bsmsn notes


  • 8/3/2019 Bsmsn Notes


    Spanning Tree Protocol (STP)

    As you study this section, answer the following questions:

    1. How does STP eliminate bridging loops?

    2. Which port state builds the bridge database with MAC addresses?

    3. Which timers can be configured to speed up STP performance?

    4. Which devices generate configuration Bridge Protocol Data Units (BPDUs)?

    5. What is the difference between a root port and a designated port?

    After finishing this section, you should be able to complete the following tasks:

    Given the MAC Address of a switch, configure it to be the root bridge.

    Configure a switch to be a primary root bridge.

    Configure a switch to be a secondary root bridge.

    This section covers the following exam objectives:

    201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP, PVRST, MISTP).

    STP Facts

    To provide for fault tolerance, many networks implement redundant paths between devices using multiple switches. However, providing redundant paths between segments causes packets to be passed between the redundant paths endlessly. This condition is known as a bridging loop.

    To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for each route is assigned as the designated bridge. Only the designated bridge can forward packets. Redundant bridges (and switches) are assigned as backups.

    The spanning tree algorithm provides the following benefits:

    Eliminates bridging loops

    Provides redundant paths between devices

    Enables dynamic role configuration

    Recovers automatically from a topology change or device failure

    Identifies the optimal path between any two network devices

    The spanning tree algorithm calculates the best loop-free path through a network by assigning a role to each bridge or switch and by assigning roles to the ports of each bridge or switch. The bridge role determines how the device functions in relation to other devices, and whether the device forwards traffic to other segments.

    Role Characteristics

    Root bridge

        The root bridge is the master or controlling bridge.

        There is only one root bridge in the network. The root bridge is the logical center of the spanning-tree topology in a switched network.

        The root bridge is determined by the switch with the lowest bridge ID (BID).

        The bridge ID is composed of two parts: a bridge priority number and the MAC address assigned to the switch.

        The default priority number for all switches is 32,768 (0x8000 in hexadecimal). This means that for unconfigured switches, the switch with the lowest MAC address becomes the root bridge.

        You can manually configure the priority number to force a specific switch to become the root switch.

        The root bridge periodically broadcasts configuration messages. These messages are used to select routes and reconfigure the roles of other bridges if necessary.

        All ports on a root bridge forward messages to the network.

        Note: Newer switches add the VLAN number to the priority value. For example, if you configure a priority value of 4096, the switch will use the priority of 4097 for VLAN 1, 4098 for VLAN 2, and so on.

    Designated bridge

        A designated bridge is any other device that participates in forwarding packets through the network.

        They are selected automatically by exchanging bridge configuration packets.

        To prevent bridging loops, there is only one designated bridge per segment.

    Backup bridge

        All redundant devices are classified as backup bridges.

        Backup bridges listen to network traffic and build the bridge database. However, they will not forward packets.

        A backup bridge can take over if the root bridge or a designated bridge fails.

    Switches send special packets called Bridge Protocol Data Units (BPDUs) out each port to the multicast address 01:80:C2:00:00:00. BPDUs sent and received from other bridges are used to determine the bridge roles and port states, verify that neighbor devices are still functioning, and recover from network topology changes. STP uses the following types of BPDUs:

    A Configuration BPDU is sent by the root bridge on all its ports. Each BPDU contains STP parameters which are critical to STP stability. Only the root bridge generates the configuration BPDU, guaranteeing that there is no mismatching STP information. If configuration BPDUs are not received by root ports on other bridges, a topology change may occur.

    A Topology Change (TC) BPDU is generated by the switch when it detects a topology change, such as the following:

        A port in forwarding or listening transitions to blocking

        A port moves to forwarding state, and the bridge already has a designated port

        A non-root bridge receives a TC on its designated port (a propagation TC is sent)

    During the negotiation process and normal operations, each switch port is in one of the following states:

    Port State Description

    Disabled

        A port in the disabled state is powered on but does not participate in listening to network messages or forwarding them. A bridge must be manually placed in the disabled state.

    Blocking

        When a device is first powered on, its ports are in the blocking state. In addition, backup bridge ports are always in the blocking state. Ports in the blocking state receive packets and BPDUs sent to all bridges, but will not process any other packets.

    Listening

        The listening state is a transitional state between blocking and learning. The port remains in the listening state for a specific period of time. This time period allows network traffic to settle down after a change has occurred. For example, if a bridge goes down, all other bridges go to the listening state for a period of time. During this time the bridges redefine their roles.

    Learning

        A port in the learning state is receiving packets and building the bridge database (associating MAC addresses with ports). A timer is also associated with this state. The port goes to the forwarding state after the timer expires.

    Forwarding

        The root bridge and designated bridges are in the forwarding state when they can receive and forward packets. A port in the forwarding state can both learn and forward. All ports of the root switch are in forwarding mode.

    The following timers affect STP performance and state changes:

    The hello time is the time between each BPDU that is sent on a port by the root bridge and forwarded by other designated bridges. It is 2 seconds by default, but can be configured between 1 and 10 seconds.

    The forward delay is the time spent in the listening and learning states. It is 15 seconds by default, but can be configured between 4 and 30 seconds.

    The max age timer controls the maximum length of time a bridge port saves its configuration BPDU information. It is 20 seconds by default, but can be configured between 6 and 40 seconds.

    Note: Although it is possible to tune spanning-tree timers, the recommendation is to leave the spanning tree timers at their default values.
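The BPDU fields and timers described above, decoded from the wire format, as an added Python example that is not part of the original notes. It assumes the standard 802.1D configuration BPDU layout (protocol ID, version, type, flags, 8-byte root ID, root path cost, 8-byte bridge ID, port ID, then message age, max age, hello time and forward delay in 1/256-second units); `parse_bpdu`, `build_config_bpdu` and `audit_bpdu` are names chosen here. The sample frames are constructed: the known root uses the MAC the notes cite (000E.8411.68C0) with priority 4096 on VLAN 1, and the second frame claims priority 0 from a MAC in the documentation address range. `audit_bpdu` shows the two things a monitoring script checks on a BPDU seen on a port: whether it advertises a root ID lower than the known root (a superior BPDU) and whether its timers fall inside the ranges the notes give.

```python
import struct

# Group MAC that 802.1D BPDUs are sent to (from the notes).
STP_MULTICAST = "01:80:c2:00:00:00"

# Configurable timer ranges in seconds, as listed in the notes.
TIMER_RANGES = {"hello_time": (1, 10), "forward_delay": (4, 30), "max_age": (6, 40)}

CONFIG_BPDU = 0x00   # 802.1D configuration BPDU
RST_BPDU = 0x02      # 802.1w RSTP BPDU (same 35-byte header, version 2)
TCN_BPDU = 0x80      # topology change notification (4 bytes only)


def decode_bridge_id(raw: bytes) -> dict:
    """Split an 8-byte bridge ID into priority, VLAN and MAC.

    With the extended system ID the 16-bit priority field is the configured
    priority (a multiple of 4096) plus the VLAN number, so 0x1001 means
    priority 4096 for VLAN 1, as the note on newer switches describes.
    """
    field = int.from_bytes(raw[:2], "big")
    return {
        "priority": field & 0xF000,
        "vlan": field & 0x0FFF,
        "mac": ":".join(f"{b:02x}" for b in raw[2:8]),
        # Lower tuple wins the root election: priority field first, then MAC.
        "key": (field, int.from_bytes(raw[2:8], "big")),
    }


def parse_bpdu(payload: bytes) -> dict:
    """Parse the BPDU that follows the 802.2 LLC header (DSAP/SSAP 0x42)."""
    if len(payload) < 4:
        raise ValueError("too short for a BPDU")
    proto, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if bpdu_type == TCN_BPDU:
        return {"type": "tcn", "version": version}
    if bpdu_type not in (CONFIG_BPDU, RST_BPDU) or len(payload) < 35:
        raise ValueError(f"unsupported or truncated BPDU type {bpdu_type:#04x}")
    flags = payload[4]
    port_id = int.from_bytes(payload[25:27], "big")
    # Timers travel in units of 1/256 second.
    msg_age, max_age, hello, fwd = (t / 256 for t in struct.unpack("!HHHH", payload[27:35]))
    return {
        "type": "config" if bpdu_type == CONFIG_BPDU else "rst",
        "version": version,
        "topology_change": bool(flags & 0x01),
        "root": decode_bridge_id(payload[5:13]),
        "root_path_cost": int.from_bytes(payload[13:17], "big"),
        "bridge": decode_bridge_id(payload[17:25]),
        "port_priority": port_id >> 8,      # default 128
        "port_number": port_id & 0xFF,
        "message_age": msg_age, "max_age": max_age,
        "hello_time": hello, "forward_delay": fwd,
    }


def build_config_bpdu(root_field, root_mac, cost, bridge_field, bridge_mac, port_id,
                      message_age=1, max_age=20, hello_time=2, forward_delay=15, flags=0):
    """Build a configuration BPDU; used here only to construct sample frames offline."""
    def bridge_id(field, mac):
        return field.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", "").replace(".", ""))
    timers = struct.pack("!HHHH", *(int(t * 256) for t in
                                    (message_age, max_age, hello_time, forward_delay)))
    return (struct.pack("!HBBB", 0, 0, CONFIG_BPDU, flags) + bridge_id(root_field, root_mac)
            + cost.to_bytes(4, "big") + bridge_id(bridge_field, bridge_mac)
            + port_id.to_bytes(2, "big") + timers)


def audit_bpdu(bpdu: dict, known_root_key: tuple) -> list:
    """Findings for a BPDU seen on a port: a root ID below the known root is a
    superior BPDU (a new root is being claimed); timers outside the configurable
    ranges, or a message age that reached max age, point at a bad frame."""
    findings = []
    if bpdu["type"] == "tcn":
        return findings
    if bpdu["root"]["key"] < known_root_key:
        findings.append("superior BPDU: advertises a lower root bridge ID than the known root")
    for name, (lo, hi) in TIMER_RANGES.items():
        if not lo <= bpdu[name] <= hi:
            findings.append(f"{name}={bpdu[name]:g}s outside the {lo}-{hi}s range")
    if bpdu["message_age"] >= bpdu["max_age"]:
        findings.append("message age has reached max age: the BPDU is stale")
    return findings


# Constructed samples (see lead-in): known root = priority 4096 + VLAN 1 (0x1001)
# with the MAC from the notes; the rogue frame claims priority 0 with a
# documentation-range MAC and an out-of-range hello time.
KNOWN_ROOT_KEY = (0x1001, 0x000E841168C0)
SAMPLE_GOOD = build_config_bpdu(0x1001, "000E.8411.68C0", 0, 0x1001, "000E.8411.68C0", 0x8003)
SAMPLE_ROGUE = build_config_bpdu(0x0001, "00:00:5e:00:53:01", 0,
                                 0x0001, "00:00:5e:00:53:01", 0x8001, hello_time=0.5)

if __name__ == "__main__":
    for label, frame in (("known root", SAMPLE_GOOD), ("rogue", SAMPLE_ROGUE)):
        bpdu = parse_bpdu(frame)
        print(label, bpdu["root"], audit_bpdu(bpdu, KNOWN_ROOT_KEY) or "no findings")
```

The parser starts at the STP payload, after the LLC header, so a capture tool that hands over the frame body needs to strip the destination and source MAC, length and the three LLC bytes first.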

    During the configuration process, ports on each switch are configured as one of the following types:

    Port type Description

    Root port

        The port on the designated switch with the lowest port cost back to the root bridge is identified as the root port.

        Each designated switch has a single root port (a single path back to the root bridge).

        Root ports are in the forwarding state.

        The root bridge does not have a root port.

    Designated port

        One port on each segment is identified as the designated port. The designated port identifies which port on the segment is allowed to send and receive frames onto that segment. Designated ports are selected based on the lowest path cost to get back to the root switch.

        All ports on the root bridge are designated ports (unless a switch port loops back to a port on the same switch).

        Designated ports are used to send frames back to the root bridge.

        Designated ports are in the forwarding state.

    Blocking port

        A blocking port is any port that is not a root or a designated port. A blocking port is in the blocking state.

    When determining both the root port and designated ports on non-root bridge switches, the switches use the following criteria to select the port that is closest to the root bridge.

    The port with the lowest cost to get back to the root bridge becomes the root or designated port. Default IEEE port costs include the following:

        10 Mbps = 100

        100 Mbps = 19

        1 Gbps = 4

        10 Gbps = 2

    If two paths have the same cost, the bridge ID of the next switches in each path is compared. The path with the switch with the lowest bridge ID becomes the path back to the root. Remember that the bridge ID is composed of two parts:

        The priority number assigned to the switch.

        The MAC address used by the switch.

    If the priority numbers are the same on both switches, the switch with the lowest MAC address is the path back to the root.

    If the switch has two ports that have the same cost back to the root (for example, if two connections exist to the same switch), the port on the switch with the lowest port ID becomes the designated port.

        The port ID is derived from two numbers: the port priority and the port number.

        The port priority ranges from 0-255, with a default of 128.

        The port number is the number of the port. For example, the port number for Fa0/3 is 3.

        With the default port priority setting, the lowest port number becomes the designated port.

    Spanning Tree Example

    By default, spanning tree is enabled on all Cisco switches. When you add switches to the network, spanning tree operates automatically to identify the root bridge and configure each port to prevent loops. In a small environment, you can probably rely on the switches to configure themselves. In a large environment, however, you will need to plan the network so that you can control which switch becomes the root bridge, and so you can identify ports that should be blocking or forwarding.

    To identify how spanning tree will configure switches in a network, you will need to know the bridge ID for each bridge (which includes the priority value and the MAC address). If no priority value is included, assume the default priority of 32768. With the bridge ID and MAC addresses, use the following process to identify the state of each port:

    1. Identify the root bridge. The root bridge is the switch with the lowest bridge ID.

        The switch with the lowest priority value is the root bridge.

        If two or more switches have the same priority value, the switch with the lowest MAC address is the root bridge.

    2. On the root bridge, label each port as a designated port.

    3. For every other bridge, identify its root port. The root port is the port with the lowest cost back to the root bridge.

        To identify the cost, add the cost for each segment back to the root bridge.

        If two paths have the same cost, then look at the bridge ID of the next switch in the path.

    4. After labeling each root port, identify a designated port for each segment that does not already have a designated port.

        The designated port will be the port that connects to the path with the lowest cost back to the root bridge.

        If two paths have the same cost, compare the bridge ID of the next switch in the path.

    5. At this point, each segment should have a designated port identified. For any ports not labeled as a root port or a designated port, indicate that the port is a blocking port.

    The following graphic illustrates a switched network with redundant paths. The priority values and MAC addresses for each switch are identified. Numbers on each link are used to identify the link. Each link has the same cost value.

    Using the steps outlined above:

    Switch A is the root bridge because it has the lowest priority (4096).

    Fa0/1 and Fa0/2 on switch A are designated ports and will be forwarding.

    Root ports on the other switches are as follows:

        The root port on switch B is Fa0/1.

        The root port on switch C is Fa0/2.

            There are two paths back to the root bridge: B to A or D to A.

            Both paths have the same cost because they involve crossing two segments with equal costs.

            B to A is preferred because the bridge ID for switch B is lower than that of switch D. The priority values are the same, so the lowest MAC address is used (000E.8411.68C0).

        The root port on switch D is Fa0/1.

    At this point, designated ports already exist for segments 1 and 2. For the remaining segments:

        For segment 3, Fa0/3 on switch B is the designated port because the cost from B to A is less than the cost from C to D to A.

        For segment 4, Fa0/3 on switch D is the designated port for the same reason.

        For segment 5, Fa0/2 on switch B is the designated port.

            There are two paths from segment 5 to the root bridge: B to A or D to A.

            Both paths have the same cost.

            B to A is preferred because the bridge ID for switch A is lower than that of switch D. The priority values are the same, so the lowest MAC address is used (000E.8411.68C0).

    The following remaining ports are blocking ports:

    Fa0/1 on switch C.

    Fa0/2 on switch D.

    The following graphic shows each port labeled after spanning tree converges.

    Be aware of the effect that configuration changes make in this example:

        If all switches had the same priority value, then switch B would have been the root bridge because its MAC address is the lowest. Changing the root bridge would also change several other port states.

        Changing the priority on switch D to 8192 would have the following effects:

            The root port on switch C would change to Fa0/1. The path through switch D would be preferred over the path through switch B because of the lower priority number.

            The designated port for segment 5 would change to Fa0/2 on switch D, while Fa0/2 on switch B would be blocking.

            Fa0/2 on switch C would change to blocking.

        Assuming the default cost value of 19 for FastEthernet links, changing the cost of segment 1 to 100 would have the following effects:

            The root port on switch D would be Fa0/2. The total cost of that path would be 38.

            The designated port for segment 4 would be Fa0/1 on switch C. Port Fa0/3 on switch D would now be blocking.

            Port Fa0/1 on switch D would be blocking because Fa0/2 would be used to reach the root bridge.
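The election and port-selection rules from the criteria list (lowest bridge ID for the root; lowest path cost, then lowest next-hop bridge ID, then lowest port ID for root and designated ports), applied to the worked example, as an added Python example that is not part of the original notes. The graphic is not in the text, so the topology is reconstructed from the example's own statements: segment 1 joins A and D, segment 2 joins A and B, segment 3 joins B Fa0/3 and C Fa0/2, segment 4 joins D Fa0/3 and C Fa0/1, and segment 5 joins B Fa0/2 and D Fa0/2; which of A's two ports faces which neighbour is an assumption. Switch B's MAC is the one the notes give; the MACs for A, C and D are constructed so that the tie-breaks the notes describe come out the same way (B lowest, C below D, A above B). `compute_stp` and `with_changes` are names chosen here. The block goes beyond the single case by recomputing the two configuration changes the notes discuss (D's priority set to 8192, and segment 1's cost set to 100).

```python
INF = float("inf")


def bridge_id(switch):
    """Bridge ID = (priority, MAC as an integer); the lower tuple wins."""
    priority, mac = switch
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def port_id(port, priority=128):
    """Port ID = (port priority, port number), e.g. Fa0/3 -> (128, 3)."""
    return (priority, int(port.rsplit("/", 1)[1]))


def compute_stp(switches, segments, costs):
    """Apply the notes' rules: root = lowest bridge ID; root port = lowest path
    cost, then lowest next-hop bridge ID, then lowest port ID; one designated
    port per segment chosen the same way; every other port blocks.

    switches: {name: (priority, mac)}
    segments: {segment: [(switch, port), (switch, port)]}
    costs:    {segment: port cost}
    """
    root = min(switches, key=lambda s: bridge_id(switches[s]))
    rpc = {s: INF for s in switches}   # root path cost per switch
    rpc[root] = 0
    for _ in range(2 * len(switches)):  # relax until the costs stop changing
        # Designated bridge on each segment: the attached switch advertising the
        # best (root path cost, bridge ID, port ID), i.e. the best BPDU.
        designated = {
            seg: min(ends, key=lambda e: (rpc[e[0]], bridge_id(switches[e[0]]), port_id(e[1])))
            for seg, ends in segments.items()
        }
        root_port, new_rpc = {}, {root: 0}
        for sw in switches:
            if sw == root:
                continue
            best = None
            for seg, ends in segments.items():
                d_sw, d_port = designated[seg]
                for s, p in ends:
                    # Only a segment where a neighbour with a known cost is
                    # designated offers this switch a path back to the root.
                    if s != sw or d_sw == sw or rpc[d_sw] == INF:
                        continue
                    cand = (rpc[d_sw] + costs[seg], bridge_id(switches[d_sw]),
                            port_id(d_port), port_id(p), p)
                    if best is None or cand < best:
                        best = cand
            new_rpc[sw] = best[0] if best else INF
            if best:
                root_port[sw] = best[4]
        if new_rpc == rpc:
            break
        rpc = new_rpc
    roles = {}
    for seg, ends in segments.items():
        for s, p in ends:
            if root_port.get(s) == p:
                roles[(s, p)] = "root"
            elif designated[seg] == (s, p):
                roles[(s, p)] = "designated"
            else:
                roles[(s, p)] = "blocking"
    return {"root": root, "cost": rpc, "roles": roles}


# Topology reconstructed from the notes' worked example (see lead-in). B's MAC
# is the one the notes give; A's, C's and D's MACs are assumed values chosen so
# that A > B and B < C < D, which the notes' tie-breaks require.
SWITCHES = {
    "A": (4096, "000E.8411.7000"),   # root by priority; MAC assumed
    "B": (32768, "000E.8411.68C0"),  # MAC from the notes
    "C": (32768, "000E.8411.7100"),  # assumed
    "D": (32768, "000E.8411.7200"),  # assumed
}
SEGMENTS = {   # which A port faces which neighbour is an assumption
    1: [("A", "Fa0/1"), ("D", "Fa0/1")],
    2: [("A", "Fa0/2"), ("B", "Fa0/1")],
    3: [("B", "Fa0/3"), ("C", "Fa0/2")],
    4: [("D", "Fa0/3"), ("C", "Fa0/1")],
    5: [("B", "Fa0/2"), ("D", "Fa0/2")],
}
COSTS = {seg: 19 for seg in SEGMENTS}   # FastEthernet default cost


def with_changes(priorities=None, costs=None):
    """Recompute the example with overridden priorities and/or segment costs."""
    switches = {n: ((priorities or {}).get(n, p), m) for n, (p, m) in SWITCHES.items()}
    return compute_stp(switches, SEGMENTS, {**COSTS, **(costs or {})})


if __name__ == "__main__":
    cases = [("baseline", with_changes()),
             ("switch D priority 8192", with_changes(priorities={"D": 8192})),
             ("segment 1 cost 100", with_changes(costs={1: 100}))]
    for label, result in cases:
        print(f"{label}: root bridge {result['root']}")
        for (s, p), role in sorted(result["roles"].items()):
            print(f"  {s} {p}: {role} (cost to root {result['cost'][s]})")
```

Running it reproduces the port roles the notes list for all three cases; making every priority equal (`with_changes(priorities={n: 32768 for n in SWITCHES})`) moves the root to B, as the notes say it would.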

    STP Command List

    By default, spanning tree is enabled on all Cisco switches. By default, spanning tree is enabled with a single instance of the spanning tree protocol for VLAN1. By default, all switch ports are members of VLAN1, therefore all ports participate in spanning tree by default. Creating an additional VLAN automatically runs another instance of the spanning tree protocol. Spanning tree configuration consists of the following tasks:

        Modifying the spanning tree mode if a mode other than Per-VLAN Spanning Tree Plus (PVST+) is desired.

        Changing the bridge priority to control which switch becomes the root bridge.

        Designating edge ports (ports with no attached switches).

    The following table lists commands you would use to configure spanning tree:

    Use... To...

    Switch(config)#spanning-tree mode pvst
    Switch(config)#spanning-tree mode rapid-pvst
    Switch(config)#spanning-tree mode mst

        Set the spanning tree mode.

    Switch(config)#spanning-tree vlan <vlan-id> priority <priority>

        Manually set the bridge priority number.

        The priority value ranges between 0 and 61,440.

        Each switch has the default priority of 32,768.

        Priority values are set in increments of 4096. If you enter another number, your value will be rounded to the closest increment of 4096, or you will be prompted to enter a valid value.

        The switch with the lowest priority number becomes the root bridge.

    Switch(config)#spanning-tree vlan <vlan-id> root primary

        Force the switch to be the root of the spanning tree.

        The IOS software checks the switch priority of the current root switch for each VLAN.

        The switch sets the switch priority for the specified VLAN to 24576 (default value) if this value will cause this switch to become the root for the specified VLAN.

        If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority.

    Switch(config)#spanning-tree vlan <vlan-id> root secondary

        Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails.

        The IOS software changes the switch priority from the default value (32768) to 28672.

        If the root switch should fail, this switch becomes the next root switch (if the other switches in the network use the default switch priority of 32768).

    Switch(config-if)#spanning-tree port-priority <priority>

        Change the interface's port priority in increments of 16.

    Switch(config-if)#spanning-tree vlan <vlan-id> port-priority <priority>

        Change the interface's port priority in increments of 16 for a specific VLAN. This is for trunk interfaces.

    Switch(config)#spanning-tree vlan <vlan-id> hello-time <seconds>

        Configure the time between each BPDU that is sent on a port by the root bridge and forwarded by other designated bridges.

    Switch(config)#spanning-tree vlan <vlan-id> forward-time <seconds>

        Configure the time spent in the listening and learning states.

    Switch(config)#spanning-tree vlan <vlan-id> max-age <seconds>

        Configure the maximum length of time a bridge port saves its configuration BPDU information.

    Switch(config)#no spanning-tree vlan <vlan-id>

        Disables spanning tree on the selected VLAN.

    Examples

    The following command sets the bridge priority for VLAN 20:

    Switch(config)#spanning-tree vlan 20 priority 4096

    The following command configures this switch with a bridge priority of 4096 for VLAN 15 if the existing root bridge has a priority of 8092:

    Switch(config)#spanning-tree vlan 15 root primary

    Spanning Tree Protocols

    As you study this section, answer the following questions:

    What are the differences between PVST and PVST+?

    What are the three STP modes available on Cisco Catalyst switches?

    Which Rapid PVST+ port states are different than PVST+ port states and why?

    What is the difference between a Rapid PVST+ alternate port and a backup port?

    What is an MSTP region?

    After finishing this section, you should be able to complete the following tasks:

    Given a scenario, configure Rapid PVST+ on assigned switches.

    Given a scenario, configure MST on multiple switches with the minimum amount of MST instances.

    This section covers the following exam objectives:

    201. Explain the functions and operations of the Spanning Tree protocols (i.e., RSTP, PVRST, MISTP).

    202. Configure RSTP (PVRST) and MISTP.

    Common Spanning Tree (CST) Facts

    Common Spanning-Tree (CST) has one spanning-tree instance for the entire bridged network (regardless of the number of VLANs). CST details include the following:

    No load balancing is possible between switches in the network

    Switch CPU usage is low, because only one instance needs computation

    It can be used when only one Layer 2 topology is needed in the network

    Per-VLAN Spanning Tree (PVST) Facts

    Per-VLAN Spanning Tree Protocol (PVST) is a spanning-tree mode based on the 802.1d standard, but includes Cisco proprietary extensions. Per-VLAN Spanning Tree Plus (PVST+) provides the same functionality as PVST except that PVST+ uses 802.1Q trunking technology and is interoperable with CST and PVST. PVST+ characteristics include the following:

    Layer 2 load balancing for the VLAN on which it runs

    Each instance of PVST+ on a VLAN has a single root bridge

    Each active VLAN has its own instance of PVST+

    A short aging time for learned MAC address entries

    PVST+ is not supported on non-Cisco devices

    PVST+ is the default spanning-tree mode used on all Ethernet port-based VLANs

    Rapid Spanning Tree (RSTP) Facts

    Rapid Spanning Tree Protocol (RSTP) is based on the 802.1w standard and provides faster spanning tree convergence after a topology change. RSTP uses the following port states:

    RSTP Port State / STP Port State* / Description

    Discarding (STP: Disabled, Blocking, Listening)

        A port in discarding state:

            Discards frames received on the interface

            Discards frames switched from another interface for forwarding

            Does not learn MAC addresses

            Listens for BPDUs

    Learning (STP: Learning)

        A port in the learning state:

            Discards frames received on the interface

            Discards frames switched from another interface for forwarding

            Learns MAC addresses

            Listens for BPDUs

    Forwarding (STP: Forwarding)

        A port in the forwarding state:

            Receives and forwards frames received on the interface

            Forwards frames switched from another interface

            Learns MAC addresses

            Listens for BPDUs

    RSTP uses bridge and port roles similarly to STP:

    There is a single root bridge.

    Each segment has a single designated bridge. The port on the designated bridge is identified as the designated port. All ports on the root bridge are designated ports.

    Each designated bridge has a single port identified as the root port. The root port is the best path back to the root bridge. The root bridge is the only bridge that does not have a root port.

    Instead of having blocking ports, RSTP splits this role into two roles:

        An alternate port is the switch's best alternative to its current root port. An alternate port can be used to replace the root port if the root port fails.

        A backup port is the switch's alternative port connected to the same network segment as the designated port. A backup port provides an alternate path to the same segment, but not an alternate path back to the root bridge.

    Both port roles are in the blocking state.

    In addition to the port roles, RSTP uses the port type to determine whether to use advanced features that provide rapid convergence. These port types are:

    Port Type Description

    Point-to-point

        A point-to-point link is a port that connects only to another switch.

        The presence of full-duplex communication indicates a point-to-point link. Because the link has only a single connected switch, it can take advantage of RSTP improvements that help it recover quickly.

    Shared

        A shared link is a link with more than a single attached device.

        The presence of half-duplex communication indicates a shared link.

        Ports connected to shared links cannot use RSTP improvements.

    Edge

        An edge port is a port that is not connected to another switch.

        Because the edge port does not have a switch, the possibility of a loop is eliminated.

        Edge ports can be put into the forwarding state immediately.

        If the port receives a BPDU, it treats the port as a point-to-point or shared link.

    Be aware of the following details:

    When any RSTP port receives a legacy 802.1D BPDU, it falls back to legacy STP and the inherent fast convergence benefits of 802.1w are lost.

    The rapid convergence features of RSTP combined with PVST+ form Rapid PVST+. Rapid PVST+ is one of the three STP modes available on Cisco switches.

    Multiple STP (MSTP) Facts

    Multiple STP (MSTP) is an IEEE standard (802.1s) which allows several VLANs to be mapped to a reduced number of spanning-tree instances. MSTP characteristics include the following:

        Supports a large number of VLANs mapped to spanning-tree MSTP instances

        CPU usage is low regardless of the number of VLANs, because only the configured instances are processed

        Layer 2 load balancing for the instances

    An MSTP region is a group of interconnected bridges that have the same MSTP configuration. The configuration includes the name of the region, the revision number, and the MSTP VLAN-to-instance assignment map. There is no limit on the number of MSTP regions in the network. If you connect two MSTP regions with different MSTP configurations, the MSTP regions do the following:

        Load balance across redundant paths in the network. If two MSTP regions are redundantly connected, all traffic flows on a single connection with the MSTP regions in a network.

        Provide an RSTP handshake to enable rapid connectivity between regions. However, the handshaking is not as fast as between two bridges. To prevent loops, all the bridges inside the region must agree upon the connections to other regions. This situation introduces a delay.

    Be aware of the following MSTP details:

        The switch supports up to 65 MSTP instances. Instances can be identified by any number in the range from 0 to 4094.

        A VLAN assignment can be to only one spanning tree instance at a time.

        MSTP instances are significant to the local region only, and are independent of other MSTP regions.

        Instance 0, the Internal Spanning-Tree (IST), is reserved for interacting with other Spanning-Tree Protocols and other MSTP regions. An IST instance is capable of representing the entire MSTP region to external networks.

        When the switch is in the MSTP mode, the Rapid Spanning Tree Protocol (RSTP) is automatically enabled.

    RSTP and MSTP Command List

    The following table lists commands you would use to configure RSTP (RPVST+) and MST:

    Use... To...

    Switch(config)#spanning-tree mode rapid-pvst

        Set the spanning tree mode to Rapid PVST+.

    Switch(config)#spanning-tree mode mst

        Set the spanning tree mode to Multiple Spanning Tree (MSTP).

    Switch(config)#spanning-tree vlan <vlan-id> priority <priority>

        Manually set the bridge priority number in Rapid PVST+.

    Switch(config)#spanning-tree vlan <vlan-id> root primary

        Force the switch to be the root of the spanning tree in Rapid PVST+.

    Switch(config)#spanning-tree vlan <vlan-id> root secondary

        Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails in Rapid PVST+.

    Switch(config)#spanning-tree mst configuration

        Enter MSTP configuration mode.

    Switch(config-mst)#name <name>

        Set the configuration name for the region. All switches must share the same MSTP name to participate in the same MSTP instances.

    Switch(config-mst)#revision <version>

        Set the configuration revision number for the region.

        Note: The revision number is not automatically incremented when a new configuration is committed.

    Switch(config-mst)#instance <instance-id> vlan <vlan-id>
    Switch(config-mst)#instance <instance-id> vlan <vlan-id>,<vlan-id>
    Switch(config-mst)#instance <instance-id> vlan <vlan-id>-<vlan-id>

        Map VLANs to an MSTP instance.

    Switch(config)#spanning-tree mst <instance-id> priority <priority>

        Manually set the bridge priority number in MSTP.

    Switch(config)#spanning-tree mst <instance-id> root primary

        Force the switch to be the root of the spanning tree in MSTP.

    Switch(config)#spanning-tree mst <instance-id> root secondary

        Force the switch to be the secondary root (backup) of the spanning tree if the root switch fails in MSTP.

    Switch(config)#no spanning-tree mst configuration

        Return to the default MSTP region configuration.

    Examples

    The following commands enable Rapid PVST+ for the switch and set the bridge priority to a lower value than the default:

    Switch(config)#spanning-tree mode rapid-pvst
    Switch(config)#spanning-tree vlan 1 priority 4096

    The following commands create the Sales MSTP region, map VLANs 2, 5, and 10 to instance 3, map VLANs 6, 7, and 8 to instance 4, and provide a revision number of 1 to the region:

    Switch(config)#spanning-tree mode mst
    Switch(config)#spanning-tree mst configuration
    Switch(config-mst)#name Sales
    Switch(config-mst)#revision 1
    Switch(config-mst)#instance 3 vlan 2,5,10
    Switch(config-mst)#instance 4 vlan 6,7,8
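Region membership as the MSTP facts above define it (same region name, revision number and VLAN-to-instance map), checked by parsing the config-mst commands from the Sales example, as an added Python example that is not part of the original notes. `parse_mst_config`, `region_digest` and `same_region` are names chosen here; the fingerprint is a plain SHA-256 over the three configuration elements for local comparison, not the configuration digest a switch carries in its BPDUs. It also enforces the limits the notes state: instance numbers 0 to 4094, at most 65 instances, and one instance per VLAN at a time. The second configuration, with the revision bumped to 2, is constructed to show why the note about the revision number matters: an identical map under a different revision is a different region.

```python
import hashlib

MAX_INSTANCES = 65               # the notes: up to 65 MSTP instances per switch
INSTANCE_RANGE = range(0, 4095)  # instance numbers 0..4094
VLAN_RANGE = range(1, 4095)      # assumed usable VLAN range for the map


def parse_vlan_list(spec):
    """'2,5,10' -> {2, 5, 10}; '6-8' -> {6, 7, 8}; both forms may be mixed."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_mst_config(lines):
    """Parse config-mst commands (with or without the Switch(...)# prompt) into
    the three things that define a region: name, revision and VLAN map."""
    name, revision, vlan_map = None, 0, {}
    for line in lines:
        cmd = line.strip().split("#", 1)[-1]
        tokens = cmd.split()
        if not tokens or tokens[0] == "spanning-tree":
            continue   # mode/entry commands carry no region data
        if tokens[0] == "name":
            name = " ".join(tokens[1:])
        elif tokens[0] == "revision":
            revision = int(tokens[1])
        elif tokens[0] == "instance" and len(tokens) == 4 and tokens[2] == "vlan":
            instance = int(tokens[1])
            if instance not in INSTANCE_RANGE:
                raise ValueError(f"instance {instance} outside 0-4094")
            for vlan in parse_vlan_list(tokens[3]):
                if vlan not in VLAN_RANGE:
                    raise ValueError(f"VLAN {vlan} out of range")
                vlan_map[vlan] = instance   # a VLAN belongs to one instance at a time
        else:
            raise ValueError(f"unrecognised config-mst command: {cmd}")
    if len(set(vlan_map.values()) | {0}) > MAX_INSTANCES:
        raise ValueError("more than 65 instances configured")
    return {"name": name, "revision": revision, "vlan_map": vlan_map}


def region_digest(cfg):
    """Fingerprint of name, revision and the complete VLAN-to-instance table
    (unmapped VLANs belong to instance 0, the IST). Two switches are in the
    same region only when all three agree. Plain SHA-256 for local comparison,
    not the digest a switch carries in its BPDUs."""
    table = ",".join(f"{v}:{cfg['vlan_map'].get(v, 0)}" for v in VLAN_RANGE)
    return hashlib.sha256(f"{cfg['name']}|{cfg['revision']}|{table}".encode()).hexdigest()


def same_region(a, b):
    return region_digest(a) == region_digest(b)


# The Sales region exactly as the notes configure it.
SALES_CONFIG = [
    "Switch(config)#spanning-tree mode mst",
    "Switch(config)#spanning-tree mst configuration",
    "Switch(config-mst)#name Sales",
    "Switch(config-mst)#revision 1",
    "Switch(config-mst)#instance 3 vlan 2,5,10",
    "Switch(config-mst)#instance 4 vlan 6,7,8",
]
# Constructed peer: same name and map, but the revision was bumped to 2.
SALES_REV2_CONFIG = [l.replace("revision 1", "revision 2") for l in SALES_CONFIG]

if __name__ == "__main__":
    sales = parse_mst_config(SALES_CONFIG)
    print(sales)
    print("same region as the revision-2 peer:",
          same_region(sales, parse_mst_config(SALES_REV2_CONFIG)))
```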

    Optional STP Features and UDLD

    As you study this section, answer the following questions:

    Which optional STP feature helps to prevent loops on a port where Port Fast is enabled?

    What will be the response if a switch receives a BPDU after being globally enabled with BPDU guard?

    What is the difference between globally-enabled BPDU filtering and per-port-enabled BPDU filtering?

    Which optional STP feature provides an alternate path back to the root bridge if the root port or link goes down?

    How does BackboneFast detect failures on indirect links or connections?

    What happens when a switch sends a superior BPDU to a root guard enabled interface?

    Which UDLD mode will make up to eight attempts before changing the port state to the err-disabled state?

    After finishing this section, you should be able to complete the following tasks:

    Given a scenario, configure Port Fast on access ports.

    Given a scenario, configure a switch to use Port Fast BPDU filtering.

    Secure the STP topology by configuring FastEthernet ports with Root Guard.

    Protect a spanning tree topology with Loop Guard.

    Within a hierarchical network, configure UplinkFast.

    Within a hierarchical network, configure BackboneFast.

    This section covers the following exam objectives:

    203. Describe and configure STP security mechanisms (i.e., BPDU Guard, BPDU Filtering, Root Guard).

    204. Configure and Verify UDLD and Loop Guard.

    Optional STP Feature Facts

    The biggest disadvantage of STP is that it is slow to respond to topology changes. With a linkfailure, convergence could take up to 30 seconds. By optimizing switch settings, this delaycould be reduced to about 14 seconds, but even this was too long.

    To improve convergence (to about 1 second) and fine tune STP, Cisco introduced thefollowing proprietary features:

Feature: Description

Port Fast
Port Fast forces an access port (or, with the trunk keyword, a trunk port) to transition immediately to the spanning tree forwarding state. A port with no switch or hub attached cannot form a bridging loop, so it does not need to pass through the listening and learning states. Port Fast is enabled globally on the switch or per interface. A Port Fast port still sends and receives BPDUs; if it receives one, it loses its Port Fast status and goes through the normal states.

Note: Port Fast affects all VLANs on an interface.

BPDU guard
BPDU guard disables an interface (moves it to the err-disable state) when a BPDU is received on it. It is used, for example in a service-provider network, to prevent an access port from participating in the spanning tree, and it is the control that stops a switch plugged into a user port from joining the topology. BPDU guard is enabled globally on the switch or per interface:
- If globally enabled, the switch configures each Port Fast-configured interface to shut down if a BPDU is received. Port Fast-configured interfaces are meant for workstations and servers, devices which do not generate BPDUs.
- If enabled on an interface, the interface is also configured to shut down if a BPDU is received. The difference is that the interface does not need to be Port Fast-enabled.

Note: You must manually re-enable a port that is put into the err-disable state (shutdown, then no shutdown), or configure automatic recovery with errdisable recovery cause bpduguard and errdisable recovery interval.

BPDU filtering
BPDU filtering keeps the switch from sending and receiving BPDUs on an interface, so the workstation or server connected to the interface does not receive unnecessary traffic. BPDU filtering is enabled globally on the switch or per interface:
- If globally enabled, the switch configures each Port Fast-configured interface to return to normal STP operation if the port receives a BPDU. The port immediately loses its Port Fast status, and BPDU filtering is disabled on it.
- If enabled on a per-port basis, the switch drops all BPDUs it receives on the port and does not send BPDUs.

Note: Enabling BPDU filtering on an interface is the same as disabling spanning tree on the interface and may result in bridging loops. Because per-port filtering also silently discards the BPDUs of any switch someone plugs into that port, BPDU guard is the safer choice on user-facing ports.

UplinkFast
UplinkFast enables a switch to maintain an alternate path back to the root bridge. If the root port or link goes down, the alternate port can be used to quickly re-establish communication with the root bridge. The alternate port transitions to the forwarding state immediately without going through the listening and learning states. Be aware of the following details:
- An uplink group is a set of Layer 2 interfaces (per VLAN), only one of which is forwarding at any given time.
- An uplink group consists of the root port (which is forwarding) and a set of blocked ports, except for self-looping ports.
- The uplink group provides an alternate path in case the currently forwarding link fails.
- When enabled, UplinkFast raises the switch's bridge priority to 49152 and adds 3000 to its port path costs, so that the switch is unlikely to become the root or a transit switch.

Note: UplinkFast is useful on access layer switches with a limited number of active VLANs. UplinkFast should not be enabled on backbone or distribution layer switches.

BackboneFast
BackboneFast detects failures on indirect links or connections in the core (or backbone) layer of a hierarchical network. Be aware of the following details:
- BackboneFast reduces the default convergence time in situations where the root port is lost and the backup link leads through a different switch.
- BackboneFast is a complementary feature to UplinkFast.
- When a switch receives an inferior BPDU from the designated port of another switch (other than the root bridge), the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. An inferior BPDU identifies a switch that declares itself to be both the root bridge and the designated switch.
  - If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
  - If the inferior BPDU arrives on the root port, all blocked interfaces become alternate paths to the root switch.
  - If the inferior BPDU arrives on the root port and there are no blocked interfaces, the switch assumes that it has lost connectivity to the root switch, causes the maximum aging time on the root port to expire, and becomes the root switch according to normal spanning-tree rules.
- BackboneFast verifies the alternate paths by sending Root Link Query (RLQ) BPDUs toward the root, which is why it must be enabled on every switch in the network.

Root Guard
Root guard secures the STP topology by forcing an interface to remain a designated port, which prevents the switches beyond it from becoming the root switch during network anomalies (such as a new switch being added to the topology, whether by mistake or by an attacker). Be aware of the following details:
- If a switch sends superior BPDUs to an interface with root guard enabled, the interface is blocked (changed to the root-inconsistent state) and stops forwarding until the superior BPDUs stop.
- Recovery is automatic: once the offending device ceases to send superior BPDUs and the held BPDU ages out, the port returns to normal operation. No manual intervention is needed, unlike BPDU guard.
- Root guard is configured on a per-interface basis.
- If the switch is running Multiple Spanning Tree (MSTP), root guard forces the interface to be a designated port.
- Root guard enabled on an interface applies to all the VLANs to which the interface belongs.
- VLANs can be grouped and mapped to an MSTP instance.
- Do not enable root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. If root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent (blocked) state and are prevented from reaching the forwarding state.
- The current design recommendation is to enable root guard on all access ports, and more generally on any port through which the root bridge should never be reachable, so that a root bridge is not established through these ports.

Loop Guard
Loop guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. A port in the blocking state relies on the continuous reception of BPDUs from the root bridge. If no BPDU is received before the max age timer expires, STP assumes the topology is loop-free and transitions the port through the listening, learning, and forwarding states. If the BPDUs stopped only because the receive direction of the link failed while the transmit direction still works, the port goes forwarding and a loop forms. If a non-designated port stops receiving BPDUs when loop guard is enabled, STP places the port in the loop-inconsistent state instead of moving it through the listening, learning, and forwarding states.

Be aware of the following details:
- Loop guard is most effective when it is configured on the entire switched network.
- When you enable loop guard globally, the switch enables it only on point-to-point (full-duplex) ports.
- When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
- Loop guard and root guard cannot both be enabled on the same interface at the same time.
- A loop-inconsistent port recovers automatically as soon as it receives BPDUs again.
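The decision logic behind BPDU guard, Port Fast and root guard, as an added example for these notes (this is a model written for this page, not Cisco IOS code). It assumes 802.1D bridge ID ordering and BPDU comparison rules, uses the IOS state names, and the switch names, priorities and MAC addresses are made up:

```python
"""Model of how Port Fast, BPDU guard and root guard react to a received BPDU.

Added example for these notes; not Cisco code. Bridge IDs and BPDU fields
follow 802.1D, the port states use the IOS names (err-disabled,
root-inconsistent), and the sample bridges and MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge ID: 2-byte priority (with the extended system ID) then the
    6-byte MAC. Tuple ordering gives the election rule: lowest priority wins,
    ties go to the lowest MAC. The MAC must be lowercase dotted hex as IOS
    prints it, so that string comparison is numeric comparison."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int

    def key(self):
        # 802.1D comparison order; the lower tuple is the better (superior) BPDU
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port_id)


def is_superior(candidate: Bpdu, incumbent: Bpdu) -> bool:
    """True when candidate would replace incumbent as the best BPDU, i.e. when
    the port receiving it would start electing a new root through itself."""
    return candidate.key() < incumbent.key()


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent
    portfast_active: bool = field(init=False, default=False)

    def __post_init__(self):
        self.portfast_active = self.portfast


def receive_bpdu(port: Port, bpdu: Bpdu, best_known: Bpdu) -> str:
    """Apply the guard features in the order IOS applies them. best_known is
    the BPDU the switch currently holds from its root port."""
    if port.state == "err-disabled":
        return "err-disabled"            # stays down until an admin recovers it
    if port.bpdu_guard:
        port.state = "err-disabled"      # any BPDU at all means a switch is attached
        return "bpduguard: err-disabled"
    result = "accepted"
    if port.portfast_active:
        port.portfast_active = False     # back to listening/learning like any port
        result = "portfast-lost"
    if port.root_guard and is_superior(bpdu, best_known):
        port.state = "root-inconsistent" # refuse to make this a root port; block it
        return "rootguard: root-inconsistent"
    return result


def bpdu_timeout(port: Port) -> str:
    """The BPDU held on the port aged out (max age expired). Root guard recovers
    on its own once superior BPDUs stop; BPDU guard does not: that is the
    operational difference between the two features."""
    if port.state == "root-inconsistent":
        port.state = "forwarding"
    return port.state


# Constructed topology: the intended root has priority 4096; an unauthorised
# switch appears with priority 0, which is better and would win the election.
LEGIT_ROOT = BridgeId(4096, "0011.2233.4455")
BEST_KNOWN = Bpdu(LEGIT_ROOT, 0, LEGIT_ROOT, 0x8001)
ROGUE = BridgeId(0, "ccdd.eeff.0011")
ROGUE_BPDU = Bpdu(ROGUE, 0, ROGUE, 0x8001)
# An ordinary downstream switch that still agrees on our root (inferior BPDU)
DOWNSTREAM_BPDU = Bpdu(LEGIT_ROOT, 19, BridgeId(32768, "aaaa.bbbb.cccc"), 0x8002)


def demo() -> dict:
    """Send the rogue BPDU into differently protected ports."""
    guarded = Port("Fa0/12", portfast=True, bpdu_guard=True)   # user port
    root_guarded = Port("Gi0/1", root_guard=True)               # downstream uplink
    unprotected = Port("Fa0/13", portfast=True)                 # Port Fast only
    out = {
        "bpduguard": receive_bpdu(guarded, ROGUE_BPDU, BEST_KNOWN),
        "rootguard": receive_bpdu(root_guarded, ROGUE_BPDU, BEST_KNOWN),
        "rootguard_inferior": receive_bpdu(Port("Gi0/2", root_guard=True),
                                           DOWNSTREAM_BPDU, BEST_KNOWN),
        "portfast_only": receive_bpdu(unprotected, ROGUE_BPDU, BEST_KNOWN),
    }
    out["rootguard_after_timeout"] = bpdu_timeout(root_guarded)
    out["bpduguard_after_timeout"] = bpdu_timeout(guarded)
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:25s} {outcome}")
```

The point the model makes is the one the table above makes in prose: a port with only Port Fast accepts the rogue's BPDU and simply falls back to normal STP (the rogue becomes root), a root-guard port blocks it and recovers by itself when the superior BPDUs stop, and a BPDU-guard port is err-disabled and stays that way until someone recovers it.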

UDLD Facts

Unidirectional Link Detection (UDLD) is a Cisco Layer 2 protocol which detects, and may disable, ports when traffic transmitted by the local device over a link is received by the neighbor but traffic transmitted from the neighbor is not received by the local device. This situation typically arises with a faulty Gigabit Interface Converter (GBIC) or interface, a software malfunction, a hardware failure (such as one broken fiber strand), or other anomalous behavior.

UDLD works with the Layer 1 mechanisms to learn the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as learning the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. UDLD works by exchanging hello messages that name the sending device and port and echo back the neighbors already heard; a link is declared bidirectional only when a switch sees its own identity echoed by its neighbor.

UDLD supports two modes of operation:

Mode: Description

Normal
In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. The Layer 1 mechanisms do not detect this misconnection. While operating in normal mode:
- If the Layer 1 mechanism remains up under unidirectional link conditions (the port hears a neighbor, but the neighbor's echo names a different port, which is what miswired fiber strands look like), an error message is displayed and the port changes to the err-disabled state.
- If one side of a link has a port stuck (both TX and RX), UDLD does not take any action, and the logical link is considered undetermined.
- If one side of the link remains up while the other side has gone down, UDLD does not take any action, and the logical link is considered undetermined.

Aggressive
In aggressive mode, UDLD can also detect and disable unidirectional links due to one or both of the following:
- One-way traffic on fiber-optic and twisted-pair links. One-way traffic may occur when:
  - One of the ports cannot send or receive traffic
  - One of the ports is down while the other is up
  - One of the fiber strands is disconnected
- Misconnected ports on fiber-optic links

While operating in aggressive mode, UDLD tries to re-establish the connection for all of the issues listed above, sending one message per second. If the connection is not re-established after eight attempts, an error message is displayed and the port state changes to the err-disabled state. Aggressive mode is therefore the mode to use where a unidirectional link would otherwise let a blocked STP port move to forwarding.

The following table shows common commands to configure UDLD.

Use... To...

switch(config)#udld enable
Configure the global UDLD setting on the switch to normal mode.

switch(config)#udld aggressive
Configure the global UDLD setting on the switch to aggressive mode.

switch(config-if)#udld port
Enable normal mode UDLD on the interface. On some platforms this command does not appear in the CLI unless a GBIC is installed in the port you are trying to enable. An individual interface configuration overrides the setting of the udld enable global configuration command.

switch(config-if)#udld port aggressive
Enable aggressive mode UDLD on the interface.

switch(config)#errdisable recovery cause udld
Enable the timer to automatically recover from the UDLD error-disabled state.

switch(config)#errdisable recovery interval <seconds>
Specify the time to recover from the UDLD error-disabled state.

switch#udld reset
Reset all the ports that are shut down by UDLD and permit traffic to begin passing through them again.

switch#show udld
switch#show udld <interface>
Display the UDLD status for all ports or for the specified port.

Be aware of the following:
- When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.
- Globally enabling UDLD on the switch only affects fiber-optic ports. For twisted-pair ports, UDLD must be configured on the interface.
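The echo mechanism and the two modes described above, as an added example for these notes (a model written for this page, not Cisco code). The hello format is a simplification of the real UDLD message (sender identity plus the echo list of neighbors heard, without the actual TLV encoding), the eight-probe limit is the aggressive-mode behavior described above, and the switch and port names are made up:

```python
"""Model of the UDLD echo mechanism in normal and aggressive mode.

Added example for these notes, not Cisco code. The Hello message is a
simplification of the UDLD hello (sender ID plus the echo list of neighbours
heard), not the real TLV encoding; device and port names are constructed.
"""
from dataclasses import dataclass
from typing import ClassVar, Optional, Tuple

Ident = Tuple[str, str]   # (device ID, port ID)


@dataclass(frozen=True)
class Hello:
    sender: Ident
    echo: Tuple[Ident, ...]   # neighbours the sender currently hears


@dataclass
class UdldPort:
    device: str
    port: str
    mode: str = "normal"           # normal | aggressive
    state: str = "undetermined"    # undetermined | bidirectional | err-disabled
    neighbor: Optional[Ident] = None
    missed: int = 0
    MAX_RETRIES: ClassVar[int] = 8   # aggressive-mode probes before shutting down

    @property
    def me(self) -> Ident:
        return (self.device, self.port)

    def hello(self) -> Hello:
        return Hello(self.me, (self.neighbor,) if self.neighbor else ())

    def on_hello(self, h: Hello) -> str:
        """A hello arrived on our receive side, so at least that direction works."""
        if self.state == "err-disabled":
            return self.state
        self.missed = 0
        self.neighbor = h.sender
        if not h.echo:
            self.state = "undetermined"      # neighbour has not heard anyone yet
        elif self.me in h.echo:
            self.state = "bidirectional"     # our transmit reaches the neighbour
        else:
            # The neighbour hears some port, but not ours: our transmit strand is
            # plugged into a different port (miswiring). Both modes err-disable.
            self.state = "err-disabled"
        return self.state

    def on_timeout(self) -> str:
        """Hold timer expired without a hello: our receive side has gone quiet."""
        if self.state == "err-disabled":
            return self.state
        if self.mode == "aggressive":
            self.missed += 1                 # one probe per second, eight in total
            if self.missed >= self.MAX_RETRIES:
                self.state = "err-disabled"
        else:
            self.state = "undetermined"      # normal mode only records the doubt
        return self.state


def exchange(a: UdldPort, b: UdldPort) -> None:
    """One round of hellos in each direction over a healthy link."""
    a.on_hello(b.hello())
    b.on_hello(a.hello())


def healthy_link(mode: str = "normal") -> Tuple[str, str]:
    a, b = UdldPort("SW-A", "Gi1/0/1", mode), UdldPort("SW-B", "Gi1/0/1", mode)
    for _ in range(2):          # the second round carries the echoes back
        exchange(a, b)
    return a.state, b.state


def receive_strand_fails(mode: str) -> str:
    """SW-A's receive fibre goes dark after the link came up; SW-B still hears SW-A."""
    a, b = UdldPort("SW-A", "Gi1/0/1", mode), UdldPort("SW-B", "Gi1/0/1", mode)
    for _ in range(2):
        exchange(a, b)
    for _ in range(UdldPort.MAX_RETRIES):
        b.on_hello(a.hello())   # one-way traffic continues towards SW-B
        a.on_timeout()          # nothing arrives at SW-A
    return a.state


def miswired_fibre() -> str:
    """SW-A Gi1/0/1 transmits to SW-B Gi1/0/1, but SW-B's transmit strand lands on
    SW-A Gi1/0/2. Layer 1 is up on every port, yet no port has a two-way link."""
    a1 = UdldPort("SW-A", "Gi1/0/1")
    a2 = UdldPort("SW-A", "Gi1/0/2")
    b1 = UdldPort("SW-B", "Gi1/0/1")
    for _ in range(2):
        b1.on_hello(a1.hello())
        a2.on_hello(b1.hello())   # the echo names Gi1/0/1, not Gi1/0/2
    return a2.state


if __name__ == "__main__":
    print("healthy:", healthy_link())
    print("one-way, normal:", receive_strand_fails("normal"))
    print("one-way, aggressive:", receive_strand_fails("aggressive"))
    print("miswired:", miswired_fibre())
```

The three scenarios correspond to the rows of the mode table: a miswired fiber is caught in either mode because the echo names the wrong port, while a link that simply goes quiet in one direction is only marked undetermined in normal mode and is err-disabled in aggressive mode after the eighth unanswered probe.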

Optional STP Feature Command List

The following table shows common commands to configure advanced STP features.

Use... To...

switch(config-if)#spanning-tree portfast
Configure the Port Fast feature on a specific interface.
Note: This command is for an edge-type interface. If configured on an interface which is not connected to an end workstation or server, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.

switch(config-if)#spanning-tree portfast trunk
Enable the Port Fast feature on the interface even in trunk mode (for example, a trunk to a server that uses several VLANs).

switch(config-if)#spanning-tree portfast disable
Disable the Port Fast feature on the interface.

switch(config-if)#spanning-tree bpdufilter enable
switch(config-if)#spanning-tree bpdufilter disable
Enable or disable BPDU filtering on the specified interface.
Note: By default, BPDU filtering is disabled on the interface. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in bridging loops.

switch(config-if)#spanning-tree bpduguard enable
switch(config-if)#spanning-tree bpduguard disable
Enable or disable BPDU guard on the specified interface. Enabling BPDU guard puts the interface in the error-disabled state when it receives a bridge protocol data unit (BPDU).

switch(config)#spanning-tree portfast default
Configure the Port Fast feature on all non-trunking interfaces (i.e. access ports). The Port Fast feature immediately transitions the interface to the spanning tree forwarding state.
Note: Configuring Port Fast on interfaces connected to hubs, concentrators, switches, and bridges can cause temporary bridging loops.

switch(config)#spanning-tree portfast bpdufilter default
Configure the BPDU filter on all Port Fast-enabled interfaces by default.
- This prevents the switch interface from sending or receiving BPDUs.
- The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
- If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast operational status and BPDU filtering is disabled.

switch(config)#spanning-tree portfast bpduguard default
Configure BPDU guard on all Port Fast-enabled interfaces on the switch. Any such interface that receives a BPDU is placed in the error-disabled state.

switch(config)#spanning-tree uplinkfast
Configure the UplinkFast feature on an access layer switch.
Note: When you configure Rapid PVST+, disable UplinkFast (and BackboneFast). Similar functionality is built into Rapid Spanning Tree (RSTP).

switch(config)#spanning-tree backbonefast
Configure the BackboneFast feature on a switch. If you use BackboneFast, you must enable it on all switches in the network.

switch(config-if)#spanning-tree guard root
Configure the Root Guard feature on the interface.

switch(config)#spanning-tree loopguard default
Configure the Loop Guard feature on the switch (on all point-to-point links). Do not enable loop guard:
- On Port Fast-enabled or dynamic VLAN ports
- If root guard is enabled
- On ports that are connected to a shared link

switch(config-if)#spanning-tree guard loop
Configure the Loop Guard feature on the interface.

Examples
The following commands enable Port Fast on two ports and globally enable BPDU guard on all Port Fast-enabled ports:

Switch(config)#int fa0/12
Switch(config-if)#spanning-tree portfast
Switch(config-if)#int fa0/13
Switch(config-if)#spanning-tree portfast
Switch(config-if)#exit
Switch(config)#spanning-tree portfast bpduguard default

Verifying STP Configurations

As you study this section, answer the following questions:

- Which command displays whether Loop Guard, UplinkFast, BPDU Filter, and BPDU Guard are enabled?
- How can you verify that spanning tree is working?
- How can you determine the root bridge within an STP topology?
- Where can you discover the root bridge's priority and MAC address?

After finishing this section, you should be able to complete the following tasks:

- Given a scenario, verify STP information.
- Given a scenario, troubleshoot an STP topology.

This section covers the following exam objectives:

205. Verify or troubleshoot Spanning Tree protocol operations.

STP Show Command List

The following table shows common commands to display STP configurations:

Use... To...

switch#show spanning-tree
Show spanning tree configuration information including the following:
- Root bridge priority and MAC address
- The cost to the root bridge
- Local switch bridge ID and MAC address
- The role and status of all local interfaces
- The priority and number for each interface
To verify that spanning tree is working, look for an entry similar to the following for each VLAN:
Spanning tree enabled protocol ieee

switch#show spanning-tree active
Display STP information regarding active interfaces for all VLANs.

switch#show spanning-tree detail
Display detailed STP information for all VLANs configured on a switch.

switch#show spanning-tree interface <interface>
switch#show spanning-tree interface <interface> detail
Display general and detailed STP information regarding the specified interface.

switch#show spanning-tree summary
Display STP summary information for each VLAN configured on a switch, including whether Port Fast, BPDU Guard, BPDU Filter, Loop Guard, UplinkFast and BackboneFast are enabled by default.

switch#show spanning-tree vlan <vlan-id>
Show summary STP information for the specified VLAN.

switch#show spanning-tree vlan <vlan-id> root
Show information about the root bridge for a specific VLAN. Information shown includes:
- The root bridge ID, including the priority number and the MAC address
- The cost to the root bridge from the local switch
- The local port that is the root port

switch#show spanning-tree vlan <vlan-id> bridge
Show spanning tree configuration information about the local switch for the specified VLAN. Information includes the local bridge ID, including the priority and MAC address.

switch#show spanning-tree backbonefast
Display the STP BackboneFast status and statistics.

switch#show spanning-tree uplinkfast
Display the STP UplinkFast status and statistics.

Note: A root bridge that changes unexpectedly (a different priority or MAC address in the Root ID section of show spanning-tree) is the first sign of a misconfigured or rogue switch; compare the output against the switch that is meant to be root.
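A parser for the show spanning-tree output described above, as an added example for these notes (not Cisco code). The SAMPLE text is constructed in the IOS PVST+ layout with made-up MAC addresses; the check at the end flags any VLAN whose elected root is not the switch that is supposed to be root, which is how a rogue or misconfigured root shows up in monitoring:

```python
"""Parse 'show spanning-tree' output and flag VLANs with an unexpected root.

Added example for these notes, not Cisco code. SAMPLE is constructed in the
IOS PVST+ layout; the MAC addresses and VLANs are made up.
"""
import re
from typing import Dict, List

SAMPLE = """\
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     0011.2233.4455
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aabb.ccdd.eeff

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/2               Altn BLK 19        128.2    P2p
Fa0/12              Desg FWD 19        128.12   P2p Edge

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     aabb.ccdd.eeff
             This bridge is the root

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     aabb.ccdd.eeff

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/2               Desg FWD 19        128.2    P2p
Fa0/12              Desg FWD 19        128.12   P2p Edge
"""

ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)")
BRIDGE_RE = re.compile(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", re.S)
ROOT_PORT_RE = re.compile(r"Port\s+\d+\s+\((\S+)\)")
PROTO_RE = re.compile(r"Spanning tree enabled protocol (\w+)")
IFACE_RE = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back|Mstr)\s+(FWD|BLK|LRN|LIS|LBK|BKN)\s+(\d+)\s+([\d.]+)\s+(.*?)\s*$",
    re.M,
)


def parse_show_spanning_tree(text: str) -> Dict[int, dict]:
    """Return one record per VLAN block of the output."""
    result = {}
    for block in re.split(r"(?m)^(?=VLAN\d+\s*$)", text):
        head = re.match(r"VLAN(\d+)", block)
        if not head:
            continue
        root = ROOT_RE.search(block)
        bridge = BRIDGE_RE.search(block)
        proto = PROTO_RE.search(block)
        port = ROOT_PORT_RE.search(block)
        root_prio = int(root.group(1))
        result[int(head.group(1))] = {
            "protocol": proto.group(1) if proto else None,
            "root_priority": root_prio,
            # Extended system ID: low 12 bits carry the VLAN, the rest the configured priority
            "root_base_priority": root_prio & 0xF000,
            "root_mac": root.group(2),
            "is_root": "This bridge is the root" in block,
            "root_port": port.group(1) if port else None,
            "bridge_priority": int(bridge.group(1)),
            "bridge_mac": bridge.group(2),
            "interfaces": {
                m.group(1): {"role": m.group(2), "state": m.group(3), "cost": int(m.group(4)),
                             "prio_nbr": m.group(5), "type": m.group(6)}
                for m in IFACE_RE.finditer(block)
            },
        }
    return result


def unexpected_roots(parsed: Dict[int, dict], expected_root_mac: str) -> List[int]:
    """VLANs where the elected root is not the switch that is supposed to be root,
    which is what a rogue or misconfigured switch with a lower priority produces."""
    return sorted(v for v, rec in parsed.items() if rec["root_mac"] != expected_root_mac)


def stp_disabled(parsed: Dict[int, dict]) -> List[int]:
    """VLANs missing the 'Spanning tree enabled protocol' line."""
    return sorted(v for v, rec in parsed.items() if rec["protocol"] is None)


if __name__ == "__main__":
    info = parse_show_spanning_tree(SAMPLE)
    for vlan, rec in info.items():
        print(vlan, rec["root_priority"], rec["root_mac"], "root port:", rec["root_port"])
    print("unexpected roots:", unexpected_roots(info, "aabb.ccdd.eeff"))
```

In the constructed sample the local switch (aabb.ccdd.eeff) is root for VLAN 20 but not for VLAN 10, where a bridge with priority 4096 (4106 minus the sys-id-ext of 10) has won the election; the same parse run against real output from a monitoring host turns a root change into an alert.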

***VLANs

As you study this section, answer the following questions:

6. What are the administrative advantages of creating VLANs?
7. Why are end-to-end VLANs more difficult to troubleshoot than local VLANs?
8. What is the difference between a static VLAN and a dynamic VLAN?
9. What two configuration steps must you take to manage a Layer 2 switch from a remote network?

After finishing this section, you should be able to complete the following tasks:

- Display the current VLAN configuration.
- Execute common VLAN configuration commands.
- Given a scenario, create a VLAN and assign port membership as assigned.
- Given a scenario, configure management VLAN settings.

This section covers the following exam objectives:

101. Explain the functions of VLANs in a hierarchical network.
102. Configure VLANs (e.g., Native, Default, Static and Access).

VLAN Facts

A virtual LAN (VLAN) can be defined as:
- Broadcast domains defined by switch port rather than network address
- A grouping of devices based on service need, protocol, or other criteria rather than physical proximity

Using VLANs lets you assign devices on different switch ports to different logical (or virtual) LANs. The following graphic shows a single-switch VLAN configuration.

Be aware of the following facts about VLANs:
- In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet ports 0/3 and 0/4 are members of VLAN 2.
- In the graphic above, workstations in VLAN 1 will not be able to communicate with workstations in VLAN 2, even though they are connected to the same physical switch, unless a router or Layer 3 switch routes between the VLANs.
- Defining VLANs creates additional broadcast domains. The above example has two broadcast domains, each of which corresponds to one of the VLANs.
- By default, switches come configured with several default VLANs: VLAN 1, VLAN 1002, VLAN 1003, VLAN 1004, and VLAN 1005. These cannot be deleted; VLANs 1002 through 1005 are reserved for legacy FDDI and Token Ring.
- On Cisco switches, the default VLAN configuration on a single port is VLAN 1. If no configuration changes are made on the switch, all ports are access ports in VLAN 1, and VLAN 1 is also the native VLAN on any trunk.

Creating VLANs with switches offers the following administrative benefits:
- You can isolate network failures to a particular subnet (within a single VLAN)
- You can simplify device moves (devices are moved to new VLANs by modifying the port assignment)
- You can control broadcast traffic and create broadcast domains based on logical criteria
- You can control security (isolate traffic within a VLAN); the boundary is only as strong as the switch configuration, so trunk negotiation and the native VLAN should be locked down on user-facing ports so that a host cannot hop into another VLAN
- You can load-balance network traffic (divide traffic logically rather than physically)

When designing VLANs in a hierarchical network, consider the following concepts:

Design concept: Description

End-to-End VLANs
End-to-end VLANs are VLANs that span throughout the entire network. End-to-end VLANs:
- Are associated with a workgroup, such as a department or team
- May span several wiring closets or even several buildings
- Are difficult to troubleshoot because they span the entire switched network

Local VLANs
Local VLANs are VLANs that are local to a specific domain, such as the building access submodule. Local VLANs (data and voice):
- Are limited to a single access switch within a wiring closet (the single switch should be configured with a limited number of VLANs)
- Should not be extended beyond the building distribution submodule
- Result in user traffic crossing a Layer 3 device to reach network resources
- Are easier to troubleshoot because they isolate traffic to a particular network segment

Note: When designing the VLAN configuration in a hierarchical network, the local VLAN concept is recommended.

VLANs are created through one of the following:

Type: Description

Static
Static VLANs are manually configured on the switch's physical interface using the command line. Static VLANs work well when network additions, changes, and moves are rare.
Note: By default, all ports are static-access ports assigned to VLAN 1.

Dynamic
Dynamic VLANs are assigned through a VLAN Management Policy Server (VMPS). The VMPS has a database of MAC addresses mapped to specific VLANs. When an incoming frame is first received on a port, the VMPS looks at the source MAC address, compares it to the database, and assigns the port to a particular VLAN. Be aware of the following dynamic VLAN details:
- The VMPS database is created by the network engineer and then uploaded to the switch acting as the VMPS server.
- A dynamic port can only belong to one VLAN at a time.
- Multiple hosts may be active on a dynamic port only if they all belong to the same VLAN.
- Because the assignment is keyed on the source MAC address, a host that spoofs a MAC address listed in the database is placed in that VLAN; VMPS is a convenience mechanism, not an authentication mechanism.
Note: Only some Cisco Catalyst switches support VMPS and dynamic VLANs.

VLAN Command List

To configure a simple VLAN, first create the VLAN, and then assign ports to that VLAN. The following table shows common VLAN configuration commands.

Use... To...

switch(config)#vlan <vlan-id>
switch(config-vlan)#name WORD
Define a VLAN. Giving the VLAN a name is optional. VLAN names must be unique.

switch(config)#no vlan <vlan-id>
Delete a VLAN. When you delete a VLAN, all ports assigned to the VLAN remain associated with the deleted VLAN, and are therefore inactive. You must reassign the ports to the appropriate VLAN.

switch(config-if)#switchport access vlan <vlan-id>
Assign the port to the VLAN.
Note: If you assign a port to a VLAN that does not exist, the VLAN is created automatically.

switch(config-if)#switchport mode access
Specify the interface as an unconditional access port (it will not negotiate a trunk with whatever is plugged into it).

switch#show vlan
switch#show vlan brief
Show a list of VLANs on the system.

switch#show vlan id <vlan-id>
Show information for a specific VLAN.

Example
The following commands create VLAN 12 named IS_VLAN, identify port 0/12 as having only workstations attached to it, and assign the port to VLAN 12:

switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 12

Management VLAN Configuration Facts

To manage the Layer 2 switch from a remote network, you will need to give VLAN 1 (the default management VLAN) an IP address, as well as configure the default gateway on the switch. Keep in mind the following facts about IP addresses configured on switches:
- Basic switches operate at Layer 2, and therefore do not need an IP address to function. In fact, a switch performs switching functions just fine without an IP address set.
- You only need to configure a switch IP address if you want to manage the switch from a Telnet, SSH or web session. Prefer SSH: Telnet and plain HTTP carry the login credentials in cleartext.
- A Layer 2 switch itself has only a single (active) IP address. Each switch port does not have an IP address (unless the switch is performing Layer 3 swit§ching). The IP address identifies the switch as a host on the network but is not required for switching functions.

To configure the switch IP address, you set the address on the VLAN 1 interface. This is a logical interface defined on the switch to allow management functions. Use the following commands to configure the switch IP address:

switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 1.1.1.1 255.255.255.0
switch(config-if)#no shutdown

To enable management from a remote network, you will also need to configure the default gateway. Use the following command in global configuration mode:

switch(config)#ip default-gateway 1.1.1.254

Note: You can use the ip address dhcp command to configure a switch to get its IP address from a DHCP server. The DHCP server can be configured to deliver the default gateway and DNS server addresses to the Cisco device as well. A manually configured default gateway address overrides any address received from DHCP.

Note: VLAN 1 is used here because it is the default. In production, management is normally moved to a dedicated VLAN (interface vlan <vlan-id>) that carries no user traffic, so that hosts in the user VLANs do not share a broadcast domain with the switch's management interface.


VLAN Trunking Protocol (VTP)

As you study this section, answer the following questions:

10. What two conditions on switches will not allow you to modify the VLAN configuration?
11. What is the easiest way to recover from losing the only VTP server?
12. Which type of VTP message is the most frequently sent by switches?
13. What happens when you add a switch to the network with a higher revision number to your VTP configuration?
14. How do you remove a VTP domain name?

After finishing this section, you should be able to complete the following tasks:

- Configure the VTP mode, domain, and password.
- Confirm the VTP status of a switch.

This section covers the following exam objectives:

104. Explain and configure VTP.

VTP Facts

The VLAN Trunking Protocol (VTP) simplifies VLAN configuration on a multi-switch network by propagating configuration changes to other switches. With VTP, switches are placed in one of the following three configuration modes.

Mode: Characteristics

Server
A switch in server mode is used to modify the VLAN configuration. On a server:
- Changes can be made to the VLAN configuration on the switch.
- The switch advertises VTP information to other switches in the domain.
- The switch updates its VLAN configuration from other switches in the domain.
- The switch saves the VLAN configuration in NVRAM.

Client
A switch in client mode receives changes from a VTP server and passes VTP information to other switches. On a client:
- Changes cannot be made to the VLAN configuration.
- The switch advertises VTP information to other switches in the domain.
- The switch updates its VLAN configuration from other switches in the domain.
- The switch does not save the VLAN configuration in NVRAM.

Transparent
A switch in transparent mode allows for local configuration of VLANs, but does not update its configuration based on the configuration of other switches. On a transparent switch:
- Changes can be made to the VLAN configuration on the switch.
- Local VLAN information is not advertised to other switches.
- VTP information received from other switches is passed through the switch. Note: With VTP version 1, the transparent switch only relays VTP information if it is in the same VTP domain or if it has a null (blank) VTP domain; with version 2 it relays advertisements regardless of the domain name.
- The switch does not update its VLAN configuration from other switches in the domain.
- The switch saves its VLAN configuration in NVRAM.

VTP message types include the following:

Type: Description

Summary
Summary advertisements inform adjacent switches of the current VTP domain name and the configuration revision number. By default, Catalyst switches send summary advertisements every five minutes, and immediately after a configuration change.

Subset
Subset advertisements are sent after a VLAN has been added, deleted, or changed on a switch in server mode. One or several subset advertisements follow the summary advertisement. A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement can be required in order to advertise all the VLANs.

Advertisement Request
Advertisement requests are sent by a switch (client or server) that needs the current VLAN database. A switch sends a VTP advertisement request in these situations:
- The switch has been reset.
- The VTP domain name has been changed.
- The switch has received a VTP summary advertisement with a higher configuration revision than its own.
Upon receipt of an advertisement request, a VTP device sends a summary advertisement. One or more subset advertisements follow the summary advertisement.

Keep in mind the following facts about VTP:
- By default, switches are preconfigured in server mode. If you do not intend to use VTP, configure each switch to use transparent mode.
- A VTP domain is one or several switches that share the same VTP environment. Catalyst switches only support a single VTP domain per switch.
- You can have multiple VTP servers in the same domain on the network. Changes made to any server are propagated to other client and server switches.
- To make VLAN changes on a switch, the switch must be in either server or transparent mode. You cannot modify the VLAN configuration if:
  - The switch is in client mode
  - The switch is in server mode and without a configured domain name
- VTP uses the following process for communicating updates:
  - VTP summary advertisement packets contain the domain name, an MD5 digest computed over the advertisement with the password folded in, and the revision number.
  - When a switch receives a summary packet, it compares the domain name in the packet with its own and verifies the MD5 digest using its own password. If the domain name or the digest does not match, the packet is dropped.
  - If the domain name and digest match, the switch compares the revision number in the packet with its own.
  - If the revision number in the packet is lower or equal, the packet is ignored. If it is higher, the switch sends an advertisement request for the latest updates.
  - When the updates are received, the VLAN configuration and the revision number are updated.
- If you lose your only VTP server, the easiest way to recover is to change one of the VTP clients to server mode. VLAN information and revision numbers remain the same.
- Switches must meet the following conditions before VTP information can be exchanged:
  - The switches must be connected by a trunk link (VTP is not used on access ports).
  - Switches must be in the same domain. Switches in different domains do not share or forward VTP information. Transparent switches must be in the same domain or have a null domain name to pass VTP information to other switches.
  - Passwords on each device must match. The password itself is not sent; it is mixed into the MD5 digest carried in each VTP advertisement. The receiving switch recomputes the digest with its configured password and only accepts the packet if the digests match. The password authenticates the packet contents as coming from a trusted source, so always set one: without a password, any device on a trunk that knows the domain name can inject a VLAN database.
- Connecting two switches with different VTP domains works only if you manually turn trunking on. DTP packets carry the VTP domain name, so only switches in the same domain can use DTP for automatic trunking configuration. Even when such a trunk is configured manually, VTP information will not be passed between switches in different domains.
- When you change the VLAN configuration on a server, the revision number is incremented. The revision number on a transparent switch remains at 0, even when changes are made to the VLAN configuration.
- All devices in the domain must use the same VTP version. By default, VTP version 2 is disabled. Only enable VTP version 2 if all devices support version 2.
- VTP pruning is a feature that eliminates or prunes unnecessary flooded traffic (broadcasts, multicasts and unknown unicasts). With pruning, a switch only forwards such traffic for a VLAN over trunks to switches that have ports assigned to that VLAN.

VTP Configuration Facts

The following table lists common VTP commands.

Use... To...

Switch(config)#vtp mode server
Switch(config)#vtp mode client
Switch(config)#vtp mode transparent
Configure the VTP mode of the switch.
Note: The default mode is server.

Switch(config)#vtp domain WORD
Configure the VTP domain of the switch.
- The default domain name is blank. All switches must be configured with the same domain name.
- A new VTP client switch (with a blank domain name) will automatically set its domain name based on the first VTP advertisement it receives; a server with a blank domain name does the same.
- A switch in transparent mode will not automatically set its domain name.

Switch(config)#vtp password WORD
Configure the VTP password of the switch.
- When a password is used, all switches in the same domain must use the same password.
- You must manually configure the VTP password on each switch; VTP never distributes it.

Switch(config)#vtp pruning
Reduce flooded traffic by forwarding it only over the trunks that lead to switches with ports in the VLAN concerned.
Note: Enabling or disabling VTP pruning on a server enables or disables it on all devices in the domain.

Switch#show vtp status
View the current VTP configuration of the switch (mode, domain, version, configuration revision and the MD5 digest).

Switch#show vtp password
View the current VTP password of the switch.

Be aware of the following when troubleshooting the VTP configuration:

If you add a switch to the network with a higher revision number (and the same domain name and password), the VLAN configuration on that switch overwrites the existing VLAN configuration on all other switches in the domain. This is true even if the switch you add is a client: client switches pass their configuration on to other switches, and that information updates any server or client switch with a lower revision number. VLANs that exist only in the old database are deleted and the ports assigned to them become inactive, so this mistake can take a production network down.

If you add a switch to the network with a lower revision number, the switch's configuration is modified to match the configuration currently used on the network. This is true even if the switch you add is a server.

To prevent disruptions to the existing configuration when adding new switches, reset the revision number on every new switch before connecting it to the network. The revision number resets to 0 each time you:

    Change the domain name.
    Change the VTP mode to transparent.

So, before adding a switch back into the network, change the domain name or set the mode to transparent, then change it back to the original setting, and confirm with show vtp status that the revision reads 0 before cabling the trunk.

Be sure to place switches in the same domain adjacent to each other through trunk links. If you insert a switch with a different domain name between two switches, VTP information will not be passed through the new switch. To correct this problem, use one of the following solutions:

    Modify the domain name on the new switch to match the existing switches.
    Move the new switch so that switches in the same domain are connected directly together.

Note: Once set, a domain name cannot be removed completely. In other words, once you have configured a VTP domain name, you can only change it to another name.
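The revision-number rules above, modelled as a small simulation. This is an added example, not Cisco code or anything from the original notes: switch names, VLAN names, the password and the use of SHA-256 as a stand-in for VTP's MD5 digest are all assumptions. It shows a stale client with a higher revision overwriting a production server, the same client after the reset procedure adopting the server's database, and a wrong password causing the advertisement to be ignored.

```python
"""VTP configuration-revision behaviour, modelled in Python (added example).

A server or client adopts an advertised VLAN database when the advertisement
carries the same domain, a matching password digest and a higher revision.
Transparent switches never adopt. Changing the domain name or switching to
transparent mode resets the revision to 0."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"          # server | client | transparent
    domain: str = ""              # the default domain name is blank
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def _digest(self):
        # Assumption: stand-in for VTP's MD5 digest over domain and password.
        return hashlib.sha256(f"{self.domain}/{self.password}".encode()).hexdigest()

    def add_vlan(self, vid, vlan_name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a client cannot change VLANs")
        self.vlans[vid] = vlan_name
        if self.mode == "server":      # transparent switches stay at revision 0
            self.revision += 1

    def set_domain(self, domain):
        self.domain = domain
        self.revision = 0              # changing the domain name resets the revision

    def set_mode(self, mode):
        if mode == "transparent":
            self.revision = 0          # going transparent resets the revision
        self.mode = mode

    def reset_revision(self):
        """The safe-add procedure from the notes: bounce through transparent."""
        original = self.mode
        self.set_mode("transparent")
        self.set_mode(original)

    def advertisement(self):
        return {"domain": self.domain, "digest": self._digest(),
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply a summary advertisement; True if the VLAN database was replaced."""
        if self.mode == "transparent":
            return False
        if self.mode == "client" and self.domain == "":
            self.domain = adv["domain"]    # a blank-domain client learns the domain
        if adv["domain"] != self.domain or adv["digest"] != self._digest():
            return False                   # wrong domain or password: ignored
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False


def connect(a, b):
    """Bring up a trunk between a and b; return names of switches whose
    VLAN database was overwritten by the other side."""
    overwritten = []
    if b.receive(a.advertisement()):
        overwritten.append(b.name)
    if a.receive(b.advertisement()):
        overwritten.append(a.name)
    return overwritten


def production_server():
    core = VtpSwitch("core", "server", "CORP", "s3cret")
    for vid, vlan_name in [(10, "users"), (20, "servers"), (30, "voice")]:
        core.add_vlan(vid, vlan_name)        # revision ends at 3
    return core


def stale_lab_client():
    # Constructed: a client from a lab where VLANs were edited 7 times.
    return VtpSwitch("lab", "client", "CORP", "s3cret", revision=7,
                     vlans={1: "default", 99: "lab-only"})


def unsafe_join():
    """Cable the stale client straight in: its higher revision wins, even as a client."""
    core, lab = production_server(), stale_lab_client()
    return connect(lab, core), sorted(core.vlans), core.revision


def safe_join():
    """Reset the revision first: the production database wins and the client adopts it."""
    core, lab = production_server(), stale_lab_client()
    lab.reset_revision()
    return connect(lab, core), sorted(lab.vlans), lab.revision


def wrong_password_join():
    """Same stale client with a different VTP password: advertisements are ignored."""
    core, lab = production_server(), stale_lab_client()
    lab.password = "other"
    return connect(lab, core), sorted(core.vlans)


if __name__ == "__main__":
    print("unsafe:", unsafe_join())             # (['core'], [1, 99], 7): production VLANs gone
    print("safe:", safe_join())                 # (['lab'], [1, 10, 20, 30], 3)
    print("wrong password:", wrong_password_join())   # ([], [1, 10, 20, 30])
```

The password check matters in practice: a domain password does not stop a switch that was configured with the correct password in the lab, which is exactly the stale-client case, so the revision reset is the control to rely on.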

VLAN Trunking

As you study this section, answer the following questions:

    When does the trunking protocol not tag the frame over a trunk link, and how does ithandle the frame?

    When does dynamic trunking configure a trunk link?

    What happens if two switches on a VLAN trunk are both configured for auto dynamictrunking?

    After finishing this section, you should be able to complete the following tasks:

    Manually configure trunking on interfaces where switches will be attached.

    Configure switches to use 802.1Q trunking protocol and dynamic desirable mode.

    Configure the native VLAN for a trunk link.

Configure which VLANs are permitted to communicate over a trunk link.

This section covers the following exam objectives:

    103. Explain and configure VLAN trunking (i.e., IEEE 802.1Q and ISL)

    105. Verify or troubleshoot VLAN configurations.

VLAN Trunking Facts

Trunking is the term for a link between two switches (or a switch and a router) that carries traffic for more than one VLAN. Trunking is important when you configure VLANs that span multiple switches, as shown in the diagram.

Be aware of the following facts regarding trunking and VLANs:

In the above graphic, each switch has two VLANs. Each VLAN is assigned to a single port (the port is known as an access port).

Workstations in VLAN 1 can only communicate with workstations in VLAN 1. This means that the two workstations connected to the same switch, which are in different VLANs, cannot communicate with each other at Layer 2. Communication within a VLAN must pass through the trunk link to the other switch.

Trunk ports are the ports that connect to other switches (or routers) and carry traffic for multiple VLANs.

Trunk ports automatically carry traffic for all VLANs defined on the switch. You can keep a specific VLAN off a trunk by pruning the allowed-VLAN list (see the switchport trunk allowed vlan command below).

Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a trunking port.

When trunking is used, frames sent over a trunk port are tagged with the VLAN ID so that the receiving switch knows which VLAN the frame belongs to.

Tags are inserted by the first switch in the path and removed by the last.

Only VLAN-capable devices understand the frame tag.

Tags must be removed before a frame is forwarded to a non-VLAN-capable device.

The trunking protocol defines the format switches use to mark frames with the VLAN ID. Cisco devices support two trunking protocols:

Trunking Protocol: Inter-Switch Link (ISL)

Characteristics:
    A Cisco-proprietary trunking protocol; ISL can only be used between Cisco devices.
    ISL encapsulates the whole frame with an ISL header and trailer instead of inserting a tag into (modifying) the frame.
    ISL supports VLAN numbers 1-1005.
    Be aware of the following facts regarding the trunking protocols:
        If a non-ISL-configured trunk port receives an ISL-encapsulated Ethernet frame, it may count the frame as a transmission error (a giant) because the ISL header and trailer push the frame over the maximum Ethernet frame size.
        Switches that do not support ISL simply drop ISL frames because they cannot decode the ISL encapsulation.

Trunking Protocol: 802.1Q

Characteristics:
    An IEEE standard for trunking and therefore supported by a wide range of devices.
    802.1Q supports VLAN numbers 1-4094.
    With 802.1Q trunking, frames from the native VLAN are not tagged; frames from all other VLANs are tagged. For example, if an 802.1Q trunk port carries VLANs 2, 3 and 4 with VLAN 2 as the native VLAN, frames from VLAN 2 that exit the port are sent without an 802.1Q header, while frames from VLANs 3 and 4 receive one. Frames that enter this port with no 802.1Q header are placed in VLAN 2.
    If the native VLAN on one end of the trunk differs from the native VLAN on the other end, native-VLAN traffic from each side is delivered into the wrong VLAN on the other side: switch A sends its native-VLAN frames untagged, and switch B places every untagged frame into its own native VLAN. Cisco switches log this as a CDP native VLAN mismatch, and PVST+ detects the inconsistency and blocks the port for the VLANs involved, so the mismatch shows up as connectivity loss as well as a leak between VLANs.
    The native VLAN is VLAN 1 by default, but may be configured. Use the same native VLAN on both ends of every trunk.


Note: When using multiple vendors in a switched network, be sure each switch supports the 802.1Q standard if you want to implement VLANs across them.

Cisco switches can automatically detect trunk ports and negotiate the trunking protocol used between devices. Switches use the Dynamic Trunking Protocol (DTP) to detect and configure trunk ports. For example, when you connect two switches whose ports are in dynamic desirable mode, they recognize each other and negotiate a trunk and its encapsulation. DTP will negotiate with any device that sends DTP frames, so put user-facing ports in access mode (switchport mode access) and use switchport nonegotiate on ports you have configured as trunks, so that trunking is only ever where you intend it.

VLAN Trunking Command List

The following table lists important commands for configuring and monitoring trunking on a switch.

Use...                                                          To...

Switch(config-if)#switchport mode trunk                         Enable unconditional trunking on the interface. The port still
                                                                sends DTP frames so that the neighbor can negotiate; add
                                                                switchport nonegotiate to stop DTP on the interface.

Switch(config-if)#switchport trunk encapsulation dot1q          Set the trunking protocol, or allow it to be negotiated.
Switch(config-if)#switchport trunk encapsulation isl            Note: Not all Catalyst switches allow configuration of the
Switch(config-if)#switchport trunk encapsulation negotiate      trunking protocol; models that support only 802.1Q do not
                                                                accept this command.

Switch(config-if)#switchport trunk native vlan vlan-id          Configure the VLAN that sends and receives untagged traffic on
                                                                the trunk port when the interface is in 802.1Q trunking mode.
                                                                Both ends of the trunk must use the same value.

Switch(config-if)#switchport trunk allowed vlan all             Set which VLANs are allowed over the trunk: all VLANs, add
Switch(config-if)#switchport trunk allowed vlan add vlan-list   VLANs to the current list, or remove VLANs from it.
Switch(config-if)#switchport trunk allowed vlan remove vlan-list Note: The default allows all VLANs in the VLAN database to
                                                                communicate over the trunk.

Switch(config-if)#switchport mode dynamic auto                  Enable automatic trunking discovery and configuration. The
                                                                port becomes a trunk only if the neighbor actively negotiates
                                                                (trunk or dynamic desirable mode); it never initiates.

Switch(config-if)#switchport mode dynamic desirable             Enable dynamic trunking configuration. The port actively sends
                                                                DTP frames: if the neighbor is a switch in trunk, dynamic
                                                                desirable or dynamic auto mode, a trunk forms; if no switch is
                                                                connected, the port operates as a normal access port.

Switch(config-if)#switchport mode access                        Disable trunking on the port. The port is set to access mode
                                                                unconditionally and operates as a nontrunking, single-VLAN
                                                                interface that sends and receives untagged frames.

Switch#show interfaces trunk                                    Show interface trunking information: mode, encapsulation,
Switch#show interfaces fa0/1 trunk                              trunking status and VLAN assignments.

Note: Be aware of the following when configuring VLAN trunking:

Two switches both configured for dynamic auto will not trunk. At least one of the switches must be set to trunk manually or to use dynamic desirable.

To avoid auto-negotiation on trunk ports, manually configure the speed and duplex.
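The 802.1Q native-VLAN rule and the DTP pairing rule from the two passages above, modelled in Python. This is an added example, not Cisco code and not part of the original notes; the MAC addresses, payload and VLAN numbers are constructed sample data, and dtp_trunks assumes neither side has switchport nonegotiate set. build_frame and classify_frame are the egress and ingress sides of a trunk port: frames from the native VLAN leave untagged, untagged frames are placed in the receiver's native VLAN, and native_vlan_leaks shows what happens when the two ends disagree.

```python
"""802.1Q trunk behaviour and DTP negotiation, modelled in Python (added example)."""
import struct

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def dtp_trunks(mode_a, mode_b):
    """Whether ports in the two DTP modes form a trunk (no nonegotiate set)."""
    modes = {"trunk", "dynamic desirable", "dynamic auto", "access"}
    if mode_a not in modes or mode_b not in modes:
        raise ValueError("unknown switchport mode")
    if "access" in (mode_a, mode_b):
        return False                        # an access port never trunks
    initiators = {"trunk", "dynamic desirable"}
    return mode_a in initiators or mode_b in initiators   # auto + auto -> False


def build_frame(dst, src, vlan, native_vlan, payload, ethertype=ETHERTYPE_IPV4):
    """Egress on an 802.1Q trunk: tag the frame unless it belongs to the native VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError("802.1Q VLAN IDs are 1-4094")
    header = dst + src
    if vlan != native_vlan:
        tci = vlan & 0x0FFF                 # PCP and DEI left at 0; 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify_frame(frame, native_vlan):
    """Ingress on an 802.1Q trunk: return (vlan, ethertype, payload)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return native_vlan, ethertype, frame[14:]     # untagged -> native VLAN


def cross_trunk(vlan, native_a, native_b, payload=b"constructed payload"):
    """Send a frame from `vlan` out switch A (native_a) into switch B (native_b);
    return the VLAN switch B assigns it to."""
    dst = bytes.fromhex("ffffffffffff")           # broadcast
    src = bytes.fromhex("020000000001")           # constructed locally administered MAC
    frame = build_frame(dst, src, vlan, native_a, payload)
    vid, ethertype, data = classify_frame(frame, native_b)
    assert ethertype == ETHERTYPE_IPV4 and data == payload
    return vid


def native_vlan_leaks(native_a, native_b):
    """Where each side's native-VLAN traffic ends up on the other side.
    Empty when both ends agree on the native VLAN."""
    leaks = {}
    if cross_trunk(native_a, native_a, native_b) != native_a:
        leaks[f"A vlan {native_a}"] = f"arrives in B vlan {native_b}"
    if cross_trunk(native_b, native_b, native_a) != native_b:
        leaks[f"B vlan {native_b}"] = f"arrives in A vlan {native_a}"
    return leaks


if __name__ == "__main__":
    print(dtp_trunks("dynamic auto", "dynamic auto"))   # False
    print(cross_trunk(3, native_a=2, native_b=2))        # 3: tagged, unaffected by native VLAN
    print(cross_trunk(2, native_a=2, native_b=2))        # 2: untagged, native on both ends
    print(native_vlan_leaks(2, 99))                      # mismatch: traffic crosses VLANs
```

Tagged VLANs are unaffected by the mismatch (cross_trunk(99, 2, 99) still lands in VLAN 99); only the untagged native VLAN crosses over, which is why the native VLAN must match on both ends and why access ports should never share a VLAN with a trunk's native VLAN.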

Verifying and Troubleshooting VLANs

As you study this section, answer the following questions:

    15. When examining the output from the show interfaces fa 0/1 trunk command,what does the n- in front of the protocol designate?

    16. How can you determine which VLANs are allowed to communicate over a trunklink?

    17. How can you determine when an interface is operating as an access port or atrunk port?

    18. Which command displays an overview of VLAN and trunking information of aninterface?

    After finishing this section, you should be able to complete the following tasks:

    Given a scenario, verify VLAN information.

    Given a scenario, troubleshoot a VLAN trunking link.


    This section covers the following exam objectives:

    105. Verify or troubleshoot VLAN configurations.

VLAN Verification and Troubleshooting Command List

The following commands are used to display VLAN configurations for verification and troubleshooting:

    show vlan brief
    show interfaces trunk
    show interfaces fa 0/1 switchport

The following output is generated from the show vlan brief command. The output displays the VLAN membership of each port.

    VLAN Name                             Status    Ports
    ---- --------------------------------- --------- -------------------------------
    1    default                           active    Fa0/3, Fa0/4, Fa0/5, Fa0/6,
                                                     Fa0/7, Fa0/8, Fa0/9, Fa0/10,
                                                     Fa0/11, Fa0/12, Gi0/1, Gi0/2
    2    VLAN0002                          active    Fa0/2
    1002 fddi-default                      active
    1003 token-ring-default                active
    1004 fddinet-default                   active
    1005 trnet-default                     active

Note: Use the show vlan id vlan-id command to display information about a single VLAN identified by its VLAN ID.

The following is output generated from the show interfaces fa 0/1 switchport command, followed by a table describing the fields.

    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: dynamic auto
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    --output omitted--
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001

Field                                    Description

Name                                     Displays the port name. This is the interface specified in the command.

Switchport                               Displays the administrative and operational status of the port. In this
                                         display, the port is in switchport mode.

Administrative Mode                      Displays the administrative mode, which is configured with one of the
Operational Mode                         following interface configuration commands:
                                             switchport mode access
                                             switchport mode trunk
                                             switchport mode dynamic auto
                                             switchport mode dynamic desirable
                                         The operational mode is how the port is actually operating. In this
                                         output, the port is in dynamic auto administrative mode, but because
                                         the neighbor did not negotiate a trunk it is operating as an access port.

Administrative Trunking Encapsulation    Displays the administrative and operational encapsulation method and
Operational Trunking Encapsulation       whether trunking negotiation (DTP) is enabled on the port.
Negotiation of Trunking

Access Mode VLAN                         Displays the VLAN ID the port belongs to when it operates as an access
                                         port. This is configured with the switchport access vlan interface
                                         configuration command.

Trunking Native Mode VLAN                Lists the VLAN ID used as the native VLAN when the port trunks. This
                                         is configured with the switchport trunk native vlan interface
                                         configuration command.

Trunking VLANs Enabled                   Lists the allowed VLANs on the trunk. This is configured with the
                                         following interface configuration commands:
                                             switchport trunk allowed vlan all
                                             switchport trunk allowed vlan remove
                                         In the output above, all VLANs would be permitted on the trunk if the
                                         port were in trunking mode.

Pruning VLANs Enabled                    Lists the VLANs that are eligible for VTP pruning on this port (2-1001
                                         by default). It does not mean these VLANs have been pruned. VLAN 1,
                                         VLANs 1002-1005 and the extended-range VLANs are never pruning-eligible.

The following is output generated from the show interfaces fa 0/1 trunk command, followed by a table describing the output values.

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           n-802.1q       trunking      1

    Port        Vlans allowed on trunk
    Fa0/1       1-9,11-4094

    Port        Vlans allowed and active in management domain
    Fa0/1       1-2,5

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1-2,5

Value                                          Description

Mode                                           This is the administrative mode on the interface, configured with
                                               one of the following interface configuration commands:
                                                   switchport mode access
                                                   switchport mode trunk
                                                   switchport mode dynamic auto
                                                   switchport mode dynamic desirable
                                               If the port is configured as an access port, the mode is off.

Encapsulation                                  This is the encapsulation protocol on the trunk. If "n-" precedes
                                               the protocol, the encapsulation was negotiated by DTP rather than
                                               set manually. It is configured with the following interface
                                               configuration commands:
                                                   switchport trunk encapsulation dot1q
                                                   switchport trunk encapsulation isl
                                                   switchport trunk encapsulation negotiate
                                               Note: This command may not be available on all Catalyst switches.
                                               Where it is available, negotiate is the default.

Status                                         This is the operational status of the trunk (trunking or
                                               not-trunking).

Native vlan                                    The native VLAN is the VLAN whose frames are not tagged with 802.1Q
                                               tags. Frames from all other VLANs are tagged. Compare this value
                                               on both ends of the trunk; it must match.

Vlans allowed on trunk                         Lists the allowed VLANs on the trunk. This is configured with the
                                               following interface configuration commands:
                                                   switchport trunk allowed vlan all
                                                   switchport trunk allowed vlan remove
                                               In the output above, VLAN 10 is not permitted on the trunk.

Vlans allowed and active in management domain  Lists the VLANs that exist (are active) in the VLAN database of
                                               this switch and are allowed on the trunk.
                                               Note: VLANs that exist on the switch but are not permitted on the
                                               trunk are not listed here.

Vlans in spanning tree forwarding state and    Lists the subset of the previous line for which this port is in
not pruned                                     the spanning tree forwarding state and the VLAN has not been
                                               removed by VTP pruning. Traffic for a VLAN actually crosses the
                                               trunk only if the VLAN appears here.

Note: If you do not specify an interface with the show interfaces trunk command, only information for active trunking ports appears.
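A parser for show interfaces trunk output that compares the two ends of a trunk, as an added example (not Cisco code, not part of the original notes). SW1_OUTPUT is the sample output from the notes above; SW2_OUTPUT is a constructed far-end sample on port Gi0/1 with a different native VLAN and allowed list, chosen to trigger each check. The n- prefix is read as "negotiated", the VLAN ranges are expanded to sets, and check_trunk reports the native VLAN mismatch, the VLAN allowed on only one end (VLAN 10) and the VLANs that actually carry traffic.

```python
"""Parse show interfaces trunk output and compare the two ends of a trunk (added example)."""

SW1_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-9,11-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-2,5

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-2,5
"""

# Constructed far-end output (assumption): native VLAN 99, all VLANs allowed.
SW2_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,5,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10
"""


def parse_vlan_list(text):
    """'1-9,11-4094' -> set of ints; 'none' -> empty set."""
    vlans = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: {...}} from the four sections of show interfaces trunk."""
    ports, section = {}, ""
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            section = line                 # the header line names the section
            continue
        fields = line.split()
        info = ports.setdefault(fields[0], {})
        if "Native vlan" in section:
            mode, encap, status, native = fields[1:5]
            negotiated = encap.startswith("n-")
            info.update(mode=mode, negotiated=negotiated,
                        encapsulation=encap[2:] if negotiated else encap,
                        status=status, native_vlan=int(native))
        elif "allowed on trunk" in section:
            info["allowed"] = parse_vlan_list(fields[1])
        elif "allowed and active" in section:
            info["active"] = parse_vlan_list(fields[1])
        elif "forwarding state" in section:
            info["forwarding"] = parse_vlan_list(fields[1])
    return ports


def check_trunk(local, remote):
    """Findings for one trunk, given the parsed entry from each end."""
    findings = []
    if {local["status"], remote["status"]} != {"trunking"}:
        findings.append("not trunking on at least one end")
    if local["encapsulation"] != remote["encapsulation"]:
        findings.append(f"encapsulation mismatch: {local['encapsulation']} vs {remote['encapsulation']}")
    if local["native_vlan"] != remote["native_vlan"]:
        findings.append(f"native VLAN mismatch: {local['native_vlan']} vs {remote['native_vlan']}")
    one_sided = sorted(local["allowed"] ^ remote["allowed"])
    if one_sided:
        findings.append(f"VLANs allowed on one end only: {one_sided}")
    # A VLAN carries traffic only if it is forwarding and not pruned on both ends.
    carried = local["forwarding"] & remote["forwarding"]
    findings.append(f"VLANs actually carried: {sorted(carried)}")
    return findings


def trunk_report():
    sw1 = parse_show_trunk(SW1_OUTPUT)["Fa0/1"]
    sw2 = parse_show_trunk(SW2_OUTPUT)["Gi0/1"]
    return check_trunk(sw1, sw2)


if __name__ == "__main__":
    for finding in trunk_report():
        print(finding)
```

Feeding the script the output of both switches is the quickest way to answer the questions at the top of this section: whether the encapsulation was negotiated, which VLANs are allowed, and whether the port is really trunking.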

***EtherChannel

As you study this section, answer the following questions:

19. What will happen to redundant links between switches when EtherChannel is configured?
20. What are the differences between LACP and PAgP?
21. When would you choose LACP over PAgP when configuring EtherChannel?

After finishing this section, you should be able to complete the following tasks:

Given a scenario, configure switches to negotiate the PAgP EtherChannel.

Given a scenario, configure interfaces to negotiate an EtherChannel with LACP.

This section covers the following exam objectives:

206. Configure and verify link aggregation using PAgP or LACP.

EtherChannel Facts

EtherChannel combines multiple switch ports into a single logical link between two switches. With EtherChannel:

    You can combine 2-8 ports into a single link.

    All links in the channel group are used for communication between the switches.

    Use EtherChannel to increase the bandwidth between switches.

    Use EtherChannel to establish automatic-redundant paths between switches. If onelink fails, communication will still occur over the other links in the group.

    Use EtherChannel to reduce spanning tree convergence times.

Cisco Catalyst switches use one of the following protocols to negotiate an EtherChannel:

Protocol                                   Description

Port Aggregation Protocol (PAgP)           Port Aggregation Protocol (PAgP) is a Cisco-proprietary management
                                           function that checks parameter consistency at both ends of the link
                                           and helps the channel adapt to link failure or addition. PAgP prevents
                                           loops or packet loss due to misconfigured channels and aids network
                                           reliability. PAgP operates in the following modes:
                                               Auto places the port in a passive negotiating state: it forms an
                                               EtherChannel if it receives PAgP packets but does not initiate
                                               the negotiation. Note: This is the default PAgP mode.
                                               Desirable places the port in an active negotiating state: it
                                               sends PAgP packets and forms a channel with a port group at the
                                               other end that is in either auto or desirable mode.
                                           Note: PAgP is the default channel protocol on Cisco switches.

Link Aggregation Control Protocol (LACP)   Link Aggregation Control Protocol (LACP) is based on the IEEE 802.3ad
                                           standard and has similar functions to PAgP. Use LACP when configuring
                                           an EtherChannel between Cisco switches and non-Cisco switches that
                                           support 802.3ad. LACP operates in the following modes:
                                               Passive places the port in a passive negotiating state: it forms
                                               an EtherChannel if it receives LACP packets but does not initiate
                                               the negotiation. Note: This is the default LACP mode.
                                               Active places the port in an active negotiating state: it sends
                                               LACP packets and forms a channel with a port group at the other
                                               end that is in either active or passive mode.

Note: The on mode forces a port into an EtherChannel without negotiation. The on mode can be useful if the remote device supports neither PAgP nor LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode. Because nothing checks the far end, a miscabled or half-configured on channel can forward loops or drop traffic; prefer PAgP or LACP wherever both devices support them.

Be aware of the following EtherChannel details:

All ports in an EtherChannel must use the same protocol (PAgP or LACP).

All ports in an EtherChannel must have the same speed and duplex mode. LACP requires that the ports operate in full-duplex mode.

A port cannot belong to more than one channel group at the same time.

All ports in an EtherChannel must be configured with the same access VLAN, or be configured as VLAN trunks with the same allowed-VLAN list and the same native VLAN.

All ports in an EtherChannel require the same trunk encapsulation (ISL or IEEE 802.1Q) to avoid unexpected results.

If you do not configure EtherChannel, the spanning tree algorithm identifies each extra link as a redundant path to the other switch and puts all but one of the ports into the blocking state.

Do not try to configure more than 6 EtherChannels on the switch. (This limit is platform-specific; check the configuration guide for your model.)

Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.

Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled with the shutdown interface configuration command is treated as a link failure, and its traffic is transferred to one of the remaining ports in the EtherChannel.

EtherChannel Command List

The following table shows common commands to configure EtherChannel.

Use...                                                    To...

Switch(config-if)#channel-protocol lacp                   Select the EtherChannel protocol on the interface.
Switch(config-if)#channel-protocol pagp

Switch(config-if)#channel-group number mode auto          Select the PAgP mode on the interface and assign it to
Switch(config-if)#channel-group number mode desirable     channel group number.

Switch(config-if)#channel-group number mode active        Select the LACP mode on the interface and assign it to
Switch(config-if)#channel-group number mode passive       channel group number.

Switch(config-if)#channel-group number mode on            Enable the on mode and force the port to join the
                                                          EtherChannel without PAgP or LACP negotiation.

Switch(config-if)#no channel-group                        Disable EtherChannel on the interface.

Switch#show etherchannel                                  Show EtherChannel details on the switch.

Switch#show etherchannel summary                          Show EtherChannel information with a one-line summary
                                                          per channel group.

Note: Each channel group has its own number. All ports assigned to the same channel group are treated as a single logical link (the port-channel interface).

Examples

The following commands configure the GigabitEthernet 0/1 and 0/2 interfaces to actively initiate negotiation of an EtherChannel with PAgP, using channel group 5:

    Switch>ena
    Switch#conf t
    Switch(config)#int range gi 0/1 - 2
    Switch(config-if-range)#channel-protocol pagp
    Switch(config-if-range)#channel-group 5 mode desirable

The following commands configure the FastEthernet 0/1 through 0/4 interfaces to form an EtherChannel with LACP only if the other device actively initiates the EtherChannel:

    Switch>ena
    Switch#conf t
    Switch(config)#int range fa 0/1 - 4
    Switch(config-if-range)#channel-protocol lacp
    Switch(config-if-range)#channel-group 3 mode passive
    Switch(config-if-range)#duplex full
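The mode-pairing and member-consistency rules from the EtherChannel details above, modelled as checks you can run before bundling ports. This is an added example, not Cisco code and not part of the original notes; the Port records are constructed sample data and the port names are assumptions. channel_forms answers whether two ends in the given channel-group modes form a channel (auto + auto and passive + passive never do, on only pairs with on, PAgP and LACP modes never mix); validate_members applies the same-speed, same-duplex, same-VLAN-configuration and LACP full-duplex rules to a candidate member list.

```python
"""EtherChannel negotiation and member-consistency checks (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    speed: int                # Mb/s
    duplex: str               # "full" | "half"
    mode: str                 # "access" | "trunk"
    vlan: int                 # access VLAN, or native VLAN when mode == "trunk"
    encapsulation: str = ""   # "dot1q" | "isl" (trunks only)
    allowed: str = "all"      # allowed-VLAN list (trunks only)


def channel_forms(protocol, mode_a, mode_b):
    """Does a channel form between two ends in these channel-group modes?"""
    if "on" in (mode_a, mode_b):
        return mode_a == mode_b == "on"       # on only works against on
    rules = {"pagp": ("desirable", {"auto", "desirable"}),
             "lacp": ("active", {"active", "passive"})}
    initiator, valid = rules[protocol]
    if not {mode_a, mode_b} <= valid:
        return False                          # PAgP and LACP modes do not mix
    return initiator in (mode_a, mode_b)      # auto+auto / passive+passive never negotiate


def validate_members(protocol, ports):
    """Return the reasons these ports cannot be bundled; [] means they can."""
    problems = []
    max_ports = 16 if protocol == "lacp" else 8   # LACP: 8 active + 8 standby
    if not 2 <= len(ports) <= max_ports:
        problems.append(f"need 2-{max_ports} ports for {protocol}, got {len(ports)}")
    ref = ports[0]
    for p in ports[1:]:
        if (p.speed, p.duplex) != (ref.speed, ref.duplex):
            problems.append(f"{p.name}: speed/duplex {p.speed}/{p.duplex} differs from {ref.name}")
        if (p.mode, p.vlan, p.encapsulation, p.allowed) != (ref.mode, ref.vlan, ref.encapsulation, ref.allowed):
            problems.append(f"{p.name}: VLAN/trunk configuration differs from {ref.name}")
    if protocol == "lacp":
        problems += [f"{p.name}: LACP requires full duplex" for p in ports if p.duplex != "full"]
    return problems


def sample_trunk_ports():
    """Constructed: two matching 802.1Q trunk members."""
    common = dict(speed=1000, duplex="full", mode="trunk", vlan=1,
                  encapsulation="dot1q", allowed="10,20,30")
    return [Port("Gi0/1", **common), Port("Gi0/2", **common)]


def bad_native_vlan_ports():
    """Constructed: a third member whose native VLAN differs from the others."""
    return sample_trunk_ports() + [Port("Gi0/3", 1000, "full", "trunk", 99, "dot1q", "10,20,30")]


def half_duplex_access_ports():
    """Constructed: matching access ports, but half duplex (fine for PAgP, not LACP)."""
    return [Port("Fa0/1", 100, "half", "access", 10), Port("Fa0/2", 100, "half", "access", 10)]


if __name__ == "__main__":
    print(channel_forms("pagp", "auto", "auto"))                  # False
    print(channel_forms("lacp", "active", "passive"))             # True
    print(validate_members("lacp", sample_trunk_ports()))         # []
    print(validate_members("lacp", bad_native_vlan_ports()))      # native VLAN problem on Gi0/3
    print(validate_members("lacp", half_duplex_access_ports()))   # LACP full-duplex problems
```

This is the check PAgP and LACP perform for you at both ends; in on mode nobody performs it, which is the reason to treat on as the last resort the note above describes.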

***4.1 Gateway Redundancy

As you study this section, answer the following questions:

22. How does a virtual router help to protect against a single point of failure?
23. If there are three routers in an HSRP group, how many virtual IP addresses would be assigned to that group of routers?
24. What are the main differences between HSRP and VRRP, and are they compatible?
25. What is the maximum number of routers that can act as active IP default gateways in a GLBP group?
26. If there are two routers in a GLBP group, how many virtual MAC addresses are assigned to routers in that group?

This section covers the following exam objectives:

401. Explain the functions and operations of gateway redundancy protocols (i.e., HSRP, VRRP, and GLBP).

Gateway Redundancy Facts

Gateway redundancy is a fault-tolerant approach for hosts to communicate outside their local subnet. Typically, hosts are configured with a single default gateway (next-hop router) so they can communicate outside the local subnet. However, as shown in the image below, if the default gateway fails, the hosts can communicate only within the subnet, effectively disconnecting them from the rest of the network. Even if there is a redundant router which could serve as a replacement gateway, there is no dynamic method by which the hosts could switch to a new default gateway IP address.

Gateway redundancy protects against this single point of failure. In gateway redundancy, a group of two or more routers jointly manages a single virtual router with its own virtual MAC address and IP address (as seen below). This configuration ensures that if a router fails, a backup router takes over as the default gateway. LAN clients send traffic to the virtual router's address, but an actual router does the forwarding. The difference between the virtual and the actual router is invisible to the clients: their ARP caches still hold the virtual MAC address, so nothing on the hosts has to change when the forwarding router changes.

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol (HSRP) is a Cisco-proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol consists of a virtual MAC address and IP address that are shared between two or more routers, and a process by which the routers monitor each other's LAN and serial interfaces through multicast hello messages. An HSRP group, a set of routers participating in HSRP that jointly emulate a virtual router, consists of the following entities or roles:

Entity or Role      Description

Active Router       The router that forwards traffic sent to the virtual IP address (see the illustration below).

Standby Router      The router that becomes the active router should the existing active router fail (see the illustration below).

Virtual Router      Not an actual router; it is the concept of the entire HSRP group acting as one router. It is assigned its own IP address and MAC address; however, the active router actin