CCNP CISCO CERTIFIED NETWORK PROFESSIONAL - SWITCH
CCNP - Cisco Certified Network Professional
Prepared by Nagababu Polisetti
P. NAGABABU, nagacisco@gmail.com, 9000235254, 9553.9553.07
This material is valid till 31st November 2011. New material is available on 1st December 2011.
1 | Page

INDEX

Lesson Topic Page No
1 Switch Operation 3
2 Ethernet Port Configuration 9
3 VLANs and Trunks 14
4 VTP 21
5 Link Aggregation 26
6 Switch Functioning 31
7 Traditional STP 34
8 STP configuration 42
9 Protect STP 48
10 Advanced STP 53
11 MLS 61
12 Campus Network Design 68
13 L3 Availability- Load balancing 74
14 Supervisor Power Redundancy 89
15 IP Telephony 98
16 Secure Switch Access 105
17 Secure VLANs 113
18 WLANs 118




LESSON 1 : SWITCH OPERATION

L2 Switch Operation

It gets the data from one port
It reads source MAC and destination MAC from the L2 header
Looks into the CAM table and finds the outgoing port information
Then unicasts the data to the outgoing port
If there is no outgoing port information then it does unknown unicast flooding
It enters source MAC and incoming port information in the MAT (MAC address table)
If the CAM table already has that entry, it refreshes it
Switch can work at full duplex or half duplex
Switch has dedicated circuits between ports (micro segmentation) (every port has dedicated bandwidth)
Switch has specialized hardware called ASICs, which provides faster switching
L2 Switch can read the L2 header. It can't read the L3 header or L4 header
L2 header contains source MAC, destination MAC information
L3 header contains source IP, destination IP information
L4 header contains source Port, destination Port information
When a frame arrives at a switch port, it is placed into one of the port's ingress queues
Queues have different priority levels to process important frames first
Switch hardware decides where to and how to forward the frame by making three fundamental decisions
All decisions are made simultaneously by independent portions of the switching hardware, which provides faster switching

L2 forwarding table
The frame's destination MAC address is used as the index
If the address is found, the egress switch port and appropriate vlan-id are read from the table
If the destination MAC is not found in the table, unknown unicast flooding happens at the egress ports
Security ACL
TCAM contains the ACL in compiled form, evaluated in a single table lookup
It takes the decision to permit or deny the frame
QoS ACL
TCAM contains the QoS ACL in compiled form, evaluated in a single table lookup
It takes the decisions to prioritize the traffic and to mark QoS parameters in outbound frames

MultiLayer Switch Operation

L2 switches forward frames based on the L2 header
MLS forwards the frames based on L2, L3, L4 headers
So it is named Multi Layer Switch or MLS
Two types of MLS (Multi Layer Switch)
o Route Caching
o Topology based
MLS - Route Caching
The first generation of MLS requires a Route Processor (RP) and a Switch Engine (SE)
RP processes a traffic flow's first packet to determine the destination
SE listens to the first packet to the resulting destination and sets up a shortcut entry in its MLS cache
SE forwards subsequent packets in the same traffic flow based on cache entries
NetFlow LAN switching, flow-based, demand-based switching
Also called route once, switch many

MLS - Topology Based
The second generation of MLS utilizes specialized hardware
FIB - Forwarding Information Base (area of hardware)
L3 routing information builds and populates the FIB database
This database has efficient table lookups, so packets can be forwarded at high speed
If the network topology changes, the new routing information is updated in the FIB database dynamically without performance effect
Topology based MLS is also known as CEF (Cisco Express Forwarding)




When a frame arrives at a switch port, it is placed into one of the port's ingress queues
Each packet is pulled off an ingress queue and inspected for both L2 and L3 destination addresses
Decision of where to forward the packet is based on two address tables, FIB and CAM
Decision of how to forward the packet is based on ACL and QoS
All these actions are performed simultaneously in hardware

L2 forwarding table
The destination MAC is used as an index to the CAM table
If the frame contains a packet to be forwarded at L3, the destination MAC is the L3 port's MAC; in this case the CAM table result is used to hand the packet to L3 processing
L3 forwarding table
The destination IP is used as an index in the FIB table
The longest match is found and the next-hop L3 address is obtained
FIB also has each next-hop L2 address and egress switch port, vlan-id
So single table lookups are enough
Security ACLs
ACLs are compiled into TCAM entries to filter packets in a single table lookup
QoS ACLs
Packet classification, policing and marking can all be performed as single table lookups in the QoS TCAM
L3 rewrite
The packet is put into L3 rewrite
The TTL (time to live) is decremented by 1 and L3 checksums are recalculated
L2 header source MAC, destination MAC are rewritten
New source MAC is the MLS interface L2 address
New destination MAC is the next hop L2 address
L2 checksums are recalculated

CEF can directly forward most IP packets between hosts. This occurs when both source-destination L2, L3 addresses are known.
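The topology-based forwarding path above (FIB longest-prefix match, adjacency with next-hop MAC and egress port, then L3 rewrite) as an added Python model. This is an example written for these notes, not code from the original material or from Cisco: the FIB contents, MAC addresses, port names and the MLS_MAC constant are constructed sample data, and the only "special packet" it flags for further processing is one whose TTL would expire, which the lesson lists among the packets CEF cannot forward directly.

```python
"""
Topology-based MLS (CEF) forwarding: look the destination IP up in a FIB by
longest-prefix match, take the next-hop MAC / egress port from the matching
entry (one lookup), then do the L3 rewrite (TTL-1, IP checksum recomputed,
MACs rewritten). Packets that need a router response (TTL expiring) are
flagged ("punted") instead of being forwarded in hardware.
All FIB entries, addresses and port names below are constructed sample data.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class Adjacency:
    next_hop_mac: str   # L2 address of the next hop (already resolved)
    egress_port: str    # switch port the rewritten frame leaves on
    vlan: int           # vlan-id of that egress port

# Constructed FIB: (prefix, adjacency). Order does not matter for the lookup.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"),   Adjacency("00:aa:bb:00:00:01", "gi0/1", 10)),
    (ipaddress.ip_network("10.1.0.0/16"), Adjacency("00:aa:bb:00:00:02", "gi0/2", 20)),
    (ipaddress.ip_network("10.1.5.0/24"), Adjacency("00:aa:bb:00:00:03", "gi0/3", 30)),
]
MLS_MAC = "00:0c:29:ff:ff:ff"   # assumed MAC of the switch's own L3 interface


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words; over a valid header (checksum included) it returns 0."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (UDP protocol number) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def fib_lookup(dst_ip: str):
    """Longest-prefix match: the most specific prefix containing dst_ip wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, adj in FIB:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, adj)
    return best


def cef_forward(frame: dict):
    """frame = {"src_mac", "dst_mac", "in_port", "ip": raw IPv4 bytes}.
    Returns ("forward", rewritten_frame, egress_port) or ("punt", None, reason)."""
    pkt = frame["ip"]
    ttl = pkt[8]
    dst = str(ipaddress.ip_address(pkt[16:20]))
    if ttl <= 1:
        # TTL would expire: the router must answer (ICMP), so CEF flags it for further processing
        return "punt", None, "TTL expired: needs router response"
    match = fib_lookup(dst)
    if match is None:
        return "punt", None, "no FIB entry"
    _prefix, adj = match
    # L3 rewrite: decrement TTL and recompute the header checksum
    hdr = bytearray(pkt[:20])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    # L2 rewrite: our interface MAC as source, next-hop MAC as destination
    new_frame = {"src_mac": MLS_MAC, "dst_mac": adj.next_hop_mac,
                 "vlan": adj.vlan, "ip": bytes(hdr) + pkt[20:]}
    return "forward", new_frame, adj.egress_port


if __name__ == "__main__":
    f = {"src_mac": "00:11:22:33:44:55", "dst_mac": MLS_MAC, "in_port": "gi0/4",
         "ip": build_ipv4("192.168.1.10", "10.1.5.7", 64)}
    print(cef_forward(f))
```

Note that the checksum helper returning 0 over the rewritten header is exactly the check a receiver performs; keeping that property after the TTL change is the whole point of the "L3 checksums are recalculated" step.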
CEF cannot directly forward some IP packets, if they are special packet types or if there is any special processing needed. These packets are flagged for further processing
The packets that require further processing are
ARP requests and replies
IP packets requiring a router response (TTL expired, MTU exceeded, fragmentation)
IP broadcasts relayed as unicast (DHCP requests, IP helper-address functions)
Routing protocol updates
Cisco Discovery Protocol updates
IPX routing protocol and service updates
Packets needing encryption
Packets triggering NAT
Non-IP and Non-IPX protocol packets (AppleTalk, DECnet etc)

CAM TABLES
Switches generally have large CAM tables so that many addresses can be looked up for frame forwarding
It's not possible to maintain every possible host MAC address in large networks
A CAM table entry expires after 300 seconds by default if no frames are seen on that port
To change the CAM entry aging time

To make a static entry in the CAM table: before IOS version 12.1(11)EA1, the mac-address-table command works
The switch purges a CAM table entry if the port is down or if the same MAC is learned on a different switchport
If the switch notices that a MAC is being learned on alternating switch ports, it generates an error message: flapping between interfaces
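The L2 switch operation list in Lesson 1 and the CAM TABLES section above describe the same mechanism from two sides: learn the source MAC against the ingress port, forward known unicast out one port, flood unknown unicast, refresh entries, expire them after the 300-second default, purge on link down or MAC move, and report a flapping MAC. The following Python model is an added example written for these notes, not code from the original material or from Cisco IOS; the port names, MAC addresses and the FLAP_THRESHOLD / FLAP_WINDOW values are assumptions of the model (the notes only say an error message is generated, not after how many moves).

```python
"""
CAM (MAC address) table behaviour of a Layer 2 switch: learning, known-unicast
forwarding, unknown-unicast / broadcast flooding, entry refresh, aging
(300 s default), static entries, purge on port down, and MAC flap reporting.
Port names, MACs and flap thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING = 300      # seconds, the default aging time from the notes
FLAP_THRESHOLD = 3       # assumed: port changes inside FLAP_WINDOW before reporting
FLAP_WINDOW = 60         # seconds (assumed)


@dataclass
class CamEntry:
    port: str
    last_seen: float
    static: bool = False


@dataclass
class Switch:
    ports: list
    aging_time: int = DEFAULT_AGING
    cam: dict = field(default_factory=dict)     # mac -> CamEntry
    moves: dict = field(default_factory=dict)   # mac -> timestamps of port changes
    log: list = field(default_factory=list)     # error messages the switch would print

    def add_static(self, mac, port):
        """Static entry: never ages out and is never overwritten by learning."""
        self.cam[mac] = CamEntry(port, 0.0, static=True)

    def _age(self, now):
        """Drop dynamic entries that were not refreshed within the aging time."""
        for m in [m for m, e in self.cam.items()
                  if not e.static and now - e.last_seen > self.aging_time]:
            del self.cam[m]

    def _learn(self, mac, port, now):
        entry = self.cam.get(mac)
        if entry is None:
            self.cam[mac] = CamEntry(port, now)            # new entry
        elif entry.static:
            return                                         # static entries are not relearned
        elif entry.port == port:
            entry.last_seen = now                          # same port: refresh only
        else:
            # MAC seen on a different port: old binding purged, relearned here
            entry.port, entry.last_seen = port, now
            hist = [t for t in self.moves.get(mac, []) if now - t <= FLAP_WINDOW]
            hist.append(now)
            self.moves[mac] = hist
            if len(hist) >= FLAP_THRESHOLD:
                self.log.append(f"MAC {mac} is flapping between interfaces")

    def port_down(self, port):
        """Link down purges every entry learned on that port."""
        for m in [m for m, e in self.cam.items() if e.port == port]:
            del self.cam[m]

    def receive(self, in_port, src, dst, now):
        """Return the sorted list of egress ports for a frame received on in_port."""
        self._age(now)
        self._learn(src, in_port, now)
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            # broadcast or unknown unicast: flood to all ports except the ingress port
            return sorted(p for p in self.ports if p != in_port)
        if entry.port == in_port:
            return []                  # destination is on the ingress port: filter the frame
        return [entry.port]            # known unicast: forward out one port


def demo():
    """Learn two hosts, show flood -> forward, then let both entries age out."""
    sw = Switch(ports=["fa0/1", "fa0/2", "fa0/3"])
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    r1 = sw.receive("fa0/1", a, b, now=0)     # b unknown: flooded to fa0/2, fa0/3
    r2 = sw.receive("fa0/2", b, a, now=1)     # a known: forwarded to fa0/1 only
    r3 = sw.receive("fa0/1", a, b, now=2)     # b known: forwarded to fa0/2 only
    sw.receive("fa0/3", "00:11:22:33:44:03", BROADCAST, now=400)  # 398 s later: a, b expire
    return r1, r2, r3, a in sw.cam


if __name__ == "__main__":
    print(demo())
```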
TCAM TABLES
TCAM - Ternary CAM
TCAMs hold compiled information
TCAM evaluates a packet against an entire ACL in a single table lookup
Switches can have multiple TCAMs to process the packet against security ACLs and QoS ACLs in parallel with L2-L3 forwarding decisions
IOS has two components that are part of the TCAM
1. Feature Manager (FM)
o If an ACL is created, FM software compiles and merges the ACL entries (ACEs) into the TCAM
2. Switching Database Manager (SDM)
o SDM software configures or tunes the TCAM partitions to perform different functions, if needed
o TCAMs are fixed in 4500, 6500 platforms, they can't be repartitioned
Three (ternary) input values are used in TCAM. They are 0, 1, X
0, 1 are binary values used to define a key
X (don't care) is a mask value to define which bits of the key are relevant

TCAM entries are composed of Value, Mask, Result (VMR) combinations
Fields from the frame or packet are fed into the TCAM
They are matched against value and mask pairs to yield a result

Values
Values are 134 bit quantities, consisting of source and destination addresses and other relevant protocol information, i.e. all patterns to be matched
Values in the TCAM come directly from any address, port, or other protocol information given in an ACE
Masks
Masks are 134 bit quantities, in exactly the same format, or bit order, as the values
Masks define which value bits should be considered and which should be neglected
The masks from the ACEs are compiled and fed into the TCAMs
Results
Results are numeric values that represent what action should be taken after the TCAM lookup
TCAM offers a number of possible results or actions
The result can be a permit or deny decision, or an index to a QoS policer, or a pointer to a next-hop routing table, and so on

The TCAM is always organized by masks, where each unique mask has 8 value patterns associated with it
If a mask is filled up with 8 value patterns, the next pattern is placed under a new mask
6500 platforms have multiple TCAMs (security ACLs and QoS ACLs), each able to hold up to 4096 masks and 32768 value patterns
Each of the mask-value pairs is evaluated simultaneously, revealing the best or longest match in a single table lookup
The access-list is compiled and merged into the TCAM
First all possible unique masks are identified for each ACE and fed into TCAM MASKS starting from mask1, mask2, mask3 and so on
These mask bits must be set for matching
For each unique mask, all possible value patterns are identified and fed into TCAM VALUE PATTERNS
Actions are fed into RESULTS (permit or deny)
IOS Feature Manager checks all ACEs for L4 operations and places them in LOU (Logical Operation Unit) register pairs
After the LOUs are loaded, they are referenced in the TCAM entries that need them
When a frame/packet arrives at an ingress port, the header is checked against the TCAM entries very quickly and the appropriate action is taken
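The VMR description and the ACL compile steps above (unique masks, value patterns grouped 8 per mask, results, one lookup revealing the best match) as an added Python model. This is an example written for these notes, not Cisco's Feature Manager code: it uses a simplified 80-bit key (source IP | destination IP | destination port) instead of the real 134-bit Catalyst layout, the sample ACL is constructed, "best match" is resolved as the lowest ACE sequence number among all matching entries (sequential ACL semantics), and L4 operators other than `eq` (the LOU register pairs) are not modelled.

```python
"""
Compile ACEs into TCAM value/mask/result entries, group value patterns under
unique masks (8 per mask, then a new mask), and look a packet key up against
all entries, picking the best (first-ACE) match. Key layout is an assumed
80-bit key: src IP (32) | dst IP (32) | dst port (16). ACL is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

VALUES_PER_MASK = 8      # from the notes: each unique mask holds 8 value patterns
KEY_BITS = 80            # assumed simplified key width (real Catalyst TCAM: 134 bits)


@dataclass
class MaskBlock:
    mask: int
    values: list = field(default_factory=list)   # [(ace_seq, value, result)]


def _ip_bits(addr: str, wildcard: str):
    """Cisco wildcard: 0 bit = must match, 1 bit = don't care. Returns (value, mask)."""
    v = int(ipaddress.ip_address(addr))
    w = int(ipaddress.ip_address(wildcard))
    mask = ~w & 0xFFFFFFFF
    return v & mask, mask


def compile_ace(ace: dict):
    """One ACE -> (value, mask, result). dport None means 'any port' (port bits X)."""
    sv, sm = _ip_bits(ace["src"], ace["src_wc"])
    dv, dm = _ip_bits(ace["dst"], ace["dst_wc"])
    pv, pm = (ace["dport"], 0xFFFF) if ace.get("dport") is not None else (0, 0)
    value = (sv << 48) | (dv << 16) | pv
    mask = (sm << 48) | (dm << 16) | pm
    return value, mask, ace["action"]


def packet_key(src: str, dst: str, dport: int) -> int:
    """Fields pulled from the packet header, in the same bit order as the values."""
    return (int(ipaddress.ip_address(src)) << 48) | (int(ipaddress.ip_address(dst)) << 16) | dport


def ternary(value: int, mask: int, bits: int = KEY_BITS) -> str:
    """Render a VMR pattern as the 0/1/X string the TCAM effectively stores."""
    return "".join("X" if not (mask >> i) & 1 else ("1" if (value >> i) & 1 else "0")
                   for i in range(bits - 1, -1, -1))


class Tcam:
    def __init__(self):
        self.blocks = []     # MaskBlocks in creation order
        self._seq = 0        # ACE sequence number, used to resolve overlapping matches

    def load_acl(self, acl):
        """Feature-manager style compile: each unique mask gets up to 8 value patterns."""
        for ace in acl:
            value, mask, result = compile_ace(ace)
            blk = next((b for b in self.blocks
                        if b.mask == mask and len(b.values) < VALUES_PER_MASK), None)
            if blk is None:                       # mask full or unseen: open a new mask
                blk = MaskBlock(mask)
                self.blocks.append(blk)
            blk.values.append((self._seq, value, result))
            self._seq += 1

    def lookup(self, key: int) -> str:
        """Evaluate every mask/value pair (hardware does this in parallel) and return
        the result of the earliest matching ACE; no match is the implicit deny."""
        hits = [(seq, result) for blk in self.blocks
                for seq, value, result in blk.values if key & blk.mask == value]
        return min(hits)[1] if hits else "deny"


# Constructed sample ACL (extended-ACL style fields)
ACL = [
    dict(action="deny",   src="10.1.1.0", src_wc="0.0.0.255",       dst="192.168.10.5", dst_wc="0.0.0.0",   dport=23),
    dict(action="permit", src="10.1.1.0", src_wc="0.0.0.255",       dst="192.168.10.0", dst_wc="0.0.0.255", dport=None),
    dict(action="permit", src="0.0.0.0",  src_wc="255.255.255.255", dst="192.168.10.5", dst_wc="0.0.0.0",   dport=80),
]


def demo():
    t = Tcam()
    t.load_acl(ACL)
    return (t.lookup(packet_key("10.1.1.7", "192.168.10.5", 23)),    # deny   (ACE 1)
            t.lookup(packet_key("10.1.1.7", "192.168.10.9", 23)),    # permit (ACE 2)
            t.lookup(packet_key("172.16.0.1", "192.168.10.5", 80)),  # permit (ACE 3)
            t.lookup(packet_key("172.16.0.1", "192.168.10.5", 443)), # deny   (implicit)
            len(t.blocks))                                           # 3 unique masks


if __name__ == "__main__":
    print(demo())
```

Dumping `ternary()` for an ACE is a quick way to see why masks are the expensive resource: a `host` ACE and a `/24` ACE differ only in which bits are X, yet they can never share a mask block.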

LESSON 2 : ETHERNET PORT CONFIGURATION

LAN media technologies
Ethernet
FDDI - Fiber distribution data interface
CDDI - Copper distribution data interface
ATM - Asynchronous transfer mode
Token Ring
Ethernet is the most popular choice because of its low cost, market availability, and scalability to higher bandwidths

Ethernet 10Mbps
LAN technology based on the IEEE 802.3 standard
Offers speed at 10Mbps
Ethernet is a shared medium that becomes both a collision and a broadcast domain
Ethernet is based on CSMA/CD technology
Half duplex communication with hubs
Half/full duplex communication with switches
10BASE-T ethernet cabling (UTP) is restricted to an end-to-end distance of 100 m (328 feet)
10BASE2, 10BASE5, 10BASE-F etc are other ethernet applications that use different cabling

Fast Ethernet 100Mbps
LAN technology based on the IEEE 802.3u standard
Offers speed at 100Mbps
Full duplex / half duplex communication
200Mbps total throughput at full duplex
100Mbps fast ethernet also supports 10Mbps to be compatible with legacy ethernet
With the auto negotiation feature the ports can be set to the maximum available bandwidth as a common understanding
Gigabit Ethernet 1000Mbps / 1Gbps
LAN technology based on IEEE 802.3z
Offers speed at 1000Mbps (1Gbps)
Supports only full duplex communication
Gigabit ethernet supports several cabling types referred to as 1000BASE-X
Gigabit over copper (1000BASE-T) is based on the IEEE 802.3ab standard
Gigabit ethernet supports backward compatibility with fast ethernet and legacy ethernet
These ports are called 10/100/1000 ports, which denotes triple speed
In Cisco switches gigabit ethernet (1000Mbps) is supported only at full duplex
Duplex auto negotiation is not possible
But speed auto negotiation is possible

10 Gigabit Ethernet 10Gbps
LAN technology based on IEEE 802.3ae
10 Gigabit ethernet is also known as 10GbE
Offers speed at 10Gbps
It operates only at full duplex
This standard defines several different transceivers that can be used as PMD (physical media dependent) interfaces
These are classified as
o LAN PHY
Interconnects switches in a campus network (at the core layer)
o WAN PHY
SONET (Synchronous Optical Network), SDH (Synchronous Digital Hierarchy) networks in Metropolitan Area Networks
10GBASE-LX4 is only a LAN PHY. The remaining PMDs can be used as a LAN PHY or a WAN PHY

Ethernet Port cables - connectors
Catalyst switches support a variety of network connections, including all forms of ethernet
They support several types of cabling, including UTP and optical fiber
Fast ethernet (100BASE-FX) ports use two-strand MMF with MT-RJ or SC connectors to provide connectivity
All Catalyst switch families support 10/100 autosensing for fast ethernet and 10/100/1000 autosensing for Gigabit ethernet
These ports use RJ-45 connectors on Category 5 UTP cabling (4 pairs)

Gigabit Ethernet Port cables - connectors
Catalyst switches with Gigabit Ethernet ports have standardized rectangular openings that can accept Gigabit Interface Converter (GBIC) or Small Form-factor Pluggable (SFP) modules
The GBIC and SFP modules provide the media personality for the port so that various cable media can connect
GBIC modules can use SC fiber-optic and RJ-45 UTP connectors
SFP modules can use LC and MT-RJ fiber-optic and RJ-45 UTP connectors
GBIC and SFP modules are available for the Gigabit Ethernet media
1000BASE-SX
SC fiber connectors and MMF for distances up to 550m
1000BASE-LX/LH
SC fiber connectors and either MMF or SMF for distances up to 10km
1000BASE-ZX
SC fiber connectors and SMF for distances up to 70km to 100km
GIGASTACK
Provides a GBIC to GBIC connection between stacking Catalyst switches or between any two gigabit switch ports over a short distance
1000BASE-T
Supports an RJ-45 connector for four-pair UTP cabling for distances up to 100m
The fiber based modules always have the receive fiber on the left connector and the transmit fiber on the right connector while facing the connector
These modules produce invisible laser radiation from the transmit connector. It's very dangerous to look directly at the connectors

SwitchPort Error conditions
A Catalyst switch detects an error condition on every switchport for every possible cause
If an error condition is detected, the switchport is put into errdisable state and is disabled

LESSON 3 : VLANs AND TRUNKs

Flat Network
A full Layer 2 only switched network is called a flat network topology
A flat network is a single broadcast domain
Every device can see every broadcast packet
To overcome problems with the flat network topology, the network is subdivided into logical areas, called VLANs
A VLAN is a single broadcast domain
A VLAN consists of hosts defined as members, communicating as a logical network segment
Devices in a VLAN can see broadcast packets sent by members of the same VLAN
Inter-VLAN communication is not possible in L2 networks

VLAN - Virtual LAN
VLANs are identified with numbers called VLAN ids
VLAN id range is 1-1005
VLAN 1 is the default VLAN
By default all the ports are assigned to VLAN 1
VLANs 1002-1005 are reserved for legacy functions related to Token Ring, FDDI
Catalyst switches also support an extended range of VLANs, from 1 - 4094, for compatibility with the IEEE 802.1Q standard
The extended range is enabled only when the switch is configured for VTP transparent mode
VTP versions 1 and 2 do not replicate extended VLANs
VTP version 3 can replicate extended VLANs
Switches maintain VLAN definitions and VTP configuration information in a separate file called vlan.dat in flash memory


VLAN Membership
Ports can gain membership in a VLAN in two ways
Static VLAN configuration
o Manual configuration of ports into VLANs
o Port based VLAN membership
o End user devices become VLAN members based on the physical switchport
o Each port receives a Port VLAN-id (PVID) that is associated with the VLAN number
o The end user device is not aware of its VLAN membership
o Static VLAN membership is handled in hardware with ASICs
Dynamic VLAN configuration
o Dynamic configuration of ports into VLANs
o End user MAC based VLAN membership
o VMPS (VLAN Membership Policy Server) is needed to handle the MAC database
o When a system is connected to a switchport, the switch queries VMPS about the VLAN membership
o Finally the end device gets the VLAN membership
o VMPS can be configured with the CiscoWorks application

Deploying VLANs
Cisco recommends one-to-one correspondence between VLANs and IP subnets
As per Cisco, the number of devices in a broadcast domain should be less than 254 (/24)
Limiting the devices in a broadcast domain increases network performance
VLANs should not be allowed to extend beyond the L2 domain of the distribution switch
This means VLANs should not reach the network's core layer
9000235254 P. NAGABABU

This material is valid till 31
st
Nove
VLANs can be scaled in the switch block by using two basic methods
End to End vlans
o Called campus-wide vlans, span the entire switch fabric of a network
o Support maximum flexibility and end user movement
o This vlan is available at the access layer in every switch block in the campus
o Follow the 80/20 rule (80% local, 20% remote traffic)
o Not recommended in ECNM, because broadcast traffic is carried over till far ends
o Difficult to maintain
Local vlans
o Local vlans do not span the entire switch fabric of a network
o Vlans are local to a specific switch block
o Follow the 20/80 rule (20% local, 80% remote traffic)
o Recommended in ECNM
o Provide maximum manageability

Trunk Links

Vlan connectivity is possible by connecting access-links between switches
Connecting one access-link per vlan is not practical if many vlans exist in the network
Multiple access-links can be replaced with a single trunk link
A trunk link can transport more than one VLAN through a single switchport
So switchports are categorized into access ports and trunk ports
Access ports can be associated with a single vlan
Trunk ports can be associated with one, many or all active vlans
Cisco supports trunking on fast ethernet, gigabit ethernet and aggregated links
Frame Tagging
As trunk links carry the data of multiple vlans, the switches must identify from which vlan the data is coming
The vlan-id should be attached to the frames while travelling through trunk links
Trunk port adds the vlan-id to the normal ethernet frame before sending it through the trunk link
This frame is called a tagged ethernet frame
Trunk port removes the vlan-id from the tagged ethernet frame before sending it to the system
System can identify only the normal frame
Attaching a vlan identifier to the normal ethernet frame is called frame-tagging or frame-encapsulation

Frame tagging can be done in two methods
ISL
Dot1Q


Dot1Q Frame tagging

The first two bytes are TPID and the last two bytes are TCI (Tag control information)
TPID always has a value of 0x8100 to signify an 802.1q tag
TCI contains a 3 bit priority used to implement CoS (class of service)
1 bit of TCI is CFI (canonical format indicator), identifies whether the MAC address is in ethernet or token ring format
CFI is also called little-endian or big-endian format
The last 12 bits are the VLAN-ID to indicate the source vlan for the frame
The vlan-id can have values from 0 to 4095, but vlans 0, 1, 4095 are reserved

Frame tagging Errors
Normal ethernet frame size is 1518 bytes
Frame-tagging methods increase the frame size to 1522 bytes or 1548 bytes
Generally these frames exceed the MTU size and are reported as baby giant frames
Switches usually report these frames as ethernet errors or oversize frames
But switches have to forward these frames anyway
In case of ISL, Catalyst switches use proprietary hardware
In case of 802.1q, switches comply with the IEEE 802.3ac standard, which can accept frames of 1522 bytes

Native VLANs
Native vlan is the vlan whose frames are not tagged
Native vlans are supported only with the IEEE 802.1q trunking method
ISL does not support native vlans
Native vlans must match at both ends of the trunk link
By default vlan 1 is the native vlan
Native vlans are very useful if ethernet segments are connected between trunk links
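As an added illustration (not part of the original notes), the following Python builds and decodes 802.1Q tagged frames with the TPID/TCI layout described above, assigns untagged frames to the native vlan, strips the tag as a trunk port does before delivery to a host, and flags the baby-giant size and the reserved VIDs. The MAC addresses, payload and FCS placeholder are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100
RESERVED_VIDS = {0, 1, 4095}       # reserved VIDs as listed in the notes
MAX_UNTAGGED_FRAME = 1518          # normal Ethernet frame size
MAX_TAGGED_FRAME = 1522            # 802.3ac allows the extra 4-byte tag
FCS_PLACEHOLDER = bytes(4)         # stands in for the 4-byte FCS; not computed here


def build_tagged_frame(dst, src, vid, payload, pcp=0, cfi=0):
    """Insert the 4-byte 802.1Q tag (2-byte TPID + 2-byte TCI) after the source MAC,
    as a trunk port does before sending a frame over the trunk link."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("priority (CoS) must fit in 3 bits")
    tci = (pcp << 13) | ((cfi & 1) << 12) | vid
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + payload


def parse_frame(frame, native_vid=1):
    """Decode a frame as received on a trunk port: a tagged frame carries its VID in
    the TCI, an untagged frame belongs to the native VLAN (vlan 1 by default)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6], "src": frame[6:12]}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info["tagged"] = ethertype == TPID_8021Q
    if info["tagged"]:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13            # 3-bit priority (CoS)
        info["cfi"] = (tci >> 12) & 1      # canonical format indicator
        info["vid"] = tci & 0x0FFF         # 12-bit VLAN-ID
        info["payload"] = frame[16:]
    else:
        info["vid"] = native_vid
        info["payload"] = frame[14:]
    return info


def strip_tag(frame):
    """Remove the tag before handing the frame to an end system, which only
    understands the normal (untagged) frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def classify_size(frame):
    """Report the 'baby giant' case: a maximum-size frame that exceeds 1518 bytes
    only because of the 4-byte tag."""
    if len(frame) <= MAX_UNTAGGED_FRAME:
        return "normal"
    if len(frame) <= MAX_TAGGED_FRAME:
        return "baby giant"
    return "oversize"


def check_vid(vid):
    """Flag reserved VIDs, which should never be assigned to user traffic."""
    return "reserved" if vid in RESERVED_VIDS else "usable"


# Constructed sample frames (not captures): a maximum 1500-byte IPv4 payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x08\x00" + bytes(1500)
UNTAGGED = DST + SRC + PAYLOAD + FCS_PLACEHOLDER
TAGGED = build_tagged_frame(DST, SRC, vid=100, payload=PAYLOAD, pcp=5) + FCS_PLACEHOLDER

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        d = parse_frame(frame)
        print(f"{name}: vid={d['vid']} ({check_vid(d['vid'])}), "
              f"{len(frame)} bytes -> {classify_size(frame)}")
```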

DTP
DTP - Dynamic Trunking Protocol
DTP is a Cisco proprietary point-to-point protocol
Used to negotiate a common trunking mode between two switches
A trunk link can be negotiated between two switches only if they belong to the same VTP management domain
or any one of the switches is set to the NULL domain
If two switches belong to different VTP management domains, negotiation is not possible
Then trunk mode should be set to ON with manual intervention

By default DTP frames are sent out every 30 seconds to keep neighboring switchports informed of the link mode
The trunk encapsulation method is negotiated to select either ISL or IEEE 802.1q, whichever both ends of the trunk support
If both ends support both types, ISL is preferred
DTP is enabled by default

Trunk Negotiation

Local switchport state   Far end switchport state          Trunk negotiation
Access                   Access, trunk, desirable, auto    No Trunk
Trunk                    Trunk, desirable, auto            Trunk
Desirable                Trunk, auto, desirable            Trunk
Auto                     Trunk, desirable                  Trunk
Auto                     Auto                              No Trunk
Nonegotiate              Access, trunk, desirable, auto    No Trunk
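The following Python is an added model (not code from the original notes) of the DTP decisions above: the VTP-domain rule, the trunk negotiation table for the states that exchange DTP frames, and the encapsulation choice with ISL preferred. Nonegotiate is rejected by the model because it sends no DTP frames; the port descriptions and the domain name "campus" are constructed.

```python
DTP_MODES = {"access", "trunk", "desirable", "auto"}   # states that exchange DTP frames
TRUNK_CAPABLE = {"trunk", "desirable", "auto"}          # states willing to become a trunk
ASKING_MODES = {"trunk", "desirable"}                   # states that ask the far end to trunk


def domains_allow_negotiation(local_domain, remote_domain):
    """DTP negotiates only inside one VTP management domain, or when one side is in
    the NULL domain (modelled as None)."""
    return local_domain is None or remote_domain is None or local_domain == remote_domain


def negotiate_mode(local, remote):
    """Return 'trunk' or 'no trunk' for a pair of switchport states, following the
    trunk negotiation table: an access port never trunks, and a trunk forms when
    both sides are willing and at least one of them asks."""
    for mode in (local, remote):
        if mode not in DTP_MODES:
            raise ValueError(f"{mode!r} does not take part in DTP negotiation")
    if local not in TRUNK_CAPABLE or remote not in TRUNK_CAPABLE:
        return "no trunk"
    if local in ASKING_MODES or remote in ASKING_MODES:
        return "trunk"
    return "no trunk"                     # auto + auto: both wait to be asked


def negotiate_encapsulation(local_encaps, remote_encaps):
    """Pick the encapsulation both ends support; ISL is preferred when both support
    both. Returns None when there is no common method."""
    common = set(local_encaps) & set(remote_encaps)
    if "isl" in common:
        return "isl"
    if "dot1q" in common:
        return "dot1q"
    return None


def negotiate(local, remote):
    """Full negotiation for two port descriptions, each a dict with the keys
    'mode', 'domain' and 'encaps' (a set containing 'isl' and/or 'dot1q')."""
    if not domains_allow_negotiation(local["domain"], remote["domain"]):
        return {"trunk": False, "reason": "different VTP domains; set trunk mode on manually"}
    if negotiate_mode(local["mode"], remote["mode"]) != "trunk":
        return {"trunk": False, "reason": "port states do not form a trunk"}
    encapsulation = negotiate_encapsulation(local["encaps"], remote["encaps"])
    if encapsulation is None:
        return {"trunk": False, "reason": "no common trunk encapsulation"}
    return {"trunk": True, "encapsulation": encapsulation}


def negotiation_table():
    """Reproduce the trunk negotiation table for every pair of DTP states."""
    states = ("access", "trunk", "desirable", "auto")
    return {(a, b): negotiate_mode(a, b) for a in states for b in states}


if __name__ == "__main__":
    for (local, remote), result in sorted(negotiation_table().items()):
        print(f"{local:10} {remote:10} {result}")
    # Constructed ports: an uplink in domain 'campus' facing a switch that is still
    # in the NULL domain and only supports 802.1Q.
    print(negotiate({"mode": "desirable", "domain": "campus", "encaps": {"isl", "dot1q"}},
                    {"mode": "auto", "domain": None, "encaps": {"dot1q"}}))
```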
LESSON 4 : VTP
Since a campus network contains a large number of switches, management of vlans is not easy in general
Cisco developed a method to manage vlans easily in campus networks
VTP - VLAN Trunking Protocol
VTP carries vlan information from one switch to another switch automatically
VTP allows the switches to replicate vlan information dynamically
VTP uses L2 trunk frames to communicate VLAN information among a group of switches
VTP manages the addition, deletion and renaming of vlans across the network from a central point of control
With VTP, VLAN information is stored in the vlan.dat file located in flash

VLANs replication

VTP Domains
VTP is organized into management domains
Switches in the same VTP domain share vlan information
Switches in different VTP domains can't share vlan information
By default the domain name is NULL
The entire VTP operation is controlled by VTP advertisements
VLAN replication is bounded by the VTP domain

VTP Modes
VTP works in three modes
Server mode
Client mode
Transparent mode

Server Mode                         Client Mode                            Transparent Mode
Vlan configuration is possible      Vlan configuration is not possible     Vlan configuration is possible
Server is master                    Client follows server                  Transparent does not follow server
Vlan replication                    Vlan replication                       No vlan replication
VTP information is synchronized     VTP information is synchronized        VTP information is not synchronized
Default mode                        Not a default mode                     Not a default mode
Network needs at least one server   No of clients depends on requirement   No of transparents depends on requirement
Works like VTP relay                Works like VTP relay                   Works like VTP relay in version 2
VTP Advertisements
The entire VTP operation is maintained by VTP advertisements
VTP advertisements are sent as multicast frames
By default VTP advertisements are sent as non-secure advertisements, without a password
If secure mode is enabled, the VTP password must be the same on every switch to share VTP advertisements
VTP switches use an index called the VTP configuration revision number to keep track of the most recent information
Every switch stores the latest VTP configuration revision number
The VTP process always starts with 0 as the VTP configuration revision number
If there is any change in the server configuration, the revision number will be incremented by 1

If a new server switch is added to the network with the highest revision number,
it may collapse the network with VTP advertisements
Every switch thinks that a new server is added, tries to synchronize, and may delete existing vlan information
This is called the VTP synchronization problem
To avoid this, the revision number must be set to 0
To reset the revision number
o Change the switch VTP mode to transparent and then back to server (Or)
o Change the switch's VTP domain to a bogus name and then change back to the original name

VTP advertisements can occur in three forms
Summary advertisements
o Sent by the server every 300 seconds or when a vlan database change occurs
o Include summary information
Subset advertisements
o Sent by servers if a vlan configuration change occurs
o They contain information about every vlan
Advertisement requests from clients
o Sent by a client as a query if it needs any vlan information
o Subset advertisements are sent by the server as the reply
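An added simulation (not code from the original notes) of the advertisement handling and the VTP synchronization problem described above: a server with a higher configuration revision number overwrites the vlan database of every synchronized switch in the domain, and resetting its revision to 0 before connecting it prevents that. The model keeps only what the notes describe (domain, password, revision number, the three modes); switch names, the domain "campus" and the vlan lists are constructed.

```python
class VtpSwitch:
    """Minimal model of one switch's VTP state: domain, password, revision number,
    mode and VLAN database."""

    def __init__(self, name, mode, domain, password=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("mode must be server, client or transparent")
        self.name = name
        self.mode = mode
        self.domain = domain
        self.password = password          # None models non-secure mode (no password)
        self.revision = 0                 # VTP always starts at configuration revision 0
        self.vlans = {1}                  # vlan 1 always exists

    def _configure(self, vid, add):
        """VLAN configuration is possible on servers and transparent switches only;
        every change on a server increments the revision number by 1."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: vlan configuration not possible in client mode")
        if add:
            self.vlans.add(vid)
        else:
            self.vlans.discard(vid)
        if self.mode == "server":
            self.revision += 1
        return self.revision

    def add_vlan(self, vid):
        return self._configure(vid, add=True)

    def delete_vlan(self, vid):
        return self._configure(vid, add=False)

    def advertisement(self):
        """Summary plus subset information a server sends out on its trunks."""
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Process an advertisement. Returns True when the local VLAN database was
        replaced by the advertised one."""
        if self.mode == "transparent":
            return False                  # not synchronized; only relayed
        if adv["domain"] != self.domain:
            return False                  # replication is bounded by the VTP domain
        if adv["password"] != self.password:
            return False                  # secure mode: password must match on every switch
        if adv["revision"] <= self.revision:
            return False                  # nothing newer than what is already stored
        self.revision = adv["revision"]
        self.vlans = set(adv["vlans"])
        return True

    def reset_revision_via_transparent(self):
        """First reset method from the notes: transparent, then back to the original mode."""
        mode = self.mode
        self.mode = "transparent"
        self.revision = 0
        self.mode = mode

    def reset_revision_via_domain(self, bogus="bogus-domain"):
        """Second reset method: a bogus domain name, then back to the original name."""
        domain = self.domain
        self.domain = bogus
        self.revision = 0
        self.domain = domain


def propagate(source, switches):
    """Deliver source's advertisement to every other switch; return the names of the
    switches that overwrote their VLAN database."""
    adv = source.advertisement()
    return [sw.name for sw in switches if sw is not source and sw.receive(adv)]


def scenario(reset_new_server):
    """Production domain 'campus' at revision 3 with vlans 10, 20, 30. A server used
    elsewhere before (revision 10, only vlan 1 left) is connected, with or without
    resetting its revision first. Returns each switch's VLAN set afterwards."""
    prod = VtpSwitch("prod-server", "server", "campus", password="s3cret")
    client = VtpSwitch("prod-client", "client", "campus", password="s3cret")
    for vid in (10, 20, 30):
        prod.add_vlan(vid)
    propagate(prod, [client])                         # client: revision 3, vlans 1,10,20,30
    newcomer = VtpSwitch("lab-server", "server", "campus", password="s3cret")
    for vid in range(100, 105):
        newcomer.add_vlan(vid)                         # revision 5
    for vid in range(100, 105):
        newcomer.delete_vlan(vid)                      # revision 10, only vlan 1 left
    if reset_new_server:
        newcomer.reset_revision_via_transparent()      # revision back to 0
    propagate(newcomer, [prod, client])                # the dangerous advertisement
    propagate(prod, [client, newcomer])                # normal replication resumes
    return {sw.name: set(sw.vlans) for sw in (prod, client, newcomer)}
```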

Summary Advertisements

Advertisements Request

VTP Modes

Version 1                                                 Version 2                                     Version 3
Default version                                           Not default version                           Not default version
Transparent mode does not work as VTP relay               Transparent mode works as VTP relay           Transparent mode works as VTP relay
Supports only 1-1005 vlan id                              Supports 1-1005 vlan id                       Supports 1-4095 vlan id
Can coexist with version 2                                Can coexist with version 1                    Future version
No consistency check on VTP to prevent errors             Consistency check on VTP to prevent errors
Doesn't support token ring                                Supports token ring
Doesn't support unrecognized TLVs (Type, length, value)   Supports unrecognized TLVs

If a VTP version is set on the server switch, it automatically propagates to the client switches, if they support that version
VTP Configuration


VTP Pruning
VTP pruning reduces unnecessary flooded traffic
It makes more efficient use of trunk bandwidth
With VTP pruning, broadcast and unknown unicast flooding are forwarded over a trunk link only if the receiving switch has active ports in that vlan
VTP pruning improves network performance and consumes fewer processing cycles of the switch
By default VTP pruning is disabled on IOS-based switches

Vlan 1 carries management information and control information
Vlan 1, 1002-1005 are not eligible for pruning
Vlans 2-1001 are eligible for pruning
VTP pruning has no effect on transparent switches; manual configuration is required to prune vlans from trunk links

No VTP Pruning

VTP Pruning Configuration

VTP Pruning
LESSON 5 : LINK AGGREGATION
Etherchannel
Individual physical links are bundled together to aggregate the bandwidth

Individual physical links can be bundled together to aggregate the bandwidth between switches
This works like a single logical channel between switches called ETHERCHANNEL
2 to 8 physical links can be bundled together in an Etherchannel

FEC : Fast Ether Channel
o 100 Mbps links are bundled together, supports 800Mbps speed (1600Mbps throughput)
GEC : Gigabit Ether Channel
o 1 Gbps links are bundled together, supports 8Gbps speed (16Gbps throughput)
10GEC : 10Gigabit Ether Channel
o 10 Gbps links are bundled together, supports 80Gbps speed (160Gbps throughput)

Generally L2 loops will occur by connecting parallel links between switches
But Etherchannel will combine them into a single logical link
On Etherchannel, traffic load is not distributed equally among the individual links
With the load-balancing algorithm, Etherchannel selects one of the links to forward the traffic
Only physical links with the same speed and properties can be bundled
The Etherchannel can be an access link or a trunk link
Etherchannel supports redundancy
If one of the links fails within the channel, the traffic will be moved to another adjacent link. Failover occurs in less than a few milliseconds

Etherchannel Traffic Distribution
In an etherchannel traffic is not distributed equally on all links
The traffic distribution is based on a hashing algorithm. This algorithm can use
o Source IP
o Destination IP
o Source IP-Destination IP
o Source MAC
o Destination MAC
o Source MAC-Destination MAC
o Source Port
o Destination Port
o Source Port-Destination Port
The hash algorithm computes a binary pattern that selects a link number in the bundle to carry each frame

If only one address or port number is used, the algorithm takes one or more low-order bits
If two addresses or port numbers are used, the algorithm performs an XOR (exclusive OR) operation on one or more low-order bits

Link selections - if only one address is used in the distribution algorithm

Link selections - if two addresses are used in the distribution algorithm

A conversation between two devices is always sent through the same Etherchannel link because the two endpoint addresses stay the same
If there is a high data conversation between two servers, they always use the same Etherchannel link as a result of the distribution algorithm. It may lead to load imbalance
To avoid this, Source-Destination ports can be used as the load balancing method
When a device talks to multiple devices, the traffic can be distributed on several etherchannel links based on the distribution algorithm

Etherchannel load balancing

Method         Hash input                    Hash operation   Switch model
src-ip         Source ip                     Bits             All models
dst-ip         Destination ip                Bits             All models
src-dst-ip     Source and destination ip     XOR              All models
src-mac        Source mac                    Bits             All models
dst-mac        Destination mac               Bits             All models
src-dst-mac    Source and destination mac    XOR              All models
src-port       Source port                   Bits             6500, 4500
dst-port       Destination port              Bits             6500, 4500
src-dst-port   Source and destination port   XOR              6500, 4500

For L2 switching the default load balance method is src-mac
For L3 switching the default load balance method is src-dst-ip

Etherchannel Protocols
Etherchannel negotiation protocols are used to provide dynamic link configuration
Two protocols are available to negotiate bundled links in catalyst switches
o PAgP
Port Aggregation Protocol
Cisco proprietary solution
o LACP
Link Aggregation Control Protocol
Open standard solution

Negotiation Mode

PAgP        LACP      Negotiation packets sent   Characteristics
On          On        No                         All ports channeling
Auto        Passive   Yes                        Waits to channel until asked
Desirable   Active    Yes                        Actively asks to form a channel
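The Python below is an added, simplified model (not code from the original notes and not Cisco's actual hash) of the link selection described in the two sections above: one key uses its low-order bits, two keys are XORed, and the number of bits is what the bundle size needs. It shows why one server pair stays pinned to a single link under src-dst-ip and spreads across all links under src-dst-port; the addresses, MACs and port numbers of the sample flows are constructed, and IPv4 is assumed.

```python
import ipaddress


def _to_int(key):
    """IPv4 address string, MAC string (aa:bb:cc:dd:ee:ff) or port number -> int."""
    if isinstance(key, int):
        return key
    if ":" in key:
        return int(key.replace(":", ""), 16)
    return int(ipaddress.IPv4Address(key))


def select_link(method, flow, links):
    """Return the 0-based member link chosen for `flow` in a bundle of `links` members.
    method is one of the notes' names (src-ip, dst-ip, src-dst-ip, src-mac, dst-mac,
    src-dst-mac, src-port, dst-port, src-dst-port); flow is a dict with the keys
    src_ip, dst_ip, src_mac, dst_mac, src_port and dst_port. One key: its low-order
    bits; two keys: XOR of their low-order bits. The bit count matches the bundle size."""
    if links not in (2, 4, 8):
        raise ValueError("model covers bundles of 2, 4 or 8 links (1, 2 or 3 hash bits)")
    nbits = links.bit_length() - 1
    mask = (1 << nbits) - 1
    *sides, field = method.split("-")        # e.g. ["src", "dst"] and "ip"
    values = [_to_int(flow[f"{side}_{field}"]) for side in sides]
    pattern = values[0] if len(values) == 1 else values[0] ^ values[1]
    return pattern & mask


def distribute(method, flows, links):
    """Count how many of `flows` land on each member link."""
    counts = [0] * links
    for flow in flows:
        counts[select_link(method, flow, links)] += 1
    return counts


# Constructed sample: one server pair holding 16 TCP conversations to port 443,
# differing only in the client's source port.
SERVER_A = {"ip": "10.1.1.10", "mac": "00:00:5e:00:53:0a"}
SERVER_B = {"ip": "10.1.2.20", "mac": "00:00:5e:00:53:14"}
FLOWS = [
    {"src_ip": SERVER_A["ip"], "dst_ip": SERVER_B["ip"],
     "src_mac": SERVER_A["mac"], "dst_mac": SERVER_B["mac"],
     "src_port": 40000 + i, "dst_port": 443}
    for i in range(16)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13} -> flows per link {distribute(method, FLOWS, 8)}")
```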
PAgP
PAgP packets are exchanged between switches over Etherchannel capable ports
PAgP forms an Etherchannel only on ports that are configured for identical static VLANs or trunking
PAgP dynamically modifies parameters of the Etherchannel if one of the bundled ports is modified (vlan-id, speed, duplex)
PAgP configured in desirable mode asks the far-end switch to negotiate an Etherchannel
PAgP configured in auto mode (default) waits to be asked by the far-end switch to negotiate an Etherchannel

LACP
Defined in IEEE 802.3ad (Clause 43)
LACP packets are exchanged between switches over Etherchannel capable ports
The switch with the lowest system priority (2B priority-6B switch MAC) makes decisions about which ports are actively participating in the Etherchannel
Ports are selected and become active according to their lowest port priority (2B priority-2B port number)
A set of up to 16 potential links can be defined for each etherchannel
The 8 ports with the lowest priorities are grouped together, the remaining are standby
LACP configured in active mode asks the far-end switch to negotiate an Etherchannel
LACP configured in passive mode waits to be asked by the far-end switch to negotiate an Etherchannel
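An added example (not code from the original notes or any LACP implementation) of the LACP decisions described above: the system ID formed from the 2-byte priority and 6-byte MAC decides which switch is in charge, the port ID formed from the 2-byte port priority and 2-byte port number orders up to 16 candidate ports into 8 active and the rest standby, and the active/passive/on pairing follows the negotiation mode table. Switch names, priorities, MACs and port numbers are constructed.

```python
MAX_CANDIDATE_LINKS = 16     # potential links per etherchannel
MAX_ACTIVE_LINKS = 8         # lowest port IDs that actually bundle
LACP_MODES = {"on", "active", "passive"}


def system_id(priority, mac):
    """LACP system ID: 2-byte system priority followed by the 6-byte switch MAC,
    compared as one 64-bit number (lower wins)."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("system priority is a 2-byte value")
    return (priority << 48) | int(mac.replace(":", ""), 16)


def port_id(priority, number):
    """LACP port ID: 2-byte port priority followed by the 2-byte port number."""
    if not 0 <= priority <= 0xFFFF or not 0 <= number <= 0xFFFF:
        raise ValueError("port priority and port number are 2-byte values")
    return (priority << 16) | number


def deciding_switch(switches):
    """switches: name -> (system_priority, mac). The lowest system ID decides which
    ports actively participate in the channel."""
    return min(switches, key=lambda name: system_id(*switches[name]))


def select_active_ports(candidates):
    """candidates: list of (port_name, port_priority, port_number). Returns
    (active, standby): the 8 lowest port IDs become active, the rest stand by."""
    if len(candidates) > MAX_CANDIDATE_LINKS:
        raise ValueError(f"at most {MAX_CANDIDATE_LINKS} potential links per etherchannel")
    ordered = sorted(candidates, key=lambda c: port_id(c[1], c[2]))
    names = [c[0] for c in ordered]
    return names[:MAX_ACTIVE_LINKS], names[MAX_ACTIVE_LINKS:]


def forms_channel(local_mode, remote_mode):
    """Mode pairing from the negotiation mode table: 'on' sends no negotiation
    packets (so it only bundles with 'on'), 'passive' waits to be asked and
    'active' asks, so passive/passive never forms a channel."""
    for mode in (local_mode, remote_mode):
        if mode not in LACP_MODES:
            raise ValueError(f"unknown LACP mode {mode!r}")
    if local_mode == "on" or remote_mode == "on":
        return local_mode == remote_mode
    return "active" in (local_mode, remote_mode)


# Constructed sample: two distribution switches and a core switch given a lower
# (better) system priority; ten candidate ports, two of them with a lower port
# priority so they are chosen first.
SWITCHES = {
    "distA": (32768, "00:00:5e:00:53:01"),
    "distB": (32768, "00:00:5e:00:53:02"),
    "core": (4096, "00:00:5e:00:53:ff"),
}
CANDIDATES = [(f"Gi1/{n}", 32768, n) for n in range(1, 9)] + [("Gi1/9", 100, 9), ("Gi1/10", 200, 10)]

if __name__ == "__main__":
    print("deciding switch:", deciding_switch(SWITCHES))
    active, standby = select_active_ports(CANDIDATES)
    print("active :", active)
    print("standby:", standby)
```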

Etherchannel Status
LESSON 6 : SWITCH FUNCTIONING

Example 1:

Example 2:
Loops
In L3 networks multiple paths to a destination offer redundancy or load balancing
In L2 networks multiple paths to a destination create loops
In switching networks loops occur if a switch has multiple paths to another switch
This is the situation where a single frame propagates between switches multiple times, in various paths

Broadcast Storm
If a system broadcasts (or unknown unicast flooding occurs) in the looped network, a single frame goes to all the systems as multiple copies in various paths
It consumes switch processing cycles and memory
Finally network performance comes down
This situation is called a broadcast storm

Avoiding Loops
Ensure the switches have only one path to reach every other switch

Loop Prevention
Redundancy is required between switches to avoid network outages
Backup paths are required to achieve 100% network uptime
At the same time loops must be avoided
This can be done dynamically by the spanning tree protocol (STP)
STP automatically blocks some of the ports that are causing loops

9000235254 P. NAGABABU

This material is valid till 31
st
Nove
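The following simulation is an added example and not part of the course material. It models a single broadcast (or unknown-unicast) frame entering a constructed four-switch topology, once with every link forwarding (the loop) and once after STP has blocked three of the links (a tree). Every switch forwards each copy it receives out of all its forwarding links except the one it arrived on, exactly as the flooding rule above says, and the per-round copy counts show why a loop without STP becomes a broadcast storm while the tree finishes flooding after one round.

```python
from collections import Counter

def flood(links, source, rounds):
    """Simulate flooding of one broadcast / unknown-unicast frame.

    links:  iterable of (switch_a, switch_b) links that are in forwarding state
    source: switch where the frame first enters the network
    Returns the number of frame copies in flight at the start of each round.
    A switch forwards every copy it receives out of all its forwarding links
    except the one the copy arrived on; there is no TTL at layer 2."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    # (switch that holds a copy, neighbour it came from) -> number of copies
    in_flight = Counter((peer, source) for peer in adj.get(source, ()))
    history = []
    for _ in range(rounds):
        history.append(sum(in_flight.values()))
        nxt = Counter()
        for (sw, came_from), n in in_flight.items():
            for peer in adj[sw] - {came_from}:
                nxt[(peer, sw)] += n
        in_flight = nxt
    return history

# Constructed topologies (not the course figure): four switches A-D.
FULL_MESH = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"), ("C", "D")]
# The same switches after STP has blocked three links: a loop-free tree rooted at A.
TREE = [("A", "B"), ("A", "C"), ("A", "D")]

if __name__ == "__main__":
    print("looped :", flood(FULL_MESH, "A", 6))   # copies double every round
    print("tree   :", flood(TREE, "A", 6))        # flooding dies out after one round
```

In the mesh each copy spawns two new ones per round, so the count grows without bound; in a simple ring the count never grows but never reaches zero either, which is still a loop. Only the tree terminates.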
LESSON 7 : TRADITIONAL STP
BPDU
BPDU- Bridge Protocol Data Unit
STP operations are performed by exchanging BPDU messages between switches
By default BPDUs are sent every 2 seconds
A switch sends BPDU frames to other switches using its own MAC as source MAC and 01-80-c2-00-00-00 as
destination MAC
01-80-c2-00-00-00 is the STP multicast MAC address (for comparison, IP multicast MACs are 01-00-5e-00-00-00 to 01-00-5e-7f-ff-ff)
Two types of BPDU
o Configuration BPDU
Used for spanning tree computation
o TCN BPDU
Topology Change Notification BPDU
Used to announce changes in the network topology

CONFIGURATION BPDU

Bridge ID

STP Link Cost
In the STP process, each link is given a number called cost
Cost is used so that the slowest links, rather than the high speed links, are the ones blocked to remove loops
High speed links have low cost
To support high speed links, the STP cost standard was modified
The new STP cost is in use at present
Link Bandwidth   Old STP cost   New STP cost
4 Mbps           250            250
10 Mbps          100            100
16 Mbps          63             62
45 Mbps          22             39
100 Mbps         10             19
155 Mbps         6              14
622 Mbps         2              6
1 Gbps           1              4
10 Gbps          0              2

STP Terminology
BPDU   Bridge Protocol Data Unit   Fundamental message in the STP process
RB     Root Bridge                 Switch with the lowest Bridge ID
NRB    Non Root Bridge             Switches other than the RB
RP     Root Port                   Port on a NRB that has the best cost path to the RB. Goes to forwarding state
DP     Designated Port             Port on a LAN segment that has the best cost path to the RB. Goes to forwarding state
NDP    Non Designated Port         Port neither RP nor DP. Goes to blocking state (BLK)

STP Process
1. Electing Root Bridge
2. Electing Root Port per switch
3. Electing Designated Port per segment
4. Electing Non Designated Ports

Reference STP Topology for Analysis

This topology has multiple switches and multiple loops. The links have different speeds as shown in the figure.
STP can be explained using this physically looped topology. The result will be a logically loop-free topology
1. Electing Root Bridge
All ports on all switches are in blocking state initially
Every switch treats itself as Root Bridge when the STP process starts
Every switch sends BPDUs to the remaining switches
BPDUs carry Bridge ID information to select the root bridge
Finally only one switch, the one with the lowest Bridge ID, is elected as Root Bridge
If the priority is the same, the switch with the lowest MAC becomes Root Bridge

2. Electing Root Ports
A switch may have multiple paths to reach the root bridge
The port with the best (lowest) cost path to the RB is elected as Root Port
High speed ports have the best cost paths. Cost is inversely proportional to speed
Only one Root Port exists per switch. The Root Port goes to forwarding state
If there is a tie in selecting the RP, the link from the neighbour switch with the lowest Bridge ID is preferred
If there is still a tie, the Port ID is compared; the link from the neighbour's lowest Port ID is preferred
3. Electing Designated Port Per Segment
The port on the segment that has the best cost path to the RB is elected as Designated Port (DP)
Only one DP exists per segment (switch-to-switch link). The DP goes to forwarding state
All the ports on the Root Bridge are Designated Ports
If there is a tie in selecting the DP, the port on the switch with the lowest Bridge ID is preferred
If there is still a tie, the Port ID is compared; the port with the lowest Port ID is preferred
Tie Break: Lowest Root Bridge ID / Lowest root path cost / Lowest sender Bridge ID / Lowest sender Port ID

4. Electing Non-Designated Ports
A port that is neither RP nor DP becomes a Non Designated Port
A Non Designated Port goes to blocking state. A NDP is also called a Blocked port (BLK)
These ports have the chance to become active if an operational link fails
STP rebuilds the topology if something goes wrong with the active links
STP rebuilds the new topology by activating some blocked ports, ensuring a loop-free topology at all times
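The four steps above, carried out in code as an added example (this is not the course's own material and it uses a constructed four-switch topology, not the reference figure). Bridge IDs are compared as priority followed by MAC, root path costs use the new 802.1D cost table, and the Root Port and Designated Port tie-breaks follow the order given above: root path cost, then sender Bridge ID, then sender Port ID. The topology deliberately contains one slow 100 Mbps link and a pair of parallel 1 Gbps links between two switches, so that both the cost rule and the Port ID tie-break are exercised.

```python
import heapq
from collections import defaultdict

# Path cost per link speed (Mbps) from the 802.1D-1998 "new" cost table in this lesson.
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

def bridge_id(priority, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte MAC; compared as a whole, lowest wins."""
    return (priority, int(mac.replace(".", "").replace(":", "").replace("-", ""), 16))

def port_id(port_number, port_priority=128):
    """16-bit Port ID: 8-bit priority (default 128) followed by the 8-bit port number."""
    return (port_priority << 8) | port_number

def run_stp(switches, links):
    """Compute the 802.1D port roles for a small topology.

    switches: {name: (priority, mac)}
    links:    [(sw_a, port_a, sw_b, port_b, speed_mbps), ...]
    Returns (root_name, roles) with roles[(switch, port)] in {'RP', 'DP', 'NDP'}."""
    bid = {name: bridge_id(prio, mac) for name, (prio, mac) in switches.items()}
    root = min(bid, key=bid.get)                          # step 1: lowest Bridge ID

    adj = defaultdict(list)                               # switch -> [(port, peer, peer_port, cost)]
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, STP_COST[mbps]))
        adj[b].append((pb, a, pa, STP_COST[mbps]))

    # Root path cost of every switch: link costs summed along its cheapest path to the root.
    rpc = {name: float("inf") for name in switches}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for _port, peer, _peer_port, link_cost in adj[node]:
            if cost + link_cost < rpc[peer]:
                rpc[peer] = cost + link_cost
                heapq.heappush(heap, (rpc[peer], peer))

    roles = {}
    # Step 2: one Root Port per non-root switch. Candidates are ranked by
    # (cost to root through the port, sender Bridge ID, sender Port ID); lowest wins.
    for name in switches:
        if name == root:
            continue
        best = min(adj[name], key=lambda e: (rpc[e[1]] + e[3], bid[e[1]], port_id(e[2])))
        roles[(name, best[0])] = "RP"

    # Step 3: one Designated Port per segment, ranked by (root path cost, Bridge ID,
    # Port ID) of the two ends. Step 4: whatever is left over is Non Designated (blocked).
    for a, pa, b, pb, _mbps in links:
        key_a = (rpc[a], bid[a], port_id(pa))
        key_b = (rpc[b], bid[b], port_id(pb))
        dp, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[dp] = "DP"
        roles.setdefault(other, "NDP")
    return root, roles

def blocked_ports(roles):
    """Ports STP puts into blocking state, as sorted (switch, port) pairs."""
    return sorted(p for p, role in roles.items() if role == "NDP")

# Constructed topology (not the course figure). Every switch keeps the default
# priority 32768, so the lowest MAC wins the root election.
SWITCHES = {
    "SW1": (32768, "0000.0000.1111"),
    "SW2": (32768, "0000.0000.2222"),
    "SW3": (32768, "0000.0000.3333"),
    "SW4": (32768, "0000.0000.4444"),
}
LINKS = [
    ("SW1", 1, "SW2", 1, 100),     # slow link, cost 19
    ("SW1", 2, "SW3", 1, 1000),    # cost 4
    ("SW2", 2, "SW3", 2, 1000),    # cost 4
    ("SW3", 3, "SW4", 1, 1000),    # parallel links SW3-SW4: same cost and same sender
    ("SW3", 4, "SW4", 2, 1000),    # Bridge ID, so the sender Port ID breaks the tie
]

if __name__ == "__main__":
    root, roles = run_stp(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"  {sw} port {port}: {role}")
    print("blocked:", blocked_ports(roles))
```

With these inputs SW1 is root, SW2 reaches it more cheaply through SW3 (4 + 4) than over its direct 100 Mbps link (19), so the slow link is the one that ends up blocked on SW2's side, and SW4 keeps the link to SW3's lower-numbered port. Lowering one switch's priority, as Lesson 8 describes, changes the root and therefore which ports block.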
STP Physical and Logical topologies

STP States
To participate in STP, each switch port progresses through 5 states
Disabled
Blocking
Listening
Learning
Forwarding

Disabled
The Disabled state is the shutdown state and is not a part of the normal STP progression

Blocking
When a port initializes, it begins in the blocking state so that no loops can form
The port is allowed only to receive BPDUs
The ports that are put into standby mode to remove a loop enter the blocking state

Listening
A port is moved from Blocking to Listening if the switch thinks that the port can be selected as a root port or
designated port
In the listening state the port is allowed to send/receive BPDUs
If the port loses its RP or DP status in the STP process, it returns to the blocking state
The port stays in the Listening state for 15 sec, the forward delay

Learning
After the forward delay (15 sec) in the listening state, the port is moved to the learning state
The port can send/receive BPDUs and learns MAC addresses to add them to the MAT
The port stays in the Learning state for 15 sec, the forward delay

Forwarding
After the forward delay (15 sec) in the learning state, the port is moved to the forwarding state
Only RPs and DPs are moved to the forwarding state
The port can send/receive BPDUs, learn MACs and send/receive data
Now the port is a fully functioning switch port in the STP topology
STP States
STP State    Port properties                                   Duration
Disabled     Shutdown                                          -
Blocking     Receive BPDUs                                     Indefinite if loop has been detected (20 seconds)
Listening    Send & Receive BPDUs                              Forward delay (15 seconds)
Learning     Send & Receive BPDUs - Learn MAC addresses        Forward delay (15 seconds)
Forwarding   Send & Receive BPDUs - Learn MAC addresses -      Indefinite as long as port is up and loop is not detected
             Send & Receive data

STP Timers
STP uses three timers to make sure that a network converges properly before a bridging loop can form
The STP timers give the switches time to receive network changes
STP three timers
o Hello Time
The time interval between configuration BPDUs sent by the Root Bridge
IEEE 802.1D standard default Hello time is 2 sec
o Forward delay
The time a port spends in each of the Listening and Learning states
Default is 15 sec
o Maximum Age
The time interval that a switch stores a BPDU before discarding it
In the STP process every switch keeps a copy of the best BPDU it learned
The BPDU ages out if the switch loses contact with the BPDU's source
The default Max age time is 20 sec

The default STP timers are designed based on a reference model of an L2 network with a 7-switch diameter
including the Root Bridge (as shown in the above diagram)
STP timers can be changed from their default values
But careful network consideration is required to change the values
STP default timers work efficiently most of the time
The switch diameter (default 7) can be configured on the root switch
In this case the root bridge calculates new values for all three timers automatically, which gives the best results for
large networks

Timer          Function                                            Default Value
Hello          Interval between configuration BPDUs                2 seconds
Forward delay  Time spent in Listening, Learning states            15 seconds
Max Age        The time a BPDU is stored without receiving an update   20 seconds

TCN BPDU
TCN BPDU- Topology Change Notification BPDU
Used to announce a change in the active network topology
A TCN BPDU does not carry any data, it only signals that the topology changed

Topology Changes
A topology change occurs when a switchport goes down or up (goes to forwarding state or blocking state)
A switch sends a TCN BPDU out of its RP if it notices a topology change
Switches keep on sending the TCN BPDU until an acknowledgment is received
Finally the TCN BPDU reaches the Root Bridge
The Root Bridge then sets the TC flag in its Configuration BPDU and sends it to all switches

All switches receive this configuration BPDU, understand that the topology changed and shorten their MAT aging time
to the forward delay (15 sec); the default aging time is 300 sec
Flushing stale MAT entries prevents frames from being forwarded out of a port that is no longer on the active path;
the switch floods and relearns the addresses on the new topology
The Root Bridge keeps the TC flag set for 35 sec (forward delay 15 + Max age 20); systems actively communicating during this
time stay in the MAT, idle entries age out after 15 sec

If a system connected to a switchport goes down, that also generates a TCN BPDU, which floods through the network
and finally causes the switches to flush their MATs
To avoid these undesired situations, the spanning-tree PortFast feature can be used on switch ports where
end devices are connected

3 Types of STP

STP Type   Function
CST        Common Spanning Tree. One instance of STP, over the native vlan. IEEE 802.1Q based
PVST       Per-VLAN Spanning Tree. One instance of STP per vlan. Cisco ISL based
PVST+      Per-VLAN Spanning Tree plus. Provides interoperability between CST and PVST. Operates over both 802.1Q and ISL
LESSON 8 : STP CONFIGURATION
STP Configuration
By default, STP is enabled for all active VLANs and on all ports of a switch

Inefficient Root Bridge Election

STP has elected the RB with the default procedure and blocked high speed links, which resulted in a poorly converged STP network

STP is fully automatic and converges the STP topology in the best way most of the time
In some networks, STP may elect a slower switch as Root Bridge
This leads to slow STP convergence and poor performance
In this case the Root Bridge can be configured statically
The method to elect a specific switch as root bridge is to change its default priority 32768 to a lower value

Root Bridge Configuration
Two formats to configure the STP Bridge ID
o Traditional 802.1D bridge priority value (16 bits), followed by a unique switch MAC address for the vlan
o 802.1t extended system id (4-bit priority multiplier x 4096 + 12-bit vlan id), followed by a non-unique
switch MAC address for the vlan
With the extended system id the priority can only be set to a multiple of 4096 (0, 4096, ... 61440)
If the switch supports 1024 unique MAC addresses for its own use, the traditional method is enabled by default
If the switch cannot support 1024 unique MAC addresses for its own use, the extended system id is enabled by
default

Root Path Cost Configuration

Port ID

Port ID is a 16-bit quantity
8 bits for port priority and 8 bits for port number
By default Port priority is 128 (range: 0-255)
Port number range is 0-255 and represents the port's actual physical mapping
STP Timers

Methods that allow faster STP convergence in the event of a link failure
PortFast
Allows fast connectivity to be established on access-layer switchports to hosts
UplinkFast
Enables fast uplink failover on an access-layer switch when dual uplinks are connected to distribution-layer switches
BackboneFast
Enables fast convergence in the network backbone (core) after a spanning-tree topology change occurs

PortFast
Because of spanning-tree convergence, a port initialization delay can be up to 50 sec
(20 sec PAgP negotiation + 15 sec Listening state + 15 sec Learning state)
The ports connected to end user devices need not follow STP convergence and timers, as loops do not occur
at these ports
With the PortFast feature the port is immediately moved to the forwarding state, skipping the forward-delay timers
PortFast does not stop the port from sending or receiving BPDUs, which is why it is paired with BPDU guard (Lesson 9)

UplinkFast

If an access-layer switch is connected to two distribution switches with two uplinks, one uplink is in forwarding
state and the second is in blocking state
If the primary goes down, STP takes 50 sec to converge
But with the UplinkFast feature, the secondary uplink immediately comes up without waiting for the STP timers
UplinkFast works by keeping track of the possible paths to the root bridge
This feature is not allowed on the root bridge

The UplinkFast feature provides a facility for upstream switches to learn MAC addresses on the new uplink by
sending dummy multicast packets
These packets contain the CAM table addresses as source MAC and 0100.0ccd.cdcd as destination
These multicast frames are sent out at a rate specified by the max-update-rate parameter
The default is 150 packets per second. Range is 0-65535 pps
No dummy multicast packets are sent if the value is set to 0 pps
BackboneFast

BackboneFast works by having a switch actively determine whether alternative paths to the root bridge exist, in
case the switch detects an indirect link failure (a link not connected directly to it)
A switch detects an indirect link failure when it receives an inferior BPDU
An inferior BPDU is generated by a designated bridge announcing itself as the new root, if it has lost connectivity with the root
bridge
Normally a switch waits for the max age time before responding to an inferior BPDU
BackboneFast instead begins immediately to determine whether other alternate paths to the root bridge exist
If the inferior BPDU is received on a BLK port, the switch considers its RP and other BLK ports as alternate paths to the Root
Bridge
If the inferior BPDU is received on the RP itself, the switch considers all BLK ports as alternate paths to the Root Bridge
If the inferior BPDU is received on the RP and there are no BLK ports on the switch, BackboneFast allows the switch to
become the Root Bridge before the max age timer expires
BackboneFast uses the Root Link Query (RLQ) protocol to see if upstream switches have stable connections to the
root bridge
RLQ requests and RLQ replies are sent between switches
BackboneFast operates by shortening the Max age timer when needed
BackboneFast can reduce the maximum convergence delay only from 50 sec to 30 sec
STP Verification

LESSON 9 : PROTECT STP

Switch ports are assigned with specific roles after STP convergence
Root Port
Designated Port
Blocking Port
Alternate Port
Forwarding Port Ports where no STP activity is running. Ports with end user devices

Rogue Route Bridge
If a rogue switch with lowest Bridge ID is joined in the network by mistake,
It will be elected as RB and try to converge the network, which is an undesired situation
To prevent a switch to become RB, two features can be used on switchports
o Root guard
prevents a switch to become RB by not considering superior BPDUs
Can receive legitimate BPDUs
o BPDU guard
Prevents all BPDUs on a switchport that effect Root Bridge
Root Guard
If root guard is enabled on a switchport and if it receives superior BPDU,
become the root
As long as the superior BPDUs are being received on the
state
No data can be sent or received in that state, but can listen to BPDUs received
Root guard enabled port is used to forward or relay BPDU, not to receive BPDU
By default root guard is disabled on all switchports
It can be enabled only on per-port basis
Root guard should be used only on the ports where root bridge is not expected


BPDU Guard
LESSON 9 : PROTECT STP
Switch ports are assigned with specific roles after STP convergence

o Root Port : Port on a switch that has best cost path to RB
o Designated Port : Port on a LAN segment that has best cost path to RB
o Non-designated Port : Port neither RP nor DP
o Alternate Port : Ports that are candidate Root Ports but in blocking state. Used by STP uplink fast feature for fast convergence
o Ports with end user devices : Ports where no STP activity is running

Root guard
If a rogue switch with lowest Bridge ID is joined in the network by mistake, it will be elected as RB and try to converge the network, which is an undesired situation
To prevent a switch from becoming RB, two features can be used on switchports
o Root guard : prevents a switch from becoming RB by not considering superior BPDUs. Can receive legitimate BPDUs
o BPDU guard : prevents all BPDUs on a switchport that affect Root Bridge
If root guard is enabled on a switchport and if it receives superior BPDU, it will not allow the new switch to
As long as the superior BPDUs are being received on the port, the port will be kept in root-inconsistent STP
No data can be sent or received in that state, but can listen to BPDUs received
Root guard enabled port is used to forward or relay BPDU, not to receive BPDU
By default root guard is disabled on all switchports
Enabled on a per port basis
Root guard should be used only on the ports where root bridge is not expected

BPDU guard
If the port is access port and port fast is enabled, normally BPDUs are not expected
If a rogue switch with lowest Bridge ID is connected to a switchport by mistake and sends BPDUs, it will try to converge the network, which is undesired
BPDU guard is used to prevent all BPDUs on switchport that affect RB
The BPDU guard enabled port will be put into errdisable state if it receives BPDU
By default, BPDU guard is disabled on all switchports
BPDU guard should be used only on the ports where port fast is enabled
BPDU guard should not be enabled on the ports where uplinks are connected, which could receive legitimate BPDUs

Loss of BPDUs
If BPDUs are not received in a timely manner, timers expire and STP tries to converge the topology, even though there is no topology change
To prevent unexpected loss of BPDUs, two features can be used
o Loop guard
o UDLD

Loop guard
BPDUs may be blocked some times, even though there are no changes in the network
STP tries to activate NDP, creating loops
Loop guard can be used to prevent unexpected loss of BPDUs
If loop guard is enabled on a port, it keeps track of the BPDU activity on NDPs
If BPDUs are missed, the port is moved to loop inconsistent state
The port is effectively blocking at this point to keep it in NDP, no further loops
When BPDUs are received on the port again, the port is moved through normal STP states
By default loop guard is disabled on all switchports

UDLD
UDLD : Uni directional link detection
o Unidirectional link : the link transfers the data only in one way
o Bidirectional link : the link transfers the data in both directions
In campus network all the switches use bidirectional links
Sometimes they become unidirectional links because of physical layer problems
Uni directional link problems occur mostly at fiber optic media ports (GBIC, SFP)
If the link is unidirectional, BPDUs pass only in one direction, the other end can't receive the BPDUs, STP timers expire
This leads to activating NDPs, causing loops because the link is not really down
UDLD is used to detect these unidirectional links
This is a cisco proprietary solution

UDLD should be enabled on both ports of a link
Port sends special L2 UDLD frames and expects the far-end switch to echo those frames
If echo frames are received, the link is bidirectional, otherwise unidirectional
UDLD frames are sent every 15 seconds by default
UDLD link detection time should be less than STP convergence time, so that the unidirectional link is detected before STP moves an NDP to forwarding and a loop forms
STP takes 50 seconds time to move an NDP to forwarding state (20sec Max age + 15sec listening + 15sec forwarding)
UDLD takes 45 seconds (3 times UDLD interval) time to detect unidirectional link

UDLD has two modes of operation
o Normal Mode
When unidirectional condition is detected, the port is allowed to continue its operation
The port is marked as undetermined state and generates a syslog message
o Aggressive Mode
When unidirectional condition is detected, the switch takes action to re-establish link
This time UDLD messages are sent out once a second for 8 seconds
If no echos are received, the port is put in errdisable state, it can't be used
When UDLD is configured for the first time on the link, it will not disable the link before the far-end is configured. It indefinitely waits for the neighbor to be configured
In Etherchannel bundle, if one physical link is found as unidirectional, UDLD disables only that link, not the entire channel
BPDU Filtering
BPDU filtering feature is used to filter BPDUs on switchports
Switchports with BPDU filtering enabled can not send or receive BPDUs
BPDU filtering can be enabled on switchports where there is no chance for loops
The ports with end user devices connected are eligible for BPDU filtering
This feature is disabled on all switchports, by default

STP Protection Verification

STP Protection features
Root guard : Apply to ports where root is never expected
BPDU guard : Apply to all user ports where Port fast is enabled
Loop guard : Apply to non designated ports (can be applied to all ports also)
UDLD : Apply to all fiber-optic links between switches (must be enabled on both ends)

STP Protection features combinations
Permissible combinations on a switchport
o Loop guard and UDLD
o Root guard and UDLD
Not Permissible combinations on a switchport
o Root guard and loop guard
o Root guard and BPDU guard
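The notes above describe each STP protection feature and where it belongs, but the configuration screenshots did not survive. The following Cisco IOS configuration is an added example and not part of the original material: it places every feature according to the placement and combination rules listed above, on a distribution switch (the intended root) and an access switch. Interface numbers, VLAN 10 and the 300-second errdisable recovery interval are assumed values.

```cisco
! ===== Distribution switch (intended root bridge) =====
! Make this switch root for every VLAN, then protect that role with root
! guard on the downlinks: a superior BPDU from an access switch puts the
! downlink into root-inconsistent state instead of moving the root.
spanning-tree vlan 1-4094 root primary
!
interface range GigabitEthernet0/1 - 2
 description downlink to access switch (fiber)
 switchport mode trunk
 spanning-tree guard root
 udld port aggressive
!
! ===== Access switch =====
! Global defaults: BPDU guard on every port-fast port, loop guard on every
! non-designated port, UDLD aggressive on every fiber port.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
!
! Let errdisabled ports come back by themselves after 300 seconds (assumed
! interval) so one stray BPDU does not need a manual shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! User ports: port fast plus BPDU guard. Root guard is deliberately NOT
! added here: root guard with BPDU guard is not a permissible combination.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fiber uplinks: loop guard plus UDLD (a permissible combination). Root
! guard does not belong here, because the root bridge IS expected upstream.
interface range GigabitEthernet0/1 - 2
 description uplink to distribution (fiber)
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! ===== Verification (either switch) =====
! show spanning-tree summary: which guards are active by default
! show spanning-tree inconsistentports: root- and loop-inconsistent ports
! show udld neighbors: per-link bidirectional state
! show interfaces status err-disabled: ports shut by BPDU guard or UDLD
show spanning-tree summary
show spanning-tree inconsistentports
show udld neighbors
show interfaces status err-disabled
show errdisable recovery
```

BPDU filtering is left out on purpose: a port configured with spanning-tree bpdufilter enable stops processing BPDUs altogether, so BPDU guard on the same port would never trigger. The per-interface commands on the user ports and uplinks repeat what the global defaults already do; keeping them explicit makes the running configuration show the intent on each port.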
LESSON 10 : ADVANCED STP

RSTP
RSTP : Rapid Spanning Tree Protocol
Typically STP takes 30 seconds to 50 seconds time for topology change
In production networks it has become unbearable time
RSTP uses STP's principle concepts and makes the resulting convergence much faster
IEEE 802.1W standard
As with 802.1D (STP), RSTP's basic functionality can be applied as single instance or multiple instances
RSTP is only the underlying mechanism
It can't be implemented as an individual
It can be implemented with PVST+ resulting in RPVST+
RSTP is used as a part of MST (IEEE 802.1S)

RSTP Port Roles
Root Bridge is elected in the same manner as with STP (lowest bridge id)
In RSTP, each switch interacts with its neighbors through each port. The interactive process is performed based on port role

o Root Port
The port on each switch that has best cost path to RB (same as STP)
o Designated Port
The port on network segment that has best cost path to RB (same as STP)
o Alternate Port
Standby Root Port
The port that has alternate path to RB (second best path)
o Backup Port
Standby Designated Port
The port on network segment that has alternate path to RB (second best path)

STP port roles               RSTP port roles
Root Port                    Root Port
Designated Port              Designated Port (P2P)
Alternate Port (uplinkfast)  Alternate Port
-                            Backup Port
Blocking                     Discarding

RSTP Port States
RSTP has 3 port states : Discarding, Learning, Forwarding
A port role can have one of these states
o Discarding
Incoming frames are dropped, no MACs are learned
Combines disable, blocked, listening states of 802.1D
o Learning
Incoming frames are dropped, but MACs are learned
o Forwarding
Incoming frames are forwarded, MACs are learned

STP port states   RSTP port states
Disable           Discarding
Blocked           Discarding
Listening         Discarding
Learning          Learning
Forwarding        Forwarding

RSTP BPDU
RSTP uses the 802.1D BPDU format for backward compatibility
Some unused bits in the Message type field are used (interactive process)
BPDU version set to 2 (802.1D BPDU version 0)
BPDUs are sent out every switchport at hello time intervals, regardless of RB BPDUs
Any switch anywhere in the network can play an active role in maintaining the topology
Switches expect BPDUs from neighbors
Neighbor is assumed to be down if three consecutive BPDUs are missed (6sec default)
If neighbor is down, all information related to the port connected to neighbor is aged out
RSTP BPDUs can co-exist with 802.1D BPDUs
Switches can differentiate BPDUs with the help of version information

RSTP Convergence
RSTP convergence is a two stage process
o Common root bridge election
o STP domain : switch ports move from discarding to appropriate state to prevent loops

RSTP Port types
RSTP has three types of ports
o Edge Port
The port where single host is connected, BPDUs are never expected
If switch receives BPDU on edge port, the port loses its edge port status
o Root Port
The port with best cost path to RB, goes to forwarding state
o Point to Point Port (P2P)
Port that connects to another switch and becomes DP
P2P ports are decided with quick handshake between switches by exchanging proposal and agreement messages
RSTP Point to Point Links
Point to point links are automatically determined by the duplex mode in use
Full duplex ports are considered point to point (only two ports on the link)
Half duplex ports are considered shared medium and 802.1D convergence method is used in this case
RSTP handles the complete STP convergence of the network as a propagation of handshakes over point to point links
When a switch needs to make STP decision, a handshake is made with the nearest neighbor and so on, over the point to point links of the entire network

Synchronization
To participate in RSTP convergence, all the port states must be decided
Non-edge ports begin in discarding state
After BPDU exchange between neighbor switches, RB can be identified
If a port receives a superior BPDU from a neighbor, that port becomes the RP
For each non-edge port, the switch exchanges a proposal-agreement handshake to decide port states of links at each end
Because of RSTP problems or non-P2P link issues, if a port fails to send agreement message, 802.1D convergence will occur on the link, that is moving the port through blocked, listening, learning and forwarding

Topology Changes
RSTP detects a topology change only when a non-edge port transitions to forwarding state
When a topology change is detected, BPDUs with TC bit set are sent out all of the non-edge designated ports
Switch propagates TC message (topology change) to other switches in the network so that they can correct their MATs

RSTP Configuration

RAPID PVST
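The RSTP Configuration and RAPID PVST sections above lost their screenshots. The following Cisco IOS configuration is an added example, not from the original material, showing the commands the RSTP notes rely on: the rapid-pvst mode, a per-VLAN root, a point-to-point link and an edge port. VLANs 10 and 20 and the interface numbers are assumed values.

```cisco
! Added example: Rapid PVST+ must be enabled on every switch that should
! take part in the proposal/agreement handshake. A port whose neighbor
! never sends the agreement falls back to 802.1D convergence on that link.
spanning-tree mode rapid-pvst
!
! Rapid PVST+ runs one RSTP instance per VLAN, so the root is chosen per
! VLAN (VLANs 10 and 20 are assumed values; configure this on the intended
! root only).
spanning-tree vlan 10,20 root primary
!
! Switch-to-switch trunk. A full-duplex port is already treated as
! point-to-point; forcing the link type is only needed where the duplex
! setting does not match the real topology.
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree link-type point-to-point
!
! Host port: an edge port. It forwards immediately and its transition to
! forwarding is not counted as a topology change; a received BPDU makes
! the port lose its edge status.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Verification: the header should read "Spanning tree enabled protocol
! rstp", and standby ports show roles such as Altn (alternate) and
! Back (backup) instead of a plain blocking port.
show spanning-tree vlan 10
show spanning-tree interface GigabitEthernet0/1 detail
```

The detail output for the trunk shows whether the link was classified as point-to-point or shared; a shared classification on a link that is really a two-switch fiber or copper run is the first thing to check when convergence takes 30 to 50 seconds instead of a few.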
MST Multiple Spanning Tree
IEEE 802.1S standard

CST-PVST-MST comparisons

CST : common spanning tree
o Only one instance of STP is used for all vlans
o If 500 vlans exist in the network, only one STP instance runs
o Less overhead on the switch
o No load balancing : the instance uses only one link, remaining links are blocked

PVST+ : Per vlan spanning tree
o One instance of STP is used for each active vlan
o If 500 vlans exist in the network, 500 STP instances run
o More overhead on the switch
o Load balancing : every instance can use one of the available links

MST : Multiple Spanning Tree
o Multiple instances of STP are used
o If 500 vlans exist in the network, a set of vlans is allowed on every instance
o Less overhead on the switch
o Load balancing : every instance can use one of the available links

STP Topologies

MST works by mapping one or more vlans to a single STP instance
MST implementation includes
o Identifying the number of STP instances needed to support desired topologies
o Mapping a set of Vlans to each instance
MST Region
MST regions are created to manage MST operations
MST attributes
o MST configuration name (32 characters)
o MST config revision number (0 to 65535)
o MST instance to vlan mapping table (4096 entries)
MST attributes must match on all switches to belong to same region. If not, they belong to different independent regions
MST attributes are exchanged between switches with MST BPDUs

IST
IST : Internal spanning tree
MST can interoperate with all other forms of STP
In MST region, IST is an instance that presents entire region as a virtual bridge to CST
BPDUs are exchanged at the region boundary only over the native vlan
IST is called as MST Instance 0

MST Instances
MST instances exist within the MST region
Vlan sets are mapped to MST instances
Cisco supports 16 MSTIs in each region
IST always exists as MSTI number 0
By default all the vlans are mapped to IST
Only IST (MSTI 0) sends and receives MST BPDUs
Only one BPDU is needed to carry all MSTI information
Other MSTI information is appended to BPDUs as M-record
Other MST regions can be combined with IST only at region boundary
MSTP Configuration

Switch can't run both PVST+ and MST at same
Switch can be configured to use
o PVST+ (spanning-tree mode pvst) or
o RPVST+ (spanning-tree mode rapid-pvst) or
o MST (spanning-tree mode mst)
If MST is configured on the switch, RSTP mechanism is applied by default
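The MSTP Configuration section above names the mode command but its configuration screenshots are missing. The following Cisco IOS configuration is an added example, not from the original material: it builds one region with two instances and splits the VLANs between them so that both uplinks are used, as the MST Region and MST Instances notes describe. The region name CAMPUS, revision 1, the VLAN numbers, the priorities and the interface number are assumed values.

```cisco
! Added example: one MST region named CAMPUS with two instances. Name,
! revision and the instance-to-VLAN map must be identical on every switch
! of the region; a switch that differs in any of them forms a region of
! its own.
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 10,20,30
 instance 2 vlan 40,50,60
 exit
!
! VLANs not listed above (including the native VLAN) remain in the IST,
! instance 0, which is the only instance that exchanges BPDUs with the
! rest of the network.
! Distribution switch A: root for instance 1, backup root for instance 2
! (priorities are assumed values; lower wins).
spanning-tree mst 0 priority 24576
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
! Distribution switch B (not shown) swaps the instance 1 / instance 2
! priorities, so each uplink carries half the VLANs and both stay in use.
!
! Verification: region name, revision and map, then per-instance topology.
show spanning-tree mst configuration
show spanning-tree mst 1
show spanning-tree mst interface GigabitEthernet0/1
```

The map is applied when exit leaves the mst configuration submode. The revision number is not incremented for you: after changing the VLAN map, change the revision in the same way on every switch of the region, otherwise the switch you edited first ends up in a region of its own until the rest catch up.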
LESSON 11: MLS

Intervlan Routing
Communication between different vlans is called inter vlan routing
Intervlan routing is possible only with L3 capable device

Inter VLAN routing methods
o Connect access links to router interfaces
o Router on a stick (switch trunk port to router)
o Multi Layer Switching

MultiLayer Switch
Multilayer switch can perform both L2 switching and L3 routing
L2 switching occurs between interfaces (switch ports) that are assigned to L2 Vlans or L2 trunks
L3 routing can occur between L3 interfaces (non switch ports or SVI) that have been configured with L3 address
MLS has two types of L3 interfaces
o L3 Port
Physical port with L3 functionality enabled (no switchport configuration)
By default, all the ports are L2 ports (most of the platforms)
6500 ports are L3 ports by default
o SVI
Switched virtual interface
Logical L3 interface that represents entire vlan
This becomes default gateway for all hosts in that vlan

All L3 interfaces (SVI and L3 physical ports) can be configured with IP addresses

MLS Configuration

CEF : Cisco Express Forwarding
In first generation of MLS netflow switching was used
In second generation of MLS, CEF is introduced
CEF feature allows high-performance packet forwarding through the use of dynamic lookup tables

Switch platforms that perform CEF in hardware
o Catalyst 6500 supervisor 720 (with an integrated MSFC3)
o Catalyst 6500 supervisor 2/ MSFC2 combination
o Catalyst 4500 Supervisor 3,4 and 5
o Fixed switches 3750,3560,3550,2950
CEF runs by default (ip routing)

CEF Packet Flow

CEF Verification


CEF Punt Packets
CEF can forward most of the IP packets
Some packets can't be forwarded by CEF, then they are marked as CEF Punt and sent to L3 engine for further processing
CEF punt packets are
o Entry can't be located in FIB
o FIB table is full
o IP TTL has expired
o MTU is exceeded, fragmentation needed
o Encapsulation type not supported
o ICMP redirect is involved
o Packets tunneled, compression or encryption operation
o ACL with log option is triggered
o NAT operations triggered

CEF Techniques
CEF operations can be handled on a single hardware platform (3560,3750)
CEF can be optimized through the use of specialized forwarding hardware, using CEF techniques
There are two types of CEF Techniques
o Accelerated CEF (aCEF)
L3 forwarding Engines don't have self-contained FIB
Every L3 forwarding Engine can have a part of FIB
FIB is downloaded when it is required
FIB is accelerated on L3 Engines
o Distributed CEF (dCEF)
L3 forwarding Engines have self-contained FIB
FIB is replicated on all L3 forwarding Engines
Provides greater performance

Adjacency Table
For each entry FIB contains Next-hop L3 address
FIB also contains L2 information for every next-hop entry. This part of FIB is called adjacency table
Adjacency table consists of MAC addresses of nodes that can be reached in single L2 hop
Adjacency table information is built from the ARP table
Adjacency table is updated when next-hop receives a valid ARP entry
If an ARP entry doesn't exist, FIB entry is marked as CEF glean
In CEF glean state, FIB hardware can't forward those packets until ARP addresses are resolved
L3 engine sends ARP request every two seconds until it gets resolved. This is called ARP throttling or throttling adjacency
After ARP resolution, FIB adjacency is updated, to forward the packets in FIB hardware

Adjacency Table Verification

Adjacency Entries
Adjacency entry types
o Null adjacency
The packets destined for the null interface
o Drop adjacency
The packets that can't be forwarded, because of encapsulation failure, unresolved address, unsupported protocol, no routing information, checksum error etc
o Discard adjacency
The packets discarded because of ACL or other policy action
o Punt adjacency
The packets must be sent to L3 engine for further processing
L3 Packet Rewrite
Multi Layer Switches have an additional functional block, L3 rewrite, that changes L3 packet contents before forwarding
The frame/packet fields changed by L3 rewrite are
L2 destination address : changed to next-hop device's MAC address
L2 source address : changed to outbound L3 interface's MAC address
L3 IP TTL : decremented by one, crossed one L3 hop
L3 IP checksum : recalculated as L3 fields are modified
L2 frame checksum : recalculated as L2 fields are modified

CEF Configuration
CEF is enabled on all CEF capable switches by default
6500 switches run CEF by default, can never be disabled (sup 720-integrated MSFC3 or sup 2-MSFC2)
3750, 4500 switches run CEF by default, but can be disabled per interface basis

MultiLayer Switch Verification

DHCP Process
MLS can function like a DHCP server
It can relay DHCP broadcast messages as Unicast messages to specified IP address

DHCP Configuration






P. NAGABABU NAGACISCO@GMAIL.COM
ovember 2011. New material is available on 1
st
Decem

9553.9553.07
cember 2011 67 | P a g e



9000235254 P. NAGABABU

This material is valid till 31
st
Nove
LESSON 12: CAMPUS NETWORK DESIGN

Network Design
If a large number of systems exist in a broadcast domain, a single broadcast message spreads across the entire network
Every system processes the incoming frames, which degrades network performance
Routers and VLANs break broadcast domains
Cisco suggests there should be no more than 254 computers in a broadcast domain
Limiting the systems in a broadcast domain improves network performance
Network segmentation should be done to enhance network performance
Network segmentation can be done by using VLANs in the network
Routers and L3 switches can be used to route the traffic between network segments

Broadcast Domains No VLANs

Broadcast Domains With VLANs

Network Hierarchy

Two Layer Network Hierarchy

Three Layer Network Hierarchy

Service Type   Location of Service              Extent of Traffic Flow
Local          Same segment/VLAN as user        Access layer only
Remote         Different segment/VLAN as user   Access to distribution layers
Enterprise     Central to all campus users      Access to distribution to core layers

Three Layer Network Hierarchy - Comparisons

Access Layer
End-user connectivity
VLAN membership
Low cost per switch port
High port density
Scalable uplinks to higher layers
User access functions such as VLAN membership, traffic and protocol filtering
Resiliency through multiple uplinks

Distribution Layer
Inter-VLAN routing
Traffic policies, ACL, QoS
Aggregation of multiple access-layer devices
High Layer 3 throughput for packet handling
Security and policy-based connectivity through ACLs
QoS features
Scalable and resilient high-speed links to the core and access layers

Core Layer
High performance switching
Backbone connectivity
Very high throughput at Layer 3
No unnecessary packet manipulations
No ACL or packet filtering
Redundancy and resiliency for high availability
Advanced QoS functions

Modular Network Design

Fully Redundant Network

Disorganized Networks

Organized Networks

Switch Block and Core Block

Switch Block
A switch block is a set of distribution switches and their accompanying access-layer switches
Typically 2 distribution switches are placed in a switch block
Switch blocks contain a balanced mix of Layer 2 and Layer 3 functionality
VLANs should not extend beyond the switch block
Broadcasts should not propagate from the switch block to the core block
STP is confined to each switch block (STP boundary)
Typically 2000 users can be placed in a switch block

Switch Block Sizing
Switch block size depends on
Traffic types and patterns
L3 switching capacity at the distribution layer
Number of users connected to access-layer switches (typically <2000 users)
VLAN boundaries and subnets
Size of STP domains

Large Switch Blocks
The problems with large switch blocks
The routing at the distribution layer becomes a traffic bottleneck
Intensive CPU processing because of inter-VLAN routing, ACLs, policing
Broadcast and multicast traffic slows the switches in the switch block

Switch Block Designs

Core Block
The core block connects two or more switch blocks in a campus network
The links from distribution to core are L3 links
The core block is meant for high-speed connectivity between switch blocks
The links between core switches should be good enough to carry the aggregated data
GEC or 10GbEC can be used to aggregate the traffic
Two core block designs
o Collapsed core
o Dual core

Collapsed Core
Collapsed core design can be used for smaller campus networks

Dual Core Design
Dual core design can be used for larger campus networks

Dual core design connects two or more switch blocks with redundancy
The core is scalable with more switch blocks
This design uses two identical switches at the core block
The core block should be ready to handle 100% of the traffic from the switch blocks
Switch blocks are connected to the core block with L3 links, so bridging loops will not occur
Multiple L3 links can offer redundancy and load balancing
The VLANs will not extend to the core layer
This is the most versatile design for enterprise campus networks

LESSON 13: L3 AVAILABILITY

Packet Forwarding Examples

Example 1: Data flow from 192.168.6.1 to 192.168.6.2
192.168.6.1 sends a broadcast ARP request to learn the DMAC
o SIP-192.168.6.1, DIP-192.168.6.2, SMAC-1111.1111.1111, DMAC-?
192.168.6.2 sends a unicast ARP reply
o SIP-192.168.6.2, DIP-192.168.6.1, SMAC-2222.2222.2222, DMAC-1111.1111.1111
Now 192.168.6.1 is aware of the DMAC
Now 192.168.6.1 can send data to 192.168.6.2, because it has SMAC, DMAC, SIP, DIP information
ARP requests and replies are sent to resolve the MAC address for an IP address

Example 2: Data flow from 192.168.6.1 to 10.0.0.2
192.168.6.1 sends a broadcast ARP request to learn the DMAC of the gateway
o SIP-192.168.6.1, DIP-192.168.6.100, SMAC-1111.1111.1111, DMAC-?
192.168.6.100 sends a unicast ARP reply
o SIP-192.168.6.100, DIP-192.168.6.1, SMAC-3333.3333.3333, DMAC-1111.1111.1111
Now 192.168.6.1 is aware of the DMAC
Now 192.168.6.1 can send data to the default gateway, because it has SMAC, DMAC, SIP, DIP information
The router then checks the routing table and finds the exit interface to the destination
Now the router (10.0.0.100) sends a broadcast ARP request to learn the DMAC
o SIP-10.0.0.100, DIP-10.0.0.2, SMAC-4444.4444.4444, DMAC-?
10.0.0.2 sends a unicast ARP reply
o SIP-10.0.0.2, DIP-10.0.0.100, SMAC-6666.6666.6666, DMAC-4444.4444.4444
Now the router is aware of the DMAC; the router rewrites SMAC and DMAC
After rewriting SMAC and DMAC, the router sends the data to the destination
o SIP-192.168.6.1, DIP-10.0.0.2, SMAC-4444.4444.4444, DMAC-6666.6666.6666

Devices maintain ARP information in cache memory
ARP entries expire dynamically if there is no active communication
Systems : arp -a (DOS)
Router : show ip arp

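The two walk-throughs above, modelled as an added Python example (not code from the handout): each node keeps an ARP cache, a host hands off-subnet traffic to its default gateway, and the router looks up its exit interface and rewrites SMAC/DMAC on the way out. The IP and MAC addresses are the handout's own; the router's interface placement (3333.3333.3333 on the 192.168.6.0 side, 4444.4444.4444 on the 10.0.0.0 side), the /24 masks, the host names and the class and function names are assumptions.

```python
import ipaddress

# Added example, not from the handout: a model of the two packet-forwarding
# walk-throughs. Addresses are the handout's; the router's interface
# placement and the /24 masks are assumptions that match the walk-through.


class Interface:
    def __init__(self, ip, mac, prefixlen=24):
        self.ip, self.mac = ip, mac
        self.network = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


class Node:
    def __init__(self, name, interfaces, gateway=None):
        self.name = name
        self.interfaces = interfaces
        self.gateway = gateway          # hosts only; the router uses connected routes
        self.arp_cache = {}             # ip -> mac, what 'arp -a' / 'show ip arp' list
        self.arp_requests = []          # (sender ip, target ip) broadcasts sent

    def exit_interface(self, ip):
        """Routing-table lookup, here limited to directly connected networks."""
        for intf in self.interfaces:
            if ipaddress.ip_address(ip) in intf.network:
                return intf
        return None

    def next_hop(self, dst_ip):
        if self.exit_interface(dst_ip):     # same segment: deliver directly
            return dst_ip
        if self.gateway:                    # host: hand it to the default gateway
            return self.gateway
        raise LookupError(f"{self.name}: no route to {dst_ip}")

    def resolve(self, ip, lan):
        """MAC for ip; a cache miss broadcasts an ARP request, owner replies unicast."""
        if ip not in self.arp_cache:
            self.arp_requests.append((self.exit_interface(ip).ip, ip))
            self.arp_cache[ip] = lan.arp_reply(ip)
        return self.arp_cache[ip]


class Lan:
    """Directory of which node/interface owns each IP (stands in for the wire)."""
    def __init__(self, nodes):
        self.owner = {i.ip: (n, i) for n in nodes for i in n.interfaces}

    def arp_reply(self, ip):
        return self.owner[ip][1].mac


def send(lan, src, dst_ip):
    """Forward a packet hop by hop; returns the L2/L3 header seen on each hop."""
    hops, node, sip = [], src, src.interfaces[0].ip
    while True:
        nh = node.next_hop(dst_ip)
        out = node.exit_interface(nh)
        hops.append({"from": node.name, "smac": out.mac, "dmac": node.resolve(nh, lan),
                     "sip": sip, "dip": dst_ip})       # SIP/DIP never change
        if nh == dst_ip:
            return hops
        node = lan.owner[nh][0]          # the gateway/router forwards next


def build_topology():
    a = Node("HostA", [Interface("192.168.6.1", "1111.1111.1111")], gateway="192.168.6.100")
    b = Node("HostB", [Interface("192.168.6.2", "2222.2222.2222")], gateway="192.168.6.100")
    c = Node("HostC", [Interface("10.0.0.2", "6666.6666.6666")], gateway="10.0.0.100")
    r = Node("Router", [Interface("192.168.6.100", "3333.3333.3333"),
                        Interface("10.0.0.100", "4444.4444.4444")])
    return Lan([a, b, c, r]), a, b, c, r


def run_examples():
    lan, a, b, c, r = build_topology()
    ex1 = send(lan, a, "192.168.6.2")        # Example 1: same segment
    ex2 = send(lan, a, "10.0.0.2")           # Example 2: via the gateway
    ex2_again = send(lan, a, "10.0.0.2")     # second packet: ARP caches are warm
    return {"ex1": ex1, "ex2": ex2, "ex2_again": ex2_again,
            "host_arp_requests": list(a.arp_requests),
            "router_arp_requests": list(r.arp_requests),
            "router_arp_cache": dict(r.arp_cache)}


if __name__ == "__main__":
    for hop in run_examples()["ex2"]:
        print(hop)
```

The second packet to 10.0.0.2 generates no ARP traffic at all, which is the point of the cache; in the model the entries never age out, whereas real hosts and routers expire them when the conversation stops.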
Router Redundancy

For high availability, three protocols are available for router redundancy and load balancing
HSRP
o Hot Standby Router Protocol
VRRP
o Virtual Router Redundancy Protocol
GLBP
o Gateway Load Balancing Protocol

HSRP
HSRP - Hot Standby Router Protocol
Cisco proprietary (RFC 2281)
Provides gateway redundancy by allowing routers or MLSs to appear as a single gateway IP
The gateway IP is assigned to the common HSRP group (not to a single router)
One router is elected as the primary or active router (with the highest priority)
Another router is elected as the standby router (second-best priority)
All the remaining routers are in the listening state
All routers exchange HSRP hello messages every 3 seconds to know the status of each other
Hello messages are sent to the multicast destination 224.0.0.2 using UDP port 1985
A maximum of 16 HSRP groups can be supported (group range : 0-255)

HSRP Election
HSRP election is based on the priority value (default 100, range 0-255)
The router with the highest priority value becomes the active router for the group
If all routers have the same priority, the router with the highest IP address on the HSRP interface becomes the active router

HSRP States
HSRP router states
Disabled
Init
Listen
Speak
Standby
Active

HSRP Active Role
The active router sends hello messages every 3 seconds, by default
If 3 consecutive hellos are missed (10 sec hold time), the active router is assumed to be down and the standby
router turns its state to active
The listening router with the best priority becomes the new standby router
If a router is configured with the highest priority, it cannot pick up the active role immediately, because the active router is
already in working state in the HSRP group
The pre-empt feature can be used to allow a router to take the active role at any time, if it has the higher priority

HSRP Pre-empt

HSRP Timers

HSRP Authentication
HSRP supports authentication to prevent unauthorized routers from participating in HSRP
HSRP supports both plain-text and MD5 authentication
The authentication key word must match on every router participating in HSRP
By default, cisco is the authentication key word
The HSRP plain-text authentication key string can be up to 8 characters

HSRP MD5 Authentication
HSRP MD5 authentication supports a key string of up to 64 characters
The HSRP MD5 authentication method can be configured with a key chain

HSRP Interface Tracking
HSRP can detect external link failures and allow the other routers to take the active role
It is done by tracking a router interface and decreasing the priority in case of link failure
The router decreases its own priority by 10 (default) for every link failure
The other routers have a chance to take the active role, if pre-empt is already configured
Without pre-emption, the active role cannot be given to any other router

HSRP Gateway
Each router in the HSRP group has its own unique IP address assigned to the L3 interface
In the HSRP group every router has a common gateway IP address
It is a virtual router address, kept alive by HSRP
This address is known as the HSRP address or standby address
All the clients use this HSRP address as the gateway
The HSRP group routers keep this address always up

HSRP has a special MAC address for the HSRP address. That is 0000.0C07.ACXX
XX represents the HSRP group number (two-digit hex value)
MAC address range : 0000.0C07.AC00 - 0000.0C07.ACFF
If HSRP group 16 is configured, it can use 0000.0C07.AC10 as the MAC address

HSRP Process

HSRP Load Balancing

HSRP Verification

VRRP - Virtual Router Redundancy Protocol
VRRP is similar to HSRP in operation
Open standard protocol
Defined in RFC 2338
In VRRP, the active router is called the master router
All other routers are in the backup state
The router with the highest priority becomes the master router
Priority range 1-254, default is 100
The VRRP group number range is from 0 to 255
VRRP advertisements are sent every 1 second, by default
VRRP sends its advertisements to the multicast address 224.0.0.18 using IP protocol 112
Pre-empting is the default feature in VRRP
So the router with the highest priority can become master at any time
VRRP uses a special MAC address for the virtual router IP address. That is 0000.5E00.01XX
XX represents the VRRP group number (two-digit hex value)
If VRRP group 16 is configured, it can use 0000.5E00.0110 as the MAC address
VRRP has no mechanism to track interfaces connected to external links

VRRP Process

VRRP Load Balancing

VRRP Configuration

VRRP Verification
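A model of the HSRP and VRRP election rules described in the two sections above, as an added Python example (not the handout's or Cisco's code). It covers priority with the highest-IP tie-break, the 3 s hello / 10 s hold timers, the -10 priority decrement per tracked link failure, the different pre-empt defaults and the two virtual MAC formats. Router names and addresses are constructed; VRRP's master-down interval is not given in the handout and is assumed to be 3 x the 1 s advertisement interval (the RFC 3768 value without the skew term).

```python
import ipaddress
from dataclasses import dataclass

# Added example (not handout or Cisco code): HSRP/VRRP gateway election model.
# Router names/addresses are constructed; VRRP hold time assumed = 3 x 1 s.


@dataclass(frozen=True)
class Protocol:
    name: str
    vmac_prefix: str      # virtual MAC = prefix + two-digit hex group number
    hello: float          # seconds between hellos / advertisements
    hold: float           # seconds of silence before a peer is declared down
    preempt_default: bool
    tracking: bool        # interface tracking can lower the priority
    prio_min: int
    prio_max: int


HSRP = Protocol("HSRP", "0000.0c07.ac", 3, 10, False, True, 0, 255)
VRRP = Protocol("VRRP", "0000.5e00.01", 1, 3, True, False, 1, 254)   # hold assumed


class Router:
    def __init__(self, name, ip, priority=100, preempt=None, tracked=()):
        self.name, self.ip, self.priority, self.preempt = name, ip, priority, preempt
        self.tracked = {i: True for i in tracked}  # tracked interface -> link is up
        self.up, self.last_hello = True, 0.0       # up=False: stops sending hellos

    def effective_priority(self, proto):
        failed = sum(1 for link_up in self.tracked.values() if not link_up)
        return max(self.priority - 10 * failed, 0) if proto.tracking else self.priority

    def preempts(self, proto):                     # None -> protocol default
        return proto.preempt_default if self.preempt is None else self.preempt


class Group:
    def __init__(self, proto, number, virtual_ip):
        if not 0 <= number <= 255:
            raise ValueError("group number must be 0-255")
        self.proto, self.number, self.virtual_ip = proto, number, virtual_ip
        self.routers, self.active, self.standby = [], None, None

    def vmac(self):                       # e.g. group 16 -> 0000.0c07.ac10
        return f"{self.proto.vmac_prefix}{self.number:02x}"

    def join(self, router, now):
        p = self.proto
        if not p.prio_min <= router.priority <= p.prio_max:
            raise ValueError(f"{p.name} priority must be {p.prio_min}-{p.prio_max}")
        router.last_hello = now
        self.routers.append(router)

    def tick(self, now):
        """One hello interval: live routers send hellos, then roles are re-evaluated."""
        p = self.proto
        for r in self.routers:
            if r.up:
                r.last_hello = now
        alive = [r for r in self.routers if now - r.last_hello <= p.hold]
        alive.sort(key=lambda r: (r.effective_priority(p), int(ipaddress.ip_address(r.ip))),
                   reverse=True)                    # priority, then highest IP
        best = alive[0] if alive else None
        if self.active not in alive:                # active silent past hold: failover
            self.active = best
        elif (best is not self.active and best.preempts(p)
              and best.effective_priority(p) > self.active.effective_priority(p)):
            self.active = best                      # higher priority and pre-empt set
        self.standby = next((r for r in alive if r is not self.active), None)

    def state(self):
        return tuple(r.name if r else None for r in (self.active, self.standby))


def hsrp_scenario():
    g = Group(HSRP, 16, "192.168.6.100")
    r1, r2 = Router("R1", "192.168.6.101"), Router("R2", "192.168.6.102")
    g.join(r1, 0)
    g.join(r2, 0)
    g.tick(0)
    log = [("vmac", g.vmac()), ("equal priority", g.state())]
    r3 = Router("R3", "192.168.6.103", priority=110, tracked=("Gi0/1", "Gi0/2"))
    g.join(r3, 3)
    g.tick(3)
    log.append(("R3 joins, no pre-empt", g.state()))
    r3.preempt = True
    g.tick(6)
    log.append(("R3 pre-empts", g.state()))
    r3.tracked["Gi0/1"] = r3.tracked["Gi0/2"] = False   # 110 - 2*10 = 90
    r2.preempt = True
    g.tick(9)
    log.append(("R3 links down", g.state()))
    r2.up = False                                        # R2 goes silent
    g.tick(18)
    log.append(("R2 silent 9 s", g.state()))             # within the 10 s hold time
    g.tick(21)
    log.append(("R2 silent 12 s", g.state()))            # declared down, failover
    return log


def vrrp_scenario():
    g = Group(VRRP, 16, "192.168.6.100")
    g.join(Router("R1", "192.168.6.101"), 0)
    g.tick(0)
    log = [("vmac", g.vmac()), ("single master", g.state())]
    r2 = Router("R2", "192.168.6.102", priority=150, tracked=("Gi0/1",))
    g.join(r2, 1)
    g.tick(1)
    log.append(("higher priority joins", g.state()))     # pre-empt is the default
    r2.tracked["Gi0/1"] = False                          # VRRP has no tracking
    g.tick(2)
    log.append(("link down, no effect", g.state()))
    return log
```

Running `hsrp_scenario()` shows the handout's points in order: with equal priorities the higher address wins, a higher-priority newcomer waits until pre-empt is enabled, two tracked link failures drop it to 90 and let a pre-empting peer take over, and a router that stops sending hellos loses the active role only after the hold time has elapsed.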


GLBP - Gateway Load Balancing Protocol
HSRP and VRRP provide load balancing by assigning multiple gateways to the host groups
GLBP provides load balancing more efficiently, in which all the hosts can use a single gateway
GLBP is a Cisco proprietary protocol
All routers are assigned to a common GLBP group
GLBP provides load balancing by allowing all routers to forward a portion of the overall traffic
For the same gateway IP address, different MAC addresses are sent as ARP replies
Traffic goes through the router associated with that MAC address

GLBP Router Roles
Router roles in GLBP
AVG
o Active virtual gateway
AVF
o Active virtual forwarder

AVG
The router with the highest priority becomes the AVG
Default priority is 100, range is 1 to 255
If the priority is the same, the router with the highest active IP becomes the AVG
The AVG coordinates the GLBP process
The routers participating in GLBP are called AVFs
The AVG assigns virtual MAC addresses to each of the routers (AVFs) participating in GLBP
A maximum of 4 MAC addresses can be used in any group
Only the AVG answers all ARP requests
The AVG also plays the AVF role
GLBP group range is 0-1023
In GLBP, the pre-empting feature is not default
Without pre-empting, the AVG role cannot be given to any other router (if the AVG is active)

AVG Timers
To know the AVF status, the AVG sends hello messages periodically, every 3 seconds by default
If hellos are not received from a peer within the hold time (10 sec), it is assumed to be down
Timers can be configured on the AVG (not necessary on the AVFs)
AVFs learn the timers from the AVG, by default

AVF
AVFs obtain MAC addresses from the AVG
If an AVF fails in the GLBP group, the AVF role and MAC address are given to another AVF temporarily
That AVF handles two MAC addresses to function like two AVFs
The redirect timer is used to determine when the AVG will flush the old MAC address (assigned to another AVF temporarily)
The timeout timer is used to determine how long GLBP peers wait before flushing the old MAC
When the timeout timer expires, the clients using this MAC in their ARP cache must clear the entry, because no AVF
will answer to that MAC
Clients will get a new MAC address as the ARP reply

The redirect timer is 600 seconds (10 min) by default
The timeout timer is 14400 seconds (4 hours) by default

GLBP Weight
GLBP weight is used to define which router can become an AVF
Interfaces can be tracked to provide dynamic weight
If an interface goes down the AVF decreases its weight and
If the interface comes up the AVF increases its weight
Two weight thresholds can be configured in GLBP
If the weight decreases below the lower threshold, the AVF must lose its role
If the weight increases above the upper threshold, the router gains its AVF role
By default the weight is 100, range is 1 to 254
In weight adjustment, an object-number is used with a range of 1-500


GLBP Load Balancing
The AVG assigns virtual MAC addresses for each of the AVFs in the GLBP group
GLBP load balancing methods
o Round robin
ARP replies are sent with the next available virtual MAC address
Traffic load is distributed evenly across all AVFs
It is the default load balancing method in GLBP
o Weighted
GLBP weight decides the load balancing
A higher weight value results in more frequent ARP replies
GLBP weight is used to set the relative proportions among AVFs
o Host-dependent
Each client always gets the same MAC address as the ARP reply
This method is used if the client needs a consistent gateway MAC

GLBP Gateway

GLBP Load Balancing

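The GLBP behaviour described in the AVG, AVF, weight and load-balancing sections above, as an added Python example (not the handout's or Cisco's code): the AVG hands out at most four virtual MACs, answers every ARP request for the one gateway IP using the round-robin, weighted or host-dependent method, weight thresholds take an AVF in and out of service, and a failed AVF's MAC is handed to a surviving AVF. Router and client names, the thresholds (70/90) and the tracking decrement are constructed values; the virtual MAC layout 0007.b4GG.GGFF (group number, forwarder number) is an assumption based on GLBP's usual encoding, since the handout says only that the AVG assigns it.

```python
# Added example (not handout or Cisco code): a model of GLBP load distribution.
# Constructed names, thresholds and decrement; vMAC layout 0007.b4GG.GGFF assumed.

MAX_FORWARDERS = 4          # at most four virtual MACs per GLBP group


class Forwarder:
    """One router's AVF role: its virtual MAC(s), weight and threshold state."""

    def __init__(self, name, weight=100, lower=None, upper=None):
        if not 1 <= weight <= 254:
            raise ValueError("GLBP weight range is 1-254")
        self.name, self.weight, self.lower, self.upper = name, weight, lower, upper
        self.forwarding = True
        self.vmacs = []        # normally one; two while covering a failed AVF
        self.credit = 0        # smooth weighted round-robin bookkeeping

    def track(self, link_up, decrement=40):
        """A tracked interface changed state: adjust the weight, re-check thresholds."""
        step = decrement if link_up else -decrement
        self.weight = max(1, min(254, self.weight + step))
        if self.lower is not None and self.weight < self.lower:
            self.forwarding = False      # fell below lower threshold: loses AVF role
        elif self.upper is not None and self.weight > self.upper:
            self.forwarding = True       # rose above upper threshold: regains it
        return self.forwarding           # in between: state is left as it was


class Avg:
    """Active virtual gateway: owns the MAC assignments and answers every ARP request."""

    def __init__(self, group, gateway_ip, method="round-robin"):
        if not 0 <= group <= 1023:
            raise ValueError("GLBP group range is 0-1023")
        self.group, self.gateway_ip, self.method = group, gateway_ip, method
        self.forwarders, self.rr_index = [], 0

    def vmac(self, number):            # assumed layout, e.g. group 1 AVF 1 -> 0007.b400.0101
        g = self.group
        return f"0007.b4{g >> 8:02x}.{g & 0xff:02x}{number:02x}"

    def add(self, fwd):
        """Assign a virtual MAC; a fifth router gets no forwarder role (returns None)."""
        if len(self.forwarders) >= MAX_FORWARDERS:
            return None
        self.forwarders.append(fwd)
        fwd.vmacs.append(self.vmac(len(self.forwarders)))
        return fwd.vmacs[0]

    def avf_failed(self, name):
        """Hand the failed AVF's MAC to another AVF so clients holding it keep a gateway."""
        dead = next(f for f in self.forwarders if f.name == name)
        self.forwarders.remove(dead)
        takeover = next(f for f in self.forwarders if f.forwarding)
        takeover.vmacs.extend(dead.vmacs)        # now serves two MACs
        return takeover.name

    def arp_reply(self, client_mac):
        """The virtual MAC returned to a client that ARPs for the gateway IP."""
        active = [f for f in self.forwarders if f.forwarding]
        if self.method == "round-robin":
            macs = [m for f in active for m in f.vmacs]     # next available vMAC
            reply = macs[self.rr_index % len(macs)]
            self.rr_index += 1
            return reply
        if self.method == "weighted":                       # proportional to weight
            for f in active:
                f.credit += f.weight
            chosen = max(active, key=lambda f: f.credit)
            chosen.credit -= sum(f.weight for f in active)
            return chosen.vmacs[0]
        if self.method == "host-dependent":                 # same client, same MAC
            key = int(client_mac.replace(".", ""), 16)
            return active[key % len(active)].vmacs[0]
        raise ValueError(f"unknown method {self.method}")


def scenario():
    log = {}
    avg = Avg(1, "192.168.6.100")                          # default: round robin
    r1, r2, r3 = (Forwarder(n) for n in ("R1", "R2", "R3"))
    r4 = Forwarder("R4", lower=70, upper=90)               # thresholds configured
    log["vmacs"] = [avg.add(r) for r in (r1, r2, r3, r4)]
    log["fifth"] = avg.add(Forwarder("R5"))                # None: only four AVFs
    log["round_robin"] = [avg.arp_reply(f"aaaa.bbbb.000{i}") for i in range(5)]
    log["r4_thresholds"] = [r4.track(False, 20), r4.track(False, 20),
                            r4.track(True, 20), r4.track(True, 20)]
    log["takeover"] = avg.avf_failed("R1")
    log["r2_vmacs"] = list(r2.vmacs)
    weighted = Avg(2, "192.168.7.100", method="weighted")
    for f in (Forwarder("A", weight=150), Forwarder("B", weight=50)):
        weighted.add(f)
    log["weighted"] = [weighted.arp_reply("aaaa.bbbb.0009") for _ in range(4)]
    hostdep = Avg(3, "192.168.8.100", method="host-dependent")
    for f in (Forwarder("C"), Forwarder("D")):
        hostdep.add(f)
    log["host_dependent"] = [hostdep.arp_reply(m) for m in
                             ("aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0001")]
    return log


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The `r4_thresholds` sequence shows the hysteresis the two thresholds give: a weight of 80 sits between 70 and 90 and leaves the AVF in whatever state it was already in, so a flapping link does not toggle the forwarder role on every transition. The weighted run with weights 150 and 50 hands out A's MAC in three of every four replies, which is the relative proportion the handout describes.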
GLBP Verification

Gateway Redundancy

HSRP
show standby brief                   Displays HSRP status
show standby type mod/num            Displays HSRP on an interface
VRRP
show vrrp brief all                  Displays VRRP status
show vrrp interface type mod/num     Displays VRRP on an interface
GLBP
show glbp [group=0-1023] [brief]     Displays status of a GLBP group

Router Redundancy Protocols
Property            HSRP                      VRRP                      GLBP
Standard            Cisco proprietary         Open standard             Cisco proprietary
Router roles        Active, standby routers   Master, backup routers    AVG, AVF
Load balance        Multiple groups,          Multiple groups,          Single group,
                    different gateways        different gateways        single gateway
Interface tracking  Yes                       No                        Yes
Default pre-empt    No                        Yes                       No
Virtual MAC         0000.0c07.acxx            0000.5e00.01xx            Assigned by AVG

LESSON 14: SUPERVISOR-POWER REDUNDANCY

Modular Switch Chassis

Switch Supervisors
Modular switches have multiple modules and are controlled by supervisor engines
Supervisor engines contain the console port, startup configuration, IOS image etc
If the supervisor engine fails, packets will not be routed and interfaces will go down

Redundant Supervisors
Catalyst 4500R and 6500 switches accept two SUP modules installed in a single chassis
The first SUP module boots up and becomes the active supervisor for the chassis
The second SUP module remains in standby mode
If the first SUP fails, the standby SUP becomes active

Supervisor Redundancy Modes
Redundant Supervisor modules can be configured in 3 modes
o RPR
Route Processor Redundancy
o RPR+
Route Processor Redundancy Plus
o SSO
Stateful Switch Over
These modes indicate the readiness of standby supervisor
The failover time depends on readiness of standby supervisor
These modes affect how the two supervisors handshake and synchronize information

RPR
RPR - Route Processor Redundancy
The redundant supervisor is only partially booted and initialized
When the active SUP fails, the standby SUP must reload every other module in the switch and then initialize all
the supervisor functions
Takes more time (around 2 minutes)

RPR+
RPR+ - Route Processor Redundancy Plus
The redundant supervisor is booted, and the supervisor and route engines are initialized
Layer 2 and Layer 3 functions are not started
When the active SUP fails, the standby module completely initializes without reloading other switch modules
Switch ports remain in their states
Takes average time (around 30 seconds)

SSO
SSO - Stateful Switch Over
The redundant supervisor is fully booted and initialized
Both startup-config and running-config are synchronized between the SUP modules
L2 information is maintained on both supervisors
So hardware switching can continue during a failover
Links do not flap during a failover
With NSF options, L3 routing protocol initialization and convergence also synchronize
Takes less time (around 1 sec)

Router Processing Modes (SRM-DRM)
o SRM - Single Router Mode: two route processors are used, but only one is active at any time
o DRM - Dual Router Mode: two route processors are used and both are active at any time
RPR and RPR+ have only one active supervisor; the route processor portion is not initialized or used on the standby unit
RPR and RPR+ therefore use only one route processor, while SRM requires two route processors (one active), so SRM is not compatible with RPR or RPR+
SSO uses two route processors. SRM is inherent with SSO, because SSO brings up the standby route processor. This is called SRM with SSO

Redundancy Modes

Mode | Supported Platforms | Failover time
RPR  | Catalyst 6500 supervisors 2 and 720, Catalyst 4500R supervisors 4 and 5 | Good: > 2 minutes
RPR+ | Catalyst 6500 supervisors 2 and 720 | Better: > 30 seconds
SSO  | Catalyst 6500 supervisor 720, Catalyst 4500R supervisors 4 and 5 | Best: > 1 second

Supervisor Redundancy
By default, the active supervisor synchronizes its startup-config and config-register values with the standby supervisor
Configuration is required to synchronize other information

NSF
NSF Non Stop Forwarding
NSF is used to quickly rebuild the routing information base (RIB) after a supervisor switchover
The RIB is used to generate the FIB for CEF
The FIB is downloaded to any switch modules or hardware that perform CEF
NSF gets assistance from other NSF-aware neighbors
These neighbors provide routing information to the standby (newly active) supervisor, which allows it to rebuild the RIB quickly instead of waiting for the routing protocol to re-converge
NSF is a Cisco proprietary feature
NSF is supported along with SSO on Catalyst 4500R supervisors 3, 4, 5 and Catalyst 6500 supervisor 720 (integrated MSFC3)
NSF is supported on IOS 12.2(20)EWA or later
NSF is supported by the BGP, EIGRP, OSPF and IS-IS routing protocols

NSF Configuration

Redundant Power Supply
6500 and 4500R platforms can accept two power supply modules in a single chassis
The power supplies must be identical, having the same power input and max power output ratings
Two possible power modes
o Combined mode
Both power modules work together to share the total power load for all modules
Used for large power requirements like PoE for IP telephones
It doesn't provide power redundancy
If a power supply fails, the switch powers down some of the modules, until the power requirement is met by the one functioning power supply
o Redundant mode
Each of the installed power supplies can supply the total power load that is required by the whole switch chassis
If one power supply fails, the other can carry the total power load, without powering down any module
Redundant mode is the default mode
It's not possible to identify which power supply is actually powering the switch, until one of them is turned off or fails

Some devices need inline power (PoE) to operate (Cisco IP phones, wireless APs)
These devices request a power budget when they initialize (and may request more later)
The power budget requests are sent in CDP messages exchanged between the devices and the switch
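The configuration pages for this lesson did not survive extraction. The following is an added example, not part of the original material, showing how SSO, NSF and the power-supply mode described above are configured and verified on a Catalyst 6500 running IOS 12.2SX with two Supervisor 720 modules and two power supplies. The OSPF process number, EIGRP AS number and the 10.0.0.0/8 address range are assumptions.

```cisco
! --- Supervisor redundancy ---
! SSO: the standby sup is fully booted, and running-config, L2 tables
! and interface state are kept in sync. Alternatives: "mode rpr" and
! "mode rpr-plus" (longer failover, standby only partly initialized).
redundancy
 mode sso
 ! Only meaningful in RPR/RPR+, where little is synchronized by default:
 ! copy startup-config, config-register and boot variables to the
 ! standby whenever they change on the active sup.
 main-cpu
  auto-sync standard
!
! --- NSF: let the routing protocols recover the RIB after a switchover
! with help from NSF-aware neighbours instead of fully re-converging.
router ospf 1
 nsf
 network 10.0.0.0 0.255.255.255 area 0
!
router eigrp 100
 nsf
 network 10.0.0.0
!
! --- Power supplies ---
! "redundant" (the default) keeps one supply able to carry the whole
! chassis; "combined" pools both outputs, e.g. for a large PoE budget,
! at the cost of losing redundancy when one supply fails.
power redundancy-mode redundant
!
! --- Verification ---
! Expect "Redundancy Mode (Operational) = sso" and the peer state
! "STANDBY HOT"; anything else means a failover will not be stateful.
show redundancy states
show redundancy
! Expect "Non-Stop Forwarding enabled" in the OSPF process summary.
show ip ospf
! Shows the operating power mode and whether both supplies are "ok".
show power
```

The check that matters operationally is `show redundancy states` after every software or configuration change on the active supervisor: if the standby has dropped out of `STANDBY HOT`, a supervisor failure behaves like RPR (minutes of outage), not like the sub-second SSO failover the design assumed.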
LESSON 15: IP TELEPHONY

PoE
PoE Power over Ethernet
A Cisco IP phone must have power to operate
Power can come from two sources
o External AC adapter - "wall warts" provide 48V DC power
o PoE - 48V DC inline power that comes from the Catalyst switch over the network cable
PoE has the benefit that it can be managed and monitored by the switch and offered to the IP phone
The end device has to be detected as a powered device and send a power budget request in order to get PoE
The switch doesn't offer PoE to a PC, because a PC is not detected as a powered device and doesn't send any power request
PoE is available on many platforms like the Catalyst 3750, 4500 and 6500
PoE methods
o ILP - Inline Power, Cisco proprietary method
o IEEE 802.3af - open standard method, vendor interoperability

Detecting a Powered Device
In the Cisco ILP method, the switch sends a 340 kHz test tone on the transmit pair of the twisted-pair Ethernet cable
A powered device (IP phone) loops the 340 kHz test tone back
The switch port hears its own test tone looped back
Then the switch knows a powered device is present and offers inline power

In IEEE 802.3af, the switch supplies a small voltage across the transmit and receive pairs of the copper twisted-pair connection
Then the resistance is measured
If a 25 kohm resistance is measured, the switch knows a powered device is present

IEEE 802.3af power classes

Power class | Max power offered at 48V DC | Notes
0 | 15.4 W | Default class
1 | 4.0 W | Optional class
2 | 7.0 W | Optional class
3 | 15.4 W | Optional class
4 | - | Reserved for future use

The switch determines to which power class the powered device belongs
Supplying Power to a Device
A switch first offers a default power allocation to the powered device
On a 3750-24-PWR, an IP phone receives 15.4 W (0.32 A at 48V DC)
For Cisco ILP, inline power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) at 48V DC
For IEEE 802.3af, power is provided over data pairs 2 and 3 (RJ-45 pins 1-2, 3-6) or over the spare pairs 1 and 4 (RJ-45 pins 4-5, 7-8)
Later the power budget can be changed from the default to a more appropriate value
Cisco ILP uses CDP for the power budget decision
IEEE 802.3af uses the power classes for the power budget decision

PoE Configuration
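The PoE configuration itself is missing from the extracted page. As an added example (not the original material), this is how inline power is enabled, capped and disabled per port on a Catalyst 3750-24-PWR running IOS 12.2SE; the interface numbers and the 7 W (class 2) device are assumptions.

```cisco
! PoE is controlled per port. "auto" (the default) powers a port only
! after a powered device is detected, so a PC never receives power.
interface FastEthernet0/1
 description Cisco IP phone
 power inline auto
!
! Cap what a port may hand out (milliwatts, 4000-15400). A device whose
! CDP/802.3af request exceeds the cap is not powered, so one port cannot
! draw down the whole chassis budget.
interface FastEthernet0/2
 description 802.3af class 2 device (7.0 W)
 power inline auto max 7000
!
! Ports that will only ever see PCs: never apply power at all.
interface range FastEthernet0/3 - 24
 power inline never
!
! Cisco ILP power-budget requests ride on CDP. If CDP is disabled on a
! phone port (it is often turned off for security), a Cisco phone still
! gets the default 15.4 W allocation but can no longer negotiate the
! smaller budget it actually needs. Keep CDP on phone ports only.
interface FastEthernet0/1
 cdp enable
!
! Verification: per-port admin/oper state, allocated watts and detected
! device class, plus the remaining budget for the switch.
show power inline
show power inline FastEthernet0/1
show cdp neighbors FastEthernet0/1 detail
```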
PoE Switchports
A Catalyst switch waits for 4 seconds after inline power is applied to a port
Don't connect a non-powered device (PC) immediately to the port after disconnecting a powered device
Wait for 10 seconds before connecting anything back into the same port. Otherwise the power delivery may damage the device

Voice VLAN
A Cisco IP phone can provide a data connection for a PC, along with the voice stream
A single Ethernet IO (information outlet) is enough to provide connectivity for both the PC and the Cisco IP phone

With trunk mode the voice traffic is carried over a unique voice VLAN called the voice VLAN ID or VVID
With access mode the voice traffic is carried over the regular data VLAN called the native VLAN or port VLAN ID (PVID)
The QoS information from the voice packets must be carried

To configure the IP phone uplink, only the switch port needs to be configured with the selected mode
The switch instructs the phone to follow the selected mode
In the case of a trunk link, a special-case trunk is negotiated by DTP and CDP

Voice VLAN Modes

Mode | Native VLAN (untagged) | Voice VLAN | Voice QoS (CoS bits)
vlan-id | PC data | VLAN vlan-id (tagged) | 802.1p
dot1p | PC data | VLAN 0 (tagged, priority only) | 802.1p
untagged | PC data / voice | - | - (untagged frames carry no CoS field)
none (default) | PC data / voice (access VLAN) | - | -

The most versatile mode uses the vlan-id
Voice and user data are carried over separate VLANs
VoIP packets in the voice VLAN also carry the CoS bits in the 802.1p field

Voice VLAN / Data VLAN
The trunk contains only two VLANs
A voice VLAN (tagged with the VVID) and the data VLAN
The switch port's access VLAN is used as the data VLAN (for the PC)
If the IP phone is removed and a PC is connected to the same switch port, the PC can still operate because the data VLAN is the access VLAN
The IP phone special-case 802.1Q trunk is not shown as a trunk port in the switch configuration
STP runs with two instances, one for the voice VLAN and one for the data VLAN
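The voice VLAN configuration and figure from the original page were lost in extraction. The block below is an added example (not the author's configuration) of the vlan-id mode on a Catalyst 3560/3750 access port; VLAN numbers, names and the interface are assumptions.

```cisco
vlan 10
 name DATA
vlan 110
 name VOICE
!
interface FastEthernet0/1
 description IP phone with a PC behind it
 switchport mode access
 switchport access vlan 10
 ! vlan-id mode: the phone tags voice frames into VLAN 110 with 802.1p
 ! CoS; PC frames stay untagged in access VLAN 10. The phone learns
 ! this over CDP, so CDP must stay enabled on the port.
 switchport voice vlan 110
 ! Alternatives (one per port):
 !  switchport voice vlan dot1p     -> voice tagged VLAN 0, CoS only
 !  switchport voice vlan untagged  -> voice untagged in the access VLAN
 !  switchport voice vlan none      -> default; switch tells the phone nothing
 spanning-tree portfast
!
! Verification: the special-case trunk is NOT reported as a trunk.
! Expect "Operational Mode: static access", "Access Mode VLAN: 10 (DATA)"
! and "Voice VLAN: 110 (VOICE)".
show interfaces FastEthernet0/1 switchport
! Each of the two VLANs runs its own STP instance on the port.
show spanning-tree interface FastEthernet0/1
```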
Voice QoS
QoS Quality of Service
It is the method used in a network to protect and prioritize time-critical or important traffic
QoS needs to be implemented for voice traffic and video traffic
Voice packets need to be delivered in the most timely fashion, with little jitter, little loss and little delay
Generally users can't tolerate delay in voice or video traffic

Packet flow
Factors that influence packet flow
o Delay - the time a packet takes to travel from source to destination, including the time a router or switch needs to perform table lookups and queue the packet. The total delay from source to destination is called latency
o Jitter - the variation in delay. With jitter, consecutive packets arrive at different time intervals. Audio and video streams are easily affected by jitter
o Loss - packets dropped without delivery because of a congested or error-prone network

QoS
To protect packets from delay, jitter and loss, QoS can be implemented
3 basic types of QoS
o Best-effort delivery
o Integrated services model
o Differentiated services model

Best Effort Delivery
The intermediate devices like switches and routers forward the traffic with best effort
There is no real QoS
The interesting traffic must compete with the remaining traffic

Integrated Services (IntServ)
A path is reserved in advance from source to destination by RSVP
RSVP Resource Reservation Protocol
The source application requests QoS parameters through RSVP
Each network device along the path checks whether it supports the QoS request
QoS is applied on a per-flow basis
Poor scalability (every device must keep state for every reserved flow)

Differentiated Services (DiffServ)
No advance path reservation
Packet headers contain QoS information
Each device handles packets individually based on the QoS bits
Devices prioritize the interesting traffic by holding back the normal traffic
QoS is applied on a per-hop basis
Offers QoS scalability
The DiffServ model can offer premium services to voice traffic

DiffServ is per-hop behavior
Each router or switch checks the QoS information in every packet to decide how to forward the packet
The packet headers contain some flags, classifications, or markings that can be used to make the forwarding decision based on the QoS policies that are configured on each router or switch along the path

L2 QoS Classification
L2 switches follow best effort to forward the frames
No QoS mechanism exists for normal (untagged) Ethernet frames
QoS occurs between switches for tagged Ethernet frames
Tagged (802.1Q/ISL) Ethernet frames carry CoS (Class of Service) bits (3 bits, 802.1p)
CoS bits are lost when the frame is untagged at the far-end switch

In the IP header, the 1-byte ToS (Type of Service) field is redefined by DiffServ as the DS (Differentiated Services) byte; its upper 6 bits carry the DS value
This 6-bit DS value is known as DSCP
DSCP Differentiated Services Code Point
The DSCP value is examined by DiffServ network devices
The DS and ToS bytes are the same byte (occupying the same location in the IP header)
The DSCP bits are arranged for compatibility with the 3-bit IP precedence (the top 3 DSCP bits line up with the IP precedence bits)
So non-DiffServ devices can still interpret some QoS information

IP Precedence (3 bits)

Name | Value | Bits
Routine | 0 | 000
Priority | 1 | 001
Immediate | 2 | 010
Flash | 3 | 011
Flash Override | 4 | 100
Critical | 5 | 101
Internetwork control | 6 | 110
Network control | 7 | 111

DSCP (6 bits)

Per-Hop Behavior | Class Selector | Drop Precedence | Code-Point Name | DSCP Bits (Decimal)
Default | 0 | - | Default | 000 000 (0)
AF | 1 | 1: Low | AF11 | 001 010 (10)
AF | 1 | 2: Medium | AF12 | 001 100 (12)
AF | 1 | 3: High | AF13 | 001 110 (14)
AF | 2 | 1: Low | AF21 | 010 010 (18)
AF | 2 | 2: Medium | AF22 | 010 100 (20)
AF | 2 | 3: High | AF23 | 010 110 (22)
AF | 3 | 1: Low | AF31 | 011 010 (26)
AF | 3 | 2: Medium | AF32 | 011 100 (28)
AF | 3 | 3: High | AF33 | 011 110 (30)
AF | 4 | 1: Low | AF41 | 100 010 (34)
AF | 4 | 2: Medium | AF42 | 100 100 (36)
AF | 4 | 3: High | AF43 | 100 110 (38)
EF | 5 | - | EF | 101 110 (46); of the range 40-47 only 46 is used
Class 6 | 6 | - | CS6 (internetwork control) | 110 000 (48); range 48-55
Class 7 | 7 | - | CS7 (network control) | 111 000 (56); range 56-63

L3 QoS Classification
The three class selector bits (DS5, DS4, DS3) classify packets into eight classes
Class 0 is the default class and offers only best-effort forwarding
Classes 1-4 are called AF (Assured Forwarding) service levels. Higher AF class numbers indicate higher-priority traffic
Class 5 is known as EF (Expedited Forwarding) and indicates premium service. EF is given to time-critical data such as voice traffic
Class 6 is for internetwork control
Class 7 is for network control
Routers and switches use classes 6 and 7 for STP and routing protocols, which offers timely delivery of the packets needed for network stability

The three bits (DS2, DS1, DS0) are the drop precedence bits. DS0 is always 0
3 levels of drop precedence
o Low (1)
o Medium (2)
o High (3)
A lower drop precedence value gives better service (the packet is dropped later under congestion)
AF21 means AF level 2 with drop precedence 1

To manipulate packets according to QoS policies, a switch must identify which level of service each packet should receive
This is called classification of packets
Each packet is classified according to the type of traffic (for example, by TCP/UDP port, or by the existing CoS/DSCP marking)

Each switch must decide whether to trust the incoming QoS values (QoS bits)
If the switch trusts the QoS values, they are carried over and used to make QoS decisions
If the switch doesn't trust the QoS values, they are reassigned or overruled
The set of ports where markings are trusted defines the QoS trust boundary; anything outside it (a user PC, for example) can mark its own traffic as it likes, so those markings must not be trusted

QoS Configuration

Auto QoS
The Auto QoS feature automatically configures advanced QoS parameters
The Auto QoS feature is enabled by a macro command
Auto QoS handles
o Enabling QoS
o CoS-to-DSCP mapping for QoS marking
o Ingress and egress queue tuning
o Strict priority queues for egress voice traffic
o Establishing an interface QoS trust boundary

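The QoS configuration page did not survive extraction. The following is an added example (not the original material) of the trust boundary, CoS-to-DSCP map and Auto QoS macro discussed above, for a Catalyst 3560/3750 running IOS 12.2SE; VLAN and interface numbers are assumptions.

```cisco
! Without "mls qos" the switch passes CoS/DSCP through untouched. Once
! it is on, every port is untrusted by default: incoming CoS and DSCP
! are rewritten to 0 unless a trust policy says otherwise. That is the
! trust boundary: markings are believed only where we choose.
mls qos
! Map CoS 5 (voice) to DSCP 46 (EF) instead of the default 40.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
interface FastEthernet0/1
 description IP phone + PC
 switchport access vlan 10
 switchport voice vlan 110
 ! Trust CoS only while a Cisco phone is present (detected via CDP);
 ! if the phone is unplugged the port falls back to untrusted, so a PC
 ! plugged in directly cannot mark its own traffic EF.
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/2
 description PC only: keep the default (untrusted), remark to 0
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description uplink from the distribution layer (inside the boundary)
 mls qos trust dscp
!
! Auto QoS macro: performs the same trust/map/queue setup in one
! command on a phone port (it also enables mls qos globally).
interface FastEthernet0/3
 auto qos voip cisco-phone
!
! Verification: trust state and current mappings.
show mls qos interface FastEthernet0/1
show mls qos maps cos-dscp
show auto qos interface FastEthernet0/3
```

The security point is the default after `mls qos`: a port with no trust statement strips whatever marking a host sends, so a user cannot promote bulk traffic into the priority queue. Trust is granted only to phones (conditionally) and to uplinks that are themselves inside the boundary.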
LESSON 16: SECURE SWITCH ACCESS

Switch Port Security
Catalyst switches offer the port security feature, based on the MAC addresses of the connected systems
Unauthorized MAC addresses can't gain access and are disconnected from the network
Port security is not enabled by default
Port security is enabled on a per-interface basis
Port security is applied only to access ports (not to trunks or EtherChannel members)

By default a secure port learns MAC addresses from the connected systems dynamically, up to a maximum of 1 address
Secure MAC addresses can also be configured statically
With the sticky option, dynamically learned addresses are written into the running-config, so they persist like static entries (across a link flap, and across a reload once the configuration is saved)
By default no aging occurs for secure MAC addresses

Port-Security Violation
A security violation occurs if more than the specified number of MAC addresses are learned on the port, or if a MAC address secured on one port appears on another secure port in the same VLAN
Port security defines what action the port has to take in case of a security violation
o shutdown (default) - the port is put into the errdisable state
o restrict - offending frames are dropped, the violation counter increments and a syslog message / SNMP trap is generated
o protect - offending frames are dropped silently, with no log or counter

Port-Security

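The port-security configuration from the original page was lost in extraction. The block below is an added example (not the author's), for a Catalyst 3560/3750 access port carrying a phone and a PC; VLAN numbers, the interface and the timer values are assumptions.

```cisco
interface FastEthernet0/1
 description user port: phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Enable the feature (off by default). Default maximum is 1 address
 ! and the default violation action is shutdown (errdisable).
 switchport port-security
 ! One address for the phone, one for the PC behind it.
 switchport port-security maximum 2
 ! Sticky: learned addresses are written into the running-config and
 ! survive a link flap; "copy run start" makes them survive a reload.
 switchport port-security mac-address sticky
 ! Violation action:
 !   shutdown - errdisable the port (default; loudest, needs recovery)
 !   restrict - drop offending frames, count them, log/trap
 !   protect  - drop offending frames silently (no evidence; avoid)
 switchport port-security violation restrict
 ! Alternative to sticky for hot-desking ports: leave the addresses
 ! dynamic and age them out after 2 minutes idle (secure addresses
 ! never age by default):
 !   switchport port-security aging time 2
 !   switchport port-security aging type inactivity
!
! If "shutdown" is used, let errdisabled ports recover on their own
! after 5 minutes instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: status, violation count, last offending source address,
! and the learned/sticky address list.
show port-security interface FastEthernet0/1
show port-security address
```

Prefer `restrict` over `protect`: both drop the offending frames, but only `restrict` leaves a syslog entry and a counter, which is what an incident responder needs to see that someone plugged an unexpected device into the port.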
Port-Based Authentication
Catalyst switches support port-based authentication, a combination of AAA authentication and port security
It is defined by the IEEE 802.1x standard
The switch will not accept data from the port until the user is authenticated
For port-based authentication, both the switch and the PC must support the 802.1x standard
802.1x uses EAPOL, Extensible Authentication Protocol over LANs (an L2 protocol)
The client PC must have 802.1x-capable software (a supplicant) in order to initiate an authentication session with the switch
The authentication session closes when the user logs out

802.1x
Port-based authentication can be handled by RADIUS servers
RADIUS Remote Authentication Dial In User Service
Only RADIUS is supported for 802.1x (TACACS+ cannot be used)

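The 802.1x configuration page is blank in the extracted text. As an added example (not the original material), this is a minimal port-based authentication setup for a Catalyst 3560/3750 on IOS 12.2SE; the RADIUS server address, the shared secret, VLAN and interface numbers are assumptions.

```cisco
! AAA: 802.1X can only use RADIUS as its authentication server.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key R4diusSharedSecret
! Turn 802.1X on globally; until this is set, "dot1x port-control"
! on the interfaces has no effect and every port stays open.
dot1x system-auth-control
!
interface FastEthernet0/1
 description user port: authenticate before forwarding anything
 switchport mode access
 switchport access vlan 10
 ! auto: the port starts unauthorized, only EAPOL passes, and data
 ! flows after the RADIUS Access-Accept. Other values:
 !   force-authorized   (default, no authentication at all)
 !   force-unauthorized (port never opens)
 dot1x port-control auto
 ! One authenticated host per port (the default); a second MAC address
 ! seen on the port is a violation.
 dot1x host-mode single-host
 ! Re-send the EAP identity request after 30 s of silence, give up
 ! after 2 retries, then start over.
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
!
interface GigabitEthernet0/1
 description trunk uplink: 802.1X must not be enabled here
 switchport mode trunk
!
! Verification: port state (AUTHORIZED/UNAUTHORIZED), host mode, timers.
show dot1x interface FastEthernet0/1 details
show dot1x all
```

Enable `dot1x system-auth-control` last, after the RADIUS reachability has been tested, because the moment it is set every port configured with `port-control auto` stops passing data until the server answers.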
Mitigating Spoofing Attacks
An attacker can become a man-in-the-middle by acting as a rogue gateway
Hosts send packets to this rogue gateway; the attacker can glean information from the packets before forwarding them normally
Switches can be protected from these spoofing attacks
Switch features to mitigate spoofing attacks
o DHCP snooping
o IP Source Guard
o Dynamic ARP Inspection

DHCP Snooping
The attacker may bring up a rogue DHCP server that assigns a spoofed gateway to the hosts
Then the hosts try to send information to this spoofed gateway
Switches can be configured with the DHCP snooping feature to mitigate these attacks
With DHCP snooping, ports are categorized into trusted and untrusted ports
Legitimate DHCP servers (or the uplinks toward them) should be connected at trusted ports; all other ports are untrusted by default
If a DHCP reply comes in on any untrusted port, it is discarded and the offending switch port is automatically shut down in the errdisable state
DHCP snooping keeps track of the completed DHCP bindings. This database contains the client MAC, the IP address offered, the lease time, the VLAN and the switch port

IP Source Guard
A host can use spoofed IP addresses to misguide other hosts in a subnet or VLAN
If a host uses random spoofed IP addresses, the return traffic will not find its way back; spoofed IP addresses are used to disguise the origin of Denial-of-Service attacks
Switches use the IP Source Guard feature to mitigate spoofed IP address attacks

The IP Source Guard feature uses the DHCP snooping database and static IP source binding entries to mitigate spoofed IP attacks
The source IP must match the IP address learned by DHCP snooping or a static entry for that port
Optionally, the source MAC address must also match the MAC address learned on the switch port
If the addresses do not match, the switch drops the frames coming from the port
Before configuring IP Source Guard,
o DHCP snooping must be enabled first, to detect spoofed IP addresses
o Port security must be enabled, if spoofed MAC addresses are also to be detected
9000235254 P. NAGABABU

This material is valid till 31
st
Novem
Dynamic ARP Inspection
The attacker can send spoofed ARP replies to the requests and becomes man-in-the-middle
The hosts will add this bogus ARP information in their cache and send packets to the attacker
This attack is called ARP poisoning or ARP spoofing
Catalyst switches have the DAI (Dynamic ARP Inspection) feature to mitigate these attacks

The ports are categorized into trusted ports and untrusted ports
ARP inspection is done only on untrusted ports
No inspection is done on trusted ports
The switch gets its legitimate ARP database from static entries or DHCP snooping
If an ARP reply arrives on an untrusted port, the switch compares the IP and MAC against its legitimate ARP database
If the switch finds invalid or conflicting values, it drops the frame and generates a log message

For the hosts with static IP addresses, no DHCP snooping database exists
So an ARP ACL should be configured to permit the static IP-MAC combinations
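Added example (not part of the course notes) that models the DHCP snooping binding database and the two checks built on it, IP Source Guard and Dynamic ARP Inspection, as described in the three sections above. All port names, VLAN numbers, addresses and log strings are constructed for the example.

```python
"""Added example (not from the course notes): a software model of the DHCP
snooping binding database and of the two checks that consume it, IP Source
Guard for data frames and Dynamic ARP Inspection for ARP replies. Port names,
VLAN numbers, addresses and log strings are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (lease > 0) or a static IP source binding (lease 0)."""
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int = 0


@dataclass
class Switch:
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: List[Binding] = field(default_factory=list)
    arp_acl: Set[Tuple[str, str]] = field(default_factory=set)  # (ip, mac) of static hosts
    errdisabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    # DHCP snooping: server replies are accepted only from trusted ports; a reply seen on
    # an untrusted port is discarded and the offending port is put into errdisable.
    def dhcp_reply(self, server_port: str, client_port: str, vlan: int,
                   client_mac: str, offered_ip: str, lease: int) -> bool:
        if server_port not in self.trusted_ports:
            self.errdisabled.add(server_port)
            self.log.append(f"DHCP_SNOOPING: reply on untrusted {server_port}, errdisable")
            return False
        self.bindings.append(Binding(client_mac, offered_ip, vlan, client_port, lease))
        return True

    # IP Source Guard: the source IP and source MAC of a frame must match a binding
    # learned by DHCP snooping (or configured statically) on that port and VLAN.
    def ip_source_guard(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        for b in self.bindings:
            if (b.port, b.vlan, b.ip, b.mac) == (port, vlan, src_ip, src_mac):
                return True
        self.log.append(f"IPSG: dropped {src_ip}/{src_mac} on {port}")
        return False

    # DAI: ARP replies on untrusted ports are validated against the bindings or an
    # ARP ACL for static hosts; trusted ports are not inspected at all.
    def arp_inspect(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        if port in self.trusted_ports:
            return True
        if (sender_ip, sender_mac) in self.arp_acl:
            return True
        for b in self.bindings:
            if (b.port, b.vlan, b.ip, b.mac) == (port, vlan, sender_ip, sender_mac):
                return True
        self.log.append(f"DAI: invalid ARP {sender_ip} is-at {sender_mac} on {port}")
        return False


def scenario() -> Dict[str, object]:
    """Constructed scenario: Gi0/1 is the trusted uplink to the real DHCP server,
    Fa0/3 is a DHCP client, Fa0/7 is a static host, Fa0/9 hosts a rogue server."""
    sw = Switch(trusted_ports={"Gi0/1"})
    r: Dict[str, object] = {}
    r["rogue_server"] = sw.dhcp_reply("Fa0/9", "Fa0/3", 10, "0000.1111.aaaa", "10.1.1.1", 60)
    r["real_server"] = sw.dhcp_reply("Gi0/1", "Fa0/3", 10, "0000.1111.aaaa", "10.1.1.50", 86400)
    # static host: a static IP source binding plus an ARP ACL entry (no DHCP lease exists)
    sw.bindings.append(Binding("0000.2222.bbbb", "10.1.1.99", 10, "Fa0/7"))
    sw.arp_acl.add(("10.1.1.99", "0000.2222.bbbb"))
    r["ipsg_ok"] = sw.ip_source_guard("Fa0/3", 10, "0000.1111.aaaa", "10.1.1.50")
    r["ipsg_spoofed_ip"] = sw.ip_source_guard("Fa0/3", 10, "0000.1111.aaaa", "10.1.1.200")
    r["ipsg_static"] = sw.ip_source_guard("Fa0/7", 10, "0000.2222.bbbb", "10.1.1.99")
    r["dai_ok"] = sw.arp_inspect("Fa0/3", 10, "0000.1111.aaaa", "10.1.1.50")
    r["dai_poison"] = sw.arp_inspect("Fa0/3", 10, "0000.1111.aaaa", "10.1.1.1")  # claims gateway IP
    r["dai_static"] = sw.arp_inspect("Fa0/7", 10, "0000.2222.bbbb", "10.1.1.99")
    r["dai_trusted"] = sw.arp_inspect("Gi0/1", 10, "0000.ffff.0001", "10.1.1.1")
    r["errdisabled"] = sorted(sw.errdisabled)
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:16} {value}")
```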



Securing Switches
Configure secure passwords
o Configure switches with secure passwords
o Protect all the lines
o Enable secret password for privilege mode
o Service password-encryption for password encryption
o AAA servers can be used for authentication

Use system banners
o Banners display a message at the time of user login
o This message can be used to warn unauthorized users
o or as a welcome message to authorized users
o banner motd configures the login message

Secure the web interface
o The web interface can be disabled with no ip http server
o Switches can be accessed with the HTTPS web interface if it is supported
ip http secure-server
access-list acl-no permit ip-address match
ip http access-class acl-no

Secure the switch console
o Switch console connectivity needs to be secured even though physical security is implemented at wiring closets and the datacenter

Secure virtual terminal access
o Only authorized hosts should be allowed to access switch vty lines
access-list acl-no permit ip-address match
line vty 0 15
access-class acl-no in
show users all

Use SSH whenever possible
o Telnet sessions are not secure because session data goes as clear text characters
o SSH uses strong encryption to secure session data
o It's always better to use SSH as the transport input
o SSHv2 is more secure than v1 and v1.5

Secure SNMP access
o To prevent unauthorized configuration changes, RW SNMP access can be disabled
no snmp-server community string RW
o RO SNMP access can be configured with an access-list to limit the source addresses that have read-only access

Secure unused switch ports
o Every unused switchport should be disabled to prevent users from using them
o Every user switchport should be configured as an access port, so that trunk negotiation can't happen
o switchport host can be applied to support only one PC on a switchport

Secure STP operation
o Malicious users can inject STP BPDUs to disrupt the STP loop-free topology
o The BPDU guard feature can be enabled to prevent unexpected BPDUs

Secure CDP usage
o CDP packets are sent out every 60 seconds
o It's recommended to enable CDP only on the ports where trusted Cisco devices are connected
o This prevents advertising unnecessary information to listening attackers
o CDP must be enabled on ports where IP phones appear
o no cdp enable disables CDP on an interface

LESSON 17: SECURE VLANS

VACLs
VACL: VLAN ACL
The traffic between VLANs can be filtered with ACLs
ACLs (Router ACLs, RACL) are compiled and fed into TCAM
VLAN ACLs are filters that can control traffic within a VLAN
VACLs are also compiled and fed into TCAMs
VACLs are similar to route-maps (with a series of matching conditions and actions to take)

First a VLAN access map is created that consists of statements with sequence numbers
Each statement can contain one or more matching conditions, followed by an action
Matching conditions can be verified by IP, IPX or MAC address ACLs
They are evaluated in sequence by sequence number
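Added example (not part of the course notes) showing how a VLAN access map is evaluated: statements in sequence-number order, each matching by an IP or MAC ACL and carrying a forward/drop action. Access-map and ACL names and addresses are constructed; the no-match default (drop when the map has a statement for that packet type, forward when it has none) follows Catalyst VLAN-map behaviour.

```python
"""Added example (not from the course notes): a model of how a VLAN access map
is evaluated. Map names, ACL contents and addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


# An IP ACL is a list of (action, source network, destination network) with the usual
# implicit deny at the end; a MAC ACL is a list of (action, source MAC or "any").
def ip_acl(*entries: Tuple[str, str, str]) -> List[tuple]:
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in entries]


def ip_acl_permits(acl: List[tuple], pkt: Dict[str, str]) -> bool:
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def mac_acl_permits(acl: List[Tuple[str, str]], pkt: Dict[str, str]) -> bool:
    for action, mac in acl:
        if mac in ("any", pkt["src_mac"]):
            return action == "permit"
    return False


class VlanAccessMap:
    """Sequence-numbered statements, each with one match ACL and an action."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[int, str, list, str]] = []  # (seq, kind, acl, action)

    def add(self, seq: int, kind: str, acl: list, action: str) -> None:
        assert kind in ("ip", "mac") and action in ("forward", "drop")
        self.entries.append((seq, kind, acl, action))
        self.entries.sort(key=lambda e: e[0])

    def evaluate(self, pkt: Dict[str, str]) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number of the matching statement or None)."""
        kind = "ip" if "src" in pkt else "mac"
        for seq, k, acl, action in self.entries:
            if k != kind:
                continue
            matched = ip_acl_permits(acl, pkt) if k == "ip" else mac_acl_permits(acl, pkt)
            if matched:  # a deny in the ACL means "no match": go on to the next statement
                return action, seq
        # No statement matched: the packet is dropped when the map has at least one
        # statement for this packet type, and forwarded when it has none.
        has_kind = any(k == kind for _, k, _, _ in self.entries)
        return ("drop" if has_kind else "forward"), None


def scenario() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed map for VLAN 10: block direct access to the database server
    10.1.10.5, forward other IP traffic, and drop frames from one known-bad MAC."""
    vmap = VlanAccessMap("vlan10-filter")
    vmap.add(10, "ip", ip_acl(("permit", "10.1.10.0/24", "10.1.10.5/32")), "drop")
    vmap.add(20, "ip", ip_acl(("permit", "0.0.0.0/0", "0.0.0.0/0")), "forward")
    vmap.add(30, "mac", [("permit", "0000.dead.beef")], "drop")
    ip_only = VlanAccessMap("ip-only")  # a map with IP statements only
    ip_only.add(10, "ip", ip_acl(("permit", "10.1.10.0/24", "10.1.10.5/32")), "drop")
    return {
        "to_db": vmap.evaluate({"src": "10.1.10.20", "dst": "10.1.10.5"}),
        "to_other": vmap.evaluate({"src": "10.1.10.20", "dst": "10.1.10.7"}),
        "bad_mac": vmap.evaluate({"src_mac": "0000.dead.beef"}),
        # unmatched non-IP frame on a map that has a MAC statement: dropped by default
        "other_mac": vmap.evaluate({"src_mac": "0000.1111.2222"}),
        # unmatched non-IP frame on a map with no MAC statement: forwarded by default
        "non_ip_on_ip_only": ip_only.evaluate({"src_mac": "0000.1111.2222"}),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:18} {value}")
```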


Private VLANs
In some cases, the hosts in a VLAN need not communicate with each other
But they need to communicate with a common gateway
Private VLANs can be used to solve these issues
Private VLANs are special VLANs that allow traffic only between specified VLANs
Private VLANs are of two types
o Primary VLAN
o Secondary VLAN
Secondary VLANs must be associated with primary VLANs
Secondary VLANs cannot communicate with each other
Secondary VLANs can communicate only with the associated primary VLANs
VTP does not carry any information about private VLANs
Private VLANs are locally specific to the switch

Secondary VLANs are of two types
o Isolated
o Community

Ports associated with   Communication with same vlan ports   Communication with other secondary vlan ports   Communication with primary vlan ports
Isolated                No                                   No                                              Yes
Community               Yes                                  No                                              Yes

Private VLAN port types
o Promiscuous
  The switchport communicates with anything else connected to the primary or secondary VLANs
  Typically connected to a router, firewall or common gateway device
o Host
  The switchport connects to a regular host that resides on an isolated or community VLAN
  This port communicates with a promiscuous port or same community VLAN ports

Private VLAN Configuration

Private VLAN configuration Example 1

Configuring Ports with Private VLANs
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit

Switch(config)# interface range fa 0/1 - 5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10

Switch(config)# interface range fa 0/6 - 10
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 20

Switch(config)# interface range fa 0/11 - 16
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30

Switch(config)# interface fa 0/24
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30

Private VLAN configuration Example 2

Associating secondary VLANs to the primary VLAN SVI
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50
Switch(config-vlan)# exit
Switch(config)# interface vlan 200
Switch(config-if)# ip address 192.168.200.1 255.255.255.0
Switch(config-if)# private-vlan mapping 40,50
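Added example (not part of the course notes) that models the private VLAN forwarding rules and applies them to the port layout of configuration example 1 (community VLANs 10 and 20, isolated VLAN 30, primary VLAN 100, promiscuous port Fa0/24); it also derives the isolated/community table given earlier from those rules. The rule functions are my own, not switch code.

```python
"""Added example (not from the course notes): a model of private VLAN forwarding
rules applied to the port layout of configuration example 1."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                              # "promiscuous" or "host"
    primary: int
    secondary: Optional[int] = None        # host ports: their isolated/community VLAN
    mapping: FrozenSet[int] = frozenset()  # promiscuous ports: secondaries mapped to them


@dataclass
class Pvlan:
    primary: int
    secondaries: Dict[int, str]  # secondary VLAN id -> "isolated" or "community"

    def can_forward(self, a: PvlanPort, b: PvlanPort) -> bool:
        """Can a frame from port a reach port b?"""
        if a.primary != self.primary or b.primary != self.primary:
            return False
        if a.mode == "promiscuous" and b.mode == "promiscuous":
            return True
        if a.mode == "promiscuous":          # promiscuous talks to every mapped secondary
            return b.secondary in a.mapping
        if b.mode == "promiscuous":
            return a.secondary in b.mapping
        # two host ports: only within the same community VLAN, never between
        # isolated ports and never between different secondary VLANs
        return a.secondary == b.secondary and self.secondaries[a.secondary] == "community"


def example_switch() -> Tuple[Pvlan, Dict[str, PvlanPort]]:
    """Port layout of configuration example 1 (Fa0/1-5 in 10, Fa0/6-10 in 20,
    Fa0/11-16 in 30, Fa0/24 promiscuous mapped to 10,20,30)."""
    pv = Pvlan(100, {10: "community", 20: "community", 30: "isolated"})
    ports: Dict[str, PvlanPort] = {}
    for i in range(1, 6):
        ports[f"Fa0/{i}"] = PvlanPort(f"Fa0/{i}", "host", 100, 10)
    for i in range(6, 11):
        ports[f"Fa0/{i}"] = PvlanPort(f"Fa0/{i}", "host", 100, 20)
    for i in range(11, 17):
        ports[f"Fa0/{i}"] = PvlanPort(f"Fa0/{i}", "host", 100, 30)
    ports["Fa0/24"] = PvlanPort("Fa0/24", "promiscuous", 100, mapping=frozenset({10, 20, 30}))
    return pv, ports


def reachable(src: str, dst: str) -> bool:
    pv, ports = example_switch()
    return pv.can_forward(ports[src], ports[dst])


def communication_table() -> Dict[str, Dict[str, bool]]:
    """Rebuild the notes' table (same VLAN / other secondary / primary) from the rules."""
    return {
        "isolated": {"same vlan": reachable("Fa0/11", "Fa0/12"),
                     "other secondary": reachable("Fa0/11", "Fa0/1"),
                     "primary": reachable("Fa0/11", "Fa0/24")},
        "community": {"same vlan": reachable("Fa0/1", "Fa0/2"),
                      "other secondary": reachable("Fa0/1", "Fa0/6"),
                      "primary": reachable("Fa0/1", "Fa0/24")},
    }


if __name__ == "__main__":
    for kind, row in communication_table().items():
        print(kind, row)
```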

Securing VLAN trunks
If the switch port is left in the default configuration (dynamic desirable),
the attacker PC may send DTP packets to negotiate a trunk and the port becomes a trunk port
So the attacker may get access to other VLANs' data
To avoid these attacks, the switchport should be configured in access mode if a PC is connected
DTP negotiation will not happen if the port is set to access mode

VLAN Hopping Attack
VLAN hopping attacks occur because of the use of untagged native VLANs
These attacks can be avoided by
o Setting the native VLAN of a trunk to a bogus or unused VLAN ID
o Pruning the native VLAN at both ends of the trunk link
Even though the native VLAN is pruned from the trunk link, CDP, PAgP and DTP still carry management information as a special case
The switch carries management information on the native VLAN, even though the native VLAN is not in the list of allowed VLANs

VLAN Hopping Attacks - Security Configuration Example

Configuring an 802.1Q trunk to carry only VLANs 10 and 20
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gig 0/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk

Another method to avoid VLAN hopping attacks is to force the native VLAN to be tagged
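Added example (not part of the course notes): an audit script that reads a running-config extract and reports the weaknesses covered in the trunk-securing and VLAN hopping sections, i.e. ports left at the dynamic desirable default, trunks on the default native VLAN 1, and trunks whose native VLAN is still allowed. The configuration text is constructed; the global command `vlan dot1q tag native` for forcing the native VLAN to be tagged is assumed to be available on the platform.

```python
"""Added example (not from the course notes): audit a running-config extract for
the trunk and host-port weaknesses described in the notes. The configuration
text is constructed; 'vlan dot1q tag native' is assumed available on the platform."""
from typing import Dict, List, Set, Tuple

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if part.strip():
            lo, _, hi = part.strip().partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style text into global commands and per-interface sub-commands."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def allowed_vlans(lines: List[str]) -> Set[int]:
    """Apply 'switchport trunk allowed vlan ...' forms in order; the default is all VLANs."""
    allowed = set(ALL_VLANS)
    for line in lines:
        words = line.split()
        if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
            continue
        op, rest = words[4], ",".join(words[5:])
        if op == "add":
            allowed |= parse_vlan_list(rest)
        elif op == "remove":
            allowed -= parse_vlan_list(rest)
        elif op == "except":
            allowed = ALL_VLANS - parse_vlan_list(rest)
        else:                       # an explicit list replaces the current set
            allowed = parse_vlan_list(op)
    return allowed


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (interface or 'global', finding) pairs."""
    findings: List[Tuple[str, str]] = []
    global_cmds, interfaces = parse_config(text)
    if "vlan dot1q tag native" not in global_cmds:
        findings.append(("global", "native VLAN frames leave trunks untagged; "
                                   "'vlan dot1q tag native' forces the native VLAN to be tagged"))
    for name, lines in interfaces.items():
        mode = native = None
        for line in lines:
            words = line.split()
            if words[:2] == ["switchport", "mode"]:
                mode = words[2]
            elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
                native = int(words[4])
        if mode in (None, "dynamic"):   # default dynamic desirable: DTP can negotiate a trunk
            findings.append((name, "no fixed switchport mode; use 'switchport mode access' for host ports"))
        elif mode == "trunk":
            native_vlan = native if native is not None else 1
            if native_vlan == 1:
                findings.append((name, "trunk uses default native VLAN 1; set an unused VLAN"))
            if native_vlan in allowed_vlans(lines):
                findings.append((name, f"native VLAN {native_vlan} is still allowed on the trunk; "
                                       f"prune it with 'switchport trunk allowed vlan remove {native_vlan}'"))
    return findings


# Constructed running-config extract: Gi0/1 is a weak trunk, Gi0/2 follows the notes'
# hardened example, Fa0/1 is a hardened host port and Fa0/2 was left at its defaults.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan remove 800
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description left at defaults
"""

if __name__ == "__main__":
    for where, finding in audit(WEAK_CONFIG):
        print(f"{where:20} {finding}")
```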


LESSON 18: WLANS

Wireless
A shared Ethernet segment works at half duplex
A switched Ethernet segment works at full duplex
WLAN operates at half duplex
Full duplex is possible in WLAN if transmitting and receiving frequencies are different
802.11 standards permit only half-duplex
802.3 uses the CSMA/CD mechanism, 802.11 uses the CSMA/CA mechanism

Collisions
When a transmitting wireless station transmits a frame, the receiving wireless station must send an acknowledgement to confirm the frame is received error-free
802.11 uses the CSMA/CA mechanism, which tries to avoid collisions by setting a random back-off timer
WLAN uses the DCF (distributed coordination function) process, which tries to avoid collisions
In 802.11 every station has to wait for a short amount of time called DIFS (DCF interframe space) before transmitting anything

DCF Process

RTS/CTS Mechanism

WLAN
In WLAN, clients communicate with an intermediate AP (access point)
The AP matches some parameters before accepting any client association
o SSID
o Compatible wireless data rate
o Authentication credentials
SSID is the Service Set Identifier, a text string included in every wireless frame
Generally the SSID is the AP's wireless card MAC address
SSID is similar to a VLAN ID in switching networks

IBSS
BSS
ESS

AP Operation
The AP is responsible for maintaining the WLAN
It can cover a limited number of clients
Multiple APs can be used to cover more clients
The AP connects the wireless network with the wired network
The AP supports open authentication or shared key authentication

Mapping VLANs to SSIDs
The AP uses multiple SSIDs and maps them to VLANs
End users will use the appropriate SSID that has been mapped to the respective VLAN

Cell
A cell is the coverage area of an AP
Cell range is defined by AP capacity and antenna pattern
The cell pattern is 3-dimensional
AP location must be carefully planned with live measurements of signal strength and quality
All the clients must be placed within the cell for AP association
Small cells are called microcells and very small cells are picocells

Roaming
To cover a wide area, more APs can be used
Adjacent APs can use different frequencies to avoid interference in the overlapping area
Moving a client association from AP to AP is called roaming
If the client keeps the same IP while roaming, it is called L2 roaming
If the client changes its IP while roaming, it is called L3 roaming

Traditional WLAN architecture
In a traditional WLAN, the AP works as an autonomous AP having its own security policies
It becomes very difficult to manage the network if many autonomous APs exist




Cisco Unified WLAN Architecture
Cisco Unified WLAN architecture provides centralized capabilities
o WLAN security
o WLAN deployment
o WLAN management
o WLAN control

WLAN Architectures Comparison

Cisco Unified WLAN Architecture Features
LAP: Lightweight Access Point
o The LAP performs only the real-time 802.11 operation
WLC: Wireless LAN Controller
o All management functions are performed on the WLC
o The LAP totally depends on the WLC
o A WLC is common to many LAPs

LAP and WLC form a tunnel between them to carry 802.11 related messages and client data
LAP and WLC need not be on the same subnet or VLAN
The tunnel encapsulates the data between the LAP and WLC within new IP packets
The tunneled data can be switched or routed across the campus network

WLC Functions
Dynamic Channel Assignment
o Chooses and configures the RF channel used by each LAP
Transmit Power Optimization
o Sets the transmit power of each LAP based on the coverage area needed
Self-healing Wireless Coverage
o If a LAP radio dies, the coverage area is healed by turning up the surrounding LAPs
Flexible Client Roaming
o Clients can have L3 or L2 roaming with very fast roaming times
Dynamic Client Load Balancing
o If several LAPs cover the same area, load balancing occurs
RF Monitoring
o Gathers information about RF interference, noise and signals from surrounding APs
Security Management
o The WLC negotiates security parameters before accepting a client association

WLC Platforms

Model                           Interface                                              Attribute
2100                            8 10/100 TX                                            Handles up to 6, 12, 25 LAPs
4402                            2 GigE                                                 Handles up to 12, 25, 50 LAPs
4404                            4 GigE                                                 Handles up to 100 LAPs
5500                            8 GigE                                                 Handles up to 12, 25, 50, 100, 250 LAPs
WiSM                            4 GigE bundled in an etherchannel for each controller  Catalyst 6500 module with two WLCs; handles up to 300 LAPs (150 per controller); up to 5 WiSMs in a single chassis
WLC module for ISR routers      Can be integrated in 2800 and 3800 routers             Handles up to 6, 8, 12, 25 LAPs
Catalyst 3750G integrated WLC   Integrated in 24-port 10/100/1000 TX switch            Handles up to 50 LAPs per switch, up to 200 LAPs per switch stack

WCS
WCS: Wireless Control System
WCS is an optional server platform that can be used as a single GUI front-end to all WLCs in a campus network
WCS can locate a wireless client by triangulating the client's signal as received by multiple APs
802.11 RFID tags can be deployed to track objects as they move around in the wireless coverage area

LAP
The LAP is designed for zero-touch configuration
The LAP finds the WLC and obtains its configuration parameters from the WLC

The LAP can maintain a list of up to three WLCs (primary, secondary, tertiary)
The LAP is always joined and bound to one WLC at any time
If the WLC fails, the LAP reboots and searches for a live WLC again
Client associations are dropped and no data passes during this time
HREAP (Cisco Hybrid Remote Edge Access Point) is a special case, where LAPs are separated from the WLC by a WAN link
HREAP works like an autonomous AP

Traffic Pattern

Roaming
To make client roaming faster and easier, all client associations can be managed in a central location
The LAP supports L2 and L3 roaming with the help of the WLC
The client association is always contained within the LWAPP or CAPWAP tunnel

Intra Controller Roaming
Inter Controller Roaming - L2

Inter Controller Roaming - L3

Mobility Groups
In inter-controller roaming, WLCs must exchange client association information
For this, WLCs are configured into logical mobility groups
A client can roam to any LAP and its associated WLC within the mobility group
If the client moves to a LAP in a different mobility group, the WLC drops the session information, client association and IP address
A mobility group can have up to 24 WLCs of any platform
The number of LAPs in a mobility group depends on the number of WLCs

Autonomous AP

Light Weight AP



