notes: Frame Relay End-to-End Keepalive (FR EEK, FRF.19)
Adds the ability to track PVC status end-to-end between the DTE devices (the routers). LMI alone cannot do this, since LMI only runs between a router and its local frame-relay switch.
- FR EEK can be configured on a physical interface, but when the keepalive status goes down it will not bring down the physical interface, because it would then have no way of knowing when to bring it back up.
- For this reason it is recommended to configure FR EEK on a sub-interface: the sub-interface is brought down when the keepalive fails and comes back up once it succeeds again.
FR EEK modes:
1. Bidirectional
- Both sides of the PVC send keepalive requests and respond to the requests they receive.
- If one side is configured as bidirectional, the other end must be configured the same.
- Sets the timers and keeps track of error counters.
2. Request
- Only this side sends keepalive requests; it does not answer requests from the peer.
- If one side is configured as Request, the other end must be Reply or Passive-reply.
- Sets the timers and keeps track of error counters.
3. Reply
- The device waits for keepalive requests and replies to them; it does not send requests of its own.
- If one side is configured as Reply, the other end must be Request.
- Sets the timers and keeps track of error counters.
4. Passive-reply
- The device waits for keepalive requests and responds to them, but it does not set timers and does not keep track of error counters, so it never declares the PVC down itself.
example:
Configure end-to-end keepalives for the VC. If the routers see 3 errors within 4 events, the sub-interface should transition to the down state; if they see 4 successful events in a row, the sub-interface should transition back to the up state. Ensure that keepalives are exchanged every 20 seconds.
config-set:
map-class frame-relay TST14
frame-relay end-to-end keepalive mode bidirectional
frame-relay end-to-end keepalive timer send 20
frame-relay end-to-end keepalive timer recv 20
frame-relay end-to-end keepalive event-window send 4
frame-relay end-to-end keepalive event-window recv 4
frame-relay end-to-end keepalive error-threshold send 3
frame-relay end-to-end keepalive error-threshold recv 3
frame-relay end-to-end keepalive success-events send 4
frame-relay end-to-end keepalive success-events recv 4
!
interface Serial0/0.104 point-to-point
ip address 150.1.14.1 255.255.255.0
frame-relay interface-dlci 104
class TST14
- The event-window is the number of recent keepalive events examined, the error-threshold is how many of them may fail before the VC is declared down, and success-events is how many consecutive successes bring it back up. Apply a map-class with the same mode to the far end of the PVC and verify both sides with "show frame-relay end-to-end keepalive".
Sunday, February 27, 2011
Saturday, February 26, 2011
LAB: Frame Relay Back to Back with Multilink
R1
interface MFR1
no ip address
no keepalive
!
interface MFR1.102 point-to-point
ip address 150.1.102.1 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial0/0
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
clock rate 128000
no arp frame-relay
!
interface Serial0/1
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
clock rate 128000
no arp frame-relay
R2
interface MFR1
no ip address
no keepalive
!
interface MFR1.201 point-to-point
ip address 150.1.102.2 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial0/0
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
no arp frame-relay
!
interface Serial0/1
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
no arp frame-relay
VERIFICATION
R1#show interfaces MFR1
MFR1 is up, line protocol is up
Hardware is Multilink Frame Relay bundle interface
MTU 1500 bytes, BW 3088 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive not set
DTR is pulsed for 2 seconds on reset
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 15/0, interface broadcasts 0
Last input 00:00:10, output never, output hang never
Last clearing of "show interface" counters 00:17:36
Input queue: 0/75/6/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/120 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
15 packets input, 4605 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
15 packets output, 4635 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
R1#show frame-relay multilink
Bundle: MFR1, State = up, class = A, fragmentation disabled
BID = MFR1
Bundle links:
Serial0/1, HW state = up, link state = Up, LID = Serial0/1
Serial0/0, HW state = up, link state = Up, LID = Serial0/0
notes: Frame Relay MFR (Multilink Frame Relay, FRF.16.1)
MFR provides a cost-effective way to increase bandwidth by aggregating multiple frame-relay links into a single bundle that acts as one interface (interface MFR1 above). Each physical link joins the bundle with "encapsulation frame-relay MFR1"; DLCIs and IP addressing go on the bundle interface or its sub-interfaces, never on the member links.
- MFR variable-bandwidth support (the "class" shown in "show frame-relay multilink", set under the MFR interface with "frame-relay multilink bandwidth-class {a | b | c [threshold]}") decides when the bundle is activated or deactivated:
1. Class A (Single Link)
- The bundle activates when any single bundle link is up and deactivates only when all bundle links are down (default).
2. Class B (All Links)
- The bundle activates when all bundle links are up and deactivates when any single bundle link goes down.
3. Class C (Threshold)
- The bundle activates when the minimum configured number of bundle links is up and deactivates when the number of working links falls below that threshold.
notes: Frame Relay Back to Back FR
- Are router-to-router serial links running frame-relay encapsulation, but with no frame-relay switch in between to answer LMI.
- For back-to-back links two things are required:
- Disable LMI keepalives with "no keepalive" on both ends. With no switch there is nothing to answer the LMI status enquiries, so the line protocol would otherwise drop after 3 missed keepalives.
- Configure one side as the DCE end with a clock rate.
- Any DLCI can be used, provided both sides have the same DLCI configured: there is no switch to translate it, so it must match on both ends (514 in the example below).
config-set:
R4:
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
encapsulation frame-relay
no keepalive
frame-relay map ip 155.1.45.5 514 broadcast
R5:
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
encapsulation frame-relay
no keepalive
clock rate 64000
frame-relay map ip 155.1.45.4 514 broadcast
notes: Frame Relay Interface Types & Split Horizon
Frame-relay interfaces carry one of two characteristics: point-to-point or multipoint.
1. Physical interfaces
- Are treated as multipoint interfaces.
- Multipoint means the interface can terminate multiple PVCs (layer-2 circuits).
- Require layer3-to-layer2 resolution through either InARP or manual mapping (refer to the address resolution section).
- Manual mapping per PVC is done with the "frame-relay map ip" command.
- To explicitly assign a single PVC to the interface use "frame-relay interface-dlci".
- May need split horizon disabled, depending on the routing protocol.
- No point-to-point or multipoint sub-interfaces are involved; the PVCs terminate directly on the physical interface.
- All DLCIs reported by LMI are received on the physical interface, so no "frame-relay interface-dlci" command is needed.
2. Point-to-point sub-interfaces
- Can only terminate one PVC.
- Do not require layer3-to-layer2 resolution, since there is only one PVC and everything sent out of the sub-interface goes over it.
- Inverse ARP is disabled on point-to-point sub-interfaces: they do not send InARP requests, but will still respond to an InARP request.
- Require the "frame-relay interface-dlci" command to tie the DLCI to the sub-interface.
- Will have an interface-type mismatch (e.g. OSPF network type point-to-point versus non-broadcast) with physical and multipoint interfaces on the other end.
- Broadcasts and multicasts work without a "broadcast" keyword, since there is only one PVC.
3. Multipoint sub-interfaces
- Are treated as multipoint interfaces.
- Can terminate multiple PVCs.
- Require layer3-to-layer2 resolution through either InARP or manual mappings.
- Manual mapping per PVC is done with the "frame-relay map ip" command.
- To assign just one PVC to the interface use "frame-relay interface-dlci".
- May need split horizon disabled.
- Will have an interface-type mismatch with a point-to-point sub-interface on the other end.
Split Horizon
- Split horizon has to be considered on any multipoint interface (frame-relay, ATM, and Ethernet alike): a route learned on an interface is not advertised back out of the same interface, so at a hub whose spokes share one multipoint interface the spokes never learn each other's routes unless split horizon is disabled.
- Applies to the distance-vector protocols RIP and EIGRP. On IOS, "ip split-horizon" (RIP) is off by default on frame-relay physical interfaces but on for sub-interfaces; "ip split-horizon eigrp <AS>" is on by default everywhere, including the physical interface.
Interface states
1. The physical interface connecting to a frame-relay switch will be up/up once it receives LMI from that frame-relay switch, regardless of which DLCIs it is or is not learning.
- This means a physical interface can be up/up even though there is no working layer-2 circuit on it.
2. A point-to-point sub-interface will only show up/up when LMI is received and one of the received DLCIs matches the DLCI configured on the sub-interface.
3. When a multipoint sub-interface has multiple DLCIs defined, all DLCIs must be down before the sub-interface shows down/down. If one DLCI is up, the sub-interface is up/up.
TIPS:
1. When removing a frame-relay sub-interface, the configuration is removed, but the sub-interface itself is only deleted after a reload.
- This can be seen with "show ip interface brief", where the interface is listed as DELETED.
- Thus to change a sub-interface from point-to-point to multipoint (or back), delete the sub-interface, reload the router, then create the new sub-interface with the other type.
2. Always do "show frame-relay map" when starting a lab and after configuration is complete to verify layer-2 connectivity.
- If there are 0.0.0.0 frame-relay mappings, save the configuration and reload. It is the only way to get rid of them.
3. To ping a locally configured IP on a frame-relay multipoint interface, layer3-to-layer2 resolution for that local IP is also required (a "frame-relay map" for your own address). The echo actually exits the router to the other side of the link and is only sent back because the remote router sees it is destined for our IP. If the remote end has no mapping for that IP, it drops the reply.
notes: Frame Relay Address Resolution
Frame-relay networks are multi-access networks, which means that more than two devices can attach to the network, similar to LANs.
- Unlike LANs, you cannot send a data-link-layer broadcast over frame-relay. Therefore frame-relay networks are called NBMA (non-broadcast multi-access) networks.
- Because frame-relay is a multi-access technology, it always needs layer3-to-layer2 address resolution (next-hop IP to local DLCI) to identify which PVC, and therefore which remote router, a frame is destined for.
- The exceptions are frame-relay point-to-point sub-interfaces and PPP over frame-relay, where there is only one PVC to choose from.
- Broadcast Replication
- Frame-relay does not have the capability to send a single frame over multiple PVCs to multiple destinations.
- But broadcast/multicast functionality is still required by routing protocols (RIP, EIGRP and OSPF hellos).
- Also known as pseudo-broadcast: the router makes a copy of each broadcast/multicast packet and sends one copy over every PVC that has broadcast enabled.
- Frame-relay can thus send copies of layer-3 broadcasts over VCs, if configured to do so.
Note: at the hub the "broadcast" keyword is essential for routing protocols that rely on broadcast/multicast to find neighbors. OSPF and RIP can alternatively be configured to send unicast to their neighbors ("neighbor" statements), which works without the keyword.
Static Mappings
- Are used to statically resolve a REMOTE layer-3 address (IP) to a LOCAL layer-2 address (DLCI).
- Are manually configured with the command "frame-relay map".
- Override dynamic mappings learned via InARP.
- Broadcast support must be manually configured with the "broadcast" keyword. This is important for routing protocols: a static map without it silently drops their multicast/broadcast packets.
command:
frame-relay map ip 100.100.100.4 204 broadcast
Interface DLCI
- Used on point-to-point and multipoint sub-interfaces to tell the sub-interface which of the DLCIs reported by LMI belong to it.
- On a point-to-point sub-interface it is the only option ("frame-relay map" is rejected there). On a multipoint sub-interface a static "frame-relay map" also assigns the DLCI, so both commands are not needed for the same DLCI.
- The physical interface may receive many DLCIs from LMI, but a sub-interface needs to know which DLCI(s) to use.
command:
frame-relay interface-dlci 112
class map-class-name
note: a map-class (e.g. for traffic shaping or end-to-end keepalives) applied to the interface with "frame-relay class" applies to all DLCIs on that interface; applied under "frame-relay interface-dlci" with "class", it applies to that DLCI only.
InARP (Inverse ARP)
- Is used to dynamically resolve a REMOTE layer-3 address (IP) to a LOCAL layer-2 address (DLCI): the router sends an InARP request over each active DLCI and the peer answers with its IP address.
- Is enabled automatically when an IP address is configured.
- Dynamically learned mappings have broadcast enabled by default.
- InARP requests can be disabled per DLCI or for all DLCIs on an interface. InARP replies cannot be disabled.
- The command "no frame-relay inverse-arp" configured on a physical interface stops the InARP requests only for the physical interface, not for its sub-interfaces. It must be configured on the sub-interfaces too if needed.
- When a point-to-point sub-interface is connected to an InARP-disabled interface, the InARP-disabled interface will still reply, provided an IP address is configured on it. On the querying router, "show frame-relay map" will still show that mapping as dynamic.
- When a DLCI is placed on a sub-interface it will not initiate InARP requests, but it will still respond to them.
Note: a dynamically learned mapping always has broadcast enabled.
CCIE LAB SCENARIO: not allowed to use Inverse ARP
- "show frame-relay map" shows mappings learned via InARP as "dynamic".
- If you do not turn off Inverse ARP at the beginning of the lab you will see "magical" connectivity you did not expect, because from the frame-relay switch's perspective the PVCs may be fully meshed and every router InARPs every DLCI it is given.
- Issue the following command set on every frame-relay interface:
int s0/0
shutdown
encapsulation frame-relay
no frame-relay inverse-arp
no shut
- Also clear any mappings that were already learned:
clear frame-relay inarp
- Then check "show frame-relay map" again: only static entries should remain.
commands:
Shows the DLCI mapping, status, dynamic/static, type, broadcast:
show frame-relay map
Disables InARP requests only for the DLCI specified:
no frame-relay inverse-arp ip {dlci}
Statically maps a remote IP address to a local DLCI; [broadcast] enables frame-relay broadcast replication across the PVC:
frame-relay map ip {ip} {dlci} [broadcast]
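The checks the tips and the lab scenario above call for (dynamic InARP entries when Inverse ARP is forbidden, 0.0.0.0 mappings, static maps missing "broadcast"), run over "show frame-relay map" output in an added Python example that is not from the page or from Cisco. The sample output is constructed by hand in the IOS format; the interfaces, addresses and DLCIs in it are made up.

```python
# Added example (not from the page or from Cisco IOS): parse "show frame-relay map"
# output and flag the conditions the notes warn about. SAMPLE_OUTPUT is constructed.
import re

SAMPLE_OUTPUT = """\
Serial0/0 (up): ip 155.1.0.5 dlci 105(0x69,0x1890), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 155.1.0.3 dlci 103(0x67,0x1870), static,
              broadcast,
              CISCO, status defined, active
Serial0/0 (up): ip 0.0.0.0 dlci 104(0x68,0x1880), dynamic,
              broadcast,, status defined, inactive
Serial0/0.1 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
          status defined, active
"""

# One entry: "<intf> (<state>): ip <ip> dlci <n>(0x..,0x..), <flags>, status defined, <status>"
# or, on a point-to-point sub-interface, "point-to-point dlci, dlci <n>(...)".
ENTRY_RE = re.compile(
    r"^(?P<intf>\S+) \((?P<intf_state>\w+)\): "
    r"(?:ip (?P<ip>\d+(?:\.\d+){3}) dlci|point-to-point dlci, dlci) "
    r"(?P<dlci>\d+)\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\),?(?P<rest>.*)$"
)
STATUS_RE = re.compile(r"\b(inactive|active|deleted|static)\s*$")


def _join_continuations(text):
    """IOS wraps each map entry over several indented lines; glue them back together."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1] += " " + line.strip()
        else:
            blocks.append(line.strip())
    return blocks


def parse_frame_relay_map(text):
    """Return one dict per mapping: interface, ip (None for point-to-point), dlci, flags, status."""
    entries = []
    for block in _join_continuations(text):
        m = ENTRY_RE.match(block)
        if not m:
            continue  # not a mapping line we understand; skip rather than guess
        rest = m.group("rest")
        status = STATUS_RE.search(rest)
        entries.append({
            "interface": m.group("intf"),
            "ip": m.group("ip"),
            "dlci": int(m.group("dlci")),
            "dynamic": bool(re.search(r"\bdynamic\b", rest)),
            "broadcast": bool(re.search(r"\bbroadcast\b", rest)),
            "status": status.group(1) if status else "unknown",
        })
    return entries


def audit(entries, inverse_arp_allowed=False):
    """Return human-readable findings for mappings that violate the lab rules."""
    findings = []
    for e in entries:
        where = f"{e['interface']} dlci {e['dlci']}"
        if e["ip"] == "0.0.0.0":
            findings.append(f"{where}: 0.0.0.0 mapping; save config and reload to clear it")
        if e["dynamic"] and not inverse_arp_allowed:
            findings.append(f"{where} -> {e['ip']}: dynamic (InARP) mapping; "
                            "disable inverse-arp and add a static frame-relay map")
        if e["ip"] and not e["dynamic"] and not e["broadcast"]:
            findings.append(f"{where} -> {e['ip']}: static map without 'broadcast'; "
                            "routing-protocol multicast will not cross this PVC")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_frame_relay_map(SAMPLE_OUTPUT)):
        print(finding)
```

Unrecognised lines are skipped rather than guessed at, so the audit never reports on an entry it could not parse; if a field layout changes between IOS releases, extend ENTRY_RE rather than loosening the checks.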
Friday, February 25, 2011
notes: Frame Relay Operation
Frame-relay is a packet-switching technology commonly implemented as an encapsulation technique, used to connect LANs over a wide area network (WAN).
- Virtual Circuit (VC): a logical communication path between 2 or more routers. A VC can be permanent (PVC) or switched (SVC).
DLCI (Data-Link Connection Identifier)
- Identifies the PVC going to a peer.
- DLCIs are used as the frame-relay address, which identifies the VC over which frames should travel in a frame-relay cloud.
- It is contained within a 10-bit field inside the 2-byte frame-relay (Q.922) address header, so values range 0-1023, with some reserved for LMI and management.
- DLCIs are locally significant to a link and can change as the frame passes through the network; each switch rewrites them hop by hop.
- This is the layer-2 addressing of frame-relay.
4 DLCI states (as reported by LMI):
1. Active - operational; both ends of the PVC are up and communicating.
2. Inactive - the PVC exists on the switch but the far end is not working (your local connection to the frame-relay switch is fine).
3. Deleted - the DLCI is configured on the router but the switch does not report it in its LMI status messages, i.e. you configured DLCI 222 but it does not exist on the switch.
4. Static - indicates that LMI was turned off with "no keepalive", so the router cannot learn the state from the switch.
LMI (Local Management Interface)
- LMI communication depends on the interface keepalive.
- LMI messages manage the communication between the DCE (frame-relay switch) and the DTE (a router).
- A DTE sends LMI status enquiry messages to the DCE.
- The DCE responds with LMI status messages to inform the DTE (router) about the DLCIs and the status of each VC.
- These enquiry/status messages function as, and are referred to as, LMI keepalives too.
- Default keepalive is 10 seconds.
- LMI can be enabled/disabled with the "keepalive"/"no keepalive" interface commands.
- LMI holdtime is 3x the keepalive. The holdtime cannot be adjusted directly, only by changing the keepalive interval (holdtime = keepalive x 3).
- If 3 keepalives (default) are missed, the interface line protocol goes down.
- There are three LMI types: cisco, ansi and q933a.
- LMI autosense is enabled by default and determines the LMI type to use; "frame-relay lmi-type" hard-codes it.
- LMI messages/keepalives inform the router of all the DLCIs in use, but give no information as to which DLCI belongs to which interface/sub-interface (that is what "frame-relay interface-dlci" is for).
- The command "encapsulation frame-relay" enables LMI automatically.
CCIE LAB SCENARIO: configure routers such that the LMI status enquiries are sent every 5 seconds and full status enquiries are sent every 3 cycles instead of 6
config-set:
int s0/0
keepalive 5
frame-relay lmi-n391dte 3
LMI Keepalives and Full Status Update
- By default, LMI keepalives are sent every 10 seconds.
- Keepalive timers on the router and the switch must match, to prevent flapping interfaces.
- If LMI autosense is unsuccessful, an intelligent retry scheme is built in.
- Every N391 interval (default 6 keepalives, i.e. 60 seconds at 10 seconds each) the DTE sends a full status enquiry, asking for complete status information about every VC rather than a plain keepalive exchange. This is also known as the full status update; LMI autosense retries determining the LMI type on the same interval.
- To change how often a full status update is requested, change the N391 counter. It is counted in keepalives, not in seconds.
Lab Scenario: if a router should request a full update once every 180 sec with a 10 sec keepalive (180 / 10 = 18), request an update every 18th keepalive:
interface command:
frame-relay lmi-n391dte 18
2 types of FR encapsulation:
1. cisco - the default, used if both DTEs are Cisco devices.
2. ietf - for multivendor environments (RFC 1490/2427 encapsulation).
config-set: encapsulation per interface and per DLCI (the keyword on a map overrides the interface default for that DLCI)
interface s1/0
encapsulation frame-relay ietf
frame-relay map ip 131.108.123.2 48 broadcast
frame-relay map ip 131.108.123.3 49 broadcast cisco
!
interface s1/1
encapsulation frame-relay
frame-relay map ip 131.108.143.2 58 broadcast ietf
frame-relay map ip 131.108.143.3 59 broadcast
- FECN, BECN and DE
- FECN (Forward Explicit Congestion Notification) and BECN (Backward Explicit Congestion Notification) are single bits in the frame-relay (Q.922/LAPF) address header, used to signal congestion on a particular PVC.
- When a frame-relay switch notices congestion on a PVC, it sets the FECN bit on frames travelling in the congested direction, telling the receiver that the path they came over is congested.
- The switch (or a device that sees the FECN) sets the BECN bit on frames travelling back towards the source on that PVC, to tell the source it is sending into congestion and should slow down; a router can react with adaptive traffic shaping.
- The DE (Discard Eligibility) bit marks traffic that is in violation of the committed rate and may be discarded during periods of congestion. DE-marked frames are dropped first.
Broadcast Queue
- In large frame-relay networks the replicated broadcast traffic (routing updates copied onto every DLCI) can consume bandwidth and interface buffers and even cause packet loss.
- To avoid such problems, you can create a special broadcast queue on an interface, with its own queue and buffers, and rate-limit it:
frame-relay broadcast-queue {queue-size} {byte-rate} {packet-rate}
- CDP is enabled by default on all supported interfaces (except for frame-relay multipoint sub-interfaces).
Friday, February 18, 2011
LAB: Flex Links
The Flex Links feature is used as an alternative to Spanning-Tree Protocol for a pair of layer-2 uplinks (one active, one backup). STP is disabled on the interfaces in a Flex Link pair, so it is meant for topologies where you do not want to rely on STP to block the redundant link.
- The backup link operates in standby mode and waits for the line protocol of the active link to go down. If the line protocol of the active link goes down, the backup link becomes active and immediately starts forwarding. What happens when the active link's line protocol comes back up depends on the preemption mode: with "preemption mode forced" (as configured below) the original active link takes over again after the preemption delay (20 seconds here) and the backup goes back into standby and stops forwarding; with "preemption mode bandwidth" the interface with the higher bandwidth wins; with "preemption mode off" (the default) whichever link is currently forwarding keeps forwarding.
SW1:
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport backup interface Fa0/16
switchport backup interface Fa0/16 preemption mode forced
switchport backup interface Fa0/16 preemption delay 20
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
SW2:
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
SW3:
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
verification:
SW1#show interfaces po1 switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
Port-channel1 FastEthernet0/16 Active Up/Backup Standby
Thursday, February 17, 2011
notes: 3550 & 3560 QoS
3550
fastethernet
QOS scheduling: tx-(4q0t),tx-(1p3q0t)
gigabitethernet
QOS scheduling: tx-(4q2t),tx-(1p3q2t)
- priority at queue 4
- default port cos 0
- default port is untrusted
- default cos to tx queue mapping
0 - 1
1 - 1
2 - 2
3 - 2
4 - 3
5 - 3
6 - 4
7 - 4
- default cos-dscp map
show mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 56
- default wrr weights
wrr bandwidth weights:
qid-weights
1 - 25
2 - 25
3 - 25
4 - 25
- Weights range from 0 to 255; when the weight of queue 4 is set to "0", that queue is configured as the expedite queue.
3560
QoS scheduling: tx-(4q2t)
- same cos-tx queue mapping
- same cos-dscp mapping
- same queue bandwidth weights
- no vlan-based classification
- can use class-based marking to set dscp
to verify queueing:
show mls qos interface queueing
to change cos-dscp mapping:
mls qos map cos-dscp (dscp-values)
config-set for 3550 setting cos-tx queues mapping:
Rack1SW3(config-if)#wrr-queue cos-map 1 0 1 2
Rack1SW3(config-if)#wrr-queue cos-map 2 3
Rack1SW3(config-if)#wrr-queue cos-map 3 4
Rack1SW3(config-if)#wrr-queue cos-map 4 5
Rack1SW3(config-if)#priority-queue out ---configure priority queueing
Rack1SW3#show mls qos interface queueing
FastEthernet0/1
QoS is disabled. Only one queue is used
When QoS is enabled, following settings will be applied
Egress expedite queue: dis
wrr bandwidth weights:
qid-weights
1 - 25
2 - 25
3 - 25
4 - 25
Cos-queue map:
cos-qid
0 - 1
1 - 1
2 - 1
3 - 2
4 - 3
5 - 4
6 - 4
ex:
wrr-queue bandwidth 1 2 3 4
queue 1 - 10%
queue 2 - 20%
queue 3 - 30%
queue 4 - 40%
notes: IP Phone Trust and CoS Extend
- Ports are configured to trust the QoS marking only if the presence of a Cisco IP Phone is sensed via CDP messages.
- If no Cisco device is detected on the port, the QoS markings are not trusted, even if the port is configured for trust.
- The switch may also instruct the IP Phone's switch to apply specific CoS markings to frames received from the connected PC. The switch may either accept (trust) the 802.1p bits received from the attached PC or enforce the instructed value. This feature particularly makes sense when used with the dot1p Voice VLAN option.
config-set:
interface FastEthernet0/6
mls qos trust cos
mls qos trust device cisco-phone
switchport priority extend cos 1
verification:
show mls qos interface #
notes: Voice VLAN
Voice VLAN (VVLAN)
- Most Cisco phones have a built-in 3-port switch and are able to distinguish the phone from the PC using different VLANs and optionally 802.1p CoS.
- Voice config is communicated via CDP to the IP phone.
3 different connecting options:
1. Separate DATA VLAN / VOICE VLAN.
- VOIP frames are tagged with COS 5.
- Connection between switch and IP phone is a 802.1q trunk with native VLAN equal to data VLAN.
config set:
interface FastEthernet0/2
switchport access vlan 146
switchport voice vlan 600
spanning-tree portfast
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 146
switchport trunk allowed vlan 146,600
switchport mode trunk
switchport voice vlan 600
spanning-tree portfast trunk
spanning-tree bpdufilter enable
Note that as soon as the switchport voice vlan command is applied to the
port, the spanning-tree portfast feature is automatically enabled.
2. Single VLAN for both VOICE and DATA
- Frames are not tagged, thus the phone merely acts as a switch.
- The connection between the switch and the IP phone is configured as an access link.
If no "switchport voice vlan" command is configured, option 2 applies automatically.
3. Single VLAN for DATA and VOICE but with COS 5 marking
- DATA traffic is marked as CoS 0 within an 802.1q header.
- VOICE traffic is marked as CoS 5 within the 802.1q header.
- Frames with CoS 0 are accepted as belonging to the access VLAN.
config set:
interface FastEthernet0/6
switchport access vlan 146
switchport voice vlan dot1p
notes: VACL
VACL
- A VLAN access map is similar to a route-map.
- It is used to apply a layer 3 filter to layer 2 transit traffic.
- Uses route-map logic to permit (forward) or deny (drop) traffic.
- Changes made to the access-map will not take effect until the access-map is removed and re-applied.
- ONLY an ACL permit performs the "forward"/"drop" function in the access-map. An ACL deny is ignored.
- So to deny traffic with VLAN ACLs, permit the traffic in the ACL and use a "drop" action in the access-map.
- MAC ACLs will only match NON-IP traffic.
- A Cisco 3560 switch sees IPv6 traffic as IP traffic, but a Cisco 3550 switch sees IPv6 traffic as NON-IP traffic.
- Ethertypes are not fully listed in the IOS command help or on the DOC-CD, memorise them!
0x0806 0x0 : ARP
0x0800 0x0 : IPv4
0x86DD 0x0 : IPv6
0xAAAA 0x0 : CISCO proprietary (STP, PAGP, VTP, PVST+, CDP, DTP, and UDLD)
0x4242 0x0 : CST
config-set: Blocks all ICMP echoes & IPv6 on VLAN 162 but forwards all other traffic
access-list 101 permit icmp any any echo
mac access-list extended EtherType
permit any any 0xAAAA 0x0
!
vlan access-map VACL 10
action drop
match ip address 101 - Drops ICMP Echo
vlan access-map VACL 20
action drop
match mac address EtherType
vlan access-map VACL 30
action forward - Forwards all other traffic
!
vlan filter VACL vlan-list 162 - Applies access-map
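Worked model of the access-map rules above, added here as an illustration; it is not switch code and not from the original notes. It treats an access-map sequence as matching only when a PERMIT entry of its ACL is the first hit for the frame (a deny hit or no hit skips the sequence), treats a sequence without a match clause as matching everything, and drops a frame that hits no sequence. The 3550/3560 IPv6 difference is a platform flag. The MAC ACL in the modelled config uses 0x86DD, the IPv6 value from the EtherType table above, to match the stated intent of the config-set; every frame is a constructed sample.

```python
"""Model of VLAN access-map (VACL) evaluation; an added illustration, not
switch code. Rules modelled: a sequence acts only when a PERMIT entry of its
ACL is the first match for the frame; a sequence with no match clause matches
every frame; a frame matching no sequence is dropped (implicit deny); MAC ACLs
only see non-IP frames; a 3560 classes IPv6 as IP, a 3550 as non-IP.
Frames and ACL contents below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional

ARP, IPV4, IPV6, CISCO = 0x0806, 0x0800, 0x86DD, 0xAAAA   # EtherTypes, table above


@dataclass
class Frame:
    ethertype: int
    protocol: str = ""     # "icmp", "tcp", "udp"  (IPv4 frames only)
    icmp_type: str = ""    # "echo", "echo-reply", ...  (ICMP only)


@dataclass
class IpAce:
    """One line of a numbered IPv4 access-list, e.g. 'permit icmp any any echo'."""
    permit: bool
    protocol: str          # "ip" matches any IPv4 protocol
    icmp_type: str = ""    # "" = any ICMP type

    def matches(self, f: Frame) -> bool:
        if f.ethertype != IPV4 or self.protocol not in ("ip", f.protocol):
            return False
        return self.icmp_type in ("", f.icmp_type)


@dataclass
class MacAce:
    """One line of a 'mac access-list extended', matching on EtherType."""
    permit: bool
    ethertype: int

    def matches(self, f: Frame) -> bool:
        return f.ethertype == self.ethertype


@dataclass
class Seq:
    number: int
    action: str                              # "forward" or "drop"
    ip_acl: Optional[List[IpAce]] = None     # 'match ip address <acl>'
    mac_acl: Optional[List[MacAce]] = None   # 'match mac address <acl>'


def acl_permits(entries, f: Frame) -> bool:
    """First-match ACL lookup: a PERMIT hit selects the frame for the sequence's
    action; a DENY hit, or no hit at all, means the sequence is skipped."""
    for a in entries:
        if a.matches(f):
            return a.permit
    return False


class Vacl:
    def __init__(self, platform: str, seqs: List[Seq]):
        assert platform in ("3550", "3560")
        self.platform = platform
        self.seqs = sorted(seqs, key=lambda s: s.number)

    def is_ip(self, f: Frame) -> bool:
        if self.platform == "3560":
            return f.ethertype in (IPV4, IPV6)
        return f.ethertype == IPV4            # 3550: IPv6 is non-IP traffic

    def evaluate(self, f: Frame) -> str:
        for s in self.seqs:
            if s.ip_acl is None and s.mac_acl is None:
                return s.action               # no match clause: catches everything
            if s.ip_acl is not None and self.is_ip(f) and acl_permits(s.ip_acl, f):
                return s.action
            if s.mac_acl is not None and not self.is_ip(f) and acl_permits(s.mac_acl, f):
                return s.action
        return "drop"                         # implicit deny at the end of the map


# The config-set above (drop ICMP echo and IPv6, forward everything else).
# The MAC ACL here uses 0x86DD, the IPv6 value from the EtherType table above.
ACL_101 = [IpAce(permit=True, protocol="icmp", icmp_type="echo")]
MAC_ETHERTYPE = [MacAce(permit=True, ethertype=IPV6)]
PAGE_VACL = [Seq(10, "drop", ip_acl=ACL_101),
             Seq(20, "drop", mac_acl=MAC_ETHERTYPE),
             Seq(30, "forward")]
# Written with a DENY entry: it never selects, so ICMP falls through to sequence 20.
DENY_ONLY_VACL = [Seq(10, "drop", ip_acl=[IpAce(permit=False, protocol="icmp")]),
                  Seq(20, "forward")]
# Only one permitting sequence: everything else hits the implicit deny.
ICMP_ONLY_VACL = [Seq(10, "forward", ip_acl=[IpAce(permit=True, protocol="icmp")])]


def decide(seqs: List[Seq], frame: Frame, platform: str = "3550") -> str:
    return Vacl(platform, seqs).evaluate(frame)


if __name__ == "__main__":
    for name, fr in {"icmp echo": Frame(IPV4, "icmp", "echo"), "tcp": Frame(IPV4, "tcp"),
                     "arp": Frame(ARP), "ipv6": Frame(IPV6)}.items():
        print(f"{name:10} 3550={decide(PAGE_VACL, fr):8} 3560={decide(PAGE_VACL, fr, '3560')}")
```

The two extra maps show the pitfalls the notes warn about: a map written with an ACL deny never drops anything, and a map with only one permitting sequence silently drops all other traffic on the VLAN because of the implicit deny.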
notes: DHCP Snooping and IP Source Guard
DHCP Snooping
- DHCP snooping is a feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database.
- acts like a firewall between untrusted hosts and DHCP servers.
- One can use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.
enable snooping globally:
ip dhcp snooping
ip dhcp snooping vlan #
interface command:
interface FastEthernet 0/1
ip dhcp snooping trust
ip dhcp snooping limit rate 200
IP Source Guard
- IP Source Guard is a Catalyst security feature related to DHCP snooping.
- IP source guard helps prevent IP spoofing by enabling only the IP addresses obtained through DHCP snooping on a particular port. When a client receives an IP address from the authorized DHCP server, a port access control list (PACL) is installed on the port. This PACL enables traffic in the interface if it is sourced from the DHCP provided IP address.
global command:
ip verify source vlan dhcp-snooping port-security
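A behavioural model of the two features above, added as an illustration (it is not the switch's code and not from the original notes). It drops DHCP server messages that arrive on untrusted ports, builds the snooping binding from the ACK relayed through the trusted port, err-disables a port that exceeds its DHCP rate limit, and then applies IP Source Guard to ordinary IP packets, with and without the port-security (MAC) check. Port names, MAC addresses, the VLAN and the lease addresses are constructed sample data.

```python
"""DHCP snooping and IP Source Guard as a small behavioural model (an added
example, not switch code; ports, MACs and addresses are constructed).
Modelled from the notes above: server messages (OFFER/ACK/NAK) from an
UNTRUSTED port are dropped; an ACK through a trusted port creates a binding
(MAC, IP, VLAN, client port); DHCP packets above the per-port rate limit
err-disable the port; IP Source Guard forwards an IP packet from a guarded
port only if its source IP (and, with the port-security option, its source
MAC) matches a binding on that port."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SERVER_MSGS = {"OFFER", "ACK", "NAK"}         # only a DHCP server sends these


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False              # ip dhcp snooping trust
    rate_limit: Optional[int] = None   # ip dhcp snooping limit rate <pps>
    verify_source: bool = False        # ip verify source
    verify_mac: bool = False           # ... port-security (also check source MAC)
    errdisabled: bool = False
    dhcp_per_second: Dict[int, int] = field(default_factory=dict)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, snooping_vlans: Set[int]):
        self.snooping_vlans = snooping_vlans
        self.ports: Dict[str, Port] = {}
        self.bindings: Set[Binding] = set()
        self.pending: Dict[str, str] = {}   # client MAC -> port it asked from

    def add_port(self, p: Port) -> None:
        self.ports[p.name] = p

    def dhcp(self, port: str, msg: str, client_mac: str,
             yiaddr: str = "", second: int = 0) -> str:
        """Process one DHCP message; returns forward / drop / errdisable."""
        p = self.ports[port]
        if p.errdisabled:
            return "drop"
        if p.vlan not in self.snooping_vlans:
            return "forward"                   # snooping not enabled on this VLAN
        if p.rate_limit is not None:           # per-port limit, trusted or not
            n = p.dhcp_per_second.get(second, 0) + 1
            p.dhcp_per_second[second] = n
            if n > p.rate_limit:
                p.errdisabled = True
                return "errdisable"
        if msg in SERVER_MSGS:
            if not p.trusted:
                return "drop"                  # server reply on an untrusted port
            if msg == "ACK" and client_mac in self.pending:
                self.bindings.add(Binding(client_mac, yiaddr, p.vlan,
                                          self.pending[client_mac]))
        else:
            self.pending[client_mac] = port    # DISCOVER/REQUEST: note the client port
        return "forward"

    def ip_packet(self, port: str, src_mac: str, src_ip: str) -> str:
        """IP Source Guard check for a non-DHCP IP packet entering 'port'."""
        p = self.ports[port]
        if p.errdisabled:
            return "drop"
        if not p.verify_source:
            return "forward"
        for b in self.bindings:
            if b.port == port and b.ip == src_ip and (not p.verify_mac or b.mac == src_mac):
                return "forward"
        return "drop"                          # no binding: the port ACL blocks it


def demo() -> Dict[str, str]:
    """Constructed scenario: DHCP server behind trusted Fa0/1, hosts on Fa0/2-3."""
    sw = Switch(snooping_vlans={146})
    sw.add_port(Port("Fa0/1", 146, trusted=True, rate_limit=200))
    sw.add_port(Port("Fa0/2", 146, rate_limit=200, verify_source=True, verify_mac=True))
    sw.add_port(Port("Fa0/3", 146, rate_limit=200, verify_source=True))
    host, lease = "00aa.bb00.0002", "10.0.0.20"
    r = {}
    r["discover"] = sw.dhcp("Fa0/2", "DISCOVER", host)
    r["rogue_offer"] = sw.dhcp("Fa0/3", "OFFER", host, "10.0.0.99")   # untrusted port
    r["offer"] = sw.dhcp("Fa0/1", "OFFER", host, lease)
    r["ack"] = sw.dhcp("Fa0/1", "ACK", host, lease)
    r["binding_port"] = next(b.port for b in sw.bindings if b.mac == host)
    r["good_ip"] = sw.ip_packet("Fa0/2", host, lease)
    r["spoofed_ip"] = sw.ip_packet("Fa0/2", host, "10.0.0.99")
    r["spoofed_mac"] = sw.ip_packet("Fa0/2", "00aa.bb00.00ff", lease)
    r["no_lease"] = sw.ip_packet("Fa0/3", "00aa.bb00.0003", "10.0.0.30")
    for _ in range(201):                       # 201 DISCOVERs in one second on Fa0/3
        r["flood"] = sw.dhcp("Fa0/3", "DISCOVER", "00aa.bb00.0003", second=7)
    r["after_errdisable"] = sw.ip_packet("Fa0/3", "00aa.bb00.0003", "10.0.0.30")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Note the ordering the model makes visible: a host on a guarded port can send no IP traffic at all until its lease has been seen by the switch, and a statically addressed host on such a port is blocked unless a static binding is added.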
Wednesday, February 16, 2011
notes: Switchport Security
The port security feature restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
- Can only be configured on static access or trunk ports, not on dynamic links.
You can configure these types of secure MAC addresses:
1. Static secure MAC addresses: Manually configured by using the switchport port-security mac-address mac-address interface configuration command.
2. Dynamic secure MAC addresses: Dynamically learned, stored only in the address table and removed when the switch restarts.
3. Sticky secure MAC addresses: Dynamically learned or manually configured, stored in the address table and added to the running configuration. These addresses can be saved in the configuration file.
3 violation modes, based on the action to be taken if a violation occurs:
1. Protect: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.
2. Restrict: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses; you are notified.
-Generates SNMP/Syslogs.
3. Shutdown: Port security violation causes the interface to immediately become error-disabled and turns off the port LED; it also sends a Simple Network Management Protocol (SNMP) trap, logs a syslog message, and increments the violation counter.
command set to configure port security:
switchport port-security
switchport port-security maximum value [vlan [vlan-list]]
switchport port-security violation {protect | restrict | shutdown}
switchport port-security mac-address mac-address [vlan vlan-id]
switchport port-security mac-address sticky
You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
1. Absolute: The secure addresses on the port are deleted after the specified aging time.
2. Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
command:
switchport port-security aging {static | time time | type {absolute | inactivity}}
setting error disable aging for port security:
errdisable recovery cause psecure-violation
errdisable recovery interval 5400 (sec)
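A small model of the port security behaviour described above, added as an illustration (not the switch's code and not from the original notes). It learns dynamic or sticky addresses up to the maximum, applies the three violation modes to an unknown source MAC, shows which addresses survive a restart and which lines sticky learning writes to the running configuration, and times out the err-disabled state the way errdisable recovery does. The MAC addresses, port name and syslog-style messages are constructed.

```python
"""Port security behaviour as a small model (an added example, not the
switch's code; MAC addresses and log text are constructed). Modelled from
the notes above: up to 'maximum' secure MACs per port, which are static
(configured), dynamic (learned, lost on restart) or sticky (learned and
written to the running-config, so they survive a restart); once the limit is
reached an unknown source MAC is a violation handled per the configured
mode; errdisable recovery re-enables a shut-down port after the interval."""
from collections import OrderedDict
from typing import Dict, List, Optional


class SecurePort:
    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown",
                 sticky: bool = False, static: tuple = ()):
        assert violation in ("protect", "restrict", "shutdown")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure: Dict[str, str] = OrderedDict((m, "static") for m in static)
        self.violations = 0
        self.errdisabled = False
        self.errdisabled_at: Optional[int] = None
        self.log: List[str] = []

    def frame(self, src_mac: str, now: int = 0) -> str:
        """Ingress frame from src_mac at time 'now' (seconds); returns forward/drop."""
        if self.errdisabled:
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:            # room left: learn it
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        if self.violation == "protect":                # silent drop, no counter
            return "drop"
        self.violations += 1                           # restrict and shutdown notify
        self.log.append(f"PSECURE_VIOLATION on {self.name} by {src_mac}")  # constructed text
        if self.violation == "shutdown":
            self.errdisabled, self.errdisabled_at = True, now
            self.log.append(f"{self.name} err-disabled (psecure-violation)")
        return "drop"

    def running_config(self) -> List[str]:
        """Interface lines as they would appear in the running configuration."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines                                   # dynamic entries are not written

    def restart(self) -> None:
        """Dynamic entries live only in the address table; static and sticky survive."""
        self.secure = OrderedDict((m, k) for m, k in self.secure.items() if k != "dynamic")
        self.errdisabled, self.errdisabled_at = False, None

    def errdisable_recovery(self, now: int, interval: int = 300) -> bool:
        """'errdisable recovery cause psecure-violation' with the given interval."""
        if self.errdisabled and now - self.errdisabled_at >= interval:
            self.errdisabled, self.errdisabled_at = False, None
            return True
        return False


def demo(violation: str, sticky: bool = False) -> dict:
    """Three hosts behind a port with 'maximum 2'; the third one violates."""
    p = SecurePort("Fa0/1", maximum=2, violation=violation, sticky=sticky)
    macs = ("0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc")
    results = [p.frame(m, now=10) for m in macs]
    errdisabled = p.errdisabled
    recovered = p.errdisable_recovery(now=10 + 300)
    config = p.running_config()
    p.restart()
    return {"results": results, "violations": p.violations, "errdisabled": errdisabled,
            "recovered": recovered, "config": config, "after_restart": sorted(p.secure)}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, demo(mode))
    print("sticky", demo("shutdown", sticky=True)["after_restart"])
```

The protect mode is the one to watch operationally: it drops the offending frames but increments no counter and raises no trap, so without sticky or static entries there is nothing in the logs to show that a third station appeared on the port.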
notes: CCIE LAB useful templates
for default authentication on console and vtys:
aaa authentication login mycon none
aaa authentication login myvty line
line con0
login authentication mycon
line vty 0 4
login authentication myvty
password cisco
Tuesday, February 15, 2011
LAB: Bridging over WAN
Rack1R2
bridge irb
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
bridge-group 1
!
interface Serial0/0
ip address 155.1.0.2 255.255.255.0
encapsulation frame-relay
clock rate 2000000
cdp enable
frame-relay map bridge 205 broadcast
frame-relay interface-dlci 205
bridge-group 1
!
interface BVI1
ip address 111.111.111.2 255.255.255.0
!
!
bridge 1 protocol ieee
bridge 1 route ip
Rack1R5
bridge irb
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
bridge-group 1
!
interface Serial0/0
ip address 155.1.0.5 255.255.255.0
encapsulation frame-relay
clock rate 2000000
cdp enable
frame-relay map bridge 502 broadcast
frame-relay interface-dlci 502
bridge-group 1
!
interface BVI1
ip address 111.111.111.5 255.255.255.0
!
!
bridge 1 protocol ieee
bridge 1 route ip
VERIFICATION:
Rack1R2#ping 111.111.111.5 source bvI 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.5, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.2
!!!!!
Rack1R5#ping 111.111.111.2 source bvI 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.2, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.5
!!!!!
LAB: Fallback Bridging (VLAN bridging)
R4:
interface FastEthernet0/1
ip address 104.0.0.4 255.255.255.0
ipv6 address 2001::4/64
!
router rip
version 2
no auto-summary
network 104.0.0.0
R6:
interface FastEthernet0/1
ip address 106.0.0.6 255.255.255.0
ipv6 address 2001::6/64
!
router rip
version 2
no auto-summary
network 106.0.0.0
SW4:
vlan 104
!
bridge 1 protocol vlan-bridge
!
interface FastEthernet0/4
switchport access vlan 104
!
interface FastEthernet0/6
no switchport
ip address 106.0.0.10 255.255.255.0
bridge-group 1
!
interface Vlan104
ip address 104.0.0.10 255.255.255.0
bridge-group 1
!
ip routing
!
router rip
version 2
no auto-summary
network 104.0.0.0
network 106.0.0.0
verification:
Rack1R4#traceroute 106.0.0.6
Translating "106.0.0.6"
Type escape sequence to abort.
Tracing the route to 106.0.0.6
1 104.0.0.10 4 msec 0 msec 4 msec
2 106.0.0.6 0 msec * 0 msec
Rack1R4#traceroute 2001::6
Type escape sequence to abort.
Tracing the route to 2001::6
1 2001::6 4 msec 0 msec 0 msec
Saturday, February 12, 2011
LAB: EtherChannel over 802.1q Tunneling
R1:
interface FastEthernet0/0
ip address 155.1.146.1 255.255.255.0
R4:
interface FastEthernet0/1
ip address 155.1.146.4 255.255.255.0
SW1:
vlan 146
!
interface FastEthernet0/1
switchport access vlan 146
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable
!
interface FastEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable
SW2:
vlan 100,200,300
!
interface FastEthernet0/13
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/14
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/15
switchport access vlan 300
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
metro VLAN tags of 100, 200, and 300
SW3:
vlan 100,200,300
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/21
switchport access vlan 300
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
SW4:
vlan 146
!
interface FastEthernet0/4
switchport access vlan 146
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto
VERIFICATION:
Rack1SW1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Rack1SW4 Fas 0/15 153 S I WS-C3550-2Fas 0/21
Rack1SW4 Fas 0/14 153 S I WS-C3550-2Fas 0/20
Rack1SW4 Fas 0/13 153 S I WS-C3550-2Fas 0/19
Rack1R1 Fas 0/1 131 R S I 2610XM Fas 0/0
Rack1R3 Fas 0/3 128 R S I 2611XM Fas 0/0
Rack1R5 Fas 0/5 124 R S I 2611XM Fas 0/0
LAB: 802.1q Layer 2 tunneling
R1:
interface FastEthernet0/0
no shutdown
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 14.0.0.1 255.255.255.0
!
interface FastEthernet0/0.41
encapsulation dot1Q 41
ip address 41.0.0.1 255.255.255.0
R4:
interface FastEthernet0/1
no shutdown
!
interface FastEthernet0/1.14
encapsulation dot1Q 14
ip address 14.0.0.4 255.255.255.0
!
interface FastEthernet0/1.41
encapsulation dot1Q 41
ip address 41.0.0.4 255.255.255.0
SW1:
system mtu 1504
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
SW2:
system mtu 1504
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
SW3:
system mtu 1504
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
SW4:
system mtu 1504
!
interface FastEthernet0/4
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
verification:
Rack1R4#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
Rack1R1 Fas 0/1 125 R S I 2610XM Fas 0/0
notes: Storm Control & Unicast flooding
Storm control
- Is used to limit the amount of unicast, multicast, or broadcast traffic received on a port.
- The most common application of this feature is to prevent broadcast storms, but it can also be used to police individual ports so that they do not exceed a desired rate.
- Traffic above the multicast rate suppresses unicast, broadcast and multicast traffic.
- With storm control it is recommended to hard-code the interface speed, to get around the 10/100/1000 negotiation issue.
command:
interface FastEthernet0/1
storm-control unicast level pps 100
interface FastEthernet0/6
storm-control broadcast level 1.00
interface FastEthernet0/4
storm-control broadcast level bps 10m
verification:
show storm-control
"every broadcast is a multicast, but every multicast is not a broadcast"
So if you limit multicast to 10% and broadcast to 20%, broadcast traffic will never reach the 20% limit, because it is already suppressed at the 10% multicast threshold.
Unicast Flooding
If a destination MAC address is not in the MAC address table of the switch, the frame is flooded out all ports for that respective VLAN. Although some flooding is unavoidable and expected, excessive flooding might be caused by asymmetric routing, STP topology changes, or forwarding table overflow. Also, flooding can result from attacks on the network, especially if denial-of-service (DoS) attacks occur.
- Switches can now implement a unicast flood-prevention feature.
global command:
mac-address-table unicast-flood {limit kfps} {vlan vlan} {filter timeout | alert | shutdown}
notes: Private VLANS, protected ports
Private VLANs
- Can split a single broadcast domain, defined by a single VLAN, into multiple isolated broadcast subdomains, that are defined by primary VLAN and secondary VLANs.
- Basically it is VLANs inside a VLAN.
- Commonly used in shared layer2 environments, like ISP co-locations/hotel rooms, so two sites/rooms can't communicate directly.
- PVLANs can only be configured when a switch is in VTP transparent mode!!!
- Difference between PVLAN and protected port, PVLAN can span multiple switches whereas protected ports don't.
- Private VLAN information is NOT propagated via VTP.
- Secondary VLANs (isolated and community) do not run their own instance of spanning-tree.
Different port roles:
1. Promiscuous ports - Are allowed to talk to all other ports within the VLAN.
- Are the roles assigned to the primary VLAN ports.
2. Community ports - Are allowed to talk to any other ports only in the same community.
3. Isolated ports - Can only talk to other promiscuous ports.
steps to configure Private VLANs
Note: must be in VTP transparent mode (so a VTP domain must be configured)
1. Create the secondary VLANs as community or isolated.
vlan 1000
private-vlan community
vlan 2000
private-vlan isolated
2. Create the primary VLANs and associate the secondary VLANs.
vlan 100
private-vlan primary
private-vlan association 1000,2000
3. Assign each port its mode and map/associate it with the secondary VLANs
interface fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 1000,2000
int fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 100 1000
int fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 100 2000
verification:
show vlan private-vlan
Protected Ports:
Protected ports are used to prevent traffic from being exchanged at layer 2 between two or more ports that are in the same VLAN.
- Traffic received in a protected port cannot be sent out another protected port, however traffic received in a protected port can be sent out a non-protected port.
This feature is a much smaller subset of the Private VLAN feature, and cannot span between multiple physical switches.
command:
interface FastEthernet0/2
switchport protected
interface FastEthernet0/24
switchport protected
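To make the two isolation models concrete, here is an added example (not configuration from these notes) that models the forwarding rules above in Python: PVLAN rules span switches, protected-port rules are local to one switch. Port names and VLAN numbers follow the config-set above; the SW2 ports are assumed for illustration.

```python
"""Added example (not from the original notes): a model of which ports may
exchange Layer 2 traffic under Private VLANs and under protected ports.
Port names and VLAN numbers mirror the config-set above; the second switch
(SW2) and its ports are assumed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    switch: str
    role: str                        # "promiscuous", "community", "isolated", "normal"
    secondary: Optional[int] = None  # secondary VLAN of a community/isolated host port
    protected: bool = False


def pvlan_allows(src: Port, dst: Port) -> bool:
    """True if PVLAN rules let a frame from src reach dst.

    - promiscuous ports talk to every port in the primary VLAN
    - community ports talk to promiscuous ports and to their own community
    - isolated ports talk only to promiscuous ports
    The rule ignores the switch name on purpose: secondary VLANs are carried
    on trunks, so PVLAN isolation spans multiple switches."""
    if src is dst:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary
    return False  # isolated<->isolated, isolated<->community, different communities


def protected_allows(src: Port, dst: Port) -> bool:
    """True if the protected-port rule lets a frame from src reach dst.

    Only two protected ports on the SAME switch are kept apart; a protected
    port may still send to a non-protected port, and the check is purely
    local, so protected ports on different switches are not isolated."""
    if src is dst:
        return False
    return not (src.protected and dst.protected and src.switch == dst.switch)


def reachability(ports, rule):
    """Map (src.name, dst.name) -> bool for every ordered pair under `rule`."""
    return {(a.name, b.name): rule(a, b) for a in ports for b in ports if a is not b}


# Constructed topology: SW1 as in the config-set (fa0/1 promiscuous,
# fa0/2 community 1000, fa0/3 isolated 2000) plus assumed hosts on SW2.
SW1_FA1 = Port("SW1:fa0/1", "SW1", "promiscuous")
SW1_FA2 = Port("SW1:fa0/2", "SW1", "community", 1000)
SW1_FA3 = Port("SW1:fa0/3", "SW1", "isolated", 2000)
SW2_FA2 = Port("SW2:fa0/2", "SW2", "community", 1000)
SW2_FA3 = Port("SW2:fa0/3", "SW2", "isolated", 2000)
PVLAN_PORTS = [SW1_FA1, SW1_FA2, SW1_FA3, SW2_FA2, SW2_FA3]

# Constructed protected-port topology: fa0/2 and fa0/24 protected on SW1
# (as in the command example); one more protected port assumed on SW2.
P_SW1_FA2 = Port("SW1:fa0/2", "SW1", "normal", protected=True)
P_SW1_FA24 = Port("SW1:fa0/24", "SW1", "normal", protected=True)
P_SW1_FA1 = Port("SW1:fa0/1", "SW1", "normal")
P_SW2_FA2 = Port("SW2:fa0/2", "SW2", "normal", protected=True)
PROTECTED_PORTS = [P_SW1_FA2, P_SW1_FA24, P_SW1_FA1, P_SW2_FA2]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PVLAN_PORTS, pvlan_allows).items()):
        print(f"PVLAN     {a:>10} -> {b:<10} {'allowed' if ok else 'blocked'}")
    for (a, b), ok in sorted(reachability(PROTECTED_PORTS, protected_allows).items()):
        print(f"protected {a:>10} -> {b:<10} {'allowed' if ok else 'blocked'}")
```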
notes: SPAN and RSPAN
- SPAN (Switched Port Analyzer)
- Is used to redirect traffic from a port or VLAN onto another port for analysis by devices such as a packet sniffer or IPS.
- By default, traffic coming in on the destination SPAN port will get dropped.
- The [ingress] keyword tells the switch which access VLAN inbound traffic on the destination port should belong to.
config-set:
monitor session 1 source vlan 146
monitor session 1 destination interface Fa0/24
monitor session 1 source interface Fa0/4
monitor session 1 destination interface Fa0/24 ingress vlan 146
note: session numbers are locally significant
RSPAN
- This feature is used when the source port or VLAN being monitored is on a different physical switch than the sniffer.
steps to configure:
1. Configure the RSPAN VLAN, which carries special attributes.
SW4:
vlan 500
remote-span
2. Configure the source of the traffic for the SPAN session and direct it to the RSPAN VLAN.
SW2:
monitor session 2 source interface Fa0/4
monitor session 2 destination remote vlan 500
3. On the switch with the attached sniffer, create a SPAN session with the RSPAN VLAN as the source and the port where the sniffer is attached as the destination.
SW1:
monitor session 2 destination interface Fa0/24 ingress vlan 146
monitor session 2 source remote vlan 500
verification:
show monitor session all
notes: 802.1X Port-Based Authentication
defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.
Remember:
- DO NOT forget to add “aaa authentication login default none”, or you might lock yourself out of the switch and forfeit any points related to that switch.
- Uses AAA with RADIUS for authentication.
- Every time "aaa new-model" is typed it will erase the existing AAA config.
You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
1. force-authorized: Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required
2. force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate
3. auto: Enables 802.1X authentication and causes the port to begin in the unauthorized state
802.1X port-based authentication is supported in two topologies:
1. Point-to-point
2. Wireless LAN
Use the following commands to enable 802.1X authentication. Note that dot1x authentication requires RADIUS as the method.
global:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.10.10.10
radius-server key cisco
aaa authorization network default group radius
interface:
dot1x port-control auto
dot1x host-mode multihost (multiple devices can be authenticated on that single port)
dot1x auth-fail vlan 888
dot1x auth-fail max 2 (default:3)
dot1x guest-vlan 888
dot1x critical vlan 24 (if port authentication fails, ensures the port still comes up)
notes: Smartport Macros
Smartport Macros
- Used to define a well-known template of config to apply onto multiple interfaces.
- There are default macros on a switch, that can be seen with "sh parser macro [brief]"
Type:
1. global - applying macro on global mode.
2. interface - applying macro on interface mode.
command to create macro:
macro name name
command to apply the macro:
macro apply name
example config for interface mode:
macro name setvlan
switchport access vlan $VLAN
spanning-tree portfast bpduguard
@
interface range fa0/10-19
macro apply setvlan $VLAN 5
example config for global:
macro name rangeport
interface range fa0/15-15
switchport mode access
spanning-tree portfast
@
Note: since the interface range command is included, it is a global macro.
- The macro does not really work with the interface range command.
predefined macros
- need to be familiar with those macros
to check the built-in and custom macros:
show parser macro
CCIE lab scenario: use a smartport macro to set voice VLAN 20 and enable switchport port security with one command; you may not need to write your own macro to do it.
macro apply cisco-phone $access_vlan 10 $voice_vlan 20
How to know that a macro was applied: a "macro description" line appears under the interface.
Here are some predefined macros:
Rack1SW1#show parser macro
Total number of macros = 7
--------------------------------------------------------------
Macro name : cisco-global
Macro type : default global
# Enable dynamic port error recovery for link state failures.
errdisable recovery cause link-flap
errdisable recovery interval 60
# Config Cos to DSCP mappings
mls qos map cos-dscp 0 8 16 26 32 46 46 56
# Enable aggressive mode UDLD on all fiber uplinks
udld aggressive
# Enable Rapid PVST+ and Loopguard
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default interface
# macro keywords $access_vlan
# Basic interface - Enable data VLAN only
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access
# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template
# macro keywords $access_vlan $voice_vlan
# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access
# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan
# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop on data vlan and
# one for phone on voice vlan
switchport port-security
switchport port-security maximum 2
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone
# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-switch
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
# Do not apply to EtherChannel/Port Group
switchport trunk encapsulation dot1q
# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan
# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL
# Hardcode trunk
switchport mode trunk
# Configure qos to trust this interface
auto qos voip trust
# 802.1w defines the link as pt-pt for rapid convergence
spanning-tree link-type point-to-point
--------------------------------------------------------------
Macro name : cisco-router
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
switchport trunk encapsulation dot1q
# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan
# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL
# Hardcode trunk
switchport mode trunk
# Configure qos to trust this interface
auto qos voip trust
mls qos trust dscp
# Ensure fast access to the network when enabling the interface.
# Ensure that switch devices cannot become active on the interface.
spanning-tree portfast trunk
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-wireless
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
switchport trunk encapsulation dot1q
# Define unique Native VLAN on trunk ports
# Recommended native vlan should NOT be 1
switchport trunk native vlan $native_vlan
# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL
# Hardcode trunk and disable negotiation to speed up convergence
switchport mode trunk
switchport nonegotiate
# Configure qos to trust this interface
auto qos voip trust
mls qos trust cos
# Ensure that switch devices cannot become active on the interface.
spanning-tree bpduguard enable
--------------------------------------------------------------
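As an added example (not IOS code and not part of the original notes), the following Python parses macro definitions in the "macro name ... @" syntax shown above, parses a "macro apply" command, and expands the $keywords; the macro text is constructed, and the cisco-phone body is trimmed to the lines the notes discuss. Note that the keyword in the lab scenario must be spelled exactly as declared ($voice_vlan); the expander rejects a mismatch such as $voice-vlan.

```python
"""Added example (not IOS code): a parser and expander for Smartport macro
definitions and "macro apply" commands. The sample macro text is constructed;
the cisco-phone body is trimmed to the lines the notes discuss."""
import re
from dataclasses import dataclass, field

# Constructed macro definitions in the "macro name ... @" syntax shown above.
MACRO_TEXT = """\
macro name setvlan
switchport access vlan $VLAN
spanning-tree portfast
@
macro name cisco-phone
# Cisco IP phone + desktop template
# macro keywords $access_vlan $voice_vlan
switchport access vlan $access_vlan
switchport mode access
switchport voice vlan $voice_vlan
switchport port-security
switchport port-security maximum 2
@
"""


@dataclass
class Macro:
    name: str
    lines: list = field(default_factory=list)
    keywords: set = field(default_factory=set)  # declared via "# macro keywords ..."


def parse_macros(text: str) -> dict:
    """Read every "macro name X ... @" block into a Macro keyed by name."""
    macros, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = re.fullmatch(r"macro name (\S+)", line)
            if m:
                current = Macro(m.group(1))
            continue
        if line == "@":                      # "@" terminates the definition
            macros[current.name] = current
            current = None
            continue
        if not line:
            continue
        kw = re.fullmatch(r"#\s*macro keywords\s+(.+)", line)
        if kw:
            current.keywords.update(kw.group(1).split())
        current.lines.append(line)
    if current is not None:
        raise ValueError(f"macro {current.name} is not terminated with '@'")
    return macros


def parse_apply(command: str):
    """Split 'macro apply NAME $key value ...' into (NAME, {$key: value})."""
    parts = command.split()
    if parts[:2] != ["macro", "apply"] or len(parts) < 3:
        raise ValueError("expected 'macro apply NAME [$keyword value ...]'")
    name, args = parts[2], parts[3:]
    if len(args) % 2:
        raise ValueError("every $keyword needs a value")
    params = {}
    for key, value in zip(args[::2], args[1::2]):
        if not key.startswith("$"):
            raise ValueError(f"keyword {key!r} must start with '$'")
        params[key] = value
    return name, params


def expand(macro: Macro, params: dict) -> list:
    """Substitute $keywords and return the resulting interface config lines.

    This example refuses to expand when any $keyword used in the body has no
    value, which is how the '$voice-vlan' vs '$voice_vlan' mix-up is caught."""
    body = [l for l in macro.lines if not l.startswith("#")]  # comments are not config
    used = set(re.findall(r"\$\w+", "\n".join(body)))
    missing = used - set(params)
    if missing:
        raise ValueError(f"no value for {sorted(missing)}")
    out = []
    for line in body:
        for key, value in params.items():
            line = re.sub(re.escape(key) + r"(?!\w)", lambda _m: value, line)
        out.append(line)
    # IOS records the applied macro under the interface as "macro description NAME"
    out.append(f"macro description {macro.name}")
    return out


def apply_command(command: str, macros: dict) -> list:
    """Resolve a 'macro apply' command against parsed macro definitions."""
    name, params = parse_apply(command)
    if name not in macros:
        raise KeyError(f"unknown macro {name}")
    return expand(macros[name], params)


if __name__ == "__main__":
    defs = parse_macros(MACRO_TEXT)
    for cfg_line in apply_command("macro apply cisco-phone $access_vlan 10 $voice_vlan 20", defs):
        print(" " + cfg_line)
```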
notes: Bridging
Transparent bridging
- Uses normal STP rules
- Same root bridge election and root port election
A router in bridge mode does not support sys-id-ext; its bridge priority will always be 32768 for any VLAN, which will make the router the root bridge.
enabling transparent bridging on routers:
step1: enable bridging:
bridge # protocol ieee
step2: bind to the interfaces:
interface fa0/1
bridge-group #
for frame-relay interfaces:
interface s0/0
encapsulation frame-relay
frame-relay map bridge dlci# broadcast
bridge-group #
CRB (Concurrent Routing and Bridging)
- A protocol can be routed on one interface while being bridged on another interface.
- When CRB is used traffic in the routed domain cannot be passed onto the bridge domain.
- CRB is considered legacy since IRB includes all the functionality of CRB with the addition of the BVI.
IRB (Integrated Routing and Bridging)
- A protocol can be both routed and bridged on the same interface.
- When IRB is used traffic from the routed domain can be passed onto the bridge domain.
enabling IRB:
1. Create transparent bridge group
bridge # protocol ieee
2. Enable IRB and specify what is to be routed and bridged
bridge irb
bridge # route ip
bridge # bridge ip
- (bridging is on by default)
3. Enable routing & bridging for the bridge-group under the interface
interface fa0/0
bridge-group #
4. Configure BVI to connect the bridged and routed domain
interface BVI #
ip add 1.1.1.1 255.255.255.0
Fallback Bridging (VLAN bridging)
Used to let non-routed or non-supported protocols (SNA, DECnet, AppleTalk, etc.) communicate across VLANs and routed ports. One good use is also bridging IPv6.
enabling VLAN bridging
1. Create the bridge group with the vlan-bridge protocol
bridge # protocol vlan-bridge
2. Assign the SVI and the routed port to this bridge group.
interface vlan1
bridge-group #
interface fa0/1
no switchport
bridge-group #
verification:
sh bridge # group
notes: layer 2 tunneling
802.1q Tunnel
- Used to provide a transparent Layer 2 VPN over a switched Ethernet network, carrying unicast, broadcast, multicast, CDP, VTP or STP.
- Uses dot1q inside dot1q to tunnel Layer 2 traffic.
- Cannot be dynamically negotiated, and traffic is not encrypted.
NOTE: Confirm prior to configuration that underlying end-to-end connectivity is established.
- When using dot1q tunneling, CDP, STP & VTP are NOT carried across the tunnel by default.
- Additionally, dot1q tunneling also supports EtherChannels between customer sites.
- Dot1q-Tunnel requires:
- 802.1q trunking end-to-end
- A system MTU of at least 1504, to support the additional 4-byte metro tag.
PITFALL: Be careful when running OSPF to a switch with a system MTU of 1504: the adjacency won’t come up due to an MTU mismatch.
Disable the MTU check on the router's OSPF interface with "ip ospf mtu-ignore"
Note: you can configure L2 protocol tunneling on ports configured as access or tunnel ports. You cannot enable L2 protocol tunneling on ports configured with
switchport mode dynamic auto
switchport mode dynamic desirable
from Ruhan's CCIE notes
notes: MSTP 802.1s
Multiple Spanning Tree
- MSTP uses RSTP
- Allows user-defined STP instances to be mapped to multiple VLANs.
- Up to 64 instances.
- If no instances are defined, all VLANs are mapped to instance 0.
- Same election process as STP. MST also uses the lowest BID in the network to elect the Root Bridge.
- With MST there is only one election per user-defined instance.
- MST also uses a cost value derived from the inverse bandwidth of the interface.
- When MST is enabled, RSTP is automatically enabled.
MSTP configuration
Step 1. Globally enable MISTP (MSTP) on your switches:
spanning-tree mode mst
Step 2. Enter MST configuration submode:
spanning-tree mst configuration
Step 3. Set the MST region name:
name name
Step 4. Set a configuration revision number: optional
revision rev_num
Step 5. Map your VLANs to MST instances:
instance # vlan range
verification:
show spanning-tree mst configuration
show spanning-tree mst vlan_id
CCIE Lab Scenario: if you are asked to create 2 instances, you only need to create 1 instance, since instance 0 is already running.
configuration of root
per vlan
spanning-tree vlan # root primary/secondary
per mst
spanning-tree mst # root primary/secondary
priority
per vlan
spanning-tree vlan # priority #
per mst
spanning-tree mst # priority #
notes: RSTP 802.1w
RSTP
- Takes advantage of STP features:
a. portfast - now called edge port, not participating in STP.
b. uplinkfast - built-in
c. backbonefast - built-in
RSTP port roles
1. Root port - Is the port that has the best root path cost to the root.
2. Designated port - Is the downstream port on a segment that has the best root path cost to the root.
- Is a downstream interface pointing away from the root bridge.
- By default, all ports on the root bridge are DPs.
3. Alternate port - Is a port that has an alternate path to the root. An alternate port is less desirable than the root port.
- In the blocking state it will receive STP info, but not send any out that interface.
4. Backup port - Is a backup designated port.
- A quickly converging backup to the root port for a system.
RSTP Port States
RSTP port states are simplified from 802.1D and consist of the following:
1. Discarding
- Incoming frames are simply dropped; no MAC addresses are learned.
- Combines the 802.1D (STP) disabled, blocking, and listening states.
2. Learning
- Incoming frames are dropped, but MAC addresses are learned.
3. Forwarding
- Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.
Implementing RSTP
On most Cisco switches, configuring 802.1s (Multiple Spanning Tree, MST) automatically enables RSTP. Cisco also invented a mode of operation, Rapid PVST+ mode, that enables you to use RSTP without implementing MST.
command to enable rstp/pvst+:
spanning-tree mode rapid-pvst
notes: STP 802.1D
Spanning Tree Protocol- 802.1D
- Is a Layer 2 loop-prevention mechanism
- On Cisco switches PVST is enabled by default (one STP instance per VLAN)
BPDU (Bridge Protocol Data Unit)
-Is a packet used to advertise spanning-tree protocol information.
Bridge ID (BID)
The bridge ID (BID) is a critical element for the creation of the spanning-tree, loop-free topology.
- The bridge ID consists of a 2-byte bridge priority and a 6-byte MAC address. The default priority is 32,768.
- Newer switch operating systems break the priority field into two sections:
4-bit priority (so the configurable priority is a multiple of 4096) and a 12-bit extended system ID.
- This extended system ID value is just the VLAN ID. This enables each VLAN to have a unique bridge ID while still using the same MAC address and priority value. Previously a separate MAC address was needed for each VLAN to keep the bridge IDs unique.
Path Cost
- is the measure of distance from one bridge to another. Links are assigned a cost value by STP. This cost value is based on bandwidth. Higher-bandwidth links receive a lower-cost value, and STP deems a lower-cost path as preferred to a higher-cost path.
STP Port Roles
1. Root port - Is the one port on a switch that is closest (with the lowest root path cost) to the root bridge.
2. Designated port - Is the downstream port on a LAN segment that is closest to the root. This port relays, or transmits BPDUs down the tree.
3. Blocking port - Is a port that is neither a root port nor a designated port.
4. Alternate port - Is a port that is a candidate root port in blocking state (next-closest to the root bridge).
- These ports are identified for quick use by the STP UplinkFast feature.
5. Forwarding port - Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.
STP Process
1. Election of Root Bridge - switch that has lowest Bridge ID
- configuration bridge protocol data units (BPDU) are sent between switches for each port
and BIDs are compared.
2. Election of Root Ports - one per non-root switch, compared in this order:
a. Lowest cumulative cost to the root (root path cost in the received BPDU plus the cost of the inbound link)
b. Lowest upstream (sender) BID
c. Lowest upstream (sender) port ID
c.1 Lowest port priority (0-240 in steps of 16, default = 128)
c.2 Lowest port number, e.g. Fa0/5 = 5
d. Lowest local port ID, if the same neighbour is reached over several links
3. Election of Designated Ports - one per segment, same criteria: the switch advertising the lowest root path cost wins, then lowest BID, then lowest port ID
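The bridge ID layout, the election order above and the RSTP port roles (root, designated, alternate, backup) listed earlier, as a worked example. This is added code for these notes, not code from the page or from Cisco: it builds extended-system-ID bridge IDs, then applies the comparison order (root ID, root path cost, sender BID, sender port ID, local port ID) to a constructed set of BPDUs heard by one switch. Switch names, MAC addresses, costs and port numbers are made up; UplinkFast and BackboneFast are not modelled.

```python
"""Bridge IDs and STP/RSTP port-role election (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BridgeId = Tuple[int, int]   # (16-bit priority field, 48-bit MAC as an int)


def bridge_id(priority: int, vlan: int, mac: str) -> BridgeId:
    """Priority field = 4-bit priority (multiple of 4096) + 12-bit VLAN ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def port_id(number: int, priority: int = 128) -> int:
    """16-bit port ID = 4-bit priority (multiple of 16) + 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    return (priority // 16) << 12 | number


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int


@dataclass(frozen=True)
class Port:
    name: str
    port_id: int
    path_cost: int               # cost of this link, added on receipt
    bpdu: Optional[Bpdu] = None  # best BPDU heard on this port, None if silent


def elect(my_bid: BridgeId, ports: List[Port]) -> Tuple[BridgeId, int, Dict[str, str]]:
    """Return (root bridge ID, root path cost, {port name: role}) for this switch."""
    # Root-port candidates: BPDUs from other bridges, inbound link cost added.
    candidates = [((p.bpdu.root_id, p.bpdu.root_path_cost + p.path_cost,
                    p.bpdu.sender_id, p.bpdu.sender_port_id, p.port_id), p)
                  for p in ports if p.bpdu and p.bpdu.sender_id != my_bid]
    best = min(candidates, key=lambda c: c[0], default=None)
    if best is None or my_bid <= best[0][0]:
        # Nobody advertises a better root: we are root, every port is designated.
        return my_bid, 0, {p.name: "designated" for p in ports}
    (root_id, my_cost, *_), root_port = best
    roles = {root_port.name: "root"}
    for p in ports:
        if p is root_port:
            continue
        if p.bpdu is None:
            roles[p.name] = "designated"      # silent segment: we speak for it
        elif p.bpdu.sender_id == my_bid:
            # Our own BPDU came back (shared segment): the lower port ID stays
            # designated, the other one becomes backup.
            roles[p.name] = "backup" if p.bpdu.sender_port_id < p.port_id else "designated"
        else:
            # Would the neighbour's BPDU beat the one we would send on this port?
            heard = (p.bpdu.root_id, p.bpdu.root_path_cost,
                     p.bpdu.sender_id, p.bpdu.sender_port_id)
            ours = (root_id, my_cost, my_bid, p.port_id)
            roles[p.name] = "alternate" if heard < ours else "designated"
    return root_id, my_cost, roles


# Constructed scenario: four switches in VLAN 10 at default priority, so the
# lowest MAC (SW1) is root; the election below runs from SW3's point of view.
SW1 = bridge_id(32768, 10, "0000.0000.1111")
SW3 = bridge_id(32768, 10, "0000.0000.3333")
SW4 = bridge_id(32768, 10, "0000.0000.4444")

SW3_PORTS = [
    Port("Gi0/1", port_id(1), 4,  Bpdu(SW1, 0, SW1, port_id(1))),  # direct link to root
    Port("Gi0/2", port_id(2), 4,  Bpdu(SW1, 4, SW4, port_id(2))),  # SW4: equal cost, worse BID
    Port("Fa0/3", port_id(3), 19, Bpdu(SW1, 0, SW1, port_id(3))),  # root again, but 100 Mb/s
    Port("Fa0/4", port_id(4), 19, Bpdu(SW1, 4, SW3, port_id(5))),  # hub: own BPDU from Fa0/5
    Port("Fa0/5", port_id(5), 19, Bpdu(SW1, 4, SW3, port_id(4))),  # hub: own BPDU from Fa0/4
    Port("Fa0/6", port_id(6), 19),                                 # host port, silent
]


def sw3_election() -> Tuple[BridgeId, int, Dict[str, str]]:
    return elect(SW3, SW3_PORTS)


if __name__ == "__main__":
    root, cost, roles = sw3_election()
    print(f"root bridge {root[1]:012x}, root path cost {cost}")
    for name, role in roles.items():
        print(f"  {name:6} {role}")
```

Gi0/1 wins the root port on cost (4 against 8 via SW4 and 19 via Fa0/3); Gi0/2 is designated because SW3's BID beats SW4's at equal cost, and Fa0/3 is alternate because the root's own BPDU beats anything SW3 could send there. Lowering Gi0/2's cost or SW4's priority in the scenario changes the outcome exactly as the manipulation notes below describe.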
STP manipulation:
1. Port Cost (acts on the inbound link, so it is local; setting it on an outbound link does nothing for the neighbour)
- Can be changed to influence how the local switch elects its own root port upstream.
- Because root path cost is cumulative, changing it also moves the cost seen by every switch downstream of this one.
2. Port Priority (carried in the BPDUs sent out a link, so it influences the downstream switch; on an inbound link it does nothing)
- Can be changed to influence which of several parallel links a downstream switch elects as its root port.
- Priority is only significant between two directly connected switches.
Note: show spanning-tree vlan # does not display the priority the upstream switch is advertising; use the detail option, which lists it as 'designated port id x.x':
show spanning-tree vlan {id} detail
STP Port Phases:
1. Disabled
- Ports that are in a down state. This state is special and is not part of the normal STP progression for a port.
2. Blocking - receives BPDUs only (a port comes up in this state, and a port that is neither root nor designated stays here)
- cannot receive data frames or add MAC addresses to its table.
- A blocked port waits max age (20 sec by default, tunable with the max-age timer below) before acting on lost BPDUs.
3. Listening BPDUs sent and received
- The port is allowed to receive and send BPDUs so that it can actively participate in STP.
- The port still cannot send or receive data frames.
Listening delay = 15 sec.
4. Learning Bridging table is built
- The switch now can learn new MAC addresses to add to its address table.
- The port cannot yet send any data frames.
- Learning delay = 15 sec.
5. Forwarding Sending/receiving data
- After the forward delay (listening and learning states) (default = 30 sec) the port transitions to forwarding state.
- The port now can send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs.
STP timers control convergence in the process:
1. Hello: 2 sec (time between each configuration BPDU)
2. Forward Delay: 15 sec (controls durations of listening/learning states)
command:
spanning-tree vlan # forward-time sec
3. Max Age: 20 sec (how long stored BPDU information is kept; controls how long a blocked port waits before reacting)
command:
spanning-tree vlan # max-age sec
802.1D requires 2 x (forward-delay - 1) >= max-age >= 2 x (hello + 1).
CCIE Lab Scenario: ports that initially come up should be forwarding in no more than 44 seconds;
44 - 20 (blocking, max age) = 24 (listening + learning), i.e. 12 sec listening and 12 sec learning; check: 2 x (12 - 1) = 22 >= 20, so the value is legal
spanning-tree vlan # forward-time 12
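The timer arithmetic of the lab scenario, generalised into a small checker. This is an added example for these notes, not code from the page or from Cisco: it validates the 802.1D timer relationships, derives the largest forward delay that fits a budget counted the way the scenario counts it (max age for blocking plus two forward delays), and reports the usual convergence figures. The ranges are the IOS ones (hello 1-10, max-age 6-40, forward-time 4-30 seconds).

```python
"""STP timer budgeting (added example, not Cisco code)."""
from typing import Dict, Optional


def timers_valid(hello: int, max_age: int, forward_delay: int) -> bool:
    """802.1D requires 2*(forward_delay - 1) >= max_age >= 2*(hello + 1)."""
    return (1 <= hello <= 10 and 6 <= max_age <= 40
            and 4 <= forward_delay <= 30
            and 2 * (forward_delay - 1) >= max_age
            and max_age >= 2 * (hello + 1))


def forward_delay_for_budget(budget: int, max_age: int = 20,
                             hello: int = 2) -> Optional[int]:
    """Largest forward delay with max_age + 2*forward_delay <= budget
    (blocking + listening + learning, as the scenario above counts it),
    or None when no legal value fits."""
    fwd = min((budget - max_age) // 2, 30)
    return fwd if timers_valid(hello, max_age, fwd) else None


def convergence(hello: int, max_age: int, forward_delay: int) -> Dict[str, int]:
    """Worst-case seconds until forwarding for the common 802.1D cases."""
    if not timers_valid(hello, max_age, forward_delay):
        raise ValueError("timer combination violates 802.1D constraints")
    two_fd = 2 * forward_delay
    return {
        "port_up_as_counted_above": max_age + two_fd,  # blocking + listening + learning
        "direct_failure": two_fd,                      # root port down, blocked port promoted
        "indirect_failure": max_age + two_fd,          # stale root info must age out first
        "indirect_with_backbonefast": two_fd,          # max age skipped after the RLQ check
    }


if __name__ == "__main__":
    print("forward-time for a 44 s budget:", forward_delay_for_budget(44))
    for case, secs in convergence(2, 20, 15).items():
        print(f"  {case:28} {secs:3d} s")
```

A 30-second budget yields no answer: 5 seconds of forward delay would satisfy the budget but violates 2 x (5 - 1) >= 20, so the timer constraints are the real limit, not the arithmetic.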
Advanced STP Features
1. STP Portfast - skips the listening and learning stages; the port goes straight to forwarding. Intended only for ports that connect to end hosts.
- The switch does not generate a TCN when a port configured for PortFast goes up or down, for example when a workstation power-cycles.
- If the port receives a BPDU it loses its PortFast status and goes through the normal STP states.
interface command:
spanning-tree portfast
2. STP Portfast default - same effect, this is a global command
global command:
spanning-tree portfast default
3. STP UplinkFast - when the root port fails, an alternate port is immediately transitioned to root port and forwarding (meant for access-layer switches).
- Cisco proprietary
When you configure UplinkFast, the local switch sets its priority to 49,152 and adds 3000 to the cost of all links, so that it is unlikely to become root or a transit path.
Finally, a mechanism is included (dummy multicast frames sent out the new root port) that causes other bridges to update their MAC address tables.
global command:
spanning-tree uplinkfast
4. STP BackboneFast - speeds up convergence when an indirect failure occurs upstream: on receipt of an inferior BPDU the switch checks its path to the root (Root Link Query) and, if the root is gone, expires the max-age timer immediately instead of waiting 20 seconds.
- cisco proprietary
Configure BackboneFast on all switches to speed convergence when the failure occurs and is indirectly located, such as in the core of the backbone. It reduces convergence from approximately 50 seconds to approximately 30 seconds.
global command:
spanning-tree backbonefast
5. STP BPDU Guard - enforces access-layer security at the edge of the STP domain: a port that faces hosts should never receive a BPDU.
- when a BPDU is received the port transitions to err-disable state and stays there until it is reset (shutdown / no shutdown, or errdisable recovery).
interface command:
spanning-tree bpduguard enable
6. STP BPDU Guard default - works with portfast default in order to automatically enable BPDU guard on any interface in the portfast state
global command:
spanning-tree portfast default
spanning-tree bpduguard default
7. STP BPDU filter - stops STP on an interface entirely (terminates the STP domain)
- it drops all inbound BPDUs and sends none out of the interface
- does not put the port into err-disable state; because the port no longer takes part in STP, a switch plugged into it can create a loop that the filtering switch never detects, so prefer BPDU guard on access ports.
interface command:
spanning-tree bpdufilter enable
8. STP BPDU filter default - works with portfast default: interfaces in the portfast state send a few BPDUs at link-up and then stop; unlike the interface command, a port that then receives a BPDU loses portfast and the filter and falls back to normal STP operation.
global command:
spanning-tree portfast default
spanning-tree bpdufilter default
9. STP Root Guard - similar to BPDU guard, but the interface is only blocked when a superior BPDU is received (one that would make the sender root): the port is placed in the root-inconsistent state and recovers automatically once the superior BPDUs stop. Apply it on designated ports facing switches that must never become root.
interface command:
spanning-tree guard root
10. STP Loop Guard - prevents the loops that a unidirectional link can cause: a blocked (root or alternate) port that stops hearing BPDUs would otherwise age out its information and move to forwarding.
- Similar in purpose to UDLD, but it relies on BPDUs continuing to arrive on non-designated ports rather than on its own keepalives to detect unidirectional traffic.
- If a blocked port transitioned to forwarding erroneously, a loop would occur.
- Such ports are moved into the loop-inconsistent state instead, and recover on their own once BPDUs are received again.
interface command:
spanning-tree guard loop
11. UDLD (Unidirectional Link Detection)
- Cisco proprietary.
- UDLD is typically used with fibre optic cables, where a single broken strand leaves the link up in one direction only.
- Peers discover each other by exchanging frames sent to the MAC address 0100.0CCC.CCCC.
global command:
udld enable
- only applies to fibre interfaces (normal mode); udld aggressive does the same in aggressive mode
interface command:
udld port aggressive
- udld port / udld port aggressive applies to any interface, copper included
2 modes:
1. Normal - if the UDLD frames simply stop arriving the port is marked undetermined and a log entry is generated, but the port is not shut down; only a mis-wired fibre pair detected through the echo exchange is err-disabled.
2. Aggressive - after eight failed attempts to re-establish the UDLD relationship the port is placed in err-disable state.
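The guard features above (BPDU guard, BPDU filter, root guard, loop guard) decided against a real 802.1D configuration BPDU, as a worked example. This is added code for these notes, not Cisco code, and it only approximates how IOS sequences the features: the assumption that an interface-level BPDU filter discards the frame before BPDU guard can act on it is the model's, and root guard here compares only the advertised root ID. The 35-byte BPDU layout is the standard 802.1D configuration BPDU (timers carried in units of 1/256 s); the port settings, bridge IDs and the rogue BPDU are constructed.

```python
"""802.1D configuration-BPDU parser plus a model of the STP guard features
(added example, not Cisco code)."""
import struct
from typing import Optional, Tuple

BPDU_FMT = ">HBBB8sI8sHHHHH"          # proto, version, type, flags, root ID, cost,
BPDU_LEN = struct.calcsize(BPDU_FMT)  # bridge ID, port ID, four timers = 35 bytes

BridgeId = Tuple[int, int]            # (16-bit priority field, 48-bit MAC)


def build_bpdu(root_id: BridgeId, root_cost: int, bridge_id: BridgeId,
               port_id: int, max_age: int = 20, hello: int = 2,
               fwd_delay: int = 15, msg_age: int = 0) -> bytes:
    """Encode a configuration BPDU (protocol 0, version 0, type 0, flags 0)."""
    def bid(b: BridgeId) -> bytes:
        return struct.pack(">H", b[0]) + b[1].to_bytes(6, "big")
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, bid(root_id), root_cost,
                       bid(bridge_id), port_id, msg_age * 256,
                       max_age * 256, hello * 256, fwd_delay * 256)


def parse_bpdu(raw: bytes) -> dict:
    """Decode the BPDU body that follows the LLC header (DSAP/SSAP 0x42)."""
    if len(raw) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root, cost, bridge, pid,
     msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, raw[:BPDU_LEN])
    if proto != 0 or btype not in (0x00, 0x02):     # 0x80 would be a TCN BPDU
        raise ValueError("not a configuration/RSTP BPDU")

    def bid(b: bytes) -> BridgeId:
        return (int.from_bytes(b[:2], "big"), int.from_bytes(b[2:], "big"))
    return {"version": version, "type": btype, "flags": flags,
            "root_id": bid(root), "root_path_cost": cost,
            "bridge_id": bid(bridge), "port_id": pid,
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "forward_delay": fwd / 256}


def guard_action(port: dict, raw: Optional[bytes], current_root: BridgeId) -> str:
    """What the guards configured on `port` do when `raw` arrives.

    raw=None means the port's stored BPDU aged out (max age expired) with
    no replacement, which is the event Loop Guard reacts to.  Feature
    precedence is this model's assumption (see the lead-in).
    """
    if raw is None:
        if port.get("loop_guard") and port["role"] in ("root", "alternate"):
            return "loop-inconsistent: held blocking until BPDUs resume"
        if port["role"] == "alternate":
            return "ages out and moves toward forwarding (loop risk)"
        return "no change"
    if port.get("bpdufilter"):
        return "dropped by bpdufilter (STP is blind on this port)"
    if port.get("portfast") and port.get("bpduguard"):
        return "err-disabled by bpduguard"
    bpdu = parse_bpdu(raw)
    if port.get("root_guard") and bpdu["root_id"] < current_root:
        return "root-inconsistent: superior BPDU blocked, recovers when it stops"
    return "processed normally"


# Constructed topology: SW1 is the legitimate root; a rogue bridge at
# priority 0 in VLAN 10 tries to take over.
SW1: BridgeId = (32778, 0x0000_0000_1111)
ROGUE: BridgeId = (10, 0x0000_0000_6666)

LEGIT = build_bpdu(SW1, 0, SW1, 0x8001)
SUPERIOR = build_bpdu(ROGUE, 0, ROGUE, 0x8001)    # claims a better root

ACCESS = {"role": "designated", "portfast": True, "bpduguard": True}
DIST_DOWNLINK = {"role": "designated", "root_guard": True}
UPLINK = {"role": "alternate", "loop_guard": True}


def demo() -> dict:
    return {
        "access_rogue": guard_action(ACCESS, SUPERIOR, SW1),
        "downlink_rogue": guard_action(DIST_DOWNLINK, SUPERIOR, SW1),
        "downlink_legit": guard_action(DIST_DOWNLINK, LEGIT, SW1),
        "uplink_silent": guard_action(UPLINK, None, SW1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The same rogue BPDU is handled differently depending on where it arrives: an access port with BPDU guard is err-disabled outright, a distribution downlink with root guard only blocks for as long as the superior BPDUs keep coming, and a legitimate BPDU from the real root passes. A BPDU-filtered port would silently drop it and learn nothing, which is why the notes above prefer BPDU guard at the access layer.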
Disabling Spanning-Tree
- STP cannot be disabled directly on a per interface basis.
- One can turn off Spanning Tree Protocol (STP) on a per-VLAN basis, or globally on the switch.
- Use the "no spanning-tree vlan vlan-id" command in order to disable STP on a per-VLAN basis.
- However, filtering BPDUs on an interface effectively disables STP on that interface (with the loop risk noted under BPDU filter above).
- Flex Links also disable STP on the interfaces they are configured on.