Cisco CCNP
Your Instructor:
Chris Bryant, CCIE #12933
Earned my CCIE on February 26, 2004
Founded The Bryant Advantage in June of that year
My Video Boot Camps and other study materials place an emphasis on clearly explained theory and plenty of work on REAL CISCO routers and switches
Real Education + Real Equipment = Real CCNAs and CCNPs
A+, Network+, Security+, and Microsoft Vista Certification tutorials and study tools
Visit the website: www.thebryantadvantage.com
Train Signal, Inc., 2002-2007
Exam Prep Tips: Take your time and master the material. Get some hands-on work with the BCMSN-level protocols. Do not practice debugs on a production network at any time. Get plenty of rest the day before exam. By that time, the die is cast. Don't cram for the exam. Prepare.
Ethernet, Fast Ethernet, Gig Ethernet
Quick cabling overview
Basic Switch Operation
Filenames and autorecovery
Ethernet
Good old "basic" Ethernet is based on IEEE 802.3, and offers a bandwidth of 10 MB to end users. The more users there are on an Ethernet segment, the higher the chance of collisions, which render signals sent by the hosts to an unusable state. When the hosts are connected to their own individual switch ports, they will each get a dedicated 10 MB and the chance of collisions is eliminated. Each port on a switch is its own collision domain. Ethernet uses UTP cabling (Unshielded Twisted Pair), and this cable type has a length limit of 100 meters. Referring to the Cisco three-layer networking model, Ethernet is generally going to be found at the access layer, connecting end users to the network.
Gigabit Ethernet
The next logical step is Gigabit Ethernet, often referred to as "Gig Ethernet". Gig Ethernet will support speeds up to 1000 MBPS, or 1 Gigabit Per Second (GBPS). The cabling you use with your Gig Ethernet ports is going to vary widely. The necessary cable is determined by the Gigabit Ethernet standard in use on your particular switch. Some of the more common cable types to use with Gigabit Ethernet are Shielded Twisted-Pair (STP), Multimode Fiber (MMF) cable with either a 50- or 62.5 micron core, and Single-Mode Fiber (SMF) with an 8-, 9-, or 50-micron core. Make sure to check your switch's documentation before you start buying cables!
10 Gigabit Ethernet
Often referred to in documentation as 10GbE. 10Gig Ethernet will only work on fiber-optic and in full-duplex mode. (That's the only way all that speed can be used!)
What's A "Geebic"?
A GBIC, pronounced "geebic", is a module that fits into a Gig Ethernet port. These modules are hot-swappable for easier migration to a new media type.
MAC Table
A switch uses Layer 2 addresses, more commonly referred to as MAC addresses, to forward or filter frames as needed. When a switch is first powered on, its MAC address table is empty. While a MAC table can be populated with static MAC entries, it's more efficient to have the switch learn the addresses dynamically. The switch does this by examining the source MAC address before deciding how to get the frame to the destination MAC address. When a switch examines the source MAC of a frame, the switch checks its MAC table to see if there's an entry for that address. If not, the switch adds that address to its MAC table along with the port used to reach that address.
There's one more reason that may lead you to create VLANs. If you have a network segment with hosts whose very existence should not be known by the rest of the network, just put these hosts into their own VLAN. Unless you then make them known to the rest of the network via router-on-a-stick or a Layer 3 switch, these hosts will not be known or reachable by hosts in other VLANs.
Static VLAN
It's easy to put a port into a static VLAN, but there are two commands needed to do so. By default, these ports are running in dynamic desirable trunking mode, meaning that the port is actively attempting to form a trunk with a remote switch. The problem is that a trunk port belongs to all VLANs by default, and we want to put this port into a single VLAN only.
VLAN Membership Policy Server Part 2
VMPS uses a TFTP server to help in this dynamic port assignment scheme. A database on the TFTP server that maps source MAC addresses to VLANs is downloaded to the VMPS server, and that downloading occurs every time you power cycle the VMPS server. VMPS uses UDP to listen to client requests.
Trunk Part 1
A trunk is a point-to-point connection between two physically connected switches that allows traffic to flow between the switches, regardless of the VLAN the traffic is destined for. By default, a trunk port is a member of all VLANs, so traffic for any and all VLANs can travel across this trunk. That includes broadcast traffic! How does the receiving switch know what VLAN the frame belongs to? The frames are tagged by the transmitting switch with a VLAN ID, reflecting the number of the VLAN whose member ports should receive this frame. When the frame arrives at the remote switch, that switch will examine this ID and then forward the frame appropriately.
Trunk Part 2
You may have had a CCNA flashback when I mentioned "dot1q"! There were quite a few differences between the trunking protocols ISL and dot1q, so let's review those before we examine a third trunking protocol that you didn't learn during your CCNA studies. For a trunk to form successfully, the ports must agree on the speed, the duplex setting, and the encapsulation type. Many Cisco switches offer the choice of ISL and IEEE 802.1q - and I can practically guarantee your BCMSN exam just might discuss these encap types! Let's take a detailed look at each right now.
ISL Part 1
ISL is Cisco-proprietary, making it unsuitable for a multivendor environment. That's one drawback, but there are others. ISL will place both a header and trailer onto the frame, encapsulating it. This increases the overhead on the trunk line. You know that the default VLAN is also known as the "native VLAN", and another drawback to ISL is that ISL does not use the concept of the native VLAN. This means that every single frame transmitted across the trunk will be encapsulated. The 26-byte header that is added to the frame by ISL contains the VLAN ID; the 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame's integrity.
ISL Part 2
In turn, this encapsulation leads to another potential issue. ISL encapsulation adds 30 bytes total to the size of the frame, potentially making it too large for the switch to handle. (The maximum size for an Ethernet frame is 1518 bytes. Frames larger than that are called giants.) For that reason, if one trunking switch is using ISL and its remote partner is not, the remote partner will consider the ISL-encapsulated frames as giants.
Dot1q Part 1
In contrast, dot1q does not encapsulate frames. A 4-byte header is added to the frame, resulting in less overhead than ISL and resulting in a maximum frame size of 1522 bytes. If the frame is destined for hosts residing in the native VLAN, even that small header isn't added. Since the dot1q header is only 4 bytes in size, and isn't even placed on every frame, using dot1q lessens the chance of oversized frames. When the remote port receives an untagged frame, the switch knows that these untagged frames are destined for the native VLAN.
Dot1q Part 2
Point-to-point Protocols
Believe it or not, ISL and dot1q actually have something in common! They're both considered point-to-point protocols, since by definition a trunk only has two endpoints, and that's it - just like ISDN. Also notice that there's a 4-byte addition in both ISL and dot1q - make sure to have them straight:
ISL: 4-byte trailer (with CRC value)
dot1q: 4-byte header inserted into the frame
Gotchas Part 1
I've created a lot of trunks over the years, and I've bumped into quite a few "gotchas" that you might not think to look at in a production network.
For trunks to work properly, the port speed and port duplex setting should be the same on the two trunking ports. ISL switches don't care about the native VLAN setting, because they don't use the native VLAN to begin with. Giants are frames that are larger than 1518 bytes, and these can occur on ISL trunks since ISL adds 30 bytes to the frame. Some Catalyst switches have Cisco-proprietary hardware that allows them to handle the larger frames. Check the documentation for your switch to see if this is the case for your model.
Gotchas Part 2
Dot1q does add 4 bytes to the frame, but thanks to IEEE 802.3ac, the maximum frame length can be extended to 1522 bytes. (The opposite of a giant is a runt. While giants are too large to be successfully transmitted, runts are frames less than 64 bytes in size.) Both switches must be in the same VTP domain - watch those domain names, they're case-sensitive. If you're working on a multilayer switch (also called a "Layer 3 switch"), make sure the port you want to trunk is a Layer 2 port by configuring the interface-level command switchport on it. You can configure a 10, 100, or 1000 MBPS interface as a trunk. Changing the native VLAN on one switch does not dynamically change the native VLAN on a remote trunking partner.
Native VLAN
By default, the native VLAN is VLAN 1. The native VLAN is the VLAN the port will belong to when it is not trunking, regardless of whether it once was a trunk port. The native VLAN can be changed with the switchport trunk native vlan command, but you should be prepared for an error message very quickly after configuring it on one side of the trunk. We'll change the native VLAN setting on fast 0/11 on one side of an existing trunk and see what happens. Changing the native VLAN on one switch in a trunk does not automatically change it for the other switch!
Trunk mode
Trunk mode means just that - this port is in unconditional trunk mode and cannot be an access port. Since this port cannot negotiate, it's standard procedure to place the remote port in trunk mode. Turning off DTP when you place a port in trunk mode is a great idea, because there's no use in sending negotiation frames every 30 seconds if no negotiation is necessary! Dynamic desirable is the default setting for most Cisco switch ports today. If the local switch port is running dynamic desirable and the remote switch port is running in trunk, dynamic desirable, or dynamic auto, a trunk will form. This is because a port in dynamic desirable mode is sending and responding to DTP frames. If you connect two 2950s with a crossover cable, a trunk will form in less than 10 seconds with no additional configuration needed.
Naming VLANs
You can give your VLAN a more intuitive name with the name command.
Snowflakes Part 1
Learning to design anything from a class or study guide can be frustrating, because like snowflakes, no two networks are alike. What works well for "Network A" may be inefficient for "Network B". You need to know about the following VLAN design types for both the exam and the real world, but as always you've got to be able to apply your knowledge to your network's needs. In my BSCI Study Guide's discussion of Cisco's Three-Layer Hierarchical Networking Model, I mention that it's important to let the Distribution layer handle the "little things" in order to allow the core switches to do what they do best - switch!
Snowflakes Part 2
With VLAN design, we're looking at much the same scenario. If we don't control broadcast and multicast traffic, it can soon affect our network negatively, particularly if we allow it to flow through the core switches. Your VLAN scheme should keep as many broadcasts and multicasts away from the core switches as is possible. There are two major VLAN designs, end-to-end and local. Watch the details here, as one is following the 80/20 rule and the other is following the 20/80 rule.
Local VLANs
Local VLANs are designed with the 20/80 rule in mind. Local VLANs assume that 20 percent of traffic is local in scope, while the other 80 percent will traverse the network core. While physical location is unimportant in end-to-end VLANs, users are grouped by location in Local VLANs. More and more networks are using centralized data repositories, such as server farms - and even in the simplified network diagram above, the end user must go across a WAN to reach the server farm, another reason that 80/20 traffic patterns aren't seen as often as they were in the past.
VTP
VLAN Trunking Protocol (VTP) allows each switch in a network to have an overall view of the active VLANs. VTP also allows network administrators to restrict the switches upon which VLANs can be created, deleted, or modified.
Server mode
In Server mode, a VTP switch can be used to create, modify, and delete VLANs. This means that a VTP deployment has to have at least one Server, or VLAN creation will not be possible. This is the default setting for Cisco switches. Switches running in Client mode cannot be used to create, modify, or delete VLANs. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes. VTP Transparent mode actually means that the switch isn't participating in VTP. (Bear with me here.) Transparent VTP switches don't synchronize their VTP databases with other VTP speakers; they don't even advertise their own VLAN information! Therefore, any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain, making them locally significant only.
VTP Versions
There are two versions of VTP, V1 and V2, and the main difference between the two versions affects how a VTP Transparent switch handles an incoming VTP advertisement.
VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch is the same as that of downstream switches.
VTP Version 2: The Transparent switch will forward VTP advertisements via its trunk port(s) even if the domain name does not match.
Switches
VTP Advertisements are multicasts, but they are not sent out every port on the switch. The only devices that need the VTP advertisements are other switches that are trunking with the local switch, so VTP advertisements are sent out trunk ports only. The hosts in VLAN 10 in the following exhibit would not receive VTP advertisements.
Along with the VTP domain name, VTP advertisements carry a configuration revision number that enables VTP switches to make sure they have the latest VLAN information. VTP advertisements are sent when there has been a change in a switch's VLAN database, and this configuration revision number increments by one before it is sent.
Potential issue
This brings up a potential issue that I've seen more than once in the real world. When you introduce a new switch into a VTP domain, you have to make sure that its revision number is zero - and that goes for Clients as well as Servers.
Revision number
I've seen this happen with switches that were brought in to swap out with a downed switch. That revision number has to be reset to zero! If you ever see VLAN connectivity suddenly lost in your network, but the switches are all functional, you should immediately check to see if a new switch was recently installed. If the answer is yes, I can practically guarantee that the revision number is the issue.
Cisco Theory
Cisco theory holds that there are two ways to reset a switch's revision number to zero:
Change the VTP domain name to a nonexistent domain, then change it back to the original name.
Change the VTP mode to Transparent, then change it back to Server.
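The revision-number problem from the last few slides, modelled in Python as an added example written for this page (it is a simplified model, not IOS code and not Train Signal's material). The digest function stands in for the MD5 hash a summary advertisement carries; the switch names, domain name, password and VLAN databases are constructed.

```python
import hashlib
from dataclasses import dataclass, field

SERVER, CLIENT, TRANSPARENT = "server", "client", "transparent"


def vtp_digest(domain, revision, password, vlans):
    """Simplified stand-in for the MD5 hash in a summary advertisement.
    Real VTP hashes the VLAN database together with the password; here the
    inputs are just joined, so a password mismatch changes the digest."""
    body = f"{domain}|{revision}|{password}|{sorted(vlans.items())}"
    return hashlib.md5(body.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    digest: str
    vlans: dict      # contents of the subset advertisement(s) that follow


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = SERVER
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self):
        digest = vtp_digest(self.domain, self.revision, self.password, self.vlans)
        return Advertisement(self.domain, self.revision, digest, dict(self.vlans))

    def receive(self, adv):
        """Apply the acceptance rules; return what happened as a short string."""
        if self.mode == TRANSPARENT:
            return "ignored: transparent mode"
        if adv.domain != self.domain:          # domain names are case-sensitive
            return "ignored: domain mismatch"
        expected = vtp_digest(adv.domain, adv.revision, self.password, adv.vlans)
        if adv.digest != expected:
            return "ignored: MD5 mismatch (password)"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv.vlans)            # higher revision wins: overwrite
        self.revision = adv.revision
        return "accepted"

    def change_vlans(self, vlans):
        if self.mode == CLIENT:
            raise PermissionError("a client cannot create, modify or delete VLANs")
        self.vlans = dict(vlans)
        if self.mode == SERVER:
            self.revision += 1                  # increments before the ad is sent

    def set_domain(self, domain):
        """Reset method 1: a domain-name change zeroes the revision number."""
        self.domain = domain
        self.revision = 0

    def set_mode(self, mode):
        """Reset method 2: going to transparent zeroes the revision number."""
        self.mode = mode
        if mode == TRANSPARENT:
            self.revision = 0


def preinstall_check(switch):
    """Defensive check to run before a switch is cabled into a production domain."""
    problems = []
    if switch.revision != 0:
        problems.append(f"{switch.name}: revision is {switch.revision}, expected 0")
    if switch.mode == SERVER:
        problems.append(f"{switch.name}: still in server mode")
    return problems


def simulate_replacement(reset_first):
    """Constructed scenario: SW1 (server) and SW2 (client) share VLANs 10 and 20
    at revision 5. A spare SW3 from the lab still carries revision 12 and only
    VLAN 99. Returns SW2's VLAN database after SW3 is connected."""
    prod = {1: "default", 10: "users", 20: "servers"}
    sw1 = Switch("SW1", "CORP", SERVER, "s3cret", 5, dict(prod))
    sw2 = Switch("SW2", "CORP", CLIENT, "s3cret", 5, dict(prod))
    sw3 = Switch("SW3", "CORP", SERVER, "s3cret", 12, {1: "default", 99: "lab"})
    if reset_first:                 # transparent and back, as the slides advise
        sw3.set_mode(TRANSPARENT)
        sw3.set_mode(CLIENT)
    for sw in (sw1, sw2):
        sw.receive(sw3.advertise())
    sw3.receive(sw1.advertise())
    return sw2.vlans
```

Run simulate_replacement(False) and VLANs 10 and 20 disappear from the production client; run it with True and the spare learns the production database instead.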
VTP Advertisements
There are three major types of VTP advertisements - here's what they are and what they do. Keep in mind that Cisco switches only accept VTP advertisements from other switches in the same VTP domain. Summary Advertisements are transmitted by VTP servers every 5 minutes, or upon a change in the VLAN database. Information included in the summary advertisement:
VTP domain name and version
Configuration revision number
MD5 hash code
Timestamp
Number of subset advertisements that will follow this ad
Subset Advertisements
Subset Advertisements are transmitted by VTP servers upon a VLAN configuration change. Subset ads give specific information regarding the VLAN that's been changed, including:
Whether the VLAN was created, deleted, activated, or suspended
The new name of the VLAN
The new Maximum Transmission Unit (MTU)
VLAN Type (Ethernet, Token Ring, FDDI)
VTP Pruning
Trunk ports belong to all VLANs, which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the remote switch actually has ports in that VLAN or not!
Enabling pruning
Enabling pruning on one VTP Server actually enables pruning for the entire domain, but I wanted to show you that a switch has to be in Server mode to have pruning enabled. It doesn't hurt anything to enter the command vtp pruning on all Servers in the domain, but it's unnecessary.
By now, you've probably noticed that the first field in the readout of show vtp status is the VTP version. The first version of VTP was VTP Version 1, and that is the default of some older Cisco switches. The next version was Version 2, and that's the default on many newer models, including the 2950. As RIPv2 has advantages over RIPv1, VTP v2 has several advantages over VTPv1. Version 2 supports Token Ring VLANs and Token Ring switching, where Version 1 does not.
Consistency check
When changes are made to VLANs or the VTP configuration at the command-line interface (CLI), Version 2 will perform a consistency check. So what's being checked? VLAN names and numbers. This helps to prevent incorrect / inaccurate names from being propagated throughout the network. A switch running VTPv2 and Transparent mode will forward VTP advertisements received from VTP Servers in that same domain.
write erase
Those of you with switches in your home labs have probably run into this situation. You run a write erase on your routers, reload them, and since NVRAM is now empty, you're prompted to go into setup mode. All IP addressing, routing protocols, static routes - everything's gone.
VTP password
By setting a VTP password, you place the entire VTP domain into Secure Mode. Every switch in the domain must have a matching password.
We'll talk about TCNs later in this section, but for now it's enough to know that the name is the recipe - a switch sends a TCN when there is a change in the network topology.
Configuration BPDUs
Configuration BPDUs are used for the actual STP calculations. Once a root bridge is elected, only that root bridge will originate Configuration BPDUs; the non-root bridges will forward copies of that BPDU. BPDUs also carry out the election to decide which switch will be the Root Bridge. The Root Bridge is the "boss" of the switching network - this is the switch that decides what the STP values and timers will be. Each switch will have a Bridge ID Priority value, more commonly referred to as a BID. This BID is a combination of a default priority value and the switch's MAC address, with the priority value listed first. For example, if a Cisco switch has the default priority value of 32,768 and a MAC address of 11-22-33-44-55-66, the BID would be 32768:11-22-33-44-55-66. Therefore, if the switch priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election.
Root port
The port that SW2 is using to reach the root bridge is called the root port, and it wasn't selected at random. Each switch port has an assigned Path Cost, and this Path Cost is used to arrive at the Root Path Cost. The BPDU actually carries the Root Path Cost, and this cost increments as the BPDU is forwarded throughout the network. A port's Path Cost is locally significant only and is unknown by downstream switches.
The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BPDU, that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. Root Path Cost increments as BPDUs are received, not sent. That new root path cost value will be reflected in the BPDU that switch then sends out.
The Path Cost is locally significant only. In the previous example, SW3 doesn't have any idea what the Path Cost on SW2 is, and doesn't particularly care. No switch downstream of SW3 will know of any Path Costs on SW2 or SW3; the downstream switches will only see the cumulative cost, the Root Path Cost.
How Root Path Costs Are Determined
The default STP Path Costs are determined by the speed of the port. These path costs have changed from their original values, so you'll be shown both here. The costs we'll see on the switches in this section are the revised costs.
10 MBPS Port: Originally 100, still 100
100 MBPS Port: Originally 10, now 19
1 GBPS Port: Originally 1, now 4
10 GBPS Port: Originally 1, now 2
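The root bridge election and the Root Path Cost rules from the last few slides, worked through in Python as an added example (written for this page, not code from Cisco or Train Signal). The topology is constructed so that its results match the show spanning-tree outputs later in this section; the port names on the 10 Mbps link are made up, and the sender port-ID tiebreak is left out of the model.

```python
import heapq

# Revised IEEE path costs from the table above, keyed by port speed in Mbps.
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(base_priority, vlan, mac):
    """BID as a comparable tuple: (base priority + sys-id-ext, MAC address).
    Tuple comparison gives the election rule: lowest priority wins, and a
    priority tie is broken by the lowest MAC address."""
    return (base_priority + vlan, mac.lower())


def spanning_tree(switches, links, vlan):
    """switches: {name: (base_priority, mac)}
    links: list of (sw_a, port_a, sw_b, port_b, speed_mbps), both ends at the
    same speed. Returns (root_name, {name: (root_path_cost, root_port)}); the
    root has cost 0 and no root port. Root Path Cost grows by the cost of the
    port a BPDU is RECEIVED on, so the weight of the hop a -> b is b's port
    cost. Equal costs are broken by the lowest sender BID."""
    bids = {n: bridge_id(prio, vlan, mac) for n, (prio, mac) in switches.items()}
    root = min(bids, key=bids.get)

    # switch -> [(neighbor, neighbor's ingress port, that port's cost)]
    adj = {name: [] for name in switches}
    for a, port_a, b, port_b, speed in links:
        adj[a].append((b, port_b, PATH_COST[speed]))
        adj[b].append((a, port_a, PATH_COST[speed]))

    best = {}
    # heap entries: (root path cost, sender BID, ingress port, receiving switch)
    heap = [(0, bids[root], "", root)]
    while heap:
        cost, _sender, port, node = heapq.heappop(heap)
        if node in best:
            continue                   # a superior BPDU already won on this switch
        best[node] = (cost, port or None)
        for nbr, nbr_port, nbr_cost in adj[node]:
            if nbr not in best:
                heapq.heappush(heap, (cost + nbr_cost, bids[node], nbr_port, nbr))
    return root, best


# Constructed topology: SW3 has been made root primary (24576); SW2 and SW1
# keep the default priority. VLAN 20 gives every switch a sys-id-ext of 20.
SWITCHES = {
    "SW3": (24576, "0011.9375.de00"),
    "SW2": (32768, "0018.19c7.2700"),
    "SW1": (32768, "0019.557d.8880"),
}
LINKS = [
    ("SW3", "Fa0/11", "SW2", "Fa0/22", 100),  # SW2 reaches the root at cost 19
    ("SW2", "Fa0/13", "SW1", "Fa0/13", 100),  # SW1 via SW2: 19 + 19 = 38
    ("SW3", "Et0/1", "SW1", "Et0/1", 10),     # direct 10 Mbps path costs 100, so it loses
]

if __name__ == "__main__":
    root, tree = spanning_tree(SWITCHES, LINKS, 20)
    prio, mac = SWITCHES[root]
    print("root:", root, "BID:", bridge_id(prio, 20, mac))
    for name, (cost, port) in tree.items():
        print(f"{name}: root path cost {cost}, root port {port}")
```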
Like other STP commands and features, this is another command that you should have a very good reason for configuring before using it. Make sure to add up the Root Path Cost for other available paths before changing a port's Path Cost to ensure you're getting the results you want - or perhaps avoid results you don't want! In the following example, SW2 shows a Path Cost of 19 for both ports 0/11 and 0/12.
Disabled isn't generally thought of as an STP port state; you're not going to look into the STP table of a VLAN and see "DIS" next to a port. Cisco does officially consider this to be an STP state, though. A disabled port is one that is administratively shut down. A disabled port obviously isn't forwarding frames, but it's not even officially taking part in STP.
learning mode
When the port goes into learning mode, it's not yet forwarding frames, but the port is learning MAC addresses by adding them to the switch's MAC address table. Finally, a port enters forwarding mode. This allows a port to forward and receive data frames, send and receive BPDUs, and place MAC addresses in its MAC table. To see the STP mode of a given interface, use the show spanning-tree interface command.
Timers Part 1
You may remember these timers from your CCNA studies as well, and you should also remember that these timers should not be changed lightly. What you might not have known is that if you decide to change any and all of these timers, that change must be configured on the root bridge! The root bridge will inform the nonroot switches of the change via BPDUs. Don't believe me? :) We'll prove that very shortly. Right now, let's review the STP timer basics.
Timers Part 2
Hello Time defines how often the Root Bridge will originate Configuration BPDUs. By default, this is set to 2 seconds. Forward Delay is the length of both the listening and learning STP stages, with a default value of 15 seconds. Maximum Age, referred to by the switch as MaxAge, is the amount of time a switch will retain the superior BPDU's contents before discarding it. The default is 20 seconds.
Example 1
SW3(config)#spanning vlan 20 root primary
SW3#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0011.9375.de00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24596  (priority 24576 sys-id-ext 20)
             Address     0011.9375.de00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
Example 2
SW2#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     0011.9375.de00
             Cost        19
             Port        24 (FastEthernet0/22)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0018.19c7.2700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Example 3
SW1#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     0011.9375.de00
             Cost        38
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0019.557d.8880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Example 4
SW1(config)#spanning vlan 20 root secondary
SW1#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0011.9375.de00
             Cost        38
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec

  Bridge ID  Priority    28692  (priority 28672 sys-id-ext 20)
             Address     0019.557d.8880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
I'm sure you remember the Cisco Three-Layer Hierarchical Model, which lists the three layers of a switching network - Core, Distribution, and Access. Access switches are those found closest to the end users, and the root bridge should not be an access-layer switch. Ideally, the root bridge should be a core switch, which allows for the highest optimization of STP.
Configuration BPDUs are originated only by the root bridge, but a TCN BPDU will be generated by any switch in the network when one of two things happen:
A port goes into Forwarding mode
A port goes from Forwarding or Learning mode into Blocking mode
While the TCN BPDU is important, it doesn't give the other switches a lot of detail. The TCN doesn't say exactly what happened, just that something happened.
This indicates to all receiving switches that the default aging time for their MAC tables should be changed from the default of 5 minutes to whatever the Forward Delay value is - by default, that's 15 seconds. (Another reason to be careful, if not downright hesitant, to start adjusting STP timers.) A natural question is "How long will the aging time for the MAC table stay at the Forward Delay value?" Here's the quick formula for the answer: (Forward Delay) + (Max Age) Assuming the default settings, that's a total of 35 seconds... and yet another reason to consider leaving the STP timers at their defaults!
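The dynamic MAC learning from the MAC Table slide, combined with the aging change a topology change triggers as just described, as an added Python example written for this page (not switch code and not Train Signal's material). Port names, MAC addresses and timestamps are constructed; time is passed in as plain seconds so the aging can be stepped through deterministically.

```python
FORWARD_DELAY = 15      # seconds, STP default
MAX_AGE = 20            # seconds, STP default
DEFAULT_AGING = 300     # seconds: the normal 5-minute MAC aging time
BROADCAST = "ffff.ffff.ffff"


class MacTable:
    """Dynamic MAC table of one switch."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.entries = {}                # mac -> (port, last_seen)
        self.aging = DEFAULT_AGING
        self.short_aging_until = None    # when the TCN-shortened aging ends

    def _expire(self, now):
        # FwdDelay + MaxAge after the TCN, the aging time returns to 5 minutes
        if self.short_aging_until is not None and now >= self.short_aging_until:
            self.aging = DEFAULT_AGING
            self.short_aging_until = None
        self.entries = {mac: (port, seen) for mac, (port, seen) in self.entries.items()
                        if now - seen < self.aging}

    def topology_change(self, now):
        """Handle a Configuration BPDU carrying the topology-change flag: entries
        now age out after Forward Delay instead of 5 minutes, and that lasts for
        Forward Delay + Max Age seconds (35 s with default timers)."""
        self.aging = FORWARD_DELAY
        self.short_aging_until = now + FORWARD_DELAY + MAX_AGE
        self._expire(now)

    def lookup(self, mac, now):
        """Port an address is currently learned on, or None if it has aged out."""
        self._expire(now)
        return self.entries.get(mac, (None, None))[0]

    def receive(self, ingress, src, dst, now):
        """Learn src on the ingress port, then return the egress port list:
        a known unicast is forwarded (or filtered if it would go back out the
        ingress port); broadcasts and unknown unicasts are flooded."""
        self._expire(now)
        self.entries[src] = (ingress, now)           # learn or refresh
        if dst == BROADCAST or dst not in self.entries:
            return [p for p in self.ports if p != ingress]
        port, _ = self.entries[dst]
        return [] if port == ingress else [port]
```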
Cisco switching veterans just know that Portfast has to get involved here somewhere! Portfast-enabled ports cannot result in TCN generation, which makes perfect sense. The most common usage of Portfast is when a single PC is connected directly to the switch port, and since such a port going into Forwarding mode doesn't impact STP operation, there's no need to alert the entire network about it.
The BID priority is the default priority of 32768 plus the System ID Extension value (sys-id-ext). The sys-id-ext value just happens to be the VLAN number, so the BID priority is 32768 + 20, which equals 32788. Some switches running CatOS can support this feature; with those switches, it's called STP MAC Address Reduction. Disabled by default, it can be enabled with the set spantree macreduction command. (set commands are run on CatOS switches only - IOS-based switches use the CLI commands you see throughout this book.)
Portfast, Uplinkfast, Backbonefast
Root Guard, BPDU Guard, Loop Guard
UDLD, BPDU Skew Detection
Rapid STP, PVST, PVST+, CST, MST
Portfast
You should remember this one from your CCNA studies! Suitable only for switch ports connected directly to a single host, Portfast allows a port running STP to go directly from blocking to forwarding mode.
Uplinkfast
When a port goes through the transition from blocking to forwarding, you're looking at a 50-second delay before that port can actually begin forwarding frames. Configuring a port with Portfast is one way to get around that, but again, you can only use it when a single host device is found off the port. What if the device connected to a port is another switch?
Root port
The original root port will become the root port again when it detects that its link to the root switch has come back up. This does not take place immediately. The switch uses the following formula to determine how long to wait before transitioning the original root port back to the forwarding state: (2 x FwdDelay) + 5 seconds
Immediate action
Uplinkfast will take immediate action to ensure that a switch cannot become the root switch -- actually, two immediate actions!
First, the switch priority will be set to 49,152, which means that if all other switches are still at their default priority, they'd all have to go down before this switch can possibly become the root switch. Additionally, the STP Port Cost will be increased by 3000, making it highly unlikely that this switch will be used to reach the root switch by any downstream switches.
Backbonefast
Uplinkfast and Portfast are great, but they've got limitations on when they can and should be run. You definitely can't run either one in a network backbone, but the Cisco-proprietary feature Backbonefast can be used to help recover from indirect link failures. The key word there is indirect. If a core switch detects an indirect link failure - a failure of a link that is not directly connected to the core switch in question - Backbonefast goes into action. This indirect link failure is detected when an inferior BPDU is received. When BackboneFast is configured, this process skips the MaxAge stage. While this does not eliminate delays as efficiently as PortFast and UplinkFast, the delay is cut from 50 seconds to 30. (MaxAge's default value is 20 seconds, but the 15-second Listening and Learning stages still have to run.)
BackboneFast uses the Root Link Query (RLQ) protocol. RLQ uses a series of requests and responses to detect indirect link outages. RLQ requests are transmitted via the ports that would normally be receiving BPDUs. The purpose of these RLQ requests is to ensure that the local switch still has connectivity to the root switch. The RLQ request identifies the bridge that is considered the root bridge, and the RLQ response will identify the root bridge that can be accessed via that port. If they're one and the same, everything's fine.
RLQ Request
Upon receiving an RLQ request, a switch will answer immediately under one of two conditions:
The receiving switch is indeed the root bridge named in the RLQ request
The receiving switch has no connectivity to the root bridge named in the RLQ request, because it considers another switch to be the root bridge
The third possibility is that the receiving switch is not the root, but considers the root switch named in the RLQ request to indeed be the root switch. In that case, the RLQ request is relayed toward the root switch by sending it out the root port.
Root Guard
Root Guard is configured at the port level, and disqualifies any switch that is downstream from that port from becoming the root or secondary root. Root Guard will actually block that superior BPDU, discard it, and put the port into root-inconsistent state. When those superior BPDUs stop coming, SW3 will allow that port to transition normally through the STP port states.
BPDU Guard
BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled.
Normal mode
When a unidirectional link is detected in normal mode, UDLD generates a syslog message but does not shut the port down. In aggressive mode, the port will be put into error disabled state ("err-disabled") after eight UDLD messages receive no echo from the remote switch. Why is it called "aggressive"? Because the UDLD messages will go out at a rate of one per second when a potential unidirectional link is found.
A duplex mismatch between two trunking switches isn't quite a unidirectional link, but it can indeed lead to a switching loop. You're not often going to change switch duplex settings, especially on trunk ports, but if you change one switch port's duplex setting, change that of any trunking partner! Believe it or not, the switching loop potential is caused by CSMA/CD! The full-duplex port will not perform CSMA/CD, but the half-duplex port will. The problem comes in when the half-duplex port listens to the segment, hears nothing, and sends frames as it normally would under CSMA/CD rules...
Loop Guard
We've had BPDU Guard, Root Guard, and now... Loop Guard! You can probably guess that the "loop" being guarded against is a switching loop... but how does Loop Guard prevent switching loops? Let's revisit an earlier example to see how the absence of BPDUs can result in a switching loop. Loop Guard does not allow a port to go from blocking to forwarding in this situation. With Loop Guard enabled, the port will go from blocking to loop-inconsistent, which is basically still blocking mode, and a switching loop will not form.
Transition States
Let's compare the transition states:
STP: disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding
There are other port types unique to RSTP. You know what a root port is, but RSTP also has edge ports and point-to-point ports. An edge port is just what it sounds like - a port on the edge of the network. In this case, it's a switch port that is connected to a single host, most likely an end user's PC. An edge port will operate just like an STP port that is running Portfast. A point-to-point port is any port that is connected to another switch and is running in full-duplex mode.
Another major difference between STP and RSTP is the way BPDUs are handled. With STP, only the root bridge is sending BPDUs every two seconds; the nonroot bridges simply forward, or relay, that BPDU when they receive it. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time, the interval at which switches send BPDUs, is two seconds in both STP and RSTP.)
This change not only allows all switches in the network to have a role in detecting link failures, but discovery of link failures is faster. Why? Because every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning that port. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.
MaxAge timer
When a switch running STP misses a BPDU, the MaxAge timer begins. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. By default, MaxAge is 20 seconds. When a switch running RSTP misses three BPDUs, it will immediately age out the superior BPDU's information and begin the STP recalculation process. Since the default hello-time is 2 seconds for both STP and RSTP, it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed.
BPDU format
The BPDU format is the same for STP and RSTP, but RSTP uses all of the flag bits available in the BPDU for various purposes, including state negotiation between neighbors, while STP uses only the Topology Change (TC) and Topology Change Ack (TCA) flags. The details of this negotiation are out of the scope of the BCMSN exam, but can easily be found on the Internet by searching for "RSTP" in your favorite search engine. The RSTP BPDU is also of a totally different type (Type 2, Version 2), which allows an RSTP-enabled switch to detect older switches. The switching features we looked at earlier in this section, UplinkFast, PortFast, and BackboneFast, are built into RSTP.
PVST
PVST doesn't play well at all with CST, so Cisco came up with PVST+. PVST+ is described by Cisco's website as having the same functionality as PVST, with the + version using dot1q rather than ISL. PVST+ is Cisco-proprietary as well. PVST+ can serve as an intermediary between groups of PVST switches and switches running CST; otherwise, the groups wouldn't be able to communicate. Using PVST+ along with CST and PVST can be a little difficult to fine-tune at first, but this combination is running in many a network right now - and working fine!
Configuration of MST
The configuration of MST involves logically dividing the switches into regions, and the switches in any given region must agree on the following:
The MST configuration name
The MST instance-to-VLAN mapping table
The MST configuration revision number
If any of these three values are not agreed upon by two given switches, they are in different regions. Switches send MST BPDUs that contain the configuration name, revision number, and a digest value derived from the mapping table.
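The three-value region check, as an added example that is not from the course: two switches belong to the same region only when name, revision and the mapping-table digest all match. The digest here is a plain MD5 stand-in for the HMAC-MD5 real MST switches compute; the switch configurations are constructed.

```python
import hashlib
from typing import Dict, Iterable, Tuple


def mst_digest(instance_to_vlans: Dict[int, Iterable[int]]) -> str:
    """Digest of the instance-to-VLAN mapping table.
    Real MST computes an HMAC-MD5 over a table of 4096 VLAN-to-instance entries;
    this stand-in hashes the same information (which of the 16 instances each
    VLAN 1-4094 belongs to) with plain MD5, which suffices to show the comparison."""
    table = bytearray(4096)             # index = VLAN id, value = MSTI; 0 = the IST
    for instance, vlans in instance_to_vlans.items():
        if not 0 <= instance <= 15:
            raise ValueError(f"MSTI {instance} is outside the 0-15 range")
        for vlan in vlans:
            table[vlan] = instance
    return hashlib.md5(bytes(table)).hexdigest()


def region_id(name: str, revision: int, instance_to_vlans) -> Tuple[str, int, str]:
    """The three values an MST BPDU carries to identify the sender's region."""
    return (name, revision, mst_digest(instance_to_vlans))


def same_region(switch_a, switch_b) -> bool:
    """Two switches share a region only if all three values agree."""
    return region_id(*switch_a) == region_id(*switch_b)


# Constructed configurations: (name, revision, mapping table) of four switches.
SW_A = ("CORP", 1, {1: [10, 20], 2: [30, 40]})
SW_B = ("CORP", 1, {2: [40, 30], 1: [20, 10]})    # same mapping, entered in another order
SW_C = ("CORP", 2, {1: [10, 20], 2: [30, 40]})    # revision bumped on one switch only
SW_D = ("CORP", 1, {1: [10, 20, 40], 2: [30]})    # VLAN 40 moved to MSTI 1 on one switch


if __name__ == "__main__":
    for label, other in (("SW_B", SW_B), ("SW_C", SW_C), ("SW_D", SW_D)):
        print(f"SW_A and {label} in the same region: {same_region(SW_A, other)}")
```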
MST configurations
MST configurations can become quite complex and a great deal of planning is recommended before implementing it. No matter the size of the network, however, keep the central point in mind - the purpose of MST is to map multiple VLANs to a lesser number of STP instances. A good way to get a mental picture of the interoperability of MST and CST is that CST will cover the entire network, and MST is a "subset" of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subnets, and it's MST's job to keep a loop-free topology in the MST region. CST doesn't know what's going on inside the region, and it doesn't want to know.
IST
The "IST" in each region stands for Internal Spanning Tree, and it's the IST instance that is responsible for keeping communications in the MST Region loop-free. Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 through 15. MSTI 0 is reserved for the IST instance, and only the IST is going to send MST BPDUs. Occasionally the first ten MST instances are referred to as "00" - "09". These are not hex values - they're regular old decimals. Here's the good part -- there's no such thing as "VTP For MST". Each and every switch in your MST deployment must be configured manually. (No, I'm not kidding!) When you create VLAN mappings in MST, you've got to configure every switch in your network with those mappings - they're not advertised.
Why Does Anyone Run STP Instead Of PVST?
Like the TCP vs. UDP argument from your CCNA studies, this seems like a bit of a no-brainer.
STP: 100 VLANs results in one STP process
PVST: 100 VLANs results in 100 STP processes, allowing for greater flexibility with trunk usage (per-VLAN load balancing, for example)
Etherchannels
Etherchannels aren't just important for your BCMSN studies, they're a vital part of many of today's networks. Knowing how to configure and troubleshoot them is a vital skill that any CCNP must have. Etherchannels are part of the CCNA curriculum, but many CCNA books either leave Etherchannels out entirely or mention them briefly. You may not have even seen an Etherchannel question on your CCNA exam, so we're going to begin this section with a review of what an Etherchannel is and why we would configure one. After that review, we'll begin an in-depth examination of how Etherchannels work, and I'll show you some real-world examples of common Etherchannel configuration errors to help you master this skill for the BCMSN exam and for the real world.
Logical Bundling
An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. This bundling of trunks is also referred to as aggregation. This provides greater throughput, and is another effective way to avoid the 50-second wait between blocking and forwarding states in case of a link failure. Spanning-Tree Protocol (STP) considers an Etherchannel to be one link. If one of the physical links making up the logical Etherchannel should fail, there is no STP reconfiguration, since STP doesn't know the physical link went down. STP sees only the Etherchannel, and a single link failure will not bring an Etherchannel down. Etherchannels use the Exclusive OR (XOR) algorithm to determine which channel in the EC to use to transmit data to the remote switch.
Logical Link
If one of the three physical links goes down, STP will not recalculate. While some bandwidth is obviously lost, the logical link itself stays up. Data that is traveling over the downed physical link will be rerouted to another physical link in a matter of milliseconds - it will happen so fast that you won't even hear about it from your end users!
Negotiating An Etherchannel
There are two protocols that can be used to negotiate an etherchannel. The industry standard is the Link Aggregation Control Protocol (LACP), and the Cisco-proprietary option is the Port Aggregation Protocol (PAgP). PAgP packets are sent between Cisco switches via ports that have the capacity to be placed into an etherchannel. First, the PAgP packets will check the capabilities of the remote ports against those of the local switch ports. The remote ports are checked for two important values.
The remote port group number must match the number configured on the local switch
The device ID of all remote ports must be the same - after all, if the remote ports are on separate switches, that would defeat the purpose of configuring an etherchannel!
PAgP
PAgP also has the capability of changing a characteristic of the etherchannel as a whole if one of the ports in the etherchannel is changed. If you change the speed of one of the ports in an etherchannel, PAgP will allow the etherchannel to dynamically adapt to this change. The industry standard bundling protocol defined in 802.3ad, LACP assigns a priority value to each port that has etherchannel capability. You can actually assign up to 16 ports to belong to an LACP-negotiated etherchannel, but only the eight ports with the lowest port priority will be bundled. The other ports will be bundled only if one or more of the bundled ports fails.
Initiating EC
You can see the different terminology LACP and PAgP use for the same results - "active" and "desirable" for the local port to initiate the EC, "auto" and "passive" if the remote port is going to initiate the EC. To enable the etherchannel with no negotiation, use the on option. For an EC to form, LACP must have at least one of the two ports on each physical link set for "active"; if both ports are set to "passive", no EC will be built. The same can be said for PAgP and the settings "auto" and "desirable" - if both ports are set to auto, the link won't join the EC. To verify both PAgP and LACP neighbors, you can use the show pagp neighbor and show lacp neighbor commands.
Troubleshooting EtherChannels
Once you get an EC up and running, it generally stays that way - unless a port setting changes. From personal experience, here are a few things to watch out for:
Changing the VLAN assignment mode to dynamic. Ports configured for dynamic VLAN assignment from a VMPS cannot remain or become part of an EC.
The allowed range of VLANs for the EC must match that of the ports.
Here's a reenactment of an EC issue I ran into once. The configuration of the channel-group looked just fine
Error Message
interface FastEthernet0/11
 switchport trunk allowed vlan 10,20
 no ip address
 channel-group 1 mode on
!
interface FastEthernet0/12
 switchport trunk allowed vlan 100,200
 no ip address
 channel-group 1 mode on
... but notice that the allowed VLANs on these two ports are different. That will prevent an EC from working correctly. Here's the error message that occurs in a scenario like this:
02:46:10: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different)
EC Error
When I remove the original command, I get the EC error message again, but once I change port 0/12's config to match 0/11's, the EC forms.
SW1(config)#int fast 0/12
SW1(config-if)#no switchport trunk allowed vlan 100,200
02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different)
02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different)
SW1(config-if)#switchport trunk allowed vlan 10,20
02:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
Changing a port attribute. Ports need to be running the same speed, duplex, native VLAN, and just about any other value you can think of! If you change a port setting and the EC comes down, you know what to do - change the port setting back!
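An added example, not code from the course, pulling the EtherChannel rules of this section together: the LACP/PAgP/on mode pairings that form a channel, the attribute comparison that produced the CANNOT_BUNDLE2 message above, and a simplified XOR link selection. The port attributes and MAC addresses are constructed; only the "vlan mask is different" message text is taken from the slides, the other reason strings are invented for this model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


def will_bundle(local_mode: str, remote_mode: str) -> bool:
    """Does a link with these channel-group modes on its two ends join the EC?
    'on' skips negotiation and must be set on both ends; LACP needs at least one
    'active' end; PAgP needs at least one 'desirable' end."""
    if "on" in (local_mode, remote_mode):
        return local_mode == remote_mode
    if local_mode in LACP_MODES and remote_mode in LACP_MODES:
        return "active" in (local_mode, remote_mode)
    if local_mode in PAGP_MODES and remote_mode in PAGP_MODES:
        return "desirable" in (local_mode, remote_mode)
    return False          # LACP on one end and PAgP on the other never bundles


@dataclass(frozen=True)
class Port:
    name: str
    speed: int            # Mbps
    duplex: str
    native_vlan: int
    allowed_vlans: FrozenSet[int]


def bundle_check(reference: Port, candidate: Port) -> List[str]:
    """Compare a candidate with the port already in the channel. Returns the
    messages that would suspend the candidate; an empty list means it bundles.
    '(vlan mask is different)' is the IOS text from the slides; the other
    reason strings are constructed for this example."""
    reasons = []
    if candidate.allowed_vlans != reference.allowed_vlans:
        reasons.append("vlan mask is different")
    if candidate.speed != reference.speed:
        reasons.append("speed is different")
    if candidate.duplex != reference.duplex:
        reasons.append("duplex is different")
    if candidate.native_vlan != reference.native_vlan:
        reasons.append("native vlan is different")
    return [f"%EC-5-CANNOT_BUNDLE2: {candidate.name} is not compatible with "
            f"{reference.name} and will be suspended ({r})" for r in reasons]


def select_link(src_mac: str, dst_mac: str, links: int) -> int:
    """Simplified src-dst-mac load balancing: XOR the two MACs and keep the
    low-order bits (1 bit for 2 links, 2 for 4, 3 for 8) to choose the link."""
    if links not in (2, 4, 8):
        raise ValueError("this model handles 2, 4 or 8 links")
    mac_xor = int(src_mac.replace(".", ""), 16) ^ int(dst_mac.replace(".", ""), 16)
    return mac_xor & (links - 1)


def reenactment():
    """The mismatch from the slides, then the corrected Fa0/12."""
    fa11 = Port("Fa0/11", 100, "full", 1, frozenset({10, 20}))
    fa12 = Port("Fa0/12", 100, "full", 1, frozenset({100, 200}))
    broken = bundle_check(fa11, fa12)
    fixed = bundle_check(fa11, Port("Fa0/12", 100, "full", 1, frozenset({10, 20})))
    return broken, fixed


if __name__ == "__main__":
    for msg in reenactment()[0]:
        print(msg)
```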
Physical security
Physical security - lock those servers, routers, and switches up! This is the most basic form of network security, and it's also the most ignored.
Passwords - set 'em, change 'em on occasion (and that occasion should not be the Millennium)
Different privilege levels - not every user needs the same level of access to potentially destructive commands.
Grant remote access only to those who absolutely, positively need it.
AAA
You may have heard or read the acronym AAA in Cisco switch documentation. This stands for Authentication, Authorization, and Accounting - and you didn't know it, but you're already working with AAA. Well, "A", anyway! The passwords we've set here are part of Authentication, and this local database of passwords is just one method of authenticating users. We can also use RADIUS servers (Remote Authentication Dial-In User Service, a UDP service) or TACACS+ servers (Terminal Access Controller Access Control System, a TCP service). Both RADIUS and TACACS+ offer a lot of options. We're going to look at a basic switch config that could get us started with either. First, we've got to enable AAA on the switch. (This is not required if only the local database will be used.)
Authorization
The second A is Authorization, and we've already configured a little of that as well. Assigning the right to perform given tasks is Authorization, and when we granted one of our Telnet users privilege level 15, we authorized that user to pretty much do what they want to do. While RADIUS is limited in the different levels of authorization, TACACS+ can be configured to force the user to be authenticated for any of the tasks seen here in IOS Help.
Accounting
For some of us, this is the best part of AAA - Accounting. As in, "holding people accountable for what they do!" Accounting will use a RADIUS or TACACS+ server to track user activity. As with the previous AAA services, a method list must be defined:
Port Security
Here's another basic security feature that's regularly overlooked, but is very powerful. Port security uses a host's MAC address as a password, and if a device with a different MAC address sends frames to the switch on that port, the port will take action - by default, it will shut down.
Little gotcha
There is a little "gotcha" with port security that you need to be aware of. You can specify the number of secure MAC addresses, and you can specify secure MAC addresses as well. What if you allow for more secure MAC addresses than you actually configure manually, as shown below?
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa
SW1(config-if)#switchport port-security mac-address cccc.cccc.cccc
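The gotcha played out, as an added example not from the course: with maximum 3 and only two static addresses, the third slot is filled by whichever MAC shows up first, and only a fourth address triggers the violation. Port names and MAC addresses are constructed.

```python
from typing import Iterable, Set


class SecurePort:
    """Model of switchport port-security on one access port. `maximum` is the
    'switchport port-security maximum' value and `static_macs` are the addresses
    configured with 'switchport port-security mac-address'."""

    def __init__(self, name: str, maximum: int, static_macs: Iterable[str] = (),
                 violation: str = "shutdown"):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {violation}")
        self.name = name
        self.maximum = maximum
        self.static: Set[str] = set(static_macs)
        self.dynamic: Set[str] = set()        # addresses learned from traffic
        self.violation = violation
        self.state = "up"
        self.violation_count = 0

    def secure_addresses(self) -> int:
        return len(self.static) + len(self.dynamic)

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.state == "err-disabled":
            return "drop"                      # a shut-down port passes nothing
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if self.secure_addresses() < self.maximum:
            # The gotcha: a slot not filled by a static entry is filled by the
            # first address seen, and from then on that address is "secure".
            self.dynamic.add(src_mac)
            return "forward"
        if self.violation != "protect":        # protect drops silently
            self.violation_count += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"
        return "drop"


def gotcha_demo():
    """maximum 3 with two static addresses lets an unplanned third host in;
    setting maximum equal to the number of static addresses closes that slot."""
    loose = SecurePort("Fa0/1", maximum=3, static_macs=["aaaa.aaaa.aaaa", "cccc.cccc.cccc"])
    tight = SecurePort("Fa0/2", maximum=2, static_macs=["aaaa.aaaa.aaaa", "cccc.cccc.cccc"])
    unplanned = "bbbb.bbbb.bbbb"
    return loose.receive(unplanned), loose.state, tight.receive(unplanned), tight.state


if __name__ == "__main__":
    print(gotcha_demo())
```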
Port security is a great feature, but you can't run it on all ports. There are a few port types that you can't configure with port security:
trunk ports
ports placed in an Etherchannel
destination SPAN port
802.1x ports
By default, once the user authenticates, all traffic can be received and transmitted through this port.
Force-authorized
Force-authorized, the default, does just what it sounds like - it forces the port to authorize any host attempting to use the port, but authentication is not required. Basically, there is no authentication on this port type. A port in force-unauthorized state literally has the port unable to authorize any client - even clients who could otherwise successfully authenticate! The auto setting enables dot1x on the port, which will begin the process as unauthorized. Only the necessary EAPOL frames will be sent and received while the port's unauthorized. Once the authentication is complete, normal transmission and receiving can begin. Not surprisingly, this is the most common setting.
SPAN
SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached. (In some Cisco documentation, the destination port is referred to as the monitor port.) SPAN works very well, and the basic operation is simple. Studying SPAN for exams and network usage can seem complicated at first, though, because there are several different versions of SPAN. The versions are much the same, though; the real difference comes in when you define the source ports. It's the location of the source ports that determines the SPAN version that needs to run on the switch.
Local SPAN
In the previous example, we're running Local SPAN, since the destination and source ports are all on the same switch. If the source was a VLAN rather than a collection of physical ports, VLAN-based SPAN (VSPAN) would be in effect.
A destination port can be any port type.
A destination port can participate in only one SPAN session.
A destination port cannot be a source port.
A destination port cannot be part of an Etherchannel.
A destination port doesn't participate in STP, CDP, VTP, PAgP, LACP, or DTP.
ESPAN
Finally, you may see the term "ESPAN" in some SPAN documentation. This is Enhanced SPAN, and some of Cisco's documentation mentions that this term has been used so often to describe different additions that the term has lost meaning. You'll still see it occasionally, but it doesn't refer to any specific addition or change to SPAN.
Access lists
At this point in your Cisco studies, you're very familiar with access lists and their many, many, many uses! Access lists do have their limitations, though. While an ACL can filter traffic traveling between VLANs, it can't do anything about traffic from one host in a VLAN to another host in the same VLAN. Why not? It relates to how ACLs are applied on a multilayer switch. You know that the CAM (Content Addressable Memory) table holds the MAC addresses that the switch has learned, but the TCAM - Ternary Content Addressable Memory - cuts down on the number of lookups required to compare a packet against an ACL.
Additional notes and tips regarding VACLs Part 1
Bridged traffic, as well as non-IP and non-IPX traffic, should be filtered with VACLs
VACLs run from top to bottom, and run until a match occurs
VACLs have an implicit deny at the end. The VACL equivalent of "permit all" is an "action forward" clause with no match criterion, as shown in the previous example. If traffic is not expressly forwarded, it's implicitly dropped!
Only one VACL can be applied to a VLAN
The sequence numbers allow you to go back and add lines without rewriting the entire VACL. They are still active while being edited.
A routing ACL can be applied to an SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface, but VACLs are not applied in that way - they're applied in global configuration mode.
Use the log option with care. Logging must be performed by the switch software, not the hardware.
Private VLANs
This may well be the ultimate in filtering VLAN traffic! Hosts can be placed into a secondary VLAN, which is going to have one of two results:
The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN, but not with hosts in other secondary VLANs - this is a community private VLAN
The host can communicate with the primary VLAN, but with no other hosts, including other hosts in its own secondary VLAN - this is an isolated private VLAN
Example
In the following example, the router is located off a switch port that has been configured as a private VLAN port. There are options here as well:
The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN - this is promiscuous mode. This is the recommended mode for ports connected to gateway devices, such as the router seen below.
The host connected to the port is on either type of private VLAN (isolated or community), and can communicate with devices found off other promiscuous ports. If the host is configured as part of a community private VLAN, the host can also communicate with other hosts in that private VLAN.
It may be hard to believe, but something as innocent as DHCP can be used for network attacks. The potential for trouble starts when a host sends out a DHCPDiscover packet and listens for DHCPOffer packets - and as we know, the host will accept the first Offer it gets!
The rogue host has effectively placed itself into the middle of the communication, leading to the term man in the middle for this kind of network attack. When the rogue host does the same for an ARP Request being sent from Host B to Host A, all communications between Host A and Host B will actually be going through the rogue host. Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings. This database is the same database that is built by the DHCP Snooping process, and static ARP configurations can be used by DAI as well.
Cisco's recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports, this configuration scheme ensures that every ARP packet is checked once, but no more than that. There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel.
IP Source Guard
We can use IP Source Guard to prevent a host on the network from using another host's IP address. IP Source Guard works in tandem with DHCP Snooping, and uses the DHCP Snooping database to carry out this operation. As with DAI, DHCP Snooping must be enabled before enabling IP Source Guard. When the host first comes online and connects to an untrusted port on the switch, the only traffic that can reach that host are DHCP packets. When the client successfully acquires an IP address from the DHCP Server, the switch makes a note of this IP address assignment.
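DAI and IP Source Guard working off one DHCP Snooping binding table, as an added example that is not from the course: a lease is recorded when the server's acknowledgement is seen, after which ARP and IP packets on untrusted ports are checked against it while the trusted uplink is not inspected. Port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: what the switch noted when the lease was granted."""
    mac: str
    ip: str
    vlan: int
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports: Iterable[str],
                 static_arp: Iterable[Tuple[str, str]] = ()):
        self.trusted: Set[str] = set(trusted_ports)              # ports toward other switches
        self.bindings: Set[Binding] = set()                      # the DHCP snooping database
        self.static_arp: Set[Tuple[str, str]] = set(static_arp)  # (mac, ip) configured statically

    def dhcp_ack_seen(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """DHCP snooping watched the server hand out a lease on this port."""
        self.bindings.add(Binding(mac, ip, vlan, port))

    def dai_check(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection on an ingress ARP packet."""
        if port in self.trusted:
            return "permit"                          # trusted ports are not inspected
        if (sender_mac, sender_ip) in self.static_arp:
            return "permit"
        if Binding(sender_mac, sender_ip, vlan, port) in self.bindings:
            return "permit"
        return "drop"

    def ipsg_check(self, port: str, vlan: int, src_mac: str, src_ip: str,
                   is_dhcp: bool = False) -> str:
        """IP Source Guard on an ingress IP packet (source IP and MAC filtering)."""
        if port in self.trusted or is_dhcp:
            return "permit"                          # DHCP must pass so a lease can be obtained
        if Binding(src_mac, src_ip, vlan, port) in self.bindings:
            return "permit"
        return "drop"


def scenario():
    sw = AccessSwitch(trusted_ports=["Gi0/1"])
    # Host A on Fa0/1: until its lease is recorded, only its DHCP traffic passes.
    pre = sw.ipsg_check("Fa0/1", 10, "aaaa.aaaa.aaaa", "0.0.0.0", is_dhcp=True)
    early = sw.ipsg_check("Fa0/1", 10, "aaaa.aaaa.aaaa", "10.1.1.10")
    sw.dhcp_ack_seen("aaaa.aaaa.aaaa", "10.1.1.10", 10, "Fa0/1")
    legit_arp = sw.dai_check("Fa0/1", 10, "aaaa.aaaa.aaaa", "10.1.1.10")
    legit_ip = sw.ipsg_check("Fa0/1", 10, "aaaa.aaaa.aaaa", "10.1.1.10")
    # A host on Fa0/3 claims Host A's address: both features drop it.
    spoof_arp = sw.dai_check("Fa0/3", 10, "bbbb.bbbb.bbbb", "10.1.1.10")
    spoof_ip = sw.ipsg_check("Fa0/3", 10, "bbbb.bbbb.bbbb", "10.1.1.10")
    # ARP arriving on the trusted uplink is passed without inspection.
    uplink = sw.dai_check("Gi0/1", 10, "dddd.dddd.dddd", "10.1.1.1")
    return pre, early, legit_arp, legit_ip, spoof_arp, spoof_ip, uplink


if __name__ == "__main__":
    print(scenario())
```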
Since ARP, IP addresses, and DHCP all have potential security issues, we can't leave MAC addresses out because network attackers sure won't do so! A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. The intruder generates a large number of frames with different source MAC addresses - all of them invalid. As the switch's MAC address table capabilities are exhausted, valid entries cannot be made - and this results in those valid frames being broadcast instead of unicast.
You can combat MAC Address Flooding with two of the features we addressed earlier in this section - port-based authentication and port security. By making sure our host devices are indeed who we think they are, we reduce the potential for an intruder to unleash a MAC Address Flooding attack on our network. The key isn't to fight the intruder once they're in our network - the key is to keep them out in the first place.
Double Tagging
One form of VLAN Hopping is double tagging, so named because the intruder will transmit frames that are "double tagged" with two separate VLAN IDs. As you'll see in our example, certain circumstances must exist for a double tagging attack to be successful:
The intruder's host device must be attached to an access port.
The VLAN used by that access port must be the native VLAN.
The term "native VLAN" tips us off to the third requirement - dot1q must be the trunking protocol in use, since ISL doesn't use the native VLAN.
VLAN Hopping
VLAN Hopping seems innocent enough, but it's quite the opposite. VLAN Hopping has been used for network attacks ranging from Trojan horse virus propagation to stealing bank account numbers and passwords. That's why you often see the native VLAN of a network such as the one above set to a VLAN that no host on the network is a member of - that stops this version of VLAN Hopping right in its tracks.
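Why the unused native VLAN stops double tagging, traced as an added example that is not from the course: the model follows a frame carrying two tags from an access port across a dot1q trunk and reports which VLAN the far switch places it in, for the vulnerable native-VLAN setting and for the fixed one. VLAN numbers are constructed.

```python
from typing import List, Tuple


def access_ingress(access_vlan: int, frame_tags: List[int]) -> Tuple[int, List[int]]:
    """Frame enters on an access port: it belongs to the access VLAN. A switch that
    strips an outer tag equal to that VLAN leaves any inner tag in the payload."""
    tags = list(frame_tags)
    if tags and tags[0] == access_vlan:
        tags.pop(0)
    return access_vlan, tags


def trunk_egress(vlan: int, inner_tags: List[int], native_vlan: int,
                 tag_native: bool = False) -> List[int]:
    """Frame leaves on a dot1q trunk: native-VLAN frames go out untagged unless
    native tagging is enabled; every other VLAN gets its tag prepended."""
    if vlan == native_vlan and not tag_native:
        return list(inner_tags)
    return [vlan] + list(inner_tags)


def trunk_ingress(wire_tags: List[int], native_vlan: int) -> Tuple[int, List[int]]:
    """Frame arrives on the far switch's trunk: untagged means native VLAN,
    otherwise the outermost tag decides the VLAN."""
    if not wire_tags:
        return native_vlan, []
    return wire_tags[0], list(wire_tags[1:])


def landing_vlan(sender_vlan: int, native_vlan: int, inner_tag: int,
                 tag_native: bool = False) -> int:
    """Trace a frame tagged [sender_vlan, inner_tag] from an access port on switch 1
    across the trunk to switch 2 and return the VLAN it is delivered into."""
    vlan, inner = access_ingress(sender_vlan, [sender_vlan, inner_tag])
    wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    landed, _ = trunk_ingress(wire, native_vlan)
    return landed


def compare_settings():
    """Sender on VLAN 1, inner tag 20. Only the first setting lets the frame hop."""
    return {
        "native VLAN 1 (sender's VLAN)": landing_vlan(1, 1, 20),
        "native VLAN 999 (unused)": landing_vlan(1, 999, 20),
        "native VLAN 1, native tagged": landing_vlan(1, 1, 20, tag_native=True),
        "sender on VLAN 5, native VLAN 1": landing_vlan(5, 1, 20),
    }


if __name__ == "__main__":
    for setting, vlan in compare_settings().items():
        print(f"{setting}: frame delivered into VLAN {vlan}")
```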
Switch Spoofing
Notice that I said "this version". Switch spoofing is another variation of VLAN Hopping that is even worse than double tagging, because this version allows the rogue to pretend to be a member of *all* VLANs in your network. Many Cisco switch ports now run in dynamic desirable mode by default, which means that a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. A potential problem exists, since the switch doesn't really know what kind of device is receiving the DTP frames.
Multilayer Switching
Route Caching, Cisco Express Forwarding
Inter-VLAN Routing & SVIs
Fallback Bridging
Router Redundancy Protocols (HSRP, IRDP, VRRP, GLBP)
Server Load Balancing (SLB)
ASICs
Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets. You know from your CCNA studies that while the IP source and destination addresses of a packet will not change during its travels through the network, the L2 source and destination addresses may and probably will. With multilayer switching, it's the ASICs that perform this L2 address overwriting.
Route Caching
The first multilayer switching (MLS) method is route caching. This method may be more familiar to you as NetFlow switching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow's first packet, the switching engine snoops in on that packet and the destination, and the switching engine takes over and forwards the rest of the packets in that flow. Now, what exactly does a "flow" consist of? A flow is a unidirectional stream of packets from a source to a destination, and packets on the same flow will share the same protocol. That is, if a source is sending both WWW and TFTP packets to the same destination, there are actually two flows of traffic. The MLS cache entries support such unidirectional flows. There's always room for improvement from the first implementation of anything, though, and that improvement is Cisco Express Forwarding.
CEF-Enabled Devices
CEF-enabled devices keep the same routing information that a router would, but it's not found in a typical routing table. CEF-enabled switches keep a Forwarding Information Base (FIB) that contains the usual routing information - the destination networks, their masks, the next-hop IP addresses, etc. - and CEF will use the FIB to make L3 prefix-based decisions. The FIB's contents will mirror those of the IP routing table; actually, the FIB is really just the IP routing table in another format. You can view the FIB with the show ip cef command.
FIB
The FIB takes care of the L3 routing information, but what of the L2 information we need? That's found in the Adjacency Table (AT). As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in this table for CEF switching. Once the appropriate L3 and L2 next-hop addresses have been found, the MLS is just about ready to forward the packet. The MLS will make the same changes to the packet as a router normally would, and that includes changing the L2 destination MAC address - that's going to be changed to the next-hop destination, as I'm sure you remember from your CCNA studies. The L3 destination will remain the same. (The L2 source address will change as well, to the MAC address on the MLS switch interface that transmits the packet.)
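The FIB lookup and adjacency-table rewrite described above, as an added example that is not from the course: a longest-prefix match picks the next hop, the adjacency table supplies its MAC, and only the L2 addresses (and TTL) change while the L3 addresses are left alone. A missing adjacency is returned as a glean case rather than forwarded. All prefixes, addresses and interface MACs are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


class CefSwitch:
    """Toy model of a CEF multilayer switch: FIB for L3 lookups, adjacency
    table for the L2 next-hop rewrite."""

    def __init__(self, fib: Iterable[Tuple[str, str, str]],
                 adjacency: Dict[str, str], interface_macs: Dict[str, str]):
        # FIB entries: (prefix, next-hop IP or "connected", egress interface)
        self.fib = [(ipaddress.ip_network(p), nh, intf) for p, nh, intf in fib]
        self.adjacency = dict(adjacency)          # next-hop IP -> MAC learned via ARP
        self.interface_macs = dict(interface_macs)

    def fib_lookup(self, dst_ip: str) -> Optional[Tuple]:
        """Longest-prefix match; None when no entry covers the destination."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, nh, intf in self.fib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, intf)
        return best

    def forward(self, packet: Dict) -> Tuple[str, Optional[Dict]]:
        """Return ('forward', rewritten packet), ('glean', next-hop IP) when the
        adjacency is missing and ARP is still needed, or ('drop', None)."""
        match = self.fib_lookup(packet["dst_ip"])
        if match is None:
            return "drop", None
        net, nh, intf = match
        nh_ip = packet["dst_ip"] if nh == "connected" else nh
        nh_mac = self.adjacency.get(nh_ip)
        if nh_mac is None:
            return "glean", nh_ip
        out = dict(packet)
        out["dst_mac"] = nh_mac                    # L2 destination becomes the next hop
        out["src_mac"] = self.interface_macs[intf]  # L2 source becomes the egress interface
        out["ttl"] = packet["ttl"] - 1              # L3 src/dst addresses are untouched
        return "forward", out


def build_switch() -> CefSwitch:
    """Constructed FIB with two connected VLANs and a default route out Gi0/1."""
    return CefSwitch(
        fib=[("10.1.1.0/24", "connected", "Vlan10"),
             ("10.2.2.0/24", "connected", "Vlan20"),
             ("0.0.0.0/0", "192.0.2.1", "Gi0/1")],
        adjacency={"10.2.2.50": "cccc.cccc.cccc", "192.0.2.1": "dddd.dddd.dddd"},
        interface_macs={"Vlan10": "0000.0c00.0001", "Vlan20": "0000.0c00.0002",
                        "Gi0/1": "0000.0c00.0003"},
    )


def demo():
    sw = build_switch()
    base = {"src_mac": "aaaa.aaaa.aaaa", "dst_mac": "0000.0c00.0001",
            "src_ip": "10.1.1.10", "ttl": 64}
    inter_vlan = sw.forward({**base, "dst_ip": "10.2.2.50"})   # rewritten, sent on Vlan20
    no_adjacency = sw.forward({**base, "dst_ip": "10.2.2.60"})  # no ARP entry yet: glean
    default = sw.forward({**base, "dst_ip": "198.51.100.7"})    # default route via Gi0/1
    return inter_vlan, no_adjacency, default


if __name__ == "__main__":
    for result in demo():
        print(result)
```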
Enabling CEF
Enabling CEF is about as simple as it gets. CEF is on by default on any and all CEF-enabled switches, and you can't turn it off. Remember, CEF is hardware-based, not software-based, so it's not a situation where running "no cef" on a switch will disable CEF. There's no such command! A multilayer switch must have IP routing enabled for CEF to run, however. Trying to view the FIB of a switch with IP routing not enabled results in this console readout...
Example
SW2#show ip cef
%IPv4 CEF not running
... and then after enabling IP routing:
SW2(config)#ip routing
SW2#show ip cef
Prefix              Next Hop             Interface
0.0.0.0/32          receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive
L3 Switching
As with several advanced L3 switching capabilities, not every L3 switch can run CEF. For instance, the 2900XL and 3500XL do not support CEF. Keep in mind that switches that do support CEF do so by default, and CEF can't be turned off on those switches! CEF does support per-packet and per-destination load balancing, but again does not do so on all multilayer switches. Be sure to check your switch's capabilities before purchasing.
The control plane's job is to first build the ARP and IP routing tables, which makes the FIB and AT creation possible. The data plane, in turn, goes by several different names:
"data plane"
"hardware engine"
"ASIC"
Tables for L3 Switching
The control plane builds the tables necessary for L3 switching, but it's the data plane that does the actual work! It's the data plane that places data in the L3 switch's memory while the FIB and AT tables are consulted, and then performs any necessary encapsulation before forwarding the data to the next hop.
Note that packets with TCP header options are still switched in hardware; it's the IP header options that cause trouble!
Switching Options
With so many switching options available today, it's hard to keep up with which option is fastest, then next-fastest, and so on. According to Cisco's website, here's the order:
1. Distributed CEF (DCEF). The name is the recipe - the CEF workload is distributed over multiple CPUs.
2. CEF
3. Fast Switching
4. Process Switching
Inter-VLAN Communication Part 2

Router-on-a-stick does put an extra load on the router's processor as well, so you have to be careful as to which router in your network you select for this job. The biggest concern I have personally with ROAS is that the router becomes a single point of failure. If that FastEthernet port goes down, that's the end of your inter-VLAN traffic.
Configuring traffic
Bringing an external router into the picture is one method of configuring inter-VLAN traffic, but we also have the option of using a switch with an internal route processor or Route Switch Module (RSM). For example, a Catalyst 5000 switch's RSM takes the place of an external router - no router-on-a-stick needed!
Step One

Step One in L3 switching troubleshooting: make sure IP routing is on!
L2 Mode

Remember, the ports on a multilayer switch will all be running in L2 mode by default. To configure a port as a routing port, use the no switchport command, followed by the appropriate IP address.
Important Details
As always, there are some simple but important details to keep in mind when configuring SVIs.
You need to create the VLAN before the SVI, and that VLAN must be active at the time of SVI creation.
Theoretically, you need to open the SVI with no shut just as you would open a physical interface after configuring an IP address.
Remember that the VLAN and SVI work together, but they're not the same thing. Creating a VLAN doesn't create an SVI, and creating an SVI doesn't create a VLAN.
Fallback Bridging
Odds are that you'll never need to configure fallback bridging, but it falls under the category of "it couldn't hurt to know it". CEF has a limitation in that IPX, SNA, LAT, and AppleTalk are either not supported by CEF or, in the case of SNA and LAT, are nonroutable protocols. If you're running any of these on a CEF-enabled switch, you'll need fallback bridging to get this traffic from one VLAN to another. Fallback bridging involves the creation of bridge groups, and the SVIs will have to be added to these bridge groups.
Commands
To create a bridge group:

MLS(config)# bridge-group 1

To join an SVI to a bridge group:

MLS(config)#interface vlan 10
MLS(config-if)#bridge-group 1
Redundancy Part 1
In networking, we'll take as much redundancy as we can get. If a router goes down, we've obviously got real problems. Hosts are relying on that router as a gateway to send packets to remote networks. For true network redundancy, we need two things:
A secondary router to handle the load when the primary goes down
A protocol to get the networks using that secondary router as soon as possible
Redundancy Part 2
That second point is so important that Cisco currently offers four separate protocols to expedite the cutover to the secondary router. These methods have much the same end result, but how they get there is another story. It's a story you can expect to be asked about quite a bit on your exam, so let's get to work and hit the details of these four redundancy strategies.
IRDP
IRDP does not involve a virtual router of any kind - when hosts transmit data, they will be using the IP and MAC address of a real, physical router as the default gateway, not the IP and MAC address of a virtual router. Hosts may also generate Router Solicitation messages, usually at startup, asking IRDP routers to send Router Advertisement packets. To enable IRDP on a router's interface, just use the ip irdp command.

MLS(config)# interface serial0
MLS(config-if)# ip irdp
HSRP Part 1
Defined in RFC 2281, HSRP is a Cisco-proprietary protocol in which routers are put into an HSRP router group. Along with dynamic routing protocols and STP, HSRP is considered a high-availability network service, since all three have an almost immediate cutover to a secondary path when the primary path is unavailable. One of the routers will be selected as the primary, and that primary will handle the routing while the other routers are in standby, ready to handle the load if the primary router becomes unavailable. In this fashion, HSRP ensures a high network uptime, since it routes IP traffic without relying on a single router.
HSRP Part 2
The hosts using HSRP as a gateway don't know the actual IP or MAC addresses of the routers in the group. They're communicating with a pseudorouter, a "virtual router" created by the HSRP configuration. This virtual router will have a virtual MAC and IP address as well. The standby routers aren't just going to be sitting there, though! By configuring multiple HSRP groups on a single interface, HSRP load balancing can be achieved.
HSRP Speakers

The output of the show standby command also tells us that the HSRP speakers are sending Hellos every 3 seconds, with a 10-second holdtime. These values can be changed with the standby command, but HSRP speakers in the same group should have the same timers. You can even tie down the hello time to the millisecond, but it's doubtful you'll ever need to do that.
Priority
Another key value in the show standby command is the priority. The default is 100, as shown in both show standby outputs. The router with the highest priority will be the primary HSRP router, with the router with the highest IP address on an HSRP-enabled interface becoming the primary if there is a tie on priority. We'll raise the default priority on R2 and see the results.
On rare occasions, you may have to change the MAC address assigned to the virtual router. This is done with the standby mac-address command. Just make sure you're not duplicating a MAC address that's already on your network!
HSRP States
Disabled - Some HSRP documentation lists this as a state, others do not. I don't consider it one, but Cisco may. Disabled means that the interface isn't running HSRP yet.

Initial (Init) - The router goes into this state when an HSRP-enabled interface first comes up. HSRP is not yet running on a router in Initial state.

Learn - At this point, the router has a lot to learn! A router in this state has not yet heard from the active router, does not yet know which router is the active router, and it doesn't know the IP address of that router, either. Other than that, it's pretty bright. ;)

Listen - The router now knows the virtual IP address, but is not the primary or the standby router. It's listening for hello packets from those routers.
Default Priority
In the following network, R2 is the primary due to its priority of 105. R3 has the default priority of 100. R2 will therefore be handling all the traffic sent to the virtual router's IP address of 172.12.23.10. That's fine, but there is a potential single point of failure. If R2's Serial0 interface fails, the hosts will be unable to reach the server farm. HSRP can be configured to drop R2's priority if the line protocol of R2's Serial0 interface goes down, making R3 the primary router. (The default decrement in the priority when the tracked interface goes down is 10.)
The #1 problem with an HSRP Interface Tracking configuration that is not working properly is a priority / decrement value problem.
Example Part 1
R1#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 01:08:58
  Virtual IP address is 172.12.23.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.872 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
Example Part 2
FastEthernet0/0 - Group 5
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 172.12.34.10 (wrong subnet for this interface)
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 75 (default 100)
    Track interface Serial0/0 state Down decrement 25
  IP redundancy name is "hsrp-Fa0/0-5" (default)
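The two readouts above contain everything needed to check an HSRP group by hand: the v1 virtual MAC (0000.0c07.acXX, XX being the group number in hex, as both outputs show), the configured versus effective priority, and the tracking decrement. The following Python is an added example, not code from the course or from Cisco. It parses a constructed copy of the two readouts, recomputes the effective priority from the tracking line, and carries out the priority/decrement arithmetic the text calls the #1 tracking problem. The check that flags tracking with preemption disabled reflects standard HSRP behaviour (a router whose priority has been restored cannot reclaim the active role without preempt); it is not stated in this section.

```python
import re

# Constructed sample text, modelled on the two 'show standby' readouts above
# (R1's Group 1 and Group 5), embedded so the parser runs offline.
SHOW_STANDBY = """\
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 01:08:58
  Virtual IP address is 172.12.23.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.872 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 5
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 172.12.34.10 (wrong subnet for this interface)
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 75 (default 100)
    Track interface Serial0/0 state Down decrement 25
  IP redundancy name is "hsrp-Fa0/0-5" (default)
"""

GROUP_RE = re.compile(r"^(\S+) - Group (\d+)$")
TRACK_RE = re.compile(r"Track interface (\S+) state (\S+) decrement (\d+)")
PRIO_RE = re.compile(r"Priority (\d+) \((?:default|configured) (\d+)\)")


def parse_show_standby(text):
    """Turn 'show standby' text into one dict per HSRP group."""
    groups, cur = [], None
    for raw in text.splitlines():
        m = GROUP_RE.match(raw)
        if m:
            cur = {"interface": m.group(1), "group": int(m.group(2)),
                   "preempt": False, "tracks": [], "state_note": ""}
            groups.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("State is "):
            cur["state"] = line.split()[2]                # Active, Init, ...
            if "(" in line:                               # IOS's reason, if any
                cur["state_note"] = line[line.find("(") + 1:-1]
        elif line.startswith("Virtual IP address is "):
            cur["vip"] = line.split()[4]
        elif line.startswith("Local virtual MAC address is "):
            cur["local_vmac"] = line.split()[5]
        elif line.startswith("Preemption "):
            cur["preempt"] = line.split()[1] == "enabled"
        elif line.startswith("Priority "):
            m = PRIO_RE.match(line)
            cur["priority"] = int(m.group(1))             # effective, after decrements
            cur["configured_priority"] = int(m.group(2))  # value before tracking
        else:
            m = TRACK_RE.match(line)
            if m:
                cur["tracks"].append((m.group(1), m.group(2), int(m.group(3))))
    return groups


def hsrp_v1_virtual_mac(group):
    """HSRP version 1 virtual MAC is 0000.0c07.acXX, XX = group number in hex."""
    return f"0000.0c07.ac{group:02x}"


def effective_priority(configured, tracks):
    """Configured priority minus the decrement of every tracked interface that is down."""
    return configured - sum(dec for _, state, dec in tracks if state.lower() == "down")


def will_fail_over(local_configured, decrement, peer_priority):
    """True only when the decremented priority falls below the peer's; with the
    default decrement of 10, R2 at 105 drops to 95 and loses to R3 at 100."""
    return local_configured - decrement < peer_priority


def audit(groups):
    """Return a list of readable problems found in the parsed groups."""
    issues = []
    for g in groups:
        tag = f"{g['interface']} group {g['group']}"
        if g.get("local_vmac") != hsrp_v1_virtual_mac(g["group"]):
            issues.append(f"{tag}: local virtual MAC does not match the v1 default")
        if effective_priority(g["configured_priority"], g["tracks"]) != g["priority"]:
            issues.append(f"{tag}: priority does not equal configured minus decrements")
        if g["state"] == "Init" and g["state_note"]:
            issues.append(f"{tag}: stuck in Init ({g['state_note']})")
        if g["tracks"] and not g["preempt"]:
            issues.append(f"{tag}: tracking configured but preemption disabled")
    return issues
```

Run against the sample, `audit` is silent for Group 1 and reports two problems for Group 5 (the wrong-subnet virtual IP and tracking without preemption), while `will_fail_over(105, 3, 100)` returns False: a decrement too small to drop below the standby's priority is exactly the misconfiguration the text warns about.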
VRRP Part 1
Defined in RFC 2338, VRRP is the open-standard equivalent of the Cisco-proprietary HSRP. VRRP works very much like HSRP, and is suited to a multivendor environment. The operation of the two is so similar that you basically learned VRRP while going through the HSRP section! There are a few minor differences, some of which are:
VRRP's equivalent to HSRP's Active router is the Master router. (Some VRRP documentation refers to this router as the IP Address Owner.) This is the router that has the virtual router's IP address as a real IP address on the interface it will receive packets on.
VRRP Part 2
The physical routers in a VRRP Group combine to form a Virtual Router.
VRRP Advertisements are multicast to 224.0.0.18.
VRRP's equivalent to HSRP's Standby router state is the Backup state.
The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx, and you guessed it - the xx is the group number in hexadecimal.
"preempt" is a default setting for VRRP routers.
As of IOS Version 12.3(2)T, VRRP has an Object Tracking feature. Similar to HSRP's Interface Tracking feature, a WAN interface can be tracked and a router's VRRP priority dropped when that interface goes down.
Key to GLBP

The key to GLBP is that when a host sends an ARP request for the MAC of the virtual router, one of the physical routers will answer. The host will then have the IP address of the virtual router and the MAC address of a physical router in the group. In the following illustrations, the three hosts send an ARP request for the MAC of the virtual router.
Command examples
GLBP is enabled just as VRRP and HSRP are - by assigning an IP address to the virtual router. The following command will assign the address 172.1.1.10 to group 5.

MLS(config-if)# glbp 5 ip 172.1.1.10

To change the interface priority, use the glbp priority command. To allow the local router to preempt the current AVG, use the glbp preempt command.

MLS(config-if)# glbp 5 priority 150
MLS(config-if)# glbp 5 preempt
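The ARP behaviour described under "Key to GLBP", together with the priority and preempt commands above, can be modelled in a few dozen lines. The following Python is an added example, not code from the course or from Cisco: three routers in group 5 with the virtual IP 172.1.1.10 from the command above; router names, interface IPs, priorities and the forwarder virtual MACs are constructed placeholders. The gateway election picks the highest priority, with the highest IP breaking a tie, and hands out a different forwarder MAC to each host that asks for the virtual IP.

```python
from itertools import cycle

# Constructed GLBP group 5 for the virtual IP configured above. Names, IPs,
# priorities and the forwarder virtual MACs are placeholders for illustration.
VIRTUAL_IP = "172.1.1.10"
ROUTERS = [
    {"name": "R1", "ip": "172.1.1.1", "priority": 150, "preempt": True,  "vmac": "0000.0000.0501"},
    {"name": "R2", "ip": "172.1.1.2", "priority": 100, "preempt": False, "vmac": "0000.0000.0502"},
    {"name": "R3", "ip": "172.1.1.3", "priority": 100, "preempt": False, "vmac": "0000.0000.0503"},
]


def ip_key(ip):
    """Sort key so 172.1.1.10 compares above 172.1.1.9 (numeric, not string order)."""
    return tuple(int(octet) for octet in ip.split("."))


def elect_avg(routers):
    """Active Virtual Gateway: highest priority wins; ties go to the highest IP."""
    return max(routers, key=lambda r: (r["priority"], ip_key(r["ip"])))


def takes_over(current_avg, candidate):
    """An AVG keeps its role until a higher-priority router configured with
    'glbp preempt' shows up; without preempt the newcomer waits its turn."""
    return candidate["preempt"] and candidate["priority"] > current_avg["priority"]


class Avg:
    """Answers ARP requests for the virtual IP with each forwarder's virtual MAC
    in turn, so the hosts spread their traffic over all routers in the group."""

    def __init__(self, virtual_ip, forwarders):
        self.virtual_ip = virtual_ip
        self.forwarders = list(forwarders)
        self._turn = cycle(range(len(self.forwarders)))

    def arp_reply(self, target_ip):
        if target_ip != self.virtual_ip:
            return None                          # not our virtual router; stay silent
        fwd = self.forwarders[next(self._turn)]
        return {"ip": self.virtual_ip, "mac": fwd["vmac"], "forwarder": fwd["name"]}


def resolve_gateways(avg, host_ips):
    """Each host ARPs once for the virtual IP and caches whatever MAC comes back."""
    return {host: avg.arp_reply(avg.virtual_ip)["mac"] for host in host_ips}


if __name__ == "__main__":
    avg = Avg(VIRTUAL_IP, ROUTERS)
    print("AVG:", elect_avg(ROUTERS)["name"])
    for host, mac in resolve_gateways(avg, ["172.1.1.21", "172.1.1.22", "172.1.1.23"]).items():
        print(host, "uses gateway MAC", mac)
```

The three hosts end up with three different gateway MACs for the same gateway IP, which is the load balancing HSRP and VRRP cannot give you from a single group; a fourth host wraps around to the first forwarder again.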
Hosts communication
The hosts will seek to communicate with the server at 210.1.1.14, not knowing that they're actually communicating with the servers in ServFarm. This allows quick cutover if one of the physical servers goes down, and also serves to hide the actual IP addresses of the servers in ServFarm. The basic operation of SLB involves creating the server farm, followed by creating the virtual server. We'll first add 210.1.1.11 to the server farm:

MLS(config)# ip slb serverfarm ServFarm
MLS(config-slb-sfarm)# real 210.1.1.11
MLS(config-slb-real)# inservice
Controlling connections
You may also want to control which of your network hosts can connect to the virtual server. If hosts or subnets are named with the client command, those will be the only clients that can connect to the virtual server. Note that this command uses wildcard masks. The following configuration would allow only the hosts on the subnet 210.1.1.0 /24 to connect to the virtual server.

MLS(config-slb-vserver)# client 210.1.1.0 0.0.0.255
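To see how the server farm, the inservice flag and the client wildcard mask fit together, here is an added Python model of the SLB pieces discussed above; it is not code from the course or from Cisco. The farm name ServFarm, the real server 210.1.1.11, the virtual address 210.1.1.14 and the client statement come from the text; the second and third real servers, the virtual server name and the round-robin choice of real server are assumptions for the example.

```python
import ipaddress


def wildcard_match(ip, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class ServerFarm:
    """Models 'ip slb serverfarm': real servers and whether each is in service."""

    def __init__(self, name):
        self.name = name
        self.reals = {}                 # real IP -> in service?

    def real(self, ip):                 # 'real <ip>' adds the server, not yet usable
        self.reals.setdefault(ip, False)

    def inservice(self, ip):            # 'inservice' lets it receive connections
        self.reals[ip] = True

    def active(self):
        return [ip for ip, up in self.reals.items() if up]


class VirtualServer:
    """Models 'ip slb vserver': a virtual IP in front of a farm, with the
    optional client list built by 'client <network> <wildcard>' statements."""

    def __init__(self, name, vip, farm):
        self.name, self.vip, self.farm = name, vip, farm
        self.clients = []               # (network, wildcard) pairs
        self._turn = 0

    def client(self, network, wildcard):
        self.clients.append((network, wildcard))

    def allows(self, client_ip):
        if not self.clients:            # no client statement: anyone may connect
            return True
        return any(wildcard_match(client_ip, net, wc) for net, wc in self.clients)

    def connect(self, client_ip):
        """Real server chosen for this client, or None when the client is refused
        or no real is in service. Round-robin selection is an assumption here."""
        if not self.allows(client_ip):
            return None
        reals = self.farm.active()
        if not reals:
            return None
        chosen = reals[self._turn % len(reals)]
        self._turn += 1
        return chosen


def build_demo():
    """Constructed configuration mirroring the commands above. The second and
    third reals and the vserver name are assumptions, not from the page."""
    farm = ServerFarm("ServFarm")
    farm.real("210.1.1.11")
    farm.inservice("210.1.1.11")
    farm.real("210.1.1.12")             # assumed second real server
    farm.inservice("210.1.1.12")
    farm.real("210.1.1.13")             # assumed third real, deliberately out of service
    vserver = VirtualServer("VSERVER_PLACEHOLDER", "210.1.1.14", farm)
    vserver.client("210.1.1.0", "0.0.0.255")
    return vserver
```

A client outside 210.1.1.0/24 gets no real server at all, and the out-of-service real never receives a connection, which is the behaviour you want to verify before trusting a virtual server to hide the farm.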
IP Telephony & Cisco IP Phones

IP Phone Basics
Voice VLANs
Voice QoS
DiffServ at L2 & L3
Trusting Incoming Values
Basics of AVVID
Power Over Ethernet
Voice over IP
If you don't have much (or any) experience with Voice Over IP (VoIP) yet, you're okay for now; you'll be able to understand this chapter with no problem. I say "for now" because all of us need to know some basic VoIP. Voice and security are the two fastest-growing sectors of our business. They're not going to slow down anytime soon, either. Once you're done with your CCNP, I urge you to look into a Cisco voice certification. There are plenty of good vendor-independent VoIP books on the market as well. Most Cisco IP phones will have three ports. One will be connected to a Catalyst switch, another to the phone ASIC, and another will be an access port that will connect to a PC.
Four Choices

When it comes to the link between the switch and the IP Phone, we've got four choices:

Configure the link as an access link
Configure the link as a trunk link and use 802.1p
Configure the link as a trunk link and do not tag voice traffic
Configure the link as a trunk link and specify a Voice VLAN
Dot1p Option
Details you should know about Part 1

As always, there are just a few details you should be aware of when configuring:

When Voice VLAN is configured on a port, Portfast is automatically enabled, but if you remove the Voice VLAN, Portfast is NOT automatically disabled.
Cisco recommends that QoS be enabled on the switch and the switch port connected to the IP phone be set to trust incoming CoS values. The commands to perform these tasks are mls qos and the interface-level command mls qos trust cos, respectively.
Three Main Enemies

I mentioned jitter earlier, but we've got three main enemies when it comes to successful voice transmission:

Jitter
Delay
Packet Loss
QoS
Best-effort delivery is the QoS you have when you have no explicit QoS configuration: the packets are simply forwarded in the order in which they came into the router. Best-effort works fine for UDP, but not for voice traffic. The Integrated Services Model, or IntServ, is far superior to best-effort. I grant you that's a poor excuse for a compliment! IntServ uses the Resource Reservation Protocol (RSVP) to do its job, and that reservation involves creating a high-priority path in advance of the voice traffic's arrival. The device that wants to transmit the traffic does not do so until a reserved path exists from source to destination. The creation of this path is sometimes referred to as Guaranteed Rate Service (GRS) or simply Guaranteed Service.
DiffServ

That issue is addressed with the Differentiated Services Model, or DiffServ. Where IntServ reserves an entire path in advance for the entire voice packet flow to use, DiffServ does not reserve bandwidth for the flow; instead, DiffServ makes its QoS decisions on a per-hop basis as the flow traverses the network.
DiffServ Model
The DiffServ model allows each network device along the way to make a separate decision on how best to forward the packet towards its intended destination, rather than having all forwarding decisions made in advance. This process is Per-Hop Behavior (PHB). The core tasks of DiffServ QoS are marking and classification. (They are two separate operations, but they work very closely together, as you'll see.) Marking is the process of tagging data with a value, and classification is taking the appropriate approach to queueing and transmitting that data according to that value.
ToS
The IP ToS byte consists of...

an IP precedence value, generally referred to as IP Prec (3 bits)
a Type Of Service value (4 bits)
a zero (1 bit)

DiffServ uses this 8-bit field as well, but refers to it as the Differentiated Services (DS) field. The DS byte consists of...

a Differentiated Services Code Point value (DSCP, 6 bits, RFC 2474)
an Explicit Congestion Notification value (ECN, 2 bits, RFC 2481)

The given combination of any class and DP value is expressed as follows:

AF (Class Number)(Drop Precedence)

That is, AF Class 2 with a DP of high would be expressed as AF23.
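The bit layouts above are easiest to trust once you have encoded and decoded a byte yourself. The following Python is an added example, not code from the course or from Cisco: it builds the AFxy codepoint from its class and drop-precedence bits, packs a DSCP and ECN value into the DS byte, and reads the same byte back both as the old ToS layout and as the DiffServ layout. The AF class layout is from RFC 2597 and the EF value 46 from RFC 3246; neither RFC is cited in the text, but both are standard.

```python
EF = 46   # Expedited Forwarding codepoint (RFC 3246), the usual marking for voice


def af_codepoint(class_number, drop_precedence):
    """Assured Forwarding DSCP (RFC 2597): 3 class bits, 2 drop-precedence bits,
    then a zero bit. Numerically AFxy = x*8 + y*2, so AF23 = 22."""
    if not 1 <= class_number <= 4:
        raise ValueError("AF class must be 1-4")
    if not 1 <= drop_precedence <= 3:
        raise ValueError("drop precedence must be 1 (low), 2 (medium) or 3 (high)")
    return class_number * 8 + drop_precedence * 2


def dscp_name(dscp):
    """Map a 6-bit DSCP back to its PHB name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "default (best effort)"
    cls, dp, low_bit = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if low_bit == 0 and 1 <= cls <= 4 and 1 <= dp <= 3:
        return f"AF{cls}{dp}"
    if dscp % 8 == 0:
        return f"CS{cls}"    # class selector: the IP-precedence-compatible values
    return f"DSCP {dscp}"


def encode_ds_byte(dscp, ecn=0):
    """DS byte = DSCP in the top 6 bits, ECN in the low 2 bits."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def decode_tos_byte(byte):
    """Read one byte both ways: the old ToS layout and the DiffServ layout.
    The top three bits are IP precedence in both, which is what keeps DSCP
    markings usable by devices that only understand precedence."""
    return {
        "ip_precedence": byte >> 5,
        "tos": (byte >> 1) & 0xF,
        "mbz": byte & 0x1,
        "dscp": byte >> 2,
        "ecn": byte & 0x3,
        "phb": dscp_name(byte >> 2),
    }


if __name__ == "__main__":
    af23 = af_codepoint(2, 3)
    print("AF23 =", af23, "=", format(af23, "06b"))
    print("DS byte for AF23:", decode_tos_byte(encode_ds_byte(af23)))
    print("DS byte for EF with ECN=3:", decode_tos_byte(encode_ds_byte(EF, 3)))
```

Decoding the AF23 byte shows IP precedence 2, and decoding EF shows precedence 5, which is why a DSCP-marked voice packet still gets sensible treatment from an older precedence-only device.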
Other Techniques
We've talked at length about using a priority queue for voice traffic, but there are some other techniques we can use as well. As with any other QoS, the classification and marking of traffic should be performed as close to the traffic source as possible. Access-layer switches should always perform this task, not only to keep the extra workload off the core switches but to ensure the end-to-end QoS you wanted to configure is the QoS you're getting. Another method of improving VoIP quality is to configure RTP Header Compression. This compression takes the IP/UDP/RTP header from its usual 40 bytes down to 2-4 bytes. RTP header compression is configured with the interface-level ip rtp header-compression command, with one option you should know about: passive. If the passive option is configured, outgoing packets are subject to RTP compression only if incoming packets are arriving compressed.
AVVID Part 1
Cisco's Architecture for Voice, Video, and Integrated Data (AVVID) is a comprehensive network architecture approach which integrates Voice and Video into an existing Data network. (But you knew that from the name, right?) A PDF available on Cisco's website lists these five AVVID components as primary concerns:

High Availability
Quality of Service
Security
Enterprise Mobility
Scalability
AVVID Part 2
Basically, AVVID is designed to take an organization's existing infrastructures and combine them into one large infrastructure. Cisco's theory holds that doing so will reduce overall costs while preparing the infrastructure to run the latest and greatest Cisco technologies. Storage Networking is becoming more and more important every day, and is also an important part of an AVVID design.
Wide-Ranging AVVID
To show you how wide-ranging AVVID is, a single AVVID infrastructure is designed to hold all of the following hardware:

Cisco routers
Cat switches
IP phones
Voice trunking
Cisco Call Manager
Analog and digital gateways to the PSTN
Voice modules
POE
With POE, the electricity necessary to power the IP Phone is actually transferred from the switch to the phone over the UTP cable that already connects the two devices. Not every switch is capable of running POE. Check your particular switch's documentation for POE capabilities and details. The IEEE standard for POE is 802.3af. There is also a proposed standard for High-Power POE, 802.3at. To read more than you'd ever want to know about POE, visit http://www.poweroverethernet.com.
Wireless Networking

Wireless Basics and Standards
Antenna Types and Usage
CSMA/CA
CCX Program
The Lightweight Access Point Protocol
Aironet System Tray Utility
WLAN
A common wireless topology is an Infrastructure Wireless Local Area Network (WLAN), also called a Basic Service Set (BSS), where a Wireless Access Point (WAP) is used to allow multiple devices to intercommunicate. The area of coverage the WAP provides is called a cell, and as any of us who have used wireless networks know, that cell can shrink and grow without warning! Hosts successfully connecting to the WAP in a BSS are said to have formed an association with the WAP. Forming this association usually requires the host to present required authentication and/or the correct Service Set Identifier (SSID). The SSID is the public name of the wireless network. An SSID is simply a string of text. SSIDs are case-sensitive and can be up to 32 characters in length.
AP vs. WAP
Cisco uses the term AP instead of WAP in much of their documentation; just be prepared to see this term expressed either way on your exam and in network documentation. I'll call it an AP for the rest of this section. A BSS operates much like a hub-and-spoke network in that all communication must go through the hub, which in this case is the AP. APs can also be arranged in such a way that a mobile user, or roaming user, will (theoretically) always be in the provider's coverage area. Those of us who are roaming users understand the "theoretical" part! Speaking as a roaming user, did you ever wonder how your wireless card decides to quit using its current AP and start using the next one in line? Well, keep wondering. :) Seriously, wireless vendors keep us guessing on this one, since they all use different standards on when that cutover needs to be performed.
Wi-Fi Alliance
Recognizing the weaknesses inherent in WEP, the Wi-Fi Alliance (their home page is http://wi-fi.org) saw the need for stronger security features in the wireless world. Their answer was Wi-Fi Protected Access (WPA), a higher standard for wireless security. Basically, WPA was adopted by many wireless equipment vendors while the IEEE was working on a higher standard as well, 802.11i - but it wasn't adopted by every vendor. As a result, WPA is considered to work universally with wireless NICs, but not with all early APs. When the IEEE issued 802.11i, the Wi-Fi Alliance improved the original WPA standards, and came up with WPA2. As you might expect, not all older wireless cards will work with WPA2.
IBSS

APs are not required to create a wireless network. In an ad hoc WLAN ("wireless LAN"), the wireless devices communicate with no AP involved. The official name for an ad hoc WLAN is an Independent Basic Service Set (IBSS). In the real world, you'll almost always hear them called ad hoc networks, but it couldn't hurt to keep the official name in mind for your exam.
CSMA/CA
With "Wireless LANs", life isn't so simple. Wireless LANs can't listen and send at the same time - they're half-duplex - so traditional collision detection techniques cannot work. Instead, wireless LANs will use IEEE standard 802.11, CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). Let's walk through an example of Wireless LAN access, and you'll see where the avoidance part of CSMA/CA comes in. The foundation of CSMA/CA is the Distributed Coordination Function (DCF). The key rule of DCF is that when a station wants to send data, the station must wait for the Distributed Interframe Space (DIFS) time interval to expire before doing so. In our example, Host A finds the wireless channel to be idle, waits for the DIFS timer to expire, and then sends frames.
DCF-speak

In DCF-speak, this random amount of time is the Backoff Time. The formula for computing Backoff Time is beyond the scope of the BCMSN exam, but the computation does involve a random number, and that random value helps avoid collisions.
The Lightweight Access Point Protocol (LWAPP)

As our wireless networks get larger and larger, we really need some kind of central authority to ensure that a consistent access policy is successfully implemented. By no small coincidence, Cisco has developed such an authority as part of their Cisco Unified Wireless Network - the WLAN Controller, which communicates with Lightweight Access Points (LAP). This communication takes place via LWAPP, the LightWeight Access Point Protocol.
WLAN Controller
The WLAN Controller is basically the quarterback of the WLAN, with the LAPs serving as the other players. The WLAN Controller will be configured with security procedures, Quality of Service (QoS) policies, mobile user policies, and more. The WLAN Controller then informs the LAPs of these policies and procedures, ensuring that each LAP is consistently enforcing the same set of wireless network access rules and regulations. Many Cisco Aironet access points can operate autonomously or as an LAP. Here are a few of those models:

1230 AG Series
1240 AG Series
1130 AG Series
Some other Aironet models have circumstances under which they cannot operate as LAPs - make sure to do your research before purchasing!
EAP Authentication

If you're connecting to an ad hoc network, just substitute "remote client" for "AP" in the above list. The key is to know that red, green, and yellow are referring to signal strength, light gray indicates a lack of EAP authentication, dark gray means there is no connection to an AP or remote client, and white means the adapter is disabled.
Network Design and Models

Core, Distribution, Access Layers
Enterprise Composite Network Model
Server Farm Block
Network Management Block
Enterprise Edge Block
Service Provider Edge Block
The term core switches refers to any switches found at the core layer. Switches at the core layer allow switches at the distribution layer to communicate, and this is more than a full-time job. It's vital to keep any extra workload off the core switches and allow them to do what they need to do - switch! The core layer is the backbone of your entire network, so we're interested in high-speed data transfer and very low latency. That's it! Since the core layer is the backbone of our network, we've got to optimize data transport.
Redundancy
We always want redundancy, but you want a lot of redundancy in your core layer. This is the nerve center of your entire network, so fault tolerance needs to be as high as you can possibly get it. Root bridges should also be located in the core layer whenever possible.
The Access Layer - Part 1

End users communicate with the network at this layer. VLAN membership is handled at this layer, as well as traffic filtering and basic QoS. Redundancy is important at this layer as well - hey, when isn't redundancy important? - so redundant uplinks are vital. The uplinks should also be scalable to allow for future network growth.
The Enterprise Composite Network Model

This model is much larger than the Cisco three-layer model, as you'll see in just a moment. I want to remind you that networking models are guidelines, and should be used as such. This is particularly true of the Enterprise Composite Network Model, which is one popular model used to design campus networks. A campus network is basically a series of LANs that are interconnected by a backbone.
Switch blocks
Switch blocks are units of access-layer and distribution-layer devices. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, which have both L2 and L3 capabilities (found at the distribution layer). Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or in a business park.
Core blocks
Core blocks consist of the high-powered core switches, and these core blocks allow the switch blocks to communicate. This is a tremendous responsibility, and it's the major reason that I'll keep mentioning that we want the access and distribution layers to handle as many of the "extra" services in our network as possible. We want the core switches to be left alone as much as possible so they can concentrate on what they do best - switch.
Few Factors
The design of such a network is going to depend on quite a few factors - the number of LANs involved, the physical layout of the building or buildings involved being just two of them - so again, remember that these models are guidelines. Helpful guidelines, though! The Enterprise Composite Network Model uses the term block to describe the three layers of switches we just described. The core block is the collection of core switches, which is the backbone mentioned earlier. The access and distribution layer switches are referred to as the switch blocks.
Model Parts
Overall, there are three main parts of this model:

The Enterprise Campus
The Enterprise Edge
The Service Provider Edge
Dual Core
The core design shown here is often referred to as dual core, referring to the redundant fashion in which the switch blocks are connected to the core block. The point at which the switch block ends and the core block begins is very clear. A smaller network may not need switches to serve only as core switches, or frankly, may not be able to afford such a setup. Smaller networks can use a collapsed core, where certain switches will perform both as distribution and core switches.
Network management tools are no longer a luxury - in today's networks, they're a necessity. AAA servers, syslog servers, network monitoring tools, and intruder detection tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block.
Internet and WAN connectivity for a campus network is a two-block job - one block we have control over, the other we do not. The Enterprise Edge Block is indeed the edge of the campus network, and this block consists of the routers and switches needed to give WAN connectivity to the rest of the campus network.
While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of this block. And frankly, we don't really care! The key here is that this block borders the Enterprise Edge Block, and is the final piece of the Internet connectivity puzzle for our campus network. Take a look at all the lines leading to those core switches. Now you know why we want to dedicate as much of these switches' capabilities to pure switching: we're going to need it!
Weighted Fair Queueing
Class Maps & Policy Maps
Priority Queueing
Custom Queueing
First In, First Out

FIFO is just what it sounds like - there is no priority traffic, no traffic classes, no queueing decision for the router to make. FIFO is fine for many networks, and if you have no problem with network congestion, FIFO may be all you need. If you've got traffic that's especially time-sensitive such as voice and video, FIFO is not your best choice.
WFQ
What's so "fair" about Weighted Fair Queueing (WFQ)? WFQ prevents one particular stream of network traffic, or flow, from using most or all of the available bandwidth while forcing other streams of traffic to sit and wait. These flows are defined by WFQ and require no access list configuration. Flow-based WFQ is the default queueing scheme for Serial interfaces running at E1 speed or below. Flow-Based WFQ takes these packet flows and classifies them into conversations. WFQ gives priority to the interactive, low-bandwidth conversations, and then splits the remaining bandwidth fairly between the noninteractive, high-bandwidth conversations.
CBWFQ
CBWFQ configuration does have its limits. By default, you can't assign over 75% of an interface's bandwidth via CBWFQ, because 25% is reserved for network control and routing traffic.
Available Bandwidth
Why is 358 kbps all that's available? Start with the bandwidth of a serial interface, 1544 kbps. Only 75% of that bandwidth can be assigned through CBWFQ, and 1544 x .75 = 1158. We can assign only 1158 kbps of a T1 interface's bandwidth in the policy map. We have already assigned 800 kbps to class 17210100, leaving only 358 kbps for other classes. Keep this 75% rule in mind - it's a very common error with CBWFQ configurations. Don't jump to the conclusion that bandwidth 64 is the proper command to use when you've got a 64 kbps link and you want to enable voice traffic to use all of it. Always go with a minimum of 75% of available bandwidth, and don't forget all the other services that will need bandwidth as well!
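The 75% arithmetic above is worth automating before you type a policy map into a production router. The following Python is an added example, not code from the course or from Cisco: it computes the reservable bandwidth for an interface, tracks what a set of classes has already claimed, and rejects a new bandwidth statement that no longer fits, which is what IOS does. The T1 figure, the 800 kbps class 17210100 and the 64 kbps link come from the text; the percent parameter is there so a non-default reservable percentage can be modelled as well.

```python
DEFAULT_MAX_RESERVED_PERCENT = 75   # IOS default: the other 25% stays for control and routing traffic

# Constructed figures matching the text: a T1 serial interface with 800 kbps
# already assigned to class 17210100 in the policy map.
T1_KBPS = 1544
EXISTING_CLASSES = {"17210100": 800}


def max_reservable_kbps(interface_kbps, percent=DEFAULT_MAX_RESERVED_PERCENT):
    """Bandwidth CBWFQ may hand out on an interface: 1544 * 75% = 1158 on a T1."""
    return interface_kbps * percent // 100


def remaining_kbps(interface_kbps, classes, percent=DEFAULT_MAX_RESERVED_PERCENT):
    """What is left for further 'bandwidth' statements after those in classes."""
    return max_reservable_kbps(interface_kbps, percent) - sum(classes.values())


def add_class(interface_kbps, classes, name, kbps, percent=DEFAULT_MAX_RESERVED_PERCENT):
    """Emulate entering 'bandwidth <kbps>' for a new class: it is accepted only
    when it fits in what is left. Returns (accepted, remaining_after)."""
    left = remaining_kbps(interface_kbps, classes, percent)
    if kbps > left:
        return False, left          # IOS refuses the statement and leaves the policy as it was
    classes[name] = kbps
    return True, left - kbps


def fits_link(link_kbps, requested_kbps, percent=DEFAULT_MAX_RESERVED_PERCENT):
    """The trap from the text: 'bandwidth 64' on a 64 kbps link cannot be accepted,
    because only 48 kbps of such a link is reservable by default."""
    return requested_kbps <= max_reservable_kbps(link_kbps, percent)


if __name__ == "__main__":
    classes = dict(EXISTING_CLASSES)
    print("reservable on T1:", max_reservable_kbps(T1_KBPS), "kbps")
    print("left after class 17210100:", remaining_kbps(T1_KBPS, classes), "kbps")
    print("add VOICE 400 kbps:", add_class(T1_KBPS, classes, "VOICE", 400))
    print("add VOICE 300 kbps:", add_class(T1_KBPS, classes, "VOICE", 300))
    print("bandwidth 64 on a 64 kbps link fits:", fits_link(64, 64))
```

The remaining figure after class 17210100 comes out to 358 kbps, as in the text, and a 400 kbps class is refused while a 300 kbps class is accepted with 58 kbps to spare.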
Reservable bandwidth
The "reservable bandwidth" referenced in this command isn't just the bandwidth assigned in CBWFQ. It also includes bandwidth allocated for the following:
Low Latency Queueing (LLQ)
IP Real Time Protocol (RTP) Priority
Frame Relay IP RTP Priority
Frame Relay PVC Interface Priority Queueing
Resource Reservation Protocol (RSVP)
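The 75% rule from the Available Bandwidth slide and the point that LLQ priority bandwidth counts against the same reservable pool can be checked before a policy map ever reaches a router. The following is an added example, not code from the course or from Cisco: the PolicyMap class, the worked_example and over_allocation_rejected functions, and the class names and figures are constructed here for illustration; the 1544 kbps T1 figure and the 800 kbps class allocation are the ones used in the text.

```python
# Added example, not from the course: check CBWFQ 'bandwidth' and LLQ
# 'priority' allocations against the 75% reservable-bandwidth ceiling.
# Class names and figures are constructed for illustration.
from dataclasses import dataclass, field

T1_KBPS = 1544  # bandwidth of a T1 serial interface, as used in the text


@dataclass
class PolicyMap:
    """Minimal model of a policy map: per-class CBWFQ and LLQ reservations."""
    interface_kbps: int
    max_reserved_pct: int = 75                       # IOS default ceiling
    bandwidth: dict = field(default_factory=dict)    # class -> 'bandwidth' kbps
    priority: dict = field(default_factory=dict)     # class -> 'priority' kbps

    def reservable_kbps(self) -> int:
        # 1544 * 75 / 100 = 1158 on a T1 (integer kbps, truncated)
        return self.interface_kbps * self.max_reserved_pct // 100

    def reserved_kbps(self) -> int:
        # LLQ 'priority' draws from the same pool as CBWFQ 'bandwidth'
        return sum(self.bandwidth.values()) + sum(self.priority.values())

    def available_kbps(self) -> int:
        return self.reservable_kbps() - self.reserved_kbps()

    def add_bandwidth(self, cls: str, kbps: int) -> None:
        self._check(kbps)
        self.bandwidth[cls] = kbps

    def add_priority(self, cls: str, kbps: int) -> None:
        self._check(kbps)
        self.priority[cls] = kbps

    def _check(self, kbps: int) -> None:
        # Reject any allocation that would push the total past the ceiling.
        if kbps > self.available_kbps():
            raise ValueError(
                f"cannot allocate {kbps} kbps: only {self.available_kbps()} kbps "
                f"of the {self.reservable_kbps()} kbps reservable on a "
                f"{self.interface_kbps} kbps interface remains")


def worked_example():
    """Reproduce the text's figures: T1, class 17210100 gets 800 kbps."""
    pm = PolicyMap(interface_kbps=T1_KBPS)
    pm.add_bandwidth("17210100", 800)
    return pm.reservable_kbps(), pm.available_kbps()   # (1158, 358)


def over_allocation_rejected(link_kbps: int = 64) -> bool:
    """The 'priority 64 on a 64 kbps link' mistake: the 75% rule rejects it."""
    pm = PolicyMap(interface_kbps=link_kbps)
    try:
        pm.add_priority("VOICE", link_kbps)
        return False
    except ValueError:
        return True
```

Running worked_example() gives (1158, 358), matching the slide; the 64 kbps case shows that at most 48 kbps can be handed to a priority class on such a link unless the ceiling itself is raised.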
Tail Drop
Tail drop may be the default, but there are two major issues with it. First, this isn't a very discriminating way to drop traffic. What if this were voice traffic that needed to go to the head of the line? Tail drop offers no mechanism to look at a packet and decide that a packet already in the queue should be dropped to make room for it. The other issue with tail drop is TCP global synchronization. This is a result of TCP's behavior when packets are lost.
Dropped packets
Packets dropped due to tail drop result in the TCP senders reducing their transmission rate. As the transmission slows, the congestion is reduced. All TCP senders will gradually increase their transmission speed as a result of the reduced congestion - which results in congestion occurring all over again.
CBWFQ
CBWFQ is definitely a step in the right direction, but what we're looking for is a guarantee (or something close to it) that data adversely affected by delay is given the highest priority possible. Low Latency Queueing (LLQ) is an "add-on" to CBWFQ that creates a strict priority queue for such traffic, primarily voice, allowing us to avoid the jitter that comes with voice traffic that is not given the priority queueing it needs. (Cisco recommends that you use an LLQ priority queue only to transport Voice Over IP traffic.) Since we're mentioning "priority" so often here, it shouldn't surprise you to learn that the command to enable LLQ is priority.
Example
R2#show access-list
Extended IP access list 155
    permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 17000 18000
    permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 20000 21000

R2(config)#class-map VOICE_TRAFFIC_PRIORITY
R2(config-cmap)#match access-group 155
R2(config)#policy-map VOICE
R2(config-pmap)#class VOICE_TRAFFIC_PRIORITY
R2(config-pmap-c)#priority 45
R2(config-pmap-c)#class class-default
R2(config-pmap-c)#fair-queue
R2(config-pmap-c)#interface serial0
R2(config-if)#service-policy output VOICE
Priority Queueing
The "next level" of queueing is Priority Queueing (PQ), where four predefined queues exist: High, Medium, Normal, and Low. Traffic is placed into one of these four queues through the use of access lists and priority lists. The High queue is also called the strict priority queue, making PQ (through its High queue) and LLQ the queueing solutions to use when a priority queue is needed.
Predefined queues (Part 1)
These four queues are predefined, as are their limits:
High-Priority Queue: 20 Packets
Medium-Priority Queue: 40 Packets
Normal-Priority Queue: 60 Packets
Low-Priority Queue: 80 Packets
Custom Queueing
Custom Queueing (CQ) takes PQ one step further - CQ actually allows you to define how many bytes will be forwarded from every queue when it's that queue's turn to transmit. CQ doesn't have the same queues that PQ has, though. CQ has 17 queues, with queues 1 - 16 being configurable. Queue Zero carries network control traffic and cannot be configured to carry additional traffic. By default, the packet limit for each configurable queue is 20 packets and each will send 1500 bytes when it's that queue's turn to transmit.
Network Control Traffic
The phrase "network control traffic" in regards to Queue Zero covers a lot of traffic. Traffic that uses Queue Zero includes:
Hello packets for EIGRP, OSPF, IGRP, ISIS
Syslog messages
STP keepalives
Round-Robin System
CQ uses a round-robin system to send traffic. When it's a queue's turn to send, that queue will transmit until it's empty or until the configured byte limit is reached. By configuring a byte limit, CQ allows you to allocate the desired bandwidth for any and all traffic types. Configuring CQ is basically a three-step process:
Define the size of the queues
Define what packets should go in each queue
Define the custom queue list by applying the list to the appropriate interface
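The three queueing behaviours described in this section - tail drop's inability to make room for an important packet, PQ's strict High-before-Low service with the 20/40/60/80 packet limits, and CQ's byte-count round robin over queues 1-16 with queue 0 for control traffic - can be seen side by side in a small model. The following is an added example, not code from the course or from Cisco IOS: the Packet, FifoTailDrop, PriorityQueueing and CustomQueueing classes and the two demonstration functions are constructed here, the packet sizes and labels are made up, and queue 0 being drained ahead of each round-robin pass is a modelling assumption rather than something the text states.

```python
# Added example, not from the course: toy models of tail drop, Priority
# Queueing and Custom Queueing. All packet sizes, labels and traffic mixes
# are constructed for illustration.
from collections import deque


class Packet:
    def __init__(self, label, size=1500):
        self.label, self.size = label, size


class FifoTailDrop:
    """One FIFO queue with tail drop: a packet arriving when the queue is full
    is discarded whatever it carries; nothing already queued is displaced."""

    def __init__(self, limit):
        self.limit, self.q, self.dropped = limit, deque(), []

    def enqueue(self, pkt):
        if len(self.q) >= self.limit:
            self.dropped.append(pkt)
        else:
            self.q.append(pkt)

    def drain(self):
        out = list(self.q)
        self.q.clear()
        return out


class PriorityQueueing:
    """PQ: four predefined queues served strictly High, Medium, Normal, Low,
    with the default packet limits 20/40/60/80 given in the text."""
    NAMES = ("high", "medium", "normal", "low")

    def __init__(self, limits=(20, 40, 60, 80)):
        self.queues = {n: FifoTailDrop(l) for n, l in zip(self.NAMES, limits)}

    def enqueue(self, pkt, queue="normal"):
        # IOS picks the queue via a priority-list; the caller supplies it here.
        self.queues[queue].enqueue(pkt)

    def drain(self):
        out = []
        for n in self.NAMES:          # lower queues send only when higher are empty
            out.extend(self.queues[n].drain())
        return out


class CustomQueueing:
    """CQ: queue 0 (network control) plus queues 1-16, each with a 20-packet
    limit and a 1500-byte count by default. On its turn a queue sends until
    empty or until the byte count is reached; the packet that crosses the
    count is still sent whole. Assumption: queue 0 is drained before each pass."""

    def __init__(self):
        self.queues = {i: FifoTailDrop(20) for i in range(17)}
        self.byte_count = {i: 1500 for i in range(17)}

    def enqueue(self, pkt, queue):
        self.queues[queue].enqueue(pkt)

    def one_pass(self):
        """One round-robin pass; returns the packets in the order sent."""
        out = self.queues[0].drain()
        for i in range(1, 17):
            q, sent = self.queues[i].q, 0
            while q and sent < self.byte_count[i]:
                pkt = q.popleft()
                sent += pkt.size
                out.append(pkt)
        return out


def tail_drop_vs_pq():
    """40 bulk packets then one voice packet, offered to a 40-packet FIFO and
    to PQ with voice classified High. Returns (FIFO drops, voice's PQ position)."""
    bulk = [Packet(f"bulk{i}") for i in range(40)]
    voice = Packet("voice", size=200)
    fifo = FifoTailDrop(limit=40)
    pq = PriorityQueueing()
    for p in bulk:
        fifo.enqueue(p)
        pq.enqueue(p, "normal")
    fifo.enqueue(voice)
    pq.enqueue(voice, "high")
    return [p.label for p in fifo.dropped], pq.drain().index(voice)


def cq_share():
    """Queue 1 keeps the 1500-byte default, queue 2 gets 3000; both hold
    1000-byte packets, so one pass sends 2 from queue 1 and 3 from queue 2."""
    cq = CustomQueueing()
    cq.byte_count[2] = 3000           # 'queue-list 1 queue 2 byte-count 3000'
    for i in range(10):
        cq.enqueue(Packet(f"q1-{i}", 1000), 1)
        cq.enqueue(Packet(f"q2-{i}", 1000), 2)
    cq.enqueue(Packet("ospf-hello", 100), 0)   # control traffic goes out first
    return [p.label for p in cq.one_pass()]
```

tail_drop_vs_pq() returns (["voice"], 0): the FIFO throws the voice packet away because 40 bulk packets already fill it, while PQ sends it first. cq_share() shows why the byte count, not the packet limit, is what sets a queue's share of the link: queue 1 stops after its second 1000-byte packet crosses 1500, and queue 2 stops after its third crosses 3000.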