Bear with me here.
The first reason was a mistyped password - and number three is coming up. This mode can come in handy in certain situations, but be aware of the differences between Transparent and Server mode. VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch are the same as those of the downstream switches. SW1's configuration and the resulting output of show vtp status are shown below.
Also, switches do not advertise their VTP mode. You have to decide this for yourself in your production network, but I will share a simple method that's always worked for me - if you can physically secure a switch, make it a VTP server. If multiple admins will have access to the switch, you may consider making that switch a VTP Client in order to minimize the chance of unwanted or unauthorized changes being made to your VLAN scheme.
The only devices that need the VTP advertisements are other switches that are trunking with the local switch, so VTP advertisements are sent out trunk ports only.
VTP advertisements are sent when there has been a change in a switch's VLAN database, and this configuration revision number increments by one before it is sent. To illustrate, let's look at the revision number on Sw1. The current revision number is 1. We'll now go to R2 to check the revision number, add a VLAN, and then check the revision number again. The revision number was 1, then a VLAN was added.
The revision number incremented to 2 before the VTP advertisement reflecting this change was sent to this switch's neighbors. Let's check the revision number on SW1 now. The revision number has incremented to 2, as you'd expect.
But what exactly happened? Before accepting the changes reflected in the advertisement, SW1 compares the revision number in the advertisement to its own revision number. In this case, the revision number on the incoming advertisement was 2 and SW1's revision number was 1.
In the following example, SW2 is sending out an advertisement with revision number The three switches are running VLANs 10, 20, 30, 40, and 50, and everything's just fine.
Now, a switch that was at another client site is brought to this client and installed in the CCNP domain. The other switches will receive a VTP advertisement with a higher revision number than the one currently in their VTP database, so they'll synchronize their databases in accordance with the new advertisement. I've seen this happen with switches that were brought in to swap out an out-of-service switch.
That revision number has to be reset to zero! If you ever see VLAN connectivity suddenly lost in your network, but the switches are all functional, you should immediately check to see if a new switch was recently installed. If the answer is yes, I can practically guarantee that the revision number is the issue. Cisco theory holds that there are two ways to reset a switch's revision number to zero: 1. Note this is the only state in which the port is actually forwarding frames.
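The revision-number takeover described above, as an added Python model (not code from the study guide). Switch names, the VLAN numbers and the "revision 20" on the newcomer are constructed; the model only encodes the rules the text gives: servers bump the revision before advertising, clients and servers accept a higher revision from their own domain, transparent switches only relay, and a newcomer whose revision was reset to zero is synced by the domain instead of overwriting it.

```python
# Toy model of VTP revision-number synchronisation. Added example, not code from
# the study guide. Switch names, VLAN numbers and the revision "20" are constructed.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str = "CCNP"
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def advertisement(self):
        """Summary advertisement: domain name, revision and VLAN list."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": set(self.vlans)}

    def add_vlan(self, vlan_id):
        """Local VLAN change. A server bumps its revision before advertising;
        a transparent switch keeps the change local; a client is refused."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot change VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def receive(self, adv):
        """Accept an advertisement only from our own domain and only when its
        revision is higher than ours. Transparent switches relay but never
        sync. Returns True when the local database was overwritten."""
        if adv["domain"] != self.domain or self.mode == "transparent":
            return False
        if adv["revision"] > self.revision:
            self.vlans = set(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False

    def reset_revision(self):
        """The 'flip to transparent and back' reset: the revision returns to
        zero while the locally held VLAN list is kept."""
        original = self.mode
        self.mode = "transparent"
        self.revision = 0
        self.mode = original


def flood(switches, source):
    """Send source's advertisement to every other switch (the toy treats every
    switch as trunking to every other). Returns the names that synced."""
    adv = source.advertisement()
    return [sw.name for sw in switches if sw is not source and sw.receive(adv)]


def build_domain():
    """SW1/SW2 servers, SW3 client; SW1 creates VLANs 10-50, advertising each."""
    sw1, sw2, sw3 = (VtpSwitch("SW1", "server"), VtpSwitch("SW2", "server"),
                     VtpSwitch("SW3", "client"))
    switches = [sw1, sw2, sw3]
    for vlan in (10, 20, 30, 40, 50):
        sw1.add_vlan(vlan)
        flood(switches, sw1)
    return switches


def install_switch(switches, newcomer, reset_first):
    """Cable a switch from another site into the domain. With reset_first the
    revision is zeroed before it is connected, as the guide insists."""
    if reset_first:
        newcomer.reset_revision()
    switches = switches + [newcomer]
    overwritten = flood(switches, newcomer)   # newcomer's trunk comes up, it advertises
    flood(switches, switches[0])              # SW1 advertises back
    return {sw.name: sorted(sw.vlans) for sw in switches}, overwritten


if __name__ == "__main__":
    rogue = VtpSwitch("SW4", "client", revision=20, vlans={1, 99})
    print(install_switch(build_domain(), rogue, reset_first=False))
    rogue = VtpSwitch("SW4", "client", revision=20, vlans={1, 99})
    print(install_switch(build_domain(), rogue, reset_first=True))
```

Note that the newcomer is a client: VTP mode offers no protection here, because a client's higher revision number is accepted by the servers just the same. Only the reset before cabling (or a transparent-mode switch, which never syncs) prevents the VLAN database from being wiped.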
To see the STP mode of a given interface, use the show spanning-tree interface command. What you might not have known is that if you decide to change any and all of these timers, that change must be configured on the root bridge. The root bridge will inform the nonroot switches of the change via BPDUs.
We'll prove that very shortly. Right now, let's review the STP timer basics. By default, this is set to 2 seconds. Forward Delay is the length of both the listening and learning STP stages, with a default value of 15 seconds for each stage. Maximum Age, referred to by the switch as MaxAge, is the amount of time a switch will retain the superior BPDU's contents before discarding it. The default is 20 seconds. The value of these timers can be changed with the spanning-tree vlan command shown below.
The timers should always be changed on the root switch, and the current secondary switch as well. Verify the changes with the show spanning-tree command.
SW1 config spanning-tree vlan 1? In the following example, we'll change the STP timers on a nonroot switch and then run show spanning-tree. We'll change the STP timers on this switch. The nonroot switch will allow you to change the STP timers, but these new settings will not be advertised via BPDUs unless this local switch later becomes the root bridge.
If you feel the need to change STP timers, it's a good idea to change them on both the root and secondary root switches. That allows the secondary root to keep the same timers if the root goes down and the secondary then becomes the primary root.
Deterministic Root Switch Placement
You might have noticed some other options with the spanning-tree vlan command. Worse, that single switch is going to be selected because it has a lower MAC address than every other switch, which isn't exactly the criteria you want to use to select a single root bridge.
The time will definitely come when you want to determine a particular switch to be the root bridge for your VLANs, or when you will want to spread the root bridge workload. You can make this happen with the spanning-tree vlan root command. I've created three new VLANs, as seen in the output of show vlan brief. To make this happen, we'll go to SW 2 and use the spanning-tree vlan root primary command.
Notice that the priority value has changed from the default. This command has another option you should be aware of: SW2 config spanning-tree vlan 30 root? If you want a certain switch to take over as root bridge if the current root bridge goes down, run this command with the secondary option. This will change the priority just enough so that the secondary root doesn't become the primary immediately, but will become the primary if the current primary goes down.
Let's take a look at the root secondary command in action. We have a three-switch topology for this example. Which switch would become the root if SW3 went down? But what if we want SW1 to become the root if SW3 goes down? We use the root secondary command on SW1! A priority value of is an excellent tipoff that the root secondary command has been used on a switch. The config itself shows this command as well: Ever wondered how the STP process decides what priority should be set when the spanning-tree vlan root command is used?
After all, we're not configuring an exact priority with that command. Here's how the STP process handles this: If the current root bridge's priority is greater than 24,, the switch sets its priority to in order to become the root. You saw that in the previous example. If the current root bridge's priority is less than 24,, the switch subtracts from the root bridge's priority in order to become the root.
There is another way to make a switch the root bridge, and that's to change its priority with the spanning-tree vlan priority command. I personally prefer the spanning-tree vlan root command, since that command ensures that the priority on the local switch is lowered sufficiently for it to become the root. With the spanning-tree vlan priority command, you have to make sure the new priority is low enough for the local switch to become the root switch. As you'll see, you also have to enter the new priority in multiples of SW2 config spanning-tree vlan 10 priority?
Access switches are those found closest to the end users, and the root bridge should not be an access-layer switch. Ideally, the root bridge should be a core switch, which allows for the highest optimization of STP. What you don't want to do is just blindly select a centrally located switch, particularly if you're visiting a client who has a configuration like this: Don't be tempted to make SW3 the root switch just because it's got the most connections to other switches.
You should never make an access-layer switch the root switch! The best choice here is one of the core layer switches, which generally will be a physically central switch in your network. If for some reason you can't make a core switch the root, make it one of the distribution switches. The TCN doesn't say exactly what happened, just that something happened. This indicates to all receiving switches that the aging time for their MAC tables should be changed from the default of seconds to whatever the Forward Delay value is - by default, that's 15 seconds.
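Root election and the root primary / root secondary / priority rules from the preceding paragraphs, as an added Python example (not code from the study guide). Switch names, MAC addresses and layers are constructed. The exact figures the guide quotes were lost in this copy of the text, so the three priority constants (24576 for root primary, 28672 for root secondary, 4096 as the step and the multiple required with the Extended System ID) are taken from Cisco's documentation, not from this page.

```python
# STP root election and deterministic root placement. Added example, not code
# from the study guide. Switch names, MACs and layers are constructed. The three
# priority constants below are Cisco documentation values, not numbers from
# this page (the page's own figures were lost in extraction).
PRIORITY_STEP = 4096            # extended system ID: priority is a multiple of 4096
ROOT_PRIMARY_TARGET = 24576     # 'root primary' when the current root is at default
ROOT_SECONDARY_TARGET = 28672   # 'root secondary'
MAX_PRIORITY = 61440


def bridge_id(sw):
    """Bridge ID ordering: priority first, MAC as tie-breaker (lowest wins)."""
    return (sw["priority"], sw["mac"].lower())


def elect_root(switches):
    """switches: {name: {"priority": int, "mac": "xxxx.xxxx.xxxx", "layer": str}}."""
    return min(switches, key=lambda name: bridge_id(switches[name]))


def root_primary_priority(current_root_priority):
    """Priority that 'spanning-tree vlan N root primary' would choose:
    24576 if that undercuts the current root, otherwise one step below it."""
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    candidate = current_root_priority - PRIORITY_STEP
    if candidate < 0:
        raise ValueError("current root is already at priority 0; cannot undercut it")
    return candidate


def set_priority(switches, name, priority):
    """What 'spanning-tree vlan N priority X' enforces: a multiple of 4096."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} "
                         f"between 0 and {MAX_PRIORITY}")
    switches[name]["priority"] = priority


def place_root(switches, primary, secondary):
    """Make `primary` the root and `secondary` the next root, refusing
    access-layer switches. Returns (root now, root if primary fails)."""
    for role, name in (("primary", primary), ("secondary", secondary)):
        if switches[name]["layer"] == "access":
            raise ValueError(f"{name} is an access-layer switch; not a {role} root candidate")
    current_root = elect_root(switches)
    set_priority(switches, primary,
                 root_primary_priority(switches[current_root]["priority"]))
    set_priority(switches, secondary, ROOT_SECONDARY_TARGET)
    survivors = {n: s for n, s in switches.items() if n != primary}
    return elect_root(switches), elect_root(survivors)


def sample_network():
    """All at default priority 32768: the lowest MAC (the access switch) wins."""
    return {
        "SW1": {"priority": 32768, "mac": "0011.2233.4455", "layer": "core"},
        "SW2": {"priority": 32768, "mac": "0011.2233.4466", "layer": "distribution"},
        "SW3": {"priority": 32768, "mac": "0000.0c11.1111", "layer": "access"},
    }


if __name__ == "__main__":
    net = sample_network()
    print("default election:", elect_root(net))           # the access switch
    print("after placement:", place_root(net, "SW1", "SW2"))
```

Running it shows the point the text makes: with every switch at the default priority the access-layer switch SW3 wins on MAC address alone, and `place_root` refuses to make it the root while lowering the core switch just far enough to take over and leaving the distribution switch as the fallback.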
That allows the switch to quickly rid itself of now-invalid MAC address table entries while keeping entries for hosts that are currently sending frames to that switch. Portfast-enabled ports cannot result in TCN generation, which makes perfect sense. The most common usage of Portfast is when a single PC is connected directly to the switch port, and since such a port going into Forwarding mode doesn't impact STP operation, there's no need to alert the entire network about it.
And if you're fuzzy on what Portfast is and what it does, that and many other Cisco switch features are covered in the next section! Let's take a look at the default behavior of a trunk between two switches when we have ten VLANs, and then change this behavior just a bit with the port-priority command.
I've created ten VLANs, 11 - 20, for this example. Before we go forward, using your knowledge of switching, how many ports in this example will be in STP Blocking mode? Which one(s)? Let's check with show spanning vlan 11 on both switches. If your answer was "one", you're correct! Don't forget to use the VLAN range option with the spanning-tree command - this will save you quite a bit of typing and time on your exam. WORD vlan range, example: In many instances, you'll configure an Etherchannel here rather than using port priority to load balance over the trunk lines.
In Ciscoland, it's always a good idea to know more than one way to do something - especially when you're studying for an exam! We're all familiar with show interface x, but there's a slight variation on this command when it comes to Cisco switches that will give you a great deal of helpful information when it comes to troubleshooting - show interface x switchport.
There's actually a very common issue indicated in this output - can you spot it? Enabled Administrative Mode: ALL Protected: This is an excellent VLAN and trunking troubleshooting command. And the problem? I left the interface shut down. Here's what the output looks like when the interface is open. Here's what the output looks like when a trunk port is specified. The extended VLANs will be numbered - You can't use this feature on all Cisco switches, though.
It is enabled by default on and switches with an IOS version of Here's how to disable the Extended System ID:
SW2 config no spanning extend system-id
You may have noticed something odd about the Bridge ID with the switches used in this section, all of which are running the Extended System ID feature by default: Disabled by default, it can be enabled with the set spantree macreduction command.
Portfast
Suitable only for switch ports connected directly to a single host, Portfast allows a port running STP to go directly from blocking to forwarding mode. If you have an issue with a host acquiring an IP address via DHCP, configuring Portfast on the switch port in question just might solve the issue. A Cisco switch will give you an interesting warning when you configure Portfast: Connecting hubs, concentrators, switches, bridges, etc SW1 config-if That is one long warning.
Not only will the switch warn you about the proper usage of Portfast, but you must put the port into access mode "non-trunking" before Portfast will take effect.
If a switchport has a workstation connected to a port, that workstation will still have to wait 30 seconds for the listening and learning stages of STP to run before it can communicate successfully with the DHCP server. We all know that 30 seconds seems like 30 minutes to end users, especially first thing in the morning! Running Portfast on the appropriate switch ports did speed up their initial network connectivity. Portfast can also be enabled globally, but we'll get another warning when we do so: You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.
Personally, I like to configure it on a per-port basis, but make sure you know both ways to configure Portfast. It never hurts to know more than one way to do things on a Cisco exam. There's a command related to portfast that I want to share with you - note the three effects of this command as explained by IOS Help: SW1 config-if switchport host?
Uplinkfast
When a port goes through the transition from blocking to forwarding, you're looking at a second delay before that port can actually begin forwarding frames.
Configuring a port with Portfast is one way to get around that, but again, you can only use it when a single host device is found off the port. What if the device connected to a port is another switch? SW3 has two paths to the root switch. STP will only allow one path to be available, but if the open path between SW3 and SW1 goes down, there will be approximately a second delay before the currently blocked path will be available.
The delay is there to prevent switching loops, and we can't use Portfast to shorten the delay since these are switches, not host devices. What we can use is Uplinkfast. The ports that SW3 could potentially use to reach the root switch are collectively referred to as an uplink group.
The uplink group includes the ports in forwarding and blocking mode. If the forwarding port in the uplink group sees that the link has gone down, another port in the uplink group will be transitioned from blocking to forwarding immediately. Uplinkfast is pretty much Portfast for wiring closets. Cisco recommends that Uplinkfast not be used on switches in the distribution and core layers. Some additional details regarding Uplinkfast: The actual transition from blocking to forwarding isn't really "immediate" - it actually takes 1 - 3 seconds.
Next to a second delay, that certainly seems immediate! Uplinkfast cannot be configured on a root switch. The original root port will become the root port again when it detects that its link to the root switch has come back up. This does not take place immediately. The switch uses the following formula to determine how long to wait before transitioning the original root port back to the forwarding state: First, the switch priority will be set to 49,, which means that if all other switches are still at their default priority, they'd all have to go down before this switch can possibly become the root switch.
Additionally, the STP Port Cost will be increased by , making it highly unlikely that this switch will be used to reach the root switch by any downstream switches. And you just know there's got to be at least one option with this command, right? Let's run IOS Help and see.
SW2 config spanning-tree uplinkfast? The max-update-rate value determines how many of these frames will be sent in a millisecond time period.
Where To Apply Uplinkfast
As with all the topics in this section, it's not enough to know the definition of Uplinkfast and what it does - you've got to know where to configure it for best results.
Uplinkfast is a wiring-closet switch feature - it's not recommended for core and distribution-layer switches. Uplinkfast should be configured only on access-layer switches. It's a safe bet that the root switches are going to be found in the core layer, and the switches that are farthest away from the root switches will be the access switches.
The access switches will be the ones closest to the end users.
Backbonefast
Uplinkfast and Portfast are great, but they've got limitations on when they can and should be run. You definitely can't run either one in a network backbone, but the Cisco-proprietary feature Backbonefast can be used to help recover from indirect link failures. The key word there is indirect. If a core switch detects an indirect link failure - a failure of a link that is not directly connected to the core switch in question - Backbonefast goes into action.
This indirect link failure is detected when an inferior BPDU is received. Let's take a look at a three-switch setup where all links are working and STP is running as expected, paying particular attention to the STP states on SW3.
All links are assumed to be running at the same speed. All is well, until SW2 loses its connection to SW1, as shown below - which means that SW2 will start announcing itself as the root switch. SW3 will now be receiving two separate BPDUs from two separate switches, both claiming to be the root switch.
We really don't want to wait that long, and with Backbonefast, we don't have to! When BackboneFast is configured, this process skips the MaxAge stage.
While this does not eliminate delays as efficiently as PortFast and UplinkFast, the delay is cut from 50 seconds: MaxAge's default value of 20 seconds is skipped, but the Listening and Learning stages still have to run.
RLQ uses a series of requests and responses to detect indirect link outages. The purpose of these RLQ requests is to ensure that the local switch still has connectivity to the root switch.
The RLQ request identifies the bridge that is considered the root bridge, and the RLQ response will identify the root bridge that can be accessed via that port. If they're one and the same, everything's fine. Upon receiving an RLQ request, a switch will answer immediately under one of two conditions:
1. The receiving switch is indeed the root bridge named in the RLQ request.
2. The receiving switch has no connectivity to the root bridge named in the RLQ request, because it considers another switch to be the root bridge.
The third possibility is that the receiving switch is not the root, but considers the root switch named in the RLQ request to indeed be the root switch.
In that case, the RLQ request is relayed toward the root switch by sending it out the root port. To put BackboneFast into action in our network, we have to know more than the command!
We've got to know where to configure it as well. Since all switches in the network have to be able to send, relay, and respond to RLQ requests, and RLQ is enabled by enabling BackboneFast, every switch in the network should be configured for BackboneFast when using this feature. This feature is enabled globally, and it's simple to configure - and believe it or not, there are no additional timers or options with this command.
A true Cisco rarity! The command to verify BackboneFast is just as simple and is shown below.
SW1 config spanning-tree backbonefast
SW1 show spanning-tree backbonefast
BackboneFast is enabled
Root Guard
You know that the root switch is the switch with the lowest BID, and that a secondary root is also elected - that's the switch with the next-lowest BID.
You also know that you can use the spanning-tree vlan root command to make sure that a given switch becomes the root or the secondary root. SW1 config spanning-tree vlan 23 root? For clarity's sake, the full BID is not shown - just the switch priority.
Nothing wrong here, everything's fine. The problem here is that SW4 is going to become the root switch, and SW1 is going to become the secondary root.
Depending on the design of your network, this change in root switches can have a negative effect on traffic flow. There's also a delay involved while the switches converge on the new STP topology. Worse yet, there's always the possibility that R4 isn't even under your administrative control - it belongs to another network!
STP has no default behavior to prevent this from happening; the spanning-tree vlan root command helps you determine which switches become the root and secondary root, but does nothing to disqualify a switch from becoming the root. To prevent SW4 from becoming the root in this network, Root Guard must be configured. Root Guard is configured at the port level, and disqualifies any switch that is downstream from that port from becoming the root or secondary root.
Root Guard will actually block that superior BPDU, discard it, and put the port into root-inconsistent state. Configuring Root Guard is simple: There is no interface reset or reload necessary, but note that Root Guard-enabled ports act as designated ports until a superior BPDU is received, of course. Here's the console message we receive as a result on R3: Additionally, there's a spanning-tree command that will show you a list of ports that have been put into root-inconsistent state, but it's not as obvious as some of the other show spanning-tree commands we've seen: SW3 show spanning-tree?
This is the resulting topology: Now, you'd think that would be enough of a warning, right? But there is a chance - just a chance - that someone is going to manage to connect a switch to a port running Portfast, which in turn creates the possibility of a switching loop.
BPDU Guard protects against this possibility. If any BPDU, superior or inferior, comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled. SW1 config-if spanning-tree bpduguard?
SW1 config spanning-tree portfast bpduguard default
Note that this command is a variation of the portfast command. You can use BPDU Filtering, but you have to be careful how you configure it - this feature works differently when it's configured globally as opposed to configuring it on a per-interface level.
SW1 config spanning portfast bpdufilter?
SW1 show spanning-tree summary totals
Switch is in rapid-pvst mode Root bridge for: Designated root has priority , address e.
Particularly with fiber optic, there are situations where a physical layer issue disables data transfer in one direction, but not the other.
If a UDLD frame is received in return, that indicates a bidirectional link, and all is well. If a UDLD frame is not received in return, the link is considered unidirectional. It's really like a Layer 2 ping. If the UDLD "echo" is seen, there's bidirectional communication; if the "echo" is not seen, there isn't! UDLD has two modes of operation, normal and aggressive. When a unidirectional link is detected in normal mode, UDLD generates a syslog message but does not shut the port down.
In aggressive mode, the port will be put into error disabled state "err-disabled" after eight UDLD messages receive no echo from the remote switch.
Why is it called "aggressive"? Because the UDLD messages will go out at a rate of one per second when a potential unidirectional link is found. UDLD can be enabled globally or on a per-port level. To enable UDLD globally, run the udld enable command.
In this case, "globally" means that UDLD will run on all fiber optic interfaces. For aggressive mode, run udld aggressive. There is no udld normal command. SW2 config udld? For example, in the previous two-switch examples, UDLD would have to be configured on both switches, either on the switch ports or globally.
Now, you may be thinking the same thing I did when I first read about aggressive mode: if aggressive mode shuts a port down after failing to receive an echo to eight consecutive UDLD frames, won't the port always shut down when you first configure UDLD?
When UDLD's aggressive mode is first configured on the local switch, the port will start sending UDLD frames, but will not shut down the port when it doesn't hear back from a remote switch within 8 seconds.
The remote switch will first have to answer back with a UDLD frame, which makes the local switch aware of the remote switch. Then, if the remote switch stops sending back an echo frame, the local switch will shut the port down.
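The UDLD echo logic of the last few paragraphs, including the "aggressive mode does not err-disable a port that has never heard its neighbour" rule, as an added Python model (not code from the study guide). Port names and the round-by-round timing are constructed; the eight-frame limit and the normal-versus-aggressive behaviour come from the text. The link model also shows why both switches must run UDLD: an end that never gets an echo never learns of its neighbour, so it never acts.

```python
# UDLD echo detection in normal and aggressive mode. Added example, not code
# from the study guide. Port names are constructed; timing is collapsed to one
# probe per round, so eight rounds stand in for the eight unanswered frames.
class UdldPort:
    MISS_LIMIT = 8      # the text: err-disable after eight unanswered frames

    def __init__(self, name, enabled=True, mode="aggressive"):
        self.name = name
        self.enabled = enabled
        self.mode = mode            # "normal" or "aggressive"
        self.neighbor_seen = False  # aggressive mode acts only once a neighbour has answered
        self.misses = 0
        self.state = "up"
        self.syslog = []

    def probe(self, echo_received):
        """Send one UDLD frame; echo_received says whether our own ID came back."""
        if self.state == "err-disabled":
            return self.state
        if echo_received:
            self.neighbor_seen = True
            self.misses = 0
            return self.state
        if not self.neighbor_seen:
            return self.state       # never heard the far end: keep probing, no action
        self.misses += 1
        if self.misses >= self.MISS_LIMIT:
            self.misses = 0
            if self.mode == "aggressive":
                self.state = "err-disabled"
                self.syslog.append(f"{self.name}: unidirectional link, port err-disabled")
            else:
                self.syslog.append(f"{self.name}: unidirectional link detected, port left up")
        return self.state


def run_link(a, b, a_to_b, b_to_a, rounds):
    """Drive both ends of a link for `rounds` probe intervals. An end sees its
    own ID echoed only if both directions work and the far end runs UDLD."""
    for _ in range(rounds):
        echo = a_to_b and b_to_a and a.enabled and b.enabled
        for end in (a, b):
            if end.enabled:
                end.probe(echo)
    return a.state, b.state


if __name__ == "__main__":
    sw1, sw2 = UdldPort("SW1 Gi0/1"), UdldPort("SW2 Gi0/1")
    print(run_link(sw1, sw2, True, True, 5))      # healthy fibre pair: ('up', 'up')
    print(run_link(sw1, sw2, True, False, 8))     # one strand fails: both err-disabled
    lone, silent = UdldPort("SW1 Gi0/2"), UdldPort("SW2 Gi0/2", enabled=False)
    print(run_link(lone, silent, True, False, 20))  # far end not running UDLD: stays up
```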
Duplex Mismatches And Switching Loops
A duplex mismatch between two trunking switches isn't quite a unidirectional link, but it can indeed lead to a switching loop. You're not often going to change switch duplex settings, especially on trunk ports, but if you change one switch port's duplex setting, change that of any trunking partner! We all know what happens then! One collision does not a switching loop make, but if the full-duplex port sends enough traffic, it effectively drowns out anything that the half-duplex port tries to send.
Depending on the location of the root switch in this network (or if one of these switches is the root switch), a switching loop may well occur. Keep your ports in the same duplex mode and you don't have to worry about this!
Loop Guard!
You can probably guess that the "loop" being guarded against is a switching loop. Let's revisit an earlier example to see how the absence of BPDUs can result in a switching loop.
In this network, only one port will be in blocking mode BLK. Ports in blocking mode still receive BPDUs, and right now everything's as we would want it to be. SW3 will wait for the duration of the MaxAge timer - by default, 20 seconds - and will then begin to transition the port facing SW2 from blocking to forwarding mode.
With all six ports in Forwarding mode, we've got ourselves a switching loop. Loop Guard does not allow a port to go from blocking to forwarding in this situation. With Loop Guard enabled, the port will go from blocking to loop-inconsistent, which is basically still blocking mode, and a switching loop will not form. Once the unidirectional link issue is cleared up and SW3 begins to receive BPDUs again, the port will come out of loop-inconsistent state and will be treated as an STP port would normally be.
Loop Guard is disabled on all ports by default, and is enabled at the port level:
SW1 config spanning-tree loopguard default
Strange But True:
This should happen quickly all around, since the root bridge will be sending a BPDU every two seconds by default ("hello time"), and the switches should relay the BPDUs fast enough so every switch is seeing a BPDU every two seconds.
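Root Guard, BPDU Guard and Loop Guard, which the preceding sections describe one at a time, are all port-level decisions about a BPDU that arrives (or fails to arrive); the added Python model below (not code from the study guide) puts the three rules side by side. Port names, the MAC addresses and the timings are constructed, and the real STP state machine is compressed to the decisions the text describes: any BPDU on a BPDU Guard port err-disables it, a superior BPDU on a Root Guard port is discarded and the port goes root-inconsistent, and a blocking port whose BPDUs stop for MaxAge goes loop-inconsistent with Loop Guard but starts toward forwarding without it.

```python
# Root Guard, BPDU Guard and Loop Guard as port-level decisions. Added example,
# not code from the study guide. Port names, MACs and timings are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Bpdu:
    root_priority: int
    root_mac: str

    def root_id(self):
        return (self.root_priority, self.root_mac.lower())


@dataclass
class Port:
    name: str
    state: str = "forwarding"   # "forwarding", "blocking" or a guard state
    root_guard: bool = False
    bpdu_guard: bool = False
    loop_guard: bool = False
    last_bpdu: Optional[float] = None   # time the last ordinary BPDU was accepted
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, root_id, ports):
        self.root_id = root_id          # (priority, mac) this switch believes is the root
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, bpdu, now):
        p = self.ports[port_name]
        if p.bpdu_guard:                # any BPDU at all on a PortFast edge port
            p.state = "err-disabled"
            p.log.append(f"{now}s {p.name}: BPDU received, err-disabled")
            return p.state
        if p.root_guard and bpdu.root_id() < self.root_id:
            p.state = "root-inconsistent"   # superior BPDU discarded, not processed
            p.log.append(f"{now}s {p.name}: superior BPDU blocked, root-inconsistent")
            return p.state
        p.last_bpdu = now               # ordinary BPDU: also clears guard states
        if p.state == "root-inconsistent":
            p.state = "forwarding"
        elif p.state == "loop-inconsistent":
            p.state = "blocking"
        return p.state

    def check_max_age(self, port_name, now, max_age=20):
        """Run for a blocking port whose BPDUs have stopped (e.g. a
        unidirectional link). Without Loop Guard it starts the walk to
        forwarding, which is how the loop forms."""
        p = self.ports[port_name]
        if p.state != "blocking" or p.last_bpdu is None or now - p.last_bpdu < max_age:
            return p.state
        if p.loop_guard:
            p.state = "loop-inconsistent"   # still effectively blocking
            p.log.append(f"{now}s {p.name}: no BPDU for {max_age}s, loop-inconsistent")
        else:
            p.state = "listening"           # first step toward forwarding
        return p.state


def demo():
    """Three incidents on one switch; returns the resulting port states."""
    sw3 = Switch(root_id=(32768, "0000.0c11.1111"), ports=[
        Port("Fa0/1", state="blocking", loop_guard=True, last_bpdu=0),
        Port("Fa0/2", state="blocking", last_bpdu=0),
        Port("Fa0/3", root_guard=True),
        Port("Fa0/4", bpdu_guard=True),        # PortFast port to a user PC
    ])
    legit_root = Bpdu(32768, "0000.0c11.1111")
    out = {}
    out["rogue root"] = sw3.receive_bpdu("Fa0/3", Bpdu(4096, "0000.aaaa.bbbb"), now=5)
    out["switch on edge port"] = sw3.receive_bpdu("Fa0/4", legit_root, now=5)
    out["silent uplink, guarded"] = sw3.check_max_age("Fa0/1", now=25)
    out["silent uplink, unguarded"] = sw3.check_max_age("Fa0/2", now=25)
    out["uplink recovered"] = sw3.receive_bpdu("Fa0/1", legit_root, now=30)
    return out


if __name__ == "__main__":
    for incident, state in demo().items():
        print(f"{incident:28s} -> {state}")
```

The contrast between Fa0/1 and Fa0/2 is the whole Loop Guard argument: the two ports see exactly the same silence, and only the guarded one refuses to leave blocking. The root-inconsistent and loop-inconsistent ports recover on their own once a normal BPDU arrives, whereas the err-disabled port stays down until an administrator intervenes.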
That's in a perfect world, though, and there are plenty of imperfect networks out there! That two-second hello time value doesn't give the switches much leeway, but we don't want the STP topology recalculated unnecessarily either.
Skew Detection will not take action to prevent STP recalculation when BPDUs are not being relayed quickly enough by the switches, but it will send a syslog message informing the network administrator of the problem.
The syslog messages will be limited to one every 60 seconds, unless the "skew time" is at a critical level. In that case, the syslog message will be sent immediately with no one-per-minute limit. The second delay caused by the listening and learning states was once considered an acceptable delay. Then again, a floppy disk used to be considered all the storage space anyone would ever need, and that theory didn't exactly stand the test of time!
Note that SW3 has multiple connections to the ethernet segment. All nonroot switches will select a root port, and this port is the one reflecting the lowest root path cost. Assuming all links in this network are running at the same speed, SW2 and SW3 will both select the port directly connected to SW1 as their root ports. There will be no root port on a root bridge. An RSTP designated port is the port with the best root path cost.
The ports on the root switch will obviously have the lowest root path cost for that network segment, and will be the DP for that segment. RSTP's answer to a blocked port is an alternate port. In this segment, SW2's port leading to SW3 is an alternate port. In this network, SW3 has two separate ports on the same physical segment. One port has already been selected as the designated port for that segment, and the other port will become the backup port. This port gives a redundant path to that segment, but doesn't guarantee that the root switch will still be accessible.
The "rapid" in RSTP comes in with the new port states. RSTP ports transition from the discarding state to the learning state, where incoming frames are still discarded; however, the MAC addresses are now being learned by the switch. Let's compare the transition states: An edge port is just what it sounds like - a port on the edge of the network. In this case, it's a switch port that is connected to a single host, most likely an end user's PC.
So why do we care? More about that in just a few seconds. A point-to-point port is any port running in full-duplex mode.
Any ports running half-duplex are shared ports. Rather, I should say that they don't play a role, because RSTP considers a topology change to have taken place when a port moves into Forwarding mode - unless that port is an edge port. When an edge port moves into Forwarding mode, RSTP doesn't consider that a topology change, since only a single host will be connected to that particular port.
While the concept of a Portfast-enabled port and an Edge port in RSTP are the same - both go immediately to the Forwarding state and should be connected only to a single host - there is a major difference in their behavior when a BPDU is received on such a port. This change not only allows all switches in the network to have a role in detecting link failures, but discovery of link failures is faster.
The switch then immediately ages out all information concerning that port. Let's compare the two protocols and their link failure detection times. By default, MaxAge is 20 seconds.
The details of this negotiation are out of the scope of the exam, but can easily be found on the Internet by searching for "RSTP" in your favorite search engine. No additional config is needed to gain the benefits of all three. The Good: The Bad: The Ugly: Cisco being Cisco, you just know they have to have their own version of STP!
The good news is that the command is very simple, and we'll use IOS Help to look at some other options: SW1 config spanning-tree mode? If you choose to make this change, it's a good idea to do so when end users aren't around.
Defined by IEEE MST was designed with enterprise networks in mind, so while it can be very useful in the right environment, it's not for every network.
The configuration of MST involves logically dividing the switches into regions, and the switches in any given region must agree on the following:
1. The MST configuration name
2. The MST configuration revision number
If any of these three values are not agreed upon by two given switches, they are in different regions. MST configurations can become quite complex, and a great deal of planning is recommended before implementing it.
CST doesn't know what's going on inside the region, and it doesn't want to know. Occasionally the first ten MST instances are referred to as "00" - "09".
These are not hex values - they're regular old decimals. Each and every switch in your MST deployment must be configured manually. No, I'm not kidding! When you create VLAN mappings in MST, you've got to configure every switch in your network with those mappings - they're not advertised. A good place to start is to enable MST on the switch:
SW2 config spanning-tree mode mst
The name and revision number must now be set.
SW2 config-mst instance 1 10,13, Note that I could use commas to separate individual VLANs or use a hyphen to indicate a range of them. Like the TCP vs. This is a decision you have to make in accordance with the switch's available resource and the workload PVST will put on your switch.
Just keep the resource hit in mind as your network grows - and the number of VLANs in that network with it!

Etherchannels

Etherchannels aren't just important for your Cisco studies, they're a vital part of many of today's networks. Knowing how to configure and troubleshoot them is a vital skill that any CCNP must have. You may not have even seen an Etherchannel question on your CCNA exam, so we're going to begin this section with a review of what an Etherchannel is and why we would configure one.
After that review, we'll begin an in-depth examination of how Etherchannels work, and I'll show you some real-world examples of common Etherchannel configuration errors to help you master this skill for the exam and for the real world.

What Is An Etherchannel?

An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. This bundling of trunks is also referred to as aggregation. This provides greater throughput, and is another effective way to avoid the wait between the blocking and forwarding states in case of a link failure.
STP sees only the Etherchannel, and a single link failure will not bring an Etherchannel down. In this example, there are three trunks between two switches. In the meantime, communication between the two switches is lost. This temporary lack of a forwarding port can be avoided with an Etherchannel.
By combining the three physical ports into a single logical link, not only is the bandwidth of the three links combined, but the failure of a single link will not force STP to recalculate the spanning tree. After configuring an Etherchannel on each switch with the interface-level command channel-group, the output of the commands show interface trunk and show spanning vlan 10 shows that STP now sees the three physical links as one logical link.
If one of the three physical links goes down, STP will not recalculate. While some bandwidth is obviously lost, the logical link itself stays up. Data that is traveling over the downed physical link will be rerouted to another physical link in a matter of milliseconds - it will happen so fast that you won't even hear about it from your end users!

Negotiating An Etherchannel

There are two protocols that can be used to negotiate an etherchannel. PAgP packets are sent between Cisco switches via ports that have the capacity to be placed into an etherchannel.
First, the PAgP packets will check the capabilities of the remote ports against those of the local switch ports. The remote ports are checked for two important values:

- The remote port group number must match the number configured on the local switch.
- The device ID of all remote ports must be the same - after all, if the remote ports are on separate switches, that would defeat the purpose of configuring an etherchannel!
PAgP also has the capability of changing a characteristic of the etherchannel as a whole if one of the ports in the etherchannel is changed. If you change the speed of one of the ports in an etherchannel, PAgP will allow the etherchannel to dynamically adapt to this change. The industry standard bundling protocol defined in You can actually assign up to 16 ports to belong to an LACP-negotiated etherchannel, but only the eight ports with the lowest port priority will be bundled.
The other ports will be bundled only if one or more of the bundled ports fails. PAgP has a desirable mode and an auto mode. A port in desirable mode will initiate bundling with a remote switch, while a port in auto mode waits for the remote switch to do so. LACP uses active and passive modes, where active ports initiate bundling and passive ports wait for the remote switch to do so. There's a third option, on, which means that there is no negotiation at all, and neither LACP nor PAgP is used in the construction of the etherchannel.
Configuring Etherchannels

To select a particular negotiation protocol, use the channel-protocol command.

SW1(config-if)#channel-protocol ?

SW1(config-if)#channel-group 1 mode ?

To enable the etherchannel with no negotiation, use the on option.
For an EC to form, LACP must have at least one of the two ports on each physical link set for "active"; if both ports are set to "passive", no EC will be built. The same can be said for PAgP and the settings "auto" and "desirable" - if both ports are set to auto, the link won't join the EC. To illustrate, I've created an EC using channel-group 1 and the desirable option, meaning that PAgP is enabled unconditionally. The number you see below in each command is the channel group number.
SW1#show pagp 1 neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

We can verify this with the command show etherchannel brief.
SW1#show etherchannel brief
Channel-group listing:

We're on an L3 switch right now, which gives us the ability to create an L3 EC. We'll create an L3 etherchannel in the Multilayer Switching section, and here's a sneak peek! With an L2 EC, we bundled the ports by configuring each port with the channel-group command, which automatically created the port-channel interface.
When configuring an L3 interface, you must create the port-channel interface first, then put the ports into the EC with the port-channel command. IP routing must be enabled on the L3 switch, and all involved ports must be configured as routed ports with the switchport command.
SW1(config)#port-channel load-balance ?

Verify with show etherchannel load-balance.

Troubleshooting EtherChannels

Once you get an EC up and running, it generally stays that way - unless a port setting changes. From personal experience, here are a few things to watch out for:

- Changing the VLAN assignment mode to dynamic.
Here's a reenactment of an EC issue I ran into once. The configuration of the channel-group looked just fine. That will prevent an EC from working correctly. Here's the error message that occurs in a scenario like this:

- Ports need to be running the same speed, duplex, native VLAN, and just about any other value you can think of! If you change a port setting and the EC comes down, you know what to do - change the port setting back!

- The IP address. Naturally, this is for L3 etherchannels only - be sure to assign the IP address to the logical representation of the etherchannel, the port-channel interface, not to the physical interfaces bundled in the etherchannel.
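Most EC failures come down to the rules in the two sections above: a mode combination that will never negotiate, remote ports that aren't all on one neighbor, or one member port whose speed, duplex or native VLAN drifted. The following is an added example, not from the study guide or from Cisco: a pre-flight check that models each physical link as a (local port, remote port) pair and reports every reason the bundle would fail before anyone touches a switch. Port names, switch names and settings are constructed; the channel-group mode rules are the PAgP/LACP/on rules described above.

```python
"""
Added example, not from the study guide: pre-flight check for an EtherChannel.
Applies the negotiation rules (desirable/auto, active/passive, on) and the
consistency rules (same neighbor, same speed/duplex/native VLAN/mode) from the
text above. All port data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"passive", "active"}


@dataclass(frozen=True)
class Port:
    device_id: str           # switch the port lives on
    name: str                # e.g. "Fa0/11"
    group: int               # channel-group number on that switch
    mode: str                # on | auto | desirable | active | passive
    speed: int = 100         # Mb/s
    duplex: str = "full"
    native_vlan: int = 1


def negotiation_result(local: str, remote: str) -> Optional[str]:
    """Which protocol bundles a link with these two channel-group modes.
    Returns 'on', 'pagp', 'lacp', or None when no channel will form."""
    if "on" in (local, remote):
        return "on" if local == remote else None   # 'on' never negotiates
    if local in PAGP_MODES and remote in PAGP_MODES:
        return "pagp" if "desirable" in (local, remote) else None  # auto/auto: nobody starts
    if local in LACP_MODES and remote in LACP_MODES:
        return "lacp" if "active" in (local, remote) else None     # passive/passive: same
    return None   # one side PAgP, the other LACP (or a typo)


def check_bundle(links: List[Tuple[Port, Port]]) -> List[str]:
    """links: one (local, remote) pair per physical link of the intended bundle.
    Returns the reasons the EC would fail; an empty list means it should come up."""
    problems: List[str] = []
    if not 2 <= len(links) <= 8:
        problems.append(f"{len(links)} links: an EC bundles two to eight")
    local_ports = [l for l, _ in links]
    remote_ports = [r for _, r in links]
    if len({p.device_id for p in remote_ports}) > 1:
        problems.append("remote ports are on different switches (device ID mismatch)")
    if len({p.group for p in local_ports}) > 1:
        problems.append("local ports are in different channel-groups")
    for l, r in links:
        if negotiation_result(l.mode, r.mode) is None:
            problems.append(f"{l.name}<->{r.name}: modes {l.mode}/{r.mode} will not negotiate")
    # every member of a bundle has to look alike on each side
    for side, ports in (("local", local_ports), ("remote", remote_ports)):
        for attr in ("speed", "duplex", "native_vlan", "mode"):
            values = {getattr(p, attr) for p in ports}
            if len(values) > 1:
                problems.append(f"{side} ports disagree on {attr}: {sorted(values)}")
    return problems


def sample_links(native_on_last: int = 1, remote_mode: str = "auto") -> List[Tuple[Port, Port]]:
    """Constructed three-link bundle SW1 <-> SW2, desirable on the SW1 side.
    Knobs let the caller break one native VLAN or the remote mode."""
    links = []
    for port in ("Fa0/11", "Fa0/12", "Fa0/13"):
        native = native_on_last if port == "Fa0/13" else 1
        links.append((Port("SW1", port, 1, "desirable", native_vlan=native),
                      Port("SW2", port, 1, remote_mode)))
    return links


if __name__ == "__main__":
    print("healthy:", check_bundle(sample_links()))
    print("native VLAN drift:", check_bundle(sample_links(native_on_last=99)))
    print("desirable vs passive:", check_bundle(sample_links(remote_mode="passive")))
```

Run it and the third case shows the cross-protocol trap: desirable on one side and passive on the other is a PAgP port talking to an LACP port, and no amount of fiddling with speed or duplex will make that bundle form.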
You can also see the ports in the channel.

SW1#show etherchannel summary
Flags:

Flex Links

In the very rare case that you don't want to run STP, configuring Flex Links allows you to have a backup link that will be up and running in less than 50 milliseconds.
It's doubtful you'd use Flex Links in a typical production network, but it can come in handy in service provider networks where running STP might not be feasible. We actually apply no configuration to the primary active port.
All Flex Links commands will be placed on the standby port. Plenty o' rules for this feature:

- One backup interface per active interface, please, and an interface can belong to only one set of Flex Links.
- Obviously, the active and backup interfaces cannot be one and the same.
- Ports inside an Etherchannel cannot be individually assigned as backup or active Flex Ports, BUT an entire Etherchannel can be assigned as either.
- An Etherchannel can be assigned as the active port for a physical port, and vice versa.

This isn't required reading, but here's some additional info from Cisco regarding this feature:

When we think of network security, we tend to focus on protecting our network from attacks originating outside the network.
That's half the battle - but it's important to remember that many successful network attacks are launched from the inside, and from some seemingly innocent sources, such as So while it's wise to protect our network from the outside, we better take some measures to protect us from.. Cue dramatic music. Seriously, we've got some important work to do here - so let's get to it. The first methods of security I'm going to talk about in this chapter aren't fancy, they aren't exciting, and they don't cost an arm and a leg.
But the basic security features are the ones to start with, and I use a four-step approach to basic network security:

1. Physical security - lock those servers, routers, and switches up! This is the most basic form of network security, and it's also the most ignored.
2. Passwords - set 'em, change 'em on occasion. If you're relatively new to a particular job site, be ready for a fight on this point from other admins.
3. Different privilege levels - not every user needs the same level of access to potentially destructive commands, because not every user can handle the responsibility.
4. Grant remote access only to those who absolutely, positively need it - and when users do connect remotely, make that communication as secure as possible.

Physical security is just that. Get the routers and switches locked up! Steps two and three go hand in hand, and much of what follows may be familiar to you. Don't skip this part, though, because we're going to tie in privilege levels when it comes to telnet access. You know how to configure the basic passwords on a switch:

All passwords appear in the configuration in clear text by default except the enable secret.
The command service password-encryption will encrypt the remaining passwords. The login message shown when the login command is used in the above example simply means that a password needs to be set to enable this feature.
As long as you enter both the login and password commands, it does not matter in what order you enter them. Cisco switches have more VTY lines than routers. Routers allow up to five simultaneous Telnet sessions, and obviously switches allow more! The default behavior is the same, however. Any user who telnets in to the switch will be placed into user exec mode, and will then be prompted for the proper enable mode password. If neither the enable secret nor the enable password has been set, the user will not be able to enter enable mode.
To place users coming into the switch via telnet straight into enable mode, use the command privilege level 15 under the VTY lines.

SW2(config-line)#privilege level 15

Note below how the configuration appears on the switch when it comes to the VTY lines.
If you want a command to be applied to all 16 lines, you don't have to use "line vty 0 4" and then "line vty 5 15" - just run the command line vty 0 15. It's easy to configure, but maybe we don't want to give that high level of access so easily. Consider a situation where a tech support person has to telnet into a router. Maybe they know what they're doing, and with all due respect, maybe they don't.
Do you want this person making changes to the router without you knowing about it? It may be better to assign privilege level 15 to yourself while assigning the default value of 0 to others. I also don't like having one password for all telnet users. I prefer a scheme where each individual user has their own password. Creating a local database of users and privilege levels allows us to do this, and it's a simple procedure.
As a matter of fact, you already did this at least once during your CCNA studies. If none is specified, level 0 is the default.
With the above configuration, the first user would be placed into privileged exec mode when connecting via telnet, while the other two users would be required to enter the enable password before they could enter that mode. The login local command is required to have the switch look to a local database for authentication information.
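The checks in this section (service password-encryption on, an enable secret set, no blanket privilege level 15 on the VTY lines, per-user accounts with login local instead of one shared telnet password) are exactly the sort of thing worth scripting so they get run against every switch, not just the one you happen to be logged into. The following is an added example, not from the study guide or from Cisco: a small audit over a constructed running-config excerpt. The usernames and the type 5/type 7 strings are placeholders, not real credentials, and the audit only reads the text, it never touches a device.

```python
"""
Added example, not from the study guide: audit a switch running-config against
the password and privilege-level advice in this section. The config excerpt is
constructed and its hashes are placeholders.
"""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
! constructed sample running-config excerpt
service password-encryption
enable secret 5 $1$PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER
username helpdesk password 7 PLACEHOLDER
username ops privilege 5 password 7 PLACEHOLDER
line con 0
 login local
line vty 0 4
 privilege level 15
 password 7 PLACEHOLDER
 login
line vty 5 15
 login local
"""


def parse_config(text: str) -> Dict:
    """Split a config into global lines, username entries and per-'line' blocks.
    users maps name -> privilege level, or None when the command gave none."""
    cfg: Dict = {"global": [], "users": {}, "lines": {}}
    block: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                     # indented: belongs to current block
            if block is not None:
                cfg["lines"][block].append(raw.strip())
            continue
        block = None
        if raw.startswith("line "):
            block = raw[len("line "):].strip()      # e.g. "vty 0 4"
            cfg["lines"][block] = []
        elif raw.startswith("username "):
            m = re.match(r"username (\S+)(?: privilege (\d+))?", raw)
            cfg["users"][m.group(1)] = int(m.group(2)) if m.group(2) else None
        else:
            cfg["global"].append(raw.strip())
    return cfg


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the checks pass."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not any(g.startswith("enable secret") for g in cfg["global"]):
        findings.append("no enable secret: enable password alone is stored reversibly")
    if "service password-encryption" not in cfg["global"]:
        findings.append("service password-encryption missing: line and username "
                        "passwords stay in clear text")
    for name, blk in cfg["lines"].items():
        if not name.startswith("vty"):
            continue
        if any(c.startswith("privilege level 15") for c in blk):
            findings.append(f"line {name}: privilege level 15 drops every telnet "
                            f"user straight into enable mode")
        if "login" in blk:
            findings.append(f"line {name}: shared line password (login); prefer "
                            f"per-user accounts with login local")
        if "login local" not in blk and "login" not in blk:
            findings.append(f"line {name}: no login method configured")
    return findings


def users_with_level_15(text: str) -> List[str]:
    """Who lands in privileged exec directly when login local is in effect."""
    cfg = parse_config(text)
    return sorted(u for u, lvl in cfg["users"].items() if lvl == 15)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("level 15 users:", users_with_level_15(SAMPLE_CONFIG))
```

On the sample, vty 0 4 is flagged twice (blanket level 15 plus a shared password) while vty 5 15, which uses login local, is clean; the mismatch between the two ranges is itself the kind of thing you'd only notice with a check like this.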
Port Security

Here's another basic security feature that's regularly overlooked, but is very powerful. Port security uses a host's MAC address as a password. However, if a device with a different MAC address sends frames to the switch on that port, the port will take action - by default, it will shut down and go into error-disabled state.
By default, that state requires manual intervention on the part of the network admin to reopen the port. The switchport port-security command enables this feature, and then we have quite a few options to consider.

SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10

Before we can consider the options, we have to make the port in question a non-trunking port. Port security can't be configured on a port that even has a possibility of becoming a trunk port. Configuring a port as an access port is the equivalent of turning trunking to "off".
Now, let's get back to those options!

SW2(config-if)#switchport port-security ?

This is the maximum number of secure MAC addresses allowed on the port. This number can vary - I've seen Cisco switches that would allow up to , but this will only allow . These addresses can be configured statically with the mac-address option, they can be learned dynamically, or you can allow a port to do both.
More on that in just a moment.

SW2(config-if)#switchport port-security maximum ?

  H  48 bit mac address

Now we need to decide the action the port should take in case frames with a non-secure MAC address arrive on the port. The default port security mode is shutdown, and it's just what it sounds like - the port is placed into error-disabled state and manual intervention is needed to reopen the port.
An SNMP trap message is also generated. You can also use the errdisable recovery command to specify how long the port should remain in that state before the switch itself resets the port.

SW2(config-if)#switchport port-security violation ?

Restrict mode is our middle ground - this mode drops the offending frames and will generate both an SNMP trap notification and a syslog message regarding the violation, but the port does not go into err-disabled state.
Before we continue, a note of caution - throughout this course, you'll see ports shut down for one reason or another, particularly in the Advanced STP section. Note that not all of these features force the port into err-disabled mode.
Be sure you're very familiar with the different states these ports are put into. I'll have a chart at the end of that section listing each port state.
Let's take a look at the console messages you'll see when running port security in its default mode, shutdown. I configured a port on this switch with port security, one secure MAC address, and made sure it didn't match the host that would be sending frames on that port.
Sure enough, within seconds all of this happened:

SW1(config-if)#
Security violation occurred, caused by MAC address f.

There is a little "gotcha" with port security that you need to be aware of.
What if you allow for more secure MAC addresses than you actually configure manually, as shown below?

SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address aaaa.

Be careful! In that configuration, these three addresses would be considered secure:

To verify your port security configuration, run show port-security interface.
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging :

In this scenario, the port will be shut down if the number of secure MAC addresses is reached and a host whose MAC address is not among those secure addresses connects to this port. Note that "aging time" is set to zero - that actually means that secure MAC addresses on this port will never age out, not that they have zero minutes before aging out.
You can change this value with the switchport port-security aging command. This particular switch accepts the value in minutes; many older models want it entered in seconds. Always use IOS Help to double-check a command's units!

SW1(config-if)#switchport port-security aging time ?

Enter a value between 1 and

The aging type value determines whether a secure MAC address will absolutely expire after a certain amount of time, or whether aging should be based on inactivity.

SW1(config-if)#switchport port-security aging type ?
There are a few port types that you can't configure with port security: We know a MAC address can be dynamically learned by the switch as secure, and we may want that address marked as secure in the running configuration. To do so, enable sticky learning with this command: By configuring sticky learning, the dynamically learned secure MAC addresses are written to the running configuration, which in turn helps to prevent unauthorized network access via MAC spoofing.
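Every behaviour described in this section can be checked by reasoning through a handful of frames, and that's the quickest way to see the "maximum" gotcha bite. The following is an added example, not from the study guide or from Cisco: a small model of one port-security port that tracks static and dynamically learned secure addresses, applies the shutdown, restrict and protect violation modes (protect is the third IOS mode, the silent-drop one), treats aging time 0 as "never", and, when sticky learning is on, records learned addresses as lines for the running config. MAC addresses and the log messages are constructed; the model is a simplification of what the switch does, not its implementation.

```python
"""
Added example, not from the study guide: a model of one port-security port.
Reproduces the behaviours discussed in the text: static vs dynamically learned
secure addresses and the "maximum" gotcha, shutdown/restrict/protect violation
modes, aging time 0 meaning "never", and sticky learning writing addresses into
the running config. MAC addresses and messages are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # shutdown (default) | restrict | protect
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # minutes; 0 means secure addresses never age out
    aging_type: str = "absolute"     # absolute | inactivity
    static: Set[str] = field(default_factory=set)          # configured or sticky-saved
    learned: Dict[str, int] = field(default_factory=dict)  # mac -> minute learned / last seen
    status: str = "secure-up"        # secure-up | err-disabled
    violations: int = 0
    log: List[str] = field(default_factory=list)            # stand-ins for syslog/trap
    running_config: List[str] = field(default_factory=list)

    def secure_addresses(self) -> Set[str]:
        return set(self.static) | set(self.learned)

    def _age(self, now: int) -> None:
        if self.aging_time == 0:          # 0 = never age out, not "age out at once"
            return
        expired = [m for m, t in self.learned.items() if now - t >= self.aging_time]
        for mac in expired:
            del self.learned[mac]

    def receive(self, mac: str, now: int = 0) -> bool:
        """A frame from `mac` arrives at minute `now`. Returns True if forwarded."""
        if self.status == "err-disabled":
            return False                  # nothing passes until an admin reopens the port
        self._age(now)
        if mac in self.static:
            return True
        if mac in self.learned:
            if self.aging_type == "inactivity":
                self.learned[mac] = now   # activity restarts the inactivity timer
            return True
        if len(self.secure_addresses()) < self.maximum:
            # room left: the first unknown MACs become secure, whether you meant them to or not
            if self.sticky:
                self.static.add(mac)      # sticky addresses behave like configured ones
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            else:
                self.learned[mac] = now
            return True
        return self._violate(mac)

    def _violate(self, mac: str) -> bool:
        self.violations += 1
        if self.violation == "shutdown":
            self.status = "err-disabled"
            self.log.append(f"syslog+trap: violation by {mac}, port err-disabled")
        elif self.violation == "restrict":
            self.log.append(f"syslog+trap: violation by {mac}, frame dropped")
        # protect: drop the frame silently, no notification at all
        return False

    def reopen(self) -> None:
        """Admin shut/no shut (or errdisable recovery) brings the port back."""
        self.status = "secure-up"


if __name__ == "__main__":
    # the gotcha from the text: maximum 3 with one static address configured
    p = SecurePort(maximum=3, static={"aaaa.bbbb.cccc"})
    for mac in ("0000.1111.2222", "0000.3333.4444", "0000.5555.6666"):
        print(mac, "forwarded" if p.receive(mac) else "dropped", p.status)
    print("secure:", sorted(p.secure_addresses()), "log:", p.log)
```

The first two strangers are quietly promoted to secure addresses because the port had room for three and you only configured one; only the third trips the violation, and in shutdown mode that also cuts off the host you actually meant to allow.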
To save these dynamically learned static addresses to the startup configuration, you'll need to copy the running config over the startup config before reloading the switch.

Dot1x Port-Based Authentication

Port security is good, but we can take it a step further with dot1x port-based authentication. The name refers to IEEE. One major difference between dot1x port-based authentication and port security is that both the host and switch port must be configured for it. That's a major departure from many of the switch features we've studied to date, since most other switch features don't require anything of the host.
Usually the PC isn't aware of what the switch is doing, and doesn't need to know. Not this time! Keeping those rules in mind, a typical dot1x deployment involves: But it's not quite as simple as that. You were waiting for that, right? The PC has a single physical port connected to the switch, but that physical port is logically divided into two ports by dot1x - the controlled and uncontrolled ports.
Unlike the subinterfaces you've studied and created to date, you and I as the network admins do not have to configure the controlled and uncontrolled ports.
Dot1x will take care of that - of course, as long as we remember to configure the supplicant for dot1x to begin with! The controlled port cannot transmit data until authentication actually takes place. The uncontrolled port can transmit without authentication, but only the following protocols can be transmitted: To configure dot1x, AAA must first be enabled.
As with previous configurations, a method list must be created. And again, as with previous configurations, you should use line as the last choice, just in case something happens regarding your login with the other methods.

SW2(config)#aaa new-model
SW2(config)#aaa authentication dot1x ?
  WORD     Named authentication list.
SW2(config)#aaa authentication dot1x default ?

To enable dot1x on the switch:

SW2(config)#dot1x ?

SW2(config-if)#dot1x port-control ?
Basically, there is no authentication on this port type. A port in force-unauthorized state literally has the port unable to authorize any client - even clients who could otherwise successfully authenticate!
The auto setting enables dot1x on the port, which will begin the process as unauthorized. Once the authentication is complete, normal transmission and receiving can begin. Not surprisingly, this is the most common setting.

SPAN Operation And Configuration

We've secured the ports, but there will also come a time when we want to connect a network analyzer to a switch port. A common situation is illustrated below, where we want to analyze traffic sourced from the three PCs.
To properly analyze the traffic, the network analyzer needs a copy of every frame the hosts are sending - but how are we going to get it there? SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached. In some Cisco documentation, the destination port is referred to as the monitor port. SPAN works very well, and the basic operation is simple.
The versions are much the same, though; the real difference comes in when you define the source ports. It's the location of the source ports that determines the SPAN version that needs to run on the switch. In the above example, we're running Local SPAN, since the destination and source ports are all on the same switch.
The command monitor session starts a SPAN session, along with allowing the configuration of the source and destination. The sessions are totally separate operations, but the number of simultaneous sessions you can run differs from one switch platform to another. The smaller Catalyst models support only two, but more powerful switches can run as many as 64 sessions at once.
SW2(config)#monitor session ?