Version 2.0
__________________________________________________________________________________
Feedback Information
Readers' feedback is a natural continuation of this process. If you have any
comments on how we could improve the quality of this book, or otherwise
alter it to better suit your needs, you can contact us by email at
cisconetworklearning@gmail.com.
Dedications
I would like to dedicate this book to my Mom and Dad for their love,
encouragement and continuous support.
Acknowledgement
First, I would like to thank God for giving me the opportunity and ability to
write, teach, and do what I truly enjoy doing. Also, I would like to thank my
family, especially my wife, for their constant encouragement and help.
Contents
Basics of Switching.
CDP: Cisco Discovery Protocol.
VLAN: Virtual Local Area Network.
Trunking.
VTP: VLAN Trunking Protocol.
EtherChannel.
STP: Spanning Tree Protocol.
STP Protection.
RSTP: Rapid Spanning Tree Protocol.
MSTP: Multiple Spanning Tree Protocol.
MLS: Multilayer Switching.
High Availability (HSRP, VRRP, GLBP).
IP Telephony.
Wireless.
AAA: Authentication, Authorization, Accounting.
Layer 2 Security (DHCP Snooping, IP Source Guard, Dynamic ARP Inspection,
VLAN Hopping, VLAN ACLs, Protected Ports, Private VLANs, Storm Control,
SPAN, Port-based Security).
Switching
Switching is the process of moving data from a source to a destination.
Types of Switching
Layer 2 switching
Layer 3 switching
Multi-Layer switching
Layer 2 Switching
Ethernet switch
Frame-Relay switch
ATM switch
Ethernet Switching (the three functions of a Layer 2 switch)
Address learning: the switch records the source MAC address of every received frame, together with the ingress port, in its CAM (MAC address) table.
Filtering and forwarding decision: a frame is forwarded only out the port on which its destination MAC was learned; unknown unicast, broadcast and multicast frames are floo
ded out every other port in the VLAN.
Loop avoidance: spanning tree blocks redundant paths so that flooded frames cannot circulate forever.
Layer 3 devices can perform three types of switching (process, fast and CEF switching; see the MLS section).
Fast switching: the route processor (RP) does a routing-table lookup for the first packet to a destination; the switching engine (SE) then installs a shortcut entry in the route cache and switches the following packets from that entry, so the RP is no longer involved.
Static CAM entries: MAC addresses can also be entered manually in the CAM table (mac address-table static). A manually built table prevents unknown-unicast flooding for those hosts, but the entries must be maintained by hand.
LLDP configuration
switch(config)#lldp run
switch(config-if)#lldp transmit
switch(config-if)#lldp receive
switch#show lldp
switch#show lldp neighbors
switch#show lldp entry *
Switchport
A switchport is an interface operating in Layer 2 mode, i.e. one that switches on MAC addresses (as opposed to a routed port created with no switchport).
Note: configuring a port as static access (switchport mode access) stops it from ever trunking, but the port still sends DTP frames; use switchport nonegotiate on access and static trunk ports to disable DTP completely, so an attached host cannot negotiate a trunk.
Native VLAN
The native VLAN carries untagged frames on a trunk: frames belonging to it are sent without a tag, and untagged frames received on the trunk are assigned to it. Only 802.1Q has a native VLAN; ISL encapsulates every frame, so it has none. Both ends of a trunk must agree on the native VLAN.
VTP modes
Server mode: can create, modify and delete VLANs and advertises the VLAN database to the domain (the default mode).
Client mode: cannot change VLANs locally; learns the database from advertisements and forwards them.
Transparent mode: does not take part in VTP (keeps its own local VLAN database and its revision number stays 0) but forwards VTP advertisements received on its trunks.
VTP advertisements are sent as triggered updates (whenever the VLAN database changes) and as periodic updates (a summary advertisement every 300 seconds).
Configuration revision number
A 32-bit number, always shown in decimal, that starts at 0 and is incremented by one each time a VLAN is added, removed or modified in the VLAN database.
VTP message types
Summary advertisement
Subset advertisement
Advertisement request (from a client)
Join (used by VTP pruning to signal which VLANs a switch needs)
Summary advertisement (contents)
Domain name
Version
Configuration revision number
MD5 digest (computed over the domain name, password and revision number)
Number of subset advertisements that follow
Updater identity (IP address of the last switch that changed the database)
Subset advertisement
Carries the VLAN database itself, one or more VLAN entries per message; it follows a summary advertisement whose revision number is higher than the receiver's.
Advertisement request
When a client is reset and its VLAN database is cleared, it sends an advertisement request; the VTP server responds with a summary advertisement followed by subset advertisements to bring it up to date.
Note: a server-mode switch does not send VTP updates while its domain name is null (not yet configured); a server with a null domain adopts the first domain name it hears on a trunk.
Note: when a switch receives a summary advertisement with a higher revision number, it verifies the MD5 digest against its own domain name and password; if the digest matches, it replaces its VLAN database with the advertised one. This applies to servers as well as clients, so a switch carrying a stale but higher revision (for example a lab switch reused in production with the same domain name and password) can erase every VLAN in the domain. Reset the revision to 0 before connecting a reused switch: change its VTP domain name, or set it to transparent mode and back.
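To see why the revision number matters, here is an added example in Python (not part of these notes): it models server, client and transparent switches applying the acceptance rules above. The digest is a simplified stand-in for the real summary-advertisement MD5, and the switch names, VLANs and revision numbers are made up for the demo.

```python
# Added example (not from the original notes): a small model of VTP revision
# handling. The digest is a simplified stand-in for the real summary
# advertisement MD5; names, VLAN numbers and the stray switch are constructed.
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, password: str, revision: int) -> bytes:
    """Model of the summary-advertisement digest over domain, password, revision."""
    return hashlib.md5(f"{domain}\x00{password}\x00{revision}".encode()).digest()


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0               # configuration revision, 32-bit, starts at 0
    vlans: set = field(default_factory=lambda: {1})

    def add_vlan(self, vid: int) -> None:
        """Only servers and transparent switches may edit the database; only
        servers bump the revision (transparent never advertises its changes)."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot modify VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1

    def summary_advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.domain, self.password, self.revision),
                "vlans": set(self.vlans)}

    def receive(self, adv: dict) -> str:
        """Acceptance rules from the notes: same domain, valid digest, strictly
        higher revision. Servers *and* clients overwrite their database."""
        if self.mode == "transparent":
            return "ignored (transparent mode keeps its local database)"
        if adv["domain"] != self.domain:
            return "ignored (domain mismatch)"
        if adv["digest"] != vtp_digest(self.domain, self.password, adv["revision"]):
            return "ignored (digest mismatch: wrong password)"
        if adv["revision"] <= self.revision:
            return "ignored (revision not higher)"
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return "accepted (VLAN database replaced)"

    def reset_revision(self) -> None:
        """Changing the domain name or moving to transparent mode resets the
        revision to 0; do this before connecting a reused switch."""
        self.revision = 0


def plug_in(domain_switches: list, newcomer: VtpSwitch) -> dict:
    """Deliver the newcomer's summary advertisement to every switch in the domain."""
    adv = newcomer.summary_advertisement()
    return {sw.name: sw.receive(adv) for sw in domain_switches}


def production_domain() -> list:
    """Constructed domain: one server with VLANs 10/20/30 and one synced client."""
    core = VtpSwitch("core", "server", "CORP", "s3cret")
    for vid in (10, 20, 30):
        core.add_vlan(vid)                            # revision becomes 3
    access = VtpSwitch("access1", "client", "CORP", "s3cret")
    access.receive(core.summary_advertisement())      # client syncs to revision 3
    return [core, access]


if __name__ == "__main__":
    domain = production_domain()
    # A lab switch with the same domain/password but a stale, higher revision.
    stale = VtpSwitch("lab-sw", "client", "CORP", "s3cret", revision=40, vlans={1})
    print(plug_in(domain, stale))                     # both accept: VLANs 10/20/30 gone
    print({sw.name: sorted(sw.vlans) for sw in domain})
```

Even a client-mode switch wipes the domain here, because clients also announce their revision; the only things that stop it are a different domain name, a different password, or a revision that is not higher.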
VTP pruning configuration
switch(config)#vtp pruning (enable on a server; it propagates through the domain)
switch#show interfaces fa 0/24 pruning
switch(config-if)#switchport trunk pruning vlan remove 10 (removes VLAN 10 from the pruning-eligible list, so this trunk always carries it; VLAN 1 and VLANs 1002-1005 are never pruning-eligible)
EtherChannel
Note: once an EtherChannel is formed, STP runs on the port-channel interface as a single logical port, not on the individual member ports, so the bundle adds bandwidth without STP blocking any of its links.
Types of EtherChannel
Static (mode on, no negotiation)
PAgP (Cisco proprietary: modes desirable and auto)
LACP (IEEE 802.3ad: modes active and passive)
PAgP: both sides must run PAgP; desirable/desirable or desirable/auto form a channel, auto/auto does not.
LACP system ID: system priority plus the switch MAC address; the side with the lower system ID decides which ports join the bundle.
LACP port ID: port priority plus port number; decides which ports are active when more links are configured than can be active (the rest are hot-standby).
Load-balancing methods (port-channel load-balance): a hash of the selected fields picks one member link per flow, so a single flow never uses more than one link.
src-mac
dst-mac
src-dst-mac
src-ip
dst-ip
src-dst-ip
src-port
dst-port
src-dst-port
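As an added example (Python, not from these notes) of how the methods above decide which member link a flow takes: a simplified model that XORs the low-order bits of the selected fields, which is enough to show why one flow never exceeds a single link and how src-mac polarizes traffic when one host generates most of it. Real hardware hashes differ in detail, and the flow records are constructed.

```python
# Added example (not from the original notes): a simplified model of how an
# EtherChannel chooses one member link per flow by XOR-ing the low-order bits of
# the fields selected with port-channel load-balance; hardware hashes differ in
# detail, and the flows below are constructed.
from ipaddress import ip_address

LOAD_BALANCE_FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}


def field_value(flow: dict, name: str) -> int:
    """Integer form of a flow field: MAC as 48-bit int, IP as 32-bit int, port as-is."""
    value = flow[name]
    if name.endswith("_mac"):
        return int(value.replace(".", "").replace(":", ""), 16)
    if name.endswith("_ip"):
        return int(ip_address(value))
    return int(value)


def select_link(flow: dict, method: str, links: int) -> int:
    """Member-link index (0..links-1) for a flow; links must be 2, 4 or 8 here
    (1, 2 or 3 low-order bits of each selected field, XOR-ed together)."""
    if links not in (2, 4, 8):
        raise ValueError("model supports 2, 4 or 8 member links")
    mask = (1 << (links.bit_length() - 1)) - 1
    index = 0
    for name in LOAD_BALANCE_FIELDS[method]:
        index ^= field_value(flow, name) & mask
    return index


def distribution(flows, method: str, links: int) -> dict:
    """How many of the flows land on each member link."""
    counts = {i: 0 for i in range(links)}
    for flow in flows:
        counts[select_link(flow, method, links)] += 1
    return counts


# Constructed traffic: one server (10.1.1.1) answering eight clients on 10.1.2.0/24.
FLOWS = [
    {"src_mac": "0000.0000.0001", "dst_mac": f"0000.0000.00{0x10 + i:02x}",
     "src_ip": "10.1.1.1", "dst_ip": f"10.1.2.{10 + i}",
     "src_port": 443, "dst_port": 50000 + i}
    for i in range(8)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-ip", "src-dst-ip", "src-dst-port"):
        print(f"{method:12s} 4 links ->", distribution(FLOWS, method, 4))
```

With src-mac or src-ip every flow from the server hashes to the same link; including the destination (src-dst-ip, src-dst-port) spreads the eight flows evenly.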
Configuration of a Layer 3 EtherChannel (static, PAgP or LACP)
switch1(config-if-range)#no switchport
switch1(config-if-range)#channel-group 20 mode on|desirable|active
switch2(config-if-range)#no switchport
switch2(config-if-range)#channel-group 20 mode on|auto|passive
(use matching pairs on the two sides: on/on for static, desirable/auto or desirable/desirable for PAgP, active/passive or active/active for LACP; on combined with a negotiating mode does not form a channel)
switch1(config)#interface port-channel 20
switch1(config-if)#ip address 10.0.0.1 255.0.0.0
switch1(config-if)#no shutdown
switch2(config)#interface port-channel 20
switch2(config-if)#ip address 10.0.0.2 255.0.0.0
switch2(config-if)#no shutdown
STP terminology
Root bridge
BPDU
Root port / designated port
Cost
Alternate port / blocking port
BPDU types
Configuration BPDU
TCN BPDU
Configuration BPDU (fields, in wire order)
Protocol ID (2 bytes, always 0)
Version (1 byte, 0 for 802.1D)
Type (1 byte: 0x00 configuration, 0x80 TCN)
Flags (1 byte: bit 0 = topology change, bit 7 = topology change acknowledgement)
Root bridge ID (8 bytes: 2-byte priority plus 6-byte MAC)
Cumulative cost to reach the root bridge (4 bytes)
Designated (sending) bridge ID (8 bytes)
Designated port ID (2 bytes)
Message age (2 bytes)
Max age (2 bytes)
Hello timer (2 bytes)
Forward delay timer (2 bytes)
(35 bytes in total; all timers are encoded in units of 1/256 second)
TCN BPDU
Protocol ID
Version
Type (0x80)
(4 bytes; it carries no other fields)
Port cost (802.1D short values, the Cisco default)
10 Mbps - 100
100 Mbps - 19
1 Gbps - 4
10 Gbps - 2
Root port: the port that receives the best BPDU, i.e. the lowest cost to the root (received root path cost plus the cost of the receiving port); ties are broken by the lowest sender bridge ID, then the lowest sender port ID, then the lowest local port ID.
Port ID: 16 bits, port priority (default 128) plus port number.
Note: a non-root bridge has exactly one root port; the root bridge has none.
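An added example (Python, not from these notes) that parses the configuration BPDU fields listed above from raw bytes and applies the root-port comparison rules; the same comparison is what Root Guard reacts to when a superior BPDU arrives on a designated port (see STP Protection below). The switch names, MAC addresses, port costs and BPDU bytes are constructed for the demo.

```python
# Added example (not from the original notes): parse an 802.1D configuration
# BPDU from raw bytes and apply the STP comparison rules to choose a root port.
# The BPDU bytes, switch names and port costs below are constructed for this demo.
import struct
from dataclasses import dataclass

CONFIG_BPDU_LEN = 35            # bytes, Protocol ID through Forward Delay
TC_FLAG, TCA_FLAG = 0x01, 0x80  # topology change / topology change ack bits


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", ""))


@dataclass(frozen=True)
class BridgeId:
    priority: int  # 2-byte priority field (priority + extended system ID)
    mac: bytes     # 6-byte MAC address

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], bytes(raw[2:8]))

    def key(self) -> tuple:
        return (self.priority, self.mac)  # lower wins


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    message_age: float  # seconds (wire value is in 1/256 s units)
    max_age: float
    hello_time: float
    forward_delay: float


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """Decode the 35-byte configuration BPDU that follows the LLC header."""
    if len(payload) < CONFIG_BPDU_LEN:
        raise ValueError("truncated BPDU")
    proto_id, version, bpdu_type, flags = struct.unpack("!HBBB", payload[:5])
    if proto_id != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    root_id = BridgeId.from_bytes(payload[5:13])
    (root_path_cost,) = struct.unpack("!I", payload[13:17])
    bridge_id = BridgeId.from_bytes(payload[17:25])
    port_id, msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", payload[25:35])
    return ConfigBpdu(flags, root_id, root_path_cost, bridge_id, port_id,
                      msg_age / 256, max_age / 256, hello / 256, fwd / 256)


def build_config_bpdu(root: BridgeId, cost: int, sender: BridgeId, port_id: int,
                      flags: int = 0, max_age: int = 20, hello: int = 2,
                      forward_delay: int = 15, message_age: int = 0) -> bytes:
    """Encode a configuration BPDU (used here only to construct test input)."""
    return (struct.pack("!HBBB", 0, 0, 0, flags)
            + struct.pack("!H6s", root.priority, root.mac)
            + struct.pack("!I", cost)
            + struct.pack("!H6s", sender.priority, sender.mac)
            + struct.pack("!HHHHH", port_id, message_age * 256, max_age * 256,
                          hello * 256, forward_delay * 256))


def bpdu_rank(b: ConfigBpdu, local_port_cost: int = 0, local_port_id: int = 0) -> tuple:
    """Lower tuple = superior BPDU: root ID, root path cost (received cost plus
    the cost of the port it arrived on), sender bridge ID, sender port ID,
    receiving port ID."""
    return (b.root_id.key(), b.root_path_cost + local_port_cost,
            b.bridge_id.key(), b.port_id, local_port_id)


def choose_root_port(received: dict, port_cost: dict, port_ids: dict) -> str:
    """Root port = the port whose received BPDU ranks best; a non-root bridge has one."""
    return min(received, key=lambda p: bpdu_rank(received[p], port_cost[p], port_ids[p]))


def is_superior(candidate: ConfigBpdu, current: ConfigBpdu) -> bool:
    """True when candidate would displace current (what Root Guard reacts to)."""
    return bpdu_rank(candidate) < bpdu_rank(current)


# Constructed lab: switch A is root; switch C hears A directly on Fa0/2 and
# hears B (one hop from A, cost 19) on Fa0/1. Both links are 100 Mbps.
ROOT_A = BridgeId(32768, mac("0000.0000.00aa"))
BRIDGE_B = BridgeId(32768, mac("0000.0000.00bb"))
SWITCH_C_RX = {
    "Fa0/1": parse_config_bpdu(build_config_bpdu(ROOT_A, 19, BRIDGE_B, 0x8002)),
    "Fa0/2": parse_config_bpdu(build_config_bpdu(ROOT_A, 0, ROOT_A, 0x8001, flags=TC_FLAG)),
}
PORT_COST = {"Fa0/1": 19, "Fa0/2": 19}
PORT_ID = {"Fa0/1": 0x8001, "Fa0/2": 0x8002}
# A rogue switch announcing priority 0 would win the root election outright.
ROGUE_ID = BridgeId(0, mac("0000.0000.0bad"))
ROGUE = parse_config_bpdu(build_config_bpdu(ROGUE_ID, 0, ROGUE_ID, 0x8001))

if __name__ == "__main__":
    rp = choose_root_port(SWITCH_C_RX, PORT_COST, PORT_ID)
    print("root port:", rp, "| TC flag on Fa0/2:", bool(SWITCH_C_RX["Fa0/2"].flags & TC_FLAG))
    print("rogue BPDU beats current root:", is_superior(ROGUE, SWITCH_C_RX["Fa0/2"]))
```

The rank tuple is the whole election in one comparison; the rogue case shows why a port facing untrusted switches needs Root Guard or BPDU Guard rather than a high priority alone.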
Topology change notification (TCN) process
Step 1: the PC on switch C is turned off; the switch detects the link going down.
Step 2: switch C sends TCN BPDUs toward the root bridge over its root port 0/2 (repeated every hello interval until acknowledged).
Step 3: the root bridge sends a configuration BPDU with the TCA (acknowledgement) bit set back to switch C, then sends configuration BPDUs with the TC flag set to all downstream switches for max age + forward delay (35 s), so every switch learns that a topology change occurred somewhere in the network.
Step 4: each switch that receives the TC flag from the root shortens its MAC aging time from 300 s to the forward delay (15 s); the shorter aging time lasts for the duration of the forward delay, after which the default is restored.
PortFast
Enabled with spanning-tree portfast on host-facing ports (on all switches in the lab). A PortFast port goes straight to forwarding, skipping listening and learning, and its link going up or down does not generate a TCN, so host ports no longer flush CAM tables across the network.
Lab: shut down the host-facing port (R1(config-if)#shutdown) and watch sw#show spanning-tree: without PortFast the aging time drops to 15 s and the port takes 30 s (listening + learning) to reach forwarding when it comes back up.
Never enable PortFast on a port facing another switch, and pair it with BPDU Guard (see STP Protection).
Direct topology change
r1(config-if)#shutdown
When a switch has at least one alternate (blocking) port, the failure or recovery of a link it can see directly causes a direct topology change; the alternate port moves through listening and learning, so convergence takes 30 s (2 x forward delay).
Step 1: the link between switch A and switch C goes down. Both switches detect the loss of link and immediately delete the MAC entries learned on those ports. Switch C discards the best BPDU it had received from the root over port 0/2: that port is down, so the BPDU is no longer valid.
Step 2: switch A sends configuration BPDUs with the TC flag set to switch B, which forwards them toward switch C; every switch shortens its MAC aging time from 300 s to 15 s.
Step 3: switch C still receives the root's BPDU through switch B on port 0/1, so port 0/1 becomes the root port and enters listening for 15 s.
Step 4: after 15 s the MAC tables have aged out; port 0/1 of switch C moves from listening to learning for another 15 s. If PC1A sends a frame to PC1B during this time, switch B floods it as unknown unicast.
Step 5: after those 15 s, port 0/1 of switch C moves from learning to forwarding. Switch C can now send frames over port 0/1; switch B and switch A receive them and rebuild their MAC tables.
UplinkFast
sw2(config-if)#shutdown
sw2(config)#spanning-tree uplinkfast
sw2(config-if)#shutdown
UplinkFast is for access-layer switches with redundant uplinks (it raises the bridge priority to 49152 and every port cost by 3000, so the switch is never elected root or used as a transit path). Without it, shutting down the root port loses pings for 30 s; with it only one packet is lost, because the alternate port 0/22 moves directly to forwarding. To update the upstream CAM tables without waiting for aging, the switch sends dummy multicast frames to 0100.0ccd.cdcd, one sourced from each MAC address it has learned on its local ports.
Indirect topology change (without BackboneFast)
Step 1: the link between switch A (the root) and switch B goes down; switch C, whose blocking port 0/1 faces switch B, cannot detect this directly.
Step 2: switch A and switch B send TC BPDUs toward switch C, and all switches shorten their MAC aging time from 300 s to 15 s.
Step 3: switch B was receiving the superior BPDU only on its port 0/1; once that link is down it starts announcing itself as the root bridge, sending inferior BPDUs toward switch C.
Step 4: when switch C receives the inferior BPDU on its blocking port, it keeps the stored superior BPDU and starts the max age timer (20 s) on it.
Step 5: after the max age timer expires, switch C compares the BPDUs, concludes that switch A is still the root, and moves port 0/1 from blocking to listening.
Step 6: switch C now relays the BPDU it receives from switch A toward switch B; switch B stops claiming root, and its port 0/2 changes from designated port to root port. Total convergence: 20 s (max age) + 30 s (listening + learning) = 50 s.
BackboneFast
Step 1: with BackboneFast enabled, the link between switch A and switch B goes down.
Step 2: switch B loses its root port and starts sending inferior BPDUs (claiming itself as root) toward switch C.
Step 3: when switch C receives an inferior BPDU on its blocking port, instead of waiting for max age it sends a Root Link Query (RLQ) request toward the root bridge over its root port.
Step 4: switch A receives the RLQ request and replies with an RLQ response confirming that it is still the root.
Step 5: switch C expires the stored BPDU at once, skipping the 20 s max age, and moves port 0/1 to listening.
Step 6: switch C sends the superior BPDU to switch B, which stops announcing itself as root. Convergence drops from 50 s to 30 s (listening + learning).
Configuring BackboneFast (must be enabled on every switch, since all of them must answer RLQ messages)
switch2(config-if)#shutdown
sw(config)#spanning-tree backbonefast
switch2(config-if)#shutdown
STP flavours
CST (Common Spanning Tree, IEEE 802.1D): one spanning-tree instance for all VLANs.
PVST (Per-VLAN Spanning Tree): Cisco, one instance per VLAN, requires ISL trunks.
PVST+ (Per-VLAN Spanning Tree Plus): Cisco, one instance per VLAN over 802.1Q trunks; the default on Catalyst switches, interoperating with CST on the native VLAN.
Lab
sw(config)#vlan 1-10
sw#show spanning-tree (one instance per VLAN is listed)
Note: the STP timers (hello, forward delay, max age) can be lowered for faster convergence, but each instance then sends and processes BPDUs more often, so switch overhead increases; set them on the root bridge, which propagates them in its BPDUs.
Problem (lab): compare sw2#show spanning-tree with sw#show spanning-tree to see which bridge was elected root for each VLAN.
STP Protection
Root Guard
Loop Guard
BPDU Guard
BPDU Filter
UDLD: Unidirectional Link Detection
Root Guard
Applied on designated ports that face switches which must never become root (access or customer switches). If a superior BPDU arrives on such a port, the port goes into the root-inconsistent (blocking) state and recovers automatically once the superior BPDUs stop, so the root bridge placement is enforced without a re-election.
sw(config-if)#spanning-tree guard root
sw1#show spanning-tree (and show spanning-tree inconsistentports)
Loop Guard (the problem it solves)
Step 1: BPDUs stop arriving on switch C's root port 0/2 because of congestion, a unidirectional link or an IOS bug, although the link stays up.
Step 2: switch C waits 20 s for a BPDU on port 0/2, the max age timer.
Step 3: switch C moves port 0/1 from blocking to root port.
Step 4: switch C changes port 0/2 from root port to designated port, and since no BPDUs arrive on it, it never returns to blocking.
Step 5: both ports between switch A and switch C are now forwarding: a Layer 2 loop.
With Loop Guard enabled on the non-designated ports (root and alternate ports), a port that stops receiving BPDUs waits for max age (20 s) and then enters the loop-inconsistent state instead of forwarding, so no loop can form; it recovers as soon as BPDUs return. Loop Guard is configured per port (spanning-tree guard loop, or globally with spanning-tree loopguard default), not per VLAN; on a trunk only the VLANs that stop receiving BPDUs go loop-inconsistent. It cannot be combined with Root Guard on the same port.
BPDU Guard
Err-disables a PortFast (edge) port the moment a BPDU arrives on it, so a rogue or accidentally connected switch cannot join the spanning tree: spanning-tree bpduguard enable per interface, or spanning-tree portfast bpduguard default globally for all PortFast ports. Recover with errdisable recovery cause bpduguard, or shutdown followed by no shutdown.
BPDU Filter
Stops a port from sending (and, in the per-interface form, receiving) BPDUs. The global form (spanning-tree portfast bpdufilter default) applies only to PortFast ports and drops the port out of PortFast when a BPDU is received; the per-interface form (spanning-tree bpdufilter enable) silently ignores all BPDUs, which effectively disables STP on that port and can create a loop, so prefer BPDU Guard.
Note: if both BPDU Guard and BPDU Filter are configured on the same interface, BPDU Filter takes precedence: the BPDUs are dropped before BPDU Guard can act, so the port is never err-disabled.
UDLD modes
Normal: when a unidirectional link is detected, the port is marked undetermined and a syslog message is generated; the port stays up.
Aggressive: after detection, UDLD tries to re-establish the neighbour relationship eight times and then err-disables the port.
sw1(config)#udld enable (global: normal mode on all fiber ports)
sw1(config-if-range)#udld port (per port, including copper)
sw2(config)#udld enable
sw2(config-if-range)#udld port
Aggressive mode uses udld aggressive globally, or udld port aggressive per port, on both switches.
Features of RSTP (802.1w)
Note: root bridge, root port, designated port and non-designated port election criteria are the same as in STP; RSTP adds the alternate and backup port roles and edge ports, and negotiates with proposal/agreement instead of waiting on timers.
Port states, STP vs RSTP:
disabled   -> discarding
blocking   -> discarding
listening  -> discarding
learning   -> learning (15 s)
forwarding -> forwarding
Proposal/agreement (first scenario)
Step 3: swB receives the superior BPDU, immediately performs synchronization, stops announcing itself as root and gives up the designated role on that port; swA simply keeps sending proposal BPDUs.
Note: during synchronization a switch puts all its non-edge designated ports into discarding, so that accepting the new root port cannot create a loop.
Step 4: swB elects its root port and sends an agreement toward swA through it; both ports (the one that sent and the one that received the agreement) move directly to forwarding without the delay timers.
Proposal/agreement (second scenario)
Step 1: sw1 and sw2 both send proposal BPDUs out both of their ports.
Step 2: sw2 receives the superior BPDU on port 0/1 and performs synchronization.
Step 3: sw2 changes port 0/1 from designated port to root port.
Step 4: sw2 sends an agreement from port 0/1 to sw1's port 0/1, and both ports go to forwarding immediately.
Step 5: sw1's port 0/2 receives no agreement, because sw2's port 0/2 is discarding (it becomes the alternate port), so sw1's port 0/2 reaches forwarding the slow way, through discarding and learning (2 x forward delay).
Step 6: if the root port goes down, the alternate port 0/2 becomes the root port and moves to forwarding immediately, with no delay timers, because the UplinkFast behaviour is built into RSTP.
Configuration of RSTP
sw(config)#spanning-tree mode rapid-pvst
sw(config-if-range)#shutdown
sw(config-if-range)#no shutdown (bounce the ports so they renegotiate with the new protocol)
Note: the root port can still be influenced by cost and port ID, exactly as in PVST+ (spanning-tree cost, spanning-tree port-priority).
MSTP/MST (802.1s)
MST attributes: a region is identified by three values that must match on every switch in it; they are carried in the MST configuration identifier of the MST BPDU, which is followed by one M-record per instance.
Name
Revision
Hash value (MD5 digest of the VLAN-to-instance mapping table)
sw(config)#spanning-tree mode mst
sw(config)#spanning-tree mst configuration
sw(config-mst)#name cisco
sw(config-mst)#revision 1
sw(config-mst)#instance <n> vlan <list> (VLANs not mapped explicitly stay in instance 0, the IST)
Types of switching (on a Layer 3 device)
Process switching
Fast switching
CEF switching
Process switching: the CPU performs a routing-table lookup and an ARP lookup for every packet; the slowest method.
Fast switching: the route processor performs the routing lookup for the first packet to a destination only, then builds a route-cache entry from which later packets are switched (a demand-built cache).
CEF switching: the FIB (built from the routing table) and the adjacency table (built from the ARP table) are prebuilt, so every packet is switched with a single lookup and no cache has to be populated first.
MLS Generations:
CEF adjacency types
Null adjacency: handles packets routed to the Null0 interface (they are dropped).
Drop adjacency: handles packets that are dropped because of an encapsulation mismatch, a CRC error or a similar problem.
Discard adjacency: handles packets discarded by an ACL.
Glean adjacency: covers directly connected networks for which no Layer 2 rewrite (ARP entry) exists yet; a packet hitting a glean adjacency is sent to the CPU, which sends an ARP request to resolve the next hop and then installs a complete adjacency.
Punt adjacency: handles packets that CEF cannot switch (IP options, fragmentation, packets addressed to the router itself) and passes them to the control plane for process switching.
CEF works in two modes:
Central CEF: the FIB and adjacency table live on the route processor.
dCEF (distributed CEF): a copy of the FIB and adjacency table is pushed to every line card, which forwards locally.
router(config)#ip cef
router#show ip cef
r(config)#no ip cef (disables CEF globally; traffic falls back to fast switching)
r(config-if)#no ip route-cache (disables fast switching on the interface, so its traffic is process switched)
DHCP / inter-VLAN routing on an MLS
sw1(config)#vlan 10,20,30,100
DHCP server (r1), one pool per VLAN; only the default-router lines are shown:
r1(dhcp-config)#default-router 192.168.10.1
r1(dhcp-config)#default-router 192.168.20.1
r1(dhcp-config)#default-router 192.168.30.1
R2(config-if)#no shutdown
r2#debug ip dhcp server packet
SVI and routing on sw1:
sw1(config)#ip routing
sw1(config)#interface vlan 10
sw1(config-if)#ip helper-address <dhcp server> (relay agent: forwards the broadcast DHCP discover to the server as unicast)
sw1(config)#router eigrp 10
sw1(config-router)#no auto-summary
sw1(config-router)#network 0.0.0.0
r1(config)#router eigrp 10
r1(config-router)#no auto-summary
r1(config-router)#network 0.0.0.0
Create an SVI on sw1 for VLAN 20 and configure the DHCP relay agent (ip helper-address on the SVI):
r3#debug ip dhcp server packet
sw1(config)#interface vlan 20
Routed port and VLAN 30 on sw2:
sw2(config)#ip routing
sw2(config)#interface fa 0/21
sw2(config-if)#no switchport
sw2(config-if)#no shutdown
sw2(config)#router eigrp 10
sw2(config-router)#no auto-summary
sw2(config-router)#network 0.0.0.0
sw2(config)#vlan 30
sw2(config)#interface fa 0/2 (access port in VLAN 30)
sw2(config)#interface vlan 30
DHCP snooping
A rogue DHCP server can hand out wrong addresses, gateways or DNS servers: a machine that takes a lease from it cannot reach the internet or the printer, cannot communicate with the other computers, or has its traffic routed through an attacker's gateway.
Configuring DHCP snooping
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 1
sw1(config-if)#ip dhcp snooping trust (on the port facing the DHCP server, or the uplink toward it)
Once DHCP snooping is enabled, every switchport is untrusted, so server messages (OFFER, ACK, NAK) are dropped unless the port they arrive on is made trusted. The switch also builds the DHCP snooping binding table (MAC, IP, lease, VLAN, port) from the leases it sees, which DAI and IP Source Guard use.
Note: in the lab the DHCP server stopped handing out addresses because the switch had an SVI in VLAN 1 and was acting as a relay agent without a usable helper address; clearing the SVI makes the switch stop relaying, so the clients reach the server directly at Layer 2:
sw1(config)#int vlan 1
sw1(config-if)#no ip address
sw1(config-if)#no ip helper-address
A related caveat: DHCP snooping inserts option 82 into relayed requests by default, and a server or upstream relay may drop requests that carry option 82 with a zero giaddr; if clients stop getting leases after snooping is enabled, check the server and consider no ip dhcp snooping information option.
IP Source Guard
Filters IP traffic on an untrusted port so that only packets whose source IP (and optionally source MAC) matches a DHCP snooping binding or a static binding for that port are forwarded; anything else, including spoofed source addresses, is dropped. It requires DHCP snooping.
sw1(config)#interface fa 0/1
sw1(config-if)#ip verify source (or ip verify source port-security to check the MAC as well)
sw1(config)#ip source binding <mac> vlan <vlan> <ip> interface <port> (static entry for hosts with fixed addresses)
Dynamic ARP Inspection (DAI)
Protects the switched network from ARP-based man-in-the-middle (MITM) attacks; DHCP snooping is required, because DAI validates ARP packets against the snooping binding table.
What is the MITM attack here: an attacker's computer answers ARP requests on behalf of another host (ARP spoofing), so frames meant for that host are delivered to the attacker, which captures, and usually relays, the traffic.
Note: with DHCP snooping enabled, the switch populates the snooping binding table every time the DHCP server hands out an address, recording the client's MAC, IP, VLAN and port.
Step 1: PC B (192.168.1.2) wants to talk to PC D (192.168.1.4), so it sends an ARP request.
Step 2: the switch receives the request on an untrusted port and checks the sender MAC and sender IP against the DHCP snooping binding table; if they match a binding, the request is valid, otherwise it is dropped (and logged).
Step 3: the request is valid, so the switch floods it in the VLAN.
Step 4: the attacker answers with an ARP reply claiming 192.168.1.4 with its own MAC; the switch compares the reply's sender MAC/IP with the binding table, finds no match and drops the reply.
Note: the DHCP server itself cannot communicate, because its IP address is configured manually and has no entry in the snooping binding table, so its own ARP packets are dropped.
Fix: make its port trusted (or add a static binding with ip source binding, or an ARP ACL):
switch(config)#int fa 0/1
switch(config-if)#ip arp inspection trust
Enable DAI per VLAN with ip arp inspection vlan 1; ports toward other switches that run DAI are normally trusted as well. Optional extra checks: ip arp inspection validate src-mac dst-mac ip.
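The validation in steps 2 and 4, as an added Python example (not from these notes): a small DAI model run over constructed ARP frames, including the statically addressed DHCP server that is dropped until its port is trusted or a static binding is added. The binding table, port names, MAC and IP addresses are made up for the demo.

```python
# Added example (not from the original notes): Dynamic ARP Inspection decisions
# run over constructed ARP frames. The binding table, port names, MAC and IP
# addresses are made up for the demo; the checks mirror the notes (sender
# MAC/IP must match a DHCP snooping binding unless the ingress port is trusted).
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def build_arp(eth_src: str, eth_dst: str, op: int, sha: str, spa: str,
              tha: str, tpa: str) -> bytes:
    """Ethernet II header + 28-byte ARP body. eth_src and sha are separate so a
    crafted frame can lie in the ARP body."""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP) + body


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_src": frame[6:12], "op": op, "sha": sha,
            "spa": str(IPv4Address(spa)), "tha": tha, "tpa": str(IPv4Address(tpa))}


class ArpInspector:
    """Per-switch DAI state: inspected VLANs, trusted ports, binding table."""

    def __init__(self, vlans, validate_src_mac: bool = True):
        self.vlans = set(vlans)                    # ip arp inspection vlan <list>
        self.validate_src_mac = validate_src_mac   # ip arp inspection validate src-mac
        self.trusted = set()                       # ip arp inspection trust
        self.bindings = {}                         # (vlan, mac) -> ip

    def learn_binding(self, vlan: int, mac_addr: str, ip: str) -> None:
        """DHCP snooping adds an entry per lease; ip source binding adds static ones."""
        self.bindings[(vlan, mac(mac_addr))] = ip

    def trust(self, port: str) -> None:
        self.trusted.add(port)

    def inspect(self, port: str, vlan: int, frame: bytes) -> str:
        if vlan not in self.vlans or port in self.trusted:
            return "forward (not inspected)"
        arp = parse_arp(frame)
        if self.validate_src_mac and arp["eth_src"] != arp["sha"]:
            return "drop: Ethernet source MAC differs from ARP sender MAC"
        if self.bindings.get((vlan, arp["sha"])) != arp["spa"]:
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            return (f"drop: no binding for {arp['sha'].hex(':')} / {arp['spa']} "
                    f"in VLAN {vlan} (ARP {kind} on {port})")
        return "forward"


def lab_inspector() -> ArpInspector:
    """Switch with DAI on VLAN 1 and two leases learned by DHCP snooping."""
    dai = ArpInspector(vlans={1})
    dai.learn_binding(1, "0000.0000.00b2", "192.168.1.2")   # PC B on Fa0/2
    dai.learn_binding(1, "0000.0000.00d4", "192.168.1.4")   # PC D on Fa0/4
    return dai


# Constructed frames: a legitimate request from PC B, an attacker on Fa0/9
# claiming PC D's address, and the statically addressed DHCP server on Fa0/1.
PCB_REQUEST = build_arp("0000.0000.00b2", "ffff.ffff.ffff", ARP_REQUEST,
                        "0000.0000.00b2", "192.168.1.2", "0000.0000.0000", "192.168.1.4")
SPOOFED_REPLY = build_arp("0000.0000.0bad", "0000.0000.00b2", ARP_REPLY,
                          "0000.0000.0bad", "192.168.1.4", "0000.0000.00b2", "192.168.1.2")
DHCP_SERVER_REPLY = build_arp("0000.0000.00d0", "0000.0000.00b2", ARP_REPLY,
                              "0000.0000.00d0", "192.168.1.1", "0000.0000.00b2", "192.168.1.2")

if __name__ == "__main__":
    dai = lab_inspector()
    print("PC B request :", dai.inspect("Fa0/2", 1, PCB_REQUEST))
    print("spoofed reply:", dai.inspect("Fa0/9", 1, SPOOFED_REPLY))
    print("DHCP server  :", dai.inspect("Fa0/1", 1, DHCP_SERVER_REPLY))
    dai.trust("Fa0/1")            # ip arp inspection trust on the server port
    print("DHCP server  :", dai.inspect("Fa0/1", 1, DHCP_SERVER_REPLY))
```

Trusting the port skips inspection entirely, which is fine for a server you control; a static binding keeps the port inspected and only whitelists that one MAC/IP pair, which is the safer fix when the server shares a segment with untrusted hosts.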
VLAN hopping (double tagging)
Step 1: the attacker wants to take down the FTP server by sending it malicious files, but cannot reach it directly because it sits in a different VLAN (VLAN 20).
Step 2: using a packet-crafting tool, the attacker sends frames carrying two 802.1Q tags: an outer tag for the native VLAN (VLAN 1) and an inner tag for VLAN 20. Switch 1 receives the frame on port 0/1, an access port in VLAN 1, which is also the trunk's native VLAN; because native-VLAN traffic is sent untagged on the trunk, the switch strips the outer tag and forwards the frame over the trunk with only the inner tag left.
Step 3: switch 2 receives the frame on the trunk, reads the remaining tag (VLAN 20) and forwards it to the FTP server in VLAN 20.
Step 4: the FTP server's replies stay in VLAN 20 and never reach the attacker; the attack is one-way, which is enough for flooding or delivering a payload.
Mitigation: set the native VLAN of every trunk to an unused VLAN (switchport trunk native vlan 999) and never place access ports in it; additionally tag the native VLAN (vlan dot1q tag native); and use switchport nonegotiate on non-trunk ports so a host cannot negotiate a trunk with DTP (switch spoofing, the other form of VLAN hopping).
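The double-tagging path above, as an added Python example (not from these notes): it builds the two-tag frame as bytes, models the access-ingress, trunk-egress and trunk-ingress decisions of the two switches, and shows what each mitigation does to the frame. MAC addresses, VLAN numbers and the payload are constructed, and the switch model is deliberately simplified.

```python
# Added example (not from the original notes): builds a double-tagged 802.1Q
# frame and walks it through the two switches in the scenario above, then
# shows what the usual mitigations do to it. MAC addresses, VLAN numbers and
# the payload are constructed for the demo.
import struct
from dataclasses import dataclass

TPID = 0x8100  # 802.1Q tag protocol identifier


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", ""))


def tag(vlan: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID + (PCP, DEI, 12-bit VLAN ID)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vlan & 0xFFF))


def build_frame(dst: str, src: str, vlans, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked tags, outermost first."""
    return (mac(dst) + mac(src) + b"".join(tag(v) for v in vlans)
            + struct.pack("!H", ethertype) + payload)


def pop_tag(frame: bytes):
    """Return (outer VLAN or None, frame with that tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vlan = struct.unpack("!H", frame[14:16])[0] & 0xFFF
    return vlan, frame[:12] + frame[16:]


def push_tag(frame: bytes, vlan: int) -> bytes:
    return frame[:12] + tag(vlan) + frame[12:]


@dataclass
class Trunk:
    native_vlan: int = 1      # switchport trunk native vlan <n>
    tag_native: bool = False  # vlan dot1q tag native


def access_ingress(frame: bytes, access_vlan: int):
    """Access port: untagged frames, and frames tagged with the port's own VLAN,
    enter that VLAN (the tag is removed); a tag for any other VLAN is dropped."""
    vlan, inner = pop_tag(frame)
    if vlan is None:
        return access_vlan, frame
    return (access_vlan, inner) if vlan == access_vlan else (None, frame)


def trunk_egress(frame: bytes, vlan: int, trunk: Trunk) -> bytes:
    """Native-VLAN traffic leaves untagged unless the native VLAN is tagged."""
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, trunk: Trunk):
    """Untagged frames belong to the native VLAN; otherwise the tag decides."""
    vlan, inner = pop_tag(frame)
    return (trunk.native_vlan, frame) if vlan is None else (vlan, inner)


def deliver(frame: bytes, attacker_access_vlan: int, trunk_sw1: Trunk, trunk_sw2: Trunk):
    """VLAN in which switch 2 delivers the attacker's frame, or None if dropped."""
    vlan, f = access_ingress(frame, attacker_access_vlan)
    if vlan is None:
        return None
    vlan2, _ = trunk_ingress(trunk_egress(f, vlan, trunk_sw1), trunk_sw2)
    return vlan2


# Attacker in VLAN 1 targets the FTP server in VLAN 20: outer tag 1, inner tag 20.
ATTACK = build_frame("0000.0000.0f7b", "0000.0000.0bad", [1, 20], 0x0800,
                     b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("default native VLAN 1 :", deliver(ATTACK, 1, Trunk(1), Trunk(1)))
    print("native VLAN 999       :", deliver(ATTACK, 1, Trunk(999), Trunk(999)))
    print("tag native            :", deliver(ATTACK, 1, Trunk(1, True), Trunk(1, True)))
    print("attacker not in native:", deliver(ATTACK, 10, Trunk(1), Trunk(1)))
```

With the default native VLAN the frame lands in VLAN 20; with an unused native VLAN or tagged native VLAN, switch 1 tags it with VLAN 1 on the trunk and switch 2 keeps it in VLAN 1, where the leftover inner tag is just payload; and an attacker whose access VLAN is not the native VLAN cannot get the outer tag stripped at all.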
VLAN ACL (VACL)
VACLs filter traffic bridged within a VLAN (host to host in the same VLAN), which a router ACL never sees. Lab: enable telnet on r4 for testing, then filter it inside the VLAN:
r4(config)#line vty 0 4
r4(config-line)#login local
sw1(config)#vlan access-map <name> 10
sw1(config-access-map)#match ip address <acl matching the telnet traffic>
sw1(config-access-map)#action drop
sw1(config)#vlan access-map <name> 20
sw1(config-access-map)#action forward (no match clause: everything else)
sw1(config)#vlan filter <name> vlan-list <vlan>
Protected port
A protected port does not forward traffic (unicast, multicast or broadcast) to any other protected port on the same switch; traffic between a protected and an unprotected port, and through the uplink, flows normally. It is local to one switch and does not extend across a trunk, unlike a private VLAN.
sw(config-if)#switchport protected
Private VLAN
Primary: the VLAN that carries traffic from the promiscuous port (gateway, DHCP server, firewall) to the hosts; it is associated with one or more secondary VLANs.
Community: hosts in the same community VLAN can talk to each other and to the promiscuous port, but not to other secondary VLANs.
Isolated: hosts in the isolated VLAN can talk only to the promiscuous port, not even to each other; one isolated VLAN per primary.
Private VLANs give protected-port style isolation that also works across trunks and that the attached hosts cannot switch off, so a compromised host in an isolated VLAN cannot reach its neighbours at Layer 2 (traffic routed back through the gateway is still possible unless the gateway filters it). VTP must be in transparent mode (VTP versions 1 and 2) to define them. Define and associate the VLANs first:
sw1(config)#vlan 100
sw1(config-vlan)#private-vlan primary
sw1(config-vlan)#private-vlan association 10,20,30
sw1(config)#vlan 10
sw1(config-vlan)#private-vlan community (or private-vlan isolated; declare 20 and 30 the same way)
Host ports: ports 2-3 in secondary VLAN 10, 4-5 in 20, 6-7 in 30; promiscuous port: 0/1.
sw1(config)#int fa 0/2
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 10
sw1(config)#int fa 0/3
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 10
sw1(config)#int fa 0/4
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 20
sw1(config)#int fa 0/5
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 20
sw1(config)#int fa 0/6
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 30
sw1(config)#int fa 0/7
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 30
sw1(config)#int fa 0/1
sw1(config-if)#switchport mode private-vlan promiscuous
sw1(config-if)#switchport private-vlan mapping 100 10,20,30
sw1#show vlan private-vlan
Storm control
This feature protects a LAN port from broadcast, multicast and unknown-unicast flooding (a traffic storm) on physical interfaces. Storm control monitors the level of each traffic type for which it is enabled against a threshold (a percentage of bandwidth, or bits or packets per second) measured over 1-second intervals, and drops the excess until the level falls below the threshold. Actions:
Shutdown: when a storm occurs, the port is put into the error-disabled state; re-enable it with the errdisable recovery feature (errdisable recovery cause storm-control) or with shutdown followed by no shutdown.
Trap: when a storm occurs, an SNMP trap is generated (and the excess is dropped); the port stays up.
Configuring storm control for broadcast flooding:
sw1(config-if)#storm-control broadcast level <rising> [falling]
sw1(config-if)#storm-control action shutdown
Lab result: a broadcast storm (or a very low threshold) shuts down sw1 port 0/1, and ARP, which is broadcast, no longer resolves for the hosts behind it.
Note: storm control can also be configured on a Layer 3 (routed) port after assigning an IP address.
SPAN
Local SPAN
Source and destination ports are on the same switch.
Configure local SPAN for a single source port:
sw(config)#monitor session 1 source interface fastethernet 0/1 both
sw(config)#monitor session 1 destination interface <port>
RSPAN / remote SPAN
Source and destination ports are on different switches; the mirrored traffic crosses the trunks in a dedicated RSPAN VLAN, which must exist on every switch in the path.
sw1(config)#vlan 100
sw1(config-vlan)#remote-span
sw2(config)#vlan 100
sw2(config-vlan)#remote-span
sw#show vlan remote-span
sw1(config)#monitor session 1 source interface fastethernet 0/1 both
sw1(config)#monitor session 1 destination remote vlan 100
sw2(config)#monitor session 1 source remote vlan 100
sw2(config)#monitor session 1 destination interface fastethernet 0/5
Note: a SPAN destination port does not carry normal traffic and by default drops frames received from the attached analyser, so a sniffer on it cannot talk back into the network.
Gateway redundancy
Protocols used to provide a highly available default gateway (first-hop redundancy protocols):
HSRP: Hot Standby Router Protocol (Cisco)
VRRP: Virtual Router Redundancy Protocol (IETF standard)
GLBP: Gateway Load Balancing Protocol (Cisco)
Each aggregates two or more physical gateways into a single virtual gateway (virtual IP and virtual MAC) that the hosts use as their default gateway.
HSRP states
Disabled
Init
Speaking
Listening
Standby
Active
Note: in one group only one device is active and one is standby; all others remain in the listen state.
Active router election: 1 higher priority, 2 higher interface IP address (tie-break only).
Standby router election: the same criteria among the remaining routers.
Configuration of HSRP
r(config-if)#standby 1 ip <virtual ip>
r(config-if)#standby 1 priority <n> (default 100)
r#show standby
Note: if HSRP is enabled on all routers within about 10 seconds, the active router is elected on priority, then highest IP address.
Note: if HSRP is enabled on r1 first and 10 seconds pass, r1 becomes the active router and keeps that role even when a higher-priority router comes up later, unless preemption is configured.
r1(config-if)#standby 1 preempt
Note: preemption does not act on the IP-address tie-break; it takes effect when a higher priority is configured on the router.
Note: HSRP provides gateway redundancy but not load balancing within a group (use several groups with different active routers, or GLBP).
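The election and preemption rules above, plus the default plaintext authentication covered next, as an added Python model (not from these notes); router names, addresses, priorities and keys are made up, and the key comparison stands in for the real hello authentication.

```python
# Added example (not from the original notes): a model of HSRP active/standby
# election, preemption and the default plaintext authentication. Router names,
# priorities, addresses and keys are constructed; the key check stands in for
# real HSRP authentication, which is carried in the hello packet.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100      # standby <g> priority, default 100
    preempt: bool = False    # standby <g> preempt, off by default
    key: str = "cisco"       # default plaintext authentication string

    def rank(self) -> tuple:
        """Higher wins: priority first, then the higher interface IP."""
        return (self.priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, key: str = "cisco"):
        self.key = key       # standby <g> authentication md5 key-string <key>
        self.members = []
        self.active = None
        self.standby = None

    def _best(self, exclude=None):
        pool = [r for r in self.members if r is not exclude]
        return max(pool, key=HsrpRouter.rank) if pool else None

    def start(self, routers):
        """All routers come up within the hold time: a full election on rank."""
        self.members.extend(r for r in routers if r.key == self.key)
        self.active = self._best()
        self.standby = self._best(exclude=self.active)
        return self.active

    def join(self, router: HsrpRouter):
        """A router starts speaking later. Hellos with the wrong key are ignored;
        it takes over an existing active only with a higher rank AND preempt."""
        if router.key != self.key:
            return self.active
        self.members.append(router)
        if self.active is None:
            self.active = self._best()
        elif router.preempt and router.rank() > self.active.rank():
            self.active = router              # coup: higher priority + preempt
        self.standby = self._best(exclude=self.active)
        return self.active

    def fail(self, router: HsrpRouter):
        """Router stops sending hellos and its hold time expires."""
        self.members.remove(router)
        if router is self.active:
            self.active = self._best()        # the standby takes over
        self.standby = self._best(exclude=self.active)
        return self.active


def lab() -> HsrpGroup:
    """Constructed lab: r2 and r3 start together, r1 (priority 110) boots later."""
    group = HsrpGroup()                                        # default key "cisco"
    group.start([HsrpRouter("r2", "192.168.1.2"), HsrpRouter("r3", "192.168.1.3")])
    group.join(HsrpRouter("r1", "192.168.1.1", priority=110))  # no preempt: standby only
    return group


if __name__ == "__main__":
    g = lab()
    print("active:", g.active.name, "standby:", g.standby.name)     # r3 (higher IP), r1
    r3 = next(r for r in g.members if r.name == "r3")
    print("after r3 fails:", g.fail(r3).name)                      # r1
    rogue = HsrpRouter("rogue", "192.168.1.250", priority=255, preempt=True)
    print("rogue with default key:", g.join(rogue).name)           # rogue becomes the gateway
    secured = HsrpGroup(key="Str0ngK3y")
    secured.join(HsrpRouter("r1", "192.168.1.1", 110, key="Str0ngK3y"))
    print("rogue against MD5 key :", secured.join(rogue).name)     # r1 keeps the role
```

The last two lines are the security point: with the default key any host on the segment can announce priority 255 with preempt and become the default gateway; a group-wide MD5 key makes its hellos fall on deaf ears.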
Authentication in HSRP
By default HSRP hellos carry the plaintext key "cisco", so anyone on the segment can inject a hello with priority 255 and preempt, becoming the gateway for the VLAN (a man-in-the-middle). Configure MD5 authentication with the same key on every router in the group:
r(config-if)#standby 1 authentication md5 key-string <key>
VRRP
Master
Backup
Master election: higher priority, then higher IP address.
Note: if the priorities tie, the router with the higher IP address becomes master. VRRP preempts by default, and the router that owns the virtual IP address as a real interface address has priority 255.
Configuration of VRRP
R1(config)#interface fa 0/0
R1(config-if)#vrrp 1 ip 192.168.101.100
r2(config-if)#vrrp 1 ip 192.168.101.100
r3(config-if)#vrrp 1 ip 192.168.101.100
r#show vrrp
r1(config-if)#vrrp 1 priority 120
r1#debug ip packet detail
Components of GLBP
AVG
AVF
AVG: active virtual gateway, elected by priority; it answers ARP requests for the virtual IP and hands out the virtual MAC addresses of the forwarders (round-robin by default, or weighted or host-dependent), which is how load is shared.
AVF: active virtual forwarder; every router in the group (up to four) forwards traffic for the virtual MAC it was assigned.
Weighting: each forwarder has a weight that object tracking can lower. In the lab, shutting down the serial link drops the tracked weight to the lower value (1), so the router is no longer eligible to forward, and another router takes over its virtual MAC after the forwarder preemption delay, 30 s by default.
Converged network
Voice VLAN
To separate voice traffic from data on an access port, a voice VLAN is configured in addition to the access VLAN; with a voice VLAN a single switchport carries two VLANs (the phone tags its frames with the voice VLAN, the PC behind the phone stays untagged in the data VLAN, and the switch tells the phone which voice VLAN to use via CDP).
sw(config)#int fa 0/1
sw(config-if)#switchport mode access
sw(config-if)#switchport access vlan 10
sw(config-if)#switchport voice vlan 20
sw#show vlan brief
Network design
The core is the backbone of the network, so it needs advanced QoS and hardware redundancy.
Hardware redundancy
Modular multilayer switches have two supervisor cards and redundant power supplies. One supervisor works actively and the second stays in standby; if the first fails, the standby becomes active.
Redundancy modes (approximate failover times):
RPR: Route Processor Redundancy (about 2 min; the standby is only partially initialized)
RPR+: (about 30 s; the standby is fully booted, but Layer 3 state is rebuilt)
SSO: Stateful Switchover (about 1 s; Layer 2 state is synchronized, so links stay up)
How to configure the redundancy mode
router(config)#redundancy
router(config-red)#mode rpr|rpr-plus|sso
router#show redundancy states
Nonstop forwarding (NSF) keeps forwarding during the switchover while the routing protocol rebuilds its tables; enable it per routing protocol:
router(config-router)#nsf (under router ospf or router eigrp)
How to configure NSF for BGP
router(config-router)#bgp graceful-restart
Types of AAA servers
RADIUS server (UDP, open standard; combines authentication and authorization, encrypts only the password)
TACACS+ server (TCP 49, Cisco; separates the three functions and encrypts the whole packet body, so it is preferred for device administration)
Note: a router can act as its own AAA server with the local user database, but it cannot perform accounting that way.
router(config)#aaa new-model
router(config)#aaa authentication login ccie group radius group tacacs+ local (method list: RADIUS first, then TACACS+, then the local database only if the servers do not respond)
router(config)#radius-server host 100.1.1.100 key cisco@123
router(config)#tacacs-server host 100.1.1.200
router(config)#tacacs-server key cisco@12345
router(config)#username cisco password cisco1 (local database; prefer username cisco secret so the password is stored hashed)
router(config)#line vty 0
router(config-line)#login authentication ccie
Port-based authentication (IEEE 802.1X)