Sikandar Shaik, CCIE x2

About the Author

Sikandar Shaik, a dual CCIE (RS/SP # 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 10 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.

Sikandar Shaik has delivered training in countries like China, Kenya and the UAE. He has also worked as a freelance Cisco Certified Instructor globally for major corporate clients, delivering instructor-led trainings in several states in India as well as abroad.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you.

Secondly I would like to thank the NOA Solutions team for their continued support, dedication and hard work, which helped me in delivering a better product.

I would like to thank my family for understanding my long nights at the computer. I have spent a lot of time preparing workbooks, and this workbook would not have been possible without their support and encouragement.

I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies, and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 2 (RS/SP)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions to info@noasolutions.com

Implementing Cisco IP Switched Networks (300-115)

Implementing Cisco IP Switched Networks (SWITCH 300-115) is a 120-minute qualifying exam with 45-55 questions for the Cisco CCNP and CCDP certifications. The SWITCH 300-115 exam certifies the switching knowledge and skills of successful candidates. They are certified in planning, configuring, and verifying the implementation of complex enterprise switching solutions that use the Cisco Enterprise Campus Architecture. The SWITCH exam also covers highly secure integration of VLANs and WLANs.

The following topics are general guidelines for the content that is likely to be included on the exam. However, other related topics may also appear on any specific version of the exam. To better reflect the contents of the exam and for clarity, the following guidelines may change at any time without notice.

INDEX

Auto-negotiation, Speed, and Duplex ........ 5
Virtual LAN ........ 6
LAB: Verify VLAN
Trunking
LAB: Trunking ........ 20
DTP (Dynamic Trunking Protocol) ........ 30
Native VLAN
Inter-VLAN Routing options
  Inter-VLAN routing using separate physical gateways
  Inter-VLAN routing using sub-interfaces
  Inter-VLAN routing using a multilayer switch
Extended VLAN ........ 57
Voice VLAN ........ 59
VLAN Trunking Protocol ........ 62
LAB: VTP ........ 68
VTP Version 3
LAB: VTP version 3 ........ 79
VTP Pruning ........ 95
LAB: VTP Pruning ........ 98
Spanning-tree Protocol ........ 109
LAB: Verifying spanning-tree
LAB: Tuning STP (cost/priority/timers) ........ 124
Hierarchical Campus Model
STP: Selecting the Root Bridge ........ 132
LAB: Per VLAN STP ........ 133
EtherChannel ........ 150
LAB: Configuring EtherChannel using the PAgP protocol negotiator ........ 155
Layer 3 EtherChannel ........ 159
Spanning-tree PortFast ........ 161
LAB: BPDU Guard (interface & global mode) ........ 165
LAB: BPDU filter (interface level) ........ 174
LAB: Root Guard ........ 179
UDLD and Loop Guard ........ 185
Errdisable recovery options ........ 189
Spanning tree UplinkFast / BackboneFast ........ 191
Rapid STP ........ 194
Per VLAN STP (PVST) ........ 200
Multiple STP ........ 203
LAB: MSTP (Multiple Spanning-Tree) / Tuning MSTP ........ 206
SPAN/RSPAN ........ 220
Using CDP/LLDP
LAB: Verify CDP ........ 231
Layer 2 Security
Device Security using AAA (TACACS+ and RADIUS) ........ 237
LAB: AAA Authentication using external servers ........ 247
Understanding switch security issues ........ 255
Port security ........ 257
LAB: Port-security ........ 261
DHCP snooping ........ 268
LAB: DHCP Snooping ........ 272
LAB: IP Source Guard ........ 282
LAB: Dynamic ARP Inspection ........ 289
Storm control ........ 298
Private VLAN ........ 301
LAB: Private VLAN ........ 307
First Hop Redundancy Protocols ........ 319
LAB: HSRP ........ 327
LAB: VRRP ........ 338
LAB: GLBP ........ 342
SWITCHING MOCK LAB ........ 353

Auto-negotiation, Speed, and Duplex

By default, each Cisco switch port uses Ethernet auto-negotiation to determine the speed and the duplex setting (half or full). The switches can also set their duplex setting with the duplex interface subcommand and their speed with the speed interface subcommand.

Switch(config)#int fa0/1
Switch(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Switch(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation

Switch#sh interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (disabled)
  Hardware is Lance, address is 0030.f207.aa01 (bia 0030.f207.aa01)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)

To assign an IP address to a switch:

switch(config)# interface vlan 1
switch(config-if)# ip address <ip-address> <subnet-mask>
switch(config-if)# no shutdown

To assign a default gateway to a switch:

Switch(config)#ip default-gateway 192.168.1.100

VLAN & Trunks

Virtual LAN

» Divides one single broadcast domain into multiple broadcast domains.
» Layer 2 security.
» VLAN 1 is the default VLAN.
» We can create VLANs from 2 to 1001.
» Can be configured on manageable switches only.

Broadcast Domain

Set of all devices that receive broadcast frames originating from any device within the set.

What happens when a computer connected to the Accounts department sends a broadcast like an ARP request (or a frame whose destination MAC is unknown, i.e. not present in the MAC table)?

» By default the broadcast goes to each and every device in the network, as by default there is only one broadcast domain.

(Diagram: Accounts 192.168.1.0/24, Marketing 192.168.2.0/24 and Sales 192.168.3.0/24 on one switch; only the router stops the broadcast.)

» As by default there is only one broadcast domain, a VLAN divides that single broadcast domain into multiple broadcast domains.
» Limits the number of broadcasts.
» Better performance.

(Diagram: Accounts, Finance and other departments, each in its own VLAN and subnet.)

Benefits of VLANs

» Limits the number of broadcasts
» Better performance
» Security
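The following is an added example, not code from the workbook: a small Python script that reads a `show vlan brief` capture, builds the port-to-VLAN table, and explains why two hosts can or cannot reach each other (same broadcast domain, or split by VLAN membership). It also lists ports that were never moved out of VLAN 1, which is the first thing to check when "the ping stopped working". The sample capture, the single-switch/no-trunk assumption and the function names are ours.

```python
"""Added example, not from the workbook: decide from a `show vlan brief`
capture whether two hosts on one switch share a broadcast domain, and list
the ports still sitting in the default VLAN 1.

Assumptions (ours, not the page's): a single switch with no trunks, so the
port-to-VLAN table alone decides Layer 2 reachability; the hosts' IP/mask
are supplied by the caller for the Layer 3 side of the check.
"""
import ipaddress
import re

# Constructed sample in the format the workbook shows, after VLAN 20 (SALES)
# was created and Fa0/3-4 were moved into it.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Gig1/1, Gig1/2
20   SALES                            active    Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

# A VLAN row: id, name, status, then an optional comma-separated port list.
ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")


def parse_vlan_brief(text):
    """Return {port: vlan_id} from `show vlan brief` output.

    Port lists wrap onto indented continuation lines, which belong to the
    most recent VLAN row."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current, ports = int(m.group(1)), m.group(2)
        elif current is not None and line.startswith(" "):
            ports = line
        else:
            continue
        for port in (p.strip() for p in ports.split(",")):
            if port:
                port_vlan[port] = current
    return port_vlan


def classify(port_vlan, port_a, ip_a, port_b, ip_b, prefixlen=24):
    """Why host A on port_a can or cannot reach host B on port_b."""
    vlan_a, vlan_b = port_vlan[port_a], port_vlan[port_b]
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefixlen}").network
    if vlan_a != vlan_b:
        # ARP broadcasts never leave VLAN a, so B is unreachable at Layer 2.
        return f"different VLANs ({vlan_a} vs {vlan_b}): needs inter-VLAN routing"
    if net_a != net_b:
        return "same VLAN but different subnets: traffic goes via a gateway"
    return "direct"


def ports_left_in_default_vlan(port_vlan):
    """Ports never moved out of VLAN 1: usually forgotten or unused ports."""
    return sorted(p for p, v in port_vlan.items() if v == 1)


if __name__ == "__main__":
    table = parse_vlan_brief(SHOW_VLAN_BRIEF)
    print(classify(table, "Fa0/1", "192.168.1.1", "Fa0/2", "192.168.1.2"))
    print(classify(table, "Fa0/1", "192.168.1.1", "Fa0/3", "192.168.1.3"))
    print("still in VLAN 1:", ports_left_in_default_vlan(table))
```

Run it as-is to reproduce the lab result: 192.168.1.1 on Fa0/1 reaches 192.168.1.2 on Fa0/2 directly, while 192.168.1.3 on Fa0/3 is unreachable once Fa0/3 sits in VLAN 20, even though all three addresses are in the same subnet.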
VLAN membership

» Works based on port numbers.
» By default all ports will be in VLAN 1.
» Need to manually assign a port on a switch to a VLAN.
» One port can be a member of only one VLAN.

Example: vlan 10 (Green) = ports 1, 2, 3, 4, 9, 12; vlan 20 (Red) = ports 5, 6, 10, 11; vlan 30 (Blue) = ports 7, 8

Switch#show vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default         active
1003 token-ring-default   active
1004 fddinet-default      active
1005 trnet-default        active

Creating VLANs

Switch(config)# vlan <vlan-id>
Switch(config-vlan)# name <vlan-name>
Switch(config-vlan)# exit

Switch(config)#vlan 10
Switch(config-vlan)#name Green
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name Red
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name Blue
Switch(config-vlan)#end

Switch#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   Green                active
20   Red                  active
30   Blue                 active
1002 fddi-default         active
1003 token-ring-default   active
1004 fddinet-default      active
1005 trnet-default        active

Assigning ports to a VLAN

Switch(config)# interface <interface>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <vlan-id>

Switch(config)#interface range f0/1 - 4 , f0/9 , f0/12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range f0/5 - 6 , f0/10 - 11
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#int range f0/7 - 8
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 30
Switch(config-if-range)#exit

LAB: Verify VLAN (all hosts in 192.168.1.0/24)

STEPS:
1. Ping between 192.168.1.1 and 192.168.1.3
   a. They can communicate with each other: they are on the same network (logically) and in the same VLAN (default VLAN 1).
2. Create VLAN 20.
3. Shift ports f0/3 and f0/4 into VLAN 20.
4. Ping between 192.168.1.1 and 192.168.1.3
   a. They cannot communicate with each other: they are on the same network (logically) but in different VLANs (VLAN 1 and VLAN 20).

Switch#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

PC>ipconfig
IP Address......: 192.168.1.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=7ms TTL=128
(4 replies received)

PC>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=8ms TTL=128
(4 replies received)

PC>ping 192.168.1.4
Pinging 192.168.1.4 with 32 bytes of data:
Reply from 192.168.1.4: bytes=32 time=10ms TTL=128
Reply from 192.168.1.4: bytes=32 time=8ms TTL=128
Reply from 192.168.1.4: bytes=32 time=8ms TTL=128
Reply from 192.168.1.4: bytes=32 time=9ms TTL=128

All four devices in the LAN can communicate with each other: they are on the same network (logically) and in the same VLAN (default VLAN 1).

TASK: Create VLAN 20 and shift ports 3 and 4 into VLAN 20

Switch(config)#vlan 20
Switch(config-vlan)#name SALES
Switch(config-vlan)#exit
Switch(config)#interface fastEthernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20

Switch#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/1, Fa0/2, Fa0/5, Fa0/6
                                     Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                     Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                     Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                     Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                     Fa0/23, Fa0/24, Gig1/1, Gig1/2
20   SALES                active     Fa0/3, Fa0/4
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

PC>ipconfig
IP Address......: 192.168.1.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=11ms TTL=128
Reply from 192.168.1.2: bytes=32 time=9ms TTL=128
Reply from 192.168.1.2: bytes=32 time=7ms TTL=128
(4 replies received)

PC>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.4
Pinging 192.168.1.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

LAB 2: CREATING BASIC VLAN CONFIGURATION ON SWITCHES

TASK:
» Create four VLANs (VLAN 10, 20, 30, 40)
» Configure port fa0/8 into VLAN 10
» Configure multiple ports (4-7 and 10) into VLAN 20

Switch(config)#vlan 10
Switch(config-vlan)#name sales
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name marketing
Switch(config-vlan)#vlan 30
Switch(config-vlan)#vlan 40
Switch(config-vlan)#end

Switch#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
10   sales                active
20   marketing            active
30   VLAN0030             active
40   VLAN0040             active

There are no active ports in the new VLANs which we created.

To shift the ports:

Switch(config)#int f0/8
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface range f0/4 - 7 , f0/10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20

Switch#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/1, Fa0/2, Fa0/3, Fa0/9
                                     Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                     Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                     Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                     Fa0/23, Fa0/24
10   sales                active     Fa0/8
20   marketing            active     Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/10

Trunking

» A single VLAN can span over multiple switches.
» Users of the same VLAN may connect on two or more switches within the LAN.
» Trunking: passing the traffic of the same VLANs between switches using a single link (SW1 to SW2).

Types of links/ports

Access links
» Connect to end devices (hosts or a router).
» Part of one VLAN.

Trunk links
» Do not belong to any VLAN.
» Carry the traffic of multiple VLANs.
» Link between two switches.

Frame Tagging

» In order to make sure that users of the same VLAN on different switches can communicate with each other, a tagging method is used on trunk links.
» The tag is added before a frame is sent on a trunk link and removed once it is received.
» Frame tagging happens only on the trunk links.
» The frame includes the source and destination MAC entries; the tag includes the VLAN ID.

Trunking protocols

Responsible for adding and removing tags on trunk links.

ISL (Inter-Switch Link)
» Cisco proprietary.
» Works with Ethernet, Token Ring and FDDI.
» Adds 20 bytes of tag.
» No longer supported on new Cisco platforms.

IEEE 802.1Q
» IEEE open standard.
» Works only on Ethernet.
» Only a 4-byte tag is added to the original frame.

Trunk Configuration

Switch(config)# interface <interface>
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q

LAB: Trunking

(Diagram: SW1 and SW2, each with VLAN 10 hosts on f0/1-2 and VLAN 20 hosts on f0/3-4, connected via f0/20.)

» Create VLAN 10 and VLAN 20 on both switches.
» Shift ports into their respective VLAN as per the diagram.

SW-1(config)#interface range f0/1 - 2
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 10
SW-1(config-if-range)#exit
SW-1(config)#interface range f0/3 - 4
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 20
SW-1(config-if-range)#end
SW-2(config)#interface range f0/1 - 2
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 10
SW-2(config-if-range)#exit
SW-2(config)#interface range f0/3 - 4
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 20
SW-2(config-if-range)#end

SW-1#show vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
10   VLAN0010             active     Fa0/1, Fa0/2
20   VLAN0020             active     Fa0/3, Fa0/4

SW-2#show vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
10   VLAN0010             active     Fa0/1, Fa0/2
20   VLAN0020             active     Fa0/3, Fa0/4

Configure the f0/20 port between SW1 and SW2 as a trunk link

On both switches:

SW-x(config)#interface fastEthernet 0/20
SW-x(config-if)#switchport mode trunk
SW-x(config-if)#switchport trunk encapsulation dot1q

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Ensure that users of the same VLAN on different switches can communicate with each other:

PC>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=17ms TTL=128
Reply from 192.168.1.3: bytes=32 time=14ms TTL=128
Reply from 192.168.1.3: bytes=32 time=12ms TTL=128
Reply from 192.168.1.3: bytes=32 time=10ms TTL=128

PC>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 time=13ms TTL=128
Reply from 192.168.2.3: bytes=32 time=12ms TTL=128
Reply from 192.168.2.3: bytes=32 time=14ms TTL=128
Reply from 192.168.2.3: bytes=32 time=14ms TTL=128

LAB: TRUNKING

(Diagram: VLAN 10 and VLAN 20 hosts on SW1 and on SW2; the switches are connected via f0/20.)

TASK:
» Create VLAN 10 and VLAN 20 on both switches.
» Shift ports into their respective VLAN as per the diagram.
» Configure the f0/20 port between SW1 and SW2 as a trunk link.
» Ensure that users of the same VLAN on different switches can communicate with each other.

On SW1

Switch(config)#hostname SW-1
SW-1(config)#interface range f0/1 - 2
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
SW-1(config-if-range)#exit
SW-1(config)#interface range f0/3 - 4
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 20
SW-1(config-if-range)#end

SW-1#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
10   VLAN0010             active     Fa0/1, Fa0/2
20   VLAN0020             active     Fa0/3, Fa0/4
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

On SW2

Switch(config)#hostname SW-2
SW-2(config)#interface range f0/1 - 2
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 10
SW-2(config-if-range)#exit
SW-2(config)#interface range f0/3 - 4
SW-2(config-if-range)#switchport mode access
SW-2(config-if-range)#switchport access vlan 20
SW-2(config-if-range)#end

SW-2#sh vlan
VLAN Name                 Status     Ports
1    default              active     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                     Gig1/1, Gig1/2
10   VLAN0010             active     Fa0/1, Fa0/2
20   VLAN0020             active     Fa0/3, Fa0/4
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

From PC 192.168.1.1

PC>ipconfig
IP Address......: 192.168.1.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 ... TTL=128
(4 replies received)

PC>ping 192.168.1.4
Pinging 192.168.1.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

From PC 192.168.2.1

PC>ipconfig
IP Address......: 192.168.2.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.2.100

PC>ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Reply from 192.168.2.2: bytes=32 ... TTL=128
(4 replies received)

SERVER>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

SERVER>ping 192.168.2.4
Pinging 192.168.2.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

NOTE: From the above verification:
» Users of the same VLAN connected on the same switch can ping each other.
» Users of the same VLAN on different switches are not able to ping each other.
» In order to communicate between the same VLAN on different switches, trunking must be configured on the link (f0/20) between the switches.

To configure trunking:

SW-1(config)#interface fastEthernet 0/20
SW-1(config-if)#switchport mode trunk
SW-1(config-if)#switchport trunk encapsulation dot1q
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to up

SW-2(config)#int f0/20
SW-2(config-if)#switchport mode trunk
SW-2(config-if)#switchport trunk encapsulation dot1q

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1,10,20

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1,10,20

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1,10,20

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1,10,20

From PC 192.168.1.1

PC>ipconfig
IP Address......: 192.168.1.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=10ms TTL=128
(4 replies received)

PC>ping 192.168.1.4
Pinging 192.168.1.4 with 32 bytes of data:
Reply from 192.168.1.4: bytes=32 time=25ms TTL=128
(4 replies received)

From PC 192.168.2.1

PC>ipconfig
IP Address......: 192.168.2.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.2.100

PC>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 ... TTL=128
(4 replies received)

PC>ping 192.168.2.4
Pinging 192.168.2.4 with 32 bytes of data:
Reply from 192.168.2.4: bytes=32 time=26ms TTL=128
Reply from 192.168.2.4: bytes=32 time=13ms TTL=128
(4 replies received)

TASK: Configure the trunk link such that only VLAN 10, 20, 30 and 40 traffic is allowed (no other VLAN traffic should be sent).

On both switches (SW1/SW2):

SW-x(config)#int f0/20
SW-x(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
SW-x(config-if)#switchport trunk allowed vlan 10,20,30,40

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40

Port      Vlans allowed and active in management domain
Fa0/20    10,20

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40

Port      Vlans allowed and active in management domain
Fa0/20    10,20

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20

TASK:
» Create VLAN 50, 60, 70 and 80 on both switches.
» Configure the trunk link f0/20 to add VLAN 50, 60, 70 and 80 to the existing trunk allowed list.

On both switches (SW1/SW2):

SW-x(config)#vlan 50
SW-x(config-vlan)#vlan 60
SW-x(config-vlan)#vlan 70
SW-x(config-vlan)#vlan 80
SW-x(config-vlan)#end
SW-x(config)#int f0/20
SW-x(config-if)#switchport trunk allowed vlan add 50,60,70,80

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40,50,60,70,80

Port      Vlans allowed and active in management domain
Fa0/20    10,20,50,60

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20,50,60

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40,50,60,70,80

Port      Vlans allowed and active in management domain
Fa0/20    10,20,50,60

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20,50,60

TASK: Configure the trunk link f0/20 to remove VLAN 70 and 80 from the existing trunk allowed list.

SW-1(config)#int f0/20
SW-1(config-if)#switchport trunk allowed vlan remove 70,80

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40,50,60

Port      Vlans allowed and active in management domain
Fa0/20    10,20,50,60

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20,50,60

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    10,20,30,40,50,60

Port      Vlans allowed and active in management domain
Fa0/20    10,20,50,60

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    10,20,50,60

DTP (DYNAMIC TRUNKING PROTOCOL)

Trunking can be done dynamically through a negotiation process.

Switch#sh dtp
Global DTP information
        Sending DTP Hello packets every 30 seconds
        Dynamic Trunk timeout is 300 seconds
        0 interfaces using DTP

DTP MODES

TRUNK: configuring the trunk manually. The port still negotiates trunking with the port on the other end of the link.

ACCESS: configuring access manually. The port is a user port in a single VLAN.
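Returning to the allowed-list tasks above: the following is an added example, not code from the workbook, that reproduces the list arithmetic behind `switchport trunk allowed vlan` (plain list, add, remove, except, all, none) and derives the three rows `show interfaces trunk` prints from it. Pruning the allowed list is what keeps VLANs that have no business on a link (and, ideally, the native VLAN) off that trunk, so it is worth being able to predict the resulting list before committing it. The full 1-4094 VLAN range, the helper names and the sample "existing VLANs" set are our assumptions; the page's lab simulator prints the default list as 1-1005 instead.

```python
"""Added example, not from the workbook: the set arithmetic behind
`switchport trunk allowed vlan <argument>` and the rows of
`show interfaces trunk` that depend on it.

Assumptions (ours): VLAN IDs 1-4094; the set of VLANs that exist on the
switch is passed in by the caller (in the lab it comes from `show vlan`);
STP blocking and VTP pruning are ignored, so the "forwarding and not
pruned" row equals the "allowed and active" row.
"""

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}; '' -> empty set."""
    result = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result


def format_vlan_list(vlans):
    """Compress {1,2,3,10,20} -> '1-3,10,20' the way IOS prints it."""
    runs, run = [], []
    for v in sorted(vlans):
        if run and v != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(v)
    if run:
        runs.append(run)
    text = ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)
    return text or "none"


def allowed_vlan_command(current, argument):
    """Apply `switchport trunk allowed vlan <argument>` to the current set."""
    keyword, _, rest = argument.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)      # a plain list replaces the whole set


def trunk_rows(allowed, existing_vlans):
    """The 'allowed', 'allowed and active' and 'forwarding' rows."""
    active = allowed & set(existing_vlans)
    return {
        "allowed": format_vlan_list(allowed),
        "allowed_and_active": format_vlan_list(active),
        "forwarding_not_pruned": format_vlan_list(active),
    }


if __name__ == "__main__":
    # Constructed walk-through of the workbook tasks: VLANs 1, 10, 20 exist
    # at first; 50-80 are created before the `add` step.
    existing = {1, 10, 20}
    allowed = allowed_vlan_command(set(ALL_VLANS), "10,20,30,40")
    print(trunk_rows(allowed, existing))
    existing |= {50, 60, 70, 80}
    allowed = allowed_vlan_command(allowed, "add 50,60,70,80")
    print(trunk_rows(allowed, existing))
    allowed = allowed_vlan_command(allowed, "remove 70,80")
    print(trunk_rows(allowed, existing))
```

The "allowed and active" row only lists VLANs that also exist in the VLAN database, which is why 30 and 40 are allowed but never active in the lab: they were never created.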
DESIRABLE:
» Desires to become a trunk (always wants to become a trunk).
» Sends and replies to DTP messages.
» It becomes a trunk if the port on the other switch is set to trunk, dynamic desirable or dynamic auto mode.

AUTO:
» Only replies to DTP messages (does not send them).
» Default mode on most modern switches.
» It becomes a trunk if the other end is set to trunk or dynamic desirable mode.

NO-NEGOTIATE:
» Turns off DTP messages (disables DTP).
» The port is a trunk and does not do DTP negotiation with the other side of the link.

DTP can be disabled either by
» configuring the port as an access port using switchport mode access, or
» using the switchport nonegotiate command.

Switchport Mode Interactions (the table assumes DTP is enabled at both ends)

                    Dynamic Auto   Dynamic Desirable   Trunk             Access
Dynamic Auto        Access         Trunk               Trunk             Access
Dynamic Desirable   Trunk          Trunk               Trunk             Access
Trunk               Trunk          Trunk               Trunk             Not recommended
Access              Access         Access              Not recommended   Access

» show dtp interface: to determine the current setting.

LAB: VERIFYING DTP

(Diagram: SW1 f0/20 to SW2 f0/20, SW1 f0/21 to SW2 f0/21.)

TASK:
» Configure f0/20 of SW1 to actively negotiate DTP messages; the f0/20 port of SW2 should only reply to DTP messages.
» Configure f0/21 of SW1 and SW2 so that they do not negotiate any DTP messages.

SW-1#sh interfaces fa0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native

On SW1

SW-1(config)#int f0/20
SW-1(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW-1(config-if)#switchport mode dynamic desirable

SW-1#sh interfaces fa0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan

Port      Vlans allowed on trunk
Fa0/20    1-1005

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    auto   n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1

TASK: Configure SW1 and SW2 with a manual trunk and disable the DTP negotiation process.

On SW1/SW2

SW-x(config)#int f0/21
SW-x(config-if)#switchport mode trunk
SW-x(config-if)#switchport trunk encapsulation dot1q
SW-x(config-if)#switchport nonegotiate

SW-1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    auto   n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1
Fa0/21    1

SW-2#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    auto   n-802.1q       trunking  1
Fa0/21    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1
Fa0/21    none

NATIVE VLAN

(Diagram: native VLAN on a trunk link compared with an access link.)

» If a packet is received on a dot1q link that does not have a VLAN tag, it is assumed to belong to the native VLAN.
» Untagged frames must be placed into a VLAN by the receiving switch; the native VLAN is the VLAN used.
+ When a switch receives an untagged frame on a tagged interface it is assumed membership of the Native VLAN. + For Cisco switches the Native VLAN ID must match on both end of the trunk. + By default the Native VLAN is 1. + Best Practice is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network, + Use this new vlan as the native vlan, No ports should be assigned to the native vlan ie. you do not have any end devices in the native vianThe number “666” helps people to remember this. + Anattacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage. This message appears when the native VLAN is mismatched on the two Cisco switche Native VLAN NPA. Ifa packets received on a dotig link, that does not have VLAN tagged, It is assumed that it belongs to native VLAN. Default native vlan is VLAN 1 Native VLAN Native VLAN Native VLAN o oo a N do ob Native VLAN best Practices TRUNK Link ACCESS Link RK ON v » Best Practice is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. » No ports should be assigned to the native VLAN » An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage. Native VLAN ‘Native VLAN Native VLAN S 8 O38 a ad iad oo oo Native VLAN Configuration OA. ‘SWa(config)+vlan 999 ‘SWa(config-vian)sexit 73 ore sWL sw2 SWsx(config)sint fo/20 ‘SWx(config-if)sswitchport mode trunk ‘SWx(config-if'switchport trunk native vlan 999 For Cisco switches the Native VLAN ID must match on both end of the trunk. This message appears when the native VLAN Is mismatched on the two Cisco switches: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEtherneto/20 (1), with ‘SW1 FastEtherneto/20 (999). Native VLAN -Verification NPA. SW-1#sh interfaces trunk Port Mode Encapsulation Status Native vlan Fao/20. 
on 802.14 trunking 999 ‘SW1ésh interfaces f0/20 switchport Name: Fa0/20 Switchport: Enabled Administrative Mode: dynamic auto Operational Mode: trunk Administrative Trunking Encapsulation: dotiq Operational Trunking Encapsulation: dotiq Negotiation of Trunking: On ‘Access Mode VLAN: 1 (default) ‘Trunking Native Mode VLAN: 999 (VLANo9s9) Voice VLAN: none LAB: Native VLAN 192.168.1.2 192.168.1.4 swi sw2 ‘© Connect Devices and assign the IP addressing as per the diagram. ‘© Create vian 999 on both switches. ‘© Configure 0/20 port as trunk link ‘© Ensure that vian 999 should be native vlan on both trunks. «Verify the connectivity between PC (192.168.1.1 and 192.168.1.2).. PC>ipcontig FastEthernetO Connection:(default port) IP Addres.rsnnnnsnnnet 192.168.1.1 Subnet Maske? 255,255,255.0 Default Gateway... .0.0.0 PC>ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Reply from 192.168.1.2: bytes=32 time=I2ms TTL=128 Reply from 192.168.1.2: bytes=32 time=Oms TTL=128 Reply from 192.168.1.2: bytes=32 time=Oms TTI Reply from 192.168.1.2: bytes=32 time=Oms TTI (On swr/sw2 ‘SWx(config)#vlan 999 SWx(config-vlan)#end ‘SWx(configh#int £0/20 ‘SWx(config-if}#switchport trunk encapsulation dotlq ‘SWx(config-if)#switehport mode trunk ‘SW24sh interfaces trunk Port Mode Encapsulation Status Native vlan Fa0/20 on 802.1q trunking 1 Port Vians allowed on trunk FaQ/20 11005 Port Vians allowed and active in management domain Fa0/20 1 Port Vians in spanning tree forwarding state and not pruned Fa0/20 1 PC> ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Reply from 192.168.1.2: bytes=32 time=Ims TTL=128 Reply from 192.168.1.2: bytes=32 time=Oms TTL=128 Reply from 192.168.1.2: bytes=32 time=Oms TTL=128 Reply from 192.168.1.2: bytes=32 time=Oms TTL=128 TASK: change native vlan to 999 on SWI and verify connectivity SWI(config) int (0/20 SWI(config-if}#switchport trunk native vlan 999 SWI(config-if}#end PC> ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Request 
timed out.
Request timed out.
Request timed out.
Request timed out.

The ping fails because the path is now asymmetric: SW1 sends the VLAN 1 echo request tagged (VLAN 1 is no longer its native VLAN) and SW2 delivers it correctly, but SW2 still sends the reply untagged and SW1 places that untagged frame into VLAN 999, where there are no hosts.

SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/20      1-1005

Port        Vlans allowed and active in management domain
Fa0/20      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      1

SW1#sh interfaces f0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
Voice VLAN: none

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/20      1-1005

Port        Vlans allowed and active in management domain
Fa0/20      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      1

SW2(config)#int f0/20
SW2(config-if)#switchport trunk native vlan 999
SW2(config-if)#end

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128

Troubleshooting VLANs and trunks
When two hosts cannot reach each other across switches, check in this order:
+ Same IP network (addresses and mask)
+ Same VLAN on both access ports
+ Trunking mode on the inter-switch link (is the link actually trunking?)
+ Allowed VLANs on the trunk link
+ Native VLAN must match on both ends

Inter-VLAN Routing
Inter-VLAN routing allows the users of one VLAN to access resources in another VLAN (for example VLAN 10 Accounts and VLAN 20 Finance).
+ At least one router (or Layer 3 switch) is needed.
+ Every VLAN must have a default gateway; in the example VLAN 10 uses 192.168.1.0/24 and VLAN 20 uses 192.168.2.0/24.

Inter-VLAN routing methods
A. Separate physical gateway (one router interface) per VLAN
B. Router sub-interfaces (router on a stick) over a trunk
C. Layer 3 (multilayer) switch with SVIs
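To make the lab result above concrete, here is an added Python model (example code, not from the workbook) of what a trunk does with a frame: it builds and parses 802.1Q tags byte for byte (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VID), sends the native VLAN untagged on egress, classifies untagged frames into the native VLAN on ingress, and replays the PC1 to PC2 ping for any pair of native VLAN settings. The MAC addresses and the ICMP placeholder payload are constructed; the VID range classification follows the Catalyst ranges (1 to 1001 normal, 1002 to 1005 reserved, 1006 to 4094 extended).

```python
"""802.1Q tagging and native-VLAN handling on a trunk (added example, not workbook code)."""
import struct

TPID_8021Q = 0x8100
PC1_MAC = bytes.fromhex("0050560a0001")   # constructed addresses for the lab PCs
PC2_MAC = bytes.fromhex("0050560a0002")


def vlan_range(vid):
    """Classify a 12-bit VID the way Catalyst IOS does."""
    if vid in (0, 4095):
        return "reserved-by-802.1Q"      # 0 = priority tag only, 4095 is reserved
    if 1002 <= vid <= 1005:
        return "cisco-reserved"          # FDDI / Token Ring defaults, always present
    if 1 <= vid <= 1001:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    raise ValueError("VID must fit in 12 bits")


def ethernet(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0):
    """Insert one 802.1Q header after the MACs: TPID 0x8100, TCI = PCP(3) DEI(1) VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} cannot be carried in a tag")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the outermost tag; return (vid, frame) or (None, frame) when untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def vids_in(frame):
    """All stacked VIDs, outermost first (a double-tagged frame returns two)."""
    vids = []
    vid, frame = strip_tag(frame)
    while vid is not None:
        vids.append(vid)
        vid, frame = strip_tag(frame)
    return vids


def trunk_egress(vid, frame, native):
    """A switch sends its native VLAN untagged and every other VLAN tagged."""
    return frame if vid == native else tag_frame(frame, vid)


def trunk_ingress(wire, native):
    """The receiving switch puts untagged frames into its own native VLAN."""
    vid, frame = strip_tag(wire)
    return (native if vid is None else vid), frame


def native_vlan_lab(sw1_native, sw2_native, host_vlan=1):
    """Replay the lab: PC1 (SW1, VLAN 1) pings PC2 (SW2, VLAN 1) across the f0/20 trunk."""
    request = ethernet(PC2_MAC, PC1_MAC, 0x0800, b"echo request")   # constructed payload
    vid_at_sw2, _ = trunk_ingress(trunk_egress(host_vlan, request, sw1_native), sw2_native)
    reply = ethernet(PC1_MAC, PC2_MAC, 0x0800, b"echo reply")
    vid_at_sw1, _ = trunk_ingress(trunk_egress(host_vlan, reply, sw2_native), sw1_native)
    return {"request_vlan_at_sw2": vid_at_sw2, "reply_vlan_at_sw1": vid_at_sw1,
            "ping_works": vid_at_sw2 == host_vlan and vid_at_sw1 == host_vlan}


if __name__ == "__main__":
    print(native_vlan_lab(999, 1))    # SW1 moved first: the reply lands in VLAN 999
    print(native_vlan_lab(999, 999))  # both moved: ping works again
```

With native 999 on SW1 and native 1 on SW2 the request arrives in VLAN 1 but the reply is classified into VLAN 999 on SW1, which is the "Request timed out" seen in the lab; with both ends on 999 (or both on 1) the two directions agree. vids_in() shows why an unused native VLAN matters: stripping an outer tag whose VID equals the native VLAN leaves any inner tag intact, so the frame continues with the inner VID.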
Inter-VLAN routing using separate interfaces
+ Need at least one router.
+ Every VLAN must have a default gateway.
Topology: Router F0/0 192.168.1.100 connects to an access port in VLAN 10 (Sales, 192.168.1.0/24); Router F0/1 192.168.2.100 connects to an access port in VLAN 20 (Marketing, 192.168.2.0/24). Switch ports 1, 2 and 10 are in VLAN 10; ports 3, 4 and 11 are in VLAN 20.

Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.100 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.100 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

Switch#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/12, Fa0/13, Fa0/14
                          Fa0/15, Fa0/16, Fa0/17, Fa0/18
                          Fa0/19, Fa0/20, Fa0/21, Fa0/22
                          Fa0/23, Fa0/24, Gig1/1, Gig1/2
10   sales      active    Fa0/1, Fa0/2, Fa0/10
20   marketing  active    Fa0/3, Fa0/4, Fa0/11

Inter-VLAN routing using sub-interfaces (router on a stick)
+ Need at least one router.
+ Every VLAN must have a default gateway.
Topology: Router F0/0 connects to switch port F0/20, which is configured as a trunk. Sub-interface F0/0.10 = 192.168.1.100 is the gateway for VLAN 10 (Sales, 192.168.1.0/24) and F0/0.20 = 192.168.2.100 for VLAN 20 (Marketing, 192.168.2.0/24). Switch ports 1 and 2 are in VLAN 10; ports 3 and 4 are in VLAN 20.

SW-1#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/21, Fa0/22, Fa0/23, Fa0/24
                          Gig1/1, Gig1/2
10   VLAN0010   active    Fa0/1, Fa0/2
20
VLAN0020   active    Fa0/3, Fa0/4

SW-1(config)#interface fastEthernet 0/20   (interface facing the router)
SW-1(config-if)#swit​chport trunk encapsulation dot1q
SW-1(config-if)#switchport mode trunk
(On switches that support both ISL and 802.1Q, set the encapsulation before switchport mode trunk; otherwise the mode command is rejected while the encapsulation is still "auto".)

Inter-VLAN routing using a router (router on a stick)
R-1(config)#int fa0/0
R-1(config-if)#no shutdown
R-1(config-if)#no ip address
R-1(config-if)#exit
R-1(config)#int fa0/0.10
R-1(config-subif)#encapsulation dot1Q 10         (must be the exact VLAN number, VLAN 10)
R-1(config-subif)#ip add 192.168.1.100 255.255.255.0
R-1(config-subif)#exit
R-1(config)#int fa0/0.20
R-1(config-subif)#encapsulation dot1Q 20         (must be the exact VLAN number, VLAN 20)
R-1(config-subif)#ip add 192.168.2.100 255.255.255.0

Inter-VLAN routing using MLS SVI interfaces
Topology: a multilayer switch with SVI VLAN 10 = 192.168.1.100 and SVI VLAN 20 = 192.168.2.100; VLAN 10 Sales 192.168.1.0/24, VLAN 20 Marketing 192.168.2.0/24; ports 1 and 2 in VLAN 10, ports 3 and 4 in VLAN 20.
+ Need at least one multilayer switch.
+ The gateway for each VLAN is its SVI.
+ Enable IP routing on the switch.

SW-1#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/21, Fa0/22, Fa0/23, Fa0/24
                          Gig1/1, Gig1/2
10   VLAN0010   active    Fa0/1, Fa0/2
20   VLAN0020   active    Fa0/3, Fa0/4

Switch(config)#int vlan 10
Switch(config-if)#ip address 192.168.1.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#int vlan 20
Switch(config-if)#ip address 192.168.2.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip routing

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=62ms TTL=127
Reply from 192.168.2.1: bytes=32 time=125ms TTL=127
Reply from 192.168.2.1: bytes=32 time=109ms TTL=127

PC>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops:
  1    47 ms    63 ms    62 ms   192.168.1.100
  2   109 ms   125 ms    78 ms   192.168.2.1
(TTL 127 in the replies and the two hops in the trace show that the frames went through exactly one routing hop, the SVI of the multilayer switch.)

Layer 3 port
Topology: Router F0/0 172.16.1.100 (LAN 172.16.0.0/16, host 172.16.1.1); Router F0/1 10.0.0.1 connected to MLS F0/20 10.0.0.2; MLS SVIs VLAN 10 192.168.1.100 (Sales, 192.168.1.0/24) and VLAN 20 192.168.2.100 (Marketing, 192.168.2.0/24).

Switch(config)#int f0/20
Switch(config-if)#ip address 10.0.0.2 255.0.0.0
% Invalid input detected at '^' marker.
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.0.0.2 255.0.0.0

Routing on MLS
MLS                                             Router
Switch(config)#router rip                       Router(config)#router rip
Switch(config-router)#version 2                 Router(config-router)#ver 2
Switch(config-router)#network 192.168.1.0       Router(config-router)#network 172.16.0.0
Switch(config-router)#network 192.168.2.0       Router(config-router)#network 10.0.0.0
Switch(config-router)#network 10.0.0.0

Router#sh ip route
C    10.0.0.0/8 is directly connected, FastEthernet0/1
C    172.16.0.0/16 is directly connected, FastEthernet0/0
R    192.168.1.0/24 [120/1] via 10.0.0.2, 00:00:01, FastEthernet0/1
R    192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:01, FastEthernet0/1
(The RIP routes point at 10.0.0.2, the routed port of the MLS, which is the next hop from the router's point of view.)

PC>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126

PC>tracert 172.16.1.1
Tracing route to 172.16.1.1 over a maximum of 30 hops:
  1    31 ms    31 ms    32 ms   192.168.1.100
  2    62 ms    62 ms    62 ms   10.0.0.1
  3   109 ms   125 ms   125 ms   172.16.1.1

Layer 3 port on MLS
» By default all ports of a multilayer switch are switch ports (Layer 2).
» A switch port does not understand IP addressing; it forwards frames by looking up the destination MAC address.
» In our example we want port f0/20 of the MLS to act as a router port (Layer 3).
» To change the default Layer 2 port into a routed port, use the interface command "no switchport".

LAB: Inter-VLAN routing using separate gateways
Topology: Router F0/0 192.168.1.100 connects to a VLAN 10 access port (192.168.1.0/24, PCs 192.168.1.1 and 192.168.1.2); Router F0/1 192.168.2.100 connects to a VLAN 20 access port (192.168.2.0/24, PCs 192.168.2.1 and 192.168.2.2).
TASK:
• Create VLAN 10 and VLAN 20 on SW1 and assign the ports to their respective VLANs as per the diagram.
• Ensure that users of VLAN 10 and VLAN 20 can communicate with each other.

Switch(config)#vlan 10
Switch(config-vlan)#name sales
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name marketing
Switch(config-vlan)#exit
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#interface FastEthernet0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#interface FastEthernet0/3
Switch(config-if)#switchport access vlan 20
Switch(config-if)#switchport mode access
Switch(config-if)#interface FastEthernet0/4
Switch(config-if)#switchport access vlan 20
Switch(config-if)#switchport mode access
Switch(config-if)#interface FastEthernet0/10
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#interface FastEthernet0/11
Switch(config-if)#switchport access vlan 20
Switch(config-if)#switchport mode access
Switch(config-if)#end

Switch#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/12, Fa0/13, Fa0/14
                          Fa0/15, Fa0/16, Fa0/17, Fa0/18
                          Fa0/19, Fa0/20, Fa0/21, Fa0/22
                          Fa0/23, Fa0/24, Gig1/1, Gig1/2
10   sales      active    Fa0/1, Fa0/2, Fa0/10
20   marketing  active    Fa0/3, Fa0/4, Fa0/11
1002 fddi-default         act/unsup

Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.100 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.100 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#end

Router#sh ip int brief
Interface         IP-Address      OK? Method Status  Protocol
FastEthernet0/0   192.168.1.100   YES manual up      up
FastEthernet0/1   192.168.2.100   YES manual up      up

Router#sh ip route
Gateway of last resort is not set
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1

PC>ipconfig
FastEthernet0 Connection:(default port)
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=0ms TTL=127
Reply from 192.168.2.1: bytes=32 time=0ms TTL=127
Reply from 192.168.2.1: bytes=32 time=0ms TTL=127

PC>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops:
  1    13 ms     0 ms     0 ms   192.168.1.100
  2     0 ms     0 ms     0 ms   192.168.2.1
Trace complete.

LAB: Inter-VLAN routing using a router (router on a stick)
Topology: R1 F0/0 is connected to SW1 F0/20 (trunk); sub-interface F0/0.10 = 192.168.1.100 serves VLAN 10 (192.168.1.0/24) and F0/0.20 = 192.168.2.100 serves VLAN 20 (192.168.2.0/24).
TASK:
• Create VLAN 10 and VLAN 20 on SW1.
• Move the ports into their respective VLANs as per the diagram.
• Configure port F0/20 as a trunk link.
• Create sub-interfaces on router port F0/0.
• Ensure that users of VLAN 10 and VLAN 20 can communicate with each other.

On SW1
Switch(config)#hostname SW-1
SW-1(config)#interface range f0/1 - 2
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 10
% Access VLAN does not exist.
Creating vlan 10
SW-1(config-if-range)#exit
SW-1(config)#interface range f0/3 - 4
SW-1(config-if-range)#switchport mode access
SW-1(config-if-range)#switchport access vlan 20
SW-1(config-if-range)#end
(Assigning an access port to a VLAN that does not exist creates the VLAN with its default name; this is convenient in a lab but means a typo in the VLAN number silently creates a new, isolated VLAN.)

SW-1#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                   Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                   Gig1/1, Gig1/2
10   VLAN0010            active    Fa0/1, Fa0/2
20   VLAN0020            active    Fa0/3, Fa0/4
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

Trunk link configuration
SW-1(config)#interface fastEthernet 0/20   (interface facing the router)
SW-1(config-if)#switchport trunk encapsulation dot1q
SW-1(config-if)#switchport mode trunk

+ A router on a stick can route between VLANs using either ISL or 802.1Q as the trunking protocol.
+ A router on a stick requires sub-interfaces, one for each VLAN.

Creating sub-interfaces on router interface f0/0
R-1(config)#int fa0/0
R-1(config-if)#no shutdown
R-1(config-if)#exit
R-1(config)#int fa0/0.10
R-1(config-subif)#encapsulation dot1Q 10         (must be the exact VLAN number, VLAN 10)
R-1(config-subif)#ip add 192.168.1.100 255.255.255.0
R-1(config-subif)#exit
R-1(config)#int fa0/0.20
R-1(config-subif)#encapsulation dot1Q 20         (must be the exact VLAN number, VLAN 20)
R-1(config-subif)#ip add 192.168.2.100 255.255.255.0

Router#sh ip int brief
Interface          IP-Address     OK? Method Status  Protocol
FastEthernet0/0    unassigned     YES unset  up      up

Verify
PC>ipconfig
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=62ms TTL=127
Reply from 192.168.2.1: bytes=32 time=125ms TTL=127
Reply from 192.168.2.1: bytes=32 time=109ms TTL=127

PC>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops:
  1    47 ms    63 ms    62 ms   192.168.1.100
  2   109 ms   125 ms    78 ms   192.168.2.1

LAB: Inter-VLAN routing using MLS SVI
Topology: a multilayer switch with SVI VLAN 10 = 192.168.1.100 and SVI VLAN 20 = 192.168.2.100; VLAN 10 Sales 192.168.1.0/24, VLAN 20 Marketing 192.168.2.0/24.
TASK:
• Create the VLANs and move the ports as per the diagram.
• Create an SVI (switch virtual interface) for each VLAN and assign the IP address for that VLAN as per the diagram.
• Ensure that IP routing is enabled on the multilayer switch.
• Verify connectivity between the VLANs (ping 192.168.1.1 to 192.168.2.1).

TASK: Create the VLANs and move the ports according to the diagram
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#exit
Switch(config)#int range f0/1 - 2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#int range f0/3 - 4
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit

SW-1#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                   Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                   Gig1/1, Gig1/2
10   VLAN0010            active    Fa0/1, Fa0/2
20   VLAN0020            active    Fa0/3, Fa0/4
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

TASK: Create an SVI (switch virtual interface) for each VLAN
Switch(config)#int vlan 10
Switch(config-if)#ip address 192.168.1.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#int vlan 20
Switch(config-if)#ip address 192.168.2.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit

Switch#sh ip int brief
Interface   IP-Address      OK? Method Status  Protocol
Vlan20      192.168.2.100   YES manual up      up

+ The VLAN must be defined and
active on the switch before the SVI can be used; an SVI whose VLAN has no active port stays down.
+ The VLAN and the SVI are configured separately, even though they interoperate. Creating or configuring the SVI does not create or configure the VLAN; you still must define each one independently.

Switch(config)#ip routing
Enable routing on the switch with the ip routing command. Even if IP routing was previously enabled, this step ensures that it is activated.

TASK: Verify connectivity between the VLANs (ping 192.168.1.1 to 192.168.2.1)
PC>ipconfig
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=62ms TTL=127
Reply from 192.168.2.1: bytes=32 time=125ms TTL=127
Reply from 192.168.2.1: bytes=32 time=109ms TTL=127

PC>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops:
  1    47 ms    63 ms    62 ms   192.168.1.100

TASK:
• Continue with the previous lab configuration.
• Add a router connected to the MLS as per the diagram (assume there is a WAN connection between the router and the MLS, i.e. they are at different locations).
Topology: MLS F0/20 10.0.0.2/8 ---- F0/1 10.0.0.1/8 Router; Router F0/0 172.16.1.100/16 with hosts 172.16.1.1 and 172.16.1.2; MLS SVIs VLAN 10 192.168.1.100 (hosts 192.168.1.1, 192.168.1.2) and VLAN 20 192.168.2.100 (hosts 192.168.2.1, 192.168.2.2).

TASK: Configure IP addressing as per the diagram on all devices.
Router(config)#int f0/0
Router(config-if)#ip address 172.16.1.100 255.255.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f0/1
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#end

Router#sh ip int brief
Interface         IP-Address     OK? Method Status  Protocol
FastEthernet0/0   172.16.1.100   YES manual up      up
FastEthernet0/1   10.0.0.1
YES manual up      up

On MLS
Switch(config)#int fa0/20
Switch(config-if)#ip address 10.0.0.2 255.0.0.0
% Invalid input detected at '^' marker.

By default, every switch port on most Catalyst switch platforms is a Layer 2 interface, whereas every port on a Catalyst 6500 is a Layer 3 interface. If an interface needs to operate in a different mode, you must explicitly configure it. An interface is either in Layer 2 or Layer 3 mode, depending on the use of the switchport interface configuration command. You can display a port's current mode with the following command:
Switch# show interface type mod/num switchport
If the Switchport line in the output is shown as Enabled, the port is in Layer 2 mode. If this line is shown as Disabled, as in the following example, the port is in Layer 3 mode:
Switch# show interface gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Disabled

NOTE: By default all ports of a multilayer switch are switch ports (Layer 2). They do not understand IP addressing and just forward frames by MAC address. In our example we want port f0/20 of the MLS to be a router port (Layer 3). To change the default Layer 2 port into a routed port, add the command "no switchport"; this removes all switchport configuration from the interface, so re-check any existing access or trunk settings on that port.

Switch(config-if)#no switchport
Switch(config-if)#ip address 10.0.0.2 255.0.0.0

Switch#sh ip int brief
Interface          IP-Address   OK? Method Status  Protocol
FastEthernet0/20   10.0.0.2     YES manual up      up

Switch#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/7 ms

MLS (3560)
Switch(config)#router rip
Switch(config-router)#version 2
Switch(config-router)#network 192.168.1.0
Switch(config-router)#network 192.168.2.0
Switch(config-router)#network 10.0.0.0
Switch(config-router)#no auto-summary
Switch(config-router)#end

ROUTER
Router(config)#router rip
Router(config-router)#ver 2
Router(config-router)#network 172.16.0.0
Router(config-router)#network 10.0.0.0
Router(config-router)#no auto-summary
Router(config-router)#end

Router#sh ip route
C    10.0.0.0/8 is directly connected, FastEthernet0/1
C    172.16.0.0/16 is directly connected, FastEthernet0/0
R    192.168.1.0/24 [120/1] via 10.0.0.2, 00:00:01, FastEthernet0/1
R    192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:01, FastEthernet0/1

Switch#sh ip route
Gateway of last resort is not set
C    10.0.0.0/8 is directly connected, FastEthernet0/20
R    172.16.0.0/16 [120/1] via 10.0.0.1, 00:00:01, FastEthernet0/20
C    192.168.1.0/24 is directly connected, Vlan10
C    192.168.2.0/24 is directly connected, Vlan20

PC>ipconfig
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.100

PC>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Request timed out.
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126
Reply from 172.16.1.1: bytes=32 time=125ms TTL=126

PC>tracert 172.16.1.1
Tracing route to 172.16.1.1 over a maximum of 30 hops:
  1    31 ms    31 ms    32 ms   192.168.1.100
  2    63 ms    62 ms    62 ms   10.0.0.1
  3   109 ms   125 ms   125 ms   172.16.1.1
Trace complete.

Extended VLAN
» Historically, Cisco Catalyst switches supported only up to 1024 VLANs.
» ISL uses a 10-bit VLAN ID (up to 1024 VLANs).
» 802.1Q carries a 12-bit VLAN ID field (4096 values, of which 0 and 4095 are reserved).
» Cisco refers to VLANs 1006 through 4094 as extended-range VLANs.

Cisco Catalyst switches support extended-range VLANs
under the following restrictions:
» VTP version 1 or 2 cannot be used to manage them: VTP must be configured in transparent mode or off (VTP version 3 removes this restriction).
» Only Ethernet VLANs are supported.

SW7(config)#vtp mode ?
  client       Set the device to client mode.
  off          Set the device to off mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
SW7(config)#vtp mode server
Setting device to VTP Server mode for VLANS.
SW7(config)#vlan 4000
SW7(config-vlan)#name sales
SW7(config-vlan)#exit
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
% Failed to commit extended VLAN(s) changes.

SW7#sh vlan
VLAN Name            Status    Ports
1    default         active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                               Fa0/6, Fa0/7, Fa0/8, Fa0/9
                               Fa0/10, Fa0/11, Fa0/12, Fa0/13
                               Fa0/14, Fa0/15, Fa0/16, Fa0/17
                               Fa0/18, Fa0/19, Fa0/20, Fa0/21
                               Fa0/22, Gi0/1, Gi0/2
1002 fddi-default    act/unsup
1003 trcrf-default   act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default   act/unsup

SW7(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW7(config)#vlan 4000
SW7(config-vlan)#name sales
SW7(config-vlan)#exit

SW7#sh vlan
VLAN Name            Status    Ports
1    default         active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                               Fa0/6, Fa0/7, Fa0/8, Fa0/9
                               Fa0/10, Fa0/11, Fa0/12, Fa0/13
                               Fa0/14, Fa0/15, Fa0/16, Fa0/17
                               Fa0/18, Fa0/19, Fa0/20, Fa0/21
                               Fa0/22, Gi0/1, Gi0/2
1002 fddi-default    act/unsup
1003 trcrf-default   act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default   act/unsup
4000 sales           active

Voice VLAN
» The voice VLAN feature enables an access port to carry IP voice traffic from an IP phone in a separate VLAN from the data traffic of the PC attached to the phone.
» The switch connects to the IP phone; the phone's voice frames are tagged with the voice VLAN, while the PC's frames pass through the phone untagged into the access (data) VLAN.
» The Cisco IP phone contains an integrated three-port 10/100 switch: one port uplinks to the switch, one is internal to the phone and one connects the PC.

Default VLAN configuration
» The voice VLAN feature is disabled by default.
» You should configure the voice VLAN on switch access ports.
» The voice VLAN should be present and active on the switch for the IP phone to communicate correctly on the voice VLAN.
» Use the show vlan privileged EXEC command to see whether the VLAN is present.
» The PortFast feature is automatically enabled when a voice VLAN is configured on the port.
Topology: Catalyst 3550 switch - Cisco 7960 IP phone - PC.

Voice VLAN - Configuration
» Create VLAN 10 = DATA and VLAN 50 = VOICE.
» Assign the ports connecting to PCs to the data VLAN and the ports connecting to IP phones to the voice VLAN.
Topology: f0/1 PC (192.168.1.1/24); f0/2 IP phone with a PC behind it (192.168.1.2/24); f0/3 IP phone only.

Switch(config)#vlan 10
Switch(config-vlan)#name DATA
Switch(config-vlan)#exit
Switch(config)#vlan 50
Switch(config-vlan)#name VOICE
Switch(config-vlan)#exit

Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#int f0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport voice vlan 50
Switch(config-if)#exit
Switch(config)#int f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 50
Switch(config-if)#end

Voice VLAN - Verification
Switch#show vlan
VLAN Name       Status    Ports
1    default    active    Fa0/3, Fa0/9, Fa0/10, Fa0/11
                          Fa0/12, Fa0/13, Fa0/14, Fa0/15
                          Fa0/16, Fa0/17, Fa0/18, Fa0/19
                          Fa0/20, Fa0/21, Fa0/22, Fa0/23
                          Fa0/24, Gi0/1, Gi0/2
10   DATA       active    Fa0/1, Fa0/2
50   VOICE      active    Fa0/2, Fa0/3
(Fa0/2 appears under both VLANs: its access VLAN is 10 and its voice VLAN is 50. Fa0/3 still has access VLAN 1 because only the voice VLAN was set.)

A port with a voice VLAN carries two VLANs, so it behaves like a small trunk. The phone learns which VLAN to tag from CDP (or LLDP-MED), and nothing on the port itself verifies that the device sending tagged frames is a phone. Treat the voice VLAN as a QoS and addressing separation, not as a security boundary, and pair it with port security or 802.1X multi-domain authentication where the voice traffic must be protected.

VTP - VLAN Trunking Protocol
+ Used to share the VLAN configuration with multiple switches and maintain consistency throughout the network.
+ VTP is a Cisco proprietary protocol.
+ VTP manages the addition, deletion and renaming of VLANs across the network from a central point of control (the server): VLANs 10, 20 and 30 created on the server appear on every client in the domain.
+ A switch with no VTP domain configured (the default) adopts the domain name carried in the first VTP advertisement it receives over a trunk, so an unconfigured switch joins the first domain it hears.

VTP modes
1. Server mode
2. Client mode
3.
Transparent mode

Server mode
+ Default mode
+ Creates, modifies and deletes VLANs
+ Synchronizes VLAN configurations
+ Sends and forwards advertisements
+ Saves the configuration in NVRAM

Client mode
+ Cannot add, modify or delete VLANs
+ Synchronizes VLAN configurations
+ Forwards advertisements
+ Does not store its VLAN configuration; it learns it from the server every time it boots up

Transparent mode
+ Adds, modifies and deletes VLANs in its own local database
+ Does not synchronize VLAN configurations
+ Saves the configuration in NVRAM
+ Forwards advertisements

VTP - configuration steps
1. Configure trunking between the switches.
2. Configure the VTP domain (with password and version) on every switch.
3. Create VLANs on the server (or on a transparent switch for local VLANs).
4. Verify on the client.

NOTE:
+ All inter-switch links must be configured as trunks; VTP advertisements are sent only over trunk ports.

VTP - configuration (trunks)
SW-1(config)#int f0/20
SW-1(config-if)#switchport trunk encapsulation dot1q
SW-1(config-if)#switchport mode trunk

SW-2(config)#int range fa0/20 - 21
SW-2(config-if-range)#switchport trunk encapsulation dot1q
SW-2(config-if-range)#switchport mode trunk

SW-3(config)#int f0/21
SW-3(config-if)#switchport trunk encapsulation dot1q
SW-3(config-if)#switchport mode trunk

VTP - configuration (domain)
SW1(config)#vtp domain CCIE
SW1(config)#vtp password cisco123
SW1(config)#vtp version 2
SW1(config)#vtp mode server

SW2(config)#vtp domain CCIE
SW2(config)#vtp password cisco123
SW2(config)#vtp version 2
SW2(config)#vtp mode transparent

SW3(config)#vtp domain CCIE
SW3(config)#vtp password cisco123
SW3(config)#vtp version 2
SW3(config)#vtp mode client

SW2#sh interfaces trunk
Port        Mode   Encapsulation  Status    Native vlan
Fa0/20      on     802.1q         trunking  1
Fa0/21      on     802.1q         trunking  1

Note:
+ The domain name must match and is case sensitive.
+ The VTP password and version must match.
+ VTP runs version 1 by default; version 2 has to be enabled explicitly.

VTP - Verification
SW-1(config)#vlan 10
SW-1(config-vlan)#vlan 20
SW-1(config-vlan)#vlan 30

SW-3#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                          Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/22, Fa0/23, Fa0/24, Gig1/1
                          Gig1/2
10   VLAN0010   active
20   VLAN0020   active
30   VLAN0030   active
(The VLANs created on the server SW-1 have been learned by the client SW-3 through the transparent switch SW-2.)

SW-2(config)#vlan 100
SW-2(config-vlan)#vlan 200
SW-2(config-vlan)#vlan 300

SW-3#sh vlan
VLAN Name       Status    Ports
1    default    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                          Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/22, Fa0/23, Fa0/24, Gig1/1
                          Gig1/2
10   VLAN0010   active
20   VLAN0020   active
30   VLAN0030   active
(VLANs 100, 200 and 300 created on the transparent switch are not propagated.)

SW-1#sh vtp password
VTP Password: cisco123

SW-1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD1 0xBE 0x98 0xAB 0xDD 0xFF 0x2F 0x
Configuration last modified by 0.0.0.0 at 3-1-93 00:36:37
Local updater ID is 0.0.0.0 (no valid interface found)

LAB: VTP
Topology: SW1 (server) f0/20 ---- f0/20 SW2 (transparent) f0/21 ---- f0/21 SW3 (client).
TASK:
1) Configure the links between the switches as trunks (VTP advertisements are sent only on trunk ports).
2) Configure VTP on all switches as per the modes given in the diagram.
3) To verify VTP:
   a. Create VLANs on the server and verify on the client and on the transparent switch.
   b.
Create VLANs on the transparent switch and verify on the client and on the server.

On SW1 (SERVER)
SW-1(config)#int f0/20
SW-1(config-if)#switchport trunk encapsulation dot1q
SW-1(config-if)#switchport mode trunk

On SW2 (TRANSPARENT)
SW-2(config)#int range fa0/20 - 21
SW-2(config-if-range)#switchport trunk encapsulation dot1q
SW-2(config-if-range)#switchport mode trunk

On SW3 (CLIENT)
SW-3(config)#int f0/21
SW-3(config-if)#switchport trunk encapsulation dot1q
SW-3(config-if)#switchport mode trunk

SW1#sh interfaces trunk
Port        Mode   Encapsulation  Status    Native vlan

SW2#sh interfaces trunk
Port        Mode   Encapsulation  Status    Native vlan
Fa0/20      on     802.1q         trunking  1
Fa0/21      on     802.1q         trunking  1

SW-3#sh interfaces trunk
Port        Mode   Encapsulation  Status    Native vlan

TASK:
• Configure VTP on all switches as per the modes given in the diagram (SW1 - SERVER, SW2 - TRANSPARENT, SW3 - CLIENT).
• Make sure that the domain name (case-sensitive), password and version match on all switches; otherwise VTP messages are not accepted.

SW1
SW-1(config)#vtp domain CCNP
SW-1(config)#vtp password cisco123
SW-1(config)#vtp version 2
SW-1(config)#vtp mode server

SW2
SW-2(config)#vtp domain CCNP
SW-2(config)#vtp password cisco123
SW-2(config)#vtp version 2
SW-2(config)#vtp mode transparent

SW3
SW-3(config)#vtp domain CCNP
SW-3(config)#vtp password cisco123
SW-3(config)#vtp version 2
SW-3(config)#vtp mode client

SW1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x86 0x22 0x83 0xBE 0x23 0xA8 0x06 0xCC
Configuration last modified by 0.0.0.0 at 3-1-93 00:07
Local updater ID is 0.0.0.0 (no valid interface found)

SW1#sh vtp password

The current VTP parameters for a management domain can be displayed with the show vtp status command. An identical MD5 digest and revision on the server and the client confirm that they hold the same database.

SW-3#sh vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs
supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x86 0x22 0x83 0xBE 0x23 0xA8 0x06 0xCC
Configuration last modified by 0.0.0.0 at 3-1-93 00:07

To verify VTP
• Create VLANs on the server and verify on the client and on the transparent switch.
• Create VLANs on the transparent switch and verify on the client and on the server.

SW1
SW-1(config)#vlan 10
SW-1(config-vlan)#vlan 20
SW-1(config-vlan)#vlan 30
SW-1(config-vlan)#vlan 40
SW-1(config-vlan)#name sales
SW-1(config-vlan)#vlan 50
SW-1(config-vlan)#name marketing

SW-1#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/21
                                   Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                   Gig1/2
10   VLAN0010            active
20   VLAN0020            active
30   VLAN0030            active
40   sales               active
50   marketing           active
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

SW-3#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                   Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                   Gig1/2
10   VLAN0010            active
20   VLAN0020            active
30   VLAN0030            active
40   sales               active
50   marketing           active

SW-2#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/22
                                   Fa0/23, Fa0/24, Gig1/1, Gig1/2
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

You do not see any of the server's VLANs on the transparent-mode switch, because a transparent switch does not synchronize VLAN information from other switches; it only forwards the advertisements, which is why SW-3 still learned them through SW-2.
SW-2(config)#vlan 100
SW-2(config-vlan)#vlan 200
SW-2(config-vlan)#vlan 300
SW-2(config-vlan)#end

SW2#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/22
                                   Fa0/23, Fa0/24
100  VLAN0100            active
200  VLAN0200            active
300  VLAN0300            active
1002 fddi-default        act/unsup

SW1#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/21
                                   Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                   Gig1/2
10   VLAN0010            active
20   VLAN0020            active
30   VLAN0030            active
40   VLAN0040            active
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

SW3#sh vlan
VLAN Name                Status    Ports
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                   Fa0/17, Fa0/18, Fa0/19, Fa0/21
                                   Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                   Gig1/2
10   VLAN0010            active
20   VLAN0020            active
30   VLAN0030            active
40   VLAN0040            active
1002 fddi-default        act/unsup
1003 token-ring-default  act/unsup
1004 fddinet-default     act/unsup
1005 trnet-default       act/unsup

The VLANs created on the transparent switch are not present on either of the other switches (SW1 or SW3), because a switch in transparent mode does not advertise its own VLAN database. The configuration revision number of a switch in transparent mode is always zero.

SW-2#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 8
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB7 0x9D 0xA5 0xEF 0xDE 0x56 0xC5 0xCF
Configuration last modified by 0.0.0.0 at 3-1-93 00:07

Configuration Revision Number
• VTP uses the configuration revision number to keep track of the most recent VLAN information.
• The VTP advertisement process always starts with configuration revision number 0 (zero).
• When changes are made on a VTP server, the revision number is incremented before the advertisements are sent.
• The higher the number, the more recent the VLAN information: a server or client only accepts an advertisement whose revision number is higher than its own.

Before adding a switch to an existing VTP domain
• Ensure the new switch has VTP revision 0 before adding it to the network. A switch that joins the domain (as server or client, with the matching domain name) with a higher revision number than the domain replaces the VLAN database of every server and client in the domain, so a switch recycled from another network must have its revision reset first.

Change the VTP revision number
SW-3#show flash:
Directory of flash:/
    -rwx     3058048   c2950-i6q4l2-mz.121-22.EA4.bin
    -rwx         556   vlan.dat

• Delete the vlan.dat file from flash and reload:
SW-3#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
SW-3#reload

Three ways to reset the revision number to 0:
• Delete the vlan.dat file from flash and reload.
• Change the switch's VTP mode to transparent and then change the mode back to server/client.
• Change the switch's VTP domain to a bogus name (a non-existent VTP domain), and then change the VTP domain back to the original name.

VTP Versions
VTP version 1                                                | VTP version 2
-------------------------------------------------------------|-------------------------------------------------------------
A transparent switch relays advertisements for its own VTP   | A transparent switch relays advertisements from any VTP
domain only (supports only one domain)                       | domain (version-dependent transparent mode)
Checks the domain name and VTP version before forwarding a   | Does not check the domain name when forwarding; the name
message (forwards only if they match)                        | must still match for the database to be synchronized
Performs consistency checks on every advertisement (more     | Performs consistency checks only when new information is
overhead)                                                    | entered through the CLI or SNMP
No support for Token Ring VLANs                              | Support for Token Ring VLANs

VTP version 3 - Enhancements
VTP version 1/2                                            | VTP version 3
-----------------------------------------------------------|-------------------------------------------------------------
Synchronizes only the VLAN database                        | Synchronizes the VLAN, MSTP and private VLAN databases
Password sent and stored in clear text                     | Password can be clear text or hidden (stored as a hash)
Extended VLAN range (1006-4094) supported only in          | Extended VLANs can be created on the server and are
transparent mode                                           | synchronized
Modes: server, client, transparent                         | Modes: primary server, secondary server, client,
                                                           | transparent, off
Updates the VLAN database based on the revision number     | Updates the VLAN database only if the advertisement comes
(higher wins)                                              | from the primary server

VTP version 3 - Modes
VTP mode           Relay/Process   Configure   Save
PRIMARY SERVER     Yes             Yes         Yes
SECONDARY SERVER   Yes             No          Yes
CLIENT             Yes             No          No
TRANSPARENT        Yes             Yes         Yes
OFF                No              Yes         Yes

VTP version 3 - Verification
TASK:
• Configure the f0/24 port of SW1/SW2 as a trunk port.
• Configure VTP version 3 using the following parameters:
  Domain name     : NOA
  Password hidden : noa123

SW1(config)#vtp domain NOA
SW1(config)#vtp password noa123
SW1(config)#vtp version 3

SW2(config)#vtp domain NOA
SW2(config)#vtp password noa123
SW2(config)#vtp version 3

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0023.041c.5e00

Feature VLAN:
VTP Operating Mode              : Server
Number of existing VLANs        : 5

VTP version 3 - Hidden Password
SW1#sh vtp password
VTP Password: noa123
SW1(config)#vtp password noa123 hidden
SW1#sh vtp password
VTP Password: D00CEE53D59CFCE5C33E56FCF64BDC1A

With the hidden keyword the switch stores and displays only the hash of the password, so it can no longer be read from the configuration or from show output.

Creating a VLAN on the primary server
SW1(config)#vlan 10
VTP VLAN configuration not allowed when device is not the primary server for vlan database.
In VTP version 3 only the primary server for a feature may change that feature's database, so the switch must first be promoted:

SW1#vtp primary vlan
This system is becoming primary server for feature vlan
Enter VTP Password:

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode              : Primary Server

SW1(config)#vlan 10,20,30,40

LAB: VTP version 3
Topology: SW1 f0/24 ---- f0/24 SW2

TASK:
• Configure the f0/24 port of SW1/SW2 as a trunk port.
• Configure VTP version 3 using the following parameters:
  Domain name     : NOA
  Password hidden : noa123

SW1(config)#int f0/24
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#exit

SW2(config)#int f0/24
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#end

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      none

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0023.041c.5e00
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
                                  0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

SW1(config)#vtp domain NOA
SW1(config)#vtp password noa123
SW1(config)#vtp version 3
SW2(config)#vtp domain NOA
SW2(config)#vtp password noa123
SW2(config)#vtp version 3
SW2(config)#end

SW2#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0023.041c.5e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 5
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 0
Primary ID                        : 0000.0000.0000
Primary Description               :
MD5 digest                        :

TASK: Configure the switches so that the VTP password cannot be seen.

SW2#sh vtp password
VTP Password: noa123

SW2(config)#vtp password noa123 ?
  hidden  Set the VTP password hidden option
  secret  Specify the vtp password in encrypted form

SW2(config)#vtp password noa123 hidden
SW1(config)#vtp password noa123 hidden
SW1(config)#end
SW1#sh vtp password
VTP Password: D00CEE53D59CFCE5C33E56FCF64BDC1A

TASK:
• Create VLANs 10, 20, 30 and 40 on SW1 and ensure that they synchronize to both switches.
• Configure SW1 as the primary server so that it can update the database.

SW1(config)#vlan 10
VTP VLAN configuration not allowed when device is not the primary server for vlan database.

SW1#vtp primary vlan
This system is becoming primary server for feature vlan
Enter VTP Password:
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 5
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 1
Primary ID                        : 0022.be79.2e00
Primary Description               : SW1
MD5 digest                        : 0x1E 0xA7 0x5E 0x46 0x94 0xBE 0x95 0xA5
                                    0x9D 0x6E 0xD5 0x69 0x72 0xEF 0x03 0xD0

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

SW1(config)#vlan 10,20,30,40
SW1(config-vlan)#end

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup

SW2#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup

SW2#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0023.041c.5e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 9
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 3
Primary ID                        : 0022.be79.2e00
Primary Description               : SW1
MD5 digest                        : 0xBF 0x17 0x16 0xA3 0x73 0x09 0x0F 0x2E
                                    0xEC 0x19 0x4F 0xCA 0x13 0xEE 0xD4 0x79

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

SW2 (a secondary server) has learned the VLANs and records SW1 as the primary server; with version 3 it would reject an advertisement from any other device, whatever its revision number.

TASK: Create extended VLANs 2000-2001 on SW1.

SW1(config)#vlan 2000-2001
SW1(config-vlan)#end

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup
2000 VLAN2000             active
2001 VLAN2001             active

SW2#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup
2000 VLAN2000             active
2001 VLAN2001             active

Unlike version 1/2, VTP version 3 synchronizes the extended-range VLANs (2000 and 2001) to SW2.

TASK: Promote SW2 to be the primary server and create VLANs 3000-3001 on SW2.

SW2#vtp primary vlan
This system is becoming primary server for feature vlan
Enter VTP Password:
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

SW2#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0023.041c.5e00

Feature VLAN:
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 9
Number of existing extended VLANs : 2
Maximum VLANs supported locally   : 1005
Configuration Revision            : 4
Primary ID                        : 0023.041c.5e00
Primary Description               : SW2
MD5 digest                        : 0x1D 0x11 0xA3 0x1F 0x76 0x7C 0xE7 0xD7
                                    0x1B 0x28 0xB9 0xBD 0xF0 0x71 0x1E 0xBC

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 9
Number of existing extended VLANs : 2
Maximum VLANs supported locally   : 1005
Configuration Revision            : 4
Primary ID                        : 0023.041c.5e00
Primary Description               : SW2
MD5 digest                        : 0x1D 0x11 0xA3 0x1F 0x76 0x7C 0xE7 0xD7
                                    0x1B 0x28 0xB9 0xBD 0xF0 0x71 0x1E 0xBC

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

Only one primary server exists per feature at a time: promoting SW2 demoted SW1 back to (secondary) server, and both switches now list SW2 as the Primary ID.

SW2(config)#vlan 3000-3001
SW2(config-vlan)#end

SW2#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup
2000 VLAN2000             active
2001 VLAN2001             active
3000 VLAN3000             active
3001 VLAN3001             active

TASK:
• Configure MSTP on SW1 and ensure that SW2 also synchronizes the MSTP configuration information.

SW1#sh spanning-tree mst configuration
% Switch is not in mst mode
Name      []
Revision  0     Instances configured 1
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-4094

SW1#vtp primary mst
SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 9
Number of existing extended VLANs : 4
Maximum VLANs supported locally   : 1005
Configuration Revision            : 5
Primary ID                        : 0023.041c.5e00
Primary Description               : SW2
MD5 digest                        : 0xB0 0xFA 0x11 0x95 0x0F 0xA9 0xF3 0x58
                                    0x38 0x96 0xDE 0x1B 0x26 0x37 0x8F 0xD9

Feature UNKNOWN:
VTP Operating Mode                : Transparent

The MST feature is still in transparent mode on SW1, so the promotion has no effect until the feature is set to server mode:

SW1(config)#vtp mode server mst
SW1(config)#end
SW1#vtp primary mst
This system is becoming primary server for feature mst
Enter VTP Password:
No conflicting VTP3 devices found.
Do you want to continue?
[confirm]

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 9
Number of existing extended VLANs : 4
Maximum VLANs supported locally   : 1005
Configuration Revision            : 5
Primary ID                        : 0023.041c.5e00
Primary Description               : SW2
MD5 digest                        : 0xB0 0xFA 0x11 0x95 0x0F 0xA9 0xF3 0x58
                                    0x38 0x96 0xDE 0x1B 0x26 0x37 0x8F 0xD9

Feature MST:
VTP Operating Mode                : Primary Server
Configuration Revision            :
Primary ID                        : 0022.be79.2e00
Primary Description               : SW1
MD5 digest                        : 0x86 0x43 0x4F 0x9D 0x7C 0x8F 0x0F 0xEB
                                    0x1F 0x25 0xD2 0x5A 0x55 0x98 0xE7 0x19

Feature UNKNOWN:
VTP Operating Mode                : Transparent

Each feature (VLAN, MST) has its own primary server: SW2 is primary for the VLAN database while SW1 is primary for MST.

SW2(config)#vtp mode client mst

SW1(config)#spanning-tree mode mst
SW1(config)#spanning-tree mst configuration
SW1(config-mst)#name CCIE
SW1(config-mst)#revision 1
SW1(config-mst)#instance 1 vlan 10,20
SW1(config-mst)#instance 2 vlan 30,40
SW1(config-mst)#exit

SW1#sh spanning-tree mst configuration
Name      [CCIE]
Revision  1     Instances configured 3
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-4094
1         10,20
2         30,40

SW2#sh spanning-tree mst configuration
% Switch is not in mst mode
Name      [CCIE]
Revision  1     Instances configured 3
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-4094
1         10,20
2         30,40

The MST region name, revision and instance-to-VLAN mapping were synchronized to SW2 by VTP, even though SW2 is not yet running MST; it only needs the mode enabled:

SW2(config)#spanning-tree mode mst

SW2#sh spanning-tree mst configuration
Name      [CCIE]
Revision  1     Instances configured 3
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-4094
1         10,20
2         30,40

TASK:
• Configure private VLAN information on SW2 and verify that VTP synchronizes the private VLAN information.
SW2(config)#vlan 10
SW2(config-vlan)#vlan 100
SW2(config-vlan)#vlan 200
SW2(config-vlan)#exit
SW2(config)#vlan 10
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#exit
SW2(config)#vlan 100
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#exit
SW2(config)#vlan 200
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#exit
SW2(config)#vlan 10
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#private-vlan association 100,200
SW2(config-vlan)#exit

SW2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      100       isolated
10      200       community

SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      100       isolated
10      200       community

SW1#sh vlan
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                    Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                    Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
100  VLAN0100             active
200  VLAN0200             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup
2000 VLAN2000             active
2001 VLAN2001             active
3000 VLAN3000             active
3001 VLAN3001             active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
1    enet  100001 1500 -      -      -        -    -        0      0
10   enet  100010 1500 -      -      -        -    -        0      0
20   enet  100020 1500 -      -      -        -    -        0      0
30   enet  100030 1500 -      -      -        -    -        0      0
40   enet  100040 1500 -      -      -        -    -        0      0
100  enet  100100 1500 -      -      -        -    -        0      0
200  enet  100200 1500 -      -      -        -    -        0      0
1002 fddi  101002 1500 -      -      -        -    -        0      0
1003 trcrf 101003 4472 1005   3276   -        -    srb      0      0
1004 fdnet 101004 1500 -      -      -        ieee -        0      0
1005 trbrf 101005 4472 -      -      15       ibm  -        0      0
2000 enet  102000 1500 -      -      -        -    -        0      0
2001 enet  102001 1500 -      -      -        -    -        0      0
3000 enet  103000 1500 -      -      -        -    -        0      0
3001 enet  103001 1500 -      -      -        -    -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

The private VLAN types and associations configured on SW2 (the VLAN primary server) appear on SW1 without any configuration there.

TASK: Configure SW1 to disable VTP globally, or at interface level on f0/23.

SW1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0022.be79.2e00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 11
Number of existing extended VLANs : 4
Maximum VLANs supported locally   : 1005
Configuration Revision            : 12
Primary ID                        : 0023.041c.5e00
Primary Description               : SW2
MD5 digest                        : 0xEE 0x2B 0x19 0x0E 0xD1 0xBD 0xF9 0x96
                                    0x34 0xE5 0x14 0xD1 0x68 0xB1 0xF2 0xB3

Feature MST:
VTP Operating Mode                : Primary Server
Configuration Revision            : 2
Primary ID                        : 0022.be79.2e00
Primary Description               : SW1
MD5 digest                        : 0x03 0x46 0xEB 0xBA 0x16 0x90 0xAC 0x22
                                    0xB3 0x6F 0x31 0x99 0x5C 0x0E 0x9B 0xF8

Feature UNKNOWN:
VTP Operating Mode                : Transparent

TASK: Disable VTP on SW1 using mode off.

SW1(config)#vtp mode off vlan
Setting device to VTP Off mode for VLANS.
SW1(config)#vtp mode off mst
Setting device to VTP Off mode for MST.

In off mode the switch neither processes nor relays VTP advertisements for that feature (see the modes table above), so the trunk behind it is isolated from the rest of the domain.

TASK: Re-enable VTP on SW1 (VLAN and MST) and disable VTP only on interface f0/23.

SW1(config)#vtp mode server vlan
Setting device to VTP Server mode for VLANS.
SW1(config)#vtp mode server mst
Setting device to VTP Server mode for MST.
SW1(config)#int f0/23
SW1(config-if)#no vtp
SW1(config-if)#end

The per-interface "no vtp" command (VTP version 3 only) stops advertisements from being sent or processed on that trunk, which is useful on a trunk towards a device you do not want to be able to change the VLAN database.

TASK: Create VLAN 199, enable RSPAN on it, and ensure that this information synchronizes as well.

SW2(config)#vlan 199
SW2(config-vlan)#remote-span
SW2(config-vlan)#end

SW2#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
199

SW1#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
199

VTP pruning
• VTP pruning uses trunk bandwidth more efficiently by reducing unnecessary flooded traffic. Broadcast, multicast and unknown-unicast frames on a VLAN are forwarded over a trunk link only if the switch on the receiving end of the trunk has ports in that VLAN.
• Example: station A sends a broadcast in the red VLAN. With pruning disabled, the broadcast is flooded across every trunk in the domain; with pruning enabled, it is flooded only towards switches with ports assigned to the red VLAN, and is pruned on the trunks towards the other switches.

server(config)#vtp pruning
• Enabling pruning on a VTP server enables it for the entire domain.
• VLAN 1 can never be pruned because it is an administrative VLAN.
Rack1SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 6
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : core
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

VTP pruning - Verification
Switch#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-1005

Port        Vlans allowed and active in management domain
Fa0/2       1,10,20,1002,1003,1004,1005

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1,10,20,1002,1003,1004,1005

Rack1SW1#show interface fa0/16 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/16      7-8,10,22,58,67,146

Port        Vlan traffic requested of neighbor
Fa0/16      1,5,7-10,22,43,58,67,79,146

Manual pruning of VLANs
Independently of VTP pruning, you can decide which VLANs are allowed on a trunk with the allowed-VLAN list on the trunk port:

SW1(config)#interface FastEthernet 0/20
SW1(config-if)#switchport trunk allowed vlan 10,20

NOTE: It is important that this command be applied on both ends of a given link; a VLAN allowed on only one end is silently dropped by the other.

SW1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/20      10,20

Port        Vlans allowed and active in management domain
Fa0/20      10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      10,20

LAB: VTP pruning
Topology: SW1 (VTP server) f0/19, f0/20 ---- f0/19, f0/20 SW2 (VTP client)

TASK:
• Configure the links f0/19 and f0/20 between SW1 and SW2 as trunk links.
• SW1 = server, SW2 = client; domain NOA (version 2); password noa123.
• Create VLANs 10, 20, 30 and 40 and ensure that VTP synchronizes them to the other switch.
SW1(config)#int range f0/19 - 20
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#exit

SW2(config)#int range f0/19 - 20
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#end

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1
Fa0/20      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1
Fa0/20      1

SW1(config)#vtp domain NOA
SW1(config)#vtp password noa123
SW1(config)#vtp version 2

SW2(config)#vtp mode server
SW2(config)#vtp domain NOA
SW2(config)#vtp password noa123
SW2(config)#vtp version 2
SW2(config)#vtp mode client

SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config-vlan)#vlan 30
SW1(config-vlan)#vlan 40
SW1(config-vlan)#exit

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                    Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/21, Fa0/22, Fa0/23
                                    Fa0/24, Gi0/1, Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40
Fa0/20      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,10,20,30,40
Fa0/20      1,10,20,30,40

By default a trunk allows all VLANs, irrespective of whether the switch at the far end has any active ports in those VLANs.
TASK:
• Configure VTP pruning on the VTP server so that the trunk links prune the VLANs that are not active on the switch at the far end.

SW1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x34 0xFB 0xE4 0x98 0x79 0xEA 0x38 0x2C
Configuration last modified by 192.168.1.51 at 3-1-93 01:16:06
Local updater ID is 192.168.1.51 on interface Vl1 (lowest numbered VLAN interface found)

SW2#sh vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : NOA
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x34 0xFB 0xE4 0x98 0x79 0xEA 0x38 0x2C
Configuration last modified by 192.168.1.51 at 3-1-93 01:16:06

SW1(config)#vtp pruning
SW1(config)#end

SW1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 6
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : NOA
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x06 0xBC 0xF4 0x35 0xF9 0x8C 0x69 0xF7
Configuration last modified by 192.168.1.51 at 3-1-93 01:19:10
Local updater ID is 192.168.1.51 on interface Vl1 (lowest numbered VLAN interface found)

SW2#sh vtp status
VTP Version                     : 2
Configuration Revision          : 6
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : NOA
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x06 0xBC 0xF4 0x35 0xF9 0x8C 0x69 0xF7
Configuration last modified by 192.168.1.51 at 3-1-93 01:19:10

Enabling pruning on the server incremented the revision number and was propagated to the client together with the rest of the domain state.

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management
domain
Fa0/19      1,10,20,30,40
Fa0/20      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1
Fa0/20      1

By default, in this lab only port f0/1 is connected, in VLAN 1, so VLAN 1 is the only active VLAN, and VLAN 1 is never pruned anyway. To verify the pruning behaviour, VLANs 10, 20, 30 and 40 have been created on the server and synchronized to both switches; we now create an SVI for some of those VLANs on each switch to make them active there (in a real network the VLANs would be made active by the PCs connected to access ports in them; no PCs or routers are added for this test).

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                    Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/21, Fa0/22, Fa0/23
                                    Fa0/24, Gi0/1, Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup

SW1(config)#int vlan 10
SW1(config-if)#exit
SW1(config)#int vlan 20
SW1(config-if)#exit

Once the SVIs for VLAN 10 and 20 exist on SW1, SW1 sends a VTP join message on its trunks requesting those VLANs, and SW2 moves them from the pruned list to the not-pruned list.
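As an added worked example (not code from the workbook), this Python script models what the three VLAN sections of "show interfaces trunk" contain, using the same rules the lab demonstrates: the allowed list (with the add, remove, except, none and all keywords), the set of VLANs active in the domain, the pruning join request a neighbour sends (VLANs it has ports or SVIs in, plus any VLAN it has removed from its prune-eligible list), and the default prune-eligible list 2-1001. The VLAN-list parser and formatter are written here for the example; the SVI placement (10 and 20 on SW1, 30 and 40 on SW2) follows the lab, and the interpretation of `switchport trunk pruning vlan remove 199` as "always requested, never pruned on this trunk" is the assumption that makes the model reproduce the captures.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))
# Default prune-eligible list: VLAN 1 and the reserved 1002-1005 are never pruned.
DEFAULT_PRUNE_ELIGIBLE = frozenset(range(2, 1002))


def parse_vlan_list(spec):
    """Parse an IOS-style VLAN list such as '1,10,20-30'; also 'all' and 'none'."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec in ("", "none"):
        return set()
    vlans = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set the way 'show interfaces trunk' prints it: '1,10,20-22,199'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    out, start, prev = [], ids[0], ids[0]
    for v in ids[1:] + [None]:
        if v is not None and v == prev + 1:
            prev = v
            continue
        out.append(str(start) if start == prev else f"{start}-{prev}")
        if v is not None:
            start = prev = v
    return ",".join(out)


def apply_list_command(current, keyword, spec=""):
    """Keywords of 'switchport trunk allowed vlan' and 'switchport trunk pruning vlan'."""
    ops = {
        "set": lambda: parse_vlan_list(spec),
        "add": lambda: current | parse_vlan_list(spec),
        "remove": lambda: current - parse_vlan_list(spec),
        "except": lambda: set(ALL_VLANS) - parse_vlan_list(spec),
        "none": lambda: set(),
        "all": lambda: set(ALL_VLANS),
    }
    return ops[keyword]()


def join_request(local_port_vlans, allowed_active, prune_eligible):
    """VLANs a switch asks its neighbour for in its VTP join: those with local
    ports (SVIs count) plus any VLAN it has made prune-ineligible on the trunk."""
    return (local_port_vlans | (allowed_active - prune_eligible)) & allowed_active


def trunk_view(allowed, active_in_domain, pruning_enabled, prune_eligible,
               requested_by_neighbor, stp_forwarding=True):
    """Reproduce the three VLAN sections of 'show interfaces trunk' for one port."""
    allowed_active = allowed & active_in_domain
    if not stp_forwarding:                     # port blocked by STP: nothing forwards
        forwarding = set()
    elif pruning_enabled:
        forwarding = {v for v in allowed_active
                      if v not in prune_eligible or v in requested_by_neighbor}
    else:
        forwarding = allowed_active
    return {"allowed": format_vlan_list(allowed),
            "allowed_and_active": format_vlan_list(allowed_active),
            "forwarding_not_pruned": format_vlan_list(forwarding)}


def workbook_fa0_19():
    """Lab state after 'switchport trunk pruning vlan remove 199' on SW1's trunks:
    SW1 has SVIs in VLANs 10 and 20, SW2 in 30 and 40, VLAN 199 has no ports."""
    active = {1, 10, 20, 30, 40, 199}
    allowed = set(ALL_VLANS)
    sw1_eligible = apply_list_command(set(DEFAULT_PRUNE_ELIGIBLE), "remove", "199")
    sw1_request = join_request({1, 10, 20}, allowed & active, sw1_eligible)
    sw2_request = join_request({1, 30, 40}, allowed & active, DEFAULT_PRUNE_ELIGIBLE)
    return {
        "SW1": trunk_view(allowed, active, True, sw1_eligible, sw2_request),
        "SW2": trunk_view(allowed, active, True, DEFAULT_PRUNE_ELIGIBLE, sw1_request),
    }


if __name__ == "__main__":
    for name, view in workbook_fa0_19().items():
        print(name, "Fa0/19", view)
```

`workbook_fa0_19()` returns "1,30,40,199" as the forwarding-and-not-pruned list for SW1 Fa0/19 and "1,10,20,199" for SW2 Fa0/19, the same values the captures later in this lab show, and the same functions reproduce the manual allowed-list results (`set`, then `add 50,60`, then `remove 10` gives "1,20,30,40,50,60,199"). A port blocked by STP reports "none", which is why Fa0/20 shows an empty list on the client side.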
SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40
Fa0/20      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,10,20
Fa0/20      none

SW2#sh interfaces f0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      30,40

Port        Vlan traffic requested of neighbor
Fa0/19      1,30,40

SW2(config)#int vlan 30
SW2(config-if)#int vlan 40
SW2(config-if)#end

Once the SVIs for VLAN 30 and 40 exist on SW2, SW2 requests those VLANs from its neighbour and SW1 moves them to the not-pruned list.

SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40
Fa0/20      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,30,40
Fa0/20      1

SW1#sh interfaces f0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      10,20

Port        Vlan traffic requested of neighbor
Fa0/19      1,10,20

VTP prune-eligible list
• By default every VLAN from 2 to 1001 is prune eligible (VLAN 1 and the reserved VLANs 1002-1005 are never pruned). VLANs can be removed from this list per trunk so that they are always carried, even when there are no active ports in them on the far side.

TASK:
• Create VLAN 199 and ensure that VLAN 199 is not pruned even though it has no active ports.
Default VLAN prune-eligible list: 2-1001

SW1(config)#vlan 199
SW1(config-vlan)#exit
SW1(config)#int range f0/19 - 20
SW1(config-if-range)#switchport trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

SW1(config-if-range)#switchport trunk pruning vlan remove 199
SW1(config-if-range)#exit

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,10,20,199
Fa0/20      none

SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,30,40,199
Fa0/20      1

VLAN 199 is now carried on both ends of the trunk although neither switch has a port in it.

TASK: Manual pruning
• Disable the VTP pruning configured above.
• Configure SW1/SW2 to allow only VLANs 1, 10, 20, 30, 40 and 199 on their respective trunk links (irrespective of whether they are active or not).

SW1(config)#no vtp pruning
Pruning switched off
SW1(config)#int range f0/19 - 20
SW1(config-if-range)#switchport trunk allowed vlan 1,10,20,30,40,199
SW1(config-if-range)#exit

SW2(config)#int range f0/19 - 20
SW2(config-if-range)#switchport trunk allowed vlan 1,10,20,30,40,199
SW2(config-if-range)#end

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans in spanning tree forwarding state and not pruned

TASK:
• Create VLANs 50 and 60 and add them to the allowed list on the trunks.
• Configure the trunks to remove VLAN 10 from the allowed VLAN list.

SW1(config)#vlan 50
SW1(config-vlan)#vlan 60
SW1(config-vlan)#exit

SW1#sh vlan brief
VLAN Name                 Status    Ports
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                    Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/21, Fa0/22, Fa0/23
                                    Fa0/24, Gi0/1, Gi0/2
10   VLAN0010             active
20   VLAN0020             active
30   VLAN0030             active
40   VLAN0040             active
50   VLAN0050             active
60   VLAN0060             active
199  VLAN0199             active
1002 fddi-default         act/unsup
1003 trcrf-default        act/unsup
1004 fddinet-default      act/unsup
1005 trbrf-default        act/unsup

SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans allowed and active in management domain
Fa0/19      1,10,20,30,40,199
Fa0/20      1,10,20,30,40,199

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,10,20,30,40,199
Fa0/20      1

The new VLANs 50 and 60 are not carried on the trunks until they are added to the allowed list (use add and remove, not a bare list, so that the existing entries are kept):

SW1(config)#int range f0/19 - 20
SW1(config-if-range)#switchport trunk allowed vlan add 50,60
SW1(config-if-range)#switchport trunk allowed vlan remove 10
SW1(config-if-range)#exit

SW1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1,20,30,40,50,60,199
Fa0/20      1,20,30,40,50,60,199

Port        Vlans allowed and active in management domain
Fa0/19      1,20,30,40,50,60,199
Fa0/20      1,20,30,40,50,60,199

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,20,30,40,50,60,199
Fa0/20      1,50,60

SW2(config)#int range f0/19 - 20
SW2(config-if-range)#switchport trunk allowed vlan add 50,60
SW2(config-if-range)#switchport trunk allowed vlan remove 10
SW2(config-if-range)#end

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1,20,30,40,50,60,199
Fa0/20      1,20,30,40,50,60,199

Port        Vlans allowed and active in management domain
Fa0/19      1,20,30,40,50,60,199
Fa0/20      1,20,30,40,50,60,199

Port        Vlans in spanning tree forwarding state and not pruned

Spanning-tree protocol

Bridging loops
• A redundant link between switches provides redundancy.
• It also creates the possibility of loops, because switches flood broadcasts out of every port except the one they were received on. The consequences are:
  1. Broadcast storms
  2. MAC-table instability
  3. Multiple frame transmissions

Broadcast storm
• Host A sends a broadcast.
• With two links between the switches, each switch floods the broadcast back to the other, and the switches continue to propagate the broadcast traffic over and over.

Bridging loops (solution)
• Use only one link between switches (no redundancy).
• Shut down the extra link temporarily:
  Manually (shutdown command)
  Automatically block the extra link (done by STP)

Spanning-tree Protocol
• STP stops the loops which occur when you have multiple links between switches.
• STP stops broadcast storms, multiple frame copies and MAC database instability.
• STP is an open standard (IEEE 802.1D).
• STP is enabled by default on all Cisco Catalyst switches.

How STP works
1. Selecting the root bridge
2. Selecting the root port
3. Selecting the designated and non-designated ports

1) Selecting the root bridge
• The bridge with the best (lowest) Bridge ID.
• Bridge ID = priority + MAC address of the switch (lowest is best).
• Out of all the switches in the network, one is elected as the root bridge, which becomes the focal point of the network.
• Default priority on Cisco switches = 32768.
• Use show version to verify the base MAC address.
• Example (all at priority 32768): 0001:1234:1234 becomes the root bridge; 0111:1212:1212 and 1111:4343:3334 are non-root bridges.
• Every LAN has only one root bridge, and all the remaining switches are considered non-root bridges.
2) Selecting the Root Port: NOA eTWORE ONE ACADBY » Shortest path to the Root bridge » Every Non-root Bridge looks the best way to go Root-bridge Root Bridge Non-Root Bridge _Non-Root Bridge 2) Selecting the Root Port: » Shortest path to the Root bridge » Every Non-root Bridge looks the best way to go Root-bridge Root Bridge Non-Root Bridge Non-Root Bridge MOA. Root port selection based on Cost » least cost (Speed) [Bandwidth Port Cost 10 Mbps 1100 Root Bridge 1100 Mbps 1-Gigabit Ethernet '10-Gigabit Ethernet —~*"_ Non-Root Bridge Non-Root Bridge _ » For every non-root bridge there is only one root port. Root port selection based on Cost » least cost (Speed) Bandwidth Port Cost ho Mbps hoo Root Bridge 1100 Mbps ——¥ 1-Gigabit Ethernet '0-Gigabit Ethernet Non-Root Bridge Non-Root Bridge » For every non-root bridge there is only one root port. Root port selection MW a A. » least cost (Speed) ar > Bridge-ID of forwarding switch ca > Least port ( forwarding switch) K » \ 1111:4343:3334 | 32768 a Non-Root Bridge _ 0111:1212:1212 32768 Roower aa Root port selection «© Teast cost (Speed) » Bridge-ID of forwarding switch © Least port ( forwarding switch) 3) Selecting Designated port & Non Designated port NGA. » least cost (Speed) » The least local Switch ID. » Lowest local Port Number. ; Root Bridge 0001:1234:1234 32768 0111:1212:1212 32768 1111:4343:3334 32768 Root bridge — central switch all the traffic forwarded. Root Bridge mi Non-Root Bridge Non-Root Bridge BPDU MOA. » All switches exchange information through what is called as Bridge Protocol Data Units (BPDUs) > BPDUs are sent every 2 sec and dead = 20 sec > ABPDU contains information regarding ports, switches, port priority and addresses. Root Bridge Non-Root Bridge Non-Root Bridge STP Convergence nerwon OA, STP port states > Blocking 20 Sec or No Limits > Listening 15 Sec. » Learning 15 Sec. Root Bridge » Forwarding No Limits. > Disable No Limits. 
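The three selection rules above, root bridge, root port and designated port with their tie-breakers, put into a small simulator. This is an added example, not code from the workbook: the bridge IDs are the three MAC addresses from the verifying spanning-tree lab that follows, the cabling (SW1 Fa0/20 - SW2 Fa0/20, SW1 Fa0/21 - SW3 Fa0/21, SW2 Fa0/22 - SW3 Fa0/22) is inferred from that lab's show spanning-tree output, every link is assumed to be Fast Ethernet (cost 19), and all function and class names are the example's own.

```python
"""IEEE 802.1D election on a small topology (added example, not from the workbook)."""
import heapq

FAST_ETHERNET_COST = 19  # 802.1D short path cost for 100 Mbps


def bridge_id(priority, mac, vlan):
    """Bridge ID with extended system ID: (priority + VLAN number, MAC). Lowest wins."""
    return (priority + vlan, mac.replace(".", "").lower())


class Switch:
    def __init__(self, name, mac, priority=32768):
        self.name, self.mac, self.priority = name, mac, priority
        self.ports = {}  # local port number -> (neighbor Switch, neighbor port, local port cost)

    def bid(self, vlan):
        return bridge_id(self.priority, self.mac, vlan)


def connect(a, port_a, b, port_b, cost=FAST_ETHERNET_COST):
    """Cable port_a of a to port_b of b; both ends use the same port cost."""
    a.ports[port_a] = (b, port_b, cost)
    b.ports[port_b] = (a, port_a, cost)


def run_stp(switches, vlan=1):
    """Return {'root': name, 'roles': {switch: {port: 'Root'|'Desg'|'Altn'}}, 'cost': {...}}."""
    root = min(switches, key=lambda s: s.bid(vlan))
    by_name = {s.name: s for s in switches}
    # Root path cost: each hop adds the cost of the port the BPDU is *received* on.
    cost_to_root = {s.name: float("inf") for s in switches}
    cost_to_root[root.name] = 0
    heap = [(0, root.bid(vlan), root.name)]
    while heap:
        d, _, name = heapq.heappop(heap)
        if d > cost_to_root[name]:
            continue
        for nbr, nbr_port, _ in by_name[name].ports.values():
            nd = d + nbr.ports[nbr_port][2]
            if nd < cost_to_root[nbr.name]:
                cost_to_root[nbr.name] = nd
                heapq.heappush(heap, (nd, nbr.bid(vlan), nbr.name))
    roles = {s.name: {} for s in switches}
    for s in switches:
        root_port = None
        if s is not root:
            # Root port: lowest (root path cost, sender BID, sender port ID, own port ID).
            root_port = min(
                s.ports,
                key=lambda p: (cost_to_root[s.ports[p][0].name] + s.ports[p][2],
                               s.ports[p][0].bid(vlan), s.ports[p][1], p))
        for port, (nbr, nbr_port, _) in s.ports.items():
            if port == root_port:
                roles[s.name][port] = "Root"
                continue
            # Designated port on a segment: lowest (root path cost, BID, port ID) of the two ends;
            # the losing end becomes alternate (blocking).
            mine = (cost_to_root[s.name], s.bid(vlan), port)
            theirs = (cost_to_root[nbr.name], nbr.bid(vlan), nbr_port)
            roles[s.name][port] = "Desg" if mine < theirs else "Altn"
    return {"root": root.name, "roles": roles, "cost": cost_to_root}


def build_lab(sw1_priority=32768):
    """The three-switch lab; MAC addresses from its show spanning-tree output, cabling inferred."""
    sw1 = Switch("SW1", "00D0.580D.2EE0", sw1_priority)
    sw2 = Switch("SW2", "0007.ECCD.AC82")
    sw3 = Switch("SW3", "00D0.971E.4EAE")
    connect(sw1, 20, sw2, 20)
    connect(sw1, 21, sw3, 21)
    connect(sw2, 22, sw3, 22)
    return [sw1, sw2, sw3]


if __name__ == "__main__":
    # Default priorities: SW2 (lowest MAC) is root and SW3 Fa0/21 blocks.
    # SW1 with priority 0: SW1 is root and SW3 Fa0/22 blocks instead.
    for prio in (32768, 0):
        result = run_stp(build_lab(prio))
        print(f"SW1 priority {prio}: root = {result['root']}")
        for sw, ports in result["roles"].items():
            print("  ", sw, {f"Fa0/{p}": role for p, role in sorted(ports.items())})
```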
LAB: VERIFYING SPANNING-TREE
[Figure: three switches SW1, SW2 and SW3 connected in a triangle]
Command used: show spanning-tree

TASK: Find the Root Bridge and the alternate port (BLK).

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.580D.2EE0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p

SW2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0007.ECCD.AC82
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW3#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.971E.4EAE
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

TASK:
• To verify the STP convergence process, shut down the f0/20 port of SW1 and verify with show spanning-tree.

SW1(config)#int f0/20
SW1(config-if)#shutdown

Once the f0/20 interface of SW1 or SW2 goes down, the alternate port f0/21 (SW3) comes to forwarding after a delay of 50 sec:
• BLK  20 sec
• LSN  15 sec
• LRN  15 sec

SW3#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.971E.4EAE
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

TASK: Configure the f0/20 port of SW1 back to its normal state (no shutdown).

SW1(config)#int f0/20
SW1(config-if)#no shutdown

SW3#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.971E.4EAE
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0007.ECCD.AC82
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.580D.2EE0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p

• SW3 f0/21 goes back to the BLK state.
• SW1 f0/20 comes back to the normal forwarding state after a 30 sec delay (15 sec LSN, 15 sec LRN).

TASK: Configure SW1 to be the Root Bridge for VLAN 1 by changing the priority value.
• Verify the STP port state changes once we change the Root Bridge.

Configuring Spanning Tree
To change the STP priority value, use the following:
  Switch(config)# spanning-tree vlan <vlan-id> priority <priority value>

SW1(config)#spanning-tree vlan 1 priority 0
SW1(config)#end

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     00D0.580D.2EE0
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    1  (priority 0 sys-id-ext 1)
             Address     00D0.580D.2EE0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p

SW3#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     00D0.580D.2EE0
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.971E.4EAE
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/21      Root FWD 19     128.21   P2p
Fa0/22      Altn BLK 19     128.22   P2p

By default, STP is enabled for all active VLANs and on all ports of a switch. STP should remain enabled in a network to prevent bridging loops from forming. However, you might find that STP has been disabled in some way.
If an entire instance of STP has been disabled, you can re-enable it with the following global configuration command:
  Switch(config)# spanning-tree vlan vlan-id
If STP has been disabled for a specific VLAN on a specific port, you can re-enable it with the following interface configuration command:
  Switch(config-if)# spanning-tree vlan vlan-id

[Figure: SW1 and SW2 connected by two links, f0/19 and f0/20]

TASK:
• Connect SW1 and SW2 as per the diagram on the f0/19 and f0/20 ports.
• Configure SW1 to be the root bridge for all VLANs (including future VLANs).
• Identify the root ports, designated ports and blocking ports.

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.be78.8300
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Desg FWD 19     128.19   P2p
Fa0/20      Desg FWD 19     128.20   P2p

• By default in my case, SW2 is elected as Root Bridge based on the best bridge ID.
• As per the task we need to configure SW1 to become the Root Bridge with the least priority value.

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.be78.8300
             Cost        19
             Port        19 (FastEthernet0/19)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/1       Desg FWD 19     128.1    Edge P2p
Fa0/19      Root FWD 19     128.19   P2p

SW1(config)#spanning-tree vlan 1-4094 root primary

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/1       Desg FWD 19     128.1    Edge P2p
Fa0/19      Desg FWD 19     128.19   P2p
Fa0/20      Desg FWD 19     128.20   P2p

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             Cost        19
             Port        19 (FastEthernet0/19)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Root FWD 19     128.19   P2p
Fa0/20      Altn BLK 19     128.20   P2p

• As per the default configuration, SW2 f0/20 goes into the blocking state based on the STP root port and designated port conditions.

TASK:
• Configure SW2 to ensure that f0/20 is in the forwarding state (f0/19 in blocking).

SW2(config)#int f0/20
SW2(config-if)#spanning-tree cost 4
SW2(config-if)#end

or

SW2(config)#interface FastEthernet0/19
SW2(config-if)#spanning-tree cost 100
SW2(config-if)#exit

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             Cost        19
             Port        20 (FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Altn BLK 100    128.19   P2p
Fa0/20      Root FWD 19     128.20   P2p

TASK
• Remove the cost configured in the previous task.
• Achieve the same result by making changes somewhere other than SW2 (on SW1).

SW2(config)#int f0/19
SW2(config-if)#no spanning-tree cost 100
SW2(config-if)#exit

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             Cost        19
             Port        19 (FastEthernet0/19)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Root FWD 19     128.19   P2p
Fa0/20      Altn BLK 19     128.20   P2p

SW1(config)#int f0/20
SW1(config-if)#spanning-tree port-priority ?
  <0-240>  port priority in increments of 16
SW1(config-if)#spanning-tree port-priority 0
SW1(config-if)#end

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/1       Desg FWD 19     128.1    Edge P2p
Fa0/19      Desg FWD 19     128.19   P2p
Fa0/20      Desg FWD 19     0.20     P2p

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             Cost        19
             Port        20 (FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Altn BLK 19     128.19   P2p

TASK: Changing STP timers
• Configure the root bridge so that the switches generate Spanning-Tree hello packets every 3 seconds.
• When a new port becomes active, it should wait 20 seconds before transitioning to the forwarding state.
• If the switches do not hear a configuration message within 10 seconds, they should attempt reconfiguration.
• This configuration should affect all currently active VLANs and any additional VLANs created in the future.

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/1       Desg FWD 19     128.1    Edge P2p
Fa0/19      Desg FWD 19     128.19   P2p
Fa0/20      Desg FWD 19     0.20     P2p

Downstream devices from the root bridge inherit the timers configured on the root.

SW1(config)#spanning-tree vlan 1-4094 hello-time 3
SW1(config)#spanning-tree vlan 1-4094 forward-time 10
SW1(config)#spanning-tree vlan 1-4094 max-age 10
SW1(config)#end

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             This bridge is the root
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  3 sec  Max Age 10 sec  Forward Delay 10 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/1       Desg FWD 19     128.1    Edge P2p
Fa0/19      Desg FWD 19     128.19   P2p
Fa0/20      Desg FWD 19     0.20     P2p
SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000b.bee2.fa00
             Cost        19
             Port        20 (FastEthernet0/20)
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/19      Altn BLK 19     128.19   P2p
Fa0/20      Root FWD 19     128.20   P2p

Hierarchical Campus Model
[Figure: hierarchical campus model showing the high-speed core, the edge distribution module, a departmental switch block and policy-based connectivity at the distribution layer]

STP: Selecting the Root Bridge
» Default root bridge election: priority + base MAC.
» It is recommended to select a high-speed switch to be elected as Root Bridge, by changing the priority value.
» Priority values can only be multiples of 4096.

SW-1(config)#spanning-tree vlan 1 priority 1000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

STP: Selecting the Root Bridge
SW-A(config)#spanning-tree vlan 1 priority 0
SW-B(config)#spanning-tree vlan 1 priority 4096

OR

SW-A(config)#spanning-tree vlan 1 root primary
SW-B(config)#spanning-tree vlan 1 root secondary

NOTE: root primary reduces the priority by 8192 from the default priority; root secondary reduces the priority by 4096 from the default priority.

LAB: PER-VLAN STP
[Figure: four switches SW1, SW2, SW3 and SW4, each connected to the others]

TASK:
• Connect four switches as per the diagram.
• Find the Root Bridge, root ports and alternate ports in the topology.

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96C4.2C24
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.C994.B166
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW3#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96C4.2C24
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.97DB.EE1C
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Altn BLK 19     128.20   P2p
Fa0/21      Root FWD 19     128.21   P2p
Fa0/22      Altn BLK 19     128.22   P2p

SW4#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96C4.2C24
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0005.5E81.6101
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

• In this example SW1 is the root bridge; you can verify the root ports and alternate ports in the above outputs.
• In your topology it can vary, as the election is based on the MAC address (which varies from switch to switch).

TASK:
• Configure the links connecting the switches as trunk links.
• Configure VTP on all four switches to synchronize the VLAN information.
• Create VLANs 10, 20, 30 and 40 on SW1 and ensure that they sync with the other switches.
On SW1, SW2, SW3 and SW4:

SWx(config)#int range f0/20 - 22
SWx(config-if-range)#switchport trunk encapsulation dot1q
SWx(config-if-range)#switchport mode trunk
SWx(config)#vtp domain CCIE

SW1#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1
Fa0/21    on     802.1q         trunking  1
Fa0/22    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005
Fa0/22    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1
Fa0/22    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1
Fa0/21    1
Fa0/22    1

SW2#sh int trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1
Fa0/21    on     802.1q         trunking  1
Fa0/22    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005
Fa0/22    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1
Fa0/22    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1
Fa0/21    1
Fa0/22    1

SW3#sh interfaces trunk
Port      Mode   Encapsulation  Status    Native vlan
Fa0/20    on     802.1q         trunking  1
Fa0/21    on     802.1q         trunking  1
Fa0/22    on     802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005
Fa0/22    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1
Fa0/22    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    none
Fa0/21    1
Fa0/22    none

SW4#sh interfaces trunk
Port      Vlans allowed on trunk
Fa0/20    1-1005
Fa0/21    1-1005
Fa0/22    1-1005

Port      Vlans allowed and active in management domain
Fa0/20    1
Fa0/21    1
Fa0/22    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/20    1
Fa0/21    none
Fa0/22    1

SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config-vlan)#vlan 30
SW1(config-vlan)#vlan 40
SW1(config-vlan)#exit

VLAN   Name               Status    Ports
1      default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/23
                                    Fa0/24, Gig0/1, Gig0/2
1002   fddi-default       active
1003   token-ring-default active
1004   fddinet-default    active
1005   trnet-default      active

SW2#sh vlan brief
VLAN   Name               Status    Ports
1      default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/23
                                    Fa0/24, Gig0/1, Gig0/2
10     VLAN0010           active
20     VLAN0020           active
30     VLAN0030           active
40     VLAN0040           active
1002   fddi-default       active
1003   token-ring-default active
1004   fddinet-default    active
1005   trnet-default      active

SW3#sh vlan brief
VLAN   Name               Status    Ports
1      default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/23
                                    Fa0/24, Gig1/1, Gig1/2
10     VLAN0010           active
20     VLAN0020           active
30     VLAN0030           active
40     VLAN0040           active
1002   fddi-default       active
1003   token-ring-default active
1004   fddinet-default    active
1005   trnet-default      active

SW4#sh vlan brief
VLAN   Name               Status    Ports
1      default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                    Fa0/17, Fa0/18, Fa0/19, Fa0/23
                                    Fa0/24, Gig1/1, Gig1/2
10     VLAN0010           active
20     VLAN0020           active
30     VLAN0030           active
40     VLAN0040           active
1002   fddi-default       active
1003   token-ring-default active
1004   fddinet-default    active
1005   trnet-default      active

TASK:
• Configure SW1 to be the Root Bridge for VLANs 10 and 20 and the backup for VLANs 30 and 40.
• Configure SW2 to be the Root Bridge for VLANs 30 and 40 and the backup for VLANs 10 and 20.
• By default SW1 will be the root bridge for all VLANs here, as the priority value is the same on every switch and SW1 has the lowest MAC address of all (this may vary in your lab).

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    32798
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32798  (priority 32768 sys-id-ext 30)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    32808
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

You can configure a Catalyst switch to become the root bridge using one of two methods:

1. Manually setting the bridge priority value:
   Switch(config)# spanning-tree vlan vlan-id priority bridge-priority

2. Causing the would-be root bridge switch to choose its own priority, based on some assumptions about the other switches in the network, using the primary and secondary options:
   Switch(config)# spanning-tree vlan vlan-id root {primary | secondary}

The bridge priority defaults to 32,768, but you can also assign a value from 0 to 65,535. If the STP extended system ID is enabled (the default on most switches), the default bridge priority is 32,768 plus the VLAN number. In that case the value can range from 0 to 61,440, but only in multiples of 4096. A lower bridge priority is preferable.

With root primary, the switch sets its priority to 24,576; if the current root priority is already less than that, the local switch sets its priority to 4096 less than the current root. For the secondary root bridge, the priority is set to an artificially low value of 28,672.
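The priority rules just described, turned into a small planning tool for the per-VLAN task above. This is an added example and not the workbook's own code: it mirrors the 4096-increment check, the extended-system-ID display (configured priority + VLAN number), the root primary/secondary values, and generates the priority commands for SW1 and SW2 while checking who would win each VLAN. The MAC addresses are those from this lab's show output; function names are the example's own.

```python
"""Per-VLAN root bridge planning with the extended system ID (added example)."""

DEFAULT_PRIORITY = 32768
PRIMARY_PRIORITY = 24576     # 'root primary' value seen in the lab output (24577 = 24576 + VLAN 1)
SECONDARY_PRIORITY = 28672   # 'root secondary' value
STEP = 4096


def validate_priority(priority):
    """Mirror the IOS check quoted in the text: 0..61440 in increments of 4096."""
    if priority % STEP or not 0 <= priority <= 61440:
        allowed = " ".join(str(v) for v in range(0, 61441, STEP))
        raise ValueError("% Bridge Priority must be in increments of 4096.\n"
                         f"% Allowed values are:\n  {allowed}")
    return priority


def displayed_priority(priority, vlan):
    """Priority as 'show spanning-tree' prints it: configured value + VLAN number (sys-id-ext)."""
    return validate_priority(priority) + vlan


def root_primary_priority(current_root_priority=DEFAULT_PRIORITY):
    """'root primary': 24576, or 4096 below the current root if that root is already lower."""
    if current_root_priority >= PRIMARY_PRIORITY:
        return PRIMARY_PRIORITY
    if current_root_priority == 0:
        raise ValueError("current root already has priority 0; it cannot be undercut")
    return current_root_priority - STEP


def plan_pvst_roots(roles, macs):
    """roles = {vlan: (primary_switch, secondary_switch)}; macs = {switch: base MAC}.

    Primary gets priority 0 and secondary 4096, as in the lab; all other switches keep
    the default.  Returns (commands per switch, elected root per VLAN) and raises if a
    VLAN's intended primary would not actually win the election.
    """
    per_switch = {sw: {} for sw in macs}   # switch -> {priority: [vlans]}
    elected = {}
    for vlan, (primary, secondary) in sorted(roles.items()):
        if primary == secondary or {primary, secondary} - set(macs):
            raise ValueError(f"VLAN {vlan}: primary and secondary must be two different known switches")
        per_switch[primary].setdefault(0, []).append(vlan)
        per_switch[secondary].setdefault(STEP, []).append(vlan)
        shown = {sw: displayed_priority(
                     0 if sw == primary else STEP if sw == secondary else DEFAULT_PRIORITY, vlan)
                 for sw in macs}
        # Election per VLAN: lowest (displayed priority, MAC) wins.
        elected[vlan] = min(macs, key=lambda sw: (shown[sw], macs[sw].lower()))
        if elected[vlan] != primary:
            raise ValueError(f"VLAN {vlan}: {elected[vlan]} would win instead of {primary}")
    commands = {sw: [f"spanning-tree vlan {','.join(map(str, vlans))} priority {prio}"
                     for prio, vlans in sorted(groups.items())]
                for sw, groups in per_switch.items()}
    return commands, elected


# Base MACs from the lab's show spanning-tree output.
LAB_MACS = {"SW1": "0001.96C4.2C24", "SW2": "0001.C994.B166",
            "SW3": "00D0.97DB.EE1C", "SW4": "0005.5E81.6101"}
# The task: SW1 root for 10,20 and backup for 30,40; SW2 the reverse.
LAB_ROLES = {10: ("SW1", "SW2"), 20: ("SW1", "SW2"), 30: ("SW2", "SW1"), 40: ("SW2", "SW1")}

if __name__ == "__main__":
    cmds, roots = plan_pvst_roots(LAB_ROLES, LAB_MACS)
    for sw, lines in cmds.items():
        for line in lines:
            print(f"{sw}(config)#{line}")
    print(roots)   # {10: 'SW1', 20: 'SW1', 30: 'SW2', 40: 'SW2'}
    print("SW1 VLAN 30 shows priority", displayed_priority(STEP, 30))   # 4126, as in the lab output
```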
On SW1:
SW1(config)#spanning-tree vlan 10,20 priority 0
SW1(config)#spanning-tree vlan 30,40 priority 4096

OR

SW1(config)#spanning-tree vlan 10,20 root primary
SW1(config)#spanning-tree vlan 30,40 root secondary

On SW2:
SW2(config)#spanning-tree vlan 30,40 priority 0
SW2(config)#spanning-tree vlan 10,20 priority 4096

OR

SW2(config)#spanning-tree vlan 30,40 root primary
SW2(config)#spanning-tree vlan 10,20 root secondary

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    10  (priority 0 sys-id-ext 10)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    20
             Address     0001.96C4.2C24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    20  (priority 0 sys-id-ext 20)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    30
             Address     0001.C994.B166
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4126  (priority 4096 sys-id-ext 30)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW1#sh spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    40
             Address     0001.C994.B166
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4136  (priority 4096 sys-id-ext 40)
             Address     0001.96C4.2C24
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW2#sh spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    30
             Address     0001.C994.B166
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    30  (priority 0 sys-id-ext 30)
             Address     0001.C994.B166
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW2#sh spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    40
             Address     0001.C994.B166
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    40  (priority 0 sys-id-ext 40)
             Address     0001.C994.B166
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW2#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0001.96C4.2C24
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4106  (priority 4096 sys-id-ext 10)
             Address     0001.C994.B166
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW2#sh spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    20
             Address     0001.96C4.2C24
             Cost        19
             Port        20(FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4116  (priority 4096 sys-id-ext 20)
             Address     0001.C994.B166
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Root FWD 19     128.20   P2p
Fa0/21      Desg FWD 19     128.21   P2p
Fa0/22      Desg FWD 19     128.22   P2p

SW3#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0001.96C4.2C24
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     00D0.97DB.EE1C
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Altn BLK 19     128.20   P2p
Fa0/21      Root FWD 19     128.21   P2p
Fa0/22      Altn BLK 19     128.22   P2p

SW3#sh spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    20
             Address     0001.96C4.2C24
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     00D0.97DB.EE1C
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Altn BLK 19     128.20   P2p
Fa0/21      Root FWD 19     128.21   P2p

SW3#sh spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    30
             Address     0001.C994.B166
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32798  (priority 32768 sys-id-ext 30)
             Address     00D0.97DB.EE1C
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Altn BLK 19     128.20   P2p
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

SW3#sh spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    40
             Address     0001.C994.B166
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     00D0.97DB.EE1C
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Altn BLK 19     128.20   P2p
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

SW4#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0001.96C4.2C24
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0005.5E81.6101
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

SW4#sh spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    20
             Address     0001.96C4.2C24
             Cost        19
             Port        22(FastEthernet0/22)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0005.5E81.6101
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Altn BLK 19     128.21   P2p
Fa0/22      Root FWD 19     128.22   P2p

SW4#sh spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    30
             Address     0001.C994.B166
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32798  (priority 32768 sys-id-ext 30)
             Address     0005.5E81.6101
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Root FWD 19     128.21   P2p
Fa0/22      Altn BLK 19     128.22   P2p

SW4#sh spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    40
             Address     0001.C994.B166
             Cost        19
             Port        21(FastEthernet0/21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32808  (priority 32768 sys-id-ext 40)
             Address     0005.5E81.6101
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface   Role Sts Cost   Prio.Nbr Type
Fa0/20      Desg FWD 19     128.20   P2p
Fa0/21      Root FWD 19     128.21   P2p
Fa0/22      Altn BLK 19     128.22   P2p

Ether channel
» Combines multiple physical links into one logical link.
» Increases bandwidth and provides redundancy.
[Figure: SW1 and SW2 joined by several parallel links bundled as one logical link]

Ether-channel - Configuration
» Manual
» Dynamic (using negotiation protocols): LACP, PAgP

Switch(config)#interface range f0/21 - 24
Switch(config-if-range)#channel-group 12 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

Ether-channel - Modes
  On         PAgP and LACP disabled (disable negotiation)
  Desirable  Actively negotiate PAgP
  Auto       Passively listen for PAgP
  Active     Actively negotiate LACP
  Passive    Passively listen for LACP

Successful combinations of ether-channel modes would be:
» On - On
» Desirable - Desirable
» Desirable - Auto
» Active - Active
» Active - Passive
unconditionally on Enable Etherchannel only passive Enable LACP only if a LACP device is detected Ether-channel - Configuration SW-1(configyy interface range f0/21 - 26 SW-1(config-if-range} channel-group 12 mode desirable SW-1(config-ifrangey exit ‘SW.-2{configyt interface range f0/21 - 24 ‘SW-2{configifrange)# channel-group 12 mode Auto ‘SW-2{config-ifrange)# exit SW-1#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthemeto/2¢ unassigned YES unset up up GigabitEthemeto/1 unassigned YES unset down down GigabitEthemeto/2 unassigned YES unset down down Vian unassigned YES unset administratively down down Port-channel 12 unassigned YES unset up up, ‘SW-1ush etherchannel summary Number of channel-groups in se: 1 Number of aggregators: 1 Group Port-channel Protocol Ports 12 Po1aSt) ——PAgP._Fa0/21() Fao/22(P) Fa0/23P) Fa0/24P) ‘SW-1#show spanning-tree VLANe®o? ‘Spanning tree enabled protocol eee Root ID. Pretty 32769 ‘Adress oDOFF283678 “This bride I the root Hello Time 2 sec Max Age 20sec Forward Dely 15 50¢ Brdge ID Priority 32769 (priory 3276s syvihent 1) ‘Adéres oDOFF263678 Hello Time 2 sec Max Age 20sec Forward Delay 15sec ‘Aging Tine 20| Imertace Roe Ss Cost PrioNbr Type Pou: DegFWD? 12827 Shr Etherchannel OA, Up to 6 links can be used to combine in to one logical link. + Etherchannel can be configured as layer 2 or layer 3. EtherChannel load balances traffic over all the links in the bundle. Port-channel is the logical instance of the physical interfaces. . + EtherChannel Load Balancing ‘Switch(confighsport-channel load-balance ? dstip st IP Addr dstmac__Dst Mac Addr sre-dst-ip Src XOR Dst IP Addr ste-dstmac Src XOR Dst Mac Addr a sw2 srcip Src IP Addr sremac Src Mac Addr dst-ip—Load distribution is based on the destination-host IP address. dst-mac—Load distribution is based on the destination-host MAC address of the incoming packet. sre-dstip—Load distribution is based on the source-and-destination host-IP address. 
• src-dst-mac: Load distribution is based on the source-and-destination host MAC address.
• src-ip: Load distribution is based on the source-host IP address.
• src-mac: Load distribution is based on the source MAC address of the incoming packet.

Some guidelines for EtherChannels
• All ports must be the same speed and duplex.
• All ports in the bundle should be enabled.
• Put all bundle ports in the same VLAN, or make them all trunks.
• If they are trunks, they must all carry the same VLANs and use the same trunking mode.
• Interfaces in the channel do not have to be physically next to each other or on the same module.
• Assign an IP address to the logical Port-channel interface, not to the physical ones, if using a Layer 3 EtherChannel.
• The configuration you apply to the Port-channel interface affects the entire EtherChannel.
• The configuration you apply to a physical interface affects only that interface.

TASK:
• Configure the four links (f0/20 - 23) so that they appear as one logical link.
• The ports should negotiate using the Cisco proprietary method (PAgP).

SW1(config)#int range f0/20 - 23
SW1(config-if-range)#channel-protocol pagp
SW1(config-if-range)#channel-group 10 ?
  mode  Etherchannel Mode of the interface
SW1(config-if-range)#channel-group 10 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SW1(config-if-range)#channel-group 10 mode desirable

SW2(config)#int range f0/20 - 23
SW2(config-if-range)# channel-protocol pagp
SW2(config-if-range)# channel-group 10 mode ?
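Load balancing selects one member link per flow from a hash of the header fields chosen with port-channel load-balance, so a bundle only spreads traffic "over all the links" when there are many distinct flows. The Python model below is an added example, not workbook code: it assumes a 3-bit hash (low-order bits, XORed for the src-dst methods) and a round-robin mapping of the 8 hash buckets onto the member links, which reproduces the commonly documented splits (4 links 2:2:2:2, 3 links 3:3:2); real switch ASICs differ in the hash details.

```python
"""Model of EtherChannel per-flow link selection (added example, not workbook code).

Assumptions, labelled as such: the switch hashes the selected header fields
down to 3 bits (0-7), XORing source and destination for the src-dst methods,
and maps the 8 hash buckets onto the member links round-robin.  That yields
the commonly documented split (8 links 1:1:...:1, 4 links 2:2:2:2,
3 links 3:3:2, 2 links 4:4).  Real platforms hash differently in detail.
"""
from collections import Counter
import ipaddress

METHODS = ("dst-ip", "dst-mac", "src-dst-ip", "src-dst-mac", "src-ip", "src-mac")


def _ip_bits(ip: str) -> int:
    """Low 3 bits of an IPv4 address (the last octet's low bits)."""
    return int(ipaddress.IPv4Address(ip)) & 0x7


def _mac_bits(mac: str) -> int:
    """Low 3 bits of a MAC written as 0005.5e81.6101 or 00:05:5e:81:61:01."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16) & 0x7


def hash_bucket(method: str, src_ip=None, dst_ip=None, src_mac=None, dst_mac=None) -> int:
    """Return the hash bucket (0-7) that the selected load-balance method gives this flow."""
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    if method == "dst-ip":
        return _ip_bits(dst_ip)
    if method == "src-ip":
        return _ip_bits(src_ip)
    if method == "src-dst-ip":
        return _ip_bits(src_ip) ^ _ip_bits(dst_ip)
    if method == "dst-mac":
        return _mac_bits(dst_mac)
    if method == "src-mac":
        return _mac_bits(src_mac)
    return _mac_bits(src_mac) ^ _mac_bits(dst_mac)   # src-dst-mac


def member_link(num_links: int, bucket: int) -> int:
    """Map a bucket to a member link index (0-based): 8 buckets spread over num_links links."""
    if not 1 <= num_links <= 8:
        raise ValueError("an EtherChannel bundles 1 to 8 links")
    return bucket % num_links


def bucket_shares(num_links: int) -> Counter:
    """How many of the 8 buckets each link receives, e.g. 3 links -> {0: 3, 1: 3, 2: 2}."""
    return Counter(member_link(num_links, b) for b in range(8))


def distribute(method: str, num_links: int, flows) -> Counter:
    """Count flows per member link for a list of flow dicts (src_ip/dst_ip/src_mac/dst_mac)."""
    return Counter(member_link(num_links, hash_bucket(method, **flow)) for flow in flows)


# Constructed sample: eight clients talking to one server through a 4-link bundle.
SERVER = "10.1.1.10"
CLIENT_FLOWS = [{"src_ip": f"10.1.1.{i}", "dst_ip": SERVER} for i in range(1, 9)]

if __name__ == "__main__":
    print("3-link bundle bucket split:", dict(bucket_shares(3)))
    # dst-ip polarises every client->server flow onto one link ...
    print("dst-ip     :", dict(distribute("dst-ip", 4, CLIENT_FLOWS)))
    # ... while src-dst-ip spreads the same flows across all four.
    print("src-dst-ip :", dict(distribute("src-dst-ip", 4, CLIENT_FLOWS)))
```

The dst-ip case is the one to watch in practice: many clients to one server all land on a single member link, which the bundle's aggregate bandwidth figure hides.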
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SW2(config-if-range)# channel-group 10 mode auto
SW2(config-if-range)#exit

SW2#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
(the Po10 entry appeared as a screenshot in the original)

SW2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.641A.B200
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.641A.B200
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
(interface rows appeared as a screenshot in the original)

SW2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/24       unassigned      YES unset  down                  down
GigabitEthernet0/1     unassigned      YES unset  down                  down
GigabitEthernet0/2     unassigned      YES unset  down                  down
Vlan1                  unassigned      YES unset  administratively down down

SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.641A.B200
             Cost        7
             Port        27 (Port-channel10)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0060.4750.87A7
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
(interface rows appeared as a screenshot in the original)

TASK: Configure the Port-channel 10 interface as a trunk link.
SW1(config)# int port-channel 10
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# exit

SW2(config)# int port-channel 10
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# exit

SW2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
(rows appeared as a screenshot in the original)

Port        Vlans allowed on trunk
Fa0/20      1-1005
Fa0/21      1-1005
Fa0/22      1-1005
Fa0/23      1-1005
Po10        1-1005

Port        Vlans allowed and active in management domain
Fa0/20      1
Fa0/21      1
Fa0/22      1
Fa0/23      1
Po10        1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      none
Fa0/21      none
Fa0/22      none
Fa0/23      none
Po10        none

• Any change applied on the port-channel automatically takes effect on all the physical interfaces.
• The port-channel keeps working as long as at least one interface in the group is up and running.

SW2#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
(the Po10 entry appeared as a screenshot in the original)

Layer 3 EtherChannel
• To configure a Layer 3 port-channel interface, the member ports must be configured with the no switchport command before the port-channel commands are used.
• If the channel-group command is issued before the no switchport command on the physical interfaces, the logical port-channel interface is created with the default Layer 2 type, and this cannot be changed afterwards.
• To fix this problem, simply issue the no switchport command before the channel-group command.
• If configured properly, the state of the port-channel in the show etherchannel summary output shows RU (routed and in use).

Spanning Tree PortFast
• Helps speed up network convergence on access ports.
• Cisco-proprietary enhancement to Spanning Tree.
• PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states.

NOTE:
• PortFast should be used only when connecting a single end station to a switch port.
• If you enable PortFast on a port connected to another networking device, such as a switch, you can create network loops.

PortFast Configuration
PortFast on specific ports:
(config)# interface range f0/1 - 10
(config-if-range)# spanning-tree portfast
OR
PortFast on all access ports globally using one command:
(config)# spanning-tree portfast default

LAB: STP PORTFAST

TASK:
• Connect four PCs to the LAN as per the diagram.
• Shut down the ports on the switch, reconfigure no shutdown, and observe the ports going through the LSN (listening) and LRN (learning) stages of the STP process before they come to FWD (forwarding).

Switch(config)#int range f0/1 - 4
Switch(config-if-range)# shutdown
Switch(config-if-range)# no shutdown

Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg LSN 19        128.1    P2p
Fa0/2            Desg LSN 19        128.2    P2p
Fa0/4            Desg LSN 19        128.4    P2p
Fa0/3            Desg LSN 19        128.3    P2p

Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg LRN 19        128.1    P2p
Fa0/2            Desg LRN 19        128.2    P2p
Fa0/4            Desg LRN 19        128.4    P2p
Fa0/3            Desg LRN 19        128.3    P2p

Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/3            Desg FWD 19        128.3    P2p

• All the ports connecting to end devices go through the listening and learning states by default before they come to the forwarding state.
• This is the default STP loop-prevention mechanism on switches.
• Here we want these access ports to bypass the LSN and LRN stages and transition to FWD immediately.
• To do this we configure PortFast on these ports (used only on access ports).

Switch(config)#int range f0/1 - 4
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#end

To verify:
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#shutdown
Switch(config-if-range)#no shutdown

Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/3            Desg FWD 19        128.3    P2p

Once PortFast is configured on the interfaces, all the ports transition to forwarding immediately, without the LSN and LRN states.

TASK:
• Configure the switch so that all future access ports bypass the LSN and LRN states, using a single command.
Switch(config)#spanning-tree portfast default
Switch(config)#end

To verify, connect some end devices on ports f0/5 - 6.

Switch#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6336.1BA3
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6336.1BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/3            Desg FWD 19        128.3    P2p

BPDU Guard
• BPDU Guard prevents loops if another switch is attached to a PortFast port.
• Puts the port into an error-disabled state (basically, shut down) if a BPDU is received on the interface.

(config)# interface f0/1
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable
OR
BPDU Guard on all access ports globally using one command:
(config)# spanning-tree portfast bpduguard default

BPDU Guard verification
(config)# interface f0/2
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable

[Diagram: a 3560 switch is connected to Fa0/2 in place of the laptop]

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state

SW1#show interface status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/2                        err-disabled bpduguard

• The err-disabled port has to be manually re-enabled via shutdown / no shutdown.

BPDU Filtering
(config)# spanning-tree portfast bpdufilter default
• If a PortFast interface receives any BPDU, it is taken out of PortFast status.
• The interface still sends some BPDUs at link-up.

(config)# interface f0/2
(config-if)# spanning-tree bpdufilter enable
• The interface doesn't send any BPDUs and ignores the received ones.
• The port is not shut down; this basically disables spanning tree on the interface.
LAB: BPDU Guard

TASK:
• Connect a link between SW1 and SW2 on f0/19 and shut down all remaining ports.
• Configure SW2 f0/19 as a Layer 3 port to test the BPDU Guard feature.
• Enable the BPDU Guard and PortFast features on SW1.

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#exit

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#int f0/19
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#spanning-tree portfast
SW1(config-if)#spanning-tree bpduguard enable
SW1(config-if)#exit

SW1#show spanning-tree interface f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 58, received 0

TASK: Reconfigure the f0/19 port on SW2 back to a Layer 2 port (adding switchport).

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#exit

SW1#sh interfaces f0/19 status err-disabled
Port      Name               Status       Reason
(the Fa0/19 row appeared as a screenshot in the original)

SW1#sh interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX

TASK: Configure the f0/19 port back to a Layer 3 port and ensure that the port comes back up.

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#exit
SW2(config)#do sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/19       10.0.0.1        YES manual down                  down

SW2(config)#int f0/19
SW2(config-if)#shutdown
SW2(config-if)#no shutdown
SW2(config-if)#end

SW2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
(rows appeared as a screenshot in the original)

SW2#sh interfaces status
(output appeared as a screenshot in the original)

TASK:
• Configure err-disable recovery for BPDU Guard so that the port comes up automatically after 60 seconds in the err-disabled state.

SW1(config)#errdisable recovery cause bpduguard
SW1(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW1(config)#errdisable recovery interval 60
SW1(config)#exit

SW1#sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

TASK: Test by changing the Layer 3 interface f0/19 to switchport and then back to Layer 3.

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#exit

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/19                       err-disabled 10         auto    auto  10/100BaseTX

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#end

SW1#sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
(the Fa0/19 bpduguard entry and its countdown appeared as a screenshot in the original; the command was repeated to watch the timer count down)

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

TASK:
• Reconfigure and verify the same task by removing the interface-mode commands and enabling BPDU Guard in global configuration mode.

SW1(config)#int f0/19
SW1(config-if)#no spanning-tree portfast
SW1(config-if)#no spanning-tree bpduguard enable
SW1(config-if)#exit
SW1(config)#no errdisable recovery cause bpduguard
SW1(config)#no errdisable recovery interval 60

SW1#sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW1(config)#spanning-tree portfast default
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#errdisable recovery cause bpduguard
SW1(config)#errdisable recovery interval 60

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#exit

SW2#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#end

SW1#sh errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
--------------------------------------------------
Fa0/19         bpduguard              3

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

LAB: BPDU Filter (interface level)

BPDU Filter is also used to terminate the STP domain, but its functionality differs: it can be configured globally or at the interface level, and the behavior is different depending on which is used. This was not the case for BPDU Guard, which has the same functionality regardless of how it is enabled.

When configured at the interface level, BPDU Filter silently drops all received inbound BPDUs and does not send any outbound BPDUs on the port. There is no violation option for BPDU Filter, so the port never goes into the err-disabled state. BPDU Filter needs to be enabled carefully at the port level, because it will cause permanent loops if a switch is connected at the other end of the link and the network is physically looped: in this case STP will not be able to detect the loop and the network will become unusable within seconds.

TASK:
• Connect a link between SW1 and SW2 on f0/19 and shut down all remaining ports.
• Configure SW2 f0/19 as a Layer 3 port to test the BPDU Filter feature.
• Enable the BPDU Filter and PortFast features on SW1.

SW2(config)#int f0/19
SW2(config-if)#no switchport
SW2(config-if)#ip address 10.0.0.1 255.0.0.0
SW2(config-if)#exit

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#int f0/19
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#spanning-tree portfast
SW1(config-if)#spanning-tree bpdufilter enable
SW1(config-if)#exit

SW1#sh spanning-tree interface f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 9, received 0

TASK: Configure SW2 f0/19 as a Layer 2 port so that it starts sending BPDUs.

SW2(config)#int f0/19
SW2(config-if)#switchport
SW2(config-if)#end

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
(interface rows appeared as a screenshot in the original)

TASK: BPDU Filter in global configuration mode:
• Remove the BPDU filter on the interface and enable it globally.
• Configure PortFast on f0/19 on SW1 for verification.
SW2(config)#int f0/19
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.0.0.1 255.0.0.0
SW2(config-if)#end

SW1(config)#int f0/19
SW1(config-if)#spanning-tree portfast
SW1(config-if)#no spanning-tree bpdufilter enable
SW1(config-if)#exit
SW1(config)#spanning-tree portfast bpdufilter default
SW1(config)#end

SW1#sh interfaces f0/19 status
Port      Name               Status       Vlan       Duplex  Speed Type
(the Fa0/19 row appeared as a screenshot in the original)

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
(interface rows appeared as a screenshot in the original)

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.b
ee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default

SW2(config)#int f0/19
SW2(config-if)#switchport

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32769, address 000b.be78.8300
   Designated bridge has priority 32769, address 000b.be78.8300
   Designated port id is 128.19, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

As soon as SW2 sends BPDUs on the link, SW1's port loses its PortFast status, so the global BPDU filter (which only applies to PortFast ports) no longer covers it and the BPDUs from SW2 are processed: SW2 is now shown as the designated bridge.

SW1#show spanning-tree interface fastEthernet0/19 portfast
(output appeared as a screenshot in the original)

SW2(config)#int f0/19
SW2(config-if)#no switchport

SW1#show spanning-tree interface fastEthernet0/19 portfast
(output appeared as a screenshot in the original)

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 32778, address 000b.bee2.fa00
   Designated bridge has priority 32778, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

Root Guard
• Prevents the wrong switch from becoming the Spanning Tree root.
• If a Root Guard port receives a superior BPDU that might cause it to become a root port, the port is put into the "root-inconsistent" state and does not pass traffic.
• If the port stops receiving these BPDUs, it automatically re-enables itself.
[Figure: a customer network attached to a service-provider network. Without Root Guard, a customer switch is a potential spanning-tree root; Root Guard is enabled on the provider switch interfaces facing the customer to prevent switches in the customer network from becoming the root switch or being in the path to the root.]

Configuring Root Guard
(config)# interface f0/19
(config-if)# spanning-tree guard root

Ports disabled by Root Guard can be viewed with:
# show spanning-tree inconsistentports

LAB: ROOT GUARD
• Root Guard is similar to the BPDU Guard feature in the manner in which it is used to detect STP packets and disable the interface they were received on.
• The difference between them is that with Root Guard the interface is only logically disabled (via the Root Inconsistent state), and only if a superior BPDU is received on the port with Root Guard enabled.
• The Root Inconsistent state is similar to the blocking state, in that BPDUs are not sent outbound but are accepted inbound, and of course all received frames are dropped.
• The switch automatically recovers the port from Root Inconsistent and starts negotiating the new port state and role as soon as superior BPDUs are no longer received inbound.
• A superior BPDU indicates a better cost to the root bridge than what is currently installed.
• Therefore, in terms of design, this feature is used to prevent a rogue device from announcing itself as the new root bridge and possibly implementing a Layer 2 man-in-the-middle attack. Root Guard can be enabled only at the port level and basically prevents a Designated port from becoming Non-Designated.
• You will want to configure this functionality on the Root Bridge itself.
• Verify that Root Guard is enabled for all VLANs, for example on the FastEthernet0/19 port.
TASK:
• Configure SW1 so that STP logically blocks the Ethernet link connected to SW2 if any port on SW2 tries to become Root Bridge for any VLAN.

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.be78.8300
             Cost        19
             Port        19 (FastEthernet0/19)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    Edge P2p
Fa0/19           Root FWD 19        128.19   P2p

SW2#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.be78.8300
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.be78.8300
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/19           Desg FWD 19        128.19   P2p

In this lab SW2 is the default root bridge: both switches use the default priority 32768, so the tie is decided by the lower MAC address (000b.be78.8300 on SW2). Configure SW1 with a priority value of 4096 to ensure that SW1 becomes the Root Bridge.

SW1(config)#spanning-tree vlan 1 priority 4096
SW1(config)#exit

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    Edge P2p

TASK:
• Configure SW1 so that STP logically blocks the Ethernet link connected to SW2 if any port on SW2 tries to become Root Bridge for any VLAN.

SW1(config)#int f0/19
SW1(config-if)#spanning-tree guard root
SW1(config-if)#exit

SW1#sh spanning-tree int f0/19 detail
 Port 19 (FastEthernet0/19) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.19.
   Designated root has priority 4097, address 000b.bee2.fa00
   Designated bridge has priority 4097, address 000b.bee2.fa00
   Designated port id is 128.19, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default

Although Root Guard is enabled at the port level, it works on a per-VLAN basis.

TASK: Testing Root Guard
• Configure SW2 with a priority value of 0 to ensure that SW2 sends superior BPDUs to SW1.

SW2(config)#spanning-tree vlan 1 priority 0

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    Edge P2p
(the Fa0/19 row appeared as a screenshot in the original)

SW1 no longer sends BPDUs outbound on its Root Inconsistent port.

TASK: Remove the priority configuration on SW2 and ensure that SW2 uses the default priority values.

SW2(config)#no spanning-tree vlan 1 priority 0

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    Edge P2p
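The bridge-ID comparison that drives this lab, as an added example (not workbook code): it uses the lab's own values to show why SW2 is the default root, why "priority 4096" displays as 4097 on VLAN 1, and when a guarded port goes root-inconsistent.

```python
"""Bridge-ID comparison behind the Root Guard lab (added example, not workbook code).

A PVST+ bridge ID is the 16-bit priority field (configured priority, a multiple
of 4096, plus the VLAN number as the system-ID extension) followed by the
48-bit bridge MAC; the numerically lower ID wins.  This is why 'priority 4096'
shows as 4097 on VLAN 1, and why Root Guard reacts to a neighbour configured
with priority 0 but not to one left at the default 32768.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeID:
    priority: int      # configured value: 0, 4096, 8192, ... 61440
    vlan: int          # PVST+ system-ID extension
    mac: str           # e.g. "000b.bee2.fa00"

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("vlan must be 1-4094")

    @property
    def priority_field(self) -> int:
        """The value 'show spanning-tree' prints as Priority (priority + sys-id-ext)."""
        return self.priority + self.vlan

    def sort_key(self) -> tuple:
        return (self.priority_field, int(self.mac.replace(".", "").replace(":", ""), 16))


def is_superior(candidate: BridgeID, current_root: BridgeID) -> bool:
    """True when a BPDU announcing `candidate` as root beats the root this switch knows."""
    return candidate.sort_key() < current_root.sort_key()


def elect_root(*bridges: BridgeID) -> BridgeID:
    """Plain STP election for one VLAN: the lowest bridge ID wins."""
    return min(bridges, key=BridgeID.sort_key)


def root_guard_port_state(root_guard: bool, received_root: BridgeID, current_root: BridgeID) -> str:
    """State of a designated port after a BPDU arrives: 'root-inconsistent' if Root Guard
    blocks it (a superior root claimed on a guarded port), otherwise 'forwarding'."""
    if root_guard and is_superior(received_root, current_root):
        return "root-inconsistent"
    return "forwarding"


# Values from the workbook's Root Guard lab (VLAN 1).
SW1_DEFAULT = BridgeID(32768, 1, "000b.bee2.fa00")
SW2_DEFAULT = BridgeID(32768, 1, "000b.be78.8300")
SW1_4096 = BridgeID(4096, 1, "000b.bee2.fa00")
SW2_ZERO = BridgeID(0, 1, "000b.be78.8300")

if __name__ == "__main__":
    print("default root:", elect_root(SW1_DEFAULT, SW2_DEFAULT).mac)          # SW2, lower MAC
    print("SW1 priority field:", SW1_4096.priority_field)                      # 4097
    print("SW2 priority 0 on guarded port:", root_guard_port_state(True, SW2_ZERO, SW1_4096))
    print("SW2 back to default:", root_guard_port_state(True, SW2_DEFAULT, SW1_4096))
```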
When superior BPDUs are no longer received, SW1 starts to send BPDUs outbound on the port again to negotiate the STP state and role:

SW1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     000b.bee2.fa00
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     000b.bee2.fa00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/1            Desg FWD 19        128.1    Edge P2p

Unidirectional link failure
• A unidirectional link is a link on which one of the two transmission paths has failed, but not both.
• This can happen as a result of miscabling, cutting one fiber cable, unplugging one fiber, or other reasons.
• The port at the far end no longer receives STP BPDUs, but the link still forwards traffic.
• When the max-age timer expires, the blocking port (the alternate or backup port) becomes designated and moves to the forwarding state. This situation creates a loop.
• This is called a unidirectional link failure.

[Figure: switches A and B connected by a link that only works in one direction; the blocking port on B transitions to forwarding.]

Unidirectional link failure - Solution
• Loop Guard
• UDLD

LOOP GUARD
• Stops the loops that can occur because of unidirectional link failures.
• Prevents switch ports from wrongly moving from a blocking to a forwarding state when a unidirectional link exists in the network.

Loop Guard Configuration
On all point-to-point links:
(config)# spanning-tree loopguard default
OR
On specific links:
(config)# interface f0/20
(config-if)# spanning-tree guard loop

• Loop Guard automatically re-enables the port if it starts receiving BPDUs again.

Unidirectional Link Detection (UDLD)
• Does the same job as Loop Guard.
• Designed more specifically for fiber ports (can also work for UTP).
• Detects a unidirectional link by sending periodic hellos out of the interface.
• It also uses probes, which must be acknowledged by the device on the other end of the link.
UDLD has two modes: normal and aggressive.
* Normal mode: the link status is changed to the Undetermined state if the hellos are not returned.
* Aggressive mode: the port is err-disabled if a unidirectional link is found.
Aggressive mode is the recommended way to configure UDLD.

Unidirectional Link Detection configuration
To enable UDLD on all fiber-optic interfaces, use the following global command:
SW(config)#udld {enable | aggressive}
Note: Although this command is given in global configuration mode, it applies only to fiber ports. To enable UDLD on non-fiber ports, give the equivalent command in interface configuration mode.
To control UDLD on a specific port (and override the global setting on a fiber port), use:
SW(config-if)#udld port [aggressive]
SW(config-if)#udld port disable
To re-enable all interfaces shut down by UDLD:
SW#udld reset
To verify the UDLD status:
SW#show udld <interface>

UDLD vs Loop Guard
Functionality                                        Loop Guard                                   UDLD
Configuration                                        Per-port                                     Per-port
Action granularity                                   Per-VLAN                                     Per-port
Auto-recover                                         Yes                                          Yes, with the err-disable timeout feature
Protection against STP failures caused by            Yes, when enabled on all root and            Yes, when enabled on all links in a
unidirectional links                                 alternate ports in a redundant topology      redundant topology
Protection against STP failures caused by            Yes                                          No
problems in the software (designated switch
does not send BPDUs)
Protection against mis-wiring                        No                                           Yes

Err-Disable and Err-disable recovery
* Err-disabled means the port is automatically disabled by the switch operating system software because of an error condition encountered on the port.
* When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port.
* The port LED is set to the color orange.

SW#show interfaces gigabitethernet 4/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi4/1                        err-disabled 100          full   1000 1000BaseSX

SW#show interfaces gigabitethernet 4/1
GigabitEthernet4/1 is down, line protocol is down (err-disabled)

Reasons for the error-disabled state:
* Duplex mismatch
* Loopback error
* Link flapping (up/down)
* Port security violation
* Unicast flooding
* UDLD failure
* Broadcast storms
* BPDU Guard

Err-disable recovery
1. To recover a port that is in the err-disabled state, the administrator must access the switch and configure the specific port with the 'shutdown' command followed by 'no shutdown'.
2. Use the errdisable recovery option: choose the types of errors that automatically re-enable the port after a specified amount of time.

SW#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
mac-limit            Disabled
unicast-flood        Disabled
arp-inspection       Disabled

Timer interval: 300 seconds

SW(config)#errdisable recovery cause ?
  dtp-flap            Enable timer to recover from dtp-flap error disable state
  gbic-invalid        Enable timer to recover from invalid GBIC error disable state
  l2ptguard           Enable timer to recover from l2protocol-tunnel error disable state
  link-flap           Enable timer to recover from link-flap error disable state
  mac-limit           Enable timer to recover from mac limit disable state
  pagp-flap           Enable timer to recover from pagp-flap error disable state
  psecure-violation   Enable timer to recover from psecure violation disable state
  security-violation  Enable timer to recover from 802.1x violation disable state
  udld                Enable timer to recover from udld error disable state
  unicast-flood       Enable timer to recover from unicast flood disable state

SW(config)#errdisable recovery cause bpduguard
SW(config)#errdisable recovery interval 120

Errdisable autorecovery
To enable the errdisable autorecovery feature for all supported reasons:
SW(config)#errdisable recovery cause all
NOTE: 'cause all' also re-enables ports that were disabled by a security feature (BPDU Guard, port security, DAI), so a violating device is simply reconnected every recovery interval. Enable recovery per cause where that is not acceptable.

show interfaces status err-disabled
* Shows which local ports are in the err-disabled state.
show errdisable recovery
* Shows the time period after which the interfaces are re-enabled for each err-disable condition.
show errdisable detect
* Shows for which error conditions err-disable detection is enabled.

STP Flavours: RSTP, PVST+, CST, MSTP

STP Convergence - Indirect link failure
Figure: Root Bridge, Non-Root Bridge, Non-Root Bridge (indirect link failure)
STP Convergence - Direct link failure
Figure: Root Bridge, Non-Root Bridge, Non-Root Bridge (direct link failure)

Spanning-tree UplinkFast / BackboneFast
* Legacy, Cisco-proprietary enhancements to speed up convergence.
* UplinkFast: BLK -> FWD immediately if a direct link fails (instead of 30 sec).
* BackboneFast: BLK -> FWD in 30 sec if an indirect link fails (instead of 50 sec).
Figure: Spanning-tree UplinkFast (Switch A root, Switch B, Switch C)
Figure: Spanning-tree BackboneFast (Switch A root, Switch B, Switch C, blocked port)
* BackboneFast can reduce the maximum convergence delay only from 50 to 30 seconds.
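Before moving on to the STP flavours, an added example for the err-disable recovery material above (it is not part of the workbook and not IOS code): a Python audit that parses the text of 'show errdisable recovery' and 'show interfaces status err-disabled', and reports which err-disabled ports the recovery timer will bring back up even though they were disabled by a security feature. The two sample outputs are constructed; the list of causes treated as security responses is the author's choice, not an IOS list.

```python
"""Audit err-disable recovery settings against the ports currently err-disabled.

Added example for this workbook (not IOS code). It parses the text of
'show errdisable recovery' and 'show interfaces status err-disabled' and shows
which ports the recovery timer will bring back up even though they were
disabled by a security feature. Both sample outputs below are constructed."""
import re

# Causes that are security responses (author's selection). With recovery enabled
# for them, the violating device is simply reconnected after 'Timer interval'.
SECURITY_CAUSES = {
    "bpduguard", "psecure-violation", "security-violation",
    "arp-inspection", "dhcp-rate-limit", "mac-limit",
}

# IOS truncates long reason names in 'show errdisable recovery'.
CANONICAL = {"security-violatio": "security-violation"}

# Constructed sample of 'show errdisable recovery'.
SHOW_ERRDISABLE_RECOVERY = """\
ErrDisable Reason            Timer Status
-----------------            --------------
udld                         Enabled
bpduguard                    Enabled
security-violatio            Disabled
channel-misconfig            Disabled
pagp-flap                    Disabled
dtp-flap                     Disabled
link-flap                    Enabled
l2ptguard                    Disabled
psecure-violation            Enabled
gbic-invalid                 Disabled
dhcp-rate-limit              Disabled
mac-limit                    Disabled
unicast-flood                Disabled
arp-inspection               Disabled

Timer interval: 120 seconds
"""

# Constructed sample of 'show interfaces status err-disabled'.
SHOW_STATUS_ERRDISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/5     user-desk-12       err-disabled bpduguard
Fa0/7                        err-disabled psecure-violation
Gi0/1                        err-disabled udld
Gi0/2     to-old-stack       err-disabled channel-misconfig
"""

_REASON_RE = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s*$", re.MULTILINE)
_INTERVAL_RE = re.compile(r"^Timer interval:\s*(\d+)\s+seconds", re.MULTILINE)
# port, optional description, then the lowercase status keyword and the reason
_PORT_RE = re.compile(r"^(\S+)\s+(?:\S.*?)?\s*err-disabled\s+(\S+)", re.MULTILINE)


def parse_errdisable_recovery(text):
    """Return ({cause: recovery_enabled}, timer_interval_seconds)."""
    causes = {}
    for name, status in _REASON_RE.findall(text):
        causes[CANONICAL.get(name, name)] = (status == "Enabled")
    match = _INTERVAL_RE.search(text)
    interval = int(match.group(1)) if match else 300   # 300 s is the IOS default
    return causes, interval


def parse_errdisabled_ports(text):
    """Return {port: reason} for every err-disabled port in the status output."""
    return {port: reason for port, reason in _PORT_RE.findall(text)}


def risky_recovery_causes(recovery_text):
    """Security causes for which the timer will silently re-enable ports."""
    causes, _ = parse_errdisable_recovery(recovery_text)
    return sorted(c for c in SECURITY_CAUSES if causes.get(c))


def audit_ports(recovery_text, status_text):
    """Return {port: (reason, will_auto_recover)} by combining both outputs."""
    causes, _ = parse_errdisable_recovery(recovery_text)
    return {port: (reason, bool(causes.get(reason, False)))
            for port, reason in parse_errdisabled_ports(status_text).items()}


if __name__ == "__main__":
    _, interval = parse_errdisable_recovery(SHOW_ERRDISABLE_RECOVERY)
    for cause in risky_recovery_causes(SHOW_ERRDISABLE_RECOVERY):
        print(f"WARNING: recovery enabled for {cause}; ports come back every {interval}s")
    report = audit_ports(SHOW_ERRDISABLE_RECOVERY, SHOW_STATUS_ERRDISABLED)
    for port, (reason, recovers) in sorted(report.items()):
        action = "auto-recovers" if recovers else "needs shutdown / no shutdown"
        print(f"{port:8} {reason:20} {action}")
```

The parser keys on the lowercase 'err-disabled' keyword so the column header is skipped, and it expands the truncated reason name that IOS prints, so 'security-violation' is matched correctly whichever output it came from.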
Figure: UplinkFast transitions the blocked port on Switch C to forwarding as soon as its root port fails.
Figure: BackboneFast transitions the blocked port on Switch C to forwarding without waiting for max age after an indirect failure.

Rapid STP (RSTP) 802.1w
* 802.1w is the standards-based way of speeding up STP convergence.
* It builds in the equivalents of PortFast, UplinkFast and BackboneFast.
* Path calculation remains the same as in STP.

RSTP Configuration
SW(config)#spanning-tree mode rapid-pvst

SW#show spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0001.C9A4.567D
             Cost        19
             Port        20 (FastEthernet0/20)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000.414.4208
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/20              Root FWD 19

RSTP Synchronization
* SW A assumes its port is designated and sends out a proposal.
* SW B will agree to this proposal. Before it sends the agreement, SW B puts all its other non-edge designated ports into the discarding state (sync), so the handshake cannot open a temporary loop; SW B then repeats the proposal/agreement on those ports towards its own neighbours.
Figure: RSTP synchronization between Switch A (root, priority 32768) and Switch B; Switch B blocks its non-edge designated ports while it agrees.

RSTP Port States
Comparing 802.1D and 802.1w port states:
STP port state        Equivalent RSTP port state
Disabled              Discarding
Blocking              Discarding
Listening             Discarding
Learning              Learning
Forwarding            Forwarding
* Discarding: frames are dropped, no addresses are learned (link down / blocking / during sync).
* Learning: frames are dropped, but addresses are learned.
* Forwarding: frames are forwarded.
RSTP port roles
* Root port: the best path to the root (same as STP).
* Designated port: same role as with STP.
* Alternate port: a backup to the root port.
* Backup port: a backup to the designated port.
* Disabled port: not used in the spanning tree.
* Edge port: connected only to an end user.

Alternate port:
* A backup to the root port (a less desirable path to the root).
* Operates in the discarding state.
* Same idea as the legacy UplinkFast feature.

Backup port:
* The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* A backup to the designated port: multiple links attached to the same network segment.
* Activates if the primary designated port fails.
Figure: root bridge with designated ports; second switch with RP and AP; hub segment with DP and BP. DP - Designated Port, RP - Root Port, BP - Backup Port, AP - Alternate Port.

Edge port:
* Equivalent to PortFast in STP; connected only to an end user.
* Keeps its edge status as long as no BPDU is received; a BPDU received on an edge port turns it into a normal port (unless BPDU Filter is configured on it, in which case incoming BPDUs are ignored).

BPDU differences in RSTP
* In regular STP, BPDUs are originated by the root and relayed by each switch.
* In RSTP, each switch originates its own BPDUs, whether or not it receives a BPDU on its root port.
* Per-VLAN RSTP is done by Rapid PVST+ on Catalyst switches.
* Hello 2 sec; a neighbour is considered dead after three missed hellos (6 sec).

RSTP port costs
Data rate     STP cost (802.1D-1998)    RSTP cost (802.1w-2001)
4 Mbit/s      250                       5,000,000
10 Mbit/s     100                       2,000,000
16 Mbit/s     62                        1,250,000
100 Mbit/s    19                        200,000
1 Gbit/s      4                         20,000
2 Gbit/s      3                         10,000
10 Gbit/s     2                         2,000

Hierarchical Campus Model (figure)

STP: Selecting the Root Bridge
* Default root bridge election: lowest priority, then lowest base MAC address.
* It is recommended to select a high-speed switch to be elected as the root bridge by changing its priority value.
* Priority values can only be multiples of 4096.

SW-1(config)#spanning-tree vlan 1 priority 1000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

STP: Selecting the Root Bridge
SW-A(config)#spanning-tree vlan 1 priority 0
SW-B(config)#spanning-tree vlan 1 priority 4096
OR
SW-A(config)#spanning-tree vlan 1 root primary
SW-B(config)#spanning-tree vlan 1 root secondary
NOTE: 'root primary' reduces the priority by 8192 from the default (32768 -> 24576); 'root secondary' reduces it by 4096 from the default (32768 -> 28672).

Per-VLAN STP
* Every VLAN runs a separate STP instance by default.
* Provides load sharing, at the cost of more overhead.
SW-A(config)#spanning-tree vlan 10,20,30 root primary
SW-A(config)#spanning-tree vlan 40,50,60 root secondary
SW-B(config)#spanning-tree vlan 10,20,30 root secondary
SW-B(config)#spanning-tree vlan 40,50,60 root primary

PVST and PVST+ differences
* Both are Cisco proprietary. PVST supports only ISL trunks.
* PVST+ allows interoperability between CST and PVST on Cisco switches and supports the IEEE 802.1Q standard.

Common STP (CST)
* Runs one spanning-tree instance for all VLANs.
* Reduces CPU load.
* No load sharing.

Multiple Spanning Tree (MST)
* Allows several VLANs to be mapped to a single instance of STP.
* Reduces the number of spanning-tree instances (processing overhead).
* Provides load sharing (separate root bridges per instance).
  Instance 1 maps to VLANs 1-500
  Instance 2 maps to VLANs 501-1000
* Started as Cisco's MISTP; the standard was originally defined in IEEE 802.1s.
* An instance handles multiple VLANs that have the same Layer 2 topology.
Figure: root for instance 1 and root for instance 2 (instance 1 = VLANs 1-500, instance 2 = VLANs 501-1000).

MSTP Regions
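An added example tying together the root bridge selection rules above and the Root Guard test earlier in this chapter (it is not part of the workbook and not IOS code): a small Python model of the PVST+ bridge ID, the priority check IOS applies, what 'root primary' / 'root secondary' configure, and how a port with Root Guard reacts to a superior BPDU. The switch names and MAC addresses come from the lab outputs; the port names (Fa0/19, Fa0/1) and the simplified root-primary rule are assumptions of the example.

```python
"""Model of the PVST+ root election and of Root Guard.

Added example for this workbook (not IOS code). Switch names and MAC addresses
are taken from the lab output; the port names and the simplified model of the
'root primary' macro are assumptions of the example."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
ALLOWED_PRIORITIES = list(range(0, 65536, 4096))   # 0, 4096, ..., 61440


def check_priority(priority: int) -> int:
    """The same check IOS applies to 'spanning-tree vlan X priority'."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError("Bridge Priority must be in increments of 4096. Allowed values are: "
                         + " ".join(str(p) for p in ALLOWED_PRIORITIES))
    return priority


def root_primary_priority(current_root_priority: int) -> int:
    """'spanning-tree vlan X root primary': 24576 (8192 below the default), or 4096
    below the current root if that root already sits at 24576 or lower (simplified)."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority == 0:
        raise ValueError("current root already uses priority 0; set the priority manually")
    return current_root_priority - 4096


def root_secondary_priority() -> int:
    """'spanning-tree vlan X root secondary' configures 28672 (4096 below the default)."""
    return 28672


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    """PVST+ bridge ID as a comparable tuple (priority + sys-id-ext, MAC); lower wins.
    'show spanning-tree' prints the sum, e.g. 4097 = priority 4096 + sys-id-ext 1."""
    check_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return priority + vlan, int(mac.replace(".", "").replace(":", ""), 16)


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY
    root_guard_ports: set = field(default_factory=set)   # 'spanning-tree guard root'

    def bid(self, vlan: int) -> tuple[int, int]:
        return bridge_id(self.priority, vlan, self.mac)


def elect_root(switches, vlan: int) -> Switch:
    """The switch with the lowest bridge ID becomes the root for that VLAN."""
    return min(switches, key=lambda s: s.bid(vlan))


def receive_bpdu(local: Switch, port: str, sender: Switch, vlan: int) -> str:
    """What 'local' does when a BPDU from 'sender' arrives on 'port' for one VLAN.
    A superior BPDU on a Root Guard port does not change the root: the port goes
    root-inconsistent (no data forwarded) until superior BPDUs stop arriving."""
    superior = sender.bid(vlan) < local.bid(vlan)
    if superior and port in local.root_guard_ports:
        return "root-inconsistent"
    if superior:
        return "root-port"          # local accepts the sender as the way to the root
    return "designated"


if __name__ == "__main__":
    sw1 = Switch("SW1", "000b.bee2.fa00", priority=4096, root_guard_ports={"Fa0/19"})
    sw2 = Switch("SW2", "0017.95db.9700", priority=0)    # the superior BPDU in the test
    print("root by election alone:", elect_root([sw1, sw2], 1).name)
    print("SW1 Fa0/19 with Root Guard:", receive_bpdu(sw1, "Fa0/19", sw2, 1))
    sw2.priority = DEFAULT_PRIORITY                       # 'no spanning-tree vlan 1 priority 0'
    print("after SW2 reverts:", receive_bpdu(sw1, "Fa0/19", sw2, 1))
```

Run as a script it reproduces the two halves of the Root Guard task: with SW2 at priority 0 the plain election would hand SW2 the root role, the guarded port instead goes root-inconsistent, and once SW2 returns to the default the port is designated again. Note that Root Guard is the only thing standing between an unmanaged switch with a low priority and your root bridge; it belongs on every port facing a device you do not control.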
A collection of switches that have the same MST configuration comprises an MST region. The configuration consists of:
1. Configuration (region) name (32 bytes)
2. Revision number (two bytes)
3. VLAN-to-STP-instance mappings

MSTP Configuration
SW1 / SW2 (on all switches):
SWx(config)#spanning-tree mode mst
SWx(config)#spanning-tree mst configuration
SWx(config-mst)#revision 1
SWx(config-mst)#name CCIE
SWx(config-mst)#instance 1 vlan 10,20,30
SWx(config-mst)#instance 2 vlan 40,50,60
SWx(config-mst)#exit

Figure: SW1 -- f0/23 -- SW2 (switches with mismatching configuration form separate, non-MST regions)

SW1(config)#spanning-tree mst 1 root primary
SW1(config)#spanning-tree mst 2 root secondary
SW2(config)#spanning-tree mst 2 root primary
SW2(config)#spanning-tree mst 1 root secondary

NOTE:
* Switches in one region must have the same MST name, revision number and VLAN-to-instance mapping.
* If these do not match, the switches are considered to be in different regions, even if the instances contain the same VLANs.

Intra vs Inter Region
Intra region:
* Details of the region are known within the region.
* VLAN-to-MSTI mappings are manually defined.
* Undefined VLANs fall into the CIST (MST instance 0).
Inter region:
* Details between regions are not known.
* Different regions see each other as virtual bridges; the result is a simplified inter-region calculation.
* Intra-region MSTIs are collapsed into the CIST.

MST Interoperability
* MST is backwards compatible with legacy CST and PVST+.
* Interoperation behaves like inter-region MST.
* The CST root should be within the MST region.

LAB: MSTP (MULTIPLE SPANNING-TREE)
Topology: SW1 -- f0/23 -- SW2 and SW1 -- f0/24 -- SW2

SW1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
SW2              Fas 0/24          165        S I         WS-C3560-  Fas 0/24
SW2              Fas 0/23          165        S I         WS-C3560-  Fas 0/23

TASK:
* Configure a manual trunk on the links connecting SW1 and SW2.
* Configure VTP to synchronize the VLAN information between the two switches.
* Create VLANs 10, 20, 30 and 40 on any one of the switches.
SW1 / SW2:
SWx(config)#int range f0/23 - 24
SWx(config-if-range)#switchport trunk encapsulation dot1q
SWx(config-if-range)#switchport mode trunk
SWx(config)#vtp domain CCIE

SW1 or SW2:
SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config-vlan)#vlan 30
SW1(config-vlan)#vlan 40
SW1(config-vlan)#end

SW1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0017.95db.9700
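An added example for the MST region definition and the MST configuration above (it is not part of the workbook and not IOS code). IEEE 802.1s does not carry the VLAN-to-instance table in BPDUs; it carries an HMAC-MD5 digest of the 4096-entry table computed with a fixed key, and two switches belong to the same region only when name, revision and digest all match. The Python below computes that standard digest (not Cisco's pre-standard variant) so you can compare intended configurations, such as the CCIE / revision 1 lab configuration, before touching the switches. The VLAN range syntax accepted by parse_vlan_list and the MstConfigId helper are assumptions of the example.

```python
"""MST region identity: name, revision and the digest of the VLAN-to-instance table.

Added example for this workbook (not IOS code). Implements the 802.1s
configuration digest (HMAC-MD5 with the fixed key from the standard over the
4096 two-octet MSTID entries) so that two configurations can be compared."""
import hashlib
import hmac
from dataclasses import dataclass

# Fixed signature key from IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> list[int]:
    """Expand an IOS-style VLAN list such as '10,20,30' or '1-500,600'."""
    vlans = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.extend(range(lo, hi + 1))
    return vlans


def mst_config_table(instances: dict[int, str]) -> bytes:
    """Build the 4096-entry table (VLAN 0..4095 -> MSTID, two octets, big-endian).
    VLANs not listed under any instance stay in instance 0, the CIST/IST."""
    table = [0] * 4096
    for msti, spec in instances.items():
        if not 1 <= msti <= 4094:
            raise ValueError(f"MSTI out of range: {msti}")
        for vlan in parse_vlan_list(spec):
            table[vlan] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_digest(instances: dict[int, str]) -> str:
    """Hex digest as IOS prints it in 'show spanning-tree mst configuration digest'."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instances), hashlib.md5).hexdigest().upper()


@dataclass(frozen=True)
class MstConfigId:
    """The three values a switch advertises to identify its region."""
    name: str
    revision: int
    digest: str


def mst_config_id(name: str, revision: int, instances: dict[int, str]) -> MstConfigId:
    if len(name.encode()) > 32:
        raise ValueError("MST name is limited to 32 bytes")
    if not 0 <= revision <= 65535:
        raise ValueError("MST revision is a two-byte number")
    return MstConfigId(name, revision, mst_digest(instances))


def same_region(a: MstConfigId, b: MstConfigId) -> bool:
    """Two switches form one region only if all three values match."""
    return a == b


if __name__ == "__main__":
    lab = {1: "10,20,30", 2: "40,50,60"}           # the lab's instance mapping
    sw1 = mst_config_id("CCIE", 1, lab)
    sw2 = mst_config_id("CCIE", 1, {1: "10,20,30", 2: "40,50"})   # one VLAN missing
    print("default digest:", mst_digest({}))
    print("SW1:", sw1)
    print("SW2:", sw2)
    print("same region:", same_region(sw1, sw2))
```

A switch that is "almost" configured like its neighbours (same name and revision, one VLAN left out of an instance) silently forms its own region and is treated as a virtual bridge by the others; comparing digests, not just names, is how that is caught. With no instances configured the digest is the well-known default for all VLANs in the CIST.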
