           Forward delay (15 sec)
Learning     Y              Y           Y            N              N           Forward delay (15 sec)
Forwarding   Y              Y           Y            Y              Y           As long as there is a loop
Disabled     N              N           N            N              N           Until enabled

- Blocking. Ensures no loops occur. Only receives BPDUs
- Listening. Moved to this state when there is a possibility that it's needed as designated or root
  port. Can send and receive BPDUs to actively take part in the topology
- Learning. After a while (forward delay) the port is moved to the learning state. It's allowed to learn
  MAC addresses, but cannot send or receive data.
- Forwarding. Considered a part of the active topology and can send and receive data

When a switch moves a port into the forwarding or blocking state, the topology is changing. The
switch announces that change with a TCN BPDU sent out of its root port. This advertisement does
not contain data on the change itself, it only tells the other switches that a change is coming. When
the root receives the message it first sends an acknowledgement and then signals all other switches
that the topology has changed. There are three forms of change:

- Direct topology change: a link failure is detected and a TCN is sent. All switches shorten their
  bridge table aging timer (normally 300 seconds), and convergence takes two times the forward
  delay.
- Indirect topology change: a device in the path, for example a firewall, starts filtering traffic, so
  no BPDUs are received anymore. No TCN is sent to let everyone know that something happened,
  so everyone has to wait for the timers to run out; this takes about 50 seconds.
- Insignificant topology change: for example a PC being turned off. This does not affect the STP
  topology.

PVST+

By default Cisco switches use PVST+. This is a Cisco proprietary protocol that allows one spanning-
tree instance per VLAN. Each VLAN can have a different root, which allows for load balancing over
redundant links when they are assigned to different VLANs. To do this, switches need a new BID
format. The BIDs in PVST+ contain:

- Bridge priority. A 4-bit field used to carry the bridge priority. The default priority is 32,768. The
  priority can be altered in steps of 4096.
- Extended system ID. A 12-bit field carrying the VLAN ID
- MAC address. A 6-byte field with the MAC address of the switch

RSTP

Rapid Spanning Tree Protocol (RSTP) is an evolution (802.1w) of the default STP with faster
convergence timers. It also has a few new port roles and states to help with that faster convergence.
RSTP is backwards compatible with the old STP variant: it can operate with legacy bridges on a
per-port basis. The benefits of RSTP obviously do not apply on those ports.

RSTP introduces some new port roles:

- Root. The root port is the switch port on every non-root bridge that holds the path to the root
  bridge.
- Designated. Downstream port. One for each segment.
- Alternate. Offers an alternate path to the root. It assumes the discarding state in an active topology.
- Backup. An alternate port to the designated port. Also has the discarding state.

RSTP loses the listening and blocking states and only works with discarding, learning and forwarding:

- Discarding, prevents forwarding of data frames
- Learning, accepts data frames to populate the MAC table

RSTP only initiates a topology change when a non-edge port transitions to the forwarding state. This
means that, contrary to normal STP, loss of connectivity is no longer a reason. A switch sends out a
BPDU with its TC bit set out of all non-edge designated ports. When a switch receives the message it
clears the MAC addresses of all ports except the one it received the message on. This way there is no
need to notify the root bridge and wait for an acknowledgement, making it much faster.

To identify the network better, RSTP uses link types:

- Point-to-point. Operating in full duplex mode, assumed to be connected to one device
- Shared. Operating in half duplex mode, assumed to be connected to multiple devices
- Edge port link. Ports connected to end devices

For example, edge ports can be transitioned to the forwarding state immediately.

When you want to use RSTP, configure this with:

Switch(config)# spanning-tree mode rapid-pvst

RPVST+

RPVST+ is a Cisco implementation that is based on PVST+.

MST

Multiple Spanning Tree (MST) extends the RSTP algorithm to multiple spanning trees. The purpose of
MST is to reduce the total number of spanning-tree instances to match the physical topology of the
network and thus reduce the CPU cycles needed by a switch. Where PVST+ runs a spanning-tree
instance for every VLAN, MST only uses a minimal set of instances.

MST allows for the building of multiple spanning trees over trunks by grouping and associating
VLANs to spanning-tree instances. Each instance may have a topology that is independent of other
spanning-tree instances. This architecture provides multiple forwarding paths for data traffic and
enables load balancing. A failure in one instance, does not affect others.

MST works with the concept of regions. Switches that are configured to use MST need to find out if
their neighbors are running MST.

When switches have the same attributes they are in the same region. It is possible to have one or
more regions, and for switches to belong to the same region the following attributes must match:

- MST configuration name
- MST configuration revision
- MST instance-to-VLAN mapping table

Within the MST region there is one instance of spanning tree that creates a loop-free topology
within the region. When you configure MST there is always one default instance used to calculate
the topology within the region. We call this the Internal Spanning Tree (IST). By default, instance 0
runs the IST. Also, RSTP is run within MST.

This special instance is designed to carry all STP related information.

To summarize the concept of MST:

- Decide how many instances are needed in the switched topology, and keep in mind that an
  instance translates to a logical topology
- Decide what VLANs to map onto those instances, and select a primary and secondary root
- Choose a configuration name and revision number that will be common to all switches in the
  network.
- Avoid mapping VLANs in instance 0

Configuration:

Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name CCNP
Switch(config-mst)# revision 1
Switch(config-mst)# instance [instance number] vlan [vlan-list]

Switch(config)# spanning-tree mst [instance-number] root {primary | secondary}

Switch(config-if)# spanning-tree mst [instance number] cost [value]
Switch(config-if)# spanning-tree mst [instance number] port-priority [value]

To verify:

Switch# show spanning-tree summary

Switch(config)# spanning-tree mst configuration
Switch(config-mst)# show current

1.6.b Switch priority, port priority, path cost, STP timers


Switch Priority

- The election is done with BPDUs:
    Configuration BPDUs, used to calculate the STP topology
    Topology change notification BPDUs, used to inform of changes
- BPDUs are sent out every two seconds:
    Source MAC: the MAC address of the sending port
    Destination MAC: the STP multicast address (01-80-c2-00-00-00)
- To choose a root bridge, BPDUs carry a BID. The BID consists of the switch priority (a.k.a. bridge
  priority), a value between 0 and 65535 with a default of 32768, plus the MAC address.
- The decision is made on the lowest BID. When two switches have the same priority, the lowest
  MAC address wins.

Configuration can be done in two ways:

Switch(config)# spanning-tree vlan [vlan-id] root { primary | secondary}

The command above learns the current root priority and lowers it by 4096. The other way to set the
priority manually:

Switch(config)# spanning-tree vlan [vlan-id] priority [value]

Port priority

- If two possible root ports have the same cost, port priority is used to break the tie.
    Port priority (128 by default)
    If the priority is the same, the port ID is used. Lowest wins.
    Note! Port ID selection is based on the port ID of the advertising neighboring switch
- Designated ports are chosen based on:
    Lowest root BID
    Lowest root path cost to the root bridge
    Lowest sender BID
    Lowest sender port ID

To configure the port priority use,

Switch(config-if)# spanning-tree vlan [vlan-id] port-priority [value]

Path cost

- Ports with the lowest path cost to the root bridge are called root ports
- To determine path cost, the link bandwidth is used:
    10 Gbps = 1
    1 Gbps = 4
    100 Mbps = 19
    10 Mbps = 100

To configure path cost, use the following commands:

Switch(config-if)# spanning-tree vlan [vlan-id] cost [cost-value]
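A worked version of the PVST+ BID format (the PVST+ section above) together with the root election, root-port selection and tie-breakers of 1.6.b, as an added Python example that is not part of the notes. The switch names, MAC addresses and link speeds are constructed; the path costs are the classic values listed above.

```python
"""PVST+ bridge IDs, root election and root-port tie-breakers.

Added example for this page, not the notes' own code.  Switch names, MAC
addresses and link speeds are constructed; the path costs are the classic
values from the notes (10 Gbps=1, 1 Gbps=4, 100 Mbps=19, 10 Mbps=100).
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Classic STP path cost per link speed in Mb/s, as listed in the notes.
PATH_COST = {10_000: 1, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit PVST+ BID: 4-bit priority | 12-bit extended system ID (VLAN) | 48-bit MAC.
    Because the VLAN occupies the low 12 bits of the first 16, the priority
    can only be a multiple of 4096.  Lower BID is better."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def port_id(port_number: int, priority: int = 128) -> int:
    """16-bit port ID: 4-bit port priority | 12-bit port number.  Lower wins."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must be 1..4095")
    return ((priority >> 4) << 12) | port_number


def elect_root(switches: Dict[str, Tuple[int, str]], vlan: int) -> str:
    """switches: name -> (bridge priority, MAC).  The lowest BID wins, so with
    equal priorities the lowest MAC address decides, as the notes say."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that the decision uses."""
    root_bid: int
    root_path_cost: int    # the sender's own cost to the root
    sender_bid: int
    sender_port_id: int


def select_root_port(received: Dict[int, Tuple[Bpdu, int]]) -> int:
    """received: local port ID -> (BPDU heard on that port, link speed in Mb/s).
    Returns the local port ID that becomes the root port.  Only BPDUs that
    name the best (lowest) root count.  Ties are broken in the notes' order:
    lowest root path cost, lowest sender BID, lowest sender port ID (the
    neighbour's advertised port ID), and finally the lowest local port ID."""
    best_root = min(bpdu.root_bid for bpdu, _ in received.values())
    candidates = {p: (b, s) for p, (b, s) in received.items() if b.root_bid == best_root}
    return min(candidates, key=lambda p: (
        candidates[p][0].root_path_cost + PATH_COST[candidates[p][1]],
        candidates[p][0].sender_bid,
        candidates[p][0].sender_port_id,
        p,
    ))


# --- constructed scenario ---------------------------------------------------
VLAN = 10
SWITCHES = {                      # name: (bridge priority, MAC), all made up
    "R": (24576, "00:00:00:00:00:01"),   # lowered priority, should win
    "A": (32768, "00:00:00:00:00:02"),
    "B": (32768, "00:00:00:00:00:03"),
}
ROOT = elect_root(SWITCHES, VLAN)
R_BID = bridge_id(SWITCHES["R"][0], VLAN, SWITCHES["R"][1])
B_BID = bridge_id(SWITCHES["B"][0], VLAN, SWITCHES["B"][1])


def scenario_root_port() -> int:
    """A hears R directly on port 1 over 1 Gbps (cost 4) and hears B on
    port 2 over 10 Gbps; B is itself one 10 Gbps hop from R.  The path via
    B costs 1 + 1 = 2, so port 2 becomes A's root port despite the extra hop."""
    heard = {
        port_id(1): (Bpdu(R_BID, 0, R_BID, port_id(1)), 1_000),
        port_id(2): (Bpdu(R_BID, PATH_COST[10_000], B_BID, port_id(1)), 10_000),
    }
    return select_root_port(heard)


def scenario_port_priority() -> int:
    """Two equal-cost 1 Gbps links from A to R.  Lowering the port priority
    on R's port 2 to 64 (spanning-tree vlan 10 port-priority 64 on R) makes
    the link behind it A's root port: the neighbour's port ID breaks the tie."""
    heard = {
        port_id(1): (Bpdu(R_BID, 0, R_BID, port_id(1)), 1_000),
        port_id(2): (Bpdu(R_BID, 0, R_BID, port_id(2, priority=64)), 1_000),
    }
    return select_root_port(heard)


if __name__ == "__main__":
    print("root bridge for VLAN", VLAN, "is", ROOT)
    print("A's root port is port 2 (cost scenario):", scenario_root_port() == port_id(2))
    print("A's root port is port 2 (priority scenario):", scenario_port_priority() == port_id(2))
```

The second scenario is the one people get wrong in practice: to steer which of two equal-cost uplinks a downstream switch uses, the port priority has to be changed on the upstream (root-side) switch, because it is the sender's port ID in the received BPDU that breaks the tie.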

STP timers

STP uses three timers to ensure proper loop-free convergence:

- Hello time. The time between each BPDU that is sent on a port.
    2 seconds by default
    Can be changed between 1 and 10 seconds
- Forward delay. The time that is spent in the listening and learning state.
    15 seconds by default, per state!
    Can be changed between 4 and 30 seconds
- Maximum age. Controls the length of time that passes before a bridge port saves its
  configuration BPDU information.
    20 seconds by default
    Can be changed between 6 and 40 seconds

When changing timers, you should do so on the root bridge. The root bridge will tell the rest of the
network.

To configure other timers, use:

Switch(config)# spanning-tree vlan [vlan-id] {hello-time | forward-time | max-age} [seconds]

To verify:

Switch# show spanning-tree vlan [vlan-id]

1.6.c PortFast, BPDUguard, BPDUfilter


PortFast

When a device on an access port comes online, it takes about 30 seconds to go through the blocking,
listening and learning states until the port becomes forwarding. When PortFast is enabled this goes
much faster: ports transition immediately from blocking to forwarding.

NOTE! Do not enable this on ports between switches. This can cause bridging loops.

PortFast is disabled by default, but can be enabled on an interface or globally. The global option
only works for ports defined as access ports. If you want PortFast on a trunk link, you have to
configure it manually on the interface. Also, only do this when the trunk link is connected to a server
or a similar end device, not to a switch.

Switch(config-if)# spanning-tree portfast [trunk]

Switch(config)# spanning-tree portfast default

To verify:

Switch# show spanning-tree interface <interface> portfast


NOTE! When a BPDU is received on a PortFast port, that port is immediately set to the blocking state.

BPDU Guard

Like I said in the last topic, when a BPDU is received on a PortFast port, it is placed in a blocking
state. However, this does not always protect the network against bridging loops, since a loop cannot
always be detected (in time). BPDU Guard is a feature that helps with this. Instead of just placing the
port in a blocking state, the port is placed in the error-disabled state when a BPDU is received. The
port then has to be recovered manually or through error disable recovery.

NOTE! This technique only works when a BPDU is detected. Unmanaged switches that do not send
BPDUs can still create a loop.

Configuration can be done on an interface or on all ports that have PortFast enabled.

Switch(config-if)# spanning-tree bpduguard enable

Switch(config)# spanning-tree portfast bpduguard default

To verify:

Switch# show spanning-tree summary totals

BPDU Filter

Sometimes it can be useful not to shut a port every time a BPDU is received. For example, service
providers with customer networks connected all over do not want to share their spanning-tree
topology with them. For situations like this there is BPDU Filter, which simply filters out all BPDUs
received on a PortFast port.

BPDU Filter can be configured globally or on a per-port basis, but do note that the two have
different effects. When enabling the filter on a port:

- It ignores all BPDUs received
- It sends no BPDUs

When configured globally:

- It affects all operational PortFast ports
- When BPDUs are detected, the port loses its PortFast status, BPDU Filter is disabled and STP
  sends and receives BPDUs on the port as it would on any other STP port on the switch.
- Upon startup, the port transmits 10 BPDUs. If the port receives any BPDUs during this time,
  PortFast and BPDU Filter are disabled.

To configure:

Switch(config-if)# spanning-tree bpdufilter enable

Switch(config)# spanning-tree portfast bpdufilter default

To verify:

Switch# show spanning-tree summary totals

Extra features that are Cisco proprietary:

UplinkFast

When a forwarding uplink fails, it can take 30-50 seconds for another uplink to become active. To
speed this up, UplinkFast uses an uplink group. That group consists of the root port and all alternate
ports. When the root port fails, the next port in the group with the lowest path cost is made active.
To accelerate the recovery time, the access switch sends dummy frames out of the new forwarding
port with all known MAC addresses as source, to populate the upstream CAM tables quickly.
Recovery time is therefore less than a second.

It is recommended to only enable this feature on access switches with redundant links to the
distribution layer. RSTP has this feature integrated by default.

Switch(config)# spanning-tree uplinkfast

BackboneFast

In the backbone, core and distribution layers, BackboneFast can be used for fast convergence in non-
RSTP networks. When a link fails, BackboneFast looks for an alternate path to the root bridge. The
switch does this by declaring itself root when its uplink to the root bridge fails. It starts by sending a
lot of BPDUs to all switches. However, these BPDUs are inferior to the ones of the "real" root bridge.
Normally switches will not respond to inferior BPDUs until the max age timer has passed, but when
an inferior BPDU is received on a blocking port, the switch assumes that it lost connectivity to the
root bridge.

After the switch identifies potential alternative ports, it starts sending Request Link Queries (RLQ).
These messages are forwarded until they reach the root bridge or a switch that has a connection to
the root bridge. In that case, a reply is sent. With this information, a switch that lost its connection
to the root bridge can find a new root fast.

Switch(config)# spanning-tree backbonefast

1.6.d Loopguard and Rootguard


LoopGuard

When one of the ports in a physically redundant topology no longer receives BPDUs, STP assumes
that the topology is loop free. Eventually, the blocking alternate or backup port becomes designated
and moves to the forwarding state. This situation creates a loop.

The LoopGuard feature makes an additional check. If BPDUs are no longer received on a
non-designated port and LoopGuard is enabled, that port is moved into a blocking state. Without the
LoopGuard feature, this port would have become forwarding and created a loop.

Configuration:

Switch(config-if)# spanning-tree guard loop

RootGuard

RootGuard is useful in avoiding Layer 2 loops during network anomalies. The RootGuard feature
forces an interface to become a designated port, to prevent surrounding switches from becoming the
root bridge. To do this, when a superior BPDU is received on a RootGuard port, the port moves to an
STP-inconsistent state.

Configuration:

Switch(config-if)# spanning-tree guard root
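What the guard features of 1.6.c and 1.6.d look like from the monitoring side, as an added Python example that is not part of the notes: it parses the syslog lines a switch emits when BPDU Guard err-disables a port and when Root Guard or Loop Guard blocks one, and flags ports that keep tripping after errdisable recovery. The log lines are constructed for this example and shaped like the Cisco IOS %SPANTREE and %PM messages; the mnemonics and wording are an assumption to verify against your own switches' logs before relying on the regexes.

```python
"""Triage of STP guard events from switch syslog.

Added example for this page, not the notes' code.  SAMPLE_SYSLOG is
constructed; the message shapes follow what Cisco IOS logs for BPDU Guard,
Root Guard and Loop Guard as far as I know them, which is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

SAMPLE_SYSLOG = """\
Dec 10 10:57:01.101: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Dec 10 10:57:01.102: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Dec 10 10:58:12.004: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/24 on VLAN0010.
Dec 10 10:59:40.310: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0020.
Dec 10 11:02:01.500: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/5
Dec 10 11:02:03.220: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Dec 10 11:02:03.221: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Dec 10 11:03:15.000: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/24 on VLAN0010.
Dec 10 11:05:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""

# Mnemonics this triage cares about (assumed IOS names, see lead-in).
MNEMONICS = {"BLOCK_BPDUGUARD", "ROOTGUARD_BLOCK", "ROOTGUARD_UNBLOCK",
             "LOOPGUARD_BLOCK", "LOOPGUARD_UNBLOCK", "ERR_DISABLE", "ERR_RECOVER"}
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+): "
                     r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$")
PORT_RE = re.compile(r"\b(?:port|on)\s+((?:GigabitEthernet|Gi|FastEthernet|Fa|"
                     r"TenGigabitEthernet|Te)\d[\d/]*)")
VLAN_RE = re.compile(r"\bVLAN0*(\d+)\b")
SHORT = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


class GuardEvent(NamedTuple):
    timestamp: str
    mnemonic: str
    port: str
    vlan: Optional[int]


def normalize_port(name: str) -> str:
    """IOS mixes short (Gi0/5) and long (GigabitEthernet0/5) names; use the long one."""
    for short, long in SHORT.items():
        if name.startswith(short) and not name.startswith(long):
            return long + name[len(short):]
    return name


def parse_events(syslog: str) -> List[GuardEvent]:
    """Extract the guard-related events, one per matching syslog line."""
    events = []
    for line in syslog.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["mn"] not in MNEMONICS:
            continue
        port = PORT_RE.search(m["msg"])
        if not port:
            continue
        vlan = VLAN_RE.search(m["msg"])
        events.append(GuardEvent(m["ts"], m["mn"], normalize_port(port.group(1)),
                                 int(vlan.group(1)) if vlan else None))
    return events


def triage(events: List[GuardEvent], repeat_threshold: int = 2) -> Dict[str, object]:
    """Turn the event list into something an on-call engineer can act on."""
    trips: Dict[str, int] = defaultdict(int)   # port -> BPDU Guard trips
    root_claims = set()                        # (port, vlan): superior BPDU arrived
    loop_blocks = set()                        # (port, vlan): BPDUs went missing
    for e in events:
        if e.mnemonic == "BLOCK_BPDUGUARD":
            trips[e.port] += 1
        elif e.mnemonic == "ROOTGUARD_BLOCK":
            root_claims.add((e.port, e.vlan))
        elif e.mnemonic == "LOOPGUARD_BLOCK":
            loop_blocks.add((e.port, e.vlan))
    return {
        # errdisable recovery brought the port back and it tripped again: the
        # BPDU-sending device is still plugged in and needs to be found
        "repeat_bpduguard_ports": sorted(p for p, n in trips.items() if n >= repeat_threshold),
        "bpduguard_trips": dict(trips),
        "rootguard_blocks": sorted(root_claims),
        "loopguard_blocks": sorted(loop_blocks),
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_SYSLOG)).items():
        print(f"{key}: {value}")
```

Root Guard blocks deserve a look even when they clear by themselves: a superior BPDU on an access-facing port means something downstream advertised a better bridge ID than your intended root, and the guard only tells you it was stopped, not what sent it.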



1.7 Configure and verify other LAN switching technologies
Saturday, December 10, 2016 10:57 AM

1.7.a SPAN, RSPAN


The SPAN feature allows you to instruct a switch to send copies of packets seen on one port,
multiple ports or a VLAN to another port on the same switch. To do this, you first specify the
source ports that you want to inspect. After that you select the destination port where your
sniffer is connected.

NOTE!
- A destination port cannot also be a source port
- Some platforms allow for more than one destination port
- Destination ports do not act as normal ports and do not participate in spanning tree and so on.
  Normal traffic flows through a destination.

Configuration:

Switch(config)# monitor session 1 source interface <interface>
Switch(config)# monitor session 1 destination interface <interface>

Verify:

Switch# show monitor

SPAN also supports monitoring traffic from an entire VLAN. In a single switch this feature can be
useful, but do note that having an entire VLAN as a source might be too much for a switch to handle.

Next to the local SPAN feature above, you also have remote SPAN (RSPAN). With this feature you
can take SPAN traffic beyond a single switch into the network. It enables you to capture traffic on a
different switch in the network. This can be helpful in a large network where you don't always have
access to a local sniffer. To do this you need a special VLAN dedicated to carrying the SPAN traffic.

Switch1(config)# vlan 100
Switch1(config-vlan)# name RSPAN-VLAN
Switch1(config-vlan)# remote-span
Switch1(config-vlan)# exit
Switch1(config)# monitor session 2 source interface <interface>
Switch1(config)# monitor session 2 destination remote vlan 100

Switch2(config)# vlan 100
Switch2(config-vlan)# name RSPAN-VLAN
Switch2(config-vlan)# remote-span
Switch2(config-vlan)# exit
Switch2(config)# monitor session 2 destination interface <interface>
Switch2(config)# monitor session 2 source remote vlan 100

Verify:

Switch# show monitor

Filter

When you have a trunk port as the source of your SPAN session and you only want to see traffic for
certain VLANs, you can use a filter:

Switch(config)# monitor session 1 filter vlan <vlan-id>

1.8 Describe chassis virtualization and aggregation technologies
Saturday, December 10, 2016 10:58 AM

1.8.a Stackwise
Cisco StackWise technology provides a method for collectively utilizing the capabilities of a stack of
switches. Configuration and routing information is shared by every switch in the stack, creating a
single switching unit. Switches can be added to and removed from a working stack without affecting
performance.

Switches can be stacked into a single logical unit, using special stack interconnect cables that create
a bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all connected
switches. You can reach up to 32Gbps in both directions in the stack ring.

NOTE! All switches share almost everything except STP. Each switch runs its own spanning trees
for the VLANs it supports. The master switch keeps a copy of all spanning-tree tables for each
VLAN in the stack. When a VLAN is removed or added, all switches are notified to update.

Cisco 3750-E, 3750-X and 3850 series switches support StackWise, with up to 9 switches in a stack.
Catalyst 2960-S series switches support FlexStack, which is tailored for L2 switches and supports up
to four switches.

Benefits:

- Managed as a single unit
- Hot-swappable switches. New switches are provided a configuration by the master.
- Redundancy. When a stack cable fails, traffic is sent the other way. Do note that you have a
  50% performance loss when a cable breaks.
- Multiple switches in a stack can create an EtherChannel connection.

Verify:

Switch# show switch
Switch# show switch stack-ports
Switch# show platform stack manager all

1.8.b VSS
This topic is not on the study guide, but is in the book. VSS (Virtual Switching System) is a network
system virtualization technology that combines a pair of Catalyst 4500 or 6500 switches into one
virtual switch. This helps with:

- Operational efficiency
- Boosting nonstop communications
- Scaling the system bandwidth capacity
- Simplifying network configuration and operation by reducing the number of Layer 3 routing
  neighbors and providing a loop-free Layer 2 topology

To set up a VSS you need a dedicated link between the two units, the Virtual Switching Link (VSL).
When this link is up, only one of the control planes is active. Both chassis are kept in sync at all times,
so that a failover is possible upon failure. When all links in the VSL fail, the VSS transitions to the
dual-active recovery mode, and only the new active virtual switch continues to forward traffic. To do
this, all interfaces are shut down on the formerly active virtual switch member, while the new active
switch forwards traffic on all links.

NOTE! Neighbors see the VSS as a single L2 switching or L3 routing node, thus reducing control plane
traffic. There is also no need for a FHRP like HSRP.

Verify:

Switch# show switch virtual
Switch# show switch virtual link
Switch# show switch virtual role
Switch# show switch virtual link port-channel

1.8.b Redundant Switch Supervisors


This topic is not on the study guide, but is in the book. Some platforms can accept two supervisor
modules installed in a single chassis, thus removing a single point of failure. The first supervisor to
boot should become the primary module.

Redundancy modes:

- RPR. The redundant supervisor is only partially booted and initialized. When the active module
  fails, the standby module must reload every module in the switch and then initialize all the
  supervisor functions. Takes >2 minutes.
- RPR+. The redundant supervisor is booted, allowing the supervisor and route engine to
  initialize. No Layer 2 or Layer 3 functions are started. When the active module fails, the standby
  module finishes initializing without reloading other switch modules. This allows switch ports to
  retain their state. Takes >30 seconds.
- SSO. The redundant supervisor is fully booted and initialized. Both the startup and running
  configuration contents are synchronized so that hardware switching can continue during a
  failover. The state of the switch interfaces is also maintained on both supervisors so that links
  do not flap during a failover. Takes >1 second.

You can enable another redundancy feature along with SSO. NSF is an interactive method that
focuses on quickly rebuilding the Routing Information Base (RIB) after a supervisor failover. The
RIB is used to generate the Forwarding Information Base (FIB) for CEF. With this you can provide
nonstop forwarding in the event of a failure of one of the supervisors.
