Cisco CCNP SWITCH v1.0 Exam Review
INTRODUCTION
This document provides a comprehensible guide to review every concept on the CCNP SWITCH
v1.0 exam. This document was created by a student for students; in no way does this replace
study resources. This is a guide to easily review and remember forgotten concepts.
I've made efforts to make diagrams readable, understandable, and have used color coding to
easily identify commands, output to watch out for and comments. However, I'm not a graphic
designer so…
This is an example:
Normal network device output (switches and routers) is displayed in green
Commands are displayed in blue
Lines that need attention and make troubleshooting easier are in red
My own comments to explain certain points are in yellow
Please forward all feedback, questions and suggestions to [email protected]
1.1 VLAN FOUNDATIONS
VLANs are used to logically group users, configure specific access controls and help implement
quality of service.
Broadcast traffic is confined to its own VLAN segment; it is not forwarded out of every switch
port
Trunk ports forward traffic from ALL VLANs
The native VLAN is the VLAN assigned to all untagged frames received on trunk links (the default
native VLAN is 1)
1 VLAN = 1 subnet
1.1.1 Local VLANs: VLANs spanning the local switch block only
Local VLANs should not extend beyond the distribution layer!
1.1.1 End-to-End VLANs: VLANs spanning all switches
1.2 VLAN CONFIGURATION
Before configuring VLANs, let's look at the currently existing VLANs
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Creating VLANs
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name CCNP
Switch(config-vlan)#end
Verifying VLANs
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
#VLAN 1 is the native (default) VLAN
10 CCNP active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
#VLANs 1002-1005 are unused VLANs added by Cisco to be industry compliant
Adding switchports to a VLAN
Switch#configure terminal
Switch(config)#interface range fa0/10 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#end
Verifying switchport VLAN configuration
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gig1/1, Gig1/2
10 CCNP active Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN information is not stored in the configuration file! Instead, the VLAN information is
stored in flash, in the file vlan.dat.
When clearing a switch, don't forget to erase this file along with the startup-config:
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
1.3 VLAN TRUNKING
Trunking forwards frames from ALL VLANs through the trunk interfaces; tags are left ON.
The switch inserts VLAN information into each frame (it does not encapsulate the frame)
Trunking is a Layer 2 feature
1.3.1 Inter-Switch Link (ISL): Cisco proprietary; encapsulates the frames; not available in new switches
1.3.1 802.1Q: Industry standard; inserts a tag into the frame only
1.3.2 Trunk Negotiation
DTP (Dynamic Trunking Protocol) is the protocol used to negotiate a trunk between switches
The default DTP mode is Dynamic Desirable (attempts to negotiate a trunk with the other side)
DTP modes:
Access: Used to configure ports connecting to servers, computers and other end devices
Trunk: Used to hard-code a trunk relationship; used on ports that connect to other switches
Dynamic Auto: Will listen for DTP requests; only forms a trunk if the other side is Dynamic
Desirable or Trunk
Dynamic Desirable: Default; will send DTP requests to attempt to form a trunk.
Nonegotiate: Will not attempt to negotiate and will not respond to DTP requests.
Verifying DTP Configuration on specific ports
Switch#show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (CCNP)
#Output omitted
Resulting link for each combination of DTP modes on the two ends (Limited = limited connectivity):
                      Dynamic Auto  Dynamic Desirable  Trunk    Trunk & Nonegotiate  Access
Dynamic Auto          Access        Trunk              Trunk    Limited              Access
Dynamic Desirable     Trunk         Trunk              Trunk    Limited              Access
Trunk                 Trunk         Trunk              Trunk    Trunk                Limited
Trunk & Nonegotiate   Limited       Limited            Trunk    Trunk                Limited
Access                Access        Access             Limited  Limited              Access
Configuring Trunk Links
Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 99 #Other side still has native VLAN 1
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
#Fa0/1 comes up as the trunk is established. Other side is already configured.
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99),
with Switch FastEthernet0/1 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99),
with Switch FastEthernet0/1 (1).
#Notice native VLAN mismatch – the other side has native VLAN 1. Once other side
changes to 99 this message disappears.
Switch(config-if)#switchport trunk allowed vlan 10,20,9
#This command restricts which VLANs are allowed on this specific trunk link on this
interface
Verifying Trunk Link
Switch#show interface fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
#Output omitted
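As an added example (not code from the original guide), the Python below builds and parses the 802.1Q tag described in 1.3: the tag is inserted after the source MAC instead of wrapping the frame, frames in the native VLAN leave a trunk untagged, and untagged frames are assigned to the receiving switch's native VLAN. The sample frame is constructed; the last function shows why the native VLAN mismatch logged above matters: an untagged VLAN 99 frame is filed under VLAN 1 by a switch whose native VLAN is still 1.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample frame (not from the page): broadcast dst, made-up src MAC, IPv4, stub payload
UNTAGGED_FRAME = (
    bytes.fromhex("ffffffffffff")     # destination MAC: broadcast
    + bytes.fromhex("000c29aabbcc")   # source MAC: constructed
    + struct.pack("!H", 0x0800)       # EtherType: IPv4
    + bytes.fromhex("45000014")       # start of an IPv4 header, constructed stub payload
)


def insert_dot1q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC at offset 12.

    This is 802.1Q trunking as the page describes it: the frame is not encapsulated
    (unlike ISL); a tag is inserted and the rest of the frame is left unchanged.
    """
    if not 0 <= vid <= 4095:
        raise ValueError("VID must be 0..4095")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_trunk_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Classify a frame received on a trunk: tagged frames carry their VLAN in the TCI,
    untagged frames are assigned to the receiving switch's native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vlan": native_vlan, "pcp": 0, "dei": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def egress_trunk(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Trunk egress: frames in the native VLAN leave untagged, all others get a tag."""
    return frame if vlan == native_vlan else insert_dot1q_tag(frame, vlan)


def native_vlan_mismatch() -> tuple:
    """The consequence behind the %CDP-4-NATIVE_VLAN_MISMATCH message on the page:
    switch 1 (native VLAN 99) sends a VLAN 99 frame untagged; switch 2 (native VLAN 1)
    receives it untagged and files it under VLAN 1, so the frame silently crosses VLANs."""
    on_wire = egress_trunk(UNTAGGED_FRAME, vlan=99, native_vlan=99)
    received = parse_trunk_frame(on_wire, native_vlan=1)
    return received["tagged"], received["vlan"]


if __name__ == "__main__":
    tagged = insert_dot1q_tag(UNTAGGED_FRAME, vid=10, pcp=5)
    print(tagged.hex())
    print(parse_trunk_frame(tagged))
    print("native VLAN mismatch -> (tagged, VLAN seen by receiver):", native_vlan_mismatch())
```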
1.4 VTP
The goal of VTP is to replicate VLANs among 2 or more switches.
All new switches start with revision 0. As VLAN changes are made, the revision is increased by 1.
If a higher revision is detected on a neighbor switch, the local switch will replace its VLAN
information with the neighbor's, since it is a "newer" version of the VLAN database on the
network.
For replication to take place, the switches must share the following parameters:
VTP Version: Version 2 is the latest one
VTP Domain: When default (NULL), it will inherit the first domain it sees on the network.
CASE SENSITIVE!
VTP Password: Ignored if the password is blank
VTP Modes
Server (Default): Can change VLAN information; sends/receives VTP updates to/from other switches
Client: Cannot change VLAN information; receives VTP updates from the server and relays them to
other clients
Transparent: Can change VLAN information; ignores updates from the server BUT passes these
updates through to other switches; does not send updates generated by itself. When in
transparent mode, the revision will always be 0.
VTP Pruning stops the switch from flooding broadcasts across a trunk to a neighbor switch that has
no active ports in the VLAN where the broadcast originated.
1.3.2 Verifying VTP
Initial VTP status on a new switch. Check default mode, version, revision, etc…
Switch#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
#The last 2 lines will indicate what switch gave us the current revision update.
Configuring and verifying the different modes
Switch#configure terminal
Switch(config)#vtp mode client
Setting device to VTP CLIENT mode.
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode : Client
#Output omitted
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode : Transparent
#Output omitted
Configuring VTP Domain, password and verification
Switch(config)#vtp domain ccnp
Changing VTP domain name from NULL to ccnp
Switch(config)#vtp password ccnp
Setting device VLAN database password to ccnp
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode : Transparent
VTP Domain Name : ccnp
#Output omitted
Creating VLANs and verifying revision numbers
Switch(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
#Output omitted
Switch(config)#vlan 10
Switch(config-vlan)#name CCNP
Switch(config-vlan)#do show vtp status
VTP Version : 2
Configuration Revision : 1
#Output omitted
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name CCSP
Switch(config-vlan)#do show vtp status
VTP Version : 2
Configuration Revision : 2
#Output omitted
Configuring VTP Pruning
Switch(config)#vtp pruning
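Added example, not from the original guide: a small Python model of the VTP rules above (case-sensitive domain, password, revision comparison, and the server/client/transparent behaviours). It builds a constructed four-switch lab, then connects a switch whose vlan.dat was not erased (same domain and password, higher revision, but an old VLAN list), which is the situation the vlan.dat note in 1.2 warns about. The topology is assumed loop-free; switch names and the wiring are made up.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str = ""                # "" models the default NULL domain
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    neighbors: list = field(default_factory=list)

    def add_vlan(self, vid, vlan_name):
        """Server and transparent switches can edit VLANs; clients cannot."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot change VLAN information")
        self.vlans[vid] = vlan_name
        if self.mode != "transparent":      # transparent mode keeps the revision at 0
            self.revision += 1
        self.advertise()

    def advertise(self, exclude=None):
        """Send our VLAN database to neighbors; transparent switches never originate updates."""
        if self.mode == "transparent":
            return
        update = {"domain": self.domain, "password": self.password,
                  "revision": self.revision, "vlans": dict(self.vlans)}
        for nbr in self.neighbors:
            if nbr is not exclude:
                nbr.receive(update, sender=self)

    def receive(self, update, sender):
        if self.mode == "transparent":      # ignore, but pass through to the other neighbors
            for nbr in self.neighbors:
                if nbr is not sender:
                    nbr.receive(update, sender=self)
            return
        if self.domain == "":               # NULL domain inherits the first domain seen
            self.domain = update["domain"]
        if update["domain"] != self.domain:  # case-sensitive, as the page stresses
            return
        if update["password"] != self.password:
            return
        if update["revision"] > self.revision:  # higher revision wins, whatever it contains
            self.vlans = dict(update["vlans"])
            self.revision = update["revision"]
            self.advertise(exclude=sender)


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_lab():
    """Constructed lab: server - client - transparent - server, all in domain 'ccnp'."""
    s1 = VtpSwitch("S1", "server", "ccnp", "ccnp")
    s2 = VtpSwitch("S2", "client", "ccnp", "ccnp")
    t = VtpSwitch("T", "transparent", "ccnp", "ccnp")
    s3 = VtpSwitch("S3", "server", "ccnp", "ccnp")
    link(s1, s2)
    link(s2, t)
    link(t, s3)
    s1.add_vlan(10, "CCNP")   # revision 1, as in the page's show vtp status sequence
    s1.add_vlan(20, "CCSP")   # revision 2
    return {sw.name: sw for sw in (s1, s2, t, s3)}


def stale_switch_joins(net, domain="ccnp", revision=5):
    """A switch whose vlan.dat was not erased: same domain and password, higher revision,
    old VLAN list (only VLAN 1). Returns the VLAN IDs every switch ends up with."""
    stale = VtpSwitch("Stale", "client", domain, "ccnp", revision=revision)
    link(stale, net["S2"])
    stale.advertise()
    net["Stale"] = stale
    return {name: sorted(sw.vlans) for name, sw in net.items()}


if __name__ == "__main__":
    lab = build_lab()
    print("before:", {n: sorted(sw.vlans) for n, sw in lab.items()})
    print("after the stale switch joins:", stale_switch_joins(lab))
    print("same switch, domain 'CCNP' instead of 'ccnp':", stale_switch_joins(build_lab(), domain="CCNP"))
```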
2.1 SPANNING-TREE
By default, switches forward ALL broadcast frames out of every port except the one on which they
were received.
Business requirements drive us to build redundant systems, networks, and infrastructure
Spanning-tree allows us to build redundant network links while avoiding switching loops
The original spanning-tree (802.1D) was designed to detect and prevent switching loops
BPDUs (Bridge Protocol Data Units) are sent out of every switchport as broadcast; if a switch's own
BPDU arrives back at the originating switch, spanning-tree realizes there's a loop somewhere and
starts blocking ports
BPDUs also designate one of the switches to be the root bridge
BPDUs are sent every 2 seconds
The root bridge becomes the privileged switch; all ports become designated ports
All the other switches find the best port to reach the root bridge (root port) and all other
redundant links are evaluated to decide who blocks what. On every link, there must be at least 1
designated port.
The Bridge ID is determined by Priority.MAC-Address.PortNumber; lowest is better! (The MAC
address of the switch, not of the switchport!)
The MAC address of the switch can be found with the `show version` command
By default, the priority is 32,768; configurable in steps of 4096 (for PVST+)
The lowest priority is 0, the highest is 61,440
Link cost relates to link speed:
10Mbps = Cost 100
100Mbps = Cost 19
1Gbps = Cost 4
10Gbps = Cost 2
Switches will calculate the cost to reach the root bridge to find the best link
Spanning-tree runs straight out of the box, no need to turn it on
Edge ports are ports that connect to end devices, configured with the spanning-tree portfast
command
2.1.1 Spanning-Tree in Action
2.1.2 PVST
PVST makes STP run individual instances for each VLAN
All switches now support PVST
PVST changes the Bridge ID by adding the VLAN number to the priority. For example, for
VLAN 1, the priority would be 32769 instead of 32768.
This helps with load balancing, as VLAN traffic can be distributed among 2 or more switches. Usually
each distribution switch is configured to be the root bridge for a different set of VLANs.
Enabling PVST
Switch(config)#spanning-tree mode pvst
Verifying STP on root bridge (SwitchA)
SwitchA#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769 #Adds VLAN number (1)
Address 0006.2A9A.4388
This bridge is the root #We are the root bridge for VLAN 1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) #Ourselves
Address 0006.2A9A.4388
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/3 Desg FWD 19 128.3 P2p
#Designates all ports on FWD (Forwarding) State, cost is 19 so these are 100Mbps Links
Verifying STP on non-root bridge (SwitchB)
SwitchB#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0006.2A9A.4388 #MAC Address of root bridge
Cost 19 #Cost to get to root bridge
Port 3(FastEthernet0/3) #Interface used to get to root bridge
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0050.0FB5.B5B0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Root FWD 19 128.3 P2p
#One root port and at least 1 Designated port per link (SwitchC must be blocking)
Verifying STP on non-root bridge (SwitchC)
SwitchC#show spanning-tree
VLAN0001
#Output omitted
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p
#In fact, SwitchC has an Alternate (Blocking) port to the root bridge, and a root port
Configuring SwitchB as the root bridge for VLAN 1
SwitchB(config)#spanning-tree vlan 1 root primary
%SYS-5-CONFIG_I: Configured from console by console
SwitchB(config)#do show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577 #PVST calculates the new priority
Address 0050.0FB5.B5B0
This bridge is the root #In fact, we are the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0050.0FB5.B5B0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
#Fa0/3 which was Root port before, has become Designated since we are the root bridge
SwitchA's new spanning-tree output
Switch1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0050.0FB5.B5B0 #MAC Address of root bridge
Cost 19 #Cost to get to root bridge
Port 3(FastEthernet0/3) #Interface used to get to root bridge
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0006.2A9A.4388
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/3 Root FWD 19 128.3 P2p
#One root port and at least 1 Designated port per link (SwitchC must be blocking)
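Added example (not from the original guide): a Python model of the election rules from 2.1, using the page's link costs and the PVST+ bridge ID (priority + VLAN number, then MAC). SwitchA's and SwitchB's MACs are taken from the output above; SwitchC's MAC and the three 100 Mbps links are constructed to match the port roles shown. Root port selection uses the root path cost, then the upstream bridge ID, then the receiving port number; `root_primary` models `spanning-tree vlan 1 root primary` by lowering the priority to 24576, as the output above shows.

```python
import heapq

# Link cost by speed, as listed on the page (802.1D short-cost values)
COST_BY_SPEED_MBPS = {10: 100, 100: 19, 1000: 4, 10000: 2}

# SwitchA and SwitchB MACs come from the page's show spanning-tree output;
# SwitchC's MAC is constructed (higher than B's, so B wins the B-C tie as on the page).
SWITCHES = {
    "SwitchA": (32768, "0006.2A9A.4388"),
    "SwitchB": (32768, "0050.0FB5.B5B0"),
    "SwitchC": (32768, "00D0.BA11.C0C0"),  # constructed
}
# (switch, its port, switch, its port, speed in Mbps); constructed to match the page's port roles
LINKS = [
    ("SwitchA", "Fa0/1", "SwitchC", "Fa0/1", 100),
    ("SwitchA", "Fa0/3", "SwitchB", "Fa0/3", 100),
    ("SwitchB", "Fa0/2", "SwitchC", "Fa0/2", 100),
]


def bridge_id(priority, mac, vlan):
    """PVST+ bridge ID: priority + VLAN number (sys-id-ext), then the switch MAC. Lowest wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())


def port_number(port):
    """'Fa0/3' -> 3, the Nbr half of Prio.Nbr used as the last tie-breaker."""
    return int(port.rsplit("/", 1)[1])


def elect(switches, links, vlan):
    """Return the root bridge, each switch's root path cost and the role of every port."""
    ids = {name: bridge_id(prio, mac, vlan) for name, (prio, mac) in switches.items()}
    root = min(ids, key=ids.get)
    adj = {name: [] for name in switches}
    for a, pa, b, pb, speed in links:
        cost = COST_BY_SPEED_MBPS[speed]
        adj[a].append((b, pb, cost))  # neighbour, neighbour's port on this link, link cost
        adj[b].append((a, pa, cost))
    # best[name] = (root path cost, upstream bridge ID, receiving port number, root port)
    best = {root: (0, ids[root], 0, None)}
    queue = [(best[root][:3], root)]
    while queue:
        key, node = heapq.heappop(queue)
        if key != best[node][:3]:
            continue  # stale queue entry
        for nbr, nbr_port, link_cost in adj[node]:
            cand = (key[0] + link_cost, ids[node], port_number(nbr_port))
            if nbr not in best or cand < best[nbr][:3]:
                best[nbr] = cand + (nbr_port,)
                heapq.heappush(queue, (cand, nbr))
    roles = {name: {} for name in switches}
    for name, (_, _, _, root_port) in best.items():
        if root_port is not None:
            roles[name][root_port] = "Root"
    # On every link the end advertising the lower (root path cost, bridge ID) is designated;
    # the other end is either that switch's root port or an alternate (blocking) port.
    for a, pa, b, pb, _ in links:
        if (best[a][0], ids[a]) < (best[b][0], ids[b]):
            desg, desg_port, other, other_port = a, pa, b, pb
        else:
            desg, desg_port, other, other_port = b, pb, a, pa
        roles[desg][desg_port] = "Desg"
        roles[other].setdefault(other_port, "Altn")
    return {"root": root, "cost": {n: v[0] for n, v in best.items()}, "roles": roles}


def root_primary(switches, name, priority=24576):
    """Model 'spanning-tree vlan N root primary': the page's output shows the priority drop to 24576."""
    changed = dict(switches)
    changed[name] = (priority, switches[name][1])
    return changed


if __name__ == "__main__":
    before = elect(SWITCHES, LINKS, vlan=1)
    after = elect(root_primary(SWITCHES, "SwitchB"), LINKS, vlan=1)
    for label, result in (("SwitchA is root", before), ("SwitchB root primary", after)):
        print(label, "->", result["root"], result["roles"])
```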
2.1.2 STP Port States
Blocking: if a port is blocked and the link to the root is lost, the port stays blocked for 20 seconds to see if the root link comes back up before it enables the failover link
Listening: if the link doesn't come back up, the port moves to the Listening (LST) state and waits 15 seconds, sending/receiving BPDUs to detect loops
Learning: after listening, the port starts to Learn (LRN) for the next 15 seconds to fill the CAM table with MAC addresses
Forwarding: the port is promoted to the Forwarding (FWD) state
Failover takes up to 50 seconds (OUCH!). Because STP was designed decades ago, this wasn't
too much of a problem. Nowadays networks are much faster and can transfer data much more quickly.
Need for Speed
2.1.3 RSTP (Rapid Spanning-Tree)
Have you ever had that problem when you boot your PC and by the time the PC boots you don't have a network connection, and logging on to the domain takes forever because it cannot contact Active Directory, and if it does it cannot load your account profile? This is because PCs boot quickly and run the DHCP client before the switch can transition the port to the forwarding state. The result is a PC without an IP address trying to talk to the network. To get around this, we enable portfast on switchports that we know connect to an end device
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/10 but will only
have effect when the interface is in a non-trunking mode.
RSTP (802.1w) redefines port states, lowers the timers and can converge almost instantly; no
more waiting 50 seconds.
Must be enabled on ALL switches for it to work properly
2.1.4 RSTP Port States
2.1.4 RSTP Roles
The root bridge becomes the privileged switch; all ports become designated ports
All the other switches find the best port to reach the root bridge (root port) and all other
redundant links are evaluated to decide who blocks what. On every link, there must be at least 1
designated port.
The blocking port roles from STP are now alternate ports. The switch will remember this path
as a possible link to reach the root bridge. This allows RSTP to failover to this alternate port
without having to re-learn the topology
Edge ports are ports that connect to end devices, configured with the spanning-tree portfast
command
2.1.5 RSTP Configuration
Enabling rapid-pvst
Switch(config)#spanning-tree mode rapid-pvst
RSTP port states:
Discarding: replaces Blocking (BLK); prevents loops
Learning: the port starts to Learn (LRN) for the next 15 seconds to fill the CAM table with MAC addresses
Forwarding: the port is promoted to the Forwarding (FWD) state
3.1 ETHERCHANNEL
Etherchannel allows us to use multiple physical connections and put them together as one
virtual link. This virtual link is called a channel group.
Provides automatic failover; if one of the physical links fails, the channel group simply uses the
rest of the links in the group.
Protocols for Etherchannel are PAgP (Port Aggregation Protocol) and LACP (Link Aggregation
Control Protocol).
Make sure the interfaces configured for EtherChannel belong to the same VLAN, and on both sides! Changes made to the port-channel interface affect all switchports that are members of the channel.
3.1.1 PAgP: Cisco proprietary; port modes: On, Desirable, Auto
3.1.1 LACP: Industry standard (802.3ad); port modes: On, Active, Passive
Channel result per mode combination (On = channel forms, Off = no channel):
PAgP        On    Desirable  Auto
On          On    On         On
Desirable   On    On         On
Auto        On    On         Off
LACP        On    Active  Passive
On          On    On      On
Active      On    On      On
Passive     On    On      Off
3.1.2 Layer 2 Etherchannel
SwitchA(config)#interface range fa0/1 - 3
SwitchA(config-if-range)#channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
SwitchA(config-if-range)#channel-group 1 mode on
3.1.3 Verifying Layer 2 Etherchannel
Verifying Etherchannel. Other verification commands include show etherchannel detail
SwitchA#show etherchannel port-channel
Channel-group listing:
----------------------
Group: 1
----------
Port-channels in the group:
---------------------------
Port-channel: Po1
------------
Age of the Port-channel = 00d:00h:02m:25s
Logical slot/port = 2/1 Number of ports = 3
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel
Protocol = PAGP
Port Security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Fa0/1 On 0
0 00 Fa0/2 On 0
0 00 Fa0/3 On 0
Time since last port bundled: 00d:00h:02m:25s Fa0/3
SwitchA#show etherchannel summary
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------------
1 Po1(SU) PAgP Fa0/1(P) Fa0/2(P) Fa0/3(P)
Switch#show etherchannel
Channel-group listing:
----------------------
Group: 1
----------
Group state = L2
Ports: 3 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
3.1.4 Layer 3 Etherchannel
Same steps as Layer 2, except now we can give a routable IP address to the channel group
through the port-channel interface
We must remove Layer 2 features from the switch ports with the command no switchport
before activating the EtherChannel
SwitchA(config)#interface range fa0/1 - 3
SwitchA(config-if-range)#no switchport
SwitchA(config-if-range)#channel-group 1 mode on
#Interface Port-channel 1 was just created
SwitchA(config-if-range)#end
SwitchA#show ip interface brief
#Output omitted
Port-channel 1 unassigned YES unset up up
SwitchA#configure terminal
SwitchA(config)#interface port-channel 1
SwitchA(config-if)#no switchport
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0
4.1 INTER-VLAN ROUTING
Done through Router-on-a-stick or Layer 3 Switch routing
Needed to allow devices on one VLAN to talk to another device on a different VLAN
1. PC1 sends an ARP request for its default gateway (a sub-interface on the router)
2. Router responds with the MAC address of this sub-interface
3. PC1 sends the packet, with a VLAN 20 destination IP, to the router
4. Switch forwards the packet through the trunk link to the router
5. Router detects that the destination is connected to its VLAN 20 sub-interface
6. Router sends an ARP request to contact PC2
7. PC2 responds to the ARP request
8. Router forwards the packet to PC2
Etc…
4.1.1 Router-on-a-stick Configuration
Pros: easy to set up, very low cost
Cons: congestion on the link (imagine all broadcasts from all VLANs, and all traffic from all
machines in and out of the network, flowing through this link TWICE), a single point of failure,
and last but not least, routing speed is slow compared to a switch
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#interface fastEthernet 0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#interface fastEthernet 0/20
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config-if)#interface fa0/1.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.10.1.1 255.255.255.0
Router(config-subif)#interface fa0/1.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 10.20.1.1 255.255.255.0
#Sub-interface ID .10 does NOT have to match the vlan number. Just better practice
4.1.2 Layer 3 Switch Routing Configuration
Routing at wire speed!
Cost of a layer 3 switch, can be expensive, especially if deploying redundant devices
#We must enable IP routing
Switch(config)#ip routing
#Using SVIs
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#interface fastEthernet 0/20
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#interface vlan 10
#SVI for VLAN 10 has just been created
Switch(config-if)#ip address 10.10.1.1 255.255.255.0
Switch(config-if)#interface vlan 20
#SVI for VLAN 20 has just been created
Switch(config-if)#ip address 10.20.1.1 255.255.255.0
#Using physical (routed) interfaces
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.10.1.1 255.255.255.0
Switch(config-if)#interface fastEthernet 0/20
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.20.1.1 255.255.255.0
5.1 GATEWAY REDUNDANCY
Redundancy protocols allow you to configure many gateways as a single virtual gateway,
transparent to clients.
HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol) and GLBP
(Gateway Load Balancing Protocol)
Automatic failover to a "backup" gateway if the main one goes down
Interface tracking allows you to detect a specific link's status and reduce the priority
accordingly so that another gateway replaces the active one
5.1.1 HSRP
Hellos every 3 seconds, hold timer is 10 seconds (default)
Virtual IP & virtual MAC shared by gateways; virtual MAC: 0000.0c07.ac?? (?? = group #)
One Active, others Standby
Organized in standby groups
Cisco proprietary
States: Init, Speak, Active, Standby
5.1.1 VRRP
Hellos every 1 second, hold timer is 3 seconds (default)
Virtual IP & virtual MAC shared by gateways; virtual MAC: 0000.5e00.01?? (?? = group #)
One Master, one Backup
Organized in VRRP groups
Industry standard (IETF)
5.1.1 GLBP
Hellos every 3 seconds, hold timer is 10 seconds (default)
Virtual IP & multiple virtual MAC addresses, one per AVF
All gateways are load-balanced
One AVG, many AVFs
Cisco proprietary
5.1.2 Configuring HSRP
Creating Standby Groups
SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if)#standby 1 ip 10.1.1.254
SwitchA(config-if)#standby 1 priority 150
SwitchA(config-if)#standby 1 preempt
SwitchB(config)#interface vlan 1
SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-if)#standby 1 ip 10.1.1.254
SwitchB(config-if)#standby 1 preempt
#Default priority is 100
5.1.3 Verifying HSRP
Verify the standby configuration: who is active and who is on standby. Hello messages are sent
when the state is Speak, Active or Standby
SwitchA#show standby
Vlan 1 - Group 1
State is Listen
Virtual IP address is 10.1.1.254
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Preemption enabled
Active router is unknown
Standby router is unknown
Priority 150 (configured 150)
IP redundancy name is "hsrp-Fa0/0-1" (default)
#It’s listening... after a few moments...
Mar 1 00:05:53.255: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state Speak
-> Standby
Mar 1 00:05:53.755: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state
Standby -> Active
SwitchA#show standby
Vlan 1 - Group 1
State is Active
2 state changes, last state change 00:01:41
Virtual IP address is 10.1.1.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.460 secs
Preemption enabled
Active router is local
Standby router is 10.1.1.1, priority 100 (expires in 8.968 sec)
Priority 150 (configured 150)
IP redundancy name is "hsrp-Fa0/0-1" (default)
5.1.4 Tuning HSRP
Tuning commands for HSRP; Hello and Hold Down timers should be the same on all routers!
Setting up tracking for WAN interfaces; if that link goes down we decrement the priority so the
other switch takes over! (only effective with preempt enabled)
SwitchA(config)#interface vlan 1
SwitchA(config-if)#standby 1 timers msec 50 msec 200
SwitchB(config)#interface vlan 1
SwitchB(config-if)#standby 1 timers msec 50 msec 200
#This changes hello timer to 50msecs and hold down to 200msecs
SwitchA(config-if)#standby 1 track fa0/1 60
#Now we tell it to decrement priority by 60 if fa0/1 dies
SwitchA(config-if)#interface fastEthernet 0/1
SwitchA(config-if)#shutdown
Mar 1 00:22:37.719: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp
1 state Active -> Init
SwitchA(config-if)#do show standby
Vlan 1 - Group 1
State is Init (interface down)
#Output omitted; the standby switch has taken over!
Hello time 50 msec, hold time 200 msec
Priority 90 (configured 150)
Track interface FastEthernet0/0 state Down decrement 60
IP redundancy name is "hsrp-Fa0/0-1" (default)
We should also set a timer that starts as soon as the switch becomes active. This timer
determines the minimum amount of time the switch will stay active; this avoids problems with
flapping interfaces, and if the active router reboots, we don't want to give the active role to
a router that is still learning routes!
SwitchA(config-if)#standby 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it’s promoted
SwitchA(config-if)#standby 1 preempt delay reload 180
#Waits 180 seconds before preempting the active one after a reload
5.1.5 Configuring VRRP
Creating VRRP Groups
SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if)#vrrp 1 ip 10.1.1.254
SwitchA(config-if)#vrrp 1 preempt
SwitchA(config-if)#vrrp 1 timers ?
advertise Set the Advertisement timer
learn Learn timer values from current Master
#On the master we only configure the advertise timer
#The Backup devices automatically learn the timers
SwitchA(config-if)#vrrp 1 timers advertise msec 60
SwitchB(config)#interface vlan 1
SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-if)#vrrp 1 ip 10.1.1.254
SwitchB(config-if)#vrrp 1 preempt
SwitchB(config-if)#vrrp 1 priority 90
#Default priority is also 100
5.1.3 Verifying VRRP
Verify the VRRP configuration: who is master and who is backup
SwitchA#show vrrp
Vlan 1 - Group 1
State is Master
Virtual IP address is 10.1.1.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 0.060 sec
Preemption enabled
Priority is 100
Master Router is 10.1.1.1 (local), priority is 100
Master Advertisement interval is 0.060 sec
Master Down interval is 0.789 sec
#It’s the master
SwitchB#show vrrp
Vlan 1 - Group 1
State is Backup
Virtual IP address is 10.1.1.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90
Master Router is 10.1.1.1, priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.648 sec (expires in 3.572 sec)
5.1.4 Tuning VRRP
Only the delay minimum command is available
SwitchA(config-if)#vrrp 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it’s promoted
5.1.5 Configuring GLBP
In GLBP, the priority elects which router will be the AVG (Active Virtual Gateway). The rest of
the routers in the group will be designated as AVFs (Active Virtual Forwarders).
SwitchA(config-if)#glbp 1 ip 10.1.1.254
SwitchA(config-if)#glbp 1 priority 150
SwitchA(config-if)#glbp 1 preempt
SwitchA(config-if)#glbp 1 timers msec 60 msec 200
#This changes the hello timer to 60 msec and the hold-down timer to 200 msec
SwitchB(config-if)#glbp 1 ip 10.1.1.254
SwitchB(config-if)#glbp 1 priority 90
SwitchB(config-if)#glbp 1 preempt
SwitchB(config-if)#glbp 1 timers msec 60 msec 200
5.1.6 Verifying GLBP
We can look at who's the gateway and who the forwarders are, the virtual MAC addresses, etc…
SwitchA#show glbp
Vlan 1 - Group 1
State is Active
2 state changes, last state change 00:03:34
Virtual IP address is 10.1.1.254
Hello time 60 msec, hold time 200 msec
Next hello sent in 0.044 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Preemption enabled
Active is local
Standby is 10.1.1.2, priority 90 (expires in 0.148 sec)
Priority 150 (configured)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
cc00.1060.0000 (10.1.1.1) local
cc01.1060.0000 (10.1.1.2)
There are 2 forwarders (1 active)
Forwarder 1
State is Active
1 state change, last state change 00:03:24
MAC address is 0007.b400.0101 (default)
Owner ID is cc00.1060.0000
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 100
Forwarder 2
State is Listen
MAC address is 0007.b400.0102 (learnt)
Owner ID is cc01.1060.0000
Redirection enabled, 599.992 sec remaining (maximum 600 sec)
Time to live: 14399.992 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.1.1.2 (primary), weighting 100 (expires in 0.188 sec)
5.1.4 Tuning GLBP
Only the delay minimum command is available
SwitchA(config-if)#glbp 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it’s promoted
Additional tuning is possible with GLBP for configuring weights, load-balancing, etc.; however
it's not covered on the exam.
6.1 WIRELESS LANS
WAPs (Wireless Access Points) communicate like hubs. Only one wireless client can talk at a
time since it's a shared signal in half duplex.
Wireless works on Layer1 and Layer2 of the OSI model.
Uses CSMA/CA (Collision Avoidance) instead of the CSMA/CD (Collision Detection) used in
Ethernet technology
Suffers from interference from other devices using radio frequency (wireless phones,
microwaves), and from other physical obstacles (walls, columns, etc.)
Wireless is an extension to a physical network. A Workgroup Bridge connects two LANs through
a wireless connection. Number of users connecting through a workgroup bridge is very limited;
enough for about 10 people.
Can be used to connect branches in the same MAN (Metropolitan Area Network) in a cost
effective way without having to lease lines, run own cables and without paying monthly fees.
6.1.1 SSIDs
Service Set Identifier (SSID) is a unique identifier that represents a VLAN or a network.
Connecting to an SSID
Figure 1
When a client first tries to connect, it sends a probe as a broadcast, requesting that all access
points it can reach reply with a beacon
Figure 2
The Access Points that were able to hear the probe will reply with a beacon to the host. This can
be disabled.
Figure 3
The client will choose one from the list of beacons that replied (the list of wireless networks
available to you in Windows).
Figure 4
Assuming there is no security enabled, the wireless access point will add the MAC address of the
new wireless client to the list of connected devices and provide it with an IP if DHCP is available
and enabled.
6.1.2 WLAN Design
Repeaters should have a 50% area overlap to be able to reproduce signals properly
APs should have up to 15% area overlap to be able to roam from one to another without losing connection to an SSID
Neighbor Access Points must use non-overlapping channels
6.1.3 WLAN Roaming
Seamless hand off from one Access Point to another; as soon as a stronger AP signal is detected.
Not supported by normal wireless routers such as Netgear, Linksys, etc.
Designed to provide coverage over wide areas, but can be quite costly.
Overlap shouldn't be less than 15% or packets may be lost and roaming might not be
successful
As the client gets farther from its AP, the AP's beacons start to miss the client's probes (which are
sent periodically from the client), and the signal starts to get weaker.
As signal gets weaker, the client analyzes other Access Points with the same SSID that may
provide better signal. If so, it attempts to roam to this new access point.
Wireless Access Points can support multiple VLANs. This means we can create different SSIDs
(one per VLAN), each one can have different security mechanisms, and the AP would trunk to a
switch to allow communication for all VLANs.
6.1.4 WLAN Frequencies
900 MHz range: 902 – 928 MHz
2.4 GHz range: 2,400 – 2,483 MHz
5 GHz range: 5,150 – 5,350 MHz
Higher frequency = higher data rates = shorter ranges
6.1.5 802.11a
Up to 54Mbps
NOT compatible with b or g
12 to 23 non-overlapping channels
6.1.5 802.11b
Up to 11Mbps
Most popular standard
3 non-overlapping channels: 1, 6, 11
6.1.5 802.11g
Up to 54Mbps
Compatible with b
3 non-overlapping channels: 1, 6, 11
6.1.6 WLAN Security
WEP (Wired Equivalent Privacy), 802.1X EAP, WPA (Wi-Fi Protected Access) and WPA2 (802.11i)
Hardware that supports WEP can also support WPA; not WPA2
WPA uses TKIP (Temporal Key Integrity Protocol)
WPA2 uses TKIP and AES (Advanced Encryption Standard)
6.1.7 WLAN Hardware
Two types of Access Points: Autonomous APs and Lightweight APs.
6.1.7.1 Autonomous AP
Stand alone
Controlled with WDS (Wireless Domain Services) for roaming
Managed with WLSE (WLAN Solution Engine) through CiscoWorks
IOS based with web interface
Costs more; can convert into a Lightweight AP based on IOS
6.1.7.1 Lightweight AP
Server-dependent or controller based
Controlled using WLC (Wireless LAN Controller)
Managed with WCS (Wireless Control System)
Downloads config. from WLC
Only Lightweight
6.1.8 Lightweight APs
Lightweight Access Point Protocol (LWAPP) is used on the links between a wireless controller (WLC) and the Access Points
Controller is the brain; APs just process packets from/to wireless clients
Split MAC topology
6.1.9 PoE (Power over Ethernet)
802.3af (PoE) is the industry standard: the ability of a device to send power along the Ethernet connection to an end device such as IP phones, APs, printers, etc.
Both devices must support PoE, and the same standard, whether it is 802.3af, Cisco's proprietary PoE, or any other third-party proprietary PoE standard.
Cisco switches support 802.3af and their proprietary protocol
6.1.10 WLAN Antennas
3 types of antennas: Omni-Directional, Directional and Yagi antennas
6.1.11 Omni
Equal coverage all around
6.1.11 Directional
No signal behind the antenna, which is aimed towards the desired area
6.1.11 Yagi
Antenna pointed towards the desired area; much more range, and the angle of the beam can be
adjusted: the smaller it is, the more powerful the signal and the longer it can travel
7.1 VoIP
VoIP is used to save costs on voice transmission
Low bandwidth; centralized data and voice
Saves costs on staff and on moves, adds and changes
The PC daisy-chains to the network through the switch
The 64Kbps that a normal voice line takes is converted to 8Kbps through VoIP
Integration of the data world and the voice world.
7.1.1 How VoIP Works
Phones talk to Call Manager using the 'Skinny' protocol. The communication happens whenever an event occurs that requires the phone to act. IP Phones are dumb terminals; they don't know anything other than to do what Call Manager says.
How a call works:
-Once a handset is picked up, the phone will tell CCM that the handset has been picked up.
-CCM tells the phone to play a dial tone
-Every time a key is pressed the phone talks to CCM through Skinny
-When CCM recognizes a dialed number as a pattern, extension, etc., it will instruct the phone to play the ringing tone and will instruct the other phone to ring
-Once the other phone picks up, CCM instructs both phones to establish a connection using RTP (Real-time Transport Protocol)
-RTP must be prioritized for QoS
7.1.2 Dual VLANs
The switchport is configured in access mode as part of VLAN 200. Then the voice VLAN is added as VLAN 100. Cisco uses CDP to recognize the phone on this switchport.
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 200
SwitchA(config-if)#switchport voice vlan 100
#The switch will send CDP packets to make sure a Cisco phone is plugged in
7.1.3 QoS
Marking packets for QoS:
Class of Service (CoS): Layer 2
Type of Service (ToS): Layer 3
Classification of packets occurs when a packet is inspected to see what kind of traffic it contains. Packets can be categorized with access-lists, source ports, etc. Classification is CPU intensive.
CoS is marking frames at Layer 2. No deep packet inspection; it looks at the CoS tag on the frame: 3 bits of marking for 7 levels of marking (0 to 7). For example, all SQL traffic can be marked. Levels 6 and 7 are reserved by Cisco for routing protocols, etc.
At Layer 3, CoS is dropped since it's Layer 2 and replaced with ToS. IP Precedence was the old way of marking at Layer 3, with up to 7 levels of marking. DSCP now provides up to 64. Routers can look at the ToS to determine priority without having to do deep packet inspection.
7.1.3 Configuring QoS
SwitchA(config-if)#mls qos trust cos
#Means “I will trust the CoS marking on this port”; implemented on ports connecting to
phones
SwitchA(config-if)#mls qos trust device cisco-phone
#For security measures, this will trust the CoS on this port only if a cisco phone is
detected on the other side through CDP.
Auto QoS is available to automatically implement the most appropriate QoS parameters on the interface, based on bandwidth, switchport, etc., to meet Cisco's best practices
SwitchA(config-if)#auto qos voip cisco-phone
#This auto detects the best priority for this type of traffic
7.1.3 Verifying Auto QoS
SwitchA#show run int fa0/1
interface FastEthernet0/1
switchport access vlan 200
switchport mode access
switchport voice vlan 100
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
wrr-queue bandwidth 10 20 70 1
wrr-queue min-reserve 1 5
wrr-queue min-reserve 2 6
wrr-queue min-reserve 3 7
wrr-queue min-reserve 4 8
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
end
#All these lines were applied by auto qos
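As an added example (not from the original guide), a Python audit over a constructed running-config excerpt that flags ports trusting CoS without the cisco-phone CDP gate described under Configuring QoS, plus voice-VLAN ports that trust nothing; the interface names and their configs are made up for the sample.

```python
# Constructed running-config excerpt (not from the page). Fa0/1 mirrors the auto-QoS port
# above; Fa0/2 trusts CoS from anything; Fa0/3 has a voice VLAN but trusts nothing.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 200
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport voice vlan 100
 mls qos trust cos
!
interface FastEthernet0/3
 switchport access vlan 200
 switchport voice vlan 100
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its config lines (leading space stripped)."""
    interfaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = []
        elif cur is not None and line.startswith(" "):
            interfaces[cur].append(line.strip())
        else:
            cur = None          # "!" or any other top-level line ends the block
    return interfaces

def audit_trust(interfaces):
    """Flag ports whose CoS trust is not gated on CDP detection of a Cisco phone
    (the 'trust device cisco-phone' guard), and voice-VLAN ports that trust nothing."""
    findings = {}
    for name, lines in interfaces.items():
        trust_cos = "mls qos trust cos" in lines
        gated = "mls qos trust device cisco-phone" in lines
        voice = any(l.startswith("switchport voice vlan") for l in lines)
        if trust_cos and not gated:
            findings[name] = "trusts CoS from any device (no 'trust device cisco-phone')"
        elif voice and not trust_cos:
            findings[name] = "voice VLAN configured but CoS not trusted"
    return findings
```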