Cisco CCNP Switch ( ) LearnSmart Exam Manual Copyright 2011 by LearnSmart, LLC. Product ID: Production Date: November 10, 2011


Cisco CCNP Switch ( ) LearnSmart Manual. Copyright 2011 by LearnSmart, LLC. Product ID: Production Date: November 10, 2011.

All rights reserved. No part of this document shall be stored in a retrieval system or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein.

Warning and Disclaimer

Every effort has been made to make this document as complete and as accurate as possible, but no warranty or fitness is implied. The publisher and authors assume no responsibility for errors or omissions. The information provided is on an as is basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this document.

LearnSmart Cloud Classroom, LearnSmart Video Training, Printables, Lecture Series, Quiz Me Series, Awdeeo, PrepLogic and other PrepLogic logos are trademarks or registered trademarks of PrepLogic, LLC. All other trademarks not owned by PrepLogic that appear in the software or on the Web Site(s) are the property of their respective owners.

Volume, Corporate, and Educational Sales

Favorable discounts are offered on all products when ordered in quantity. For more information, please contact us directly: solutions@learnsmartsystems.com

International Contact Information

International: +1 (813)
United Kingdom: (0)

LearnSmart Cloud Classroom: Video Training Manuals

Abstract

This Manual is meant to prepare you for the new Cisco CCNP (Cisco Certified Network Professional) SWITCH exam ( ) that counts towards the CCNP and CCDP (Cisco Certified Design Professional) certifications. It is assumed that the candidate and reader have a CCNA level knowledge of switching, although most chapters will start with a small overview of the topics seen in the CCNA studies. In this new curriculum (version 6) Cisco has limited a number of topics, such as wireless LANs, Quality of Service (QoS) and certain security topics. You still need a basic understanding of each of these topics as well as how to configure a route and switch network to incorporate video, voice, wireless and security devices. At the same time, Cisco has added some design guidelines, especially the planning part of the design process. It also covers more in-depth routing and switching in general. In short, the CCNP is now more specialized towards routing and switching. It is our recommendation that dedicated CCNP candidates periodically check Cisco's website to find out about the current exam blueprint, as Cisco reserves the right to change it without notice.

What to Know

The curriculum for the new CCNP Track (Version 6) has drastically changed the way Cisco measures a Cisco Certified Network Professional. You'll notice, if you review the objectives we've listed below, that issues dealing explicitly with Quality of Service (QoS) and Wireless LANs are no longer a part of the switching portion of the CCNP curriculum (in the previous version, switching was covered by the Building a Cisco Multilayer Switched Network exam). At the same time, Cisco has added a number of planning and design tasks to the curriculum, mirroring the actual job role of a CCNP. The official objectives for the exam are:

1. Implement VLAN Based Solution
2. Implement a Security Extension of a Layer 2 Solution
3. Implement Switch Based Layer 3 Services
4. Prepare Infrastructure to Support Advanced Services
5. Implement High Availability

In general, successful candidates should intimately know and understand the switching process, especially as it pertains to planning and designing scalable environments where Virtual LANs are used extensively, as the first domain, Implement a VLAN-based Solution, contains a high percentage of tested material.

Tips

As has always been the case with Cisco tests, and especially with the CCNP-level exams, a large amount of hands-on experience with Cisco switches is vital to passing the exam. Be prepared to offer setup and configuration routines for a number of different situations, understand the ins and outs of multilayer switching and be able to provide plans and outlines for a scalable, switched network.

Planning Tasks

The word plan appears several times in the SWITCH exam ( ) blueprint. It is a new topic included in the recently introduced curriculum that makes the CCNP certified professional a more routing- and switching-specialized professional. Cisco expects the new CCNPs and SWITCH exam takers to be able to perform the following tasks:

- Analyze network design documentation and be able to extract the information necessary for a detailed implementation plan that includes configuration of network devices.
- Analyze design documents and discover missing parts that are required before an implementation can be completed.
- Perform peer review of another engineer's implementation plan, to discover weaknesses and omissions in the planned configurations and update the implementation plan.
- Build a verification plan that lists the required show commands and essential information that confirms or verifies whether each planned feature has been implemented correctly.
- Write a verification plan that can be understood and used by a less experienced worker, allowing that worker to implement changes and to verify the changes worked, off-shift, when you are not on-site.
- Perform a peer review on another engineer's verification plan, to discover which key design features are not verified by that plan, and to discover inaccuracies in the plan.

The planning tasks of the exam are those tasks in the blueprint that don't require the use of the CLI. Those topics are the ones starting with the words determine, create and document. Your approach to these topics is to make sure you really understand the concepts behind the actual CLI commands, master the verification commands and, most importantly, spend time thinking about the concepts, configuration, and verification commands as if you were writing a network design document, project implementation or verification plan. The specific tools designed to aid in the network design process are explained in guides and training for the Cisco Certified Design Associate (CCDA) and Cisco Certified Design Professional (CCDP) certifications and are not necessary to understand for the SWITCH exam.

In essence, you should be ready for the planning topics of the SWITCH exam when you can do the following:

- Read design goals extracted from a design document, develop a configuration that meets those goals, and discover missing information that needs to be gathered before you can complete the configuration.
- Read an extract from the design or implementation plans to determine what is wrong or missing.
- Read a configuration and design goal stated as being correct and create verification steps to confirm whether the feature works.
- Analyze an extract from a verification plan, along with the stated configuration and design goals, and determine any problems or missing elements in the verification plan.

With those concepts in mind and the information provided in this guide, you should be able to perform the planning duties required to pass the exam and also be ready to perform those duties in real life scenarios.

Table of Contents

Abstract...3
What to Know...3
Tips...3
Planning Tasks...4
Domain 1: Switch Operation...9
Address Learning and Forward/Filter Decisions...9
Address Learning...9
Forward/filter Decisions...10
Loop Avoidance...10
Switching Tables...10
Content-Addressable Memory...10
Switching Table Commands...11
TCAM Operation...13
The Switch Forwarding Process...14
Multilayer Switch Operation...14
Multilayer Switching Methods...15
Switch Configuration...16
Ethernet...16
Fast Ethernet...16
Gigabit Ethernet
Gigabit Ethernet...18
Switch Port Configuration
Describing Ports...19
Port Speeds...19
Errors on Switch Ports...20
Virtual LANs...21
Trunk Links...23
Trunk Configuration...24
Troubleshooting VLANs and Trunk Ports...26
VLAN Trunking Protocol (VTP)...28
VTP Configuration...29
VTP Pruning...31
VTP Troubleshooting...32
Spanning Tree Protocol (STP)...32
STP States...35
STP Timers...36
Topology Changes in STP...36
STP Types...37
STP Configuration...37
Root Bridge Switch Placement and Configuration...38
Configuring Cost and Port-Priority to Manipulate Path Selection...39
Configuring STP Timers...39
Redundant Link Convergence...40
Protecting the STP Process...42
Instabilities Due to Loss of BPDUs...43
Advanced Spanning Tree Protocol...45
Rapid Spanning Tree Protocol (RSTP) IEEE 802.1w...45
BPDUs in RSTP...46
RSTP Convergence...46
Topology Change Detection in RSTP...47
Topology Convergence Propagation in RSTP...48
RSTP Configuration...48
Multiple Spanning Tree Protocol (MST)...49
Aggregating Switch Links...52
Distributing Traffic in EtherChannel...53
EtherChannel Negotiation Protocols and Configuration...55
Port Aggregation Protocol...55
Link Aggregation Control Protocol...56
Troubleshooting EtherChannels...57
Domain 2: Implementing a Security Extension for a Layer 2 Solution...59
Port Security...59
Port-Based Authentication...62
Mitigating Spoofing Attacks...64
DHCP Spoofing; Description and Mitigation...65
IP Source Guard
Configuration Guidelines as proposed by Cisco Systems
Dynamic ARP Inspection (DAI)...67
Best Practices for Securing Cisco Switches...69
VLAN Security...71
Private VLANs...72
Trunk Security...75
Switch Spoofing...75
VLAN Hopping...75
Domain 3: Implementing Switch-based Layer 3 Services
InterVLAN Routing...76
SVI Ports...77
Adjacency Table...80
Configuring CEF...82
Using DHCP with a Multilayer Switch...85
DHCP Relay Agent...86
Domain 4: Preparing the Infrastructure to Support Advanced Services...87
Voice over IP (VoIP)
IP Telephony...87
PoE Configuration...88
Voice VLANs...89
Quality of Service (QoS)...92
Layer 2 QoS Classification...93
Layer 3 Quality of Service (QoS)...94
QoS for Voice Traffic...95
Configuring QoS Trust Boundaries...95
Simplifying QoS Configuration with Auto-QoS...97
Verifying VoIP QoS Implementations...97
Integrating Wireless LANs to the Wired Network...99
Wireless LANs...99
Avoiding Collisions in the WLANs
WAP Operation
Wireless LAN Cells
The WLAN Architecture
Cisco Unified Wireless Network Architecture
Lightweight AP Operation
Roaming in a Cisco Unified Wireless Network
Mobility Groups
Configuring Switch Ports for WLAN Use
Configuring Support for LAPs
Configuring Switch Port Support for a WLC
Domain 5: High Availability
Hot Standby Router Protocol (HSRP)
HSRP Router Election Process
HSRP Authentication
MD5 Authentication
HSRP Addressing
Load Balancing with HSRP
Virtual Router Redundancy Protocol (VRRP)
Gateway Load Balancing Protocol (GLBP)
Active Virtual Gateway
Active Virtual Forwarders (AVFs)
GLBP Load Balancing
Enabling GLBP
Supervisor and Route Processor Redundancy
Redundant Switch Supervisors
Configuring the Route Processor Redundancy Mode
Configuring Supervisor Synchronization
Enterprise Campus Network Design
Hierarchical Network Design
Questions
Explanations

Domain 1: Switch Operation

As you remember from your CCNA studies, a switch is a network device that operates in layer 2 of the OSI model. (Switches have evolved dramatically in the past years, and they now provide incredible network services; this definition is the most basic and is now considered legacy. We will explain the operations of the Multilayer Switch (MLS) briefly later in this chapter and thoroughly in domain 3 of this guide.) It breaks collision domains, which are simply physical network segments where data frames can collide when they are transmitted at the same time on a shared broadcast medium such as Ethernet. A collision happens when two or more hosts transmit data at the same time over this medium. Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is the mechanism used within Ethernet by which hosts determine who transmits data on Ethernet networks. A host is an Ethernet connected device such as a PC. A host listens on the wire and, if it doesn't hear a transmission, it starts sending frames. If at that point another host or hosts transmit, a collision occurs and a backoff timer is automatically set for a random period of time in every host involved in the collision. When the timer expires the host listens again and, if the medium is available, it transmits again. Every switch port is a separate collision domain, meaning that two hosts connected to different switch ports don't have to share the bandwidth of the media as they did when connected to hubs.

We learn in the CCNA studies that the main functions of a switch are address learning, forward/filter decisions, and loop avoidance. Switches also provide the following:

- Hosts can operate in full duplex mode, meaning they can talk and listen at the same time. If the host is not able to operate in full duplex mode, the switch can communicate in half duplex mode, where the switch and host can only send or receive data at any given time.
- Each access port offers dedicated bandwidth to the host connected to it (or to the group of hosts if a hub or another switch is connected).
- Uplink ports to other switches can be trunked to send data from multiple hosts and multiple VLANs. This topic will be discussed in detail later in this guide.
- Errors in frames are not propagated, because every frame received on a port is inspected for errors. If the switch finds errors, the frame is discarded.
- Other types of advanced layer 2 filtering-based features are possible (QoS, CoS, etc).

Address Learning and Forward/Filter Decisions

Address Learning

Switches are considered to be smart devices compared to hubs because they keep a table of device locations on their ports. A switch receives a frame and checks its Forward Table, also called MAC Address Table and Content Addressable Memory (CAM), to see if it has an entry for the frame's source address. If it doesn't, it adds the MAC address, the switch port where the frame was received and the VLAN of the port to the table. If the destination address is not yet in the table, it floods the frame out of all ports on the switch, except for the port the frame was received on. The CAM table helps to make the switch much more efficient when forwarding frames.

Forward/filter Decisions

Forwarding decisions of a layer 2 switch are based exclusively on the destination MAC address of the incoming frame. The switch looks for the MAC address in the CAM table and forwards the frame out the port associated with it. If it doesn't find an entry for the destination MAC address, the switch floods the frame out all ports associated with the VLAN of the frame that was received, excluding the port where the frame was received. This is called unknown unicast flooding. Similarly, broadcast and multicast frames are also flooded.

Loop Avoidance

This is the mechanism by which switches prevent a frame from taking more than one path to a destination. If a loop formed, the flooded frame would end up being replicated and retransmitted over and over in the looped path, creating a real mess in our networks. The Spanning Tree Protocol was developed to prevent switching loops from happening. We will devote a lot of time to the very powerful configuration options of STP and the variations of STP. Pay close attention to this topic, as STP is an extremely important and incredibly powerful protocol. The means that provide loop avoidance are explained in great detail later in this section.

Switching Tables

More advanced switches utilize several tables for the switching process and not just the CAM table. The tables are designed for Layer 2 or multilayer switching and are maintained in very fast memory in order to be able to check several fields in the tables at the same time.

Content-Addressable Memory

As mentioned previously, this is also known as the MAC Address or Forward Table. It is used to register and associate a MAC address with the specific port on which the device or devices are last known to reside. When a frame is received on a port, the source MAC address, the VLAN ID and a time stamp are associated with the port that received the frame. When a host moves to another port, the CAM table will be updated with the new entry, with the corresponding time stamp. After an established period of time, the older entry will be deleted. If a frame is received and the source address is already in the CAM table, only the time stamp will be updated. To deal with the size of the CAM tables and also to optimize resources, if a switch doesn't hear from a host after a period of time, its CAM entry will be deleted. By default, this period is 300 seconds, but it can be changed with the mac address-table aging-time configuration command, as follows:

Switch(config)# mac address-table aging-time seconds

You can also configure static CAM table entries with the following command:

Switch(config)# mac address-table static mac-address vlan vlan-id interface type mod/num

When a switch detects a MAC address that is already registered as belonging to another port, the switch purges the old record. This is the correct procedure, because MAC addresses are unique and shouldn't be available on more than one port. If the switch detects that a MAC address has been learned on alternating ports, an error message is generated and the address is flagged as flapping between interfaces. There are several causes for this, and we will see the mechanism to prevent it in the Spanning Tree Protocol section.
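The CAM behaviour described above (learning a source address per VLAN and port, refreshing the time stamp on a known address, purging the old record when a MAC shows up on a different port, flagging a MAC that keeps alternating between ports, ageing out silent hosts after 300 seconds, and the forward/filter decision with unknown-unicast flooding limited to the VLAN) is small enough to simulate. The following Python model is an added example written for this manual, not LearnSmart or Cisco code; the MAC addresses, port names, the three-move flapping threshold and the log message format are constructed for the illustration, and time is passed in explicitly so the run is deterministic.

```python
"""Simulation of a switch CAM table: learning, aging, MAC moves, flap detection
and forward/filter decisions. Added example for this manual, not Cisco code."""

from dataclasses import dataclass

DEFAULT_AGING = 300  # seconds: the IOS default aging time named in the text


@dataclass
class CamEntry:
    port: str
    last_seen: float
    static: bool = False


class CamTable:
    def __init__(self, aging_time=DEFAULT_AGING, flap_threshold=3):
        self.aging_time = aging_time
        self.flap_threshold = flap_threshold  # assumed: moves before a MAC is called flapping
        self.entries = {}     # (vlan, mac) -> CamEntry
        self.moves = {}       # (vlan, mac) -> number of port changes seen
        self.flapping = set()
        self.log = []         # constructed log messages

    def add_static(self, mac, vlan, port):
        # Models "mac address-table static <mac> vlan <id> interface <port>"
        self.entries[(vlan, mac)] = CamEntry(port, float("inf"), static=True)

    def learn(self, src_mac, vlan, port, now):
        key = (vlan, src_mac)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = CamEntry(port, now)
        elif entry.static:
            pass                      # static entries are never overwritten by learning
        elif entry.port == port:
            entry.last_seen = now     # same port: only the time stamp is refreshed
        else:
            # Seen on another port: purge the old record and count the move
            self.moves[key] = self.moves.get(key, 0) + 1
            self.entries[key] = CamEntry(port, now)
            if self.moves[key] >= self.flap_threshold:
                self.flapping.add(key)
                self.log.append(f"%MAC_MOVE: {src_mac} in vlan {vlan} is flapping "
                                f"between port {entry.port} and port {port}")

    def age_out(self, now):
        """Delete dynamic entries not refreshed within the aging time; return the keys removed."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return expired

    def forward(self, frame, ports_in_vlan, now):
        """Learn the source, then return the egress ports for the frame."""
        self.learn(frame["src"], frame["vlan"], frame["in_port"], now)
        dst = frame["dst"]
        others = [p for p in ports_in_vlan if p != frame["in_port"]]
        if int(dst[:2], 16) & 1:      # group bit set: broadcast or multicast, flood in the VLAN
            return others
        entry = self.entries.get((frame["vlan"], dst))
        if entry is None:
            return others             # unknown unicast flooding
        if entry.port == frame["in_port"]:
            return []                 # filter: destination sits on the ingress port
        return [entry.port]


def demo():
    """Walk through learning, flooding, filtering, aging and flapping on two constructed hosts."""
    cam = CamTable()
    vlan5 = ["Fa1/0/1", "Fa1/0/2", "Fa1/0/3"]
    a, b = "0011.2233.4455", "0011.2233.4466"      # constructed MAC addresses
    # t=0: A sends to B; B is unknown, so the frame floods to the other VLAN 5 ports
    first = cam.forward({"src": a, "dst": b, "vlan": 5, "in_port": "Fa1/0/1"}, vlan5, 0)
    # t=1: B replies; A is known, so the frame goes only to Fa1/0/1
    second = cam.forward({"src": b, "dst": a, "vlan": 5, "in_port": "Fa1/0/2"}, vlan5, 1)
    # B is heard again at t=350; A stays silent and ages out at t=400
    cam.learn(b, 5, "Fa1/0/2", 350)
    aged = cam.age_out(400)
    # B then alternates between two ports and gets flagged as flapping
    for t, port in ((401, "Fa1/0/3"), (402, "Fa1/0/2"), (403, "Fa1/0/3")):
        cam.learn(b, 5, port, t)
    return first, second, aged, (5, b) in cam.flapping, cam.log
```

The flood list in the first step is restricted to ports of the same VLAN, which is the detail that makes VLANs broadcast domains; the flap counter never resets in this toy, whereas a real switch evaluates moves over a time window.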

Ternary Content-Addressable Memory (TCAM)

Think of TCAM as the mechanism, a table implemented in hardware, that allows a multilayer switch (MLS) to match all ACLs for security and QoS features. Most switches have several TCAMs in order to be able to match all inbound and outbound security and QoS ACLs in a single lookup, with the resulting L2 or L3 forwarding decision. The Cisco Catalyst Switch has two components of TCAM operation:

- Feature Manager (FM): This compiles the Access Control Entries (Access Control List entries are ACL statements) into the TCAM table. At this point the TCAM can be consulted at wire speed and can forward packets at wire speed.
- Switching Database Manager (SDM): The SDM is used to partition and tune the TCAM partitions. Some switches don't allow this function.

Besides the table-lookup operation, the TCAM is also designed to allow a more granular, abstract operation. This feature is provided by a ternary combination that is defined by the binary values and a mask value, resulting in keys or entries with three possible bit values: 0, 1 and X (doesn't matter). Entries in the TCAM consist of Value, Mask and Result (VMR) combinations. The consultation process when a packet or frame is received goes like this: certain fields within the frame/packet header (MAC or IP address, TCP or UDP port numbers) are matched to the TCAM value and mask, and this yields a result that is used for the forwarding decision. In essence the TCAM is organized by masks, and after a mask is matched, there are 8 values used for security and QoS considerations. These value and mask pairs can be evaluated simultaneously with the use of specialized hardware, to produce a result, and the final forwarding decision. The number of masks that can be compiled into the TCAM varies in different equipment, but the values are always eight per mask. The TCAM is a hardware chip and therefore has a limited amount of memory for entries, so there are instances where it overflows. This generates a log error message to alert the network administrator. This can result in some packets being forwarded utilizing the CPU, which means the wire speed provided by the specialized hardware, Application Specific Integrated Circuits, will not be achieved for those packets/frames. In other words, it will slow down the forwarding of packets. The TCAM is organized by masks, and each unique mask has eight value patterns associated with it. The value patterns are 134 bits long and they consist of source and destination addresses and other information relevant to the layer 2 or 3 protocol used and the ACL type that is being compiled to the TCAM.

Switching Table Commands

There are several commands that allow us to inspect the contents of the different switching tables. One reason to check the CAM would be to find out about the location of an end device using its MAC address. To do this, you can use the following EXEC command to find out the port on which a certain MAC address was learned:

Switch# show mac address-table dynamic [address mac-address | interface type mod/num | vlan vlan-id]

Figure 1: Output from the show mac address-table Command

From this output you can see the host with that MAC address is connected to port FastEthernet 1/0/1 and is in VLAN 5. The dynamic keyword specifies that the switch learned the MAC address dynamically, as opposed to a MAC address that has been manually configured into the switch. This command is useful when you need to detect if a host has L2 connectivity to an uplink switch, that is, a switch that is closer to the network core. You can use it to know where the host was learned, if it was learned. The other possibility is that you might need to know what MAC addresses have been learned on certain ports. For that, issue the following show EXEC command:

Switch# show mac address-table dynamic interface type number

The actual output in the switch is as follows:

Figure 2: Showing Learned MAC Addresses by Interface

From this output you can see that the host with that MAC address is connected to port FastEthernet 1/0/2, which belongs to VLAN 7. If you see more than one MAC address, that means the port is connected to another switch or a hub with more hosts connected to them. As with the previous command, this can be used to see the host or list of hosts that have been learned on a port. A common use is to track host associations of wireless clients using APs connected to certain switch ports. Suppose you use the show mac address-table dynamic interface fastethernet1/0/2 command and there is an AP connected to that port. You will see the MAC address of the AP and all wireless clients associated to the AP.
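The figures for these commands did not survive extraction, so the following added Python example (written for this manual; not LearnSmart or Cisco code) parses a constructed capture in the usual IOS "show mac address-table" layout and answers the questions the text raises: on which port a given MAC was learned, which MACs sit behind one interface (more than one means a hub, another switch or an AP with its clients), and how many dynamic entries the switch holds. The MAC addresses, VLANs and port names in SAMPLE_OUTPUT are made up.

```python
"""Parse "show mac address-table" output to locate hosts. Added example, not Cisco code."""

import re
from collections import Counter

# Constructed capture in the IOS layout; addresses and ports are made up.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    0011.2233.4455    DYNAMIC     Fa1/0/1
   7    0011.2233.4466    DYNAMIC     Fa1/0/2
   7    0011.2233.4477    DYNAMIC     Fa1/0/2
   7    0011.2233.4488    DYNAMIC     Fa1/0/2
   5    0011.2233.4499    STATIC      Fa1/0/3
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted-hex MAC, entry type, port. Header/footer lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
                 re.IGNORECASE)


def parse_mac_table(text):
    """Return a list of {vlan, mac, type, port} dicts, one per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(),
                         "type": kind.upper(), "port": port})
    return rows


def find_port(rows, mac):
    """Where was this MAC learned? (port, vlan), or None if the switch never learned it."""
    for r in rows:
        if r["mac"] == mac.lower():
            return r["port"], r["vlan"]
    return None


def macs_on_interface(rows, port, dynamic_only=True):
    """MACs learned on one port (the "interface" form of the command)."""
    return [r["mac"] for r in rows
            if r["port"] == port and (r["type"] == "DYNAMIC" or not dynamic_only)]


def count_dynamic(rows):
    """Number of dynamically learned entries, the figure "show mac address-table count" reports."""
    return sum(1 for r in rows if r["type"] == "DYNAMIC")


def multi_host_ports(rows):
    """Ports with more than one learned MAC: a hub, another switch or an AP with clients."""
    per_port = Counter(r["port"] for r in rows if r["type"] == "DYNAMIC")
    return sorted(p for p, n in per_port.items() if n > 1)


def demo():
    rows = parse_mac_table(SAMPLE_OUTPUT)
    return (find_port(rows, "0011.2233.4455"),
            len(macs_on_interface(rows, "Fa1/0/2")),
            count_dynamic(rows),
            multi_host_ports(rows),
            find_port(rows, "aaaa.bbbb.cccc"))   # never learned on this switch
```

Run against real output, the same parser gives you a quick inventory of which access ports carry more than one station, which is the first thing to check when tracing an unexpected device.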

As your network grows it might be necessary to know how many hosts are connected to a certain switch. You can find this information with the show mac address-table count command. The output is shown here:

Figure 3: The show mac address-table count Command

CAM table entries can also be deleted manually with the following EXEC command:

Switch# clear mac address-table dynamic [address mac-address | interface type mod/num | vlan vlan-id]

You clear out the CAM entry to allow new MAC addresses to be learned immediately. Waiting for the entry to age out could be unacceptable at times because of the need to connect a new host and provide connectivity immediately. This is especially true when changing switch ports of a heavily used server.

TCAM Operation

In essence, there is no need to configure TCAM tables, as they are populated with ACEs (Access Control Entries) as you create ACLs (Access Control Lists). The only important consideration is that as your network grows and you implement QoS and security features, the TCAM tables might overflow. When this happens, a log message is generated and the overflow is flagged. If the TCAM overflows, the ACL will simply be processed by the CPU. Again, this means that the packet won't be forwarded at wire speed with the use of Application Specific Integrated Circuits (ASICs).
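The ternary matching and the overflow behaviour described in the TCAM sections are easy to see in a small model. The following Python example is added for this manual (it is not Cisco's implementation): each ACE is compiled into a Value/Mask/Result entry, a packet matches an entry when (key AND mask) == value, so every masked-out bit is the X (don't care) state, entries are grouped by distinct mask as the text describes, and a fixed capacity shows what happens to the ACEs that no longer fit. The key layout (source IP, destination IP, protocol, destination port), the four-entry capacity, the ACL and the overflow log line are constructed for the illustration.

```python
"""TCAM-style Value/Mask/Result matching with overflow. Added example, not Cisco code."""

import ipaddress

# Lookup-key layout, most significant field first (constructed; real keys are wider)
FIELDS = (("src", 32), ("dst", 32), ("proto", 8), ("dport", 16))


def build_key(**fields):
    """Pack packet header fields into one integer key; a missing field is 0."""
    key = 0
    for name, width in FIELDS:
        key = (key << width) | (fields.get(name, 0) & ((1 << width) - 1))
    return key


def compile_ace(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
    """Compile one ACE into a (value, mask, result) entry; unspecified fields become X bits."""
    value = mask = 0
    for name, width in FIELDS:
        if name in ("src", "dst"):
            net = ipaddress.ip_network(src if name == "src" else dst, strict=False)
            v, m = int(net.network_address), int(net.netmask)
        elif name == "proto":
            v, m = (proto, 0xFF) if proto is not None else (0, 0)
        else:
            v, m = (dport, 0xFFFF) if dport is not None else (0, 0)
        value = (value << width) | v
        mask = (mask << width) | m
    return value, mask, action


class Tcam:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []          # (value, mask, result) in ACL order
        self.software_aces = []    # ACEs that did not fit: left to the CPU
        self.log = []

    def program(self, aces):
        """What the Feature Manager does: compile ACEs into the table until it is full."""
        for ace in aces:
            if len(self.entries) < self.capacity:
                self.entries.append(compile_ace(*ace))
            else:
                self.software_aces.append(ace)
                self.log.append("TCAM overflow: ACE will be processed in software")  # constructed

    def masks(self):
        """Distinct masks in use; the hardware evaluates the values under each mask in parallel."""
        return sorted({m for _, m, _ in self.entries})

    def lookup(self, key):
        """First matching entry wins. None means the decision is not made in hardware."""
        for value, mask, result in self.entries:
            if key & mask == value:
                return result
        return None


ACL = [  # constructed ACL; the last ACE will not fit into a 4-entry TCAM
    ("permit", "0.0.0.0/0", "10.1.1.0/24", 6, 80),      # web to the server subnet
    ("deny", "0.0.0.0/0", "10.1.1.0/24", 6, None),      # any other TCP to it
    ("deny", "192.168.0.0/16", "0.0.0.0/0", None, None),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 17, 161),        # SNMP from anywhere
    ("permit", "0.0.0.0/0", "0.0.0.0/0", None, None),   # overflows: CPU must handle it
]


def ip(addr):
    return int(ipaddress.ip_address(addr))


def demo():
    tcam = Tcam(capacity=4)
    tcam.program(ACL)
    web = tcam.lookup(build_key(src=ip("172.16.5.9"), dst=ip("10.1.1.10"), proto=6, dport=80))
    ssh = tcam.lookup(build_key(src=ip("172.16.5.9"), dst=ip("10.1.1.10"), proto=6, dport=22))
    dns = tcam.lookup(build_key(src=ip("172.16.5.9"), dst=ip("10.2.0.1"), proto=17, dport=53))
    return web, ssh, dns, len(tcam.masks()), len(tcam.software_aces)
```

The DNS lookup returns None: its only matching ACE is the final permit, which did not fit, so that packet is exactly the kind that falls back to CPU processing after an overflow.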

The Switch Forwarding Process

When a switch receives a frame on one of its ports, it places the frame in one of the port's ingress queues. At this point, the switch has three decisions to make: where to forward the frame, whether to forward the frame or not, and how to forward the frame. All decisions are made simultaneously using different portions of the switch hardware. Basically, the switch needs to find the egress port, and examine the forwarding policies concerning Quality of Service (QoS) (the priority the frame has to be sent with in comparison to others) and security. Here is a description of the three separate processes and the mechanism in charge of each decision:

- L2 forwarding table: The frame's destination MAC address is looked up in the CAM table; if it is found, the frame will be sent to the appropriate egress port with its VLAN ID. If it is not found, the frame will be flooded out all ports on the VLAN it was received on, except the port it was received on.
- Security ACLs: These are compiled into the TCAM and are used by the switch hardware to identify and make decisions based on criteria including IP address, MAC address, protocol types and layer 4 port numbers (applications).
- QoS ACLs: These ACLs contain markings or QoS parameters that define and police the traffic flow. The idea here is to give specific traffic (such as voice and video) priority over other data flows that are more resistant to network delays. These ACLs also contain information used to mark outbound frames.

MLS switches have dedicated hardware for this operation. This provides the ability to process frames simultaneously, in parallel, and at wire speed. The egress queues are serviced based on the importance or priority assigned by the network administrator and/or designer; these criteria, in turn, are based on the time criticality of the communication type. Quality of Service is part of the CCVP and CCIP certifications and is an important part of the CCIE Routing and Switching certification.

Multilayer Switch Operation

Layer 3 switches are powerful. They forward frames based on layer 3 and layer 4 information contained in packets. This is called Multilayer Switching (MLS). One of the key differences between L3 switches and (most) routers is that L3 switches route packets in hardware, just as they do for L2 switching. L3 switches can perform packet switching up to ten times faster than traditional L3 routers. The use and performance advantages of the MLS come at a cost: they are expensive. Other than that, they are in general a great improvement and a major upgrade over traditional routers and layer 2 switches within the LAN. They perform all the functions of a router and a regular layer 2 switch plus another function at layer 4, and can interact in the network with such devices. Cisco Catalyst Switches perform packet switching, or L3 switching, using a route processor or L3 engine. This processor is in charge of downloading routing information to the hardware itself.

Multilayer Switching Methods

There are two types of multilayer switching: route caching and topology based.

Route caching: The first generation of multilayer switching (MLS), also called NetFlow switching (now considered legacy). Route caching capable devices utilize a route processor and a switching engine. It requires several flows for every port in use, making it a processor intensive method, and it doesn't exactly provide hardware speed routing. This method is often referred to as the route once, switch many method.

Topology-based: The second generation of MLS and a definite improvement over the first. Cisco's implementation is called Cisco Express Forwarding (CEF), and requires special hardware chips, which is why it is not available in all L3 switches. CEF is very scalable and requires less main CPU resources than the route caching mechanism. This optimization is achieved by the use of application specific integrated circuits (ASICs) to forward packets and make several decisions at the same time, providing packet forwarding at wire speed. CEF has two major components, the Forwarding Information Base (FIB) and the Adjacency Table. The FIB is practically another form of a routing table, containing the traditional routing information (destination networks, network masks, next hop address, etc). The efficiency in this mechanism is achieved because it is maintained in hardware, giving the speed of L2 switching to L3 and L4 switching. The routing information contained in the FIB is updated automatically when the network changes (hence the name topology-based).

The path a packet follows when switched in an L3 switch is determined by the multilayer mechanisms, and they are all performed simultaneously:

- L2 forwarding table: As usual, the destination MAC address is used to determine the path. If an IP packet is encapsulated in the frame, the switch sends the frame to an L3 port of the switch, so it can be processed at L3.
- L3 forwarding table: The FIB is consulted using the destination IP address, just like a regular routing table. After the longest match is found, the next hop address is obtained and the packet is sent out the appropriate interface. The FIB table also has the MAC addresses of each next hop, and the switch egress port, which prevents the switch from looking up the information every time a packet needs to be forwarded (remember the FIB is updated based on topology changes).
- Security ACLs: These are compiled into the TCAM and are used by the switch hardware to identify and make decisions based on criteria including IP address, MAC address, protocol types and layer 4 port numbers (applications).
- QoS ACLs: These are also compiled into the TCAM, and the associated values allow the switch to perform traffic classification, policing and marking at wire speed in a single table lookup.

The packet is then placed in the appropriate egress queue on the appropriate egress port. After this point, the procedure is basically the same as for a regular switch and router, with the efficiency provided by the hardware-based architecture. The next hop IP address obtained from the FIB table has an association with a layer 2 address, which is the address that will be used to forward the frame to the next hop. As part of this rewrite the time-to-live (TTL) value in the L3 packet is decremented, therefore the IP checksum must be recalculated. The TTL is a counter within the packet that counts down. After every layer 3 hop, the TTL decreases until it reaches 0. If the packet has a TTL of 0 and reaches another layer 3 device before getting to its destination, the packet is discarded. This prevents packets from traversing a network forever. Since the frame is also changed in this process, the layer 2 checksum must be recalculated too. Once again, this calculation is performed in hardware.
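The CEF data path just described (longest-prefix match in the FIB, next-hop MAC and egress port taken from the adjacency information, TTL decrement with an IP header checksum recalculation, and a punt when the TTL would expire) is worked through below in Python. This is an added example for this manual, not Cisco's CEF code; the prefixes, the adjacency entries, the port names and the sample packet are constructed, and the frame-level (layer 2 FCS) recalculation is left out.

```python
"""Topology-based (CEF-style) forwarding of one IPv4 packet. Added example, not Cisco code."""

import ipaddress
import struct


class Fib:
    """Forwarding table: prefixes kept longest first so the first hit is the longest match."""

    def __init__(self):
        self.routes = []  # (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.routes:
            if addr in net:
                return net, next_hop
        return None, None


# Adjacency information: next hop -> (egress port, next-hop MAC). Constructed values.
ADJACENCY = {
    "10.0.0.2": ("Gi1/0/1", "0000.0c9f.f001"),
    "10.0.1.2": ("Gi1/0/2", "0000.0c9f.f002"),
}


def ip_checksum(header):
    """One's-complement sum over the IPv4 header; 0 when the embedded checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=6):
    """Minimal 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def forward(fib, header):
    """Return (egress port, next-hop MAC, rewritten header), or (None, reason, None)."""
    ttl = header[8]
    dst = str(ipaddress.ip_address(header[16:20]))
    net, next_hop = fib.lookup(dst)
    if net is None:
        return None, "no route", None
    if ttl <= 1:
        # Decrementing would give 0: not MLS-ready, punted to the CPU for the ICMP reply
        return None, "ttl expired (punt to CPU)", None
    port, mac = ADJACENCY[next_hop]
    new = bytearray(header)
    new[8] = ttl - 1                    # TTL decrement performed by the hardware
    new[10:12] = b"\x00\x00"            # zero the checksum field, then recompute it
    new[10:12] = struct.pack("!H", ip_checksum(bytes(new)))
    return port, mac, bytes(new)


def demo():
    fib = Fib()
    fib.add("10.1.0.0/16", "10.0.0.2")
    fib.add("10.1.1.0/24", "10.0.1.2")   # more specific: must win for 10.1.1.x
    fib.add("0.0.0.0/0", "10.0.0.2")
    port, mac, out = forward(fib, build_ipv4_header("192.168.1.10", "10.1.1.50", ttl=64))
    expired = forward(fib, build_ipv4_header("192.168.1.10", "10.1.1.50", ttl=1))
    return port, mac, out[8], ip_checksum(out) == 0, expired[1]
```

The checksum verification in demo() uses the property that summing a header over its own correct checksum yields all ones, so ip_checksum() returns 0; that is the same check a receiving host performs before trusting the header.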

There are several exceptions to the MLS process that take place in the L3 switch. For CEF to process the packet with the advantages of hardware processing, the packet must be MLS-ready, with no further decisions required to be made about it. Packets that require more detailed handling are sent to the switch CPU for process switching, the traditional switching performed in software. The following packets can't be processed by CEF:

- ARP requests and replies
- IP packets requiring a response from a router (TTL has expired, MTU is exceeded, etc)
- IP broadcasts and multicasts that will be relayed as unicast (first reply packet in EIGRP adjacency formation, DHCP requests, IP helper-address functions)
- Routing protocol updates
- CDP packets
- Packets that require encryption
- IPX routing advertisements
- Packets triggering NAT

The MLS process only works for IP and IPX. Other non-IP and non-IPX protocol packets (AppleTalk, DECnet, and so on) are not processed using MLS methods.

Switch Configuration

Ethernet

Ethernet is a LAN technology defined by the Institute of Electrical and Electronics Engineers (IEEE) standard. It operates with CSMA/CD, as described earlier, which requires that each station listen to the wire and wait until no transmissions are being made before being allowed to transmit. This is half-duplex operation, and as explained before, it is very inefficient. A switch takes care of this problem by allocating dedicated bandwidth to each of its ports. A switch can remove the possibility of collisions, and stations don't have to listen before transmitting, but can actually transmit and receive at the same time. This mode of operation is called full duplex. Full duplex increases network performance dramatically, effectively doubling the net throughput. For example, in 10Mbps Ethernet, you get 10Mbps in each direction, for a total combined theoretical throughput of 20Mbps on each port.

Fast Ethernet

Fast Ethernet is defined in the IEEE 802.3u standard. Fast Ethernet maintains the same layer 2 components (frames remain the same), and merges them with new layer 1 components (physical cabling and wiring). The whole operation is essentially the same, but the speed is increased to 100Mbps (half duplex). Fast Ethernet is currently often found in the access and distribution layers of the campus network, when there are no other higher speed links available. Fast Ethernet is most commonly used to connect user stations to the network (access layer switches) and also to increase throughput in the connection to servers.

Fast Ethernet can also support full duplex operation, giving network devices a combined theoretical throughput of 200Mbps. This maximum speed is only possible when a device is directly connected to a switch port and all devices (router, endpoint, another switch) support full duplex operation. Fast Ethernet is fully compatible with older Ethernet technology. Switch ports are often referenced as 10/100Mbps, to denote compatibility with both specifications. This capability is provided by auto-negotiation. When auto-negotiation is configured at each end, devices will select the maximum possible speed (of the slowest device) and the duplex operation. Switches will exchange information to determine the duplex mode. If for any reason this process fails, both switches will use half duplex, the default switch port setting. When auto-negotiation is not set, or when one side is hard-coded and the other side is set for auto-negotiation, a duplex mismatch can occur. This is the cause of major network problems, such as communication slowdowns, which will be explained later. It can also cause other network instabilities, because if one switch is in full duplex mode, it won't stop to hear if there are transmissions, while the other end, in half duplex, does, and keeps waiting for the other end to stop transmitting. The priority in the auto-negotiation process is as follows:

Priority   Ethernet Mode
7          100BASE-T2 (full duplex)
6          100BASE-TX (full duplex)
5          100BASE-T2 (half duplex)
4          100BASE-T4
3          100BASE-TX
2          10BASE-T (full duplex)
1          10BASE-T

Figure 4: Ethernet Auto-Negotiation Priorities

Cisco recommends that switch ports are configured with speed and duplex mode manually. This prevents the very troubling duplex mismatch and link speed issues. You must remember to set both ends with the same speed and duplex mode. To configure the duplex mode, use the duplex [ auto | full | half ] interface configuration command. The command is pretty much self-explanatory.

Gigabit Ethernet

Gigabit Ethernet is defined in the IEEE 802.3z standard.
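The following Python model, added here as an example and not part of the manual, walks through the resolution described above: two auto-negotiating ends pick the highest-priority mode they both advertise (the Figure 4 table), and when one end is hard-coded the auto-negotiating end senses the speed but falls back to half duplex, producing the mismatch. The mode names and the set of modes a typical 10/100 port advertises are assumptions for the model.

```python
"""Model of how two Ethernet ends settle speed and duplex (added example; not from the manual).

The priority table is the one in Figure 4. Two auto-negotiating ends agree on the
highest-priority mode they both advertise. When one end is hard-coded, the other
end can still sense the speed but receives no duplex information, so it falls
back to half duplex: the duplex mismatch the text warns about.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Auto-negotiation priorities from Figure 4 (7 = most preferred).
PRIORITY = {
    "100BASE-T2 full": 7,
    "100BASE-TX full": 6,
    "100BASE-T2 half": 5,
    "100BASE-T4 half": 4,
    "100BASE-TX half": 3,
    "10BASE-T full": 2,
    "10BASE-T half": 1,
}

# Assumed advertisement of a typical 10/100 port (no 100BASE-T2/T4 hardware).
TYPICAL_10_100 = frozenset(
    m for m in PRIORITY if m.startswith(("100BASE-TX", "10BASE-T"))
)


@dataclass(frozen=True)
class PortEnd:
    """One end of a link: auto-negotiating (advertising `modes`) or hard-coded to `fixed`."""
    autoneg: bool
    modes: FrozenSet[str] = frozenset()
    fixed: Optional[str] = None


def _half_duplex_of(mode: str) -> str:
    """'100BASE-TX full' -> '100BASE-TX half' (speed sensed, duplex unknown)."""
    return mode.split()[0] + " half"


def resolve(a: PortEnd, b: PortEnd) -> Tuple[Optional[str], Optional[str]]:
    """Return the mode each end actually runs, as (mode_a, mode_b)."""
    if a.autoneg and b.autoneg:
        common = a.modes & b.modes
        if not common:
            return (None, None)  # nothing in common: the link stays down
        best = max(common, key=PRIORITY.__getitem__)
        return (best, best)
    if not a.autoneg and not b.autoneg:
        return (a.fixed, b.fixed)  # both hard-coded: the operator must match them
    # One end hard-coded: the auto-negotiating end sees no negotiation
    # signalling, detects only the speed, and defaults to half duplex.
    if a.autoneg:
        return (_half_duplex_of(b.fixed), b.fixed)
    return (a.fixed, _half_duplex_of(a.fixed))


def duplex_mismatch(result: Tuple[Optional[str], Optional[str]]) -> bool:
    """True when both ends are up but disagree on duplex."""
    x, y = result
    return x is not None and y is not None and x.split()[1] != y.split()[1]


if __name__ == "__main__":
    auto = PortEnd(autoneg=True, modes=TYPICAL_10_100)
    hard_full = PortEnd(autoneg=False, fixed="100BASE-TX full")
    print(resolve(auto, auto))        # both ends agree on 100BASE-TX full
    print(resolve(auto, hard_full))   # auto end falls back to half duplex
    print(duplex_mismatch(resolve(auto, hard_full)))
```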
It provides 1000Mbps (1Gbps) using the same data link layer (same frame format) and new layer 1 capabilities and specifications. This means new connections and hardware, but interoperability with older standards like Fast Ethernet and Ethernet. The standard was the product of the merger of the 802.3 standard (layer 2 characteristics) and the American National Standards Institute (ANSI) X3T11 FibreChannel standard (which provided the layer 1 hardware mechanisms). In campus networks Gigabit Ethernet is commonly found connecting end devices such as servers to switches and in switch to switch uplinks. It can be found in all three layers of the campus network.

10-Gigabit Ethernet

Just like Fast Ethernet and Gigabit Ethernet, 10-Gigabit Ethernet preserves all layer 2 characteristics (frame format and size, MAC addresses). 10-Gigabit Ethernet is also known as 10GbE and is defined in the IEEE 802.3ae standard. It operates exclusively in full duplex. Many large enterprise networks and ISPs are running 10-Gigabit in their distribution and core.

Switch Port Configuration

To enter switch port configuration mode, enter the following command:

Switch(config)# interface type module/number

Type refers to the Ethernet types defined: ethernet, fastethernet, gigabitethernet, tengigabitethernet, or vlan if we are configuring remote access to the switch. Module is the slot in which the interface sits within the switch and number is the actual port number. Here is an example:

Switch(config)# interface fastethernet 0/1
Switch(config)# interface gigabitethernet 1/2

In the first line we enter interface configuration mode for the fastethernet module 0 port 1. There are certain types of switches, like the Catalyst 3750, that can be stacked with other switches of the same family. In that scenario you might see interface ethernet 2/0/10. That means the switch in position 2 of the stack, module 0 and port 10. In the second line, after pressing enter, we go to interface configuration mode for the Gigabit Ethernet module 1 port 2. You can also enter interface configuration mode for more than one port, or a range of ports, with the interface range global configuration mode command. This command will prove very useful when implementing a lot of identical switching functions. This is the command to be used in global configuration mode:

Switch(config)# interface range fastethernet 1/0/1 - 48

This will select the switch stacked in position one, module 0, and fast ethernet ports from 1 to 48. You can also select a group of ports that are not in the same switch or not exactly in a range, by separating the ports you want with commas.
Here is an example:

Switch(config)# interface range fastethernet 1/0/1, fastethernet 1/0/3, fastethernet 1/0/5, fastethernet 1/0/24 - 36

The previous command will enter interface configuration mode for ports 1, 3, 5, and 24 to 36 of stacked switch 1, slot 0. Notice the range is always a closed range, meaning both ends are included. In this case, ports 24 and 36 will be included in the range.

Another very important and useful feature is the range macro. It allows you to save certain ranges that you will likely need to use often (like all ports belonging to a certain VLAN).

Switch(config)# define interface-range macro-name type module/number [type module/number ...] [type module/first-number - last-number] [...]

Macro-name is the name you will assign to the macro. The other range definitions are exactly as you would enter them in an interface range command. An example:

Switch(config)# define interface-range vlan10ports fastethernet 1/0/1, fastethernet 1/0/3, fastethernet 1/0/5, fastethernet 1/0/24 - 36
Switch(config)# interface range macro vlan10ports

This is very useful when you need to configure non-contiguous ports with the same settings, like VLAN associations or port aggregation in the form of EtherChannel bundles. At that point you will enter interface configuration mode for the range defined with the define interface-range command.

Describing Ports

You can describe ports using the description interface configuration mode command. This is helpful to network administrators when they want to identify the function of the port, describe the device attached to the port, or when taking notes during maintenance outages. The description is locally significant to the port. In the following example we add a description to the interface Fast Ethernet 0/2, saying "Application Server, Building C":

Switch(config)# interface fastethernet 0/2
Switch(config-if)# description Application Server, Building C

Port Speeds

You can manually assign specific port speeds to some Ethernet interfaces using the interface configuration command speed. Fast Ethernet ports can be assigned speeds of 10Mbps, 100Mbps and Auto, the default, for auto-negotiation. Gigabit Ethernet GBIC ports are always set to 1000Mbps. It is not possible to configure them with another speed. 1000BASE-T ports, on the other hand, can be configured as 10, 100 and 1000Mbps and Auto, the default.
Here is an example:

Switch(config-if)# speed {10 | 100 | 1000 | auto}

If a 10/100 or a 10/100/1000 port is configured with Auto as its speed, both speed and duplex mode will be auto-negotiated. This can cause problems on your network.

Port Duplex Mode

You can assign the link mode of specific switch ports. The possibilities offered in the configuration are half duplex, full duplex and auto-negotiation. Auto-negotiation is only allowed on Fast Ethernet and Gigabit Ethernet ports. In this mode, the ports try to use full duplex operation first, and if that fails, fall back to half duplex mode. Auto-negotiation starts every time one of the link's status changes. Cisco recommends that you set both speed and duplex mode manually on each switch port. Here are a couple of configuration examples:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# interface fastethernet 0/10
Switch(config-if)# speed 100
Switch(config-if)# duplex full

In this case Fast Ethernet 0/1 was configured to auto-negotiate both speed and duplex mode. Fast Ethernet 0/10 was assigned a link speed of 100Mbps and full duplex operation.

Errors on Switch Ports

Switches have mechanisms to detect errors in practically any possible way. You can configure a switch port to be shut down automatically when certain error conditions are detected. Network management applications can also be used to inform network administrators of the occurrence of certain types of errors. When a switch detects an error on a port, the port is put in the errdisable state and is shut down. This can be manually tuned so that the switch only puts the port in the errdisable and shut down condition for the types of errors that the network administrator determines are important. You can configure this function with the following command:

Switch(config)# errdisable detect cause [all | cause-name]

Cause-name is one of the several possibilities that could occur. They are the following:

all - Detects every possible cause.
arp-inspection - Detects errors with dynamic ARP inspection.
bpduguard - Detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast.
channel-misconfig - Detects an error with an EtherChannel bundle.
dhcp-rate-limit - Detects an error with DHCP snooping.
dtp-flap - Detects when the trunking encapsulation is changing from one type to another.
gbic-invalid - Detects the presence of an invalid GBIC or SFP module.
ilpower - Detects an error with offering inline power.
l2ptguard - Detects an error with Layer 2 Protocol Tunneling.
link-flap - Detects when the port link state is flapping between the up and down states.

loopback - Detects when an interface has been looped back.
pagp-flap - Detects when an EtherChannel bundle's ports no longer have consistent configurations.
psecure-violation - Detects conditions that trigger port security configured on a port.
rootguard - Detects when an STP BPDU is received from the root bridge on an unexpected port.
security-violation - Detects errors related to port security.
storm-control - Detects when a storm control threshold has been exceeded on a port.
udld - Detects when a link is seen to be unidirectional (data passing in only one direction).
unicast-flood - Detects conditions that trigger unicast flood blocking on a port.
vmps - Detects errors when assigning a port to a dynamic VLAN through a VLAN Membership Policy Server (VMPS).

The most common violations are security violations, such as a new MAC address learned on a port that has already learned the maximum number of MAC addresses allowed through it. Another very common cause is the BPDUguard violation. This one will be explained in detail later in this domain. By default, switch ports need to be manually re-enabled when they are put in the errdisable state, by issuing shutdown and then no shutdown on the offending switch port using the CLI. You can configure a switch so it doesn't leave the port in the errdisable state when certain situations happen. The switch still puts the port in the errdisable state, but then re-enables the port after a specified period of time. 300 seconds is the default time, but it can also be modified. Here are the commands that achieve this:

Switch(config)# errdisable recovery cause [all | cause-name]
Switch(config)# errdisable recovery interval seconds

In the first line, the cause-name comes from the list of possible error conditions described above, and all means exactly that: all conditions will be recovered after the recovery interval. The second line specifies the amount of time the port will remain in the errdisable state. As stated earlier, the default period is 300 seconds. To troubleshoot port states, speed and duplex mode, use the show interfaces EXEC mode command.
It will show you a lot of information, such as layer 1 and 2 operational status, speed of the link, duplex mode, MTU, encapsulation, Ethernet type and several error counters.

Virtual LANs

A virtual LAN or VLAN is a switched network provided by the logical segmentation of a network, consisting of a single broadcast domain, regardless of the physical location of the hosts. VLANs have the same characteristics as a physical LAN, as if they were on their own separate switch. If a switch port belongs to a VLAN, unknown destination unicasts, multicasts and broadcasts for that VLAN (network segment) are sent out that port, just as if it were a physical LAN. Any switch port can be assigned to a VLAN. Unicast, multicast and broadcast frames sent from a port assigned to a certain VLAN will only be flooded to ports belonging to the same VLAN. This segmentation of broadcast domains helps to make the network more efficient. In order for a host to communicate with another outside its VLAN, the packet must be routed with a router or Layer 3 switch. As an independent logical network, a VLAN contains its own Management Information Base (MIB) information and has the capability to support its own instance of spanning tree protocol. Spanning tree protocol will be covered in detail later.

VLANs were introduced to solve the problems associated with the flat network topology, which is nothing more than a big switched network, a single broadcast domain. This type of network is very inefficient and not exactly scalable. In the flat network, broadcasts are received by all hosts, dramatically affecting network performance by consuming unnecessary bandwidth and provoking unnecessary use of router and switch processing resources. VLANs segment the network so hosts that don't require constant access to others stay in different VLANs, and are prevented from receiving broadcasts that might not be necessary for them. Equally, hosts in the same VLAN are generally performing similar functions and therefore require and work constantly with the same resources. For a host to communicate with another in a different VLAN, routing must take place, exactly as it would be required if the communication was between hosts in different physical networks. As stated, any port in a switch can belong to a VLAN. You can configure a port for a certain type of VLAN membership, which determines the kind of traffic the port will carry. These memberships are static access, dynamic access, trunk and tunnel (dot1q tunnel). A static-access port can belong to one VLAN and is configured manually (hence the term static). By default, all ports belong to VLAN 1, the native or administration VLAN, are set to type Ethernet VLAN and have a maximum transmission unit (MTU) of 1500. It is also important to know that VLAN memberships are kept in hardware, which provides great efficiency because it doesn't require complex table lookups. But it also means that you can configure only a finite number of VLANs on a switch. Every switch model has a maximum limit as to the number of VLANs that it can maintain. To assign a VLAN, you must first create it. Issue the vlan vlan-id global configuration mode command to create the VLAN. Be aware that Cisco IOS switches support VLANs from 1 to 1005, with 1002 to 1005 reserved and automatically created for special uses.
Cisco IOS switches can also use extended VLANs, with IDs from 1006 to 4094. In order for the switch to accept VLANs in this range, VLAN Trunking Protocol (VTP) must be configured and the mode should be set to transparent. VTP will be covered in detail later. After you create the VLAN, you assign the port to the VLAN. Here is an example:

Figure 5: Assigning Ports to a VLAN

In the above example, we created VLANs 2 and 3, and then told the switch that Fast Ethernet 0/1 was going to be a switch port (not used for routing; this is only necessary in multilayer switches) with the switchport interface configuration mode command. Then we configured the interface to be an access port with the switchport mode access interface configuration mode command, and finally assigned the port to VLAN 2 with the switchport access vlan 2 interface configuration command.

Dynamic VLANs provide membership to hosts based on their MAC addresses. VTP and a VLAN Membership Policy Server (VMPS) are required to use this type of VLAN assignment. Dynamic VLANs and their configuration are out of the scope of the SWITCH exam and course, but it is a very important feature worth learning. Cisco has a very detailed introduction to the concept of VMPS, along with step-by-step instructions on setting one up, on their website. Some considerations you must take into account before deploying VLANs are: the number of VLANs depending on traffic patterns, application types, segmentation of common workgroups and network management requirements. There are also important design considerations that must be observed. Cisco recommends that VLAN data shouldn't move beyond the distribution layer switch. If you are dragging VLANs between distribution blocks, you have a poorly designed network. Also, VLANs should never reach the network's core according to current best practices. In essence, we must design our VLANs to keep broadcast and multicast traffic away from the core. Core switches are meant to switch packets at very fast speeds. By eliminating broadcast traffic, we make our core extremely efficient. The IP addressing scheme must allow for all hosts in the VLAN. That is, if you have a /24 network mask, you shouldn't require more than 254 hosts in that VLAN. Also consider network contiguity, since it allows more efficient route summarization, which allows for much more efficient routing and general resource utilization. There are two major VLAN designs: End-to-End and Local. They follow the 80/20 rule and the 20/80 rule respectively.

1. End-to-End VLANs span the entire network regardless of the physical location of the user. This type of VLAN should be designed with the 80/20 rule in mind, which means that 80% of the traffic will be local and 20% will traverse the network core to a remote destination. End-to-End VLANs must group users with common network resource requirements. They must be accessible from every access layer switch to accommodate mobile users.
End-to-End VLANs are rarely found in today's enterprise networks because their data must be allowed to traverse the core network. That means broadcast and multicast traffic will pass through it, creating the possibility of a nasty broadcast storm or switching loop that spans the entire network. It also unnecessarily uses network resources in the core, which can cause major network disruptions. These types of problems are very difficult to troubleshoot because of their potentially huge scope. Cisco recommends avoiding End-to-End VLANs whenever possible because of these possible issues.

2. Local VLANs follow the 20/80 rule: 20% of the traffic remains local while 80% will traverse the network core. Local VLANs group users by physical location, and their size varies from one switch to an entire building. This kind of VLAN allows for easier management and better scalability.

Trunk Links

Trunk links are switch ports that allow transit of several VLANs. Trunk links are useful and most often found connecting switches to switches and switches to routers. The trunk can support one, several or all active VLANs in the switch. Cisco switches support trunking on Fast Ethernet interfaces and up. You cannot trunk a 10 Mbps Ethernet interface. When creating trunks that transport multiple VLANs, switches need a method to identify data from different VLANs passing through the trunk. This is known as VLAN tagging. Switches on both ends must use the same method of identification. Cisco uses the 802.1Q protocol and the ISL protocol to identify these frames with their corresponding VLANs.

Inter-Switch Link Protocol (ISL) is Cisco's proprietary protocol that encapsulates Ethernet frames between a header and a trailer, adding 26 bytes in the header and 4 bytes in the trailer. The source VLAN is identified in the 15-byte VLAN ID field in the header, while the trailer contains a cyclic redundancy check for the new re-encapsulated frame. The switch doesn't add ISL encapsulation when the frame arrives at its destination port (ISL is only used on trunk links). ISL is only supported in older IOS versions. It is no longer supported in Cisco Catalyst switches. ISL is almost never found on networks today, and newer switch IOS trains have completely removed the use of this tagging protocol.

The IEEE 802.1Q protocol is the industry standard used to identify VLANs passing through a trunk link. 802.1Q doesn't encapsulate the Ethernet frame as ISL does; it simply tags the frame with the VLAN information. This method is also called frame tagging, single tagging or internal tagging. The VLAN information is inserted next to the address fields. 802.1Q adds 4 bytes to the Ethernet frame. 802.1Q also uses the concept of a native VLAN, which is basically a way to allow hosts to be connected to a trunk link. When a frame is received by the switch and sent to a host connected to a trunk link, the switch forwards the frame out the trunk port without adding any tags. When traffic that belongs to the native VLAN is sent along a trunk, those frames pass through the trunk untagged. Since both VLAN identification protocols increase the size of the Ethernet frames, this creates a problem related to the MTU, the maximum transmission unit, which cannot exceed 1518 bytes. ISL has Cisco proprietary mechanisms to deal with this issue, and there is an IEEE standard, IEEE 802.1ac, that extends the maximum frame size to 1522 bytes.

Dynamic Trunking Protocol (DTP) is another Cisco proprietary protocol that negotiates a common trunking mode between two connected switches. The negotiation involves the encapsulation (ISL or 802.1Q) and whether the link becomes a trunk or not.
If the two switches are ISL-capable, this will be the preferred encapsulation. DTP is activated by default on Cisco switch ports, and DTP frames are sent out every 30 seconds. DTP is turned off when you configure a port as an access port, or set it to non-negotiate with the interface configuration mode command switchport nonegotiate. You should disable DTP on ports connected to non-trunking routers, firewall interfaces or hosts. This saves bandwidth and switch resources. Switches can only perform trunk auto-negotiation if both belong to the same VLAN trunking protocol domain (VTP will be covered later) or if the VTP domain hasn't been defined.

Trunk Configuration

Switch ports are access ports by default, but they actively try to form a trunk (switchport mode dynamic desirable) as long as the other end agrees to form the trunk. The following are the commands required to configure a port as a trunk:

Switch(config)# interface type mod/port
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}

The interface type mod/port global configuration mode command enters interface configuration mode. switchport defines the port as a layer 2 port, meant for switching. switchport trunk encapsulation {isl | dot1q | negotiate} defines the encapsulation. If negotiate is chosen, and both formats are available, ISL is preferred. Negotiate is the default. switchport trunk native vlan vlan-id defines the native VLAN. Be careful with this option! The native VLAN is crucial information for the trunk and its negotiation. Improper configuration can result in VLAN leakage and several types of security vulnerabilities that will be explained in detail in the security section of this guide. switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}: by default all active VLANs are allowed on a trunk. That can be changed with this command. vlan-list is a list of VLANs, and is defined exactly as we defined a range with the interface range command: individual VLANs separated by commas (for example 1, 3, 5, 7) and a contiguous block written as a first-last range. Since all active VLANs are allowed by default, use add or except to specify a range of VLANs not allowed to pass through the trunk. Use remove to remove one or a list of VLANs from the allowed list of VLANs. Remember all active VLANs are allowed by default. An active VLAN is one that has ports assigned to it in the switch. The trunk can be formed with any of the following commands:

switchport mode trunk interface configuration command: The port automatically becomes a trunk. The encapsulation is negotiated by default, but if you want to prevent this negotiation from taking place, manually configure the encapsulation. Remember that if both encapsulation protocols are available, ISL will be preferred. Also remember current versions of the IOS don't support ISL. DTP frames are sent out by default if the port is not configured with the switchport nonegotiate interface configuration command.

switchport mode dynamic desirable interface configuration command: This is the default. This port will actively try to negotiate a trunk with the other end.
The only time this port won't become a trunk is when the other end is configured as an access port.

switchport mode dynamic auto interface configuration command: A port with this configuration will form a trunk, but it will not actively attempt to do so. This means that the port will form a trunk with another port configured as a trunk or as dynamic desirable, but not with another dynamic auto port or an access port.

It is a Cisco recommended practice that you configure all non-trunking ports as access ports. It is also a best practice to avoid the auto settings, or any other setting that involves some kind of automatic negotiation. Negotiation widens the attack surface (gives possible attackers new vulnerabilities that can be exploited) and can result in suboptimal network performance if the negotiation is affected and the best options are not agreed.
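To turn the recommendations of this section into a repeatable check, the following Python script (an added example, not part of the manual) parses a running-config and flags ports still in DTP dynamic modes, trunks still negotiating encapsulation or sending DTP frames, trunks whose native VLAN is still 1, and ports left at speed or duplex auto. The running-config, interface names and VLAN numbers are constructed for the example.

```python
"""Audit switch-port configuration against the trunking practices in this section
(added example; not from the manual). The running-config below is constructed."""
import re
from typing import Dict, List

# Constructed sample running-config; interface names and VLANs are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description Application Server, Building C
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 speed 100
 duplex full
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
 switchport trunk encapsulation negotiate
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global line closes the block
    return interfaces


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Return findings for one port, starting from the defaults the text describes."""
    mode = "dynamic desirable"  # default trunking mode per the text
    encap = "negotiate"         # default encapsulation per the text
    native = 1                  # default native VLAN
    speed = duplex = "auto"     # default when nothing is configured
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport trunk encapsulation "):
            encap = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif line.startswith("speed "):
            speed = line.split()[1]
        elif line.startswith("duplex "):
            duplex = line.split()[1]

    findings = []
    trunk = mode == "trunk"
    if mode.startswith("dynamic"):
        findings.append(f"{name}: '{mode}' relies on DTP; use 'switchport mode access' or 'switchport mode trunk'")
    if trunk and encap == "negotiate":
        findings.append(f"{name}: encapsulation negotiated (ISL preferred if available); set 'switchport trunk encapsulation dot1q'")
    if trunk and native == 1:
        findings.append(f"{name}: native VLAN left at 1; move it to an otherwise unused VLAN")
    if trunk and not nonegotiate:
        findings.append(f"{name}: DTP frames still sent every 30 s; add 'switchport nonegotiate'")
    if speed == "auto" or duplex == "auto":
        findings.append(f"{name}: speed/duplex auto-negotiated; set both manually and identically on both ends")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface block in the config."""
    return {n: audit_interface(n, l) for n, l in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, issues in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```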

Troubleshooting VLANs and Trunk Ports

There are several useful commands when verifying and troubleshooting VLANs and trunk ports. Here are the ones you need to know for the exam. The show interface type mod/number switchport command provides a lot of information that should be used for VLAN configuration verification. Here is an example:

Figure 6: VLAN Verification

Let's run through some of the key points in this output:

Switchport: Enabled, refers to the layer 2 operational status of the port (for MLS).
Administrative Mode: dynamic auto, refers to the trunking mode configured on the port.
Operational Mode: static access, refers to the actual operating mode of the port. In this case, even though this port was configured as dynamic auto, the port became an access port. This can have several causes. The most common is when the port at the other end is an access port or was also configured as dynamic auto (remember this kind of dynamic negotiation doesn't actively try to form a trunk, but forms one if the other end is trying, for which it must be configured as a trunk or as dynamic desirable).
Administrative Trunking Encapsulation: dot1q, verifies that the port is configured to use 802.1Q as its trunking encapsulation.
Negotiation of Trunking: On, verifies that DTP frames are being sent every 30 seconds on the interface.
Trunking Native Mode VLAN: 1 (default), simply verifies that the native VLAN for 802.1Q trunking is 1, which is the default.
Trunking VLANs Enabled: ALL, this is also a default setting. All VLANs are currently allowed on the trunk port. No exceptions have been configured.

Some of the other information provided in this output will be examined later in the guide. Another very useful command is the show vlan id vlan-id EXEC command. Here is a sample output:

Figure 7: Output from the show vlan id Command

The output shows that various ports on modules 2 and 4 are configured to run on VLAN 2. You can also see a lot of valuable information and verify configuration with the show interface [type mod/number] trunk EXEC command. Here is a sample output:

Figure 8: Output from the show interface trunk Command

To see if Dynamic Trunking Protocol (DTP) is being used and how it is being used, use the show dtp [interface type mod/num] command. You can issue the command as show dtp, but specifying an interface will display a lot more DTP information.

VLAN Trunking Protocol (VTP)

VTP was developed by Cisco to manage VLANs belonging to switches in the enterprise network or within the same administration domain. VTP allows every switch in the domain to have an overall view of the active VLANs. VTP also allows network administrators to create, edit, delete or restrict VLANs and propagate this information to all switches in the network. It also allows the network administrator to define which switches in the network will be allowed to create, modify and edit VLAN settings. A switch can only participate in one domain, or management domain. Switches belonging to different domains do not share VTP information. VTP allows network administrators to make configuration changes centrally on certain switches and have those changes replicated to all other switches in the domain. Careful planning of which switches are server, client or transparent is needed to properly use this protocol. VTP uses layer 2 frames to communicate VTP information between switches in the same domain. These frames are called VTP advertisements and they let other switches in the same management domain know about active VLANs and specific VLAN parameters. There are three VTP operating modes.

1. Server mode - The default mode. Allows a switch full control of the VTP domain. A switch in server mode is allowed to create, modify or delete VLANs and then propagate these changes to the rest of the switches in the management domain. There must be at least one switch running in server mode in every VTP management domain. A switch in server mode should be physically secure.
2. Client mode - Switches in this mode receive and propagate VTP information, but are not allowed to create, modify or delete VLANs.
3. Transparent mode - Switches in this operating mode are allowed to create, modify or delete VLANs, but these are locally significant, meaning the switch will not send VTP advertisements to the domain with its VLAN information.

There are two versions of VTP, version 1 and version 2.
The main difference between the two is that in version 2, a switch in transparent mode receives and propagates VTP advertisements from other switches (even if the management domain name doesn't match), while in version 1 it doesn't. VTP advertisements are multicasts sent out the switch uplink ports. The multicast MAC address is 01-00-0C-CC-CC-CC. VTP advertisements carry the VTP management domain name, VLAN information and the VTP configuration revision number, which is used to verify whether the switch is receiving an updated advertisement. If the switch has configuration revision number 3, and receives a VTP advertisement with configuration revision number 1, it doesn't accept the changes reflected in the advertisement. If the number is 4, it accepts the changes in the advertisement and updates the switch VLAN configuration (VLAN database), while updating its configuration revision number to match the one received in the advertisement. The higher the revision number, the more trusted the information is. When you install a new switch, you must make sure the configuration revision number is set to a number below what is currently being advertised. This prevents the VTP synchronization problem, which happens when a new switch (with an incorrect VLAN database configuration) has a higher configuration revision number than the other switches in the VTP domain. To reset the configuration revision number to zero, you can take one of the following steps:

1. Change the VTP domain name to an arbitrary name and then change it back to the real VTP domain name. At that point the configuration revision number should be reset to zero (0).
2. Change the switch to transparent mode and then change it back to server or client mode.
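The revision-number rule and the synchronization problem above, modelled in Python as an added example (not part of the manual, and also illustrating the NULL-domain learning described under VTP Configuration): a switch accepts an advertisement for its domain only when the revision is higher than its own, so a stale switch carrying revision 5 overwrites a production domain at revision 3, while the same switch reset to revision 0 by either method is ignored and instead learns the production VLANs. Switch names, the domain name and VLAN numbers are constructed.

```python
"""Model of VTP configuration-revision handling (added example; not from the manual).
Switch names, domain name and VLAN numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]  # vlan-id -> name


@dataclass
class VtpSwitch:
    name: str
    domain: str = ""       # NULL domain by default
    mode: str = "server"   # server is the default mode
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def receive(self, adv: Advertisement) -> bool:
        """Apply an advertisement; True if the VLAN database was replaced."""
        if self.mode == "transparent":
            return False  # transparent switches keep their local database
        if self.domain == "":
            self.domain = adv.domain  # a NULL-domain switch learns the domain
        elif adv.domain != self.domain:
            return False  # other domains are ignored
        if adv.revision <= self.revision:
            return False  # same or lower revision: ignored
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return True

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans))

    def change_vlans(self, vlans: Dict[int, str]) -> Advertisement:
        """Server-mode VLAN edit: bump the revision and emit the advertisement."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: only server mode may edit VLANs")
        self.vlans = dict(vlans)
        self.revision += 1
        return self.advertise()

    def reset_revision(self, method: str) -> None:
        """The two resets from the text: rename the domain and back, or go transparent and back."""
        if method == "domain-rename":
            saved = self.domain
            self.domain = "tmp-reset"   # arbitrary temporary name
            self.revision = 0
            self.domain = saved
        elif method == "transparent":
            saved = self.mode
            self.mode = "transparent"
            self.revision = 0
            self.mode = saved
        else:
            raise ValueError(method)


def production_core() -> VtpSwitch:
    """Constructed production server at revision 3 with VLANs 1, 10 and 20."""
    return VtpSwitch("core", domain="preplogic", revision=3,
                     vlans={1: "default", 10: "users", 20: "servers"})


def synchronization_problem() -> Tuple[Dict[int, str], int]:
    """A lab switch with stale VLANs but revision 5 is plugged into the domain."""
    core = production_core()
    stale = VtpSwitch("lab", domain="preplogic", revision=5,
                      vlans={1: "default", 99: "lab"})
    core.receive(stale.advertise())
    return core.vlans, core.revision   # production VLANs 10 and 20 are gone


def safe_join(method: str) -> Tuple[bool, Dict[int, str], int]:
    """Same lab switch, but its revision is reset to 0 before it is connected."""
    core = production_core()
    new = VtpSwitch("lab", domain="preplogic", revision=5,
                    vlans={1: "default", 99: "lab"})
    new.reset_revision(method)
    accepted = core.receive(new.advertise())  # revision 0 < 3: ignored
    new.receive(core.advertise())             # the new switch learns from the core
    return accepted, new.vlans, new.revision


if __name__ == "__main__":
    print("unsafe:", synchronization_problem())
    print("safe:  ", safe_join("domain-rename"))
```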

By default, advertisements are sent in non-secure mode. You can set up a password in order to make the transmissions secure. You need to configure the password in every switch in the management domain. Keep in mind that the VTP passwords shared between switches are sent in clear text. VTP advertisements are sent out when VLAN changes occur in a switch in VTP server mode, or when a switch configured as a client requests the advertisement when it boots. The different advertisements are:

Summary advertisements - These advertisements are sent periodically every 300 seconds and they are also triggered when a change is made to the VLAN configuration in the switch. The summary advertisement contains the information necessary for other switches to make the proper changes, and also security features. The information found in summary advertisements is the following: domain name, configuration revision number, time stamp, password, MD5 code, and the number of subset advertisements (defined next) that will follow.
Subset advertisements - These are sent when a VLAN configuration change occurs, such as the creation of a new VLAN, port assignments, renaming of a VLAN, MTU size, VLAN type (Ethernet, token ring, etc.), VLAN number, security association identifier (SAID) and VLAN name. Information for each VLAN is sent independently in sequential subset advertisements.
Advertisement requests from clients - When a client switch hears a summary advertisement with a higher revision number, or it has been reset, or the VTP domain name has been changed, it sends an advertisement request to server switches. The server then responds with a summary advertisement and subsequent subset advertisements for each existing VLAN.

Catalyst switches configured with VTP in server mode store VLAN and VTP information in the vlan.dat file in the flash memory file system. This is to prevent the switch from losing its VLAN and VTP configuration when it is restarted. Even if the running config is erased and the switch is rebooted, the VLAN configuration remains. In order to clear out the VLAN configuration, the vlan.dat file must be deleted.
For most fixed cofiguratio switches, such as the 3560, issue the delete flash:vla.dat privileged Exec commad. VTP Cofiguratio By default, Cisco Switches are i VTP server operatioal mode for the maagemet domai NULL, which meas the mode is left blak, with o password cofigured. If it hears a VTP advertisemet, it lears the VTP domai ame, VLANs ad cofiguratio revisio umber. The problem arises whe the ew switch for some reaso comes with a cofiguratio revisio umber that is higher tha the oe ruig i the cofiguratio revisio umber of the VTP domai of the etwork. To avoid this, it is a recommeded practice that you first start your switch out of the productio etwork ad cofigure the VTP domai ame ad also reset the cofiguratio revisio umber to 0, prior to coectig the switch to the productio etwork. LearSmart Cloud Classroom: Video Traiig Mauals
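The revision rule and the synchronization problem described above, as an added example in Python (not code from the manual): it decodes a VTP summary advertisement using the VTP v1/v2 header layout (version, code, followers, domain length, 32-byte domain name, revision, updater IP, 12-byte timestamp, MD5 digest), then models a production server receiving an advertisement from a newcomer with a higher revision, before and after the revision reset. The domain name, revision numbers, VLAN tables and frame bytes are constructed for the example, and the VLAN database is handed over directly instead of through subset advertisements.

```python
"""Added example, not code from the LearnSmart manual: decode a VTP summary
advertisement and apply the configuration-revision rule that decides whether a
switch accepts it, including the 'VTP synchronization' failure the text warns
about.  The header layout is the VTP v1/v2 summary advertisement format; the
bytes, domain names and VLAN tables below are constructed for the example, and
the VLAN database is handed over directly instead of via subset advertisements."""
import struct
from dataclasses import dataclass, field

VTP_MCAST_MAC = "01-00-0c-cc-cc-cc"   # destination of every VTP advertisement
SUMMARY = 0x01                        # subset = 0x02, advertisement request = 0x03


@dataclass
class SummaryAdvert:
    version: int
    followers: int        # number of subset advertisements that follow
    domain: str
    revision: int
    updater_ip: str
    timestamp: str
    md5_digest: bytes


def parse_summary(payload: bytes) -> SummaryAdvert:
    """Decode the 72-byte summary advertisement: version, code, followers,
    domain length, 32-byte domain, revision, updater IP, 12-byte timestamp, MD5."""
    if len(payload) < 72:
        raise ValueError("truncated VTP summary advertisement")
    version, code, followers, dom_len = struct.unpack_from("!BBBB", payload, 0)
    if code != SUMMARY:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    domain = payload[4:4 + min(dom_len, 32)].decode("ascii")
    revision, = struct.unpack_from("!I", payload, 36)
    updater_ip = ".".join(str(b) for b in payload[40:44])
    timestamp = payload[44:56].decode("ascii", "replace")
    return SummaryAdvert(version, followers, domain, revision, updater_ip,
                         timestamp, payload[56:72])


def build_summary(domain: str, revision: int, followers: int = 0,
                  updater_ip: str = "10.0.0.1", version: int = 2) -> bytes:
    """Encode a summary advertisement (digest left as zeros; it is not verified here)."""
    name = domain.encode("ascii")
    ip = bytes(int(o) for o in updater_ip.split("."))
    return (struct.pack("!BBBB", version, SUMMARY, followers, len(name))
            + name.ljust(32, b"\0") + struct.pack("!I", revision)
            + ip + b"111110300000" + bytes(16))


@dataclass
class VtpSwitch:
    """The VTP state that matters for the revision rule."""
    domain: str
    revision: int = 0
    mode: str = "server"
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode: str) -> None:
        if mode == "transparent":
            self.revision = 0           # reset method 2: pass through transparent mode
        self.mode = mode

    def set_domain(self, domain: str) -> None:
        if domain != self.domain:
            self.revision = 0           # reset method 1: change the domain name (and back)
        self.domain = domain

    def accept(self, adv: SummaryAdvert, advertised_vlans: dict) -> bool:
        """Server and client rule: same domain and a strictly higher revision wins,
        and the whole VLAN database is replaced by what was advertised."""
        if self.mode == "transparent" or adv.domain != self.domain:
            return False
        if adv.revision <= self.revision:
            return False                # older or equal revision: ignored
        self.revision = adv.revision
        self.vlans = dict(advertised_vlans)
        return True


def sync_demo() -> dict:
    prod_vlans = {1: "default", 10: "users", 20: "voice"}
    newcomer = VtpSwitch("preplogic", revision=12, mode="client")   # lab switch, VLAN 1 only

    # Unsafe: plugged straight in, its higher revision overwrites production.
    prod = VtpSwitch("preplogic", revision=10, vlans=dict(prod_vlans))
    adv = parse_summary(build_summary(newcomer.domain, newcomer.revision))
    wiped = prod.accept(adv, newcomer.vlans) and sorted(prod.vlans) == [1]

    # Safe: reset the revision first (transparent and back); the advert is now stale.
    prod = VtpSwitch("preplogic", revision=10, vlans=dict(prod_vlans))
    newcomer.set_mode("transparent")
    newcomer.set_mode("client")
    adv = parse_summary(build_summary(newcomer.domain, newcomer.revision))
    rejected = not prod.accept(adv, newcomer.vlans)
    return {"wiped": wiped, "rejected_after_reset": rejected,
            "prod_vlans": sorted(prod.vlans)}
```

Note that the newcomer is modelled as a client: a client with a higher revision number propagates its database just as a server does, which is why the reset is needed regardless of the mode the new switch arrives in.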

The show vtp status EXEC command gives a lot of useful information to verify the switch VTP parameters, such as the VTP domain name, the VTP configuration revision number, the maximum number of VLANs supported, the number of existing VLANs, the VTP operating mode (server, client or transparent), whether VTP pruning is on or off (a concept defined later), the MD5 digest, and the IP address of the sender of the last advertisement that produced a configuration change. The following is a sample output:

Figure 9: Output from the show vtp status Command

Here is a sample configuration:

Switch(config)# vtp domain preplogic
Switch(config)# vtp mode server
Switch(config)# vtp password cisco
Switch(config)# vtp version 2

The first line configures the VTP domain preplogic. The second line sets the VTP mode to server (this is the default). The third line sets the password to cisco. Remember that VTP uses MD5 as its hashing type for security. The last line sets VTP to version 2. There are a few considerations with VTP version 2:

1. VTP transparent mode propagates received advertisements from server and client switches. The VTP transparent switch doesn't check the revision number prior to forwarding the VTP advertisements.
2. VTP v2 is not interoperable with v1. A v2-capable switch can coexist with v1 switches, but it will operate in v1 mode.
3. If you decide to run v2 in a management domain, after making sure all your switches are v2 capable, you only need to configure version 2 on one of the server switches in the management domain; the new setting is propagated to the remaining switches, automatically enabling v2 on all capable switches.
4. VTP v2 supports Token Ring switching and Token Ring VLANs.

If two switches are not passing VTP information between each other, verify that the VTP domain names and passwords are identical. To view the VTP password, you can issue the show vtp password command.

Finally, there is a very useful troubleshooting command that presents VTP message and error counters. The show vtp counters EXEC command provides this information. The following is a sample output:

Figure 10: Output from the show vtp counters Command

VTP Pruning

Trunk ports belong to all VLANs by default. Trunks forward all broadcasts and multicasts received by the switch. Sometimes a broadcast or multicast gets forwarded out a trunk port even when the switch on the other end doesn't have the VLAN where the broadcast was generated. VTP pruning was created to address this issue. When VTP pruning is turned on, broadcasts, multicasts and unknown unicasts from a given VLAN are transmitted through a trunk link only if the VLAN is active on the switch at the other end. This offers some protection because user data won't travel across parts of the network where it has no use, so someone attached to such a part of the network cannot sniff flooded traffic from VLANs that are not active there. Keep in mind that pruning is a bandwidth optimization, not an access control: it is dynamic, and as soon as a switch on the far side brings the VLAN up, the VLAN is advertised and the trunk is un-pruned again.

It's important to note that even when VTP pruning is on and has determined a certain VLAN is not needed on a trunk, an instance of Spanning Tree Protocol still runs for every VLAN allowed on the trunk. To prevent an unnecessary STP instance from running on the link, you must manually remove that VLAN from the trunk with the switchport trunk allowed vlan remove vlan-list interface configuration command.

VTP pruning is disabled by default on Cisco switches. To enable it, use the vtp pruning global configuration command. You should use this command on a VTP server; it will advertise that pruning has been enabled, which enables VTP pruning on the rest of the switches in the domain, except switches in transparent mode. On switches in transparent mode you need to manually prune VLANs from unneeded trunks, because VTP pruning is transparent to them. Use the switchport trunk pruning vlan {{add | except | remove} vlan-list | none} interface configuration command to add or remove VLANs from the pruning-eligible list of a trunk link.

By default, VLANs 2 through 1001 are eligible for pruning when you activate it with the vtp pruning global configuration command. VLAN 1 is commonly used as the management VLAN and for this reason it's not eligible for pruning, because it is often propagated throughout the distribution block. VLANs 1002 through 1005 are also not eligible for pruning, since these are special, reserved VLANs for other types of networks (FDDI and Token Ring).

VTP Troubleshooting

It is really important to make sure you don't introduce a switch configured in VTP server mode with a higher configuration revision number than the current one in the domain. As we said before, it is recommended that you test the switch outside the production network and reset the configuration revision number with one of the two methods described earlier before plugging it into your production network. Introducing a switch to the domain that is configured with a higher revision number can delete all of your production VLANs if you aren't careful. Note that a switch in client mode can do the same damage: a client whose database carries a higher revision number also propagates it to the rest of the domain.

There are several reasons why a switch might not receive VTP advertisements and information. These are the most common:

1. The VTP domain name is incorrect or misspelled compared to the other switches within the domain. The client switch needs to have the same VTP domain name as the VTP server. The domain name is case sensitive.
2. The VTP version is not the same as the VTP server's.
3. The VTP password does not match the one configured in the domain.
4. The switch is configured as a VTP client and there are no VTP servers in the domain.
5. One of the links connected to the VTP server is not a trunk port.
6. The switch is configured in transparent mode. Remember that in transparent mode the switch is basically inoperative in the VTP domain. If you are using VTP version 2, the switch will forward advertisements, but it won't create, delete or modify VLAN information based on the advertisements received.

Spanning Tree Protocol (STP)

Spanning Tree Protocol was created to solve the problem of bridging loops, defined in the Switching Operation section earlier. STP is defined in the IEEE 802.1D standard. Without STP, switches are transparent to each other (they don't modify Ethernet frames), and they can't do anything about redundant paths. That means they will forward frames out all uplink ports toward the same destination. STP makes switches aware of each other and allows them to negotiate and block some ports from forwarding frames, which creates a loop-free path to locations with redundant links or paths.

STP communicates with all switches in the network and selects one switch as a reference point (the root bridge), then detects all redundant paths to it. STP then selects the best paths and blocks the less-than-optimal one or ones. STP maintains communication between all switches in the network segment in order to compute the best path among the blocked links when the active path fails.

STP uses Bridge Protocol Data Units (BPDUs) to communicate between switches. A switch sends a BPDU frame out a port using the port's unique MAC address as the source address and the well-known STP multicast address 01-80-C2-00-00-00 as the destination. There are two types of BPDUs:

1. Configuration BPDU: used to compute the spanning tree.
2. Topology Change Notification (TCN) BPDU: announces topology changes in the network.

By default, BPDUs are sent out every two seconds to ensure topology changes and network conditions are updated promptly and loops are identified, prevented or corrected. BPDUs carry all the information necessary for the election of the common reference point of the network segment, along with information such as switch identification and link information helpful to determine the optimal path (path cost) when more than one is available.

The central point we have mentioned a couple of times is a switch called the root bridge. The term bridge remains from the times when bridges were doing the functions now performed by switches. When you hear root bridge, think root switch. The main characteristic of a root bridge is that all its ports are forwarding frames, which is the same as saying that none of its ports are in the blocking state. The STP port states (Blocking, Listening, Learning and Forwarding) are defined later.

The root bridge is elected for a network segment by analyzing the bridge ID, an 8-byte value composed of the bridge priority and the MAC address of the switch. The lowest bridge ID is elected as the root bridge. The bridge priority is a 2-byte value used to establish the priority of a switch in relation to the other switches in the domain. The default on Cisco Catalyst switches is 32,768 or 0x8000. The bridge ID takes the form Bridge Priority:MAC address. As you can see, since the bridge priority is the same in all switches by default, the MAC address is the value used to determine the root bridge. The lowest MAC address wins the election. As you should remember from your CCNA studies, the MAC address is a unique 48-bit value used to identify network adapters and devices. In Cisco switches, the MAC address used comes from the supervisor module or the backplane, from a pool of 1024 addresses assigned to one of these parts. The default selection method is far from optimal because we cannot control MAC addresses, as they are set by the manufacturer. This is why the network administrator must configure the switches and decide which one is elected as the root bridge.

The bridge ID can also be configured as an extended system ID, defined in the IEEE 802.1t standard. In this format the 2-byte priority field is split into a 4-bit priority multiplier (so the configurable priority is a multiple of 4096) plus a 12-bit VLAN ID (the system ID extension), followed by a single MAC address that the switch uses for every VLAN, so it no longer needs a unique MAC address per VLAN. If the switch doesn't support 1024 unique MAC addresses for its own use, the extended system ID is used by default. To use the extended system ID, use the following command:

Switch(config)# spanning-tree extend system-id

When a switch boots up, it automatically assumes it is the root bridge. It then starts sending BPDUs with its own bridge ID as the root bridge ID. It also receives BPDUs from other switches going through the same process, and updates the root bridge ID in its BPDUs when it receives one with a lower bridge ID. All switches in the segment do the same and, as BPDUs with lower root bridge IDs are received, the BPDUs are sent with an updated root bridge ID, until they all agree on a root bridge ID and root bridge. At that point, STP is considered converged. The election process is continuous, with BPDUs sent every 2 seconds. If a new switch with a lower bridge ID enters the network, BPDUs with a lower root bridge ID are propagated and the computation begins again, ending with the election of the new switch as the root bridge. This is exactly how a rogue or misconfigured switch can take over the root role; the Root Guard feature described later exists to prevent it.

Root ports are the ports on non-root switches that provide the lowest cost to the root bridge/switch. A switch selects its root port using the concept of the root path cost, which is the cumulative cost of all links leading to the root bridge. The cost of a single link is called the path cost. Root ports are also always forwarding. You must be careful to learn the difference between path cost and root path cost. Root path cost is a cumulative value that is added to the BPDUs as they move through the switches in the network segment, while path cost is simply the cost associated with a port on a switch.

The term cost was originally defined in the IEEE 802.1D standard as 1000 Mbps divided by the link bandwidth in Mbps. Since the popularity of Gigabit Ethernet, the IEEE now defines cost with a nonlinear scale. Note that the old scale is rarely used and can easily be calculated. The new cost values are the ones shown in the following table:

Link Bandwidth    New STP Cost
4 Mbps            250
10 Mbps           100
16 Mbps           62
45 Mbps           39
100 Mbps          19
155 Mbps          14
622 Mbps          6
1 Gbps            4
10 Gbps           2

Figure 11: STP Costs

The official SWITCH exam guide establishes that the old cost values are now legacy and that the new values are the ones that must be used both in production networks and on the exam.

The root path cost is determined in the following manner:

1. The root bridge originates a BPDU with a root path cost value of 0. This is because its ports don't have to travel through a link in order to reach the root, which is the switch itself.
2. The next switch that receives the BPDU adds the path cost of the port on which the BPDU arrived (derived from the port's speed, unless a cost was configured manually).
3. This second switch sends out BPDUs with this new cumulative root path cost value.
4. The process is repeated every time a neighboring switch receives a BPDU: the cost of the traversed link is added to the cost advertised by the neighboring switch.

It is very important to note that the root path cost is incremented as the BPDUs are received, not as they are sent. When the switch receives a BPDU with a root path cost and adds its link cost, it saves the value so it can later compare the root path cost of other BPDUs to the one it has saved. When a BPDU with a lower root path cost is received, the switch knows that path is better to the root, and it immediately becomes the new root path cost. The process constantly looks for better paths to the root, and that is how the root port is elected. If two ports tie on root path cost, the tie is broken by the lowest sender bridge ID and then by the lowest sender port ID, the same sequence used for designated ports below.

Designated ports: These are forwarding ports connected to a network segment. If more than one port is connected to a network segment, or two different switches share the same network segment, only one port will be elected to forward frames onto it in order to avoid loops. This port is the designated port. The other port will be placed into the blocking state as described below. The designated port election process is as follows:

1. Lowest root bridge ID.
2. Lowest root path cost.
3. Lowest sender bridge ID.
4. Lowest sender port ID.

STP States

When a switch is powered on, before it is able to forward frames transparently as it should, its ports go through several stages or states:

Disabled: These are ports that are shut down by the administrator or that have been disabled by some kind of error condition (errdisabled state). This is a special state and is not a part of the regular STP progression.

Blocking: In this state a port is unable to send or receive data. It only receives BPDUs to start learning about the spanning tree topology. Ports that are put in standby mode also enter the blocking state.

Listening: A port transitions from blocking to listening when the switch thinks the port can become a designated or root port. In this state the port starts accepting frames, but it doesn't populate the MAC address table or forward the frames received. The port is allowed to actively participate in the spanning tree process by sending and receiving BPDUs. The port is also allowed to become a designated or root port because it sends BPDUs of its own.

Learning: After a period of time called the Forward Delay, the port transitions from the listening state to the learning state. The port still sends and receives BPDUs, but now also populates the MAC address table with the source addresses of frames received. The function of this state is to give the switch a little time of participation in the spanning tree process and computations without the ability to forward frames.

Forwarding: After another Forward Delay period, the port is allowed to move to the forwarding state. Now the port sends and receives BPDUs, populates the MAC address table, and forwards frames. It is a fully functional port in the loop-free spanning tree topology.

You can watch the STP process as it transitions between the different STP states by issuing the show spanning-tree interface type mod/port EXEC command multiple times.
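The election described above (root bridge, root path cost, root ports and designated ports), as an added Python example that is not code from the manual: it builds 802.1t extended-system-ID bridge IDs, elects the root, accumulates root path cost on the receiving port using the nonlinear cost table from Figure 11, and applies the four-step tie-break to pick root and designated ports for a small constructed topology. The switch names, MAC addresses, priorities and links are invented; the port ID uses the classic 802.1D layout (8-bit priority, 8-bit port number).

```python
"""Added example, not code from the LearnSmart manual: run the STP election on a
small constructed topology.  It builds 802.1t extended-system-ID bridge IDs,
elects the root, computes root path costs with the 802.1D-1998 nonlinear port
costs, then picks root ports and designated ports with the four-step
tie-break from the text.  Switch names, MACs, priorities and links are invented."""

# "New" 802.1D-1998 port costs, keyed by link speed in Mbps (Figure 11 in the text).
PORT_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 622: 6,
             1000: 4, 10000: 2}


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Extended system ID: 4-bit priority multiplier + 12-bit VLAN ID, then the MAC.
    A tuple is returned so that Python's ordering matches STP's 'lowest wins'."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_id(port_number: int, port_priority: int = 128) -> int:
    """Classic 802.1D port ID: 8-bit port priority (default 128) + 8-bit port number."""
    return (port_priority << 8) | port_number


def elect(switches: dict, links: list, vlan: int) -> dict:
    """switches: name -> (priority, mac); links: (sw_a, port_a, sw_b, port_b, mbps).
    Returns the root, each switch's root path cost and root port, and the role
    of every link end: 'root', 'designated' or 'blocking'."""
    bids = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bids, key=bids.get)            # lowest bridge ID wins the election
    nbrs = {n: [] for n in switches}
    for a, pa, b, pb, mbps in links:
        nbrs[a].append((b, pa, pb, PORT_COST[mbps]))
        nbrs[b].append((a, pb, pa, PORT_COST[mbps]))

    # Root path cost is accumulated on the *receiving* port, so each hop adds the
    # cost of the port on which the root's BPDU arrives.  Resolving switches in
    # increasing cost order is what the continuous BPDU exchange converges to.
    rpc, root_port = {root: 0}, {}
    pending = set(switches) - {root}
    while pending:
        best = None
        for n in pending:
            for nb, my_port, their_port, cost in nbrs[n]:
                if nb in rpc:
                    # Root-port tie-break: cost, then sender bridge ID, then sender port ID.
                    cand = (rpc[nb] + cost, bids[nb], port_id(their_port), n, my_port)
                    if best is None or cand < best:
                        best = cand
        if best is None:
            raise ValueError("topology is not connected")
        cost, _, _, n, my_port = best
        rpc[n], root_port[n] = cost, my_port
        pending.remove(n)

    # Designated port per segment: lowest (root path cost, bridge ID, port ID).
    roles = {}
    for a, pa, b, pb, _ in links:
        key_a = (rpc[a], bids[a], port_id(pa))
        key_b = (rpc[b], bids[b], port_id(pb))
        desig, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[desig] = "designated"
        roles[other] = "root" if root_port.get(other[0]) == other[1] else "blocking"
    return {"root": root, "rpc": rpc, "root_port": root_port, "roles": roles}


# Constructed topology: two distribution switches and two access switches.
SWITCHES = {
    "Dist1":   (24576, "0011.2233.4401"),   # spanning-tree vlan 10 root primary
    "Dist2":   (28672, "0011.2233.4402"),   # spanning-tree vlan 10 root secondary
    "Access1": (32768, "0011.2233.4403"),
    "Access2": (32768, "0000.0c00.0004"),   # lowest MAC, but default priority
}
LINKS = [
    ("Dist1", 1, "Dist2", 1, 10000),
    ("Dist1", 2, "Access1", 1, 1000),
    ("Dist2", 2, "Access1", 2, 1000),
    ("Dist2", 3, "Access2", 1, 100),
    ("Access1", 3, "Access2", 2, 1000),
]


def demo(vlan: int = 10) -> dict:
    return elect(SWITCHES, LINKS, vlan)


if __name__ == "__main__":
    result = demo()
    print("root:", result["root"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw} port {port}: {role} (root path cost {result['rpc'][sw]})")
```

Running elect with every priority left at 32,768 makes Access2 the root purely because it has the lowest MAC address, which is the default-election problem the text describes.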

STP Timers

STP uses timers to guarantee that the network converges before a loop can occur. These timers are:

Hello Time: The interval at which the root bridge sends configuration BPDUs. The default, as we said earlier, is 2 seconds. You only need to configure this setting on the root bridge, because non-root bridges only relay the root bridge's configuration BPDUs.

Forward Delay: The period of time, 15 seconds by default, that a port spends in each of the listening and learning states.

Max Age: The time a switch keeps a BPDU before considering it outdated. While STP runs, a switch keeps the BPDU from the best source (the best BPDU) on each port. Max Age is the maximum time the switch will keep that BPDU after it last received it. The default Max Age value is 20 seconds.

These timers should only be changed after serious consideration. The changes should be made on the root bridge switch, which propagates them in its BPDUs to all the switches participating in the spanning tree. If you change STP timers to try to improve convergence time, switching loops can occur.

Topology Changes in STP

Switches send a Topology Change Notification (TCN) BPDU when they detect a topology change. A topology change is registered when a port moves from the forwarding or learning state to the blocking state, or when a port moves to the forwarding state. When either of these happens, the switch sends a TCN BPDU out its root port so that the root bridge receives it. Every upstream switch that receives the TCN BPDU forwards it toward the root switch and sends back to the sender an acknowledgement (a configuration BPDU with the Topology Change Acknowledgement flag set). Finally, the root bridge receives the notification that a topology change has occurred and acknowledges it. The root then sets the Topology Change flag in its configuration BPDUs, which are propagated to all the switches in the switched domain.

When these configuration BPDUs are received by every non-root switch in the network, they shorten their bridge table (MAC address table) aging time from the default of 300 seconds to the Forward Delay time of 15 seconds. This forces a faster purge of the MAC address table in order to prevent problems associated with the change in the topology, such as frames being forwarded toward ports that no longer lead to their destination. Here are the three different types of topology changes:

Direct Topology Change: The change produced by a link failure. What happens here is a recalculation of the spanning tree, but the changes will be mostly in the switches that have a problem with the link. The whole STP process doesn't go through a massive recalculation.

Indirect Topology Change: The topology change that is detected on a link that appears up on both ends. This kind of disruption is usually created by a device in the path that filters frames, such as a firewall, another switch or a service provider's switch. This kind of failure is detected with the switch's Max Age timer. When BPDUs are no longer received on the port suffering from the frame filtering, the non-root bridge flushes its stored best BPDU after the Max Age timer expires. This makes it accept a better BPDU on a port that is in the blocking state, allowing that port to transition from Blocking to Listening, Learning and finally Forwarding.

Insignificant Topology Change: A topology change that doesn't cause the spanning tree to make any kind of recalculation. This happens when hosts are turned on and off. The port's link state changes and the switch sends a TCN BPDU to the root bridge. The root bridge responds with configuration BPDUs carrying the Topology Change flag, which causes a faster-than-usual flush of the CAM table contents. When you think about it, there is really no problem with STP, as no computation is required. The problem is that in a large network, this constant flushing of the MAC address table significantly impacts network performance, because you will have a lot of unknown unicast flooding.

PortFast is a spanning tree feature that excludes ports connecting to hosts from this process: a PortFast port goes straight to forwarding and doesn't generate a TCN BPDU when the host comes up or goes down. PortFast will be explained and configured later in this section.

STP Types

Spanning Tree Protocol (STP) was developed to prevent switching loops by providing a loop-free logical network topology and to provide recovery from topology changes. Provisions have been made to adapt STP to the changing and evolving structures and features of switched networks. STP was originally developed to work in bridged networks, with basically one instance of STP for the whole segment. Today's networks offer features that require more powerful solutions, and STP has evolved offering several possibilities. The different types of STP encountered in today's networks are:

Common Spanning Tree (CST): This is the IEEE 802.1D standard. The biggest limitation of the original STP is that there is a single instance of it running for all VLANs. This keeps CPU load low during STP calculations but has several limitations, like the inability to load balance traffic for different VLANs. CST BPDUs are transmitted as untagged frames over the native VLAN.

Per VLAN Spanning Tree (PVST): Cisco's proprietary implementation of STP. It provided the powerful feature of one instance of STP for each VLAN. Load balancing is possible. PVST requires ISL, Cisco's proprietary VLAN identification frame encapsulation. Since ISL is no longer supported on current Cisco IOS switches, you won't find PVST in a lot of networks.

Per VLAN Spanning Tree Plus (PVST+): A more advanced Cisco proprietary version of STP. It offers the advantages of PVST and also interoperates with CST. It offers the flexibility of working with both ISL and 802.1Q encapsulation methods.

STP Configuration

Switches run an instance of STP for every active VLAN on them by default. In some cases you can find that STP has been shut down for a specific VLAN or interface. Use the following commands to enable STP:

Switch(config)# spanning-tree vlan 5
Switch(config)# interface fastethernet 0/1
Switch(config-if)# spanning-tree vlan 10

In the first line we use the spanning-tree vlan 5 global configuration command to enable Spanning Tree Protocol on the switch for VLAN 5. This effectively starts an instance of STP for VLAN 5 in case it had been previously shut down. The third line enables STP at the interface level for VLAN 10, using the spanning-tree vlan 10 interface configuration command.

Root bridge selection should not be left to the default method of the protocol, as discussed earlier. It should be controlled by the network administrator. Remember the root bridge is the switch with the lowest bridge ID in the network segment. The bridge ID is the combination of the bridge priority and the MAC address. The default bridge priority is 32,768, which makes the lowest MAC address the deciding factor. With this criterion the slowest switch could end up becoming the root switch, which is far from optimal. We can configure the switch and manipulate the election so we have the root bridge of our choice. There is also a secondary root bridge, which is nothing more than the switch that would take the place of the root bridge if the root fails.

Before we enter configuration commands, it is important to know that the root bridge switch should be placed as close as possible to the center or core layer of the switched network. If we have a server farm, the maximum load will be at the entry/exit point of the farm, and that is where the root should be.

Root Bridge Switch Placement and Configuration

There are two methods to force the election of a root bridge:

1. Assign a bridge priority lower than the default if the rest of the switches in the network are left at their default, or simply make sure the switch you want to become the root has a lower bridge ID than the rest of the switches in the network. The command to achieve this is the following:

Switch(config)# spanning-tree vlan vlan-list priority bridge-priority-value

vlan-list uses the same ranges used with the range global configuration command, and bridge-priority-value is simply the priority; with the extended system ID it ranges from 0 to 61,440 in increments of 4096.

2. Set the switch to automatically select a priority that makes it the root switch:

Switch(config)# spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]

This command is a macro that executes several other commands. The switch chooses its bridge priority depending on the values received from other switches. With primary, it sets its priority to 24,576, or to 4096 less than the current root's priority if that priority is already lower than 24,576. With secondary, it sets its priority to 28,672, so the switch becomes root only if the primary root fails. The diameter specifies the length (the number of switches) of the switched network from the core to the access layer switch connecting endpoints. The default diameter is 7, and this is the value used to calculate the BPDU timers.

To display the STP bridge priority values, use the show spanning-tree vlan vlan-id EXEC command. The following is a sample output:

Figure 12: Output from the show spanning-tree vlan Command

When the switch is the root switch for the STP process, you will see the message This bridge is the root in the Root ID section of the output on Cisco IOS switches. Otherwise, you can compare the Root ID MAC address and the Bridge ID MAC address. If these two match, you are looking at the root bridge.

Notice that when you use the spanning-tree vlan vlan-id root global configuration command, the macro that runs doesn't guarantee the switch will become the root. It is possible that another switch has already been configured with a lower bridge priority, and the macro never goes lower than 4096 below the current root (nor below 0). In this case you need to manually configure the switch with a bridge priority of zero (0) or a value lower than the current root's. It is recommended that you do this and set the priority to a very low value in order to prevent other switches from being elected as root. spanning-tree vlan vlan-id priority priority-value is the global configuration command you should use to achieve this. Note that if two switches both carry priority 0, the lower MAC address still wins, so a low priority alone does not keep an unauthorized switch out of the root role; the Root Guard feature described later does.

Configuring Cost and Port Priority to Manipulate Path Selection

You can manipulate how frames are forwarded on a per-VLAN and/or per-interface basis with spanning-tree commands. This allows the network administrator or designer to load balance traffic between available links. You can modify the path cost associated with a link if you need to make it the preferred route to a destination with the spanning-tree [vlan vlan-id] cost cost interface configuration command. Notice the optional vlan keyword. If you don't specify the VLAN, the cost assigned will be used in all instances of STP, which is the same as saying it will be used in all VLANs. The cost value can range from 1 to 65,535.

Switch(config-if)# spanning-tree vlan 10 cost 100

That line configures the interface to set its path cost to 100 for VLAN 10 traffic. You can see the cost of an interface with the show spanning-tree interface type mod/num [cost] EXEC command.

The Port ID is a 16-bit value composed of the port priority (default 128) followed by the port number. Remember it is used as the final tie breaker in the criteria STP uses to choose a path. The other important command we mentioned is spanning-tree [vlan vlan-list] port-priority port-priority, an interface configuration command that changes the port priority portion of the Port ID.

Configuring STP Timers

You can also manipulate the amount of time the switch spends in the different STP states and the interval between Hello BPDUs. These are the STP timers, and they can be customized to the different requirements of networks. The default timers are determined considering a network diameter of 7. If this value is different, you can manipulate both the diameter and the timers to improve convergence. If the network diameter is bigger, the timers should be increased, while smaller networks can have improved STP convergence time by reducing the STP timers. Remember the network diameter must be determined and considered prior to modifying these timers. The network diameter is the number of switches from the network core to the outermost access layer switch. Here are the commands:

Switch(config)# spanning-tree [vlan vlan-id] hello-time seconds
Switch(config)# spanning-tree [vlan vlan-id] forward-time seconds
Switch(config)# spanning-tree [vlan vlan-id] max-age seconds
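The root primary/secondary macro discussed under Root Bridge Switch Placement and Configuration, as an added Python example that is not code from the manual: it computes the priority the macro would configure from the priority of the root the switch currently sees, then checks whether that priority actually wins the election. It goes one step beyond the text to show that when another switch already advertises priority 0, neither the macro nor an explicit priority 0 guarantees the root role, because the tie falls back to the MAC address. The macro values follow Cisco's behaviour; the case where the macro cannot win is modelled here as raising an error, and the switch names and MACs are invented.

```python
"""Added example, not code from the LearnSmart manual: the priority that the
'spanning-tree vlan N root {primary | secondary}' macro chooses, and a check of
whether that priority actually wins the election.  The macro values (24,576 or
4096 below the current root, 28,672 for secondary) follow Cisco's documented
behaviour; the failure case is modelled as an exception, and the switch names
and MAC addresses are invented."""

DEFAULT_PRIORITY = 32768


def root_macro_priority(current_root_priority: int, role: str = "primary") -> int:
    """Priority the macro configures, given the priority of the root it currently sees."""
    if role == "secondary":
        return 28672
    if role != "primary":
        raise ValueError("role must be 'primary' or 'secondary'")
    if current_root_priority > 24576:
        return 24576
    if current_root_priority >= 4096:
        return current_root_priority - 4096      # one 4096 step below the current root
    # The current root already sits at priority 0: the macro cannot go any lower.
    raise ValueError("current root priority is already 0; the macro cannot win")


def elected_root(priorities: dict, macs: dict) -> str:
    """Lowest (priority, MAC) wins; the MAC only matters when priorities tie."""
    return min(priorities, key=lambda n: (priorities[n], int(macs[n].replace(".", ""), 16)))


def apply_macro(priorities: dict, macs: dict, switch: str, role: str = "primary") -> dict:
    """Run the macro on one switch against the root it currently sees; returns a
    new priority table."""
    current_root = elected_root(priorities, macs)
    new = dict(priorities)
    new[switch] = root_macro_priority(priorities[current_root], role)
    return new


def demo() -> dict:
    macs = {"Core1": "0011.2233.4401", "Core2": "0011.2233.4402",
            "Rogue": "0000.0c00.0009"}
    # Case 1: everyone at the default; the macro on Core1 picks 24,576 and wins.
    prio = {n: DEFAULT_PRIORITY for n in macs}
    case1 = apply_macro(prio, macs, "Core1")
    # Case 2: a rogue switch already advertises priority 0.  The macro cannot go
    # lower, and even an explicit 'spanning-tree vlan 10 priority 0' on Core1
    # only ties on priority, so the lower MAC (the rogue's) still wins.
    prio2 = dict(prio, Rogue=0)
    try:
        apply_macro(prio2, macs, "Core1")
        macro_failed = False
    except ValueError:
        macro_failed = True
    manual = dict(prio2, Core1=0)
    return {
        "case1_priority": case1["Core1"],
        "case1_root": elected_root(case1, macs),
        "macro_failed_vs_rogue": macro_failed,
        "root_after_manual_zero": elected_root(manual, macs),
    }
```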

If you don't use the vlan portion, the commands are applied to all instances of STP running on the switch. You can also change all STP timers on a single switch with the following command:

Switch(config)# spanning-tree vlan vlan-list root {primary | secondary} [diameter diameter [hello-time hello-time]]

After you enter this command with the optional diameter and hello-time parameters, the Max Age and Forward Delay timers will be reconfigured automatically to appropriate values. Notice that the vlan keyword is mandatory in order for this automatic STP timer configuration to take place.

Redundant Link Convergence

Spanning Tree Protocol offers several features that allow faster convergence in certain special situations.

PortFast allows a switch to immediately transition a port from the blocking state to the forwarding state, skipping listening and learning. This feature should only be used on access ports of access layer switches, never on ports facing other switches. The switch keeps running STP on the port: it still sends BPDUs, and if it receives one, the port loses its PortFast status and falls back to the normal state transitions, so a loop is still detected. PortFast is disabled by default, and you can make it the default on all non-trunking ports with the spanning-tree portfast default global configuration command. To enable PortFast at the interface level, use the spanning-tree portfast interface configuration command. Another big benefit is that a PortFast port doesn't send TCN BPDUs when the endpoint comes up or goes down, saving valuable bandwidth and switch resources (CPU utilization). You can also use the switchport host interface configuration command, a macro that enables PortFast on the port (and also sets it to access mode and disables EtherChannel negotiation).

UplinkFast allows a switch with more than one uplink toward the root switch to transition one of the blocked ports to the forwarding state in case the root port fails. The uplink that transitions to the forwarding state will be the one with the lowest root path cost. There are three things to keep in mind when using UplinkFast:

1. The transition from blocking to forwarding doesn't happen instantly. It actually takes 1 to 3 seconds, but compared to the standard process without UplinkFast, which takes approximately 50 seconds, it sure feels instant.
2. UplinkFast is enabled globally and can't be configured on a per-VLAN or per-interface basis.
3. UplinkFast cannot be configured on a root switch.

When the original root port comes back up, it takes its place as the root port and the uplink port activated by UplinkFast goes back to the blocking state. This doesn't happen immediately. The switch uses the following formula to determine how long it should wait after it detects that the root port has come up: (2 x Forward Delay) + 5 seconds, which is 35 seconds with the default timers.

When UplinkFast is enabled, the switch takes two actions to prevent itself from becoming the root switch or a transit path for other switches:

1. The switch priority is set to 49,152, to ensure that all other switches with their default priorities would have to go down before this one could become the root bridge.
2. The STP port cost of every port is increased by 3000. This makes it very unlikely that other switches will use this switch as their path to the root bridge.

41 Maual Cisco To eable Uplikfast use the followig commad: Switch(cofig)# spaig-tree uplikfast [max-update-rate update-value] The max-update-rate establishes how may multicast frames are set to the c-cd-cd-cd MAC address i packets per secods (pps). These frames are set with the source address of all eighbors that happe to be i the CAM table at that time. The itetio is to make these frames flow ad go through the ew uplik port, lettig the other switches kow about the ewly activated path to those source addresses. You should use UplikFast i access layer switches coectig to distributio layer switches. It should ever use them i core layer switches. The risk of havig a switchig loop across the etwork core ad the impact of its occurrece makes it a bad risk maagemet propositio to use uplikfast i the etwork core. It is better to let the root switch or a desigated switch i the etwork core recalculate the STP process ad coverge, eve if this meas a few secods of dowtime. A switchig loop crossig the etwork core will mea a lot more trouble ad dowtime tha the 50 secods that STP will take to coverge. If you wat to see the status of the STP UplikFast use the EXEC commad show spaig-tree uplikfast. BackboeFast is the feature used i the etwork core switches to speed up STP covergece. Whe a switch loses its idirect coectio to the root switch, it starts sedig BPDUs lettig the domai kow it is the root switch. Whe aother switch receives this iferior BPDU, it must wait util the Max Age timer i the port leadig to the iferior BPDU expires, before it starts sedig the superior BPDUs it has received or geerates if it is the root switch. Whe BackboeFast is eabled, the switch does t have to wait for the Max Ager timer to expire before it seds the superior BPDU. BackboeFast uses Root Lik Query (RLQ) protocol. RLQ uses a series of requests ad resposes to detect lik failures. There are two types of RLQ messages: RLQ Query ad RLQ Respose. 
The purpose of the RLQ request is to check connectivity to the root bridge. For this reason the RLQ request is sent out the switch's root port, the port on which it receives BPDUs. The root bridge is specified in the RLQ request. When the RLQ response is received, it specifies the root bridge that originated the response. If the two roots (the one in the RLQ request and the one in the RLQ response) are the same, connectivity is still alive; otherwise, it has been lost. An RLQ query is answered only by the root switch (or by a switch that has itself lost connectivity to the root). Any other non-root switch that receives an RLQ query forwards it toward the root out its own root port. To prevent RLQ response frames from being propagated to segments where they are not needed, the switch originating the RLQ query adds its bridge ID to the frame. That way, when a switch receives a response it knows whether the information is meant for itself, and the frame is not forwarded out its other designated ports.

RLQ must be running on all switches in the network segment participating in the STP process. That is why BackboneFast must be configured on all switches in the network. To enable BackboneFast, use the spanning-tree backbonefast global configuration command on every switch. Make sure you run the command on all switches, or BackboneFast will not work properly. You can check whether BackboneFast has been enabled with the show spanning-tree backbonefast EXEC command. The switch displays a message indicating whether or not the feature has been enabled:

Switch# show spanning-tree backbonefast
BackboneFast is enabled
Switch#

Protecting the STP Process

In this section we will learn the features that help keep a switched network and its STP processes running without disruptions caused by security breaches such as rogue switches.

Root Guard is used at the port level to prevent a switch downstream of the port from becoming the root switch for the network segment. When a switch receives a superior BPDU on a port configured with Root Guard, the switch discards the BPDU and puts the port in the root-inconsistent STP state. Root-inconsistent is operationally equal to the listening state, and no frames are forwarded. Because Root Guard is configured at the port level and cannot be disabled per VLAN, apply it to the ports facing switches that must never be allowed to become root (typically distribution-switch ports facing the access layer), and never to a port that leads toward the legitimate root. Configure Root Guard at the interface level as follows:

Switch(config-if)# spanning-tree guard root

You can check the ports in the root-inconsistent state with the show spanning-tree inconsistentports privileged EXEC command.

BPDU Guard is used to prevent rogue switches from being connected to production switches. Typically it is used on access ports, because this is where a rogue switch is most likely to be plugged into the network. BPDU Guard is used on ports configured with PortFast. If a BPDU is received on a port protected by BPDU Guard, the port is automatically shut down and put in the err-disabled state. You can configure BPDU Guard at both the interface level and in global configuration mode. The following configures BPDU Guard on all ports of the switch (remember that it is only active on PortFast-enabled ports):

Switch(config)# spanning-tree portfast bpduguard default

To configure it at the interface level:

Switch(config-if)# spanning-tree bpduguard {enable | disable}

It is very important to understand the difference between configuring BPDU Guard at the interface level and at the global level:

BPDU Guard at the global level: configures all PortFast-enabled ports to shut down if a BPDU is received.
BPDU Guard at the interface level: the port is shut down if a BPDU is received, whether or not PortFast is enabled on it.

In both cases the shut-down port has to be re-enabled manually from the err-disabled state (shutdown followed by no shutdown), unless errdisable recovery has been configured for the bpduguard cause.

PortFast BPDU Filtering is a useful feature because it allows you to filter BPDUs on PortFast-enabled ports without shutting the port down or putting it in the err-disabled state. You need to be very careful, because this feature works very differently when configured at the interface level and when configured globally. When configured globally, a PortFast-enabled port stops sending BPDUs after link-up; if a BPDU is later received on the port, the port loses its PortFast and BPDU-filtering status and returns to normal STP operation. When configured at the interface level, the port quietly drops every BPDU it receives and sends none, which amounts to disabling STP on that port. This is the dangerous form: if a trunking switch is connected to such a port, a switching loop can form with no STP protection at all. As a general rule, do not enable interface-level bpdufilter on ports that users can physically reach, and do not enable the global form on physically insecure switches without BPDU Guard alongside it.

To enable PortFast BPDU Filtering at the global level, use the following command:

Switch(config)# spanning-tree portfast bpdufilter default

To enable BPDU Filtering at the interface level, use the following command:

Switch(config-if)# spanning-tree bpdufilter enable

There is a very useful show command that displays a lot of valuable information about Spanning Tree Protocol and its features, including whether BPDU Filtering has been enabled: the show spanning-tree summary totals EXEC command. We will come back to this command later and look at sample output.

Instabilities Due to Loss of BPDUs

BPDUs are how STP learns about the switched network topology. STP relies on BPDUs to maintain a loop-free topology and network integrity. There are conditions under which one or more BPDUs might not be received or relayed at certain switches, causing a switch to recalculate or converge to a different topology even though no change has actually occurred. This is commonly a physical layer problem with copper and, even more so, with fiber optic interfaces. To prevent this from happening we have Loop Guard and Unidirectional Link Detection (UDLD).

Loop Guard monitors BPDU activity on non-designated ports (ports in the blocking state). While BPDUs keep arriving, everything stays the same. When BPDUs stop arriving and the Max Age timer expires, Loop Guard prevents the port from moving through the STP port states toward forwarding and puts it in the loop-inconsistent state, which is operationally the same as blocking. When BPDUs are received again, the port returns to the normal STP states without any manual intervention. You can enable Loop Guard at the interface level or globally. To enable it at the interface level, use the following command:

Switch(config-if)# spanning-tree guard loop

To enable Loop Guard on all non-designated ports globally, use the following global configuration command:

Switch(config)# spanning-tree loopguard default

Loop Guard is configured at the interface level but works on a per-VLAN basis.
This means that if a port has Loop Guard enabled, it is only applied to the STP instances or VLANs for which the port is in the blocking state. As a network designer or administrator you must decide whether you require Loop Guard in all STP instances running on the switch (in which case enable it globally) or only on specific interfaces and their associated VLANs (in which case enable it at the interface level).

Unidirectional Link Detection (UDLD)

UDLD is a Cisco-proprietary Layer 2 protocol that complements STP by detecting links with unidirectional connectivity problems. This problem is common on fiber optic Ethernet links, where two separate strands carry the transmit and receive directions independently. If one of them is damaged so that communication works in only one direction, the STP topology can be broken: the port that stops receiving BPDUs will try to transition to the forwarding state, and a loop can form. The worst part is that when bidirectional communication is lost, the rest of the topology may never learn what is happening at the other end of the link. To prevent this, UDLD constantly monitors the bidirectional state of a link. It sends a special UDLD frame and expects a response from the other end. If the reply is received, the link is operating as it should; if no response is received, the link is treated as unidirectional and action must be taken.

UDLD must be enabled at both ends, and its message interval should be set to a value lower than the Max Age timer. That is the whole point of the feature: to detect the failure and act on the port before STP ages out its BPDU information and unblocks the port. You can configure UDLD globally and at the interface level. If you enable UDLD globally, all fiber optic ports (GBIC, SFP and similar fiber interfaces) enable UDLD. Twisted-pair copper ports do not suffer from the Layer 1 conditions that lead to unidirectional links, so the global command does not enable UDLD on them. You CAN configure UDLD on such ports, but you need to enable it manually. Here are examples of global UDLD configuration and interface-level UDLD configuration:

Switch(config)# udld {enable | aggressive | message time seconds}
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# udld port [aggressive]

The first line enables UDLD globally; remember that at this point all fiber optic ports enable UDLD. Copper Ethernet ports require that you enable UDLD manually at the interface level, as done in the third line (udld port disable turns it off on a fiber port covered by the global command).

UDLD has two operating modes: normal and aggressive.

Normal mode: The port continues operating normally after a unidirectional link is detected. The port is only marked as having a problem, and a syslog message is generated.

Aggressive mode: When bidirectional communication is lost, UDLD tries to re-establish it by sending eight UDLD messages, one per second. If none of them is answered, the port is put in the err-disabled state. The port cannot be used until it is administratively shut down and then turned back on.

The message time is the interval between UDLD frames. Remember that the message timer must be lower than the Max Age timer.

Earlier we mentioned a show command with a very interesting output: the show spanning-tree summary totals EXEC command. Here is a sample output:

Figure 13: Output from the show spanning-tree summary Command
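The protections above (BPDU Guard, BPDU Filtering, Loop Guard, UDLD) are easy to leave half-applied across dozens of access ports, and the dangerous combinations the text warns about are hard to spot by eye in a long running-config. The following Python script is an added example, not from the original manual or from Cisco: it parses a constructed running-config excerpt and flags a PortFast access port that ends up without BPDU Guard, bpdufilter applied at the interface level, bpdufilter default applied globally, and a trunk uplink without Loop Guard or UDLD. The config text, interface names and finding labels are invented for the illustration.

```python
"""Audit an IOS running-config for the STP protection settings discussed above.
Added example, not from the original manual; SAMPLE_CONFIG is a constructed
excerpt, not output from a real switch."""

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
interface GigabitEthernet0/2
 description user desk
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description printer
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
!
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return sorted (scope, finding) pairs for risky STP protection settings."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_cmds
    global_loopguard = "spanning-tree loopguard default" in global_cmds
    global_udld = any(c.startswith("udld ") for c in global_cmds)
    if "spanning-tree portfast bpdufilter default" in global_cmds:
        findings.append(("global", "bpdufilter-default"))
    if not global_bpduguard:
        findings.append(("global", "no-bpduguard-default"))
    for name, cmd_list in interfaces.items():
        cmds = set(cmd_list)
        access = "switchport mode access" in cmds
        trunk = "switchport mode trunk" in cmds
        portfast = "spanning-tree portfast" in cmds
        # BPDU Guard is active if enabled on the port itself, or inherited from
        # the global default on a PortFast port and not explicitly disabled.
        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_bpduguard and portfast and "spanning-tree bpduguard disable" not in cmds
        )
        if access and portfast and not guarded:
            findings.append((name, "portfast-without-bpduguard"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "bpdufilter-on-interface"))
        if trunk and not global_loopguard and "spanning-tree guard loop" not in cmds:
            findings.append((name, "uplink-without-loopguard"))
        if trunk and not global_udld and not any(c.startswith("udld port") for c in cmds):
            findings.append((name, "uplink-without-udld"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:22} {finding}")
```

On the sample config only GigabitEthernet0/3 is reported: its explicit bpduguard disable overrides the global default, and its interface-level bpdufilter means a rogue switch plugged in there would never be noticed by STP. Remove the global bpduguard default line and every PortFast access port is reported, which is exactly the "protected by default or not at all" distinction the text draws between the global and interface forms.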

Advanced Spanning Tree Protocol

The IEEE 802.1D standard, with its single Common Spanning Tree (CST), is now considered a legacy protocol because its convergence periods are too long for most modern network applications. The newer protocols are based on 802.1D technology but focus on faster convergence to suit the demands of modern networks. These newer standards are Rapid STP (RSTP) and Multiple STP (MST or MSTP). Both are described in this section.

Rapid Spanning Tree Protocol (RSTP) IEEE 802.1w

RSTP (802.1w) was developed from STP 802.1D concepts to meet the need for shorter convergence times, which is why it is considered an extension of the 802.1D standard. RSTP elects a root switch with the same criteria used in STP 802.1D, based on the Bridge ID. In addition, many of the enhancements we discussed, which were optional Cisco features on top of 802.1D STP, are built into RSTP by default, as you will see below.

Most of the concepts used in STP are used in RSTP, but the port roles differ between the two protocols. The port roles in RSTP are:

Root port.
Designated port.
Blocking port (alternate or backup, as explained below).

The root port has the same function it had in STP: forwarding frames toward the root switch over the lowest root path cost available. The root switch does not have a root port. The designated port is the port on a network segment that offers that segment the best root path cost. This can be confusing. The key to understanding the difference between root port and designated port is the concept of the network segment. The root port is the port on a switch with the best root path cost. The designated port is the port with the best root path cost on a network segment. Think of two switches both connected to the same network segment: RSTP will block one of them. The concept of the designated port is related to the segment, not the switch. It is the best route from a network segment toward the root.
When several switches have ports on the same network segment, only one of them is the designated port for that segment in a given STP instance (think of the network segment as a shared link or a subnet). The blocking ports can be further divided into two roles: the alternate port and the backup port.

1. Alternate port: an alternate path to the root. This is the port with the second-best root path cost on the switch. Remember that the root path cost refers to the switch's own best route to the root. This port is effectively blocking and starts forwarding frames only when the root port fails. It is the second-best alternative toward the root bridge.

2. Backup port: this role relates to the designated port. It is a backup path for frames from a segment on which the switch is already designated, and it exists only when the switch has two or more ports on the same segment. This port is effectively blocking and starts forwarding frames only when the designated port fails.

In summary, the RSTP port roles are root port, designated port, alternate port and backup port (alternate and backup ports are blocking; root and designated ports are forwarding).

The port states are also different in RSTP. RSTP classifies port states according to what the switch does with the frames it receives. The port states in RSTP are:

Discarding: This state replaces the disabled, blocking and listening port states of 802.1D STP.
Learning: In this state frames are dropped, but MAC addresses are learned from the source MAC address of the frames.
Forwarding: In this state the port is operationally active, meaning frames are forwarded and MAC addresses are learned.

BPDUs in RSTP

The main difference between STP and RSTP when it comes to BPDUs is that in STP the BPDUs are generated by the root bridge and relayed by the other switches. In RSTP, BPDUs are part of an interactive process between neighboring switches used to negotiate port roles. Every switch sends BPDUs at Hello Time intervals, regardless of whether it has received superior BPDUs from the root switch. This new behavior gives every switch in the RSTP process the power to influence and maintain the switched topology. Since BPDUs are expected every two seconds (the default Hello Time for both STP and RSTP), action can be taken faster when a link fails. By default, a link is considered down when the switch does not hear from the other end for three Hello intervals (6 seconds), at which point the information about the assumed-unreachable neighbor is aged out. This is a great enhancement over STP, which needs the Max Age timer (20 seconds by default) to react to network changes.

RSTP can coexist with BPDUs generated by switches running 802.1D STP. A port operates in the mode of the first BPDU it receives and by default locks that mode for a migration delay, so that the port does not keep flapping between modes while a migration is under way or while both modes operate in the STP domain.

RSTP Convergence

Convergence is the state in which all switches in the switched network have agreed on port roles and paths that provide a loop-free topology.
As we know, RSTP was developed to converge faster than its predecessor, 802.1D STP. An STP process has converged when a root switch has been elected, all switches in the STP domain know about it, and all ports on all participating switches are either forwarding or blocking. RSTP speeds up convergence by eliminating the 802.1D timers that make switches wait a fixed period before transitioning to the next port state. Instead, RSTP decides port states based on port types and an explicit handshake with the neighbor. Convergence is usually about 30 seconds faster than in 802.1D STP, because the Forward Delay timer is not needed for the listening and learning stages.

Port Types

Root port: The port with the best path to the root switch of the network. There can be only one per switch.

Edge port: A port located at the edge of the network, connecting end users. This port operates exactly like a PortFast-enabled port in STP. The port assumes that a loop cannot form because only one host is directly connected. If a BPDU is received on an edge port, the port loses its edge status and becomes a normal, non-edge spanning-tree port.

Point-to-point port: A port that connects two switches over a full-duplex link and acts as a designated port. RSTP achieves faster convergence by propagating handshakes over point-to-point links. The handshake takes place with the nearest neighbor and, once successful, the process moves outward toward the edge switches. While this process unfolds, every participating switch must take action to prevent loops from forming. This is done with a synchronization process.

Synchronization is the process that takes place for RSTP to converge. The non-edge ports start in the discarding state and, after receiving BPDUs, the switch decides on its root port. The process unfolds from the core to the edge. When a superior BPDU (a proposal) is received, the switch blocks all its other non-edge ports and sends an agreement BPDU, letting the neighbor know it has agreed that the connected port becomes its root port. While this happens the other non-edge ports are in the discarding state; once the decision about the port toward the root bridge is finished, the non-edge ports leading toward the access switches or network edge start their own selection process, leading to the election of designated and blocked ports. This continues until the process reaches the edge ports, where the handshake is not required, since those ports move to forwarding as soon as the link comes up.

Topology Change Detection in RSTP

In RSTP, a topology change is generated only when a non-edge port moves to the forwarding state. Other port changes (including a link going down) are no longer considered topology changes.
When an RSTP bridge detects a topology change, the following happens:

It starts the TC While timer, with a default value of twice the Hello Time, on all its non-edge designated ports and on its root port, if necessary.
It clears all CAM table entries (MAC addresses) associated with those ports.
BPDUs sent out those ports while the TC While timer is running have the TC bit set. BPDUs with the TC bit set are also sent out the root port.

Topology Change Propagation in RSTP

When a bridge receives a BPDU with the TC bit set from a neighbor, the following occurs:

The switch clears all learned MAC addresses on all its ports except the one on which the topology change was received.
It starts the TC While timer and, for as long as the timer is running, sends BPDUs with the TC bit set on all its designated ports and its root port.

RSTP no longer uses the specific TCN BPDU, unless a switch running legacy STP needs to be notified. This new topology change procedure makes propagation and convergence much faster than in 802.1D. In STP the switch that suffered the link outage had no direct involvement in the propagation process; only the root bridge did this. In RSTP the switch that detects the change is in charge of propagating the information. Since there is no need to wait for the root bridge to become aware of the change, convergence to the new topology is faster.

RSTP Configuration

Cisco switches operate in Per-VLAN Spanning Tree Plus (PVST+) by default, which is why, before RSTP can be used, it has to be enabled globally as either MST or Rapid PVST+ (RPVST+). To enable RPVST+, use the following global configuration command:

Switch(config)# spanning-tree mode rapid-pvst

To revert to the default PVST+, with the now legacy 802.1D STP, you only need one global configuration command:

Switch(config)# spanning-tree mode pvst

You can see which STP mode the switch is operating in with the show spanning-tree vlan vlan-id EXEC command. The following is actual switch output:

Figure 14: Verifying STP Mode Operation

You also need to configure edge ports and point-to-point ports in RSTP. To configure an edge port, simply enable PortFast:

Switch(config-if)# spanning-tree portfast

To configure a port as a point-to-point interface, use the following interface configuration command:

Switch(config-if)# spanning-tree link-type point-to-point

In the output of Figure 14 you can see the STP mode, the Bridge ID, the timers, the ports that belong to the VLAN, their roles, port priorities and port types.

Multiple Spanning Tree Protocol (MST)

CST had the limitation of running only one STP process for all VLANs in the domain, so a small problem in that single STP instance could cause network problems in multiple areas. PVST was developed to address this by running one STP instance for every VLAN in the domain. PVST solved one problem but created another in very large deployments: it can strain switch CPU and memory resources. As the network grows and requires more and more VLANs, it becomes less than optimal, and redundant, to run one instance of STP per VLAN, since only a few distinct redundant paths are usually available even for dozens of VLANs. To solve this problem, Multiple Spanning Tree (MST) was developed. MST lets a network administrator run one or more STP instances, each handling a group of VLANs, instead of one instance per VLAN. MST is defined in IEEE 802.1s.

There are important design considerations prior to implementing MST in a network:

Determine the number of possible logical topologies over the existing physical network and connections, and how many STP instances are required to support them.
Determine which VLANs will be mapped to which STP instance. The criteria are based on security, traffic type and traffic volume considerations.

MST Regions are groups of switches running MST with a common set of parameters. Cisco compares an MST region to a BGP Autonomous System, which is basically a group of network devices under a common administration.
Most networks do not need more than one region, but multiple regions are supported. All switches within a region must run MST with identical values for the following attributes:

MST configuration name (up to 32 characters)
MST configuration revision number (0 to 65535)
MST instance-to-VLAN mapping table (4096 entries)

The network administrator must propagate the configuration and attributes throughout the region. This has to be done manually or with the Simple Network Management Protocol (SNMP). SNMP is outside the scope of the SWITCH exam, but as a network engineer it is extremely important to be proficient in that technology, and there are very good books on the subject. If for any reason two switches differ in any MST attribute, they consider themselves members of different regions.

Most of the region information is carried inside BPDU frames. The revision number, the region name and a digest of the VLAN-to-instance mapping are sent. The digest is a numerical value calculated with a mathematical function (the details of the calculation are outside the scope of the SWITCH exam). When a neighboring switch receives the BPDU it compares this digest to its own. If they match, the BPDU belongs to the same region; otherwise the switch knows that the port on which it was received is a region boundary, that is, the neighbor belongs to a different region (or runs a different flavor of STP).

An MST switch runs only one Internal Spanning Tree (IST) and one or more Multiple Spanning Tree Instances (MSTIs). This is defined in the IEEE 802.1s standard. The Cisco implementation of MST discussed here supports 16 instances: one IST and 15 MSTIs.

IST Instances

MST was designed to interoperate with legacy STP protocols. The IST instance is simply an RSTP instance inside the MST region. Its function is to represent the entire MST region as a single CST switch to the outside world. The IST instance communicates by sending BPDUs over the native VLAN of the trunks to the rest of the CST switches and topology. The exact mechanism through which the IST makes the participating switches appear as one CST bridge is outside the scope of the SWITCH exam and this guide.

MST Instances

MST Instances (MSTIs) are RSTP instances that exist exclusively inside an MST region. Unlike the IST, MSTIs never interact with switches outside the region. MST uses only one spanning tree instance outside the region.
MSTIs have no outside counterpart and never send BPDUs outside the region; that is the IST's role. Inside the MST region, MSTIs do not send independent BPDUs either. The switch sends one RSTP BPDU for the whole region (the IST BPDU, instance 0) and appends the information for each particular instance to it. This per-MSTI information is placed in an M-record, the part of the BPDU that carries the data specific to each MSTI. Remember that an MSTI is only valid inside its MST region. It does not matter whether an adjacent region uses the same MSTI number; the MSTI information is only locally significant.

MST runs RSTP inside the region and a single CST toward the outside, so an MST region can only interact with one CST instance on the outside. That creates a problem when the outside switches are running PVST+. Cisco addressed it by having the IST replicate its CST BPDU into all PVST+ instances, to simulate PVST+ behavior. Cisco switches automatically detect the PVST+ neighbor when they receive multiple BPDUs for several instances.

The following are the commands required to configure MST on a switch:

Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name name
Switch(config-mst)# revision version
Switch(config-mst)# instance instance-id vlan vlan-list
Switch(config-mst)# show pending
Switch(config-mst)# exit

In the first line MST is selected as the STP mode. In the second line we enter MST configuration mode. The name MST configuration command sets the region configuration name. The revision MST configuration command is used to track changes to the MST configuration. Just like VTP, the configuration name and revision number must match on all switches in the MST region. The instance instance-id vlan vlan-list command maps VLANs to an MST instance; instance-id takes a value from 0 to 15 and carries topology information for the VLANs specified in vlan-list. The show pending MST configuration command shows all the changes you have made that have not yet been applied. Remember that the commands and changes made in MST configuration mode take effect and are written to the running configuration only when the exit command is used. After MST is configured, PVST+ stops and RSTP (inside MST) starts operating, since a switch cannot run both spanning tree versions at the same time.

All standard STP parameters are also present in MST, and their respective commands are practically the same, with the difference that you now use the mst keyword and the instance-id before most parameters.
Here is a list of the most common commands:

To set the root bridge:
Switch(config)# spanning-tree mst instance-id root {primary | secondary} [diameter diameter]

To set the bridge priority:
Switch(config)# spanning-tree mst instance-id priority bridge-priority

To set the port cost (interface level):
Switch(config-if)# spanning-tree mst instance-id cost cost

To set the port priority (interface level):
Switch(config-if)# spanning-tree mst instance-id port-priority port-priority

To set the STP timers:
Switch(config)# spanning-tree mst hello-time seconds
Switch(config)# spanning-tree mst forward-time seconds
Switch(config)# spanning-tree mst max-age seconds
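A region boundary is, in practice, a mismatch in one of the three region attributes (name, revision, VLAN-to-instance mapping), and the mapping is compared through its digest rather than entry by entry. The following Python code is an added example, not from the original manual or from Cisco IOS: it reproduces the IEEE 802.1s configuration digest (HMAC-MD5 over the 4096-entry VLAN-to-instance table, using the fixed signature key the standard defines) and uses it to compare two switches' region identifiers. The two configurations compared are constructed and the helper names are ours. The digest of the default mapping (every VLAN in instance 0) is the value a Cisco switch prints in show spanning-tree mst configuration digest, which lets you check the function against a real switch.

```python
"""Compute the IEEE 802.1s MST configuration digest and compare regions.
Added example, not from the original manual; the configurations are constructed."""
import hashlib
import hmac

# Configuration Digest Signature Key, fixed by IEEE 802.1s (now 802.1Q clause 13.7).
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text):
    """Expand an IOS vlan-list such as '10-19,30,40-41' into VLAN ids."""
    vids = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vids.extend(range(int(lo), int(hi or lo) + 1))
    return vids


def mst_digest(instance_map):
    """instance_map: {instance_id: vlan-list string}.  VLANs not listed belong
    to the IST (instance 0).  The digest is HMAC-MD5 over a table of 4096
    two-octet, network-order instance numbers, one per VID from 0 to 4095."""
    table = [0] * 4096
    for instance, vlan_list in instance_map.items():
        for vid in parse_vlan_list(vlan_list):
            table[vid] = instance
    payload = b"".join(i.to_bytes(2, "big") for i in table)
    return hmac.new(DIGEST_KEY, payload, hashlib.md5).hexdigest().upper()


def region_id(name, revision, instance_map):
    """The three values that must match for two switches to share a region."""
    return (name, revision, mst_digest(instance_map))


def same_region(switch_a, switch_b):
    return region_id(*switch_a) == region_id(*switch_b)


# Constructed configurations: B maps VLAN 30 into instance 2 where A leaves it in the IST.
SWITCH_A = ("CAMPUS", 1, {1: "10-19", 2: "20-29"})
SWITCH_B = ("CAMPUS", 1, {1: "10-19", 2: "20-30"})

if __name__ == "__main__":
    print("default digest:", mst_digest({}))
    print("A:", region_id(*SWITCH_A))
    print("B:", region_id(*SWITCH_B))
    print("same region:", same_region(SWITCH_A, SWITCH_B))
```

A single VLAN mapped differently changes the whole digest, so the two constructed switches would each treat the link between them as a region boundary even though their names and revisions match. This is why the revision number is tracked by hand: bumping it on one switch without copying the full mapping to the others splits the region just as surely.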

Aggregating Switch Links

EtherChannel is the technology developed to let network administrators scale link bandwidth by aggregating, or combining, up to eight Fast Ethernet, Gigabit Ethernet or 10-Gigabit Ethernet links. This allows easier expansion and growth without requiring expensive equipment every time more throughput is needed. EtherChannel also solves the problem of redundant parallel paths and switching loops, because it creates one logical link out of two to eight physical links, which STP treats as a single port. The logical link can be used as an access port or a trunk port. And if there is a physical layer problem on one of the connections, the end user is not affected, because traffic is simply redistributed over the remaining links in the EtherChannel bundle.

According to Cisco, the main benefits of EtherChannel technology are:

Standards-based: EtherChannel was developed to be compatible with the IEEE 802.3 standard. It uses Ethernet mechanisms to provide some of the features of this technology.

Multiple platforms: EtherChannel is flexible and can be used anywhere in the network where bottlenecks are likely to occur. It can be used in network designs to increase bandwidth between switches and between routers and switches, as well as to provide scalable bandwidth for network servers, such as large UNIX servers or PC-based Web servers.

Flexible incremental bandwidth: EtherChannel provides bandwidth aggregation in multiples of 100 Mbps, 1 Gbps or 10 Gbps, depending on the speed of the aggregated links. For example, network managers can deploy EtherChannel consisting of pairs of full-duplex Fast Ethernet links to provide more than 400 Mbps between the wiring closet and the data center. In the data center, bandwidths of up to 800 Mbps can be provided between servers and the network backbone to provide large amounts of scalable incremental bandwidth.

Load balancing: An EtherChannel is composed of several Ethernet links and is capable of load balancing traffic across those links.
Unicast, broadcast and multicast traffic is distributed across the links, providing higher performance and redundant parallel paths. When a link fails, traffic is redirected to the remaining links within the channel without user intervention and with minimal packet loss.

Resiliency and fast convergence: When a link fails, EtherChannel provides automatic recovery by redistributing the load across the remaining links. This is done in less than one second. The convergence is transparent to the end user: no host protocol timers expire, so no sessions are dropped.

Ease of management: EtherChannel takes advantage of the experience Cisco has developed over the years in troubleshooting and maintaining Ethernet networks. Existing network probes can be used for traffic management and troubleshooting, and management applications such as CiscoWorks and third-party network management applications are EtherChannel-aware.

Transparent to network applications: EtherChannel does not require changes to networked applications. When EtherChannel is used within the campus, switches and routers provide load balancing across multiple links transparently to network users. To support EtherChannel on enterprise-class servers and network interface cards, smart software drivers can coordinate the distribution of load across multiple network interfaces.

Compatible with Cisco IOS: EtherChannel connections are fully compatible with Cisco IOS VLAN and routing technologies. Inter-Switch Link (ISL) trunking can carry multiple VLANs across an EtherChannel link, and routers attached to EtherChannel trunks can provide full multiprotocol routing with support for hot standby using the Hot Standby Router Protocol (HSRP).

100 Megabit, 1 Gigabit and 10 Gigabit Ethernet-ready: EtherChannel is available at all Ethernet link speeds. EtherChannel technology lets network managers deploy networks that will scale smoothly with the availability of next-generation, standards-based Ethernet link speeds.

Interoperability with Coarse Wavelength Division Multiplexing (CWDM) Gigabit Interface Converters (GBICs): By simultaneously implementing Gigabit EtherChannel and CWDM technologies, network managers can increase the bandwidth of their links without having to invest in new long runs of fiber. CWDM allows the traffic aggregated by the EtherChannel link to be multiplexed onto a single strand of fiber.

An EtherChannel must be formed by bundling up to eight links of the same type, meaning the same speed and media type. Fast Ethernet bundles form Fast EtherChannels, Gigabit Ethernet links form Gigabit EtherChannels, and so on. All aggregated ports must belong to the same VLAN if they are access ports. If they are trunks, they must have the same native VLAN and allow the same set of VLANs. All ports in the bundle must be configured with the same duplex mode (full duplex) and speed. They must also use the same STP type and have identical STP settings.

Distributing Traffic in EtherChannel

Load is not automatically balanced evenly across all links in an EtherChannel. Frames are forwarded based on the result of a hashing algorithm. This algorithm can use a variety of information to choose a link, including IP addresses, physical (MAC) addresses and Layer 4 port numbers. The hash selects the specific member link that forwards a given frame. If two addresses or ports are hashed, the selection uses an exclusive-OR (XOR) of the rightmost bit(s) of the two addresses or ports. If only one address is hashed, its rightmost bits alone dictate the link in the bundle used to forward the frame. This is important and must be understood.
The amout of bits selected are the oes required to represet the port umber (iside the budle) i biary. If you have 8 ports budled, the first port is port 0 ad last is port 7. You eed 3 bits to represet 7 i biary; you will eed those bits to idetify which port is goig to be forwardig the frames or packets. For example, 010 i biary is 2. That meas that traffic will be set across Chael 3 i the budle. If we assume you are usig source IP address as the load balacig method, ad the source IP address is = We eed to use the three rightmost bits which are 011 (3 i decimal). The port that will be used is lik 3 i the budle. I case two addresses are beig hashed, the XOR operatio must be doe. Remember that i XOR two differet bits will produce 0 ad equal bits will produce 1. As you ca see, this form of load balacig/distributio based o source ad destiatio addresses ca cause a lik to hadle a lot more trasit tha others, creatig a load imbalace. This is what happes, for istace, whe you have a EtherChael coected to a server ad use the destiatio address as the load balacig method. All the traffic o the heavily used server will always go across oe specific lik ad ever be load balaced. To solve this issue it is recommeded that you use a combiatio of source ad destiatio addresses ad port umbers. That way you ca distribute traffic accordig to ot oly hosts or destiatio but also applicatios i certai hosts. LearSmart Cloud Classroom: Video Traiig Mauals

The hashing operation can be performed with MAC or IP addresses or a combination of both. The command to configure load balancing is the following:

Switch(config)# port-channel load-balance method

Notice the load-balancing method is set globally. You cannot set the load-balancing method on a per-port basis. The method variable can take several values, listed in the following table:

method Value    Hash Input                            Hash Operation    Switch Model
src-ip          Source IP address                     bits              All models
dst-ip          Destination IP address                bits              All models
src-dst-ip      Source and destination IP address     XOR               All models
src-mac         Source MAC address                    bits              All models
dst-mac         Destination MAC address               bits              All models
src-dst-mac     Source and destination MAC            XOR               All models
src-port        Source port number                    bits              6500, 4500
dst-port        Destination port number               bits              6500, 4500
src-dst-port    Source and destination port           XOR               6500, 4500

Figure 15: Types of EtherChannel Load-Balancing Methods

The default method for pure Layer 2 switches is source MAC address (src-mac). If Layer 3 switching is being used on the switch, the source and destination IP address (src-dst-ip) method is recommended. When IP is not the Layer 3 protocol in use, you must use MAC addresses to determine the link to be used to forward traffic. As network administrator, you should check whether the current configuration is producing load (traffic) imbalances and correct them with one of the methods provided. To see what load-balancing method is in use and the amount of traffic that has gone through each link, use the show etherchannel port-channel EXEC command.

An important situation to notice is when EtherChannels are configured to connect routers. Both MAC addresses and IP addresses will always be the same, making both methods forward through the same links. To address this issue, you should configure the channels to load balance using port numbers, so that frames are forwarded based on applications. Please note that when IP load balancing is selected and there are no IP packets to forward, the switch or router will fall back to MAC address indexing.
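As an added study model (not from this manual and not Cisco's implementation), the following Python code reproduces the link-selection rule described above for all nine methods in the table: the rightmost bits of one hashed field, or the XOR of two fields' rightmost bits, give the index of the link in the bundle, and an IP method with no IP header to hash falls back to MAC indexing. It assumes a bundle of 2, 4 or 8 links (the counts whose indices fit exactly in 1, 2 or 3 bits), uses field names of its own (src_ip, dst_mac and so on), and feeds in a constructed set of 20 clients talking to one server to show the imbalance the text warns about.

```python
import ipaddress
from collections import Counter

# Which frame fields each load-balance method hashes (field names are this
# model's own); one field -> rightmost bits, two fields -> XOR of rightmost bits.
METHOD_FIELDS = {
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}
# IP-based balancing selected but no IP header to hash: fall back to MAC indexing.
IP_TO_MAC_FALLBACK = {"src-ip": "src-mac", "dst-ip": "dst-mac", "src-dst-ip": "src-dst-mac"}


def index_bits(link_count):
    """Bits needed to number links 0..link_count-1: 2 links -> 1 bit, 8 links -> 3 bits."""
    if link_count not in (2, 4, 8):
        raise ValueError("this model assumes a bundle of 2, 4 or 8 links")
    return (link_count - 1).bit_length()


def field_as_int(name, value):
    """Convert an IP (dotted), a MAC (xxxx.xxxx.xxxx or colon form) or a port to an int."""
    if name.endswith("_ip"):
        return int(ipaddress.ip_address(value))
    if name.endswith("_mac"):
        return int(value.replace(".", "").replace(":", ""), 16)
    return int(value)


def select_link(method, link_count, frame):
    """Return the 0-based index of the bundle link on which `frame` (a dict of fields) is sent."""
    mask = (1 << index_bits(link_count)) - 1
    if method in IP_TO_MAC_FALLBACK and any(frame.get(f) is None for f in METHOD_FIELDS[method]):
        method = IP_TO_MAC_FALLBACK[method]
    fields = METHOD_FIELDS[method]
    if any(frame.get(f) is None for f in fields):
        raise ValueError(f"frame lacks the fields needed for {method}")
    index = 0
    for name in fields:
        index ^= field_as_int(name, frame[name]) & mask   # rightmost bits, XORed when two fields
    return index


def distribution(method, link_count, frames):
    """Number of frames that land on each link index under one method."""
    return Counter(select_link(method, link_count, f) for f in frames)


# Constructed sample: clients 10.1.1.1 to 10.1.1.20 all sending to server 10.1.1.10.
CLIENTS_TO_SERVER = [
    {"src_ip": f"10.1.1.{i}", "dst_ip": "10.1.1.10",
     "src_mac": f"0000.0000.00{i:02x}", "dst_mac": "0022.ff7d.b77c"}
    for i in range(1, 21)
]

if __name__ == "__main__":
    # dst-ip puts every frame on one link; src-dst-ip spreads them over all eight
    print("dst-ip    :", dict(distribution("dst-ip", 8, CLIENTS_TO_SERVER)))
    print("src-dst-ip:", dict(distribution("src-dst-ip", 8, CLIENTS_TO_SERVER)))
```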
As we mentioned earlier, EtherChannels also help network administrators deal with switching loops and multicast/broadcast traffic. When inbound multicast or broadcast traffic is received on one link of an EtherChannel, the multicast/broadcast is never sent back through any of the bundled links. This is because the multiple bundled links are treated as if they were a single physical link. Equally, outbound multicast or broadcast traffic is load balanced like any other frame or packet: the broadcast or multicast frame or packet goes through the hashing calculation to determine the link through which it is going to be forwarded.

EtherChannel Negotiation Protocols and Configuration

There are means to provide EtherChannel negotiation and dynamic link configuration. Two protocols are available to negotiate bundled links between switches: Port Aggregation Protocol (PAgP), which is Cisco proprietary, and Link Aggregation Control Protocol (LACP).

Port Aggregation Protocol

This is Cisco's proprietary link aggregation protocol. Cisco switches exchange PAgP packets over EtherChannel-capable links. The protocol dynamically learns the capable ports in the LAN and then informs the other LAN ports. Once it has identified the links, it provides the means to group the ports into an EtherChannel. The EtherChannel is then added to the spanning tree topology as a single link. PAgP packets are only exchanged between ports configured in desirable or auto mode. Ports with the same neighbor ID and port capability are grouped together as a bidirectional point-to-point EtherChannel. These capabilities are trunking state, duplex mode and speed. If the ports are trunking, they must have the same native VLAN and must allow the same VLANs through them.

Switch ports can form EtherChannels if they are in a compatible mode (these modes are very similar to the dynamic trunking modes). A port configured as desirable actively tries to form an EtherChannel, sending PAgP packets and initiating the negotiation, with other ports configured as desirable and also with ports configured as auto. Ports configured as auto don't form EtherChannels with other ports in auto because neither side initiates negotiation. Auto is the default. PAgP negotiation is the default. To configure it on Cisco Catalyst switches use the following commands:

Switch(config)# interface type mod/num
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | {{auto | desirable} [non-silent]}}

The aggregation protocol is defined with the channel-protocol interface configuration command. The EtherChannel must be configured with a unique number, from 1 to 64, and the operation mode must be defined too.

On makes the EtherChannel unconditionally and no negotiation takes place; auto waits for the other end to ask to form the EtherChannel and accepts if PAgP packets are received; and desirable actively tries to form the EtherChannel, starting negotiation and sending PAgP packets. The non-silent submode means the port will be required to hear PAgP packets in order to attempt to form an EtherChannel. The default submode in auto or desirable is silent, in which the port doesn't have to wait for PAgP packets in order to attempt to become part of an EtherChannel.

The following is a sample configuration:

Switch# configure terminal
Switch(config)# port-channel load-balance src-dst-port
Switch(config)# interface port-channel 1
Switch(config-if)# ip address
Switch(config-if)# interface range fastethernet 0/1 - 5
Switch(config-if)# no ip address
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group 1 mode desirable
Switch(config-if)# end

We first establish the load-balancing method with the port-channel load-balance src-dst-port global configuration command and then create the port-channel or EtherChannel 1. In the fourth line we assign an IP address to the EtherChannel. In the following line we use interface range to enter interface configuration mode for several interfaces at once. We then define the EtherChannel negotiation protocol. Finally we add the interfaces to channel-group 1 and use the desirable mode. The individual links cannot have IP addresses assigned to them. Again, this is because the multiple bundled links are treated as if they were a single physical link. The interface that can be configured for this bundle is the virtual port-channel interface and not the actual individual links within the bundle. Remember the default submode is silent, and it doesn't have to be specified.

Link Aggregation Control Protocol

LACP is the IEEE standards-based link aggregation protocol. LACP is defined in IEEE 802.3ad and is also known as clause 43, link aggregation. Just like PAgP, LACP neighbors are identified and port group capabilities are compared through the exchange of LACP packets. LACP also assigns roles to the EtherChannel's ports. The switch with the lowest system priority, a 2-byte value followed by the 6-byte switch MAC address, is allowed to make decisions about which ports are actively participating in the EtherChannel at a given time. The LACP port priority is used to select which ports become active in the bundle. The port priority is a 4-byte value, a 2-byte priority followed by a 2-byte port number, and in the aggregated link a lower value means a more preferred port.

This is very important because up to 16 links can be defined in the EtherChannel bundle but only 8 will be actively forwarding frames. The 8 links with the lowest priority values are selected as active and the remaining links are put in a standby state; they become active if one of the active links fails at the physical layer. After the EtherChannel is up and running with the best links bundled, it enters the STP topology as one single port. Similar to PAgP, LACP can set ports to actively try to become part of the EtherChannel (active mode in LACP and desirable in PAgP), or to passive (auto in PAgP and passive in LACP), in which switches only negotiate an EtherChannel if the other end starts the negotiation.
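The following Python model, added here and not part of the manual, follows the LACP rules just described: the switch with the lower system ID (2-byte system priority, then MAC address) decides, links are ranked by port ID (2-byte port priority, then port number) and the eight lowest become active while the rest stand by and take over when an active link fails. It assumes slot/port numbers serve as the port-number tie breaker and uses names of its own (Link, select_active, after_failure); the 16-link bundle it builds is the one described in the LACP configuration example that follows.

```python
from dataclasses import dataclass

MAX_LINKS = 16               # links that may be defined in one LACP bundle
MAX_ACTIVE = 8               # links that actively forward frames
DEFAULT_PORT_PRIORITY = 32768


@dataclass(frozen=True)
class Link:
    name: str                # e.g. "gig 2/1"
    slot: int
    port: int
    priority: int = DEFAULT_PORT_PRIORITY

    def port_id(self):
        """Lower is preferred: port priority first, then slot/port as the tie breaker."""
        return (self.priority, self.slot, self.port)


def deciding_switch(local_prio, local_mac, peer_prio, peer_mac):
    """Return 'local' or 'peer': the lower (system priority, MAC address) pair decides."""
    local_id = (local_prio, int(local_mac.replace(".", "").replace(":", ""), 16))
    peer_id = (peer_prio, int(peer_mac.replace(".", "").replace(":", ""), 16))
    return "local" if local_id < peer_id else "peer"


def select_active(links):
    """Split the links into (active, standby) lists, both ordered by port ID."""
    if len(links) > MAX_LINKS:
        raise ValueError(f"at most {MAX_LINKS} links may be defined in an LACP bundle")
    ranked = sorted(links, key=Link.port_id)
    return ranked[:MAX_ACTIVE], ranked[MAX_ACTIVE:]


def after_failure(links, failed_name):
    """Recompute active/standby once one physical link is down: the best standby steps in."""
    survivors = [link for link in links if link.name != failed_name]
    return select_active(survivors)


def bundle_from_text():
    """Constructed bundle: slots 2 and 3, ports 1-4 at priority 100, ports 5-8 at the default."""
    links = []
    for slot in (2, 3):
        for port in range(1, 9):
            prio = 100 if port <= 4 else DEFAULT_PORT_PRIORITY
            links.append(Link(f"gig {slot}/{port}", slot, port, prio))
    return links


if __name__ == "__main__":
    active, standby = select_active(bundle_from_text())
    print("active :", [link.name for link in active])
    print("standby:", [link.name for link in standby])
    active, _ = after_failure(bundle_from_text(), "gig 2/1")
    print("after gig 2/1 fails:", [link.name for link in active])
```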

The LACP configuration is very similar to PAgP. You can use the following configuration commands to accomplish this:

Switch(config)# lacp system-priority 100
Switch(config)# interface range gig 2/1 - 4, gig 3/1 - 4
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
Switch(config-if)# lacp port-priority 100
Switch(config-if)# exit
Switch(config)# interface range gig 2/5 - 8, gig 3/5 - 8
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active

We first set the system priority, in this case 100. Then we enter interface configuration mode with the interface range command, and use LACP as the EtherChannel negotiation protocol with the channel-protocol lacp command. The port priority is set to 100 on ports 1 through 4 of slot 2, and 1 through 4 of slot 3. Those same interfaces belong to EtherChannel 1 and are set to active mode (the ports will actively try to negotiate an EtherChannel by sending LACP packets). The Gigabit interfaces 2/5 - 8 and 3/5 - 8 are configured in the same manner, with the exception that the port priority is left at the default, 32,768. In this scenario, the port numbers will be the tie breakers in the election of the active links in the EtherChannel. The lower port numbers will be more preferred.

Troubleshooting EtherChannels

The most common cause of problems in EtherChannels comes from links with different port settings and abilities. If you encounter problems, check that all the required settings match on both ends. The following are important points to keep in mind when troubleshooting EtherChannel links:

PAgP, when set to desirable mode, actively tries to form the EtherChannel, but the other end needs to be configured as desirable or auto.

LACP tries to bring up an EtherChannel when one side of the bundle is configured as active. The other end of the bundle must be configured as passive or active in order for the EtherChannel to come up.

EtherChannel auto (PAgP) or passive (LACP) modes participate in the channel protocol passively, which means they need to hear from a neighbor that is actively trying (desirable or active modes) to bring an EtherChannel up.

PAgP desirable and auto modes default to the silent submode, which means they will actively try to form an EtherChannel without hearing PAgP packets. If the non-silent submode is selected, PAgP packets must be received in order for the EtherChannel to form.

There are several important commands when troubleshooting EtherChannels:

The show etherchannel summary EXEC command will show you the ports in the channel. They will be flagged to indicate the current port state.

Figure 16: Verifying EtherChannel Operation

Under the port channel, the (SU) flag should appear (Layer 2, in use) when the EtherChannel is operational. The I (stand-alone) flag means the link is up but it is not part of the EtherChannel. The remaining flags and parameters are basically self-explanatory.

The show etherchannel port EXEC command gives a lot of information, from negotiation protocol (PAgP or LACP) and mode to priority settings. You can also see information about the other end, such as the MAC address of the other end's port, its module and port number, and the partner's name.

The show interface type mod/num etherchannel EXEC command shows all active EtherChannel configuration settings for a port. This command will display errors regarding the EtherChannel formation, such as duplex or speed mismatches, different native VLANs set on the two ends, different sets of allowed VLANs on the trunk, or a trunking state mismatch.

The show etherchannel load-balance command shows the hashing algorithm or EtherChannel load-balancing method in use.

The following table lists very useful show commands when troubleshooting EtherChannels and what they display:

Display Function                                         Command Syntax
Current EtherChannel status of each member port          show etherchannel summary
                                                         show etherchannel port
Time stamps of EtherChannel changes                      show etherchannel port-channel
Detailed status about each EtherChannel component        show etherchannel detail
Load-balancing hashing algorithm                         show etherchannel load-balance
Load-balancing port index used by hashing algorithm      show etherchannel port-channel
EtherChannel neighbors on each port                      show {pagp | lacp} neighbor
LACP system ID                                           show lacp sys-id

Figure 17: EtherChannel Troubleshooting Commands

Domain 2: Implementing a Security Extension for a Layer 2 Solution

As networks have grown, so have their requirements. Corporations now run mission-critical applications in a network environment, and the means to protect data have become crucial. Securing network information while guaranteeing access to that data for allowed users has become a major field in the realm of Information Technology, Network Engineering and Administration. As technology develops, attacks to steal data and disrupt operations become increasingly more dangerous and even easier for attackers. Protecting the network environment from attacks from the inside and from the outside is an everyday challenge for Information Security Analysts and engineers. As a CCNP you are required to know how to protect the network from common and sophisticated attacks. Cisco switches are equipped with powerful means to prevent such attacks, and we will be reviewing some of them in this section. We'll review the methods available to secure switches in general, from best practices to specific prevention and mitigation of some of the most common and disruptive attacks.

Port Security

Cisco Catalyst switches offer the port security feature to control access to switch ports based on MAC addresses. Port security is most often configured on access layer switches, where users connect to the network. It is enabled on a per-interface basis.

After the port is configured with port security, it will learn and keep track of one or more MAC addresses and will expect only them to connect to the switch port. This is called the sticky feature. By default, port-security-enabled interfaces will only accept one MAC address, but the port can be configured to accept up to 1024 MAC addresses. Learned addresses can also be aged out if they are not heard on the interface after a specified period. Aging does not occur by default. MAC addresses can also be statically defined.

A violation occurs when more than the allowed maximum number of MAC addresses are learned on the port or when an unspecified, unauthorized MAC address is learned on the port. When a violation occurs, three actions are possible:

Shutdown: The port is put in the errdisable state, which effectively shuts the port down. The port must be reactivated by the network administrator with the shutdown and then no shutdown interface configuration commands, or with the errdisable recovery configuration feature.

Restrict: The port is kept up but all frames from the violating MAC address are dropped. The switch keeps track of the number of violations and can be configured to report the violations with an SNMP trap and a syslog message.

Protect: This works exactly like restrict but no record of the violation is kept.

The following are the commands used to configure the different features of port security. This one enables port security on the interface:

Switch(config-if)# switchport port-security

The following command specifies how many addresses are allowed on the interface. Remember that by default, port-security-enabled interfaces will only learn one address and consider the appearance of a second MAC address a violation:

Switch(config-if)# switchport port-security maximum max-addr

The max-addr value ranges from 1 to 1024. To statically configure an allowed MAC address for port security, use the following interface configuration command:

Switch(config-if)# switchport port-security mac-address mac-addr

The mac-addr value must be given in triplet-dotted (xxxx.xxxx.xxxx) format.

You need to define the port security violation action. The default option is shutdown. To change it, use the following command:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

You can encounter a situation where you need to clear the port cache in order to allow a new set of hosts and their MAC addresses on the port. You can do this with the following command:

Switch# clear port-security dynamic [address mac-addr | interface type mod/num]

The following is a sample configuration where we will use the port security feature on a Fast Ethernet port. We'll statically configure an allowed MAC address and set the maximum hosts allowed to 5. The violation action will be set to restrict, which will cause frames from unauthorized MAC addresses to be dropped and a log message to be issued to the console or to the syslog server if one is configured, while keeping the link up for authorized hosts:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address 0022.ff7d.b77c

In this configuration the port is an access port that belongs to VLAN 10. Port security will learn 4 additional MAC addresses besides the 0022.ff7d.b77c host that was statically configured, making a total of 5 allowed MAC addresses. If a MAC address beyond those 5 appears in the source address of a frame, the frame will be dropped and a log message will appear on the console. The log message is the following:

Apr 5 10:18: EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address e01 on port FastEthernet0/1.

There are several troubleshooting commands that you can use to verify the port security status (violation action, aging time if any, configured MAC addresses, ports in the errdisabled state, and a summary of the port security status on the system (switch)). The following are the commands and their outputs:

Figure 18: Verifying Port Security Status with show port-security interface
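With the violation action set to restrict, the only trace of dropped frames is the syslog message shown above, so the lines are worth watching. The following Python code is an added example (not from the manual) that parses %PORT_SECURITY-2-PSECURE_VIOLATION messages of that form, counts violations and distinct offending MAC addresses per port, and flags ports where several different MACs have been refused, which means more hosts than the configured maximum are behind the port (an unmanaged hub, or a maximum set too low). The log lines and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the message format quoted in the text; the port name is captured up to the
# trailing period. Pattern is this example's own, written against that sample line.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)


def parse_violation(line):
    """Return (port, mac) for a port-security violation message, or None for any other line."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    return m.group("port"), m.group("mac").lower()


def summarise(lines):
    """Map each port to {'count': number of violations, 'macs': sorted offending MAC addresses}."""
    per_port = defaultdict(lambda: {"count": 0, "macs": set()})
    for line in lines:
        parsed = parse_violation(line)
        if parsed is None:
            continue                      # unrelated syslog line
        port, mac = parsed
        per_port[port]["count"] += 1
        per_port[port]["macs"].add(mac)
    return {p: {"count": v["count"], "macs": sorted(v["macs"])} for p, v in per_port.items()}


def noisy_ports(summary, min_distinct_macs=2):
    """Ports that refused at least `min_distinct_macs` different MAC addresses."""
    return sorted(p for p, v in summary.items() if len(v["macs"]) >= min_distinct_macs)


# Constructed sample log: two hosts refused on Fa0/1 (one of them twice), one on Fa0/3,
# plus an unrelated interface message that the parser must skip.
SAMPLE_LOG = """\
Apr  5 10:18:01 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4401 on port FastEthernet0/1.
Apr  5 10:18:02 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4401 on port FastEthernet0/1.
Apr  5 10:18:05 EDT: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Apr  5 10:18:09 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4402 on port FastEthernet0/1.
Apr  5 10:18:12 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4499 on port FastEthernet0/3.
""".splitlines()

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for port, info in sorted(report.items()):
        print(f"{port}: {info['count']} violations from {len(info['macs'])} MAC(s): {info['macs']}")
    print("ports with several refused hosts:", noisy_ports(report))
```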

For a system-wide summary of ports with port security enabled, use the show port-security EXEC command. This command is useful to see the maximum allowed MAC addresses per port and the violation setting. You can also see how many addresses have been learned on each port:

Figure 19: Verifying System-Wide Port Security

You can also display a summary of ports in the errdisabled state with the following command:

Figure 20: Verifying Ports in the errdisable State

There are two ways to re-enable a port in the errdisable state. You can manually shut it down and then enable it with the no shutdown interface configuration command, or you can configure the switch to automatically recover errdisabled ports after a specified period of time. To manually make an errdisabled port active, use the following commands:

Switch(config)# interface type mod/num
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Port-Based Authentication

AAA stands for authentication, authorization and accounting within Cisco IOS devices. Port-based authentication is a Catalyst switch function that integrates AAA authentication and port security features. When it is enabled, the user must be authenticated before a port can forward any kind of traffic. After the user is authenticated, the switch makes the port fully functional. Port-based authentication is defined in the IEEE 802.1x standard. In order for hosts to use this feature, both the switch and the end user's device must support the 802.1x standard using the Extensible Authentication Protocol over LAN (EAPOL). In order for a switch with port-based authentication enabled to allow a user to transmit to the network, the user must authenticate. If the switch doesn't support 802.1x and the PC does, the user will be able to connect, as the PC will stop the protocol. If, for example, the switch has port-based authentication and the endpoint doesn't support it, the port will remain in the unauthorized state and the endpoint (the switch port to which the host is connected) won't be allowed to transmit.

802.1x EAPOL is a Layer 2 protocol, and that is why the PC or endpoint requires compatibility before being able to connect to the network. The PC won't get an IP address from a DHCP server or access any other network service before it is authenticated by the switch.

802.1x EAPOL configuration:

The 802.1x protocol uses Remote Authentication Dial-In User Service (RADIUS) servers to handle authentication. The Cisco Access Control Server (ACS) can be used as a RADIUS server. RADIUS server configuration is out of the scope of the SWITCH exam. Cisco defines a six-step procedure to configure 802.1x port-based authentication:

Step 1: Enable AAA on the switch:

Switch(config)# aaa new-model

AAA is not enabled by default. This command enables AAA and disables any old AAA models on the switch. This will wipe out any existing AAA configuration on the switch.

Step 2: Define external RADIUS servers. First, define each server with its shared secret key. This key is transparent to the port-based authentication client. It is only known by the switch and the server. Use the following command to define the RADIUS server:

Switch(config)# radius-server host {hostname | ip-address} [key string]

You can define redundant RADIUS servers by repeating the previous command.

Step 3: Define the authentication method for 802.1x. The following command makes all RADIUS authentication servers defined on the switch be used for 802.1x authentication:

Switch(config)# aaa authentication dot1x default group radius

Step 4: Enable 802.1x on the switch:

Switch(config)# dot1x system-auth-control

Step 5: Configure each switch port that will use/require 802.1x authentication:

Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

The possible 802.1x states are:

Force-authorized: The port is forced to always authorize any connected device without any authentication required. This is the default state for switch ports when 802.1x is enabled.

Force-unauthorized: The port is never allowed to authorize a connected client. The port cannot move to the authorized state regardless of the connected host or hosts, which makes it the same as if it were shut down.

Auto: The port uses 802.1x to authenticate a connected host and moves from the unauthorized state to the authorized state. This requires an 802.1x-capable client.

Notice that the default port state is force-authorized, which allows any client to pass traffic and access the network without any authentication. To effectively require authentication, you need to explicitly set each port to the auto state by issuing the dot1x port-control auto command.

Step 6: Allow multiple hosts on a switch port. If the switch is going to expect more than one host on a certain switch port (the port is connected to another switch or hub), you need to use a command to allow this behavior. By default the switch port is considered an access port with a single host connected. If you have an additional hub hanging off the access port, you need to modify the default behavior. To change this, use the following command:

Switch(config-if)# dot1x host-mode multi-host

To verify 802.1x operation on each switch port you should use the show dot1x all EXEC command.

The following is a configuration example:

Switch(config)# aaa new-model
Switch(config)# radius-server host key PrepLogic
Switch(config)# radius-server host key PrepLogicSWITCH
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range FastEthernet0/1 - 10
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto

Mitigating Spoofing Attacks

One of the most common forms of attack in today's networks is the man-in-the-middle attack, performed by spoofing information to make switches and network devices believe they are talking to authorized, known hosts or network devices. The attacker tries to spoof a router and then becomes the man in the middle, receiving packets destined to the router and then forwarding them, in order to make the attack transparent to the user.

DHCP Spoofing: Description and Mitigation

Attackers take advantage of the DHCP process when a client broadcasts a DHCP request out on its subnet. What can happen is that the attacker will attempt to reply to the DHCP request before the real DHCP server does. The attacking device will send a response to the client making the request, specifying its own IP address as the default gateway. By doing that, the attacker receives every packet destined to another network and can inspect and manipulate information before forwarding it.

Cisco switches use DHCP snooping to prevent this type of attack. DHCP snooping consists of categorizing switch ports as trusted or untrusted. When a DHCP reply message is received on an untrusted port, the packet is discarded and the port is immediately put in the errdisabled state, effectively shut down. DHCP reply messages are only allowed on defined trusted ports when DHCP snooping is enabled. DHCP snooping keeps track of MAC addresses, IP addresses leased, lease time and other information about trusted, legitimate replies. This information can be used to keep track of a lot of network activity between authorized hosts and network devices. DHCP snooping is generally used at the access layer.

DHCP snooping can be activated on a per-VLAN basis. When it is active in a VLAN, the switch builds a table of IP-address-to-MAC-address bindings for the DHCP clients on that VLAN. To enable DHCP snooping, you first need to enable it globally, and then identify the VLANs where DHCP snooping will be implemented. Finally, you need to define the trusted ports. Notice that the default state is untrusted, which means that if you don't set the right ports as trusted and a DHCP server is connected, or DHCP server traffic goes through the switch, those ports will be put in the errdisable state.

DHCP option 82, Subscriber Identification, is a very helpful feature, defined in RFC 3046. When a DHCP request is heard on an untrusted port, the switch adds its own MAC address and the port identifier in the Option 82 field and forwards the frame out a trusted port so that it can reach a trusted DHCP server. Option 82 is enabled by default when DHCP snooping is enabled. To configure DHCP snooping use the following commands:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust

You can use the show ip dhcp snooping [binding] EXEC command to display the DHCP snooping status. Here is a sample output:

Figure 21: Verifying DHCP Snooping

If you want to display all the DHCP bindings that have been overheard, use the show ip dhcp snooping binding EXEC command.

IP Source Guard

IP Source Guard is a security feature that restricts IP traffic on non-routed, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP Source Guard to prevent traffic attacks caused when a host tries to use the IP address of another device on the same VLAN to trick others into sending it traffic destined to the real PC. This is a classic spoofing scenario.

IP Source Guard can be enabled on interfaces with DHCP snooping enabled. What it does is block any IP address that is not part of a mapping in the DHCP snooping database or a static entry. A switch with IP Source Guard enabled will filter both Layer 3 and Layer 2 unknown addresses. The mechanism to achieve this is a port access control list (PACL) applied to the interface. Note that the port ACL (PACL) takes precedence over any router ACLs or VLAN maps that affect the interface. This is because the PACL is applied to the Layer 2 interface, which is the first point at which the network has a chance to apply any type of access control. Basically, when IP Source Guard is enabled on the port, the switch tests packets received on the port against one or both of the following conditions:

The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.

The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter Layer 2 traffic.

If the address is something other than the addresses learned by DHCP snooping or statically configured, the switch drops the packet or frame.

To statically configure an address binding (this is done for hosts with static IP addresses, those that are not using DHCP) use the following command:

Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num

IP Source Guard configuration is very simple. You only need to enter one command on the interface where you need to perform IP Source Guard:

Switch(config-if)# ip verify source [port-security]

The optional port-security keyword is used to inspect source MAC addresses too. Remember that IP Source Guard inspects only source IP addresses if this option is not used.

67 Maual Cisco IP Source Guard Cofiguratio Guidelies as proposed by Cisco Systems. This sectio describes the guidelies for cofigurig IP source guard i your etwork: IP source guard is supported o the policy feature card (PFC) 3 ad later versios. IP source guard is ot recommeded o truk ports. IP source guard caot coexist with PACLs. IP source guard is ot supported o EtherChael-eabled ports, ad EtherChael is ot supported o IP source guard-eabled ports. VLAN-based ACL features, such as static ARP ispectio, are disabled whe you eable IP source guard. It is recommed that you eable high availability whe usig dyamic ARP ispectio (DAI), DHCP soopig, ad IP source guard. If high availability is ot eabled, cliets have to reew their IP addresses for these features to work after a switchover. A switchover is the maual process of trasferrig the switchig fuctios to a secod redudat switch. This is doe mostly to perform etwork upgrades. DAI will be explaied i more detail, ext. High Availability will be explaied i detail i its ow domai i this guide. There are two troubleshootig commads that you should kow: Switch# show ip verify source [iterface type mod/um] This commad shows the IP Source Guard status. The ext commad should be used whe the etwork admiistrator eeds to kow the iformatio i the IP source bidig database. There you ca see both dyamically ad statically cofigured bidigs: Switch# show ip source bidg [ip-address] [MAC-address] [dhcpsoopig static] [iterface type mod/um] [vla vla-id] Dyamic ARP Ispectio (DAI) Address Resolutio Protocol (ARP) is the protocol used whe a host has a eighbor IP address ad eeds its MAC address to commuicate i Layer 2. The host trasmits a ARP request ad waits for a ARP reply from the host with the aouced IP address. This fuctios perfectly betwee trusted users, but also gives a chace for attackers to reply with their ow MAC address ad start receivig frames that were supposed to be set to aother etwork user. 
This is another form of man-in-the-middle attack, called ARP poisoning or ARP spoofing. The attacker receives the frames destined to another user, reads or modifies them, and then forwards them to the real destination, which makes the attack transparent to the end users.
To prevent this, Cisco Catalyst switches use Dynamic ARP Inspection (DAI). DAI works very similarly to DHCP snooping: it classifies ports as trusted and untrusted and relies on a database of MAC-to-IP bindings. ARP packets (requests as well as replies) received on an untrusted port are inspected; if the sender MAC/IP pair does not match a known binding, the packet is dropped and a log message is generated. No inspection takes place for ARP packets received on trusted ports. The switch obtains its bindings from the DHCP snooping database and from manually configured entries (an ARP ACL).

To enable DAI, use the following command:
Switch(config)# ip arp inspection vlan vlan-range
By default, all ports in the specified VLAN range are untrusted. You define the trusted ports (typically the uplinks to other switches that also run DAI) with the following commands:
Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust
The manually configured bindings mentioned earlier cover hosts whose addresses are not in the DHCP snooping database, that is, hosts with static IP addresses not leased by a DHCP server. To allow the ARP packets of these hosts, you define an ARP ACL listing the permitted MAC-IP bindings and apply it to DAI. Use the following commands:
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
[Repeat the permit statement for every static host that must be permitted]
Switch(config-acl)# exit
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
The ip arp inspection filter command applies the ARP ACL to DAI. The ARP ACL is checked first; packets it does not explicitly permit are then compared against the DHCP snooping bindings. The optional static keyword changes this: the switch treats the ACL's implicit deny as final and never consults the DHCP snooping database for that VLAN, so only the bindings listed in the ARP ACL are allowed.
Finally, you can further validate the contents of ARP packets. By default DAI checks only the sender MAC and sender IP fields inside the ARP body against the bindings. An attacker can still craft a frame whose Ethernet header does not agree with its ARP body, for example a frame sourced from the attacker's real MAC address that carries a victim's legitimate MAC-IP pair in the ARP payload. To catch this, DAI can cross-check the Ethernet header against the ARP body with the following command:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
The src-mac keyword checks the source MAC address of the Ethernet frame against the sender MAC address inside the ARP body, in both requests and replies.
The dst-mac keyword checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body; this check applies to ARP replies only. The ip keyword checks the ARP body for invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255 and multicast addresses): the sender IP address is checked in all ARP requests and replies, and the target IP address is checked in ARP replies only.
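To see how the trust, ARP ACL, binding and validate checks combine, here is a small Python model of the DAI and IP Source Guard decisions. It is an added example, not code from the LearnSmart manual or from Cisco, and it simplifies the real implementation: the binding table, trusted port, ARP ACL and the four packets are constructed inline, the bindings are keyed only by (MAC, VLAN), and the function names are this example's own.

```python
"""Decision logic of DAI and IP Source Guard over constructed ARP/IP traffic.

Added example; it is not code from the LearnSmart manual or from Cisco.
The binding table, trusted ports, ARP ACL and packets are all constructed
here, and the function names (dai_check, ip_source_guard_check) are this
example's own. The checks follow the description in the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Binding table as DHCP snooping (or 'ip source binding') would fill it:
# (mac, vlan) -> (ip, port).  Constructed; a real switch keys on the port too.
BINDINGS = {
    ("00:11:22:33:44:55", 10): ("10.0.10.11", "Fa0/1"),
    ("00:11:22:33:44:66", 10): ("10.0.10.12", "Fa0/2"),
}
TRUSTED_PORTS = {"Gi0/1"}  # uplink: 'ip arp inspection trust'
# ARP ACL entries, i.e. 'permit ip host <ip> mac host <mac>': a printer with a static IP
ARP_ACL = {("10.0.10.250", "00:aa:bb:cc:dd:ee")}
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass
class ArpPacket:
    port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip):
    return ip in INVALID_IPS or IPv4Address(ip).is_multicast


def dai_check(pkt, validate=(), acl_static=False):
    """Return (decision, reason) for one ARP packet.

    validate:   subset of {"src-mac", "dst-mac", "ip"}, as in 'ip arp inspection validate'.
    acl_static: the 'static' keyword of 'ip arp inspection filter'.
    """
    if pkt.port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "src-mac: ethernet source differs from arp sender mac"
    if "dst-mac" in validate and pkt.opcode == 2 \
            and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop", "dst-mac: ethernet destination differs from arp target mac"
    if "ip" in validate and (_bad_ip(pkt.sender_ip)
                             or (pkt.opcode == 2 and _bad_ip(pkt.target_ip))):
        return "drop", "ip: invalid address in arp body"
    # The ARP ACL is consulted before the DHCP snooping bindings.
    if (pkt.sender_ip, pkt.sender_mac.lower()) in ARP_ACL:
        return "forward", "arp acl permit"
    if acl_static:           # the ACL's implicit deny is final
        return "drop", "arp acl implicit deny (static)"
    bound = BINDINGS.get((pkt.sender_mac.lower(), pkt.vlan))
    if bound and bound[0] == pkt.sender_ip:
        return "forward", "sender matches dhcp snooping binding"
    return "drop", "no binding for sender mac/ip in this vlan"


def ip_source_guard_check(port, vlan, src_mac, src_ip, port_security=False):
    """'ip verify source [port-security]': the source IP (and, with
    port-security, the source MAC) must be bound to this very port."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port"
    for (mac, v), (ip, p) in BINDINGS.items():
        if v == vlan and p == port and ip == src_ip:
            if port_security and mac != src_mac.lower():
                return "drop", "source mac does not match binding"
            return "forward", "source bound to this port"
    return "drop", "source ip not bound to this port"


# Constructed traffic: a legitimate reply, a gateway-spoofing reply from an
# attacker on Fa0/3, a reply whose ARP body borrows a victim's binding, and a
# request from the statically addressed printer.
LEGIT = ArpPacket("Fa0/1", 10, "00:11:22:33:44:55", "00:11:22:33:44:66", 2,
                  "00:11:22:33:44:55", "10.0.10.11", "00:11:22:33:44:66", "10.0.10.12")
SPOOF_GW = ArpPacket("Fa0/3", 10, "00:de:ad:be:ef:01", "00:11:22:33:44:55", 2,
                     "00:de:ad:be:ef:01", "10.0.10.1", "00:11:22:33:44:55", "10.0.10.11")
BORROWED = ArpPacket("Fa0/3", 10, "00:de:ad:be:ef:01", "00:11:22:33:44:66", 2,
                     "00:11:22:33:44:55", "10.0.10.11", "00:11:22:33:44:66", "10.0.10.12")
PRINTER = ArpPacket("Fa0/7", 10, "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff", 1,
                    "00:aa:bb:cc:dd:ee", "10.0.10.250", "00:00:00:00:00:00", "10.0.10.1")

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("spoof_gw", SPOOF_GW), ("borrowed", BORROWED), ("printer", PRINTER)]:
        print(name, dai_check(pkt), dai_check(pkt, validate=("src-mac",)))
    print("isg", ip_source_guard_check("Fa0/3", 10, "00:de:ad:be:ef:01", "10.0.10.11"))
```

Compare the two results for the borrowed packet: without validate src-mac the ARP body alone matches a legitimate binding and the packet is forwarded, which is exactly the gap that ip arp inspection validate src-mac closes. The printer, which has no DHCP lease, is accepted only because of the ARP ACL, and with the static keyword the legitimate DHCP client is dropped because the bindings are no longer consulted. The last line shows IP Source Guard dropping the victim's IP address when it is used from the attacker's port.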

Best Practices for Securing Cisco Switches
As a CCNP candidate, you are required to be very knowledgeable about network security. Since the point of entry to our networks is generally a switch, it is extremely important to abide by certain rules that harden our security and make the attacker's job a painful one. These rules are as much logical, software-based controls as they are physical.
Two basic recommendations: first, physically secure switches in locked closets to which only network administrators have access. Secondly, limit the number of services running on your production Cisco equipment. Every additional service broadens the attack surface (this manual calls it the platform of attack): it opens ports that listen for input and that an attacker can probe and exploit. For instance, if the network administrators are proficient at the command-line interface and there is no need to manage the switch through its web interface, do not enable the switch's web server. The point is to keep the attack surface as small as possible and, at the very least, not to make it unnecessarily bigger.
Cisco has a number of recommendations for securing Catalyst switches that you must be aware of as a CCNP and for the SWITCH exam:
Configure secure passwords: Use enable secret rather than enable password to set the privileged-level password. enable password stores the password in clear text (or, with service password-encryption, as a type 7 string, which is a reversible obfuscation rather than real encryption), whereas enable secret stores a one-way MD5 hash (type 5) that cannot be recovered from the show running-config output. You should still enable service password-encryption so that the remaining passwords, such as line and username passwords, are at least not shown in clear text in show run; treat those as obfuscated, not protected.
The use of external AAA servers (RADIUS or TACACS+) is recommended. AAA servers should be used to authenticate administrative users and to keep usernames and passwords in a secure, central location. This also provides more centralized and scalable network management than keeping all user credentials locally on every switch.
AAA is a very powerful tool. Its configuration and details are outside the scope of this guide and of the SWITCH exam, but you should learn about it; the CCNA Security Official Certification Guide from Cisco Press has a very comprehensive introduction.
Use system banners: Banners should inform users of the acceptable-use policy and let unauthorized users know that they are not welcome, that unauthorized access is a violation of the law and that violators will be prosecuted. Avoid welcoming messages: there have been cases where intruders were acquitted or simply not prosecuted because a friendly banner implied that access to the device was allowed. The banner motd global configuration command presents a message of the day to every user who connects, before the login prompt (banner login is displayed before the username prompt, and banner exec after a successful login). Never divulge in a banner information about your network (device role, location, software version) that a malicious user could use to the organization's dismay.
Secure the web interface: If you do not need the web interface to manage and monitor the switch, simply do not activate it, or deactivate the service. Remember the attack surface: offering more services than necessary makes your system more vulnerable. You disable the web interface with the no ip http server and no ip http secure-server global configuration commands.

If you need to run a web server for whatever reason, run the secure web server (HTTPS) instead of plain HTTP: it encrypts the session, so credentials and configuration data are not exposed on the wire. You start the secure web server with the ip http secure-server global configuration command instead of ip http server, and leave plain HTTP disabled.
Another security measure recommended by Cisco is to authorize web access only from certain authorized hosts or networks. You do that by defining an access list that permits the authorized IP address or addresses and applying it to the HTTP server. The following sample configuration allows only the hosts permitted by access list 10 to access the secure web server:
Switch(config)# access-list 10 permit
Switch(config)# ip http secure-server
Switch(config)# ip http access-class 10
Secure the switch console: Regardless of physical security, always configure a password (or, better, local username or AAA authentication) for console access to the switch.
Secure virtual terminal access: Always configure authentication for access through the virtual terminal (vty) lines. This type of access uses either Telnet (clear text) or SSH (encrypted) to reach the Cisco IOS command line remotely. It is also recommended that you allow access only from authorized IP addresses, using an access list just as in the web server example. Be sure to apply the access list and the other restrictions to ALL vty lines: check how many lines your platform has with show line (many Catalyst switches have vty 0 15), because an unprotected line vty 5 15 would be the obvious way in. The following is a sample configuration:
Switch(config)# access-list 10 permit
Switch(config)# line vty 0 4
Switch(config-line)# access-class 10 in
Switch(config-line)# password 0 PrepLogic
Switch(config-line)# login
Switch(config-line)# exec-timeout 30 0
Switch(config-line)# motd-banner
Use SSH whenever possible: Telnet is not secure. Every transmitted character is sent without encryption, in the clear, which is why it is easy for an attacker who can intercept the packets to capture usernames and passwords. SSH encrypts the session and protects against this kind of attack. You should use the highest SSH version available on the switch.
Versions 1 and 1.5 are now considered weak, with known security flaws; use version 2 whenever possible. Before you can generate the RSA key pair, the switch needs a hostname and a domain name (hostname and ip domain-name); choose a modulus of at least 2048 bits, and after generating the keys restrict the switch to SSHv2 with ip ssh version 2. SSH clients always send a username, so in practice the vty lines should authenticate with login local (and a configured username with a secret) or with AAA rather than with the line password shown in this sample.
Switch(config)# crypto key generate rsa
Switch(config)# access-list 10 permit
Switch(config)# line vty 0 4
Switch(config-line)# access-class 10 in
Switch(config-line)# password 0 PrepLogic
Switch(config-line)# transport input ssh

In the first line of this configuration we generate the RSA keys that SSH uses to authenticate the switch and set up the encrypted session.
Secure SNMP access: Read/write access should be disabled to prevent unauthorized configuration changes; if you must allow it, use a hard-to-guess community string and restrict SNMP to known management addresses with an access list. Also remember that SNMP versions 1 and 2c transmit community strings and data without encryption, in the clear; SNMPv3 adds authentication and encryption and should be preferred where the management platform supports it.
Secure unused ports: Unused ports must be administratively shut down. They should also be configured as access ports, to prevent the VLAN hopping attacks described later, and assigned to an unused, bogus VLAN so that if a user gains access to the port the host is isolated in a VLAN that leads nowhere. The switchport host macro is useful here: it sets the port to access mode, enables PortFast and disables EtherChannel negotiation on the interface.
Securing the STP process: Always use BPDU guard on PortFast (end-host) ports so that a rogue switch cannot disrupt the STP process by injecting BPDUs. BPDU guard puts the port into the errdisabled state, which is effectively shut down, as soon as a BPDU is received on it. On ports that should never lead toward the root bridge, use root guard, so that a rogue switch cannot become the root switch for the STP domain.
Secure the use of CDP: Cisco Discovery Protocol (CDP) is a very handy feature for discovering neighboring devices, and it has other uses in more advanced situations. The information it provides can be a lifesaver for network administrators and is required by some network equipment, but it can also be used by malicious users to learn device models, software versions and addresses with which to craft attacks on your network platforms. CDP should only run on ports connecting to other trusted network devices, preferably trunk ports. CDP must remain enabled on interfaces connecting Cisco IP phones, which use it to learn the voice VLAN. Remember that you can disable CDP globally with the no cdp run global configuration command, or on a per-interface basis with the no cdp enable interface configuration command.
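The recommendations above lend themselves to an automated check against a saved running-config. The following Python script is an added example, not part of the LearnSmart manual and not a Cisco tool; both configurations it audits are constructed, and the checks are a simplified reading of the recommendations (banners are treated as a single line, and only the global commands and the line vty stanzas are parsed).

```python
"""Audit a Cisco IOS running-config text for the hardening points listed above.

Added example; not part of the LearnSmart manual and not a Cisco tool.
The two configs are constructed, and the checks are a simplified reading
of the recommendations (enable secret, password encryption, HTTP server,
vty access-class and SSH-only transport, SNMP read-write, CDP, banner).
Banners are treated as one line here; real configs spread them over several.
"""
import re

WEAK_CONFIG = """\
enable password cisco123
ip http server
banner motd ^C Welcome to CoreSwitch ^C
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 0 PrepLogic
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$examplehashvalue
no ip http server
no ip http secure-server
banner motd ^C Unauthorized access is prohibited and monitored. ^C
snmp-server community 7hG2kQz9 RO 20
no cdp run
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 15
 access-class 10 in
 login local
 exec-timeout 30 0
 transport input ssh
"""


def parse(config):
    """Split a config into global commands and the indented 'line ...' stanzas."""
    global_cmds, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
            continue
        line = raw.strip()
        current = line if line.startswith("line ") else None
        if current:
            stanzas.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, stanzas = parse(config)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    if has("enable password"):
        findings.append("enable password in use; replace it with enable secret")
    if not has("enable secret"):
        findings.append("no enable secret configured")
    if not has("service password-encryption"):
        findings.append("service password-encryption off; type 0 passwords readable in show run")
    if has("ip http server"):
        findings.append("plaintext HTTP server enabled; disable it or use ip http secure-server")
    if not has("no cdp run"):   # CDP is on by default and does not show up when enabled
        findings.append("CDP not disabled globally; at least disable it on ports toward untrusted hosts")
    for cmd in global_cmds:
        if re.match(r"snmp-server community \S+ RW", cmd):
            findings.append("SNMP read-write community configured")
        if cmd.startswith("banner motd") and "welcome" in cmd.lower():
            findings.append("banner motd contains a welcome message")
    for name, sub in stanzas.items():
        if not name.startswith("line vty"):
            continue
        if not any(s.startswith("access-class") and s.endswith(" in") for s in sub):
            findings.append(f"{name}: no inbound access-class")
        transports = [s for s in sub if s.startswith("transport input")]
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(f"{name}: Telnet permitted; use transport input ssh")
        if not any(s == "login" or s.startswith("login ") for s in sub):
            findings.append(f"{name}: no login authentication")
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
    return findings


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(label, audit(cfg) or "no findings")
```

Feed it the output of show running-config saved to a file and it reports the weak settings; the hardened configuration produces no findings. Note that the check for CDP relies on an explicit no cdp run, because an enabled CDP leaves no trace in the configuration.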
VLAN Security
In the past, traffic inspection and security measures were set up exclusively at router boundaries, where packets could be inspected before being forwarded. Now we can also inspect and filter traffic inside our logical networks, the VLANs. This is achieved with VLAN access control lists (VACLs).
Cisco Catalyst switches can also logically divide a VLAN into multiple groups that share the same subnet and default gateway and are either able or unable to communicate with each other, according to a set of rules. Private VLANs (PVLANs) provide this capability and are a very powerful means of securing and isolating certain users and resources from others without requiring a different logical network (that is, inside the same VLAN). They also allow for more efficient use of network resources, because broadcasts and multicasts are not delivered to isolated hosts in the VLAN.
VLAN trunks are used to connect switches carrying different VLANs, and they provide a dangerous and vulnerable point of attack when they are not physically secure or are left at their negotiation defaults. In this domain we will examine some methods to prevent the most common attacks on trunk ports and VLANs.
VACLs: VLAN access control lists are access lists used to filter traffic inside a VLAN, including traffic that never leaves the VLAN and therefore never passes through a router interface ACL. They are merged into the TCAM just like regular ACLs, which means they filter traffic at wire speed, in hardware, with no switching penalty. VACLs are configured like route maps: a series of match statements followed by an action statement, which is the route-map equivalent of the set statement.

When configuring a VACL, the first thing you must do is define it with a name. Next, you define one or more matching conditions and then the subsequent action, with an action statement. Finally, you attach the VACL to one or more VLANs, just as you attach regular ACLs to lines, services or interfaces. The command syntax is:
Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match ipx address {acl-number | acl-name}
Switch(config-access-map)# match mac address acl-name
Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}
Switch(config)# vlan filter map-name vlan-list vlan-list
It is important to understand that VACLs are applied to one or more VLANs, not to VLAN interfaces (SVIs). A VACL filters traffic within the VLAN, whereas an SVI is a Layer 3 logical router interface, the point where data leaves the VLAN; since VACLs are meant to filter data within the VLAN, it makes no sense to apply them to the SVI. VACLs have no inbound or outbound direction: they are applied to all traffic in the VLAN, whether it is bridged within the VLAN or routed into or out of it.
Private VLANs
Private VLANs (PVLANs) are simply the logical segmentation of regular VLANs. This means that hosts in a private VLAN share the same subnet but do not necessarily receive each other's broadcasts; in some cases the hosts can communicate with each other and in other cases they simply cannot. Think of a data center or server farm that uses a single subnet. Each server must be able to communicate with the router or Layer 3 switch that is its default gateway, but it would be very handy, and a resource saver, if the servers did not have to listen to each other's broadcasts and could not reach each other at all unless required. That is exactly what private VLANs provide: Layer 2 isolation between ports within the same broadcast domain, and the security inherent in blocking access to areas of the network that do not require it.
The regular VLAN is divided into several logical groups or segments. The resulting network is the private VLAN, composed of a primary VLAN and one or more secondary VLANs. Think of the primary VLAN as the regular VLAN before segmentation, and of the secondary VLANs as the new logical segments that you create to provide security or simply to keep traffic and broadcasts from being delivered where they are not needed. Hosts in a secondary VLAN can communicate with the promiscuous ports of the primary VLAN (typically the default gateway), but cannot communicate with hosts in another secondary VLAN. A secondary VLAN is configured as one of the following types:
Isolated: Hosts in an isolated secondary VLAN can only communicate with promiscuous ports in the primary VLAN. Hosts connected to the same isolated VLAN cannot communicate with each other. Isolated ports are cut off from the rest of the network, except for the promiscuous ports of the primary VLAN. A primary VLAN can have only one isolated secondary VLAN.
Community: Switch ports belonging to the same community can communicate with each other and with the promiscuous ports of the primary VLAN. They cannot communicate with ports or hosts belonging to another secondary VLAN, whether community or isolated. A primary VLAN can have several community VLANs.
Isolated secondary VLANs are frequently used by ISPs and hosting providers to isolate customers from one another: one customer's host does not need to hear broadcasts from, or reach, another customer's host, while both reach the shared gateway. A community VLAN is used to provide connectivity between several hosts (or sites) of the same customer.

Secondary VLANs must be associated with a primary VLAN. VTP versions 1 and 2 do not propagate private VLAN information to the switches in the VTP domain, so with those versions PVLANs are locally significant to a switch and must be configured on every switch that carries them (VTP version 3 can carry private VLAN configuration).
There are two types of PVLAN ports:
Promiscuous: A promiscuous port effectively ignores the PVLAN rules, because it belongs to the primary VLAN and can communicate with anything mapped to it, be it an isolated or a community secondary VLAN. The default gateway (router or SVI) and shared servers are connected to promiscuous ports.
Host: A host port connects to an end host and belongs to one secondary VLAN. It is only able to communicate with promiscuous ports and, if it belongs to a community VLAN, with the other ports of its own community.
Private VLAN configuration steps:
1. Determine how many secondary VLANs are required, which ones are going to be communities and which will be isolated. Also determine whether there will be hosts connected to promiscuous ports, that is, hosts that require communication with all hosts in the subnet regardless of the PVLAN restrictions. Create the secondary VLANs and define their type (isolated or community):
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan {isolated | community}
2. Define the primary VLAN and make the associations with the secondary VLANs:
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
3. Associate switch ports with their corresponding PVLAN. First define each port as promiscuous or host; then associate host ports with their primary and secondary VLAN. If the port is promiscuous, you need to map the primary VLAN to the secondary VLANs the port is allowed to reach.
Here are both possibilities:
Switch(config-if)# switchport mode private-vlan {host | promiscuous}
If you configured a host port, you need to associate the host's primary and secondary VLANs with the following command:
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
If the port was configured for promiscuous operation with the switchport mode private-vlan promiscuous interface configuration command, you need to map the port to the primary VLAN and to one or more secondary VLANs. Secondary VLANs can also be added to or removed from the mapping later. Use the following command to achieve this:
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

The following is a configuration example:
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 1/1 - 2
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association
Switch(config)# interface range fastethernet 1/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association
Switch(config)# interface fastethernet 1/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping ,20,30
In the previous configuration, VLANs 10, 20 and 30 are secondary VLANs. VLANs 10 and 20 are communities, which simply means that hosts in the same community can communicate with each other (hosts in VLAN 10 can talk to each other regardless of which port they are connected to) while being invisible to hosts in any other secondary VLAN of the PVLAN. Since VLAN 30 is an isolated VLAN, a host that belongs to it can only communicate with the promiscuous ports of the primary VLAN. We then create VLAN 100, define it as the primary VLAN, and associate it with the secondary VLANs we have already created. After that we go to the specific ports, define them as host ports and associate them with their corresponding primary and secondary VLANs. Finally we define the promiscuous port and map the primary VLAN and all the secondary VLANs that the port must be able to communicate with. The terminology can look confusing at first because of the multiple associations and mappings, but it is quite simple.
The first thing to keep in mind is that secondary VLANs are associated with their primary VLAN. Then the ports that only require communication with the promiscuous ports of the primary VLAN (and, for communities, with each other) are defined as host ports and associated with the proper primary and secondary VLAN. Finally the ports that are effectively inside the PVLAN but do not abide by its rules, the promiscuous ports, are defined and mapped to the secondary VLANs they are allowed to communicate with.
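To make the association and mapping rules concrete, here is a Python model of the example above, added here and not taken from the LearnSmart manual or from Cisco. The VLAN numbers, the port names and the assignment of ports to secondary VLANs are assumptions (the manual's own example leaves them out), and the reachability rules are the ones described in the text.

```python
"""Private VLAN reachability model with config rendering.

Added example; not code from the LearnSmart manual or from Cisco. VLAN
numbers, port names and the port-to-secondary assignment are constructed
to match the example above, and the rules in can_reach() encode the
description of host and promiscuous ports (community hosts reach each
other and promiscuous ports; isolated hosts reach promiscuous ports only;
promiscuous ports reach everything mapped to them).
"""
from dataclasses import dataclass

PRIMARY = 100
SECONDARIES = {10: "community", 20: "community", 30: "isolated"}


@dataclass(frozen=True)
class Port:
    name: str
    mode: str            # "host" or "promiscuous"
    secondary: int = 0   # secondary VLAN of a host port (0 for promiscuous)


PORTS = [
    Port("Fa1/1", "host", 10), Port("Fa1/2", "host", 10),   # community 10
    Port("Fa1/4", "host", 20), Port("Fa1/5", "host", 20),   # community 20
    Port("Fa1/3", "host", 30), Port("Fa1/6", "host", 30),   # isolated 30
    Port("Fa2/1", "promiscuous"),                            # default gateway
]
PORT = {p.name: p for p in PORTS}


def validate(secondaries=SECONDARIES):
    """A primary VLAN may carry many communities but only one isolated VLAN."""
    isolated = [v for v, kind in secondaries.items() if kind == "isolated"]
    if len(isolated) > 1:
        raise ValueError(f"only one isolated VLAN allowed per primary, got {isolated}")
    return True


def can_reach(src, dst):
    """Layer 2 reachability between two different ports of the PVLAN."""
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True
    if src.secondary != dst.secondary:
        return False                      # different secondary VLANs never talk
    return SECONDARIES[src.secondary] == "community"


def broadcast_receivers(src_name, ports=PORTS):
    """Ports that receive a broadcast sent by src: the flooding scope."""
    src = PORT[src_name]
    return sorted(p.name for p in ports if p is not src and can_reach(src, p))


def render_config(ports=PORTS):
    """IOS commands that implement this model (steps 1 to 3 in the text)."""
    validate()
    sec_list = ",".join(str(v) for v in SECONDARIES)
    lines = []
    for vid, kind in SECONDARIES.items():
        lines += [f"vlan {vid}", f" private-vlan {kind}"]
    lines += [f"vlan {PRIMARY}", " private-vlan primary",
              f" private-vlan association {sec_list}"]
    for p in ports:
        lines.append(f"interface {p.name}")
        if p.mode == "host":
            lines += [" switchport mode private-vlan host",
                      f" switchport private-vlan host-association {PRIMARY} {p.secondary}"]
        else:
            lines += [" switchport mode private-vlan promiscuous",
                      f" switchport private-vlan mapping {PRIMARY} {sec_list}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in PORT:
        print(f"broadcast from {name} reaches {broadcast_receivers(name)}")
    print(render_config())
```

The broadcast scopes are the quickest sanity check when planning a PVLAN: a broadcast from the isolated host on Fa1/3 reaches only the promiscuous gateway port, while one from the gateway reaches every host. The rendered commands are the same three steps as in the text with the assumed identifiers filled in.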

Private VLANs and Switched Virtual Interfaces
When an SVI (a VLAN interface configured with a Layer 3 address on a multilayer switch) routes traffic for a private VLAN, you must additionally map the secondary VLANs to the SVI, because the mappings and associations defined so far apply at Layer 2 only. Everything else is configured for Layer 2 operation as described earlier; you only add the mapping on the VLAN interface (the SVI of the primary VLAN) with the following command:
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
If we assume that secondary VLANs 10 and 20 have been created, the Layer 2 associations and mappings defined, and the SVI for VLAN 100 properly configured with its IP address, the configuration required to map the secondary VLANs to the SVI and allow routing is the following:
Switch(config)# interface vlan 100
Switch(config-if)# private-vlan mapping 10,20
Trunk Security
As we said in the introduction to this domain, it is common for network administrators to grow overconfident about trunk ports because they are usually physically secure. There are several weak points that attackers can exploit to gain unauthorized access to network resources. We will examine these possibilities and see how we can prevent and mitigate these attacks.
Switch Spoofing
The most common exploit of this kind happens when a switch port is left at its default DTP mode (dynamic auto on current platforms, dynamic desirable on some older ones). In this state the port waits for the other end to start the negotiation that forms a trunk. If a PC is connected, the port stays an access port with access only to its configured access VLAN. But this opens the possibility of a security breach: if the attacker emulates or spoofs a switch and starts sending DTP frames, a trunk is formed. By default, all VLANs on the switch are allowed on the trunk, which in essence gives the intruder access to every network that crosses the switch.
The solution to this problem is to configure the switch port so that it never negotiates a trunk, and this is achieved by configuring it as an access port, which disables DTP on the port. Trunk ports connecting the access switch to the distribution switch should be set to trunk mode unconditionally (switchport mode trunk together with switchport nonegotiate) and configured with a bogus native VLAN that is not in use anywhere in the network. Let's assume Fast Ethernet ports 1 to 24 are left unused. The following configuration puts all of them in access mode in VLAN 5, an unused VLAN:
Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if-range)# switchport access vlan 5
Switch(config-if-range)# switchport mode access
With this configuration, Fast Ethernet ports 1 to 24 are defined as access ports and will not negotiate a trunk under any circumstance. Unused ports should in addition be shut down, as described in the best practices.
VLAN Hopping
In this attack, frames are sent with two 802.1Q tags, which makes the switch or switches deliver malicious frames to hosts in a different VLAN without the use of a router. The attacker uses double tagging with its own VLAN, which must be the trunk's native VLAN, on the outer tag and the victim's VLAN on the inner tag. When the frame is forwarded out the trunk, the outer tag is stripped because it is the native VLAN, and the switch on the other end receives the frame carrying the 802.1Q tag for the VLAN the attacker intended to reach.

Several conditions must be met in the network and switch configuration for this attack to be possible, and its mitigation and prevention consist of making sure they are not met. First, the attacker must be connected to an access port whose VLAN is the same as the native VLAN of the 802.1Q trunk uplink. So if the native VLAN is 10, the attacker must also be connected to a switch port configured for VLAN 10. The attacker then builds a frame with two tags: the outer tag carries the attacker's own VLAN, the native VLAN (10), and the inner tag carries the VLAN the attacker wants to reach. The first switch accepts the frame because the outer tag matches the port's VLAN. When it forwards the frame out the trunk, it removes that tag, since native VLAN traffic is sent untagged, and transmits what it believes is an untagged frame; in reality the inner, spoofed tag is now exposed on the trunk, and the trunk port of the switch at the other end reads it as a legitimate 802.1Q tag and delivers the frame into the target VLAN. If that switch has hosts in the target VLAN, they receive the frame as if it came from a legitimate user. Note that the attack is one-way: replies from the victim go back into the victim's VLAN, not to the attacker, so it serves to inject traffic (a spoofed packet toward a host, or a denial of service) rather than to establish interactive sessions.
The first solution to this type of attack is to set the native VLAN of every trunk port to an unused VLAN, so that no access port shares it. You should also prune the native VLAN from the trunk, which confines a possible attacker (who finds out about the unused VLAN) to the trunk link. A second method to prevent the double-tagging VLAN hopping attack is to force the switch to tag frames for the native VLAN. As you know, native VLAN frames are untagged by default. If you change this behavior and make the switch tag frames for the native VLAN, the double-tagging attack becomes useless: the switch puts the frame on the trunk exactly as it was sent by the attacker, with the native VLAN tag on the outside, and the receiving switch places it in the native VLAN.
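The following Python model, an added example that is not part of the LearnSmart manual, builds a real double-tagged Ethernet frame as bytes and walks it through a simplified version of the two switches' handling: the attacker's access port, the first switch's trunk egress and the second switch's trunk ingress. The MAC addresses and VLAN numbers are constructed, and the switch behaviour is reduced to the tag-handling rules described above, so the three mitigations (matching native VLAN absent, native VLAN moved, native VLAN tagged) can be compared on the same frame.

```python
"""Double-tagged (802.1Q-in-802.1Q) VLAN hopping frame and its handling.

Added example, not from the LearnSmart manual or from Cisco. Addresses and
VLAN numbers are constructed. The switch model keeps only the tag rules
that matter for the attack: an access port accepts a frame tagged with its
own VLAN, a trunk sends the native VLAN untagged unless native tagging is
on, and a trunk classifies an incoming frame by its outer tag.
"""
import struct

TPID = 0x8100


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet II frame with zero or more 802.1Q tags (outermost first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """A frame on an access port belongs to the access VLAN; a tag equal to that
    VLAN is accepted and removed, any other tag is dropped (simplified)."""
    vids = parse_frame(frame)[2]
    if not vids:
        return frame, access_vlan
    if vids[0] == access_vlan:
        return pop_tag(frame), access_vlan
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Send a frame out an 802.1Q trunk; 'vlan dot1q tag native' is tag_native."""
    if vlan == native_vlan and not tag_native:
        return frame            # native VLAN leaves untagged: any inner tag is now the outer tag
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Classify a frame arriving on a trunk by its outer tag (or native if untagged)."""
    vids = parse_frame(frame)[2]
    if vids:
        return pop_tag(frame), vids[0]
    return frame, native_vlan


def hop_result(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """VLAN in which the second switch delivers the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:de:ad:be:ef:01", [attacker_vlan, target_vlan])
    frame, vlan = access_ingress(frame, attacker_vlan)
    frame = trunk_egress(frame, vlan, native_vlan, tag_native)
    _, delivered = trunk_ingress(frame, native_vlan)
    return delivered


if __name__ == "__main__":
    print("native = attacker VLAN:", hop_result(10, 10, 20))                   # hop succeeds, lands in 20
    print("native moved to 999:  ", hop_result(10, 999, 20))                  # stays in 10
    print("native tagged:        ", hop_result(10, 10, 20, tag_native=True))  # stays in 10
```

Only the first call lands the frame in VLAN 20. Moving the native VLAN to an unused number makes the first switch add a tag for VLAN 10 on egress, so the receiving trunk classifies the frame into VLAN 10 and the inner tag is never interpreted; tagging the native VLAN has the same effect without changing the VLAN numbers.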
To make the switch tag native VLAN traffic, use the following global configuration command:
Switch(config)# vlan dot1q tag native
Domain 3: Implementing Switch-based Layer 3 Services
InterVLAN Routing
In the past, a router was required to provide Layer 3 connectivity between VLANs. The router needed one physical or logical interface connected to each of the subnets it had to route between. Now this Layer 3 communication can be performed within the LAN by a multilayer switch.
When the router or multilayer switch connects to a trunk port on the switch and has multiple logical interfaces, the interVLAN routing is often called router on a stick, because there is a single link from the multi-VLAN switch to a router that has multiple logical Layer 3 interfaces configured on a single physical port. All VLANs cross the trunk, and the router (or Layer 3 switch) is configured with subinterfaces, one per VLAN/subnet, that receive the traffic of the different VLANs.
As we explained in the introduction to domain 1, a multilayer switch can route between hosts in different VLANs in hardware, using application-specific integrated circuits (ASICs) at wire speed, just as if it were performing Layer 2 switching. A multilayer switch can forward traffic at Layer 2 or at Layer 3. Layer 3 forwarding can be configured on a physical interface (a routed port) or on a logical interface called a switched virtual interface (SVI). When an interface is given a Layer 3 address, an IP address, it becomes the default gateway of the hosts connected to that interface or VLAN.

InterVLAN routing requires that you define the switch interface as a Layer 3 interface. By default, switch ports are configured as Layer 2 interfaces. You configure a port for Layer 3 operation with the no switchport interface configuration command; equally, if you need to change a Layer 3 port back to a Layer 2 interface, use the switchport interface configuration command. Not all Cisco Catalyst switches are multilayer switches.
You can display the current operating mode of an interface with the show interface type mod/num switchport EXEC command. The output of the command is the following:
Figure 22: Verifying a Switchport's Operation Mode
Switchport refers to Layer 2 operation. If you see Switchport: Enabled, the interface is operating at Layer 2, the default. If the output shows Switchport: Disabled, the no switchport command was used and the port is a Layer 3 interface that must be configured with an IP address and network mask. Since Layer 2 operation is transparent to the user (no configuration such as an IP address or routing protocol is necessary to make the port operational), no additional configuration is required to connect hosts or another switch to the port. On the other hand, if you set the port for Layer 3 operation, the following is the minimum configuration required for the port to be able to communicate with hosts:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]
If several ports are part of an EtherChannel that is configured as a Layer 3 interface, the IP address must be configured under the port-channel interface. You should never give an individual port an IP address if it is part of an EtherChannel bundle. For instructions on assigning an IP address to an EtherChannel, refer to domain 1.
SVI Ports
As we mentioned earlier, you can give Layer 3 forwarding functionality to a VLAN on a multilayer switch (MLS) by assigning an IP address to the VLAN interface. This is especially useful when you have several ports in the same VLAN and routing out of the VLAN is necessary.
Instead of requiring several interfaces with their own default gateways, or an additional router or Layer 3 device, you use the SVI as the point of entry into and exit out of the VLAN for all of its hosts. In the following example we create VLAN 10, name it Sales, and then create its SVI by assigning an IP address to interface vlan 10:
SwitchA(config)# vlan 10
SwitchA(config-vlan)# name Sales
SwitchA(config-vlan)# exit
SwitchA(config)# interface vlan 10
SwitchA(config-if)# ip address
SwitchA(config-if)# no shutdown

Now, to better understand the function of an SVI, suppose 8 ports on switch A belong to VLAN 10, Sales. Without an SVI we would need an additional router or Layer 3 switch connected to a trunk port of switch A in order to route traffic into or out of the subnet assigned to VLAN 10. With the SVI, switch A itself forwards all Layer 3 traffic leaving the IP subnet, with the hosts configured to use the SVI's address as their default gateway.
Multilayer Switching: Cisco Express Forwarding
Cisco Express Forwarding (CEF) is Cisco's proprietary method of Layer 3 packet forwarding. Unlike the older route-cache method (fast switching), which populated a cache only after the first packet of a flow had been process switched, CEF is topology based: it builds its forwarding tables in advance from the routing table and the ARP table, so every packet, including the first one of a flow, can be forwarded in hardware. CEF provides wire-speed performance with lookup tables that are kept in hardware, in application-specific integrated circuits (ASICs). CEF performs packet switching with two functional blocks: the Layer 3 engine and the Layer 3 forwarding engine. The Layer 3 engine acts as the router: it runs the routing protocols and keeps the routing information, whether manually configured or learned dynamically. The Layer 3 forwarding engine forwards packets in hardware toward the destinations learned and kept by the Layer 3 engine.
The Forwarding Information Base (FIB) is essentially the routing table as we understand it from traditional routers, in a new format and with a couple of differences. The FIB contains an ordered list of IP destinations, most specific (longest prefix) first, each with its associated next-hop IP address. The most specific possible entries are host routes, with a /32 network mask, which mean the FIB knows the exact route to a single destination. Unlike the traditional routing table, the FIB also holds host routes for directly connected hosts; they do not have to be configured manually and are created as those hosts are resolved through ARP. This mechanism makes the table lookup and forwarding process more efficient. The FIB receives its routes from the Layer 3 engine, which is the one running the routing protocols.
Changes made to the IP routing table or the ARP table in the Layer 3 engine must be reflected immediately in the FIB, because the FIB is what provides packet forwarding at wire speed and is the preferred functional block for this task whenever possible. You can display the FIB entries for a specific interface or VLAN with the show ip cef [type mod/num | vlan vlan-id] [detail] EXEC command. Here is a sample output:
Figure 23: Displaying the Contents of the FIB Table

You can also view FIB entries for specific IP prefixes and network masks with the following command:
Switch# show ip cef [prefix-ip prefix-mask] [longer-prefixes] [detail]
Can you change configuration settings that alter the FIB? Yes, but that is outside the scope of the SWITCH exam, as is the mechanism used to add certain specific IP routes to the FIB. There are situations where some packets are not processed by the ASICs and are handled by the CPU instead; these conditions are explained below.
The optional longer-prefixes parameter displays all FIB entries that are more specific than the given prefix, that is, that fall within it. The optional detail parameter displays additional route information, such as the version number and the epoch. The version number is the number of times the entry has been updated since the FIB was created; the epoch number is the number of times the FIB table has been cleared and rebuilt.
There are certain cases in which a packet cannot be forwarded by the Layer 3 forwarding engine in the ASICs that provide wire speed. In these cases the packet is marked as CEF punt and is sent (punted) to the Layer 3 engine to be processed and routed in software, the traditional processor-intensive path. Some of the most common conditions that cause a multilayer switch to punt a packet are:
- No entry for the destination network can be found in the FIB.
- The FIB table is full. The remedy here has more to do with proper network design and an IP addressing scheme (contiguous networks that allow route summarization) that keeps the routing table compact, possibly with default routes toward large network segments.
- The packet has to be fragmented because the MTU of the outgoing interface is exceeded.
- The IP Time-To-Live (TTL) has expired.
- The encapsulation type is not supported. The only Ethernet encapsulation supported by hardware switching is ARPA.
The packet has bee subject of security mechaisms such as tuelig, ecryptio, compressio or has triggered the log optio i a local access list. The packet is destied out a iterface cofigured with the ip at outside iterface cofiguratio commad, which meas a Network Address Traslatio (NAT) operatio is required. Oly a few high-ed MLSs ca provide NAT operatio i hardware. I short, a packet is marked as CEF-put whe its route to the destiatio is ot foud i the FIB table or whe the packet requires some special hadlig or features that are ot curretly supported or performed i hardware at wire speed. LearSmart Cloud Classroom: Video Traiig Mauals
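The following Python model is an added example, not code from the manual or from Cisco IOS. It shows the two ideas of this section together: the longest-prefix lookup that a FIB performs, and the punt decision that keeps a packet off the hardware path when one of the conditions listed above applies. The FIB contents, the packet fields and the MTU value are constructed for the example; real CEF keys its table differently and evaluates these checks in ASIC pipelines, but the decision logic is the same.

```python
import ipaddress

# Constructed sample FIB: prefix -> next hop (None marks a directly attached network
# reached through an SVI). No default route, so unmatched destinations punt.
FIB = {
    "10.1.0.0/16": "10.0.0.2",
    "10.1.5.0/24": "10.0.0.3",
    "192.168.1.0/24": None,
}
SUPPORTED_ENCAPS = {"arpa"}   # the text: ARPA is the only hardware-switched encapsulation
INTERFACE_MTU = 1500          # assumed outbound MTU for the example


def longest_match(fib, dst):
    """Return (network, next_hop) for the most specific prefix covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forwarding_decision(fib, pkt):
    """Decide whether a packet stays in the hardware path or is punted.

    pkt is a constructed dict: dst, ttl, size, and optionally encap, nat_outside, acl_log.
    Returns ("hw", next_hop) or ("punt", reason); the reasons follow the list in the text.
    """
    if pkt.get("encap", "arpa") not in SUPPORTED_ENCAPS:
        return ("punt", "unsupported encapsulation")
    if pkt["ttl"] <= 1:                       # would expire when decremented on this hop
        return ("punt", "TTL expired")
    if pkt["size"] > INTERFACE_MTU:
        return ("punt", "fragmentation required")
    if pkt.get("nat_outside"):
        return ("punt", "NAT required")
    if pkt.get("acl_log"):
        return ("punt", "access list log option")
    match = longest_match(fib, pkt["dst"])
    if match is None:
        return ("punt", "no FIB entry")
    net, next_hop = match
    return ("hw", next_hop if next_hop is not None else "attached %s" % net)
```

A destination such as 10.1.5.7 matches both 10.1.0.0/16 and 10.1.5.0/24 and is sent to the /24's next hop; the checks before the lookup are the ones that punt a packet even when a route exists, which is why a switch showing high CPU can have a perfectly healthy FIB.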

So far we've discussed the scenario where the FIB is maintained completely in one MLS platform. There is also the possibility of splitting the load among several switches in order to improve efficiency when forwarding packets. Specialized hardware is required for this, and there are two CEF methods that allow this behavior:

1. Accelerated CEF (aCEF): In this mode CEF is distributed across multiple Layer 3 Forwarding Engines, currently in the form of line cards. Only a portion of the FIB is downloaded to each engine, because they generally do not have the capacity to receive and hold the entire table. The routes kept in the partial FIB tables are the ones most likely to be used again. If a route is not found, a request is made to the Layer 3 Engine and the FIB table is updated. As you can see, the result is very fast forwarding, but not necessarily at wire speed.
2. Distributed CEF (dCEF): In this method CEF is fully distributed among several Layer 3 Forwarding Engines. This provides considerably increased performance. Since the whole FIB table is replicated, there can be as many Layer 3 Forwarding Engines as necessary. A central Layer 3 Engine is used with this method to maintain the routing table and populate the FIB tables in the Layer 3 Forwarding Engines on the line cards.

Adjacency Table

The CEF adjacency table is the Layer 3 Forwarding Engine equivalent of the ARP table in a standard router. It is the part of the FIB where the Layer 3 to Layer 2 mappings are kept, specifically for each Layer 3 next-hop address, which can always be reached at Layer 2. To display the adjacency table contents, use the following command:

Switch# show adjacency [type mod/num | vlan vlan-id] [summary | detail]

You can view the adjacencies on a certain interface or VLAN. You can also display the number of adjacencies stored for both physical and VLAN interfaces using the summary optional keyword, as follows:

Switch# show adjacency summary

In addition, you can see much more information with the detail keyword. The following example shows actual output:

Figure 24: Showing Interface Adjacencies

As you can see, there are both Layer 3 and Layer 2 addresses in the output of this show command. The MAC addresses are the equivalent of the first 3 octets in the long hex string below each IP address. The remainder of the string is the hex values that are a combination of the device IP address and the EtherType value.

As we mentioned, the adjacency table is built from the ARP table of the Layer 3 Engine. If the FIB table doesn't have an ARP entry associated with an IP address entry, the switch can't forward the packet at wire speed, and the packet is sent to and processed by the Layer 3 Engine. When the Layer 3 Forwarding Engine can't forward frames because the ARP entry doesn't exist in the adjacency table, the FIB entry is marked as CEF glean. The packet is sent to the Layer 3 Engine, which sends an ARP request. After receiving an ARP reply, it is able to forward the packet.

While in the CEF glean state, and in order to prevent the Layer 3 Engine from being overwhelmed with duplicate ARP requests, the multilayer switch drops all packets destined for an entry whose adjacency is in the glean state. This feature is called ARP throttling or throttling adjacency. ARP throttling makes the multilayer switch wait for an ARP reply for 2 seconds before sending a new ARP request. When an ARP reply is received, the ARP throttling is released and ARP requests are sent when needed. The FIB table is updated and Layer 3 packet forwarding with the Layer 3 Forwarding Engine, at wire speed, resumes.

There are several types of adjacency possible in the adjacency table. They are helpful to the forwarding process. Here are some of the more important types:

- Null adjacency: Used for routes pointing to the null interface.
- Drop adjacency: Used for packets meant to be dropped by the switch, due to an unsupported protocol, an encapsulation failure, an unresolved address or a checksum error, among others.
- Discard adjacency: Used when packets must be discarded because of an access list deny match or other policy.
- Punt adjacency: Used when the packet cannot be forwarded by the Layer 3 Forwarding Engine and must be punted to the Layer 3 Engine.

You can analyze CEF punt activity with the show cef not-cef-switched EXEC command. It shows the reasons for the CEF punt condition. The possible CEF punt reasons are the following:

- No_adj: An incomplete adjacency.
- No_encap: An incomplete ARP resolution.
- Unsupp'ted: Unsupported packet features.
- Redirect: ICMP redirect.
- Received: Packets destined for Layer 3 Engine interfaces.
- Options: IP options that cannot be analyzed in hardware are present.
- Access: Access list evaluation failure.
- Frag: Fragmentation failure.
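The glean state and ARP throttling described above are easier to reason about with a small timeline, so here is an added Python model (not code from the manual or from IOS). It keeps an adjacency table keyed by next-hop address, punts the first packet for an unresolved next hop so that the Layer 3 Engine can send an ARP request, drops further packets for that next hop during the 2-second throttle window, and resumes hardware forwarding once an ARP reply completes the adjacency. The next-hop addresses, MAC addresses and timestamps are constructed; the clock is a plain float passed in by the caller so the sequence is reproducible offline.

```python
GLEAN = "glean"
ARP_THROTTLE_SECONDS = 2.0   # the text: wait 2 seconds for a reply before another ARP request


class AdjacencyTable:
    """Maps a next-hop IP to its Layer 2 rewrite MAC, or to GLEAN while ARP is pending."""

    def __init__(self):
        self.entries = {}        # next_hop -> MAC string, or GLEAN
        self.arp_sent_at = {}    # next_hop -> time (s) the last ARP request was sent
        self.arp_requests = []   # (next_hop, time) for every ARP request the L3 engine sent

    def forward(self, next_hop, now):
        """Return ("hw", mac), ("punt", reason) or ("drop", reason) for one packet at time now."""
        mac = self.entries.get(next_hop)
        if mac is not None and mac != GLEAN:
            return ("hw", mac)                       # adjacency complete: rewrite in hardware
        self.entries[next_hop] = GLEAN               # no ARP entry: mark the adjacency glean
        last = self.arp_sent_at.get(next_hop)
        if last is None or now - last >= ARP_THROTTLE_SECONDS:
            self.arp_sent_at[next_hop] = now
            self.arp_requests.append((next_hop, now))
            return ("punt", "glean: ARP request sent")
        return ("drop", "glean: ARP throttled")     # throttling adjacency drops the packet

    def arp_reply(self, next_hop, mac):
        """An ARP reply completes the adjacency and releases throttling for that next hop."""
        self.entries[next_hop] = mac
        self.arp_sent_at.pop(next_hop, None)

    def summary(self):
        """Counts in the spirit of 'show adjacency summary'."""
        return {"complete": sum(1 for m in self.entries.values() if m != GLEAN),
                "glean": sum(1 for m in self.entries.values() if m == GLEAN)}


def glean_timeline():
    """Constructed sequence of packets to 10.0.0.3 while its ARP entry is missing."""
    adj = AdjacencyTable()
    adj.entries["10.0.0.2"] = "0011.2233.4455"        # constructed: already-resolved neighbour
    results = [adj.forward("10.0.0.3", t)[0] for t in (0.0, 0.5, 1.9)]
    results.append(adj.forward("10.0.0.3", 2.1)[0])    # throttle window expired: new ARP request
    adj.arp_reply("10.0.0.3", "0011.2233.66aa")        # constructed reply MAC
    results.append(adj.forward("10.0.0.3", 2.2)[0])
    return results, len(adj.arp_requests), adj.summary()
```

Running glean_timeline() gives punt, drop, drop, punt, hw: two ARP requests for five packets, which is the whole point of throttling, and a reminder that a burst of traffic to a not-yet-resolved host loses packets until the reply arrives.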

After the FIB entry has been found in the table, one final step is taken before actually forwarding the packet. The Layer 2 frame header contains the MAC address of the receiving switch interface, and it must be rewritten with the MAC address found for the destination entry in the adjacency table. This is the same thing that a standard Layer 2 switch would do when forwarding frames. Remember that during the transport of a packet, the IP addresses never change while traversing the network, but the Layer 2 MAC addresses are constantly rewritten to indicate the next source and destination MAC address along the path. The same happens with the source address, which has to become the MAC address of the port through which the packet is going to be forwarded. After the frame addresses are changed, the frame checksum needs to be recalculated, and the same happens at Layer 3, because the TTL value needs to be decremented by one and the IP header checksum recalculated accordingly. The packet rewrite is done very efficiently with the use of specialized hardware, the Application Specific Integrated Circuits (ASICs).

Configuring CEF

CEF is enabled by default on all CEF-capable Catalyst switches. In some Catalyst switches, CEF runs with the IOS and can never be disabled. You can disable CEF on a per-interface basis on switches that allow it, with the no ip route-cache cef or no ip cef interface configuration commands, depending on the Catalyst switch model.

The first thing to do is verify that the port is configured as a Layer 3 port with the following command:

Switch# show interface type mod/num switchport

Remember, when you see switchport, think Layer 2. In this case, disabled means the port is disabled for Layer 2 switching and enabled for Layer 3 switching. If the port is configured for Layer 2 operation, the command will display VLAN information: whether it is an access or trunking port, the trunking mode and the native VLAN.

To verify the configuration of an SVI, use the following command:

Switch# show interface vlan vlan-id

If there is no output, that means the VLAN interface is shut down or the VLAN hasn't been created in the switch. Use the show vlan EXEC command to view all configured VLANs. You will see all the VLAN names and the ports associated with each VLAN. To display information regarding the IP configuration of an interface, use the show ip interface command.

Here is a sample output:

Figure 25: Output from the show ip interface Command

You can also use the show ip interface brief EXEC command to display some information about Layer 3 interfaces. This is a very well-known command from the CCNA studies. It displays the physical interfaces and SVIs, their IP addresses and their operational status at both Layer 1 and Layer 2.

To verify CEF operation, use the show ip cef EXEC command. The following is a sample output:

Figure 26: Verifying CEF Operation

The entries marked with the next hop receive are the ones that are directly connected and will be handled by the Layer 3 Engine (CPU, not wire speed). The ones marked attached are those packets that must be routed through an SVI. You usually need to check this information if you are having performance issues and you think the MLS is not routing at wire speed. You can confirm this by checking the FIB table and/or by checking the previous output. You can also display the FIB table contents based on the interface, with the following command:

Switch# show ip cef type mod/num [detail]

Using DHCP with a Multilayer Switch

When a port of a multilayer switch is configured as a Layer 3 interface, hosts connected to it should be configured with the IP address of the interface as their default gateway. Hosts can be configured manually, but that is very inefficient from a network management perspective as the network grows. That is where the Dynamic Host Configuration Protocol (DHCP) plays a role. As we learned in the CCNA studies, DHCP is a service where a remote server assigns IP addresses, the default gateway and DNS server IP addresses to hosts requesting configuration with a DHCP Discover message. Other parameters can also be sent to the requesting device. When a host needs an IP address, it attempts to contact a DHCP server and the procedure is as follows:

1. The client sends a DHCP Discover broadcast message. The client sends the broadcast at Layer 2 using its MAC address as the source address and, since the message is a broadcast, ffff.ffff.ffff as the destination address.
2. A DHCP server present in the subnet responds with a DHCP Offer message. This offer contains an IP address, subnet mask, default gateway, DNS server or servers and other parameters. The DHCP server also sends its own IP address to identify itself, because there could be more than one DHCP server in the subnet. Since the client doesn't have an IP address yet, the DHCP Offer is sent as a broadcast.
3. The client sends a DHCP Request. In this message the client accepts the configuration parameters that the DHCP server sent in the DHCP Offer message. This message is also sent as a broadcast, because the client still doesn't have a valid IP address.
4. Finally, the DHCP server replies with a DHCP ACK message. The IP address and parameters offered in the DHCP Offer message are sent again as a confirmation that they are available and approved for the host to use in the subnet. This message is also sent as a broadcast.

DHCP servers were originally designed to operate in the same broadcast domain (subnet/VLAN) as the hosts they were meant to serve. Now you can configure DHCP relay agents on Layer 3 devices such as a multilayer switch. You can then configure one centrally located DHCP server (or a pair for redundancy) for dynamic configuration of hosts in several subnetworks. Without the DHCP relay agent, DHCP servers would only be able to provide configuration parameters inside their own broadcast domain.

A router or a multilayer switch can also be used as a DHCP server. The configuration is as follows:

Switch(config)# ip dhcp excluded-address start-ip end-ip
Switch(config)# ip dhcp pool pool-name
Switch(config-dhcp)# network ip-address subnet-mask
Switch(config-dhcp)# default-router ip-address [ip-address2] [ip-address3] ...
Switch(config-dhcp)# lease {infinite | days [hours [minutes]]}
Switch(config-dhcp)# exit

We first configure the excluded range of addresses. These are the IP addresses that will be used by hosts that require a static IP address in the subnet, or simply a group of addresses on the subnet that you do not wish to hand out to end devices. Network devices such as switches, routers, access points and servers all require static IP addresses. We then define and name a DHCP pool and, in DHCP configuration mode, define the network we will be granting IP addresses from, the default gateway and the lease time. If not defined, the lease time is 1 day by default. Hosts renegotiate their IP address at about half the lease time and decide whether they will keep the leased IP address.

DHCP Relay Agent

As was explained earlier, most production DHCP server deployments are centralized for all or most subnets where clients require DHCP services. As we explained, DHCP messages are sent as broadcasts, which means they are contained by router or Layer 3 MLS interfaces and kept inside the VLAN. The DHCP relay agent allows us to place the DHCP server in a centralized location in the network and provide DHCP parameters to hosts in more than one IP subnet. The DHCP relay agent listens for the DHCP Discover broadcast from clients, intercepts it and then forwards the packet as a unicast to the DHCP server. There is a field in which the router adds the IP address of the interface that received the DHCP broadcast. That is how the DHCP server knows from which IP subnet (DHCP pool) it should send the DHCP Offer. The response is sent back to the relay agent, which forwards the offer to the host that issued the DHCP Discover message.

To configure an MLS as a DHCP relay agent, use the ip helper-address interface configuration command on the Layer 3 interface connected to the IP subnet that hosts the endpoints requiring DHCP configuration. This will be either a router interface or a logical Layer 3 VLAN interface on a multilayer switch. You can use the ip helper-address command as many times as you want; this causes the router or MLS acting as a DHCP relay agent to forward the DHCP request to all the addresses configured with the command. All DHCP servers will reply to the relay agent, and it will forward all DHCP Offers to the host, which will have to decide which one to accept and use. The following is a sample configuration of a DHCP relay agent:

Switch(config)# interface vlan 10
Switch(config-if)# ip address
Switch(config-if)# ip helper-address
Switch(config-if)# exit

In this configuration the SVI acts as the default gateway of hosts connected to ports that belong to VLAN 10. A DHCP server must be properly configured with the address
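To make the Discover/Offer exchange and the relay agent's role concrete, here is an added Python model covering both the DHCP procedure and the relay agent described above. It is not code from the manual and does not speak real DHCP on the wire: messages are dictionaries, and "unicast delivery" is a lookup in a dictionary of servers. What it does reproduce is the part that matters for design: the excluded-address range, the pool chosen from the network statement, and the relay field (giaddr) that the relay agent fills with its ingress interface address so the server can pick the right pool. The addresses 10.0.0.5, 10.0.0.6, 192.168.10.0/24 and the client MACs are constructed.

```python
import ipaddress


class DhcpPool:
    """One 'ip dhcp pool' with its network, default-router and lease (days)."""

    def __init__(self, name, network, default_router, lease_days=1):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.default_router = default_router
        self.lease_days = lease_days


class DhcpServer:
    """Minimal server: pools, 'ip dhcp excluded-address' ranges, pool selection by giaddr."""

    def __init__(self, address):
        self.address = address
        self.pools = []
        self.excluded = set()
        self.leases = {}         # client MAC -> assigned address

    def exclude(self, start_ip, end_ip):
        first, last = int(ipaddress.ip_address(start_ip)), int(ipaddress.ip_address(end_ip))
        self.excluded.update(ipaddress.ip_address(n) for n in range(first, last + 1))

    def add_pool(self, pool):
        self.pools.append(pool)

    def select_pool(self, giaddr):
        # giaddr carries the relay interface address; 0.0.0.0 means the client shares
        # the server's own subnet, so the server's address selects the pool instead.
        key = ipaddress.ip_address(self.address if giaddr == "0.0.0.0" else giaddr)
        return next((p for p in self.pools if key in p.network), None)

    def handle(self, msg):
        """Answer a DISCOVER with an OFFER dict, or None if no pool or free address exists."""
        if msg["type"] != "DISCOVER":
            return None
        pool = self.select_pool(msg["giaddr"])
        if pool is None:
            return None
        if msg["chaddr"] in self.leases:
            host = self.leases[msg["chaddr"]]
        else:
            taken = set(self.leases.values())
            host = next((h for h in pool.network.hosts()
                         if h not in self.excluded and h not in taken), None)
            if host is None:
                return None
            self.leases[msg["chaddr"]] = host
        return {"type": "OFFER", "yiaddr": str(host), "mask": str(pool.network.netmask),
                "router": pool.default_router, "server": self.address,
                "lease_days": pool.lease_days, "giaddr": msg["giaddr"]}


class RelayAgent:
    """Models 'ip helper-address' on an SVI: set giaddr to the ingress interface address,
    unicast the DISCOVER to every configured helper and collect the OFFERs for the client."""

    def __init__(self, interface_ip, helper_addresses, servers_by_ip):
        self.interface_ip = interface_ip
        self.helpers = helper_addresses
        self.servers = servers_by_ip    # constructed stand-in for unicast delivery

    def relay(self, broadcast):
        offers = []
        for helper in self.helpers:
            server = self.servers.get(helper)
            if server is None:
                continue                       # unreachable helper: nothing comes back
            unicast = dict(broadcast, giaddr=self.interface_ip)
            offer = server.handle(unicast)
            if offer is not None:
                offers.append(offer)
        return offers


def relay_demo():
    """Constructed topology: server 10.0.0.5 serving VLAN 10 (192.168.10.0/24) via an SVI."""
    server = DhcpServer("10.0.0.5")
    server.exclude("192.168.10.1", "192.168.10.10")       # gateway and static devices
    server.add_pool(DhcpPool("VLAN10", "192.168.10.0/24", "192.168.10.1"))
    relay = RelayAgent("192.168.10.1", ["10.0.0.5", "10.0.0.6"], {"10.0.0.5": server})
    discover = {"type": "DISCOVER", "chaddr": "aabb.cc00.0001", "giaddr": "0.0.0.0"}
    first = relay.relay(discover)
    second = relay.relay(dict(discover, chaddr="aabb.cc00.0002"))
    return first, second
```

The first client receives 192.168.10.11, the first address after the excluded range, and the offer's giaddr is the SVI address, which is exactly the field a centralized server uses to tell subnets apart. The second helper address is unreachable in this model and simply contributes no offer, mirroring the text's point that the client ends up choosing among whatever offers do come back.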

Domain 4: Preparing the Infrastructure to Support Advanced Services

Today's networks do not only carry data as they used to; there are now more requirements, as campus networks carry a great deal of voice and video communications. The switched campus network must be designed and properly configured to handle the current demands of voice, video and wireless traffic. With VoIP (IP telephony) the main consideration involves network congestion avoidance with a set of techniques known as Quality of Service (QoS). VoIP traffic cannot compete with data for available bandwidth because of the nature of live voice communications. There are also security considerations that must be addressed. In this domain we will explore the options and features in Cisco Catalyst switches that allow our switched networks to operate efficiently, carrying and delivering data, voice and video.

Voice over IP (VoIP) / IP Telephony

Cisco telephony devices, IP phones and the like, require power to function. Most Cisco IP phones can be plugged directly into a wall power outlet. Many times this is not the best solution, as it requires every phone to have an available AC power outlet nearby. A better alternative is Power over Ethernet (PoE). PoE is how low-voltage electricity is sent to IP phones and other network devices over standard Ethernet cables. PoE can also resolve the problem of VoIP phones being out of service during a power outage. With PoE there is a centralized point, the wiring closet where the IP phones connect to the access layer switch, at which to offer a backup in case of electrical failure. Instead of requiring a UPS at every single point where an IP phone is present, you can guarantee that all IP phones remain operational during a power outage by providing a backup to the access layer switch. PoE also saves money because an additional AC adapter is not required.

Power over Ethernet is available in two methods in Cisco Catalyst switches:

- Cisco Inline Power (ILP): The Cisco-proprietary method that was the first method of delivering power to network devices through data cables.
- IEEE 802.3af: The IEEE standard, which allows Cisco switches to provide power over Ethernet to non-Cisco network devices.

Some older Cisco phones and wireless access points only operate using ILP. Therefore, Cisco switch ports can detect either ILP-only PoE devices or ones that are capable of 802.3af. In addition, some older switches only offer ILP power. If that is the case, they may not be able to power some 802.3af devices. You will need to do some research to make sure your PoE switch operates with the PoE end device. Fortunately, ILP is quickly becoming a thing of the past, and most switches and end devices in production today are 802.3af capable.

Cisco switches don't offer power constantly on the line. They try to detect whether a connected device requires power, using a different detection method for each of the two PoE methods.

When using the IEEE 802.3af standard, the switch applies a small voltage to both the sending and receiving twisted pairs, and if it measures 25K ohm on the line, that means an IP phone is connected, and it then proceeds to apply power. IEEE 802.3af defines 4 power classes, and there is a new one that newer Cisco switches can identify and use, defined in the IEEE 802.3at standard. Depending on the resistance measured, the Cisco switch applies the proper power to the network device, in this case an IP phone. Remember that this can also be a wireless access point (WAP), a video surveillance system or any other network device compatible with 802.3af. The following is a table of the 802.3af power classes:

Power Class | Maximum Power Offered at 48V DC | Notes
0 | (value not legible) W | Default class
1 | (value not legible) W | Optional class
2 | (value not legible) W | Optional class
3 | (value not legible) W | Optional class
4 | Up to 50 W | Optional class (802.3at)

Figure 27: 802.3af Power Classes

For Cisco Inline Power (ILP), the switch sends a tone pulse called Fast Link Pulse (FLP), and only a Cisco pre-standard, ILP-capable IP phone will be able to loop the tone back. When the switch receives the tone back, it knows an ILP-capable IP phone is connected and then applies a very small amount of power (6.3W) to the line. The IP phone powers up and asks for its correct power requirements using Cisco Discovery Protocol (CDP) messages. If CDP is turned off on the switch or the interface, the maximum power (15.4W) is applied to the port.

You must consider PoE when designing your campus network, because IP phones will only use the amount of power they need and the remainder will be lost. Most switches cannot provide the maximum amount of power to all their ports. If the maximum power output is reached, the switch will only power the lower ports until it has no more power. This is called oversubscription. Using a hypothetical example, if a switch has 24 ports and is capable of providing 100W, has IP phones connected on ports 0-9, and CDP is turned off on the switch, 15.4W are going to be applied to every port, which means we will see an oversubscription case. Since only 6 ports can be powered at 15.4W, only ports 0-5 will be powered while the others remain without power. Remember oversubscription and its possibilities when designing access layer switches and features. Cisco recommends as a best practice that you manually configure the amount of power supplied to the port.

PoE Configuration

By default, Cisco switch ports automatically detect whether PoE devices are connected and automatically detect their power requirements. You can configure switch ports to never provide power to connected devices or to provide a fixed amount of power. To do that, use the following interface configuration command:

Switch(config-if)# power inline {auto [max milli-watts] | static [max milli-watts] | never}
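The oversubscription example above (24 ports, a 100 W budget, phones on ports 0-9, CDP off) can be checked with a short budgeting function. This is an added Python example, not code from the manual or from any Cisco tool; the allocation rule it implements is the one the text states, lower-numbered ports first until the budget is exhausted, and the 7.0 W per-phone requirement it uses for the CDP-on case is a constructed value. The max_w field stands in for the max milli-watts option of the power inline command, expressed in watts.

```python
CDP_OFF_DEFAULT_W = 15.4   # the text: maximum applied when CDP cannot negotiate the need
PHONE_NEED_W = 7.0         # constructed: what a phone asks for over CDP in this example


def allocate_poe(budget_w, ports):
    """Grant power to ports in ascending order until the budget runs out (oversubscription).

    ports: list of dicts {port, device_w (None if nothing connected), cdp (bool),
    mode ("auto" | "static" | "never"), max_w (optional cap, as in 'max milli-watts')}.
    Returns {port: watts granted}; ports that did not fit in the budget are absent.
    """
    remaining = budget_w
    granted = {}
    for p in sorted(ports, key=lambda x: x["port"]):
        if p["device_w"] is None or p.get("mode") == "never":
            continue
        # Without CDP the switch cannot learn the real need and applies the maximum.
        need = p["device_w"] if p.get("cdp", True) else CDP_OFF_DEFAULT_W
        # A configured max caps what the port will ever supply, whatever the device asks.
        if p.get("max_w") is not None:
            need = min(need, p["max_w"])
        if need <= remaining:
            granted[p["port"]] = need
            remaining -= need
    return granted


def phone_ports(count, cdp, max_w=None, mode="auto"):
    """Constructed 24-port switch with IP phones on ports 0..count-1."""
    ports = [{"port": i, "device_w": None} for i in range(24)]
    for i in range(count):
        ports[i] = {"port": i, "device_w": PHONE_NEED_W, "cdp": cdp,
                    "mode": mode, "max_w": max_w}
    return ports


def powered_ports(budget_w, ports):
    """Sorted list of the ports that actually receive power."""
    return sorted(allocate_poe(budget_w, ports))
```

With CDP off, powered_ports(100, phone_ports(10, cdp=False)) returns ports 0 to 5 only, reproducing the text's figure; with CDP on, or with a per-port max of 7 W configured on the ports, all ten phones fit. The function also shows why a spoofed device that claims the maximum starves the higher-numbered ports: capping each port is the mitigation the text recommends, and the budget arithmetic is what you would verify against show power inline.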

Theoretically, it is possible that a malicious user spoofs an IP phone or any other PoE device and requests the maximum amount of power, taking away resources unnecessarily, which could lead to depletion and a form of denial of service attack. This is why it is recommended that you manually configure the amount of power supplied to the port whenever possible. Many specialists use this as a general rule in the Cisco world: never use an auto option if there is another feasible option.

Auto is the default option. You can use the static keyword to supply a fixed or static amount of power regardless of what the IP phone (or any other connected PoE device) tries to obtain. You can also use the max keyword to define the maximum amount of power to be provided through the port. To disable PoE, use the never keyword. To display the Power over Ethernet status of a switch, use the show power inline EXEC command.

Figure 28: Verifying PoE

To display the PoE status of a specific port, use the interface type mod/num optional parameter. The command to display, for instance, the PoE status of Fast Ethernet 0/5 is show power inline fastethernet 0/5.

Voice VLANs

When an IP phone is connected to an access layer switch, the data stream coming from a connected PC (through the IP phone's Ethernet port) and the voice stream from the phone can be configured to use the same or separate VLANs. The VLAN to which the voice stream is assigned is called the voice VLAN. The main function of the voice VLAN is to allow network devices like switches and routers to classify traffic according to certain parameters, offering security and the ability to prioritize voice traffic above data traffic through the use of Quality of Service traffic engineering. The security aspect provided by the voice VLAN comes from effectively separating data traffic from voice traffic, which in essence makes it impossible for attackers to intercept and capture voice traffic when they gain access to the data VLAN, be it by accessing an authorized endpoint or by accessing a physically insecure access layer switch port.

If the voice VLAN is not used, both voice and data traffic will be in the native VLAN and Quality of Service features won't be used. This can result in voice quality issues, because all traffic will compete for the limited resources of the switch and/or router and for limited bandwidth.

Cisco IP phones usually have one or more ports to which you can connect a user PC, giving it access to the upstream switch. They can handle traffic from two VLANs, the voice VLAN and the data VLAN. The connection from the Cisco IP phone to the switch can be configured as an 802.1Q trunk, as an access port, and now as something very useful and secure sometimes referred to as a quasi-access port or mini-trunk. The quasi-access port or mini-trunk offers the added benefit of increased security. The mini-trunk configuration is as follows:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20

You configure the switch port as an access port with the switchport mode access interface configuration command, then assign the port to access VLAN 10, the data VLAN. You then specify and allow voice VLAN 20 on the port. All VLANs used must have been created beforehand. This increases security because before, a trunk had to be configured on the uplink to the switch, and a user only had to use the cable connecting to the IP phone to gain access to the trunk port, which could result in a VLAN hopping attack. Strangely, Cisco doesn't mention this recent feature in the official material for the SWITCH exam, and you probably shouldn't expect the concept or configuration in the exam, but we consider the information far too important not to mention. This is the way you must configure ports connecting to IP phones in production networks, for the optimal security architecture and design.

For the exam, we have four scenarios made possible with the use of the following command:

Switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}

1. switchport voice vlan vlan-id (VVID): Here, both data and voice use their own VLAN. Data traffic uses the native VLAN, in untagged frames. Traffic is separated and QoS features (Class of Service, CoS, bits in the 802.1p encapsulation) can be implemented. The voice VLAN (VVID) is tagged. The special-trunk case is created in this scenario if the switch port is configured as an access port. Only two VLANs are allowed to cross this special trunk: the VVID and native VLAN frames. The voice VLAN has to be created beforehand. QoS is possible (tagged with a Layer 2 CoS priority value).
2. switchport voice vlan dot1p: In this scenario the special trunk is also created. The voice VLAN is VLAN 0. No VLAN needs to be created beforehand, because voice frames are sent in VLAN 0 and data frames are sent in the native VLAN. QoS can be used (tagged with a Layer 2 CoS priority value).
3. switchport voice vlan untagged: Just like with dot1p encapsulation, the special-case trunk is created, but no voice VLAN is used. All traffic is sent using the native VLAN. No QoS is possible (no Layer 2 CoS priority value).
4. switchport voice vlan none: Here, no special trunk is created. Traffic is undifferentiated between voice and data. Both use the native VLAN, and no QoS Layer 2 CoS tagging or any other tagging is possible.

Cisco switches instruct Cisco IP phones about the operation and encapsulation mode through CDP messages. This means that in order to properly connect and use an IP phone, you must make sure that CDP is enabled globally and that the specific interface does not have CDP disabled. By default, Cisco switches run CDP on all interfaces. The security threats and the most common mitigation methods available in Cisco switches are covered in the Security Domain of this guide. To verify the voice VLAN operation, use the show interface switchport EXEC command:

Figure 29: Verifying Voice VLAN Operation

Quality of Service (QoS)

Quality of Service is the method used to prioritize time-sensitive traffic above less important traffic. When network resources are plentiful and bandwidth is abundant, there is practically no need to use these traffic engineering methods, because switches can forward frames as soon as they are received. Essentially, no queuing is performed, so QoS is never used. Even packets at Layer 3 can be forwarded at wire speed with MLS, providing an outstanding level of performance. The problems start when network resources, like bandwidth and switch capacity, start to suffer because of network congestion. There are too many packets for the switch to forward, and some of them need to enter a waiting list, or queue, before being forwarded.

Quality of Service forces network designers and administrators to decide what type of traffic to prioritize based on established criteria. Different applications have different requirements. Voice and video traffic require the promptest delivery possible, because any variation in delay or large amounts of packet loss can cause the quality of the communication to suffer to the point that the communication fails. On the other hand, an FTP download can tolerate some delay without the user even noticing it. Therefore, FTP would have a lower QoS priority than voice/video when network administrators prioritize their data.

When a packet is being forwarded by a switch, QoS can help with three common packet queuing problems that can appear:

- Delay: The amount of time the delivery of a packet takes from the source to the destination within a network. The total amount of time it takes a packet to be transported from source to destination is called latency. The causes of delay are the time a router or switch spends in table lookups and processing, and the time it takes for the packet to be transported over the physical medium in the form of light (fiber-optic connections) or electrical pulses (Ethernet and copper WAN connections such as a T1 or DS3).
- Jitter: The variation in delay of multiple packets from the same source to the same destination. Some types of communication require streams of data, and the quality of the communication is heavily dependent on the order of this stream. If the delay variation, jitter, is too big, the stream cannot be reconstructed at the destination. The IP services most susceptible to jitter are video and audio streams.
- Packet loss: Sometimes network congestion causes packets to be dropped without being forwarded. When the application uses connection-oriented, reliable protocols such as TCP, some loss is acceptable because such protocols use retransmission. But when unreliable, best-effort delivery protocols like UDP are used, packet loss results in data loss. Loss is also especially unacceptable in video and audio communications. Since voice and video packet streams are transported in real time, they cannot use TCP's retransmission function, because the resent packet would be out of order and too late to be useful. Therefore, most voice and video communications are sent using UDP.

To mitigate these issues, network administrators have the following types of Quality of Service (QoS):

- Best-effort delivery: No priorities are set, making QoS effectively inoperative. Switches and routers running this QoS type simply make a best effort to deliver packets, without establishing any priorities.
- Integrated services model (IntServ): With this QoS model, a path is prearranged for the priority data. The path is end-to-end, from source to destination. The Resource Reservation Protocol (RSVP) is the mechanism that schedules and reserves the proper path bandwidth for the required application. The source application requests QoS parameters through RSVP. Each network device must check whether it can meet the minimum requirements, and when the complete path is checked and approved, the source application is signaled with confirmation that it can transmit.
- Differentiated services model (DiffServ): This method was developed to address the limitation of the integrated services model, which was basically scalability. With several applications requiring QoS under the IntServ model, bandwidth was reserved in every network device along the path to the destination. As you can see, it is likely that as the demand for QoS grows, network devices are left with practically no resources for regular traffic. DiffServ allows each network device to handle packets on an individual basis, as soon as they arrive. Each network device can be configured to follow specific QoS policies independently. No advance reservations are required, and this provides scalability.

While IntServ applies QoS policies on a per-flow basis, DiffServ applies QoS decisions on a per-hop basis. This means that QoS decisions are made depending on packet header information, independently at each hop from source to destination, as long as QoS is configured at each of these hops. DiffServ QoS offers a per-hop behavior. Each router or switch that receives the packet inspects its header and identifies certain parameters that tell it how to proceed with forwarding the packet. The packet cannot change the switch's or router's behavior with respect to its forwarding decision. It simply presents certain criteria and, depending on the switch's or router's configuration, a forwarding decision is made. This happens, as we have mentioned, at each network device (router or switch) along the path to the packet's destination.

Layer 2 QoS Classification

Layer 2 QoS is possible because when a frame exits a trunk port, a frame tag is added to identify the VLAN the frame belongs to. The encapsulation that provides the tag also includes a Class of Service (CoS) field that can be used at switch boundaries to make prioritization and QoS decisions in general. There are two frame tagging encapsulations, and each handles Class of Service differently:

- IEEE 802.1Q: With VLAN tagging, each frame is tagged with a 32-bit field situated between the source MAC address and the EtherType fields. The first 16 bits of the field are the Tag Protocol Identifier, which identifies the frame as an IEEE 802.1Q frame. The next 3 bits comprise the Priority Code Point field, which carries 802.1p priority values from 0 to 7; 0 is the lowest priority and 7 the highest. After the PCP there is a 1-bit CFI field and the 12-bit VLAN ID.
- Inter-Switch Link (ISL): These frames are tagged with a 15-bit VLAN ID and a 4-bit USER field. The lowest 3 bits of the USER field are used as the CoS value.

Although ISL is not standards-based, Cisco switches take the CoS value from one encapsulation and add it to the other as frames pass through the switch. This makes both encapsulation types interoperable from the QoS perspective. The point of having QoS at both Layer 2 and Layer 3 is that as a packet travels through our network it moves through routers, switches and MLSs that could be operating as Layer 3 or Layer 2 devices. The CoS and ToS markings allow these devices to filter traffic and prioritize time-sensitive and mission-critical applications at both Layer 2 and Layer 3. If Layer 2 QoS did not exist on networks that experience congestion, crucial traffic could suffer at those points where a Layer 2 forwarding decision needs to be made.

Layer 3 Quality of Service (QoS)

IP packets have a 1-byte Type of Service (ToS) field in the header that has always been used to mark the packet. The field is divided into a 3-bit IP Precedence, the actual bits used for QoS markings, and a 4-bit ToS. To provide a more scalable method, DiffServ reformats the same 1-byte field. Understand that what changed was the way routers and switches process the packet after reading the markings; the actual field remains the same. The field is now called the Differentiated Services (DS) field. The old and new formats are represented in the following figure:

ToS byte: P2 P1 P0 (IP Precedence) | T3 T2 T1 T0 (ToS) | Zero
DS byte:  DS5 DS4 DS3 (Class Selector) | DS2 DS1 DS0 (Drop Precedence) | ECN1 ECN0

Figure 30: Type of Service/Differentiated Services Comparison

Notice that only 6 bits are used for markings. That 6-bit DS value, known as the Differentiated Services Code Point (DSCP), is the value examined for QoS markings in DiffServ network devices. The Class Selector takes the place of the old IP Precedence value, and the 3-bit Drop Precedence value is now added and used in DiffServ QoS. Bits DS5-DS3 are the class selector and, as you should know, its value ranges from 0 to 7. The drop precedence is a bit different, with values ranging from 0 to 3. Be careful with this because it is confusing at first. What you must understand is that the DS0 value is always 0, not 1, and that is why the value range is 0-3. As you might have noticed, there is some level of backward compatibility between DSCP and ToS/IP Precedence. When a non-DiffServ device receives an IP packet, it recognizes the Class Selector bits as IP Precedence bits and can classify and apply QoS criteria and traffic engineering when deciding when and how to forward the packet. Bits DS5 to DS3, the class selector bits, classify packets in 8 categories (3 bits = [0-7]):

Class 0: No QoS is used and only best-effort delivery is ensured. This class should be used for standard data that can withstand latency, delay and jitter, such as FTP traffic.

Classes 1 through 4: Assured Forwarding (AF) service levels, which allow for four priority levels; the higher the level, the higher the priority of the traffic.

Class 5: Expedited Forwarding (EF). These packets can be considered as receiving premium service and are the least likely to be dropped. Class 5 is useful for time-critical data, such as voice and live video.

Classes 6 and 7: Internetwork control and network control, respectively. They are reserved for control-based traffic, such as inter-router and inter-switch communication, like STP or routing protocol communications.

As we can see in the figure, each Class Selector represented in the DSCP has 3 levels of drop precedence (3 bits, but remember DS0 = 0, which means DS1 = 1 and DS2 = 2, so the maximum decimal value is 0+1+2 = 3). In the case of the drop precedence, high means worse. Again, if two packets arrive at a router and they are both marked as class 5, the tie breaker is the drop precedence, and the packet with the higher drop precedence will be dropped before the one with the lower drop precedence. Example: A packet marked class 5, drop precedence 1 will be forwarded faster than another class 5 packet with drop precedence 2 or 3, and it is less likely to be dropped. Remember, a lower drop precedence will receive better and faster service (it will have priority) over a higher drop precedence, given that they are both from the same class. Drop precedence can be:

Low = 1
Medium = 2
High = 3
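The Layer 2 and Layer 3 markings described in the last two sections can be decoded from raw bytes. The following is an added example, not code from the manual: it parses the 802.1Q tag (TPID, PCP, CFI, VLAN ID) out of a constructed frame and interprets a ToS/DS byte both the old way (IP Precedence) and the DiffServ way (class selector, drop precedence and the resulting AF/EF/CS label), following Figure 30. The frame bytes, MAC addresses and helper names are constructed for illustration.

```python
"""Decode 802.1Q CoS and IP ToS/DSCP markings (added example).

The tag layout (TPID, PCP, CFI, VID) and the DS byte layout (DS5..DS3 class
selector, DS2..DS1 drop precedence, DS0, ECN) follow the text above.
"""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier marking an 802.1Q frame


def parse_8021q_tag(frame: bytes) -> dict:
    """Return the PCP, CFI, VID and the EtherType that follows the 32-bit tag.

    Raises ValueError for an untagged or truncated frame, so a caller never
    mistakes an untagged frame's EtherType bytes for a priority value.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tagged header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame (TPID 0x%04x)" % tpid)
    return {
        "pcp": (tci >> 13) & 0x7,   # 802.1p priority: 0 lowest .. 7 highest
        "cfi": (tci >> 12) & 0x1,   # 1-bit Canonical Format Indicator
        "vid": tci & 0x0FFF,        # 12-bit VLAN ID
        "ethertype": ethertype,
    }


def build_tagged_frame(dst: bytes, src: bytes, pcp: int, vid: int,
                       payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Construct a tagged frame: DST, SRC, 802.1Q tag, EtherType, payload."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def decode_tos_byte(tos: int) -> dict:
    """Interpret one ToS/DS byte as IP Precedence (old) and DSCP (DiffServ).

    DSCP = DS5..DS0.  Class selector = DS5..DS3 (same bits as IP Precedence).
    Drop precedence = DS2 DS1, with DS0 expected to be 0 for AF classes.
    """
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos >> 2
    class_selector = dscp >> 3
    drop_precedence = (dscp >> 1) & 0x3
    ds0 = dscp & 0x1
    if dscp == 46:                                   # class 5, EF
        phb = "EF"
    elif 1 <= class_selector <= 4 and drop_precedence and ds0 == 0:
        phb = "AF%d%d" % (class_selector, drop_precedence)   # e.g. AF41
    elif dscp & 0x7 == 0:
        phb = "CS%d" % class_selector                # CS0 is best effort
    else:
        phb = "unassigned"
    return {
        "ip_precedence": tos >> 5,                   # P2 P1 P0 of the old format
        "dscp": dscp,
        "class_selector": class_selector,
        "drop_precedence": drop_precedence,
        "ecn": tos & 0x3,
        "phb": phb,
    }


if __name__ == "__main__":
    # Constructed frame: voice VLAN 110 tagged with CoS 5.
    frame = build_tagged_frame(b"\x01\x00\x5e\x00\x00\x01",
                               b"\x00\x11\x22\x33\x44\x55", 5, 110, b"\x45" * 20)
    print(parse_8021q_tag(frame))
    for tos in (0x00, 0x68, 0x88, 0xB8, 0xE0):
        print(hex(tos), decode_tos_byte(tos))
```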

QoS for Voice Traffic

The first thing to do when QoS is implemented is to classify the level of service the switch should give to the packets it receives. This classification process uses criteria such as the type of traffic based on Layer 4 protocol and port number (application), or parameters matched and defined by an access list. The switch or router must first decide whether it trusts the QoS marking when it receives a packet on one of its ports. If the client device (such as an IP phone) can mark packets, you have to decide whether the marking can be trusted or should be rewritten by the switch. If the switch decides it trusts the packet, the QoS markings are used to make a decision. Network designers and administrators must define the points in the network that will receive trusted packets from the QoS perspective. The perimeter formed by the network devices that don't trust the QoS markings in packets is called the trust boundary. Usually trust boundaries extend from the access layer switches to the points where the network administrator loses control of the data: the WAN or ISP demarcation points. When the boundary has been identified and established, pretty much everything inside of it should be configured to trust any QoS settings/markings received in packets/frames. Also note that the QoS markings can be modified at any point inside your network, or outside your network if you lose administrative control of the destination.

Configuring QoS Trust Boundaries

As a result of the new CCNP curriculum, a lot of the QoS material that used to be part of the CCNP was removed. Quality of Service and traffic engineering in general is a complex subject, worth its own course and even specialization. As a CCNP you must have a basic understanding of the technology and, according to the exam blueprint (always check Cisco's website for the most updated information regarding exams), you must be able to configure a basic implementation with the use of a set of very useful macro commands: Auto-QoS. The QOS exam certifies mastery of QoS in Cisco devices.

The training available for those exams will definitely make you an expert in the subject, and some of the books are recommended reading for those with a CCIE in mind. The trust boundary should be configured at the edges of our networks. These are the points where data enters and leaves our administrative control. Knowing where the imaginary line that defines the trust boundary lies, and that it is a recommended practice to define the switch ports of the IP phones as untrusted, we can configure the trust boundary. First, let's understand the reason why data coming from the ports of the IP phone shouldn't be trusted. Those ports are available for anyone to connect to, and often they are not physically secure. Access ports are commonly the source point of attacks or malicious use. In this case, a malicious use could be a user setting a higher QoS priority for their packets, which could result in the network devices dropping truly sensitive data before dropping the packets maliciously marked with higher priority. With this defined, we are almost ready to proceed with the steps to configure the boundary.

A switch communicates initially with the IP phone through CDP messages. That is the same mechanism used by the switch to instruct the IP phone whether it should extend the QoS trust to its switch port. The procedure to achieve this is the following:

Step 1: Enable QoS in the switch:
Switch(config)# mls qos

Step 2: Define the QoS parameters that will be trusted:
Switch(config)# interface type mod/num
Switch(config-if)# mls qos trust {cos | ip-precedence | dscp}

Step 3: Instruct the IP phone whether to extend the trust boundary:
Switch(config-if)# switchport priority extend {cos value | trust}

In summary:
1. Enable QoS with mls qos.
2. Define the trusted QoS parameters:
a. interface type mod/num
b. mls qos trust {cos | ip-precedence | dscp}
3. Configure the IP phone to extend (or not extend) the trust boundary: switchport priority extend {cos value | trust}

As we mentioned previously, the packets coming from the switch port of the IP phone shouldn't be trusted from a QoS perspective, because a user can easily spoof CoS settings in order to get premium network service at the expense of really critical applications, such as the ones providing voice services. If the incoming packets can't be trusted, the cos 0 value must be chosen. Notice that this has the same effect as simply leaving the default, which is untrusted, and makes the IP phone set the CoS value to 0 when it receives packets from its switch port, before sending them on the uplink to the switch. There are instances where the port must be trusted; in those cases the trust parameter must be used. In other cases we need to define the QoS markings/priority values ourselves, and then the value parameter must be set accordingly (a value higher than 0). All other ports inside the trust boundary must be configured as trusted ports. Everything inside the trust boundary is considered part of a trust domain. The point where QoS markings are ignored and rewritten is the trust boundary. After a packet enters the domain, its QoS values must be used for priority decisions.

To configure a switch port as trusted, use the following commands:
Switch(config)# interface type mod/num
Switch(config-if)# mls qos trust cos

With this configuration the switch will trust all CoS settings received on the port. In the next section we will show how to configure a basic yet powerful QoS deployment with the use of the Auto-QoS feature.
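The trust-boundary rules from the last two sections (QoS enabled globally, ports inside the boundary trusted with mls qos trust, the IP phone's switch port not extending trust) can be checked mechanically against a running-config before a port goes into service. The following is an added example, not the manual's or Cisco's code; the running-config text, interface names and helper functions are constructed for illustration.

```python
"""Audit the QoS trust boundary of an access switch from its running-config
(added example).  Rules applied, from the section above:
  - 'mls qos' must be enabled globally;
  - ports inside the boundary (IP phone ports, trunk uplinks) need 'mls qos trust';
  - an IP phone port should not use 'switchport priority extend trust'.
"""

# Constructed sample: Fa0/1 follows the recommendation, Fa0/2 extends trust to
# the PC, Fa0/3 is a phone port left untrusted, Fa0/4 is a plain data port.
SAMPLE_RUNNING_CONFIG = """\
mls qos
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 110
 mls qos trust cos
 switchport priority extend cos 0
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 110
 mls qos trust cos
 switchport priority extend trust
!
interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 110
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 mls qos trust dscp
!
"""


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def trust_state(config: str) -> dict:
    """Per interface: trusted marking (cos/ip-precedence/dscp or None), the
    'switchport priority extend' argument, and whether the port lies inside
    the trust boundary (an IP phone port or a trunk uplink)."""
    state = {}
    for name, lines in parse_interfaces(config).items():
        trust = next((l.split()[3] for l in lines
                      if l.startswith("mls qos trust ")), None)
        extend = next((l[len("switchport priority extend "):] for l in lines
                       if l.startswith("switchport priority extend ")), None)
        phone = any(l.startswith("switchport voice vlan") for l in lines)
        trunk = "switchport mode trunk" in lines
        state[name] = {"trust": trust, "extend": extend,
                       "phone_port": phone, "inside_boundary": phone or trunk}
    return state


def audit_trust_boundary(config: str) -> list:
    """Return (scope, finding) tuples; an empty list means the configuration
    follows the trust-boundary rules described in this section."""
    findings = []
    if "mls qos" not in [l.strip() for l in config.splitlines()]:
        findings.append(("global", "QoS is disabled: 'mls qos' is missing"))
    for name, s in trust_state(config).items():
        if s["inside_boundary"] and s["trust"] is None:
            findings.append((name, "inside the trust boundary but has no "
                                   "'mls qos trust'; markings are rewritten"))
        if s["phone_port"] and s["extend"] == "trust":
            findings.append((name, "IP phone extends trust to its PC port; "
                                   "a user can mark CoS for premium service"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_trust_boundary(SAMPLE_RUNNING_CONFIG):
        print("%-20s %s" % (scope, finding))
```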

Simplifying QoS Configuration with Auto-QoS

QoS is a huge topic, worth its own course and exam in the world of Cisco. The Cisco QOS exam is part of the CCIP and CCVP certifications. The huge scope of Quality of Service features is the reason why the subject was mostly cut from the CCNP curriculum. More emphasis is now given to actual routing and switching. Auto-QoS was developed precisely to simplify QoS configurations and deployments. It consists of a series of macro commands that are run at specific points on the network. Given the nature of the macro commands, it is recommended that you only use Auto-QoS on switches that still have default QoS settings. If the switch has already been configured with non-default settings, the commands run by the macros could alter the previously configured settings, and this could result in network instabilities and malfunctions. Auto-QoS is meant to be used mostly in access layer switches, on ports connecting IP phones to the network, not necessarily in the network core. Auto-QoS automatically configures and sets up the following QoS features:

Enables QoS.
CoS to DSCP mappings for QoS markings.
Ingress and egress queue tuning.
Strict priority queues for egress voice traffic.
Establishing an interface QoS trust boundary.

To configure Auto-QoS, identify an interface at the trust boundary and use the auto qos voip {cisco-phone | cisco-softphone | trust} interface configuration command. The rest is extremely simple. If a Cisco IP phone is connected to the port, the cisco-phone keyword must be used. If a PC running the Cisco Communicator IP softphone is connected, use the cisco-softphone keyword. If the switch is connected to another switch or router inside the trust domain, use the trust keyword. The auto qos voip command is a macro that applies several commands to the interface; they are not displayed until you look at the running configuration. If you need to see the commands in real time as you enter the auto qos voip interface configuration command, you must first use the debug auto qos EXEC command.

When you are done watching the commands being generated, remember to turn off the debugging with the no debug auto qos privileged EXEC command.

Verifying VoIP QoS Implementations

You can verify the QoS trust setting of a port with the show mls qos interface type mod/num EXEC command. The following is an actual switch output:

Figure 31: Verifying QoS Configuration

There you can see the trust state and trust mode setting. This particular switch port in our example was configured to trust incoming frames, and the trust state: trust cos line indicates that it is operating as expected. In this case, an IP phone is connected, and frames coming into the port that are tagged with QoS settings are trusted by the switch and used to properly queue the packets based on priority. Remember this means their CoS markings won't be changed and the frames will be handled accordingly. Another important command is show interface type mod/num switchport. It is used to display whether or not the IP phone's connected devices are trusted, that is, whether the switchport priority extend {cos value | trust} interface configuration command was used to extend the trust boundary to the IP phone's connected devices.

Figure 32: Showing Trust Boundaries

In this example, the connected PC is not inside the trust boundary. When it is, you will see the message Appliance trust: trusted. When you configure Auto-QoS on an interface, the commands associated with the macro are executed on the interface. To display the interface configuration commands use the show running-config interface type mod/num EXEC command. Here is a sample output:

Figure 33: Verifying QoS with running-config

As we said, you can verify whether the IP phone is connected, and its trust status, with the show mls qos interface type mod/num EXEC command.

Figure 34: Verifying QoS Trust Status

Take a look at the fourth line of the output, trust enabled flag: dis. This means the trust parameter is not enabled (disabled). Finally, you can verify the Auto-QoS interface configuration with the show auto qos [interface type mod/num] EXEC command.

Integrating Wireless LANs into the Wired Network

In this section we will introduce the basics of wireless networks and how the enterprise and campus switched networks need to be prepared in order to provide secure, scalable and reliable wireless access to their resources. Wireless networks are here to stay. Every day the demand for wireless network connectivity increases. In the beginning, wireless connections were exclusive to laptops, and laptops themselves were not very common. Now in the United States laptops outsell desktop computers by large numbers. On top of that, smartphones, PDAs, tablets, video game consoles and even IP phones are now being connected to our wired network wirelessly through access points. As a CCNP you should be familiar with wireless technologies and must be ready to implement the mechanisms that allow our wired networks to serve wireless clients reliably while protecting data.

Wireless LANs

Wireless networks provide connectivity to the traditional network and its resources. They extend the physical layer capabilities to provide, without wires, the connectivity that has traditionally been achieved through them. There are differences between wireless and wired networks. As you might remember from the CCNA studies, the Ethernet mechanism to deal with collisions on a shared medium is Carrier Sense Multiple Access with Collision Detection (CSMA/CD), which basically is a method to detect and prevent collisions and provide the means for recovery when they do occur. In the wired network, the physical layer guarantees that only a certain number of users connect to the medium.

The collision problems were solved with the implementation of full-duplex mode.

On the other hand, a wireless network's physical layer is provided by a specific wireless frequency range in which the signals are transmitted and received. These frequencies are set by the IEEE standards board in agreement with various governments, defining where these open wireless standards can be used within the wireless spectrum. Wireless networks for this reason are a shared physical medium, where an unlimited number of users can use the shared medium, the open frequencies, at any time. Collisions are simply a fact in wireless networks, and something to be dealt with, because every single connection is half-duplex. Although it would be practical and implementable to give wireless networks full-duplex capability, the current IEEE standard doesn't permit it. Full-duplex operation could be provided by using different frequencies to transmit and receive data.

Avoiding Collisions in WLANs

When two or more clients in the wireless network transmit at the same time using the same frequencies, the signals become mixed. The receiving end sees the resulting product as garbled data and noise. The transmitting stations won't notice it, because their receivers must be turned off while they are transmitting. To prevent data loss because of collisions, acknowledgements must be sent by the receiving station for the frames received. This provides a collision detection tool but doesn't prevent the collision from actually happening. The IEEE standard defines and uses the Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) method to prevent collisions from happening. CSMA/CA requires that all stations listen before transmitting. When a station needs to transmit, there are two and only two possibilities:

1. No other device is transmitting: The sender can transmit immediately. The receiving station must send an acknowledgement of the frames received to confirm that the data was delivered without the effects of a collision.
2. Another device is transmitting: The station must wait until the other transmitting station finishes and then wait a random amount of time before attempting to transmit.

The amount of time the stations must wait before attempting a transmission is dictated by the frame size, which is the determining factor for the size of the DCF interframe space (DIFS). In addition to the duration timer (DIFS), every wireless end station must implement a random backoff time, which has to run out before the station transmits its frame. The idea is that all stations in the wireless domain wait a period of time beyond the DIFS before trying to transmit, in order to minimize the chance of a collision caused by backoff timers running out at the same time. This process is called the Distributed Coordination Function (DCF). Also note that the more end stations you have on a wireless network, the more likely collisions will occur. If too many devices try to connect to the same network and try to send and receive data, the wireless network will be so overrun with collisions and broadcast messages that it will become useless. IEEE defines any group of wireless clients as a service set. Devices in the same service set must share a service set identifier (SSID), which is nothing more than a text string included in every frame sent. The SSID must match between hosts (sender and receiver) before they can communicate. A PC or any end-user device must have a compatible wireless network adapter and software that interacts with the wireless protocols, or a supplicant. The IEEE standard also allows two or more hosts to connect directly with each other without an AP or any other gateway. This is known as an independent basic service set (IBSS) or ad-hoc wireless network.

An IEEE BSS centralizes access and control over a group of wireless devices with a Wireless Access Point (WAP) as the hub of the service set. Wireless clients that wish to connect must agree with the WAP on the following parameters:

A matching SSID
Compatible wireless data rate
Authentication type and credentials

The client starts the association process with an association request message. The AP must respond with an association reply, granting or denying the association. After the client is associated with the AP, all traffic to and from the client must pass through the AP. Clients connected to the same AP cannot connect directly or exchange data without the intervention of the AP.

WAP Operation

The AP's main function is to connect wireless clients to the wired network. It provides access to the wired network and manages the wireless network, giving access to wireless clients just as if they were directly connected to the wired network. A WAP can also act as a wireless bridge to form a single wireless link from one LAN to another over short or long distances, depending on the hardware being used. Cisco even has a WAP platform that allows the bridging of wireless LAN traffic from AP to AP. This allows for a big wireless WAN without the use of cables: each AP picks up the other's signal and forms a big mesh, providing a big WLAN exclusively through wireless connections. WAPs act as bridges that take network information from two different media (Layer 1) and merge them at Layer 2. APs are in charge of mapping VLAN information to an SSID. The WAP uses an 802.1Q tag to map the VLAN to the SSID. When an AP must map more than one VLAN to more than one SSID (the AP has wireless clients connected to different VLANs/subnets), it must be connected to the switch by a trunk, and the trunk must allow the required VLANs.

Wireless LAN Cells

The wireless LAN cell is the imaginary volume surrounding the WAP's antenna in which hosts can access the wireless LAN. It is simply the coverage area of the WAP. Generally, the closer you are to a WAP, the stronger the signal. Notice the word volume.

It is a common mistake to forget that a WAP's coverage is three-dimensional and affects the floors above and below in a building. The cell is generally represented in a floor plan as a two-dimensional circle in very basic signal strength diagrams. Careful thought must be given to the AP's placement within a building, or to its external position, so that it can provide the coverage area that is needed. Remember that the nature of the WLAN will make it operate under constantly changing conditions. The best approach to determine the AP placement is to conduct a wireless site survey. In a site survey, an AP is placed in a desirable location and one or more prospective clients move around the expected coverage area taking measurements of the signal strength and quality. The point is to plot the AP range using the actual interfering equipment and also the usual host devices.

To provide a wider coverage area, it is common to overlap cell areas by a small percentage. That provides connectivity to users that might move around in the overlapping cells. If the coverage of two APs must overlap in order to provide bigger WLAN coverage, they must never use the same frequency. If they did, they would only interfere with each other, because they would be using the same medium to communicate, increasing the likelihood of a collision. Moving from one AP to another is called wireless roaming. Wireless roaming can be at Layer 2 or Layer 3. Layer 3 roaming occurs when the client changes its association to a new AP and changes its current VLAN and IP subnet to a different one. Layer 2 wireless roaming occurs when the client associates to a new WAP and maintains its IP address. When designing a WLAN, providing the largest coverage area per WAP might seem like the most viable option, because in a big deployment an increased coverage area per AP could represent big savings, but there are many considerations to keep in mind. A larger cell also opens the possibility of overcrowding. Remember that the WLAN operates in a shared medium environment, where collisions can occur. If too many associations are allowed, clients will constantly be competing for the limited resources, and thus bandwidth and airtime could be limited. It is often beneficial to reduce the size of the cell by reducing the transmit power of the WAP signal sent out through the attached antenna. This smaller area guarantees that fewer hosts associate with the WAP and bandwidth will be available at the highest rate. This is an especially sound policy when hosts will be using mission-critical applications and bandwidth-intensive traffic such as voice or video.

The WLAN Architecture

An autonomous mode WAP is a standalone AP that is centrally positioned to support its clients. These are often referred to as aAPs. An aAP is isolated, configured individually, handles its own use of radio frequency (RF), enforces its own security policies, and so on.

Since all aAPs are autonomous, managing security and other policies such as quality of service, bandwidth policing and so on is very difficult, because each aAP must be configured and managed individually. Managing the RF operation is also a big problem under this architecture, because the network administrator must manually select and configure each channel. The power output must be managed too, in order to prevent blind spots or coverage holes, or on the opposite side, signals that overlap too much. Recognizing the issues and shortcomings of the aAP, Cisco developed the Cisco Unified Wireless Network Architecture.

Cisco Unified Wireless Network Architecture

The Cisco Unified Wireless Network Architecture is a collection of equipment that performs a set of functions that are an integral part of a wireless network. As we mentioned earlier, the new architecture solves all the issues generated by the individual management requirements of autonomous APs. The new architecture offers centralized management, where all WAPs can be managed, monitored and compared from one location. The centralized features in this new model include:

WLAN management
WLAN security
WLAN control
WLAN deployment

The centralization of the functions of the individual autonomous APs is achieved by relaying those functions to a central point. This central point is the WLAN controller. The functions of the AP can be classified as real-time processing and management. The real-time processing activities are the following:

RF transmit and receive
MAC management
Encryption

The AP's management activities are the following:

RF management
Association and roaming management
Client authentication
Quality of Service
Security management

The real-time processes involve sending and receiving frames, AP beacons and probe messages, and data encryption. These functions must be close to the clients because they are performed at Layer 2 of the OSI model, the MAC layer. For this reason these functions remain at the AP in the Cisco Unified Wireless Network Architecture. The type of WAP used in a Cisco Unified Wireless Architecture is called a Lightweight AP (LAP), and it performs only the real-time functions. The term lightweight is used because the code image and, most importantly, the local intelligence are stripped down. The lighter nature of the new functions when compared to the legacy model is the reason for the name. The management functions don't involve handling frames over the RF channels. These should be centrally managed by a Wireless LAN Controller (WLC). A WLC manages several LAPs scattered around the switched network. The LAPs become totally dependent on the WLC for management functions. This separation of functions is called the split-MAC architecture, and it applies to every LAP in the network, which must register with its WLC at boot up to get operating information such as the RF channels to be used, authentication, security and so on. The LAP keeps handling the real-time operations. The binding of the LAP and the WLC occurs when the LAP boots up, and it's a required step before the LAP becomes a functional access point. They do this by creating a tunnel in which the related data travels between the devices. The WLC and LAP can be in the same VLAN or IP subnet or in different ones.

This is made possible by the tunnel, which encapsulates the data between the WLC and the LAP within a new IP packet. To create and support the tunneling system, the WLC and LAP use the Lightweight Access Point Protocol (LWAPP), developed by Cisco, or the Control and Provisioning of Wireless Access Points protocol (CAPWAP, defined in RFC 4118). Both protocols utilize two different tunnels, one for actual client data and another for control messages.

Control messages are the ones used to control and manage the LAP. They use authentication and encryption to provide security. Data packets are the packets to and from the wireless clients. The data is encapsulated in LWAPP or CAPWAP IP packets, but no encryption or other method of security is provided for this communication. LWAPP uses UDP destination ports and on the WLC end. Similarly, CAPWAP uses UDP ports 5246 and . Both protocols use digital certificates installed at the time of purchase. The certificates are used to authenticate the devices before the tunnels are created.

WLC functions:

Dynamic channel assignment: The WLC chooses and assigns RF channels to each of its LAPs based on the previous assignments to the surrounding LAPs.

Transmit power optimization: The WLC decides the transmit power of each LAP based on the coverage needed. It also runs periodic checks to adjust transmit power and then compares these checks with neighboring LAPs. The WLC then corrects the signal strength of the LAPs to get the optimal signal strength overlap.

Self-healing wireless coverage: If a LAP dies, the transmit power of the surrounding LAPs is increased to cover the coverage hole as well as it possibly can.

Flexible roaming: Clients can roam at Layer 2 or Layer 3 with very fast roaming times.

Dynamic client load balancing: If two or more LAPs are configured to cover the same area, the WLC can associate clients with the least used LAP. This provides for efficient load balancing.

RF monitoring: The WLC instructs the LAP to monitor RF channel usage. By receiving RF information, the WLC can base later RF assignments on the state of the different channels: level of noise, interference, rogue APs, etc.

Security management.

In large wireless deployments, managing the WLCs can be a daunting task. That is why Cisco developed the Wireless Control System (WCS), an optional server platform that can be used to control multiple WLCs deployed in the network with the ease provided by a GUI. The WCS can be used to perform most WLAN management tasks.

It is possible to display dynamic representations of the wireless coverage provided by the APs, using building floor plans. The WCS can be used to locate any wireless client by triangulating its position using the client's signal as received by multiple LAPs. This is very useful when trying to find a malicious user or a rogue device. WCS can also optionally be connected to the Cisco Wireless Location Appliance to track the location of all the connected wireless clients on your network. This tracking is done by MAC address, and it's very useful when tracking corporate assets that are mobile in the WLAN is required.

Lightweight AP Operation

The LAP was designed so that no direct configuration is required to operate it. This means that no configuration or management is performed directly on the LAP through the console port or by any other means. Essentially, it is a dumb device with a wireless radio and an Ethernet connection. The LAP must connect to the WLC and get all its configuration parameters from it.

There are several steps that the LAP has to go through before it becomes operational:

1. The LAP receives an IP address from the DHCP server.
2. The LAP learns the available WLC IP addresses.
3. The LAP joins the first WLC in its address list, or moves down the list in the event of a connection failure. This process repeats until the LAP is connected to a WLC.
4. The WLC compares its LAP code image with the one running on the LAP. If the WLC possesses newer code, the LAP downloads the image and reboots itself.
5. The WLC and LAP build two secure tunnels between each other, one for management traffic and a second for wireless client data. Wireless client data is not secured on the LWAPP or CAPWAP tunnel.

The LAP can learn the list of WLC addresses through DHCP, with the use of option 43, or by broadcasting a join request message. Keep in mind that you must specifically configure your DHCP server to send the IP addresses of the WLC(s) using option 43. For the second option, the LAP and WLC must be in the same IP subnet/VLAN. If the LAP loses its connection to the WLC, all wireless clients connected to the LAP lose connectivity. Cisco developed the Hybrid Remote Edge Access Point to allow a LAP to maintain network connectivity for wireless clients even if the connection to the WLC is lost. This is used in cases where the LAP is connected to the WLC through a slow WAN link. It allows wireless clients to keep communicating within the remote network until the WAN link is restored.

Roaming in a Cisco Unified Wireless Network

In the new architecture, the LAP deals exclusively with the real-time operations. A wireless client still needs to associate with the LAP, but it is the WLC that handles the associations. This provides centralized, faster and easier management of the associations. With autonomous APs, roaming is performed at Layer 2, and Layer 3 roaming requires special equipment. When the client moves, it has to negotiate the roam with every AP along the way.

On the other hand, with LAPs the roaming occurs from WLC to WLC, although from the wireless client's perspective the association is being moved from AP to AP. In the new architecture, the client can maintain its IP address even when roaming between controllers.

Intracontroller roaming: This happens when the wireless client moves from the coverage area of one AP to the coverage area of another AP, but both are controlled by the same WLC. The WLC only needs to update its tables to begin using the LWAPP or CAPWAP tunnels on the link connected to the AP now associated with the client.

Intercontroller roaming: This happens when the client moves to an area covered by an AP that is managed by a different WLC than the one it was associated to. There are two possibilities:

1. Both WLCs are in the same IP subnet/VLAN: The client associates to both the new AP and the new WLC, and the change is communicated using a mobility message exchange in which the information about the client is transferred from one WLC to the other. This process is totally transparent to the user.
2. The WLCs are in different VLANs/IP subnets: When the client moves to an AP-WLC pair that is in a different VLAN than the one it is coming from, the two WLCs must create an Ether-IP tunnel to connect to each other and send the roaming client's data to the original WLC. The tunnel provides encapsulation of a Layer 2 frame inside an IP packet, using IP protocol 97. To move packets to and from the client, one controller encapsulates the packets and the other, receiving controller decapsulates them, so that they appear in their original form. Any controller serving the client from a different subnet is called a foreign agent. As the client roams to another LAP-WLC combination, the anchor WLC will follow its track, creating Ether-IP tunnels as necessary.
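The second intercontroller case above carries the client's Layer 2 frame inside an IP packet with protocol number 97 (Ether-IP). The following is an added example, not the manual's or Cisco's code: it builds and unpacks such a packet between an anchor and a foreign controller, assuming the 16-bit Ether-IP header defined in RFC 3378 (version 3 in the top 4 bits, the rest reserved). The controller addresses and the client frame are constructed; the point for a defender is that the client frame crosses the tunnel unchanged and unencrypted, so protocol 97 traffic between controllers is worth filtering and monitoring.

```python
"""Ether-IP (IP protocol 97) encapsulation of a Layer 2 frame, as used
between an anchor WLC and a foreign WLC for Layer 3 roaming (added example).

Assumption: the 2-byte Ether-IP header of RFC 3378, version 3, reserved
bits zero.  The IPv4 header is built by hand so the example is self-contained.
"""
import ipaddress
import struct

ETHERIP_PROTO = 97
ETHERIP_HEADER = struct.pack("!H", 3 << 12)      # version 3, 12 reserved bits = 0


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_ip: str, dst_ip: str, frame: bytes) -> bytes:
    """Wrap a Layer 2 frame: IPv4 header (proto 97) + Ether-IP header + frame."""
    payload = ETHERIP_HEADER + frame
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, ETHERIP_PROTO, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def decapsulate(packet: bytes) -> tuple:
    """Return (src_ip, dst_ip, inner_frame); raise ValueError for anything
    that is not a well-formed Ether-IP packet."""
    if len(packet) < 22 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0xF) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != ETHERIP_PROTO:
        raise ValueError("IP protocol %d is not Ether-IP (97)" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    body = packet[ihl:total_len]
    (etherip,) = struct.unpack("!H", body[:2])
    if etherip >> 12 != 3 or etherip & 0x0FFF:
        raise ValueError("bad Ether-IP header 0x%04x" % etherip)
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, body[2:]


# Constructed roaming client frame: DST MAC, SRC MAC, EtherType IPv4, payload.
CLIENT_FRAME = (b"\x00\x1b\x2c\x3d\x4e\x5f" + b"\x00\x11\x22\x33\x44\x55"
                + b"\x08\x00" + b"roaming client payload")

if __name__ == "__main__":
    # Foreign WLC (constructed 10.20.1.5) tunnels the frame to the anchor (10.10.1.5).
    pkt = encapsulate("10.20.1.5", "10.10.1.5", CLIENT_FRAME)
    print(decapsulate(pkt))
```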

Mobility Groups

Mobility groups are logical groups of WLCs and LAPs. Their defining characteristic is that a client can roam through each and every one of the members of the group. A mobility group can contain up to 24 WLCs, and the number of LAPs depends on the capabilities of the WLCs. A wireless client can move to a LAP that is part of a different mobility group, but its IP address will have to be renewed and all the session information held in the previous WLC will be dropped.

Configuring Switch Ports for WLAN Use

The actual configuration of the APs and WLCs was removed from the new CCNP SWITCH exam. The new CCNP is a routing and switching professional: he/she should configure the wired LAN to support the WLAN, and the wireless specialist should handle the actual WLAN and equipment configuration. In this guide we will learn how to configure switch ports to support the WLCs and APs and the wireless network in general.

Configuring Port Support for Autonomous APs

APs are usually connected to an access layer switch. Every SSID is mapped to a VLAN. In case the AP offers more than one SSID, several VLANs must be mapped to the switch port. In this case, the port connecting to the AP must be configured as a trunk and the VLANs that will be used must be allowed. If we assume the AP is connected to the Fast Ethernet 0/6 port of a switch and VLANs 100, 200 and 300 are going to be used for three different SSIDs, the configuration must be as follows:

Switch(config)# interface fastethernet 0/6
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 100,200,300
Switch(config-if)# switchport mode trunk

Configuring Support for LAPs

As we said, WLCs are designed to be zero-touch devices, meaning they are almost always operational right out of the box. The WLC manages almost all functions and operations of the LAP. The LAP must be connected to an access port, never a trunk. As explained, the VLANs required will travel across the LWAPP or CAPWAP tunnels that will be created between the WLC and the LAP.

The following is a sample configuration of a switch access port connected to a LAP. We will use VLAN 10 as the access VLAN on the port connected to the LAP.

Switch(config)# vlan 10
Switch(config-vlan)# name wifi-management
Switch(config-vlan)# exit
Switch(config)# interface fastethernet 0/10
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# power inline auto
Switch(config-if)# exit

In this configuration we used VLAN 10. We configured the port as an access port and used the spanning-tree portfast interface configuration command to allow the port to come up immediately, without extensive and time-consuming spanning tree calculations. The power inline auto command will provide PoE to the LAP, negotiating the amount of power to be supplied.

Configuring Switch Port Support for a WLC

WLCs must be in the distribution layer of the campus network, because they aggregate WLAN traffic from the LAPs. The main thing you must keep in mind is that all VLANs that will be tunneled to the LAPs must be accessible by the WLC. This means the links from the switch that are used to connect to the WLC must be trunks. This is one of those rare situations where dragging VLANs between distribution blocks may be necessary. The following is a sample configuration:

Switch(config)# interface range fastethernet 0/10
Switch(config-if-range)# switchport
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport trunk allowed vlan 100,200,300
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# spanning-tree portfast trunk
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit
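The three port roles above (autonomous AP trunk, LAP access port, WLC trunk uplink) are easy to mix up on a busy access switch. The following is an added example, not part of the manual or of any Cisco tool: it parses IOS-style interface configuration text and checks each port against the rules stated in this section. Interface names, VLAN numbers and the sample configuration are constructed for the example.

```python
"""Switch-port sanity check for wireless attachments.

Added example, not part of the LearnSmart manual or of any Cisco tool. It
parses IOS-style interface configuration text and checks it against the rules
given in the text: an autonomous AP serving several SSIDs needs a dot1q trunk
allowing the SSID VLANs, a LAP needs an access port (never a trunk) with
portfast and PoE, and a WLC uplink needs a trunk carrying every VLAN tunneled
to the LAPs. All interface names and VLAN numbers below are constructed.
"""
import re

# Constructed sample: Fa0/6 is a correct autonomous-AP trunk, Fa0/10 is a LAP
# port that was wrongly configured as a trunk, Fa0/11 is a WLC uplink that
# forgot to allow VLAN 300.
SAMPLE_CONFIG = """
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
!
interface FastEthernet0/10
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
!
interface FastEthernet0/11
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 spanning-tree portfast trunk
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [interface commands]} from running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def allowed_vlans(cmds) -> set:
    """Expand 'switchport trunk allowed vlan 100,200-202' into a set of VLAN ids."""
    vlans = set()
    for cmd in cmds:
        match = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", cmd)
        if match:
            for part in match.group(1).split(","):
                low, _, high = part.partition("-")
                vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def check_port(cmds, role: str, vlans=()) -> list:
    """List the problems of a port that is supposed to serve `role`.

    role is 'lap' (lightweight AP), 'ap' (autonomous AP with several SSIDs)
    or 'wlc' (controller uplink); `vlans` are the VLANs an 'ap'/'wlc' trunk
    must carry. An empty list means the port matches the rules.
    """
    problems = []
    mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
    if role == "lap":
        # everything the LAP needs travels inside the LWAPP/CAPWAP tunnel,
        # so the port is a plain access port
        if mode != "access":
            problems.append("LAP port must be an access port, never a trunk")
        if not any(c.startswith("switchport access vlan ") for c in cmds):
            problems.append("LAP port has no access VLAN")
        if "spanning-tree portfast" not in cmds:
            problems.append("spanning-tree portfast missing")
        if "power inline auto" not in cmds:
            problems.append("power inline auto missing (no PoE for the LAP)")
    else:
        # autonomous AP and WLC uplink both need a dot1q trunk with the VLANs
        if mode != "trunk":
            problems.append(f"{role} port must be a trunk")
        if "switchport trunk encapsulation dot1q" not in cmds:
            problems.append("switchport trunk encapsulation dot1q missing")
        missing = sorted(set(vlans) - allowed_vlans(cmds))
        if missing:
            problems.append(f"VLANs not allowed on the trunk: {missing}")
    return problems


def audit(config: str, roles: dict) -> dict:
    """roles maps interface name -> (role, required VLANs); returns name -> problems."""
    interfaces = parse_interfaces(config)
    return {name: check_port(interfaces.get(name, []), role, vlans)
            for name, (role, vlans) in roles.items()}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, {
        "FastEthernet0/6": ("ap", (100, 200, 300)),
        "FastEthernet0/10": ("lap", ()),
        "FastEthernet0/11": ("wlc", (100, 200, 300)),
    })
    for name, problems in report.items():
        print(name, "OK" if not problems else problems)
```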

Domain 5: High Availability

As we have studied, multilayer switches can act as the default gateway for hosts in the same VLAN with the use of SVIs. They can switch packets at Layer 3 (routing). High availability refers to the provision of redundancy for the routing services provided by routers or multilayer switches. The redundancy can be provided by adding duplicate hardware, such as an additional router or multilayer switch configured for that purpose. We will discuss several approaches and methods of providing router redundancy: the so-called first hop redundancy protocols (FHRP).

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol (HSRP) is a Cisco proprietary protocol developed to allow several routers or Layer 3 multilayer switch interfaces to appear with only one IP address. RFC 2281 defines this protocol in detail. The HSRP group can be composed of MLS and routers at the same time. All the routers that will provide redundancy will be part of an HSRP group. There will be a primary router, also called the active router; a secondary router is elected as the standby router; and the other participating routers will be in the listen state. Routers in the HSRP group communicate by exchanging hello messages sent to the all-routers multicast destination address. The messages are sent at a regular interval in order to let each other know of their existence and which one is the active router. The hello messages are sent over UDP. Only the active and standby routers exchange messages once the active and standby routers have been elected.

An HSRP group can be assigned a unique group number from 0 to 255, but most Cisco Catalyst switches support only 16 unique group numbers. For this reason it is recommended that you use the same group number for every interface in the same VLAN. The HSRP number is only locally significant on an interface.

HSRP Router Election Process

The HSRP router election is based on a priority value that ranges from 0 to 255. It is configured on a per-interface basis and the default in Cisco Catalyst switches is 100. If the value is left at the default, the tie breaker is the IP address: the router with the highest IP address in the group becomes the active router. The second highest priority becomes the standby router while the other participating routers enter the listen state. You will want to change the priority on the switch that you wish to be the active HSRP gateway. The standby router is the only one that should be constantly monitoring hellos from the active router.

When HSRP is configured on a router, it must pass through several states. First it must exchange hello messages with the other participating routers to determine its function in the HSRP group. All devices participating in HSRP must progress through the following states until they become either Active or Standby:

1. Disabled
2. Init
3. Listen
4. Speak
5. Standby
6. Active

To configure a router to participate in an HSRP group, use the following interface configuration command:

Switch(config-if)# standby group priority priority

If you plan to make this router the active router for group 1, assuming the other participating routers are left with the default priority, 100, you only need to use a higher number, from 101 to 255, as follows:

Switch(config-if)# standby 1 priority 200

The hello timer default is 3 seconds, and the holdtime timer is usually three times the hello; its default is 10 seconds. If the standby router doesn't hear a hello for the holdtime period, the active router is considered down and the standby can take over its functions. A router in the listen state then becomes the standby router. Remember the rule of thumb that the holdtime is three times the hello timer. Use the following command to configure both timers:

Switch(config-if)# standby group timers [msec] hello [msec] holdtime

If you use the msec keyword, the value is interpreted in milliseconds.

By default, the active router election is not preemptive. This means that if an active router fails, it will not preempt to once again become the active router when it comes back up. This also means that when routers are powered up or added to a network, the first router to bring up its interface will be the one that becomes the HSRP active router. You can change this behavior and make the Layer 3 interface with the highest priority become the active router as soon as it joins the HSRP group. You can achieve this with the following command:

Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]

After using this command the router can take the active router function away from another router. The delay keyword configures an amount of time, specified in seconds (ranging from 0 to 3600 seconds), that the router waits before attempting to preempt the current active router it finds after its interface comes up or when it joins the HSRP group. The reload keyword forces the router to wait for seconds after it has restarted and joined the group. This is useful because routing protocols usually take some time to populate the routing table, and a router should not act as the default gateway (first hop) until it has all the routes the hosts might need.

HSRP Authentication

Authentication can be used to prevent rogue devices from taking part in the HSRP group. All devices in the group must be configured with the same authentication method and key. You can use MD5 authentication or plain text.

Plain text authentication offers the most basic form of authentication. The HSRP messages are sent with a plain text key string of up to 8 characters. If the key string in the message matches the one configured in the router, the message is accepted. Use the following interface configuration command:

Switch(config-if)# standby group authentication string

Remember that the authentication string is sent in the clear. No encryption is provided. This means that if a packet is intercepted, the attacker can see the key string and could send its own malicious HSRP message and effectively gain access to the network, probably acting as the default gateway. This is why this method is considered basic and mostly insecure. MD5 authentication is recommended.

MD5 Authentication

An MD5 hash is computed over a portion of each HSRP message using a shared secret key known only by legitimate HSRP group peers. Every HSRP message sent by a participating router carries this MD5 hash. When a router receives the HSRP message it recalculates the hash over the message with its own secret key and compares the result to the hash carried in the message. If the hashes are identical the message is validated and accepted; otherwise the message is rejected. To configure MD5 authentication on the HSRP router, use the following interface configuration command:

Switch(config-if)# standby group authentication md5 key-string [0 | 7] string

The string value can be up to 64 characters long. The default key-string value is 0, which means the key is supplied in plain text. After the key is entered it is shown as an encrypted value in the switch configuration. You can also configure an MD5 key string as a key on a key chain. The following are the commands required to configure the key and the MD5 authentication for the HSRP group:

Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string [0 | 7] string
Switch(config)# interface type mod/num
Switch(config-if)# standby group authentication md5 key-chain chain-name

The following optional configuration is not available on all Catalyst switches. You can configure an HSRP router to decrement its priority if certain links go down. This is useful because a given router can have several links to the outside world, and as it loses those links, other routers in the HSRP group may become more desirable for routing packets. You can configure a router to decrement its priority value if an interface goes down with the following interface configuration command:

Switch(config-if)# standby group track type mod/num [decrementvalue]

The default decrementvalue is 10. Remember that it is not the HSRP router interface itself that should affect the priority. This feature is mostly useful, and was developed mainly, to evaluate the usefulness of the router as a default gateway. That means you should configure this command on those interfaces that generally connect to the outside world (outside of the VLAN or IP subnet). Remember that a router will only become the active router in an HSRP group if it has a higher HSRP priority and if it is using preempt in its HSRP configuration.

HSRP Addressing

Each interface of an HSRP router must be configured with an IP address that is meant to be used by routing protocols and management traffic of the router. It is also configured with the virtual router IP address, the one used as the default gateway and shared by all participating router interfaces in the HSRP group. This address is also called the HSRP address or the standby address. The standby address is the one that must be configured as the default gateway for hosts in the subnet. HSRP will always have one active router providing routing services at the HSRP address. To configure the HSRP address use the following interface configuration command:

Switch(config-if)# standby group ip ip-address [secondary]

The ip-address must be from the range of addresses excluded for the subnet in the DHCP server. It is very important to keep in mind that both the router's physical interface IP address and the virtual router/HSRP address must be in the same IP subnet.

HSRP defines a special MAC address for the virtual router. This is necessary for hosts communicating with the virtual router in the subnet. The MAC address is 0000.0c07.acxx, where xx is the two-digit hex value of the group number that the network administrator chose for this HSRP group. For example, group 15 would have the MAC address 0000.0c07.ac0f (0f hex = 15).

The following is a sample configuration where we use VLAN 10 as an SVI and then configure it to participate in HSRP group 1, assigning an IP address in the same subnet to the group. We use preempt to allow this particular interface to become the active router if it is the one with the highest priority in the group.

Switch1(config)# interface vlan 10
Switch1(config-if)# ip address ip-address subnet-mask
Switch1(config-if)# standby 1 priority 200
Switch1(config-if)# standby 1 preempt
Switch1(config-if)# standby 1 ip virtual-ip

Load Balancing with HSRP

Load balancing with one HSRP group is not possible. But there is a technique that allows you to configure load balancing using HSRP. You must configure two groups and do the following:

1. One group makes one switch the active router.
2. The other group makes the other switch the active router.

Doing this, two different routers can be used as gateways out of the subnet simultaneously. Another very important step is to make each router the standby router for the group in which it is not the active router. In short, you have two groups; each router is active in one group and standby in the other, thus providing load balancing. This is a very useful trick! Keep in mind, however, that all the traffic from one subnet will always go to the same switch. So if one subnet is much more heavily used than the other, then load balancing really hasn't been achieved. But it is better than forcing all VLANs to use one switch and leaving the other completely in standby.

In addition, as a network designer you must try to avoid having a single point of failure in the network whenever possible. This is especially true at the exit points of the subnets. HSRP successfully accomplishes this design requirement.
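The election rules, the tracking decrement, the virtual MAC format and the two-group load-balancing trick from the preceding sections, modelled in Python as an added example (not the manual's material and not Cisco code). Switch names, interface addresses, the authentication key and the rogue router are constructed; the two-group configuration mirrors the one described above.

```python
"""Model of HSRP election, tracking and the two-group load-balancing trick.

Added example, not from the LearnSmart manual and not Cisco code. It encodes
the rules stated in the text: priority (default 100) with the highest interface
IP address as tie-breaker, the runner-up becomes standby and the rest listen,
a recovered or newly joined router only takes over if it has preempt, interface
tracking decrements the priority (default 10), hellos carrying the wrong
authentication string are ignored, and the virtual MAC is 0000.0c07.acXX.
Switch names, addresses and the rogue router below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # interface address, used for the tie-break
    priority: int = 100      # standby <group> priority <priority>
    preempt: bool = False    # standby <group> preempt
    auth: str = ""           # standby <group> authentication <string>
    tracked_down: int = 0    # number of tracked interfaces that are down
    decrement: int = 10      # standby <group> track ... <decrementvalue>

    def effective_priority(self) -> int:
        # each tracked interface that is down lowers the priority
        return max(0, self.priority - self.tracked_down * self.decrement)

    def rank(self):
        # higher priority wins; on a tie the higher interface IP wins
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def virtual_mac(group: int) -> str:
    """Virtual MAC 0000.0c07.acXX with XX the group number in hex (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be between 0 and 255")
    return f"0000.0c07.ac{group:02x}"


def elect(routers, group_auth: str, current_active: Optional[str] = None):
    """Return (active, standby, [listeners]) for one HSRP group.

    `routers` are the members whose interface is up, `group_auth` the string
    the group is configured with and `current_active` the router that was
    active before this election (None while the group is forming).
    """
    # a router whose hellos carry the wrong key is ignored by its peers,
    # so a rogue or misconfigured device never enters the election
    members = [r for r in routers if r.auth == group_auth]
    if not members:
        return None, None, []
    ordered = sorted(members, key=lambda r: r.rank(), reverse=True)
    active = ordered[0]
    incumbent = next((r for r in members if r.name == current_active), None)
    if incumbent is not None and active is not incumbent and not active.preempt:
        active = incumbent  # HSRP is not preemptive by default
    others = [r for r in ordered if r is not active]
    standby = others[0].name if others else None
    return active.name, standby, [r.name for r in others[1:]]


def load_balancing_roles() -> dict:
    """Two groups on one VLAN: each switch active in one, standby in the other."""
    key = "PrepLogic"
    group1 = [HsrpRouter("Switch1", "10.0.10.2", 200, preempt=True, auth=key),
              HsrpRouter("Switch2", "10.0.10.3", 100, auth=key)]
    group2 = [HsrpRouter("Switch1", "10.0.10.2", 100, auth=key),
              HsrpRouter("Switch2", "10.0.10.3", 200, preempt=True, auth=key)]
    return {1: elect(group1, key)[:2], 2: elect(group2, key)[:2]}


if __name__ == "__main__":
    print("group 15 virtual MAC:", virtual_mac(15))
    for group, (active, standby) in load_balancing_roles().items():
        print(f"group {group}: active={active} standby={standby}")
```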

The following is a sample configuration of two multilayer switches:

Switch 1:
Switch1(config)# interface vlan 10
Switch1(config-if)# ip address ip-address subnet-mask
Switch1(config-if)# standby 1 priority 200
Switch1(config-if)# standby 1 preempt
Switch1(config-if)# standby 1 ip virtual-ip-1
Switch1(config-if)# standby 1 authentication PrepLogic
Switch1(config-if)# standby 2 priority 100
Switch1(config-if)# standby 2 ip virtual-ip-2
Switch1(config-if)# standby 2 authentication PrepLogic

Switch 2:
Switch2(config)# interface vlan 10
Switch2(config-if)# ip address ip-address subnet-mask
Switch2(config-if)# standby 1 priority 100
Switch2(config-if)# standby 1 ip virtual-ip-1
Switch2(config-if)# standby 1 authentication PrepLogic
Switch2(config-if)# standby 2 priority 200
Switch2(config-if)# standby 2 preempt
Switch2(config-if)# standby 2 ip virtual-ip-2
Switch2(config-if)# standby 2 authentication PrepLogic

To display information regarding the status of one or more HSRP groups use the following command:

Router# show standby [brief] [vlan vlan-id | type mod/num]

This command displays the groups the router is part of, the role of the interface (active or standby), the HSRP priority, the hello timer and holdtime, whether it can preempt the existing active router, and the authentication key.

Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, defined in its own RFC. VRRP is very similar to HSRP, to the point that only slight differences in operation and terminology must be learned. VRRP provides one redundant gateway address from a group of routers. The active router is called the master router, whereas all others are in the backup state. The master router is the one with the highest priority in the VRRP group. VRRP group numbers range from 0 to 255, and 100 is the default router priority, just like HSRP. Very similarly to HSRP, the virtual router MAC address is of the form 0000.5e00.01xx, where xx is the two-digit hex VRRP group number. VRRP advertisements are sent at 1 second intervals. Backup routers can optionally learn the advertisement interval from the master router.

VRRP routers are configured to preempt the master router if they have a higher priority. VRRP routers don't have any mechanism to track interfaces so that other, more capable routers can become the master router (the track keyword present in HSRP is not available in VRRP).

To assign a VRRP router priority use the following interface configuration command:

Switch(config-if)# vrrp group priority level

You can alter the advertisement timer (the VRRP equivalent of the HSRP hello timer) with the following command:

Switch(config-if)# vrrp group timers advertise [msec] interval

You can also configure the VRRP router to learn the advertisement timer from other VRRP peers:

Switch(config-if)# vrrp group timers learn

VRRP routers preempt the master router if they have a higher priority by default. To disable the preempting capability, use the no keyword with the following interface configuration command:

Switch(config-if)# [no] vrrp group preempt [delay seconds]

Use the delay keyword followed by a value in seconds to change the preempt delay. The default is 0 seconds. That means the preemption will take place immediately after a VRRP router with a higher priority joins the group.

Authentication is also very similar to that provided for HSRP, and very simple to configure. Use the following interface configuration command (remember the string value must be the same in all VRRP routers in the group):

Switch(config-if)# vrrp group authentication string

Just like in HSRP, you can configure quasi-load balancing in VRRP, using the same trick we used in the HSRP configuration.

Switch 1:
Switch1(config)# interface vlan 10
Switch1(config-if)# ip address ip-address subnet-mask
Switch1(config-if)# vrrp 1 priority 200
Switch1(config-if)# vrrp 1 preempt
Switch1(config-if)# vrrp 1 ip virtual-ip-1
Switch1(config-if)# vrrp 1 authentication PrepLogic
Switch1(config-if)# vrrp 2 priority 100
Switch1(config-if)# vrrp 2 ip virtual-ip-2
Switch1(config-if)# vrrp 2 authentication PrepLogic

Switch 2:
Switch2(config)# interface vlan 10
Switch2(config-if)# ip address ip-address subnet-mask
Switch2(config-if)# vrrp 1 priority 100
Switch2(config-if)# vrrp 1 ip virtual-ip-1
Switch2(config-if)# vrrp 1 authentication PrepLogic
Switch2(config-if)# vrrp 2 priority 200
Switch2(config-if)# vrrp 2 preempt
Switch2(config-if)# vrrp 2 ip virtual-ip-2
Switch2(config-if)# vrrp 2 authentication PrepLogic

As we mentioned, VRRP is an alternative, standards-based high availability protocol to HSRP. This means that if your network pairs use a mix of Cisco and a different vendor's route/switch gear, you must use the open standard VRRP. You can display information about the VRRP status with the following show command:

Switch# show vrrp [brief]

The following is the actual output of the two switches configured with the previous VRRP configuration:

Figure 35: VRRP Status on SWITCH1
Figure 36: VRRP Status on SWITCH2

Gateway Load Balancing Protocol (GLBP)

Configuring load balancing using HSRP or VRRP can be considered labor intensive. Gateway Load Balancing Protocol is a Cisco proprietary protocol developed to overcome the limitations of the previous high availability methods, HSRP and VRRP. Some of the concepts in GLBP are the same as in HSRP or VRRP, defined with different terminology. GLBP is much more powerful and a big step forward from the previous technologies. Just like with the previous technologies, GLBP assigns several routers to a common group and uses a virtual router to provide gateway/routing services to the VLAN/IP subnet. Differently than HSRP or VRRP, all routers in the group can actively participate in packet forwarding at the same time, providing true load balancing by each forwarding a portion of the total traffic. This helps to better distribute actual traffic loads across two paths. This is achieved by the way GLBP operates and assigns the virtual router's MAC address. Every time a host sends an ARP request, GLBP replies with the MAC address of a selected router in the group. This allows GLBP to use the same IP address to forward packets while actually using several routers in the group. GLBP is Cisco proprietary and is not supported on older routers and MLS that cannot support multiple MAC addresses on their physical interfaces. Always remember that the only high availability protocol available for networks with multivendor routers and MLS is VRRP.


More information

Evaluation scheme for Tracking in AMI

Evaluation scheme for Tracking in AMI A M I C o m m u i c a t i o A U G M E N T E D M U L T I - P A R T Y I N T E R A C T I O N http://www.amiproject.org/ Evaluatio scheme for Trackig i AMI S. Schreiber a D. Gatica-Perez b AMI WP4 Trackig:

More information

The Magma Database file formats

The Magma Database file formats The Magma Database file formats Adrew Gaylard, Bret Pikey, ad Mart-Mari Breedt Johaesburg, South Africa 15th May 2006 1 Summary Magma is a ope-source object database created by Chris Muller, of Kasas City,

More information

6.854J / J Advanced Algorithms Fall 2008

6.854J / J Advanced Algorithms Fall 2008 MIT OpeCourseWare http://ocw.mit.edu 6.854J / 18.415J Advaced Algorithms Fall 2008 For iformatio about citig these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. 18.415/6.854 Advaced Algorithms

More information

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe Copyright 2016 Ramez Elmasri ad Shamkat B. Navathe CHAPTER 19 Query Optimizatio Copyright 2016 Ramez Elmasri ad Shamkat B. Navathe Itroductio Query optimizatio Coducted by a query optimizer i a DBMS Goal:

More information

Guide to Applying Online

Guide to Applying Online Guide to Applyig Olie Itroductio Respodig to requests for additioal iformatio Reportig: submittig your moitorig or ed of grat Pledges: submittig your Itroductio This guide is to help charities submit their

More information

Getting Started. Getting Started - 1

Getting Started. Getting Started - 1 Gettig Started Gettig Started - 1 Issue 1 Overview of Gettig Started Overview of Gettig Started This sectio explais the basic operatios of the AUDIX system. It describes how to: Log i ad log out of the

More information

G2 T. Specification Sheet G2T-001 G2T Touchscreen Mainframes Accepts G2 Plug-in Modules Four Sizes: 2RU, 3RU, 6RU and 8RU

G2 T. Specification Sheet G2T-001 G2T Touchscreen Mainframes Accepts G2 Plug-in Modules Four Sizes: 2RU, 3RU, 6RU and 8RU G2 T Geeral The G2T Maiframes are part of our field-prove G2 family of products ad replaces the G2S maiframes. The mai differece is the all ew frot pael touchscree desig which replaces the older VF display

More information

Lecture Notes 6 Introduction to algorithm analysis CSS 501 Data Structures and Object-Oriented Programming

Lecture Notes 6 Introduction to algorithm analysis CSS 501 Data Structures and Object-Oriented Programming Lecture Notes 6 Itroductio to algorithm aalysis CSS 501 Data Structures ad Object-Orieted Programmig Readig for this lecture: Carrao, Chapter 10 To be covered i this lecture: Itroductio to algorithm aalysis

More information

WYSE Academic Challenge Sectional Computer Science 2005 SOLUTION SET

WYSE Academic Challenge Sectional Computer Science 2005 SOLUTION SET WYSE Academic Challege Sectioal Computer Sciece 2005 SOLUTION SET 1. Correct aswer: a. Hz = cycle / secod. CPI = 2, therefore, CPI*I = 2 * 28 X 10 8 istructios = 56 X 10 8 cycles. The clock rate is 56

More information

Python Programming: An Introduction to Computer Science

Python Programming: An Introduction to Computer Science Pytho Programmig: A Itroductio to Computer Sciece Chapter 6 Defiig Fuctios Pytho Programmig, 2/e 1 Objectives To uderstad why programmers divide programs up ito sets of cooperatig fuctios. To be able to

More information

Message Integrity and Hash Functions. TELE3119: Week4

Message Integrity and Hash Functions. TELE3119: Week4 Message Itegrity ad Hash Fuctios TELE3119: Week4 Outlie Message Itegrity Hash fuctios ad applicatios Hash Structure Popular Hash fuctios 4-2 Message Itegrity Goal: itegrity (ot secrecy) Allows commuicatig

More information

In this chapter, you learn the concepts and terminology of databases and

In this chapter, you learn the concepts and terminology of databases and A Itroductio to Database Developmet I this chapter, you lear the cocepts ad termiology of databases ad how to desig the tables that your forms ad reports will use. Fially, you build the actual tables used

More information

COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 4. The Processor. Part A Datapath Design

COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 4. The Processor. Part A Datapath Design COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Chapter The Processor Part A path Desig Itroductio CPU performace factors Istructio cout Determied by ISA ad compiler. CPI ad

More information

Baan Finance Financial Statements

Baan Finance Financial Statements Baa Fiace Fiacial Statemets Module Procedure UP041A US Documetiformatio Documet Documet code : UP041A US Documet group : User Documetatio Documet title : Fiacial Statemets Applicatio/Package : Baa Fiace

More information

GE FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III

GE FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III GE2112 - FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III PROBLEM SOLVING AND OFFICE APPLICATION SOFTWARE Plaig the Computer Program Purpose Algorithm Flow Charts Pseudocode -Applicatio Software Packages-

More information

IXS-6600-C IXS-6700-C

IXS-6600-C IXS-6700-C INTEGRATED ROUTING SYSTEM PACK IXS-6600-C IXS-6700-C INTEGRATED ROUTING SYSTEM IXS-6600 IXS-6700 IKS-6030M IKS-A6011 IKS-A6015 IKS-A6050 IKS-A6061 IKS-V6010M IKS-V6010SD IKS-V6050M IKS-V6050SD IKS-V6060M

More information

Appendix D. Controller Implementation

Appendix D. Controller Implementation COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Appedix D Cotroller Implemetatio Cotroller Implemetatios Combiatioal logic (sigle-cycle); Fiite state machie (multi-cycle, pipelied);

More information

Security and Communication. Ultimate. Because Intercom doesn t stop at the hardware level. Software Intercom Server for virtualised IT platforms

Security and Communication. Ultimate. Because Intercom doesn t stop at the hardware level. Software Intercom Server for virtualised IT platforms Because Itercom does t stop at the hardware level by Commed Software Itercom Server for virtualised IT platforms Ready for VMware Ready for Hyper-V VoIP Ultimate availability Itercom Server as a app The

More information

Chapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings

Chapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings Operatig Systems: Iterals ad Desig Priciples Chapter 4 Threads Nith Editio By William Stalligs Processes ad Threads Resource Owership Process icludes a virtual address space to hold the process image The

More information

Chapter 9. Pointers and Dynamic Arrays. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Chapter 9. Pointers and Dynamic Arrays. Copyright 2015 Pearson Education, Ltd.. All rights reserved. Chapter 9 Poiters ad Dyamic Arrays Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Overview 9.1 Poiters 9.2 Dyamic Arrays Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Slide 9-3

More information

Weston Anniversary Fund

Weston Anniversary Fund Westo Olie Applicatio Guide 2018 1 This guide is desiged to help charities applyig to the Westo to use our olie applicatio form. The Westo is ope to applicatios from 5th Jauary 2018 ad closes o 30th Jue

More information

Improvement of the Orthogonal Code Convolution Capabilities Using FPGA Implementation

Improvement of the Orthogonal Code Convolution Capabilities Using FPGA Implementation Improvemet of the Orthogoal Code Covolutio Capabilities Usig FPGA Implemetatio Naima Kaabouch, Member, IEEE, Apara Dhirde, Member, IEEE, Saleh Faruque, Member, IEEE Departmet of Electrical Egieerig, Uiversity

More information

The Value of Peering

The Value of Peering The Value of Peerig ISP/IXP Workshops These materials are licesed uder the Creative Commos Attributio-NoCommercial 4.0 Iteratioal licese (http://creativecommos.org/liceses/by-c/4.0/) Last updated 25 th

More information

1 Enterprise Modeler

1 Enterprise Modeler 1 Eterprise Modeler Itroductio I BaaERP, a Busiess Cotrol Model ad a Eterprise Structure Model for multi-site cofiguratios are itroduced. Eterprise Structure Model Busiess Cotrol Models Busiess Fuctio

More information

Ones Assignment Method for Solving Traveling Salesman Problem

Ones Assignment Method for Solving Traveling Salesman Problem Joural of mathematics ad computer sciece 0 (0), 58-65 Oes Assigmet Method for Solvig Travelig Salesma Problem Hadi Basirzadeh Departmet of Mathematics, Shahid Chamra Uiversity, Ahvaz, Ira Article history:

More information

Schema for the DCE Security Registry Server

Schema for the DCE Security Registry Server Schema for the Security egistry Server Versio Date: 0/20/00 For questios or commets cocerig this documet, sed a email ote to dce-ldap@opegroup.org or call Doa Skibbie at 52 838-3896. . Itroductio...3 2.

More information

Basic allocator mechanisms The course that gives CMU its Zip! Memory Management II: Dynamic Storage Allocation Mar 6, 2000.

Basic allocator mechanisms The course that gives CMU its Zip! Memory Management II: Dynamic Storage Allocation Mar 6, 2000. 5-23 The course that gives CM its Zip Memory Maagemet II: Dyamic Storage Allocatio Mar 6, 2000 Topics Segregated lists Buddy system Garbage collectio Mark ad Sweep Copyig eferece coutig Basic allocator

More information

System and Software Architecture Description (SSAD)

System and Software Architecture Description (SSAD) System ad Software Architecture Descriptio (SSAD) Diabetes Health Platform Team #6 Jasmie Berry (Cliet) Veerav Naidu (Project Maager) Mukai Nog (Architect) Steve South (IV&V) Vijaya Prabhakara (Quality

More information

Reliable Transmission. Spring 2018 CS 438 Staff - University of Illinois 1

Reliable Transmission. Spring 2018 CS 438 Staff - University of Illinois 1 Reliable Trasmissio Sprig 2018 CS 438 Staff - Uiversity of Illiois 1 Reliable Trasmissio Hello! My computer s ame is Alice. Alice Bob Hello! Alice. Sprig 2018 CS 438 Staff - Uiversity of Illiois 2 Reliable

More information

The Penta-S: A Scalable Crossbar Network for Distributed Shared Memory Multiprocessor Systems

The Penta-S: A Scalable Crossbar Network for Distributed Shared Memory Multiprocessor Systems The Peta-S: A Scalable Crossbar Network for Distributed Shared Memory Multiprocessor Systems Abdulkarim Ayyad Departmet of Computer Egieerig, Al-Quds Uiversity, Jerusalem, P.O. Box 20002 Tel: 02-2797024,

More information

Term Project Report. This component works to detect gesture from the patient as a sign of emergency message and send it to the emergency manager.

Term Project Report. This component works to detect gesture from the patient as a sign of emergency message and send it to the emergency manager. CS2310 Fial Project Loghao Li Term Project Report Itroductio I this project, I worked o expadig exercise 4. What I focused o is makig the real gesture recogizig sesor ad desig proper gestures ad recogizig

More information

BEA Tuxedo. Creating CORBA Server Applications

BEA Tuxedo. Creating CORBA Server Applications BEA Tuxedo Creatig CORBA Server Applicatios BEA Tuxedo Release 8.0 Documet Editio 8.0 Jue 2001 Copyright Copyright 2001 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software ad documetatio

More information

ICS Regent. Communications Modules. Module Operation. RS-232, RS-422 and RS-485 (T3150A) PD-6002

ICS Regent. Communications Modules. Module Operation. RS-232, RS-422 and RS-485 (T3150A) PD-6002 ICS Reget Commuicatios Modules RS-232, RS-422 ad RS-485 (T3150A) Issue 1, March, 06 Commuicatios modules provide a serial commuicatios iterface betwee the cotroller ad exteral equipmet. Commuicatios modules

More information

CA Top Secret r14 for z/os

CA Top Secret r14 for z/os PRODUCT SHEET: CA TOP SECRET FOR z/os CA Top Secret r14 for z/os CA Top Secret for z/os (CA Top Secret) provides iovative ad comprehesive security for your busiess trasactio eviromets icludig z/os, Maiframe

More information

BE Software Upgrades to ITALYCS 5. It s in the. Software

BE Software Upgrades to ITALYCS 5. It s in the. Software BE Software Upgrades to ITALYCS 5 It s i the Software UPGRADES WE OFFER Brampto Egieerig is offerig customers with ITALYCS 2 ad ITALYCS 4 systems the opportuity to upgrade their existig systems to the

More information

The VSS CCD photometry spreadsheet

The VSS CCD photometry spreadsheet The VSS CCD photometry spreadsheet Itroductio This Excel spreadsheet has bee developed ad tested by the BAA VSS for aalysig results files produced by the multi-image CCD photometry procedure i AIP4Wi v2.

More information

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe Copyright 2016 Ramez Elmasri ad Shamkat B. Navathe CHAPTER 26 Ehaced Data Models: Itroductio to Active, Temporal, Spatial, Multimedia, ad Deductive Databases Copyright 2016 Ramez Elmasri ad Shamkat B.

More information

K-NET bus. When several turrets are connected to the K-Bus, the structure of the system is as showns

K-NET bus. When several turrets are connected to the K-Bus, the structure of the system is as showns K-NET bus The K-Net bus is based o the SPI bus but it allows to addressig may differet turrets like the I 2 C bus. The K-Net is 6 a wires bus (4 for SPI wires ad 2 additioal wires for request ad ackowledge

More information

An Improved Shuffled Frog-Leaping Algorithm for Knapsack Problem

An Improved Shuffled Frog-Leaping Algorithm for Knapsack Problem A Improved Shuffled Frog-Leapig Algorithm for Kapsack Problem Zhoufag Li, Ya Zhou, ad Peg Cheg School of Iformatio Sciece ad Egieerig Hea Uiversity of Techology ZhegZhou, Chia lzhf1978@126.com Abstract.

More information

Application Notes for Configuring Dasan Electron Headsets from JPL Europe with Avaya 9600 Series IP Deskphones using a DA-30 Cord Issue 1.

Application Notes for Configuring Dasan Electron Headsets from JPL Europe with Avaya 9600 Series IP Deskphones using a DA-30 Cord Issue 1. Avaya Solutio & Iteroperability Test Lab Applicatio Notes for Cofigurig Dasa Electro Headsets from JPL Europe with Avaya 9600 Series IP Deskphoes usig a DA-30 Cord Issue 1.0 Abstract These Applicatio Notes

More information

Morgan Kaufmann Publishers 26 February, COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 5

Morgan Kaufmann Publishers 26 February, COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 5 Morga Kaufma Publishers 26 February, 28 COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Chapter 5 Set-Associative Cache Architecture Performace Summary Whe CPU performace icreases:

More information

Multi-Threading. Hyper-, Multi-, and Simultaneous Thread Execution

Multi-Threading. Hyper-, Multi-, and Simultaneous Thread Execution Multi-Threadig Hyper-, Multi-, ad Simultaeous Thread Executio 1 Performace To Date Icreasig processor performace Pipeliig. Brach predictio. Super-scalar executio. Out-of-order executio. Caches. Hyper-Threadig

More information

Arithmetic Sequences

Arithmetic Sequences . Arithmetic Sequeces COMMON CORE Learig Stadards HSF-IF.A. HSF-BF.A.1a HSF-BF.A. HSF-LE.A. Essetial Questio How ca you use a arithmetic sequece to describe a patter? A arithmetic sequece is a ordered

More information

Chapter 11. Friends, Overloaded Operators, and Arrays in Classes. Copyright 2014 Pearson Addison-Wesley. All rights reserved.

Chapter 11. Friends, Overloaded Operators, and Arrays in Classes. Copyright 2014 Pearson Addison-Wesley. All rights reserved. Chapter 11 Frieds, Overloaded Operators, ad Arrays i Classes Copyright 2014 Pearso Addiso-Wesley. All rights reserved. Overview 11.1 Fried Fuctios 11.2 Overloadig Operators 11.3 Arrays ad Classes 11.4

More information

Chapter 4 The Datapath

Chapter 4 The Datapath The Ageda Chapter 4 The Datapath Based o slides McGraw-Hill Additioal material 24/25/26 Lewis/Marti Additioal material 28 Roth Additioal material 2 Taylor Additioal material 2 Farmer Tae the elemets that

More information

n Explore virtualization concepts n Become familiar with cloud concepts

n Explore virtualization concepts n Become familiar with cloud concepts Chapter Objectives Explore virtualizatio cocepts Become familiar with cloud cocepts Chapter #15: Architecture ad Desig 2 Hypervisor Virtualizatio ad cloud services are becomig commo eterprise tools to

More information

APPLICATION NOTE. Automated Gain Flattening. 1. Experimental Setup. Scope and Overview

APPLICATION NOTE. Automated Gain Flattening. 1. Experimental Setup. Scope and Overview APPLICATION NOTE Automated Gai Flatteig Scope ad Overview A flat optical power spectrum is essetial for optical telecommuicatio sigals. This stems from a eed to balace the chael powers across large distaces.

More information

Goals of the Lecture UML Implementation Diagrams

Goals of the Lecture UML Implementation Diagrams Goals of the Lecture UML Implemetatio Diagrams Object-Orieted Aalysis ad Desig - Fall 1998 Preset UML Diagrams useful for implemetatio Provide examples Next Lecture Ð A variety of topics o mappig from

More information

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe Copyright 2016 Ramez Elmasri ad Shamkat B. Navathe CHAPTER 22 Database Recovery Techiques Copyright 2016 Ramez Elmasri ad Shamkat B. Navathe Itroductio Recovery algorithms Recovery cocepts Write-ahead

More information

A New Morphological 3D Shape Decomposition: Grayscale Interframe Interpolation Method

A New Morphological 3D Shape Decomposition: Grayscale Interframe Interpolation Method A ew Morphological 3D Shape Decompositio: Grayscale Iterframe Iterpolatio Method D.. Vizireau Politehica Uiversity Bucharest, Romaia ae@comm.pub.ro R. M. Udrea Politehica Uiversity Bucharest, Romaia mihea@comm.pub.ro

More information

G2 T Made in the USA. Specification Sheet G2T-001 G2T Mainframes with Touchscreen Accepts G2 Plug-in Modules Four Sizes: 2RU, 3RU, 6RU and 8RU

G2 T Made in the USA. Specification Sheet G2T-001 G2T Mainframes with Touchscreen Accepts G2 Plug-in Modules Four Sizes: 2RU, 3RU, 6RU and 8RU Specificatio Sheet G2T-001 G2T Maiframes with Touchscree Accepts G2 Plug-i Modules Four Sizes: 2RU, 3RU, 6RU ad 8RU Geeral The G2T maiframes are the latest additio to our fieldprove G2 family of products

More information

Python Programming: An Introduction to Computer Science

Python Programming: An Introduction to Computer Science Pytho Programmig: A Itroductio to Computer Sciece Chapter 1 Computers ad Programs 1 Objectives To uderstad the respective roles of hardware ad software i a computig system. To lear what computer scietists

More information

Outline. CSCI 4730 Operating Systems. Questions. What is an Operating System? Computer System Layers. Computer System Layers

Outline. CSCI 4730 Operating Systems. Questions. What is an Operating System? Computer System Layers. Computer System Layers Outlie CSCI 4730 s! What is a s?!! System Compoet Architecture s Overview Questios What is a?! What are the major operatig system compoets?! What are basic computer system orgaizatios?! How do you commuicate

More information

Data diverse software fault tolerance techniques

Data diverse software fault tolerance techniques Data diverse software fault tolerace techiques Complemets desig diversity by compesatig for desig diversity s s limitatios Ivolves obtaiig a related set of poits i the program data space, executig the

More information

CMSC Computer Architecture Lecture 11: More Caches. Prof. Yanjing Li University of Chicago

CMSC Computer Architecture Lecture 11: More Caches. Prof. Yanjing Li University of Chicago CMSC 22200 Computer Architecture Lecture 11: More Caches Prof. Yajig Li Uiversity of Chicago Lecture Outlie Caches 2 Review Memory hierarchy Cache basics Locality priciples Spatial ad temporal How to access

More information

3.1 Overview of MySQL Programs. These programs are discussed further in Chapter 4, Database Administration. Client programs that access the server:

3.1 Overview of MySQL Programs. These programs are discussed further in Chapter 4, Database Administration. Client programs that access the server: 3 Usig MySQL Programs This chapter provides a brief overview of the programs provided by MySQL AB ad discusses how to specify optios whe you ru these programs. Most programs have optios that are specific

More information

Service Oriented Enterprise Architecture and Service Oriented Enterprise

Service Oriented Enterprise Architecture and Service Oriented Enterprise Approved for Public Release Distributio Ulimited Case Number: 09-2786 The 23 rd Ope Group Eterprise Practitioers Coferece Service Orieted Eterprise ad Service Orieted Eterprise Ya Zhao, PhD Pricipal, MITRE

More information

Firewall and IDS. TELE3119: Week8

Firewall and IDS. TELE3119: Week8 Firewall ad IDS TELE3119: Week8 Outlie Firewalls Itrusio Detectio Systems (IDSs) Itrusio Prevetio Systems (IPSs) 8-2 Example Attacks Disclosure, modificatio, ad destructio of data Compromise a host ad

More information

Workflow Extensions User Guide. StarTeam 12.0

Workflow Extensions User Guide. StarTeam 12.0 Workflow Extesios User Guide StarTeam 12.0 Micro Focus 575 Ato Blvd., Suite 510 Costa Mesa, CA 92626 Copyright 2011 Micro Focus IP Developmet Limited. All Rights Reserved. StarTeam cotais derivative works

More information

Master Informatics Eng. 2017/18. A.J.Proença. Memory Hierarchy. (most slides are borrowed) AJProença, Advanced Architectures, MiEI, UMinho, 2017/18 1

Master Informatics Eng. 2017/18. A.J.Proença. Memory Hierarchy. (most slides are borrowed) AJProença, Advanced Architectures, MiEI, UMinho, 2017/18 1 Advaced Architectures Master Iformatics Eg. 2017/18 A.J.Proeça Memory Hierarchy (most slides are borrowed) AJProeça, Advaced Architectures, MiEI, UMiho, 2017/18 1 Itroductio Programmers wat ulimited amouts

More information

NVP-903 Series. Multi-Stream Network Video Encoder REFERENCE GUIDE

NVP-903 Series. Multi-Stream Network Video Encoder REFERENCE GUIDE NVP-903 Series Multi-Stream Network Video Ecoder REFERENCE GUIDE NVP-903 Series User Maual Table of Cotets 1 Itroductio... 4 1.1 Product Overview... 4 1.2 Product Features... 4 2 Pael Desig... 5 2.1 Frot

More information

CS 683: Advanced Design and Analysis of Algorithms

CS 683: Advanced Design and Analysis of Algorithms CS 683: Advaced Desig ad Aalysis of Algorithms Lecture 6, February 1, 2008 Lecturer: Joh Hopcroft Scribes: Shaomei Wu, Etha Feldma February 7, 2008 1 Threshold for k CNF Satisfiability I the previous lecture,

More information