
300-115 Study Notes

Trifidw, Member, Posts: 281
These were the notes I wrote up the day before my Switch exam. I did intend to make it fairly comprehensive but more to the point than the books; however, sometimes it was a bit tiring writing stuff I already knew well. I haven't actually read through it, so it would be good if someone who is currently studying for the exam can correct any spelling mistakes and add additional content they think will help.


Chapter 1

Core layer - Advanced QoS, L3 only. No Packet Manipulation (ACLs) .
ACLs at access and distribution layer.


Chapter 2
Switch Operation

IPv4 multicast MAC 0100.5exx.xxxx (low 23 bits of the group address, so 32 groups share each MAC)
IPv6 multicast MAC 3333.xxxx.xxxx (low 32 bits of the group address)
CAM table for mac addresses
TCAM table for ACL & QoS
CAM & TCAM table lookup simultaneous
Route Cache routing = old way
CEF = Topology Based. Longest match
CEF builds a FIB table. Also looked up simultaneously
L3 packet rewrite still completed before sent to egress queue
L2 table says if L3 routing is required
# mac address-table aging-time 300 (by default)
old mac address purged straight away if found on a different interface
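The IPv4/IPv6 multicast-to-MAC mapping from the lines above, worked as an added example (this is not code from the notes). It shows the 23-bit and 32-bit copies and the consequence a switch engineer should know: 32 IPv4 groups collide onto one CAM entry, so e.g. 224.0.0.2 (HSRP hellos) and 239.0.0.2 look identical at layer 2. Only the standard library is used.

```python
# Added example (not from the study notes): how an IPv4 or IPv6 multicast
# group maps to the Ethernet destination MAC a switch sees, and why the IPv4
# mapping is ambiguous (32 groups share one MAC). Standard library only.
import ipaddress

IPV4_MCAST_OUI = bytes.fromhex("01005e")    # 01-00-5E, the I/G bit is set
IPV6_MCAST_PREFIX = bytes.fromhex("3333")   # 33-33 + low 32 bits of the group


def fmt_mac(raw: bytes) -> str:
    """Render 6 bytes in Cisco dotted notation, e.g. 0100.5e00.0002."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ipv4_mcast_mac(group: str) -> str:
    """224.0.0.0/4 -> 0100.5e + low 23 bits; bits 23-27 of the address are lost."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return fmt_mac(IPV4_MCAST_OUI + low23.to_bytes(3, "big"))


def ipv6_mcast_mac(group: str) -> str:
    """ff00::/8 -> 3333 + low 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast group")
    low32 = int(addr) & 0xFFFFFFFF
    return fmt_mac(IPV6_MCAST_PREFIX + low32.to_bytes(4, "big"))


def ipv4_groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups that collide onto the same MAC as `group`.

    The five address bits that do not fit (bits 23-27) can take any value, so
    a CAM or IGMP-snooping entry for one group also matches the other 31.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def solicited_node_mac(unicast: str) -> str:
    """MAC for the IPv6 ND solicited-node group ff02::1:ffXX:XXXX of a unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    group = ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)
    return ipv6_mcast_mac(str(group))


if __name__ == "__main__":
    # Constructed inputs: HSRPv1 and VRRP hello groups, a site-local group, IPv6 all-nodes.
    for g in ("224.0.0.2", "224.0.0.18", "239.0.0.2"):
        print(g, "->", ipv4_mcast_mac(g))
    print("ff02::1 ->", ipv6_mcast_mac("ff02::1"))
    print("groups colliding with 224.0.0.2:", ipv4_groups_sharing_mac("224.0.0.2")[:4], "...")
```

Run it and note that 224.0.0.2 and 239.0.0.2 print the same MAC; that is why filtering multicast by destination MAC alone is not a reliable control.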

ACL’s are made up of ACE’s - Access Control Entries
Feature Manager manages ACE’s into the TCAM
Switching Database Manager (SDM) - TCAM partitioning to optimise for switching/routing performance
TCAM entries: value = 134 bits, mask = 134 bits, plus a result
one mask can apply to many values, so a single lookup matches many entries at once
LOU - Logical Operation Unit for port ranges. Limited number supported and can be reused.

# show sdm prefer
# sdm prefer default (reload required if changing)
# show platform tcam utilization

SDM templates
default - mix of all functions
access - for ACL
vlan - for L2 only. No hardware routing
routing
dual-ipv4-and-ipv6


Chapter 3
Switchport config

Ethernet uses CSMA/CD when in half duplex mode
Ethernet is the same at layer 2. Different at layer 1
10Gb - full duplex operation only. Lower speeds negotiate
40/100Gb - 802.3ba

# no errdisable detect cause all
# errdisable recovery cause all
# errdisable recovery interval 300 (default timeout in seconds)

cdp - layer 2 protocol. Sent every 60 seconds by multicast
# no cdp run
-if)# no cdp enable

lldp sent every 30 seconds.
# lldp run
-if)# lldp receive
-if)# lldp transmit

Native vlan mismatch detected through CDPv2 or LLDP

LLDP MED = Media Endpoint Discovery for notifying the switch of the endpoints network requirements (PoE, QoS)

Can have custom TLV’s

802.3af = 15.4w.
802.3at = 30w. Negotiated once powered on.

Chapter 4
Vlans & Trunks

VLAN = logical network segment
Extended VLAN range only allowed in vtp transparent or v3.
VLAN name - 32 characters max
VLAN management Policy Server (VMPS) for dynamic allocation
ISL adds 26 byte header + 4 byte trailer to a frame
dot1q adds 4 bytes after ethernet source address
16-bit TCI: 3-bit CoS (priority), 1-bit CFI/DEI, 12-bit VLAN ID
DTP will form an ISL trunk if both sides support it
DTP still operates on switchport mode trunk
-if)# switchport mode dynamic auto (default otherside needs dynamic desirable or trunk to form)
DTP frames sent every 30 seconds
# show interface trunk
# show int gi1/0/1 switchport
# show dtp
Voice VLAN needed for QoS markings. Switch advertises the voice VLAN to the phone through CDP; the link then carries data (untagged) and voice (tagged)
Voice VLAN membership shows in show interfaces switchport and show spanning-tree, not in show vlan
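An added example (not from the notes) that builds and parses 802.1Q frames so the tag layout in the lines above is concrete: the 4-byte tag sits after the source MAC and carries TPID 0x8100 plus a 16-bit TCI (3-bit CoS, 1-bit DEI, 12-bit VID). The parser also walks stacked tags (0x8100 or 0x88A8 outer tags), which is my generalisation rather than something the notes cover, and `trunk_egress_vid` models the native-VLAN rule the notes mention later. Standard library only.

```python
# Added example (not from the study notes): build and parse 802.1Q-tagged
# Ethernet frames. Stacked-tag parsing is an extension of what the notes say.
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8          # outer "service" tag used by QinQ
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlans=(), pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; `vlans` lists the tags outermost-first (each 0x8100)."""
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("pcp is 3 bits, dei is 1 bit")
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        if not 0 <= vid <= 4095:           # 0 = priority-tagged, 4095 reserved
            raise ValueError(f"bad VLAN ID {vid}")
        tci = (pcp << 13) | (dei << 12) | vid
        frame += struct.pack("!HH", TPID_8021Q, tci)   # the 4 bytes after the SA
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, every tag found (outermost first), EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst.hex(), "src": src.hex(), "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def trunk_egress_vid(vlan: int, native_vlan: int, tag_native: bool = False):
    """VLAN tag a frame leaving an 802.1Q trunk in `vlan` carries.

    None means "sent untagged": the native VLAN is untagged unless the switch
    has `vlan dot1q tag native` configured.
    """
    if vlan == native_vlan and not tag_native:
        return None
    return vlan


if __name__ == "__main__":
    # Constructed sample: an HSRP-style frame on VLAN 100 with CoS 5 (voice marking).
    f = build_frame("0100.5e00.0002", "0000.0c07.ac01", ETHERTYPE_IPV4,
                    b"\x45" + b"\x00" * 19, vlans=(100,), pcp=5)
    print(len(f), "bytes:", parse_frame(f)["tags"])
    print("native VLAN 1 on trunk ->", trunk_egress_vid(1, 1))
    print("with tag native        ->", trunk_egress_vid(1, 1, tag_native=True))
```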

Lightweight WiFi traffic uses a CAPWAP tunnel


Chapter 5
VTP

VTP advertisements contain management domain, VTP revision number, known vlans and names

v3 required for 4094 VLANs, MSTP and primary and secondary servers
revision number starts at 0. Highest number overwrites previous database.
Retained after reload. Reset by changing domain or by going into transparent then back to server
summary advertisements every 300 seconds and when a change is made
subset advertisements contain the changes
advertisement request by clients
If an update deletes a VLAN, ports in that VLAN become inactive (they are not moved to VLAN 1) until the VLAN exists again
VTP client with high revision number will update server
by default: VTP v1, domain = null and is vtp server. VTP pruning = off
Domain and version can be learnt from server, as well as VTP pruning
For VTP pruning, a switch tells its neighbors its active vlans.

# vtp version 3
# vtp domain CISCO
# vtp mode transparent
# vtp password VTPPASS

# vtp pruning
-if)# switchport trunk pruning vlan add 100

# show vtp status

Chapter 6
STP

STP multicast address 0180.C200.0000
configuration BPDU to compute STP
Topology Change Notification (TCN) - to announce changes
BPDU’s sent every 2 seconds.
default Bridge Priority 32,768. Lower = better. MAC address breaks tie
Root bridge interface path cost = 0. Receiving switch adds its own cost
One designated port per segment
Redundant path = blocking, other side will be designated
Listening state, for sending and receiving BPDUs only. Learning, learns mac addresses
Hello timer = 2 seconds
Forward Delay Timer = 15 seconds
Max age = 20 seconds (time to hold a bpdu without hearing another)
Timers changed on root bridge, use network diameter instead of changing individual values

A TCN happens when a port goes into forwarding, or from forwarding/learning to blocking. Except when using portfast.
Root bridge sends acks.
TCN sent to every switch, macs flushed after 15 seconds (forward delay value) instead of 300.

Losing root port results in 2x forwarding delay outage (30s)
dot1q uses CST, BPDUs use native vlan
PVST for ISL only. PVST+ for dot1q and ISL


Chapter 7
STP Configuration

# no spanning-tree vlan 50
802.1t extended system ID
# spanning-tree vlan 1-4094 priority 4096
# spanning-tree vlan 1-4094 root primary (uses 24,576, or 4096 less than the current root if that isn't low enough. 0 needs to be set manually)
-if)# spanning-tree vlan 10 cost 2 (changes this switch's cost to the root through that port)
-if)# spanning-tree port-priority 128 (set on the upstream/designated side; the downstream switch uses it to choose between equal-cost links to the same neighbour. Lower = better, steps of 16)

# spanning-tree hello-time 2
# spanning-tree forward-time 15 (listening & learning timer)
# spanning-tree max-age 20 (How long a blocking port will take to go listening)
# spanning-tree vlan 1-4094 root primary diameter 3 (automatically sets above timers properly)
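An added example (not from the notes) that puts the root election and root-port election rules from chapters 6 and 7 into code: bridge IDs compare as 64-bit integers (priority with the extended system ID, then MAC), `root primary` picks the priority the notes describe, and a root port is chosen by cumulative cost, then sender bridge ID, then sender port ID. The topology and bridge IDs are constructed; port costs are the 802.1D short values.

```python
# Added example (not from the study notes): 802.1D/802.1t bridge-ID ordering,
# the `root primary` choice as the notes describe it, and root-port election
# with the standard tie-breakers. Standard library only.

DEFAULT_PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> short cost


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority | 12-bit extended system ID (VLAN) | MAC.

    Lower is better, so an integer comparison is all the election needs.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 (0-61440)")
    if not 1 <= vlan <= 4094:
        raise ValueError("extended system ID is the VLAN, 1-4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def elect_root(bridge_ids) -> int:
    """Root bridge = numerically lowest bridge ID (priority, then MAC)."""
    return min(bridge_ids)


def root_primary_priority(current_root_priority: int):
    """Priority `root primary` picks, per the notes: 24576 if that beats the
    current root, otherwise 4096 below the root; None means it would need 0,
    which has to be configured by hand."""
    if current_root_priority > 24576:
        return 24576
    new = current_root_priority - 4096
    return new if new > 0 else None


def port_id(port_number: int, port_priority: int = 128) -> int:
    """16-bit port ID (802.1t layout): 4-bit priority/16 | 12-bit port number."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority is 0-240 in steps of 16")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number is 1-4095")
    return ((port_priority // 16) << 12) | port_number


def choose_root_port(candidates):
    """candidates: dicts with name, port (local number), speed_mbps, root_cost
    (root path cost in the received BPDU), sender_bid, sender_port_id and
    optionally cost (local `spanning-tree cost`) and port_priority.
    Returns (port name, total cost to root)."""
    def key(c):
        local_cost = c.get("cost", DEFAULT_PORT_COST[c["speed_mbps"]])
        return (c["root_cost"] + local_cost, c["sender_bid"], c["sender_port_id"],
                port_id(c["port"], c.get("port_priority", 128)))
    best = min(candidates, key=key)
    return best["name"], key(best)[0]


# Constructed topology: root at priority 24576; switches A and B (default 32768)
# each one 1 Gb/s hop from the root; our switch is dual-homed to A and B.
VLAN = 10
ROOT = bridge_id(24576, VLAN, "0000.0000.0001")
SW_A = bridge_id(32768, VLAN, "0000.0000.000a")
SW_B = bridge_id(32768, VLAN, "0000.0000.000b")
UPLINKS = [
    {"name": "Gi1/0/1", "port": 1, "speed_mbps": 1000, "root_cost": 4,
     "sender_bid": SW_A, "sender_port_id": port_id(1)},
    {"name": "Gi1/0/2", "port": 2, "speed_mbps": 1000, "root_cost": 4,
     "sender_bid": SW_B, "sender_port_id": port_id(1)},
]


def demo():
    """(root port on a cost tie, after local `cost 2`, after upstream port-priority 64)."""
    tie = choose_root_port(UPLINKS)[0]                      # equal cost -> lower sender BID (A)
    costed = [dict(UPLINKS[0]), dict(UPLINKS[1], cost=2)]   # -if)# spanning-tree vlan 10 cost 2
    by_cost = choose_root_port(costed)[0]
    parallel = [dict(UPLINKS[0]),                           # two links to the same switch A
                dict(UPLINKS[0], name="Gi1/0/2", port=2, sender_port_id=port_id(2, 64))]
    by_prio = choose_root_port(parallel)[0]                 # A set port-priority 64 on its port 2
    return tie, by_cost, by_prio


if __name__ == "__main__":
    print("root:", hex(elect_root([ROOT, SW_A, SW_B])))
    print("root primary from 32768 ->", root_primary_priority(32768))
    print(demo())
```

The third case in `demo` is the point of the port-priority line above: the value is configured on the upstream switch's port, and it is the downstream switch that reacts to it.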

# spanning-tree portfast default (all access ports to portfast)

uplinkfast - for direct link failures to the root. Next lowest cost port put into forwarding
Sets port cost to +3000 to stop it being used by downstream switches.
Bridge priority set to 49,152. Not allowed to be root switch
# spanning-tree uplinkfast

Backbone - for indirect failures
No longer has to wait max-age timer before acting on inferior bpdus
reduces convergence time from 50s to 30 (no mac-age timer)
# spanning-tree backbonefast (enable on all switches)

# show spanning-tree detail (to see received port priority.)

Chapter 8
Protecting STP

Root port - closest to root
designated port - a forwarding port - 1 per segment
blocking port - neither root nor designated
alternate port - used by uplinkfast - discarding
forwarding port - end user access
backup port - RSTP - alternate designated port to a segment (hub) -discarding

Root Guard and BPDU guard prevent unexpected root bridges
-if)# spanning-tree guard root (puts port into root inconsistent STP state. Goes forwarding when superior BPDUs stop. use where the root will never be found)

-if)# spanning-tree bpduguard enable (errdisables the port if a BPDU arrives. Not automatic with portfast: spanning-tree portfast bpduguard default turns it on for all portfast ports)

If a port stops receiving BPDUs the port will transition to forwarding
loop guard keeps track of bpdus on non designated ports, if they go missing port enters STP loop inconsistent state
works on a per vlan basis, not per port
# spanning-tree loopguard default (disabled by default)
if)# spanning-tree guard loop

UDLD frames echoed back across a link. Both sides need to be configured, 2 processes per link
15 second interval
normal send syslog message, aggressive errdisables port after 8 missed replies
# udld aggressive (enables on all fibre ports)
-if)# udld enable
will not errdisable until 1 echo is heard
# udld reset

# show udld fa0/1 - unknown status until both sides are configured, then bidirectional

# spanning-tree portfast bpdufilter default
-if)# spanning-tree bpdufilter enable


Chapter 9
RSTP

No listening state
BPDU version 2. Hellos sent out all ports, regardless of receiving one
3 missed BPDUs and a neighbour is aged out (6 seconds)
slow STP can run on a per port basis (if it receives an 802.1D version 0 BPDU)

Edge port = portfast
point-to-point = full duplex link; a designated port on one can go forwarding quickly via proposal/agreement
half duplex always reverts back to slow STP
RSTP synchronisation - no timers used
non edge ports start in discarding state. If a superior bpdu is received, port goes to root port
A proposal is sent. Ports only start forwarding if neighbour agrees with agreement message

A Topology Change (TC) message only when a port goes into forwarding.
Mac addresses flushed on all ports except the one the TC was received on.

# spanning-tree mode rapid-pvst. (slow pvst used by default)

# show spanning-tree vlan 10
P2p = port running RSTP and full duplex interface
P2p Peer (STP) = 802.1d slow stp

Chapter 9
MSTP

configuration of below must match on all switches:
MST name (32 characters)
MST revision number (0 - 65,535) - increase this by 1 for every change
VLAN mapping table (4096 entries)

CST considers MST region as a single switch
Internal Spanning Tree to form a loop free topology to CST
16 MST instances (MSTI). IST is 0, allowing 1 - 15 configurable.
IST0 sends bpdus, all vlans mapped to this by default

# spanning-tree mode mst
# spanning-tree mst configuration
-mst)# name MSTREGION
-mst)# revision 0
-mst)# instance 1 vlan 10,11,12
-mst)# instance 2 vlan 20,21,22

-mst)# show pending
-mst)# exit - changes applied when exiting
802.1w - RSTP
802.1s - MST


Chapter 10
Aggregating Switch Links


Etherchannel of 2 criteria uses XOR, otherwise lower bits used
Load balance method doesn’t have to match both sides
source mac is default method. If using IP, with non IP traffic, it falls back to mac
active/passive - LACP. 16 configurable interfaces, 8 active. 2 byte priority, lower = better
Desirable/auto PAgP - silent by default and results in 15 second delay
LACP priority 1 - 65,535, 32,768 by default. Lowest mac breaks tie
# lacp system-priority 100 (for who leads negotiations)
-if)# lacp port-priority 100 (for which ports should be included if more than max configured)
# spanning-tree etherchannel guard misconfig (on by default)
-if)# channel-group 1 mode active
-if)# channel-protocol lacp
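The load-balancing lines above in code, as an added example that is not from the notes: the chosen header fields are XORed, the low 3 bits select one of 8 hash buckets, and buckets are spread over the member links (bucket modulo link count here, which reproduces the documented 3/3/2 split for three links and 2/2/2/1/1 for five). The traffic is constructed and the per-flow results are this model's, not a switch's. It also shows the two practical points from the notes: a single source MAC pins everything to one link under `src-mac`, and an IP method falls back to MAC for non-IP frames.

```python
# Added example (not from the study notes): a model of Catalyst EtherChannel
# load balancing. Standard library only.
import ipaddress
from collections import Counter

METHODS = {                  # port-channel load-balance keyword -> fields hashed
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
}
BUCKETS = 8                  # 3 hash bits


def field_int(value: str) -> int:
    """Parse a dotted IPv4 address or a MAC in any common notation to an int."""
    try:
        return int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return int(value.replace(".", "").replace(":", "").replace("-", ""), 16)


def hash_bucket(*values: int) -> int:
    h = 0
    for v in values:         # two criteria -> XOR; one criterion -> its own low bits
        h ^= v
    return h & (BUCKETS - 1)


def bucket_to_link(bucket: int, n_links: int) -> int:
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel has 1-8 active links")
    return bucket % n_links


def bucket_split(n_links: int) -> dict:
    """How many of the 8 buckets each link owns (uneven for non-power-of-two)."""
    return dict(Counter(bucket_to_link(b, n_links) for b in range(BUCKETS)))


def choose_link(frame: dict, n_links: int, method: str = "src-mac") -> int:
    """Member link index a frame is sent on. IP methods fall back to the MAC
    equivalents for frames without IP fields, as the notes describe."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method}")
    if method.endswith("ip") and "src_ip" not in frame:
        method = method[:-2] + "mac"
    values = [field_int(frame[f]) for f in METHODS[method]]
    return bucket_to_link(hash_bucket(*values), n_links)


def distribution(frames, n_links: int, method: str = "src-mac") -> dict:
    """Frames per link under `method`, as {link: count}."""
    return dict(Counter(choose_link(f, n_links, method) for f in frames))


# Constructed traffic: one client talking to four servers, plus an ARP request.
CLIENT = {"src_mac": "0000.0000.0001", "src_ip": "10.0.0.1"}
FLOWS = [dict(CLIENT, dst_mac=f"0000.0000.00{n:02x}", dst_ip=f"10.0.0.{n}")
         for n in (2, 3, 4, 5)]
ARP = {"src_mac": "0000.0000.0001", "dst_mac": "ffff.ffff.ffff"}


if __name__ == "__main__":
    print("src-mac on 4 links   :", distribution(FLOWS, 4, "src-mac"))      # all on one link
    print("src-dst-ip on 4 links:", distribution(FLOWS, 4, "src-dst-ip"))   # spread out
    print("3-link bucket split  :", bucket_split(3))
    print("ARP under src-dst-ip falls back to MAC -> link", choose_link(ARP, 4, "src-dst-ip"))
```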


Chapter 11
Multilayer Switching

# interface vlan 100
-if)# switchport autostate excluded

Route once, switch many - old way. Uses Route Processor (RP) and then switching engine. Aka netflow switching or Route Cache.

CEF replaces Netflow, enabled by default
FIB - Forwarding Information base. Routing table with most specific route first. Contains adjacent hosts as /32.
Layer 3 engine updates FIB
# show ip cef (shows FIB table. Version = number of times a entry has been updated)
CEF punt = packets sent to L3 engine
Accelerated CEF - lacks full FIB on line card
Distributed CEF - Full FIB table on line card

Adjacency table - layer 2 information from ARP table
# show adjacency summary
CEF glean = a packet without a corresponding arp entry. Sent to L3 engine for arp request. packets for that destination dropped for 2 seconds due to ARP throttle
Ethernet header rewritten by packet rewrite engine (source mac etc)

# no ip route-cache cef
# no ip cef


Chapter 12
Configuring DHCP

Default gateway and broadcast address automatically excluded
# ip dhcp pool DHCPVLAN10
-dhcp)# network 10.0.10.0 255.255.255.0
-dhcp)# default-router 10.0.10.1
-dhcp)# host 10.0.10.10 255.255.255.0 (manual binding; goes in its own pool together with hardware-address or client-identifier, not in a network pool)
# ip dhcp excluded-address 10.0.10.2 10.0.10.9

# show ip dhcp binding

DHCPv6 offered in RA, or client can request it
-if)# ipv6 nd other-config-flag

-if)# ipv6 dhcp relay destination 2001::11 (instead of ip helper-address)


Chapter 13
Switch Logging

stratum 1 = atomic clock
NTP version 3 by default. Version4 for IPv6
sntp = client only. ntp commands configure switch as a client and a server on all L3 interfaces

# service timestamps log datetime localtime show-timezone msec (timestamps syslog messages from the switch clock; the clock itself should come from NTP)


Chapter 14
SNMP

snmp manager = solarwinds
snmp agent = switch
MIB = Management Information Base
OID = Object Identifier
MIB is tree like structure, with a counter for an interface being on a OID address in the MIB.
UDP 161 for queries. UDP 162 for traps
Get request, get next request, get bulk request (v2c and v3), set request
SNMP trap - no ack. Inform request echoed back to agent

SNMPv3 can define the MIB tree on a per group basis, can authenticate the integrity of packets (authnopriv), can encrypt too (authpriv). NoAuthNoPriv.



Chapter 15
IP SLA

IP SLA operations run every 60 seconds by default.
Schedule required, forever start-time now
Path-jitter and udp-jitter require IP SLA responder on target. UDP port 1967.
# ip sla responder
NTP required for accurate time stamps

# ip sla 100
-ip-sla)# icmp-echo 8.8.8.8
-ip-sla)# frequency 60
# ip sla schedule 100 life forever start-time now

# show ip sla statistics 100 - success/failures, last test stats

Use in HSRP
# track 1 ip sla 100 reachability
# interface vlan 100
-if)# standby 1 track 1 decrement 10
-if)# standby 1 preempt

default decrement = 10, multiple failures = multiple decrements.

Chapter 16
SPAN

Can SPAN a port channel
VSPAN - span whole vlan
mirrored frames dropped if they exceed egress port speed
can’t mix source interface and vlans
can’t span a SVI
only 1 destination, can’t be a port channel. Multiple sources allowed
add encapsulation replicate to include network management (VTP, CDP & STP)
add ingress to destination to allow traffic to be sent back
STP and mac address learning is deactivated on destination port

RSPAN - all switches in path need to support remote-span vlan
All ports with the RSPAN vlan get flooded with the traffic
cannot monitor bpdus with RSPAN, STP still runs on vlan

# vlan 600
-vlan)# remote-span

# monitor session 1 source interface gi1/1 both
# monitor session 1 destination remote vlan 600

# monitor session 1 source remote vlan 600
# monitor session 1 destination interface gi 1/5

# no monitor session 1
# no monitor session local
# no monitor session all

# show monitor



Chapter 17
High Availability


RPR - modules reloaded, 2 mins +
RPR+ layer 2 functions restarted - 30s
SSO - L3+ restarted. - 1 second

# redundancy
-red)# mode sso
# show redundancy states

NSF - non stop forwarding - cisco proprietary
rebuilds routing RIB table after SSO.
Neighboring router also needs to be configured. Provides the RIB table

# router eigrp 1
-router)# nsf

# router bgp 65530
-router)# bgp graceful-restart



Chapter 18
HSRP

Router discovery in IPv6 can result in 40 seconds downtime

Active/Standby state
0000.0c07.acXX
224.0.0.2 hello multicast
Can reuse group number on different vlans
Default standby = 100. Highest wins. Highest IP breaks tie
Add delay if using routing protocols
plain text or MD5 authentication

-if)# standby 1 ip 10.0.0.1
-if)# standby 1 priority 120
-if)# standby 1 preempt
-if)# standby 1 timers msec 100 msec 350

# key chain HSRPCHAIN
-keychain)# key 1
-keychain-key)# key-string PASSWORD
-if)# standby 1 authentication md5 key-chain HSRPCHAIN

For IPv6
-if)# standby version 2
-if)# standby ipv6 autoconfig

# show standby vlan 50 brief - P means preempt

Can use the follow command to save resources on subinterfaces
A client takes its state from the master group it is following on the same physical interface
interface:
-if)# standby 1 name HSRPINT1
sub interface:
-if)# standby 2 follow HSRPINT1

CHAPTER 18
VRRP


Master and backup router
router priority 1 - 254. Default 100. Higher = better
groups 0 - 255
virtual mac 0000.5e00.01xx
1 second advertisement intervals
multicast address 224.0.0.18
preempt on by default

-if)# vrrp 1 priority 200
-if)# vrrp 1 ip 10.0.0.1
-if)# no vrrp 1 preempt

# show vrrp


Chapter 18
GLBP

AVG - highest priority, answers ARP requests and assigns a AVF
groups 0 - 1023. Priority 1 - 255, 100 default
3 second hello, 10 second hold
AVG advertises timers
virtual mac 0007.b4xx.xxYY x = group, Y = AVF number
Redirect timer is how long the failed AVF mac will be active on another router. Default 600s
max 4 AVFs, round robin allocation. Weighted or host dependant configurable
Active IP can be learned from AVG
Second highest AVG takes over

-if)# glbp 1 priority 200
-if)# glbp 1 ip 10.0.0.1
-if)# glbp 1 preempt
-if)# glbp 1 load-balancing weighted
-if)# glbp 1 weighting 120 (used by tracking & load balancing)
-if)# glbp 1 weighting track 1 decrement 20
-if)# glbp 1 timers msec 100 msec 350

# track 1 interface gi1/1

# show glbp brief - top line is AVG process (with IP). Active = AVG, standby = second. Active with mac = AVF process
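An added example (not from the notes) covering the HSRP, VRRP and GLBP virtual MAC formats above: it derives the virtual MAC for a group and, the other way round, recognises which protocol and group is answering for a gateway address in an ARP table. HSRP version 2's range (0000.0c9f.f000 to ffff, 12-bit group) is not in the notes but is standard Cisco behaviour. The ARP-table lines are constructed, modelled on `show ip arp` output.

```python
# Added example (not from the study notes): derive and recognise FHRP virtual
# MACs. Standard library only.
import re

HELLO_DEST = {                # protocol -> (multicast group, transport)
    "HSRPv1": ("224.0.0.2", "UDP/1985"),
    "HSRPv2": ("224.0.0.102", "UDP/1985"),
    "VRRP":   ("224.0.0.18", "IP protocol 112"),
    "GLBP":   ("224.0.0.102", "UDP/3222"),
}


def _norm(mac: str) -> str:
    h = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if not re.fullmatch(r"[0-9a-f]{12}", h):
        raise ValueError(f"bad MAC {mac}")
    return h


def _dotted(h: str) -> str:
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_v1_vmac(group: int) -> str:
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 groups are 0-255")
    return _dotted(f"00000c07ac{group:02x}")


def hsrp_v2_vmac(group: int) -> str:
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 groups are 0-4095")
    return _dotted(f"00000c9ff{group:03x}")


def vrrp_vmac(group: int) -> str:
    if not 0 <= group <= 255:
        raise ValueError("VRRP groups are 0-255")
    return _dotted(f"00005e0001{group:02x}")


def glbp_vmac(group: int, forwarder: int) -> str:
    """0007.b4xx.xxyy: 16-bit group number, then the AVF number (1-4)."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP groups are 0-1023")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP has at most 4 AVFs")
    return _dotted(f"0007b4{group:04x}{forwarder:02x}")


def identify_vmac(mac: str):
    """{"protocol", "group", ...} if `mac` is a known FHRP virtual MAC, else None."""
    h = _norm(mac)
    if h.startswith("00000c07ac"):
        return {"protocol": "HSRPv1", "group": int(h[10:], 16)}
    if h.startswith("00000c9ff"):
        return {"protocol": "HSRPv2", "group": int(h[9:], 16)}
    if h.startswith("00005e0001"):
        return {"protocol": "VRRP", "group": int(h[10:], 16)}
    if h.startswith("0007b4"):
        return {"protocol": "GLBP", "group": int(h[6:10], 16), "forwarder": int(h[10:], 16)}
    return None


def gateways_in_arp_table(lines) -> list:
    """Pick FHRP virtual MACs out of lines shaped like IOS `show ip arp` output:
    'Internet <ip> <age> <mac> ARPA <interface>'."""
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "Internet":
            continue
        info = identify_vmac(parts[3])
        if info:
            found.append({"ip": parts[1], "mac": parts[3], **info})
    return found


# Constructed sample, format modelled on `show ip arp`.
ARP_SAMPLE = [
    "Internet  10.0.0.1    0   0000.0c07.ac01  ARPA   Vlan10",
    "Internet  10.0.0.2   12   0000.5e00.0101  ARPA   Vlan10",
    "Internet  10.0.0.3    5   0007.b400.0a02  ARPA   Vlan10",
    "Internet  10.0.0.50   3   0050.56aa.bbcc  ARPA   Vlan10",
]

if __name__ == "__main__":
    for gw in gateways_in_arp_table(ARP_SAMPLE):
        print(gw, HELLO_DEST[gw["protocol"]])
```

Note that the GLBP entry identifies the individual forwarder (AVF 2 of group 10), which is what `show glbp brief` calls the "Active with mac" line above.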




CHAPTER 19
Securing Switch
-if)# switchport port-security
-if)# switchport port-security maximum 1
-if)# switchport port-security mac-address sticky
-if)# switchport port-security mac-address 0000.1111.2222
-if)# switchport port-security violation shutdown (default - errdisables port + trap/syslog)
restrict - drops illegal macs and sends traps/syslog/security violation counter increments
protect - drops illegal packets silently

# clear port-security dynamic interface fa1/1 (forgets dynamically learned addresses; sticky addresses live in the running config, remove them with clear port-security sticky interface fa1/1)

EAPOL 802.1x - layer 2 protocol
port stays unauthorised until dot1x capable device authenticates

# aaa new-model
# radius-server host 192.168.255.10 key RADIUSKEY
# aaa authentication dot1x default group radius
# dot1x system-auth-control

# int fa 1/1
-if)# dot1x port-control auto
force-authorized is the default (no authentication needed), force-unauthorized never allows traffic
only 1 client allowed by default
-if)# dot1x host-mode multi-host

-if)# storm-control broadcast level 20
multicast, (unknown) unicast also configurable
-if)# storm-control action drop (default, trap and shutdown configurable.)


# access-list 10 permit 10.0.0.0 0.0.0.255

# ip http secure-server
# ip http access-class 10

# line vty 0 15
# access-class 10 in

# ip ssh version 2


Chapter 20
Securing VLANs

# ip access-list standard ALV10
-acl)# permit 10.0.10.0 0.0.0.255

# vlan access-map AMV10 10
-access-map)# match ip address ALV10
-access-map)# action drop
# vlan access-map AMV10 20
-access-map)# action forward (a VACL ends in an implicit deny, so without this sequence everything else in the VLAN is dropped)


# vlan filter AMV10 vlan-list 10


community vlan - talk to same community but not others
isolated vlan can only talk to primary

VTPv3 required, otherwise configure on every switch

promiscous port - connects to router
host port - can only talk to promiscuous port or those in the same community vlan. Just need to configure host-association, not access vlan.
hosts association to PVLAN, promiscuous ports have mapping
primary vlan association to private vlan
Interface SVI mapping to PVLAN

# vlan 10
-vlan)# private-vlan community

# vlan 30
-vlan)# private-vlan isolated

# vlan 100
-vlan)# private-vlan primary
-vlan)# private-vlan association 10,30

# int range gi 1/1 - 3
-if)# switchport mode private-vlan host
-if)# switchport private-vlan association 100 10 (primary vlan then private)


#int range gi 1/4 - 7
-if)# switchport mode private-vlan host
-if)# switchport private-vlan association 100 30
# int gi 1/48
-if)# switchport mode private-vlan promiscuous
-if)# switchport private-vlan mapping 100 10,30

# int vlan 100
-if)# private-vlan mapping 10,30



# vlan dot1q tag native (global; native VLAN frames are tagged on all trunks and untagged frames received on a trunk are dropped)



Chapter 21
Preventing Spoofing

DHCP snooping - all ports untrusted by default
Option 82 - DHCP relay agent validates source port - enabled by default

# ip dhcp snooping
# ip dhcp snooping vlan 50

# int range gi 1/1 - 47
-if)# ip dhcp snooping limit rate 3 (unlimited by default)

# int gi 1/48
-if)# ip dhcp snooping trust

# show ip dhcp snooping


ip source guard uses DHCP snooping database and static source bindings
enforces the use of an IP on a particular port. Adding port-security ensures correct mac
creates a dynamic port ACL from the binding; with the port-security option the MAC is checked as well
-if)# ip verify source
-if)# ip verify source port-security

Dynamic ARP Inspection - inspects ARP packets on untrusted ports
Uses DHCP snooping database and checks contents against known values
Invalid replies are dropped and logged
All ports are untrusted by default. Uplinks need to be trusted
ACL for static entries checked before DHCP snooping

# ip arp inspection vlan 50
# ip arp inspection validate src-mac dst-mac ip
-if)# ip arp inspection trust


# arp access-list STATICARP
-acl)# permit ip host 10.0.0.10 mac host 0000.1111.2222
# ip arp inspection filter STATICARP vlan 50
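The DAI decision logic from the lines above, run over constructed ARP packets, as an added example that is not from the notes: trusted ports bypass inspection, the ARP ACL is consulted before the DHCP snooping bindings, and `validate src-mac dst-mac ip` adds the header checks. The binding table, ACL entry, packets and log format are all made up for the demo, and the dictionary field names are mine.

```python
# Added example (not from the study notes): Dynamic ARP Inspection as the
# notes describe it, over constructed packets. Standard library only.
import ipaddress

VALIDATE = ("src-mac", "dst-mac", "ip")   # ip arp inspection validate src-mac dst-mac ip
TRUSTED_PORTS = {"Gi1/48"}                 # -if)# ip arp inspection trust (the uplink)
INSPECTED_VLANS = {50}                     # ip arp inspection vlan 50

# DHCP snooping binding table (constructed).
BINDINGS = [
    {"mac": "0000.1111.2222", "ip": "10.0.0.10", "vlan": 50, "port": "Gi1/1"},
    {"mac": "0000.3333.4444", "ip": "10.0.0.11", "vlan": 50, "port": "Gi1/2"},
]
# arp access-list STATICARP: permit ip host 10.0.0.5 mac host 0000.5555.6666 (constructed)
ARP_ACL = [("10.0.0.5", "0000.5555.6666")]

REQUEST, REPLY = 1, 2


def _mac(m: str) -> str:
    return m.lower().replace(".", "").replace(":", "").replace("-", "")


def _bad_ip(ip: str) -> bool:
    a = ipaddress.IPv4Address(ip)
    return a.is_multicast or ip in ("0.0.0.0", "255.255.255.255")


def inspect_arp(pkt: dict) -> tuple:
    """("permit" | "drop", reason) for one ARP packet.

    pkt keys: port, vlan, eth_src, eth_dst, op (1 request / 2 reply),
    sha/spa (sender MAC/IP), tha/tpa (target MAC/IP).
    """
    if pkt["vlan"] not in INSPECTED_VLANS:
        return "permit", "vlan not inspected"
    if pkt["port"] in TRUSTED_PORTS:
        return "permit", "trusted port"
    # Optional header validation (ip arp inspection validate ...).
    if "src-mac" in VALIDATE and _mac(pkt["eth_src"]) != _mac(pkt["sha"]):
        return "drop", "ethernet source != ARP sender MAC"
    if "dst-mac" in VALIDATE and pkt["op"] == REPLY and _mac(pkt["eth_dst"]) != _mac(pkt["tha"]):
        return "drop", "ethernet destination != ARP target MAC"
    if "ip" in VALIDATE and (_bad_ip(pkt["spa"]) or (pkt["op"] == REPLY and _bad_ip(pkt["tpa"]))):
        return "drop", "invalid or unexpected IP in ARP body"
    # Static entries (ARP ACL) are checked before the snooping database.
    for ip, mac in ARP_ACL:
        if ip == pkt["spa"]:
            if _mac(mac) == _mac(pkt["sha"]):
                return "permit", "arp acl"
            return "drop", "arp acl mismatch"
    # DHCP snooping bindings: sender IP/MAC must match an entry in this VLAN.
    for b in BINDINGS:
        if b["vlan"] == pkt["vlan"] and b["ip"] == pkt["spa"]:
            if _mac(b["mac"]) == _mac(pkt["sha"]):
                return "permit", "snooping binding"
            return "drop", f"binding for {pkt['spa']} is {b['mac']}, not {pkt['sha']}"
    return "drop", f"no binding for {pkt['spa']}"


def run(packets) -> tuple:
    """Verdict per packet plus one log line per drop (format is made up here)."""
    results, log = [], []
    for p in packets:
        verdict, reason = inspect_arp(p)
        results.append(verdict)
        if verdict == "drop":
            kind = "Res" if p["op"] == REPLY else "Req"
            log.append(f"DAI deny ({kind}) on {p['port']} vlan {p['vlan']}: "
                       f"[{p['sha']}/{p['spa']}/{p['tha']}/{p['tpa']}] {reason}")
    return results, log


# Constructed packets.
PACKETS = [
    # legitimate reply from the host holding the 10.0.0.10 lease
    dict(port="Gi1/1", vlan=50, eth_src="0000.1111.2222", eth_dst="0000.3333.4444", op=REPLY,
         sha="0000.1111.2222", spa="10.0.0.10", tha="0000.3333.4444", tpa="10.0.0.11"),
    # host on Gi1/2 claims the gateway address 10.0.0.1 (spoofed reply)
    dict(port="Gi1/2", vlan=50, eth_src="0000.3333.4444", eth_dst="0000.1111.2222", op=REPLY,
         sha="0000.3333.4444", spa="10.0.0.1", tha="0000.1111.2222", tpa="10.0.0.10"),
    # ethernet header and ARP body disagree on the sender MAC
    dict(port="Gi1/2", vlan=50, eth_src="0000.3333.4444", eth_dst="ffff.ffff.ffff", op=REQUEST,
         sha="0000.dead.beef", spa="10.0.0.11", tha="0000.0000.0000", tpa="10.0.0.1"),
    # the same spoof arriving on the trusted uplink is not inspected
    dict(port="Gi1/48", vlan=50, eth_src="0000.3333.4444", eth_dst="0000.1111.2222", op=REPLY,
         sha="0000.3333.4444", spa="10.0.0.1", tha="0000.1111.2222", tpa="10.0.0.10"),
    # statically permitted device with no DHCP lease
    dict(port="Gi1/3", vlan=50, eth_src="0000.5555.6666", eth_dst="ffff.ffff.ffff", op=REQUEST,
         sha="0000.5555.6666", spa="10.0.0.5", tha="0000.0000.0000", tpa="10.0.0.1"),
]

if __name__ == "__main__":
    verdicts, log = run(PACKETS)
    print(verdicts)
    print("\n".join(log))
```

The fourth packet is the caveat to remember from the "uplinks need to be trusted" line: anything reaching a trusted port is accepted as-is, so trust only ports that lead to other DAI-enabled switches or the DHCP server, never to hosts.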


Chapter 22
Managing Switch Users

add a local user
# username USER secret PASS (secret stores a hash; password stores a reversible type 7 string)

# aaa new-model
# tacacs-server host 192.168.255.10
# aaa group server tacacs+ ACSSERVER
-sg)# server 192.168.255.10
# aaa authentication login LOGINORDER group ACSSERVER local

# line vty 0 15
-line)# login authentication LOGINORDER