
CCNP SWITCH

Version 2.0

__________________________________________________________________________________

Warning and Disclaimer


This book is designed to provide information about switching for networking
professionals, both freshers and experienced. Every effort has been made to make
this book as complete and as accurate as possible, but no warranty or fitness is
implied. The authors have neither liability nor responsibility to any person or
entity with respect to any loss or damage arising from the information
contained in this book.

Feedback Information
Reader’s feedback is a natural continuation of this process. If you have any
comments regarding how we could improve the quality of this book, or
otherwise alter it to better suit your needs, you can contact us through email
at cisconetworklearning@gmail.com.

You can also visit my YouTube channel:


www.youtube.com/cisconetworklearning

Dedications
I would like to dedicate this book to my Mom and Dad for their love,
encouragement and continuous support.
Acknowledgement
First, I would like to thank God for giving me the opportunity and ability to
write, teach, and do what I truly enjoy doing. Also, I would like to thank my
family, especially my wife, for her constant encouragement and help.

Contents covered in this ebook

 Basics of switching.
 CDP: Cisco Discovery Protocol.
 VLAN: Virtual Local Area Network.
 Trunking.
 VTP: VLAN Trunking Protocol.
 EtherChannel.
 STP: Spanning Tree Protocol.
 STP protection.
 RSTP: Rapid Spanning Tree Protocol.
 MSTP: Multiple Spanning Tree Protocol.
 MLS: Multilayer Switching.
 High availability (HSRP, VRRP, GLBP).
 IP telephony.
 Wireless.
 AAA: Authentication, Authorization, Accounting.
 Layer 2 security (DHCP snooping, IP Source Guard, Dynamic ARP
Inspection, VLAN hopping, VLAN ACLs, protected ports, private VLANs, storm
control, SPAN, port security).
Switching
 Switching is the process of moving data (frames or packets) from the port
on which it was received to the port that leads to its destination.

Types of Switching

 Layer 2 switching
 Layer 3 switching
 Multi-Layer switching

Layer 2 Switching

 The process of forwarding data on the basis of Layer 2 (data link)
addresses.

Types of layer 2 switching

 Ethernet switch
 Frame-Relay switch
 ATM switch

Ethernet Switching

 The process of forwarding traffic on the basis of MAC addresses.

Functions / processes of a Layer 2 Ethernet switch

 Address learning (source MAC to port mapping in the CAM table)
 Filtering and forwarding decisions (destination MAC lookup)
 Loop avoidance (Spanning Tree Protocol)
Layer 3 devices can perform three types of switching (packet forwarding paths)

Process switching: the CPU (route processor) performs a routing-table lookup
for every received packet. This is the slowest path.

Fast switching: the route processor (RP) looks up the routing table only for
the first packet of a flow; the switching engine (SE) then installs a
shortcut entry in a route cache, and later packets of the same flow are
forwarded from the cache, which frees the RP.

CEF switching (Cisco Express Forwarding)

CEF builds two tables in advance, before any traffic arrives: the FIB and the
adjacency table.

FIB (Forwarding Information Base): a forwarding copy of the routing table,
organised for fast longest-match lookup; each entry points at an adjacency.

Adjacency table: the Layer 2 rewrite information (next-hop MAC address and
egress interface) for every directly connected next hop.

Packet rewrite: when a packet crosses a Layer 3 device, the device is always
responsible for rewriting the Layer 2 header (source MAC = egress interface,
destination MAC = next hop), decrementing the IP TTL and recomputing the IP
header checksum.

How a switch learns MAC addresses

Dynamically: the switch learns the source MAC address of every frame it
receives and records it, with the ingress port and VLAN, in its CAM table.

Statically: we manually enter a MAC address, VLAN and port into the CAM
table. A static entry never ages out, and because the address is always
known the switch never has to flood (unknown-unicast flooding) to reach it.

 switch#show mac address-table dynamic
 switch#show mac address-table interface fa 0/1
 switch#show mac address-table static
 switch#show mac address-table
(older IOS releases spell these commands mac-address-table)
how to add MAC address table entries statically
 sw(config)#mac address-table static 0000.0000.0001 vlan 1 interface fa
0/1
 sw(config)#mac address-table static 0000.0000.0001 vlan 1 drop
(the drop form discards every frame sent to or from that address in that
VLAN; the vlan keyword is required in both forms)

How to recover a port from the err-disabled state

 switch(config)#errdisable recovery cause all
 switch(config)#errdisable recovery interval 60
 switch#show errdisable recovery
 switch(config-if)#shutdown
 switch(config-if)#no shutdown (manual recovery)

Note: errdisable recovery is a global configuration command, not an
interface command. Automatic recovery re-enables a port that a protection
feature (BPDU guard, port security, UDLD) shut down, so use it only where the
cause is expected to be transient and is being logged.

how to change the MAC address table aging time (default 300 seconds)

 switch(config)#mac address-table aging-time 200
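Added example (not from the book): a small Python model of the CAM table that shows the learning, flooding, filtering, aging and static/drop behaviour described above. MAC addresses, port names and timestamps are constructed for the example; the model ignores port security and VLAN membership checks.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_AGING = 300  # IOS default MAC address table aging time, in seconds


@dataclass
class Entry:
    port: str
    static: bool
    learned_at: Optional[float]  # None for static entries, which never age


class CamTable:
    """Model of a Layer 2 switch MAC address table, keyed by (vlan, mac)."""

    def __init__(self, aging_time: int = DEFAULT_AGING):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.drop: Set[Tuple[int, str]] = set()

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """mac address-table static MAC vlan V interface P"""
        self.entries[(vlan, mac)] = Entry(port, True, None)

    def add_drop(self, mac: str, vlan: int) -> None:
        """mac address-table static MAC vlan V drop"""
        self.drop.add((vlan, mac))

    def _age_out(self, now: float) -> None:
        """Remove dynamic entries that have been idle longer than the aging time."""
        for key, e in list(self.entries.items()):
            if not e.static and now - e.learned_at > self.aging_time:
                del self.entries[key]

    def receive(self, vlan: int, src: str, dst: str, in_port: str, now: float) -> str:
        """Process one frame. Returns the egress port, or 'flood', 'filter' or 'drop'."""
        self._age_out(now)
        if (vlan, src) in self.drop or (vlan, dst) in self.drop:
            return "drop"              # static drop entry: frames to or from it are discarded
        # Address learning: refresh the dynamic entry for the source MAC.
        # A static entry for the source is never overwritten by learning.
        cur = self.entries.get((vlan, src))
        if cur is None or not cur.static:
            self.entries[(vlan, src)] = Entry(in_port, False, now)
        e = self.entries.get((vlan, dst))
        if e is None:
            return "flood"             # unknown unicast (or broadcast): flood the VLAN
        if e.port == in_port:
            return "filter"            # destination lives behind the ingress port
        return e.port

    def show(self) -> Dict[str, str]:
        """Compact equivalent of 'show mac address-table': 'mac@vlan' -> 'port TYPE'."""
        return {f"{mac}@{vlan}": f"{e.port} {'STATIC' if e.static else 'DYNAMIC'}"
                for (vlan, mac), e in sorted(self.entries.items())}


def demo() -> List[str]:
    """Constructed traffic; returns the forwarding decision for each frame in order."""
    t = CamTable(aging_time=200)          # mac address-table aging-time 200
    t.add_static("0000.0000.0003", 1, "fa0/3")
    t.add_drop("0000.0000.00bb", 1)
    return [
        t.receive(1, "0000.0000.0001", "ffff.ffff.ffff", "fa0/1", now=0),    # broadcast: flood
        t.receive(1, "0000.0000.0002", "0000.0000.0001", "fa0/2", now=1),    # learned: fa0/1
        t.receive(1, "0000.0000.0002", "0000.0000.0003", "fa0/2", now=2),    # static: fa0/3
        t.receive(1, "0000.0000.0002", "0000.0000.00bb", "fa0/2", now=3),    # drop entry
        t.receive(1, "0000.0000.0002", "0000.0000.0001", "fa0/2", now=250),  # aged out: flood
        t.receive(1, "0000.0000.0002", "0000.0000.0002", "fa0/2", now=251),  # same port: filter
    ]


if __name__ == "__main__":
    print(demo())
```

The fifth frame is the interesting one: the entry for 0000.0000.0001 was learned at time 0 and the aging time is 200, so at time 250 it is gone and the switch floods again. This is the same mechanism an attacker relies on when overflowing the CAM table with bogus source addresses, and it is why a static entry (or port security) for critical hosts removes the flooding path.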

how to create an interface-range macro

 sw(config)#define interface-range test fa 0/1 - 4 , fa 0/7 , fa
0/10
 sw(config)#interface range macro test
 sw(config-if-range)#

Note: an interface-range macro is a named group of interfaces used for bulk
configuration; it is different from a Smartport macro (macro apply), which
applies a configuration template to a port.

how to give a description to a port

 switch(config-if)#description this port is connected to printer
 switch#show interfaces fa 0/1

how to specify the speed on a particular port

 switch(config-if)#speed {10 | 100 | 1000 | auto}
how to change the duplex mode on a port
 switch(config-if)#duplex {auto | half | full}
 switch#show interfaces fa 0/1

CDP Cisco Discovery Protocol

 it is a Cisco proprietary protocol
 it works at Layer 2 (it needs no IP addressing)
 it is enabled by default on Cisco devices
 it is used to discover information about directly connected neighbours
(hostname, platform, IOS version, IP address, port IDs)
 this information is helpful when troubleshooting
 CDP timer 60 sec, holdtime 180 sec
 multicast MAC address 0100.0CCC.CCCC
 switch#show cdp neighbors detail
 switch#show cdp neighbors

Note: CDP advertises the platform and IOS version to anyone on the link, so
it is normally disabled on user-facing ports (no cdp enable) and kept only on
infrastructure links and on ports serving Cisco IP phones, which rely on it.

how to enable / disable CDP

 switch(config)#cdp run
 switch(config)#no cdp run
 switch(config-if)#cdp enable
 switch(config-if)#no cdp enable

how to change the CDP timers

 switch(config)#cdp timer 80
 switch(config)#cdp holdtime 200
LLDP Link Layer Discovery Protocol
 it is an open standard protocol (IEEE 802.1AB)
 it is used to discover information about directly connected neighbours,
including non-Cisco devices
 this information is helpful when troubleshooting
 LLDP timer 30 sec, LLDP holdtime 120 sec
 it carries all of its information in TLVs (type, length, value)
 it is disabled by default on Cisco switches and must be enabled with
lldp run

LLDP configuration
 switch(config)#lldp run
 switch(config)#lldp timer 30
 switch(config)#lldp holdtime 120
 switch(config-if)#lldp transmit
 switch(config-if)#lldp receive
 switch#show lldp
 switch#show lldp neighbors
 switch#show lldp entry *

VLAN virtual local area network

 a VLAN is used to break up a broadcast domain at Layer 2; one VLAN is
one broadcast domain.
 a VLAN is identified by a 12-bit number, the VLAN ID.
 the VLAN ID range is 0 to 4095; 0 and 4095 are reserved, the normal range
is 1 to 1005 (1002 to 1005 are reserved for FDDI and Token Ring) and the
extended range is 1006 to 4094.
 the default VLAN is VLAN 1; every port belongs to it until assigned
elsewhere.
 the VLAN database is saved in the vlan.dat file in flash memory, not in
the running-config.
how to create a VLAN
 switch(config)#vlan 10
 switch(config-vlan)#name sales
 switch#show vlan brief

how to assign a port to a VLAN

static VLAN assignment:
 switch(config-if)#switchport access vlan 10
 switch#show vlan brief
 switch#show vlan id 10

dynamic VLAN assignment

 VMPS, VLAN Management Policy Server (legacy, assigns the VLAN by source
MAC address)
 AAA, Authentication, Authorization and Accounting (802.1X, with the VLAN
returned by the RADIUS server)

Switchport
a switch interface operating in Layer 2 mode, i.e. one that forwards frames
on MAC addresses rather than routing packets

 Access port - carries the traffic of a single VLAN, untagged

 Trunk port - carries the traffic of multiple VLANs, tagged
DTP Dynamic Trunking Protocol
 it is a Cisco proprietary protocol
 it is enabled by default on all switch ports
 it negotiates whether a link becomes an access link or a trunk
 periodic messages every 30 sec
 multicast MAC address 0100.0CCC.CCCC
 DTP modes: 1 dynamic auto (the default on most current Catalyst
switches; trunks only if the other side asks), 2 dynamic desirable
(actively asks to trunk)

Note: auto + auto stays access; desirable + auto, desirable + desirable and
trunk + auto/desirable all form a trunk. A port left in dynamic auto will
therefore become a trunk with any device that sends DTP desirable frames,
which is why user-facing ports are hard-coded as access ports (see VLAN
hopping under Layer 2 security).

how to create a manual access port or trunk port

 switch(config-if)#switchport mode access
 switch(config-if)#switchport mode trunk
 switch#show interfaces fa 0/1 switchport
 switch#show interfaces trunk
 switch#show interfaces status
 switch#show interfaces fa 0/1 trunk

how to create a dynamic access port or trunk port

 switch(config-if)#switchport mode dynamic desirable
 switch(config-if)#switchport mode dynamic auto

how to disable DTP

 switch(config-if)#switchport mode access
 switch(config-if)#switchport nonegotiate

note: switchport mode access fixes the port as an access port, so it can
never be negotiated into a trunk; switchport nonegotiate additionally stops
the port from sending DTP frames at all. nonegotiate is only accepted in
access or trunk mode, not in dynamic mode. Apply both on every user-facing
port and on manually configured trunks.

how to change the trunk encapsulation type

 switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}
(only on platforms that still support ISL; many current switches support
dot1q only and do not accept this command)
how to control the VLAN list allowed on a trunk port
 sw(config-if)#switchport trunk allowed vlan {all | none | add | remove |
except | <vlan-list>}
(keep the allowed list limited to the VLANs the trunk actually needs; a
trunk that allows all VLANs extends every broadcast domain to that link)

Native VLAN
 on a dot1q trunk, frames belonging to the native VLAN are sent untagged,
and untagged frames received on the trunk are placed in the native VLAN.
Only dot1q has a native VLAN; ISL tags every frame. The default native VLAN
is VLAN 1 and it must match on both ends of the trunk (CDP reports a
native VLAN mismatch).

how to set the native VLAN on a trunk

 switch(config-if)#switchport trunk native vlan 2
 switch(config)#vlan dot1q tag native (on platforms that support it, tags
native VLAN frames too, so that no untagged frame is accepted on trunks)
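Added example (not from the book): Python functions that build and parse the 802.1Q tag and apply the trunk ingress/egress rules just described, covering the 12-bit VLAN ID range, the allowed list and the untagged native VLAN. The sample frame, MAC addresses and VLAN numbers are constructed; the last function shows the mechanism behind the VLAN hopping entry in the contents, which is a consequence of the native VLAN leaving the trunk untagged.

```python
import struct
from typing import Iterable, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def tag_frame(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MAC addresses."""
    if not 1 <= vlan <= 4094:          # VID is 12 bits; 0 and 4095 are reserved
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = (pcp & 0x7) << 13 | vlan     # TCI = PCP(3) | DEI(1, zero here) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Remove one outer 802.1Q tag. Returns (vlan, remaining frame); vlan is None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class TrunkPort:
    """Ingress and egress rules of a dot1q trunk with an allowed list and a native VLAN."""

    def __init__(self, allowed: Iterable[int], native: int = 1):
        self.allowed = set(allowed)   # switchport trunk allowed vlan ...
        self.native = native          # switchport trunk native vlan ...

    def ingress(self, frame: bytes) -> Tuple[Optional[int], bytes]:
        """Classify a received frame into a VLAN; (None, frame) means the frame is dropped."""
        vid, inner = pop_tag(frame)
        if vid is None:
            vid = self.native         # untagged frames belong to the native VLAN
        if vid not in self.allowed:
            return None, inner        # VLAN not allowed on this trunk
        return vid, inner

    def egress(self, vlan: int, frame: bytes) -> Optional[bytes]:
        """Prepare a frame of `vlan` for transmission on the trunk, or None if not allowed."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native:
            return frame              # native VLAN leaves untagged
        return tag_frame(frame, vlan)


def exposed_inner_vlan(frame: bytes, trunk: TrunkPort) -> Optional[int]:
    """What the next switch sees after this trunk strips one tag from `frame`.

    A frame that lands in the native VLAN is forwarded untagged, so if it carried
    a second (inner) tag that tag is now the outer one. Returns that VLAN, or None
    when the frame was dropped or had no inner tag."""
    vid, inner = trunk.ingress(frame)
    if vid is None or vid != trunk.native:
        return None
    return pop_tag(inner)[0]


# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 EtherType, payload.
SAMPLE = bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb") + b"\x08\x00" + b"payload"

if __name__ == "__main__":
    trunk = TrunkPort(allowed={1, 10, 20}, native=1)
    print(trunk.ingress(tag_frame(SAMPLE, 10))[0], trunk.ingress(SAMPLE)[0])
    print(exposed_inner_vlan(tag_frame(tag_frame(SAMPLE, 20), 1), trunk))
```

With the default native VLAN 1 allowed on the trunk, a frame tagged twice (outer tag 1, inner tag 20) enters VLAN 1, leaves the next trunk untagged and arrives at the far switch tagged 20. Giving the trunk an unused native VLAN that is not in the allowed list (or tagging the native VLAN) makes `exposed_inner_vlan` return None, which is the configuration outcome the native VLAN notes above aim for.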

Inter-VLAN routing

 a Layer 3 device (router or multilayer switch) is needed for hosts in two
different VLANs to communicate, because each VLAN is a separate broadcast
domain and IP subnet.

VTP VLAN Trunking Protocol

 it is a Cisco proprietary protocol.
 it works at Layer 2.
 it is used to propagate VLAN information (add, delete, rename) from one
switch to the other switches in the same VTP domain, over trunk links
 centralized VLAN management
 it uses the multicast MAC address 0100.0CCC.CCCC for VTP updates (the same
address is used by CDP, VTP, UDLD, DTP and PAgP)
VTP Modes

 Server mode
 Client mode
 Transparent mode

Server mode

 in this mode we can add, remove and edit VLANs.
 it is the default VTP mode on most switch models
 it saves VLAN information in the vlan.dat file in flash memory.
 in this mode the switch originates VTP updates
 it also relays updates received from other switches
 it supports only normal-range VLANs (VTP version 1 and 2)

Client mode

 in this mode we cannot add, remove or edit VLANs.
 it also stores VLAN information in its vlan.dat file
 it supports only normal-range VLANs
 it also relays updates
 it learns its VLANs from a server's advertisements

Transparent mode

 in this mode we can add, remove or edit VLANs locally.
 it is the default VTP mode on some platforms
 it does not update its own VLAN database from VTP updates received from
neighbouring switches.
 it does not send its own VLAN information to any other switch
 it does not originate VTP updates
 it supports normal-range as well as extended-range VLANs
 it stores VLAN information in its vlan.dat file and also in the
running-config
 it still relays VTP updates received on one trunk out of its other trunks
(in version 2 it relays them even when the domain name does not match)
VTP requirements

 trunking must be enabled between the two switches
 the VTP domain name must match
 the VTP password must match (if one is configured)

How VTP sends update messages

 Triggered update (on every VLAN database change)
 Periodic update (every 300 sec)

C.R. number (configuration revision)

 it is a 32-bit number
 it is always shown in decimal.
 by default the C.R. number is 0.
 it is incremented by one whenever a VLAN is added, removed or modified in
the VLAN database

Types of VTP messages

 summary advertisement
 subset advertisement
 advertisement request from a client
 join (used with VTP pruning)

Summary advertisement

 a VTP server generates a summary advertisement every 300 sec and every
time the VLAN database changes.
 a receiving switch checks only the C.R. number (and the digest) in it,
not the VLAN list
contents of a summary advertisement

 domain name
 version
 C.R. number
 MD5 digest value (computed over domain, password and C.R. number)
 number of subset advertisements that follow
 updater identity and update timestamp

Subset advertisement

 it contains the actual VLAN information (one or more VLANs per message).
 it is generated when a VLAN change occurs, or in response to an
advertisement request.

Advertisement request from a client

 a client switch that has been reset, or whose VLAN database has been
cleared, generates an advertisement request; the VTP server responds with
a summary advertisement and subset advertisements to bring it up to date.
A switch also sends a request when it hears a summary advertisement with a
higher C.R. number than its own.

Note: a server-mode switch will not generate any VTP update as long as its
domain name is null (unset).

note: the MD5 digest value is calculated over the domain name, password and
C.R. number.

note: when an update arrives with a higher C.R. number, the switch
recalculates the MD5 digest with its own domain name and password and
accepts the update only if the digest matches; the higher revision then
overwrites the local VLAN database.

note: the C.R. number becomes 0 when we change the domain name (or switch the
mode to transparent and back).

note: the C.R. number increments by 1 if we change the VTP version.

note: a VTP password is not required on a transparent-mode switch.

Caution: nothing in VTP version 1 or 2 distinguishes a legitimate server from
any other switch in the domain. A switch with a matching domain name and
password and a higher C.R. number (for example a lab switch reused in
production) overwrites the VLAN database of every server and client,
deleting VLANs and shutting down every access port assigned to them. Before
adding a switch to a domain, reset its revision to 0 by changing its domain
name or setting it to transparent mode, or use VTP version 3 or transparent
mode everywhere.
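Added example (not from the book): a Python model of the VTP acceptance rule (domain match, digest check, higher revision wins) run through the scenario in the caution above. Switch names, VLAN numbers and the password are constructed; the digest routine is a simplified stand-in for the real MD5 computation, which covers the same inputs but whose exact byte layout is not reproduced here.

```python
import hashlib
from typing import Dict, Optional


class VtpSwitch:
    """VLAN database of one switch plus the rule it applies to received VTP advertisements."""

    def __init__(self, name: str, mode: str, domain: Optional[str] = None, password: str = ""):
        self.name, self.mode = name, mode          # mode: server, client or transparent
        self.domain, self.password = domain, password
        self.revision = 0                          # configuration revision number, starts at 0
        self.vlans: Dict[int, str] = {1: "default"}

    def digest(self, revision: int) -> str:
        # Assumption: simplified stand-in for the real VTP MD5 digest. Like the real one it
        # covers domain name, password and revision; the summary-advertisement layout is not
        # reproduced, so only the behaviour (mismatch on wrong password) is modelled.
        return hashlib.md5(f"{self.domain}|{self.password}|{revision}".encode()).hexdigest()

    def _check_writable(self) -> None:
        if self.mode == "client":
            raise PermissionError("client mode cannot modify the VLAN database")

    def configure_vlan(self, vid: int, name: str) -> None:
        """'vlan N' / 'name X': allowed in server and transparent mode, refused on a client."""
        self._check_writable()
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1                     # every change bumps the revision on a server

    def delete_vlan(self, vid: int) -> None:
        self._check_writable()
        self.vlans.pop(vid, None)
        if self.mode == "server":
            self.revision += 1

    def set_domain(self, domain: str) -> None:
        """'vtp domain X': changing the domain name resets the revision to 0."""
        self.domain, self.revision = domain, 0

    def advertise(self) -> Optional[dict]:
        """Summary + subset advertisement. Transparent switches and null-domain servers send none."""
        if self.mode == "transparent" or self.domain is None:
            return None
        return {"domain": self.domain, "revision": self.revision,
                "digest": self.digest(self.revision), "vlans": dict(self.vlans)}

    def receive(self, adv: Optional[dict]) -> bool:
        """Accept the advertisement only if domain and digest match and its revision is higher.
        Servers and clients alike replace their whole VLAN database when they accept."""
        if adv is None or self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["digest"] != self.digest(adv["revision"]):
            return False                           # password mismatch: digest does not verify
        if adv["revision"] <= self.revision:
            return False                           # older or equal revision: ignored
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def takeover_demo():
    """Constructed scenario: a reused lab switch with a higher revision wipes production VLANs."""
    prod = VtpSwitch("prod-core", "server", "cisco", "ccie")
    for vid in (10, 20, 30):
        prod.configure_vlan(vid, f"vlan{vid}")             # revision becomes 3
    client = VtpSwitch("access-1", "client", "cisco", "ccie")
    client.receive(prod.advertise())                       # client learns VLANs 10, 20, 30
    lab = VtpSwitch("lab", "server", "cisco", "ccie")      # same domain and password
    for _ in range(5):                                     # add/delete churn: revision 10
        lab.configure_vlan(99, "scratch")
        lab.delete_vlan(99)
    before = sorted(client.vlans)
    prod_accepted = prod.receive(lab.advertise())          # the production server accepts it too
    client_accepted = client.receive(lab.advertise())
    return before, sorted(client.vlans), prod_accepted, client_accepted, lab.revision


if __name__ == "__main__":
    print(takeover_demo())
```

Note that the production server itself accepts the lab switch's advertisement: server mode protects nothing here, only the revision number counts. Calling `set_domain` on the lab switch first (or putting it in transparent mode) would have reset its revision to 0 and the advertisement would have been ignored.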


VTP configuration

 switch(config)#vtp mode {server | client | transparent}
 switch(config)#vtp domain cisco
 switch(config)#vtp password ccie
 switch#show vtp status
 switch#show vtp counters
 switch#debug sw-vlan vtp events

VTP versions

 version 1: no Token Ring VLAN support; unrecognised TLVs are dropped
 version 2: adds Token Ring VLAN support and forwards unrecognised TLVs
 version 3
VTP version 3

 we can create extended-range VLANs in server mode
 we can create private VLANs in server mode and propagate them to other
switches
 the password can be stored hidden (vtp password ... hidden)
 modes: 1 server 2 client 3 transparent 4 off
 only one switch per domain, the primary server (vtp primary), may change
the VLAN database; other servers and clients accept updates only from it,
which closes the revision-number overwrite problem of versions 1 and 2

Updater-ID

 it identifies which switch sent the last VTP update (shown in show vtp
status).
 the updater ID is taken from an SVI IP address; if several SVIs exist, the
lowest IP address is used.
VTP pruning

 it stops flooded traffic (broadcasts, multicasts, unknown unicasts) of a
VLAN from being sent over a trunk to a switch that has no ports in that
VLAN.
 transparent-mode switches do not take part in VTP pruning.
 enable VTP pruning on the server; the clients are enabled automatically.
 VLAN 1 (and VLANs 1002 to 1005) cannot be pruned.

how to enable VTP pruning

 switch(config)#vtp pruning
 switch#show interfaces fa 0/24 pruning
 switch(config-if)#switchport trunk pruning vlan remove 10 (on the trunk;
makes VLAN 10 ineligible for pruning on that trunk)

GVRP GARP VLAN Registration Protocol

 it is an open standard protocol (IEEE 802.1Q, based on GARP; superseded by
MVRP in 802.1ak)
 it is used to transfer VLAN registration information from one switch to
another.

EtherChannel

 it is also called link aggregation
 it is used to aggregate multiple physical links into a single logical
link.
 that logical link is called a port channel.
Requirements of EtherChannel (must match on every member port)

 duplex
 speed
 EtherChannel protocol (static, PAgP or LACP)
 trunk allowed VLAN list
 native VLAN
 trunk encapsulation protocol
 pruning eligibility list
 switchport mode (all access ports in the same VLAN, or all trunks)

Note: after creating an EtherChannel, STP runs on the port-channel interface
as one logical port; the member ports no longer take part in STP
individually, and no loop can form between the members of one bundle.

Types of EtherChannel

 static (mode on, no negotiation protocol)
 PAgP
 LACP

PAgP

 it stands for Port Aggregation Protocol.
 it is a Cisco proprietary protocol
 aggregates up to 8 links
 modes: 1 auto (waits for the neighbour to negotiate) 2 desirable
(actively negotiates); auto + auto never forms a channel

PAgP silent / non-silent mode

Silent (default): the port is added to the port channel even if no PAgP
packets are received from the other end, so a partner that never speaks
(a server, a packet analyser) can still be bundled.

Non-silent: the port is bundled only after PAgP packets are received from
the neighbour, so both sides must run PAgP (desirable or auto). It is
commonly used on fiber-optic links, where a unidirectional failure would
otherwise leave a dead member in the bundle.
LACP

 it stands for Link Aggregation Control Protocol
 it is an open standard protocol (IEEE 802.3ad, now 802.1AX)
 it can aggregate up to 16 links in a single channel group
 only 8 links participate actively at a time
 the remaining ports stay in hot-standby state
 modes: 1 active (sends LACPDUs) 2 passive (only responds); passive +
passive never forms a channel

LACP system ID

 the switch with the lower LACP system ID becomes the deciding switch
 that switch selects the active ports using its own port IDs and
negotiates the result with the neighbour.

Election of the deciding switch

 1) system priority (default 32768, lower wins) 2) system MAC (base MAC)

LACP port ID

 it decides which ports are active and which stay in hot-standby.

Selection of active ports

 1) port priority (default 32768, lower wins) 2) interface (port) number
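Added example (not from the book): the LACP selection rules above in Python, applied to a constructed 16-link bundle so that 8 links end up active and 8 in hot-standby. MAC addresses and port numbers are made up; the point is to see which side decides and how lacp system-priority and lacp port-priority change the outcome.

```python
from typing import List, Tuple

SysId = Tuple[int, int]      # (system priority, base MAC as an integer)
PortId = Tuple[int, int]     # (port priority, port number)
Link = Tuple[PortId, PortId]  # (local port ID, peer port ID) of one physical member
MAX_ACTIVE = 8               # LACP bundles at most 8 active links; the rest are hot-standby


def system_id(priority: int, mac: str) -> SysId:
    """LACP system ID: 16-bit system priority followed by the base MAC; lower wins."""
    if not 1 <= priority <= 65535:
        raise ValueError("lacp system-priority is 1-65535")
    return priority, int(mac.replace(".", ""), 16)


def port_id(priority: int, number: int) -> PortId:
    """LACP port ID: 16-bit port priority followed by the port number; lower wins."""
    if not 0 <= priority <= 65535:
        raise ValueError("lacp port-priority is 0-65535")
    return priority, number


def select_active(local: SysId, peer: SysId, links: List[Link]):
    """Decide which member links are active.

    The side with the lower system ID orders the links by *its* port IDs and
    bundles the first MAX_ACTIVE; the others stay in hot-standby.
    Returns (deciding side, active links, standby links)."""
    if local <= peer:
        decider, key = "local", (lambda link: link[0])
    else:
        decider, key = "peer", (lambda link: link[1])
    ordered = sorted(links, key=key)
    return decider, ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


def local_ports(links: List[Link]) -> List[int]:
    """Local port numbers of a list of links, in the given order."""
    return [link[0][1] for link in links]


def demo():
    """Constructed bundle: local ports 1..16 cabled to peer ports 16..1 (crossed numbering)."""
    links = [(port_id(32768, n), port_id(32768, 17 - n)) for n in range(1, 17)]
    peer = system_id(32768, "0000.0000.0001")
    default_local = system_id(32768, "0000.0000.0002")   # equal priority: peer has the lower MAC
    lowered_local = system_id(4096, "0000.0000.0002")    # after 'lacp system-priority 4096'
    # 'lacp port-priority 100' on local port 16 makes it the most preferred member.
    preferred = [(port_id(100, 16), port_id(32768, 1)) if n == 16 else link
                 for n, link in zip(range(1, 17), links)]
    return (select_active(default_local, peer, links),
            select_active(lowered_local, peer, links),
            select_active(lowered_local, peer, preferred))


if __name__ == "__main__":
    for decider, active, standby in demo():
        print(decider, local_ports(active), local_ports(standby))
```

In the first run the peer decides because its base MAC is lower, and it orders the links by its own port numbers, so the local side ends up with ports 9 to 16 active rather than 1 to 8. Lowering the local system priority moves the decision to the local switch, and lowering one port's priority pulls that port into the active set regardless of its number.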


EtherChannel load-balancing methods (the selected fields are hashed to pick a
member link for each frame)

 source MAC
 destination MAC
 source and destination MAC
 source IP address
 destination IP address
 source and destination IP address
 source port number
 destination port number
 source and destination port number

Note: the method is set once per switch, and one flow always uses the same
member link, so a single large flow never gets more than the bandwidth of one
physical link.

configure a static EtherChannel

 switch(config-if-range)#channel-group 10 mode on
 switch#show etherchannel
 switch#show etherchannel summary
 switch#show interfaces port-channel 10
 switch#show spanning-tree
 switch#show ip interface brief
 switch#show etherchannel load-balance

configuration of PAgP

 switch(config-if-range)#channel-group 20 mode desirable non-silent
 switch(config-if-range)#channel-group 20 mode auto
configuration of LACP

 switch(config-if-range)#channel-group 20 mode active
 switch(config-if-range)#channel-group 20 mode passive
 switch#show etherchannel
 switch#show lacp sys-id
 switch#show lacp internal
 switch(config)#lacp system-priority (1-65535)
 switch(config-if)#lacp port-priority (0-65535)
 switch(config)#port-channel load-balance ?

Layer 3 EtherChannel

 if 8 routed links run between two Layer 3 switches without EtherChannel,
8 routing neighbourships are established.
 8 neighbour entries in the neighbour table.
 if any link goes down, that neighbourship goes down and routing has to
reconverge
 8 links need IP addresses in 8 different subnets.
 more CPU utilisation
 to solve these problems we use a Layer 3 EtherChannel: one routed
port-channel interface, one subnet, one neighbourship

configuration of a Layer 3 EtherChannel

 switch1(config-if-range)#no switchport
 switch1(config-if-range)#channel-group 20 mode {on | desirable | active}
 switch2(config-if-range)#no switchport
 switch2(config-if-range)#channel-group 20 mode {on | auto | passive}
 switch1(config)#interface port-channel 20
 switch1(config-if)#ip address 10.0.0.1 255.0.0.0
 switch1(config-if)#no shutdown
 switch2(config)#interface port-channel 20
 switch2(config-if)#ip address 10.0.0.2 255.0.0.0
 switch2(config-if)#no shutdown
(match the modes pairwise: on with on, desirable with auto or desirable,
active with passive or active)

STP Spanning Tree Protocol

 it is an open standard protocol
 the IEEE standard is 802.1D
 it is a Layer 2 protocol
 it always multicasts BPDUs to 0180.C200.0000
 it is used to prevent bridging loops in a switched network with redundant
links by putting some interfaces into forwarding state and some into
blocking state.

STP terminology

 Root bridge
 BPDU
 Root port / designated port
 Cost
 Alternate port / blocking port

STP performs three major tasks

 Root bridge election
 Root port election
 Designated port election

Root port and designated port election criteria (in order)

 lowest cost to reach the root bridge
 lowest sender (designated) bridge ID
 lowest sender (designated) port ID
 (finally, lowest receiving port ID)
Root bridge

 the switch with the best (lowest) bridge ID becomes the root bridge.

Bridge ID: an 8-byte value

 1 bridge priority (2 bytes): default 32768, range 0 to 65535 (with the
extended system ID only the upper 4 bits are the priority, so it is
configured in steps of 4096, and the lower 12 bits carry the VLAN ID)
 2 bridge MAC address (6 bytes)

BPDU Bridge Protocol Data Unit

 BPDUs carry bridge IDs between switches so that the root bridge can be
elected
 STP generates a hello message every 2 sec; this message is the BPDU
 a BPDU carrying the best (lowest) bridge ID is the superior BPDU.

types of BPDU messages

 configuration BPDU
 TCN BPDU

configuration BPDU

 this BPDU is generated periodically, every 2 seconds (hello time)

contents of a configuration BPDU message (in wire order, 35 bytes)

 protocol ID (2 bytes, always 0)
 version (1 byte, 0 for 802.1D)
 type (1 byte: 0x00 configuration, 0x80 TCN)
 flags (1 byte: topology change, topology change acknowledgement)
 root bridge ID (8 bytes)
 cumulative cost to reach the root bridge (4 bytes)
 designated (sender) bridge ID (8 bytes)
 designated (sender) port ID (2 bytes)
 message age (2 bytes)
 max age (2 bytes)
 hello timer (2 bytes)
 forward delay timer (2 bytes)
 (all four timers are carried in units of 1/256 second)
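Added example (not from the book): a Python parser and builder for the 802.1D configuration BPDU laid out above, plus the comparison that decides which BPDU is superior and which port becomes the root port (lowest root ID, then root path cost, then sender bridge ID, then sender port ID). The bridge IDs, MAC addresses and port numbers are constructed; the BPDU bytes are built by the block itself, without the 802.2 LLC header that precedes them on the wire.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# 802.1D configuration BPDU body (after the LLC header 42 42 03), 35 bytes in wire order:
# protocol ID, version, type, flags, root ID, root path cost, bridge ID, port ID,
# message age, max age, hello time, forward delay (timers in 1/256 s units).
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
BridgeId = Tuple[int, str]   # (16-bit priority field, MAC as dotted hex)


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_cost: int
    bridge_id: BridgeId
    port_id: int
    max_age: int
    hello: int
    fwd_delay: int
    tc: bool      # topology change flag (bit 0)
    tca: bool     # topology change acknowledgement (bit 7)


def encode_bridge_id(bid: BridgeId) -> bytes:
    priority, mac = bid
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(".", ""))


def decode_bridge_id(raw: bytes) -> BridgeId:
    h = raw[2:].hex()
    return struct.unpack("!H", raw[:2])[0], ".".join(h[i:i + 4] for i in (0, 4, 8))


def build_config_bpdu(root: BridgeId, root_cost: int, bridge: BridgeId, port_id: int,
                      max_age: int = 20, hello: int = 2, fwd_delay: int = 15,
                      flags: int = 0) -> bytes:
    """Build a constructed configuration BPDU with the default 802.1D timers."""
    return CONFIG_BPDU.pack(0, 0, 0x00, flags, encode_bridge_id(root), root_cost,
                            encode_bridge_id(bridge), port_id, 0,
                            max_age * 256, hello * 256, fwd_delay * 256)


def parse_bpdu(data: bytes) -> Bpdu:
    """Parse a configuration BPDU; TCN BPDUs (type 0x80) are rejected."""
    (proto, _version, btype, flags, root, cost, bridge, pid,
     _msg_age, max_age, hello, fwd) = CONFIG_BPDU.unpack(data[:CONFIG_BPDU.size])
    if proto != 0 or btype != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return Bpdu(decode_bridge_id(root), cost, decode_bridge_id(bridge), pid,
                max_age // 256, hello // 256, fwd // 256,
                bool(flags & 0x01), bool(flags & 0x80))


def priority_vector(b: Bpdu, port_cost: int):
    """Comparison key for a BPDU heard on a port with the given cost; lower is better:
    root ID, root path cost (sender's cost + our port cost), sender bridge ID, sender port ID."""
    return (b.root_id, b.root_cost + port_cost, b.bridge_id, b.port_id)


def is_superior(new: Bpdu, stored: Bpdu, port_cost: int = 0) -> bool:
    """True if `new` would replace `stored` as the best BPDU on a port."""
    return priority_vector(new, port_cost) < priority_vector(stored, port_cost)


def elect_root_port(received: Dict[str, Tuple[Bpdu, int]]):
    """received: {local port: (best BPDU heard on it, port cost)}.
    Returns (root bridge ID, root port, root path cost) for this non-root bridge."""
    best = min(received, key=lambda p: priority_vector(*received[p]))
    vec = priority_vector(*received[best])
    return vec[0], best, vec[1]


if __name__ == "__main__":
    A = (32768, "0000.0000.000a")
    B = (32768, "0000.0000.000b")
    via_a = parse_bpdu(build_config_bpdu(A, 0, A, 0x8001))     # straight from the root
    via_b = parse_bpdu(build_config_bpdu(A, 19, B, 0x8002))    # relayed by B, cost 19
    print(elect_root_port({"fa0/1": (via_a, 19), "fa0/2": (via_b, 19)}))
```

Because the comparison is a plain lexicographic ordering, anything that lowers the first field wins outright: a device sending a BPDU with priority 0 or 4096 and any MAC becomes root for every switch that accepts BPDUs on the receiving port, which is the case root guard and BPDU guard (STP protection, below) are designed to stop.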

TCN BPDU

 STP generates a TCN BPDU when a topology change occurs
 it informs the root bridge that there has been a change in the topology.

Contents of a TCN BPDU

 protocol ID
 version
 type

Note: the root bridge always generates BPDUs with a root path cost of zero

Note: after the root bridge election, only the root bridge originates
configuration BPDUs; every other switch relays them, adding its own cost
STP path cost (802.1D short method)

 10 Mbps - 100
 100 Mbps - 19
 1 Gbps - 4
 10 Gbps - 2

Note: these cost values can be modified per port according to requirements.

Note: when a switch receives a superior BPDU it immediately stops announcing
itself as the root bridge.

Root port: the port on a non-root bridge that receives the best BPDU, i.e.
the one giving the lowest cost to the root

Designated port: the port on a segment that sends the best BPDU onto that
segment.

Port ID

 1 port priority (default 128)
 2 interface (port) number, lowest wins

Note: all ports of the root bridge are always designated ports

Note: root port election is performed only on non-root bridges.

Note: a non-root bridge has exactly one root port

Note: on a single segment one end is the designated port and the other end
is not; both ends cannot be designated and both cannot be non-designated

Note: designated and root ports are always in forwarding state

Note: a TCN is sent when a port moves from learning into forwarding state, or
when a forwarding port goes down.


STP port states

 disabled: cannot send or receive anything
 blocking: receives BPDUs; does not send BPDUs, does not forward data,
does not learn MAC addresses
 listening: sends and receives BPDUs; does not forward data, does not learn
MAC addresses
 learning: sends and receives BPDUs and learns MAC addresses; does not
forward data yet
 forwarding: sends and receives BPDUs, learns MAC addresses, and sends and
receives data.

Types of topology change

 insignificant topology change
 direct topology change
 indirect topology change
Insignificant topology change
 when an access port goes down and comes up, the switch generates a TCN
BPDU; this kind of change is known as an insignificant topology change
because no path through the network has actually changed.
Note: by default any link status change, up or down, must be treated by the
switch as a topology change and reported to the root bridge.

step 1: the PC on switch C is turned off; the switch detects the link status
going down

step 2: switch C starts sending TCN BPDUs toward the root bridge over its
root port 0/2

step 3: the root bridge sends a TCN acknowledgement back to switch C and then
sends configuration BPDUs with the TCN flag bit set to all downstream
switches, to inform every switch of a topology change somewhere in the
network.

step 4: on receiving the TCN flag from the root, every switch shortens its MAC
aging time from 300 sec to 15 sec (the forward delay). The aging time stays
short for max age plus forward delay (35 sec).

PortFast

PortFast is enabled on access ports. A PortFast port moves directly into
forwarding state without the listening and learning delays, and its link
going up or down does not generate a TCN BPDU. Because no TCN is sent, the
other switches do not shorten their MAC aging time from 300 sec to 15 sec.

sw#show spanning-tree

(shows the MAC aging time of 300 sec)

sw#debug spanning-tree events

(on all switches)
R1(config-if)#shutdown

sw#show spanning-tree

(aging time now 15 sec, and the port takes 30 sec to come back into
forwarding state)

how to enable PortFast

sw(config-if)#spanning-tree portfast

r1(config-if)#shutdown

(the switch port now jumps directly to forwarding state without the delay,
and the MAC aging time is not reduced from 300 to 15 sec)

Note: PortFast only skips the delay; it does not stop the port from
processing BPDUs. Pair it with BPDU guard (see STP protection) so that a
switch plugged into an access port cannot join the spanning tree.

Direct topology change

When a switch has at least one alternate (blocked) port available and one of
its own links goes down or comes up, a direct topology change occurs. The
convergence time for a direct topology change is 30 sec (listening plus
learning).
step 1: the link between switch A and switch C goes down. Both switches
detect the link as down and immediately delete the MAC entries learned on
those ports.

Switch C removes the previous best BPDU, which it had received from the root
bridge over port 0/2; port 0/2 is now down, so that BPDU is no longer valid.

step 2: switch A sends configuration BPDUs with the TCN flag bit set to
switch B, and switch B forwards them toward switch C. All switches change
their aging time from 300 to 15 sec.

step 3: switch C receives the superior BPDU from the root through switch B;
switch C port 0/1 becomes the root port and enters listening state for 15
sec.

step 4: after 15 sec the MAC tables of all switches have flushed, and port
0/1 of switch C moves from listening to learning for 15 sec. During these 15
sec (learning state), if PC1A sends a frame to PC1B, switch B floods it
(unknown unicast flooding).

step 5: after another 15 sec, port 0/1 of switch C moves from learning to
forwarding. Switch C can now send frames out of port 0/1; switch B and switch
A receive them and rebuild their MAC tables.

UplinkFast

UplinkFast reduces the 30 sec convergence time of a direct topology change.
If the root port goes down, UplinkFast immediately (within milliseconds)
makes the alternate port the new root port and puts it into forwarding state
without any delay. It also sends dummy multicast frames to 0100.0CCD.CDCD,
sourced from the MAC addresses in its CAM table, so that upstream switches
relearn those addresses on the new path.

requirements for UplinkFast

 at least one alternate port must be available on the switch
 the switch should be an access-layer switch with default priority, never
the root or a transit switch: enabling UplinkFast raises the bridge
priority to 49152 and adds 3000 to every port cost so that the switch
cannot become root or a path for other switches

configure UplinkFast

R#ping 12.1.1.2 repeat 10000

(pings continuously)

sw2#debug spanning-tree events

sw2(config)#interface fastethernet 0/21

sw2(config-if)#shutdown

(the ping breaks and around 15 packets are dropped, roughly 30 sec)

enable UplinkFast

sw2(config)#spanning-tree uplinkfast

sw2#show spanning-tree uplinkfast

sw2(config)#interface fastethernet 0/21

sw2(config-if)#shutdown

(now only one packet is dropped, because 0/22 moves directly into forwarding
state)

Indirect topology change

step 1: the link goes down between switch A (the root) and switch B.

step 2: switch A and switch B generate TCN BPDUs toward switch C, and all
switches change their aging time from 300 sec to 15 sec.

step 3: switch B was receiving the superior BPDU only on port 0/1; after 0/1
goes down, switch B starts announcing itself as root bridge, so switch B
sends inferior BPDUs toward switch C.

Note: when a switch announces itself as root bridge while a better root
bridge exists, the BPDU of that would-be root is called an inferior BPDU.

step 4: when switch C receives the inferior BPDU on its blocked port, it
ignores it and keeps the stored superior BPDU until that BPDU's max age
timer (20 sec) expires.

step 5: after the max age timer of the stored superior BPDU expires, switch C
compares the BPDUs, concludes that switch A is still the root bridge, and
moves port 0/1 from blocking to listening.

step 6: switch C now sends a copy of the BPDU received from switch A toward
switch B, and switch B changes its port 0/2 from designated port to root
port. Total convergence: 20 (max age) + 15 + 15 = 50 sec.
BackboneFast

BackboneFast should be enabled on every switch. It removes the 20 sec max age
wait from an indirect topology change: with BackboneFast enabled, the blocked
port moves from blocking to forwarding in 30 sec (listening plus learning)
without first waiting 20 sec for max age, so convergence no longer takes
50 sec.

how BackboneFast works

step 1: with BackboneFast enabled, the link goes down between switch A and
switch B.

step 2: switch B sends inferior BPDUs to switch C.

step 3: when switch C receives an inferior BPDU, it sends a Root Link Query
(RLQ) request toward the root bridge.

step 4: switch A receives the RLQ request and sends an RLQ response to switch
C confirming that it is still the root bridge.

step 5: switch C immediately moves port 0/1 from blocking to listening,
without waiting 20 sec for max age

step 6: switch C now sends the superior BPDU to switch B, and switch B stops
announcing itself as root bridge.
configure BackboneFast

sw#debug spanning-tree events

(enable debugging on all switches)

switch2(config)#interface fastethernet 0/21

switch2(config-if)#shutdown

(port 0/23 of switch3 now takes 50 sec to come up)

enable BackboneFast

sw(config)#spanning-tree backbonefast

(enable it on all switches)

sw#debug spanning-tree backbonefast (on all switches)

switch2(config)#interface fastethernet 0/21

switch2(config-if)#shutdown

(port 0/23 of switch3 now takes 30 sec to come up)


Types of STP

 CST
 PVST
 PVST+

CST

 it stands for Common Spanning Tree
 a single instance of STP for all VLANs (802.1Q)
 it reduces the switch CPU load during STP calculations
 no capability for load balancing across redundant links
 it is the open standard

PVST

 it stands for Per-VLAN Spanning Tree
 it is a Cisco proprietary protocol
 it runs a separate instance of STP for each VLAN
 capability for load balancing (a different root per VLAN)
 it supports ISL trunks only
PVST+

 it stands for Per-VLAN Spanning Tree Plus
 it runs a separate instance of STP for each VLAN
 capability for load balancing
 it supports both ISL and 802.1Q trunks and interoperates with CST
 it works the same way as PVST
 it is the default on Cisco Catalyst switches

sw(config)#vlan 1-10

sw#show spanning-tree

(shows a separate instance for each VLAN)

how to make a switch the root bridge for all VLANs

sw(config)#spanning-tree vlan 1-4094 priority 0 (priority is configured in
increments of 4096)

sw#show spanning-tree vlan 1

sw#show spanning-tree vlan

how to make a switch the root bridge for a specific VLAN

sw(config)#spanning-tree vlan 2 priority 0


Primary and secondary root bridge

 used for load balancing and fault tolerance
 primary - priority 24576 (or 4096 below the current root's priority if
that is already lower)
 secondary - priority 28672

sw1(config)#spanning-tree vlan 1-5 root primary

sw1(config)#spanning-tree vlan 6-10 root secondary

sw2(config)#spanning-tree vlan 1-5 root secondary

sw2(config)#spanning-tree vlan 6-10 root primary

sw1#show spanning-tree vlan 4 (root bridge)

sw1#show spanning-tree vlan 7 (non-root bridge)

sw2#show spanning-tree vlan 7 (root bridge)

sw2#show spanning-tree vlan 4 (non-root bridge)

how to create primary and secondary root bridges manually

sw1(config)#spanning-tree vlan 1-5 priority 0

sw1(config)#spanning-tree vlan 6-10 priority 4096

sw2(config)#spanning-tree vlan 1-5 priority 4096

sw2(config)#spanning-tree vlan 6-10 priority 0

changing the STP timers through the diameter keyword of root primary

sw(config)#spanning-tree vlan 1-5 root primary diameter 4

sw#show spanning-tree

note: the diameter keyword makes the root compute hello, forward delay and
max age for a network at most 4 switches wide. Shorter timers give faster
convergence but more switch overhead, and timers too short for the real
diameter cause instability, so change them only on the root bridge.

Rule of 4096 increments in priority

 the 16-bit priority field of the bridge ID is split into a 4-bit priority
and a 12-bit system ID extension (sys-id-ext), which carries the VLAN
number, so that every VLAN gets a different bridge ID from the same MAC
address
 the extended system ID is enabled by default
 it is used by PVST+ and Rapid PVST+ on Cisco switches
 only multiples of 4096 fit in the 4 priority bits, so the configurable
values are 0, 4096, 8192, ... 61440; the value displayed by show
spanning-tree is the configured priority plus the VLAN ID

problem (values that are not multiples of 4096 cannot be encoded)

  VLAN   configured priority   bridge priority shown
  1      10                    11
  3      8                     11

solution (configured priority + VLAN ID)

  VLAN   configured priority   bridge priority shown
  1      0                     1
  2      0                     2
  3      0                     3
  4      4096                  4100
  5      4096                  4101

switch(config)#spanning-tree vlan 1-10 priority ?
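Added example (not from the book): the extended system ID encoding above in Python, together with a per-VLAN root election that reproduces the primary/secondary split configured on sw1 and sw2 in the previous section. Switch names and base MAC addresses are constructed.

```python
from typing import Dict, Iterable, Tuple

DEFAULT_PRIORITY = 32768
PRIMARY, SECONDARY = 24576, 28672   # set by 'spanning-tree vlan X root primary' / 'root secondary'


def bridge_priority_field(priority: int, vlan: int) -> int:
    """16-bit priority field of a PVST+ bridge ID with the extended system ID:
    upper 4 bits = configured priority / 4096, lower 12 bits = VLAN number."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return priority | vlan


def decode_priority_field(field: int) -> Tuple[int, int]:
    """Split the value shown by 'show spanning-tree' back into (priority, sys-id-ext)."""
    return field & 0xF000, field & 0x0FFF


def elect_roots(vlans: Iterable[int], base_macs: Dict[str, str],
                config: Dict[str, Dict[int, int]]) -> Dict[int, str]:
    """Per-VLAN root election.

    base_macs: switch -> base MAC; config: switch -> {vlan: configured priority}.
    The lowest (priority field, MAC) wins, so with default priorities everywhere
    the switch with the lowest MAC address is root for every VLAN."""
    def bridge_id(switch: str, vlan: int):
        priority = config.get(switch, {}).get(vlan, DEFAULT_PRIORITY)
        return bridge_priority_field(priority, vlan), int(base_macs[switch].replace(".", ""), 16)
    return {v: min(base_macs, key=lambda s: bridge_id(s, v)) for v in vlans}


def root_primary_secondary(vlans_a: Iterable[int], vlans_b: Iterable[int]) -> Dict[str, Dict[int, int]]:
    """Configuration equivalent of: sw1 root primary for vlans_a and root secondary for vlans_b,
    sw2 the other way round."""
    a, b = list(vlans_a), list(vlans_b)
    return {"sw1": {**{v: PRIMARY for v in a}, **{v: SECONDARY for v in b}},
            "sw2": {**{v: SECONDARY for v in a}, **{v: PRIMARY for v in b}}}


if __name__ == "__main__":
    macs = {"sw1": "0000.0000.0003", "sw2": "0000.0000.0002", "sw3": "0000.0000.0001"}
    print(elect_roots(range(1, 11), macs, {}))                                  # sw3 everywhere
    print(elect_roots(range(1, 11), macs, root_primary_secondary(range(1, 6), range(6, 11))))
    print(bridge_priority_field(4096, 4), decode_priority_field(32769))         # 4100, (32768, 1)
```

The election with an empty configuration is the situation in a network that has never had its root bridge set: the oldest switch, which usually has the lowest MAC, becomes root for every VLAN. It is also why any device that sends a BPDU with a priority of 0 is accepted as root everywhere unless root guard or BPDU guard stops it at the port.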

Influencing root port election through cost

sw2#show spanning-tree vlan 1 interface fastethernet 0/21 detail

sw2#show spanning-tree vlan 1 interface fastethernet 0/22 detail

 (shows a path cost of 19 on each 100 Mbps port)

sw2(config)#interface fastethernet 0/22

sw2(config-if)#spanning-tree cost 18 (for all VLANs)

sw2(config-if)#spanning-tree vlan 1-5 cost 18 (for specific VLANs)

sw2#show spanning-tree

note: the cost is applied on the port that receives the BPDU, i.e. on the
downstream (non-designated) side of the link; changing it on the designated
port has no effect on that link's root path cost.

Influencing root port election through port ID

 the port ID compared in the tie-break is the sender's, so port priority
is changed on the upstream (designated) port, not on the port being chosen
 the default port priority is 128
 port priority is configured in increments of 16 (0 to 240)

sw1#show spanning-tree vlan 1 interface fastethernet 0/22 detail

sw1(config)#interface fastethernet 0/21

sw1(config-if)#spanning-tree port-priority 144 (for all VLANs)

sw1(config-if)#spanning-tree vlan 6-10 port-priority 144 (for specific
VLANs)

sw#show spanning-tree

STP protection

 Root guard
 Loop guard
 BPDU guard
 BPDU filter
 UDLD, Unidirectional Link Detection
Root guard

Root guard is a security feature of STP. It is enabled on designated ports,
typically the trunk ports facing access switches or other domains where a
new root bridge must never appear. After enabling root guard, if such a
designated port receives a superior BPDU (one that would make the neighbour
the root), the switch immediately puts that port into the root-inconsistent
state (blocking) instead of accepting the new root. Ordinary BPDUs from
downstream switches are still processed. Root guard is configured per port
and cannot be enabled per VLAN.

enable root guard on all designated trunk ports facing downstream switches,
never on root ports.

how to configure root guard

sw1(config)#spanning-tree vlan 1-4094 priority 4096

sw1(config)#interface range fastethernet 0/19 , fa 0/21

sw1(config-if-range)#spanning-tree guard root

sw3(config)#spanning-tree vlan 1 priority 0

sw1#show spanning-tree

(0/19 and 0/21 go into the root-inconsistent state)

sw3(config)#no spanning-tree vlan 1 priority 0

(the ports leave the root-inconsistent state automatically as soon as the
superior BPDUs stop arriving)
Loop guard

step 1: BPDUs stop arriving on switch C port 0/2 because of congestion, an
IOS bug or a unidirectional link, while data traffic still flows.

step 2: switch C waits 20 sec for a BPDU on port 0/2, because the BPDU max
age timer is 20 sec.

step 3: switch C moves port 0/1 from blocking to root port.

step 4: switch C moves port 0/2 from root port to designated port (this port
does not go into blocking state because no BPDUs are received on it)

step 5: a loop now exists in the topology, because both ports between switch
A and switch C are in forwarding state

sw(config-if)#spanning-tree guard loop

note: loop guard is enabled on non-designated ports (root and alternate
ports)

after enabling loop guard on all non-designated ports, if a root or alternate
port stops receiving BPDUs it waits 20 sec and then goes into the
loop-inconsistent state instead of forwarding, so no loop can form. It
recovers automatically when BPDUs are received again. It is configured per
port, not per VLAN, although the inconsistent state only applies to the
VLANs whose BPDUs are missing.
BPDU guard

 it is enabled on access ports, not on trunk ports
 enable it on every switch port where STP PortFast is enabled.
 after enabling BPDU guard on an access port, if that port receives any
BPDU it immediately moves into the err-disabled state.
 it protects against attackers or unmanaged switches plugged into access
ports, which could otherwise join the spanning tree, for example to become
root and pull traffic through themselves

sw(config-if)#spanning-tree bpduguard enable
sw(config-if)#spanning-tree bpduguard disable
sw(config)#spanning-tree portfast default
sw(config)#spanning-tree portfast bpduguard default
(the global form applies BPDU guard to every PortFast-enabled port; recovery
is manual with shutdown / no shutdown unless errdisable recovery cause
bpduguard is configured)

BPDU filter

 it is also enabled on access ports
 it is also meant to protect against attackers, but it only hides the port
from STP.
 after enabling BPDU filter on an access port, any BPDU received on that
port is simply discarded and not processed, and the port does not send any
BPDUs either.
 it does not put the port into the err-disabled state when a BPDU is
received.

note: if both BPDU guard and BPDU filter are configured on an interface, BPDU
filter takes precedence: the BPDU is dropped before BPDU guard can react, so
the port is never err-disabled. Interface-level BPDU filter effectively
disables STP on that port, so a switch connected there can create a loop
unnoticed; BPDU guard is the safer choice on access ports. The global form
(portfast bpdufilter default) behaves differently: it stops sending BPDUs on
PortFast ports, but if a BPDU is received the port loses PortFast and returns
to normal STP operation.

sw(config-if)#spanning-tree bpdufilter enable
sw(config-if)#spanning-tree bpdufilter disable
sw(config)#spanning-tree portfast default
sw(config)#spanning-tree portfast bpdufilter default

UDLD unidirectional link detection

 it protects against unidirectional links (traffic flows one way only, so
STP sees no BPDUs and may unblock a port)
 it is a Cisco proprietary protocol
 it always multicasts its UDLD messages to 0100.0CCC.CCCC
 this feature is mainly used on fiber-optic links, where one strand of a
pair can fail on its own

there are two UDLD modes

normal

 it behaves like BPDU filter in the sense that it only reports
 UDLD messages are sent every 15 sec by default (configurable 7 to 90 sec)
 if a port is found to be unidirectional, it generates a log message and
marks the port as undetermined; the port is not shut down

aggressive

 it behaves like BPDU guard in the sense that it shuts the port down
 UDLD messages are also sent every 15 sec by default; once the neighbour
stops answering, the switch retries 8 times at 1 sec intervals
 if a port is found to be unidirectional, it goes into the err-disabled
state on both ends

configuration of normal mode

sw1(config)#udld enable

sw1(config-if-range)#udld port

sw2(config)#udld enable

sw2(config-if-range)#udld port

sw#show udld fastethernet 0/19
(udld enable in global configuration turns on normal mode on all fiber
ports; udld port enables it on an individual port, including copper)

configuration of aggressive mode

sw1(config)#udld enable

sw1(config-if-range)#udld port aggressive

sw2(config)#udld enable

sw2(config-if-range)#udld port aggressive

sw#show udld fastethernet 0/19
(udld aggressive in global configuration is the equivalent for all fiber
ports; both ends of a link must run the same mode)


RSTP Rapid spanning tree protocol

- rapid PVST
- It is a Cisco proprietary protocol.
- The IEEE standard is 802.1w.
- It has fast convergence.
- All switches generate proposal BPDUs.

Features of RSTP

- built-in UplinkFast.
- built-in BackboneFast.
- PortFast still needs to be enabled on all access ports.

Note: the root bridge election and the RP, DP and non-DP election criteria are the same as in STP.

STP state vs RSTP state

STP state      RSTP state
disabled       discarding
blocking       discarding
listening      discarding
learning       learning (15 sec)
forwarding     forwarding

RSTP Convergence process

step1: when the switches come up, both announce "I am the root bridge" and both ports become DP.

step2: both ports send proposal BPDUs.

step3: swB receives the superior BPDU and immediately performs synchronization: it stops announcing itself as root bridge and its port loses the DP role, while swA simply keeps sending proposal BPDUs.

note: during synchronization the switch puts all its interfaces in the discarding state to avoid loops.

step4: swB elects its RP and sends an agreement toward swA through the RP. Immediately both ports (the one that sent and the one that received the agreement) change directly into the forwarding state without any delay timer.

The same process again with port numbers:

step1: sw1 and sw2 send proposal BPDUs from both of their ports.

step2: sw2 receives the superior BPDU on port 0/1; when sw2 receives a superior BPDU it performs synchronization.

step3: sw2 changes the role of port 0/1 from DP to RP.

step4: sw2 generates an agreement on port 0/1 and sends it toward sw1 port 0/1, and both ports are put into the forwarding state immediately.

step5: sw1 port 0/2 does not receive an agreement, because sw2 port 0/2 is in the discarding state, so sw1 port 0/2 reaches the forwarding state the slow way, through discarding and learning.

step6: if the RP goes down, the alternate port 0/2 changes from discarding to RP in the forwarding state without any delay, because the UplinkFast feature is enabled by default in RSTP.

configuration of rstp

sw1(config)#spanning-tree mode rapid-pvst
sw2(config)#spanning-tree mode rapid-pvst
sw(config)#interface range fa 0/21 - 22
sw(config-if-range)#shutdown
sw#debug spanning-tree events
sw(config-if-range)#no shutdown

note: we can change the RP port based on cost and port ID, the same as in PVST+.
MSTP/MST

- It stands for multi spanning-tree protocol / multiple spanning-tree.

cst: single instance

pvst+: per-VLAN instance

mstp: multiple instances for multiple VLANs

- Convergence is the same as RSTP.
- It is an open standard protocol.
- We can map multiple VLANs into a single instance of STP.
- By default it works as CST, because all VLANs are mapped into a single instance of STP (instance 0).
- The features of MSTP are the same as RSTP (UplinkFast, BackboneFast).
- There are two types of MSTP: 1 intra domain/region, 2 inter domain/region.
- It supports a maximum of 16 instances on a single switch.
- Instance 0 is called the CIST (common and internal spanning-tree).

MSTP Attributes (these must match on all switches of one region)

- Name (32 characters)
- revision number (0-65535), default 0
- instance (0-4094), default 0

contents of the M-record

- Name
- revision
- hash value (a digest of the VLAN-to-instance mapping)

sw(config)#spanning-tree mode mst (on all switches)
sw1(config)#vlan 1-10
sw#show spanning-tree (to check whether MST is enabled)
sw#show spanning-tree mst configuration
sw(config)#spanning-tree mst configuration
sw(config-mst)#name cisco
sw(config-mst)#revision 1
sw(config-mst)#instance 1 vlan 1-5
sw(config-mst)#instance 2 vlan 6-10

same configuration on all switches

Load balancing in mstp (a different root per instance)

Sw1(config)#spanning-tree mst 1 root primary
Sw1(config)#spanning-tree mst 2 root secondary
Sw2(config)#spanning-tree mst 1 root secondary
Sw2(config)#spanning-tree mst 2 root primary

or with explicit priorities

Sw1(config)#spanning-tree mst 1 priority 0
Sw1(config)#spanning-tree mst 2 priority 4096
Sw2(config)#spanning-tree mst 1 priority 4096
Sw2(config)#spanning-tree mst 2 priority 0

sw2(config)#interface fastethernet 0/22
sw2(config-if)#spanning-tree mst 2 cost 199999
sw2#show spanning-tree mst 1
sw2#show spanning-tree mst 2

or

sw2(config)#interface fastethernet 0/21
sw2(config-if)#spanning-tree mst 2 port-priority 144
sw2#show spanning-tree mst 1
sw2#show spanning-tree mst 2
sw#show spanning-tree mst 1 interface fa 0/21


MLS multi-layer switching

- CEF Cisco express forwarding
- inter-VLAN routing
- DHCP server configuration for multiple VLANs

types of switching

- process switching
- fast switching
- CEF switching

process switching

In process switching the router performs a routing-table lookup for every packet.

fast switching

RP: the route processor performs the routing lookup for the first packet only and creates a cache entry.

SE: the switching engine forwards the following packets from the cache.

MLS Generations:

- 1st generation: fast switching (RP, SE)
- 2nd generation: CEF Cisco express forwarding

components of a router or MLS

Control plane: handles the routing protocols and the routing table.

Data plane: handles transit traffic.

Types of adjacency

Null adjacency: handles all packets forwarded toward the Null interface.

Drop adjacency: handles all packets with an encapsulation mismatch or a CRC error.

Discard adjacency: handles all packets discarded by an ACL.

Glean adjacency: holds information about all directly connected networks; when a packet is destined to a host on a directly connected network whose Layer 2 address is not yet known, it is handled by the glean adjacency.

Punt adjacency: handles packets that cannot be processed by CEF and are forwarded to the control plane for processing.

CEF works in two modes:

cCEF: centralized CEF (one common FIB and adjacency table)

dCEF: distributed CEF (a copy of the FIB and adjacency table on every line card)

how to enable CEF

router(config)#ip cef
router#show ip cef
router#show ip cef adjacency glean
router#show ip cef summary
router#show ip cef detail
r(config)#no ip cef
r(config-if)#no ip route-cache
DHCP/Intervlan routing in MLS

sw1(config)#spanning-tree portfast default
sw1(config)#vlan 10,20,30,100
sw1(config)#interface fastethernet 0/1
sw1(config-if)#switchport access vlan 100
sw1(config)#interface fastethernet 0/2
sw1(config-if)#switchport access vlan 10
sw1(config)#interface fastethernet 0/3
sw1(config-if)#switchport access vlan 20

configure the DHCP server and its pools (on r1, which sits in VLAN 100)

r1(config)#ip dhcp pool vlan10
r1(dhcp-config)#network 192.168.10.0 /24
r1(dhcp-config)#default-router 192.168.10.1
r1(config)#ip dhcp pool vlan20
r1(dhcp-config)#network 192.168.20.0 /24
r1(dhcp-config)#default-router 192.168.20.1
R1#show ip dhcp pool
r1(config)#ip dhcp pool vlan30
r1(dhcp-config)#network 192.168.30.0 /24
r1(dhcp-config)#default-router 192.168.30.1
R1#show ip dhcp pool

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address dhcp
R2(config-if)#no shutdown
r2#debug dhcp detail

note: the DHCP server will not offer an IP address to the client yet (the client's broadcast stays in VLAN 10 and nothing relays it to the server in VLAN 100)

create SVIs on sw1 for VLAN 10 and VLAN 100 / configure the relay agent

sw1(config)#interface vlan 10
sw1(config-if)#ip address 192.168.10.1 255.255.255.0
sw1(config)#interface vlan 100
sw1(config-if)#ip address 100.1.1.2 255.255.255.0
sw1(config)#ip routing
sw1#ping 100.1.1.1 (it should ping)
sw1(config)#interface vlan 10
sw1(config-if)#ip helper-address 100.1.1.1

note: if DHCP is still not providing an IP address, configure routing so that r1 has a route back to the client's subnet

sw1(config)#router eigrp 10
sw1(config-router)#no auto-summary
sw1(config-router)#network 0.0.0.0
r1(config)#router eigrp 10
r1(config-router)#no auto-summary
r1(config-router)#network 0.0.0.0

create an SVI on sw1 for VLAN 20 / configure the DHCP relay agent

r3(config)#interface fastethernet 0/0
r3(config-if)#ip address dhcp
r3#debug dhcp detail

note: DHCP will not provide an IP address yet

sw1(config)#interface vlan 20
sw1(config-if)#ip address 192.168.20.1 255.255.255.0
sw1(config-if)#ip helper-address 100.1.1.1

note: now r3 will get an IP address from DHCP

provide IP addresses in VLAN 30 on switch 2

sw1(config)#interface fastethernet 0/21
sw1(config-if)#no switchport
sw1(config-if)#ip address 102.1.1.1 255.255.255.0
sw2(config)#ip routing
sw2(config)#interface fa 0/21
sw2(config-if)#no switchport
sw2(config-if)#ip address 102.1.1.2 255.255.255.0
sw2(config-if)#no shutdown
sw2(config)#router eigrp 10
sw2(config-router)#no auto-summary
sw2(config-router)#network 0.0.0.0
sw2(config)#vlan 30
sw2(config)#interface fa 0/2
sw2(config-if)#switchport access vlan 30
sw2(config)#interface vlan 30
sw2(config-if)#ip address 192.168.30.1 255.255.255.0
sw2(config-if)#ip helper-address 100.1.1.1

DHCP snooping

If a machine gets its IP address from a rogue DHCP server, that machine cannot reach the internet or the printer, or cannot communicate with the other computers.

configure dhcp snooping

After DHCP snooping is enabled on the switch, all switchports become untrusted, so we have to configure the port that connects to the DHCP server as trusted.

sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 1
sw1#show ip dhcp snooping (no port is shown as trusted)
sw1(config-if)#ip dhcp snooping trust

note: DHCP will not provide an IP address, because the switch is now acting like a relay agent (it inserts option 82 into the client's request) while there is no helper address configured on the switch

there are two options to get IP addresses handed out again

1 add a helper address on switch 1

sw1(config)#int vlan 1
sw1(config-if)#ip address 192.168.1.10 255.255.255.0
sw1(config-if)#ip helper-address 192.168.1.1

2 disable option 82 insertion

sw1(config)#int vlan 1
sw1(config-if)#no ip address
sw1(config-if)#no ip helper-address
sw1(config)#no ip dhcp snooping information option
sw#show ip dhcp snooping

IP Source Guard

It is similar to port security: with IP source guard we bind an IP address (and MAC address) to a switch port, so only that source is allowed to send on the port. DHCP snooping is required for IP source guard.

sw1(config)#ip source binding 0000.0000.0001 vlan 1 10.0.0.1 interface fa 0/1
sw1(config)#interface fa 0/1
sw1(config-if)#ip verify source

DAI Dynamic ARP Inspection

It is used to protect a switched network from MITM (man-in-the-middle) attacks. DHCP snooping is required for DAI.

what is a MITM attack

An attacker's computer answers ARP requests on behalf of another computer; after that, when the data frames meant for that computer reach the attacker, the attacker can capture the traffic.

how DAI works

note: when DHCP snooping is enabled, the switch builds the snooping database (binding table) as the DHCP server hands out IP addresses.

step1: pcB wants to communicate with pcD (src .1.2, dst .1.4), so pcB generates an ARP request.

step2: when the switch receives this ARP request it checks the source IP and source MAC against the DHCP snooping database. If they match an entry, it is a valid ARP request; otherwise the switch drops it.

step3: the ARP request is valid, so the switch broadcasts it.

step4: now computer C (the attacker) tries to send an ARP reply on behalf of computer D. The switch receives the ARP reply from the attacker, compares its details with the snooping database, finds no match and drops the reply.

step5: only the real owner of the address can send the ARP reply.

how to configure DAI on the switch

sw(config)#ip arp inspection vlan 1
r2(config-if)#ip address dhcp
r3(config-if)#ip address dhcp
sw#show ip dhcp snooping binding (to check the snooping database)

Note: the DHCP server itself cannot communicate, because its IP is manually configured and therefore it has no entry in the snooping database. We can make its port trusted manually:

switch(config)#int fa 0/1
switch(config-if)#ip arp inspection trust
switch#show ip arp inspection

Alternatively we can create an ARP ACL for hosts with static IPs (a manual database):

sw1(config)#arp access-list test
sw1(config-arp-nacl)#permit ip host 192.168.1.1 mac host 0000.0000.0001
sw1(config)#ip arp inspection filter test vlan 1
sw#show ip arp inspection vlan 1
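The DAI decision from steps 2 to 5 above, as an added Python model that is not from the book: the binding table, the ARP ACL and the ARP packets are constructed inline, trusted ports bypass inspection, and an ARP ACL entry is checked before the DHCP snooping bindings (a packet matching no ACL entry falls through to the bindings, as it does without the static keyword).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping database (show ip dhcp snooping binding)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI validates: sender MAC/IP, the VLAN and the ingress port."""
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str
    opcode: str = "request"  # "request" or "reply"; DAI validates both the same way


class DaiSwitch:
    """Minimal model of a switch running DHCP snooping + DAI on some VLANs."""

    def __init__(self, dai_vlans: Set[int]) -> None:
        self.dai_vlans = set(dai_vlans)               # ip arp inspection vlan ...
        self.bindings: Set[Binding] = set()            # filled by DHCP snooping
        self.trusted_ports: Set[str] = set()           # ip arp inspection trust
        self.arp_acl: List[Tuple[str, str, str]] = []  # (action, ip|any, mac|any)
        self.acl_vlans: Set[int] = set()               # ip arp inspection filter ... vlan ...
        self.dropped: List[ArpPacket] = []             # what 'show ip arp inspection' counts

    def learn_from_dhcp(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """DHCP snooping saw the server's DHCPACK for this host: record the binding."""
        self.bindings.add(Binding(mac.lower(), ip, vlan, interface))

    def _acl_verdict(self, pkt: ArpPacket) -> Optional[str]:
        """First matching ARP ACL entry decides; None means no entry matched."""
        for action, ip, mac in self.arp_acl:
            if ip in ("any", pkt.sender_ip) and mac in ("any", pkt.sender_mac.lower()):
                return action
        return None  # implicit deny is only final with the 'static' keyword (not modelled)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet, as DAI would decide."""
        if pkt.vlan not in self.dai_vlans or pkt.ingress_port in self.trusted_ports:
            return "forward"                           # DAI off on VLAN, or trusted port
        if pkt.vlan in self.acl_vlans:
            verdict = self._acl_verdict(pkt)
            if verdict == "permit":
                return "forward"
            if verdict == "deny":
                self.dropped.append(pkt)
                return "drop"
        # book step 2: sender IP + MAC must match a binding for this VLAN and port
        if Binding(pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan, pkt.ingress_port) in self.bindings:
            return "forward"
        self.dropped.append(pkt)
        return "drop"


def build_lab() -> DaiSwitch:
    """Constructed lab from the DAI walkthrough: pcB, pcC (attacker) and pcD got
    their addresses from DHCP on VLAN 1; the DHCP server has a static address."""
    sw = DaiSwitch(dai_vlans={1})
    sw.learn_from_dhcp("0000.0000.000b", "192.168.1.2", 1, "fa0/2")  # pcB
    sw.learn_from_dhcp("0000.0000.000c", "192.168.1.3", 1, "fa0/3")  # pcC
    sw.learn_from_dhcp("0000.0000.000d", "192.168.1.4", 1, "fa0/4")  # pcD
    # arp access-list test / permit ip host 192.168.1.1 mac host 0000.0000.0001
    sw.arp_acl.append(("permit", "192.168.1.1", "0000.0000.0001"))
    sw.acl_vlans.add(1)  # ip arp inspection filter test vlan 1
    return sw


def run_scenario(sw: DaiSwitch) -> Dict[str, str]:
    """Replay the book's steps and return DAI's verdict for each packet."""
    packets = {
        # steps 1-3: pcB asks who has 192.168.1.4 with its own sender fields -> valid
        "pcB_request": ArpPacket("0000.0000.000b", "192.168.1.2", 1, "fa0/2"),
        # step 4: pcC replies claiming 192.168.1.4 -> no binding ties that IP to pcC
        "pcC_spoofed_reply": ArpPacket("0000.0000.000c", "192.168.1.4", 1, "fa0/3", "reply"),
        # step 5: the real pcD replies -> matches its own binding
        "pcD_reply": ArpPacket("0000.0000.000d", "192.168.1.4", 1, "fa0/4", "reply"),
        # the statically addressed DHCP server has no binding but is permitted by the ARP ACL
        "dhcp_server_reply": ArpPacket("0000.0000.0001", "192.168.1.1", 1, "fa0/1", "reply"),
    }
    return {name: sw.inspect(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario(build_lab()).items():
        print(f"{name:20s} -> {verdict}")
```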

vlan hopping

step1: the attacker wants to bring down the FTP server with some virus or files, but the attacker's machine cannot communicate with it because it is in a different VLAN.

step2: the attacker generates frames tagged with VLAN 20 from the computer itself with the help of some application. The data goes to the switch; the switch sees it arriving on port 0/1, which is in native VLAN 1, so it sends the data untagged on the trunk port (the VLAN 20 tag added by the attacker stays inside the frame).

step3: when sw2 receives the data it checks the tag, finds the VLAN 20 tag and forwards the data to the FTP server, because it is in VLAN 20.

step4: the FTP server will not respond, because the destination is in a different VLAN (the attack only works in one direction).

solution: change the native VLAN of the trunk (to a VLAN that no access port uses) to prevent this kind of attack.
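An added defender-side check for the precondition described above, not part of the book: it parses a constructed running-config excerpt (IOS defaults of access VLAN 1 and native VLAN 1 applied when the line is absent) and flags trunks whose native VLAN is also used by an access port or is still VLAN 1.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the book): one access port left in
# VLAN 1, one in VLAN 20, one trunk with the default native VLAN and one fixed trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
!
interface FastEthernet0/24
 switchport mode trunk
!
"""


def parse_switchports(running_config: str) -> Dict[str, Dict[str, object]]:
    """Return {interface: {mode, access_vlan, native_vlan}} with IOS defaults applied:
    no 'switchport access vlan' means VLAN 1, no 'switchport trunk native vlan'
    means native VLAN 1, no 'switchport mode' is recorded as 'dynamic'."""
    ports: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in running_config.splitlines():
        if not raw.startswith(" "):            # a top-level line ends the interface block
            m = re.match(r"^interface (\S+)$", raw)
            current = m.group(1) if m else None
            if current:
                ports[current] = {"mode": "dynamic", "access_vlan": 1, "native_vlan": 1}
            continue
        if current is None:
            continue
        cmd = raw.strip().split()
        if cmd[:2] == ["switchport", "mode"]:
            ports[current]["mode"] = cmd[2]
        elif cmd[:3] == ["switchport", "access", "vlan"]:
            ports[current]["access_vlan"] = int(cmd[3])
        elif cmd[:4] == ["switchport", "trunk", "native", "vlan"]:
            ports[current]["native_vlan"] = int(cmd[4])
    return ports


def audit_native_vlan(ports: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag every trunk whose native VLAN is shared with an access port (so an
    untagged frame from that port crosses the trunk with any inner tag intact)
    or is still the default VLAN 1."""
    findings: List[str] = []
    access = {n: p["access_vlan"] for n, p in ports.items() if p["mode"] == "access"}
    for name, p in ports.items():
        if p["mode"] != "trunk":
            continue
        native = p["native_vlan"]
        shared = sorted(n for n, v in access.items() if v == native)
        if shared:
            findings.append(f"{name}: native VLAN {native} is also the access VLAN of "
                            f"{', '.join(shared)}; move the trunk's native VLAN to an unused VLAN")
        if native == 1:
            findings.append(f"{name}: native VLAN left at default 1")
    return findings


if __name__ == "__main__":
    for line in audit_native_vlan(parse_switchports(SAMPLE_CONFIG)):
        print(line)
```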

VLAN ACL

We can filter traffic between VLANs using a VLAN ACL (VACL).

how to filter telnet through a VLAN ACL

r4(config)#username cisco password cisco
r4(config)#line vty 0 4
r4(config-line)#transport input telnet
r4(config-line)#login local

now all devices can telnet to r4

sw1(config)#access-list 101 permit tcp any any eq telnet
sw1(config)#vlan access-map test 10
sw1(config-access-map)#match ip address 101
sw1(config-access-map)#action drop
sw1(config)#vlan access-map test 20
sw1(config-access-map)#action forward
sw1(config)#vlan filter test vlan-list 20 (VLAN id)
sw#show vlan access-map

how to filter icmp

sw1(config)#access-list 102 permit icmp any any
sw1(config)#vlan access-map test 11
sw1(config-access-map)#match ip address 102
sw1(config-access-map)#action drop

Protected Port

A protected port will not communicate with another protected port on the same switch; it only works between local switchports.

sw(config-if)#switchport protected

Private VLAN

We can create private VLANs only on a switch in VTP transparent mode.

there are two types of private VLAN

primary VLAN: the main VLAN, for example VLAN 100

secondary VLAN: created under the primary VLAN; it comes in two kinds:

community:

- machines can communicate within the same community (intra-community)
- machines cannot communicate with another community (inter-community)

Isolated:

- machines cannot communicate inter-isolated or intra-isolated (not even with each other)
- it is a stand-alone VLAN
- only one isolated VLAN is created per primary VLAN

switchport modes in a private VLAN

Host: member of a secondary (private) VLAN

promiscuous: member of the primary VLAN

configuration of private vlan

- sw1(config)#vtp mode transparent
- sw1(config)#vlan 10
- sw1(config-vlan)#private-vlan community
- sw1(config)#vlan 20
- sw1(config-vlan)#private-vlan community
- sw1(config)#vlan 30
- sw1(config-vlan)#private-vlan isolated
- sw1(config)#vlan 100
- sw1(config-vlan)#private-vlan primary
- sw1(config-vlan)#private-vlan association 10,20,30
- sw1#show vlan private-vlan

assign ports to the VLANs

- sw1(config)#int fa 0/2
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 10
- sw1(config)#int fa 0/3
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 10
- sw1(config)#int fa 0/4
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 20
- sw1(config)#int fa 0/5
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 20
- sw1(config)#int fa 0/6
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 30
- sw1(config)#int fa 0/7
- sw1(config-if)#switchport mode private-vlan host
- sw1(config-if)#switchport private-vlan host-association 100 30
- sw1(config)#int fa 0/1
- sw1(config-if)#switchport mode private-vlan promiscuous
- sw1(config-if)#switchport private-vlan mapping 100 10,20,30
- sw1#show vlan private-vlan

Storm control

This feature protects LAN ports from broadcast flooding, multicast flooding and unicast flooding on physical interfaces.

Storm control monitors the level of each traffic type for which you have enabled it.

shutdown: when a traffic storm occurs, storm control puts the port into the err-disabled state. To re-enable the port, use the err-disable detection and recovery feature or the shutdown and no shutdown commands.

Trap: when a traffic storm occurs, storm control generates an SNMP trap.

configure storm control for broadcast flooding

- sw1(config-if)#storm-control broadcast level bps 100
- sw1(config-if)#storm-control action shutdown
- sw1(config-if)#storm-control action trap
- sw1#show interfaces status err-disabled
- R#ping 10.0.0.2
- R#show ip arp

sw1 port 0/1 will be shut down and ARP will not be resolved (a single ARP broadcast already exceeds a 100 bps threshold)

configure storm control for multicast flooding and unicast flooding

- sw1(config-if)#storm-control multicast level bps 100
- sw1(config-if)#storm-control unicast level bps 100
- sw1(config-if)#storm-control action shutdown
- sw1(config-if)#storm-control action trap

note: storm control can also be configured on a Layer 3 port after assigning an IP address.

SPAN

- It stands for switched port analyzer.
- It is also called port mirroring.
- SPAN is used to analyze the network traffic passing through a port.
- It sends a copy of the traffic to another port on the switch.
- SPAN monitors received or sent (or both) traffic on one or more source ports and copies it to a destination port for analysis.
- Only traffic that enters or leaves the source ports can be monitored.

source port characteristics

- It can be any port type (EtherChannel, FastEthernet, GigabitEthernet).
- It cannot be a destination port.
- Each source port can be configured with a direction (ingress, egress, both).
- For an EtherChannel source, the monitored direction applies to all physical ports in the group.
- Source ports can be in the same or in different VLANs.
- We can configure a trunk port as a source port; all VLANs active on the trunk are monitored.

destination port characteristics

- It can be any physical Ethernet port.
- It cannot be a source port.
- It cannot be an EtherChannel group or a VLAN.
- It can be a physical port that is assigned to an EtherChannel group; the port is removed from the group while it is configured as a SPAN destination port.
- The port does not transmit any traffic except what is required for the SPAN session.
- While it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP, LACP).
- No address learning occurs on the destination port.

Local SPAN

When the source and destination ports are on a single switch, it is called local SPAN.

configure local SPAN for a single source port

- sw1(config)#monitor session 1 source interface fastethernet 0/1 both
- sw1(config)#monitor session 1 destination interface fastethernet 0/5
- sw1#show interface fastethernet 0/5
- line protocol is down (monitoring)
- sw1#show interfaces status
- fastethernet0/5 monitoring
- r#ping 12.1.1.2 repeat 50
- sw1#show interface fastethernet 0/5
- the packets output counter shows the copied traffic
- sw1(config)#no monitor session 1 (or: no monitor session all)

configure local SPAN with multiple source ports

- sw1(config)#monitor session 10 source interface fastethernet 0/1 - 4 both
- sw1(config)#monitor session 10 destination interface fastethernet 0/5
- sw#show monitor session 10

configure local SPAN with a source VLAN

- sw1(config)#monitor session 10 source vlan 1 - 5 both
- sw1(config)#monitor session 10 destination interface fastethernet 0/5
- sw1#show monitor session 10

configure local SPAN with multiple destination ports

- sw1(config)#monitor session 10 source vlan 1 both
- sw1(config)#monitor session 10 destination interface fastethernet 0/5 - 6
- sw#show monitor session 10

configure SPAN with a trunk port as source

- sw1(config)#monitor session 10 source interface fastethernet 0/21 both
- sw1(config)#monitor session 10 destination interface fastethernet 0/5
- sw1(config)#monitor session 10 filter vlan 5 - 6 (these VLANs are not monitored)

RSPAN / remote SPAN

When the source and destination ports are on different switches, we use RSPAN.

- sw1(config)#vlan 100
- sw1(config-vlan)#remote-span
- sw2(config)#vlan 100
- sw2(config-vlan)#remote-span
- sw#show vlan remote-span
- sw1(config)#monitor session 1 source interface fastethernet 0/1 both
- sw1(config)#monitor session 1 destination remote vlan 100
- sw2(config)#monitor session 1 source remote vlan 100
- sw2(config)#monitor session 1 destination interface fastethernet 0/5

note: the remote VLAN must not be pruned from the trunks between the switches.


Gateway high availability

- Gateway redundancy
- protocols used to provide high availability:
- HSRP: Hot Standby Router Protocol
- VRRP: Virtual Router Redundancy Protocol
- GLBP: Gateway Load-Balancing Protocol
- They aggregate two or more physical gateways into a single virtual gateway.

HSRP: Hot standby router protocol

- It is a Cisco proprietary protocol.
- hello interval is 3 sec
- hold interval is 10 sec
- It uses UDP port number 1985.
- It uses the multicast address 224.0.0.2 to send its messages.
- By default its priority is 100.
- It has a built-in track command.
- The default priority decrement is 10 when using the track command.
- It supports authentication: 1. plain text, 2. MD5.
- It supports a maximum of 256 groups, group range 0-255.
- It uses the virtual MAC address 0000.0c07.acxx (xx = group id).
- By default preemption is disabled in HSRP for the active router election.

HSRP states

- Disabled
- Init
- Speaking
- Listening
- Standby
- Active

note: within one group only one device can be in the active state and one device in the standby state; all others remain in the listen state.

active router election process

- 1 higher priority
- 2 higher IP address* (only in some specific cases)

standby router election process

- 1 higher priority
- 2 higher IP address

configuration of HSRP (underlying routing first)

- r1(config)#router eigrp 100
- r1(config-router)#no auto-summary
- r1(config-router)#network 0.0.0.0
- r1(config-router)#passive-interface fastethernet 0/0
- r2(config)#router eigrp 100
- r2(config-router)#no auto-summary
- r2(config-router)#network 0.0.0.0
- r2(config-router)#passive-interface fastethernet 0/0
- r3(config)#router eigrp 100
- r3(config-router)#no auto-summary
- r3(config-router)#network 0.0.0.0
- r3(config-router)#passive-interface fastethernet 0/0
- core(config)#router eigrp 100
- core(config-router)#no auto-summary
- core(config-router)#network 0.0.0.0

configure HSRP

- R1(config)#interface fastethernet 0/0
- r1(config-if)#standby 1 ip 192.168.101.100
- R2(config)#interface fastethernet 0/0
- r2(config-if)#standby 1 ip 192.168.101.100
- R3(config)#interface fastethernet 0/0
- r3(config-if)#standby 1 ip 192.168.101.100
- r#show standby

Note: if we enable HSRP on all routers within 10 seconds, HSRP elects the active router based on priority or the highest IP address.

Note: if we enable HSRP on r1 and wait for 10 sec, r1 is elected as the active router (and keeps the role, since preemption is off).

Note: preemption is always enabled for the standby state: if r2 is in the standby state and we enable HSRP on r3, r3 becomes standby and r2 changes its state to listen.

how to change the priority

- r1(config)#interface fastethernet 0/0
- r1(config-if)#standby 1 priority 120

how to enable preemption for the active router election

- r1(config-if)#standby 1 preempt

note: preemption does not work on the basis of the highest IP address; it only works when a (higher) priority is defined on the router.

how to configure tracking of an interface line protocol

- r1(config)#interface fastethernet 0/0
- r1(config-if)#standby 1 track serial 0/0 21

note: preemption should be enabled for tracking to have an effect

configure tracking for a specific route

- r1(config)#track 50 ip route 1.1.1.1 255.255.255.255 reachability
- r1(config)#interface fastethernet 0/0
- r1(config-if)#standby 1 track 50 decrement 21

Note: HSRP provides gateway redundancy but does not provide load balancing.

how to change the timers in HSRP

- r1(config-if)#standby 1 timers 1 5
- r1(config-if)#standby 1 timers msec 100 msec 300

authentication in HSRP

- r1(config-if)#standby 1 authentication md5 key-string cisco
- r2(config-if)#standby 1 authentication md5 key-string cisco
- r3(config-if)#standby 1 authentication md5 key-string cisco
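The election, preemption and tracking rules from the notes above, as an added Python model that is not from the book; the router names, addresses and the tracked object are constructed, routers passed to one join() call come up together (within the hold time), and separate calls model a router being enabled later.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # interface address, the tie-breaker
    priority: int = 100           # standby 1 priority <p>  (default 100)
    preempt: bool = False         # standby 1 preempt       (off by default)
    # tracked object -> (is_up, decrement), e.g. standby 1 track serial 0/0 21
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)
    alive: bool = True

    def effective_priority(self) -> int:
        return self.priority - sum(dec for up, dec in self.tracked.values() if not up)


def _rank(r: HsrpRouter) -> Tuple[int, Tuple[int, ...]]:
    """Election order: higher priority first, then higher IP address."""
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))


class HsrpGroup:
    def __init__(self) -> None:
        self.routers: Dict[str, HsrpRouter] = {}
        self.active: Optional[str] = None
        self.standby: Optional[str] = None

    def join(self, *routers: HsrpRouter) -> None:
        for r in routers:
            self.routers[r.name] = r
        self._reconverge()

    def set_track(self, name: str, obj: str, up: bool) -> None:
        """The tracked interface or route changed state."""
        _, dec = self.routers[name].tracked[obj]
        self.routers[name].tracked[obj] = (up, dec)
        self._reconverge()

    def fail(self, name: str) -> None:
        self.routers[name].alive = False
        self._reconverge()

    def _reconverge(self) -> None:
        alive = [r for r in self.routers.values() if r.alive]
        best = max(alive, key=_rank)
        cur = self.routers.get(self.active) if self.active else None
        if cur is None or not cur.alive:
            new_active = best                 # no active router: plain election
        elif (best is not cur and best.preempt
              and best.effective_priority() > cur.effective_priority()):
            new_active = best                 # preempt: strictly higher priority only
        else:
            new_active = cur                  # a higher IP alone never preempts
        rest = [r for r in alive if r is not new_active]
        new_standby = max(rest, key=_rank) if rest else None   # standby role always preempts
        self.active = new_active.name
        self.standby = new_standby.name if new_standby else None


def sequential_startup() -> Tuple[str, Optional[str]]:
    """r1 enabled first and left for 10 sec stays active even though r3 has the
    highest IP; r3 still takes the standby role from r2."""
    g = HsrpGroup()
    g.join(HsrpRouter("r1", "192.168.101.1"))
    g.join(HsrpRouter("r2", "192.168.101.2"))
    g.join(HsrpRouter("r3", "192.168.101.3"))
    return g.active, g.standby


def simultaneous_startup() -> Tuple[str, Optional[str]]:
    """All three enabled within 10 sec: equal priority, so the highest IP wins."""
    g = HsrpGroup()
    g.join(HsrpRouter("r1", "192.168.101.1"), HsrpRouter("r2", "192.168.101.2"),
           HsrpRouter("r3", "192.168.101.3"))
    return g.active, g.standby


def tracking_failover(standby_preempt: bool) -> Tuple[str, str]:
    """r1 (priority 120, preempt, tracking serial 0/0 with decrement 21) joins
    after r2; then the serial line drops. Returns (active before, active after)."""
    g = HsrpGroup()
    g.join(HsrpRouter("r2", "192.168.101.2", preempt=standby_preempt))
    g.join(HsrpRouter("r1", "192.168.101.1", priority=120, preempt=True,
                      tracked={"serial0/0": (True, 21)}))
    before = g.active
    g.set_track("r1", "serial0/0", up=False)   # 120 - 21 = 99 < 100
    return before, g.active


if __name__ == "__main__":
    print(sequential_startup(), simultaneous_startup())
    print(tracking_failover(standby_preempt=False), tracking_failover(standby_preempt=True))
```

The last call shows the book's note that tracking only moves the active role when the standby router has preemption enabled.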

how to provide Load-balancing in hsrp

how to configure hsrp in rack


VRRP virtual router redundancy protocol

- It is an open standard protocol.
- hello interval 1 sec and hold interval 3 sec.
- It uses the multicast address 224.0.0.18.
- It uses IP protocol number 112.
- default priority is 100.
- By default preemption is enabled.
- There is no built-in track command, but we can use external tracking.
- The default priority decrement is 10 when using external tracking.
- It supports authentication.
- After the master election only the master sends hello messages and the others receive.
- virtual MAC address 0000.5E00.01xx.

VRRP states

- master
- backup

master election criteria

- higher priority
- higher IP address

Note: if the priority is tied, the higher IP address is used to elect the master

configuration of VRRP

- R1(config)#interface fa 0/0
- R1(config-if)#vrrp 1 ip 192.168.101.100
- r2(config-if)#vrrp 1 ip 192.168.101.100
- r3(config-if)#vrrp 1 ip 192.168.101.100
- r#show vrrp
- r1(config-if)#vrrp 1 priority 120
- r1#debug ip packet detail

Note: we can make any router the master by changing its priority.

tracking of an interface line protocol

- r1(config)#track 60 interface serial 0/0 line-protocol
- r1(config)#interface fa 0/0
- r1(config-if)#vrrp 1 track 60 decrement 21
- r#show vrrp

tracking of a specific route

- r2(config)#track 50 ip route 1.1.1.1 255.255.255.255 reachability
- r2(config)#int fa 0/0
- r2(config-if)#vrrp 1 track 50

how to provide load balancing (one group per router, each router master of its own group)

- group1 ip 192.168.101.100 active r1 priority 101
- group2 ip 192.168.101.200 active r2 priority 101
- group3 ip 192.168.101.250 active r3 priority 101

how to set the preemption delay

r1(config-if)#vrrp 1 preempt delay minimum 30

how to change the timers

r1(config-if)#vrrp 1 timers advertise msec 100

how to configure authentication

r1(config-if)#vrrp 1 authentication md5 key-string cisco123
r2(config-if)#vrrp 1 authentication md5 key-string cisco123
r3(config-if)#vrrp 1 authentication md5 key-string cisco123

GLBP gateway load balancing protocol

- hello interval 3 sec, hold interval 10 sec
- It uses UDP port number 3222.
- It uses the multicast address 224.0.0.102.
- default priority is 100
- default weight is 100
- By default preemption is disabled.
- It supports load balancing.
- It uses the virtual MAC address 0007.B400.xxxx.

components of GLBP

- AVG
- AVF

AVG active virtual gateway

- The AVG election is the same as in HSRP.
- It is responsible for answering all ARP requests coming from the LAN users, handing out the forwarders' virtual MACs according to the load-balancing algorithm.

AVF active virtual forwarder

- It is responsible for forwarding the data.

Note: all routers work as forwarders.

Note: one group can have a maximum of 4 forwarders.

Note: the default forwarder timeout is 14400 sec.

Note: when we enable GLBP on a router it becomes forwarder 1; when we enable GLBP on the second router it becomes forwarder 2, and the same happens for r3. When any forwarder goes down, an election is held between the remaining two routers.

tracking by weight with an interface line-protocol

- r1(config)#track 1 interface serial 0/0 line-protocol
- r1(config)#interface fa 0/1
- r1(config-if)#glbp 1 weighting track 1 decrement 100

If the serial link is shut down, the weight drops to (or below) the lower threshold value (1), so this router is no longer eligible as an active forwarder. It takes 30 sec for another router to become active, because the preemption delay is 30 sec.

tracking by weight with a specific route

- r1(config)#track 10 ip route 1.1.1.1 255.255.255.255 reachability
- r1(config)#interface fa 0/1
- r1(config-if)#glbp 1 weighting track 10 decrement 100

load balancing algorithms

- round robin 1:1:1 (default)
- weighted (3:2:1)
- host dependent

how to configure the weighted load balancing algorithm

- r1(config-if)#glbp 1 load-balancing weighted
- r2(config-if)#glbp 1 load-balancing weighted
- r3(config-if)#glbp 1 load-balancing weighted
- r1(config-if)#glbp 1 weighting 300
- r2(config-if)#glbp 1 weighting 200
- r3(config-if)#glbp 1 weighting 100

note: the algorithm takes effect on the active AVG router only (it is the one answering ARP)

how to change the load balancing algorithm to host-dependent

- r1(config-if)#glbp 1 load-balancing host-dependent

how to change the hello and hold timers

- r1(config-if)#glbp 1 timers msec 100 msec 1000

how to configure authentication

- r1(config-if)#glbp 1 authentication md5 key-string cisco123 (on all routers)
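The AVG's choice of forwarder under the three load-balancing algorithms, together with weighting-based tracking, as an added Python model that is not from the book. Two details are assumptions, since the page does not specify them: weighted selection is implemented as smooth weighted round-robin, and host-dependent selection hashes the host MAC.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GROUP = 1  # glbp 1 ...


@dataclass
class Avf:
    """A router acting as active virtual forwarder in the GLBP group."""
    name: str
    number: int                   # forwarder number 1-4, given in join order
    weight: int = 100             # glbp 1 weighting <w>, default 100
    lower: int = 1                # default lower weighting threshold
    tracked: Dict[int, Tuple[bool, int]] = field(default_factory=dict)  # track id -> (up, decrement)

    def effective_weight(self) -> int:
        return self.weight - sum(dec for up, dec in self.tracked.values() if not up)

    def eligible(self) -> bool:
        # below the lower threshold the router stops acting as a forwarder
        # (the upper-threshold hysteresis for recovery is not modelled)
        return self.effective_weight() >= self.lower

    def vmac(self) -> str:
        # 0007.b400.xxyy: xx = group number, yy = forwarder number
        return f"0007.b400.{GROUP:02x}{self.number:02x}"


class Avg:
    """Active virtual gateway: answers ARP for the virtual IP and decides which
    forwarder's virtual MAC each host receives."""

    def __init__(self, algorithm: str = "round-robin") -> None:
        self.algorithm = algorithm          # glbp 1 load-balancing {round-robin|weighted|host-dependent}
        self.forwarders: List[Avf] = []
        self._rr = 0
        self._credit: Dict[str, int] = {}   # smooth weighted round-robin state (assumption)

    def add(self, name: str, weight: int = 100) -> Avf:
        if len(self.forwarders) >= 4:
            raise ValueError("a GLBP group has at most 4 forwarders")
        fwd = Avf(name, len(self.forwarders) + 1, weight)
        self.forwarders.append(fwd)
        return fwd

    def set_track(self, name: str, track_id: int, up: bool, decrement: int) -> None:
        """glbp 1 weighting track <id> decrement <n>, then the tracked object changes state."""
        fwd = next(f for f in self.forwarders if f.name == name)
        fwd.tracked[track_id] = (up, decrement)

    def answer_arp(self, host_mac: str) -> str:
        """Return the virtual MAC placed in the ARP reply sent to host_mac."""
        cands = [f for f in self.forwarders if f.eligible()]
        if not cands:
            raise RuntimeError("no eligible forwarder")
        if self.algorithm == "round-robin":            # 1:1:1
            fwd = cands[self._rr % len(cands)]
            self._rr += 1
        elif self.algorithm == "weighted":             # e.g. 300:200:100 -> 3:2:1
            for f in cands:
                self._credit[f.name] = self._credit.get(f.name, 0) + f.effective_weight()
            fwd = max(cands, key=lambda f: self._credit[f.name])
            self._credit[fwd.name] -= sum(f.effective_weight() for f in cands)
        elif self.algorithm == "host-dependent":       # same host -> same forwarder
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            fwd = cands[int.from_bytes(digest[:4], "big") % len(cands)]
        else:
            raise ValueError(self.algorithm)
        return fwd.vmac()


def distribution(avg: Avg, n_hosts: int) -> Dict[str, int]:
    """Answer ARP for n constructed hosts and count the replies per virtual MAC."""
    counts: Dict[str, int] = {}
    for i in range(n_hosts):
        mac = avg.answer_arp(f"0000.1111.{i:04x}")
        counts[mac] = counts.get(mac, 0) + 1
    return counts


def weighted_lab() -> Avg:
    """r1/r2/r3 with glbp 1 weighting 300/200/100 and load-balancing weighted."""
    avg = Avg("weighted")
    for name, w in (("r1", 300), ("r2", 200), ("r3", 100)):
        avg.add(name, w)
    return avg


if __name__ == "__main__":
    print(distribution(weighted_lab(), 60))
```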
IP Telephony

converged network

PoE power over ethernet

how to configure PoE on a switchport

sw(config-if)#power inline auto
sw#show power inline

real time data / traffic

- voice data, video data traffic
- UDP protocol
- no need for TCP
- real time
- voice packet size 100 bytes
- to give priority to voice data we use QoS

voice vlan

To separate the voice traffic on an interface we configure a voice VLAN in addition to the data VLAN; with a voice VLAN a single switchport can belong to multiple VLANs.

- sw(config)#int fa 0/1
- sw(config-if)#switchport mode access
- sw(config-if)#switchport access vlan 10
- sw(config-if)#switchport voice vlan 20
- sw#show vlan brief
network design

Access Layer: 2900, 2950, 2960

- In this layer the end users are connected to the network.
- Access-layer switches usually provide Layer 2 (VLAN) connectivity.
- high port density (switchport security)
- user access functions such as VLAN membership, traffic and protocol filtering, and quality of service

distribution layer: 3500, 3700, 3800

- It provides the interconnection between the access and core layers.
- aggregation of multiple access-layer devices
- high Layer 3 throughput for packet handling
- security and policy-based connectivity functions through access lists or packet filtering
- QoS

core layer: 4500, 6500

- The core layer provides connectivity for all distribution-layer devices.
- It is the backbone of the network.
- very high throughput at Layer 3
- no access lists or packet filtering
- redundancy for high availability
- advanced QoS
hardware redundancy

In MLS switches there are multiple supervisor cards and power supplies available for redundancy. One supervisor card works actively and the second is in standby mode; if the first supervisor goes down, the second becomes active.

redundancy modes:

- RPR: (2 min)
- RPR Plus: (30 sec)
- SSO: stateful switchover (1 sec)

how to configure the redundancy mode

- router(config)#redundancy
- router(config-red)#mode rpr / rpr-plus / sso
- router#show redundancy states

NSF Nonstop forwarding

- It is a Cisco proprietary protocol.
- We use SSO for redundancy: if the active supervisor goes down, the standby supervisor becomes active within 1 sec, but reliability still depends on the routing protocol, because when a supervisor becomes active the routing protocol restarts and the routing table is generated again, which takes some time (10 sec); EIGRP and OSPF convergence is slow compared to SSO. To avoid this problem we enable NSF together with SSO.
- If the active supervisor goes down and the standby becomes active, NSF converges the routing table immediately.
- NSF requires SSO.
- The neighbouring devices should be NSF aware.

how to configure NSF for EIGRP

- router(config-router)#nsf

how to configure NSF for OSPF

- router(config-router)#nsf

how to configure NSF for BGP

- router(config-router)#bgp graceful-restart

AAA Authentication, Authorization, Accounting

- authentication: verifies the user id and password only
- authorization: which (and how many) commands the user may run
- accounting: the device creates records for monitoring

types of AAA servers

Radius server: remote authentication dial-in user service

- It is an open standard protocol.

TACACS+ server

- It is a Cisco proprietary protocol.

Note: we can configure a router as an AAA server, but then we cannot perform accounting.

- router(config)#aaa new-model
- router(config)#aaa authentication login ccie line group radius group tacacs+ local
- router(config)#radius-server host 100.1.1.100 key cisco@123
- router(config)#tacacs-server host 100.1.1.200
- router(config)#tacacs-server key cisco@12345
- router(config)#username cisco password cisco1 (local database)
- router(config)#line vty 0
- router(config-line)#login authentication ccie

Port-based authentication

- It uses the 802.1x standard, extensible authentication protocol over LAN (EAPOL).
- A switch port will not pass any traffic until a user has authenticated with the switch.
- If authentication is successful, the user can use the port normally.
- Both the switch and the PC must support the 802.1x standard.
- The PC must have an 802.1x capable application or client software (supplicant).
- switch(config)#aaa new-model
- sw(config)#aaa authentication dot1x default group radius group tacacs+ local
- switch(config)#radius-server host 100.1.1.1 key cisco123
- switch(config)#tacacs-server host 100.1.1.2
- switch(config)#tacacs-server key cisco12345
- switch(config)#username cisco password cisco123
- sw(config)#dot1x system-auth-control (enables dot1x globally)
- sw(config-if)#switchport mode access
- switch(config-if)#dot1x port-control auto
