CCNP Switch 642-813 Material Guide

Upload: greatkudo

Post on 07-Jul-2018

8/18/2019 CCNP Switch 642-813 Material Guide

    CCNP Switch 642-813 Planning & Design

Planning

The CCNP SWITCH exam tests very heavily on the planning and verification requirements within the certification blueprint. All of the exam topics below fall into the "planning" category.

• Implement VLAN based solution, given a network design and a set of requirements.
  o Create a VLAN based implementation plan
  o Create a VLAN based verification plan
  o Document results of VLAN implementation and verification

• Implement a Security Extension of a Layer 2 solution, given a network design and a set of requirements.
  o Create an implementation plan for the Security solution
  o Create a verification plan for the Security solution
  o Document results of Security implementation and verification

• Implement Switch based Layer 3 services, given a network design and a set of requirements.
  o Create an implementation plan for the Switch based Layer 3 solution
  o Create a verification plan for the Switch based Layer 3 solution
  o Document results of Switch based Layer 3 implementation and verification

• Implement High Availability, given a network design and a set of requirements.
  o Create a High Availability implementation plan
  o Create a High Availability verification plan
  o Document results of High Availability implementation and verification

That is a large portion of the CCNP SWITCH exam blueprint. It's tough for Cisco to test how to write up an implementation plan within the time frame allowed for the exam, so they test it indirectly. They may present a complicated business problem with many undefined technical "implementation" components and require you to solve the problem. In order to do so, you'll have to be able to come up with an implementation plan on the fly to know which technologies, protocols, interfaces, etc. need to be configured. Once you configure them, you will also need to come up with a "verification plan" in your head so you can verify that the business need was met (and you get your points for the question).

An example may be a complex problem requiring you to configure new VLANs on a recently added switch (VLAN plan), add LACP trunks (HA plan), and change the routing on the existing multilayer switches to add the new VLAN networks (layer 3 planning), then load balance all the new connections using HSRP (HA plan) based on business VLAN requirements (VLAN plan). It's easy to see how quickly a problem like that can cover many of the blueprint planning topics in a single exam question. Expect to see situational problems like that example.

Implementation Plan Components

Almost every network implementation should consist of several phases (ex. install hardware, push configurations, cut-over to production, etc.). It is important to remember the following steps for each phase:

1. Description of the step
2. Reference to design documents
3. Detailed implementation guidelines
4. Detailed roll-back guidelines in case of failure
5. Estimated time needed for implementation

Specific Cisco Design Recommendations


There are some general guidelines Cisco recommends around Layer 2 design. Cisco recommends the local VLAN approach if possible within the campus environment. That allows the access layer to focus on port density and VLAN termination. The distribution layer can then be used for routing and boundary definitions. The core is then used exclusively for optimized transport of traffic.

General Network Planning Guidelines

Design
• When verifying a new network design, test it first on a pilot network before implementing it network-wide on the production network
• When planning for HA, to minimize the risk of potential outages, it is critical to use the appropriate technology as well as redundancy within that technology to prevent single points of failure

Implementation Plan
A documented rollback plan should be part of any implementation plan

Security Planning Guidelines

Design
• Make sure you have a list of the applications running in the environment
• If it is a security design, Cisco recommends having a network audit performed beforehand

Implementation Plan
Critical pieces to include when designing and implementing a security solution include:
• An incident response plan
• The organization's security policy
• A list of customer requirements

Verification Plan
Verification of an implemented security solution requires results from audit testing of the implemented solution

VLAN Planning Guidelines

Implementation Plan
• Some examples of organizational o


network infrastructure layer.
3. Application Layer – Includes business applications.
NOTE – Make sure you understand Cisco's definition and roles of access, distribution, and core layers.

PPDIOO
• Prepare – organizational requirements, strategy, financial


CCNP Switch 642-813 VLANs & Trunks

VLAN = a single broadcast domain = logical network segment (subnet)
VLANs are used to segment large broadcast domains into smaller, more manageable sections. By default, all switch ports are assigned to VLAN 1, type Ethernet, and MTU of 1500 bytes.
Note: End user devices associated with a VLAN are unaware that the VLAN even exists.

To create a VLAN
Switch# conf t
Switch(config)# vlan 43
Switch(config-vlan)# name Marketing
Switch(config-vlan)# exit
Assign it to an interface
Switch(config)# int fa 1/23
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 43
Switch(config-if)# no shut
To delete a VLAN
Switch(config)# no vlan 43

There are two types of VLAN configuration, static and dynamic. The most common method is static because it is simple and easy to configure. It must be configured on every interface for every device. A VLAN Membership Policy Server (VMPS) can be used to dynamically assign ports to a VLAN based on the source MAC address of the host that is attached to the interface. If the same host moves to another switch port on the network, the new interface is automatically assigned to the proper VLAN. Because VMPS keys only on the source MAC address, which any host can forge, it is a convenience feature rather than an access control; 802.1X with RADIUS-assigned VLANs is the modern way to place a port in a VLAN based on who is attached.

VLAN Models

End-to-end (or campus-wide VLAN deployments)
Every VLAN is made available to every access switch across the network. In this option, broadcasts must cross the core and suck up valuable trunk resources. Usually uses VTP client/server modes. This model is sometimes implemented for two reasons. First, users can connect to any switch port independent of their physical location and be placed on the correct VLAN. Second, resource and security parameters can be defined for all members of a particular VLAN and can be updated from a central location.

Local
Uses layer three at the distribution layer to keep inter-VLAN traffic within that switch block and is better suited for environments where most traffic is not locally destined. Usually uses VTP transparent mode because you don't want the VLANs propagated around the network (hence, "local"). In this model, a VLAN should not extend past its distribution switch.

The 80/20 Rule
Back in the 1990's when most network resources were local (ex. printers, servers), a design rule developed known as the "80/20 rule". The rule stated that you should design network boundaries such that 80% of traffic stays within the local subnet (doesn't cross a backbone or leave the VLAN) and only around 20% of traffic should be destined for remote sites (ex. Internet). Well, the enterprise and computing environment has changed dramatically since then with web-based services exploding – and now the new recommendation is the opposite, the 20/80 rule. That means that 20% of traffic is local and 80% traverses the distribution layer/core.

It's an important concept because the local VLAN model generally follows the opposite approach of the 80/20 rule, where most traffic is destined remotely. Remember that.

Best practices for VLAN design
• For the local VLANs model, limit 1-3 VLANs per access switch and limit those VLANs to only a couple access switches and the distribution switches.
• Avoid using VLAN 1 as the "blackhole" for all unused ports.
• Try to separate voice, data, management, default, and blackhole VLANs (each assigned their own VLAN ID).
• In the local VLANs model, avoid VTP (use transparent mode).
• Turn off DTP on trunk ports and configure them manually – also use IEEE 802.1Q over ISL.
• Manually configure access ports that are not intended to be trunks by using the switchport host macro (it sets switchport mode access, disables EtherChannel, and enables PortFast, so an attached host cannot negotiate a trunk via DTP).
• Prevent all data traffic from VLAN 1.
• Avoid Telnet on management VLANs, use SSH instead.

User access ports are typically at least Fast Ethernet or Gigabit Ethernet. Links between the access and distribution layers are typically Gigabit Ethernet or faster, layer 2, and have an oversubscription ratio of no more than 20:1. Links between the distribution and core should be Gigabit EtherChannel or 10-Gig Ethernet with an oversubscription ratio of no more than 4:1.

VLAN Troubleshooting Steps
1. Physical connection OK? No – Check with CDP; fix any cabling or duplex problems
2. Router and switch configuration OK? No – compare configurations and fix inconsistencies
3. VLAN configuration OK? No – Fix VLAN problems

VLAN Verification
To determine the trunking status of an interface
Switch# show int fa 1/24 trunk
A simpler alternative that lists every trunk on the switch would be: show interfaces trunk.


To see a complete detailed interface list for all VLANs
Switch# show vlan
Note: The show vlan command does not include trunk ports in its VLAN port output as they carry a variety of VLANs.

VLAN Trunking

There are two frame tagging methods for trunk links

ISL
Cisco proprietary, adds its own frame header and CRC. The ISL header is 26 bytes and it appends an additional CRC which is 4 bytes, for a total of 30 additional bytes to every ISL encapsulated frame. Because it is proprietary, ISL trunk encapsulation will only work with Cisco devices – and not all Cisco switches even support it.

802.1Q
Open standard, inserts its own 4 byte tag within the frame and recalculates the CRC value, allows for native VLANs (untagged frames to go through). 802.1Q has become the dominant layer 2 trunking protocol in use today as fewer organizations use Cisco's proprietary ISL. The 4 byte tag is inserted into the Ethernet frame after the source MAC address, and 802.1Q is designed exclusively for point-to-point links. The inserted field does not interfere with the original frame header, so the MAC source/destination information is unchanged.
802.1Q tunneling (QinQ) is often used by service providers to carry many customers' tagged traffic across a shared infrastructure; the feature segregates each customer's traffic behind an outer tag, but it is not a secure VPN: nothing is encrypted or authenticated, only separated by tag.
Using 802.1Q or ISL can create problems with their tagging methods. The maximum size for any frame as specified by IEEE 802.3 is 1518 bytes. That means that if a frame entering a trunk port is already near the maximum size, the header and CRC added by ISL or the tag inserted by 802.1Q will push the frame size over the IEEE limit. To resolve this conflict, the IEEE 802.3 committee created a subgroup – 802.3ac – that extended the maximum Ethernet frame size to 1522 bytes. If you see the "Giants" counter on an interface anything other than zero, this is likely the cause (such frames are often called "baby giants").
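As an added example (not from the original guide), the following Python builds, parses and strips 802.1Q tags on a constructed Ethernet frame and classifies frame sizes against the 1518/1522 limits just described. The MAC addresses and payload are made up, and the in-memory frames carry no FCS (the 4 bytes are added arithmetically); the double-tag case at the end shows why the native VLAN matters.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
FCS_LEN = 4                  # trailing CRC, not present in the in-memory frames below
MIN_FRAME = 64               # IEEE 802.3 minimum (incl. FCS); smaller frames are runts
MAX_UNTAGGED_FRAME = 1518    # IEEE 802.3 maximum (incl. FCS)
MAX_TAGGED_FRAME = 1522      # IEEE 802.3ac maximum for one 802.1Q tag


def insert_8021q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte tag (TPID + TCI) between the MAC addresses and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is outside the usable range 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove one 802.1Q tag, as a switch does before forwarding onto an access or native-VLAN port."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse_8021q(frame: bytes) -> dict:
    """Return addresses, the VLAN fields if the frame is tagged, and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        info.update(tagged=False, ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                vid=tci & 0x0FFF, ethertype=inner, payload=frame[18:])
    return info


def frame_size_class(frame_without_fcs: bytes) -> str:
    """Classify a frame the way an interface counter would: runt, ok, baby giant or giant."""
    total = len(frame_without_fcs) + FCS_LEN
    if total < MIN_FRAME:
        return "runt"
    if total <= MAX_UNTAGGED_FRAME:
        return "ok"
    if total <= MAX_TAGGED_FRAME and parse_8021q(frame_without_fcs)["tagged"]:
        return "baby giant"      # legal under 802.3ac, but older gear may still count it as a giant
    return "giant"


# Constructed sample: a broadcast IPv4 frame carrying a full 1500-byte payload (no FCS).
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                   + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 1499)

if __name__ == "__main__":
    tagged = insert_8021q_tag(SAMPLE_UNTAGGED, vid=43, pcp=5)
    print(parse_8021q(tagged)["vid"], frame_size_class(SAMPLE_UNTAGGED), frame_size_class(tagged))
    # A double-tagged frame is still tagged after the first switch strips the outer (native VLAN) tag.
    double = insert_8021q_tag(insert_8021q_tag(SAMPLE_UNTAGGED, vid=43), vid=1)
    print(parse_8021q(strip_outer_tag(double))["vid"])
```

The 1514-byte untagged sample becomes exactly 1518 bytes with its FCS, so a single tag pushes it to the 802.3ac limit and one more payload byte makes an untagged frame a giant.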

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol for negotiating a common trunking mode between two switches.

To configure a VLAN trunk interface
Switch(config)# int fa 1/5
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan 1 (for 802.1Q trunks only)
Switch(config-if)# switchport trunk allowed vlan {list | add list | remove list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}

If the encapsulation is set to negotiate, ISL is preferred over 802.1Q when both ends support it. Trunk links by default allow all active VLANs (those that the switch knows about). Also, all dot1q trunks use VLAN 1 as the default native VLAN. It is recommended to specifically allow only VLANs that cross the trunk using the switchport trunk allowed vlan command. Because the switch will forward broadcasts out all ports in a VLAN, frames from every allowed VLAN will be forwarded over the trunk too – which wastes trunk bandwidth.
If a non-trunking port receives an ISL encapsulated frame, it will not be able to remove the ISL header and will by default drop the ISL frame. If a non-trunking port receives an 802.1Q encapsulated frame, it simply reads the destination MAC address and forwards the frame as it would any other layer 2 frame.

Trunking Modes

Make sure you understand how these trunking modes interact because it makes easy test material. Notice that even dynamic desirable (the most aggressive dynamic trunking mode) will still not form a trunk if the other end is configured as an access port.

Trunk - manual permanent trunking mode; the port still sends DTP frames unless nonegotiate is added
Dynamic desirable - the port actively tries to bring up the link as a trunk, sending negotiations with the other end (the default on older Catalyst platforms such as the 2950/3550)
Dynamic auto – the port can be converted to a trunk link, but only if the far end requests it (the default on the 2960/3560/3750 families)
Nonegotiate - puts the interface into permanent trunking mode and does not send DTP frames; the far end must then be statically trunked as well. Because a host on a dynamic auto or dynamic desirable port can answer or initiate DTP and turn its port into a trunk, deliberate trunks should be mode trunk with nonegotiate and every other port mode access.

Trunk Troubleshooting
When troubleshooting a trunk link, check that all of the following are compatible on both ends:

• trunking mode (trunk, dynamic auto, dynamic desirable) – the two modes must combine into a trunk; dynamic auto on both ends never does
• encapsulation
• native VLAN (for dot1q only; a mismatch not only breaks native VLAN traffic but also leaks untagged frames from one VLAN into the other, and both CDP and per-VLAN spanning tree report the inconsistency)
• allowed VLANs

If you are required to troubleshoot VLAN traffic that is not being passed across a trunk, make sure that the VLAN is in the interface allowed list for each side of the trunk. While all VLANs are allowed by default across trunk links, many organizations explicitly define allowed VLANs over trunks for security and to prevent unnecessary broadcast traffic on the link.
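Added example, not part of the original guide: a small Python model of the DTP mode matrix above and of the four trunk checks in the troubleshooting list. The two port configurations (DIST_FA1_5 and ACCESS_GI0_1) are constructed, and "nonegotiate" here stands for switchport mode trunk combined with switchport nonegotiate.

```python
# Switchport modes as configured with "switchport mode ..."; "nonegotiate" means
# "switchport mode trunk" plus "switchport nonegotiate" (no DTP sent at all).
MODES = ("access", "trunk", "dynamic desirable", "dynamic auto", "nonegotiate")


def trunk_forms(local: str, remote: str) -> bool:
    """Return True if a trunk comes up between two ports in these modes."""
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown mode {m!r}")
    if "access" in (local, remote):
        return False          # an access port never trunks, even against dynamic desirable
    if "nonegotiate" in (local, remote):
        # No DTP is exchanged, so the other end must be statically trunking as well.
        return local in ("trunk", "nonegotiate") and remote in ("trunk", "nonegotiate")
    # trunk and desirable actively negotiate; auto only answers, so auto+auto stays access.
    return not (local == "dynamic auto" and remote == "dynamic auto")


def trunk_mismatches(local: dict, remote: dict) -> list:
    """List the mismatches from the troubleshooting checklist; an empty list means clean."""
    issues = []
    if not trunk_forms(local["mode"], remote["mode"]):
        issues.append(f"no trunk: {local['mode']} vs {remote['mode']}")
    encs = {local["encapsulation"], remote["encapsulation"]}
    if len(encs) == 2 and "negotiate" not in encs:
        issues.append(f"encapsulation mismatch: {local['encapsulation']} vs {remote['encapsulation']}")
    if "dot1q" in encs and local["native"] != remote["native"]:
        issues.append(f"native VLAN mismatch: untagged frames leak between VLAN "
                      f"{local['native']} and VLAN {remote['native']}")
    for vid in sorted(local["allowed"] ^ remote["allowed"]):
        side = "local" if vid in local["allowed"] else "remote"
        issues.append(f"VLAN {vid} allowed only on the {side} side and is dropped at the other end")
    return issues


def vlan_passes(local: dict, remote: dict, vid: int) -> bool:
    """Does traffic for VLAN vid cross this trunk end-to-end?"""
    return (trunk_forms(local["mode"], remote["mode"])
            and vid in local["allowed"] and vid in remote["allowed"])


# Constructed example: the distribution side is hard-coded, the access side was left at
# dynamic auto, its native VLAN was never changed, and VLAN 20 is missing from its allowed list.
DIST_FA1_5 = {"mode": "trunk", "encapsulation": "dot1q", "native": 999, "allowed": {10, 20, 30}}
ACCESS_GI0_1 = {"mode": "dynamic auto", "encapsulation": "dot1q", "native": 1, "allowed": {10, 30}}

if __name__ == "__main__":
    for issue in trunk_mismatches(DIST_FA1_5, ACCESS_GI0_1):
        print("-", issue)
```

The constructed pair does form a trunk (trunk against dynamic auto), which is exactly why the native VLAN and allowed-list mismatches go unnoticed until a VLAN 20 user complains.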

Native VLANs
It is important that the native VLAN is configured correctly on both sides of an 802.1Q trunk. The native VLAN is a "default" VLAN that allows frames to be passed through the trunk untagged. If there were devices in the middle of the trunk that required line access, they could use the native VLAN. This is a rare situation, but worth understanding. Because untagged frames land in the native VLAN, an attacker whose access VLAN is also the trunk's native VLAN can double-tag frames: the first switch strips the outer tag and the second switch delivers the inner-tagged frame into another VLAN. Put the native VLAN on an unused VLAN ID (never a user VLAN) and, where the platform supports it, tag it too with the global vlan dot1q tag native command.

VTP
VLAN Trunking Protocol uses layer 2 trunk frames to communicate VLAN information among switches. It manages the addition, deletion, and renaming of VLANs across the network from a single source.

• Organized into domains (only one per switch). Each switch within that domain must have the same VTP domain name configured otherwise database information will not be synchronized. Because each switch can only be configured with a single VTP domain, it will only listen and act on VTP advertisements it hears that match its own VTP domain name.
• Advertisements are used to communicate changes to other switches

VTP Modes
Server mode
These switches have full control for creation and changes to VLANs. All changes are advertised out to all other switches. Each domain has at least one VTP server.


Client mode
Cannot create or change VLANs, but they do send periodic advertisements and can change their configurations to match those they hear.
Transparent mode
Do not participate in VTP. In VTP version 1, a switch in transparent mode inspects VTP messages for the domain name and version and forwards a message only if both match. VTP version 2 forwards VTP messages in transparent mode without checking the version – only a matching VTP domain name is required.

VTP Configuration Revision Number
VTP switches use an index called the VTP configuration revision number which is sent with VTP advertisements. The configuration revision number helps to identify changes to the network by increasing by one every time a change occurs. Every switch stores the revision number of the last advertisement it heard. If a switch receives an advertisement with a higher revision number than is stored locally, its configuration is changed to reflect the new advertisement and it forwards the advertisement to its neighbor switches. If the revision number is the same as in its database, it simply ignores the advertisement. Finally, if the number in the advertisement is lower than the number stored in its database, the switch will respond back with its more current VLAN information.
It is important to set the revision number to 0 before inserting a new switch into a production environment. Transparent mode's revision number is always 0.

There are two ways to do it:
1. Change it to transparent mode, then back to server.
2. Change the VTP domain name to a bogus name, then change it back to the original.

If a switch is set to server (the default) or client and is inserted into the environment with a higher revision number than the last advertisement, a VTP synchronization problem occurs, potentially disabling all VLAN-assigned ports. Note that even a client with a higher revision number can take down the entire network if it propagates its VLAN database to its peers - so be very careful when adding new switches. The same thing can be done deliberately by anyone who can inject a crafted VTP advertisement on a trunk, so set a VTP password (its MD5 digest is checked on every advertisement) and, on platforms that support it, use VTP version 3, where only the designated primary server's database is accepted. Also, VTP information is stored in flash in the vlan.dat file. That way it survives reboots.
To check the VTP revision number
Switch# show vtp status
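Added example (mine, not the guide's): a Python simulation of the revision-number rule and of the "VTP bomb" it enables. The switch names, the domain CORP, the password and the VLAN numbers are constructed, and the digest is a simplified stand-in for the MD5 digest real VTP computes over the VLAN database and secret.

```python
import hashlib


def _digest(password, domain, revision, vlans):
    """Simplified stand-in for the MD5 digest VTP carries (real VTP hashes the VLAN
    database together with the secret); enough to show why a wrong password is ignored."""
    blob = f"{password}|{domain}|{revision}|{sorted(vlans)}".encode()
    return hashlib.md5(blob).hexdigest()


class VtpSwitch:
    def __init__(self, name, domain, mode="server", password="", vlans=(1,), revision=0):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans, self.revision = set(vlans), revision

    def add_vlan(self, vid):
        """Servers bump the revision on every change; that is what makes old lab boxes dangerous."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a {self.mode}; only servers edit VLANs")
        self.vlans.add(vid)
        self.revision += 1

    def reset_revision(self):
        """The documented fix before racking a switch: flip to transparent (revision 0) and back."""
        mode = self.mode
        self.mode, self.revision = "transparent", 0
        self.mode = mode

    def advertise(self):
        """Summary advertisement. Clients send these too, which is why a client can also be a bomb."""
        return {"domain": self.domain, "revision": self.revision, "vlans": sorted(self.vlans),
                "digest": _digest(self.password, self.domain, self.revision, self.vlans)}

    def receive(self, adv):
        if self.mode == "transparent":
            return "forwarded-not-applied"
        if adv["domain"] != self.domain:
            return "ignored-domain"
        if adv["digest"] != _digest(self.password, adv["domain"], adv["revision"], adv["vlans"]):
            return "ignored-bad-digest"
        if adv["revision"] > self.revision:
            self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
            return "updated"                  # local database replaced wholesale
        if adv["revision"] == self.revision:
            return "already-current"
        return "stale-replied-with-own-db"


def vtp_bomb_demo():
    """Three runs: an unprotected insert, an insert after a revision reset, and a password mismatch."""
    results = {}
    for case in ("unprotected", "reset_first", "password_mismatch"):
        client = VtpSwitch("access1", "CORP", mode="client", password="s3cret",
                           vlans=(1, 10, 20, 30), revision=5)
        lab = VtpSwitch("oldlab", "CORP", vlans=(1,), revision=9,
                        password="" if case == "password_mismatch" else "s3cret")
        if case == "reset_first":
            lab.reset_revision()
        outcome = client.receive(lab.advertise())
        results[case] = {"outcome": outcome, "client_vlans": set(client.vlans),
                         "vlan_10_ports_still_work": 10 in client.vlans}
    return results


if __name__ == "__main__":
    for case, r in vtp_bomb_demo().items():
        print(case, r)
```

In the unprotected run the access switch accepts revision 9 from the lab box and its VLAN 10/20/30 ports go dark; after a reset (revision 0) the same switch simply answers with its own, newer database, and with a different password the advertisement fails the digest check and is dropped.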

VTP Message Types
There are three different types of VTP messages:
Summary advertisements
Sent from all switches every 300 seconds (5 minutes) and after any VLAN-related change (added, removed, renamed)
Subset advertisements
VTP servers send subset advertisements after a VLAN change occurs, following the summary advertisement. They provide more specific details into the changes.
Requests from clients
Clients can request any VTP information they don't have. The server will respond with a summary advertisement and subsequent subset advertisements.

VTP Versions
VTP has two versions (1 & 2) that are not interoperable. All that is required to change from v1 to v2 across the network is to change one server switch to v2 and it will send out an advertisement to all other switches to make the change as well. v1 is the default. (Newer IOS releases also offer VTP version 3.)
To configure a VTP server for v2
Switch(config)# vtp version 2
VTP v2 has the following enhancements over v1:

• Token Ring VLAN support
• TLV support
• Version-independent message forwarding
• Performs consistency checks

VTP Pruning
VTP Pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic over trunk links. Broadcasts and unknown-unicast frames are only transmitted over a trunk link if the switch on the receiving end of the trunk has ports in that VLAN.
By default, VTP pruning is disabled; to enable it
Switch(config)# vtp pruning
When pruning is enabled on a server, it propagates the pruning to all switches in the management domain. (This is generally the quickest way to enable it within your switched network.) Also, VLAN 1 is considered pruning ineligible by Cisco. VLANs 2-1001 are eligible for pruning by default.

VTP Configuration
Note: VTP information will not be exchanged without first configuring the VTP domain name.
Configuring a VTP Management Domain
Switch(config)# vtp domain domain-name
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp password password
Note: If a VTP password is locally configured, the same password must be set on all VTP-participating switches.
After VTP is configured, the switch will begin passing the management domain, configuration revision number, and known VLANs and their parameters through its trunk links.

VTP Example Configuration
To configure a VTP server in Cisco IOS in configuration mode for VTP versions 1 and 2, follow these steps from privileged EXEC mode:
Step 1. Enter global configuration mode:
Switch# configure terminal
Step 2. Configure the VTP mode as server:
Switch(config)# vtp mode server
Step 3. Configure the domain name:
Switch(config)# vtp domain domainname
Step 4. (Optional.) Enable VTP version 2:
Switch(config)# vtp version 2
Step 5. (Optional.) Specify a VTP password:
Switch(config)# vtp password passwordstring
Step 6. (Optional.) Enable VTP pruning in the management domain:
Switch(config)# vtp pruning

Verifying the VTP Configuration
To display information about the VTP configuration
Switch# show vtp status
The show vtp status command is extremely valuable when troubleshooting a VTP issue. It shows the configuration revision number on the switch, the VTP domain name, VTP version number, and VTP mode (ex. server).
To display statistics about the VTP operation
Switch# show vtp counters

VTP Troubleshooting
Troubleshooting VTP if a switch does not seem to be receiving updates from a VTP server switch:

1. Make sure the switch is not set to transparent mode.
2. The link towards the VTP server may not be in trunking mode. Remember that VTP advertisements are only sent over trunked links. Perform a show interfaces x/x switchport to verify.
3. Make sure the VTP domain name matches that of the server (it is case sensitive).
4. Make sure the VTP version is set the same.
5. If using VTP passwords, make sure they match on both the server and client.

Private VLANs
Private VLANs allow you to prevent layer 2 connectivity between two devices within the same VLAN. An example would be two web servers that reside on the same network, but for security purposes, should never communicate. This allows a separated environment, but one that conserves IP addresses. Both ISPs and web hosting providers are frequent users of private VLANs. Note that the isolation is layer 2 only: a host can still reach an isolated neighbor by addressing the frame to the default gateway's MAC on the promiscuous port, and the router will route the packet straight back into the same subnet unless an ACL on that router interface (or a VACL) drops traffic whose source and destination are both inside the subnet.
Private VLAN ports are associated with a set of supporting VLANs. Only when both concepts are combined will private VLANs function properly. The terms Cisco uses are primary and secondary private VLANs. In a nutshell, a normal or primary VLAN can be associated with specially defined secondary private VLANs.

Private VLAN Port Types
There are two secondary private VLAN port types
Isolated
Complete layer 2 separation from other ports within the same private VLAN, except for promiscuous ports. All traffic to the port is blocked, except traffic from promiscuous ports. (Ex. a port configured for a highly-secure server)
Community
Communicate among themselves as well as the promiscuous port. Several devices can belong to a common community private VLAN, in which they will only be able to talk to each other and the promiscuous port (ex. default gateway).
Note: All secondary VLANs must be associated with one primary VLAN. Also, VTP versions 1 and 2 do not pass private VLAN information, so the private VLAN configuration is local to the switch it is configured on (VTP version 3 can carry it).

Interface Modes
Each physical switch interface that uses a private VLAN must be configured with a VLAN association.
The interface can be one of two modes:
Promiscuous
They can communicate with all other ports within the private VLAN. These are usually assigned to router or VLAN interfaces as they need access to all the networked devices within the private VLAN. A promiscuous port is only part of one primary VLAN, but each promiscuous port can map to more than one secondary private VLAN.
Host
A switch port that connects to a regular host that resides in a community or isolated VLAN. The port only communicates with the promiscuous port or ports in the same community VLAN.

Private VLAN Configuration
1. Set the VTP mode to transparent
Switch(config)# vtp mode transparent
2. Define the secondary VLANs
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan {isolated | community}
3. Define the primary VLAN
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
4. Define the physical interface
Switch(config-if)# switchport mode private-vlan {host | promiscuous}
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
-OR-
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Interfaces set to promiscuous mode must be "mapped" to the primary and secondary VLANs. Just remember that promiscuous ports are "mapped" and host ports are "associated".

Private VLAN Configuration Example
This is getting messy, so let's run through an example that configures both isolated and community secondary private VLANs as well as host and promiscuous interfaces:
Switch# conf t
Switch(config)# vtp mode transparent
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 60
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50,60
Switch(config-vlan)# exit
Switch(config)# int fastethernet 0/4
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 40
Switch(config)# int fastethernet 0/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 50
Switch(config)# int fastethernet 0/6
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 60
Switch(config)# int fastethernet 0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 40,50,60
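Added example, not from the original guide: a Python reachability check for the private VLAN configuration above (primary 100, community VLANs 40 and 50, isolated VLAN 60, host ports Fa0/4 to Fa0/6 and promiscuous port Fa0/1). Ports Fa0/7 and Fa0/8 are my additions, a second isolated port and a second community member, and validate() enforces the rule that each secondary VLAN belongs to exactly one primary.

```python
# Topology from the configuration example above; Fa0/7 (isolated 60) and Fa0/8 (community 40)
# are constructed additions so the isolated/isolated and community/community cases are visible.
SECONDARY = {40: "community", 50: "community", 60: "isolated"}
PRIMARY_ASSOCIATIONS = {100: {40, 50, 60}}

PORTS = {
    "Fa0/1": {"mode": "promiscuous", "primary": 100, "mapping": {40, 50, 60}},
    "Fa0/4": {"mode": "host", "primary": 100, "secondary": 40},
    "Fa0/5": {"mode": "host", "primary": 100, "secondary": 50},
    "Fa0/6": {"mode": "host", "primary": 100, "secondary": 60},
    "Fa0/7": {"mode": "host", "primary": 100, "secondary": 60},
    "Fa0/8": {"mode": "host", "primary": 100, "secondary": 40},
}


def validate(secondary, associations, ports):
    """Every secondary VLAN must be associated with exactly one primary, and every port
    must reference a VLAN pair that is actually associated. Returns secondary -> primary."""
    owners = {}
    for primary, secs in associations.items():
        for s in secs:
            if s not in secondary:
                raise ValueError(f"VLAN {s} is not declared as a secondary private VLAN")
            if s in owners:
                raise ValueError(f"secondary VLAN {s} associated with both {owners[s]} and {primary}")
            owners[s] = primary
    for name, p in ports.items():
        secs = p["mapping"] if p["mode"] == "promiscuous" else {p["secondary"]}
        for s in secs:
            if owners.get(s) != p["primary"]:
                raise ValueError(f"{name}: VLAN {s} is not associated with primary {p['primary']}")
    return owners


def can_forward(src, dst, ports=PORTS, secondary=SECONDARY) -> bool:
    """Layer 2 reachability between two private-VLAN ports on the same switch."""
    a, b = ports[src], ports[dst]
    if src == dst or a["primary"] != b["primary"]:
        return False
    if a["mode"] == "promiscuous" and b["mode"] == "promiscuous":
        return True
    if a["mode"] == "promiscuous":
        return b["secondary"] in a["mapping"]
    if b["mode"] == "promiscuous":
        return a["secondary"] in b["mapping"]
    # host to host: only inside the same community; isolated never talks to isolated
    return a["secondary"] == b["secondary"] and secondary[a["secondary"]] == "community"


def reachability_matrix(ports=PORTS):
    """Map each port to the set of ports it can reach at layer 2."""
    return {s: {d for d in ports if can_forward(s, d, ports)} for s in ports}


if __name__ == "__main__":
    validate(SECONDARY, PRIMARY_ASSOCIATIONS, PORTS)
    for src, dsts in reachability_matrix().items():
        print(f"{src} -> {sorted(dsts)}")
```

The matrix shows that the isolated ports see only Fa0/1, which is the gateway; whether they can still reach each other through that gateway is a layer 3 question the private VLAN does not answer.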

Private VLANs on SVIs
On switched virtual interfaces (SVIs) or layer 3 VLANs with IP addresses, an additional map must be inserted. For this example, let's use layer 3 VLAN 300 as the primary VLAN. Let's also assume that we have already created and configured secondary private VLANs 80 and 90. These are the additional mapping steps that must occur:
Switch(config)# vlan 80
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 90
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 80,90
Switch(config-vlan)# exit
Switch(config)# interface vlan 300
Switch(config-if)# ip address 192.168.1.199 255.255.255.0

At this point, VLAN 300 can communicate at layer 3, but the secondary VLANs (80 & 90) are stuck at layer 2. To allow the secondary VLANs to switch layer 3 traffic as well, you need to insert this mapping on the primary VLAN (SVI) interface:
Switch(config-if)# private-vlan mapping 80,90

CCNP Switch 642-813 Inter-VLAN Routing

VLANs require a layer 3 device between them to communicate. Cisco recommends using layer 3 routing at the distribution layer of the multilayer switched network to terminate local VLANs, isolate network problems, and avoid access layer issues from affecting the core.


There are 3 inter-VLAN routing device options
• layer 3 multilayer Catalyst switch
• external router that allows trunking (router-on-a-stick)
• external router with enough interfaces for every VLAN (this doesn't scale and is very expensive)

All Catalyst multilayer switches support the following types of layer 3 interfaces
Routed port – a pure layer 3 port similar to that on a router
Switch virtual interface (SVI) – virtual routed VLAN interface for inter-VLAN routing
Bridge virtual interface (BVI) – a layer 3 bridging interface

Inter-VLAN Routing Types

External Router (router-on-a-stick)
A layer two switch can be connected to a single router to allow inter-VLAN communication either using a single physical link as a trunk with multiple sub-interfaces (a.k.a. router-on-a-stick) or using separate physical links between the switch and router for each individual VLAN.

An example configuration on the router would be
Router(config)# interface FastEthernet 0/0.2
Router(config-subif)# description VLAN 2
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# ip address 10.2.2.1 255.255.255.0
Router(config-subif)# exit
Router(config)# end

Example switch trunk interface configuration connected to the router (FastEthernet 4/2)
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk

[Figure: router-on-a-stick addressing diagram; the labels recovered from the page read "ip address 10.1.20.0 255.255.255.0" for a subinterface and "interface native ... ip address 10.1.55.0 255.255.255.0" for the native VLAN]

Advantages
• Works with almost all switches because the switches do not have to support layer 3,

Switch Virtual Interfaces

Remember that Cisco recommends using layer 2 connectivity between access and distribution layers and layer 3 routing between distribution and core layers.
SVIs are virtual VLAN interfaces on multilayer switches; one SVI is created for each VLAN to be routed and it performs the routing for all the packets associated with that VLAN. The only SVI created by default is the SVI for VLAN 1. The rest must be created manually using the command:

Switch(config)# interface vlan vlan_id

SVIs are commonly used for
• Default gateways for users within the VLAN
• Virtual route between VLANs
• Provides an IP address for connectivity to the switch itself
• Can be used as an interface for routing protocols

An SVI is considered "up" when at least one interface in its associated VLAN is active and forwarding traffic. If all interfaces within that VLAN are down, the SVI goes down so that the switch stops advertising a route to a subnet nothing can reach (otherwise traffic for that subnet would be black-holed).

Advantages
• Fast because all performed in hardware
• No need for external links for routing
• Low latency (doesn't need to leave the switch)

Disadvantages
• May require a more expensive switch

Configuring Inter-VLAN Routing with SVIs
Implementation Planning

• Identify which VLANs require layer 3 gateways as you may not want all VLANs to be routable within the organization
• Make sure VLANs are first created on the switch, then make the SVIs
• Find out what IPs need to be configured on each SVI interface, then use the no shutdown command to enable them
• Configure any routing protocols that are required
• Determine if any switchports should be excluded from contributing to the SVI line-state up-and-down calculation

Configuring SVIs
1. Enable IP routing
2. Create the VLANs
3. Create the SVI
4. Assign an IP address to each SVI
5. Enable the interface
6. Optional – Enable an IP routing protocol
Note: Routing protocols are only required to allow different devices to communicate across different VLANs or networks. They are not required to route between SVIs on the same switch because the switch sees the SVIs as connected interfaces.

Example Configuration
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.1.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0


SVI Autostate
An SVI is automatically brought up when the following conditions are met:

• The VLAN is active and exists in the VLAN database
• The VLAN interface exists and is not administratively shut down
• At least a single port on the switch is in the VLAN, is in the up state, and is in the spanning-tree forwarding state.

This automatic line-state tracking is called SVI Autostate. If there are multiple ports on the switch in the same VLAN, the default action is to take down the SVI interface if all of the ports in that VLAN are shut down. The command switchport autostate exclude, when applied to a port, will allow the VLAN interface to go down if all of the other ports in the VLAN go down except the one autostate exclude was applied to. This is often desirable when traffic analyzers are attached to a host. They will stay up, but are
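Added example, not from the original guide: the autostate conditions above as a Python function, run on a constructed VLAN 10 with one user port and one port feeding a traffic analyzer, so the effect of switchport autostate exclude is visible.

```python
def svi_state(vlan_id, vlan_db, svi_admin_up, ports, excluded=frozenset()) -> str:
    """Return "up" or "down" for interface vlan <vlan_id> following the autostate rules."""
    if vlan_db.get(vlan_id) != "active":
        return "down"            # VLAN missing or suspended in the VLAN database
    if not svi_admin_up:
        return "down"            # administratively shut down
    for p in ports:
        if (p["vlan"] == vlan_id and p["name"] not in excluded
                and p["link"] == "up" and p["stp"] == "forwarding"):
            return "up"          # one eligible port is enough
    return "down"                # no eligible port: SVI goes down so the subnet is not advertised


# Constructed example: VLAN 10 has one user port (currently down) and one analyzer port
# that is always up because the analyzer never goes away.
VLAN_DB = {1: "active", 10: "active"}
PORTS = [
    {"name": "Gi0/1", "vlan": 10, "link": "down", "stp": "forwarding"},
    {"name": "Gi0/2", "vlan": 10, "link": "up", "stp": "forwarding"},
]


def analyzer_scenarios():
    """Same ports, with and without 'switchport autostate exclude' on the analyzer port."""
    return {
        "default": svi_state(10, VLAN_DB, True, PORTS),
        "exclude_applied": svi_state(10, VLAN_DB, True, PORTS, excluded={"Gi0/2"}),
    }


if __name__ == "__main__":
    print(analyzer_scenarios())
```

Without the exclude, the analyzer port alone keeps interface vlan 10 up and the switch keeps advertising a subnet no user can reach; with it, the SVI tracks the real user ports.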


Troubleshooting Inter-VLAN Problems
Here is a list to run through when identifying an issue related to inter-VLAN routing:

• Correct VLANs on switches and trunks
• Correct routes
• Correct primary and secondary root bridges
• Correct IP addresses and masks

The table below outlines common issues that may come up and some potential causes.

Routing Protocol Configuration
Unlike routers, multilayer switches do not automatically route until a layer 3 interface is defined or an SVI is created. Routing can be configured

Switch Forwarding Architectures
There are three different ways packets are switched on a layer 3 switch or router:
Process Switching
Each packet is examined by the internal processor and is handled in software. This is the slowest option (only used in routers).
Route Caching (old method also known as "fast switching")
The route processor tracks a flow's first packet, setting up a "shortcut" for the remaining packets so that they avoid software-based routing and are instead forwarded immediately in hardware. This method is faster than process switching and is done in both routers and layer 3 switches.
Cisco Express Forwarding (CEF)

Frames passing through the switch first enter the ingress queue, then proceed simultaneously to the Security TCAM (ACLs), QoS TCAM, and L2

• Discard
• Drop
For the CCNP SWITCH exam, it's not important that you understand the function of each adjacency type.
Switch# show adjacency
Displays the current adjacency table

Switch(config)# ip dhcp pool example10
Switch(config-dhcp)# network 10.1.10.0 255.255.255.0
Switch(config-dhcp)# default-router 10.1.10.1
Switch(config-dhcp)# option 150 ip 10.1.1.50 (option 150 specifies a TFTP server IP – often used by IP phones to reach Call Manager)
Switch(config-dhcp)# lease 0 8 0 (0 days, 8 hours, 0 minutes)

Switch(config)# interface vlan10
Switch(config-if)# ip address 10.1.10.1 255.255.255.0
Configuring DHCP Relay
If an enterprise is using external DHCP servers, then the ip helper-address command must be entered on the layer 3 interface. Hosts use broadcast messages to try to find the DHCP server, so if the server is in a different subnet the request is dropped at the default gateway, because broadcasts are not forwarded across VLAN boundaries.
The DHCP relay agent allows the DHCP request to be forwarded on as a unicast message to a single IP address. It not only forwards DHCP, but by default also TFTP, DNS, Time, NetBIOS name and datagram service, TACACS, and BOOTP packets. If you only want DHCP relayed, turn the others off with no ip forward-protocol udp port, so the helper does not become a generic broadcast-to-unicast relay toward your DHCP server. The ip helper-address command must be applied to the layer 3 interface itself.

Configuration Example
switch(config)# interface vlan10
switch(config-if)# ip address 10.1.10.1 255.255.255.0
switch(config-if)# ip helper-address 10.1.100.1
Note: You can apply this to an SVI or a routed interface.

Verifying DHCP Settings
Use these two commands to check its operation:
Switch# show ip dhcp binding – displays client DHCP bindings, including IP address and MAC
Switch# debug ip dhcp server packet – shows in real time the DHCP discover, offer, request, and ack packets

CCNP Switch 642-813 EtherChannel

EtherChannel is a term used to describe bundling or aggregating 2-8 parallel links. EtherChannel provides a level of link redundancy: if one link in the bundle fails, traffic sent through that link is automatically moved to an adjacent link in the bundle. Normally multiple links between switches create the potential for bridging loops, but because an EtherChannel bundle is treated as a single logical link by both switches, it avoids the problem. Spanning Tree sees the bundle as a single link, so individual ports will not be placed in a blocked STP state, allowing greater bandwidth utilization. If there are two redundant EtherChannel bundles, one entire EtherChannel will be blocked by STP to prevent a loop.

Any change made to the port-channel interface after the EtherChannel has been created is automatically applied to all member ports in that bundle. Also – bundles cannot form if any of the assigned ports are SPAN ports. EtherChannel links can be either access or trunk links, but if they are trunked (usually the case), they require the following to be the same on all member interfaces:

• VLANs
• Trunking mode
• Native VLAN
• Speed
• Duplex

EtherChannel link negotiation protocols
PAgP (Port Aggregation Protocol)
• Cisco proprietary
• Forms an EtherChannel only if ports are configured for identical static VLANs or trunking
• Will automatically modify interface parameters on all ports of the bundle if the EtherChannel interface is changed
• STP sends packets over only one physical link in a PAgP bundle. Because STP's algorithm uses the lowest port ID (priority + port number), if defaults are set STP will always use the lowest-numbered port for BPDUs

LACP (Link Aggregation Control Protocol)
• An open-standard alternative to PAgP
• IEEE 802.3ad
• Uses a priority system for end switches
• The switch with the lowest system priority (2-byte value followed by MAC – lowest wins) determines which ports are active in the EtherChannel at any given time
• Uses port priority to determine which ports to place in standby mode if hardware limitations do not allow all ports to participate in the EtherChannel
• Most implementations leave the system and port priority at defaults

EtherChannel Negotiation Protocols Summary

Configuration
PAgP
PAgP EtherChannel Interface Configuration
Switch(config)# interface fa 1/1/2
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | auto [non-silent] | desirable [non-silent]}
By default, PAgP operates in silent submode – allowing ports to be added to the EtherChannel even if it does not hear anything from the far end. This allows a switch to form an EtherChannel with a non-PAgP device such as a network analyzer or server. It is best practice to always use non-silent mode when connecting two switches together.

LACP
LACP EtherChannel Interface Configuration
Switch(config)# lacp system-priority number (optional)
Switch(config)# interface fa 1/1/3
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group number mode {on | passive | active}
Switch(config-if)# lacp port-priority number (optional)

It's important to note that EtherChannel can operate at layer 2 and layer 3. The configuration is a bit different between the two, so recognize what type you need before you begin your configurations. Layer 2 EtherChannel links are simply a bundled switch link that acts as one logical link. This is most commonly used for trunked links between switches.

Layer 3 EtherChannel bundles allow you to create a virtual port-channel interface that can be configured with an IP address. An example where this would be useful is connecting an EtherChannel bundle to a router. The router will require that its bundle has an IP address, so the virtual port-channel interface that you create can be assigned an IP address. Another example would be between multilayer switches at the distribution and core layers. Cisco recommends running layer 3 connectivity between the two, and EtherChannels would assist with providing increased bandwidth and redundancy.
Switch(config)# interface port-channel number
Switch(config-if)# ip address x.x.x.x x.x.x.x (layer 3 port-channel only – the interface must first be set to no switchport)
Switch(config-if)# switchport mode trunk (layer 2 port-channel only)
Switch(config-if)# switchport trunk allowed vlan 2,56,70
Switch(config-if)# switchport trunk native vlan 99
Note that in the configuration example above the interface mode (trunk) and VLANs are all configured on the port-channel directly and not on the physical interfaces that make up the bundle. While it will pass traffic either way, it is much simpler to manage VLAN consistency and configuration on the bundled link.
A LACP system priority can be ass igned to define the decision-making switch (lower priority wins – default is 32,768). If no priority is assigned, the switch with the lowest MAC address will be chosen.

Layer 3 EtherChannel Configuration
1. Create a virtual layer 2 interface
Switch(config)# interface port-channel 1
2. Change the port to layer 3
Switch(config-if)# no switchport
3. Assign an IP address to the port-channel
Switch(config-if)# ip address ipaddress subnetmask
4. Select the physical interfaces that are part of the bundle
Switch(config)# interface range interface_id port_number_range
5. Set the physical interfaces to layer 3
** If all of the physical interfaces are not operating at the same layer (e.g. port-channel set to no switchport and interfaces left at the default, switchport), the EtherChannel will not form.
Switch(config-if-range)# no switchport
6. Assign all physical interfaces to the EtherChannel group
Switch(config-if-range)# channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on | active | passive}

EtherChannel Load Balancing
The bundle uses a hash algorithm to pick a member link for each frame, so it will never be able to operate at 100% of the summed capacity of the links, and the load will not be balanced equally amongst the individual links. The hash result determines which individual interface each frame is forwarded through.
The algorithm can use source IP, destination IP, a combination of the two, source and destination MAC, or TCP/UDP port numbers. If only one address or port number is used for the hash, the switch uses one or more low-order bits of that value as an index into the bundled links. If two or more addresses and/or TCP ports are hashed, the hash XORs the low-order bits of the addresses or ports and uses the result as the index. To configure the EtherChannel load balancing type globally on the switch:
Switch(config)# port-channel load-balance method
Methods:

• src-ip – source IP
• dst-ip – destination IP
• src-dst-ip – source and destination IP (XOR) **DEFAULT METHOD** (the default differs by platform – some access switches default to src-mac – so confirm it with show etherchannel load-balance)
• src-mac – source MAC
• dst-mac – destination MAC
• src-dst-mac – source and destination MAC (XOR)
• src-port – source port
• dst-port – destination port
• src-dst-port – source and destination port (XOR)
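An added example, not from the guide, of the hash-then-index behaviour described above in Python: hash_bucket XORs the low-order bits of the addresses the chosen method uses, and bucket_to_link is an assumed round-robin mapping of the classic eight hash buckets onto member links (it reproduces the documented 3:3:2 split for a three-link bundle). The flows are constructed: sixteen clients all talking to one server, which is the case where the choice of method matters most.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

HASH_BITS = 3          # classic Catalyst hashing yields 8 buckets (3 low-order bits)


def _low_bits(value: int) -> int:
    return value & ((1 << HASH_BITS) - 1)


def hash_bucket(src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> int:
    """XOR the low-order bits of whichever addresses the method uses."""
    fields = [int(ipaddress.ip_address(a)) for a in (src_ip, dst_ip) if a]
    if not fields:
        raise ValueError("at least one address is needed")
    bucket = 0
    for f in fields:
        bucket ^= _low_bits(f)
    return bucket


def bucket_to_link(bucket: int, link_count: int) -> int:
    """Assumed bucket-to-member mapping: buckets dealt round-robin to members.

    With 3 members this gives the 3:3:2 bucket split Cisco documents for a
    three-link bundle; 2- or 4-link bundles split evenly.
    """
    if not 1 <= link_count <= 8:
        raise ValueError("EtherChannel bundles 1-8 links")
    return bucket % link_count


def choose_link(method: str, src_ip: str, dst_ip: str, link_count: int) -> int:
    if method == "src-ip":
        bucket = hash_bucket(src_ip=src_ip)
    elif method == "dst-ip":
        bucket = hash_bucket(dst_ip=dst_ip)
    elif method == "src-dst-ip":
        bucket = hash_bucket(src_ip=src_ip, dst_ip=dst_ip)
    else:
        raise ValueError(f"unsupported load-balance method {method!r}")
    return bucket_to_link(bucket, link_count)


def distribute(flows: Sequence[Tuple[str, str]], method: str, link_count: int) -> List[int]:
    """Count how many of the flows land on each member link."""
    counts = [0] * link_count
    for src, dst in flows:
        counts[choose_link(method, src, dst, link_count)] += 1
    return counts


# Constructed traffic: 16 clients all talking to one server.
FLOWS = [(f"10.1.1.{i}", "10.2.2.10") for i in range(1, 17)]

if __name__ == "__main__":
    for method in ("src-ip", "dst-ip", "src-dst-ip"):
        print(f"{method:12s} over 3 links -> {distribute(FLOWS, method, 3)}")
```

Run it and dst-ip puts every one of the sixteen flows on the same member (there is only one destination, so only one bucket), while src-ip and src-dst-ip spread them 6:6:4 over three links, never 16/3 each. That is the "not balanced equally" point in numbers, and why the method should match the traffic pattern on that bundle.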

Troubleshooting an EtherChannel
Remember that there should be consistent configurations on both ends of the bundle:
• If using mode "on", make sure both ends are set to it.
• If one end is set to desirable (PAgP) or active (LACP), the other side must be set to desirable or auto (PAgP) or active or passive (LACP).
• Auto (PAgP) and passive (LACP) modes only respond: they require the far end to request participation, so auto-auto and passive-passive never form a channel.
• PAgP auto and desirable modes default to silent submode – which will establish an EtherChannel without hearing from the far end. If set to non-silent submode, packets must be received from the far end before a channel will form.

To verify the EtherChannel status
Switch# show etherchannel summary
To verify an individual port's configuration

Switch# show run interface xx/xx
To check for EtherChannel errors on an interface
Switch# show interfaces xx/xx etherchannel
To verify the EtherChannel load balancing on a switch
Switch# show etherchannel load-balance

CCNP Switch 642-813 Spanning Tree

Spanning Tree Protocol (STP) is designed to prevent problems related to bridging loops. STP solves the problem by blocking redundant paths and allowing only a single active path. Spanning tree works by selecting a root switch and then selecting a loop-free path from the root switch to every other switch. To do that, spanning tree must choose a single root bridge, one root port for each non-root switch, and a single designated port for each network segment.

Several different versions of Spanning Tree have been introduced over the years. Here are a few:
Common Spanning Tree (CST)
IEEE 802.1D. One instance of spanning tree runs for the entire switched network, resulting in low CPU requirements but suboptimal traffic paths when multiple VLANs are used. It is also slow to converge.
Per VLAN Spanning Tree Plus (PVST+)
One instance of STP per VLAN; more resources required; still slow convergence; includes PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard.
Rapid STP (RSTP)
IEEE 802.1w. One instance of STP, but very fast convergence time. Still suboptimal traffic flows because there is only a single instance for the entire switched network.

Multiple Spanning Tree (MST)
An IEEE standard (802.1s) that allows you to map multiple VLANs with similar traffic flow requirements into the same spanning-tree instance. MST also uses RSTP for fast convergence. Each instance supports PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard.
RPVST+
A Cisco enhancement to RSTP that behaves similarly to PVST+. It supports a separate instance of RSTP for each VLAN, and each instance supports PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard. This option has the largest CPU and memory requirements.
Note: MST and RPVST+ have become the dominant spanning-tree protocols of choice, and in Cisco switches PVST+ is the default flavor of STP that is enabled when a VLAN is created.

STP Path Selection
Spanning tree builds the tree structure attempting to use the fastest links it has available for the active paths. STP uses the following steps to select its paths:
1. Lowest root bridge ID (BID)
2. Lowest path cost to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

STP Definitions
Bridge ID – bridge priority + MAC address

Bridge Priority – 0-65,535 (with the extended system ID used on Cisco switches, the priority is configured in increments of 4,096 and the VLAN ID is embedded in the remaining bits of the bridge ID)
Default Priority – 32,768
Port ID – port priority + port number
Port Priority – 0-240 (default is 128, increments of 16)
Path Cost – the cumulative cost of all links between the switch and the root bridge

STP Convergence
1. Root bridge election
Each VLAN elects one root bridge. All ports on the root bridge act as designated ports, which send and receive traffic as well as BPDUs. The bridge with the lowest bridge ID (lowest priority, then lowest MAC) becomes root.

2. Root ports are determined on all non-root bridges
Each non-root bridge is assigned a single root port that sends and receives traffic. The root port is chosen based on the port with the lowest-cost path between the non-root bridge and the root bridge. If two paths are equal cost, the lowest sender bridge ID breaks the tie, and then the lowest port ID (priority + port number).
3. Designated port selection
Each segment has a single designated port. Designated ports are chosen from non-root ports that have the lowest path cost to the root bridge. In the event of a tie, the bridge ID acts as a tiebreaker (lowest wins). All ports on a root bridge are designated ports.
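The path-selection order and the three convergence steps above, as an added Python simulation that is not part of the guide. Bridge and port IDs are tuples so that Python's tuple ordering implements "lowest wins" directly, designated ports are the only ones that send BPDUs, and the triangle topology, MACs and link costs are constructed for the example.

```python
from typing import Dict, List, Tuple

BridgeId = Tuple[int, int]     # (priority, MAC as an integer): lower wins
PortId = Tuple[int, int]       # (port priority, port number): lower wins


def bridge_id(priority: int, mac: str) -> BridgeId:
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def port_id(number: int, priority: int = 128) -> PortId:
    return (priority, number)


class Bridge:
    def __init__(self, name: str, priority: int, mac: str):
        self.name = name
        self.bid = bridge_id(priority, mac)
        self.ports: Dict[int, Tuple[str, int, int]] = {}   # port -> (neighbor, its port, cost)
        self.received: Dict[int, tuple] = {}              # port -> BPDU heard this round
        self.root = self.bid                              # every bridge starts believing it is root
        self.root_cost = 0
        self.root_port = None
        self.roles: Dict[int, str] = {}

    def bpdu(self, port: int) -> tuple:
        """What this bridge advertises: (root BID, root path cost, sender BID, sender PID)."""
        return (self.root, self.root_cost, self.bid, port_id(port))

    def recompute(self) -> None:
        # The four-step selection order is plain tuple ordering:
        # root BID, cost to root via this port, sender BID, sender PID, then our own PID.
        own = (self.bid, 0, self.bid, (0, 0), (0, 0), -1)
        candidates = [own]
        for p, (root, cost, sender_bid, sender_pid) in self.received.items():
            candidates.append((root, cost + self.ports[p][2], sender_bid, sender_pid, port_id(p), p))
        best = min(candidates)
        self.root, self.root_cost = best[0], best[1]
        self.root_port = None if best[5] == -1 else best[5]
        for p in self.ports:
            if p == self.root_port:
                self.roles[p] = "root"
            elif p not in self.received or self.bpdu(p) < self.received[p]:
                self.roles[p] = "designated"     # our BPDU is the best on this segment
            else:
                self.roles[p] = "nondesignated"  # a better bridge owns the segment: block


def run_stp(bridges: List[Bridge], links: List[Tuple[str, int, str, int, int]], rounds: int = 0) -> dict:
    """Synchronous BPDU exchange, repeated until the roles settle."""
    by_name = {b.name: b for b in bridges}
    for a, pa, b, pb, cost in links:
        by_name[a].ports[pa] = (b, pb, cost)
        by_name[b].ports[pb] = (a, pa, cost)
    for _ in range(rounds or len(bridges) + 2):
        for br in bridges:
            br.received = {}
        for br in bridges:
            for p, (nbr, npt, _) in br.ports.items():
                if br.roles.get(p, "designated") == "designated":   # only designated ports send
                    by_name[nbr].received[npt] = br.bpdu(p)
        for br in bridges:
            br.recompute()
    return {b.name: {"root": b.root == b.bid, "cost": b.root_cost, "roles": dict(b.roles)}
            for b in bridges}


def triangle() -> dict:
    """Constructed topology: three switches in a triangle of 1 Gbps links (cost 4).
    SW1 has its priority lowered to 4096; SW2 and SW3 keep the default 32768 and
    differ only in MAC, so the SW2-SW3 segment is settled by the lower MAC."""
    bridges = [Bridge("SW1", 4096, "0000.0000.0001"),
               Bridge("SW2", 32768, "0000.0000.0002"),
               Bridge("SW3", 32768, "0000.0000.0003")]
    links = [("SW1", 1, "SW2", 1, 4), ("SW1", 2, "SW3", 1, 4), ("SW2", 2, "SW3", 2, 4)]
    return run_stp(bridges, links)


if __name__ == "__main__":
    for name, info in triangle().items():
        print(name, info)
```

SW1 ends up root with both ports designated, SW2 and SW3 each take their direct link to SW1 as the root port (cost 4 beats cost 8 via the third switch), and on the SW2-SW3 segment SW2's lower MAC makes its port designated while SW3's is blocked. Lowering a priority to 4096 is what a "spanning-tree vlan N root primary" style configuration does for you, and the same ordering explains why an unplanned switch with a low MAC can take the root role when priorities are left at the default.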

STP Port Roles
Root port
• On non-root bridges only
• Forwards traffic towards the root bridge
• Only one per switch
• Can populate the MAC table
Designated port
• On root and non-root bridges
• All ports on the root bridge are designated ports
• Receives and forwards frames towards the root bridge as needed
• Only one per segment
• Can populate the MAC table
Nondesignated port
• Does not forward frames (blocking)
• Does not populate the MAC table
Disabled port
• A port that is shut down

STP Port States
Blocking
• In nondesignated status and does not forward frames
• Receives BPDUs to determine the root switch
• Default 20 seconds in this state (max age)
Listening
• Receives and sends BPDUs
• 15 seconds (forward delay)
Learning
• Populates the CAM table
• 15 seconds (forward delay)

Forwarding
• Forwards frames
• Sends and receives BPDUs
Disabled
• Does not participate in STP
• Does not forward frames

STP Path Cost
Spanning tree uses a link cost calculation to determine the root ports on non-root switches. It is calculated by adding the costs of all links between the root bridge and the local switch.
• 10 Gbps = Cost 2
• 1 Gbps = Cost 4
• 100 Mbps = Cost 19
• 10 Mbps = Cost 100
Rapid Spanning Tree
Rapid Spanning Tree Protocol (IEEE 802.1w) was introduced to dramatically speed up STP's convergence when network changes occur. RSTP can revert to 802.1D (common spanning tree) to interoperate with legacy bridges on a per-port basis. A rapid version of PVST+, RPVST+ is a per-VLAN implementation of rapid spanning tree.

RSTP Port States
Discarding
• Merges the former disabled, blocking, and listening states
• Prevents the forwarding of frames
• Seen in both stable/active and synchronization/change topologies
Learning
• Receives frames to populate the MAC table
• Seen in both stable/active and synchronization/change topologies

PortFast can be configured globally on an access switch for all interfaces to save configuration time. Also, it only applies to access interfaces, not trunks. Use the spanning-tree portfast trunk command if it is required on a trunk. If you do so, make sure to disable it explicitly on uplink interfaces.
To configure PortFast and disable both channeling and trunking negotiation on an interface:
Switch(config-if)# switchport host

RPVST+ Configuration
1. Enable RPVST+ globally on all switches: Switch(config)# spanning-tree mode rapid-pvst
2. Designate and configure a primary root bridge: Switch(config)# spanning-tree vlan 2 root primary
3. Designate and configure a secondary root bridge: Switch(config)# spanning-tree vlan 2 root secondary
4. Verify the configuration: Switch# show spanning-tree vlan 2

Multiple Spanning Tree
MST, or 802.1s, expands upon the IEEE 802.1w RST algorithm in an attempt to reduce the number of STP instances, thus reducing the required CPU cycles on a switch. MST enables you to group VLANs and associate them with spanning tree instances. Each instance's topology can be independent of the rest, allowing VLANs to be grouped and load balanced for fault tolerance. MST is also backwards compatible with all older STP variations.
Switches participating in MST that have the same MST configuration information are referred to as a region. Switches with different MST configurations or that are running legacy 802.1D are considered separate MST regions.
Note: Switches in the same MST region must have the exact same MST configuration to work properly (including the revision number).
MST is usually not implemented in campus environments because if you follow the local VLAN model (recommended by Cisco), there should not be that many VLANs on any given switch, since they should only extend to the switch block boundary. That makes RPVST+ a better choice because of its simpler configuration. Because MST is still often deployed, Cisco definitely still considers it an important topic on the SWITCH exam.

Multiple Spanning Tree Regions
Each switch that runs MST in the network has a single MST configuration consisting of the following 3 items:
• Configuration name (alphanumeric)
• Configuration revision number
• A 4096-element table that associates each VLAN to a given instance
• The default MST instance for all VLANs is MST00

MST Configuration
MST must be manually configured on each participating switch. Apply the following configuration on each switch that runs MST:
Enable MST globally
Switch(config)# spanning-tree mode mst

Enter MST Submode
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# show current
1. Define a configuration name
Switch(config-mst)# name X
2. Set the MST revision number
Switch(config-mst)# revision 1
3. Map the VLANs to an MST instance
Switch(config-mst)# instance 1 vlan 3,5,7
Switch(config-mst)# instance 2 vlan 2,4,6
Display the configuration to be applied
Switch(config-mst)# show pending
Note: This step is important because it is the only way to check the configuration before it is committed.

Display the current running MST configuration:
Switch(config-mst)# show current
Apply the configuration
Switch(config-mst)# end
Cancel the configuration
Switch(config-mst)# abort
Assign an MST root bridge
Switch(config)# spanning-tree mst 2 root primary

Verification Commands
Switch# show spanning-tree mst
Switch# show spanning-tree mst 1 (to view MST info for a single instance)
Switch# show spanning-tree mst 1 detail
Switch# show spanning-tree mst interface fa 0/3

Spanning Tree Enhancements
BPDU Guard
Prevents problems related to switches accidentally being connected to PortFast-enabled ports, where bridging loops would otherwise occur almost instantly. It places the port in err-disable state if it receives a BPDU – disabling the interface. An err-disabled port stays down until someone does shutdown / no shutdown on it, unless errdisable recovery cause bpduguard is configured to bring it back automatically.
To enable BPDU Guard globally on the switch (on all PortFast ports)
Switch(config)# spanning-tree portfast edge bpduguard default (older releases: spanning-tree portfast bpduguard default)
To enable BPDU Guard at the interface level
Switch(config-if)# spanning-tree bpduguard enable

BPDU Filter
Stops BPDUs from being sent or processed on PortFast-enabled interfaces.
When enabled globally on the switch
• Configures all PortFast ports for BPDU filtering
• If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and STP resumes default operation on the port
• When the port comes up, it sends 10 BPDUs; if it hears any BPDUs during that time, PortFast and BPDU filtering are disabled
When applied to an individual port

• It ignores all BPDUs it receives
• It does not transmit BPDUs
• Because it ignores incoming BPDUs, this can lead to bridging loop scenarios
Note: If you enable BPDU Guard and BPDU filtering on the same interface, BPDU Guard has no effect because BPDU filtering takes precedence over BPDU Guard.

To enable BPDU filtering globally on the switch
Switch(config)# spanning-tree portfast bpdufilter default
To enable BPDU filtering at the interface level
Switch(config-if)# spanning-tree bpdufilter enable
To verify
Switch# show spanning-tree summary OR
Switch# show spanning-tree interface fa 0/3 detail

Root Guard
Root guard was developed to control where root bridges can be located within the network. Switches learn about and elect root bridges based on the BPDUs they receive, so if a new switch is added to the environment with a lower bridge priority than the current root bridge, the new switch will become root – and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, root guard can be applied to interfaces where a root bridge should never be seen.
When root guard is applied to an interface, it forces the port to essentially always remain a designated interface, never allowing it to transition to a root port. If a root guard-enabled port receives a superior BPDU, it immediately moves the port to a root-inconsistent STP state (essentially the same as the listening state) and does not forward any traffic out that port.
When the root guard protected port stops receiving superior BPDUs, it automatically unblocks the port and proceeds through its normal listening, learning, and eventually forwarding states. No intervention is required.
To enable root guard on an interface
Switch(config)# int fa 4/4
Switch(config-if)# spanning-tree guard root

Loop Guard
Most bridging loops that occur when STP is active happen when a port in blocking state stops receiving BPDUs on the interface and therefore transitions to the forwarding state – creating an all-ports-forwarding loop. Loop guard instead moves such a port into a loop-inconsistent blocking state until BPDUs are received again. It blocks ports on a per-VLAN basis, so on trunks it will only block that VLAN – not the whole trunk.
Loop guard should be applied to all non-designated ports (e.g. root, alternate).
To enable loop guard on an interface
Switch(config)# int fa 4/4
Switch(config-if)# spanning-tree guard loop
To enable loop guard globally on the switch
Switch(config)# spanning-tree loopguard default
To verify
Switch# show spanning-tree interface fa 0/3 detail

UDLD
UDLD is another loop-prevention mechanism that complements STP. It tries to discover unidirectional links before they grow into bridging loops. This situation is much more common in fiber optic networks, where there is a physical Rx/Tx pair and one strand can stop functioning correctly.
STP relies on constant and consistent reception of BPDU messages. If a blocking port stops receiving BPDUs from the designated (upstream) port on its segment, STP ages out the information for the port and transitions it into the forwarding state. This will lead to a loop.

UDLD sends UDLD protocol packets to its neighbor switch – 15 seconds is the default interval. The neighbor is then expected to echo the packets back before a timer expires. If the switch does not hear a reply, it waits before finally shutting down the port.

There are two UDLD modes
Normal
UDLD simply places the port into an undetermined state if it stops hearing responses from its directly-connected neighbor
Aggressive (Preferred)
Tries to re-establish the connection up to 8 times, then puts the port in err-disable state (essentially shutting down the port)
Note: UDLD is disabled by default. The global udld enable command turns it on for every fiber-optic interface; copper ports have to be enabled individually with udld port.

To enable UDLD on an interface
Switch(config)# int fa 4/4
Switch(config-if)# udld port [aggressive]
To enable UDLD globally on all fiber ports
Switch(config)# udld {enable | aggressive}
Note: While loop guard and aggressive UDLD have many overlapping functions, enabling both provides the best protection.

• A root bridge should be manually assigned in every STP topology.
• If using PVST+ or RPVST+, assign a root bridge for each VLAN using the command: spanning-tree vlan vlan-id root primary
• If using HSRP, make sure the STP root bridge and HSRP active router are assigned to the same device if possible.
• Use the STP enhancements (sometimes referred to as the STP toolkit) to optimize the topology:
• Loop guard – implement on layer 2 uplink ports between the access and distribution layers
• Root guard – implement on distribution switch ports facing the access switches
• UplinkFast – implement on uplink ports from access to distribution switches
• BPDU guard or root guard – implement on access ports connected to end devices, as is PortFast
• UDLD – sometimes implemented on fiber ports between switches

Troubleshooting Spanning Tree
Duplex Mismatch
If one side of a link is set to half duplex and the other is set to full, then the potential exists that the full duplex side will begin sending lots of traffic to the half duplex interface. If that happens, the half duplex interface will experience collisions when it attempts to transmit STP BPDUs. The full duplex interface will therefore never receive them, and assume other interfaces on the switch in blocking state can transition to a forwarding state – creating a loop.
Unidirectional link failure
This occurs when a hardware failure causes a normally two-way link to become a one-way link. The potential loop problem is the same as with the duplex mismatch issue, with one side moving from blocking to forwarding because it stops receiving superior BPDUs on the interface.
Aggressive UDLD can prevent loops from forming when this occurs by putting the offending port into err-disable state. Cisco recommends using aggressive UDLD on all point-to-point links in a switched environment.

CCNP Switch 642-813 SNMP, Syslog, & IP SLA

Many people may be confused as to why I would dedicate an entire page to network monitoring tools and their configuration. The reason is that these topics are tested relatively heavily on the actual CCNP SWITCH exam. Whether you agree or disagree about the weight given to these topics is irrelevant. It's covered on the exam – so take the time to understand the topics.

Syslog
Syslog is a network management protocol that is not unique to Cisco devices, but integrates well within Cisco's IOS. Syslog allows a network-attached device to report and log error and notification messages either locally or to a remote syslog server. Syslog messages are plain text sent using UDP port 514, with no authentication or integrity protection, so keep the log path on a management network and treat the local buffer as a second copy rather than relying on the server alone. Every syslog message contains two parts, a severity level and a facility. The severity level goes from 0 to 7, with 0 being the most severe and 7 being simply debug information.
Syslog Priority (highest to lowest)
0. Emergency (highest)
1. Alert
2. Critical
3. Error
4. Warning
5. Notice
6. Informational
7. Debug (lowest)

Facilities are service identifiers that categorize events and messages for easier reporting.
The most common facilities on IOS devices include
• IP
• OSPF
• SYS (operating system)
• IP Security (IPsec)
• Route Switch Processor (RSP)
• Interface (IF)
Messages are presented in the following format:
%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text
An example:
%SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)

The example syslog message above indicates that the operating system (facility = SYS) is issuing a notification (SEVERITY = 5) that the device has been configured (MNEMONIC = CONFIG_I) by user cwr2000 on vty0 from IP 192.168.64.25.
Note: One of the most common syslog messages you'll see is the line protocol up/down message after a configuration change has been made in config mode. Also, if ACL logging is enabled, syslog messages will be generated when packets match ACL entries.
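An added example, not from the guide, that parses messages in this format and flags the ones a switch operator would want to act on. The log lines are constructed samples in IOS format (timestamps, hosts and addresses are made up), and the watch-list of mnemonics is my own choice of what is worth a look regardless of severity.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample lines in IOS format.
LOG_LINES = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)",
    "*Mar  1 00:12:40.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "*Mar  1 00:13:02.210: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/1 on VLAN0010.",
    "*Mar  1 00:13:09.902: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/7, putting Gi0/7 in err-disable state",
    "*Mar  1 00:13:15.444: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(51234) -> 10.2.2.10(23), 1 packet",
    "*Mar  1 00:13:20.000: Translating \"example\"...domain server (10.1.1.53)",
]


@dataclass
class SyslogMessage:
    facility: str      # FACILITY or FACILITY-SUBFACILITY
    severity: int      # 0 (emergency) .. 7 (debug)
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse '%FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text'; None if not IOS-formatted."""
    start = line.find("%")
    if start < 0:
        return None
    colon = line.find(":", start)
    if colon < 0:
        return None
    fields = line[start + 1:colon].split("-")
    # The severity is the lone digit field; the facility (and any subfacility)
    # precede it and the mnemonic follows it.
    for i, field in enumerate(fields):
        if len(field) == 1 and field.isdigit() and 0 < i < len(fields) - 1:
            return SyslogMessage("-".join(fields[:i]), int(field),
                                 "-".join(fields[i + 1:]), line[colon + 1:].strip())
    return None


# Mnemonics worth a second look on a switch even at notice/info severity (my choice).
WATCH_MNEMONICS = {
    "CONFIG_I": "configuration changed",
    "ERR_DISABLE": "port err-disabled",
    "ROOTGUARD_BLOCK": "superior BPDU on a root-guard port",
    "IPACCESSLOGP": "ACL deny",
}


def triage(lines: List[str]) -> List[Tuple[str, SyslogMessage]]:
    """Return (reason, message) pairs: anything critical or worse, plus watched mnemonics."""
    alerts = []
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        if msg.severity <= 2:
            alerts.append((f"severity {msg.severity_name}", msg))
        elif msg.mnemonic in WATCH_MNEMONICS:
            alerts.append((WATCH_MNEMONICS[msg.mnemonic], msg))
    return alerts


if __name__ == "__main__":
    for reason, msg in triage(LOG_LINES):
        print(f"{reason:40s} {msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.text}")
```

The point of keying on the mnemonic as well as the severity is that the interesting events on a switch are often logged at notice or informational level: a configuration change is severity 5 and an ACL deny is severity 6, so a filter that only forwards "warning and worse" to the collector silently drops both.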

Configuring Syslog
To configure syslog to export events to an external syslog server, use the following commands:
Switch(config)# logging [ip address of server]
Switch(config)# logging trap [severity level]
To configure the local switch to store syslog messages, use the logging buffered command:
Switch(config)# logging buffered [buffer size] [severity level]
Use the show logging command to show the contents of the local log buffer.

SNMP
SNMP is simply the standard for network monitoring and management and contains three core elements:
• Network Management Application (SNMP Manager)
• SNMP Agents (running inside a managed device)
• MIB Database

IP Service Level Agreement
Service level agreements, or SLAs, are contractual agreements usually between a customer and a service provider that spell out the minimum acceptable levels of service. SLAs are often attached to WAN and MPLS links because any downtime can significantly affect business performance/profits. In terms of the exam, Cisco's IP SLA attempts to measure latency,

2. The responder sends a confirmation message back to the source router and listens on the specified port.
3. If the response to the control message is OK, the source begins sending probe packets.
4. The responder responds to the incoming probe packets for the predetermined time.

The diagram above outlines the timestamp process IP SLA uses to calculate round-trip time (RTT) accurately.
1. The source sends a packet at time T1.
2. The responder records both the receipt time (T2) and the transmit time (T3). Because there can be delay between when the router receives the packet and when the confirmation is sent back out the interface, it tracks the difference in time (in sub-milliseconds). The source later subtracts this difference (T3 – T2) from the total round trip (T4 – T1, where T4 is when the reply arrives back at the source) because it was not time in transit, but rather router software processing time.
An additional benefit of so many timestamps is the ability to track one-way delay,

CCNP Switch 642-813 High-Availability Overview

    High availaility is an organi9ational o

• Avoiding single points of failure as much as possible
  o This can be achieved at the access layer with help from SSO (for layer 2) and potentially NSF (for layer 3)
Redundant Supervisor Engines
Providing redundant switch supervisor engines adds another level of high availability for critical distribution and core layer devices. Redundant switch supervisor engine options are only available on the Cisco Catalyst 4500 and 6500 families of switches.
The three redundancy options are
• RPR (Route Processor Redundancy) and RPR+
• SSO (Stateful Switchover)
• NSF (Non-Stop Forwarding)
RPR was the first form of supervisor engine redundancy and is no longer the preferred option. The primary reason is the time required to fail over to the backup supervisor engine.
RPR – 2 to 4 minutes on the 6500 (~60 seconds on the 4500)
RPR+ – takes between 30-60 seconds
RPR also does not synchronize routing information with the redundant supervisor engine, so all dynamic routing state information is lost upon failover. Also, upon failover the FIB tables are cleared, so all dynamic routing protocols must reconverge. Only static routes will remain intact, as they are manually configured.

    State(#l Switch"%e SSSS. is designed to minimi9e disruption while transitioning layer 6 services during asupervisor #ailover! 2ven a cloc- synchroni9ation #ailure etween supervisors is enough tocause a #ailover with SS.! The redundant supervisor starts up in a #ully initiali9ed state and syncs with the startup andrunning confguration o# the active supervisor engine! "ll susequent changes are then alsoupdated+ allowing #or seamless continuation o# all supported layer two protocols!SS. recogni9es the lin- status o# every port+ so lin-s that were active e#ore the switchoverremain active! Neighoring devices do not see the lin- go down and spanning3tree remainsunaected!

    .n the M8BBs+ the switchover ta-es etween B3) seconds! .n the 78BB series switches itta-es less than a second! 'ayer ) in#ormation must e relearned however which includesreuilding "1P tales and layer ) C2> ad entries are removed!Changes have een made to many o# the modern routing protocols /2IK1P+ .SP>+ IS3IS+ @KP0so that upon switchover+ an NS>3enaled router sends special pac-ets that trigger routing

updates from the NSF-aware neighbors without resetting the peer relationship and preventing route flapping and changes. In summary, NSF improves network availability and stability.

Configuring NSF
The configuration is different for EIGRP, IS-IS, and OSPF than for BGP. See the examples below:
Switch# conf t
Switch(config)# router ospf 100
Switch(config-router)# nsf
Switch# conf t
Switch(config)# router bgp 10
Switch(config-router)# bgp graceful-restart

HSRP
Several first hop redundancy protocols exist including IRDP, HSRP, VRRP, and GLBP. HSRP is another high-availability tool like Spanning Tree and dynamic routing protocols.
Default gateways are essential for devices to communicate with devices outside their local network. If the gateway is unavailable for any reason, external conversations cease. In an effort to mitigate that situation, first hop redundancy protocols have been developed to provide pairs of gateways, often one active and the other in standby, to allow an always-up default gateway.
HSRP (RFC 2281) is a redundancy protocol developed by Cisco to solve this problem. HSRP provides a virtual MAC and IP address that represents a set (2 or more) of physical routers. The virtual IP will be used as the default gateway address for the segment. ARP requests for the virtual IP (the default gateway) are answered with the virtual MAC.
The active router sends hellos (multicast 224.0.0.2 // UDP port 1985) to the standby router(s) to let them know it is still up. If a standby router stops receiving hellos from the active router, it assumes the role of active and takes over forwarding packets for the network - all transparent to the end systems.

HSRP Groups
The virtual MAC used is always 0000.0c07.acxx where xx is the HSRP group ID. The .0c07 portion is the well-known HSRP virtual MAC identifier. For example, if you see a message with a source MAC of 0000.0c07.ac0b, the HSRP group number would be 11: the 0b hex value after the .0c07.ac is 11 in base 10 format.
Note: There can be only a single active and single standby router in a HSRP group. After two routers, the rest stay in initial state and wait for the active or standby to go down before contending for the active and standby position. The active router processes packets sent to the virtual router.
The active router in the HSRP group is determined by an election process. The router with the highest HSRP priority configured wins and if no specific priority has been set, the router with the highest IP address is elected as the active router.
Note: A new election will only occur if the active router is removed, the same is true for the standby router. This default behavior can be changed with the preempt command.

HSRP States
Initial: State from which routers begin the HSRP process.
Standby: A candidate to become the next active router.
Learn: The router is still waiting to hear from the active router.
Active: The router is currently forwarding packets.
Listen: Listens for hello messages from the active and standby routers.
Speak: Participates in the election for the active or standby router. This is also the state an active router enters immediately after it has been preempted by a higher priority router.
Hellos are sent in the active, standby, and speak states.

HSRP Configuration
When configuring both spanning tree and HSRP on a segment, it is best practice to make the root bridge and HSRP active router the same device. HSRP can only be configured on a layer 3 interface including SVIs, routed interfaces, and L3 etherchannels.
Switch(config-if)# standby group-number ip ip-address
The group number is only required if you plan on implementing more than one HSRP group on the router. If none is specified, group number 0 will be used.
A priority value can be set to force a router to become the active router in the group. The default is 100, and it can be manually set between 0 and 255. Higher wins. If the priority is the same, the router with the highest IP address will become active for that standby group.
Load sharing is often implemented with HSRP by configuring multiple groups and assigning different VLANs to each.
To set the HSRP priority value for a router:
Switch(config-if)# standby group-number priority priority-value
The no standby priority command will assign the router a priority of 100 (default).
Remember that if two routers are manually booted up at the same time and the one with the lower priority boots up first, it will become the active router in the group even though its priority is lower. That is because it will not see any other routers when it begins the election process and will transition straight to active. Once the other router comes up, it will not automatically become active. To change this, use the preempt command on the router you want to remain active.
Switch(config-if)# standby group-number preempt
To test, use the command show standby brief.
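The boot-order behaviour just described is easy to get wrong in a design review, so here is an added Python model of it (example code for this guide, not Cisco's implementation): routers join a group one at a time, the first one up goes straight to active, a later router only displaces it if it has preempt configured and a better (priority, IP) pair, and a failure of the active router triggers the highest-priority / highest-IP election. Router names and addresses are constructed.

```python
# Added example: a small model of HSRP active-router selection covering the
# default election, the highest-IP tie-break, boot order and preempt.
# Router names and addresses below are constructed for the illustration.

from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100      # default priority on the page is 100, range 0-255
    preempt: bool = False    # "standby <group> preempt" configured?

    def key(self):
        """Election ordering: highest priority wins, then highest IP address."""
        if not 0 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority out of range")
        return (self.priority, tuple(int(o) for o in self.ip.split(".")))


class HsrpGroup:
    def __init__(self):
        self.active = None
        self.members = []

    def boot(self, router):
        """A router comes up. With nobody else heard it goes straight to active;
        otherwise it only takes over when it has preempt and a better key."""
        self.members.append(router)
        if self.active is None or (router.preempt and router.key() > self.active.key()):
            self.active = router
        return self.active.name

    def fail(self, router):
        """The router leaves the group; if it was active, a normal election runs."""
        self.members.remove(router)
        if self.active is router:
            self.active = max(self.members, key=HsrpRouter.key) if self.members else None
        return self.active.name if self.active else None

    def election_winner(self):
        """Who should be active by priority/IP alone, regardless of boot order."""
        return max(self.members, key=HsrpRouter.key).name


def boot_order_scenario(preempt_on_high):
    """Low-priority router boots first. Return (active after both boot,
    active after the high-priority router fails); shows why preempt matters."""
    grp = HsrpGroup()
    low = HsrpRouter("DSW1", "10.10.10.2", priority=90)
    high = HsrpRouter("DSW2", "10.10.10.3", priority=110, preempt=preempt_on_high)
    grp.boot(low)
    after_boot = grp.boot(high)
    after_fail = grp.fail(high)
    return after_boot, after_fail


if __name__ == "__main__":
    print("no preempt:", boot_order_scenario(False))   # DSW1 stays active
    print("preempt   :", boot_order_scenario(True))    # DSW2 takes over
```

Without preempt the priority-90 router keeps the active role indefinitely after a maintenance reboot, which is exactly the situation show standby brief would reveal on the wrong device.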

HSRP Authentication
Authentication is optional with the following command:
Switch(config-if)# standby group-number authentication password
The default password is cisco if none is specified and the password string must be the same on all members of the standby group. Because that default is well known and carried in clear text, it does not by itself keep an unexpected device on the segment out of the group; set a group-specific string on every member (IOS also offers an MD5 keyed form of this command on platforms that support it).

HSRP Timers
HSRP uses two important timers between the active/standby routers. Hello timers are used to exchange HSRP information while the hold down timer is used to determine how long before a router is declared to be down in a group. The default hello timer is 3 seconds and the default hold down timer is 10 seconds. That means there could be up to a 10 second delay before the standby router begins forwarding traffic if the active goes down.

To tune the timers (in seconds):
Switch(config-if)# standby group-number timers hellotime holdtime
Example:
Switch(config-if)# standby 10 timers 1 3
Note: If you are noticing the HSRP states frequently changing, you may have a physical layer problem or a spanning-tree loop. If you notice the output "Standby router is unknown expired", you likely have a HSRP misconfiguration or a physical connectivity issue.

HSRP Versions
HSRP comes in two versions, 1 and 2. The most significant difference is that v1 only allows up to 255 group numbers and v2 allows up to 4095, making it now possible to correspond group numbers with VLAN IDs.
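To tie the group-number discussion to the virtual MAC format given under HSRP Groups, here is an added Python helper (written for this guide, not Cisco code) that converts a group number to its virtual MAC and back, and scans ARP-table style lines for HSRP gateways. The version 1 prefix 0000.0c07.acxx is the one the guide states; the version 2 prefix 0000.0c9f.fxxx with a 12-bit group field is from general knowledge of HSRPv2 and is not on the page. The sample ARP lines are constructed.

```python
# Added example: encode and decode HSRP virtual MAC addresses, and pick HSRP
# gateways out of ARP-table style lines. The v1 prefix comes from the guide;
# the v2 prefix is the well-known 0000.0c9f.fxxx block (12-bit group), which
# the guide does not state. All sample lines are constructed.

import re

HSRP_V1_PREFIX = "00000c07ac"    # 0000.0c07.acXX, 8-bit group (0-255)
HSRP_V2_PREFIX = "00000c9ff"     # 0000.0c9f.fXXX, 12-bit group (0-4095)

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MAC_TOKEN = re.compile(
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac):
    """Accept 0000.0c07.ac0b, 00:00:0c:07:ac:0b or 00-00-0c-07-ac-0b; return 12 hex chars."""
    flat = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(flat):
        raise ValueError(f"not a MAC address: {mac!r}")
    return flat


def dotted(flat):
    """Cisco dotted form xxxx.xxxx.xxxx from 12 hex characters."""
    return f"{flat[0:4]}.{flat[4:8]}.{flat[8:12]}"


def hsrp_virtual_mac(group, version=1):
    """Virtual MAC in Cisco dotted form for an HSRP group number."""
    if version == 1 and 0 <= group <= 255:
        return dotted(f"{HSRP_V1_PREFIX}{group:02x}")
    if version == 2 and 0 <= group <= 4095:
        return dotted(f"{HSRP_V2_PREFIX}{group:03x}")
    raise ValueError(f"group {group} not valid for HSRP version {version}")


def hsrp_group_from_mac(mac):
    """Return (version, group) for an HSRP virtual MAC, or None for any other MAC."""
    flat = normalize_mac(mac)
    if flat.startswith(HSRP_V1_PREFIX):
        return 1, int(flat[10:], 16)
    if flat.startswith(HSRP_V2_PREFIX):
        return 2, int(flat[9:], 16)
    return None


def find_hsrp_gateways(lines):
    """Scan text such as 'show ip arp' output and list (ip, version, group) for
    every line whose MAC is an HSRP virtual MAC. The first IPv4 address and the
    first MAC on each line are used."""
    found = []
    for line in lines:
        mac = _MAC_TOKEN.search(line)
        ip = _IPV4.search(line)
        if not mac or not ip:
            continue
        hit = hsrp_group_from_mac(mac.group(0))
        if hit:
            found.append((ip.group(0), hit[0], hit[1]))
    return found


# Constructed ARP-table style lines (not real device output).
SAMPLE_ARP = [
    "Internet  10.10.10.1   0   0000.0c07.ac0b  ARPA   Vlan10",
    "Internet  10.10.10.2   5   0011.2233.4455  ARPA   Vlan10",
    "Internet  10.10.20.1   0   0000.0c9f.f014  ARPA   Vlan20",
]

if __name__ == "__main__":
    print(hsrp_virtual_mac(11), hsrp_group_from_mac("00:00:0c:07:ac:0b"))
    print(find_hsrp_gateways(SAMPLE_ARP))
```

A quick inventory of which VLANs carry an HSRP gateway, and in which group, is a useful baseline when reviewing a campus design or checking that group numbers really do line up with VLAN IDs as the v2 text suggests.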

Tracking
Tracking a critical uplink interface can force a re-election by decrementing the active router's priority value by a set amount (default 10).
Switch(config-if)# standby group-number track interface value-to-decrement
Example:
Switch(config-if)# standby 10 track fa 1/0/1 100

VRRP
VRRP is an open standard redundancy protocol that is similar to Cisco's HSRP. One difference is that the virtual IP can either be a virtual one (as is the case with HSRP) or it can be the actual IP address of the active router.

The VRRP "master" forwards the traffic and is chosen because it owns the real IP address or has the highest priority (default is again 100). The "backup" router takes over if the master fails. Priority values are between 1-255. If the master router fails, it advertises a priority of 0, forcing an election amongst the backup routers without waiting for the hold down timer to expire. Note: Multiple VRRP groups are allowed like HSRP.

VRRP Configuration
Switch(config-if)# vrrp group-number ip virtual-ip-address
Switch(config-if)# vrrp group-number priority priority-value
VRRP Timers

• Advertisements, or hellos: default 1 second

• Master down interval = 3 times the advertisement time + skew (essentially the same as HSRP's hold down timer)

Skew time = (256 - priority) / 256. Used to ensure the highest priority backup router becomes master.
Note: Make changes on the master because changes in timers are then propagated to the backups automatically.
Switch(config-if)# vrrp group-number timers advertise time-in-seconds
Note: VRRP cannot track interface changes, but can track IP SLA object groups.
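The two timer formulas above decide which backup takes over and how long the gateway is gone. As an added example (written for this guide, not Cisco code), the Python below evaluates skew and master-down interval for a constructed set of backups and shows that the highest-priority backup times out first, and how lengthening the advertisement interval stretches the outage.

```python
# Added example: VRRP backup timing from the formulas on the page:
#   skew = (256 - priority) / 256 seconds,  master_down = 3 * advertise + skew.
# Router names and priorities below are constructed.


def vrrp_skew_time(priority):
    """Seconds of skew for a backup with this priority (higher priority -> smaller skew)."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1-255")
    return (256 - priority) / 256


def vrrp_master_down_interval(priority, advertise=1.0):
    """Seconds a backup waits without advertisements before declaring the master down."""
    if advertise <= 0:
        raise ValueError("advertisement interval must be positive")
    return 3 * advertise + vrrp_skew_time(priority)


def next_master(backups, advertise=1.0):
    """Given {name: priority} for the backups, return (name, seconds) of the one
    that times out first and therefore becomes master. Equal priorities share an
    interval; the name that sorts first is returned in that case."""
    if not backups:
        raise ValueError("no backups")
    ranked = sorted(backups.items(),
                    key=lambda kv: (vrrp_master_down_interval(kv[1], advertise), kv[0]))
    name, prio = ranked[0]
    return name, vrrp_master_down_interval(prio, advertise)


def failover_table(backups, advertise=1.0):
    """Per-backup (name, priority, skew, master_down) rows sorted by who fires first."""
    rows = [(n, p, vrrp_skew_time(p), vrrp_master_down_interval(p, advertise))
            for n, p in backups.items()]
    return sorted(rows, key=lambda r: r[3])


# Constructed group: master advertises every second; three backups.
BACKUPS = {"DSW2": 200, "DSW3": 100, "DSW4": 50}

if __name__ == "__main__":
    for row in failover_table(BACKUPS):
        print("%-5s prio=%3d skew=%.5fs master_down=%.5fs" % row)
    print("next master:", next_master(BACKUPS))
    print("with 'vrrp 10 timers advertise 3':", next_master(BACKUPS, advertise=3))
```

The skew term is what keeps two backups from both promoting themselves at once: the priority-200 backup fires at 3.21875 s, the priority-100 one only at 3.609375 s, so by the time the second would act it already hears advertisements from the new master.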

GLBP
One of the ma

The forwarders, or AVFs.

GLBP Configuration
Switch(config-if)# glbp group-number ip virtual-ip-address
Switch(config-if)# glbp group-number priority priority-value
Remember that the default gateway IP address that is configured on the end hosts should be set to the virtual IP address.

IRDP
Some newer hosts use the ICMP Router Discovery Protocol (RFC 1256) to find a new router when a route becomes available. A host running IRDP listens for hello multicast messages from its configured router and uses an alternate router when that router is no longer available. It is not necessary to understand the technical details of how IRDP works, but be aware that it is a valid first hop redundancy protocol.

CCNP Switch 642-813 VoIP & QoS

Voice over IP (VoIP) is becoming more and more common in the enterprise world by replacing traditional TDM phone systems with feature-rich IP-based communication servers. Some benefits of converged voice, video, and data into a single network include:
Reduced expense
If only a single cable drop is required per user, cabling and network provisioning costs go down. PSTN costs also go down as more calls can use the existing data network and not the public phone service.
Efficiencies in bandwidth
For example, if a voice call is not in progress data can be transmitted on the same link. That's not the case with traditional phone lines.
Innovative features
VoIP allows new services to be added including unifying several modes of communication (ex. voicemail, email, IM). Service providers can also sell new services and provide more flexible pricing arrangements.
AVVID
Architecture for voice, video and integrated data, more commonly referred to by Cisco as AVVID, was an all-encompassing blueprint for converged enterprise networks pitched by

Cisco. While it was originally intended to include a very large cross-section of product families, it has been primarily focused on Cisco's VoIP products. For the exam you should simply be aware of the fundamental deployment concerns which AVVID addresses:

• High availability

• QoS

• Security

• Mobility

• Scalability

VoIP Components

• IP Phones: Provide voice and applications to users

• Cisco Unified Communications Manager (UCM): Essentially an IP PBX

• Voice Gateways: Translate between IP and PSTN

• Gatekeepers: Optional, usually in larger environments. Performs call admission control, allocates bandwidth for calls, and resolves phone numbers to IP addresses

• Video Conferencing Units: Allow voice/video calls

• Multipoint Control Units: Allow multi-point audio and videoconferencing

• Application Servers: Provide application services like Unity Voicemail

Note: Voice traffic comes in two types, voice bearer and call control signaling. The voice bearer traffic uses RTP (Real Time Protocol) over UDP, while the call control portion can use several different protocols to communicate between the phone and UCM and UCM to voice gateway.

VoIP Network Requirements
When planning for a VoIP deployment, keep in mind the following factors:

• The sum of every application's bandwidth (including voice) should not exceed 75% of the total available bandwidth for each link.

Voice VLANs
Voice VLANs (sometimes referred to as auxiliary VLANs) are a way for Cisco switches to dynamically tag and assign voice traffic including placing it in its own separate VLAN/subnet. That allows for QoS and security to be applied as well as simplified troubleshooting. Voice VLANs are disabled by default.
Cisco IP phones have a small internal switch that places an 802.1Q tag on the voice traffic and marks the Class of Service (CoS) bits in the tag. Data traffic (from the attached PC) is sent over the native VLAN, while all voice traffic is sent over the configured VLAN on the access port. Cisco calls this setup a multi-VLAN access port. This whole process of enabling voice VLANs also enables the switch to forward frames with specific 802.1P markings. 802.1P designates how QoS is applied at the MAC layer.
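To make the tag-and-CoS mechanism concrete, here is an added Python example (written for this guide, not Cisco code) that builds Ethernet frames with and without an 802.1Q tag, parses the tag back into VLAN ID and CoS (the 3-bit 802.1p PCP field), and classifies frames the way a multi-VLAN access port would: tagged with the voice VLAN, untagged on the native VLAN, or tagged with something else. The MAC addresses, VLAN numbers and payloads are constructed.

```python
# Added example: build and parse Ethernet frames with an 802.1Q tag so the
# voice-VLAN / CoS mechanism above can be seen at the byte level. The MACs,
# VLAN numbers and payloads are constructed; this is not Cisco code.

import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, payload, vlan=None, cos=0, ethertype=ETHERTYPE_IPV4):
    """Untagged frame when vlan is None (what a PC on the native VLAN sends);
    otherwise insert a 4-byte 802.1Q tag: TPID 0x8100 + TCI (PCP=CoS, DEI=0, VID)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS (802.1p PCP) is a 3-bit field, 0-7")
    head = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is None:
        return head + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (cos << 13) | vlan
    return head + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return {'dst','src','vlan','cos','ethertype','payload'}; vlan is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "cos": 0,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "cos": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def classify_on_access_port(frame, voice_vlan):
    """How a multi-VLAN access port sees a frame: tagged with the voice VLAN ->
    'voice'; untagged -> 'data' (native VLAN); any other tag -> 'unexpected',
    which is worth counting, since a data device on the port has no reason to send it."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return "data"
    if info["vlan"] == voice_vlan:
        return "voice"
    return "unexpected"


# Constructed frames: phone voice traffic on VLAN 110 with CoS 5, PC traffic
# untagged, and a frame tagged with a VLAN other than the voice VLAN.
PHONE = build_frame("00:1b:54:aa:bb:cc", "00:1b:54:11:22:33", b"\x45" + b"\x00" * 19, vlan=110, cos=5)
PC = build_frame("00:1b:54:aa:bb:cc", "08:00:27:44:55:66", b"\x45" + b"\x00" * 19)
OTHER = build_frame("00:1b:54:aa:bb:cc", "08:00:27:44:55:66", b"\x45" + b"\x00" * 19, vlan=10, cos=7)

if __name__ == "__main__":
    for name, f in (("phone", PHONE), ("pc", PC), ("other", OTHER)):
        info = parse_frame(f)
        print(name, info["vlan"], info["cos"], classify_on_access_port(f, 110))
```

The TCI for VLAN 110 with CoS 5 comes out as 0xa06e: the top three bits carry the CoS that the later QoS commands trust or overwrite, the low twelve bits carry the VLAN the switch uses to place the frame in the voice subnet.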

Power Over Ethernet
PoE Switches
Two different power standards exist for PoE, Cisco Inline PoE and IEEE 802.3af. Both have a mechanism to sense that a powered device is connected to a port: 802.3af relies on the devices to let the switch know how much power it needs, while Cisco's devices can additionally use CDP to send that information. Most phones don't require more than 15 Watts of power, but some PoE equipment still requires more. The new 802.3at standard will specify up to 30 Watts of power. Some current Cisco switches can supply up to 20W.
The switch assumes all PoE devices require 15.4 W of power until the device tells the switch otherwise. If the switch reboots, all PoE devices will receive 15.4 Watts at the same time, which is why you should budget 15.4 W for every PoE device when doing power planning.
Note: Non-CDP devices always get 15.4 W allocated to them.

PoE Configuration
Cisco switches automatically detect and provide power, but if you need to disable it or re-enable it, use the following commands:
Switch(config-if)# power inline {never | auto}
To view power information for all ports:
Switch# show power inline [interface]
Video
Video traffic, from Cisco's perspective, falls into one of three categories:
Many to many
Examples include Telepresence, WebEx, peer-to-peer video apps
Data flows client-to-client or MCU-to-client
Bandwidth requirements for high-def video can be up to 12 Mbps per location (with compression)
Many to few
Examples include IP surveillance cameras. Typically require up to 4 Mbps of bandwidth

Cisco recommends marking the traffic as close to the source as possible. IP phones can mark their own traffic and other clients can be marked at the access switch. If that is not an option mark at the distribution layer, but never at the core. Marking slows traffic down, so it has no place being in the core. All devices within the network path should be configured to trust the marking and provide service based on that.

Configuring QoS for VoIP
Before rolling out VoIP in your environment, think through the following planning steps:
1. PoE
Ensure there is enough power for all the phones and that there is a UPS backup
2. Voice VLAN
Think through the number of VLANs/subnets required, add DHCP scopes for the phones, add voice networks to routing protocols
3. QoS
Decide on which marking and queues you plan on using. Cisco recommends implementing AutoQoS and then tuning as needed.
4.

Switch(config-if)# mls qos trust [dscp | cos]
Trust markings only if a Cisco phone is connected:
Switch(config-if)# mls qos trust device cisco-phone
Instructs the IP phone to set/overwrite CoS values for data coming from a PC attached to the phone. The phone would then be the new trust boundary because it is now doing the marking on the data traffic. Also important to note that the CoS value assigned at the end of the statement is a number between 0 and 7, 7 being the highest priority and 0 being the default value:
Switch(config-if)# switchport priority extend cos cos-value
Instructs the phone to trust the priority of the data coming from the attached PC:
Switch(config-if)# switchport priority extend trust
Verify interface parameters:
Switch# show interfaces interface-id switchport
Verify QoS parameters on an interface:
Switch# show mls qos interface interface-id

CCNP Switch 642-813 Wireless & Security Topics

For the purpose of this exam, Wireless LANs (WLAN) transmit using either RF or infrared frequencies, often through an access point. One interesting point is that for the spectrums covered on the test, there are usually no additional RF licenses required. They are limited in

physical transmission distance (ex. within a floor, department, or campus) and are considered by Cisco an extension of the wired campus network.
The Cisco Unified Wireless Network
Cisco's wireless architecture model includes 5 layers:

1. Client devices: Wireless end clients (ex. laptop, smart phone // Note: Cisco mentions that these must be Cisco "approved" although almost all wireless devices will work)
2. Mobility platform: Access points and wireless bridges
3. Network unification: Existing wired network (ex. routers, switches, WLAN controllers)
4. Network management: WLAN location, management and security (Cisco Wireless Control System [WCS] is Cisco's solution here)
5. Mobility services (also called Unified Advanced Services): advanced products and services like wireless IP phones, RF firewalls, and location appliances
Note: Cisco offers wireless IP phones with the same feature set found in desk phones, including optional LEAP authentication.

The Cisco Compatible Extensions Program
The Cisco Compatible Extensions (CCX) program ensures the widespread availability of client devices that are interoperable with a Cisco WLAN infrastructure. You may notice a "Cisco Compatible" sticker on the device or its packaging.
Wireless LAN Attributes
Wireless access points provide client connectivity similar to what a switch would do in a wired infrastructure. Radio waves are the physical medium as opposed to wires and the same network and application layer protocols can run over a WLAN network (ex. IP, HTTP, etc.).

Some specific considerations
• WLANs use Carrier Sense Multiple-Access/Collision Avoidance (CSMA/CA)

• Because it is "avoidance" centric and not "detection" centric, it is half duplex. CSMA/CA uses RTS (request to send) and CTS (clear to send) messages to avoid collisions

• RF is susceptible to interference, distortion, and noise often caused by physical structures and specific materials.

• WLAN design should include the fact that clients are often mobile and use batteries.

• Different countries have unique rules and standards regarding RF implementations.

• Antennas are characterized by polarization, gain, and directionality and antenna power is measured in dBi

SSIDs
Service Set Identifiers or SSIDs map a network, by VLAN, to a specific segment of users. The segment of users can have specific QoS or security assigned to them when they associate with the SSID. The SSIDs are often broadcast by wireless access points, but can also be simply statically configured on a host device.

Note: SSID names are case sensitive, so inconsistent case in an SSID configuration can result in a failed connection.
Another important point regarding SSID configuration is when an AP is hosting multiple SSIDs (and in turn multiple VLANs), the link back to the switch must be a trunk that supports all of the VLANs.

Wireless Topologies
There are three main types of WLAN topologies used today:

• Client access (think end devices connecting to an AP)

• Point-to-point (ex. building-to-building)

• Mesh
There are two modes of connection:

• Ad-hoc (a.k.a. Independent Basic Service Set [IBSS])
  o Clients communicate directly with each other without the use of an access point
  o Limited in range and function
• Infrastructure
  o Basic Service Set [BSS]: One AP to connect to clients, so the signal range (known as its microcell) must encompass all clients
  o Extended Service Set [ESS]: Multiple APs with overlapping microcells connected by a common distribution system
    Microcells should overlap by 10-15% for data
    Microcells should overlap by 15-20% for voice
    Each AP should use a different channel

Note: Wireless bridges allow wired devices to connect to the wireless network by plugging directly into the bridge.

• Wireless Mesh
Wireless mesh networks are usually designed for long distances. Only the APs on the edges of the mesh network are connected to the wired infrastructure; the rest hop AP to AP, each acting as a repeater. Each intermediate AP has multiple paths through the mesh network, all coordinated by the Adaptive Wireless Path (AWP) protocol. AWP chooses the best path for traffic to the wired network and also selects a backup path in case the preferred path fails.

Client Connectivity
The following steps define how clients connect to an access point. Keep in mind that APs send out beacons with SSID information at regular intervals unless configured otherwise.

1. Client sends a probe request and listens for probe responses and beacons
2. AP replies to the request with a probe response
3. Client then initiates an association with the access point. During the association, 802.1x authentication and any other necessary security information is passed to the AP.
4. AP accepts the association. MAC address and SSID information is exchanged between the two.
5. AP adds client's MAC to its association table
When ESS Infrastructure mode is in use, clients can r