CCIE R&S Written : Layer 2 Technologies
CDP and LLDP
Cisco Discovery Protocol (CDP)
- Cisco proprietary media discovery mechanism that operates at Layer 2
- uses the well-known multicast MAC address 01:00:0C:CC:CC:CC
- by default, sent every 60 seconds out CDP-enabled interfaces
- runs on all Cisco devices
- uses Type-Length-Value (TLV) fields to send additional optional data to neighbors, i.e. TLV is used to extend the capabilities of a protocol. It is like a "plug-in" to add more features to an existing protocol
- Example of TLV: IS-IS used to be for CLNS only, but with the use of TLVs it can now be used as an IPv4 routing protocol
- CDP TLV command: "cdp tlv ..."
- Type defines the type of data carried in the value, Length defines the data length, and Value is the actual data
- The size of the type and length fields is fixed at 2 bytes each; the size of the value field is variable. The type is a numeric code that indicates the kind of field this part of the message represents, the length is the size of the value field in bytes, and the value field contains the data for this part of the message

Link Layer Discovery Protocol (LLDP)
- device discovery protocol at Layer 2, non-proprietary
- IEEE standard 802.1AB
- LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, inventory management, and location information. By default, all LLDP-MED TLVs are enabled
- LLDP-MED is carried in TLVs; it can be enabled with the global command "lldp med-tlv-select"
- the TLV command has multiple options to add capabilities or to advertise a defined set of information to the neighbor
- LLDP-MED provides support to discover the following types of information, which are crucial to efficient operation and management of endpoint devices and the network devices supporting them:
  - Capabilities: endpoints determine the types of capabilities that a connected device supports and which ones are enabled
  - Inventory: LLDP-MED supports exchange of hardware, software, and firmware versions, among other inventory details
  - LAN speed and duplex: devices discover mismatches in speed and duplex settings
  - Location identification: an endpoint, particularly a telephone, learns its location from a network device. This location information may be used for location-based applications on the telephone and is important when emergency calls are placed
  - Network policy: network connectivity devices notify telephones about the VLANs they should use
  - Power: network connectivity devices and endpoints exchange power information. LLDP-MED provides information about how much power a device needs and how a device is powered. LLDP-MED also determines the priority of the device for receiving power
- ODR (On-Demand Routing) uses CDP to propagate IP address information in hub-and-spoke topologies. When ODR is enabled, spoke routers automatically advertise their subnets by using CDP
- If the encapsulation of an interface is changed, CDP is re-enabled on that interface even if CDP was previously disabled
- This protocol runs over the data-link layer
- A switch cannot send LLDP and LLDP-MED simultaneously to an endpoint device. By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device. The network device then sends LLDP-MED packets until it receives only LLDP packets
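The TLV layout described above (2-byte type, 2-byte length, variable value), as an added example that is not code from the original notes: a bounds-checked parser and builder for a CDP-style TLV stream. The notes describe the length as the size of the value field; the on-the-wire CDP encoding counts the 4-byte header in the length as well, so the parser accepts either convention through a flag. The sample bytes and the type codes in TYPE_NAMES are constructed for this example.

```python
"""Added example: parse and build a CDP-style Type-Length-Value stream.
Header is a 2-byte type and a 2-byte length in network byte order; the
value follows and is of variable size. All sample data is constructed."""
import struct

HEADER = struct.Struct("!HH")   # type, length (big-endian, 2 bytes each)

# Constructed type codes for the demo; these are NOT the real CDP code points.
TYPE_NAMES = {1: "Device-ID", 3: "Port-ID", 5: "Software-Version"}


def parse_tlvs(data: bytes, length_includes_header: bool = False):
    """Return [(type, value_bytes), ...].

    Every read is bounds-checked first: a TLV whose declared length runs past
    the end of the buffer is rejected instead of being read past the end, and
    a dangling partial header is reported as truncation. This is the check a
    receiver must make before acting on any neighbor-supplied TLV."""
    tlvs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, length = HEADER.unpack_from(data, offset)
        value_len = length - HEADER.size if length_includes_header else length
        if value_len < 0:
            raise ValueError(f"TLV type {tlv_type}: length {length} smaller than header")
        offset += HEADER.size
        if value_len > len(data) - offset:
            raise ValueError(
                f"TLV type {tlv_type} declares {value_len} value bytes, "
                f"only {len(data) - offset} remain")
        tlvs.append((tlv_type, data[offset:offset + value_len]))
        offset += value_len
    return tlvs


def build_tlv(tlv_type: int, value: bytes, length_includes_header: bool = False) -> bytes:
    """Inverse of parse_tlvs for a single TLV."""
    length = len(value) + (HEADER.size if length_includes_header else 0)
    return HEADER.pack(tlv_type, length) + value


def describe(tlvs):
    """Map known types to names. Unknown types are kept rather than dropped:
    that is what makes the scheme extensible, since a receiver that does not
    understand a new type simply skips over it using the length field."""
    return [(TYPE_NAMES.get(t, f"unknown-type-{t}"), v) for t, v in tlvs]


# Constructed sample: three TLVs, the last with a type this parser does not know.
SAMPLE = (build_tlv(1, b"SW1") + build_tlv(3, b"Gi1/0/1")
          + build_tlv(0x1234, b"\x01\x02"))

if __name__ == "__main__":
    for name, value in describe(parse_tlvs(SAMPLE)):
        print(name, value)
```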
Compatibility between MST and RSTP
- RSTP supports Version 2 BPDUs
- MST supports Version 3 BPDUs
- When an MSTP switch receives a Version 2 BPDU on one of its interfaces, it knows that this is a boundary link
EtherChannel
- For LACP, the max number of ports in an EtherChannel is 16, with 8 active and 8 on standby
- For PAgP, the max number of ports is 8, with all 8 active
- EtherChannel Misconfiguration Guard: when configured, it protects the switch's EtherChannel ports by monitoring whether the other side of the links is configured to match the local configuration. For example, it checks whether the other side has matching speed and duplex, or whether it matches as trunk ports. I.e. EtherChannel Misconfiguration Guard protects against EtherChannels between neighbors that do not have matching parameters
- The number of EtherChannels is limited to 48
- You can use PAgP only in single-switch EtherChannel configurations; PAgP cannot be enabled on cross-stack EtherChannels, i.e. on a StackWise stack, ports f1/0/1 and f2/0/1 can't be part of the same PAgP bundle

PAgP
- If your switch is connected to a partner that is PAgP-capable, you can configure the switch port for non-silent operation by using the "non-silent" keyword. If you do not specify non-silent with the auto or desirable mode, silent mode is assumed. I.e. configure silent mode for connecting to non-PAgP-capable devices that do not send out data packets, and non-silent for PAgP-capable devices
- Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic
- In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel. For Layer 3 EtherChannels, the MAC address is allocated by the stack master as soon as the interface is created (through the "interface port-channel" global configuration command)
- Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN
- PAgP cannot be enabled on cross-stack EtherChannels, i.e. on a stacked Cisco switch you can't create a PAgP EtherChannel on ports g1/0/1 and g2/0/1
- Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns MAC addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports. The learn method must be configured the same at both ends of the link
- You can also configure a single port within the group for all transmissions and use the other ports for hot standby. The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware-signal detection. You can configure which port is always selected for packet transmission by changing its priority with the "pagp port-priority" interface configuration command. The higher the priority, the more likely that the port will be selected
- PAgP cannot automatically detect when the partner device is a physical learner or when the local device is an aggregate-port learner. Therefore, you must manually set the learning method on the local device to learn addresses by physical ports. You must also set the load-distribution method to source-based distribution, so that any given source MAC address is always sent on the same physical port

LACP
- Trunk ports send and receive LACP PDUs on the lowest numbered VLAN
- Configuring LACP hot-standby ports: when enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time
- If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority
- In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating
- Determining which ports are active and which are hot standby is a two-step procedure. First, the system with the numerically lower system priority and system ID is placed in charge of the decision. Next, that system decides which ports are active and which are hot standby, based on its own values for port priority and port number. The port-priority and port-number values of the other system are not used

EtherChannel Guard
- You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel
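The two-step LACP hot-standby decision described above, as an added example (not code from the original notes). Step 1 picks the deciding system by the numerically lower (system priority, system ID) pair; step 2 orders that system's own ports by (port priority, port number), lowest first, with the first eight active and the rest hot standby, while the other system's port priorities are ignored. Switch names, MACs and port numbers are constructed.

```python
"""Added example: LACP active/hot-standby port selection, modelled on the
two-step procedure in the notes. All systems, MACs and ports are constructed."""

MAX_ACTIVE = 8   # only eight LACP links can be active at one time


class LacpSystem:
    """One end of the bundle: system priority, base MAC, and the candidate
    ports as {port_number: port_priority}. Lower values win everywhere."""

    def __init__(self, name, sys_priority, sys_mac, ports):
        self.name = name
        self.sys_priority = sys_priority
        self.sys_mac = sys_mac
        self.ports = dict(ports)

    def system_key(self):
        # System ID = priority then MAC; compare the MAC as an integer so
        # "0000.0c11.1111" sorts before "0000.0c22.2222".
        return (self.sys_priority, int(self.sys_mac.replace(".", ""), 16))

    def port_order(self):
        # Port priority first, then port number, lowest first.
        return sorted(self.ports, key=lambda p: (self.ports[p], p))


def decider(local, partner):
    """Step 1: the system with the numerically lower system key decides."""
    return local if local.system_key() <= partner.system_key() else partner


def select_ports(local, partner):
    """Step 2: the deciding system's port ordering picks active vs hot standby.
    Returns (decider_name, active_port_numbers, standby_port_numbers)."""
    d = decider(local, partner)
    ordered = d.port_order()
    return d.name, ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


# Constructed scenario: ten candidate links, default priority 32768 everywhere
# except port 9 on SW1, which was given "lacp port-priority 100".
SW1 = LacpSystem("SW1", 32768, "0000.0c11.1111", {n: 32768 for n in range(1, 11)})
SW1.ports[9] = 100
SW2 = LacpSystem("SW2", 32768, "0000.0c22.2222", {n: 32768 for n in range(1, 11)})

if __name__ == "__main__":
    # System priorities tie, SW1 has the lower MAC: SW1 decides, so its
    # port-9 priority takes effect and port 9 displaces port 8.
    print(select_ports(SW1, SW2))
    # Give SW2 a better system priority ("lacp system-priority 100"): SW2
    # now decides and SW1's port-priority setting is ignored.
    sw2_pref = LacpSystem("SW2", 100, SW2.sys_mac, SW2.ports)
    print(select_ports(SW1, sw2_pref))
```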
Layer 2 WAN Circuit Technology
High-Level Data Link Control (HDLC)
- HDLC is a bit-oriented, code-transparent, synchronous data link layer protocol developed by the International Organization for Standardization (ISO). HDLC frames can be transmitted over synchronous or asynchronous serial communication links
- It is a Layer 2 point-to-point protocol and is the default for serial interfaces on Cisco routers, but it can also be used for point-to-multipoint
- HDLC and its Cisco implementation is the default encapsulation for serial lines, and only point-to-point connections are allowed
- the original ISO HDLC is not multi-protocol, so Cisco introduced the type field to make its HDLC multi-protocol
- HDLC is a standard, but running HDLC between routers from different vendors is not going to work. Keep this in mind. Every vendor has a proprietary field in its HDLC implementation, which is what makes it incompatible between vendors
- standard HDLC does not support multiple protocols
- HDLC is an ISO standard, not IEEE
- Cisco HDLC (cHDLC) allows for multiple protocol support
- on cHDLC, dynamic address assignment on a serial link is done by Serial Line ARP (SLARP). SLARP has two functions: dynamic IP address determination and serial line keepalive. A router with a serial interface configured with the "ip address slarp retry [interval]" command will automatically obtain an IP address from its neighbor on the other end of the serial connection, but ONLY if the neighbor's IP address has a /30 mask. E.g. if the neighbor's interface serial3/0 has "ip address 10.0.0.5 255.255.255.252", the local router will pick up 10.0.0.6/30; if the neighbor has 10.0.0.6/30, the local router will take 10.0.0.5/30
- a serial interface relies on DHCP first, then BOOTP, and then SLARP, in that order, to obtain an IP address
- There is a Cisco implementation of HDLC, which is the default encapsulation for serial lines. Cisco HDLC is very streamlined; there is no windowing or flow control, and only point-to-point connections are allowed. The Cisco HDLC implementation includes proprietary extensions in the data field. The extensions allowed multiprotocol support at a time before PPP was specified. Because of the modification, the Cisco HDLC implementation will not interoperate with other HDLC implementations. HDLC encapsulations vary; PPP should be used when interoperability is required

Point-to-Point Protocol (PPP)
- PPP contains three main components: HDLC-like framing for transporting multiprotocol packets over point-to-point links; an extensible Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection; and a family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols. PPP allows the simultaneous use of multiple network layer protocols. Some of the more common NCPs are Internet Protocol (IPv4) Control Protocol, IPv6 Control Protocol, AppleTalk Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control Protocol, and Compression Control Protocol
- The only absolute requirement imposed by PPP is a full-duplex circuit, either dedicated or switched, that can operate in either an asynchronous or synchronous bit-serial mode, transparent to PPP link layer frames
- The LCP sets up the PPP connection and its parameters, the NCPs handle higher layer protocol configurations, and the LCP terminates the PPP connection
- Authentication: either PAP or CHAP or both can be enabled. If both methods are enabled, the first method specified is requested during link negotiation
- PAP and CHAP use unidirectional (one-way) authentication, in that there is an authenticating server and a responding client

PPP - Password Authentication Protocol (PAP)
- PAP provides a simple method for a remote node to establish its identity using a two-way handshake
- passwords are sent in clear text
- One of the many features of PPP is that it performs Layer 2 authentication in addition to other layers of authentication, encryption, access control, and general security procedures
- After authentication is established with PAP, it does not reauthenticate
- server config: "ppp authentication pap"

PPP - Challenge Handshake Authentication Protocol (CHAP)
- uses a three-way handshake to authenticate the user
- the server sends a challenge; the client must have a username (the server's router name) and matching password, and the server must have a username (the client IP address) and matching password
- CHAP is considered more secure because the user password is never sent across the connection
- Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The password value is variable and changes unpredictably while the link exists
- server config: "ppp authentication chap"
- CHAP is defined as a one-way authentication method. However, you can use CHAP in both directions to create two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side
- a one-way MD5 hash is obtained by combining the ID and the random number (challenge) that the authenticator sent with the locally configured password. The hash value is then encapsulated and sent to the authenticator to validate
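The CHAP three-way handshake described above, as an added example that is not code from the original notes. The response is computed as in RFC 1994, MD5(Identifier || secret || Challenge); the notes only say the three are combined, the RFC fixes this order. PAP is shown beside it so the difference is concrete: PAP places the password itself on the wire, CHAP places only a hash bound to a fresh challenge, and the authenticator must hold the clear-text secret to verify it. Router names, the secret and the fixed challenge bytes are constructed.

```python
"""Added example: CHAP challenge/response/verify versus PAP, per RFC 1994.
Router names, secrets and challenge values are constructed."""
import hashlib
import hmac
import os

# Constructed credential store on the authenticator (R1): peer name -> secret,
# i.e. the "username <peer> password <secret>" line on the router.
AUTHENTICATOR_DB = {"R2": b"s3cret-link"}
AUTHENTICATOR_NAME = "R1"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: one-way MD5 over ID, secret and challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_challenge(identifier: int, challenge: bytes = None):
    """Step 1 (authenticator): send (ID, random challenge, own name).
    A fixed challenge may be supplied for reproducible tests."""
    if challenge is None:
        challenge = os.urandom(16)
    return {"id": identifier, "challenge": challenge, "name": AUTHENTICATOR_NAME}


def chap_peer_response(msg, peer_name: str, peer_secret: bytes):
    """Step 2 (peer): hash the received ID and challenge with the locally
    configured secret. The secret itself never leaves the peer."""
    return {"id": msg["id"],
            "response": chap_response(msg["id"], peer_secret, msg["challenge"]),
            "name": peer_name}


def chap_verify(db, challenge: bytes, reply) -> bool:
    """Step 3 (authenticator): recompute with the stored secret and compare in
    constant time. An unknown peer, a wrong secret, or a response replayed
    against a different challenge all fail."""
    secret = db.get(reply["name"])
    if secret is None:
        return False
    expected = chap_response(reply["id"], secret, challenge)
    return hmac.compare_digest(expected, reply["response"])


def chap_exchange(db, peer_name, peer_secret, identifier=1, challenge=None):
    """Run one three-way handshake; return (success, transmitted_messages)."""
    c = chap_challenge(identifier, challenge)
    r = chap_peer_response(c, peer_name, peer_secret)
    return chap_verify(db, c["challenge"], r), [c, r]


def pap_request(username: str, password: bytes):
    """PAP Authenticate-Request: the password is carried as-is."""
    return {"username": username, "password": password}


def secret_on_wire(messages, secret: bytes) -> bool:
    """Does the shared secret appear verbatim in any transmitted field?"""
    return any(isinstance(v, bytes) and secret in v
               for m in messages for v in m.values())


if __name__ == "__main__":
    ok, wire = chap_exchange(AUTHENTICATOR_DB, "R2", b"s3cret-link")
    print("CHAP success:", ok, "| secret on wire:", secret_on_wire(wire, b"s3cret-link"))
    print("PAP secret on wire:",
          secret_on_wire([pap_request("R2", b"s3cret-link")], b"s3cret-link"))
```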
PPPoE
- PPPoE provides an emulated (and optionally authenticated) point-to-point link across a shared medium, typically a broadband aggregation network such as those found in DSL service providers
- servers use a virtual template interface and clients use a dialer interface
- Before you can configure the PPPoE on Ethernet feature, you need to configure a broadband access (BBA) group using the "bba-group pppoe" command and specify a virtual template for PPPoE sessions
- since it is a PPP link, it still uses the same encapsulation method: LCP to establish and maintain the session, and NCP to negotiate the upper layer protocols

Multilink PPP
- Multilink PPP allows packets to be fragmented and the fragments to be sent at the same time over multiple point-to-point links to the same remote address
- Multilink PPP combines multiple physical links into a logical bundle called a Multilink PPP bundle. A Multilink PPP bundle is a single, virtual interface that connects to the peer system
- MLPPP supports up to 10 serial links in the bundle
- MLPPP supports other link types such as Ethernet, ATM, VLAN, etc.
- With LFI (Link Fragmentation and Interleaving), the latency of delay-sensitive traffic is minimized because Multilink PPP breaks the non-priority or non-latency-sensitive traffic into smaller fragments. The delay-sensitive traffic is then PPP encapsulated and interleaved with non-priority Multilink PPP fragments or packets. At the receiver, Multilink PPP fragments or packets are reordered and reassembled while the PPP-encapsulated packets are received and immediately forwarded
- Multilink PPP bundle interfaces can be one of the following types:
  - Multilink group interfaces: static interfaces; tie a user to a specific interface; used to monitor user/client traffic; used in leased-line environments
  - Virtual access interfaces (VAIs): dynamic interfaces; used on broadband
- MLPPP connections are handled by the router's CPU
- Multilink PPP also provides packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic
IGMP
- IGMPv1 and IGMPv2 hosts only perform membership report suppression if they are on the same subnet. A host suppresses its report to a General Query on a subnet because it hears that another host on the same subnet has already sent one; this reduces the number of reports that need to be sent to the querier
- The querier is selected based on the lowest IP address on the subnet
- In IGMPv1, there is no election of an IGMP querier. If more than one device exists on the segment, all the routers/queriers send periodic IGMP queries
- IGMPv2 extends IGMP functionality by providing such features as the IGMP leave process to reduce leave latency, group-specific queries, and an explicit maximum query response time. IGMPv2 also adds the capability for routers to elect the IGMP querier without depending on the multicast protocol to perform this task. For more information, see RFC 2236
- IGMPv3 hosts do not perform IGMP membership report suppression. IGMPv3 membership reports are destined to the address 224.0.0.22; all IGMPv3-capable multicast devices must listen to this address
- IGMP filtering applies only to the dynamic learning of IP multicast group addresses, not static configuration
- With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join
- IGMP Proxy allows hosts in a UDLR (Unidirectional Link Routing) topology that are not directly connected to a downstream router to join a multicast group from an upstream router by using a back channel. UDLR is when traffic only goes one way, e.g. satellite networks, where the upstream router sends data to the downstream router, but the downstream router cannot send traffic back. To solve this, we can use a back channel. The back channel is a regular interface, like an Internet connection. The downstream router can use the back channel to inform the upstream router that it wants to receive certain multicast traffic. It does this by "proxying" an IGMP membership report

IGMP Snooping
- The IGMP snooping software examines IGMP protocol messages within a VLAN to discover which interfaces are connected to hosts or other devices interested in receiving this traffic. IGMP snooping monitors the Layer 3 IGMP traffic
- The IGMP snooping feature tracks which ports are attached to multicast-capable routers to help it manage the forwarding of IGMP membership reports. The IGMP snooping software responds to topology change notifications
- The IGMP snooping querier sends IGMPv3 querier messages. Although the querier's IGMP version is not configurable, the snooping querier is compatible with IGMPv2 hosts. A snooping querier can be configured on the switch to act as the IGMP querier in the absence of a router, to send Membership Queries (general or group-specific)
- When there is no multicast router in the VLAN to originate the queries, you must configure an IGMP snooping querier to send membership queries
- IGMP snooping immediate-leave processing allows IGMP snooping to remove a Layer 2 LAN interface from the forwarding-table entry without first sending out IGMP group-specific queries to the interface. Upon receiving a group-specific IGMPv2 leave message, IGMP snooping immediately removes the interface from the Layer 2 forwarding-table entry for that multicast group, unless a multicast router was learned on the port
- The explicit-tracking database is used for immediate-leave processing for IGMPv3 hosts, proxy reporting, and statistics collection

IGMP Filtering
- IGMP filtering allows users to configure filters on a switch virtual interface (SVI), a per-port, or a per-port per-VLAN basis to control the propagation of IGMP traffic through the network. By managing the IGMP traffic, IGMP filtering provides the capability to manage IGMP snooping, which in turn controls the forwarding of multicast traffic
- The IGMP filtering features work only if IGMP snooping is enabled (either on the interface or globally)
- filtering can be applied per physical interface, VLAN, access port, or trunk port
- filtering can limit which multicast group traffic a port gets to receive, limit the total number of multicast groups that are allowed to join per interface or VLAN, and also filter out certain versions, e.g. no IGMPv1 messages
- Filter hierarchy for access ports: the filter configuration applied to the physical port is checked first, then the SVI
- Filter hierarchy for trunk ports: the VLAN-specific filter on the trunk is checked first, then the filter configured on the trunk itself, then the SVI filters
- once a filter at one hierarchical layer is applied, the next ones in line are ignored

Router Guard
- configured on the Layer 2 switch to designate a port as a host port only. This helps prevent host ports from becoming multicast router ports
- When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if multicast router control packets are received
- The Router Guard feature does not require IGMP snooping to be enabled
- Router Guard is implemented only for IPv4

Multicast Listener Discovery (MLD)
- IPv6 protocol used for multicast group membership, similar to IGMP
- MLDv1 is similar to IGMPv2 and MLDv2 is similar to IGMPv3
- Hosts use MLD Report messages to signal joining a multicast group
- MLD uses the Internet Control Message Protocol (ICMPv6) to carry its messages
- MLD messages: Query, Report, and Done
- All MLD messages are link-local with a hop limit of 1, and they all have the router alert option set

PIM Snooping
- To use PIM snooping, you must enable IGMP snooping on the switch
- PIM Snooping is a feature on Cisco switches for network designs where the switch is connected to multiple multicast routers. When a downstream host sends a join message, the switch would by default forward the request to all upstream PIM routers. This is a waste of resources, because multicast packets should not be forwarded to routers that are not part of the multicast group. PIM Snooping enables the switch to listen in on PIM messages such as Hellos, Join, Prune, etc. to map which router is part of which multicast group
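The IGMP snooping forwarding behaviour described above, as an added example that is not code from the original notes: a small model of a per-VLAN snooping table with the immediate-leave rule (a Layer 2 port is removed on an IGMPv2 Leave without a group-specific query, unless a multicast router was learned on that port) and the Router Guard rule (a guarded port never becomes a router port, even when router control packets arrive on it). Port names, groups and the message sequence are constructed.

```python
"""Added example: IGMP snooping table with immediate-leave and Router Guard.
Ports, groups and the event sequence are constructed for the example."""


class IgmpSnoopingVlan:
    def __init__(self, immediate_leave=True, router_guard_ports=()):
        self.immediate_leave = immediate_leave
        self.router_guard = set(router_guard_ports)  # host-only ports
        self.mrouter_ports = set()      # ports where a multicast router was learned
        self.groups = {}                # group address -> set(member ports)
        self.pending_queries = []       # (group, port) group-specific queries sent

    def router_control_packet(self, port):
        """A General Query or PIM Hello arrived on `port`: learn it as a
        router port, unless Router Guard designates it as host-only."""
        if port in self.router_guard:
            return False
        self.mrouter_ports.add(port)
        return True

    def membership_report(self, group, port):
        """Join: add the port to the group's Layer 2 forwarding entry."""
        self.groups.setdefault(group, set()).add(port)

    def leave(self, group, port):
        """IGMPv2 Leave. With immediate-leave the port is dropped at once,
        except on a port where a router was learned, which keeps the entry
        and falls back to the group-specific query behaviour."""
        members = self.groups.get(group)
        if not members or port not in members:
            return "ignored"
        if self.immediate_leave and port not in self.mrouter_ports:
            members.discard(port)
            if not members:
                del self.groups[group]
            return "removed"
        self.pending_queries.append((group, port))
        return "queried"

    def egress_ports(self, group):
        """Ports a frame for `group` is forwarded to: the members plus every
        multicast router port, so routers always see the traffic."""
        return set(self.groups.get(group, set())) | self.mrouter_ports


if __name__ == "__main__":
    vlan = IgmpSnoopingVlan(immediate_leave=True, router_guard_ports={"Gi1/0/3"})
    vlan.router_control_packet("Gi1/0/24")      # uplink to the real router
    vlan.router_control_packet("Gi1/0/3")       # guarded host port: stays host-only
    vlan.membership_report("239.1.1.1", "Gi1/0/1")
    print("egress:", sorted(vlan.egress_ports("239.1.1.1")))
    print("leave Gi1/0/1:", vlan.leave("239.1.1.1", "Gi1/0/1"))
    print("egress:", sorted(vlan.egress_ports("239.1.1.1")))
```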
L2 MTU
- 18 bytes for the Ethernet header and FCS
MAC Address Learning
MAC Learning
- MAC addresses can be learned dynamically or statically configured
- a MAC entry shows the source MAC, the VLAN, and the interface it was learned on
- you can enter a multicast address as a statically configured MAC address. A multicast address can accept more than one interface as its destination
- You cannot disable MAC address learning on a VLAN that is used internally by the router. If the VLAN ID that you enter is an internal VLAN, the switch generates an error message and rejects the command
- If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port
- MAC learning can be disabled per interface or per VLAN
- caveat: disabling MAC learning on a VLAN always causes flooding on that VLAN and its associated interfaces

Configuring
- If you enable the "auto-learn" option when configuring static MACs, the switch will update the entry if the same MAC address is seen on a different port
WAN Rate-Based Ethernet Circuits
Metro Ethernet
- allows the customer network to extend Ethernet-based connections across the WAN
- Ethernet was designed initially to only support LANs
- The MEF (Metro Ethernet Forum) is a non-profit consortium that defines standards and services for Metro Ethernet
- E-Line (Ethernet Line Service): the simplest Metro Ethernet service, a point-to-point connection between two sites. The P2P connection is called an Ethernet Virtual Circuit (EVC). This is considered a point-to-point EVC
- When you use multiple E-Lines on a single physical interface, 802.1Q trunking is used with a different VLAN for each E-Line (EVPL)
- User Network Interface (UNI): the physical demarcation point between the responsibility of the Service Provider and the responsibility of the Subscriber, i.e. the physical connection between the ISP and the customer
- Another common name for E-Line is VPWS (Virtual Private Wire Service). This name is used when the provider uses MPLS on their network, transporting Ethernet over the MPLS network
- E-LAN (Ethernet LAN Service): if you have a lot of sites and you want each site to be able to send frames directly to any other site, you might want to use an E-LAN. It's a full-mesh topology that acts like a big switch, point-to-multipoint. This is considered a multipoint-to-multipoint EVC
- Another common name for E-LAN is VPLS (Virtual Private LAN Service)
- E-Tree (Ethernet Tree Service), i.e. Rooted-Multipoint EVC: the third topology is the E-Tree. This topology is useful if you have a central site and some other sites that mostly need to access resources at the central site, i.e. like a Layer 2 hub and spoke

Summary
- E-Line: point-to-point connection between two sites
- E-LAN: full-mesh network between different sites, i.e. multipoint-to-multipoint
- E-Tree: root-and-leaves topology where the central site is the root of the tree and the other sites are the leaves

Metro Ethernet services are defined by two types: port-based or VLAN-based
- Port-based: all-to-one bundling. These are referred to as "private"
  - E-Lines (EVCs) are called Ethernet Private Lines (EPL)
  - E-LANs are called Ethernet Private LANs (EPLAN)
  - E-Trees are called EP-Tree
  - Multiple VLAN support for EPL and ELAN
- VLAN-based: services are multiplexed; the EVC is identified by a VLAN ID. These are referred to as "virtual private"
  - E-Lines (EVCs) are called Ethernet Virtual Private Line (EVPL); supports hub-and-spoke topology
  - E-LANs are called Ethernet Virtual Private LAN (EVPLAN)
  - E-Trees are called EVP-Tree

Ethernet Private Line (EPL)
- An Ethernet Virtual Circuit (EVC) connects two physical User-to-Network Interfaces (UNI) such that the connection appears like a virtual private line to the customer
- point-to-point connection between two UNIs (the interfaces that connect ISP and CE)
- one EVC per UNI
- uses 802.1Q Q-in-Q tagging on the ISP side to identify which EVC frames belong to
- VLAN transparency and control protocol tunneling are supplied by the implementation of 802.1Q-in-Q tag-stacking technology. Packets received on one UNI are transported directly to the other corresponding UNI

Ethernet Virtual Private Line (EVPL)
- Each EVC is distinguished by its 802.1Q VLAN tag
- EVPL provides for multiplexing multiple point-to-point connections over a single physical link
- In the case of EVPL, the physical link is Ethernet, typically FastEthernet or Gigabit Ethernet, and the multiple circuits are identified as VLANs by way of an 802.1Q trunk
- supports multiple VLANs
- only for point-to-point connections
- trunked handoff

Ethernet Private LAN (EPLAN)
- supports point-to-multipoint
- only one VLAN supported

Ethernet Virtual Private LAN (EVPLAN)
- supports point-to-multipoint
- supports multiple VLANs
- trunked handoff
- e.g. VPLS

Rule of thumb: everything that ends in "L" is a point-to-point link, and everything that ends with "LAN" is a point-to-multipoint link. If the name has a "V" in it, the service supports multiple VLANs; if it doesn't have a "V", it doesn't. Thus:
- EPL: point-to-point, single VLAN
- EVPL: point-to-point, multiple VLANs
- EPLAN: point-to-multipoint or multipoint-to-multipoint, single VLAN
- EVPLAN: point-to-multipoint or multipoint-to-multipoint, multiple VLANs
Spanning Tree
PVST+ -PVST encapsulated frames in ISL trunks, whereas PVST+ encapsulates frames in 802.1Q trunks -IEEE STP instances run Mono Spanning-Tree (MST) which only runs one STP instance for all VLANs -in order for Cisco to interoperate with IEEE STP, Cisco switches will run PVST+ on the 802.1Q trunks with IEEE STP on the other end. PVST+ will then choose default native VLAN 1 to run STP with IEEE (because IEEE only uses one STP instance for all VLANs) -To communicate with the IEEE STP instances, Cisco switches will send IEEE STP BPDUs corresponding to VLAN 1 to IEEE STP MAC address i.e. Cisco switches will send VLAN 1 BPDUs to IEEE switches STP MAC address. -In addtion, also Cisco PVST+ sends special Shared Spanning-Tree (SSTP) BPDUs with MAC multicast 0100.0ccc.cccd to the IEEE STP instances, these SSTP BUDUs for VLAN 1 are sent untagged, however for VLANs 2-4094 Cisco switches will send SSTP BPDUs for these VLANs but tagged for VLAN identification on the other side. The SSTP BPDUs have a special TLV field that identifies the source VLAN. These special SSTP BPDUs won't be used by the IEEE switches, but the goal is to inform the potential other Cisco switches that maybe on the IEEE side of the network of Native VLAN 1 -if there is a IEEE switch between Cisco Switch A and Cisco Switch B, the IEEE will form STP instances with A and B for VLAN 1 only because it only uses one STP instances, BUT it will relay the SSTP BPDUs sent from the Cisco RB to the other Cisco switches! Therefore, if there is a native VLAN mismatch between the Cisco switches, they will know because the IEEE switch relays the message for them to each other! To summarize, if you have a group of Cisco switches connected to the same MSTP cloud (other vendor's switches) observe the following rules: 1) Use the same interface types - i.e. either all switches are connected using access ports or using trunk ports. 2) Ensure Native VLAN (PVID) is the same on all trunks used to connect to an MST region. 
-PVST+ is used on 802.1q trunks to tunnel PVST instances across an MST cloud and build a CST consisting of PVST VLAN 1 and IEEE MST. PVST+ BPDUs contain special TLV with the source VLAN ID, which allows interconnected Cisco switches to detect inconsitencies or misconfigurations. PVST+ Backbonefast -usually when a switch loses connection to root bridge, it sends out BPDU to other ports claiming itself to be the new root. When this happens the other neighbor switches ignore this new inferior BPDU because itself has connection to the old superior root. However, this happens by waiting for the STP timers to expire on the port, then the neighbor will send out its own BPDU saying there is a better root and then the original switch will now know. Backbonefast allows the option to quickly transition and bypass stp timer wait period. Does this by sending out Root Link Query out all non-designated ports and waits for RLQ Response message from Root. PVST+ UplinkFast -The UplinkFast feature dramatically decreases the convergence time of the STP in the event of the failure of an uplink on an access switch. -When uplinkfast is enabled a non-designated port will go to forwarding state immediately if the root port fails. Instead of 30 seconds downtime connectivity is restored immediately. STP Timers -Hello - 2 seconds by default, the timer in which to know when to send out a BPDU, i.e. send out BPDU every 2 seconds -Forwarding Delay - 15 seconds by default, time spent before transition to another state. Only in Listening and Learning i.e. 15s in listening transit to learning, 15s in learning transit to Forwarding state -Max Age - 20s by default, how long I will hold the information I received in from my neighbor and use it before discard the BPDU, Max Age is refreshed e.g. reset to 20s after every BPDU received from same neighbor/link -Message Age - determines how far the original BPDU has traveled from the sender. e.g. 
Message Age 0 is set by the root bridge; the next hop relays it with Message Age 1, the switch after that with Message Age 2, and so on (a BPDU whose Message Age reaches Max Age is discarded rather than used) -0180.C200.0000 is the IEEE STP address, used for the untagged BPDUs of the native VLAN (and by all IEEE 802.1D/802.1w/802.1s switches) -0100.0CCC.CCCC is for CDP -0100.0CCC.CCCD is for PVST+ (SSTP) BPDUs, sent tagged for the non-native VLANs Rapid PVST+ - IEEE 802.1w -Improved features and convergence speed compared to STP IEEE 802.1D -An alternate port receives more useful (superior) BPDUs from another bridge and is kept blocked (discarding); it is a backup path to the root -A backup port receives more useful BPDUs from the same bridge it is on (from another port of the same switch, via a shared segment) and is kept blocked -Unlike 802.1D STP, where a non-root bridge only relays the root bridge's BPDUs, in RSTP every bridge generates its own BPDU -A bridge sends a BPDU with its current information every hello-time seconds (2 by default), even if it does not receive any from the root bridge. BPDUs are sent every hello time by every switch and are no longer simply relayed, so a missing BPDU is also a much faster failure signal: after three missed hellos (6 s) the neighbor's information is aged out -Unlike 802.1D, in which any transition between the blocking and the forwarding state causes a topology change, with RSTP only transitions from blocking to forwarding on a non-edge port cause a topology change (only an increase in connectivity counts as a topology change) -All ports must finish the synchronization (sync) in the local bridge before RSTP allows ports to be unblocked and traffic to flow. A port is considered in sync when it is either discarding or an edge port. Designated ports are placed in the Designated Discarding state until the proposal/agreement handshake decides which side of the link has the superior BPDU. This means that during RSTP convergence all non-edge designated ports are temporarily blocking while in sync -If a designated discarding port does not receive an agreement after it sends a proposal, it transitions slowly to forwarding by falling back to the traditional 802.1D listening-learning sequence (2 x forward delay). This happens if the remote bridge does not understand RSTP BPDUs, or if the port of the remote bridge is blocking. -RSTP uses the TC flag in its normal BPDUs and no longer uses separate TCN BPDUs.
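An added example for the PVST+, BPDU-address and timer notes above (this is not code from the page or from Cisco): it builds and decodes IEEE 802.1D and Cisco SSTP BPDU frames, reads the Originating VLAN (PVID) TLV that SSTP BPDUs carry, and flags a native VLAN mismatch when the VLAN a BPDU arrived on disagrees with the VLAN its TLV claims. All frames are constructed in the test, the MAC addresses are made up, and the BPDU fields follow the 802.1D configuration BPDU layout (timers on the wire are in units of 1/256 s).

```python
"""Decode IEEE 802.1D and Cisco PVST+ (SSTP) BPDU frames and flag a PVID mismatch.

Added example: frames are constructed, not captured from a real switch.
"""
import struct

IEEE_STP_MAC = bytes.fromhex("0180c2000000")  # IEEE STP: BPDUs sent untagged (native VLAN)
SSTP_MAC = bytes.fromhex("01000ccccccd")      # Cisco SSTP (PVST+) BPDUs, one per VLAN
LLC_STP = b"\x42\x42\x03"                        # LLC DSAP/SSAP 0x42: IEEE BPDU
SNAP_SSTP = b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b"  # SNAP, Cisco OUI, PID 0x010b: SSTP BPDU
BPDU_FMT = "!HBBBH6sIH6sHHHHH"                   # 35-byte 802.1D configuration BPDU


def mac(s: str) -> bytes:
    """'0000.0c12.3456' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def build_bpdu_frame(kind, src, root, cost, bridge, port_id=0x8001, msg_age_s=0.0,
                     max_age_s=20, hello_s=2, fwd_delay_s=15, tag_vlan=None, orig_vlan=None):
    """Build an STP frame. kind is 'ieee' or 'sstp'; root/bridge are (priority, mac-string).
    Timers are carried on the wire in units of 1/256 second."""
    bpdu = struct.pack(BPDU_FMT, 0, 0, 0, 0,                  # proto id, version, type, flags
                       root[0], mac(root[1]), cost, bridge[0], mac(bridge[1]), port_id,
                       int(msg_age_s * 256), max_age_s * 256, hello_s * 256, fwd_delay_s * 256)
    if kind == "ieee":
        dst, payload = IEEE_STP_MAC, LLC_STP + bpdu
    else:
        # SSTP BPDUs end with the Originating VLAN TLV: type 0, length 2, value = PVID
        dst, payload = SSTP_MAC, SNAP_SSTP + bpdu + struct.pack("!HHH", 0, 2, orig_vlan)
    tag = b"" if tag_vlan is None else b"\x81\x00" + struct.pack("!H", tag_vlan & 0x0FFF)
    return dst + mac(src) + tag + struct.pack("!H", len(payload)) + payload


def parse_bpdu_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode a frame into its BPDU fields. native_vlan is the PVID of the receiving
    port, i.e. the VLAN an untagged BPDU belongs to."""
    dst, off, tag_vlan = frame[0:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":                      # 802.1Q tag present
        tag_vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    off += 2                                                   # 802.3 length field
    if dst == IEEE_STP_MAC and frame[off:off + 3] == LLC_STP:
        kind, off = "ieee", off + 3
    elif dst == SSTP_MAC and frame[off:off + 8] == SNAP_SSTP:
        kind, off = "sstp", off + 8
    else:
        raise ValueError("not an STP BPDU frame")
    f = struct.unpack(BPDU_FMT, frame[off:off + 35])
    off += 35
    orig_vlan = None
    if kind == "sstp":
        tlv_type, tlv_len = struct.unpack("!HH", frame[off:off + 4])
        if tlv_type == 0 and tlv_len == 2:
            orig_vlan = struct.unpack("!H", frame[off + 4:off + 6])[0]
    wire_vlan = native_vlan if tag_vlan is None else tag_vlan
    return {
        "kind": kind,
        "root_id": (f[4], f[5].hex()),
        "root_path_cost": f[6],
        "bridge_id": (f[7], f[8].hex()),
        "port_id": f[9],
        "message_age_s": f[10] / 256,
        "max_age_s": f[11] / 256,
        "hello_s": f[12] / 256,
        "forward_delay_s": f[13] / 256,
        "tag_vlan": tag_vlan,
        "orig_vlan": orig_vlan,
        # The mismatch SSTP BPDUs exist to reveal: the VLAN the frame arrived on
        # disagrees with the VLAN the sender says it originated the BPDU for.
        "pvid_mismatch": kind == "sstp" and orig_vlan != wire_vlan,
        # A BPDU whose Message Age has reached Max Age is discarded, not used.
        "aged_out": f[10] >= f[11],
    }


def priority_vector(b: dict) -> tuple:
    """802.1D comparison order; lower is better at every position."""
    return (b["root_id"], b["root_path_cost"], b["bridge_id"], b["port_id"])


def is_superior(a: dict, b: dict) -> bool:
    """True if BPDU a carries better (lower) information than BPDU b."""
    return priority_vector(a) < priority_vector(b)
```

The untagged-SSTP-with-foreign-PVID case is the one an IEEE cloud between two Cisco switches lets through: the IEEE switch floods the frame, and the receiving Cisco switch sees a BPDU for VLAN 10 arriving on a port whose native VLAN is 1.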
When a BPDU with the TC flag set is received, the local bridge flushes the MAC addresses learned on all its non-edge ports except the one the TC arrived on, and sends BPDUs with the TC flag out its designated ports and root port; the notification spreads through the whole topology directly instead of first travelling up to the root bridge as an 802.1D TCN would -RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag in its normal BPDUs to signal topology changes. However, for interoperability with 802.1D switches, an RSTP switch processes and generates TCN BPDUs on ports where it has detected an 802.1D neighbor -When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the topology change to all of its non-edge designated ports and to its root port (excluding the port on which it was received). The switch starts the TC-while timer on each of those ports and flushes the MAC addresses learned on them. Edge ports are left alone on both counts: no TC is sent out of them and their addresses are not flushed -Compatibility with 802.1D -When a switch running RSTP learns that one of its links is connected to a switch running 802.1D (learned from the version of the received BPDU), it sends regular 802.1D STP BPDUs on that link in order to converge with the 802.1D switch -For backward compatibility with 802.1D switches, RSTP selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. If the switch receives an 802.1D BPDU after the port's migration-delay timer has expired, it assumes that it is connected to an 802.1D switch and starts using only 802.1D BPDUs. However, if the RSTP switch is using 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port. A port that has fallen back to 802.1D mode stays there until an RSTP BPDU arrives, so after the legacy device is replaced, 'clear spanning-tree detected-protocols' forces the migration check again. -When better root bridge information is received, or the root port changes, the local bridge blocks all its non-edge designated ports.
Then proposal messages are sent out of all downstream designated ports to determine which side of each link should forward and which should discard RSTP Timers -RSTP does not rely on timers for convergence; it uses the synchronization proposal/agreement handshake instead. The timers (hello, max age, forward delay) still exist and are the fallback when the far side does not answer the handshake MSTP -IEEE 802.1s Multiple Spanning-Tree Protocol -Only the Internal Spanning-Tree (IST), instance 0, carries STP information to and from each bridge. -initially, all VLANs are mapped to IST 0; separate logical instances can then be created and VLANs mapped to them -the other instances, called Multiple Spanning-Tree Instances (MSTIs), each carry a selected set of VLANs. However, their STP information is still carried only by the IST, in a special field of the MST BPDU called the M-Record, which stores the MSTI's regional root, priority, path cost and port role information. The IST is the only spanning-tree instance that sends and receives BPDUs; all other instance information is contained in M-records encapsulated within the MSTP BPDU. Because one MSTP BPDU carries the information for all instances, the number of BPDUs a switch must process to support multiple spanning-tree instances is significantly reduced. -STP runs separately for the IST and each configured MSTI. Timers can only be configured for the IST, and the MSTIs use the IST's timers -The IST can also be referred to as MSTI 0 -STP Dispute: designated port contention between two switches sharing a link. When the upstream switch receives a BPDU with the designated role bit set from the downstream bridge, it puts its port in blocking state and marks it as disputed (see STP Dispute below) -There is one IST (MSTI 0) per region; with multiple regions there are multiple ISTs, one for each region.
Within each region there is a separate Regional Root, and there is also one CIST Root connecting all the regions. Joining regions together requires the Common and Internal Spanning Tree (CIST), the single tree that links all the regions' ISTs. The CIST spans all region boundaries and one CIST Root is elected for the whole network, i.e. each region still has its own IST to manage, but all regions share the single CIST -The CIST Root is the bridge with the lowest Bridge ID among ALL regions. It can be a bridge inside a region or a boundary switch of a region. -The CIST Regional Root is the boundary switch elected in every region based on the lowest external path cost to the CIST Root (regardless of priority within the region). The external path cost counts only the links connecting the regions, not the paths internal to a region. The CIST Regional Root also becomes the root of the IST for that region. -So the switch that plays the role of CIST Regional Root is also the IST Root for that region -All MSTIs see the root port (towards the CIST Root) of the CIST Regional Root as a special Master Port connecting them to the CIST Root. This port serves as the "gateway" linking the MSTIs to other regions, and it is where all the region's MSTIs are mapped onto the CIST. -MSTIs in every region are independent: a change affecting an MSTI in one region does not affect MSTIs in other regions. This is a direct result of M-Record information never being exchanged between regions. -I.e. the CIST runs one STP instance across all MSTP regions; other than that, each region has its own IST and MSTIs that run only inside that region -An MST switch detects that a port is at the boundary of a region when it receives a legacy (802.1D) BPDU, an MST BPDU (version 3) carrying a different region identifier (configuration name, revision or VLAN-mapping digest), or an RST BPDU (version 2).
-MSTP uses RSTP as the underlying protocol for convergence and uses BPDU protocol version 3 -If MSTP is to interoperate with PVST+, design it so that the CIST Root is inside the MST region. If the CIST Root ends up in the PVST+ region, the boundary ports become PVST-simulation inconsistent and STP will not function correctly -The IST and MST instances do not use the message-age and maximum-age fields of the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism (remaining hops, 20 by default) similar to the IP time-to-live (TTL) mechanism.
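An added example for the MSTP region notes above (not code from the page or from Cisco): two switches are in the same MST region only if their configuration name, revision number and VLAN-to-instance mapping all match, and the mapping is compared as a digest carried in the MST BPDU. The block below computes that digest the way IEEE 802.1s/802.1Q defines it, HMAC-MD5 over a 4096-entry table of two-byte instance IDs with the fixed key published in the standard, from IOS-style VLAN lists; the region names and mappings in the test are made up.

```python
"""Compute the MST configuration digest that, together with the region name and
revision, identifies an MST region. Added example; the HMAC-MD5 key is the fixed
value published in IEEE 802.1s/802.1Q, not a secret."""
import hashlib
import hmac

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlan_list(spec: str) -> list:
    """'10-12,20' -> [10, 11, 12, 20], the VLAN list syntax used by 'instance N vlan ...'."""
    vlans = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.extend(range(lo, hi + 1))
        elif part:
            vlans.append(int(part))
    return vlans


def mst_config_table(instance_map: dict) -> bytes:
    """Build the 4096-entry configuration table: two bytes per VLAN ID 0..4095 holding
    the MSTI it maps to. Every VLAN not listed stays in the IST (instance 0)."""
    table = [0] * 4096
    for msti, spec in instance_map.items():
        for v in expand_vlan_list(spec):
            if not 1 <= v <= 4094:
                raise ValueError("VLAN %d out of range" % v)
            table[v] = msti
    return b"".join(i.to_bytes(2, "big") for i in table)


def mst_config_digest(instance_map: dict) -> str:
    """Upper-case hex digest as printed by 'show spanning-tree mst configuration digest'."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_map), hashlib.md5).hexdigest().upper()


def same_region(a: tuple, b: tuple) -> bool:
    """Region membership test; each side is (name, revision, {msti: vlan_list}).
    All three must match or the link between the two switches is a region boundary."""
    return a[0] == b[0] and a[1] == b[1] and mst_config_digest(a[2]) == mst_config_digest(b[2])
```

Because the digest is a keyed hash with a public key, it detects configuration drift but is not an authentication mechanism: any device that sends a BPDU with matching name, revision and digest is accepted as a member of the region. The default digest (all VLANs in instance 0) is the well-known 0xAC36177F50283CD4B83821D8AB26DE62.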
SPAN
SPAN -a session can have multiple source interfaces and/or multiple destination interfaces, but they must belong to the same session -Ingress forwarding - the destination port of a SPAN session normally does not accept any incoming traffic at all, which is what you want for a passive sensor: whatever is plugged into it cannot inject frames into the network. The 'ingress' keyword is for the case where the device on the destination port must also send traffic, e.g. a sensor that listens to the mirrored traffic and needs to take some action. If you configure the destination port with 'ingress vlan 33', untagged frames arriving on the destination port are switched into VLAN 33. "monitor session 5 destination interface Fa0/0 ingress vlan 146" means: take the untagged (native) frames coming in on the destination interface and forward them in VLAN 146. -When ingress is enabled, the SPAN destination port accepts incoming packets (tagged or untagged, depending on the specified encapsulation mode) and switches them normally. I.e. a destination port usually does nothing but emit mirrored traffic; with the "ingress" keyword, incoming untagged traffic is placed in the given VLAN and forwarded normally. This is useful where the host on the destination port is, for example, an IDS/IPS that reacts to the traffic it sees, but it also turns the sensor port into an ordinary entry point into that VLAN, so enable it only when the sensor actually has to transmit -Enter ingress with keywords to enable forwarding of incoming traffic on the destination port and to specify the encapsulation type Local SPAN -on local SPAN only, the "encapsulation replicate" keyword makes mirrored traffic keep its 802.1Q tag, because by default all mirrored traffic is sent untagged to the destination port (so a sensor cannot tell which VLAN a frame came from) -when you add the "encapsulation replicate" keywords to a destination port, these changes occur: Packets are sent on the destination port with the same encapsulation, untagged or IEEE 802.1Q, that they had on the source port.
Packets of all types, including BPDU and Layer 2 protocol packets, are monitored. RSPAN -For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. -If the RSPAN VLAN-ID is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain. For extended-range VLANs (greater than 1005), you must configure RSPAN VLAN on both source and destination switches and any intermediate switches. -"encapsulation replicate" is not supported for RSPAN. The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the destination port as untagged. ERSPAN
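An added example for the local SPAN and RSPAN notes above (not code from the page or from Cisco): it rewrites a source-port frame the way each SPAN mode delivers it, so you can see what VLAN context a sensor on the destination port is left with. The Ethernet/802.1Q header handling is real; the frames, MAC addresses and the RSPAN VLAN number are constructed for the test, and the mode names are labels chosen for this example.

```python
"""What a sensor on a SPAN or RSPAN destination port actually sees.
Added example; frames are constructed Ethernet/802.1Q headers, not captures."""
import struct

ETH_P_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag, EtherType and payload."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": struct.unpack("!H", frame[16:18])[0], "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": ethertype, "payload": frame[14:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, tagged with 802.1Q if vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def mirror(frame: bytes, mode: str, rspan_vlan: int = None) -> bytes:
    """Rewrite a source-port frame the way SPAN delivers it to the destination.
    'local'           : default local SPAN, tag stripped (VLAN context lost)
    'local-replicate' : local SPAN with 'encapsulation replicate', frame as on the source
    'rspan-transit'   : what crosses the intermediate trunks, retagged with the RSPAN VLAN
    'rspan-dest'      : the RSPAN destination port, always untagged"""
    f = parse_frame(frame)
    if mode == "local-replicate":
        return frame
    if mode == "rspan-transit":
        # the original VLAN ID is overwritten by the RSPAN VLAN ID
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=rspan_vlan)
    if mode in ("local", "rspan-dest"):
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
    raise ValueError("unknown SPAN mode %r" % mode)


def vlans_seen_by_sensor(frames, mode: str, rspan_vlan: int = None) -> list:
    """The VLAN a sensor could log for each mirrored frame; None means no VLAN context."""
    return [parse_frame(mirror(fr, mode, rspan_vlan))["vlan"] for fr in frames]
```

The practical consequence: if the sensor's alerts or flow records need the VLAN of the original traffic, a local session with "encapsulation replicate" is the only mode on this page that preserves it; RSPAN delivers everything untagged at the destination no matter how it was tagged at the source.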
STP Assurance
STP Assurance -Bridge Assurance is enabled by default and can only be disabled globally (on devices that support it). It is active only on spanning-tree "network" ports that are point-to-point links, and both ends of the link must have Bridge Assurance enabled: if the device on one side has it enabled and the device on the other side either does not support it or does not have it enabled, the port on the enabled side is blocked. -With Bridge Assurance enabled, BPDUs are sent out on all operational network ports, including alternate and backup ports, every hello time. If a port does not receive a BPDU for a specified period, it moves into the BA-inconsistent state (blocking) and is not used in the root port calculation. Once the port receives a BPDU again, it resumes the normal spanning-tree transitions. -The point is to invert the classic STP assumption: without Bridge Assurance, "no BPDU received" means it is safe to forward, which is exactly what lets a unidirectional link or a neighbor that silently drops BPDUs open a loop; with it, an inter-switch link is trusted only while the neighbor keeps proving that it runs spanning tree. -Bridge Assurance is only supported by Rapid PVST+ and MST. -Supported on Nexus 5k/7k switches; check the global state with 'show spanning-tree summary' and the affected ports with 'show spanning-tree inconsistentports'.
STP Dispute
STP Dispute -Occurs when the two switches sharing a link both claim the designated role on that link, i.e. both send BPDUs with the designated role bit set -The usual causes are an STP or EtherChannel misconfiguration, or a unidirectional link -Cisco's MST and Rapid PVST+ implementations detect this condition (the dispute mechanism itself comes from IEEE 802.1D-2004) by comparing the downstream port state reported in the received BPDUs with what the upstream switch is sending. If the upstream switch sends superior root bridge information (including its cost to the root bridge) to the downstream bridge but keeps receiving BPDUs from it with the designated role bit set and the learning/forwarding flags on, the upstream switch concludes that the downstream switch does not hear its BPDUs. It then blocks its own port towards the downstream switch and marks it as disputed, which prevents the loop that would form if both ends forwarded. Because the decision is taken by the side that still receives BPDUs, it works without UDLD, but only against neighbors that send their own BPDUs every hello, i.e. RSTP or MST neighbors.
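An added example for the Bridge Assurance and STP Dispute notes above (not code from the page or from Cisco): it decodes the RSTP BPDU flags byte, applies the dispute test (my port is designated, the neighbor's BPDU is inferior yet still claims the designated role while learning or forwarding) and a Bridge Assurance style check that blocks a network port once BPDUs stop arriving. The BPDU records and bridge IDs are constructed, and the three-hello Bridge Assurance threshold is an assumption made for this example.

```python
"""Decode RSTP BPDU flags and apply two consistency checks: STP dispute and
Bridge Assurance. Added example; the BPDU records below are constructed."""
from dataclasses import dataclass

# RSTP flags byte (IEEE 802.1D-2004, 9.3.3): bit 0 TC, bit 1 proposal,
# bits 2-3 port role, bit 4 learning, bit 5 forwarding, bit 6 agreement, bit 7 TCA
TC, PROPOSAL, LEARNING, FORWARDING, AGREEMENT, TCA = 0x01, 0x02, 0x10, 0x20, 0x40, 0x80
ROLE_MASK = 0x0C
ROLES = {0x00: "unknown", 0x04: "alternate/backup", 0x08: "root", 0x0C: "designated"}


def decode_flags(flags: int) -> dict:
    """Split the flags byte into named fields."""
    return {"tc": bool(flags & TC), "proposal": bool(flags & PROPOSAL),
            "role": ROLES[flags & ROLE_MASK], "learning": bool(flags & LEARNING),
            "forwarding": bool(flags & FORWARDING), "agreement": bool(flags & AGREEMENT),
            "tca": bool(flags & TCA)}


@dataclass(frozen=True)
class Bpdu:
    root_id: int     # priority << 48 | root MAC as an int; lower is better
    cost: int        # root path cost
    bridge_id: int   # sending bridge, same encoding as root_id
    port_id: int     # sending port priority/number
    flags: int

    def vector(self) -> tuple:
        """Priority vector in 802.1D comparison order."""
        return (self.root_id, self.cost, self.bridge_id, self.port_id)


def is_dispute(mine: Bpdu, received: Bpdu) -> bool:
    """Designated-port dispute: I send the better information on this link, yet the
    neighbor answers with an inferior BPDU that still claims the designated role and
    is learning or forwarding. The neighbor is not hearing my BPDUs (unidirectional
    link or misconfiguration), so my port must be blocked and marked disputed."""
    f = decode_flags(received.flags)
    inferior = received.vector() > mine.vector()
    return inferior and f["role"] == "designated" and (f["learning"] or f["forwarding"])


def bridge_assurance(last_bpdu_rx_s: float, now_s: float,
                     hello_s: float = 2.0, missed_hellos: int = 3) -> str:
    """Bridge Assurance on a point-to-point network port: the port must keep hearing
    BPDUs every hello. After `missed_hellos` hello times with nothing received it is
    put into the BA-inconsistent (blocking) state; it recovers as soon as BPDUs resume.
    The three-hello threshold is an assumption for this example."""
    return "BA-inconsistent" if now_s - last_bpdu_rx_s > missed_hellos * hello_s else "ok"
```

Note the two checks cover complementary failures: the dispute test fires while BPDUs are still arriving but say the wrong thing, Bridge Assurance fires when they stop arriving altogether.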
Describe chassis virtualization and aggregation technologies
Switch Aggregation -Multichassis EtherChannel (MEC): two physically separate switches (not a StackWise stack) are linked together and managed as one logical switch. A downstream switch then builds a single EtherChannel with member links going to both upstream switches, and sees only one logical neighbor -e.g. an aggregated core pair can connect down to stacked distribution switches, so the core and distribution layers appear as just two logical switches instead of many physical ones VSS (Virtual Switching System) -A VSS combines a pair of Catalyst 6500 series switches into a single network element. The VSS manages the redundant links, which externally act as a single port channel. -When you create or restart a VSS, the peer chassis negotiate their roles: one chassis becomes the VSS active chassis and the other the VSS standby. -The virtual switch link (VSL) is a special link that carries control and data traffic between the two chassis of a VSS -Both the VSS active and the VSS standby chassis forward ingress data traffic on their locally hosted interfaces. However, the VSS standby chassis sends all control traffic to the VSS active chassis for processing. -The VSS supports a maximum of 512 Multichassis EtherChannels. -In a VSS, supervisor engine redundancy operates between the VSS active and VSS standby chassis using stateful switchover (SSO) and nonstop forwarding (NSF), which maintain the state of the VSS pair. -The VSS active supervisor engine acts as the single point of control for the VSS.
Alternatives to STP -Multi-Chassis Link Aggregation (MLAG) -Shortest Path Bridging (SPB, IEEE 802.1aq) -TRILL (Transparent Interconnection of Lots of Links) -VXLAN StackWise -Individual switches join to form a single switching unit with a 32-Gbps switching stack interconnect. -Up to nine switches can be joined in one stack -Switches can be added to and removed from a working stack without affecting stack performance. -StackWise uses source stripping (a frame travels the whole stack ring and is removed by the switch that put it on); StackWise Plus uses destination stripping (the destination switch removes it), which frees ring bandwidth -StackWise Plus can also switch traffic locally between ports on the same stack member instead of putting it on the ring
Unidirectional Link Detection
UDLD -UDLD is a Cisco-proprietary Layer 2 protocol (documented as an informational RFC, RFC 5171) -On a point-to-point link, if one direction fails at Layer 1 or one side stops receiving for any other reason, the BPDUs from that side no longer reach the neighbor. If the neighbor's port was in STP blocking state, it moves to forwarding once Max Age expires, because it no longer hears BPDUs. This creates a Layer 2 loop; it is the same failure that Bridge Assurance and the dispute mechanism are designed to catch from the STP side -UDLD can run on both copper Ethernet and fiber links, but is usually deployed on fiber, which is more prone to unidirectional failures: each strand carries light in one direction only, so a link has a separate transmit and receive strand and one can fail, or be miswired, while the other still works -Each UDLD-enabled port sends UDLD packets (echo/probe) that contain the port's own device ID and port ID plus the device/port IDs of the neighbors UDLD has seen on that port. A port expects to see its own device/port ID echoed back in the packets it receives from the other side. -If a port does not see its own device/port ID in the incoming UDLD packets for a specific duration, the link is considered unidirectional. In aggressive mode the port is then err-disabled after repeated probes go unanswered; in normal mode a timed-out neighbor only leaves the port in the undetermined state and only a positively detected unidirectional link (e.g. miswired fiber strands) is err-disabled. Verify with 'show udld neighbors' and 'show udld <interface>'.
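An added example for the UDLD notes above (not code from the page or from Cisco): it simulates the echo exchange between two ports on a link whose two directions can fail independently, and shows which side declares the link unidirectional. The probe format is a simplified stand-in for the real UDLD TLVs, the device and port names are made up, and the 15 s message interval and 45 s hold time are illustrative values chosen for the simulation.

```python
"""Simulate UDLD echo detection on a point-to-point link.
Added example: the probe format is a simplified stand-in for the real UDLD TLVs,
and the interval/hold time used by run_link() are illustrative, not Cisco defaults."""
from dataclasses import dataclass, field


@dataclass
class UdldPort:
    device_id: str
    port_id: str
    seen: set = field(default_factory=set)   # neighbor (device, port) IDs heard here
    first_heard: float = None                 # first time any neighbor probe arrived
    last_echo_of_me: float = None             # last time a neighbor echoed my own ID
    state: str = "undetermined"

    @property
    def me(self) -> tuple:
        return (self.device_id, self.port_id)

    def make_probe(self) -> dict:
        """A probe carries my own ID plus every neighbor ID I have heard on this port,
        so the neighbor can verify that I am hearing it."""
        return {"sender": self.me, "echo": sorted(self.seen)}

    def receive(self, probe: dict, now: float) -> None:
        if self.first_heard is None:
            self.first_heard = now
        self.seen.add(probe["sender"])
        if self.me in probe["echo"]:
            # The neighbor lists me: it hears my probes and I hear its -> both ways work.
            self.last_echo_of_me = now
            self.state = "bidirectional"

    def check(self, now: float, hold_time: float) -> str:
        """I hear the neighbor, but it has not echoed my ID within the hold time:
        my transmit direction is dead while my receive direction works."""
        reference = self.last_echo_of_me if self.last_echo_of_me is not None else self.first_heard
        if self.seen and now - reference > hold_time:
            self.state = "unidirectional"
        return self.state


def run_link(a_to_b_ok: bool, b_to_a_ok: bool, interval: float = 15,
             hold_time: float = 45, duration: float = 120) -> tuple:
    """Exchange probes every `interval` seconds over a link whose directions may be
    broken and return the final (state_a, state_b)."""
    a = UdldPort("SwitchA", "Gi1/0/1")
    b = UdldPort("SwitchB", "Gi1/0/2")
    t = 0
    while t <= duration:
        probe_a, probe_b = a.make_probe(), b.make_probe()
        if a_to_b_ok:
            b.receive(probe_a, t)
        if b_to_a_ok:
            a.receive(probe_b, t)
        a.check(t, hold_time)
        b.check(t, hold_time)
        t += interval
    return a.state, b.state
```

The asymmetry in the results is the point: the side whose transmit strand is dead is the one that detects it, because it still receives the neighbor's probes and can see that its own ID is missing from them, while the side that hears nothing at all never gets past undetermined.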
Normal, Extended VLAN, Voice VLAN
VLAN -Range 1-4094 -VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005), i.e. you cannot configure extended VLANs on a VTPv1/VTPv2 server or client -VLANs 1002-1005 are reserved for Token Ring and FDDI -Extended-range VLANs (1006 to 4094) are supported in VTP only with version 3 -If you enter an extended-range VLAN ID that is already in use as an internal VLAN (allocated by the switch for routed ports and similar uses; see 'show vlan internal usage'), an error message is generated and the extended-range VLAN is rejected. Extended VLANs -are not stored in the vlan.dat VLAN database but in the running-config, so they survive a reload only after 'copy running-config startup-config' -only work with VTPv3, or in transparent mode for VTPv1/v2 Voice VLANs -The phone sends voice traffic with a Layer 3 IP precedence and a Layer 2 class of service (CoS) value that are both 5 by default; VoIP control (signaling) traffic is marked 3 by default. -Whether the switch honors these QoS markings depends on the port's trust state. By default switch ports are untrusted, i.e. they do not trust the QoS markings of incoming packets. 'auto qos voip trust' configures the port to trust the markings received from the phone -Alternatively, trust VoIP markings with the interface command "mls qos trust cos". To use this command, QoS must first be enabled globally with "mls qos" -Voice VLAN configuration is supported only on access ports, not on trunk ports. -PortFast is automatically enabled on an interface configured with "switchport voice vlan ...", i.e. configuring a voice VLAN on an interface enables PortFast as well -dot1p: the phone uses IEEE 802.1p priority tagging for voice traffic and the default native VLAN (VLAN 0) to carry all traffic.
By default, the Cisco IP Phone forwards voice traffic with an IEEE 802.1p priority of 5. Cisco voice interface configuration: "switchport voice vlan ..." with -none: the phone uses its own configuration to send untagged voice traffic. -untagged: the phone sends untagged voice traffic. -The switch can also tell the phone what to do with the priority-tagged traffic coming from the phone's PC port: either trust the PC's markings, "switchport priority extend trust", or distrust them and overwrite the CoS value, "switchport priority extend cos [0-7]" DTP -DTP negotiates trunking for 802.1Q or ISL -To autonegotiate trunking, the interfaces must be in the same VTP domain. -DTP is a point-to-point protocol -To trunk to a device that does not support DTP, use the "switchport mode trunk" and "switchport nonegotiate" interface commands so the interface becomes a trunk without generating DTP frames. -"switchport nonegotiate" is therefore also how you disable DTP on an interface. On ports that face end hosts, combine it with "switchport mode access" so the port can never be negotiated into a trunk by whatever is plugged in, and verify with "show interfaces switchport" and "show dtp interface". -You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation, or let the encapsulation type be autonegotiated; DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. -DTP can negotiate both the mode (trunk or access) and the trunking encapsulation (802.1Q or ISL)
VTP
VTP -propagates VLAN configuration across a VTP domain; VTP advertisements are sent only over trunk ports -VTP Pruning: a switch stops flooding the broadcast, multicast and unknown-unicast traffic of a VLAN out a trunk when the neighbor on that trunk has signaled, with VTP join messages, that it has no active ports in that VLAN -When VTP pruning is enabled on a VTP server, pruning is enabled for the entire management domain. -VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs greater than 1005) are also pruning-ineligible. VTPv3 -Configurable per port instead of only globally -Support for the MST database -In addition to the three well-known roles, client, server and transparent, a fourth role called "off" is available -As with both earlier VTP versions, pruning is available with VTP version 3 for the first 1k VLANs except VLAN 1. -With VTP version 3, adding a switch to the domain poses no threat of an unintended update, since only the switch in VTP primary server mode is able to update the domain (with versions 1 and 2, any server or client carrying a higher configuration revision number for the same domain name and password overwrites the VLAN database of the whole domain). A former primary server that is reconnected to the domain after a reload automatically reverts to secondary server mode. -VTPv3 interoperates with VTP version 2 but not with VTP version 1. -After receiving VTP version 2 advertisements, a VTP version 3 device sends, on a per-port basis and in addition to the VTP version 3 messages, a VTP version 2-compatible database or message out of the link it received them on. This behavior continues as long as VTP version 2 messages are being received. -Support for MST: MST has a table mapping VLANs to the 64 available instances, and VTP version 3 can distribute this table. Two TLVs carry the MST table: one holds the configuration name and revision number, which lets receiving devices check whether the information corresponds to their local configuration; the other carries the VLAN or VLAN-group to MST instance mapping.
-To use VTP version 3 for MST, the role has to be changed from transparent to server, and the device where the configuration will be changed must be promoted to primary server for the MST database ("vtp primary mst"). -VTP version 2 supports Token Ring VLANs; version 1 does not. -In VTP version 2, a switch in transparent mode forwards VTP advertisements without checking the domain name or version; in VTP version 1, a transparent-mode switch forwards them only if the domain name (and version) match its own. EtherChannel -For LACP, an EtherChannel can have up to 16 ports, 8 active and 8 in hot standby -For PAgP, the maximum is 8 ports, all active -EtherChannel misconfiguration guard ("spanning-tree etherchannel guard misconfig"): detects that the local ports are configured as an EtherChannel while the remote side's ports are not bundled, or are bundled differently, a situation that would otherwise create a loop; when it is detected, the local ports are placed in the err-disabled state. I.e. it protects against EtherChannels whose two ends do not match
