
Spanning Tree Protocol (STP)

As you study this section, answer the following questions:
1. How does STP eliminate bridging loops?
2. Which port state builds the bridge database with MAC addresses?
3. Which timers can be configured to speed up STP performance?
4. Which devices generate configuration Bridge Protocol Data Units (BPDUs)?
5. What is the difference between a root port and a designated port?

After finishing this section, you should be able to complete the following tasks:
- Given the MAC address of a switch, configure it to be the root bridge.
- Configure a switch to be a primary root bridge.
- Configure a switch to be a secondary root bridge.

This section covers the following exam objectives:
201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP, PVRST, MISTP).

STP Facts
To provide for fault tolerance, many networks implement redundant paths between devices using multiple switches. However, providing redundant paths between segments causes packets to be passed between the redundant paths endlessly. This condition is known as a bridging loop. To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for each route is assigned as the designated bridge. Only the designated bridge can forward packets. Redundant bridges (and switches) are assigned as backups.

The spanning tree algorithm provides the following benefits:
- Eliminates bridging loops
- Provides redundant paths between devices
- Enables dynamic role configuration
- Recovers automatically from a topology change or device failure
- Identifies the optimal path between any two network devices

The spanning tree algorithm calculates the best loop-free path through a network by assigning a role to each bridge or switch and by assigning roles to the ports of each bridge or switch. The bridge role determines how the device functions in relation to other devices, and whether the device forwards traffic to other segments.

Role: Root bridge
Characteristics: The root bridge is the master or controlling bridge. There is only one root bridge in the network. The root bridge is the logical center of the spanning-tree topology in a switched network. The root bridge is determined by the switch with the lowest bridge ID (BID). The bridge ID is composed of two parts: a bridge priority number and the MAC address assigned to the switch. The default priority number for all switches is 32,768 (0x8000 in hexadecimal). This means that for unconfigured switches, the switch with the lowest MAC address becomes the root bridge. You can manually configure the priority number to force a specific switch to become the root switch. The root bridge periodically broadcasts configuration messages. These messages are used to select routes and reconfigure the roles of other bridges if necessary. All ports on a root bridge forward messages to the network.
Note: Newer switches add the VLAN number to the priority value. For example, if you configure a priority value of 4096, the switch will use the priority of 4097 for VLAN 1, 4098 for VLAN 2, and so on.

Role: Designated bridge
Characteristics: A designated bridge is any other device that participates in forwarding packets through the network. Designated bridges are selected automatically by exchanging bridge configuration packets. To prevent bridging loops, there is only one designated bridge per segment.

Role: Backup bridge
Characteristics: All redundant devices are classified as backup bridges. Backup bridges listen to network traffic and build the bridge database. However, they will not forward packets. A backup bridge can take over if the root bridge or a designated bridge fails.

Switches send special packets called Bridge Protocol Data Units (BPDUs) out each port to the multicast address 01:80:C2:00:00:00. BPDUs sent and received from other bridges are used to determine the bridge roles and port states, verify that neighbor devices are still functioning, and recover from network topology changes. STP uses the following types of BPDUs:
- A Configuration BPDU is sent by the root bridge on all its ports. Each BPDU contains STP parameters which are critical to STP stability. Only the root bridge generates the configuration BPDU, guaranteeing that there is no mismatching STP information. If configuration BPDUs are not received by root ports on other bridges, a topology change may occur.
- A Topology Change (TC) BPDU is generated by the switch when it detects a topology change, such as the following:
  - A port in forwarding or listening transitions to blocking
  - A port moves to forwarding state, and the bridge already has a designated port
  - A non-root bridge receives a TC on its designated port (a propagation TC is sent)

During the negotiation process and normal operations, each switch port is in one of the following states:

Port state: Disabled
Description: A port in the disabled state is powered on but does not participate in listening to network messages or forwarding them. A bridge must be manually placed in the disabled state.

Port state: Blocking
Description: When a device is first powered on, its ports are in the blocking state. In addition, backup bridge ports are always in the blocking state. Ports in the blocking state receive packets and BPDUs sent to all bridges, but will not process any other packets.

Port state: Listening
Description: The listening state is a transitionary state between blocking and learning. The port remains in the listening state for a specific period of time. This time period allows network traffic to settle down after a change has occurred. For example, if a bridge goes down, all other bridges go to the listening state for a period of time. During this time the bridges redefine their roles.

Port state: Learning
Description: A port in the learning state is receiving packets and building the bridge database (associating MAC addresses with ports). A timer is also associated with this state. The port goes to the forwarding state after the timer expires.

Port state: Forwarding
Description: The root bridge and designated bridges are in the forwarding state when they can receive and forward packets. A port in the forwarding state can both learn and forward. All ports of the root switch are in forwarding mode.

The following timers affect STP performance and state changes:
- The hello time is the time between each BPDU that is sent on a port by the root bridge and forwarded by other designated bridges. It is 2 seconds by default, but can be configured between 1 and 10 seconds.
- The forward delay is the time spent in the listening and learning states. It is 15 seconds by default, but can be configured between 4 and 30 seconds.
- The max age timer controls the maximum length of time a bridge port saves its configuration BPDU information. It is 20 seconds by default, but can be configured between 6 and 40 seconds.
Note: Although it is possible to tune spanning-tree timers, the recommendation is to leave the spanning tree timers at their default values.

During the configuration process, ports on each switch are configured as one of the following types:

Port type: Root port
Description: The port on the designated switch with the lowest port cost back to the root bridge is identified as the root port. Each designated switch has a single root port (a single path back to the root bridge). Root ports are in the forwarding state. The root bridge does not have a root port.

Port type: Designated port
Description: One port on each segment is identified as the designated port. The designated port identifies which port on the segment is allowed to send and receive frames onto that segment. Designated ports are selected based on the lowest path cost to get back to the root switch. All ports on the root bridge are designated ports (unless a switch port loops back to a port on the same switch). Designated ports are used to send frames back to the root bridge. Designated ports are in the forwarding state.

Port type: Blocking port
Description: A blocking port is any port that is not a root or a designated port. A blocking port is in the blocking state.

When determining both the root port and designated ports on non-root bridge switches, the switches use the following criteria to select the port that is closest to the root bridge:
- The port with the lowest cost to get back to the root bridge becomes the root or designated port. Default IEEE port costs include the following:
  - 10 Mbps = 100
  - 100 Mbps = 19
  - 1 Gbps = 4
  - 10 Gbps = 2
- If two paths have the same cost, the bridge ID of the next switches in each path is compared. The path with the switch with the lowest bridge ID becomes the path back to the root. Remember that the bridge ID is composed of two parts: the priority number assigned to the switch and the MAC address used by the switch. If the priority numbers are the same on both switches, the switch with the lowest MAC address is the path back to the root.
- If the switch has two ports that have the same cost back to the root (for example, if two connections exist to the same switch), the port on the switch with the lowest port ID becomes the designated port. The port ID is derived from two numbers: the port priority and the port number. The port priority ranges from 0-255, with a default of 128. The port number is the number of the port. For example, the port number for Fa0/3 is 3. With the default port priority setting, the lowest port number becomes the designated port.

Spanning Tree Example


By default, spanning tree is enabled on all Cisco switches. When you add switches to the network, spanning tree operates automatically to identify the root bridge and configure each port to prevent loops. In a small environment, you can probably rely on the switches to configure themselves. In a large environment, however, you will need to plan the network so that you can control which switch becomes the root bridge, and so you can identify ports that should be blocking or forwarding.

To identify how spanning tree will configure switches in a network, you will need to know the bridge ID for each bridge (which includes the priority value and the MAC address). If no priority value is included, assume the default priority of 32768. With the bridge ID and MAC addresses, use the following process to identify the state of each port:

1. Identify the root bridge. The root bridge is the switch with the lowest bridge ID. The switch with the lowest priority value is the root bridge. If two or more switches have the same priority value, the switch with the lowest MAC address is the root bridge.
2. On the root bridge, label each port as a designated port.
3. For every other bridge, identify its root port. The root port is the port with the lowest cost back to the root bridge. To identify the cost, add the cost for each segment back to the root bridge. If two paths have the same cost, then look at the bridge ID of the next switch in the path.
4. After labeling each root port, identify a designated port for each segment that does not already have a designated port. The designated port will be the port that connects to the path with the lowest cost back to the root bridge. If two paths have the same cost, compare the bridge ID of the next switch in the path. At this point, each segment should have a designated port identified.
5. For any ports not labeled as a root port or a designated port, indicate that the port is a blocking port.

The following graphic illustrates a switched network with redundant paths. The priority values and MAC addresses for each switch are identified. Numbers on each link are used to identify the link. Each link has the same cost value. Using the steps outlined above:
- Switch A is the root bridge because it has the lowest priority (4096).
- Fa0/1 and Fa0/2 on switch A are designated ports and will be forwarding.
- Root ports on the other switches are as follows:
  - The root port on switch B is Fa0/1.
  - The root port on switch C is Fa0/2. There are two paths back to the root bridge: B to A or D to A. Both paths have the same cost because they involve crossing two segments with equal costs. B to A is preferred because the bridge ID for switch B is lower than that of switch D. The priority values are the same, so the lowest MAC address is used (000E.8411.68C0).
  - The root port on switch D is Fa0/1.
- At this point, designated ports already exist for segments 1 and 2. For the remaining segments:
  - For segment 3, Fa0/3 on switch B is the designated port because the cost from B to A is less than the cost from C to D to A.
  - For segment 4, Fa0/3 on switch D is the designated port for the same reason.
  - For segment 5, Fa0/2 on switch B is the designated port. There are two paths from segment 5 to the root bridge: B to A or D to A. Both paths have the same cost. B to A is preferred because the bridge ID for switch B is lower than that of switch D. The priority values are the same, so the lowest MAC address is used (000E.8411.68C0).
- The following remaining ports are blocking ports:
  - Fa0/1 on switch C.
  - Fa0/2 on switch D.

The following graphic shows each port labeled after spanning tree converges.

Be aware of the effect that configuration changes make in this example:
- If all switches had the same priority value, then switch B would have been the root bridge because its MAC address is the lowest. Changing the root bridge would also change several other port states.
- Changing the priority on switch D to 8192 would have the following effects:
  - The root port on switch C would change to Fa0/1. The path through switch D would be preferred over the path through switch B because of the lower priority number.
  - The designated port for segment 5 would change to Fa0/2 on switch D, while Fa0/2 on switch B would be blocking.
  - Fa0/2 on switch C would change to blocking.
- Assuming the default cost value of 19 for FastEthernet links, changing the cost of segment 1 to 100 would have the following effects:
  - The root port on switch D would be Fa0/2. The total cost of that path would be 38.
  - The designated port for segment 4 would be Fa0/1 on switch C. Port Fa0/3 on switch D would now be blocking.
  - Port Fa0/1 on switch D would be blocking because Fa0/2 would be used to reach the root bridge.
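The following Python reproduces steps 1 to 5 above for the four-switch network in the example, including the bridge ID and port ID tie-breaks, and can be re-run with the priority change discussed. It is an added illustration, not code from the original page: only switch B's MAC address appears in the text, so the other MAC addresses and the segment wiring (taken from the port lists above) are constructed.

```python
"""Compute 802.1D STP roles (root bridge, root/designated/blocking ports) for a
small topology. Added illustration, not code from the original page."""
from __future__ import annotations
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                       # Cisco dotted hex, e.g. "000E.8411.68C0"
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self) -> tuple[int, int]:
        # Bridge ID = priority, then MAC address; the lowest value wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def port_id(port: str, port_priority: int = DEFAULT_PORT_PRIORITY) -> tuple[int, int]:
    # Port ID = port priority, then port number ("Fa0/3" -> 3).
    return (port_priority, int(port.rsplit("/", 1)[-1]))


@dataclass(frozen=True)
class Segment:
    cost: int
    ends: tuple[tuple[str, str], ...]  # (switch name, port name) pairs on the segment


def root_path_costs(segments, root):
    """Dijkstra over segments: cheapest cumulative cost from each switch to the root."""
    adj = {}
    for seg in segments:
        for s, _ in seg.ends:
            adj.setdefault(s, []).extend((t, seg.cost) for t, _ in seg.ends if t != s)
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def stp_roles(switches, segments):
    """Return (root bridge name, {(switch, port): "root"|"designated"|"blocking"})."""
    by_name = {s.name: s for s in switches}
    root = min(switches, key=lambda s: s.bridge_id).name
    dist = root_path_costs(segments, root)
    roles = {}
    # Root port: per non-root switch, the best BPDU it could hear on any port,
    # ranked by (root path cost, sender bridge ID, sender port ID, own port ID).
    for sw in switches:
        if sw.name == root:
            continue
        candidates = []
        for seg in segments:
            for s, p in seg.ends:
                if s != sw.name:
                    continue
                for t, q in seg.ends:
                    if t != sw.name:
                        candidates.append(
                            (dist[t] + seg.cost, by_name[t].bridge_id, port_id(q), port_id(p), p))
        if candidates:
            roles[(sw.name, min(candidates)[-1])] = "root"
    # Designated port: per segment, the attached port with the lowest
    # (root path cost, bridge ID, port ID); a self-looped segment picks the lower port ID.
    for seg in segments:
        best = min(seg.ends, key=lambda e: (dist[e[0]], by_name[e[0]].bridge_id, port_id(e[1])))
        roles[best] = "designated"
    for seg in segments:                 # every remaining port blocks
        for end in seg.ends:
            roles.setdefault(end, "blocking")
    return root, roles


def example_topology(d_priority=DEFAULT_PRIORITY, segment1_cost=19):
    """The four-switch network from the text. Only switch B's MAC address is given
    there; the other MACs are constructed so that B still has the lowest one."""
    switches = [
        Switch("A", "000E.8411.9A00", priority=4096),        # constructed MAC
        Switch("B", "000E.8411.68C0"),                        # MAC from the text
        Switch("C", "000E.8411.7B10"),                        # constructed MAC
        Switch("D", "000E.8411.8C20", priority=d_priority),   # constructed MAC
    ]
    segments = [                                              # segments 1..5 in order
        Segment(segment1_cost, (("A", "Fa0/1"), ("B", "Fa0/1"))),
        Segment(19, (("A", "Fa0/2"), ("D", "Fa0/1"))),
        Segment(19, (("B", "Fa0/3"), ("C", "Fa0/2"))),
        Segment(19, (("C", "Fa0/1"), ("D", "Fa0/3"))),
        Segment(19, (("B", "Fa0/2"), ("D", "Fa0/2"))),
    ]
    return switches, segments
```

Calling `stp_roles(*example_topology())` yields the port labels listed above; `example_topology(d_priority=8192)` reproduces the priority-change case.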

STP Command List


By default, spanning tree is enabled on all Cisco switches, with a single instance of the spanning tree protocol for VLAN1. By default, all switch ports are members of VLAN1, therefore all ports participate in spanning tree by default. Creating an additional VLAN automatically runs another instance of the spanning tree protocol.

Spanning tree configuration consists of the following tasks:
- Modifying the spanning tree mode if a mode other than Per-VLAN Spanning Tree Plus (PVST+) is desired.
- Changing the bridge priority to control which switch becomes the root bridge.
- Designating edge ports (ports with no attached switches).

The following table lists commands you would use to configure spanning tree:

Use...
Switch(config)#spanning-tree mode pvst
Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#spanning-tree mode mst
To... Set the spanning tree mode.

Use... Switch(config)#spanning-tree vlan <1-4094> priority <0-61440>
To... Manually set the bridge priority number. The priority value ranges between 0 and 61,440. Each switch has the default priority of 32,768. Priority values are set in increments of 4096. If you enter another number, your value will be rounded to the closest increment of 4096, or you will be prompted to enter a valid value. The switch with the lowest priority number becomes the root bridge.

Use... Switch(config)#spanning-tree vlan <1-4094> root primary
To... Force the switch to be the root of the spanning tree. The IOS software checks the switch priority of the current root switch for each VLAN. The switch sets the switch priority for the specified VLAN to 24576 (default value) if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority.

Use... Switch(config)#spanning-tree vlan <1-4094> root secondary
To... Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails. The IOS software changes the switch priority from the default value (32768) to 28672. If the root switch should fail, this switch becomes the next root switch (if the other switches in the network use the default switch priority of 32768).

Use... Switch(config-if)#spanning-tree port-priority <0-240>
To... Change the interface's port priority in increments of 16.

Use... Switch(config-if)#spanning-tree vlan <1-4094> port-priority <0-240>
To... Change the interface's port priority in increments of 16 for a specific VLAN. This is for trunk interfaces.

Use... Switch(config)#spanning-tree vlan <1-4094> hello-time <1-10>
To... Configure the time between each BPDU that is sent on a port by the root bridge and forwarded by other designated bridges.

Use... Switch(config)#spanning-tree vlan <1-4094> forward-time <4-30>
To... Configure the time spent in the listening and learning states.

Use... Switch(config)#spanning-tree vlan <1-4094> max-age <6-40>
To... Configure the maximum length of time a bridge port saves its configuration BPDU information.

Use... Switch(config)#no spanning-tree vlan <1-4094>
To... Disable spanning tree on the selected VLAN.

Examples

The following command sets the bridge priority for VLAN 20:
Switch(config)#spanning-tree vlan 20 priority 4096

The following command configures this switch with a bridge priority of 4096 for VLAN 15 if the existing root bridge has a priority of 8092:
Switch(config)#spanning-tree vlan 15 root primary
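The priority arithmetic behind `spanning-tree vlan <n> priority` and `root primary` as the table describes it (the `spanning-tree mst <instance> ...` forms later in the document follow the same rules), written out as an added Python illustration rather than code from the page. It ignores the MAC-address tie-break when deciding whether 24576 is enough to win, and the input values in the comments are constructed.

```python
"""Priority arithmetic for `spanning-tree vlan <n> priority` and `root primary`,
as described in the command table. Added illustration, not the page's code."""

PRIORITY_STEP = 4096          # priorities must be multiples of 4096
PRIORITY_MAX = 61440
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_DEFAULT = 24576  # what `root primary` tries first
ROOT_SECONDARY = 28672        # what `root secondary` always sets


def validate_priority(priority: int) -> int:
    """Reject values the CLI would refuse: out of range or not a multiple of 4096."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be 0..{PRIORITY_MAX} in steps of {PRIORITY_STEP}")
    return priority


def effective_priority(priority: int, vlan: int) -> int:
    """Extended system ID: the VLAN number is added to the configured priority,
    so 4096 shows as 4097 for VLAN 1, 4098 for VLAN 2, and so on."""
    return validate_priority(priority) + vlan


def root_primary_priority(current_root_priority: int) -> int:
    """Priority `root primary` chooses, given the current root's configured priority:
    24576 when that alone wins (current root above 24576), otherwise 4096 below
    the current root. Assumption: a root already at 0 cannot be undercut.
    Example: current root at 8192 (constructed value) -> 4096."""
    validate_priority(current_root_priority)
    if current_root_priority > ROOT_PRIMARY_DEFAULT:
        return ROOT_PRIMARY_DEFAULT
    chosen = current_root_priority - PRIORITY_STEP
    if chosen < 0:
        raise ValueError("current root already uses priority 0")
    return chosen
```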

Spanning Tree Protocols


As you study this section, answer the following questions:
1. What are the differences between PVST and PVST+?
2. What are the three STP modes available on Cisco Catalyst switches?
3. Which Rapid PVST+ port states are different than PVST+ port states and why?
4. What is the difference between a Rapid PVST+ alternate port and a backup port?
5. What is an MSTP region?

After finishing this section, you should be able to complete the following tasks:
- Given a scenario, configure Rapid PVST+ on assigned switches.
- Given a scenario, configure MST on multiple switches with the minimum amount of MST instances.

This section covers the following exam objectives:
201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP, PVRST, MISTP).
202. Configure RSTP (PVRST) and MISTP.

Common Spanning Tree (CST) Facts


Common Spanning-Tree (CST) has one spanning-tree instance for the entire bridged network (regardless of the number of VLANs). CST details include the following:
- No load balancing is possible between switches in the network
- Switch CPU usage is low, because only one instance needs computation
- It can be used when only one Layer 2 topology is needed in the network

Per-VLAN Spanning Tree (PVST) Facts


Per-VLAN Spanning Tree Protocol (PVST) is a spanning-tree mode based on the 802.1d standard, but includes Cisco proprietary extensions. Per-VLAN Spanning Tree Plus (PVST+) provides the same functionality as PVST except that PVST+ uses 802.1Q trunking technology and is interoperable with CST and PVST. PVST+ characteristics include the following:
- Layer 2 load balancing for the VLAN on which it runs
- Each instance of PVST+ on a VLAN has a single root bridge
- Each active VLAN has its own instance of PVST+
- A short aging time for learned MAC address entries
- PVST+ is not supported on non-Cisco devices
- PVST+ is the default spanning-tree mode used on all Ethernet port-based VLANs

Rapid Spanning Tree (RSTP) Facts


Rapid Spanning Tree Protocol (RSTP) is based on the 802.1w standard and provides faster spanning tree convergence after a topology change. RSTP uses the following port states:

RSTP port state: Discarding
Equivalent STP port states: Disabled, Blocking, Listening
Description: A port in discarding state:
- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn MAC addresses
- Listens for BPDUs

RSTP port state: Learning
Equivalent STP port state: Learning
Description: A port in the learning state:
- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Learns MAC addresses
- Listens for BPDUs

RSTP port state: Forwarding
Equivalent STP port state: Forwarding
Description: A port in the forwarding state:
- Receives and forwards frames received on the interface
- Forwards frames switched from another interface
- Learns MAC addresses
- Listens for BPDUs

RSTP uses bridge and port roles similarly to STP:
- There is a single root bridge.
- Each segment has a single designated bridge. The port on the designated bridge is identified as the designated port. All ports on the root bridge are designated ports.
- Each designated bridge has a single port identified as the root port. The root port is the best path back to the root bridge. The root bridge is the only bridge that does not have a root port.
- Instead of having blocking ports, RSTP splits this role into two roles:
  - An alternate port is the switch's best alternative to its current root port. An alternate port can be used to replace the root port if the root port fails.
  - A backup port is the switch's alternative port connected to the same network segment as the designated port. A backup port provides an alternate path to the same segment, but not an alternate path back to the root bridge.
  Both port roles are in the blocking state.

In addition to the port roles, RSTP uses the port type to determine whether to use advanced features that provide rapid convergence. These port types are:

Port type: Point-to-point
Description: A point-to-point link is a port that connects only to another switch. The presence of full-duplex communication indicates a point-to-point link. Because the link has only a single connected switch, it can take advantage of RSTP improvements that help it recover quickly.

Port type: Shared
Description: A shared link is a link with more than a single attached device. The presence of half-duplex communication indicates a shared link. Ports connected to shared links cannot use RSTP improvements.

Port type: Edge
Description: An edge port is a port that is not connected to another switch. Because the edge port does not have a switch, the possibility of a loop is eliminated. Edge ports can be put into the forwarding state immediately. If the port receives a BPDU, it treats the port as a point-to-point or shared link.

Be aware of the following details:
- When any RSTP port receives a legacy 802.1d BPDU, it falls back to legacy STP and the inherent fast convergence benefits of 802.1w are lost.
- The rapid convergence features of RSTP combined with PVST+ form Rapid PVST+. Rapid PVST+ is one of the three STP modes available on Cisco switches.

Multiple STP (MSTP) Facts


Multiple STP (MSTP) is an IEEE standard (802.1s) which allows several VLANs to be mapped to a reduced number of spanning-tree instances. MSTP characteristics include the following:
- Supports a large number of VLANs mapped to spanning-tree MSTP instances
- CPU usage is low regardless of the number of VLANs, because only the instances (not each VLAN) need computation
- Layer 2 load balancing for the instances

An MSTP region is a group of interconnected bridges that have the same MSTP configuration. The configuration includes the name of the region, the revision number, and the MSTP VLAN-to-instance assignment map. There is no limit on the number of MSTP regions in the network. If you connect two MSTP regions with different MSTP configurations, the MSTP regions do the following:
- Load balance across redundant paths in the network. If two MSTP regions are redundantly connected, all traffic flows on a single connection between the MSTP regions in a network.
- Provide an RSTP handshake to enable rapid connectivity between regions. However, the handshaking is not as fast as between two bridges. To prevent loops, all the bridges inside the region must agree upon the connections to other regions. This situation introduces a delay.

Be aware of the following MSTP details:
- The switch supports up to 65 MSTP instances. Instances can be identified by any number in the range from 0 to 4094.
- A VLAN can be assigned to only one spanning tree instance at a time.
- MSTP instances are significant to the local region only, and are independent of other MSTP regions.
- Instance 0, the Internal Spanning-Tree (IST), is reserved for interacting with other Spanning-Tree Protocols and other MSTP regions. An IST instance is capable of representing the entire MSTP region to external networks.
- When the switch is in the MSTP mode, the Rapid Spanning Tree Protocol (RSTP) is automatically enabled.

RSTP and MSTP Command List


The following table lists commands you would use to configure RSTP (RPVST+) and MST:

Use... Switch(config)#spanning-tree mode rapid-pvst
To... Set the spanning tree mode to Rapid PVST+.

Use... Switch(config)#spanning-tree mode mst
To... Set the spanning tree mode to Multiple Spanning Tree (MSTP).

Use... Switch(config)#spanning-tree vlan <1-4094> priority <0-61440>
To... Manually set the bridge priority number in Rapid PVST+.

Use... Switch(config)#spanning-tree vlan <1-4094> root primary
To... Force the switch to be the root of the spanning tree in Rapid PVST+.

Use... Switch(config)#spanning-tree vlan <1-4094> root secondary
To... Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails in Rapid PVST+.

Use... Switch(config)#spanning-tree mst configuration
To... Enter MSTP configuration mode.

Use... Switch(config-mst)#name <WORD>
To... Set the configuration name for the region. All switches must share the same MSTP name to participate in the same MSTP instances.

Use... Switch(config-mst)#revision <number>
To... Set the configuration revision number for the region. Note: The revision number is not automatically incremented when a new configuration is committed.

Use...
Switch(config-mst)#instance <0-4094> vlan <vlan id>
Switch(config-mst)#instance <0-4094> vlan <vlan id>,<vlan id>
Switch(config-mst)#instance <0-4094> vlan <vlan id>-<vlan id>
To... Map VLANs to an MSTP instance.

Use... Switch(config)#spanning-tree mst <instance id> priority <0-61440>
To... Manually set the bridge priority number in MSTP.

Use... Switch(config)#spanning-tree mst <instance id> root primary
To... Force the switch to be the root of the spanning tree in MSTP.

Use... Switch(config)#spanning-tree mst <instance id> root secondary
To... Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails in MSTP.

Use... Switch(config)#no spanning-tree mst configuration
To... Return to the default MSTP region configuration.

Examples

The following commands enable Rapid PVST+ for the switch and set the bridge priority to a lower value than the default:
Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#spanning-tree vlan 1 priority 4096

The following commands create the Sales MSTP region, map VLANs 2, 5, and 10 to instance 3, map VLANs 6, 7, and 8 to instance 4, and provide a revision number of 1 to the region:
Switch(config)#spanning-tree mode mst
Switch(config)#spanning-tree mst configuration
Switch(config-mst)#name Sales
Switch(config-mst)#revision 1
Switch(config-mst)#instance 3 vlan 2,5,10
Switch(config-mst)#instance 4 vlan 6,7,8

Optional STP Features and UDLD

As you study this section, answer the following questions:
1. Which optional STP feature helps to prevent loops on a port where Port Fast is enabled?
2. What will be the response if a switch receives a BPDU after being globally enabled with BPDU guard?
3. What is the difference between globally-enabled BPDU filtering and per-port-enabled BPDU filtering?
4. Which optional STP feature provides an alternate path back to the root bridge if the root port or link goes down?
5. How does BackboneFast detect failures on indirect links or connections?
6. What happens when a switch sends a superior BPDU to a root guard enabled interface?
7. Which UDLD mode will make up to eight attempts before changing the port state to the err-disabled state?

After finishing this section, you should be able to complete the following tasks:
- Given a scenario, configure Port Fast on access ports.
- Given a scenario, configure a switch to use Port Fast BPDU filtering.
- Secure the STP topology by configuring FastEthernet ports with Root Guard.
- Protect a spanning tree topology with Loop Guard.
- Within a hierarchical network, configure UplinkFast.
- Within a hierarchical network, configure BackboneFast.

This section covers the following exam objectives:
203. Describe and configure STP security mechanisms (i.e., BPDU Guard, BPDU Filtering, Root Guard).
204. Configure and Verify UDLD and Loop Guard.


Optional STP Feature Facts

The biggest disadvantage of STP is that it is slow to respond to topology changes. With a link failure, convergence could take up to 30 seconds. By optimizing switch settings, this delay could be reduced to about 14 seconds, but even this was too long. To improve convergence (to about 1 second) and fine tune STP, Cisco introduced the following proprietary features:

Feature: Port Fast
Description: Port Fast forces access or trunk ports to immediately transition to the spanning tree forwarding state. When ports do not have a switch or hub attached, bridging loops on that port are eliminated and therefore do not need to enter the spanning tree listening and learning states. Port Fast is globally enabled on the switch or per-interface.
Note: Port Fast affects all VLANs on an interface.

Feature: BPDU guard
Description: BPDU guard disables (moves to the err-disable state) an interface when a BPDU is received on the interface. The BPDU guard feature should be configured in a service-provider network to prevent an access port from participating in the spanning tree. BPDU guard is globally enabled on the switch or per-interface:
- If globally enabled, the switch configures each Port Fast-configured interface to shut down if a BPDU is received. This is because Port Fast-configured interfaces are meant for workstations and servers, devices which do not generate BPDUs.
- If enabled on an interface, the interface is also configured to shut down if a BPDU is received. The difference is that the interface does not need to be Port Fast-enabled.
Note: You must manually re-enable the port that is put into err-disable state or configure errdisable-timeout.

Feature: BPDU filtering
Description: BPDU filtering keeps switches from sending and receiving BPDUs on interfaces. This keeps the workstation or server connected to the interface from receiving unnecessary traffic. BPDU filtering is globally enabled on the switch or per-interface:
- If globally enabled, the switch configures each Port Fast-configured interface to return to normal STP operation if the port receives a BPDU. It immediately loses its Port Fast-enabled status, and disables BPDU filtering.
- If enabled on a per-port basis, the switch drops all BPDUs it receives, and does not send BPDUs.
Note: Enabling BPDU filtering on an interface is the same as disabling spanning tree on the interface and may result in bridging loops.

Feature: UplinkFast
Description: UplinkFast enables a switch to maintain an alternate path back to the root bridge. If the root port or link goes down, the alternate port can be used to quickly re-establish communication with the root bridge. The alternate port transitions to the forwarding state immediately without going through the listening and learning states. Be aware of the following details:
- An uplink group is a set of Layer 2 interfaces (per VLAN), only one of which is forwarding at any given time. An uplink group consists of the root port (which is forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.
Note: UplinkFast is useful in network access layer switches with a limited number of active VLANs. UplinkFast should not be enabled on backbone or distribution layer switches.

Feature: BackboneFast
Description: BackboneFast detects failures on indirect links or connections in the core (or backbone) layer of a hierarchical network. Be aware of the following details:
- BackboneFast reduces the default convergence time in situations where the root port is lost and the backup link leads through a different switch.
- BackboneFast is a complementary feature to UplinkFast.
- When a switch receives an inferior BPDU from the designated port of another switch other than the root bridge, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
  - If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
  - If the inferior BPDU arrives on the root port, all blocked interfaces become alternate paths to the root switch.
  - If the inferior BPDU arrives on the root port and there are no blocked interfaces, the switch assumes that it has lost connectivity to the root switch, causes the maximum aging time on the root port to expire, and becomes the root switch according to normal spanning-tree rules.

Feature: Root guard
Description: Root guard secures the STP topology by forcing an interface to become a designated port to prevent surrounding switches from becoming a root switch during network anomalies (such as adding a new switch to the topology). Be aware of the following details:
- If a switch sends superior BPDUs to an interface with root guard enabled, the interface is blocked (i.e., changed to a root-inconsistent state). Recovery occurs as soon as the offending device ceases to send superior BPDUs.
- The configuration of root guard is on a per-interface basis.
- If the switch is operating multiple STP (MSTP), root guard forces the interface to be a designated port. Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be grouped and mapped to an MSTP instance.
- Do not enable root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are prevented from reaching the forwarding state.
- The current design recommendation is to enable Root Guard on all access ports so that a root bridge is not established through these ports.

Feature: Loop guard
Description: Loop guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. A port in blocking state relies on the continuous reception of BPDUs from the root bridge. If the BPDUs are not received according to STP timers, STP considers the topology loop-free and will transition the port through the listening, learning, and forwarding states. If a non-designated port stops receiving BPDUs when loop guard is enabled, STP places the port into the loop-inconsistent state instead of moving through the listening, learning, and forwarding states. Be aware of the following details:
- Loop guard is most effective when it is configured on the entire switched network.
- When you enable loop guard globally, the switch enables loop guard only on ports operating in full-duplex.
- When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
Both loop guard and root guard cannot be enabled on the same interface at the same time. UDLD Facts Unidirectional Link Detection (UDLD) is a Layer 2 protocol which detects and may disable ports when traffic transmitted by the local device over a link is received by the neighbor but traffic transmitted from the neighbor is not received by the local device. This situation typically 16

arises in the case of a faulty Gigabit Interface Converter (GBIC) or interface, software malfunction, hardware failure, or other anomalous behavior. UDLD works with the Layer 1 mechanisms to learn the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. UDLD supports two modes of operation: Mode Normal Description In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. The Layer 1 mechanisms do not detect this misconnection. While operating in normal mode: If Layer 1 mechanism remains up with unidirectional link conditions, an error message is displayed and the port state changes to the errdisabled state. If one side of a link has a port stuck (both TX and RX), UDLD does not take any action, and the logical link is considered undetermined. If one of the link remains up while the other side of the link has gone down, UDLD does not take any action, and the logical link is considered undetermined. Aggressive In aggressive mode, UDLD can also detect and disable unidirectional links due to one or both of the following: One-way traffic on fiber-optic and twisted-pair links. One-way traffic may occur when: One of the ports cannot send or receive traffic One of the ports is down while the other is up One of the fiber strands is disconnected Misconnected ports on fiber-optic links While operating in aggressive mode, UDLD tries to re-establish the unidirectional connection for all issues listed above. If the connection fails after eight attempts, an error message is displayed and the port state changes to the err-disabled state.

The following table shows common commands to configure UDLD.

Use... / To...
switch(config)#udld enable
    Configure the global UDLD setting on the switch to normal mode.
switch(config)#udld aggressive
    Configure the global UDLD setting on the switch to aggressive mode.
switch(config-if)#udld port
    Enable normal mode UDLD on the interface. This command does not appear in the CLI unless a GBIC is installed in the port you are trying to enable. An individual interface configuration overrides the setting of the udld enable global configuration command.
switch(config-if)#udld port aggressive
    Enable aggressive mode UDLD on the interface.
switch(config)#errdisable recovery cause udld
    Enable the timer to automatically recover from the UDLD error-disabled state.
switch(config)#errdisable recovery interval <value>
    Specify the time to recover from the UDLD error-disabled state.
switch#udld reset
    Reset all the ports that are shut down by UDLD and permit traffic to begin passing through them again.
switch#show udld
    Display the UDLD status for the specified port or for all ports.

Be aware of the following:
- When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.
- Globally enabling UDLD on the switch only affects fiber-optic ports. For twisted-pair ports, UDLD must be configured on the interface.

Optional STP Feature Command List
The following table shows common commands to configure advanced STP features.

Use... / To...
switch(config-if)#spanning-tree portfast
    Configure the Port Fast feature on a specific interface. Note: This command is for an edge-type interface. If configured on an interface which is not connected to an end workstation or server, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
switch(config-if)#spanning-tree portfast trunk
    Enable the Port Fast feature on the interface even in trunk mode.
switch(config-if)#spanning-tree portfast disable
    Disable the Port Fast feature on the interface.
switch(config-if)#spanning-tree bpdufilter enable
switch(config-if)#spanning-tree bpdufilter disable
    Enable or disable BPDU filtering on the specified interface. Note: By default, BPDU filtering is disabled on the interface. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in bridging loops.
switch(config-if)#spanning-tree bpduguard enable
switch(config-if)#spanning-tree bpduguard disable
    Enable or disable BPDU guard on the specified interface. Enabling BPDU guard will put an interface in the error-disabled state when it receives a bridge protocol data unit (BPDU).
switch(config)#spanning-tree portfast default
    Configure the Port Fast feature on all non-trunking interfaces (i.e. access ports). The Port Fast feature will immediately transition the interface to the spanning tree forwarding state. Note: Configuring Port Fast on interfaces connected to hubs, concentrators, switches, and bridges can cause temporary bridging loops.
switch(config)#spanning-tree portfast bpdufilter default
    Configure the BPDU filter on all Port Fast-enabled interfaces by default. This will prevent the switch interface from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast operational status and BPDU filtering is disabled.
switch(config)#spanning-tree portfast bpduguard default
    Configure BPDU guard on all Port Fast-enabled interfaces on the switch. This will place the interfaces that receive BPDUs in an error-disabled state.
switch(config)#spanning-tree uplinkfast
    Configure the UplinkFast feature on an access layer switch. Note: When you configure rapid PVST+, disable UplinkFast. Similar functionality is built into rapid spanning tree (RSTP).
switch(config)#spanning-tree backbonefast
    Configure the BackboneFast feature on a switch. If you use BackboneFast, you must enable it on all switches in the network.
switch(config-if)#spanning-tree guard root
    Configure the Root Guard feature on the interface.
switch(config)#spanning-tree loopguard default
    Configure the Loop Guard feature on the switch. Do not enable loop guard:
    - On Port Fast-enabled or dynamic VLAN ports
    - If root guard is enabled
    - On ports that are connected to a shared link
switch(config-if)#spanning-tree guard loop
    Configure the Loop Guard feature on the interface.
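The three guard behaviours just listed (BPDU guard on a Port Fast port, root guard on a superior BPDU, loop guard when BPDUs stop) as a small port-state model, added here as an example and not code from the study guide. Bridge IDs, port names, the hello-count threshold and the role/state strings are constructed for illustration.

```python
"""Model of BPDU guard, root guard and loop guard port decisions.
Added example, not from the study guide; all names and values are
hypothetical. A BPDU is 'superior' when its root bridge ID sorts lower
(lower priority, then lower MAC) than the root the port already knows."""
from dataclasses import dataclass
from typing import Optional


@dataclass(order=True)
class BridgeID:
    priority: int          # bridge priority, lower wins
    mac: str               # tie-breaker, lower MAC wins


@dataclass
class BPDU:
    root_id: BridgeID      # bridge the sender believes is root
    sender_id: BridgeID


@dataclass
class Port:
    name: str
    role: str                          # root, designated, alternate or edge
    state: str = "forwarding"
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    loopguard: bool = False
    known_root: Optional[BridgeID] = None
    missed_hellos: int = 0


# Default timers: max age 20 s at a 2 s hello means 10 missed hellos
# before a blocked port would assume the topology is loop-free.
MAX_AGE_HELLOS = 10


def receive_bpdu(port: Port, bpdu: BPDU) -> str:
    """Apply the guard features to an incoming BPDU; returns the outcome."""
    port.missed_hellos = 0
    # BPDU guard: a Port Fast (edge) port must never see a BPDU. The port is
    # err-disabled rather than allowed to join the spanning tree.
    if port.bpduguard and port.portfast:
        port.state = "err-disabled"
        return "bpduguard: err-disabled"
    # Root guard: a superior BPDU would move the root bridge behind this
    # port, so the port is blocked (root-inconsistent) instead.
    superior = port.known_root is not None and bpdu.root_id < port.known_root
    if port.rootguard and superior:
        port.state = "root-inconsistent"
        return "rootguard: root-inconsistent"
    # Recovery: a BPDU that is not superior means the offending device has
    # stopped, so the port returns to the state its role implies.
    if port.state == "root-inconsistent":
        port.state = "forwarding" if port.role in ("root", "designated") else "blocking"
    # Loop guard recovery: BPDUs are flowing again on the blocked port.
    if port.state == "loop-inconsistent":
        port.state = "blocking"
    if port.known_root is None or superior:
        port.known_root = bpdu.root_id
    return "accepted"


def hello_timer_expired(port: Port) -> str:
    """Called once per hello interval in which no BPDU arrived on the port."""
    port.missed_hellos += 1
    if port.missed_hellos < MAX_AGE_HELLOS:
        return "waiting"
    # Loop guard: a non-designated port that stops hearing BPDUs is held in
    # loop-inconsistent instead of walking towards forwarding.
    if port.loopguard and port.role in ("root", "alternate"):
        port.state = "loop-inconsistent"
        return "loopguard: loop-inconsistent"
    # Without loop guard, STP assumes the topology is now loop-free and the
    # blocked port starts the listening/learning/forwarding walk, which is
    # exactly how a unidirectional link turns into a bridging loop.
    if port.role == "alternate":
        port.role = "designated"
        port.state = "listening"
        return "transition to listening"
    return "no change"
```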

Examples
The following commands set the bridge priority for a VLAN, enable Port Fast on two ports, and globally enable BPDU guard:

Switch(config)#int fa0/12
Switch(config-if)#spanning-tree portfast
Switch(config-if)#int fa0/13
Switch(config-if)#spanning-tree portfast
Switch(config-if)#exit
Switch(config)#spanning-tree portfast bpduguard default

Verifying STP Configurations
As you study this section, answer the following questions:
- Which command displays whether Loop Guard, UplinkFast, BPDU Filter, and BPDU Guard are enabled?
- How can you verify that spanning tree is working?
- How can you determine the root bridge within an STP topology?
- Where can you discover the root bridge's priority and MAC address?

After finishing this section, you should be able to complete the following tasks:
- Given a scenario, verify STP information.
- Given a scenario, troubleshoot an STP topology.

This section covers the following exam objectives:
- 205. Verify or troubleshoot Spanning Tree protocol operations.

STP Show Command List
The following table shows common commands to display STP configurations:

Use... / To...
switch#show spanning-tree
    Show spanning tree configuration information including the following:
    - Root bridge priority and MAC address
    - The cost to the root bridge
    - Local switch bridge ID and MAC address
    - The role and status of all local interfaces
    - The priority and number for each interface
    To verify that spanning tree is working, look for an entry similar to the following for each VLAN:
    Spanning tree enabled protocol ieee
switch#show spanning-tree active
    Display STP information regarding active interfaces for all VLANs.
switch#show spanning-tree detail
    Display detailed STP information for all VLANs configured on a switch.
switch#show spanning-tree interface <type> <number>
switch#show spanning-tree interface <type> <number> detail
    Display general and detailed STP information regarding the specified interface.
switch#show spanning-tree summary
    Display STP summary information for each VLAN configured on a switch.
switch#show spanning-tree vlan <1-4094>
    Show summary STP information for the specified VLAN.
switch#show spanning-tree vlan <1-4094> root
    Show information about the root bridge for a specific VLAN. Information shown includes:
    - The root bridge ID, including the priority number and the MAC address
    - The cost to the root bridge from the local switch
    - The local port that is the root port
Switch#show spanning-tree vlan <1-4094> bridge
    Show spanning tree configuration information about the local switch for the specified VLAN. Information includes the local bridge ID, including the priority and MAC address.
switch#show spanning-tree backbonefast
    Display the STP BackboneFast status and statistics.
switch#show spanning-tree uplinkfast
    Display the STP UplinkFast status and statistics.

***VLANs
As you study this section, answer the following questions:
6. What are the administrative advantages of creating VLANs?
7. Why are end-to-end VLANs more difficult to troubleshoot than local VLANs?
8. What is the difference between a static VLAN and a dynamic VLAN?
9. What two configuration steps must you take to manage a Layer 2 switch from a remote network?

After finishing this section, you should be able to complete the following tasks:
- Display the current VLAN configuration.
- Execute common VLAN configuration commands.
- Given a scenario, create a VLAN and assign port membership as assigned.
- Given a scenario, configure management VLAN settings.

This section covers the following exam objectives:
- 101. Explain the functions of VLANs in a hierarchical network.
- 102. Configure VLANs (e.g., Native, Default, Static and Access).

VLAN Facts
A virtual LAN (VLAN) can be defined as:
- Broadcast domains defined by switch port rather than network address
- A grouping of devices based on service need, protocol, or other criteria rather than physical proximity

Using VLANs lets you assign devices on different switch ports to different logical (or virtual) LANs. The following graphic shows a single-switch VLAN configuration. Be aware of the following facts about VLANs:
- In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet ports 0/3 and 0/4 are members of VLAN 2.
- In the graphic above, workstations in VLAN 1 will not be able to communicate with workstations in VLAN 2, even though they are connected to the same physical switch.
- Defining VLANs creates additional broadcast domains. The above example has two broadcast domains, each of which corresponds to one of the VLANs.
- By default, switches come configured with several default VLANs: VLAN 1, VLAN 1002, VLAN 1003, VLAN 1004, VLAN 1005.
- On Cisco switches, the default VLAN configuration on a single port is VLAN 1. If no configuration changes are made on the switch, all ports have VLAN 1 as their native VLAN.

Creating VLANs with switches offers the following administrative benefits:
- You can isolate network failures to a particular subnet (within a single VLAN)
- You can simplify device moves (devices are moved to new VLANs by modifying the port assignment)
- You can control broadcast traffic and create collision domains based on logical criteria
- You can control security (isolate traffic within a VLAN)
- You can load-balance network traffic (divide traffic logically rather than physically)

When designing VLANs in a hierarchical network, consider the following design concepts:

End-to-End VLANs
End-to-end VLANs are VLANs that span throughout the entire network. End-to-End VLANs:
- Are associated with a workgroup, such as a department or team
- May span several wiring closets or even several buildings
- Are difficult to troubleshoot because they span through the entire switched network

Local VLANs
Local VLANs are VLANs that are local to a specific domain, such as the building access submodule. Local VLANs (data and voice):
- Are limited to a single access switch within a wiring closet (the single switch should be configured with a limited number of VLANs)
- Should not be extended beyond the building distribution submodule
- Result in user traffic crossing a Layer 3 device to reach network resources
- Are easier to troubleshoot because they isolate traffic to a particular network segment
Note: When designing the VLAN configuration in a hierarchical network, the local VLAN concept is recommended.

VLANs are created through one of the following:

Static
Static VLANs are manually configured on the switch's physical interface using the command line. Static VLANs work well when network additions, changes, and moves are rare. Note: By default, all ports are static-access ports assigned to VLAN 1.

Dynamic
Dynamic VLANs are created through a VLAN Management Policy Server (VMPS). The VMPS has a database of MAC addresses mapped to specific VLANs. When an incoming frame is first received on a port, the VMPS views the MAC address, compares it to the database, and assigns the port to a particular VLAN. Be aware of the following dynamic VLAN details:
- The VMPS database should be created by the network engineer and then uploaded to the switch.
- A dynamic port can only belong to one VLAN at a time.
- Multiple hosts may be active on a dynamic port only if they all belong to the same VLAN.
Note: Only some Cisco Catalyst switches support VMPS and dynamic VLANs.

VLAN Command List


To configure a simple VLAN, first create the VLAN, and then assign ports to that VLAN. The following table shows common VLAN configuration commands.

Use... / To...
switch(config)#vlan <1-4094>
switch(config-vlan)#name WORD
    Define a VLAN. Giving the VLAN a name is optional. VLAN names must be unique.
switch(config)#no vlan <1-4094>
    Delete a VLAN. When you delete a VLAN, all ports assigned to the VLAN remain associated with the deleted VLAN, and are therefore inactive. You must reassign the ports to the appropriate VLAN.
switch(config-if)#switchport access vlan <1-4094>
    Assign ports to the VLAN. Note: If you assign a port to a VLAN that does not exist, the VLAN will be created automatically.
switch(config-if)#switchport mode access
    Specify the interface as an unconditional access port.
switch#show vlan
switch#show vlan brief
    Show a list of VLANs on the system.
switch#show vlan id <1-4094>
    Show information for a specific VLAN.

Example
The following commands create VLAN 12 named IS_VLAN, identify port 0/12 as having only workstations attached to it, and assign the port to VLAN 12.

switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport access vlan 12

Management VLAN Configuration Facts


To manage the Layer 2 switch from a remote network, you will need to give VLAN 1 (the default management VLAN) an IP address, as well as configure the default gateway on the switch. Keep in mind the following facts about IP addresses configured on switches:
- Basic switches operate at Layer 2, and therefore do not need an IP address to function. In fact, a switch performs switching functions just fine without an IP address set. You only need to configure a switch IP address if you want to manage the switch from a Telnet or Web session.
- A Layer 2 switch itself has only a single (active) IP address. Each switch port does not have an IP address (unless the switch is performing Layer 3 switching).
- The IP address identifies the switch as a host on the network but is not required for switching functions.
- To configure the switch IP address, you set the address on the VLAN 1 interface. This is a logical interface defined on the switch to allow management functions.

Use the following commands to configure the switch IP address:

switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 1.1.1.1 255.255.255.0
switch(config-if)#no shutdown

To enable management from a remote network, you will also need to configure the default gateway. Use the following command in global configuration mode:

switch(config)#ip default-gateway 1.1.1.254

Note: You can use the ip address dhcp command to configure a switch to get its IP address from a DHCP server. The DHCP server can be configured to deliver the default gateway and DNS server addresses to the Cisco device as well. The manually-configured default gateway address overrides any address received from DHCP.

VLAN Trunking Protocol (VTP)


As you study this section, answer the following questions:
10. What two conditions on switches will not allow you to modify the VLAN configuration?
11. What is the easiest way to recover from losing the only VTP server?
12. Which type of VTP message is the most frequently sent by switches?
13. What happens when you add a switch to the network with a higher revision number to your VTP configuration?
14. How do you remove a VTP domain name?

After finishing this section, you should be able to complete the following tasks:
- Configure the VTP mode, domain, and password.
- Confirm the VTP status of a switch.

This section covers the following exam objectives:
- 104. Explain and configure VTP.

VTP Facts

The VLAN Trunking Protocol (VTP) simplifies VLAN configuration on a multi-switch network by propagating configuration changes to other switches. With VTP, switches are placed in one of the following three configuration modes.

Server
A switch in server mode is used to modify the VLAN configuration. On a server:
- Changes can be made to the VLAN configuration on the switch.
- The switch advertises VTP information to other switches in the domain.
- The switch updates its VLAN configuration from other switches in the domain.
- The switch saves the VLAN configuration in NVRAM.

Client
A switch in client mode receives changes from a VTP server and passes VTP information to other switches. On a client:
- Changes cannot be made to the VLAN configuration.
- The switch advertises VTP information to other switches in the domain.
- The switch updates its VLAN configuration from other switches in the domain.
- The switch does not save the VLAN configuration in NVRAM.

Transparent
A switch in transparent mode allows for local configuration of VLANs, but does not update its configuration based on the configuration of other switches. On a transparent switch:
- Changes can be made to the VLAN configuration on the switch.
- Local VLAN information is not advertised to other switches.
- VTP information received from other switches is passed through the switch. Note: The transparent switch only relays VTP information if it is in the same VTP domain or if it has a null (blank) VTP domain.
- The switch does not update its VLAN configuration from other switches in the domain.
- The switch saves its VLAN configuration in NVRAM.

VTP message types include the following:

Summary
Summary advertisements inform adjacent switches of the current VTP domain name and the configuration revision number. By default, Catalyst switches send summary advertisements every five minutes.

Subset
Subset advertisements are sent after a VLAN has been added, deleted, or changed on a switch in server mode. One or several subset advertisements follow the summary advertisement. A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement can be required in order to advertise all the VLANs.

Advertisement Request
Advertisement requests are sent by switches configured as clients. A switch sends a VTP advertisement request in these situations:
- The switch has been reset.
- The VTP domain name has been changed.
- The switch has received a VTP summary advertisement with a higher configuration revision than its own.
Upon receipt of an advertisement request, a VTP device sends a summary advertisement. One or more subset advertisements follow the summary advertisement.

Keep in mind the following facts about VTP:
- By default, switches are preconfigured in server mode. If you do not intend to use VTP, configure each switch to use transparent mode.
- A VTP domain is one or several switches that share the same VTP environment. Catalyst switches only support a single VTP domain per switch.
- You can have multiple VTP servers in the same domain on the network. Changes made to any server are propagated to other client and server switches.
- To make VLAN changes on a switch, the switch must be in either server or transparent mode. You cannot modify the VLAN configuration if:
  - The switch is in client mode
  - The switch is in server mode without a configured domain name
- VTP uses the following process for communicating updates:
  - VTP summary advertisement packets contain the domain name, an MD5 hash of the password, and the revision number.
  - When a switch receives a summary packet, it compares the domain name and password in the packet with its own values. If the domain name and password do not match, the packet is dropped.
  - If the domain name and password match, the switch compares the revision number in the packet. If the revision number in the packet is lower or equal, the packet is ignored. If it is higher, the switch sends an advertisement request for the latest updates. When the updates are received, the VLAN configuration and the revision number are updated.
- If you lose your only VTP server, the easiest way to recover is to change one of the VTP clients to server mode. VLAN information and revision numbers remain the same.
- Switches must meet the following conditions before VTP information can be exchanged:
  - The switches must be connected by a trunk link (VTP is not used on access ports).
  - Switches must be in the same domain. Switches in different domains do not share or forward VTP information. Transparent switches must be in the same domain or have a null domain name to pass VTP information to other switches.
  - Passwords on each device must match. The password is included in each VTP advertisement. The receiving switch compares the password in the advertisement with its configured password. It will only accept the information in the packet if the passwords match. The password provides a method of authenticating that the packet contents came from a trusted source.
- Connecting two switches with different VTP domains works only if you manually turn trunking on. VTP information is carried in DTP packets, so only switches in the same domain can use DTP for automatic trunking configuration. However, when two switches with different domains are connected, VTP information will not be passed between the switches.
- When you change the VLAN configuration on a server, the revision number is incremented. The revision number on a transparent switch remains at 0, even when changes are made to the VLAN configuration.
- All devices in the domain must use the same VTP version. By default, VTP version 2 is disabled. Only enable VTP version 2 if all devices support version 2.
- VTP pruning is a feature that eliminates or prunes unnecessary broadcast traffic. For instance, VTP pruning will only forward broadcast messages to switches which have ports assigned to a particular VLAN ID.

VTP Configuration Facts


The following table lists common VTP commands.

Use... / To...
Switch(config)#vtp mode server
Switch(config)#vtp mode client
Switch(config)#vtp mode transparent
    Configure the VTP mode of the switch. Note: The default mode is server.
Switch(config)#vtp domain WORD
    Configure the VTP domain of the switch. The default domain name is <null> (blank). All switches must be configured with the same domain name. A new VTP client switch (with a blank domain name) will automatically set its domain name based on the first VTP advertisement it receives. A switch in transparent mode will not automatically set its domain name.
Switch(config)#vtp password WORD
    Configure the VTP password of the switch. When a password is used, all switches in the same domain must use the same password. You must manually configure the VTP password on each switch.
Switch(config)#vtp pruning
    Reduce broadcast traffic by forwarding the messages only through switch trunks which belong to a particular VLAN ID. Note: Enabling or disabling VTP pruning on a server enables or disables it on all devices in the domain.
Switch#show vtp status
    View the current VTP configuration of the switch.
Switch#show vtp password
    View the current VTP password of the switch.

Be aware of the following when troubleshooting the VTP configuration:
- If you add a switch to the network with a higher revision number, the VLAN configuration on that switch will update (modify) the existing VLAN configuration on all other switches in the domain. This is true even if the switch you add is a client. Client switches pass their configuration information on to other switches. This information can be used to update server or client switches with lower revision numbers.
- If you add a switch to the network with a lower revision number, the switch's configuration will be modified to match the configuration currently used on the network. This is true even if the switch you add is a server.
- To prevent disruptions to the existing configuration when adding new switches, reset the revision number on all new switches before adding them to the network. The revision number resets to 0 each time you:
  - Change the domain name.
  - Change the VTP mode to transparent.
  Before adding a switch back into the network, change the domain name or the mode to transparent, then change it back to its original setting.
- Be sure to place switches in the same domain adjacent to each other through trunk links. If you insert a switch with a different domain name between two switches, VTP information will not be passed through the new switch. To correct this problem, use one of the following solutions:
  - Modify the domain name on the new switch to match the existing switches.
  - Move the new switch so that switches in the same domain are connected directly together.
- Note: Once set, you cannot completely remove a domain name. In other words, once you have configured a VTP domain name, you can only change the name; you cannot remove it completely.

VLAN Trunking
As you study this section, answer the following questions:
- When does the trunking protocol not tag the frame over a trunk link, and how does it handle the frame?
- When does dynamic trunking configure a trunk link?
- What happens if two switches on a VLAN trunk are both configured for auto dynamic trunking?

After finishing this section, you should be able to complete the following tasks:
- Manually configure trunking on interfaces where switches will be attached.
- Configure switches to use the 802.1Q trunking protocol and dynamic desirable mode.
- Configure the native VLAN for a trunk link.
- Configure which VLANs are permitted to communicate over a trunk link.

This section covers the following exam objectives:
- 103. Explain and configure VLAN trunking (i.e., IEEE 802.1Q and ISL)
- 105. Verify or troubleshoot VLAN configurations.

VLAN Trunking Facts

Trunking is a term used to describe connecting two switches together. Trunking is important when you configure VLANs that span multiple switches, as shown in the diagram. Be aware of the following facts regarding trunking and VLANs:
- In the above graphic, each switch has two VLANs. Each VLAN is assigned to a single port (the port is known as an access port). Workstations in VLAN 1 can only communicate with workstations in VLAN 1. This means that the two workstations connected to the same switch cannot communicate with each other. Communications within the VLAN must pass through the trunk link to the other switch.
- Trunk ports identify which ports are connected to other switches. Trunk ports can automatically carry traffic for all VLANs defined on the switch. You can prevent traffic from a specific VLAN from being carried on the trunk through a specific configuration.
- Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a trunking port.
- When trunking is used, frames that are sent over a trunk port are tagged with the VLAN ID number so that the receiving switch knows to which VLAN the frame belongs.
  - Tags are appended by the first switch in the path, and removed by the last.
  - Only VLAN-capable devices understand the frame tag.
  - Tags must be removed before a frame is forwarded to a non-VLAN-capable device.
- The trunking protocol describes the format that switches use for tagging frames with the VLAN ID. Cisco devices support two trunking protocols:

Inter-Switch Link (ISL)
Inter-Switch Link (ISL) trunking protocol details include the following:
- A Cisco-proprietary trunking protocol. ISL can only be used between Cisco devices.
- ISL encapsulates the frame with an ISL header and trailer, instead of tagging (modifying) the frame.
- ISL supports VLAN numbers 1-1005.
Be aware of the following facts regarding the trunking protocols:
- If a non-ISL-configured trunk port receives an ISL-encapsulated Ethernet frame, it may consider those frames to be transmission errors because the ISL header and trailer cause the frame to have an excessive size.
- Switches that do not support ISL simply drop ISL frames because they cannot decode the ISL encapsulation.

802.1Q
802.1Q trunking protocol details include the following:
- An IEEE standard for trunking and therefore supported by a wide range of devices.
- 802.1Q supports VLAN numbers 1-4094.
- With 802.1Q trunking, frames from the native VLAN are not tagged. Frames from all other VLANs are tagged. For example, if an 802.1Q port has VLANs 2, 3 and 4 assigned to it with VLAN 2 being the native VLAN, frames on VLAN 2 that exit the port are not given an 802.1Q header. Frames which enter this port and have no 802.1Q header are put into VLAN 2.
- If the native VLAN on one end of the trunk is different from the native VLAN on the other end, the traffic of the native VLANs on both sides cannot be transmitted correctly on the trunk.
- The native VLAN is VLAN 1 by default, but may be configured.

Note: When using multiple vendors in a switched network, be sure each switch supports the 802.1Q standard if you want to implement VLANs.

Cisco switches have the ability to automatically detect ports that are trunk ports, and to negotiate the trunking protocol used between devices. Switches use the Dynamic Trunking Protocol (DTP) to detect and configure trunk ports. For example, when you connect two switches together, they will automatically recognize each other and select the trunking protocol to use.

VLAN Trunking Command List


The following table lists important commands for configuring and monitoring trunking on a switch.

Use... / To...

Switch(config-if)#switchport mode trunk
  Enable unconditional trunking on the interface. The port will not use Dynamic Trunking Protocol (DTP) on the interface.

Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport trunk encapsulation negotiate
  Set the trunking protocol, or allow the trunking protocol to be negotiated.
  Note: Not all Catalyst switches allow configuration of the trunking protocol.

Switch(config-if)#switchport trunk native vlan <vlan id>
  Configure the VLAN that sends and receives untagged traffic on the trunk port when the interface is in 802.1Q trunking mode.

Switch(config-if)#switchport trunk allowed vlan all
Switch(config-if)#switchport trunk allowed vlan add <vlan id>
Switch(config-if)#switchport trunk allowed vlan remove <vlan id>
  Set which VLANs are allowed to communicate over the trunk, or remove VLANs that are not allowed to communicate over the trunk.
  Note: The default allows all VLANs in the VLAN database to communicate over the trunk.

Switch(config-if)#switchport mode dynamic auto
  Enable automatic trunking discovery and configuration. The switch uses DTP to configure trunking.

Switch(config-if)#switchport mode dynamic desirable
  Enable dynamic trunking configuration. If a switch is connected, it will attempt to use the desired trunking protocol. If a switch is not connected, it will communicate as a normal port.

Switch(config-if)#switchport mode access
  Disable trunking configuration on the port. The port is set to access mode unconditionally and operates as a nontrunking, single-VLAN interface that sends and receives untagged frames.

Switch#show interface trunk
Switch#show interface fa0/1 trunk
  Show interface trunking information, including the mode, encapsulation, trunking status and VLAN assignments.

Note: Be aware of the following when configuring VLAN trunking: Two switches both configured to use auto dynamic trunking will not trunk. At least one of the switches must be set to manually trunk or to use desirable dynamic trunking. To avoid auto-negotiation on trunk ports, manually configure the speed and duplex.

Verifying and Troubleshooting VLANs


As you study this section, answer the following questions:
15. When examining the output from the show interfaces fa 0/1 trunk command, what does the n- in front of the protocol designate?
16. How can you determine which VLANs are allowed to communicate over a trunk link?
17. How can you determine when an interface is operating as an access port or a trunk port?
18. Which command displays an overview of VLAN and trunking information of an interface?

After finishing this section, you should be able to complete the following tasks:
  Given a scenario, verify VLAN information.
  Given a scenario, troubleshoot a VLAN trunking link.

This section covers the following exam objectives: 105. Verify or troubleshoot VLAN configurations.

VLAN Verification and Troubleshooting Command List


The following commands are used to display VLAN configurations for verification and troubleshooting:
  show vlan brief
  show interfaces trunk
  show interfaces fa 0/1 switchport

The following output is generated from the show vlan brief command. The output displays the VLAN membership of each port.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7,
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Note: Use the show vlan <vlan id> command to display information about a single VLAN identified by VLAN ID.

The following is output generated from the show interfaces fa 0/1 switchport command, followed by a table describing the associated fields.

Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
--output omitted--
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Field / Description

Name
  Displays the port name. This is the interface specified in the command.

Switchport
  Displays the administrative and operational status of the port. In this display, the port is in switchport mode.

Administrative Mode
Operational Mode
  Displays the administrative mode. The administrative mode is configured with the following interface configuration commands:
    switchport mode access
    switchport mode trunk
    switchport mode dynamic auto
    switchport mode dynamic desirable
  The operational mode is how the port is actually operating. In this output, the port is in dynamic auto administrative mode, but the port is operating as an access port.

Administrative Trunking Encapsulation
Operational Trunking Encapsulation
Negotiation of Trunking
  Displays the administrative and operational encapsulation method and whether trunking negotiation is enabled.

Access Mode VLAN
  Displays the VLAN ID to which the port is configured. This is configured with the switchport access vlan <vlan id> interface configuration command.

Trunking Native Mode VLAN
  Lists the VLAN ID of the trunk that is in native mode. This is configured with the switchport trunk native vlan <vlan id> interface configuration command.

Trunking VLANs Enabled
  Lists the allowed VLANs on the trunk. This is configured with the following interface configuration commands:
    switchport trunk allowed vlan all
    switchport trunk allowed vlan remove <vlan id>
  In the output above, all VLANs would be permitted to communicate on the trunk if it were in trunking mode.

Pruning VLANs Enabled
  Lists the VLANs which have been pruned from the interface.

The following is output generated from the show interfaces fa 0/1 trunk command, followed by a table describing the output values.

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-9,11-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-2,5

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-2,5

Value / Description

Mode
  This is the administrative mode on the interface. The administrative mode is configured with the following interface configuration commands:
    switchport mode access
    switchport mode trunk
    switchport mode dynamic auto
    switchport mode dynamic desirable
  If configured as an access port, the mode is off.

Encapsulation
  This is the encapsulation protocol on the trunk. If "n-" precedes the protocol, it has been negotiated. This is configured with the following interface configuration commands:
    switchport trunk encapsulation dot1q
    switchport trunk encapsulation isl
    switchport trunk encapsulation negotiate
  Note: This command may not be available on all Catalyst switches. Negotiate is the default.

Status
  This is the operational status of the trunk.

Native VLAN
  The native VLAN is the VLAN which will not be tagged with 802.1Q tags. Frames from all other VLANs are tagged.

VLANs allowed on trunk
  Lists the allowed VLANs on the trunk. This is configured with the following interface configuration commands:
    switchport trunk allowed vlan all
    switchport trunk allowed vlan remove <vlan id>
  In the output above, VLAN 10 is not permitted to communicate on the trunk.

VLANs allowed and active in management domain
  Lists the VLANs which are configured on the switch and allowed over the trunk link.
  Note: If the VLANs are configured on the switch but are not permitted to communicate on the trunk, they will not be listed here.

VLANs in spanning tree forwarding state and not pruned
  Lists the VLANs that are pruning-eligible.

Note: If you do not specify an interface with the show interfaces trunk command, only information for active trunking ports appears.
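The checks a troubleshooter makes from show interfaces trunk output on both ends of a link (native VLAN mismatch, mismatched allowed lists, DTP-negotiated mode or encapsulation), as an added Python example that is not part of this course material; the two output samples are constructed in the format shown above.

```python
"""Audit both ends of a trunk from their 'show interfaces trunk' output (added example,
not Cisco tooling; the two samples below are constructed in the page's output format)."""
import re
from dataclasses import dataclass, field


@dataclass
class TrunkEnd:
    port: str
    mode: str                  # administrative mode: on, desirable, auto, ...
    encapsulation: str         # 802.1q or isl, without the "n-" prefix
    negotiated: bool           # True when the output showed "n-", i.e. DTP negotiated it
    status: str                # trunking / not-trunking
    native_vlan: int
    allowed: set = field(default_factory=set)


def expand_vlan_list(spec: str) -> set:
    """Expand a VLAN list such as '1-9,11-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> dict:
    """Parse 'show interfaces trunk' into {port: TrunkEnd}. Each block starts with a
    'Port ...' header that tells us which columns the rows below it carry."""
    ends, header = {}, ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Port"):
            header = line
            continue
        m = re.match(r"^(\S+)\s+(\S.*)$", line)
        if not m:
            continue
        port, rest = m.groups()
        if "Native" in header:
            mode, encap, status, native = rest.split()
            negotiated = encap.startswith("n-")
            ends[port] = TrunkEnd(port, mode, encap[2:] if negotiated else encap,
                                  negotiated, status, int(native))
        elif "allowed on trunk" in header and port in ends:
            ends[port].allowed = expand_vlan_list(rest)
    return ends


def audit_trunk(a: TrunkEnd, b: TrunkEnd) -> list:
    """Compare the two ends of one trunk. Returns (port, code, message) tuples."""
    findings = []
    if a.native_vlan != b.native_vlan:
        findings.append(("link", "NATIVE_MISMATCH",
                         f"{a.port} native VLAN {a.native_vlan} vs {b.port} native VLAN "
                         f"{b.native_vlan}: native-VLAN traffic will not be carried correctly"))
    if a.encapsulation != b.encapsulation:
        findings.append(("link", "ENCAP_MISMATCH",
                         f"{a.port} uses {a.encapsulation}, {b.port} uses {b.encapsulation}"))
    only_a, only_b = a.allowed - b.allowed, b.allowed - a.allowed
    if only_a or only_b:
        findings.append(("link", "ALLOWED_MISMATCH",
                         f"VLANs allowed on one side only: {sorted(only_a)} / {sorted(only_b)}"))
    for end in (a, b):
        if end.mode != "on":
            findings.append((end.port, "DTP_MODE",
                             f"mode '{end.mode}' relies on DTP; use switchport mode trunk"))
        if end.negotiated:
            findings.append((end.port, "ENCAP_NEGOTIATED",
                             "encapsulation was negotiated (n- prefix); set it explicitly"))
    return findings


# Constructed samples: switch A's Fa0/1 (as on this page) and the far end's Gi0/1.
SWITCH_A_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-9,11-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-2,5

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-2,5
"""
SWITCH_B_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""

if __name__ == "__main__":
    a = parse_show_trunk(SWITCH_A_TRUNK)["Fa0/1"]
    b = parse_show_trunk(SWITCH_B_TRUNK)["Gi0/1"]
    for port, code, msg in audit_trunk(a, b):
        print(f"{port:6} {code:18} {msg}")
```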

***EtherChannel
As you study this section, answer the following questions:
19. What will happen to redundant links between switches when EtherChannel is configured?
20. What are the differences between LACP and PAgP?
21. When would you choose LACP over PAgP when configuring EtherChannel?

After finishing this section, you should be able to complete the following tasks:
  Given a scenario, configure switches to negotiate the PAgP EtherChannel.
  Given a scenario, configure interfaces to negotiate an EtherChannel with LACP.

This section covers the following exam objectives:
  206. Configure and verify link aggregation using PAgP or LACP.

EtherChannel Facts

EtherChannel combines multiple switch ports into a single, logical link between two switches. With EtherChannel:
  You can combine 2-8 ports into a single link.
  All links in the channel group are used for communication between the switches.
  Use EtherChannel to increase the bandwidth between switches.
  Use EtherChannel to establish automatic redundant paths between switches. If one link fails, communication will still occur over the other links in the group.
  Use EtherChannel to reduce spanning tree convergence times.

Cisco Catalyst switches use one of the following protocols for EtherChannel configuration:

Protocol / Description

Port Aggregation Protocol (PAgP)
  PAgP is a management function that checks the parameter consistency at either end of the link and assists the channel in adapting to link failure or addition. PAgP prevents loops or packet loss due to misconfigured channels and aids in network reliability. PAgP operates in the following modes:
    Auto places the port into a passive negotiating state and forms an EtherChannel if the port receives PAgP packets. While in this mode, the port does not initiate the negotiation. Note: This is the default mode.
    Desirable places the port in a negotiating state to form an EtherChannel by sending PAgP packets. A channel is formed with another port group in either the auto or desirable mode.
  Note: PAgP is the default channel protocol in Cisco switches.

Link Aggregation Control Protocol (LACP)
  LACP is based on the 802.3ad standard and has similar functions to PAgP. LACP should be used when configuring EtherChannel between Cisco switches and non-Cisco vendor switches that support 802.3ad. LACP operates in the following modes:
    Passive places the port into a passive negotiating state and forms an EtherChannel if the port receives LACP packets. While in this mode, the port does not initiate the negotiation. Note: This is the default mode.
    Active places the port in a negotiating state to form an EtherChannel by sending LACP packets. A channel is formed with another port group in either the active or passive mode.

Note: An on mode forces a port to join an EtherChannel without negotiations. The on mode can be useful if the remote device does not support PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode.

Be aware of the following EtherChannel details:
  All ports in an EtherChannel must use the same protocol (PAgP or LACP).
  All ports in an EtherChannel must have the same speed and duplex mode. LACP requires that the ports operate only in full-duplex mode.
  A port cannot belong to more than one channel group at the same time.
  All ports in an EtherChannel must be configured to be in the same access VLAN configuration or be configured as VLAN trunks with the same allowable VLAN list and the same native VLAN.
  All ports in an EtherChannel require the same trunk mode (i.e. ISL or IEEE 802.1Q) to avoid unexpected results.
  If you do not configure EtherChannel, the spanning tree algorithm will identify each link as a redundant path to the other bridge and will put one of the ports in blocking state.
  Do not try to configure more than 6 EtherChannels on the switch.
  Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.
  Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled by using the shutdown interface configuration command is treated as a link failure, and its traffic is transferred to one of the remaining ports in the EtherChannel.

EtherChannel Command List


The following table shows common commands to configure EtherChannel.

Use... / To...

Switch(config-if)#channel-protocol lacp
Switch(config-if)#channel-protocol pagp
  Select the EtherChannel protocol on the interface: Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP).

Switch(config-if)#channel-group <1-8> mode auto
Switch(config-if)#channel-group <1-8> mode desirable
  Select the PAgP mode on the interface.

Switch(config-if)#channel-group <1-8> mode active
Switch(config-if)#channel-group <1-8> mode passive
  Select the LACP mode on the interface.

Switch(config-if)#channel-group <1-8> mode on
  Enable the on mode and force a port to join an EtherChannel without PAgP or LACP negotiations.

Switch(config-if)#no channel-group <1-8>
  Disable EtherChannel on the interface.

Switch#show etherchannel
  Show EtherChannel details on the switch.

Switch#show etherchannel summary
  Show EtherChannel information for a channel with a one-line summary per channel group.

Note: Each channel group has its own number. All ports assigned to the same channel group will be viewed as a single logical link.

Examples

The following commands configure GigabitEthernet 0/1 and 0/2 interfaces to actively initiate the negotiation of an EtherChannel with the PAgP protocol and with a channel group of 5:

Switch>ena
Switch#conf t
Switch(config)#int range gi 0/1 - 2
Switch(config-if-range)#channel-protocol pagp
Switch(config-if-range)#channel-group 5 mode desirable

The following commands configure FastEthernet 0/1 through 0/4 interfaces to form an EtherChannel with the LACP protocol only if the other device actively initiates the EtherChannel connection:

Switch>ena
Switch#conf t
Switch(config)#int range fa 0/1 - 4
Switch(config-if-range)#channel-protocol lacp
Switch(config-if-range)#channel-group 3 mode passive
Switch(config-if-range)#duplex full
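The mode rules from the EtherChannel facts (auto/passive only listen, on only pairs with on, PAgP and LACP do not mix) and the member-port consistency rules, worked through as an added Python checker; it is not Cisco code, and the port records it checks are constructed.

```python
"""Decide whether two channel-group modes negotiate an EtherChannel and whether the
member ports satisfy the consistency rules listed above (added example, not Cisco's
code; the Port records are constructed)."""
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}
INITIATING = {"desirable", "active"}      # modes that send PAgP/LACP packets
MAX_PORTS = {"pagp": 8, "lacp": 16}       # LACP: up to 8 active plus 8 standby


def protocol_of(mode: str):
    """Map a channel-group mode to the protocol it implies (None for 'on' or unknown)."""
    if mode in PAGP_MODES:
        return "pagp"
    if mode in LACP_MODES:
        return "lacp"
    return None


def channel_forms(mode_a: str, mode_b: str) -> bool:
    """True if the channel-group modes on the two ends yield a usable EtherChannel."""
    if mode_a == "on" or mode_b == "on":
        return mode_a == "on" and mode_b == "on"   # on only works against on
    proto_a, proto_b = protocol_of(mode_a), protocol_of(mode_b)
    if proto_a is None or proto_a != proto_b:
        return False                               # unknown mode, or PAgP against LACP
    # auto and passive never initiate, so at least one side must send packets
    return mode_a in INITIATING or mode_b in INITIATING


@dataclass(frozen=True)
class Port:
    name: str
    speed: int                  # Mb/s
    duplex: str                 # "full" or "half"
    mode: str                   # "access" or "trunk"
    access_vlan: int = 1
    encapsulation: str = ""     # "dot1q" or "isl" for trunk ports
    native_vlan: int = 1
    allowed_vlans: frozenset = frozenset()
    enabled: bool = True


def consistency_errors(ports, protocol: str) -> list:
    """Return the rules from the EtherChannel facts list that these member ports violate."""
    errors = []
    limit = MAX_PORTS[protocol]
    if not 2 <= len(ports) <= limit:
        errors.append(f"{protocol} channel needs 2-{limit} ports, got {len(ports)}")
    for p in ports:
        if not p.enabled:
            errors.append(f"{p.name}: shut down, treated as a link failure")
        if protocol == "lacp" and p.duplex != "full":
            errors.append(f"{p.name}: LACP requires full duplex")
    ref = ports[0]
    for p in ports[1:]:
        if (p.speed, p.duplex) != (ref.speed, ref.duplex):
            errors.append(f"{p.name}: speed/duplex differs from {ref.name}")
        if p.mode != ref.mode:
            errors.append(f"{p.name}: {p.mode} port mixed with {ref.mode} port {ref.name}")
        elif p.mode == "access" and p.access_vlan != ref.access_vlan:
            errors.append(f"{p.name}: access VLAN {p.access_vlan} differs from {ref.name}")
        elif p.mode == "trunk":
            if p.encapsulation != ref.encapsulation:
                errors.append(f"{p.name}: trunk encapsulation differs from {ref.name}")
            if p.native_vlan != ref.native_vlan:
                errors.append(f"{p.name}: native VLAN {p.native_vlan} differs from {ref.name}")
            if p.allowed_vlans != ref.allowed_vlans:
                errors.append(f"{p.name}: allowed VLAN list differs from {ref.name}")
    return errors


if __name__ == "__main__":
    for pair in (("desirable", "auto"), ("auto", "auto"), ("active", "passive"),
                 ("passive", "passive"), ("desirable", "active"), ("on", "desirable")):
        print(pair, "forms" if channel_forms(*pair) else "does not form")
    all_vlans = frozenset(range(1, 4095))
    members = [Port("Gi0/1", 1000, "full", "trunk", encapsulation="dot1q", native_vlan=99,
                    allowed_vlans=all_vlans),
               Port("Gi0/2", 1000, "half", "trunk", encapsulation="dot1q", native_vlan=1,
                    allowed_vlans=all_vlans)]
    print(consistency_errors(members, "lacp"))
```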

***4.1 Gateway Redundancy


As you study this section, answer the following questions:
22. How does a virtual router help to protect against a single point of failure?
23. If there are three routers in an HSRP group, how many virtual IP addresses would be assigned to that group of routers?
24. What are the main differences between HSRP and VRRP, and are they compatible?
25. What is the maximum number of routers that can act as active IP default gateways in a GLBP group?
26. If there are two routers in a GLBP group, how many virtual MAC addresses are assigned to routers in that group?

This section covers the following exam objectives:
  401. Explain the functions and operations of gateway redundancy protocols (i.e., HSRP, VRRP, and GLBP).

Gateway Redundancy Facts


Gateway redundancy is a fault-tolerant approach for hosts to communicate outside their local subnet. Typically, hosts are configured with a single default gateway (next-hop router) so they may communicate outside the local subnet. However, as shown in the image below, if the default gateway fails, the hosts are limited to communicating only within the subnet, effectively disconnecting them from the rest of the network. Even if there is a redundant router which could serve as a replacement gateway, there is no dynamic method by which the hosts could switch to a new default gateway IP address. Gateway redundancy protects against a single point of failure. In gateway redundancy, a group of two or more routers actively manage a single virtual router MAC address and IP address (as seen below). This configuration ensures that if a router fails, a backup router takes responsibility as the default gateway. With gateway redundancy, LAN clients send traffic to the virtual router, but an actual router handles the forwarding of that traffic. The difference between a virtual and an actual router is unnoticeable to the clients.

Hot Standby Router Protocol (HSRP)


Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol consists of a virtual MAC address and IP address that are shared between two or more routers, and a process that monitors both LAN and serial interfaces via a multicast protocol.

An HSRP group, a set of routers participating in HSRP that jointly emulate a virtual router, consists of the following entities or roles:

Entity or Role / Description

Active Router
  An active router which forwards traffic destined to the virtual IP address (see the illustration below).

Standby Router
  A standby router which will become the active router should the existing active router fail (see the illustration below).

Virtual Router
  A virtual router which is not an actual router. It is a concept of the entire HSRP group acting as one virtual router. It is assigned its own IP address and MAC address; however, the active router acting as the virtual router actually forwards the packets.

Additional HSRP member routers
  Additional HSRP member routers are neither active nor standby, but they are configured to participate in the same HSRP group. These routers forward any packets addressed to their assigned interface IP addresses but do not forward packets destined for the virtual router because they are not the active router.

HSRP has the following router states:
  Initial is the starting state of HSRP. All routers begin in this state. This state indicates that HSRP is not yet fully operational.
  Learn is when the router has not determined the virtual IP address and has not yet received a hello message from the active router.
  Listen is when the router knows the virtual IP address, but is neither the active router nor the standby router. This is the state for additional HSRP member routers. The router in this state listens for hello messages, participating only if the holdtime expires.
  Speak is when the routers in the HSRP group are in the election process for the active and standby routers.
  Standby is when the HSRP router is a candidate to become the next active router and sends periodic hello messages to inform other routers in the HSRP group of its status.
  Active is when the router forwards packets assigned to the virtual MAC and IP address of the HSRP group. It also sends periodic hello messages to inform other routers in the HSRP group of its status.

Routers configured with HSRP exchange three types of multicast messages:

Message / Description

Hello
  The active router assumes and maintains its role through the use of hello messages. When the active router fails, the other HSRP routers stop receiving the hello messages. The standby router assumes the role of active router when the holdtime expires. The holdtime is the time between the receipt of a hello message and the presumption that the sending router has failed. HSRP timer details include the following:
    Hello messages are sent every 3 seconds by default.
    Holdtime expires after 10 seconds by default.
    Both timers can be configured with an msec parameter for faster failover times.
  Note: All routers in the HSRP group should use the same timer values.

Coup
  A coup message is sent by a standby router which wants to assume the function of the active router.

Resign
  The active router sends the resign message when it is about to shut down or when a router that has a higher priority sends a hello or coup message.

The active router is decided by the following:
  On a per-group basis, the HSRP router can be configured with a priority value. The default is 100. It can be between 0-255. The router with the highest priority becomes the active router if it initializes first.
  Note: If several routers have the same priority, the physical IP address of the router's interface is used. The router with the highest IP address becomes the active router.
  A preemption configuration will force a specific router to be an active router if it has the highest priority for the group. If the preempted active router fails, the standby router becomes the active router. If the preempted active router regains service, it will become the active router again.

Be aware of the following details:
  If preemption is not enabled, the standby router which takes over for a failed router will remain the active router even if the former active router regains service.
  If preemption is enabled, the former active router takes over immediately after it regains service: when it receives a hello message from an active router with a lower priority, it sends a coup message.
  When a lower priority active router receives a coup message from a higher priority router, the router changes to the Speak state and sends a resign message.
  Note: The transition through HSRP states is displayed with the debug standby EXEC command.

Be aware of the following HSRP details:
  The virtual MAC address is XXXX.XX07.ACxx. The first six values in the address (XXXX.XX) represent the vendor code. The last two values (xx) represent the HSRP group number in hexadecimal. For example, a virtual MAC address for HSRP group 79 would be XXXX.XX07.AC4F.
  If a host sends an ARP request with the virtual router's IP address, the active router will return the virtual router's MAC address.
  One or more HSRP groups need to be configured for each VLAN or subnet. HSRP is not configured globally.
  Using the VLAN ID as the HSRP group number makes troubleshooting easier. However, the group number is limited to a value between 0 and 255.
  To configure HSRP load sharing, configure at least two routers to participate in two HSRP groups. Configure the first router to serve as the active router for the first HSRP group and the backup router for the second HSRP group. Configure the second router to serve as the active router for the second HSRP group and the backup router for the first HSRP group.
  An HSRP tracking feature monitors the active router's interface that is used to forward traffic from the hosts. If that interface goes down, the priority of the HSRP group is reduced to allow the HSRP standby router to become the active router. The HSRP group priority of the active router is decreased by 10 by default, but can be configured. Careful planning of standby priorities for all routers is needed to ensure that the HSRP standby tracking feature lowers priorities enough for standby routers to take active roles.
  If preemption is not enabled on the standby router, it will not send a coup message to become the active router for the group.
  When configuring routers in the HSRP group, at least one router in the group must be configured with the virtual IP address. Other routers in the group will learn the virtual IP address because it is forwarded in the hello messages.

Virtual Router Redundancy Protocol (VRRP)


As you study this section, answer the following questions:
1. What is the difference between setting up a VRRP group and an HSRP group?
2. How many routers in a VRRP group need to be configured with the virtual IP address?
3. What happens to the VRRP master router when another router in the VRRP group is configured with preemption?

Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP. VRRP and HSRP are similar in concept, but not compatible. The main differences include the following:
  The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router are called backup routers. Backup routers do not send advertisements like standby routers do in an HSRP group.
  Values used to determine the VRRP priority range between 1-254. The default priority value is 100.
  If the configured virtual IP address is the same IP address as the router's physical interface, the router is known as the IP address owner and becomes the master router.
  Similar to HSRP, preemption allows a failed router to return as the VRRP master router if it has the highest priority for the VRRP group. However, in VRRP, an IP address owner of the VRRP group will always preempt.
  Each router in the VRRP group must be configured with the virtual IP address.

In the illustration below, if the VRRP virtual IP address is 10.0.1.1, then RouterA is the IP address owner and serves as the master router. RouterB and RouterC would be backup routers.

VRRP uses the following timers:
  The advertisement interval is the interval between when the advertisements are sent. The default is 1 second and can be configured.
  The master-down interval is the time for a backup to declare the master is down. The master-down interval cannot be configured directly, but is calculated as three times the value of the advertisement interval.

Be aware of the following details:
  The virtual MAC address is 0000.5E00.01xx. The last two values (xx) are the Virtual Router IDentifier (VRID) and represent the VRRP group number in hexadecimal.
  HSRP and VRRP are not routing protocols, as they do not advertise IP routes or affect the routing table in any way.

The following table lists commands used to configure VRRP:

Use... / To...

Router(config)#interface <type number>
Router(config-if)#vrrp <0-255> ip
  Enter interface configuration mode and enable VRRP with a group number.

Router(config-if)#vrrp <0-255> ip <a.b.c.d>
  Configure the VRRP group with a virtual IP address. The IP address is configured on each router.

Router(config-if)#vrrp <0-255> preempt
  Configure VRRP for preemption so the router may take over if it has a higher priority than the current master router.

Router(config-if)#vrrp <0-255> timers advertise [msec] <interval>
Router(config-if)#vrrp <0-255> timers learn
  Configure the advertisement interval for VRRP, or have a backup router learn the interval from the master's advertisements. The master-down interval is not configured directly; it is derived from the advertisement interval.

Gateway Load Balancing Protocol (GLBP)


Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that automatically selects and simultaneously uses multiple virtual gateways. It is intended to fully use resources without the configuration of multiple groups and default gateways.

GLBP details include the following:
  Routers in a GLBP group elect one gateway to be the Active Virtual Gateway (AVG) for that group. The AVG assigns a virtual MAC address to each router of the GLBP group.
  The AVG is responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP address. Load balancing is achieved by the AVG replying to the hosts' ARP requests with different virtual MAC addresses.
  A GLBP group can have up to four member routers acting as IP default gateways. The gateways are known as Active Virtual Forwarders (AVFs). Each AVF assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG.
  A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual forwarder. A virtual forwarder that has learned the virtual MAC address (from hello messages) is referred to as a secondary virtual forwarder.
  An AVG can assign itself a MAC address and assume the responsibilities of an AVF as well.
  GLBP operates virtual gateway redundancy in the same way as HSRP. The gateway with the highest priority for the group is elected as the AVG, another gateway is elected as the standby virtual gateway, and the remaining gateways are placed in a listen state. If an AVG fails, the standby virtual gateway will assume responsibility for the virtual IP address. A new standby virtual gateway is then elected from the gateways in the listen state.

GLBP supports the following modes for load balancing:

Mode / Description

Round-robin
  In the round-robin scheme, when a host sends an ARP request, the AVG returns a virtual MAC address based on its table of MAC addresses assigned to AVFs. When another host sends an ARP request, the AVG replies with the next MAC address in its table, and so on.
  Note: This is the default method.

Weighted
  In the weighted scheme, the AVF advertises to the AVG how much traffic the interface can handle. The AVG then directs traffic according to the advertised amounts. Initial weighting values can be set and optional thresholds specified. Interface states can be tracked and a decrement value set to reduce the weighting value if the interface goes down. When the GLBP router weighting drops below a specified value, the router will no longer be an active virtual forwarder. When the weighting rises above a specified value, the router can resume its role as an active virtual forwarder.

Host-dependent
  In the host-dependent scheme, the host will always use the same virtual MAC address and the same virtual forwarder (as long as that address and forwarder are participating in the GLBP group).

Be aware of the following details:
  GLBP members communicate with each other through hello messages sent every 3 seconds.
  Group numbers range from 0-1023.
  AVG states match the HSRP active router states.
  The default gateway on each host device must be configured as the GLBP group's virtual IP address.
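How the AVG hands out virtual MAC addresses in its ARP replies under the three load-balancing schemes, including the weighting thresholds that remove and restore an AVF, as an added Python simulation (not Cisco's implementation); the forwarder names, virtual MAC labels and host addresses are constructed.

```python
"""Simulate the GLBP Active Virtual Gateway's ARP-reply choice under the round-robin,
weighted and host-dependent schemes, with weighting thresholds (added example, not
Cisco's implementation; forwarders, virtual MAC labels and hosts are constructed)."""
from dataclasses import dataclass


@dataclass
class Forwarder:
    """One Active Virtual Forwarder (AVF) and the virtual MAC the AVG assigned to it."""
    name: str
    vmac: str
    weight: int = 100
    lower: int = 0          # below this weight the router stops acting as an AVF
    upper: int = 0          # it resumes only once its weight rises above this
    forwarding: bool = True

    def adjust_weight(self, delta: int) -> None:
        """Apply a tracking decrement (negative) or a recovery (positive), then
        re-evaluate against the thresholds exactly as the weighted scheme describes."""
        self.weight += delta
        if self.forwarding and self.weight < self.lower:
            self.forwarding = False
        elif not self.forwarding and self.weight > self.upper:
            self.forwarding = True


class ActiveVirtualGateway:
    SCHEMES = ("round-robin", "weighted", "host-dependent")

    def __init__(self, forwarders, scheme: str = "round-robin"):
        if not 1 <= len(forwarders) <= 4:
            raise ValueError("a GLBP group has at most four AVFs")
        if scheme not in self.SCHEMES:
            raise ValueError(f"unknown load-balancing scheme {scheme!r}")
        self.forwarders = list(forwarders)   # the AVG's table of assigned virtual MACs
        self.scheme = scheme
        self._counter = 0                    # position in the table for round-robin/weighted
        self._host_map = {}                  # host IP -> forwarder name (host-dependent)

    def _eligible(self) -> list:
        avfs = [f for f in self.forwarders if f.forwarding]
        if not avfs:
            raise RuntimeError("no forwarder is currently active")
        return avfs

    def _pick_weighted(self, avfs) -> Forwarder:
        """Deterministic weighted round-robin: over sum(weights) consecutive replies,
        each AVF is handed out exactly weight times."""
        slot = self._counter % sum(f.weight for f in avfs)
        for f in avfs:
            if slot < f.weight:
                return f
            slot -= f.weight
        return avfs[-1]   # not reachable; keeps the function total

    def arp_reply(self, host_ip: str) -> str:
        """Return the virtual MAC the AVG places in its ARP reply to host_ip."""
        avfs = self._eligible()
        if self.scheme == "host-dependent":
            name = self._host_map.get(host_ip)
            chosen = next((f for f in avfs if f.name == name), None)
            if chosen is None:      # first request from this host, or its AVF dropped out
                chosen = avfs[self._counter % len(avfs)]
                self._counter += 1
                self._host_map[host_ip] = chosen.name
            return chosen.vmac
        if self.scheme == "weighted":
            chosen = self._pick_weighted(avfs)
        else:
            chosen = avfs[self._counter % len(avfs)]
        self._counter += 1
        return chosen.vmac


if __name__ == "__main__":
    # Constructed group: two AVFs, the second advertising half the capacity of the first.
    r1 = Forwarder("R1", "VMAC-1", weight=100, lower=95, upper=105)
    r2 = Forwarder("R2", "VMAC-2", weight=50)
    avg = ActiveVirtualGateway([r1, r2], scheme="weighted")
    replies = [avg.arp_reply(f"10.0.0.{i}") for i in range(1, 151)]
    print({m: replies.count(m) for m in ("VMAC-1", "VMAC-2")})
    r1.adjust_weight(-10)     # tracked interface down: 90 < lower 95, R1 leaves the AVF role
    print(avg.arp_reply("10.0.0.200"))
```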

HSRP Configuration
As you study this section, answer the following questions:
  Which router in an HSRP group will be the active router if all the routers in the group are assigned the same priority?
  What is the function of preemption?
  What is interface tracking and how does it affect the HSRP priority value?
  How many routers in an HSRP group need to be configured with the virtual IP address?
  When does a router in an HSRP group send a coup message?
  How is the HSRP group number identified in the virtual MAC address?

After finishing this section, you should be able to complete the following tasks: Configure multiple routers to form a HSRP virtual default gateway. Configure preemption for a HSRP group. Configure interface tracking within a HSRP group. This section covers the following exam objectives: 402. Configure HSRP, VRRP, and GLBP. 403. Verify High Availability configurations.

HSRP Command List

The following table lists commands used to configure and verify HSRP:

Use... / To...

Router(config)#interface <type number>
Router(config-if)#standby <0-255> ip
  Enter interface configuration mode and enable HSRP with a group number.

Router(config-if)#standby <0-255> ip <a.b.c.d>
  Configure the HSRP standby group with a virtual IP address.

Router(config-if)#standby <0-255> preempt
  Configure HSRP for preemption so the router may take over if it has a higher priority than the current active router.

Router(config-if)#standby <0-255> priority <0-255>
  Configure the HSRP group priority.

Router(config-if)#standby <0-255> track <interface type number> <decrement value>
  Monitor the active router's interface that is used to forward traffic from the hosts, and specify the amount by which the HSRP group priority is decremented if the interface goes down.

Router(config-if)#standby <0-255> timers [msec] <hello-value> [msec] <holdtime-value>
  Configure the hello timer and hold timer values for HSRP.

Router(config-if)#no standby <0-255> timers
  Reset the hello timer and hold timer values back to their defaults, 3 and 10 seconds respectively.

Router(config-if)#standby <0-255> authentication <value>
Router(config-if)#standby <0-255> authentication md5 key-string 0|7 <value>
  Configure the authentication as plain text or encrypted text. This authenticates HSRP packets received from other routers in the group. Specifying 0 means the key value is unencrypted. Specifying 7 means the key value is encrypted. The key-string authentication key is automatically encrypted if the service password-encryption global configuration command is enabled.
  Note: If you configure authentication, all routers within the HSRP group must use the same authentication string.

Router#show standby
  Display the gateway redundancy configuration and status of the configured interfaces.

Router#debug standby
  Display HSRP state changes and debugging information regarding transmission and receipt of Hot Standby Protocol packets. Use this command to determine whether hot standby routers recognize one another and take the proper actions.

Examples

The following table provides example gateway redundancy configurations and descriptions:

Commands
    RouterA(config)#interface vlan 10
    RouterA(config-if)#standby 10 ip 10.2.2.1
    RouterA(config-if)#standby 10 priority 100
    RouterA(config-if)#end
    RouterB(config)#interface vlan 10
    RouterB(config-if)#standby 10 priority 90
    RouterB(config-if)#end
Description
    The first group of commands configures a single router (RouterA) with one HSRP standby group for VLAN 10 with a virtual address of 10.2.2.1 and a priority of 100. The second group of commands configures a single router (RouterB) with the same group yet a different priority.
    This command set configures RouterA as the active router for VLAN 10 because it has the highest priority. RouterB is configured as the standby router.
    Note: When configuring routers in the HSRP group, at least one router in the group must be configured with the virtual IP address. Other routers in the group will learn the virtual IP address because it is forwarded in the hello messages.

Commands
    RouterA(config)#interface vlan 10
    RouterA(config-if)#standby 10 ip 10.2.2.1
    RouterA(config-if)#standby 10 priority 150
    RouterA(config-if)#interface vlan 20
    RouterA(config-if)#standby 20 ip 10.3.3.1
    RouterA(config-if)#standby 20 priority 100
    RouterA(config-if)#end
    RouterB(config)#interface vlan 10
    RouterB(config-if)#standby 10 priority 100
    RouterB(config-if)#interface vlan 20
    RouterB(config-if)#standby 20 priority 150
    RouterB(config-if)#end
Description
    The first group of commands configures a single router (RouterA) with two HSRP standby groups on VLAN 10 and 20, with virtual addresses of 10.2.2.1 and 10.3.3.1 and priorities of 150 and 100, respectively. The second group of commands configures a single router (RouterB) with the same groups yet a different priority for each VLAN.
    This command set configures RouterA as the active router for VLAN 10 and the standby router for VLAN 20. It is vice versa for RouterB.
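The active/standby selection, preemption and interface-tracking rules from the command list and examples above, modelled in Python as an added example (not code from the original study guide or from Cisco IOS). RouterA and RouterB with priorities 100 and 90, and the Serial0/1 tracking with a decrement of 25, are the page's own values; the interface addresses 10.2.2.2 and 10.2.2.3 and the tie-break on the highest interface IP address are assumptions.

```python
"""Model of HSRP active/standby selection with preemption and interface tracking.

Added example, not from the original study guide or from Cisco IOS. It models the
rules the command list describes: the router with the highest priority becomes
active, `standby track` lowers the priority when the tracked interface goes down,
and a higher-priority router takes over from the current active router only when
`standby preempt` is configured. Assumed: interface addresses and the tie-break
on the highest interface IP address.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                                  # interface IP in the group (assumed values)
    priority: int = 100                      # standby <group> priority <0-255>
    preempt: bool = False                    # standby <group> preempt
    tracks: dict = field(default_factory=dict)         # interface -> decrement (standby track)
    down_interfaces: set = field(default_factory=set)  # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        decrement = sum(d for ifname, d in self.tracks.items() if ifname in self.down_interfaces)
        return max(0, self.priority - decrement)


class HsrpGroup:
    """One standby group: its routers and whichever of them currently holds the active role."""

    def __init__(self, group: int, routers: list[HsrpRouter]):
        self.group = group
        self.routers = routers
        self.active: Optional[HsrpRouter] = None

    def _best(self) -> HsrpRouter:
        # Highest effective priority wins; ties go to the highest interface IP (assumed tie-break).
        return max(self.routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))

    def elect(self) -> str:
        """Return the name of the active router after applying the HSRP rules.

        With no active router (initial election, or the active router failed) the best
        router takes the role. Otherwise the active router keeps it unless another
        router has a strictly higher priority AND is configured to preempt.
        """
        best = self._best()
        if self.active is None:
            self.active = best
        elif (best is not self.active and best.preempt
              and best.effective_priority() > self.active.effective_priority()):
            self.active = best
        return self.active.name

    def set_interface(self, router_name: str, ifname: str, up: bool) -> str:
        """Mark a tracked interface up or down on one router, then re-run the election."""
        for r in self.routers:
            if r.name == router_name:
                if up:
                    r.down_interfaces.discard(ifname)
                else:
                    r.down_interfaces.add(ifname)
        return self.elect()

    def router_failed(self, router_name: str) -> str:
        """Remove a router (its hold time expired) and let the remaining routers elect."""
        self.routers = [r for r in self.routers if r.name != router_name]
        if self.active is not None and self.active.name == router_name:
            self.active = None
        return self.elect()


def vlan10_scenario(router_b_preempts: bool) -> list[str]:
    """Walk the page's VLAN 10 example: RouterA (priority 100, tracking Serial0/1 with
    decrement 25) and RouterB (priority 90). Returns the active router after each step."""
    a = HsrpRouter("RouterA", "10.2.2.2", priority=100, tracks={"Serial0/1": 25})
    b = HsrpRouter("RouterB", "10.2.2.3", priority=90, preempt=router_b_preempts)
    group = HsrpGroup(10, [a, b])
    steps = [group.elect()]                                                # initial election
    steps.append(group.set_interface("RouterA", "Serial0/1", up=False))  # RouterA drops to 75
    steps.append(group.set_interface("RouterA", "Serial0/1", up=True))   # RouterA back to 100
    steps.append(group.router_failed(group.active.name))                 # active router's hold time expires
    return steps


if __name__ == "__main__":
    print("RouterB with preempt:   ", vlan10_scenario(True))
    print("RouterB without preempt:", vlan10_scenario(False))
```

Without preempt on RouterB, RouterA stays active even while its priority is 75, which is the behaviour the preempt command exists to change.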

GLBP Configuration
As you study this section, answer the following questions:
27. What is the difference between configuring a GLBP group and an HSRP group?
28. What are the different choices available for GLBP load-balancing?

After finishing this section, you should be able to complete the following tasks:
- Configure two routers in a GLBP group to form a virtual default gateway, and implement a load balancing method.

This section covers the following exam objectives:
402. Configure HSRP, VRRP, and GLBP.
403. Verify High Availability configurations.

GLBP Command List

The following table lists commands used to configure and verify GLBP:

Router(config-if)#glbp <0-1023> ip
    Enable a GLBP group with a specified group number.

Router(config-if)#glbp <0-1023> ip <a.b.c.d>
    Configure the interface of a member of the virtual group with the identified virtual IP address.

Router(config-if)#glbp <0-1023> priority <1-255>
    Configure the priority of the configured router (same as HSRP).

Router(config-if)#glbp <0-1023> preempt
    Configure GLBP for pre-emption so the router may take over if it has a higher priority than the current active router.

Router(config-if)#glbp <0-1023> load-balancing host-dependent
Router(config-if)#glbp <0-1023> load-balancing round-robin
Router(config-if)#glbp <0-1023> load-balancing weighted
    Configure the load balancing method.

Router(config)#track <1-500> interface <type number> line-protocol | ip routing
    Configure an interface to be tracked. The line-protocol keyword tracks whether the interface is up. The ip routing keywords also check that IP routing is enabled on the interface and that an IP address is configured.

Router(config-if)#glbp <0-1023> weighting <1-254> [lower <value>] [upper <value>]
Router(config-if)#glbp <0-1023> weighting track <1-500> decrement <value>
    Configure GLBP weighting values. The first command specifies the initial weighting value and the upper and lower thresholds. The second specifies an object to be tracked and the weighting reduction applied to the GLBP gateway when the tracked object fails.

Router#show glbp
    Display the gateway redundancy configuration and status of the configured interfaces.

Examples

The following command set configures a GLBP group on VLAN 7 with a virtual address of 10.0.2.1, a priority of 110, and host-dependent load balancing:

Router(config)#interface vlan 7
Router(config-if)#glbp 7 ip 10.0.2.1
Router(config-if)#glbp 7 priority 110
Router(config-if)#glbp 7 load-balancing host-dependent

Troubleshooting Gateway Redundancy


As you study this section, answer the following questions:
- How can you tell when an interface is participating in a gateway redundancy configuration?
- How does the tracking feature affect a gateway redundancy configuration?
- Which commands allow you to verify an HSRP gateway redundancy configuration?

After finishing this section, you should be able to complete the following tasks:
- Configure a scenario, then verify and troubleshoot gateway redundancy configurations.

This section covers the following exam objectives:
403. Verify High Availability configurations.

Troubleshooting Gateway Redundancy Facts

The following commands are used to display gateway redundancy configurations for verification and troubleshooting:
- show standby
- show glbp

The following is output generated from the show standby command and a table describing the associated fields relating to HSRP configuration and operating details.

FastEthernet0/1 - Group 200
  State is Standby
    10 state changes, last state change 2d05h
  Virtual IP address is 10.0.0.15
  Active virtual MAC address is 0000.0c07.acc8
    Local virtual MAC address is 0000.0c07.acc8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.540 secs
  Preemption disabled
  Active router is 10.0.0.3, priority 110 (expires in 8.952 sec)
  Standby router is local
  Priority 75 (default 100)
    Track interface Serial0/1 state Down decrement 25

The following table describes important information shown in the command output:

Interface type - Group
    Interface type and number and Hot Standby group number for the interface.

State is
    This is the current state of the local router. It can be one of the following:
    - Active indicates that the router is the current Hot Standby router.
    - Standby indicates that the router is next in line to be the Hot Standby router.
    - Speak indicates that the router is sending packets to claim the active or standby role.
    - Listen indicates that the router is in neither the active nor the standby state, but if no messages are received from the active or standby router, it will start to speak.
    - Init or Disabled indicates that the router is not yet ready or able to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured on other routers on the network that are learned via snooping are displayed as being in the Init state. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr fields will show "unknown."
    Note: The state is listed as disabled in the fields when the standby ip command has not been specified.

Virtual IP address is
    This is the virtual IP address assigned within the HSRP group.

Active virtual MAC address
    Virtual MAC address being used by the current active router. The last two digits are the HSRP group number in hexadecimal format.

Local virtual MAC address
    Virtual MAC address that would be used if this router became the active router.

Hello time, hold time
    The hello time is the time between hello packets (in seconds) based on the standby timers command. The hold time is the time (in seconds) before other routers declare the active or standby router to be down, based on the standby timers command.

Next hello sent in
    Time at which the Cisco IOS software will send the next hello packet (in an hours:minutes:seconds format).

Preemption enabled
    Indicates whether preemption is enabled with the standby preempt command. If enabled, the minimum delay is the time for which a higher-priority non-active router will wait before preempting the lower-priority active router.

Active router is
    This can be "local," "unknown," or an IP address. Address (and the expiration date of the address) of the current active Hot Standby router. In the example above, it is the IP address of the other router participating in the HSRP group.

Standby router is
    This can be "local," "unknown," or an IP address. Address (and the expiration date of the address) of the "standby" router (the router that is next in line to be the Hot Standby router). In the example above, it is the local router.

Priority
    The configured and operating HSRP group priority. This operating value may be different from the configured value if the track command has been configured and the tracked interface is down.

Tracking
    List of interfaces that are being tracked and their corresponding states, based on the standby track command. In the example above, the tracked interface is DOWN, decrementing the priority from its default of 100 to 75.
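A parser for the show standby output above, with the checks a troubleshooter makes against the fields in the table, as an added example (not code from the original study guide or from Cisco). The sample text is a constructed copy of the page's own output; the same line-by-line approach carries over to show glbp output.

```python
"""Parse `show standby` output and run the checks a troubleshooter makes by hand.

Added example, not from the original study guide or from Cisco. The sample output
is a constructed copy of the page's example. The checks follow the field table:
preemption state, tracked-interface decrements against the operating priority,
and the rule that the last two hex digits of the virtual MAC are the group number.
"""
from __future__ import annotations

import re

SAMPLE_SHOW_STANDBY = """\
FastEthernet0/1 - Group 200
  State is Standby
    10 state changes, last state change 2d05h
  Virtual IP address is 10.0.0.15
  Active virtual MAC address is 0000.0c07.acc8
    Local virtual MAC address is 0000.0c07.acc8 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.540 secs
  Preemption disabled
  Active router is 10.0.0.3, priority 110 (expires in 8.952 sec)
  Standby router is local
  Priority 75 (default 100)
    Track interface Serial0/1 state Down decrement 25
"""

# Single-value fields: each pattern is matched against the start of the stripped line.
FIELD_PATTERNS = {
    "state": r"State is (\w+)",
    "virtual_ip": r"Virtual IP address is (\S+)",
    "active_vmac": r"Active virtual MAC address is ([0-9a-f.]+)",
    "active_router": r"Active router is ([\w.]+)",
    "standby_router": r"Standby router is ([\w.]+)",
}


def parse_show_standby(text: str) -> list[dict]:
    """Return one dict per 'interface - Group N' block in the command output."""
    groups: list[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"(\S+) - Group (\d+)$", line)
        if header:
            cur = {"interface": header.group(1), "group": int(header.group(2)),
                   "preempt": None, "tracks": []}
            groups.append(cur)
            continue
        if cur is None:
            continue
        for key, pattern in FIELD_PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                cur[key] = m.group(1)
        m = re.match(r"Hello time (\d+) sec, hold time (\d+) sec", line)
        if m:
            cur["hello"], cur["hold"] = int(m.group(1)), int(m.group(2))
        if line.startswith("Preemption "):
            cur["preempt"] = line.split()[1] == "enabled"
        m = re.match(r"Priority (\d+)(?: \((?:default|configured) (\d+)\))?", line)
        if m:
            cur["priority"] = int(m.group(1))
            cur["configured_priority"] = int(m.group(2)) if m.group(2) else int(m.group(1))
        m = re.match(r"Track interface (\S+) state (\w+) decrement (\d+)", line)
        if m:
            cur["tracks"].append({"interface": m.group(1), "state": m.group(2),
                                  "decrement": int(m.group(3))})
    return groups


def hsrp_findings(group: dict) -> list[str]:
    """Return human-readable findings for one parsed group (empty list = nothing to report)."""
    findings = []
    if group.get("preempt") is False:
        findings.append("preemption disabled: a higher-priority router will not take over "
                        "from the current active router")
    down = [t for t in group["tracks"] if t["state"].lower() == "down"]
    for t in down:
        findings.append(f"tracked interface {t['interface']} is Down, priority lowered by {t['decrement']}")
    # Operating priority must equal the configured value minus the decrements of down interfaces.
    expected = group["configured_priority"] - sum(t["decrement"] for t in down)
    if group["priority"] != expected:
        findings.append(f"priority {group['priority']} does not match configured minus decrements ({expected})")
    # HSRP v1 virtual MAC is 0000.0c07.acXX, where XX is the group number in hex.
    vmac_group = int(group["active_vmac"].replace(".", "")[-2:], 16)
    if vmac_group != group["group"]:
        findings.append(f"virtual MAC {group['active_vmac']} belongs to group {vmac_group}, not {group['group']}")
    return findings


if __name__ == "__main__":
    for g in parse_show_standby(SAMPLE_SHOW_STANDBY):
        print(f"{g['interface']} group {g['group']}: state {g['state']}, VIP {g['virtual_ip']}")
        for finding in hsrp_findings(g):
            print("  -", finding)
```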

The following is output generated from the show glbp command and a table describing the associated fields relating to GLBP configuration and operating details.

FastEthernet0/1 - Group 100
  State is Standby
    1 state change, last state change 1w0d
  Virtual IP address is 10.0.0.5 (learnt)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.508 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is 10.0.0.3, priority 100 (expires in 7.224 sec)
  Standby is local
  Priority 200 (configured)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    000d.bd8e.0781 (10.0.0.2) local
    001a.6ca7.b473 (10.0.0.3)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Listen
    MAC address is 0007.b400.6401 (learnt)
    Owner ID is 001a.6ca7.b473
    Time to live: 14397.224 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.0.0.3 (primary), weighting 100 (expires in 7.828 sec)
  Forwarder 2
    State is Active
      1 state change, last state change 1w0d
    MAC address is 0007.b400.6402 (default)
    Owner ID is 000d.bd8e.0781
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100

The following table describes important information shown in the command output:

Interface type and group number
    Interface type and number and GLBP group number for the interface.

State is
    State of the virtual gateway or virtual forwarder. For a virtual gateway, the state can be one of the following:
    - Active indicates that the gateway is the active virtual gateway (AVG) and is responsible for responding to Address Resolution Protocol (ARP) requests for the virtual IP address.
    - Disabled indicates that the virtual IP address has not been configured or learned yet, but another GLBP configuration exists.
    - Initial indicates that the virtual IP address has been configured or learned, but virtual gateway configuration is not complete. An interface must be up and configured to route traffic, and an interface IP address must be configured.
    - Listen indicates that the virtual gateway is receiving hello packets and is ready to change to the "speak" state if the active or standby virtual gateway becomes unavailable.
    - Speak indicates that the virtual gateway is attempting to become the active or standby virtual gateway.
    - Standby indicates that the gateway is next in line to be the AVG.

Virtual IP address is
    This is the virtual IP address assigned within the GLBP group.

Hello time, hold time
    The hello time is the time between hello packets (in seconds) based on the standby timers command. The hold time is the time (in seconds) before other routers declare the active or standby router to be down, based on the standby timers command.

Next hello sent in
    Time at which the Cisco IOS software will send the next hello packet (in an hours:minutes:seconds format).

Preemption enabled
    Indicates whether preemption is enabled with the glbp preempt command. If enabled, the minimum delay is the time for which a higher-priority non-active router will wait before preempting the lower-priority active router. This field is also displayed under the forwarder section, where it indicates GLBP forwarder preemption.

Active is
    This can be "local," "unknown," or an IP address. Address (and the expiration date of the address) of the current AVG. In the example above, it is the IP address of the other router participating in the GLBP group.

Standby is
    This can be "local," "unknown," or an IP address. Address (and the expiration date of the address) of the "standby" router (the router that is next in line to be the AVG). In the example above, it is the local router.

Priority
    The configured and operating GLBP group priority. This operating value may be different from the configured value if the track command has been configured and the tracked interface is down.

Weighting
    The initial weighting value with lower and upper threshold values.

Load balancing
    The load balancing method in the group. This can be one of the following:
    - Round-robin
    - Host-dependent
    - Weighted

Track object
    The list of objects that are being tracked and their corresponding states.

Group members
    This lists the actual IP address and MAC address of the routers participating in the GLBP group. GLBP may use these as AVFs.

Forwarders
    For a virtual forwarder, the state can be one of the following:
    - Active indicates that the gateway is the active virtual forwarder (AVF) and is responsible for forwarding packets sent to the virtual forwarder MAC address.
    - Disabled indicates that the virtual MAC address has not been assigned or learned. This is a transitory state because a virtual forwarder changing to a disabled state is deleted.
    - Initial indicates that the virtual MAC address is known, but virtual forwarder configuration is not complete. An interface must be up and configured to route traffic, an interface IP address must be configured, and the virtual IP address must be known.
    - Listen indicates that the virtual forwarder is receiving hello packets and is ready to change to the "active" state if the AVF becomes unavailable.
    In the example above, the local router is the only active virtual forwarder.

MAC address is
    This is the virtual MAC address being used within the GLBP group.

Owner ID is
    This is the actual MAC address of the forwarder.

***Wireless Overview

As you study this section, answer the following questions:
- What is a best practice to eliminate interference caused by wireless devices operating on overlapping channels?
- Which wireless component acts as a hub on the wireless side and a bridge on the wired side?
- What is the difference between an IBSS and ESS?
- What is the difference between refraction and multipath radio wave interference?
- What protocol does an access point use within a wireless mesh network to find the wired network?
- How can you overcome multipath interference in a wireless network?

This section covers the following exam objectives:
501. Describe the components and operations of WLAN topologies (i.e., AP and Bridge).

Wireless Facts

Wireless networks use radio waves for data transmission instead of electrical signals on Ethernet cables. In order to use radio waves as the medium for transmission, specific characteristics of radio waves are defined:

Frequency range or band
    Many radio devices operate within a specified frequency range, which limits the frequencies on which they are allowed to transmit. In the United States, radio frequency wireless LANs use one of two frequency ranges defined by the FCC:
    - Industrial, Scientific, and Medical (ISM) operating between 2.4 - 2.4835 GHz.
    - Unlicensed National Information Infrastructure (U-NII) operating between 5.75 - 5.85 GHz.

Channel
    The frequency range is divided into equal segments called channels. Wireless networking channels are much like television channels, where each channel allows for separate data transmission. However, channels within the range overlap with adjacent channels. By using specific channels and not others, you can ensure that the channels do not overlap, eliminating interference caused by wireless devices operating on different channels.
    - In the 5 GHz range, there are 23 total channels. 12 channels are nonoverlapping channels.
    - In the 2.4 GHz range, there are 11 total channels, with 3 nonoverlapping channels.

Modulation technique
    When a device sends data over a wireless network, it can change (or modulate) the radio signal's specifications. The three common modulation techniques used in wireless networking are:
    - Frequency Hopping Spread Spectrum (FHSS) uses a narrow frequency band and 'hops' data signals in a predictable sequence from frequency to frequency over a wide band of frequencies. This type of modulation is no longer used with current wireless standards.
    - Direct Sequence Spread Spectrum (DSSS) uses an 11-bit Barker sequence to break data into pieces and sends the pieces across multiple frequencies in a defined range.
    - Orthogonal Frequency Division Multiplexing (OFDM) is not a spread spectrum technique. It uses 48 discrete radio frequency channels that can carry data.
    Most newer devices use additional modulation techniques and enhancements, including:
    - Complementary Code Keying (CCK)
    - Quadrature Phase-shift Keying/Differential Quadrature Phase-Shift Keying (QPSK/DQPSK)
    - Binary Phase-Shift Keying/Differential Binary Phase-Shift Keying (BPSK/DBPSK)

Wireless networks use Carrier Sense, Multiple Access/Collision Avoidance (CSMA/CA) to control media access and avoid (rather than detect) collisions. CSMA/CA uses the following process:
1. The sending device listens to make sure that no other device is transmitting. If another device is transmitting, the device waits a random period of time (called a backoff period) before attempting to send again.
2. If no other device is transmitting, the sending device broadcasts a Request-to-send (RTS) message to the receiver or access point. The RTS includes the source and destination, as well as information on the duration of the requested communication.
3. The receiving device responds with a Clear-to-send (CTS) packet. The CTS also includes the communication duration period. Other devices use the information in the RTS and CTS packets to delay attempting to send until the communication duration period (and subsequent acknowledgement) has passed.
4. The sending device transmits the data.
5. The receiving device responds with an acknowledgement (ACK). If an acknowledgement is not received, the sending device assumes a collision and retransmits the affected packet.
6. After the time interval specified in the RTS and CTS has passed, other devices can start the process again to attempt to transmit.
Note: Using RTS and CTS (steps 2 and 3 above) is optional and depends on the capabilities of the wireless devices. Without RTS/CTS, collisions are more likely to occur.
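The channel-overlap rule from the table above worked through in Python, as an added example (not code from the original study guide). The page only states the result for the 2.4 GHz range (11 channels, 3 of them nonoverlapping); the channel plan used to derive it here is an assumption the page does not give: channel 1 centred on 2412 MHz, 5 MHz spacing between channels, and a 22 MHz wide 802.11b/g DSSS signal.

```python
"""Which 2.4 GHz channels overlap, and a check for a set of neighbouring access points.

Added example, not from the original study guide. Assumed channel plan: channel 1 is
centred on 2412 MHz, channels are spaced 5 MHz apart, and an 802.11b/g DSSS signal is
22 MHz wide. Channel 14 (centred on 2484 MHz) does not follow the spacing rule and is
left out, which does not affect the 11-channel US plan the page describes.
"""
from __future__ import annotations

CHANNEL1_CENTRE_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
SIGNAL_WIDTH_MHZ = 22        # DSSS channel width used by 802.11b/g


def centre_frequency(channel: int) -> int:
    """Centre frequency in MHz for 2.4 GHz channels 1-13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside the 1-13 plan")
    return CHANNEL1_CENTRE_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer together than one signal width."""
    return abs(centre_frequency(a) - centre_frequency(b)) < SIGNAL_WIDTH_MHZ


def nonoverlapping_channels(channels) -> list[int]:
    """Greedy pick from the lowest channel upward, keeping a channel only if it overlaps
    none already chosen. For channels 1-11 this yields the familiar set [1, 6, 11]."""
    chosen: list[int] = []
    for ch in sorted(channels):
        if not any(channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_pairs(ap_channels: dict) -> list[tuple[str, str]]:
    """Given {ap_name: channel} for access points within range of each other, list the
    pairs whose channels overlap: the interference the page says to avoid by choosing
    channels deliberately."""
    names = sorted(ap_channels)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if channels_overlap(ap_channels[x], ap_channels[y])]


if __name__ == "__main__":
    print("nonoverlapping set for channels 1-11:", nonoverlapping_channels(range(1, 12)))
    # Constructed floor plan: three APs on the recommended set plus one misconfigured on channel 3.
    plan = {"AP-1": 1, "AP-2": 6, "AP-3": 11, "AP-4": 3}
    print("interfering pairs:", interfering_pairs(plan))
```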
Wireless communication operates in half-duplex (shared, two-way communication). Devices can both send and receive, but not at the same time. Devices must take turns using the transmission channel. Typically, once a party begins receiving a signal, it must wait for the transmitter to stop transmitting before replying.

The image below illustrates several natural causes that impact broadcast radio waves:
- Absorption occurs when radio waves are absorbed by an object, such as a wall or furniture.
- Reflection occurs when radio waves bounce off objects, such as metal or glass surfaces.
- Scattering occurs when radio waves strike an uneven surface and are reflected in many directions.
- Refraction occurs when radio waves pass through objects and change direction, such as glass surfaces.
- Multipath occurs when radio waves are echoed off a physical object, creating two signals received at the same detector. The signals arrive at the detector out of phase with each other because one signal traveled a different length.
- Diffraction occurs when radio waves strike sharp edges, such as external corners of buildings, and the waves are bent.

Wireless Infrastructure Facts

There are two methods of wireless networking:

Ad Hoc
    An ad hoc network works in peer-to-peer mode. The wireless NICs in each host communicate directly with one another. An ad hoc network:
    - Uses a physical mesh topology.
    - Is cheap and easy to set up.
    - Cannot handle more than four hosts.
    - Requires special modifications to reach wired networks.
    You will typically only use an ad hoc network to create a direct, temporary connection between two hosts.

Infrastructure
    An infrastructure wireless network employs an access point (AP) that functions like a hub on an Ethernet network. With an infrastructure network:
    - The network uses a physical star topology.
    - You can easily add hosts without increasing administrative efforts (scalable).
    - The access point can be easily connected to a wired network, allowing clients to access both wired and wireless hosts.
    - The placement and configuration of access points require planning to implement effectively.
    You should implement an infrastructure network for all but the smallest of wireless networks.

The following diagram shows a sample enterprise wireless network operating in infrastructure mode:

The various components of a wireless network are described in the following table.

Station (STA)
    An STA is a wireless network card (NIC) in an end device such as a laptop or wireless PDA. STA often refers to the device itself, not just the network card.

Access Point (AP)
    An access point (AP), sometimes called a wireless access point, is the device that coordinates all communications between wireless devices as well as the connection to the wired network. It acts as a hub on the wireless side and a bridge on the wired side. It also synchronizes the stations within a network to minimize collisions.

Basic Service Set (BSS)
    A BSS, also called a cell, is the smallest unit of a wireless network. All devices in the BSS can communicate with each other. The devices in the BSS depend on the operating mode:
    - In an ad hoc implementation, each BSS contains two devices that communicate directly with each other.
    - In an infrastructure implementation, the BSS consists of one AP and all STAs associated with the AP.

Independent Basic Service Set (IBSS)
    An IBSS is a set of STAs configured in ad hoc mode.

Extended Service Set (ESS)
    An ESS consists of multiple BSSs with a distribution system (DS). The graphic above is an example of an ESS.

Distribution System (DS)
    The distribution system (DS) is the backbone or LAN that connects multiple APs (and BSSs) together. The DS allows wireless clients to communicate with the wired network and with wireless clients in other cells.

Wireless networks use the following for identification:

Service Set Identifier (SSID)
    The Service Set Identifier (SSID), also called the network name, groups wireless devices together into the same logical network. All devices on the same network (within the BSS and ESS) must have the same SSID. The SSID is a 32-bit value that is inserted into each frame. The SSID is case-sensitive. The SSID is sometimes called the BSS ID (Basic Service Set ID) or the ESS ID (Extended Service Set ID). In practice, each term means the same thing.
    Note: Using BSS ID to describe the SSID of a BSS is technically incorrect.

Basic Service Set Identifier (BSSID)
    The BSSID is a 48-bit value that identifies an AP in an infrastructure network or an STA in an ad hoc network. The BSSID allows devices to find a specific AP within an ESS that has multiple access points, and is used by STAs to keep track of APs when roaming between BSSs.
    Note: Do not confuse the BSSID with the SSID. They are not the same thing.

Access points can be organized in a mesh topology known as a wireless mesh network. The wireless mesh network is a coverage area of access points working as a single network. Access to the mesh is dependent on the access points working in harmony with each other to create the network. A wireless mesh network is reliable and offers redundancy. When placing access points in a wireless mesh network, Cisco's Adaptive Wireless Path Protocol (AWPP) establishes an optimal path to a wired gateway. AWPP details include the following:
- AWPP dynamically discovers neighboring radios and calculates the quality of all possible paths to the wired network.
- The calculations are continuously updated, allowing network connectivity and paths to change as the traffic patterns on wireless links change.
- The ability of AWPP to quickly adapt to changing links eliminates any single point of failure and increases the network's reliability.

There are two types of antennas you should be aware of:
- Directional antenna:
    - Creates a narrow, focused signal in a particular direction.
    - The focused signal provides greater signal strength, increasing the transmission distance.
    - Provides a stronger point-to-point connection, better equipping it to handle obstacles.
    - Can be highly-directional or semi-directional.
- Omni-directional antenna:
    - Disperses the RF wave in an equal 360-degree pattern.
    - Provides access to clients in a radius.

Wireless Standards Facts

Four organizations influence the standards used for wireless communication:

Federal Communication Commission (FCC)
    The FCC is the regulating US government agency over communication frequencies, including the frequencies used by wireless networking devices.

International Telecommunication Union Radiocommunications Sector (ITU-R)
    The ITU-R is the regulating international agency over communication frequencies.

Wi-Fi Alliance
    The Wi-Fi Alliance is an industry consortium that encourages interoperability of products that implement wireless standards.

Institute of Electrical and Electronics Engineers (IEEE)
    The IEEE is a technical professional group that, among other contributions, developed the 802.11 series that became the national and international standard.

The original 802.11 specification operated in the 2.4 GHz range and provided up to 2 Mbps. Additional IEEE subcommittees have further refined wireless networking.
Three of the most common standards as well as a new standard in draft stage are listed in the following table:

802.11a
    Frequency: 5 GHz (U-NII)
    Maximum speed: 54 Mbps
    Maximum range: 150 Ft.
    Channels (nonoverlapped): 23 (12)
    Modulation technique: OFDM
    Backwards compatibility: N/A

802.11b
    Frequency: 2.4 GHz (ISM)
    Maximum speed: 11 Mbps
    Maximum range: 300 Ft.
    Channels (nonoverlapped): 11 (3)
    Modulation technique: DSSS, CCK, DQPSK, DBPSK
    Backwards compatibility: No

802.11g
    Frequency: 2.4 GHz (ISM)
    Maximum speed: 54 Mbps
    Maximum range: 300 Ft.
    Channels (nonoverlapped): 11 (3)
    Modulation technique: DSSS (and others) at lower data rates; at higher data rates, OFDM, QPSK, BPSK
    Backwards compatibility: With 802.11b

802.11n
    Frequency: 2.4 GHz (ISM) or 5 GHz (U-NII)
    Maximum speed: 600 Mbps
    Maximum range: 1200 Ft.
    Channels (nonoverlapped): 2.4 GHz--23 (12 or 6); 5 GHz--11 (3 or 1)
    Modulation technique: OFDM and others, depending on implementation
    Backwards compatibility: With 802.11a/b/g, depending on implementation

Be aware of the following regarding the wireless network implementation:
- The actual speed depends on several factors including distance, obstructions (such as walls), and interference.
- The actual maximum distance depends on several factors including obstructions, antenna strength, and interference. For example, for communications in a typical environment (with one or two walls), the actual distance would be roughly half of the maximums.
- The speed of data transmission decreases as the distance between the transmitter and receiver increases. In other words, in practice, you can get the maximum distance or the maximum speed, but not both.
- Some newer 802.11a or 802.11g devices provide up to 108 Mbps using 802.11n pre-draft technologies (MIMO and channel bonding).
- The ability of newer devices to communicate with older devices depends on the capabilities of the transmit radios in the access point. For example:
    - Some 802.11n devices can transmit at either 2.4 GHz or 5 GHz. This means that the radio is capable of transmitting at either frequency. However, a single radio cannot transmit at both frequencies at the same time.
    - Most 802.11g devices can transmit using DSSS, CCK, DQPSK, and DBPSK for backwards compatibility with 802.11b devices. However, the radio cannot transmit using both DSSS and OFDM at the same time. This means that when you connect a legacy device to the wireless network, all devices on the network operate at the legacy speed. For example, connecting an 802.11b device to an 802.11n or 802.11g access point slows down the network to 802.11b speeds.
    - A dual band access point can use one radio to transmit at one frequency, and a different radio to transmit at a different frequency. For example, you can configure many 802.11n devices to use one radio to communicate at 5 GHz with 802.11a devices, and the remaining radios to use 2.4 GHz to communicate with 802.11n devices. Dual band 802.11a and 802.11g devices are also available.
- Multipath interference is less of an issue for OFDM implementations because the frequency is selective. DSSS comprises a single signal, whereas OFDM comprises multiple signals. Multipath interference affects an entire DSSS signal, yet it affects only a subset of the OFDM signals.
Note: Multiple antennas can also reduce multipath interference.

Wireless Security Facts

Security for wireless networking is provided by the following standards:

Wired Equivalent Privacy (WEP)
    WEP is an optional component of the 802.11 specifications and was deployed in 1997. WEP was designed to provide wireless connections with the same security as wired connections. WEP has the following weaknesses:
    - Static Pre-shared Keys (PSK) were given to the access point and client and could not be dynamically changed or exchanged without administration. As a result, every host on large networks usually uses the same key. Because it doesn't change, the key can be captured and easily broken.
    - The key values were short, making them easy to predict.

Cisco interim solution
    Cisco's interim solution was deployed in 2001 to address the problems of WEP. The solution included the following:
    - A Cisco proprietary version of Temporal Key Integrity Protocol (TKIP) encryption.
    - User authentication using 802.1x. 802.1x requires a centralized server (called a RADIUS server) to authenticate users through user account names and passwords.
    - The use of dynamic keys.

Wi-Fi Protected Access (WPA)
    WPA is the implementation name for wireless security based on initial 802.11i drafts and was deployed in 2003. It was intended as an intermediate measure to take the place of WEP while a fully secured system (802.11i) was prepared. WPA:
    - Uses TKIP for encryption.
    - Supports both Pre-shared Key (referred to as WPA-PSK or WPA Personal) and 802.1x (referred to as WPA Enterprise) authentication.
    - Can use dynamic keys or pre-shared keys.
    - Can typically be implemented in WEP-capable devices through a software/firmware update.
    Note: The Cisco interim solution is not compatible with WPA.

Wi-Fi Protected Access 2 (WPA2) or 802.11i
    WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications and was deployed in 2005. It is built upon the idea of Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent in WEP, and is intended to eventually replace both WEP and WPA. WPA2:
    - Uses Advanced Encryption Standard (AES) as the encryption method. It is similar to and more secure than TKIP, but requires special hardware for performing encryption.
    - Supports both Pre-shared Key (referred to as WPA2-PSK or WPA2 Personal) and 802.1x (referred to as WPA2 Enterprise) authentication.
    - Can use dynamic keys or pre-shared keys.
    Note: WPA2 has the same advantages over WEP as WPA. While more secure than WPA, its main disadvantage is that it requires new hardware for implementation.

Authentication on a wireless network is provided by one of the following methods.

Open
    Open authentication requires that clients provide a MAC address to connect to the wireless network. Access can be controlled on a limited basis by performing MAC address filtering, where only devices whose addresses are listed can connect. Because MAC addresses are easily spoofed, this provides little practical security.

Shared secret
    Shared secret authentication, also called pre-shared key authentication, configures clients and access points with a shared key (or password). Only devices with the correct shared key can connect to the wireless network.

802.1x
    802.1x is an authentication standard for wired Ethernet networks that allows for user authentication. The 802.1x standards have been adapted for use in wireless networks to provide secure authentication. 802.1x authentication requires the following components:
    - A RADIUS server to centralize user account and authentication information. A centralized database for user authentication is required to allow wireless clients to roam between cells but authenticate using the same account information.
    - A Public Key Infrastructure (PKI) for issuing certificates. At a minimum, the RADIUS server must have a server certificate. To support mutual authentication, each client must also have a certificate.

***Layer 2 Security Threats


As you study this section, answer the following questions:
29. What type of attack causes a switch to act like a hub and send all incoming packets out each port?
30. What is the difference between MAC Flooding and MAC Address Spoofing?
31. How does ARP Spoofing confuse the network devices?
32. How does VLAN hopping allow attackers to gain access to unauthorized VLANs?

This section covers the following exam objectives:
601. Describe common Layer 2 network attacks (e.g., MAC Flooding, Rogue Devices, VLAN Hopping, DHCP Spoofing, etc.)

Layer 2 Security Threat Facts


Layer 2 security attacks and threats are typically launched by a device within the network. This is because Layer 2 devices, generally located at the interior of the network, have a default operational mode that forwards all traffic unless configured otherwise. Conversely, devices located at the edge of an organization's border, such as a network router with a firewall, have a default, secure operational mode and allow no communication until configured otherwise. The lack of default security on the Layer 2 device provides an opportunity for the network to be quickly compromised, often without detection, when an attack is launched on an internal campus device.

A rogue device is any unauthorized device on the network. Rogue devices are connected to the network through ignorance or malice and may create a Layer 2 security threat. Rogue devices typically include the following:
- An unauthorized wireless access point
- An unauthorized switch
- A hub device connected by an employee
- An unauthorized laptop or workstation without proper security patches or virus protection

You should be aware of the following types of Layer 2 security threats:

MAC Flooding
MAC flooding is when a switch is flooded with packets, each containing a different source MAC address. MAC flooding consumes the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as in normal operation.

VLAN Hopping
VLAN hopping is when an attacking host on a VLAN attempts to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping:
- In a switch spoofing attack, an attacking host that is capable of speaking the tagging and trunking protocols used in maintaining a VLAN imitates a trunking switch. Traffic for multiple VLANs is then accessible to the attacking host.
- In a double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits.
  - The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by the first switch the packet encounters, and the packet is then forwarded.
  - The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were Layer 2 traffic. By this method, the attacking host can bypass Layer 3 security measures that are used to logically isolate hosts from one another.

DHCP Address Exhaustion and DHCP Server Spoofing
DHCP address exhaustion is when an attacking device requests all available IP addresses from a DHCP server by sending requests with fabricated client MAC addresses. DHCP server spoofing is when an attacking device establishes itself as a rogue DHCP server to cause a Denial of Service (DoS) attack.

ARP Spoofing
ARP spoofing (also called ARP poisoning) is a method of attacking an Ethernet network to allow data sniffing or cause a DoS. In ARP spoofing:
- Fake or spoofed ARP messages that contain false MAC addresses are sent to an Ethernet LAN.
- Network devices such as switches become confused and either:
  - Send frames to the wrong host, which allows the frames to be sniffed.
  - Send frames to unreachable hosts, which causes a DoS.

MAC Address Spoofing
MAC address spoofing is when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device.
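As an added example (not part of this study guide), the Python below runs the two checks a network team would want for the MAC flooding and ARP spoofing threats described above over a constructed sample of frame observations: a port-security-style count of distinct source MACs learned per access port, and a check for one IP address being claimed by more than one MAC in ARP replies. The port names, MAC addresses and IP addresses are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample of frames seen by a switch: (ingress port, source MAC, ARP reply or None).
# An ARP reply is recorded as (sender IP, sender MAC) taken from the ARP payload.
SAMPLE_FRAMES = [
    ("Gi0/1", "00:11:22:33:44:01", ("10.0.0.1", "00:11:22:33:44:01")),   # real gateway answering
    ("Gi0/2", "00:11:22:33:44:02", ("10.0.0.20", "00:11:22:33:44:02")),  # ordinary host
    ("Gi0/3", "de:ad:be:ef:00:01", ("10.0.0.1", "de:ad:be:ef:00:01")),   # gateway IP claimed by a second MAC
    ("Gi0/1", "00:11:22:33:44:01", None),
] + [
    # one access port sourcing many different MACs: the pattern MAC flooding produces
    ("Gi0/4", f"02:00:00:00:00:{i:02x}", None) for i in range(1, 8)
]


def macs_per_port(frames):
    """Rebuild the address-table view: which source MACs were learned on each port."""
    learned = defaultdict(set)
    for port, src_mac, _arp in frames:
        learned[port].add(src_mac)
    return learned


def mac_flooding_ports(frames, max_macs=2):
    """Ports whose learned-MAC count exceeds the allowed limit, as port security would flag them.

    Returns {port: distinct_mac_count}. An access port serving one workstation should
    learn one or two MACs; many in a short window means the table is being filled.
    """
    return {port: len(macs) for port, macs in macs_per_port(frames).items() if len(macs) > max_macs}


def arp_conflicts(frames):
    """IP addresses claimed by more than one MAC in ARP replies.

    Returns {ip: sorted list of MACs}. A legitimate host rebinds rarely; a second MAC
    answering for the gateway's IP is the signature of ARP spoofing (poisoning).
    """
    claims = defaultdict(set)
    for _port, _src_mac, arp in frames:
        if arp is not None:
            ip, mac = arp
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    print("MAC flooding suspects:", mac_flooding_ports(SAMPLE_FRAMES))
    print("ARP conflicts:", arp_conflicts(SAMPLE_FRAMES))
```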
