Cisco 300-115 Reference Sheet

This document discusses key features and fundamentals of network switches. It covers topics like VLAN tagging, trunking, MAC address tables, switch port bandwidth allocation, and hierarchical network design. The latest switches offer application intelligence, integrated security, non-stop forwarding, and ease of management. They can carry multiple VLANs and add VLAN tags to Ethernet frames.

Uploaded by Haseeb Nasir Ali

Switch Fundamentals

- A switch works like a transparent bridge and gives dedicated bandwidth per port.
- A hub is a Layer 1 device that shares bandwidth among multiple ports.
- MAC address = physical address. It can also be applied to virtual devices (virtual servers).
- CAM table (MAC address table) columns: Port, MAC Address, VLAN.
- Features in latest switches: application intelligence, integrated security, Non-Stop Forwarding and Stateful Switchover, ease of management, unified network services (wired and wireless).
- Trunking: carries multiple VLANs by adding a VLAN tag to the Ethernet frame.

802.3 Frame Format
- Preamble, 7 bytes: like a flag indicating that a frame is arriving.
- SFD (Start of Frame Delimiter), 1 byte: tells that the next byte starts the Destination Address.
- Destination Address, 6 bytes: the 2 rightmost (least significant) bits of the 1st byte define whether the destination is individual or multicast.
- Source Address, 6 bytes.
- Length/Type, 2 bytes: tells the size of the Data in this frame.
- Data: minimum 46 bytes, maximum 1500 bytes. If less than 46 bytes, padding bytes are added to make 46. Jumbo frame: 9000 bytes.
- FCS, 4 bytes: covers the DA, SA, Length/Type and Data fields.
Network Design (Campus Network) Fundamentals

Flat network design (Layer 2): one large broadcast domain.

Hierarchical design
- Access: access to end devices; security (Port Security, DHCP Snooping etc).
- Distribution: access VLAN termination; routing between access VLANs; routing towards the core; offers FHRP to the access layer.
- Core/Backbone: acts as aggregator, connecting the elements of the enterprise network (enterprise resources, server farms, data centers, Application Centric Infrastructures); core routing must be fast and stable; consider future growth; no direct connectivity to hardware (servers, access points etc); Layer 3 and as fast as possible.
- Catalyst 6800 (Catalyst and Nexus): control plane centralized in the Route Processor, data plane individual in every line card.

Access-Distribution block options
- Layer 2 access/distribution: cheaper; sub-optimal use of links, because STP is not as intelligent as routing protocols.
- Layer 3 access/distribution: more effective use of links between access and distribution; needs careful allocation of VLANs and IP addressing; expensive; high availability; convergence; "the future is this one".

Core layer design basics
- 2 core switches = dual core; more than 2 core switches = multi-node core.
- Dual links: dual-path redundancy between access and core.
- Layer 2 must terminate at distribution.
- Never connect access switches together.
- Usually no more than 2000 users in a switch block.

Switch blocks: Access Distribution block (access + distribution switches), Core block.

Enterprise network traffic types
- Local: resource in the same VLAN as the host.
- Remote: resource in a different VLAN, so traffic goes through Distribution.
- Enterprise: resource in a different location, so traffic goes through the Core.

Design should be based on the size and number of common workgroups, and on traffic types and patterns.

Switching technique
- Default is CEF / fast switching; go to process switching only in a dire situation.
- In Catalyst, fast switching is called route caching (flow based).
- CEF is called topology-based switching (routing-table based).
- Fields rewritten when a packet passes between IP subnets: Dst MAC, Src MAC, TTL, Ethernet header checksum, IP header checksum.

Memory
- CAM (Content Addressable Memory): stores the MAC table.
- TCAM (Ternary CAM; dedicated memory for a specific purpose): stores the QoS table and ACLs.
- QoS actions on an incoming frame: prioritized, rate limited, marked.

Switching modes
- Cut-through: does not check the CRC, starts switching as soon as the frame is received. Good for data centers.
- Store-and-forward: checks the CRC and, if correct, regenerates the frame. Most switches work like this.
Multilayer Switch Operation

Multilayer switching methods
1. Route caching (also called NetFlow switching, demand-based switching, or "Route Once, Switch Many"): the Route Processor (RP) routes once, then the Switching Engine (SE) switches the packets.
2. Topology based (also called Cisco Express Forwarding, CEF): the RP is still there but downloads the routing table into the FIB; the SE then switches packets. Only this method is used now.

Feature Manager: compiles ACEs into the TCAM table in a structured manner for parallel processing. Each TCAM entry has:
- Value (134 bits): contains everything in the ACE except the subnet mask.
- Mask (134 bits): contains the subnet mask.
- Result: Permit, Deny or Don't Care.

Switch Database Manager (SDM): partitions the TCAM database space for better switch performance. Example template "desktop default" is good for the access layer. The 4500 and 6500 have fixed memory that cannot be partitioned.

Layer 2 switch frame forwarding
1. Ingress queue
2. Dst MAC check (CAM table)
3. ACL check (MAC, IP, protocol type if not standard IP, port number)
4. QoS check (TCAM)
5. Egress queue

MLS / CEF packet forwarding
1. Ingress queue
2. CAM table and FIB table check, at the same time
3. QoS and ACL check, at the same time
4. Frame rewritten (SRC MAC, DST MAC)
5. SRC MAC = switch Layer 3 port
6. DST MAC = next-hop MAC
7. IP header checksum recalculated
8. Ethernet frame CRC checksum recalculated

MLS / CEF exception packets: ARP packets, DHCP, routing protocol updates, packets that need encryption, legacy protocol packets (AppleTalk), MTU increased, TTL expired, fragmentation needed.

PoE
- The switch sends pre-determined voltages at the port to determine the power rating of the attached device; once the device responds, the switch applies that power level.
- UPoE: 60 W, only available in the Cisco 4500.

Auto Negotiation
- If the host is fixed (say full duplex and 100M) and the switch port is auto-negotiating, the switch port will end up at 100M and half duplex: because the host is fixed, the switch receives no duplex information and sets half duplex (the default).
- Autonegotiation only works for UTP 10/100 or 10/100/1000.

Ethernet Standards (Key Points)
- 100Base (FE): 100Base-FX fiber = 10 km
- 1000Base (GE): 1000Base-T = 100 meters; 1000Base-LX/LH = SMF = 10 km; 1000Base-ZX = SMF = 100 km
- 10GBase (10GE): IEEE 802.3ae ("ae" because of the physical media change; the frame format remains the same as above)
- 40G and 100G: IEEE 802.3ba Ethernet standard

CDP vs LLDP

CDP
- Sent at Layer 2.
- 60 second interval, hold time 180 sec.
- Version 2 shows the VTP domain and native VLAN name, with enhanced error tracking.
- Advertisements are one-way only (sent); a switch never expects to receive anything.

LLDP
- 802.1ab, standards based. Disabled by default.
- 30 sec interval, 120 sec hold time (frames are sent every 30 sec).
- Sends device info in TLV (Type Length Value) format. Mandatory TLVs: Chassis ID, Port ID and Time-to-Live.
- Also has the MED (Media Endpoint Device) TLV, which provides further detailed info about the device.

CDP vs LLDP chart: https://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

DTP Configuration
- switchport mode dynamic desirable is the default.
- switchport trunk encapsulation { dot1q | isl | negotiate }; the default is negotiate.
- A trunk can be negotiated if both switches are in the same VTP domain, or if one or both switches are in the Null domain.
- If vlan dot1q tag native is configured, the native VLAN will be tagged and any untagged frames will be dropped; control traffic continues to operate in the native VLAN even though vlan dot1q tag native is configured.

Traffic Rule
- 80/20 means 80% localized traffic, 20% across the core. Observed in an end-to-end VLAN architecture.
- 20/80 means 20% localized traffic, 80% across the core. Observed in a local VLAN architecture.

VLAN
- Range: 1 to 1005. The default is VLAN 1, and VLANs 1002-1005 are reserved for special purposes (Token Ring and control protocols).
- Extended range: 1 to 4094, only in VTP transparent mode, because of a VTP version 1 and 2 limitation; VTP version 3 does not have this constraint.
- VLAN database: the place where the VLAN configuration is saved, separate from the switch configuration. Extended-range VLANs 1006 to 4094 are not saved in the VLAN database but in the normal switch configuration (exception: in VTP version 3, extended-range VLANs are also saved in the VLAN database, as per Cisco docs).

Trunking
- Native VLAN concept on the trunk: the native VLAN is not tagged with the 4-byte 802.1Q header; by default it is VLAN 1 and it is used by CDP or LLDP.
- 802.1Q (IEEE standard): adds a 4-byte tag after the SRC ADD field in the frame.
  - 1st 2 bytes: Tag Protocol Identifier, identifying 802.1Q (value 0x8100).
  - 2nd 2 bytes: TCI (Tag Control Info): a 3-bit priority field for Class of Service (CoS, IEEE 802.1p) and a 12-bit VLAN identifier (range 0-4095; 0, 1 and 4095 are reserved).
- ISL (Cisco proprietary): adds a 26-byte header and a 4-byte trailer CRC.
- Any trunking adds bytes to the 802.3 frame: ISL adds 30 bytes, 802.1Q adds 4 bytes.
- An Ethernet frame cannot exceed 1518 bytes excluding trunking protocol bytes (802.3 standard). The 802.3ac standard increases this size to 1522 bytes by adding 4 bytes for the 802.1Q tag.

IP Phone / Voice VLAN (also sometimes called Auxiliary VLAN)
- The link between the IP phone and the access switch can be TRUNK or ACCESS. If ACCESS, only 1 VLAN is used for both voice and data, or an access port that can accept "tagged" voice packets is used.
- The trunk is negotiated through CDP exchange.
- Voice VLAN cases: switchport voice vlan { vlan-id | dot1p | untagged | none }
  - vlan-id: voice in the voice VLAN (tagged, so 802.1p CoS); data in the native VLAN (untagged, no CoS).
  - dot1p: voice in VLAN 0 (tagged, so 802.1p CoS); data in the native VLAN (untagged, no CoS).
  - untagged: voice in the native VLAN (in the native VLAN but can still be tagged); data also in the native VLAN (untagged, no CoS).
  - none (the default): voice in the access VLAN (untagged, so no CoS); data in the access VLAN (untagged, no CoS).
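The tag layout and the native-VLAN rules above are easy to get wrong when reading captures or reviewing trunk configs, so here is an added worked example (not part of the reference sheet) that builds and parses 802.1Q-tagged 802.3 frames, applies the native VLAN / vlan dot1q tag native decision, and checks the 1518/1522-byte limits. The MAC addresses and payloads are constructed sample values; the decision rules and constants (TPID 0x8100, reserved VIDs, size limits) are the ones the sheet states.

```python
import struct

# Constants from the reference sheet: TPID 0x8100 marks an 802.1Q tag; VID 0 and 4095 are reserved,
# and an 802.3 frame may be 1518 bytes untagged or 1522 bytes with a tag (802.3ac), FCS included.
TPID_8021Q = 0x8100
MAX_UNTAGGED = 1518
MAX_TAGGED = 1522

# Constructed sample MAC addresses (not from the sheet).
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """DA | SA | Length/Type | Data (FCS omitted; the NIC or switch appends it on the wire)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int, ethertype: int, payload: bytes) -> bytes:
    """Same layout with the 4-byte 802.1Q tag inserted right after the source address."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # 3-bit CoS, 1-bit CFI (left 0), 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header: dst, src, tag fields (if present), real EtherType and payload length."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte DA/SA/Type header")
    info = {"dst": _mac_str(frame[0:6]), "src": _mac_str(frame[6:12]), "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update({"tagged": True, "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset
    return info


def classify_ingress(info: dict, native_vid: int = 1, tag_native: bool = False):
    """VLAN a frame is assigned on a dot1q trunk port, or None when the switch drops it.

    tag_native models 'vlan dot1q tag native': the native VLAN is expected tagged, untagged frames are dropped.
    """
    if not info["tagged"]:
        return None if tag_native else native_vid
    vid = info["vid"]
    if vid == 0:        # priority-tagged (the 'dot1p' voice case): CoS is carried, VLAN is the native one
        return native_vid
    if vid == 4095:     # reserved value, never a real VLAN
        return None
    return vid


def within_size_limit(frame: bytes) -> bool:
    """802.3 allows 1518 bytes; 802.3ac allows 1522 when the 4-byte tag is present (FCS counted)."""
    tagged = parse_frame(frame)["tagged"]
    return len(frame) + 4 <= (MAX_TAGGED if tagged else MAX_UNTAGGED)


if __name__ == "__main__":
    sample = build_tagged_frame(SAMPLE_DST, SAMPLE_SRC, 100, 5, 0x0800, b"\x00" * 46)
    print(parse_frame(sample), classify_ingress(parse_frame(sample)))
```

The parser reads the EtherType position twice when a TPID is found, which is exactly why a double-tagged frame (two 0x8100 headers) would show its inner tag as the "EtherType" here: a useful thing to watch for when inspecting trunk captures.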
VTP

Advertisements: mostly sent by the server, but also by a client when it boots and asks for VTP info.

Advertisement types
- Summary (sent by the VTP server): Domain, Revision #, MD5 hash code, number of subset advertisements to follow.
- Subset (sent by the VTP server): Domain name, Config revision #, specific VLAN info 1 to n (VLAN name, VLAN ID, status, MTU size).
- Request from clients: sent by clients at boot time to ask for information.

VTP synchronization problem
- A new switch is added as a VTP server with a higher revision #.
- A new switch is added as a client, possesses a higher revision #, and informs the existing server, which accepts the higher revision of the new client.

Relaying
- In VTPv1, a switch will not relay VTP advertisements if the VTP domain name and version do not match the received VTP packet.
- In VTPv2, a switch will relay VTP advertisements regardless of the VTP domain.
- The VTP domain name default is "Null", meaning a BLANK string.

Modes
- Transparent mode.
- OFF mode: this is also a mode; no VTP advertisements are processed or even relayed.

Security
- Only the hash of the password is sent in advertisements, not the password itself.
- The password is required on servers as well as on clients.

Versions
- Version 1: supports VLANs 1-1005; Token Ring support.
- Version 2: supports VLANs 1-1005; relays VTP advertisements without checking the VTP version; unrecognized TLV support so that new VTP messages can be added; consistency checks for config entered through CLI or SNMP.
- Version 3: supports VLANs 1-4094 (extended VLAN support); per-port VTP enablement, as opposed to the whole switch; primary and secondary server concept: secondary servers advertise, and a primary server takes control of a domain, which minimizes the danger of a new switch added as a server wiping all VLANs; extended-range VLANs (1006 to 4094) are only saved in the VLAN database in VTP version 3; enhanced security using a secret key not visible in the config: Secret - the password itself is saved in the running config; Hidden - only the hash is saved in the running config.

Pruning
- If enabled, all VLANs from 2 to 1001 become eligible for pruning.
- If enabled on the server, it is advertised to the whole domain.
- A transparent switch is not affected by pruning.
- VLAN 1, 1002 to 1005 and extended-range VLANs (1006 to 4094) are pruning ineligible.
Spanning Tree Protocol (STP)

Types of STP
- CST (Common Spanning Tree): IEEE standard; uses the 802.1Q trunk native VLAN (by default VLAN 1) for BPDU exchange.
- PVST (Per VLAN Spanning Tree): Cisco proprietary; uses ISL.
- PVST+ (Per VLAN Spanning Tree +): Cisco proprietary; interoperable with PVST and CST. With PVST it uses ISL, with CST it uses 802.1Q.

Basics (IEEE 802.1D)
- Main objective: stop bridging loops by making switches aware of each other.
- BPDUs are sent to multicast 01-80-c2-00-00-00, every 2 sec as Hello by the Root Bridge; other switches only relay what the RB sets and sends.
- Bridge ID (8 bytes): 2-byte priority (32768 default, range 0-65535; lower is better) + 6-byte MAC address. 802.1t Extended System ID: priority + VLAN ID.
- Path cost (lower is better): 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2.

Port states
- Disabled (port is shut down)
- Blocking (no MAC learning, no BPDU TX, only BPDU RX)
- Listening (no MAC learning, BPDU TX and RX)
- Learning (MAC learning, BPDU TX and RX)
- Forwarding (forwarding and all of the above)

Port roles
- Root Port: the port with the lowest root path cost.
- Designated Port: the switch with the lowest root path cost has the DP for a specific segment.
- Blocked Port: neither RP nor DP.
- Alternate Port (used specifically in UplinkFast): a blocked port that can immediately become forwarding if the existing RP/forwarding port fails. Mostly used on access switches.

2 types of BPDU
- Configuration BPDU, sent only by the Root Bridge once it is elected. Contains: Version (0 identifies an 802.1D BPDU), Message Type (is it a Config BPDU or a TCN BPDU?), Flag, Root ID (8B), Root Path Cost, Sender Bridge ID (8B), Port ID, Message Age, Maximum Age (default 20 sec), Hello Time, Forward Delay.
- Topology Change Notification (TCN) BPDU: contains no "data", only a set flag that "change has occurred". For TCN there is a Hello Time set by each switch locally. TCN BPDUs are not sent for a port where PortFast is enabled.

Tie-breaking criteria
1. Lowest Root Bridge ID
2. Lowest Root Path Cost
3. Lowest Sender Bridge ID
4. Lowest Sender Port ID (Port Priority 0-255, default 128, + Port No.)

Actions when a "change" is detected (a change could be anything: port state changed, BPDU not received etc.)
1. A TCN BPDU is sent by any switch out of its root port towards the root.
2. Once the TCN BPDU is received by the RB, it sends an "acknowledgement".
3. Then the RB sends a Config BPDU with the "Change" flag set so that other switches know a "change" has occurred.
4. Other switches receive the Config BPDU with the change flag set.
5. Switches reduce their mac-address-table aging time from 300 sec to forward delay (15 sec) + the Max Age time of the BPDU (20 sec).
6. Then, when new entries are learnt again and a new Config BPDU is received, the root port of the switch changes.
7. The network converges.

Timers
- Hello Time (default 2 sec, range 1 to 10)
- Forward Time (default 15 sec, range 4 to 30)
- Max Age (default 20 sec, range 6 to 40)
TIP: rather than changing STP timers, it is better to change the STP diameter; this forces STP to change the timers accordingly.

Port Fast
- spanning-tree portfast default: enable globally; non-trunk ports will be Port Fast.
- switchport host: macro command; enables Port Fast, changes the port to access and disables PAgP.
- spanning-tree portfast trunk: can be used when a trunk is used, say between a switch and a router-on-a-stick, or between a switch and a server carrying multiple VLANs.
- TCNs are not sent on Port Fast enabled ports.

Uplink Fast
- Keeps an eye on the other blocking ports (called Alternate Ports) to make them forwarding if the existing Root Port/forwarding port fails: puts the other uplinks in Blocking and immediately makes one forwarding as soon as the primary root port fails.
- spanning-tree uplinkfast [max-update-rate pkts-per-second]
- max-update-rate defines the pps rate of the dummy multicast frames the switch sends to the uplink switches so that they can learn the MAC addresses of the hosts connected to the access-layer switch where UplinkFast is enabled. The multicast packets are sent to a dummy address with the source address of every host in the switch's mac-address-table. Default rate 150 pps, range 0-65535.
- UplinkFast is for access-layer switches, so it is not valid for the Root Bridge. The switch priority is increased to 4096 x 12 so that this switch does not become RB, and the port cost is increased by 3000 so that this switch is also not used as transit to the root.

Backbone Fast
- Detects "indirect failure".
- If an inferior BPDU is received, the switch identifies that the link to the RB has failed. With BackboneFast the switch does not wait for Max Age to expire; it starts looking for alternative paths to the RB.
- If an inferior BPDU is received on a Blocked Port, then the RP and the other blocked ports are considered for the root path.
- If an inferior BPDU is received on the Root Port, then all blocked ports are considered for the root path.
- If an inferior BPDU is received on the Root Port and no ports are blocked, then the switch considers itself the root.
- BackboneFast uses the RLQ (Root Link Query) protocol: the switch sends an RLQ Request; a reply can only be generated by the RB or by a switch that has lost its connection to the root. If the RB replies, the root path is okay; if any other switch replies, it means a failure to reach the root.

STP Configuration basics
- Root Primary command: a macro that runs only "once" when the command is issued and adjusts values as follows. If the priority of the current RB is greater than 24576, it sets the priority to 24576 (4096 x 6); if the priority of the RB is equal to or less than 24576, it sets the priority 4096 less than that priority. It is possible that another switch becomes root later if its priority is manually set lower than the Root Primary value. Best to set the priority manually to 0.
- Root Secondary command: the priority is set to 28672 (4096 x 7), based on the assumption that the root's priority is lower than the default 32768; otherwise there is no method to query automatic secondary RB selection.
- Through this command we can also set the diameter of the network (default 7), which defines the "timers" in the network.


STP Protection

Loop Guard
- Effective only on non-designated ports. Monitors non-designated ports for loss of received BPDUs.
- If BPDUs are lost, the port is put into the "loop-inconsistent" state. When BPDUs are received again, the normal port state is restored.
- Command to enable globally: "spanning-tree loopguard default". Though enabled globally, the switch identifies the non-designated ports and only monitors BPDU activity on those.
- The corrective action of Loop Guard is on a per-VLAN basis, though it is enabled on a per-port basis.
- To disable on a port: (config-if)# [no] spanning-tree guard loop

BPDU Guard
- Complementary to Port Fast. If "any" BPDU is received, the port is err-disabled and must be re-enabled to work again.
- Command: "spanning-tree portfast bpduguard default". If enabled globally, it is enabled on any port where Port Fast is enabled.

Root Guard
- The port is not allowed to become a Root Port, meaning no Root Bridge can be seen on the port.
- Enabled per interface: "spanning-tree guard root".
- If a superior BPDU is received, the port goes into the "root inconsistent" state and is blocked.
- show spanning-tree inconsistentports: command to check ports in these states.

BPDU Filtering
- BPDUs are not sent, and are also not allowed to be received. In essence, equals disabling STP.
- Global command: "spanning-tree portfast bpdufilter default": filtering is enabled by default only on those ports where Port Fast is enabled.
- To enable on a port-by-port basis, irrespective of whether PortFast is enabled on the port: "spanning-tree bpdufilter { enable | disable }"
- If a BPDU is received on any portfast-enabled interface where the BPDU filter was enabled (globally), the port loses its portfast status and starts acting normally in terms of STP calculation.
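The tie-breaking order, the path costs, the root primary/secondary macro values and the Root Guard rule above are all comparisons on BPDU fields, so here is an added example (not from the reference sheet) that models them in code: BPDU comparison with the four tie-breakers, root-port selection that adds the receiving port's cost, the priority the root primary/secondary macros pick, and the Root Guard "superior root seen on a guarded port" check. The bridge IDs and port names are constructed sample values; the ordering rules and constants are the sheet's.

```python
from dataclasses import dataclass

# Values from the reference sheet.
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> 802.1D cost
DEFAULT_BRIDGE_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 2-byte priority (with the 802.1t extended system ID: priority + VLAN ID)
    mac: str        # 6-byte MAC, e.g. "00:00:00:00:00:01"

    def key(self) -> tuple:
        # Lower wins: priority first, then the MAC compared as an integer.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def port_id(port_number: int, port_priority: int = DEFAULT_PORT_PRIORITY) -> int:
    """Sender Port ID as on the sheet: port priority (0-255, default 128) followed by the port number."""
    return (port_priority << 8) | (port_number & 0xFF)


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int

    def key(self) -> tuple:
        # The sheet's tie-breaking order: root BID, root path cost, sender BID, sender port ID.
        return (self.root_id.key(), self.root_path_cost, self.sender_id.key(), self.sender_port_id)


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a wins against BPDU b."""
    return a.key() < b.key()


def choose_root_port(candidates: list) -> str:
    """candidates: list of (local port name, BPDU received on it, link speed in Mbps).

    The cost of reaching the root through a port is the received root path cost plus that port's own
    cost, so the comparison adds PATH_COST[speed] before falling back to the sender fields.
    """
    def rank(c):
        name, bpdu, speed = c
        return (bpdu.root_id.key(), bpdu.root_path_cost + PATH_COST[speed],
                bpdu.sender_id.key(), bpdu.sender_port_id)
    return min(candidates, key=rank)[0]


def root_guard_violation(received: Bpdu, current_root: BridgeId) -> bool:
    """Root Guard: a BPDU claiming a better root than the one we know makes the port root-inconsistent."""
    return received.root_id.key() < current_root.key()


def root_primary_priority(current_root_priority: int) -> int:
    """Priority the 'root primary' macro picks, per the sheet."""
    if current_root_priority > 24576:
        return 24576                        # 4096 x 6
    return current_root_priority - 4096     # one step below the existing root


def root_secondary_priority() -> int:
    return 28672                            # 4096 x 7
```

Note that `choose_root_port` ranks by the cost after adding the local port cost, which is why a 1 Gbps uplink (cost 4) beats a 100 Mbps one (cost 19) to the same root even though both received BPDUs carry root path cost 0.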

UDLD
- Detects unidirectional links, which mostly appear on fiber links.
- Identifies a unidirectional link by sending a frame and expecting an echoed frame back.
- A unidirectional link means that if a BPDU is lost, the port must not start forwarding, because it is a faulty condition.
- The 2 ends of the link send and expect echoed frames independently; hence even different frame-sending timers on the two ends still work well with UDLD.
- Default frame sending time (Message Time) is 15 sec.
- UDLD works on a per-port basis, meaning that in an EtherChannel, if only 1 link in the channel has an issue, only that link is affected, no other.

2 modes of operation
- Normal Mode: generates a syslog message, the port continues its normal operation, and the port state is shown as "undetermined state".
- Aggressive Mode: tries to reconfirm by sending 8 messages, once per second; if no reply is received, puts the port in "err-disabled".

Configuration
- Interface enabled: (config-if)# udld { enable | aggressive | disable }
- Globally enabled: (config)# udld { enable | aggressive | message time seconds }, default is 15 sec
- If put in err-disabled, the port must be returned to normal by the EXEC command "Switch# udld reset". This differs from the normal case, where we do shut/no shut to bring back err-disabled ports.
Rapid Spanning Tree (RSTP, IEEE 802.1w)

Deployment scenario
- RSTP is the underlying mechanism to speed up convergence.
- Deployed with PVST, it becomes Rapid PVST (RPVST); with PVST+, it becomes Rapid PVST+ (RPVST+).
- RSTP can also be deployed with MSTP (Multiple STP, standard IEEE 802.1s).

Config
- By default the switch is in PVST+ mode (802.1D); change to Rapid PVST+ (802.1w) with the global command spanning-tree mode rapid-pvst.
- Full-duplex ports are by default RSTP point-to-point; to force a port to become P2P, use the interface-mode command spanning-tree link-type point-to-point.

Backward compatibility with 802.1D
- If a switch running 802.1D and a switch running 802.1w talk, the port facing the 802.1D switch shows in the spanning-tree output as "P2p Peer(STP)". The switch then starts supporting both 802.1D and 802.1w on that port.
- A port acts according to the type of BPDU it receives: if an 802.1D BPDU is received, 802.1D port roles and states apply; the same is valid for 802.1w. This also helps in migration from 802.1D to 802.1w and vice versa.
- Only during migration (if happening), the switch locks the port state for a "migration timer" to avoid confusion.

Port roles
- Root Port (same as 802.1D)
- Designated Port (same as 802.1D)
- Alternate Port (same as the 802.1D port used in UplinkFast)
- Backup Port (less desirable than an existing port that connects to the same segment)
- Key difference between Alternate and Backup Port: the Alternate Port is not on the same segment, the Backup Port is on the same segment.
- Switches communicate with each other based on their port roles, rather than based on relaying BPDUs generated by the Root Bridge. This is key to the fast convergence of RSTP.

Port states (based on what the port does with incoming "frames", not BPDUs)
- Discarding: frames discarded, no MAC address learning (802.1D Disabled, Blocking and Listening combined)
- Learning: frames discarded, MAC address learning
- Forwarding: frames forwarded, MAC address learning
- Any port role can have any port state, a more flexible approach than 802.1D.

BPDUs in RSTP
- Same BPDU message format as 802.1D; only some previously unused bits are now used.
- Version 1 indicates an RSTP BPDU, to distinguish it from an 802.1D BPDU.
- BPDUs are exchanged between each switch port every Hello interval = 2 sec.
- If 3 consecutive BPDUs are missed, the switch neighbor is considered down. This is the reason for fast convergence.

Port types
- Edge Port: only connects to 1 host.
- Root Port.
- Point-to-Point Port: a port between switches that can become a designated port (simply a port that connects to only 1 switch and can forward BPDUs, which is why it is P2P).

Convergence in RSTP
- The basic building blocks are Proposal and Agreement, sent between neighbor switches; both are actually Config BPDUs.
- Proposal means "I want to be the Designated Port"; Agreement means "yes, and then I will be the Root Port".
- When a Proposal is received, all non-edge ports are put into Discarding so that there is no chance of a loop.
- During synchronization each switch decides independently and puts its other links to other switches into "Discarding". When Agreement is reached, the discarded ports start their own synchronization with their neighbors. The process continues all the way until all switches agree.
- If no reply is received for a Proposal (maybe the switch does not understand 802.1w), the normal 802.1D process kicks in and the port goes through the 802.1D steps.
- This process is key to quick convergence: switches agree between themselves instead of waiting for the RB to send BPDUs.

Topology change notification
- RSTP notices a TCN when a non-edge port transitions to Forwarding. Actually, RSTP detects "change" when non-forwarding ports start forwarding; this is the "rapid" part.
- Other switches are informed via a series of TCN BPDUs through the network, and the MAC address tables are updated.
Multiple Spanning Tree (MSTP, IEEE 802.1s)

Basics
- Main advantage: a balance between PVST+ (STP instance per VLAN) and CST (single STP instance for all VLANs). In MST, VLANs can be mapped to instances, hence flexibility.

Building blocks
- CST: the whole enterprise network is treated as logically running 1 and only 1 CST. This is done mainly so that MSTP can talk to legacy 802.1D.
- Within the CST there is an MST Region, acting as a logical "black box" from the whole CST's perspective.
- Within the MST Region there are MSTIs (MST Instances). Maximum 16 MST instances.
- Instance 0 is always called the IST (Internal Spanning Tree instance). Only MSTI0 = IST is allowed to send BPDUs.
- The instance-to-VLAN mapping of the other MSTIs is recorded as a hash value in the IST BPDU, hence there is no need to send the whole instance-VLAN mapping, only the hash.
- Information about the other MSTIs (from 1 to 15) is added as M-Records to the IST BPDU, hence the IST BPDU carries information about all MST instances in the MST Region.
- Any switch outside the MST region must talk to the MST Region using CST over the 802.1Q trunk native VLAN (by default VLAN 1); this is also how a switch running PVST+ (instance per VLAN) communicates with the MSTP region. Here is the interoperability point.
- Every block connects to have operational MSTP.

Concept of CST
- Everything (meaning the whole enterprise network while running MST) is treated as 1 single large instance of CST.
- Within that CST there are MST Regions running MSTIs (including the IST, which is MSTI 0).
- If any non-MST switch outside the MST region wants to talk to the MST region, it can do so using CST (802.1D BPDUs over the trunk). So CST provides compatibility between MST and non-MST switches.

Concept of IST
- The IST runs inside the MST Region; MSTI 0 is always the IST in the MST Region.
- The IST is responsible for managing BPDUs for the MST Region, and also for BPDUs going out from and coming in towards the MST region.
- In a nutshell, the IST is the single logical view of MST that is shown to the "outside world", meaning non-MST switches.
- By default all VLANs are mapped to the IST; MST must be configured to map VLANs to other MSTIs. The IST is enabled on every switch port, no matter whether the VLAN of that port is mapped to any MSTI.

Concept of MST Region
- An MST Region is a domain of switches running MST that share the same MST attributes: MST Configuration Name, MST Revision # and VLAN-to-Instance Mapping.

Configuration
- Global config: spanning-tree mode mst (enables MST)
- Global: enter MST config mode with spanning-tree mst configuration
- Switch(config-mst)# instance instance-id vlan vlan-list
- Switch(config-mst)# revision
- Switch(config-mst)# name
- Switch(config-mst)# show pending: shows the pending config (meaning configured but not yet applied)
EtherChannel (Link Aggregation)

Basics
- FE, GE or 10GE; 2 to 8 links can be aggregated.
- Total bandwidth is TX and RX combined, due to the full-duplex nature: FE = 200 Mbps, 4 FE = 800 Mbps, 8 FE = 1600 Mbps.
- An EtherChannel can be created between 2 different physical switches in a stack. That stack in Cisco terminology = Virtual Switching System (VSS) = multiple physical switches as 1 big logical switch. An EtherChannel using VSS is an MEC (Multichassis EtherChannel).
- If the config of one port in the channel is changed, the config of the other ports is automatically aligned.

Link aggregation protocols

PAgP (Port Aggregation Protocol), Cisco proprietary. The default mode is auto (Cisco docs also say there is no default).
- On: no PAgP exchange, forces aggregation.
- Auto Silent: waits for the other end to start negotiation, but does not expect to receive PAgP packets, so if the other end is ON the link will be aggregated.
- Auto Non-Silent: waits for the other end to start negotiation and expects to receive PAgP packets, so if the other end is ON the link will NOT be aggregated.
- Desirable Silent: does not wait for the other end to start negotiation and does not expect PAgP packets, so if the other end is ON the link will be aggregated.
- Desirable Non-Silent: does not wait for the other end to start negotiation but does expect PAgP packets, so if the other end is ON the link will NOT be aggregated.
- Config:
  (config-if)# channel-protocol pagp
  (config-if)# channel-group number mode { on | {{ auto | desirable } [ non-silent ]}}

LACP (Link Aggregation Control Protocol), IEEE 802.1ad.
- Modes: ON / Active / Passive (self explanatory). The default is Passive mode.
- Also defines a System Priority (priority 0-65535, 32768 default, + MAC), lower preferred. One end switch should have this role and drives which ports will be part of the link aggregation, by identifying the port capabilities of itself and its neighbor.
- Port ID (priority 0-65535, default 32768, + port #), lower preferred. More than 8 ports can be part of the link aggregation, but only 8 will be chosen; the others stay in standby mode and are selected if any active port fails. Lower Port ID ports are preferred.

EtherChannel in a SPAN
- An EtherChannel can't be a SPAN destination. If a port in an EtherChannel is a SPAN destination port, it is removed from the EC and put in the Inactive/Suspended state for as long as it remains a destination.

Bundling checklist
- Same speed and duplex
- Same spanning tree config
- If trunk, then the same native VLAN and the same set of allowed VLANs

EtherChannel guard (commands / troubleshooting)
- To reduce the chances of misconfiguration, the following command is already enabled; it is a guarding feature: (config)# [no] spanning-tree etherchannel guard misconfig
- Puts the port in err-disabled if any misconfiguration is detected.

Show commands
- show etherchannel port-channel
- show etherchannel load-balance
- show etherchannel summary

Load balancing
- Configure: Switch(config)# port-channel load-balance method
- Choices of load-balancing criteria: SRC MAC (the default), DST MAC, SRC DST MAC, SRC IP, DST IP, SRC DST IP, SRC PORT, DST PORT, SRC DST PORT.
- Methodology with a single criterion (either SRC or DST):
  - 2-link channel: the last 1 bit is used; if 0 go to channel link 1, if 1 go to channel link 2.
  - Up to 4-link channel: the last 2 bits are used: 00 = 1st link, 01 = 2nd link, 10 = 3rd link, 11 = 4th link.
  - Up to 8-link channel: the last 3 bits, same methodology as above but with 3 bits.
- Methodology with multiple criteria (both SRC and DST): an XOR is done between the last 1, 2 or 3 bits of both values (XOR of the same bits = 0; e.g. 1 XOR 0 = 1, 0 XOR 0 = 0, 1 XOR 1 = 0). After the XOR, the same method as described above is applied.
- Special case (traffic from router to router): routers use a burned-in MAC address, so if the criterion is SRC or DST MAC, traffic to and from a particular router will use the same link every time if an EC is used between routers.
- Special case (non-IP traffic, e.g. IPX): if IP is configured as the selection criterion, the switch/router automatically selects the "next best" criterion, which could be based on MAC, but will not drop the traffic.
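The bit-selection and XOR methodology above decides whether a channel actually spreads load, and the router-to-router special case is the classic way to end up with every flow on one link. Here is an added example (not from the reference sheet) that models the selection as described: take the criteria values, XOR them when there is more than one, keep the last 1, 2 or 3 bits for a 2-, 4- or 8-link channel, and count how the flows land. The flows are constructed sample data; the model covers only 2-, 4- and 8-link channels, which is an assumption made to keep to the sheet's three cases.

```python
import ipaddress

# Bucket sizes from the sheet: 2 links use the last 1 bit, 4 links the last 2 bits, 8 links the last 3 bits.
BITS_FOR_LINKS = {2: 1, 4: 2, 8: 3}

# Criteria names as on the sheet; each maps to the flow fields it hashes.
METHODS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}


def _as_int(field: str, value) -> int:
    """Turn a MAC string, dotted IPv4 address or port number into the integer whose low bits are used."""
    if field.endswith("_mac"):
        return int(value.replace(":", "").replace(".", ""), 16)
    if field.endswith("_ip"):
        return int(ipaddress.IPv4Address(value))
    return int(value)


def select_link(method: str, flow: dict, n_links: int) -> int:
    """0-based link index: XOR the criteria values, then keep the low bits the channel size needs."""
    if n_links not in BITS_FOR_LINKS:
        raise ValueError("this model covers 2-, 4- and 8-link channels only (assumption)")
    x = 0
    for field in METHODS[method]:
        x ^= _as_int(field, flow[field])      # single criterion: XOR with 0 leaves it unchanged
    return x & ((1 << BITS_FOR_LINKS[n_links]) - 1)


def distribution(method: str, flows: list, n_links: int) -> dict:
    """Flows per link; an easy way to spot a method that polarises traffic onto one member."""
    counts = {i: 0 for i in range(n_links)}
    for flow in flows:
        counts[select_link(method, flow, n_links)] += 1
    return counts


# Constructed sample: eight flows between two routers (fixed burned-in MACs) towards eight hosts.
SAMPLE_FLOWS = [
    {"src_mac": "00:00:0c:00:00:01", "dst_mac": "00:00:0c:00:00:02",
     "src_ip": "10.0.0.1", "dst_ip": f"10.0.1.{i}", "src_port": 40000 + i, "dst_port": 443}
    for i in range(8)
]

if __name__ == "__main__":
    for method in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(method, distribution(method, SAMPLE_FLOWS, 4))
```

With the sample flows, src-dst-mac puts all eight flows on the same member (the two router MACs never change), while src-dst-ip spreads them evenly: the concrete reason the sheet's router-to-router special case recommends an IP-based criterion.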
Multilayer Switching (MLS) basics

MLS means that one piece of hardware (the switch) does both Layer 2 switching between hosts within a
VLAN and Layer 3 routing between VLANs (inter-VLAN routing). Inter-VLAN routing is done either by a
router or by a multilayer switch.

Legacy approach: "Route Once, Switch Many"
  - a combined effort of the Route Processor (RP) and the Switching Engine (SE)
  - the RP routes the 1st packet of a flow
  - subsequent packets are switched by the SE, which learned the route from the RP on that 1st packet

CEF approach (current, in use)
  Two main components:
  1. Layer 3 Engine
     - processes routes normally, using routing protocols or static routes
     - has the routing table
     - has the ARP table
  2. Layer 3 Forwarding Engine
     - has the Forwarding Information Base (FIB)
     - has the Adjacency Table
     - has a Rewrite Engine (not listed as a standard component, but present): it rewrites the source
       MAC, the destination MAC, decrements the TTL, and updates the IP header checksum and the Layer 2
       frame checksum
     Remember that the Layer 3 Forwarding Engine is a hardware based forwarding engine, so it
     "switches" packets, it does not "route" them. Routing is done by the Layer 3 Engine.

  FIB
    - arranges routes in order, longest prefix first
    - also contains "host" routes (/32) for quick forwarding
    - holds the next hop IP for each prefix (the next hop IP to MAC mapping is in the adjacency table)
    - when the FIB has chosen the path and the adjacency table has supplied the next hop MAC, the
      packet goes to the rewrite engine (src MAC, dst MAC, TTL decrement etc.) for transport
    - an entry shown as "receive" in the CEF table has no CEF adjacency: packets for that prefix are
      addressed to the switch itself and are handled internally by the "receiving" switch
    - when the FIB is full, no more routes can be added to it

  Adjacency table
    - Layer 2 to Layer 3 mapping (IP to MAC): provides the MAC address of the next hop Layer 3 IP
    - if the adjacency table has no entry for the next hop MAC, the entry is in "CEF glean state": a
      request goes to the Layer 3 engine to send an ARP request and, once it gets the reply, to provide
      the MAC to the adjacency table. Check with: show ip cef adjacency glean
    - in the meantime any further packets to that destination are dropped; this is called ARP
      throttling. The Layer 3 engine re-sends the ARP request every 2 seconds until a reply lets CEF
      come out of the "glean" state
    - additional adjacency types exist to handle other situations:
        Null adjacency: to blackhole traffic (routes to Null0)
        Drop adjacency: traffic dropped due to other issues, e.g. an encapsulation mismatch (show cef drop)
        Discard adjacency: packets discarded because of an access list
        Punt adjacency: packets that cannot be CEF switched and are punted (see "CEF punt" below)

  CEF punt
    Some packets cannot be switched by CEF; they are "punted" (kicked out of CEF) to the Layer 3 engine:
    - packets with an expired TTL
    - MTU exceeded, the packet needs fragmentation
    - entry not found in the FIB
    - the packet requires an ICMP redirect
    - the packet's encapsulation is not supported
    - the packet requires NAT
    - an IP access list with the log option matches the packet
    - the FIB is full, so the route could not be added

  CEF check commands
    show ip cef
    show adjacency
    show cef not-cef-switched
    show cef drop
    show ip cef adjacency glean

CEF further optimization
  Accelerated CEF (aCEF)
    - multiple line cards, each with its own forwarding engine, download not the full FIB but only the
      "required" entries from the main Layer 3 engine
    - if specific route info is not in the FIB portion they hold, they request it "on the fly" from the
      main Layer 3 engine
    - not really "wire speed" switching, but better than having only 1 main/central FIB
  Distributed CEF (dCEF)
    - every line card (dedicated hardware, e.g. in a Catalyst 6500) has its own locally installed
      forwarding engine with a full copy of the FIB, so forwarding is "distributed"
    - best performance compared to aCEF and normal (central) CEF

Ports config
  - Layer 2 port: "switchport"
  - Layer 3 port: "no switchport"
  - to use IPv6 along with IPv4 on platforms with SDM templates, configure "sdm prefer
    dual-ipv4-and-ipv6 default" (a reload is needed for the template to take effect)

SVI (Switched Virtual Interface)
  - a logical Layer 3 interface that represents a VLAN
  - for the SVI to come up, the VLAN must exist and at least 1 port in the VLAN must be active with STP
    converged on it; this behaviour is called "SVI autostate"
  - to leave a particular port out of that calculation, give "switchport autostate exclude" on the
    interface; that port's state is then ignored when deciding whether the SVI is up, so the SVI does
    not go down just because that port is down (nor stay up only because of it)
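The CEF lookup path described above (longest-prefix match in the FIB, adjacency lookup with the glean state, the receive and null adjacencies, rewrite, and the main punt reasons) as a small model in code. This is an added example, not code from the notes and not IOS internals; the FIB, adjacency table, MAC addresses and packets are constructed sample data, and the order of the checks is a simplification of what the forwarding ASIC does.

```python
"""Toy model of the CEF forwarding path: FIB longest-prefix match, adjacency
lookup (including the glean state), the "receive" and null adjacencies, the
rewrite step, and the main reasons a packet is punted.

Added example, not code from the original notes and not Cisco IOS internals.
All tables, MACs and packets are constructed sample data.
"""
import ipaddress

# Constructed FIB: prefix -> (next hop, egress interface).
# "receive" marks the switch's own address, "attached" a connected subnet,
# and "Null0" a route whose adjacency is the null (blackhole) adjacency.
FIB = {
    "10.0.0.0/8":     ("10.0.0.1", "Vlan10"),
    "10.0.0.0/24":    ("attached", "Vlan10"),
    "10.0.0.254/32":  ("receive", None),
    "192.168.1.0/24": ("10.0.0.2", "Vlan10"),
    "172.16.0.0/16":  ("Null0", None),
}

# Constructed adjacency table: next-hop IP -> MAC. None = ARP unresolved (glean).
ADJACENCY = {
    "10.0.0.1": "0000.0c07.ac0a",
    "10.0.0.2": "0006.5b02.a841",
    "10.0.0.50": None,
}

OWN_MAC = "0000.0c12.3456"   # constructed MAC of the switch's Vlan10 SVI
EGRESS_MTU = 1500


def fib_lookup(dst_ip):
    """Longest-prefix match: the most specific FIB entry wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, entry in FIB.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def forward(pkt):
    """Forwarding decision for a packet dict with dst_ip, ttl and len."""
    if pkt["ttl"] <= 1:
        return {"action": "punt", "reason": "TTL expired"}
    hit = fib_lookup(pkt["dst_ip"])
    if hit is None:
        return {"action": "punt", "reason": "no FIB entry"}
    net, (next_hop, egress) = hit
    if next_hop == "receive":          # destined to the switch itself
        return {"action": "receive", "prefix": str(net)}
    if next_hop == "Null0":            # null adjacency: blackhole
        return {"action": "drop", "adjacency": "null"}
    if pkt["len"] > EGRESS_MTU:        # needs fragmentation: cannot stay in CEF
        return {"action": "punt", "reason": "fragmentation needed"}
    if next_hop == "attached":         # connected subnet: adjacency is the host itself
        next_hop = pkt["dst_ip"]
    mac = ADJACENCY.get(next_hop)
    if mac is None:
        # Glean state: the L3 engine sends ARP; packets are dropped meanwhile (ARP throttling)
        return {"action": "glean", "next_hop": next_hop}
    # Rewrite engine: new Layer 2 header, TTL decremented
    return {"action": "forward", "egress": egress, "prefix": str(net),
            "src_mac": OWN_MAC, "dst_mac": mac, "ttl": pkt["ttl"] - 1}
```

The host route 10.0.0.254/32 beats 10.0.0.0/24 and 10.0.0.0/8 for the switch's own address, which is why it shows as "receive"; 10.0.0.50 is on the attached subnet but has no resolved adjacency yet, so it lands in glean.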
DHCP

Basics and messages involved (RFC 2131 explains DHCP)
  DHCP Discover: sent as a broadcast by the client to acquire an IP address. Though the client does not
    yet have "any" IP address, it can still send this broadcast. It is received by "all" DHCP servers the
    broadcast can reach.
  DHCP Offer: sent back by the server, again as a broadcast, because the client does not yet have an IP
    address at which a unicast could reach it. Contains all the info about the offer (IP, gateway, lease
    time etc.).
  DHCP Request: again sent as a broadcast by the client to "formally" ask the server for the "offered"
    IP. It contains specific info about the chosen server, so that all "servers" know which "server's"
    offer the client is requesting.
  DHCP ACK (acknowledgement): confirmation from the server that the IP address is now formally
    reserved for the client. Can be sent as unicast or broadcast (based on config).

  Many broadcast messages are involved, so the scope of DHCP is limited to a "VLAN"; otherwise we need
  a method to forward the broadcasts to 1 centralized DHCP server.
  DHCP Relay: the method to transport DHCP broadcast messages to 1 centralized DHCP server as unicast.
  Clients send broadcasts; the switch (SVI with an ip helper-address), acting as relay, changes them to
  unicast towards the server.

DHCP options
  - options are like "telling a bit more" to the client apart from IP address/mask/gateway/lease time
  - options are predefined standard numbers that tell the DHCP client about a related device/hardware/
    service
  - examples: option 43 (vendor-specific; used for the location of the Wireless LAN Controller),
    option 69 (location of the SMTP server)
  - configured with: Switch(dhcp-config)# option option-num value

Configuring DHCP, points to note
  - by default, when the switch is configured as DHCP server, the lease is for 1 day
  - Switch# show ip dhcp binding: check the DHCP bindings
  - Switch# clear ip dhcp binding: clear bindings
  Manual binding, if required
    - create a pool with only 1 IP, using the "host" command
    - also identify the client in the pool config, with either a client identifier or a MAC address
      Client identifier: used by the DHCP protocol. It starts with 01 (hex), where "01" is the hardware
        type (Ethernet), followed by the MAC address, so the total client identifier is 8 + 48 = 56 bits.
      MAC address (hardware-address): used by BOOTP, if BOOTP is in use. BOOTP is the legacy IP address
        assignment protocol, superseded by DHCP.

DHCPv6
  - for IPv6, the DHCP server can be configured to assign the IPv6 address, DNS server, domain name etc.
  - define the DHCPv6 pool name: Switch(config)# ipv6 dhcp pool pool-name
  - then on the switch port/SVI, reference this pool: Switch(config-if)# ipv6 dhcp server pool-name
  DHCPv6 Lite
    - "Lite" means the client acquires its IPv6 address through the normal stateless autoconfiguration
      process; only options such as DNS/domain are obtained from the switch acting as DHCPv6 server
    - config is the same as above, but do not define an IPv6 prefix for address assignment; only define
      DNS/domain name, then give Switch(config-if)# ipv6 nd other-config-flag
    - this command tells clients that for "other config" the switch's DHCPv6 server will provide the info
  IPv6 DHCP Relay
    - Switch(config-if)# ipv6 dhcp relay destination ipv6-address
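The Discover/Offer/Request/Ack flow and the relay behaviour above, modelled in code. This is an added example, not from the notes and not a real DHCP implementation: messages are plain dicts rather than wire-format packets. It shows the relay turning the client's broadcast into a unicast to the central server (filling in giaddr so the server picks the pool for the client's subnet), the Request naming the chosen server, and the Cisco-style client identifier (01 + MAC). The server address, relay SVI, pool, MACs and the one-day lease are all constructed.

```python
"""DHCPv4 DORA exchange through a relay agent, modelled on the message flow above.

Added example, not code from the original notes and not a real DHCP server:
messages are plain dicts. All addresses, MACs, pools and the lease are
constructed sample values.
"""

BROADCAST = "255.255.255.255"
ONE_DAY = 86400   # default lease of a Cisco IOS DHCP server, per the notes


def client_identifier(mac):
    """Cisco client-identifier for Ethernet: hardware type 01 + 48-bit MAC (56 bits)."""
    return "01" + mac.replace(".", "").replace(":", "").lower()


class DhcpServer:
    def __init__(self, server_ip, pools):
        self.ip = server_ip
        self.pools = pools      # "10.1.10.0" -> {"free": [...], "router": ..., "lease": ...}
        self.offers, self.bindings = {}, {}

    def _pool_for(self, giaddr):
        # Pick the pool matching the relay's interface subnet (/24 in this sample)
        return self.pools.get(giaddr.rsplit(".", 1)[0] + ".0")

    def handle(self, msg):
        pool = self._pool_for(msg["giaddr"])
        if pool is None:
            return None                          # no pool for that subnet: stay silent
        cid = msg["client_id"]
        if msg["type"] == "DISCOVER":
            ip = self.bindings.get(cid) or self.offers.get(cid)
            if ip is None:
                if not pool["free"]:
                    return None                  # pool exhausted
                ip = pool["free"][0]
            self.offers[cid] = ip
            return self._reply("OFFER", ip, pool, msg)
        if msg["type"] == "REQUEST":
            if msg["server_id"] != self.ip:      # client chose another server's offer
                self.offers.pop(cid, None)
                return None
            ip = self.offers.pop(cid)
            if ip in pool["free"]:
                pool["free"].remove(ip)
            self.bindings[cid] = ip
            return self._reply("ACK", ip, pool, msg)
        raise ValueError(msg["type"])

    def _reply(self, kind, ip, pool, msg):
        return {"type": kind, "yiaddr": ip, "router": pool["router"], "lease": pool["lease"],
                "server_id": self.ip, "client_id": msg["client_id"],
                "dst": msg["giaddr"]}            # unicast back to the relay


class Relay:
    """Switch SVI with an ip helper-address: broadcast in, unicast out."""
    def __init__(self, svi_ip, helper):
        self.giaddr, self.helper = svi_ip, helper

    def to_server(self, bcast):
        assert bcast["dst"] == BROADCAST
        return dict(bcast, dst=self.helper, giaddr=self.giaddr)

    def to_client(self, reply):
        return dict(reply, dst=BROADCAST)        # client has no address yet


def run_dora(mac, relay, server):
    """Full exchange for one client; returns the ACK as the client sees it (or None)."""
    cid = client_identifier(mac)
    discover = {"type": "DISCOVER", "client_id": cid, "dst": BROADCAST, "giaddr": "0.0.0.0"}
    offer = server.handle(relay.to_server(discover))
    if offer is None:
        return None
    offer = relay.to_client(offer)
    request = {"type": "REQUEST", "client_id": cid, "dst": BROADCAST, "giaddr": "0.0.0.0",
               "server_id": offer["server_id"], "requested_ip": offer["yiaddr"]}
    ack = server.handle(relay.to_server(request))
    return relay.to_client(ack) if ack else None


# Constructed topology: server in 10.1.1.0/24, clients behind the relay in 10.1.10.0/24
SERVER = DhcpServer("10.1.1.5", {
    "10.1.10.0": {"free": ["10.1.10.50", "10.1.10.51"], "router": "10.1.10.1", "lease": ONE_DAY}})
RELAY = Relay("10.1.10.1", "10.1.1.5")
```

A relay on a subnet the server has no pool for gets no reply at all, which is the usual symptom of a missing pool or a wrong helper address.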
Logging

Syslog basics
  - syslog messages have a particular format: Timestamp - Facility - Severity - Mnemonic (basic
    descriptive code) - Text, e.g. %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  - by default the timestamp is the switch "uptime"
  - severity levels nest like circular plates: choosing level 7 means you get messages all the way from
    7 down to 0 (0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications,
    6 informational, 7 debugging)
  - to stop access ports from generating a message for every user-port up/down, use
    Switch(config-if)# no logging event link-status

Syslog message depositories
  Console: messages are sent to the console
    - viewable only if we connect over the console port
    - if we connect using Telnet/SSH, console messages can be shown in the Telnet/SSH session with the
      "terminal monitor" command
    - by default, severity 7 and above (7 down to 0) messages are sent to the console
    - Switch(config)# logging console severity
  Internal buffer: messages are saved in an internal switch buffer
    - disabled by default; enable it with Switch(config)# logging buffered severity
    - default size is 4096 bytes, enough for about 50 lines of messages; change it with
      Switch(config)# logging buffered size (4096 to 2147483647 bytes)
    - the buffer rolls over: as it fills up, new messages overwrite the oldest ones
    - don't give it too many bytes, as the switch may need the memory for other tasks
  Remote server: export messages to an external syslog server and save them there
    - sent to UDP port 514, so only IP connectivity is required
    - Switch(config)# logging host ip-address
    - Switch(config)# logging trap severity

Switch timestamps for logging
  - default is based on "uptime"
  - default internal time of a Cisco switch is 1 March 1993!
  - service timestamps cmd: Switch(config)# service timestamps log datetime [ localtime ] [ show-timezone ] [ msec ] [ year ]
    [localtime] shows timestamps in the locally configured time zone; otherwise UTC (as received from the
    time server) is shown

NTP
  - the authoritative time source is at stratum 1; any server synchronizing its time with a stratum 1
    device is placed at stratum 2, and so on, based on its proximity to that source
  - devices in the network may synchronize with any server; small delays between the layers of
    synchronization are handled well by NTP
  NTP modes
    NTP server: can sync with upper stratum servers and also act as time server for other devices
    NTP client: can sync with its server, but cannot provide time to anyone
    NTP peer: can exchange/share time with other devices also acting as peers
    NTP broadcast: acts as a server that broadcasts/multicasts time in one direction, like a time "push"
  - cfg cmd: Switch(config)# ntp server ip-address [ prefer ] [ version { 3 | 4 }]; version 3 is the
    default on older IOS, version 4 adds IPv6 support
  One caveat: central authoritative time sources provide accurate time in UTC but do not adjust for
    the local time zone or daylight saving. For this use "clock timezone" and "clock summer-time", so the
    switch knows its offset and when to shift the time in summer.
  NTP authentication
    - clients authenticate servers, not servers authenticating clients
    - first define a key with a number, then enable authentication, then specify the key number to
      trust, then reference the key on the server for which we need authentication:
      Switch(config)# ntp authentication-key number md5 value
      Switch(config)# ntp authenticate
      Switch(config)# ntp trusted-key number
      Switch(config)# ntp server ip-address key number
  NTP access group
    - we can apply an ACL to NTP to control access & activities:
      serve-only: serves only synchronization requests, does not synchronize its own time from them
      serve: serves synchronization and control requests, does not synchronize its own time
      peer: serves synchronization and control requests and also synchronizes its own time
      query-only: serves only control requests
  SNTP (Simple Network Time Protocol)
    - lite version of NTP
    - when configured with SNTP, the switch can only act as a client
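The message format and the "level N means N down to 0" rule above, applied to sample lines. This is an added example, not from the notes: a parser for IOS-style syslog lines and the filter a remote server configured with "logging trap level" effectively applies, plus a list of mnemonics a SOC would forward regardless of level. The mnemonics used (LINK-3-UPDOWN, LINEPROTO-5-UPDOWN, SYS-5-CONFIG_I, SEC_LOGIN-4-LOGIN_FAILED, SYS-7-USERLOG_DEBUG) are real IOS message names; the interfaces, users and addresses in the sample lines are constructed.

```python
"""Parse Cisco-style syslog lines and apply a severity threshold, following the
message format and the "level N means N down to 0" rule described above.

Added example, not from the original notes. Sample lines are constructed in
the IOS format; the mnemonics are real IOS names, the details are made up.
"""
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

# [seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:\*?(?P<ts>[^%]+?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Mnemonics a SOC usually wants forwarded regardless of their severity number
SECURITY_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED", "LOGIN_SUCCESS", "PSECURE_VIOLATION"}


def parse_line(line):
    """Return a dict (seq, ts, facility, sev, severity, mnemonic, text) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sev"] = int(d["sev"])
    d["severity"] = SEVERITY_NAMES[d["sev"]]
    return d


def passes_level(msg, configured_level):
    """'logging trap 4' sends levels 0..4, i.e. numerically <= the configured level."""
    return msg["sev"] <= configured_level


def select_messages(lines, configured_level, always_forward=SECURITY_MNEMONICS):
    """Messages that reach a server configured with `logging trap <level>`,
    plus security-relevant ones that the level alone would drop."""
    out = []
    for line in lines:
        msg = parse_line(line)
        if msg and (passes_level(msg, configured_level) or msg["mnemonic"] in always_forward):
            out.append(msg)
    return out


SAMPLE_LINES = [   # constructed
    "000123: *Mar  1 00:01:23.456 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down",
    "000124: *Mar  1 00:01:24.001 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down",
    "1w2d: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed] at 00:02:10 UTC Mon Mar 1 1993",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "not a syslog line",
]
```

Note the third and fourth sample lines: without "service timestamps log datetime" the timestamp is an uptime such as 1w2d, and with the default clock a datetime stamp still reads 1993, which is why NTP matters for correlating logs across devices.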
SNMP

Main components
  SNMP Manager: central management station that can poll devices and receive traps. It communicates
    with the SNMP agent at UDP port 161 and receives traps/informs from agents at UDP port 162.
  SNMP Agent: application that runs on the remote hardware and holds the MIB database. It answers the
    manager's requests and can also send "unsolicited" traps (no acknowledgement required) and
    "informs" (acknowledgement required) to the SNMP manager at UDP port 162.
  MIB: a database of objects (such as interface, CPU) and MIB variables (e.g. incoming byte counter),
    each identified by an object identifier of the form object-code.x.x.x (variable code)

SNMP manager messages
  Get Request: asks the agent for info (a MIB variable)
  Get Next Request: asks for the next available MIB variable (sent after a Get Request if needed)
  Get Bulk Request: retrieves a table/list of multiple variables at once
  Set Request: sets a MIB variable to a specific value

SNMP versions
  V1: authentication only through community strings; 32-bit counters (used for the interface counters
      such as in bytes, out bytes, errors, CRCs)
  V2c: authentication still through community strings; counters increased to 64 bits; Inform message
       type added (agent to manager, it wasn't there in V1); Bulk message type added (manager to agent)
  V3: authentication through usernames; usernames are grouped into "username groups", and groups are
      assigned "access capability" to MIBs/messages, hence flexible control over who can read/write/
      access which messages. Message authentication (MD5/SHA) gives integrity and origin checking;
      encryption (DES/3DES/AES) between manager and agent gives confidentiality.
      Security options:
        NoAuthNoPriv: no authentication, no data encryption
        AuthNoPriv: authentication with username/password, but no encryption
        AuthPriv: authentication and also encryption

V1 config
  Step 1: define an access list identifying the IP addresses of the SNMP managers allowed (or not
    allowed) to access the switch
    access-list access-list-number permit ip-addr
  Step 2: define the community string (either ro or rw) and attach the access list to it; the same
    string must be configured on the manager
    snmp-server community community-string [ ro | rw ] [ access-list-number ]
  Step 3: define the SNMP host (the manager), the community string used by this manager, and which
    "traps" are sent to it (by default no traps)
    snmp-server host host-address community-string [ trap-type ]

V2c config
  Steps 1 and 2: same as V1
  Step 3: same as V1, except that v2c introduces "informs" in addition to "traps"
    snmp-server host host-address [ informs ] version 2c community-string

V3 config
  Step 1: same as V1 & V2c (access list)
  Step 2: define a "view" (which objects/MIB variables are visible under that view)
    snmp-server view view-name oid-tree { included | excluded }
  Step 3: define a group (a group is a collection of "users" with defined security levels and views)
    snmp-server group group-name v3 { noauth | auth | priv } [ read read-view ] [ write write-view ] [ notify notify-view ] [ access access-list ]
  Step 4: create users and attach them to the group (multiple usernames can be attached to the same group)
    snmp-server user user-name group-name v3 auth { md5 | sha } auth-password priv { des | 3des | aes { 128 | 192 | 256 } } priv-password [ access-list-number ]
  Step 5: define the SNMP manager "host" and attach a username to it
    snmp-server host host-address [ informs ] version 3 { noauth | auth | priv } username [ trap-type ]
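Why the counter width in the version list above matters in practice, as an added example (not from the notes, and using no SNMP library): a manager polling a 32-bit ifInOctets counter must handle the wrap, and if it polls more slowly than the counter can wrap once on a saturated link, every delta becomes ambiguous. The counter readings and link speeds are constructed; the 64-bit ifHCInOctets counter of v2c/v3 removes the problem for any realistic polling interval.

```python
"""SNMP interface counters: 32-bit (v1) versus 64-bit (v2c/v3 high-capacity)
counters, wrap-aware deltas and the longest safe polling interval.

Added example, not from the original notes. No SNMP library is used; the
values are constructed readings as a manager would get from ifInOctets
(32-bit) or ifHCInOctets (64-bit).
"""


def counter_delta(prev, curr, width):
    """Octets transferred between two polls, allowing for one counter wrap."""
    modulus = 1 << width
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError(f"value does not fit a {width}-bit counter")
    return (curr - prev) % modulus


def max_poll_interval(link_bps, width):
    """Seconds after which a saturated link can wrap the counter once.
    Polling less often than this makes every delta ambiguous (wraps go uncounted)."""
    return ((1 << width) * 8) / link_bps


def rate_bps(prev, curr, width, seconds, link_bps=None):
    """Average bit rate between two polls; refuses a poll gap that can hide a wrap."""
    if link_bps is not None and seconds > max_poll_interval(link_bps, width):
        raise ValueError("poll interval too long for this counter width at this link speed")
    return counter_delta(prev, curr, width) * 8 / seconds


if __name__ == "__main__":
    for speed, label in ((1_000_000_000, "1G"), (10_000_000_000, "10G")):
        print(f"{label}: 32-bit wraps after {max_poll_interval(speed, 32):.1f} s, "
              f"64-bit after {max_poll_interval(speed, 64):.3e} s")
```

A 32-bit octet counter on a saturated 10G link wraps in about 3.4 seconds, so a five-minute v1 poll cannot tell one wrap from many; the same counter at 64 bits takes centuries to wrap.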
IP SLA

Basics
  - used for live network performance monitoring; IP SLA operations act like "probes" in the network and
    provide SLA statistics
  - has an IP SLA source and an IP SLA destination/responder
  - to start, the IP SLA source establishes a "control" session with the destination using UDP port 1967
  - IOS can run multiple IP SLA operations at the same time
  - it is important that, in cases where a responder is required, the clocks are synchronized using NTP
  - the result of an IP SLA operation can be tracked and action taken as per the returned result

Probes available
  - the IP SLA source has various options depending on what is measured: ICMP echo, UDP jitter etc.
  - for UDP jitter the responder must also reply, so that the timestamps can be compared to measure jitter
    Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port [ source-ip source-ip-addr ] [ source-port source-udp-port ] [ num-packets number-of-packets ] [ interval packet-interval ]
  - for UDP jitter, voice testing can also be added with a codec:
    Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port codec { g711alaw | g711ulaw | g729a }

Config
  Responder: simple config, Switch(config)# ip sla responder
    - a responder is not required in all cases (e.g. ICMP echo needs none); it is required only where a
      UDP protocol type that does not normally reply needs to reply
  Security: enable it by adding a key chain, Switch(config)# ip sla key-chain chain-name
  SLA schedule: an SLA can be scheduled with start, end and recurring times
  IP SLA can work in coordination with SNMP: the SNMP manager can configure IP SLA automatically and
    retrieve the results. This is possible by giving the manager read and write access to the IP SLA
    MIBs (IP SLA has its own MIB!)

For tracking purposes
  Switch(config)# track object-number ip sla operation-number { state | reachability }
  "state" tracks the return code or state of the IP SLA operation (a single bit, either 0 or 1)
  "reachability": the result is up if the IP SLA operation is successful or has risen above a threshold

Monitor
  Switch# show ip sla configuration
  Switch# show ip sla statistics [ aggregated ]: without the keyword this shows only the latest SLA
    statistics; with "aggregated", a summary of the test results monitored over the whole operational
    duration is shown
SPAN

Basics
  - SPAN simply copies the frame and sends it to the destination (DST) port; it is only mirroring, so
    the original traffic is not affected
  - "RX" packets are mirrored and sent to the DST port before any ingress policies are applied, e.g. an
    ACL may drop a packet, but the mirrored copy will still have been sent by the switch
  - the source (SRC) can be a physical interface, a VLAN, an EtherChannel (EC), a specific port in an EC,
    or a trunk. If a trunk, we can filter which VLANs of the trunk are monitored. If a specific port in
    an EC, only the traffic on that port is monitored.
  - the SRC port can't be an SVI
  - the traffic direction to be monitored can be RX (received at the source), TX (transmitted from the
    source) or both; both is the default
  - a source port can be monitored in multiple SPAN sessions; source ports can be in the same or in
    different VLANs
  - a destination port can participate in only one SPAN session at a time
  - src port and dst port bandwidth can differ: if the src port is 10G and the SPAN dst port only 1G,
    the Gig port can be overwhelmed. Traffic at the dst port is placed in the input queue just like
    normal traffic
  - by default the switch does not send tagged packets or any switch-generated packets (BPDUs, DTP,
    PAgP, VTP) to the SPAN dst port; to send these too, add the keyword "encapsulation replicate"
  - the number of SPAN sessions depends on the switch hardware, e.g. a Catalyst 3750 supports 2 SPAN
    sessions, a 6500 supports 64

Local SPAN config
  Source port(s): Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id } [ rx | tx | both ]  (default is "both")
  Destination port: Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]
  SPAN src as trunk port, filtering the VLANs for which traffic is mirrored:
    Switch(config)# monitor session session-number filter vlan vlan-range
  Caveat: by default the SPAN dst port is not expected to send any traffic into the switch, it only
    receives the mirrored copies. If the device on the dst port also needs to send traffic into the
    network, define what traffic to expect with the "ingress" option on the destination command:
    ingress { dot1q vlan vlan-id | isl | untagged vlan vlan-id }
    for dot1q traffic specify the VLAN tag, for ISL mention isl, for normal untagged traffic mention
    untagged with the VLAN to place it in
  To remove SPAN: Switch(config)# no monitor session { session | range session-range | local | all }

RSPAN (Remote SPAN): the src is at one switch and the SPAN dst is at another switch
  - we need to create a Remote SPAN VLAN; this VLAN needs to exist end to end from src to dst
  - STP operates on this VLAN normally to prevent bridging loops
  - it is normal to have multiple RSPAN VLANs in a network at the same time, each defining a
    network-wide RSPAN session. Its purpose is to present a copy of all RSPAN VLAN packets (except
    Layer 2 control packets) to the user for analysis
  - there can be more than one source session and more than one destination session active in the same
    RSPAN VLAN
  - an RSPAN destination session and an RSPAN source session that use the same RSPAN VLAN cannot run
    on the same switch or switch stack
  At the SRC switch, identify the source port or VLAN; the destination is the RSPAN VLAN:
    Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id } [ rx | tx | both ]
    Switch(config)# monitor session session-number destination remote vlan rspan-vlan-id
  At the DST switch, the source is the RSPAN VLAN and the destination is a physical port:
    Switch(config)# monitor session session-number source remote vlan rspan-vlan-id
    Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]
High Availability concepts

Logical switches
  - objective: use redundant links that would normally be "blocked", ease management/config, simplify
    the topology
  - dist/core layer switches can be made redundant as users are not directly connected to them; the
    access layer can't in the same way, as users are directly connected and any failure means the end
    user has no access
  - so if we create a logical switch at the access layer and also at distribution, we can combine the
    physical links between them into an EtherChannel, and no physical redundant link is left blocked
  - StackWise: Cisco technology to create a logical switch out of multiple physical switches connected
    with stack cables. One switch is the master, and only 1 management IP manages the multiple switches
  - VSS (Virtual Switching System): Cisco proprietary; creates a logical switch out of multiple physical
    chassis. Each physical switch has a supervisor module; if one fails, the other takes over (4500, 6500
    and 8500 series etc.)
  - VSL (Virtual Switch Link): the physical link/cable that connects the 2 independent chassis to create
    the logical switch. The VSL should consist of multiple physical interfaces (again, the point is
    redundancy!)

SUP redundancy config/concept
  - the SUP (supervisor) is the brain of the switch; in itself it has multiple modules, like physical
    chips inserted in the SUP card. Multiple SUPs can exist in a single chassis: one SUP acts as active,
    the other as standby
  - a SUP module does not perform 1 specific function, it has several functions built in. The level of
    redundancy dictates which of those are already ready in the standby module when the active fails
    (see the modules in the diagram below)
  - in conjunction with SUP standby there is also route processor redundancy, the terms often being
    used interchangeably: SRM (Single Router Mode) and DRM (Dual Router Mode)
    SRM: of the 2 RPs, one is active at all times, the other is standby
    DRM: both RPs are active at all times
  Config:
    Switch(config)# redundancy
    Switch(config-red)# mode { rpr | rpr-plus | sso }
    Switch# show redundancy states, to check the status

  3 redundancy modes
  Route Processor Redundancy (RPR)
    - the standby SUP is partially booted; when the active fails, it reloads all other internal modules
      and fully initializes
    - failover time greater than 2 minutes
    - switch ports do not retain their state
  Route Processor Redundancy+ (RPR+)
    - again the standby SUP is partially booted, but the switching modules are initialized during the
      partial boot, so switch ports retain their state
    - failover time greater than 30 seconds
  Stateful Switchover (SSO)
    - the standby SUP is fully booted; startup/running configs are fully synchronized
    - ports retain their state; no traffic outage
    - failover time greater than 1 second

  Config of SUP synchronization
    - by default, the active SUP synchronizes the startup config and the config register with the
      standby SUP; we can change this default if needed and add other items to synchronize
    Switch(config)# redundancy
    Switch(config-red)# main-cpu
    Switch(config-r-mc)# auto-sync { startup-config | config-register | bootvar }
    - to return to the default, use: auto-sync standard

NSF concept/config
  - NSF = Non Stop Forwarding
  - we know the RIB (Routing Information Base) feeds the FIB (Forwarding Information Base); the FIB is
    then downloaded to the switching hardware so that CEF can be performed (CEF depends on the FIB)
  - when the standby SUP becomes active after the active SUP fails, it must update its RIB immediately.
    With NSF this update is achieved quickly, without relying on/waiting for the routing protocols to
    converge
  - NSF is a Cisco feature to expedite the RIB update; NSF-aware routers talk to each other and update
    their RIBs
  - config is needed on both routers: the one that needs assistance to update its RIB and the one
    providing the assistance
    Switch(config)# router bgp as-number
    Switch(config-router)# bgp graceful-restart
    Switch(config)# router eigrp as-number
    Switch(config-router)# nsf
    Switch(config)# router ospf process-id
    Switch(config-router)# nsf
Layer 3 High Availability

Basics
  - L3 HA is about providing a redundant gateway address to local hosts
  - HSRP, VRRP and GLBP are protocols collectively called FHRP (First Hop Redundancy Protocols)
  - ARP requests for the virtual gateway address are answered by the gateway router currently holding
    the role

HSRP (Cisco proprietary)
  - hello messages on UDP port 1985 to 224.0.0.2 (all routers multicast) for HSRPv1; HSRPv2 uses 224.0.0.102
  - active/primary router and standby router; all other routers in the group stay in Listen state
  - HSRP routers go through these states: 1 Disabled, 2 Init, 3 Listen, 4 Speak, 5 Standby, 6 Active
  - the active router replies to ARP requests for the virtual IP
  - default priority 100, range 0-255, higher is better
  - preempt is disabled by default, it can be enabled
  - if priorities are the same, the router with the highest IP address on the HSRP interface becomes active
  - group number range 0-255; the group number is locally significant to the interface
  - HSRP MAC address format 0000.0c07.acXX, where XX is the group number in hex: for group 1 XX is 01,
    for group 16 XX is 10 (16 in binary is 00010000 on the 128 64 32 16 8 4 2 1 scale, so 0001 = 1 and
    0000 = 0)
  - load balancing in HSRP is possible by creating 2 groups, where each router is active for one group
    and standby for the other
  HSRP config
    Switch(config-if)# standby group priority priority, e.g. standby 1 priority 200 (default is 100)
    Switch(config-if)# standby group timers [ msec ] hello [ msec ] holdtime
      default hello = 3 sec, holdtime = 10 sec; the recommended holdtime is at least 3 x hello
      hello range in sec 1-254, holdtime range 1-255; hello range in msec 15-999, holdtime range 50-3000
    Switch(config-if)# standby group preempt [ delay [ minimum seconds ] [ reload seconds ]]
      if preempt is configured, the router with the higher priority takes over at any time. With "delay"
      it waits the configured time (0 to 3600 sec); with "reload" it delays preemption after the router
      has reloaded
    Plain text authentication: Switch(config-if)# standby group authentication string (up to 8 characters)
    MD5 authentication: Switch(config-if)# standby group authentication md5 key-string [ 0 | 7 ] string
      the key string can be entered as "plain text" using 0, or as a type 7 obfuscated string using 7
    MD5 via key chain: Switch(config-if)# standby group authentication md5 key-chain chain-name
      a key chain is more flexible as you can rotate the keys easily
    Tracking: HSRP can track an interface on the HSRP router and decrement its priority so that another
      router may take over the active role. For the other router to take over, its priority must be
      higher and it must have preempt configured
      Switch(config-if)# standby group track type mod/num [ decrement-value ], default decrement is 10
    HSRP IP address: standby group ip ip-address [ secondary ]; with the secondary keyword we tell HSRP
      that the physical interface has a secondary IP and HSRP should also support it
    For IPv6: Switch(config-if)# standby version 2, then standby ipv6 autoconfig
    Show: Router# show standby [ brief ] [ vlan vlan-id | type mod/num ]

VRRP
  - IETF standard (RFC 3768 for VRRPv2), very similar to HSRP
  - Master router and Backup router(s)
  - the master router is the one with the highest priority; priority range 1-254, default 100
  - VRRP group number range 0-255
  - virtual MAC address 0000.5e00.01xx, where xx is the VRRP group number as two hex digits
  - VRRP advertisements are sent at 1-second intervals (range 1-255 sec); backup routers can optionally
    learn this interval from the master. Advertisements are sent to 224.0.0.18 using IP protocol 112
  - by default all VRRP routers preempt the current master if they have a greater priority
  VRRP config
    Switch(config-if)# vrrp group priority level, assign the priority
    Switch(config-if)# vrrp group timers advertise [ msec ] interval, advertise timer, default 1 sec
    Switch(config-if)# vrrp group timers learn, learn the timers from the master
    Switch(config-if)# no vrrp group preempt, disable preempt (enabled by default)
    Switch(config-if)# vrrp group preempt [ delay seconds ], delay preemption by "seconds"
    Switch(config-if)# vrrp group authentication string, plain text authentication (newer IOS releases
      also offer vrrp group authentication md5 key-string / key-chain)
    Switch# show vrrp [ brief ]

GLBP (Cisco proprietary)
  Basics
    - dynamic traffic load balancing by handing out multiple virtual MAC addresses in reply to ARP
    - the gateway address is still 1, hence no multiple-gateway config is required at the hosts
    - 1 router acts as AVG (Active Virtual Gateway), the others are AVFs (Active Virtual Forwarders)
    - up to 4 virtual MACs can be provided in a group, hence up to 4 AVFs; any further routers in the
      GLBP group are in standby state
    - the AVG replies to ARP with 1 of the 4 MACs, based on the load balancing configured
    - AVG election: highest priority (range 1-255, default 100), else the higher IP address on the GLBP
      interface
    - GLBP group numbers range 0-1023
    - preempt is not "on" by default, it must be configured to enable it
    - routers share hellos (default 3 sec, holdtime 10 sec; hello range 1-60 sec or 50-60000 msec;
      holdtime range up to 180 sec or 180000 msec). Hellos can be configured on every router or only on
      the AVG, which shares them with the others in the group
  Details
    - virtual MAC address 0007.b4xx.xxyy (xxxx is the GLBP group, yy the forwarder number)
    - if 1 AVF fails, the AVG assigns another AVF to take care of the failed AVF's hosts. Remember that
      the AVG can also be an AVF. So the new AVF takes care of 2 virtual MAC addresses, its own and the
      failed AVF's
    - this dual role is not recommended for a long time, so:
      Switch(config-if)# glbp group timers redirect redirect timeout
      redirect: time for which the AVG keeps responding with the failed AVF's MAC in ARP replies
      (default 600 sec, range 0-3600); timeout: time after which the AVG no longer responds with the
      failed AVF's MAC and hosts must refresh their ARP tables (default 14400 sec, range 700-64800).
      This protects the new AVF from being over-burdened with responding for 2 virtual MACs for long
    - the AVG can assign AVF roles to routers in the GLBP group based on their weights; weights can be
      tracked and reduced, and the AVG acts on them (default weight 100, range 1-254)
      Switch(config)# track object-number interface type member/module/number { line-protocol | ip routing }, configure tracking (on the AVF)
      Switch(config-if)# glbp group weighting maximum [ lower lower ] [ upper upper ], assign the weight
        to the AVF: if the weight falls to "lower" it must give up the AVF role; if it rises back to
        "upper" it can resume the role (cmd on the AVF)
      Switch(config-if)# glbp group weighting track object-number [ decrement value ], decrement the
        weight based on tracking (cmd on the AVF); default decrement 10, range 1-254
    - load balancing methods (on the AVG): round-robin (each ARP reply gets the next AVF MAC), weighted
      (the MAC of an AVF with a higher weight is replied more often), host-dependent (a specific host
      always gets the same AVF MAC)
      Switch(config-if)# glbp group load-balancing [ round-robin | weighted | host-dependent ]
    - Switch(config-if)# glbp group ip [ ip-address [ secondary ]], configure the GLBP group IP
    - Switch(config-if)# glbp group ipv6 autoconfigure, for IPv6
    - show glbp [ brief ], show command
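The virtual MAC formats and the HSRP election rules above (highest priority, then highest interface IP, no takeover without preempt, priority decremented by interface tracking), as an added example that is not part of the notes and not IOS code. The routers, IPs and tracked interface are constructed; the GLBP function generalises the 0007.b4xx.xxyy rule to any group and forwarder number.

```python
"""Virtual MAC derivation for HSRP, VRRP and GLBP, and an HSRP active/standby
election with preemption and interface tracking, following the rules above.

Added example, not code from the original notes or from IOS. Router records,
IPs and tracked interfaces are constructed.
"""


def hsrp_v1_mac(group):
    """HSRPv1: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_mac(group):
    """VRRP: 0000.5e00.01xx, xx = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("VRRP group must be 0-255")
    return f"0000.5e00.01{group:02x}"


def glbp_mac(group, forwarder):
    """GLBP: 0007.b4xx.xxyy, xxxx = group (16 bits), yy = forwarder number (1-4)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("GLBP group 0-1023, forwarder 1-4")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


def effective_priority(router, down_interfaces):
    """HSRP interface tracking: each tracked interface that is down decrements
    the priority by its configured value (default 10)."""
    prio = router["priority"]
    for iface, decrement in router.get("track", {}).items():
        if iface in down_interfaces:
            prio -= decrement
    return max(prio, 0)


def hsrp_elect(routers, current_active=None, down_interfaces=()):
    """Return (active, standby) router names.

    Highest effective priority wins, ties broken by the highest interface IP.
    A running active router keeps the role unless a better candidate has
    preempt configured.
    """
    def rank(r):
        ip = tuple(int(o) for o in r["ip"].split("."))
        return (effective_priority(r, down_interfaces), ip)

    ranked = sorted(routers, key=rank, reverse=True)
    cur = next((r for r in routers if r["name"] == current_active), None)
    if cur is not None and ranked[0] is not cur and not ranked[0].get("preempt", False):
        ranked.remove(cur)
        ranked.insert(0, cur)            # no preemption: the incumbent stays active
    active = ranked[0]["name"]
    standby = ranked[1]["name"] if len(ranked) > 1 else None
    return active, standby


# Constructed HSRP group on VLAN 10: R1 is meant to be active and tracks its uplink
ROUTERS = [
    {"name": "R1", "ip": "10.1.10.2", "priority": 110, "preempt": True, "track": {"Gi0/1": 20}},
    {"name": "R2", "ip": "10.1.10.3", "priority": 100, "preempt": False},
    {"name": "R3", "ip": "10.1.10.4", "priority": 100, "preempt": False},
]
```

The point the tracking note above makes shows up in the election: when R1's uplink fails its priority drops below R2 and R3, but nothing changes unless one of them has preempt configured.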
Securing Switch Access - best practice
Always protect privileged mode with "enable secret" rather than "enable password": "enable secret" stores a hash, while "enable password" stores the password in clear text or as reversible Type 7 obfuscation. Also configure "service password-encryption" so the remaining clear-text passwords in the configuration are at least obfuscated (Type 7 is reversible, so it only protects against shoulder-surfing, not against someone who has the config file).
Use banners, but with care: "banner motd" is displayed to everyone before the login prompt, so it should carry only a legal warning and never the hostname, model, location or contact details. "banner exec" is shown only after the user has authenticated, so device-specific information belongs there, if anywhere.
Use SSH instead of Telnet (Telnet sends credentials in clear text) and limit which hosts may reach the VTY lines with an access list: Switch(config-line)# access-class 10 in, where ACL 10 permits only the management hosts. Add "transport input ssh" on the VTY lines so Telnet is not accepted at all.
Do not create "rw" community strings for SNMPv1 and v2c; if v1/v2c is needed at all, create only "ro" strings and restrict them with an ACL. Prefer SNMPv3 with authentication and privacy (authPriv).
Disable "ip http server". If web management is required, use only the HTTPS server, "ip http secure-server", and limit access to it with Switch(config)# ip http access-class 1.
Configure unused ports as access ports, shut them down, or assign them to a bogus (unused) VLAN. The "switchport host" macro configures a port as an access port and applies the other access-port settings in one step (switchport mode access, spanning-tree portfast, no channel-group).
Disable CDP/LLDP on any port that is expected to connect to a host and enable them only on ports that connect to authorized switches; CDP/LLDP advertise sensitive information (platform, software version, management addresses, native VLAN). Remember that ports where a Cisco IP phone is expected still require CDP, because the phone learns its voice VLAN through CDP.
Secure STP by enabling BPDU guard on ports where no BPDU is expected (host ports with PortFast); a BPDU arriving on such a port err-disables it.

Port-based security (port security)
Purpose: make sure that only authorized/allowed hosts, identified by MAC address, can access the network through a given port.
Switch(config-if)# switchport port-security, activates port security on an interface (the port must be a static access or trunk port, not a dynamic DTP port)
Switch(config-if)# switchport port-security maximum max-addr, maximum number of MAC addresses the port may learn, range 1-1024, default 1
Switch(config-if)# switchport port-security mac-address sticky, dynamically learned MACs are written into the running config as static entries so they stay in the CAM table and survive a reload once the config is saved (copy running-config startup-config)
Switch(config-if)# switchport port-security mac-address 0006.5b02.a841, manually locks a MAC address to the port
If fewer MACs are configured manually than the maximum allowed on the port, the remaining addresses can still be learned dynamically
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}, action to take when a violation occurs (a frame from a MAC not in the table once the maximum is reached, or a secured MAC seen on another port in the same VLAN):
shutdown (default) - the port is put in err-disabled state, literally shut down; it must be recovered manually (shutdown, then no shutdown) or automatically with "errdisable recovery cause psecure-violation"; the default err-disable recovery interval is 300 s
restrict - the port stays up, frames from the violating MAC are dropped, the violation counter increments and an SNMP trap / syslog message identifies the violation
protect - the port stays up and frames from the violating MAC are dropped silently; no trap or log is generated, which makes it hard to troubleshoot, so restrict is normally preferred over protect
To clear learned MACs (for example after a violation on a port in protect/restrict mode), Switch# clear port-security {all | configured | dynamic | sticky} [interface interface-id]
Switch# show port-security interface gigabitethernet 1/0/11 shows the port-security state and counters for a port; Switch# show interfaces status err-disabled lists err-disabled ports together with the cause
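The following is an added example, not part of the original reference sheet, that puts the management-plane items and the port-security steps above together into one access-switch configuration. The hostname, subnets, ACL numbers, VLAN numbers, user names, secrets and interface numbers are assumptions chosen for illustration.

```cisco
! Added example (not from the original reference sheet): management-plane and
! access-port hardening for a Catalyst access switch. Hostnames, ACL numbers,
! subnets, VLANs, secrets and interface numbers are assumptions.
hostname ACCESS-SW1
ip domain-name example.internal
!
! Privileged-mode secret is hashed; Type 7 covers whatever clear text remains
enable secret StrongEnableSecret!
service password-encryption
username netops secret StrongUserSecret!
!
! Legal notice only: nothing about the device before authentication
banner motd ^
Unauthorized access is prohibited. All activity is monitored and logged.
^
!
! SSH only, reachable only from the management subnet
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 10 permit 10.10.10.0 0.0.0.255
line vty 0 15
 transport input ssh
 access-class 10 in
 login local
 exec-timeout 10 0
!
! No clear-text web server; HTTPS restricted to the same ACL if needed at all
no ip http server
ip http secure-server
ip http access-class 10
!
! SNMPv3 authPriv user instead of any v1/v2c community string
snmp-server group NETOPS-GROUP v3 priv
snmp-server user netmon NETOPS-GROUP v3 auth sha AuthPass123! priv aes 128 PrivPass123!
!
! Automatic recovery (300 s) for the two err-disable causes used below
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User-facing port: one host, sticky MAC, violations logged but port stays up
interface GigabitEthernet1/0/11
 description User port
 switchport host
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Unused ports: access mode, parked in an unused VLAN, shut down
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
end
!
! Verification (exec mode):
! show port-security interface gigabitethernet 1/0/11
! show port-security address
! show interfaces status err-disabled
```

After a reload, the sticky entries appear in the running config as "switchport port-security mac-address sticky 0006.5b02.a841" lines; if they are missing, the configuration was not saved. With "violation restrict" the SecurityViolation counter in "show port-security interface" is the quickest way to see that a second device was plugged into the port.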
Port-based authentication (802.1X)
802.1X is the IEEE standard for port-based network access control: port-level enforcement on the switch combined with AAA (RADIUS) for the authentication decision.
For a successful implementation both the end host (supplicant) and the switch (authenticator) must support EAPOL (Extensible Authentication Protocol over LAN).
If the end host authenticates successfully it gets normal access; if it does not, it gets no access at all.
If the end host supports EAPOL but the switch does not, the host simply ignores 802.1X and communicates normally. If the switch enforces 802.1X and the host does not support it, the switch will not allow the host onto the network.
EAPOL is a Layer 2 protocol and is the only protocol allowed on the port until the host is authenticated. The port starts in the unauthorized state; the host must authenticate to move the port to the authorized state. Once the authenticated host logs off (EAPOL-Logoff) or the link goes down, the port reverts to the unauthorized state.
For 802.1X the switch must use a RADIUS server (RADIUS is the only AAA protocol Cisco switches support for 802.1X; TACACS+ cannot be used here).
Switch(config)# aaa new-model, enable AAA
Switch(config)# radius-server host {hostname | ip-address} [key string], define the RADIUS server and the shared key between switch and server used to authenticate their exchange
Switch(config)# aaa authentication dot1x default group radius, tell the switch to use the defined RADIUS server(s) for 802.1X
Switch(config)# dot1x system-auth-control, enable 802.1X globally on the switch (without this the per-port command has no effect)
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}, enable 802.1X on a switch port
force-authorized (default) - the switch authorizes any connected host without authentication, literally leaving the door open for anyone
force-unauthorized - the port never authorizes any connected client, literally blocking everyone
auto - the port uses the 802.1X exchange to move from the unauthorized to the authorized state if authentication succeeds; this requires an 802.1X-capable supplicant on the client PC and is the correct setting when hosts must authenticate to get access
By default a port authorizes a single host, which is the normal case since 802.1X is meant to admit one authenticated host. If more than one host is expected behind the port (for example a hub), Switch(config-if)# dot1x host-mode multi-host lets all hosts use the port after the first one authenticates successfully; in other words one authenticated host opens the port for everyone behind it, so use it only where that is acceptable
Switch# show dot1x all, show 802.1X status globally and per port
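As an added example (not from the original reference sheet), here is the complete 802.1X configuration that the steps above describe, for a normal user port, a hub port in multi-host mode and an uplink that must never be gated. The RADIUS server address, shared key, VLAN and interface numbers are assumptions.

```cisco
! Added example (not from the original reference sheet): end-to-end 802.1X on
! an access switch. Server address, shared key, VLAN and interface numbers
! are assumptions.
aaa new-model
!
! RADIUS is the only AAA protocol usable for 802.1X on Cisco switches
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key RadiusSharedKey!
aaa authentication dot1x default group radius
!
! Global enable; without it "dot1x port-control" has no effect
dot1x system-auth-control
!
! Normal user port: one supplicant, must authenticate before any traffic
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 dot1x pae authenticator
 dot1x port-control auto
!
! Port behind a hub: first successful authentication opens the port for all
! hosts behind it, and a log-off by that host closes it for all of them
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
!
! Uplink: explicitly left at the default so the trunk is never blocked
interface GigabitEthernet1/0/24
 description Uplink
 dot1x port-control force-authorized
!
end
!
! Verification (exec mode):
! show dot1x all                                - global state, per-port PAE state
! show dot1x interface gigabitethernet 1/0/11   - port status (AUTHORIZED/UNAUTHORIZED)
! debug dot1x events                            - watch EAPOL start/response and RADIUS exchange
```

"dot1x pae authenticator" is required on newer IOS releases for the port to act as authenticator; older releases accept it as a no-op. Until the supplicant succeeds, the port shows UNAUTHORIZED in "show dot1x interface" and only EAPOL frames are accepted.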
Storm Control
Limits broadcast, multicast and unknown unicast frames as they enter a switch port, so a loop or a malicious host cannot flood the whole VLAN.
Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Each form takes two values: a rising threshold (level, bps or pps) and an optional falling threshold (level-low, bps-low or pps-low).
When traffic of that type reaches the rising threshold the switch triggers the storm-control action, and the action stays in place until the traffic drops below the falling threshold (if no falling threshold is given it is the same as the rising one).
level/level-low is a percentage of the interface bandwidth; bps/pps are bits per second or packets per second, with a range from 0 to 10G.
The default action is to drop the frames of that type that exceed the threshold while the port stays up; alternatively:
Switch(config-if)# storm-control action {shutdown | trap}, either err-disable the port (recoverable with "errdisable recovery cause storm-control") or send an SNMP trap when a storm is detected
To check, Switch# show storm-control [interface-id] [broadcast | multicast | unicast], shows the thresholds, the current level and whether the filter is active
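An added example, not from the original reference sheet, showing the rising/falling pair in each of the three units, the shutdown action and the matching err-disable recovery. The interface number and the threshold values are assumptions picked for a 1 Gb/s user port.

```cisco
! Added example (not from the original reference sheet): storm control with a
! rising and a falling threshold per traffic type. Interface number and
! thresholds are assumptions for a 1 Gb/s user port.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
interface GigabitEthernet1/0/11
 switchport host
 ! Broadcast: act at 20% of port bandwidth, keep acting until below 10%
 storm-control broadcast level 20.00 10.00
 ! Multicast: absolute packet rate, act at 5000 pps, release at 2000 pps
 storm-control multicast level pps 5k 2k
 ! Unknown unicast: absolute bit rate, act at 50 Mb/s, release at 20 Mb/s
 storm-control unicast level bps 50m 20m
 ! Err-disable the port (and send a trap) instead of silently dropping, so a
 ! looped or misbehaving port is noticed and cleared after 300 s
 storm-control action shutdown
 storm-control action trap
!
end
!
! Verification (exec mode):
! show storm-control gigabitethernet 1/0/11 broadcast
! show interfaces status err-disabled
```

The gap between the two thresholds is what stops the port from flapping: without a falling threshold, traffic hovering around the limit would toggle the filter on every measurement interval.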
Securing VLAN trunks
Trunks are critical because they carry multiple VLANs, so protecting them is important.
If a switch port is left at its default configuration it is in DTP "dynamic auto" mode, so an attacker can set their own side to DTP "on" or "desirable" and negotiate a trunk. Once the trunk forms, the switch treats the port with the attacker's PC as a trunk and allows all VLANs across it: the attacker gets access to every VLAN.
Best practice: disable unused ports and set every host-facing port to "switchport mode access" manually so no trunk can be negotiated; on real trunks use "switchport mode trunk" together with "switchport nonegotiate" so DTP is not spoken at all.

VLAN Hopping Attack
Another attack on trunks is the VLAN hopping (double-tagging) attack. It works only when the following conditions exist:
1st, the attacker is connected to an access port whose VLAN ID is the same as the native VLAN of a trunk
2nd, the switch has an 802.1Q trunk and the native VLAN of that trunk is the same as the access VLAN where the attacker is connected (native-VLAN frames are sent untagged on the trunk)
3rd, the trunk allows the VLAN the attacker wants to reach
The attacker then sends a frame with two VLAN tags: the outer tag is the access VLAN of the port (which is also the native VLAN of the trunk), the inner tag is the VLAN the attacker wants to attack.
The switch receiving the frame sees the outer tag matching the port's access VLAN and the trunk's native VLAN, so it strips that tag and sends the frame out of the trunk untagged, as it does for any native-VLAN frame. The inner tag is still present, so the switch on the other end of the trunk reads it as an ordinary tagged frame for the attacked VLAN, which is allowed on the trunk, and delivers it to the attacked host. The attack is one-way: replies from the victim go to the real VLAN, not back to the attacker.
To block VLAN hopping, set the native VLAN of every trunk to a bogus VLAN that is not used by any access port, allow only the VLANs that are actually required on each trunk, and, where the platform supports it, tag the native VLAN too with the global command "vlan dot1q tag native" so no frame leaves the trunk untagged.

VLAN access lists (VACL)
VLANs can also be secured with VLAN access lists (VACLs, also called VLAN maps).
VACLs are programmed into TCAM in the same way as IP ACLs, so they are applied in hardware and do not slow down switching.
A VACL is attached to a VLAN rather than to an interface, so it has no "in" or "out" direction: it filters all frames bridged within the VLAN (and packets routed into or out of it).
Define a VLAN access map, Switch(config)# vlan access-map map-name [sequence-number]
Define the match condition, Switch(config-access-map)# match ip address {acl-number | acl-name} OR Switch(config-access-map)# match mac address acl-name; the ACL only selects traffic, so "deny" in the ACL means "does not match this clause", not "drop"
Define the action, Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}, redirect sends the matching frame/packet to the specified interface (capture and redirect are not available on every platform)
Apply the VLAN filter, Switch(config)# vlan filter map-name vlan-list vlan-list
Sequences are evaluated in order and traffic that matches no sequence is dropped, so a final sequence with "action forward" and no match clause is needed to permit everything else.

Securing Private VLANs
A private VLAN (PVLAN) is a VLAN "within" a VLAN: the ports of one VLAN are further subdivided into multiple sub-VLANs, so hosts that share one IP subnet can still be isolated from each other at Layer 2.
For private VLANs a few more VLAN types must be defined. The primary VLAN is the main VLAN that is subdivided; secondary VLANs exist within the primary VLAN.
The primary VLAN is the only exit point for the secondary VLANs, hence the SVI (default gateway) for the subnet is defined on the primary VLAN.
Secondary VLANs are of two types, community VLANs and isolated VLANs.
Ports within a community VLAN can communicate with each other and with the primary VLAN (promiscuous ports), but not with other secondary VLANs.
A port within an isolated VLAN can communicate only with the primary VLAN (promiscuous ports) and with nobody else, not even other ports in the same isolated VLAN.
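As an added example, not from the original reference sheet, the configuration below closes both paths described above: DTP negotiation on host ports and the native-VLAN double-tagging trick on the trunk. VLAN numbers, interface names and the neighbor description are assumptions.

```cisco
! Added example (not from the original reference sheet): trunk and access-port
! settings that stop DTP negotiation and native-VLAN double tagging.
! VLAN numbers and interface names are assumptions.
!
! A port left at its default ("switchport mode dynamic auto") becomes a trunk
! as soon as the attacker speaks DTP; nothing below is left at that default.
!
! Real uplink trunk: no DTP, unused native VLAN, explicit allowed list
interface GigabitEthernet1/0/48
 description Uplink to DIST-SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Host-facing ports: static access, never in VLAN 999, DTP silenced,
! PortFast with BPDU guard
interface range GigabitEthernet1/0/1 - 40
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in a second unused VLAN and shut down
interface range GigabitEthernet1/0/41 - 47
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Tag the native VLAN on every trunk too, so no frame leaves a trunk untagged
! and a double-tagged frame never "loses" its outer tag on the way out
vlan dot1q tag native
!
end
!
! Verification (exec mode):
! show interfaces trunk                        - mode, native VLAN, allowed list
! show interfaces gigabitethernet 1/0/1 switchport
! show dtp interface gigabitethernet 1/0/1     - must not be negotiating
```

"switchport trunk encapsulation dot1q" is only needed on platforms that also support ISL; switches that only do 802.1Q reject the command, so drop it there. "switchport mode access" alone still sends DTP frames on many Catalyst models, which is why "switchport nonegotiate" is repeated on the host ports.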
There are also port types associated with PVLANs. A promiscuous port connects to an external router, firewall or other gateway; it can talk to any port in the primary VLAN and in all secondary VLANs mapped to it, as if the private-VLAN rules did not apply to it.
A host port connects to an end host and must be associated with either an isolated or a community VLAN. The configuration steps follow.
The switch must be in VTP transparent mode (VTP version 1 or 2) before private VLANs can be created.
Define the secondary VLAN(s): Switch(config)# vlan vlan-id, then Switch(config-vlan)# private-vlan {isolated | community}
Create the primary VLAN and associate the secondary VLAN(s) with it: Switch(config)# vlan vlan-id, then Switch(config-vlan)# private-vlan primary and Switch(config-vlan)# private-vlan association {secondary-vlan-list}
Define the port function: Switch(config-if)# switchport mode private-vlan {host | promiscuous}
If it is a "host" port, associate it with its primary and secondary VLAN: Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
If it is a "promiscuous" port, map the primary VLAN to the secondary VLANs it serves: Switch(config-if)# switchport private-vlan mapping primary-vlan-id secondary-vlan-list
If the primary VLAN is also used for an SVI (the switch routes for the subnet), map the secondary VLANs on the SVI as well: Switch(config-if)# private-vlan mapping {secondary-vlan-list}, entered under interface vlan primary-vlan-id
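The following added example, not from the original reference sheet, works through the private-VLAN steps above for a DMZ-style segment (one community VLAN for web servers, one isolated VLAN for jump hosts, a promiscuous port to the firewall and an SVI on the primary VLAN) and then applies a VACL as described in the VACL section to a separate user VLAN, including the trailing forward clause that the implicit drop makes necessary. VLAN numbers, addresses, ACL and map names and interface names are assumptions.

```cisco
! Added example (not from the original reference sheet): private VLANs for a
! DMZ plus a VLAN map on a user VLAN. VLAN numbers, addresses, names and
! interface numbers are assumptions.
!
! Private VLANs require VTP transparent mode (VTP v1/v2)
vtp mode transparent
!
! Secondary VLANs first, then the primary VLAN that associates them
vlan 201
 private-vlan community
vlan 202
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Web servers: talk to each other and to the firewall, never to VLAN 202
interface range GigabitEthernet1/0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Jump hosts: talk only to the firewall, not even to each other
interface range GigabitEthernet1/0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Firewall / gateway port: promiscuous, sees both secondary VLANs
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! If the switch itself routes for the DMZ, the SVI lives on the primary VLAN
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 201,202
!
! VACL on user VLAN 20: drop Telnet bridged inside the VLAN, forward all else.
! The ACL only selects traffic; "deny" in it would mean "not this clause".
ip access-list extended TELNET-IN-VLAN
 permit tcp any any eq 23
!
vlan access-map USER-FILTER 10
 match ip address TELNET-IN-VLAN
 action drop
! Sequence 20 has no match clause, so it matches everything left over.
! Without it, every frame not matching sequence 10 would be dropped.
vlan access-map USER-FILTER 20
 action forward
!
vlan filter USER-FILTER vlan-list 20
!
end
!
! Verification (exec mode):
! show vlan private-vlan                         - primary/secondary associations
! show interfaces gigabitethernet 1/0/1 switchport
! show vlan access-map USER-FILTER
! show vlan filter
```

A quick check of the isolation: a ping between the two jump hosts in VLAN 202 fails even though they share 192.0.2.0/24, while both can still reach the firewall on the promiscuous port; the two web servers in VLAN 201 can reach each other and the firewall but not the jump hosts.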
Preventing spoofing attacks
Spoofing attacks are attacks where the attacker hides its real identity and presents itself as a legitimate device (a DHCP server, the default gateway, or another host).

DHCP snooping
Example: the attacker poses as a DHCP server while sitting on the same subnet as the hosts, answers DHCP requests (often faster than the real server) and hands out its own IP address as the default gateway. Traffic from the hosts then goes to the attacker first, who silently forwards it on to the correct destination: a man-in-the-middle position that the host never notices.
This attack is blocked by enabling "ip dhcp snooping" on the switch. Ports are divided into two classes: trusted ports, where the legitimate DHCP server (or the uplink towards it) is connected, and untrusted ports, where all other hosts are connected.
DHCP server messages (OFFER, ACK, NAK) that arrive on an untrusted port are discarded and logged; a port whose DHCP packet rate exceeds its configured limit is put in err-disabled state. The switch also builds the DHCP snooping binding database (MAC address, IP address, lease time, VLAN, interface) from the DHCP exchanges it sees on untrusted ports; DAI and IP Source Guard rely on that database.
We need to define "trusted" and "untrusted" ports and configure this:
Globally enable DHCP snooping, Switch(config)# ip dhcp snooping
Enable DHCP snooping for particular VLANs, Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]; nothing is inspected until at least one VLAN is listed
Define trusted ports, Switch(config-if)# ip dhcp snooping trust
By default all ports are untrusted, so the port towards the DHCP server and the uplinks must be marked trusted, otherwise clients stop receiving addresses
We can limit the number of DHCP packets accepted on untrusted ports, Switch(config-if)# ip dhcp snooping limit rate rate, a security feature against a host flooding DHCP requests (DHCP starvation); the limit is 1 to 2048 packets per second, the default is unlimited, and exceeding it err-disables the port (recoverable with "errdisable recovery cause dhcp-rate-limit")
Option 82 (DHCP relay agent information) is inserted by default. When the switch receives a DHCP request on an untrusted port it adds its own MAC address and the identifier of the port on which the request arrived before forwarding the request towards the server, so the server can assign addresses based on that information. When the server replies, the switch compares the option-82 data in the reply with what it inserted, to make sure the reply is the answer to that request from an authorized DHCP server, and removes the option before delivering the reply to the client.
To enable/disable option 82, Switch(config)# [no] ip dhcp snooping information option. Caveat: the switch inserts option 82 with a relay address (giaddr) of 0.0.0.0; an upstream switch that also runs DHCP snooping drops such packets on an untrusted port unless "ip dhcp snooping information option allow-untrusted" is configured there, and some DHCP servers reject them, so disabling the option on the access switch is the usual fix.
Switch# show ip dhcp snooping [binding], to check DHCP snooping. Without the "binding" keyword only the global state and the ports that are trusted or rate-limited are listed (untrusted ports without a rate limit are not shown); with "binding" the learned MAC/IP/lease/VLAN/interface entries are listed.

Dynamic ARP Inspection (DAI)
Background: when a host knows the destination's IP address but not its MAC address, it sends an ARP request (a broadcast) so that the host owning that IP replies with its MAC, and the sender can complete its frame.
The risk is that any rogue host or attacker can reply (or send an unsolicited gratuitous ARP) claiming its own MAC for the target IP, for example the default gateway's. The source, unaware of this, adds that entry to its ARP table and sends its packets to the attacker: the attacker becomes a man in the middle (ARP poisoning).
DAI is a check to make sure that ARP packets on untrusted ports carry legitimate sender IP/MAC pairs, in other words that only the real owner of an IP address answers for it.
The switch validates the sender MAC and sender IP of every ARP packet (requests as well as replies) received on an untrusted port against the DHCP snooping binding database, and against a static ARP access list if one is configured; packets that match neither are dropped and logged.
Ports are divided into trusted ports, where no check is done (uplinks to other switches that run DAI themselves), and untrusted ports, where the check is done (all host ports).
Because DAI uses the DHCP snooping database to validate ARP packets, DHCP snooping must be enabled for DAI to work; otherwise every ARP packet from a DHCP-addressed host is dropped.
For hosts with static IP/MAC entries that are not in the DHCP snooping database, we must define an "ARP access list" so that DAI can validate them against those static entries.
One more point: besides checking the binding, DAI can also verify that the addresses inside the ARP packet are consistent with the Ethernet header (an attacker may forge one but usually not both). This is off by default and is enabled with the "validate" command below.
To enable DAI, Switch(config)# ip arp inspection vlan vlan-range
Define trusted ports (by default all ports are untrusted), Switch(config-if)# ip arp inspection trust
For static entries, define the ARP access list: Switch(config)# arp access-list acl-name, then Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
Apply it to the VLAN: Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]. Without "static", a packet that matches no permit entry in the ARP ACL is then checked against the DHCP snooping database; with "static", the ACL is the only source and the implicit deny at its end drops everything not explicitly permitted, literally "drop all" that is not listed.
Additional header checks: Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}; src-mac compares the source MAC in the Ethernet header with the sender MAC in the ARP body (requests and replies), dst-mac compares the destination MAC in the Ethernet header with the target MAC in the ARP body (replies), ip drops packets with invalid or unexpected addresses (0.0.0.0, 255.255.255.255, multicast) in the sender field (and the target field of replies)
DAI also rate-limits ARP on untrusted ports, 15 packets per second by default (Switch(config-if)# ip arp inspection limit rate pps); exceeding it err-disables the port (recoverable with "errdisable recovery cause arp-inspection")
To check DAI status, Switch# show ip arp inspection [vlan vlan-range], Switch# show ip arp inspection interfaces and Switch# show ip arp inspection statistics

IP Source Guard
A technique where the switch makes sure that it is receiving frames whose source IP address (and optionally source MAC address) is legitimate for that port and not spoofed.
This is achieved by referring to the DHCP snooping binding database and to static MAC/IP-to-port bindings: for each port the switch installs a filter that permits only the bound source IP (and MAC) and drops everything else; DHCP packets are still allowed so that a host can obtain its lease in the first place.
Once a packet is received on the interface, the switch checks that its source IP matches the binding for that port in the snooping database.
If we also want to verify that the source MAC address is the authorized one, this can be done as well, but port security must be enabled on the port in addition to the port-security keyword on the source-guard command.
To configure a static binding, Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type member/module/number
To configure IP Source Guard on a port, Switch(config-if)# ip verify source [port-security]; add the [port-security] keyword to enable the MAC address check as well
To check source guard status, Switch# show ip verify source [interface type member/module/number]
To check source bindings, Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type member/mod/num] [vlan vlan-id]
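The three features above depend on each other (DAI and IP Source Guard both read the DHCP snooping binding database), so the following added example, not from the original reference sheet, configures them together on one access switch in dependency order, including the static entries needed for a host that never uses DHCP. Addresses, MAC addresses, VLAN and interface numbers and the TFTP server are assumptions.

```cisco
! Added example (not from the original reference sheet): DHCP snooping, DAI
! and IP Source Guard layered on one access switch. Addresses, MACs, VLANs,
! interfaces and the TFTP server are assumptions.
!
! 1. DHCP snooping: every port is untrusted unless marked; the uplink is trusted
ip dhcp snooping
ip dhcp snooping vlan 20
! Keep the binding database off-box so bindings survive a reload
ip dhcp snooping database tftp://10.10.10.9/ACCESS-SW1-snoop.db
! Access switch behind another snooping switch: do not insert option 82
no ip dhcp snooping information option
!
! 2. DAI in the same VLAN, with the header consistency checks switched on
ip arp inspection vlan 20
ip arp inspection validate src-mac dst-mac ip
!
! Static host (a printer) that never uses DHCP: allow its IP/MAC pair
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0006.5b02.a841 log
! No "static" keyword: ACL first, then the DHCP snooping database
ip arp inspection filter STATIC-HOSTS vlan 20
!
! 3. IP Source Guard needs the same static host as a source binding
ip source binding 0006.5b02.a841 vlan 20 192.0.2.50 interface GigabitEthernet1/0/5
!
! Recover automatically from the err-disable causes these features raise
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Uplink towards the DHCP server and the other switches: trusted for both
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP clients: untrusted, rate limited, source IP and MAC both verified
! (port security must be on for the port-security keyword to work)
interface range GigabitEthernet1/0/1 - 4
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 ip verify source port-security
!
! Static printer port: untrusted as well; IPSG and DAI use the static entries
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 10
 ip verify source
!
end
!
! Verification (exec mode):
! show ip dhcp snooping                      - VLANs, trusted and rate-limited ports
! show ip dhcp snooping binding              - learned MAC/IP/lease/VLAN/port entries
! show ip arp inspection vlan 20             - DAI state and validate settings
! show ip arp inspection statistics vlan 20  - forwarded / dropped ARP counters
! show ip verify source                      - per-port IPSG filter state
! show ip source binding                     - DHCP-learned plus static bindings
```

Order matters operationally: enable DHCP snooping first and let clients renew (or wait for the database to fill), then turn on DAI and IP Source Guard; enabling them on a VLAN with an empty binding database cuts off every host that already holds a lease until it renews.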
Managing switch users (AAA)

Basics
AAA (authentication, authorization, accounting) is used to manage who can log in to the switch, what they may do, and what they did.
TACACS+ is Cisco proprietary; it separates the authentication, authorization and accounting functions, uses TCP port 49, and encrypts the whole packet body between switch and AAA server.
RADIUS is an open standard; authentication and authorization are combined into one exchange and accounting is a separate one; it uses UDP ports 1812 (authentication/authorization) and 1813 (accounting), and only the password attribute is encrypted, the rest of the packet is clear text.
Cisco implements the AAA server side with Cisco ISE (Identity Services Engine) or, historically, Cisco Secure ACS (Access Control Server).

Authentication config
Enable AAA, Switch(config)# aaa new-model. This immediately puts the console and VTY lines under the default AAA login list, so define the lists in the same session.
Define a local username/password for fallback, Switch(config)# username username password password; prefer Switch(config)# username username secret password, which stores a hash instead of a reversible Type 7 string.
Define servers, Switch(config)# radius-server host {hostname | ip-address} [key string] or Switch(config)# tacacs-server host {hostname | ip-address} [key string]
Define a server group if there are multiple servers, Switch(config)# aaa group server {radius | tacacs+} group-name, then add each server to the group with Switch(config-sg)# server ip-address
Define authentication methods, Switch(config)# aaa authentication login {default | list-name} method1 [method2 ...]
Methods can be group tacacs+, group radius, group group-name, local, line or enable; they are tried in order, and the next method is used only when the previous one cannot be reached (a reject from a server ends the search, it does not fall through)
For "line", the password configured on the line (vty/console) is used to authenticate; no username is configured or required
Define which list a particular line (console or VTY) uses, Switch(config-line)# login authentication {default | list-name}; lines without this command use the default list
Always define "local" as the last-resort method so you can still log in when every server is down
To be safe, once you configure AAA authentication stay in the current session and open a second SSH/Telnet session to check that authentication works; if you log out and the authentication config has an error, it may no longer be possible to log in

Authorization config
Defines what a user is allowed to do once authenticated.
Switch(config)# aaa authorization {commands level | config-commands | configuration | exec | network | reverse-access} {default | list-name} method1 [method2 ...]
commands level - the server must check and authorize each command the user enters at that privilege level
config-commands - configuration-mode commands are also subject to command authorization (used together with "commands")
configuration - authorization to download configuration (for example per-user settings) from the AAA server
exec - the server checks whether the user may start an exec session (# prompt) and at which privilege level
network - the server authorizes network-related service requests, for example the attributes returned for an 802.1X session
reverse-access - the server checks whether the user may use reverse Telnet (connecting from the switch's lines out to another device)
In the methods you can define group radius, group tacacs+, group group-name, local, if-authenticated (the user is authorized simply because it has already authenticated) and none (no authorization at all, every user is authorized)
Then authorization can be set per line, Switch(config-line)# authorization {commands level | exec | reverse-access} {default | list-name}; if this command is not used the default list applies to all lines
Example: use the group myauthservers for exec authorization on all lines and, if those servers are down, fall back to "none": Switch(config)# aaa authorization exec default group myauthservers none. Caveat: "none" as the fallback means that anybody who is logged in gets an exec shell whenever the servers are unreachable; "if-authenticated" is the safer fallback, since it still requires a successful login.
Authorization with TACACS+ is quite flexible and per-command authorization works; with RADIUS it is pretty much an all-or-nothing approach, because RADIUS returns the authorization attributes together with the authentication result and cannot be asked per command.

Accounting config
Accounting configuration defines which activity the AAA server records, and when.
AAA servers and groups must already be configured, as for authentication and authorization.
Switch(config)# aaa accounting {system | exec | commands level} {default | list-name} {start-stop | stop-only | wait-start | none} method1 [method2 ...]
system - major system events such as reload/restart are recorded
exec - the whole exec session is recorded: who logged in, at what time, from which IP address, on which line
commands level - the commands entered at that privilege level are recorded (per-command accounting needs TACACS+)
default - the list is the default list for that accounting type; otherwise name it and apply it per line
start-stop - a record is sent when the activity starts and another when it stops
stop-only - a record is sent only when the activity stops
wait-start - like start-stop, but the activity does not proceed until the server acknowledges the start record
none - no records are sent
We can choose the lines where accounting is applied with a particular list; otherwise the default list applies: Switch(config-line)# accounting {commands level | connection | exec} {default | list-name}
Switch(config)# aaa accounting exec default start-stop group myauthservers
Switch(config)# aaa accounting commands 15 default start-stop group myauthservers
In this example exec sessions are accounted with the default list, sending a record when the session starts and when it stops to the server group myauthservers; in addition every command entered at privilege level 15 is accounted.
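As an added example, not from the original reference sheet, here is a complete AAA configuration for switch administration that ties the authentication, authorization and accounting lists above together: TACACS+ servers in a group, local fallback that cannot lock the console, if-authenticated rather than none as the authorization fallback, and session plus command accounting. Server addresses, shared keys, the group name, user names and secrets are assumptions.

```cisco
! Added example (not from the original reference sheet): AAA for switch
! administration with TACACS+ and a local fallback. Server addresses, keys,
! group and user names and secrets are assumptions.
!
! Local fallback account, stored as a hash ("secret", not "password")
username admin privilege 15 secret LocalFallbackSecret!
!
aaa new-model
!
! Two TACACS+ servers in one group; the key is shared with both
tacacs-server host 10.10.10.6 key TacacsSharedKey!
tacacs-server host 10.10.10.7 key TacacsSharedKey!
aaa group server tacacs+ myauthservers
 server 10.10.10.6
 server 10.10.10.7
!
! Authentication: servers first; "local" is used only when no server answers,
! a reject from a server does not fall through to the local database
aaa authentication login default group myauthservers local
aaa authentication enable default group myauthservers enable
!
! Authorization: the exec shell and every level-15 command are checked by the
! server; if-authenticated (not none) is the fallback when servers are down
aaa authorization exec default group myauthservers if-authenticated
aaa authorization commands 15 default group myauthservers if-authenticated
aaa authorization config-commands
!
! Accounting: session start/stop, every level-15 command, and reloads
aaa accounting exec default start-stop group myauthservers
aaa accounting commands 15 default start-stop group myauthservers
aaa accounting system default start-stop group myauthservers
!
! Console uses its own local-only list so a broken server never locks out the
! person standing in front of the switch (exec authorization is not applied
! to the console unless "aaa authorization console" is configured)
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 15
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
end
!
! Verification (exec mode), from a second session while the first stays open:
! show aaa servers                 - reachability and counters per TACACS+ server
! show tacacs                      - socket state and request/response statistics
! test aaa group myauthservers <tacacs-user> <password> legacy
! debug aaa authentication         - trace a login attempt end to end
```

The same structure works with RADIUS by swapping the server definitions and "aaa group server radius", but the "commands 15" authorization and accounting lines then do nothing useful: per-command authorization and accounting are TACACS+ features.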