Sunday, February 27, 2011

notes: Frame Relay End-to-End Keepalives

Adds the ability to track PVC status end-to-end between the DTE devices.
- FREEK can be configured on a physical interface, but when the FREEK status goes down it will not bring down the physical interface, because it would not know when to bring it back up.
- For this reason it is recommended to configure FREEK on a sub-interface.

FREEK Modes:

1. Bidirectional

- Both sides of the PVC can send and respond to keepalive requests.
- If one side is configured as bidirectional, the other end must be configured the same.
- Sets the timers and keeps track of error counters.

2. Request

- In Request mode only this side is enabled to send keepalive requests.
- If one side is configured as Request, the other end must be Reply or Passive-reply.
- Sets the timers and keeps track of error counters.

3. Reply

- The device waits for, and replies to keepalive requests.
- If one side is configured as Reply, the other end must be Request.
- Sets the timers and keeps track of error counters.

4. Passive-reply

- The device waits for keepalive requests and responds to them.
- Sets the timers only.

example:

Configure end-to-end keepalives for the VC. If the routers see 3 errors within 4 events, the sub-interface should transition to the down state; if they see 4 successful events in a row, the sub-interface should transition to the up state. Ensure that keepalives are exchanged every 20 seconds.

config-set:

map-class frame-relay TST14
frame-relay end-to-end keepalive mode bidirectional
frame-relay end-to-end keepalive timer send 30
frame-relay end-to-end keepalive timer recv 20
frame-relay end-to-end keepalive event-window send 5
frame-relay end-to-end keepalive event-window recv 5
frame-relay end-to-end keepalive error-threshold send 3
frame-relay end-to-end keepalive error-threshold recv 3
frame-relay end-to-end keepalive success-events send 4
frame-relay end-to-end keepalive success-events recv 4
!
interface Serial0/0.104 point-to-point
ip address 150.1.14.1 255.255.255.0
frame-relay interface-dlci 104
class TST14
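To see how the map-class thresholds above actually behave, here is the event-window / error-threshold / success-events logic as a small Python state machine that can be fed a sequence of keepalive results. This is an added example, not code from the original notes or anything from IOS; the FreekMonitor class, the '.'/'x' event encoding and the decision to start with an empty window after the VC recovers are my own assumptions.

```python
from collections import deque


class FreekMonitor:
    """Models one direction of a frame-relay end-to-end keepalive session.

    The VC is declared down when error_threshold errors are seen within the
    last event_window keepalive events, and declared up again only after
    success_events consecutive successful events. These are the rules that
    the event-window, error-threshold and success-events commands tune.
    """

    def __init__(self, event_window=5, error_threshold=3, success_events=4):
        self.event_window = event_window
        self.error_threshold = error_threshold
        self.success_events = success_events
        self.window = deque(maxlen=event_window)  # sliding window of recent events
        self.consecutive_ok = 0
        self.up = True
        self.transitions = []  # (new_state, index of the event that caused it)

    def record(self, ok, index=None):
        """Feed one keepalive event (True = reply received, False = timeout)
        and return the resulting VC state."""
        self.window.append(ok)
        self.consecutive_ok = self.consecutive_ok + 1 if ok else 0
        errors = sum(1 for e in self.window if not e)
        if self.up and errors >= self.error_threshold:
            self.up = False
            self.transitions.append(("down", index))
        elif not self.up and self.consecutive_ok >= self.success_events:
            self.up = True
            self.window.clear()  # assumption: recovery starts with a clean window
            self.transitions.append(("up", index))
        return self.up


def replay(pattern, **thresholds):
    """Replay a constructed event string ('.' = reply received, 'x' = missed)
    and return the VC state after every event plus the list of transitions."""
    mon = FreekMonitor(**thresholds)
    states = [mon.record(ch == ".", i) for i, ch in enumerate(pattern)]
    return states, mon.transitions


if __name__ == "__main__":
    # Constructed sample: two isolated misses, a third one inside the window
    # (VC goes down), then a clean run of replies (VC comes back up).
    sample = "..x.xx......"
    states, transitions = replay(sample)
    for i, (ch, up) in enumerate(zip(sample, states)):
        print(f"event {i:2d} {ch}  VC {'up' if up else 'DOWN'}")
    print("transitions:", transitions)
```

With the map-class values (event-window 5, error-threshold 3, success-events 4) the constructed sample goes down at the third miss inside the window and comes back only after four clean replies; a miss during recovery restarts the success count, which is what stops a flapping PVC from being declared up again too early.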

Saturday, February 26, 2011

LAB: Frame Relay Back to Back with Multilink


R1

interface MFR1
no ip address
no keepalive
!
interface MFR1.102 point-to-point
ip address 150.1.102.1 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial0/0
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
clock rate 128000
no arp frame-relay
!
interface Serial0/1
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
clock rate 128000
no arp frame-relay

R2

interface MFR1
no ip address
no keepalive
!
interface MFR1.201 point-to-point
ip address 150.1.102.2 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial0/0
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
no arp frame-relay
!
interface Serial0/1
no ip address
encapsulation frame-relay MFR1
serial restart-delay 0
no arp frame-relay

VERIFICATION

R1#show interfaces MFR1
MFR1 is up, line protocol is up
Hardware is Multilink Frame Relay bundle interface
MTU 1500 bytes, BW 3088 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive not set
DTR is pulsed for 2 seconds on reset
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 15/0, interface broadcasts 0
Last input 00:00:10, output never, output hang never
Last clearing of "show interface" counters 00:17:36
Input queue: 0/75/6/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/120 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
15 packets input, 4605 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
15 packets output, 4635 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions

R1#show frame-relay multilink
Bundle: MFR1, State = up, class = A, fragmentation disabled
BID = MFR1
Bundle links:
Serial0/1, HW state = up, link state = Up, LID = Serial0/1
Serial0/0, HW state = up, link state = Up, LID = Serial0/0

notes: Frame Relay MFR (Multilink Frame-Relay) or FRF.16.1

MFR provides a cost-effective way to increase bandwidth by enabling multiple frame-relay links to be aggregated into a single bundle of bandwidth acting as one interface.
- MFR variable bandwidth support allows the bundle to be activated or deactivated based on class A, B or C:

1. Class A (Single Link)
- The bundle will activate when any single bundle link is up and will deactivate when all bundle links are down (default).

2. Class B (All Links)
- The bundle will activate when all bundle links are up and will deactivate when any single bundle link is down.

3. Class C (Threshold)
- The bundle will activate when the minimum configured number of bundle links are up and will deactivate when the minimum number of configured bundle links fails to meet the threshold.

notes: Frame Relay Back to Back FR

- These are router-to-router serial links running frame-relay encapsulation, with no frame-relay switch in between to provide LMI.
- For back-to-back links two things are required:
- Disable LMI keepalives with "no keepalive".
- Configure one side as the DCE end with a clock rate.
- Any DLCIs can be used, provided both sides have the same DLCIs configured.


config-set:

R4:

interface Serial0/1
ip address 155.1.45.4 255.255.255.0
encapsulation frame-relay
no keepalive
frame-relay map ip 155.1.45.5 514 broadcast

R5:

interface Serial0/1
ip address 155.1.45.5 255.255.255.0
encapsulation frame-relay
no keepalive
clock rate 64000
frame-relay map ip 155.1.45.4 514 broadcast

notes: Frame Relay Interface Types & Split Horizon

Frame-relay interfaces carry one of two characteristics: point-to-point or multipoint.

1. Physical interfaces

- Are treated as multipoint interfaces.
- Multipoint means the interface can terminate multiple PVCs (layer 2 circuits).
- Require layer3-to-layer2 resolution through either InARP or manual mapping (refer to the Address Resolution notes).
- Manual mapping per PVC is done with the "frame-relay map ip" command.
- To manually assign just one PVC on the interface use "frame-relay interface-dlci".
- May need IP split horizon disabled, depending on the routing protocol.
- Do not use point-to-point or multipoint sub-interfaces.
- All DLCIs are received on the physical interface, so no interface-dlci command is needed.


2. Point-to-Point sub-interfaces

- Can only terminate one PVC.
- Do not require layer3-to-layer2 resolution, since there is only one PVC.
- Inverse ARP is disabled in point-to-point mode: the sub-interface does not send InARP status queries, but will respond to an InARP status query request.
- Require the "frame-relay interface-dlci" command.
- Will have a type mismatch with physical and multipoint interfaces.
- Broadcasts work, since it is point-to-point.


3. Multipoint sub-interfaces

- Are treated as multipoint interfaces.
- Can terminate multiple PVCs.
- Require layer3-to-layer2 resolution through either InARP or manual mappings.
- Manual mapping per PVC is done with the "frame-relay map ip" command.
- To manually assign just one PVC on the interface use "frame-relay interface-dlci".
- May need split horizon disabled.
- Will have a type mismatch with point-to-point sub-interfaces.


Split Horizon

- On multipoint interfaces split horizon must be considered (FR, ATM and Ethernet).
- Used by RIP and EIGRP.


Interface states

1. The physical interface connecting to a frame-relay switch will be up/up, once it receives LMI from that frame-relay switch, regardless of the DLCI it is learning or not learning.
- This means a physical interface can be up/up, even though there is no layer2 communication.

2. But with a point-to-point sub-interface, the sub-interface will only show up/up, when LMI is received and one of the received DLCIs matches the DLCI configured on the sub-interface.

3. When a multipoint sub-interface has multiple DLCIs defined, all DLCIs must be down before the interface shows down/down. If any one DLCI is up, the interface is up/up.


TIPS:

1. When removing a frame-relay sub-interface configuration, the configuration is removed from the interface, but the sub-interface itself is only deleted after a reboot.
- This can be seen with "sh ip int brief", where the interface is listed as DELETED.
- Thus to change a sub-interface from point-to-point to multipoint, delete the sub-interface and reload the router, then create the new multipoint sub-interface.

2. Always do "show frame-relay map" when starting a lab and after configuration is complete to verify layer2 connectivity.
If there are 0.0.0.0 frame-relay mappings, save the configuration and reload. It is the only way to get rid of it.

3. To ping a locally configured IP on a frame-relay interface, layer3-to-layer2 resolution is required. This is needed because the frame actually exits the router to the other side of the link only to get redirected back because of the remote IP. If the mapping is not done, the ping reply is dropped by the router on the other side of the link.

notes: Frame Relay Address Resolution

Frame-relay networks are multi-access networks, which means that more than two devices can attach to the network, similar to LANs.
- Unlike LANs, you cannot send a data link layer broadcast over frame-relay. Therefore frame-relay networks are often called NBMA (non-broadcast multi-access) networks.
- Because frame-relay is a multi-access technology, it always needs layer3-to-layer2 address resolution to identify which remote router a frame is destined to.
- The exceptions are frame-relay point-to-point sub-interfaces and PPP over frame-relay.

Broadcast Replication

- Frame-relay has no capability to send a single frame over multiple PVCs to multiple destinations.
- But broadcast functionality is still sometimes required by routing protocols.
- Also known as pseudo-broadcast: frame-relay can make duplicate copies of a packet and send one copy on each PVC.
- Frame-relay can thus send copies of layer 3 broadcasts over VCs, if configured to do so.

Note: at the hub it is essential to use the "broadcast" keyword so that broadcast/multicast traffic is replicated to the spokes; alternatively OSPF and RIP can be configured to send unicast to their neighbors.

Static Mappings

- Are used to statically resolve a REMOTE layer 3 address (IP) to a LOCAL layer 2 address (DLCI).
- Are manually configured with the command "frame-relay map".
- Static frame-relay mappings (frame-relay map) override dynamic mappings learned via InARP.
- Broadcast support must be enabled manually with the "broadcast" keyword (this is important for routing protocols).

command:

frame-relay map ip 100.100.100.4 204 broadcast

Interface DLCI

- Used on point-to-point and multipoint sub-interfaces.
- Not used in conjunction with frame-relay map.
- The physical interface may receive many DLCIs, but a sub-interface needs to know which DLCI to use.

command:

frame-relay interface-dlci 101

Note: if TE needs to be enabled, a map-class applied to an interface will be applied to all DLCIs on it; to limit it to one PVC, apply the class under the interface-dlci:

frame-relay interface-dlci 112
   class {map-class-name}


InARP (Inverse ARP)

- Is used to dynamically resolve a REMOTE layer 3 address (IP) to a LOCAL layer 2 address (DLCI).
- Is enabled automatically when an IP address is configured.
- Has broadcast enabled automatically.
- InARP status query requests can be disabled per DLCI or for all DLCIs on an interface. The InARP reply cannot be disabled!!
- The command "no frame-relay inverse-arp" on a physical interface stops the InARP query messages only for the physical interface, not for the sub-interfaces. It must be configured on the sub-interfaces if needed.
- When a point-to-point interface is connected to an InARP-disabled interface, the InARP-disabled interface will still reply, provided an IP address is configured on it. On the querying router "sh frame-relay map" will still show that mapping as dynamic.
- When a DLCI is placed on a sub-interface it will not initiate InARP requests, but it will still respond.

Note: dynamically learned (InARP) mappings always have broadcast enabled.

CCIE LAB SCENARIO: not allowed to use inverse-arp

"show frame-relay map" lists mappings learned via InARP as dynamic.

If inverse-arp is not turned off at the beginning of the lab you will see unexpected ("magical") connectivity, because from the frame-relay switch's perspective the network is fully meshed.

Issue the following command set:

int s0/0
shutdown
encapsulation frame-relay
no frame-relay inverse-arp
no shut

You can also clear the mappings already learned through InARP:

clear frame-relay inarp

commands:

Shows the DLCI mapping, status, dynamic/static, type, broadcast

sh frame-relay map

Disables InARP requests only for the DLCI specified:

no frame-relay inverse-arp ip {dlci}

Statically maps a remote IP address to a local DLCI; the [broadcast] keyword enables frame-relay broadcast replication across the PVC:

frame-relay map ip {ip} {dlci} [broadcast]
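The static-versus-dynamic precedence, the per-DLCI inverse-arp switch and "clear frame-relay inarp" from the notes above, modelled as a Python mapping table so the rules can be checked against sample entries. This is an added example, not code from the original notes or from IOS; the FrameRelayMapTable class, the constructed 155.1.0.x / DLCI 10x hub-and-spoke entries and the simplified "show" output format are assumptions, and the model only learns InARP mappings on DLCIs where this router still sends queries (a simplification; as the notes say, replies themselves cannot be disabled).

```python
class FrameRelayMapTable:
    """Models the layer3-to-layer2 table behind 'show frame-relay map' for one
    interface: static maps, InARP-learned dynamic maps, the precedence between
    them, and the per-DLCI 'no frame-relay inverse-arp ip' switch."""

    def __init__(self):
        self.static = {}             # ip -> (dlci, broadcast flag)
        self.dynamic = {}            # ip -> dlci (InARP entries always carry broadcast)
        self.inarp_disabled = set()  # DLCIs on which this router sends no InARP queries

    def map_ip(self, ip, dlci, broadcast=False):
        """'frame-relay map ip <ip> <dlci> [broadcast]'. A static map replaces
        whatever InARP had learned for the same address."""
        self.static[ip] = (dlci, broadcast)
        self.dynamic.pop(ip, None)

    def no_inverse_arp(self, dlci):
        """'no frame-relay inverse-arp ip <dlci>' (queries only; replies stay enabled)."""
        self.inarp_disabled.add(dlci)

    def inarp_learned(self, ip, dlci):
        """The peer on <dlci> answered an InARP query with <ip>. Simplification:
        nothing is learned on a DLCI where this router no longer queries, and a
        static map is never overridden. Returns True if a mapping was added."""
        if dlci in self.inarp_disabled or ip in self.static:
            return False
        self.dynamic[ip] = dlci
        return True

    def clear_inarp(self):
        """'clear frame-relay inarp' removes only the dynamic entries."""
        self.dynamic.clear()

    def entries(self):
        """(ip, dlci, kind, broadcast) tuples: the columns 'show frame-relay map' prints."""
        rows = [(ip, d, "static", b) for ip, (d, b) in self.static.items()]
        rows += [(ip, d, "dynamic", True) for ip, d in self.dynamic.items()]
        return sorted(rows)

    def show(self):
        """Render the table roughly the way IOS prints it (constructed format)."""
        lines = []
        for ip, dlci, kind, bcast in self.entries():
            flags = "broadcast, " if bcast else ""
            lines.append(f"Serial0/0: ip {ip} dlci {dlci}, {kind}, {flags}status defined, active")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed hub scenario: three spokes learned via InARP, then the lab
    # rule "no inverse-arp" applied to one DLCI and a static map for another.
    t = FrameRelayMapTable()
    for ip, dlci in (("155.1.0.2", 102), ("155.1.0.3", 103), ("155.1.0.4", 104)):
        t.inarp_learned(ip, dlci)
    print(t.show(), "\n")
    t.map_ip("155.1.0.2", 102, broadcast=True)   # static wins over dynamic
    t.clear_inarp()                              # only the dynamic entries go
    t.no_inverse_arp(103)
    t.inarp_learned("155.1.0.3", 103)            # not re-learned: no query on 103
    print(t.show())
```

Running it shows the first table fully populated by InARP (the "magical connectivity" the lab scenario warns about) and the second table holding only the deliberate static entry, which is the state a no-inverse-arp lab should end in.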

Friday, February 25, 2011

notes: Frame Relay Operation

Frame-relay is a packet-switching technology commonly implemented as an encapsulation technique, used between LANs over a wide area network (WAN).

- Virtual Circuit (VC): a logical communication path between 2 or more routers. A VC can be permanent (PVC) or switched (SVC).


DLCI (Data Link Connection Identifier)

- Identifies the PVC going to a peer.
- DLCIs are used as the frame-relay address, which identifies the VC over which frames should travel in the frame-relay cloud.
- It is contained within a 10-bit field inside the frame-relay header.
- DLCIs are locally significant to a link and can change as the frame passes through the network.
- Layer 2 addressing.

4 DLCI states:

1. Active - operational; both sides are communicating.

2. Inactive - something on the far end is not working (but your local connection to the FR switch is OK).

3. Deleted - reported during the LMI status enquiry, i.e. you have DLCI 222 configured but that DLCI does not exist in the FR cloud/switch.

4. Static - indicates that LMI was turned off with "no keepalive".

LMI (Local Management Interface)

- LMI communication is dependent on keepalives.
- LMI messages manage the communication between the DCE (frame-relay switch) and the DTE (a router).
- A DTE sends LMI status enquiry messages to the DCE.
- The DCE responds with LMI status messages to inform the DTE (router) about the DLCIs and the status of each VC.
- These enquiry/status messages function as, and are also referred to as, LMI keepalives.
- The default keepalive interval is 10 seconds.
- LMI can be enabled/disabled with the keepalive/no keepalive commands.
- LMI holdtime is 3x the keepalive. The holdtime cannot be adjusted directly, only by changing the keepalive interval (holdtime = keepalive x 3).
- If 3 keepalives (default) are missed, the interface is considered down.
- There are three LMI types: cisco, ansi and q933a.
- LMI autosense is enabled by default and determines the LMI type to be used.
- LMI messages/keepalives inform the router of all the DLCIs in use, but give no information about which DLCI is associated with which interface/sub-interface.
- The command "encapsulation frame-relay" enables LMI automatically.


CCIE LAB SCENARIO: configure the routers so that LMI status enquiries are sent every 5 seconds and a full status LMI request is sent every 3 cycles instead of 6.

config-set:

int s0/0
keepalive 5
frame-relay lmi-n391dte 3

LMI Keepalives and Full Status Update

- By default, LMI keepalives are sent every 10 seconds.
- Keepalive intervals must match on both ends to prevent flapping interfaces.
- If LMI autosense is unsuccessful, a built-in intelligent retry scheme takes over.
- Every N391 interval (default 6 keepalives, i.e. 60 seconds at 10 seconds each), LMI autosense attempts to ascertain the LMI type and requests complete status information about each VC. This is also known as a full status update.
- If the full status update timer must be changed, change the N391 interval to how often a full update should be requested.

Lab Scenario: if a router should request a full update once every 180 seconds (180 s / 10 s keepalive = 18), request an update only on every 18th keepalive.

interface command:

frame-relay lmi-n391dte 18


2 types of FR encapsulation:

1. Cisco - enabled by default; used if both DTEs are Cisco devices.

2. IETF - for multivendor environments.

config-set: encapsulation per interface and per DLCI

interface s1/0
encapsulation frame-relay ietf
frame-relay map ip 131.108.123.2 48 broadcast
frame-relay map ip 131.108.123.3 49 broadcast cisco
!
interface s1/1
encapsulation frame-relay
frame-relay map ip 131.108.143.2 58 broadcast ietf
frame-relay map ip 131.108.143.3 59 broadcast


FECN, BECN and DE

- FECN (Forward Explicit Congestion Notification) and BECN (Backward Explicit Congestion Notification) are bits in the LAPF header that signal congestion on a particular PVC.
- When a frame-relay switch notices congestion on a PVC, it sets the FECN bit on frames travelling in the congested direction.
- A router or switch noticing the FECN sets the BECN bit on traffic returning to the source, to indicate congestion and possibly instruct the source to slow down transmission.
- The DE (Discard Eligibility) bit marks traffic that is in violation of the conformed rate and might be discarded during periods of congestion; frames with the DE bit set are the first to be dropped.

Broadcast Queue

- In large frame-relay networks the replicated broadcast updates (one copy per DLCI) can consume bandwidth and interface buffers and even cause packet loss.
- To avoid such problems, you can create a special broadcast queue on an interface, with its own queue and buffers:

frame-relay broadcast-queue {size} {byte-rate} {packet-rate}

- CDP is enabled by default on all supported interfaces (except for frame-relay multipoint sub-interfaces)

Friday, February 18, 2011

LAB: Flex Links


The Flex Links feature is used as an alternative to Spanning-Tree Protocol in environments where physical loops occur in the layer 2 network.
- The backup link operates in standby mode and waits for the line protocol of the active link to go down. If the line protocol of the active link goes down, the backup link becomes active and immediately starts forwarding. When the active link's line protocol comes back up, the backup link goes back into standby state and stops forwarding traffic.


SW1:

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport backup interface Fa0/16
switchport backup interface Fa0/16 preemption mode forced
switchport backup interface Fa0/16 preemption delay 20
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk

SW2:

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk

SW3:

interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk


verification:

SW1#show interfaces po1 switchport backup
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
Port-channel1           FastEthernet0/16        Active Up/Backup Standby

Thursday, February 17, 2011

notes: 3550 & 3560 QoS

3550
fastethernet
QOS scheduling: tx-(4q0t),tx-(1p3q0t)

gigabitethernet
QOS scheduling: tx-(4q2t),tx-(1p3q2t)

- Priority queue is queue 4.
- Default port CoS is 0.
- Ports are untrusted by default.
- Default CoS to tx-queue mapping:
0 - 1
1 - 1
2 - 2
3 - 2
4 - 3
5 - 3
6 - 4
7 - 4

- default cos-dscp map

show mls qos maps cos-dscp
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 0 8 16 24 32 40 48 56

- default wrr weights
wrr bandwidth weights:
qid-weights
1 - 25
2 - 25
3 - 25
4 - 25

Weights range from 0 to 255; when the weight of queue 4 is set to 0, queue 4 is configured as the expedite (priority) queue.

3560
QoS scheduling: tx-(4q2t)
- Same CoS to tx-queue mapping.
- Same CoS-DSCP mapping.
- Same queue bandwidth weights.
- No VLAN-based classification.
- Can use class-based marking to set DSCP.



to verify queueing:

show mls qos interface queueing

to change the CoS-DSCP mapping:

mls qos map cos-dscp {dscp-values}


config-set for 3550 setting cos-tx queues mapping:

Rack1SW3(config-if)#wrr-queue cos-map 1 0 1 2
Rack1SW3(config-if)#wrr-queue cos-map 2 3
Rack1SW3(config-if)#wrr-queue cos-map 3 4
Rack1SW3(config-if)#wrr-queue cos-map 4 5
Rack1SW3(config-if)#priority-queue out ---configure priority queueing

Rack1SW3#show mls qos interface queueing
FastEthernet0/1
QoS is disabled. Only one queue is used
When QoS is enabled, following settings will be applied
Egress expedite queue: dis
wrr bandwidth weights:
qid-weights
1 - 25
2 - 25
3 - 25
4 - 25
Cos-queue map:
cos-qid
0 - 1
1 - 1
2 - 1
3 - 2
4 - 3
5 - 4
6 - 4

Example: with "wrr-queue bandwidth 1 2 3 4" the weights total 10, so each queue receives its weight's share of the bandwidth:

wrr-queue bandwidth 1 2 3 4

10% - queue 1
20% - queue 2
30% - queue 3
40% - queue 4

notes: IP Phone Trust and CoS Extend

- Ports are configured to trust the QoS marking only if the presence of a Cisco IP Phone is sensed via CDP messages.
- If no Cisco device is detected on the port, the QoS markings are not trusted, even if the port is configured for trust.
- The switch may also instruct the IP phone's built-in switch to apply specific CoS markings to frames received from the connected PC. The switch may either accept (trust) the 802.1p bits received from the attached PC or enforce the instructed value. This feature particularly makes sense with the dot1p Voice VLAN option.

config-set:

interface FastEthernet0/6
mls qos trust cos
mls qos trust device cisco-phone
switchport priority extend cos 1


verification:

show mls qos interface {interface}

notes: Voice VLAN

Voice VLAN (VVLAN)
- Most Cisco phones have a built-in 3-port switch and are able to distinguish the phone and the PC using different VLANs and optionally 802.1p CoS.
- The voice VLAN configuration is communicated to the IP phone via CDP.

3 different connecting options:

1. Separate DATA VLAN / VOICE VLAN.
- VOIP frames are tagged with COS 5.
- Connection between switch and IP phone is a 802.1q trunk with native VLAN equal to data VLAN.

config set:

interface FastEthernet0/2
switchport access vlan 146
switchport voice vlan 600
spanning-tree portfast
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 146
switchport trunk allowed vlan 146,600
switchport mode trunk
switchport voice vlan 600
spanning-tree portfast trunk
spanning-tree bpdufilter enable


Note that as soon as the switchport voice vlan command is applied to the port, the spanning-tree portfast feature is automatically enabled.


2. Single VLAN for both VOICE and DATA
- Frames are not tagged, thus the phone merely acts as a switch.
- The connection between switch and IP phone is configured as an ACCESS link.

If no "switchport voice vlan" command is configured, option 2 applies automatically.

3. Single VLAN for DATA and VOICE but with CoS 5 marking

- DATA traffic is marked with CoS 0 within an 802.1q header.
- VOICE traffic is marked with CoS 5 within the 802.1q header.
- Frames with CoS 0 are accepted into the access VLAN.

config set:

interface FastEthernet0/6
switchport access vlan 146
switchport voice vlan dot1p

notes: VACL

VACL

- A VLAN access-map is similar to a route-map.
- Is used to apply a layer 3 filter to layer 2 transit traffic.
- Uses route-map logic to permit (forward) or deny (drop) traffic.
- Changes made to the access-map will not take effect until the access-map is removed and re-applied.
- ONLY an ACL permit triggers the "forward"/"drop" action in the access-map. An ACL deny is ignored and the frame falls through to the next sequence.
- So to deny traffic with VLAN ACLs, permit the traffic in the ACL and use a "drop" action in the access-map.

MAC ACLs will only match NON-IP traffic.
- A Cisco 3560 switch sees IPv6 traffic as IP traffic, but a Cisco 3550 switch sees IPv6 traffic as NON-IP traffic.
- Ethertypes are not fully listed in the IOS command help or on the DOC-CD, so memorise them:
0x0806 0x0 : ARP
0x0800 0x0 : IPv4
0x86DD 0x0 : IPv6
0xAAAA 0x0 : CISCO proprietary (STP, PAGP, VTP, PVST+, CDP, DTP, and UDLD)
0x4242 0x0 : CST

config-set: block all ICMP echoes and IPv6 on VLAN 162 but forward everything else

access-list 101 permit icmp any any echo
!
mac access-list extended EtherType
permit any any 0x86DD 0x0
!
vlan access-map VACL 10
action drop
match ip address 101
! sequence 10 drops ICMP echo
vlan access-map VACL 20
action drop
match mac address EtherType
! sequence 20 drops IPv6 (non-IP traffic on a 3550, so a MAC ACL is needed)
vlan access-map VACL 30
action forward
! sequence 30 forwards all other traffic
!
vlan filter VACL vlan-list 162
! applies the access-map to VLAN 162
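Because the "only an ACL permit triggers the action" rule is the part of VACLs that trips people up, here is the access-map above as a Python evaluator, together with the tempting but wrong version that uses "deny" inside the ACL. This is an added example, not code from the original notes or from IOS; the Frame, AclEntry and MapSeq classes and the sample frames are constructed for the illustration.

```python
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class Frame:
    """Constructed minimal frame: ethertype plus, for IPv4, the L4 protocol and ICMP type."""
    ethertype: int
    proto: str = ""       # "icmp", "tcp", "udp", ... for IPv4 frames
    icmp_type: str = ""   # "echo", "echo-reply", ... when proto == "icmp"


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    match: object         # predicate Frame -> bool


def acl_result(entries, frame):
    """Ordinary ACL semantics: first matching entry wins, implicit deny at the end."""
    for entry in entries:
        if entry.match(frame):
            return entry.action
    return "deny"


@dataclass
class MapSeq:
    seq: int
    action: str           # "forward" or "drop"
    acl: object = None    # list of AclEntry; None = no match clause (matches everything)


def vacl_evaluate(access_map, frame):
    """VLAN access-map semantics: sequences are tried in order and a sequence
    applies its action only when its ACL PERMITS the frame. An ACL deny,
    explicit or implicit, is not a drop: it just falls through to the next
    sequence. A frame permitted by no sequence is dropped, which is why the
    access-map above ends with an unconditional 'action forward'."""
    for seq in sorted(access_map, key=lambda s: s.seq):
        if seq.acl is None or acl_result(seq.acl, frame) == "permit":
            return seq.action, seq.seq
    return "drop", None


def is_icmp_echo(f):
    return f.ethertype == ETHERTYPE_IPV4 and f.proto == "icmp" and f.icmp_type == "echo"


def is_ipv4(f):
    return f.ethertype == ETHERTYPE_IPV4


# The access-map from the config-set above, expressed in the model.
ACL_101 = [AclEntry("permit", is_icmp_echo)]                                   # permit icmp any any echo
MAC_ETHERTYPE = [AclEntry("permit", lambda f: f.ethertype == ETHERTYPE_IPV6)]  # permit any any 0x86DD 0x0
VACL = [MapSeq(10, "drop", ACL_101), MapSeq(20, "drop", MAC_ETHERTYPE), MapSeq(30, "forward")]

# The tempting but wrong version: "deny" the echoes in the ACL and permit the rest.
ACL_WRONG = [AclEntry("deny", is_icmp_echo), AclEntry("permit", is_ipv4)]
VACL_WRONG = [MapSeq(10, "drop", ACL_WRONG), MapSeq(30, "forward")]


if __name__ == "__main__":
    samples = {"icmp echo": Frame(ETHERTYPE_IPV4, "icmp", "echo"),
               "tcp": Frame(ETHERTYPE_IPV4, "tcp"),
               "ipv6": Frame(ETHERTYPE_IPV6)}
    for name, frame in samples.items():
        print(f"{name:10s} correct map -> {vacl_evaluate(VACL, frame)}   "
              f"wrong map -> {vacl_evaluate(VACL_WRONG, frame)}")
```

Running it shows the wrong map forwarding the very echoes it was meant to drop and dropping everything else on the VLAN, which is exactly the mistake the bullet list above warns about.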

notes: DHCP Snooping and IP Source Guard

DHCP Snooping

- DHCP snooping is a feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database.
- Acts like a firewall between untrusted hosts and DHCP servers.
- DHCP snooping differentiates between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or another switch.

enable snooping globally:

ip dhcp snooping

ip dhcp snooping vlan #

interface command:

interface FastEthernet 0/1
ip dhcp snooping trust
ip dhcp snooping limit rate 200


IP Source Guard

- IP Source Guard is a Catalyst security feature related to DHCP snooping.
- IP source guard helps prevent IP spoofing by enabling only the IP addresses obtained through DHCP snooping on a particular port. When a client receives an IP address from the authorized DHCP server, a port access control list (PACL) is installed on the port. This PACL enables traffic in the interface if it is sourced from the DHCP provided IP address.

interface command:

ip verify source vlan dhcp-snooping port-security
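The snooping / IP Source Guard relationship described above as a Python model: trusted versus untrusted ports, the rate limit, the binding table built from DHCP ACKs seen on a trusted port, and IPSG checking each packet's source against that table. This is an added example, not code from the original notes or from IOS; the Port, Binding and SnoopingSwitch classes, the interface names, MACs and 10.0.10.0/24 addresses are constructed, and err-disabling the port when the rate limit is exceeded is stated here as my modelling assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only legitimate when seen on a trusted port


@dataclass
class Port:
    name: str
    trusted: bool = False        # 'ip dhcp snooping trust'
    rate_limit: int = 0          # 'ip dhcp snooping limit rate N' (packets/second, 0 = none)
    verify_source: bool = False  # IP Source Guard enabled on this port
    port_security: bool = False  # IPSG also checks the source MAC, not just the IP
    errdisabled: bool = False


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Models DHCP snooping plus IP Source Guard on the untrusted edge ports."""

    def __init__(self, snooping_vlans):
        self.vlans = set(snooping_vlans)       # 'ip dhcp snooping vlan ...'
        self.bindings = {}                     # (vlan, ip) -> Binding
        self.pending = {}                      # (vlan, client mac) -> client port name
        self.counts = defaultdict(int)         # (port, second) -> DHCP packets seen
        self.log = []

    def dhcp(self, port, vlan, msg, chaddr, yiaddr=None, second=0):
        """Process one DHCP message; return True if the switch forwards it."""
        if port.errdisabled:
            return False
        if vlan not in self.vlans:
            return True                        # snooping not enabled on this VLAN
        if not port.trusted:
            if msg in SERVER_MESSAGES:         # a DHCP server answering from an access port
                self.log.append(f"{port.name}: dropped {msg} from untrusted port")
                return False
            if port.rate_limit:
                self.counts[(port.name, second)] += 1
                if self.counts[(port.name, second)] > port.rate_limit:
                    port.errdisabled = True    # assumption: port is err-disabled on overflow
                    self.log.append(f"{port.name}: DHCP rate limit exceeded, err-disabled")
                    return False
            if msg in ("DISCOVER", "REQUEST"):
                self.pending[(vlan, chaddr)] = port.name   # remember where the client sits
        elif msg == "ACK" and yiaddr and (vlan, chaddr) in self.pending:
            # Lease confirmed by a server behind a trusted port: record the binding
            # against the client's own (untrusted) port.
            client_port = self.pending.pop((vlan, chaddr))
            self.bindings[(vlan, yiaddr)] = Binding(chaddr, yiaddr, vlan, client_port)
        return True

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: on a port with source verification only traffic whose
        source IP (and, with port-security, MAC) matches a binding on that port passes."""
        if port.errdisabled:
            return False
        if not port.verify_source:
            return True
        binding = self.bindings.get((vlan, src_ip))
        if binding is None or binding.port != port.name:
            return False
        return not port.port_security or binding.mac == src_mac


if __name__ == "__main__":
    # Constructed scenario: uplink to the real DHCP server on Fa0/24 (trusted),
    # a client on Fa0/1 with IPSG, and a second access port Fa0/2 where a rogue
    # server tries to answer.
    sw = SnoopingSwitch([10])
    uplink = Port("Fa0/24", trusted=True)
    client = Port("Fa0/1", rate_limit=200, verify_source=True, port_security=True)
    rogue = Port("Fa0/2", rate_limit=200)
    mac = "00:11:22:33:44:01"
    sw.dhcp(client, 10, "DISCOVER", mac)
    sw.dhcp(rogue, 10, "OFFER", mac, yiaddr="10.0.10.200")   # dropped
    sw.dhcp(uplink, 10, "OFFER", mac, yiaddr="10.0.10.50")
    sw.dhcp(client, 10, "REQUEST", mac)
    sw.dhcp(uplink, 10, "ACK", mac, yiaddr="10.0.10.50")     # binding created
    print(sw.bindings)
    print("genuine:", sw.ip_packet(client, 10, mac, "10.0.10.50"))
    print("spoofed IP:", sw.ip_packet(client, 10, mac, "10.0.10.99"))
    print(sw.log)
```

The binding is keyed to the port where the client's DISCOVER/REQUEST was seen, not the trusted port the ACK arrived on; that is what lets IPSG later tie a source address to one physical port, and it is also why the snooping database is only as good as the trust assignments on the uplinks.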

Wednesday, February 16, 2011

notes: Switchport Security

The port security feature restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
- Can only be configured on static access or trunk ports, not on dynamic links.

You can configure these types of secure MAC addresses:

1. Static secure MAC addresses: manually configured with the "switchport port-security mac-address {mac-address}" interface configuration command.

2. Dynamic secure MAC addresses: Dynamically learned, stored only in the address table and removed when the switch restarts.

3. Sticky secure MAC addresses: Dynamically learned or manually configured, stored in the address table and added to the running configuration. These addresses can be saved in the configuration file.


3 violation modes, based on the action to be taken if a violation occurs:

1. Protect: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.

2. Restrict: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses; you are notified.
-Generates SNMP/Syslogs.

3. Shutdown: Port security violation causes the interface to immediately become error-disabled and turns off the port LED; it also sends a Simple Network Management Protocol (SNMP) trap, logs a syslog message, and increments the violation counter.


command set to configure port security:

switchport port-security
switchport port-security maximum value [vlan [vlan-list]]
switchport port-security violation {protect | restrict | shutdown}
switchport port-security mac-address mac-address [vlan vlan-id]
switchport port-security mac-address sticky

You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:

1. Absolute: The secure addresses on the port are deleted after the specified aging time.
2. Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

command:

switchport port-security aging {static | time time | type {absolute | inactivity}}

setting error disable aging for port security:

errdisable recovery cause psecure-violation
errdisable recovery interval 5400 (seconds)

notes: CCIE LAB useful templates

for default authentication on console and vtys:

aaa new-model
aaa authentication login mycon none
aaa authentication login myvty line

line con 0
login authentication mycon

line vty 0 4
login authentication myvty
password cisco

Tuesday, February 15, 2011

LAB: Bridging over WAN


Rack1R2

bridge irb
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
bridge-group 1
!
interface Serial0/0
ip address 155.1.0.2 255.255.255.0
encapsulation frame-relay
clock rate 2000000
cdp enable
frame-relay map bridge 205 broadcast
frame-relay interface-dlci 205
bridge-group 1
!
interface BVI1
ip address 111.111.111.2 255.255.255.0
!
!
bridge 1 protocol ieee
bridge 1 route ip


Rack1R5


bridge irb
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
bridge-group 1
!
interface Serial0/0
ip address 155.1.0.5 255.255.255.0
encapsulation frame-relay
clock rate 2000000
cdp enable
frame-relay map bridge 502 broadcast
frame-relay interface-dlci 502
bridge-group 1
!
interface BVI1
ip address 111.111.111.5 255.255.255.0
!
!
bridge 1 protocol ieee
bridge 1 route ip


VERIFICATION:

Rack1R2#ping 111.111.111.5 source bvI 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.5, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.2
!!!!!

Rack1R5#ping 111.111.111.2 source bvI 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.2, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.5
!!!!!

LAB: Fallback Bridging (VLAN bridging)


R4:

interface FastEthernet0/1
ip address 104.0.0.4 255.255.255.0
ipv6 address 2001::4/64
!
router rip
version 2
no auto-summary
network 104.0.0.0

R6:

interface FastEthernet0/1
ip address 106.0.0.6 255.255.255.0
ipv6 address 2001::6/64
!
router rip
version 2
no auto-summary
network 106.0.0.0

SW4:

vlan 104
!
bridge 1 protocol vlan-bridge
!
interface FastEthernet0/4
switchport access vlan 104
!
interface FastEthernet0/6
no switchport
ip address 106.0.0.10 255.255.255.0
bridge-group 1
!
interface Vlan104
ip address 104.0.0.10 255.255.255.0
bridge-group 1
!
ip routing
!
router rip
version 2
no auto-summary
network 104.0.0.0
network 106.0.0.0

verification:

Rack1R4#traceroute 106.0.0.6
Translating "106.0.0.6"
Type escape sequence to abort.
Tracing the route to 106.0.0.6
1 104.0.0.10 4 msec 0 msec 4 msec
2 106.0.0.6 0 msec * 0 msec

Rack1R4#traceroute 2001::6
Type escape sequence to abort.
Tracing the route to 2001::6
1 2001::6 4 msec 0 msec 0 msec

Saturday, February 12, 2011

LAB: EtherChannel over 802.1q Tunneling

R1:
interface FastEthernet0/0
ip address 155.1.146.1 255.255.255.0

R4:
interface FastEthernet0/1
ip address 155.1.146.4 255.255.255.0

SW1:
vlan 146
!
interface FastEthernet0/1
switchport access vlan 146
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable
!
interface FastEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode desirable

SW2:

vlan 100,200,300
!
interface FastEthernet0/13
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/14
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/15
switchport access vlan 300
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk


SW2 and SW3 carry the three customer links inside metro VLAN tags 100, 200 and 300.

SW3:

vlan 100,200,300
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
!
interface FastEthernet0/21
switchport access vlan 300
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp

SW4:

vlan 146
!
interface FastEthernet0/4
switchport access vlan 146
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 14 mode auto


VERIFICATION:

Rack1SW1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Rack1SW4 Fas 0/15 153 S I WS-C3550-2Fas 0/21
Rack1SW4 Fas 0/14 153 S I WS-C3550-2Fas 0/20
Rack1SW4 Fas 0/13 153 S I WS-C3550-2Fas 0/19
Rack1R1 Fas 0/1 131 R S I 2610XM Fas 0/0
Rack1R3 Fas 0/3 128 R S I 2611XM Fas 0/0
Rack1R5 Fas 0/5 124 R S I 2611XM Fas 0/0

LAB: 802.1q Layer 2 tunneling

R1:
interface FastEthernet0/0
no shutdown
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 14.0.0.1 255.255.255.0
!
interface FastEthernet0/0.41
encapsulation dot1Q 41
ip address 41.0.0.1 255.255.255.0

R4:
interface FastEthernet0/1
no shutdown
!
interface FastEthernet0/1.14
encapsulation dot1Q 14
ip address 14.0.0.4 255.255.255.0
!
interface FastEthernet0/1.41
encapsulation dot1Q 41
ip address 41.0.0.4 255.255.255.0

SW1:
system mtu 1504
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk

SW2:
system mtu 1504
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk

SW3:
system mtu 1504
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk

SW4:
system mtu 1504
!
interface FastEthernet0/4
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
no cdp enable
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk

verification:

Rack1R4#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
Rack1R1 Fas 0/1 125 R S I 2610XM Fas 0/0

notes: Storm Control & Unicast flooding

Storm control
- Is used to limit the amount of unicast, multicast, or broadcast traffic received on a port.
- The most common application of this feature is to prevent broadcast storms, but it can also be used to police individual ports so that they do not exceed a desired rate.
- When multicast traffic exceeds the configured multicast level, the switch suppresses unicast, broadcast and multicast traffic.
- With storm control it is recommended to hardcode the interface speed to avoid 10/100/1000 negotiation issues.

command:

interface FastEthernet0/1
storm-control unicast level pps 100

interface FastEthernet0/6
storm-control broadcast level 1.00

interface FastEthernet0/4
storm-control broadcast level bps 10m

verification:

show storm-control


"every broadcast is a multicast, but every multicast is not a broadcast"

If you limit multicast to 10% and broadcast to 20%, broadcast traffic will never reach its 20% level, because broadcasts are counted as multicasts and are already suppressed at 10%.

Unicast Flooding

If a destination MAC address is not in the MAC address table of the switch, the frame is flooded out all ports for that respective VLAN. Although some flooding is unavoidable and expected, excessive flooding might be caused by asymmetric routing, STP topology changes, or forwarding table overflow. Also, flooding can result from attacks on the network, especially if denial-of-service (DoS) attacks occur.
- Switches can now implement a unicast flood-prevention feature.

global command:

mac-address-table unicast-flood {limit kfps} {vlan vlan} {filter timeout | alert | shutdown}

notes: Private VLANS, protected ports

Private VLANs

- Can split a single broadcast domain, defined by a single VLAN, into multiple isolated broadcast subdomains, that are defined by primary VLAN and secondary VLANs.
- Basically it is VLANs inside a VLAN.
- Commonly used in shared layer2 environments, like ISP co-locations/hotel rooms, so two sites/rooms can't communicate directly.
- PVLANs can only be configured when a switch is in VTP transparent mode!!!
- Difference between PVLANs and protected ports: a PVLAN can span multiple switches, whereas protected ports cannot.
- Private VLAN information is NOT propagated via VTP.
- Secondary VLANs (isolated and community) do not run their own instance of spanning-tree.

Different port roles:

1. Promiscuous ports - Are allowed to talk to all other ports within the VLAN.
- Are the roles assigned to the primary VLAN ports.

2. Community ports - Are allowed to talk to any other ports only in the same community.

3. Isolated ports - Can only talk to promiscuous ports.


steps to configure Private VLANS

Note: the switch must be in VTP transparent mode (so a VTP domain must be configured)

1. Create the secondary VLANs as community or isolated.

vlan 1000
private-vlan community

vlan 2000
private-vlan isolated

2. Create the primary VLANs and associate the secondary VLANs.

vlan 100
private-vlan primary
private-vlan association 1000,2000

3. Set each port's mode and map (promiscuous) or associate (host) it with the secondary VLANs

interface fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 1000,2000

int fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 100 1000

int fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 100 2000
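As an added example (not from these notes), here is a small Python model of the configuration above, primary 100 with community 1000 and isolated 2000, that validates the associations from steps 1-3 and applies the port-role rules listed earlier to answer whether two ports can reach each other at layer 2. Port names fa0/4 and fa0/5 are made up.

```python
# Added example (not from the notes): model of the private VLAN configuration
# above (primary 100, community 1000, isolated 2000). It validates the
# associations and answers "can port A reach port B at layer 2?" using the
# promiscuous / community / isolated rules. Ports beyond fa0/3 are made up.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class PrivateVlan:
    """Steps 1 + 2: secondary VLANs and their association with the primary."""
    primary: int
    community: Set[int] = field(default_factory=set)
    isolated: Optional[int] = None      # IOS allows one isolated VLAN per primary

    def associate(self, secondary: int, kind: str) -> None:
        if secondary == self.primary:
            raise ValueError("a VLAN cannot be its own secondary")
        if kind == "community":
            self.community.add(secondary)
        elif kind == "isolated":
            if self.isolated not in (None, secondary):
                raise ValueError("only one isolated VLAN per primary VLAN")
            self.isolated = secondary
        else:
            raise ValueError(f"unknown secondary VLAN type {kind!r}")

    def secondaries(self) -> Set[int]:
        return self.community | ({self.isolated} if self.isolated else set())


@dataclass
class Port:
    name: str
    mode: str                                        # "promiscuous" or "host"
    secondary: Optional[int] = None                  # host-association (host ports)
    mapping: Set[int] = field(default_factory=set)   # mapping (promiscuous ports)


class PvlanSwitch:
    def __init__(self, pvlan: PrivateVlan) -> None:
        self.pvlan = pvlan
        self.ports: Dict[str, Port] = {}

    def promiscuous(self, name: str, mapping: Iterable[int]) -> None:
        """switchport mode private-vlan promiscuous
           switchport private-vlan mapping <primary> <secondaries>"""
        mapping = set(mapping)
        unknown = mapping - self.pvlan.secondaries()
        if unknown:
            raise ValueError(f"{name}: {sorted(unknown)} not associated with {self.pvlan.primary}")
        self.ports[name] = Port(name, "promiscuous", mapping=mapping)

    def host(self, name: str, secondary: int) -> None:
        """switchport mode private-vlan host
           switchport private-vlan host-association <primary> <secondary>"""
        if secondary not in self.pvlan.secondaries():
            raise ValueError(f"{name}: {secondary} not associated with {self.pvlan.primary}")
        self.ports[name] = Port(name, "host", secondary=secondary)

    def can_forward(self, src: str, dst: str) -> bool:
        """Layer 2 reachability between two ports of this switch."""
        a, b = self.ports[src], self.ports[dst]
        if src == dst:
            return False
        if a.mode == "promiscuous" and b.mode == "promiscuous":
            return True                      # both live in the primary VLAN
        if a.mode == "promiscuous":
            return b.secondary in a.mapping  # promiscuous -> any mapped secondary
        if b.mode == "promiscuous":
            return a.secondary in b.mapping
        # host <-> host: only inside the same community VLAN; isolated hosts never
        return a.secondary == b.secondary and a.secondary in self.pvlan.community


def demo_switch() -> PvlanSwitch:
    """The configuration from the notes, plus two extra host ports (made up)."""
    pv = PrivateVlan(100)
    pv.associate(1000, "community")
    pv.associate(2000, "isolated")
    sw = PvlanSwitch(pv)
    sw.promiscuous("fa0/1", [1000, 2000])
    sw.host("fa0/2", 1000)
    sw.host("fa0/3", 2000)
    sw.host("fa0/4", 1000)      # second member of community 1000
    sw.host("fa0/5", 2000)      # second isolated host
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    for pair in [("fa0/2", "fa0/4"), ("fa0/3", "fa0/5"), ("fa0/2", "fa0/3"),
                 ("fa0/1", "fa0/3"), ("fa0/3", "fa0/1")]:
        print(pair, sw.can_forward(*pair))
```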

verification:

show vlan private-vlan


Protected Ports:

are used to prevent traffic from being exchanged at layer 2 between two or more ports that are in the same VLAN.
- Traffic received in a protected port cannot be sent out another protected port, however traffic received in a protected port can be sent out a non-protected port.
This feature is a much smaller subset of the Private VLAN feature, and cannot span between multiple physical switches.


command:

interface FastEthernet0/2
switchport protected

interface FastEthernet0/24
switchport protected

notes: SPAN and RSPAN

- SPAN (Switchport Analyzer)

- Is used to redirect traffic from a port or VLAN onto another port for analysis by devices such as a packet sniffer or IPS.
- By default, traffic coming in on the destination SPAN port will get dropped.
- The [ingress] keyword tells the switch which access VLAN inbound traffic on the destination port should belong to.

config-set:

monitor session 1 source vlan 146
monitor session 1 destination interface Fa0/24

monitor session 1 source interface Fa0/4
monitor session 1 destination interface Fa0/24 ingress vlan 146

note: session numbers are locally significant

RSPAN

- This feature is used when the source port or VLAN being monitored is on a different physical switch than the sniffer.


steps to configure:

1. configure the RSPAN VLAN, which carries special attributes.

SW4:

vlan 500
remote-span

2. configure the source of the traffic for the SPAN session and direct it to the RSPAN VLAN.

SW2:

monitor session 2 source interface Fa0/4
monitor session 2 destination remote vlan 500


3. On the switch with the attached sniffer, create a SPAN session with the source as the RSPAN VLAN and the destination as port where the sniffer is attached.

SW1:

monitor session 2 destination interface Fa0/24 ingress vlan 146
monitor session 2 source remote vlan 500


verification:

show monitor session all

notes: 802.1X Port-Based Authentication

defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

remember:
- DO NOT forget to add "aaa authentication login default none", else you might lock yourself out of the switch and forfeit any points related to that switch.
- Uses AAA with RADIUS for authentication
- every time "aaa new-model" is typed, it erases the existing AAA config.

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:

1. force-authorized: Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required

2. force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate

3. auto: Enables 802.1X authentication and causes the port to begin in the unauthorized state

802.1X port-based authentication is supported in two topologies:

1. Point-to-point
2. Wireless LAN

Use the following commands to enable 802.1X authentication. Note that dot1x authentication requires RADIUS as the method.

global:

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

radius-server host 10.10.10.10
radius-server key cisco
aaa authorization network default group radius

interface:
dot1x port-control auto
dot1x host-mode multihost (multiple devices can be authenticated on that single port)
dot1x auth-fail vlan 888
dot1x auth-fail max 2 (default:3)
dot1x guest-vlan 888
dot1x critical vlan 24 (if port authentication fails, ensures the port still comes up)

notes: Smartport Macros

Smartport Macros
- Used to define a well known template of config to apply onto multiple interfaces.
- There are default macros on a switch, that can be seen with "sh parser macro [brief]"

Type:

1. global - the macro is applied in global configuration mode.
2. interface - the macro is applied in interface configuration mode.

command to create macro:

macro name name

command to apply the macro:

macro apply name


example config for interface mode:

macro name setvlan
switchport access vlan $VLAN
spanning-tree portfast bpduguard
@

interface range fa0/10-19
macro apply setvlan $VLAN 5


example config for global:

macro name rangeport
interface range fa0/15-15
switchport mode access
spanning-tree portfast
@

Note: since the interface range command is included, this is a global macro.
- The macro does not really work with the interface range command.



predefined macros

- You need to be familiar with these macros.

to check the built-in and custom macros:

show parser macro

CCIE lab scenario: use a smartport macro to set voice VLAN 20 and enable switchport port-security with one command; you may not need a custom macro to do it.

macro apply cisco-phone $access_vlan 10 $voice_vlan 20

How to know whether a macro was applied: a macro definition is recorded:


Here are some predefine macros:

Rack1SW1#show parser macro
Total number of macros = 7
--------------------------------------------------------------
Macro name : cisco-global
Macro type : default global
# Enable dynamic port error recovery for link state failures.
errdisable recovery cause link-flap
errdisable recovery interval 60

# Config Cos to DSCP mappings
mls qos map cos-dscp 0 8 16 26 32 46 46 56

# Enable aggressive mode UDLD on all fiber uplinks
udld aggressive

# Enable Rapid PVST+ and Loopguard
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default interface
# macro keywords $access_vlan
# Basic interface - Enable data VLAN only
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan


# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop on data vlan and
# one for phone on voice vlan
switchport port-security
switchport port-security maximum 2

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-switch
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
# Do not apply to EtherChannel/Port Group
switchport trunk encapsulation dot1q

# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk
switchport mode trunk

# Configure qos to trust this interface
auto qos voip trust

# 802.1w defines the link as pt-pt for rapid convergence
spanning-tree link-type point-to-point
--------------------------------------------------------------
Macro name : cisco-router
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
switchport trunk encapsulation dot1q

# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk
switchport mode trunk

# Configure qos to trust this interface
auto qos voip trust
mls qos trust dscp

# Ensure fast access to the network when enabling the interface.
# Ensure that switch devices cannot become active on the interface.
spanning-tree portfast trunk
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-wireless
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
switchport trunk encapsulation dot1q

# Define unique Native VLAN on trunk ports
# Recommended native vlan should NOT be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk and disable negotiation to speed up convergence
switchport mode trunk
switchport nonegotiate

# Configure qos to trust this interface
auto qos voip trust
mls qos trust cos

# Ensure that switch devices cannot become active on the interface.
spanning-tree bpduguard enable
--------------------------------------------------------------

notes: Bridging

Transparent bridging
- uses the normal STP rules
- same root bridge and root port election

A router in bridge mode does not support the extended system ID (sys-id-ext), so its bridge priority will always be 32768 for any VLAN, which will make the router the root bridge.

enabling transparent bridging on routers:

step1: enable bridging:

bridge # protocol ieee

step2: bind to the interfaces:

interface fa0/1
bridge-group #

for frame-relay interfaces:

interface s0/0
encapsulation frame-relay
frame-relay map bridge dlci# broadcast
bridge-group #


CRB (Concurrent Routing and Bridging)
- a protocol can be routed on one interface while being bridged on another interface.
- When CRB is used, traffic in the routed domain cannot be passed onto the bridged domain.
- CRB is considered legacy since IRB includes all the functionality of CRB with the addition of the BVI.


IRB (Integrated Routing and Bridging)
- a protocol can be both routed and bridged on the same interface.
- When IRB is used, traffic from the routed domain can be passed onto the bridged domain.


enabling IRB:

1. Create transparent bridge group

bridge # protocol ieee

2. Enable IRB and what to be bridged

bridge irb
bridge # route ip

bridge # bridge ip
- on by default

3. Enable routing & bridging for the bridge-group under the interface

interface fa0/0
bridge-group #

4. Configure BVI to connect the bridged and routed domain

interface BVI #
ip add 1.1.1.1 255.255.255.0

Fallback Bridging (VLAN bridging)
Used to bridge non-routed or unsupported protocols (SNA, DECnet, AppleTalk, etc.)
so they can communicate across VLANs and routed ports. One good use is also bridging IPv6.

enabling VLAN bridging

1. Specify the bridging VLAN

bridge # protocol vlan-bridge

2. Assign the SVI and routed port to this bridge.

interface vlan1
bridge-group #

interface fa0/1
no switchport
bridge-group #

verification:

sh bridge # group

notes: layer 2 tunneling

802.1q Tunnel
- Used to provide transparent layer2 VPN over a switched ethernet network, to carry unicast, broadcast, multicast, CDP, VTP or STP.
- Uses dot1q inside dot1q, to tunnel layer2 traffic.
- Cannot be dynamically negotiated, and traffic is not encrypted.
NOTE: Confirm prior to configuration that underlying end-to-end connectivity is established.
- When using dot1q tunneling CDP, STP & VTP are NOT carried across the tunnel by default.
- Additionally, dot1q tunneling also supports EtherChannels between customer sites.
- Dot1q-Tunnel requires:
- 802.1q trunking end-to-end
- System MTU should be a minimum of 1504, to support the additional 4-byte metro tag.

PITFALL: Careful when running OSPF to a switch with a system MTU of 1504, the adjacency won’t come up, due to a MTU mismatch.
Disable the MTU check on the router's OSPF interface with "ip ospf mtu-ignore"
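Added example, not from the notes: a Python sketch of what a dot1q-tunnel port does to a customer frame on ingress and egress, and why the extra 4-byte metro tag pushes the required system MTU to 1504. MAC addresses and the payload are constructed.

```python
# Added example (not from the notes): build a customer 802.1Q frame, push the
# 4-byte metro tag that a dot1q-tunnel port adds, and show why the system MTU
# has to be 1504. MACs and payload are constructed values.
import struct

TPID_DOT1Q = 0x8100   # Catalyst dot1q-tunnel uses 0x8100 for the outer tag too


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, vlans, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF) for vid in vlans)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def push_metro_tag(frame: bytes, metro_vlan: int) -> bytes:
    """Provider-edge tunnel port on ingress: insert the metro (outer) tag right
    after the MAC addresses; the customer tag stays intact as part of the payload."""
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, metro_vlan & 0x0FFF) + frame[12:]


def pop_metro_tag(frame: bytes) -> bytes:
    """Provider-edge tunnel port on egress: strip the outer tag again."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_DOT1Q:
        raise ValueError("frame carries no 802.1Q tag to pop")
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes):
    """Return (dst, src, [VLAN IDs outermost first], ethertype, payload)."""
    off = 12
    vlans = []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    return frame[:6].hex(), frame[6:12].hex(), vlans, ethertype, frame[off + 2:]


def system_mtu_needed(frame: bytes) -> int:
    """Bytes the switch counts against 'system mtu': everything after the
    14-byte Ethernet header except one 802.1Q tag, which the default MTU of
    1500 already allows for (per the notes). Every further tag is 4 bytes of
    payload from the switch's point of view, hence 1504 for dot1q-in-dot1q."""
    vlans = parse_frame(frame)[2]
    return len(frame) - 14 - (4 if vlans else 0)


if __name__ == "__main__":
    # Customer frame from R1: VLAN 14 tag, 1500-byte IPv4 payload (constructed)
    customer = build_frame("0000.0000.0004", "0000.0000.0001", [14], 0x0800,
                           b"\x45" + bytes(1499))
    metro = push_metro_tag(customer, 100)                # SW1 Fa0/1, access VLAN 100
    print(len(customer), system_mtu_needed(customer))    # 1518 1500
    print(len(metro), system_mtu_needed(metro))          # 1522 1504
    print(parse_frame(metro)[2])                         # [100, 14]
    assert pop_metro_tag(metro) == customer              # SW4 Fa0/4 hands R4 the original
```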

Note: you can configure Layer 2 protocol tunneling on ports configured as access or tunnel ports. You can't enable Layer 2 tunneling on ports that are configured with:
switchport mode dynamic auto
switchport mode dynamic desirable

from Ruhan's CCIE notes

notes: MSTP 802.1s

Multiple Spanning Tree
- MSTP uses RSTP.
- Allows user-defined STP instances to be mapped to multiple VLANs.
- Up to 64 instances.
- If no instances are defined, all VLANs are mapped to instance 0.
- Same election process as STP: MST also uses the lowest BID in the network to elect the Root Bridge.
- With MST there is only one election per user-defined instance.
- MST also uses a cost value derived from the inverse bandwidth of the interface.
- When MST is enabled, RSTP is automatically enabled.

MSTP configuration

Step 1. Globally enable MISTP (MSTP) on your switches:

spanning-tree mode mst

Step 2. Enter MST configuration submode:

spanning-tree mst configuration

Step 3. Set the MST region name:

name name

Step 4. Set a configuration revision number (optional):

revision rev_num

Step 5. Map your VLANs to MST instances:

instance # vlan range

verification:

show spanning-tree mst configuration

show spanning-tree mst vlan_id

CCIE Lab Scenario: if you are asked to create 2 instances, you only need to create 1 instance, since instance 0 is already running.

configuration of root

per vlan

spanning-tree vlan # root primary/secondary

per mst

spanning-tree mst # root primary/secondary

priority

per vlan

spanning-tree vlan # priority #

per mst

spanning-tree mst # priority #

notes: RSTP 802.1w

RSTP

- takes advantage of STP features:
a. portfast - now called edge port, not participating in STP.
b. uplinkfast - built-in
c. backbonefast - built-in

RSTP port roles

1. Root port - Is the port that has the best root path cost to the root.

2. Designated port - Is the downstream port that has the best root path cost to the root.
- Is a downstream interface pointing away from the root bridge.
- By default, all ports on the root bridge are DP

3. Alternate port - Is a port that has an alternate path to the root. An alternate port is less desirable than the root port.
- In blocking state will receive STP info, but not send any out that interface.

4. Backup port - Is a backup designated port.
- quickly converging backup to the root port for a system.

RSTP Port States

RSTP port states are simplified from 802.1D and consist of the following:

1. Discarding
- Incoming frames are simply dropped; no MAC addresses are learned.
- Combines the 802.1D (STP) disabled, blocking, and listening states.

2. Learning

- Incoming frames are dropped, but MAC addresses are learned.

3. Forwarding
- Incoming frames are forwarded according to MAC addresses that have been (and are being) learned.

Implementing RSTP

On most Cisco switches, configuring 802.1s (Multiple Spanning Tree, MST) automatically enables RSTP. Cisco also provides a mode of operation, Rapid PVST+, that enables you to use RSTP without implementing MST.

command to enable rstp/pvst+:

spanning-tree mode rapid-pvst

notes: STP 802.1D

Spanning Tree Protocol- 802.1D

- is a Layer 2 loop-prevention mechanism
- on Cisco switches PVST is enabled by default: one STP instance per VLAN

BPDU (Bridge Protocol Data Unit)

-Is a packet used to advertise spanning-tree protocol information.

Bridge ID (BID)

The bridge ID (BID) is a critical element for the creation of the spanning-tree, loop-free topology.
- The bridge ID consists of a 2-byte bridge priority and a 6-byte MAC address. The default priority is 32,768.
- Newer switch operating systems break the priority field into two sections:

4-bit priority and a 12-bit extended system ID.

- This extended system ID value is just the VLAN ID. This enables each VLAN to have a unique bridge ID while still using the same MAC address and priority value. Previously, multiple MAC addresses were needed for each VLAN to ensure uniqueness.

Path Cost

- is the measure of distance from one bridge to another. Links are assigned a cost value by STP. This cost value is based on bandwidth. Higher-bandwidth links receive a lower-cost value, and STP deems a lower-cost path as preferred to a higher-cost path.

STP Port Roles

1. Root port - Is the one port on a switch that is closest (with the lowest root path cost) to the root bridge.

2. Designated port - Is the downstream port on a LAN segment that is closest to the root. This port relays, or transmits BPDUs down the tree.

3. Blocking port - Is a port that is neither a root nor a designated port.

4. Alternate port - Is a candidate root port in the blocking state (next-closest to the root bridge).
- These ports are identified for quick use by the STP uplinkfast feature.

5. Forwarding port - Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.


STP Process

1. Election of Root Bridge - the switch that has the lowest Bridge ID
- configuration bridge protocol data units (BPDUs) are sent between switches on each port and BIDs are compared.

2. Election of Root Ports

a. Lowest cumulative cost to the root
b. Lowest upstream BID
c. Lowest port ID
c.1 Lowest port priority (0-255) (default = 128)
c.2 Lowest port number, e.g. Fa0/5 = 5.

3. Election of Designated Ports - same criteria as root ports
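Added example, not from the notes: the election order above (lowest BID with the extended system ID, then cumulative cost / upstream BID / upstream port ID) modelled in Python, so you can see why a priority change on one VLAN moves the root only there and why cost and port priority act on different sides of a link. The switch MACs are made up.

```python
# Added example (not from the notes): 802.1D bridge ID comparison with the
# extended system ID, root bridge election and root port election, written
# to mirror the election order listed above. Switch MACs are constructed.
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID = 2-byte priority field + 6-byte MAC.
    On sys-id-ext switches the priority field is a 4-bit priority (a
    multiple of 4096, default 32768) plus the 12-bit VLAN ID."""
    priority: int   # configured priority: multiple of 4096, 0..61440
    vlan: int       # extended system ID = VLAN ID, 0..4095
    mac: str        # Cisco dotted form, e.g. "0011.1111.1111" (constructed)

    def effective_priority(self) -> int:
        """The value 'show spanning-tree' prints: priority + sys-id-ext."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 0 <= self.vlan <= 4095:
            raise ValueError("VLAN ID must fit in the 12-bit extended system ID")
        return self.priority | self.vlan   # OR equals addition here (vlan < 4096)

    def as_int(self) -> int:
        """64-bit wire-order value the BPDU comparison is done on:
        16-bit priority field first, then the 48-bit MAC as tie-breaker."""
        mac_int = int(self.mac.replace(".", "").replace(":", ""), 16)
        if mac_int >= 1 << 48:
            raise ValueError("MAC address must be 48 bits")
        return (self.effective_priority() << 48) | mac_int


def elect_root_bridge(bids: Iterable[BridgeId]) -> BridgeId:
    """Step 1: the switch with the lowest BID for this VLAN becomes root."""
    return min(bids, key=BridgeId.as_int)


@dataclass(frozen=True)
class Uplink:
    """A BPDU from the root received on one local port of a non-root switch.
    All candidates are assumed to already agree on the same root bridge."""
    local_port: str
    local_port_cost: int                # cost of the inbound link (19 = 100 Mb/s)
    advertised_root_cost: int           # root path cost carried in the BPDU
    upstream_bid: BridgeId              # sender bridge ID from the BPDU
    upstream_port_priority: int = 128   # sender port priority (0-255)
    upstream_port_number: int = 0       # sender port number, Fa0/5 -> 5


def root_port_key(u: Uplink) -> Tuple[int, int, int, int]:
    """Step 2 tie-break order: (a) lowest cumulative cost to the root,
    (b) lowest upstream BID, (c) lowest upstream port ID (priority, number).
    The inbound port cost is added locally, which is why changing 'cost'
    on the inbound link moves the local root port, while 'port-priority'
    only matters on the outbound link, as seen by the downstream switch."""
    return (u.local_port_cost + u.advertised_root_cost,
            u.upstream_bid.as_int(),
            u.upstream_port_priority,
            u.upstream_port_number)


def elect_root_port(uplinks: Iterable[Uplink]) -> Uplink:
    return min(uplinks, key=root_port_key)


if __name__ == "__main__":
    sw1 = "0011.1111.1111"   # constructed MACs
    sw2 = "0022.2222.2222"
    # VLAN 1: equal priority, so the lower MAC (SW1) wins.
    print(elect_root_bridge([BridgeId(32768, 1, sw1), BridgeId(32768, 1, sw2)]))
    # VLAN 10: "spanning-tree vlan 10 priority 24576" on SW2 wins only there.
    print(elect_root_bridge([BridgeId(32768, 10, sw1), BridgeId(24576, 10, sw2)]))
    root = BridgeId(32768, 1, sw1)
    # SW3: Fa0/1 directly to the root, Fa0/2 via SW2 (one extra hop of cost 19)
    print(elect_root_port([Uplink("Fa0/1", 19, 0, root, 128, 1),
                           Uplink("Fa0/2", 19, 19, BridgeId(32768, 1, sw2), 128, 2)]))
```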

STP manipulation:

1. Port Cost (changing it on the inbound link affects the local switch; on the outbound link it does nothing)
- Can be changed to influence how the local switch elects its local ROOT port upstream.
- Changing the port cost will affect all downstream switches, as cost is the sum of all port costs to the root.
2. Port Priority (changing it on the outbound link influences the downstream switch's choice; on the inbound link it does nothing)
- Can be changed to influence how a downstream switch elects its root port.
- Priority is locally significant between two directly connected switches.

Note: "show spanning-tree vlan" will not reflect the upstream port priority; use the "detail" option below, which lists it as 'designated port id x.x':
show spanning-tree vlan {id} detail

STP Port Phases:

1. Disabled
- Ports that are in a down state. This state is special and is not part of the normal STP progression for a port.

2. Blocking - BPDUs received only (only when the switch initially comes up)
- cannot receive data or add MAC addresses to its table.
- Blocking delay = 20 sec, and this value CANNOT be changed.

3. Listening - BPDUs sent and received
- The port is allowed to receive and send BPDUs so that it can actively participate in STP.
- The port still cannot send or receive data frames.
- Listening delay = 15 sec.

4. Learning - bridging table is built
- The switch now can learn new MAC addresses to add to its address table.
- The port cannot yet send any data frames.
- Learning delay = 15 sec.

5. Forwarding - sending/receiving data
- After the forward delay (listening and learning states) (default = 30 sec) the port transitions to forwarding state.
- The port now can send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs.

STP timers control convergence in the process:

1. Hello: 2 sec (time between each configuration BPDU)

2. Forward Delay: 15 sec (controls durations of listening/learning states)
command:
spanning-tree vlan # forward-time sec

3. Max Age: 20 sec (controls the duration of the blocking state)
command:

CCIE Lab Scenario: ports that initially come up should be forwarding in no more than 44 seconds;
44 - 20 (blocking time) = 24 (listening + learning), which means 12 sec listening and 12 sec learning

spanning-tree vlan # forward-time 12

Advanced STP Features

1. STP Portfast - skips the listening and learning stages and moves the port straight to forwarding.
- The switch does not generate a TCN when a port configured for PortFast goes up or down, for example when a workstation power-cycles.

interface command:
spanning-tree portfast

2. STP Portfast default - same effect, this is a global command

global command:
spanning-tree portfast default

3. STP Uplinkfast - on failure of the root port, an alternate port immediately transitions to root port.
- cisco proprietary
When you configure UplinkFast, the local switch has a priority set to 49,152 and adds 3000 to the cost of all links.
Finally, a mechanism is included that causes the manipulation of MAC address tables for other bridges.

global command:
spanning-tree uplinkfast

4. STP Backbonefast - speeds up convergence when an indirect failure occurs upstream by immediately expiring the max-age timer.
- cisco proprietary
Configure BackboneFast on all switches to speed convergence when the failure occurs and is indirectly located, such as in the core of the backbone. It reduces convergence from approximately 50 seconds to approximately 30 seconds.

global command:
spanning-tree backbonefast

5. STP BPDU Guard - enforces access layer security at the edge of the STP domain.
- when a BPDU is received the port transitions to the err-disable state

interface command:
spanning-tree bpduguard enable

6. STP BPDU Guard default - works with portfast default in order to automatically enable BPDU guard on any interface in the portfast state

global command:
spanning-tree portfast default
spanning-tree bpduguard default

7. STP BPDU filter - used to terminate STP domain
- it drops all inbound BPDUs and does not send BPDUs out of the interface
- does not put port into err-disable state.

interface command:
spanning-tree bpdufilter enable


8. STP BPDU filter default - works with portfast default by applying BPDU filtering on interfaces that have portfast enabled

global command:
spanning-tree portfast default
spanning-tree bpdufilter default

9. STP Root Guard - similar to BPDU guard, but the difference is that a root guard interface is only disabled if a superior BPDU is received, placing the interface into ROOT_INCONSISTENT state.

interface command:
spanning-tree guard root

10. STP Loop Guard - Is used to prevent STP loops from occurring due to a unidirectional link, or loops caused by some STP process.
- Similar to UDLD, but instead uses BPDU keepalives to determine unidirectional traffic.
- If a blocked port transitions to forwarding state erroneously, a loop can occur.
- Blocked ports will be transitioned into LOOP_INCONSISTENT state to avoid loops.

interface command:
spanning-tree guard loop

11. UDLD (Unidirectional Link Detection)
- Cisco proprietary.
- UDLD is typically used with fibre optic cables.
- Peers discover each other by exchanging frames sent to the MAC address 0100:0CCC:CCCC.

global command:
udld enable

only applies to fibre interfaces!!!

interface command:

udld port aggressive

- the interface command can be applied to any interface type

2 modes:

1. Normal - informational mode, generates a log entry, but doesn't disable or shutdown the port.
2. Aggressive - will place an interface into err-disable state.

Disabling Spanning-Tree

- STP cannot be disabled directly on a per interface basis.
- One can turn off Spanning Tree Protocol (STP) on a per-VLAN basis, or globally on the switch.
- Use the "no spanning-tree vlan vlan-id" command in order to disable STP on a per-VLAN basis.
- However, by filtering BPDUs on an interface one effectively disables STP on that interface.
- FLEX-Links also disables STP on an interface.