0 (2012-14)
Contents
PLANNING & DESIGN (p. 1)
ETHERNET (p. 9)
VLANs (p. 30)
SPANNING TREE PROTOCOL (p. 60)
L2 SECURITY (p. 103)
HIGH AVAILABILITY (p. 124)
APPENDIXES (p. 145)
PLANNING & DESIGN
CISCO Design Recommendations
Enterprise Campus Network Design
test the design on a pilot network first before deploying it on the corporate network
when planning for High Availability, use the correct technology and redundancy within that technology
a documented rollback plan should be a part of any implementation plan
VLAN approach recommended whenever possible:
SECURITY PLANNING
VLAN PLANNING
organizational objectives to keep in mind when developing a VLAN implementation plan could include:
have a summary implementation plan that lays out the implementation overview
incremental implementation of components is the recommended approach when defining a VLAN implementation plan
ADVANCED SWITCHING ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2013-14
SONA
CISCO model that provides guidance, best practices, and blueprints for connecting network services and applications to enable business solutions
SONA outlines three layers for the enterprise network:
- NETWORK INFRASTRUCTURE LAYER: where all the network devices are connected (network, servers, storage etc.)
- INTERACTIVE SERVICES LAYER: allocates resources to applications delivered through the network infrastructure layer
- APPLICATION LAYER: includes the business applications
PPDIOO
a design based around organising the network into distinct layers of devices
traffic flow is the most important factor in the design (not traffic type)
the network should be designed so that all end users are located at a consistent distance from the resources they need to use
the resulting network is: efficient, intelligent, scalable, and easily managed
traffic flow can be classified as three types (based on where the network service / resources are located in relation to the end user):
- LOCAL: same segment / VLAN as the user (traffic reaches the ACCESS layer only)
- REMOTE: different segment / VLAN from the user (traffic reaches the DISTRIBUTION layer)
- ENTERPRISE: central to all campus users (traffic reaches the DISTRIBUTION and CORE layers)
ACCESS LAYER
DISTRIBUTION LAYER
CORE LAYER
each layer of the hierarchical network model can be broken into basic functional units
the modules can then be sized appropriately and connected, while allowing for future scalability and expansion
the enterprise campus network can be divided into the following units:
- SWITCH BLOCK
- CORE BLOCK
SWITCH BLOCK
devices at the DISTRIBUTION layer become bottlenecks (due to the volume of inter-VLAN traffic, CPU-intensive filtering and packet manipulation etc.)
broadcast / multicast traffic slows down the traffic
two DISTRIBUTION switches per SWITCH BLOCK, with each ACCESS switch having two uplinks (one to each DISTRIBUTION switch)
all L2 connectivity should be contained within the ACCESS layer
only L3 connectivity at the DISTRIBUTION layer
L2 / L3 ACCESS SWITCHES
CORE BLOCK
- COLLAPSED CORE
- DUAL CORE
COLLAPSED CORE
CORE and DISTRIBUTION layers merged together (their functions are provided by the same devices)
used in smaller campus networks (a separate CORE layer is not warranted)
each ACCESS switch has a redundant link to each DISTRIBUTION / CORE switch
all L3 subnets present in the ACCESS layer terminate at the DISTRIBUTION switches' L3 ports
DISTRIBUTION / CORE switches are interconnected with one or more links
at L3, redundancy is provided through a redundant gateway protocol (HSRP, VRRP, GLBP)
the CORE is not scalable when more SWITCH BLOCKS are added!
DUAL CORE
SWITCH
- Ethernet Standard
- Ethernet Switch
- Switchport
- Etherchannel
ETHERNET STANDARD
ETHERNET OVERVIEW
a LAN technology
the medium should be chosen according to the needs and requirements
Ethernet is popular because of its low cost, market availability, and scalability to higher bandwidths
ETHERNET STANDARDS
NAME: ETHERNET
STANDARD: 802.3
OVERVIEW: 10 Mbps; CSMA/CD; half / full duplex; 100 m cable limit; usually used to connect ACCESS switches to end devices
COMMENTS: the half-duplex and collision issues are non-existent in switched Ethernet
NAME: FAST ETHERNET
STANDARD: 802.3u
OVERVIEW: 100 Mbps; CSMA/CD; half / full duplex; 100 m cable limit; usually used to connect ACCESS to DISTRIBUTION switches
NAME: GIGABIT ETHERNET
STANDARD: 802.3z
OVERVIEW: 1,000 Mbps; same L2 as 802.3, different L1; backward compatibility with 802.3u allows for operation at the maximum common level; full-duplex (auto-negotiation is not possible)
COMMENTS: the L1 has been modified:
- IEEE 802.3 Ethernet provided the frame format, CSMA/CD, full duplex and other Ethernet characteristics
- ANSI X3T11 FibreChannel provided a base of high-speed ASICs, optical components, encoding/decoding and serialization mechanisms
NAME: 10 GIGABIT ETHERNET
STANDARD: 802.3ae
OVERVIEW: 10,000 Mbps; the same frame format allows backward compatibility; full-duplex mode exclusively
ETHERNET SWITCH
ETHERNET SWITCH OVERVIEW
PURPOSE / COMMENTS
LEARNING
- upon arrival on a switchport, every frame's source MAC address is examined and compared to the entries in the CAM table
- if no entry is present, the MAC address is mapped to the port it arrived on and the entry is time-stamped
- if an entry is present, the timestamp is updated
- if the entry is present but the MAC arrived on a different port, the entry is deleted and the MAC is mapped to the most recent arrival port
AGING
- entries in the CAM table are kept for 300 sec. before being deleted
- the timer is reset when the switch receives a frame from a node on the same port
FLOODING
- the switch floods the frame (sends it out all operational ports) when no entry for the destination can be found in the CAM table
- also known as unknown unicast flooding
SELECTIVE FORWARDING
FILTERING
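The CAM table operations above, as an added example (not from the original study guide): a small Python model of learning, aging, flooding and filtering. The port names and the `moves` counter, which counts MACs re-learned on a different port (a cheap indicator of loops or address spoofing), are my own additions.

```python
from dataclasses import dataclass

AGING_SECONDS = 300  # default CAM aging time quoted in the text


def is_group_address(mac):
    """Broadcast / multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class CamEntry:
    port: str
    last_seen: float  # time of the most recent frame from this MAC


class CamTable:
    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.table = {}   # MAC -> CamEntry
        self.moves = 0    # MACs that re-appeared on another port (hypothetical flap counter)

    def _expire(self, now):
        # AGING: entries not refreshed within the aging interval are deleted
        for mac in [m for m, e in self.table.items() if now - e.last_seen > self.aging]:
            del self.table[mac]

    def learn(self, src_mac, in_port, now):
        # LEARNING: map the source MAC to the arrival port, or refresh its timestamp;
        # a MAC seen on a different port replaces the old mapping
        self._expire(now)
        entry = self.table.get(src_mac)
        if entry is not None and entry.port != in_port:
            self.moves += 1
        self.table[src_mac] = CamEntry(in_port, now)

    def forward(self, src_mac, dst_mac, in_port, now):
        """Return the egress ports for one frame arriving on in_port."""
        self.learn(src_mac, in_port, now)
        entry = None if is_group_address(dst_mac) else self.table.get(dst_mac)
        if entry is None:
            # FLOODING: broadcast, multicast and unknown unicast go out every
            # operational port except the one the frame arrived on
            return [p for p in self.ports if p != in_port]
        if entry.port == in_port:
            return []            # FILTERING: destination is on the ingress port
        return [entry.port]      # SELECTIVE FORWARDING: one known port
```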
- ingress queues: inbound frames are placed in one of the switch's ingress queues, each having a different priority or service level
- security ACLs (TCAM): used for inbound / outbound frame filtering
- QoS ACLs (TCAM): used to classify frames and apply policies
- L2 forwarding table: the destination MAC address is used as an index into the CAM table
- egress queues: outbound frames are placed here; the queue is determined by QoS values contained in the frame or passed along with the frame
The decisions on where, and whether at all, to forward the frame are made simultaneously!
LAYER 3 SWITCHING
- L2 forwarding table: the destination MAC address is used as an index into the CAM table
- L3 forwarding table: the destination IP address is used as an index into the FIB table
- security ACLs (TCAM): used for inbound / outbound frame filtering
- QoS ACLs (TCAM): used to classify frames and apply policies
The decisions on where, and whether at all, to forward the frame are made simultaneously!
Process Switching
- each packet is examined by the internal processor and is handled in software (only used in routers)
the route processor tracks the flow's first packet and sets up a shortcut for the remaining packets to avoid software-based routing (immediately forwarding in hardware)
used by both routers and L3 Switches
OVERVIEW / COMMENTS: stale entries are aged out after 300 sec. and deleted.
TSHOOT
SWITCHPORT
SWITCHPORT CONFIGURATIONS
PORT SELECTION (ITEM / SINGLE PORT / MULTIPLE PORTS / COMMANDS / COMMENTS):
- MACROS
- PORT ID
- DESCRIPTION
- SPEED
DUPLEX MODE (by TECHNOLOGY):
- 100BASE-T4
- 100BASE-TX
- 10BASE-T
ERROR MANAGEMENT
<S1(config)#errdisable detect cause (all | cause name)>
TRIGGER / DETECTION SCOPE:
- all
- arp-inspection
- bpduguard
- channel-misconfig: EtherChannel bundle
- dhcp-rate-limit: DHCP snooping
- dtp-flap: DTP flapping
- inpower: inline power
- link-flap: link flapping
- rootguard
- security-violation
- storm-control
- udld
ERROR RECOVERY
Manual:
<S1(config-if)#shutdown>
<S1(config-if)#no shutdown>
Automatic:
<S1(config)#errdisable recovery cause (all | cause name)>
<S1(config)#errdisable recovery interval (300, 30-86400)>
COMMAND: show interfaces
VERIFIES / DISPLAYS: port status, description, encapsulation, keepalive mechanism, duplex mode, port speed
ETHERCHANNEL
ETHERCHANNEL OVERVIEW
a method of aggregating from 2 up to 8 links (of the same media type and speed) into a single logical link
the bundle provides full-duplex bandwidth
can operate either as an access or a trunk link
traffic is distributed across the individual links within the bundle
if one of the links within the bundle fails, traffic is automatically moved to an adjacent link
all links must have identical VLAN settings
all links must have identical speed and duplex settings
all links must have identical trunk port settings
all links must have identical STP settings
none of the individual ports can have switchport security enabled
none of the individual ports can be a SPAN port
frames are forwarded on a specific link as the result of a hashing algorithm
can be established using the following mechanisms: PAgP, LACP (IEEE 802.3ad) or static persistence
if settings are applied to the bundle --> they are applied to the member ports
if settings are applied to a member port --> the member is left in the bundle but suspended
LOAD-BALANCE HASH (COMMAND / COMMENTS)
HASH INPUT / OPS:
- src-ip: source IP address bits
- dst-ip: destination IP address bits
- src-dst-ip: source and destination IP address bits, XOR
- src-mac: source MAC address bits
- dst-mac: destination MAC address bits
- src-dst-mac: source and destination MAC address bits, XOR
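The hash inputs above, as an added example (not from the original study guide): a Python model of how the chosen address bits pick a member link. It assumes the widely documented Catalyst scheme of 8 hash buckets (the low 3 bits of the XOR) dealt round-robin to the member links; the sample flows are constructed.

```python
from collections import Counter
import ipaddress

BUCKETS = 8   # assumption: 8 hash buckets (the low 3 bits), as on Catalyst platforms


def _mac_int(mac):
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def _ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def hash_bucket(method, src_mac=None, dst_mac=None, src_ip=None, dst_ip=None):
    """Hash bucket (0..BUCKETS-1) for one frame under the chosen load-balance method."""
    if method == "src-mac":
        value = _mac_int(src_mac)
    elif method == "dst-mac":
        value = _mac_int(dst_mac)
    elif method == "src-dst-mac":
        value = _mac_int(src_mac) ^ _mac_int(dst_mac)   # XOR of both addresses
    elif method == "src-ip":
        value = _ip_int(src_ip)
    elif method == "dst-ip":
        value = _ip_int(dst_ip)
    elif method == "src-dst-ip":
        value = _ip_int(src_ip) ^ _ip_int(dst_ip)
    else:
        raise ValueError("unknown load-balance method: %s" % method)
    return value & (BUCKETS - 1)   # only the low-order bits feed the decision


def bucket_to_link(bucket, n_links):
    """Buckets are dealt to member links round-robin, so 3 links get 3/3/2 of them."""
    if not 2 <= n_links <= 8:
        raise ValueError("an EtherChannel bundles 2 to 8 links")
    return bucket % n_links


def distribution(method, flows, n_links):
    """How many of the given flows land on each member link: {link_index: count}."""
    counts = Counter(bucket_to_link(hash_bucket(method, **flow), n_links) for flow in flows)
    return dict(sorted(counts.items()))


# constructed sample: eight hosts reached through one gateway, so every frame leaving the
# router towards them carries the same source MAC (the classic polarisation case)
GATEWAY_MAC = "00:00:5e:00:53:ff"
SAMPLE_FLOWS = [{"src_mac": GATEWAY_MAC, "dst_mac": "00:00:5e:00:53:%02x" % i,
                 "src_ip": "10.1.1.1", "dst_ip": "10.1.2.%d" % i} for i in range(1, 9)]
```

With `src-mac` every sample flow lands on one link, which is why a method that mixes both addresses (or IP addresses) is the usual choice behind a router.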
ETHERCHANNEL CONFIGURATIONS
PAgP EtherChannel (COMMAND / COMMENTS)
When ports are configured as member ports of an EtherChannel, a logical port-channel interface is automatically created.
*<S1(config-if)#shutdown>
Good practice to shut down the ports that are being configured.
<S1(config-if)#channel-protocol pagp>
<S1(config-if)#channel-group (1-64) mode (auto | desirable) *(non-silent)>
NOTE: silent is the default. It may take as long as 50 sec. for data to start flowing through the bundle: the first 15 sec. are the result of PAgP silent mode waiting to receive inbound PAgP messages, and the final 30 sec. are the result of STP moving through the LISTENING and LEARNING states.
LACP EtherChannel (COMMAND / COMMENTS)
<S1(config-if)#channel-protocol lacp>
<S1(config-if)#channel-group (1-64) mode (passive | active)>
Priority: the lower the value, the higher the priority (the MAC address is used as a tie-breaker).
NON-NEGOTIATE EtherChannel (COMMAND / COMMENTS)
When ports are configured as member ports of an EtherChannel, a logical port-channel interface is automatically created.
*<S1(config-if)#shutdown>
Good practice to shut down the ports that are being configured.
LAYER 3 EtherChannel (STEP # / COMMAND / COMMENTS)
*<S1(config-if)#shutdown>
Good practice to shut down the ports that are being configured.
DISABLE SWITCHING (on the member ports and on the port-channel interface):
<S1(config-if)#no switchport>
TSHOOT (COMMAND / VERIFIES / DISPLAYS / EXAMPLE / SCREENSHOT)
show etherchannel
show etherchannel detail
show etherchannel summary
show etherchannel load-balance
show etherchannel (1-64) port-channel
show etherchannel (1-64) protocol
show etherchannel (1-64) summary
show (pagp | lacp) neighbor
show lacp sys-id
VLANs
- VLANs
- Trunks
- DTP
- VTP
- Inter-VLAN Routing
VLANs
OVERVIEW
Virtual LANs
logical network segments
promote security: sensitive traffic can be separated from the rest of the network
promote cost reduction: less need for hardware upgrades and more efficient use of existing bandwidth
promote better performance by containing broadcasts to a single VLAN and avoiding broadcast storms
promote higher efficiency by making the network easier to manage
VLAN member devices do not have to be physically connected, but there has to be end-to-end connectivity
VLAN membership can either be assigned statically (port-based membership) or dynamically (MAC-based membership)
no negotiation protocol is used: devices automatically assume connectivity to a VLAN when they connect to a port
upon assignment to a VLAN, a port receives a Port VLAN ID (PVID) that associates it with a VLAN number
ports on a single switch can be assigned to multiple VLANs
traffic will not flow between ports associated with two different VLANs (unless L3 routing is configured)
end-to-end VLANs: span the entire L2 of a network
local VLANs: a small percentage of the traffic is local, while the majority is remote
recommended: a one-to-one correspondence between VLANs and IP subnets
VLANs should not extend beyond the L2 domain of the DISTRIBUTION switch (they should not enter the CORE or another switch block)
VLAN ID RANGES
NORMAL RANGE
- 1 to 1005
- 1002 to 1005 are reserved for Token Ring and FDDI VLANs
- 1, 1002 to 1005 are created automatically and cannot be removed
- stored in NVRAM
- stored in vlan.dat in flash memory
EXTENDED RANGE
- 1006 to 4094
- designed for ISPs
- stored in running-config
- not learned by VTP!
VLAN TYPES
DATA VLAN
DEFAULT VLAN
- the VLAN that all switch ports become members of upon switch boot up
- for CISCO switches this is VLAN 1
- cannot be renamed or deleted
- L2 control traffic, e.g. CDP, will always be sent on the default VLAN (this behaviour cannot be changed!)
- security best practice: associate all switch ports with a VLAN other than VLAN 1 after switch boot up
MANAGEMENT VLAN
NATIVE VLAN
VOICE VLAN
COMMANDS / COMMENTS
CREATE A VLAN
SINGLE: <S1(config)#vlan (1-1001, 1006-4094)>
RANGE: <S1(config)#vlan (vlan id),(vlan id)-(vlan id)>
*ADD NAME: <S1(config-vlan)#name (name; up to 32 characters)>
*ADD DESCRIPTION
ASSIGN PORTS:
<S1(config)#interface (interface)>
<S1(config-if)#switchport mode access>
*ADMINISTRATIVE SHUTDOWN: <S1(config-vlan)#(no) shutdown>
TSHOOT
show vlan
show vlan brief
show vlan summary
TRUNKS
OVERVIEW
a point-to-point link between one or more Ethernet switch interfaces and another networking device, e.g. a router or a switch
acts as a conduit for VLANs between routers and switches
carries the traffic of multiple VLANs over a single link
allows a VLAN to be extended across the entire network
ISL
- Inter-Switch Link
- CISCO proprietary
- adds a 26-byte header and a 4-byte trailer to the frame (30 bytes of overhead in total) (double tagging)
- a 15-bit source VLAN ID is placed in the header
- the trailer contains CRC information
- does not support untagged frames!
IEEE 802.1q
- open standard
- the VLAN ID is embedded into the existing frame (single tagging)
- the VLAN ID is contained in the last 12 bits of the tag (0-4095; except for 0, 1, 4095)
- supports untagged frames, but only on the native VLAN
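The 802.1Q tag just described, as an added example (not from the original study guide): a Python builder and parser for the 4-byte tag (TPID 0x8100, then 3-bit PCP, 1-bit DEI and the 12-bit VID). The parser returns every stacked tag it finds, so a monitoring tool can see when a frame arrives carrying more than one, and untagged (native VLAN) frames come back with an empty VID list. The MAC addresses and payloads are constructed; rejecting VIDs 0 and 4095 follows the text above.

```python
import struct

TPID_8021Q = 0x8100
RESERVED_VIDS = {0, 4095}   # 0 = priority-tagged only, 4095 = reserved


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Untagged frame when vid is None; otherwise one 802.1Q tag is inserted after the
    source MAC, before the original EtherType."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
            raise ValueError("VID %r cannot be used as a VLAN ID" % vid)
        tci = (pcp & 0x7) << 13 | (vid & 0xFFF)      # PCP (3 bits) | DEI = 0 (1 bit) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the list of VIDs (outermost first), the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vids = []
    while True:                      # walk every stacked tag
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break                    # reached the real EtherType
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0xFFF)     # the VID is the low 12 bits of the TCI
        offset += 4
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[offset + 2:]}
```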
TRUNK CONFIGURATIONS
The following parameters must match on both ends:
COMMANDS / COMMENTS
SELECT PORTS
*<S1(config-if)#shutdown>
HARDCODE L2 MODE
<S1(config-if)#switchport>
SELECT ENCAPSULATION
TSHOOT
DTP
OVERVIEW
DTP MODES (MODE / OVERVIEW / COMMENTS)
TRUNK
- if this mode is used, DTP on the port should be disabled.
- to hardcode the mode on an interface:
DYNAMIC AUTO
NO-NEGOTIATE
<S1(config-if)#switchport nonegotiate>
NEGOTIATION RESULTS (local mode in rows, peer mode in columns):
| | ACCESS | TRUNK | DYNAMIC AUTO | DYNAMIC DESIRABLE | NO-NEGOTIATE |
|---|---|---|---|---|---|
| ACCESS | ACCESS | MISMATCH | ACCESS | ACCESS | MISMATCH |
| TRUNK | MISMATCH | TRUNK | TRUNK | TRUNK | TRUNK |
| DYNAMIC AUTO | ACCESS | TRUNK | ACCESS | TRUNK | MISMATCH |
| DYNAMIC DESIRABLE | ACCESS | TRUNK | TRUNK | TRUNK | MISMATCH |
| NO-NEGOTIATE | MISMATCH | TRUNK | MISMATCH | MISMATCH | TRUNK |
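The negotiation matrix above, as an added example (not from the original study guide): rather than looking the results up, this Python model derives them from each mode's behaviour (hardcoded access, hardcoded trunk with or without DTP, and the two dynamic modes that only trunk if the far end asks). The `audit` helper and the port names are my own additions; it lists ports whose trunking state is left to whatever the neighbour sends, which is the case the text's "hardcode the mode and disable DTP" advice is about.

```python
ACCESS, TRUNK, AUTO, DESIRABLE, NONEGOTIATE = (
    "ACCESS", "TRUNK", "DYNAMIC AUTO", "DYNAMIC DESIRABLE", "NO-NEGOTIATE")
MODES = (ACCESS, TRUNK, AUTO, DESIRABLE, NONEGOTIATE)

# modes that actively ask the far end to trunk via DTP
_DTP_INITIATES = {TRUNK, DESIRABLE}
# modes that agree to trunk when asked via DTP
_DTP_RESPONDS = {TRUNK, AUTO, DESIRABLE}


def operational_mode(local, peer):
    """What one end settles on, given its own configured mode and the peer's."""
    if local == ACCESS:
        return ACCESS                       # hardcoded access, whatever the peer says
    if local in (TRUNK, NONEGOTIATE):
        return TRUNK                        # hardcoded trunk (NO-NEGOTIATE: trunk, DTP off)
    if local == AUTO:
        return TRUNK if peer in _DTP_INITIATES else ACCESS   # waits to be asked
    if local == DESIRABLE:
        return TRUNK if peer in _DTP_RESPONDS else ACCESS    # asks, needs a DTP answer
    raise ValueError("unknown DTP mode: %s" % local)


def link_result(mode_a, mode_b):
    """TRUNK or ACCESS when both ends agree, otherwise MISMATCH (one-sided trunk)."""
    op_a, op_b = operational_mode(mode_a, mode_b), operational_mode(mode_b, mode_a)
    return op_a if op_a == op_b else "MISMATCH"


def negotiation_matrix():
    """{local_mode: {peer_mode: result}} for every combination."""
    return {a: {b: link_result(a, b) for b in MODES} for a in MODES}


def audit(ports):
    """ports: {port_name: configured_mode}. Returns the ports whose trunking state
    depends on the neighbour, i.e. the ones still in a dynamic mode."""
    return [name for name, mode in ports.items() if mode in (AUTO, DESIRABLE)]
```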
VTP
OVERVIEW
VTP VERSIONS
VER. 1
- default version
- in TRANSPARENT mode, the VTP Version and VTP Domain are checked before forwarding the frame to other switches using VTP
VER. 2
- in TRANSPARENT mode, frames are forwarded without checking the VTP Version and VTP Domain first
- consistency checks are performed before forwarding the frame
- supports Token Ring switching and VLANs
- supports unrecognized TLVs
VER. 3
VTP DOMAINS
a network segment consisting of one or more interconnected switches that share the same VLAN information using VTP
a VTP area with common VTP requirements
the domain's boundary is defined by a router or an L3 switch in each domain
a switch can only be a member of a single domain
switches in different VTP Domains do not share VTP information
the domain name is propagated by the VTP Server and accepted by VTP-enabled switches with a lower revision number
VTP MODES
SERVER
CLIENT
TRANSPARENT
VTP ADVERTISEMENTS
SUMMARY
Included information:
- VTP version
- number of subset advertisements to follow
- domain length
- domain name
- revision number
- ID of the switch that last updated the revision number
- time stamp
- MD5 hash code
SUBSET
REQUEST
- sent to the SERVER to request any VLAN information the switch is lacking
- replied to with a SUMMARY followed by SUBSET advertisements
VTP REVISION NUMBER
a 32-bit index used by VTP switches to keep track of the most recent information change
the revision number from the last heard VTP advertisement is recorded
the VTP advertisement process always starts with configuration revision number 0 (zero)
when changes are made on the VTP server, the revision number is incremented by 1 before the advertisements are sent
when listening switches (configured as members of the same domain as the advertising switch) receive an advertisement with a greater revision number than the one stored locally, the advertisement overwrites any stored VLAN information
the VTP revision number is stored in NVRAM and is not altered by a power cycle of the switch
to reset the revision number:
- change the VTP mode to TRANSPARENT and then change it back to SERVER
- change the VTP domain name to a nonexistent VTP domain and then change it back to the original name
if the VTP revision number is not reset to 0 before adding a switch to the network, a pre-existing revision number can cause the other switches to clear their VTP database
VTP PRUNING
removes unnecessary trunk broadcast traffic on switches with no active ports for the specific VLAN
broadcast and unknown unicast frames on a VLAN are forwarded over a trunk only if the switch on the receiving end of the trunk has ports in that VLAN
when associating a switch port with a VLAN, the switch sends a special advertisement to its neighbours that it has active ports in that VLAN
pruning only needs to be enabled on the VTP Server
a VLAN is pruning-eligible when there are no active access ports associated with it
pruning has no effect on switches in VTP Transparent mode!
VLAN 1 is considered pruning-ineligible!
disabled by default
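The revision-number behaviour above, as an added example (not from the original study guide): a simplified Python model of how a switch decides whether to accept an advertisement (same domain, matching password digest, higher revision), run through the scenario the text warns about: a switch with a stale, higher revision joining the domain with and without a reset first. The digest is a stand-in for the MD5 in the summary advertisement, not the real packet layout, and the switch names, domain and VLANs are constructed.

```python
import hashlib
import json


def _digest(domain, password, revision, vlans):
    """Simplified stand-in for the VTP MD5: hash of domain, password, revision and VLAN list."""
    body = json.dumps([domain, password, revision, sorted(vlans.items())])
    return hashlib.md5(body.encode()).hexdigest()


class VtpSwitch:
    def __init__(self, name, domain, password="", mode="SERVER", vlans=None):
        self.name = name
        self.domain = domain
        self.password = password
        self.mode = mode                         # SERVER, CLIENT or TRANSPARENT
        self.revision = 0                        # every switch starts at revision 0
        self.vlans = dict(vlans or {1: "default"})

    def configure_vlan(self, vid, name):
        if self.mode != "SERVER":
            raise PermissionError("only a SERVER can change the VLAN database")
        self.vlans[vid] = name
        self.revision += 1                       # incremented before advertising
        return self.advertise()

    def advertise(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "md5": _digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv):
        """Return True if the advertisement overwrote the local VLAN database."""
        if self.mode == "TRANSPARENT" or adv["domain"] != self.domain:
            return False                         # other domain / transparent: not acted on
        if adv["md5"] != _digest(adv["domain"], self.password, adv["revision"], adv["vlans"]):
            return False                         # password mismatch: rejected
        if adv["revision"] <= self.revision:
            return False                         # nothing newer than what is stored
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True

    def reset_revision(self):
        """On a real switch: change the mode to TRANSPARENT and back, or change the
        domain name and back (see the text); modelled here as a plain reset."""
        self.revision = 0


def lab_switch_scenario(reset_first):
    """A server at revision 5 and its client; a switch from an old lab at revision 40 joins.
    Returns (client database overwritten?, client's VLAN IDs afterwards)."""
    prod = VtpSwitch("SW1", "CORP", "s3cret")
    for vid in range(10, 15):                    # five changes -> revision 5
        prod.configure_vlan(vid, "vlan%d" % vid)
    client = VtpSwitch("SW2", "CORP", "s3cret", mode="CLIENT")
    client.receive(prod.advertise())
    lab = VtpSwitch("LAB", "CORP", "s3cret", vlans={1: "default", 99: "lab"})
    lab.revision = 40                            # left over from earlier lab changes
    if reset_first:
        lab.reset_revision()
    overwritten = client.receive(lab.advertise())
    return overwritten, sorted(client.vlans)
```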
VTP CONFIGURATIONS
DEFAULTS:
- VTP Version = 1
- VTP Domain Name = null
- VTP Mode = Server
- Config Revision = 0
- VLANs = 1
STEP # / COMMANDS / COMMENTS
CONFIGURE DOMAIN
DTP sends the VTP Domain Name in its packets. If the two ends of a link belong to different VTP Domains, the trunk will not form (if DTP is used to negotiate a trunk).
The exceptions to the above:
- both ends have the default settings (VTP Domain = null)
- one end has a hardcoded VTP Domain and the other is left at the default (in this case, the VTP Domain is learned and adopted)
Because a switch can only be configured with a single VTP Domain, it will only listen and act on VTP advertisements it hears that match its own VTP Domain Name.
CONFIGURE MODE
CONFIGURE PASSWORD
CONFIGURE VERSION
CONFIGURE PRUNING
<S1(config)#vtp pruning>
DISPLAYS / VERIFIES (EXAMPLE SCREENSHOT): VTP Version, VTP Domain, VTP Mode, VTP Revision, VTP Encryption
INTER-VLAN ROUTING
OVERVIEW
DEVICE: ROUTER
OPTION 1: SVI
OPTION 2: ROUTED PORTS
ADVANTAGES:
- simple configuration
DISADVANTAGES:
- low scalability (the number of supported VLANs is limited to the number of available ports on the router)
OPTION 2: ROUTER-ON-A-STICK
ADVANTAGES:
- simple configuration
- the switch does not have to support L3 (just VLANs and trunking)
DISADVANTAGES:
EXAMPLE USE:
To configure an SVI:
<S1(config)#ip routing>
<S1(config)#vlan 100>
<S1(config-vlan)#exit>
<S1(config)#interface vlan 100>
<S1(config-if)#ip address A.A.A.A M.M.M.M>
<S1(config-if)#switchport autostate exclude>
<-- configured on a physical port: excludes that switchport from the autostate calculations (the SVI will stay UP even though the associated VLAN is DOWN)
To confirm:
<S1#show interface (interface)>
To configure a L2 port:
<S1(config-if)#switchport>
To configure a L3 port:
<S1(config)#ip routing>
<S1(config-if)#no switchport>
To verify:
<S1#show interface (interface) switchport>
Process Switching
- each packet is examined by the internal processor and is handled in software (only used in routers)
the route processor tracks the flow's first packet and sets up a shortcut for the remaining packets to avoid software-based routing (immediately forwarding in hardware)
used by both routers and L3 Switches
Layer 3 Engine
- Routing Table
- ARP Table
FIB
Adjacency Table
Rewrite Engine
ADJACENCY TABLE
To view the table content:
<R1#show adjacency (interface | vlan (vlan id)) (summary | detail)>
a database that stores L2 information for every next-hop entry (called an adjacency)
consists of the MAC addresses of nodes that can be reached in a single L2 hop
entries include both the IP and the MAC address
adjacencies are kept for each next-hop router and each directly connected host
adjacencies are built from the ARP table
ADJACENCY TYPE / OVERVIEW:
- NULL
- PUNT
- GLEAN
- DROP
- DISCARD
REWRITE ENGINE
- L2 ADDR DESTINATION: NEXT-HOP L2 ADDR
- L2 ADDR SRC: OUTBOUND PORT L2 ADDR
- L3 IP TTL: DECREMENTED BY 1
- L3 CHECKSUM: RECALCULATE
- L2 CHECKSUM: RECALCULATE
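The FIB / adjacency lookup and the rewrite steps above, as an added example (not from the original study guide): a toy Python forwarding path that does a longest-prefix FIB lookup, consults the adjacency table (complete adjacency, GLEAN when the next hop has no ARP entry, drop when there is no route), and then performs exactly the rewrites listed: L2 destination and source, TTL, IPv4 header checksum and Ethernet FCS. Frames, addresses and interface names are constructed; IPv4 headers are assumed to carry no options.

```python
import ipaddress
import struct
import zlib


def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_ip_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b""):
    """Constructed Ethernet II frame with a minimal IPv4 header (no options) and FCS."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                                ipaddress.ip_address(src_ip).packed,
                                ipaddress.ip_address(dst_ip).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    body = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + bytes(hdr) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


class CefSwitch:
    def __init__(self, port_macs):
        self.port_macs = port_macs   # outbound interface -> its MAC (becomes the new L2 source)
        self.fib = []                # (network, next_hop or None if connected, outbound interface)
        self.adjacency = {}          # next-hop IP -> next-hop MAC (built from ARP)
        self.punted = []             # next hops handed to ARP for resolution (GLEAN)

    def add_route(self, prefix, next_hop, iface):
        self.fib.append((ipaddress.ip_network(prefix), next_hop, iface))
        self.fib.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        for net, next_hop, iface in self.fib:
            if addr in net:
                # connected network: the destination host itself is the next hop
                return (next_hop or dst_ip), iface
        return None

    def forward(self, frame):
        """Return (action, rewritten_frame); action is 'forward', 'glean' or 'drop'."""
        ip_hdr = frame[14:34]
        ttl = ip_hdr[8]
        dst_ip = str(ipaddress.ip_address(ip_hdr[16:20]))
        hit = self.lookup(dst_ip)
        if hit is None or ttl <= 1:
            return "drop", None      # no route (DROP adjacency) or TTL would expire
        next_hop, iface = hit
        next_hop_mac = self.adjacency.get(next_hop)
        if next_hop_mac is None:
            self.punted.append(next_hop)
            return "glean", None     # GLEAN: L2 address unknown, punt to ARP
        # REWRITE ENGINE
        hdr = bytearray(ip_hdr)
        hdr[8] = ttl - 1                                             # L3 IP TTL decremented by 1
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))   # L3 checksum recalculated
        body = (_mac(next_hop_mac)                                   # L2 destination = next-hop MAC
                + _mac(self.port_macs[iface])                        # L2 source = outbound port MAC
                + frame[12:14] + bytes(hdr) + frame[34:-4])
        return "forward", body + struct.pack("<I", zlib.crc32(body))  # L2 FCS recalculated
```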
VERIFIES (SCREENSHOT): L2 / L3 capabilities, operational mode, trunk encapsulation, native VLAN, allowed VLANs, pruning
show ip cef
SPANNING TREE PROTOCOL
- STP Overview
- STP Concepts
- STP Convergence
- STP Topology Change
- STP Configurations
- STP Extensions
- STP Verification and Tshooting
- STP Flavours
- Rapid Spanning Tree
- Multiple Spanning Tree
STP OVERVIEW
STP CONCEPTS
ROOT BRIDGE
a designated switch under the STP instance that serves as a reference point for all STP calculations
selected through an election process in which every switch on the network exchanges BPDUs
initially the root ID matches the local BID (which causes all switches to identify themselves as root bridges upon boot up, before any BPDUs are exchanged)
ideally placed in the Distribution Layer, i.e. in the centre of the network
the bridge advertising the lowest BID becomes the root bridge
BEST PRACTICE (root primary / root secondary):
<-- root primary: sets the priority to a value lower than that of the active root (guarantees root election)
<-- root secondary: sets the priority to 28672; does not guarantee that the switch becomes the new root if the primary fails
BPDU
Bridge Protocol Data Unit
STP message
sent to a well-known multicast address: 01-80-C2-00-00-00
two types: Configuration BPDUs and TCN (Topology Change Notification) BPDUs
contain 12 fields used to exchange the path and priority information that STP uses to determine the root bridge and the paths to it, and to maintain a stable, loop-free topology
Configuration BPDU (FIELD # / FIELD / FUNCTION):
1. Protocol ID (always set to 0)
2. Version (always set to 0)
3. Msg. Type (Configuration or TCN)
4. Flags
5. Root ID
6. Root Cost
7. BID
8. Port ID
9. Msg. Age: time elapsed since the root sent the configuration message on which the current message is based (in 256ths of a sec.)
10. Max Age: the maximum time the root should be considered live and operational (in 256ths of a sec.) (20, 6-40)
11. Hello Time: the time interval between successive BPDUs generated by the root (in 256ths of a sec.) (2, 1-10)
12. Forward Delay: the delay that the switches should wait before transitioning to another STP state (in 256ths of a sec.) (15, 4-30)
TCN BPDU
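The 12-field configuration BPDU above, as an added example (not from the original study guide): a Python builder and parser for the 35-byte 802.1D configuration BPDU body. The field sizes (2, 1, 1, 1, 8, 4, 8, 2, 2, 2, 2, 2 bytes) and the 1/256 s timer units are the IEEE 802.1D ones; the bridge IDs are split the way the Bridge ID section below describes (4-bit priority, 12-bit extended system ID, 48-bit MAC). The MAC addresses and values are constructed.

```python
import struct

CONFIG_BPDU = struct.Struct("!HBBBQLQHHHHH")   # 12 fields, 35 bytes (802.1D layout)
STP_MULTICAST = "01:80:c2:00:00:00"


def make_bid(priority, vlan, mac):
    """Compose a bridge ID from the priority (multiple of 4096), the VLAN and the MAC."""
    return ((priority >> 12) << 60) | (vlan << 48) | int(mac.replace(":", ""), 16)


def split_bid(bid):
    """Bridge ID with extended system ID: 4-bit priority, 12-bit ext sys ID, 48-bit MAC."""
    priority = (bid >> 60) << 12            # upper 4 bits, reported as a multiple of 4096
    ext_sys_id = (bid >> 48) & 0xFFF        # the VLAN number
    mac = "%012x" % (bid & 0xFFFFFFFFFFFF)
    return priority, ext_sys_id, ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def build_config_bpdu(root_bid, root_cost, bid, port_id,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15, flags=0):
    """Pack the fields; the four timers are given in seconds and stored in 1/256 s."""
    return CONFIG_BPDU.pack(0, 0, 0, flags, root_bid, root_cost, bid, port_id,
                            msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)


def parse_config_bpdu(payload):
    if len(payload) < CONFIG_BPDU.size:
        raise ValueError("short BPDU")
    (proto, version, msg_type, flags, root_id, root_cost, bid, port_id,
     msg_age, max_age, hello, fwd_delay) = CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or msg_type != 0:
        raise ValueError("not a configuration BPDU (protocol %d, type %d)" % (proto, msg_type))
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),   # bit 0 = TC flag
        "tc_ack": bool(flags & 0x80),            # bit 7 = TC acknowledgement
        "root": split_bid(root_id),
        "root_cost": root_cost,
        "sender": split_bid(bid),
        "port_id": port_id,
        "message_age_s": msg_age / 256,
        "max_age_s": max_age / 256,
        "hello_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
    }
```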
BRIDGE ID
consists of: bridge priority, extended system ID, MAC address
NO EXTENDED ID (FIELD / BITS):
- BRIDGE PRIORITY: 16
- MAC ADDRESS: 48
WITH EXTENDED ID (FIELD / BITS):
- BRIDGE PRIORITY: 4
- EXTENDED SYS ID: 12
- MAC ADDRESS: 48
OVERVIEW / COMMENTS
BRIDGE PRIORITY
The lower the value, the higher the priority.
To configure:
Method 1:
Method 2:
- set the local priority value to match that of the root (but only if the local MAC is lower than that of the root)
- set the local priority to the next 4096 increment below the priority of the active root
- NOTE: if the next increment is less than 4096, the switch will not set the priority to 0 (zero); it will have to be done manually
EXTENDED SYS ID
To enable:
<S1(config)#spanning-tree extend system-id>
the lower MAC address breaks the tie if switches have the same bridge priority
The MAC used for STP can come from the Supervisor module, the backplane or a pool of 1024 addresses that are assigned to every supervisor or backplane (depending on the switch model).
Because by default every bridge is configured with the same priority value, the MAC address is the deciding factor for the root bridge election.
If the election is performed according to the default settings, this will most likely mean that the physically oldest switch on the network becomes the root.
PORT COST
the default port costs are defined by the speed at which the port operates
not carried in the BPDUs (only the root path cost is)
DEFAULTS (LINK SPEED / COST: STP / COST: RSTP):
| LINK SPEED | COST: STP | COST: RSTP |
|---|---|---|
| 4 Mbps | 250 | 5,000,000 |
| 10 Mbps | 100 | 2,000,000 |
| 16 Mbps | 62 | 1,250,000 |
| 100 Mbps | 19 | 200,000 |
| 1,000 Mbps | 4 | 20,000 |
| 2,000 Mbps | 3 | 10,000 |
| 10,000 Mbps | 2 | 2,000 |
<-- if the vlan parameter is omitted, the change will apply to every VLAN
ROOT PATH COST
the root bridge generates a BPDU with the root path cost = 0 (zero) because all of its ports sit directly on the root
as the BPDU is received by the next-closest neighbour, it adds the path cost of its own receiving port to the root path cost
the BPDU is sent out with the updated root path cost value
as each switch receives the BPDU, the root path cost is incremented by the ingress port's path cost
After incrementing the root path cost, the switch stores the updated value locally. When a BPDU is received on another port and the new root path cost is lower than the recorded one, the lower value becomes the new root path cost and the root port is updated accordingly.
PORT ROLES
the location of the root bridge in the network topology determines how port roles are calculated
the following are the roles that switch ports are automatically configured for during the STP process:
- root port
- designated port
- non-designated port
- disabled port
ROLE / OVERVIEW / COMMENTS
ROOT
- one per switch
- exists only on the non-root bridges
- only one allowed per bridge
- the switchport with the best (lowest) root path cost
DESIGNATED
NON-DESIGNATED
PORT STATES
each switch port transitions through 5 different states during the convergence process
STATE / OVERVIEW / COMMENTS
DISABLED
- possible reasons for this state:
BLOCKING
LISTENING
LEARNING
- root and designated ports start to process user frames (but only to populate the MAC table)
- user frames are not forwarded
- duration: 15 sec. (FORWARD DELAY TIMER)
FORWARDING
BPDU TIMERS
the timers dictate how long a port will stay in a given state
the default timer values allow adequate time for convergence in a network with a switch diameter of 7
diameter = the number of switches a frame has to traverse between the two farthest points of the broadcast domain
it is recommended not to adjust the timers directly, because the default values have been optimized for a diameter of 7 switches
if necessary, adjust the diameter instead and let the timers be recalculated automatically
timers should only be adjusted on the root bridge, which propagates the values in its BPDUs across the network!
TIMER / OVERVIEW:
HELLO
the interval at which the root bridge sends the Configuration BPDUs
the hello timer interval set on the root determines the timer for all non-root bridges, since they only relay the BPDUs originated by the root
all switches use the locally defined value for transmission of the TCN BPDUs
To adjust:
<S1(config)#spanning-tree timer (*vlan (vlan-id)) hello-time (2, 1-10 sec.)>
OR
<S1(config)#spanning-tree vlan 100 root primary diameter (diameter) hello-time (2, 1-10 sec.)>
FORWARD DELAY
To adjust:
<S1(config)#spanning-tree timer (*vlan (vlan-id)) forward-time (15, 4-30 sec.)>
MAXIMUM AGE
time spent in the BLOCKING state (while the root bridge election and port role assignment are taking place)
controls the maximum length of time a switch port retains the best Configuration BPDU
To adjust:
<S1(config)#spanning-tree timer (*vlan (vlan-id)) max-age (20, 6-40 sec.)>
NOTE: if the vlan parameter is omitted, the change is applied to all VLANs
STP CONVERGENCE
the election of the root bridge and the assignment of port roles take place simultaneously
the port roles may change multiple times before the convergence has finished
root bridge election:
o select the switch with the lowest bridge priority (default = 32768)
o if priorities are equal, select the switch with the lowest MAC address
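The election and root-path-cost rules above, worked through on a constructed 4-switch topology as an added example (not code from the original notes): the lowest bridge ID wins, every switch adds its ingress port cost to the relayed root path cost, and the port roles fall out per segment. Switch names, MACs, port IDs and costs are made up.

```python
"""Constructed STP model: root bridge election, root path cost and port roles.
Added example, not from the original notes; the 4-switch topology is made up."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    cost: int      # port path cost, added to a BPDU's root path cost on ingress
    port_id: int   # port priority (high byte) + port number; lowest wins the last tie-break


# Bridge ID = (bridge priority, MAC). SW4 has its priority lowered, so it wins the
# election even though SW1 has the lowest MAC address.
SWITCHES = {
    "SW1": (32768, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
    "SW4": (4096, "0000.0000.0004"),
}

# Point-to-point segments; classic 802.1d costs: 4 = GigabitEthernet, 19 = FastEthernet
LINKS = [
    (Port("SW4", "gi0/1", 4, 0x8001), Port("SW1", "gi0/1", 4, 0x8001)),
    (Port("SW4", "fa0/2", 19, 0x8002), Port("SW2", "fa0/1", 19, 0x8001)),
    (Port("SW1", "fa0/2", 19, 0x8002), Port("SW3", "fa0/1", 19, 0x8001)),
    (Port("SW2", "fa0/2", 19, 0x8002), Port("SW3", "fa0/2", 19, 0x8002)),
]


def bid(switch):
    """Bridge ID as a comparable tuple: lowest priority w  ins, then lowest MAC."""
    priority, mac = SWITCHES[switch]
    return (priority, int(mac.replace(".", ""), 16))


def elect_root():
    return min(SWITCHES, key=bid)


def root_path_costs(root):
    """Relay BPDUs outward from the root; each receiver adds its ingress port cost.

    Returns switch -> (rpc, sender BID, sender port id, own port id, root port).
    The 4-tuple prefix is the BPDU tie-break order: lowest root path cost, then
    lowest sender BID, then lowest sender port ID, then lowest own port ID.
    """
    best = {root: (0, bid(root), 0, 0, None)}
    heap = [(0, bid(root), root)]
    while heap:
        rpc, _, sw = heapq.heappop(heap)
        if rpc > best[sw][0]:
            continue  # stale heap entry
        for a, b in LINKS:
            for tx, rx in ((a, b), (b, a)):
                if tx.switch != sw:
                    continue
                cand = (rpc + rx.cost, bid(sw), tx.port_id, rx.port_id, rx)
                cur = best.get(rx.switch)
                if cur is None or cand[:4] < cur[:4]:
                    best[rx.switch] = cand
                    heapq.heappush(heap, (cand[0], bid(rx.switch), rx.switch))
    return best


def port_roles(best):
    """One designated port per segment (lowest rpc, then BID, then port ID); the
    receiver of the best BPDU is the root port; the rest are non-designated."""
    roles = {}
    for a, b in LINKS:
        designated = min((a, b), key=lambda p: (best[p.switch][0], bid(p.switch), p.port_id))
        for p in (a, b):
            if best[p.switch][4] == p:
                roles[(p.switch, p.name)] = "root"
            elif p == designated:
                roles[(p.switch, p.name)] = "designated"
            else:
                roles[(p.switch, p.name)] = "non-designated"
    return roles


def compute_stp():
    root = elect_root()
    best = root_path_costs(root)
    return {
        "root": root,
        "rpc": {sw: v[0] for sw, v in best.items()},
        "root_port": {sw: v[4].name for sw, v in best.items() if v[4] is not None},
        "roles": port_roles(best),
    }


if __name__ == "__main__":
    result = compute_stp()
    print("root bridge:", result["root"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw} {port}: {role} (root path cost {result['rpc'][sw]})")
```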
occurs when a port transitions into the FORWARDING state OR when a port in the FORWARDING or LEARNING state transitions into the BLOCKING state
the switch sends out a TCN BPDU on its root port, which is forwarded until it reaches the root bridge
the TCN BPDU carries no data and only informs recipients that a change has occurred
the switch continues to send the TCN BPDU every HELLO TIME interval until an ACK from its upstream neighbour is received
when the root bridge receives the TCN BPDU it sets the Topology Change flag in its Configuration BPDU, which is relayed to every other bridge in the network
all other switches shorten their TABLE AGE TIME timer (default = 300 sec.) to the FORWARD DELAY value (default = 15 sec.)
this causes the entries in the switches' MAC tables to be flushed out much sooner than they normally would, but devices communicating actively during that period are kept in the MAC table
EXAMPLE:
1.
2.
3. CAT C removes the best BPDU it had received from the root bridge since the link is DOWN
4. TCN BPDU is not sent by CAT C because its root port is down
5. CAT A sends a Configuration BPDU with the TCN bit set on fa1/1 (only link that is UP)
6. This BPDU is received and relayed to each switch along the way
7. CAT A and B shorten their TABLE AGE TIMER to the FORWARD DELAY value (300 --> 15 sec.)
8. (the timer is shortened for the duration of (MAX AGE + FORWARD DELAY))
9. CAT C fa1/2 becomes the root port because it received the best BPDU from the root
10. CAT C fa1/2 transitions through all STP states: LISTENING, LEARNING and FORWARDING
occurs when there is no link failure but the flow of data is still compromised
e.g. a firewall is blocking the traffic
EXAMPLE:
1. The link between CAT A and CAT C is UP | UP but there is no data flow
2.
3. After the MAX AGE timer has expired, CAT C flushes its best BPDU
4. The next BPDU received is on port fa1/2 (currently in the BLOCKING state)
5. The fa1/2 port is now the root port for CAT C and transitions through all states
EXAMPLE:
1.
2. The state of the link will change every time the PC is booted / shut down
3. If the link goes DOWN, CAT C sends out the TCN BPDU
4.
5.
6.
STP CONFIGURATIONS
ITEM / COMMANDS / COMMENTS:
NETWORK DIAMETER
BRIDGE PRIORITY
To verify:
<S1#show spanning-tree bridge>
PORT COSTS
PORT PRIORITY (increments of 16)
TIMERS
To adjust:
HELLO
FORWARD DELAY
<S1(config)#spanning-tree timer (*vlan (vlan-id)) forward-time (15, 4-30 sec.)>
MAXIMUM AGE
<S1(config)#spanning-tree timer (*vlan (vlan-id)) max-age (20, 6-40 sec.)>
PVRST+
To enable PVRST+ mode:
<S1(config)#spanning-tree mode rapid-pvst>
<S1#clear spanning-tree detected-protocols> forces the renegotiation with adjacent switches
STP EXTENSIONS
COMPARISON (SCOPE: GLOBAL | INTERFACE; VIOLATION / PURPOSE):
PortFast GLOBAL: BPDU is received --> strip the PortFast status, place port in LISTENING state, cycle through STP states
PortFast INTERFACE: BPDU is received --> strip the PortFast status; state FORWARDING? --> do not place in LISTENING; state BLOCKING? --> cycle through STP states
BPDUGuard: BPDU is received --> place port in err-disabled state
BPDUFilter
RootGuard: BPDU is received --> place port in root-inconsistent state
UplinkFast: SWITCH
BackboneFast: SWITCH
LoopGuard: non-designated ports
UDLD: SWITCH
PortFast
CISCO proprietary
enabled on ports in access mode on links on which a loop should never occur (e.g. port is connected to an end-device)
immediate transition of the port from BLOCKING into FORWARDING state (unless loop detected then keep BLOCKING)
a flapping PortFast enabled port does not generate the TCN
disabled by default
<-- causes the ports to start forwarding traffic immediately (unless a BPDU is ever received on that port)
<-- causes the port to unconditionally become a PortFast port: a received BPDU will not force the port to fall back to the LISTENING or LEARNING states, i.e. it will remain FORWARDING if it had been doing so; the PortFast status will be lost, and if after that the port goes into BLOCKING it will behave as per standard STP behaviour
To verify:
<S1#show spanning-tree interface (interface) portfast>
BPDU Guard
if a BPDU is received on a port with PortFast and BPDU Guard enabled, the port is put into the errdisable state (shut down with an error condition; only BPDUs are allowed to be received / transmitted!)
the port remains in this state (even when BPDUs stop arriving) until it has been manually re-enabled
recommended to enable on all PortFast ports
not recommended to enable on uplinks where the root is located
disabled by default
To enable BPDU Guard on all PortFast enabled ports (PortFast has to be enabled):
<S1(config)#spanning-tree portfast bpduguard default>
To enable BPDU Guard on a per interface basis (does not have to be PortFast enabled):
<S1(config-if)#spanning-tree bpduguard enable>
To view err-disabled ports:
<S1#show interfaces status err-disabled>
BPDU Filter
CISCO proprietary
filtering BPDUs on a port effectively disables STP on that port
possible use --> to define demarcation points
takes precedence over BPDUGuard (if both are enabled)
disabled by default
To enable BPDU Filter on all PortFast ports (filters OUTBOUND BPDUs on all PortFast enabled ports):
<S1(config)#spanning-tree portfast bpdufilter default>
To enable BPDU Filter on a single port (filters INBOUND / OUTBOUND BPDUs on a port; does not have to be PortFast enabled):
<S1(config-if)#spanning-tree bpdufilter (enable | disable)>
UplinkFast
CISCO proprietary
should be enabled on the ACCESS LAYER switches only! (since they are not supposed to become a transit path for any traffic)
should the root port fail, the alternate port is transitioned into the FORWARDING state immediately
keeps a record of all parallel paths to the root bridge and puts ports to the same destination in port groups
when the root port fails, the most favourable port in the port group (with the next-lowest root path cost; either in the BLOCKING or FORWARDING state) becomes the new root port
enabled for the entire switch and all VLANs BUT cannot be enabled on the root bridge
when enabled, the bridge priority is changed to 49152 and the port cost for every port is incremented by 3000 (to ensure the switch is never elected as the root bridge OR as a transit to the root)
upon link switchover, the switch starts sending dummy multicast packets to 0100.0ccd.cdcd, using the entries in the MAC table as the source, to let the upstream devices know that they can be reached via the originating switch over the newly nominated root port (NOTE: no packets are sent once the primary root port restores!)
disabled by default
To enable UplinkFast:
<S1(config)#spanning-tree uplinkfast (max-update-rate (packets per sec; 150, 0-65535))>
<-- causes an alternative port to start forwarding immediately upon the root ports failure
To verify:
<S1#show spanning-tree uplinkfast>
BackboneFast
CISCO proprietary
when enabled, the switch actively searches for an alternative path to the root bridge after an indirect link failure is discovered (a link not directly connected to the switch fails)
operates by short-circuiting the MAX AGE timer
alternative paths to the root bridge are determined according to the port types that receive the inferior BPDUs:
if the inferior BPDU arrives at a BLOCKING port, the switch considers the root port and all other BLOCKING ports to be alternative paths to the root bridge
if the inferior BPDU arrives at the root port, the switch considers all BLOCKING ports to be alternative paths to the root bridge
if the inferior BPDU arrives at the root port and no ports are BLOCKING, the switch assumes connectivity to the root has been lost and now considers itself the root (bypassing MAX AGE)
RLQ (Root Link Query):
if used, BackboneFast should be enabled on every switch in the STP domain because of its reliance on RLQ Request and Reply mechanisms
disabled by default
To enable BackboneFast:
<S1(config)#spanning-tree backbonefast>
To verify:
<S1#show spanning-tree backbonefast>
Root Guard
used to protect the current root bridge from being overthrown by another switch with a better BID
enabled on a per port basis towards ports that connect to switches that should never become the root bridge
if a better BPDU is received on a root port with Root Guard enabled, that port is put into root-inconsistent state (which basically is equal to LISTENING state)
the root-inconsistent state is maintained as long as superior BPDUs are being received
once superior BPDUs stop incoming, the port is cycled through normal STP states to return to FORWARDING state
once Root Guard is enabled on a port it is applied to all VLANs
disabled by default
To enable Root Guard:
<S1(config-if)#spanning-tree guard root>
To verify:
<S1#show spanning-tree detail>
To view blocked ports:
<S1#show spanning-tree inconsistentports>
Loop Guard
CISCO proprietary
keeps track of BPDU activity on non-designated ports
as long as BPDUs are being received, the port operates normally
if BPDUs stop being received, the port is put into the loop-inconsistent state (effectively it is BLOCKING, but its non-designated state is maintained)
once BPDUs are received again the switchport is recovered automatically
the corrective blocking action is taken on a per-VLAN basis
when BPDUs are being received again, the port is allowed to go through the normal STP states
can be enabled on every single port regardless of its role; the switch figures out which ports are non-designated
recommended to enable on all uplinks
if a port is part of an EtherChannel bundle and is deemed unidirectional, the entire bundle (port channel) is placed in err-disabled state!
disabled by default
<-- only the offending VLANs are blocked; not the port itself
UDLD
CISCO proprietary
helps discover unidirectional links before STP has had time to converge
proactively monitors the link to ensure traffic flows in both directions
a special L2 UDLD frame identifying the originating port is transmitted at regular intervals (Layer 2 PING)
an echo message from the far end is expected in return identifying the far end port
if echo is received the switch assumes the link is bidirectional
if no echo is received the switch assumes the link is unidirectional and the switchport is placed into the err-disabled state
a unidirectional link is detected after approximately 45 sec.
the UDLD feature must be enabled on both ends to work properly
UDLD frames are sent independently of each other (timers do not have to match)
UDLD blocks the port only after an echo message has been received once and further echoes then stop arriving
x2 modes of operation:
o NORMAL: port status marked as having an undetermined state; syslog message generated; port allowed to continue its operation
o AGGRESSIVE: actions are taken to re-establish the link: x1 frame per second is sent for 8 seconds; if no echo is received the port is put into the err-disable state
if a port is part of an EtherChannel bundle and is deemed unidirectional, only that single port is put into the err-disable state, not the entire bundle
does not require STP
disabled by default
TSHOOT:
show spanning-tree
show spanning-tree detail
show spanning-tree summary
show spanning-tree root
show spanning-tree bridge
show spanning-tree interface (interface)
show spanning-tree interface (interface) portfast
show spanning-tree uplinkfast
show spanning-tree backbonefast
show spanning-tree inconsistentports
show udld (interface)
debug spanning-tree switch state
COMMAND / VERIFIES:
show spanning-tree: Root ID; Bridge ID; Interfaces Roles / States / Costs / Types
STP FLAVOURS
CST (IEEE 802.1q) Common Spanning Tree:
x1 instance of STP
BPDUs are sent on the native VLAN with untagged frames
requires 802.1q encapsulation of trunks
PVST
PVST+
RSTP
MST
802.1w
developed to reuse the 802.1d concepts and make the convergence faster
can be used as the underlying mechanism with: PVST+ (--> RPVST+ (Rapid Per VLAN Spanning Tree+)) and MST
achieves its rapid nature by letting each switch interact with its neighbours through each port
requires full-duplex point-to-point connections between switches to achieve fast convergence
proactive, and for this reason RSTP does not need to use the STP delay timers
backward compatible with 802.1d (can revert to 802.1d on a per-port basis)
CISCO STP extensions are transparent and integrated into the protocol at a low level (because of that, UplinkFast and BackboneFast cannot be run with RSTP)
RSTP BPDU
FIELDS (in byte order): Protocol ID, Version, Msg. Type, Flags, Root ID, Root Cost, BID, Port ID, Msg. Age, Max Age, Hello Time, Forward Delay
FLAGS FIELD (bits, in order): TCN, PROPOSAL, PORT ROLE, LEARNING, FORWARDING, AGREEMENT, TCA
RSTP LINK / PORT TYPES (OVERVIEW / COMMENTS):
POINT-TO-POINT
SHARED
EDGE: <S1(config-if)#spanning-tree portfast>
RSTP PORT ROLES (OVERVIEW / COMMENTS):
ROOT: as per 802.1d
DESIGNATED: as per 802.1d
ALTERNATE
BACKUP
RSTP PORT STATES (OVERVIEW / COMMENTS):
DISCARDING
LEARNING
FORWARDING
802.1D STATE | PORT STATUS | 802.1W STATE
DISABLED | DISABLED | DISCARDING
BLOCKING | ENABLED | DISCARDING
LISTENING | ENABLED | DISCARDING
LEARNING | ENABLED | LEARNING
FORWARDING | ENABLED | FORWARDING
RSTP CONVERGENCE
EXAMPLE:
INITIAL STATE:
RSTP is enabled
all switchports are disabled (shutdown)
SW3 has the best BID
1.
2.
3. full-duplex --> POINT-TO-POINT; ROLE --> DESIGNATED, STATE --> DISCARDING
4. Send BPDU with proposal bit (0100 0000) set - advertise self as the root bridge
5. Compare BPDUs:
6. SW1 | SW2: ROLE --> ROOT, STATE --> DISCARDING
7. SW2 sends out BPDU with agreement bit set (0000 0010)
8. ROLE --> ROOT, STATE --> FORWARDING
9. ROLE --> DESIGNATED, STATE --> FORWARDING
10. SW1 fa1/1 and SW4 fa1/1 are enabled (no shutdown)
11. Link type is negotiated: full-duplex --> POINT-TO-POINT
    ROLE --> DESIGNATED, STATE --> DISCARDING
13. SW2: send BPDU with proposal bit (0100 0000) set advertising SW1 as the root bridge
14. SW4: send BPDU with proposal bit (0100 0000) set advertising self as the root bridge
15. SYNC started, place all non-edge ports into: ROLE --> DESIGNATED, STATE --> DISCARDING
    SW2 | SW4: ROLE --> ROOT, STATE --> DISCARDING
18. SW4 sends out BPDU with agreement bit set (0000 0010)
19. SW4 puts fa1/1 in: ROLE --> ROOT, STATE --> FORWARDING
20. SW2 receives the agreement and puts its fa1/1 in: ROLE --> DESIGNATED, STATE --> FORWARDING
21. SW3 fa0/1 and SW4 fa0/1 are enabled (no shutdown)
22. Link type is negotiated: full-duplex --> POINT-TO-POINT
    ROLE --> DESIGNATED, STATE --> DISCARDING
24. Send BPDU with proposal bit (0100 0000) set advertising self as the root bridge
25. SYNC started, place all non-edge ports into: ROLE --> DESIGNATED, STATE --> DISCARDING
    SW4 | SW3: ROLE --> ROOT, STATE --> DISCARDING
28. SW3 sends out BPDU with agreement bit set (0000 0010)
29. SW4 receives the agreement and puts its fa0/1 in: ROLE --> DESIGNATED, STATE --> FORWARDING
    ROLE --> ROOT, STATE --> FORWARDING
detected when a non-edge port transitions into the FORWARDING state (a link failure is not a trigger!)
topology changes are detected only so that bridging tables can be updated and corrected, as hosts appear first on a failed port and then on a different, functioning port
TC (Topology Change) messages (BPDU with the TC bit set) are sent out all the non-edge DESIGNATED ports (for the duration of x2 hello intervals)
all MAC addresses associated with the non-edge DESIGNATED ports are flushed from the CAM table (forces the addresses to be re-learnt after the change)
all neighboring switches that receive the TC message must flush the MAC addresses learnt on all ports except the one that receives the TC message
switches forward TC on their DESIGNATED ports
802.1s
developed to address the surplus or lack of STP instances
allows for configuration of the exact number of STP instances needed
one or more VLANs are mapped to a single MST instance
multiple instances can be used, each supporting different set of VLANs
switches are grouped into regions (black box bridge), where every switch in a region must run MST with compatible parameters
in most cases, a single MST region is sufficient (more can be configured)
within a region, all switches must run the same instance of MST, meaning the following need to be identical:
o region name
o revision number
o VLAN-to-instance mapping
if two switches have the same set of attributes, they belong to the same MST region
if two switches do not have the same set of attributes, they belong to different MST regions
MST BPDUs contain configuration attributes, which are compared by the switches:
if all attributes match, the STP instances within MST can be shared as part of the same region
if the attributes do not all match, the switch is seen to be at the MST boundary (one region meets another OR a region meets traditional 802.1d)
the VLAN-to-instance mapping is configured on each switch and is not sent in MST BPDUs
MST BPDUs contain a hash computed from the instance table
IST (Internal Spanning Tree) works out a loop-free topology inside an MST region and between links connecting the regions / switches running 802.1d
IST presents the entire region as a single virtual bridge to the CST outside (BPDUs are exchanged at the region boundary only over the native VLAN of trunks)
IST = MST Instance 0
MST Instances combine with the IST at the region boundary to form a sub-tree of CST
only IST BPDUs are sent into and out of a region
MST uses RSTP as the underlying mechanism (uses RSTP port costs)
MST CONFIGURATIONS
STEP # / CONFIGURATION / COMMANDS / COMMENTS:
CONFIGURE REGION:
<S1(config)#spanning-tree mst configuration> --> <S1(config-mst)#>
<S1(config-mst)#show current>
Regions are identified by having the same name, revision number and VLAN-to-instance assignments. If any of these differs, regions fall back to RPVST+.
NAME
REVISION NUMBER: <S1(config-mst)#revision (0-65535)>
CONFIRM CHANGES: <S1(config-mst)#show pending>
IMPLEMENT CHANGES: <S1(config-mst)#exit>
ABORT CHANGES: <S1(config-mst)#abort>
TUNING
TIMERS
TSHOOT (VERIFIES):
Root ID; Bridge ID; Interfaces Roles / States / Costs / Types
Name; Revision #; VLANs-to-Instance mappings
L2 SECURITY
Port Security
Port Based Authentication
L2 Attacks Mitigation
VLANs Security
Network Monitoring
PORT SECURITY
OVERVIEW
the port security feature on Catalyst switches allows port access to be controlled based on MAC addresses
can only be enabled on ports explicitly set to access mode!
CONFIGURATION (STEP # / COMMAND / COMMENTS):
<S1(config-if)#switchport port-security>
<S1(config-if)#shut>
<S1(config-if)#no shut>
TSHOOT:
show port-security
show port-security interface (interface)
show interfaces status err-disabled
clear port-security dynamic (address (H.H.H) | interface (interface))
802.1x
a combination of port security and AAA
only supported by RADIUS servers
when enabled, the switch will not pass any traffic until the user has authenticated with the switch
i.e. any services offered by the switch will not be made available to the connected device until authentication takes place
both the switch and the end user's PC must support the 802.1x standard
it uses EAPOL (Extensible Authentication Protocol over LAN), a shell that carries the authentication information (the switch does not check the content, it just passes it to the defined server)
either the switch or the client can initiate an 802.1x session
if the client is configured for 802.1x but the switch is not, the client abandons the protocol and continues to communicate normally
if the switch is configured for 802.1x but the client is not, the switchport remains in the unauthorized state and will not forward any traffic to the client
protocols allowed through the switchport before authentication takes place:
o EAPOL
o STP
o CDP
802.1x CONFIGURATION (STEP # / COMMAND / COMMENTS):
ENABLE AAA: <S1(config)#aaa new-model>
ENABLE 802.1X
CONFIGURE PORTS
TSHOOT
L2 ATTACKS MITIGATION
DHCP SPOOFING
the attacker responds to DHCP Requests, listing himself as the default gateway or DNS server
CONFIGURATION (STEP # / COMMAND / COMMENTS):
No limit by default.
*OPTION-82: Enabled by default.
TSHOOT
ADDRESS SPOOFING
CONFIGURATION (STEP # / COMMAND / COMMENTS):
<S1(config)#ip dhcp snooping>
ENABLE PORT-SECURITY: <S1(config-if)#switchport port-security>
STATIC IP BINDINGS: <S1(config)#ip source binding (mac address) vlan (vlan id) (A.A.A.A) interface (interface)>
TSHOOT
the attacker sends their own crafted ARP Reply in response to a broadcast ARP Request and thus wedges into the normal forwarding path
packets will be sent to the attacker instead of the legitimate destination
CONFIGURATION (STEP # / COMMAND / COMMENTS):
ENABLE DAI
*VALIDATE L2 HEADER
<S1(config)#ip arp inspection filter (ARP ACL name) vlan (vlan id) (*static)>
TSHOOT
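DHCP snooping, IP Source Guard and DAI (the three mitigations above) all work off one binding table; the added example below models that on a constructed access switch. It is not the notes' or Cisco's code, and the port names, MACs and addresses are invented.

```python
"""Constructed model of DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source
Guard sharing one binding table. Added example, not from the original notes;
port names, MACs and addresses are made up."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted: set                       # ports towards the real DHCP server / other switches
    validate_src_mac: bool = True      # the "validate L2 header" check: eth src == ARP sender
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port of the client's DISCOVER
    log: list = field(default_factory=list)

    def dhcp_client(self, port, vlan, mac):
        """DISCOVER/REQUEST seen on an untrusted port: remember where the client sits."""
        self.pending[(vlan, mac)] = port

    def dhcp_server(self, port, vlan, client_mac, ip):
        """OFFER/ACK is only accepted on a trusted port (rogue server mitigation)."""
        if port not in self.trusted:
            self.log.append(f"DHCP-SNOOP drop: server reply on untrusted {port}")
            return False
        client_port = self.pending.get((vlan, client_mac))
        if client_port is None:
            return False
        self.bindings[(vlan, client_mac)] = Binding(client_mac, ip, vlan, client_port)
        return True

    def ip_source_binding(self, mac, vlan, ip, port):
        """Static entry, like 'ip source binding <mac> vlan <id> <ip> interface <if>'."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def arp(self, port, vlan, eth_src, sender_mac, sender_ip):
        """DAI: an ARP on an untrusted port must match a binding for that port."""
        if port in self.trusted:
            return True
        if self.validate_src_mac and eth_src != sender_mac:
            self.log.append(f"DAI drop on {port}: eth src {eth_src} != ARP sender {sender_mac}")
            return False
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            self.log.append(f"DAI drop on {port}: {sender_mac}/{sender_ip} has no binding")
            return False
        return True

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: on an untrusted port the source IP/MAC must match the
        binding learnt (or configured) for that very port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.ip != src_ip or b.port != port:
            self.log.append(f"IPSG drop on {port}: {src_mac}/{src_ip}")
            return False
        return True


def run_scenario():
    """Constructed traffic: one legitimate client on fa0/2, one rogue host on fa0/5."""
    sw = Switch(trusted={"gi0/1"})
    sw.dhcp_client("fa0/2", 10, "aa:aa:aa:aa:aa:aa")
    results = {
        # a DHCP server answering from an access port
        "rogue_offer": sw.dhcp_server("fa0/5", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.50"),
        # the real server, reached through the trusted uplink
        "real_ack": sw.dhcp_server("gi0/1", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.20"),
    }
    sw.ip_source_binding("cc:cc:cc:cc:cc:cc", 10, "10.0.0.30", "fa0/7")   # printer, static
    results.update({
        "arp_ok": sw.arp("fa0/2", 10, "aa:aa:aa:aa:aa:aa", "aa:aa:aa:aa:aa:aa", "10.0.0.20"),
        # rogue host claiming the gateway's address
        "arp_spoof": sw.arp("fa0/5", 10, "bb:bb:bb:bb:bb:bb", "bb:bb:bb:bb:bb:bb", "10.0.0.1"),
        # ARP body disagrees with the Ethernet header
        "arp_l2_mismatch": sw.arp("fa0/2", 10, "aa:aa:aa:aa:aa:aa", "dd:dd:dd:dd:dd:dd", "10.0.0.20"),
        # rogue host borrowing the legitimate client's addresses
        "ip_spoof": sw.ip_packet("fa0/5", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.20"),
        "ip_ok": sw.ip_packet("fa0/2", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.20"),
        "ip_static_ok": sw.ip_packet("fa0/7", 10, "cc:cc:cc:cc:cc:cc", "10.0.0.30"),
    })
    return results, sw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, permitted in verdicts.items():
        print(f"{name:16} {'permit' if permitted else 'drop'}")
    print(*log, sep="\n")
```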
the attacker floods the LAN with packets creating excessive traffic and hurting network performance
can increase the CPU utilization on a switch to 100%
CONFIGURATION (STEP # / COMMAND / COMMENTS):
threshold options: level (level-low) | bps (bps-low) | pps (pps-low)
TSHOOT
SWITCH SPOOFING
MITIGATION:
Explicitly set switchport mode to access:
<S1(config-if)#switchport mode access>
Disable DTP:
<S1(config-if)#switchport nonegotiate>
Shut down any unused ports:
<S1(config-if)#shut>
VLAN HOPPING
the attacker crafts and sends frames with spoofed 802.1Q tags
the payload arrives on a totally different VLAN, without the use of a L3 device
the attack is possible when:
MITIGATION:
To force a switch to tag the native VLAN on all its 802.1q trunks:
<S1(config)#vlan dot1q tag native>
VLANs SECURITY
VACLs
VACLs CONFIGURATIONS (STEP # / COMMANDS / COMMENTS):
DEFINE ACTION
APPLY TO VLAN
TSHOOT
PRIVATE VLANs
OVERVIEW
PROMISCUOUS: communicates with every port within the PRIMARY and SECONDARY VLANs
HOST: can communicate only with the PROMISCUOUS port or with ports within the same COMMUNITY VLAN
if PRIVATE VLANs are to be implemented the switch has to be set to VTP TRANSPARENT mode!
COMMANDS / COMMENTS:
LAYER 2: <S1(config-vlan)#private-vlan primary>
LAYER 3
TSHOOT
NETWORK MONITORING
SYSLOG
SYSLOG CONFIGURATIONS (STEP # / COMMANDS / COMMENTS):
ENABLE LOGGING: <Router(config)#logging on>
SERVER: <Router(config)#logging host (hostname | A.A.A.A)>
CONSOLE
BUFFER
<Router#terminal monitor>
LVL / KEYWORD / LINES:
0 EMERGENCIES
1 ALERTS
2 CRITICAL
3 ERRORS
4 WARNINGS
5 NOTIFICATIONS
6 INFORMATIONAL
7 DEBUGGING
TSHOOT:
show logging
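As an added example (not from the original notes), a small parser for IOS-style syslog lines that maps the severity number to the level keywords above, filters at a threshold the way a logging level setting does, and pulls out err-disable events for triage; SAMPLE is constructed in the IOS message format.

```python
"""Parse IOS-style syslog lines (%FACILITY-SEVERITY-MNEMONIC: text), map the numeric
severity to the keyword used with 'logging ... <level>' and keep what a given
threshold would forward. Added example, not from the original notes; SAMPLE is
constructed in the IOS message format, not captured from a device."""
import re

# level number -> keyword, as used by logging console / buffered / trap
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
ERRDISABLE = re.compile(r"(?P<cause>\S+) error detected on (?P<port>[^,\s]+)")

SAMPLE = [
    "Mar  1 00:12:05.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.",
    "Mar  1 00:12:05.125: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state",
    "Mar  1 00:12:07.001: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down",
    "Mar  1 00:12:08.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down",
    "Mar  1 00:15:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "Mar  1 00:20:42.512: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.",
    "Mar  1 00:21:10.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state",
]


def parse(line):
    """Return the message fields, or None when the line is not an IOS syslog message."""
    m = MSG.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"], "severity": sev, "level": LEVELS[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def at_or_above(lines, threshold):
    """'logging trap <threshold>' semantics: a lower number is more severe, so keep
    messages whose severity number is <= the threshold's number."""
    limit = LEVELS.index(threshold)
    return [p for p in map(parse, lines) if p is not None and p["severity"] <= limit]


def errdisable_events(lines):
    """Triage list of (port, cause) from PM-4-ERR_DISABLE messages, e.g. a BPDU Guard or
    port-security hit that needs a manual shut / no shut (or errdisable recovery)."""
    events = []
    for p in filter(None, map(parse, lines)):
        if p["facility"] == "PM" and p["mnemonic"] == "ERR_DISABLE":
            m = ERRDISABLE.search(p["text"])
            if m:
                events.append((m["port"], m["cause"]))
    return events


if __name__ == "__main__":
    for p in at_or_above(SAMPLE, "warnings"):
        print(p["severity"], p["level"], p["mnemonic"], p["text"])
    print(errdisable_events(SAMPLE))
```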
SNMP
SNMP network management applications periodically use UDP to poll the agent residing on a managed device for useful, predetermined information
SNMP traps are sent when certain events take place
the data collected by the agent is stored in the MIB
community strings are used to provide a level of authorization: RO (Read Only) and RW (Read Write)
versions:
o v1
o v2c
o v3
SNMP CONFIGURATIONS (STEP # / COMMANDS / COMMENTS):
TSHOOT
IP SLA
IP SLA OPERATION:
1. the source sends an IP SLA control message with the configured operation (protocol, port and duration) to the responder (UDP 1967)
2. the responder sends a confirmation message back to the source router and listens on the specified port
3. if the response to the control message is OK, the source begins sending probe packets
4. the responder responds to the incoming probe packets for the predetermined time
IP SLA CONFIGURATIONS (COMPONENTS / COMMANDS / COMMENTS):
PROBE
SCHEDULE: <Router(config)#ip sla schedule (probe number 1-2147483647) (life (0-2147483647 sec.) | forever) start-time (hh:mm:ss | now | pending)>
To verify:
TRACKING OBJECTS: <Router#show track>
RESPONDERS
TSHOOT (VERIFIES):
operation ID; type of operation; start time; latest return code: OK | FAIL; number of successes / failures; operation TTL
type of operation; target address / source interface; schedule; threshold; statistics
EXAMPLE
HIGH AVAILABILITY
Redundant Supervisory Engines
First Hop Redundancy Protocols
REDUNDANT SUPERVISORY ENGINES: RPR | RPR+ | SSO
RPR
RPR+
SSO (Stateful Switchover):
the redundant supervisor is fully booted and initialized
startup and running configurations, ACLs, L2 + L3 tables are synced between the ACTIVE and STANDBY modules
L2 information and switch port states are maintained on both supervisors (hardware switching is not affected during failover)
FAILOVER TIME: 0 - 3 sec. (C6500) | < 1 sec. (C4500)
ENABLE REDUNDANCY (COMMANDS / COMMENTS): <Router(config)#redundancy>
TSHOOT
NSF
BGP
OSPF
EIGRP
IS-IS
NSF CONFIGURATIONS (PROTOCOL / COMMANDS / COMMENTS):
BGP
EIGRP
OSPF
IS-IS
FIRST HOP REDUNDANCY PROTOCOLS
                 HSRP             VRRP             GLBP
STANDARD         CISCO            RFC 3768         CISCO
MULTICAST        224.0.0.2        224.0.0.18       224.0.0.102
TRANSPORT        UDP 1985         IP 112           UDP 3222
vMAC             0000.0c07.acxx   0000.5e00.01xx   0007.b4xx.xxyy
LOAD BALANCING   NO               NO               YES
IPv6             YES              NO               YES
GROUP            0-255            1-255            0-1023
PRIORITY         100 (0-255)      100 (1-254)      100 (1-255)
HELLO            3 (1-254)        1 (1-255)        3 (1-254)
PREEMPT          YES (DISABLED)   YES (ENABLED)    YES (DISABLED)
TRACKING         YES (INTERFACE)
ROLES
HSRP
OVERVIEW
vMAC ver. 1: 0000.0C (CISCO VENDOR ID) 07.AC (HSRP ID) xx (x - STANDBY GROUP #)
vMAC ver. 2: 0000.0C (CISCO VENDOR ID) 9F.F (HSRP ID) xxx (x - STANDBY GROUP #)
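The vMAC layouts from the comparison table and the HSRP overview above, as an added example (not from the original notes): derive the virtual MAC for a group and recognise which FHRP, and which group, owns a MAC seen in an ARP table. The ARP entries in audit_sample() are constructed.

```python
"""FHRP virtual MAC helpers: derive the vMAC for a group and recognise which FHRP
(and which group) a MAC seen in an ARP table belongs to. Added example, not from
the original notes; the ARP entries in audit_sample() are constructed."""
import re


def _dotted(raw):
    """48-bit integer -> Cisco dotted hex notation (xxxx.xxxx.xxxx)."""
    h = f"{raw:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_vmac(group, version=1):
    """v1: 0000.0c07.acxx (group 0-255); v2: 0000.0c9f.fxxx (group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return _dotted(0x00000C07AC00 | group)
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return _dotted(0x00000C9FF000 | group)


def vrrp_vmac(vrid):
    """0000.5e00.01xx (VRID 1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return _dotted(0x00005E000100 | vrid)


def glbp_vmac(group, forwarder):
    """0007.b4xx.xxyy: xxxx = group (0-1023), yy = forwarder number (1-4)."""
    if not (0 <= group <= 1023 and 1 <= forwarder <= 4):
        raise ValueError("group 0-1023, forwarder 1-4")
    return _dotted(0x0007B4000000 | (group << 8) | forwarder)


def classify(mac):
    """Return (protocol, group) or (protocol, group, forwarder); None if not an FHRP vMAC."""
    raw = int(re.sub(r"[.:-]", "", mac), 16)
    if raw >> 8 == 0x00000C07AC:
        return ("HSRPv1", raw & 0xFF)
    if raw >> 12 == 0x00000C9FF:
        return ("HSRPv2", raw & 0xFFF)
    if raw >> 8 == 0x00005E0001:
        return ("VRRP", raw & 0xFF)
    if raw >> 24 == 0x0007B4:
        return ("GLBP", (raw >> 8) & 0xFFFF, raw & 0xFF)
    return None


def audit_gateways(arp_entries, gateway_ips):
    """Map each expected gateway IP to the FHRP/group that answers for it.
    A gateway IP answered by a plain (non-FHRP) MAC deserves a look: it may be a
    misconfigured router, or a host answering ARP for the gateway address."""
    report = {}
    for ip, mac in arp_entries:
        if ip in gateway_ips:
            report[ip] = classify(mac) or ("NOT-FHRP", mac.lower())
    return report


def audit_sample():
    # constructed 'show ip arp'-style entries, not taken from a real device
    arp = [
        ("10.0.0.1", "0000.0c07.ac01"),   # HSRPv1 group 1
        ("10.0.0.2", "0000.5e00.0105"),   # VRRP VRID 5
        ("10.0.0.3", "0007.b400.0a02"),   # GLBP group 10, forwarder 2
        ("10.0.0.4", "0011.2233.4455"),   # gateway IP answered by an ordinary NIC
        ("10.0.0.50", "00aa.bbcc.ddee"),  # a host, not a gateway
    ]
    return audit_gateways(arp, {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"})


if __name__ == "__main__":
    for ip, owner in audit_sample().items():
        print(ip, owner)
```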
HSRP STATES
INITIAL: HSRP has not been enabled (the state is entered through a configuration change OR when an interface first becomes available)
LEARN: awaiting HELLOs from the ACTIVE router (the vIP has not yet been configured and no HELLO has been received from the ACTIVE router)
LISTEN
SPEAK: active participation in the ACTIVE / STANDBY router election (note: to enter this state, a router has to have a vIP configured)
STANDBY
ACTIVE
HSRP CONFIGURATIONS (STEP # / COMMANDS / COMMENTS):
ACTIVATION
VERSION
NAME: <Router(config-if)#standby (group number; 0-255) name (group name; 25 char max., no spaces)>
GROUP PRIORITY
vIP
TUNING
PREEMPTION: <Router(config-if)#standby (group number) preempt (*delay (minimum (0-3600 sec.)) (reload (0-3600 sec.)))>
TRACKING
TIMERS
STANDBY ACTIVE
LISTEN STANDBY
AUTHENTICATION
o PLAIN-TEXT
o MD5
LOAD BALANCING
! Two HSRP groups on VLAN 50: each switch is ACTIVE for one group and STANDBY for the other.
! The physical addresses .3 and .4 are assumed; the original listed the network address
! 192.168.1.0, which IOS rejects as an interface address.
CatalystA(config)#interface vlan50
CatalystA(config-if)#ip address 192.168.1.3 255.255.255.0
CatalystA(config-if)#standby 1 priority 200
CatalystA(config-if)#standby 1 preempt
CatalystA(config-if)#standby 1 ip 192.168.1.1
CatalystA(config-if)#standby 1 authentication cisco123
CatalystA(config-if)#standby 2 priority 100
CatalystA(config-if)#standby 2 ip 192.168.1.2
CatalystA(config-if)#standby 2 authentication cisco123
CatalystB(config)#interface vlan50
CatalystB(config-if)#ip address 192.168.1.4 255.255.255.0
CatalystB(config-if)#standby 1 priority 100
CatalystB(config-if)#standby 1 ip 192.168.1.1
CatalystB(config-if)#standby 1 authentication cisco123
CatalystB(config-if)#standby 2 priority 200
CatalystB(config-if)#standby 2 preempt
CatalystB(config-if)#standby 2 ip 192.168.1.2
CatalystB(config-if)#standby 2 authentication cisco123
VERIFICATION
COMMAND                                      VERIFIES
show standby
show standby brief
show standby neighbors
debug standby (errors | events | packets)
VRRP
OVERVIEW
vMAC format: 0000.5E00 (VENDOR ID) + 01 (VRRP ID) + xx (x - VRID)
VRRP STATES
INITIALIZE
BACKUP
MASTER: Responds to traffic sent to the vIP (once elected, it broadcasts a gratuitous ARP with vMAC:vIP and multicasts HELLOs with vMAC:own IP)
VRRP CONFIGURATIONS
STEP #          COMMANDS        COMMENTS
ACTIVATION
DESCRIPTION
GROUP PRIORITY                  *NOTE: when the current Master fails, it advertises priority = 0, forcing the election process
vIP
PREEMPTION                      Enabled by default
TRACKING
TIMERS
AUTHENTICATION
o PLAIN-TEXT
o MD5
<Router(config-keychain-key)#key-string (0 | 7) (string)>
<Router(config-if)#vrrp (group number) authentication md5 key-chain (chain name)>
VERIFICATION
COMMAND         VERIFIES
show vrrp
GLBP
OVERVIEW
AVG (ACTIVE VIRTUAL GATEWAY): the router in the group with the highest configured priority OR highest IP address
o manages the load balancing and responds to ARPs sent to the vIP
o assigns vMAC addresses to itself and the AVFs
o listens to all ARP requests on a given subnet and responds with a vMAC chosen by one of the load balancing algorithms
o also functions as an AVF
AVF (ACTIVE VIRTUAL FORWARDER): a router participating in the GLBP group that was assigned this role by the AVG
vMAC format: 0007.B4 (CISCO VENDOR ID) + xx.xx (GLBP ID) + yy (AVF#), i.e. 0007.B4xx.xxyy
LOAD BALANCING ALGORITHMS:
o weighted: based on the preconfigured weighting value (the gateway's forwarding capacity; the higher the value, the more frequent the ARP replies)
o host-dependent: each host always uses the same specific AVF
o round robin: each vMAC is used to respond in turn
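The vMAC layouts given in the HSRP, VRRP and GLBP overviews above, worked through in code. This is an added example, not part of the study guide; it assumes HSRPv2 uses 0000.0c9f.f plus a 12-bit group (0-4095) and GLBP uses 0007.b4 plus a 16-bit group and an 8-bit AVF number, and classify_vmac() lets a defender recognise FHRP virtual addresses in an ARP or MAC table.

```python
"""Derive and recognise FHRP virtual MAC addresses (HSRP, VRRP, GLBP).

Added example, not part of the study guide.  It encodes the vMAC layouts given
in the HSRP, VRRP and GLBP overviews; two details are assumptions: HSRPv2 is
taken as 0000.0c9f.f + a 12-bit group (0-4095), and GLBP as 0007.b4 + 16-bit
group + 8-bit AVF number.
"""
import re
from typing import Optional


def _fmt(raw: int) -> str:
    """48-bit integer -> Cisco dotted-hex notation (xxxx.xxxx.xxxx)."""
    h = f"{raw:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_vmac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.acxx (group 0-255); HSRPv2: 0000.0c9f.fxxx (assumed)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return _fmt(0x00000C07AC00 | group)
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return _fmt(0x00000C9FF000 | group)
    raise ValueError("version must be 1 or 2")


def vrrp_vmac(vrid: int) -> str:
    """VRRP: 0000.5e00.01xx, xx = VRID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return _fmt(0x00005E000100 | vrid)


def glbp_vmac(group: int, avf: int) -> str:
    """GLBP: 0007.b4xx.xxyy, xxxx = group (0-1023), yy = AVF number (assumed 1-4)."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group must be 0-1023")
    if not 1 <= avf <= 4:
        raise ValueError("AVF number must be 1-4")
    return _fmt(0x0007B4000000 | (group << 8) | avf)


def classify_vmac(mac: str) -> Optional[dict]:
    """Return protocol/group for an FHRP vMAC in any common notation, else None."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    raw = int(h, 16)
    if raw >> 8 == 0x00000C07AC:          # HSRPv1 prefix, last byte = group
        return {"protocol": "HSRPv1", "group": raw & 0xFF}
    if raw >> 12 == 0x00000C9FF:          # HSRPv2 prefix, low 12 bits = group
        return {"protocol": "HSRPv2", "group": raw & 0xFFF}
    if raw >> 8 == 0x00005E0001:          # VRRP prefix, last byte = VRID
        return {"protocol": "VRRP", "group": raw & 0xFF}
    if raw >> 24 == 0x0007B4:             # GLBP prefix, then group, then AVF
        return {"protocol": "GLBP", "group": (raw >> 8) & 0xFFFF, "avf": raw & 0xFF}
    return None


if __name__ == "__main__":
    # Constructed MAC-table entries: three virtual gateways and one ordinary host.
    for entry in ("0000.0c07.ac01", "0000.5e00.0101", "00:07:b4:00:05:02", "001b.d41b.a4d8"):
        print(entry, classify_vmac(entry))
```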
GLBP STATES
AVG
DISABLED: Indicates that the vIP address has not been configured or learned yet, but other GLBP configuration exists.
INITIAL: The vIP address has been configured or learned, but virtual gateway configuration is not complete (vIP has not been configured / check IP routing on the interface)
LISTEN: Virtual gateway is receiving HELLO packets and is ready to change to the SPEAK state (if the ACTIVE or STANDBY AVG becomes unavailable)
SPEAK
STANDBY
ACTIVE
AVF
DISABLED: Indicates that the vMAC has not been assigned or learned (this is a transitory state because a virtual forwarder changing to a DISABLED state is deleted)
INITIAL: The vIP address has been configured or learned, but virtual gateway configuration is not complete (vIP has not been configured / check IP routing on the interface)
LISTEN: Virtual forwarder is receiving HELLOs and is ready to change to the ACTIVE state if the current ACTIVE AVF becomes unavailable.
ACTIVE: Indicates that this gateway is the AVF (is responsible for forwarding packets sent to the virtual forwarder MAC)
GLBP CONFIGURATIONS
STEP #          COMMANDS                                                                                     COMMENTS
ACTIVATION
*NAME
PRIORITY
VIRTUAL IP
TUNING
PREEMPT
LOAD-BALANCING
WEIGHTING       <Router(config-if)#glbp (group number) weighting (100, 1-254) (lower (1-99) upper (1-100))>
TRACKING        <Router(config-if)#glbp (group number) weighting track (tracked object; 1-500) decrement (1-255)>
                <Router(config)#track (object; 1-500) interface (interface) (line-protocol | ip routing)>
TIMERS          <Router(config-if)#glbp (group number) timers (hello; 3, 1-254 sec.) (hold; 10, 1-254 sec.)>
                <Router(config-if)#glbp (group number) timers msec (hello; 15-999 msec.) msec (hold; 50-3000 msec.)>
                <Router(config-if)#glbp (group number) timers redirect (600, 0-3600 sec.) (timeout; 14400, 622-64600 sec.)>
AUTHENTICATION
o PLAIN-TEXT
o MD5
VERIFICATION
COMMAND         VERIFIES
show glbp
debug glbp
APPENDIXES
IPv4 Subnetting
RIP
EIGRP
OSPF
IS-IS
BGP
NAT
IPSec
IPv6
EtherChannel considerations
By stretch | Monday, January 18, 2010 at 4:04 a.m. UTC
EtherChannel is Cisco's term for bundling two or more physical Ethernet links for the purposes of aggregating available bandwidth
and, to a lesser extent, providing a measure of physical redundancy. Under normal conditions, all but one redundant physical link
between two switches will be disabled by STP at one end.
With EtherChannel configured, multiple links are grouped into a port-channel, which is assigned its own configurable virtual
interface. The bundle is treated as a single link.
EtherChannel Negotiation
An EtherChannel can be established using one of three mechanisms: PAgP, LACP, or static configuration ("on").
Any of these three mechanisms will suffice for most scenarios; however, the choice does deserve some consideration. PAgP, while
perfectly able, should probably be disqualified as a legacy proprietary protocol unless you have a specific need for it (such as
ancient hardware). That leaves LACP and "on", both of which have a specific benefit.
LACP helps protect against switching loops caused by misconfiguration; when enabled, an EtherChannel will only be formed after
successful negotiation between its two ends. However, this negotiation introduces an overhead and delay in initialization. Statically
configuring an EtherChannel ("on") imposes no delay yet can cause serious problems if not properly configured at both ends.
To configure an EtherChannel using LACP negotiation, each side must be set to either active or passive; only interfaces
configured in active mode will attempt to negotiate an EtherChannel. Passive interfaces merely respond to LACP requests. PAgP
behaves the same, but its two modes are referred to as desirable and auto.
*Mar  1 00:45:50.647: %LINK-3-UPDOWN: Interface <member port>, changed state to up
*Mar  1 00:45:50.683: %LINK-3-UPDOWN: Interface <member port>, changed state to up
*Mar  1 00:45:50.691: %LINK-3-UPDOWN: Interface <member port>, changed state to up
*Mar  1 00:45:53.487: %LINK-3-UPDOWN: Interface <port-channel>, changed state to up
Almost a full three seconds elapsed between the member ports transitioning to the up state and the port-channel interface coming
up. Once it did, we can see the state of the EtherChannel has changed to "in use":
S1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/13(P)   Fa0/14(P)   Fa0/15(P)
Note the S indicating layer two operation; on multilayer platforms, EtherChannel interfaces can be configured for routed operation
as well.
For comparison, let's reconfigure the EtherChannel to function without a negotiation protocol ("on" mode):
S1(config)# no interface po1
S1(config)# interface range f0/13 -15
S1(config-if-range)# channel-group 1 mode on
Creating a port-channel interface Port-channel 1
S1(config-if-range)# no shutdown
This time we observe that the port-channel interface is enabled as soon as its first member port comes up, as there is no delay
imposed by negotiation:
*Mar  1 00:56:12.271: %LINK-3-UPDOWN: Interface <interface>, changed state to up
*Mar  1 00:56:12.287: %LINK-3-UPDOWN: Interface <interface>, changed state to up
*Mar  1 00:56:12.291: %LINK-3-UPDOWN: Interface <interface>, changed state to up
*Mar  1 00:56:12.307: %LINK-3-UPDOWN: Interface <interface>, changed state to up
In the Campus Network High Availability Design Guide, Cisco recommends forgoing the use of a negotiation protocol and
configuring EtherChannels for static "on/on" operation; however, they also caution that this approach offers no protection against
the effect of misconfigurations.
EtherChannel Load-Balancing
Another consideration to make when implementing EtherChannels is the type of load-balancing in effect. EtherChannel provides
load-balancing only per frame, not per bit. A switch decides which member link a frame will traverse by the outcome of a hash
function performed against one or more fields of each frame. Which fields are considered is dependent on the switch platform and
configuration. For example, a Catalyst 3550 can match only against a frame's destination or source MAC address:
S1(config)# port-channel load-balance ?
dst-mac Dst Mac Addr
src-mac Src Mac Addr
The show etherchannel load-balance command reveals that source MAC address load-balancing is default on the
Catalyst 3550:
S1# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
IPv4: Source MAC address
More powerful platforms can match against IP address(es) or layer four port(s). Generally speaking, higher layer fields are more
favorable as they tend to be more dynamic, resulting in a more granular distribution of traffic across member links.
Direction of flow is also an important detail. For example, consider the following topology:
Routed packets entering the subnet from S1 are always sourced from the MAC address of the VLAN interface. If source MAC
load-balancing is in use, these frames will be forwarded down only one member link, because the outcome of the hash function will
always be the same. Configuring destination MAC load-balancing on S1 is recommended to achieve a more varied distribution of
frames and make better use of the available bandwidth.
The opposite is true on S2: Since all frames entering the EtherChannel from LAN hosts are destined for the MAC address of the
gateway (VLAN interface), source MAC address load-balancing works better here.
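The hashing argument above, simulated in code: this is an added example, not from the post. The hash is a constructed stand-in (XOR of the bytes of the selected fields, modulo the number of member links) because the real per-platform hash is not given on the page; the gateway MAC is reused from the spanning-tree output later on this page and the host MACs are made up.

```python
"""Per-frame EtherChannel link selection for the S1 <-> S2 topology above.

Added example, not from the post.  The hash is a constructed stand-in (XOR of
the bytes of the selected fields, modulo the number of member links); the real
hash differs per platform, but any deterministic hash of one constant field
lands every frame on the same link, which is the post's point.
"""
from collections import Counter
from typing import Iterable, Tuple


def member_link(frame: dict, fields: Tuple[str, ...], links: int) -> int:
    """Index of the member link chosen for one frame from the hashed fields."""
    h = 0
    for name in fields:
        for byte in bytes.fromhex(frame[name].replace(".", "").replace(":", "")):
            h ^= byte
    return h % links


def distribution(frames: Iterable[dict], fields: Tuple[str, ...], links: int = 3) -> Counter:
    """How many frames each member link carries under the given hash fields."""
    return Counter(member_link(f, fields, links) for f in frames)


def links_used(frames: Iterable[dict], fields: Tuple[str, ...], links: int = 3) -> int:
    """Number of distinct member links that carry at least one frame."""
    return len(distribution(list(frames), fields, links))


# Constructed traffic: S1's VLAN interface (gateway MAC reused from the page's
# spanning-tree output) routes packets to eight LAN hosts behind S2.
GATEWAY_MAC = "0013.c412.0f00"
HOST_MACS = [f"0021.55c8.f1{n:02x}" for n in range(0x30, 0x38)]
DOWNSTREAM = [{"src-mac": GATEWAY_MAC, "dst-mac": h} for h in HOST_MACS]  # S1 -> S2
UPSTREAM = [{"src-mac": h, "dst-mac": GATEWAY_MAC} for h in HOST_MACS]    # S2 -> S1

if __name__ == "__main__":
    for label, frames in (("S1 (downstream)", DOWNSTREAM), ("S2 (upstream)", UPSTREAM)):
        for fields in (("src-mac",), ("dst-mac",)):
            print(f"{label:16} {fields[0]}: {dict(distribution(frames, fields))}")
```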
http://packetlife.net/blog/2010/jan/18/etherchannel-considerations/
IOS Etherchannel allows multiple physical links to be bonded via a single virtual interface so that their bandwidth is aggregated and
each link bears a (roughly) equal share of the traffic load. However, extra consideration should be paid when designing
Etherchannel links, as member links can fail, decreasing the aggregate link bandwidth without taking down the link.
Layer Two
In the above topology, three Etherchannels have been configured between the three switches, each composed of three 100 Mbps
member links. S1 is the spanning tree root. The Etherchannels were deployed with two design goals in mind:
Provide n + 1 redundancy (the Etherchannel will remain up with a single failed link).
We can see that each Etherchannel, having an aggregate bandwidth of 300 Mbps, is assigned a spanning tree cost of 9:
S1# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    1
             Address     0013.c412.0f00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec

  Bridge ID  Priority    1      (priority 0 sys-id-ext 1)
             Address     0013.c412.0f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p
Fa0/3               Desg FWD 19        128.3    P2p
Fa0/5               Desg FWD 19        128.5    P2p
Fa0/9               Desg FWD 19        128.9    P2p
Fa0/19              Desg FWD 19        128.19   P2p Peer(STP)
Fa0/20              Desg FWD 19        128.20   P2p Peer(STP)
Fa0/21              Desg FWD 19        128.21   P2p Peer(STP)
Po13                Desg FWD 9         128.65   P2p
Po12                Desg FWD 9         128.66   P2p
What happens if one of the member links between S1 and S2 fails? The aggregate bandwidth of the Etherchannel is recalculated
as 200 Mbps, and the STP cost rises from 9 to 12:
S2# show spanning-tree vlan 1
...
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
...
Po23                Altn BLK 9         128.65   P2p
Po12                Root FWD 12        128.66   P2p
Our spanning topology remains unchanged: although the cost of S2's direct path to root has been raised from 9 to 12, 12 is still
lower than the aggregate cost to root (via S3) of 18 (9 + 9).
However, if a second link in the Etherchannel fails, leaving only a single 100 Mbps member link, its bandwidth is further reduced to
100 Mbps and its cost raised to 19. At this point, the alternate path to root via S3 has a lower cost. The spanning tree topology
reconverges to reflect this:
S2# show spanning-tree vlan 1
...
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
...
Po23                Root FWD 9         128.65   P2p
Po12                Altn BLK 19        128.66   P2p
Layer Three
Port-channel interfaces can operate as routed interfaces with IP addresses. The following snippet shows how a simple layer three
Etherchannel is configured:
interface Port-channel12
no switchport
ip address 10.0.12.1 255.255.255.0
!
interface FastEthernet0/13
no switchport
no ip address
channel-group 12 mode active
!
interface FastEthernet0/14
no switchport
no ip address
channel-group 12 mode active
!
interface FastEthernet0/15
no switchport
no ip address
channel-group 12 mode active
OSPF is a good choice as an IGP for this setup because it bases interface metrics on bandwidth. However, the default OSPF
reference bandwidth is only 100 Mbps; any interface equal to or higher than 100 Mbps receives a cost of 1, which doesn't allow
differentiation between healthy and partially-failed Etherchannels.
S1# show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               10.0.0.1/32        1     P2P   0/0
Po12         1     0               10.0.12.1/24       1     BDR   1/1
Po13         1     0               10.0.13.1/24       1     BDR   1/1
To resolve this, we raise the OSPF reference bandwidth to something much higher (say, 100 Gbps):
S1(config)# router ospf 1
S1(config-router)# auto-cost reference-bandwidth ?
  The reference bandwidth in terms of Mbits per second
S1(config-router)# auto-cost reference-bandwidth 100000
% OSPF: Reference bandwidth is changed.
        Please ensure reference bandwidth is consistent across all routers.
S1(config-router)# ^Z
S1# show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               10.0.0.1/32        1     P2P   0/0
Po12         1     0               10.0.12.1/24       333   BDR   1/1
Po13         1     0               10.0.13.1/24       333   BDR   1/1
As you've probably predicted, the cost for S2 to reach the loopback interface of S1 (10.0.0.1/32) is 334 (333 for the Etherchannel
plus a metric of 1 for the loopback interface):
S2# show ip route 10.0.0.1
Routing entry for 10.0.0.1/32
Known via "ospf 1", distance 110, metric 334, type intra area
Last update from 10.0.12.1 on Port-channel12, 00:00:16 ago
Routing Descriptor Blocks:
* 10.0.12.1, from 10.0.0.1, 00:00:16 ago, via Port-channel12
Route metric is 334, traffic share count is 1
Revisiting our scenario with a failed member link between S1 and S2, we can observe very similar failover behavior (or rather, a
lack thereof):
S2# show ip route 10.0.0.1
Routing entry for 10.0.0.1/32
Known via "ospf 1", distance 110, metric 501, type intra area
Last update from 10.0.12.1 on Port-channel12, 00:00:02 ago
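The STP and OSPF cost changes the post walks through (Layer Two and Layer Three sections), recomputed in code. This is an added example, not from the post: the STP cost table combines the 802.1D-1998 values with the 200 and 300 Mbps aggregates observed in the post's output, and the OSPF cost is reference bandwidth divided by interface bandwidth, floored to 1, which is the calculation the post relies on.

```python
"""Recompute the EtherChannel STP and OSPF costs the post observes as member
links fail, and the root-port decision S2 makes from them.

Added example, not from the post.  STP costs use the 802.1D-1998 table plus the
aggregate values the post's output shows (300 Mbps -> 9, 200 Mbps -> 12); the
OSPF cost is reference bandwidth / interface bandwidth, floored to 1.
"""
from dataclasses import dataclass
from typing import Dict

# STP port cost by bandwidth in Mbps: 802.1D-1998 short values plus the
# 2- and 3-link EtherChannel aggregates seen in the post.
STP_COST: Dict[int, int] = {10: 100, 100: 19, 200: 12, 300: 9, 1000: 4, 10000: 2}


@dataclass
class EtherChannel:
    member_mbps: int   # bandwidth of one member link
    members_up: int    # members currently bundled

    @property
    def bandwidth(self) -> int:
        if self.members_up < 1:
            raise ValueError("port-channel is down: no member links")
        return self.member_mbps * self.members_up

    def stp_cost(self) -> int:
        """STP cost IOS assigns to the port-channel at its current bandwidth."""
        try:
            return STP_COST[self.bandwidth]
        except KeyError:
            raise ValueError(f"no STP cost known for {self.bandwidth} Mbps") from None

    def ospf_cost(self, reference_mbps: int = 100) -> int:
        """OSPF cost; with the IOS default reference of 100 Mbps every
        EtherChannel costs 1 no matter how many members are up."""
        return max(1, reference_mbps // self.bandwidth)


def s2_root_port(po12: EtherChannel, po23: EtherChannel, po13: EtherChannel) -> str:
    """Which port S2 selects toward the root S1: Po12 directly, or Po23 via S3."""
    direct = po12.stp_cost()
    via_s3 = po23.stp_cost() + po13.stp_cost()
    if direct < via_s3:
        return "Po12"
    if via_s3 < direct:
        return "Po23"
    return "tie"   # equal cost is decided by bridge ID / port ID, not modelled here


def s2_metric_to_loopback(po12: EtherChannel, reference_mbps: int) -> int:
    """OSPF metric from S2 to S1's loopback: Po12 cost plus 1 for the loopback."""
    return po12.ospf_cost(reference_mbps) + 1


if __name__ == "__main__":
    healthy = EtherChannel(100, 3)
    for up in (3, 2, 1):
        po12 = EtherChannel(100, up)
        print(f"{up} member(s) up: STP cost {po12.stp_cost():2d}, "
              f"root port {s2_root_port(po12, healthy, healthy)}, "
              f"OSPF metric to 10.0.0.1 {s2_metric_to_loopback(po12, 100000)}")
```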
http://packetlife.net/blog/2009/dec/10/etherchannel-costs-and-failover/
Cisco's Dynamic Trunking Protocol can facilitate the automatic creation of trunks between two switches. When two connected
ports are configured in dynamic mode, and at least one of the ports is configured as desirable, the two switches will negotiate the
formation of a trunk across the link. DTP isn't to be confused with VLAN Trunking Protocol (VTP), although the VTP domain does
come into play.
DTP on the wire is pretty simple, essentially only advertising the VTP domain, the status of the interface, and its DTP type. These
packets are transmitted in the native (or access) VLAN every 60 seconds both natively and with ISL encapsulation (tagged as
VLAN 1) when DTP is enabled.
DTP is enabled by default on all modern Cisco switches. But a responsible network engineer has to ask himself, "why?" Do you
really want switches to form trunks on their own? I certainly don't, for several reasons.
First, it's simply bad design; trunks should be present where they were intended, and only where they were intended. Second,
leaving switch ports set to dynamic mode is a gaping security hole. If all it takes is the right DTP packet to form a trunk from an
access port, an intruder can easily inject traffic into whatever VLANs are allowed on the port (by default, all of them). Fortunately,
these two issues can be resolved by configuring a static switchport mode, either "access" or "trunk", as best practice dictates.
! Access port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Trunk port
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
However, even when a port is statically configured in such a manner, DTP is still active on the port. If you've ever attempted to
set up a trunk between two switches in different VTP domains and received the following error, you can thank DTP:
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of
VTP domain mismatch.
Recall that DTP advertisements include the VTP domain name. A switch won't form a trunk on a DTP-enabled port to a switch
advertising a different VTP domain, even if the ports are manually configured in trunking mode. Nice, eh? Fortunately we can kill
DTP once and for all with the switchport nonegotiate command on the interface.
Switch(config-if)# switchport nonegotiate
This configuration prevents DTP packets from being sent, effectively disabling trunk negotiation and evaluation of the VTP domain.
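A way to check a whole configuration for the condition the post describes, as an added example that is not part of the post: it walks the interface stanzas of a running-config (the sample is constructed) and reports ports left in dynamic mode or configured statically without switchport nonegotiate. A port with no switchport mode line is treated as dynamic, matching the Catalyst default the post refers to when it says DTP is enabled by default.

```python
"""Audit an IOS configuration for switch ports that can still negotiate a trunk.

Added example, not from the post.  The sample configuration is constructed.
"""
from typing import Dict, Iterator, List, Tuple

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
"""


def interfaces(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (interface name, [sub-commands]) for every interface stanza."""
    name, lines = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name is not None:
                yield name, lines
            name, lines = raw.split(None, 1)[1], []
        elif name is not None and raw.startswith(" "):
            lines.append(raw.strip())
        elif name is not None:            # '!' or any other top-level line ends the stanza
            yield name, lines
            name, lines = None, []
    if name is not None:
        yield name, lines


def dtp_findings(config: str) -> Dict[str, str]:
    """Interface -> reason, for every port on which DTP can still act."""
    findings: Dict[str, str] = {}
    for name, lines in interfaces(config):
        if not any(l.startswith("switchport") for l in lines):
            continue                       # routed port or SVI: DTP does not apply
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            # No explicit mode means the Catalyst default, which is a dynamic mode.
            findings[name] = ("dynamic mode" + (" (default)" if mode is None else "")
                              + ": a peer can negotiate a trunk")
        elif "switchport nonegotiate" not in lines:
            findings[name] = f"static {mode} mode but DTP still active; add 'switchport nonegotiate'"
    return findings


if __name__ == "__main__":
    for name, reason in dtp_findings(SAMPLE_CONFIG).items():
        print(f"{name}: {reason}")
```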
http://packetlife.net/blog/2008/sep/30/disabling-dynamic-trunking-protocol-dtp/
sgtcasey over on networking-forum.com recently posed an interesting question: what triggers VLAN pruning? Specifically, will a
switch only allow pruning of a VLAN from a trunk if it has no access ports configured for that VLAN? Or is it enough to have merely
no active ports?
Consider a simple trunking scenario:
Switch 1 is the VTP server, and has propagated VLANs 10, 20, and 30 to switch 2. The interfaces to which hosts A and B attach
are configured as access ports in VLAN 10, and an 802.1Q trunk is formed between the two switches. By examining the trunk
status on either switch we can verify that VLANs 1 and 10 are being passed while the others are pruned in both directions.
S1# show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
...
Switch 2:
S2# show interface trunk
...
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10
When host B is disconnected, its interface on switch 2 becomes inactive. As switch 2 has no remaining active ports in VLAN 10,
VLAN 10 becomes eligible for pruning. After roughly 30 seconds pass, we can see that switch 1 is now pruning VLAN 10 from the
trunk (VLAN 10 is absent from the last line of the output):
S1# show interface trunk
...
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1
The VLAN remains unpruned on switch 2's end of the trunk, because it knows switch 1 still has at least one active port in VLAN 10:
S2# show interface trunk
...
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10
http://packetlife.net/blog/2008/jun/26/when-does-vlan-pruning-occur/
packetlife.net
STP Versions
            STP          PVST       PVST+        RSTP                  RPVST+       MST
Algorithm   Legacy ST    Legacy ST  Legacy ST    Rapid ST              Rapid ST     Rapid ST
Defined By  802.1D-1998  Cisco      Cisco        802.1w, 802.1D-2004   Cisco        802.1s, 802.1Q-2003
Instances   1            Per VLAN   Per VLAN     1                     Per VLAN     Configurable
Trunking    N/A          ISL        802.1Q, ISL  N/A                   802.1Q, ISL  802.1Q, ISL
[Figure: PVST+ topology with one root for VLANs 1,10 and another for VLANs 20,30; MST topology with an MSTI 0 root and an MSTI 1 root carrying VLANs 1, 10, 20, 30]
[Figure: standards timeline - IEEE: 802.1D-1998, 802.1Q-1998, 802.1w, 802.1s, 802.1Q-2003, 802.1D-2004, 802.1Q-2005; Cisco: ISL, PVST, PVST+, RPVST+]
BPDU Format (field: bits)
Protocol ID 16, Version 8, BPDU Type 8, Flags 8, Root ID 64, Root Path Cost 32, Bridge ID 64, Port ID 16, Message Age 16, Max Age 16, Hello Time 16, Forward Delay 16
Link Costs
Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
45 Mbps     39
100 Mbps    19
155 Mbps    14
622 Mbps    6
1 Gbps      4
10 Gbps     2
20+ Gbps    1
Default Timers
Hello 2s
Forward Delay 15s
Max Age 20s
Port States
Legacy ST: Disabled, Blocking, Listening, Learning, Forwarding
Rapid ST: Discarding, Learning, Forwarding
Port Roles
Legacy ST: Root, Designated, Blocking
Rapid ST: Root, Designated, Alternate, Backup
by Jeremy Stretch
v3.0
packetlife.net
MST Configuration
spanning-tree mode mst
! MST Configuration
spanning-tree mst configuration
name MyTree
revision 1
! Map VLANs to instances
instance 1 vlan 20, 30
instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
Bridge ID Format
Priority (4 bits) | Sys ID Ext (12 bits) | MAC Address (48 bits)
Priority: 4-bit bridge priority (configurable from 0 to 61440 in increments of 4096)
System ID Extension: 12-bit value taken from VLAN number (IEEE 802.1t)
MAC Address: 48-bit unique identifier
Path Selection
1 Bridge with lowest root ID becomes the root
2 Prefer the neighbor with the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID
Optional PVST+ Enhancements
PortFast
Enables immediate transition into the forwarding state
(designates edge ports under MST)
UplinkFast
Enables switches to maintain backup paths to root
BackboneFast
Enables immediate expiration of the Max Age timer in
the event of an indirect link failure
Spanning Tree Protection
Root Guard
Prevents a port from becoming the root port
BPDU Guard
Error-disables a port if a BPDU is received
Loop Guard
Prevents a blocked port from transitioning to listening
after the Max Age timer has expired
BPDU Filter
Blocks BPDUs on an interface (disables STP)
RSTP Link Types
Point-to-Point
Connects to exactly one other bridge (full duplex)
Shared
Potentially connects to multiple bridges (half duplex)
Edge
Connects to a single host; designated by PortFast
Troubleshooting
! Interface attributes
interface FastEthernet0/1
spanning-tree mst 1 port-priority 128
spanning-tree mst 1 cost 19
by Jeremy Stretch
v3.0
Port Security
By stretch | Monday, May 3, 2010 at 4:21 a.m. UTC
Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch
ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding
"dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access
port). The addition of unmanaged devices complicates troubleshooting by administrators and is best avoided.
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to
the switch port, the port learns the host's MAC address as the first frame is received:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second,
unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts
to send traffic:
Switch# show port-security interface f0/13
...
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 3
Unfortunately, violating traffic will continue to trigger log notifications, and the violation counter will continue to increase, until the
violating host is dealt with.
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
After a MAC address has been learned, it is recorded in the configuration much as if it had been entered manually:
Switch# show running-config interface f0/13
Building configuration...
Current configuration : 311 bytes
!
interface FastEthernet0/13
switchport access vlan 10
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001b.d41b.a4d8
spanning-tree portfast
end
After five minutes of inactivity, we can see that the address has been purged:
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
At this point, the old address will be re-learned the next time a frame is sent from that host, or a new host can take its place.
Auto-recovery
To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can
enable auto-recovery for port security violations. A recovery interval is configured in seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:
%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
This is a great way to automatically clear port security violations after the user has been given an opportunity to remove the
offending host(s). Note that if the cause is not cleared, the violation will trigger again after the port comes back up, re-initiating the
auto-recovery cycle.
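The show port-security interface output walked through above, parsed and triaged in code. This is an added example, not from the post; the sample transcript is constructed from the values shown on this page (the port after three violations in shutdown mode, plus an invented f0/14 in the healthy sticky state), and the field names are those of the IOS output above.

```python
"""Parse 'show port-security interface' output and triage ports.

Added example, not from the post.  SAMPLE is constructed from the values shown
on this page; f0/14 is invented to give a healthy port for comparison.
"""
from typing import Dict, List, Tuple

SAMPLE = """\
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 3
Switch# show port-security interface f0/14
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0
"""


def parse_port_security(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {field: value} for each 'show port-security
    interface' block found in a pasted session transcript."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if "show port-security interface" in line:
            current = ports.setdefault(line.rsplit(None, 1)[-1], {})
            continue
        # Field names are padded, so ' : ' separates name from value even for
        # the 'Last Source Address:Vlan' label, which itself contains a colon.
        key, sep, value = line.partition(" : ")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return ports


def triage(ports: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Ports that need an operator's attention, with the reason."""
    out: List[Tuple[str, str]] = []
    for name, p in ports.items():
        violations = int(p.get("Security Violation Count", "0"))
        if p.get("Port Status", "").lower() == "secure-shutdown":
            out.append((name, "err-disabled by port security; last source "
                              f"{p.get('Last Source Address:Vlan', '?')}"))
        elif violations:
            out.append((name, f"{violations} violation(s) in "
                              f"{p.get('Violation Mode', '?').lower()} mode"))
        elif p.get("Port Security", "").lower() != "enabled":
            out.append((name, "port security not enabled"))
    return out


if __name__ == "__main__":
    for name, reason in triage(parse_port_security(SAMPLE)):
        print(f"{name}: {reason}")
```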
Footnote
Although a deterrent, port security is not a reliable security feature, as MAC addresses are trivially spoofed, and multiple hosts can
still easily be hidden behind a small router. IEEE 802.1X is a much more robust access edge security solution.
http://packetlife.net/blog/2010/may/3/port-security/
IEEE 802.1X
packetlife.net
802.1X Header (field: bytes)
Version 1, Type 1, Length 2, followed by the EAP payload
EAP Header (field: bytes)
Code 1, Identifier 1, Length 2, Data (variable)
Terminology
Supplicant: The device (client) attached to an access link that requests authentication by the authenticator
Authenticator: The device that controls the status of a link; typically a wired switch or wireless access point
Authentication Server: A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Guest VLAN: Fallback VLAN for clients not 802.1X-capable
Restricted VLAN: Fallback VLAN for clients which fail authentication
[Figure: authentication exchange - EAP between Supplicant and Authenticator, RADIUS between Authenticator and Authentication Server: Identity Request, Identity Response, Access Request, Access Challenge, Challenge Request, Challenge Response, Access Request, Access Accept, Success]
EAP Codes
1 Request
2 Response
3 Success
4 Failure
802.1X Packet Types
0 EAP-Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert
Configuration
Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control
Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Port-Control Options
force-authorized: Port will always remain in authorized state (default)
force-unauthorized: Always unauthorized; authentication attempts are ignored
auto: Supplicants must authenticate to gain access
Interface Configuration
Troubleshooting
show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
by Jeremy Stretch
v2.0
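The 802.1X and EAP header layouts from the sheet, applied to constructed frames. This is an added example, not part of the cheat sheet; the sample bytes are made up (an EAPOL version 1 EAP-Packet carrying an EAP Request/Identity, a bare EAPOL-Start, and a frame whose length field overruns the data), and the field widths are the ones listed above.

```python
"""Decode an EAPOL frame body into the 802.1X and EAP headers from the sheet.

Added example, not part of the cheat sheet.  All sample bytes are constructed.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(body: bytes) -> dict:
    """EAP header: Code (1) | Identifier (1) | Length (2) | Data."""
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with payload")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    data = body[4:length]
    if code in (1, 2) and data:           # Request/Response carry a type byte first
        eap["eap_type"] = data[0]         # 1 = Identity
        eap["data"] = data[1:]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """802.1X header: Version (1) | Type (1) | Length (2) | packet body."""
    if len(frame) < 4:
        raise ValueError("truncated 802.1X header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) - 4 < length:
        raise ValueError("802.1X length field exceeds frame")
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "length": length}
    if ptype == 0:                        # only EAP-Packet carries an EAP header
        info["eap"] = parse_eap(frame[4:4 + length])
    return info


def is_valid_eapol(frame: bytes) -> bool:
    """True when both headers parse and their length fields are consistent."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


# Constructed samples: EAPOL v1 / EAP-Packet / len 5 carrying EAP Request, id 1,
# len 5, type 1 (Identity); an EAPOL-Start with an empty body; and a frame that
# claims 16 bytes of body but carries none.
SAMPLE_REQ_IDENTITY = bytes.fromhex("01 00 0005 01 01 0005 01")
SAMPLE_START = bytes.fromhex("01 01 0000")
SAMPLE_BAD_LENGTH = bytes.fromhex("01 00 0010")

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_REQ_IDENTITY))
    print(parse_eapol(SAMPLE_START))
    print(is_valid_eapol(SAMPLE_BAD_LENGTH))
```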
packetlife.net
Attributes
                  HSRP         VRRP         GLBP
Standard          Cisco        RFC 3768     Cisco
Transport         UDP/1985     IP/112       UDP/3222
Multicast         224.0.0.2    224.0.0.18   224.0.0.102
Default Priority  100          100          100
Hello Timer       3 sec        1 sec        3 sec
[Figure: roles - HSRP: Active (priority 200), Standby (100), Listen; VRRP: Master (200), Backup (100)]
HSRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
standby version {1 | 2}
standby 1 ip 10.0.1.1
standby 1 timers <hello> <dead>
standby 1 priority <priority>
standby 1 preempt
standby 1 authentication md5 key-string <password>
standby 1 track <interface> <value>
standby 1 track <object> decrement <value>
[Figure: GLBP roles - AVG (priority 200, also an AVF) and AVFs (priority 100)]
VRRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
vrrp 1 timers {advertise <hello> | learn}
vrrp 1 priority <priority>
vrrp 1 preempt
vrrp 1 authentication md5 key-string <password>
vrrp 1 track <object> decrement <value>
GLBP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
glbp 1 ip 10.0.1.1
glbp 1 timers <hello> <dead>
glbp 1 timers redirect <redirect> <time-out>
glbp 1 priority <priority>
glbp 1 preempt
glbp 1 forwarder preempt
glbp 1 authentication md5 key-string <password>
glbp 1 load-balancing <method>
glbp 1 weighting <weight> lower <lower> upper <upper>
glbp 1 weighting track <object> decrement <value>
by Jeremy Stretch
GLBP Roles
Active Virtual Gateway (AVG)
Answers for the virtual router and assigns
virtual MAC addresses to group members
Active Virtual Forwarder (AVF)
All routers which forward traffic for the group
GLBP Load Balancing
Round-Robin (default)
The AVG answers host ARP requests for the
virtual router with the next router in the cycle
Host-Dependent
Round-robin cycling is used while a consistent
AVF is maintained for each host
Weighted
Determines the proportionate share of hosts
handled by each AVF
Troubleshooting
show standby [brief]