Ccnpswitch

CCNP SWITCH
L2 and MLS function
5
L2 switch
5
Type of MLS
5
TCAM table
6
More about MLS
8
MLS switching
8
CEF
9
Advanced CEF
9
Fallback bridging
10
Adjacency table
10
Control and data plane
11
Hardware
12
Catalyst 5000/5500
12
Catalyst 3750
14
Catalyst 4500
14
Catalyst software, Cat OS
15
Cables and connectors
16
Fast Ethernet
16
Gigabit Ethernet
16
10 Gigabit Ethernet
17
Autonegotiation
17
Summary
19
VLAN
20
VLAN 1
21
Trunk design
21
Trunking protocols
21
InterVLAN routing
22
802.1Q-in-Q tunneling
23
PPPoE
24
VTP
25
VTP update advertisement
25

VTP version 3
28
Miscellaneous
28
EtherChannel
29
PAgP
29
LACP, 802.3ad
30
Configuration
31
Algorithm
32
STP
33
Type of BDPU
33
Port costs
34
Port states
34
Types of STP
35
STP configuration
35
General
35
Timers
36
Port ID
36
PortFast and UplinkFast
36
BackboneFast
37
Verification
37
Additional features
38
Root Guard
38
BPDU Guard
38
BPDU Filter
38
Loop Guard
38
UDLD
39
RSTP
41
BPDU
41
Port
41
Synchronization
42
Topology Change
42
Compatibility
42
RSTP, RPVST+, and MST
43
IST and MISTP
44
MST configuration
45

Campus Network Design
46
Cisco hierarchical design
46
Switch and core block
46
Cisco Enterprise Composite Model
47
Campus Switched LAN
48
Gateway Redundancy protocol
49
HSRP
49
HSRP election
50
HSRP messages
50
HSRP states
50
HSRP authentication
51
Interface track
51
HRSP load-balance
51
VRRP
52
GLBP
52
AVG and AVF
53
Weighting feature
53
Load-balance algorithm
54
IP phone
55
PoE and power
55
IP phone and switching
56
QoS
57
CoS and ToS
57
QoS Operational Model
58
Configuration
59
Wireless
61
AP Basics
61
802.11 Basics
62
802.11 frames
62
Cisco Unified Wireless Network Architecture (CUWNA)
63
CUWNA roaming
64
Switch configuration
65
Security
66
Port Security
66

DHCP snooping
67
Dynamic ARP inspection
67
IP source guard
68
VLAN hopping
69
802.1x and AAA
69
Switch ACLs
71
PVLAN
72
Other security features
72
Error management
73
More about Switching
75
Miscellaneous
76
Supervisor and route processor redundancy
76
Macro
77
ICMP Router Discovery Protocol, or IRDP
77
StackWise
77
Power redundancy
78

L2 and MLS function
A Layer 2 switch mimics a transparent bridge, which offers segmentation while being
transparent to all end devices.
Whenever a frame with an unknown source address enters the switch, its source MAC
address, along with switch port number and VLAN are recorded in the CAM table.
Time stamps are also added (every time a frame from that device is sent out) so the CAM
table know the latest entry, if newer time stamp of this device is found in another port, and
the switch no longer hears from that device (at the old port), this entry is deleted and the
new entry is used instead (of normal 300 second age out).
By default, MAC address table age out an entry after 300 second of inactivity (5 minutes).
But you can manually adjust this by ‘(config)#mac address-table aging-time SEC’.
You can also configure a static entry of MAC address so it doesn't leave the CAM table
unless you specified so, by ‘(config)#mac address-table static MAC_ADD vlan V_ID interface
TYPE_NO’
To display the MAC address table, use ‘#show mac address-table dynamic [address
MAC_ADD | interface TYPE_NO | vlan VID]’. To delete an entry, add ‘clear’ in front of the
command. To see the CAM table size, use ‘show mac address-table count’ command.
L2 switch
When a frame arrives at a switch port, it’s placed into one of the ingress queues. Each
ingress queues have a different priority service level, so the higher priority queues gets
faster service, this prevents time (latency: the time takes from a frame enters the switch to
leaving it) sensitive frames from being last.
Not only does the switch has to figure out WHERE to send a frame, it also has to figure to
WHETHER it should and HOW. These are the factors affecting the process, each is operated
separately:
- L2 forwarding table, or CAM table.
- Security ACL placed in ternary CAM or TCAM table deciding whether a frame should leave
- QoS ACL determines which egress queue a frame will go, each queue has different priority
to prevent time-sensitive information from delay. Also stored in TCAM table.
When frames come in, all ACLs are run in parallel to match the frame.
When a packet comes in, these components will be involved in its forwarding decision:
- L2 forwarding, or CAM table.
- L3 forwarding, or FIB table
- Security ACLs compiled into TCAM table
- QoS ACLs compiled into TCAM table
Type of MLS
Cisco implements route caching (demand-based) and topology-based switching.
Demand-based switching, also known as flow-based switching, or MLS requires 3
components:

- MLS engine (MLS_SE): can identify Layer 3 flow and lie in data plane. It determines next
hop and egress interface for each packet, rewrite the packet as necessary.
- MLS RP: run routing protocol, maintain and update routing table to MLS-SE
- MLSP: multicast protocol (0100.0cdd.dddd) used to communicate information such as
routing changes between RP and SE.
RP can be an internal or external router, internal router can be RSM or RSFC module on
5000/5500. External router can be connected to 7500, or 7200
Steps of packet forwarding:
1. MLS-SE receive a packet, now known as candidate packet, for new flow. Forwarded to
MLS-RP for route lookup if a flow entry is not found already.
2. MLS-RP determine destination, rewrite the packet and forward it. This packet is now an
enable packet. SE records this path in the flow cache.
3. Following packets in the flow (same source & destination address & port number) are
switched using the same path with ASIC and rewrite engine. Note that both the candidate
and enable packet must pass through the same switch.
When supervisor 720 was introduced, this method become legacy and use CEF instead.
Note: router ACL do not affect the processing of SE because SE is never create the flow in
the cache.
Topology-based or CEF switching refers to the switching method which RP build the RIB
and send a copy called FIB (contain all the IP prefix from routing table) to SE, which forward
packet based on next-hop entry of each packet.
When new entries take place, the CEF table is updated, packets are temporarily switched
slower in RP. Special frames such as Telnet are also switch slower as they also use demand-based
switching.
TCAM table
ACL are made up of one or more access control entities (ACE) or matching statements that
are implemented in hardware. In MLS, ACL is implemented in
1) Feature manager (FM) merges ACEs into TCAM table.
2) Switching Database Manager (SDM) helps to divide the TCAM if necessary.
TCAM entries are composed of Value, Mask and Result (VMR) combination that matches
from the frame or packet headers from the value and mask pair.
- Value are always 134-bit quantities, consisting of source and destination address and
other info, all of which needed to be matched.
Access List
Value and Mask Components, 134 Bits Wide (Number of Bits)
Type
Ethernet Source MAC (48), destination MAC (48), Ethertype (16)
ICMP Source IP (32), destination IP (32), protocol (16), ICMP code (8), ICMP type (4), IP
type of service (ToS) (8)
Extended IP
using TCP/UDP
Source IP (32), destination IP (32), protocol (16), IP ToS (8), source port (16),
source operator (4), destination port (16), destination operator (4)
Other IP Source IP (32), destination IP (32), protocol (16), IP ToS (8)
IGMP Source IP (32), destination IP (32), protocol (16), IP ToS (8), IGMP message type (8)
IPX Source IPX network (32), destination IPX network (32), destination node (48), IPX
packet type (16)
- Mask is also a 134-bit quantity in the exact format, but it does a different job. It turns on
(1) the things needed to be matched and turn off bits not to be matched.

- Results are used to inform switches of the action to take after the lookup occurs.
TCAM table is organized by masks, each unique mask has 8 value patterns. However, some
keywords such as ‘gt’ ‘lt’ ‘neq’, or ‘range’, have more than one match, thus FM comes into
play and compile TCAM entry using logical operation unit (LOU) register pairs.
However, since there are only limited LOUs, if there are more comparison operator than
LOUs, FM must break down ACE for the statement to process.
If too many items are presented in the TCAM table, an overflow may occur due to low on
system resource. This will generate a syslog error.

More about MLS
MLS switching
MLS usually support less feature than their router counterpart.
MLS can perform Layer 1 to 4 switching,
- Physical layer switching: allow user to connect any port to any other port and allow
conversion of one media type to another
- Data Link layer switching, most common, also include WAN protocols. However, CCNP
SWITCH only focus on LAN switching. 3 main functions: learn MAC address, forward
frame, and avoid loop.
- Network layer switching, include inter-VLAN switching. Layer 3 switching is faster than
Layer 3 routing because 1) use of hardware, 2) high performance, 3) high-speed scability,
4) low latency, 5) low per-port cost, 6) flow accounting, 7) Security, and 8) QoS. Switching
with traffic flow (or flow-based switching).
- Transport layer switching use Layer 4 information to make forwarding decision. Switching
based on source and destination address and port. Greatest use in QoS application. This
type of switch is called Layer 4-7 switches, content switches, content services switches,
web switches, or application switches. Require large amount of memory to track all
applications.
Multicast address can be associated and placed in the CAM table.
MLS have logical interfaces called switched virtual interface (SVI) that can perform Layer 3
functions. This layer 3 address is the default gateway for VLANs. VLAN must be configured
before SVI can be enabled. VLAN and SVI are independent of each other even though they
interoperate.
You can verify with ‘show ip interface vlan VID’ command
Inter-VLAN routing on MLS: start the VLAN with ‘vlan X’, then assign it an IP address from
‘int vlan X’. These subnets appear as directly connected subnets.
You can configure a port to Layer 2 mode by ‘interface TYPE/NUM’ -> ‘switchport’.
To configure it to Layer 3 mode, use ‘no switchport’ instead.
Confirm with ‘show interface TYPE MOD/NUM switchport’ under ‘switchport:’ line. If
‘switchport:enabled’, this is a Layer 2 mode, otherwise, it’s in Layer 3 mode.
Note: EtherChannel port channel itself can also be in Layer 3 mode, you can assign a layer
3 address to that port channel only.
A Layer 2 port can be a routed port, a SVI interface, and an EtherChannel interface
LAN switching can be
- Symmetric: provide evenly distributed bandwidth to each port on the switch, such as an
all FastEthernet port switch.
- Asymmetric: have ports of unequal bandwidth such as FastEthernet, and Gigabit Ethernet
or 10/100/1000 ports. This is the most common.
These 2 planes are responsible for the building and actual forwarding of the routing table.
Control plane is responsible of gathering and organizing information. It runs routing
protocol, and other control information. It updates the routing table.
Data plane is where the actual forwarding occurs. Contain information from control plane.
Determine egress port for a packet.

CEF
CEF operates at the data plane and increase efficiency by using FIB and adjacency table.
The adjacency table is created to contain all connected next hops. As soon as a neighbor is
connected, it will use a MAC string/rewrite to reach that device, then an entry will be stored
in the adjacency table.
A CEF-based multilayer switch consists of two basic functional blocks:
- Layer 3 engine is involved in building routing information stored in FIB, which rearrange
the routing table so the most specific routes are placed in front of other routes. The entry
also include the next-hop address.
- Layer 3 forwarding engine that switch packets in hardware
The host route, or 255.255.255.255 is also found in the FIB. If change take place in
routing table or ARP table, it will be reflected on the FIB. To display FIB, use ‘show ip cef
[TYPE MOD/NUM | vlan VID] [PREF_IP MASK] [longer-prefixes] [detail]’
Most of the time, Layer 3 forwarding engine check the packet and forward it using
hardware, but in the following instances, these packets will be marked ‘CEF punt’ and send
to Layer 3 engine for further processing:
- Entry can’t be found in FIB
- FIB is full
- TTL is expired
- MTU is exceeded, fragmentation required
- ICMP redirect is involved
- Encapsulation type is not supported
- Packets are tunneled, requiring compression or encryption
- Involves ACL with ‘log’ keyword
- NAT operation (exception: Catalyst 6500 Supervisor 720 can handle NAT in hardware)
- ARP requests and replies
- IP packets that require a response from the router (such as decrementing TTL, MTU
match, fragmentation, etc)
- IP broadcast that will be relayed as unicast (IP helper-address)
- Routing protocol updates
- CDP packets
- IPX routing protocol and service advertisement
- Non IP or IPX protocol
Advanced CEF
As performance demand increase, Layer 3 engine also increased its capability. In Catalyst
6500, CEF is being optimized with special forwarding hardware and accelerated CEF or
distributed CEF.
Accelerated CEF allows a portion of the FIB to be distributed to capable line card modules
in the Catalyst 6500 switch. This allows the forwarding decision to be made on the local line
card using the locally stored scaled-down CEF table. In the event that FIB entries are not
found in the cache, requests are sent to the Layer 3 engine for more FIB information.
Distributed CEF refers to the use of multiple CEF tables distributed across multiple line
cards installed in the chassis. When using dCEF, the Layer 3 engine (MSFC) maintains the
routing table and generates the FIB, which is then dynamically downloaded in full to each of

the line cards, allowing for multiple Layer 3 data plane operations to be performed
simultaneously.
To enable CEF, use ‘(config)#ip cef [distributed]’. To disable, use ‘(config)#no ip cef
[distributed]’ or ‘(config)#no ip route-cache cef’.
Verify with ‘show ip cef [TYPE MOD/NUM] [detail]’
Fallback bridging
Not all routed protocols are supported. Depending on the platform, unsupported routed
protocol must be routed using software while some can’t even be routed. The non-routable
protocols can be bridged between different VLANs and routed interfaces of the same bridge
group using fallback bridging, which allows the switch to forward this traffic.
Fallback bridging is enabled by assigning 2 or more switch interfaces to a bridge group.
Once the interfaces have been assigned to a bridge group, the interfaces are able to bridge
all non-routed traffic between them and other member interfaces. BPDUs are exchanged
between members of same bridge group, but not between groups. Note:
- Up to a maximum of thirty two (32) bridge groups can be configured on the switch
- An interface (an SVI or routed port) can be a member of only one bridge group
- Use a different bridge group for each separately bridged network connected to the switch
- Do not configure fallback bridging on a switch configured with private VLANs
- When enabled, all protocols are bridged, except for the following:
IP Version 4
IP Version 6
Address Resolution Protocol (ARP)
Reverse ARP (RARP)
Frame Relay ARP
Shared STP packets are fallback bridged
Configure a bridge group with ‘(config)#bridge [1 - 255] protocol vlan-bridging’ command,
know that only 32 VLANs are supported. Then configured a L3 interface to participate in a
bridge group with ‘(config-if)#bridge-group [1 - 255]’
Verify with ‘show bridge [NO] [group] [verbose]’ command.
Adjacency table
Another table used for maintain a list of next-hop neighbor and directly connected hosts’
MAC address and its correspondent IP address; this table is called the adjacency table and
is built from the ARP table. You can display this table with ‘show adjacency [TYPE MOD/NUM
| vlan VID] [summary | detail].
You will see a line of hexadecimal values, the first 12 digits is the MAC address of the
attached host. Another 12 digits contain the MAC address of this Layer 3 engine’s interface,
with the last 4 digit denoting the EtherType.
If an ARP entry is missing, the corresponding FIB entry is marked “CEF glean”, meaning
the frame can’t be processed due to the missing of the layer 2 address. This causes the
layer 3 engine to generate an ARP request for that address. You can show a list of FIB
entries in ‘glean’ state with ‘show ip cef adjacency glean’ command.
When an entry is in glean state, packets for that destination is dropped to prevent sending
multiple ARP request, this is known as ARP throttling or throttling adjacency. If an ARP reply
is not received within the next 2 seconds, another ARP is released.
An adjacency refers to 2 MLS connected by a common link.

The adjacency table contain other types of adjacency relationships:
- Null adjacency: for switching packets to null interfaces
- Drop adjacency: drop packets due to some sort of error, including encapsulation failure,
unresolved address, unsupported protocol, no valid route, no valid adjacency, or checksum
error. You can view packets dropped by ‘show cef drop’
- Discard adjacency: dropped packet due to ACL or other policy actions
- Punt adjacency: packets send to the Layer 3 engine for further processing, display
statistics with ‘show cef not-cef-switched’ command. Here are the list of reasons why it
needs further processing:
. No_adj => incomplete adjacency
. No_encap => incomplete ARP resolution
. Unsupp’ted =>unsupported packet feature
. Redirect => ICMP redirect
. Receive => packets for the Layer 3 engine interfaces, for IP network or broadcast
address
. Options => IP options present
. Access => ACL failure
. Frag => fragmentation failure
Control and data plane
For Catalyst 6500, Supervisor 720 module is the where all the processing takes place. It
contains:
- MLS feature card 3 runs all software process and support both switch and route processor
(SP and RP). Build CEF FIB and download it to ASIC of PFC3 to make forwarding decision.
- Policy feature card 3 contain ASIC and perform routing and switching, implementing ACL,
QoS and multicast packet. Require RP to populate route cache or optimized route table
structure to perform L3 switching.
- Switch/switching fabric is the connection between multiple ports within a switch to
transport data.
3 refers to version 3, the current latest version.
To verify CEF is running well, use ‘show ip route’ and ‘show arp’ to verify correct
information. Display the content of FIB table with ‘show ip cef [distributed]’ command.
Detailed version of last command include ‘show ip cef [network [mask]] [longer-prefixes]
[checksum | detail | internal [checksum]]’ and ‘show ip cef [interface-type interface-number
[checksum | [detail | internal [checksum] | platform]]’
Adjacency table can be viewed with ‘show adjacency [ip-address] [interface-type interface-number
| null number | port-channel number | sysclock number | vlan number | ipv6-
address | fcpa number | serial number] [connectionid number] [link {ipv4 | ipv6 | mpls}]
[detail | encapsulation] and the show ip cef adjacency [interface-type] [interface-number]
[ip-prefix] [checksum | detail | epoch epoch-number | internal | platform | source]’
It’s possible for MSFC to process some packets instead. But to prevent oversubscription,
you should limit the rate at which PFC sends (or punts) frame to MSFC. This is controlled by
- CEF Receive: limit frames for switch’s own interfaces
- CEF Glean: when destination is not contained or can’t be relayed to the next hop, which
doesn’t exist and need an ARP request.
This feature is performed by ‘(config)#mls rate-limit unicast cef [glean | receive]’

Hardware
Switching fabric is a term used for communication channel used by the switch to transport
frames, carry forwarding decision information, and relay management information
throughout the switch. It’s responsible to relay frame from ingress port to an egress port.
There are 2 major types of switch fabric
- Shared bus: share the same method of switching. Use a central arbiter to determine how
and when to grant requests from each line card (port). Only one process occurring any
time.
When frame is received, it’s placed in a buffer (queue) and check for error. Line card local
arbiter request access to transit frame onto data bus. Defective frame are discarded.
Header is added to insist forwarding decision in data bus then transmit there.
Data bus send the frame to all ports (except where the frame come from), then the header
added will decide which port will forward. Certain ports transmit frame, while others discard
it.
- Crossbar solves the waiting problem in shared bus by using multiple line card that can
operate simultaneously. It’s available in SFM modules.
As oversubscription can occur any time, it’s a good idea to buffer excessive frames before
they are processed to prevent being dropped. 2 types of memory management is used to
act as switch frame buffer:
- Port buffer memory: high-speed memory specially designed store excessive frame. One/
port, drop frame if buffer full.
- Shared memory: old type of memory designed for port buffer. All ports share the same
buffer. Dynamically allocate memory for buffer. Vary by different platform, but usually
increment from 64 to 256 bytes.
Head-of-line blocking occurs whenever traffic waiting to be transmitted prevents or blocks
traffic destined elsewhere from being transmitted. This occurs when a receipt port is full and
can’t take further requests, or the sending port is too busy.
Cisco Catalyst switches provide many solutions, and one of them is port buffering. Note
that ingress queue is usually much smaller than egress queue as switch can process
incoming frames at a high speed.
Catalyst 5000/5500
Catalyst 5000/5500 (Project Synergy) contains the most fundamental parts of all Cisco
switches.
Catalyst 5000 switch introduced a 5-slot chassis with one slot for supervisor module, hot
swappable line modules, redundant power supply, redundant fans, and 1.2 Gbps backplane
bus.
Catalyst 5500 switches use aggregate switching bandwidth of 3.6 Gbps by using three 1.2
Gbps buses.
Most Catalyst switches are now modular and allow user replacement of components.
Chassis the place where all the components reside. It provides electrical connection
between Supervisor module and all other modules and line cards + system clock to the
power supply.
Model 5000 5002 5005 5009 5500
Catalyst 5000 series N-slot chassis 5 2 5 9 13

Supervisor Module is the brain of the switch. SM I had the following sub-components:
- Network management processor (NMP) handles administrative functions such as STP
calculation, virtual terminal session, SNMP, and synchronization of secondary Supervisor
Module.
- Master communications processor (MCP) communicates statistical and RMON information
to and from each line module’s local communication processor (LCP) to serial
communications protocol (SCP).
- NVRAM
- DRAM or RAM
- Flash memory
- CAM
Supervisor I contain following ASIC:
- Enhanced address recognition logic version (EARL) ASIC: create and update MAC address
to port mapping (CAM table) as well as performing lookups.
- Synergy advanced interface network termination (SAINT) ASIC: provide 10/100 MB
Ethernet controller powering the Supervisor’s Ethernet uplink port. One SAINT ASIC/uplink
port
- Synergy advanced multipurpose bus arbiter (SAMBA) ASIC: handles central arbitration and
access to data bus.
EARL v1 created CAM tables made up of MAC address, associated VID, and an index value.
The VID field takes 16 bits, but only 10 bits were used to identify a VLAN and the rest are:
- Aging bit: for aging addresses
- Trap bit: indicate an exception, such as filtering or blocking
- Static bit: indicate a MAC address is static
- Valid bit: indicate the entry has a running aging timer, meaning it’s still valid.
EARL v2 can rewrite header for each packet flow, or give out rewrite information to ASICs
capable of in-line rewrite.
Here are the different Supervisor Module versions:
- I: Layer 2 switching only, not upgradable. Support many different types of media, 2 uplink
ports. No redundancy. Not compatible with 5500
- II: Layer 2 switching only, support optional second supervisor to provide redundancy. 2
uplink ports with different media type.
- IIG: include NFFC and support an optional RSFC. Capable of MLS. Modular Fast and Gigabit
Ethernet uplink ports
- III: support integrated NFFC but not RSFC. Enable 3.6 Gbps crossbar switch fabric with
5500. Modular uplink Gigabit Ethernet ports similar to GBIC
- IIIG: integrated NFFC and support optional RSFC. Enable 3.6 Gbps crossbar switch fabric
with 5500. Modular uplink Gigabit Ethernet ports similar to GBIC
Catalyst 5500 contains 3 buses:
- Switching/data bus (dBus): used to switch frames between line cards. 48 bits wide and
clock rate of 25 MHz, gives 1.2 Gbps bus bandwidth
- Management bus (mBus): carries configuration information from NMP to each module and
back using SCP
- Results/index bus (ruBs): carries port-select information from the central EARL ASIC to
the ports. This information determines which ports forward the packet and which flush it
from the buffer.

Catalyst 3750
3750 series are fixed-configuration switches allowing expansion through the
interconnection or stacking of additional switches rather than adding more line modules.
Uses SFP uplink port.
Model Ports Modular Uplinks
WS-C3750-24 24 10/100 Ethernet 2 SFP
WS-C3750-48 48 10/100 Ethernet 4 SFP
WS-C3750G-24T 24 10/100/1000 Ethernet None
WS-C3750G-24TS 24 10/100/1000 Ethernet 4 SFP
Power supply uses external RPS 675, which can supply power to a maximum of 6 switches,
and provide immediate failover for internal power supply.
Stackwise switches are connected with 68-pin cables. When two or more switches are
connected via Stackwise cables, a switch fabric consisting of dual counter-rotating rings is
formed, with each ring providing 16 Gbps of bandwidth, resulting in 32 Gbps of total
bandwidth. Each ring carries data and is self healing via a loopback protection mechanism
that is enabled should a Stackwise cable or individual switch fail.
This provides high availability even when an ASIC fail.
3750 uses a shared token to determine the order in which port ASCIs may transmit data
onto the ring. The port ASIC can create a 24-byte header containing the necessary
information to make a forward decision.
When transferring a packet, the port ASIC will use the ring that the first token arrives on.
If token from both ring arrive at the same time, port ASIC chooses the least used ring.
The destination port ASIC copies the 24-byte header and the packet data from the ring
and forward it to the correct port.
Catalyst 4500
Model
Catalyst 4500 Series N-slot Chassis
4503 4506 4507R 4510R
3 6 7 10
Catalyst Platform Form Factor Switch Fabric Fabric Bandwidth
5000 Modular Shared bus 1.2 Gbps
5500 Modular Crossbar 3.6 Gbps
6000 Modular Shared bus 32 Gbps
6500 with SFM Modular Crossbar 256 Gbps
6500 with Supervisor 720 Modular Crossbar 360 Gbps (720 full duplex)
4500 Modular Centralized 64 Gbps
3750 Fixed-Stackable Dual Ring 32 Gbps
Switch performance is usually measured by bandwidth = data bus * clock speed and
packet per second it can handle.

Catalyst software, Cat OS
Cat OS is a part of Crescendo when it was purchased by Cisco. It uses ‘set’ and ‘clear’
commands instead of the IOS we currently use.
‘enable password’ = ‘set password’
‘hostname’ = ‘set system name’
‘show version’ = ‘show system’
‘show controller’ = ‘show environment’
‘show run’ + ‘show start’ = ‘show config’ <- no difference.
‘telnet XXX’ = ‘session XXX’
‘vlan VID’ = ‘set vlan VID’

Cables and connectors
FastEthernet 0/1/3, 0 = slot number, 1 = port adapter, 3 = port number
Fast Ethernet
Technology Wiring Type Pairs Cable Length
100BASE-TX EIA/TIA Category 5 UTP 2 100 m
100BASE-T2 EIA/TIA Category 3, 4, 5 UTP 2 100 m
100BASE-T4 EIA/TIA Category 3, 4, 5 UTP 4 100 m
100BASE-FX Multimode fiber (MMF); 62.5-micron core, 125-micron
outer cladding (62.5/125)
1 400 m half duplex or
2000 m full duplex
Single-mode fiber (SMF) 1 10 km
When both ends don’t agree on duplex setting (A is full, and B is half), A will think it can
transmit at any time and won’t stop for any reason. However, B might transmit when A will
and cause a collision. It will back off. This causes link and poor response times.
Priority 7 6 5 4 3 2 1
Ethernet
100BASE-T2
100BASE-TX
100BASE-T2
100BASE-T4 100BASE-TX 10BASE-T
Mode
(full duplex)
(full duplex)
(half duplex)
(full duplex)
10BASE-T
Fast Ethernet can use Fast EtherChannel (FEC) feature to allow up to 8 Ethernet links to
act as a single physical link.
100Base-FX uses MT-RJ or SC connector. MT-RJ connector has a tab on top for easy
removal, like RJ-45; it uses 2 fiber-optic strands. SC connector also use 2 strands but the
connector is square in shape.
Some people only install 2 pairs of wires in the UTP 4 cable to lessen their work, but this is
not good for future development or exchange of cables.
Autonegotiation is only allowed in UTP Fast Ethernet and Gigabit Ethernet links. When only
one side is set to auto-negotiate, duplex setting can’t be detected, so the port falls back to
half-duplex state.
Fast Ethernet defaults to use full duplex
Gigabit Ethernet
Gigabit Ethernet uses somewhat different physical layer standard, called ANSI X3T11
FibreChannel, which provide a base of high-speed ASICs, optical components, and
encoding/decoding and serialization mechanism.
802.3z Wiring Type Pairs Cable length
1000BASE-CX Shielded twisted pair (STP) 1 25 m
1000BASE-T EIA/TIA Category 5 UTP 4 100 m
1000BASE-SX Multimode fiber (MMF) with 62.5-micron core; 850-nm laser 1 275 m
MMF with 50-micron core; 850-nm laser 1 550 m
1000BASE-LX/LH MMF with 62.5-micron core; 1300-nm laser
MMF with 50-micron core; 1300-nm laser
SMF with 9-micron core; 1300-nm laser
111
550 m
550 m
10 km

1000BASE-ZX SMF with 9-micron core; 1550-nm laser
SMF with 8-micron core; 1550-nm laser
11
70 km
100 km
802.3ab standard provides Gigabit Ethernet over copper, which allow falling back of 10 and
100 Mbps, and allow autonegotiation as well, of which, 1000Base-T (full-duplex) has the
most priority, followed by 1000Base-T (half-duplex).
Gigabit EtherChannel (GEC) support 2 - 8 Gigabit Ethernet link to act as a single logical
link.
Connections are made using modules, usually GBIC or SFP. GBIC support SC and RJ-45,
while SFP support MJ-RT, LC, and RJ-45. These modules can use:
- 1000Base-SX - 1000Base-LX/LH - 1000Base-ZX
- Gigastack (a row of different connector in one module) - 1000Base-T
If UTP 5 cable is used 1, 2, 3, 4, 5, 6, 7, 8 on one end connects 3, 6, 1, 7, 8, 2, 4, 5 on the
other end.
Only 1000Base-T can use 1 Gbps, where other GBIC can operate at 10/100/1000 Mbps
10 Gigabit Ethernet
10 Gigabit Ethernet (802.3ae), or 10GbE, operate only at full duplex. The physical
connectors used are defined at physical media dependent (PMD), which can be:
- LAN PHY: interconnects switches in a campus network, predominantly in core layer
- WAN PHY: interfaces with SONET and SDH in MAN
PMD Type* Fiber Medium Max Length
10GBASE-SR/SW (850 nm serial) MMF: 50 micron
MMF: 50 micron (2GHz* km modal bandwidth)
MMF: 62.5 micron
66 m
300 m
33 m
10GBASE-LR/LW (1310 nm serial) SMF: 9 micron 10 km
10GBASE-ER/EW (1550 nm serial) SMF: 9 micron 40 km
10GBASE-LX4/LW4 (1310 nm WWDM) MMF: 50 micron
MMF: 62.5 micron
SMF: 9 micron
300 m
300 m
10 km
10GBASE-CX4 Copper: CX4 with Infiniband connectors 15 m
S = short L = long E = extra-long C = copper R = LAN PHY
W = WAN PHY X = (coding) WWDM = wide-wavelength division multiplexing
Cisco Catalyst switches support 10GbE PMD in XENPAK, X2, and SFP+ transceiver.
Generally, C2 is smaller than XENPAK, with SFP+ being the smallest; allowing more port
density.
10GbE can also be used in EtherChannel, called 10GEC. For EtherChannel to form, the
same protocol/standard must be used.
Autonegotiation
Priority Ethernet Specification Type of Duplex
1 1000BASE-T Full duplex
2 1000BASE-T Half duplex
3 100BASE-T2 Full duplex

4 100BASE-TX Full duplex
5 100BASE-T2 Half duplex
6 100BASE-T4 ---
7 100BASE-TX Half duplex
8 10BASE-T Full duplex
9 10BASE-T Half duplex
10Base-T didn’t have autonegotiation as part of its standard. However, it generates a pulse
called normal link pulse (NLP) every 16 millisecond on an idle link. This means that when
the link is not busy, 10Base-T sends the signal to keep the link from down. When NLP is not
received within a specified time slot, the link is considered down.
802.3u included autonegotiation and many different functions such as Remote Fault
Indication (detect L1 error) and Next Page Function (information about negotiation process).
802.3u is capable of communicating with dissimilar standards. For instance, it uses Parallel
Detection to make the link compatible with 10Base-T and generate NLP signals. The switch
also generate FLP signal every 2 ms to match with 802.3u devices.
Gigabit Ethernet require that all IEEE 802.3z devices have autonegotiation capability.
Software control of the device can override this function by ‘set port negotiation MOD/PORT
{enable | disable}’.
GE autonegotiation for 802.3z include:
- Duplex setting (full duplex only)
- Flow control (optional, ask sender to slow down transmission by sending a frame at
0180.c200.0001 to the transmitter. Sender then places the data in buffer. Note the latency
time. Use ‘set port flowcontrol MOD/PORT’)
- Remote fault information (detect L1 error)
Verify with ‘show port capabilities’ available on CatOS
Switch Port Gigabit Autonegotiation
Setting
NIC Gigabit
Autonegotiation Setting
Switch Link/NIC Link
Enabled Enabled Up Up
Disabled Disabled Up Up
Enabled Disabled Down Up
Disabled Enabled Up Down
Recommendation: autonegotiation on end devices, other critical devices such as routers
and other switches, must be hard coded with appropriate speed and duplex.
Configuration
NIC (Speed/
Duplex)
Configuration
Switch (Speed/
Duplex)
Resulting NIC
Speed/
Duplex
Resulting
Catalyst
Speed/Duplex
Comments
AUTO AUTO 100 Mbps, Full
duplex
100 Mbps, Full
duplex
Assuming maximum capability
of Catalyst switch and NIC is
100 full duplex.
100 Mbps, Full
duplex
AUTO 100 Mbps, Full
duplex
100 Mbps, Half
duplex
Duplex mismatch.
AUTO 100 Mbps, Full
duplex
100 Mbps, Half
duplex
100 Mbps, Full
duplex
Duplex mismatch.

100 Mbps, Full
duplex
100 Mbps, Full
duplex
100 Mbps, Full
duplex
100 Mbps, Full
duplex
Correct manual configuration.
100 Mbps, Half
duplex
AUTO 100 Mbps, Half
duplex
100 Mbps, Half
duplex
Link is established, but switch
does not see any
autonegotiation information
from NIC and defaults to half
duplex.
10 Mbps, Half
duplex
AUTO 10 Mbps, Half
duplex
10 Mbps, Half
duplex
Link is established, but switch
will not see FLP and will default
to 10 Mbps half duplex.
10 Mbps, Half
duplex
100 Mbps, Half
duplex
No Link No Link Neither side will establish link
because of speed mismatch.
AUTO 100 Mbps, Half
duplex
10 Mbps, Half
duplex
10 Mbps, Half
duplex
Link is established, but NIC will
not see FLP and default to 10
Mbps half duplex.
Summary
Only media or connector meeting the standard is not enough, to be able to use a standard,
you must verify the link from end-to-end.
Ethernet Type Media Type Distance Limitations
(meters)
Speed
(megabits)
Data Encoding
10BASE-T UTP Category 3 or above 100 10 Manchester
10BASE-FX – MMF MMF 2000 10 Manchester
100BASE-TX UTP Category 5 or above 100 100 4B/5B
100BASE-FX – MMF MMF 2000 100 4B/5B
100BASE-FX – SMF SMF 10000 100 4B/5B
1000BASE-SX MMF 2000 1000 8B/10B
1000BASE-LX SMF 5000[*] 1000 8B/10B
1000BASE-T UTP Category 5 or above 100 1000 PAM 5x5

VLAN
A network with only Layer 2 device is called a flat network topology. A switch provide VLAN
connectivity at Layer 2 of OSI model. A network shouldn’t have more than 30 VLANs.
Note that since extended VLAN are not stored in vlan.dat in the Flash, they are not
supported by VTP client or server. This means you must manually delete the VLANs and
reassign the ports when moving from transparent to client or server mode.
By default, all switch port are assigned to VLAN 1, VLAN type is Ethernet, and MTU = 1500
bytes. (VLAN 1 uses default value, and they can’t be changed unless the native VLAN is
change) VLAN 1 and 1002 - 1005 are for special purposes.
Extended VLAN can be used for WAN interfaces, L3 Ethernet ports, and sub-interfaces.
VLAN can be dynamically assigned with VMPS, cisco uses applications such as CiscoWorks.
When planning for VLAN, an important factor to consider is relationship between VLAN and
IP subnet; Cisco recommends one IP subnet/VLAN.
However, it’s possible to have more than 1 IP subnet/VLAN, example, VLAN 1.
A VLAN is active (or passing traffic) by default, however, you can force it into suspension
mode, which means the entire VTP domain won’t pass any traffic (as this mode
propagated). ‘(config-vlan)#state suspend’ only applies to standard range VLANs, you can’t
force an extended VLAN to suspend. ‘Status’ is ‘suspended’ in ‘show vlan [brief]’
On the other hand, if you ‘(config-vlan)#shutdown’ or ‘(config)#shutdown vlan’ a VLAN, it
will only be shut on that switch, rather than propagating throughout the domain. The
‘Status’ is shown as ‘act/lshut' in ‘show vlan [brief]’
In CatOS, ‘#vlan database’ + ‘(vlan)#vlan 20 name A’ + ‘(vlan)#apply’ = ‘(config)#vlan
20’ + ‘(config-vlan)#name A’ + ‘(config-vlan)#exit’.
Other options include ‘(vlan)#abort’, abandoning current configuration and return to #
mode. ‘(vlan)#reset’ abandon the current configuration. You can verify with ‘(vlan)#show
{current | proposed | difference}’
Cisco Catalyst 6500 series switches support an additional feature called VLAN locking that
allows administrators to provide an extra level of verification when moving ports from one
VLAN to another. This feature, which is enabled via the vlan port provisioning global
configuration command, requires that the VLAN name, NOT number, be entered when a port
is moved from one VLAN to another via the switchport access vlan [VLAN NAME]
interface configuration command.
‘(config)#spanning-tree extend system-id’ enable extended system-ID, on by default.
‘show interface TYPE/NO switchport’ show how a switch port is configured for trunking and
its status. ‘Operational Mode’ of static access means no trunk formed.
‘show interface TYPE/NO trunk’ display brief info about an interface’s trunk status.
To form a trunk between a DTP-capable device and a DTP-incapable device, you must force
both ports to be trunk by ‘switchport mode trunk’. Any other mode will not form a trunk.

This situation occur when switch forms a link with router, or switches between different VTP
domain want to form trunk. Unless you use ‘switchport nonegotiate’, DTP is always enabled
by default.
Access Dynamic Auto Dynamic Desirable Trunk
Access
Dynamic Auto
Dynamic Desirable
Trunk
Access Access Access Access
Access Access Trunk Trunk
Access Trunk Trunk Trunk
Access Trunk Trunk Trunk
For old switches, default mode is dynamic desirable. New switches defaults to use dynamic
auto. Confirm with ‘show dtp [interface TYPE MOD/NUM]’
DTP also chooses which trunking protocol a trunk link use. ISL is favored if both are
present. DTP sends message every second OR every 30 seconds after trunk formation.
VLAN 1
VLAN 1 contains control plane traffic and user traffic. Control plane traffic such as VTP, CDP
(advertisement every 60 second), and PAgP are tagged with VLAN 1 information and
forwarded across VLAN 1 regardless it’s been pruned.
sc0 is used for management of switch such as telnet, SNMP, and syslog. Redundant links in
management VLAN eliminate the need for STP as no loop would be created. If there are
redundant links, separate physical connections only supporting management VLAN are
needed. A good design shouldn’t place user traffic on the management VLAN.
Broadcast traffic should be less than 20% of overall traffic.
Trunk design
If the links between 2 switches are not trunk, then the 2 switches need to have n links for
n VLANs it has. Trunk is supported in Fast Ethernet and Gigabit Ethernet, and corresponding
EtherChannel links.
Frames traveling trunk links are tagged, while frames traveling access links are not.
End-to-end VLANs, also called campus-wide VLANs, distribute VLAN throughout the
network. End-to-end VLAN are not recommended since broadcast traffic are carried from
one end to the other, creating possibility for broadcast storms.
All users in a VLAN follow the 80/20 rule. Although only 20 percent of the traffic in a VLAN
is expected to cross the network core, this design can allow 100% of traffic within a single
VLAN to cross the core.
Local VLAN is the opposite of end-to-end VLAN. 20% traffic is kept for local while 80% for
the outside.
Trunking protocols
Trunking protocol header is inserted at the egress switch trunk port. Tag is removed at
ingress port.

ISL is a Cisco-proprietary trunking protocol that can be used on Ethernet, Token Ring,
FDDI, and ATM frame by using a ‘Frame Type’ field. ISL is sometimes called double tagging
for the extra encapsulation. ISL frames can’t pass through non-ISL switches and require a
minimum of FastEthernet connection. Header include source MAC address of the device that
added the encapsulation.
Old ISL doesn't support untagged VLAN and extended range VLAN, new version does. Use
multicast address of 0100.0c00.0000 or 0300.0C00.0000
802.1Q, on the other hand, is referred to as single, or internal tagging; it can be used on
Ethernet or Token Ring, as indicated by CFI bit, which is also known as canonical format,
little-endian or big-endian format.
The 4-byte header is added after source address field. The first 2 bytes are used as Tag
Protocol Identifier (TPI) that is always equal to 0x8100 (indicating 802.1Q frames here).
The remaining 2 bytes are used for Tag Control Identifier (TCI). The TCI information
contains a three-bit Priority field, for CoS functions in 802.1Q/802.1p with one bit for CFI.
The last 12 bits are used as a VID to indicate the source VLAN for the frame. The VID can
have values from 0 to 4095, but VLANs 0, 1, and 4095 are reserved.
802.1Q can pass through non-trunking switches due to 802.3ac
Native VLAN is used by the switch to carry specific protocol like VTP, CDP, PAGP, DTP, etc.
Native VLAN between trunks must match (use ‘switchport trunk native vlan’ command),
CDPv2 carry native VLAN information.
For a trunk to operate, these conditions must be the same: Trunking mode, Trunking
protocol, Native VLAN, if exist, and Allowed VLAN, if configured
A VLAN may be blocked traffic due to:
1) It’s not on Allowed VLAN list. If used with VTP pruning VLANs, allowed VLAN list takes
precedence.
2) VLAN is temporarily pruned by VTP, which stops traffic where it isn’t possible
3) VLAN doesn’t exist, or is not active
4) VLAN’s STP is not in a Forwarding State
VLANs traveling across a trunk can be reduced by:
- ‘switchport trunk allowed’ permits only certain VLANs manually, default to allow all. Check
with ‘Allowed VLAN’ in ‘show int trunk’
- Only active VLANs travel across a trunk, check with ‘Allowed and active’ in ‘show int trunk’
- After VTP pruning, rest of VLANs that can travel on the trunk are included in ‘Active and
not pruned’ list in ‘show int trunk’
InterVLAN routing
InterVLAN routing can be done in:
- Physical Router interface: simple and easy to implement (router simply use ‘no shut’ and
‘ip address’ commands). Not scalable, router only has a few physical ports.
- Router sub-interface (router-on-a-stick): scalable (use ‘encapsulation [dot1q | isl] VID’ +
‘ip address’ commands, need native VLAN and trunk links). Bandwidth of a single interface
is shared, thus easy bottleneck as VLANs grow. Single point of failure.
- SVI: recommended. Scalable, redundant, easy to configure. (interface vlan [same VLAN as
that assigned to hosts] + ip address + no shutdown)

Router can configure IP address of 802.1Q native VLAN on its physical interface. This way, a
sub-interface is reduced, so is ‘encapsulation dot1q N native’
802.1Q-in-Q tunneling
Traditionally, VLANs can’t extend beyond WAN boundary and it isn’t really a good design to
do so. However, to connect to remote networks, 802.1Q-in-Q, Ethernet over MPLS
(EoMPLS), Metro Ethernet and VLAN MPLS (VMPLS) can be used to extend VLAN across
WAN links.
Port that provide the tunnel is called a tunnel port, while the customer end uses 802.1Q
trunk (and disable DTP, use ‘switchport nonegotiate dot1q’). The link is also called
asymmetric. Always configure one VLAN for each tunnel.
No Layer 3 routing or usage of IP address unless tunnel port is SVI. Can’t be configured
with PVLAN, VoIP, fallback bridging, IP ACL, ToS ACL, DTP, .
Traffic including CDP (automatically disabled), STP BPDU (automatically filtered on tunnel
port), VTP, PAgP, EtherChannel, loopback detection and UDLD can pass transparently over
Q-in-Q tunnel.
Frame traffic from these protocols changes its destination MAC address when entering
service provider switch to 0100.0CCD.CDD0, then back to the original MAC address when
the frame is about to enter the client network. If, on the tunnel port, a frame with that
multicast MAC address is received, it’s shut down to prevent loops.
This tunnel is known as Layer 2 protocol tunnel. By default, it’s not created to transport
CDP, STP and VTP and all CoS value = 5. There is no default shutdown threshold. This
tunnel can’t be created unless both customer and service provider are access ports.
The basic idea of a Q-in-Q or Layer 2 protocol tunnel is that by encapsulating the original
802.1Q frame with another 802.1Q tag (when the frame enters the switch), the switch
strips it off during processing and add it before the frame leaves the switch.
On the switch between service provider and the customer, the switch strips the header
upon incoming frame but don’t add it back when the frame leaves the switch. This way, the
outer tag is transparent to the customer network.
Frames from customer network are tagged regardless it’s already tagged or not.
When serving different customer occupying the same range of VLAN, they will not get
mixed up because the outer tag (customer’s native VLAN assigned by service provider) is
different.
Also note that the service provider don’t have to use the same trunking protocol as the
client, or not trunking at all.
When the native VLAN (from the tunnel port) is untagged, it may get mixed with other
untagged native VLAN from other customers. If the outer tag have the same VLAN ID as the
inner tag, the outer tag is not applied. Solution:
- Use ISL on service provider network
- Tag all native VLANs frames using ‘(config)#vlan dot1q tag native’
- Ensure that native VLAN ID on the edge switch trunk port isn’t within the customer VLAN
range.
You can increase the system MTU due to the extra tag using ‘(config)#system mtu'

When 802.1Q trunks are used in these core switches, the native VLANs of the 802.1Q
trunks must not match any native VLAN of the nontrunking (tunneling) port on the same
switch because traffic on the native VLAN would not be tagged on the 802.1Q transmitting
trunk port.
PPPoE
PPP is widely used for dial up connection for PtP links. It was designed to work with serial
connections, but it can be encapsulated to work over Ethernet (PPPoE) or ATM (PPPoA).
PPP uses LCP to determine if a link can be established, if so, create a session between a PC
and ISP. LCP packets include fields to make that decision.
PPPoE provide support for DSL, but not for Frame Relay, or other LAN interfaces. PPPoE
use the standard method for encryption, authentication and compression used by PPP.
PPPoE create a virtual point-to-point connection between 2 Ethernet ports using special
software. PPPoE discovery:
1. Initiation: client software send PPPoE active discovery initiation (PADI) to the server to
initiate a connection.
2. Offer: if server accept, it responds with PPPoE active discovery offer (PADO)
3. Request: client send PPPoE active discovery request (PADR) packet to the server
4. Confirmation: server send a PPPoE active discovery session (PADS) packet that includes a
unique ID for the session.
PPPoE works with DHCP to manage the address pool when session is generated/ended.
PPPoE sample configuration:
EdgeRouter(config)# interface fa0/1
EdgeRouter(config-if)# ip address 192.168.100.1 255.255.255.0
EdgeRouter(config-if)# ip nat inside
EdgeRouter(config-if)# pppoe-client dial-pool-number 1
EdgeRouter(config-if)# exit
EdgeRouter(config)# interface dialer1
EdgeRouter(config-if)# mtu 1492
EdgeRouter(config-if)# encapsulation ppp
EdgeRouter(config-if)# ip address negotiated
EdgeRouter(config-if)# ppp authentication chap
EdgeRouter(config-if)# ip nat outside
EdgeRouter(config-if)# dialer pool 1
EdgeRouter(config-if)# dialer-group 1
EdgeRouter(config-if)# exit
EdgeRouter(config)# dialer-list 1 protocol ip permit
EdgeRouter(config)# ip nat inside source list 1 interface dialier1 overload
EdgeRouter(config)# access-list 1 permit 192.168.100.0 0.0.0.255
EdgeRouter(config)# ip route 0.0.0.0 0.0.0.0 dialer1

VTP
VTP messages are send as multicast frames at 0100-0CCC-CCCC, SNAP = AA and type =
0x2003. To clear the configuration version number (to ensure no wipeouts), perform the
following for any new switches introduced regardless of VTP mode.
- Change VTP mode to transparent (transparent mode always have revision number of 0)
then to server
- Change the VTP domain to another name, then back to the current name
Synchronization problem can occur when: 1) link to network using trunk links, 2) new
switch has same VTP domain, 3) higher revision number, or 4) same password.
VTP has 3 versions: v1 (default) doesn’t send all necessary updates, v2 is used in switches
with using IOS operating system, and v3 is used in switches using CatOS. VTP v3 allow
extended VLAN to be used and advertised but the version is not available in all IOS Catalyst
switches.
Version 1 and 2 are incompatible. Version 2 offers the following enhancement:
- Support Token Ring
- Perform consistency check on VTP and VLAN parameter to prevent error. No consistency
checks on VTP messages from trunk links, configuration, or database read from NVRAM.
- Switches in VTP version 1 don’t relay VTP information to other switches unless the domain
name, and version number match (support multiple domains). For version 2, the update
can be relayed even though the domain or version may not be the same (support single
domain). This also reduce CPU cycles
- Support advertisement of unrecognized TLV messages. Propagate the message and keep a
copy in NVRAM
Switches can start using VTP version 2 if a VTP message with a higher revision number
shows up.
VTP pruning allow efficient bandwidth usage by forward frame (for a VLAN) over a trunk
link only if the receiving switch has ports in that VLAN. VTP pruning uses join messages to
decide whether to forward. This feature is present in both V1 and V2, and is off by default.
‘vtp pruning’ has no effect on transparent switches because it can only prune VLANs from
2 to 1001 by default. Pruning in transparent mode must use ‘switchport trunk pruning vlan’
command. The command specify which VLANs can be pruned.
Verify with ‘show interface TYPE MOD/NUM switchport’
If a switch has no domain name, it will accept the domain that is being propagated to it
first. This means if there are 2 VTP domain, the first VTP update to reach that non-domain
switch will become the VTP domain that that switch. This is dynamic VTP.
VTP can only propagate information for up to 1024 VLANs (use 15 bits); this is why
extended VLANs are not advertised in the VTP domain.
VTP update advertisement
VTP updates VLAN information using 3 kinds of updates, generated by VTP client/server:
Advertisement request: request VTP information (summary + subset advertisement) by VTP
client. This happens when 1) a switch is reset, 2) VTP domain name change (which reset
revision number to 0), or 3) received a summary advertisement of higher revision number.

- The management domain length field is used to specify the length of the VTP management
domain, while the management domain name field specifies the actual name of the VTP
management domain.
- The starting advertisement field, or start byte, as it is sometimes referred to, contains the
starting VLAN ID of the first VLAN for which information is requested.
Type field = 1 <==> summary advertisement
Type field = 2 <==> subset advertisement
Type field = 3 <==> advertisement request
Summary advertisement: when vlan.dat changes. Updates every 5 min by client and Ser.
- The followers field indicates a following VTP Subset Advertisement packet.
- The updater identity field contains the IP address of the switch that is the last to have
incremented the configuration revision number.
- The update timestamp field shows the date and time of the last increment of the
configuration revision number.

Subset advertisement: after summary advertisement for a topology change or
advertisement request. Contain VLAN database information for a specific revision number.
This include VLAN status, VLAN type, MTU, VLAN name and number, SAID value.
Sequence number (like that in TCP) contain sequence of the packet in the stream of
packets that follow a summary advertisement; start with 1.
Lower VLANs occur before higher ones. Here is the VLAN information field, with 802.10
SAID indicate some security mechanism for Layer 2.

VTP version 3
VTP version 3 is the third version of the VLAN trunk protocol. This version of VTP enhances
its initial functions well beyond the handling of VLANs. VTP version 3 adds a number of
enhancements to VTP version 1 and VTP version 2, which include the following:
■ Support for a structured and secure VLAN environment (Private VLAN, or PVLAN)
■ Support for up to 4000 VLANs
■ Feature enhancement beyond support for a single database or VTP instance
■ Protection from unintended database overrides during insertion of new switches
■ Option of clear text or hidden password protection
■ Configuration option on a per-port basis instead of only a global scheme
■ Optimized resource handling and more efficient transfer of information
VTP version 3 differs from VTP versions 1 and 2 in that it distributes a list of opaque
databases over an administrative domain in situations where VTP version 1 and VTP version
2 interacted with the VLAN process directly. By offering a reliable and efficient transport
mechanism for a database, usability can be expanded from just serving the VLAN
environment.
VTP version 3 uses the same concept of domains as those used in VTP versions 1 and 2,
where only devices belonging to the same VTP domain are able to exchange and process
VTP information. However, unlike versions 1 and 2, which allow a new switch with the
default domain name to configure itself with the domain name in the first received VTP
message, VTP version 3 requires that the domain name be explicitly configured on each
switch. This means that the VTP domain name must be configured before VTP version 3 can
be enabled.
In addition to the traditional VTP roles of sever, client, and transparent, VTP version 3
supports an additional switch role called ‘off.' This mode is similar to transparent mode;
however, unlike a transparent mode switch that relays any received VTP messages, a switch
in off mode simply terminates the received messages and does not relay or forward them.
With VTP version 3, off mode can be configured globally or on a per-port basis. Turning VTP
to off allows a VTP domain to connect to devices in a different administrative domain.
Miscellaneous
• A VTP domain should have at least 1 VTP server. Cisco recommends 2 for redundancy.
• Errors can be found in ‘show vtp counters’ command along with statistic information.
• ‘show vtp status’ -> ‘VTP version: 2’ means this switch is version 2-capable.
• ‘vtp filename’ allow you to specify where to store VLAN information. By default, this is in
vlan.dat in Flash.
• ‘vtp interface TYPE MOD/NUM [only]’ command is used to specify the name of the
interface providing VTP ID. ‘only’ allow a singles IP address to be the VTP ID. Confirm at
‘show vtp status’
• You can debug with ‘debug sw-vlan vtp {events | packets | pruning | xmit}’
• CatOS support ‘off’ mode, which means a switch doesn’t participate in VTP.
• When using VTP with CatOS, avoid using VLAN 1006 to 1024
• VTP information is stored in vlan.dat in Flash for client and server. Transparent mode
store normal-range VLAN in vlan.dat and running-config (NVRAM), while extended range
VLAN are stored in NVRAM only.

EtherChannel
Port channel is name of the bundled logical interface while EtherChannel is the name of the
technology. EtherChannel prevent bridging loops and increase bandwidth by making itself a
single logical link. Note that traffic from a particular source MAC address (or whatever the
load-balance criteria is) always go through the same physical link, whether or not this is a
unicast, multicast, or broadcast frame.
These links can be used on any type of device as long as number of ports are sufficient.
All bundled ports must be in the same configuration such as VLAN, speed, duplex setting,
trunk status, and VTP setting. EtherChannel was primarily designed to operate on ISL.
EtherChannel can have different STP path cost.
Interface configuration applies to the interface on which it’s configured while port channel
configuration applies to the entire EtherChannel. Because, after the formation of
EtherChannel, a change to individual interface will be affected on every other interface, if
the port channel configuration and interface configuration mismatch, the latter configured
command is used.
EtherChannel can be dynamically established by using either PAgP (multicast 01-00-0C-CC-CC-
CC, Ethertype 0x0104), or port aggregation protocol (Cisco-proprietary) or LACP
(multicast 01-80-C2-00-00-02, Ethertype 0x8809), or link aggregation control protocol.
PAgP LACP Negotiation Packets Sent? Characteristics
On On No No All ports channeling
Auto Passive Yes No Waits to channel until asked; no Etherchannel if both
device use this mode. Slowly transition using STP.
Desirable Active Yes Yes Actively asks to form a channel
PAgP and LACP are incompatible.
PAgP
Neighbors are identified by neighbor ID and port group capability are learned to form
EtherChannel; different device, different device ID.
If any of the port setting is changed on one port, to keep the link active, all ports will
change to that setting to keep EtherChannel operating.
Default mode is ‘Auto’. Auto mode will negotiate with another PAgP port only if the port
receives a PAgP packet. This port will not actively send a PAgP packet.
Switches running PAgP can be physical learners or aggregate learners.
Physical learners are switches that learn MAC address using the physical port. The port of
a MAC address would be the name of the physical interface, such as F0/1. It will send
packet to the neighboring switch using the EtherChannel from which it learned the source
address. You should set the method to destination-based distribution.
Aggregate learners are switches that learn MAC address based on the logical port of
EtherChannel. The port would be something like PortChannel 1. Default on current Cisco
switches.
PAgP can’t detect learner type, while this must be the same for connection to establish,
you must manually adjust to make sure both switches are using the same learner type.
Management traffic are distributed over all physical interfaces, while PAgP PDU will only
send/receive on interfaces that are up and have PAgP in auto/desirable mode. If the port

channel is trunked, PAgP PDUs are transferred on VLAN with lowest VID or from port that
first come up.
You can verify this with ‘show pagp [CHANNEL_NO] neighbor’ or ‘show etherchannel
summary’. Port forwarding PDU traffic is marked as ‘Pd’
More to know: Cisco Virtual Switching System (VSS) is comprised of two physical Catalyst
6500 series switches acting as a single logical switch. In the VSS, one switch is selected as
the active switch while the other is selected as the standby switch. The two switches are
connected together via an EtherChannel, which allows for the sending and receiving of
control packets between them.
Access switches are connected to the VSS using Multichassis EtherChannel (MEC). An MEC is
simply an EtherChannel that spans the two physical Catalyst 6500 switches but terminates
to the single logical VSS. Enhanced PAgP (PAgP+) can be used to allow the Catalyst 6500
switches to communicate via the MEC in the event that the EtherChannel between them
fails, which would result in both switches assuming the active role (dual active), effectively
affecting forwarding of traffic within the switched network.
LACP, 802.3ad
One of the difference is that LACP can automatically create port channels by exchanging
LACP packets between ports. It gathers data about link capability and inform other ports.
Once done, it can match the links to become port channel.
LACP require all links to be full-duplex, half-duplex links are suspended (PAgP allow this).
LACP is a Layer 2, MAC-sublayer protocol.
A port using SPAN will be removed from EtherChannel group.
Links with different STP cost can be used to form EtherChannel.
LACP is composed of collector, distributor, LACP agent, and marker and marker response.
The collector assembles frames from physical link, they can parse marker to it then pass it
to LACP agent, which can also parse a marker.
Distributor transmits outgoing frames. It’s responsible fore distribution algorithm. Higher-layer
agents, such as LACP agent, instruct the redistribution in the marker packet. The
recipient agent will reply (instruct the distributor to create the marker response) with
marker response packet after successful transmission.
Passive mode will negotiate with another LACP port only if the port receives a LACP packet.
This port will not actively send a LACP packet. The port channel group attaches interface to
EtherChannel bundle. Default mode is passive
Note that if you convert a PAgP EtherChannel to LACP will cause all existing EtherChannel
to reset to default channel mode for new protocol.
After LACP PDUs are exchanged, the switches come to an agreement about each other’s
settings and decide whether the links can become an aggregation by:
- LACP System Priority: default to 32768. Used along with device MAC address to form
system ID. Configure with ‘(config)#lacp system-priority [1-65535]’ and ‘show lacp sys-id’.
Device with lower priority gets to decide which link are active and which are standby.
- LACP Port Priority: Decide whether link is active or standby. The lower, the better. If tied,
lower MAC address win. Port priority + port number = port identifier. By default, maximum
allowed is 16, 8 active and 8 standby. Use ‘(config-if)#lacp port-priority [1-65535]’ and
‘show lacp NO internal’
- LACP Administrative Key: automatically. Same administrative key, same port channel
group.

LACP allow redundancy by:
- HRSP: by default, 8 active links are allowed and minimum of 2 is needed. To change, use
‘(config-if)#lacp max-bundle NO’ and ‘(config-if)#port-channel min-links NO’ command.
- LACP 1:1 redundancy: this feature allow an active link to load its traffic to a standby link
when it fails, and regain the load after it comes back.
Configuration
All Cisco IOS model currently support both PAgP and LACP. You can tell the router to use
this protocol only with this/these interfaces by (config-if)#channel-protocol [pagp | lacp].
Assign the interface with ‘(config-if)#channel-group NUM mode {active | on | {auto [non-silent]}
| {desirable [non-silent]} | passive}. ‘on’, ‘auto [non-silent]’, and ‘desirable [non-silent]’
are use for PAgP, while, ‘on’, ‘passive’, and ‘active’ is used for LACP. The NUM must
be between 1 and 64.
By default, PAgP is in silent submode with desirable and auto modes, this is intended to
form EtherChannel with devices that are not EtherChannel-capable, such a file-server or
packet analyzer. No PAgP frames are required to form the connection.
If the other end of the connection is PAgP or LACP capable, then you can add the ‘non-silent’
keyword, telling the switch that you expect such a frame for the connection of the
link. If no such frames is heard on the active port, the port remains in the up state, but STP
will shut the port down.
Note that if both devices are using auto silent mode, it would take about 15 seconds for
the connection to establish, and 45 to 50 seconds if both using auto non-silent (30 seconds
come from STP).
If you would like to assign an IP address, you MUST assign it to ‘port-channel’ interface.
Display Function Command Syntax
Current EtherChannel status of each member port show etherchannel summary
show etherchannel port
Time stamps of EtherChannel changes show etherchannel port-channel
Detailed status about each EtherChannel component show etherchannel detail
Load-balancing hashing algorithm show etherchannel load-balance
Load-balancing port index used by hashing algorithm show etherchannel port-channel
EtherChannel neighbors on each port show {pagp | lacp} neighbor
When troubleshooting EtherChannel, check
- Mismatched port configuration: configuration of all ports involved in an EtherChannel must
be identical, any mismatch can cause problem
- Mismatched Etherchannel configuration: caused by using different negotiation protocol,
there are PAgP and LACP
- Inappropriate EtherChannel distribution algorithm: bad choice can cause some link to be
overloaded while others empty.

Algorithm
Due to the different load-balancing algorithm, the switch may provide different load to
different links, thus, each link may not have the same work load. When links fail or restore,
balance can be re-achieved very fast and transparent to the user.
Load-balancing in EtherChannel is performed by a hashing algorithm that chooses the
source/destination IP/MAC address, and/or UDP/TCP port information to calculate route to
take.
Depending on the criteria the algorithm chooses to use, for instance, source and
destination IP address, the last 1 bit is XORed if you have a 2-link EtherChannel, the last 2
bits are XORed to calculate a 4-link EtherChannel, and the last 3 bits are XORed for load
balance over 8-link EtherChannel. If a single criteria is used, such as the source MAC
address, only the last 1, 2, or 3 bits will be used.
By default, Catalyst 2970 and 3560 uses source MAC address as the criteria, but if Layer 3
switching is performed, source and destination IP address will be used by default. Here are
the list of options following ‘(config)#port-channel load-balance’ command:
Port-channel load-balance Hash Input Hash Operation Switch Model
src-ip Source IP address bits All models
dst-ip Destination IP address bits All models
src-dst-ip Source and destination IP address XOR All models
src-mac Source MAC address bits All models
dst-mac Destination MAC address bits All models
src-dst-mac Source and destination MAC XOR All models
src-port Source port number bits 6500, 4500
dst-port Destination port number bits 6500, 4500
src-dst-port Source and destination port XOR 6500, 4500
To show the statistics of the load balance, use ‘show etherchannel port-channel’ or ‘show
etherchannel load-balance’ command.
EtherChannel guard is a Cisco feature designed to detect EtherChannel misconfiguration. If
a misconfiguration is detected, EtherChannel place the switch interface in Errdisabled state
and print an error message on the console.
By default, this feature is enabled by default and can be disabled by ‘(config)#spanning-tree
EtherChannel guard misconfig’

STP
Spanning-tree protocol is enabled on all Catalyst switches by default. The algorithm
chooses a reference point (which is the root bridge) in the network and calculate all possible
paths to the reference point. If redundant paths are found, some of them are blocked to
prevent loop. When the current active path fails, the redundant links are re-activated.
STP is based on:
- All links are bidirectional and can both send and receive BPDUs
- Every switch is able to regularly receive, process, and send BPDUs
If a port fails, it can’t be calculated/participate in STP
802.1d also describes transparent bridging, which is the segmentation of networking into 2
or more collision domain, thus causing less collisions. The process of transparent bridging
contains 5 steps:
- Learning
- Flooding
- Filtering occurs when devices on the same collision of the bridge try to communicate with
each other
- Forwarding
- Aging ensure system only track active devices as a timer keeps note of which device is
active
Type of BDPU
BPDU has source address of the propagating switch and destination address of multicast
01-80-C2-00-00-00. There are 2 types of BPDU,
- Configuration BPDU, are exchanged to elect the root bridge. The election is ongoing and
depend on the BID, which is composed of Bridge priority and MAC address, lower one
wins. STP recalculation only occur when Root Bridge changes
Field Description Protoco
l ID = 0
Versio
n = 0
BPDU type =
0x0
Flags Root Bridge
BID
Cost to Root
Bridge (root port)
No. Of Bytes 2 1 1 1 8 4
Field Description Sender
BID
Port ID Message Age
(in 256ths of
a second)
Maximum Age
(in 256ths of a
second)
Hello Time (in
256ths of a
second)
Forward Delay (in
256ths of a
second)
No. Of Bytes 8 2 2 2 2 2
By default, no non-root bridge can distribute BPDU. However, a special case can happen in
UplinkFast.
The flags include TC (bit 0, LSB) and TCA (bit 7, MSB) bits, if TC is set, this is a
configuration BPDU in response to a topology change BPDU. If TCA bit is set, this is a
configuration BPDU to acknowledge the receipt of topology change BPDU. TCA BPDU is send
for every TC BPDU.
TC configuration BPDU is re-generated for every switch it passes, and TCA configuration
BPDU is replied by every other switch.
Note: BPDU type = 0 for configuration BPDU, BPDU type = 80 for TCN BPDU

- Topology Change Notification (TCN) BPDU, is for announcing changes in topology, when 1)
port move into forward state (has one designated port), or 2) Forward/learning ->
blocking state.
If PortFast is enabled at a port, STP is disabled.
TCN BPDU doesn’t carry data about the change but informs recipients that a change has
occurred. This BPDU is sent from the switch (Root Port) where change take place. Then, the
Root Bridge sends TCN BPDU for a period of (Forward Delay + Max Age =) 35 seconds,
when switches receive this BPDU, it will flush CAM entries inactive for 15 seconds instead of
300 seconds (default). This message include:
Field Description Protocol ID = 0 Version = 0 BPDU type = 0x80
No. Of bytes 2 1 1
All switches have a locally configured Hello Time to time TCN BPDU when they are
retransmitted. To change the timer, apply the change on the root bridge; not recommended.
It’s better to adjust the diameter of the network, which is, by default, 7 (including root
bridge) switches from root bridge outward.
Port costs
Path cost refers to the cumulative cost to a switch. Root path cost refers to the cumulative
cost needed to reach the root bridge. The cost is incremented at the ingress port. There are
2 sets of standards for 802.1D.
Link Bandwidth 4 Mbps 10 Mbps 16 Mbps 45 Mbps 100 Mbps 155 Mbps 622 Mbps 1 Gbps 10 Gbps
Old STP cost 250 100 63 22 10 6 2 1 0
New STP cost 250 100 62 39 19 14 6 4 2
Every switch always has a copy of the best BPDU. If a better cost comes up, the switch will
choose that as the new path cost.
The above standard uses 16-bit port cost value that can be manually assigned, only used
for ports that haven't been specifically configured for port cost.
802.1t standard uses 32-bit port cost = 200,000,000 / bandwidth (in Mbps). You can
configure to use this with ‘(config)#spanning-tree pathcost method {long | short}’.
Remember that lower cost are preferred and by default, 802.1d port cost is used.
A switch has only 1 designated port/segment and 1 root port/non-root bridge. 2 links to
the same segment will cause one to become blocked (unless EtherChannel is implemented),
the blocked port is elected by:
‣ Highest root bridge BID (priority + MAC address)
‣ Highest root path cost (to root bridge)
‣ Highest sender BID (priority + MAC address)
‣ Highest sender port ID (port priority + port number)
Note: EtherChannel ports has, by default, a high port ID, therefore, likely to be elected
blocked.
Port states
When a port first initializes, it’s in blocking state. Use ‘show spanning-tree interface [TYPE
MOD/NUM] [detail]’, and ‘debug spanning-tree state’ commands to verify the state.
STP State The Port Can... The Port Cannot... Duration
Disabled N/A Send or receive data N/A

Blocking Receive BPDUs Send or receive data or
learn MAC addresses
Indefinite if loop has been
detected
Listening Send and receive BPDUs Send or receive data or
learn MAC addresses
Forward Delay timer (15
seconds)
Learning Send and receive BPDUs and learn
MAC addresses
Send or receive data Forward Delay timer (15
seconds)
Forwarding Send and receive BPDUs, learn MAC
addresses, send and receive data
Indefinite as long as port is
up and loop is not detected
Note: only ports connect to other switches or bridges are considered STP ports
A port moves from blocking to listening if the port thinks it can become forwarding.
Types of STP
Here are some different types of STP:
Type of STP Function
CST 1 instance of STP for all VLANs, election on the native VLAN; 802.1Q-based
PVST 1 instance of STP per VLAN; Cisco ISL-based
PVST+ Provides interoperability between CST and PVST; operates over both 802.1Q and ISL
PVST+ can directly communicate with PVST using ISL trunks.
BPDUs are sends as untagged frame over the native VLAN PVST+ to communicate with
CST. Other types of STP can communicate with CST by tunneling through CST switches. CST
switches can pass on BPDUs they don’t understand, so the frames safely reach its
destination.
STP configuration
General
You can enable or disable an instance of spanning-tree by ‘(config)#spanning-tree vlan
VID’ for VLAN VID. To ensure a good STP design, the root bridge should be set in a pre-determined
fashion. A secondary switch should also be set up in case of failure.
The root bridge should be placed in the center of the network
Non-root bridge is known as Designated switch, which contain the Designated port of a
particular LAN segment.
To manually set a switch as the root bridge, either change the priority with
‘(config)#spanning-tree vlan VID priority PRI’ or use ‘(config)#spanning-tree vlan VID [root
{primary | secondary}] [diameter VAL]. Diameter range from 1 to 7.
The macro is a series of commands that make the switch favorable. It can’t work when the
current root bridge has priority that isn’t a multiple of 4096, but you can manually set the
priority to 0. This command only work once, because it won’t guard the configuration.
Secondary root has priority 20480 + root priority.
A switch usually has 1024 addresses to allocate for STP, one for each VLAN. After 802.1t
(extended system ID and default port cost) is introduced, only one MAC address is needed
for STP. When using 802.1t, BID = priority (in multiple of 4096) + VID + MAC address.
802.1t is enabled by default on most switches and is used for both standard and extended
VLAN. It can be enabled by ‘(config)#spanning-tree system-id’.

You can also manually change the cost of a path reaching the root bridge (for all VLANs or
for one VLAN) by ‘(config)#spanning-tree [vlan VID] cost VAL’ command. Display the cost of
a specific interface by ‘show spanning-tree interface TYPE/NO cost’. Only recommended to
change on the Root Bridge to prevent suboptimal switching.
Timers
To modify the timers, use ‘(config)#spanning-tree [vlan VID] [hello-time | forward-time |
max-age] SEC’ command. Hello time range from 1 to 10, forward delay range form 4 to 30,
and max-age range from 6 to 40 seconds.
If the timers of a non-root-bridge switch differ from the root bridge, it will change its timer
to match that of the root bridge.
Max Age timer must be the same for all BPDUs in the domain.
Message age timer display the age of the root bridge BPDU; increment by 1 for each
switch it passed through. BPDU from root bridge have message age = 0. Message age timer
can be used to determine:
- How far away is the Root Bridge
- The time before received BPDU is aged out.
- Aging time = Max Age - Message Age
Port ID
A port ID consist of port priority (8 bits) and port number (8 bits). The priority range from
0 to 240 (in increment of 16) and default to 128, and port number can be found as the last
number of the slash, but it’s not always this way.
Port ID for Port Channel is always higher than un-bundled ports; Po port are shared port.
All physical links will still participate in STP.
You can find the port ID at ‘show span int TYPE/NO [detail]’ under ‘Prio.Nbr’ section, where
PPP.NNN means port_priority.port_number. The priority can be changed by ‘(config-if)#
spanning-tree [vlan VID] port-priority PRI’
There are 2 types of port ID format, 802.1D and 802.1t:
- D: 8 bit of port priority + 8 bit of port number
- T: 4 bit of port priority + 12 bit of port number
PortFast and UplinkFast
Enable PortFast globally by ‘(config)#spanning-tree portfast default’ or portly by ‘(config-if)#
spanning-tree portfast’ to change to Forward state immediately. Having PortFast doesn’t
mean STP is disabled, the process will still take 20 seconds instead of 50.
PortFast stops the port from sending TCN BPDU and can be enabled at trunk ports with
‘(config-if)#spanning-tree portfast trunk’. Verify at ‘show spanning-tree summary’
UplinkFast is used when you have multiple paths (from the Access switch) to the
distribution layer. Failure of one would cause the other link (called alternate port) to transit
into Forwarding state in 1 to 3 seconds. This feature works on all VLANs for this switch.
This feature is not allowed for the Root Bridge, and change the priority to 49,152 and
increase port cost by 3000 to prevent this switch from becoming Root Bridge.
Enabled with ‘(config)#spanning-tree uplinkfast [max-update-rate PKT_PER_SEC]’. Verify
with ‘show spanning-tree [uplinkfast]’
As this feature may cause potential loop, the access switch floods dummy frames with
source MAC address in its CAM table (so other switches update their CAM table to hear the
latest news). The frames are send to 01-00-0C-CD-CD-CD so other switches can learn these

address. By default, these frames are send at 150 packets/second (or pps), but you can
change them with ‘max-update-rate’ parameter. The range is 0 - 65,535, with 0 means no
dummy frames sent.
BackboneFast
BackboneFast provide fast failover for indirect link failure. For instance, you have S1 as
Root Bridge, S2 and S3 are both connected to S1 and to each other. When link between S1
and S2 fails, S2 think it’s the Root Bridge and send out BPDU to S3.
S3 will ignore the BPDU (the link between S2 and S3 is inactive cuz one port is in Blocking)
until Max Age timer (of BPDU from Root Bridge) expires. S3’s Root Port is now in Listening
state and send out BPDU (from Root Bridge) to S2. S2 stops thinking its the Root Bridge
once it hears the better BPDU. This leaves S2 at least 50 seconds of no connectivity.
BackboneFast only works if a bridge detects a direct link failure. The purpose of this
feature is to reduce the Max Age timer as much as possible, thus, reducing STP process by
as much as 20 seconds.
BackboneFast send out a RLQ PDU request (Root Link Query + PDU) to all not-designated
port (Root Port + Blocking port) except the port where inferior BPDU is received. Switches
receiving this message will reply with RLQ response to indicate it’s alive. If such a reply is
received from the Root Bridge (from the Root Port), then S3 send Root Bridge’s BPDU to S2
(and move the port connect to S2 to Forwarding). If no such reply is received from Root
Port, then STP converges because Root Bridge can’t be heard.
If the inferior BPDU arrives on the Root Port and there are no Blocked ports, the switch will
assume it has lost connectivity with the Root Bridge. Unless it hears a better BPDU, it will
assume itself as the Root Bridge.
Note: RLQ PDU requests are send out S3’s Root Port, while RLQ PDU responses are send
back from Designated port. If there is another switch between S3 and S1, and that switch
has confirmed connectivity (Hello BPDUs) to S1, that switch will forward the response back
to S3 without passing it to S1. If there isn’t confirmed connectivity, that switch will relay the
frame to S1.
Note: RLQ PDU has same format as configuration BPDU but different SNAP address.
BackboneFast can be configured on every switch regardless of design consideration.
BackboneFast is not available on 802.1D but PVST+.
Configure with ‘(config)#spanning-tree backbonefast’, verify ‘show spanning-tree
summary’ or ‘show spanning-tree backbonefast’
Verification
Here is a list of show commands
Task Command Syntax
View all possible STP parameters for all VLANs.
# show spanning-tree
Port information is summarized.
View all possible STP information for all VLANs.
Port information is very detailed.
# show spanning-tree detail
View the total number of switch ports currently in
each of the STP states.
# show spanning-tree [vlan vlan-id] summary
Find the root bridge ID, the root port, and the root
path cost.
# show spanning-tree [vlan vlan-id] root

Show BID and STP timers for each VLAN of the
local switch.
# show spanning-tree [vlan vlan-id] bridge
Show the STP activity on a specific interface. # show spanning-tree interface type port
Show the STP UplinkFast status. # show spanning-tree uplinkfast
Show the STP BackboneFast status. # show spanning-tree backbonefast
Additional features
Root Guard
Root Guard prevent a Designated port from becoming a Root port (prevent change of Root
Bridge). This feature is enabled on a port (whose switch doesn’t have to be the root bridge)
so that a better configuration BPDU will put the port into a root-inconsistent state, which the
port can only forward BPDU. It can’t received BPDU and can’t send/receive data for any
VLANs. Once superior BPDU are no longer received, the port cycles through normal STP
state.
This feature should be enabled on all switches in a domain. It’s configured by ‘(config-if)#
spanning-tree guard root’. Verify with ‘show spanning-tree inconsistentports’ command
for error but only show with ‘show run’.
Can’t be used with BPDU Guard or Loop Guard.
BPDU Guard
Even when PortFast is enabled on a port, STP is disabled, but still can detect loop during
the first 50 seconds or so.
BPDU Guard is used to protect the PortFast port by putting the port into errdisable state
anytime a BPDU is received. The port remains in that state unless 1) ‘shut’ then ‘no shut’, or
2) ‘errdisable recovery cause bpduguard’ after 300 seconds (validate with ‘show errdisable
recovery’ and change timer with ‘(config)#errdisable recovery interval TIME’).
When the port times out, it returns to forwarding state through normal STP cycle.
By default, BPDU Guard is disabled, to enable it globally, use ‘(config)#spanning-tree
portfast bpduguard default’ or per-port with ‘(config-if)#spanning-tree bpduguard enable’.
BPDU Guard should be enabled on ports with PortFast on. Note that on the switch where
BPDU Guard is enabled, BPDU can be send out, but not received.
Ports connect to hubs should have BPDU Guard on as it may repeat BPDU from another
switch. You should not enable BPDU guard on any switch uplink.
BPDU Filter
If BPDU filter is enabled, the switch port can’t send or receive BPDU. It’s enabled with
‘(config)#spanning-tree portfast bpdufilter default’ or ‘(config-if)#spanning-tree bpdufilter
{enable | disable}’ command. It doesn’t put such a port in Errdisabled state, but it disables
STP on that port (in disabled state), validate with ‘show spanning-tree summary’.
Loop Guard
Loop Guard checks Root Ports and Blocked Ports (all non-designated ports), to ensure they
receive BPDU. A port can be brought up (from blocked state) because BPDU is no longer
detected (possibly unidirectional), which will cycle through STP state once Max Age timer for
the current BPDU expires. This would result in a loop.
Loop guard continuously monitor non-designated ports’ BPDU, if they go missing, the port
is placed into loop-inconsistent state. When BPDUs are received again, the Loop Guard

move through normal states. Loop Guard disable ports on a per-VLAN basis. Loop Guard
should
- Can’t be enabled on the same port as Root Guard
- Not affect UplinkFast or BackboneFast
- Be enabled on PtP (full-duplex) links only
- Not be affected by STP timer
- Can’t detect unidirectional link (best implemented with UDLD)
- Not be enabled on PortFast or Dynamic VLAN ports.
By default, Loop Guard is disabled. To enable it, use either ‘(config)#spanning-tree
loopguard default’ or ‘(Config-if)#spanning-tree guard loop’. Loop guard can be enabled on
any port without design consideration because it will only monitor the non-designated ports.
UDLD
All our cables are bidirectional, meaning we can both send/receive data. However,
sometimes, the link may become unidirectional, or it can only send data or received data.
This may cause the device on the other end to think its neighbor is no longer present and
chooses to open up the blocking port; this can easily cause a loop to form.
Unidirectional Link Detection (UDLD) solves this problem by monitor a port to see if it’s
truly unidirectional (if packets are being received on one side only).
A UDLD protocol packet (contain this device’s and neighbor’s port ID) is send to neighbor
switch every 15 seconds (to 01-00-0C-CC-CC-CC), which neighbor should echo back, along
with its acknowledgement (if not, the port is shut down). Link status can be determined
after 3 messages. This takes 45 seconds, or before STP moves another link to forwarding
state. Here are the fields contains in UDLD frame:
Field Description
Device ID This field contains the MAC address of the sending device.
Port ID This field contains the module and port number of the sending device.
Echo This field contains the module and port pair known by the sending device.
Message Interval This field contains the transmit interval of the sending device.
Timeout Interval This field contains the timeout interval of the sending device.
Device Name This field contains the CDP Device ID string of the sending device.
Sequence Number This field contains the number used to validate discovery packets.
Reserved These fields are reserved for future use.
Both ends must be configured for UDLD, this means on a link, there are 2 UDLD processes
running simultaneously and independently. UDLD can be enabled on any port without design
consideration. UDLD has 2 modes of operation
- Normal mode: when unidirectional link is detected, port is allowed to continue its
operation. UDLD marks the port as ‘undetermined’ and generate syslog message.
- Aggressive mode: when no acknowledgement is heard back (even if the message comes
back), switch will try to re-establish connection by sending messages every second for 8
seconds. If no reply is heard, port is placed under errdisable state. You can re-enable such
a port with ‘#udld reset’
To configure UDLD, you can enable it per/port by ‘(config-if)#udld {enable | disable |
aggressive}’. You can also enable it globally (for all fiber-optic switch ports) with
‘(config)#udld {enable | aggressive | message time SEC}’. Normal mode is enabled with
‘enable’ keyword, while ‘message time’ can range from 7 to 90 seconds.

Verify with ‘show udld [TYPE MOD/NUM]'
When UDLD is enabled for the first time, it will keep sending UDLD messages until it hears
a reply, which then start assessing whether a link is unidirectional.
A special cause of UDLD happens with EtherChannel. If a link in EtherChannel becomes
unidirectional, only that link is disabled instead of the entire port channel.
Functionality Loop Guard UDLD
Configuration Per-port Per-port
Action granularity Per-VLAN Per-port
Autorecover Yes Yes, with err-disable
timeout feature
Protection against STP failures
caused by unidirectional links
Yes, when enabled on all root and
alternate ports in redundant topology
Yes, when enabled on all
links in redundant topology
Protection against STP failures
caused by problems in the
software (designated switch does
not send BPDU)
Yes No
Protection against miswiring. No Yes

RSTP
When RSTP and STP are compared (without any additional commands), RSTP is better
because it’s less timer-dependent.
BPDU
RSTP BPDU has the same format as STP BPDU (thus, backward compatible), except its
protocol version identifier = 2.
Another difference is that RSTP utilize all 8 bits (instead of 2) of the flag byte to indicate
different types of BPDU.
Bit 0 Bit 1 Bit 2-3 Bit 4 Bit 5 Bit 6 Bit 7
TC Proposal Port Role Learning Forwarding Agreement TCA
RSTP BPDUs are send from every switch every 2 seconds. Max age is 6 seconds, and
message age is simply used as hop (or switch?) count instead of calculation.
Port
Here are the port states of RSTP
802.1D State 802.1w State Default Port
Operational Status
Port in Active
Topology?
Port Learning MAC
Addresses?
Disabled Discarding Enabled No No
Blocking Discarding Enabled No No
Listening Discarding Enabled Yes No
Learning Learning Enabled Yes Yes
Forwarding Forwarding Enabled Yes Yes
RSTP uses the following port roles:
- Root Port (forwarding): one per switch with no root port on the root bridge
- Designated Port (forwarding): one per network segment
- Alternate port (blocking): secondary, redundant Root Port
- Backup Port (blocking): secondary, redundant Designated Port
RSTP integrated UplinkFast and BackboneFast (non-Cisco version), so no configuration is
needed.
RSTP’s UplinkFast doesn’t send dummy multicast frames with source address from its CAM
table. Instead, it sends BPDU with TC bit set, so other switch change the source of address
learned from old port to the new port.
RSTP’s BackboneFast: S1 is Root Bridge, S2 and S3 connect to each other and to the Root
Bridge. Link between S2 and S1 breaks, and S2 sends a BPDU declaring it’s the Root Bridge.
Proposal and synchronization takes place between S3 and S2.
RSTP define different port types:
- Edge ports are ports that have PortFast enabled, it can be trunk or access. If BPDU is
received, the port moves to normal STP port type.
- Point-to-point port are links that are full duplex (communicate to switch using handshake).
Implements RSTP logic.

Verify with ‘show spanning-tree vlan’ command. A type of ‘P2p Peer (STP)’ indicate a
neighbor running STP. If necessary, you can override link type using ‘(config-if)#spanning-tree
link-type point-to-point’
Sender switch port identify its port role and port state.
Synchronization
Synchronization is the process of determining whether link should be up between 2 ports:
1) Switch A sends a proposal to Switch B from its designated port (which should be either
discarding or learning). The BPDU has proposal bit set and send to Switch B.
2) Switch B enable synchronization (once the BPDU arrives), which puts all non-edge ports
into discarding state to prevent conflict in port roles.
3) If switch B agrees (it moves the port into forwarding state, this is usually a Root Port to
pair with Designated port), it sends back a BPDU with agreement bit set. The port on
Switch A then changes to Forwarding (upon receipt of agreement BPDU).
4) If Switch B doesn’t send back an acknowledgement (refuses), that port on B slowly
transition to Forwarding state and use STP logic.
Note: it must be the designated bridge (switch with designated port) that should send the
proposal. If the proposal is send out root/blocked port, designated bridge refuses then it
restart the process by sending a proposal to non-designated bridge.
A proposal is send out when the port is in discarding or listening state only.
If a configuration BPDU is not heard back, switch assumes neighbor to be STP and start
using 802.1D logic.
Topology Change
A topology change in RSTP only occur when a non-edge port move to Forwarding state.
In STP, there is TC and TCA BPDU, whereas in RSTP, there is only TC Configuration BPDU
(no TCA BPDU and no more TCN BPDU) unless a STP bridge exist. In STP, the TCN BPDU is
generated by the switch where topology change and require Root Bridge send out
configuration BPDU with TC bit set.
In RSTP, the switch (where topology change takes place) can send out the TC BPDU. When
this BPDU is sent out, the switch starts a TC timer (by default, 4 seconds), for which it will
send the BPDU during this time. This switch will flush all MAC address except MAC address
of edge ports. In other words, all ports that send out TC BPDU will have its MAC address
flushed.
For switches that receive the TC BPDU, it will flush all MAC address except the one which
BPDU arrived on. It also start a TC timer for when it propagate the TC BPDU.
Verify with ‘show spanning-tree vlan’ command. A type of ‘P2p Peer (STP)’ indicate a
neighbor running STP.
Compatibility
By default, 802.1D drops 802.1W frames. This means that the 802.1D will send BPDUs
(thinking it’s the Root Bridge) because RSTP BPDU can’t be processed.
On the other hand, 802.1W switch send out RSTP BPDU (because no RSTP response is
heard) and start the migration delay timer, which is 3 seconds by default; now the port is

said to be in compatibility mode. This means the 802.1W switch will continue to send RSTP
BPDU every 3 seconds and the port can accept any type of BPDU.
When the migration timer ends, 802.1W switch checks the STP type. If STP BPDU has
been received, it will start to use STP BPDU (and logic) instead. Know that the RSTP switch
can’t revert back to RSTP. This continue of flow cause the entire switch domain to use STP.
Note: during migration delay timer, 802.1W switch can generate responses to 802.1D BPDU
such as TCN and TCA BPDU.
Note: if the TC timer is active on a Root Port connected to an 802.1D switch and a BPDU
with TCA bit set is received, the TC timer is reset.
RSTP, RPVST+, and MST
There are 2 types of RSTP, RPVST+ and MST; both are running RSTP, so everything it does
follow the rule of RSTP. To configure RPVST+, ‘(config)#spanning-tree mode rapid-pvst’, you
need to ‘reload’ the switch. Verify with ‘show spanning-tree summary’ or ‘show spanning-tree
bridge protocol’ command.
Multiple Spanning Tree (MST), defined in 802.1s, it has many advantages. All VLANs can
load balance, and the links are well-utilized and the burden on CPU is little.
A MST region defines the boundary within which MST operates. For switches to be in the
same region, these items must be the same
1. MST region name (< 32 bytes or characters), manually configured
2. Configuration revision number (0 - 65,535), manually configured and can’t be
dynamically changed or propagated
3. VLAN-to-Instance Mapping (0 - 4096 entries), even if that instance/VLAN doesn’t exist
on this switch. One VLAN can only be mapped to one instance.
A switch can belong to ONLY one MST region. Thus, that region must include all VLANs the
switch run.
MST region management can be performed by VTP v3.
There are 3 types of MST ports:
- Edge ports, for interfaces connected to end devices or hub
- Boundary ports, for interfaces connected to 1. Another MST region, 2. An 802.1D domain,
or 3. An 802.1W domain.
- Rest of the ports are simply known as internal MST ports.
MST BPDU has format similar to RSTP except that protocol version identifier = 3, and MST
only send one BPDU to each of its neighbor from each switch port. MST BPDU contain MST
extension field called M-record; M-record for IST MUST be transmitted, along with some
optional M-records (if that interface contain VLANs belonging to that instance). Flag byte is
the same as RSTP field.
‘MST configuration digest’ is a field in MST BPDU that is the hash result of VLAN to instance
mapping. This is used to verify both switches have the correct information.
When a switch port realize that its neighbor (on the same segment) is not running the
same MST as it is, it will detect its STP type from the BPDU it receives and try to cope with
the neighbor.
MST computation relies on hop count, default max hop count = 20.

Ccnpswitch

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Ccnpswitch

Similar to Ccnpswitch (20)

Recently uploaded

Recently uploaded (20)

Ccnpswitch