cisco ccnp switch v1

Cisco CCNP SWITCH v1.0 Exam Review

INTRODUCTION

This document provides a comprehensible guide to review every concept on the CCNP SWITCH

v1.0 exam. This document was created by a student for students; in no way this replaces

studying resources. This is a guide to easily review and remember forgotten concepts.

I‟ve made efforts to make diagrams readable, understandable, and have used color coding to

easily identify commands, output to watch out for and comments. However, I‟m not a graphic

designer so…

This is an example:

Normal network device output (Switches and Routers) are displayed on green

Commands are displayed on blue

Lines that need attention that help troubleshooting easier are on red

My own comments to explain certain are on yellow

Please forward all feedback, questions and suggestions to [email protected]

mailto:[email protected]

1.1 VLAN FOUNDATIONS

VLANs are used to logically group users, configure specific access controls and help implement

quality of service.

Broadcast traffic is restrained to the specific VLAN segment; not forwarded through all switch

ports

Trunk Ports forward traffic from ALL VLANs

Native VLAN is the VLAN assigned for all untagged packets (default native VLAN is 1) received

on Trunk Links

1 VLAN = 1 Subnet

1.1.1 Local VLANs VLANs spanning the local switch block only

Local VLANs should not extend beyond the distribution layer!

1.1.1 End to End VLANs VLANs spanning all switches

1.2 VLAN CONFIGURATION

Before configuring VLANs, let‟s look at the current existing VLANs

Switch#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Creating VLANs

Switch#configure terminal

Switch(config)#vlan 10

Switch(config-vlan)#name CCNP

Switch(config-vlan)#end

Verifying VLANs



---- -------------------------------- --------- -------------------------------


#This is the native (default) Fa0/5, Fa0/6, Fa0/7, Fa0/8

#vlan Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

10 CCNP active

1002 fddi-default active #Unused VLANs added by Cisco to be

1003 token-ring-default active #Industry compliant

1004 fddinet-default active #

1005 trnet-default active #

Adding switchports to a VLAN


Switch(config)#interface range fa0/10 - 20

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport access vlan 10

Switch(config-if-range)#end

Verifying switchport VLAN configuration



---- -------------------------------- --------- -------------------------------


Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/21, Fa0/22, Fa0/23

Fa0/24, Gig1/1, Gig1/2

10 CCNP active Fa0/10, Fa0/11, Fa0/12, Fa0/13

Fa0/14, Fa0/15, Fa0/16, Fa0/17

Fa0/18, Fa0/19, Fa0/20

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

VLAN information is not stored with the configuration file!, instead, the VLAN information is

stored on Flash on the file: vlan.dat.

When clearing a switch, don‟t forget to erase this file along with its startup-config with:

Switch#erase startup-config

Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]

[OK]

Erase of nvram: complete

%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Switch#delete flash:vlan.dat

Delete filename [vlan.dat]?

Delete flash:/vlan.dat? [confirm]

1.3 VLAN TRUNKING

Trunking forwards packets from ALL VLANs through the trunking interfaces; leaves tags ON.

The switch adds VLAN information into each frame (does not encapsulate)

Trunking is a Layer 2 feature

1.3.1 Inter-Switch Link (ISL)

Cisco Propietary Encapsulates the frames Not available in new switches

1.3.1 802.1Q Industry Standard Inserts a tag on the frame only

1.3.2 Trunk Negotiation

DTP (Dynamic Trunking Protocol) is the protocol used to negotiate trunk between switches

Default DTP mode is Dynamic Desirable (attempts to negotiate a trunk with the other side)

DTP Modes:

Access: Used to configure ports connecting to servers, computers and other end devices

Trunk: Used to hard code a trunk relationship; used on ports that connect to other switches

Dynamic Auto: Will listen for DTP requests, only forms a trunk if the other side is Dynamic

Desirable

Dynamic Desirable: Default, will send DTP requests to attempt to form a trunk.

Non-negotiate: Will not attempt and will not respond to DTP requests.

Verifying DTP Configuration on specific ports

Switch#show interfaces fastEthernet 0/10 switchport

Name: Fa0/10

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 10 (CCNP)

#Output omitted

Dynamic

Auto Dynamic Desirable

Trunk Trunk &

Nonegotiate Access

Dynamic Auto

Access Trunk Trunk Limited

Connectivity Access

Dynamic Desirable

Trunk Trunk Trunk Limited

Connectivity Access

Trunk

Trunk Trunk Trunk Trunk Limited

Connectivity

Trunk & Nonegotiate

Limited Connectivity

Limited Connectivity

Trunk Trunk Limited

Connectivity

Access

Access Access Limited

Connectivity Limited

Connectivity Access

Configuring Trunk Links


Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk native vlan 99 #Other side still has native VLAN 1

Switch(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

#Fa0/1 comes up as the trunk is established. Other side is already configured.

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99),

with Switch FastEthernet0/1 (1).

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99),

with Switch FastEthernet0/1 (1).

#Notice native VLAN mismatch – the other side has native VLAN 1. Once other side

changes to 99 this message disappears.

Switch(config-if)#switchport mode trunk allowed vlan 10,20,9

#This command restricts what VLANs are allowed on this specific trunk link on this

interface

Verifying Trunk Link

Switch#show interface fastEthernet 0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 99 (Inactive)

#Output omitted

1.4 VTP The goal is to replicate VLANs among 2 or more Switches.

All new switches start with rev0. As VLAN changes are made, revision is increased by 1.

If a higher revision is detected on a neighbor switch, the local switch will replace its VLAN

information with the neighbor‟s since it‟s a “Newer” version of the VLAN database on the

network.

For replication to take place, the switches must share the following parameters:

VTP Version: Version 2 is the latest one

VTP Domain: When Default (NULL), it will inherit the first domain it sees on the network.

CASE SENSITIVE!

VTP Password: Ignored if password is blank

VTP Modes

Server (Default): Can change VLAN information; sends/receives VTP Updates to other switches

Client: Cannot change VLAN information; sends/receive VTP Updates from Server to other

clients

Transparent: Can change VLAN information; ignores updates from server BUT passes through

these updates to other switches; does not send updates generated by itself. When in

transparent mode, the revision will always be 0.

VTP Pruning stops the switch from sending broadcast to other switches if they do not know

about the VLAN where the broadcast generated.

1.3.2 Verifying VTP

Initial VTP status on a new switch. Check default mode, version, revision, etc…

Switch#show vtp status

VTP Version : 2

Configuration Revision : 0

Maximum VLANs supported locally : 255

Number of existing VLANs : 5

VTP Operating Mode : Server

VTP Domain Name :

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A

Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Local updater ID is 0.0.0.0 (no valid interface found)

#The last 2 lines will indicate what switch gave us the current revision update.

Configuring and verifying the different modes


Switch(config)#vtp mode client

Setting device to VTP CLIENT mode.

Switch(config)#do show vtp status

#Output omitted

VTP Operating Mode : Client

#Output omitted

Switch(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.


#Output omitted

VTP Operating Mode : Transparent

#Output omitted

Configuring VTP Domain, password and verification

Switch(config)#vtp domain ccnp

Changing VTP domain name from NULL to ccnp

Switch(config)#vtp password ccnp

Setting device VLAN database password to ccnp


#Output omitted

VTP Operating Mode : Transparent

VTP Domain Name : ccnp

#Output omitted

Creating VLANs and verifying revision numbers


VTP Version : 2


#Output omitted

Switch(config)#vlan 10

Switch(config-vlan)#name CCNP

Switch(config-vlan)#do show vtp status

VTP Version : 2


#Output omitted

Switch(config-vlan)#vlan 20

Switch(config-vlan)#name CCSP

Switch(config-vlan)#do show vtp status

VTP Version : 2


#Output omitted

Configuring VTP Pruning

Switch(config)#vtp pruning

2.1 SPANNING-TREE

By default, switches forward ALL broadcast packets out of every port except the one it received it

from.

Business requirements drive us to build redundant systems, networks, and infrastructure

Spanning-tree allows us to build redundant network links while avoiding switching loops

Original spanning-tree (802.1d) was designed to detect and prevent switch loops

BPDUs (Bridge Protocol Data Units) are sent on every switchport as broadcast; if a specific

BPDU arrives to the originating switch, spanning-tree will realize there‟s a loop somewhere and

start blocking ports

BPDUs also designate one of the switches to be the root bridge

BPDUs are sent every 2 seconds

The root bridge becomes the privileged switch; all ports become designated ports

All the other switches find the best port to reach the root bridge (root port) and all other

redundant links are evaluated to decide who blocks what. On every link, there must be at least 1

designated port.

Bridge ID is determined by: Priority.MAC-Address.PortNumber. Lowest is better! (MAC-

Address of the switch, not the switchport!)

MAC-Address of the switch port can be found with the `show version` command

By default, the priority is 32,768; changeable every 4096 (for PVSTP)

Lowest priority is 0, highest is 61,440

Link cost relates to link speed:

10Mbps = Cost 100

100Mbps = Cost 19

1Gbps = Cost 4

10Gbps = Cost 2

Switches will calculate the cost to reach the root bridge to find the best link

Spanning-tree runs straight out of the box, no need to turn it on

Edge ports are ports that connect to end devices, configured with the spanning-tree portfast

command

2.1.1 Spanning-Tree in Action

2.1.2 PVST

PVST makes STP run individual instances for each VLAN

All switches now support PVST

PVST Changes the Bridge ID by adding the VLAN number to the Priority. For example, for

VLAN1, the priority would be 32769 instead of 32768.

Helps with load balancing as vlan traffic can be distributed among 2 or more switches. Usually

the distribution switches are configured each to be the root bridge for different VLANs.

Enabling PVST

Switch(config)#spanning-tree mode pvst

Verifying STP on root bridge (SwitchA)

SwitchA#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769 #Adds VLAN number (1)

Address 0006.2A9A.4388

This bridge is the root #We are the root bridge for VLAN 1

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) #Ourselves



Aging Time 20

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Desg FWD 19 128.1 P2p


#Designates all ports on FWD (Forwarding) State, cost is 19 so these are 100Mbps Links

Verifying STP on non-root bridge (SwitchB)

SwitchB#show spanning-tree

VLAN0001


Root ID Priority 32769

Address 0006.2A9A.4388 #MAC Address of root bridge

Cost 19 #Cost to get to root bridge

Port 3(FastEthernet0/3) #Interface used to get to root bridge


Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 0050.0FB5.B5B0


Aging Time 20


---------------- ---- --- --------- -------- --------------------------------


Fa0/3 Root FWD 19 128.3 P2p

#One root port and at least 1 Designated port per link (SwitchC must be blocking)

Verifying STP on non-root bridge (SwitchC)

SwitchC#show spanning-tree

VLAN0001

#Output omitted


---------------- ---- --- --------- -------- --------------------------------


Fa0/2 Altn BLK 19 128.2 P2p

#In fact, SwitchC has an Alternate (Blocking) port to the root bridge, and a root port

Configuring SwitchB as the root bridge for VLAN 1

SwitchB(config)#spanning-tree vlan 1 root primary

%SYS-5-CONFIG_I: Configured from console by console

SwitchB(config)#do show spanning-tree

VLAN0001


Root ID Priority 24577 #PVST calculates the new priority


This bridge is the root #In fact, we are the root





Aging Time 20


---------------- ---- --- --------- -------- --------------------------------



#Fa0/3 which was Root port before, has become Designated since we are the root bridge

SwitchA‟s new spanning-tree output

Switch1#show spanning-tree

VLAN0001


Root ID Priority 24577

Address 0050.0FB5.B5B0 #MAC Address of root bridge

Cost 19 #Cost to get to root bridge

Port 3(FastEthernet0/3) #Interface used to get to root bridge





Aging Time 20


---------------- ---- --- --------- -------- --------------------------------



#One root port and at least 1 Designated port per link (SwitchC must be blocking)

2.1.2 STP Port States

Blocking

If a port is blocked and link to root is lost, this port will stay blocked for 20 seconds to see if root link comes back up before it enables the failover link

Listening

If link doesn‟t come up, the port moves to „Listening‟ (LST) state and waits 15 Seconds to send/receive BPDUs to detect loops

Learning

After listening, the port starts to Learn (LRN) for the next 15 seconds to fill up CAM table with MAC Addresses

Forwarding Port is promoted to the Forwarding (FWD) state

Takes up to 50 seconds to failover (OUCH!). Because STP was designed decades ago, this wasn‟t

too much of a problem. Nowadays networks are way faster and can transfer data much quicker.

Need for Speed

2.1.3 RSTP (Rapid Spanning-Tree)

Have you ever had that problem when you boot your PC and by the time the PC boots you don‟t have network connection and logging on to the domain takes forever because it cannot contact active directory, and if it does it cannot load your account profile? This is because PCs boot quick and run DHCPClient before the switch can transition the port to forwarding state. The result is a PC without an IP trying to talk to the network. To get around this, we enable portfast on switchports that we know connect to an end device

Switch(config-if)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single

host. Connecting hubs, concentrators, switches, bridges, etc... to this

interface when portfast is enabled, can cause temporary bridging loops.

Use with CAUTION

%Portfast has been configured on FastEthernet0/10 but will only

have effect when the interface is in a non-trunking mode.

RSTP (802.1w) redefines port states, lowers the timers and can converge almost instantly; no

more waiting 50 seconds.

Must be enabled on ALL switches for it to work properly

2.1.4 RSTP Port States

2.1.4 RSTP Roles

The root bridge becomes the privileged switch; all ports become designated ports

All the other switches find the best port to reach the root bridge (root port) and all other

redundant links are evaluated to decide who blocks what. On every link, there must be at least 1

designated port.

The blocking port roles from STP are now alternate ports. The switch will remember this path

as a possible link to reach the root bridge. This allows RSTP to failover to this alternate port

without having to re-learn the topology

Edge ports are ports that connect to end devices, configured with the spanning-tree portfast

command

2.1.5 RSTP Configuration

Enabling rapid-pvst

Switch(config)#spanning-tree mode rapid-pvst

Discarding Replaces Blocking (BLK) to prevent loops

Learning

Port starts to Learn (LRN) for the next 15 seconds to fill up CAM table with MAC Addresses

Forwarding Port is promoted to the Forwarding (FWD) state

3.1 ETHERCHANNEL

Etherchannel allows us to use multiple physical connections and put them together as one

virtual link. This virtual link is called a channel group.

Provides automatic failover; if one of the physical links fails, the channel group simply uses the

rest of the links in the group.

Protocols for Etherchannel are PAgP (Port Aggregation Protocol) and LACP (Link Aggregation

Control Protocol).

Make sure the interfaces configured with Etherchannel belong to the same VLAN! And on both sides! Changes made to the port-channel interface affects all switchports members of the channel

3.1.1 PAgP Cisco Propietary Port Modes: On, Desirable, Auto

3.1.1 LACP Industry Standard (802.3ad) Port Modes: On, Active, Passive

PAgP On Desirable Auto

On On On On Desirable On On On Auto On On Off

LACP On Active Passive

On On On On Active On On On Passive On On Off

3.1.2 Layer 2 Etherchannel

SwitchA(config)#interface range fa0/1 - 3

SwitchA(config-if-range)#channel-group 1 mode ?

active Enable LACP unconditionally

auto Enable PAgP only if a PAgP device is detected

desirable Enable PAgP unconditionally

on Enable Etherchannel only

passive Enable LACP only if a LACP device is detected

SwitchA(config-if-range)#channel-group 1 mode on

3.1.3 Verifying Layer 2 Etherchannel

Verifying Etherchannel. Other verification commands include show etherchannel detail

SwitchA#show etherchannel port-channel

Channel-group listing:

----------------------

Group: 1

----------

Port-channels in the group:

---------------------------

Port-channel: Po1

------------

Age of the Port-channel = 00d:00h:02m:25s

Logical slot/port = 2/1 Number of ports = 3

GC = 0x00000000 HotStandBy port = null

Port state = Port-channel

Protocol = PAGP

Port Security = Disabled

Ports in the Port-channel:

Index Load Port EC state No of bits

------+------+------+------------------+-----------

0 00 Fa0/1 On 0

0 00 Fa0/2 On 0

0 00 Fa0/3 On 0

Time since last port bundled: 00d:00h:02m:25s Fa0/3

SwitchA#show etherchannel summary

Number of channel-groups in use: 1

Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+----------------------------------------------

1 Po1(SU) PAgP Fa0/1(P) Fa0/2(P) Fa0/3(P)

Switch#show etherchannel

Channel-group listing:

----------------------

Group: 1

----------

Group state = L2

Ports: 3 Maxports = 8

Port-channels: 1 Max Port-channels = 1

Protocol: -

3.1.4 Layer 3 Etherchannel

Same steps as Layer2, except now we can give a routable IP address to the channel-group

through the port-channel interface

We must remove Layer 2 features from the switch ports with the command no switchport

before activating the Etherchannel

SwitchA(config)#interface range fa0/1 - 3

SwitchA(config-if-range)#channel-group 1 mode on

SwitchA(config-if-range)#no switchport

#Interface Port-Channel 1 was just created

SwitchA(config-if-range)#end

SwitchA#show ip interface brief

#Output omitted

Port-channel 1 unassigned YES unset up up

SwitchA#configure terminal

SwitchA(config)#interface port-channel 1

SwitchA(config-if)#no switchport

SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0

4.1 INTER-VLAN ROUTING

Done through Router-on-a-stick or Layer 3 Switch routing

Needed to allow devices on one VLAN to talk to another device on a different VLAN

1. PC1 sends ARP request for its default gateway (a sub-interface on the router)

2. Router responds with the MAC address for this sub-interface

3. PC1 sends packet with VLAN 20 destination IP to Router

4. Switch forwards packet through trunk link to Router

5. Router detects the destination to be connected to his VLAN 20 sub interface

6. Router does ARP to contact PC2 7. PC2 responds to ARP 8. Router forwards packet to PC2

Etc…

4.1.1 Router-on-a-stick Configuration

Easy to setup, very low cost

Congestion on the link (imagine all broadcast from all vlans, all traffic from all machines in and

out the network flows through this link TWICE, single point of failure, and last but not least;

routing speed is slow compared to a switch

Switch(config)#interface fast Ethernet 0/1

Switch(config-if)#switchport mode trunk


Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10




Router(config)#interface fa0/1

Router(config-if)#no shutdown

Router(config-if)#interface fa0/1.10

Router(config-subif)#encapsulation dot1Q 10

Router(config-subif)#ip address 10.10.1.1 255.255.255.0

Router(config-subif)#interface fa0/1.20

Router(config-subif)#encapsulation dot1Q 20

Router(config-subif)#ip address 10.20.1.1 255.255.255.0

#Sub-interface ID .10 does NOT have to match the vlan number. Just better practice

4.1.2 Layer 3 Switch Routing Configuration

Routing at wire speed!

Cost of a layer 3 switch, can be expensive, especially if deploying redundant devices

#We must enable IP Routing

Switch(config)#ip routing

#Using SVIs







Switch(config)#interface vlan 10

#SVI vlan 10 has just been created

Switch(config-if)#ip address 10.10.1.1 255.255.255.0

Switch(config)#interface vlan 20

#SVI vlan 10 has just been created


#Using Physical Interfaces


Switch(config-if)#no switchport



Switch(config-if)#no switchport


5.1 GATEWAY REDUNDANCY

Redundancy protocols, allow you to configure many gateways as a single virtual gateway,

transparent to clients.

HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol) and GLBP

(Gateway Load Balancing Protocol)

Automatic failover to “backup” gateway if the main one goes down

Interface tracking allows you to detect specific link status and reduce priority accordingly to

replace active gateway

5.1.1 HSRP Hellos every 3 seconds, hold timer is 10 seconds (Default) Virtual IP & Virtual MAC shared by gateways Virtual MAC: 0000.0c07.ac?? (Group #) One Active, Others Standby Organized in Standby Groups Cisco Proprietary Init, Speak, Active, Standby

5.1.1 VRRP Hellos every 1 second, hold timer is 3 seconds (Default) Virtual IP & Virtual MAC shared by gateways Virtual MAC: 0000.5e00.01?? (Group #) One Master, One Backup Organized in VRRP Groups Industry Standard (IETF)

5.1.1 GLBP Hellos every 3 seconds, hold timer is 10 seconds (Default) Virtual IP & multiple virtual MAC Addresses from AVFs All gateways are loadbalanced One AVG, many AVFs Cisco Propietary

5.1.2 Configuring HSRP

Creating Standby Groups

SwitchA(config)#interface vlan 1


SwitchA(config-if)#standby 1 ip 10.1.1.254

SwitchA(config-if)#standby 1 priority 150

SwitchA(config-if)#standby 1 preempt

SwitchB(config)#interface vlan 1

SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0

SwitchB(config-if)#standby 1 ip 10.1.1.254

SwitchB(config-if)#standby 1 preempt

#Default priority is 100

5.1.3 Verifying HSRP

Verify standy configuration, who is active who is on standby. Hello messages are sent when state

is Speak, Active and Standby

SwitchA#show standby

Vlan 1 - Group 1

State is Listen

Virtual IP address is 10.1.1.254

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac01 (v1 default)

Hello time 3 sec, hold time 10 sec

Preemption enabled

Active router is unknown

Standby router is unknown

Priority 150 (configured 150)

IP redundancy name is "hsrp-Fa0/0-1" (default)

#It’s listening... after a few moments...

Mar 1 00:05:53.255: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state Speak

-> Standby

Mar 1 00:05:53.755: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state

Standby -> Active

SwitchA#show standby

Vlan 1 - Group 1

State is Active

2 state changes, last state change 00:01:41


Active virtual MAC address is 0000.0c07.ac01

Local virtual MAC address is 0000.0c07.ac01 (v1 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 0.460 secs

Preemption enabled

Active router is local

Standby router is 10.1.1.1, priority 100 (expires in 8.968 sec)



5.1.4 Tuning HSRP

Tuning commands for HSRP; Hello and Hold Down timers should be the same on all routers!

Setting up tracking for WAN interfaces; if that links goes down we decrement the priority so the

other switch takes over! (only effective with preempt enabled)


SwitchA(config-if)#standby 1 timers msec 50 msec 200


SwitchB(config-if)#standby 1 timers msec 50 msec 200

#This changes hello timer to 50msecs and hold down to 200msecs

SwitchA(config-if)#standby 1 track fa0/1 60

#Now we tell it to decrement priority by 60 if fa0/1 dies

SwitchA(config-if)#interface fast Ethernet 0/1

SwitchA(config-if)#shutdown

Mar 1 00:22:37.719: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp

1 state Active -> Init

SwitchA(config-if)#do show standby

Vlan 1 - Group 1

State is Init (interface down)

#Output omitted; the standby switch has taken over!

Hello time 50 msec, hold time 200 msec


Track interface FastEthernet0/0 state Down decrement 60


We should determine a timer that activates as soon as the switch becomes active. This timer will

determine what‟s the minimum amount of time the switch will stay as active; this is to avoid

problems with flapping interfaces, or if the active reboots, we don‟t want to give the active role to

a router that is just learning routes!

SwitchA(config-if)#standby 1 preempt delay minimum 180

#Waits 180 seconds before giving up the active role after it’s promoted

SwitchA(config-if)#standby 1 preempt delay reload 180

#Waits 180 seconds before preempting the active one after a reload

5.1.5 Configuring VRRP

Creating VRRP Groups



SwitchA(config-if)#vrrp 1 ip 10.1.1.254

SwitchA(config-if)#vrrp 1 preempt

SwitchA(config-if)#vrrp 1 timers ?

advertise Set the Advertisement timer

learn Learn timer values from current Master

#On the master we only configure the advertise timer

#The Backup devices automatically learn the timers

SwitchA(config-if)#vrrp 1 timers advertise msec 60


SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0

SwitchB(config-if)#vrrp 1 ip 10.1.1.254

SwitchB(config-if)#vrrp 1 preempt

SwitchB(config-if)#vrrp 1 priority 90

#Default priority is also 100

5.1.3 Verifying VRRP

Verify VRRP configuration, who is master who is backup

SwitchA#show vrrp

Vlan 1 - Group 1

State is Master


Virtual MAC address is 0000.5e00.0101

Advertisement interval is 0.060 sec

Preemption enabled

Priority is 100

Master Router is 10.1.1.1 (local), priority is 100

Master Advertisement interval is 0.060 sec

Master Down interval is 0.789 sec

#It’s the master

SwitchB#show vrrp

Vlan 1 - Group 1

State is Backup


Virtual MAC address is 0000.5e00.0101

Advertisement interval is 1.000 sec

Preemption enabled

Priority is 90

Master Router is 10.1.1.1, priority is 100

Master Advertisement interval is 1.000 sec

Master Down interval is 3.648 sec (expires in 3.572 sec)

5.1.4 Tuning VRRP

Only the delay minimum command is available

SwitchA(config-if)#vrrp 1 preempt delay minimum 180


5.1.5 Configuring GLBP

In GLBP, the priority elects who will be the AVG (Active Virtual Gateway). The rest of routers on

the group will be designed as AVFs (Active Virtual Forwarders).

SwitchA(config-if)#glbp 1 ip 10.1.1.254

SwitchA(config-if)#glbp 1 priority 150

SwitchA(config-if)#glbp 1 preempt

SwitchA(config-if)#glbp 1 timer msec 60 msec 200

#This changes hello timer to 60msecs and hold down to 200msecs

SwitchB(config-if)#glbp 1 ip 10.1.1.254

SwitchB(config-if)#glbp 1 priority 90

SwitchB(config-if)#glbp 1 preempt

SwitchB(config-if)#glbp 1 timer msec 60 msec 200

5.1.6 Verifying GLBP

We can look at who‟s the gateway and who are the forwarders, virtual mac addresses, etc…

SwitchA#show glbp

Vlan 1 - Group 1

State is Active

2 state changes, last state change 00:03:34


Hello time 60 msec, hold time 200 msec

Next hello sent in 0.044 secs

Redirect time 600 sec, forwarder time-out 14400 sec

Preemption enabled

Active is local

Standby is 10.1.1.2, priority 90 (expires in 0.148 sec)

Priority 150 (configured)

Weighting 100 (default 100), thresholds: lower 1, upper 100

Load balancing: round-robin

Group members:

cc00.1060.0000 (10.1.1.1) local

cc01.1060.0000 (10.1.1.2)

There are 2 forwarders (1 active)

Forwarder 1

State is Active

1 state change, last state change 00:03:24

MAC address is 0007.b400.0101 (default)

Owner ID is cc00.1060.0000

Redirection enabled

Preemption enabled, min delay 30 sec

Active is local, weighting 100

Forwarder 2

State is Listen

MAC address is 0007.b400.0102 (learnt)

Owner ID is cc01.1060.0000

Redirection enabled, 599.992 sec remaining (maximum 600 sec)

Time to live: 14399.992 sec (maximum 14400 sec)

Preemption enabled, min delay 30 sec

Active is 10.1.1.2 (primary), weighting 100 (expires in 0.188 sec)

5.1.4 Tuning GLBP

Only the delay minimum command is available

SwitchA(config-if)#glbp 1 preempt delay minimum 180


Additional tuning is possible with GLBP for configuring weights, load-balancing, etc; however

it‟s not covered on the exam.

6.1 WIRELESS LANS

WAPs (Wireless Access Points) communicate like hubs. Only one wireless client can talk at a

time since it‟s a shared signal in half duplex.

Wireless works on Layer1 and Layer2 of the OSI model.

Uses CSMA/CA (Collition Avoidance) instead of CSMA/CD (Collition Detection) used in

Ethernet technology

Suffers from interference from other devices using radio frequency (wireless phones,

microwaves), and other physical obstacles (walls, columns, etc)

Wireless is an extension to a physical network. A Workgroup Bridge connects two LANs through

a wireless connection. Number of users connecting through a workgroup bridge is very limited;

enough for about 10 people.

Can be used to connect branches in the same MAN (Metropolitan Area Network) in a cost

effective way without having to lease lines, run own cables and without paying monthly fees.

6.1.1 SSIDs

Service Set Identifier (SSID) is a unique identifier that represents a VLAN or a network.

Connecting to an SSID

Figure 1

Figure 2

Figure 3

Figure 4

Figure 1

When a client first tries to connect, it will send a probe as a broadcast, requesting all access

points that it can reach to reply a beacon

Figure 2

The Access Points that were able to hear the probe will reply with a beacon to the host. This can

be disabled.

Figure 3

The client will choose one from the list of beacons that replied (the list of wireless networks

available to you in Windows).

Figure 4

Assuming there is no security enabled, the wireless access point will add the MAC address of the

new wireless client to the list of connected devices and provide it with an IP if DHCP is available

and enabled.

6.1.2 WLAN Design

Repeaters should have a 50% area overlap to be able to reproduce signals properly

APs should have up to 15% area overlap to be able to roam from one to another without losing connection to an SSID

Neighbor Access Points must use non-overlapping channels

6.1.3 WLAN Roaming

Seamless hand off from one Access Point to another; as soon as a stronger AP signal is detected.

Not supported by normal wireless routers such as netgear, Linksys, etc.

Designed to provide coverage over wide areas, but can be quite costly.

Overlapping shouldn‟t be less than 15% or packets way be lost and roaming might not be

successful

As the client gets far from its AP, beacons from the AP starts to miss probes (which are sent

periodically from the client), signal starts to get weaker.

As signal gets weaker, the client analyzes other Access Points with the same SSID that may

provide better signal. If so, it attempts to roam to this new access point.

Wireless Access Points can support multiple VLANs. This means we can create different SSIDs

(one per VLAN), each one can have different security mechanisms, and the AP would trunk to a

switch to allow communication for all VLANs.

6.1.4 WLAN Frequencies

900Mhz range: 902 – 928 2.4Ghz range: 2,400 – 2,483 5Ghz range: 5,150 – 5,350 High Frequency = Higher data rates = Shorter ranges

6.1.5 802.11a 6.1.5 802.11b 6.1.5 802.11g

Up to 54Mbps

Up to 11Mbps Up to 54Mbps

NOT Compatible with b or g

Most popular standard Compatible with b

12 to 23 non overlapping

channels

3 non overlapping channels: 1,6,11

3 non overlapping channels: 1,6,11

6.1.6 WLAN Security WEP (Wired Equivalent Protection), 802.1X EAP, WPA (Wi-fi Protected Access) and WPA2 (802.11I) Hardware that supports WEP can also support WPA; not WPA2 WPA uses TKIP (Temporal Key Integration Protocol) WPA2 uses TKIP and AES (Advanced Encryption Standard)

6.1.7 WLAN Hardware Two types of Access Points; Autonomous APs and Lightweight APs.

6.1.7.1 Autonomous AP 6.1.7.1 Lightweight AP

Stand Alone

Server-Dependant or Controller Based

Controlled with WDS (Wireless Domain

Services) for Roaming

Controlled using WLC (Wireless LAN Controller)

Managed with WLSE (WLAN Solution Engine)

through Ciscoworks

Managed with WCS (Wireless Control System)

IOS Based with web interface

Donwloads config. from WLC

Costs more, can convert into Lightweight AP

based on IOS

Only Lightweight

6.1.8 Lightweight APs Lightweight Access Point Protocol (LWAPP) is used on the links between a wireless controller (WLC) and the Access points Controller is the brain; APs just process packets from/to wireless clients

Split MAC topology

6.1.9 PoE (Power over Ethernet) 802.3af (PoE) is the industry standard; Ability of a device to send power along the Ethernet connection to an end device; such as ip phones, APs, printers, etc. Both devices must support PoE, and same standard, whether it is 802.3af , Cisco‟s proprietary PoE, or any other third party PoE proprietary standards. Cisco switches support 802.3af and its proprietary protocol

6.1.10 WLAN Antennas 3 Types of antennas: Omni-Directional, Directional and Yagi Antennas

6.1.11 Omni 6.1.11 Directional 6.1.11 Yagi

Equal coverage all around

No signal behind the antenna which is aimed towards the

desired area

Antenna pointed towards

desired area, much more range and the angle of beam can be

adjusted; the small it is the more powerful the signal and the

longer it can travel

7.1 VoIP VoIP used to save costs on voice transmission Low Bandwidth, centralized data and voice Saves costs on staff and move, add and changes PC daisy chains to the network through the switch 64Kbps that take a normal voice line converts to 8Kbps through VoIP Integration of data world and voice world.

7.1.1 How VoIP Works

Phones talk to Call Manager using the „Skinny‟ protocol. The communication happens whenever an event occurs that require the phone to act. IP Phones are dumb terminals. They don‟t know anything other than to do what Call Manager says How a call works: -Once a handset is picked up, the phone will tell CCM that the handset has been picked up. -CCM tells the phone to play a dialtone -Every time a key is pressed the phone talks to CCM through skinny -When CCM recognizes a dialed number as a pattern, extension, etc, it will instruct the phone to play the ringing tone and will instruct the other phone to ring -Once the other phone picks up CCM instructs both phones to establish a connection using RTP (real-time transmission protocol) -RTP must be prioritized for QoS

7.1.2 Dual VLANs Switchport is configured as access mode, as part of vlan 200. Then, the voice vlan is added as vlan 100. Cisco implements CDP to recognize the phone through this switchport

SwitchA(config-if)#switchport mode access

SwitchA(config-if)#switchport access vlan 200

SwitchA(config-if)#switchport voice vlan 100

#The switch will send CDP packets to make sure a Cisco phone is plugged in

7.1.3 QoS -Marking packets for QoS:

Class of Service (CoS): Layer 2

Type of Service (ToS): Layer 3

Classification of packets occur when a packet is inspected to see what kind of traffic it contains Packets can be categorized with access-lists, source ports, etc. Classification is CPU intensive CoS is marking frames at Layer 2. No deep packet inspection; looks at CoS tag on the frame, 3 Bits of marking for 7 levels of marking (0 to 7). For Example, all SQL traffic can be marked. Levels 6 and 7 are reserved by Cisco for routing protocols, etc. At Layer3, CoS is dropped since it‟s Layer 2 and replaced with ToS. IP Precedence was the old way of marking at Layer 3, up to 7 levels of marking. DSCP now provides up to 64. Routers can look at the ToS to determine priority without having to do deep packet inspection

7.1.3 Configuring QoS

SwitchA(config-if)#mls qos trust cos

#Means “I will trust the CoS marking on this port”; implemented on ports connecting to

phones

SwitchA(config-if)#mls qos trust device cisco-phone

#For security measures, this will trust the CoS on this port only if a cisco phone is

detected on the other side through CDP.

Auto QoS is available to automatically implement the most appropriate QoS parameters on the interface based on bandwidth, switchport, etc. to meet Cisco‟s best practices

SwitchA(config-if)#auto qos voip cisco-phone

#This auto detects the best priority for this type of traffic

7.1.3 Verifying Auto QoS

SwitchA#show run int fa0/1

interface FastEthernet0/1

switchport access vlan 200

switchport mode access

switchport access vlan 100

mls qos trust device cisco-phone

mls qos trust cos

auto qos voip cisco-phone

wrr-queue bandwidth 10 20 70 1

wrr-queue min-reserve 1 5




wrr-queue cos-map 1 0 1

wrr-queue cos-map 2 2 4

wrr-queue cos-map 3 3 6 7

wrr-queue cos-map 4 5

priority-queue out

end

#All these lines were applied by auto qos

cisco ccnp switch v1

Documents

vlan switch

vlan brief vlan

vlans native vlan

vlan fa09

vlan foundations vlans

ccnp switchconfigvlan

fddidefault active

default active fa01