CCNP Switching Study Guide v1.21 – Aaron Balchunas
___________________________________________
Aaron Balchunas
aaron@routeralley.com
http://www.routeralley.com
________________________________________________
Foreword:
This document is freely given, and can be freely distributed. However, the
contents of this document cannot be altered, without my written consent.
Nor can this document be sold or published without my expressed consent.
I sincerely hope that this document provides some assistance and clarity in
your studies.
________________________________________________
***
All original material copyright © 2007 by Aaron Balchunas (aaron@routeralley.com),
unless otherwise noted. All other material copyright © of their respective owners.
This material may be copied and used freely, but may not be altered or sold without the expressed written
consent of the owner of the above copyright. Updated material may be found at http://www.routeralley.com.
CCNP Switching Study Guide v1.21 – Aaron Balchunas 2
Table of Contents
Part I – General Switching Concepts
Section 1 Ethernet Standards
Section 2 Hubs vs. Switches vs. Routers
Section 3 Switching Models
Section 4 Switching Tables
________________________________________________
Part I
General Switching Concepts
________________________________________________
Section 1
- Ethernet -
What is Ethernet?
Ethernet has become the standard technology used in LAN networking. Over
time, the Ethernet standard has evolved to satisfy bandwidth requirements,
resulting in various IEEE “categories” of Ethernet:
• 802.3 - Ethernet (10 Mbps)
• 802.3u - Fast Ethernet (100 Mbps)
• 802.3z or 802.3ab - Gigabit Ethernet (1000 Mbps)
Various subsets of these Ethernet categories exist, operating at various speeds,
distances, and cable types:
Standard      Cable Type            Speed      Max. Distance
10base2       Coaxial (thinnet)     10 Mbps    185 meters
10base5       Coaxial (thicknet)    10 Mbps    500 meters
10baseT       Twisted-pair          10 Mbps    100 meters
100baseT      Twisted-pair          100 Mbps   100 meters
1000baseSX    Fiber (multi-mode)    1 Gbps     up to 550 meters
1000baseLX    Fiber (single-mode)   1 Gbps     up to 5 km
Even though the term “Ethernet” is widely used to describe any form of
Ethernet technology, technically the term refers to the 10 Mbps category.
The most common implementation of Ethernet is over Category 5 twisted-
pair cable, with a maximum distance of 100 meters.
Fast Ethernet
Full Duplex Fast Ethernet allows devices connected to a switch to both send
and receive simultaneously, doubling the bandwidth to 200 Mbps per port.
Many switches (and hubs) support both Ethernet and Fast Ethernet, and are
commonly referred to as 10/100 switches. These switches will auto-
negotiate both port speed and duplex.
Gigabit Ethernet
Gigabit Ethernet operates at 1000 Mbps, and can be utilized over Category
5e twisted-pair (1000baseT) or fiber cabling (1000baseSX or 1000baseLX).
Gigabit Ethernet over copper is defined in the IEEE 802.3ab standard.
Full Duplex Gigabit Ethernet allows devices connected to a switch to both
send and receive simultaneously, doubling the bandwidth to 2000 Mbps.
Newer switches can support Ethernet, Fast Ethernet, and Gigabit Ethernet
simultaneously, and are often referred to as 10/100/1000 switches. Again,
switches and devices can auto-negotiate both speed and duplex.
10 Gigabit Ethernet has also been developed, defined in the IEEE 802.3ae
standard, which originally specified operation over fiber cabling only; 10
Gigabit Ethernet over twisted-pair copper (10GBASE-T) was added later by
IEEE 802.3an.
Twisted-Pair Cabling
Twisted-pair cable usually contains 2 or 4 pairs of wire, which are twisted
around each other to reduce crosstalk. Crosstalk is a form of
electromagnetic interference (EMI) or “noise” that reduces the strength and
quality of a signal. It is caused when the signal from one wire “bleeds” or
interferes with another wire’s signal.
Twisted-pair cabling can be either shielded or unshielded. Shielded twisted-
pair is more resistant to external EMI. Fluorescent light ballasts,
microwaves, and radio transmitters can all create EMI.
There are various categories of twisted-pair cable, distinguished by how
tightly the pairs are twisted and by the bandwidth they are rated for:
• Category 3 (rated to 16 MHz, sufficient for 10baseT)
• Category 5 (rated to 100 MHz, with more twists per inch than
Category 3)
• Category 5e (also rated to 100 MHz, but with tighter crosstalk
specifications, which is what allows 1000baseT to use all four pairs)
Category 5 (and 5e) twisted-pair cabling usually contains four pairs of wire
(eight wires total), and each wire is assigned a color, one solid and one
striped wire per pair:
• White Orange and Orange
• White Green and Green
• White Blue and Blue
• White Brown and Brown
The pins are completely reversed on one end to make a rollover cable:
Section 2
- Hubs vs. Switches vs. Routers -
“Layered” Communication
The OSI model represents seven “layers” that define how network
communication should occur.
As data “travels” from the user application down the layers of the OSI
model, each of the lower layers adds a header (and sometimes a trailer)
containing information specific to that layer. The process of adding these
headers is called encapsulation, and the unit of data handled at each layer
(that layer’s header plus everything handed down from the layers above it)
is called that layer’s Protocol Data Unit (PDU).
Depending on what layer we are looking at, the data’s PDU is identified
with different terms:
Layer          PDU
Application    Data
Presentation   Data
Session        Data
Transport      Segments
Network        Packets
Data-link      Frames
Physical       Bits
When we identify the layer that certain devices operate at, we are actually
identifying what “header” or “PDU” that device looks at. For example, we
usually identify switches as Layer 2 devices, because switches look for
MAC address information stored in the Data-Link header of a frame.
Similarly, we identify routers as Layer 3 devices, because routers look for
logical (usually IP) addressing information in the Network header of a
packet.
However, switches can also operate at higher layers of the OSI model, as
described on subsequent pages in this guide.
Layer 1 Hubs
Hubs are Layer 1 devices that physically connect network devices together
for communication.
Hubs do not look at the Data-Link header, and thus cannot make intelligent
forwarding decisions based on MAC address. Thus, hubs will always
forward every frame, including unicasts, out every port, excluding the port
that frame originated from.
Ethernet hubs operate at half-duplex. At half duplex, devices can either
transmit or receive data, but not simultaneously.
Half-duplex Ethernet uses Carrier Sense Multiple Access with Collision
Detection (CSMA/CD) to control media access. Devices monitor the physical
link, and will only transmit a frame if the link is idle. If two devices
transmit a frame simultaneously, a collision occurs. When a collision is
detected, both NICs back off for a random amount of time before resending
their respective frames.
All ports on a hub belong to the same collision domain. If devices
connected to a hub send a frame simultaneously, a collision will occur.
Hubs belong to only one broadcast domain. A hub will forward both
broadcasts and multicasts out every port, except for the port the broadcast or
multicast originated from. Only Layer 3 devices, such as routers, can
break up broadcast domains.
Layer 2 Switching
Layer-2 switches build MAC address tables that allow them to make
intelligent forwarding decisions on frames. The MAC address table
maintains a list of MAC addresses and the switch port those MACs are
associated with. Layer 2 switches are also referred to as multi-port
transparent bridges.
When a Layer-2 switch is first powered on, it will flood every frame,
including unicasts, out every port (excluding the port the frame originated
from).
Switches will build their MAC address tables by looking at the source MAC
address on each frame.
Layer 3 Routing
Layer 3 Routing is the process of sending a packet of information from one
network to another network. Thus, routes are usually based on the
destination network, and not the destination host (host routes can exist, but
are used only in rare circumstances). A Layer 3 router looks at the Network
layer header of packets for this logical addressing information.
To route, routers build routing tables that contain the following:
• The destination network and subnet mask
• The “next hop” router to get to the destination network
• Routing metrics and Administrative Distance
The routing table is concerned with two types of protocols:
• A routed protocol is a layer 3 protocol that applies logical addresses
to devices and routes data between networks. Examples would be IP
and IPX.
• A routing protocol dynamically builds the network, topology, and
next hop information in routing tables. Examples would be RIP,
IGRP, OSPF, etc.
Each port on a Layer 3 router belongs to its own collision domain. Thus,
routers are like switches, in that they create more collision domains, which
results in fewer collisions.
However, unlike Layer 2 switches, Layer 3 routers also break up broadcast
domains. As a rule, routers will never forward broadcasts from one network
to another network. Routers, by default, will not forward multicasts either,
unless they are configured to participate in a multicast tree.
Layer 3 routers must examine the Network layer header of each packet
before that data can be “routed.” On a traditional software-based router,
each packet consumes CPU cycles as it passes through, resulting in latency;
such routers lack the ASICs that allow forwarding to occur at “wire speed.”
Thus, routing on such a router is always slower than switching.
In the above example, there are THREE broadcast domains, and EIGHT
separate collision domains.
• Each port coming off a router creates a separate broadcast AND
collision domain.
• Each port of a switch creates a separate collision domain.
• Hubs belong to only one collision domain, and switches and hubs both
only belong to one broadcast domain.
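The three rules above can be applied mechanically. The following is an added example, not code from the guide: it counts collision and broadcast domains in a topology described as a list of cables, treating a hub as transparent to both kinds of domain, a switch as transparent to broadcasts only, and a router as transparent to neither. The topology at the bottom is constructed for this example (it is not the guide's missing figure), and VLANs are not modelled.

```python
"""Added example (not part of the original guide): count collision and
broadcast domains in a topology by applying the three rules above. A hub
joins all of its ports into one collision domain; a switch separates
collision domains but joins its ports into one broadcast domain (no
VLANs are modelled); a router separates both. The topology at the bottom
is constructed for this example and is not the guide's figure.
"""
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str]  # a cable between two device names


def _count_domains(devices: Dict[str, str], links: List[Link],
                   transparent: Set[str]) -> int:
    """Every cable starts as its own domain; a device whose type is in
    `transparent` merges the domains of all cables attached to it."""
    parent = list(range(len(links)))  # union-find over cable indexes

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    attached: Dict[str, List[int]] = {}
    for idx, (a, b) in enumerate(links):
        for dev in (a, b):
            if dev not in devices:
                raise ValueError(f"link {links[idx]} names unknown device {dev!r}")
            attached.setdefault(dev, []).append(idx)

    for dev, idxs in attached.items():
        if devices[dev] in transparent:
            for i in idxs[1:]:
                union(idxs[0], i)
    return len({find(i) for i in range(len(links))})


def collision_domains(devices: Dict[str, str], links: List[Link]) -> int:
    """Only hubs (and repeaters) extend a collision domain across ports."""
    return _count_domains(devices, links, {"hub"})


def broadcast_domains(devices: Dict[str, str], links: List[Link]) -> int:
    """Hubs and switches both extend a broadcast domain; routers end it."""
    return _count_domains(devices, links, {"hub", "switch"})


# Constructed topology: router R1 has three ports. One goes to switch S1,
# which serves hosts A and B and hub H1 (hosts C and D); one goes to hub
# H2 (hosts E and F); one goes directly to host G.
EXAMPLE_DEVICES = {"R1": "router", "S1": "switch", "H1": "hub", "H2": "hub",
                   **{h: "host" for h in "ABCDEFG"}}
EXAMPLE_LINKS = [("R1", "S1"), ("S1", "A"), ("S1", "B"), ("S1", "H1"),
                 ("H1", "C"), ("H1", "D"), ("R1", "H2"), ("H2", "E"),
                 ("H2", "F"), ("R1", "G")]

if __name__ == "__main__":
    print("collision domains:", collision_domains(EXAMPLE_DEVICES, EXAMPLE_LINKS))  # 6
    print("broadcast domains:", broadcast_domains(EXAMPLE_DEVICES, EXAMPLE_LINKS))  # 3
```

For the constructed topology the three router ports yield three broadcast domains; the two hubs each collapse their cables into one collision domain, while every switch and router port, and the direct link to G, counts separately, for six collision domains in total.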
Layer 3 Switching
Layer 3 switches, like any VLAN-capable switch, group ports together into
separate Virtual LANs (VLANs). Each VLAN is a separate broadcast domain,
and usually a separate IP subnet. Broadcasts from one VLAN will never be
forwarded to another VLAN.
Layer 3 switches look at both the Data-link and Network layer headers, for
MAC address and IP address information respectively. Thus, Layer 3
switches can make intelligent forwarding decisions based on both hardware
and logical addresses. Layer 3 switches use routing modules to allow routing
to occur between logical networks. This is called interVLAN routing.
Layer 3 switches keep track of IP address traffic flows. Consider the
following diagram:
(Figure: Computer A in VLAN1 and Computer B in VLAN2, each attached to a
Layer 3 switch)
Layer 4 Switching
Layer 4 switches, like Layer 3 switches, will examine both the Data-link and
Network layer headers, for MAC address and IP address information
respectively. Thus, Layer 4 switches will also make intelligent forwarding
decisions based on both hardware and logical addresses.
However, Layer 4 switches also examine the Transport layer header of a
segment for TCP and UDP port number information. Thus, Layer 4 switches
not only cache IP address traffic flows, but also Layer 4 application flows.
(Figure: a Client in VLAN1 and a Webserver in VLAN2, each attached to a
Layer 4 switch)
Consider the above example. If the Client requests data from the Webserver,
the Layer 4 switch will add the Client’s MAC address to the MAC table.
The Layer 4 switch will also cache the IP traffic flow between the Client and
the Webserver, allowing subsequent information to be switched instead of
routed, to reduce latency.
The Layer 4 switch will further cache the Application traffic flow, based on
TCP or UDP port number, between the Client and Webserver. In this case,
The Client will be accessing TCP port 80 on the Webserver.
Caching application traffic flows allows administrators to apply QoS
(Quality of Service) to specific applications. In the above example, we
could provide a higher level of service (i.e., more bandwidth) to HTTP than
to any other application flow.
Layer 4 switches require more memory than Layer 2 or 3 switches to keep
track of application traffic flows.
Multilayer Switching
Multilayer switching is a generic term that describes devices that support
Layer 2, Layer 3, and Layer 4 switching.
Thus, multilayer switches have the following characteristics:
• Build MAC address tables associating MACs with switch ports
• Cache IP (or logical) address traffic flows
• Cache TCP or UDP (application) traffic flows
• Apply QoS to traffic flows
A key characteristic of Multilayer switches is the ability to “switch” Layer 2
frames, Layer 3 packets, and Layer 4 segments at wire speed. This ability is
provided by hardware ASICs, and ensures less latency than Layer 3 routers.
Section 3
- Switching Models -
Network Traffic Models
When designing scalable, efficient networks, it is critical to consider how
traffic “flows” through the network, rather than simply concentrating on the
type of traffic. A traffic flow is a map of the path data takes to get from a
source to a destination, and the type of data being transmitted.
Originally, proper network design followed the 80/20 rule, which dictates
that 80 percent of the traffic remains on the local network, and only 20
percent should be routed to another network. This allowed a majority of the
traffic to be switched instead of routed, and thus latency was reduced.
Servers and resources were thus placed close to the users that required them.
However, the architecture of networks has been changing. Instead of placing
“workgroup” servers in every local network, many organizations have
centralized their resources. Internet web servers, email servers, and IP
telephony are examples of this trend. Thus, a majority of traffic must be
“routed” to a centralized network. This concept is identified as the 20/80
rule.
Because routing introduces more latency than switching, the 20/80 rule has
dictated a need for a faster Layer 3 technology, namely Layer 3 switching.
(Figure: the three-layer hierarchical design, with Access, Distribution, and
Core layer switches)
• Access Layer – The Access Layer is where the end user connects into
the network. Access Layer switches generally have a high number of
low-cost ports per switch, and VLANs are usually configured at this
Layer. In a distributed environment (80/20 rule), servers and other
such resources are kept close to users in the Access Layer.
• Distribution Layer – The Distribution Layer provides end users with
access to the Core (backbone) Layer. Security (using access-lists) and
QoS are usually configured at the Distribution Layer.
• Core Layer – The Core Layer is the “backbone” of the network. The
Core Layer is concerned with switching data quickly and efficiently
between all other “layers” or “sections” of the network. In a
centralized environment (20/80 rule), servers and other such
resources are placed in their own “dedicated” Access Layer, and the
Core Layer must switch traffic from all other Access Layers to this
Server Block.
(Figure: a Core Block connecting a Switch Block, a Server Farm Block holding
the servers, and an Enterprise Edge Block whose Internet border router faces
the Internet, with redundant multilayer switches at the Distribution layer
of each block)
Cisco likes to break down network hierarchies into separate “blocks.” Notice
that the Core Block, which connects all other blocks, has redundant links to
all distribution layer switches.
The Switch Block contains the Distribution and Access Layer switches that
service end users. The Server Farm Block contains all network resources
that end users need access to. The Enterprise Edge Block connects this
Autonomous System to the Internet.
The above is an example of a Dual Core design, where there is a clearly
defined Core layer separated from the Distribution Layer. Network designs
that do not require a separately defined Core layer can instead combine the
functions of the Core and Distribution layers, in a Collapsed Core design.
Section 4
- Switching Tables -
The Layer 2 Switching “Process”
Layer 2 switches contain queues where frames are stored after they are
received and before they are sent.
When a Layer 2 switch receives a frame on a port, it places that frame in one
of the port’s ingress queues. When the switch decides which port that frame
should be sent out of, it places the frame in that port’s egress queue. If the
destination MAC address in the frame is not in the MAC address table, the
frame is placed in the egress queue of every port except the one it arrived
on, and is thus flooded throughout the network.
Each port can be configured with multiple ingress or egress queues. Using
Quality of Service (QoS), each queue can be assigned a different priority.
Thus, we can give a higher preference to more critical traffic, such as video
conferencing, by placing that traffic in a high priority queue.
Before a Layer 2 switch can take a frame from one port’s ingress queue to
another port’s egress queue, it must consult two tables:
• Content Addressable Memory (CAM), which is Cisco’s term for the
hardware table that holds the MAC address table. It can also be referred
to as the Layer 2 Forwarding Table.
• Ternary Content Addressable Memory (TCAM), which contains
access lists that can filter frames by MAC address, and QoS access-
lists to prioritize traffic. In multi-layer switches, the TCAM also
contains access lists to filter frames based on IP address or TCP/UDP
port.
Both the CAM and TCAM are specialized memories that return a match in a
single lookup rather than by searching (the “ternary” in TCAM adds a
“don’t care” state, which is how wildcard masks are matched in hardware),
so information lookup is quick. Throughout the rest of this guide, the
MAC address table will be referred to as the CAM.
Don’t be confused that the columns are labeled “destination” address and
“destination” port. The MAC address is always learned from the source
MAC. However, once the address is learned, that address is used as a
possible “destination” address for any new frames the switch receives.
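The learn-on-source, forward-on-destination behaviour described here and in the Layer 2 Switching section earlier can be modelled in a few dozen lines. The following is an added example, not code from the guide or from Cisco: a toy learning switch that learns the source MAC on ingress, forwards known unicasts out one port, floods unknown unicasts, broadcasts and multicasts, ages dynamic entries, and keeps static entries fixed. The port names, aging time, table capacity and the scenario in cam_overflow_demo are assumptions made for the example.

```python
"""Added example (not code from the original guide): a toy Layer 2
learning switch that behaves the way the text describes the CAM. It
learns the source MAC of every frame on ingress, forwards a known unicast
out a single port, floods unknown unicasts, broadcasts and multicasts out
every other port, ages dynamic entries out, and keeps static entries
fixed. Port names, the table capacity and the scenario below are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ffff.ffff.ffff"


@dataclass
class CamEntry:
    port: str
    learned_at: float      # when the entry was learned or last refreshed
    static: bool = False   # static entries never age out and never move


@dataclass
class LearningSwitch:
    ports: List[str]
    aging_time: float = 300.0  # seconds; 300 is the IOS default
    max_entries: int = 8       # assumed capacity of the toy CAM
    cam: Dict[str, CamEntry] = field(default_factory=dict)

    def add_static(self, mac: str, port: str) -> None:
        """Equivalent of 'mac address-table static <mac> ... interface <port>'."""
        self.cam[mac] = CamEntry(port, 0.0, static=True)

    def _age_out(self, now: float) -> None:
        expired = [mac for mac, e in self.cam.items()
                   if not e.static and now - e.learned_at > self.aging_time]
        for mac in expired:
            del self.cam[mac]

    def _learn(self, mac: str, port: str, now: float) -> None:
        entry = self.cam.get(mac)
        if entry is None:
            if len(self.cam) < self.max_entries:  # a full table learns nothing new
                self.cam[mac] = CamEntry(port, now)
        elif not entry.static:
            entry.port, entry.learned_at = port, now  # refresh, or follow a move

    def receive(self, in_port: str, src: str, dst: str, now: float) -> List[str]:
        """Return the egress ports for a frame src -> dst arriving on in_port."""
        self._age_out(now)
        self._learn(src, in_port, now)
        flood = [p for p in self.ports if p != in_port]
        is_group = int(dst[:2], 16) & 1  # I/G bit: set for broadcast and multicast
        if is_group or dst not in self.cam:
            return flood  # broadcast, multicast or unknown unicast
        out = self.cam[dst].port
        return [] if out == in_port else [out]  # same segment: filter the frame


def cam_overflow_demo() -> Dict[str, List[str]]:
    """Constructed scenario: a station on fa0/3 sources frames from enough
    bogus MACs to fill the table, after which hosts A (fa0/1) and B (fa0/2)
    cannot be learned and their unicast exchange is flooded to fa0/3 too."""
    sw = LearningSwitch(ports=["fa0/1", "fa0/2", "fa0/3"], max_entries=4)
    for i in range(4):
        sw.receive("fa0/3", f"dead.beef.{i:04x}", BROADCAST, now=0.0)
    a_to_b = sw.receive("fa0/1", "0000.0000.000a", "0000.0000.000b", now=1.0)
    b_to_a = sw.receive("fa0/2", "0000.0000.000b", "0000.0000.000a", now=2.0)
    return {"a_to_b": a_to_b, "b_to_a": b_to_a}
```

Because a full table learns nothing new, the unicast reply from B in cam_overflow_demo is flooded and reaches fa0/3 as well; this is the CAM table overflow problem, and the practical countermeasure is to limit how many MAC addresses an access port may learn (port security) rather than to rely on the size of the table.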
Please note, in earlier versions of the Cisco IOS (prior to 12.1), the
command syntax for the above commands contained an additional hyphen
between “mac” and “address”:
Switch(config)# mac-address-table aging-time 360
Switch(config)# mac-address-table static 0011.2233.4455 vlan 1 interface fa0/0
The Feature Manager (FM) will automatically integrate the access-lists into
the TCAM. Configuring the TCAM consists solely of creating the necessary
access-lists.
The values are the source of 172.16.0.0, and the destination of 172.17.1.1.
The masks in this case are 0.0.255.255 for the 172.16.0.0 source network,
dictating that the last two octets can be anything. A mask of 0.0.0.0 is given
to the destination host 172.17.1.1, indicating it must be an exact match.
The result in this case is either permit or deny. However, other results are
possible when using QoS access-lists, which are more concerned with
prioritizing traffic than filtering it.
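The value/mask/result matching described above is easy to reproduce in software. The following is an added example, not code from the guide: it parses IOS-style extended access-list entries (including the host and any keywords), applies the wildcard-mask comparison to a source and destination address, enforces the implicit deny at the end of the list, and converts a contiguous wildcard back to CIDR notation. The ACL lines and addresses are constructed for the example.

```python
"""Added example (not from the original guide): evaluate IOS-style
extended access-list entries with wildcard masks, mirroring the
value / mask / result triples the text describes for the TCAM. The ACL
lines and the addresses used are constructed for the example.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


class Ace(NamedTuple):
    action: str     # "permit" or "deny" (the TCAM "result")
    src: int        # value
    src_wild: int   # mask: 1 bits are "don't care", 0 bits must match
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens and tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if len(tokens) >= 2:
        return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]
    raise ValueError(f"incomplete address specification: {tokens}")


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit ip 172.16.0.0 0.0.255.255 host 172.17.1.1'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, src_wild, rest = _parse_spec(tokens[2:])
    dst, dst_wild, rest = _parse_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}: {rest}")
    return Ace(tokens[0], src, src_wild, dst, dst_wild)


def matches(addr: int, value: int, wildcard: int) -> bool:
    """Compare only the bits the wildcard marks as 0 ('must match')."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (value & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if matches(s, ace.src, ace.src_wild) and matches(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def wildcard_to_prefix(value: str, wildcard: str) -> Optional[str]:
    """Render value/wildcard as CIDR when the wildcard is contiguous
    (0.0.255.255 -> /16); return None for a non-contiguous mask such as
    0.0.0.254, which matches every even host address and has no CIDR form."""
    v, w = _ip(value), _ip(wildcard)
    if (w + 1) & w:  # the 1 bits must form a single run at the low end
        return None
    prefix_len = 32 - w.bit_length()
    network = v & ~w & ALL_ONES
    return f"{ipaddress.IPv4Address(network)}/{prefix_len}"
```

Order matters: an entry placed after a broader one that already matches the same traffic is never reached, so a specific deny that follows a general permit is silently ineffective. Checking a proposed list for such shadowed entries with evaluate is a useful sanity test before it goes into the TCAM.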
________________________________________________
Part II
Switch Configuration
________________________________________________
Section 5
- Basic Switch Management -
Catalyst Operating Systems
Catalyst switches, depending on the model, support one of two possible
operating systems:
• Catalyst OS (CatOS)
• IOS
The CatOS is an antiquated interface based on “set” commands. Retired
Catalyst models such as the 40xx and 50xx series supported the CatOS
interface.
Modern Catalyst switches support the Cisco IOS, enhanced with switching-
specific commands. Catalyst models that support the Cisco IOS include:
• 29xx series
• 35xx series
• 37xx series
• 45xx series
• 49xx series
• 65xx series
The Cisco IOS interface on Catalyst switches is nearly identical to that of the
router IOS (with the exception of the switching-specific commands). The
IOS is covered in great detail in other guides on this site, specifically:
• Router Components
• Introduction to the Cisco IOS
• Advanced IOS Functions
Some basic IOS concepts will be reviewed in this guide. For more
comprehensive information, please consult the above guides.
Lines identify ports that allow us to connect into, and then configure, Cisco
devices. Examples would include console ports, auxiliary ports, and VTY
(virtual terminal) lines, which carry Telnet or SSH sessions.
Just like interfaces, to configure a line, one must specify both the type of
line, and the line number (again, always begins at “0”). Thus, to configure
the first console line on a switch:
Switch(config)# line console 0
Switch(config-line)#
Enable Passwords
The enable password protects a switch’s Privileged mode. It can be set or
changed from Global Configuration mode with either of two commands:
Switch(config)# enable password MYPASSWORD
Switch(config)# enable secret MYPASSWORD2
The enable password command stores the password in the configuration in
clear text (or, if service password-encryption is enabled, in a trivially
reversible form), whereas enable secret stores only a one-way hash of it.
If both are configured, the secret is the one that is checked. Use enable
secret; configure enable password only when the configuration must also be
read by an old IOS image that does not support enable secret.
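To see why the distinction matters, the following added example (not code from the guide or from Cisco) reverses the type 7 form in which IOS stores an enable password once service password-encryption is on, and audits a configuration for enable credentials. Type 7 is an XOR against a fixed, publicly known key, so anyone who can read the configuration recovers the password; the hashed enable secret cannot be reversed the same way. The XLAT key is that well-known constant; the sample configuration, including the placeholder hash on the enable secret line, is constructed.

```python
"""Added example (not from the original guide): why 'enable secret' beats
'enable password'. An 'enable password' is stored in the configuration in
clear text, or, with 'service password-encryption', as a type 7 string
that is merely XOR-obfuscated with a fixed key and can be reversed by
anyone who reads the config; 'enable secret' is stored as a one-way hash
(type 5, MD5-based, on IOS of this era). XLAT is the well-known key IOS
uses; the sample configuration lines are constructed.
"""
from typing import Dict, List

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(plain: str, seed: int = 7) -> str:
    """Produce a type 7 string: two-digit seed, then hex of plain XOR key."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string; only the public key is needed."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def audit_enable_lines(config: str) -> List[Dict[str, str]]:
    """Classify every enable credential in a running-config and recover
    the ones that are not protected by a one-way hash."""
    findings: List[Dict[str, str]] = []
    for line in config.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0] != "enable" or parts[1] not in ("password", "secret"):
            continue
        cmd = parts[1]
        if parts[2] == "7" and len(parts) > 3:
            findings.append({"cmd": cmd, "type": "7 (reversible)",
                             "recovered": type7_decode(parts[3])})
        elif parts[2] == "5" or parts[2].startswith("$"):
            findings.append({"cmd": cmd, "type": "5 (hash)", "recovered": ""})
        else:
            plain = parts[3] if parts[2] == "0" and len(parts) > 3 else parts[2]
            findings.append({"cmd": cmd, "type": "0 (clear text)", "recovered": plain})
    return findings


# Constructed running-config excerpt; the type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
hostname Switch
enable password MYPASSWORD
enable password 7 070C285F4D06
enable secret 5 $1$salt$placeholderhashvalueXXXXXX
"""

if __name__ == "__main__":
    for finding in audit_enable_lines(SAMPLE_CONFIG):
        print(finding)
```

Anything the audit can recover would be recovered just as easily from a backup, a TFTP copy, or a show running-config pasted into a ticket, which is the practical reason to treat enable password as equivalent to a clear-text credential.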
Section 6
- Switch Port Configuration -
Switch Port Configuration
To enter interface configuration mode for interface Fast Ethernet 0/10:
Switch(config)# interface fa0/10
Several non-contiguous interfaces can be selected at once with the interface
range command, separated by commas:
Switch(config)# interface range fa0/10 , fa0/12 , fa0/14
The above command selects ports fa0/10, fa0/12, and fa0/14. Please note the
space on either side of the commas.
A contiguous range of interfaces can be specified:
Switch(config)# interface range fa0/10 - 15
The above command selects ports fa0/10 through fa0/15. Please note the
space on either side of the dash.
Macros can be created for groups of ports that are configured often:
Switch(config)# define interface-range MACRONAME fa0/10 - 15
Switch(config)# interface range macro MACRONAME
To view the status of an interface, including its duplex, speed, and packet
error counters:
Switch# show interface fa0/10
To view the errdisable state (explained shortly) of an interface:
Switch# show interfaces status err-disabled
The errdisable recovery interval command sets how long a port remains in the
errdisable state before the switch re-enables it automatically. The default is
300 seconds. Automatic recovery is convenient, but if the condition that
triggered the shutdown persists (a security violation, for example) the port
is simply disabled again at the next interval, so the cause should be
investigated rather than only the timer shortened.
________________________________________________
Part III
Switching Protocols and Functions
________________________________________________
Section 7
- VLANs and VTP -
Review of Collision vs. Broadcast Domains
In a previous guide, we learned that a “collision domain” is a segment where
a collision can occur, and that every port on a Layer 2 switch is its own
collision domain; when a port runs in Full Duplex, collisions on that segment
are eliminated altogether. Thus, Layer 2 switches create more (and smaller)
collision domains, which results in fewer collisions.
We also learned that Layer 2 switches do not break up broadcast domains:
without VLANs, every port on the switch belongs to one broadcast domain. A
Layer 2 switch floods a broadcast or multicast out every port, excluding the
port the frame arrived on.
Only Layer-3 devices can break apart broadcast domains. Because of this,
Layer-2 switches alone are not well suited for large, scalable networks.
Layer-2 switches make forwarding decisions solely based on Data-Link layer
MAC addresses, and thus have no way of differentiating between one network
and another.
VLAN Example
Consider the following example:
Advantages of VLANs
VLANs provide the following advantages:
Broadcast Control – In a pure Layer 2 environment, broadcasts are
received by every host on the switched network. In contrast, each VLAN is
its own broadcast domain (and normally its own IP subnet); broadcast traffic
from one VLAN is never flooded into another VLAN.
Security – VLANs allow administrators to “logically” separate users and
departments. Note the limits of this separation: traffic between VLANs still
flows through a Layer 3 device, which is where filtering (access lists) must
be applied, and the separation holds only if trunks are configured
deliberately. A trunk that is negotiated automatically, or a native VLAN
shared with user ports, lets traffic cross VLAN boundaries without passing
that Layer 3 device.
Flexibility and Scalability – VLANs remove the physical boundaries of a
network. Users and devices can be added or moved anywhere on the
physical network, and yet remain assigned to the same VLAN, so a move does
not require re-addressing or re-cabling to keep access to the same resources.
VLAN Membership
VLAN membership can be configured one of two ways:
Statically – Individual (or groups of) switch-ports are manually
assigned to a VLAN. Any device connecting to those switch-ports becomes
a member of that VLAN.
Dynamically – Devices are automatically assigned to a VLAN based on
their MAC address. Cisco developed a dynamic VLAN product called the
VLAN Membership Policy Server (VMPS). In more sophisticated
systems, a user’s network account determines VLAN membership: with IEEE
802.1X, for example, the RADIUS server returns the VLAN to place the
authenticated port in. Because a MAC address is trivially spoofed,
MAC-based assignment identifies a port’s intended owner, not a proven one.
Catalyst switches that participate in a VTP domain (explained shortly)
support up to 1005 VLANs (the “normal” range, 1-1005, which is what VTP
versions 1 and 2 advertise).
Catalyst switches configured in VTP transparent mode support up to 4094
VLANs (the normal range plus the “extended” range, 1006-4094).
VLANs are created from Global Configuration mode:
Switch(config)# vlan 100
Switch(config-vlan)# name MY_VLAN
The first command creates VLAN 100, and places you in VLAN
configuration mode. The second command assigns the name MY_VLAN to
this VLAN.
The list of VLANs is stored in Flash in a database file named vlan.dat.
However, information concerning which ports are assigned to a specific
VLAN is not stored in this file; it is part of the running-config, and
survives a reload only once saved to the startup-config.
Next, we must assign an interface (or range of interfaces) to this VLAN. The
following commands assign interface fa0/10 to our newly created
MY_VLAN:
Switch(config)# interface fa0/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
The switchport mode access line matters as much as the VLAN assignment: it
fixes the port as an access port so that it cannot be negotiated into a trunk
(see DTP, later in this section).
[Figure: a trunk link carrying VLAN A, B, C between switches, with access ports labelled VLAN A, VLAN B and VLAN C]
VLAN Frame-Tagging
When utilizing trunk links, switches need a mechanism to identify which
VLAN a particular frame belongs to. Frame tagging places a VLAN ID in
each frame, identifying which VLAN the frame belongs to.
Tagging occurs only when a frame is sent out a trunk port; the tag is
removed again before the frame is delivered out an access port, so end hosts
normally never see it. (The native VLAN, covered below, is the one exception
on 802.1Q trunks: its frames cross the trunk untagged.) Consider the
following example:
IEEE 802.1Q
IEEE 802.1Q, otherwise known as DOT1Q, is the standardized frame-
tagging protocol supported by most switch manufacturers, including Cisco.
Thus, switches from multiple vendors can be “trunked” together.
Instead of encapsulating the frame in an additional header and trailer (as
Cisco’s proprietary ISL does), 802.1Q inserts a 4-byte tag into the Layer 2
frame header, between the source MAC address and the EtherType. The tag
carries a 16-bit tag protocol identifier (0x8100) followed by a 3-bit
priority field, a 1-bit CFI/DEI flag and the 12-bit VLAN ID. This increases
the maximum frame size from 1518 to 1522 bytes (1514 to 1518 bytes excluding
the FCS), but any modern VLAN-enabled switch supports 802.1Q and the slight
increase in size.
A trunk port is configured manually with one of the following sets of
commands, depending on the tagging protocol:
Switch(config)# interface fa0/10
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# switchport mode trunk
Switch(config)# interface fa0/10
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
The first line in each set of commands places you in interface configuration
mode. The second line manually sets the tagging protocol the trunk link will
use; on platforms whose default encapsulation is negotiate, this must come
before the mode is set or the mode command is rejected. The third line
manually sets this switchport as a trunk port. Always remember, both sides
of the trunk link must be configured with the same tagging protocol. (On
platforms that support only 802.1Q, the encapsulation command does not
exist and dot1q is implied.)
The Catalyst switch can also negotiate the tagging protocol:
Switch(config)# interface fa0/10
Switch(config-if)# switchport trunk encapsulation negotiate
When both ends support both protocols, negotiation prefers ISL over 802.1Q.
VLAN 1 and VLANs 1002-1005 exist in every VLAN database and are allowed on
a trunk by default. On Catalyst IOS switches VLAN 1 can be removed from a
trunk’s allowed list (switchport trunk allowed vlan remove 1), which stops
user data in VLAN 1 from crossing the trunk; control protocols such as CDP,
VTP, DTP and PAgP continue to use VLAN 1 on that trunk regardless.
Native VLANs
A native VLAN can also be configured on trunk ports:
Switch(config)# interface fa0/10
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 100
Native VLANs were commonly configured when plugging Cisco Voice over IP
(VoIP) phones into a Catalyst switch (which is beyond the scope of this
section). Only 802.1Q supports Native VLANs; ISL does not, because ISL
encapsulates every frame.
Native VLANs also matter when trunking fails. For example, if an end user
connects a computer to a port left in a dynamic trunk mode, trunking will
not negotiate, the interface behaves as an access port, and the user’s
computer is “joined” to the Native VLAN. On a port hard-coded as a trunk,
the computer’s untagged frames are likewise switched in the Native VLAN.
Either way, the Native VLAN should not be a VLAN that carries anything you
care about.
Native VLANs provide another benefit. A trunk port will accept “untagged”
frames and place them in the Native VLAN. Consider the following
example:
Assume that both 802.1Q switches have trunk links configured to the non-
802.1Q switch, and that the trunk ports are configured with Native VLAN 100.
Not only will the 802.1Q switches be able to communicate with each other,
the non-802.1Q switch will be “placed” in Native VLAN 100, and be able to
communicate with any device in VLAN 100 on any switch.
(Please note, that the author of this study guide finds the “benefit” of the
above example of Native VLANs to be……dubious at best, and confusing
as hell at worst. Native VLANs find their true purpose when a Cisco VoIP
phone is plugged into a trunk link, or when a trunk link fails).
By default, the Native VLAN is VLAN 1, which is also the VLAN every port
starts in, so by default untagged frames from any trunk neighbor land in the
same VLAN as unconfigured access ports. The usual hardening is to set the
native VLAN on every trunk to an otherwise unused VLAN, to keep it
identical on both ends of each trunk, and, where the platform supports it,
to tag the native VLAN as well (vlan dot1q tag native) so that no data VLAN
crosses a trunk untagged.
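The following is an added example, not code from the study guide, showing the 802.1Q tag layout and the native-VLAN behaviour described above. It builds tagged frames, parses one or more stacked tags (TPID 0x8100, or 0x88a8 for provider tags), and models a dot1q trunk port in Python: an untagged frame lands in the native VLAN, and a frame in the native VLAN leaves the trunk untagged. That untagged egress is what makes the classic double-tagging trick work: an outer tag equal to the native VLAN is consumed by the first switch, and the inner tag is then honoured by the next. The MAC addresses, VLAN numbers and frame bytes are constructed for the example, and the trunk model is deliberately simplified (no MAC learning, no FCS).

```python
# Added example: 802.1Q tag handling and a simplified trunk-port model.
# Not Cisco code; addresses, VLAN numbers and frames below are constructed.
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service tag used by Q-in-Q (802.1ad)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


def build_frame(dst_mac, src_mac, ethertype, payload, vids=()):
    """Build an Ethernet frame (FCS omitted); vids are applied outermost first."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        frame += struct.pack("!HH", TPID_8021Q, vid)  # PCP=0, DEI=0, VID=vid
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(pcp, dei, vid), ...] outermost first, inner ethertype, payload offset)."""
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            return tags, etype, off + 2
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
        off += 4


def strip_outer_tag(frame):
    """Remove the outermost tag (4 bytes after the MAC addresses), if any."""
    return frame[:12] + frame[16:] if parse_tags(frame)[0] else frame


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def classify_ingress(frame, native_vlan, allowed):
    """dot1q trunk ingress: untagged -> native VLAN; tagged -> outermost VID.
    Returns the VLAN the frame is switched in, or None if it is dropped."""
    tags, _, _ = parse_tags(frame)
    vid = tags[0][2] if tags else native_vlan
    return vid if vid in allowed else None


def trunk_hop(frame, native_a, native_b, allowed):
    """Frame enters switch A on a trunk, crosses the A->B trunk, is classified by B.
    Both trunks use the same allowed list; the native VLAN may differ per switch."""
    vid = classify_ingress(frame, native_a, allowed)
    if vid is None:
        return None
    inner = strip_outer_tag(frame)                             # A consumes only the outer tag
    wire = inner if vid == native_a else add_tag(inner, vid)   # native VLAN goes untagged
    return classify_ingress(wire, native_b, allowed)


if __name__ == "__main__":
    arp = build_frame("ffffffffffff", "0200aabbccdd", 0x0806, b"\x00" * 28, vids=(1, 20))
    print("tags:", parse_tags(arp)[0])
    print("native 1 on both trunks   ->", trunk_hop(arp, 1, 1, {1, 20, 30}))       # 20: hopped
    print("native 999 on both trunks ->", trunk_hop(arp, 999, 999, {1, 20, 999}))  # 1: contained
```

With the default native VLAN 1 the double-tagged frame is delivered into VLAN 20 by the second switch; with an unused native VLAN (999) the first switch re-tags the frame with VLAN 1 and the second switch never sees the inner tag. Pruning VLAN 1 from the allowed list drops the frame at the first trunk altogether.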
If both ports are manually set to trunk, a trunk link will be created.
If one port is set to dynamic desirable, and the other port is set to manual
trunk, dynamic desirable, or dynamic auto, a trunk link will be created.
If one port is set to dynamic auto, and the other port is set to manual trunk
or dynamic desirable, a trunk link will be created.
If both ports are set to dynamic auto, the link will never become a trunk,
because both ports are waiting for the other to “initialize” the trunk.
Trunk ports send out DTP frames every 30 seconds to indicate their
configured “mode.”
The default mode on a Catalyst switchport is one of the dynamic modes
(dynamic desirable on older models such as the 2950 and 3550, dynamic auto
on later ones). That means any host able to send DTP frames into an
unconfigured port can negotiate it into a trunk and then tag frames for any
VLAN the trunk carries (VLAN hopping by “switch spoofing”). In general, it
is best to manually specify the trunk link, and disable DTP using the
switchport nonegotiate command:
Switch(config)# interface fa0/10
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Ports facing end hosts should likewise be fixed with switchport mode access
(switchport nonegotiate is valid there too), so they never take part in trunk
negotiation.
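As an added example (not part of the study guide), the checks above can be applied to a running-config rather than port by port. The Python below splits a Catalyst-style configuration into interface stanzas and flags ports that are still DTP-negotiable, trunks that still emit DTP, trunks left on native VLAN 1, and trunks that allow every VLAN. The configuration text is constructed for the example; the flagging rules are the ones stated in this section and assume a platform whose default switchport mode is dynamic.

```python
# Added example: audit interface stanzas from a Catalyst running-config for
# DTP exposure and weak trunk settings. Not Cisco code; the config is constructed.
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user port left at factory defaults
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented commands]} in configuration order."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other unindented line ends the stanza
    return stanzas


def audit_interface(cmds):
    """Return a list of findings for one switchport; empty means it looks hardened."""
    mode = native = allowed = None
    for c in cmds:
        if c.startswith("switchport mode "):
            mode = c[len("switchport mode "):]
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
        if m:
            native = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (.+)", c)
        if m:
            allowed = m.group(1)
    nonegotiate = "switchport nonegotiate" in cmds
    findings = []
    if mode is None or mode.startswith("dynamic"):
        # Default mode is dynamic auto or dynamic desirable depending on platform;
        # either way a host sending DTP can negotiate the port into a trunk.
        findings.append(f"DTP-negotiable port (mode {mode or 'default'}): "
                        "set switchport mode access and switchport nonegotiate")
    if mode == "access" and not nonegotiate:
        findings.append("access port still emits DTP: add switchport nonegotiate")
    if mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still emits DTP: add switchport nonegotiate")
        if native in (None, 1):
            findings.append("native VLAN is 1: move it to an unused VLAN")
        if allowed is None:
            findings.append("trunk allows all VLANs: restrict with switchport trunk allowed vlan")
    return findings


def audit_config(config):
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Only FastEthernet0/11 passes: it is an explicit trunk with DTP off, a dedicated native VLAN and an allowed-VLAN list. The unconfigured port and the dynamic desirable port are the ones an attacker could negotiate into a trunk.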
Troubleshooting Trunks
When troubleshooting a misbehaving trunk link, ensure that the following is
configured identically on both sides of the trunk:
• Mode (both sides must be set to “trunk” or dynamically negotiated)
• Frame-tagging protocol (ISL, 802.1Q, or dynamically negotiated)
• Native VLAN
• VTP Domain (DTP only negotiates a trunk between switches in the same
VTP domain; trunks set to trunk mode at both ends come up regardless)
• Allowed VLANs
A mismatch in mode, encapsulation or (for negotiated trunks) VTP domain
means the trunk never comes up. A native VLAN mismatch is more insidious:
the trunk does come up, untagged frames from one side are switched into a
different VLAN on the other side, and the switches log a CDP native VLAN
mismatch and block the affected VLANs’ spanning-tree instances on that port
as inconsistent. A mismatch in allowed VLANs silently drops traffic for the
VLANs missing on one side.
Troubleshooting Commands
To show a list of all active VLANs:
Switch# show vlan
VTP “Modes”
VTP-enabled switches can operate in one of three modes:
Server – Only VTP servers can create, modify or delete entries in the
VLAN database. Servers advertise their VLAN database to all other
switches in the domain. This is the default mode for Cisco Catalyst
switches. Servers can only advertise VLANs 1 - 1005.
Client – VTP clients cannot make modifications to the VLAN database, and
will receive all of their VLAN information from VTP servers. A client will
also forward an update from a server to other clients.
Transparent – VTP transparent switches will not advertise or accept any
VLAN database information from other switches (even a server). Changes
can be made only to the transparent switch’s local VLAN database.
However, transparent VTP switches will forward VTP information from
servers to clients, and thus act as a “pass-through.”
Note: every VTP server and client accepts an advertisement whose
configuration revision number is higher than its own, and a client relays
it onward. Client mode is therefore not a safeguard. A switch that was
previously used in a domain with the same name and password, and carries a
high revision number, will overwrite the VLAN database of every server and
client it connects to, whether it is configured as a client or a server;
the VLANs deleted that way take every port assigned to them out of service.
Before plugging a previously used switch into the network, reset its
revision number to 0, either by changing its VTP domain name or by setting
it to transparent mode and then back to the intended mode, and verify with
show vtp status. A factory-fresh switch starts at revision 0 and learns its
domain from the first advertisement it hears, so it does no harm.
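The overwrite described in the note above is easy to get wrong in the head, so here is an added example (not code from the study guide) that models VTP version 1/2 propagation in Python: servers, clients and transparent switches, the configuration revision number, and the password check. The digest is a stand-in with a made-up field order, not the real on-wire MD5 layout, and the switch names, domain, password and VLANs are constructed. The scenario plugs a decommissioned lab switch (revision 57) into a production domain (revision 12), once without and once with the revision reset.

```python
# Added example: a simplified model of VTP v1/v2 database propagation, showing
# why client mode alone does not protect against a high revision number.
# Not Cisco code; the digest field order is a stand-in for the real one.
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                  # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: dict
    md5: str


def digest(domain, password, revision, vlans):
    """Stand-in for the VTP MD5 digest: the password never appears on the wire,
    but a receiver holding a different password computes a different digest."""
    body = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(body).hexdigest()


def advertise(sw):
    return Advert(sw.domain, sw.revision, dict(sw.vlans),
                  digest(sw.domain, sw.password, sw.revision, sw.vlans))


def receive(sw, adv):
    """Return True if sw replaced its VLAN database with the advertised one."""
    if sw.mode == "transparent" or adv.domain != sw.domain:
        return False                       # transparent: ignore (but would forward)
    if adv.md5 != digest(adv.domain, sw.password, adv.revision, adv.vlans):
        return False                       # password mismatch
    if adv.revision <= sw.revision:
        return False                       # not newer than what we hold
    sw.vlans, sw.revision = dict(adv.vlans), adv.revision   # clients AND servers accept
    return True


def add_vlan(server, vid, name):
    if server.mode != "server":
        raise PermissionError(f"{server.name} is a VTP {server.mode}")
    server.vlans[vid] = name
    server.revision += 1


def reset_revision(sw):
    """Effect of 'vtp mode transparent' followed by the intended mode, or of
    changing the domain name: the configuration revision drops to 0."""
    sw.revision = 0


def scenario(reset_first):
    """A decommissioned lab switch (revision 57) is plugged into production."""
    core = VtpSwitch("core", "server", "CORP", "s3cret", 12,
                     {1: "default", 10: "users", 20: "servers"})
    lab = VtpSwitch("ex-lab", "client", "CORP", "s3cret", 57, {1: "default"})
    if reset_first:
        reset_revision(lab)
    overwritten = receive(core, advertise(lab))   # does production lose its VLANs?
    learned = receive(lab, advertise(core))       # does the new client learn them?
    return overwritten, learned, dict(core.vlans)


if __name__ == "__main__":
    print("plugged in as client :", scenario(reset_first=False))  # core loses VLANs 10 and 20
    print("revision reset first :", scenario(reset_first=True))   # lab learns from core
```

The first run returns (True, False, {1: 'default'}): the client's stale database wins because its revision is higher. The second returns (False, True, ...) with the production VLANs intact, which is the outcome the revision reset is meant to guarantee.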
Configuring VTP
To configure a switch’s VTP domain:
Switch(config)# vtp domain MYDOMAIN
To prevent a stray or malicious switch from advertising a new VLAN database
into the domain, the VTP domain can be password protected:
Switch(config)# vtp password PASSWORD
All switches participating in the VTP domain must be configured with the
same password. The password itself is not sent on the wire; advertisements
carry an MD5 digest computed over the password and the VLAN data, so an
update produced with the wrong password is rejected. The password does not,
however, protect against the revision-number problem described above when
the offending switch already knows it.
There are two versions of VTP on the switches covered here. VTP version 2
supports additional functionality, including consistency checking and
support for Token Ring. VTP version 2 also allows transparent switches to
always forward update information from servers to clients, even if the
transparent switch is in a separate domain. By default, a Catalyst switch
uses VTP version 1. To configure the VTP version:
Switch(config)# vtp version 2
(Later IOS releases add VTP version 3, which restricts database changes to a
single designated primary server and stores the password hashed in the
configuration.)
To view status information about VTP, including version, domain, mode and
configuration revision number:
Switch# show vtp status
VTP Pruning
VTP pruning prevents flooded traffic (broadcasts, multicasts and unknown
unicasts) of a VLAN from being sent across a trunk to a switch that has no
ports in that VLAN.
In the following example, VTP pruning would prevent VLAN “C”
broadcasts from being sent to Switch 2. Pruning would further prevent
VLAN “A” and “B” broadcasts from being sent to Switch 3.
With VTP pruning, traffic is only sent out the necessary VLAN trunk ports
where those VLANs exist.
VTP pruning is disabled by default on Catalyst IOS switches. To enable
VTP pruning:
Switch(config)# vtp pruning
Section 8
- EtherChannel -
Port Aggregation
When a switched network spans multiple switches, some method of
“linking” those switches must be used. A single Fast Ethernet or Gigabit
Ethernet port can be used to uplink between switches, but this introduces a
bottleneck to the flow of traffic. For example, when using a 24-port Catalyst
switch, imagine having to pipe the traffic of 23 ports over a single port to
reach another switch!
Unfortunately, we cannot simply connect two or more ports from one switch
to another switch: the parallel links form a switching loop. Spanning Tree
(Section 9) will block all but one of them, leaving the extra bandwidth
unused, and if Spanning Tree is disabled the result is an almost
instantaneous broadcast storm.
Port Aggregation allows us to tie multiple ports together into a single
“logical” interface. Cisco’s implementation of port aggregation is called
EtherChannel. The switch (and Spanning Tree) treats an EtherChannel as a
single interface, thus eliminating the possibility of a switching loop.
Not only does port aggregation increase the bandwidth of a link, but it also
provides redundancy. If a single port fails, traffic will be redirected to the
other port(s).
A maximum of 8 Fast Ethernet or 8 Gigabit Ethernet ports can be active in an
EtherChannel (with LACP, up to 16 ports can be configured in the bundle, of
which 8 are active and the rest stand by). Thus, when running in full duplex,
a Fast EtherChannel (FEC) has a maximum bandwidth of 1600 Mbps. A
Gigabit EtherChannel (GEC) has a maximum bandwidth of 16 Gbps. Note that a
single flow never exceeds the speed of one member link, for the reason
explained under load-balancing below.
A maximum of 64 EtherChannels can be configured on a single Catalyst
3550XL switch. A Catalyst 6500 switch supports up to 128 EtherChannels.
EtherChannel Requirements
EtherChannels can be formed with either access or trunk ports.
An EtherChannel comprised of access ports provides increased bandwidth
and redundancy to a host device, such as a server. The host device must
support a port aggregation protocol, such as LACP.
EtherChannels comprised of trunk ports provide increased bandwidth and
redundancy to other switches.
All interfaces in an EtherChannel must be configured identically. Specific
settings that must be identical include:
• Speed settings
• Duplex settings
• STP settings
• VLAN membership (for access ports)
• Native VLAN (for trunk ports)
• Allowed VLANs (for trunk ports)
• Trunking Encapsulation (ISL or 802.1Q, for trunk ports)
When configuring an EtherChannel “trunk” to another switch, the above
configuration should be identical on both switches.
EtherChannels will not form if either dynamic VLANs or port security are
enabled on the participating EtherChannel interfaces.
EtherChannel Load-Balancing
Data sent across an EtherChannel is not necessarily balanced equally between
all interfaces. EtherChannel uses a hashing algorithm that assigns each frame
to one member link based on fields of the frame, so all frames of a given
flow follow the same link. The hash can be based on several criteria,
including:
• Source IP Address (src-ip)
• Destination IP Address (dst-ip)
• Both Source and Destination IP (src-dst-ip)
• Source MAC address (src-mac)
• Destination MAC address (dst-mac)
• Both Source and Destination MAC (src-dst-mac)
• Source TCP/UDP port number (src-port)
• Destination TCP/UDP port number (dst-port)
• Both Source and Destination port number (src-dst-port)
On a Catalyst 3550XL, the default load-balancing method for Layer 2
switching is src-mac. For Layer 3 switching, it’s src-dst-ip. The method is
set globally with the port-channel load-balance command, and the choice
matters: with src-mac, all traffic arriving from a single router or server
MAC address hashes to one link, however many hosts sit behind it.
[Figure: a two-link EtherChannel to Switch B, using ports Fa0/10 and Fa0/18 at each end]
The simplest case is a two-link EtherChannel: the switch takes the low-order
bit of the chosen source and destination fields and XORs them:
Source        0  1  0  1
Destination   0  0  1  1
Result        0  1  1  0
Based on the XOR operation, the result can either be “off” (“0”) or “on”
(“1”). This determines the link the switch will use. In our above example of
source/destination IP address, the XOR operation would result in a “1”, and
thus we would use Link 1. For larger bundles the same idea uses more
low-order bits (two bits for up to four links, three for up to eight), and
because the three-bit hash has only 8 possible values, bundles of 3, 5, 6 or
7 links cannot share load evenly.
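As an added example (not code from the study guide), the Python below generalises the one-bit table above to the three-bit XOR used for bundles of up to eight links and shows how the choice of load-balancing method changes the spread of constructed traffic. The flows, addresses and MACs are constructed: eight hosts behind one router talk to one server, so every frame toward the server carries the router's source MAC. The mapping of hash buckets to links (bucket modulo bundle size) is a model that reproduces the uneven bucket counts Cisco documents for 3, 5, 6 and 7 links, not a copy of any platform's table.

```python
# Added example: EtherChannel link selection modelled as an XOR of the low-order
# bits of the chosen fields, generalised from the 1-bit table to the 3-bit
# (8-bucket) hash used for bundles of up to 8 links. Not Cisco code; the flows
# and addresses are constructed, and bucket % n_links is a model of the
# documented "load values per link" counts (e.g. 3:3:2 for three links).
import ipaddress

METHODS = {  # method name -> (field, which sides contribute)
    "src-ip": ("ip", "src"), "dst-ip": ("ip", "dst"), "src-dst-ip": ("ip", "both"),
    "src-mac": ("mac", "src"), "dst-mac": ("mac", "dst"), "src-dst-mac": ("mac", "both"),
    "src-port": ("port", "src"), "dst-port": ("port", "dst"), "src-dst-port": ("port", "both"),
}


def xor_bucket(a, b, bits=3):
    """XOR of the low-order `bits` of two values, giving a bucket 0..2**bits-1."""
    mask = (1 << bits) - 1
    return (a & mask) ^ (b & mask)


def buckets_per_link(n_links, bits=3):
    """How many of the 2**bits hash buckets land on each member link."""
    if not 1 <= n_links <= (1 << bits):
        raise ValueError("bundle size out of range")
    counts = [0] * n_links
    for b in range(1 << bits):
        counts[b % n_links] += 1
    return counts


def field_value(flow, fld, side):
    raw = flow[f"{side}_{fld}"]
    if fld == "ip":
        return int(ipaddress.ip_address(raw))       # low bits = last octet
    if fld == "mac":
        return int(raw.replace(":", ""), 16)        # low bits = last byte
    return int(raw)                                 # TCP/UDP port


def select_link(flow, n_links, method, bits=3):
    fld, sides = METHODS[method]
    a = field_value(flow, fld, "src") if sides in ("src", "both") else 0
    b = field_value(flow, fld, "dst") if sides in ("dst", "both") else 0
    return xor_bucket(a, b, bits) % n_links


def distribution(flows, n_links, method):
    """Number of flows assigned to each member link under the given method."""
    counts = [0] * n_links
    for flow in flows:
        counts[select_link(flow, n_links, method)] += 1
    return counts


# Constructed traffic: eight hosts behind one router exchanging data with one server.
ROUTER_MAC, SERVER_MAC = "00:00:5e:00:01:aa", "00:00:5e:00:02:bb"
TO_SERVER = [{"src_ip": f"10.1.1.{i}", "dst_ip": "10.1.2.10",
              "src_mac": ROUTER_MAC, "dst_mac": SERVER_MAC} for i in range(1, 9)]
FROM_SERVER = [{"src_ip": "10.1.2.10", "dst_ip": f"10.1.1.{i}",
                "src_mac": SERVER_MAC, "dst_mac": ROUTER_MAC} for i in range(1, 9)]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{method:12} to server {distribution(TO_SERVER, 2, method)}"
              f"  from server {distribution(FROM_SERVER, 2, method)}")
    print("buckets per link, 3-link bundle:", buckets_per_link(3))
```

With src-mac (the Layer 2 default) every flow lands on one link in each direction, because the only MAC addresses the switch sees are the router's and the server's. Switching to src-dst-ip spreads the same eight flows evenly over two links and 3:3:2 over three, which is exactly the bucket count the three-bit hash allows.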
EtherChannel Protocols
EtherChannel can either be configured manually, or can be dynamically
negotiated via one of two protocols:
• PAgP (Port Aggregation Protocol) – Cisco’s proprietary
aggregating protocol.
• LACP (Link Aggregation Control Protocol) – The IEEE
standardized aggregation protocol, otherwise known as 802.3ad.
Both PAgP and LACP exchange packets between switches in order to form
the EtherChannel. However, when the EtherChannel is manually configured
(i.e., set to on), no update packets are exchanged.
Thus, an EtherChannel will not be formed if one switch has a manually
configured EtherChannel, and the other switch is configured with a dynamic
protocol (PAgP or LACP).
Furthermore, PAgP and/or LACP configuration must be removed from a
switch’s interfaces before a manual EtherChannel can be formed. To manually
configure an EtherChannel:
Switch(config)# interface range fa0/10 - 11
Switch(config-if-range)# channel-group 1 mode on
The other switch must also have the EtherChannel manually configured as
on. Remember that speed, duplex, VLAN, and STP information must be the
same on every port in the EtherChannel. Because mode on skips negotiation,
a cabling mistake (one member plugged into a port that is not part of the
bundle) goes undetected and can produce a loop; where both ends support it,
a negotiated channel (LACP, mode active on both sides) is the safer choice.
The channel-group number identifies this particular EtherChannel. The
channel-group number does not need to be configured identically on both
switches. Remember, a maximum of 64 EtherChannels are allowed on a
Catalyst 3550XL switch.
Or on interfaces:
Switch(config)# interface range fa0/10 - 11
Switch(config-if-range)# lacp port-priority PRIORITY
A low value indicates a high priority. The ports with the lowest values
(highest priorities) become active in the EtherChannel; any ports beyond the
eight active ones remain in hot-standby.
Troubleshooting EtherChannel
To view the current status of all configured EtherChannels:
Switch# show etherchannel summary
Section 9
- Spanning-Tree Protocol -
Switching “Loops”
By default, a switch will forward a broadcast or multicast out all ports,
excluding the port the broadcast/multicast was sent from.
When a “loop” is introduced into the network, a highly destructive
broadcast storm can develop within seconds. Broadcast storms occur when
broadcasts are endlessly switched through the loop, choking off all other
traffic.
Consider the following “looped” environment:
[Figure: Switch 1 at the top, connected to Switch 2 and Switch 3; Switch 2 connects down to Switch 4, Switch 3 to Switch 5, and Switch 4 connects to Switch 5, closing the loop]
If the computer connected to Switch 4 sends out a broadcast, the switch will
forward the broadcast out all ports, including the ports connecting to Switch
2 and Switch 5. Those switches, likewise, will forward that broadcast out all
ports, including to their neighboring switches.
The broadcast will loop around the switches infinitely. Only powering off
the switch or removing all cabling can stop the storm.
STP “Types”
Various flavors of STP exist, including:
• Common Spanning Tree (CST) – A single STP process is used for
all VLANs
• Per-VLAN Spanning Tree (PVST) – Cisco proprietary version of
STP, that uses a separate STP process for each VLAN
• Per-VLAN Spanning Tree Plus (PVST+) – Enhanced version of
PVST that allows CST-enabled switches and PVST-enabled switches
to interoperate. This is default on newer Catalyst switches.
Remember that the lowest Bridge ID determines the Root Bridge: the priority
is compared first, and only on a tie does the MAC address decide. Switches 2,
3, and 5 have the default priority (32768) set. Switches 1 and 4 each have a
priority of 100 configured. Switch 1 becomes the Root Bridge because, of the
two, it has the lowest MAC address. (On PVST+ switches using the extended
system ID, the configurable priority must be a multiple of 4096, so a
real-world value would be, for example, 4096 rather than 100.)
Switches exchange BPDUs to perform the election process. By default, all
switches “believe” they are the Root Bridge, until a switch with a lower
Bridge ID is discovered.
Root Bridge elections are a continuous process. If a new switch with a lower
Bridge ID is added to the topology, it will be elected as the new Root
Bridge. BPDUs carry no authentication, so anything that sends a superior
BPDU into the network, whether a mis-configured switch or a deliberately
attached one, can take over as root and pull traffic through itself; this is
what BPDU guard on access ports and root guard on uplinks are meant to
prevent.
Bandwidth    Cost
4 Mbps       250
10 Mbps      100
16 Mbps      62
100 Mbps     19
1 Gbps       4
Assume the links between all switches are 10Mbps Ethernet, with a Path
Cost of 100. Each switch will identify the port with the least cumulative Path
Cost to get to the Root Bridge.
For Switch 4, the port leading “up” to Switch 2 has a Path Cost of 200, and
becomes the Root Port. The port to Switch 5 has a higher Path Cost of 300.
Ports on the Root Bridge are never placed in a blocking state, and thus are
always Designated Ports.
The segments between Switches 2 and 4, and between Switches 3 and 5,
already contained a Root Port. Each segment requires a Designated Port, and
thus the ports on Switch 2 and Switch 3 become Designated Ports.
The segment between Switch 4 and Switch 5 does not contain a Root Port. A
segment can only have one Designated Port, and thus one of the ports must
be placed in a blocking state.
Normally, Path Cost is used to determine which port is blocked. However,
the ports connecting Switches 4 and 5 have the same Path Cost to reach the
Root Bridge (300). Whichever switch has the lowest Bridge ID is awarded
the Designated Port. Whichever switch has the highest Bridge ID has its
port placed in a blocking state. In this example, Switch 4 has the lowest
priority, and thus Switch 5’s port goes into a blocking state.
Port ID
In certain circumstances, there will be a tie in both Path Cost and Bridge ID.
Consider the following example:
[Figure: Switch 1 (Root Bridge) connected to Switch 2 by two parallel links, Fa0/10 and Fa0/11]
If the bandwidth of both links is equal, then both of Switch 2’s interfaces
have an equal path cost to the Root Bridge. Which interface will become the
Root Port? The next “tiebreaker” should be the lowest Bridge ID, but that
obviously cannot be used in this circumstance (unless Switch 2 is
experiencing a schizophrenic identity crisis ☺).
Instead, Port ID will be used as the tiebreaker. An interface’s Port ID
consists of two “parts,” a 6-bit port priority value plus the MAC address for
that port. Whichever interface has the lowest Port ID will become the Root
Port.
By default, the port priority of an interface is 128. By lowering this value,
we can ensure a specific interface becomes the Root Port:
Remember, that port priority is the last tiebreaker STP will consider. STP
decides Root and Designated Ports based on the following criteria, and in
this order:
• Lowest Path Cost to the Root Bridge
• Lowest Bridge ID
• Lowest Port ID
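The election worked through on the preceding pages, as an added example that is not part of the study guide: a small Python model that picks the Root Bridge, each switch’s Root Port and each segment’s Designated Port using the three criteria above, in that order. Because the figure is not reproduced here, the links between the five switches (1-2, 1-3, 2-4, 3-5, 4-5), the MAC addresses and the port names are assumed; it also covers the parallel-link case from the Port ID section.

```python
"""Root Bridge, Root Port and Designated Port election for the example above.

Added example, not from the study guide.  Switches 1 and 4 use priority 100,
Switches 2, 3 and 5 the default 32768; every link is 10 Mbps (Path Cost 100).
Assumed (the figure is not reproduced): links 1-2, 1-3, 2-4, 3-5 and 4-5.
MAC addresses and port names are constructed sample values."""
import heapq
from collections import defaultdict

DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128
COST_10MBPS = 100

SWITCHES = {                       # switch -> (priority, MAC) = Bridge ID
    1: (100, "00:00:00:00:00:01"),
    2: (DEFAULT_PRIORITY, "00:00:00:00:00:02"),
    3: (DEFAULT_PRIORITY, "00:00:00:00:00:03"),
    4: (100, "00:00:00:00:00:04"),
    5: (DEFAULT_PRIORITY, "00:00:00:00:00:05"),
}
LINKS = [                          # (switch, port, switch, port, cost)
    (1, "Fa0/1", 2, "Fa0/1", COST_10MBPS),
    (1, "Fa0/2", 3, "Fa0/1", COST_10MBPS),
    (2, "Fa0/2", 4, "Fa0/1", COST_10MBPS),
    (3, "Fa0/2", 5, "Fa0/1", COST_10MBPS),
    (4, "Fa0/2", 5, "Fa0/2", COST_10MBPS),
]


def port_id(port_priorities, switch, port):
    """Port ID: the port priority (default 128) followed by the port number."""
    priority = port_priorities.get((switch, port), DEFAULT_PORT_PRIORITY)
    return (priority, int(port.rsplit("/", 1)[1]))


def elect(switches, links, port_priorities=None):
    """Return (root, root_path_cost, roles); roles maps (switch, port) to
    "root", "designated" or "blocked".

    Ties fall in the order the text lists: lowest Path Cost, lowest Bridge ID,
    lowest Port ID.  In the Port ID step the advertising switch's Port ID is
    compared before the receiving port's own, which is how 802.1D orders its
    priority vector.
    """
    port_priorities = port_priorities or {}

    def bid(sw):                                  # Bridge ID: (priority, MAC)
        return switches[sw]

    def pid(sw, port):
        return port_id(port_priorities, sw, port)

    root = min(switches, key=bid)                 # lowest Bridge ID wins

    adj = defaultdict(list)                       # sw -> [(port, nbr, nbr_port, cost)]
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # 1. Root Path Cost: cheapest cumulative cost from each switch to the root.
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, sw = heapq.heappop(heap)
        if cost > rpc[sw]:
            continue
        for _, nbr, _, link_cost in adj[sw]:
            if cost + link_cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = cost + link_cost
                heapq.heappush(heap, (rpc[nbr], nbr))

    roles = {}
    # 2. Root Port: on every non-root switch, the port with the best vector.
    for sw in switches:
        if sw == root:
            continue
        port, _, _, _ = min(
            adj[sw],
            key=lambda p: (rpc[p[1]] + p[3], bid(p[1]), pid(p[1], p[2]), pid(sw, p[0])),
        )
        roles[(sw, port)] = "root"

    # 3. Designated Port: one per segment, on the switch offering the best vector;
    #    the far end is either the Root Port chosen above or goes blocking.
    for a, pa, b, pb, _ in links:
        a_vec = (rpc[a], bid(a), pid(a, pa))
        b_vec = (rpc[b], bid(b), pid(b, pb))
        designated, other = ((a, pa), (b, pb)) if a_vec < b_vec else ((b, pb), (a, pa))
        roles[designated] = "designated"
        roles.setdefault(other, "blocked")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = elect(SWITCHES, LINKS)
    print("Root Bridge: Switch", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"Switch {sw} {port}: {role} (Root Path Cost {rpc[sw]})")
```

Passing a `port_priorities` mapping such as `{(1, "Fa0/11"): 64}` reproduces the Port ID tiebreak on the parallel links between Switch 1 and Switch 2.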
[Figure: Switch 2, Switch 3 and Switch 4, with per-VLAN blocking on Switch 4’s ports]
With Common Spanning Tree (CST), all VLANs would belong to the same
STP process. Thus, if one of Switch 4’s ports entered a “blocking” state to
eliminate the loop, all VLANs would be blocked out that port. For efficiency
purposes, this may not be ideal.
In the above examples, the benefit of PVST becomes apparent. STP runs a
separate process for each VLAN, allowing a port to enter a blocking state
only for that specific VLAN. Thus, it is possible to “load balance” VLANs,
to allow traffic to flow more efficiently.
STP Timers
STP utilizes three timers to ensure all switches remain synchronized, and to
allow enough time for the Spanning Tree process to ensure a loop-free
environment.
Hello Timer – Default is 2 seconds. Indicates how often BPDU’s are sent
by switches.
Forward Delay – Default is 15 seconds. Indicates a “delay” period in both
the “listening” and “learning” states of a port, for a total of 30 seconds. This
delay ensures STP has ample time to detect and eliminate loops.
Max Age – Default is 20 seconds. If a switch fails to receive BPDU’s from
a neighboring switch for the Max Age period, it will remove that switch’s
information from the STP topology database.
All timer values can be adjusted, and should only be adjusted on the Root
Bridge. The Root Bridge will propagate the changed settings to all other
switches participating in STP.
When a change to the network topology occurs, switches send out TCN
(Topology Change) BPDUs. When a switch receives a TCN BPDU, it will
temporarily change its MAC address Aging Timer from 300 seconds to 15
seconds, so that any erroneous MAC addresses can be flushed out of the
CAM.
To adjust the three STP timers for VLAN 10:
Switch(config)# spanning-tree vlan 10 hello-time 10
Switch(config)# spanning-tree vlan 10 forward-time 20
Switch(config)# spanning-tree vlan 10 max-age 40
The timers are measured in seconds. The above examples represent the
maximum value each timer can be configured to.
Remember that STP is configured on a VLAN by VLAN basis on Catalyst
Switches.
The root primary parameter in the above command automatically lowers the
switch’s priority to 24,768. If another switch on the network has a lower
priority than 24,768, the above command will lower the Priority by 4096
less than that switch.
We can have a Secondary Root Bridge for redundancy. To force a switch
to become a Secondary Root Bridge:
Switch(config)# spanning-tree vlan 10 root secondary diameter 7
The above root commands also adjust the Hello, Forward Delay, and Max
Age timers. This is the recommended way to adjust timers, instead of
manually altering each, as the hello timers are tuned specifically to the
diameter of the switching network.
STP PortFast
PortFast allows switch ports that connect a host device (such as a PC), to
bypass the normal progression of STP “states.” Because no possibility of a
loop exists on a port connecting a host device, the port can move from a
“blocking” state to a “forwarding” state immediately, eliminating the
normal 30 to 50 second delay.
To configure PortFast on an interface:
Switch(config-if)# spanning-tree portfast
STP UplinkFast
Switches can have multiple uplinks to other “upstream” switches. If the
multiple links are not placed in an EtherChannel, then at least one of the
ports is placed into a “blocking” state to eliminate the loop.
If a directly-connected interface goes down, STP needs to perform a
recalculation to bring the other interface out of a “blocking” state. As stated
earlier, this calculation can take from 30 to 50 seconds.
UplinkFast allows the port in a “blocking” state to be held in standby-mode,
and activated immediately if the “forwarding” interface fails. If multiple
ports are in a “blocking” state, whichever port has the lowest Root Path Cost
will become unblocked.
UplinkFast is configured globally for all VLANs on the switch:
Switch(config)# spanning-tree uplinkfast
The Root Bridge cannot have UplinkFast enabled, as the “standby” ports are
calculated using the best Path Cost to the Root Bridge.
STP BackboneFast
While UplinkFast allows faster convergence if a directly connected interface
fails, BackboneFast provides the same benefit if an indirectly connected
interface fails.
For example, if the Root Bridge fails, another switch will be elected the
Root. A switch learning about the new Root Bridge must wait its Max Age
timer to flush out the old information, before it will accept the updated info.
By default, the Max Age timer is 20 seconds.
BackboneFast allows a switch to bypass the Max Age timer if it detects an
indirect failure on the network. It will update itself with the new Root info
immediately.
BackboneFast is configured globally, and should be implemented on all
switches in the network when used:
Switch(config)# spanning-tree backbonefast
Protecting STP
STP is vulnerable to attack for two reasons:
• STP builds its topology information by accepting a neighboring
switch’s BPDU’s
• The Root Bridge is always determined by the lowest Bridge ID
(Priority + MAC address)
Switches with a low priority can be maliciously placed on the network, and
elected the Root Bridge. This can lead to a highly undesirable topology
design.
Two mechanisms exist to protect the STP topology: Root Guard and BPDU
Guard. Both mechanisms are configured on an individual port basis, and are
disabled by default.
Root Guard prevents an unauthorized switch from advertising itself as a
Root Bridge.
Switch(config-if)# spanning-tree guard root
The above command prevents this switch from accepting a “new” Root
Bridge off of this interface. If a Root Bridge advertises itself to this port, the
port will enter a root-inconsistent state, and will enter a pseudo “blocking”
state.
BPDU Guard is used on interfaces that also have PortFast enabled.
Normally, a PortFast-enabled interface is connecting a host device, such as a
computer or printer, and should never receive BPDU’s.
If another switch is accidentally or maliciously plugged into a PortFast
interface, BPDU Guard will place the interface into an errdisable state
(explained in an earlier section). More accurately, if an interface configured
for BPDU Guard receives a BPDU, then the errdisable state will occur.
Switch(config-if)# spanning-tree bpduguard enable
The enable parameter sets UDLD into normal mode, and the aggressive
parameter is for aggressive mode (obviously). The message time parameter
modifies how often ID frames are sent out.
UDLD can be configured on individual interfaces:
Switch(config-if)# udld enable
Switch(config-if)# udld aggressive
Switch(config-if)# udld disable
Implementations of RSTP
Two separate standards of RSTP (over multiple VLANS) have been
developed:
• Rapid Per-VLAN Spanning Tree Protocol (RPVST+) – Cisco’s
proprietary implementation (no surprise)
• Multiple Spanning Tree (MST) – The IEEE 802.1s standard
MST Configuration
MST must first be enabled on a switch:
Switch(config)# spanning-tree mode mst
Section 10
- MultiLayer Switching -
Routing Between VLANs
VLANs separate a Layer 2 switch into multiple broadcast domains. Each
VLAN is its own individual broadcast domain (i.e. IP subnet). Only ports
belonging to the same VLAN can freely communicate; ports assigned to
separate VLANS require a router to communicate.
Routing between VLANs can be accomplished one of three ways:
• Using an external router that has a link to each VLAN:
• Using an external router that has a single link into the switch, over
which all VLANs can be routed. The router must understand either
802.1Q or ISL trunking encapsulations, and the switch port must be
configured as a trunk. This method is known as router on a stick:
These IP addresses will serve as the default gateways for the clients on each
VLAN. By adding an IP address to a VLAN, those networks will be added
to the routing table, allowing routing to occur.
Fallback Bridging
The Catalyst 3550 only supports IP when using CEF multilayer switching. If
other protocols (IPX, Appletalk, SNA) need to be “routed” between VLANs,
fallback bridging can be used.
To configure fallback bridging, a bridge group must first be created. Then
specific VLANs can be assigned to that bridge group. A maximum of 31
bridge groups can be created.
Switch(config)# bridge-group 1 protocol vlan-bridge
Switch(config)# interface vlan 100
Switch(config-if)# bridge-group 1
Switch(config)# interface vlan 101
Switch(config-if)# bridge-group 1
The first command creates the bridge group. The remaining commands place
VLANs 100 and 101 in bridge group 1. If protocols other than IP utilize
these VLANs, they will be transparently bridged across the VLANs.
Section 11
- SPAN -
Monitoring Traffic
Various technologies and packet sniffers exist to monitor traffic on a
network. Catalyst switches support a feature called Switched Port Analyzer
(SPAN) to simplify this process.
SPAN works by copying or mirroring the traffic from one or more source
ports, to a destination port. Because the traffic is only copied, SPAN will
never affect any of the traffic on the source port(s). A packet sniffer or
similar device can be connected to this “destination” port, capturing traffic
without interfering with the actual data.
A SPAN source can consist of:
• One or more access switchports (Local SPAN)
• One or more routed interfaces
• An EtherChannel
• A trunk port
• An entire VLAN (VSPAN)
SPAN can mirror data coming inbound or outbound on a source interface,
or both.
A SPAN destination can consist of only a single switchport or routed
interface. Once an interface is identified as a SPAN destination, it is
dedicated to that purpose. No user traffic will be sent down that link. If you
configure a SPAN destination as a trunk port, it will be able to capture all
VLAN tagged data.
A SPAN destination cannot be an EtherChannel.
Under some circumstances, the traffic from the SPAN source can exceed the
capacity of the destination interface. For example, if the SPAN source was
an entire VLAN, this could very easily exceed the bandwidth capabilities of
a single Fast Ethernet interface. In this instance, packets in the destination
queue will be dropped to ease the congestion. Always remember, that the
source port(s)/VLAN are never affected.
Configuring SPAN
The first step in configuring SPAN is to identify a source:
Switch(config)# monitor session 1 source interface fa0/10 rx
Switch(config)# monitor session 1 source interface fa0/11 tx
Switch(config)# monitor session 1 source vlan 100 both
Consider the above example. The previous page described how to configure
SPAN if both the source and destination ports were on the same switch.
However, it is also possible to utilize SPAN if the source and destination are
on different switches, using Remote SPAN (RSPAN).
Each switch in the chain must support RSPAN, and the information is sent
across a configured RSPAN VLAN.
Configuration on Switch 1 would be:
Switch(config)# vlan 123
Switch(config-vlan)# remote-span
Switch(config)# monitor session 1 source interface fa0/10
Switch(config)# monitor session 1 destination vlan 123
On all three switches, we must create the RSPAN VLAN, and apply the
remote-span parameter to it.
________________________________________________
Part IV
Advanced Switch Services
________________________________________________
Section 12
- Redundancy and Load Balancing -
Importance of Redundancy
Consider the following example:
Users utilize a single “gateway” to reach the Internet. In this example, the
gateway is a multilayer switch; however, it could just have easily been a
Layer 3 router. Throughout the rest of this section, the terms “router” and
“multilayer switch” will be used interchangeably.
The gateway represents a single point of failure on this network. If that
gateway fails, users no longer can access the Internet (or any other resource
beyond the gateway). This lack of redundancy may be unacceptable on
mission-critical networks.
A method to allow multiple “gateways” became necessary:
However, the solution needed to be transparent to the end user (or host
device).
In the above example, Switch 2 would become the Active HSRP router, as it
has the highest priority. Switch 1 would become the Standby router.
HSRP “States”
A router or multilayer switch configured for HSRP will progress through
several “states” before settling into a role:
• Disabled – the interface is not configured for HSRP, or is
administratively shut down
• Init – this is the “starting” state when an interface is first brought up
• Learn – the router is waiting to hear hellos from the Active Router, to
learn the configured Virtual Address
• Listen – the router is aware of the Virtual IP address, but was not
elected the Active or Standby Router.
• Speak – the router is currently participating in an Active Router
election, and is sending Hello packets.
• Standby – the router is acting as a “backup” to the Active Router.
Monitors and sends hellos to the Active Router
• Active – the router is currently accepting and forwarding user traffic,
using the Virtual IP address. The Active Router actively exchanges
hellos with the Standby Router
HSRP Configuration
All HSRP configuration is completed on the interface that will be
“accepting” traffic.
To configure the priority of a router:
Switch(config)# interface fa0/10
Switch(config-if)# standby 1 priority 150
The standby 1 command specifies what HSRP group that interface belongs
to. The priority 150 parameter changes the actual priority value. Remember
that a higher value wins, and that the default priority is 100.
However, if a new router is added to the HSRP group, and it has the best
priority, it will not automatically assume the role of the Active router. In
fact, the first router to be powered on will become the Active router, even if
it has the lowest priority!
To force the highest-priority switch to assume the role of Active router:
Switch(config-if)# standby 1 preempt delay 10
The standby 1 preempt command allows this switch to force itself as the
Active router, if it has the highest priority. The delay 10 parameter tells the
router to wait 10 seconds before becoming Active.
HSRP routers send out Hello packets to verify each other’s status:
Switch(config-if)# standby 1 timers 4 12
The standby 1 timers command allows us to configure the two timers. The
first setting 4 sets the Hello timer to 4 seconds. The second setting 12 sets
the holddown timer to 12 seconds.
Remember, by default, Hello packets are sent every 3 seconds. Only the
Standby router listens to Hello packets from the Active router. If the Standby
router doesn’t hear any Hellos from the Active router for the holddown
period, then it will assume the Active router is down.
In general, the holddown timer should be three times the Hello timer. HSRP
Hello packets are sent to the multicast address 224.0.0.2 over UDP port
1985.
Authentication can be configured for HSRP. All HSRP routers in the group
must be configured with the same clear-text string:
Switch(config-if)# standby 1 authentication CISCO
HSRP Tracking
In the above example, Switch 2 becomes the Active Router, and Switch 1
becomes the Standby router. Both Switch 1 and Switch 2 send out Hello
packets with updates on their status.
On Switch 2, if port Fa0/12 goes down, the switch is still able to send Hello
packets to Switch 1 via Fa0/10. Thus, Switch 1 will never realize that no
traffic is leaving Switch 2, as the switch still appears to be “Active.”
To combat this, HSRP can “track” interfaces. If the “tracked” interface fails,
the router’s (or multilayer switch’s) priority is decreased by a specific value.
For example, on Switch 2 we would configure:
Switch(config-if)# standby 1 track fa0/12 50
The above command sets tracking for the fa0/12 interface, and will decrease
the priority of the switch by 50 if the interface fails. The hope is that the
priority is decreased enough to allow another router to be promoted to
Active.
Tracking of interfaces does not work unless the other router is configured to
“preempt” the Active Router.
Switch(config-if)# standby 1 preempt
Otherwise, Switch 1 would never take over, even if Switch 2’s priority was
decreased to 1.
Switch 1:
Switch(config)# int fa0/10
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.5 255.255.255.0
Switch(config-if)# standby 1 priority 50
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 ip 192.168.1.1
Switch(config-if)# standby 1 authentication CISCO

Switch 2:
Switch(config)# int fa0/10
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.6 255.255.255.0
Switch(config-if)# standby 1 priority 75
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 ip 192.168.1.1
Switch(config-if)# standby 1 authentication CISCO
Switch(config-if)# standby 1 track fa0/12 50
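As an added illustration (not part of the guide), a small Python model of the election for the two-switch group above: priorities 50 and 75, a 50-point track decrement on Switch 2's fa0/12, and preempt toggled on Switch 1. Tie-breaking by higher IP and the rule that a tie never preempts are modelling assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int                 # "standby 1 priority N"
    preempt: bool = False         # "standby 1 preempt"
    tracks: dict = field(default_factory=dict)         # "standby 1 track <intf> <decrement>"
    interfaces_up: dict = field(default_factory=dict)  # interface -> link state (missing = up)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        down = sum(dec for intf, dec in self.tracks.items()
                   if not self.interfaces_up.get(intf, True))
        return max(0, self.priority - down)


def _ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def elect(routers: list, current_active=None):
    """Return the router holding the Active role after one election round.

    Highest effective priority wins, ties going to the higher interface IP.
    An incumbent keeps the role unless a router with a strictly higher
    effective priority has preempt enabled (modelling assumption: a tie
    never preempts, so only a priority change moves the role).
    """
    best = max(routers, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    if current_active is None or best is current_active:
        return best
    if best.preempt and best.effective_priority() > current_active.effective_priority():
        return best
    return current_active


def hsrp_failover_scenario(switch1_preempt: bool) -> list:
    """Walk the guide's two-switch group through a failure of Switch 2's fa0/12.

    Returns the Active router's name after the initial election, after fa0/12
    goes down, and after it comes back up.
    """
    sw1 = HsrpRouter("Switch 1", "192.168.1.5", priority=50, preempt=switch1_preempt)
    sw2 = HsrpRouter("Switch 2", "192.168.1.6", priority=75, preempt=True,
                     tracks={"fa0/12": 50}, interfaces_up={"fa0/12": True})
    group = [sw1, sw2]

    active = elect(group)                      # 75 > 50: Switch 2 is Active
    history = [active.name]

    sw2.interfaces_up["fa0/12"] = False        # tracked uplink fails: 75 - 50 = 25
    active = elect(group, active)              # Switch 1 (50) takes over only if it preempts
    history.append(active.name)

    sw2.interfaces_up["fa0/12"] = True         # link restored: back to 75
    active = elect(group, active)              # Switch 2 has preempt, so it reclaims the role
    history.append(active.name)
    return history


if __name__ == "__main__":
    print("preempt on Switch 1:   ", hsrp_failover_scenario(True))   # ['Switch 2', 'Switch 1', 'Switch 2']
    print("no preempt on Switch 1:", hsrp_failover_scenario(False))  # ['Switch 2', 'Switch 2', 'Switch 2']
```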
Or re-enabled again:
Switch(config-if)# vrrp 1 preempt
GLBP Example
Routers (or multilayer switches) in the GLBP group are assigned a virtual IP
address. Clients point to this virtual address as their default gateway.
Remember that for IP communication to occur, a device needs to broadcast
an ARP request to determine the MAC address for that virtual IP. Whichever
router was elected the AVG (highest priority) listens for those ARP requests.
In addition to the AVG, up to three other routers can become Active Virtual
Forwarders (AVFs). The AVG assigns each AVF (including itself) a
virtual MAC address (for a maximum total of 4 virtual MAC addresses).
When a client performs an ARP request, the AVG will provide the client
with one of the virtual MAC addresses. In this way, load balancing can
occur.
GLBP is not limited to four routers. Any routers that are not AVFs become
Secondary Virtual Forwarders (SVFs), which wait in standby until an
AVF fails.
What determines whether a router becomes an AVF or SVF? Each router is
assigned a weight, and the default weight is 100. Weight can either be
statically configured, or dynamically decided. When dynamically decided, a
router’s weight will drop if a tracked interface fails.
GLBP Load-Balancing
GLBP supports three load balancing methods:
• Round Robin – Traffic is distributed equally between all routers. The
first request is sent to Router 1, the second to Router 2, etc. This is the
default load balancing mechanism.
• Weighted – Routers that have a higher weight will be utilized more
frequently.
• Host-Dependent – Once a client performs an ARP request, that client
always utilizes the same gateway.
Configuring GLBP
To set a GLBP router’s priority to 150:
Switch(config-if)# glbp 1 priority 150
The first command creates a track object 10, which is tracking interface
fa0/12. The second command assigns that track object to glbp group 1, and
will decrease this router’s weight by 50 if interface fa0/12 fails. Another
router cannot become AVF unless it is configured to preempt.
We can also specify the Virtual IP, and the load-balancing method:
Switch(config-if)# glbp 1 ip 192.168.1.2
Switch(config-if)# glbp 1 load-balancing weighted
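An added Python model (not the guide's own) of how the AVG answers ARP requests under each of the three load-balancing methods above, and how an SVF inherits a failed AVF's virtual MAC. Router names, weights and client MACs are constructed; the virtual MAC layout 0007.b4gg.ggff is the GLBP format, not something taken from this page.

```python
import zlib


class GlbpGroup:
    """Model of one GLBP group: the AVG hands out virtual MACs in ARP replies."""

    MAX_FORWARDERS = 4   # the AVG plus up to three more routers can be AVFs

    def __init__(self, group: int, routers: list, method: str = "round-robin"):
        # routers: (name, weight) pairs, first is the AVG; IOS default weight is 100
        self.group = group
        self.method = method
        self.weight = dict(routers)
        self.up = {name: True for name, _ in routers}
        # forwarder number -> router currently owning that virtual MAC
        self.owner = {n: name for n, (name, _) in enumerate(routers[:self.MAX_FORWARDERS], 1)}
        self._rr_index = 0
        self._credit = {n: 0 for n in self.owner}    # smooth weighted round-robin state

    def vmac(self, forwarder: int) -> str:
        # GLBP virtual MAC layout 0007.b4gg.ggff: 16-bit group, 8-bit forwarder number
        raw = f"0007b4{self.group:04x}{forwarder:02x}"
        return ".".join(raw[i:i + 4] for i in range(0, 12, 4))

    def active_forwarders(self) -> list:
        return sorted(n for n, name in self.owner.items() if self.up[name])

    def secondary_forwarders(self) -> list:
        """SVFs: routers that are up but do not currently own a virtual MAC."""
        owning = set(self.owner.values())
        return [name for name, up in self.up.items() if up and name not in owning]

    def fail(self, name: str) -> None:
        """An AVF goes down; the first SVF, if any, takes over its virtual MAC."""
        self.up[name] = False
        for n, owner in list(self.owner.items()):
            if owner == name:
                svfs = self.secondary_forwarders()
                if svfs:
                    self.owner[n] = svfs[0]
                # with no SVF left, that virtual MAC stays down until the router returns

    def choose_forwarder(self, client_mac: str) -> int:
        active = self.active_forwarders()
        if self.method == "round-robin":
            n = active[self._rr_index % len(active)]
            self._rr_index += 1
            return n
        if self.method == "weighted":
            # smooth weighted round robin: proportional to weight, no randomness
            for n in active:
                self._credit[n] += self.weight[self.owner[n]]
            n = max(active, key=lambda k: self._credit[k])
            self._credit[n] -= sum(self.weight[self.owner[k]] for k in active)
            return n
        if self.method == "host-dependent":
            # the same client hashes to the same forwarder while membership is unchanged
            digest = zlib.crc32(client_mac.lower().encode())
            return active[digest % len(active)]
        raise ValueError(f"unknown load-balancing method {self.method!r}")

    def arp_reply(self, client_mac: str) -> str:
        """Virtual MAC the AVG returns for an ARP request for the virtual IP."""
        return self.vmac(self.choose_forwarder(client_mac))


def forwarder_sequence(method: str, requests: int, same_client: bool = False) -> list:
    """Forwarder numbers the AVG hands out for a run of ARP requests (constructed clients)."""
    grp = GlbpGroup(1, [("R1", 100), ("R2", 200), ("R3", 100)], method)
    return [grp.choose_forwarder("00:11:22:33:44:00" if same_client else f"00:11:22:33:44:{i:02x}")
            for i in range(requests)]


def failover_demo() -> tuple:
    """Five routers: four AVFs and one SVF; R2 fails and the SVF inherits its MAC."""
    grp = GlbpGroup(1, [(f"R{i}", 100) for i in range(1, 6)])
    before = grp.secondary_forwarders()
    grp.fail("R2")
    return before, grp.owner[2], grp.active_forwarders()
```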
We’ll assume the servers are Web servers. To access the Web resource,
users will connect to the Virtual IP address 192.168.1.10. The multilayer
switch intercepts this packet, and redirects it to one of the physical servers
inside the server farm. In essence, the multilayer switch is functioning as a
Virtual Server.
Configuring SLB
Two separate elements need to be configured with SLB, the Server Farm,
and the Virtual Server.
To configure the Server Farm:
Switch(config)# ip slb serverfarm MYFARM
Switch(config-slb-sfarm)# predictor leastconns
The ip slb serverfarm command sets the server farm name, and places you in
SLB Server Farm configuration mode.
The predictor command sets the load-balancing method.
The real command identifies the IP address of a physical server in the farm,
and places you in SLB Real Server configuration mode.
The weight command assigns the load-balancing weight to that server.
The inservice command activates the real server. To deactivate: no inservice
The ip slb vserver command sets the Virtual Server name, and places you in
SLB Virtual Server configuration mode.
The serverfarm command associates the server farm to this Virtual Server.
The virtual command assigns the virtual IP address for the server farm.
The client command allows you to specify which clients can access the
server farm. It utilizes a wildcard mask like an access-list. In the above
example, client 192.168.0.0 0.0.255.255 would allow all clients in the
192.168.x.x Class B network.
The inservice command activates the Virtual Server. To deactivate: no inservice.
To troubleshoot SLB:
Switch# show ip slb serverfarms
Switch# show ip slb vserver
Switch# show ip slb real
Section 13
- Multicast -
Types of “packets”
Three types of packets can exist on an IPv4 network:
Unicast – A packet sent from one host to only one other host. A hub will
forward a unicast out all ports. If a switch has a table entry for the unicast’s
MAC address, it will forward it out only the appropriate port.
Broadcast – A packet sent from one host to all hosts on the IP subnet. Both
hubs and switches will forward a broadcast out all ports. By definition, a
router will not forward a broadcast from one segment to another.
Multicast – A packet sent from one host to a specific group of hosts.
Switches, by default, will forward a multicast out all ports. A router, by
default, will not forward a multicast from one segment to another.
Multicast Concepts
Remember, a multicast is a packet sent from one computer to a group of
hosts. A host must join a multicast group in order to accept a multicast.
Joining a multicast group can be accomplished statically or dynamically.
Multicast traffic is generally sent from a multicast server, to multicast
clients. Very rarely is a multicast packet sent back from a client to the
server.
Multicasts are utilized in a wide range of applications, most notably voice or
video systems that have one source “serving” out data to a very specific
group of clients.
The key to configuring multicast is to ensure only the hosts that require the
multicast traffic actually receive it.
Multicast Addressing
IPv4 addresses are separated into several “classes.”
Class A: 1.1.1.1 – 127.255.255.255
Class B: 128.0.0.0 – 191.255.255.255
Class C: 192.0.0.0 – 223.255.255.255
Class D: 224.0.0.0 – 239.255.255.255
Class D addresses have been reserved for multicast. Within the Class D
address space, several ranges have been reserved for specific purposes:
• 224.0.0.0 – 224.0.0.255 – Reserved for routing and other network
protocols, such as OSPF, RIP, VRRP, etc.
• 224.0.1.0 – 238.255.255.255 – Reserved for “public” use, can be used
publicly on the Internet. Many addresses in this range have been
reserved for specific applications.
• 239.0.0.0 – 239.255.255.255 – Reserved for “private” use, and cannot
be routed on the Internet.
The following outlines several of the most common multicast addresses
reserved for routing protocols:
• 224.0.0.1 – all hosts on this subnet
• 224.0.0.2 – all routers on this subnet
• 224.0.0.5 – all OSPF routers
• 224.0.0.6 – all OSPF Designated routers
• 224.0.0.9 – all RIPv2 routers
• 224.0.0.10 – all IGRP routers
• 224.0.0.12 – DHCP traffic
• 224.0.0.13 – all PIM routers
• 224.0.0.19-21 – ISIS routers
• 224.0.0.22 – IGMP traffic
• 224.0.1.39 – Cisco RP Announce
• 224.0.1.40 – Cisco RP Discovery
Binary:  0000 0001  0000 0000  0101 1110  0100 0001  1000 0010  1100 0011
Decimal: 0 1        0 0        5 14       4 1        8 2        12 3
Hex:     0 1        0 0        5 e        4 1        8 2        c 3
225.2.100.15 = 00000001.00000000.01011110.00000010.01100100.00001111
231.130.100.15 = 00000001.00000000.01011110.00000010.01100100.00001111
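The mapping behind the two addresses above, as an added Python helper (not from the guide): it derives the 01:00:5e MAC from a group address and lists the 32 groups that collide on it, which is why a filter or snooping table keyed on destination MAC alone cannot tell those groups apart.

```python
def _octets(ip: str) -> list:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip}")
    return parts


def is_multicast(ip: str) -> bool:
    """Class D: first octet 224 through 239 (high bits 1110)."""
    return 224 <= _octets(ip)[0] <= 239


def multicast_mac(ip: str) -> str:
    """Ethernet destination for an IPv4 multicast group.

    The fixed prefix 01:00:5e plus one zero bit leaves 23 bits for the group,
    so the 4 low bits of the first octet and the high bit of the second octet
    are discarded: only the low 7 bits of octet two survive.
    """
    if not is_multicast(ip):
        raise ValueError(f"{ip} is not a Class D address")
    o = _octets(ip)
    return f"01:00:5e:{o[1] & 0x7f:02x}:{o[2]:02x}:{o[3]:02x}"


def overlapping_groups(ip: str) -> list:
    """All 32 multicast groups sharing this address's MAC (16 first octets x 2 high bits)."""
    if not is_multicast(ip):
        raise ValueError(f"{ip} is not a Class D address")
    o = _octets(ip)
    low7 = o[1] & 0x7f
    return [f"{first}.{low7 | (high << 7)}.{o[2]}.{o[3]}"
            for first in range(224, 240) for high in (0, 1)]


def mac_to_groups(mac: str) -> list:
    """Inverse lookup: every group that could have produced this 01:00:5e MAC."""
    b = [int(x, 16) for x in mac.split(":")]
    if len(b) != 6 or b[:3] != [0x01, 0x00, 0x5e] or b[3] > 0x7f:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    return overlapping_groups(f"224.{b[3]}.{b[4]}.{b[5]}")


if __name__ == "__main__":
    for group in ("225.2.100.15", "231.130.100.15"):
        print(group, "->", multicast_mac(group))   # both print 01:00:5e:02:64:0f
```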
IGMP Example
In the above example, assume the router is using IGMPv2. Interface fa0/1
points towards the multicast source, and thus becomes the upstream
interface.
Initially, the router will send out Group Specific Queries out all non-
upstream interfaces. Any multicast hosts will respond with a Membership
Report stating what multicast group they wish to join.
Interfaces fa0/2 and fa0/3 will become downstream interfaces, as they
contain multicast hosts. No multicast traffic will be sent out fa0/4.
If all multicast hosts leave the multicast group off of interface fa0/2, it will
be removed from the multicast tree. If a multicast host is ever added off of
interface fa0/4, it will become a downstream interface.
IGMP Configuration
No configuration is required to enable IGMP, except to enable IP multicast
routing (ip multicast-routing). We can change the version of IGMP running
on a particular interface (by default, it is Version 2):
Switch(config-if)# ip igmp version 1
We can also simply force a router interface to always forward the traffic of a
specific multicast group out an interface:
Switch(config-if)# ip igmp static-group 226.1.5.10
(Diagram: Multicast Source, Router 1, Router 5, Router 6, Router 7)
Consider the above example. When PIM routers operate in Dense Mode, all
segments of the multicast tree are flooded initially. Eventually, “branches”
that do not require the multicast traffic are pruned off:
(Diagram, after pruning: Multicast Source, Router 1, Router 5, Router 6, Router 7)
When PIM routers operate in Sparse Mode, multicast traffic is not initially
flooded throughout the entire multicast tree. Instead, a Rendezvous Point
(RP) is elected or designated, and all multicast sources and clients must
explicitly register with the RP. This provides a centralized method of
directing the multicast traffic of multiple multicast sources:
Troubleshooting Multicasting
To view IGMP groups and current members:
Switch# show ip igmp groups
If using PIM in Dense Mode, the output would be similar to the following:
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
If using PIM in Sparse Mode, the output would be similar to the following:
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
Section 14
- Introduction to QoS -
Obstacles to Network Communication
Various types of “traffic” can exist on a network, including voice, video, and
“data” (such as email, file sharing, web traffic, etc.).
Some forms of traffic, especially voice and video, require “guaranteed” or
“regulated” service. Such traffic is more susceptible to the obstacles of
network communication, which include:
Bandwidth – Nothing interferes with network communication more than a
simple lack of sufficient physical speed. Thus, increasing bandwidth is often
considered the best method of improving network communication.
Bandwidth is generally measured in bits-per-second (bps), and can either
be a fixed rate speed (as Ethernet usually is), or a variable rate speed (as
Frame-Relay is). Various mechanisms, such as compression, can be used to
pseudo-increase the bandwidth capacity of a link.
Delay – Defines the latency that occurs when traffic is sent from one device
to another device. Delay can occur at several points on a network, all of
which will be covered shortly.
Jitter – Describes the fragmentation that occurs when traffic arrives at
irregular times (in other words, with a varying amount of delay), or in the
wrong order. Voice communication is especially susceptible to jitter issues.
Data Loss – Defines the inconsistency or failure that occurs when traffic is
dropped due to congestion. Packets are most often dropped when queues
become full, and tail drop takes effect.
All of these factors – bandwidth, delay, jitter, and data loss – adversely
affect network communication. While increasing bandwidth may alleviate
many issues, various Quality of Service (QoS) tools have been developed to
control the effects of these factors when additional bandwidth may not be
available. These QoS mechanisms provide specific applications with
guaranteed, consistent service.
Types of Delay
As stated earlier, delay can occur at all points on a network. Thus, various
types of delay have been defined:
• Serialization Delay – refers to the time necessary to encode bits of
data on a physical interface. Calculating serialization delay can be
accomplished using a simple formula:
serialization delay = (# of bits) / (bits per second)
QoS Methodologies
Three separate QoS “philosophies” exist, each with a different method (or
non-method) of providing quality of service:
• Best-Effort – Traffic is routed on a first come, first served basis.
Best-Effort is not truly QoS, but simply the default behavior of routers
and switches.
• Integrated Services (IntServ) – “End-to-end” QoS, meaning that a
dedicated (or guaranteed) communication path is provided (or
“reserved”) from the sending host to the receiving host. This quickly
becomes impractical on large networks with a variety of applications
needing QoS. There is only so much bandwidth that can be reserved.
• Differentiated Services (DiffServ) – Organizes traffic into separate
Classes of Service (CoS). Each router (or hop) is configured with
“instructions” on how to handle traffic, based on the CoS criteria.
The CCNP exams concentrate mostly on DiffServ QoS.
QoS Tools
Various tools have been developed to enforce QoS. Most of these tools are
used in conjunction with each other for a complete QoS policy.
• Classification and Marking – classification differentiates services by
looking at packet headers. Marking uses either the IP Precedence or
DSCP field of a packet to specify the level of QoS required for a
specific service/application.
• Queuing - used to allocate bandwidth and priority to specific traffic
types (per the above classification and marking).
• Queue Congestion Avoidance – used to regulate queue usage so that
total queue saturation does not occur.
• Traffic Shaping and Policing – used to regulate (or enforce) traffic
flow rates, to prevent link saturation.
Each of the above tools is covered in great detail in a separate guide.
Section 15
- DiffServ QoS -
Classifying Traffic
Differentiated QoS relies on the “classification” of traffic. The header of an
IP packet contains a one byte (8 bit) field for Type of Service (ToS). The
value of this ToS field indicates the level of QoS needed for the IP packet.
The ToS field is used by two “implementations” of QoS:
• IP Precedence - which uses only 3 bits of the ToS field to classify
traffic
• Differentiated Service Code Point (DSCP) – which uses 6 bits of
the ToS field to classify traffic. When using DSCP, the ToS field is
often referred to as the Differentiated Services (DS) field.
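An added Python helper (not from the guide) that pulls both views out of one ToS byte, showing why a DSCP such as af21 is read as IP Precedence 2 by a device that only understands the older 3-bit field. The CS/AF/EF names follow the standard DSCP scheme; nothing here is taken from this page's missing table.

```python
def parse_tos(tos: int) -> dict:
    """Split the 8-bit ToS/DS byte into its IP Precedence, DSCP and ECN views."""
    if not 0 <= tos <= 0xff:
        raise ValueError("ToS is a single byte")
    return {
        "precedence": tos >> 5,        # top 3 bits (IP Precedence)
        "dscp": tos >> 2,              # top 6 bits (DSCP)
        "ecn": tos & 0x03,             # low 2 bits, not used for classification
    }


def dscp_name(dscp: int) -> str:
    """Per-hop-behaviour name for a DSCP value (EF, CSx, AFxy or a plain number)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp}"


def dscp_value(name: str) -> int:
    """Inverse of dscp_name; accepts the lower-case spellings IOS uses (af21, ef, cs5)."""
    n = name.strip().upper()
    if n == "EF":
        return 46
    if n.startswith("CS") and n[2:].isdigit() and int(n[2:]) <= 7:
        return 8 * int(n[2:])
    if n.startswith("AF") and len(n) == 4 and n[2:].isdigit():
        cls, drop = int(n[2]), int(n[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return 8 * cls + 2 * drop
    if n.isdigit() and 0 <= int(n) <= 63:
        return int(n)
    raise ValueError(f"unknown DSCP name {name!r}")


def tos_byte(dscp, ecn: int = 0) -> int:
    """Build the ToS byte a marker would write for a DSCP (name or number)."""
    value = dscp if isinstance(dscp, int) else dscp_value(dscp)
    return (value << 2) | (ecn & 0x03)


def precedence_of(dscp) -> int:
    """IP Precedence an older device reads from a DSCP-marked packet: the DSCP class bits."""
    return parse_tos(tos_byte(dscp))["precedence"]


if __name__ == "__main__":
    for name in ("af21", "af23", "ef", "cs5"):
        print(f"{name}: ToS byte 0x{tos_byte(name):02x}, precedence {precedence_of(name)}")
```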
IP Precedence
IP Precedence utilizes three bits of the ToS header to identify the “priority”
of a packet. The IP Precedence of a packet can be set using access lists, class
maps, route maps, or various QoS “traffic shaping” mechanisms. The higher
the value, the better “service” that is provided.
Eight different IP Precedence values exist:
Next, we must identify the traffic we wish to apply QoS to, in a class map:
Switch(config)# access-list 10 permit 192.168.1.0 0.0.0.255
The first command creates the class-map named MYCLASS. The match-any
parameter indicates that the packet can match any of the criteria within the
class-map. We could also have specified match-all, which would have
required that the packet match all the criteria within the class-map.
After creating the class map, we are placed into Class Map Configuration
Mode. Here, we use match statements to specify the criteria our packet must
match.
We can match by access-list: match access-group 10
We can match by IP precedence: match ip precedence 2
We can match by DSCP value: match ip dscp af21
We can even match by application using Cisco’s Network-Based
Application Recognition (NBAR):
match protocol ftp
match protocol napster
match protocol kazaa2
NBAR keeps track of TCP/UDP traffic flows. The list of supported
applications for NBAR grows regularly.
The first command creates the policy-map named MYPOLICY. The second
command associates the class-map we created earlier to this policy.
Finally, we can specify either the DSCP value or IP Precedence we wish to
apply to this traffic.
Thus, any traffic matching the criteria of class map MYCLASS, coming
inbound on interface fa0/10, will have the QoS information in the policy
MYPOLICY applied.
By default, routers and switches are configured not to trust the QoS
information received on an interface. This is useful for routers on the “edge”
of your network, preventing erroneous or malicious QoS-enabled packets
from congesting router queues. To enable your router/switch to trust either
DSCP or IP Precedence values:
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos trust ip-precedence
“Not trusting” QoS information will not drop those packets! It simply
ignores the IP Precedence or DSCP information inside the packet header.
Troubleshooting QoS
To view the QoS settings on an interface:
Switch# show mls qos interface fa0/10
Section 16
- Congestion Avoidance (WRED) -
Queue Congestion
Queues are susceptible to congestion. If a port’s queue buffer fills to
capacity, packets will be dropped. QoS provides switches and routers with a
mechanism to drop lower priority traffic before higher priority traffic.
By default, ports will perform tail drop if congestion occurs. Tail drop
works on a first come, first served basis. If a standard queue fills to capacity,
any new packets are indiscriminately dropped, regardless of QoS.
Precedence  Min Threshold  Max Threshold
0           10             25
1           12             25
2           14             25
3           16             25
If our WRED configuration matched the above table, packets with a precedence
of “0” would be randomly dropped once 10 packets were queued. Packets with
a precedence of “2” would similarly be dropped once 14 packets were queued.
The maximum queue size is 25, thus all new packets of any precedence would
be dropped once 25 packets were queued.
Configuration of basic WRED occurs on an interface. To configure WRED
when using IP Precedence:
Switch(config)# interface fa0/1
Switch(config-if)# random-detect
Switch(config-if)# random-detect precedence 0 10 25
Switch(config-if)# random-detect precedence 1 12 25
Switch(config-if)# random-detect precedence 2 14 25
Switch(config-if)# random-detect precedence 3 16 25
Switch(config-if)# random-detect precedence 4 18 25
Switch(config-if)# random-detect precedence 5 20 25
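An added Python model (not the guide's own) of the drop decision produced by the thresholds configured above. The linear ramp between min and max and the 1-in-10 mark-probability denominator are the usual WRED behaviour, but the exact ramp shape and the handling of precedences with no thresholds are modelling assumptions.

```python
class Wred:
    """Per-precedence WRED drop decision for one egress queue."""

    def __init__(self, thresholds: dict, queue_limit: int, mark_prob_denominator: int = 10):
        # thresholds: precedence -> (min, max), as in "random-detect precedence P min max"
        self.thresholds = thresholds
        self.queue_limit = queue_limit
        # IOS default mark-probability denominator is 10: at most 1 packet in 10
        # is dropped just below the max threshold, before the queue is full
        self.max_prob = 1.0 / mark_prob_denominator

    def drop_probability(self, precedence: int, depth: int) -> float:
        """Probability of dropping an arriving packet at the given queue depth."""
        if depth >= self.queue_limit:
            return 1.0                           # queue full: tail drop regardless of QoS
        # assumption: an unconfigured precedence is only dropped when the queue is full
        lo, hi = self.thresholds.get(precedence, (self.queue_limit, self.queue_limit))
        if depth < lo:
            return 0.0                           # below min threshold: always enqueued
        if depth >= hi:
            return 1.0                           # at or above max threshold: always dropped
        # linear ramp from the first packet past min up to max_prob just below max
        return self.max_prob * (depth + 1 - lo) / (hi - lo)

    def admit(self, precedence: int, depth: int, rng) -> bool:
        """True if the packet is enqueued; rng.random() supplies the coin toss."""
        return rng.random() >= self.drop_probability(precedence, depth)


def tail_drop_admit(depth: int, queue_limit: int) -> bool:
    """Default behaviour with no WRED: only a full queue drops, and then it drops everything."""
    return depth < queue_limit


class FixedRng:
    """Deterministic stand-in for random.Random so outcomes can be reasoned about."""

    def __init__(self, value: float):
        self.value = value

    def random(self) -> float:
        return self.value


# Thresholds from the configuration above: precedence -> (min, max); queue holds 25 packets
GUIDE_WRED = Wred({0: (10, 25), 1: (12, 25), 2: (14, 25), 3: (16, 25),
                   4: (18, 25), 5: (20, 25)}, queue_limit=25)


def drop_profile(precedence: int) -> list:
    """Drop probability at every queue depth from 0 to 25 for one precedence."""
    return [round(GUIDE_WRED.drop_probability(precedence, d), 4) for d in range(26)]


if __name__ == "__main__":
    for prec in (0, 3, 5):
        print(f"precedence {prec}:", drop_profile(prec))
```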
The above command would be used if a particular port has two standard
egress queues (remember, the number of queues depends on the Catalyst
model). The two numbers are the weights for Queue 1 and Queue 2,
respectively. The weight is a number between 1 and 255, and serves as a
ratio for sending traffic.
In the above example, Queue 2 would be allowed to transmit twice as much
traffic as Queue 1 every “cycle” (255 is roughly twice that of 127). This
way, the higher-priority traffic should always be serviced first, and more
often.
Next, we can enable WRED on a particular queue. Is WRED enabled by
default? Cisco’s documentation on this is inconsistent. To enable WRED on
queue 1:
Switch(config-if)# wrr-queue random-detect 1
Troubleshooting QoS
To view the QoS settings on an interface:
Switch# show mls qos interface fa0/10
________________________________________________
Part V
Switch Security
________________________________________________
Section 17
- AAA -
AAA
Securing access to Cisco routers and switches is a critical concern. Often,
access is secured using enable and vty/console passwords, configured locally
on the device.
For large networks with many devices, this can become unmanageable,
especially when passwords need to be changed. A centralized form of access
security is required.
AAA is a security system based on Authentication, Authorization, and
Accounting.
Authentication is used to grant or deny access based on a user account and
password. Authorization determines what level of access that user has on
the router/switch once authenticated. Accounting can keep track of who
logged into what device, and for how long.
AAA must be enabled globally on a router/switch. By default, it is disabled.
Router(config)# aaa new-model
Privilege Levels
IOS devices have a total of 16 privilege levels, numbered 0 through 15.
User Exec mode is privilege level 1. Privileged Exec mode is privilege
level 15.
We can create a custom Privilege level, including the commands users are
allowed to input at that mode:
Router(config)# privilege exec all level 3 show interface
Router(config)# privilege exec all level 3 show ip route
Router(config)# privilege exec all level 3 show reload
Configuring Authentication
Authentication can be handled several different ways. We can use a
username and password configured locally on the router/switch:
Router(config)# username MYNAME password MYPASSWORD
There are several key differences between RADIUS and TACACS+ servers:
• RADIUS is an industry standard protocol, while TACACS+ is Cisco
proprietary
• RADIUS utilizes UDP, while TACACS+ utilizes TCP
• RADIUS encrypts only the password during the authentication
process, while TACACS+ encrypts the entire packet
There is one additional key difference: TACACS+ allows for the
authorization of a user, in addition to the authentication of a user. Thus,
TACACS+ allows us to control what commands a particular user can input.
RADIUS provides only authentication services.
The above command creates an authentication profile for router login named
default, directing the router to use the RADIUS server(s), TACACS+
server(s), and local forms of authentication, in that order.
Thus, the RADIUS server(s) will always be used, unless they fail. Then the
TACACS+ server will be used and then finally local authentication. This
provides fault-tolerance and automatic failover.
You should always include local at the end of this command. Otherwise, if
all RADIUS and TACACS+ servers are down, you won’t be able to log into
the router.
Multiple authentication profiles can be created. Each must have a unique
profile name. Obviously, default is the default profile name. If we wanted a
separate profile named ONLYLOCAL:
Router(config)# aaa authentication login ONLYLOCAL local
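The failover order described above, as an added Python simulation that is not from the guide. It also shows the one point the wording glosses over: IOS moves on to the next method only when a server does not answer; a server that rejects the password ends the attempt, so local is a safety net against unreachable servers, not against a wrong password. The server stand-ins and credentials are constructed.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # server accepted the credentials
    FAIL = "fail"    # server explicitly rejected the credentials
    ERROR = "error"  # server unreachable or timed out


def make_server(user_db, reachable=True):
    """Constructed stand-in for a RADIUS/TACACS+ server or the local
    username database: a function mapping (user, password) -> Result."""
    def handler(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if user_db.get(user) == password else Result.FAIL
    return handler


def authenticate(method_list, servers, user, password):
    """Walk an IOS-style method list. Only an ERROR (no answer from the
    server) moves on to the next method; an explicit FAIL ends the attempt.
    Returns (Result, deciding method), or (FAIL, None) when every method
    errored, which is the lockout the text warns about."""
    for method in method_list:
        result = servers[method](user, password)
        if result is Result.ERROR:
            continue
        return result, method
    return Result.FAIL, None


def login(radius_up, tacacs_up, method_list, user, password):
    """Constructed scenario: a different password is stored on each server
    so the caller can tell which method actually answered."""
    servers = {
        "radius": make_server({"admin": "radius-pw"}, reachable=radius_up),
        "tacacs+": make_server({"admin": "tacacs-pw"}, reachable=tacacs_up),
        "local": make_server({"admin": "local-pw"}),
    }
    return authenticate(method_list, servers, user, password)


# Method order from the default profile described above
DEFAULT = ["radius", "tacacs+", "local"]
```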
Or:
Router(config)# interface serial 0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication chap MYPROFILE
Notice that the top example uses PAP (Password Authentication Protocol),
while the bottom example uses CHAP (Challenge Handshake Authentication
Protocol). PAP sends the password in clear text, whereas CHAP sends only an
MD5 hash computed from the password and a challenge, so the password itself
never crosses the link. Thus, CHAP is far more secure.
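The two exchanges side by side, as an added Python example that is not from the guide: PAP places the password in the request as-is, while the CHAP response is MD5(Identifier || secret || Challenge) as RFC 1994 specifies, so a captured response is useless against a fresh challenge. The shared secret and usernames are constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret; with CHAP it is configured on both ends and
# never transmitted.
SHARED_SECRET = b"example-ppp-secret"


def pap_request(username, password):
    """PAP Authenticate-Request: the password rides in the packet as-is,
    so anyone capturing the link reads it directly."""
    return {"user": username, "password": password}


def chap_challenge(length=16):
    """The authenticator picks a fresh, unpredictable challenge per attempt."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """CHAP response = MD5(Identifier || secret || Challenge), RFC 1994.
    Only this hash crosses the link, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator recomputes the hash and compares in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def on_the_wire(pap_pkt, chap_resp):
    """What a passive observer of the link learns from each exchange."""
    return {"pap_password": pap_pkt["password"],
            "chap_response_hex": chap_resp.hex()}


if __name__ == "__main__":
    pkt = pap_request("admin", "MYPASSWORD")
    ch = chap_challenge()
    resp = chap_response(1, SHARED_SECRET, ch)
    print(on_the_wire(pkt, resp))
    print("CHAP verified:", chap_verify(1, SHARED_SECRET, ch, resp))
```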
Configuring Authorization
Authorization allows us to dictate what rights a user has to the router once
they have logged in:
Router(config)# aaa authorization commands default radius
Router(config)# aaa authorization config-commands default radius
Router(config)# aaa authorization exec default radius
Router(config)# aaa authorization network default radius
Router(config)# aaa authorization reverse-access default radius
The Router will consult the RADIUS server to “authorize” access to specific
privilege modes (or in the case of TACACS+, even specific commands). A
user trying to access Global Configuration mode must be authorized to do so
on the RADIUS server.
Explanations of the above “sections” we can authorize:
• commands – access to any Router command at any mode
• config-commands – access to any Router configuration command
• exec – access to privileged mode
• network – access to network-related commands
• reverse-access – ability to reverse telnet from the Router
We can then apply this authorization to a line:
Router(config)# line vty 0 15
Router(config-line)# authorization default
Configuring Accounting
We can configure accounting to log access to routers and switches:
Router(config)# aaa accounting system default stop-only
Router(config)# aaa accounting exec default start-stop
Router(config)# aaa accounting commands 3 default start-stop
Router(config)# aaa accounting commands 15 default start-stop
Troubleshooting AAA
To debug the various functions of AAA:
Router# debug aaa authentication
Router# debug aaa authorization
Router# debug aaa accounting
Router# debug radius
Router# debug tacacs
Section 18
- Switch Port and VLAN Security -
Switch Port Security
Port Security adds an additional layer of security to the switching network.
Generally, the MAC address of a host does not change. If we are certain that
a specific host will always remain plugged into a specific port, we can filter
all MAC addresses but that host’s address. We can either statically set this
MAC address, or have the switch dynamically learn it from traffic.
To enable Port Security:
Switch(config-if)# switchport port-security
By default, Port Security will allow only one MAC on a port. We can adjust
the maximum number of MACs, up to 1024:
Switch(config-if)# switchport port-security maximum 2
Only those MACs will be able to send traffic through this port. If we had
specified a maximum of 10 MAC addresses for this port, and manually
specified only two, the remaining 8 MACs would be dynamically learned.
Finally, we must tell the switch how to react if an unauthorized MAC address
tries to send traffic through this port:
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security violation protect
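The three violation modes in action, as an added Python model that is not from the guide: a port with a maximum of 2, one static MAC and one slot left to learn dynamically, then a third, unauthorized MAC. The MAC addresses and frame sequence are constructed.

```python
class SecurePort:
    """Constructed model of one switchport with port security enabled.

    violation: "shutdown" puts the port in err-disabled state (nothing more
    is forwarded until an admin recovers it), "restrict" drops offending
    frames and counts them, "protect" drops them silently.
    """

    def __init__(self, maximum=1, violation="shutdown", static_macs=()):
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = set(static_macs)  # static entries count toward maximum
        self.err_disabled = False
        self.violation_count = 0

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # dynamically learned into a free slot
            return True
        # Unauthorized MAC with the table full: apply the violation action
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1  # IOS also logs / sends an SNMP trap here
        # "protect": silent drop, no counter
        return False


def run(violation):
    """Replay a constructed frame sequence: the static host, a second host
    that gets learned, an unauthorized third MAC, then the static host again.
    Returns (forwarded flags, violation count, err-disabled state)."""
    port = SecurePort(maximum=2, violation=violation,
                      static_macs=["00:11:22:33:44:55"])
    frames = ["00:11:22:33:44:55", "66:77:88:99:aa:bb",
              "de:ad:be:ef:00:01", "00:11:22:33:44:55"]
    return [port.ingress(m) for m in frames], port.violation_count, port.err_disabled


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, run(mode))
```

Note that with shutdown the legitimate static host is cut off too once the port is err-disabled, which is the trade-off between the strictest response and availability.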