BCMSN: Cisco CCNP

BCMSN
Building Cisco Multilayer Switched Networks
Cisco CCNP
Train Signal, Inc., 2002-2007
Welcome To Your BCMSN Video Boot Camp!

Topics: LAN Switching Basics Virtual LANs (VLANs) VLAN Trunking Protocol (VTP) Spanning Tree Protocol (STP) Advanced Spanning Tree Protocol Features Etherchannels Securing Switches Multilayer Switching IP Telephony & Cisco IP Phones Wireless Networking Network Design and Models Queueing (Bonus Video)
Your Instructor:
Chris Bryant, CCIE #12933 Earned my CCIE on February 26, 2004 Founded The Bryant Advantage in June of that year My Video Boot Camps and other study materials place an emphasis on clearly explained theory and plenty of work on REAL CISCO routers and switches Real Education + Real Equipment = Real CCNAs and CCNPs A+, Network+, Security+, and Microsoft Vista Certification tutorials and study tools Visit the website: www.thebryantadvantage.com
PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com
Exam Prep Tips: Take your time and master the material. Get some hands-on work with the BCMSN-level protocols. Do not practice debugs on a production network at any time. Get plenty of rest the day before exam. By that time, the die is cast. Don't cram for the exam. Prepare.
LAN Switching Basics
Ethernet, Fast Ethernet, Gig Ethernet Quick cabling overview Basic Switch Operation Filenames and autorecovery
Ethernet
Good old "basic" Ethernet is based on IEEE 802.3, and offers a bandwidth of 10 MB to end users. The more users there are on an Ethernet segment, the higher the chance of collisions, which render signals sent by the hosts to an unusable state. When the hosts are connected to their own individual switch ports, they will each get a dedicated 10 MB and the chance of collisions is eliminated. Each port on a switch is its own collision domain. Ethernet uses UTP cabling (Unshielded Twisted Pair), and this cable type has a length limit of 100 meters. Referring to the Cisco three-layer networking model, Ethernet is generally going to be found at the access layer, connecting end users to the network.
Fast Ethernet Part 1

Fast Ethernet is defined in IEEE 802.3u, and operates at 100 MB. FE can use UTP or fiber-optic wiring. When full-duplex FE is in operation, the effective bandwidth is 200 MBPS, since FE ports can send and receive at the same time. You'll see "10/100" ports on many switches. This means that the port will work with an Ethernet or Fast Ethernet connection, and the port speed can be negotiated between the switch and the connected device. To allow this negotiation, both end devices should be set for "auto", short for autonegotiation. And as you know, if you're connecting a server, router, or workstation to a switch, you'll need a straight-through cable.
Fast Ethernet Part 2

Fast Ethernet ports can also be used to create a Fast EtherChannel. An Etherchannel, or EC, is a logical bundling of physical connections between switches. A Fast EC can bundle up to eight physical connections, resulting in throughput of up to 1600 MBPS! As with Ethernet, Fast Ethernet connections can connect end users to the access-layer switches. FE ports can also be used to form a trunk between the access and distributionlayer switches, but hopefully we've got some Gigabit Ethernet ports to handle that.
Gigabit Ethernet
The next logical step is Gigabit Ethernet, often referred to as "Gig Ethernet". Gig Ethernet will support speeds up to 1000 MBPS, or 1 Gigabit Per Second (GBPS). The cabling you use with your Gig Ethernet ports is going to vary widely. The necessary cable is determined by the Gigabit Ethernet standard in use on your particular switch. Some of the more common cable types to use with Gigabit Ethernet are Shielded Twisted-Pair (STP), Multimode Fiber (MMF) cable with either a 50- or 62.5 micron core, and Single-Mode Fiber (SMF) with an 8-, 9-, or 50-micron core. Make sure to check your switch's documentation before you start buying cables!
10 Gigabit Ethernet
Often referred to in documentation as 10GbE. 10Gig Ethernet will only work on fiber-optic and in full-duplex mode. (That's the only way all that speed can be used!)
Long Range Ethernet

No, LRE isn't faster than 10 Gig Ethernet! LRE can use preexisting wiring to provide Ethernet service to a building that might not otherwise have it. The preexisting wiring is usually going to be the phone wires. The available speed is dependent on the cable length - the longer the wire, the less bandwidth that's available.
A Quick Cable Review

To connect your PC to the console port of a switch, you must have a rollover cable. Check your PC in advance to make sure you don't need an adapter for the rollover cable. Many laptops no longer have a DB9 port. To connect a router, PC, or server to a switch, you'll need a straight-through cable. If the router has an AUI port, you'll also need a transceiver for the router. The transceiver connects to the router and the cable connects to the transceiver. To connect two switches, you'll need a crossover cable.
What's A "Geebic"?
A GBIC, pronounced "geebic", is a module that fits into a Gig Ethernet port. These modules are hot-swappable for easier migration to a new media type.
MAC Table
A switch uses Layer 2 addresses, more commonly referred to as MAC addresses, to forward or filter frames as needed. When a switch is first powered on, its MAC address table is empty. While a MAC table can be populated with static MAC entries, it's more efficient to have the switch learn the addresses dynamically. The switch does this by examining the source MAC address before deciding how to get the frame to the destination MAC address. When a switch examines the source MAC of a frame, the switch checks its MAC table to see if there's an entry for that address. If not, the switch adds that address to its MAC table along with the port used to reach that address.
Destination MAC Part 1

The switch will then check its MAC table for the destination MAC. There are four possibilities for that destination MAC:
The destination MAC is a unicast and there is no entry for the address in the MAC table. This frame will be flooded it will be sent out every switch port except the one it came in on. The destination MAC is a unicast and there is an entry for the address in the MAC table. In this case, the frame will be sent out only the port leading to the host with the proper destination MAC.
Destination MAC Part 2

The destination MAC is a unicast, and there is an entry for the address in the MAC table, AND the source and destination address are found off the same port. This frame will be filtered - it will not be forwarded at all by the switch. The destination MAC is a broadcast or multicast, in which case the frame will be sent out every port except the one it was received upon.
Content Addressable Memory Table

The official terminology for the MAC table is the CAM table, or Content Addressable Memory table. Depending on who you talk to, you'll hear this table called
the MAC address table the CAM table the bridging table
... but they're all the same thing.
Cisco Filename Part 1

Speaking of which, ever wonder what a Cisco filename means? Look at the IOS image filename on the switch we've been using in this section: c2950-i6q4l2-mz.121-19.EA1.bin Believe it or not, that mix of numbers and letters actually means something. There is a standard for IOS filenames, so as we decipher this filename, remember that you can use this method to do so with any IOS filename. c2950 - This one's easy, since we're working on a Catalyst 2950 switch.
Cisco Filename Part 2

i6q4l2 - This part describes the switch's feature set. The i at the beginning of this feature set description indicates a switch running an IP feature set. mz - The m indicates that the image is running in RAM; the z indicates a zip-compressed image. 121-19.EA1 - The 121 indicates the major IOS release version, 12.1. The 19 is the maintenance release. The E indicates an Early Deployment of features. A indicates the interim build level, in this case the first one ("A"). The 1 indicates the first build of that level, and finally the .bin indicates that the image file is a binary executable.
Autorecovery From An Err-Disabled State

A switch port will be placed into error-disabled state, referred to on the switch as err-disabled, under certain circumstances such as a violation of port security. By default, a port in errdisabled state has to be manually reopened. (The port LED will go out as well; as you'd suspect, a green LED indicates an active port.) You may have a situation where you want the port to reenable itself after a certain period of time, and this can be configured with the errdisable recovery interval command. Before doing so, though, you must define the causes from which the port can recover automatically. We'll use the "all" option here to allow the port to autorecover from any err-disabled state.
Virtual LANs (VLANs)

Why use VLANs Static and Dynamic VLANs Trunking ISL and Dot1q Troubleshooting Trunks The Native VLAN Dynamic Trunking Protocolynamic Trunking Protocol Trunking Modes VLAN Database Mode Design Guidelines End-to-end and Local VLANs
Reasons for VLANs Part 1

The most common reason for creating VLANs is to prevent the excess traffic caused by a switch's default behavior when it receives a broadcast. One of the first switching concepts you learned was that a switch that receives a broadcast will forward it out every other port on the switch except the one that it was originally received on.

We can use Virtual LANs (VLANs) to restrict broadcasts by creating logical groups of hosts. The physical location of the hosts does not matter, because these are virtual local area networks. When a switch receives a broadcast packet from a host in one particular VLAN, that switch will forward that broadcast only via ports that are in the same VLAN. By creating VLANs, you create multiple broadcast domains while also lowering the number of multicasts sent throughout the network. Cisco's best practice is to have one VLAN per IP subnet, and this is a best practice that works very well in the real world.
There's one more reason that may lead you to create VLANs. If you have a network segment with hosts whose very existence should not be known by the rest of the network, just put these hosts into their own VLAN. Unless you then make them known to the rest of the network via router-on-a-stick or a Layer 3 switch, these hosts will not be known or reachable by hosts in other VLANs.
Static VLAN
It's easy to put a port into a static VLAN, but there are two commands needed to do so. By default, these ports are running in dynamic desirable trunking mode, meaning that the port is actively attempting to form a trunk with a remote switch. The problem is that a trunk port belongs to all VLANs by default, and we want to put this port into a single VLAN only.
Speed and Duplex Settings

What if Hosts 1 and 2 still couldn't ping each other, even though they're obviously in the same subnet and the same VLAN? There are two places you should look that might not occur to you right away. First, check speed and duplex settings on the switch ports. Second, check the MAC table on the switch and make sure the hosts in question have an entry in the table to begin with.
VLAN Membership Policy Server Part 1

If we have "static VLANs", it follows that there is such a thing as a "dynamic VLAN". The configuration of dynamic VLANs is far out of the scope of the BCMSN exam, but as a CCNP you need to know the basics of VMPS - a VLAN Membership Policy Server. When you move a user from one port to another using static VLANs, you have to change the configuration of the switch to reflect these changes. Using VMPS results in these changes being performed dynamically, because the port's VLAN membership is decided by the source MAC address of the device connected to that port. (Yet another reason that the first value a switch looks at on an incoming frame is the source MAC address.)
VLAN Membership Policy Server Part 2 VMPS uses a TFTP server to help in this dynamic port assignment scheme. A database on the TFTP server that maps source MAC addresses to VLANs is downloaded to the VMPS server, and that downloading occurs every time you power cycle the VMPS server. VMPS uses UDP to listen to client requests.
VLAN Membership Policy Server Part 3

An interesting default of VMPS is that when a port receives a dynamic VLAN assignment, PortFast is automatically enabled for that port! There's no problem with PortFast being turned off on that port if you feel it necessary, but keep in mind that PortFast will run on a dynamic VLAN port by default. What if we had to move Host 1's connection to the switch to port 0/6? With static VLANs, we'd have to connect to the switch, configure the port as an access port, and then place the port into VLAN 12. With VMPS, the only thing we'd have to do is reconnect the cable to port 0/6, and the VMPS would dynamically place that port into VLAN 12. When dynamic VLANs are in use, the port number isn't important - the MAC address of the host connected to the port is the deciding factor regarding VLAN membership.
Some things to watch out for when configuring VMPS:

The VMPS server has to be configured before configuring the ports as dynamic. Again, PortFast is enabled by default when a port receives a dynamic VLAN assignment. If a port is configured with port security, that feature must be turned off before configuring a port as dynamic. Trunking ports cannot be made dynamic ports, since by definition trunking ports must belong to all VLANs. Trunking must be disabled to make a port a dynamic port.
10
Trunk Part 1
A trunk is a point-to-point connection between two physically connected switches that allows traffic to flow between the switches, regardless of the VLAN the traffic is destined for. By default, a trunk port is a member of all VLANs, so traffic for any and all VLANs can travel across this trunk. That includes broadcast traffic! How does the receiving switch know what VLAN the frame belongs to? The frames are tagged by the transmitting switch with a VLAN ID, reflecting the number of the VLAN whose member ports should receive this frame. When the frame arrives at the remote switch, that switch will examine this ID and then forward the frame appropriately.
Trunk Part 2
You may have had a CCNA flashback when I mentioned "dot1q"! There were quite a few differences between the trunking protocols ISL and dot1q, so let's review those before we examine a third trunking protocol that you didn't learn during your CCNA studies. For a trunk to form successfully, the ports must agree on the speed, the duplex setting, and the encapsulation type. Many Cisco switches offer the choice of ISL and IEEE 802.1q - and I can practically guarantee your BCMSN exam just might discuss these encap types! Let's take a detailed look at each right now.
ISL Part 1
ISL is Cisco-proprietary, making it unsuitable for a multivendor environment. That's one drawback, but there are others. ISL will place both a header and trailer onto the frame, encapsulating it. This increases the overhead on the trunk line. You know that the default VLAN is also known as the "native VLAN", and another drawback to ISL is that ISL does not use the concept of the native VLAN. This means that every single frame transmitted across the trunk will be encapsulated. The 26-byte header that is added to the frame by ISL contains the VLAN ID; the 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame's integrity.
11
ISL Part 2
In turn, this encapsulation leads to another potential issue. ISL encapsulation adds 30 bytes total to the size of the frame, potentially making them too large for the switch to handle. (The maximum size for an Ethernet frame is 1518 bytes. Frames larger than that are called giants.) For that reason, if one trunking switch is using ISL and its remote partner is not, the remote partner will consider the ISLencapsulated frames as giants.
Dot1q Part 1
In contrast, dot1q does not encapsulate frames. A 4-byte header is added to the frame, resulting in less overhead than ISL and resulting in a maximum frame size of 1522 bytes. If the frame is destined for hosts residing in the native VLAN, even that small header isn't added. Since the dot1q header is only 4 bytes in size, and isn't even placed on every frame, using dot1q lessens the chance of oversized frames. When the remote port receives an untagged frame, the switch knows that these untagged frames are destined for the native VLAN.
Dot1q Part 2
Other dot1q facts you should be familiar with:

Dot1q actually embeds the tagging information into the frame itself. You'll occasionally hear this referred to as internal tagging. Dot1q is the "open standard" or "industry standard" trunking protocol and is suitable for a multivendor environment. Dot1q does not change the destination MAC address in any way.
12
Point-to-point Protocols
Believe it or not, ISL and dot1q actually have something in common! They're both considered point-to-point protocols, since by definition a trunk only has two endpoints, and that's it - just like ISDN. Also notice that there's a 4-byte addition in both ISL and dot1q - make sure to have them straight: ISL: 4-byte trailer (with CRC value) dot1q: 4-byte header inserted into the frame
Gotchas Part 1
I've created a lot of trunks over the years, and I've bumped into quite a few "gotchas" that you might not think to look at in a production network.
For trunks to work properly, the port speed and port duplex setting should be the same on the two trunking ports. ISL switches don't care about the native VLAN setting, because they don't use the native VLAN to begin with. Giants are frames that are larger than 1518 bytes, and these can occur on ISL since they add 30 bytes to the frame. Some Catalyst switches have Cisco-proprietary hardware that allows them to handle the larger frames. Check the documentation for your switch to see if this is the case for your model.
Gotchas Part 2
Dot1q does add 4 bytes to the frame, but thanks to IEEE 802.3ac, the maximum frame length can be extended to 1522 bytes. (The opposite of a giant is a runt. While giants are too large to be successfully transmitted, runts are frames less than 64 bytes in size.) Both switches must be in the same VTP domain - watch those domain names, they're case-sensitive. If you're working on a multilayer switch (also called a "Layer 3 switch"), make sure the port you want to trunk is a Layer 2 port by configuring the interface-level command switchport on it. You can configure a 10, 100, or 1000 MBPS interface as a trunk. Changing the native VLAN on one switch does not dynamically change the native VLAN on a remote trunking partner.
13
Native VLAN
By default, the native VLAN is VLAN 1. The native VLAN is the VLAN the port will belong to when it is not trunking, regardless of whether it once was a trunk port. The native vlan can be changed with the switchport trunk native vlan command, but you should be prepared for an error message very quickly after configuring it on one side of the trunk. We'll change the native vlan setting on fast 0/11 on one side of an existing trunk and see what happens. Changing the native VLAN on one switch in a trunk does not automatically change it for the other switch!
switchport trunk encapsulation command Part 1

To manually configure a trunk port to run ISL or dot1q, use the switchport trunk encapsulation command.
Rack1SW1(config-if)#switchport trunk encapsulation ? dot1q Interface uses only 802.1q trunking encapsulation when trunking isl Interface uses only ISL trunking encapsulation when trunking negotiate Device will negotiate trunking encapsulation with peer on interface
switchport trunk encapsulation command Part 2

Notice that there's a third option, negotiate. The trunk ports will then negotiate between ISL and dot1q, and naturally it must be a protocol that both ports support. If the negotiating ports support both protocols, ISL will be selected. By the way, if you use IOS Help to display your switch's encapsulation choices, and there aren't any, that's a pretty good sign that your switch supports only dot1q!
SW1(config)#interface fast 0/11 SW1(config-if)#switchport trunk encapsulation ? % Unrecognized command
14
Dynamic Trunking Protocol

You learned about ISL and dot1q in your CCNA studies, but there's a third trunking protocol involved as well. The Ciscoproprietary Dynamic Trunking Protocol actively attempts to negotiate a trunk line with the remote switch. This sounds great, but there is a cost in overhead - DTP frames are transmitted every 30 seconds. If you decide to configure a port as a non-negotiable trunk port, there's no need for the port to send DTP frames. Also, if there's a device on the other end of the line that can't trunk at all - a firewall, for example - there's no need to send DTP frames. DTP can be turned off at the interface level with the switchport nonegotiate command, but as you see below, you cannot turn DTP off until the port is no longer in dynamic desirable trunking mode.
Trunk mode
Trunk mode means just that - this port is in unconditional trunk mode and cannot be an access port. Since this port cannot negotiate, it's standard procedure to place the remote port in trunk mode. Turning off DTP when you place a port in trunk mode is a great idea, because there's no use in sending negotiation frames every 30 seconds if no negotiation is necessary! Dynamic desirable is the default setting for most Cisco switch ports today. If the local switch port is running dynamic desirable and the remote switch port is running in trunk, dynamic desirable, or dynamic auto, a trunk will form. This is because a port in dynamic desirable mode is sending and responding to DTP frames. If you connect two 2950s with a crossover cable, a trunk will form in less than 10 seconds with no additional configuration needed.
Dynamic auto mode

Dynamic auto is the "oddball" trunking mode. A port configured as dynamic auto (often called simply "auto") will not actively negotiate a trunk, but will accept negotiation begun by the remote switch. As long as the remote trunk port is configured as dynamic desirable or trunk, a trunk line will form. It's important to note that this setting does not have to match between two potential trunk ports. One port could be in dynamic desirable and the other in trunk mode, and the trunk would come up. Is there a chance that two ports that are both in one of these three modes will not successfully form a trunk? Yes - if they're both in dynamic auto mode.
15
Naming VLANs
You can give your VLAN a more intuitive name with the name command.
VLAN database mode

You'll notice that all of the configurations in this study guide use the CLI commands to configure VLANs. There is a second way to do so, and that's using VLAN database mode. I personally don't like using this mode, because it's very easy to save your changes incorrectly - which of course means that your changes aren't saved! It's always a good idea to know how to do something more than one way in Ciscoland, though, so let's take a look at this mode. You enter this mode by typing vlan database at the command prompt.
Snowflakes Part 1
Learning to design anything from a class or study guide can be frustrating, because like snowflakes, no two networks are alike. What works well for "Network A" may be inefficient for "Network B". You need to know about the following VLAN design types for both the exam and the real world, but as always you've got to be able to apply your knowledge to your network's needs. In my BSCI Study Guide's discussion of Cisco's Three-Layer Hierarchical Networking Model, I mention that it's important to let the Distribution layer handle the "little things" in order to allow the core switches to do what they do best - switch!
16
Snowflakes Part 2
With VLAN design, we're looking at much the same scenario. If we don't control broadcast and multicast traffic, it can soon affect our network negatively, particularly if we allow it to flow through the core switches. Your VLAN scheme should keep as many broadcasts and multicasts away from the core switches as is possible. There are two major VLAN designs, end-to-end and local. Watch the details here, as one is following the 80/20 rule and the other is following the 20/80 rule.
End-to-End and Local VLANs Part 1

With end-to-end VLANs, the name is the recipe as end-to-end VLANs will span the entire network. The physical location of the user does not matter, as a user is assigned to a single VLAN, and that VLAN will remain the same no matter where the user is. End-to-end VLANs can come in handy as a security tool and/or when the hosts have similar resource requirements for example, if you had certain hosts across the network that needed access to a particular network resource, but you didn't even want your other hosts to know of the existence of that resource. However, I can tell you that this VLAN type is a real pain in the butt to configure. :)
End-to-End and Local VLANs Part 2

End-to-end VLANs should be designed with the 80/20 rule in mind, where 80 percent of the local traffic stays within the local area and the other 20 percent will traverse the network core en route to a remote destination. End-to-end VLANs must be accessible on every access-layer switch to accommodate mobile users.
17
Local VLANs
Local VLANs are designed with the 20/80 rule in mind. Local VLANs assume that 20 percent of traffic is local in scope, while the other 80 percent will traverse the network core. While physical location is unimportant in end-to-end VLANs, users are grouped by location in Local VLANs. More and more networks are using centralized data depositories, such as server farms - and even in the simplified network diagram above, the end user must go across a WAN to reach the server farm, another reason that 80/20 traffic patterns aren't seen as often as they were in the past.
VLAN Trunking Protocol (VTP)

Why use VTP? Configuring VTP VTP Modes VTP Advertisement Process Synchronization & Advertisement Details VTP Features & Versions The VLAN.DAT File VTP Secure Mode
VTP
VLAN Trunking Protocol (VTP) allows each switch in a network to have an overall view of the active VLANs. VTP also allows network administrators to restrict the switches upon which VLANs can be created, deleted, or modified.
18
Major Feature of VTP

Luckily, the major feature of VTP is the transmission of VTP advertisements that notify neighboring switches in the same domain of any VLANs in existence on the switch sending the advertisements. The key phrase there is "in the same domain". By default, Cisco switches are not in a VTP domain. Before working with VTP in a home lab or production network, run show vtp status. (The official term for a VTP domain is "management domain", but we'll just call them domains in this section. The only place you'll probably see that full phrase is on the exam.)
Server mode
In Server mode, a VTP switch can be used to create, modify, and delete VLANs. This means that a VTP deployment has to have at least one Server, or VLAN creation will not be possible. This is the default setting for Cisco switches. Switches running in Client mode cannot be used to create, modify, or delete VLANs. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes. VTP Transparent mode actually means that the switch isn't participating in VTP. (Bear with me here.) Transparent VTP switches don't synchronize their VTP databases with other VTP speakers; they don't even advertise their own VLAN information! Therefore, any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain, making them locally significant only.
VTP Versions
There are two versions of VTP, V1 and V2, and the main difference between the two versions affects how a VTP Transparent switch handles an incoming VTP advertisement. VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch is the same as that of downstream switches. VTP Version 2: The Transparent switch will forward VTP advertisements via its trunk port(s) even if the domain name does not match.
19
Switches
Which Switches Should Be Servers, Which Should Be Clients?

You have to decide this for yourself in your production network, but I will share a simple method that's always worked for me - if you can absolutely secure a switch, make it a VTP server. If multiple admins will have access to the switch, you may consider making that switch a VTP Client in order to minimize the chance of unwanted or unauthorized changes being made to your VLAN scheme.
The VTP Advertisement Process
VTP Advertisements are multicasts, but they are not sent out every port on the switch. The only devices that need the VTP advertisements are other switches that are trunking with the local switch, so VTP advertisements are sent out trunk ports only. The hosts in VLAN 10 in the following exhibit would not receive VTP advertisements.
Configuration revision Part 1
Along with the VTP domain name, VTP advertisements carry a configuration revision number that enables VTP switches to make sure they have the latest VLAN information. VTP advertisements are sent when there has been a change in a switch's VLAN database, and this configuration revision number increments by one before it is sent.
20
Configuration revision Part 2

SW1 received a VTP advertisement from SW2. Before accepting the changes reflected in the advertisement, SW1 compares the revision number in the advertisement to its own revision number. In this case, the revision number on the incoming advertisement was 2 and R1's revision number was 1. This indicates to SW11 that the information contained in this VTP advertisement is more recent than its own VLAN information, so the advertisement is accepted. If SW1's revision number had been higher than that in the VTP advertisement from SW2, the advertisement would have been ignored.
Potential issue
This brings up a potential issue that I've seen more than once in the real world. When you introduce a new switch into a VTP domain, you have to make sure that its revision number is zero - and that goes for Clients as well as Servers.
Revision number
I've seen this happen with switches that were brought it to swap out with a downed switch. That revision number has to be reset to zero! If you ever see VLAN connectivity suddenly lost in your network, but the switches are all functional, you should immediately check to see if a new switch was recently installed. If the answer is yes, I can practically guarantee that the revision number is the issue.
21
Cisco Theory
Cisco theory holds that there are two ways to reset a switch's revision number to zero:
Change the VTP domain name to a nonexistent domain, then change it back to the original name. Change the VTP mode to Transparent, then change it back to Server.
VTP Advertisements
There are three major types of VTP advertisements - here's what they are and what they do. Keep in mind that Cisco switches only accept VTP advertisements from other switches in the same VTP domain. Summary Advertisements are transmitted by VTP servers every 5 minutes, or upon a change in the VLAN database. Information included in the summary advertisement:
VTP domain name and version Configuration revision number MD5 hash code Timestamp Number of subset advertisements that will follow this ad
Subset Advertisements
Subset Advertisements are transmitted by VTP servers upon a VLAN configuration change. Subset ads give specific information regarding the VLAN that's been changed, including:
Whether the VLAN was created, deleted, activated, or suspended The new name of the VLAN The new Maximum Transmission Unit (MTU) VLAN Type (Ethernet, Token Ring, FDDI)
22
Client Advertisement Requests

Client Advertisement Requests are just that - a request for VLAN information from the client. Why would a client request this information? Most likely because the VLAN database has been corrupted or deleted. The VTP Server will respond to this request with a series of Summary and Subset advertisements.
VTP Pruning
Trunk ports belong to all VLANs, which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the remote switch actually has ports in that VLAN or not!
Enabling pruning
Enabling pruning on one VTP Server actually enables pruning for the entire domain, but I wanted to show you that a switch has to be in Server mode to have pruning enabled. It doesn't hurt anything to enter the command vtp pruning on all Servers in the domain, but it's unnecessary.
23
show vtp status
By now, you've probably noticed that the first field in the readout of show vtp status is the VTP version. The first version of VTP was VTP Version 1, and that is the default of some older Cisco switches. The next version was Version 2, and that's the default on many newer models, including the 2950. As RIPv2 has advantages over RIPv1, VTP v2 has several advantages over VTPv1. Version 2 supports Token Ring VLANs and Token Ring switching, where Version 1 does not.
Consistency check
When changes are made to VLANs or the VTP configuration at the command-line interface (CLI), Version 2 will perform a consistency check. So what's being checked? VLAN names and numbers. This helps to prevent incorrect / inaccurate names from being propagated throughout the network. A switch running VTPv2 and Transparent mode will forward VTP advertisements received from VTP Servers in that same domain.
write erase
Those of you with switches in your home labs have probably run into this situation. You run a write erase on your routers, reload them, and since NVRAM is now empty, you're prompted to go into setup mode. All IP addressing, routing protocols, static routes - everything's gone.
24
VTP password
By setting a VTP password, you place the entire VTP domain into Secure Mode. Every switch in the domain must have a matching password.
VTP Configuration Tips

Unless you have a very good reason to put a switch into Transparent mode, stick with Server and Client. Not only does this ensure that the VTP databases in your network will be synchronized, but it causes less confusion in the future for other network admins who don't understand Transparent mode as well as you do. :) Some campus networks will have switches that can be easily secured - the ones in your network control room, for example - and others that may be more accessible to others. Your VTP Servers should be the switches that are accessible only by you and a trusted few. Don't leave every switch in your VTP domain at the default of Server, or you've made it possible to create and delete VLANs on every switch in your network.
Spanning Tree Protocol (STP)

Switching Basics BPDUs & the Root Bridge Election Root Port Selection & Cost STP Port States & Timers Making a Nonroot Switch the Root Why and How TCN BPDUs Load Sharing with the port-priority command Extended System ID Failure
25
Unknown unicast frames

Unknown unicast frames are frames destined for a particular host, but there is no MAC address table entry for that destination. Unknown unicast frames are forwarded out every port except the one they came in on. Under no circumstances will a switch send a frame back out the same port it came in on. Broadcast frames are destined for all hosts, while multicast frames are destined for a specific group of hosts. Broadcast and multicast frames are also forwarded out every port except the one they came in on. Known unicast frames are frames destined for a particular host, and this destination host has an entry in the switch's MAC table. Such a frame would be forwarded only out the appropriate port.
The Role Of BPDUs

BPDUs are transmitted every two seconds to the wellknown multicast MAC address 01-80-c2-00-00-00. (It might not have been well-known to you before, but it is now!) We've actually got two different BPDU types:
Topology Change Notification (TCN) Configuration
We'll talk about TCNs later in this section, but for now it's enough to know that the name is the recipe - a switch sends a TCN when there is a change in the network topology.
Configuration BPDUs
Configuration BPDUs are used for the actual STP calculations. Once a root bridge is elected, only that root bridge will originate Configuration BPDUs; the non-root bridges will forward copies of that BPDU. BPDUs also carry out the election to decide which switch will be the Root Bridge. The Root Bridge is the "boss" of the switching network - this is the switch that decides what the STP values and timers will be. Each switch will have a Bridge ID Priority value, more commonly referred to as a BID. This BID is a combination of a default priority value and the switch's MAC address, with the priority value listed first. For example, if a Cisco switch has the default priority value of 32,768 and a MAC address of 11-22-33-44-55-66, the BID would be 32768:11-22-3344-55-66. Therefore, if the switch priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election.
26
Root port
The port that SW2 is using to reach the root bridge is called the root port, and it wasn't selected at random. Each switch port has an assigned Path Cost, and this Path Cost is used to arrive at the Root Path Cost. The BPDU actually carries the Root Path Cost, and this cost increments as the BPDU is forwarded throughout the network. A port's Path Cost is locally significant only and is unknown by downstream switches.
The root bridge
The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BDPU, that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. Root Path Cost increments as BPDUs are received, not sent. That new root path cost value will be reflected in the BDPU that switch then sends out.
The Path Cost
The Path Cost is locally significant only. In the previous example, SW3 doesn't have any idea what the Path Cost on SW2 is, and doesn't particularly care. No switch downstream of SW3 will know of any Path Costs on SW2 or SW3 the downstream switches will only see the cumulative cost, the Root Path Cost.
27
Process of choosing a Root Port

Here's the process of choosing a Root Port, and how these steps factored into SW2's decision-making process.
Choose the port receiving the superior BPDU. By "superior BPDU", we mean the one with the lowest BID. The BPDUs are coming from the same switch - SW1 - so this is a tie. Choose the port with the lowest Root Path Cost to the root bridge. That's a tie here, too. Choose the port receiving the BPDU with the lowest Sender BID. Since the same switch is sending both BPDUs, that's a tie here as well. Choose the lowest Port ID. That was the tiebreaker here.
How Root Path Costs Are Determined The default STP Path Costs are determined by the speed of the port. These path costs have changed from their original values, so you'll be shown both here. The costs we'll see on the switches in this section are the revised costs.
10 MBPS Port: Originally 100, still 100 100 MBPS Port: Originally 10, now 19 1 GBPS Port: Originally 1, now 4 10 GBPS Port: Originally 1, now 2
Changing A Port's Path Cost
Like other STP commands and features, this is another command that you should have a very good reason for configuring before using it. Make sure to add up the Root Path Cost for other available paths before changing a port's Path Cost to ensure you're getting the results you want - or perhaps avoid results you don't want! In the following example, SW2 shows a Path Cost of 19 for both ports 0/11 and 0/12.
28
STP port state Part 1
Disabled isn't generally thought of as an STP port state; you're not going to look into the STP table of a VLAN and see "DIS" next to a port. Cisco does officially consider this to be an STP state, though. A disabled port is one that is administratively shut down. A disabled port obviously isn't forwarding frames, but it's not even officially taking place in STP.
STP port state Part 2

Once the port is opened, the port will go into blocking state. As the name implies, the port can't do much in this state - no frame forwarding, no frame receiving, and therefore no learning of MAC addresses. About the only thing this port can do is accept BPDUs from neighboring switches. A port will then go from blocking mode into listening mode. The obvious question is "listening for what?" Listening for BPDUs - and this port can now send BPDUs as well. The port still can't forward or receive data frames, and the MAC address table is not yet being updated.
learning mode
When the port goes into learning mode, it's not yet forwarding frames, but the port is learning MAC addresses by adding them to the switch's MAC address table. Finally, a port enters forwarding mode. This allows a port to forward and receive data frames, send and receive BPDUs, and place MAC addresses in its MAC table. To see the STP mode of a given interface, use the show spanning-tree interface command.
29
Timers Part 1
You may remember these timers from your CCNA studies as well, and you should also remember that these timers should not be changed lightly. What you might not have known is that if you decide to change any and all of these timers, that change must be configured on the root bridge! The root bridge will inform the nonroot switches of the change via BPDUs. Don't believe me? :) We'll prove that very shortly. Right now, let's review the STP timer basics.
Timers Part 2
Hello Time defines how often the Root Bridge will originate Configuration BPDUs. By default, this is set to 2 seconds. Forward Delay is the length of both the listening and learning STP stages, with a default value of 15 seconds. Maximum Age, referred to by the switch as MaxAge, is the amount of time a switch will retain the superior BPDU's contents before discarding it. The default is 20 seconds.
Example 1
SW3(config)#spanning vlan 20 root primary SW3#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011.9375.de00 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24596 (priority 24576 sys-id-ext 20) Address 0011.9375.de00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15
30
Example 2
SW2#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011.9375.de00 Cost 19 Port 24 (FastEthernet0/22) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0018.19c7.2700 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
Example 3
SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011.9375.de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0019.557d.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
Example 4
SW1(config)#spanning vlan 20 root secondary SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011.9375.de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Bridge ID
Forward Delay 15 sec
Priority 28692 (priority 28672 sys-id-ext 20) Address 0019.557d.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
31
spanning-tree vlan root

Ever wondered how the STP process decides what priority should be set when the spanning-tree vlan root command is used? After all, we're not configuring an exact priority with that command. Here's how the STP process handles this:
If the current root bridge's priority is greater than 24,576, the switch sets its priority to 24576 in order to become the root. You saw that in the previous example. If the current root bridge's priority is less than 24,576, the switch subtracts 4096 from the root bridge's priority in order to become the root.
Where Should The Root Bridge Be Located?
I'm sure you remember the Cisco Three-Layer Hierarchical Model, which lists the three layers of a switching network - Core, Distribution, and Access. Access switches are those found closest to the end users, and the root bridge should not be an access-layer switch. Ideally, the root bridge should be a core switch, which allows for the highest optimization of STP.
Topology Change Notifications (TCNs)
Configuration BPDUs are originated only by the root bridge, but a TCN BPDU will be generated by any switch in the network when one of two things happen:
A port goes into Forwarding mode A port goes from Forwarding or Learning mode into Blocking mode
While the TCN BPDU is important, it doesn't give the other switches a lot of detail. The TCN doesn't say exactly what happened, just that something happened.
32
Default aging time
This indicates to all receiving switches that the default aging time for their MAC tables should be changed from the default of 5 minutes to whatever the Forward Delay value is - by default, that's 15 seconds. (Another reason to be careful, if not downright hesitant, to start adjusting STP timers.) A natural question is "How long will the aging time for the MAC table stay at the Forward Delay value?" Here's the quick formula for the answer: (Forward Delay) + (Max Age) Assuming the default settings, that's a total of 35 seconds... and yet another reason to consider leaving the STP timers at their defaults!
TCNs And The Portfast Exception
Cisco switching veterans just know that Portfast has to get involved here somewhere! Portfastenabled ports cannot result in TCN generation, which makes perfect sense. The most common usage of Portfast is when a single PC is connected directly to the switch port, and since such a port going into Forwarding mode doesn't impact STP operation, there's no need to alert the entire network about it.
Load Sharing With The portpriority Command

We can actually change a port's priority for some VLANs and leave it at the default for other VLANs in order to perform load balancing over a trunk. Let's take a look at the default behavior of a trunk between to switches when we have ten VLANs, and then change this behavior just a bit with the port-priority command. I've created ten VLANs, 11 - 20, for this example. SW1 is the root for all ten VLANs. Before we go forward, using your knowledge of switching, how many port or ports in this example will be in STP Blocking mode? Which one(s)?
33
The Extended System ID Feature

Earlier in this section, we took a look at part of a switch's configuration and saw this line: spanning-tree extend system-id Defined in IEEE 802.1t, the Extended System ID feature greatly extends the number of STP instances that can be supported by the switch, which in turn allows the switch to support up to 4096 VLANs. The extended VLANs will be numbered 1025 - 4096. You can't use this feature on all Cisco switches, though. It is enabled by default on 2950 and 3550 switches with an IOS version of 12.1(8)EA or later.
The BID priority
The BID priority is the default priority of 32768 plus the System ID Extension value (sys-id-ext). The sys-id-ext value just happens to be the VLAN number, so the BID priority is 32768 + 20, which equals 32788. Some switches running CatOS can support this feature; with those switches, it's called STP MAC Address Reduction. Disabled by default, it can be enabled with the set spantree macreduction command. (set commands are run on CatOS switches only - IOS-based switches use the CLI commands you see throughout this book.)
Advanced STP Features
Portfast, Uplinkfast, Backbonefast Root Guard, BPDU Guard, Loop Guard UDLD, BPDU Skew Detection Rapid STP, PVST, PVST+, CST, MST
34
Portfast
You should remember this one from your CCNA studies! Suitable only for switch ports connected directly to a single host, Portfast allows a port running STP to go directly from blocking to forwarding mode.
Uplinkfast
When a port goes through the transition from blocking to forwarding, you're looking at a 50second delay before that port can actually begin forwarding frames. Configuring a port with Portfast is one way to get around that, but again, you can only use it when a single host device is found off the port. What if the device connected to a port is another switch?
Details regarding Uplinkfast
Some additional details regarding Uplinkfast:

The actual transition from blocking to forwarding isn't really "immediate" - it actually takes 1 - 3 seconds. Next to a 50-second delay, that certainly seems immediate! Uplinkfast cannot be configured on a root switch. When Uplinkfast is enabled, it's enabled globally and for all VLANs residing on the switch. You can't run Uplinkfast on some ports or on a per-VLAN basis - it's all or nothing.
35
Root port
The original root port will become the root port again when it detects that its link to the root switch has come back up. This does not take place immediately. The switch uses the following formula to determine how long to wait before transitioning the original root port back to the forwarding state: ( 2 x FwdDelay) + 5 seconds
Immediate action
Uplinkfast will take immediate action to ensure that a switch cannot become the root switch -- actually, two immediate actions!
First, the switch priority will be set to 49,152, which means that if all other switches are still at their default priority, they'd all have to go down before this switch can possibly become the root switch. Additionally, the STP Port Cost will be increased by 3000, making it highly unlikely that this switch will be used to reach the root switch by any downstream switches.
Where To Apply Uplinkfast

As with all the topics in this section, it's not enough to know the definition of Uplinkfast and what it does you've got to know where to configure it for best results. Uplinkfast is a wiring-closet switch feature - it's not recommended for core and distribution-layer switches. Uplinkfast should be configured only on access-layer switches. It's a safe bet that the root switches are going to be found in the core layer, and the switches that are farthest away from the root switches will be the access switches. The access switches will be the ones closest to the end users.
36
Backbonefast
Uplinkfast and Portfast are great, but they've got limitations on when they can and should be run. You definitely can't run either one in a network backbone, but the Cisco-proprietary feature Backbonefast can be used to help recover from indirect link failures. The key word there is indirect. If a core switch detects an indirect link failure - a failure of a link that is not directly connected to the core switch in question - Backbonefast goes into action. This indirect link failure is detected when an inferior BPDU is received. When BackboneFast is configured, this process skips the MaxAge stage. While this does not eliminate delays as efficiently as PortFast and UplinkFast, but the delay is cut from 50 seconds to 30. (MaxAge's default value is 20 seconds, but the 15-second Listening and Learning stages still have to run.)
Root Link Query
BackboneFast uses the Root Link Query (RLQ) protocol. RLQ uses a series of requests and responses to detect indirect link outages. RLQ requests are transmitted via the ports that would normally be receiving BPDUs. The purpose of these RLQ requests is to ensure that the local switch still has connectivity to the root switch. The RLQ request identifies the bridge that is considered the root bridge, and the RLQ response will identify the root bridge that can be accessed via that port. If they're one and the same, everything's fine.
RLQ Request
Upon receiving a RLQ request, a switch will answer immediately under one of two conditions:
The receiving switch is indeed the root bridge named in the RLQ request The receiving switch has no connectivity to the root bridge named in the RLQ request, because it considers another switch to be the root bridge
The third possibility is that the receiving switch is not the root, but considers the root switch named in the RLQ request to indeed be the root switch. In that case, the RLQ request is relayed toward the root switch by sending it out the root port.
37
BackboneFast into action

To put BackboneFast into action in our network, we have to know more than the command! We've got to know where to configure it as well. Since all switches in the network have to be able to send, relay, and respond to RLQ requests, and RLQ is enabled by enabling BackboneFast, every switch in the network should be configured for BackboneFast when using this feature.
Root Guard
Root Guard is configured at the port level, and disqualifies any switch that is downstream from that port from becoming the root or secondary root. Root Guard will actually block that superior BPDU, discard it, and put the port into rootinconsistent state. When those superior BPDUs stop coming, SW3 will allow that port to transition normally through the STP port states.
BPDU Guard
BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled.
38
PortFast BPDU Filtering

What if you don't want the port to be put into err-disabled state when it receives a BPDU? You can use BPDU Filtering, but you have to be careful how you configure it - this feature works differently when it's configured globally as opposed to configuring it on a per-interface level.
Globally enabling BPDU Filtering will have a PortFastenabled port stop running PortFast when the port receives a BPDU. Enabling BPDU Filtering on a specific port or ports, rather than enabling it globally, will result in received BPDUs being quietly ignored. Those incoming BPDUs will be dropped, and the port will not send any BPDUs in return.
Unidirectional Link Detection (UDLD)

Most problems involving the physical link will make data transfer in either direction impossible. Particularly with fiber optic, there are situations where a physical layer issue disables data transfer in one direction, but not the other. UDLD has two modes of operation, normal and aggressive. When a unidirectional link is detected in normal mode, UDLD generates a syslog message but does not shut the port down.
Normal mode
When a unidirectional link is detected in normal mode, UDLD generates a syslog message but does not shut the port down. In aggressive mode, the port will be put into error disabled state ("err-disabled") after eight UDLD messages receive no echo from the remote switch. Why is it called "aggressive"? Because the UDLD messages will go out at a rate of one per second when a potential unidirectional link is found.
39
Duplex Mismatches And Switching Loops
A duplex mismatch between two trunking switches isn't quite a unidirectional link, but it can indeed lead to a switching loop. You're not often going to change switch duplex settings, especially on trunk ports, but if you change one switch port's duplex setting, change that of any trunking partner! Believe it or not, the switching loop potential is caused by CSMA/CD! The full-duplex port will not perform CSMA/CD, but the half-duplex port will. The problem comes in when the half-duplex port listens to the segment, hears nothing, and sends frames as it normally would under CSMA/CD rules...
Loop Guard
We've had BPDU Guard, Root Guard, and now... Loop Guard! You can probably guess that the "loop" being guarded against is a switching loop... but how does Loop Guard prevent switching loops? Let's revisit an earlier example to see how the absence of BPDUs can result in a switching loop. Loop Guard does not allow a port to go from blocking to forwarding in this situation. With Loop Guard enabled, the port will go from blocking to loop-inconsistent, which is basically still blocking mode, and a switching loop will not form
BPDU Skew Detection

You may look at that feature's name and think, "What is a BPDU Skew, and why do I want to detect it?" What we're actually attempting to detect are BPDUs that aren't being relayed as quickly as they should be. After the root bridge election, the root bridge transmits BPDUs, and the non-root switches relay that BPDU down the STP tree. This should happen quickly all around, since the root bridge will be sending a BPDU every two seconds by default ("hello time"), and the switches should relay the BDPUs fast enough so every switch is seeing a BPDU every two seconds.
40
Rapid Spanning Tree Protocol

So you understand STP, and you've got all these STP features down - and now here's another kind of STP! Specifically, it's RSTP, or Rapid Spanning Tree Protocol. RSTP is defined by IEEE 802.1w, and is considered an extension of 802.1d. Root bridges are still elected with RSTP, but the port roles themselves are different between STP and RSTP. Let's take a look at the RSTP port roles in the following three-switch network, where SW1 is the root. Note that SW3 has multiple connections to the ethernet segment.
Transition States
Let's compare the transition states: STP: disabled > blocking > listening > learning > forwarding RSTP: discarding > learning > forwarding
Port types unique to RSTP
There are other port types unique to RSTP. You know what a root port is, but RSTP also has edge ports and point-to-point ports. An edge port is just what it sounds like - a port on the edge of the network. In this case, it's a switch port that is connected to a single host, most likely an end user's PC. An edge port will operate just like an STP port that is running Portfast. A point-to-point port is any port that is connected to another switch and is running in full-duplex mode.
41
Edge Ports And RSTP Topology Changes

Edge ports play a role in when RSTP considers a topology change to have taken place. Rather, I should say that they don't play a role, because RSTP considers a topology change to have taken place when a port moves into Forwarding mode - unless that port is an edge port. When an edge port moves into Forwarding mode, RSTP doesn't consider that a topology change, since only a single host will be connected to that particular port. When a topology change is discovered by a switch running RSTP, that switch sends BPDUs with the Topology Change (TC) bit set
Difference between STP and RSTP
Another major difference between STP and RSTP is the way BPDUs are handled. With STP, only the root bridge is sending BPDUs every two seconds; the nonroot bridges simply forward, or relay, that BPDU when they receive it. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time, the interval at which switches send BPDUs, is two seconds in both STP and RSTP.)
Detecting Link Failures
This change not only allows all switches in the network to have a role in detecting link failures, but discovery of link failures is faster. Why? Because every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning that port. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.
42
MaxAge timer
When a switch running STP misses a BPDU, the MaxAge timer begins. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. By default, MaxAge is 20 seconds. When a switch running RSTP misses three BPDUs, it will immediately are out the superior BPDU's information and begin the STP recalculation process. Since the default hello-time is 2 seconds for both STP and RSTP, it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed.
BPDU format
The BPDU format is the same for STP and RSTP, but RSTP uses all flag bits available in the BPDU for various purposes including state negotiation between neighbors, but STP uses only the Topology Change (TC) and Topology Change Ack (TCA) flags. The details of this negotiation are out of the scope of the BCMSN exam, but can easily be found on the Internet by searching for "RSTP" in your favorite search engine. The RSTP BPDU is also of a totally different type (Type 2, Version 2), which allows an RSTP-enabled switch to detect older switches. Switching features we looked at earlier in this section Uplinkfast, Portfast, and Backbonefast are built-in to RSTP.
Per-VLAN Spanning Tree Versions (PVST and PVST+)

The ultimate "the name is the recipe" protocol, the Ciscoproprietary PVST, well, runs a separate instance of STP for each VLAN! The Good: PVST does allow for much better fine-tuning of spanning-tree performance than does regular old STP. The Bad: Running PVST does mean extra work for your CPU and memory. The Ugly: PVST is Cisco-proprietary, so it must run over the Cisco-proprietary trunking protocol - ISL.
43
PVST
PVST doesn't play well at all with CST, so Cisco came up with PVST+. PVST+ is described by Cisco's website as having the same functionality as PVST, with the + version using dot1q rather than ISL. PVST+ is Ciscoproprietary as well. PVST+ can serve as an intermediary between groups of PVST switches and switches running CST; otherwise, the groups wouldn't be able to communicate. Using PVST+ along with CST and PVST can be a little difficult to fine-tune at first, but this combination is running in many a network right now - and working fine!
Rapid Per-VLAN Spanning Tree Plus (RPVST +)

Now there's a mouthful!
Cisco being Cisco, you just know they have to have their own version of STP! Per-VLAN Spanning Tree Plus (PVST+) is just what it sounds like - every VLAN has its own instance of STP running. PVST+ allows per-VLAN load balancing and is also Cisco-proprietary. If you configure a switch running PVST+ to use RSTP, you end up with RPVST+ - Rapid Per-VLAN Spanning Tree Plus. The good news is that the command is very simple, and we'll use IOS Help to look at some other options:
Multiple Spanning Tree

Defined by IEEE 802.1s, Multiple Spanning Tree gets its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP, rather than having an instance for every VLAN in the network. MST serves as a middle ground between STP and PVST. CST (Common Spanning Tree) uses a single instance of STP, PVST has an instance for every VLAN, and MST allows you to reduce the number of STP instances without knocking it all the way back to one. MST was designed with enterprise networks in mind, so while it can be very useful in the right environment, it's not for every network.
44
Configuration of MST
The configuration of MST involves logically dividing the switches into regions, and the switches in any given region must agree of the following:
The MST configuration name The MST instance-to-VLAN Mapping table The MST configuration revision number
If any of these three values are not agreed upon by two given switches, they are in different regions. Switches send MST BPDUs that contain the configuration name, revision number, and a digest value derived from the mapping table.
MST configurations
MST configurations can become quite complex and a great deal of planning is recommended before implementing it. No matter the size of the network, however, keep the central point in mind - the purpose of MST is to map multiple VLANs to a lesser number of STP instances. A good way to get a mental picture of the interoperability of MST and CST is that CST will cover the entire network, and MST is a "subset" of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subnets, and it's MST's job to keep a loop-free topology in the MST region. CST doesn't know what's going on inside the region, and it doesn't want to know.
IST
The "IST" in each region stands for Internal Spanning Tree, and it's the IST instance that is responsible for keeping communications in the MST Region loop-free. Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 through 15. MSTI 0 is reserved for the IST instance, and only the IST is going to send MST BPDUs. Occasionally the first ten MST instances are referred to as "00" - "09". These are not hex values - they're regular old decimals. Here's the good part -- there's no such thing as "VTP For MST". Each and every switch in your MST deployment must be configured manually. (No, I'm not kidding!) When you create VLAN mappings in MST, you've got to configure every switch in your network with those mappings - they're not advertised.
45
Enabling MST Part 1

A good place to start is to enable MST on the switch: SW2(config)# spanning-tree mode mst The name and revision number must now be set. SW2(config)# spanning-tree mode mst configuration SW2(config-mst)# name REGION1 SW2(config-mst)# revision 1
Enabling MST Part 2

To map VLANs to a particular MST instance: SW2(config-mst)# instance 1 10,13, 14-20 Note that I could use commas to separate individual VLANs or use a hyphen to indicate a range of them. When mapping VLANs, remember that by default all VLANs will be mapped to the IST.
Why Does Anyone Run STP Instead Of PVST? Like the TCP vs. UDP argument from your CCNA studies, this seems like a bit of a nobrainer. STP: 100 VLANs results in one STP process PVST: 100 VLANs results in 100 STP processes, allowing for greater flexibility with trunk usage (per-VLAN load balancing, for example)
46
Etherchannels
Etherchannels
Etherchannels aren't just important for your BCMSN studies, they're a vital part of many of today's networks. Knowing how to configure and troubleshoot them is a vital skill that any CCNP must have. Etherchannels are part of the CCNA curriculum, but many CCNA books either leave Etherchannels out entirely or mention them briefly. You may not have even seen an Etherchannel question on your CCNA exam, so we're going to begin this section with a review of what an Etherchannel is and why we would configure one. After that review, we'll begin an in-depth examination of how Etherchannels work, and I'll show you some real-world examples of common Etherchannel configuration errors to help you master this skill for the BCMSN exam and for the real world.
Logical Bundling
An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. This bundling of trunks is also referred to as aggregation. This provides greater throughput, and is another effective way to avoid the 50-second wait between blocking and forwarding states in case of a link failure. Spanning-Tree Protocol (STP) considers an Etherchannel to be one link. If one of the physical links making up the logical Etherchannel should fail, there is no STP reconfiguration, since STP doesnt know the physical link went down. STP sees only the Etherchannel, and a single link failure will not bring an Etherchannel down. Etherchannels use the Exclusive OR (XOR) algorithm to determine which channel in the EC to use to transmit data to the remote switch.
47
Logical Link
If one of the three physical links goes down, STP will not recalculate. While some bandwidth is obviously lost, the logical link itself stays up. Data that is traveling over the downed physical link will be rerouted to another physical link in a matter of milliseconds - it will happen so fast that you won't even hear about it from your end users!
Negotiating An Etherchannel
There are two protocols that can be used to negotiate an etherchannel. The industry standard is the Link Aggregation Control Protocol (LACP), and the Ciscoproprietary option is the Port Aggregation Protocol (PAgP). PAgP packets are sent between Cisco switches via ports that have the capacity to be placed into an etherchannel. First, the PAgP packets will check the capabilities of the remote ports against those of the local switch ports. The remote ports are checked for two important values.
Remote Port Group
The remote port group number must match the number configured on the local switch The device ID of all remote ports must be the same - after all, if the remote ports are on separate switches, that would defeat the purpose of configuring an etherchannel!
48
PAgP
PAgP also has the capability of changing a characteristic of the etherchannel as a whole if one of the ports in the etherchannel is changed. If you change the speed of one of the ports in an etherchannel, PAgP will allow the etherchannel to dynamically adapt to this change. The industry standard bundling protocol defined in 802.3ad, LACP assigns a priority value to each port that has etherchannel capability. You can actually assign up to 16 ports to belong to an LACP-negotiated etherchannel, but only the eight ports with the lowest port priority will be bundled. The other ports will be bundled only if one or more of the bundled ports fails.
PAgP and LACP

PAgP and LACP use different terminology to express the same modes. PAgP has a dynamic mode and auto mode. A port in dynamic mode will initiate bundling with a remote switch, while a port in auto mode waits for the remote switch to do so. LACP uses active and passive modes, where active ports initiate bundling and passive ports wait for the remote switch to do so. There's a third option, on, which means that there is no negotiation at all. Personally, this is the one I use in real-world networks, but it's a real good idea to know all about PAgP and LACP.
Initiating EC
You can see the different terminology LACP and PAgP use for the same results - "active" and "desirable" for the local port to initiate the EC, "auto" and "passive" if the remote port is going to initiate the EC. To enable the etherchannel with no negotiation, use the on option. For an EC to form, LACP must have at least one of the two ports on each physical link set for "active"; if both ports are set to "passive", no EC will be built. The same can be said for PAgP and the settings "auto" and "desirable" - if both ports are set to auto, the link won't join the EC. To verify both PAgP and LACP neighbors, you can use the show pagp neighbor and show lacp neighbor commands.
49
Troubleshooting EtherChannels
Once you get an EC up and running, it generally stays that way - unless a port setting changes. From personal experience, here are a few things to watch out for: Changing the VLAN assignment mode to dynamic. Ports configured for dynamic VLAN assignment from a VMPS cannot remain or become part of an EC. The allowed range of VLANs for the EC must match that of the ports. Here's a reenactment of an EC issue I ran into once. The configuration of the channel-group looked just fine
Error Message
interface FastEthernet0/11 switchport trunk allowed vlan 10,20 no ip address channel-group 1 mode on ! interface FastEthernet0/12 switchport trunk allowed vlan 100,200 no ip address channel-group 1 mode on
.. but notice that the allowed VLANs on these two ports is different. That will prevent an EC from working correctly. Here's the error message that occurs in a scenario like this:
02:46:10: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different)
EC Error
When I remove the original command, I get the EC error message again, but once I change port 0/12's config to match 0/11's, the EC forms.
SW1(config)#int fast 0/12 SW1(config-if)#no switchport trunk allowed vlan 100,200 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) SW1(config-if)#switchport trunk allowed vlan 10,20 02:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
50
Changing Port Attribute
Changing a port attribute. Ports need to be running the same speed, duplex, native VLAN, and just about any other value you can think of! If you change a port setting and the EC comes down, you know what to do - change the port setting back!
Securing the Switches

Introduction to AAA Port Security & Dot1x Port-Based Authentication SPAN VLAN ACLs Private VLANs DHCP Snooping, Dynamic ARP Inspection, IP Secure Guard MAC Address Flooding & VLAN Hopping Attacks
Physical security
Physical security - lock those servers, routers, and switches up! This is the most basic form of network security, and it's also the most ignored. Passwords - set 'em, change 'em on occasion (and that occasion should not be the Millennium) Different privilege levels - not every user needs the same level of access to potentially destructive commands. Grant remote access only to those who absolutely, positively need it.
51
AAA
You may have heard or read the acronym AAA in Cisco switch documentation. This stands for Authentication, Authorization, and Accounting - and you didn't know it, but you're already working with AAA. Well, "A", anyway! The passwords we've set here are part of Authentication, and this local database of passwords is just one method of authenticating users. We can also use RADIUS servers (Remote Authentication Dial-In User Service, a UDP service) or TACACS+ servers (Terminal Access Controller Access Control System, a TCP service). Both RADIUS and TACACS+ offer a lot of options. We're going to look at a basic switch config that could get us started with either. First, we've got to enable AAA on the switch. (This is not required if only the local database will be used.)
Authorization
The second A is Authorization, and we've already configured a little of that as well. Assigning the right to perform given tasks is Authorization, and when we granted one of our Telnet users privilege level 15, we authorized that user to pretty much do what they want to do. While RADIUS is limited in the different levels of authorization, TACACS+ can be configured to force the user to be authenticated for any of the tasks seen here in IOS Help.
Accounting
For some of us, this is the best part of AAA - Accounting. As in, "holding people accountable for what they do!" Accounting will use a RADIUS or TACACS+ server to track user activity. As with the previous AAA services, a method list must be defined:
52
Port Security
Here's another basic security feature that's regularly overlooked, but is very powerful. Port security uses a host's MAC address as a password, and if a device with a different MAC address sends frames to the switch on that port, the port will take action - by default, it will shut down.
Little gotcha
There is a little "gotcha" with port security that you need to be aware of. You can specify the number of secure MAC addresses, and you can specify secure MAC addresses as well. What if you allow for more secure MAC address than you actually configure manually, as shown below?
SW1(config-if)#switchport SW1(config-if)#switchport SW1(config-if)#switchport aaaa.aaaa.aaaa SW1(config-if)#switchport cccc.cccc.cccc port-security port-security maximum 3 port-security mac-address port-security mac-address
Port Security Feature
Port security is a great feature, but you can't run it on all ports. There are a few port types that you can't configure with port security:
trunk ports ports placed in an Etherchannel destination SPAN port 802.1x ports
53
Dot1x Port-Based Authentication

Port security is good, but we can take it a step further with dot1x port-based authentication. The name refers to IEEE 802.1x, the standard upon which this feature is based. Unusually enough, the Cisco authentication server must be RADIUS - you can't use TACACS or TACACS+. One major difference between dot1x port-based authentication and port security is that both the host and switch port must be configured for 802.1x EAPOL (Extensible Authentication Protocol over LANs). That's a major departure from many of the switch features we've studied to date, since most other switch features don't require anything of the host. Usually the PC isn't aware of what the switch is doing, and doesn't need to know. Not this time!
EAPOL, STP and CDP

Until the user is authenticated, only the following protocols can travel through the port:
EAPOL STP CDP
By default, once the user authenticates, all traffic can be received and transmitted through this port.
Force-authorized
Force-authorized, the default, does just what it sounds like - it forces the port to authorize any host attempting to use the port, but authentication is not required. Basically, there is no authentication on this port type. A port in force-unauthorized state literally has the port unable to authorize any client - even clients who could otherwise successfully authenticate! The auto setting enables dot1x on the port, which will begin the process as unauthorized. Only the necessary EAPOL frames will be sent and received while the port's unauthorized. Once the authentication is complete, normal transmission and receiving can begin. Not surprisingly, this is the most common setting.
54
SPAN
SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached. (In some Cisco documentation, the destination port is referred to as the monitor port.) SPAN works very well, and the basic operation is simple. Studying SPAN for exams and network usage can seem complicated at first, though, because there are several different versions of SPAN. The versions are much the same, though; the real difference comes in when you define the source ports. It's the location of the source ports that determines the SPAN version that needs to run on the switch.
Local SPAN
In the previous example, we're running Local SPAN, since the destination and source ports are all on the same switch. If the source was a VLAN rather than a collection of physical ports, VLAN-based SPAN (VSPAN) would be in effect.
Command monitor session

The command monitor session starts a SPAN session, along with allowing the configuration of the source and destination. The sessions are totally separate operations, but the number of simultaneous sessions you can run differs from one switch platform to another. Cat 3550s and 2950s support only two, but more powerful switches can run as many as 64 sessions at once.
55
RSPAN Configuration Part 1

RSPAN configuration is simple, but there are some factors you need to consider when configuring RSPAN:
If there were intermediate switches between the two shown in the above example, they would all need to be RSPAN-capable. VTP treats the RSPAN VLAN like any other VLAN. It will be propagated throughout the VTP domain if configured on a VTP server. Otherwise, it's got to be manually configured on every switch along the intermediate path. VTP Pruning will also prune the RSPAN VLAN under the same circumstances that it would prune a "normal" VLAN.
RSPAN Configuration Part 2

MAC address learning is disabled for the RSPAN VLAN. The source and destination must be defined on both the switch with the source port and the switch connected to the network analyzer, but the commands are not the same on each.
Source port notes:

A source port can be monitored in multiple, simultaneous SPAN sessions. A source port can be part of an Etherchannel. A source port cannot be configured as a destination port. A source port can be any port type - Ethernet, FastEthernet, etc.
56
Destination port notes:
A destination port can be any port type. A destination port can participate in only one SPAN session. A destination port cannot be a source port. A destination port cannot be part of an Etherchannel. A destination port doesn't participate in STP, CDP, VTP, PaGP, LACP, or DTP.
ESPAN
Finally, you may see the term "ESPAN" in some SPAN documentation. This is Enhanced SPAN, and some of Cisco's documentation mentions that this term has been used so often to describe different additions that the term has lost meaning. You'll still see it occasionally, but it doesn't refer to any specific addition or change to SPAN.
Access lists
At this point in your Cisco studies, you're very familiar with access lists and their many, many, many uses! Access lists do have their limitations, though. While an ACL can filter traffic traveling between VLANs, it can't do anything about traffic from one host in a VLAN to another host in the same VLAN. Why not? It relates to how ACLs are applied on a multilayer switch. You know that the CAM (Content Addressable Memory) table holds the MAC addresses that the switch has learned, but the TCAM - Ternary Content Addressable Memory - cuts down on the number of lookups required to compare a packet against an ACL.
57
Additional notes and tips regarding VACLs Part 1 Bridged traffic, as well as non-IP and non-IPX traffic, should be filtered with VACLs VACLs run from top to bottom, and run until a match occurs VACLs have an implicit deny at the end. The VACL equivalent of "permit all" is an "action forward" clause with no match criterion, as shown in the previous example. If traffic is not expressly forwarded, it's implicitly dropped!
Additional notes and tips regarding VACLs Part 2
Only one VACL can be applied to a VLAN The sequence numbers allow you to go back and add lines without rewriting the entire VACL. They are still active while being edited. A routing ACL can be applied to a SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface, but VACLs are not applied in that way - they're applied in global configuration mode.
Possible Side Effect Part 1

A Possible Side Effect Of Performing ACL Processing In Hardware
At the beginning of the VACL section, I mentioned that ACL processing in multilayer switches is performed in hardware. There will still be some traffic that is sent to the CPU for software processing, and that forwarding rate is much lower than the rate for the traffic forwarded by the switch hardware. If the hardware hits its storage limit for ACL configs, resulting in even more packets begin sent to the CPU, the switch performance can degrade. (I've seen that, and it's ugly. Avoid it.)
58
Possible Side Effect Part 2

Cisco's website lists two other factors that may result in too many packets being sent to the CPU, and they may surprise you:
Excessive logging Use of ICMP Unreachable messages
Use the log option with care. Logging must be performed by the switch software, not the hardware.
Private VLANs
This may well be the ultimate in filtering VLAN traffic! Hosts can be placed into a secondary VLAN, which is going to have one of two results:
The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN, but not with hosts in other secondary VLANs - this is a community private VLAN The host can communicate with the primary VLAN, but with no other hosts, including other hosts in its own secondary VLAN -this is an isolated private VLAN
Example
In the following example, the router is located off a switch port that has been configured as a private VLAN port. There are options here as well:
The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN - this is promiscuous mode. This is the recommended mode for ports connected to gateway devices, such as the router seen below. The host connected to the port is on either type of private VLAN (isolated or community), and can communicate with devices found off other promiscuous ports. If the host is configured as part of a community private VLAN, the host can also communicate with other hosts in that private VLAN.
59
DHCP Snooping Part 1
It may be hard to believe, but something as innocent as DHCP can be used for network attacks. The potential for trouble starts when a host sends out a DHCPDiscovery packet, it listens for DHCPOffer packets - and as we know, the host will accept the first Offer it gets!
DHCP Snooping Part 2

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. DHCP Snooping classifies interfaces on the switch into one of two categories - trusted and untrusted. DHCP messages received on trusted interfaces will be allowed to pass through the switch. Not only will DHCP messages received on untrusted interfaces be dropped by the switch, the interface itself will be placed into err-disabled state. By default, the switch considers all ports untrusted - which means we better remember to configure the switch to trust some ports when we enable DHCP Snooping!
Dynamic ARP Inspection

Just as we must protect against rogue DHCP servers, we have to be wary of rogue ARP users as well. From your CCNA studies, you know all about Address Resolution Protocol and how it operates. A rogue device can overhear part of the ARP process in action and make itself look like a legitimate part of the network. This happens through ARP Cache Poisoning. (This is also known as ARP Spoofing - be aware of both names for your exam.) ARP Cache Poisoning starts innocently enough - in this case, through the basic ARP process on a switch.
60
The rogue host
The rogue host has effectively placed itself into the middle of the communication, leading to the term man in the middle for this kind of network attack. When the rogue host does the same for an ARP Request being sent from Host B to Host A, all communications between Host A and Host B will actually be going through the rogue host. Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings. This database is the same database that is built by the DHCP Snooping process, and static ARP configurations can be used by DAI as well.
Trusted and untrusted ports

DAI uses the concept of trusted and untrusted ports, just as DHCP Snooping does. However, untrusted ports in DAI do not automatically drop ARP Requests and Replies. Once the IP-MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined. If the ARP message has an approved MAC-IP address mapping, the message is forwarded appropriately; if not, the ARP message is dropped. If the interface has been configured as trusted, DAI allows the ARP message to pass through without checking the database of trusted mappings. DAI is performed as ARP messages are received, not transmitted.
Trusted/untrusted port configuration
Cisco's recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports, this configuration scheme ensures that every ARP packet is checked once, but no more than that. There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel.
61
IP Source Guard
We can use IP Source Guard to prevent a host on the network from using another host's IP address. IP Source Guard works in tandem with DHCP Snooping, and uses the DHCP Snooping database to carry out this operation. As with DAI, DHCP Snooping must be enabled before enabling IP Source Guard. When the host first comes online and connects to an untrusted port on the switch, the only traffic that can reach that host are DHCP packets. When the client successfully acquires an IP address from the DHCP Server, the switch makes a note of this IP address assignment.
MAC Address Flooding Attacks
Since ARP, IP addresses, and DHCP all have potential security issues, we can't leave MAC addresses out because network attackers sure won't do so! A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. The intruder generates a large number of frames with different source MAC addresses - all of them invalid. As the switch's MAC address table capabilities are exhausted, valid entries cannot be made - and this results in those valid frames being broadcast instead of unicast.
This has three side effects, all unpleasant:

As mentioned, the MAC address table fills to capacity, preventing legitimate entries from being made. The large number of unnecessary broadcasts quickly consumes bandwidth as well as overall switch resources. The intruder can easily intercept packets with a packet sniffer, since the unnecessarily broadcasted packets will be sent out every port on the switch - including the port the intruder is using.
62
MAC Address Flooding
You can combat MAC Address Flooding with two of the features we addresses earlier in this section - port-based authentication and port security. By making sure our host devices are indeed who we think they are, we reduce the potential for an intruder to unleash a MAC Address Flooding attack on our network. The key isn't to fight the intruder once they're in our network - the key is to keep them out in the first place.
Double Tagging
One form of VLAN Hopping is double tagging, so named because the intruder will transmit frames that are "double tagged" with two separate VLAN IDs. As you'll see in our example, certain circumstances must exist for a double tagging attack to be successful: The intruder's host device must be attached to an access port. The VLAN used by that access port must be the native VLAN. The term "native VLAN" tips us off to the third requirement - dot1q must be the trunking protocol in use, since ISL doesn't use the native VLAN.
VLAN Hopping
VLAN Hopping seems innocent enough, but it's quite the opposite. VLAN Hopping has been used for network attacks ranging from Trojan horse virus propagation to stealing bank account numbers and passwords. That's why you often see the native VLAN of a network such as the one above set to a VLAN that no host on the network is a member of - that stops this version of VLAN Hopping right in its tracks.
63
Switch Spoofing
Notice that I said "this version". Switch spoofing is another variation of VLAN Hopping that is even worse than double tagging, because this version allows the rogue to pretend to be a member of *all* VLANs in your network. Many Cisco switch ports now run in dynamic desirable mode by default, which means that a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. A potential problem exists, since the switch doesn't really know what kind of device is receiving the DTP frames.
Multilayer Switching
Route Caching, Cisco Express Forwarding Inter-VLAN Routing & SVIs Fallback Bridging Router Redundancy Protocols (HSRP, IRDP, VRRP, GLBP) Server Load Balancing (SLB)
What Is Multilayer Switching?

Multilayer switches are devices that switch and route packets in the switch hardware itself. A good phrase to describe a multilayer switch is "pure performance" these switches can perform packet switching up to ten times as fast as a pure L3 router. When it comes to Cisco Catalyst switches, this hardware switching is performed by a router processor (or L3 engine). This processor must download routing information to the hardware itself. To make this hardware-based packet processing happen, Cat switches will run either the older....um, I mean "legacy" Multilayer Switching (MLS), or the newer Cisco Express Forwarding (CEF).
64
ASICs
Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets. You know from your CCNA studies that while the IP source and destination address of a packet will not change during its travels through the network, the L2 source and addresses may and probably will. With multilayer switching, it's the ASICs that perform this L2 address overwriting.
Route Caching
The first multilayer switching (MLS) method is route caching. This method may be more familiar to you as NetFlow switching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow's first packet, the switching engine snoops in on that packet and the destination, and the switching engine takes over and forwards the rest of the packets in that flow. Now, what exactly does a "flow" consist of? A flow is a unidirectional stream of packets from a source to a destination, and packets on the same flow will share the same protocol. That is, if a source is sending both WWW and TFTP packets to the same destination, there are actually two flows of traffic. The MLS cache entries support such unidirectional flows. There's always room for improvement from the first implementation of anything, though, and that improvement is Cisco Express Forwarding.
Cisco Express Forwarding

Cisco Express Forwarding (CEF) is a highly popular method of multilayer switching. Primarily designed for backbone switches, this topology-based switching method requires special hardware, so it's not available on all L3 switches. CEF can't be configured on 2950 switches, but you will see it on 3550s and several other higher-numbered series. CEF is highly scalable, and is also easier on a switch's CPU than route caching. CEF has two major components - the Forwarding Information Base and the Adjacency Table.
65
DEF-Enabled Devices
CEF-enabled devices the same routing information that a router would, but it's not found in a typical routing table. CEF-enabled switches keep a Forwarding Information Base (FIB) that contains the usual routing information - the destination networks, their masks, the next-hop IP addresses, etc - and CEF will use the FIB to make L3 prefix-based decisions. The FIB's contents will mirror that of the IP routing table actually, the FIB is really just the IP routing table in another format. You can view the FIB with the show ip cef command.
FIB
The FIB takes care of the L3 routing information, but what of the L2 information we need? That's found in the Adjacency Table (AT). As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in this table for CEF switching. Once the appropriate L3 and L2 next-hop addresses have been found, the MLS is just about ready to forward the packet. The MLS will make the same changes to the packet as a router normally would, and that includes changing the L2 destination MAC address - that's going to be changed to the next-hop destination, as I'm sure you remember from your CCNA studies. The L3 destination will remain the same. (The L2 source address will change as well, to the MAC address on the MLS switch interface that transmits the packet.)
Enabling DEF
Enabling CEF is about as simple as it gets. CEF is on by default on any and all CEF-enabled switches, and you can't turn it off. Remember, CEF is hardware-based, not software-based, so it's not a situation where running "no cef" on a switch will disable CEF. There's no such command! A multilayer switch must have IP routing enabled for CEF to run, however. Trying to view the FIB of a switch with IP routing not enabled results in this console readout...
66
Example
SW2#show ip cef %IPv4 CEF not running ... and then after enabling IP routing. SW2(config)#ip routing SW2#show ip cef Prefix Next Hop 0.0.0.0/32 receive 224.0.0.0/4 drop 224.0.0.0/24 receive 255.255.255.255/32 receive
Interface
L3 Switching
As with several advanced L3 switching capabilities, not every L3 switch can run CEF. For instance, the 2900XL and 3500XL do not support CEF. Keep in mind that switches that do support CEF do so by default, and CEF can't be turned off on those switches! CEF does support per-packet and perdestination load balancing, but again does not do so on all multilayer switches. Be sure to check your switch's capabilities before purchasing.
The Control Plane And The Data Plane

These are both logical planes found in CEF multilayer switching, and I know you won't be surprised to find they are also referred to by several different names. These all refer to the control plane:
"CEF control plane" "control plane" "Layer 3 engine" or "Layer 3 forwarding engine"
The control plane's job is to first build the ARP and IP routing tables, which makes the FIB and AT creation possible. In turn, the data plane is also called by several different names:
"data plane" "hardware engine" "ASIC"
67
Tables for L3 Switching The control plane builds the tables necessary for L3 switching, but it's the data plane that does the actual work! It's the data plane that places data in the L3 switch's memory while the FIB and AT tables are consulted, and then performs any necessary encapsulation before forwarding the data to the next hop.
Exceptions To The Rule (Of L3 Switching, That Is)

Exception packets are packets that cannot be hardware switched, which leaves us only one option - software switching! Comparing hardware switching to software switching is much like comparing the hare to the tortoise - but these tortoises are not going to win a race. Here are just a few of the packet types that must be software switched:
Packets with IP header options Packets that will be fragmented before transmission (because they're exceeding the MTU) 802.3 Ethernet packets
Note that packets with TCP header options are still switched in hardware; it's the IP header options that cause trouble!
Switching Options
With so many switching options available today, it's hard to keep up with which option is fastest, then nextfastest, and so on. According to Cisco's website, here's the order:
1.
Distributed CEF (DCEF). The name is the recipe the CEF workload is distributed over multiple CPUs. 2. CEF 3. Fast Switching 4. Process Switching
68
Inter-VLAN Communication Part 1

Since you learned in your CCNA studies that switching only happens on switches and routing only happens on routers, you also learned that a router has to get involved for interVLAN communication. Configuring router-on-a-stick is one way to get inter-VLAN communication going, and it requires only a single physical connection from the router to the switch. (The port on the router needs to be a FastEthernet port, remember.) Having configured router-on-a-stick many times, I can tell you that it works beautifully, but it does have its drawbacks. Depending on how many VLANs are involved in this configuration, they may not get all the bandwidth they need.
Inter-VLAN Communication Part 2 Router-on-a-stick does put an extra load on the router's processor as well, so you have to be careful as to which router in your network you select for this job. The biggest concern I have personally with ROAS is that the router becomes a single point of failure. If that FastEthernet port goes down, that's the end of your inter-VLAN traffic.
Configuring traffic
Bringing an external router into the picture is one method of configuring inter-VLAN traffic, but we also have the option of using a switch with an internal route processor or Route Switch Module (RSM). For example, a Catalyst 5000 switch's RSM takes the place of an external router - no router-on-a-stick needed!
69
Step One Step One In L3 Switching Troubleshooting: Make Sure IP Routing Is On!
L2 Mode Remember, the ports on a multilayer switch will all be running in L2 mode by default. To configure a port as a routing port, use the no switchport command, followed by the appropriate IP address.
Important Details
As always, there are some simple but important details to keep in mind when configuring SVIs.
You need to create the VLAN before the SVI, and that VLAN must be active at the time of SVI creation Theoretically, you need to open the SVI with no shut just as you would open a physical interface after configuring an IP address Remember that the VLAN and SVI work together, but they're not the same thing. Creating a VLAN doesn't create an SVI, and creating an SVI doesn't create a VLAN.
70
Fallback Bridging
Odds are that you'll never need to configure fallback bridging, but it falls under the category of "it couldn't hurt to know it". CEF has a limitation in that IPX, SNA, LAT, and AppleTalk are either not supported by CEF or, in the case of SNA and LAT, are nonroutable protocols. If you're running any of these on an CEF-enabled switch, you'll need fallback bridging to get this traffic from one VLAN to another. Fallback bridging involves the creation of bridge groups, and the SVIs will have to be added to these bridge groups.
Commands
To create a bridge group: MLS(config)# bridge-group 1 To join a SVI to a bridge group: MLS(config)#interface vlan 10 MLS(config-if)#bridge-group 1
Redundancy Part 1
In networking, we'll take as much redundancy as we can get. If a router goes down, we've obviously got real problems. Hosts are relying on that router as a gateway to send packets to remote networks. For true network redundancy, we need two things:
A secondary router to handle the load when the primary goes down A protocol to get the networks using that secondary protocol as soon as possible
71
Redundancy Part 2
That second point is so important that Cisco currently offers four separate protocols to expedite the cutover to the secondary router. These methods have much the same end result, but how they get there is another story. It's a story you can expect to be asked about quite a bit on your exam, so let's get to work and hit the details of these four redundancy strategies.
ICMP Router Discovery Protocol

Defined in RFC 1256, IRDP is commonly used by Windows DHCP clients and several Unix variations, but you do see it in Cisco routers as well. IRDP is an extension of ICMP - after all, it is the ICMP Router Discovery Protocol! IRDP routers will generate Router Advertisement packets that will be heard by hosts on that segment. If a host hears from more than one IRDP router, it will choose one as its primary and will start using the other router if the primary goes down. In the following example, the PCs will choose either 172.12.1.1 or 172.12.1.2 as their default gateway.
IRDP
IRDP does not involve a virtual router of any kind - when hosts transmit data, they will be using the IP and MAC address of a real, physical router as the default gateway, not the IP and MAC address of a virtual router. Hosts may also generate Router Solicitation messages, usually at startup, asking IRDP routers to send Router Advertisement packets. To enable IRDP on a router's interface, just use the ip irdp command. MLS(config)# interface serial0 MLS(config-if)# ip irdp
72
HSRP Part 1
Defined in RFC 2281, HSRP is a Cisco-proprietary protocol in which routers are put into an HSRP router group. Along with dynamic routing protocols and STP, HSRP is considered a high-availability network service, since all three have an almost immediate cutover to a secondary path when the primary path is unavailable. One of the routers will be selected as the primary, and that primary will handle the routing while the other routers are in standby, ready to handle the load if the primary router becomes unavailable. In this fashion, HSRP ensures a high network uptime, since it routes IP traffic without relying on a single router.
HSRP Part 2
The hosts using HSRP as a gateway don't know the actual IP or MAC addresses of the routers in the group. They're communicating with a pseudorouter, a "virtual router" created by the HSRP configuration. This virtual router will have a virtual MAC and IP address as well. The standby routers aren't just going to be sitting there, though! By configuring multiple HSRP groups on a single interface, HSRP load balancing can be achieved.
IP Address and Virtual Router

An IP address was assigned to the virtual router, but not a MAC address. However, there is a MAC address under the show standby output on R3, the active router. How did the HSRP process arrive at a MAC of 00-00-0c-07-ac-05? Well, most of the work is already done before the configuration is even begun. The MAC address 00-00-0c-07ac-xx is HSRP's well-known virtual MAC address, and xx is the group number in hexadecimal. That's a good skill to have for the exam, so make sure you're comfortable with hex conversions. In this example, the group number is 5, which is expressed as 05 with a two-bit hex character. If the group number had been 17, we'd see 11 at the end of the MAC address - one unit of 16, one unit of 1.
73
HSRP Speakers The output of the show standby command also tells us that the HSRP speakers are sending Hellos every 3 seconds, with a 10-second holdtime. These values can be changed with the standby command, but HSRP speakers in the same group should have the same timers. You can even tie down the hello time to the millisecond, but it's doubtful you'll ever need to do that.
Priority
Another key value in the show standby command is the priority. The default is 100, as shown in both show standby outputs. The router with the highest priority will be the primary HSRP router, with the router with the highest IP address on an HSRP-enabled interface becoming the primary if there is a tie on priority. We'll raise the default priority on R2 and see the results.
Local State Change

In just a few seconds, a message appears that the local state has changed from standby to active. Show standby confirms that R2, the local router, is now the active router - the primary. R3 is now the standby. So if anyone tells you that you have to take a router down to change the Active router, they're wrong - you just have to use the preempt option on the standby priority command. What you do not have to do is configure the preempt command if you want the standby to take over as the active router if the current active router goes down. That's the default behavior of HSRP. The preempt command is strictly intended to allow a router to take over as the active router without the current active router going down.
74
Standby macaddress command
On rare occasions, you may have to change the MAC address assigned to the virtual router. This is done with the standby mac-address command. Just make sure you're not duplicating a MAC address that's already on your network!
Load Balancing with HSRP

We can do some load balancing with HSRP, but it's not quite the load balancing you've learned about with some dynamic protocols. Let's say we have six hosts and two separate HSRP devices. For HSRP load balancing, there will be two HSRP groups created for the one VLAN. R2 will be the primary for Group 1 and R3 will be the primary for Group 2. (In production networks, you'll need to check the documentation for your software, because not all hardware platforms support multiple groups.)
Some other HSRP notes

HSRP updates can be authenticated by using the standby command with the authentication option. If you're configuring HSRP on a multilayer switch, you can configure HSRP on routed ports, SVIs, and Layer 3 portchannels (an Etherchannel with an IP address). HSRP requires the Enhanced Multilayer Software Image (EMI) to run on an L3 switch. Gig Ethernet switches will have that image, but Fast Ethernet switches will have either the EMI or Standard Multilayer Image (SMI). Check your documentation. The SMI can be upgraded to the EMI. Not for free, though! HSRP can run on Ethernet, Token Ring, and FDDI LANs. Some HSRP documentation states that Token Ring interfaces can support a maximum of three HSRP groups.
75
HSRP States
Disabled - Some HSRP documentation lists this as a state, others do not. I don't consider it one, but Cisco may. Disabled means that the interface isn't running HSRP yet. Initial (Init) -- The router goes into this state when an HSRPenabled interface first comes up. HSRP is not yet running on a router in Initial state. Learn -- At this point, the router has a lot to learn! A router in this state has not yet heard from the active router, does not yet know which router is the active router, and it doesn't know the IP address of that router, either. Other than that, it's pretty bright. ;) Listen -- The router now knows the virtual IP address, but is not the primary or the standby router. It's listening for hello packets from those routers.
Speak, Standby and Active

Speak -- The router is now sending Hello messages and is active in the election of the primary and standby routers. Standby -- The router is now a candidate to become the active router, and sends Hello messages. Active -- The router is now forwarding packets sent to the group's virtual IP address.
Multiple HSRP Groups

Note that an HSRP router doesn't send Hellos until it reaches the Speak state. It will continue to send Hellos in the Standby and Active states as well. There's also no problem with configuring an interface to participate in multiple HSRP groups on most Cisco routers. Some 2500, 3000, and 4000 routers do not have this capability. Always verify with show standby, and note that this command indicates that there's a problem with one of the virtual IP addresses!
76
Show Standby Command Part 1

R1#show standby FastEthernet0/0 - Group 1 State is Listen Virtual IP address is 172.12.23.10 Active virtual MAC address is unknown Local virtual MAC address is 0000.0c07.ac01 (v1 default) Hello time 3 sec, hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) FastEthernet0/0 - Group 5
Show Standby Command Part 2

State is Init (virtual IP in wrong subnet) Virtual IP address is 172.12.34.10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000.0c07.ac05 (v1 default) Hello time 3 sec, hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-5" (default)
HSRP Interface Tracking

Using interface tracking can be a little tricky at first, but it's a feature that can really come in handy. Basically, this feature enables the HSRP process to monitor an additional interface; the status of this interface will dynamically change the HSRP priority for a specified group. When that interface's line protocol shows as "down", the HSRP priority of the router is reduced. This can lead to another HSRP router on the network becoming the active router - but that other router must be configured with the preempt option.
77
Default Priority
In the following network, R2 is the primary due to its priority of 105. R3 has the default priority of 100. R2 will therefore be handling all the traffic sent to the virtual router's IP address of 172.12.23.10. That's fine, but there is a potential single point of failure. If R2's Serial0 interface fails, the hosts will be unable to reach the server farm. HSRP can be configured to drop R2's priority if the line protocol of R2's Serial0 interface goes down, making R3 the primary router. (The default decrement in the priority when the tracked interface goes down is 10.)
Priority/decrement value Problem
The #1 problem with an HSRP Interface Tracking configuration that is not working properly is a priority / decrement value problem.
Example Part 1
R1#show standby FastEthernet0/0 - Group 1 State is Active 2 state changes, last state change 01:08:58 Virtual IP address is 172.12.23.10 Active virtual MAC address is 0000.0c07.ac01 Local virtual MAC address is 0000.0c07.ac01 (v1 default) Hello time 3 sec, hold time 10 sec Next hello sent in 2.872 secs Preemption disabled Active router is local Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default)
78
Example Part 2
FastEthernet0/0 - Group 5 State is Init (virtual IP in wrong subnet) Virtual IP address is 172.12.34.10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000.0c07.ac05 (v1 default) Hello time 3 sec, hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 75 (default 100) Track interface Serial0/0 state Down decrement 25 IP redundancy name is "hsrp-Fa0/0-5" (default)
Debug Example Part 1

R1#debug standby *Apr 9 20:15:10.542: HSRP: Fa0/0 API MAC address update *Apr 9 20:15:10.546: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:10.550: HSRP: Fa0/0 API Add active HSRP addresses to ARP table *Apr 9 20:15:10.554: HSRP: Fa0/0 API Add active HSRP addresses to ARP table R1# *Apr 9 20:15:11.648: %SYS-5-CONFIG_I: Configured from console by console *Apr 9 20:15:12.541: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up R1# *Apr 9 20:15:12.541: HSRP: API Hardware state change *Apr 9 20:15:12.541: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:12.545: HSRP: Fa0/0 API Add active HSRP addresses to ARP table
Debug Example Part 2

*Apr 9 20:15:13.483: HSRP: Fa0/0 Interface up *Apr 9 20:15:13.483: HSRP: Fa0/0 Starting minimum interface delay (1 secs) *Apr 9 20:15:13.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up R1# *Apr 9 20:15:14.485: HSRP: Fa0/0 Interface min delay expired *Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled *Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Init -> Listen *Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Redundancy "hsrpFa0/0-1" state Init ->Backup
79
VRRP Part 1
Defined in RFC 2338, VRRP is the open-standard equivalent of the Cisco-proprietary HSRP. VRRP works very much like HSRP, and is suited to a multivendor environment. The operation of the two is so similar that you basically learned VRRP while going through the HSRP section! There are a few minor differences, a few of which are:
VRRP's equivalent to HSRP's Active router is the Master router. (Some VRRP documentation refers to this router as the IP Address Owner.) This is the router that has the virtual router's IP address as a real IP address on the interface it will receive packets on.
VRRP Part 2
The physical routers in a VRRP Group combine to form a Virtual Router. VRRP Advertisements are multicast to 224.0.0.18. VRRP's equivalent to HSRP's Standby router state is the Backup state. The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx, and you guessed it - the xx is the group number in hexadecimal. "preempt" is a default setting for VRRP routers. As of IOS Version 12.3(2)T, VRRP now has an Object Tracking feature. Similar to HSRP's Interface Tracking feature, a WAN interface can be tracked and a router's VRRP priority dropped when that interface goes down.
HSRP and VRRP

HSRP and its open-standard relation VRRP have some great features, but accurate load balancing is not among them. While both allow a form of load sharing, it's not truly load balancing. I'm sure you can tell that the primary purpose of the Gateway Load Balancing Protocol (GLPB) is just that - load balancing! It's also suitable for use only on Cisco routers, because GLBP is Ciscoproprietary. As with HSRP and VRRP, GLBP routers will be placed into a router group. However, GLBP allows every router in the group to handle some of the load in a round-robin format, rather than having a primary router handle all of it while the standby routers remain idle. With GLBP, the hosts think they're sending all of their data to a single gateway, but actually multiple gateways are in use at one time. GLBP also allows standard configuration of the hosts, who will all have their gateway address set to the virtual router's address - none of this "some hosts point to gateway A, some hosts point to gateway B" business we had with HSRP load balancing.
80
Key to GLBP The key to GLBP is that when a host sends an ARP request for the MAC of the virtual router, one of the physical routers will answer. The host will then have the IP address of the virtual router and the MAC address of a physical router in the group. In the following illustrations, the three hosts send an ARP request for the MAC of the virtual router.
Active Virtual Gateway

The Active Virtual Gateway (AVG) will be the router with the highest GLBP priority, and this router will send back ARP responses containing virtual MAC addresses. The virtual MAC addresses are assigned by the AVG as well. The three hosts will have the same Layer 3 address for their gateway, but a different L2 address, accomplishing the desired load balancing while allowing standard configuration on the hosts. (If the routers all have the same GLBP priority, the router with the highest IP address will become the AVG.)
GLBPs load balancing

GLBP's load balancing also offers the opportunity to finetune it to your network's needs. GLBP offers three different forms of MAC address assignment, the default being round-robin. With round-robin assignments, a host that sends an ARP request will receive a response containing the next virtual MAC address in line. If a host or hosts need the same MAC gateway address every time it sends an ARP request, host-dependent load balancing is the way to go. Weighted MAC assignments affect the percentage of traffic that will be sent to a given AVF. The higher the assigned weight, the more often that particular router's virtual MAC will be sent to a requesting host.
81
Command examples
GLBP is enabled just as VRRP and HSRP are - by assigning an IP address to the virtual router. The following command will assign the address 172.1.1.10 to group 5. MLS(config-if)# glbp 5 ip 172.1.1.10 To change the interface priority, use the glbp priority command. To allow the local router to preempt the current AVG, use the glbp preempt command. MLS(config-if)# glbp 5 priority 150 MLS(config-if)# glbp 5 preempt
Server Load Balancing

We've talked at length about how Cisco routers and multilayer switches can work to provide router redundancy - but there's another helpful service, Server Load Balancing, that does the same for servers. While HSRP, VRRP, and CLBP all represent multiple physical routers to hosts as a single virtual router, SLB represents multiple physical servers to hosts as a single virtual server. In the following illustration, three physical servers have been placed into the SRB group ServFarm. They're represented to the hosts as the virtual server 210.1.1.14.
Hosts communication
The hosts will seek to communicate with the server at 210.1.1.14, not knowing that they're actually communicating with the routers in ServFarm. This allows quick cutover if one of the physical servers goes down, and also serves to hide the actual IP addresses of the servers in ServFarm. The basic operations of SLB involves creating the server farm, followed by creating the virtual server. We'll first add 210.1.1.11 to the server farm: MLS(config)# ip slb serverfarm ServFarm MLS(config-slb-sfarm)# real 210.1.1.11 MLS(config-slb-real)# inservice
82
Creating Server Farm

The first command creates the server farm, with the real command specifying the IP address of the real server. The inservice command is required by SLB to consider the server as ready to handle the server farm's workload. The real and inservice commands should be repeated for each server in the server farm. To create the virtual server: MLS(config)# ip slb vserver VIRTUAL_SERVER MLS(config-slb-vserver)# serverfarm ServFarm MLS(config-slb-vserver)# virtual 210.1.1.14 MLS(config-slb-vserver)# inservice
Controlling connections
You may also want to control which of your network hosts can connect to the virtual server. If hosts or subnets are named with the client command, those will be the only clients that can connect to the virtual server. Note that this command uses wildcard masks. The following configuration would allow only the hosts on the subnet 210.1.1.0 /24 to connect to the virtual server. MLS(config-slb-vserver)# client 210.1.1.0 0.0.0.255
IP Telephony & Cisco IP Phones IP Phone Basics Voice VLANs Voice QoS DiffServ at L2 & L3 Trusting Incoming Values Basics of AVVID Power Over Ethernet
83
Voice over IP
If you dont have much (or any) experience with Voice Over IP (VoIP) yet, youre okay for now youll be able to understand this chapter with no problem. I say for now because all of us need to know some basic VoIP. Voice and security are the two fastest-growing sectors of our business. Theyre not going to slow down anytime soon, either. Once youre done with your CCNP, I urge you to look into a Cisco voice certification. There are plenty of good vendor-independent VoIP books on the market as well. Most Cisco IP phones will have three ports. One will be connected to a Catalyst switch, another to the phone ASIC, and another will be an access port that will connect to a PC.
Link between switch and IP phone

The link between the switch and the IP phone can be configured as a trunk or an access link. Configuring this link as a trunk gives us the advantage of creating a voice VLAN that will carry nothing but voice traffic while allowing the highest Quality of Service Possible, giving the delay-sensitive voice traffic priority over regular data handled by the switch. Configuring the link as an access link results in voice and data traffic being carried in the same VLAN, which can lead to delivery problems with the voice traffic. The problem isnt that the voice traffic will not get to the switch it simply may take too long. Voice traffic is much more delay-sensitive than data traffic.
Four Choices When it comes to the link between switch and the IP Phone, weve got four choices:
Configure the link Configure the link 802.1p Configure the link tag voice traffic Configure the link Voice VLAN as an access link as a trunk link and use as a trunk link and do not as a trunk link and specify a
84
Dot1p Option
The dot1p option has two effects:

The IP Phone grants voice traffic high priority Voice traffic is sent through the default voice native VLAN, VLAN 0
Details you should know about Part 1 As always, there are just a few details you should be aware of when configuring:
When Voice VLAN is configured on a port, Portfast is automatically enabled but if you remove the Voice VLAN, Portfast is NOT automatically disabled. Cisco recommends that QoS be enabled on the switch and the switch port connected to the IP phone be set to trust incoming CoS values. The commands to perform these tasks are mls qos and the interfacelevel command mls qos trust cos, respectively.
Details you should know about Part 2

You can configure voice VLANs on ports running port security or 802.1x authentication. It is recommended that port security be set to allow more than one secure MAC address. CDP must be running on the port leading to the IP phone. CDP should be globally enabled on all switch ports, but take a few seconds to make sure with show cdp neighbor. Voice VLANs are supported only on L2 access ports. Particularly when implementing video conferencing, make sure your total overall traffic doesnt exceed 75% of the overall available bandwidth. That inclues video, voice, and data! Cisco also recommends that voice and video combined not exceed 33% of a links bandwidth. This allows for network control traffic to flow through the network and helps to prevent jitter as well.
85
Three Main Enemies I mentioned jitter earlier, but weve got three main enemies when it comes to successful voice transmission:
Jitter Delay Packet Loss
QoS
Best-effort delivery is the QoS you have when you have no explicit QoS configuration the packets are simply forwarded in the order in which they came into the router. Best-effort works fine for UDP, but not for voice traffic. The Integrated Services Model, or IntServ, is far superior to best-effort. I grant you thats a poor excuse for a compliment! IntServ uses the Resource Reservation Protocol (RSVP) to do its job, and that reservation involves creating a high-priority path in advance of the voice traffics arrival. The device that wants to transmit the traffic does not do so until a reserved path exists from source to destination. The creation of this path is sometimes referred to as Guaranteed Rate Service (GRS) or simple Guaranteed Service.
DiffServ That issue is address with the Differentiated Services Model, or DiffServ. Where IntServ reserves an entire path in advance for the entire voice packet flow to use, DiffServ does not reserve bandwidth for the flow; instead, DiffServ makes its QoS decisions on a per-hop basis as the flow traverses the network.
86
DiffServ Model
The DiffServ model allows each network device along the way to make a separate decision on how best to forward the packet towards its intended destination, rather than having all forwarding decisions made in advance. This process is Per-Hop Behavior (PHB). The core tasks of DiffServ QoS are marking and classification. (They are two separate operations, but they work very closely together, as youll see.) Marking is the process of tagging data with a value, and classification is taking the appropriate approach to queueing and transmitting that data according to that value.
Code of Service Part 1

You know that the physical link between two switches is a trunk, and you know that the VLAN ID is tagged on the frame before it goes across the trunk. You might not know that another value a Code of Service (CoS) value can also be placed on that frame. Where the VLAN ID indicates the VLAN whose hosts should receive the frame, the CoS is used by the switch to make decisions on what QoS, if any, the frame should receive. It certainly wont surprise you to find that our trunking protocols, ISL and IEEE802.1Q (dot1q) handle CoS differently. Hey, with all the differences between these two that youve already mastered, this is easy!
Code of Service Part 2

The ISL tag includes a 4-bit User field; the last three bits of that field indicated the CoS value. I know I dont have to tell you this, but three binary bits give us a range of decimal values of 0 7. The dot1q tag has a User field as well, but this field is built a little differently. Dot1qs User fields has three 802.1p priority bits that make up the CoS value, and again that gives us a decimal range of 0-7.
87
ToS
The IP ToS byte consists of...
an IP precedence value, generally referred to as IP Prec (3 bits) a Type Of Service Value (4 bits) a zero (1 bit)
DiffServ uses this 8-bit field as well, but refers to this as the Differentiated Services (DS) field. The DS byte consists of...
a Differentiated Service Code Point value (DSCP, 6 bits, RFC 2474) an Explicit Congestion Notification value (ECN, 2bits, RFC 2481)
The 6-bit DSCP value is itself divided into two parts

a Class Selector value, (3 bits) a Drop Precedence value (3 bits)
Class Selector Values

Heres a quick description of the Class Selector values and their meanings:
Class 7 (111) Network Control, and the name is the recipe this value is reserved for network control traffic (STP, routing protocol traffic, etc.) Class 6 (110) Internetwork Control, same purpose as Network Control Class 5 (101) Expedited Forwarding (EF, RFC 2598) Reserved for voice traffic and other time-critical data. Traffic in this class is practically guaranteed not to be dropped. Classes 1-4 (001 100) Assured Forwarding (AF, RFC 2597) These classes allow us to define QoS for traffic that is not as time-critical as that in Class 5, but that should not be left to besteffort forwarding, which is... Class 0 (000) Best-effort forwarding. This is the default.
Assured Forwarding classes

Weve got four different classes in Assured Forwarding, and RFC 2597 defines three Drop Precedence values for each of those classes:
High 3 Medium 2 Low 1
The given combination of any class and DP value is expressed as follows: AF (Class Number)(Drop Precedence) That is, AF Class 2 with a DP of high would be expressed as: AF23
88
Other Techniques
Weve talked at length about using a priority queue for voice traffic, but there are some other techniques we can use as well. As with any other QoS, the classification and marking of traffic should be performed as close to the traffic source as possible. Access-layer switches should always perform this task, not only to keep the extra workload off the core switches but to ensure the end-to-end QoS you wanted to configure is the QoS youre getting. Another method of improving VoIP quality is to configure RTP Header Compression. This compression takes the IP/UDP/RTP header from its usual 40 bytes down to 2-4 bytes. RTP header compression is configured with the interface-level ip rtp header-compression command, with one option you should know about passive. If the passive option is configured, outgoing packets are subject to RTP compression only if incoming packets are arriving compressed.
AVVID Part 1
Ciscos Architecture for Voice, Video, and Integrated Data (AVVID) is a comprehensive network architecture approach which integrates Voice and Video into an existing Data network. (But you knew that from the name, right?) A PDF available on Ciscos website lists these five AVVID components as primary concerns:
High Availability Quality of Service Security Enterprise Mobility Scalability
AVVID Part 2
Basically, AVVID is designed to take an organizations existing infrastructures and combine them into one large infrastructure. Ciscos theory holds that doing so will reduce overall costs while preparing the infrastructure to run the latest and greatest Cisco technologies. Storage Networking is becoming more and more important every day, and is also an important part of an AVVID design.
89
Wide-Ranging AVVID
To show you how wide-ranging AVVID is, a single AVVID infrastructure is designed to hold all of the following hardware:
Cisco routers Cat switches IP phones Voice trunking Cisco Call Manager Analog and digital gateways to the PSTN Voice modules
POE
With POE, the electricity necessary to power the IP Phone is actually transferred from the switch to the phone over the UTP cable that already connects the two devices. Not every switch is capable of running POE. Check your particular switchs documentation for POE capabilities and details. The IEEE standard for POE is 802.3af. There is also a proposed standard for High-Power POE, 802.3at. To read more than youd ever want to know about POE, visit http://www.poweroverethernet.com.
POE-capable switches Part 1

By default, ports on POE-capable switches do attempt to find a device needing power on the other end of the link. Weve got a couple of options for POE as well: SW4(config)#int fast 1/0/1 SW4(config-if)#power inline ? auto Automatically detect and power inline devices consumption Configure the inline device consumption never Never apply inline power static High priority inline power interface
90
POE-capable switches Part 2

The Auto setting is the Default. The consumption option allows you to set the level of power sent to the advice: SW4(config-if)#power inline consumption ? And naturally, the never option disables POE on that port. POE options and capabilities differ from one device to the next, so check your switchs documentation carefully before using POE.
Wireless Networking Wireless Basics and Standards Antenna Types and Usage CSMA/CA CCX Program The Lightweight Access Point Protocol Aironet System Tray Utility
WLAN
A common wireless topology is an Infrastructure Wireless Local Area Network (WLAN) , also called a Basic Service Set (BSS), where a Wireless Access Point (WAP) is used to allow multiple devices to intercommunicate. The area of coverage the WAP provides is called a cell, and as any of us who have used wireless networks know, that cell can shrink and grow without warning! Hosts successfully connecting to the WAP in a BSS are said to have formed an association with the WAP. Forming this association usually requires the host to present required authentication and/or the correct Service Set Identifier (SSID). The SSID is the public name of the wireless network. A SSID is simply a string of text. SSIDs are case-sensitive and can be up to 32 characters in length.
91
AP vs. WAP
Cisco uses the term AP instead of WAP in much of their documentation; just be prepared to see this term expressed either way on your exam and in network documentation. I'll call it an AP for the rest of this section. A BSS operates much like a hub-and-spoke network in that all communication must go through the hub, which in this case is the AP. APs can also be arranged in such a way that a mobile user, or roaming user, will (theoretically) always be in the provider's coverage area. Those of us who are roaming users understand the "theoretical" part! Speaking as a roaming user, did you ever wonder how your wireless card decides to quit using its current AP and start using the next one in line? Well, keep wondering. :) Seriously, wireless vendors keep us guessing on this one, since they all use different standards on when that cutover needs to be performed.
Active and Passive scanning

What we do know is that there are two different methods the client can use to find the next AP - active scanning and passive scanning. With active scanning, the client sends Probe Request frames and then waits to hear Probe Responses. If multiple Probe Responses are heard, the client chooses the most appropriate WAP to use in accordance with vendor standards. Passive scanning is just what it sounds like - the client listens for beacon frames from APs. No Probe Request frames are sent.
WLAN Authentication (And Lack of Same)

Of course, you don't want just any wireless client connecting to your WLAN! The 802.11 WLAN standards have two different authentication schemes open system and shared key. They're both pretty much what they sound like. Open system is basically one station asking the receiving station "Hey, do you recognize me?" Hopefully, shared key is the authentication system you're more familiar with, since open system is a little too open! Shared key uses Wired Equivalent Privacy (WEP) to provide a higher level of security than open system.
92
A Giant LEAP Forward

The Extensible Authentication Protocol (EAP) was actually developed originally for PPP authentication, but has been successfully adapted for use in wireless networks. RFC 3748 defines EAP. Cisco's proprietary version of EAP is LEAP, the Lightweight Extensible Authentication Protocol. LEAP has several advantages over WEP:
There is two-way authentication between the AP and the client The AP uses a RADIUS server to authenticate the client The keys are dynamic, not static, so a different key is generated upon every authentication
Wi-Fi Alliance
Recognizing the weaknesses inherent in WEP, the Wi-Fi Alliance (their home page is http://wi-fi.org) saw the need for stronger security features in the wireless world. Their answer was Wi-Fi Protected Access (WPA), a higher standard for wireless security. Basically, WPA was adopted by many wireless equipment vendors while the IEEE was working on a higher standard as well, 802.11i - but it wasn't adopted by every vendor. As a result, WPA is considered to work universally with wireless NICs, but not with all early APs. When the IEEE issued 802.11i, the Wi-Fi Alliance improved the original WPA standards, and came up with WPA2. As you might expect, not all older wireless cards will work with WPA2.
WPA and WPA2

To put it lightly, both WPA and WPA2 are major improvements over WEP. Many wireless devices, particularly those designed for home use, offer WEP as the default protection - so don't just click on all the defaults when you're setting up a home wireless network! The WPA or WPA2 password will be longer as well they're actually referred to as passphrases. Sadly, many users will prefer WEP simply because the password is shorter.
93
IBSS APs are not required to create a wireless network. In an ad hoc WLAN ("wireless LAN"), the wireless devices communicate with no AP involved. The official name for an ad hoc WLAN is an Independent Basic Service Set (IBSS). In the real world, you'll almost always here them call ad hoc networks, but it couldn't hurt to keep the official name in mind for your exam.
802.11a, 802.11b, 802.11g

802.11a has a typical data rate of 25 MBPS, but can reach speeds of 54 MBPS. Indoor range is 100 feet. Operating frequency is 5 GHz. 802.11b has a typical data rate of 6.5 MBPS, but can reach speeds of 11 MBPS. Indoor range is 100 feet. Operating frequency is 2.4 GHz. 802.11g has a typical data rate of 25 MBPS, a peak data rate of 54 MBPS, and an indoor range of 100 feet. Operating frequency is 2.4 GHz. 802.11b and 802.11g are compatible to the point where many wireless routers and cards that use these standards are referred to as "802.11b/g", or just "b/g".
802.11g and 802.11n

You can have trouble with 802.11g from an unexpected source popcorn! Well, not directly, but microwave ovens also share the 2.4 GHz band, and the presence of a microwave in an office can actually cause connectivity issues. (And you thought they were just annoying when people burn popcorn in the office microwave!) Solid objects such as walls and other buildings can disturb the signal in any bandwidth. 802.11n has a typical data rate of 200 MBPS, a peak data rate of 540 MBPS, and an indoor range of 160 feet. Operating frequency is either 2.4 GHz or 5 GHz.
94
Infrared Data Association (IrDA)

The IrDA is another body that defines specifications, but the IrDA is concerned with standards for transmitting data over infrared light. IrDA 1.0 only allowed for a range of 1 meter and transmitted data at approximately 115 KBPS. The transmission speed was greatly improved with IrDA 1.1, which has a theoretical maximum speed of 4 MBPS. The two standards are compatible. Keep in mind that neither IrDA standard has anything to do with radio frequencies - only infrared light streams. The IrDA notes that to reach that 4 MBPS speed, the hardware must be 1.1 compliant, and even that might not be enough - the software may have to be modified as well. Which doesn't sound like fun.
Antenna Types Part 1

A Yagi antenna (technically, the full name is "Yagi-Uda antenna") sends its signal in a single direction, which means it must be aligned correctly and kept that way. Yagi antennas are sometimes called directional antennas, since they send their signal in a particular direction. In contrast, an Omni ("omnidirectional") antenna sends a signal in all directions on a particular plane.
Antenna Types Part 2

Since this is networking, we can't just call these antennae by one name! Yagis are also known as pointto-point and directional antenna; Omni antennas are also known as omnidirectional and point-to-multipoint antenna. Both Yagi and Omni antennas have their place in wireless networks. The unidirectional signal a Yagi antenna sends makes it particularly helpful in bridging the distance between APs. The multidirectional signal sent by Omni antennas help connect hosts to APs, including roaming laptop users -- like the ones who connect to the Net while eating lunch!
95
CSMA/CA
With "Wireless LANs", life isn't so simple. Wireless LANs can't listen and send at the same time - they're half-duplex so traditional collision detection techniques cannot work. Instead, wireless LANs will use IEEE standard 802.11, CSMA/CA, (Carrier Sense Multiple Access with Collision Avoidance). Lets walk through an example of Wireless LAN access, and youll see where the avoidance part of CSMA/CA comes in. The foundation of CSMA/CA is the Distributed Coordination Function (DCF). The key rule of DCF is that when a station wants to send data, the station must wait for the Distributed Interframe Space (DIFS) time interval to expire before doing so. In our example, Host A finds the wireless channel to be idle, waits for the DIFS timer to expire, and then sends frames.
DCF-speak In DCF-speak, this random amount of time is the Backoff Time. The formula for computing Backoff Time is beyond the scope of the BCMSN exam, but the computation does involve a random number, and that random value helps avoid collisions.
The Cisco Compatible Extensions Program

When you're looking to start or add to your wireless network, you may just wonder.... "How The $&!(*% Can I Figure Out Which Equipment Supports Which Features?" A valid question! :) Thankfully, Cisco's got a great tool to help you out - the Cisco Compatible Extension (CCX) website. Cisco certification isn't just for you and I - Cisco also certifies wireless devices that are guaranteed to run a desired wireless feature. The website name is a little long to put here, and it may well change, so I recommend you simply enter "Cisco compatible extension" into your favorite search engine - you'll find the site quickly. Don't just enter "CCX" in there - you'll get the Chicago Climate Exchange. I'm sure they're great at what they do, but don't trust them to verify wireless capabilities!
96
The Lightweight Access Point Protocol (LWAPP) As our wireless networks get larger and larger, we really need some kind of central authority to ensure that a consistent access policy is successfully implemented. By no small coincidence, Cisco has developed such an authority as part of their Cisco Unified Wireless Network - the WLAN Controller, which communicates with Lightweight Access Points (LAP). This communication takes place via LWAPP, the LightWeight Access Point Protocol.
WLAN Controller
The WLAN Controller is basically the quarterback of the WLAN, with the LAPs serving as the other players. The WLAN Controller will be configured with security procedures, Quality of Service (QoS) policies, mobile user policies, and more. The WLAN Controller than informs the LAPs of these policies and procedures, ensuring that each LAP is consistently enforcing the same set of wireless network access rules and regulations. Many Cisco Aironet access points can operate autonomously or as an LAP. Here are a few of those models:
1230 AG Series 1240 AG Series 1130 AG Series
Some other Aironet models have circumstances under which they cannot operate as LAPs - make sure to do your research before purchasing!
Aironet System Tray Utility

We're all familiar with the generic icon on a laptop or PC that shows us how strong (or weak) our wireless signal is. The Aironet System Tray Utility (ASTU) gives us that information and a lot more. Instead of just indicating how strong the wireless signal is, the icon will change color to indicate signal strength and other important information. Problem is, the colors aren't exactly intuitive, so we better know what they mean! Here's a list of ASTU icon colors and their meanings.
97
Red, Yellow and Green

Red - This does not mean that you don't have a connection to an access point! It means that you do have connectivity to an AP, and you are authenticated via EAP if necessary, but that the signal strength is low. Yellow - Again, you are connected to an AP and are authenticated if necessary, but signal strength is fair. Green - Connection to AP is present, EAP authentication is in place if necessary, and signal strength is very good. Light Gray - Connection to AP is present, but you are *not* EAP-authenticated. Dark Gray - No connection to AP is present. White - Client adapter is disabled.
EAP Authentication If you're connecting to an ad hoc network, just substitute "remote client" for "AP" in the above list. The key is to know that red, green, and yellow are referring to signal strength, light gray indicates a lack of EAP authentication, dark gray means there is no connection to an AP or remote client, and white means the adapter is disabled.
Network Design and Models Core, Distribution, Access Layers Enterprise Composite Network Model Server Farm Block Network Management Block Enterprise Edge Block Service Provider Edge Block
98
The Core Layer
The term core switches refers to any switches found here, the core layer. Switches at the core layer allow switches at the distribution layer to communicate, and this is more than a full-time job. It's vital to keep any extra workload off the core switches, and allow them to do what they need to do - switch! The core layer is the backbone of your entire network, so we're interested in high-speed data transfer and very low latency. That's it! The core layer is the backbone of our network, so we've got to optimize data transport.
Core Switches Part 1

Today's core switches are generally multilayer switches - switches that can handle both the routing and switching of data. The throughput of core switches must be high, so examine your particular network's requirements and switch documentation thoroughly before making a decision on purchasing core switches. We want our core switches to handle switching, and let distribution-layer switches handle routing.
Core Switches Part 2

Core layer switches are usually the most powerful in your network, capable of higher throughput than any other switches in the network. Remember, everything we do on a Cisco router or switch has a cost in CPU or memory, so we're going to leave most frame manipulation and filtering to other layers. The exception is Cisco QoS, or Quality of Service. Advanced QoS is generally performed at the core layer. We'll go into much more detail regarding QoS in another section, but for now, know that QoS is basically high-speed queueing where special consideration can be given to certain data in certain queues. Leave ACLs and other filters for other parts of the network.
99
Redundancy
We always want redundancy, but you want a lot of redundancy in your core layer. This is the nerve center of your entire network, so fault tolerance needs to be as high as you can possibly get it. Root bridges should also be located in the core layer whenever possible.
The Distribution Layer

The demands on switches at this layer are high. The accesslayer switches are all going to have their uplinks connecting to these switches, so not only do the distribution-layer switches have to have high-speed ports and links, they've got to have quite a few to connect to both the access and core switches. That's one reason you'll find powerful multilayer switches at this layer - switches that work at both L2 and L3. Distribution-layer switches must be able to handle redundancy for all links as well. Examine your network topology closely and check vendor documentation before making purchasing decisions on distribution-layer switches. The distribution layer is also where routing should take place when utilizing multilayer switches, since the access layer is busy with end users and we want the core layer to be concerned only with switching, not routing.
The Access Layer - Part 1 End users communicate with the network at this layer. VLAN membership is handled at this layer, as well as traffic filtering and basic QoS. Redundancy is important at this layer as well - hey, when isn't redundancy important? - so redundant uplinks are vital. The uplinks should also be scalable to allow for future network growth.
100
The Access Layer - Part 2

You also want your access layer switches to have as many ports as possible, and again, plan for future growth. A 12-port switch may be fine one week, but a month from now you might just wish you had bought a 24-port switch. A good rule of thumb for access switches is "low cost, high switchport-to-user ratio". Don't assume that today's sufficient port density will be just as sufficient tomorrow! You can perform MAC address filtering at the access layer, although hopefully there are easier ways for you to perform the filtering you need. (MAC filtering is a real pain to configure.) Collision domains are also formed at the access layer.
The Enterprise Composite Network Model This model is much larger than the Cisco threelayer model, as you'll see in just a moment. I want to remind you that networking models are guidelines, and should be used as such. This is particularly true of the Enterprise Composite Network Model, which is one popular model used to design campus networks. A campus network is basically a series of LANs that are interconnected by a backbone.
Switch blocks
Switch blocks are units of access-layer and distribution-layer devices. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, which have both L2 and L3 capabilities (found at the distribution layer). Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or in a business park.
101
Core blocks
Core blocks consist of the high-powered core switches, and these core blocks allow the switch blocks to communicate. This is a tremendous responsibility, and it's the major reason that I'll keep mentioning that we want the access and distribution layers to handle as many of the "extra" services in our network whenever possible. We want the core switches to be left alone as much as possible so they can concentrate on what they do best - switch.
Few Factors
The design of such a network is going to depend on quite a few factors - the number of LANs involved, the physical layout of the building or buildings involved being just two of them - so again, remember that these models are guidelines. Helpful guidelines, though! The Enterprise Composite Network Model uses the term block to describe the three layers of switches we just described. The core block is the collection of core switches, which is the backbone mentioned earlier. The access and distribution layer switches are referred to as the switch blocks.
Model Parts
Overall, there are three main parts of this model:
The Enterprise Campus The Enterprise Edge The Service Provider Edge
The Enterprise Campus consists of the following modules:

Campus Infrastructure module Server Farm module Network Management module Enterprise Edge (yes, again)
In turn, the Campus Infrastructure module consists of these modules:

Building Access module (Access-layer devices) Building Distribution module (Distribution-layer devices) Campus Backbone (Interconnects multiple Distribution modules)
102
Dual Core
The core design shown here is often referred to as dual core, referring to the redundant fashion in which the switch blocks are connected to the core block. The point at which the switch block ends and the core block begins is very clear. A smaller network may not need switches to serve only as core switches, or frankly, may not be able to afford such a setup. Smaller networks can use a collapsed core, where certain switches will perform both as distribution and core switches.
Server Farm Block

As much as we'd like to get rid of them sometimes, we're not going to have much of a network without servers! In a campus network, the server farm block will be a separate switch block, complete with access and distribution layer switches. The combination of access, distribution, and core layers shown here is sometimes referred to as the Campus Infrastructure.
The Network Management Block
Network management tools are no longer a luxury - in today's networks, they're a necessity. AAA servers, syslog servers, network monitoring tools, and intruder detection tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block.
103
Internet and WAN connectivity Part 1
Internet and WAN connectivity for a campus network is a two-block job - one block we have control over, the other we do not. The Enterprise Edge Block is indeed the edge of the campus network, and this block of the routers and switches needed to give the needed WAN connectivity to the rest of the campus network.
Internet and WAN connectivity Part 2
While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of this block. And frankly, we don't really care! The key here is that this block borders the Enterprise Edge Block, and is the final piece of the Internet connectivity puzzle for our campus network. Take a look at all the lines leading to those core switches. Now you know why we want to dedicate as much of these switches' capabilities to pure switching we're going to need it!
Bonus Video: Queueing
Weighted Fair Queueing Class Maps & Policy Maps Priority Queueing Custom Queueing
104
First In, First Out FIFO is just what it sounds like - there is no priority traffic, no traffic classes, no queueing decision for the router to make. FIFO is fine for many networks, and if you have no problem with network congestion, FIFO may be all you need. If you've got traffic that's especially timesensitive such as voice and video, FIFO is not your best choice.
WFQ
What's so "fair" about Weighted Fair Queueing (WFQ)? WFQ prevents one particular stream of network traffic, or flow, from using most or all of the available bandwidth while forcing other streams of traffic to sit and wait. These flows are defined by WFQ and require no access list configuration. Flow-based WFQ is the default queueing scheme for Serial interfaces running at E1 speed or below. Flow-Based WFQ takes these packet flows and classifies them into conversations. WFQ gives priority to the interactive, low-bandwidth conversations, and then splits the remaining bandwidth fairly between the noninteractive, high-bandwidth conversations.
First Reaction to WFQ

The first reaction to WFQ is usually something like this: "That sounds great, but shouldn't the network administrator be deciding which flows should be transmitted first, rather than the router?" Good question! There's an advanced form of WFQ, Class-Based Weighted Fair Queueing (CBWFQ) that allows manual configuration of queueing - and CBWFQ does involve access list configuration.
105
CBWFQ
CBWFQ configuration does have its limits. By default, you can't assign over 75% of an interface's bandwidth via CBWFQ, because 25% is reserved for network control and routing traffic.
Available Bandwidth
Why is 358 Kbps all that's available? Start with the bandwidth of a serial interface, 1544 kbps. Only 75% of that bandwidth can be assigned through CBWFQ, and 1544 x .75 = 1158. We can assign only 1158 kbps of a T1 interface's bandwidth in the policy map. We have already assigned 800 kbps to class 17210100, leaving only 358 kbps for other classes. Keep this 75% rule in mind - it's a very common error with CBWFQ configurations. Don't jump to the conclusion that bandwidth 64 is the proper command to use when you've got a 64 kbps link and you want to enable voice traffic to use all of it. Always go with a minimum of 75% of available bandwidth, and don't forget all the other services that will need bandwidth as well!
Reservable bandwidth
The "reservable bandwidth" referenced in this command isn't just the bandwidth assigned in CBWFQ. It also includes bandwidth allocated for the following:
Low Latency Queueing (LLQ) IP Real Time Protocol (RTP) Priority Frame Relay IP RTP Priority Frame Relay PVC Interface Priority Queueing Resource Reservation Protocol (RSVP)
106
Tail Drop
Tail drop may be the default, but there are two major issues with it. First, this isn't a very discriminating way to drop traffic. What if this were voice traffic that needed to go to the head of the line? Tail drop offers no mechanism to look at a packet and decide that a packet already in the queue should be dropped to make room for it. The other issue with tail drop is TCP global synchronization. This is a result of TCP's behavior when packets are lost.
Dropped packets
Packets dropped due to tail drop result in the TCP senders reducing their transmission rate. As the transmission slows, the congestion is reduced. All TCP senders will gradually increase their transmission speed as a result of the reduced congestion - which results in congestion occurring all over again.
TCP Global Synchronization

The result of TCP global synchronization? When the TCP sender simultaneously slow their transmission, that results in underutilization of the bandwidth. When the TCP senders all increase their transmission rate at the same time, the bandwidth is oversubscribed, packets are dropped and must be retransmitted, and the entire process begins all over again. Basically, the senders are either sending too little or too much traffic at any given time.
107
RED and WRED

To avoid the TCP Global Synchronization problems, Random Early Detection (RED) or Weighted Random Early Detection (WRED) can be used in place of Tail Drop. RED will proactively drop packets before the queue gets full, but the decision of which packets will be dropped is still random. WRED uses either a packet's IP Precedence or Differentiated Services Code Point (DSCP) to decide which packets should be dropped. WRED gives the best service it can to packets in a priority queue. If the priority queue becomes full, WRED will drop packets from other queues before dropping any from the priority queue.
CBWFQ
CBWFQ is definitely a step in the right direction, but what we're looking for is a guarantee (or something close to it) that data adversely affected by delays is given the highest priority possible. Low Latency Queueing (LLQ) is an "add-on" to CBWFQ that creates such a strict priority queue for such traffic, primarily voice traffic, allowing us to avoid the jitter that comes with voice traffic that is not given the needed priority queueing. (Cisco recommends that you use an LLQ priority queue only to transport Voice Over IP traffic.) Since we're mentioning "priority" so often here, it shouldn't surprise you to learn that the command to enable LLQ is priority.
Before LLQ Configuration

Before we configure LLQ, there are a couple of commands and services we've mentioned that don't play well with LLQ:
WRED and LLQ can't work together. Why? Because WRED is effective only with TCP-based traffic, and the voice traffic that will use LLQ's priority queue is UDP-based. The random-detect and priority commands can't be used in the same class. By its very nature, LLQ doesn't have strict queue limits, so the queue-limit and priority commands are mutually exclusive. Finally, the bandwidth and priority commands are also mutually exclusive.
108
Example
R2#show access-list Extended IP access list 155 permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 17000 18000 permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 20000 21000 R2(config)#class-map VOICE_TRAFFIC_PRIORITY R2(config-cmap)#match access-group 155 R2(config)#policy-map VOICE R2(config-pmap)#class VOICE_TRAFFIC_PRIORITY R2(config-pmap-c)#priority 45 R2(config-pmap-c)#class class-default R2(config-pmap-c)#fair-queue R2(config-pmap-c)#interface serial0 R2(config-if)#service-policy output VOICE
Priority Queueing The "next level" of queueing is Priority Queueing (PQ), where four predefined queues exist: High, Medium, Normal, and Low. Traffic is placed into one of these four queues through the use of access lists and priority lists. The High queue is also called the strict priority queue, making HQ and LLQ the queueing solutions to use when a priority queue is needed.
Predefined queues Part 1 These four queues are predefined, as are their limits:
High-Priority Queue: 20 Packets Medium-Priority Queue: 40 Packets Normal-Priority Queue: 60 Packets Low-Priority Queue: 80 Packets
109
Predefined queues Part 2

It won't surprise you to learn that these limits can be changed. Before we configure PQ and change these limits, there's one very important concept that you must keep in mind when developing a PQ strategy. PQ is not round-robin; when there are packets in the High queue, they're going to be sent before any packets in the lower queues. If too many traffic types are configured to go into the High and Medium queues, packets in the Normal and Low queues may never be sent! This is sometimes referred to as traffic starvation or packet starvation. (I personally think it's more like queue starvation, but the last thing we need is a third name for it.)
Custom Queueing
Custom Queueing (CQ) takes PQ one step further - CQ actually allows you to define how many bytes will be forwarded from every queue when it's that queue's turn to transmit. CQ doesn't have the same queues that PQ has, though. CQ has 17 queues, with queues 1 - 16 being configurable. Queue Zero carries network control traffic and cannot be configured to carry additional traffic. By default, the packet limit for each configurable queue is 20 packets and each will send 1500 bytes when it's that queue's turn to transmit.
Network Control Traffic The phrase "network control traffic" in regards to Queue Zero covers a lot of traffic. Traffic that uses Queue Zero includes.
Hello packets for EIGRP, OSPF, IGRP, ISIS Syslog messages STP keepalives
110
Round-Robin System
CQ uses a round-robin system to send traffic. When it's a queue's turn to send, that queue will transmit until it's empty or until the configured byte limit is reached. By configuring a byte-limit, CQ allows you to allocate the desired bandwidth for any and all traffic types. Configuring CQ is basically a three-step process:
Define the size of the queues Define what packets should go in each queue Define the custom queue list by applying the list to the appropriate interface
111

BCMSN: Cisco CCNP

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

BCMSN: Cisco CCNP

Încărcat de

Drepturi de autor:

Formate disponibile

BCMSN

Building Cisco Multilayer Switched Networks

Train Signal, Inc., 2002-2007

Welcome To Your BCMSN Video Boot Camp!

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

LAN Switching Basics

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Fast Ethernet Part 1

Fast Ethernet Part 2

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

Long Range Ethernet

Train Signal, Inc., 2002-2007

A Quick Cable Review

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

Destination MAC Part 1

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Destination MAC Part 2

Train Signal, Inc., 2002-2007

Content Addressable Memory Table

... but they're all the same thing.

Train Signal, Inc., 2002-2007

Cisco Filename Part 1

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Cisco Filename Part 2

Autorecovery From An Err-Disabled State

Virtual LANs (VLANs)

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Reasons for VLANs Part 1

Train Signal, Inc., 2002-2007

Reasons for VLANs Part 2

Reasons for VLANs Part 3

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

Speed and Duplex Settings

VLAN Membership Policy Server Part 1

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

VLAN Membership Policy Server Part 3

Some things to watch out for when configuring VMPS:

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

Train Signal, Inc., 2002-2007

Other dot1q facts you should be familiar with:

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

Train Signal, Inc., 2002-2007

switchport trunk encapsulation command Part 1

Train Signal, Inc., 2002-2007

switchport trunk encapsulation command Part 2

Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com