Switching Review
Remember your subnet masks; review subnetting if needed.
/24 255.255.255.0
/25 255.255.255.128
/26 255.255.255.192
/27 255.255.255.224
/28 255.255.255.240
/29 255.255.255.248
/30 255.255.255.252
/31 255.255.255.254
Converting to hexadecimal
You might have to convert an HSRP group number to hex so you can identify the virtual MAC address. It shouldn't be a big number.
hexa = 6, deci = 10, so hexadecimal is base 16 (6 + 10)
0-9 = 0-9
A = 10
B = 11
C = 12
D = 13
E = 14
F = 15
Divide the decimal number by 16 and note the remainder; repeat with the quotient until it reaches 0. The remainders, read from last to first, are the hex digits.
17 divided by 16 goes in 1 time with remainder 1
1 divided by 16 goes in 0 times with remainder 1
17 in hex is 0x11
18 divided by 16 goes in 1 time with remainder 2
2 divided by 16 goes in 0 times with remainder 2
18 in hex is 0x12
Standards
802.1d Spanning Tree Protocol (STP)
802.1w Rapid Spanning Tree Protocol (RSTP)
802.1q Dot1q VLAN trunking
802.1p Quality of service (QoS), the priority bits carried inside the 802.1q tag
802.1s Multiple spanning tree (MST)
802.1ad QinQ, allows a second VLAN tag to be added to an already tagged frame
L2/L3
L2 switching is based on destination MAC addresses
L3 switching looks at IP addresses, ports etc.
Don't forget OSI model
7 Application   Away    All
6 Presentation  Pizza   People
5 Session       Sausage Seem
4 Transport     Throw   To
3 Network       Not     Need
2 Data link     Do      Data
1 Physical      Please  Processing
What a switch does when it gets a frame
Forward (send it out one interface)
Flood (copy the frame and send it out 2 or more interfaces, e.g. flood the whole VLAN)
Discard (drop it: the switch can't or doesn't know how to deal with this frame)
Inter-vlan routing
Verify trunking config of a router
show vlans
show ip route
MAC address table commands
mac address-table aging-time <secs>
Adding a static MAC address for hosts that never send (so it is never learned dynamically)
mac address-table static <mac> vlan <id> interface <type/number>
show mac address-table [dynamic] [address <mac>]
show mac address-table count
VLANs and Trunks
Groups of users separated into different broadcast domains (VLANs).
Stops flooding of traffic from one group into another
Security
ISL is Cisco proprietary
ISL does not modify the original frame
26 byte header
4 byte trailer (FCS error checking)
Supports legacy protocols
802.1q (IEEE standard, mostly used in the wild)
802.1q does modify the original frame (a 4 byte tag is inserted)
Native VLAN concept (untagged)
Other VLANs (tagged)
VLAN ranges
VLAN 1 = default cisco native vlan
VLANs 2 - 1001 = normal VLANs, can be created, used and deleted
VLANs 1006 - 4096 = extended VLAN range, can't be pruned with VTP
VTPv3 adds support for private VLANs / extended range
Looking for native VLAN mismatch between SW1 and SW2
Run the command below on both switches:
show interfaces FastEthernet 0/1 trunk
Check that the native VLAN matches on both sides. If it does not match, the issue is a native VLAN mismatch.
show interfaces trunk
show interfaces switchport
show interface fa0/1 status
Global command to tag the native VLAN as well, so trunks only accept tagged frames
vlan dot1q tag native
DTP, dynamic trunking protocol
ISL = Cisco proprietary
802.1q = open IEEE standard; its 4 byte tag is smaller than the ISL overhead, so it's what is used everywhere today
Normal (untagged) Ethernet frame
[ D MAC 6 bytes ] [ S MAC 6 bytes ] [ type field 2 bytes ] [ payload up to 1500 bytes ] [ CRC 4 bytes ]
802.1q tagged frame
[ D MAC 6 bytes ] [ S MAC 6 bytes ] [ 802.1q tag 4 bytes ] [ type field 2 bytes ] [ payload up to 1500 bytes ] [ CRC 4 bytes ]
4 bytes = 32 bits
Zoom in on the 802.1q tag
TPID (16 bits) - basically says "this is 802.1q"
Priority (3 bits) - QoS, 802.1p
CFI (1 bit) - used for compatibility
VID (12 bits) - the VLAN ID; 2^12 = 4096 is the max number of VLANs
Don't allow vlans 3 and 4 on this trunk
switchport trunk allowed vlan remove 3-4
VLAN range 1 - 4094
1 - 1001 normal VLAN range
1002 - 1005 reserved for token ring, not used anymore
1006 - 4094 extended range (must be in VTP transparent mode or VTPv3; most switches don't support VTPv3)
Extended-range VLANs are not stored in the vlan.dat file; converting back is a big manual job
Trunk port setup
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-5,99,1002-1005
switchport mode trunk
switchport nonegotiate (disable DTP; both sides must then be manually configured as trunks)
no shutdown
Configuring VLANs
Legacy: VLAN database mode (old, don't use, new features won't work)
Modern: vlan <vlan id> in global config mode
Show the vlans on a trunk interface
show interfaces fastethernet 0/1 trunk
Ether-channel (LAG)
More bandwidth with 2 or more cables without STP blocking any of them.
PAgP (port aggregation protocol, Cisco proprietary)
LACP (IEEE 802.1AX, 2008, open standard)
LACP was originally IEEE 802.3ad (2000)
LACP only works on full duplex ports (who wants half duplex anyway)
PAgP works on half duplex, but who wants to use that
PAgP allows 8 active ports
LACP allows 8 active ports plus more standby ports
So LACP is better?
LACP system priority
Each switch has an LACP system priority, default 32768 (lower is better).
Each port also has a port priority. The port priority is compared first, then the port number (lower is better).
LACP has passive (like PAgP auto) and active (like PAgP desirable) modes
PAgP has auto and desirable
Which variable is used for load balancing?
show etherchannel load-balance
There are many options here
Test the load balancing
test etherchannel load-balance interface port-channel 1
Test to see what port will be used
Force ether channel
channel-group [x] mode on (no PAgP, no LACP; forces the EtherChannel up)
This manually creates an etherchannel without using a negotiation protocol like pagp or lacp.
Configure an EtherChannel as layer 3
Configure the member ports
interface gigabitEthernet 0/3
no switchport
channel-group 10 mode desirable
exit
interface gigabitEthernet 0/4
no switchport
channel-group 10 mode desirable
exit
Configure the ip on the port channel interface
interface port-channel 10
no switchport
ip address 10.1.1.50 255.255.255.0
Switch Design big picture
Cisco has enterprise composite model online which you can use.
Typical design
Router/Firewall
L3 switches (Core): move data between buildings
L2 switches (Distribution): inside each building
L2 switches connected to user devices (Access): inside each building
Many smaller designs merge Core/Distribution into the same layer.
Router/Firewall
L3 Core/Distribution
L2 Access
Switch stacks and redundant links are used.
In the beginning: the flat network
Small businesses usually start with 1 switch and then expand by adding on, often daisy chaining devices with lots of single points of failure: one large failure domain. Later a network admin comes in and organizes things, adding redundancy, creating VLANs etc.
Switching is moving towards using L3 switches and routing protocols in the distribution layer and even the access layer. Not everyone can afford L3 switches at the access layer, and they might not have staff with the skills to administer them either.
L3 to the distribution layer
L3 to the access layer
We have gigabit switches now so we have the speed to do this.
We eliminate STP from the uplinks (egress interfaces) of the access switches upward
We implement routing protocols (EIGRP/OSPF) for fast failover and equal cost load balancing.
The uplinks become point to point links, like WAN links
We still need STP on the ports that are connected to users
The Campus network design (hierarchical design)
It's a modular design that can expand as the business grows
Access layer (user desktops plug in here)
Normally L2 switches but could be L3
VLANs
QoS (marking, policing)
Security (802.1x, port security)
Multicast traffic management (IGMP snooping)
Inline power (PoE for IP phones, WAPs etc.)
Distribution
Normally L3 switching (could be L2 too but you will hit scaling limits)
Multiple connections down to access devices
Multiple connections up to core devices
Gateway redundancy (HSRP, VRRP, GLBP)
EtherChannel / NIC teaming / link bundling, 802.3ad (LAG)
Load balancing (OSPF cost, PVST etc.)
Summarization
Core
High-powered devices (e.g. CRS in an ISP, 6500s)
Typically L3
The fastest and most reliable devices
The blocks can be replicated. Troubleshooting and fault isolation is easier.
With 100,000 hosts (laptops, phones, printers etc.) in one L2 domain:
The CAM table becomes too large.
If the CAM table fills up the switch starts flooding frames like a hub.
L3 routing segments the L2 domain
Broadcast storms can also hurt L2 networks
Broadcast sources include ARP requests, Windows file sharing etc.
As the L2 network grows so does the broadcast domain.
If there are too many broadcasts the network slows down until it is unusable.
L2 switches stick to one media type (Ethernet)
L3 switches can mix media because they forward based on IP addresses
An L3 switch is a hardware-accelerated router.
VLANS, Trunking and VTP
Separating broadcast domains
Each VLAN has its own CAM table
ARP uses broadcasts so it only works within a VLAN. You need L3 to get to other VLANs.
The old rule was 80/20: 80% local traffic, 20% to a remote destination
Today it's flipped, 20/80
1 VLAN per subnet
When a frame is received the switch sees which VLAN it arrived on and looks in that VLAN's CAM table for the MAC address.
exec mode -> vlan database mode is for old devices; no one uses this anymore
Normally we use global configuration mode
VLAN assignments were stored in vlan.dat
Spaces are not allowed in VTP domain names
VTP default authentication is MD5
Adding a VLAN with vlan database mode
vlan database
vlan 10 name ACCOUNTING
exit
Adding a VLAN with global config mode
conf t
vlan 20
name SALES
exit
vlan 30,40,50-55 (notice we can add several VLANs at the same time)
end
Port types
Access ports (one vlan per port)
switchport mode access
Trunk ports (Multiple VLANs per port)
switchport mode trunk
Dynamic ports (automatically choose access or trunk)
Normally used for IP phones; usually considered a security risk, so people don't use them
Good command as it shows lots of information on one screen
show int status
Show MAC addresses learned in VLAN 1
show mac address-table dynamic vlan 1
Show details of the port: what features are turned on, what mode it is in, what voice VLAN is assigned
show interfaces fa0/1 switchport
Quick way to see which ports are assigned to which VLANs
show vlan brief
Incomplete in sh arp means we sent out an ARP request but got nothing back.
VLAN trunks
Trunk links transport traffic for multiple VLANs between devices (switches)
ISL and 802.1Q are protocols for doing this.
ISL is Cisco proprietary
802.1Q is the IEEE (open) standard and is the one used in the wild.
CAM table
Finding where a host is plugged in
ping 192.168.1.10
arp -a (see the MAC address)
On the switch
show mac address-table address xxxx.xxxx.xxxx
The switch will tell you which port it sees that address on
show mac address-table interface fa0/1
If we see lots of MAC addresses on that interface then it's probably an uplink to another switch
Again, good idea to give your uplinks descriptions, always use the highest-numbered ports and use colour-coded cables
show cdp neighbors
TCAM (ternary CAM) is the L3 table
Routing at wire speed
Why don't we replace all (software based) routers with L3 switches?
IOS is feature rich
Adding features in software is easier than building ASICs
No ASIC for NAT
show platform tcam utilization
SDM templates (switch database management templates)
Allow you to allocate TCAM resources between the different tables
conf t
sdm prefer [access | default | dual-ipv4-and-ipv6 | routing | vlan] (available templates vary by platform)
CDP (cisco discovery protocol)
LLDP (link layer discovery protocol)
CDP MAC address: 01:00:0c:cc:cc:cc
LLDP MAC address: 01:80:c2:00:00:xx
CDP is Cisco only. Shows only directly connected devices.
Helps you get your bearings; you can build network diagrams from it.
Cisco Discovery Protocol (CDP) is very crucial in the operation of a Cisco IP phone. It not only provides the AUX (voice) VLAN ID for the phone to begin sending traffic on the AUX VLAN, it also allows the phone to automatically negotiate power settings.
Enabling a voice VLAN automatically enables portfast
switchport mode access
switchport voice vlan 10
With the config above, "spanning-tree portfast" will automatically be enabled
CDP commands
show cdp neighbors
show cdp neighbors detail
show cdp entry xx* (wildcard match on the device name)
cdp run (turn on CDP globally)
no cdp run (turn off CDP globally)
no cdp enable (turn off CDP on a specific interface)
Stop advertising the native VLAN and VTP domain (CDPv2 fields)
no cdp advertise-v2
LLDP
lldp run
int fa0/1
lldp ?
With LLDP you can select which ports you send/receive on
LLDP can gather more information than CDP
LLDP default timer is 30 seconds
LLDP will probably replace CDP as time goes on.
Key interface counters
sh interface fa0/1
FastEthernet0/1 is up, line protocol is up. We want to see up/up
Next look at the duplex: we want full duplex
Last clearing of interface counters
clear interface counters, then see if the errors are still happening
Next look at the input queue
Runts: likely a duplex mismatch (half duplex on one side), truncated frames
Input errors on their own with no runts could be a bad cable
Late collisions: again could be a duplex mismatch, or an Ethernet cable that is too long
Giants are jumbo frames (9000 bytes of data); you need to configure jumbo frames if you expect them
Ethernet to fiber transceivers
Handling error disable ports
The switch detects some issue with the port and puts it into err-disabled state
It won't come back unless the net admin does a shut / no shut
show int fa0/1
The interface shows as down/down with the message (err-disabled)
Find ports that are err-disabled
show interfaces status err-disabled
Shows the ports that are err-disabled and the reason
Err-disabled ports usually got disabled for a good reason
Power over ethernet
Powers IP phones, security cameras and wireless APs
The idea of having a single VLAN across multiple switches is going away as L3 moves towards the access layer
VLANs are still used on ESX servers, management VLAN
QinQ (802.1ad)
802.1Q is the VLAN tagging protocol; QinQ stacks a second tag on top
VLAN 10 in the corp office goes through the provider's WAN cloud to another site where VLAN 10 is plugged in
The service provider adds their own outer tag
VLANs VTP
Simplifies your VLAN configuration
All devices are members of a VTP domain
Once you add/remove a VLAN on one device it replicates to the rest
This is extremely useful and dangerous
Still need to assign the VLAN to a port, but you don't have to create it on 100 devices
VLAN pruning
I don't have any ports in VLAN 10, so stop sending me data for VLAN 10
VLANs that are not allowed never get their data frames sent, regardless of VTP pruning being on or off.
Issuing switchport trunk allowed vlan remove 20 removes that VLAN completely from the trunk link. A safer method is to enable VTP pruning
conf t
vtp pruning
Define which VLANs should not be pruned (remove them from the pruning-eligible list)
switchport trunk pruning vlan remove 30,40
The VTP revision number increases each time a VLAN is created or changed
Devices will always update to the highest revision
Version 1: first version, 1993ish
Version 2: 1999
Version 3: more recent, a complete re-write
Manually configure the VTP domain name and password; the VTP password is encrypted
Private VLANs (VLANs inside of VLANs)
They addressed the concerns but people still didn't want to use it
FYI there are security issues with VTP; this is why it is often off
If you go L3 switching, VLANs are locally significant so you don't need VTP.
VTP Modes
Server
Create/delete VLANs
Client
Can only receive VLANs from the server
Transparent
Hears VTP and passes it through but doesn't act on it.
Off
Same as transparent but does not let VTP pass through
VTP rev number
sh vtp status will show the rev number
All switches should agree
VTP advertisements contain
- Password
- Revision number
- Management domain name
VLAN Trunking in depth
Trunk interface is a Cisco term; other vendors call it a tagged interface.
If you enable a trunk port, by default it will carry all VLANs.
On other vendors you have to add the VLANs to the trunk.
802.1q
A 4 byte / 32 bit piece goes into the header of the Ethernet frame
First 16 bits basically say "this is 802.1q"
12 bits are used for the VLAN ID (2^12 = 4096), that's the number of VLANs you can have
3 bits are used for PRI (class of service, used for QoS at layer 2)
1 bit DE (discard eligible), can be used to ease congestion before TCP windowing kicks in
All of the above is in the 4 byte tag
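As an added example (not from these notes), a parser for the tag layout described here and in the "Zoom in on the 802.1q tag" section above, extended to the stacked outer tag from the QinQ section: it walks zero, one or two tags, splits the TCI into priority, DE/CFI and VID, and reports which VLAN a port with a given native VLAN would place the frame in. The sample frames are constructed inline; the TPID values 0x8100 (802.1q) and 0x88A8 (802.1ad) are the standard ones, not taken from the notes.

```python
import struct

TPID_8021Q = 0x8100   # the 16-bit TPID that "basically says this is 802.1q"
TPID_8021AD = 0x88A8  # outer (service provider) tag used by 802.1ad QinQ


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Assemble an Ethernet frame without the FCS. tags = (tpid, pcp, dei, vid) tuples, outermost first."""
    frame = bytearray(bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")))
    for tpid, pcp, dei, vid in tags:
        # TCI = 3-bit priority (802.1p) | 1-bit CFI/DE | 12-bit VLAN ID
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, the list of VLAN tags (outermost first), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated before the type field")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                      # not a tag, so this is the real type field
        if len(frame) < offset + 4:
            raise ValueError("truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                    # each tag adds exactly 4 bytes to the frame
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify_vlan(frame: bytes, native_vlan: int) -> int:
    """The VLAN a switch port assigns the frame to: the outermost tag's VID, or the native VLAN
    when the frame is untagged or carries a priority-only tag (VID 0)."""
    tags = parse_frame(frame)["tags"]
    if not tags or tags[0]["vid"] == 0:
        return native_vlan
    return tags[0]["vid"]


# Constructed sample frames (no FCS) carrying a dummy IPv4 payload, EtherType 0x0800.
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" * 20)
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" * 20,
                     tags=[(TPID_8021Q, 5, 0, 10)])
QINQ = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" * 20,
                   tags=[(TPID_8021AD, 0, 0, 100), (TPID_8021Q, 5, 0, 10)])

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        p = parse_frame(f)
        print(name, len(f), "bytes, tags:", [(hex(t["tpid"]), t["vid"]) for t in p["tags"]],
              "-> vlan", classify_vlan(f, native_vlan=1))
```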
Trunking can be negotiated (with Dynamic Trunking Protocol) but that is not recommended
See all the details about trunking on a port
show interface fa0/1 switchport
Enable a trunk interface
int fa0/1
switchport mode trunk (enable it as a trunk)
switchport trunk encapsulation dot1q (use 802.1q)
switchport trunk allowed vlan 1,10 (allow vlans 1 and 10)
switchport nonegotiate (turn off DTP, because it slows down convergence)
show interface trunk
See all trunk interfaces and which VLANs are allowed on those trunks
It's best practice to manually prune the allowed VLAN list
Add a new vlan to the trunk
int fa0/1
switchport trunk allowed vlan add 20 (this appends VLAN 20 to the currently allowed VLANs)
switchport trunk allowed vlan 20 (this replaces whatever is there with just VLAN 20)
Native VLAN
The native VLAN is for devices that don't know about VLANs.
When we receive a frame that is not tagged, it is placed in the native VLAN
DHCP in VLAN environment
The ip helper-address command is commonly used to reach DHCP servers in other subnets.
These broadcasts are all UDP based.
These UDP ports are forwarded by default with the ip helper-address command:
69 TFTP
67 BOOTP client
68 BOOTP Server
37 Time protocol (NTP)
49 TACACS
53 DNS
137 NetBIOS
138 NetBIOS Datagram
You can remove ports you don't want forwarded with another command (see below).
The router converts whatever broadcasts match those ports to unicast and sends them to the specified server
We can have 1 DHCP server for several VLANs
Using IP helper but don't forward TFTP
interface vlan 10
ip helper-address 10.55.55.10
exit
no ip forward-protocol udp 69
You can set it globally too.
STP back to the core
Spanning tree is good because it allows us to have redundant links without causing a loop
It elects a root bridge
Looks at the bridge priority and the MAC address, which together are called the bridge ID
32768 is the default priority
Lowest MAC address wins a tie, usually the oldest device
EtherChannel can provide more bandwidth on key links
Elect the root bridge
All the others find the best path to the root bridge:
Lowest cost (if your links are the same speed go to the next level)
Lowest sender bridge ID (if you have an EtherChannel the bridge ID will be the same, so go to the next level)
Lowest sender port number on the upstream switch
Default costs
10 Mbps    100
100 Mbps    19
1000 Mbps    4
10000 Mbps   2
STP 802.1D default timers
hello 2 seconds
max age 20 seconds
forward delay 15 seconds
Get a trunk port to use portfast (port is connected to a server)
spanning-tree portfast trunk
STP priority
- Lowest value will become the root
- Set a high value if we don't want to be the root for that VLAN
spanning-tree vlan 100 priority 4096 (we want to be root)
spanning-tree vlan 100 priority 61440 (we don't want to be root)
Value increment 4096
Lowest value 4096
Default value 32768
Highest value 61440
4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, ..., 61440
Find ports blocked by root guard
show spanning-tree inconsistentports
STP standards
There are 5 different modes of STP.
Normal STP (802.1d)
PVST+
Per-VLAN spanning tree chopped up the priority field and left space for the VLAN ID
You can have different devices be the root bridge for different VLANs
This makes sense for larger networks
Rapid spanning tree (802.1w) is a faster version of normal STP (802.1d)
Rapid STP is more proactive and communicative than normal STP
Cisco created per-VLAN rapid spanning tree (PVRST, rapid-pvst)
Multiple spanning tree protocol (MSTP 802.1s)
Consider 3 switches connected in an STP triangle
A pri 0x8002 mac 00:00:00:12:12:12
B pri 0x8000 mac 00:00:00:13:13:13
C pri 0x8003 mac 00:00:00:11:11:11
Links:
A gig0/1 <-> B gig0/1
A gig0/2 <-> C gig0/2
B gig0/2 <-> C gig0/1
Switch B will become root because it has lowest priority. If priorities matched the MAC address would be used to break the tie.
On the root bridge/switch all ports are unblocked; they are designated ports in the forwarding state:
B gig0/1 -> gig0/1 A
B gig0/2 -> gig0/1 C
The downstream switches' ports on the path to the root are called root ports:
A gig0/1 -> gig0/1 B
C gig0/1 -> gig0/2 B
Now A and C must decide which port between them is the designated port (the backup path to the root); the other side must block its port. Their cost to B is the same, so the bridge ID is used. Switch A has the lower bridge ID (priority 0x8002 vs 0x8003), so switch A gig0/2 becomes the designated port.
Switch C's gig0/2 becomes a blocked port
When STP standards interfere with each other
STP and RSTP are designed to be backwards compatible. RSTP can fall back to normal STP on a per-port basis; obviously you lose the advantages of RSTP on that port.
STP and per-VLAN STP
PVST <> STP (they are not the same)
Per-VLAN STP tags each BPDU with the VLAN it belongs to
There will be one untagged VLAN; that's the one common STP will run on
PVST BPDUs pass through STP-only switches as if they are not there
A switch without per-VLAN STP just passes them through and ignores them
MSTP
Allows you to create different regions
Groups of VLANs instead of single vlans
MSTI0 is the STP instance that runs for all the VLANs not assigned to another instance
When an MSTP switch reaches a non-compatible switch, MSTP creates a boundary and that link is handled by MSTI0
MSTP pretends to be a per-VLAN STP switch towards PVST switches
You must make the root bridge somewhere inside the MSTP network, otherwise there will be issues.
See how many BPDUs have been sent
show spanning-tree mst detail
show spanning-tree detail
STP uplinkfast,backbonefast, RSTP
Failure with normal STP (a link goes down):
UplinkFast deals with direct failures (the switch's own uplink goes down)
STP detects it, then 15 seconds listening for other BPDUs
15 seconds of learning the MAC addresses on the backup port
Then it transitions into forwarding
UplinkFast
After the election the other switches stop sending their own BPDUs
The root keeps sending BPDUs
UplinkFast is the proprietary Cisco version of what RSTP does
An uplink group is a list of ports that can get to the root bridge
RSTP does the same thing but meets the standards
When RSTP fails over, it enables the new root port and blocks all other switch-to-switch links to avoid any loops. The other switches then ask for those ports to be unblocked.
BackboneFast deals with failures that happen on other switches (indirect failures):
S3: "I'm getting BPDUs on my blocked port and my root port"
S2 loses its root port so assumes it is the root
S2 starts sending BPDUs to S3 on S3's blocked port
S3 ignores S2 for 20 seconds (max age = 10 missed BPDUs) in case the link comes back
20 s max age + 15 s listening + 15 s learning = 50 seconds
Cisco came up with BackboneFast to avoid this:
If S3 gets BPDUs from S2 that now claims to be root,
the only way we would be receiving this is if S2 lost its connection and declared itself the root,
so S3 gets rid of the max age wait and just goes ahead and deals with it.
That brings it down from 50 to 30 seconds.
RSTP adopted Cisco's idea:
If you get this inferior BPDU,
RSTP says transition the port immediately
and send the BPDU through to get S2 back up asap
STP vlan cost
SW1(config)# spanning-tree vlan 1 priority 23189
SW1(config)# spanning-tree vlan 101 priority 32768
SW1(config)# int fa0/2
SW1(config-if)#spanning-tree vlan 202 cost 2
RSTP states
Discarding
Learning
Forwarding
What happens if S3 receives a superior BPDU from S2?
It's because the priority is probably lower on S2
With STP this causes the whole topology to change (and go through the timers)
RSTP accepts it straight away.
Ports towards the new root are unblocked; other ports are blocked
BPDUGuard and BPDUFilter
BPDUGuard protects you from users bringing in their own devices that participate in spanning tree. These can cause lots of issues.
BPDUGuard should be turned on on all ports connected to users.
If it sees a BPDU come in on a port it will err-disable the port.
spanning-tree bpduguard enable
show cdp neigh
How to get an error disabled port back up
int fa2/0/1
shut
no shut
Every port configured for portfast gets BPDUGuard turned on too:
spanning-tree portfast bpduguard default
BPDUfilter
Ignores BPDUs on an interface.
Acts like a hub on that port; doesn't participate in STP
It's a good idea not to use this.
int fa1/0/2
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
VLANS, SVI and Routed Port
Configuring VLANs
vlan 10
int fa0/1
spanning-tree portfast
switchport mode access
switchport access vlan 10
Configuring SVIs (Switched Virtual Interface)
conf t
interface vlan 10
ip address 10.1.10.1 255.255.255.0
no shut
Configuring a routed port
interface fa0/24
no switchport
ip address 172.16.1.2 255.255.255.0
Configuring routing
ip routing (on some L3 switches you need to turn it on)
router eigrp 10
no auto-summary
network 10.0.0.0
network 172.16.0.0
(same config on the other side)
show ip eigrp neighbor
show ip route
STP: configuring RSTP and MSTP
show spanning-tree
802.1d is normally turned on by default
Turn on per-VLAN rapid spanning tree
spanning-tree mode rapid-pvst
MST region (name, revision, VLAN-to-instance mapping)
spanning-tree mst configuration
name mymstregion
revision 1
instance 1 vlan 1-3
instance 2 vlan 4-6
spanning-tree mode mst (turns it all on)
show spanning-tree
Set this device as root bridge for VLANs 1-3 (three instances of STP)
spanning-tree vlan 1-3 root primary
Set this device as root bridge for MST instance 2 (one instance of STP)
spanning-tree mst 2 root primary
Ether-channel
Bundle up to 8 ports together
EtherChannel load balances the traffic across the member links
Say you have 8 1 Gbps ports. The most a single connection can get is still 1 Gbps.
LACP, PAgP, Manual (LAG)
PAgP (cisco proprietary)
LACP (IEEE)
Layer 2 and Layer 3
With L3 switches you can do no switchport and create a L3 ether-channel
interface range fa0/1-2
switchport mode access
channel-group 1 mode active (LACP)
channel-group 1 mode passive (LACP)
channel-group 1 mode auto (PAgP)
channel-group 1 mode desirable (PAgP)
channel-group 1 mode on (manual)
auto = passive: will form a relationship if asked but won't ask the other side
active = desirable: will ask to form a relationship
Best practice is to set one side active and the other passive but you can set both to active and it will work.
If both are passive a relationship won't be formed.
Find etherchannel info
show etherchannel summary
show etherchannel detail
show etherchannel port
Find the EtherChannel STP cost
show spanning-tree
port-channel load-balance <method> (global)
L3 Etherchannel
higher capacity routed interface, high bandwidth routed link
SW1
conf t
interface port-channel 1
no switchport
ip address 172.16.1.1 255.255.255.0
interface range fa 0/23-24
channel-protocol lacp
channel-group 1 mode active
no switchport
SW2
conf t
interface port-channel 1
no switchport
ip address 172.16.1.2 255.255.255.0
interface range fa 0/23-24
channel-protocol lacp
channel-group 1 mode passive
no switchport
SW1
ping 172.16.1.1
SW2
ping 172.16.1.2
show etherchannel
show lacp ?
STP: Best practice
Out of the box most devices use common spanning tree (802.1D) and it's slow by today's standards
Move to RSTP
PVST / MST (do the same thing as RSTP but you can split up VLANs)
Choose the root bridge and backup root bridge carefully
Turn BPDUGuard on on all access ports in case a user plugs a switch in
RootGuard on distribution/core uplinks; use root guard carefully
Don't daisy-chain more than 7 switches
Don't use VTP (you need to configure ports anyway, so why risk it)
Don't disable spanning tree
Document everything
STP port-priority and cost
To set an interface priority when two bridges compete for position as the root bridge, use the spanning-tree port-priority command. The priority you set breaks the tie. A higher value is less preferred; lower wins.
Going away from the root of the tree use port-priority, whereas going towards the root of the tree use cost. For both priority and cost, lower value is better.
Root port = the port with the lowest cost to the root switch/bridge
Use port cost to affect the root port selection on the local switch
Use port-priority to affect downstream switches
To make the local switch the root bridge/switch:
spanning-tree vlan 100 priority 4096
If we don't want the local switch to be the root bridge/switch:
spanning-tree vlan 100 priority 61440
Port priority default value: 128
Port priority valid values: 0, 32, 64, 96, 128, 160, 192 and 224
Port speed cost defaults
10 Mbps   100
100 Mbps   19
1 Gbps      4
10 Gbps     2
Configuring cost and priority (a, b and c below are placeholder VLAN IDs)
sw2(config)# spanning-tree vlan a priority 61440
sw2(config)# int G1/0/2
sw2(config-if)# spanning-tree vlan b cost 1
sw2(config)# int G1/0/1
sw2(config-if)# spanning-tree vlan c port-priority 64
L3 switching
Before VLANs we had to create separate physical switches.
VLANs were great
However if you get a huge number of VLANs it can be an issue
Large enterprise solution is L3 switching
SVI (switched virtual interface) replaces router-on-a-stick
interface vlan 10
We get ASIC based routing with the L3 switch
Routing at wirespeed
Creating a routed port
interface gig0/1
no switchport
Routing protocols are faster than RSTP.
Sub second convergence
Old (most common) method is to span VLANs across your network
New approach is to localize VLANs / STP
Going further, they want you to use L3 switches for all switches
Then we would have a spanning-tree-free network.
Anything can fail anywhere and we get sub-second convergence
Access switches still need STP as users might plug anything in
L3 switches everywhere are too expensive for most.
Most small/medium business don't need the sub second convergence either.
STP: RootGuard, LoopGuard and UDLD
RootGuard protects the root bridge (switch). It's to protect yourself from misconfiguration by you or by Bob.
STP is insecure because the root election is based only on the bridge MAC address and priority. Older devices have lower MAC addresses, so if two devices have a priority of 0 the older device will always win. RootGuard protects the root bridge.
You need to select your root. Turn on RootGuard on any port that goes to another switch (typically on access layer switches). If a superior BPDU comes in, the port goes into loop inconsistent state until the other side stops sending those BPDUs.
interface fa0/1
spanning-tree guard root
See if root guard is enabled
show spanning-tree detail
"Root guard is enabled on the port"
LoopGuard protects against a malfunctioning switch: its IOS has crashed but it's still forwarding traffic. It stops sending BPDUs, so the other side unblocks the port, creating a loop in the network. LoopGuard puts the port into loop inconsistent state until it gets BPDUs again.
interface fa0/1
spanning-tree guard loop
UDLD (proprietary protocol)
Unidirectional link detection. Does something similar to RootGuard/LoopGuard but without STP. The error-disable does not recover unless you have errdisable recovery enabled; it's not the same as the loop inconsistent state in LoopGuard/RootGuard.
Generally used with fibre in places where we don't enable STP because we wanted fast failover.
When UDLD is first enabled and does not detect a neighbor, the link state is considered unknown, which is not necessarily an error condition.
SW1
int fa0/1
udld port aggressive
SW2
int fa0/2
udld port aggressive
After enabling UDLD on the connected interface of the other switch, we can see that the local switch has detected its neighbor and updated the link's status to bidirectional.
show udld fa0/1
udld port (log if there is an issue but keep the port up)
udld port aggressive (if there is an issue, tries to bring the connection back up; if it can't, disables the link)
UDLD aggressive mode will first try to re-establish the link, but if it fails it will put the port into errdisable
If we want to bring a port back up that was error-disabled by UDLD we can shut/no shut, or:
conf t
udld reset
First Hop Redundancy Protocol
FHRP's
- HSRP (Cisco proprietary)
- VRRP (Open IETF)
- GLBP (Cisco proprietary)
RTRA x.x.x.2 (real IP)
RTRB x.x.x.3 (real IP)
Virtual IP x.x.x.1
A virtual MAC address is also shared between RTRA and RTRB
Decrement mean reduce your priority
Preempt means take over
HSRP 1994 (cisco)
VRRP 1999 (industry standard)
They are almost identical.
Primary Backup
HSRP: Active Standby
VRRP: Master Backup
VRRP
Allows you to assign the VIP to one of the devices' real IPs, so you only need 2 IP addresses instead of 3.
Default timers (can be changed for both, even down to milliseconds)
HSRP hello 3 dead 10
VRRP hello 1 dead 3
GLBP 2005
Gateway Load Balancing protocol
The only protocol that is active/active: both units can send/receive.
Pretty much identical to HSRP outside of the active/active setup.
You may have to set the STP cost to something high like 2000 on the link between your routers. This way the links from the inside are active and the failover cable is blocked.
Single VIP, multiple MAC addresses
Active/active/active, depending on the number of nodes.
If we have 4 nodes
Each has a virtual mac
If 3 nodes go down the last node takes over the other 3 virtual mac addresses
So 1 node responding to 4 virtual mac addresses
AVG = active virtual gateway is like the primary
AVF = devices taking part in the GLBP
There will always be 1 AVG (which is also an AVF) and multiple AVFs
glbp 1 ip 172.30.80.1
glbp 1 priority 150 (controls who is the AVG)
glbp 1 timers msec 50 msec 150
AVF
glbp 1 ip 172.30.80.1
glbp 1 timers msec 50 msec 150
Can track interfaces and change member weights
glbp 1 weighting track
GLBP
MAC address: 0007.b400.XXYY (XX = group number, YY = forwarder number, both in hex)
1 AVG per group (active virtual gateway)
Up to 4 AVFs per group (active virtual forwarder)
AVG is also an AVF
HSRP 1994
Cisco protocol
Active and standby
hello every 3 seconds
dead timer 10 seconds
virtual mac address [0000.0c] [07.ac] [xx]
[cisco vendor id] [HSRP version1 id] [Standby Group Number 0-255]
You may be asked to pick the HSRP mac out of a list
Configuring HSRP
RTR1: 172.30.70.2
RTR2: 172.30.70.3
VIP: 172.30.70.1
conf t
interface vlan 1
standby 1
[group ID]
standby 1 ip 172.30.70.1
[virtual IP; the subnet mask is taken from the real address]
standby 1 priority 110
[110 becomes the active, standby is at 100]
standby 1 track fa0/1 20
[if the interface fails take 20 off its priority]
standby 1 preempt delay reload 60
[make sure it's up and working for 60s after a reload before letting it take over]
show standby
show standby brief
If the interface goes down we take 20 off the priority: 110 - 20 = 90, so the other unit sitting on 100 will become the active.
We need the preempt command. It tells the standby device: if you find you have the higher priority, take over. Without preempt the current active keeps the role even after the higher-priority router recovers, so the preempt command is really important.
Configuring hello and dead times down for faster failover
standby 1 timers msec 200 msec 650
HSRP states
Initial
This is the state at the start. This state indicates that HSRP does not run. This state is entered through a configuration change or when an interface first becomes available.
Learn
The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.
Listen
The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak
The router sends periodic hello messages and actively participates in the election of the active and/or standby router. A router cannot enter speak state unless the router has the virtual IP address.
Standby
The router is a candidate to become the next active router and sends periodic hello messages. With the exclusion of transient conditions, there is, at most, one router in the group in standby state.
Active
The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic hello messages. With the exclusion of transient conditions, there must be, at most, one router in active state in the group.
HSRP versions (v1 and v2)
Default version is v1
v1 MAC: 0000.0c07.acXX [XX is group number in hex]
v1 hellos go to 224.0.0.2
v2 supports more groups and IPv6
v2 MAC range: 0000.0c9f.f000 - 0000.0c9f.ffff
[the last three hex digits are the group number]
v2 hellos go to 224.0.0.102
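Added study example (not from the course notes): derive the HSRP v1/v2 virtual MAC from a group number, spot one in a MAC list, and walk through the tracking/preempt election from the RTR1/RTR2 config above. Router names, IPs and priorities are the constructed ones from the notes; the dict layout is my own.

```python
"""HSRP virtual MAC derivation plus active-router election with interface
tracking and preempt. Added study example, not from the course notes; the
router names, IPs and priorities below are constructed."""
from typing import Optional


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Virtual MAC for an HSRP group.
    v1: 0000.0c07.acXX  (XX  = group 0-255 in hex)
    v2: 0000.0c9f.fXXX  (XXX = group 0-4095 in hex)"""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"group {group} not valid for HSRP v{version}")


def is_hsrp_virtual_mac(mac: str) -> bool:
    """Pick an HSRP virtual MAC out of a list (any common MAC notation)."""
    hexmac = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return hexmac.startswith("00000c07ac") or hexmac.startswith("00000c9ff")


def effective_priority(router: dict) -> int:
    """Configured priority minus the decrement of every tracked interface
    that is down ('standby 1 track fa0/1 20')."""
    pri = router["priority"]
    for iface, decrement in router["tracks"].items():
        if not router["interfaces"][iface]:
            pri -= decrement
    return pri


def _rank(router: dict) -> tuple:
    """HSRP ranks by priority, then by the higher real IP address."""
    ip_key = tuple(int(o) for o in router["ip"].split("."))
    return (effective_priority(router), ip_key)


def hsrp_active(routers: list, current_active: Optional[str]) -> str:
    """Which router is active after a change. If the active router is gone
    there is a fresh election. Otherwise a better-ranked router only takes
    over when it has 'standby 1 preempt' configured."""
    alive = [r for r in routers if r.get("up", True)]
    best = max(alive, key=_rank)
    cur = next((r for r in alive if r["name"] == current_active), None)
    if cur is None or cur["name"] == best["name"]:
        return best["name"]
    if best["preempt"] and _rank(best) > _rank(cur):
        return best["name"]
    return cur["name"]


def make_group(rtr1_preempt: bool = True) -> list:
    """The two routers from the notes: RTR1 172.30.70.2 priority 110 tracking
    fa0/1 by 20, RTR2 172.30.70.3 at the default priority 100."""
    return [
        {"name": "RTR1", "ip": "172.30.70.2", "priority": 110,
         "tracks": {"fa0/1": 20}, "interfaces": {"fa0/1": True},
         "preempt": rtr1_preempt},
        {"name": "RTR2", "ip": "172.30.70.3", "priority": 100,
         "tracks": {}, "interfaces": {}, "preempt": True},
    ]
```

Run make_group(rtr1_preempt=False) through the same interface-down/interface-up sequence to see why the notes insist on the preempt command: RTR2 stays active after RTR1 recovers.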
VRRP
Gateways will be in VRRP groups (multiple devices responding to one VIP)
One master, multiple backups
VIP can be assigned to the master.
hello 1 second dead timer 3 seconds
VRRP can be very quick to failover
skew time = (256 - priority) / 256 seconds, e.g. priority 100. Can google how priority affects failover time.
Priority 100 basically adds a half second
Preemption is turned on by default in VRRP
Can track interfaces. For example track your internet connection. Works with IP SLA.
VRRP config
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
vrrp 1 timers 1 3
vrrp 1 priority 140
vrrp 1 preempt
vrrp 1 authentication md5 key-string password
vrrp 1 track 50 decrement 80
Show IP sla config
sh run | i track
show track
show ip sla configuration
conf t
int fa0/1
vrrp 1 ip 172.30.50.1
vrrp 1 priority 110 (I want this device to be master)
vrrp 1 preempt delay
no vrrp 1 timers learn
vrrp 1 timers advertise msec 50
interface tracking (can use IP SLA)
track 50 interface fa0/1 line-protocol
vrrp 1 track 50 decrement 20
show vrrp
FHRP and STP
Following Cisco designs we have L3 at the top and L2 at the access layer.
Local VLANs (VLANS don't span across switches)
L3 link between the core switches.
L3 core switches become the default GW for each local VLAN
Need SVIs for each local VLAN on the core switches
Core SW A with SVI for vlan 10 (10.1.50.2)
Core SW B with SVI for vlan 10 (10.1.50.3)
The primary HSRP etc device should be the root bridge
If you use L3 switches everywhere with local VLANs on the access layer switches, broadcasts stop at the L3 links. Failover is very quick: we don't have to wait for STP because we don't use STP. However, having L3 switches everywhere is expensive.
If VLANs span across switches we need STP.
With GLBP you need to make the links to the access switches active and block the link between the core switches. You go under the interface for the link between the core switches and change the STP cost.
Understanding and configuring port-security
Common attacks
- MAC attack, CAM table overflow
Switch becomes a hub and the attacker can listen to all traffic. To mitigate, limit the number of MAC addresses per port; even if we set it to 50 per port it would be better than nothing. A value of 2 - 5 would be good.
- DHCP starvation
Flood the DHCP server to use up all the IP addresses; new clients can't get an IP and can't use the network. This would be a good time for an attacker to set up their own rogue DHCP server. To mitigate we can restrict what ports are allowed to respond to DHCP requests. We can also limit the amount of DHCP requests coming from one port.
- Man in the middle attack / rogue DHCP server
Attacker pretends to be the DHCP server and gives your clients an IP. Clients send their traffic to the attacker, who is listening: a man in the middle attack. To mitigate, enable DHCP snooping / DAI etc.
port security modes
- shutdown = error-disables the port
- protect = limits the number of MACs and silently drops frames from the rest
- restrict = limits the number of MACs, drops frames from the rest, and logs/counts the violation
You should use shutdown or restrict
A switch port must be in access mode to use port-security
switchport mode access
switchport port-security (default limits to 1 mac address)
switchport port-security maximum 10 (10 macs)
Statically assign the next learned mac address
switchport port-security mac-address sticky
Shut down the port if something violates port security
switchport port-security violation shutdown
shutdown is harsh: it shuts the port down
restrict just logs and drops; it doesn't shut the port
Usually err-disabled ports are shut down for good reason
No need for an admin to get on and shut/no shut
errdisable recovery cause psecurity-violation
sh errdisable recovery (default timer is 300 seconds)
after 5 min the interface will turn itself back on
Mac address states
Secureconfigured = in run cfg but not saved in startup config
DynamicLearned = put in run cfg and saved in startup config
See what ports have port-security enabled
show port-security
Get more info on that port like
show port-security interface fa0/2
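Added study example (not from the course notes): the three violation modes above, simulated over a constructed CAM-table flood so you can see what each one actually does to the port and to the counters you get from "show port-security interface". Port names and MACs are made up.

```python
"""Port-security violation modes (protect / restrict / shutdown) as a
simulation over constructed frames. Added study example, not from the
course notes."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0              # "Security Violation Count" in show port-security
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # learned (sticky would write it to run cfg)
            return True
        # over the limit: this is a violation
        if self.violation == "protect":
            return False                    # silently drop, nothing logged
        self.violations += 1
        self.log.append(f"%PORT_SECURITY: violation on {self.name} from {src_mac}")
        if self.violation == "restrict":
            return False                    # drop + log + count, port stays up
        self.err_disabled = True            # shutdown: whole port goes err-disabled
        return False

    def errdisable_recover(self) -> None:
        """What 'errdisable recovery cause psecurity-violation' does after the
        300 s timer, or an admin doing shut / no shut."""
        self.err_disabled = False


def simulate_cam_flood(port: SecurePort, n_macs: int) -> int:
    """A CAM-table flood of n_macs distinct source MACs. Return how many
    frames got forwarded, i.e. how well the per-port limit contained it."""
    forwarded = 0
    for i in range(n_macs):
        mac = f"0200.0000.{i:04x}"          # constructed locally-administered MACs
        if port.ingress(mac):
            forwarded += 1
    return forwarded
```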
Port security gotcha
You cannot enable port security on EtherChannels, on trunks when DTP is enabled, or on a SPAN destination port.
DHCP Snooping Configuration
A user plugs in a router which starts handing out 192.168.1.0 addresses.
Hackers will create a DHCP server for a man in the middle attack.
You can mitigate this with DHCP snooping.
We allow all ports to make requests but we only allow replies in from the DHCP server.
We mark the trunk ports (towards the real DHCP server) as trusted
ip dhcp snooping
ip dhcp snooping trust (run this on the trusted interfaces)
ip dhcp snooping vlan 10 (enable it on the vlan)
show ip dhcp snooping binding (see the DHCP bindings)
ARP snooping config
Enable DHCP snooping globally
Enable DHCP snooping for vlans 100,150
Enable DAI for vlans 100,150
Set fa0/1 as a trusted source for DHCP responses
enable
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
interface fastethernet 0/1
ip dhcp snooping trust
ip arp inspection trust
Show ARP inspection interfaces
show ip arp inspection interfaces
Trusted ports are likely connected to a DHCP server
Untrusted ports will be validated by ARP inspection; likely connected to clients
DHCP option 82
With DHCP option 82, forwarded requests contain information about the switchport they originated from.
If you enable ip dhcp snooping, option 82 is inserted into DHCP packets as they pass through the switch. The option 82 information says where the DHCP requests came from.
ip dhcp snooping information option
This command will enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.
enable
conf t
ip dhcp snooping information option
interface fastethernet 0/2
Rate limit to 10 DHCP packets per second
ip dhcp snooping limit rate 10
IP source guard and dynamic arp inspection
Typical man in the middle attack
host <-> badguy <-> destination
Anyone can come in, download Cain & Abel, and your switches are not protected by default.
IP source guard makes sure the source IP does not change in the middle of the exchange
First you must enable DHCP snooping globally
ip dhcp snooping
Next enable source guard on the interfaces you want to protect
int fa1/0/46
ip verify source
What if you have a printer on a static IP
ip source binding 1111.1111.1111 vlan 1 192.168.100.14 interface fa1/0/6
Dynamic ARP inspection, watches for suspicious arp replies.
sh ip dhcp snooping binding
ip arp inspection vlan 10
ip arp inspection trust (configure this on your trunks)
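Added study example (not from the course notes) tying the DHCP snooping, IP source guard and DAI sections together: a binding table that only trusted ports can populate, then ARP and IP packets on untrusted ports checked against it. Ports, MACs and IPs are constructed; the printer binding reuses the values from the ip source binding line above.

```python
"""DHCP snooping binding table with Dynamic ARP Inspection (DAI) and IP
Source Guard checks, as a simulation over constructed traffic. Added
study example, not from the course notes; ports, MACs and IPs are made up.
Assumes DHCP snooping and DAI are enabled on the same VLANs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:          # one row of 'show ip dhcp snooping binding'
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, snooping_vlans, trusted_ports, ipsg_ports=()):
        self.vlans = set(snooping_vlans)    # ip dhcp snooping vlan ... / ip arp inspection vlan ...
        self.trusted = set(trusted_ports)   # ip dhcp snooping trust + ip arp inspection trust
        self.ipsg_ports = set(ipsg_ports)   # ip verify source
        self.bindings = {}                  # (vlan, client mac) -> Binding

    def dhcp_reply(self, in_port, vlan, client_mac, client_ip, client_port) -> bool:
        """A DHCP offer/ack entering on in_port. In a snooped VLAN only a
        trusted port may deliver server replies, so a rogue server on an
        access port is dropped. Accepted replies populate the binding table."""
        if vlan in self.vlans and in_port not in self.trusted:
            return False
        self.bindings[(vlan, client_mac)] = Binding(client_mac, client_ip, vlan, client_port)
        return True

    def add_static_binding(self, mac, vlan, ip, port) -> None:
        """ip source binding <mac> vlan <id> <ip> interface <port> (static-IP hosts)."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def arp_inspect(self, in_port, vlan, sender_mac, sender_ip) -> bool:
        """DAI: an ARP packet on an untrusted port must match a binding for
        that port (MAC, IP and port together); spoofed replies are dropped."""
        if vlan not in self.vlans or in_port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        return b is not None and b.ip == sender_ip and b.port == in_port

    def ip_verify_source(self, in_port, vlan, src_mac, src_ip) -> bool:
        """IP Source Guard: on a protected port the source IP and MAC of every
        IP packet must match that port's binding, so a host cannot change its
        source IP mid-exchange."""
        if in_port not in self.ipsg_ports:
            return True
        b = self.bindings.get((vlan, src_mac))
        return b is not None and b.ip == src_ip and b.port == in_port
```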
Storm control
Cisco storm control limits the amount of broadcast multicast and unknown unicast traffic on a given interface.
We can say broadcasts shouldn't go above 1 Mbps.
Sometimes when a network card breaks it starts sending out junk:
conf t
int fa0/1
storm-control broadcast level 20
Broadcasts are dropped when they exceed 20% of the bandwidth on this interface
You can also do
storm-control broadcast level bps 1m .5m (rising threshold / falling threshold)
Once you go above the rising threshold broadcasts (or other defined traffic) are dropped
They won't be allowed again until you are below the falling threshold
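Added study example (not from the course notes): the rising/falling threshold behaviour above as a small simulation, including the percent form of the level command and the "storm-control action trap" case. The per-interval rates are constructed; that trap mode still suppresses traffic is an assumption of the model.

```python
"""Storm-control rising/falling threshold behaviour (hysteresis) as a
simulation. Added study example, not from the course notes; the per-interval
broadcast rates fed in are constructed. Assumes 'storm-control action trap'
still suppresses the traffic and just adds a trap."""


class StormControl:
    """storm-control broadcast level bps <rising> [<falling>]
    Above the rising threshold broadcasts are dropped, and they stay dropped
    until the rate has fallen below the falling threshold."""

    def __init__(self, rising_bps: float, falling_bps: float = None, action: str = "drop"):
        if falling_bps is None:
            falling_bps = rising_bps          # single value: same level both ways
        if falling_bps > rising_bps:
            raise ValueError("falling threshold must not exceed the rising one")
        self.rising = rising_bps
        self.falling = falling_bps
        self.action = action                  # "drop" (default) or "trap"
        self.suppressing = False
        self.traps = []                       # SNMP traps that would be sent

    def interval(self, broadcast_bps: float) -> bool:
        """Feed one measurement interval. Return True if broadcasts were
        forwarded during it, False if they were suppressed."""
        if not self.suppressing and broadcast_bps > self.rising:
            self.suppressing = True           # storm detected
            if self.action == "trap":
                self.traps.append(f"broadcast storm: {broadcast_bps:.0f} bps > {self.rising:.0f}")
        elif self.suppressing and broadcast_bps < self.falling:
            self.suppressing = False          # back below the falling threshold
        return not self.suppressing


def level_percent(bandwidth_bps: float, rising_pct: float, falling_pct: float = None) -> StormControl:
    """storm-control broadcast level 20: thresholds as a percent of the
    interface bandwidth rather than absolute bps."""
    if falling_pct is None:
        falling_pct = rising_pct
    return StormControl(bandwidth_bps * rising_pct / 100, bandwidth_bps * falling_pct / 100)


def run(sc: StormControl, rates: list) -> list:
    """Forwarded/suppressed decision for each interval in turn."""
    return [sc.interval(r) for r in rates]
```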
Private VLANs
Why use private VLANs ?
We want to separate customers but we don't want to waste IPs that will be used for network and broadcast addresses. They provide a method for isolation within a VLAN.
Isolated
If we have 3 devices all on PVLAN 40. They can't access each other.
However they can access the promiscuous
Community
Let's say we have community PVLAN 80. Hosts in it can talk to other hosts in the same community PVLAN, and to the promiscuous port, but not to the isolated ports. Hosts in community PVLANs 80 and 85 can't access each other, but both can get to the promiscuous port.
Promiscuous
Accessible by both isolated and community.
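Added study example (not from the course notes): the three PVLAN port types above encoded as a reachability check, using the VLAN numbers from the config that follows (primary 200, community 205, isolated 210). Port fa1/0/7 and community VLAN 206 are constructed so the two-isolated-hosts and two-communities cases show up.

```python
"""Private-VLAN reachability rules (isolated / community / promiscuous).
Added study example, not from the course notes. VLAN numbers follow the
notes (primary 200, community 205, isolated 210); port fa1/0/7 and
community VLAN 206 are constructed to show the remaining cases."""

# port -> (port type, secondary VLAN; None for the promiscuous port)
PORTS = {
    "fa1/0/1": ("promiscuous", None),   # towards the router / default gateway
    "fa1/0/4": ("community", 205),      # web server
    "fa1/0/5": ("community", 205),      # sql server
    "fa1/0/6": ("isolated", 210),       # ftp server
    "fa1/0/7": ("isolated", 210),       # constructed: second isolated host
    "fa1/0/8": ("community", 206),      # constructed: a second community
}


def can_talk(a: str, b: str, ports: dict = PORTS) -> bool:
    """Can a frame from port a reach port b inside the same primary PVLAN?
    - promiscuous talks to everything
    - community talks to its own community (and promiscuous) only
    - isolated talks to promiscuous only, never to another host port"""
    if a == b:
        return True
    type_a, sec_a = ports[a]
    type_b, sec_b = ports[b]
    if "promiscuous" in (type_a, type_b):
        return True
    if type_a == "community" and type_b == "community":
        return sec_a == sec_b
    return False


def reachability_matrix(ports: dict = PORTS) -> dict:
    """{port: {other_port: reachable}}, i.e. what the rules above give you
    on paper before you go and check 'show vlan private-vlan'."""
    return {a: {b: can_talk(a, b, ports) for b in ports} for a in ports}
```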
Configuring Private VLANs
Subnet is on vlan 200
web and sql server are in community vlan 205
ftp server on isolated vlan 210
need 3750 switch for private vlans
Only VTP v3 works with PVLANs; first check "show vtp status" to see the version. If it's version 2 then set it to transparent mode
vtp mode transparent
*** Set up the primary PVLAN
vlan 200
private-vlan primary
*** Set up your community and isolated VLANs
vlan 205
private-vlan community
vlan 210
private-vlan isolated
*** Go back under the primary vlan
*** Associate the primary vlan with the secondary vlans 205,210
vlan 200
private-vlan association 205,210
private-vlan association add 206 (to add another VLAN later)
sh vlan private-vlan type
*** Add interfaces to the community VLAN
int fa1/0/4
switchport mode private-vlan host
switchport private-vlan host-association 200 205 (primary vlan, secondary vlan)
int fa1/0/5
switchport mode private-vlan host
switchport private-vlan host-association 200 205 (primary vlan, secondary vlan)
*** Add interface to the isolated VLAN
int fa1/0/6
switchport mode private-vlan host
switchport private-vlan host-association 200 210 (primary vlan, secondary vlan)
*** Set up the promiscuous port (towards the router/GW)
*** Map the primary vlan 200 to the secondary vlans 205 and 210
int fa1/0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210 (which secondary PVLANs it should respond to)
*** show command
sh vlan private-vlan
show interface switchport
show interface fa0/1 switchport
VACL
vlan access-map ge1
match ip address tn1
action redirect gigabitethernet 4/1
exit
vlan filter ge1 vlan-list 22-33
AAA on switches
Authentication - Validates who you are
Authorization - What you can do
Accounting - Tracks what you did / logging
You can download a free RADIUS server for Linux or install NPS on Windows Server.
TACACS+ via Cisco's own server is Cisco's offering, which is paid.
On server 2003 have to tick the box for unauthenticated but its
Google how to set up a RADIUS server on Windows for Cisco. You need to set up policies.
Need to find attribute values like "shell:priv-lvl=1", which is actually user mode.
"shell:priv-lvl=15" is exec mode.
aaa new-model
aaa authentication login default group radius local (all logins will go through radius if they are down it will use the local database)
aaa authentication login NO-LOGIN none
line con 0
exec-timeout 0 0
logging synchronous
login authentication NO-LOGIN (don't ask for logins on the console)
radius-server host 172.30.1.1
radius-server key cisco
aaa authorization exec default group radius if-authenticated
(if-authenticated lets you keep working if the RADIUS servers go down while you are logged in)
debug radius authentication
SPAN and RSPAN
Sometimes we need to watch the traffic with Wireshark. It's only useful when we can see the traffic. SPAN = Switched Port Analyzer.
monitor session 1 source int fa0/12 both
monitor session 1 destination int fa0/1
*** Note status of interface / source port in an active SPAN will be up (connected)
Anything sent/received on port 12 will be copied out port 1. We can have Wireshark there watching the traffic.
SPAN is great when we are sitting beside the switch. What about a remote switch ? Make a RSPAN VLAN and trunk it to your workstation
On remote switch
vlan 999 (will have to be added into trunks)
remote-span
exit
monitor session 1 source int fa0/10 both
monitor session 1 destination remote vlan 999 reflector-port fa0/11
The reflector port gives up its ASIC resources. Make sure it's not in use.
On the local switch
vlan 999
remote-span
exit
monitor session 2 source remote vlan 999
monitor session 2 destination interface fa0/1
RSPAN recap
1 - Set up the RSPAN vlan on all switches
2 - Setup monitor session 1 source interface (what we want to monitor)
3 - Setup monitor session 1 destination RSPAN VLAN
4 - Setup monitor session 2 source RSPAN VLAN
5 - Setup monitor session 2 destination interface (where we have wireshark)
SPAN and RSPAN
conf t
monitor session 1 source interface fa0/1
monitor session 1 destination interface fa0/23
Create your RSPAN vlan that you are not using
Then you can trunk it back through your network
*** Setup the RSPAN vlan on both switches (add to trunks if needed)
conf t
vlan 999
remote-span
*** setup monitor session
monitor session 1 source interface fa0/1
monitor session 1 destination remote vlan 999 reflector-port fa0/22
*** Setup the destination switch
monitor session 2 source remote vlan 999
monitor session 2 destination interface fa0/5
SNMPv3
SNMPv1 - first implementation
SNMPv2 - added more features but had no real security
SNMPv3 - Adds the ability to do authentication and encryption
OID - Identifies one value, for things like CPU usage (e.g. 90%)
MIB - All the OIDs together and what they mean is the MIB, e.g. OID 1.3.6.7 = CPU usage.
Using a monitoring system you can monitor (and change) almost anything on devices.
SNMPv3
SNMP view. What they can see.
SNMP group. The view is associated with a group
SNMP user. Users are part of groups.
snmp-server view ALL-ACCESS iso included (included means everything below)
snmp-server view INT-ACCESS ifEntry included
snmp-server group GROUP1 v3 priv read ALL-ACCESS (priv = use auth and encryption)
snmp-server user JACK GROUP1 v3 auth sha UPASSWORD priv aes SKEYPASSWORD (monitoring system needs to support)
How to detect MAC flaps caused by STP
mac-address-table notification mac-move
MAC flap = packets arrive at different interfaces with the same source MAC address
Fix "PBR requires enabling extend routing"
sdm prefer routing
Send SNMP trap when a broadcast storm is detected
storm-control action trap
NTP
Time sync is usually an afterthought.
NTP is very important for accurate log files when investigating issues after the fact.
3/1/95 at midnight
Time sync is important for certificates
3 ways to sync time
Poll an NTP server
ntp server 111.111.111.111
Listen to NTP multicasts
Multicast 1 message out to all the hosts listening to NTP multicasts
Listen to NTP broadcasts
NTP server just broadcasts out NTP
NIST will give you free authenticated NTP.
show ntp associations
Cisco Stackwise
Used to connect switches with crossover cables. Had to administer the switches individually.
Chassis switches all appeared as one switch.
Stackwise lets you link 3750's together. You can add more switches later. Up to 9 switches.
One switch will be elected as the master.
show switch - can see which one is master
switch 1 priority - can be used to set the master
If the switches are on different SW versions, the lower version switches will be upgraded, reboot and join the stack.
Just in case add switches to the stack outside business hours as they can cause an outage.
VSS vs Stackwise
At a high level, both sort of accomplish the same goals. VSS is a technology that we see in the 6500, 6800 and 4500 switches. It does not use special cables but establishes a virtual switch link (VSL) between two switches using regular ethernet cables (Gigabit, TenGigabit, etc). VSS is limited to two switches.
Stacking is something we do with 3850, 3750 and 3750x. It uses a special stack cable and is not limited to two switches (some models can stack up to 9 members). This is more of an access layer technology.
Both technologies make the connected switches appear as one.
StackWise vs. VSS:
StackWise can have more than 2 members, up to 9 on 3750-X.
VSS is always a pair of switches.
Logical result of both is the same
Stack uses dedicated proprietary cables
VSS works over 10gig ethernet (can work on fibre)
VSL (Virtual Switch link) is part of VSS (Virtual Switching System)
VSS
Can be used even in geographically distributed equipment
Is supported only on the 4500 and 6500 lines
Uses 10Gbps interfaces
Stack:
Can be connected in up to 9 devices
Is supported only on the 3750 line and (2960/3650/3850/3750+)
Uses a proprietary cable for the connection (a little over 10 Gbps)
Practice test notes
Verify inter vlan routing
Verify trunks on RTR
show ip route
show ip interface brief
Ensure the encapsulation command is set up
int fa0/0.20
encapsulation dot1q 20
ip address 172.10.4.1 255.255.254.0
no shutdown
Check native VLAN
show int fa0/1 trunk
show interfaces trunk
Trunk port setup
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 10,50
switchport mode trunk
switchport nonegotiate