Video 1

Objective
1) Introduction of CCNP 2.0 switching
2) What is new added 2.0 or removed
3) Connectivity to channel
Intro
(SWITCH 300-115) is a 120-minute qualifying exam with 45‒55 questions for the Cisco CCNP and CCDP
certifications

Topic that removed

 Prepare Infrastructure to Support Advanced Services
 Implement a wireless extension of a Layer 2 solution
 Implement a VoIP support solution
 Implement video support solution
 EIGRP routing protocol

New added topics

 Configure and verify switch administration
 SDM templates
 Managing MAC address table
 Troubleshoot Err-disable recovery
 Configure and verify Layer 2 protocols
 CDP, LLDP & UDLD
 Configure and verify switch security features
 DHCP snooping
 IP Source Guard
 Dynamic ARP inspection
 Port security
 Private VLAN
 Storm control
 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS
 AAA with TACACS+ and RADIUS
 Local privilege authorization fallback
 Describe chassis virtualization and aggregation technologies
 Stack wise
http://www.cisco.com/web/learning/exams/list/switch2.html (to know more follow the link)
 Video 2
SDM (Switch Database Management) templets
SDM templates to configure system resources in the Catalyst switch to optimize
support for specific features, depending on how the switch is used in the network. You
can select a template to provide maximum system usage for some functions or use the
default template to balance resources.

SDM Templets types

1. Access templates
2. Default templates
3. Routing templates
4. VLAN templates
5. Dual Ipv4 and Ipv6 templates

Note: - SDM templets type depends on switches model, may not support to all
switches.

SDM configuration and verification

Switch(config)#sdm prefer “prefer_mode”

Switch#show sdm prefer

Note:- Save config and reboot in order to work

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swsdm.html
 Video 3

Objective of video
 Managing MAC address table
 Configuring and verifying MAC address table setting
 Troubleshooting MAC address table setting

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC
addresses in the address table are associated with one or more ports. The address table includes these types of
addresses:
• Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
• Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the
address and the type (static or dynamic).
The following sections describe how to manage the MAC address table:
• Disabling MAC Address Learning on an Interface or VLAN
• Displaying Address Table Entries

Disabling MAC Address Learning on an Interface or VLAN

By default, MAC address learning is enabled on all interfaces and VLANs on the router. You can control MAC address
learning on an interface or VLAN to manage the available MAC address table space by controlling which interfaces or
VLANs can learn MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the
network topology and the router system configuration. Disabling MAC address learning on an interface or VLAN could
cause flooding in the network.
Follow these guidelines when disabling MAC address learning on an interface or VLAN:
• Use caution before disabling MAC address learning on an interface or VLAN with a configured switch virtual interface
(SVI). The switch then floods all IP packets in the Layer 2 domain.
• You can disable MAC address learning on a single VLAN ID from 1 to 4094 (for example, no mac address-table
learning vlan 223) or a range of VLAN IDs, separated by a hyphen or comma (for example, no mac address-table
learning vlan 1-10, 15).
• We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address
learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain.
• You cannot disable MAC address learning on a VLAN that is used internally by the router. If the VLAN ID that you
enter is an internal VLAN, the switch generates an error message and rejects the command. To view internal VLANs
in use, enter the show vlan internal usage privileged EXEC command.
• If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on
that port.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 no mac-address-table learning {vlanvlan- Disable MAC address learning on an interface

id [,vlan-id | -vlan- or on a specified VLAN or VLANs.
id] | interfaceinterface slot/port}
You can specify a single VLAN ID or a range of
VLAN IDs separated by a hyphen or comma.
Valid VLAN IDs 1 to 4094. It cannot be an
internal VLAN.
 Step 3 End Return to privileged EXEC mode.

Step 4 show mac address-table learning[vlan vlan- Verify the configuration.

id | interface interfaceslot/port]

Step 5 copy running-config startup-config (Optional) Save your entries in the

configuration file.

To re-enable MAC address learning on an interface or VLAN, use the default mac address-
table learning global configuration command. You can also re-enable MAC address learning on a VLAN by
entering the mac address-table learning global configuration command. The first (default) command returns
to a default condition and therefore does not appear in the output from the show running-config command.
The second command causes the configuration to appear in the show running-config privileged EXEC
command display.

This example shows how to disable MAC address learning on VLAN 200:
Router(config)# no mac address-table learning vlan 200
This example shows how to `disable MAC-address learning` for all modules on a specific routed interface:

Router (config)# no mac-address-table learning interface GigabitEthernet 0/5

You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-
address-table learning [vlan vlan-id] privileged EXEC command.

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 12-1:

Table 12-1 Commands for Displaying the MAC Address Table

Command Description

show mac address-table Displays MAC address table information for the specified MAC
address address.

show mac address-table aging- Displays the aging time in all VLANs or the specified VLAN.
time

show mac address-table count Displays the number of addresses present in all VLANs or the
specified VLAN.

show mac address-table Displays only dynamic MAC address table entries.
dynamic

show mac address-table Displays the MAC address table information for the specified
interface interface.

show mac address-table Displays MAC address learning status of all VLANs or the specified
learning VLAN.

show mac address-table static Displays only static MAC address table entries.

show mac address-table vlan Displays the MAC address table information for the specified VLAN.

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Video no. 4

Objective of this video

 Understanding Errdisable Port State
 Understudying the cause of Errdisable Port State
 Configuring/verifying Errdisable recovery manually and automatic

Function of Errdisable
If the configuration shows a port to be enabled, but software on the switch detects an error situation on the port,
the software shuts down that port. In other words, the port is automatically disabled by the switch operating
system software because of an error condition that is encountered on the port.

When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. The port
LED is set to the color orange and, when you issue the show interfaces command, the port status shows
err−disabled. Here is an example of what an error−disabled port looks like from the command−line interface
(CLI) of the switch:

cat6knative#show interfaces gigabitethernet 4/1 status

Port Name Status Vlan Duplex Speed Type

Gi4/1 err−disabled 100 full 1000 1000BaseSX

Or, if the interface has been disabled because of an error condition, you can see messages that are similar to
these in both the console and the syslog:

%SPANTREE−SP−2−BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet4/1 with BPDU

Guard enabled. Disabling port. %PM−SP−4−ERR_DISABLE:
bpduguard error detected on Gi4/1, putting Gi4/1 in err−disable state
This example message displays when a host port receives the bridge protocol data unit (BPDU). The actual
message depends on the reason for the error condition.

The error disable function serves two purposes:

• It lets the administrator know when and where there is a port problem.
• It eliminates the possibility that this port can cause other ports on the module (or the entire module) to
fail.

Causes of Errdisable
• A cable that is out of specification (either too long, the wrong type, or defective)
• A bad network interface card (NIC) card (with physical problems or driver problems)
• A port duplex misconfiguration

There are various reasons for the interface to go into errdisable. The reason can be:

• Port channel misconfiguration

• BPDU guard violation
• UniDirectional Link Detection (UDLD) condition
• Late−collision detection
 • Link−flap detection
• Security violation
• Port Aggregation Protocol (PAgP) flap
• Layer 2 Tunneling Protocol (L2TP) guard
• DHCP snooping rate−limit
• Incorrect GBIC / Small Form−Factor Pluggable (SFP) module or cable
• Address Resolution Protocol (ARP) inspection
• Inline power

Note: Error−disable detection is enabled for all of these reasons by default. In order to disable error−disable
detection, use the no errdisable detect cause command. The show errdisable detect command displays the
error−disable detection status.

If you have enabled errdisable recovery, you can determine the reason for the errdisable status if you issue the
show errdisable recovery command. Here is an example:

cat6knative#show errdisable recovery

Errdisable Reason Timer Status
−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−− udld
Enabled bpduguard Enabled
security−violatio Enabled
channel−misconfig Enabled pagp−flap
Enabled dtp−flap Enabled
link−flap Enabled l2ptguard
Enabled psecure−violation Enabled
gbic−invalid Enabled
dhcp−rate−limit Enabled mac−limit
Enabled unicast−flood Enabled
arp−inspection Enabled Timer
interval: 300 seconds Interfaces that
will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
−−−−−−−−− −−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
Fa2/4 bpduguard 273

Other causes of late collisions include:

♦ A bad NIC (with physical problems, not just configuration problems)

♦ A bad cable

♦ A cable segment that is too long

• Loopback error

%PM−4−ERR_DISABLE: loopback error detected on Gi4/1, putting Gi4/1 in err−disable

state

Reenable the Errdisabled Ports

Issue the shutdown command and then the no shutdown interface mode command on the associated interface
in order to manually re-enable the ports.

The errdisable recovery command allows you to choose the type of errors that automatically reenable the ports
after a specified amount of time. The show errdisable recovery command shows the default error−disable
recovery state for all the possible conditions.
 cat6knative#show errdisable recovery ErrDisable Reason
Timer Status −−−−−−−−−−−−−−−−− −−−−−−−−−−−−−− udld
Disabled bpduguard Disabled security−violatio
Disabled channel−misconfig Disabled pagp−flap

Disabled dtp−flap Disabled link−flap

Disabled l2ptguard Disabled psecure−violation
Disabled gbic−invalid Disabled dhcp−rate−limit
Disabled mac−limit Disabled unicast−flood
Disabled arp−inspection Disabled Timer interval:
300 seconds Interfaces that will be enabled at the next
timeout:

Verify
• show interfaces interface interface_number status shows the current status of the switch port.
• show errdisable detect Displays the current settings of the errdisable timeout feature and, if any of the
ports are currently error disabled, the reason that they are error disabled.

Troubleshoot
• show interfaces status err−disabled Shows which local ports are involved in the errdisabled state.
• show etherchannel summary Shows the current status of the EtherChannel.
• show errdisable recovery Shows the time period after which the interfaces are enabled for errdisable
conditions.
• show errdisable detect Shows the reason for the errdisable status.

These notes takes from CISCO website then edited for this video

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Video no. 5 (300-115)

Objective of this session.

 Understanding neighbor and it`s information discovery using CDP/LLDP
 Configure, verifying and troubleshooting CDP/LLDP

CDP (CISCO discovery protocol) is CISCO proprietary that use to discover neighbor along with other
information etc. It use 01-00-0c-cc-cc-cc multicast address at layer 3 independent.
Note: - 01-00-0c-cc-cc-cc address also used by VTP/DTP/PAgP/UDLD

CDPv2 can use for below listed things.

1) Neighbors along with (Capability, IP,IP prefix, Hostname, Model no., Connected port, IOS version and
platform of device) information
2) VTP Domain name, VTP management Domain, Native VLAN etc.

CDP Configuration/Verification
Note. By default CDPv2 enable with 60/180 sec. keep live/dead timers
You can disable for privacy for share information to neighbor.
 On entire device SW1(config)#no cdp run
 On particular interface SW1(config-if)#no cdp enable
 Changing the timers of CDP SW1(config)#no cdp timer [5-254] sec , SW1(config)#no cdp hold time [10-
255]
 Changing the source IP address of CDP by default it use exit/egress interface ip address but you can
change it. SW1(config)#no cdp source-interface vlan 2
 Can be enable disable log of duplex mismatch on global and particular interface SW1(config)# cdp log
mismatch duplex , SW1(config-if)# cdp log mismatch duplex
LLDP (link layer discovery protocol) IEEE 802.1AB is open standard protocol similar to CDP
LLD work on IP network only While CDP layer three independent

 On cisco device by default it disabled

 30/120/2 hold time/frequency/re-initialization delay
 SW1#Show LLDP [interface] neighbor, SW1(config)#LLDP run, SW1(config-if)#LLDP run

Information gathered
Information gathered with LLDP is stored in the device as a management information database (MIB) and can
be queried with the Simple Network Management Protocol (SNMP) as specified in RFC 2922. The topology of
an LLDP-enabled network can be discovered bycrawling the hosts and querying this database. Information that
may be retrieved include:

 System name and description

 Port name and description
 VLAN name
 IP management address
 System capabilities (switching, routing, etc.)
 MAC/PHY information
 MDI power
 Link aggregation

Media endpoint discovery extension

Media Endpoint Discovery is an enhancement of LLDP, known as LLDP-MED, that provides the following
facilities:

 Auto-discovery of LAN policies (such as VLAN, Layer 2 Priority and Differentiated services (Diffserv)
settings) enabling plug and playnetworking.
 Device location discovery to allow creation of location databases and, in the case of Voice over Internet
Protocol (VoIP), Enhanced 911 services.
 Extended and automated power management of Power over Ethernet (PoE) end points.
 Inventory management, allowing network administrators to track their network devices, and determine their
characteristics (manufacturer, software and hardware versions, serial or asset number).
The LLDP-MED protocol extension was formally approved and published as the standard ANSI/TIA-1057 by
the Telecommunications Industry Association (TIA) in April 2006.[3]

These notes takes from CISCO/Wikipedi.org website then edited for this video

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Video no. 6 (300-115)

Objective of this video.

 Understanding and Configuring the Unidirectional Link Detection (UDLD) Protocol Feature
 Configure, verification and troubleshooting (UDLD)

Problem Definition
Spanning-Tree Protocol (STP) resolves redundant physical topology into a loop-free, tree-like
forwarding topology.
This is done by blocking one or more ports. By blocking one or more ports, there are no loops in the
forwarding topology. STP relies in its operation on reception and transmission of the Bridge Protocol
Data Units (BPDUs). If the STP process that runs on the switch with a blocking port stops receiving
BPDUs from its upstream (designated) switch on the port, STP eventually ages out the STP
information for the port and moves it to the forwarding state. This creates a forwarding loop or STP
loop.
Packets start to cycle indefinitely along the looped path, and consumes more and more bandwidth.
This leads to a possible network outage.
How is it possible for the switch to stop receiving BPDUs while the port is up? The reason is
unidirectional link. A link is considered unidirectional when this occurs:
The link is up on both sides of the connection. The local side is not receiving the packets sent by the
remote side while remote side receives packets sent by local side.
Consider this scenario. The arrows indicate the flow of STP BPDUs.

During normal operation, bridge B is designated on the link B-C. Bridge B sends BPDUs down to C,
which is blocking the port. The port is blocked while C sees BPDUs from B on that link. Now,
consider what happens if the link B-C fails in the direction of C. C stops receiving traffic from B,
however, B still receives traffic from C.C stops receiving BPDUs on the link B-C, and ages the
information received with the last BPDU. This takes up to 20 seconds, depending on the maxAge STP
timer. Once the STP information is aged out on the port, that port transitions from the blocking
state to the listening, learning, and eventually to the forwarding STP state. This creates a
forwarding loop, as there is no blocking port in the triangle A-B-C. Packets cycle along the path (B
still receives packets from C) taking additional bandwidth until the links are completely filled up. This
brings the network down.
Another possible issue that can be caused by a unidirectional link is traffic blackholing.

How Unidirectional Link Detection Protocol Works

In order to detect the unidirectional links before the forwarding loop is created, Cisco designed and
implemented the UDLD protocol.UDLD is a Layer 2 (L2) protocol that works with the Layer 1 (L1)
mechanisms to determine the physical status of a link. At Layer 1, auto-negotiation takes care of
physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform,
such as detecting the identities of neighbors and shutting down misconnected ports. When you
enable both auto-negotiation and UDLD, Layer 1 and Layer2 detections work together to prevent
physical and logical unidirectional connections and the malfunctioning of other protocols.UDLD
works by exchanging protocol packets between the neighboring devices. In order for UDLD to work,
both devices on the link must support UDLD and have it enabled on respective ports.
Each switch port configured for UDLD sends UDLD protocol packets that contain the port's own
device/port ID, and the neighbor's device/port IDs seen by UDLD on that port. Neighboring ports
should see their own device/port ID (echo) in the packets received from the other side. If the port
does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the
link is considered unidirectional. This echo-algorithm allows detection of these issues:
Link is up on both sides, however, packets are only received by one
side.
Wiring mistakes when receive and transmit fibers are not connected
to the same port on the remote side.
Once the unidirectional link is detected by UDLD, the respective port is disabled and this message is
printed on the console: UDLD-3-DISABLE: Unidirectional link detected on port
1/2. Port disabled
Port shutdown by UDLD remains disabled until it is manually re-enabled, or until errdisable timeout
expires (if configured).

UDLD Modes of Operation

UDLD can operate in two modes: normal and aggressive.
In normal mode, if the link state of the port was determined to be bi-directional and the UDLD
information times out, no action is taken by UDLD. The port state for UDLD is marked as undetermined.
The port behaves according to its STP state.
In aggressive mode, if the link state of the port is determined to be bi-directional and the UDLD
information times out while the link on the port is still up, UDLD tries to re-establish the state of the
port. If not successful, the port is put into the errdisable state.
Aging of UDLD information happens when the port that runs UDLD does not receive UDLD packets
from the neighbor port for duration of hold time. The hold time for the port is dictated by the
remote port and depends on the message interval at the remote side. The shorter the message
interval, the shorter the hold time and the faster the detection. Recent implementations of UDLD
allow configuration of message interval.
UDLD information can age out due to the high error rate on the port caused by some physical issue
or duplex mismatch. Such packet drop does not mean that the link is unidirectional and UDLD in
normal mode will not disable such link.

It is important to be able to choose the right message interval in order to ensure proper detection
time. The message interval should be fast enough to detect the unidirectional link before the
forwarding loop is created, however, it should not overload the switch CPU. The default message
interval is 15 seconds, and is fast enough to detect the unidirectional link before the forwarding loop
is created with default STP timers. The detection time is approximately equal to three times the
message interval.

For example: Tdetection ~ message_interval x3

This is 45 seconds for the default message interval of 15 seconds.

It takes Treconvergence=max_age + 2x forward_delay for the STP to reconverge in case of
unidirectional link failure. With the default timers, it takes 20+2x15=50 seconds.
It is recommended to keep Tdetection < Treconvergence by choosing an appropriate message
interval.

In aggressive mode, once the information is aged, UDLD will make an attempt to re-establish the link
state by sending packets every second for eight seconds. If the link state is still not determined, the
link is disabled.
Aggressive mode adds additional detection of these situations:
The port is stuck (on one side the port neither transmits nor
receives, however, the link is up on both sides).
The link is up on one side and down on the other side. This is issue might be seen on fiber ports. When
transmit fiber is unplugged on the local port, the link remains up on the local side. However, it is down
on the remote side.
Most recently, fiber FastEthernet hardware implementations have Far End Fault Indication (FEFI)
functions in order to bring the link down on both sides in these situations. On Gigabit Ethernet, a
similar function is provided by link negotiation. Copper ports are normally not susceptible to this
type of issue, as they use Ethernet link pulses to monitor the link. It is important to mention that in
both cases, no forwarding loop occurs because there is no connectivity between the ports. If the link
is up on one side and down on the other, however, blackholing of traffic might occur. Aggressive UDLD
is designed to prevent this.
 Configuration and Monitoring
These commands detail the UDLD configuration on Catalyst switches that run CatOS. UDLD needs to first be
enabled globally (default is disabled) with this command:
Vega> (enable) set udld enable
UDLD enabled globally

Issue this command: to verify whether the UDLD is enabled

Vega> (enable) show udld
UDLD: enabled
Message Interval: 15 seconds

UDLD also needs to be enabled on necessary ports with this command:

Vega> (enable) set udld enable 1/2
UDLD enabled on port 1/2

Issue the show udld port command to verify whether UDLD is enabled or disabled on the port and what the
link state is:
Vega> (enable) show udld port
UDLD : enabled
Message Interval : 15 seconds

Port Admin Status Aggressive Mode Link State

-------- ------------ --------------- ----------------
1/1 enabled disabled undetermined
1/2 enabled disabled bidirectional

Aggressive UDLD is enabled on a per-port basis with the set udld aggressive-mode enable <module/port>
command:
Vega> (enable) set udld aggressive-mode enable 1/2
Aggressive UDLD enabled on port 1/2.
Vega> (enable) show udld port 1/2
UDLD : enabled
Message Interval : 15 seconds

Port Admin Status Aggressive Mode Link State

-------- ------------ --------------- ----------------
1/2 enabled enabled undetermined

Issue this command to change the message

interval:
Vega> (enable) set udld interval 10
UDLD message interval set to 10 seconds

The interval can range from 7 to 90 seconds, with the default being 15 seconds.

These notes takes from CISCO website then edited for this video
For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about
Or e-mail us [email protected]
 Video no. 7 (300-115)

Objective of this videos

 Understanding, configuring and verifying VLAN & trunk.
 Troubleshooting and managing VLAN database.

VLAN is layer 2 isolation of traffic (1VLAN=1 broadcast domain=1subnet) for better resource utilization, QOS,
logically groups users and security.

VLAN no.: -
VLAN no. Usage Description
0,4094 Reserved Not show on VLAN database
1,1002-5 Default VLAN Can`t modified/delete, can use only
1006-4094 Extended range VTP modes must be transparent to use extended range of VLAN
2-1001, Use for Ethernet Can be used and modified/delete if necessary for Ethernet LAN
1006-4094 LAN
Note no. of VLAN also depend on switch model.

Type of VLAN: -
Type of VLAN Descriptions
Data Use for normal data
Voice/axillary Use for IP phone/Voice over IP
Private Use for security , it divided primary and secondary VLAN
Management A VLAN which for Telnet, SSH for configuration
Extended Nothing special but will usable if VTP mode is transparent on switches
Native VLAN For backward compatibility, frame are untagged send over trunk link (by default VLAN1)
Note: - On topic of infra security will discuss more for Private VLAN in this series

Host/node assignment on VLAN: -

By port basis, port reserve for particular VLAN, manual assignment required every time while
assigning to other VLAN
By MAC address basic, more efficient utilization, any port can be used for any VLAN (VMPS
server required)
Note: - A single port can be used for Data and Voice VLAN as well

VLAN creation ways: -

1) On global prompt
2) On VLAN database prompt
3) Directly assign interface to VLAN also create VLAN if not exists
VLAN port Roles: -

Switch port mode Description and works

Access Belong to one VLAN for data can voice as well, not deal with tagged
frame until IP phone connected to that port (disable DTP)
Trunk Belong to multiple VLAN, Deal with tagged & untagged frame (DTP can
be disable for ISL and .1q tagging, default is enable )
Dynamic auto Negotiation mode to for trunk and access (default role)
Dynamic Desirable Negotiation mode but activity form trunk (available on higher series )
*Single port can be belong two different VLAN one for data other for Voice
Note: - Port Operational mode changes if port is Auto/desirable

Valid mode of port to forming Trunk: -

Port role side A Port role side B Result

Access Access No trunk form
Access Trunk No trunk form
Access Desirable No trunk form
Dynamic auto Dynamic auto No trunk form
Desirable Dynamic auto Trunk form
Desirable Desirable Trunk form
Desirable Trunk Trunk form
Trunk Dynamic auto Trunk form
Trunk Trunk Trunk form

Administrative Mode V/S Operational Mode

Configure to work as = Administrative Mode (define by Admin)
Currently working as = Operational Mode (select by negotiation)

Note: - If port Administrative mode is Auto/dynamic/desirable then it can be work as access or trunk by
negotiation
Troubleshooting Trunk port
Switch#show interfaces f0/1 switchport
Switch#show interfaces trunk

Characteristics of trunk port & access port:-

 Trunk port generally use for connect switches and router.

 Access port use port connect end device (like Computer, IP Phone, IP camera etc.
 Trunk port is member of all VLAN be default.
 Access port is member of one data VLAN and voice VLAN if vice VLAN configured.
 A trunk link must have same native VLAN on both side.
 Trunk port can be allow or deny particular VLAN data.
Trunk encapsulation/tagging: -

.1q ISL
IEEE (802.1q) CISCO proprietary
Backward compatible (Native VLAN) No compatibility
Support 4095 no. of VLAN 1000 no. of VLAN
Header size 4 bytes 26 bytes
Trailer size N/A 4 bytes
FCS and recalculation required Not required

Dynamic Trunking Protocol (DTP) is a proprietary networking protocol developed by Cisco

Systems for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for
negotiating the type of trunking encapsulation to be used. It works on the Layer 2 of the OSI model.
VLAN trunks formed using DTP may utilize either IEEE 802.1Q or Cisco ISL trunking protocols.

Managing VLAN database and troubleshooting: -

 Removing VLAN
 Unassigned port from VLAN /Default mode
 Deleting VLAN database

Problem) why port not shown while executed command SW1# show vlan
Solution: - Port may trunk or assign to deleted/removed VLAN from database

Problem) why VLAN automatic created after power recycle, even after deleted from database
& flash:
Solution: - Port may assign to VLAN so after rebooting switch find startup configuration with
VLAN that not exist will create automatically

These notes takes from CISCO website then edited for this video
For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about
Or e-mail us [email protected]
 Video no. 8 (300-115)

Objective of this videos

 VTP (v1 & v2) detail, Modes, authentication
 VTP pruning , Automatic and Manual
 VTP (v1 & v2) drawback/problem

VLAN trunking protocol (VTP):-

 VLAN Trunk Protocol (VTP) reduces administration in a switched network.
 Use to synchronize VLAN creation and modification.
 But not assign port to the VLANs, required manual assignment or VMPS
 VTP is CISCO proprietary protocol
 All trunk port will send and receive VTP advertisement by default no matter what VTP mode of
operation on switch for (version 1 and 2)
 VTP need configure VTP domain name (by default null) and appropriate trunk link.
 By default VTP v1 is enabled
 VTP v1 & v2 not able to advertised Extended and private VLAN
 In VTP domain no one device can disable VTP

SERVER
 Creation and modification VLAN on entire VTP domain
 By default switches operate on VTP server mode
 Can be synchronize other server`s updates on same VTP domain based on configuration
reversion no.
Client
 Cannot create or modifying the VLAN
 Depended on server
Transparent
 Creation and modification allowed but locally not entire domain
 Doesn’t synchronize from servers
 If server or client change as transparent it keep previous VLAN as it is but revert
configuration reversion no. to 0

What is Configuration reversion no.?

 Basically use to represent and resynchronize VLAN database
 It increase on every modification of VLAN database like (Creation/deletion/renaming
VLANs)
 Server/client updates their database if higher configuration are received.
 Range of Configuration reversion no is 0-65535
 Can be reset (or 0) by changing to transparent mode or deleting VLAN.dat file
 Trigger updates send on modification to entire domain
VTP pruning
Block unnecessary traffic (unknown unicast, multicast & broadcast)
Not applicable to transparent modes
Auto pruning
Need to be enable only on VTP server switch rest of will come known automatically
VLAN 2-1001 are prune eligible in VTP 1&2 version (can pruned)
1002-4094 will not pruned eligible to prune it required manual pruning
Manual pruning
Need to be create allow list on trunk interfaces at any switch
Manual pruning can be prune eligible and non-eligible VLAN

VTP transparent mode problem

1) It not forward data that send by other switches for any vlan to other switch if
transparent switch do not have same VLAN on local database
2) If VTP domain not match they never send VTP updates to others
3) A trunk port that is connected to non VTP supported switch/device will allow all active
vlan without prune because not getting reply back about VTP message

Since VTP port only usage VTP advertisement

These notes takes from CISCO/Wikipedia.org website then edited for this video
For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about
Or e-mail us [email protected]
 VTP v 3 detail 300-115(v-9)
Objective of this video
 Enhancement in VTP v3
 Configuration & verification

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs within a VTP domain. A VTP domain (also called a VLAN management
domain) is made up of one or more network devices that share the same VTP domain name and that are
interconnected with trunks. VTP minimizes misconfigurations and configuration Inconsistencies that can result
in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security
violations. Before you create VLANs, you must decide whether

Support/Feature VTP v1 , v2 VTP v3

Ethernet Yes Yes
Token ring Only v2 No
VLAN propagation 1-1001 1-4095
VLAN pruning 1-1001 1-1001 no enhancement
Propagation information Normal VLAN only Normal, Private, MST and unknown
VTP Modes Server, Client and Transparent Server, Client, Transparent and off
Database alternation Server (transparent but locally) Primary server only
Password Keep in clear text Can be hide
VTP adv. control Not possible Can be disable for all interface (trunk)nor specific as well

Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the
range 1006 to 4094 are removed from VTP control.
VLANs 1002 to 1005 are reserved VLANs in VTP version 1, version 2, and version 3.
VTP mode Off—In VTP off mode, a network device functions in the same manner as a VTP transparent device except that it does not
forward VTP advertisements.
VTP version 3 regions can only communicate over a VTP version 1 or VTP version 2 region in transparent mode.
VTP 1, 2 and 3 not interoperable and domain name must be match to all device.

Understanding VTP Advertisements

Each network device in the VTP domain sends periodic advertisements out each trunking LAN port to a reserved multicast address.
VTP advertisements are received by neighboring network devices, which update their VTP and VLAN configurations as necessary.
VTP version 1 and version 2 advertisements:
• VLAN IDs (ISL and 802.1Q).
• Emulated LAN names (for ATM LANE).
• 802.10 SAID values (FDDI).
• VTP domain name.
• VTP configuration revision number.
• VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN.
• Frame format.

In VTP version 3, the information distributed in VTP version 1 and version 2 advertisements are supported, as well as the following
information:
• A primary server ID.
• An instance number
• A start index.
• An advertisement request is sent by a Client or a Server in these situations:
– On a trunk coming up on a switch with an invalid database.
– On all trunks when the database of a switch becomes invalid as a result of a configuration change or a takeover message.
– On a specific trunk where a superior database has been advertised.
• VTP version 3 adds the following fields to the subset advertisement request:
– A primary server ID.
– An instance number.
– A window size.
– A start index.
 EtherChannel 300-115(v-10)

Technique to combine multiple physical link to make a single logical link for load balancing or load sharing
and fault tolerance, A.K.A Port channel, Channeling, Link aggregation and NIC teaming. Link aggregation can
be use with: Switch to switch, Server to switch and switch to router

Goals and Objectives of LA (link aggregation)

 Increased bandwidth – multiple links combined into one logical link

 Linearly incremental bandwidth – increase in unit multiples as per link added

 Increased availability – failure of a single link within aggregation not cause other member

 Load Sharing – Client traffic may be distributed across links

 Auto Configuration – Configuration on EtherChannel port will also apply to member link

 Rapid convergence – Faster convergence for the link

 Cheaper solution- can be use on existing infrastructure

 L2/L3 – Can be configure as layer 2 and layer three

 Free operation mode - can be use as trunk, access, tunnel as well

 Here we will discuss link aggregation between switches

There are three way to use link aggregation

1) On
• No negotiation, manual configuration required
• Miss-configuration susceptible
• Better way first turn off link which going to be member of port Channel

2) PAgP
• Port aggregation protocol is CISCO proprietary
• Use CDP for negotiation
• Not interoperable with ON and LACP
• Miss-configuration resolution
• It has ‘Auto’ and ‘desirable’ mode

3) LACP
• LACP is IEEE 802.3ad standard
• It has ‘Active’ and ‘Passive’ mode

Note: - PAgP, LACP and ON are not interoperable or compatible

“ON” mode need to define on both switches and is miss-configuration can occur.
To prevent miss-configuration first shutdown interface which going to become the member of EtherChannel
after configuration turn on the port channel it will also turn on member link automatically

Using negotiation method (PAgP or LACP)

• Fast convergence
• Miss-configuration auto resolution

Compatibility Requirements

When you add an interface to a channel group, Cisco NX-OS checks certain interface attributes to
ensure that the interface is compatible with the channel group. Cisco NX-OS also checks a number
of operational attributes for an interface before allowing that interface to participate in the port-
channel aggregation.
The compatibility check includes the following operational attributes:
• Port mode
• Access VLAN
• Trunk native VLAN
• Allowed VLAN list
• Speed
• 802.3x flow control setting
• MTU

The Cisco Nexus 5000 Series switch only supports system level MTU. This attribute cannot be
changed on an individual port basis.
• Broadcast/Unicast/Multicast Storm Control setting
• Priority-Flow-Control
• Untagged CoS
When the interface joins an EtherChannel, the following individual parameters are replaced with the
values on the EtherChannel:
• Bandwidth
• MAC address
• Spanning Tree Protocol

The following interface parameters remain unaffected when the interface joins an EtherChannel:
• Description
• CDP
• LACP port priority
• Debounce

Load Balancing Using EtherChannels

Cisco NX-OS load balances traffic across all operational interfaces in an EtherChannel by reducing
part of the binary pattern formed from the addresses in the frame to a numerical value that selects
one of the links in the channel. EtherChannels provide load balancing by default and the basic
configuration uses the following criteria to select the link:
• For a Layer 2 frame, it uses the source and destination MAC addresses.
• For a Layer 3 frame, it uses the source and destination MAC addresses and the source and
destination IP addresses.
• For a Layer 4 frame, it uses the source and destination MAC addresses, the source and
destination IP addresses, and the source and destination port number.
You can configure the switch to use one of the following methods to load balance across the
EtherChannel:
• Destination MAC address
• Source MAC address
• Source and destination MAC address
• Destination IP address
• Source IP address
 • Source and destination IP address
• Destination TCP/UDP port number
• Source TCP/UDP port number
• Source and destination TCP/UDP port number

Valid mode on both switches to form Ether-Channel

Protocol Mode one end Mode other end Result
ON ON ON Form the LAG
PAgP Desired Desired Form the LAG
PAgP Desired Auto Form the LAG
LACP Active Active Form the LAG
LACP Active Passive Form the LAG

Enabling EtherChannel Guard

You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or
MSTP.
Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure is optional.

Command Purpose
Step 1 configure terminal Enter global configuration mode.

Step 2 spanning-tree etherchannel guard misconfig Enable EtherChannel guard.

Step 3 end Return to privileged EXEC mode.

Step 4 show spanning-tree summary Verify your entries.

Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.

To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration
command.
You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because
of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC
command to verify the EtherChannel configuration.
After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel
interfaces that were misconfigured.
Q: How many Channel-group can create?

Ans. It depend on platform

Q: Does all switches perform all method of load balancing?

Ans. No it also depend on load-balancing

Q: Does channel-group no. should be identical on both end of switches?

Ans. This is locally significant.

http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html#cat2950_3550

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIC
o nfigurationGuide/EtherChannel.html
 STP 300-115 (v-11)

Objective of this video

 Understanding the Layer 2 loops
 Understanding working of STP
 Configure and verifying STP
 Troubleshooting STP

The behavior of switch/bridge, they perform frame flooding in case of unknown unicasting, multicasting and
broadcasting so if there any redundant link available that can cause layer 2 loop.
In layer loops can cause these problem
 Endlessly layer 2 loops
 Unnecessary resources utilization and multiple frame transmission
 Unstable MAC table
 Unnecessary frame lookup by host
To prevent this problem spanning tree protocol used
STP/STA (spanning tree algorithm) written by “Radia Perlman” for detecting layer 2 loops casing link ,and
block it till first one link goes down or disconnected
To work STP every port send BPDU (bridge protocol data unit) every 2 second for preventing layer 2 loop
And send/receive topology changes

BPDU works for.

Detecting layer 2 loops if originated BPDU frame received by other port in same VLAN
Selecting Root Bridge Reference point of topology synchronization Lower BID become Root
bridge (Root priority +VLAN ID+ MAC address)
Finding Root port All non-Root switched find lowest (cost + priority) link to get Root bridge
that port know as Root port
Synchronizing topology changes When root bridge went down or topology got changes then it send and
and acknowledgement received.

Note: - Root bridge switches all port is designated port and forwarding state
STP can not to turn off
  Bridge priority increment use 4096 because no of VLAN can exist in switches
 Bridge ID and system ID tie up by default so Lower MAC address switch/bridge selected as Root
Bridge
 Root Bridge can changes timers of STP and advertised to all
 Root Bridge is also responsible for propagate TCN (topology changes notification)

STP path selection

 Bridge with lower Bridge ID becomes the Root Bridge
 Prefer the neighbor with the lowest cost Root
 Prefer the neighbor with the lower Bridge ID
 Prefer the lowest sender port ID

STP version

http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 STP Enhancement/feature

There is three category of STP enhancement: -

1) Faster convergence
2) STP security
3) Loop prevention

Faster convergence

Port fast
 By passing the listening and learning states for trunk and access port.
 Better to connect work station or server
 If connecting with switches it may cause loop
 PVST+, rapid PVST+, or MSTP, support this feature
 Can be enable on interface or globally [spanning-tree portfast |spanning-tree portfast default]
 When running on globally it enable Portfast on interface that is edge port
 It also not affects to MAC-address table

Switchport host
 switchport mode will be set to access
 spanning-tree portfast will be enabled
 channel group will be disabled

Uplink fast
 AlterNet port become root port immediately it bypass listening and learning states toward root Bridge,
 The UplinkFast feature is supported only when the switch is running PVST+

Backbone fast
 BackboneFast is a complementary technology to the UplinkFast feature
 Supported only when the switch is running PVST+
 Indirect failure detection in direction of root bridge
Cross-stack UplinkFast
 Similar to Uplink fast but usage only GigaStack,
 The UplinkFast feature is supported only when the switch is running PVST+
 less than 1 second under normal network conditions)
 Support to 2900/2950/3500/3550 switches that have the 1000BASE-X module installed.

STP security
BPDU filter
 Prevent sending and receiving BPDU on enabled port
BPDU Guard
 Interface that BPDU guard enable will keeps port error disable mode immediately if BPDU received
Root Guard
 Root guard enabled interface cannot become root port

Loop prevention

STP loop guard

 Use BPDU keeplive to prevent unidirectional link failure
UDLD (unidirectional link detection)
 Use UDLD keeplive message to prevent unidirectional link failure
 RSTP 300-115 (v-13)
What is RSTP & how does it works?
RSTP configuration verification and troubleshooting

RSTP (Rapid spanning-Tree protocol

 New standard define IEEE 802.1w but now IEEE 802.1D 2004
 Faster convergence using proposal method
 Simplifies port state
 Adding new port roles
 Way of path selection as it is

STP vs RSTP port state

STP RSTP
Disabled
(Shutdown by admin) Discarding
Blocking (Blocking data frame)
(Blocked redundant link by STP)
Listing
(Listing the data frame) Learning
Learning (Building CAM table & data dropping)
(creating CAM table )
Forwarding Forwarding
(Converged, Data flow allowed ) (Converged, Data flow allowed )

RSTP port role

Root port: -
 Port facing direction of Root Bridge
AlterNet port: -
 Port facing direction of Root Bridge but discarding state.
 Convergence is same as Unlink fast
Designated port: -
 Direction of non-Root Bridge
Backup port: -
 Back-up of designated port toward Non-Root Bridges
 Downstream device is not aware to STP
Enhancement on RSTP
Edge port: -
Edge port is same as portfast that not generate TCN
Configuration is as it for work with legacy STP as well
RSTP link type (for Non-edge port)
 Point-to-point (full duplex) can be used for RSTP
 Shared (Half duplex) fall back in Legacy STP
Working way of RSTP
 RSTP use Proposal system for faster convergence
 Every switch generate BDDU that mean if topology change occur switch will going to find out other
link to get root bridge after 3 hello (2*3= 6 sec)
 A very lager network may longer time to converge
Note: - Even after running RSTP TCN going to propagate that will flush the CAM table so to use edge port as
possible
 MST (Multiple spanning tree protocol)

What is MST & it`s working?

Intra-Region & Inter-Region?
Configuration and verification

MST multiple spanning tree protocol

▪ Initiated by CISCO as MISTP (Multiple instance STP)
▪ Later standard define as IEEE 802.1s A.K.A IEEE 802.1q-2005
▪ It avoid unnecessary resources utilization
▪ Single MST instance can be map to multiple VLAN STP or common STP
▪ It use RSTP for topology calculation
▪ Compatible to legacy STP & PVST

MST region
Where every switches in a region agree to run MST with compatible parameters
Within the region, all switches must run the instance of MST that is defined by the following attributes:

■ MST configuration name (32 characters)

■ MST configuration revision number (0 to 65535)
■ MST instance-to-VLAN mapping table (4096 entries)

If two switches have the same set of attributes, they belong to the same MST region. If not, they
belong to two independent regions.
MST BPDUs contain configuration attributes so that switches receiving BPDUs can compare them
against their local MST configurations. If the attributes match, the STP instances within MST can be
shared as part of the same region. If not, a switch is seen to be at the MST region boundary, where
one region meets another or one region meets traditional 802.1D STP

Understanding Intra and Inter Region

Intra Region

 Details of the region are same within the region

 VLAN to STPIs are manually defined
 Unmapped VLANs fall into CIST or reserved MST instance 0
Inter Region

 Details between regions are different

 Different regions see each other as single bridges
 Result is simplified Inter-Region calculation
 Intra-region MSTIs are look like CIST

MST configuration detail

SW(config)#spanning-tree mst configuration (selecting mst config mode)

SW(config-mst)#name MY_LAN (Assign Region name)
SW(config-mst)#revision [0-65535] (configure manual reversion no.)
SW(config-mst)# instance [0-4094] vlan “Rang” (Mapping VLANs to instances)
SW(config-mst)#exit
SW(config)#spanning-tree mode mst (enabling MST mode operation)

Note:- Make sure VLAN are already exists

Modification & verification detail

spanning-tree mst [0-65535] cost (modifying default cost)
spanning-tree mst [0-65535] priority (Modify the Bridge ID)
spanning-tree mst [0-65535] port-priority (Modify the Port ID)
show spanning-tree interface [int] detail (Verification)
show spanning-tree mst [0-65535] detail (Verification)

http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 First Hop Redundancy protocol overview
In (300-115) CCNP switch we are going discuss three type of FHRP or gateway load-balancing protocol but
there is more than three protocol.

1) HSRP (Hot standby router protocol)

2) VRRP (Virtual router redundancy protocol)
3) GLBP (Gateway load balancing protocol)

Basically FHRP (First hop redundancy protocol) provide redundancy and load balancing of default gateway
(first hop) by connecting multiple physical Router and treat as one or more logical router which work as
gateway for LAN devices.

http://en.wikipedia.org/wiki/First-hop_redundancy_protocols

Working of FHRP

 Creating group of Physical gateway using Layer 3 device (Router/switches)

 Agree to assign one virtual IP address, which same to all first hop device
 Virtual IP going to use as gateway address to all LAN device
 Creating one or more virtual MAC address
 One first hop is respond ARP request (A.K.A. Active/AVG/Master)
 Use keeplive message in order to get Virtual gateway status
 LAN devices use Virtual IP & MAC address as default gateway
 In MLS there is two way to achieve FHRP
 Using Vlan interface or making no switchport to assign Virtual and Physical IP

Additional Feature
1) Adding IP SLA
2) Authentication
http://www.cisco.com/c/en/us/products/ios-nx-os-software/first-hop-redundancy-protocol-fhrp/index.html

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Hot Standby Router Protocol

 CISCO proprietary, but defined in RFC 2281

 There is two version of HSRP (HSRPv1 and v2)
 Highest priority gateway elect as active gateway
 Active gateway is owner of vMAC/vIP & responding ARP request.
 Default priority is 100 can modify (0-255)
 Highest interface IP as the tie-breaker
 Preempt disabled by default
 Uses UDP multicast 224.0.0.2 at port 1985 for transport
 Messages can be authenticated using clear text or MD5
 HSRPv1 virtual MAC 0000.0c07.acXX. (XX is group no.{0-255})
 HSRPv2 virtual MAC 0000.0c9f.fXXX. (XXX is group no.{0-4095})
 HSRPv2 support IPv6 address
 HSRP versions are not compatible
 Load sharing possible using multiple groups & virtual IP with priority modification

Virtual Router Redundancy Protocol

 Standard based alternative to HSRP
 Virtual Router Redundancy Protocol (VRRP) define in RFC 3768
 Uses terms master/backup same as active/standby
 Rest of concepts are similar
 Uses own transport protocol 112 to IP 224.0.0.18
 Virtual MAC is 0000.5E00.01XX. (XX is group no.)
 Preempt enabled by default
 Can used Physical IP as virtual IP but by default that physical IP assign interface
gateway become master using highest priority 255
 Load sharing can achieve by using multiple group & virtual IP with changing the
priority
 There is three version of VRRP
 VRRPv3 support IPv6 as well

http://meefirst.blogspot.in/2012/02/virtual-router-redundancy-protocol-
vrrp.html
 Gateway Load Balancing Protocol

Gateway Load Balancing Protocol

 Cisco Proprietary Protocol
 Successor of HSRP
 Support load balancing with single vIP & multiple vMAC
 Load balancing by round robin, host dependent & weightage
 Transport via UDP port 3222 to IP 224.0.0.102
 Gateway can have two role AVF & AVG

Role of Active Virtual forwarder (AVF)

 Gateway which is actively forwarding data to WAN
 Not responding ARP request
 Each Gateway forward data toward WAN
 Each AVF assigned a unique virtual MAC by AVG
 AVF working standby for AVG
 For each vMAC one AVF is active rest of VRF will be standby

Role of Active virtual gateway (AVG)

 Only single gateway can works as AVG
 AVG respond ARP requests
 Can respond more than one unique vMAC
 Gateway which have highest priority become AVG
 Load balancing algorithm can change from AVG

Note: - 1) Object tracking can used on AVG & AVF

2) Neither FHRP compatible to each other
 FHRP for IPv6

 Gateway devices should be enabled IPv6 unicast routing

 Can configure only Link local address E.g. FE80:
 LAN device come know about gateway by Router solicitation
 Rest of all remain same
 Protocol that support IPv6 first hop redundancy

1) HSRPv2
2) GLBP
3) VRRPv3

VRRPv3

 Support many type interface Ethernet family, Bridge Group Virtual Interface
(BVI), Multiprotocol Label Switching (MPLS) Virtual Private Networks
(VPNs), VRF-aware MPLS VPNs, and VLANs.
 IPv6 address supported
 Also support Secondary IP addresses
 Multiple subnet can used Secondary IP
 Need to define address-family first
 Allow to configure both address-family on same group
 VRRPv3 need to enabled globally not on interface
 VRRPv3 not support authentication
 Rest of thing are remain same

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhrp-
vrrpv3-xe.html
For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about
Or e-mail us [email protected]
 Switch port Analyzer (SPAN)

You can analyze network traffic passing through ports or VLANs by using SPAN to
send a copy of the traffic to another port on the local switch or on remote switch
that has been connected to a network analyzer or other monitoring or security
device

 Analyze or monitor traffic for security and other purpose

 Can be analyze interface(s) or VLAN(s) as source
 As destination interface(s) or VLAN(s) can used
 Traffic can be analyze one or both direction
 On destination ports Analyzer device can connect (IDS, host with packet
sniffer software etc.)

SPAN Types

1) Local SPAN (SPAN)

 Source and destination ports on same switch or switch stack
 Tagging or encapsulation not require

2) Remote SPAN(RSPAN)
 Source and destination ports can be remote switch or switch stack
 It use a dedicated VLAN for transport (Remote-span VLAN)
 Send over trunk, tag added

3) Encapsulated RSPAN (ERSPAN)

 Encapsulated into GRE
 Can be send across layer three domain
 It is CISCO proprietary available on higher platform only
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-
switches/10570-41.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-
3s/lanswitch-xe-3s-book/lnsw-conf-erspan.html#GUID-4CAB13D7-0803-4D67-
B720-4AB56A978FEF

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Port security
Use to prevent unauthorized access & limit access, based on MAC address
Can be limit (1-8192) MAC address to attached on particular port
Port security can apply on static trunk & static access ports
If limit exceed/violation occur port can be went to

Shutdown
 Default action after violation
 Port send to err-disabled mode
 For re-enable err-disabled recover or shutdown/no shutdown
 MAC counter keeps history
Protect
 Need to configure for violation action
 Traffic not send to network from violator
 Interface will be working even after violation
 No MAC counter keeps history
Restrict
 Need to configure for violation action
 Traffic not send to network from violator
 Generate log (SNMP/Syslog)
 No MAC counter keeps history
Default configuration for port security
1) Disabled on every interface
2) 1 MAC address allow if port security enabled
3) Default violation is shutdown
4) No aging configured by default for recovery

Ports maintain address table

 Static configured MAC address
 Sticky MAC address
 Dynamic (leaned)

MAC Address Aging

By default, secure MAC addresses are learned permanently. Aging can be configured so
that the addresses expire after a certain amount of time has passed

On trunk port support per-VLAN limits (default unlimited)

Note: - Need to take care of port which have FHRP/IP phone connected
Using a Router insecurity mac can be hide

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 DHCP SNOOPING

DHCP snooping is a security feature that acts like a firewall between untrusted
hosts and trusted DHCP servers.
 Use trusted source to reply DHCP offer message
 Rate-limits DHCP traffic from trusted and untrusted sources.
 If untrusted port exceed the limit interface sent to err-disable
 Builds and maintains the DHCP snooping binding database, which contains information
about untrusted hosts with leased IP addresses.
 Utilizes the DHCP snooping binding database to validate subsequent requests from
untrusted hosts.
 Can be enable to disabled DHCP snooping per VLAN basis
 By default, the feature is inactive on all VLANs
 DHCP snooping device insert DHCP option no 82 (gateway & other information)

SW(config)#ip dhcp snooping (Enable DHCP snooping)

SW(config)#ip dhcp snooping vlan [VLAN_NO.] (Enable DHCP snooping on source)
SW(config)#no ip dhcp snooping information option (disable insert option)
SW(config)#interface f0/24
SW(config-if)#ip dhcp snooping trust (make trusted port)
SW (config-if)#ip dhcp snooping limit rate <1-2048> (Rate limit config optional)
SW#show ip dhcp snooping ? (verification)
binding DHCP snooping bindings
database DHCP snooping database agent
statistics DHCP snooping statistics
| Output modifiers
<cr>

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Dynamic ARP inspection
Use to prevent ARP poisoning
ARP poisoning by gratuitous ARP using g/w IP & local MAC
Inspect ARP request/responses
It used DHCP snooping database to verifying
ARP ACLs can also use for ARP Req/res to static IP assign device
DAI is supported on access ports, trunk ports, EtherChannel ports, and private
VLAN ports.
The switch forwards ARP packets that it receives on a trusted interface, but does
not check them

P1-SW2(config)#ip arp inspection vlan N

P1-SW2(config-if)#ip arp inspection trust

IP SOURCE Guard

Prevent IP address spoofing

Use DHCP snooping database to validate MAC and associated IP
Can combine port security

Both use DHCP Snooping feature; DAI is protection against ARP Spoofing and IP
source guard is protection against IP Spoofing

It can enable interface basis

Sw(config-if)# ip verify source | [port-security]
 Storm control

 Prevent large number of broad/uni/multicast packets are received on port

 Can be limit these traffic on per interface basic
 By default it disabled
 Rising and falling thresholds use to block and then restore traffic
 Can be turn off or send trap if limit exceed on port

SW2(config-if)#storm-control ? (Enable storm-control)

action Action to take for storm-control

broadcast Broadcast address storm control
multicast Multicast address storm control
unicast Unicast address storm control
SW2(config-if)#storm-control broadcast level ? (Enable limit & threshold)

<0.00 - 100.00> Enter rising threshold

bps Enter suppression level in bits per second
pps Enter suppression level in packets per second
SW2(config-if)#storm-control broadcast level 80 60

SW2#show storm-control ? (verification)

FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
broadcast Broadcast storm control
multicast Multicast storm control
unicast Unicast storm control
| Output modifiers
<cr>

P1-SW2#show storm-control broadcast

Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Gi0/1 Link Down 80.00% 60.00% 0.00%
 Private VLAN

Create layer 2 isolation even port belong to same VLAN

It use a sub-VLAN under VLAN or main VLAN
Main VLAN known as Primary VLAN
Sub-VLAN known as Private VLAN or secondary VLAN
All secondary VLANs must be associated with one primary VLAN

Furthermore Private VLAN divided into 2 sub-VLAN

 Community VLAN
 Isolated VLAN

It use port role for granular traffic control

 Promiscuous port
 Connects to the router/firewall/gateway device
 For external or rest of networks access

 Host port
 Connected to the end host
 Belong to either isolated or community ports
 Host port that belong to same community can access each other

More about Sub-VLANs

 Isolated VLAN
 Ports belong to same isolated sub-VLAN cannot access each other

 Community VLAN
 Device in same community VLAN can access each other
 Basically use to connect same department

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
Configure the Private VLANs
To configure a private VLAN, begin by defining any secondary VLANs that are needed
for isolation using the following configuration commands:
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan { isolated | community }

Define the primary VLAN that will provide the underlying private VLAN
connectivity
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association { secondary-vlan-list | add secondary-
vlan-list | remove secondary-vlan-list }

Define port roles

Define the function of the port that will participate on a private VLAN
Switch(config-if)# switchport mode private-vlan { host | promiscuous }

Map promiscuous mode ports to primary and secondary VLANs:

Switch(config-if)# switchport private-vlan mapping primary-vlan-id secondary-vlanlist| { add secondary-vlan-list } | {
remove secondary-vlan-list }
Associate the switch port with the appropriate primary/secondary VLANs.
Switch(config-if)# switchport private-vlan host-association primary-vlan-id
secondary-vlan-id
 Protected port

Protected port is similar to Private VLAN but it works locally only

Easy implementation using one command
No more feature like Privates VLAN

Port ACL
Port ACLs access-control traffic entering a Layer 2 interface.
The switch does not support port ACLs in the outbound direction
You can apply only one IP access list and one MAC access list to a Layer 2 Interface
Router ACLs are supported only on SVIs.

Port ACLs use (Name/Number)

• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information

This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit
access to any others, and display the results.
Switch (config)# access-list 2 deny host 171.69.198.102
Switch (config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
10 deny 171.69.198.102
20 permit any

Applying ACL
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 2 in

This example shows how to apply access list 3 to filter packets going to the CPU:
Switch(config)# interface vlan 1
Switch(config-if)# ip access-group 3 in

http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 StackWise
Cisco introduced the StackWise and StackWise Plus technologies to enable separate physical switches
to act as a single logical switch. StackWise is available on switch models such as the Cisco Catalyst
3750-E, 3750-X, and 3850 platforms.
  Physical switches must be connected to each other using special-purpose stacking cables.
 Each switch supports two stack ports; switches are connected in a daisy-chain fashion
 Required single IP address to manage all physical switches
 Better resources utilization and aggregation
 STP and other protocol deal as single switch
 Online Stack Adds and Removals allowed
 Bidirectional Flow on stack cables
 Sub-second Failover
 Select a master switch for managements and all

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-
switches/prod_white_paper09186a00801b096a.html

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]
 Authentication, Authorization, and Accounting
1) AAA using Local database
2) AAA using Centralized database (RADIUS, TACACS+)
Local database
Need to assign Privileges levels for use for granular & modular control

IOS default Privileges

Privilege level Accessibility
0, IOS default No access
1, IOS default User mode, very limited access
15, IOS default Privilege exec/enable mode, verification & basic config
2-14, user defined/custom Can be assign to user for specific task/command

Local data base command authorization required.

Switch(config)#privilege [exec|configure] level [2-14] “line of command”

AAA
 Centralized management of users to access network (Telnet, SSH, VPN etc.)
 Whenever user attempts to login it verify by AAA database
 User management done on AAA database without the need to reconfigure each device
 AAA can also control connections passing through switch/Router for access network resources
 AAA can be RADIUS or TACACS+ where database located
 Also need to configure local as fallback

Three services are offered by AAA server, as follows

Authentication: who are you? And are you right person?
Authorization: After authentication, checks what allowed to do for specific user.
Accounting: Use to collect and store information about a user’s login. Information can utilized for audit trail of what a
user did on the network.
How does “AAA” centralized server works

Configuration of AAA
Step 1
Enable AAA on IOS
Switch(config)# aaa new-model

Step 2
Create user for fallback, if radius or tacacs down/not reachable
Switch(config)# username “ADITYA” password “CISCO”

Step 3
Adding RADIUS/TACACS servers. Multiple server may be exist for redundancy
Switch(config)#[radius|tacacs] server “SERVER-NAME” (support IPv4/v6 and more feature)

Or

Switch(config)#[radius-server|tacacs-server] host [Hostname or A.B.C.D] key (support IPv4 only)

Step 4
Creating group of radius/tacacs server & adding severs in it
Switch(config)#aaa group server [radius|tacacs+|ldap] “SERVER_GROUP1”

Step 5
Use the following global configuration command to define a method list:
Switch(config)# aaa authentication login { default | list-name } method1 [ method2 ...]
Note: - it could other than login (e.g. enable, dot1x etc.)

Step 6
Apply a method list to a switch line.
Switch(config)#line [vty|console]
Switch(config-line)#login authentication { default | list-name }
Switch(config-line)#authorization [arap|command|exec|reverse-access]

For any assistance and query please visit https://www.youtube.com/user/adityakrgaur/about

Or e-mail us [email protected]