You are on page 1of 126

Switching Notes

Introduction
Before you start reading these notes, you should have completed the following course or have
equivalent networking experience:

Cisco Exam 640-802 OR


Cisco Exam 640-822 AND Exam 640-816
Cisco Device Icons

Icon

The following table lists the specific icons Cisco uses to represent network devices and
connections.
Represents

Hub

Bridge

Switch

Layer 3 Switch

Router

Access point

Network cloud

Ethernet connection

Serial Line
connection

Wireless connection

Virtual Circuit

Multilayer Switching Overview


As you study this section, answer the following questions:

What is the difference between Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet?
What are the three common submodules in a Cisco hierarchical network design?
Which submodule is designed to provide fast failure recovery?
What is a hierarchical network?
Where can you find distribution-layer and access-layer switches in a hierarchical network?

Multilayer Switching Overview


Original switches operated at Layer 2. Newer switches can operate at other layers. Generally, the
term multilayer switch is used to describe a switch that is both capable of Layer 2 and Layer 3
switching; however, the following table summarizes basic marketing terms used to describe
switches which perform functions at different layers:
Term

Description
Current Layer 2 switches:

Layer 2
Switching

Operate at the Data Link layer of the OSI model.


Forward traffic without frame modification
Support Internet Group Management Protocol (IGMP) snooping and Quality
of Service (QoS) markings
Have limited scalability in large networks without Layer 3 boundaries

Current Layer 3 switches:


Layer 3
Switching

Operate at the Network layer of the OSI model


Rewrite packets by using Application-Specific Integrated Circuit (ASIC)
hardware
Are different than routers because they use hardware components (i.e. ASIC)
to route traffic and have more physical ports

Current Layer 4 switches:


Layer 4
Switching

Operate at the Transport layer of the OSI model


Use IP session information contained in the TCP and UDP port information of
the packet to distinguish traffic type
Provide traffic load balancing based on TCP sessions

Current Layer 7 switches

Layer 7
Switching

Operate at the Application layer of the OSI model


Provide load balancing for HTTP, HTTPS and/or VPN, or for any application
TCP/IP traffic using a specific port
Can often also be used to perform standard operations such as SSL
encryption/decryption to reduce the load on the servers receiving the traffic,
and to centralize the management of digital certificates
May include a web cache and participate in a content delivery network

Hierarchical Network Design

Hierarchical network design is a model of interconnected network devices and computers in


discrete layers. The design is typically comprised of floor-level devices, building-level devices, and
campus-level devices. Different devices are implemented to meet specific needs depending on the
location.
The illustration below has three layers or submodules in Cisco's hierarchical network design. The
concept of the submodules coincide with the physical implementation of the network devices used
in multilayer networks.

The following table describes the submodule:


Submodule

Description

Building
Access

The Building Access submodule, also known as the Access layer, contains end-user
workstations, IP phones, and the Layer 2 access switches that connect devices to the
Building Distribution submodule.

Building
Distribution

The Building Distribution submodule, also known as the Distribution layer, provides
aggregation of the Building Access devices. It contains Layer 3 switches which
perform IP routing and implement QoS and access control. This submodule is
intended for fast failure recovery because it has two equal-cost paths to the core
layer.

Campus
Backbone

The Campus Backbone submodule, also known as the Core layer, provides
redundant and fast-converging paths between the distribution layer. This submodule
is intended to route and switch traffic as fast as possible from one module to
another.

Hierarchical Network Ethernet Facts


In a hierarchical network, several different types of Ethernet categories are implemented between
devices because of bandwidth requirements:

10-Gigabit Ethernet has a bandwidth of 10,000 Mbps (half duplex) 20,000 Mbps (full
duplex)
Gigabit Ethernet has a bandwidth of 1,000 Mbps (half duplex) 2,000 Mbps (full duplex)
Fast Ethernet has a bandwidth of 100 Mbps (half duplex) 200 Mbps (full duplex)

The following image displays which Ethernet categories would be implemented in a hierarchal
network design:

The following table compares the characteristics of various Ethernet implementations.


Category

Standard

Bandwidth

10Base5

10 Mbps

Maximum Segment
Length
Coaxial (thicknet) 500 meters

10Base2

10 Mbps

Coaxial (thinnet) 185 meters

10BaseT

10 Mbps (half
duplex)
20 Mbps (full
duplex)

Twisted pair
(Cat3, 4, or 5)

100BaseTX

100 Mbps (half


duplex)
Twisted pair
200 Mbps (full (Cat5)
duplex)

100 meters

100BaseT4

100 Mbps (half


duplex)
Twisted pair
200 Mbps (full (Cat5)
duplex)

100 meters

100BaseFX

100 Mbps (half


duplex)
Fiber optic
200 Mbps (full
duplex)

412 meters (half duplex


multimode cable)
2,000 meters (full duplex
singlemode cable)

1000BaseSX (short)

1,000 Mbps

220 to 550 meters

Ethernet

Fast
Ethernet

Gigabit

Cable Type

Fiber optic

100 meters

Ethernet

10-Gigabit
Ethernet

(half duplex)
2,000 Mbps
(full duplex)

depending on cable
quality

1000BaseLX (long)

1,000 Mbps
(half duplex)
2,000 Mbps
(full duplex)

Fiber optic

550 to 5,000 meters


depending on cable
quality

1000BaseZX

1,000 Mbps
(half duplex)
2,000 Mbps
(full duplex)

Fiber optic
(Single-mode)

70 to 100 km depending
on cable quality

1000BaseCX (short
copper)

1,000 Mbps
(half duplex)
2,000 Mbps
(full duplex)

Special copper

25 meters, used within


wiring closets

1000BaseT

1,000 Mbps
(half duplex)
2,000 Mbps
(full duplex)

Twisted pair
(Cat5e)

100 meters

10GBaseSR (short
range)

10,000 Mbps
(full duplex)

Fiber optic

26 to 82 meters with
multi-mode cable

10GBaseLR (long
range)

10,000 Mbps
(full duplex)

Fiber optic

10 km with single-mode
cable

10GBaseLRM (long
reach multimode)

10,000 Mbps
(full duplex)

Fiber optic

220 meters with multimode cable

10GBaseER
(extended range)

10,000 Mbps
(full duplex)

Fiber optic

40 km with single-mode
cable

10GBaseLX4

10,000 Mbps
(full duplex)

Fiber optic

240 to 300 meters with


multi-mode cable

10GBaseCX4

10,000 Mbps
(full duplex)

Copper

15 meters

10GBaseKX4
10GBaseKR

10,000 Mbps
(full duplex)

Copper

<1 meter

10GBaseT

10,000 Mbps
(full duplex)

Twisted pair
55 meters with Cat6
(Cat6)
100 meters with Cat6
Twisted pair
partitioned
(Cat6 partitioned)

Note: 1000BaseCX is not supported on any Cisco device.

Initial Switch Configuration


As you study this section, answer the following questions:

What is the difference between the config-vlan mode and the VLAN configuration mode?
What is the difference between using exit or Ctrl + Z when changing configuration modes?
What three different duplex modes can be set on the interface?
What will be the result of disabling the Auto-MDIX?

Command Mode Prompts and Commands


The following graphic and table summarize the basic command mode prompts of the switch.

Mode

User EXEC

To Exit

Details

Prompt

To Enter

Switch>

This mode, also known as


User mode, allows a user to
view a limited amount of
Press
exit
information. Essentially, the
<enter>, then logout
disconnect user can look around but not
log in
break anything by executing
non-disruptive commands.
disable
(exit
disconnects)

This mode, also known as


Enable mode, allows the user
to execute powerful or
privileged commands, such as
reload which tells the switch
to reboot the Cisco IOS.

config
Global
Switch(config)#
terminal
Configuration

exit, ^Z*

This mode allows the user to


make global configurations on
the switch (or configurations
which affect the whole
switch), such as the hostname
of the switch.

Line

exit, ^Z*

Use this mode to configure

Privileged
EXEC

Switch#

Switch(config-

enable

line

line)#

parameters for the terminal


line, such as the console,
Telnet, and SSH lines.

<type>
<number>

The switch has multiple


interface modes depending on
the physical (or logical)
interface type. For this course,
you should be familiar with
the following switch interface
modes:

Interface

Switch(configif)#

interface
<type>
exit, ^Z*
<number>

Ethernet (10 Mbps


Ethernet)
FastEthernet (100
Mbps Ethernet)
GigabitEthernet (1 GB
Ethernet)
VLAN

Note: The VLAN interface


configuration mode is used to
configure the switch IP
address and other
management functions. It is a
logical management interface
configuration mode, instead
of a physical interface
configuration mode as used
for the FastEthernet and
GigabitEthernet ports.
Details of the config-vlan
mode include the following:

Config-vlan

Switch(configvlan)#

vlan <14094>

exit, ^Z*

You can use the


config-vlan mode to
perform all VLAN
configuration tasks.
Changes made in vlan
mode take place
immediately.

Note: Do not confuse the


config-vlan mode with the
VLAN interface configuration
mode.
Details of the VLAN
configuration mode include
the following:
VLAN
Switch(vlan)#
Configuration

vlan
database

exit, ^Z*

The vlan configuration


mode allows you to
only configure a
subset of VLAN
features.
Changes made in the

VLAN configuration
mode do not take
effect until you save
the changes, either
before or while exiting
the configuration
mode.
Changes made in the
VLAN configuration
mode are not stored in
the regular switch
configuration file.

Note: The VLAN


configuration mode is being
deprecated (phased out).
Note: *^Z (Ctrl + Z) exits all configuration modes to privileged EXEC mode. exit "backs up" one
configuration mode.
Initial Switch Configuration Command List
The following table lists common initial switch configuration commands:
Use...
Switch(config)#hostname
<name>
Switch(config)#interface
<type> <number>
Switch(configif)#description
<description text>
Switch(config)#enable secret
<password>

To...
Change the host name of the Switch

Set a description for a specific interface

Set the encrypted password used for privileged mode


access. The enable secret is always used if it exists.
This command uses the Message-Digest 5 (MD5)
hashing algorithm to encrypt the password.

Switch(config)#enable password
<password>

Set the unencrypted password for privileged mode access.


This password is used if the enable secret is not set.

Switch(config)#line con 0

Switch to the line configuration mode for the console.

Switch(config)#line vty <0-197>


<1-197>

Switch to the line configuration mode for the virtual


terminal. Specify one line number or a range of line
numbers, for example: line vty 0 4

Switch(config-line)#password

Set the line password (for either console or VTY access).

Switch(config-line)#login

Require the password for line access.

Switch(config)#no enable secret


Switch(config)#no enable
password
Switch(config-line)#no login
Switch(config-line)#no password

Remove the password. The no login command disables


password checking.

Switch(config)#service passwordencryption

Encrypt all passwords as a type 7 password. Encrypted


type 7 passwords are not secure and can be easily broken;
however, the encrypted values do provide some level of

protection from someone looking over your shoulder


after having issued the show run command. Rather than
relying on this encryption, make sure to use the enable
secret command for better encryption.
Switch#show version

View hardware configuration, running IOS version, ROM


bootstrap version, and RAM and processor information

Switch#show running-config

View the currently running configuration file

Switch#show startup-config
or
Switch#show config

View the startup configuration file stored in NVRAM


(the saved copy of the configuration file)

Port Configuration Command List


The following table lists common port configuration commands:
Use...

To...

switch(config)#interface <type> <number>


switch(config)#interface FastEthernet 0/14
switch(config)#interface GigabitEthernet 0/1

Move to interface configuration mode

switch(config)#interface
<number>
switch(config)#interface
0/14 - 24
switch(config)#interface
gigabitethernet 0/1 - 4
switch(config)#interface
- 10
switch(config)#interface
gi 0/1 - 2

Move to configuration mode for a range


of interfaces

range <type>
range fastethernet
range
range fa 0/1 - 4 , 7
range fa 0/8 - 9 ,

switch(config-if)#speed
switch(config-if)#speed
switch(config-if)#speed
switch(config-if)#speed

10
100
1000
auto

Set the port speed on the interface

switch(config-if)#duplex half
switch(config-if)#duplex full
switch(config-if)#duplex auto

Set the duplex mode on the interface

switch(config-if)#no shutdown
switch(config-if)#shutdown

Enable or disable the interface

switch#show interface status

Show interface status of all ports

switch#show ip interface brief

Show line and protocol status of all ports

Be aware of the following switch configuration details:

All switch ports are enabled (no shutdown) by default.


Port numbering on some switches begins at 1, not 0. For example, FastEthernet 0/1 is the
first FastEthernet port on a 2960 switch.
Through auto-negotiation, the 10/100/1000 ports configure themselves to operate at the
speed of attached devices. If the attached ports do not support auto-negotiation, you can
explicitly set the speed and duplex parameters.
If the speed and duplex settings are set to auto, the switch will use auto-MDIX to sense the
cable type (crossover or straight-through) connected to the port and will automatically adapt
itself to the cable type used. When you manually configure the speed or duplex setting, it
disables auto-MDIX so you will need to be sure to use the correct cable.
Note: If one link partner has the duplex manually-configured and the other link partner is

using auto-negotiation, a mismatch will occur, resulting in very poor performance and
Layer 2 error frames. This is because the auto-negotiating link partner did not receive autonegotiation parameters from the other link partner and consequently defaulted to half duplex
as defined in the IEEE 802.3u specification.
Always manually configure the speed and duplex settings for critical connections. Use autonegotiation for connections to user workstations.

VLANs
As you study this section, answer the following questions:

What are the administrative advantages of creating VLANs?


Why are end-to-end VLANs more difficult to troubleshoot than local VLANs?
What is the difference between a static VLAN and a dynamic VLAN?
What two configuration steps must you take to manage a Layer 2 switch from a remote
network?

After finishing this section, you should be able to complete the following tasks:

Display the current VLAN configuration.


Execute common VLAN configuration commands.
Given a scenario, create a VLAN and assign port membership as assigned.
Given a scenario, configure management VLAN settings.

This section covers the following exam objectives:

101. Explain the functions of VLANs in a hierarchical network.


102. Configure VLANs (e.g., Native, Default, Static and Access).

VLAN Facts
A virtual LAN (VLAN) can be defined as:

Broadcast domains defined by switch port rather than network address


A grouping of devices based on service need, protocol, or other criteria rather than physical
proximity

Using VLANs lets you assign devices on different switch ports to different logical (or virtual)
LANs. The following graphic shows a single-switch VLAN configuration.

Be aware of the following facts about VLANs:

In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet
ports 0/3 and 0/4 are members of VLAN 2.
In the graphic above, workstations in VLAN 1 will not be able to communicate with
workstations in VLAN 2, even though they are connected to the same physical switch.
Defining VLANs creates additional broadcast domains. The above example has two
broadcast domains, each of which corresponds to one of the VLANs.
By default, switches come configured with several default VLANs:
o VLAN 1
o VLAN 1002
o VLAN 1003
o VLAN 1004
o VLAN 1005
On Cisco switches, the default VLAN configuration on a single port is VLAN 1. If no
configuration changes are made on the switch, all ports have VLAN 1 as their native
VLAN.

Creating VLANs with switches offers the following administrative benefits.

You can isolate network failures to a particular subnet (within a single VLAN)
You can simplify device moves (devices are moved to new VLANs by modifying the port
assignment)
You can control broadcast traffic and create collision domains based on logical criteria
You can control security (isolate traffic within a VLAN)
You can load-balance network traffic (divide traffic logically rather than physically)

When designing VLANs in a hierarchical network, consider the following concepts:


Design
concept

Description
End-to-end VLANs are VLANs that span throughout the entire network. End-toEnd VLANs:

End-to-End
VLANs

Are associated with a workgroup, such as a department or team


May span several wiring closets or even several buildings
Are difficult to troubleshoot because they span through the entire switched
network

Local VLANs are VLANs that are local to a specific domain, such as the building
access submodule. Local VLANs (data and voice):

Local VLANs

Are limited to a single access switch within a wiring closet (the single switch
should be configured with a limited amount of VLANs)
Should not be extended beyond the building distribution submodule
Result in user traffic crossing a Layer 3 device to reach network resources
Are easier to troubleshoot because they isolate traffic to a particular network
segment

Note: When designing the VLAN configuration in a hierarchical network, the local
VLAN concept is recommended.
VLANs are created through one of the following:
Type

Description

Static

Static VLANs are manually configured on the switch's physical interface using the

command line. Static VLANs work well when network additions, changes, and moves
are rare.
Note: By default, all ports are static-access ports assigned to VLAN 1.
Dynamic VLANs are created through a VLAN Management Policy Server (VMPS). The
VMPS has a database of MAC addresses mapped to specific VLANs. When an incoming
frame is first received on a port, the VMPS views the MAC address, compares it to the
database, and assigns the port to a particular VLAN. Be aware of the following Dynamic
VLAN details:
Dynamic

The VMPS database should be created by the network engineer and then
uploaded to the switch.
A dynamic port can only belong to one VLAN at a time.
Multiple hosts may be active on a dynamic port only if they all belong to the same
VLAN.

Note: Only some Cisco Catalyst switches support VMPS and dynamic VLANs.

VLAN Command List


To configure a simple VLAN, first create the VLAN, and then assign ports to that VLAN. The
following table shows common VLAN configuration commands.
Use...

To...

switch(config)#vlan <1-4094>
switch(config-vlan)#name
WORD

Define a VLAN
Giving the VLAN a name is optional. VLAN names must be
unique.

switch(config)#no vlan
<1-4094>

Delete a VLAN
When you delete a VLAN, all ports assigned to the VLAN
remain associated with the deleted VLAN, and are therefore
inactive. You must reassign the ports to the appropriate
VLAN.

switch(config-if)#switchport
access vlan <1-4094>

Assign ports to the VLAN


Note: If you assign a port to a VLAN that does not exist, the
VLAN will be created automatically.

switch(configif)#switchport mode
access

Specify the interface as an unconditional access port.

switch#show vlan
switch#show vlan brief

Show a list of VLANs on the system

switch#show vlan id <1-4064>

Show information for a specific VLAN

Example
The following commands create VLAN 12 named IS_VLAN, identifies port 0/12 as having only
workstations attached to it, and assigns the port to VLAN 12.
switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport access vlan 12

Management VLAN Configuration Facts

To manage the Layer 2 switch from a remote network, you will need to give VLAN 1 (the default
management VLAN) an IP address, as well as configure the default gateway on the switch. Keep in
mind the following facts about IP addresses configured on switches:

Basic switches operate at Layer 2, and therefore do not need an IP address to function. In
fact, a switch performs switching functions just fine without an IP address set.
You only need to configure a switch IP address if you want to manage the switch from a
Telnet or Web session.
A Layer 2 switch itself has only a single (active) IP address. Each switch port does not have
an IP address (unless the switch is performing Layer 3 switching). The IP address identifies
the switch as a host on the network but is not required for switching functions.

To configure the switch IP address, you set the address on the VLAN 1 interface. This is a logical
interface defined on the switch to allow management functions. Use the following commands to
configure the switch IP address:
switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 1.1.1.1 255.255.255.0
switch(config-if)#no shutdown

To enable management from a remote network, you will also need to configure the default
gateway. Use the following command in global configuration mode:
switch(config)#ip default-gateway 1.1.1.254

Note: You can use the ip address dhcp command to configure a switch to get its IP address from a
DHCP server. The DHCP server can be configured to deliver the default gateway and DNS server
addresses to the Cisco device as well. The manually-configured default gateway address overrides
any address received from DHCP.

VLAN Trunking
As you study this section, answer the following questions:

When does the trunking protocol not tag the frame over a trunk link, and how does it handle
the frame?
When does dynamic trunking configure a trunk link?
What happens if two switches on a VLAN trunk are both configured for auto dynamic
trunking?

After finishing this section, you should be able to complete the following tasks:

Manually configure trunking on interfaces where switches will be attached.


Configure switches to use 802.1Q trunking protocol and dynamic desirable mode.
Configure the native VLAN for a trunk link.
Configure which VLANs are permitted to communicate over a trunk link.

This section covers the following exam objectives:

103. Explain and configure VLAN trunking (i.e., IEEE 802.1Q and ISL)
105. Verify or troubleshoot VLAN configurations.

VLAN Trunking Facts


Trunking is a term used to describe connecting two switches together. Trunking is important when
you configure VLANs that span multiple switches as shown in the diagram.

Be aware of the following facts regarding trunking and VLANs:

In the above graphic, each switch has two VLANs. Each VLAN is assigned to a single port
(The port is known as an access port.).
Workstations in VLAN 1 can only communicate with workstations in VLAN 1. This means
that the two workstations connected to the same switch cannot communicate with each
other. Communications within the VLAN must pass through the trunk link to the other
switch.
Trunk ports identify which ports are connected to other switches.

Trunk ports can automatically carry traffic for all VLANs defined on the switch. You can
prevent traffic from a specific VLAN from being carried on the trunk through a specific
configuration.
Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a
trunking port.

When trunking is used, frames that are sent over a trunk port are tagged with the VLAN ID number
so that the receiving switch knows to which VLAN the frame belongs.

Tags are appended by the first switch in the path, and removed by the last.
Only VLAN-capable devices understand the frame tag.
Tags must be removed before a frame is forwarded to a non-VLAN-capable device.

The trunking protocol describes the format that switches use for tagging frames with the VLAN ID.
Cisco devices support two trunking protocols:
Trunking
Protocol

Characteristics
Inter-Switch Link (ISL) trunking protocol details include the following:

A Cisco-proprietary trunking protocol.


ISL can only be used between Cisco devices.
ISL encapsulates the frame with an ISL header and trailer, instead of tagging
(modifying) the frame.
ISL supports VLAN numbers 1-1005.

Inter-Switch
Link (ISL) Be aware of the following facts regarding the trunking protocols:

If a non-ISL-configured trunk port receives an ISL-encapsulated Ethernet


frame, it may consider those frames to be transmission errors because the ISL
header and trailer cause the frame to have an excessive size.
Switches that do not support ISL simply drop ISL frames because they cannot
decode the ISL encapsulation.

802.1Q trunking protocol details include the following:

802.1Q

An IEEE standard for trunking and therefore supported by a wide range of


devices.
802.1Q supports VLAN numbers 1-4094.
With 802.1Q trunking, frames from the native VLAN are not tagged. Frames
from all other VLANs are tagged. For example, if an 802.1Q port has VLANs
2, 3 and 4 assigned to it with VLAN 2 being the native VLAN, frames on
VLAN 2 that exit the port are not given an 802.1Q header. Frames which
enter this port and have no 802.1Q header are put into VLAN 2.
o If the native VLAN on one end of the trunk is different than the native
VLAN on the other end, the traffic of the native VLANs on both sides
cannot be transmitted correctly on the trunk.
o The native VLAN is VLAN 1 by default, but may be configured.

Note: When using multiple vendors in a switched network, be sure each switch
supports the 802.1Q standards if you want to implement VLANs.
Cisco switches have the ability to automatically detect ports that are trunk ports, and to negotiate
the trunking protocol used between devices. Switches use the Dynamic Trunking Protocol (DTP) to

detect and configure trunk ports. For example, when you connect two switches together, they will
automatically recognize each other and select the trunking protocol to use.
VLAN Trunking Command List
The following table lists important commands for configuring and monitoring trunking on a switch.
Use...
Switch(configif)#switchport mode
trunk
Switch(configif)#switchport trunk
encapsulation dot1q
Switch(configif)#switchport trunk
encapsulation isl
Switch(configif)#switchport trunk
encapsulation negotiate
Switch(configif)#switchport trunk native
vlan <vlan id>
Switch(configif)#switchport trunk
allowed vlan all
Switch(configif)#switchport trunk
allowed vlan add <vlan id>
Switch(configif)#switchport trunk
allowed vlan remove <vlan
id>

Switch(configif)#switchport mode
dynamic auto

To...
Enable unconditional trunking on the interface. The port will
not use Dynamic Trunking Protocol (DTP) on the interface.
Set the trunking protocol, or allows the trunking protocol to be
negotiated.
Note: Not all Catalyst switches allow configuration of the
trunking protocol.
Configure the VLAN that is sending and receiving untagged
traffic on the trunk port when the interface is in 802.1Q
trunking mode.
Set which VLANs are allowed to communicate over the trunk.
Remove which VLANs are not allowed to communicate over
the trunk.
Note: The default allows all VLANs in the VLAN database to
communicate over the trunk.
Enable automatic trunking discovery and configuration. The
switch uses DTP to configure trunking.
Enable dynamic trunking configuration.

Switch(configif)#switchport mode
dynamic desirable

Switch(configif)#switchport mode
access

If a switch is connected, it will attempt to use the


desired trunking protocol.
If a switch is not connected, it will communicate as a
normal port.

Disable trunking configuration on the port. The port is set to the


access mode unconditionally and operates as a nontrunking,
single VLAN interface that sends and receives non-tagged
frames.
Show interface trunking information with the following:

Switch#show interface trunk


Switch#show interface fa0/1
trunk

Mode
Encapsulation
Trunking status
VLAN assignments

Note: Be aware of the following when configuring VLAN trunking:

Two switches both configured to use auto dynamic trunking will not trunk. At least one of
the switches must be set to manually trunk or to use desirable dynamic trunking.
To avoid auto-negotiation on trunk ports, manually configure the speed and duplex.

VLAN Trunking Protocol (VTP)


As you study this section, answer the following questions:

What two conditions on switches will not allow you to modify the VLAN configuration?
What is the easiest way to recover from losing the only VTP server?
Which type of VTP message is the most frequently sent by switches?
What happens when you add a switch to the network with a higher revision number to your
VTP configuration?
How do you remove a VTP domain name?

After finishing this section, you should be able to complete the following tasks:

Configure the VTP mode, domain, and password.


Confirm the VTP status of a switch.

This section covers the following exam objectives:

104. Explain and configure VTP.

VTP Facts
The VLAN Trunking Protocol (VTP) simplifies VLAN configuration on a multi-switch network by
propagating configuration changes to other switches. With the VTP, switches are placed in one of
the following three configuration modes.
Mode

Server

Characteristics
A switch in server mode is used to modify the VLAN configuration. On a server:

Changes can be made to the VLAN configuration on the switch.


The switch advertises VTP information to other switches in the domain.
The switch updates its VLAN configuration from other switches in the domain.
The switch saves the VLAN configuration in NVRAM.

A switch in client mode receives changes from a VTP server and passes VTP
information to other switches. On a client:
Client

Changes cannot be made to the VLAN configuration.


The switch advertises VTP information to other switches in the domain.
The switch updates its VLAN configuration from other switches in the domain.
The switch does not save the VLAN configuration in NVRAM.

A switch in transparent mode allows for local configuration of VLANs, but does not
update its configuration based on the configuration of other switches. On a transparent
switch:
Transparent

Changes can be made to the VLAN configuration on the switch.


Local VLAN information is not advertised to other switches.
VTP information received from other switches is passed through the switch.
Note: The transparent switch only relays VTP information if it is in the same
VTP domain or if it has a null (blank) VTP domain.
The switch does not update its VLAN configuration from other switches in the
domain.

The switch saves its VLAN configuration in NVRAM.

VTP message types include the following:


Type

Description

Summary

Summary advertisements inform adjacent switches of the current VTP domain


name and the configuration revision number. By default, Catalyst switches send
summary advertisements every five minutes.

Subset

Subset advertisements are sent after a VLAN has been added, deleted, or changed
on a switch in server mode. One or several subset advertisements follow the
summary advertisement. A subset advertisement contains a list of VLAN
information. If there are several VLANs, more than one subset advertisement can
be required in order to advertise all the VLANs.
Advertisement requests from switches configured as clients. A switch needs a
VTP advertisement request in these situations:

Advertisement
Request

The switch has been reset.


The VTP domain name has been changed.
The switch has received a VTP summary advertisement with a higher
configuration revision than its own.

Upon receipt of an advertisement request, a VTP device sends a summary


advertisement. One or more subset advertisements follow the summary
advertisement.
Keep in mind the following facts about VTP:

By default, switches are preconfigured in server mode. If you do not intend to use VTP,
configure each switch to use transparent mode.
A VTP Domain is one or several switches that share the same VTP environment. Catalyst
switches only support a single VTP domain per switch.
You can have multiple VTP servers in the same domain on the network. Changes made to
any server are propagated to other client and server switches.
To make VLAN changes on a switch, the switch must be in either server or transparent
mode. You cannot modify the VLAN configuration if:
o The switch is in client mode
o The switch is in server mode and without a configured domain name.
VTP uses the following process for communicating updates:
1. VTP summary advertisement packets contain the domain name, MD5 version of the
password, and the revision number.
2. When a switch receives a summary packet, it compares the domain name and
password in the packet with its own values. If the domain name and password do not
match, the packet is dropped.
3. If the domain name and password match, the switch compares the revision number
in the packet.
4. If the revision number in the packet is lower or equal, the packet is ignored. If it is
higher, the switch sends an advertisement request for the latest updates.
5. When the updates are received, the VLAN configuration and the revision number is
updated.
If you lose your only VTP server, the easiest way to recover is to change one of the VTP
clients to server mode. VLAN information and revision numbers remain the same.
Switches must meet the following conditions before VTP information can be exchanged:
o The switches must be connected by a trunk link (VTP is not used on access ports).

Switches must be in the same domain. Switches in different domains do not share or
forward VTP information. Transparent switches must be in the same domain or have
a null domain name to pass VTP information to other switches.
o Passwords on each device must match. The password is included in each VTP
advertisement. The receiving switch compares the password in the advertisement
with its configured password. It will only accept information in the packet if the
passwords match. The password provides a method of authenticating the packet
contents that they came from a trusted source.
Connecting two switches with different VTP domains works only if you manually turn
trunking on. VTP information is carried in DTP packets, so only switches in the same
domain can use DTP for automatic trunking configuration. However, when two switches
with different domains are connected, VTP information will not be passed between the
switches.
When you change the VLAN configuration on a server, the revision number is incremented.
The revision number on a transparent switch remains at 0, even when changes are made to
the VLAN configuration.
All devices in the domain must use the same VTP version. By default, VTP version 2 is
disabled. Only enable VTP version 2 if all devices support version 2.
VTP pruning is a feature that eliminates or prunes unnecessary broadcast traffic. For
instance, VTP pruning will only forward broadcast messages to switches which have ports
assigned to a particular VLAN ID.
o

VTP Configuration Facts


The following table lists common VTP commands.
Use...
Switch(config)#vtp mode
server
Switch(config)#vtp mode
client
Switch(config)#vtp mode
transparent

To...
Configure the VTP mode of the switch.
Note: The default mode is server.
Configure VTP domain of the switch.

Switch(config)#vtp
domain WORD

The default domain name is <null> (blank).


All switches must be configured with the same domain
name.
A new VTP client switch (with a blank domain name) will
automatically set its domain name based on the first VTP
advertisement it receives.
A switch in transparent mode will not automatically set its
domain name.

Configure VTP password of the switch.


Switch(config)#vtp
password WORD

Switch(config)#vtp
pruning

When a password is used, all switches in the same domain


must use the same password.
You must manually configure the VTP password on each
switch.

Reduce broadcast traffic by forwarding the messages only through


switch trunks which belong to a particular VLAN ID.
Note: Enabling or disabling VTP pruning on a server enables or
disables it on all devices in the domain.

Switch#show vtp status

View the current VTP configuration of the switch.

Switch#show vtp password

View the current VTP password of the switch.

Be aware of the following when troubleshooting the VTP configuration:

If you add a switch to the network with a higher revision number, the VLAN configuration
on that switch will update (modify) the existing VLAN configuration on all other switches
in the domain. This is true even if the switch you add is a client. Client switches pass their
configuration information on to other switches. This information can be used to update
server or client switches with lower revision numbers.
If you add a switch to the network with a lower revision number, the switch's configuration
will be modified to match the configuration currently used on the network. This is true even
if the switch you add is a server.
To prevent disruptions to the existing configuration when adding new switches, reset the
revision number on all new switches before adding them to the network. The revision
number resets to 0 each time you:
o Change the domain name.
o Change the VTP mode to transparent.
Before adding a switch back into the network, change the domain name or the mode to
transparent, then change it back to its original setting.

Be sure to place switches in the same domain adjacent to each other through trunk links. If
you insert a switch with a different domain name between two switches, VTP information
will not be passed through the new switch. To correct this problem, use one of the following
solutions:
o Modify the domain name on the new switch to match the existing switches.
o Move the new switch so that switches in the same domain are connected directly
together.
Note: Once set, you cannot completely remove a domain name. In other words, once you
have configured a VTP domain name, you can only change the name, you cannot remove it
completely.

Verifying and Troubleshooting VLANs


As you study this section, answer the following questions:

When examining the output from the show interfaces fa 0/1 trunk command, what does
the n- in front of the protocol designate?
How can you determine which VLANs are allowed to communicate over a trunk link?
How can you determine when an interface is operating as an access port or a trunk port?
Which command displays an overview of VLAN and trunking information of an interface?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, verify VLAN information.


Given a scenario, troubleshoot a VLAN trunking link.

This section covers the following exam objectives:

105. Verify or troubleshoot VLAN configurations.

VLAN Verification and Troubleshooting Command List


The following commands are used to display VLAN configurations for verification and
troubleshooting:
show vlan brief
show interfaces trunk
show interfaces fa 0/1 switchport
The following output is generated from the show vlan brief command. The output displays the
VLAN membership of each port.
VLAN Name
Status
Ports
---- --------------------- --------- -----------------------------1
default
active
Fa0/3, Fa0/4, Fa0/5, Fa0/6,
Fa0/7, Fa0/8, Fa0/9, Fa0/10,
Fa0/11, Fa0/12, Gi0/1, Gi0/2
2
VLAN0002
active
Fa0/2
1002 fddi-default
active
1003 token-ring-default
active
1004 fddinet-default
active
1005 trnet-default
active
Note: Use the show vlan <vlan id> command to display information about a single VLAN
identified by VLAN ID
The following is output generated from the show interfaces fa 0/1 switchport command and a
table describing the associating fields.
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On

Access Mode VLAN: 1 (default)


Trunking Native Mode VLAN: 1 (default)
--output omitted
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Field

Description

Name

Displays the port name. This is the interface specified in the command.

Switchport

Displays the administrative and operational status of the port. In this


display, the port is in switchport mode.
Displays the administrative mode. The administrative mode is configured
with the following interface configuration commands:

Administrative Mode
Operational Mode

switchport
switchport
switchport
switchport

mode
mode
mode
mode

access
trunk
dynamic auto
dynamic desirable

The operational mode is how the port is actually operating. In this output,
the port is in dynamic auto administrative mode, but the port is operating
as an access port.
Administrative
Trunking
Encapsulation
Operational Trunking
Encapsulation
Negotiation of
Trunking

Displays the administrative and operational encapsulation method and


whether trunking negotiation is enabled.

Access Mode VLAN

Displays the VLAN ID to which the port is configured. This is configured


with the switchport access vlan <vlan id> interface configuration
command.

Lists the VLAN ID of the trunk that is in native mode. This is configured
Trunking Native Mode
with the switchport trunk native vlan <vlan id> interface configuration
VLAN
command.
Lists the allowed VLANs on the trunk. This is configured with the
following interface configuration commands:

Trunking VLANs
Enabled

switchport trunk allowed vlan all


switchport trunk allowed vlan remove <vlan
id>

In the output above, all VLANs are permitted to communicate on the trunk
if it was in trunking mode.
Pruning VLANs
Enabled

Lists the VLANs which have been pruned from the interface.

The following is output generated from the show interfaces fa 0/1 trunk command and a table
describing the output values.
Port
Native vlan
Fa0/1

Mode

Encapsulation

Status

on

n-802.1q

trunking

Port
Fa0/1

Vlans allowed on trunk


1-9,11-4094

Port
Fa0/1

Vlans allowed and active in management domain


1-2,5

Port
pruned
Fa0/1

Vlans in spanning tree forwarding state and not


1-2,5

Value

Description
This is the administrative mode on the interface. The administrative
mode is configured with the following interface configuration
commands:

Mode

switchport
switchport
switchport
switchport

mode
mode
mode
mode

access
trunk
dynamic auto
dynamic desirable

If configured as an access port, the mode is off.


This is the encapsulation protocol on the trunk. If a "n-" precedes the
protocol, it has been negotiated. This is configured with the following
interface configuration commands:
Encapsulation

switchport trunk encapsulation dot1q


switchport trunk encapsulation isl
switchport trunk encapsulation negotiate

Note: This command may not be available on all Catalyst switches.


Negotiate is the default.
Status

This is the operational status of the trunk.

Native VLAN

The native VLAN is the VLAN which will not be tagged with 802.1Q
tags. Frames from all other VLANs are tagged.
Lists the allowed VLANs on the trunk. This is configured with the
following interface configuration commands:

VLANs allowed on trunk

switchport trunk allowed vlan all


switchport trunk allowed vlan remove <vlan
id>

In the output above, VLAN 10 is not permitted to communicate on the


trunk.
VLANs allowed and active
in management domain
VLANs in spanning tree
forwarding state and not
pruned

Lists the VLANs which are configured on the switch and allowed over
the trunk link.
Note: If the VLANs are configured on the switch but are not permitted
to communicate on the trunk, they will not be listed here.
Lists the VLANs that are pruning-eligible.

Note: If you do not specify an interface with the switchport interfaces trunk command, only
information for active trunking ports appears.

Spanning Tree Protocol (STP)


As you study this section, answer the following questions:

How does STP eliminate bridging loops?


Which port state builds the bridge database with MAC addresses?
Which timers can be configured to speed up STP performance?
Which devices generate configuration Bridge Protocol Data Units (BPDUs)?
What is the difference between a root port and a designated port?

After finishing this section, you should be able to complete the following tasks:

Given the MAC Address of a switch, configure it to be the root bridge.


Configure a switch to be a primary root bridge.
Configure a switch to be a secondary root bridge

This section covers the following exam objectives:

201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP,
PVRST, MISTP).

STP Facts
To provide for fault tolerance, many networks implement redundant paths between devices using
multiple switches. However, providing redundant paths between segments causes packets to be
passed between the redundant paths endlessly. This condition is known as a bridging loop.
To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree
algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for
each route is assigned as the designated bridge. Only the designated bridge can forward packets.
Redundant bridges (and switches) are assigned as backups.
The spanning tree algorithm provides the following benefits:

Eliminates bridging loops


Provides redundant paths between devices
Enables dynamic role configuration
Recovers automatically from a topology change or device failure
Identifies the optimal path between any two network devices

The spanning tree algorithm calculates the best loop-free path through a network by assigning a
role to each bridge or switch and by assigning roles to the ports of each bridge or switch. The
bridge role determines how the device functions in relation to other devices, and whether the device
forwards traffic to other segments.
Role

Characteristics
The root bridge is the master or controlling bridge.

Root bridge

There is only one root bridge in the network. The root bridge is the logical
center of the spanning-tree topology in a switched network.
The root bridge is determined by the switch with the lowest bridge ID (BID).
o The bridge ID is composed of two parts: a bridge priority number and
the MAC address assigned to the switch.
o The default priority number for all switches is 32,768 (0x8000 in
hexadecimal). This means that for unconfigured switches, the switch

with the lowest MAC address becomes the root bridge.


o You can manually configure the priority number to force a specific
switch to become the root switch.
The root bridge periodically broadcasts configuration messages. These
messages are used to select routes and reconfigure the roles of other bridges if
necessary.
All ports on a root bridge forward messages to the network.

Note: Newer switches add the VLAN number to the priority value. For example, if
you configure a priority value of 4096, the switch will use the priority of 4097 for
VLAN 1, 4098 for VLAN 2, and so on.
A designated bridge is any other device that participates in forwarding packets
through the network.
Designated
bridge

They are selected automatically by exchanging bridge configuration packets.


To prevent bridging loops, there is only one designated bridge per segment.

All redundant devices are classified as backup bridges.


Backup
bridge

Backup bridges listen to network traffic and build the bridge database.
However, they will not forward packets.
A backup bridge can take over if the root bridge or a designated bridge fails.

Switches send special packets called Bridge Protocol Data Units (BPDUs) out each port to the
multicast address 01:80:C2:00:00:00. BPDUs sent and received from other bridges are used to
determine the bridge roles and port states, verify that neighbor devices are still functioning, and
recover from network topology changes. STP uses the following types of BPDUs:

A Configuration BPDU is sent by the root bridge on all its ports. Each BPDU contains STP
parameters which are critical to STP stability. Only the root bridge generates the
configuration BPDU, guaranteeing that there is no mismatching STP information. If
configuration BPDUs are not received by root ports on other bridges, a topology change
may occur.
A Topology Change (TC) BPDU is generated by the switch when it detects a topology
change, such as the following:
o A port in forwarding or listening transitions to blocking
o A port moves to forwarding state, and the bridge already has a designated port
o A Non-root bridge receives a TC on its designated port (a propagation TC is sent)

During the negotiation process and normal operations, each switch port is in one of the following
states:
Port State Description
A port in the disabled state is powered on but does not participate in listening to
Disabled network messages or forwarding them. A bridge must be manually placed in the
disabled state.
Blocking

When a device is first powered on, its ports are in the blocking state. In addition,
backup bridge ports are always in the blocking state. Ports in the blocking state receive
packets and BPDUs sent to all bridges, but will not process any other packets.

Listening

The listening state is a transitionary state between blocking and learning. The port
remains in the listening state for a specific period of time. This time period allows
network traffic to settle down after a change has occurred. For example, if a bridge
goes down, all other bridges go to the listening state for a period of time. During this

time the bridges redefine their roles.


Learning

A port in the learning state is receiving packets and building the bridge database
(associating MAC addresses with ports). A timer is also associated with this state. The
port goes to the forwarding state after the timer expires.

The root bridge and designated bridges are in the forwarding state when they can
Forwarding receive and forward packets. A port in the forwarding state can both learn and forward.
All ports of the root switch are in forwarding mode.
The following timers affect STP performance and state changes:

The hello time is the time between each BPDU that is sent on a port by the root bridge and
forwarded by other designated bridges. It is 2 seconds by default, but can be configured
between 1 and 10 seconds.
The forward delay is the time spent in the listening and learning states. It is 15 seconds by
default, but can be configured between 4 and 30 seconds.
The max age timer controls the maximum length of time a bridge port saves its
configuration BPDU information. It is 20 seconds by default, but can be configured
between 6 and 40 seconds.

Note: Although it is possible to tune spanning-tree timers, the recommendation is to leave the
spanning tree timers at their default values.
During the configuration process, ports on each switch are configured as one of the following
types:
Port type

Description
The port on the designated switch with the lowest port cost back to the root bridge is
identified as the root port.

Root port

Each designated switch has a single root port (a single path back to the route
bridge).
Root ports are in the forwarding state.
The root bridge does not have a root port.

One port on each segment is identified as the designated port. The designated port
identifies which port on the segment is allowed to send and receive frames onto that
segment. Designated ports are selected based on the lowest path cost to get back to the
root switch.
Designated
port

Blocking
port

All ports on the root bridge are designated ports (unless a switch port loops
back to a port on the same switch).
Designated ports are selected based on the lowest path cost to get back to the
root switch.
Designated ports are used to send frames back to the root bridge.
Designated ports are in the forwarding state.

A blocking port is any port that is not a root or a designated port. A blocking port is in
the blocking state.

When determining both the root port and designated ports on non-root bridge switches, the
switches use the following criteria to select the port that is closest to the root bridge.
1. The port with the lowest cost to get back to the root bridge becomes the root or designated
port. Default IEEE port costs include the following:

10 Mbps = 100
100 Mbps = 19
1 Gbps = 4
10 Gbps = 2
2. If two paths have the same cost, the bridge ID of the next switches in each path is
compared. The path with the switch with the lowest bridge ID becomes the path back to the
root. Remember that the bridge ID is composed of two parts:
o The priority number assigned to the switch.
o The MAC address used by the switch.
o
o
o
o

If the priority numbers are the same on both switches, the switch with the lowest MAC
address is the path back to the root.
3. If the switch has two ports that have the same cost back to the root (for example, if two
connections exist to the same switch), the port on the switch with the lowest port ID
becomes the designated port.
o The port ID is derived from two numbers: the port priority and the port number.
o The port priority ranges from 0-255, with a default of 128.
o The port number is the number of the port. For example, the port number for Fa0/3
is 3.
o With the default port priority setting, the lowest port number becomes the
designated port.
Spanning Tree Example
By default, spanning tree is enabled on all Cisco switches. When you add switches to the network,
spanning tree operates automatically to identify the root bridge and configure each port to prevent
loops. In a small environment, you can probably rely on the switches to configure themselves. In a
large environment, however, you will need to plan the network so that you can control which
switch becomes the root bridge, and so you can identify ports that should be blocking or
forwarding.
To identify how spanning tree will configure switches in a network, you will need to know the
bridge ID for each bridge (which includes the priority value and the MAC address). If no priority
value is included, assume the default priority of 32768. With the bridge ID and MAC addresses,
use the following process to identify the state of each port:
1. Identify the root bridge. The root bridge is the switch with the lowest bridge ID.
o The switch with the lowest priority value is the root bridge.
o If two or more switches have the same priority value, the switch with the lowest
MAC address is the root bridge.
2. On the root bridge, label each port as a designated port.
3. For every other bridge, identify its root port. The root port is the port with the lowest cost
back to the root bridge.
o To identify the cost, add the cost for each segment back to the root bridge.
o If two paths have the same cost, then look at the bridge ID of the next switch in the
path.
4. After labeling each root port, identify a designated port for each segment that does not
already have a designated port.
o The designated port will be the port that connects to the path with the lowest cost
back to the root bridge.
o If two paths have the same cost, compare the bridge ID of the next switch in the
path.
5. At this point, each segment should have a designated port identified. For any ports not
labeled as a root port or a designated port, indicate that the port is a blocking port.

The following graphic illustrates a switched network with redundant paths. The priority values and
MAC addresses for each switch are identified. Numbers on each link are used to identify the link.
Each link has the same cost value.

Using the steps outlined above:


1. Switch A is the root bridge because it has the lowest priority (4096).
2. Fa0/1 and Fa0/2 on switch A are designated ports and will be forwarding.
3. Root ports on the other switches are as follows:
o The root port on switch B is Fa0/1.
o The root port on switch C is Fa0/2.
There are two paths back to the root bridge: B to A or D to A.
Both paths have the same cost because they involve crossing two segments
with equal costs.
B to A is preferred because the bridge ID for switch B is lower than that of
switch D. The priority values are the same, so the lowest MAC address is
used (000E.8411.68C0).
o The root port on switch D is Fa0/1.
4. At this point, designated ports already exist for segments 1 and 2. For the remaining
segments:
o For segment 3, Fa0/3 on switch B is the designated port because the cost from B to
A is less than the cost from C to D to A.
o For segment 4, Fa0/3 on switch D is the designated port for the same reason.
o For segment 5, Fa0/2 on switch B is the designated port.
There are two paths from segment 5 to the root bridge: B to A or D to A.
Both paths have the same cost.
B to A is preferred because the bridge ID for switch A is lower than that of
switch D. The priority values are the same, so the lowest MAC address is
used (000E.8411.68C0).
5. The following remaining ports are blocking ports:
o Fa0/1 on switch C.
o Fa0/2 on switch D.
The following graphic shows each port labeled after spanning tree converges.

Be aware of the effect that configuration changes make in this example:

If all switches had the same priority value, then switch B would have been the root bridge
because its MAC address is the lowest. Changing the root bridge would also change several
other port states.
Changing the priority on switch D to 8192 would have the following effects:
o The root port on switch C would change to Fa0/1. The path through switch D would
be preferred over the path through switch B because of the lower priority number.
o The designated port for segment 5 would change to Fa0/2 on switch D, while Fa0/2
on switch B would be blocking.
o Fa0/2 on switch C would change to blocking.
Assuming the default cost value of 19 for FastEthernet links, changing the cost of segment 1
to 100 would have the following effects:
o The root port on switch D would be Fa0/2. The total cost of that path would be 38.
o The designated port for segment 4 would be Fa0/1 on switch C. Port Fa0/3 on switch
D would now be blocking.
o Port Fa0/1 on switch D would be blocking because Fa0/2 would be used to reach the
root bridge.

STP Command List


By default, spanning tree is enabled on all Cisco switches. By default, spanning tree is enabled with
a single instance of the spanning tree protocol for VLAN1. By default, all switch ports are members
of VLAN1, therefore all ports participate in spanning tree by default. Creating an additional VLAN
automatically runs another instance of the spanning tree protocol. Spanning tree configuration
consists of the following tasks:

Modifying the spanning tree mode if a mode other than Per-VLAN Spanning Tree Plus
(PVST+) is desired.
Changing the bridge priority to control which switch becomes the root bridge.
Designating edge ports (ports with no attached switches).

The following table lists commands you would use to configure spanning tree:
Use...

To...

Switch(config)#spanning-tree
mode pvst
Switch(config)#spanning-tree
mode rapid-pvst

Set the spanning tree mode.

Switch(config)#spanning-tree
mode mst
Manually set the bridge priority number.

Switch(config)#spanning-tree
vlan <1-4094> priority <061440>

The priority value ranges between 0 and


61,440.
Each switch has the default priority of
32,768.
Priority values are set in increments of
4096. If you enter another number, your
value will be rounded to the closest
increment of 4096, or you will be
prompted to enter a valid value.
The switch with the lowest priority number
becomes the root bridge.

Force the switch to be the root of the spanning


tree.

Switch(config)#spanning-tree
vlan <1-4094> root primary

The IOS software checks the switch


priority of the current root switch for each
VLAN.
The switch sets the switch priority for the
specified VLAN to 24576 (default value) if
this value will cause this switch to become
the root for the specified VLAN.
If any root switch for the specified VLAN
has a switch priority lower than 24576, the
switch sets its own priority for the
specified VLAN to 4096 less than the
lowest switch priority.

Force the switch to be the secondary root (backup)


of the spanning tree if the root switch fails.

Switch(config)#spanning-tree
vlan <1-4094> root secondary

The IOS software changes the switch


priority from the default value (32768) to
28672.
If the root switch should fail, this switch
becomes the next root switch (if the other
switches in the network use the default
switch priority of 32768).

Switch(config-if)#spanning-tree Change the interface's port priority in increments


port-priority <0-240>
of 16.
Switch(config-if)#spanning-tree Change the interface's port priority in increments
vlan <1-4094> port-priority <0- of 16 for a specific VLAN. This is for trunk
240>
interfaces.

Configure the time between each BPDU that is


Switch(config)#spanning-tree
sent on a port by the root bridge and forwarded by
vlan <1-4094> hello-time <1-10>
other designated bridges.
Switch(config)#spanning-tree
Configure the time spent in the listening and
vlan <1-4094> forward-time <4learning states.
30>
Switch(config)#spanning-tree
vlan <1-4094> max-age <6-40>

Configure the maximum length of time a bridge


port saves its configuration BPDU information.

Switch(config)#no spanning-tree
Disables spanning tree on the selected VLAN.
vlan <1-4094>
Examples
The following command sets the bridge priority for a VLAN 20:
Switch(config)#spanning-tree vlan 20 priority 4096
The following command configures this switch with a bridge priority of 4096 for VLAN 15 if the
existing root bridge has a priority of 8092:
Switch(config)#spanning-tree vlan 15 root primary

Spanning Tree Protocols


As you study this section, answer the following questions:

What are the differences between PVST and PVST+?


What are the three STP modes available on Cisco Catalyst switches?
Which Rapid PVST+ port states are different than PVST+ port states and why?
What is the difference between a Rapid PVST+ alternate port and a backup port?
What is MSTP region?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, configure Rapid PVST+ on assigned switches.


Given a scenario, configure MST on multiple switches with the minimum amount of MST
instances.

This section covers the following exam objectives:

201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP,
PVRST, MISTP).
202. Configure RSTP (PVRST) and MISTP.

Common Spanning Tree (CST) Facts


Common Spanning-Tree (CST) has one spanning-tree instance for the entire bridged network
(regardless of the number of VLANs). CST details include the following:

No load balancing is possible between switches in the network


Switch CPU usage is low, because only one instance needs computation
It can be used when only one Layer 2 topology is needed in the network

Per-VLAN Spanning Tree (PVST) Facts


Per-VLAN Spanning Tree Protocol (PVST) is a spanning-tree mode based on the 802.1d standard,
but includes Cisco proprietary extensions. Per-VLAN Spanning Tree Plus (PVST+) provides the
same functionality as PVST except that PVST+ uses 802.1Q trunking technology and is
interoperable with CST and PVST. PVST+ characteristics include the following:

Layer 2 load balancing for the VLAN on which it runs


Each instance of PVST+ on a VLAN has a single root bridge
Each active VLAN has its own instance of PVST+
A short aging time for learned MAC address entries
PVST+ is not supported on non-Cisco devices
PVST+ is the default spanning-tree mode used on all Ethernet port-based VLANs

Rapid Spanning Tree (RSTP) Facts


Rapid Spanning Tree Protocol (RSTP) is based on the 802.1w standard and provides faster
spanning tree convergence after a topology change. RSTP uses the following port states:
RSTP Port
State
Discarding

STP Port
State*
Disabled
Blocking

Description
A port in discarding state:

Listening

Discards frames received on the interface


Discards frames switched from another interface for
forwarding
Does not learn MAC addresses
Listens for BPDUs

A port in the learning state:

Learning

Learning

Discards frames received on the interface


Discards frames switched from another interface for
forwarding
Learns MAC addresses
Listens for BPDUs

A port in the forwarding state:


Forwarding

Forwarding

Receives and forwards frames received on the interface


Forwards frames switched from another interface
Learns MAC addresses
Listens for BPDUs

RSTP uses bridge and port roles similarly to STP:

There is a single root bridge.


Each segment has a single designated bridge. The port on the designated bridge is identified
as the designated port. All ports on the root bridge are designated ports.
Each designated bridge has a single port identified as the root port. The root port is the best
path back to the root bridge. The root bridge is the only bridge that does not have a root
port.
Instead of having blocking ports, RSTP splits this role into two roles:
o An alternate port is the switch's best alternative to its current root port. An alternate
port can be used to replace the root port if the root port fails.
o A backup port is the switch's alternative port connected to the same network
segment as the designated port. A backup port provides an alternate path to the same
segment, but not an alternate path back to the root bridge.
Both port roles are in the blocking state.

In addition to the port roles, RSTP uses the port type to determine whether to use advanced features
that provide rapid convergence. These port types are:
Port Type Description
A point-to-point link is a port that connects only to another switch.
Point-topoint

The presence of full-duplex communication indicates a point-to-point link.


Because the link has only a single connected switch, it can take advantage of
RSTP improvements that help it recover quickly.

A shared link is a link with more than a single attached device.


Shared

The presence of half-duplex communication indicates a shared link.

Ports connected to shared links cannot use RSTP improvements.

An edge port is a port that is not connected to another switch.

Edge

Because the edge port does not have a switch, the possibility of a loop is
eliminated.
Edge ports can be put into the forwarding state immediately.
If the port receives a BPDU, it treats the port as a point-to-point or shared link.

Be aware of the following details:

When any RSTP port receives legacy 802.1d BPDU, it falls back to legacy STP and the
inherent fast convergence benefits of 802.1w are lost.
The rapid convergence features of RSTP combined with PVST+ form Rapid PVST+. Rapid
PVST+ is one of the three STP modes available on Cisco switches.

Multiple STP (MSTP) Facts


Multiple STP (MSTP) is an IEEE standard (802.1s) which allows several VLANs to be mapped to
a reduced number of spanning-tree instances. MSTP characteristics include the following:

Supports a large number of VLANs mapped to spanning-tree MSTP instances


CPU usage is low despite the number of VLANs, because it only processes the amount of
instances
Layer 2 load balancing for the instances

An MSTP region is a group of interconnected bridges that have the same MSTP configuration. The
configuration includes the name of the region, the revision number, and the MSTP VLAN-toinstance assignment map. There is no limit on the number of MSTP regions in the network. If you
connect two MSTP regions with different MSTP configurations, the MSTP regions do the
following:

Load balance across redundant paths in the network. If two MSTP regions are redundantly
connected, all traffic flows on a single connection with the MSTP regions in a network.
Provide an RSTP handshake to enable rapid connectivity between regions. However, the
handshaking is not as fast as between two bridges. To prevent loops, all the bridges inside
the region must agree upon the connections to other regions. This situation introduces a
delay.

Be aware of the following MSTP details:

The switch supports up to 65 MSTP instances. Instances can be identified by any number in
the range from 0 to 4094.
A VLAN assignment can be to only one spanning tree instance at a time.
MSTP instances are significant to the local region only, and is independent of other MSTP
regions.
Instance 0, the Internal Spanning-Tree (IST), is reserved for interacting with other
Spanning-Tree Protocols and other MSTP regions. An IST instance is capable of
representing the entire MSTP region to external networks.
When the switch is in the MSTP mode, the Rapid Spanning Tree Protocol (RSTP) is
automatically enabled.
RSTP and MSTP Command List
The following table lists commands you would use to configure RSTP (RPVST+) and
MST:

Use...

To...

Switch(config)#spanning-tree mode
rapid-pvst

Set the spanning tree mode to Rapid


PVST+

Switch(config)#spanning-tree mode
mst

Set the spanning tree mode to Multiple


Spanning (MSTP).

Switch(config)#spanning-tree vlan
<1-4094> priority <0-61440>

Manually set the bridge priority number in


Rapid PVST+.

Switch(config)#spanning-tree vlan
<1-4094> root primary

Force the switch to be the root of the


spanning tree in Rapid PVST+.

Switch(config)#spanning-tree vlan
<1-4094> root secondary

Force the switch to be the secondary root


(backup) of the spanning tree if the root
switch fails in Rapid PVST+.

Switch(config)#spanning-tree mst
configuration

Enter MSTP configuration mode.

Switch(config-mst)#name <WORD>

Set the configuration name for the region.


All switches must share the same MSTP
name to participate in the same MSTP
instances.

Set the configuration revision number for


the region.
Switch(config-mst)#revision <number> Note: The revision number is not
automatically incremented when a new
configuration is committed.
Switch(config-mst)#instance <0-4094>
vlan <vlan id>
Switch(config-mst)#instance <0-4094>
Map VLANs to an MSTP instance.
vlan <vlan id>,<vlan id>
Switch(config-mst)#instance <0-4094>
vlan <vlan id>-<vlan id>
Switch(config)#spanning-tree mst
<instance id> priority <0-61440>

Manually set the bridge priority number in


MSTP.

Switch(config)#spanning-tree mst
<instance id> root primary

Force the switch to be the root of the


spanning tree in MSTP.

Switch(config)#spanning-tree mst
<instance id> root secondary

Force the switch to be the secondary root


(backup) of the spanning tree if the root
switch fails in MSTP.

Switch(config)#no spanning-tree mst


configuration

Return to the default MSTP region


configuration.

Examples
The following commands enable Rapid PVST+ for the switch and set the bridge priority to
a lower value than the default:
Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#spanning-tree vlan 1 priority 4096
The following commands create the Sales MSTP region, map VLANs 2, 5, and 10 to
instance 3, map VLANs 6, 7, and 8 to instance 4, and provide a revision number of 1 to the
region:
Switch(config)#spanning-tree mode mst
Switch(config)#spanning-tree mst configuration
Switch(config-mst)#name Sales
Switch(config-mst)#revision 1

Switch(config-mst)#instance 3 vlan 2,5,10


Switch(config-mst)#instance 4 vlan 6,7,8

Optional STP Features and UDLD


As you study this section, answer the following questions:

Which optional STP feature helps to prevent loops on a port where Port Fast is enabled?
What will be the response if a switch receives a BPDU after being globally enabled with
BPDU guard?
What is the difference between globally-enabled BDPU filtering and per-port-enabled
BDPU filtering?
Which optional STP feature provides an alternate path back to the root bridge if the root
port or link goes down?
How does BackboneFast detect failures on indirect links or connections?
What happens when a switch sends a superior BPDU to a root guard enabled interface?
Which UDLD mode will make up to eight attempts before changing the port state to the errdisabled state?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, configure Port Fast on access ports.


Given a scenario, configure a switch to use Port Fast BPDU filtering.
Secure the STP topology by configuring FastEthernet ports with Root Guard.
Protect a spanning tree topology with Loop Guard.
Within a hierarchical network, configure UplinkFast.
Within a hierarchical network, configure BackboneFast.

This section covers the following exam objectives:

203. Describe and configure STP security mechanisms (i.e., BPDU Guard, BPDU Filtering,
Root Guard).
204. Configure and Verify UDLD and Loop Guard.

Optional STP Feature Facts


The biggest disadvantage of STP is that it is slow to respond to topology changes. With a link
failure, convergence could take up to 30 seconds. By optimizing switch settings, this delay could be
reduced to about 14 seconds, but even this was too long.
To improve convergence (to about 1 second) and fine tune STP, Cisco introduced the following
proprietary features:
Feature

Port Fast

Description
Port Fast forces access or trunk ports to immediately transition to the spanning tree
forwarding state. When ports do not have a switch or hub attached, bridging loops
on that port are eliminated and therefore do not need to enter the spanning tree
listening and learning states. Port Fast is globally enabled on the switch or perinterface.
Note: Port Fast affects all VLANs on an interface.

BPDU guard disables (moves to the err-disable state) an interface when a BPDU is
received on the interface. The BPDU guard feature should be configured in a
service-provider network to prevent an access port from participating in the
BPDU guard spanning tree. BPDU guard is globally enabled on the switch or per-interface:

If globally enabled, the switch configures each Port Fast-configured


interface to shut down if a BPDU is received. This is because Port Fast-

configured interfaces are meant for workstations and servers, devices which
do not generate BPDUs.
If enabled on an interface, the interface is also configured to shut down if a
BPDU is received. The difference is that the interface does not need to be
Port Fast-enabled.

Note: You must manually re-enable the port that is put into err-disable state or
configure errdisable-timeout.
BPDU filtering keeps switches from sending and receiving BPDUs on
interfaces. This allows the workstation or server, which is connected to the
interface, from receiving unnecessary traffic. BPDU filtering is globally enabled on
the switch or per-interface:
BPDU
filtering

If globally enabled, the switch configures each Port Fast-configured


interface to return to normal STP operation if the port receives a BPDU. It
immediately loses its Port Fast-enabled status, and disables BPDU filtering.
If enabled on a per-port basis, the switch drops all BPDUs it receives, and
does not send BPDUs.
Note: Enabling BPDU filtering on an interface is the same as disabling
spanning tree on the interface and may result in bridging loops.

UplinkFast enables a switch to maintain an alternate path back to the root bridge. If
the root port or link goes down, the alternate port can be used to quickly re-establish
communication with the root bridge. The alternate port transitions to the forwarding
state immediately without going through the listening and learning states. Be aware
of the following details:

UplinkFast

An uplink group is a set of Layer 2 interfaces (per VLAN), only one of


which is forwarding at any given time.
An uplink group consists of the root port (which is forwarding) and a set of
blocked ports, except for self-looping ports.
The uplink group provides an alternate path in case the currently forwarding
link fails.

Note: UplinkFast is useful in network access layer switches with a limited number
of active VLANs. UplinkFast should not be enabled on backbone or distribution
layer switches.
BackboneFast detects failures on indirect links or connections in the core (or
backbone) layer of a hierarchical network. Be aware of the following details:

BackboneFast

BackboneFast reduces the default convergence time in situations where the


root port is lost and the backup link leads through a different switch.
BackboneFast is a complementary feature to UplinkFast.
When a switch receives an inferior BPDU from the designated port of
another switch other than the root bridge, the BPDU is a signal that the other
switch might have lost its path to the root, and BackboneFast tries to find an
alternate path to the root. An inferior BPDU identifies a switch that declares
itself as both the root bridge and the designated switch.
o If the inferior BPDU arrives on a blocked interface, the root port and
other blocked interfaces on the switch become alternate paths to the
root switch.
o If the inferior BPDU arrives on the root port, all blocked interfaces
become alternate paths to the root switch.
o If the inferior BPDU arrives on the root port and there are no blocked
interfaces, the switch assumes that it has lost connectivity to the root

switch, causes the maximum aging time on the root port to expire,
and becomes the root switch according to normal spanning-tree rules.
Root guard secures the STP topology by forcing an interface to become a
designated port to prevent surrounding switches from becoming a root switch during
network anomalies (such as adding a new switch to the topology). Be aware of the
following details:

Root Guard

If a switch sends superior BPDUs to an interface with root guard enabled,


the interface is blocked (i.e. changed to a root-inconsistent state).
Recovery occurs as soon as the offending device ceases to send superior
BPDUs.
The configuration of root guard is on a per-interface basis.
If the switch is operating multiple STP (MSTP), root guard forces the
interface to be a designated port.
Root guard enabled on an interface applies to all the VLANs to which the
interface belongs.
VLANs can be grouped and mapped to an MSTP instance.
Do not enable the root guard on interfaces to be used by the UplinkFast
feature. With UplinkFast, the backup interfaces (in the blocked state) replace
the root port in the case of a failure. However, if root guard is also enabled,
all the backup interfaces used by the UplinkFast feature are placed in the
root-inconsistent state (blocked) and are prevented from reaching the
forwarding state.
The current design recommendation is to enable Root Guard on all access
ports so that a root bridge is not established through these ports.

Loop guard prevents alternate or root ports from becoming designated ports because
of a failure that leads to a unidirectional link. A port in blocking state relies on the
continuous reception of BPDUs from the root bridge. If the BPDUs are not received
according to STP timers, STP conceives the topology as loop-free and will
transition the port through the listening, learning, and forwarding states. If a nondesignated port stops receiving BPDUs when loop guard is enabled, STP places the
port into the loop-inconsistent state instead of moving through the listening,
learning, and forwarding states.
Be aware of the following details:
Loop Guard

Loop guard is most effective when it is configured on the entire switched


network.
When you enable loop guard globally, the switch enables loop guard only on
ports operating in full-duplex.
When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard
prevents alternate and root ports from becoming designated ports, and
spanning tree does not send BPDUs on root or alternate ports.
Both loop guard and root guard cannot be enabled on the same interface at
the same time.

UDLD Facts
Unidirectional Link Detection (UDLD) is a Layer 2 protocol which detects and may disable ports
when traffic transmitted by the local device over a link is received by the neighbor but traffic
transmitted from the neighbor is not received by the local device. This situation typically arises in

the case of a faulty Gigabit Interface Converter (GBIC) or interface, software malfunction,
hardware failure, or other anomalous behavior.
UDLD works with the Layer 1 mechanisms to learn the physical status of a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs tasks that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down
misconnected ports. When you enable both auto-negotiation and UDLD, the Layer 1 and Layer 2
detections work together to prevent physical and logical unidirectional connections and the
malfunctioning of other protocols.
UDLD supports two modes of operation:
Mode

Description
In normal mode, UDLD can detect unidirectional links due to misconnected ports on
fiber-optic connections. The Layer 1 mechanisms do not detect this misconnection.
While operating in normal mode:

Normal

If Layer 1 mechanism remains up with unidirectional link conditions, an error


message is displayed and the port state changes to the err-disabled state.
If one side of a link has a port stuck (both TX and RX), UDLD does not take
any action, and the logical link is considered undetermined.
If one of the link remains up while the other side of the link has gone down,
UDLD does not take any action, and the logical link is considered
undetermined.

In aggressive mode, UDLD can also detect and disable unidirectional links due to one
or both of the following:

Aggressive

One-way traffic on fiber-optic and twisted-pair links. One-way traffic may


occur when:
o One of the ports cannot send or receive traffic
o One of the ports is down while the other is up
One of the fiber strands is disconnected
Misconnected ports on fiber-optic links

While operating in aggressive mode, UDLD tries to re-establish the unidirectional


connection for all issues listed above. If the connection fails after eight attempts, an
error message is displayed and the port state changes to the err-disabled state.
The following table shows common commands to configure UDLD.
Use...

To...

switch(config)#udld enable

Configure the global UDLD setting on the switch to


normal mode.

switch(config)#udld aggressive

Configure the global UDLD setting on the switch to


aggressive mode.
Enable normal mode UDLD on the interface.

switch(config-if)#udld port

This command does not appear in the CLI


unless a GBIC is installed in the port you are
trying to enable.
An individual interface configuration overrides
the setting of the udld enable global

configuration command.
switch(config-if)#udld port
aggressive

Enable aggressive mode UDLD on the interface.

switch(config)#errdisable recovery
cause udld

Enable the timer to automatically recover from the


UDLD error-disabled state.

switch(config)#errdisable recovery
interval <value>

Specify the time to recover from the UDLD errordisabled state.

switch#udld reset

Reset all the ports that are shut down by UDLD and
permit traffic to begin passing through them again.

switch#show udld

To display the UDLD status for the specified port or


for all ports.

Be aware of the following:

When configuring the mode (normal or aggressive), make sure that the same mode is
configured on both sides of the link.
Globally enabling UDLD on the switch only affects fiber-optic ports. For twisted-pair ports,
UDLD must be configured on the interface.

Optional STP Feature Command List


The following table shows common commands to configure advanced STP features.
Use...

To...
Configure the Port Fast feature on a specific interface.

switch(config-if)#spanningtree portfast

Note: This command is for an edge-type interface. If


configured on an interface which is not connected to an end
workstation or server, an accidental topology loop could
cause a data packet loop and disrupt switch and network
operation.

switch(config-if)#spanningtree portfast trunk

Enable the Port Fast feature on the interface even in trunk


mode.

switch(config-if)#spanningtree portfast disable

Disable the Port Fast feature on the interface.


Enable or disable BPDU filtering on the specified interface.

switch(config-if)#spanningtree bpdufilter enable


switch(config-if)#spanningtree bpdufilter disable

Note: By default, BPDU filtering is disabled on the


interface. Enabling BPDU filtering on an interface is the
same as disabling spanning tree on it and can result in
bridging loops.

switch(config-if)#spanningtree bpduguard enable


switch(config-if)#spanningtree bpduguard disable

Enable or disable BPDU guard on the specified interface.


Enabling BPDU guard will put an interface in the errordisabled state when it receives a bridge protocol data unit
(BPDU).

switch(config)#spanning-tree
portfast default

Configure the Port Fast feature on all non-trunking


interfaces (i.e. access ports). The Port Fast feature will
immediately transition the interface to the spanning tree
forwarding state.
Note: Configuring Port Fast on interfaces connected to hubs,

concentrators, switches, and bridges can cause temporary


bridging loops.
Configure the BPDU filter on all Port Fast-enabled
interfaces by default.

switch(config)#spanning-tree
portfast bpdufilter default

switch(config)#spanning-tree
portfast bpduguard default

This will prevent the switch interface from sending


or receiving BPDUs.
The interfaces still send a few BPDUs at link-up
before the switch begins to filter outbound BPDUs.
If a BPDU is received on a Port Fast-enabled
interface, the interface loses its Port Fast-operational
status and BPDU filtering is disabled.

Configure the BPDU Guard on all Port Fast-enabled


interfaces on the switch. This will place the interfaces that
receive BPDUs in an error-disabled state.
Configure the UplinkFast feature on an access layer switch.

switch(config)#spanning-tree
uplinkfast

Note: When you configure rapid PVST+ disable UplinkFast.


Similar functionality is built into rapid spanning tree
(RSTP).

switch(config)#spanning-tree
backbonefast

Configure the BackboneFast feature on a switch. If you use


BackboneFast, you must enable it on all switches in the
network.

switch(config-if)#spanningtree guard root

Configure the Root Guard feature on the interface.


Configure the Loop Guard feature on the switch. Do not
enable loop guard:

switch(config)#spanning-tree
loopguard default

switch(config-if)#spanningtree guard loop

On Port Fast-enabled or dynamic VLAN ports


If root guard is enabled
On ports that are connected to a shared link

Configure the Loop Guard feature on the interface.

Examples
The following commands set the bridge priority for a VLAN, enable Port Fast on two ports and
globally enables BPDU guard:
Switch(config)#int fa0/12
Switch(config-if)#spanning-tree portfast
Switch(config-if)#int fa0/13
Switch(config-if)#spanning-tree portfast
Switch(config-if)#exit
Switch(config)#spanning-tree portfast bpduguard default

Verifying STP Configurations


As you study this section, answer the following questions:

Which command displays whether Loopguard, UplinkFast, BPDU Filter, and BPDU Guard
are enabled?
How can you verify that spanning tree is working?
How can you determine the root bridge within a STP topology?
Where can you discover the root bridge's priority and MAC address?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, verify STP information.


Given a scenario, troubleshoot a STP topology.

This section covers the following exam objectives:

205. Verify or troubleshoot Spanning Tree protocol operations.

STP Show Command List


The following table shows common commands to display STP configurations:
Use...

To...
Show spanning tree configuration information including the
following:

switch#show spanning-tree

Root bridge priority and MAC address


The cost to the root bridge
Local switch bridge ID and MAC address
The role and status of all local interfaces
The priority and number for each interface

To verify that spanning tree is working, look for an entry similar


to the following for each VLAN:
Spanning tree enabled protocol ieee
switch#show spanning-tree
active

Display STP information regarding active interfaces for all


VLANs.

switch#show spanning-tree
detail

Display detailed STP information for all VLANs configured on a


switch.

switch#show spanning-tree
interface <type> <number>
switch#show spanning-tree
interface <type> <number>
detail

Display general and detailed STP information regarding the


specified interface.

switch#show spanning-tree
summary

Display STP summary information for each VLAN configured on


a switch.

switch#show spanning-tree
vlan <1-4094>

Show summary STP information for the specified VLAN.

switch#show spanning-tree
vlan <1-4094> root

Show information about the root bridge for a specific VLAN.


Information shown includes:

The root bridge ID, including the priority number and the
MAC address

The cost to the root bridge from the local switch


The local port that is the root port

Switch#show spanning-tree
vlan <1-4094> bridge

Show spanning tree configuration information about the local


switch for the specified VLAN. Information includes the local
bridge ID, including the priority and MAC address.

switch#show spanning-tree
backbonefast

Display the STP BackboneFast status and statistics.

switch#show spanning-tree
uplinkfast

Display the STP UplinkFast status and statistics.

EtherChannel
As you study this section, answer the following questions:

What will happen to redundant links between switches when EtherChannel is configured?
What are the differences between LACP and PAgP?
When would you choose LACP over PAgP when configuring EtherChannel?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, configure switches to negotiate the PAgP EtherChannel.


Given a scenario, configure interfaces to negotiate an EtherChannel with LACP .

This section covers the following exam objectives:

206. Configure and verify link aggregation using PAgP or LACP.

EtherChannel Facts
EtherChannel combines multiple switch ports into a single, logical link between two switches. With
EtherChannel:

You can combine 2-8 ports into a single link.


All links in the channel group are used for communication between the switches.
Use EtherChannel to increase the bandwidth between switches.
Use EtherChannel to establish automatic-redundant paths between switches. If one link
fails, communication will still occur over the other links in the group.
Use EtherChannel to reduce spanning tree convergence times.

Cisco Catalyst switches use one of the following protocols for EtherChannel configuration:
Protocol

Description

Port Aggregation Protocol (PAgP) is a management function that checks the


Port Aggregation
parameter consistency at either end of the link and assists the channel in
Protocol (PAgP)
adapting to link failure or addition. PAgP prevents loops or packet loss due to

misconfigured channels and aids in network reliability. PAgP operates in the


following modes:

Auto places the port into a passive negotiating state and forms an
EtherChannel if the port receives PAgP packets. While in this mode, the
port does not initiate the negotiation.
Note: This is the default mode.
Desirable places the port in a negotiating state to form an EtherChannel
by sending PAgP packets. A channel is formed with another port group
in either the auto or desirable mode.

Note: PAgP is the default channel protocol in Cisco switches.


Link Aggregation Control Protocol (LACP) is based on the 802.3ad standard
and has similar functions as PAgP. LACP should be used when configuring
EtherChannel between Cisco switches and non-Cisco vendor switches that
support 802.3ad. LACP operates in the following modes:
Link Aggregation
Control Protocol
(LACP)

Passive places the port into a passive negotiating state and forms an
EtherChannel if the port receives LACP packets. While in this mode, the
port does not initiate the negotiation.
Note: This is the default mode.
Active places the port in a negotiating state to form an EtherChannel by
sending LACP packets. A channel is formed with another port group in
either the active or passive mode.

Note: An on mode forces a port to join an EtherChannel without negotiations. The on mode can be
useful if the remote device does not support PAgP or LACP. In the on mode, a usable
EtherChannel exists only when the switches at both ends of the link are configured in the on mode.
Be aware of the following EtherChannel details:

All ports in an EtherChannel must use the same protocol (PAgP or LACP).
All ports in an EtherChannel must have the same speed and duplex mode. LACP requires
that the ports operate only in full-duplex mode.
A port cannot belong to more than one channel group at the same time.
All ports in an EtherChannel must be configured to be in the same access VLAN
configuration or be configured as VLAN trunks with the same allowable VLAN list and the
same native VLAN.
All ports in an EtherChannel require the same trunk mode (i.e. ISL or IEEE 802.1Q) to
avoid unexpected results.
If you do not configure EtherChannel, the spanning tree algorithm will identify each link as
a redundant path to the other bridge and will put one of the ports in blocking state.
Do not try to configure more than 6 EtherChannels on the switch.
Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight
ports can be active, and up to eight ports can be in standby mode.
Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled by using the
shutdown interface configuration command is treated as a link failure, and its traffic is
transferred to one of the remaining ports in the EtherChannel.
EtherChannel Command List
The following table shows common commands to configure EtherChannel.

Use...

To...

Switch(config-if)#channelprotocol lacp

Select the EtherChannel protocol on the interface.

Switch(config-if)#channelprotocol pagp
Switch(config-if)#channel-group
<1-8> mode auto
Switch(config-if)#channel-group
<1-8> mode desirable

Select the PAgP mode on the interface.

Switch(config-if)#channel-group
<1-8> mode active
Switch(config-if)#channel-group
<1-8> mode passive

Select the LACP mode on the interface.

Switch(config-if)#channel-group
<1-8> mode on

Enable the on mode and force a port to join an


EtherChannel without PAgP or LACP negotiations.

Switch(config-if)#no channelgroup <1-8>

Disable EtherChannel on the interface.

Switch#show etherchannel

Show EtherChannel details on the switch

Switch#show etherchannel summary

Show EtherChannel information for a channel with a


one-line summary per channel group.

Note: Each channel group has its own number. All ports assigned to the same channel group
will be viewed as a single logical link.
Examples
The following commands configure GigabitEthernet 0/1 and 0/2 interfaces to actively
initiate the negotiation of an EtherChannel with the PAgP protocol and with a channel
group of 5:
Switch>ena
Switch#conf t
Switch(config)#int range gi 0/1 - 2
Switch(config-if-range)#channel-protocol pagp
Switch(config-if-range)#channel-group 5 mode desirable
The following commands configure FastEthernet 0/1 through 0/4 interfaces to from an
EtherChannel with the LACP protocol only if the other device actively initiates the
EtherChannel connection:
Switch>ena
Switch#conf t
Switch(config)#int range ga 0/1 - 4
Switch(config-if-range)#channel-protocol lacp
Switch(config-if-range)#channel-group 3 mode passive
Switch(config-if-range)#duplex full

Inter-VLAN Routing
As you study this section, answer the following questions:

To provide inter-VLAN routing, a device must have which layer of functionality?


What are two implementations of inter-VLAN routing?
Is a SVI a logical or physical interface?
What function includes the concept of route once, switch many?

This section covers the following exam objectives:

301. Explain and configure Inter-VLAN routing (i.e., SVI and routed ports).
302. Explain and enable CEF operation.

Inter-VLAN Routing Facts


In a typical configuration with multiple VLANs and a single or multiple switches, workstations in
one VLAN will not be able to communicate with workstations in other VLANs. To enable interVLAN communication, you will need to use a Layer 3 device. The Layer 3 device enables interVLAN routing through Layer 3 networks or IP networks. In a typical configuration, there is a oneto-one relationship between number of VLANs and IP subnets on a network (e.g. if you had three
VLANs on one switch, the workstations belonging to the VLANs would be in three separate IP
subnets). The following devices are capable of providing inter-VLAN routing:
Device

Description
A router (or a group of routers) is capable of inter-VLAN routing. Either two or more
interfaces or a single interface can be used to communicate between the VLANs. When a
single physical interface is used, it must be divided into two logical interfaces called
subinterfaces. This configuration is also called a router on a stick. In each case, the
router interfaces are connected to switch trunk ports. The router interfaces or
subinterfaces must be running a trunking protocol (either ISL or 802.1Q).

Router

Be aware of the following details for inter-VLAN routing on a router:

The top example uses two physical interfaces on the router.


The bottom example uses a single physical interface on the router.
In this simple configuration, no routing protocol is needed because each interface
on the router is directly connected.
Each interface or subinterface requires an IP address.
To support additional VLANs, add more physical interfaces or logical
subinterfaces to the router.
When a host sends traffic to other subnets in a router on a stick configuration, it
sends the traffic to the default gateway, which is the IP address of the
subinterface configured on the external router.

A multilayer switch is a switch which can have the interfaces configured for Layer 2 and
Layer 3 functionality. Layer 3 (logical) switch interfaces are configured as one of the
following:

A routed port is similar to a port on a traditional router. It is configured with an


IP address and is not associated with a particular VLAN. A routed port behaves
like a regular router interface, except that it does not support sub-interfaces.
Routed ports are used for point-to-point links. In a multi-switched network,
routed ports connect core- and distribution-layer switches.
A Switch Virtual Interface (SVI) which is configured with an IP address and is
associated with a single VLAN. A Layer 3 switch treats each interface as a
physical link through which it can route traffic. The IP address associated with
the SVI is the default gateway of the workstation. SVI uses hardware-switching.
A SVI is mostly implemented to interconnect the VLANs between distributionlayer and access-layer switches in a multi-switched network.

Multilay
er switch

Be aware of the following multilayer switch details for inter-VLAN routing:

On some multi-layer switches, IP routing should be enabled for communication


between subnets.
The no switchport command configures an interface as a Layer 3 interface for
routed ports.
VLANs must be present (created) in the VLAN database before creating SVIs.
The default gateway configuration on each host device must be the VLAN
interface IP address on the Layer 3 switch.
Most enterprise and service provider networks use Layer 3 switching.

Cisco routers and Layer 3 switches can be configured to forward DHCP requests when clients try to
locate or communicate with DHCP servers. To enable the DHCP relay agent feature, use the ip
helper-address command on the client VLAN interfaces (for SVIs) and subinterfaces (for router
on a stick). The ip helper-address command not only forwards DHCP requests, but also forwards
TFPT, DNS, Time, NetBIOS, name server, and BOOTP packets by default.

MLS Facts
Multi-Layer Switching (MLS) combines Layer 2, 3, and 4 switching technologies to provide highspeed packet rewriting and forwarding. Another name for traditional MLS is NetFlow-based
switching. The major difference between the packet switching operation of a router and that of a
Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes
place using a microprocessor, whereas a Layer 3 switch uses Application-Specific Integrated
Circuit (ASIC) hardware. This is known as hardware-based packet switching.
Multi-layer switching can move traffic at wire speed and also provide Layer 3 routing, which can
remove the bottleneck from the network routers. This technology is based on the idea of route once,
switch many. Multi-layer switching can make routing and switching decisions based on the
following:

MAC source/destination address in a Data Link frame


IP source/destination address in the Network Layer header
Protocol field in the Network Layer header
Port source/destination numbers in the Transport Layer header

In the illustration above, traditional MLS follows this basic process:


1. Workstation A in VLAN 1 sends a packet to a workstation B in VLAN 2, with a destination
MAC address as the default gateway (the router).
2. The switch (also known as a switching engine) recognizes this packet as an MLS candidate
packet because the destination MAC address matches the MAC address of the router (also
known as a route processor).
3. The switch creates a candidate entry for this flow and forwards the packet.
4. The router accepts the packet from the workstation A, rewrites the Layer 2 destination
MAC address (workstation B's MAC address), and sends the packet to the workstation B.
5. The switch, upon seeing both the packets, creates an MLS entry in the ASIC so that the
switch rewrites and forwards all future packets matching this flow.
Cisco Express Forwarding (CEF) is an advanced Layer 3 switching technology used mainly in
large networks or the Internet. CEF is mainly used to increase packet switching speed, reducing the
overhead and delays introduced by other routing techniques, increasing overall performance. CEF
consists of two key components:
Component

Description

Forwarding
Information Base

The Forwarding Information Base (FIB) is similar to the routing table


generated by multiple routing protocols, maintaining only the next-hop address

(FIB)

for a particular IP route. FIB details include the following:

CEF uses the FIB to make IP destination switching decisions.


The CEF maintains a mirror image of the forwarding information
contained in the IP routing table.
When routing or topology changes occur in the network, the IP routing
table is updated and those changes are reflected in the FIB.
The FIB maintains the next-hop address information based on the
information in the IP routing table.
Both the Layer 3 router processor and the Layer 2 hardware switching
engine components maintain the FIB.

The adjacency table maintains Layer 2 or switching information linked to a


particular FIB entry, avoiding the need for an ARP request for each table
lookup.
Adjacency Tables

CEF builds the adjacency table from the ARP table.


The adjacency table contains Layer 2 rewrite (MAC) information for
the next hop address.

Be aware of the following CEF-based MLS details:

CEF-based MLS scales to large networks and is not limited on the number of traffic flows.
CEF-based MLS is the default on all Cisco multilayer switches that support CEF.
CEF-based MLS is topology-based. The control plane downloads the routing table
information (i.e. FIB and adjacency table) to the data plane for hardware switching.
CEF-based MLS uses either centralized switching or distributed switching. Distributed
switching provides higher performance than centralized switching.
Switches use Ternary Content Addressable Memory (TCAM) and other hardware-switching
components not only for CEF but also for applying Quality of Service (QoS) and access
lists to packets routed and switched using hardware switching.

The following commands you would use to configure CEF and view a brief display of all FIB
entries:
Switch(config)#interface fa0/1
Switch(config-if)#ip cef
Switch(config-if)#end
Switch#show ip cef

Inter-VLAN Routing Configuration


As you study this section, answer the following questions:

Why shouldn't you set up an IP address on a router's subinterface for an inter-VLAN routing
configuration?
How does a router know which subinterface to use within inter-VLAN routing?
How do you display the networks connected to a Layer 3 switch?
When does a Layer 2 switch need a default gateway IP address?

After finishing this section, you should be able to complete the following tasks:

Implement inter-VLAN routing with an external router.


Configure SVIs on a switch for inter-VLAN routing.

This section covers the following exam objectives:

301. Explain and configure Inter-VLAN routing (i.e., SVI and routed ports).
302. Explain and enable CEF operation.
303. Verify or troubleshoot Inter-VLAN routing configurations.

Inter-VLAN Routing Command List


The following table lists commands used to configure and verify inter-VLAN routing:
Use...
Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config-if)#interface fa0/1.1
Router(config-subif)#

Router(config-subif)#encapsulation dot1q <vlan id>


Router(config-subif)#encapsulation isl <vlan id>

Router(config-subif)#encapsulation dot1q <vlan id>


native

To...
Enable the interface.
Create a subinterface
and enter the
subinterface
configuration mode
for a router-on-astick configuration.
Set the trunking
encapsulation
method for the
VLAN on the
subinterface for a
router-on-a-stick
configuration.
Note: Only some
switches support ISL
encapsulation. You
need to configure the
router with the
supported trunking
encapsulation.
Configure the VLAN
that is sending and
receiving untagged
traffic on the trunk
port when the
interface is in
802.1Q trunking

mode. This should


match the native
VLAN on the
connected switch for
a router-on-a-stick
configuration.
Note: By default, the
native VLAN is 1.
Specify an IP address
and subnet mask on
Router(config-subif)#ip address <a.b.c.d> <a.b.c.d> the subinterface for a
router-on-a-stick
configuration.
Router(config-subif)#ip helper-address

Enable DHCP relay


agent feature for a
router-on-a-stick
configuration.

Switch(config)#ip default-gateway <a.b.c.d>

Configure the default


gateway on a switch.
This will enable
management of the
switch from a remote
network.

Switch(config)#ip routing

Enable IP routing on
the multilayer switch
for a SVI
configuration.

Switch(config)#vlan <id>

Create a VLAN in
the VLAN database
and enter the VLAN
configuration mode.

Switch(config)#router <routing protocol>

Enable a specified
routing protocol on
the multilayer switch
for a SVI
configuration.

Switch(config)#interface vlan <vlan id>

Enter VLAN
interface
configuration mode
for the specified
VLAN for a SVI
configuration.

Switch(config-if)#ip address <a.b.c.d> <a.b.c.d>

Specify an IP address
and subnet mask on
the VLAN interface
for a SVI
configuration.

Switch(config-if)#no shutdown

Enable the interface.

Switch(config-if)#ip helper-address

Enable DHCP relay


agent on the
multilayer switch for
a SVI configuration.

Switch#show running-config

Display the interVLAN


configurations,
including
subinterfaces, IP
routing information,
and SVI addresses.

Switch#ping a.b.c.d

Test connectivity to
the hosts, VLAN
interfaces, and
VLAN subinterfaces.

Switch#show ip route

Display the available


IP routes on the
switch or router.

Switch#show ip protocols

Display information
about the routing
protocols that are
enabled on the
switch or router.

Switch#show ip cef

Display brief
information of all
FIB entries.

Switch#show ip adjacency

Verify that an
adjacency exists for a
connected device,
that the adjacency is
valid, and that the
MAC header rewrite
string is correct. The
information
displayed by the
show adjacency
commands includes
the following:

Protocol
Interface
Type of
routed
protocol
traffic using
this
adjacency
Next hop
address

Examples
The following commands configure a router with a single interface (a router-on-a-stick
configuration) to perform inter-VLAN routing for VLAN 1 and VLAN 20:
Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config-if)#no ip address

Router(config-if)#interface fa0/1.1
Router(config-subif)#description subinterface for VLAN 1
Router(config-subif)#encapsulation dot1Q 1
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#interface fa0/1.20
Router(config-subif)#description subinterface for VLAN 20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.2.1 255.255.255.0
The following commands configure a Switch Virtual Interface (SVI) to perform inter-VLAN
routing for VLAN 1 and VLAN 12 on a multilayer switch when the VLANs already exist in the
VLAN database:
Switch(config)#ip routing
Switch(config)#router rip
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 12
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Switch(config-if)#no shutdown

Troubleshooting Inter-VLAN Routing


As you study this section, answer the following questions:

How can you tell when a SVI is configured on a Layer 3 switch?


What commands should you use to verify a router-on-a-stick configuration?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, verify inter-VLAN routing information.


Given a scenario, troubleshoot an inter-VLAN routing implementation.

This section covers the following exam objectives:

303. Verify or troubleshoot Inter-VLAN routing configurations.

Troubleshooting Inter-VLAN Routing Facts


The following commands are used to display inter-VLAN routing configurations for verification
and troubleshooting:
show vlan brief
show ip route
show run
The following output is generated from the show vlan brief command. The output displays which
VLANs are in the VLAN database and the VLAN membership of each port.
VLAN Name
Status
Ports
---- --------------------- --------- -----------------------------1
default
active
Fa0/3, Fa0/4, Fa0/5, Fa0/6,
Fa0/7, Fa0/8, Fa0/9, Fa0/10,
Fa0/11, Fa0/12, Gi0/1, Gi0/2
2
VLAN0002
active
Fa0/2
1002 fddi-default
active
1003 token-ring-default
active
1004 fddinet-default
active
1005 trnet-default
active
Note: When using SVIs for inter-VLAN routing, the VLAN must exist in the VLAN database.
The following is output generated from the show ip route command and a table describing the
associated fields relating to inter-VLAN routing on a Layer 3 switch.
L3Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C
C

192.168.1.0/24 is directly connected, Vlan1


192.168.2.0/24 is directly connected, Vlan2

The following table describes important information shown in the command output:
Component Description
The first characters of a routing table entry identifies the source or type of the route.

Route type

C is for directly connected networks


S is for static routes
R is for routes learned through RIP
Additional codes indicate routes learned through other routing protocols

All SVIs are shown as directly connected, because the switch treats each interface as a
physical link through which it can route traffic.
Network

Following the route type is the network address and subnet mask. This identifies the
specific subnet address for the route.

VLAN ID

The VLAN ID indicates which VLAN interface is associated with the IP route. In the
example above, VLAN 1 and VLAN 2 are configured with SVIs.

Routes for SVIs will only be shown if:

The interface has been assigned an IP address


The interface is enabled
The interface line protocol is up
The VLAN exists in the VLAN database

The following is a portion of the output generated from the show run command and a table
describing the associated fields relating to inter-VLAN routing on a Layer 3 switch.
output omitted
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
shutdown
!
Field

Description

VLAN
This is the VLAN ID found in the VLAN database.
Interface ID
IP address

This is the IP address of the Switch Virtual Interface (SVI). An IP address and subnet
mask must be assigned to the interface before inter-VLAN routing can occur.

Enabled

The shutdown and no shutdown commands enable the interface. In the example
above, the omission of the shutdown command on the VLAN 10 interface indicates
that the SVI is enabled and routing may occur through the SVI.

Gateway Redundancy
As you study this section, answer the following questions:

How does a virtual router help to protect against single point of failure?
If there are three routers in a HSRP group, how many virtual IP addresses would be
assigned to that group of routers?
What are the main differences between HSRP and VRRP, and are they compatible?
What is the maximum number of routers that can act as active IP default gateways in a
GLBP group?
If there are two routers in a GLBP group, how many virtual MAC addresses are assigned to
routers in that group?

This section covers the following exam objectives:

401. Explain the functions and operations of gateway redundancy protocols (i.e., HSRP,
VRRP, and GLBP).

Gateway Redundancy Facts


Gateway redundancy is a fault-tolerant approach for hosts to communicate outside their
local subnet. Typically, hosts are configured with a single default gateway (next-hop router)
so they may communicate outside the local subnet. However (as shown in the image below)
if the default gateway should fail, the hosts are limited to communicating only within the
subnet, effectively disconnecting from the rest of the network. Even if there is a redundant
router which could serve as a replacement gateway, there is no dynamic method by which
the hosts could switch to a new default gateway IP address.

Gateway redundancy protects against a single point of failure. In gateway redundancy, a


group of two or more routers actively manage a single virtual router MAC address and IP
address (as seen below). This configuration ensures that if a router fails, a backup router
takes responsibility as the default gateway. With gateway redundancy, LAN clients send
traffic to the virtual router, but an actual router handles the forwarding of that traffic. The
difference between a virtual and actual router is unnoticeable to the clients.

Hot Standby Router Protocol (HSRP)


Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a
fault-tolerant default gateway. The protocol consists of a virtual MAC address and IP address that
are shared between two or more routers, and a process that monitors both LAN and serial interfaces
via a multicast protocol.
An HSRP group, a set of routers participating in HSRP that jointly emulate a virtual router, consists
of the following entities or roles:
Entity or
Description
Role
An active router which forwards traffic destined to the virtual IP address (see the
illustration below).

Active
Router

Standby
Router

A standby router which will become the active router should the existing active router
fail (see the illustration below).

Virtual
Router

A virtual router which is not an actual router. It is a concept of the entire HSRP group
acting as one virtual router. It is assigned its own IP address and MAC address;
however, the active router acting as the virtual router actually forwards the packets.

Additiona
l HSRP
member
routers

Additional HSRP member routers are neither active nor standby, but they are configured
to participate in the same HSRP group. These routers forward any packets addressed to
their assigned interface IP addresses but do not forward packets destined for the virtual
router because they are not the active router.

HSRP has the following router states:

Initial is the starting state of HSRP. All routers begin in this state. This state indicates that
HSRP is not yet fully operational.
Learn is when the router has not determined the virtual IP address and has not yet received
a hello message from the active router.
Listen is when the router knows the virtual IP address, but is neither the active router nor the
standby router. This is the state for additional HSRP member routers. The router in this state
listens for hello messages, participating only if the holdtime expires.
Speak is when the routers in the HSRP group are in the election process for the active and
standby routers.
Standby is when the HSRP router is a candidate to become the next active router and sends
periodic hello messages to inform other routers in the HSRP group of its status.
Active is when the router forwards packets assigned to the virtual MAC and IP address of
the HSRP group. It also sends periodic hello messages to inform other routers in the HSRP
group of its status.

Routers configured with HSRP exchange three types of multicast messages:


Message Description

Hello

The active router assumes and maintains its role through the use of hello messages. When
the active router fails, the other HSRP routers stop receiving the hello messages. The
standby router assumes the role of active router when the holdtime expires. The holdtime
is the time between the receipt of a hello message and the presumption that the sending
router has failed. HSRP timer details include the following:

Hello messages are sent every 3 seconds by default.


Holdtime expires after 10 seconds by default.

Both timers can be configured with an msec parameter for faster failover times.

Note: All routers in the HSRP group should use the same timer values.
Coup

A coup message is sent by a standby router which wants to assume the function of the
active router.

Resign

The active router sends the resign message when it is about to shut down or when a router
that has a higher priority sends a hello or coup message.

The active router is decided by the following:

On a per-group basis, the HSRP router can be configured with a priority value. The default
is 100. It can be between 0-255. The router with the highest priority becomes the active
router if it initializes first.
Note: If several routers have the same priority, the physical IP address of the router's
interface is used. The router with the highest IP address becomes the active router.
A preemption configuration will force a specific router to be an active router if it has the
highest priority for the group. If the preempted active router fails, the standby router
becomes the active router. If the preempted active router regains service, it will become the
active router again. Be aware of the following details:
o If preemption is not enabled, the standby router which takes over for a failed router
will remain the active router even if the former active router regains service.
o If preemption is enabled, the former active router regains service immediately after
it receives a hello message from the active router with a lower priority by sending a
coup message. When a lower priority active router receives a coup message from an
active, higher priority router, the router changes to the Speak state and sends a resign
message.
Note: The transition through HSRP states is displayed with the debug standby EXEC
command.

Be aware of the following HSRP details:

The virtual MAC address is XXXX.XX07.ACxx. The first six values in the address
(XXXX.XX) represent the vendor code. The last two values (xx) represent the HSRP group
number in hexadecimal. For example, a virtual MAC address for HSRP group 79 would be
XXXX.XX07.AC4F
If a host sends an ARP request with the virtual router's IP address, the active router will
return the virtual router's MAC address.
One or more HSRP groups need to be configured for each VLAN or subnet. HSRP is not
configured globally.
Using the VLAN ID as the HSRP group number makes troubleshooting easier. However,
the group number is limited to a value between 0 and 255.
To configure HSRP load sharing, configure at least two routers to participate in two HSRP
groups.
o Configure the first router to serve as the active router for the first HSRP group and
the backup router for the second HSRP group.
o Configure the second router to serve as the active router for the second HSRP group
and the backup router for the first HSRP group.
An HSRP tracking feature monitors the active router's interface that is used to forward
traffic from the hosts. If that interface goes down, the priority of the HSRP group is reduced
to allow the HSRP standby router to become the active router.
o The HSRP group priority of the active router is decreased by 10 by default, but can
be configured. Careful planning of standby priorities for all routers is needed to
ensure that the HSRP standby tracking feature lowers priorities enough for standby
routers to take active roles.

If preemption is not enabled on the standby router, it will not send a coup message
to become the active router for the group.
When configuring routers in the HSRP group, at least one router in the group must be
configured with the virtual IP address. Other routers in the group will learn the virtual IP
address because it is forwarded in the hello messages.
o

Virtual Router Redundancy Protocol (VRRP)


Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP. VRRP and
HSRP are similar in concept, but not compatible. The main differences include the following:

The physical router that is currently forwarding data on behalf of the virtual router is called
the master router.
Physical routers standing by to take over from the master router are called backup routers.
Backup routers do not send advertisements like standby routers do in an HSRP group.
Values used to determine the VRRP priority range between 1-254. The default priority
value is 100.
If the configured virtual IP address is the same IP address as the router's physical interface,
the router is known as the IP address owner and becomes the master router.
Similar to HSRP, preemption allows a failed router to return as the VRRP master router if it
has the highest priority for the VRRP group. However, in VRRP, an IP address owner of the
VRRP group will always preempt.
Each router in the VRRP group must be configured with the virtual IP address.

In the illustration below, if the VRRP virtual IP address is 10.0.1.1, then RouterA is the IP address
owner and serves as the master router. RouterB and RouterC would be backup routers.

VRRP uses the following timers:

The advertisement interval is the interval between when the advertisements are sent. The
default is 1 second and can be configured.
The master-down interval is the time for a backup to declare the master is down. The
master-down interval can not be configured directly, but is calculated as three times the
value of the advertisement interval.

Be aware of the following details:

The virtual MAC address is 0000.5E00.01xx. The last two values (xx) is the Virtual Router
IDentifier (VRID) and represents the VRRP group number in hexadecimal.
HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the
routing table in any way.

Gateway Load Balancing Protocol (GLBP)


Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that automatically
selects and simultaneously uses multiple virtual gateways. It is intended to fully use resources
without the configuration of multiple groups and default gateways. GLBP details include the
following:

Routers in a GLBP group elect one gateway to be the Active Virtual Gateway (AVG) for
that group.
o The AVG assigns a virtual MAC address to each router of the GLBP group.
o The AVG is responsible for answering Address Resolution Protocol (ARP) requests
for the virtual IP address.
o Load balancing is achieved by the AVG replying to the host's ARP requests with
different virtual MAC addresses.
A GLBP group can have up to four member routers acting as IP default gateways. The
gateways are known as Active Virtual Forwarders (AVFs). Each AVF assumes
responsibility for forwarding packets sent to the virtual MAC address assigned to it by the
AVG.
o A virtual forwarder that is assigned a virtual MAC address by the AVG is known as
a primary virtual forwarder.
o A virtual forwarder that has learned the virtual MAC address (from hello messages)
is referred to as a secondary virtual forwarder.
o An AVG can assign itself with a MAC address, and assume the responsibilities of
the AVF as well.
GLBP operates virtual gateway redundancy in the same way as HSRP. The gateway with
the highest priority for the group is elected as the AVG, another gateway is elected as the
standby virtual gateway, and the remaining gateways are placed in a listen state. If an AVG
fails, the standby virtual gateway will assume responsibility for the virtual IP address. A
new standby virtual gateway is then elected from the gateways in the listen state.

GLBP supports the following modes for load balancing:


Mode

Description

Roundrobin

In the round-robin scheme, when a host sends an ARP request, the AVG returns a
virtual MAC address based on its table of MAC addresses assigned to AVF. When
another host sends an ARP request, the AVG replies with the next MAC address in its
table, and so on.
Note: This is the default method.
In the weighted scheme, the AVF advertises how much traffic the interface can handle
to the AVG. The AVG then directs traffic according to the advertised amounts.

Weighted

Initial weighting values can be set and optional thresholds specified. Interface
states can be tracked and a decrement value set to reduce the weighting value if
the interface goes down.
When the GLBP router weighting drops below a specified value, the router will
no longer be an active virtual forwarder.
When the weighting rises above a specified value, the router can resume its
role as an active virtual forwarder.

In the host-dependent scheme, the host will always use the same virtual MAC address
Hostand same VFG (as long as that address and gateway is participating in the GLBP
dependent
group).
Be aware of the following details:

GLBP members communicate between each other through hello messages sent every 3
seconds.
Group numbers range from 0-1023.
AVG states match the HSRP active router states.
The default gateway on each host device must be configured as the GLBP group's virtual IP
address.

HSRP Configuration
As you study this section, answer the following questions:

Which router in a HSRP group will be the active router if all the routers in a HSRP group
are assigned the same priority?
What is the function of preemption?
What is interface tracking and how does it affect the HSRP priority value?
How many routers in a HSRP group need to be configured with the virtual IP address?
When does a router in a HSRP group send a coup message?
How is the HSRP group number identified in the virtual MAC address?

After finishing this section, you should be able to complete the following tasks:

Configure multiple routers to form a HSRP virtual default gateway.


Configure preemption for a HSRP group.
Configure interface tracking within a HSRP group.

This section covers the following exam objectives:

402. Configure HSRP, VRRP, and GLBP.


403. Verify High Availability configurations.

HSRP Command List


The following table lists commands used to configure and verify HSRP:
Use...
Router(config)#interface <type number>
Router(config-if)#standby <0-255> ip

To...
Enter interface
configuration mode
and enable HSRP
with a group number.

Router(config-if)#standby <0-255> ip <a.b.c.d>

Configure the HSRP


standby group with a
virtual IP address.

Router(config-if)#standby <0-255> preempt

Configure HSRP for


pre-emption so the
router may take over
if it has a higher
priority than the
current active router.

Router(config-if)#standby <0-255> priority <0-255>

Configure the HSRP


group priority.

Router(config-if)#standby <0-255> track <interface


type number> <decrement value>

Monitors the active


router's interface that
is used to forward
traffic from the hosts,
and specifies the
HSRP group priority
amount that is
decremented if the
interface goes down.

Router(config-if)#standby <0-255> timers msec


<hello-value>

Configure the hello


timer and hold timer

values for HSRP.


Router(config-if)#standby <0-255> timers msec
<holdtime-value>

Router(config-if)#no standby <0-255> timers

Reset the hello timer


and hold timer values
back to their defaults,
3 and 10 seconds
respectively.
Configure the
authentication as
plain text or
encrypted text. This
will authenticate
HSRP packets
received from other
routers in the group.

Router(config-if)#standby <0-255> authentication


<value>
Router(config-if)#standby <0-255> authentication
md5 key-string 0|7 <value>

Specifying 0
means the key
value is
unencrypted.
Specifying 7
means the key
value is
encrypted.
The keystring
authentication
key is
automatically
encrypted if
the service
passwordencryption
global
configuration
command is
enabled.

Note: If you
configure
authentication, all
routers within the
GLBP group must
use the same
authentication string.

Router#show standby

Display the gateway


redundancy
configuration and
status of the
configured interfaces.

Router#debug standby

Displays HSRP state


changes and
debugging
information regarding

transmission and
receipt of Hot
Standby Protocol
packets. Use this
command to
determine whether
hot standby routers
recognize one another
and take the proper
actions.
Examples
The following table provides example gateway redundancy configurations and descriptions:
Commands

Description

The first group of commands


configures a single router (RouterA)
with one HSRP standby group for
VLAN 10 with a virtual address of
10.2.2.1 and a priority of 100. The
second group of commands
configures a single router (RouterB)
with the same group yet a different
RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1 priority.
RouterA(config-if)#standby 10 priority
100
This command set configures
RouterA(config-if)#end
RouterA as the active router for
VLAN 10 because it has the highest
RouterB(config)#interface vlan 10
priority. RouterB is configured as
RouterB(config-if)#standby 10 priority 90 the standby router.
RouterB(config-if)#end
Note: When configuring routers in
the HSRP group, at least one router
in the group must be configured with
the virtual IP address. Other routers
in the group will learn the virtual IP
address because it is forwarded in
the hello messages.
RouterA(config)#interface vlan 10
RouterA(config-if)#standby 10 ip 10.2.2.1
RouterA(config-if)#standby 10 priority
150
RouterA(config-if)#interface vlan 20
RouterA(config-if)#standby 20 ip 10.3.3.1
RouterA(config-if)#standby 20 priority
100
RouterA(config-if)#end
RouterB(config)#interface vlan 10
RouterB(config-if)#standby 10 priority
100
RouterB(config-if)#interface vlan 20
RouterB(config-if)#standby 20 priority
150
RouterB(config-if)#end

The first group of commands


configure a single router (RouterA)
with two HSRP standby groups on
VLAN 10 and 20 with a virtual
address of 10.2.2.1 and 10.3.3.1 with
a priority of 150 and 100,
respectively. The second group of
commands configure a single router
(RouterB) with the same groups yet
configures a different priority for
each VLAN.
This command set configures
RouterA as the active router for
VLAN 10 and the standby router for
VLAN 20. It is vice versa for
RouterB.

VRRP Configuration
As you study this section, answer the following questions:

What is the difference between setting up a VRRP group or a HSRP group?


How many routers in a VRRP group need to be configured with the virtual IP address?
What happens to the VRRP master router when another router in the VRRP group is
configured with preemption?

After finishing this section, you should be able to complete the following tasks:

Configure two routers to form a VRRP group?

This section covers the following exam objectives:

402. Configure HSRP, VRRP, and GLBP.


403. Verify High Availability configurations.
VRRP Command List
The following table lists commands used to configure and verify VRRP:

Use...

To...

Router(config-if)#vrrp <1-255> ip <a.b.c.d>

Enable a VRRP
group with a
specified group
number and a virtual
IP address.

Router(config-if)#vrrp <1-255> priority <0-255>

Configure the VRRP


group priority.
Note: If the priority
is configured to 0,
the router releases
responsibility for
being the master
router for the VRRP
group.
Configure VRRP for
pre-emption so the
router may take over
if it has a higher
priority than the
current active router.

Router(config-if)#vrrp <1-255> preempt

Note: The router that


is the IP address
owner will preempt,
regardless of the
setting of this
command.
Router(config-if)#vrrp <1-255> timers <advertise-value>

Configure the
advertisement
interval VRRP.

Router#show vrrp

Display the gateway


redundancy
configuration and

status of the
configured
interfaces.

Examples
The following command set configures a VRRP group on VLAN 7, a virtual address of
10.0.1.1, a priority of 110, and preemption:
RouterA>ena
RouterA#conf t
RouterA(config)#interface vlan 7
RouterA(config-if)#vrrp 7 ip 10.0.1.1
RouterA(config-if)#vrrp 7 priority 110
RouterA(config-if)#vrrp 7 preempt

GLBP Configuration
As you study this section, answer the following questions:

What is difference when configuring a GLBP group and a HSRP group?


What are the different choices available for GLBP load-balancing?

After finishing this section, you should be able to complete the following tasks:

Configure two routers in a GLBP group to form a virtual default gateway, and implement a
load balancing method.

This section covers the following exam objectives:

402. Configure HSRP, VRRP, and GLBP.


403. Verify High Availability configurations.

GLBP Command List


The following table lists commands used to configure and verify GLBP:
Use...

To...

Router(config-if)#glbp <0-1023> ip

Enable a GLBP
group with a
specified group
number.

Router(config-if)#glbp <0-1023> ip <a.b.c.d>

Configure the
interface of a
member of the
virtual group with
the identified virtual
IP address.

Router(config-if)#glbp <0-1023> priority <1-255>

Configure the
priority of the
configured router
(same as HSRP).

Router(config-if)#glbp <0-1023> preempt

Configure GLBP for


pre-emption so the
router may take over
if it has a higher
priority than the
current active router.

Router(config-if)#glbp <0-1023> load-balancing


host-dependent
Router(config-if)#glbp <0-1023> load-balancing
round-robin

Configure the load


balancing method.

Router(config-if)#glbp <0-1023> load-balancing


weighted
Router(config)#track <1-500> interface <type
number> line-protocol | ip routing

Configure an
interface to be
tracked.

The lineprotocol
keyword
tracks
whether the
interface is
up.
The ip
routing
keywords
also check
that IP
routing is
enabled on
the interface,
and an IP
address is
configured.

Configure GLBP
weighting values:

Router(config-if)#glbp <0-1023> weighting <1-254>


[lower <value>] [upper <value>]
Router(config-if)#glbp <0-1023> weighting track <1500> decrement <value>

Router#show glbp

Specify the
initial
weighting
value, and the
upper and
lower
thresholds.
Specify an
object to be
tracked and
specify a
weighting
reduction of a
GLBP
gateway
when a
tracked object
fails.

Display the gateway


redundancy
configuration and
status of the
configured
interfaces.

Examples
The following command set configures a GLBP group on VLAN 7, a virtual address of 10.0.2.1, a
priority of 110, and host-dependent load balancing:
Router(config)#interface vlan 7
Router(config-if)#glbp 7 ip 10.0.2.1

Router(config-if)#glbp 7 priority 110


Router(config-if)#glbp 7 load-balancing host-dependent

Troubleshooting Gateway Redundancy


As you study this section, answer the following questions:

How can you tell when an interface is participating in a gateway redundancy configuration?
How does the tracking feature affect a gateway redundancy configuration?
Which commands allow you to verify a HSRP gateway redundancy configuration?

After finishing this section, you should be able to complete the following tasks:

Configure a scenario, verify and troubleshoot gateway redundancy configurations.

This section covers the following exam objectives:

403. Verify High Availability configurations.

Troubleshooting Gateway Redundancy Facts


The following commands are used to display gateway redundancy configurations for verification
and troubleshooting:
show standby
show glbp
The following is output generated from the show standby command and a table describing the
associated fields relating HSRP configuration and operating details.
FastEthernet0/1 - Group 200
State is Standby
10 state changes, last state change 2d05h
Virtual IP address is 10.0.0.15
Active virtual MAC address is 0000.0c07.acc8
Local virtual MAC address is 0000.0c07.acc8 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.540 secs
Preemption disabled
Active router is 10.0.0.3, priority 110 (expires in 8.952 sec)
Standby router is local
Priority 75 (default 100)
Track interface Serial0/1 state Down decrement 25

The following table describes important information shown in the command output:
Component

Description

Interface type
Interface type and number and Hot Standby group number for the interface.
- Group
This is the current state of the local router. It can be one of the following:

State is

Active indicates that the current Hot Standby router.


Standby indicates that the router next in line to be the Hot Standby router.
Speak indicates that the router is sending packets to claim the active or
standby role.
Listen indicates that the router is not in the active nor standby state, but if
no messages are received from the active or standby router, it will start to
speak.
Init or Disabled indicates that the router is not yet ready or able to
participate in HSRP, possibly because the associated interface is not up.

HSRP groups configured on other routers on the network that are learned
via snooping are displayed as being in the Init state. Locally configured
groups with an interface that is down or groups without a specified interface
IP address appear in the Init state. For these cases, the Active addr and
Standby addr fields will show "unknown."
Note: The state is listed as disabled in the fields when the standby ip command has
not been specified.
Virtual IP
address is

This is the virtual IP address assigned within the HSRP group.

Active virtual Virtual MAC address being used by the current active router. The last two digits are
MAC address the HSRP group number in hexadecimal format.
Local virtual
Virtual MAC address that would be used if this router became the active router.
MAC address
Hello time,
hold time

The hello time is the time between hello packets (in seconds) based on the standby
timers command. The hold time is the time (in seconds) before other routers declare
the active or standby router to be down, based on the standby timers command.

Next hello
sent in

Time at which the Cisco IOS software will send the next hello packet (in a
hours:minutes:seconds format).

Preemption
enabled

Indicates whether preemption is enabled with the standby preempt command. If


enabled, the minimum delay is the time for which a higher-priority non-active
router will wait before preempting the lower-priority active router.

Active router
is

This can be "local," "unknown," or an IP address. Address (and the expiration date
of the address) of the current active Hot Standby router. In the example above, it is
the IP address of the other router participating in the HSRP group.

This can be "local," "unknown," or an IP address. Address (and the expiration date
Standby router
of the address) of the "standby" router (the router that is next in line to be the Hot
is
Standby router). In the example above, it is the local router.
Priority

The configured and operating HSRP group priority. This operating value may be
different than the configured value if the track command has been configured and
the tracked interface is down.

Tracking

List of interfaces that are being tracked and their corresponding states. Based on the
standby track command. In the example above, the tracked interface is DOWN,
decrementing the priority from its default of 100 to 75.

The following is output generated from the show glbp command and a table describing the
associated fields relating GLBP configuration and operating details.
FastEthernet0/1 - Group 100
State is Standby
1 state change, last state change 1w0d
Virtual IP address is 10.0.0.5 (learnt)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.508 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Preemption disabled
Active is 10.0.0.3, priority 100 (expires in 7.224 sec)
Standby is local
Priority 200 (configured)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
000d.bd8e.0781 (10.0.0.2) local
001a.6ca7.b473 (10.0.0.3)
There are 2 forwarders (1 active)
Forwarder 1

State is Listen
MAC address is 0007.b400.6401 (learnt)
Owner ID is 001a.6ca7.b473
Time to live: 14397.224 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.0.0.3 (primary), weighting 100 (expires in 7.828 sec)
Forwarder 2
State is Active
1 state change, last state change 1w0d
MAC address is 0007.b400.6402 (default)
Owner ID is 000d.bd8e.0781
Preemption enabled, min delay 30 sec
Active is local, weighting 100

The following table describes important information shown in the command output:
Component

Description

Interface type
and group
number

Interface type and number and GLBP group number for the interface.
State of the virtual gateway or virtual forwarder. For a virtual gateway, the state
can be one of the following:

State is

Virtual IP
address is

Active indicates that the gateway is the active virtual gateway (AVG) and
is responsible for responding to Address Resolution Protocol (ARP)
requests for the virtual IP address.
Disabled indicates that the virtual IP address has not been configured or
learned yet, but another GLBP configuration exists.
Initial indicates that the virtual IP address has been configured or learned,
but virtual gateway configuration is not complete. An interface must be up
and configured to route traffic, and an interface IP address must be
configured.
Listen indicates that the virtual gateway is receiving hello packets and is
ready to change to the "speak" state if the active or standby virtual
gateway becomes unavailable.
Speak indicates that the virtual gateway is attempting to become the active
or standby virtual gateway.
Standby indicates that the gateway is next in line to be the AVG.

This is the virtual IP address assigned within the GLBP group.

The hello time is the time between hello packets (in seconds) based on the
Hello time, hold standby timers command. The hold time is the time (in seconds) before other
time
routers declare the active or standby router to be down, based on the standby
timers command.
Next hello sent
in

Preemption
enabled

Time at which the Cisco IOS software will send the next hello packet (in a
hours:minutes:seconds format).
Indicates whether preemption is enabled with the glbp preempt command. If
enabled, the minimum delay is the time for which a higher-priority non-active
router will wait before preempting the lower-priority active router.
This field is also displayed under the forwarder section where it indicates GLBP
forwarder preemption.

Active is

This can be "local," "unknown," or an IP address. Address (and the expiration


date of the address) of the current AVG. In the example above, it is the IP address
of the other router participating in the GLBP group.

Standby is

This can be "local," "unknown," or an IP address. Address (and the expiration


date of the address) of the "standby" router (the router that is next in line to be the
AVG). In the example above, it is the local router.

Priority

The configured and operating GLBP group priority. This operating value may be
different than the configured value if the track command has been configured and
the tracked interface is down.

Weighting

The initial weighting value with lower and upper threshold values.
The load balancing method in the group. This can be one of the following:

Load balancing

Round-robin
Host-dependent
Weighted

Track object

The list of objects that are being tracked and their corresponding states.

Group members

This lists the actual IP address and MAC address of the routers participating in
the GLBP group. GLBB may use these as AVFs.
For a virtual forwarder, the state can be one of the following:

Forwarders

Active indicates that the gateway is the active virtual forwarder (AVF)
and is responsible for forwarding packets sent to the virtual forwarder
MAC address.
Disabled indicates that the virtual MAC address has not been assigned or
learned. This is a transitory state because a virtual forwarder changing to a
disabled state is deleted.
Initial indicates that the virtual MAC address is known, but virtual
forwarder configuration is not complete. An interface must be up and
configured to route traffic, an interface IP address must be configured, and
the virtual IP address must be known.
Listen indicates that the virtual forwarder is receiving hello packets and is
ready to change to the "active" state if the AVF becomes unavailable.

In the example above, the local router is the only active virtual forwarder.
MAC address is This is the Virtual MAC address being used within the GLBP group.
Owner ID is

This is the actual MAC address of the forwarder.

VoIP Overview
As you study this section, answer the following questions:

What are the disadvantages of sending voice signals over an IP network?


Under what circumstances should you enable Quality of Service (QoS) features?
At what point (in milliseconds) will callers be aware of roundtrip delays?
What are the characteristics of VoIP traffic?
What two data flows make up a VoIP call?

This section covers the following exam objectives:

701. Describe the characteristics of voice in the campus network.

VoIP Overview Facts


Voice over IP (VoIP) is a protocol optimized for the transmission of voice through the Internet or
other packet switched networks. Voice over IP protocols carry telephony signals as digital audio
encapsulated in a data packet stream over IP. VoIP traffic is smooth, benign, drop-sensitive, and
delay-sensitive, and is typically User Datagram Protocol (UDP)-based.
A VoIP call consists of two data flows:

The voice carrier stream, consisting of Real-Time Transport Protocol (RTP) packets
containing the actual voice samples
The call control signaling, consisting of one of several protocols which set up, maintain,
teardown, and redirect the call. Protocols used in call control include the following:
o H.323
o Session Initiation Protocol (SIP)
o Media Gateway Control Protocol (MGCP)

Properly provisioning the network bandwidth is a major component of designing a successful Cisco
VoIP solution (also called Telephony). When implementing VoIP, you should consider the
following:

Reserve enough bandwidth for the maximum amount of calls crossing a link. The sum of
the calculated bandwidth of all applications (such as those for voice, video, and data) should
not exceed 75% of the total bandwidth on the link. This is the recommended threshold.
Even when the total required bandwidth for all applications is under 75% of the available
bandwidth, always enable Quality of Service (QoS) features. This ensures that voice traffic
will flow properly.
Voice codecs compress the voice samples and affect the amount of bandwidth required for
each VoIP call and the payload size. Popular voice codecs include G.711 and G.729, which
use a total bandwidth of 87.2 Kbps and 31.2 Kbps for a payload size of 160 bytes or 20
bytes, respectively.
VoIP headers make up a considerable amount of overhead and bandwidth consumption.
You should be aware of the following VoIP header sizes:
o 18 bytes for the Ethernet header, including the Frame Check Sequence (FCS) or
Cyclic Redundancy Check (CRC).
o 20 bytes for the IP header
o 8 bytes for the UDP header
o 12 bytes for the RTP header
Note: To calculate the total packet size, add the Ethernet, IP, UDP, RTP headers, and voice
payload.

VoIP requires a well-engineered, end-to-end network that provides little latency for data stream
transmission. Fine-tuning the network to adequately support VoIP involves overcoming the
following issues:
Issue

Description
Delay (or latency) is the amount of time required for the spoken voice to be carried to the
receiver's ear.

Delay

Delays cause long pauses between speaking and receiving, and might result in
callers continually interrupting each other.
Callers notice roundtrip delays of 250 milliseconds (ms) or more.
International standards call for a delay of 150 ms or less.

There are two main types of delay:

Fixed-network delay refers to the time it takes a device to encode and decode
traffic and the time required for electrical and optical signals to travel the media en
route to the receiver.
Variable-network delay refers to network conditions, such as congestion, which
affect the overall time it takes a packet to reach its destination.

Jitter is the variation of delay in transmissions.


Jitter

Jitter causes strange sound effects as the delay of packets fluctuates.


Acceptable levels of jitter vary by vendor, but should be very low (between .5 and
30 ms).
Jitter can be controlled to some extent by packet buffers in VoIP equipment.

Packet loss occurs when packets do not arrive.

Packet
loss

Packet loss causes drop-outs in the conversation.


Because voice traffic is time sensitive, lost packets do not need to be retransmitted.
Voice traffic is very sensitive to packet loss. Even a 1% loss of packets can be
detected.
Ideally, Cisco recommends 0% packet loss, although very low (.1-.5% maximum)
might still be acceptable.

Echo is hearing your own voice in the telephone receiver while you are talking.

Echo

When timed properly, echo is reassuring to the speaker.


If echo exceeds approximately 25 milliseconds, it can be distracting and cause
breaks in the conversation.
Excessive delay can cause unacceptable echo.
VoIP implementations use echo cancellers to regulate the echo.

Voice VLANs
As you study this section, answer the following questions:

What is the function of a voice VLAN on a switch?


What is another name for a voice VLAN?
Which protocol separates voice traffic from data traffic?
How should you configure an IP phone daisy chain configuration which includes IP phones
that do not understand CDP?
When you disable a voice VLAN on an interface that had the Port Fast feature enabled,
what happens to the status of Port Fast?

This section covers the following exam objectives:

701. Describe the characteristics of voice in the campus network.


702. Describe the functions of Voice VLANs and trust boundaries.

Voice VLAN Facts


A voice VLAN (also known as an auxiliary VLAN) is a secondary VLAN for VoIP traffic on a
switch access port. The voice VLAN on the switch separates both data and voice traffic to their
respective VLANs. For example, in an IP Phone Daisy Chain configuration, Cisco IP phones allow
workstations to access the network by connecting the IP phone to the switch and then connecting
the workstation's Ethernet cable to an additional port on the phone. In this configuration, both the
workstation (sending data traffic) and the IP phone (sending voice traffic) are connected to the
same switch interface, thereby residing in the same VLAN. However, when the switch is
configured with a voice VLAN, the voice traffic is separated from the data traffic (see illustration
below).

In a typical Cisco IP Phone daisy chain configuration, you configure a switch port to send CDP
packets to the phone. The CDP packets will instruct the IP phone on how to send the voice traffic.
The following steps describe how a voice VLAN is created and then operates in a typical Cisco IP
Phone daisy chain configuration:
1. The switch interface is configured using the switchport voice vlan <vlan id> command.
This signals to the switch that it will be using 802.1q tagging with the specified VLAN ID.
2. The Cisco IP phone is connected to the switch interface.
3. Once connected, the switch sends Cisco Discover Protocol (CDP) packets to the phone
which include the voice VLAN ID information.
4. The Cisco IP phone receives the CDP packets, interprets the voice VLAN ID, and begins
sending VoIP traffic with the 802.1q tags for the specified voice VLAN.
5. The IP phone also sends data traffic to the same interface but does not include 802.1q tags,
effectively sending traffic to the native (access) VLAN. If configured, the switch could then
tag the data traffic with 802.1q tags for the respective VLAN.

Note: In daisy chain configurations which include other IP phones that do not interpret CDP
information, configure the switch to use 802.1p with the switchport voice vlan dot1p command.
802.1p is a protocol which allows traffic to be prioritized with Quality of Service (QoS) markings.
By using 802.1p, non-Cisco IP phones can elevate the priority of voice traffic. This configuration is
useful for trusting the priority markings from IP phones without using a separate voice VLAN. You
can also use the switchport voice vlan dot1p command on a Cisco IP phone to tag the voice
traffic, but instead of placing the traffic on a voice VLAN, it will use the access VLAN to carry the
voice traffic.
Be aware of the following details when configuring voice VLANs:

If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must
be in the same IP subnet.
You must enable CDP on the switch port connected to the Cisco IP Phone to send the
configuration to the phone. CDP is globally enabled by default on all switch interfaces.
The Port Fast feature is automatically enabled when voice VLAN is configured. When you
disable voice VLAN, the Port Fast feature is not automatically disabled.
Do not configure voice VLAN on private VLAN ports.
You should configure voice VLAN on Layer 2, switch access ports. Voice VLANs are not
supported on trunk ports.

Quality of Service (QoS) and Trust Boundary


As you study this section, answer the following questions:

What QoS technologies are available to prevent delay and/or jitter in a VoIP network?
What is the difference between Auto-QoS and standard QoS methods?
Where is the best location to set the trust boundary?
What is the problem with extending the trust boundary too far?

This section covers the following exam objectives:

701. Describe the characteristics of voice in the campus network.


702. Describe the functions of Voice VLANs and trust boundaries.

QoS Facts
Quality of Service (QoS) is the ability to guarantee a certain level of performance to a data flow.
QoS-enabled infrastructures allow you to do the following:

Classify and mark traffic such that network devices can differentiate traffic flows
Condition (police) traffic to tailor traffic flows to specific traffic behavior and throughput.
Mark traffic rates above specified thresholds as lower priority traffic.
Drop packets when rates reach specified thresholds.
Schedule packets such that higher-priority packets transmit from output queues before
lower-priority packets.
Manage output queues such that lower-priority packets awaiting transmission do not
monopolize buffer space.

Two QoS service models are used in an IP network:


Model

Integrated
services
(IntServ)

Description
Integrated services, also known as Hard QoS, explicitly reserve services for traffic
flows. Network devices make service reservation requests before sending data, and
once a request is confirmed, the network device sends the data. Through integrated
services, bandwidth and data transmission below the traffic's delay requirements
are guaranteed for the traffic flow.
Note: Integrated services are not scalable and require continuous signaling from
network devices.
Differentiated services, also known as Soft QoS, provides QoS depending on the
data traffic class. As incoming frames enter the switch, differentiated services
categorize the traffic and then sort it into queues of various efficiencies. The
switch directly marks the packet for classification at Layer 2 or Layer 3:

Differentiated
services
(DiffServ)

Layer 2 Class of Service (CoS) uses three bits in the Ethernet header for
QoS classification. The bits allow for up to eight distinct values: 0 through
7, with 7 as high-priority.
A Layer 3 Type of Service (ToS) byte contains a 6-bit Differentiated
Services Code Points (DSCP) value used for QoS classification. The DSCP
field allows for up to 64 (0-63) distinct values. Packets can be marked with
a standard DSCP value or user defined class. For instance, the default
DSCP standard value for all traffic has a value of 0. This is the value for
untrusted traffic.
Note: The first 3 bits (0-2) of the DSCP value define the traffic class. These
DSCP bits are known as the IP Precedence. IP Precedence values range

from 0 through 7.
Be aware of the following differentiated services details:

The network provides the QoS service on a per-hop, per-device basis,


rather than on a traffic flow basis as provided by integrated services.
Differentiated services is a scalable model and is the preferred method
within a multi-layer switched network.

Cisco switches provide the following QoS components:


Component

Description

Classification

Classification distinguishes a frame or packet with a specific priority or


predetermined criteria. In the case of Cisco switches, classification determines the
internal DSCP value on frames.

Marking

Marking is when the switch changes the DSCP, CoS, or IP Precedence values on
incoming frames or packets.
Traffic conditioning refers to the switch's ability to regulate traffic. Traffic
conditioning a combination of the following:

Traffic
conditioning

Shaping delays excess traffic using a buffer, or queuing mechanism, to hold


packets and shape the flow when the data rate of the source is higher than
expected, such as a burst of traffic. Shaping is not suitable for delaysensitive traffic flows, such as voice and video traffic.
Policing drops traffic when the traffic is above a specified rate or threshold.
Policing does not delay or buffer traffic.

Congestion management schedules packets such that higher-priority packets


transmit from output queues before lower-priority. Congestion avoidance monitors
traffic loads and drops packets using complex algorithms. Both congestion
management and congestion avoidance are a per-queue QoS feature. Congestion
management and congestion avoidance methods including the following:

Congestion
Management
and Avoidance

First In, First Out (FIFO) queuing packets are forwarded in the same order
in which they arrive at the interface. This is a Best-effort type of service.
Although this is a form of congestion management, it does not implement
QoS features.
Weighted Fair Queuing (WFQ) is a flow-based queuing algorithm that does
two things simultaneously: It schedules interactive traffic to the front of the
queue to reduce response time, and it fairly shares the remaining bandwidth
between high bandwidth flows.
Priority Queuing (PQ) ensures that important traffic gets the fastest
handling at each point where it is used. It was designed to give strict
priority to important traffic.
Custom Queuing (CQ) reserves a percentage of available bandwidth for an
interface for each selected traffic type. If a particular type of traffic is not
using the reserved bandwidth, other queues and types of traffic may use the
remaining bandwidth.
Weighted Random Early Detection (WRED) attempts to avoid congestion
by randomly dropping packets with a certain classification when output
buffers reach a specific threshold.
Internet Protocol Real-Time Protocol Priority (IP RTP Priority) provides a
strict priority queuing scheme on a Frame Relay permanent virtual circuit

(PVC) for delay-sensitive data such as voice traffic.


Combinations of existing queuing features, such as:
o Class-based weighted fair queuing (CBWFQ) extends the standard
WFQ functionality to provide support for user-defined traffic
classes. For CBWFQ, you define traffic classes based on match
criteria including protocols, Access Control Lists (ACLs), and input
interfaces.
o Low Latency Queuing (LLQ) brings strict priority queuing to
CBWFQ.

Auto-QoS is a feature which simplifies the deployment of existing QoS features. Auto-QoS makes
assumptions about the network, so the switch can prioritize different traffic flows and appropriately
use the incoming and outgoing queues instead of using the default QoS behavior. This includes
QoS requirements for VoIP traffic. The appropriate QoS features and optimal QoS values that
pertain to each feature are automatically configured (from a Cisco template of best practices) to
meet voice requirements; however, the template configuration generated by auto-QoS can be
modified if desired.
Trust Boundary Facts
The trust boundary is a perimeter in the networks where devices are configured to check and reset
the DSCP, IP Precedence, or CoS classification values of the traffic received from the untrusted
devices (devices outside the trust boundary). Be aware of the following details:

Markings that devices make outside the trust boundary are often reset, or at least checked
and modified if necessary.
The trust boundary should be configured on devices as close to the traffic source as possible
(i.e. the edge of the network). For example, an access-layer switch or a Cisco IP phone
could be configured to form the trust boundary (see the illustration below).
The devices that form the trust boundary forward classified traffic toward the interior of the
network. The switches located at the interior of the network should have all interfaces
configured for trusting the classified traffic because there is no need to classify the packets.
The trust boundary forms what is known as a QoS domain. The QoS domain includes the
switch, the interior of the network, and edge devices that can classify incoming traffic for
QoS (see the illustration below).
When configuring a Cisco IP phone to form the perimeter of the trusted boundary, Cisco
Discovery Protocol (CDP) must be globally enabled on the switch and on the port
connected to the IP phone. CDP is used to detect the Cisco IP phone. The switch will only
extend the trust boundary when the incoming traffic comes from the phone. For example, if
users disconnect their PCs from networked Cisco IP Phones and connect them to the switch
port to take advantage of trusted CoS or DSCP settings, the switch disables the trusted
setting on the switch or routed port and prevents misuse.

VoIP Configuration
As you study this section, answer the following questions:

How far should you extend the trust boundary and how is it done?
How do you configure a switch to instruct an IP phone to separate voice traffic from data
traffic?
How do you configure the switch to trust incoming QoS markings on voice traffic?
Which command will instruct the IP phone to elevate the priority of voice traffic, but still
send all traffic on the access VLAN?
Which commands will instruct the IP phone to trust or overwrite incoming QoS markings
from the workstation?

After finishing this section, you should be able to complete the following tasks:

Configure a switch to instruct the IP phone to separate voice traffic to another VLAN.
Configure a switch to instruct the IP phone to give voice traffic priority and keep all traffic
on the access VLAN.
Configure QoS settings for VoIP with 802.1p and trust CoS values for traffic.
Configure a trust boundary on the network edge and set trust configurations within the
network.
Configure Auto-QoS on switches for a VoIP configuration.

This section covers the following exam objectives:

702. Describe the functions of Voice VLANs and trust boundaries.


703. Configure and verify basic IP Phone support (i.e. Voice VLAN, Trust and CoS
options, AutoQoS for voice).

Voice VLAN Command List


The following table lists commands used to configure and verify voice VLANs:
Use...

To...

switch(config)#vlan <1-4094>

Define a VLAN
Note: The voice VLAN should be present and active on the
switch for the IP phone to correctly communicate on the
voice VLAN.
Configure a Voice VLAN on the interface and instruct the
IP phone to separate voice and data traffic into different
VLANs.

Switch(config-if)#switchport
voice vlan <vlan id>

The IP phone will use 802.1Q tagging with the


specified VLAN ID.
By default, the IP phone forwards the voice traffic
with an 802.1q priority of 5.

Configure the IP phone to use 802.1p priority tagging and


uses the access VLAN to carry all traffic.
Switch(config-if)#switchport
voice vlan dot1p

This is a common configuration for VoIP phones


which do not understand CDP messages sent from
the switch.
By default, the Cisco IP phone forwards the voice

traffic with an 802.1p priority of 5.


Switch(config-if)#switchport
voice vlan none

Not instruct the IP telephone about the voice VLAN.

Switch(config-if)#switchport
voice vlan untagged

Configure the IP phone to send untagged voice traffic. This


is the default for the telephone.

Switch#show interfaces <type>


<number> switchport

View an interface-level configuration for designating the


voice VLAN.

Examples
The following commands create VLAN 5 and 770, and instruct a Cisco IP phone to tag the voice
traffic with the VLAN 770 ID and the data traffic with the VLAN 5 ID:
Switch(config)#vlan 5
Switch(config-vlan)#vlan 770
Switch(config-vlan)#interface range fa 0/12 - 13
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#switchport voice vlan 770
The following commands create VLAN 5, instruct the phones connected to FastEthernet 0/2 and
0/8 to use the 802.1p protocol to tag the voice traffic and use the access VLAN to carry all traffic:
Switch(config)#vlan 5
Switch(config-vlan)#interface range fa 0/2 , fa 0/8
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#switchport voice vlan dot1p
QoS Command List
The following table lists commands used to configure and verify QoS settings on a switch:
Use...

To...

Switch(config)#mls qos

Enable QoS globally on the switch.


Configure the interface to trust the Layer 2 CoS labels of all
traffic received on that port.

Switch(config-if)#mls qos
trust cos

Switch(config-if)#mls qos
trust
Switch(config-if)#mls qos
trust dscp

If the port is CoS trusted and packets are untagged, the


default CoS value (0) becomes the CoS value for the
packet.
To change the default port CoS value, use the mls qos
cos <0-7> interface configuration command.
By default, if the interface is configured with a voice
VLAN using 802.1q or 802.1p, the default CoS setting on
voice traffic is configured with a priority of 5. The
default CoS for data traffic is 0.

Configure a routed port (Layer 3) to trust the DSCP labels of all


traffic received on that port.

The port will then assign the same DSCP value to the
packet.
For an untagged packet, the default port CoS value is

used.
Switch(config-if)#mls qos
trust ip-precedence

Configure the interface to trust the IP precedence value of all


traffic received on that port. For an untagged packet, the default
port CoS value is used.
Specify that the Cisco IP Phone is a trusted device if learned
from CDP. This enables the trusted boundary feature.

Switch(config-if)#mls qos
trust device cisco-phone

Trusting the DSCP or CoS values depend upon a required


accompanying command of mls qos trust cos or mls qos
trust dscp.
You must globally enable the Cisco Discovery Protocol
(CDP) on the switch and on the port connected to the IP
phone, with cdp run and cdp enable, respectively. By
default, both are enabled.

Configure the IP phone to override the priority received from the


PC or the attached device with the specified CoS value.
Switch(configif)#switchport priority
extend cos <0-7>

Switch(configif)#switchport priority
extend cos trust

The value is a number from 0 to 7, with 7 as the highest


priority.
The default priority is 0.

Configure the IP phone's access port to trust the priority received


from the PC or the attached device.
To globally disable the QoS features on the switch.

Switch(config)#no mls qos

Switch#show mls qos


Switch#show mls qos
interface <type> <number>

With QoS disabled, there is no concept of trusted or


untrusted ports because the packets are not modified (the
CoS, DSCP, and IP precedence values in the packet are
not changed).
Traffic is switched in pass-through mode (packets are
switched without any rewrites and classified as best
effort).

Display the QoS settings on the switch or interface.

Examples
The following commands configure FastEthernet 0/5 and FastEthernet 0/6 to trust CoS markings on
all incoming frames:
Switch(config)#mls qos
Switch(config)#interface range fa 0/5 - 6
Switch(config-if-range)#mls qos trust cos
The following commands configure FastEthernet 0/12 and FastEthernet 0/13 to trust CoS markings
from Cisco IP phones and enable the trusted boundary feature:
Switch(config)#cdp run
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#cdp enable

Switch(config-if-range)#mls qos trust cos


Switch(config-if-range)#mls qos trust device cisco-phone
The following commands configure QoS trusting for DSCP marking on packets sent on an interior
link between to trusted devices:
SwitchA(config)#interface gi 0/1
SwitchA(config-if)#mls qos trust dscp
Auto-QoS Command List
When using auto-QoS, a template configuration is used to configure the appropriate QoS features
and optimal QoS values that pertain to VoIP. Be aware of the following details:

The auto-QoS configuration can be modified if desired by configuring other QoS


commands, but you should do so only after the auto-QoS configuration is completed.
The auto-QoS configuration is a series of QoS commands which are generated when autoQoS is enabled. The generated configurations are added to the running configuration. The
switch applies the auto-QoS-generated commands as if the commands were entered from
the CLI.
For auto-QoS to function properly, do not disable the CDP. By default, the CDP is enabled
on all ports and globally on the switch.
When auto-QoS is enabled, QoS is globally enabled on the switch. (This is equivalent to
running the mls qos global configuration command.)
You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.

The following table lists commands used to configure and verify auto-QoS on a switch:
Use...

To...
Configure a port at the edge of the network to trust the QoS label
received in the packet if the packet comes from a Cisco IP phone.

Switch(configif)#auto qos voip


cisco-phone

This command enables the trusted boundary feature.


The switch uses the CDP to detect the presence or absence of a
Cisco IP Phone.
When a Cisco IP Phone is detected, the classification on the port
is set to trust the QoS label received in the packet.
When a Cisco IP Phone is absent, the classification is set to not
trust the QoS label in the packet.

Note: On a single interface, you cannot enable both trusted boundary


(mls qos trust device cisco-phone) and AutoQoS (auto qos voip ciscophone) at the same time; they are mutually exclusive.
Identify this port as connected to a trusted switch or router (a device
connected to the interior of the network), and automatically configure
QoS. The QoS labels of incoming packets are trusted as follows:
Switch(configif)#auto qos voip
trust

For non-routed ports, the CoS value of the incoming packet is


trusted.
For routed ports, the DSCP value of the incoming packet is
trusted.

Note: When configuring trusted ports between devices, configure the


port on both devices.
Switch(config-if)#no

Remove auto-QoS on the interface.

auto qos voip

Note: If the AutoQoS generated QoS configuration is deleted without


configuring the no auto qos voip command, auto-QoS will not be
completely removed from the configuration properly. You must use the
no mls qos command to disable the auto-QoS-generated global
configuration commands.
Switch#show auto qos
interface <type>
<number>

Display the auto-QoS settings on the switch or interface.

Examples
The following commands configure auto-QoS for FastEthernet0/12 and FastEthernet 0/13 and
enable the trusted boundary feature:
Switch(config)#cdp run
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#cdp enable
Switch(config-if-range)#auto qos voip cisco-phone
The following commands configure auto-QoS on FastEthernet0/5, enable the trusted boundary
feature, and allow the IP phone to tag voice traffic with the VLAN 700 ID:
Switch(config)#cdp run
Switch(config)#interface range fa 0/5
Switch(config-if)#cdp enable
Switch(config-if)#auto qos voip cisco-phone
Switch(config-if)#switchport voice vlan 700
The following commands configure auto-QoS trusting for an interior link between
GigabitEthernet0/1 and GigabitEthernet0/0 on SwitchA and SwitchB, respectively:
SwitchA(config)#interface gi 0/1
SwitchA(config-if)#auto qos voip trust
SwitchB(config)#interface gi 0/0
SwitchB(config-if)#auto qos voip trust

Power over Ethernet (PoE)


As you study this section, answer the following questions:

What is the advantage of using a switch with PoE capability?


How does a PoE-capable device notify the switch of its power needs?

After finishing this section, you should be able to complete the following tasks:

Configure a switch to use PoE for IP phones and for devices which do not need PoE.

This section covers the following exam objectives:

701. Describe the characteristics of voice in the campus network.


703. Configure and verify basic IP Phone support (i.e. Voice VLAN, Trust and CoS
options, AutoQoS for voice).

PoE Facts
Switches with Power over Ethernet (PoE) capability provide electrical power through the Cat 5
cable. This eliminates the need to have a separate power cable for the phone. 802.3af is the IEEE
standard for PoE, whereas Cisco Inline Power is Cisco-proprietary. Catalyst switches include the
following PoE features:

The ability to provide power to devices if the switch detects that there is no power on the
circuit.
The device and the switch negotiate through power-negotiation CDP messages for an
agreed power-consumption level. The negotiation allows a high-power Cisco powered
device to operate at its highest power mode.
The device notifies the switch of the amount of power that it is consuming through CDP
packets.
The switch maintains a power budget, monitors and tracks requests for power, and grants
power only when it is available.

The following table lists commands used to configure PoE on a switch:


Command

Description
In auto mode, the switch automatically detects if the connected device
requires power. If the switch discovers a powered device connected to the
port and if the switch has enough power, it grants power, updates the power
budget, and turns on power to the port on a first-come, first-served basis. Be
aware of the following details:

Switch(configif)#power inline
auto

Switch(configif)#power inline

If a device being powered by the switch is then connected to an AC


power source, the switch might continue to power the device. The
switch might continue to report that it is still powering the device
whether the device is being powered by the switch or receiving
power from an AC power source.
If a powered device is removed, the switch automatically detects the
disconnect and removes power from the port. You can connect a
non-powered device without damaging it.
This is the default setting.

In static mode, the switch pre-allocates power to the port (even when no
powered device is connected) and guarantees that power will be available

static

for the port. Be aware of the following details:

If you do not specify a wattage, the switch pre-allocates the


maximum value.
Use the static setting on a high-priority interface.

Delay mode is an optional configuration which specifies the power


shutdown delay time. The shutdown delay time is configured with the
following options:
Switch(configif)#power inline
delay

Shutdown seconds, time that the switch continues to provide power


to the device after link is down. The range is 0 to 20 seconds.
Initial seconds, the initial time that the power shutdown delay is in
effect. The range is 0 to 300 seconds.

Switch(configif)#power inline
never

In never mode, the switch disables powered-device detection and never


powers the PoE port even if an unpowered device is connected. Use this
mode only when you want to make sure power is never applied to a PoEcapable port, making the port a data-only port.

Switch(configif)#no power
inline

Use the no power inline interface command to reset the PoE setting to the
defaults.

Note: Example
The following commands configure auto PoE for FastEthernet0/12 and FastEthernet 0/13, and no
PoE for FastEthernet 0/5:
Switch(config)#interface range fa 0/12 - 13
Switch(config-if-range)#power inline auto
Switch(config-if-range)#int fa 0/5
Switch(config-if)#power inline never

Layer 2 Security Threats


As you study this section, answer the following questions:

What type of attack causes a switch to act like a hub and send all incoming packets out each
port?
What is the difference between MAC Flooding and MAC Address Spoofing?
How does ARP Spoofing confuse the network devices?
How does VLAN hopping allow attackers to gain access to unauthorized VLANs?

This section covers the following exam objectives:

601. Describe common Layer 2 network attacks (e.g., MAC Flooding, Rogue Devices,
VLAN Hopping, DHCP Spoofing, etc.)

Layer 2 Security Threat Facts


Layer 2 security attacks and threats are typically launched by a device within the network. This is
because Layer 2 devices, generally located at the interior of the network, have default operational
mode that forwards all traffic unless configured otherwise. Conversely, devices located at the edge
of an organization's border, such as a network router with a firewall, have a default, secure
operational mode and allow no communication until configured otherwise. The lack of default
security on the Layer 2 device provides an opportunity for the network to be quickly compromised,
often without detection, when an attack is launched on an internal campus device.
A rogue device is any unauthorized device on the network. Rouge devices are ignorantly or
maliciously connected to the network and may create a Layer 2 security threat. Rogue devices
typically include the following:

An unauthorized wireless access point


An unauthorized switch
A hub device connected by an employee
Unauthorized laptop or workstation without proper security patches or virus protection

You should be aware of the following types of Layer 2 security threats:


Threat

Description

MAC
Flooding

MAC flooding is when a switch is flooded with packets, each containing different
source MAC addresses. MAC flooding consumes the limited memory set aside in
the switch to store the MAC address-to-physical port translation table. The result of
this attack causes the switch to enter a state called failopen mode, in which all
incoming packets are broadcasted out on all ports (as with a hub), instead of just
down the correct port as per normal operation.
VLAN hopping is when an attacking host on a VLAN attempts to gain access to
traffic on other VLANs that would normally not be accessible. There are two
primary methods of VLAN hopping:

VLAN
Hopping

In a switch spoofing attack, an attacking host that is capable of speaking the


tagging and trunking protocols used in maintaining a VLAN imitates a
trunking switch. Traffic for multiple VLANs is then accessible to the
attacking host.
In a double tagging attack, an attacking host prepends two VLAN tags to
packets that it transmits.
o The first header (which corresponds to the VLAN that the attacker is
really a member of) is stripped off by a first switch the packet

DHCP
Address
Exhaustion
and
DHCP Server
Spoofing

encounters, and the packet is then forwarded.


The second, false, header is then visible to the second switch that the
packet encounters. This false VLAN header indicates that the packet
is destined for a host on a second, target VLAN. The packet is then
sent to the target host as though it were layer 2 traffic. By this
method, the attacking host can bypass layer 3 security measures that
are used to logically isolate hosts from one another.

DHCP address exhaustion is when an attacking device requests all available IP


addresses from a DHCP server by sending requests with fabricated client MAC
addresses. DHCP server spoofing is when an attacking device establishes itself as a
rouge DHCP server to cause a Denial of Service (DoS) attack.
ARP spoofing (also called ARP poisoning) is a method of attacking an Ethernet
network to allow data sniffing or cause a DoS. In ARP spoofing:

ARP
Spoofing

MAC
Address
Spoofing

Fake or spoofed ARP messages are sent to an Ethernet LAN which contain
false MAC addresses.
Network devices such as switches become confused and either:
o Send frames to the wrong host which allows the frames to be sniffed.
o Send frames to unreachable hosts which will cause a DoS.

MAC address spoofing is when an attacking device spoofs the MAC address of a
valid host currently in the MAC address table of the switch. The switch then
forwards frames destined for that valid host to the attacking device.

Port Security
As you study this section, answer the following questions:

What is the main difference between a SecureDynamic address and a SecureSticky address?
When configuring a Port Security maximum on a port with a voice VLAN, how many MAC
addresses should you account for?
What is the difference between port security and MAC filtering?

After finishing this section, you should be able to complete the following tasks:

Configure Port Security by enabling port-security and configuring security parameters.


Configure Port Security to only allow access of a specific MAC address and drop frames of
unauthorized MAC addresses.
Configure Port Security settings on an interface that has previously been configured to
support Voice VLANs.

This section covers the following exam objectives:

602. Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.
603. Verify Catalyst switch (IOS-based) security configurations (i.e., Port Security, 802.1x,
VACLs, Private VLANs, DHCP Snooping, and DAI).

Port Security Facts


Under normal circumstances, there are no restrictions on the devices that can be attached to a
switch port. With switch port security, the devices that can connect to a switch through the port are
restricted.

Port security uses the MAC address to identify allowed and denied devices.
By default, port security allows only a single device to connect through a switch port. You
can, however, modify the maximum number of allowed devices.
MAC addresses are stored in RAM in a table, and are identified with the port and by a
MAC address type. Port security uses the following three MAC address types:
Type

Description

A SecureConfigured address is a MAC address that has been manually


SecureConfigured identified as an allowed address. The address is configured in interface
mode and stored in the running-config file.
A SecureDynamic address is a MAC address that has been dynamically
learned and allowed by the switch.

SecureDynamic

1. When a device connects to the switch port, its MAC address is


identified.
2. If the maximum number of allowed devices has not been reached,
its MAC address is added to the table, and use of the port is
allowed.
SecureDynamic addresses are only saved in the MAC address table in
RAM, and are not added to the configuration file.

SecureSticky

A SecureSticky address is a MAC address that is manually configured or


dynamically learned and saved. With sticky learning enabled:

3. When a device connects to the switch port, its MAC address is


identified.
4. If the maximum number of allowed devices has not been reached,
its MAC address is added to the table, and use of the port is
allowed.
5. The MAC address is automatically entered into the runningconfig file as a sticky address.
Be aware of the following:
o
o
o

You can manually configure an address and identify it as a sticky


address.
If you disable the sticky feature, all sticky addresses are
converted to SecureDynamic addresses.
If you enable the sticky feature, all SecureDynamic addresses are
converted to SecureSticky addresses, even if they have been
learned before the sticky feature was enabled.

A port violation occurs when the maximum number of MAC addresses has been seen on the
port, and an unknown MAC address is then seen.
You can configure the switch to take one of the following actions when a violation occurs:
o Shut down the port. This is the default setting.
o Drop all frames from unauthorized MAC addresses.
o Drop all frames and generate an SMNP trap.

Be aware of the following when using port security:

You can only enable port security on an access port.


Port security does not protect against MAC address spoofing (where an attacker changes the
MAC address to match the MAC address of an allowed device).
If you do not manually configure allowed MAC addresses for a port, the switch will allow
the first MAC addresses it detects to connect, up to the maximum number.
Once the maximum number of MAC addresses for a port has been reached, either through
manual, dynamic, or sticky learning, no more MAC addresses will be allowed, and a
violation will occur.
Save the running-config file to the startup-config to make manually-configured and sticky
addresses available when the system restarts. Otherwise, the switch will need to relearn
sticky addresses.
When you enable port security on an interface that is also configured with a voice VLAN,
you must set the maximum allowed secure addresses on the port to two plus the maximum
number of secure addresses allowed on the access VLAN.
o When the port is connected to a Cisco IP Phone, the phone requires up to two MAC
addresses. The phone address is learned on the voice VLAN and might also be
learned on the access VLAN.
o Connecting a PC to the phone requires additional MAC addresses.
Note: The recommended maximum allowed value is 3 when a voice VLAN is configured
on the interface.

You cannot configure static secure or sticky secure MAC addresses on the voice VLAN. If
any type of port security is enabled on the access VLAN, dynamic port security is
automatically enabled on the voice VLAN.
The port security feature specifies which MAC addresses are allowed. A separate, but
related feature, called MAC filtering prevents a host with a specific MAC address from

sending traffic into the network. MAC filtering uses the MAC address to VLAN access
maps to specify which MAC addresses are restricted.
Port Security Command List
Each switch port has its own port security settings. To configure port security, take the following
general actions:

Explicitly configure the port as an access port.


Enable switch port security.
(Optional) Configure MAC addresses and other settings. When you enable port security, the
following default settings are used:
o A maximum of 1 device
o Violation mode is shutdown
o Dynamic learning is enabled, but sticky learning is disabled

Use the following commands to manage switch port security:


Command
switch(config-if)#switchport
mode access

switch(config-if)#switchport
port-security

Function
Identifies the port as an access port.
Note: You can only configure port security after
explicitly making the port an access port.
Enables port security.
Note: You can enter port security commands for an
interface without port security being enabled.
However, port security will not be enforced (enabled)
if this entry is missing.
Configures the maximum number of MAC addresses
that can be allowed for a port. The default allows
only a single MAC address per port.

switch(config-if)#switchport
port-security maximum <1-8320>

Use the no form of the command to reset the


value to its default.
When a voice VLAN exists on the interface,
set maximum allowed value to 3 (the
recommended value).

Enables sticky learning of MAC addresses.

switch(config-if)#switchport
port-security mac-address
sticky

Without this command, addresses are


dynamically learned but not recorded. With
this command, learned addresses are added to
the running-config file.
Using the no form of the command disables
sticky learning, removes any sticky entries
from the configuration file, and converts the
sticky addresses to dynamic addresses.

switch(config-if)#switchport
port-security mac-address
h.h.h

Identifies an allowed MAC address (h.h.h is a


hexadecimal format of the MAC address).

switch(config-if)#switchport
port-security mac-address
sticky h.h.h

Identifies an allowed MAC address, making it a


sticky address.
Note: You cannot use this command without first

entering the switchport port-security mac-address


sticky command.
Identifies the action the switch will take when an
unauthorized device attempts to use the port. Action
keywords are:
switch(config-if)#switchport portsecurity
violation action

switch(config)#errdisable recovery
cause psecure-violation

protect drops the frames from the


unauthorized device
restrict does the same as protect and also
generates an SNMP trap
shutdown disables the port

Recovers from a port security violation (enables


disabled ports).
You can also enable disabled ports by using the
shutdown/no shutdown commands for the interface.

Note: You cannot configure more MAC addresses for a port than the maximum allowed number.
To add more MAC addresses to an interface after the limit has been reached, increase the maximum
number first or delete existing MAC addresses. This limitation applies to MAC addresses with or
without the sticky parameter.
Examples
The following commands configure switch port security to allow only host 5ab9.0012.02af to use
FastEthernet 0/12:
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af

The following commands configure FastEthernet 0/15 to accept the first MAC address it receives
as the allowed MAC address for the port:
switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky

The following commands configure port security for voice VLAN configurations on FastEthernet
0/1 through 0/4:
switch(config)#interface range fa 0/1 - 4
switch(config-if-range)#switchport port-security
switch(config-if-range)#switchport port-security maximum 3
Port Security Monitoring Facts
Use the following commands to verify port security operations:
Command
switch#show portsecurity

Description
Shows a summary of port security settings for enabled
interfaces. Information includes:

An interface that has port security enabled


The maximum allowed MAC addresses

The current number of MAC addresses allowed on


the port
The number of security violations
The action to take for a violation

Shows a list of MAC addresses used by port security.


Information includes:
switch#show portsecurity address

The MAC address


Its type (SecureConfigured, SecureDynamic,
SecureSticky)
The associated interface

Shows detailed port security information for a specific


interface. Shows all details included with the show portsecurity command and adds:
switch#show portsecurity interface <type
and number>

Enabled or disabled state of port security on the


interface
The port status
The total numbers of configured and sticky addresses
The MAC address and VLAN of the last device to use
the port

Listed below is a sample output from the show port-security interface command:
switch#show port-security interface fa0/3
Port Security
: Enabled
Port Status
: Secure-shutdown
Violation Mode
: Shutdown
Aging Time
: 0 mins
Aging Type
: Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
: 2
Total MAC Addresses
: 2
Configured MAC Addresses
: 1
Sticky MAC Addresses
: 0
Last Source Address:Vlan
: 0800.46f5.491c:1
Security Violation Count
: 1
Individual entries are explained in the following table:
Entry

Description
Shows the enabled or the disabled state of port security.

Port Security

Port Status

Enabled means that the switchport port-security command has been


issued for the interface.
Disabled means that the interface is not enforcing port security. It does
not mean that the interface is shut down or is not operational.

The port status indicates the operational status of the port as viewed by port
security. A status of Secure-down could mean any of the following conditions:

The interface has been shut down


There is no device connected to the interface
Port security is disabled, but the interface is operational and in use by a
device
The interface has been disabled because of a port security violation

A status of Secure-up indicates that the line is operational and port security is
being enforced.
Violation Mode

Identifies the configured violation mode for the interface (shutdown, protect, or
restrict).

Maximum MAC
Identifies the configured maximum number of allowed devices.
Addresses
Total MAC
Addresses

Identifies the total number of known MAC addresses on this port. This includes
all addresses in the running-config file (including sticky addresses) and all
dynamic addresses that have been learned.

Configured
Identifies the number of addresses configured with the switchport port-security
MAC Addresses mac-address command (excluding sticky addresses).
Sticky MAC
Addresses

Identifies the number of addresses in the running-config file identified with the
switchport port-security mac-address sticky entries.

Security
Identifies the number of violations detected. If this value is anything other than 1,
Violation Count then the port has already taken the action specified by the Violation Mode line.

Additional Switch Security Features


As you study this section, answer the following questions:

How does DHCP snooping provide security for the network?


Which 802.1X option forces the switch to allow all communication on an interface?
How does DAI help to prevent man-in-the-middle attacks?
What are the default DAI configuration settings?
Which type of private VLAN would you typically configure on a default gateway?

After finishing this section, you should be able to complete the following tasks:

Configure DAI to prevent ARP cache poisoning and man-in-the-middle attacks.


Configure DAI to trust inter-network ARP requests.

This section covers the following exam objectives:

602. Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.
603. Verify Catalyst switch (IOS-based) security configurations (i.e., Port Security, 802.1x,
VACLs, Private VLANs, DHCP Snooping, and DAI).

DHCP Snooping and IP Source Guard Facts


DHCP snooping is a security feature that filters untrusted DHCP messages to prevent unauthorized
DHCP server responses (an untrusted DHCP message is a message that is received from outside
the network or firewall). DHCP snooping also acts like a firewall between untrusted hosts and
DHCP servers. DHCP snooping can differentiate between untrusted interfaces connected to the end
user and trusted interfaces connected to the DHCP server or another switch.
For DHCP snooping to function properly, all DHCP servers must be connected to the switch
through trusted interfaces. When DHCP snooping is enabled, the switch drops a DHCP packet
when one of these situations occurs:

A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or


DHCPLEASEQUERY packet, is received from outside the network or firewall.
A packet is received on an untrusted interface, and the source MAC address and the DHCP
client hardware address do not match on the DHCP snooping binding database (also known
as a DHCP snooping binding table).
The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that
contains a MAC address in the DHCP snooping binding table, but the interface information
in the binding table does not match the interface on which the message was received.
A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is
not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an
untrusted port. Option 82 is the relay agent information option as described in RFC 3046.
Note: If the switch is an aggregation switch supporting DHCP snooping and is connected to
an edge switch that is inserting DHCP option-82 information, the switch drops packets with
option-82 information when packets are received on an untrusted interface.

IP Source Guard (IPSG) is a security feature that restricts IP traffic on non-routed, Layer 2
interfaces. IPSG filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings. IPSG prevents traffic attacks caused when a host tries to use the IP
address of its neighbor. IPSG details include the following:

IPSG blocks all IP traffic received on the interface, except for DHCP packets allowed by
DHCP snooping.

A port access control list (PACL) is applied to the interface. The port ACL allows only IP
traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are
manually configured. An entry in the table has an IP address, its associated MAC address,
and its associated VLAN number.
Note: The switch uses the IP source binding table only when IPSG is enabled.
IPSG is supported only on Layer 2 ports, including access and trunk ports. You can
configure IP source guard with the following options:
o With the source IP address filtering option, IP traffic is filtered based on the source
IP address. The switch forwards IP traffic when the source IP address matches an
entry in the DHCP snooping binding database or a binding in the IP source binding
table.
o With the source IP and MAC address filtering option, IP traffic is filtered based on
the source IP and MAC addresses. The switch forwards traffic only when the source
IP and MAC addresses match an entry in the IP source binding table.
When IPSG with source IP filtering is enabled on an interface, DHCP snooping must be
enabled on the access VLAN to which the interface belongs.

Use the following commands to configure DHCP Snooping and IP Source Guard:
Use...
switch(config)#ip dhcp
snooping

To...
Enable DHCP snooping globally.
Enable DHCP snooping on a VLAN or range of VLANs.

switch(config)#ip dhcp
snooping vlan <vlan id>

switch(config)#ip dhcp
snooping information
option
switch(config-if)#ip dhcp
snooping trust
switch(config-if)#no ip
dhcp snooping trust
switch(config-if)#ip
verify source vlan dhcpsnooping port security
switch#show ip dhcp
snooping binding

Note: You can enter a single VLAN ID identified by


VLAN ID number, a series of VLAN IDs separated by
commas, a range of VLAN IDs separated by hyphens, or a
range of VLAN IDs separated by entering the starting and
ending VLAN IDs separated by a space.
Enable the switch to insert and remove DHCP relay
information (option-82 field) in forwarded DHCP request
messages to the DHCP server.
Note: The default is enabled.
Configure the interface as trusted or untrusted.
Note: The default is untrusted.
Enable IPSG using the MAC addresses found in the DHCP
snooping database.
Verify the DHCP bindings.

Examples
The following commands globally configure IP DHCP snooping on the switch and enable IP
DHCP snooping on VLAN 20:
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan 20

The following commands configure IPSG on FastEthernet 0/5 with the source IP address filtering
option:

switch(config)#int fa 0/5
switch(config-if)#ip verify source

802.1X Authentication Facts


802.1X is an IEEE protocol that defines a client/server access control and authentication to restrict
unauthorized clients from connecting to a LAN through accessible ports. 802.1X port-based
authentication requires the following devices (as illustrated below):

The client is typically a workstation requesting authentication to the network using 802.1X.
The authentication server is responsible for validating request from clients forwarded by the
switch. Authentication servers are RADIUS servers which support EAP (Extensible
Authentication Protocol).
The switch is responsible for forwarding the 802.1X requests from the client to the
authentication server and granting access to the network based on a successful
authentication. The switch is acting as a proxy in the 802.1X authentication process.

The switch port state determines whether the client is granted access to the network. The switch
port states for 802.1X include the following:

In the unauthorized state, the port drops all traffic except for the 802.1X protocol packets.
This is the initial port state.
In the authorized state, the port forwards traffic as normal. The port transitions to authorized
after the client has been successfully authenticated.

To control the 802.1X port authorization state, Catalyst switches support the following options:
Option

Description

ForceAuthorized

The force-authorized option disables 802.1X port based authentication and causes
the port to transition to the authorized state without requiring the authentication
exchange. The port transmits and receives normal traffic without authenticating the
client.
Note: This is the default setting.

ForceUnauthorized

The force-unauthorized option forces the port to remain in the unauthorized state,
dropping all traffic, including all attempts by the client to authenticate. The switch
cannot provide authentication services to the client through this port.

Auto

The auto option enables 802.1X port-based authentication and causes the port to
begin in the unauthorized state, allowing only 802.1X protocol packets.

If the authentication server authenticates the client (the server sends an


802.1X accept frame), the switch port state transitions to authorized and all
frames from the authenticated client are allowed through the port.
If the authentication fails, the port remains in the unauthorized state. This
state only allows the client to continue to authenticate by sending 802.1X
protocol packets.
If the authentication server is unreachable, the switch may retransmit the
802.1X protocol packets. If the switch does not receive a response from the
server after a specified number of attempts, the authentication fails and port
will not grant access to the network.

Be aware of the following 802.1X details:

802.1X must be enabled globally before port-specific configuration.


802.1X requires the use of a RADIUS server for access control. The RADIUS server
requires its own, separate configuration.
802.1X supports authentication for voice VLANs, guest VLANs, and port security.

Use the following commands to configure 802.1X:


Use...

To...

switch(config)#aaa new-model

Enable AAA globally.

switch(config)#aaa authentication dot1x


default

Configure AAA to use 802.1X


authentication.

switch(config)#dot1x system-auth-control

Enable 802.1X globally on the switch.

switch(config)#interface <type> <number>


switch(config-if)#dot1x port-control auto
switch(config-if)#dot1x port-control forceauthorized
switch(config-if)#dot1x port-control forceunauthorized

Configure the interface for the 802.1X


authorization state.

Examples
The following commands globally enable 802.1X and then configure the FastEthernet 0/12 switch
port with the 802.1X auto option:
switch(config)#aaa new-model
switch(config)#aaa authentication dot1x
switch(config)#dot1x system-auth-control
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#dot1x port-control auto

Access Control List (ACL) Facts


Switches use access lists to control switched traffic. Switches use specialized hardware to support a
limited number of ACL entries and features compared to software-switching methods found in
routers. All Catalyst switches perform ACL lookups regardless of whether ACLs exist, and as a
result ACLs have no effect on the switching performance. Layer 3 catalyst switches recognize four
types of ACLs:
Type

Description

VLAN Access

VACLs, also known as VLAN access-maps, apply to all traffic in a VLAN.

Control List
(VACL)

VACLs support filtering based on Ethertype and MAC addresses. VACLs are
order-sensitive, similar to Cisco-based route maps. Switches support the
following VACL actions:

The Forward (Permit) action forwards the frame as normal.


The Drop (Deny) action drops traffic when the traffic does not match
any of the permit ACL entries, or the traffic is dropped when it matches
a deny ACL entry.
The Redirect action is useful for redirecting specific traffic for
monitoring, security, or switching purposes.

Note: Depending on the series of Catalyst switches, VACL may not be


supported.
Router Access
Control List
(RACL)

RACLs are standard Cisco-configured ACLs applied to routed interfaces.


Catalyst switches support RACLs with permit and deny actions. RACLs are
configured in the same way as normal Cisco IOS ACLs.
Note: RACLs control only routed traffic, whereas VACLs are capable of
controlling traffic flowing within the VLAN or controlling switched traffic.

QoS Access
QoS ACLs define packets that are to be applied to QoS classification, marking,
Control List (QoS
policing, and scheduling.
ACL or QACL)
PACLs are applied at Layer 2 to control traffic entering or leaving a port.
PACLs apply to a switch port, trunk port, or EtherChannel port. The following
ACLs are supported on Layer 2 interfaces using PACLs:

Port Access
Control List
(PACL)

Standard IP access lists using source addresses.


Extended IP access lists using source and destination addresses and
optional Layer 4 protocol information.
MAC extended access lists using source and destination MAC addresses
and optional Layer 3 protocol information.

Be aware of the following PACL details:

When the PACL is applied to trunk ports, the ACL filters traffic on all
VLANs present on the trunk port.
When the PACL is applied to a port with a voice (auxiliary) VLAN, the
ACL filters traffic on both data and voice VLANs.
IP traffic is filtered by using IP ACLs and non-IP traffic is filtered by
using MAC ACLs.

Dynamic ARP Inspection (DAI) Facts


Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network which
prevents the classic man-in-the middle attack. DAI associates a trust state with each interface on the
switch:

Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks.
Packets arriving on untrusted interfaces undergo the dynamic ARP inspection validation
process (described below). By default, all interfaces are untrusted.

In a typical network configuration, you configure all switch ports connected to host ports as
untrusted and configure all switch ports connected to switches as trusted. With this configuration,

all ARP packets entering the network from a DAI-enabled switch bypass the security check and no
other validation is needed at any other place in the VLAN or in the network.
When DAI is enabled, the switch performs the following activities on an untrusted port:
1. All ARP requests and responses are intercepted.
2. Each intercepted packet is verified that it has a valid IP-to-MAC address binding. Valid IPto-MAC address bindings are stored in the DHCP snooping binding database (the database
is built when DHCP snooping is enabled on the VLANs and on the switch).
o If the packet has a valid binding, the switch forwards the packet to the appropriate
destination.
o If the packet has an invalid binding, the switch drops the ARP packet and generates
system messages on a rate-controlled basis.
The switch's CPU performs DAI validation checks; therefore, the number of incoming ARP packets
is rate-limited to prevent a denial-of-service attack. Be aware of the following details:

The default rate for untrusted interfaces is 15 ARP packets per second (pps). The rate-limit
can be configured.
When the limit is exceeded, the switch places the port in the error-disabled state. The port
remains in that state until manually enabled, or after a specified timeout period.
Note: Trusted interfaces are not rate-limited.

Be aware of the DAI details:

DAI does not prevent hosts in other portions of the network from poisoning the caches of
the hosts connected to a switch running DAI.
In cases in which some switches in a VLAN run DAI and other switches do not, configure
the interfaces connecting such switches as untrusted.
DAI is supported on access ports, trunk ports, and EtherChannel ports. It is not supported on
private VLAN ports.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit
or to deny packets.
In cases in which some switches in a VLAN run dynamic ARP inspection and other
switches do not, configure the interfaces connecting such switches as untrusted.

Use the following commands to configure DAI:


Use...
switch(config)#ip arp inspection
vlan <vlan id>

To...
Enable dynamic ARP inspection on a per-VLAN
basis.
Note: By default, dynamic ARP inspection is
disabled on all VLANs.
Configure the interface as trusted.

switch(config)#int gi 0/1
switch(config-if)#ip arp inspection
trust

Note: The switch does not check ARP packets that it


receives from the other switch on the trusted
interface.

switch(config-if)#no ip arp
inspection trust

Return the interface to an untrusted state.

switch(config-if)#ip arp inspection


limit rate <0-2048>

Limit the rate of incoming ARP requests and


responses on the interface in pps.

switch(config-if)#ip arp inspection


limit rate none

Configure no upper limit of incoming ARP packets

that can be processed. This is helpful for trunk ports.


switch#show ip arp inspection
interfaces
switch#show ip arp inspection vlan
<vlan id>

Verify the dynamic ARP inspection configuration.

switch#show ip dhcp snooping binding

Verify the DHCP bindings.

switch#show ip arp inspection


statistics vlan <vlan id>

Check the dynamic ARP inspection statistics.


Enable error recovery from the dynamic ARP
inspection error-disable state.

switch(config)#errdisable recovery
cause arp-inspection
switch(config)#errdisable recovery
cause arp-inspection interval <3086400>

By default, recovery is disabled.


By default, the recovery interval is 300
seconds. To change the interval, use interval
<30-86400>, specifying the time in seconds
to recover from the error-disable state.

Note: You can also enable disabled ports by using


the shutdown/no shutdown commands for the
interface.
Examples
The following commands configure DAI for VLANs 20 and 22 and GigabitEthernet 0/2 as trusted:
switch(config)#ip arp inspection vlan 20
switch(config)#ip arp inspection vlan 22
switch(config)#int gi 0/2
switch(config-if)#ip arp inspection trust

Private VLAN Facts


Private VLANs (PVLANs) allow layer 2 isolation between ports within the same VLAN (and the
same IP subnet). PVLANs turn a single VLAN broadcast domain into multiple small broadcast
domains. You can assign a specific set of ports within a PVLAN and thereby control access among
the ports at Layer 2. There are three types of PVLAN members:

A promiscuous port communicates with all other PVLAN ports. The promiscuous port is
the port that you typically use to communicate with external routers, network management
devices, backup servers, administrative workstations, and other devices.
An isolated port has complete Layer 2 separation from other ports within the same PVLAN.
This separation includes broadcasts, and the only exception is the promiscuous port.
Isolated ports can only forward traffic to promiscuous ports.
A community port can communicate with other ports in the same community and with the
promiscuous ports. These ports have Layer 2 isolation from all other ports in other
communities, or isolated ports within the PVLAN. Broadcasts are forwarded only between
associated community ports and the promiscuous port.

Isolated and community ports are secondary VLANs. Every secondary PVLAN is mapped to one
primary PVLAN. A primary VLAN carries traffic from promiscuous ports to isolated, community,
and other promiscuous ports. A PVLAN will only have one primary VLAN, but may have several
secondary VLANS.
In a switched environment, assign an individual private VLAN and associated IP subnet to each
individual or common group of workstations. The workstations only need to communicate with a
default gateway to gain access outside the private VLAN. When implementing private VLANs,
consider the following:

Configure ports connected to end stations (such as interfaces connected to servers) as


isolated to prevent any communication at Layer 2. (For example, if the end stations were
servers, this configuration would prevent Layer 2 communication between the servers.)
Configure the interface to which the default gateway and selected end stations are attached
as promiscuous.

Be aware of the following PVLAN details:

You can configure PVLANs and normal VLANs on the same switch.
PVLANs cannot include VLANs 1 or 10021005.
You can only designate a VLAN as a PVLAN if that VLAN has no current access port
assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.
Do not configure PVLAN ports as EtherChannels.
If you delete a VLAN that you use in the PVLAN configuration, the ports that associate
with the VLAN become inactive.
You can extend PVLANs across switches with the use of trunks. You must set VLAN
Trunk Protocol (VTP) mode to transparent.
Note: You must manually enter the same PVLAN configuration on every switch because
VTP in transparent mode does not propagate this information.

Switch Hardening
As you study this section, answer the following questions:

Why should you disable CDP on all interfaces with a connection outside the network?
How does a banner with a warning that displays when a user logs into the router protect the
network?
What different ways can you use to secure passwords?
What processes can you use to control remote access?

This section covers the following exam objectives:

602.Explain and configure Port Security, 802.1x, VACLs, Private VLANs, DHCP
Snooping, and DAI.

Switch Hardening Facts


Hardening is the process of securing devices and software by reducing the security exposure and
by tightening security controls. Added benefits of improving performance can also happen through
the hardening process, but are not the primary goal. Take the following general actions to secure
your devices and network:
Security
Measure

Description

Physical
security

Ensure physical security by keeping network devices in a locked room. If


someone can gain access to the physical Cisco device, they can easily bypass any
configured passwords. Passwords are useless if physical access is not controlled.
Use the following methods to secure Cisco device passwords:

Secure
passwords

Set the enable secret password instead of the enable password. Make sure
that the two passwords are different.
Use the service password-encryption command to encrypt other
passwords in the configuration file. This provides a low level of security,
but passwords can be easily broken.

Use the banner command to provide a warning banner to users who try to log into
the router. Be aware of the following:

Banner

Unused
Services

In some jurisdictions, civil and criminal prosecution of crackers who break


into your systems is made much easier if you provide a banner that informs
unauthorized users that their use is unauthorized.
In other jurisdictions, you can be forbidden to monitor the activities of
even unauthorized users unless you have taken steps to notify them of your
intent.

Disable unused services on the switch configuration before implementing the


switch configuration into the network, such as disabling DTP (Dynamic Trunking
Protocol) and PAgP (Port Aggregation Protocol) on end user (access) ports.
Note: Some services are enabled on Catalyst switches by default.

Console
Password

Set the password with the password command while in line configuration mode
(for either console or VTY access). This will prevent access to the console when
someone gains physical access to the device.

Control remote Secure remote access through the following actions:

access

Configure VTY passwords. Use the login command with a password to


require a password. Use the login command without a password to prevent
access.
Configure SSH (Secure Shell) as an allowable (default) method for VTY
lines.
Use an access list on VTY lines to prevent access from specific locations.

SNMP and SNMP version 2 (SNMPv2) send communications in clear,


unencrypted text. SNMP version 3 (SNMPv3) provides increased security over the
prior SNMP versions, such as:

Secure SNMP

Message integrity, or ensuring that a packet has not been tampered with intransit.
Authentication, or determining the message is from a valid source.
Encryption, or the scrambling the contents of a packet prevents it from
being seen by an unauthorized source.

Use SNMPv3 with an encrypted password and ACL to limit SNMP from only
trusted workstations and subnets.
Unused Ports

Use the shutdown command on all unused interfaces. This will disable the
interface and prevent a connection if someone where to gain physical access to a
device with unused ports.
Use the following features to prevent changes in the STP topology:

Secure STP
topology

CDP

PortFast BPDU guard prevents loops by disabling (moved to err-disable


state) a PortFast-configured interfaces when a BPDU is received on the
interface. PortFast-configured interfaces are meant for workstations and
servers, devices which do not generate BPDUs.
Root guard forces an interface to become a designated port to prevent
surrounding switches from becoming a root switch during network
anomalies, such as adding a new switch to the topology. Root guard blocks
the port, and subsequent recovery is automatic. Recovery occurs as soon as
the offending device ceases to send superior BPDUs.

Use no cdp run on the device or no cdp enable on an interface to avoid sharing
information about the Cisco device with neighboring devices. This helps to reduce
exposure due to reconnaissance attacks.
The three main components of access control are referred to as the AAA:

AAA
Authentication

Authentication is the process of validating a subject's identity. It includes


the identification process, the user providing input to prove identity, and
the system accepting that input as valid.
Authorization is the granting or denying a subject's access to an object
based on authentication.
Auditing (also referred to as accounting) is maintaining a record of a
subject's activities within the information system.

AAA uses the following to administer its security functions:

Remote Authentication and Dial-In User Service (RADIUS) is a


centralized method of authenticating remote clients. RADIUS was
originally defined and standardized in RFC 2138. Authentication requests
from multiple RAS servers are forwarded to a single RADIUS server for

authentication.
Terminal Access Controller Access Control System (TACACS) is an
alternative to RADIUS that allows the use of multi-factor authentication
by separating the authorization, accounting, and authentication features.
802.1X is an IEEE protocol that defines a client/server access control and
authentication to restrict unauthorized clients form connecting to a LAN
through accessible ports.

Note: Be careful when configuring AAA because you may lock yourself out of the
switch, which would require you to initiate the password recovery sequence to
return the switch to an accessible state.
Use access lists to control incoming or outgoing traffic with the following criteria:

Access lists

HTTP Server

Source IP protocol (i.e. IP, TCP, UDP, etc.)


Source hostname or host IP address
Source or destination socket number
Destination hostname or host IP address
Precedence or TOS values

The Cisco IOS provides an HTTP server to configure the device via a web
interface. The recommendation is to disable the feature because a user may gain
access and make configuration changes or send multiple HTTP requests resulting
in a DoS-type attack. Use the no ip http server command while in global
configuration mode to disable the server.

Wireless Overview
As you study this section, answer the following questions:

What is a best practice to eliminate interference caused by wireless devices operating on


overlapping channels?
Which wireless component acts as a hub on the wireless side and a bridge on the wired
side?
What is the difference between an IBSS and ESS?
What is the difference between refraction and multipath radio wave interference?
What protocol does an access point use within a wireless mesh network to find the wired
network?
How can you overcome multipath interference in a wireless network?

This section covers the following exam objectives:

501.Describe the components and operations of WLAN topologies (i.e., AP and Bridge).

Wireless Facts
Wireless networks use radio waves for data transmission instead of electrical signals on Ethernet
cables. In order to use radio waves as the medium for transmission, specific characteristics of radio
waves are defined:
Characteristic

Description
Many radio devices operate within a specified frequency range which limits the
frequencies on which it is allowed to transmit. In the United States, radio
frequency wireless LANs use one of two frequency ranges defined by the FCC:

Frequency
range or band

Channel

Industrial, Scientific, and Medical (ISM) operating between 2.4 - 2.4835


GHz.
Unlicensed National Information Infrastructure (U-NII) operating between
5.75 - 5.85 GHz.

The frequency range is divided into equal segments called channels. Wireless
networking channels are much like television channels, where each channel allows
for separate data transmission. However, channels within the range overlap with
adjacent channels. By using specific channels and not others, you can ensure that
the channels do not overlap, eliminating interference caused by wireless devices
operating on different channels.

In the 5 GHz range, there are 23 total channels. 12 channels are nonoverlapping channels.
In the 2.4 GHz range, there are 11 total channels, with 3 non-overlapping
channels.

When a device sends data over a wireless network, it can change (or modulate) the
radio signal's specifications. The three common modulation techniques used in
wireless networking include:
Modulation
technique

Frequency Hopping Spread Spectrum (FHSS) uses a narrow frequency


band and 'hops' data signals in a predictable sequence from frequency to
frequency over a wide band of frequencies. This type of modulation is no
longer used with current wireless standards.

Direct Sequence Spread Spectrum (DSSS) uses an 11-bit Barker sequence


to break data into pieces and sends the pieces across multiple frequencies
in a defined range.
Orthogonal Frequency Division Multiplexing (OFDM) is not a spread
spectrum frequency. It uses 48 discreet radio frequency channels that can
carry data.

Most newer devices use additional modulation techniques and enhancements


including:

Complementary Code Keying (CCK)


Quadrature Phase-shift Keying/Differential Quadrature Phase-Shift Keying
(QPSK/DQPSK)
Binary Phase-Shift Keying/Differential Binary Phase-Shift Keying
(BPSK/DBPSK)

Wireless networks use Carrier Sense, Multiple Access/Collision Avoidance (CSMA/CA) to control
media access and avoid (rather than detect) collisions. CSMA/CA uses the following process:
1. The sending device listens to make sure that no other device is transmitting. If another
device is transmitting, the device waits a random period of time (called a backoff period)
before attempting to send again.
2. If no other device is transmitting, the sending device broadcasts a Request-to-send (RTS)
message to the receiver or access point. The RTS includes the source and destination, as
well as information on the duration of the requested communication.
3. The receiving device responds with a Clear-to-send (CTS) packet. The CTS also includes
the communication duration period. Other devices use the information in the RTS and CTS
packets to delay attempting to send until the communication duration period (and
subsequent acknowledgement) has passed.
4. The sending device transmits the data. The receiving device responds with an
acknowledgement (ACK). If an acknowledgement is not received, the sending device
assumes a collision and retransmits the affected packet.
5. After the time interval specified in the RTS and CTS has passed, other devices can start the
process again to attempt to transmit.
Note: Using RTS and CTS (steps 2 and 3 above) is optional and depends on the capabilities of the
wireless devices. Without RTS/CTS, collisions are more likely to occur.
Wireless communication operates in half-duplex (shared, two-way communication). Devices can
both send and receive, but not at the same time. Devices must take turns using the transmission
channel. Typically, once a party begins receiving a signal, it must wait for the transmitter to stop
transmitting before replying.
The image below illustrates several natural causes that impact broadcasted radio waves:

Absorption occurs when radio waves are absorbed by an object, such as a wall or furniture.
Reflection occurs when radio waves bounces off objects, such as metal or glass surfaces.
Scattering occurs when radio waves strike an uneven surface and are reflected in many
directions.
Refraction occurs when radio waves pass through objects and change direction, such as
glass surfaces.
Multipath occurs when radio waves are echoed off a physical object, creating two signals
received at the same detector. The signals arrive at the detector out of phase with each other
because one signal traveled a different length.
Diffraction occurs when radio waves strike sharp edges, such as external corners for
buildings, and the waves are bent.

Wireless Infrastructure Facts


There are two methods of wireless networking:
Method

Description
An ad hoc network works in peer-to-peer mode. The wireless NICs in each host
communicate directly with one another. An ad hoc network:

Ad Hoc

Uses a physical mesh topology.


Is cheap and easy to set up.
Cannot handle more than four hosts.
Requires special modifications to reach wired networks.

You will typically only use an ad hoc network to create a direct, temporary
connection between two hosts.
An infrastructure wireless network employs an access point (AP) that functions like
a hub on an Ethernet network. With an infrastructure network:

Infrastructure

The network uses a physical star topology.


You can easily add hosts without increasing administrative efforts (scalable).
The access point can be easily connected to a wired network, allowing clients
to access both wired and wireless hosts.
The placement and configuration of access points require planning to
implement effectively.

You should implement an infrastructure network for all but the smallest of wireless

networks.
The following diagram shows a sample enterprise wireless network operating in infrastructure
mode:

The various components of a wireless network are described in the following table.
Component

Description

Station (STA)

An STA is a wireless network card (NIC) in an end device such as a laptop or


wireless PDA. STA often refers to the device itself, not just the network card.

Access Point
(AP)

An access point (AP), sometimes called a wireless access point, is the device that
coordinates all communications between wireless devices as well as the
connection to the wired network. It acts as a hub on the wireless side and a
bridge on the wired side. It also synchronizes the stations within a network to
minimize collisions.
A BSS, also called a cell, is the smallest unit of a wireless network. All devices
in the BSS can communicate with each other. The devices in the BSS depend on
the operating mode:

Basic Service
Set (BSS)

In an ad hoc implementation, each BSS contains two devices that


communicate directly with each other.
In an infrastructure implementation, the BSS consists of one AP and all
STAs associated with the AP.

Independent
Basic Service
Set (IBSS)

An IBSS is a set of STAs configured in ad hoc mode.

Extended
Service Set
(ESS)

An ESS consists of multiple BSSs with a distribution system (DS). The graphic
above is an example of an ESS.

Distribution
System (DS)

The distribution system (DS) is the backbone or LAN that connects multiple APs
(and BSSs) together. The DS allows wireless clients to communicate with the
wired network and with wireless clients in other cells.

Wireless networks use the following for identification:


Identifier

Description
The Service Set Identifier (SSID), also called the network name, groups wireless
devices together into the same logical network.

Service Set
Identifier
(SSID)

All devices on the same network (within the BSS and ESS) must have the
same SSID.
The SSID is a 32-bit value that is inserted into each frame. The SSID is
case-sensitive.
The SSID is sometimes called the BSS ID (Basic Service Set ID) or the
ESS ID (Extended Service Set ID). In practice, each term means the same
thing.

Note: Using BSS ID to describe the SSID of a BSS is technically incorrect.


Basic Service
Set Identifier
(BSSID)

The BSSID is a 48-bit value that identifies an AP in an infrastructure network or a


STP in an ad hoc network. The BSSID allows devices to find a specific AP within
an ESS that has multiple access points, and is used by STAs to keep track of APs
when roaming between BSSs.
Note: Do not confuse the BSSID with the SSID. They are not the same thing.

Access points can be organized in a mesh topology known as a wireless mesh network. The
wireless mesh network is a coverage area of access points working as a single network. Access to
the mesh is dependent on the access points working in harmony with each other to create the
network. A wireless mesh network is reliable and offers redundancy. When placing access points in
a wireless mesh network, Cisco's Adaptive Wireless Path Protocol (AWPP) establishes an optimal
path to a wired gateway. AWPP details include the following:

AWPP dynamically discovers neighboring radios and calculates the quality of all possible
paths to the wired network.
The calculations are continuously updated, allowing network connectivity and paths to
change as the traffic patterns on wireless links change.
The ability of AWPP to quickly adapt to changing links eliminates any single point of
failure and increases the networks reliability.

There are two types of antennas you should be aware of:

Directional antenna:
o Creates a narrow, focused signal in a particular direction.
o Focuses signal provides greater signal strength increasing the transmission distance.
o Provides a stronger point-to-point connection, better equipping them to handle
obstacles.
o Can be highly-directional or semi-directional.
Omni-directional antenna:
o Disperses the RF wave in an equal 360-degree pattern.
o Provides access to clients in a radius.

Wireless Standards Facts

Four organizations influence the standards used for wireless communication:


Organization

Details

Federal Communication Commission


(FCC)

The FCC is the regulating US government agency over


communication frequencies, including the frequencies
used by wireless networking devices.

International Telecommunication
Union Radiocommunications Sector
(ITU-R)

The ITU-R is the regulating international agency over


communication frequencies.

Wi-Fi Alliance

The Wi-Fi Alliance is an industry consortium that


encourages interoperability of products that implement
wireless standards.

Institute of Electrical and Electronics


Engineers (IEEE)

The IEEE is a technical professional group that, among


other contributions, developed the 802.11 series that
became the national and international standard.

The original 802.11 specification operated in the 2.4 GHz range and provided up to 2 Mbps.
Additional IEEE subcommittees have further refined wireless networking. Three of the most
common standards as well as a new standard in draft stage are listed in the following table:
Specification

Standard
802.11g

802.11a

802.11b

5 GHz
(U-NII)

2.4 GHz (ISM) 2.4 GHz (ISM)

2.4 GHz (ISM) or 5 GHz


(U-NII)

Maximum speed 54 Mbps

11 Mbps

54 Mbps

600 Mbps

Maximum range 150 Ft.

300 Ft.

300 Ft.

1200 Ft.

Channels
23 (12)
(non-overlapped)

11 (3)

11 (3)

2.4 GHz--23 (12 or 6)


5 GHz--11 (3 or 1)

Modulation
technique

OFDM

DSSS, CCK,
DQPSK,
DBPSK

DSSS (and others) at


lower data rates
OFDM and others,
At higher data rates, depending on
OFDM, QPSK,
implementation
BPSK

Backwardscompatibility

N/A

No

With 802.11b

Frequency

802.11n

With 802.11a/b/g,
depending on
implementation

Be aware of the following regarding the wireless network implementation:

The actual speed depends on several factors including distance, obstructions (such as walls),
and interference.
The actual maximum distance depends on several factors including obstructions, antenna
strength, and interference. For example, for communications in a typical environment (with
one or two walls), the actual distance would be roughly half of the maximums.
The speed of data transmission decreases as the distance between the transmitter and
receiver increases. In other words, in practice, you can get the maximum distance or the
maximum speed, but not both.
Some newer 802.11a or 802.11g devices provide up to 108 Mbps using 802.11n pre-draft
technologies (MIMO and channel bonding).
The ability of newer devices to communicate with older devices depends on the capabilities
of the transmit radios in the access point. For example:

Some 802.11n devices can transmit at either 2.4 GHz or 5 GHz. This means that the
radio is capable of transmitting at either frequency. However, a single radio cannot
transmit at both frequencies at the same time.
Most 802.11g devices can transmit using DSSS, CCK, DQPSK, and DBPSK for
backwards compatibility with 802.11b devices. However, the radio cannot transmit
using both DSSS and OFDM at the same time.

This means that when you connect a legacy device to the wireless network, all devices on
the network operate at the legacy speed. For example, connecting an 802.11b device to an
802.11n or 802.11g access point slows down the network to 802.11b speeds.

A dual band access point can use one radio to transmit at one frequency, and a different
radio to transmit at a different frequency. For example, you can configure many 802.11n
devices to use one radio to communicate at 5 GHz with 802.11a devices, and the remaining
radios to use 2.4 GHz to communicate with 802.11n devices. Dual band 802.11a and
802.11g devices are also available.
Multipath interference is less of an issue for OFDM implementations because the frequency
is selective.
o DSSS comprises a single signal, whereas OFDM comprises multiple signals.
o Multiple interference affects an entire DSSS signal, yet it affects only a subset of the
OFDM signals.
Note: Multiple antennas can also reduce multipath interference.

Wireless Security Facts


Security for wireless networking is provided from the following standards:
Method

Description
WEP is an optional component of the 802.11 specifications and was deployed in
1997. WEP was designed to provide wireless connections with the same security
as wired connections. WEP has the following weaknesses:

Wired Equivalent
Privacy (WEP)

Static Pre-shared Keys (PSK) were given to the access point and client
and could not be dynamically changed or exchanged without
administration. As a result, every host on large networks usually use the
same key.
Because it doesn't change, the key can be captured and easily broken.
The key values were short, making it easy to predict.

Cisco's interim solution was deployed in 2001 to address the problems of WEP.
The solution included the following:

Cisco interim
solution

Wi-Fi Protected
Access (WPA)

A Cisco proprietary version of Temporal Key Integrity Protocol (TKIP)


encryption.
User authentication using 802.1x. 802.1x requires a centralized server
(called a RADIUS server) to authenticate users through user account
names and passwords.
The use of dynamic keys.

WPA is the implementation name for wireless security based on initial 802.11i
drafts and was deployed in 2003. It was intended as an intermediate measure to
take the place of WEP while a fully secured system (802.11i) was prepared.
WPA:

Uses TKIP for encryption.


Supports both Pre-shared Key (referred to as WPA-PSK or WPA
Personal) and 802.1x (referred to as WPA Enterprise) authentication.
Can use dynamic keys or pre-shared keys.
Can typically be implemented in WEP-capable devices through a
software/firmware update.

Note: The Cisco interim solution is not compatible with WPA.


WPA2 is the implementation name for wireless security that adheres to the
802.11i specifications and was deployed in 2005. It is built upon the idea of
Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent
in WEP, and is intended to eventually replace both WEP and WPA. WPA2:

Wi-Fi Protected
Access 2
(WPA2) or
802.11i

Uses Advanced Encryption Standard (AES) as the encryption method. It


is similar to and more secure than TKIP, but requires special hardware
for performing encryption.
Supports both Pre-shared Key (referred to as WPA2-PSK or WPA2
Personal) and 802.1x (referred to as WPA2 Enterprise) authentication.
Can use dynamic keys or pre-shared keys.

Note: WPA2 has the same advantages over WEP as WPA. While more secure
than WPA, its main disadvantage is that it requires new hardware for
implementation.
Authentication on a wireless network is provided by one of the following methods.
Method Description
Open

Open authentication requires that clients provide a MAC address to connect to the
wireless network. Access can be controlled on a limited basis by performing MAC
address filtering where devices whose addresses are listed can connect. Because MAC
addresses are easily spoofed, this provides little practical security.

Shared
secret

Shared secret authentication, also called pre-shared key authentication, configures clients
and access points with a shared key (or password). Only devices with the correct shared
key can connect to the wireless network.
802.1x is an authentication standard for wired Ethernet networks that allows for user
authentication. The 802.1x standards have been adapted for use in wireless networks to
provide secure authentication. 802.1x authentication requires the following components:

802.1x

A RADIUS server to centralize user account and authentication information. A


centralized database for user authentication is required to allow wireless clients to
roam between cells but authenticate using the same account information.
A Public Key Infrastructure (PKI) for issuing certificates. At a minimum, the
RADIUS server must have a server certificate. To support mutual authentication,
each client must also have a certificate.

Cisco Unified Wireless Network


As you study this section, answer the following questions:

What is the difference between an autonomous access point and a lightweight access point?
How does a WLAN controller communicate with a lightweight access point?
What type of traffic is encrypted and encapsulated between a lightweight access point and a
WLAN controller?
What WLAN management devices are found within a Unified Wireless Network
infrastructure?
What is the process used by the lightweight access point to associate with a WLAN
controller?
What are the benefits of using ADU profiles?
When does a client begin to roam to another access point?
What does it mean when the ADU tray icon is red?
How can you enable AES with the ADU?
In what order should multiple WEP keys be configured on wireless devices?

This section covers the following exam objectives:

502. Describe the features of Client Devices, Network Unification, and Mobility Platforms
(i.e., CCX, LWAPP).
503. Configure a wireless client (i.e., ADU).

Cisco Unified Wireless Network Facts


Cisco's Unified Wireless Network attempts to address WLAN security, deployment and
management of a wireless network. The following network devices and their features are a part of
the Unified Wireless Network infrastructure:
Device

Description
The Cisco Wireless LAN Controller (WLAN controller) is a network device
which centrally controls wireless functions in the LAN. The WLAN
controller allows the network administrator to manage the wireless network
from one centralized console. Management functions include the following:

Wireless LAN
Controller (WLAN
controller)

Wireless security policies


Intrusion detection and prevention
Radio Frequency (RF) management
Quality of Service (QoS)
Mobility services, such as guest access, voice over Wi-Fi, and
location services

WLAN controllers use Radio Resource Management (RRM) algorithms to


detect and adapt to changes in the air space which create a self-configuring,
self-optimizing, and self-correcting wireless LAN environment. Examples
include:

If a WLAN controller fails, the lightweight APs joined to that


controller automatically failover to an alternate controller.
If an access point fails, the WLAN controller automatically
increases power on the neighboring access points to compensate
and provide coverage.

A mobility group is where multiple WLAN controllers are configured as

one group to allow client roaming. By creating a mobility group, multiple


controllers can dynamically share information and forward traffic when a
client roams between controllers or subnets. Be aware of the following
mobility group details:

A maximum of 24 controllers can be included in a mobility group.


All controllers in a mobility group must be consistently configured.

A Lightweight Access Point (LAP) is an access point which is


authenticated and controlled by a WLAN controller through the
Lightweight Access Point Protocol (LWAPP).

Through LWAPP, a WLAN controller can centrally and securely


manage multiple LAPs running a simplified version of Cisco IOS.
LWAPP UDP control messages are encrypted with Advanced
Encryption Standard-Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (AES-CCMP).
Data traffic from the LAP and WLAN controller is not encrypted in
LWAPP and is switched at the WLAN controller.
Both data traffic and control messages between the LAP and
WLAN controller are encapsulated.
LWAPP operates both at Layer 2 and Layer 3.
o Layer 2 LWAPP requires the LAP and WLAN controller to
be directly connected or in the same VLAN/subnet.
o Layer 3 LWAPP allows the LAP and WLAN controller to
be in different VLANs/subnets.

Association is the process of a LAP attempting to connect to the WLAN


controller. The following process is used to associate the LAP to the
WLAN controller:
Lightweight Access
Point

1. The LAP issues a DHCP discovery request to get an IP address,


unless it has previously had a static IP address configured.
2. If Layer 2 LWAPP mode is supported on the LAP, the LAP
broadcasts a LWAPP discovery message in a Layer 2 LWAPP
frame. Any WLAN controller that is connected to the network and
that is configured for Layer 2 LWAPP mode responds with a Layer
2 discovery response.
3. If the LAP does not support Layer 2 mode, or if the WLAN
controller or the LAP fails to receive a LWAPP discovery response
to the Layer 2 LWAPP discovery message broadcast, the LAP
attempts a Layer 3 LWAPP WLAN controller discovery. The Layer
3 LWAPP WLAN controller discovery algorithm is used to build a
controller list. After a controller list is built, the AP selects a WLAN
controller and attempts to join the WLAN controller. The LWAPP
Layer 3 WLAN controller discovery algorithm repeats until at least
one WLAN controller is found and joined.
The LAP uses the following information to make a WLAN controller
selection:
1. Discovery messages are sent to the primary-configured controller,
secondary-configured controller, and tertiary-configured controller.
2. If no response is made, the master-configured controller responds to
the access point.

3. If no response is made from the master-configured controller, the


response from the least-loaded controller will be used.

Autonomous Access
Point

An autonomous access point is an access point which requires local


management. For example, in most situations if a new security feature
needed to be implemented into an enterprise's wireless network with
several autonomous access points, each access point would need to be
individual configured. This is in contrast to lightweight access points,
which allow management from the WLAN controller.

Client adaptors

A client adaptor, such as a CardBus or a PCMCIA wireless adaptor, is the


device used to connect the user's local machine to the wireless LAN. To
ensure interoperability between Cisco's wireless network devices and client
adaptors, Cisco developed the Cisco Certified Extensions (CCX) program.
Through the CCX program, independent testers ensure that third-party
802.11 wireless LAN products comply with Cisco's proprietary wireless
LAN protocols.
A wireless bridge is a wireless networking device used for network
connection between buildings. It is an alternative to wired networks, where
wired networks are not feasible. The wireless bridge providing access to the
main wired LAN is known as the root bridge. Only one bridge in a WLAN
can be set as the root bridge. Other bridges in the WLAN are configured as
non-root bridges. A root bridge supports the following by default:

Wireless Bridge

Non-root bridges, which are the remote side of the bridge


connection
Work Group Bridges (WGBs), which are access points configured
to provide wireless access to a segment of wired clients
Wireless client cards, such as a CardBus or PCMCIA card client
adaptor
Access points configured as repeaters which extend the wireless
network's signal

Bridges must maintain a line of sight, known as the Fresnel zone. If the
Fresnel zone is obstructed, then the line of sight is not clear and the link
might be unreachable.
The following are WLAN management devices found within a Unified Wireless Network
infrastructure:

Cisco Wireless Control System (WCS) is a platform for wireless LAN planning,
configuration, management, and troubleshooting. The WCS is recommended when two or
more WLAN controllers are deployed in the network.
Cisco Wireless Services Module (WiSM) is a WLAN controller services module for the
Cisco Catalyst 6500 Series modular switches and Cisco 7600 Series routers. The WCS can
control the WiSM.
Cisco Wireless LAN Controller Module (WLCM) is also a controller module, but for small
to medium business networks. The WCS can control the WLCM.
CiscoWorks Wireless LAN Solution Engine (WLSE) is a control engine which centrally
manages autonomous access points. The WLSE can be converted to a WCS to mange
LAPs.

ADU Configuration Facts

In the Cisco Unified Wireless Network, clients should have the Cisco Aironet Desktop Utility
(ADU) installed on the local or client machine. The ADU is a GUI diagnostic and configuration
utility. The ADU organizes wireless client adapter configuration settings in a profile. Profile details
include the following:

The user can configure a maximum of 16 different profiles on the ADU.


Each profile has custom settings which are implemented on the client adaptor when the user
selects the profile.
The various profiles enable different configuration settings depending on the location, such
as an office or airport.
Once created, the user can switch between the profiles without having to reconfigure the
ADU configuration settings each time they change locations.
Profiles are stored in the registry and are lost if the client adapter's software is uninstalled.

Among many ADU configurations, there are two parameters that affect the client's roaming
capabilities between multiple access points:

BSS aging interval is the amount of time (in seconds) that the ADU keeps an access point in
its roaming scan list after it can no longer communicate to that device. The higher the value,
the greater the number of access points to which the client may roam.
Scan valid interval is amount of time (in seconds) before the ADU starts scanning for a
better access point after reaching a low signal strength threshold or missing beacons. The
higher the value, the less time the client spends scanning for a better access point and the
more time it has to send data.
Note: The client does not scan for a new access point as long as it has a good connection
and is passing data. The client stays connected to an access point as long as it can. However,
when the transfer of data packets needs to be retried or beacons are missed, the station
automatically searches for and associates to another access point. This process is referred to
as seamless roaming.

When configuring security settings on the ADU, consider the following:

Select the encryption method used on the access point.


Configuring WEP with the Cisco ADU allows more than one WEP key.
o When setting more than one WEP key, the keys must be assigned to the same WEP
key numbers for all devices. For example, WEP key 2 must be WEP key number 2
on all devices.
o When multiple WEP keys are set, they must be in the same order on all devices
(whether in infrastructure mode or ad hoc mode).
When configuring the encryption method to AES on the Cisco ADU, use the
WPA/WPA2/CCKM and LEAP option within profile management. The Lightweight
Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication
method used in 802.1x authentication.

The Cisco ADU has a tray icon which displays status of the wireless signal received from the
access point and if the client is authenticated. Be aware of the following ADU tray icons and what
they represent:
Icon Description
A white icon indicates that the client adapter's radio is disabled.
A dark gray icon indicates that the client adapter is not associated to an access point (in
infrastructure mode) or another client (in ad hoc mode).
A light gray icon indicates that the client adapter is associated to an access point (in
infrastructure mode) or another client (in ad hoc mode) but the user is not EAP authenticated.

A green icon indicates that the client adapter is associated to an access point (in infrastructure
mode) or another client (in ad hoc mode), the user is authenticated if the client adapter is
configured for EAP authentication, and the signal strength is excellent or good.
A yellow icon indicates that the client adapter is associated to an access point (in
infrastructure mode) or another client (in ad hoc mode), the user is authenticated if the client
adapter is configured for EAP authentication, and the signal strength is fair
A red icon indicates that the client adapter is associated to an access point (in infrastructure
mode) or another client (in ad hoc mode), the user is authenticated if the client adapter is
configured for EAP authentication, and the signal strength is poor.