CCNP SWITCH (300-115) Study Guide
By: Steve Simeus
1.0
Layer 2 Technologies
1. 1.1 Configure and verify switch administration
1. 1.1.a SDM templates
SDM stands for Switching Database Manager. It manages layer 2 and layer 3 switching
information.
2. 1.1.b Managing MAC address table
1. The MAC address table contains address information that the switch uses to
forward traffic between ports. All MAC addresses in the address table are
associated with one or more ports. The address table includes these types of
addresses:
2. • Dynamic address: a source MAC address that the switch learns and then
ages when it is not in use.
3. • Static address: a manually entered unicast address that does not age and
that is not lost when the switch resets.
4. The address table lists the destination MAC address, the associated VLAN ID,
and port number associated with the address and the type (static or dynamic).
5. MAC address table management can be used with the STP, MSTP, and REP
features.
* By default, MAC address learning is enabled on all interfaces and VLANs on the router.
* Disabling MAC address learning on an interface or VLAN could cause flooding in the network.
* We recommend that you disable MAC address learning only in VLANs with two ports. If you disable
MAC address learning on a VLAN with more than two ports, every packet entering the switch is
flooded in that VLAN domain.
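As an added illustration (not code from the study guide), the model below implements the address-table behaviour described in 1.1.b: dynamic entries that age out, static entries that do not, unknown-unicast flooding, and the per-frame flooding that results when MAC learning is disabled on a VLAN. The port numbers, MAC addresses and the 300-second aging value are assumed sample values.

```python
"""Model of a switch MAC address table: dynamic/static entries, aging,
per-VLAN learning control, and the resulting forwarding decision.
Added illustration for section 1.1.b; ports and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float  # seconds; ignored for static entries


@dataclass
class MacTable:
    ports: set                                   # physical ports on the switch
    aging_secs: float = 300.0                    # assumed aging time (IOS default)
    learning: dict = field(default_factory=dict) # vlan -> learning enabled?
    table: dict = field(default_factory=dict)    # (vlan, mac) -> Entry

    def set_learning(self, vlan, enabled):
        self.learning[vlan] = enabled

    def add_static(self, vlan, mac, port):
        # Static entries never age and survive a reload (kept in config).
        self.table[(vlan, mac)] = Entry(port, True, 0.0)

    def age(self, now):
        """Remove dynamic entries idle longer than aging_secs; return count."""
        expired = [k for k, e in self.table.items()
                   if not e.static and now - e.last_seen > self.aging_secs]
        for k in expired:
            del self.table[k]
        return len(expired)

    def forward(self, vlan, src, dst, in_port, now):
        """Return the set of egress ports for a frame.

        Learns the source (unless learning is disabled on the VLAN), then
        forwards to the known port for dst, or floods the VLAN otherwise.
        """
        if self.learning.get(vlan, True):
            e = self.table.get((vlan, src))
            if e is None or not e.static:      # never overwrite a static entry
                self.table[(vlan, src)] = Entry(in_port, False, now)
        e = self.table.get((vlan, dst))
        if e is not None and e.port != in_port:
            return {e.port}                   # known unicast: one port
        if e is not None:
            return set()                      # destination is on the ingress port: filter
        return self.ports - {in_port}         # unknown unicast: flood the VLAN
```

With learning disabled on a VLAN the destination is never learned, so every frame in that VLAN floods, which is exactly the flooding the guide warns about.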
3. 1.1.c Troubleshoot Err-disable recovery
1. Error Disable Recovery is the act of a switch detecting an error condition and
then automatically turning the err-disabled interface back on after a default time.
2. When a port goes into err-disabled it shuts down and stops sending and
receiving traffic. The LED changes to orange and err-disabled is shown
under the show interfaces command.
* The reason why an interface would go into err-disable is because of an error condition. This tells a
network engineer there is a problem with the port and prevents the port from causing other ports to fail.
COMMANDS:
SW# show errdisable recovery: displays the Err Disable Reason column and shows whether auto
recovery is enabled for each cause.
SW(config)# errdisable recovery cause cause-name: enables auto recovery for that cause.
SW# show interfaces status err-disabled: displays any interfaces currently in err-disabled status.
SW# show errdisable detect: shows the current err-disable detection settings, mainly to check
whether err-disable detection is enabled for the different causes.
SW(config)# errdisable recovery interval timer_interval_seconds: sets the time after which an
err-disabled port is automatically recovered. To re-enable an err-disabled port manually, you must
shut down the port and then issue a no shutdown command.
2. 1.2 Configure and verify Layer 2 protocols
1. 1.2.a CDP, LLDP
Using CDP, a device can advertise its existence to other devices and receive information
about other devices on the same LAN or on the remote side of a WAN. CDP runs on all
media that support SNAP, including LANs, Frame Relay, and ATM media.
* Cisco Discovery Protocol: a media- and protocol-independent device-discovery
protocol that runs on all Cisco-manufactured equipment including routers, access
servers, bridges, and switches.
* Layer 2 protocol: CDP is enabled on Cisco routers by default.
* When a large number of CDP neighbor announcements are sent, it is possible
to consume all the memory of a device. This causes a crash or other abnormal
behavior.
COMMANDS:
no cdp run disables CDP (global configuration mode).
cdp run re-enables CDP (global configuration mode).
show cdp neighbors verifies whether CDP is enabled or disabled on your Cisco device.
show cdp neighbors detail and show cdp entry display additional
information about the neighboring devices, including network-layer protocol
information and version.
LLDP - Link Layer Discovery Protocol (IEEE 802.1AB)
To support non-Cisco devices, LLDP is a neighbor discovery protocol that is used
by network devices to advertise information about themselves to other devices on the
network. This protocol runs over the data-link layer, which allows two systems running
different network layer protocols to learn about each other.
*LLDP supports a set of attributes that it uses to discover neighbor devices.
*These attributes contain type, length, and value descriptions and are referred
to as TLVs.
*By default, all LLDP-MED TLVs are enabled.
MANDATORY LLDP TLVs
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV
LLDP holdtime (before discarding) 120 seconds
LLDP timer (packet update frequency) 30 seconds
LLDP reinitialization delay 2 seconds
COMMANDS:
Enabling LLDP
Beginning in privileged EXEC mode, follow these steps to enable LLDP:
Command / Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: lldp run - Enable LLDP globally on the switch.
Step 3: interface interface-id - Specify the interface on which you are enabling
LLDP, and enter interface configuration mode.
Step 4: lldp transmit - Enable the interface to send LLDP packets.
Step 5: lldp receive - Enable the interface to receive LLDP packets.
Step 6: end - Return to privileged EXEC mode.
Step 7: show lldp - Verify the configuration.
Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration
file.
To disable LLDP, use the no lldp run global configuration command. To disable LLDP on an interface,
use the no lldp transmit and the no lldp receive interface configuration commands.
This example shows how to globally enable LLDP.
Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end
This example shows how to enable LLDP on an interface.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
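The TLV format and the holdtime/timer values listed above, worked through as an added example (not code from the study guide or from Cisco): each LLDP TLV is a 7-bit type and 9-bit length followed by the value, and a receiver keeps a neighbor only until the advertised TTL (the sender's holdtime, 120 s by default) lapses unless a fresh advertisement arrives first (every 30 s by default). The chassis MAC, port name and system name are constructed sample values.

```python
"""LLDP TLV encoding/decoding plus a neighbor table aged by the TTL TLV.
Added illustration for 1.2.a; sample neighbor values are constructed."""
import struct

# TLV type codes from IEEE 802.1AB
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = 4, 5, 6, 7, 8


def encode_tlv(tlv_type, value):
    """TLV header is 16 bits: 7-bit type followed by a 9-bit value length."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode_tlvs(data):
    """Yield (type, value) pairs; stop at End-of-LLDPDU; reject truncated input."""
    off = 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == END_OF_LLDPDU:
            return
        if off + length > len(data):
            raise ValueError("TLV length runs past end of LLDPDU")
        yield tlv_type, data[off:off + length]
        off += length
    raise ValueError("missing End-of-LLDPDU TLV")


def is_well_formed(data):
    """True when every TLV fits and the PDU is terminated correctly."""
    try:
        list(decode_tlvs(data))
        return True
    except ValueError:
        return False


def build_lldpdu(chassis_mac, port_name, ttl, sys_name):
    # Chassis ID subtype 4 = MAC address; Port ID subtype 5 = interface name
    return b"".join([
        encode_tlv(CHASSIS_ID, b"\x04" + chassis_mac),
        encode_tlv(PORT_ID, b"\x05" + port_name.encode()),
        encode_tlv(TTL, struct.pack("!H", ttl)),
        encode_tlv(SYS_NAME, sys_name.encode()),
        encode_tlv(END_OF_LLDPDU, b""),
    ])


class NeighborTable:
    """Keyed by (chassis id, port id); an entry is dropped once its TTL lapses."""

    def __init__(self):
        self.entries = {}  # key -> (expires_at, system name)

    def receive(self, lldpdu, now):
        tlvs = dict(decode_tlvs(lldpdu))
        key = (tlvs[CHASSIS_ID], tlvs[PORT_ID])
        ttl, = struct.unpack("!H", tlvs[TTL])
        if ttl == 0:  # TTL 0 is a shutdown announcement: remove immediately
            self.entries.pop(key, None)
            return key
        self.entries[key] = (now + ttl, tlvs.get(SYS_NAME, b"").decode())
        return key

    def neighbors(self, now):
        """Purge expired entries, then return the remaining system names."""
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
        return sorted(v[1] for v in self.entries.values())
```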
2. 1.2.b UDLD
1. UDLD is a Layer 2 protocol that enables devices connected
through fiber-optic or twisted-pair Ethernet cables to monitor the
physical configuration of the cables and detect when a
unidirectional link exists. All connected devices must support
UDLD for the protocol to successfully identify and disable
unidirectional links. When UDLD detects a unidirectional link, it
disables the affected port and alerts you. Unidirectional links can
cause a variety of problems, including spanning-tree topology
loops.
* UDLD supports two modes of operation: normal (the default) and aggressive.
Normal Mode- UDLD can detect unidirectional links due to misconnected ports
on fiber-optic connections.
Aggressive Mode- UDLD can also detect unidirectional links due to one-way
traffic on fiber-optic and twisted-pair links and to misconnected ports on fiber-optic
links.
* A unidirectional link occurs whenever traffic sent by a local device is received by its
neighbor but traffic from the neighbor is not received by the local device.
* In a point-to-point link, UDLD hello packets can be considered as a heartbeat whose
presence guarantees the health of the link. Conversely, the loss of the heartbeat means
that the link must be shut down if it is not possible to re-establish a bidirectional link.
Feature / Default Setting
UDLD global enable state: Globally disabled
UDLD per-port enable state for fiber-optic media: Disabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) media: Disabled on all Ethernet 10/100 and
1000BASE-TX ports
UDLD aggressive mode: Disabled
Configuration Guidelines
These are the UDLD configuration guidelines:
• UDLD is not supported on ATM ports.
• A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port
of another switch.
• When configuring the mode (normal or aggressive), make sure that the same mode is configured on
both sides of the link.
COMMANDS:
Command / Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: udld {aggressive | enable | message time message-timer-interval} - Specify the UDLD
mode of operation:
• aggressive: Enables UDLD in aggressive mode on all fiber-optic ports.
• enable: Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is
disabled by default. An individual interface configuration overrides the setting of the
udld enable global configuration command. For more information about aggressive and
normal modes, see the "Modes of Operation" section.
• message time message-timer-interval: Configures the period of time between UDLD
probe messages on ports that are in the advertisement phase and are detected to be
bidirectional. The range is from 1 to 90 seconds. The default value is 15.
Note: This command affects fiber-optic ports only. Use the udld interface configuration
command to enable UDLD on other port types. For more information, see the "Enabling
UDLD on an Interface" section.
Step 3: end - Return to privileged EXEC mode.
Step 4: show udld - Verify your entries.
Step 5: copy running-config startup-config - (Optional) Save your entries in the
configuration file.
3. 1.3 Configure and verify VLANs
A VLAN defines a broadcast domain. A VLAN is a switched network that is
logically segmented by function, project team, or application, without
regard to the physical locations of the users. VLANs have the same attributes
as physical LANs, but you can group end stations even if they are not
physically located on the same LAN segment. Any switch port can belong to a
VLAN, and unicast, broadcast, and multicast packets are forwarded and
flooded only to end stations in the VLAN. Each VLAN is considered a logical
network, and packets destined for stations that do not belong to the VLAN
must be forwarded through a router or a switch supporting fallback bridging.
Because a VLAN is considered a separate logical network, it contains its own
bridge Management Information Base (MIB) information and can support its
own implementation of spanning tree.
1. 1.3.a Access ports
* An access port can have only one VLAN configured on the
interface; it can carry traffic for only one VLAN.
* If an access port receives a packet with an 802.1Q tag in the
header other than the access VLAN value, that port drops the packet
without learning its MAC source address.
* Access ports connect hosts and peripherals, which (unlike a switch) do not send
BPDUs or VLAN information.
* BPDU (Bridge Protocol Data Unit)- are data messages that are
exchanged across the switches within an extended LAN that uses a spanning tree
protocol topology. BPDU packets contain information on ports, addresses,
priorities and costs and ensure that the data ends up where it was intended to
go.
2. 1.3.b VLAN database
1. When the switch is in VTP server or transparent mode, you can
configure VLANs in the VLAN database mode. When you configure
VLANs in VLAN database mode, the VLAN configuration is saved in
the vlan.dat file, not the running-config or startup-config files. To
display the VLAN configuration, enter the show running-config
vlan command.
Commands:
Command / Purpose
Step 1: Switch# vlan database - Enters VLAN database mode.
Step 2: Switch(vlan)# vlan vlan_ID - Adds an Ethernet VLAN.
Note: You cannot delete the default VLANs for these media
types: Ethernet VLAN 1 and FDDI or Token Ring
VLANs 1002 to 1005.
When you delete a VLAN, any LAN interfaces
configured as access ports assigned to that VLAN
become inactive. They remain associated with the
VLAN (and thus inactive) until you assign them to a
new VLAN.
You can use the no keyword to delete a VLAN.
Step 3: Switch(vlan)# exit - Returns to enable mode.
Step 4: Switch# show vlan [id vlan_ID | name vlan_name] - Verifies the VLAN configuration.
VTP Modes:
o Server
  • Creates, modifies, and deletes VLANs
  • Sends and forwards advertisements
  • Synchronizes VLAN configurations
o Client
  • Cannot create, modify, or delete VLANs
  • Sends and forwards advertisements
  • Synchronizes VLAN configurations
o Transparent
  • Creates, modifies, and deletes local VLANs only
  • Forwards advertisements
  • Does not synchronize VLAN configuration
1. 1.3.c Normal, extended VLAN, voice VLAN
VLAN Ranges:
VLANs / Range / Usage / Propagated by VTP
0, 4095: Reserved. For system use only. You cannot see or use these VLANs.
Propagated by VTP: N/A
1: Normal. Cisco default. You can use this VLAN but you cannot delete it.
Propagated by VTP: Yes
2-1001: Normal. Used for Ethernet VLANs; you can create, use, and delete these VLANs.
Propagated by VTP: Yes
1002-1005: Normal. Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005.
Propagated by VTP: Yes
1006-4094: Extended. For Ethernet VLANs only. When configuring extended-range VLANs, note the
following:
• Layer 3 ports and some software features require internal VLANs. Internal VLANs are allocated
from 1006 and up. You cannot use a VLAN that has been allocated for such use. To display the
VLANs used internally, enter the show vlan internal usage command.
• Switches running Catalyst product family software do not support configuration of VLANs
1006-1024. If you configure VLANs 1006-1024, ensure that the VLANs do not extend to any
switches running Catalyst product family software.
• You must enable the extended system ID to use extended range VLANs. See the "Enabling the
Extended System ID" section.
Propagated by VTP: No
• You can configure extended-range VLANs only in global configuration mode.
o Voice
o Some benefits of converged voice, video, and data into a single network include:
o Expense reducer – if only a single cable drop is required per user, cabling
and network provisioning costs go down. PSTN costs also go down as more
calls can use the existing data network and not the public phone service.
o Efficiencies in bandwidth – for example, if a voice call is not in progress,
data can be transmitted on the same link. That’s not the case with traditional
phone lines.
o Innovative features - VoIP allows new services to be added including
unifying several modes of communication (ex. voicemail, email, IM).
Service providers can also sell new services and provide more flexible
pricing arrangements.
VoIP network requirements
• Low bandwidth, delay, jitter, packet loss
• PoE
• Medium security
• High management
• Highly available network
Video network requirements
• Low delay, jitter, and packet loss
• Medium security and management
• High availability
Data network requirements
• High bandwidth, availability, and security
• Jitter and delay are not that crucial
• Medium management
o Call Signaling
o The first is the call control signaling, used to set up, tear down, maintain, and redirect
calls. Some examples of call signaling protocols include H.323, SIP, and MGCP. Make
sure you do not confuse these protocols with the voice compression protocols (voice codecs) like
G.729 and G.711, which determine the bandwidth used.
o The second is the actual UDP voice traffic itself, which uses RTP (Real-Time Transport
Protocol) to encapsulate the traffic.
o Voice VLANs
o Voice VLANs are a way for Cisco switches to dynamically tag and assign voice traffic,
including placing it in its own separate VLAN/subnet.
o Voice VLANs are disabled by default.
Cisco IP phones have a small internal switch that places an 802.1q tag on the voice traffic and marks the
Class of Service (CoS) bits in the tag. Data traffic (from the attached PC) is sent over the native VLAN,
while all voice traffic is sent over the configured VLAN on the access port. Cisco calls this setup a
multi-VLAN access port. This whole process of enabling voice VLANs also enables the switch to forward
frames with specific 802.1P markings. 802.1P designates how QoS is applied at the MAC layer.
PoE Switches - Two different power standards exist for PoE, Cisco Inline PoE and IEEE 802.3af.
• IEEE 802.3af - Relies on the devices to let the switch know how much power it
needs.
• Cisco Inline PoE - Cisco's devices can additionally use CDP.
• The new 802.3at standard, also known as PoE+, will specify up to 30 Watts of
power. Some current Cisco switches can supply up to 20W.
• Note: Non-CDP devices always get 15.4 W allocated to them.
PoE Configuration - Cisco switches automatically detect and provide power, but if you need to disable it or
re-enable it, use the following commands:
• Switch(config-if)# power inline {never | auto}
To view power information for all ports:
• Switch# show power inline [interface]
Video
Video traffic, from Cisco's perspective, falls into one of three categories:
Many to many
• Examples include Telepresence, WebEx, peer-to-peer video apps
• Data flows client-to-client or MCU-to-client
• Bandwidth requirements for high-def video can be up to 12 Mbs per location (with compression)
Many to few
• Examples include IP surveillance cameras.
• Typically require up to 4 Mbs of bandwidth
Few to many
• Example is Internet streaming from a single source
• Quality not as critical
• Traffic flows storage to client or server to client
QoS (Quality of Service) - Quality of Service is a very important part of operating a VoIP platform on a
campus network. There are three main drivers for applying QoS: jitter, packet loss, and delay.
Trust Boundaries - The place where a decision about priority marking on incoming frames/packets is done
is called the trust boundary. When IP traffic comes into an interface and is already marked, the switch has
the following options:
• Trust the DSCP value
• Trust the IP Precedence value
• Trust the CoS value in the frame
• Classify the traffic based on an IP ACL or MAC ACL
Cisco recommends marking the traffic as close to the source as possible. IP phones can mark their own
traffic and other clients can be marked at the access switch. If that is not an option, mark at the distribution
layer, but never at the core. Marking slows traffic down, so it has no place being in the core. All devices
within the network path should be configured to trust the marking and provide service based on that.
Configure QOS:
Before rolling out VoIP in your environment, think through the following planning steps:
1. PoE - Ensure there is enough power for all the phones and that there is a UPS backup
2. Voice VLAN - Think through the number of VLANs/subnets required, add DHCP scopes for the
phones, add voice networks to routing protocols
3. QoS - Decide on which marking and queues you plan on using. Cisco recommends implementing
AutoQoS and then tuning as needed.
4. Fast Convergence - tune routing and HSRP/VRRP/GLBP timers
5. Test Plan - Test the implementation before rolling it out to real users. Some things to look for include
making sure the phone and PC have the correct IP addresses, the phone registers itself, and calls can be
made.
Configuring Auto QoS
Configures the interface to trust CoS on incoming traffic
Switch(config-if)# auto qos voip trust
Configures the interface to trust CoS only if Cisco phone is connected (requires CDP)
Switch(config-if)# auto qos voip cisco-phone
Displays the Auto QoS configuration
Switch# show auto qos
Manual QoS Configuration
Switch(config-if)# switchport voice vlan vlan-ID
Associates a voice VLAN with a switch port
Switch(config-if)# mls qos trust {dscp | cos}
Trusts markings on traffic entering an interface. Effectively moves the trust boundary to the attached
device (often an IP phone or server).
Switch(config-if)# mls qos trust device cisco-phone
Trusts markings only if a Cisco phone is connected
Switch(config-if)# switchport priority extend cos cos-value
Instructs the IP phone to set/overwrite the CoS value for data coming from a PC attached to the phone.
The phone would then be the new trust boundary because it is now doing the marking on the data traffic. Also
important to note that the CoS value assigned at the end of the statement is a number between 0 and 7, with 7
being the highest priority and 0 being the default value.
Switch(config-if)# switchport priority extend trust
Instructs the phone to trust the priority of the data coming from the attached PC.
Switch# show interfaces interface-id switchport
Verify interface parameters
Switch# show mls qos interface interface-id
Verify QoS parameters on an interface
4. 1.4 Configure and verify trunking
o 1.4.a VTPv1, VTPv2, VTPv3, VTP pruning
• VTP has two versions (1 and 2) that are not
interoperable. All that is required to change from v1
to v2 across the network is to change one server
switch to v2 and it will send out an advertisement
to all other switches to make the change as well.
V1 is the default.
• A third version of VTP addresses some of the
traditional shortcomings. For example, VTP version 3
supports extended VLAN numbers (1 to 4095) that
are compatible with the IEEE 802.1Q trunking
standard.
Configure:
Switch(config)# vtp version 2
NOTE: VTP information will not be exchanged without first configuring the
VTP domain name.
COMMANDS:
Switch# config t
Switch(config)# vtp mode server
Switch(config)# vtp domain domain_name
• VTP Pruning
o VTP Pruning makes more efficient use of trunk bandwidth by reducing
unnecessary flooded traffic over trunk links.
o By default, VTP Pruning is disabled; to enable it (on the server device):
  Switch(config)# vtp pruning
o When pruning is enabled on a server, it propagates the pruning to all
switches in the management domain.
o VLANs 2-1001 are eligible for pruning by default.
• 1.4.b dot1Q
o 802.1Q is an open standard; it inserts its own 4-byte tag within the frame and
recalculates the CRC value, and it allows for native VLANs (untagged frames to go
through).
o 802.1Q is often used by service providers for tunneling secure VPNs. The
802.1Q tunneling feature allows ISPs to segregate different customers'
traffic throughout their infrastructure.
o 802.1Q can be used for VLAN identification with Ethernet trunks.
• Trunk (middle solution, to carry traffic for multiple VLANs)
• By default, all VLANs are allowed on a trunk.
• Before traffic is allowed on a trunk, it must be tagged (802.1Q/ISL).
• 1.4.c Native VLAN (don't put any traffic on it / management only)
o 802.1Q introduces the concept of a native VLAN on a trunk.
o Frames belonging to this VLAN are not encapsulated with any tagging information.
o The native VLAN is the "default" VLAN that allows frames to be passed through the trunk
untagged.
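The 802.1Q mechanics from 1.4.b and 1.4.c (and the CoS bits a phone sets, from 1.3.c), as an added example that is not code from the study guide: the 4-byte tag is inserted after the source MAC, the FCS is recomputed because it covers the tag, and a frame that arrives untagged on a trunk is assigned to the native VLAN. MAC addresses and the native VLAN number 99 are constructed values; a real switch strips the FCS in hardware, here it is carried in the byte string.

```python
"""Build and parse Ethernet frames with and without an 802.1Q tag, recompute
the FCS, and map untagged frames to the trunk's native VLAN.
Added illustration for 1.4.b/1.4.c; addresses and VLAN numbers are constructed."""
import struct
import zlib

TPID_8021Q = 0x8100
NATIVE_VLAN = 99  # assumed native VLAN of the example trunk


def fcs(frame_without_fcs):
    """Ethernet FCS: CRC-32 over everything after the preamble, little-endian."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, dei=0):
    """Return dst|src|[TPID|TCI]|ethertype|payload|FCS.

    The tag (TPID 0x8100 + 16-bit TCI) goes after the source MAC when vlan is
    given. PCP is the 3-bit 802.1p CoS (0-7) that an IP phone marks on voice."""
    header = dst + src
    if vlan is not None:
        if not (0 <= vlan <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("bad tag field")
        tci = (pcp << 13) | (dei << 12) | vlan
        header += struct.pack("!HH", TPID_8021Q, tci)
    body = header + struct.pack("!H", ethertype) + payload
    return body + fcs(body)  # the CRC covers the tag, so it is recomputed


def parse_frame(frame, native_vlan=NATIVE_VLAN):
    """Return (vlan, pcp, ethertype, payload, fcs_ok); untagged -> native VLAN."""
    body, trailer = frame[:-4], frame[-4:]
    fcs_ok = trailer == fcs(body)
    tpid, = struct.unpack_from("!H", body, 12)
    if tpid == TPID_8021Q:
        tci, = struct.unpack_from("!H", body, 14)
        vlan, pcp, off = tci & 0x0FFF, tci >> 13, 16
    else:
        vlan, pcp, off = native_vlan, 0, 12
    ethertype, = struct.unpack_from("!H", body, off)
    return vlan, pcp, ethertype, body[off + 2:], fcs_ok
```

Inserting a tag without recomputing the FCS leaves a frame that parses but fails the CRC check, which is why the guide notes that 802.1Q recalculates the CRC.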
• 1.4.d Manual pruning
o Modify the default list of pruning eligibility with the following
interface configuration commands:
  Switch(config)# interface type mod/num
  Switch(config-if)# switchport trunk pruning vlan {{add | except | remove} vlan-list | vlan-list | none}
5. 1.5 Configure and verify EtherChannels
• EtherChannel is a term used to describe bundling or aggregating 2-8 parallel links into
one.
• EtherChannel provides a level of link redundancy.
• "For each EtherChannel on a switch, you must choose the EtherChannel negotiation
protocol and assign individual switch ports to the EtherChannel."
o * If there are two redundant EtherChannel bundles, one entire EtherChannel
will be blocked by STP to prevent a loop.
o 1.5.a LACP, PAgP, manual
• LACP (Link Aggregation Control Protocol)
• "The switch with the lowest system priority (a 2-byte priority value
followed by a 6-byte switch MAC address) is allowed to make decisions
about what ports actively are participating in the EtherChannel at a
given time."
• An open-standard alternative to PAgP
• IEEE 802.3ab
• Uses a priority system for end switches
• The switch with the lowest system priority (2-byte value followed by
MAC; lowest wins) determines which ports are active in the
EtherChannel at any given time.
• Uses port priority to determine which ports to place in standby
mode if hardware limitations do not allow all ports to
participate in the EtherChannel.
• Most leave the system and port priority at defaults.
• EtherChannel Negotiation Protocols Summary
o Configuration
o "Switch(config)# lacp system-priority priority
o Switch(config)# interface type member/module/number
o Switch(config-if)# channel-protocol lacp
o Switch(config-if)# channel-group number mode {on | passive | active}
o Switch(config-if)# lacp port-priority priority"
• PAgP (Port Aggregation Protocol)
o Cisco proprietary
o Forms an EtherChannel only if ports are configured for
identical static VLAN or trunking
o Will automatically modify interface parameters on all
ports in the bundle if the EtherChannel interface is
changed.
o STP sends packets over only one physical link in a PAgP
bundle. Because STP's algorithm uses the lowest port
priority (priority + port ID), if defaults are set, STP will
always use the lowest-numbered port for BPDUs.
o "By default, PAgP operates in silent submode with the
desirable and auto modes"
• PAgP aids in the automatic creation of EtherChannel links. PAgP packets are
sent between EtherChannel-capable ports in order to negotiate the formation of a
channel. Some restrictions are deliberately introduced into PAgP. The restrictions
are:
o PAgP does not form a bundle on ports that are configured for dynamic VLANs. PAgP requires that
all ports in the channel belong to the same VLAN or are configured as trunk ports. When a bundle
already exists and a VLAN of a port is modified, all ports in the bundle are modified to match that
VLAN.
o PAgP does not group ports that operate at different speeds or port duplex. If speed and duplex
change when a bundle exists, PAgP changes the port speed and duplex for all ports in the bundle.
o PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable,
desirable-desirable, and on-on allow the formation of a channel. The device on the other side must
have PAgP set to on if a device on one side of the channel does not support PAgP, such as a router.
o Configuration
  "Switch(config)# interface type member/module/number
  Switch(config-if)# channel-protocol pagp
  Switch(config-if)# channel-group number mode {on | {auto | desirable} [non-silent]}"
o 1.5.c Load balancing
• EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4
port numbers with a Policy Feature Card 2 (PFC2) and either source mode,
destination mode, or both. The mode you select applies to all EtherChannels
that you configure on the switch.
Configure Load Balancing:
• SW1# config t
• SW1(config)# port-channel load-balance method
Methods:
• src-ip: source IP
• dst-ip: destination IP
• src-dst-ip: source and destination IP (XOR) **DEFAULT METHOD**
• src-mac: source MAC
• dst-mac: destination MAC
• src-dst-mac: source and destination MAC (XOR)
• src-port: source port
• dst-port: destination port
• src-dst-port: source and destination port (XOR)
• 1.5.d EtherChannel misconfiguration guard
o You can use EtherChannel guard to detect an EtherChannel
misconfiguration between the switch and a connected device.
o If the switch detects a misconfiguration on the other device, EtherChannel
guard places the switch interfaces in the error-disabled state
and displays an error message.
• Configuration:
• You can enable this feature by using the spanning-tree etherchannel guard
misconfig global configuration command.
6. 1.6 Configure and verify spanning tree
o Spanning Tree Protocol (STP) is designed to prevent problems related to
bridging loops. STP solves the problem by blocking redundant paths
and allowing only a single active path. Spanning tree works by selecting a
root switch, then selecting a loop-free path from the root switch to every
other switch. To do that, spanning tree must choose a single root bridge, one
root port for each non-root switch, and a single designated port for each
network segment.
STP Path Selection
o Spanning tree builds the tree structure attempting to use the
fastest links it has available for the active paths. STP uses the
following steps to select its paths:
o 1. Lowest root bridge ID (BID)
o 2. Lowest path cost to the root
o 3. Lowest sender bridge ID
o 4. Lowest sender port ID (PID)
STP Definitions
o Bridge ID: bridge priority + MAC address
o Bridge Priority: 0-65,535
o Default Priority: 32,768
o Port ID: port priority + port number
o Port Priority: 0-240 (default is 128, increments of 16)
o Path Cost: the cumulative cost of all links between the switch and
the root bridge.
STP Convergence
1. Root bridge election
Each VLAN elects one root bridge. All ports on the root bridge act as designated ports, which send and
receive traffic as well as BPDUs. The bridge with the lowest priority becomes root.
2. Root ports are determined on all non-root bridges
Each non-root bridge is assigned a single root port that sends and receives traffic. The root port is chosen
based on the port with the lowest-cost path between the non-root bridge and the root bridge. If two paths
are equal cost, the port with the lowest port ID (priority + port number) will win.
3. Designated port selection
Each segment has a single designated port. Designated ports are chosen from the non-root ports that have
the lowest path cost to the root bridge. In the event of a tie, the bridge ID acts as a tiebreaker (lowest wins).
All ports on a root bridge are designated ports.
STP Port Roles
Root port
• On non-root bridges only
• Forwards traffic towards the root bridge
• Only one per switch
• Can populate the MAC table
Designated port
• On root and non-root bridges
• All ports on the root bridge are designated ports
• Receives and forwards frames towards the root bridge as needed
• Only one per segment
• Can populate the MAC table
Non-designated port
• Does not forward packets (blocking)
• Does not populate the MAC table
Disabled port
• A port that is shut down
Spanning tree uses a link cost calculation to determine the root ports on non-root switches. It is calculated
by adding the costs of all links between the root bridge and the local switch.
10 Gbps > Cost 2
1 Gbps > Cost 4
100 Mbps > Cost 19
10 Mbps > Cost 100
1. 1.6.a
1. PVST+ - One instance of STP per VLAN, more resources required, slow convergence
still, includes PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard.
RPVST+ - Rapid Spanning Tree Protocol (IEEE 802.1w) was introduced to dramatically speed up STP's
convergence when network changes occur. RSTP can revert to 802.1D (common spanning-tree) to
interoperate with legacy bridges on a per-port basis. A rapid version of PVST+, RPVST+ is a per-VLAN
implementation of rapid spanning-tree.
RSTP Port States
Discarding
• Merges the former disabled, blocking, and listening states
• Prevents the forwarding of frames
• Seen in both stable/active and synchronization/changes
Learning
• Receives frames to populate the MAC table
• Seen in both stable/active and synchronization/changes
Forwarding
• Forwarding ports determine the active topology
• An agreement process between switches occurs before frames can be forwarded
• Only seen in stable/active topologies
2. MST - Multiple Spanning Tree extends the IEEE 802.1w RST algorithm to
multiple spanning trees. The main purpose of MST is to reduce the total
number of spanning-tree instances to match the physical topology of the
network and thus reduce the CPU cycles of a switch.
3. In most networks, a single MST region is sufficient, although you can configure
more than one region. Within the region, all switches must run the instance of
MST that is defined by the following attributes:
1. MST configuration name (32 characters)
2. MST configuration revision number (0 to 65535)
3. MST instance-to-VLAN mapping table (4096 entries)
1. Quick Tips MST:
• MST allows you to map multiple VLANs to single spanning-tree instances.
• With MST, use trunks and do not prune VLANs from trunks.
• MST instance 0 is the only one that communicates to other regions and non-MST switches.
1. Configuration / Enable MST
1. Switch(config)# spanning-tree mode mst
2. Switch(config)# spanning-tree mst configuration
3. Assign a region configuration name (up to 32 characters): Switch(config-mst)# name name
4. Assign a region configuration revision number (0 to 65,535): Switch(config-mst)# revision version
5. Map VLANs to an MST instance: Switch(config-mst)# instance instance-id vlan vlan-list
6. Switch(config-mst)# show pending
7. Switch(config-mst)# show current
8. Switch(config-mst)# exit
2. 1.6.b Switch priority - Each VLAN on the switch has a unique 8-byte bridge ID.
The 2 most-significant bytes are used for the switch priority, and the remaining
6 bytes are derived from the switch MAC address. (Switch Priority is 32768 by
default)
Switch Priority Value (bits 16 to 13):
Bit 16 = 32768, Bit 15 = 16384, Bit 14 = 8192, Bit 13 = 4096
Extended System ID, set equal to the VLAN ID (bits 12 to 1):
Bit 12 = 2048, Bit 11 = 1024, Bit 10 = 512, Bit 9 = 256, Bit 8 = 128, Bit 7 = 64,
Bit 6 = 32, Bit 5 = 16, Bit 4 = 8, Bit 3 = 4, Bit 2 = 2, Bit 1 = 1
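The bridge ID layout above and the STP convergence steps from 1.6 (root bridge election, then root port selection by path cost with the sender bridge ID and sender port ID as tiebreakers), worked through as an added example that is not code from the study guide: the priority field is the upper 4 bits (so priorities are multiples of 4096), the VLAN ID fills the extended system ID, and the 6-byte MAC follows. The switch names, MAC addresses and link speeds are constructed; a default port priority of 128 is assumed for the port ID tiebreaker.

```python
"""Bridge ID encoding with the extended system ID (1.6.b) and a per-VLAN
root bridge / root port election in the STP path-selection order (1.6).
Added illustration; switches, MACs and link speeds are constructed."""

# Mbps -> 802.1D path cost, the values listed in the guide
COST = {10000: 2, 1000: 4, 100: 19, 10: 100}


def bridge_id(priority, vlan, mac):
    """8-byte bridge ID as an int: 4 priority bits, 12-bit VLAN ID, 6-byte MAC.
    Lower value wins the election, so integer comparison is enough."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4095:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def elect(vlan, switches, links):
    """switches: {name: (priority, mac)}; links: [(a, port_a, b, port_b, mbps)].

    Returns (root name, {non-root name: (root port, path cost to root)}).
    A candidate root port is ranked by (path cost, sender bridge ID, sender
    port ID); the sender port ID assumes the default port priority 128."""
    bids = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bids, key=bids.get)           # step 1: lowest bridge ID
    best = {root: (0, None, None)}           # name -> best (cost, sender BID, sender PID)
    root_port = {}
    frontier = {root}
    while frontier:                          # relax BPDUs outward from the root
        nxt = set()
        for sw in frontier:
            for a, pa, b, pb, speed in links:
                for near, pnear, far, pfar in ((a, pa, b, pb), (b, pb, a, pa)):
                    if near != sw or far == root:
                        continue
                    cand = (best[sw][0] + COST[speed], bids[sw], 128 * 256 + pnear)
                    if far not in best or cand < best[far]:   # steps 2-4
                        best[far] = cand
                        root_port[far] = (pfar, cand[0])
                        nxt.add(far)
        frontier = nxt
    return root, root_port
```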
3. Switch port priority - If a loop occurs, spanning tree uses the port priority when
selecting an interface to put into the forwarding state.
1. Configuration:
2. Switch# config t
3. Switch(config)# interface interface-id
4. Switch(config-if)# spanning-tree port-priority priority
5. Switch(config-if)# spanning-tree vlan vlan-id port-priority priority
6. Switch(config-if)# end
4. Switch path cost - The spanning-tree path cost default value is derived from the
media speed of an interface.
1. If a loop occurs, spanning tree uses cost when selecting an interface to
put in the forwarding state.
2. You can assign lower cost values to interfaces that you want selected
first and higher cost values to interfaces that you want selected last.
3. If all interfaces have the same cost value, spanning tree puts the
interface with the lowest interface number in the forwarding state and
blocks the other interfaces.
4. Configuration:
1. Switch# config t
2. Switch(config)# interface interface-id
3. Switch(config-if)# spanning-tree cost cost
4. Switch(config-if)# spanning-tree vlan vlan-id cost cost
5. Switch(config-if)# end
6. Verify your entries: Switch# show spanning-tree interface interface-id
STP timers - There are several STP timers, as this list shows:
• Hello—The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
• Forward delay—The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
• Max age—The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.
Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter that is known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and all subsequent switches add 1 to this value. Effectively, this value contains the information on how far you are from the root bridge when you receive a BPDU. This diagram illustrates the concept:
• Configure STP timers:
o Hello Timer
- Switch# config t
- Switch(config)# spanning-tree vlan (vlan-id) hello-time (seconds)
- Switch(config)# end
o Forward Delay Timer
- Switch# config t
- Switch(config)# spanning-tree vlan (vlan-id) forward-time (seconds)
- Switch(config)# end
o Max Age Timer
- Switch# config t
- Switch(config)# spanning-tree vlan (vlan-id) max-age (seconds)
- Switch(config)# end
2. 1.6.c
1. Port Fast
Spanning Tree PortFast causes Layer 2 switch interfaces to enter the forwarding state immediately, bypassing the listening and learning states. It should be used on ports connected directly to end hosts like servers or workstations.
*Note: If PortFast isn't enabled, DHCP timeouts can occur while STP converges, causing more problems.
Configure:
2. Switch# config t
3. Switch(config)# int fa 3/1
4. Switch(config-if)# [no] spanning-tree portfast
3. To verify PortFast on an interface:
1. Switch# sh spanning-tree int fa 3/1 portfast
1. Bridge Protocol Data Unit - Bridge Protocol Data Units (BPDUs) are frames that contain information about the Spanning Tree Protocol (STP). Switches send BPDUs using a unique MAC address from the origin port as the source and a multicast address as the destination MAC (01:80:C2:00:00:00).
2. BPDU guard - Prevents problems related to switches accidentally being connected to PortFast-enabled ports, where bridging loops would otherwise occur instantly. It places the port in err-disable state if it receives a BPDU, disabling the interface.
1. Configure:
1. To enable BPDU Guard globally on the switch:
Switch(config)# spanning-tree portfast bpduguard default
2. To enable BPDU Guard at the interface level:
Switch(config-if)# spanning-tree bpduguard enable
Example case: BPDU guard is a PortFast feature that protects your spanning tree on edge ports (access ports). It (in layman's terms) monitors your port for BPDUs. If it sees one (presumably from a switch), it shuts the port down (err-disabled). This feature ensures that the device connected to a particular port is NOT capable of sending a BPDU (possibly superior to your root bridge) to your network and potentially becoming root bridge, which can have some very serious implications in a switched environment.
3. BPDU filter - When PortFast is enabled on a port, the port will still send out BPDUs and will accept and process received BPDUs. The BPDU Guard feature prevents the port from receiving any BPDUs but does not prevent it from sending them. The BPDU Filter feature effectively disables STP on the selected ports by preventing them from sending or receiving any BPDUs.
1. Configure:
2. Switch# config t
3. Switch(config)# spanning-tree portfast bpdufilter default   <To enable BPDU filtering globally on the switch>
4. Switch(config-if)# spanning-tree bpdufilter enable   <To enable BPDU filtering at the interface level>
5. Switch# sho spanning-tree summary   <To verify that "Portfast BPDU Filter Default" is enabled>
4. 1.6.d
1. Loop guard - Most bridging loops that occur when STP is active happen when a port in blocking state stops receiving BPDUs on the interface and therefore transitions to the forwarding state, creating an all-ports-forwarding loop. Loop guard blocks ports on a per-VLAN basis, so on trunks it will only block that VLAN, not the whole trunk. Loop guard should be applied to all non-designated ports (e.g. root, alternate).
1. Configuration:
2. Globally
3. Switch# config t
4. Switch(config)# spanning-tree loopguard default
5. Interface
6. Switch# config t
7. Switch(config)# int fa 4/4
8. Switch(config-if)# spanning-tree guard loop
2. Root guard - Root guard was developed to control where root bridges can be located within the network. Switches learn about and elect root bridges based on BPDUs they receive, so if a new switch is added to the environment with a lower bridge priority than the current root bridge, the new switch will become root, and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, root guard can be applied to interfaces where a root bridge should never be seen.
1. Configuration:
2. Switch# config t
3. Switch(config)# int fa 4/4
4. Switch(config-if)# spanning-tree guard root
1.7 Configure and verify other LAN switching technologies - You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device.
1.7.a SPAN (Switch Port Analyzer) - copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use.
Configuration:
• Switch1# configure terminal
• Switch1(config)# monitor session 1 source interface fastEthernet0/2
• Switch1(config)# monitor session 1 destination interface fastEthernet0/24
• Switch1(config)# end
1.7.b RSPAN - An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.
Configuration:
• Create an RSPAN VLAN on Switch1
o Switch1# configure terminal
o Switch1(config)# vlan 200
o Switch1(config-vlan)# remote-span
o Switch1(config-vlan)# end
• Create an RSPAN VLAN on Switch2
o Switch2# configure terminal
o Switch2(config)# vlan 200
o Switch2(config-vlan)# remote-span
o Switch2(config-vlan)# end
• Configure RSPAN on the source switch
o Switch1# configure terminal
o Switch1(config)# monitor session 1 source interface fastEthernet0/2 rx
o Switch1(config)# monitor session 1 destination remote vlan 200 reflector-port fastEthernet0/24
o Switch1(config)# exit
• Configure RSPAN on the destination switch
o Switch2# configure terminal
o Switch2(config)# monitor session 1 source remote vlan 200
o Switch2(config)# monitor session 1 destination interface fastEthernet0/3
o Switch2(config)# exit
1.8 Describe chassis virtualization and aggregation technologies - A Virtual Switching System (VSS) combines a pair of Catalyst 6500 series switches into a single logical network element. An access switch connects to both chassis of the VSS using one logical port channel. The VSS manages the redundant links, which externally act as a single port channel. The VSS simplifies network configuration and operation by reducing the number of Layer 3 routing neighbors and by providing a loop-free Layer 2 topology.
1.8.a StackWise - A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus or StackWise ports. You can connect only one switch type in a stack, or you can connect a mix of Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches in the stack. Catalyst 3750-X and Catalyst 3750-E stack members have StackWise Plus ports, and Catalyst 3750 members have StackWise ports. The stack can have one of these configurations:
• Homogeneous stack—A Catalyst 3750-E-only stack with only Catalyst 3750-E switches as stack members or a Catalyst 3750-X-only stack with only Catalyst 3750-X switches as stack members.
• Mixed stack
1. 2.1 Configure and verify switch security features
2.1.a DHCP snooping - DHCP snooping protects against DHCP spoofing attacks. It is a security feature that, when enabled, trusts only the ports that uplink to an authorized DHCP server and allows them to pass all DHCP traffic. All other ports are untrusted (the default) and can only send DHCP requests. If a DHCP response ("offer") is heard on an untrusted interface, the interface is shut down.
Configuration:
• Switch# config t
• Switch(config)# ip dhcp snooping
2.1.b IP Source Guard - IP Source Guard can be applied to access ports. IP Source Guard keeps track of the host's IP address and/or MAC address associated with each port. If traffic sourced from another address enters that interface, it is dropped.
Configuration:
• Switch# config t
• Switch(config)# int (port number)
• Switch(config-if)# ip verify source   (uses just IP address filtering)
• Switch# sho ip source binding
2.1.c Dynamic ARP Inspection - Dynamic ARP Inspection (DAI) is a security mechanism that works with DHCP snooping to define trusted and untrusted interfaces. DAI intercepts, logs, and drops ARP messages on untrusted ports that do not match the DHCP snooping MAC/IP bindings. All traffic that matches is passed; all traffic that does not match is dropped.
DAI is supported on access ports, trunk ports, EtherChannels, and private VLAN interfaces. Dynamic ARP Inspection should only be applied to ingress interfaces. All access ports should be untrusted and all trunks (including connections to routers) should be configured as trusted. Enable DAI on one or more VLANs, and then configure the trusted interfaces. It matches IP and MAC by default.
Configuration:
• Switch# config t
• Switch(config)# ip arp inspection vlan vlan-id
• Switch(config-if)# ip arp inspection trust
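The three features in 2.1.a to 2.1.c share one piece of state, the DHCP snooping binding table, which is why the notes say DAI "works with DHCP snooping". The following is an added example, not from the study guide and not Cisco code: a small model of the decisions described above. Server-side DHCP messages are dropped on untrusted ports, the binding table (port to MAC/IP) is filled from leases acknowledged through a trusted port, and IP Source Guard and DAI then check IP packets and ARP on untrusted ports against that table. The port names, MAC addresses and IP addresses in the walk-through are constructed sample values.

```python
"""Access-port filtering model for DHCP snooping, IP Source Guard and DAI.
Added example for the 2.1.a-2.1.c notes; not Cisco code, all values constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                        # legitimate only from a DHCP server
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}  # sent by clients


@dataclass
class SnoopingSwitch:
    trusted: set[str]                                        # ports that uplink to the authorised server
    pending: dict[str, str] = field(default_factory=dict)    # client MAC -> ingress port of its request
    bindings: dict[str, tuple[str, str]] = field(default_factory=dict)  # port -> (MAC, leased IP)
    log: list[str] = field(default_factory=list)

    def dhcp(self, port: str, msg: str, client_mac: str, ip: str | None = None) -> bool:
        """DHCP snooping. Returns True when the message is forwarded."""
        if msg in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"dhcp-snooping: dropped {msg} for {client_mac} on untrusted {port}")
            return False
        if msg in CLIENT_MSGS and port not in self.trusted:
            self.pending[client_mac] = port                  # remember which port the client sits on
        if msg == "ACK" and ip is not None and client_mac in self.pending:
            client_port = self.pending.pop(client_mac)
            self.bindings[client_port] = (client_mac, ip)    # lease confirmed -> binding entry
        return True

    def ip_packet(self, port: str, src_mac: str, src_ip: str, check_mac: bool = False) -> bool:
        """IP Source Guard. 'ip verify source' filters on IP only (check_mac=False);
        check_mac=True models the variant that also verifies the source MAC."""
        if port in self.trusted:
            return True
        bound = self.bindings.get(port)
        ok = bound is not None and bound[1] == src_ip and (not check_mac or bound[0] == src_mac)
        if not ok:
            self.log.append(f"ip-source-guard: dropped {src_ip}/{src_mac} on {port}")
        return ok

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: sender MAC/IP on an untrusted port must match the binding."""
        if port in self.trusted:
            return True
        if self.bindings.get(port) == (sender_mac, sender_ip):
            return True
        self.log.append(f"dai: dropped ARP '{sender_ip} is-at {sender_mac}' on {port}")
        return False


def scenario() -> SnoopingSwitch:
    """Constructed walk-through: one honest client on Fa0/1, one misbehaving host on Fa0/2."""
    sw = SnoopingSwitch(trusted={"Gi0/24"})
    # Honest client obtains a lease; the server replies arrive on the trusted uplink.
    sw.dhcp("Fa0/1", "DISCOVER", "00:11:22:33:44:01")
    sw.dhcp("Gi0/24", "OFFER", "00:11:22:33:44:01", "10.1.35.10")
    sw.dhcp("Fa0/1", "REQUEST", "00:11:22:33:44:01")
    sw.dhcp("Gi0/24", "ACK", "00:11:22:33:44:01", "10.1.35.10")
    # A host on an untrusted port answers as if it were the DHCP server: dropped and logged.
    sw.dhcp("Fa0/2", "OFFER", "00:11:22:33:44:01", "10.1.35.200")
    # The same host claims the gateway address in ARP and in IP headers: both dropped.
    sw.arp("Fa0/2", "00:11:22:33:44:02", "10.1.35.1")
    sw.ip_packet("Fa0/2", "00:11:22:33:44:02", "10.1.35.1")
    # The honest client's traffic matches its binding and passes.
    sw.arp("Fa0/1", "00:11:22:33:44:01", "10.1.35.10")
    sw.ip_packet("Fa0/1", "00:11:22:33:44:01", "10.1.35.10")
    return sw


if __name__ == "__main__":
    result = scenario()
    print("bindings:", result.bindings)
    print("\n".join(result.log))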
2.1.d Port security - Port security can put limits on both what MAC addresses are allowed to be connected to a switch port and how many at any given time. Using port security, specific MACs can be statically allowed or dynamically "learned" using the sticky command.
Configuration:
• Switch# config t
• Switch(config)# interface fa 1/1
• Switch(config-if)# switchport port-security
• Specify the maximum number of MACs allowed (default is one):
• Switch(config-if)# switchport port-security maximum number
2.1.e Private VLAN - A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
*Note: You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary.
A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain.
Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.
• Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.
The types of private VLAN ports are as follows:
• Promiscuous—A promiscuous port belongs to the primary VLAN.
• Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports.
• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community.
Configuration:
This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan primary
This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:
switch(config-vlan)# exit
switch(config)# vlan 100
switch(config-vlan)# private-vlan community
This example shows how to assign VLAN 109 to a private VLAN as an isolated VLAN:
switch(config-vlan)# exit
switch(config)# vlan 109
switch(config-vlan)# private-vlan isolated
• 2.1.f Storm control - allows an administrator to suppress excessive inbound unicast, multicast, or broadcast traffic on Layer 2 interfaces. This can be handy to protect against broadcast storms resulting from spanning tree misconfiguration, or even unicast storms created by malfunctioning host NICs.
o Configuration:
- Switch# config t
- Switch(config)# interface fa 1/1
- Switch(config-if)# storm-control broadcast level bps 1m 500k
• In the above example, we have configured storm control for broadcast traffic with a 1 Mbps rising threshold and a 500 Kbps falling threshold. Note that specifying a falling threshold is optional; if omitted, the falling threshold will default to the value of the rising threshold (effectively removing it).
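The rising/falling pair above is a hysteresis band, which is easier to see on a run of traffic samples than in prose. The following is an added example, not from the study guide or from Cisco: it parses the IOS `bps` suffix form used in the command (`1m`, `500k`), then replays constructed one-second broadcast-rate samples through the threshold logic, including the default case where no falling threshold is given and the band collapses to a single value.

```python
"""Storm-control rising/falling threshold behaviour from the 2.1.f notes.
Added example, not from the guide; rate samples are constructed."""
from __future__ import annotations


def parse_rate(text: str) -> float:
    """Parse the IOS bps suffix form: '1m' -> 1_000_000, '500k' -> 500_000."""
    units = {"k": 1e3, "m": 1e6, "g": 1e9}
    text = text.strip().lower()
    if text and text[-1] in units:
        return float(text[:-1]) * units[text[-1]]
    return float(text)


def storm_control(samples: list[float], rising: str, falling: str | None = None) -> list[bool]:
    """Return, per one-second sample, whether broadcast traffic is being suppressed.

    Suppression starts when the measured rate reaches the rising threshold and ends
    only once the rate drops below the falling threshold. With no falling threshold
    IOS uses the rising value for both, so the band disappears."""
    rise = parse_rate(rising)
    fall = parse_rate(falling) if falling is not None else rise
    if fall > rise:
        raise ValueError("falling threshold cannot exceed the rising threshold")
    suppressed = False
    states: list[bool] = []
    for rate in samples:
        if not suppressed and rate >= rise:
            suppressed = True          # storm detected: start dropping broadcasts
        elif suppressed and rate < fall:
            suppressed = False         # rate fell below the falling threshold: resume
        states.append(suppressed)
    return states


if __name__ == "__main__":
    # Constructed samples in bits per second: a burst that decays over a few seconds.
    burst = [200e3, 1.2e6, 800e3, 600e3, 400e3, 1.0e6]
    print("1m 500k :", storm_control(burst, "1m", "500k"))
    print("1m only :", storm_control(burst, "1m"))
```

With both thresholds, suppression persists through the 800 kbps and 600 kbps samples and lifts only at 400 kbps; with the rising threshold alone, the port flaps back to forwarding as soon as the rate dips under 1 Mbps, which is the behaviour the note calls "effectively removing" the falling threshold.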
• 2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS
• 2.2.a AAA with TACACS+ and RADIUS - Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.
• Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.
• *RADIUS is the only supported server type for the 802.1X authentication configured below!
o Configuration:
o Switch(config)# aaa new-model   (enables AAA globally, with default lists applied to the VTYs)
o Switch(config)# aaa authentication dot1x default group radius
o Switch(config)# dot1x system-auth-control   (globally enables 802.1X on the switch)
2.2.b Local privilege authorization fallback
The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout. For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.
The local database supports the following fallback functions:
● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.
● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.
● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When the VPN client of an administrator specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.
3.1 Configure and verify first-hop redundancy protocols
1. 3.1.a Hot Standby Router Protocol (HSRP) - HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN.
HSRP Operation
With HSRP, two routers (Router1 and Router2 in this case) will be seen as only one router. HSRP uses a virtual MAC and IP address for the two routers to present themselves to hosts as a single default gateway. For example, the virtual IP address is 192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the hosts will point their default gateway to this IP address.
One router, through the election process, is designated as the active router while the other router is designated as the standby router. Both the active and standby router listen, but only the active router proceeds and forwards packets. The standby router is the backup when the active router fails: it monitors the periodic hellos sent by the active router (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router.
When a failure on the active router is detected, the standby router assumes the role of the forwarding router. Because the new forwarding router uses the same (virtual) IP and MAC addresses, the hosts see no disruption in communication. A new standby router is also elected at that time (in the case where there are more than two routers in an HSRP group).
Note: All routers in an HSRP group send hello packets.
By default, the hello timer is set to 3 seconds and the dead timer is set to 10 seconds. It means that a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.
Note: The virtual MAC address of HSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal based on the respective interface. For example, HSRP group 10 uses the HSRP virtual MAC address of 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of 0000.0C9F.FXXX.
2. HSRP States
HSRP consists of 5 states:
Initial: This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.
Listen: The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in an HSRP group, the router which is not in active or standby state will remain in listen state.
Speak: The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby: In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from the active router).
Active: The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.
Fun Facts:
HSRP is Cisco proprietary and allows several routers or multilayer switches to appear as a single gateway IP address.
+ HSRP has 5 states: Initial, listen, speak, standby and active.
+ HSRP allows multiple routers to share a virtual IP and MAC address so that the end-user hosts do not realize when a failure occurs.
+ The active (or Master) router uses the virtual IP and MAC addresses.
+ Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by default. The hold time (dead interval) is 10 seconds.
+ Virtual MAC of 0000.0C07.ACxx, where xx is the hexadecimal number of the HSRP group.
+ The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group number 0, so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.
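The virtual MAC rules from the two notes above (v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx, with the group number in hex) in code. This is an added example, not from the study guide or from Cisco. Beyond deriving the address for a group, it does the reverse: given a MAC seen in a host's ARP cache or a switch's MAC table, it reports which HSRP version and group that gateway belongs to, which is the direction a defender usually needs when checking whether a gateway address is the expected one.

```python
"""HSRP virtual MAC derivation and recognition (added example, not from the guide)."""
from __future__ import annotations

HSRP_GROUP_MAX = {1: 255, 2: 4095}   # v1: 8-bit group field, v2: 12-bit group field


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Return the well-known virtual MAC for an HSRP group, in Cisco dotted notation."""
    if version not in HSRP_GROUP_MAX:
        raise ValueError("HSRP version must be 1 or 2")
    if not 0 <= group <= HSRP_GROUP_MAX[version]:
        raise ValueError(f"HSRP v{version} group must be 0-{HSRP_GROUP_MAX[version]}")
    if version == 1:
        return f"0000.0c07.ac{group:02x}"      # 0000.0C07.ACxx
    return f"0000.0c9f.f{group:03x}"          # 0000.0C9F.Fxxx


def hsrp_group_from_mac(mac: str) -> tuple[int, int] | None:
    """Return (version, group) if `mac` is an HSRP virtual MAC, otherwise None.
    Accepts colon, dash or Cisco dotted notation in any case."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        return None
    if digits.startswith("00000c07ac"):
        return 1, int(digits[10:], 16)
    if digits.startswith("00000c9ff"):
        return 2, int(digits[9:], 16)
    return None


def gateway_check(arp_entry_mac: str, expected_group: int, expected_version: int = 1) -> bool:
    """True if the MAC a host resolved for its gateway is the expected HSRP group's VMAC."""
    return hsrp_group_from_mac(arp_entry_mac) == (expected_version, expected_group)


if __name__ == "__main__":
    print("group 10, v1:", hsrp_virtual_mac(10))
    print("group 10, v2:", hsrp_virtual_mac(10, 2))
    print("00:00:0c:07:ac:0a ->", hsrp_group_from_mac("00:00:0c:07:ac:0a"))
```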
• Configuration:
• Switch# config t
• Switch(config)# int (interface number)
• HSRP Configuration
o Switch(config-if)# standby (group-number 0-255) ip (enter ip-address)
• To set the HSRP priority value for a router
o Switch(config-if)# standby (group-number 0-255) priority (priority-value)
• To change the active router to the router you want to be active
o Switch(config-if)# standby (group-number 0-255) preempt
HSRP Timers - HSRP uses two important timers between the active/standby routers. Hello timers are used to exchange HSRP information while the hold down timer is used to determine how long before a router is declared to be down in a group. The default hello time is 3 seconds and the default hold down timer is 10 seconds. That means there could be up to a 10 second delay before the standby router begins forwarding traffic if the active goes down. To tune the timers (in seconds):
• Configuration:
o Switch(config-if)# standby (group-number 0-255) timers {hello time} {hold time}
o Example: Switch(config-if)# standby 10 timers 1 3
HSRP Version: HSRP comes in two versions, 1 and 2. The most significant difference is that v1 only allows up to 255 group numbers and v2 allows up to 4095, making it now possible to correspond group numbers with VLAN IDs.
2. 3.1.b VRRP - VRRP is an open standard redundancy protocol that is similar to Cisco's HSRP. One difference is that the virtual IP can either be a virtual one (as is the case with HSRP) or it can be the actual IP address of the active router.
The VRRP "master" forwards the traffic and is chosen because it owns the real IP address or has the highest priority (default is 100). The "backup" router takes over if the master fails. Priority values are between 1-255.
If the master router fails, it advertises a priority of 0, forcing an election amongst the backup routers without waiting for the hold down timer to expire.
Configuration:
o Switch# config t
o Switch(config)# int (interface-id)
o Switch(config-if)# vrrp (group-number 0-255) ip (virtual-ip-address)
o Switch(config-if)# vrrp (group-number 0-255) priority (priority-value)
VRRP Timers
• Advertisements, or hellos: default 1 second
• Master down interval = 3 times the advertisement time + skew (essentially the same as HSRP's hold down timer)
• Skew time = (256 - priority)/256. Used to ensure the highest priority backup router becomes master.
o Note: Make changes on the master because changes in timers are then propagated to the backups automatically.
o Configuration:
- Switch# config t
- Switch(config)# int (interface-id)
- Switch(config-if)# vrrp (group-number 0-255) advertise (time-in-seconds)
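The two VRRP timer formulas above, carried through for a group of backups. This is an added example, not from the study guide or from any VRRP implementation: it computes the skew time and master down interval for each backup and shows why the skew term alone guarantees that the highest-priority backup is the first to declare the master down. Router names and priorities are constructed.

```python
"""VRRP failover timing from the 3.1.b notes (added example, not from the guide)."""
from __future__ import annotations


def skew_time(priority: int) -> float:
    """Skew time in seconds = (256 - priority) / 256. Higher priority -> smaller skew."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1-255 (0 is only sent by a master giving up)")
    return (256 - priority) / 256


def master_down_interval(priority: int, advertise: float = 1.0) -> float:
    """Seconds a backup waits without advertisements before declaring the master down:
    3 * advertisement interval + skew time."""
    if advertise <= 0:
        raise ValueError("advertisement interval must be positive")
    return 3 * advertise + skew_time(priority)


def failover_order(backups: dict[str, int], advertise: float = 1.0) -> list[str]:
    """Backups ordered by when they would time out the master (first to claim master first).
    `backups` maps a (constructed) router name to its configured priority."""
    return sorted(backups, key=lambda name: master_down_interval(backups[name], advertise))


def first_to_claim_master(backups: dict[str, int], advertise: float = 1.0) -> str:
    return failover_order(backups, advertise)[0]


if __name__ == "__main__":
    group = {"R1": 100, "R2": 200, "R3": 150}   # constructed priorities, default advertise 1 s
    for name in failover_order(group):
        print(f"{name}: priority {group[name]:3d}, skew {skew_time(group[name]):.6f} s, "
              f"master down after {master_down_interval(group[name]):.6f} s")
```

All three intervals lie within a one-second window of each other because the skew can never exceed 255/256 s; that window is exactly what keeps two backups from both promoting themselves.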
3.1.c GLBP - One of the major limitations of both HSRP and VRRP is that a single router handles traffic for the whole group, leaving the others inactive until the master router fails. GLBP, or Gateway Load Balancing Protocol, solves this dilemma by load balancing traffic over up to four gateways, maximizing bandwidth. One virtual IP is used, but each participating router uses a virtual MAC address, which is used to respond to ARP requests.
There are three load-sharing options:
Weighted load balancing - based on preconfigured weights assigned to gateways
Host-dependent load balancing - each host uses a specific gateway
Round-robin load balancing - each MAC is used to respond in turn (default)
The routers running GLBP elect a single Active Virtual Gateway (AVG), which manages the load balancing and responds to ARPs. The highest priority router wins; in a tie the highest IP address wins. Group members send hello multicasts every 3 seconds (multicast address 224.0.0.102); if a router goes down, another will answer for its requests. The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and to assign each network host to one of the GLBP routers. The routers that receive the MAC address assignment are the Active Virtual Forwarders, or AVFs.
• Configuration:
o Switch# config t
o Switch(config)# int (interface-id)
o Switch(config-if)# glbp (group-number 0-255) ip (virtual-ip-address)
o Switch(config-if)# glbp (group-number 0-255) priority (priority-value)
*Note: Remember that the default gateway IP address that is configured on the end hosts should be set to the virtual IP address.
IRDP -
Some newer hosts use the ICMP Router Discovery Protocol (RFC 1256) to find a new router when a route becomes available. A host running IRDP listens for hello multicast messages from its configured router and uses an alternate router when that router is no longer available. It is not necessary to understand the technical details of how IRDP works, but be aware that it is a valid first hop redundancy protocol.
Security Simulation
Example:
PROBLEM
The Fresh Fish Factory is a growing mid-size company with a specialty in producing tasteless crustaceans to retail chains at the lowest possible cost. After a recent financial server security breach, they decide to make security a priority - beginning with their HR Accounting VLAN.
The Fresh Fish Factory has decided to restrict access to VLAN 35 to the 10.1.35.0 /24 range as well as implement 802.1x port security on all access switches for enhanced user authentication. Please complete the following:
1. Configure port-based authentication on AccessSW that will be done using a Radius server.
Radius server IP address: 10.1.1.29.
Radius key: pass123
2. Restrict VLAN 35 to devices in the 10.1.35.0 /24 address range.
3. Packets from devices in any other network range should be explicitly dropped.
4. Filtering should be implemented as close to the server farm as possible.
You are able to make any necessary configuration changes to both AccessSW and DistSW.
SOLUTION
Configure AccessSW:
1. Enable AAA on the switch:
1. AccessSW# configure terminal
2. AccessSW(config)# aaa new-model
2. Define the Radius server with the shared secret key:
1. AccessSW(config)# radius-server host 10.1.1.29 key pass123
3. Enable Radius server authentication on the switch:
1. AccessSW(config)# aaa authentication dot1x default group radius
4. Enable 802.1x on the switch:
1. AccessSW(config)# dot1x system-auth-control
5. Configure interface FastEthernet 0/12 for 802.1x:
1. AccessSW(config)# interface fa 0/12
2. AccessSW(config-if)# switchport mode access
3. AccessSW(config-if)# dot1x port-control auto
4. AccessSW(config-if)# exit
Configure DistSW:
1. Create an access list:
1. DistSW(config)# ip access-list standard 10
2. DistSW(config-std-nacl)# permit 10.1.35.0 0.0.0.255
3. DistSW(config-std-nacl)# exit
2. Define an access map that uses the access list we just created:
1. DistSW(config)# vlan access-map TEST 1
2. DistSW(config-access-map)# match ip address 10
3. DistSW(config-access-map)# action forward
4. DistSW(config-access-map)# exit
5. DistSW(config)# vlan access-map TEST 2
6. DistSW(config-access-map)# action drop
7. DistSW(config-access-map)# exit
3. Apply the VLAN map to VLAN 35:
1. DistSW(config)# vlan filter TEST vlan-list 35
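How the DistSW part of the solution is evaluated once applied, as an added example that is not from the study guide or from Cisco: it implements Cisco wildcard-mask matching for standard ACL 10 and then walks the TEST access-map sequences in order, the way the switch applies the map to each packet in VLAN 35. Sequence 1 forwards sources that ACL 10 permits; sequence 2 has no match clause, so it catches everything left and drops it. It also shows that the explicit drop in sequence 2 makes visible what would happen anyway, since a VLAN map drops packets that match no sequence. The sample source addresses are constructed.

```python
"""Evaluation of the VLAN access map from the Security Simulation solution.
Added example, not Cisco code; sample addresses constructed."""
from __future__ import annotations
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


# Standard ACL 10 as (action, network, wildcard) entries; a standard ACL matches the
# source address and ends with an implicit "deny any".
ACL_10 = [("permit", "10.1.35.0", "0.0.0.255")]
ACLS = {"10": ACL_10}

# Access map TEST as (sequence, ACL name to match or None for "match everything", action).
VLAN_MAP_TEST = [(1, "10", "forward"), (2, None, "drop")]


def acl_permits(acl: list[tuple[str, str, str]], src_ip: str) -> bool:
    """First matching ACL entry decides; no match means the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


def vacl_action(vlan_map: list[tuple[int, str | None, str]],
                acls: dict[str, list[tuple[str, str, str]]], src_ip: str) -> str:
    """Walk the map in sequence order. A sequence matches when it has no match clause
    or its ACL permits the packet; the first match's action applies. Packets that
    match no sequence are dropped (the VLAN map's implicit end-of-map behaviour)."""
    for _seq, acl_name, action in sorted(vlan_map):
        if acl_name is None or acl_permits(acls[acl_name], src_ip):
            return action
    return "drop"


if __name__ == "__main__":
    for src in ("10.1.35.7", "10.1.36.7", "192.168.1.5"):
        print(f"{src:>14} -> {vacl_action(VLAN_MAP_TEST, ACLS, src)}")
```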
EtherChannel + STP
Simulation Example:
PROBLEM
The Better Butter Company has recently replaced an edge switch in a wiring closet due to a hardware failure. Unfortunately the configuration was not backed up and now you are tasked with getting the new switch (AccessSW) up and running as fast as possible based on the following requirements.
• DistSW should not need any configuration changes made, as it worked properly before the outage. It is running rapid spanning tree and VTP transparent mode.
• AccessSW needs to have three VLANs configured on the correct interfaces as shown in the diagram below. It also needs to be running the same VTP and STP mode as DistSW. DistSW must remain the spanning tree root bridge for all active VLANs.
• The connection between the two switches must be configured using a redundant, non-proprietary protocol with DistSW controlling the activation. VLANs should be manually pruned to prevent unnecessary broadcast propagation.
• All VLANs traversing the trunk need to be tagged except for VLAN 99, which should not be tagged.
Additional requirements for AccessSW:
- All active access ports must transition immediately to forwarding state
- No routing is supported on AccessSW
- SVI VLAN 1 needs to be configured with IP address 192.168.1.22 /24
SOLUTION
1. Create the VLAN 1 SVI:
1. AccessSW# conf t
2. AccessSW(config)# interface vlan 1
3. AccessSW(config-if)# ip address 192.168.1.22 255.255.255.0
4. AccessSW(config-if)# no shut
5. AccessSW(config-if)# exit
2. Configure STP (the priority must be a multiple of 4096, so 61440 is the highest value that keeps AccessSW from ever becoming root):
1. AccessSW(config)# spanning-tree mode rapid-pvst
2. AccessSW(config)# spanning-tree vlan 1,50-52 priority 61440
3. Configure VTP mode:
1. AccessSW(config)# vtp mode transparent
4. Configure the access ports:
AccessSW(config)# interface range fastEthernet 0/11-12
AccessSW(config-if-range)# switchport mode access
AccessSW(config-if-range)# switchport access vlan 50
AccessSW(config-if-range)# spanning-tree portfast
AccessSW(config-if-range)# no shut
AccessSW(config-if-range)# interface range fastEthernet 0/13-14
AccessSW(config-if-range)# switchport mode access
AccessSW(config-if-range)# switchport access vlan 51
AccessSW(config-if-range)# spanning-tree portfast
AccessSW(config-if-range)# no shut
AccessSW(config-if-range)# interface range fastEthernet 0/15-16
AccessSW(config-if-range)# switchport mode access
AccessSW(config-if-range)# switchport access vlan 52
AccessSW(config-if-range)# spanning-tree portfast
AccessSW(config-if-range)# no shut
AccessSW(config-if-range)# exit
5. Next, configure the trunking ports for a non-proprietary EtherChannel (LACP; passive on AccessSW so that DistSW controls the activation):
AccessSW(config)# interface range fastEthernet 0/1-2
AccessSW(config-if-range)# channel-protocol lacp
AccessSW(config-if-range)# channel-group 1 mode passive
AccessSW(config-if-range)# no shut
AccessSW(config-if-range)# exit
6. Finally, create the EtherChannel and configure the trunk:
AccessSW(config)# interface port-channel1
AccessSW(config-if)# switchport trunk encapsulation dot1q
AccessSW(config-if)# switchport mode trunk
AccessSW(config-if)# switchport trunk allowed vlan 1,99,50-52
AccessSW(config-if)# switchport trunk native vlan 99
AccessSW(config-if)# no shut
AccessSW(config-if)# exit
MLS Simulation Example:
PROBLEM
VLANs 2, 3, and 4 were recently added to the multilayer switch shown in the diagram to the right and have
not been configured. Users in all three VLAN need to be able to connect to the server, which resides behind
the router. You have been tasked with configuring layer 3 connectivity on the multilayer switch so that PCs
in all three VLANs can successfully ping the server.
Additional requirements:
• All routed ports and SVIs must use the lowest available IP address within their subnets.
• Use EIGRP for dynamic routing; no static routes or other routing protocols may be used.
• EIGRP AS 700 needs to be configured.
• The access ports are already configured, so do not make any changes to their configurations.
SOLUTION
1. Configure the switch’s routed interface:
1. Switch# configure terminal
2. Switch(config)# int gi 0/1
3. Switch(config-if)# no switchport
4. Switch(config-if)# ip address 10.10.10.1 255.255.255.0
5. Switch(config-if)# no shutdown
6. Switch(config-if)# exit
2. Configure the VLAN SVIs:
1. Switch(config)# int vlan 2
2. Switch(config-if)# ip address 192.168.1.1 255.255.255.224
3. Switch(config-if)# no shutdown
4. Switch(config-if)# int vlan 3
5. Switch(config-if)# ip address 192.168.1.33 255.255.255.224
6. Switch(config-if)# no shutdown
7. Switch(config-if)# int vlan 4
8. Switch(config-if)# ip address 192.168.2.1 255.255.255.0
9. Switch(config-if)# no shutdown
10. Switch(config-if)# exit
3. Enable and configure routing:
1. Switch(config)# ip routing
2. Switch(config)# router eigrp 700
3. Switch(config-router)# network 10.10.10.0 0.0.0.255
4. Switch(config-router)# network 192.168.1.0 0.0.0.31
5. Switch(config-router)# network 192.168.1.32 0.0.0.31
6. Switch(config-router)# network 192.168.2.0 0.0.0.255
7. Switch(config-router)# exit
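As an added example that is not part of the guide, the following Python script audits a constructed IOS-style running-config against the rules both simulation solutions above apply: the trunk native VLAN moved off VLAN 1 and carrying no access-port traffic, PortFast never on a trunk, every routed port and SVI at the lowest host address of its subnet, and an EIGRP network statement with the matching wildcard mask for each connected subnet. SAMPLE_CONFIG, the function names and the exact rule set are my assumptions; the config deliberately contains mistakes (an access port in the native VLAN, PortFast on a trunk, an SVI not at the lowest host, a /32 SVI mask, a missing network statement) so the findings are visible.

```python
# Added example, not the guide's own code: audit an IOS-style running-config
# against the rules the two solutions above apply. SAMPLE_CONFIG is constructed.
import ipaddress

SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk native vlan 99
 switchport mode trunk
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 99
interface FastEthernet0/17
 switchport mode trunk
 spanning-tree portfast
interface GigabitEthernet0/1
 no switchport
 ip address 10.10.10.1 255.255.255.0
interface Vlan2
 ip address 192.168.1.1 255.255.255.224
interface Vlan3
 ip address 192.168.1.34 255.255.255.224
interface Vlan4
 ip address 192.168.2.1 255.255.255.255
router eigrp 700
 network 10.10.10.0 0.0.0.255
 network 192.168.1.0 0.0.0.31
"""


def parse_config(text):
    """Map each 'interface X' / 'router Y' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(("interface ", "router ")):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global line ends the current block
    return blocks


def audit_layer2(blocks):
    """Access-switch rules: native VLAN moved off 1 and used by no access port, PortFast never on a trunk."""
    findings, access_vlans, trunk_native = [], {}, {}
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        ifname, native = header.split(" ", 1)[1], 1  # IOS default native VLAN is 1
        for line in lines:
            if line.startswith("switchport access vlan "):
                access_vlans[ifname] = int(line.split()[-1])
            elif line.startswith("switchport trunk native vlan "):
                native = int(line.split()[-1])
        if "switchport mode trunk" in lines:
            trunk_native[ifname] = native
            if native == 1:
                findings.append(f"{ifname}: trunk native VLAN left at 1")
            if "spanning-tree portfast" in lines:
                findings.append(f"{ifname}: PortFast enabled on a trunk port")
    for trunk, native in trunk_native.items():
        for access_if, vlan in access_vlans.items():
            if vlan == native:
                findings.append(f"{trunk}: native VLAN {native} also carries access traffic on {access_if}")
    return findings


def audit_layer3(blocks):
    """MLS rules: every routed port/SVI at the lowest host of its subnet, one EIGRP network per subnet."""
    findings, expected = [], set()
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(" ", 1)[1]
        for line in lines:
            if line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                net = ipaddress.ip_interface(f"{addr}/{mask}").network
                if net.prefixlen >= 31:  # /31 and /32 leave no host range for an SVI
                    findings.append(f"{ifname}: mask {mask} leaves no usable host addresses")
                    continue
                lowest = net.network_address + 1
                if ipaddress.ip_address(addr) != lowest:
                    findings.append(f"{ifname}: {addr} is not the lowest host {lowest} in {net}")
                expected.add(f"network {net.network_address} {net.hostmask}")  # wildcard = hostmask
    eigrp = [h for h in blocks if h.startswith("router eigrp ")]
    if not eigrp:
        return findings + ["global: no EIGRP process configured"]
    configured = {l for l in blocks[eigrp[0]] if l.startswith("network ")}
    return findings + [f"{eigrp[0]}: missing '{s}'" for s in sorted(expected - configured)]


if __name__ == "__main__":
    blocks = parse_config(SAMPLE_CONFIG)
    print("\n".join(audit_layer2(blocks) + audit_layer3(blocks)))
```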
Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133). Kindle Edition.
CCNP Cisco Certified Network Professional Switch Study Guide, Exam 300-115, 3rd edition. CCNPGuide.com

Más contenido relacionado

La actualidad más candente

Demystifying the JESD204B High-speed Data Converter-to-FPGA interface
Demystifying the JESD204B High-speed Data Converter-to-FPGA interfaceDemystifying the JESD204B High-speed Data Converter-to-FPGA interface
Demystifying the JESD204B High-speed Data Converter-to-FPGA interfaceAnalog Devices, Inc.
 
RIP Routing Information Protocol Extreme Networks
RIP Routing Information Protocol Extreme NetworksRIP Routing Information Protocol Extreme Networks
RIP Routing Information Protocol Extreme NetworksDani Royman Simanjuntak
 
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...MNIT Jaipur
 
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comEigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comRishabh Dangwal
 
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...Analog Devices, Inc.
 
RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)Netwax Lab
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocolMuuluu
 
Routing Information Protocol (RIP)
Routing Information Protocol(RIP)Routing Information Protocol(RIP)
Routing Information Protocol (RIP)waqasahmad1995
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolArash Foroughi
 
Routing information protocol & rip configuration
Routing information protocol & rip configurationRouting information protocol & rip configuration
Routing information protocol & rip configuration3Anetwork com
 

La actualidad más candente (20)

Demystifying the JESD204B High-speed Data Converter-to-FPGA interface
Demystifying the JESD204B High-speed Data Converter-to-FPGA interfaceDemystifying the JESD204B High-speed Data Converter-to-FPGA interface
Demystifying the JESD204B High-speed Data Converter-to-FPGA interface
 
RIP Routing Information Protocol Extreme Networks
RIP Routing Information Protocol Extreme NetworksRIP Routing Information Protocol Extreme Networks
RIP Routing Information Protocol Extreme Networks
 
Exam viewer2
Exam viewer2Exam viewer2
Exam viewer2
 
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...
Wireless Communications and a Priority Access Protocol for Multiple Mobile Te...
 
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comEigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
 
Chapter4
Chapter4Chapter4
Chapter4
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...
JESD204B Survival Guide: Practical JESD204B Technical Information, Tips, and ...
 
3 2
3 23 2
3 2
 
RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
Ccna3 module 9 exams
Ccna3 module 9 examsCcna3 module 9 exams
Ccna3 module 9 exams
 
Routing Information Protocol (RIP)
Routing Information Protocol(RIP)Routing Information Protocol(RIP)
Routing Information Protocol (RIP)
 
Day 10 rip (2)
Day 10 rip (2)Day 10 rip (2)
Day 10 rip (2)
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF Fundamental
 
GGTronics ssdac
GGTronics ssdacGGTronics ssdac
GGTronics ssdac
 
Rip1
Rip1Rip1
Rip1
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree Protocol
 
Routing information protocol & rip configuration
Routing information protocol & rip configurationRouting information protocol & rip configuration
Routing information protocol & rip configuration
 
Rs232 protocal
Rs232 protocalRs232 protocal
Rs232 protocal
 

Similar a CCNP Study Guide

CCNP Switching Chapter 8
CCNP Switching Chapter 8CCNP Switching Chapter 8
CCNP Switching Chapter 8Chaing Ravuth
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2Juli Yaret
 
Bharath Ram Chandrasekar_Tele 6603_SDN &NFV
Bharath Ram Chandrasekar_Tele 6603_SDN &NFVBharath Ram Chandrasekar_Tele 6603_SDN &NFV
Bharath Ram Chandrasekar_Tele 6603_SDN &NFVBharath Ram Chandrasekar
 
Industrial Training Presentaion(Networking)
Industrial Training Presentaion(Networking)Industrial Training Presentaion(Networking)
Industrial Training Presentaion(Networking)Gaurav Uniyal
 
CCNA R&S-11-Troubleshooting Ethernet LANs
CCNA R&S-11-Troubleshooting Ethernet LANsCCNA R&S-11-Troubleshooting Ethernet LANs
CCNA R&S-11-Troubleshooting Ethernet LANsAmir Jafari
 
Network Topologies, L1-L2 Basics, Networking Devices
Network Topologies, L1-L2 Basics, Networking DevicesNetwork Topologies, L1-L2 Basics, Networking Devices
Network Topologies, L1-L2 Basics, Networking DevicesAalok Shah
 
CCNA - Switching Concepts made easy
CCNA - Switching Concepts made easyCCNA - Switching Concepts made easy
CCNA - Switching Concepts made easysushmil123
 
Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Omar Herrera
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerHolger Winkelmann
 
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Đồng Quốc Vương
 
Ccna 3 v 4.0 final-exam-17-07-2010
Ccna 3 v 4.0 final-exam-17-07-2010Ccna 3 v 4.0 final-exam-17-07-2010
Ccna 3 v 4.0 final-exam-17-07-2010irbas
 
Ccna 3 v4.0 final-exam-17-07-2010
Ccna 3 v4.0  final-exam-17-07-2010Ccna 3 v4.0  final-exam-17-07-2010
Ccna 3 v4.0 final-exam-17-07-2010irbas
 
IEFN - Ethernet module for LET-36 chassis
IEFN - Ethernet module for LET-36 chassisIEFN - Ethernet module for LET-36 chassis
IEFN - Ethernet module for LET-36 chassisRonald Bartels
 

Similar a CCNP Study Guide (20)

CCNP Switching Chapter 8
CCNP Switching Chapter 8CCNP Switching Chapter 8
CCNP Switching Chapter 8
 
Session 2
Session 2Session 2
Session 2
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2
 
Dc fabric path
Dc fabric pathDc fabric path
Dc fabric path
 
Ccnp labs
Ccnp labsCcnp labs
Ccnp labs
 
Bharath Ram Chandrasekar_Tele 6603_SDN &NFV
Bharath Ram Chandrasekar_Tele 6603_SDN &NFVBharath Ram Chandrasekar_Tele 6603_SDN &NFV
Bharath Ram Chandrasekar_Tele 6603_SDN &NFV
 
Industrial Training Presentaion(Networking)
Industrial Training Presentaion(Networking)Industrial Training Presentaion(Networking)
Industrial Training Presentaion(Networking)
 
Switching
SwitchingSwitching
Switching
 
CCNA R&S-11-Troubleshooting Ethernet LANs
CCNA R&S-11-Troubleshooting Ethernet LANsCCNA R&S-11-Troubleshooting Ethernet LANs
CCNA R&S-11-Troubleshooting Ethernet LANs
 
CCNA 2
CCNA 2 CCNA 2
CCNA 2
 
Network Topologies, L1-L2 Basics, Networking Devices
Network Topologies, L1-L2 Basics, Networking DevicesNetwork Topologies, L1-L2 Basics, Networking Devices
Network Topologies, L1-L2 Basics, Networking Devices
 
CCNA - Switching Concepts made easy
CCNA - Switching Concepts made easyCCNA - Switching Concepts made easy
CCNA - Switching Concepts made easy
 
Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)
 
Cisco-6500-v1.0-R
Cisco-6500-v1.0-RCisco-6500-v1.0-R
Cisco-6500-v1.0-R
 
C C N A Day4
C C N A  Day4C C N A  Day4
C C N A Day4
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow Controller
 
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
 
Ccna 3 v 4.0 final-exam-17-07-2010
Ccna 3 v 4.0 final-exam-17-07-2010Ccna 3 v 4.0 final-exam-17-07-2010
Ccna 3 v 4.0 final-exam-17-07-2010
 
Ccna 3 v4.0 final-exam-17-07-2010
Ccna 3 v4.0  final-exam-17-07-2010Ccna 3 v4.0  final-exam-17-07-2010
Ccna 3 v4.0 final-exam-17-07-2010
 
IEFN - Ethernet module for LET-36 chassis
IEFN - Ethernet module for LET-36 chassisIEFN - Ethernet module for LET-36 chassis
IEFN - Ethernet module for LET-36 chassis
 

CCNP Study Guide

  • 1. CCNP SWITCH (300-115) Study Guide By: Steve Simeus
  • 2. 1.0 Layer 2 Technologies 1. 1.1 Configure andverifyswitchadministration 1. 1.1.a SDM templates SDM stands for Switching Database Manager. It manages layer 2 and layer 3 switching information. 2. 1.1.b Managing MAC address table 1. The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports.The address table includes these types of addresses: 2. • Dynamic address:a source MAC address that the switch learns and then ages when it is not in use. 3. • Static address:a manually entered unicast address that does not age and that is not lost when the switch resets. 4. The address table lists the destination MAC address,the associated VLAN ID, and port number associated with the address and the type (static or dynamic). 5. MAC address table management can be used with the STP, MSTP, and REP features. * By default, MAC address learning is enabled on all interfaces and VLANs on the router. *Disabling MAC address learning on an interface or VLAN could cause flooding in the network. *We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VL` ``AN with more than two ports,every packet entering the switch is flooded in that VLAN domain. 3. 1.1.c TroubleshootErr-disable recovery 1. Error Disable Recovery is the act of a switch detecting an error condition and then automatically turns the err-disabled interface back on after a default time. 2. When a port goes into err-disabled it will shut down and stop sending and receiving traffic. The LED changes to orange and err-disabled will be shown under the show interfaces command. * The reason why an interface would go into err-disable is because of an error condition. This tells a network engineer there is a problem with the port and prevents the port from causing other ports to fail. 
COMMANDS: SW#show errdisable recovery to display the Err Disable Reason column and find out if you have auto recovery enabled. errdisable recovery cause cause-name To enable auto recovery SW#show interfaces status err-disabled will display any interfaces currently in err- disabled status.
  • 3. SW#show errdisable detect to showthe current settings of err disable. Mainly to check if err disable detection is enabled for different settings. errdisable recovery interval timer_interval_seconds To automatically recover. To re-enable an err-disabled port, you must shutdown the port and issue a no shutdown command. 2. 1.2 Configure andverifyLayer2 protocols 1. 1.2.a CDP,LLDP Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. Runs on all media that support SNAP, including LANs, Frame Relay, and ATM media. * Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. * Layer 2 protocol- CDP is enabled on Cisco routers by default. * When a large amount of CDP neighbor announcements are sent, it is possible to consume all memory of an available device. This causes a crash or other abnormal behavior. COMMANDS: No cdp run to disable it. cdp run to re-enable CDP. In global configuration mode. show cdp neighbors to verify whether CDP is enabled or disabled on your Cisco device. show cdp neighbors detail and show cdp entry commands displays additional information about the neighboring devices that include network-layer protocol information and version. LLDP-Link Layer Discover Protocol IEEE 802.1AB To support non-Cisco devices, LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.
  • 4. *LLDP supports a set of attributes that it uses to discover neighbor devices. *These attributes contain type, length, and value descriptions and are referred to as TLVs. *By default, all LLDP-MED TLVs are enabled. MANDATORY LLDP TLVs • Port description TLV • System name TLV • System description TLV • System capabilities TLV • Management address TLV LLDP holdtime (before discarding) 120 seconds LLDP timer (packet update frequency) 30 seconds LLDP reinitialization delay 2 seconds COMMANDS: Enabling LLDP Beginning in privileged EXEC mode, follow these steps to enable LLDP: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 lldp run Enable LLDP globally on the switch. Step 3 interface interface-id Specify the interface on which you are enabling LLDP, and enter interface configuration mode. Step 4 lldp transmit Enable the interface to send LLDP packets. Step 5 lldp receive Enable the interface to receive LLDP packets. Step 6 end Return to privileged EXEC mode. Step 7 showlldp Verify the configuration. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable LLDP, use the no lldp run global configuration command. To disable LLDP on an interface, use the no lldp transmit and the no lldp receive interface configuration commands.
  • 5. This example shows how to globally enable LLDP. Switch# configure terminal Switch(config)# lldp run Switch(config)# end This example shows how to enable LLDP on an interface. Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# lldp transmit Switch(config-if)# lldp receive Switch(config-if)# end 2. 1.2.b UDLD 1. UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional linkexists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it disables the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops. * UDLD supports two modes of operation: normal (the default) and aggressive. Normal Mode- UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. Aggressive Mode- UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected ports on fiber-optic links. * A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. * In a point-to-point link, UDLD hello packets can be considered as a heartbeat whose presence guarantees the health of the link. Conversely, the loss of the heart beat means that the link must be shut down if it is not possible to re-establish a bidirectional link.
  • 6. Feature Default Setting UDLD global enable state Globally disabled UDLD per-port enable state for fiber- optic media Disabled on all Ethernet fiber-optic ports UDLD per-port enable state for twisted- pair (copper) media Disabled on all Ethernet 10/100 and 1000BASE-TX ports UDLD aggressive mode Disabled Configuration Guidelines These are the UDLD configuration guidelines: • UDLD is not supported on ATM ports. • A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch. • When configuring the mode (normal or aggressive),make sure that the same mode is configured on both sides of the link. COMMANDS: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 udld {aggressive | enable | message time message- timer-interval} Specify the UDLD mode of operation: • aggressive—Enables UDLD in aggressive mode on all fiber-optic ports. • enable—Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default. An individual interface configuration overrides the setting of the udld enable global configuration command. For more information about aggressive and normal modes, see the "Modes of Operation" section. • message time message-timer-interval— Configures the period of time between UDLD probe messages on ports that are in the advertisement phase and are detected to be
  • 7. bidirectional. The range is from 1 to 90 seconds. The default value is 15. Note This command affects fiber-optic ports only. Use the udld interface configuration command to enable UDLD on other port types. For more information, see the "Enabling UDLD on an Interface"section. Step 3 end Return to privileged EXEC mode. Step 4 showudld Verify your entries. Step 5 copy running- config startup- config (Optional) Save your entries in the configuration file. 3. 1.3 Configure andverifyVLANs A VLAN defines a broadcast domain. A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a switch supporting fallback bridging. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree.
  • 8. 1. 1.3.a Accessports * An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN. *If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value, that port drops the packet without learning its MAC source address. * Access Ports: hosts and peripherals, who can't send bpdu (like a switch) and neither VLAN information’s. * BPDU (Bridge Protocol Data Unit)- are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology. BPDU packets contain information on ports, addresses, priorities and costs and ensure that the data ends up where it was intended to go. 2. 1.3.b VLAN database 1. Whenthe switchis in VTPserveror transparentmode,youcan configure VLANsinthe VLAN database mode. Whenyouconfigure VLANsinVLAN database mode,the VLAN configurationissavedin the vlan.dat file,notthe running-configorstartup-configfiles.To displaythe VLAN configuration,enterthe showrunning-config vlan command.
  • 9.  Commands: Command Purpose Step 1 Switch# vlan database Enters VLAN database mode. Step 2 Switch(vlan)# vlan vlan_ID Adds an Ethernet VLAN. Note You cannot delete the default VLANs for these media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. When you delete a VLAN, any LAN interfaces configured as access ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. You can use the no keyword to delete a VLAN. Step 3 Switch(vlan)# exit Returns to enable mode. Step 4 Switch# show vlan [id | name] vlan_name Verifies the VLAN configuration. VTP Modes: o Server o Creates, modifies, and deletes VLANs o Sends and forwards advertisement’s o Synchronizes VLAN configurations o Client o Cannot create, modify, or delete VLANs o Sends and forwards advertisement’s o Synchronizes VLAN Configurations o Transparent o Creates, modifies, and deletes local VLANs only o Forwards advertisements o Does not synchronize VLAN configuration
  • 10. 1. 1.3.c Normal,extendedVLAN,voice VLAN  VLAN Ranges: VLANs Range Usage Propagate d by VTP 0, 4095 Reserved For system use only. You cannotsee or use these VLANs. N/A 1 Normal Cisco default.You can use this VLAN but you cannot delete it. Yes 2-1001 Normal Used for EthernetVLANs; you can create, use,and delete these VLANs. Yes 1002-1005 Normal Cisco defaults for FDDI and Token Ring.You cannot delete VLANs 1002-1005. Yes 1006-4094 Extended For Ethernet VLANs only. When configuring extended- range VLANs, note the following: • Layer 3 ports and some software features require internal VLANs. Internal VLANs are allocated from 1006 and up. You cannot use a VLAN that has been allocated for such use.To displaythe VLANs used internally, enter the show vlan internal usagecommand. • Switches running Catalystproductfamily software do not supportconfiguration ofVLANs 1006-1024.If you configure VLANs 1006-1024,ensure thatthe VLANs do not extend to any switches running Catalyst productfamily software. • You mustenable the extended system ID to use extended range VLANs. See the"Enabling the Extended System ID" section. No  You can configure extended-range VLANs only in global configuration mode. o Voice o Some benefits of converged voice, video, and data into a single network include: o Expense reducer – if only a single cable drop is required per user,cabling and network provisioning costs go down. PSTN costs also go down as more calls can use the existing data network and not the public phone service. o Efficiencies in bandwidth – for example, if a voice call is not in progress, data can be transmitted on the same link. That’s not the case with traditional phone lines. o Innovative features - VoIP allows new services to be added including unifying several modes of communication (ex. voicemail, email, IM). Service providers can also sell new services and provide more flexible pricing arrangements.
  • 11. VoIP network Requirements • Low bandwidth, delay, jitter, packet loss • PoE • Medium security • High management • Highly available network Video network Requirements • Low delay, jitter, and packet loss • Medium security and management • High availability Data network Requirements • High bandwidth, availability, and security • Jitter and delay are not that crucial • Medium management o Call Signaling o The first is the call control signaling, used to setup,tear-down, maintain, and redirect calls. Some examples of call signaling protocols include H.323, SIP, and MGCP. Make sure you do not confuse these protocols with the voice compression protocols like G.729 and G.711 (for bandwidth (voice codecs)). o The second is the actual UDP voice traffic itself, which used RTP (Real-Time Transport Protocol) to encapsulate the traffic. o Voice Vlan’s o Voice VLANs are a way for Cisco switches to dynamically tag and assign voice traffic including placing it in its own separate VLAN/subnet. o Voice VLANs are disabled by default. Cisco IP phones have a small internal switch that places an 802.1q tag on the voice traffic and marks the Class of Service (CoS) bits in the tag. Data traffic (from the attached PC) is sent over the native VLAN, while all voice traffic is sent over the configured VLAN on the access port. Cisco calls this setup a multi- VLAN access port. This whole process of enabling voice VLANs also enables the switch to forward frames with specific 802.1P markings. 802.1P designates howQoS is applied at the MAC layer. POE Switches- Two different power standards exist for PoE, Cisco Inline PoE and IEEE 802.3af.  IEEE 802.3af- Relies on the devices to let the switch know how much power it needs.  Cisco Inline POE- Cisco’s devices can additionally use CDP  The new 802.3at standard,also known as PoE+, will specify up to 30 Watts of power. Some current Cisco switches can supply up to 20W.  Note: Non-CDP devices always get 15.4 W allocated to them. 
POE Configuration- Cisco switches automatically detect and provide power, but if you need to disable it or re-enable it, use the following commands:  Switch(config-if)# power inline {never | auto} To view power information for all ports:  Switch# show power inline [interface]
  • 12. Video Video traffic, from Cisco’s perspective, falls into one of three categories: Many to many • Examples include Telepresence, WebEx, peer-to-peer video apps • Data flows client-to-client or MCU-to-client • Bandwidth requirements for high-def video can be up to 12 Mbs per location (with compression) Many to few • Examples include IP surveillance cameras. • Typically require up to 4 Mbs of bandwidth Few to many • Example is Internet streaming from a single source • Quality not as critical • Traffic flows storage to client or server to client QOS(Quality of Service)- Quality of Service is a very important part of operating a VoIP platform on a campus network. There are three main drivers for applying QoS: jitter, packet loss,and delay. Trust Boundaries- The place where a decision about priority marking on incoming frames/packets is done is called the trust boundary.When IP traffic comes into an interface and is already marked, the switch has the following options: • Trust the DSCP value • Trust the IP Precedence value • Trust the CoS value in the frame • Classify the traffic based on an IP ACL or MAC ACL Cisco recommends marking the traffic as close to the source as possible.IP phones can mark their own traffic and otherclients can be marked at the access switch. If that is not an option - mark at the distribution layer, but never at the core. Marking slows traffic down, so it has no place being in the core. All devices within the network path should be configured to trust the marking and provide service based on that. Configure QOS: Before rolling out VoIP in your environment, think through the following planning steps: 1. PoE - Ensure there is enough power for all the phones and has a UPS backup 2. Voice VLAN - Think through the number of VLANs/subnets required, add DHCP scopes for the phones,add voice networks to routing protocols 3. QoS - Decide on which marking and queues you plan on using. 
Cisco recommends implementing AutoQoS and then tuning as needed. 4. Fast Convergence - tune routing and HSRP/VRRP/GLBP timers 5. Test Plan - Test the implementation before rolling it out to real users.Some things to look for include making sure the phone and PC have the correct IP addresses,the phone registers itself, and calls can be made. Configuring Auto QoS Configures the interface to trust CoS on incoming traffic Switch(config-if)# auto qos voip trust Configures the interface to trust CoS only if Cisco phone is connected (requires CDP) Switch(config-if)# auto qos voip cisco-phone
  • 13. Displays the Auto QoS configuration Switch# show auto qos Manual QoS Configuration Switch(config-if)# switchport voice vlan vlan-ID Associates a voice VLAN with a switch port Switch(config-if)# mls qos trust {dscp | cos} Trustmarkings on traffic entering an interface. Effectively moves the trust boundary to the attached device (often an IP phone or server). Switch(config-if)# mls qos trust device cisco-phone Trustmarkings only if a Cisco phone is connected Switch(config-if)# switchport priority extend cos cos-value Instructs the IP phone to set/overwrite CoS value for data coming from a PC attached the phone. The phone would then be the new trust boundary because it is now doing the marking on the data traffic. Also important to note that the CoS vlaue assigned at the end of the statement is a number between 0 and 7.. 7 being the highest priority and 0 being the default value. Switch(config-if)# switchport priority extend trust Instructs the phone to trust the priority of the data coming from the attached PC. Switch# show interfaces interface-id switchport Verify interface parameters Switch# show mls qos interface interface-id Verify QoS parameters on an interface  1.4 Configure andverifytrunking o 1.4.a VTPv1, VTPv2, VTPv3, VTP pruning  Vtp has two versions (1&2) that are not interoperable. All that is required to change from v1 to v2 across the network is to change one server Switch to v2 and it will send out an advertisement to all other switches to make the change as well. V1 is the default.  A third version of VTP address some of the traditional shortcomings. For example, VTP version supports extended VLAN numbers (1 to 4095) that are compatible with the IEEE 802.1Q trunkning standard
  • 14. Configure: Switch(config)# vtp version 2 NOTE: VTP information will not be exchange without first configure the VTP domain name. COMMANDS: Switch# config t Switch(config)# vtp mode server Switch(config)# vtp domain domain_name  VTP Pruning o VTP Pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic over trunk links. o By default, VTP Pruning is disable; to enable it: (go to the server device)  Switch(config)#Vtp pruning o When pruning is enable on a server, it propagates the pruning to all switches in the management domain. o Vlans 2-1001 is eligible for pruning by default.  1.4.b dot1Q o 802.1Q isan openstandard,insertsitsown4 byte tag withinframe and recalculatesthe CRCvalue,allowsfornative VLANs(untaggedframestogo through). o 802.1Q is often used by service providers for tunneling secure VPNs. 802.1Q tunneling feature allows ISPs to segregate different customer’s traffic throughout their infrastructure. o 802.1Q can be used for VLAN identification w/Ethernet trunks.  Trunk (Middle Solution/to carry traffic for multiple VLANS)  By default, all Vlans are allowed on a Trunk.  Before allowed on a trunk, it must be tagged (802.1Q/ISL)
1.4.c Native VLAN (don't put any traffic on it / management only)
  o 802.1Q introduces the concept of a native VLAN on a trunk.
  o Frames belonging to this VLAN are not encapsulated with any tagging information.
  o The native VLAN is the "default" VLAN that allows frames to be passed through the trunk untagged.

1.4.d Manual pruning
  o To modify the default list of pruning eligibility, use the following interface-configuration command:
      Switch(config)# interface type mod/num
      Switch(config-if)# switchport trunk pruning vlan {{add | except | remove} vlan-list | none}

1.5 Configure and verify EtherChannels
  • EtherChannel is a term used to describe bundling or aggregating 2-8 parallel links into one.
  • EtherChannel provides a level of link redundancy.
  • "For each EtherChannel on a switch, you must choose the EtherChannel negotiation protocol and assign individual switch ports to the EtherChannel."
  o *If there are two redundant EtherChannel bundles, one entire EtherChannel will be blocked by STP to prevent a loop.

1.5.a LACP, PAgP, manual

LACP (Link Aggregation Control Protocol)
  • "The switch with the lowest system priority (a 2-byte priority value followed by a 6-byte switch MAC address) is allowed to make decisions about what ports actively are participating in the EtherChannel at a given time."
  • An open-standard alternative to PAgP
  • IEEE 802.3ab
  • Uses a priority system for end switches.
  • The switch with the lowest system priority (2-byte value followed by MAC; lowest wins) determines which ports are active in the EtherChannel at any given time.
  • Uses port priority to determine which ports to place in standby mode if hardware limitations do not allow all ports to participate in the EtherChannel.
  • Most leave the system and port priority at their defaults.
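The tagging behaviour described in 1.4.b and 1.4.c, as an added example that is not part of the study guide: it builds an Ethernet frame, inserts the 4-byte 802.1Q tag and recomputes the FCS for a trunk, leaves native-VLAN frames untagged, and classifies received frames. MAC addresses, VLAN numbers and the payload are constructed.

```python
"""Added example, not from the study guide: builds and parses 802.1Q-tagged
frames the way the trunk description above says a switch does (4-byte tag
inserted after the source MAC, FCS recalculated, native VLAN left untagged).
MAC addresses, VLAN numbers and payloads below are constructed."""
import struct
import zlib

TPID_8021Q = 0x8100


def fcs(body):
    """Ethernet FCS: CRC-32 over the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged frame: dst MAC, src MAC, EtherType, payload, FCS."""
    body = (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)
    return body + fcs(body)


def tag_for_trunk(frame, vlan, native_vlan=1, pcp=0):
    """What a trunk port transmits for a frame that belongs to `vlan`: native
    VLAN frames leave untagged; any other VLAN gets TPID 0x8100 plus a TCI
    (3-bit PCP, DEI, 12-bit VID) and a recomputed FCS."""
    if not 1 <= vlan <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN must be 1..4094 and CoS/PCP 0..7")
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("bad FCS on ingress frame")
    if vlan == native_vlan:
        return frame                # untagged: the receiver maps it to its native VLAN
    tci = (pcp << 13) | vlan        # DEI (bit 12) left clear
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def parse_trunk_frame(frame, native_vlan=1):
    """Classify a frame received on a trunk: (vlan, pcp, ethertype, payload).
    An untagged frame lands in the native VLAN, which is why the guide says
    to keep the native VLAN free of user and management traffic."""
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("bad FCS on received frame")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", body[14:18])
        return tci & 0x0FFF, tci >> 13, inner_type, body[18:]
    return native_vlan, 0, ethertype, body[14:]


# Constructed sample: a broadcast ARP-type frame carried on VLAN 100 with CoS 5.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"constructed payload")
TAGGED = tag_for_trunk(SAMPLE, 100, pcp=5)

if __name__ == "__main__":
    print(len(SAMPLE), len(TAGGED), parse_trunk_frame(TAGGED))
```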
EtherChannel Negotiation Protocols Summary

Configuration:
    "Switch(config)# lacp system-priority priority
    Switch(config)# interface type member/module/number
    Switch(config-if)# channel-protocol lacp
    Switch(config-if)# channel-group number mode {on | passive | active}
    Switch(config-if)# lacp port-priority priority"

PAgP (Port Aggregation Protocol)
  o Cisco proprietary
  o Forms an EtherChannel only if ports are configured for identical static VLAN or trunking
  o Will automatically modify interface parameters on all ports in the bundle if the EtherChannel interface is changed.
  o STP sends packets over only one physical link in a PAgP bundle. Because STP's algorithm uses the lowest port priority (priority + port ID), if defaults are set, STP will always use the lowest-numbered port for BPDUs.
  o "By default, PAgP operates in silent submode with the desirable and auto modes"
  • PAgP aids in the automatic creation of EtherChannel links. PAgP packets are sent between EtherChannel-capable ports in order to negotiate the formation of a channel. Some restrictions are deliberately introduced into PAgP. The restrictions are:
  o PAgP does not form a bundle on ports that are configured for dynamic VLANs. PAgP requires that all ports in the channel belong to the same VLAN or are configured as trunk ports. When a bundle already exists and the VLAN of a port is modified, all ports in the bundle are modified to match that VLAN.
  o PAgP does not group ports that operate at different speeds or port duplex. If speed and duplex change when a bundle exists, PAgP changes the port speed and duplex for all ports in the bundle.
  o PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on allow the formation of a channel. The device on the other side must have PAgP set to on if a device on one side of the channel does not support PAgP, such as a router.
  o Configuration:
      "Switch(config)# interface type member/module/number
      Switch(config-if)# channel-protocol pagp
      Switch(config-if)# channel-group number mode {on | {auto | desirable} [non-silent]}"

1.5.c Load balancing
  • EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4 port numbers with a Policy Feature Card 2 (PFC2) and either source mode, destination mode, or both. The mode you select applies to all EtherChannels that you configure on the switch.
  Configure load balancing:
      SW1# config t
      SW1(config)# port-channel load-balance method
  Methods:
      • src-ip: source IP
      • dst-ip: destination IP
      • src-dst-ip: source and destination IP (XOR) **DEFAULT METHOD**
      • src-mac: source MAC
      • dst-mac: destination MAC
      • src-dst-mac: source and destination MAC (XOR)
      • src-port: source port
      • dst-port: destination port
      • src-dst-port: source and destination port (XOR)

1.5.d EtherChannel misconfiguration guard
  o You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device.
  o If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state and displays an error message.
  Configuration:
  • You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.

1.6 Configure and verify spanning tree
  o Spanning Tree Protocol (STP) is designed to prevent problems related to bridging loops. STP solves the problem by blocking redundant paths and allowing only a single active path. Spanning tree works by selecting a root switch, then selecting a loop-free path from the root switch to every other switch. To do that, spanning tree must choose a single root bridge, one root port for each non-root switch, and a single designated port for each network segment.

STP Path Selection
  o Spanning tree builds the tree structure attempting to use the fastest links it has available for the active paths. STP uses the following steps to select its paths:
    1. Lowest root bridge ID (BID)
    2. Lowest path cost to the root
    3. Lowest sender bridge ID
    4. Lowest sender port ID (PID)

STP Definitions
  o Bridge ID: bridge priority + MAC address
  o Bridge Priority: 0-65,535
  o Default Priority: 32,768
  o Port ID: port priority + port number
  o Port Priority: 0-240 (default is 128, increments of 16)
  o Path Cost: the cumulative cost of all links between the switch and the root bridge.

STP Convergence
  1. Root bridge election: Each VLAN elects one root bridge. All ports on the root bridge act as designated ports, which send and receive traffic as well as BPDUs. The bridge with the lowest bridge ID (lowest priority, then lowest MAC address) becomes root.
  2. Root ports are determined on all non-root bridges: Each non-root bridge is assigned a single root port that sends and receives traffic. The root port is chosen based on the port with the lowest-cost path between the non-root bridge and the root bridge. If two paths are of equal cost, the port with the lowest port ID (priority + port number) will win.
  3. Designated port selection: Each segment has a single designated port. Designated ports are chosen from the non-root ports that have the lowest path cost to the root bridge. In the event of a tie, the bridge ID acts as a tiebreaker (lowest wins). All ports on a root bridge are designated ports.
STP Port Roles

Root port
  • On non-root bridges only
  • Forwards traffic towards the root bridge
  • Only one per switch
  • Can populate the MAC table

Designated port
  • On root and non-root bridges
  • All ports on the root bridge are designated ports
  • Receives and forwards frames towards the root bridge as needed
  • Only one per segment
  • Can populate the MAC table

Non-designated port
  • Does not forward packets (blocking)
  • Does not populate the MAC table

Disabled port
  o A port that is shut down

Spanning tree uses a link cost calculation to determine the root ports on non-root switches. It is calculated by adding the costs of all links between the root bridge and the local switch.
    10 Gbps > Cost 2
    1 Gbps > Cost 4
    100 Mbps > Cost 19
    10 Mbps > Cost 100

1.6.a

1. PVST+ - One instance of STP per VLAN; more resources required; convergence is still slow; includes PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard.

RPVST+ - Rapid Spanning Tree Protocol (IEEE 802.1w) was introduced to dramatically speed up STP's convergence when network changes occur. RSTP can revert to 802.1D (common spanning tree) to interoperate with legacy bridges on a per-port basis. A rapid version of PVST+, RPVST+ is a per-VLAN implementation of rapid spanning tree.

RSTP Port States

Discarding
  • Merges the former disabled, blocking, and listening states
  • Prevents the forwarding of frames
  • Seen in both stable/active and synchronization/changes

Learning
  • Receives frames to populate the MAC table
  • Seen in both stable/active and synchronization/changes

Forwarding
  • Forwarding ports determine the active topology
  • An agreement process between switches occurs before frames can be forwarded
  • Only seen in stable/active topologies

2. MST - Multiple Spanning Tree extends the IEEE 802.1w RST algorithm to multiple spanning trees. The main purpose of MST is to reduce the total number of spanning-tree instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.
3. In most networks, a single MST region is sufficient, although you can configure more than one region. Within the region, all switches must run the instance of MST that is defined by the following attributes:
    1. MST configuration name (32 characters)
    2. MST configuration revision number (0 to 65535)
    3. MST instance-to-VLAN mapping table (4096 entries)

Quick Tips MST:
  • MST allows you to map multiple VLANs to single spanning-tree instances.
  • With MST, use trunks and do not prune VLANs from trunks.
  • MST instance 0 is the only one that communicates to other regions and non-MST switches.

Configuration / Enable MST
    1. Switch(config)# spanning-tree mode mst
    2. Switch(config)# spanning-tree mst configuration
    3. Assign a region configuration name (up to 32 characters): Switch(config-mst)# name name
    4. Assign a region configuration revision number (0 to 65,535): Switch(config-mst)# revision version
    5. Map VLANs to an MST instance: Switch(config-mst)# instance instance-id vlan vlan-list
    6. Switch(config-mst)# show pending
    7. Switch(config-mst)# show current
    8. Switch(config-mst)# exit

1.6.b Switch priority - Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address. (Switch priority is 32768 by default.)

    Switch priority value (bits 16-13)  |  Extended system ID (bits 12-1), set equal to the VLAN ID
    Bit 16  Bit 15  Bit 14  Bit 13      |  Bit 12  Bit 11  Bit 10  Bit 9  Bit 8  Bit 7  Bit 6  Bit 5  Bit 4  Bit 3  Bit 2  Bit 1
    32768   16384   8192    4096        |  2048    1024    512     256    128    64     32     16     8      4      2      1

Switch port priority - If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state.

  Configuration:
    Switch# config t
    Switch(config)# interface port-channel number
    Switch(config-if)# spanning-tree port-priority priority
    Switch(config-if)# spanning-tree vlan vlan-id port-priority priority
    Switch(config-if)# end

Switch path cost - The spanning-tree path cost default value is derived from the media speed of an interface.
  1. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state.
  2. You can assign lower cost values to interfaces that you want selected first and higher cost values to those that you want selected last.
  3. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  4. Configuration:
      Switch# config t
      Switch(config)# interface interface-id
      Switch(config-if)# spanning-tree cost cost
      Switch(config-if)# spanning-tree vlan vlan-id cost cost
      Switch(config-if)# end
  5. Verify your entries: Switch# show spanning-tree interface interface-id

STP timers - There are several STP timers, as this list shows:
  • Hello: The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
  • Forward delay: The forward delay is the time that is spent in the listening and learning states. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
  • Max age: The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter that is known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and all subsequent switches add 1 to this value. Effectively, this value contains the information on how far you are from the root bridge when you receive a BPDU. This diagram illustrates the concept:
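The bridge-ID layout, root election, path costs and tie-break order from the spanning-tree sections above, worked through as an added example that is not part of the study guide. The switch names, MAC addresses, port numbers and link speeds are constructed sample data for VLAN 10.

```python
"""Added example, not part of the study guide: models the per-VLAN bridge ID
(priority field with extended system ID, then MAC), root bridge election and
root-port selection as described above. Switches, MACs and links are made up."""
from dataclasses import dataclass, field

# Default port costs by link speed in Mbps, as listed in the guide.
PATH_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}


@dataclass
class Switch:
    name: str
    mac: str                        # dotted hex, e.g. "0000.0000.0003"
    priority: int = 32768           # default bridge priority
    # (local port number, peer switch name, peer port number, speed in Mbps)
    links: list = field(default_factory=list)


def bridge_id(priority, vlan, mac):
    """Comparable bridge ID: 2-byte priority field, then the 6-byte MAC.
    The configured priority occupies the upper 4 bits (so it must be a
    multiple of 4096); the lower 12 bits hold the extended system ID, which
    is set to the VLAN ID, as in the bit table above."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4095:
        raise ValueError("extended system ID (VLAN) must be in 1..4095")
    return (priority + vlan, mac.lower())


def port_id(port_number, port_priority=128):
    """Port ID = port priority (0-240 in steps of 16, default 128) + port number."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    return (port_priority, port_number)


def elect_root(switches, vlan):
    """Step 1: the lowest bridge ID wins (priority first, MAC as tiebreaker)."""
    return min(switches, key=lambda s: bridge_id(s.priority, vlan, s.mac))


def root_path_costs(switches, root):
    """Cumulative cost from every switch to the root: a switch's cost is the
    cheapest neighbour cost plus the cost of the link towards that neighbour."""
    cost = {s.name: None for s in switches}
    cost[root.name] = 0
    changed = True
    while changed:                  # relax links until no cheaper path appears
        changed = False
        for s in switches:
            for _local, peer, _peer_port, speed in s.links:
                if cost[peer] is None:
                    continue
                candidate = cost[peer] + PATH_COST[speed]
                if cost[s.name] is None or candidate < cost[s.name]:
                    cost[s.name] = candidate
                    changed = True
    return cost


def select_root_port(switch, switches, vlan):
    """Steps 2-4 for one switch: lowest root path cost, then lowest sender
    bridge ID, then lowest sender port ID (local port ID as the last resort).
    Returns the local port number, or None on the root bridge."""
    root = elect_root(switches, vlan)
    if switch is root:
        return None                 # every root-bridge port is designated
    by_name = {s.name: s for s in switches}
    cost = root_path_costs(switches, root)

    def key(link):
        local, peer, peer_port, speed = link
        sender = by_name[peer]
        return (cost[peer] + PATH_COST[speed],
                bridge_id(sender.priority, vlan, sender.mac),
                port_id(peer_port), port_id(local))

    return min(switch.links, key=key)[0]


# Constructed topology. SW3 is root because its priority is lower, even though
# its MAC is the highest. SW1 reaches SW3 directly over 100 Mbps (cost 19) or
# via SW2 over two 1 Gbps links (4 + 4 = 8), so its root port faces SW2. SW2
# has two equal-cost links to SW3; the lower sender port ID on SW3 decides.
SW1 = Switch("SW1", "0000.0000.0001",
             links=[(1, "SW3", 1, 100), (2, "SW2", 1, 1000)])
SW2 = Switch("SW2", "0000.0000.0002",
             links=[(1, "SW1", 2, 1000), (2, "SW3", 7, 1000), (3, "SW3", 3, 1000)])
SW3 = Switch("SW3", "0000.0000.0003", priority=4096,
             links=[(1, "SW1", 1, 100), (7, "SW2", 2, 1000), (3, "SW2", 3, 1000)])
TOPOLOGY = [SW1, SW2, SW3]

if __name__ == "__main__":
    for sw in TOPOLOGY:
        print(sw.name, bridge_id(sw.priority, 10, sw.mac),
              "root port:", select_root_port(sw, TOPOLOGY, 10))
```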
Configure STP timers:
  o Hello timer
      Switch# config t
      Switch(config)# spanning-tree vlan vlan-id hello-time seconds
      Switch(config)# end
  o Forward delay timer
      Switch# config t
      Switch(config)# spanning-tree vlan vlan-id forward-time seconds
      Switch(config)# end
  o Max age timer
      Switch# config t
      Switch(config)# spanning-tree vlan vlan-id max-age seconds
      Switch(config)# end

1.6.c

1. PortFast - Spanning tree PortFast causes Layer 2 switch interfaces to enter the forwarding state immediately, bypassing the listening and learning states. It should be used on ports connected directly to end hosts like servers or workstations.
   *Note: If PortFast isn't enabled, DHCP timeouts can occur while STP converges, causing more problems.
   Configure:
      Switch# config t
      Switch(config)# interface fa 3/1
      Switch(config-if)# [no] spanning-tree portfast
   To verify PortFast on an interface:
      Switch# show spanning-tree interface fa 3/1 portfast
1. Bridge Protocol Data Unit - Bridge Protocol Data Units (BPDUs) are frames that contain information about the Spanning Tree Protocol (STP). Switches send BPDUs using a unique MAC address from their origin port and a multicast address as the destination MAC (01:80:C2:00:00:00).

2. BPDU guard - Prevents problems related to switches accidentally being connected to PortFast-enabled ports, where bridging loops would otherwise instantly occur. It places the port in the err-disabled state if it receives a BPDU, disabling the interface.
   Configure:
      1. To enable BPDU Guard globally on the switch: Switch(config)# spanning-tree portfast edge bpduguard default
      2. To enable BPDU Guard at the interface level: Switch(config-if)# spanning-tree bpduguard enable
   Example case: BPDU guard is a PortFast feature that protects your spanning tree on edge ports (access ports). It (in layman's terms) monitors your port for BPDUs. If it sees one (presumably from a switch), it shuts the port down (err-disabled). This feature ensures that the device connected to a particular port is NOT capable of sending a BPDU (possibly superior to your root bridge) to your network and potentially becoming root bridge, which can have some very serious implications in a switched environment.

3. BPDU filter - When PortFast is enabled on a port, the port will send out BPDUs and will accept and process received BPDUs. The BPDU Guard feature prevents the port from receiving any BPDUs but does not prevent it from sending them. The BPDU Filter feature effectively disables STP on the selected ports by preventing them from sending or receiving any BPDUs.
   Configure:
      Switch# config t
      Switch(config)# spanning-tree portfast bpdufilter default   <to enable BPDU filtering globally on the switch>
      Switch(config-if)# spanning-tree bpdufilter enable          <to enable BPDU filtering at the interface level>
      Switch# show spanning-tree summary                          <to verify that Portfast BPDU Filter Default is enabled>

1.6.d

1. Loop guard - Most bridging loops that occur when STP is active happen when a port in the blocking state stops receiving BPDUs on the interface and therefore transitions to the forwarding state, creating an all-ports-forwarding loop. Loop guard blocks ports on a per-VLAN basis, so on trunks it will only block that VLAN, not the whole trunk. Loop guard should be applied to all non-designated ports (e.g. root, alternate).
   Configuration:
      Globally:
        Switch# config t
        Switch(config)# spanning-tree loopguard default
      Interface:
        Switch# config t
        Switch(config)# interface fa 4/4
        Switch(config-if)# spanning-tree guard loop
2. Root guard - Root guard was developed to control where root bridges can be located within the network. Switches learn about and elect root bridges based on the BPDUs they receive, so if a new switch is added to the environment with a lower bridge priority than the current root bridge, the new switch will become root and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, root guard can be applied to interfaces where a root bridge should never be seen.
   Configuration:
      Switch# config t
      Switch(config)# interface fa 4/4
      Switch(config-if)# spanning-tree guard root

1.7 Configure and verify other LAN switching technologies - You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch, or on another switch, that has been connected to a network analyzer or other monitoring or security device.

1.7.a SPAN (Switch Port Analyzer) - Copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use.
   Configuration:
      Switch1# configure terminal
      Switch1(config)# monitor session 1 source interface fastEthernet0/2
      Switch1(config)# monitor session 1 destination interface fastEthernet0/24
      Switch1(config)# end

1.7.b RSPAN - An extension of SPAN called remote SPAN, or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated to the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.
   Configuration:
      Create the RSPAN VLAN on Switch1:
        Switch1# configure terminal
        Switch1(config)# vlan 200
        Switch1(config-vlan)# remote-span
        Switch1(config-vlan)# end
      Create the RSPAN VLAN on Switch2:
        Switch2# configure terminal
        Switch2(config)# vlan 200
        Switch2(config-vlan)# remote-span
        Switch2(config-vlan)# end
      Configure RSPAN on the source switch:
        Switch1# configure terminal
        Switch1(config)# monitor session 1 source interface fastEthernet0/2 rx
        Switch1(config)# monitor session 1 destination remote vlan 200 reflector-port fastEthernet0/24
        Switch1(config)# exit
      Configure RSPAN on the destination switch:
        Switch2# configure terminal
        Switch2(config)# monitor session 1 source remote vlan 200
        Switch2(config)# monitor session 1 destination interface fastEthernet0/3
        Switch2(config)# exit

1.8 Describe chassis virtualization and aggregation technologies - A Virtual Switching System (VSS) combines a pair of Catalyst 6500 series switches into a single logical network element. An access switch connects to both chassis of the VSS using one logical port channel. The VSS manages the redundant links, which externally act as a single port channel. The VSS simplifies network configuration and operation by reducing the number of Layer 3 routing neighbors and by providing a loop-free Layer 2 topology.
1.8.a StackWise - A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus or StackWise ports. You can connect only one switch type in a stack, or you can connect a mix of Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches in the stack. Catalyst 3750-X and Catalyst 3750-E stack members have StackWise Plus ports, and Catalyst 3750 members have StackWise ports. The stack can have one of these configurations:
  • Homogeneous stack: A Catalyst 3750-E-only stack with only Catalyst 3750-E switches as stack members, or a Catalyst 3750-X-only stack with only Catalyst 3750-X switches as stack members.
  • Mixed stack

2.1 Configure and verify switch security features

2.1.a DHCP snooping - DHCP snooping protects against DHCP spoofing attacks. It is a security feature that, when enabled, trusts only the ports that uplink to an authorized DHCP server and allows them to pass all DHCP traffic. All other ports are untrusted (the default) and can only send DHCP requests. If a DHCP response ("offer") is heard on an untrusted interface, the interface is shut down.
   Configuration:
      Switch# config t
      Switch(config)# ip dhcp snooping

2.1.b IP Source Guard - IP Source Guard can be applied to access ports. IP Source Guard keeps track of the host's IP address and/or MAC address associated with each port. If traffic sourced from another address enters that interface, it is dropped.
   Configuration:
      Switch# config t
      Switch(config)# interface (port number)
      Switch(config-if)# ip verify source        (uses just IP address filtering)
      Switch# show ip source binding

2.1.c Dynamic ARP Inspection - Dynamic ARP Inspection (DAI) is a security mechanism that works with DHCP snooping to define trusted and untrusted interfaces. DAI intercepts, logs, and drops ARP messages on untrusted ports that do not match the DHCP snooping MAC/IP bindings. All traffic that matches is passed; all traffic that does not match is dropped. DAI is supported on access ports, trunk ports, EtherChannels, and private VLAN interfaces. Dynamic ARP Inspection should only be applied to ingress interfaces. All access ports should be untrusted and all trunks (including connections to routers) should be configured as trusted. Enable DAI on one or more VLANs, and then configure the trusted interfaces. It matches IP and MAC by default.
   Configuration:
      Switch# config t
      Switch(config)# ip arp inspection vlan vlan-id
      Switch(config)# interface interface-id
      Switch(config-if)# ip arp inspection trust

2.1.d Port security - Port security can put limits on both what MAC addresses are allowed to be connected to a switch port and how many at any given time. Using port security, specific MACs can be statically allowed or dynamically "learned" using the sticky command.
   Configuration:
      Switch# config t
      Switch(config)# interface fa 1/1
      Switch(config-if)# switchport port-security
      Specify the maximum number of MACs allowed (default is one):
      Switch(config-if)# switchport port-security maximum number
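The trust model of 2.1.a and 2.1.c, as an added example that is not part of the study guide: a minimal DHCP snooping binding table and the DAI check built on it, run over constructed sample packets to show which DHCP replies and ARP messages get dropped and logged. Port names, VLAN numbers, MAC and IP addresses are all made up.

```python
"""Added example, not from the study guide: a minimal model of the DHCP
snooping binding table and the Dynamic ARP Inspection (DAI) check the guide
describes, run over constructed sample packets. Port names, VLAN numbers,
MAC and IP addresses are all made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: MAC, IP, VLAN and the port the host is on."""
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnooping:
    """Trusted ports (uplinks to the DHCP server) may carry any DHCP message;
    untrusted ports may only send client messages, so a server reply seen
    there is dropped. Bindings are learned from ACKs for untrusted clients."""
    SERVER_MESSAGES = {"offer", "ack", "nak"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = set()
        self.pending = {}       # client MAC -> (port, vlan) of its request
        self.log = []

    def dhcp(self, port, vlan, msg_type, client_mac, client_ip=None):
        """Return 'permit' or 'drop' for one DHCP message seen on a port."""
        mac = client_mac.lower()
        if msg_type in self.SERVER_MESSAGES and port not in self.trusted:
            self.log.append(f"DHCP {msg_type} for {mac} dropped on untrusted {port}")
            return "drop"
        if msg_type in ("discover", "request") and port not in self.trusted:
            self.pending[mac] = (port, vlan)
        elif msg_type == "ack" and mac in self.pending:
            host_port, host_vlan = self.pending.pop(mac)
            self.bindings.add(Binding(mac, client_ip, host_vlan, host_port))
        return "permit"


class DynamicArpInspection:
    """ARP on a trusted port, or on a VLAN without DAI, passes. ARP on an
    untrusted port must match a snooping binding on IP, MAC, VLAN and port."""

    def __init__(self, snooping, vlans, trusted_ports):
        self.snooping = snooping
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.log = []

    def inspect(self, port, vlan, sender_mac, sender_ip):
        """Return 'permit' or 'drop' for one ARP packet."""
        if vlan not in self.vlans or port in self.trusted:
            return "permit"
        if Binding(sender_mac.lower(), sender_ip, vlan, port) in self.snooping.bindings:
            return "permit"
        self.log.append(f"DAI drop on {port} vlan {vlan}: {sender_mac} claims {sender_ip}")
        return "drop"


def run_sample():
    """Constructed scenario: Gi1/0/24 is the uplink to the DHCP server and the
    router, host A sits on Gi1/0/1, and other access ports are untrusted."""
    snoop = DhcpSnooping(trusted_ports=["Gi1/0/24"])
    dai = DynamicArpInspection(snoop, vlans=[10], trusted_ports=["Gi1/0/24"])
    host_a = "aa:aa:aa:00:00:01"
    results = {}
    # Legitimate exchange for host A: request on its access port, ACK on the uplink.
    snoop.dhcp("Gi1/0/1", 10, "request", host_a)
    snoop.dhcp("Gi1/0/24", 10, "ack", host_a, "10.0.10.11")
    # A DHCP server reply arriving on an access port is dropped.
    results["rogue_offer"] = snoop.dhcp("Gi1/0/3", 10, "offer", host_a, "10.0.10.99")
    # ARP that matches host A's binding exactly.
    results["arp_ok"] = dai.inspect("Gi1/0/1", 10, host_a, "10.0.10.11")
    # Host A's MAC claiming the gateway address: the case DAI exists to stop.
    results["arp_spoof"] = dai.inspect("Gi1/0/1", 10, host_a, "10.0.10.1")
    # Host A's binding presented from a different port: the port is part of the match.
    results["arp_wrong_port"] = dai.inspect("Gi1/0/2", 10, host_a, "10.0.10.11")
    # A host that never went through DHCP has no binding and is dropped too.
    results["arp_unknown"] = dai.inspect("Gi1/0/2", 10, "aa:aa:aa:00:00:02", "10.0.10.12")
    # ARP from the router side on the trusted uplink is not inspected.
    results["arp_trusted"] = dai.inspect("Gi1/0/24", 10, "cc:cc:cc:00:00:01", "10.0.10.1")
    return results, snoop.log + dai.log


if __name__ == "__main__":
    verdicts, events = run_sample()
    print(verdicts)
    for line in events:
        print(line)
```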
2.1.e Private VLAN - A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may be either isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

*Note: You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary.

A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain. Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:
  • Isolated VLANs: Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.
  • Community VLANs: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.
The types of private VLAN ports are as follows:
  • Promiscuous: A promiscuous port belongs to the primary VLAN.
  • Isolated VLAN: An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports.
  • Community VLAN: A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community.

Configuration:
   This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:
      switch# configure terminal
      switch(config)# vlan 5
      switch(config-vlan)# private-vlan primary
   This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:
      switch(config-vlan)# exit
      switch(config)# vlan 100
      switch(config-vlan)# private-vlan community
   This example shows how to assign VLAN 109 to a private VLAN as an isolated VLAN:
      switch(config-vlan)# exit
      switch(config)# vlan 109
      switch(config-vlan)# private-vlan isolated

2.1.f Storm control - Allows an administrator to suppress excessive inbound unicast, multicast, or broadcast traffic on Layer 2 interfaces. This can be handy to protect against broadcast storms resulting from spanning tree misconfiguration, or even unicast storms created by malfunctioning host NICs.
   Configuration:
      Switch# config t
      Switch(config)# interface fa 1/1
      Switch(config-if)# storm-control broadcast level bps 1m 500k
   In the above example, we have configured storm control for broadcast traffic with a 1 Mbps rising threshold and a 500 Kbps falling threshold. Note that specifying a falling threshold is optional; if omitted, the falling threshold will default to the value of the rising threshold (effectively removing it).
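The Layer 2 reachability rules for the private VLAN port types described in 2.1.e, as an added example that is not part of the study guide. It reuses the guide's VLAN numbers (5 primary, 100 community, 109 isolated) and adds a constructed second community VLAN 101 to show that communities cannot reach each other; port names are made up.

```python
"""Added example, not from the study guide: a Layer 2 reachability check for
the private VLAN port types described above. Uses the guide's VLAN numbers
(5 primary, 100 community, 109 isolated) plus a constructed community VLAN
101; port names are made up."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int                  # primary VLAN the port belongs to
    secondary: int = None         # secondary VLAN for host ports; None = promiscuous


class PrivateVlan:
    """One private VLAN domain: a primary VLAN with its secondary VLANs."""

    def __init__(self, primary, isolated=(), community=()):
        if set(isolated) & set(community):
            raise ValueError("a secondary VLAN is either isolated or community, not both")
        self.primary = primary
        self.isolated = set(isolated)
        self.community = set(community)

    def role(self, port):
        """'promiscuous', 'isolated' or 'community'; error for a misassociated port."""
        if port.primary != self.primary:
            raise ValueError(f"{port.name} is not in primary VLAN {self.primary}")
        if port.secondary is None:
            return "promiscuous"
        if port.secondary in self.isolated:
            return "isolated"
        if port.secondary in self.community:
            return "community"
        raise ValueError(f"VLAN {port.secondary} is not associated with primary {self.primary}")

    def can_forward(self, src, dst):
        """Whether a frame from src may be delivered to dst at Layer 2."""
        roles = (self.role(src), self.role(dst))
        if src == dst:
            return False
        if "promiscuous" in roles:
            return True           # promiscuous ports (gateway, firewall) reach every host
        if "isolated" in roles:
            return False          # isolated hosts reach only promiscuous ports
        return src.secondary == dst.secondary   # community hosts: same community only

    def reachability(self, ports):
        """{(src name, dst name): bool} over every ordered pair of distinct ports."""
        return {(s.name, d.name): self.can_forward(s, d) for s, d in permutations(ports, 2)}


# Constructed domain and ports.
DOMAIN = PrivateVlan(primary=5, isolated=[109], community=[100, 101])
PORTS = [
    PvlanPort("Gi1/0/1", 5),          # promiscuous: the default gateway
    PvlanPort("Gi1/0/2", 5, 100),     # community 100
    PvlanPort("Gi1/0/3", 5, 100),     # community 100
    PvlanPort("Gi1/0/4", 5, 101),     # community 101
    PvlanPort("Gi1/0/5", 5, 109),     # isolated
    PvlanPort("Gi1/0/6", 5, 109),     # isolated
]

if __name__ == "__main__":
    for (s, d), ok in sorted(DOMAIN.reachability(PORTS).items()):
        print(f"{s} -> {d}: {'forward' if ok else 'blocked'}")
```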
2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS

2.2.a AAA with TACACS+ and RADIUS - Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.
  • Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.
  • *RADIUS is the only supported server type!
  Configuration:
      Switch(config)# aaa new-model                              (enables AAA globally, with default lists applied to the VTYs)
      Switch(config)# aaa authentication dot1x default group radius
      Switch(config)# dot1x system-auth-control                  (globally enables 802.1X on the switch)

2.2.b Local privilege authorization fallback - The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout. For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords on the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different from the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:
  • Console and enable password authentication: When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group are all unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.
  • Command authorization: When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.
  • VPN authentication and authorization: VPN authentication and authorization are supported to enable remote access to the security appliance if the AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general-attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When an administrator's VPN client specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.
3.1 Configure and verify first-hop redundancy protocols

3.1.a Hot Standby Router Protocol (HSRP) - HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN.

HSRP Operation
With HSRP, two routers (Router1 and Router2 in this case) will be seen as only one router. HSRP uses a virtual MAC and IP address for the two routers to present themselves to hosts as a single default gateway. For example, the virtual IP address is 192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the hosts will point their default gateway to this IP address.

One router, through the election process, is designated as the active router while the other router is designated as the standby router. Both active and standby routers listen, but only the active router proceeds and forwards packets. The standby router is the backup when the active router fails; it monitors the periodic hellos sent by the active router (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router. When a failure on the active router is detected, the standby router assumes the role of the forwarding router. Because the new forwarding router uses the same (virtual) IP and MAC addresses, the hosts see no disruption in communication. A new standby router is also elected at that time (in case there are more than two routers in an HSRP group).

Note: All routers in an HSRP group send hello packets. By default, the hello timer is set to 3 seconds and the dead timer is set to 10 seconds. It means that a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.
  • 31. Note: The virtual MAC address ofHSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal based on the respective interface. For example, HSRP group 10 uses the HSRP virtual MAC address of 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of 0000.0C9F.FXXX 2. HSRP States HSRP consists of5 states: State Description Initial This is the beginning state.It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on Listen The router knows both IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in HSRP group, the router which is not in active or standby state will remain in listen state. Speak The router sends periodic HSRP hellos and participates in the election of the active or standby router. Standby In this state,the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from active router) Active The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages Fun Facts: HSRP is Cisco proprietary which allows several routers or multilayer switches to appear as a single gateway IP address. + HSRP has 5 states: Initial, listen, speak, standby and active. + HSRP allows multiple routers to share a virtual IP and MAC address so that the end-userhosts do not realize when a failure occurs. + The active (or Master) router uses the virtual IP and MAC addresses. + Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by default. The hold time (dead interval) is 10 seconds. + Virtual MAC of 0000.0C07.ACxx , where xx is the hexadecimal number of HSRP group. + The group numbers of HSRP version 1 range from 0 to 255.HSRP does support group number of 0 so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers. 
Configuration:
  Switch# config t
  Switch(config)# int (interface number)
HSRP configuration:
  Switch(config-if)# standby (group-number 0-255) ip (ip-address)
To set the HSRP priority value for a router:
  Switch(config-if)# standby (group-number 0-255) priority (priority-value)
To let the router you want to be active take over the active role:
  Switch(config-if)# standby (group-number 0-255) preempt
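As an added example (not part of the study guide), the following Python derives the HSRP v1/v2 virtual MAC from a group number using the layouts quoted above and does the reverse, so that a defender can recognise HSRP virtual MACs in an ARP or MAC table and flag groups that were never planned for a VLAN; the ARP entries are constructed sample data.

```python
import re

# HSRP virtual MAC layouts quoted in the guide (IPv4 groups):
#   v1: 0000.0C07.ACxx   xx  = 8-bit group number  (groups 0-255)
#   v2: 0000.0C9F.Fxxx   xxx = 12-bit group number (groups 0-4095)
_HSRP_V1_PREFIX = "00000c07ac"  # 10 hex digits, then the 2-digit group
_HSRP_V2_PREFIX = "00000c9ff"   # 9 hex digits, then the 3-digit group

def _hex_digits(mac: str) -> str:
    """Accept 0000.0c07.ac0a, 00:00:0c:07:ac:0a or 00-00-0c-07-ac-0a; return 12 hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def hsrp_virtual_mac(version: int, group: int) -> str:
    """Build the virtual MAC (Cisco dotted notation) for an HSRP version/group pair."""
    if version == 1 and 0 <= group <= 255:
        digits = f"{_HSRP_V1_PREFIX}{group:02x}"
    elif version == 2 and 0 <= group <= 4095:
        digits = f"{_HSRP_V2_PREFIX}{group:03x}"
    else:
        raise ValueError(f"group {group} is not valid for HSRP version {version}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def identify_hsrp(mac: str):
    """Return (version, group) when the MAC is an HSRP virtual MAC, otherwise None."""
    digits = _hex_digits(mac)
    if digits.startswith(_HSRP_V1_PREFIX):
        return 1, int(digits[len(_HSRP_V1_PREFIX):], 16)
    if digits.startswith(_HSRP_V2_PREFIX):
        return 2, int(digits[len(_HSRP_V2_PREFIX):], 16)
    return None

def unexpected_hsrp_gateways(arp_entries, expected_groups):
    """Return (ip, mac, (version, group)) for ARP entries carrying an HSRP virtual MAC
    whose group is not in expected_groups, i.e. a gateway that was never planned."""
    findings = []
    for ip, mac in arp_entries:
        hit = identify_hsrp(mac)
        if hit is not None and hit not in expected_groups:
            findings.append((ip, mac, hit))
    return findings

# Constructed sample ARP table: HSRP v1 group 10 is the planned gateway on this VLAN.
SAMPLE_ARP = [("192.168.1.254", "0000.0c07.ac0a"),
              ("192.168.1.253", "0000.0c9f.f00a"),
              ("192.168.1.10", "5c26.0a12.3456")]
```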
• 32. HSRP Timers

HSRP uses two important timers between the active/standby routers. Hello timers are used to exchange HSRP information, while the hold-down timer is used to determine how long before a router is declared to be down in a group. The default hello time is 3 seconds and the default hold-down timer is 10 seconds. That means there could be up to a 10 second delay before the standby router begins forwarding traffic if the active router goes down.

To tune the timers (in seconds):
Configuration:
  Switch(config-if)# standby (group-number 0-255) timers {hello time} {hold time}
Example:
  Switch(config-if)# standby 10 timers 1 3

HSRP Version: HSRP comes in two versions, 1 and 2. The most significant difference is that v1 only allows group numbers up to 255 while v2 allows group numbers up to 4095, making it possible to match group numbers with VLAN IDs.

2. 3.1.b VRRP

VRRP is an open standard redundancy protocol that is similar to Cisco's HSRP. One difference is that the virtual IP can either be a virtual one (as is the case with HSRP) or it can be the actual IP address of the active router. The VRRP "master" forwards the traffic and is chosen because it owns the real IP address or has the highest priority (default is 100). The "backup" router takes over if the master fails. Priority values are between 1 and 255. If the master router fails, it advertises a priority of 0, forcing an election amongst the backup routers without waiting for the hold-down timer to expire.

Configuration:
  Switch# config t
  Switch(config)# int (interface-id)
  Switch(config-if)# vrrp (group-number 0-255) ip (virtual-ip-address)
  Switch(config-if)# vrrp (group-number 0-255) priority (priority-value)

VRRP Timers
• Advertisements, or hellos: default 1 second
• Master down interval = 3 times the advertisement time + skew (essentially the same as HSRP's hold-down timer)
• Skew time = (256 - priority) / 256. Used to ensure the highest priority backup router becomes master.
Note: Make changes on the master, because changes in timers are then propagated to the backups automatically.
Configuration:
  Switch# config t
  Switch(config)# int (interface-id)
  Switch(config-if)# vrrp (group-number 0-255) timers advertise (time-in-seconds)
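An added example (not the guide's own) that works through the VRRP timer formulas above: the skew time, the master down interval, and the resulting takeover order for several backups. The router names and priorities are constructed, and the priority-0 shortcut follows RFC 3768, where a backup that hears a priority-0 advertisement waits only the skew time.

```python
def vrrp_skew_time(priority: int) -> float:
    """Skew time in seconds = (256 - priority) / 256, as stated in the guide."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be between 1 and 255")
    return (256 - priority) / 256

def vrrp_master_down_interval(advertise: float, priority: int) -> float:
    """Master down interval = 3 * advertisement interval + skew time (seconds)."""
    return 3 * advertise + vrrp_skew_time(priority)

def failover_delay(priority: int, advertise: float = 1.0, graceful: bool = False) -> float:
    """Seconds a backup with this priority waits before taking over.
    A silent master failure is only noticed when the master down interval expires.
    On a graceful shutdown the master sends a priority-0 advertisement and, per
    RFC 3768, backups then wait only the skew time; that is the fast election the
    guide describes."""
    if graceful:
        return vrrp_skew_time(priority)
    return vrrp_master_down_interval(advertise, priority)

def takeover_order(backups, advertise: float = 1.0, graceful: bool = False):
    """backups: [(name, priority), ...]. Returns [(name, priority, delay), ...] sorted
    by how soon each backup would declare the master down. Because the skew shrinks
    as the priority grows, the highest-priority backup always comes first, which is
    exactly what the skew time is for."""
    timed = [(name, prio, failover_delay(prio, advertise, graceful))
             for name, prio in backups]
    return sorted(timed, key=lambda entry: entry[2])

# Constructed example: three backups with distinct priorities, default 1 s advertisements.
BACKUPS = [("R2", 100), ("R3", 150), ("R4", 200)]
```

With the defaults a priority-100 backup declares the master down after 3.609375 s, well under HSRP's default 10 s hold time.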
• 33. 3.1.c GLBP

One of the major limitations of both HSRP and VRRP is that a single router handles traffic for the whole group, leaving the others inactive until the master router fails. GLBP, or Gateway Load Balancing Protocol, solves this by load balancing traffic over up to four gateways, maximizing bandwidth. One virtual IP is used, but each participating router uses its own virtual MAC address, which is used to respond to ARP requests. There are three load-sharing options:

Weighted load balancing: based on preconfigured weights assigned to gateways
Host-dependent load balancing: each host uses a specific gateway
Round-robin load balancing: each MAC is used to respond in turn (default)

The routers running GLBP elect a single Active Virtual Gateway (AVG), which manages the load balancing and responds to ARPs. The highest priority router wins; in a tie the highest IP address wins. Group members send hello multicasts every 3 seconds (multicast address 224.0.0.102); if a router goes down, another will answer for its requests. The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and to assign each network host to one of the GLBP routers. The routers that receive the MAC address assignment are the Active Virtual Forwarders, or AVFs.

Configuration:
  Switch# config t
  Switch(config)# int (interface-id)
  Switch(config-if)# glbp (group-number 0-255) ip (virtual-ip-address)
  Switch(config-if)# glbp (group-number 0-255) priority (priority-value)

Note: Remember that the default gateway IP address that is configured on the end hosts should be set to the virtual IP address.

IRDP

Some newer hosts use the ICMP Router Discovery Protocol (RFC 1256) to find a new router when a route becomes available. A host running IRDP listens for hello multicast messages from its configured router and uses an alternate router when that router is no longer available.
It is not necessary to understand the technical details of how IRDP works, but be aware that it is a valid first hop redundancy protocol.
• 34. Security Simulation Example

PROBLEM

The Fresh Fish Factory is a growing mid-size company with a specialty in producing tasteless crustaceans for retail chains at the lowest possible cost. After a recent financial server security breach, they decided to make security a priority, beginning with their HR Accounting VLAN. The Fresh Fish Factory has decided to restrict access to VLAN 35 to the 10.1.35.0 /24 range as well as implement 802.1x port security on all access switches for enhanced user authentication. Please complete the following:

1. Configure port-based authentication on AccessSW using a RADIUS server. RADIUS server IP address: 10.1.1.29. RADIUS key: pass123
2. Restrict VLAN 35 to devices in the 10.1.35.0 /24 address range.
3. Packets from devices in any other network range should be explicitly dropped.
4. Filtering should be implemented as close to the server farm as possible.

You are able to make any necessary configuration changes to both AccessSW and DistSW.
• 35. SOLUTION

Configure AccessSW:

1. Enable AAA on the switch:
  AccessSW# configure terminal
  AccessSW(config)# aaa new-model
2. Define the RADIUS server with the shared secret key:
  AccessSW(config)# radius-server host 10.1.1.29 key pass123
3. Use the RADIUS server group for 802.1x authentication:
  AccessSW(config)# aaa authentication dot1x default group radius
4. Enable 802.1x globally on the switch:
  AccessSW(config)# dot1x system-auth-control
5. Configure interface FastEthernet 0/12 for 802.1x:
  AccessSW(config)# interface fa 0/12
  AccessSW(config-if)# switchport mode access
  AccessSW(config-if)# dot1x port-control auto
  AccessSW(config-if)# exit

Configure DistSW:

1. Create an access list that matches the permitted range:
  DistSW(config)# ip access-list standard 10
  DistSW(config-std-nacl)# permit 10.1.35.0 0.0.0.255
  DistSW(config-std-nacl)# exit
2. Define a VLAN access map that uses the access list just created (sequence 1 forwards traffic the ACL permits; sequence 2 has no match clause, so it matches and drops everything else):
  DistSW(config)# vlan access-map TEST 1
  DistSW(config-access-map)# match ip address 10
  DistSW(config-access-map)# action forward
  DistSW(config-access-map)# exit
  DistSW(config)# vlan access-map TEST 2
  DistSW(config-access-map)# action drop
  DistSW(config-access-map)# exit
3. Apply the VLAN map to VLAN 35:
  DistSW(config)# vlan filter TEST vlan-list 35
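To show what the DistSW VLAN access map actually does to a packet, here is an added Python model (not part of the guide's solution) of standard-ACL wildcard matching and VLAN access-map sequence evaluation, with ACL 10 and map TEST from the solution entered as constructed data. It also shows why a subnet mask typed in place of the 0.0.0.255 wildcard would not match the VLAN 35 hosts.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'. 0.0.0.255 therefore covers 10.1.35.0/24, whereas the
    subnet mask 255.255.255.0 used by mistake would only match addresses ending in .0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def standard_acl_permits(entries, src_ip: str) -> bool:
    """entries: [(action, base, wildcard), ...] evaluated top-down, implicit deny last."""
    for action, base, wildcard in entries:
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def vacl_action(access_map, acls, src_ip: str) -> str:
    """access_map: [(seq, acl_name_or_None, action), ...]. A sequence without a match
    clause matches every packet; a packet the referenced ACL does not permit falls
    through to the next sequence; if no sequence matches, the VACL drops the packet."""
    for _seq, acl_name, action in sorted(access_map, key=lambda s: s[0]):
        if acl_name is None or standard_acl_permits(acls[acl_name], src_ip):
            return action
    return "drop"

# Constructed to mirror the DistSW solution: ACL 10 permits 10.1.35.0/24,
# access-map TEST forwards on a match (seq 1) and drops everything else (seq 2).
ACLS = {"10": [("permit", "10.1.35.0", "0.0.0.255")]}
ACCESS_MAP_TEST = [(1, "10", "forward"), (2, None, "drop")]

def filter_vlan35(src_ips):
    """Apply map TEST, as filtered onto VLAN 35, to a list of source addresses."""
    return {ip: vacl_action(ACCESS_MAP_TEST, ACLS, ip) for ip in src_ips}
```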
• 36. EtherChannel + STP Simulation Example

PROBLEM

The Better Butter Company has recently replaced an edge switch in a wiring closet due to a hardware failure. Unfortunately the configuration was not backed up, and now you are tasked with getting the new switch (AccessSW) up and running as fast as possible based on the following requirements.

• DistSW should not need any configuration changes, as it worked properly before the outage. It is running rapid spanning tree and VTP transparent mode.
• AccessSW needs to have three VLANs configured on the correct interfaces as shown in the diagram below. It also needs to be running the same VTP and STP mode as DistSW. DistSW must remain the spanning tree root bridge for all active VLANs.
• The connection between the two switches must be configured using a redundant, non-proprietary protocol with DistSW controlling the activation. VLANs should be manually pruned to prevent unnecessary broadcast propagation.
• All VLANs traversing the trunk need to be tagged except for VLAN 99, which should not be tagged.

Additional requirements for AccessSW:
- All active access ports must transition immediately to the forwarding state
- No routing is supported on AccessSW
- SVI VLAN 1 needs to be configured with IP address 192.168.1.22 /24
• 37. SOLUTION

1. Create the VLAN 1 SVI:
  AccessSW# conf t
  AccessSW(config)# interface vlan 1
  AccessSW(config-if)# ip address 192.168.1.22 255.255.255.0
  AccessSW(config-if)# no shut
  AccessSW(config-if)# exit
2. Configure STP (rapid PVST+ to match DistSW; the highest bridge priority keeps DistSW as root):
  AccessSW(config)# spanning-tree mode rapid-pvst
  AccessSW(config)# spanning-tree vlan 1,50-52 priority 61440
3. Configure VTP mode:
  AccessSW(config)# vtp mode transparent
4. Configure the access ports:
  AccessSW(config)# interface range fastEthernet 0/11-12
  AccessSW(config-if-range)# switchport mode access
  AccessSW(config-if-range)# switchport access vlan 50
  AccessSW(config-if-range)# spanning-tree portfast
  AccessSW(config-if-range)# no shut
  AccessSW(config-if-range)# interface range fastEthernet 0/13-14
  AccessSW(config-if-range)# switchport mode access
  AccessSW(config-if-range)# switchport access vlan 51
  AccessSW(config-if-range)# spanning-tree portfast
  AccessSW(config-if-range)# no shut
  AccessSW(config-if-range)# interface range fastEthernet 0/15-16
  AccessSW(config-if-range)# switchport mode access
  AccessSW(config-if-range)# switchport access vlan 52
  AccessSW(config-if-range)# spanning-tree portfast
  AccessSW(config-if-range)# no shut
  AccessSW(config-if-range)# exit
5. Next, configure the trunking ports for a non-proprietary EtherChannel (LACP, with AccessSW passive so DistSW controls activation):
  AccessSW(config)# interface range fastEthernet 0/1-2
  AccessSW(config-if-range)# channel-protocol lacp
  AccessSW(config-if-range)# channel-group 1 mode passive
  AccessSW(config-if-range)# no shut
  AccessSW(config-if-range)# exit
6. Finally, create the EtherChannel and configure the trunk (manual pruning via the allowed list; VLAN 99 untagged as native):
  AccessSW(config)# interface port-channel1
  AccessSW(config-if)# switchport trunk encapsulation dot1q
  AccessSW(config-if)# switchport mode trunk
  AccessSW(config-if)# switchport trunk allowed vlan 1,99,50-52
  AccessSW(config-if)# switchport trunk native vlan 99
  AccessSW(config-if)# no shut
  AccessSW(config-if)# exit
• 38. MLS Simulation Example

PROBLEM

VLANs 2, 3, and 4 were recently added to the multilayer switch shown in the diagram to the right and have not been configured. Users in all three VLANs need to be able to connect to the server, which resides behind the router. You have been tasked with configuring layer 3 connectivity on the multilayer switch so that PCs in all three VLANs can successfully ping the server.

Additional requirements:
• All routed ports and SVIs must use the lowest available IP address within their subnet.
• Use EIGRP for dynamic routing; no static routes or other routing protocols can be used.
• EIGRP AS 700 needs to be configured.
• The access ports are already configured, so do not make any changes to their configurations.
• 39. SOLUTION

1. Configure the switch's routed interface:
  Switch# configure terminal
  Switch(config)# int gi 0/1
  Switch(config-if)# no switchport
  Switch(config-if)# ip address 10.10.10.1 255.255.255.0
  Switch(config-if)# no shutdown
  Switch(config-if)# exit
2. Configure the VLAN SVIs:
  Switch(config)# int vlan 2
  Switch(config-if)# ip address 192.168.1.1 255.255.255.224
  Switch(config-if)# no shutdown
  Switch(config-if)# int vlan 3
  Switch(config-if)# ip address 192.168.1.33 255.255.255.224
  Switch(config-if)# no shutdown
  Switch(config-if)# int vlan 4
  Switch(config-if)# ip address 192.168.2.1 255.255.255.0
  Switch(config-if)# no shutdown
  Switch(config-if)# exit
3. Enable and configure routing:
  Switch(config)# ip routing
  Switch(config)# router eigrp 700
  Switch(config-router)# network 10.10.10.0 0.0.0.255
  Switch(config-router)# network 192.168.1.0 0.0.0.31
  Switch(config-router)# network 192.168.1.32 0.0.0.31
  Switch(config-router)# network 192.168.2.0 0.0.0.255
  Switch(config-router)# exit