10/14/03
12:31 PM
Page i
BCMSN
Richard A. Deal
Publisher: Paul Boger
Executive Editor: Jeff Riley
Acquisitions Editor: Carol Ackerman
Development Editor: Michael Watson
Managing Editor: Charlotte Clapp
Project Editor: Tonya Simpson
Copy Editor: Mike Henry
Indexer: Tom Dinse
Proofreader: Wendy Ott
Technical Editors: Michelle Plumb, Jacob Beach, Joshua Saul, Jeremy Cioara
Team Coordinator: Pamalee Nelson
Multimedia Developer: Dan Scherf
Page Layout: Ron Wise
Trademarks
All terms mentioned in this book that are known to be trademarks or
service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this
book should not be regarded as affecting the validity of any trademark
or service mark.
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered
in quantity for bulk purchases or special sales. For more information,
please contact
U.S. Corporate and Government Sales
1-800-382-3419
corpsales@pearsontechgroup.com
Key terms and concepts for the topic, notes, exam alerts and tips
CCNP BSCI Exam Cram 2, Exam 642-801 (ISBN: 0789730170, $29.99)
CCNP CIT Exam Cram 2, Exam 642-831 (ISBN: 0789730219, $29.99)
CCNP BCRAN Exam Cram 2, Exam 642-821 (ISBN: 0789730200, $29.99)
www.examcram2.com
Acknowledgments
This book would not have been possible without the support of my wife
Natalie. A book of this size is very time-consuming, especially when you have
to balance a book, a job, and, most importantly, a new baby on the way. My
wife provided endless encouragement to keep me writing when I was pressed
to meet deadlines for the book.
A special thanks to the team at Que Publishing, especially the book's editors,
Carol Ackerman, Michael Watson, Tonya Simpson, and Mike Henry, and
technical editors, Michelle Plum, Jacob Beach, Joshua Saul, and Jeremy
Cioara.
Best wishes to all! And cheers!
Richard A. Deal
Table of Contents
Introduction ......................................................................xx
Self-Assessment .............................................................xxvii
Chapter 1
Cisco Certification Exams ......................................................1
The Exam Situation 2
Exam Layout and Design 4
Exam-Taking Techniques 6
Question-Handling Strategies 7
Mastering the Inner Game 8
Additional Resources 9
Chapter 2
Designing Switched Networks ...............................................11
Network Design 12
AVVID 12
Network Model 13
Enterprise Model 16
Devices, Media Types, and Switching Roles 19
Devices 19
Media Types 22
Switching Roles 26
Introduction to the Command-Line Interface 29
CatOS and IOS Comparison 30
Configuration Introduction 31
Troubleshooting 35
Converting CatOS to IOS 36
Switch Fabric Module 37
Summary 39
Exam Prep Questions 40
Need to Know More? 43
Chapter 3
VLANs, Trunks, and VTP ......................................................45
Virtual LANs 46
Advantages of VLANs 46
VLAN Implementations 48
VLAN Assignment 51
Trunks 56
Frame Tagging 56
Protocols 58
Dynamic Trunk Protocol 64
Configuring ISL and 802.1Q Trunks 66
Verifying Your Trunk Configuration 66
Troubleshooting Trunk Connections 68
VLAN Trunk Protocol 68
VTP Advantages 68
Management Domain 69
VTP Modes 69
VTP Messages 70
VTP Versions 72
VTP Pruning 73
Configuring VTP Domains 75
Verifying Your Configuration 75
Troubleshooting VTP Problems 76
Summary 76
Exam Prep Questions 78
Need to Know More? 82
Chapter 4
Spanning Tree Protocol .......................................................83
Transparent Bridging 84
Forwarding and Filtering 84
Learning 85
Loops 85
STP Introduction 86
Bridge Protocol Data Unit 86
STP Advantages 87
STP Components and Operation 87
Running the STP Algorithm 89
Root Switch Election Process 89
Selection of Root Ports 90
Designated Switches and Designated Ports 91
Bridging Loops 92
Port States 92
Convergence Issues 93
Transition of Port States 93
Spanning Trees 94
CST 95
PVST 96
PVST+ 97
Configuring and Verifying STP 97
Enabling and Disabling STP 97
Selecting the Root Switch 98
Influencing Path Selections 98
Verification of STP 100
Summary 101
Exam Prep Questions 102
Need to Know More? 105
Chapter 5
Enhancements to STP .......................................................107
Cisco Enhancements to STP 108
PortFast 108
UplinkFast 110
BackboneFast 112
Rapid STP 115
BPDUs 115
Port States 116
Port Roles 117
Convergence Features 117
Multiple Spanning Tree 120
MST Advantages and Disadvantages 121
Regions 121
Internal Spanning Tree 122
MST Configuration and Verification 123
EtherChannels 125
Operation of EtherChannels 125
Port Aggregation Protocol and Link Aggregation Control Protocol 125
Configuring EtherChannels 127
Other STP Enhancement Features 131
BPDU Skewing 131
Root Guard 132
Unidirectional Link Detection 134
Loop Guard 135
Additional Troubleshooting Tips and Tools 137
Summary 140
Exam Prep Questions 142
Need to Know More? 146
Chapter 6
Multilayer Switching ........................................................147
Routing Considerations 148
Client End Station Issues 149
Route Processor Issues 150
Configuring Routing Between VLANs 150
Configuring an Internal RP 151
Configuring an External RP 154
Verifying Your Routing Configuration 157
MLS Overview 158
Switching Architectures 159
MLS Implementation 162
Rewriting Frame and Packet Contents 163
Routable and Nonroutable Traffic 164
Address Tables 165
MLS Using CEF 166
CEF Limitations 167
CEF Tables 167
CEF Operation 168
Load Balancing 169
CEF Example 169
CEF Configuration 171
CEF Verification 172
CEF Troubleshooting 173
Summary 174
Exam Prep Questions 175
Need to Know More? 178
Chapter 7
Availability and Redundancy ...............................................179
Introduction to Availability and Redundancy 180
Component Redundancy 181
Chassis Redundancy 183
Hardware Redundancy 183
Power Supplies 184
Supervisor Engines 185
Layer 2 Redundancy 189
Uplink Interfaces 190
Switch Redundancy 191
Chapter 8
Multicasts .....................................................................217
Overview of Traffic Types 218
Unicasts 218
Broadcasts 219
Multicasts 219
Multicast Addressing 220
Client Registration 222
Overview 222
IGMPv1 223
IGMPv2 225
IGMPv3 227
Multicast Routing 229
Overview of Routing Multicast Traffic 229
Multicast Distribution Trees 229
Shared Distribution Tree 230
Source-Based Distribution Tree 231
Multicast Routing Protocols 231
Dense Mode Routing Protocols 232
Sparse Mode Routing Protocols 232
Protocol Independent Multicast 234
Multicasting and Switches 236
Controlling Multicast Traffic 236
IGMP Snooping 237
Cisco Group Management Protocol 237
Configuring Your RPs 238
Basic PIM Configuration 238
Designated Routers 239
Configuring Rendezvous Points 240
Configuring PIMv2 242
Configuring CGMP 243
Verifying Your Multicast Configuration 244
Summary 245
Exam Prep Questions 247
Need to Know More? 251
Chapter 9
Quality of Service ............................................................253
Voice and Telephony 254
Key Services 255
Bandwidth 256
Power 257
Auxiliary VLANs 258
Good Design Practices 258
QoS Issues and Architectures 258
Problems 259
QoS Solutions 261
QoS Architectures 262
QoS Implementation 264
Classification and Marking of QoS 264
Managing Congestion with Queuing 266
Avoiding Congestion 270
Conditioning Traffic 272
Increasing Link Efficiency 273
Campus QoS 274
QoS Configuration and Verification 275
Modular QoS CLI 275
Queuing Methods 280
Congestion Avoidance Methods: WRED 287
debug Commands 288
Summary 289
Exam Prep Questions 290
Need to Know More? 293
Chapter 10
MLS Optimization and Security ............................................295
Performance 296
Switched Port Analyzer 296
Network Analysis Module 301
Securing Your Switch 306
What to Secure 306
Authentication, Authorization, and Accounting 308
Security for Your Network 312
Basic Port Security 313
Chapter 11
Metro Ethernet ................................................................331
Layer 1 and Layer 2 332
Cisco Metro Solutions 332
Services 333
Delivery Mechanisms 338
802.1Q Tunneling 342
Overview 343
Tag Stacking: Q-in-Q Tunneling 344
Q-in-Q Versus 802.1Q 348
Ethernet over MPLS 348
Overview 349
Process 349
Protocol Labeling 350
Connection Types 352
Summary 353
Exam Prep Questions 354
Need to Know More? 357
Chapter 12
Sample Test 1 ................................................................359
Questions, Questions, Questions 359
Picking Proper Answers 360
Decoding Ambiguity 361
Working Within the Framework 361
Deciding What to Memorize 362
Preparing for the Test 363
Taking the Test 363
Chapter 13
Answer Key 1 ..................................................................385
Chapter 14
Sample Test 2 ................................................................401
Chapter 15
Answer Key 2 .................................................................421
Appendix A
What's on the CD-ROM ......................................................439
The PrepLogic Practice Exams, Preview Edition Software 439
An Exclusive Electronic Version of the Text 440
Appendix B
Using the PrepLogic Practice Exams, Preview Edition Software .....441
The Exam Simulation 441
Question Quality 442
The Interface Design 442
The Effective Learning Environment 442
Software Requirements 442
Installing PrepLogic Practice Exams, Preview Edition 443
Removing PrepLogic Practice Exams, Preview Edition from Your Computer 443
How to Use the Software 444
Starting a Practice Exam Mode Session 444
Starting a Flash Review Mode Session 445
Standard PrepLogic Practice Exams, Preview Edition Options 445
Seeing Time Remaining 446
Getting Your Examination Score Report 446
Reviewing Your Exam 446
Contacting PrepLogic 447
Customer Service 447
Product Suggestions and Comments 447
License Agreement 447
Glossary .......................................................................449
Index ............................................................................471
E-mail: feedback@quepublishing.com
Mail:
Jeff Riley
Executive Editor
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA
For more information about this book or another Que Publishing title, visit
our Web site at www.examcram2.com. Type the ISBN (excluding hyphens) or the
title of a book in the Search field to find the page you're looking for.
Introduction
Welcome to BCMSN Exam Cram 2 (642-811). This book is intended to prepare you to take and pass the Cisco BCMSN Certification Exam 642-811, as
administered by both the Prometric and Pearson VUE testing organizations.
This introduction explains Cisco's BCMSN certification program in general
and talks about how the Exam Cram 2 series can help you prepare for that
certification exam. You can learn more about Prometric by visiting its Web
site at www.prometric.com, and you can learn more about Pearson VUE by
visiting its Web site at www.vue.com.
Exam Cram 2 books help you understand and appreciate the subjects and
materials you need to pass certification exams. Exam Cram 2 books are aimed
strictly at test preparation and review. They do not teach you everything you
need to know about a topic. Instead, the series presents and dissects the questions and problems that you're likely to encounter on a test. In preparing this
book, we've worked from preparation guides and tests and from a battery of
third-party test-preparation tools. The aim of the Exam Cram 2 series is to
bring together as much information as possible about the certification exams.
Nevertheless, to completely prepare yourself for any test, we recommend
that you begin by taking the self-assessment immediately following this
introduction. This tool will help you evaluate your knowledge base against
the requirements for the Cisco BCMSN exam under both ideal and real
circumstances.
Based on what you learn from that exercise, you might decide to begin your
studies with some classroom training or to pick up and read one of the many
study guides available from third-party vendors, including Que
Certifications Training Guide series. We also strongly recommend that you
spend as much time as feasible configuring, optimizing, and monitoring
within the Cisco IOS as well as deploying the various BCMSN switching features in a real-world or test environment on actual Cisco switching devices.
Network Associate (CCNA) certification and are preparing for the Cisco
BCMSN 642-811 examination.
Your job or work involves working in and around the Internet or internetworks, offering you experience and a basic working knowledge of scalable routing technologies.
Your job or work carries some specific networking considerations with it,
CCNP: The Cisco Certified Network Professional (CCNP) certification
confirms advanced or journeyman knowledge of networking. This certification requires you to pass two or four exams. For more information on
the CCNP certification, see http://cisco.com/en/US/learning/le3/le2/le37/
le10/learning_certification_type_home.html.
CCIP: The Cisco Certified Internetwork Professional (CCIP) certifica-
number. Citizens of other nations can use their taxpayer IDs or make
other arrangements with the order taker.
The name and number of the exam you want to take. For this book, the
you want to pay by check or another means, you have to obtain the necessary information from the Prometric or Pearson VUE representative
with whom you speak.
techniques you must learn and understand before you can be fully conversant with that chapter's subject matter. Following the hotlists are one
or two introductory paragraphs to set the stage for the rest of the chapter.
Topical coverage: After the opening hotlists, each chapter covers a series of
at least four topics related to the chapter's subject title. Throughout this
section, topics or concepts likely to appear on a test are highlighted in a
special Exam Alert layout, like this:
This is what an Exam Alert looks like. An Exam Alert normally stresses concepts,
terms, software, or activities that are likely to relate to one or more certification test
questions. For that reason, any information found offset in an Exam Alert is worthy
of unusual attentiveness on your part.
Pay close attention to material flagged as an Exam Alert; although all the
information in this book pertains to what you need to know to pass the
exam, we flag certain items that are really important. You'll find what
appears in the meat of each chapter to be worth knowing, too, when
preparing for the test.
Because this book's material is very condensed, we recommend that you
use this book along with other resources to achieve the maximum benefit.
Practice questions: Although test questions and topics are discussed
throughout each chapter, the Exam Prep Questions section at the end
of each chapter presents a series of mock test questions and explanations
of both correct and incorrect answers.
Details and resources: Every chapter ends with a section titled Need to
The bulk of the book follows this chapter structure slavishly, but there are a
few other elements we'd like to point out. Chapters 12 and 14 each contain
an entire sample test that provides a good review of the material presented
throughout the book to ensure you're ready for the exam. Chapters 13 and
15 contain the corresponding answer keys to the sample test chapters that
precede them. Additionally, you'll find appendixes at the back of the book
that include the following information:
An explanation of what's on the CD (Appendix A)
An explanation of how to use the software on the CD (Appendix B)
A glossary that explains terms
An index you can use to track down terms as they appear in the text
Finally, the tear-out cram sheet attached next to the inside front cover of this
Exam Cram 2 book represents a condensed and compiled collection of facts,
tricks, and tips that we think you should memorize before taking the test.
You might even want to look at it in the car or in the lobby of the testing center just before you walk in to take the test.
Typographic Conventions
In this book, configuration settings and script fragments are typeset in a
monospaced font, as in the following example:
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 192.168.1.0
Switch(config-router)# network 192.168.2.0
Switch(config-router)# exit
Switch(config)# vlan 1
Switch(config)# vlan 2
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# copy running-config startup-config
This notation will be consistent with the exact syntax and structure of the
Cisco IOS on Cisco switches.
Self-Assessment
However, be keenly aware that it takes time, involves some expense, and
requires real effort to get through this process.
Thousands of IT professionals already hold Cisco networking certifications,
so it is an eminently attainable goal. You can get all the real-world motivation you need from knowing that many others have gone down a similar path
before you, so you should be able to follow in their footsteps. If you're willing to approach the process seriously and do what it takes to obtain the necessary experience and knowledge, you can take, and pass, the BCMSN
exam. In fact, we have designed our Exam Cram 2 books to make it as easy
on you as possible to prepare for these exams. But prepare you must!
The BCMSN exam is often the first test taken on the path to CCNP, CCIP,
and CCDP certifications. These professional certifications generally endorse
an individual's networking skills at the mid-career level. Many BCMSN candidates already hold positions such as help-desk support, field technician,
systems administrator, network administrator, or technical trainer. As a
BCMSN exam candidate, you should already have knowledge of networking
at the small-office, home-office (SOHO) level as well as have the ability to
operate in a small business or organization with networks of fewer than 100
nodes. You also should presently be able to install and configure Cisco
routers in multiprotocol internetworks using LAN and WAN interfaces as
well as Cisco switches in small environments. In addition, you should be confident providing Level 1 troubleshooting support as well as optimizing network security and performance.
Fundamentally, this all boils down to about a bachelor's degree in computer
science with a strong focus on networking, plus at least two years of experience
working in a position involving network design, installation, configuration,
maintenance, and/or security. We believe that fewer than half of all certification candidates meet these requirements and that, in fact, most meet less than
half of these requirements, at least when they begin the certification process.
But because so many other IT professionals who already have been certified in
networking topics have survived this ordeal, you can survive it, too, especially
if you heed what our self-assessment can tell you about what you already know
and what you need to learn.
Before you begin this process, take this simple four-step walk-through to validate your readiness for the BCMSN exam:
1. Do you have a current CCNA certification (requires renewal every 3
and find out how you can recertify for your CCNA or take
the 640-801 exam (or both the 640-821 and 640-811 exams) for the first
time to achieve this certification.
www.cisco.com
Cisco also maintains a list of pointers to training venues on its Web site. Visit
http://cisco.com/en/US/learning/le31/learning_learning_resources_
home.html.
Hands-on Experience
An important key to success on the BCMSN exam lies in obtaining hands-on
experience, especially with the Cisco IOS in the LAN and WAN environments. There is simply no substitute for time spent installing, configuring,
troubleshooting, securing, and optimizing a Cisco router and switch. If you
cannot afford your own equipment or lack the access at work, you can check
with companies on the Internet that rent router time. Some even provide
written labs specific to the BCMSN exam. Even www.ebay.com has many hardware packages at auction that you can bid on.
You can download objectives, practice exams, and other data about Cisco exams
from the official BCMSN Exam Web page at www.cisco.com/warp/public/10/
wwtraining/certprog/testing/current_exams/642-811.html.
For any given subject, consider taking a class if you've tackled self-study
materials, taken the test, and failed anyway. The opportunity to interact with
an instructor and fellow students can make all the difference in the world, if
you can afford that privilege.
When it comes to assessing your test-readiness, there's no better way than to take
a good-quality practice exam and pass with a score of 85% or better. When we're
preparing ourselves, we shoot for more than 90%, just to leave room for the
weirdness factor that sometimes depresses exam scores when taking the real
thing. The passing score on BCMSN is 85% or higher; that's why we recommend
shooting for 90%: to leave some margin for the impact of stress when taking the
real thing.
Chapter 1
Cisco Certification Exams
No matter how well prepared you might be, exam taking is not something
that most people look forward to. In most cases, familiarity helps relieve test
anxiety. You probably won't be as nervous when you take your second or
third Cisco certification exam as you'll be when you take your first one.
Whether it's your second exam or your tenth, understanding the finer points
of exam taking (how much time to spend on questions, the setting you'll be
in, and so on) and the exam software will help you concentrate on the questions at hand rather than on the surroundings. Likewise, mastering some
basic exam-taking skills should help you recognize, and perhaps even outsmart, some of the tricks and traps that you're bound to find in several of
the exam questions.
This chapter, in addition to explaining the Cisco BCMSN exam environment and software, describes some proven exam-taking strategies that you
should be able to use to your advantage.
front of the computer and enter either your Social Security number or Cisco
identification number. At the beginning of each test is a tutorial that you can
go through if you're unfamiliar with the testing environment.
All Cisco certification exams allow a predetermined, maximum amount of
time in which to complete your work. This time is indicated on the exam by
an onscreen counter/clock in the upper-right corner of the screen, so you can
check the time remaining whenever you like. All exams are computer generated and use primarily a multiple-choice format with 25 simulation questions. These simulation questions test your real-world experience in the
actual Cisco interface. You'll be required to submit the proper series of commands to accomplish a particular configuration based on the given scenario
or diagram. You'll also encounter questions that demand a fill-in-the-blank
answer that represents the proper Cisco command. The Cisco BCMSN
exam consists of 60-70 randomly selected questions from a pool of several
hundred questions. You can take up to 75 minutes to complete the exam.
Although that might sound quite simple, the questions are formulated to
thoroughly check your mastery of the material. Cisco exam questions are
also very adept at testing you on more than one area of knowledge with a single question; for example, testing your knowledge of the command syntax as
well as the proper command mode. You'll often be asked to provide more
than one answer to a question. Likewise, you might be asked to select the
best or most effective solution to a problem from a range of choices, all of
which are technically correct. Taking the exam is quite an adventure, and it
involves real thinking as well as skill and the ability to manage your time.
This book shows you what to expect and how to deal with the potential problems, puzzles, and predicaments you are likely to encounter.
When you complete a Cisco certification exam, the software will tell you
whether you've passed or failed. The results are then broken down into several main objectives or domain areas. You'll be shown the percentage that
you got correct for each individual domain. Even if you fail, you should ask
for (and keep) the detailed report that the test proctor prints for you. You can
use this report to help you prepare for another go-round, if necessary. If you
need to retake an exam, you'll have to schedule a new test with Prometric or
VUE and pay for another exam. Keep in mind that because the questions
come from a pool, you'll receive different questions the second time around.
Cisco also has a retake policy, which is that you must wait 72 hours between
exam attempts.
In the following section, you'll learn more about how Cisco test questions
look and how they must be answered.
Question 1
When MLS rewrites frames in hardware, which of the following information is
not changed?
A. Source IP address
B. Destination MAC address
C. MAC frame's CRC
D. IP TTL
Question 2
Which of the following items are not necessary when setting up routing in a
VLAN environment? (Choose two.)
A. Creating VLANs and associating user ports to them
B. Building trunks
C. Tuning STP
D. Configuring routing on an RP
Answers B and C are correct. Tuning STP is not necessary to set up routing
in a VLAN environment. Answer B is incorrect because it is required only
for a router-on-a-stick; but you can use access-links or MLS also. Answers A
and D are required, and therefore are incorrect answers.
For this type of question, more than one answer is required. Such questions
are scored as wrong unless all the required selections are chosen. In other
words, a partially correct answer does not result in partial credit when the
test is scored. If you're required to provide multiple answers and do not provide the number of answers the question asks for, the testing software indicates that you did not complete that question. For question 2, you have to
check the boxes next to answers B and C to obtain credit for this question.
Realize that choosing the correct answers also means knowing why the other
answers are incorrect!
Although these two basic types of questions can appear in many forms, they are
the foundation on which most of the BCMSN certification exam questions are
based. Some other complex questions might include exhibits, simple fill-in-the-blank questions, as well as simulation questions. For some of these questions, you'll be asked to make a selection by clicking the portion of the exhibit
that answers the question or by typing the correct answer(s) in the testing
interface. Your knowledge and expertise of switch configuration must go well
beyond merely memorizing the purpose of various commands. The BCMSN
exam tests your ability to configure a switch in a variety of scenarios and configurations. Do not rely simply on your success at answering traditional multiple-choice questions. Although that type of question represents the core of the
exam, your failure to answer the many fill-in-the-blank, simulator, and configuration scenario type questions will lead to an unsuccessful testing session.
Other questions involving exhibits use charts or diagrams to help document
a network scenario that you'll be asked to configure or troubleshoot. Careful
attention to such exhibits is the key to success. In these instances, you might
have to toggle between the exhibit and the question to absorb all the information being shown and to properly answer the question.
You also might see a question or two in which you must enter a simple command into an input box. You might be presented with a long list of available
commands as part of the testing interface. You will also encounter from one
to five simulation questions. You will be given a simulated scenario that you
must complete in the Cisco IOS environment. This generally involves performing a series of steps at the command line or possibly dragging and dropping the correct order of a certain procedure. Therefore, actual experience
with the Cisco switch IOS and real-world practice are critical to success on
the BCMSN exam.
Exam-Taking Techniques
A well-known principle when taking certification exams is to first read over
the entire exam from start to finish while answering only those questions you
feel absolutely sure of. The next time around, you can delve into the more
complex questions. Knowing how many such questions you have left helps
you spend your exam time wisely. Although this is good overall testing
advice, this capability is not available to you on the BCMSN exam 642-811.
To protect the integrity of the certifications, Cisco does not allow you to
mark and go back to review a previously answered question.
It is critical on a Cisco exam that you read each question thoroughly. After you input
your answer and move on to the next question, you cannot go back!
As you approach the end of your allotted testing time of 90 minutes, you're better
off guessing than leaving a question unanswered.
Please note that Cisco can, at any given time, change the number of questions on
the exam as well as the allotted time to complete the exam!
The most important advice about taking any exam is this: Read each question
carefully. Some questions are deliberately ambiguous, some use double negatives, and others use terminology in incredibly precise ways. I've taken
numerous exams, both practice and live, and in nearly every one, I missed
at least one question because I didn't read it closely or carefully enough.
Here are some suggestions on how to deal with the tendency to jump to an
answer too quickly:
Make sure that you read every word in the question very carefully, even
do this, you should be able to pick the correct answer(s) much more easily.
Rereading a question sometimes enables you to see something you
understand about it, why the answers don't appear to make sense, or
what appears to be missing. If you think about the subject for a while,
your subconscious might provide the details that are lacking or you
might notice a trick that points to the correct answer.
Above all, try to deal with each question by thinking through what you know
about switching, and the characteristics, behaviors, and facts involved. By
reviewing what you know (and what you've written down on your information sheet), you'll often recall or understand enough to be able to deduce the
answer to the question.
Question-Handling Strategies
Based on exams I've taken, some interesting trends have become apparent.
For those questions that take only a single answer, usually two or three of the
answers are obviously incorrect, and two of the answers are possible; of
course, only one can be correct. Unless the answer leaps out at you, begin the
process of answering by eliminating those answers that are most obviously
wrong. A word of caution: If the answer seems too obvious, reread the question to look for a trick. Often those are the ones you are most likely to get
wrong. If you've done your homework for an exam, no valid information
should be completely new to you. In that case, unfamiliar or bizarre terminology most likely indicates a bogus answer.
As you work your way through the exam, budget your time by making sure
that you've completed one quarter of the questions one quarter of the way
through the exam period and three quarters of them three quarters of the
way through the exam. This ensures that you'll have time to go through
them all. As you know, there will be 60 to 70 questions to answer in a 90-minute time frame. That gives you an average of a minute to a minute-and-a-half for each question. The simulation questions will probably take longer
than the multiple-choice questions, so give yourself ample time.
Be cautious about changing your answers and second-guessing yourself. Many
times the first selection is right and changing your answer might cause you to miss
questions that were originally answered correctly.
If you aren't finished when 95% of the time has elapsed, use the last few minutes to guess your way through the remaining questions. Remember that
guessing is potentially more valuable than not answering because blank
answers are always wrong, but a guess might turn out to be right. If you don't
have a clue about any of the remaining questions, pick answers at random or
choose all As, Bs, and so on. The important thing is to submit an exam for
scoring that has an answer for every question.
With the information in this book and the determination to supplement your
knowledge, you should be able to pass the certification exam. However, you
have to work at it. Otherwise, you'll have to pay for the exam more than once
before you finally pass. As long as you get a good night's sleep and prepare
thoroughly, you should do just fine. Good luck!
Additional Resources
A good source of information about Cisco certification exams comes from
Cisco itself. The best place to go for exam-related information is online. The
Cisco CCNP Certification home page, which includes a link to BCMSN
information, resides at www.cisco.com/warp/public/10/wwtraining/certprog/lan/programs/ccnp.html.
2
Designing Switched Networks
This chapter exposes you to a lot of different concepts. First, the chapter discusses Cisco's design philosophy for creating scalable campus networks,
including Cisco's old three-layer hierarchical model and Cisco's new
Enterprise Model design. Next, I'll compare and contrast the different types
of Layer 2 and Layer 3 solutions you can use in your campus network,
including the different Ethernet media types, as well as products that Cisco
recommends for the Enterprise Composite Network Model.
This chapter then discusses how to put a basic configuration on a Catalyst
switch, using native mode (using the IOS operating system). It's assumed that
you have basic knowledge of IOS commands, so this section is more of a
review of basic commands and configuration tasks. This is followed by the
optional Switch Fabric Module (SFM), which is supported in the Catalyst
6500 switches.
Network Design
The constant and variable changes in traffic patterns are just two things that
are reshaping the approach that designers have to take in designing campus
intranets. The following are important requirements in the new campus
intranet, at both Layers 2 and 3:
Adapting to topology changes very quickly
Reliability and redundancy in case of network failures
Being able to scale to a very large size
Accommodating large amounts of bandwidth
Being able to predict traffic patterns
Centralizing servers and applications to ease administration
Handling the increasing amount of multicast traffic and applications
Coping with traffic pattern changes from the 80/20 to the 20/80 rule
Supporting a diverse group of routed and bridged protocols
The following sections cover some concepts that Cisco uses when designing
campus networks.
AVVID
AVVID (Architecture for Voice, Video, and Integrated Data) is a process
Cisco developed to help design complex networks with multiple coexisting
software necessary to move traffic across the network between a user and
his resource. Those devices include routers, switches, firewalls, voice
gateways, and others.
Intelligent Network Services—This enables you to provide the appropriate
Network Model
Over the last few years, the design of campus networks has radically changed.
Traditionally, most services (sometimes even local services) were placed at
the center of the network, with Layer 2 switching providing the transport
between the users and their resources. Today, a three-layer design is used to
provide scalability and efficiency for a growing intranet. This three-layer
design is composed of the following layers:
Core layer—Provides a high-speed switching backbone
Distribution layer—Implements corporate policies
Access layer—Provides users' initial access to the network
Figure 2.1 displays the three-layer hierarchy and the devices at each layer.
Figure 2.1 Three-layer hierarchy.
Core Layer
The function of the core layer is to offer a high-speed Layer 2 switching
backbone between different distribution layers, which provides packet
switching that is as fast as possible.
Note that implementing Layer 3 services at the core is not recommended.
That means features such as packet filters and policy-based decisions should
not be performed here, but rather at the lower distribution layer. This is
applicable even to multilayer switching in the core because the core devices
must perform packet manipulating or rewriting to perform their services,
thereby slowing down the packet flow. There's an exception to implementing Layer 3 services at the core: If the campus in question is very large and
you're having issues with Layer 3 convergence at the distribution layers, it
might be necessary to implement Layer 3 switching at the core. However,
this should be approached with caution.
Distribution Layer
The distribution layer provides the demarcation point between the core and
the access layers of a campus network. The distribution layer switches should
perform all Layer 3 and policy functions. These include the following tasks:
Connecting to access switches to provide workgroup and department
access
Implementing VLANs to handle broadcast issues
Routing between VLANs
Designing addressing and address summarization
Enforcing security policies
Translating between different media types such as FDDI, Ethernet, and
token ring
Because the distribution layer aggregates the connection of many different
access switches, the distribution switch needs a high-speed Layer 3 or multilayer switching function to handle all the intra- and inter-VLAN traffic.
Access Layer
The access layer provides the user entry point into the switched network. It
allows for the connection of different users and their servers.
At this layer, you can provide shared or switched access. An example of
shared access is when you have computers attached to a hub that's in turn
attached to a switch. Switched access occurs when a computer has its own
connection on the switch; it's not sharing bandwidth with other networking
devices. Switched access provides more bandwidth for users, but is more
costly because it requires more ports on your switch.
The following are some of the tasks and items that this layer handles:
Defining VLAN membership for users and services to restrict the prop-
Switches are the most common devices used at this layer to provide users
with their connections. Note that the access layer can include routers when
connecting branch offices to their corporate site by using technologies such
as frame relay, ISDN, or even dedicated links. It is sometimes mistakenly assumed that
the three layers (core, distribution, and access) must exist in distinct physical entities, which does not have to be the case. These layers are
defined more to represent functionality than physical boundaries.
The way that the layers are implemented is based on your specific networking design. However, a hierarchical structure must be maintained for optimal
functionality.
The core provides high-speed switching between the distribution layers. The distribution layer provides Layer 3 services, including the containment of broadcasts and
STP problems. The access layer provides the user's initial connection to the network.
Enterprise Model
One of the limitations of the three-layer hierarchical model is that it covers
only a single campus design and doesn't allow different types of treatment
based on the function of a particular layer in a campus. Cisco has expanded on this and created the Enterprise Composite Network Model (ECNM),
which breaks a network into three functional areas, depicted in Figure 2.2:
Enterprise Campus
Enterprise Edge
Service Provider Edge
The main purpose of the ECNM is to define clear boundaries or demarcation points between different modules, or areas, of your network. By modularizing your network, your network becomes easier to troubleshoot and
maintain as well as more scalable. Also, by modularizing your network, it
becomes easier to add new modules to your existing design without having
to redesign your entire network infrastructure and services.
Each of these functional areas can have its own access, distribution, and core.
Those three layers are typically contained within the Enterprise Campus
area, but the other functional areas can contain one, two, or all three of these.
The following three sections cover these functional areas.
Enterprise Campus
The Enterprise Campus area provides the three-layer hierarchical campus
model, but it doesnt include remote or Internet connections (these are in the
Enterprise Edge area). Within the Enterprise Campus module, youll find
the following sub-modules: Campus Infrastructure, Edge Distribution,
Server Farm, and Network Management.
The Campus Infrastructure module includes the following sub-modules:
Building Access (formerly the access layer of the three-layer hierarchical
model)—Responsible for high-speed switching of traffic between building distribution modules, as well as QoS and, possibly, security.
Redundancy is provided by having dual connections to each building
distribution as well as the edge distribution.
In addition to these three sub-modules, Cisco has introduced some new
ones. The Edge Distribution sub-module is responsible for connecting to
the Enterprise Edge module, which separates you from the outside world
(Service Provider module). Its functions are similar to the Building
Distribution module in Campus Infrastructure. However, it can perform
additional security tasks as well as summarize routing information.
The Server Farm sub-module contains corporate resources, such as database
applications, corporate email, DNS and WINS, file and print services, and
so on. Because access to these resources is critical, dual connections are used
between the Server Farm and the Campus Backbone sub-modules. Please
note that you might have other servers in your network, typically at the
Building Distribution, for separate divisions or departments within your
company.
Enterprise Edge
The Enterprise Edge sub-module controls traffic between the Service
Provider Edge and the Enterprise Campus. The Enterprise Edge contains
four sub-modules: E-commerce, Internet Connectivity, Remote Access and
VPNs, and WAN Access.
The E-commerce sub-module contains services offered to the public. Those
services can include Web servers, database servers, online transactions, and
application servers. They're all protected by security products such as
authentication servers, firewalls, and intrusion detection.
The Internet Connectivity sub-module provides a connection between you
and the Internet. This sub-module contains the following services: DNS,
FTP, email, and Web servers. It is protected by security products such as firewalls, basic filtering on perimeter routers, and intrusion detection systems.
The Remote Access and VPN sub-module is responsible for remote access
and remote access VPN connections from your external users and sites. The
types of devices involved with this sub-module include dial-up access servers,
VPN concentrators, firewalls, routers, and intrusion detection systems.
The WAN Access sub-module is responsible for connecting remote sites to
the Enterprise Edge via a private network. Traffic from these sites does not
traverse a public network, like the Internet, and is therefore more secure.
Types of technologies employed for these connections include leased lines,
DSL, cable, optical, wireless, frame relay, ATM, and others.
Devices
When dealing with a campus network, you'll have to use many different
types of devices to deliver the services that your users need. The basic infrastructure of this network contains devices that move traffic between the users
and their services. Choosing the correct devices is therefore very important.
The following sections cover some of the basic kinds of devices that you'll
typically use for your design: Layer 2 switches, routers, Layer 3 switches, and
multilayer switches.
Layer 2 Switches
Introduced in 1994, switches are weapons in a network administrator's arsenal that can help solve problems in a data network. Switches have many
things in common with bridges: Both are Layer 2 devices; both forward all
broadcasts and multicasts; both do not allow multiple paths to a destination;
both solve collision problems; both learn the locations of devices by putting
the source MAC address of a frame, along with its associated port, into a port
address or CAM table; both make switching decisions based on MAC
addresses; both allow an administrator to use existing equipment and cabling
with little or no upgrading.
With switches and bridges sharing so many of the same characteristics, many
people scratch their heads wondering what the differences are. One difference, although it's somewhat minor, is that bridges usually have no more than
2 or 4 ports per bridge, whereas switches, from some vendors, can have 500
to 1,000 ports.
Even though most enterprise networks don't use bridges, you
might see questions about bridges on the BCMSN exam.
In addition to having all the advantages of bridges, switches have many other
advantages:
Switching is performed in hardware by application-specific integrated
and ATM.
Switches support full and half duplexing.
Switches have faster backplane buses to support a higher port density
However, switches (and bridges) do not solve all the problems in a campus
network. There are two main problems with this technology: switches flood
broadcasts, multicasts, and unknown unicast destinations, and the Spanning
Tree Protocol (STP), which is discussed in Chapter 4, "Spanning Tree
Protocol," has convergence and scalability problems.
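The learning and forwarding behavior described above, written out as an added Python model (not code from the book): each frame's source MAC and ingress port are learned into a CAM table, broadcasts, multicasts, and unknown unicasts are flooded out every other port, and a known unicast goes only to its learned port. The MAC addresses and port numbers are constructed for illustration.

```python
"""Added example (not from the book): a minimal model of Layer 2 learning
and forwarding. MAC addresses and port numbers below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """The I/G bit (least-significant bit of the first octet) marks a
    multicast address; the all-ones broadcast address is the special case."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str           # source MAC address
    dst: str           # destination MAC address
    ingress_port: int  # port the frame arrived on


@dataclass
class Layer2Switch:
    ports: List[int]
    # The CAM (port address) table: MAC address -> port it was learned on.
    cam: Dict[str, int] = field(default_factory=dict)

    def learn(self, frame: Frame) -> None:
        """Record where the sender lives; a group address is never a source."""
        if not is_group_address(frame.src):
            self.cam[frame.src] = frame.ingress_port

    def flood_ports(self, ingress_port: int) -> List[int]:
        """Every port except the one the frame came in on."""
        return [p for p in self.ports if p != ingress_port]

    def forward(self, frame: Frame) -> List[int]:
        """Learn from the frame, then return the ports it is sent out of."""
        self.learn(frame)
        # Broadcasts and multicasts are always flooded.
        if frame.dst == BROADCAST or is_group_address(frame.dst):
            return self.flood_ports(frame.ingress_port)
        learned_port = self.cam.get(frame.dst)
        if learned_port is None:
            # Unknown unicast: the switch has no choice but to flood, which
            # is why the text lists flooding as a problem of the technology.
            return self.flood_ports(frame.ingress_port)
        if learned_port == frame.ingress_port:
            # Source and destination share the ingress segment (for example,
            # a hub behind the port): the switch filters the frame, which is
            # how it keeps collisions local to that segment.
            return []
        return [learned_port]


def demo() -> Dict[str, int]:
    """Run a short constructed exchange and return the resulting CAM table."""
    sw = Layer2Switch(ports=[1, 2, 3, 4])
    a, b = "00:11:22:33:44:0a", "00:11:22:33:44:0b"
    sw.forward(Frame(a, b, 1))          # unknown unicast: flooded to 2, 3, 4
    sw.forward(Frame(b, a, 2))          # B replies; A is known -> port 1 only
    sw.forward(Frame(a, BROADCAST, 1))  # broadcast: flooded to 2, 3, 4
    return dict(sw.cam)


if __name__ == "__main__":
    print(demo())
```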
Routers
Routers, unlike bridges and switches, operate at Layer 3. Routers also make
forwarding and filtering decisions, but these decisions are based on Layer 3
addressing information, like the network numbers for IP addresses. Unlike
switches, routers are somewhat intrusive in a network. Each segment off a
port of a router must be assigned a network number, and each device connected to that segment must have that network number and a unique node
number as part of its Layer 3 address, including the router itself. The end
stations must also know about the router so that if they need to send information to a device that's not on the same segment, they know where to send
the information to get it to its final destination. In protocols such as IP, this
must be manually configured on the end user's device or automatically
assigned via a DHCP server.
Routers solve two problems that have been discussed so far: Through segmentation, they can create multiple collision domains as well as multiple
broadcast domains. Unlike bridges, routers do not forward broadcasts by
default. In networks where broadcasts are problematic, routers can help cut
down on the propagation of broadcasts: broadcasts stay local to the segment
where they were created. The advantage of this is that if a machine goes
crazy with broadcasts, it does not affect the whole network, as it would in a
flat, switched network. Routers create a lot more broadcast domains, but
each of these domains is smaller and has fewer broadcasts.
Layer 3 Switches
A Layer 3 switch is an enhanced router. One problem of traditional routers
is that a generic processor performs most of the switching decisions. Using a
generic processor allows the router to perform all tasks, but it does not perform all of them well. To overcome this inefficiency, Layer 3 switches use
inexpensive ASICs to perform forwarding of frames. This allows Layer 3
switches to achieve very high forwarding rates and, in tandem with a generic processor, still allows the Layer 3 switch to offer many of the other features
of a traditional router, such as
Routing Layer 3 traffic, such as IP packets, based on destination
addresses
Applying filtering based on configured policies
Verifying the checksum of the Layer 3 packet
Updating SNMP MIB information for management purposes
Running a Layer 3 routing protocol to help make switching decisions
Updating Layer 3 packet information, such as the Time-To-Live (TTL)
field in IP
Supporting quality of service (QoS)
Tracking information flows as traffic passes through them
A Layer 3 switch, for all intents and purposes, is a router. The main difference between a Layer 3 switch and a traditional router is that a Layer 3
switch switches all frames in hardware at wire speeds. The main downside of
a Layer 3 switch is in interface flexibility. For example, if you need WAN
interfaces, a traditional router typically offers this flexibility, whereas a Layer
3 switch doesn't.
Multilayer Switches
Multilayer switching combines Layer 2, Layer 3, and Layer 4 switching in
one chassis. These switches can examine information in the transport layer
segment (TCP and UDP) to help make intelligent switching decisions. To do
this, a multilayer switch routes the first packet in a packet stream but switches the rest, sometimes referred to as "route once, switch many."
Cisco's Catalyst family of multilayer switches can switch based on Layer 2,
Layer 3, and Layer 4 information. Because these Catalyst switches perform
their switching (at all levels) in hardware, there's no difference in performance between switching at Layer 2 and switching at Layer 4. Multilayer switches and Layer 3 switches are discussed in more depth in Chapter 6,
"Multilayer Switching."
Media Types
Ethernet comes in a variety of flavors: 10Mbps, 100Mbps, 1Gbps, and even
10Gbps. The following sections briefly cover some of the important topics
related to Ethernet media types.
Ethernet
All flavors of Ethernet use the same frame type. However, the physical
implementation of each differs. All of these implementations support both copper and fiber. It's important to realize that
Ethernet is distance sensitive. That means that for the CSMA/CD mechanism to
work correctly, you'll have to stringently follow the cabling type (copper and
fiber) and distance specifications for Ethernet. Table 2.1 describes the
100-meter rules that you should follow for Category 5 cabling.
Table 2.1 Rules for Cabling Category 5 Ethernet

| Distance  | Location                                                           |
|-----------|--------------------------------------------------------------------|
| 5 meters  |                                                                    |
| 90 meters | Used from the punch-down block to the wiring closet's patch panel  |
| 5 meters  |                                                                    |
Fast Ethernet
Fast Ethernet is built on the same principles as Ethernet: It uses the same
frame type, length, and format; it implements CSMA/CD; it uses the same
MAC layer. The main difference between the two is that the physical layer
for Fast Ethernet is different. Fast Ethernet also supports half- and full-duplex connections. Table 2.2 describes the cabling types and distance limitations of Fast Ethernet for copper cabling.
Table 2.2 Fast Ethernet Media Types

| Media Type | Distance (Meters)                        | Cabling               |
|------------|------------------------------------------|-----------------------|
| 100BaseTX  | 100                                      | Category 5 UTP        |
| 100BaseT4  | 100                                      | Category 3, 4, 5 UTP  |
| 100BaseFX  | 400 (half duplex), 2,000 (full duplex)   |                       |
Fast Ethernet, for the most part, has supplanted 10Mbps Ethernet. In most
designs, Fast Ethernet is used within the Building Access sub-module: It provides connections to users. Fast Ethernet can be used at the Building
Distribution (connections down to the access layer and to distribution layer
servers) and Campus Core sub-modules (connections within the core and to
Building Distribution sub-modules), but because of expanding bandwidth
needs, Gigabit Ethernet is a better solution for these locations.
100BaseTX has a distance limitation of 100 meters. 100BaseFX's limitation is 400
meters half duplex and 2,000 meters full duplex.
Gigabit Ethernet
Gigabit Ethernet, supporting speeds of 1Gbps, can provide more than sufficient bandwidth to any bandwidth-intensive points in your intranet. The
physical layer of Gigabit Ethernet was developed from a mixture of technologies in the original Ethernet standards and includes the ANSI X3T11
Fiber Channel specification. Until recently, the most common was 802.3z,
which uses fiber at the physical layer. This is referred to as 1000Base-X. The
newer IEEE standard, 802.3ab, specifies copper, and is commonly referred
to as 1000BaseT.
Like Fast Ethernet, Gigabit Ethernet builds on the Ethernet protocol standard. There were some initial problems getting Gigabit Ethernet to perform
at gigabit speeds. To accomplish this, a few changes were made to its physical layer connectivity. This was facilitated by merging two existing standards:
IEEEs 802.3 Ethernet and ANSIs X3T11 Fiber Channel standards. The
MAC layer of Gigabit Ethernet uses the same CSMA/CD protocol as
Ethernet. Table 2.3 displays the cable types and distance limitations of different implementations of Gigabit Ethernet.
Table 2.3 Gigabit Ethernet Media Types

| Media Type  | Distance (Meters) | Cabling                        |
|-------------|-------------------|--------------------------------|
| 1000BaseCX  | 25                | STP (shielded twisted pair)    |
| 1000BaseT   | 100               | Category 5 UTP                 |
| 1000BaseSX  | 260-550           | MMF                            |
| 1000BaseLX  | 3,000-10,000      | SMF                            |
Cisco does not support 1000BaseCX in its products. The 1000BaseLX standard supports 3 kilometers, but Cisco has stretched this to 10 kilometers with
certain interface types.
Gigabit Ethernet can be deployed at all locations within the Enterprise
Campus module: Building Access, Building Distribution, Campus Core, and
Server Farm. Inside a building, it can aggregate multiple 10Mbps or 100Mbps
links from the access layer switches to distribution layer switches. At the core, these
links can provide bandwidth capacity for streaming video or real-time
database enterprise application servers that are located in the server block.
Likewise, the links can be used in the core to connect two switch blocks when
the switch blocks are generating an inordinate amount of traffic between
themselves.
Gigabit Ethernet is not commonly used to connect user devices to access
layer switches. Not all computers and Gigabit Ethernet NICs can process
frames at Gigabit Ethernet speeds. Only high-end servers and expensive
Gigabit NICs with fast processors can approach this speed. For this reason,
it makes no sense to buy one of these cards for a small- to medium-sized file
server that handles only file and print services; it should be reserved for highend data or video servers. In many of these servers, the I/O subsystem connected to the disk drives cannot begin to attain these speeds even if the NIC
cards and the CPU can. Speeds in the range of 400 to 700Mbps are more
reasonable. If speeds higher than this are necessary, it's better to buy a multiport Fast Ethernet ISL card and set up a full-duplex Fast EtherChannel.
(EtherChannels are discussed in Chapter 4.)
Distance limitations for Gigabit Ethernet include 25 meters for 1000BaseCX, 100
meters for 1000BaseT, 260 to 550 meters for 1000BaseSX, and 3,000 to 10,000 meters
for 1000BaseLX.
Switching Roles
One of the decisions you'll have to make is to choose devices for each of your
Enterprise Campus sub-modules. Table 2.4 summarizes what types of
switches and media types should be used at various locations in your campus.
Table 2.4 Switch Roles and Media Types

| Location               | Switch Type                   | Media Type |
|------------------------|-------------------------------|------------|
| Building Access        | Layer 2 switch                |            |
| Building Distribution  | Layer 3 or multilayer switch  |            |
| Campus Core            | Layer 2 or Layer 3 switch     |            |
Layer 2 switches provide simple and fast, but not scalable, networks. Layer 3
switches support fast convergence, hierarchical designs, equal-cost path load
balancing, and better scalability than Layer 2 switches. The main downside
of Layer 3 switches is that they cost more than Layer 2 switches.
The Building Access module uses Layer 2 switches. Building Distribution uses
multilayer or Layer 3 switches. Campus Core uses Layer 2 or Layer 3 switches.
Design Practices
You'll want to include redundancy in any type of network design. Consider
Figure 2.3 as an example. In this design, the access layer switches have dual
connections to the redundant Building Distribution switches in the building
on the campus. STP removes any Layer 2 loops and Cisco's Hot Standby
Routing Protocol (HSRP) provides default gateway redundancy for users
inside the Building Access module. HSRP is discussed in Chapter 7,
"Availability and Redundancy."
Notice that the core has two switches for redundancy, and the Building
Distribution switches have dual connections to each of these. By using a different VLAN for each connection, you're introducing redundancy at Layer
3 for your Layer 3 routing protocol. This provides two equal-cost paths for
a Building Distribution switch to reach locations across the Campus Core.
The next three sections discuss some design philosophies based on the size
of different campuses.
Server Farm
The Server Farm sub-module is connected to the Campus Core. It contains
application and transaction servers, file and print servers, email servers, voice
gateways, DNS servers, multimedia servers, and others. Maintaining access
to these services is critical.
You should treat the Server Farm sub-module as a special logical building
within your campus: It should have Building Distribution (Layer 3 devices)
and Building Access (Layer 2 devices) sub-modules. It is important to use a
Layer 3 device to separate the Campus Core from the Server Farm to contain Layer 2 problems such as broadcasts, multicasts, and STP.
The Building Access sub-module should contain Layer 2 switches. Cisco
recommends Catalyst 6500 or 4000 Series switches. All critical services here
should be dual-homed to separate access switches and implement redundancy. The Building Distribution sub-module should contain mid-to-high-end
Catalyst switches, such as the 6500, as well as other devices, such as caching
systems, server load balancing, server content routing, and so on.
Cisco's Content Network Solutions can provide these services.
Enterprise Edge
The Enterprise Edge module defines the boundary between your site and
other sites or networks. Layer 2 switches are typically used for connectivity
within this module. Other devices, described in the "Enterprise Edge" section earlier in this chapter, provide most of the connectivity functions for this
module, such as firewalling, routing, intrusion detection, terminating VPN
end points, and so on.
Operating System   Catalyst 2950   Catalyst 3550   Catalyst 4000           Catalyst 6500
CatOS              No              No              Supervisor I and II     Yes
Hybrid             No              No              No                      Yes
IOS                Yes             Yes             Supervisor III and IV   Yes
CatOS and IOS support most of the same features; however, there are some
differences. For instance, CatOS supports dynamic VLANs and stateful
supervisor engine switchover/failover, whereas IOS doesn't. CatOS doesn't
support server load balancing, MPLS, and distributed Cisco Express
Forwarding (CEF), but IOS does.
CatOS is supported on the Catalyst 4000s and 6500s, and provides only Layer 2 processing. Hybrid mode is supported on the 4006 and 6500 when a routing card is
installed; the routing card has IOS and the Supervisor Engine has CatOS. Native
(IOS) mode runs only IOS on the switch, controlling both Layer 2 and Layer 3 functions. All of Cisco's switches support native mode.
If you've worked with CatOS in the past, the IOS interface and configuration will be noticeably different. Table 2.6 compares the configuration and
operation of the two operating systems.
One major difference between CatOS and IOS is that CatOS has only two
modes: User and Privilege EXEC, whereas IOS has three modes. Both
CatOS modes are similar to the equivalent IOS modes. The exception is that
in Privilege EXEC mode in CatOS, you can also execute configuration
commands, such as set and clear.
Table 2.6 IOS Versus CatOS

OS Features                     IOS                                        CatOS
Mode of ports                   Layer 2 or Layer 3                         Layer 2
Default port status
Number of configuration files   Two (running-config and startup-config)    One
Modes                           Three (User EXEC, Privilege EXEC,          Two (User EXEC and Privilege EXEC)
                                Configuration)
Configuration commands          Entered in Configuration mode              set and clear, entered in Privilege EXEC mode
Configuration Introduction
The commands discussed in this book are used by the IOS operating system
(CatOS is not discussed, except in specific situations related to the exam).
This book assumes that you have a basic knowledge of IOS commands. As
you'll see in this section, the commands used by IOS routers are basically the
same as those used on the Catalyst switches, with some differences. This
book assumes that you have basic IOS skills and have at least achieved the
CCNA certification, which thoroughly covers basic IOS commands.
Features such as context help, CLI editing, and command recall are all supported in native mode.
To access the switch and put an initial configuration on the switch, you'll
have to set up a console connection from your PC to the switch. This
requires an RJ-45 rollover cable and a DB9-to-RJ45 terminal adapter. You'll
need a terminal emulation program running on your PC, configured for
9,600bps, 8 data bits, 1 stop bit, no parity, and no flow control.
Sample Configuration
Let's take a look at a basic configuration for an IOS-based switch, shown in
Listing 2.1.
Listing 2.1 Basic Configuration
Switch> enable
Switch# configure terminal
Switch(config)# hostname name_of_switch
Switch(config)# enable password password
Switch(config)# enable secret password
Switch(config)# service password-encryption
Switch(config)#
Switch(config)# line console 0
Switch(config-line)# password password
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# access-class ACL_# in
Switch(config-line)# exit
Switch(config)# access-list 1-99 permit IP_address [wildcard_mask]
Switch(config)#
Switch(config)# interface vlan VLAN_#
Switch(config-if)# ip address IP_address subnet_mask
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway router_IP_address
Switch(config)#
Switch(config)# interface type slot_#/port_#
Switch(config-if)# duplex auto|full|half
Switch(config-if)# speed 10|100|auto
Switch(config-if)# end
Switch# exit
There are two methods of accessing User EXEC mode on the switch: from the
console (line console 0) and from telnet (line vty 0 4). To secure the console
port, use the password command. To secure telnet access, authenticate logins
with the login command and assign a password with the password command.
Please note that the password created with the password command is stored in
clear text. It's recommended that you restrict telnet access to the switch by configuring a standard ACL with the access-list command and activating it on
your VTY lines with the access-class command. Use permit statements in the
ACL to match on networks or PCs that are allowed to telnet to the switch.
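The checks just described (enable secret, service password-encryption, login and password on the VTY lines, and an access-class ACL that exists and contains permit statements) as an added Python audit that is not from the book, run over two constructed configurations in the style of Listing 2.1; the hostname, addresses, ACL number and password values are made up:

```python
import re
from typing import Dict, List

# Constructed sample in the style of Listing 2.1, deliberately carrying the
# weaknesses the text warns about. Hostname, addresses and passwords are made up.
WEAK_CONFIG = """\
hostname access-sw1
enable password cisco123
!
line console 0
 password console1
!
line vty 0 4
 password telnet1
!
interface vlan 1
 ip address 10.1.1.2 255.255.255.0
 no shutdown
"""

# Constructed sample: the same switch after the recommendations in the text
# (enable secret, service password-encryption, login plus access-class on the VTYs).
HARDENED_CONFIG = """\
hostname access-sw1
enable secret 5 $1$PLACEHOLDER$notarealhash
service password-encryption
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
line console 0
 password 7 0822455D0A16
!
line vty 0 4
 login
 password 7 0822455D0A16
 access-class 10 in
!
interface vlan 1
 ip address 10.1.1.2 255.255.255.0
 no shutdown
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'line ...' or 'interface ...'
    parent command. Global (unindented) commands are stored under the key ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if raw[0] in " \t":
            sections.setdefault(current, []).append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line                # start of a new section
            sections.setdefault(current, [])
        else:
            current = ""
            sections[""].append(line)
    return sections


def audit_remote_access(config: str) -> List[str]:
    """Report the management-access gaps the text describes: enable secret,
    clear-text line passwords, VTY login/password, and the access-class ACL."""
    sections = parse_sections(config)
    glob = sections[""]
    findings: List[str] = []

    if not any(cmd.startswith("enable secret") for cmd in glob):
        findings.append("no 'enable secret' configured")
    if "service password-encryption" not in glob:
        findings.append("'service password-encryption' missing; line passwords are stored in clear text")

    # Standard numbered ACLs (1-99) and the actions they contain.
    acls: Dict[str, List[str]] = {}
    for cmd in glob:
        m = re.match(r"access-list (\d+) (permit|deny)\b", cmd)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))

    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: 'login' missing; telnet sessions are not authenticated")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: no 'password' set")
        access_class = [c for c in cmds if c.startswith("access-class ")]
        if not access_class:
            findings.append(f"{name}: no 'access-class ... in'; telnet is accepted from any source")
        else:
            acl_no = access_class[0].split()[1]
            if acl_no not in acls:
                findings.append(f"{name}: access-class {acl_no} refers to an ACL that does not exist")
            elif "permit" not in acls[acl_no]:
                findings.append(f"{name}: ACL {acl_no} has no permit statements; all telnet is blocked")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_remote_access(cfg) or ["no findings"])
```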
In-band management is management traffic, such as telnetting to the switch, that
crosses the switching backplane of the switch. Out-of-band management traffic,
such as accessing the switch through its console port, doesn't traverse the backplane of the switch.
To assign an IP address to the switch, you must create a logical VLAN interface. VLANs are discussed in Chapter 3. To create a logical VLAN interface,
use the interface vlan command, specifying the VLAN that the switch
should be associated with. Then assign an IP address to it with the ip address
command. By default, these logical interfaces are disabled, so enable them
with the no shutdown command. If the switch has no routing function (it is configured for, or supports, only Layer 2), assign a default gateway address
with the ip default-gateway command.
To configure interface settings, such as speed or duplexing, enter the physical
interface with the interface command. You must specify the type (fastethernet
or gigabitethernet), slot number (on the 2950, this is always 0), and the port
number. Once you're in the interface, use the duplex command to change the
duplexing (defaults to auto) and the speed command to change the speed
(defaults to auto for multispeed ports). If you're experiencing intermittent
connectivity problems or a large number of collisions on an interface,
autosensing could be the culprit. If this is the case, hardcode the speed and
duplexing on the interface.
To exit Configuration mode, use the end command or press the Ctrl+Z control sequence. To log out of the switch from either User or Privilege EXEC
mode, use the exit command. This is the crash course on basic switch
configuration.
Be familiar with the commands listed in Listing 2.1.
Please note that the Catalyst 1900, which is end-of-life (EOL), also has an IOS-based
interface. However, the commands to configure it are different from the ones presented earlier. Because the 1900 is EOL, this book focuses on IOS for only the newer
switches, which I discussed in Listing 2.1.
Manipulating Files
To view the active configuration file on a switch, use the show system:running-config command. To view a saved configuration file, use the show nvram:startup-config command. Please note that the syntax shown here is the newer
syntax. The older syntax is still supported; in other words, you can omit the
location, such as system: or nvram:, when performing certain copy functions.
When using native mode on a Catalyst switch, any configuration changes
that you make are not automatically saved to flash. This is different from
CatOS. To save your changes, use one of the following commands:
Switch# copy system:running-config nvram:startup-config
Switch# copy system:running-config tftp:[[[//IP_address]/directory_name]/filename]
Switch# copy nvram:startup-config tftp:[[[//IP_address]/directory_name]/filename]
Note that to use the copy command, you must be in Privilege EXEC mode.
The first command backs up the active configuration to flash. The second
command backs up the active configuration to a TFTP server. The third
command backs up the saved configuration to a TFTP server. To restore
your changes, use one of the preceding copy commands with the source and
destination swapped.
To view your operating system files in flash, use the show flash or dir
command:
Switch# dir flash:
Directory of flash:/

    2  -rwx     2664051   Jan 01 1970 00:01:51  c2950-i6q4l2-mz.121-11.EA1.bin
    3  -rwx         269   Mar 12 1993 01:49:50  env_vars
    4  -rwx        1355   Mar 12 1993 01:49:50  config.text
    5  -rwx           5   Mar 01 1993 00:03:55  vlan.dat
    7  drwx         704                         html
The first file is the operating image (IOS). The config.text file is the saved
configuration and mimics NVRAM found on Cisco routers. The vlan.dat file
contains the VLAN database configuration discussed in Chapter 3. The html
directory contains the necessary files to access and manage the switch using
a Web browser.
To back up the native mode image in flash, use the copy flash tftp command.
You'll be prompted for the name of the IOS image to back up, the IP address
of the TFTP server, and what you want to name the IOS image on the
TFTP server. To upgrade the native mode image on your switch, use the copy
tftp flash command. You'll be prompted for the same three pieces of information as with the copy flash tftp command.
Troubleshooting
The switches support two basic troubleshooting commands: show and debug.
show commands display static information about the operation and configuration of the switch; in other words, the information is not updated on the
screen unless you re-execute the command. Table 2.7 lists some common
show commands.
Table 2.7 show Commands

Command                   Explanation
show interfaces
show mac-address-table
show processes
show spanning-tree
show version
If you can't access the switch via IP or cannot access another device through
the switch, check the following:

Examine the cabling to make sure that you're using the correct type:
straight-through for DTE-DCE connections and crossover for DTE-DTE and DCE-DCE connections. A DTE is a router, file server, or PC.
A DCE is a hub, bridge, or switch.

Examine the status of the interface to which the device is connected with
the show interfaces command.

interface with the show interfaces command. Also examine the switch's
default gateway address.

If the switch and other device are in different VLANs, make sure that
both devices are configured for the correct VLANs and have default
routes.
debug commands have a dynamic display of events on your switch; that is,
they display events as they occur. You must be in Privilege EXEC mode to
execute debug commands. To add timestamps with the date and time to your
debug output, execute the service timestamps command. Because debug commands are process-intensive, you should disable them when you're finished.
Either preface the debug command with the no parameter to disable it, or use
the no debug all command.
debug commands are a very powerful tool. However, you should be very careful about
their use because they are very process-intensive and can affect the throughput of
traffic flowing through your switch. Do not use the debug all command; doing so
will probably crash your switch.
SFM Characteristics
The SFM provides a dedicated connection between modules that support
SFM connectivity. Modules thus have a connection to the 32Gbps bus as well
as to the bus on the SFM itself. The SFM card doesn't have any interfaces,
but it does have an LCD display that shows the utilization of the module.
With a 6513 chassis, the SFM is installed in slot 7 or 8, and slots 9-13 support dual-switch fabric interface modules, such as Fast and Gigabit Ethernet
modules. For all other model 6500 switches, the SFM is installed in either
slot 5 or 6. With all 6500s, you can install a redundant SFM in the remaining slot. One nice feature about dual SFMs is that it doesn't require any extra
configuration on your part.
The SFM expands the backplane of the switch from 32 to 256Gbps. In a 6513, the
SFM goes in slot 7 or 8, whereas in other 6500 chassis, it goes in slot 5 or 6. The
SFM supports dual cards, but requires a Supervisor Engine II card.
After you install the SFM, traffic can be moved between connected modules
via one of three modes:
Bus mode: Used to move traffic between non-fabric modules and for
traffic between fabric and non-fabric modules. All traffic is sent through
the local bus and Supervisor Engine bus.
Compact mode: Used to move traffic between fabric modules only, which
Configuration
Setting up and configuring the SFM is simple. You can place a restriction on
your 6500 operation with the following SFM command:
Switch(config)# fabric required
When you configure this command, you're telling the switch that if the SFM
fails or is removed, the switch will not process any traffic until the SFM is
repaired or re-installed. Actually, in this situation, all modules are powered
off until the SFM is reinstalled.
The SFM can operate in any of the three modes discussed in the last section,
including more than one mode at a time, based on the type of cards installed.
You can restrict its operation by enabling or disabling modes with the following command:
Switch(config)# [no] fabric switching-mode allow bus-mode|truncated [threshold #]
With truncated mode, you can specify an optional threshold, which specifies
how many fabric-supported modules must be installed before truncated mode
takes effect. To verify the SFM's operation, use the commands in Table 2.8.
Table 2.8 Verifying the SFM's Operation
Command
Explanation
Summary
This chapter covered many introductory concepts of Cisco's switches and
how you use them in your network. AVVID is one of the core building blocks
that Cisco uses when creating a network design. AVVID includes three components: Network Infrastructure, Intelligent Network Services, and
Network Solutions.
Cisco uses a basic three-layer hierarchical model to describe the design
process: core, distribution, and access. The core layer provides high-speed
switching between distribution layers. The distribution layer provides Layer
3 services and separation of access and other distribution layers. The access
layer provides a user's initial connection to the network.
Cisco expands on this model when designing campus networks. A campus
network is made up of modules: Enterprise Campus (the campus itself),
Enterprise Edge (buffer between remote sites), and Service Provider Edge
(solutions for remote access). Within the Enterprise Campus are sub-modules,
including Building Access, Building Distribution, Campus Core, and Server
Farm. Layer 2 switches are used in the Building Access sub-module, either
Layer 3 or multilayer switches are used in the Building Distribution sub-module, and either Layer 2 or Layer 3 switches are used in the Campus Core
sub-modules.
There are three types of operating system modes for Catalyst switches:
CatOS, hybrid, and native. CatOS mode provides only Layer 2 functionality for Supervisor Engines. Hybrid mode handles the Layer 3 cards installed
in a CatOS switch. Native (IOS) mode handles both Layer 2 and Layer 3
processes in a Catalyst switch. The Switch Fabric Module (SFM) expands the
backplane capacity of a 6500 switch from 32Gbps to 256Gbps.
Question 2
Which layer provides filtering of traffic?
A. Access
B. Distribution
C. Core
D. Service Provider Edge
Answer B is correct. The distribution layer, part of Cisco's three-layer hierarchical design, provides Layer 3 services, including filtering of traffic.
Answer A provides a user's access and answer C provides high-speed switching across the backbone, making them incorrect answers. Answer D is not
part of the three-layer hierarchy.
Question 3
Which Enterprise Composite Network Model component terminates VPN connections and provides firewall functions?
A. Enterprise Campus
B. Service Provider Edge
C. Distribution
D. Enterprise Edge
Question 4
When terminating a user's Ethernet connection to a punch-down block, you
should not exceed ______ meters in the cable length.
A. 5
B. 10
C. 20
D. 90
Answer A is correct. You should not exceed 5 meters from the user's Ethernet
desktop connection to the punch-down block or outlet. You should not
exceed 90 meters from the punch-down block to the wiring closet's patch
panel, making answer D incorrect. In any situation, the total distance should
not exceed 100 meters. Answers B and C don't have anything to do with the
recommended distance limitations.
Question 5
In small campus networks, Cisco recommends the ________ switch at the
Campus Core.
A. 1900
B. 2950
C. 3550
D. 4006
Answer C is correct. Cisco recommends using the Catalyst 3550 for the
Campus Core of small campus networks. The 1900 is EOL, making answer
A incorrect. Answer B is used at the Building Access for small campus networks. Answer D is used in medium and large campus networks.
Question 6
What operating system mode is used to provide only Layer 2 functions on a
Catalyst switch?
A. Hybrid
B. Native
C. CatOS
D. Layer-2 OS
Question 7
What CatOS command is used to make configuration changes from
Configuration mode?
A. set
B. configure terminal
C. update
D. None of these answers
Question 8
Enter the switch configuration to restrict telnet access to the switch, allowing
traffic only from 192.168.1.0/24. Also allow login access for telnets and assign
a password of cisco: ________________________.
Question 9
________ management affects the backplane of the switch.
A. Out-of-band
B. Network-band
C. Center-band
D. In-band
Answer D is correct. In-band management traffic travels across the backplane of the switch. Answer A is via the console port and doesn't traverse the
backplane of the switch, making it an incorrect answer. Answers B and C are
not types of management access.
Question 10
Which of the following is false concerning the Switch Fabric Module?
A. 256Gbps backplane capacity
B. Goes into slots 1 and 2 of the 6500 Catalyst switch
C. 30Mpps forwarding rate with CEF
D. Supports up to two SFMs for redundancy
Answer B is correct. The SFM goes into slot 7 or 8 of a Catalyst 6513 and
slot 5 or 6 of other 6500 switches. Answers A, C, and D are true, and therefore incorrect answers.
Chapter 3 VLANs, Trunks, and VTP
There are many definitions for a virtual LAN (or VLAN, for short). A VLAN
can be described as a grouping of ports on a switch or a grouping of ports on
different switches. It can also be characterized as a group of related users in
a data network or as a group of users at the same geographic location (which
is the most common). In the simplest terms, a VLAN is a broadcast domain.
In a bridged network, all devices are in the same broadcast domain. One of
the problems of using bridges for LAN segmentation is that they solve bandwidth problems, but not broadcast problems. Switches, even though they act
like bridges, have some additional features that make them more robust in
solving your networking problems.
The remainder of this chapter focuses on three areas: VLANs, trunking, and
the Virtual Trunk Protocol (VTP). All three of these areas play an integral
part in the setup of VLANs in your network.
Virtual LANs
Virtual LANs (VLANs) give an administrator the ability to break up a
switched Layer 2 network into multiple broadcast domains. The advantage
of this approach is that it can be done using switches that cost less than traditional routers. However, each broadcast domain is typically considered to
be a separate subnet. To go between subnets, a Layer 3 component, such as a
router, is still required.
VLANs can be based on the port identifier of a switch, on an end station's
MAC address or Layer 3 address, or on directory or application information.
They also can be implemented in many different ways, depending on the
media topology (Ethernet, FDDI, or ATM) that's deployed.
Advantages of VLANs
One of the main reasons that network administrators buy switches is to help
control bandwidth problems by creating multiple collision or bandwidth
domains, but they can also help contain broadcasts by implementing
VLANs. However, VLANs offer a network administrator many more advantages than just these. Here are some examples:
They ease adding, moving, or changing users in a network, thereby
groups.
They allow multiple parallel paths in a switched network for load bal-
Containment of Broadcasts
Broadcasts are a normal occurrence in LAN-based protocols such as IP, IPX,
and AppleTalk. In many cases, these broadcasts help users to find and use
services. Many applications also use multicasts to disseminate information,
which include LAN-based TV, video conferencing, routing protocols such as
OSPF and Cisco's Enhanced IGRP, and even the bridges' and switches'
Spanning Tree Protocol. Faulty network cards, Spanning Tree Protocol
problems, or an incorrect application or desktop configuration could cause a
flood of broadcasts or multicasts in a network. When switches see broadcasts
and multicasts, they treat them as unknown destinations and flood the frames
out all of their ports. Too many broadcasts, even from a single PC, can seriously slow a network's performance, if not bring it down completely.
From the user's perspective, the use of broadcasts makes their lives easier.
However, from the network administrator's perspective, broadcasts use up
bandwidth and affect every user's desktop in the switched network. Some
mechanism is needed to rein in the propagation of broadcasts.
Routers were traditionally used to solve broadcast problems in data networks. Unfortunately, the use of routers on a port-by-port basis is a very
expensive solution for performing this barrier function. When switches were
first developed, they were essentially bridges with many ports. All ports were
in the same broadcast domain, just like a bridge. This is sometimes referred
to as a flat network.
VLAN Implementations
Because broadcasts can be generated in all kinds of network operating systems and applications, you have a lot of flexibility in creating VLANs and
assigning people and computers to them. You can base VLANs on the
following items:
The Layer 3 protocols currently being used in the network
The groups, departments, or divisions in a company
The specific security needs of certain resources
The applications being used in the network
End-to-End VLANs
One of the unique properties of VLANs is that they can span multiple
switches. The physical boundaries of where people and resources are located are removed. In Figure 3.1, a switched network has three VLANs spread
across three switches: Accounting, Information Services, and Marketing.
[Figure 3.1: Accounting VLAN, Information Services VLAN, Marketing VLAN]
Note that all the servers are located off of one switch. In traditional networks, resources such as local file servers would usually be located in the
same place as the users. Spreading the resources like this makes their management much harder and security harder still. Using VLANs, an administrator can create the illusion that the file server is on the same segment as the
users that access it, even though the file server could be on a completely different floor in a completely different building. Figure 3.2 gives a detailed
view of both a physical and logical representation of this concept.
End-to-end VLANs have the following characteristics:
Users are grouped into a VLAN based on function, not location.
The user belongs to the same VLAN no matter where she plugs her PC
into the network (this requires Ciscos VMPS, which is discussed later in
this chapter).
End-to-end VLANs are typically used for security reasons or for appli-
[Figure 3.2 (Physical View and Logical View): Switch 1 Accounting VLAN, Switch 2 Marketing VLAN, Switch 3 Information Services VLAN]
Local VLANs
The problem with end-to-end VLANs is that they become extremely difficult to maintain as the campus network grows and changes. Because of this,
most network administrators of campus environments use local VLANs.
Unlike end-to-end VLANs, local VLANs are very easy to plan and implement. Local VLANs are based on geographic locations by demarcation at a
hierarchical boundary (core, distribution, access). Therefore, a local VLAN
would never span from an access layer to a core block. Because VLANs are
created based on geographic or physical boundaries, it's not uncommon to
see much of the traffic leaving the broadcast domain to access a resource.
There are two generic rules when dealing with traffic flow: 80/20 and 20/80.
The 80/20 rule assumes that 80% of the traffic stays local to a VLAN and
20% leaves a VLAN through a Layer 3 device. Local VLANs assume this
premise. Note that with this implementation, VLANs are solely used to solve
broadcast problems.
With the 20/80 rule, 20% of the traffic stays within the VLAN and 80%
leaves it. In this situation, a burden is placed on the Layer 3 device that is
used to interconnect VLANs. Although they do introduce a latency issue
because of the access of resources outside of the VLAN, this can easily be
solved with multilayer switching, which is discussed in Chapter 6,
"Multilayer Switching."
VLAN Assignment
There are two methods that you can use to associate users to VLANs:
dynamic and static. The following two sections compare and contrast the
two methods.
Dynamic VLANs
Dynamic VLANs require you to assign a user to a VLAN, and switches
dynamically use this information to configure the port on the switch automatically. Dynamic VLANs can be based on the following items:
The MAC addresses of workstations
The Layer 3 addresses (such as IP addresses)
The protocol type (such as IP or IPX)
Directory information stored in Novell's NDS or Microsoft's Active
Directory
The advantage of using dynamic VLANs is that network technicians don't
have to worry about making any changes on a switch when they move a user
from one location to another, which is advantageous when end-to-end
VLANs are deployed. Cisco currently allows you to use CiscoWorks 2000 to
implement dynamic VLANs based on MAC addresses.
A VLAN Management Policy Server (VMPS) associates MAC addresses to
VLANs. When a user connects to a switch and the switch sees the user's
MAC address, the switch sends the user's MAC address to the VMPS server.
The server responds with the user's VLAN and the switch associates this
VLAN with the user's interface.
Problems with MAC-based dynamic VLANs include PC NICs failing, PCs
being upgraded, and new PCs continually being added to the network.
Managing these MAC addresses soon becomes a headache in a large-scale
switched network.
Therefore, most administrators choose to base VLAN membership on directory information. Out of all these mechanisms for implementing dynamic
VLANs, the use of directory information is the most flexible and the easiest
to maintain. The only time you would have to make changes to the VLAN
database is when a user is hired, fired, or changes departments. Many vendors, including Cisco, are developing directory-based dynamic VLANs. The
remainder of this chapter and book focus on static VLANs and their
configuration.
Dynamic VLANs use a VMPS to assign VLAN information to a switch, which is then
associated with a user's port. This enables users to be located anywhere in the network and still be assigned to the correct VLAN. Membership is typically based on a
device's MAC address.
Static VLANs
Ciscos initial implementation of VLANs was based on the port that a user
was assigned to. This is sometimes referred to as port-based membership. Using
this initial implementation, you would configure every port on a switch to
reflect the appropriate VLAN for the users. This could easily be done either
via a command-line interface or an SNMP-based product using a graphical
interface. Anytime a user moved his workstation to a different area, you would
have to reconfigure only the port to which the user attaches.
Static VLANs are normally used in local VLAN implementations, where the
problem of containing broadcasts is more important than placing specific
users in certain VLANs. Use static VLANs when any of the following criteria apply to your situation:
You have tight control over the moving of users and resources in the
campus
You do not want the hassles of maintaining the large tables required of
dynamic VLANs
You have a management package that easily maintains VLANs in your
campus
Static VLANs are manually configured: You specify which interface belongs to which
VLAN. This configuration is typically used in a more stable or static environment.
Configuring static VLANs is a very simple process.
As you can see, the newer method is done from within Configuration mode.
To delete a VLAN, just preface the vlan command with the no parameter.
Cisco recommends that you perform all your VLAN configurations using the newer
method; that is, from Configuration mode.
Use the vlan command to create your VLANs. This can be done from Privilege EXEC
mode within the vlan database or from Configuration mode.
When you've entered the interface, use the switchport mode access command to
specify that this interface is associated with a single VLAN. The switchport
access vlan command associates a VLAN to this particular interface.
Depending on the model, there is at least one pre-configured VLAN on your switch:
VLAN 1. By default, all ports are associated with VLAN 1.
Use the switchport mode access command to define an interface as an access link
and the switchport access vlan command to associate an interface with a VLAN.
Chapter 3
Without any of the optional parameters, all VLANs are listed. You can
optionally specify a VLAN number or name to examine a specific VLAN.
Here's an example of the use of this command:
Switch# show vlan

VLAN Name                             Status    Mod/Ports
---- -------------------------------- --------- ----------------
1    default                          active    fa0/3-24
10   VLAN0010                         active    fa0/1-2
20   VLAN0020                         active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- --- ------ ------
1    enet  100001 1500                                 0      0
10   enet  100010 1500                                 0      0
20   enet  100020 1500                                 0      0
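The membership table above is the first thing to read when checking where ports actually ended up. The following parser is an added example (not code from the book): it reads the port-membership part of a show vlan listing, expands range notation such as fa0/3-24 as well as the comma-separated lists newer IOS prints, and reports the ports still sitting in VLAN 1, which, as the text notes, is where every port starts by default. The sample output is constructed to mirror the listing in the text.

```python
"""Parse the port-membership table of a Cisco IOS 'show vlan' listing.

Added example; not code from the book. The sample output below is constructed
to mirror the listing in the text (range notation such as fa0/3-24).
"""
import re

# Constructed sample output, laid out like the 'show vlan' listing in the text.
SHOW_VLAN = """\
Switch# show vlan

VLAN Name                             Status    Mod/Ports
---- -------------------------------- --------- ----------------
1    default                          active    fa0/3-24
10   VLAN0010                         active    fa0/1-2
20   VLAN0020                         active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- --- ------ ------
1    enet  100001 1500                                 0      0
"""

# A membership row: VLAN id, name, status word, then an optional port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(active|suspended|act/lshut|act/unsup)\s*(.*)$")
# Newer IOS wraps long port lists onto continuation lines that carry only ports.
CONT = re.compile(r"^\s{10,}(\S.*)$")
# fa0/3, Fa0/3-24, Gi1/0/1-3: prefix with slot path, first port, optional last port.
PORT = re.compile(r"([A-Za-z]+(?:\d+/)+)(\d+)(?:-(\d+))?")


def expand_ports(text):
    """'fa0/3-24, fa0/1' -> ['fa0/3', ..., 'fa0/24', 'fa0/1']."""
    ports = []
    for item in re.split(r",\s*", text.strip()):
        if not item:
            continue
        m = PORT.fullmatch(item)
        if m is None:
            raise ValueError(f"unrecognized port {item!r}")
        prefix, low, high = m.group(1), int(m.group(2)), m.group(3)
        high = int(high) if high is not None else low
        ports.extend(f"{prefix}{n}" for n in range(low, high + 1))
    return ports


def parse_show_vlan(output):
    """Return {vlan_id: {'name': ..., 'status': ..., 'ports': [...]}}."""
    vlans, current = {}, None
    for line in output.splitlines():
        if line.startswith("VLAN Type"):      # second table (Type/SAID/MTU): no ports
            break
        m = ROW.match(line)
        if m:
            current = vlans[int(m.group(1))] = {
                "name": m.group(2), "status": m.group(3),
                "ports": expand_ports(m.group(4)),
            }
            continue
        c = CONT.match(line)
        if c and current is not None:
            current["ports"].extend(expand_ports(c.group(1)))
    return vlans


def vlan_of(vlans, port):
    """VLAN a port belongs to, or None if it is not listed (for example a trunk)."""
    for vid, info in vlans.items():
        if port in info["ports"]:
            return vid
    return None


def ports_left_in_vlan1(vlans):
    """Ports still in VLAN 1. Every port starts there by default, so a long list
    here usually means ports that were never deliberately assigned."""
    return list(vlans.get(1, {"ports": []})["ports"])


if __name__ == "__main__":
    table = parse_show_vlan(SHOW_VLAN)
    for vid, info in table.items():
        print(vid, info["name"], info["status"], ", ".join(info["ports"]) or "(no ports)")
    print("still in VLAN 1:", ports_left_in_vlan1(table))
```

Ports that appear in no VLAN row (vlan_of returns None) are usually trunks, which show vlan does not list under any single VLAN; the show interfaces switchport output discussed next is the place to confirm that.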
Here's an example:
Switch# show interface fastethernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100
To see which MAC addresses are associated with which interfaces, as well as
which VLAN the interface is associated with, you can use the show mac-address-table command, which displays the port address or CAM (content addressable memory) table:
Switch# show mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0008.7422.1234    DYNAMIC     Fa0/1
As you can see in this example, there is one MAC address in the table off of
interface fa0/1, which is associated with VLAN 1.
status of the interface with the show interfaces command. Use CDP
to check connectivity. Check the duplexing of the connection (auto
negotiation is a common problem with the negotiation of the duplexing mode).
2. Is your router and switch configuration correct? Verify that you've
sure that the appropriate interfaces are associated with the correct
VLANs.
Trunks
The previous sections discussed interfaces that belong to only one VLAN.
These are sometimes referred to as access links and are completely transparent to the users. The users have no knowledge of the existence of the VLAN.
However, to maintain VLAN information, the originating frame from a user
must contain VLAN information that the switch fabric can use to forward
the frame.
Frame Tagging
As a frame enters the switch fabric, it's encapsulated or tagged with some
additional information that identifies VLAN properties for the frame as it is
switched through the switch fabric. This includes the VLAN ID or number,
sometimes referred to as the VLAN color. This additional information
remains on the frame as it's forwarded across the switched backbone from
switch to switch.
A trunk link is a connection between two trunk-capable devices. These devices
could be two switches, a switch and a router, or even a switch and an end station. Trunking essentially extends the backplane of the switch. Normally, only
traffic from one VLAN can be associated with a port. The exception to this is
a trunk port. A trunk port allows multiple VLANs to cross it to a neighboring
device, unlike an access link. Trunking is performed by encapsulating or tagging frames in hardware by the ASICs on each port. Encapsulating or tagging
adds information, such as the VLAN number, to help in the forwarding of the
frame by other switches. By default, trunk links carry all VLAN traffic, but
you can restrict which VLANs can traverse a trunk.
The additional VLAN information remains on the frame until it reaches its
destination port, where it is then stripped off. This whole process occurs at
Layer 2 and is completely transparent to the user. At both the source and
destination, the users see the original frame, but as the frame is forwarded
between switches, the additional VLAN information is also seen.
Unlike an access (user) port that does not understand the frame encapsulating or tagging added by a switch, a trunk port expects that the device at the
other end of the connection does understand the frame tagging. Standard
Ethernet cards do not understand the additional VLAN information that's
been added to or inserted into a frame. When carrying information from
many VLANs between switches, you need this type of link. The destination
switch somehow needs to know what VLAN the frame originated from so
that it does not forward the frame out incorrect ports. You would not want a
broadcast from one VLAN to be propagated to other VLANs. In certain
cases, as shown in Figure 3.3, it even makes sense to buy a special card that
does understand the tagging for an end station.
[Figure 3.3 (diagram): end stations in VLAN 1, VLAN 2, and VLAN 3 attached to switches whose trunk links carry VLANs 1-3 to an e-mail server.]
Figure 3.3 Tagging can be done between trunk-capable NICs, including switches, routers, and
file servers.
Protocols
One important aspect of VLANs is for the switch fabric to carry the VLAN
information across different media topologies, such as Ethernet, token ring,
FDDI, and ATM. Here are the four VLAN tagging mechanisms supported
by Cisco:
Cisco's proprietary InterSwitch Link (ISL): Ethernet and token ring support
IEEE's 802.1Q: Ethernet and token ring support
Cisco's extension to 802.10: FDDI support
ATM Forum's LAN Emulation (LANE): ATM support
Please note that not all Cisco devices support all the preceding trunking protocols. For example, Cisco's Catalyst 1900 switches support only ISL, the
Catalyst 2950s support only 802.1Q, and the discontinued Catalyst 5000s
supported all four. With FDDI, the Security Association Identifier (SAID) is
used to carry VLAN information across a FDDI backbone. This book focuses on Cisco's ISL and IEEE's 802.1Q trunking protocols.
ISL
ISL is a Cisco-proprietary technology for trunking VLANs at Layer 2.
Unlike normal Ethernet NICs, ISL cards cost more because specialized
ASICs and processors are included to support the framing encapsulation at
gigabit speeds. ISL adds a 26-byte header and a 4-byte trailer (which is a
CRC) to the original Ethernet frame, for a total of 30 bytes. Figure 3.4 shows
a picture of an ISL frame.
[Figure 3.4 (diagram): ISL frame layout. ISL header fields: DA, Type, User, SA, Length, AAAA03, HSA, VLAN, BPDU, Index, Res; followed by the encapsulated frame and the ISL CRC.]
Some of the items included in the header are the source and destination MAC
address that are duplicated from the original frame, the type of frame
(Ethernet, FDDI, token ring, or ATM), the priority of the frame, the length
of the frame (not including the CRC), and the VLAN number (located in the
VLAN ID field). The BPDU field is a one-bit descriptor that signifies that the
encapsulated frame is either a Spanning Tree Protocol (STP), Bridge
Protocol Data Unit (BPDU), or Cisco Discover Protocol (CDP) information,
or is a normal Ethernet frame. There are two Frame Check Sequence
(CRC) fields in an encapsulated frame: one for the original Ethernet frame
and one for the ISL header and encapsulated Ethernet frame.
ISL requires a special Ethernet NIC that not only understands the VLAN
information in ISL frames but also allows the NIC to add VLAN information to frames. Some Cisco routers support ISL, some Cisco switches support ISL, and third-party companies, such as Intel, produce ISL NICs. From
an end station's perspective with an ISL NIC, the software driver that's
loaded on the machine creates the illusion that there are many logical cards
connected to different Ethernet segments. The user would configure each
logical card with the appropriate network address that reflects the VLAN to
which the logical card belongs.
When setting up a trunk connection with ISL, both sides must be configured
with the same encapsulation. If one side is set to ISL and the other is set to
a normal Ethernet frame encapsulation, the normal Ethernet NIC won't
understand the VLAN tagging, and will mistake it for a normal Ethernet
frame. The problem that this typically causes is that a normal Ethernet frame
can be up to 1518 bytes in length, and ISL adds 30 bytes. If the MTU was
set to 1500 for the data, and 18 bytes for the MAC header information and
FCS, when you add 30 bytes for the ISL information, the frame grows to 1548 bytes and exceeds the maximum valid size for an Ethernet frame. A normal Ethernet NIC
would see this kind of frame as a giant and drop it.
802.1Q
Early in the summer of 1998, the IEEE standardized the frame tagging
process for trunking VLANs and produced the 802.1Q standard. One problem with Cisco's ISL frame encapsulation process is that other switching
vendors do not support it. In almost all cases, each vendor implements
VLANs differently, thus making it nearly impossible to use switches from
more than one vendor. Today, companies are no longer restricted to sticking
with just one vendor for their switching purchases. This is especially important with the great flux of changes occurring in today's industry. If a new
switching technology becomes available from a startup company, it becomes
much easier to integrate it into a corporation's existing switched network.
You no longer have to wait months for your preferred switching vendor to
either parallel the new technology or buy rights to it.
Both ISL and 802.1Q add VLAN information to the Ethernet frames explicitly. However, how they perform this process is different. With ISL, a 26-byte
header and a 4-byte trailer are added to the frame; the original frame is not
modified. This process is referred to as encapsulation. With 802.1Q, the actual frame is modified or tagged. To denote VLAN information, a 4-byte Tag
Protocol Identifier (TPID) and a 2-byte Tag Control Information (TCI) are
inserted between existing fields in the Ethernet frame, shown in Figure 3.5.
Because the information is inserted into the original Ethernet frame, the
original frame's CRC is regenerated to accommodate the change. The
advantage of using the 802.1Q tagging process over ISL is that, in an ISL
trunking environment, ISL-aware cards must be used because a frame could
be larger than 1518 bytes, the maximum size of an Ethernet frame. With
802.1Q, the frame size is only increased by 4 bytes and can be forwarded by
a non-802.1Q-aware device.
Because of the tagging information placed into a frame, 802.1Q provides
some advantages over ISL:
If the MTU is only 1500 bytes (plus the 18 bytes for the MAC header
and trailer), the 4-byte tag inserted into the frame totals 1522 bytes. By
adjusting the MTU to 1496, the 802.1Q frame does not exceed
Ethernet's maximum MTU and therefore can be processed by non-802.1Q devices, such as other switches. Other non-802.1Q switches
process the frame like a normal Ethernet frame. (Remember that switches only need to see the destination MAC address to make a switching
decision as well as check the CRC if the switch is using store-and-forward
switching.)
802.1Q supports prioritization, which is processed as the tagged frame is
ISL encapsulates, whereas 802.1Q tags. ISL adds a 26-byte header and 4-byte trailer (CRC). 802.1Q inserts a 4-byte field and recomputes the frame's CRC.
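The frame-size arithmetic in the ISL and 802.1Q sections is easy to get wrong when reading a capture, so here it is carried out on real byte strings. This is an added example, not code from the book: it builds an untagged frame, inserts the 4-byte 802.1Q tag (a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding the 3-bit priority and 12-bit VLAN ID), parses it back, assigns an untagged frame to the native VLAN, and computes the on-the-wire sizes the text quotes (1518, 1522 and 1548 bytes). The MAC addresses and payload are constructed.

```python
"""Build, tag and measure Ethernet frames to compare ISL encapsulation with
802.1Q tagging. Added example, not code from the book; the MAC addresses and
payload are constructed."""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier announcing an 802.1Q tag
FCS_LEN = 4              # Ethernet trailer (CRC-32); not part of the byte strings below
MAX_UNTAGGED = 1518      # 1500-byte payload + 14-byte MAC header + 4-byte FCS
ISL_OVERHEAD = 26 + 4    # ISL header plus ISL CRC trailer, as the text states


def build_frame(dst, src, ethertype, payload):
    """Untagged frame without FCS: DA(6) SA(6) Type(2) payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, priority=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the Type field.
    The tag is a 2-byte TPID (0x8100) followed by 2 bytes of TCI:
    3-bit priority, 1-bit DEI (zero here) and a 12-bit VLAN ID."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_vlan(frame, native_vlan=1):
    """Return (vlan_id, priority, frame_with_tag_removed).
    An untagged frame is assigned to the native VLAN, as on an 802.1Q trunk."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return native_vlan, 0, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def wire_size_untagged(untagged_frame):
    """Bytes on the wire for the plain frame, FCS included."""
    return len(untagged_frame) + FCS_LEN


def wire_size_8021q(untagged_frame):
    """Bytes on the wire once the 4-byte tag is inserted, FCS included."""
    return len(untagged_frame) + 4 + FCS_LEN


def wire_size_isl(untagged_frame):
    """ISL keeps the original frame (with its own FCS) intact and wraps it."""
    return len(untagged_frame) + FCS_LEN + ISL_OVERHEAD


def exceeds_ethernet_max(size):
    """A NIC without trunking support treats anything above 1518 bytes as a giant."""
    return size > MAX_UNTAGGED


if __name__ == "__main__":
    # Constructed addresses and a full 1500-byte payload.
    dst, src = b"\xff" * 6, bytes.fromhex("000874221234")
    frame = build_frame(dst, src, 0x0800, b"\x00" * 1500)
    tagged = tag_frame(frame, vlan_id=10, priority=5)
    print("untagged:", wire_size_untagged(frame))
    print("802.1Q  :", wire_size_8021q(frame), "giant:", exceeds_ethernet_max(wire_size_8021q(frame)))
    print("ISL     :", wire_size_isl(frame), "giant:", exceeds_ethernet_max(wire_size_isl(frame)))
    print("parsed  :", read_vlan(tagged)[:2])
    # The text's workaround: a 1496-byte payload keeps the tagged frame at 1518.
    small = build_frame(dst, src, 0x0800, b"\x00" * 1496)
    print("1496 payload tagged:", wire_size_8021q(small))
```

Reading the tag back with read_vlan is also how a capture tool decides which VLAN a frame belongs to; the native_vlan parameter is what makes the "same native VLAN on both ends" requirement in the next section matter, because two ends with different defaults would file the same untagged frame under different VLANs.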
Native VLANs
802.1Q trunks support a native VLAN. A native VLAN is one that does not
tag frames. This is different from ISL, where all VLANs that traverse the
trunk carry VLAN information. Actually, a native VLAN has the following
criteria:
A native VLAN is the VLAN number associated with the interface for
nontagged frames.
The native VLAN defaults to VLAN 1 on Cisco switches, but can be
configured to any VLAN. It's important to point out that all 802.1Q
devices connected to the same trunk must use the same VLAN number
for the native VLAN.
802.1Q tagging devices and non-802.1Q devices can coexist on an
802.1Q trunk.
One advantage that native VLANs provide is that you can have both 802.1Q
and non-802.1Q devices on the same trunk connection, as is shown in Figure
3.6. In this example, assume the native VLAN is 1 and that PC-D and PC-E
are in this VLAN. As you can see from the figure, there is an 802.1Q trunk
between the switches, but a hub is providing connectivity. Plus, PC-E is connected to this hub. For PC-E to send traffic to PC-D, PC-E either needs an
802.1Q NIC or must be placed in the native VLAN. The other PCs, PC-A,
PC-B, and PC-C, are in another VLAN, such as VLAN 2, and can use normal NICs to communicate with each other. The trunk between the two
switches tags frames from these devices with a VLAN 2 identifier.
[Figure 3.6 (diagram): PC-A, PC-B, PC-C, PC-D, and PC-E attached to SwitchA and SwitchB, with the 802.1Q trunk between the switches passing through a hub to which PC-E also connects.]
A native VLAN is a VLAN on an 802.1Q trunk where the frames for this VLAN are not
tagged. This allows non-802.1Q devices to also be connected to the trunk, but still
allows tagging of frames for other VLANs.
provider's network, perhaps with 10,000 VLANs among all of these companies. Of course, 802.1Q wouldn't be able to handle this when trying to
keep all the VLANs straight among all the customers.
However, 802.1Q supports a tunneling feature that enables you to keep your
own VLAN numbers as they are transferred across someone else's network.
For this process to take place, the original Ethernet frame is tagged twice:
once by your own switch, and again by the provider's switches. Figure 3.7
shows an example of this double tagging.
As you can see in this example, the top frame is the original Ethernet frame
and the middle frame is the frame that your switch tagged. The bottom
frame is the one tagged by the service provider. With the second tagging, the
service provider inserts its VLAN tag before your tag and then recomputes a
new FCS value. When the frame exits the service provider's network and is
forwarded to your remote site, the service provider removes its tag and
recomputes the FCS value based on your original tagged frame. Through
this process, your 802.1Q frame can be transmitted transparently through
the service provider's network, based on its own internal VLAN configurations. The second tag that the provider adds is sometimes called a metro tag.
Interestingly, multiple levels of tunneling (tagging) are possible, but Cisco currently
supports only one level on its Catalyst switches.
For nontagged frames that enter a service provider's network from a native VLAN, the
service provider performs its normal tagging process, which is stripped off at the
service provider's exit switch.
When using tunneling, BPDUs from your internal switches, CDP information, and VTP information can be tunneled through a carrier's network to
your remote switch or switches, enabling you to treat the service provider's
network as transparent (invisible). If your provider doesn't support tunneling, the provider either processes or drops this information, and forwards
only user traffic. 802.1Q tunneling is discussed in more depth in Chapter 11,
Metro Ethernet.
An alternative solution is the use of the Generic Bridge PDU Tunneling
(GBPT) protocol. GBPT allows the service provider switch to change the
original destination multicast address in the frame to a Cisco-proprietary
one: 0100.0ccd.cdd0. This is then forwarded out all trunk connections in the
native VLAN. One restriction of this feature is that when you enable GBPT
on a port, frames from other enabled protocols are not sent out of the port.
Service providers use 802.1Q tunneling to tunnel tagged VLAN information across a
carrier's backbone. This allows the carrier to connect to thousands of sites with different VLAN configurations and to treat them transparently.
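The double-tagging walk-through above (customer tag, metro tag pushed in front of it, FCS recomputed at each step, metro tag popped at the exit switch) is shown here on byte strings. This is an added example, not code from the book; the addresses, payload and VLAN numbers are constructed, and the FCS is the standard CRC-32 that zlib.crc32 computes. tag_stack lists every VLAN tag a frame carries, outermost first, which is the view an analyst wants when a capture from inside a provider network shows two tags on one frame. The native-VLAN case from the note above (an untagged frame picks up only the metro tag and leaves with none) is covered as well.

```python
"""802.1Q tunneling (double tagging) as described above, with the FCS that is
recomputed at each step. Added example, not code from the book; addresses,
VLAN numbers and payload are constructed."""
import struct
import zlib

TPID_CTAG = 0x8100   # customer 802.1Q tag (the text's "your tag")
TPID_STAG = 0x88A8   # 802.1ad service tag; the Cisco tunneling described in the
                     # text uses 0x8100 for the provider's metro tag as well
TAG_TPIDS = (TPID_CTAG, TPID_STAG)


def fcs(frame):
    """Ethernet FCS: CRC-32 over everything from DA to the end of the payload."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def push_tag(frame, vlan_id, tpid=TPID_CTAG):
    """Insert a tag right after the source MAC, i.e. in front of any existing tag."""
    return frame[:12] + struct.pack("!HH", tpid, vlan_id & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame carries no tag to remove")
    return frame[:12] + frame[16:]


def tag_stack(frame):
    """VLAN IDs carried by the frame, outermost first (empty for untagged)."""
    ids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] in TAG_TPIDS:
        ids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return ids


def provider_ingress(frame, metro_vlan):
    """Provider edge switch: add the metro tag and recompute the FCS."""
    out = push_tag(frame, metro_vlan)
    return out, fcs(out)


def provider_egress(frame):
    """Provider exit switch: strip the metro tag and recompute the FCS."""
    out = pop_tag(frame)
    return out, fcs(out)


def tunnel_round_trip(customer_frame, metro_vlan):
    """Carry a customer frame (tagged or untagged) across the provider. Returns
    what the remote site receives and the tag stack seen at each stage."""
    inside, _ = provider_ingress(customer_frame, metro_vlan)
    delivered, _ = provider_egress(inside)
    return delivered, {"sent": tag_stack(customer_frame),
                       "in_provider": tag_stack(inside),
                       "delivered": tag_stack(delivered)}


if __name__ == "__main__":
    # Constructed frame: broadcast DA, a made-up SA, IPv4 type, 46 zero bytes.
    base = b"\xff" * 6 + bytes.fromhex("000874221234") + struct.pack("!H", 0x0800) + b"\x00" * 46
    tagged = push_tag(base, 20)                        # your switch tags VLAN 20
    delivered, stages = tunnel_round_trip(tagged, metro_vlan=500)
    print(stages)
    print("original tag intact:", delivered == tagged, "FCS restored:", fcs(delivered) == fcs(tagged))
    print("native-VLAN frame:", tunnel_round_trip(base, metro_vlan=500)[1])
```

Because the provider's tag goes in front of yours, the provider's switches only ever read the outer tag and never need to understand your VLAN numbering, which is why the text can say the provider network is transparent to your own 802.1Q configuration.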
trunking mode is dynamic auto, which means that the configuration of the
remote interface determines whether the interface becomes a trunk or
remains an access link connection.
Table 3.1 DTP Modes and Trunking Information
DTP Mode           Generate DTP Frames?   Trunking?
Trunk              Yes                    Yes
Access             No                     No
Dynamic Desirable  Yes                    No
Dynamic Auto       No                     No
Nonegotiate        No                     Yes
Table 3.2 shows the combinations of modes that cause trunking to occur. Any
other combination of modes causes the interface to act as an access link
connection.
Table 3.2 When Trunks Are Formed
Side A Mode
Side B Mode(s)
Trunk
Dynamic Desirable
Nonegotiate
Nonegotiate
Know the DTP modes required on both switches in order to form a trunk, as shown
in Table 3.2.
Even though it isn't necessary to disable an interface when enabling trunking, doing so is recommended. You must first specify either ISL or 802.1Q
as the trunking type with the switchport trunk encapsulation command,
shown in Listing 3.1, and then specify the trunking mode with the switchport
mode trunk command. Refer to Table 3.1 for an explanation of the modes.
The switchport trunk native command is applicable only to 802.1Q trunks
and is optional. This command specifies the native VLAN number for the
trunk. By default, this is VLAN 1.
The switchport trunk allowed command is also an optional command. This
command enables you to manually prune off VLANs from a trunk. By
default, all VLANs are allowed to traverse a trunk. This is discussed in more
depth in the VTP Pruning section later in this chapter.
Use the switchport trunk encapsulation command to specify ISL or 802.1Q trunking. Use the switchport mode command to set the trunk. Remember the five modes:
trunk, dynamic desirable, dynamic auto, nonegotiate, and access. Use the switchport
trunk allowed vlan command to restrict VLANs on a trunk. Don't be surprised to see
a simulation question on this.
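Tables 3.1 and 3.2 and the switchport mode commands above reduce to a small decision rule, written out here as an added example (not code from the book). forms_trunk answers Table 3.2 for any pair of the five modes; mismatched flags the case the troubleshooting checklist is about, where one side trunks and the other stays an access link; and negotiating_ports scans a running-config excerpt (constructed, in the style of Listing 3.2) for interfaces whose mode still lets the neighbour decide whether a trunk forms, including interfaces that were given an access VLAN but never an explicit switchport mode access and therefore keep the dynamic auto default the text describes.

```python
"""DTP trunk negotiation (Tables 3.1 and 3.2) as a decision function, plus a
check of which configured interfaces can still negotiate a trunk. Added
example, not code from the book; the running-config sample is constructed.
Nonegotiate is treated as a fifth mode, as the text lists it."""

MODES = ("trunk", "dynamic desirable", "dynamic auto", "nonegotiate", "access")

# Neighbour modes that make the local side trunk. Trunk and nonegotiate trunk
# unconditionally; access never does; the two dynamic modes depend on whether
# the neighbour sends DTP frames (desirable initiates, auto only answers).
_TRUNKS_WITH = {
    "trunk":             set(MODES),
    "nonegotiate":       set(MODES),
    "access":            set(),
    "dynamic desirable": {"trunk", "dynamic desirable", "dynamic auto"},
    "dynamic auto":      {"trunk", "dynamic desirable"},
}


def side_trunks(mine, other):
    """Does the local side end up trunking, given both DTP modes?"""
    if mine not in MODES or other not in MODES:
        raise ValueError("unknown DTP mode")
    return other in _TRUNKS_WITH[mine]


def forms_trunk(a, b):
    """Table 3.2: a usable trunk exists only when both sides end up trunking."""
    return side_trunks(a, b) and side_trunks(b, a)


def mismatched(a, b):
    """One side trunks while the other stays an access link, which is what the
    troubleshooting checklist means by DTP modes not acceptable to a trunk."""
    return side_trunks(a, b) != side_trunks(b, a)


# Constructed running-config excerpt in the style of Listing 3.2.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
!
"""


def interface_modes(config, default="dynamic auto"):
    """Map each interface to its switchport mode. Interfaces with no explicit
    'switchport mode' line keep the default the text gives: dynamic auto."""
    modes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            modes[current] = default
        elif current is not None and line.startswith("switchport mode "):
            modes[current] = line[len("switchport mode "):].strip()
    return modes


def negotiating_ports(config):
    """Interfaces whose mode lets the neighbour decide whether a trunk forms."""
    return sorted(name for name, mode in interface_modes(config).items()
                  if mode in ("dynamic desirable", "dynamic auto"))


if __name__ == "__main__":
    for a, b in [("trunk", "dynamic auto"), ("dynamic auto", "dynamic auto"),
                 ("nonegotiate", "dynamic desirable"), ("trunk", "access")]:
        print(f"{a:18} <-> {b:18} trunk={forms_trunk(a, b)} mismatch={mismatched(a, b)}")
    print("still negotiating:", negotiating_ports(RUNNING_CONFIG))
```

FastEthernet0/3 in the sample is the case worth noticing: an access VLAN was assigned, but without switchport mode access the port is still in the dynamic auto default, so whether it becomes a trunk is decided by whatever is plugged into it.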
Let's take a look at the output of all three of these commands. Listing 3.2
shows an example of the first one.
Listing 3.2 show running-config interface Example
Switch# show running-config interface fastethernet 0/1
Building configuration...
!
Current configuration: 33 bytes
interface FastEthernet 0/1
switchport mode dynamic desirable
switchport trunk encapsulation dot1q
end
The listing shows that one interface was set to a desirable DTP mode and
formed a trunk with the remote device.
and that you're using the correct cable type (crossover versus straight).
Make sure that the trunking type (ISL or 802.1Q) is the same on both
sides and that the DTP modes are acceptable to forming a trunk.
For 802.1Q trunks, check that the native VLAN is the same on both sides.
VTP Advantages
Because many networks have mixed media or are going through a migration
to a new backbone media topology, such as Gigabit Ethernet or ATM, a special protocol is needed to provide compatibility for the implementation of
VLANs within these mixed-media topologies. Many networks today employ
Ethernet to the desktop, utilizing Fast Ethernet as a backbone solution. You
must first set up trunk connections for VTP to take place.
With VTP, a broadcast initiated in a VLAN from an Ethernet segment can
automatically be propagated to a FDDI backbone where servers belonging
to that VLAN or servers performing trunking will also see the broadcast. In
traditional networks, a router would be required to perform this type of connectivity, but in today's switched networks, VTP can be used to integrate
mixed-media topologies, gaining you an increase in performance at a
reduced cost.
Another advantage of VTP is that it does not necessarily require that a new
VLAN be manually added to every switch in the network. By adding a
VLAN to one switch, VTP can propagate this information to every other
switch in the network, thus creating a consistent VLAN implementation. For
very large switched networks with tens or hundreds of switches, this becomes
a very important tool to help you manage your network.
VTP provides a consistent broadcast domain across a mixed-topology network as
well as the dynamic reporting of VLAN changes across your network. VTP information is shared across trunk connections only.
Management Domain
Using VTP requires setting up a management domain. A domain is a grouping of switches that will be sharing information about VLANs in a switched
network. Each domain must have a unique name, and every switch in a single domain must have the same configured domain name. A switch can
belong to only one management domain. However, switches of a management domain will contain the same VLAN information, thus providing a
consistent configuration. By default, a switch doesn't belong to any management domain. You must either configure a management domain or the
switch will learn it from a VTP advertisement on one of its trunks.
Each VTP-capable switch advertises VTP-multicast information periodically on its trunk ports on the factory-default VLAN. This includes information
about the management domain itself, the version of VTP in use, and VLANs
and their configuration. A switch can be configured in one of three different
VTP modes: server, client, and transparent.
VTP Modes
VTP servers and clients maintain all VLANs everywhere within the VTP
domain. A VTP domain defines the boundary of a particular VLAN. Servers
and clients transmit information through trunks to other attached switches
and receive updates from those trunks.
Table 3.3 VTP Modes
Mode         Add, Delete, Change VLANs?   Generate VTP Messages?   Process VTP Messages?   Save Config in NVRAM?
Server       Yes                          Yes                      Yes                     Yes
Client       No                           Yes                      Yes                     No
Transparent  Yes                          No                       No                      Yes
Be able to compare the three different VTP modes shown in Table 3.3.
VTP Messages
Switches belonging to the same VTP domain advertise information to each
other on their trunk ports. Servers and clients are responsible for making
sure that the VLANs in a network are consistent throughout the switched
network. When VTP messages are generated, they contain at least the
following information:
VLAN numbers for ISL and 802.1Q Ethernet VLANs, ELAN names
Message   Originator
Summary   Server
Subset    Server
Request   Client
Processing Messages
If the management domain name in a VTP message does not match that of
the receiving switch, the advertisement is ignored. Advertisements that are
generated by VTP switches contain a revision number. This number helps
receiving switches to determine whether the information contains a change
or is the same as the information it currently has. The VTP message with the
highest revision number is the most current. Whenever you make a VLAN
change on a server switch, the revision number is incremented and then
advertised out all of its trunk interfaces. Care must be taken because if all the
VLANs are deleted on a server switch with the highest revision number, all
the VLANs in the management domain would also be deleted. Remember
that VTP transparent switches do not process messages from server switches. On a transparent switch, the revision number is always 0, and all messages
from server switches are not processed.
VTP also supports password authentication. If passwords are in use, an MD5 hashed value is included in the VTP advertisement. If the hashed values
between the two switches do not match, the message is ignored.
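The processing rules from the last two sections (domain name must match, MD5 digest must match when a password is set, only a higher revision number is accepted, transparent switches ignore server messages and stay at revision 0) are modelled below so the failure mode the text warns about can be watched happen: a server joining the domain with a higher revision number and only VLAN 1 overwrites a client's whole VLAN table. This is an added example, not code from the book or Cisco's implementation. The switch names, domain name, password and VLAN tables are constructed, summary and subset advertisements are collapsed into one message, and vtp_digest is a simplified stand-in for the real VTP MD5 computation.

```python
"""How a switch processes a received VTP advertisement, following the rules in
the text: domain name, MD5 digest (password), revision number, and the
transparent-mode exception. Added example, not code from the book; switch
names, domain, password and VLAN tables are constructed, and the digest is a
simplified stand-in for the real VTP MD5 computation."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict          # vlan id -> name (summary and subset collapsed into one)
    digest: bytes


def vtp_digest(password, revision, vlans):
    """Simplified stand-in for the VTP MD5 hash: covers the password, the revision
    and the VLAN table, so a wrong password or altered contents fail the check."""
    h = hashlib.md5()
    h.update(password.encode())
    h.update(str(revision).encode())
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]}".encode())
    return h.digest()


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                 # "server", "client" or "transparent"
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self):
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.password, self.revision, self.vlans))

    def receive(self, adv):
        """Apply the advertisement if it passes every check; return what happened."""
        if self.mode == "transparent":
            return "ignored: transparent switches do not process server messages"
        if adv.domain != self.domain:
            return "ignored: management domain name does not match"
        if adv.digest != vtp_digest(self.password, adv.revision, adv.vlans):
            return "ignored: MD5 digest mismatch"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} is not newer than {self.revision}"
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return f"accepted: now at revision {self.revision} with {len(self.vlans)} VLANs"

    def set_vlans(self, vlans):
        """Local VLAN change. Clients cannot; servers bump the revision; transparent
        switches change only themselves and keep revision 0."""
        if self.mode == "client":
            raise PermissionError("VTP clients cannot add, delete or change VLANs")
        if self.mode == "server":
            self.revision += 1
        self.vlans = dict(vlans)


def scenario():
    """The hazard the text warns about: a server advertising a bare VLAN table
    with a higher revision number overwrites the whole domain."""
    server = Switch("S1", "dealgroup", "server", "secret", revision=3,
                    vlans={1: "default", 10: "VLAN0010", 20: "VLAN0020"})
    client = Switch("C1", "dealgroup", "client", "secret")
    transparent = Switch("T1", "dealgroup", "transparent", "secret")
    log = [client.receive(server.advertise()), transparent.receive(server.advertise())]
    # A second server joins with a higher revision number and only VLAN 1.
    late_server = Switch("S2", "dealgroup", "server", "secret", revision=7)
    log.append(client.receive(late_server.advertise()))
    return client, transparent, log


if __name__ == "__main__":
    c, t, log = scenario()
    print("\n".join(log))
    print("client VLANs:", c.vlans, "| transparent VLANs:", t.vlans)
```

The revision check is the whole story: nothing in the protocol asks whether the incoming table is smaller than the current one, only whether its number is higher. Checking show vtp status for the revision number before attaching a previously used switch to a production domain is the practical consequence.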
network yet).
2. Set the VTP domain name, change the VTP mode to client, and save
VTP Versions
There are two different versions of VTP: 1 and 2. VTP 2 is new as of CatOS
3.1(1), which is quite a while ago. It's important to point out that the two versions are not compatible with each other: All your switches have to run either
version 2 or 1. VTP version 2 has the following additional features that version 1 lacks:
Consistency checks are performed to make sure that VLAN names and
Transparent mode switches only forward messages if the VTP version and
domain name values in the message match its own configured values.
Servers and clients propagate VTP messages out trunk interfaces even if
they don't understand the contents of the message (and store this in
NVRAM).
Know the differences between the VTP versions 1 and 2, as shown in the preceding
bullets.
If you need any of the features in the previous list, you need to enable VTP
version 2. To enable version 2, you have to enable it on only one server
switch in your network. That switch then propagates this information to all
the other switches in the VTP domain.
VTP Pruning
VTP pruning allows a switch to make more intelligent decisions concerning
the forwarding of multicast, broadcast, and unknown destinations across
trunk ports. VTP pruning is a method of traffic control that reduces unnecessary broadcast, multicast, and flooded unicast packets. This feature
restricts traffic that would normally be flooded out all trunks to only those
trunk links where the connected switches (or other networking devices) also
have ports in the associated VLAN.
Let's take a look at an example to explain the advantages of VTP pruning.
Figure 3.8 shows a network using VLANs and VTP.
The last command enables or disables version 2 of VTP. All the other commands are self-explanatory.
Use the vtp command to configure VTP. Know the commands in the preceding code
listing, especially the command to specify the VTP mode of the switch. Don't be surprised to see a simulation question on this.
In this example, there have been three configuration changes. The switch is
operating in server mode in the dealgroup domain. The following command
displays VTP statistics information concerning the VTP messages that have
been sent and received:
Switch# show vtp counters
VTP statistics:
Summary advertisements received : 12
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 93
Subset advertisements transmitted : 8
Request advertisements transmitted : 2
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0
<--output omitted-->
In this example, you can see that the switch has sent and received VTP
messages.
any changes.
Check to ensure that your trunks are configured properly between your
switches.
Verify that the VTP domain name (and password, if configured) match
Summary
The main use of VLANs is to contain broadcasts. To move traffic between
VLANs you need a Layer 3 device to route packets. End-to-end VLANs are
used when devices always need to belong to the same VLAN no matter
where the device is located, typically for security reasons. Local VLANs are
geographically based and are used to break up broadcast domains. Local
VLANs don't extend beyond a building's access and distribution layers.
VLANs can be associated to a switch interface either dynamically or statically. Dynamic VLANs use a VMPS server to associate users to VLANs, but
Question 2
You have users who continually move around in your network and you're very
concerned about security. What type of VLAN should you implement?
A. Local
B. Static
C. Dynamic
D. End-to-end
Answers C and D are correct. If you have users who are continually moving
around your network, dynamic VLANs are the best choice. In addition, if
you're concerned about security, you should implement end-to-end VLANs.
Local VLANs are typically used to control broadcasts, not security, making
answer A incorrect. Answer B is incorrect because static VLANs should be
used if users don't move around a lot.
Question 3
What command takes you into this configuration mode: Switch(vlan)#?
A. vlan
B. vtp
C. vlan database
D. vtp database
Answer C is correct. To enter the vlan database from Privilege EXEC mode,
use the vlan database command. Answer A is incorrect because it creates a
VLAN. Answer B is incorrect because it configures VTP parameters. Answer
D is incorrect because it is a nonexistent command.
Question 4
ISL adds a ______-byte header and a ______-byte trailer, whereas 802.1Q
inserts a ______-byte tag.
A. 26, 4, 4
B. 4, 26, 4
C. 4, 4, 4
D. 26, 4, 8
Answer A is correct. ISL adds a 26-byte header and a 4-byte trailer to a users
frame to encapsulate it. 802.1Q inserts a 4-byte field into the Ethernet
frame, which tags it. Answer B is incorrect because it mixed up the header
and trailer sizes for ISL. Answer C is incorrect because it has an incorrect
header size for ISL. Answer D is incorrect because it has an incorrect tag size
for 802.1Q.
Question 5
Which switch command specifies the DTP mode for trunking?
A. switchport trunk
B. switchport mode
C. switchport native
D. switchport vtp
Question 6
You're experiencing problems on trunk interface fa1/1. What command would
you use to examine the trunking status?
A. show interface fa1/1 switchport
B. show trunk fa1/1
C. show trunk A
D. show interface fa1/1
Question 7
Which DTP mode should you use if you're connecting a Cisco switch to a Nortel
switch and want to form a trunk?
A. ISL
B. 802.1Q
C. Trunk
D. Nonegotiate
Question 8
Which VTP mode processes VTP messages and saves VLAN information in
NVRAM?
A. Client
B. Server
C. Transparent
D. Client and Server
Question 9
You need to set up VTP on a switch. The management domain name is
dealgroup and the switch should be in client mode. Enter the configuration to
perform this: _________.
Enter the following commands from within either the vlan database or
Configuration mode:
vtp domain dealgroup
vtp client
Question 10
You suspect that VTP information is not being passed between two server
switches. Which of the following commands would not be helpful in troubleshooting this problem?
A. show interfaces type slot_#/port_# switchport
B. show vtp status
C. show interfaces type slot_#/port# trunk
D. show vlan
because they show the status of trunking. Answer B is helpful, but incorrect
because this command shows your VTP configuration, including the domain
name, VTP mode, and VTP password configuration.
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:VLANs_and_VTP
http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf
4
Spanning Tree Protocol
The need for high reliability and availability in today's networks is extremely important. However, the redundancy used to provide this can create problems in switched
networks, specifically Layer 2 loops. The problem that loops create is that
a local broadcast or multicast is automatically forwarded by a switch. If a loop
exists, the broadcast would circle around the loop forever. Some solution is
needed to deal with this problem. The remainder of this chapter will focus
on the Spanning Tree Protocol (STP): its components, its operation, its configuration, and troubleshooting.
Transparent Bridging
Digital Equipment Corporation (DEC) was the first to come to market with
a transparent bridge in the early 1980s. IEEE eventually incorporated DEC's
work into the 802.1D standard. The term transparent bridge was used because
the bridge is completely transparent to the end stations that it is interconnecting. Frames that pass through a transparent bridge are not modified:
What comes in on an interface will leave exactly the same way on another
interface. Transparent bridges perform three basic functions:
They make forwarding and filtering decisions based on the destination
Throughout the remainder of this chapter, I'll use the term switch, instead of bridge,
because most people deploy this kind of Layer 2 device in today's networks.
the same way because bridges do not store these MAC addresses in their CAM
tables. Because forwarding decisions are made on MAC addresses, these must
be unique in a transparently bridged or switched network.
Learning
Besides examining the destination MAC address to make a forwarding decision, the switch also examines the source MAC address in the frame. After
examining the CAM table for a match and not finding one, the switch adds
the source MAC address to the CAM table with the address's associated port.
If the frame is already in the CAM table, the switch resets its aging counter.
If a certain MAC address is not seen after a period of time, the entry eventually will be removed from the CAM table.
The advantage of a switch that dynamically learns the addresses of end stations is that you can plug the switch into the network and it will acquire
knowledge of the network without human intervention. If you move an end
station to a different segment, the switch will realize this and update its CAM
table appropriately. When transparent bridges were brought to market, they
did not have a learning capability, meaning that you had to manually configure the address table. Of course, today's bridges and switches have the capability to perform their learning function automatically.
Loops
The downside of transparent switches, however, is that no redundant connections or parallel paths are allowed, as shown in Figure 4.1.
Figure 4.1
STP Introduction
STP is a self-configuring Layer 2 algorithm that's responsible for removing
loops in a switched network while still providing path redundancy. Because a
switch automatically forwards broadcasts and multicasts, STP is necessary to
make sure that this traffic is not continuously forwarded throughout a
switched network. Another problem with loops is that with the switch's
learning function, it might mistakenly update its address table with incorrect
information concerning an end station as a frame traverses a loop.
STP was developed by DEC and later incorporated into IEEE's standards as
802.1D. However, the two protocols are not compatible. In a bridged or
switched network, all Layer 2 devices must run the same STP algorithm.
a forwarding state.
The TCNs are propagated throughout the network to ensure that all switches understand that a topology change has taken place. Note that STP is
transparent to end stations in that they are unaware of the fact that they're
connected to switches running STP.
BPDU hello messages are generated every 2 seconds by switches. BPDUs elect the
root, elect one switch per segment to handle forwarding functions, and remove loops
by placing ports connected to a redundant path in a blocking state. TCN BPDUs are
generated whenever a topology change occurs.
STP Advantages
STP provides the following items:
The detection and elimination of loops
The capability to automatically detect failed active paths and to utilize
alternate paths
User-configurable parameters that enable a network administrator to
Table 4.1 Important STP Terms
Bridge Identifiers: Each bridge has a unique identifier that it uses when it multicasts its BPDUs. The identifier is made up of a bridge (switch) priority and one of the switch's MAC addresses.
Path Costs
Port Priority: Each port has a default priority. If two paths exist to a destination and the accumulated port path costs are the same, the port that has the higher priority is preferred; the lower the value, the higher the priority. If both priorities are the same, the lower-numbered port is chosen on the bridge.
BPDU: The BPDU is a multicast frame that bridges periodically generate to share topology information and to elect a root switch to build a spanning tree and to prune off redundant links, as shown in Figure 4.2.
Figure 4.2 BPDU format.
A BPDU frame type is used by IEEE's 802.1D bridge management protocol for
STP. It is used to share information about the topology of the network among
the other switches. Table 4.2 displays the fields contained in the BPDU frame.
Table 4.2 BPDU Frame Contents
Protocol Identifier
Version
Message Type
Flags
Root Identifier
Root Path Cost: Defines the cost from the advertising switch to the root switch in the network.
Bridge (Switch) Identifier
Port Identifier: Defines from which port this BPDU message left the switch. This is used by other switches to detect and remove loops in a data network.
Message Age: Defines the last time the root switch advertised a BPDU message on which the current network configuration is based.
Maximum Age: Defines the age at which the protocol will remove the information from its database and initiate a topology change by rerunning the spanning tree algorithm. This parameter allows all switches to age uniformly and to rerun the STP in parallel.
Hello Time
Forward Delay
The switch that becomes the root will determine the values of Message Age,
Maximum Age, Hello Time, and Forward Delay for all the switches in the
network. In other words, after the root is elected and is sending out its multicast BPDUs, the other switches in the network will take the timers in the
root's BPDU messages and change their own internal STP parameters to
match the root's.
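The BPDU fields of Table 4.2, as an added worked example that is not from the book: a Python encoder and decoder for the 802.1D Configuration BPDU. The field order, sizes and the 1/256-second timer units are those of IEEE 802.1D-1998; the sample BPDU is constructed (not captured) to carry the same priorities and MAC addresses that appear in the show spanning-tree output later in this chapter.

```python
"""Encode and decode an IEEE 802.1D Configuration BPDU (added example)."""
import struct

# Field layout after the LLC header, 35 bytes in total (IEEE 802.1D-1998):
#   Protocol ID (2) | Version (1) | Message Type (1) | Flags (1) | Root ID (8)
#   | Root Path Cost (4) | Bridge ID (8) | Port ID (2) | Message Age (2)
#   | Max Age (2) | Hello Time (2) | Forward Delay (2)
# Every timer field is carried in units of 1/256 of a second.
_CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
FLAG_TOPOLOGY_CHANGE = 0x01
FLAG_TC_ACK = 0x80


def encode_bridge_id(priority: int, mac: str) -> bytes:
    """Bridge ID = 2-byte priority followed by the 6-byte MAC ('00e0.1e3d.002e')."""
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(".", ""))


def decode_bridge_id(raw: bytes) -> tuple:
    h = raw[2:].hex()
    return int.from_bytes(raw[:2], "big"), f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_config_bpdu(root, root_path_cost, bridge, port_priority, port_number,
                      message_age=0.0, max_age=20.0, hello=2.0, forward_delay=15.0,
                      topology_change=False) -> bytes:
    """root and bridge are (priority, mac) tuples; timers are given in seconds."""
    flags = FLAG_TOPOLOGY_CHANGE if topology_change else 0
    port_id = (port_priority << 8) | port_number   # port priority sits in the high byte
    return _CONFIG_BPDU.pack(
        0, 0, 0, flags,                              # protocol 0, version 0, type 0 = Configuration
        encode_bridge_id(*root), root_path_cost, encode_bridge_id(*bridge), port_id,
        int(message_age * 256), int(max_age * 256), int(hello * 256),
        int(forward_delay * 256))


def parse_config_bpdu(payload: bytes) -> dict:
    if len(payload) < _CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, version, msg_type, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = _CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or msg_type != 0:
        raise ValueError("not an 802.1D Configuration BPDU")
    return {
        "version": version,
        "root_id": decode_bridge_id(root_id),
        "root_path_cost": root_cost,
        "bridge_id": decode_bridge_id(bridge_id),
        "port_priority": port_id >> 8,
        "port_number": port_id & 0xFF,
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
        "topology_change": bool(flags & FLAG_TOPOLOGY_CHANGE),
        "tc_ack": bool(flags & FLAG_TC_ACK),
    }


# Constructed sample: the non-root switch seen in the show spanning-tree output
# advertises the root it learned, at root path cost 10, out of port 1 (priority 128).
SAMPLE_BPDU = build_config_bpdu(root=(32768, "00e0.1e2e.51f0"), root_path_cost=10,
                                bridge=(32768, "00e0.1e3d.002e"),
                                port_priority=128, port_number=1)

if __name__ == "__main__":
    for field, value in parse_config_bpdu(SAMPLE_BPDU).items():
        print(f"{field:16} {value}")
```

Decoding a BPDU this way is also how a monitoring tool would spot an unexpected root identifier or changed timers arriving on an access port, which is the condition the BPDU Guard feature of the next chapter exists to catch.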
By default, all switches have the same configured priority, which means that
the switch with the lowest MAC address will be chosen as the root. This can
be customized, however. For optimal performance, it's recommended that
you change the priority so that the switch at a central point in the broadcast
domain will be chosen as the root. In a hierarchical design, this should be one
of your distribution layer switches for the distribution and access layers and a
core switch for the core. One issue with STP is that it guarantees a loop-free
environment, but it does not guarantee an optimal configuration. For example, in Figure 4.3, Switch 1 is elected as the root switch. The root switch is
necessary to build a reference point to start the calculation of the algorithm.
All paths from all the switches must be able to trace a path back to the root.
The switch with the lowest bridge ID (priority + MAC address) is elected as the root.
a switch that has the lowest accumulated cost to the root switch. Figure 4.3
lists the root ports (R) for each bridge.
If a switch receives BPDUs from multiple ports, this indicates that there are
multiple paths to the root switch, and one of them will have to be chosen. If
a switch has two ports to the root switch, the path that has the lower path cost
is chosen. Here are the rules for choosing a root port:
1. Choose the path with the lowest accumulated path cost to the root
switch.
2. If there is a tie in path cost, choose the neighboring switch with the
Bridging Loops
After the designated ports and switches have been resolved for each LAN
segment, the ports on the switches connected to each segment will be placed
into either a blocking or forwarding mode. The root and designated ports
will be placed into forwarding mode and all other ports will be placed into a
blocking mode. After the completion of this process, no loops should exist in
the switched network, as shown in Figure 4.3. Note, though, that not every
path from one LAN segment to another is optimal. For LAN segment A to
get to LAN segment D, users must go through switches 3, 1, and then 5,
which is two extra hops.
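The root election, root-port selection and designated-port selection described above, as an added example in Python that is not from the book. It runs the selection over a constructed three-switch triangle (not one of the book's figures), with Fast Ethernet costs from the newer 802.1D scale. Beyond path cost, the tie-breaker order follows IEEE 802.1D (lowest neighbouring bridge ID, then the neighbour's port ID, then the local port priority and number); the second run lowers one switch's priority to 4,096, the value this chapter recommends for the intended root, to show the root and the blocked port moving.

```python
"""Root election, root-port and designated-port selection per IEEE 802.1D (added example)."""
import heapq

# Constructed topology. Bridge ID = (priority, MAC); the lowest wins.
# Port = (priority, number, cost); Fast Ethernet cost 19 on the newer scale.
SWITCHES = {
    "S1": (32768, "0000.0000.0001"),
    "S2": (32768, "0000.0000.0002"),
    "S3": (32768, "0000.0000.0003"),
}
PORTS = {(s, p): (128, n, 19) for s in SWITCHES for p, n in (("Fa0/1", 1), ("Fa0/2", 2))}
LINKS = [("S1", "Fa0/1", "S2", "Fa0/1"),   # each link is one LAN segment
         ("S1", "Fa0/2", "S3", "Fa0/1"),
         ("S2", "Fa0/2", "S3", "Fa0/2")]


def elect_root(switches):
    """Lowest bridge ID (priority first, then MAC address) becomes the root."""
    return min(switches, key=switches.get)


def _adjacency(links):
    adj = {}
    for a, pa, b, pb in links:
        adj.setdefault(a, []).append((pa, b, pb))
        adj.setdefault(b, []).append((pb, a, pa))
    return adj


def compute_tree(switches, ports, links):
    root = elect_root(switches)
    adj = _adjacency(links)

    # Root path cost: a BPDU's cost grows by the cost of the port it ARRIVES on,
    # so the edge weight into a switch is that switch's own port cost.
    rpc = {s: float("inf") for s in switches}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        cost, s = heapq.heappop(heap)
        if cost > rpc[s]:
            continue
        for _, nbr, nbr_port in adj.get(s, []):
            new_cost = cost + ports[(nbr, nbr_port)][2]
            if new_cost < rpc[nbr]:
                rpc[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr))

    # Root port (one per non-root switch): lowest accumulated cost, then lowest
    # neighbouring bridge ID, then the neighbour's port ID, then the local port ID.
    root_port = {}
    for s in switches:
        if s == root:
            continue
        candidates = []
        for lp, nbr, np_ in adj.get(s, []):
            key = (rpc[nbr] + ports[(s, lp)][2], switches[nbr],
                   ports[(nbr, np_)][:2], ports[(s, lp)][:2])
            candidates.append((key, lp))
        root_port[s] = min(candidates)[1]

    # Designated port (one per segment): the attached switch with the lowest
    # root path cost, then lowest bridge ID, then lowest port ID.
    designated = set()
    for a, pa, b, pb in links:
        key_a = (rpc[a], switches[a], ports[(a, pa)][:2])
        key_b = (rpc[b], switches[b], ports[(b, pb)][:2])
        designated.add((a, pa) if key_a <= key_b else (b, pb))

    # Root and designated ports end up forwarding; every other port blocks.
    states = {port: "forwarding" if (root_port.get(port[0]) == port[1] or port in designated)
              else "blocking" for port in ports}
    return {"root": root, "root_path_cost": rpc, "root_port": root_port, "states": states}


if __name__ == "__main__":
    tree = compute_tree(SWITCHES, PORTS, LINKS)
    print("root:", tree["root"], "blocked:",
          [p for p, st in tree["states"].items() if st == "blocking"])
    # Lowering S3's priority to 4,096 makes it the root and moves the blocked port.
    tuned = dict(SWITCHES, S3=(4096, SWITCHES["S3"][1]))
    print("root after tuning:", compute_tree(tuned, PORTS, LINKS)["root"])
```

With equal priorities the lowest MAC (S1) wins, S2 and S3 both reach it at cost 19, and on the S2-S3 segment the tie is broken by bridge ID, so S3's Fa0/2 is the single blocked port. The same function shows why the chapter insists on choosing the root deliberately: a rogue or misconfigured switch with a lower bridge ID re-roots the whole tree and changes which links carry traffic.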
Port States
In the previous section, two of the five port states were mentioned: blocking
and forwarding. Every time a change occurs in the status of the switched network, a recomputation of the STP algorithm must take place. Interestingly,
the root switch does not perform the calculation and pass its results to the
rest of the switches. Each switch runs STP in parallel, builds the same spanning tree, and derives the same results for the blocking and forwarding
modes for each of the switch's ports.
One of the issues faced with changes is that it takes time for this convergence
to take place because each port might go through four different port states:
blocking, listening, learning, and forwarding, as described in Table 4.3.
Table 4.3 STP Port States
Blocking
Listening
Learning
Forwarding
Disabled
Convergence Issues
BPDUs, as they are propagated through the switched network, will incur
delays. Because the delays incurred to propagate the BPDUs across the
bridged network might differ in length, how long it takes to incorporate the
topology changes in the network could be different. To prevent this type of
staggered convergence, STP uses timers. The STP algorithm is based on a
diameter of seven switches or fewer, with a Hello Timer value of 2 seconds.
The maximum age timer is 20 seconds (it can be between 6 and 40 seconds), and
the Forward Delay timer is 15 seconds. Cisco recommends that you adjust
these timers to reflect the diameter of your network.
It's recommended that you not change these parameters unless you know exactly
what you're doing and you understand the impact that the new timers will have on
your network. An incorrect setting of any of these timers could cause the creation of
loops due to the loss of BPDUs or not allowing enough time for the algorithm to run.
If you do change these timers, they only need to be changed on the root, which will
then propagate the timers to all other switches in its BPDU messages.
uses a default value of 20 seconds for the Maximum Age timer (blocking) and
15 seconds for the Forward Delay timer (listening and learning), which is
used to measure the time a port stays in a specific state.
STP can take from 30 to 50 seconds to converge: from blocking to listening, 20 seconds; from listening to learning, 15 seconds; from learning to forwarding, 15 seconds. This results in a 50-second hold-down value while a new topology is calculated. A port will start in a blocking state if a BPDU is received on a nonroot port with a
better cost to the root; otherwise, it starts in a listening state. This would be true for
a nondesignated port that becomes a designated port when the designated port fails.
During this convergence time, unfortunately, user data is not being forwarded
in the network, thus causing major disruptions. You can adjust these values,
where the Forward Delay value can be set as low as 4 seconds. It's recommended that if you change the timers, you should increase, not decrease,
them. By decreasing them, you'll more than likely create problems. Having
a lower timer means that you might not be giving your network enough time
to propagate BPDUs, thus producing the likelihood of inadvertent Layer 2
loops. In times of STP instability, you should temporarily increase the
Forward Delay and Maximum Age timers.
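The timer rules discussed above, as an added example that is not from the book: a small Python checker that validates a hello/max-age/forward-delay set before it is applied to the root and computes the resulting convergence time. The value ranges are the ones Cisco IOS accepts; the two relations between the timers are the ones IEEE 802.1D-1998 requires, and they are what makes the warning above concrete: cutting Forward Delay to 4 seconds while leaving Max Age at 20 leaves stale topology information alive longer than the listening and learning states last.

```python
"""Consistency checks for the STP timers (added example, not from the book)."""

# Cisco IOS accepts hello 1-10 s, max age 6-40 s and forward delay 4-30 s.
RANGES = {"hello": (1, 10), "max_age": (6, 40), "forward_delay": (4, 30)}


def check_timers(hello=2, max_age=20, forward_delay=15):
    """Return the list of violated rules; an empty list means the set is consistent.

    The two relations are the ones IEEE 802.1D-1998 (clause 8.10.2) requires
    between the bridge timer values.
    """
    problems = []
    for name, value in (("hello", hello), ("max_age", max_age),
                        ("forward_delay", forward_delay)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}-{hi} s")
    if max_age < 2 * (hello + 1):
        problems.append(f"max_age {max_age} < 2*(hello+1) = {2 * (hello + 1)}: "
                        "the root's information could age out between two hellos")
    if max_age > 2 * (forward_delay - 1):
        problems.append(f"max_age {max_age} > 2*(forward_delay-1) = {2 * (forward_delay - 1)}: "
                        "stale topology information can outlive listening+learning, so loops can form")
    return problems


def worst_case_convergence(max_age=20, forward_delay=15):
    """Blocking -> listening waits Max Age; listening and learning each last Forward Delay."""
    return max_age + 2 * forward_delay


def best_case_convergence(forward_delay=15):
    """A port that starts in listening (e.g. one taking over as designated) skips Max Age."""
    return 2 * forward_delay


if __name__ == "__main__":
    print("defaults:", check_timers() or "consistent",
          f"({worst_case_convergence()} s worst case, {best_case_convergence()} s best case)")
    # Forward Delay 'as low as 4 seconds' is only consistent if Max Age drops with it.
    print("forward_delay=4, max_age=20:", check_timers(forward_delay=4))
    print("forward_delay=4, max_age=6:", check_timers(forward_delay=4, max_age=6) or "consistent")
```

Run it with the defaults and it reports a consistent set with the 50-second worst case from the exam alert above; run it with forward_delay=4 alone and it reports the violation, which is the kind of change that produces the loops the text warns about.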
Spanning Trees
The assumption made so far in this chapter is that all the switches are
running one instance of STP for the whole switched network. This is sometimes referred to as a Common Spanning Tree (CST). IEEE 802.1Q on non-Cisco switches uses CST to remove loops.
Cisco, on the other hand, has two proprietary forms of STP implementations: Per-VLAN Spanning Tree or Shared Spanning Tree (PVST) and
PVST+. By default, PVST is used on ISL trunks and 802.1Q trunks between
Cisco switches, where a separate instance of STP is run for each VLAN. That
means for each VLAN you have, you'll have a separate STP algorithm and
database, a separate root switch and BPDUs for each VLAN. PVST+ is used
in mixed trunk environments in which you have both ISL and 802.1Q
trunks. PVST+ allows CST BPDUs to be correctly incorporated into Cisco's
native PVST and vice versa.
CST is used on 802.1Q trunks connected to non-Cisco switches. PVST is used
between two Cisco switches on ISL and 802.1Q trunks.
CST
With CST, only one instance of STP is running for all the VLANs. STP will
run in the default management VLAN, which is typically VLAN 1. Because
only one instance of STP exists, one root switch is elected and all loops are
removed.
CST has two advantages compared to PVST:
Only one set of BPDUs is created for STP.
Changes only have to be tracked for one instance of STP.
Figure 4.4 shows an example of CST, with Switch 1 being the root bridge for
the whole network (including both VLANs 1 and 2) and X representing
blocking links.
Figure 4.4 CST example (Switch 1 is the root switch; X marks blocking links).
There is a downside to CST, however. For one, it will likely create suboptimal paths in your switched network. This can be seen in Figure 4.4 with
VLAN 2. For VLAN 2, off of Switch 5, to get to the users off of Switch 8, it
has to go through an extra switch: Switch 4. And it is even worse if either of
these groups wants to access the same VLAN off of Switch 9. The other
downside of CST is that as your network grows, convergence problems
become worse, and STP eventually runs out of steam.
PVST
To solve the scalability and convergence problems of CST, Cisco's PVST
uses a separate instance of STP per VLAN. That means for each VLAN,
you'll have a root, port costs, path costs, and priorities, and all these can be
different per VLAN. To ensure unique bridge IDs for each VLAN, Cisco
switches have a pool of MAC addresses to choose from. For some switches,
this pool can include up to 1,024 MAC addresses.
Actually, it's recommended that you tune STP per VLAN to create the most
optimal paths for each VLAN. The size of each STP topology is reduced
because only switches that connect a VLAN together are included, thereby
decreasing convergence time and increasing scalability. PVST is also more
stable because links connected to switches not connected to a specific VLAN
are not included in the STP topology.
Given this capability with PVST, VLAN 2's topology might look like that
shown in Figure 4.5, where Switch 8 is the root. In this example, notice that
not every switch has a path back to the root, such as Switch 4. Switch 4 and
the switches behind it do not have any ports associated with VLAN 2. One
nice feature of PVST is that if VLAN 2 is configured on any of these other
switches, STP will rerun and include a path to the new addition.
Figure 4.5 PVST example (Switch 8 is the root switch for VLAN 2; X marks blocking links).
The downside of PVST is that the switch will be multicasting BPDUs on each
VLAN and must have a topology database for each VLAN, thus creating a lot
of additional overhead. Plus, to make your network optimal, you'll have to
examine your network closely and make the appropriate STP configuration
changes for each VLAN, which is a time-consuming process.
PVST+
PVST+ is a Cisco extension to its PVST protocol. PVST+ allows the incorporation of both IEEE's 802.1Q CST and Cisco's PVST in a switched network.
One nice feature of PVST+ is that you do not have to configure anything on
your switches to use it; it works automatically. It detects CST and PVST and
makes the appropriate changes or adjustments.
The following are some of the enhancements built into PVST+:
Tunneling PVST BPDUs across an 802.1Q trunk
Checking for VLAN and port inconsistencies
Placing a port in blocking mode when receiving inconsistent BPDUs
For a Catalyst switch, use the following command to enable or disable STP:
Switch(config)# [no] spanning-tree [vlan list_of_vlans]
To change the priority (part of the bridge ID) to influence the root switch
selection process, use the following command:
Switch(config)# [no] spanning-tree [vlan list_of_vlans] priority new_priority
You'll have to specify a priority less than 32,768 because this is the default
priority for all switches that use IEEE's STP. Remember that the switch with
the lowest bridge ID is elected as the root. Cisco recommends that the switch
that will become the root have a priority of 4,096 and the backup root should
have a priority of 8,096; all other switches should use the default bridge
priority.
Each port has an associated cost thats applied to a BPDU when it arrives on
that port. These port costs are added as the BPDU is propagated through the
network: The more switches that a BPDU passes through, the higher its
cost. This value is called a path cost and is used to determine which port to
use, if multiple ports exist, to reach the root switch. The path with the lowest value is chosen. If two paths have the same cost, priorities of the respective ports are used as a tiebreaker.
You can modify these parameters to influence the port that a specific switch
will use to reach the root. Cisco recommends, however, that you take care
when using these commands because an incorrect configuration can create
suboptimal paths, rather than solving them. You'll need to know all the path
costs for each switch involved. The correct choice of the root will usually
alleviate you from having to use these commands.
Port Cost
STP uses the cost of ports to determine which port will be chosen as a root
port and thereby automatically placed into forwarding mode. The switch will
automatically assign a default port cost based on the speed of the port. There
are two versions of the formula. The old version usually takes 1,000 divided
by the port speed in megabits per second. A 10Mbps port has a port cost of
100, whereas a 100Mbps port has a port cost of 10. The lower the number,
the more preferred the port. The newer specification uses a nonlinear scale
to assign costs to ports. Table 4.4 shows the old and new port costs. It's
important to point out that this algorithm for port cost is not carved in
stone; different vendors might use different costs for the same speed port or
even different switches among the same vendor.
Table 4.4 Port Costs
Port Speed: Old Specification / New Specification
10 Mbps: 100 / 100
100 Mbps: 10 / 19
1 Gbps: 1 / 4
10 Gbps: 1 / 2
Note that for 10/100Mbps auto-sensing ports, the cost is usually configured
to 10 or 19 (reflecting Fast Ethernet), no matter what the speed is.
Therefore, even if the port is configured as a 10Mbps port, the port cost is
10 and the switch will see it as equally as good as a 100Mbps link. Therefore,
you should manually change the port cost value if you have a mixture of 10
and 100 speeds on auto-sensing ports. The possible range of values is from 1
to 65,535. If you've done your homework and want to change the port cost
on a Catalyst switch, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree [vlan list_of_vlans] cost new_cost
Port Priority
A port can be assigned a priority that's used as a tiebreaker when two equal-cost paths to the root exist. The default port priority on a Catalyst switch is
128 and can be set from 0 to 240 in increments of 16 (0, 16, 32, 48, and so
on). The lower the number, the more likely it is that the port will be chosen
as a root port. If all ports have the same priority, the physically lowest numbered port is chosen by STP.
To change the priority on a Catalyst switch, use this configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree vlan [list_of_vlans] port-priority new_priority
Verification of STP
After you've made your changes, you'll want to verify them to make sure that
STP is configured the way that you want it. On a Catalyst switch, you can
use the show spanning-tree command to see the changes:
Switch# show spanning-tree [vlan vlan_number] | [interface type slot_#/port_#]
Note that if you do not specify a VLAN number after the command, the
information displayed will be for VLAN 1.
Switch# show spanning-tree
Spanning tree 1 is executing the IEEE compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 00e0.1e3d.002e
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 00e0.1e2e.51f0
Root port is 10, cost of root path is 10
Topology change flag not set, detected flag not set, changes 1
Times: hold 1, topology change 25, notification 3
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0
Interface Fa0/1 in Spanning tree 1 is down
Port path cost 100, Port priority 128
Designated root has priority 32768, 00e0.1e2e.51f0
Designated bridge has priority 32768, address 00e0.1e3d.002e
Designated port is 1, path cost 10
Timers: message age 0, forward delay 0, hold 0
BPDU: sent 0, received 0
Use the show spanning-tree command to view the configuration and operation
of STP on your switch.
Summary
Transparent bridges and switches have three main functions: learn, forward,
and remove loops. Cisco switches use the 802.1D protocol to remove loops
in Layer 2 networks. BPDUs are used to discover the topology of the network, elect a root switch, and notify other switches of topology changes.
BPDU hellos are generated every 2 seconds.
STP elects a root switch, which is the switch with the lowest bridge ID (priority + MAC address). Each switch chooses the best port to reach the root,
called a root port: This is the port with the lowest accumulated path cost to
the root. Each segment has one designated port on one switch, which is used
to forward traffic to and from the segment. The switch with the lowest
accumulated path cost is chosen. All root and designated ports will move
from a blocking or listening state to learning and then forwarding. All other
ports remain in a blocked state. It can take between 30 and 50 seconds for convergence to take place.
Non-Cisco switches use CST on 802.1Q trunks. Cisco switches support
PVST when connected to other Cisco switches on ISL or 802.1Q trunks. In
PVST, each VLAN has its own STP components: root switch, BPDUs, priorities, and port costs.
STP is enabled, by default, for all VLANs on Cisco switches. Use the
spanning-tree priority command to influence which switch will become
the root switch. Use the show spanning-tree command to view your STP
components and operation.
Question 2
The switch with the _________ is elected as the root.
A. Lowest MAC address
B. Highest bridge identifier
C. Lowest priority
D. Lowest bridge identifier
Answer D is correct. The switch with the lowest bridge ID (priority + MAC
address) is chosen as the root. A and C are incorrect because they're missing
one of the two bridge ID components. Answer B is incorrect because it is the
lowest bridge ID, not the highest.
Question 3
A switch is choosing a root port. Two ports have the same lowest accumulated
path cost. Which is the tiebreaker?
A. Highest numbered port
B. Lowest neighboring bridge ID
C. Lowest numbered port
D. Lowest port priority
Question 4
When choosing a designated port, which switch is used when going through the
selection process?
A. The higher-modeled switch
B. The switch with the highest accumulated path cost
C. The switch with the lowest bridge ID
D. The switch with the highest priority
Question 5
In which port state does the CAM table begin to be built?
A. Forwarding
B. Learning
C. Listening
D. Blocking
Answer B is correct. The switch begins building the CAM table in the learning state. The switch also continues to build the CAM table and forwards
user frames in the forwarding state, making answer A incorrect. During the
listening and blocking states, the CAM table is not updated, making answers
C and D incorrect.
Question 6
It can take up to __________ seconds for STP to converge.
A. 2
B. 15
C. 50
D. 60
Question 7
PVST is supported on __________ trunks.
A. ISL
B. 802.1Q
C. ISL and 802.1Q
Question 8
Which switch command selects the root switch?
A. (config)# spanning-tree priority
B. (config-if)# spanning-tree priority
C. (config)# spanning-tree bridge-id
D. (config)# spanning-tree bridge-priority
Question 9
With the current 802.1D port cost standard, what is the cost of a Fast Ethernet
port?
A. 1
B. 4
C. 10
D. 19
Answer D is correct. The default port cost for a Fast Ethernet port in the
current 802.1D standard is 19. Answer A is incorrect because it is the old
port cost for a Gigabit Ethernet port. Answer B is incorrect because it is the
newer cost for a Gigabit port. Answer C is incorrect because it is the older
cost for a Fast Ethernet port.
Question 10
Which switch command displays the STP bridge identifier, as well as STP configuration for interfaces involved in STP?
A. show span
B. show span-tree
C. show spanning-tree
D. show stp
5
Enhancements to STP
PortFast
Cisco's proprietary PortFast feature reduces the size of the STP database by
excluding ports that do not have bridges or switches connected to them and
removing them from the STP topology, thereby minimizing downtime when
changes occur in a switched network. When a change occurs, STP flushes
the content-addressable memory (CAM) table, thereby preventing any communication between devices until STP has the ports go through the blocking, listening, learning, and forwarding states. Using the PortFast feature is
very important in environments where servers require constant communication between them and the end users' devices or where changes are constantly taking place. Using the PortFast configuration commands greatly
reduces the number of ports in STP and therefore decreases the time it takes
for convergence to occur when changes take place in a switched network.
PortFast Operation
When a change occurs that causes STP to recalculate, ports enabled for
PortFast remain in a forwarding state and the entries in the CAM table for
these ports are not removed.
To take a port out of STP, you can place it in PortFast mode. When STP is
run and the ports go through the four different modes, ports in PortFast
mode are kept in a forwarding state. The advantage of this is that the ports
configured for PortFast do not have to wait 30 to 50 seconds while the STP
algorithm is running. Make sure that you do this only for ports that you
know are not part of any Layer 2 loop. This is primarily used for ports connected to PCs, servers, and routers.
PortFast Configuration
To configure PortFast on a Catalyst switch, execute the following command:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree portfast
BPDU Guard
BPDU Guard is a Cisco feature that shuts down a PortFast port if a BPDU
is received on it. When the port is shut down, the status of the interface is
error disabled. BPDU Guard is disabled by default. To enable it, use the
following commands:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree portfast bpduguard
110 Chapter 5
show spanning-tree
BPDU Filtering
The BPDU filtering feature enables you to filter BPDUs on ports of your
switch. This is handy for ports that you know should be connected only to
user devices. It prevents a switch that is mistakenly connected to one of these
ports from creating Layer 2 loops.
To configure BPDU filtering, you must first enable PortFast on the port.
After PortFast is enabled, you can enable BPDU filtering on the interface.
Here's an example of its configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree portfast bpdufilter default
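The three sections above describe three different reactions to a BPDU arriving on an access port: plain PortFast keeps forwarding, BPDU Guard error-disables the port, and BPDU filtering discards the BPDU before STP sees it. The following model is an added illustration written for this page, not code from the book or from Cisco; the class, attribute names and return strings are this example's own assumptions. It also includes a small audit function that lists PortFast ports left without either protection, which is the configuration the text warns can admit an unexpected switch into the topology.

```python
from dataclasses import dataclass


@dataclass
class AccessPort:
    """An access port and the three PortFast-related settings discussed above.

    Hypothetical model; attribute names are assumptions, not IOS keywords.
    """
    name: str
    portfast: bool = False
    bpduguard: bool = False   # err-disable the port when a BPDU arrives
    bpdufilter: bool = False  # drop BPDUs on the port entirely
    state: str = "blocking"
    bpdus_seen: int = 0

    def link_up(self) -> str:
        """A PortFast port skips listening/learning and forwards at once;
        an ordinary port starts in blocking and must walk the STP states."""
        self.state = "forwarding" if self.portfast else "blocking"
        return self.state

    def receive_bpdu(self) -> str:
        """Outcome when a BPDU arrives, in the order the protections apply:
        filter (BPDU never reaches STP), guard (port shut, err-disabled),
        plain PortFast (keeps forwarding, which is where the loop risk lives),
        otherwise an ordinary STP port falls back to blocking."""
        if self.bpdufilter:
            return "filtered"
        self.bpdus_seen += 1
        if self.bpduguard:
            self.state = "err-disabled"
            return "err-disabled"
        if self.portfast:
            return "forwarding"
        self.state = "blocking"
        return "blocking"


def unprotected_edge_ports(ports):
    """Audit helper: PortFast ports with neither BPDU Guard nor BPDU filter.
    A switch plugged into one of these is accepted into the topology."""
    return [p.name for p in ports
            if p.portfast and not (p.bpduguard or p.bpdufilter)]


if __name__ == "__main__":
    # Constructed sample ports, not taken from a real switch
    ports = [
        AccessPort("Fa0/1", portfast=True),
        AccessPort("Fa0/2", portfast=True, bpduguard=True),
        AccessPort("Fa0/3", portfast=True, bpdufilter=True),
        AccessPort("Fa0/4"),
    ]
    for p in ports:
        p.link_up()
        print(p.name, "on BPDU ->", p.receive_bpdu())
    print("unprotected PortFast ports:", unprotected_edge_ports(ports))
```

The audit function is the part worth keeping: run it over an inventory of access ports and the output is exactly the list of ports where a rogue or misconnected switch could still inject BPDUs.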
UplinkFast
STP guarantees a loop-free environment. However, one large disadvantage
of STP is the 30- to 50-second convergence time before redundant links can
be used when failures occur. This is problematic in environments where real-time or bandwidth-intensive applications are deployed. Cisco's proprietary
UplinkFast feature allows the almost-immediate use of a redundant switched
connection (a blocked port) without recalculating STP when the primary
path fails. This reduces the transition period from 30 or 50 seconds to less
than 4 seconds.
The name of this feature describes its purpose. It's typically used on uplink
ports that connect access layer switches to distribution layer switches. An
example of this is shown in Figure 5.1. The left side shows two distribution
layer switches. The one on the left is the root and the one on the right is the
backup, or secondary, root. Note that the primary link is from the access layer
switch to the root switch located on the left. When the link on the left fails,
the access layer switch uses the backup link on the right within 2 to 4 seconds
after detecting the failure. It does this by placing the blocked port into a forwarding state, bypassing the listening and learning states of STP.
[Figure 5.1 (not reproduced). Left: two Distribution Layer switches, the Root Switch and the Backup Root Switch, with the Access Layer Switch's Primary Link forwarding. Right: the primary link has failed (marked X) and the Backup Link is forwarding.]
It's highly recommended that UplinkFast be configured on your access layer switches only. If a switch is the root of STP, the switch will automatically disable it even if you have UplinkFast enabled. In other words, UplinkFast is a feature designed for nonroot, or leaf, switches. The switch must have one port in a blocking state; because the root switch has no blocked port, UplinkFast is disabled on it.
To turn on UplinkFast for your Catalyst switch, use the following command:
Switch(config)# [no] spanning-tree uplinkfast
[max-update-rate update_rate]
By default, the switch generates 150 multicasts every second. You can
increase or decrease this value, which either decreases the amount of time to
detect failures or increases it, respectively. Note that there is no option to
enable or disable this per interface or VLAN; you either enable it for the
whole switch or you leave it disabled. To verify UplinkFast's configuration,
use the show spanning-tree summary command, which was shown earlier in the
chapter in the PortFast Configuration section. You can also use the show
spanning-tree uplinkfast command:
Switch> show spanning-tree uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 7
Number of proxy multicast addresses transmitted (all VLANs): 4238
Name                 Interface List
-------------------- ------------------------------------
VLAN1                Fa0/1 (fwd), Fa(0/3)
<--output truncated-->
BackboneFast
Cisco's proprietary BackboneFast feature is an enhancement to STP that
provides scalability to STP on your backbone switches: It's not meant for
your access layer switches but rather for your core and distribution layer
switches. BackboneFast and UplinkFast are complementary STP enhancements. One major difference between UplinkFast and BackboneFast is that
UplinkFast works only for directly connected links that fail, whereas
BackboneFast has the capability to detect indirect link failures; that is, links
not physically connected to a switch.
Let's take a look at how the BackboneFast feature works. Let's assume that
you have three core switches that are interconnected, as shown in step 1 of
Figure 5.2. Switch 1 is the root, and switch 2 is the designated bridge for the
segment between switch 2 and switch 3. Because of this, switch 3 places its
port on the left in a blocking state.
[Figure 5.2 (not reproduced). Three steps showing Switch 1 (Root), Switch 2 and Switch 3. In step 1 Switch 3's port toward Switch 2 is the STP Blocked Port; steps 2 and 3 show a FAILED LINK and the blocked port's reaction.]
After BackboneFast is enabled, you can use the show spanning-tree summary
and show spanning-tree backbonefast commands to verify its configuration and
operation. Here's an example of the latter command:
Switch> show spanning-tree backbonefast
BackboneFast is enabled
BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs)     : 0
Number of RLQ request BPDUs received (all VLANs)  : 0
<--output truncated-->
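The two displays above (show spanning-tree uplinkfast and show spanning-tree backbonefast) carry counters that are useful to poll: a jump in uplinkFast transitions means access-layer uplinks are failing over, and a stream of inferior BPDUs on the backbone means indirect links are flapping. The parser below is an added example for this page, not code from the book or from Cisco; the sample text is constructed to match the format quoted above, and the function names are this example's own.

```python
import re

# Constructed sample output, modelled on the displays quoted in the chapter
# (not captured from a real switch).
UPLINKFAST_OUTPUT = """\
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 7
Number of proxy multicast addresses transmitted (all VLANs): 4238
"""

BACKBONEFAST_OUTPUT = """\
BackboneFast is enabled
BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs)     : 0
Number of RLQ request BPDUs received (all VLANs)  : 0
"""

STATUS_RE = re.compile(r"^(UplinkFast|BackboneFast) is (enabled|disabled)", re.M)
COUNTER_RE = re.compile(r"^(Number of [^:]+?)\s*:\s*(\d+)\s*$", re.M)


def parse_fast_stats(text: str) -> dict:
    """Return {'feature', 'enabled', 'counters'} from either display.

    Counter labels are normalised by dropping the '(all VLANs)' suffix so
    the same key works across polls and across both features.
    """
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no UplinkFast/BackboneFast status line found")
    counters = {}
    for label, value in COUNTER_RE.findall(text):
        key = re.sub(r"\s*\(all VLANs\)", "", label).strip()
        counters[key] = int(value)
    return {"feature": m.group(1),
            "enabled": m.group(2) == "enabled",
            "counters": counters}


def counter_delta(previous: dict, current: dict, key: str) -> int:
    """Growth of one counter between two polls; alert when it exceeds what
    a quiet network should produce (threshold is a local policy choice)."""
    return current["counters"].get(key, 0) - previous["counters"].get(key, 0)


if __name__ == "__main__":
    first = parse_fast_stats(UPLINKFAST_OUTPUT)
    later = parse_fast_stats(UPLINKFAST_OUTPUT.replace(": 7", ": 12"))
    print(first)
    print("new uplinkFast transitions:",
          counter_delta(first, later, "Number of transitions via uplinkFast"))
    print(parse_fast_stats(BACKBONEFAST_OUTPUT))
```

Feed it the raw text of each poll and compare successive results; the delta, not the absolute count, is what indicates instability.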
Rapid STP
Because of convergence issues in the 802.1D STP algorithm, IEEE developed
802.1W. 802.1W, also called Rapid STP or RSTP, includes enhancements to
speed up the convergence with STP. One of the main problems of using
Cisco's STP enhancements (PortFast, UplinkFast, and BackboneFast) is
that they're proprietary and function only on Cisco switches. In most
instances, you can use RSTP instead of Cisco's proprietary STP enhancements and get the same or better performance from your STP process.
For trunk connections using ISL or 802.1Q between Cisco switches, Cisco
has enhanced PVST+ to allow RSTP to function correctly. Cisco calls this
enhancement RPVST+. You do not need to configure anything special on
the switch to use RPVST+.
BPDUs
Just as with STP, RSTP uses BPDUs to elect a root switch, discover the
topology of the network, share STP configuration information, notify other
switches of topology changes, and verify the continuing existence of other
switches. RSTP uses the same BPDU format as STP. If you recall from
Chapter 4, Spanning Tree Protocol, a BPDU frame contains a type field.
With 802.1D, the type field was used to encode two different STP messages:
a topology change notification and a topology change acknowledgment. Two
bits were used to encode these message types.
RSTP, on the other hand, uses all six of the remaining bits, but not the 2 bits
that STP uses. IEEE decided on this approach so that in a mixed environment
where some switches support RSTP and some support only STP, both types
of switches would understand the BPDU framing format. Also, RSTP switches would be able to easily detect BPDUs from STP switches by looking at the
2-bit values in the type field; RSTP uses only the other 6 bits. Therefore,
there are two different versions of BPDUs: switches running STP (802.1D)
use version 1, and switches running RSTP (802.1W) use version 2.
It's important to point out that RSTP switches can understand STP BPDUs
and can incorporate STP switches into the current Layer 2 loop-free network. However, in a mixed network of RSTP and STP switches, the RSTP
switches lose all the fast convergence features that will be discussed later in
this section. In other words, in a mixed network, an RSTP switch essentially functions as an STP switch.
Besides the use of the type field in a BPDU frame, there is another difference between RSTP and STP. With STP, the root generates BPDUs every
2 seconds and other bridges relay these hellos. A nonroot switch generates a
BPDU only when it receives a BPDU on its root port. With STP, switches
detect failures by missed BPDUs from the root on forwarding ports.
RSTP has every switch generate BPDUs every 2 seconds. These BPDUs
contain the switch's RSTP configuration information. If one switch misses
three consecutive hello BPDUs from a neighboring switch, it considers the
connection between itself and the neighbor to have failed, allowing the
detection of failures to occur more quickly (6 seconds or less) than with
802.1D (20 seconds with the maximum age timer).
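The text above explains that 802.1D uses only two bits of the BPDU flags byte (topology change and topology change acknowledgment) and that 802.1W assigns the six bits in between. The decoder below is an added example for this page, not code from the book or from Cisco; the bit layout it uses is the one 802.1w defines (bit 0 TC, bit 1 proposal, bits 2-3 port role, bit 4 learning, bit 5 forwarding, bit 6 agreement, bit 7 TCA), and the function names are this example's own. The looks_like_legacy_stp check implements the heuristic the chapter describes: if none of the six RSTP bits are set, the flags byte came from an 802.1D-style switch.

```python
# Flag-byte layout from IEEE 802.1w (assumed here; the chapter names only
# the two 802.1D bits and says RSTP uses the remaining six).
TC, PROPOSAL, LEARNING, FORWARDING, AGREEMENT, TCA = 0x01, 0x02, 0x10, 0x20, 0x40, 0x80
ROLE_MASK, ROLE_SHIFT = 0x0C, 2
ROLE_NAMES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
ROLE_CODES = {v: k for k, v in ROLE_NAMES.items()}
RSTP_ONLY_BITS = 0x7E          # bits 1..6, never set by an 802.1D bridge


def decode_flags(flags: int) -> dict:
    """Split one BPDU flags byte into its named fields."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("flags must be a single byte")
    return {
        "topology_change": bool(flags & TC),
        "proposal": bool(flags & PROPOSAL),
        "port_role": ROLE_NAMES[(flags & ROLE_MASK) >> ROLE_SHIFT],
        "learning": bool(flags & LEARNING),
        "forwarding": bool(flags & FORWARDING),
        "agreement": bool(flags & AGREEMENT),
        "tc_ack": bool(flags & TCA),
    }


def encode_rstp_flags(role: str, learning=False, forwarding=False,
                      proposal=False, agreement=False, tc=False) -> int:
    """Build the flags byte an RSTP bridge would send for a port."""
    flags = ROLE_CODES[role] << ROLE_SHIFT
    for on, bit in ((learning, LEARNING), (forwarding, FORWARDING),
                    (proposal, PROPOSAL), (agreement, AGREEMENT), (tc, TC)):
        if on:
            flags |= bit
    return flags


def looks_like_legacy_stp(flags: int) -> bool:
    """True when only the two 802.1D bits (TC, TCA) could be in use.
    A real RSTP BPDU always carries a non-zero port role, so this
    distinguishes the two framings as the chapter describes."""
    return (flags & RSTP_ONLY_BITS) == 0


if __name__ == "__main__":
    f = encode_rstp_flags("designated", learning=True, forwarding=True)
    print(hex(f), decode_flags(f))
    print("0x01 legacy STP?", looks_like_legacy_stp(0x01))
    print("0x3c legacy STP?", looks_like_legacy_stp(f))
```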
Port States
RSTP is based on 802.1D STP. RSTP chooses one switch to function as the
root and all switches then designate the appropriate port states for their ports
to ensure a loop-free topology. Many of the terms and concepts are the same
between the two STPs, such as port and path cost, port priority, switch or
bridge ID, and so on. However, compared to STP, RSTP contains two additional port roles, Alternate and Backup, which help with fast convergence.
Table 5.1 lists RSTP's port states and their functions. As you can see from the
table, RSTP has only three port states, as compared to STP's five. STP's disabled, blocking, and listening states have been combined into a single RSTP
state: discarding.
Table 5.1 RSTP Port States

RSTP Port State   Port Included in STP Topology?   [second column heading lost in extraction]
Discarding        No                               No
Learning          Yes                              Yes
Forwarding        Yes                              Yes
One problem with STP is that the state the port is placed in is directly associated with the role that the port plays. For example, a root or designated
port is in a forwarding state. With RSTP, the role and state that a port is
placed in are separate.
Know the three RSTP port states in Table 5.1: discarding, learning, and forwarding.
Port Roles
RSTP adds two additional port roles to help with convergence issues. Table
5.2 lists all the port roles used in RSTP. As you can see from this table, there
are two new port roles: alternate and backup. An alternate port backs up a
root port, whereas a backup port backs up a designated port.
Table 5.2 RSTP Port Roles

RSTP Port Role   Explanation
Root             The port with the best path to the root switch
Designated       The forwarding port for a segment
Alternate        Backs up the root port
Backup           Backs up a designated port
Disabled         A port that is not participating in RSTP
Understand the RSTP port roles in Table 5.2: an alternate root port backs up the root
port and a backup port backs up the designated port.
One of the interesting things about RSTP is that it uses the same STP algorithm to calculate paths to the root. Therefore, a network using RSTP has
the same default loop-free topology that STP would have created. In other
words, there are no changes in choosing a root switch, calculating accumulated path costs, or choosing a root or designated port. The main difference
is what occurs when changes happen in the network that would normally
cause 802.1D STP to rerun, which, as you saw in the previous chapter, creates convergence issues.
Convergence Features
RSTP implements a handful of features to speed up convergence. The
first of those features is similar to Cisco's BackboneFast STP enhancement.
With this feature, if an 802.1W switch receives an inferior BPDU (a root
BPDU with a better accumulated path cost was received on a nonroot port),
the switch floods this new information to other switches and begins its STP
calculation process to choose a new root port and form a new loop-free
Layer 2 topology.
However, the main convergence enhancement of RSTP is a feature called
Rapid Transition to Forwarding (RTF). In 802.1D, switches had to wait for
ports to go through all of their states (30-50 seconds) before a port could be
placed in a forwarding state and user traffic could be processed. In many
examples, this doesn't make sense, especially the Layer 2 disruption of a
switched network when only an insignificant topology change occurs, such
as when a port connected to a PC becomes active.
[Table of RTF port components (explanation column lost in extraction): Edge port; Link type. Both are described next.]
The edge port component is used to determine whether a switch is connected to your switch. It learns this by listening for BPDUs on the port. If your
switch doesn't receive any BPDUs on the port, the switch designates the port
as an edge port. Changes in the status of an edge port do not cause RSTP to
recalculate. In other words, if a PC is connected to your switch, this port is
considered an edge port. If you reboot your PC, your switch does not make
any changes in RSTP or notify any other devices about this change in port
state.
An edge port is left in a forwarding state unless a BPDU is received on it, at
which point an RSTP calculation occurs to ensure that no loops have been
created. The edge port then loses its status as an edge port and becomes a
normal STP port. Cisco's PortFast is similar to RSTP's edge port concept.
The major difference is that Cisco's PortFast feature always keeps a port in a
forwarding state even if a BPDU is received on it. Therefore, it's possible to
have Layer 2 loops with Cisco's PortFast feature if you aren't careful about
the ports on which you enable it. RSTP's edge port feature overcomes this
problem by listening for BPDUs on the port to ensure that no loops are or
will be created. If a port is either an edge port or is in a discarding state, the
port is said to be in sync.
The link type of a port is determined by the duplex setting on the port. If
your port is configured or detected as full duplex, the link type is considered
pt-pt. If your port is configured or detected as half-duplex, the link type is
considered as a shared medium.
Know how RSTP uses edge ports and link types in determining what a port is
connected to.
Topology Changes
When any topology change occurs in 802.1D, the root switch is notified first
and the root switch then propagates this information to all other switches.
When other bridges receive this update, they begin the recalculation process.
With RSTP, only changes on nonedge ports cause a topology change to
occur. Therefore, if someone turns on her PC, it does not cause RSTP to
perform a recalculation, but it would cause 802.1D to do so. When RSTP
detects a topology change, the switch performs the following actions:
1. The switch starts a timer (called TC While), which is set to two times
the hello interval for all nonedge ports, including all designated ports
and the root port, if necessary.
2. The switch removes all MAC addresses from the CAM table associated
RSTP switch fails, RSTP automatically takes the port in an alternate state
(the port is still receiving BPDUs from the root) and immediately moves it
to a forwarding state.
[Table comparing PVST, CST, and MST; only the row labels and some check marks (X) survived extraction.]
Regions
A region in MST is where all the switches have the same base MST configuration. To belong to a region, switches must have the following information
identically configured on each switch:
The region name (32 bytes)
The revision number (2 bytes)
VLAN table contents (4,096 VLANs)
If two switches have this information identically configured, the two switches belong to the same region. Otherwise, the switches are considered to be
in separate regions.
When multicasting BPDUs, switches include the three components from the
preceding list in the BPDUs. The exception to this is the VLAN table to
instance mapping. This table mapping is instead run through a digest function
and the output is included in the BPDU. This is to reduce the amount of information contained in the BPDU. The destination switch takes its own table and
runs it through the same digest function. If the output is the same, the VLAN
table mapping has been configured the same way on both switches.
To belong to the same region, all switches in the region must have the same region
name, revision number, and VLAN table mappings.
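The passage above says the VLAN-to-instance table is run through a digest function and only the digest travels in the BPDU. The code below is an added example for this page, not code from the book or from Cisco; it assumes the digest the chapter refers to is the one IEEE 802.1s specifies (HMAC-MD5 over the 4096-entry table of 16-bit instance numbers, using the fixed key 13AC06A62E47FD51F95D2BA243CD0346), and the function names and the region dictionaries are this example's own. It shows why two switches with the same name and revision but one VLAN mapped differently end up in separate regions.

```python
import hashlib
import hmac
import struct

# Fixed HMAC key from IEEE 802.1s for the MST configuration digest (assumed
# to be the digest function the chapter means).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
TABLE_ENTRIES = 4096            # one 16-bit instance number per VLAN ID


def vlan_table(instance_map: dict) -> bytes:
    """Serialise {vlan_id: instance} as 4096 big-endian 16-bit entries.
    Unlisted VLANs belong to instance 0 (the CIST); entries 0 and 4095
    are always 0 because those VLAN IDs are reserved."""
    table = [0] * TABLE_ENTRIES
    for vlan, inst in instance_map.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if not 0 <= inst <= 4094:
            raise ValueError(f"instance {inst} out of range")
        table[vlan] = inst
    return struct.pack(f"!{TABLE_ENTRIES}H", *table)


def config_digest(instance_map: dict) -> bytes:
    """16-byte digest that replaces the full table in the BPDU."""
    return hmac.new(MST_DIGEST_KEY, vlan_table(instance_map), hashlib.md5).digest()


def same_region(a: dict, b: dict) -> bool:
    """Region membership test as the chapter states it: identical name
    (max 32 bytes), identical revision (16-bit) and identical digest."""
    for r in (a, b):
        if len(r["name"].encode()) > 32 or not 0 <= r["revision"] <= 0xFFFF:
            raise ValueError("invalid region name or revision")
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and config_digest(a["instance_map"]) == config_digest(b["instance_map"]))


if __name__ == "__main__":
    # Constructed sample regions
    campus = {"name": "campus", "revision": 1, "instance_map": {10: 1, 20: 1, 30: 2}}
    twin = dict(campus, instance_map={10: 1, 20: 1, 30: 2})
    drift = dict(campus, instance_map={10: 1, 20: 2, 30: 2})
    print("digest:", config_digest(campus["instance_map"]).hex())
    print("campus == twin:", same_region(campus, twin))
    print("campus == drift:", same_region(campus, drift))
```

Comparing digests rather than tables is also a quick way to confirm from a change-management script that every switch in a region really carries the same mapping before a VLAN cut-over.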
[Figure (not reproduced). Labels: Switch 2, Switch 3, Switch 4, MST Region, Switch 6, Switch 7, Switch 8, Switch 9; blocked ports marked X.]
Feature          Support?
PortFast         Yes
UplinkFast       No
BackboneFast     No
Private VLANs    Yes
After you've enabled MST, you must perform additional configuration tasks,
including the setup of your MST instances. Here are the commands to set
up your VLAN instances:
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name region_name
Switch(config-mst)# revision revision_number
Switch(config-mst)# instance instance_number vlan VLAN_range
Switch(config-mst)# show current|pending
Switch(config-mst)# end
The name of the region and the revision number of the region must be the
same on all switches if you want them to interact with each other. The
instance number specifies which VLANs will belong to the specified
instance. You can specify a single VLAN or a range of VLANs, such as 5-9.
The show current command displays the active MST configuration after you
exit your MST configuration. show pending displays the changes you've made
to MST. Note that both of these show commands are done within the MST
configuration section.
The show spanning-tree mst configuration command displays the MST configuration.
There are many optional parameters for the show spanning-tree mst command. If you use the interface parameter, the command displays the switch
ID, root switch, and the role, status, cost, priority, and link type of the specified interface. If you use the detail parameter, the command shows all MST
information, including each interface's information.
EtherChannels
EtherChannel is a technology that enables you to aggregate up to 8 Fast
Ethernet or Gigabit Ethernet connections, providing up to 1,600Mbps or
16Gbps of bandwidth (in full duplex mode). The channel is treated as one
logical connection between two switches. Even if one of the connections fails
in the EtherChannel, the other connections still operate properly.
EtherChannels are supported for both Layer 2 and Layer 3 connections.
Operation of EtherChannels
A link failure is transparent to the user because traffic is rerouted across
another of the channel connections in less than a handful of milliseconds.
When a failure occurs, the Ethernet controller sends information to the
switch's processor about the failure, and the processor correctly reroutes the
traffic across one of the other links in the EtherChannel.
EtherChannels also eliminate the problem of redundant links when STP
runs in a network. When running in a looped environment, STP removes
redundant connections by placing them in standby mode, thus reducing a
network's total available bandwidth. STP treats Fast EtherChannels as one
logical link. Even if one of the connections in the channel fails, the channel
itself is considered unchanged; STP isn't recalculated, thus avoiding the disruption of network services.
Table 5.5 PAgP and LACP Modes

Mode        Protocol   Description
on          Neither    Forms the channel unconditionally, without negotiation
auto        PAgP       Responds to PAgP negotiation but does not initiate it
desirable   PAgP       Actively initiates PAgP negotiation
passive     LACP       Responds to LACP negotiation but does not initiate it
active      LACP       Actively initiates LACP negotiation
Note that these modes are similar to the modes used by Cisco's DTP when
forming trunk connections between two Cisco switches. However, the
modes in Table 5.5 are used only to build EtherChannel connections
between Cisco switches.
Ports will form a channel with PAgP if one side is set to desirable and the
other side is set to desirable or auto. Two sets of ports in auto mode will not
form a channel.
The on mode should be used if you want to form a channel, but do not want to use
either LACP or PAgP to dynamically form channels.
Configuring EtherChannels
This section covers the basics of setting up and troubleshooting an
EtherChannel connection. Before I get started with the actual configuration
commands, there are some important guidelines that must be followed for
setting up a successful EtherChannel connection. These are discussed in the
next section.
EtherChannel Guidelines
When youre setting up a channel, each of the ports in the channel has to be
configured exactly the same; otherwise, an EtherChannel will not be formed.
Follow these guidelines when setting up EtherChannels:
Only eight interfaces are supported, but these interfaces do not have to
you're using manual pruning) must match on all trunks in the channel; this applies to Layer 2 channels.
The ports cannot be in a dynamic VLAN; otherwise, the switch's
The broadcast-suppression configuration must be specified as a percent-
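Two checks fall out of Table 5.5 and the guidelines above: whether the mode on each end of a link will actually negotiate a bundle, and whether the member ports on one switch are configured identically. The script below is an added example for this page, not code from the book or from Cisco; the MemberPort fields are an assumed subset of the guideline list, and the function names are this example's own. Running it before a change gives the same answer the switch would give after it, minus the outage.

```python
from dataclasses import dataclass

PROTOCOL = {"on": None, "auto": "PAgP", "desirable": "PAgP",
            "passive": "LACP", "active": "LACP"}
INITIATES = {"desirable", "active"}   # modes that send negotiation packets


def negotiation_result(mode_a: str, mode_b: str):
    """Protocol that bundles the link given the mode on each side, or None.
    Encodes the Table 5.5 rules together with the desirable/auto text."""
    pa, pb = PROTOCOL[mode_a], PROTOCOL[mode_b]     # KeyError on a typo
    if "on" in (mode_a, mode_b):
        return "static" if mode_a == mode_b else None   # on pairs only with on
    if pa != pb:
        return None                                      # PAgP never talks to LACP
    if mode_a in INITIATES or mode_b in INITIATES:
        return pa
    return None                                          # auto/auto, passive/passive


@dataclass(frozen=True)
class MemberPort:
    """Per-port settings that must match across a channel (assumed subset
    of the guideline list; field names belong to this example)."""
    name: str
    mode: str
    speed: str = "100"
    duplex: str = "full"
    switchport_mode: str = "access"
    native_vlan: int = 1
    allowed_vlans: frozenset = frozenset({1})


COMPARED = ("mode", "speed", "duplex", "switchport_mode",
            "native_vlan", "allowed_vlans")


def check_bundle(ports) -> list:
    """Reasons the candidate members will not bundle; empty means consistent."""
    problems = []
    if not 1 <= len(ports) <= 8:
        problems.append(f"{len(ports)} members; a channel takes 1-8 interfaces")
    ref = ports[0]
    for p in ports[1:]:
        for attr in COMPARED:
            if getattr(p, attr) != getattr(ref, attr):
                problems.append(
                    f"{p.name}: {attr}={getattr(p, attr)!r} differs from {ref.name}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration
    for a, b in (("desirable", "auto"), ("auto", "auto"), ("active", "passive"),
                 ("on", "desirable"), ("desirable", "active")):
        print(f"{a:>9} <-> {b:<9} -> {negotiation_result(a, b)}")
    members = [MemberPort("Gi0/1", "desirable"),
               MemberPort("Gi0/2", "desirable", duplex="half")]
    print(check_bundle(members))
```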
Configuration Commands
There are two ways that you can create EtherChannels: based on Layer 2 or
Layer 3 connections. This is useful depending on how you want your two
connected switches to load-balance across the channel, based on MAC
addresses or Layer 3 (IP) addresses. Load balancing is discussed a little later
in this section.
If you want to create a Layer 2 EtherChannel, use the following commands:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# channel-protocol lacp|pagp
Switch(config-if)# channel-group group_# [mode channel_mode]
Switch(config-if)# lacp system-priority priority_#
Switch(config-if)# lacp port-priority priority_#
Instead of configuring each interface individually, you can use this command
if the interfaces are contiguous on the same module:
Switch(config)# interface range type slot_#/start_port_# - end_port_#
When specifying the beginning and ending port numbers, you must separate
them by a space, a dash, and then a space, like this:
Switch(config)# interface range fastethernet 0/1 - 4
to the use of PAgP in Auto mode. The valid modes were listed previously in
Table 5.5.
Use the channel-group command to include an interface in an EtherChannel.
The two lacp commands configure the system and port priorities for use with
LACP.
To create a Layer 3 EtherChannel, first configure a Layer 2 EtherChannel.
After that, create a logical interface and assign an IP address to it, like this:
Switch(config)# interface port-channel channel_group_#
Switch(config-if)# no switchport
Switch(config-if)# ip address IP_address subnet_mask
Table 5.6 lists the valid modes that you can choose from when load balancing across an EtherChannel.
Table 5.6 Load Balancing Modes

Mode           Description
src-mac        Use the source MAC address in the frame
dst-mac        Use the destination MAC address in the frame
src-dst-mac    Use both the source and destination MAC addresses in the frame
src-ip         Use the source IP address in the packet header
dst-ip         Use the destination IP address in the packet header
src-dst-ip     Use both the source and destination IP addresses in the packet header
src-port       Use the source TCP or UDP port number in the segment header
dst-port       Use the destination TCP or UDP port number in the segment header
src-dst-port   Use both the source and destination TCP or UDP port numbers in the segment header
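Table 5.6 lists the modes but not why the choice matters. The model below is an added example for this page, not code from the book or from Cisco; it assumes a simplified version of the Cisco hash (XOR the selected fields, keep the low-order bits, map the resulting bucket onto the member links), and its function names are its own. It reproduces the classic polarisation problem: with many hosts talking to one router, dst-mac puts every flow on the same link while src-mac spreads them, and any single flow always lands on one link no matter how many links the channel has.

```python
import ipaddress
from collections import Counter

HASH_BITS = 3   # 8 hash buckets; assumed simplification of the Cisco XOR hash


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def hash_key(mode: str, frame: dict) -> int:
    """XOR together the header fields that the load-balancing mode selects.
    mode is one of the Table 5.6 names, e.g. 'src-dst-ip'."""
    parts = mode.split("-")                 # ['src', 'dst', 'ip']
    kind, sides = parts[-1], parts[:-1]
    values = {
        "mac": {"src": mac_to_int(frame["src_mac"]),
                "dst": mac_to_int(frame["dst_mac"])},
        "ip": {"src": int(ipaddress.ip_address(frame["src_ip"])),
               "dst": int(ipaddress.ip_address(frame["dst_ip"]))},
        "port": {"src": frame["src_port"], "dst": frame["dst_port"]},
    }[kind]
    key = 0
    for side in sides:
        key ^= values[side]
    return key


def select_link(mode: str, frame: dict, n_links: int) -> int:
    """Index of the member link a frame is sent on (deterministic per flow)."""
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel has 1 to 8 links")
    bucket = hash_key(mode, frame) & ((1 << HASH_BITS) - 1)
    return bucket % n_links


def distribution(mode: str, frames, n_links: int) -> Counter:
    """How many of the given frames land on each link."""
    return Counter(select_link(mode, f, n_links) for f in frames)


# Constructed traffic: eight hosts all sending to the same router MAC/IP
SAMPLE_FRAMES = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "00:00:0c:07:ac:01",
     "src_ip": f"10.0.0.{i + 1}", "dst_ip": "10.0.0.254",
     "src_port": 40000 + i, "dst_port": 443}
    for i in range(8)
]

if __name__ == "__main__":
    for mode in ("dst-mac", "src-mac", "src-dst-ip"):
        print(f"{mode:<11} over 2 links:", dict(distribution(mode, SAMPLE_FRAMES, 2)))
```

The practical rule this demonstrates: pick a mode whose selected field actually varies across the flows crossing that channel (source addresses on a channel toward a gateway, destination addresses on the way back), and do not expect one large flow to exceed a single link's speed.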
Verification Commands
You can use a variety of commands to examine the configuration and operation of your EtherChannels. This section takes a look at a few of them.
To view EtherChannel information for a specific interface, use the following
command:
Switch> show interfaces [type slot_#/port_#] etherchannel
Here's an example:
Switch> show interfaces etherchannel
---GigabitEthernet0/1:
Port state = Down Not-in-Bndl
Channel group = 1 Mode = Desirable-Sl Gcchange = 0
Port-channel = null GC = 0x00000000 Pseudo port-channel = Po1
Port index = 0 Load = 0x00
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
A - Device is in Auto mode. P - Device learns on physical port.
d - PAgP is down.
Timers: H - Hello timer is running. Q - Quit timer is running.
S - Switching timer is running. I - Interface timer is running.
Local information:
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Gi0/1 d U1/S1 1s 0 128 Any 0
Age of the port in the current state: 4d:02h:12m:15s
<--output truncated-->
If you specify a specific interface, you can see more details concerning the
channeling functions, including LACP and PAgP.
If you want to see information concerning the logical EtherChannel connection (port-channel), use the following command:
Switch> show etherchannel [channel_#] [port-channel|load-balance]
Here's an example:
Switch> show etherchannel 1 port-channel
Port-channels in the group:
----------------------
Port-channel: Po1
------------
Age of the Port-channel   = 00d:00h:03m:29s
Logical slot/port   = 1/0          Number of ports = 2
GC                  = 0x00010001   HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Ports in the Port-channel:
Index   Load   Port     EC state
------+------+------+------------
  0     00     Gi0/1    desirable-sl
  0     00     Gi0/2    desirable-sl
Time since last port bundled:    00d:00h:03m:21s    Gi0/1
At the bottom of the display, you can see that this port-channel has two interfaces, with no current load on the connection. Also, PAgP is being used with
desirable mode configured.
To see what type of load balancing you're using on your channel, use the
load-balance parameter with the show command you saw earlier.
In this example, both the source and destination IP addresses are used for
load balancing purposes.
BPDU Skewing
BPDU skewing refers to the time differential between when BPDUs are
expected to be received by a switch and when they are actually received.
BPDU skewing can occur in any of the following situations:
STP topology changes occur
One of STPs timers expires
A BPDU is not received within the expected time interval
When any of these three occurrences happens, switches flood the network
with BPDUs to ensure that the most up-to-date information is contained in
the STP topology table.
When skewing occurs, a syslog message can be generated to indicate a possible problem. Of course, if it's a time of very high network activity, and if
you are using PVST (BPDUs for each VLAN), this could create a lot of
unnecessary syslog messages.
BPDU skewing is disabled by default. When it's enabled, BPDU skewing
ensures that syslog messages are generated only once every 60 seconds. To
enable BPDU skewing, you cannot use the IOS; you must use the CatOS
set spantree bpdu-skewing command.
Root Guard
Root Guard is a Cisco feature that you can use to force a particular port to be
a designated port to ensure that any switch connected to it does not become
a root switch. Root Guard enables you to create an STP topology in which
you explicitly control which switch becomes and stays the root switch (barring
any failures). This is typically done to maintain an optimal configuration.
Let's look at an example in which Root Guard can help. I'll use the network
shown in the top-left portion of Figure 5.5. In this figure, there are two distribution layer switches and one access layer switch, with the left-side distribution layer switch being the root. In the bottom-right portion of the figure,
a new switch is directly connected to the access layer switch. This switch has
a lower switch ID than the current root, so the new switch is promoted as
root and a new topology is created. In this example, if you have other switches connected to the two distribution layer switches like switch 3, and if these
switches previously used switch 1 to reach the distribution layer, any
resources off of switch 2 would require a switching path of switch 1, switch
3, and then switch 2. This is not an optimal configuration; especially with
traffic flowing through a lower model, worse performing access layer switch.
During high traffic volumes, the performance of switch 3 could be affected
drastically.
Cisco highly stresses the use of this feature in switched networks.
Figure 5.5 STP root bridge problem. [Figure not reproduced.]
Root Guard can be used to prevent this problem. It is configured on a per-port basis and prevents a port from becoming a root port. When configured,
if a Root Guard port receives a BPDU with a better path to the root, the port
is disabled and the BPDU information is ignored. Here's the message that
you would see if this occurs:
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/5 tried to become non-designated
in VLAN 3. Moved to root-inconsistent state.
Given our example in Figure 5.5, when switch 4 is connected to switch 3, and
if Root Guard is enabled on this port, switch 3 would disable the offending
port and ignore switch 4's BPDU. By doing this, the current STP topology
shown in the top-left corner of the figure would be preserved.
To enable Root Guard, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree guard root
To examine your port's Root Guard configuration, use the show running-config interface command. To actually see the list of ports where Root Guard
has detected a violation, use this command:
Switch>
Name
-------
VLAN001
VLAN002
VLAN003
In this example, FastEthernet 0/5 has an inconsistency for VLANs 1-3. This
indicates that this is a trunk connection to another switch and that the other
switch is advertising a lower switch ID than the current root.
Root Guard forces a particular port to be a designated port to ensure that a switch
connected to it does not become a root switch. If a Root Guard port receives a BPDU
with a better path to the root, the port is disabled (marked as inconsistent) and the
BPDU information is ignored. Use the spanning-tree guard root command to enable
this feature.
If an interface has been disabled by UDLD and you've fixed the problem, use
the udld reset command to re-enable these interfaces. They will be automatically re-enabled when the problem is fixed and the timeout period expires.
To examine your UDLD configuration and operation, use this command:
Switch> show udld [type slot_#/port_#]
Loop Guard
The Loop Guard feature is similar to UDLD. Loop Guard is used to detect
loops caused typically by unidirectional connections. Let's take a look at the
example shown in Figure 5.6. In the left side of this example, there has been
a connection failure between switch 1 and switch 3, causing a unidirectional
connection where switch 3 can send to switch 1, but switch 1 can't send to
switch 3. Given this situation, switch 3 assumes a failure on its root port and
goes through the process of taking its backup port (to switch 2) and moving
it through the different port states, eventually ending in the forwarding state.
This would cause a one-direction loop in a clockwise direction.
[Figure 5.6 Loop Guard. Left, problem without Loop Guard: after the connection between Switch 1 and Switch 3 becomes unidirectional, the STP-blocked port on Switch 3 (toward Switch 2) is moved to forwarding. Right, problem with Loop Guard: the same port is placed in the loop-inconsistent state instead.]
Loop Guard can be used to prevent this kind of problem. Loop Guard performs an additional check: If BPDUs are no longer being received on a nondesignated port, instead of moving the port through listening, learning, and forwarding, Loop Guard places the port in a blocked state, marking it as inconsistent. When this occurs, you'll see the following message logged to your console:
SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
One nice feature of Loop Guard, as compared to UDLD, is that when the
problem is fixed, Loop Guard has the ports transition back to the correct
states, as well as generate a message on the console indicating this process:
SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
Loop Guard is disabled by default. If you want to use this feature, enable it on the ports that are in a blocking state by default, that is, the nondesignated ports. For EtherChannels, Loop Guard ensures that the entire channel is blocked for the appropriate VLANs if a problem occurs (not just one interface in the channel). Use this command to enable Loop Guard:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree guard loop
Notice that this is the same spanning-tree guard command that enabled Root Guard, with the loop keyword in place of root. Loop Guard and Root Guard are mutually exclusive on a port: Root Guard applies to designated ports, Loop Guard to nondesignated ports, and configuring one of them on an interface replaces the other.
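The two console messages quoted above are what a monitoring pipeline should key on. The following Python is an added example, not from the book or from Cisco: it parses the SPANTREE-2-LOOPGUARDBLOCK and SPANTREE-2-LOOPGUARDUNBLOCK messages out of constructed syslog lines (the timestamp, hostname and percent-sign prefix are assumed syslog framing, not shown in the text), reports which port/VLAN pairs are still loop-inconsistent, and flags a port that keeps cycling between blocked and restored, which points to an intermittent unidirectional link rather than a one-off fault.

```python
"""Tracking Loop Guard syslog events (added example, not from the book).

Parses SPANTREE-2-LOOPGUARDBLOCK / LOOPGUARDUNBLOCK messages out of a
syslog feed, reports which port/VLAN pairs are still loop-inconsistent,
and flags ports that keep flapping between the two states. The log lines
below are constructed for this example.
"""
import re
from collections import Counter

BLOCK_RE = re.compile(
    r"SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port (\S+) in vlan (\d+)")
UNBLOCK_RE = re.compile(
    r"SPANTREE-2-LOOPGUARDUNBLOCK: port (\S+) restored in vlan (\d+)")

# Constructed syslog lines using the message text shown above; the
# timestamp/host prefix is assumed syslog framing.
SAMPLE_LOG = """\
Mar  1 10:00:01 sw1 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
Mar  1 10:00:05 sw1 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 2. Moved to loop-inconsistent state.
Mar  1 10:00:40 sw1 %SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
Mar  1 10:01:10 sw1 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
Mar  1 10:01:45 sw1 %SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
Mar  1 10:02:15 sw1 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
Mar  1 10:02:20 sw1 %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/7 in vlan 10. Moved to loop-inconsistent state.
Mar  1 10:02:50 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to down
"""


def parse_events(text):
    """Return [(action, port, vlan), ...] for each Loop Guard message, in order."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append(("block", m.group(1), int(m.group(2))))
            continue
        m = UNBLOCK_RE.search(line)
        if m:
            events.append(("unblock", m.group(1), int(m.group(2))))
    return events


def still_inconsistent(events):
    """Port/VLAN pairs whose most recent event was a block."""
    last = {}
    for action, port, vlan in events:
        last[(port, vlan)] = action
    return sorted(key for key, action in last.items() if action == "block")


def flapping_ports(events, min_blocks=3):
    """Ports blocked at least min_blocks times: suspect an intermittent link."""
    counts = Counter(port for action, port, _ in events if action == "block")
    return sorted(port for port, n in counts.items() if n >= min_blocks)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("loop-inconsistent:", still_inconsistent(ev))
    print("flapping:", flapping_ports(ev))
```

Run against a real syslog export, the still-inconsistent list tells you where to look with show spanning-tree, and the flapping list is the one to cross-check against UDLD, since a link that Loop Guard blocks and restores every minute is behaving like a marginal fiber pair rather than a switch that stopped sending BPDUs.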
As you can see from this and the last section, Loop Guard and UDLD are
similar in function. Table 5.7 compares these two features.
Table 5.7 Comparing UDLD and Loop Guard

Operation                                  UDLD                              Loop Guard
-----------------------------------------  --------------------------------  ------------------------------------------
Configuration?                             Per port, on uplink ports         Per port, on nondesignated (blocking) ports
Blocking affects?                          Single port                       Entire EtherChannel for the affected VLAN
Re-enabling inconsistent ports?            After the timeout period expires  Automatically, as soon as BPDUs are
                                           (or udld reset)                   received again
Unidirectional link protection?            Yes                               Yes
STP software failure protection            No                                Yes
(switch stops sending BPDUs)?
Works on shared-medium connections?        Yes                               No
As you can see in Table 5.7, UDLD and Loop Guard have some similar functions, but differ in what they accomplish. If there is a software problem in which a switch is prevented from sending BPDUs, Loop Guard will detect it, but UDLD won't. However, on a shared-medium connection, Loop Guard won't function, but UDLD will. Another advantage of UDLD is that if a connection failure causes a unidirectional connection on one link in an EtherChannel, UDLD disables only that specific link in the channel, whereas Loop Guard blocks the entire channel for the specific VLAN.
Know the similarities and differences between UDLD and Loop Guard features shown
in Table 5.7.
Problems
One of the first STP enhancement features discussed in this chapter was Cisco's PortFast feature, which reduces the number of times STP is rerun because of port state changes. With PortFast, a port is placed directly into the forwarding state, and a state change on a PortFast port doesn't cause STP to rerun. However, if you attach a switch to a PortFast port and that switch has connections to other parts of your network, you would inadvertently create Layer 2 loops. When using PortFast, you should complement it with the BPDU Guard or BPDU filtering features so that a switch (or anything else that sends BPDUs) plugged into such a port is caught.
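Because the risky combination is a matter of configuration, it can be checked mechanically. The following Python is an added example, not from the book or from Cisco: it walks a constructed IOS running-config and reports every PortFast interface that is not covered by BPDU Guard (per interface, or through the global spanning-tree portfast bpduguard default) or by BPDU filtering, and any PortFast interface that is also configured as a trunk. The hostname, interface names and configuration lines are constructed for the example.

```python
"""Audit PortFast ports for BPDU Guard coverage (added example, not from the book).

Walks an IOS running-config and reports interfaces that have PortFast but
no BPDU Guard or BPDU filtering protecting them; an unguarded PortFast
port is where an accidentally or maliciously attached switch can create a
Layer 2 loop. A global "spanning-tree portfast bpduguard default" counts
as covering every PortFast port. The configuration is constructed.
"""

SAMPLE_CONFIG = """\
hostname sw1
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root
!
end
"""


def parse_config(text):
    """Split an IOS config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or any other column-0 line ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit_portfast(text):
    """Return {interface: [findings]} for risky PortFast configurations."""
    global_lines, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, lines in interfaces.items():
        if not any(ln.startswith("spanning-tree portfast") for ln in lines):
            continue
        problems = []
        protected = (global_guard
                     or "spanning-tree bpduguard enable" in lines
                     or "spanning-tree bpdufilter enable" in lines)
        if not protected:
            problems.append("PortFast without BPDU Guard or BPDU filtering")
        if "switchport mode trunk" in lines:
            problems.append("PortFast on a trunk port (switch-to-switch link)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for intf, probs in audit_portfast(SAMPLE_CONFIG).items():
        for p in probs:
            print(f"{intf}: {p}")
```

Feeding it the output of show running-config from every access switch turns the advice in the paragraph into a pass/fail list; the global default is the cheapest fix, since it protects every current and future PortFast port in one line.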
Something as simple as mismatched duplexing can also create STP problems. If one side is set to half-duplex and the other to full-duplex through an autonegotiation problem, and both sides send frames simultaneously, a collision occurs. Unfortunately, the full-duplex side performs no collision detection, so it won't notice. If this causes BPDUs to be missed, the STP algorithm might rerun itself. In a worst-case situation, a loop might occur when a port in a blocking state is accidentally brought to a forwarding state.
If a bad wire connection is corrupting some of your frames, it can also lead to STP issues, especially if it's the BPDUs that are being corrupted. Or, if your switch is continually performing STP functions (which are done in software), this could create an over-utilization problem on your switch, causing STP instability problems.
Troubleshooting Steps
Whenever you experience STP problems in your network, you should
approach the problem in a methodical manner. Use the following steps to
help you with your troubleshooting:
1. Have a network diagram in front of you that describes the physical
3. Examine the status of the interfaces to see the STP state that they're in
debug Commands
Like Cisco routers, Catalyst switches support the debug command. This command enables you to display detailed events for a specific process. Care must be taken when using these commands because they're very resource-intensive. You must be in privileged EXEC mode to execute them. Table 5.8 displays some of the more common debug commands that you would use to troubleshoot STP problems.
Table 5.8 STP debug Commands

Command                             Explanation
----------------------------------  -----------------------------------------
debug spanning-tree backbonefast    Displays BackboneFast events as they occur
debug spanning-tree uplinkfast      Displays UplinkFast events as they occur
Summary
PortFast, UplinkFast, and BackboneFast are Cisco-proprietary STP enhancement features. All are disabled by default. PortFast moves a port directly into the forwarding state, skipping the listening and learning states; nonswitch and nonbridge devices should be connected to PortFast ports. To enable PortFast, use the spanning-tree portfast interface command. To prevent inadvertent switch connections to PortFast ports, you can use the BPDU Guard and filter features. BPDU Guard shuts down a PortFast port if a BPDU is received on it. If BPDU filtering detects more than 10 BPDUs on a port, it disables PortFast on the port and treats it as a normal STP port.
UplinkFast provides fast convergence for uplink ports. If the root port fails,
a secondary uplink port can be immediately taken from a blocking state and
placed in a forwarding state. Use the spanning-tree uplinkfast command to
enable UplinkFast on your switch.
Unlike UplinkFast, BackboneFast can detect failures on connections not directly connected to a switch. BackboneFast detects this condition by looking for inferior BPDUs on blocking ports. When it sees an inferior BPDU show up on a blocking port, it starts the STP process of moving the port from blocking to listening and eventually to a forwarding state. Use the spanning-tree backbonefast command to enable BackboneFast.
IEEE enhanced 802.1D STP into RSTP (802.1w). RSTP provides better performance than Cisco's proprietary Fast features. RSTP has only three port states: discarding, learning, and forwarding. There are two additional port roles. An alternate port is a standby for the root port. A backup port is a standby for a designated port. RSTP determines which ports are edge ports and places them into a forwarding state. An edge port is connected to a nonswitch device. This is similar to PortFast.
MST is IEEEs version of Ciscos PVST. MST is more scalable than Ciscos
PVST because MST uses instances for STP, and an instance can contain
multiple VLANs. Switches in an MST region have the same region name,
revision number, and VLAN table contents. For backward-compatibility
when connecting to a CST switch, MST has an IST, which makes the MST
region look like a single virtual switch to the CST switch.
EtherChannels enable you to bundle up to eight FastEthernet or Gigabit Ethernet connections to supply 1.6Gbps to 16Gbps of bandwidth (in a full-duplex configuration). Connections in the channel must be configured identically to be part of the EtherChannel. Channels provide an advantage in an STP environment: If one connection fails in the channel, the link still remains
operational. PAgP (a Cisco protocol) and LACP (an IEEE protocol) allow
channels to be dynamically formed by sharing configuration information
across channel-capable connections. For PAgP, one side has to be set to
desirable and the other side has to be set to auto or desirable. For LACP, one
side has to be set to active and the other side has to be set to active or passive.
An on mode enables channeling, but disables PAgP and LACP. Use the
channel-group command to include an interface in a channel.
Root Guard enables you to force a particular port to be a designated port so
that a connected switch does not become a root switch. When a violation
occurs, the offending port is placed into an inconsistent state and an error
message is generated. This feature is disabled by default, but can be enabled
with the spanning-tree guard root command.
The UDLD feature checks to see whether any unidirectional connections exist on the switch's interfaces. If any are found, the switch disables the interfaces. Unidirectional connections can cause one-way bridging loops. To enable UDLD, use the udld enable command. UDLD is automatically enabled on fiber-optic interfaces. Loop Guard is similar to UDLD. Loop Guard typically detects STP software issues, whereas UDLD detects Layer 1 issues. To enable Loop Guard, use the spanning-tree guard loop command.
When troubleshooting STP issues, you should first have a network diagram of your network layout, including your STP setup. Use show commands to discover loops. Any loops that you discover should be broken up by disabling interfaces. Examine the status of your interfaces to determine where loops are, as well as the CPU's and the interfaces' utilization. In certain cases, you might want to disable certain STP features to pinpoint a problem. The debug spanning-tree events command is useful when you're troubleshooting STP issues, including loops.
Question 2
In order for UplinkFast to function, the redundant port must be in a __________
state.
A. Blocking
B. Listening
C. Learning
D. Forwarding
Question 3
In RSTP, what type of port is similar to Cisco's PortFast enhancement?
A. Backup
B. Secondary
C. Uplink
D. Edge
Question 4
Which RSTP port role allows a port to be a redundant designated port?
A. Root
B. Alternate
C. Backup
D. Secondary
Question 5
Which STP allows multiple VLANs to share the same STP instance?
A. MST
B. CST
C. PVST
D. IST
Question 6
Which of the following does not have to match in order for switches to belong
to the same MST region?
A. Region name
B. Revision number
C. VLAN table contents
D. Priority
Question 7
You can have up to _________ connections in an EtherChannel.
A. 2
B. 4
C. 8
D. 16
Question 8
Which EtherChannel protocol is used to negotiate channeling between a Cisco
and non-Cisco switch?
A. PAgP
B. DTP
C. VTP
D. LACP
Question 9
When youre using Root Guard and a port receives a BPDU with a better path to
the root, what happens to the port?
A. The port is marked as inconsistent and disabled.
B. The port is moved to a forwarding state.
C. The port is kept in the current state.
D. The port is placed in a discarding state.
Question 10
Which STP feature detects Layer 1 unidirectional connections and disables the
connection, even if it is part of an EtherChannel?
A. Loop Guard
B. Root Guard
C. UDLD
D. PortFast
Answer C is correct. UDLD can detect unidirectional connections and disable them. One advantage that UDLD has over Loop Guard is that UDLD disables the particular connection, whereas Loop Guard blocks the entire channel, making answer A incorrect. Answer B is incorrect because Root Guard is used to force a particular port to be a designated port, ensuring that the switch it is connected to doesn't become a root switch. Answer D is incorrect because the PortFast feature is used to place a nonswitch port into a forwarding state and remove it from the STP topology.
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Spanning_Tree
6
Multilayer Switching
VLANs contain broadcasts, which enables you to scale your switched networks to much larger sizes. One downside is that to pass traffic between VLANs (different subnets), you need a Layer 3 device, such as a traditional router or a multilayer switch. This Layer 3 switching process is defined at the network layer of the seven-layer OSI Reference Model. This chapter covers both the traditional approach to this problem, using external routers, and multilayer switching (MLS) with internal routers.
The shift toward client/server applications, the deployment of bandwidth-intensive multicast applications, the need for improved response time and high-speed switching, and the centralization of servers have all become critical considerations in network design. To provide the necessary scalability in today's large campus environments, new technologies are needed to enhance both Layer 2 and Layer 3 performance.
The last chapter discussed many enhancements that you can configure on your switches to deal with STP. With the introduction of MLS, networks can scale their applications to any size and contain their broadcast and multicast traffic. This enables them to take advantage of Layer 2 switching speeds and price while still benefiting from the redundancy, convergence, and load balancing of Layer 3 routing protocols, such as IS-IS, OSPF, and EIGRP.
Routing Considerations
When implementing VLANs, you'll need some type of route processor (RP). An RP is a device that can switch information either between logical subnets (VLANs) or physical subnets (as in the traditional router). If the RP is performing a traditional routing role, it could be switching packets between different LAN media types, such as fiber distributed data interface (FDDI), Ethernet, and token ring. For WAN connections, it provides access to ISDN, frame relay, ATM, and dedicated circuit networks.
The RP is the main system processor in a Layer 3 device. It contains the main CPU, the operating system software, and most of the system memory components. Its primary function is to maintain and execute the management functions that control the Layer 3 device, including any routing protocols. The RP can be either an internal or an external device. An example of an external RP is a Cisco 3600 or 7600 Series router. An example of an internal RP is the Multilayer Switch Feature Card (MSFC) that's installed on the Supervisor Engine card in a Catalyst 6500 Series switch. For the purposes of this book, all these Layer 3 functions are referred to as RPs.
Before you sit down and start configuring your RPs, youll first have to plan
out your VLANs and configure them on your switches. During this VLAN
planning process, keep the following items in mind:
Your Layer 3 addressing scheme
How many VLANs you have
What types of traffic are moving between VLANs
How much traffic is moving between VLANs
What kind of redundancy is required
Your choice of routing protocols
Layer 3 convergence issues
Load balancing Layer 3 traffic
The preceding list is important for the Switching exam.
It's important to point out one major difference between a Layer 2 and a Layer 3 device. If a Layer 2 device, such as a switch, doesn't know how to reach a destination MAC address, it floods the frame out all other ports in the VLAN. If a Layer 3 device, such as a router, doesn't know how to reach a destination network, it drops the packet.
Configuring Routing
Between VLANs
Configuring routing for the Catalyst 3550 switch is similar to configuring any Cisco router because both use the same IOS-based interface. This section covers basic inter-VLAN routing with an internal RP (Catalyst 3550 switch) and an external RP. The purpose of this material is not to cover all the routing commands you can execute or configure within the IOS, but rather to show you how to configure the IOS to support inter-VLAN routing. It's assumed that you are familiar with configuring Cisco routers and their command-line interface (CLI).
To route between VLANs, you first need to set up your VLANs and associate your
users to these VLANs. Second, set up any trunks between devices. Third, configure
routing on an internal or external RP.
Configuring an Internal RP
You'll first need to access the CLI of your switch. I'm assuming that you're using a Catalyst 3550 switch. You'll set up routing in two steps. First, configure Layer 2 connectivity by creating your VLANs and placing ports in them. This was discussed in Chapter 3. Second, set up Layer 3 connectivity by creating VLAN interfaces and enabling a routing protocol.
Before you begin your Layer 3 setup, you'll first need to configure your Layer 2 information. This includes creating your VLANs, placing ports in them, creating trunks, and tuning STP.
interface on a router. You would typically set up a port as a routed port if you need to connect your switch directly to a router and you want the switch to appear as a router (not a switch) to that neighboring router.
You'll first have to enable IP routing with the ip routing command. Next, configure the appropriate Layer 2 port as a routed port: enter the interface and disable Layer 2 functions with the no switchport command. Then assign an IP address to it with the ip address command. To route between routed interfaces, you'll have to enable a routing protocol with the router command.
An SVI is a logical interface on the switch. It is similar to a loopback interface on a router, an imaginary interface that is always in an up/up state; loopback interfaces are typically used for testing as well as for terminating connections on the router. On the switch, a virtual interface is typically used to associate the switch's own IP address with a VLAN (placing it in a management VLAN). This is accomplished by creating a VLAN with the vlan command, creating the virtual interface with the interface vlan command, and then assigning an IP address to it with the ip address command. Only one SVI can be associated with each VLAN. SVIs can also be used to handle routing on the switch. If you want to enable Layer 3 routing on your switch, use the ip routing command and enable a routing protocol with the router command.
There is no software restriction on the switch for the number of routed and/or SVI ports. However, the more of these ports you have on the switch, the greater the effect on your switch's CPU utilization. Therefore, you should carefully watch your CPU utilization after you set up these ports to ensure that you don't overburden your switch.
Use the no switchport command to enable Layer 3 processing on a physical interface of a 3550 switch. To create an SVI interface, use the interface vlan command.
Listing 6.1 IOS Catalyst Configuration Commands (continued)
Switch(config)# interface vlan VLAN_#
Switch(config-if)# ip address IP_address subnet_mask
Switch(config-if)# no shutdown
Remember the preceding syntax for setting up routing on your Catalyst switch.
First, enable IP routing on your Catalyst switch with the ip routing command. Next, configure a routing protocol with the router and network commands. The network commands should include the IP addresses configured on your SVI interfaces.
For each VLAN that you've already created on your Catalyst switch, you'll have to create a separate VLAN interface (interface vlan). The interface number must match the number of the corresponding VLAN. Within the SVI, configure your Layer 3 addressing information and bring the interface up with the no shutdown command. The VLAN interface will remain administratively down until you execute this command. Remember to save your configuration with the copy running-config startup-config privileged EXEC command.
Let's look at an example to clarify this configuration. I'll use the network shown on the left side of Figure 6.1. In this example, the Catalyst switch is performing the routing function. I'll assume that RIP is the routing protocol that this switch is running.
The routing configuration for the switch is shown in Listing 6.2.
Listing 6.2 Routing for an Internal RP
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 192.168.1.0
Switch(config-router)# network 192.168.2.0
Switch(config-router)# exit
Switch(config)# vlan 1
Switch(config-vlan)# exit
Switch(config)# vlan 2
Switch(config-vlan)# exit
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# copy running-config startup-config
In this example, the ip routing command enables IP routing and the router
rip and network statements include VLAN 1 and VLAN 2 for routing. The
two vlan commands create VLAN 1 and VLAN 2. The two SVI interfaces
have an IP address configured on them and have been enabled. Remember
that devices in VLAN 1 and 2 should use these IP addresses as their respective default gateway addresses.
Configuring an External RP
There are two ways to set up an external RP: traditional (normal) router
setup and a router-on-a-stick setup. The following two sections cover both
methods of configuration.
There are two important differences when comparing this example to the internal RP example. First, notice that there is no ip routing command; that's because IP routing is enabled by default on Cisco routers. Second, the IP addressing configuration is done on the appropriate physical Ethernet interfaces; because there are two VLANs, you need two interfaces.
Router-on-a-Stick Setup
One problem with a traditional router setup is that it doesn't scale very well. The more VLANs you have, the more interfaces you need on your router. This solution becomes very costly when you reach 5 or 10 interfaces; you need Cisco's higher-end routers to provide this number of interfaces.
To solve this problem, you can use a router-on-a-stick. The right side of Figure 6.1 shows an example of a router-on-a-stick. In this example, there is a trunk connection between the router and the switch. The trunk is terminated on the router on a trunk-capable interface. Not all Cisco routers support trunking. For instance, the 1750 and higher routers, with the correct interfaces, support trunking. 802.1Q and ISL are supported on the routers, but ISL is supported only on Fast Ethernet or faster ports.
Advantages: A router-on-a-stick is available on a wide-range of Cisco router platforms; it only requires a single interface.
Disadvantages: Based on the topology of your network, a router-on-a-stick can
cause performance issues. Because a single connection is used, there is a single
point of failure as well as an increased likelihood that youll experience congestion
when routing between VLANs.
On the physical interface, configure your interface characteristics, such as duplexing and speed, and then enable the physical interface with the no shutdown command. The rest of the configuration is done on subinterfaces, one subinterface per VLAN.
Next, create your subinterfaces. This is done by specifying the physical interface followed by a period and a subinterface number. A common convention is to use the VLAN number as the subinterface number; however, the two numbers have no required relationship and you can use any unique subinterface number. To associate a VLAN with a subinterface, use the encapsulation isl command followed by the VLAN number associated with the subinterface. If the trunk is using 802.1Q, replace the isl encapsulation parameter with dot1q. One 802.1Q detail to watch: a Catalyst trunk sends its native VLAN (VLAN 1 by default) untagged, so the subinterface for that VLAN needs the native keyword (encapsulation dot1q 1 native) or the router will not associate those untagged frames with it. You do not need to enable the subinterfaces: They're automatically enabled when you create them (assuming that the physical interface is enabled). However, you can shut down an individual subinterface without affecting the processing on the other subinterfaces.
When setting up a router-on-a-stick, create a subinterface for each VLAN and place your Layer 3 addressing there. Also, specify the trunking encapsulation type with the encapsulation isl|dot1q command, followed by the VLAN number that the subinterface is responsible for.
Based on the network example shown on the right side of Figure 6.1, here's the RP's configuration, shown in Listing 6.5.
Listing 6.5 Router-on-a-Stick Example
Router(config)# router rip
Router(config-router)# network 192.168.1.0
Router(config-router)# network 192.168.2.0
Router(config-router)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# full-duplex
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 0/0.1
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface fastethernet 0/0.2
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Router(config-subif)# end
Router# copy running-config startup-config
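Listing 6.5 tells the router which VLAN tag belongs to which subinterface, and the configuration is easier to reason about once you see the tag itself. The following Python is an added example, not from the book or from Cisco: it builds 802.1Q-tagged Ethernet frames as a Catalyst trunk would send them to the router, parses the tag back out, and dispatches each frame to the subinterface from Listing 6.5 whose VLAN matches. The MAC addresses and payload are constructed, and VLAN 1 is assumed to be the trunk's untagged native VLAN, which is the case the native keyword on the router's subinterface exists for.

```python
"""What "encapsulation dot1q N" handles on the wire (added example, not from the book).

Builds 802.1Q-tagged Ethernet frames the way a switch trunk port sends
them to the router, then dispatches each frame to the subinterface whose
VLAN ID matches its tag, as the router-on-a-stick in Listing 6.5 does.
MACs and payloads are constructed; the subinterface table mirrors
Listing 6.5 with VLAN 1 assumed to be the untagged native VLAN.
"""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; if vlan is given, insert an 802.1Q tag after the MACs."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        # TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan or None, ethertype, payload); None means the frame is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return vlan, ethertype, frame[18:]
    return None, ethertype, frame[14:]


# Subinterface table from Listing 6.5: vlan -> (subinterface, router IP).
# VLAN 1 is the default native VLAN on a Catalyst trunk and arrives untagged,
# which is why the router needs the "native" keyword on that subinterface.
SUBINTERFACES = {
    1: ("FastEthernet0/0.1", "192.168.1.1"),
    2: ("FastEthernet0/0.2", "192.168.2.1"),
}
NATIVE_VLAN = 1


def dispatch(frame: bytes) -> Optional[str]:
    """Pick the subinterface for a frame, or None if its VLAN is not configured."""
    vlan, _ethertype, _payload = parse_frame(frame)
    if vlan is None:
        vlan = NATIVE_VLAN          # untagged frames belong to the native VLAN
    entry = SUBINTERFACES.get(vlan)
    return entry[0] if entry else None


if __name__ == "__main__":
    # Constructed frames: a minimal IPv4 header stub as payload.
    dst, src, stub = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", b"\x45" + b"\x00" * 19
    for f in (build_frame(dst, src, stub, vlan=2), build_frame(dst, src, stub),
              build_frame(dst, src, stub, vlan=99)):
        print(parse_frame(f)[0], "->", dispatch(f))
```

The third frame in the demo, tagged with a VLAN the router has no subinterface for, is simply dropped; that is the behaviour you rely on when a trunk carries VLANs the router is not supposed to route.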
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.2.2          120      00:00:22
  Distance: (default is 120)
ip route command. Here's
In this example, the internal RP is learning about two remote RIP routes
from a neighboring RP (192.168.1.2).
MLS Overview
Multilayer switching (MLS) is a technology that implements both Layer 3
and Layer 2 switching in hardware application-specific integrated circuits
(ASICs). To provide for Layer 3 speeds, the hardware ASICs handle the
process-intensive switching thats normally done by a central processor.
Because ASICs are less expensive than CPUs, MLS switches provide a decided cost advantage over the traditional CPU-based router.
Given the advantages of price and performance, you might wonder why anyone would still purchase a traditional router. Unfortunately, ASICs can do only a small number of tasks, but they do those tasks very efficiently. Cisco currently supports IP and IPX Layer 3 switching in its Catalyst switches. Therefore, for a multiprotocol campus that includes protocols such as AppleTalk, DECnet, or others, a Layer 3 switch would not be a good solution. When it comes to support for almost every flavor of media type, such as serial, fiber distributed data interface (FDDI), token ring, ATM, and others, the traditional router is still the platform of choice. Please note that some Cisco router platforms support advanced switching technologies, which are discussed in this chapter.
Switching Architectures
Switching refers to the movement of traffic from one interface to another.
This process can occur at Layer 2 or Layer 3. At Layer 2, switches look at
the destination MAC address to make switching decisions. At Layer 3, RPs
look at the destination network address, such as an IP address, to make
switching decisions.
A handful of switching architectures are used in today's switching and routing equipment: processor, ASIC, route caching (NetFlow-based switching), centralized, distributed, and topology based. The following sections discuss each of these in more depth.
Remember the differences between processors and ASICs: ASICs are used for
multilayer switching, rewriting, and switching frames in hardware.
Centralized Switching
In a centralized switching architecture, all switching decisions are handled by
a central, single forwarding table. A centralized switching device can contain
both Layer 2 and Layer 3 functionality. In other words, this table can contain both Layer 2 and Layer 3 addressing and protocol information as well as
access control list (ACL) and quality of service (QoS) information. The main
concern with centralized switching is that the MLS switch must handle a lot
of traffic, including Layer 3 processing. Therefore, performance is a concern. A central forwarding engine (a special type of ASIC) is typically used to
handle processing of this table at very high speeds.
The Catalyst 4000 and 6500 support centralized forwarding.
Distributed Switching
In a distributed switching architecture, switching decisions are decentralized.
As a simple example, a 6500 switch has each port (or module) make its own
switching decision for inbound frames while a main processor or ASIC handles routing functions and ensures that each port has the most up-to-date
switching table.
With the centralized approach, the central switching device has a single
switching table containing all Layer 2 and Layer 3 switching information.
One advantage of the distributed implementation approach is that by having
each port or module make its own switching decision, youre placing less of
a burden on your main CPU or forwarding ASICyoure distributing the
processing across multiple ASICs. In this case, a separate forwarding engine
(ASIC) is used for each port and each port has its own small switching table.
With this approach, you can achieve much greater speeds than a switch that
uses central forwarding for switchingrates of more than 100 mpps.
The main downside of distributed switching is maintaining the information
in each ports switching table. To handle this function, a primary forwarding
engine is used. When topology changes occur, the forwarding engine makes
sure that the appropriate port tables are updated.
The Catalyst 3550 and 6500 with the distributed forwarding card (DFC) support
distributed switching.
Topology-Based Switching
Topology-based switching uses a forwarding information base (FIB) to assist in
Layer 3 switching. This type of switching pre-populates the cache by using
the information in the RP's routing table. If there is a topology change and
the routing table is updated, the RP mirrors the change in the FIB.
Basically, the FIB contains a list of routes with the next-hop addresses used to reach
those routes.
The advantage of topology-based switching over route caching or NetFlow
switching is that because the information is pre-populated, the cache table
doesn't have to be built on demand, which speeds up access. However, one problem with
MLS Implementation
Before I begin explaining how an MLS device performs its switching, let's
take a quick overview of how a normal Layer 2 switch performs its switching
function. When a Layer 2 switch receives an inbound frame on a port, the
first thing the switch does is look up the destination MAC address in the
CAM table. The switch then compares the inbound frame with any ACL
applied to the interface. Assuming that the frame is permitted by the ACL,
the switch then checks its inbound QoS policy to see how to process the
frame. After this, the switch checks to see whether the outbound port has an
outbound ACL. If so, the switch checks to see whether the frame is permitted to exit the outbound port. If the frame is permitted, the switch examines
its QoS policies to see what type of queuing is required for this frame. The
frame is then queued up and eventually forwarded out of the interface.
Multilayer switching is more complicated. When dealing with Layer 3 information encapsulated in a frame, there are two ways a multilayer switch can
handle this information. If the Layer 3 source and destination are in the same
VLAN, the process I described in the previous section for Layer 2 switches
is applied. If the inbound frame contains an encapsulated packet where the
source and destination addresses are in different VLANs, the process
involves more steps. In this case, the following steps are performed:
1. When an inbound frame is received on a port, the MLS switch looks
2. If a Layer 2 ACL is applied inbound on the interface, the MLS switch
Layer 3 ACL or QoS policies and determines which VLAN the packet
should be forwarded to. If any outbound Layer 3 ACL or QoS policies
have been configured, they're applied.
6. The RP, in hardware, rewrites the Layer 2 information in the Ethernet
frame and passes the frame to the Layer 2 component of the MLS switch.
7. The Layer 2 component applies any outbound Layer 2 ACLs and/or
QoS policies and then queues up the frame appropriately. The Layer 2
component then forwards the frame.
With MLS, in the Ethernet frame, the source and destination MAC addresses and the
CRC are changed. In the IP packet, the TTL field is decremented and the CRC is
changed.
Address Tables
By now, you should be very familiar with what a CAM table is and how a
Layer 2 switch uses it to make switching decisions. However, depending on
the architecture of your switch, it might contain only a CAM table, or a
CAM table plus a ternary CAM (TCAM) table.
As a refresher, a CAM table is a special form of high-speed memory where the
switch's Layer 2 switching table is stored. This table contains a list of MAC
addresses, which ports they are located off of, and which VLAN they belong
to. With MLS switches, these tables can also include Layer 3 protocol and
addressing information. To make a switching decision when a frame comes
into a port, an efficient search algorithm is used to find the destination
address in the CAM table. An exact match must be found in the CAM table
in order to forward the frame intelligently. Matching is performed by comparing the binary value of the destination MAC address in the frame with the
entries in the CAM table. If the destination address is not found in the CAM
table, the frame is flooded out all remaining ports in the VLAN.
The limitation of a standard CAM table is that it must examine all entries in
the table for a match and it can only look for an exact match on the full key. This can be problematic for very large CAM tables because searching these tables can be slow.
Plus, there might be instances in which you want to match on some bits in
the key but not all of them. For example, you might want to match on
the first 24 bits of a MAC address (the OUI) and don't care about the last 24 bits.
A TCAM table is a part of memory reserved for quick table lookups of information that needs to be processed by an access control list (ACL). An ACL
looks for matches on certain components, which sometimes fall in a range or
are wildcarded. These components can include the protocol, source and destination addresses, and protocol-specific information such as port numbers. TCAM tables have a small
number of entries in them that are necessary for ACL processing. These
entries, 32 to 128 bits in length, contain pattern values and mask values along
with a matching result. Cisco calls these Value, Mask, and Result (VMR) entries.
Values include IP addresses, IP protocols, and IP protocol information. Masks
include wildcard masks that tell what components of the values are important.
The result of a match can be a simple permit or deny, or a pointer to another entry in the TCAM table. When matching packet contents to TCAM
entries, the MLS switch can base matches on three states per bit, as compared to a
CAM table's two values (0 or 1 in binary). With a TCAM match, the MLS
switch can look for a 0 in a bit position, a 1, or either a 0 or a 1 (don't care).
One unique thing about TCAM tables is that when finding a match in the
TCAM table, all TCAM entries are processed in parallel. Therefore, performance of a lookup is independent of the number of entries in the TCAM
table. The length of the search is based on not how many entries exist in the
TCAM table, but the number used. When performing a search, only those
table entries that are required for processing are used.
To assist in this process, a TCAM table is broken into three general types of
regions, shown in Table 6.1. The following Cisco Catalyst switches use
TCAM tables for Layer 3 switching: Catalyst 3550, 4000, and 6500.
Table 6.1 TCAM Regions
Region Type     Explanation
Exact-Match     Entries that must match on the full key, such as Layer 3 adjacency (next-hop) entries; a single mask applies to the whole region.
Longest-Match   Groups of entries ordered by decreasing mask length, used for IP prefix (FIB) lookups where the longest matching prefix wins.
First-Match     ACL entries; the lookup stops at the first entry that matches, so the order of entries determines the result.
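The following Python sketch, added here and not part of the book, imitates how a TCAM evaluates value/mask/result entries: every entry is compared at once and the lowest-numbered hit wins, which is the first-match region semantics that ACLs rely on. The 88-bit key layout (protocol, source IP, destination IP, destination port), the VMR/entry/classify names, the sample ACL and the test packets are all constructed for the illustration; the shadowed() helper shows the kind of check an ACL review would run on such a table.

```python
"""Ternary (value/mask/result) matching as a TCAM performs it.

Added illustration; not code from the book. Each VMR entry stores a value and a
mask. A packet key matches when (key & mask) == value, so bits cleared in the
mask are "don't care" (the third state of a ternary CAM). Every entry is
evaluated for every packet, as the hardware does in parallel, and the lowest
numbered hit wins: the first-match semantics used for ACL regions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Assumed key layout for the example: 8-bit protocol | 32-bit source IP |
# 32-bit destination IP | 16-bit destination port = 88 bits.
PROTO_SHIFT, SRC_SHIFT, DST_SHIFT = 80, 48, 16


def pack_key(proto: int, src: str, dst: str, dport: int) -> int:
    """Pack a packet's header fields into the 88-bit lookup key."""
    return ((proto << PROTO_SHIFT) | (int(IPv4Address(src)) << SRC_SHIFT)
            | (int(IPv4Address(dst)) << DST_SHIFT) | dport)


@dataclass(frozen=True)
class VMR:
    value: int
    mask: int
    result: str


def entry(result: str, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None) -> VMR:
    """Build a VMR from ACL-style fields. None (or a /0 prefix) means don't care."""
    value = mask = 0
    if proto is not None:
        value |= proto << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    for net, shift in ((IPv4Network(src), SRC_SHIFT), (IPv4Network(dst), DST_SHIFT)):
        value |= int(net.network_address) << shift
        mask |= int(net.netmask) << shift
    if dport is not None:
        value |= dport
        mask |= 0xFFFF
    return VMR(value & mask, mask, result)


def tcam_lookup(table, key):
    """Compare the key against all entries; return (index, result) of the first hit
    or (None, 'deny') for the implicit deny at the end of an ACL."""
    hits = [i for i, e in enumerate(table) if (key & e.mask) == e.value]
    if not hits:
        return None, "deny"
    return hits[0], table[hits[0]].result


# Constructed ACL: permit HTTPS from 10/8 to one server, block SSH to it from
# anyone, then permit anything else from 10/8. Order matters.
SAMPLE_ACL = [
    entry("permit", proto=6, src="10.0.0.0/8", dst="192.168.1.10/32", dport=443),
    entry("deny", proto=6, dst="192.168.1.10/32", dport=22),
    entry("permit", src="10.0.0.0/8"),
]


def classify(proto, src, dst, dport, table=SAMPLE_ACL):
    """Classify one packet against an ACL table; returns (entry index, result)."""
    return tcam_lookup(table, pack_key(proto, src, dst, dport))


def shadowed(table):
    """Indices of entries that can never be hit because an earlier entry covers
    every key they match (a common ACL review finding)."""
    out = []
    for i, e in enumerate(table):
        for j in range(i):
            p = table[j]
            # p covers e if p's mask bits are a subset of e's and the values agree there
            if (p.mask & ~e.mask) == 0 and (e.value & p.mask) == p.value:
                out.append(i)
                break
    return out
```

Swapping the second and third entries of SAMPLE_ACL silently permits SSH from 10/8, because the permit-anything entry now matches first; that is exactly the ordering hazard the first-match region creates.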
CEF separates switching into two components: control and data. Control components handle things such as building and maintaining the routing and FIB tables. Data
components handle Layer 3 switching in hardware.
CEF Limitations
There are situations where switching decisions must be performed in software by the main processor. If your CEF switch sees any of the following
traffic, the main processor is interrupted to handle it:
IEEE 802.3 packets (for IP, make sure that all devices are using
CEF Tables
CEF uses three tables to make its switching decisions: FIB, adjacency, and
TCAM (commonly called CEF) tables. The FIB is built from the MLS
switch's routing table and is sorted to optimize searches. The FIB table
lookup for a destination is based on finding the longest matching prefix for
the destination Layer 3 (IP) address. The FIB table is updated whenever one
of the following occurs:
The next-hop address for a routing entry changes
A prefix changes for a routing entry
ARP information changes for a next-hop address
A route is no longer reachable
The adjacency table is built from the MLS switch's ARP table. This table
contains the Layer 2 information (neighbors' MAC addresses) that the
MLS switch needs to rewrite Ethernet frames. The adjacency table is stored in
double-data-rate DRAM. If the adjacency table becomes full, neighbors not
listed in the adjacency table will have their packets switched by the main processor whenever packets are sent to these neighbors (that is, they'll be software
switched).
The CEF table contains IP destination prefixes that are sorted from the most
specific to least specific to speed up searches. To provide for accurate tracking of statistics, the CEF table contains a separate entry for each adjacency.
If the CEF table becomes full, a special entry, called a wildcard entry, is used
to redirect switching decisions to the main processor (or ASIC), where
switching occurs in software.
CEF Operation
The operation of CEF is similar to the process described earlier in the "MLS
Implementation" and "Rewriting Frame and Packet Contents" sections.
This section covers the operation of CEF as it relates to multilayer switching. Three basic steps occur during CEF's operation:
1. When a Layer 3 packet is received, find a match in the CEF (TCAM)
table.
2. Based on the CEF entry, find the adjacent information that will be
Of course, CEF's process is not as simple as the preceding three steps. Before
any user frames are handled by CEF, the MLS switch first needs a MAC
address that will represent itself when sending rewritten frames to a destination. The Layer 3 engine on the MLS switch assigns this MAC address from
the chassis MAC address range, and this one address is used on all VLANs;
remember that a MAC address has to be unique only within a broadcast domain
(VLAN). Anytime frames are rewritten, the MLS switch uses this MAC
address as the source MAC address in the frame.
Second, the MLS switch will install wildcard entries in its CEF table, which
are for when a lookup occurs and connection information is not found.
Basically, this tells the data ASICs that to switch the frame, the Layer 3 forwarding engine will have to handle the task (at a much slower rate).
Third, the Layer 3 forwarding engine will notify each interface that has been
set up for CEF, as well as any CEF-specific features for that interface. Only
interfaces enabled with CEF can have data ASICs (the ones on interfaces or
line cards) perform the rewriting of frames. The MLS switch then sends the
Layer 2 CAM table to the Layer 3 forwarding engine, which is used to build
the CEF table.
Once traffic begins to cross VLAN boundaries, the MLS process begins. For
each initial packet from a source to a specific destination, called a flow, the
data ASICs must have the Layer 3 forwarding engine handle the switching
of the frame. The Layer 3 forwarding engine will then populate the CEF and
adjacency tables and forward the frame. At this point, any flow from the same
source to the same destination can be rewritten by the data ASIC for the
inbound port.
Load Balancing
MLS with CEF supports per-flow load balancing (sharing). Load balancing
can be done on both an equal or unequal cost basis to a destination. For
example, if your MLS switchs routing table has three paths to a destination,
CEF can use all three paths in load balancing. CEFs FIB can contain up to
six pointers to entries in the adjacency table for load balancing.
When load balancing, the MLS switch takes the source and destination IP
addresses, as well as the transport layer source and destination port numbers,
and runs them through a hash function. The result of this function is used to
pick one of the multiple paths to the destination. As you can see from this
function, this is more of a flow load balancing process. In other words, load
balancing is not done on a packet-by-packet basis. Load sharing becomes
more distributed as traffic from different sources and applications is sent to
a single destination. Also, load sharing is automatically enabled when you
configure IP routing on the Layer 3 forwarding engine.
CEF, by default, load balances across six paths to a destination. This load balancing
is done on a connection-by-connection basis.
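An added Python model (not the book's code and not Cisco's hardware algorithm) of the two CEF ideas just described: a FIB that is kept sorted most-specific-first so the first hit is the longest matching prefix, and per-flow load sharing that hashes the source and destination addresses and ports to pick one of up to six adjacencies. The SHA-256-based hash, the MAX_PATHS constant, the FIB/choose_adjacency/path_usage names and the sample routes are assumptions made for the illustration.

```python
"""Topology-based switching: a FIB searched for the longest matching prefix,
plus CEF-style per-flow load sharing across at most six adjacencies.
Added example; the hash function is an illustration, not the real one."""
import hashlib
from ipaddress import IPv4Address, IPv4Network

MAX_PATHS = 6   # a CEF FIB entry carries at most six adjacency pointers


class FIB:
    def __init__(self):
        self.entries = []   # (IPv4Network, [adjacency names]) sorted most specific first

    def add_route(self, prefix, next_hops):
        """Install or replace a prefix; extra next hops beyond six are not used."""
        net = IPv4Network(prefix)
        hops = list(next_hops)[:MAX_PATHS]
        self.entries = [e for e in self.entries if e[0] != net]
        self.entries.append((net, hops))
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, dst):
        """First hit in the most-specific-first list is the longest match.
        None means a FIB miss: the wildcard entry hands the packet to software."""
        addr = IPv4Address(dst)
        for net, hops in self.entries:
            if addr in net:
                return net, hops
        return None


def flow_hash(src_ip, dst_ip, sport, dport, proto=6):
    """Per-flow key: every packet of one connection hashes to the same value,
    so load sharing is per flow, never per packet."""
    key = f"{proto}|{src_ip}|{sport}|{dst_ip}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def choose_adjacency(fib, src_ip, dst_ip, sport, dport):
    """Longest-prefix lookup, then pick one of the entry's adjacencies by flow hash."""
    hit = fib.lookup(dst_ip)
    if hit is None:
        return None
    _, hops = hit
    return hops[flow_hash(src_ip, dst_ip, sport, dport) % len(hops)]


def path_usage(fib, dst_ip, flows):
    """Count how many of the given (src_ip, sport) flows land on each adjacency."""
    counts = {}
    for src_ip, sport in flows:
        adj = choose_adjacency(fib, src_ip, dst_ip, sport, 443)
        counts[adj] = counts.get(adj, 0) + 1
    return counts


def build_sample_fib():
    """Constructed routing table for the example."""
    fib = FIB()
    fib.add_route("0.0.0.0/0", ["adj-isp"])
    fib.add_route("10.0.0.0/8", ["adj-a", "adj-b", "adj-c"])        # three paths to 10/8
    fib.add_route("10.1.1.0/24", ["adj-d"])                          # more specific wins
    fib.add_route("172.16.0.0/12", [f"adj-{i}" for i in range(8)])   # trimmed to six
    return fib
```

A single heavy flow always lands on one adjacency, which is why the text says load sharing only becomes even as the mix of sources and applications grows; path_usage() over a few hundred distinct flows shows all three 10/8 paths in use, while repeated calls for one flow always return the same path.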
CEF Example
To illustrate this process in a little more depth, let's take a look at an example. I'll use the network shown in Figure 6.3. In this example:
1. PC-1 (192.168.1.11) creates an IP packet destined to PC-2 (192.168.2.22)
MAC address as the source and the MLS switchs MAC address as the
destination and forwards the frame.
2. The MLS switch receives the frame and begins processing it. Because this
is the first time that PC-1 has sent something to PC-2, the data ASIC on the
inbound interface can't find an entry in the CEF table, so it interrupts the
Layer 3 forwarding engine (L3FE) to process the inbound frame.
3. In step 3, the L3FE examines its ARP table to see whether it knows
about PC-2. If not, the L3FE ARPs for PC-2's MAC address, using its
chassis address as the source. During this ARP process, the L3FE
implements an ARP throttling policy. While waiting for the ARP
response, if the L3FE receives any other packets to PC-2, it will not
generate additional ARPs. This prevents the L3FE from creating excessive ARPs and thereby turning a burst of packets to an unresolved host into an ARP denial-of-service (DoS) attack. After the ARP response is received, the L3FE
adds this information to its ARP table and creates an adjacency entry in
its adjacency table. When the adjacency information is built, the L3FE
uses the information in PC-1's frame and packet to create an entry in
the CEF table that points to the newly created entry in the adjacency
table. After the entry has been built, the L3FE rewrites the frame and
packet with this information and forwards it to the destination.
4. In step 4, PC-2 receives PC-1's information. If PC-2 were to respond
subsequent traffic from PC-1 to PC-2 would have the data ASIC
directly rewrite PC-1's frame and packet information in hardware and
forward it out the interface to PC-2. Note that in this situation, the
L3FE isn't involved in the forwarding process.
CEF entries are unidirectional; for communications between two devices, you'll
have two entries. To suppress unnecessary ARPs, the L3FE generates only one ARP
for a given neighbor and waits for the response to that ARP.
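To tie together the earlier note on what the rewrite changes (source and destination MAC, TTL, checksums, but never the IP addresses), the ARP throttling in step 3, and the unidirectional CEF entries, here is an added Python walkthrough of the Figure 6.3 exchange. It is not code from the book. The Frame, L3FE and MLSSwitch names are made up; the rewrite source MAC is taken to be the switch's VLAN 1 interface MAC from the figure; and dropping the packet that arrives while an ARP is outstanding is an assumption (the text says only that no further ARPs are generated for it).

```python
"""CEF flow setup across VLANs, as in Figure 6.3: the first packet of a flow is
punted to the Layer 3 forwarding engine (L3FE), which ARPs for the neighbor
(throttled to one outstanding request), builds the adjacency and CEF entries,
and every later packet of that flow is rewritten in hardware by the data ASIC.
Added example, not the book's code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int


# Addresses from Figure 6.3. Assumption: the switch uses its VLAN 1 MAC as the
# source of every rewritten frame (the text says one chassis MAC serves all VLANs).
ROUTER_MAC = "0011.3333.3333"
PC1 = ("0011.1111.1111", "192.168.1.11")
PC2 = ("0011.2222.2222", "192.168.2.22")


def rewrite(frame, next_hop_mac, router_mac=ROUTER_MAC):
    """What the data ASIC changes: source and destination MAC and the IP TTL
    (the frame CRC and IP checksum are recomputed as a consequence).
    Source and destination IP addresses are left untouched."""
    if frame.ttl <= 1:
        return None  # TTL expired: software must generate the ICMP error, not hardware
    return replace(frame, src_mac=router_mac, dst_mac=next_hop_mac, ttl=frame.ttl - 1)


class L3FE:
    """Layer 3 forwarding engine: ARP table, adjacency table and CEF (flow) table."""
    def __init__(self):
        self.arp = {}           # ip -> mac, learned from ARP replies
        self.pending = set()    # ips with an ARP request already outstanding
        self.adjacency = {}     # ip -> rewrite MAC (built from the ARP table)
        self.cef = {}           # (src_ip, dst_ip) -> adjacency key; unidirectional
        self.arps_sent = 0

    def resolve(self, ip):
        """True if the neighbor is known; otherwise send at most one ARP for it."""
        if ip in self.arp:
            return True
        if ip not in self.pending:          # ARP throttling
            self.pending.add(ip)
            self.arps_sent += 1
        return False

    def arp_reply(self, ip, mac):
        self.arp[ip] = mac
        self.pending.discard(ip)
        self.adjacency[ip] = mac


class MLSSwitch:
    def __init__(self, l3fe):
        self.l3fe = l3fe
        self.hw_switched = 0
        self.punted = 0

    def forward(self, frame):
        key = (frame.src_ip, frame.dst_ip)
        if key in self.l3fe.cef:                                  # CEF hit: ASIC rewrites
            self.hw_switched += 1
            return rewrite(frame, self.l3fe.adjacency[self.l3fe.cef[key]])
        self.punted += 1                                          # CEF miss: wildcard entry, punt
        if not self.l3fe.resolve(frame.dst_ip):
            return None                                           # assumption: dropped while ARP pending
        self.l3fe.cef[key] = frame.dst_ip                         # flow entry points at the adjacency
        return rewrite(frame, self.l3fe.adjacency[frame.dst_ip])


def run_figure_6_3():
    """Walk the figure's exchange and report what happened at each step."""
    sw = MLSSwitch(L3FE())
    pkt = Frame(PC1[0], ROUTER_MAC, PC1[1], PC2[1], ttl=64)
    first = sw.forward(pkt)      # punted, ARP sent, nothing forwarded yet
    second = sw.forward(pkt)     # still waiting: throttled, no second ARP
    sw.l3fe.arp_reply(PC2[1], PC2[0])
    third = sw.forward(pkt)      # punted once more; L3FE installs CEF/adjacency and forwards
    fourth = sw.forward(pkt)     # hardware switched by the data ASIC
    reply = sw.forward(Frame(PC2[0], ROUTER_MAC, PC2[1], PC1[1], ttl=64))  # reverse flow: own miss
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "reply": reply, "arps_sent": sw.l3fe.arps_sent,
            "punted": sw.punted, "hw_switched": sw.hw_switched}
```

Two things the model makes visible: the second packet produces no second ARP even though it is punted, and PC-2's reply is a fresh CEF miss with its own ARP, because the entry PC-1 created is one-directional.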
Figure 6.3 CEF example network. PC-1 (VLAN 1, IP 192.168.1.11, MAC 0011.1111.1111) sends to PC-2 (VLAN 2, IP 192.168.2.22, MAC 0011.2222.2222) through an MLS switch with CEF. The switch's VLAN 1 interface is 192.168.1.1 (MAC 0011.3333.3333) and its VLAN 2 interface is 192.168.2.1 (MAC 0011.4444.4444). The packet carries SRC IP 192.168.1.11 and DST IP 192.168.2.22 on both legs; the numbered arrows 1 through 5 correspond to the steps above.
CEF Configuration
One of the great features of configuring CEF is that the Catalyst switches
that support it already assume that youll be using it. Therefore, CEF is
enabled by default. On the Catalyst 6500 with the Supervisor Engine II,
CEF cannot be disabled if you have any of the following cards: Policy
Feature Card 2 (PFC2), Multilayer Switch Feature Card 2 (MSFC2), or the
Distributed Feature Card 2 (DFC2).
With the Catalyst 4000, you can disable CEF with the no ip cef command
at Global Configuration mode; this disables CEF on the entire switch. You
can also use this command to disable CEF on an interface by first going into
the interface and then executing this command. With the Catalyst 3550, you
can disable CEF with the no ip route-cache cef command at Global
Configuration mode; this disables CEF on the entire switch. You can also use
this command to disable CEF on an interface by first going into the interface and then executing this command.
CEF, by default, is enabled on the Catalyst 3550, 4000, and 6500 switches. You can
disable CEF on the 4000 with the no ip cef command and disable it on the 3550 with
the no ip route-cache cef command. You cannot disable it on the 6500.
CEF Verification
After you've enabled CEF, there are a handful of show commands that you can
use to examine its operation. To display general statistics about Layer 3 traffic switched in hardware, use this command:
Switch> show interfaces type slot_#/port_# | begin L3
To view the FIB, use the show ip cef command.
The detail parameter lists all FIB information for all FIB entries.
To see the adjacency table, use the show adjacency command. These statistics
are updated every 60 seconds. Here's an example of this command with the
detail parameter:
Switch> show adjacency detail
Protocol Interface        Address
IP       FastEthernet3/3  192.168.2.2(3045)
                          0 packets, 0 bytes
                          000000000FF9200003
                          00605C865B2800D0BB
                          ARP        02:48:09
IP       FastEthernet3/3  192.168.2.3(11)
                          0 packets, 0 bytes
                          000000000FF9200003
                          00801C93804000D0BB
                          ARP        02:48:03
In addition to listing the next-hop address for the adjacency, other types of
adjacencies can appear, as shown in Table 6.2.
Table 6.2 Adjacency Types
Adjacency   Explanation
Discard     Packets matching the entry are discarded.
Drop        Packets matching the entry are dropped.
Glean       For hosts directly connected to the RP, the subnet prefix is listed. When a packet arrives for a specific host on that subnet, the MLS switch must ARP for the host's MAC address before a complete adjacency exists.
Null        Packets destined for a Null0 interface are dropped; this can be used as a simple form of access filtering.
Punt        Packets that need special handling, or features not supported in the CEF hardware path, are passed to the next switching level (software).
CEF Troubleshooting
If you're experiencing problems with CEF, you can use debug and ping commands to troubleshoot the problem. Use this command to perform detailed
troubleshooting of CEF:
Switch# debug ip cef drops|receive|events|prefix-ipc|table|ipc|interface-ipc
Parameter       Explanation
drops           Packets dropped by CEF
receive         Packets received by the switch itself (destined to one of its own addresses)
events          General CEF events
prefix-ipc      Prefix updates sent to the forwarding engines over inter-process communication (IPC)
table           Changes to the FIB table
ipc             CEF IPC messages
interface-ipc   Interface state changes sent over IPC
Optionally, you can add an ACL to the debug command to limit the amount
of output you see in your terminal session.
You can also use Cisco's extended ping command. This command is executed by itself at Privileged EXEC mode, and it prompts you for all the ICMP
parameters for IP. One nice feature is that you can change the source IP
address that will be used with the ping. This is normally the IP address of the
exit interface of the IOS device, but you can change it to any IP address on
the IOS device. This is useful for advanced testing of the reachability of a
device, for example to confirm that the return path from the far end works for a given VLAN interface.
Summary
To route between VLANs, you need an RP. When setting up routing between
VLANs, first create your VLANs and assign switch ports to them; second,
create your trunks; third, configure routing. An RP can be internal or external. If the RP is external and has a trunk connection to a switch, it is called a
router-on-a-stick. This type of RP is configured using subinterfaces. For an
internal RP, a Catalyst switch supports two routing interfaces: routed and
SVI. An SVI is typically used and is created with the interface vlan command.
MLS allows Layer 2 and Layer 3 hardware switching to exist in the same
chassis. The first packet is routed in software and all other packets in the
same connection are rewritten in hardware and switched at Layer 2 speeds.
The source MAC, destination MAC, and CRC in the frame are rewritten
and the IP TTL field and CRC are rewritten.
NetFlow switching is a Cisco-proprietary form of route caching. This type
of switching has the RP and the ASICs work together to cache and switch
packets. With centralized switching, all Layer 2 and Layer 3 switching information is maintained in a central location in the switch. With distributed
switching, each port or module contains part of the switching tables and can
make switching decisions locally.
Cisco's CEF is an example of topology-based switching. This type of switching uses a FIB. A FIB contains information from the routing table. Cisco's
CEF also has an adjacency table (neighboring devices) and a TCAM table
(contains connection information). The combination of these tables helps
CEF perform MLS. By default, CEF is enabled on all of Cisco's Catalyst
switches; it cannot be disabled on the 6500. CEF can load balance traffic to
a destination across a maximum of six links.
Answers B and C are correct. Tuning STP is not necessary to set up routing
in a VLAN environment. B is required only for a router-on-a-stick, but you
can use access links or MLS also. Answers A and D are required, and therefore are incorrect answers.
Question 2
You need to create an SVI interface for VLAN 10 on your Catalyst switch. Enter
the command to do this: _________.
Question 3
Which command enables routing on a physical port of a Catalyst switch?
A. switchport mode routing
B. no switchport
C. no switchport mode access
D. switchport mode route
Answer B is correct. To change a physical interface from Layer 2 to Layer 3 processing, use the no switchport command. Answers A and D are incorrect because
these are nonexistent commands. Answer C is incorrect because this command
changes the interface to automatically sense for an access link or trunk port.
Question 4
Which form of switching pre-populates the switching table with information
from the routing table?
A. NetFlow
B. Distributed
C. Centralized
D. Topology-based
Question 5
Which Catalyst switches support centralized forwarding?
A. 3550
B. 3550 and 4000
C. 6500
D. 4000 and 6500
Answer D is correct. Both the 4000 and 6500 support centralized forwarding. Answers A and B are incorrect because they include the 3550, which
supports only distributed switching. Answer C is incorrect because it doesn't
include the 4000.
Question 6
When MLS rewrites frames in hardware, which of the following information is
not changed?
A. Source IP address
B. Destination MAC address
C. MAC frames CRC
D. IP TTL
Answer A is correct. The IP addresses are not changed when MLS rewrites
frame and packet information. Answers B, C, and D are rewritten by an MLS
switch.
Question 7
CEF will work for IP if which of the following is true?
A. Ethernet II frames are used
B. Packets require fragmentation
C. Packets forwarded out a tunnel interface
D. IP packet contains header options
Answer A is correct. If you want to use CEF with IP traffic, the data link
layer must use an Ethernet II frame type. Answers B, C, and D will cause
CEF to pass these packets to the RP to be processed in software.
Question 8
Which CEF table is built from the ARP table?
A. CAM
B. TCAM
C. Adjacency
D. FIB
Answer C is correct. The CEF adjacency table is built from the ARP table.
Answer A is incorrect because the Layer 2 switch builds this when performing its learning function. Answer B is incorrect because CEF builds this
based on connection information in the frames and packets it sees. Answer D
is incorrect because the FIB is built from the routing table.
Question 9
CEF can load balance across a maximum of _____ paths.
A. One
B. Four
C. Six
D. Eight
Answer C is correct. CEF supports up to six equal or unequal cost paths for
load balancing, making answers A, B, and D incorrect.
Question 10
Which command must you execute to enable CEF on a Cisco switch?
A. ip cef
B. ip cef enable
C. cef enable
D. No command is required
7
Availability and Redundancy (Chapter 7)
As you deploy more and more critical services in your network, redundancy
and availability become key issues. There are many types of availability and
redundancy. This chapter focuses on three: hardware, Layer 2, and Layer 3.
With hardware redundancy, youre concerned with the reliability of your
hardware components within a chassis. For example, if your networking
device has only one power supply, and it fails, the network device would fail.
Depending on your product, you might have several choices of hardware
redundancy options: redundant power supplies, redundant supervisor
engines, redundant RP cards, and redundant line cards. The first section of
this chapter focuses on Cisco solutions for hardware redundancy.
In Layer 2 redundancy, youre concerned about either switching paths or
switches in your network failing. This could be problematic if you have only
a single path to use between two devices. The second part of this chapter
focuses on Layer 2 redundancy solutions.
Recall from Chapter 2, "Designing Switched Networks," that traffic that
needs to leave a switch block travels through the distribution layer, where an
RP handles the path decisions. The use of a router at the distribution layer
contains many networking problems and issues within the switch block. If you have only a single RP
and it fails, networking resources in other parts of the network will not be
reachable. Layer 3 redundancy can be accomplished in many ways. Your end
stations could use IRDP or Proxy ARP, or they could run a routing protocol
that is compatible with the RP distribution devices. However, each of these
possibilities presents its own set of problems. Cisco's Hot Standby Router
Protocol (HSRP) solves these problems. It provides a backup solution for
default gateways that is transparent to the end stations. Other solutions
include the Virtual Router Redundancy Protocol (VRRP), Gateway Load
Balancing Protocol (GLBP), Single Router Mode (SRM), and Server Load
Balancing (SLB). The third, and most important, part of this chapter focuses
on these Layer 3 redundancy and availability solutions.
Introduction to Availability
and Redundancy
There are two methods of providing basic redundancy services: chassis
redundancy and component redundancy. Chassis redundancy has another
networking device, with the same functionality, that provides redundant
services in case the primary device fails. Component redundancy provides for
redundant components inside the same chassis. Six key components are used
to reach a high level of availability (as close to 100% as possible):
Network device reliability: Redundant hardware components and
timeframe, a network design must exist to make use of a fast convergence solution, such as UplinkFast for STP or component redundancy
in key networking devices.
Documented network: A well-documented network helps to pinpoint
Component Redundancy
One type of redundancy is component redundancy. This type of redundancy
provides protection against component failures inside the same chassis.
Components that can be protected in some Catalyst switches include
Supervisor Engines, modules (hot-swappable), power supplies, and fans.
If you decide to implement only component redundancy (no backup devices),
your network would look something like the one shown on the left side of
Figure 7.1. Notice that there are no redundant devices in this example.
However, there are redundant connections between the devices, which you
can see in the figure, and redundant components within those devices.
Figure 7.1 Component redundancy (left) versus chassis redundancy (right). Left: a single server distribution MLS switch, core switch, distribution MLS switch and access switch sit between the servers and the users, with redundant links and redundant components inside each device. Right: redundant pairs at every layer (server distribution MLS switches, core switches, distribution MLS switches, access switches).
area.
Minimizes convergence because this process takes place within a device
Chassis Redundancy
Chassis redundancy provides redundant networking devices. An example of
this is shown on the right side of Figure 7.1. In this example, there are redundant switches at each layer of the design. Enhanced STP features are used to
provide quick STP convergence in case of a Layer 2 failure, and an intelligent routing protocol such as OSPF or EIGRP provides quick Layer 3
convergence.
This type of design provides the following advantages:
You do not need to provide a high level of fault tolerance within one
right protocol with the right feature, you can ensure quick convergence.
A correct network design and implementation should enable you to use
both the primary and secondary devices. For example, with STP, you
can load-balance VLANs across uplink connections by having different
root switches at the distribution layer by using PVST or MST.
Against these advantages, there are two main disadvantages to chassis redundancy: You need more data link layer connections, and because there are
more devices, managing and troubleshooting this kind of network is much
more difficult than with component redundancy.
Its important to point out that a well-designed redundant solution can
include both types of redundancy. Remember that you need to determine
what level of redundancy is required for the different components in your
network.
Hardware Redundancy
This section focuses on the Catalyst 6500 switch's hardware redundancy
capabilities. These features include redundant power supplies, a hot-swappable fan, hot-swappable modules, redundant Supervisor Engines, and
redundant Route Processors. Please note that the Catalyst 4500s, 3550s, and
2950s support some of these features, but not necessarily all of them.
Power Supplies
Some of the first things considered in redundancy are your power source and
power supplies. Without an Uninterruptible Power Supply (UPS) system,
redundant power supplies do you no good when the building loses power.
Likewise, if you have redundant power supplies, you want to ensure that they
are connected to different power circuits. If you connect both power supplies
to the same circuit and that circuit fails, your switch also fails. In addition, a
fluctuation in a power source can shorten the lifetime of a power supply or even
destroy it.
Most of Ciscos Catalyst switches support either internal redundant power
supplies, or have the option of connecting a redundant external power supply to the switch. On Catalyst 6500 switches, the power supplies can operate
in two modes: combined and redundant.
In combined mode, power is drawn from both power supplies and
supplied to the switch. This mode is necessary if a single power supply
doesn't have sufficient power to supply all the cards in the switch's chassis.
In this mode, if one of the two power supplies fails and the remaining power
supply doesn't have enough power to power up the cards in the chassis, the
switch shuts down enough modules so that it can remain up.
In redundant mode, the primary power supply supplies power to the switch
while the other is in standby mode. If the primary power supply fails, the
standby power supply supplies power to the chassis. In this mode, no power
sharing occurs between the two power supplies.
To configure redundant power supplies on a 6500 switch, use the following
command:
Switch(config)# power redundancy-mode combined|redundant
If you want to power-down a module in the chassis of the switch, use the
following command:
Switch(config)# no power enable module slot_#
Enter the slot number of the card that you want to power-down. If you just
want to power-cycle a card without rebooting the switch, use the following
command:
Switch(config)# power cycle module slot_#
This command turns off the specified card for 5 seconds and then turns it
back on.
To display the status of the power supplies, use the show power command, like
this:
Router# show power
system power redundancy mode = redundant
system power total = 27.460A
system power used = 13.990A
system power available = 13.470A
FRU-type       #  current   admin state  oper
power-supply   1  27.460A   on           on
module         1  3.300A    on           on
module         5  2.800A    on           on
module         6  1.900A    on           on
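The combined and redundant supply modes described above, as an added Python model that parses a show power listing and works out what a supply failure means in each mode. This is illustrative code, not the book's or Cisco's; the sample output is constructed after the book's listing, and the shutdown order (highest slot first) is an assumption, since the text does not state which modules the chassis sheds.

```python
"""Parse Catalyst `show power` output and check the power budget under the
combined and redundant supply modes.  Illustrative code, not from the book
or Cisco IOS.  Sample output below is constructed (numbers chosen to be
self-consistent); the highest-slot-first shedding order is an assumption."""
from __future__ import annotations
import re

SAMPLE_SHOW_POWER = """\
Switch# show power
system power redundancy mode = combined
system power total = 54.920A
system power used = 44.500A
system power available = 10.420A
FRU-type       #  current   admin state  oper
power-supply   1  27.460A   on           on
power-supply   2  27.460A   on           on
module         1  3.300A    on           on
module         3  12.000A   on           on
module         5  2.800A    on           on
module         6  1.900A    on           on
module         7  10.500A   on           on
module         8  14.000A   on           on
"""

_KV = re.compile(r"^system power (redundancy mode|total|used|available)\s*=\s*(\S+)")
_FRU = re.compile(r"^(power-supply|module)\s+(\d+)\s+([\d.]+)A\s+(\S+)\s+(\S+)")


def parse_show_power(text: str) -> dict:
    """Return {'mode', 'total', 'used', 'available', 'supplies': {num: amps},
    'modules': {slot: amps}}; currents are floats in amps."""
    info: dict = {"supplies": {}, "modules": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _KV.match(line)
        if m:
            key, val = m.groups()
            if key == "redundancy mode":
                info["mode"] = val
            else:
                info[key] = float(val.rstrip("A"))
            continue
        m = _FRU.match(line)
        if m and m.group(5) == "on":            # count only FRUs that are powered up
            kind, num, amps = m.group(1), int(m.group(2)), float(m.group(3))
            info["supplies" if kind == "power-supply" else "modules"][num] = amps
    return info


def capacity(supplies: dict, mode: str) -> float:
    """Combined mode draws on every supply; redundant mode keeps one supply
    in standby, so only a single supply's output is available."""
    if not supplies:
        return 0.0
    return sum(supplies.values()) if mode == "combined" else max(supplies.values())


def is_consistent(info: dict) -> bool:
    """Cross-check the summary lines against the per-FRU rows."""
    used = sum(info["modules"].values())
    total = capacity(info["supplies"], info["mode"])
    return (abs(info["total"] - total) < 0.001
            and abs(info["used"] - used) < 0.001
            and abs(info["available"] - (total - used)) < 0.001)


def modules_shed_after_failure(info: dict, failed_supply: int) -> list[int]:
    """Slots the chassis must power down when one supply fails.  In redundant
    mode the standby supply carries the whole load, so nothing is shed.  In
    combined mode the surviving supply may not cover the draw; the model sheds
    modules from the highest slot downward until the load fits (assumption)."""
    remaining = {n: a for n, a in info["supplies"].items() if n != failed_supply}
    cap = capacity(remaining, info["mode"])
    draw = sum(info["modules"].values())
    shed: list[int] = []
    for slot in sorted(info["modules"], reverse=True):
        if draw <= cap:
            break
        shed.append(slot)
        draw -= info["modules"][slot]
    return shed
```

The combined-mode sample is deliberately loaded past what one supply can carry, so losing supply 2 forces two modules off; the same chassis in redundant mode with a lighter load loses nothing.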
Supervisor Engines
The Supervisor Engines (SEs) support two types of redundancy: redundancy for the SEs themselves and redundancy for the feature cards installed on
the SEs. The Supervisor Engine is the brains of the switch and contains the
IOS software. SEs are installed in slots 1 and 2 in the 6500 chassis. By
default, when the switch boots up, the first slot becomes the primary SE and
the second slot becomes the secondary SE. The secondary SE is in standby
mode and doesn't do anything except monitor the primary SE. The one
exception to this is that the Gigabit Ethernet uplink interfaces on the standby SE are active and they can process traffic. If the primary SE fails, the secondary SE initiates a switchover within seconds.
When setting up redundant SEs, the SEs must go in slots 1 and 2. One SE is active
and the other is in standby mode. The uplink interfaces of the standby SE can be
used even though the SE is in a standby state.
RPR
Starting with IOS 12.1(13)E and later, the Catalyst 6500 supports SE redundancy with both Route Processor Redundancy (RPR) and Route Processor
Redundancy Plus (RPR+). These two features allow hardware redundancy
for the Multilayer Switch Feature Card (MSFC) and Policy Feature Card
(PFC or PFC2). This essentially provides Layer 3 redundancy for the
Catalyst 6500.
RPR provides Supervisor Engine redundancy for route processing (routing). One SE is primary and the other is secondary. When the switch boots,
the SE that boots up first (slot 1 or slot 2) becomes the primary SE. The
MSFC and PFC/PFC2 are used on the primary while these cards are in a
standby mode on the secondary SE. When the primary MSFC/PFC fails, it
can take between 2 and 4 minutes for the secondary SE's MSFC/PFC to take
over. The reason for the slow switchover is that when the secondary SE boots
up, it does not initialize its MSFC/PFC cards.
RPR Features
RPR supports automatic startup of both SEs and has the primary SE automatically synchronize the bootvar files with the secondary SE. (The bootvar
files are used to boot up and configure the SEs.) The two SEs use hardware
signals to detect each other and to determine who will be playing the primary
and secondary roles. Every 60 seconds, the primary SE synchronizes its clock
with the secondary SE. When the MSFC and PFC fail on the primary SE
and the secondary SE promotes itself to a primary role, the former primary
SE becomes the secondary. In this role, even if its MSFC/PFC have failed, it
can still provide SE redundancy. Another nice feature of RPR is that it supports fast software upgrades. Upgrading the primary unit automatically causes the secondary to be synchronized with the same information. This is also
true of configuration changes: a configuration change made on the primary
is automatically copied to the secondary.
RPR Events
Any of the following events causes RPR to perform a switchover:
A manual switchover is initiated from the CLI.
Either the MSFC or PFC fails on the primary SE.
There is a clock synchronization failure between the primary and
secondary SEs.
Remember the three items that can cause RPR to perform a switchover.
RPR+ Overview
The main difference between RPR and RPR+ is that the secondary SE is
fully initialized and configured: the MSFC and PFC on the secondary are
operational. When the primary fails, the secondary almost immediately handles these functions. It takes only 30 to 60 seconds for this switchover
to occur.
It's important to point out that with RPR+, the secondary SE's MSFC and
PFC are operational. When you make configuration changes on the primary
SE, they're automatically synchronized to the secondary SE. This includes
both running and startup configurations. Please note that during the bootup
of the SEs, the primary SE copies both of these configurations to the secondary. After bootup, any configuration changes done on the primary are
copied to the secondary; only the change itself is copied, which reduces
overhead processing on the SEs.
Actually, you can make configuration changes only on the primary; the secondary only keeps tabs on the primary and accepts and processes synchronization information. Also, card state information is synchronized between
the primary and secondary SEs, including MSFC and PFC information.
Here is a list of advantages that RPR+ has over RPR:
Faster switchover time: 30 to 60 seconds instead of 2 to 4 minutes.
The promoted secondary SE does not reset its modules.
You can hot-swap SEs without causing problems. Cisco calls this online
insertion and removal (OIR). You can easily add or remove SEs without
affecting the RPR+ process. When hot-swapping, the same switchover
time period applies.
Remember the advantages that RPR+ has over RPR as listed in the bullet points.
Second, you cannot use the VLAN Database Privilege EXEC mode commands to configure your VLANs; you must do it from Configuration mode.
Third, SNMP changes made on the primary are not automatically synchronized to the secondary SE. You must execute the copy running-config startup-config command on the primary SE.
While using RPR+, only the primary SE is processing traffic while the secondary is in a standby state. The exception to this is the Gigabit uplink ports,
which are in an active state. There will be a disruption in traffic during a
switchover. When a failure occurs on the primary SE's MSFC/PFC, the primary first performs a core dump. When the core dump is completed, the secondary SE can start processing.
It can take up to 15 minutes for a core dump to complete! Therefore, if you're concerned about convergence, you might want to disable core dumps on your switch.
The disadvantage of this is that if there is a problem, you won't have any detailed
information to send to Cisco.
This enables RPR. To enable RPR+, also execute the following command:
Switch(config)# mode rpr-plus
All configuration is done on the primary SE. Use the redundancy command followed
by the mode rpr-plus command to enable RPR+.
Switch# show redundancy switchover
In this example, you can see that one switchover has taken place. Using the
states parameter produces this output:
Switch# show redundancy states
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit = Primary
Unit ID = 1
Redundancy Mode (Operational) = Route Processor Redundancy
Redundancy Mode (Configured) = Route Processor Redundancy
Split Mode = Disabled
Manual Swact = Disabled Reason: Simplex mode
Communications = Down Reason: Simplex mode
client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 4000 milliseconds
keep_alive count = 0
keep_alive threshold = 7
RF debug mask = 0x0
In this example, this switch is the primary switch (ACTIVE state) and RPR
has been configured and is operational.
Layer 2 Redundancy
This section discusses some basics about Layer 2 redundancy design methods and Cisco solutions. Because STP and its operation and enhancements
were already discussed in Chapters 3 and 4, they are not mentioned here.
Uplink Interfaces
A switch's SE contains two Gigabit Ethernet uplink interfaces. Cisco assumes
that you'll use these interfaces to connect to a switch at either a higher or
lower layer in Cisco's three-layer hierarchy: core, distribution, and access. Of
course, you can connect anything you want to these interfaces. However, you
do have to take care when setting up redundant connections between a higher
and lower layer.
For example, let's look at the right side of Figure 7.1, where there are redundant connections between a switch and its lower- or upper-layer neighbor.
I'll focus on the Distribution MLS switches at the bottom of this diagram.
Let's assume that the distribution layer is using Catalyst 6500 switches with
dual SE cards: primary and secondary. The left side of Figure 7.2 shows a
diagram of the connections on the Catalyst 6500 to the two switches at the
core layer (the backbone switches). Notice that the primary SE's two Gigabit
uplinks are used in this design. The main problem with this approach is that
if the primary (top slot) SE fails and the secondary is promoted, all connectivity to the backbone is lost because both connections were connected to the
SE in the top slot.
[Figure 7.2, left side: Same Module Uplink to the Left Core Switch and the Right Core Switch]
A better solution is shown in the right side of Figure 7.2. In this example, the
two connections to the two core switches are placed on different cards (the
two uplink ports on the SEs). Remember that you can do this with the
Switch Redundancy
In most situations, if you're really concerned about redundancy, you should
use chassis redundancy rather than component redundancy. Chassis redundancy provides a more robust form of redundancy, but requires you to buy
two switches at the distribution and core layers, which can be costly. The
right side of Figure 7.1 shows an example of this approach.
Remember that in this design, the distribution layer contains a Layer 3
process that provides a boundary between the access layers and the core
layer. This is used to contain Layer 2 problems, such as STP issues, broadcast storms, and so on. You must create your VLANs correctly, tune STP, set
up a routing protocol, and possibly configure MLS to create a well-designed,
highly optimized, redundant topology. All of these tasks were covered in
chapters leading up to this one.
Layer 3 Redundancy
The remainder of this chapter focuses on Layer 3 redundancy issues. When
you think of Layer 3 redundancy, you're normally dealing with having multiple paths to a destination. This section, however, deals with another type of
Layer 3 redundancy: default gateways and server load balancing. I'll begin by
talking about some of the issues of default gateway redundancy and some of
the solutions that are available but don't work very well. The main part of
this section deals with Cisco's Hot Standby Routing Protocol (HSRP), as
well as other solutions that are better at dealing with default gateway redundancy, such as the Single Router Mode (SRM) redundancy and Gateway
Load Balancing Protocol (GLBP) solutions.
With IRDP, end stations can dynamically discover other RPs when their primary default gateway fails. However, this might take up to 30 minutes, based
on the lifetime value in the original multicast packet from the RP. And even
if you might consider using IRDP with your access layer devices, most end-station IP protocol stacks do not support IRDP.
IRDP extends ICMP by allowing an end station to dynamically learn the default gateways that exist in the VLAN. RPs announce themselves every 5 to 10 minutes and end
stations hold this information for up to 30 minutes. The main problem with IRDP is
that if the primary RP fails, it might take up to 30 minutes before the end station uses a different RP.
HSRP
HSRP is a Cisco-proprietary protocol that provides a single definition of a
default gateway on the end station and Layer 3 redundancy for overcoming
the issues of IRDP, Proxy ARP, and end-station routing protocols. Unlike
the four previous solutions, HSRP is completely transparent to the end stations: you do not have to perform any additional configuration on the end
stations themselves. HSRP allows Cisco RPs to monitor each other's status,
which provides a very quick failover when a primary default gateway fails.
This is done by establishing HSRP groups.
With HSRP, a group of RPs represent a single virtual default gateway. This
virtual default gateway has a virtual IP address and a virtual MAC address. If
the primary RP fails, another RP in the HSRP group takes over and processes the frames sent by the end stations to the virtual MAC address.
An advantage of HSRP groups is that different subnets (VLANs) can have different default gateways, thus providing load balancing. Also, within each
HSRP group, there is a primary default gateway and the capability to use multiple routers to perform a backup function. You can have up to 255 standby
groups per RP, providing up to 255 default gateways. RPs can provide backup for multiple primary default gateways. Each standby group keeps track of
the primary RP thats currently forwarding traffic sent to the virtual MAC
address. Note that only one RP is actually forwarding traffic with HSRP.
One nice feature of HSRP is that you can customize it based on the size of
your network. For instance, if you have a VLAN with 1,000 devices in it, you
can set up two HSRP groups: one group for 500 devices and another group
for the other 500 devices. You can then assign RPs to each group. For example, if you had only two RPs, you could have RP1 be the active RP for group
1, but the standby for group 2, and vice versa for RP2. Through this process,
you can have both of your RPs forwarding traffic while still providing redundancy: if the active RP in either group fails, the other RP promotes itself to
an active state.
HSRP is a Cisco-proprietary protocol that provides default gateway redundancy. You
can create a total of 255 groups, allowing for load balancing between RPs. A router
can belong to several groups.
HSRP Operation
As mentioned in the previous section, only one RP actually forwards traffic
for an HSRP group. Using a priority scheme, one RP is elected as the forwarding router and the others perform as backups for a group. Each RP has
a default priority of 100, which you can manipulate. The RP with the highest priority in the group is elected as the active router, and the other RPs are
placed in standby mode. The active RP responds to any ARP packets from
end stations and replies with the virtual MAC address of the group.
Each HSRP group must have a unique virtual IP address and a virtual MAC
address, which means these numbers must be unique across different groups.
This MAC address is 0000.0c07.acXX. The 0000.0c is Cisco's vendor code.
The 07-ac is HSRP's well-known address. The XX is the group number (in
hexadecimal) for the HSRP group. Therefore, each HSRP group must have
a unique number to ensure that the MAC address is unique in a VLAN.
With HSRP, the end stations perform an IP ARP for the virtual IP
address, requesting the virtual MAC address of the default gateway RP. Note
that in this setting, the end stations are completely unaware of the actual RPs
handling traffic destined for a virtual router. Even when the primary fails and
the standby RP starts handling traffic for the broadcast domain, the end stations still think they're talking to the same RP.
Types of RPs
Every HSRP group contains RPs that perform certain roles. Each HSRP
group of RPs contains the following types of RPs:
Virtual RP
Active RP
Standby RP
Other HSRP RPs
frames sent to the virtual MAC address and one of the other HSRP routers
in the group is elected to the standby role.
Each group has a virtual IP and MAC address associated with it, which end stations
use to send traffic. The MAC address is 0000.0c07.acXX, where XX represents the
HSRP group number in hex. The active RP forwards traffic to and from the VLAN.
The standby RP watches to make sure that the active RP sends out its hellos; if it
doesn't, the standby RP promotes itself to an active state.
If any end station uses a real MAC address of one of the RPs in the broadcast domain,
that specific RP, whether it is active, standby, or another RP, processes and
forwards the frame.
process as well as by the active and standby RPs when they have
been elected.
Resign messages: These messages are used by an RP when it wants to
Authentication password, if configured.
Virtual IP address of the HSRP group: the default gateway IP address
HSRP States
HSRP supports six different states. An RP may go through all these states or
only a few of them, depending on whether it becomes an active or standby RP.
Initial
Learning
Listening
Speaking
Standby
Active
When the RPs are enabled, they start in an initial state. Note that they have
not begun the HSRP process in an initial state: only the RPs themselves and
their associated interfaces have been activated. In a learning state, an RP listens for an active RP. The RP initially has no knowledge of any other HSRP
routers. In this state, its purpose is to discover the current active and standby RPs and the virtual IP address for the group.
After the RP sees a multicast from the active/standby RP, it learns about the
virtual IP address. This is called the listening state. In this state, the RP is
neither the active nor standby RP. If there's already a standby and active RP,
the listening RP remains in this state and does not proceed to any of the next
three states. The exception to this is if you've configured preemption. With
preemption, a new RP with a higher priority can usurp an existing active or
standby RP.
If the RP enters the speaking state, the RP propagates multicast messages so
that it can participate in the election process for the standby or active role.
These hellos are sent out periodically so that other RPs in the group know
about everyones existence. Note that for an RP to enter this state, it must
have the virtual IP address configured on it.
Based on the RPs priority, it either becomes a standby or active RP. In a
standby state, the RP is the next in line to assume the role of the active RP if
the active RP fails. In an active state, the RP is responsible for forwarding all
traffic sent to the virtual MAC address of the broadcast domain. There can
be only one active and one standby RP. Both of these RPs generate periodic
hellos to other RPs in the group to guarantee that end stations always have a
default gateway that can forward their traffic if either of them fails.
It's important to point out that if you don't configure preemption, the first
RP that comes up takes on the active role and the second RP takes on the
standby role. Therefore, if you're setting up load balancing between RPs so
that certain RPs handle traffic for certain VLANs and other RPs handle traffic for other VLANs, you'll want to use preemption so that whenever a failed
RP comes back online, it resumes its former role.
Remember the HSRP states, the order in which they are processed, and what
happens in each state.
HSRP Configuration
Only one command is necessary to enable HSRP. To do so, execute the following standby command on the RPs interface. Use a subinterface for a trunk
port and a VLAN interface for an internal RP:
Router(config)# interface type [slot_#/]port_#
or
Switch(config)# interface vlan VLAN_#
Switch(config-if)# standby [group_#] ip IP_address
After you execute this command on an active interface, the RP enters the
learning state. In this command, group_# is optional. If you omit it, it defaults
to 0. Note that group_# is required if you have multiple standby groups.
Remember that the IP address you specify in the standby command is not the
actual IP address that's on the interface, but rather the virtual IP address. You
need to take the virtual IP address and either hard-code it as the default gateway address on end stations or put it in your DHCP server configuration.
To ensure that the end stations do not discover the real MAC address of the
RP's LAN interface, enabling HSRP disables ICMP redirects. You'll see the
no ip redirects command appear on the RP's interface.
To influence which RPs perform the active and standby roles, you can
increase the RPs' priorities. To do so, execute the following standby command
on the RP's interface:
Switch(config-if)# standby [group-number] priority new_priority
Remember that the higher the priority, the more likely it is that the RP will
become a standby or active RP. The priority defaults to 100 but can be set
from 0 to 255. To configure an RP so that it can preempt the current standby or active RP, use the preempt parameter:
Switch(config-if)# standby [group-number] preempt [delay delay_value]
The default delay is 0 seconds, which causes the RP to immediately begin the
preemption process. You can delay this by putting in a delay value from 0 to
3,600 seconds (one hour). The one problem with preemption is that it causes a slight disruption in traffic as the currently active RP demotes itself and
the new RP promotes itself.
To modify the hello and hold-down times, execute the following
command:
Switch(config-if)# standby [group_#] timers hello_time holddown_time
Here, hello_time defaults to 3 seconds and can range from 0 to 255 seconds.
holddown_time defaults to 10 seconds and has the same range of valid values.
Note that holddown_time should be at least three times greater than hello_time
to ensure proper functioning of HSRP.
It is a common practice to adjust these timers to smaller values to speed up HSRP
convergence. However, care must be taken to not set these values too small, which
might cause inadvertent switchovers.
Interface Tracking
In certain cases, it might be necessary for the active RP to step down from its
role and let another RP assume the role. Consider the example shown in Figure
7.3. In this example, RP-B is the active RP for VLAN 20. If RP-B fails, RP-A
notices this after missing the hello messages from RP-B. RP-A promotes itself
and starts forwarding frames that are destined to the virtual MAC address.
[Figure 7.3: RP-A and RP-B each have interface vlan20 and interface vlan40; RP-C and RP-D each have interface vlan30 and interface vlan40]
Let's assume, however, that RP-B does not fail but instead its interface vlan40
fails (connected to the core), as shown in Figure 7.4. Without HSRP running, RP-B would detect the failure and generate an ICMP redirect message
to RP-A. This would allow RP-A to handle the redirected traffic. However,
if RP-A and RP-B are participating in an HSRP group, ICMP redirects are
disabled. This means that RP-B still functions as the active RP and handles
all traffic sent to the virtual MAC address. The problem that this causes is
that after the Layer 3 routing protocol has converged, the traffic still reaches its destination. However, to reach the destination, the traffic must pass
through both RP-B and RP-A, thus introducing unnecessary latency.
[Figure 7.4: the same topology as Figure 7.3, with RP-B's interface vlan40 marked failed (X)]
To overcome this problem and still be able to deploy HSRP, you can employ
the HSRP interface tracking feature. Interface tracking allows the active RP
to lower its priority when one of the interfaces that it's tracking fails. This
would allow another RP to assume the active role. In the example shown in
Figure 7.4, RP-B, with interface tracking configured, would lower its priority, essentially telling the other RPs that it no longer wants to serve as the
active RP. When RP-A sees that RP-B is advertising a lower priority than
itself, RP-A promotes itself and handles all traffic destined for the virtual
MAC address. The advantage of this approach is that the traffic from the
user will only traverse one RP: RP-A.
To configure interface tracking, execute the following command on the
HSRP group interface:
Switch(config-if)# standby [group_#] track interface_type interface_#
[decrement_value]
The track parameter is used to enter the interface that you want the HSRP
RP to track. If this interface fails, for whatever reason, the active RP decrements its HSRP priority by the configured value. Note that decrement_value
is optional and, if omitted, defaults to a decrement of 10 for the priority.
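The HSRP behaviour covered in the configuration and interface tracking sections above, as an added Python model (illustrative code, not the book's or Cisco's): it derives the 0000.0c07.acXX virtual MAC, elects active and standby by priority with ties broken by the highest IP address, honours preempt, lowers the advertised priority when a tracked interface fails, and checks the hello/holddown relationship. Class and method names are my own, and the rule that a vacated standby slot goes to the best remaining member is an assumption.

```python
"""HSRP group model: virtual MAC derivation, active/standby election,
preemption, interface tracking and hello/holddown sanity checks.
Illustrative code, not from the book or Cisco IOS; the IOS command each
setting mirrors is named in the comments."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def hsrp_virtual_mac(group: int) -> str:
    """Virtual MAC of an HSRP group: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def timers_are_sane(hello: int, holddown: int) -> bool:
    """standby timers hello holddown: both 0-255 s, and holddown at least
    three times hello so a single lost hello cannot trigger a switchover."""
    return 0 <= hello <= 255 and 0 <= holddown <= 255 and holddown >= 3 * hello


@dataclass
class Rp:
    name: str
    ip: str
    priority: int = 100                            # standby <grp> priority <n>
    preempt: bool = False                          # standby <grp> preempt
    tracked: dict = field(default_factory=dict)    # standby <grp> track <if> [dec]
    down: set = field(default_factory=set)         # tracked interfaces that failed

    def effective_priority(self) -> int:
        """Priority advertised in hellos: the configured value minus the
        decrement (default 10) of every tracked interface that is down."""
        return self.priority - sum(d for i, d in self.tracked.items() if i in self.down)


class HsrpGroup:
    def __init__(self, group: int, virtual_ip: str, hello: int = 3, holddown: int = 10):
        if not timers_are_sane(hello, holddown):
            raise ValueError("holddown must be >= 3 * hello, both within 0-255 s")
        self.group, self.virtual_ip = group, virtual_ip
        self.virtual_mac = hsrp_virtual_mac(group)
        self.members: list[Rp] = []
        self.active: Rp | None = None
        self.standby: Rp | None = None

    def _rank(self, rp: Rp) -> tuple[int, int]:
        # Highest effective priority wins; ties go to the highest IP address.
        return (rp.effective_priority(), int(IPv4Address(rp.ip)))

    def join(self, rp: Rp) -> None:
        """Bring an RP up in the group.  Without preemption the first RP up
        becomes active and the second standby, whatever their priorities;
        a later RP stays in the listening state."""
        self.members.append(rp)
        if self.active is None:
            self.active = rp
        elif self.standby is None:
            self.standby = rp
        self._reconsider(rp)

    def _reconsider(self, rp: Rp) -> None:
        """rp takes the active (or standby) role only if it has preempt
        configured and out-ranks the current holder; a demoted active RP
        drops back to standby."""
        if self.active is None or not rp.preempt or rp is self.active:
            return
        if self._rank(rp) > self._rank(self.active):
            self.active, self.standby = rp, self.active
        elif (self.standby is not None and rp is not self.standby
              and self._rank(rp) > self._rank(self.standby)):
            self.standby = rp

    def reevaluate(self) -> None:
        """Re-run the preemption checks after any priority change."""
        for rp in list(self.members):
            self._reconsider(rp)

    def interface_down(self, rp: Rp, ifc: str) -> None:
        """A tracked interface fails: rp lowers its advertised priority and a
        preempting member with a higher rank takes over the active role."""
        rp.down.add(ifc)
        self.reevaluate()

    def rp_failed(self, rp: Rp) -> None:
        """Hellos from rp stop for holddown seconds: the standby promotes
        itself and the best remaining member becomes standby (assumption)."""
        self.members.remove(rp)
        if rp is self.active:
            self.active, self.standby = self.standby, None
        elif rp is self.standby:
            self.standby = None
        others = [m for m in self.members if m is not self.active]
        if self.standby is None and others:
            self.standby = max(others, key=self._rank)
```

The election trusts whatever priority each RP advertises, which is why the authentication password carried in HSRP messages matters when the VLAN is shared with devices you do not control.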
Verifying HSRP
To verify the overall operation of HSRP, use the show standby command on
the RP:
In the preceding output, you can see that the active RP is 172.16.10.1 and
the standby RP is 172.16.10.2
For a shorter description, add the brief parameter to the command:
Switch# show standby brief
  Active addr     Standby addr    Group addr
  172.17.10.2     local           172.16.10.254
In this example, this router, for VLAN 1, is in a standby state and the virtual IP address for the standby group is 172.16.10.254.
For additional troubleshooting, you can use the debug standby command from
Privilege EXEC mode. This command displays all HSRP messages that have
been sent and received by the RP.
same configuration.
The SEs must be configured for high availability.
SRM Basics
With SRM, one MSFC card is the designated RP and the other is the nondesignated RP. The designated RP is responsible for forwarding all Layer 3
traffic. The nondesignated RP has the same configuration as the designated
RP and supports auto-synchronization between the designated and nondesignated RPs. Actually, you can configure only the designated RP. The nondesignated RP is in an operational state, but all of its interfaces are disabled
(down and down). The nondesignated card is invisible to other Layer 3
devices in the network; it's basically in a passive state. The nondesignated
card keeps tabs on the designated card.
SRM has the following advantages over HSRP:
Only one set of IP addresses is used, which conserves address space:
both the designated and nondesignated RPs use the same IP addresses.
Because only one RP is active at a time, there are fewer routing peers to
SRM Operation
If the designated card fails, the nondesignated card enables its interfaces,
builds a routing table, and starts forwarding traffic. Here is a detailed list of
the steps that occur when the designated RP fails:
1. The nondesignated RP activates its interfaces.
2. The new designated RP begins to build a routing table.
3. The SE maintains the old FIB table for two minutes and uses this
is built and downloaded from the MSFC to the SE. This is true
whether or not the RP has completed Layer 3 convergence.
SRMs advantages include the following: only one set of IP addresses, fewer RP
peers, and less configuration. Remember the four steps that SRM goes through
when the active MSFC card fails and the redundant card takes over.
You can actually use any name you want for the backup file. When this is
done, you're ready to enable SRM. The configuration of SRM is very simple:
Switch(config)# redundancy
Switch(config-r)# high-availability
Switch(config-r)# single-router-mode
Notice that you are taken into a Subconfiguration mode where you must
enter the high-availability and single-router-mode commands. After this is
done, you can use the show redundancy command to verify the configuration
of SRM:
Switch# show redundancy
Designated Router: 1
Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled
GLBP Operation
In GLBP, there are two types of routers: Active Virtual Gateway (AVG) and
Active Virtual Forwarder (AVF). The AVG is the master gateway device and
is responsible for assigning virtual MAC addresses to end stations when the
end stations perform an ARP for the GLBP default gateway address. Basically,
the AVG is responsible for address management in the GLBP group.
An AVF is an RP that forwards traffic for a GLBP group. The AVG is also an
AVF. Basically, up to four RPs configured in the same GLBP group are AVFs.
I'll use Figure 7.5 to give a basic illustration of how GLBP works. In this
example, RP-A is the master (AVG). When PC-A sends an ARP request for
the default gateway MAC address, the AVG is responsible for responding
back with a virtual MAC address to the end station. In this example, it
responded back with its own virtual MAC address. PC-B then ARPs for the
same gateway address. RP-A responds back with a virtual MAC address.
Based on the load-balancing algorithm used by GLBP, RP-A responds back
with a different virtual MAC address (RP-B's). Load balancing is discussed in
the next section. As you can see from this example, both RP-A and RP-B are
forwarding traffic for the same VLAN.
your security.
Because end-station requests are distributed among a group of servers,
end stations don't need to know about these changes because they're
made on the IOS device performing SLB.
SLB Operation
SLB operates by having end stations send their traffic to a virtual IP address.
SLB has a group of real servers associated with the virtual IP address and
redirects the request to one of the internal servers. Two load-balancing algorithms can be used with SLB:
Directed mode
Dispatched mode
With directed mode, the IP address chosen for the virtual address is not configured on any of the servers in the SLB group. In this sense, it is similar to
the virtual address used by HSRP. In directed mode, SLB performs Network
Address Translation (NAT) on the packets to and from the real server.
In dispatched mode, an IP address you choose is known to all the real servers.
When in dispatched mode, SLB uses the real MAC address of the server that
will have traffic redirected to it. The best way to remember the difference
between directed and dispatched mode is that directed mode basically performs at Layer 3 while dispatched mode performs at Layer 2.
SLB has end stations send their traffic to a virtual IP address. SLB has a group of
real servers associated with the virtual IP address and redirects the request to one
of the real servers. In directed mode, the virtual IP address is unknown to the real
servers: SLB performs NAT on the packet. In dispatched mode, the real servers know
about the virtual IP address: SLB changes the MAC address to one of the real
servers' MACs.
to do is to define your server farm, which specifies the IP addresses your real
servers are using. Here's the configuration to use:
Switch(config)# ip slb serverfarm server_farm_name
Switch(config-slb-sfarm)# real real_IP_address_of_the_server
Switch(config-slb-real)# inservice
Switch(config-slb-real)# exit
The first command, ip slb serverfarm, assigns a name to the group of real
servers and takes you into a subconfiguration mode to specify your real servers' IP addresses. Use the real command to specify the IP address used on the
server's NIC. When you've entered the real command, you're taken into a
sub-subconfiguration mode, where you must enable the use of the real server with the inservice command. To add another server, use the exit command to back up one level and use the real command again to enter the next
server's IP address.
When you've created your group of servers, you're ready to associate them
with a virtual IP address. Use the following configuration to do so:
Switch(config)# ip slb vserver virtual_server_name
Switch(config-slb-vserver)# virtual IP_address [tcp|udp port_#]
Switch(config-slb-vserver)# serverfarm server_farm_name
Switch(config-slb-vserver)# inservice
Switch(config-slb-vserver)# client IP_address [subnet_mask]
To create your virtual server information, use the ip slb vserver command.
This command assigns a name to your virtual server and takes you into a subconfiguration mode. In the subconfiguration mode, use the virtual command to assign the virtual IP address used by the end stations. You can
optionally specify that only traffic destined to the configured TCP or UDP
port number should be redirected; you can specify the port number or its
name.
Follow this with the serverfarm command, which references the name of the
server farm you created with the ip slb serverfarm command discussed previously. The inservice command activates the use of SLB with the virtual
address. Optionally, you can use the client command to restrict which end
stations can use SLB; by default, all end stations use SLB if they have the
virtual IP address in their packets. You can use the subnet mask value to cover
a single client or clients from a range of addresses.
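To make the forwarding and restriction rules from the last two sections concrete, here is an added example (not Cisco's code and not from this book) that models an SLB virtual server in Python: the round-robin choice among in-service reals, the directed-mode NAT rewrite and its reverse translation of the server's reply, the dispatched-mode MAC-only rewrite, and the port and client restrictions. The virtual address 192.168.1.5:80 and the real server 192.168.1.10 are the book's; the second and third reals, the MAC addresses, and the 200.200.200.0/24 client range are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Added example (not Cisco's code): a toy model of the SLB decisions
# described in this section. Addresses other than the book's 192.168.1.5:80
# (virtual) and 192.168.1.10 (real) are constructed for the example.


@dataclass
class RealServer:
    ip: str
    mac: str                  # only consulted in dispatched mode
    inservice: bool = True    # the 'inservice' command under 'real'


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_mac: str
    proto: str = "tcp"
    dst_port: int = 80


@dataclass
class VServer:
    """One 'ip slb vserver': a virtual address fronting a server farm."""
    name: str
    virtual_ip: str
    virtual_mac: str
    mode: str                                   # "directed" or "dispatched"
    farm: List[RealServer]
    proto: Optional[str] = None                 # 'virtual ip tcp|udp port'; None = any
    port: Optional[int] = None
    clients: List[IPv4Network] = field(default_factory=list)  # 'client' lines; empty = all
    _next: int = 0                              # round-robin cursor
    _nat: Dict[str, str] = field(default_factory=dict)        # client -> real (directed)

    def matches(self, pkt: Packet) -> bool:
        """Virtual address, optional port and optional client restrictions."""
        if pkt.dst_ip != self.virtual_ip:
            return False
        if self.proto is not None and (pkt.proto, pkt.dst_port) != (self.proto, self.port):
            return False
        if self.clients and not any(IPv4Address(pkt.src_ip) in net for net in self.clients):
            return False
        return True

    def pick_real(self) -> Optional[RealServer]:
        """Round-robin over the reals that are in service."""
        live = [r for r in self.farm if r.inservice]
        if not live:
            return None
        real = live[self._next % len(live)]
        self._next += 1
        return real

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the packet toward a real server, or None if SLB ignores it."""
        if not self.matches(pkt):
            return None
        real = self.pick_real()
        if real is None:
            return None
        if self.mode == "directed":
            # Layer 3: NAT the virtual IP to the real's IP and remember the
            # mapping so the server's reply can be translated back.
            self._nat[pkt.src_ip] = real.ip
            return Packet(pkt.src_ip, real.ip, real.mac, pkt.proto, pkt.dst_port)
        # Dispatched: Layer 2 only. The virtual IP stays in the packet, so the
        # real server itself must be configured with that address.
        return Packet(pkt.src_ip, self.virtual_ip, real.mac, pkt.proto, pkt.dst_port)

    def translate_reply(self, reply: Packet) -> Packet:
        """Directed mode: put the virtual IP back as the source of a reply."""
        if self.mode == "directed" and self._nat.get(reply.dst_ip) == reply.src_ip:
            return Packet(self.virtual_ip, reply.dst_ip, reply.dst_mac, reply.proto, reply.dst_port)
        return reply


def demo(mode: str) -> List[Tuple[str, str]]:
    """Three HTTP requests through HTTP_Server; returns (dst IP, dst MAC) after SLB."""
    farm = [RealServer("192.168.1.10", "0000.0c00.0a0a"),
            RealServer("192.168.1.11", "0000.0c00.0b0b"),
            RealServer("192.168.1.12", "0000.0c00.0c0c", inservice=False)]  # skipped
    vs = VServer("HTTP_Server", "192.168.1.5", "0000.0c00.0505", mode, farm,
                 proto="tcp", port=80, clients=[IPv4Network("200.200.200.0/24")])
    out = []
    for src in ("200.200.200.20", "200.200.200.21", "200.200.200.22"):
        fwd = vs.forward(Packet(src, "192.168.1.5", vs.virtual_mac))
        out.append((fwd.dst_ip, fwd.dst_mac))
    return out


def edge_cases() -> Tuple[bool, bool, str]:
    """(outside client ignored?, wrong port ignored?, source IP of a translated reply)."""
    vs = VServer("HTTP_Server", "192.168.1.5", "0000.0c00.0505", "directed",
                 [RealServer("192.168.1.10", "0000.0c00.0a0a")],
                 proto="tcp", port=80, clients=[IPv4Network("200.200.200.0/24")])
    outside = vs.forward(Packet("10.9.9.9", "192.168.1.5", vs.virtual_mac)) is None
    wrong_port = vs.forward(Packet("200.200.200.20", "192.168.1.5", vs.virtual_mac, dst_port=443)) is None
    vs.forward(Packet("200.200.200.20", "192.168.1.5", vs.virtual_mac))
    reply = vs.translate_reply(Packet("192.168.1.10", "200.200.200.20", "0000.0c00.2020"))
    return outside, wrong_port, reply.src_ip


if __name__ == "__main__":
    for m in ("directed", "dispatched"):
        print(m, demo(m))
    print(edge_cases())
```

Running the two modes side by side shows the difference the section draws: in directed mode the destination IP changes to the real server's address (and the reply is translated back), whereas in dispatched mode only the destination MAC changes and 192.168.1.5 stays in the packet. The out-of-service real is never picked, and a client outside the configured range or a packet to a port other than 80 is left alone.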
After you've configured SLB, you can use a handful of show commands to verify your configuration:
Switch# show ip slb vserver|cons|stats
Here's an example of the preceding show command with the vserver parameter:
Switch# show ip slb vserver
slb vserver      prot  virtual          state        cons
---------------  ----- ---------------  -----------  ----
HTTP_Server      TCP   192.168.1.5:80   OPERATIONAL  0
This command shows the connections that SLB is monitoring. In this example, a TCP HTTP connection is completing between an end station
(200.200.200.20) and a real server (192.168.1.10).
Summary
To reach a high level of availability, you have to focus on these areas: network
device reliability, device redundancy, link redundancy, fast convergence, a
correct network design, and a well-documented network. There are two
general types of redundancy: component and chassis. Component redundancy provides protection against a component failing inside a chassis. Chassis
redundancy protects against failure of a device.
In hardware redundancy, if you're going to have dual SEs, they must be in
slots 1 and 2. The secondary SE is in a standby state, with the exception of
its uplink interfaces, which can be used. RPR provides hardware redundancy
for the MSFC and PFC cards. The primary SE uses its own MSFC card,
whereas the secondary is in a standby state. When a switchover occurs, it can
take from 2 to 4 minutes because the MSFC card must be initialized. A
switchover occurs if the MSFC and PFC fail on the primary, there is a clock
synchronization problem, or a manual switchover is initiated. RPR+ has the
secondary MSFC fully operational, which means the switchover takes only
30 to 60 seconds. To configure RPR+, use the redundancy and mode rprplus commands.
Proxy ARP allows for a basic level of redundancy for default gateways: if a
device ARPs for a destination that is not on the same segment, a Cisco router
can respond back with its own MAC address. Proxy ARP has problems dealing with failures of the default gateway; it is typically used to
dynamically discover it, though. IRDP uses ICMP to dynamically discover
default gateways. RPs announce themselves and then end stations use them.
The problem with IRDP is that when an active RP fails, it can take up to 30
minutes for the end station to start using another RP.
HSRP is a Cisco-proprietary protocol that provides default gateway redundancy and is invisible to the end stations in the VLAN. A single virtual IP
and MAC address is used per group. An active RP, elected as the RP with the
highest priority (or highest IP address, if a tie occurs), forwards traffic. A standby RP
monitors the active RP. There are six states an HSRP RP might go through: initial, learning, listening, speaking, standby, and active. An RP goes into the
speaking state when an election occurs, or if it is the active or standby RP.
The active RP can tell the rest of the RPs about the virtual addresses. To
enable HSRP, use the standby ip command on an RP's interface. HSRP supports both preemption and interface tracking.
SRM provides Layer 3 redundancy between dual MSFC cards. One is the
designated RP and the other is nondesignated. The nondesignated RP is
operational, but all of its interfaces are disabled. SRM's advantages include
using only one set of IP addresses, fewer RP peers, and configuration that needs
to be done only on the designated RP.
VRRP is an open standard for default gateway redundancy and works on
Ethernet, VLANs, and MPLS VPN media types. VRRP has a master and
backup RPs. Either a virtual IP address or a real IP address (of the master) is
used.
GLBP is an enhanced version of HSRP. It allows for up to four RPs to forward traffic from the group. RPs are grouped together and each group is
assigned one or more virtual addresses. The AVG is responsible for address
management, whereas the AVFs forward traffic; the AVG can also be an
AVF. GLBP supports three types of load balancing: round-robin (default),
weighted, and host-dependent.
SLB allows an IOS RP to load-balance traffic across a group of real servers.
An end station sends traffic to a virtual IP address and the RP forwards this
traffic to one real server in the SLB group. In directed mode, SLB performs
NAT on the end station's packet; in dispatched mode, SLB puts a real server's MAC address in the packet, but leaves the virtual IP address as is (it is
assumed that the real server knows about the virtual address).
Question 2
You've configured RPR on your Catalyst 6500 switch. Which of the following
does not cause a switchover?
A. Failed PFC
B. Clock synchronization failure
C. Failed line card
D. None of these
Answer C is correct. RPR provides redundancy for the MSFC and PFC, not
line cards. Answers A and B will cause a failover and are therefore incorrect.
Because there is a correct answer, answer D is incorrect.
Question 3
Which of the following uses ICMP to discover default gateways?
A. Proxy ARP
B. IRDP
C. RIP
D. DHCP
Question 4
If a default gateway fails and you're using IRDP, it can take up to __________
minutes to discover an alternative default gateway.
A. 5
B. 10
C. 15
D. 30
Question 5
Which of the following MAC addresses is an example of a MAC address used by
HSRP group 10?
A. 0000.0c07.ac10
B. 0000.0c07.ac0a
C. 0000.aaaa.ac0a
D. 0000.0c11.ac0a
Answer B is correct. HSRP addresses begin with 0000.0c07.ac and are followed by the group number in hex. Answer A is incorrect because it represents 16 in decimal. Answers C and D are incorrect because they begin with
the wrong MAC address value.
Question 6
HSRP routers send out hellos every _________ seconds.
A. 1
B. 3
C. 5
D. 10
Question 7
In which HSRP state does an election process occur?
A. Listening
B. Speaking
C. Standby
D. Initial
Question 8
Which command enables HSRP on an RP?
A. (config)# hsrp enable
B. (config-if)# standby enable
C. (config-if)# standby ip
D. (config-if)# hsrp enable
Question 9
What type of redundancy can use either a virtual or real address for a default
gateway?
A. HSRP
B. VRRP
C. GLBP
D. SLB
Answer B is correct. VRRP can use either a virtual or real address of a default
gateway when providing redundancy. Answers A and C are incorrect because
only a virtual address can be used. SLB can use both sets of addresses, but
only for load balancing to servers, not for default gateway redundancy, making answer D incorrect.
Question 10
With GLBP, how many RPs in a group can forward traffic?
A. 1
B. 2
C. 4
D. As many as there are in the VLAN
8
Multicasts
The bulk of communications in campus networks today involve unicast traffic. Because of the deployment of video applications in a campus network, as
well as broader use of multicast applications on the Internet, bandwidth on
campus networks is becoming saturated. Those campus network video applications might include desktop video conferencing, LAN TV and radio, and
collaborative computing. A multicast, like a unicast, is both a Layer 2 and
Layer 3 process. However, with a multicast, a group of machines can be the
destination of the traffic, whereas a unicast has only one destination.
As an example, consider a LAN-based TV multicast application that generates 1Mbps of traffic from the server. By default, this traffic must be dispersed to every segment that has a participating multicast client. Because of
the increased use of these applications, it is critical to understand traffic and
bandwidth characteristics when designing a scalable network that won't
affect every end station.
Unicasts
Unicasts are the most common form of communication because most traffic
that is generated is sent to a specific machine, such as accessing a Web page
or sending an email to an SMTP server.
With unicasts, a separate packet must be sent to each destination. In a shared environment, every network device on the segment will see the packet, but only the actual destination will process it. In a switched environment, only devices on the source
and destination segments will actually see the frame.
Broadcasts
To solve the scalability problem of unicasts, you could use broadcasts to disseminate the server's information to all the participating clients.
When a broadcast packet is generated, everyone in the broadcast domain will see
this packet and process it.
In a broadcast design, the server generates a single packet that every client
will see. One advantage of this approach is that no matter how many clients
are participating in the application, the server generates only one feed. Using
the previous example of 100 clients, only 1Mbps of bandwidth is created to
generate the video feed.
Unfortunately, broadcasts have some downsides. Because of the way broadcasts are implemented, they traverse every segment in a VLAN. Also, when
an end station receives this broadcast, the NIC assumes that the frame is to
be processed, even if the application isn't running on the end station, which
affects its CPU cycles. Another problem is that if the server is in one broadcast domain and the clients are in another, an RP, by default, will not forward
the broadcast traffic. Recall that an RP is a Layer 3 device with a route
processor.
Multicasts
Because of the issues associated with unicasts and broadcasts for disseminating information to many end stations, the recommended approach is to use
multicasts.
When a multicast frame is generated, everyone in the broadcast domain will see this
packet, but only a group of machinesthose running that multicast applicationwill
process it. Multicasting is the transmission of a packet to a host group, which can
contain from zero to many end stations. Like broadcasts, they are sent with a best
effort reliabilitytheres no guarantee that all the machines will see the multicast.
Layer 2, whether to send the frame to the CPU for further processing or to
discard it. This creates a more user-friendly environment for the end station.
Like unicasts, multicast traffic can be intelligently routed to only those segments that have participating end stations.
Here are some important characteristics of multicast traffic:
Capability to send traffic from zero to an infinite number of end stations.
Designed to accommodate clients dynamically joining and leaving the
multicast application.
Allows an end station to simultaneously participate in multiple multicast
applications.
Like broadcasts, multicasts provide a best effort delivery of information;
there's no guarantee that all the server information will get to the end
station.
Uses a separate multicast address for each multicast application.
With TCP/IP, multicasting is implemented using UDP. UDP provides no error correction, no flow control, and no reliability, unlike TCP. However, UDP has much less
overhead in its packet header, making it a more efficient protocol to use when disseminating a large multicast stream of data.
To receive multicast information, a device joins a multicast group. A multicast group is a loose grouping of devices that want to receive the same information. The membership of the group is dynamic; end stations can come
and go as they choose. When an end station joins a particular multicast
group, it processes traffic sent to the destination multicast address. When an
end station leaves a multicast group, it ignores multicast information sent to
it for the old group.
Multicast Addressing
Because networking devices talk to each other with both Layer 3 and Layer
2 addresses, multicasting must address both these issues. There must be a
Layer 3 destination address that the multicast server can use to send out its
traffic feed to any participating end stations. There also must be a Layer 2
address that NICs can use to correctly process the information. Within IP,
Class D addresses have been reserved for Layer 3 addressing.
With Class D addresses, the first four high-order bits are 1110, leaving 28 bits for the group ID and providing addresses
ranging from 224.0.0.0 through 239.255.255.255. To provide a Layer 2 MAC
address, part of the corresponding IP multicast address is mapped to the end
of a reserved range of MAC addresses.
which are used to communicate with devices on the same LAN segment.
The TTL (Time-To-Live) field is set to 1 and routers never forward
these multicasts. Table 8.1 displays some of the most often used reserved
link-local multicast addresses.
Globally scoped addresses: they range from 224.0.1.0 through 238.255.255.255.
The 233.0.0.0 block inside this range, described in RFC 2770, is reserved for sites with assigned
autonomous system (AS) numbers. The autonomous system number (16
bits) is converted into hexadecimal and the resulting four hexadecimal
digits are broken into two sets. These two hexadecimal sets of numbers
are then converted to decimal and are inserted into the second and third
octets of the multicast address. The fourth octet can then be used for
specific multicast addresses for the AS. For example, if you had an AS
number of 62009, it would be F239 in hex. Convert F2 and 39 to decimal and you have 242 and 57, which results in the following multicast
range: 233.242.57.0 through 233.242.57.255.
Limited scope addresses: they range from 239.0.0.0 through 239.255.255.255.
Table 8.1 Common Multicast Addresses
Address       Description
224.0.0.1     All hosts on the segment
224.0.0.2     All routers on the segment
224.0.0.5     All OSPF routers
224.0.0.6     OSPF designated routers
224.0.0.13    All PIM routers
All messages sent to the group address 224.0.0.1 (the all-hosts group) have their TTL
field in the IP packet set to 1. This ensures that the RP will not forward them to other
segments.
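The address rules above (the Class D range, the Layer 3 to Layer 2 mapping, the RFC 2770 AS-number derivation, and the link-local, global and limited scopes) are easy to get wrong by hand, so here is an added example in Python that is not from the book. The 23-bit mapping into 01-00-5E-00-00-00 is the RFC 1112 rule, which is not spelled out on this page; it is stated here as a known fact, and it also explains why 32 different groups share one MAC address, a detail worth knowing when a NIC or switch filters on MAC alone. The sample group addresses are constructed for the example.

```python
from ipaddress import IPv4Address
from typing import List, Tuple

# Added example (not the book's code). RFC 1112 gives the IP-to-MAC rule,
# RFC 2770 the GLOP derivation; the scope ranges are the ones listed above.

MCAST_OUI = 0x01005E000000      # 01-00-5E-00-00-00, the reserved Ethernet multicast block


def _dotted(mac: int) -> str:
    """Cisco-style xxxx.xxxx.xxxx rendering of a 48-bit MAC."""
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_to_multicast_mac(ip: str) -> str:
    """Copy the low-order 23 bits of the group ID into 01-00-5E-00-00-00.

    The 1110 prefix leaves 28 bits of group ID; only 23 fit in the MAC, so
    the 5 bits in between are dropped and 32 group addresses share one MAC.
    """
    addr = int(IPv4Address(ip))
    if addr >> 28 != 0b1110:
        raise ValueError(f"{ip} is not a Class D address")
    return _dotted(MCAST_OUI | (addr & 0x7FFFFF))


def groups_sharing_mac(ip: str) -> List[str]:
    """Every Class D address whose frames carry the same MAC as `ip`."""
    low23 = int(IPv4Address(ip)) & 0x7FFFFF
    return [str(IPv4Address((0b1110 << 28) | (hi << 23) | low23)) for hi in range(32)]


def glop_range(asn: int) -> Tuple[str, str]:
    """RFC 2770: the 16-bit AS number becomes octets 2 and 3 of 233.x.y.0/24."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP addressing needs a 16-bit AS number")
    hi, lo = asn >> 8, asn & 0xFF          # F2 and 39 for AS 62009
    return f"233.{hi}.{lo}.0", f"233.{hi}.{lo}.255"


def scope(ip: str) -> str:
    """Classify an address into the ranges described in this section."""
    a = int(IPv4Address(ip))

    def between(lo: str, hi: str) -> bool:
        return int(IPv4Address(lo)) <= a <= int(IPv4Address(hi))

    if a >> 28 != 0b1110:
        return "not multicast"
    if between("224.0.0.0", "224.0.0.255"):
        return "link-local"          # TTL 1, never forwarded by an RP
    if between("233.0.0.0", "233.255.255.255"):
        return "GLOP"                # per-AS block inside the global range
    if between("239.0.0.0", "239.255.255.255"):
        return "limited scope"
    return "globally scoped"


if __name__ == "__main__":
    for g in ("224.0.0.1", "233.242.57.1", "239.1.1.1"):
        print(g, scope(g), ip_to_multicast_mac(g))
    print(glop_range(62009))
    print(groups_sharing_mac("224.0.0.1"))
```

glop_range(62009) reproduces the book's 233.242.57.0 through 233.242.57.255, and groups_sharing_mac("224.0.0.1") lists the 32 groups (224.0.0.1, 224.128.0.1, 225.0.0.1, and so on up to 239.128.0.1) whose frames all carry 0100.5e00.0001.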
Client Registration
One of the issues that must be dealt with in multicasting is the discovery of
the end stations that will be participating in a multicast group. Preferably,
you want the end stations to advertise the fact that they will be participating
and have your RPs and switches use this information to intelligently forward
multicast traffic from the multicast server to the end stations. Without this
type of information, the network would have to flood the traffic to every
segment.
The solution provided for IP networks is called the Internet Group
Management Protocol (IGMP), which works between end stations and RPs.
End stations send out advertisements to the RPs, denoting which multicast
application (or applications) they're participating in. The RPs then forward
the multicast traffic from the server to the client's segment. The RP maintains a list of participating clients, updating it as clients join and leave multicast groups. To ensure the validity of its client list, the RP periodically sends
out a query to the end stations on its different segments. In this manner, the
RP forwards multicast traffic only to segments that have active multicast
clients. RPs then share this information with each other via a multicast routing protocol so that multicast traffic from a server can be routed to participating end stations. As long as there's one active station on a given segment,
the RP continues to forward the multicast stream to the segment.
Overview
IGMP provides a standardized, dynamic, client registration process in which
clients advertise the multicast applications they want to participate in to their
connected RPs. The three different versions of IGMP are v1, v2, and v3. In all
versions of IGMP, you'll find two basic components: multicast hosts and multicast queriers. These two components share two different types of messages:
Query messages are used by the RP to discover the end stations on a
IGMPv1
IGMP is an IP protocol. Using 28-byte IP packets, information is transmitted to members of the multicast groups. The top part of Figure 8.1 displays
the format of an IGMPv1 message.
Figure 8.1 IGMPv1 and IGMPv2 message formats.
IGMPv1: Version (4 bits), Type (4 bits), Unused (8 bits), CRC (16 bits), Group Address (32 bits).
IGMPv2: Type (8 bits), Maximum Response Time (8 bits), CRC (16 bits), Group Address (32 bits).
There's a 4-bit version field, which is set to 1 for IGMPv1 messages and
defines which of the two message types this is, either a host membership
query or a host membership report. The last part of the message is the multicast group address of the application. For query messages, this field contains
zeroes and is ignored by the end stations. For report messages, the field contains the multicast address of the application that the host is participating in.
wait for the RP to generate a query message. When a host wants to join a
multicast group, it generates an IGMP message that contains the group
address of the multicast application in which it wants to participate. This
message is called a host membership report and is sent to the all-router group
(224.0.0.2). By doing this, the end station speeds up the process by notifying
the RP that the RP needs to start forwarding multicast information to the
segment.
The second way that a host can join a multicast group is if an RP generates
a query message and the host responds back with the multicast application
address it wants to access. This message is called a host membership query and
is sent to the all-hosts group. It uses a destination address of 224.0.0.1 in the
IP packet to do this. The query's TTL is set to 1 so that any other RP on the
segment does not inadvertently forward it to a different segment. Any packet with a destination IP address ranging from 224.0.0.0 through 224.0.0.255
should never be forwarded by an RP. By default, Cisco RPs generate this
query every 60 seconds.
If multiple RPs are on the same segment as the hosts, it's left to the implementation of the multicast routing protocol to limit the number of RPs that
actively participate in the query process. If the interface on the RP has just
been enabled, the RP, instead of using its 60-second timer for generating
queries, will fire off a handful of IGMP queries to speed up the discovery
process and the forwarding of multicast traffic. After so many of these quick-fire queries, the RP will settle down and generate queries based only on its
configured timer.
random time value between 0 and 10 and then counting down the seconds,
the host checks whether another host has generated a membership report in
response to the RP's query. If the host sees a response, it cancels its countdown timer and does not generate a report. However, if the host's timer
expires and it has not seen a response from another host, it generates the
report itself and sends it to the all-router group.
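The report-suppression timers just described are what keep a query from producing a storm of reports on a busy segment. The following added example (not the book's code) simulates them in Python for one segment: every membership arms a random timer, the first timer to expire sends the report, and the remaining members of that group cancel theirs. A group argument models the IGMPv2 group-specific query, in which only the queried group answers. The host names, groups and random seed are constructed for the example.

```python
import random
from typing import Dict, List, Optional, Tuple

# Added example (not the book's code): a seeded simulation of the IGMPv1
# report-suppression timers described above. Host names, groups and the
# seed are constructed for the example.

ALL_ROUTERS = "224.0.0.2"      # where hosts send membership reports


def respond_to_query(memberships: Dict[str, List[str]], group: Optional[str] = None,
                     max_delay: float = 10.0, seed: int = 7) -> List[Tuple[float, str, str]]:
    """Reports sent on one segment in answer to a query, as (time, host, group).

    memberships maps each host to the groups it has joined. group=None is a
    general query (every group answers); a group value models the IGMPv2
    group-specific query, which only that group answers. Each (host, group)
    membership arms a timer drawn uniformly from [0, max_delay]; the first
    to expire sends the report and the rest, hearing it, cancel their timers.
    """
    rng = random.Random(seed)
    timers = []
    for host, groups in memberships.items():
        for g in groups:
            if group is None or g == group:
                timers.append((rng.uniform(0, max_delay), host, g))
    timers.sort()                                    # expiry order
    answered = set()
    sent = []
    for t, host, g in timers:
        if g in answered:
            continue                                 # someone else already reported g
        answered.add(g)
        sent.append((round(t, 2), host, g))
    return sent


def reports_without_suppression(memberships: Dict[str, List[str]]) -> int:
    """How many reports the RP would receive if every member answered."""
    return sum(len(groups) for groups in memberships.values())


SEGMENT = {  # constructed: three hosts on one segment
    "host-a": ["224.1.1.1", "224.2.2.2"],
    "host-b": ["224.1.1.1"],
    "host-c": ["224.1.1.1"],
}

if __name__ == "__main__":
    print(reports_without_suppression(SEGMENT), "reports without suppression")
    print(respond_to_query(SEGMENT), "with suppression (general query)")
    print(respond_to_query(SEGMENT, group="224.1.1.1"), "group-specific query")
```

With the constructed segment, four memberships collapse to two reports (one per group) for a general query and to a single report for a group-specific query, which is exactly what the RP needs: it only has to learn that at least one member of each group is present, not who.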
IGMPv2
IGMP version 2 adds some additional features and improvements to the earlier version. Like IGMPv1, IGMPv2 uses IP packets to transfer its messages.
Also just like IGMPv1, the IGMPv2 messages are 28 bytes long. The bottom
part of Figure 8.1 displays the format of IGMPv2 messages. The Type field
describes the different message types. The four message types are as follows:
Membership query, IGMPv1 membership report, IGMPv2 membership
report, and a leave report. The second field, Maximum Response Time, is
used to specify the maximum time allowed before sending a responding
report. The default value is 10 seconds.
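To show the two message layouts from Figure 8.1 as bytes, here is an added example in Python that is not from the book: it builds and decodes the 8-byte IGMPv1/v2 message (the payload of the 28-byte IP packet mentioned in both sections) with a valid checksum. The type values 0x11, 0x12, 0x16 and 0x17 come from RFC 1112 and RFC 2236 rather than from this page; read through IGMPv1's version and type nibbles, 0x11 is version 1 / type 1 (query) and 0x12 is version 1 / type 2 (report), which is the byte-level reason a version 2 RP can accept version 1 reports unchanged. The checksum check and the length check are the validation a receiver should perform before trusting any field.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict

# Added example (not the book's code). Type values are from RFC 1112 and
# RFC 2236: 0x11 membership query, 0x12 IGMPv1 membership report,
# 0x16 IGMPv2 membership report, 0x17 leave group. Read as IGMPv1 nibbles,
# 0x11 is version 1 / type 1 (query) and 0x12 is version 1 / type 2 (report).

TYPES = {
    0x11: "membership query",
    0x12: "IGMPv1 membership report",
    0x16: "IGMPv2 membership report",
    0x17: "leave group",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """Return the 8-byte IGMP message (the payload of the 28-byte IP packet).

    max_resp_tenths is the IGMPv2 Maximum Response Time in tenths of a
    second (100 = the 10 s default); IGMPv1 leaves that byte at 0.
    """
    if msg_type not in TYPES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse(raw: bytes) -> Dict[str, object]:
    """Decode and validate a message; raises ValueError on anything malformed."""
    if len(raw) < 8:
        raise ValueError("IGMPv1/v2 messages are 8 bytes")
    msg = raw[:8]
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, grp = struct.unpack("!BBH4s", msg)
    if msg_type not in TYPES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    group = str(IPv4Address(grp))
    # RFC 2236: a query whose Max Response Time byte is 0 came from a v1 querier.
    if msg_type == 0x12 or (msg_type == 0x11 and max_resp == 0):
        version = 1
    else:
        version = 2
    info = {
        "type": TYPES[msg_type],
        "version": version,
        "v1_version_nibble": msg_type >> 4,
        "v1_type_nibble": msg_type & 0xF,
        "max_response_s": max_resp / 10,
        "group": group,
    }
    if msg_type == 0x11:
        info["query_kind"] = "general" if group == "0.0.0.0" else "group-specific"
    return info


if __name__ == "__main__":
    for m in (build(0x11, "0.0.0.0", 100), build(0x12, "224.1.1.1"), build(0x17, "224.1.1.1")):
        print(m.hex(), parse(m))
```

A general query carries 0.0.0.0 in the group field and a group-specific query carries the group, matching the text's description of the query field being ignored by end stations in the general case; the Maximum Response Time byte is the only thing that distinguishes a v2 general query from a v1 one on the wire.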
IGMPv2 deals with the deficiencies of the join-and-leave process in
IGMPv1. One of the issues with IGMPv1 is that it might take a while before
an IGMP RP discovers the fact that no end stations are participating in a
multicast group or that an end station wants to participate in a multicast
group. In addition, there's no process to ensure that only one RP plays an
active role and forwards multicast traffic to the segment. When there's more
than one RP on a segment, it could create the unnecessary forwarding of
multicast traffic.
One new addition to IGMPv2 is the group-specific query message. This
allows an RP to send a specific query to only one multicast group on a segment. In IGMPv1, the RP can discover whether an end station has left only
after it has sent its periodic query. To speed up the process, the end station
can send a leave report message, thus reducing the latency involved for the
RP to stop forwarding multicast traffic to segments that no longer have
participating hosts. Version 2 RPs can generate version 1 messages for
backward-compatibility purposes. This is proven by the two different membership report message types that the IGMPv2 packet supports.
from each group will respond to each specific multicast group address query.
If there are five different multicast applications with five unique multicast
addresses, the RP generates five IGMP queries and expects five different
responses.
IGMPv3
IGMPv3 is an enhancement of IGMPv2. IGMPv3 allows an end station to
tell an RP which multicast groups it wants to participate in as well as from
which source servers it wants to receive this information. The RP can then
forward multicast traffic to the end station from one of the specified source
servers. This is called source filtering.
Figure: IGMPv3 message formats (Query, Report: INCLUDE, and Report: EXCLUDE).
IGMP v3lite
Because many vendors have not included support for IGMPv3 in their operating systems, Cisco has developed a proprietary version of IGMPv3 as a
temporary solution. IGMP v3lite, which contains a subset of IGMPv3 features and functions, allows Cisco partners to develop applications that take
advantage of PIM and SSM, allowing for a very scalable multicast solution.
If you install v3lite on an end station that already supports IGMPv3, the
v3lite software will have the IGMPv3 component of the operating system
handle IGMP processing.
IGMPv3 is disabled by default on Cisco routers. You can enable it by using
the following configuration:
Router(config)# interface type [slot#/]port_#
Router(config-if)# ip igmp v3lite
Multicast Routing
The sending of multicast traffic and the reception of this traffic by end stations will require you to coordinate the actions of your RPs and switches.
The previous section discussed how the RPs discovered the end stations and
the multicast applications in which they're participating. This section discusses how information gets from the server to the end stations, along with
the following multicast routing issues:
RPs discovering multicast end stations and servers
RPs sharing multicast information with each other and establishing a
used by switches to remove Layer 2 loops. Using a distribution tree, the RPs
can ensure that a multicast frame traverses a segment only once in the network. This minimizes the bandwidth impact, which is accomplished by making sure that there's one and only one path from the source of the multicast
traffic to each of the end stations that wants to see it.
These trees are loop-free, which means that multicast frames are replicated
only when the tree branches, and then it's guaranteed that the multicast
frame will not return to a branch that it has already traversed. Only segments
that have either multicast clients or the paths required to reach those multicast clients will have multicast traffic traversing them. Because group members can join and leave at any time, the distribution tree that's built by the
RPs must have the capability to be updated based on these changes. When a
segment no longer has participating multicast end stations, the RP connected to it should prune that segment from the tree.
This tree structure is very similar to common STP: For the entire switched
network, there's only one tree structure, with the rendezvous point functioning as the root of the tree.
One advantage of this approach is that there's only the overhead of creating
and maintaining a single-tree structure. The downside, however, is that in
many instances, suboptimal paths exist between the source application server and the destination end stations, thus resulting in undesirable latency.
This could be problematic for delay-sensitive multicast applications. The
other disadvantage of this approach is that the rendezvous router could create a bottleneck if your multicast servers are generating a large amount of
multicast traffic.
Figure: a multicast server sends a multicast stream toward PC A (doesn't want to see multicast information) and PC B (wants to see multicast information); X marks where the stream is stopped.
Figure: a multicast server sends a multicast stream toward PC A (doesn't want to see multicast information) and PC B (wants to see multicast information); X marks where the stream is stopped.
PIM-DM
Dense mode should be used when your campus network meets one of the
following criteria:
The multicast servers and end stations are located close to each other.
The number of multicast servers is few, but the number of end stations
is very many.
Multicast traffic is constantly being generated and forwarded.
The amount of multicast traffic is very large.
PIM-SM
Sparse mode should be used when your campus network meets one of the
following criteria:
The multicast servers and clients are separated by a WAN.
Each multicast group in your campus has very few clients.
The multicast traffic that the servers generate is not constant.
PIM-SM is useful when you have a campus environment with many small
bandwidth-generating multicast applications: The number of participants is
small and the amount of traffic is small.
Unlike PIM-DM, PIM-SM does not use reverse path forwarding. Actually,
in this type of setting, implementing reverse path forwarding does not make
any sense. To flood your campus network with a stream of multicast traffic
to deliver it to only a handful of end stations is very wasteful of your network's resources.
To be more efficient, PIM-SM uses a rendezvous point. The RP performing
this responsibility serves as a registration point. It contains a list of all multicast applications and their respective servers that are generating the multicast
locations.
Switches can gather IGMP end station information from an IGMP RP.
forward the multicast data stream. The problem with this approach is that if
the membership of the multicast group is constantly changing, manually
updating the address table becomes an impossible task.
IGMP Snooping
The third solution to controlling multicast traffic is to have the switch
dynamically keep track of joining and leaving members of a multicast group.
The switch does this by snooping the IGMP queries that RPs generate and
the reports that multicast end stations reply with. The problem with this
approach is that the switch must examine every multicast frame, which is
very process intensive and introduces a lot of latency in the switching of
everyone's frames, including the multicast traffic. Therefore, IGMP snooping should not be used on lower-end switches, but only on higher-end
switches that can perform snooping in hardware using ASICs.
the end station. Switches take this information and examine their CAM table
for a matching MAC address and an associated port. If a switch finds the end station's address in its port address table, it adds an additional entry for the
Layer 2 multicast address and the same port number that the client resides
off of. If the switch does not find the end station's address, it basically ignores
the CGMP message. With CGMP enabled, however, the switch will not
flood multicast traffic; it depends on the RP to tell the switch which end stations are participating in multicast groups.
dense-mode
If you choose dense-mode, the RP adds the interface to its multicast routing
table and forwards multicast traffic out of all interfaces with PIM dense mode
enabled. Through a discovery process, segments without any participating
end stations are eventually pruned from the distribution tree.
sparse-mode
If you enter sparse-mode, interfaces are included in the table only if they
receive downstream join messages from other PIM RPs or if IGMP reports are
received in response to the RP's IGMP queries. Forwarding will occur for multicast
traffic only if a rendezvous point is known. When the rendezvous point is
known, the RP connected to the multicast server encapsulates the multicast
packets into unicast packets and forwards them to the rendezvous point. On
receiving these encapsulated multicasts, the rendezvous point strips off the
encapsulation and forwards the multicast traffic. The rendezvous point is
essentially acting as a central point of distribution for the multicast traffic. If
there's no known rendezvous point, the RP will act in a dense-mode fashion.
Therefore, when you configure interfaces in sparse-mode, you'll need to set up
at least one rendezvous point.
sparse-dense-mode
When you're configuring the mode on the interface, specifying sparse-mode
or dense-mode forces the interface to act accordingly. However, this might not
be very efficient in some campus networks. There might be certain parts of
your campus where dense mode is appropriate and other parts where sparse
mode is more desirable. If you configure the interface in sparse-dense-mode,
the interface is set up in dense-mode if the multicast group is operating in
dense mode or sparse-mode if it's operating in sparse mode. Note that for you
to use sparse mode, you must configure a rendezvous point.
Designated Routers
PIM uses designated routers (DRs) on a segment to reduce the number of
IGMP queries created and the number of IGMP reports sent back in
response. Each PIM-enabled interface on an RP periodically generates a
PIM router-query message. The PIM RP on a LAN segment with the highest IP address is automatically elected as the DR. If the DR fails, a new DR
will be elected using the same election process. As mentioned with the show
ip pim interface command, there's no need to have DRs on point-to-point
links such as serial connections. They're needed only for multiaccess segments such as Ethernet. Show commands are discussed in more depth later in
this chapter.
The DR's responsibility is to generate IGMP queries to determine which, if
any, end stations are participating in any multicast applications. Note that
only the DR will generate IGMP queries, but all RPs on the segment will
process the responding IGMP reports from participating clients. To view the
list of neighbors for a PIM RP, use the show ip pim neighbor command.
In this example, 192.168.1.1 is the rendezvous point for all sparse-mode multicast streams.
Switch(config)# ip pim send-rp-announce interface_type interface_number scope time_to_live [group-list access_list_number]
The scope parameter is used to keep the discovery messages within a certain
hop count, perhaps preventing these messages from leaving the campus to a
remote location. For example, to restrain the messages from traveling more
than four hops, use this configuration:
Switch(config)# ip pim send-rp-discovery scope 4
Configuring PIMv2
PIMv2 is an extension of PIMv1 and is currently on track to becoming an
IETF standard. It has the following enhancements:
Sparse and dense modes are defined per group, not per interface.
PIM uses its own packet format instead of IGMP to transport routing
information.
Dynamic rendezvous point discovery is provided by a bootstrap router (BSR).
Auto-discovery of rendezvous points (auto-RP) and BSR in PIMv2 are mutually exclusive. Auto-RP is Cisco-proprietary, whereas BSR will shortly be an
IETF standard. Using BSR is recommended if you have only PIMv2 routers;
otherwise, use auto-RP.
Interoperability
If you have a mixture of PIMv1 and v2 RPs in the same network, the v2 RPs
downgrade themselves to v1. This enables you to slowly migrate from v1 to
v2. During this process, you should perform the following:
Use sparse-dense mode for PIM.
Use auto-RP.
For a rendezvous point, use a v2 or v1 PIM RP; however, in a mixed
Configuration
Use the following configuration to set up PIMv2:
Switch(config)# interface type [slot_#/]port_#
Switch(config-if)# ip pim version 1|2
You can either specify version 1 or 2. For example, if you want to run PIM
version 1 on Ethernet0/1, use this configuration:
Switch(config)# interface ethernet 0/1
Switch(config-if)# ip pim version 1
After you've configured the version, you need to configure the rendezvous
point as well as the BSR with the following commands:
Switch(config)# ip pim rp-candidate interface_type interface_number time_to_live [group-list access_list_number]
Switch(config)# ip pim bsr-candidate interface_type interface_number [priority]
For example, if you had only PIMv2 routers, use the latter command, like
this:
Switch(config)# ip pim bsr-candidate ethernet0/1
Switch(config)# ip pim bsr-candidate ethernet0/2
This enables PIMv2 rendezvous points (BSR) for both Ethernet interfaces
on this RP.
Configuring CGMP
Configuring CGMP on an RP is a simple process. On your RP, configure the
following:
Switch(config)# interface type [slot_#/]port_#
Switch(config-if)# ip cgmp
which we dis-
Address        Interface   Mode    Neighbor Count   Query Interval   DR
192.168.1.1    VLAN10      Dense   1                30               192.168.1.2
192.168.3.1    VLAN20      Dense   1                30               192.168.3.2
192.168.4.1    VLAN30      Dense   1                30               192.168.4.2
The first IP address listed is the IP address of the next-hop RP off of the
interface listed after it. The Mode field describes the mode in which the interface
on the RP is operating. The Neighbor Count field lists the number of
down/upstream neighbors off this interface. The Query Interval field lists
the interval, in seconds, of how often the RP generates PIM router-query
messages on the interface. The default is 30 seconds. The last field, DR, lists
the designated RP for the LAN segment. This is important for determining
which RP on a LAN segment will be generating IGMP query messages.
Serial links do not have DRs; therefore, you would see an IP address of
0.0.0.0.
To see a list of PIM neighbors, use the show ip pim neighbor command. Here
is an example:
In this example, the router has one PIM neighbor (192.168.1.2) off of
Ethernet0/1. This neighbor has been reachable for more than two hours.
The version of PIM is 2 (v2) and is running in sparse mode (S).
To verify that PIM is learning about multicast groups and updating its routing table correctly, use the show ip mroute command. In the following example, you'll look at a multicast routing table to examine an RSM that has
dense-mode interfaces:
Switch# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local,
P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
(*, 224.0.252.1), uptime 1:37:38, expires 0:01:43, RP is 0.0.0.0, flags: DC
Incoming interface: Null, RPF neighbor 0.0.0.0
Outgoing interface list:
VLAN10, Forward/Dense, 0:15:31/0:00:00
VLAN20, Forward/Dense, 0:15:45/0:00:00
VLAN30, Forward/Dense, 0:16:37/0:00:00
(192.168.1.1/32, 224.0.252.1), uptime 2:00:21, expires 0:03:32,
flags: C
Incoming interface: Vlan10, RPF neighbor 192.168.3.17
Outgoing interface list:
VLAN20, Forward/Dense, 20:20:00/0:02:52
VLAN30, Forward/Dense, 20:19:37/0:03:21
There are two entries in parentheses for each multicast route. The first entry
is the IP address of the source RP, followed by the IP address of the multicast application. If you see an asterisk (*) as in the first entry, it means that all
interfaces are sources. This basically means that the source router is
unknown at this point, and will flood the multicast traffic out all its interfaces. The second listing knows of the source router, which is 192.168.1.1.
There are two types of timers. The uptime timer displays the amount of time
since the multicast application has been discovered, and the expires timer displays how long until the entry in the routing table will be removed without
receiving information from a downstream RP or IGMP-capable end station.
The RP field after the expires timer represents the rendezvous point RP, if
known. This will more than likely contain an entry if the mode specified is
sparse-mode. The flags following this describe the type of route. In the case of
the first one, DC, the route is dense mode and is directly connected to the RP.
The Incoming Interface field describes the expected source interface for the
multicast packet, given the listed multicast application address. If the packet
is not received on this interface, it's discarded. The RP assumes in this
instance that the incoming interface is where the multicast server is located
and that any other interfaces are branches from this root interface. The RPF
neighbor field is the IP address of the next upstream RP that's closest to the
source multicast server.
The outgoing interface field lists the interfaces to which the multicast packets will be forwarded. The fields listed contain the outgoing interface, the
forwarding mode, and the update and expiration timers.
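The two routes just explained, parsed into structures and checked the way the Incoming Interface field describes, as an added example that is not from the book. SAMPLE_MROUTE is a constructed copy of the output above, and parse_mroute, rpf_accepts and forwarding_interfaces are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample reproducing the chapter's "show ip mroute" output
# (the flag legend is omitted; the parser skips anything before the first entry).
SAMPLE_MROUTE = """\
(*, 224.0.252.1), uptime 1:37:38, expires 0:01:43, RP is 0.0.0.0, flags: DC
  Incoming interface: Null, RPF neighbor 0.0.0.0
  Outgoing interface list:
    VLAN10, Forward/Dense, 0:15:31/0:00:00
    VLAN20, Forward/Dense, 0:15:45/0:00:00
    VLAN30, Forward/Dense, 0:16:37/0:00:00

(192.168.1.1/32, 224.0.252.1), uptime 2:00:21, expires 0:03:32, flags: C
  Incoming interface: Vlan10, RPF neighbor 192.168.3.17
  Outgoing interface list:
    VLAN20, Forward/Dense, 20:20:00/0:02:52
    VLAN30, Forward/Dense, 20:19:37/0:03:21
"""


@dataclass
class OutgoingInterface:
    name: str
    state: str      # Forward or Prune
    mode: str       # Dense or Sparse
    uptime: str
    expires: str


@dataclass
class MrouteEntry:
    source: str     # "*" for a (*,G) entry, otherwise the source prefix
    group: str
    uptime: str
    expires: str
    flags: str      # e.g. "DC": dense mode, directly connected
    rp: Optional[str]
    incoming_interface: Optional[str] = None
    rpf_neighbor: Optional[str] = None
    outgoing: List[OutgoingInterface] = field(default_factory=list)

    def is_shared_tree(self) -> bool:
        return self.source == "*"


ENTRY_RE = re.compile(
    r"^\((?P<src>\*|[\d./]+), (?P<grp>[\d.]+)\), uptime (?P<up>[\d:]+), "
    r"expires (?P<exp>[\d:]+),(?: RP is (?P<rp>[\d.]+),)? flags: (?P<flags>\w+)$"
)
INCOMING_RE = re.compile(r"^Incoming interface: (?P<iif>\S+), RPF neighbor (?P<rpf>[\d.]+)$")
OIL_RE = re.compile(r"^(?P<name>\S+), (?P<state>\w+)/(?P<mode>\w+), (?P<up>[\d:]+)/(?P<exp>[\d:]+)$")


def parse_mroute(text: str) -> List[MrouteEntry]:
    """Turn show ip mroute text into a list of structured entries."""
    entries: List[MrouteEntry] = []
    current: Optional[MrouteEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = MrouteEntry(source=m["src"], group=m["grp"], uptime=m["up"],
                                  expires=m["exp"], flags=m["flags"], rp=m["rp"])
            entries.append(current)
            continue
        if current is None:
            continue  # header or legend lines before the first entry
        m = INCOMING_RE.match(line)
        if m:
            current.incoming_interface = m["iif"]
            current.rpf_neighbor = m["rpf"]
            continue
        m = OIL_RE.match(line)
        if m:
            current.outgoing.append(OutgoingInterface(
                m["name"], m["state"], m["mode"], m["up"], m["exp"]))
    return entries


def rpf_accepts(entry: MrouteEntry, arrival_interface: str) -> bool:
    """The check the text describes: a packet matching the entry is forwarded only
    when it arrives on the incoming interface. A Null incoming interface (source not
    yet known) accepts nothing here. IOS prints Vlan10 and VLAN10 inconsistently."""
    iif = entry.incoming_interface
    if iif is None or iif.lower() == "null":
        return False
    return iif.lower() == arrival_interface.lower()


def forwarding_interfaces(entry: MrouteEntry) -> List[str]:
    """Outgoing interfaces still in the Forward state (pruned ones are excluded)."""
    return [o.name for o in entry.outgoing if o.state == "Forward"]
```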
Summary
There are three ways of disseminating information: unicasts, broadcasts, and
multicasts. With a unicast, a packet is sent to each destination individually.
With a broadcast, a single packet is generated and every destination receives
it. With a multicast, a single packet is sent to a group of devices. Class D
Question 2
Which multicast address is used to send information to all RPs in a subnet?
A. 224.0.0.1
B. 224.0.0.2
C. 224.0.0.5
D. 224.0.0.6
Answer B is correct. When information needs to be sent to all RPs on a segment, use 224.0.0.2 as a multicast address. 224.0.0.1 is the all-host group (all
devices), making answer A incorrect. Answers C and D are incorrect because
OSPF uses these addresses.
Question 3
What protocol is used by an RP to discover which end stations want to receive
multicast traffic?
A. PIM
B. CGMP
C. ICMP
D. IGMP
Answer D is correct. IGMP is used to determine what clients are participating in multicast groups. Answer A is incorrect because PIM is used to route
multicast traffic. Answer B is incorrect because CGMP is used to help
switches learn locations of multicast clients. Answer C is incorrect because
this is used to test IP connections.
Question 4
In IGMPv2, the router with the _________ IP address is elected as the active
querier.
A. Lowest
B. Highest
Question 5
Which version of IGMP allows a client to determine which sources can be used
for multicast feeds?
A. v1
B. v2
C. v3
D. v2 and v3
Question 6
Which distribution tree uses a rendezvous point to build a single-tree structure
for multicast routing?
A. PIM
B. Source
C. Shared
D. CGMP
Question 7
The president of your company will be making a live presentation on Friday at 3
p.m. and every employee needs to see it. In what mode would you configure
PIM for this multicast feed?
A. Sparse
B. Dense
Answer B is correct. Use dense mode if most clients need to see the multicast feed. Sparse mode is used when only a few, geographically dispersed
clients need to see a feed, making answer A incorrect.
Question 8
PIM-DM uses ______ to build its distribution tree.
A. Spanning tree
B. IGMP
C. Reverse path forwarding
D. Rendezvous point
Question 9
Which method is recommended to control the switching of multicast traffic?
A. VLANs
B. IGMP snooping
C. Static multicast CAM entries
D. CGMP
Answer D is correct. CGMP is recommended to intelligently switch multicast traffic. VLANs and static multicast CAM entries don't scale well, making answers A and C incorrect. IGMP snooping has performance problems
on lower-end switches, making answer B incorrect.
Question 10
If you have two multicast feeds, one where everyone needs to see the multicast
feed and the other where only a handful need to see it, which PIM mode would
you use with the ip pim Interface command?
A. dense-mode
B. sparse-mode
C. sparse-dense-mode
D. spare-and-dense-mode
Answer C is correct. When you have different multicast feeds with different
user needs, use the ip pim sparse-dense-mode command. Answer A is incorrect
because dense-mode should be used only when all devices need to see all multicast feeds. Answer B is incorrect because sparse-mode should be used when
only a small number of users need to see all multicast feeds. Answer D is
incorrect because it is a nonexistent parameter.
Chapter 9: Quality of Service
254 Chapter 9
In network environments that have voice, video, and data, quality of service
(QoS) becomes an important issue. Certain applications, especially voice and
video, need to have a necessary infrastructure to support their needs. For
instance, if not enough bandwidth is given to these applications, or if too
much delay or jitter occurs, voice and video quality suffers. QoS provides
solutions to these problems. QoS solutions can be something as complex as
providing end-to-end guarantees for a connection or something as simple as
prioritizing traffic through queuing. This chapter starts off by discussing IP
telephony and some of its issues and solutions, and then delves into QoS in
more depth, discussing the components and architecture of QoS, and the
configuration of various QoS solutions.
telephony? VLANs are typically used to separate data and voice traffic.
QoS solutions are required to ensure that the necessary amount of bandwidth and minimal delay are provided for IP telephony.
Do you have enough bandwidth for call control and voice traffic?
Key Services
When implementing an IP telephony solution, you need to consider the four
following areas:
Network management
High availability
Security
QoS
Remember the preceding four components when developing an IP telephony solution.
Acceptable delay: The minimal amount of time it takes to transport voice traffic to a destination; too much time can create echo in the conversation.
Acceptable jitter: The average amount of time between the receipt of each packet; too much jitter can make the voice conversation sound choppy.
Acceptable loss: Loss of some packets in a voice conversation does not typically affect the quality of the phone call. However, dropping too many packets will be obvious to the person listening on the other end.
QoS includes solutions such as traffic classification and traffic prioritization
and queuing, detecting and avoiding congestion, shaping traffic to avoid congestion, and using compression to more fully utilize available bandwidth.
Picking the right solution or solutions can be a difficult task because each has
its own advantages and disadvantages. Later sections in this chapter deal with
these topics.
Bandwidth
One key component in providing scalable, yet reliable, IP telephony solutions is ensuring that your voice traffic receives adequate bandwidth. IP
telephony consists of two connections: a call control signaling connection
and a voice connection.
The call control signaling connection is used to establish the voice connection, which carries the actual voice traffic. This control connection can use
many different standards, such as H.323 or the Media Gateway Control
Protocol (MGCP), to establish the voice connection.
As to design issues, both of these connections require bandwidth inside your
network. A normal rule of thumb is to ensure that each of your links does not,
on average, exceed 75% of the total capacity of the link. This leaves ample
room for bursts in traffic as well as handling QoS issues for voice traffic.
However, for networks that have little bandwidth, you'll have to determine
how much bandwidth you need for voice connections to ensure that you can
support them. VoIP connections typically use the Real Time Transport
Protocol (RTP) to set up and maintain voice connections. This information
is encapsulated in a UDP segment at the transport layer and an IP packet at
the network layer. All of these protocols incur additional overhead (header
information), as well as the overhead involved with the Layer 2 transport,
which is typically Ethernet. RTP uses 12 bytes, UDP has an 8-byte header, IP
has a 20-byte header, and Ethernet has a 14-byte header (plus an ending
CRC). All of this additional information must be included in your calculation.
Use this formula to figure out how much bandwidth you need to support a
single voice connection:
Bandwidth = (packet payload + all overhead) * packets generated per second
The number of packets generated per second is based on the amount of time
to generate a packet. For example, if you have a 20-millisecond packet period, this allows an IP phone to generate 50 pps. Of course, you'll need to figure out how many simultaneous voice connections you'll need to support for
uplink and backbone connections.
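The formula above worked through in code, as an added example that is not from the book. It uses the header sizes the chapter lists, assumes a 160-byte payload per packet (what G.711 produces at a 20 ms packet period), and applies the 75% rule of thumb as the link budget.

```python
# Header sizes the chapter lists for a VoIP packet carried over Ethernet
RTP_HEADER = 12
UDP_HEADER = 8
IP_HEADER = 20
ETHERNET_HEADER = 14
ETHERNET_CRC = 4   # the "ending CRC" (frame check sequence)


def packets_per_second(packet_period_ms: float) -> float:
    """Packets an IP phone generates per second: a 20 ms packet period gives 50 pps."""
    if packet_period_ms <= 0:
        raise ValueError("packet period must be positive")
    return 1000.0 / packet_period_ms


def per_packet_overhead(include_crc: bool = True) -> int:
    """All overhead bytes added around the voice payload."""
    return RTP_HEADER + UDP_HEADER + IP_HEADER + ETHERNET_HEADER + (ETHERNET_CRC if include_crc else 0)


def voice_stream_bps(payload_bytes: int, packet_period_ms: float, include_crc: bool = True) -> int:
    """Bandwidth = (packet payload + all overhead) * packets generated per second,
    expressed in bits per second. A call needs one such stream in each direction."""
    bytes_per_packet = payload_bytes + per_packet_overhead(include_crc)
    return int(bytes_per_packet * 8 * packets_per_second(packet_period_ms))


def streams_supported(link_bps: int, stream_bps: int, max_utilization: float = 0.75) -> int:
    """Simultaneous voice streams a link carries while its average load stays
    under the chapter's rule of thumb of 75% of capacity."""
    if not 0 < max_utilization <= 1:
        raise ValueError("utilization must be a fraction in (0, 1]")
    return int(link_bps * max_utilization // stream_bps)


# Assumption for the worked case: G.711 emits 160 payload bytes every 20 ms
G711_PAYLOAD_AT_20MS = 160

if __name__ == "__main__":
    per_stream = voice_stream_bps(G711_PAYLOAD_AT_20MS, 20)
    print(f"one G.711 stream: {per_stream} bps")                          # 87200
    print(f"10 Mbps link at 75%: {streams_supported(10_000_000, per_stream)} streams")  # 86
```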
Power
Similar to a normal phone, an IP phone requires some sort of power to function. A normal phone draws a small amount of current so that features such
as dial tone, ringing, and so on, can be provided. An IP phone is no different. Without some sort of power, an IP phone does not function. You need
to consider two components when dealing with power: a power source and
an uninterruptible power supply (UPS).
First, you need some type of power source for your IP phones. Cisco's
Catalyst switches can provide this power over a Category 5 cable; the same
cable provides both power to the IP phone as well as Ethernet connectivity.
On Cisco's Catalyst switches, this requires you to purchase an Ethernet module that supports inline power on each of its Ethernet ports. Your second
option is to use a special form of patch panel that can provide a power source
to the IP phones when connecting the IP phones to a patch panel. A third
choice is to use an external power supply that is directly attached to the
phone (assuming that the phone supports this option).
The second issue deals with UPS systems and redundancy. One of the reasons that a normal telephone doesn't use an electrical outlet for power is that
if you lose electricity in your home, the phone still works because the power
it receives is from a separate connection from power you get from the electric company. This enables you to make phone calls in emergency situations
when you've lost power. Power for IP phones is just as important. If your
Catalyst switch or patch panel loses power, you won't be able to use your IP
phone. Therefore, you need to implement a very reliable UPS system to protect against power loss (which is why using an external power supply for an
IP phone is not recommended). This should include a robust UPS and generator backup system, 24/7 UPS monitoring, and a 4-hour service-level
agreement with your UPS vendor to deal with UPS problems.
Auxiliary VLANs
Auxiliary VLANs are a feature of Cisco Catalyst switches that allow IP
phones to be placed in their own VLANs. You normally want to separate
your VoIP traffic from your data traffic. You can easily do so with static
VLAN configurations, but it becomes an issue if your IP phones are constantly being moved around the network.
With auxiliary VLANs, no end-user intervention is required to put the IP
phone in the correct VLAN. Auxiliary VLANs use 802.1Q and 802.1P in
order to put IP phones in the correct VLAN. Using DHCP, IP phones can
correctly be assigned the right IP addressing information for the auxiliary
VLAN they're associated with. A physical connection can even be associated
with an auxiliary VLAN for IP phones and a separate VLAN for data traffic.
Notice that you are taken into a Subconfiguration mode, where you must
enter the high-availability and single-router-mode commands.
To deal with QoS issues, you first need to classify your traffic based on issues
such as bandwidth, delay, jitter, and loss requirements. Based on this information, you'll want to implement one or more QoS solutions for important
traffic to ensure that it gets its necessary level of service. As you'll see
throughout the rest of this chapter, Catalyst switches and routers support
many QoS features that allow for traffic prioritization.
Some QoS features dynamically prioritize traffic for you, whereas others require
manual configuration of prioritization, giving you the ability to create your own QoS
policies. If you have three kinds of traffic, such as voice/video, transactional applications, and data transfers, the three would typically be prioritized as listed.
Problems
QoS needs to deal with four basic problems: amount of bandwidth, delay, jitter, and packet loss. Bandwidth is the amount of throughput a connection
needs to support its level of service. However, delay, jitter, and packet loss
can also affect a connection's level of service. The next sections cover the last
three items.
Delay
Delay is the amount of time it takes for a packet to go from the source to the
destination. Within this transmission, there are two general types of delays
that affect the total delay: fixed delay and variable delay. Fixed delay deals with
the amount of time it takes to encapsulate and de-encapsulate information as
well as to physically transfer information on a wire. Variable delay occurs with
devices handling traffic where things such as congestion can occur. Here is a
list of all the factors for both types of delay that your traffic is subject to:
Packetization: The time it takes to segment information, sample and encode any signals, process the traffic, and then encapsulate the data in packets
Serialization: The time it takes to encapsulate a packet in a frame and place the frame in the input queue, and take the frame from the input queue and place it in the output queue of the outbound interface
Queuing: The time a packet stays in the output queue before being for-
With VoIP traffic, it's important to minimize delay to prevent echo problems.
Remember the different types of delay in the preceding bulleted list, especially
packetization, serialization, and propagation delays.
Jitter
Jitter, or delay variation, is the amount of delay between receiving two packets. The delay variation is the difference between the amounts of time. For
example, if it takes only 135ms to receive one packet and 128ms to receive a
second packet, the delay variation is 7ms. Cisco uses a buffer to reduce jitter
issues. The buffer essentially smoothes out the differences before forwarding
the traffic to the application so that it appears the packets are being received
within the same time delay variation. The jitter buffer can dynamically adjust
itself for changing delay variations. This kind of buffering is very important
for voice and video traffic; otherwise, the conversation or picture appears
choppy. If your internal buffer has issues handling incoming packets, one of
the following problems is occurring:
Overrun: The jitter buffer cannot resize itself to handle the changes in
that the jitter buffer cannot smooth out the delay variation, causing
choppiness.
Either of these situations degrades the quality of a voice or video connection.
Packet Loss
Packet loss is when a networking device has to drop packets, typically because
of a queuing problem. Queuing occurs on the ingress (entering an interface)
and egress (leaving an interface) of a networking device. Most queuing problems occur on the egress because of congestion issues. With egress queuing
and congestion, tail drop packet loss is common. With a tail drop, the first
part of the data from a connection is queued, but when the queue has filled
up, the remaining data from the connection must be dropped. Specialized
queuing and congestion avoidance methods should be implemented to deal
with packet loss of sensitive data, such as voice and video.
If youre experiencing ingress packet loss based on ignore, input, no buffer,
or overrun problems, you probably need to upgrade your hardware to deal
with these problems.
When dealing with VoIP, packet loss should be less than 1%, one-way delay should
be less than 60ms per call leg, and jitter should be less than 20ms in order to provide
a good-quality voice connection.
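An added check, not from the book, that scores a stream of packet timings against the three targets in this note, using the chapter's definition of jitter as the difference between the delays of successive packets. The sequence numbers, timestamps and the make_stream helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Targets quoted in the chapter for a good-quality voice connection
MAX_LOSS_PCT = 1.0           # packet loss below 1%
MAX_ONE_WAY_DELAY_MS = 60.0  # one-way delay below 60 ms per call leg
MAX_JITTER_MS = 20.0         # delay variation below 20 ms


@dataclass
class Packet:
    seq: int        # sequence number, as RTP carries it
    sent_ms: float  # when the phone sent it
    recv_ms: float  # when it arrived; a lost packet simply has no Packet


def make_stream(first_seq: int, delays_ms: Sequence[float],
                period_ms: float = 20.0, drop: Iterable[int] = ()) -> List[Packet]:
    """Constructed sample: packet i is sent at i*period_ms (20 ms = 50 pps) and
    arrives delays_ms[i] later; sequence numbers listed in drop are lost in transit."""
    dropped = set(drop)
    packets = []
    for i, delay in enumerate(delays_ms):
        seq = first_seq + i
        if seq in dropped:
            continue
        sent = i * period_ms
        packets.append(Packet(seq, sent, sent + delay))
    return packets


def one_way_delays(packets: List[Packet]) -> List[float]:
    return [p.recv_ms - p.sent_ms for p in sorted(packets, key=lambda p: p.seq)]


def delay_variations(packets: List[Packet]) -> List[float]:
    """Jitter as the chapter defines it: the difference between the delays of
    successive packets (135 ms then 128 ms gives 7 ms). Around a lost packet the
    two surviving neighbours are compared."""
    delays = one_way_delays(packets)
    return [abs(b - a) for a, b in zip(delays, delays[1:])]


def loss_percent(packets: List[Packet], first_seq: int, last_seq: int) -> float:
    expected = last_seq - first_seq + 1
    received = len({p.seq for p in packets if first_seq <= p.seq <= last_seq})
    return 100.0 * (expected - received) / expected


@dataclass
class QualityReport:
    loss_pct: float
    max_delay_ms: float
    max_jitter_ms: float

    def problems(self) -> List[str]:
        """Which of the three targets the stream misses (empty means acceptable)."""
        out = []
        if self.loss_pct >= MAX_LOSS_PCT:
            out.append("loss")
        if self.max_delay_ms >= MAX_ONE_WAY_DELAY_MS:
            out.append("delay")
        if self.max_jitter_ms >= MAX_JITTER_MS:
            out.append("jitter")
        return out

    def acceptable(self) -> bool:
        return not self.problems()


def assess(packets: List[Packet], first_seq: int, last_seq: int) -> QualityReport:
    delays = one_way_delays(packets)
    jitter = delay_variations(packets)
    return QualityReport(
        loss_pct=loss_percent(packets, first_seq, last_seq),
        max_delay_ms=max(delays) if delays else 0.0,
        max_jitter_ms=max(jitter) if jitter else 0.0,
    )
```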
QoS Solutions
Using QoS solutions in your network can deal with the three problems that
were just mentioned. QoS should be able to predict the amount of time it
takes to transmit information between two devices for delay-sensitive applications and ensure that delay and jitter are minimized. A prioritization
scheme is typically used to prioritize time-sensitive traffic (voice and video)
over traffic that isn't time-sensitive (data).
Likewise, for certain applications, such as data transfers, data loss is not acceptable because dropped information must be re-sent. With video and voice, some
packets can be dropped without affecting the quality of the connection.
Therefore, a QoS solution should provide enough bandwidth for applications
and should balance packet loss based on the type of application being used.
A well-designed QoS solution should be able to deal with all of these issues.
At best, it should avoid congestion, and at worst, manageably deal with congestion without affecting application function. When providing a solution,
QoS typically has to deal with the following components:
Classification: Sorts, or classifies, traffic into different distinct groups.
Marking: Places information in a packet or frame indicating the priority queue.
Shaping traffic: Sends traffic out at a constant, even pace (essentially removing the jitter from a traffic stream and enforcing a bandwidth limit).
Dropping: Drops packets in an intelligent way to reduce congestion, yet
Please note that all of these components have to be dealt with not just within a single networking device, but across all network devices between the
beginning and end points of a connection.
QoS Architectures
QoS architectures fall under one of three services, as listed in Table 9.1. Best
Effort services should be used only in environments where QoS is not needed. If you have voice and/or video traffic, youll probably have to implement
QoS solutions, especially if you experience temporary congestion problems
in your network.
Table 9.1 QoS Architectures

Architecture                                    | Explanation                                                                                                                | When to Use
Best Effort                                     |                                                                                                                            |
Integrated Services (IntServ, or hard QoS)      | Reserves resources via the Resource Reservation Protocol (RSVP) from end-to-end for each connection                      | Absolute guarantees for traffic
Differentiated Services (DiffServ, or soft QoS) | Reserves resources on a hop-by-hop basis for traffic classifications through queuing and congestion avoidance techniques  | Optimal guarantees; costs less than IntServ and is easier to implement
Remember the Best Effort, IntServ, and DiffServ information in Table 9.1.
Best Effort
Best Effort tries its very best to get information to a destination in a timely
fashion, but doesn't provide any guarantees. It typically uses a FIFO (first-in-first-out) queuing method. FIFO doesn't provide any type of QoS: the first
packet or frame received is the first one queued. It is typically used for
connections that don't require QoS, such as data transfers. FIFO is discussed
later in this chapter in more depth.
IntServ
IntServ is defined in RFC 1633 and provides a guarantee for QoS for an
application connection. This is different from DiffServ, which does this
based on traffic classifications, not specific connections. IntServ is implemented using RSVP on all devices handling the connection, including the
source and destination. RSVP uses signaling to set up the connection and to
maintain QoS. When a new connection is being established, RSVP has to
determine what paths and devices are used to support the connection. The
Common Open Policy Service (COPS) is used to centralize the setup and
maintenance of the connection.
The two main problems with IntServ are that it is not very scalable (you have to
enable RSVP on all devices) and extra bandwidth is required for each connection
to handle RSVP signaling. However, its main advantage is that it provides a guarantee for a data connection that DiffServ can't. For example, if you have a
hospital application that sets up connections between devices that transmit data
in a real-time fashion, and this data is monitoring someone's vital signs in an
intensive care unit, you absolutely need to guarantee that each connection for
this critical application is serviced so as not to cause any type of data disruption.
DiffServ
DiffServ uses a multiple-service model to implement QoS. With DiffServ,
applications do not signal their QoS requirements before sending their data.
Instead, DiffServ is implemented within your network infrastructure: routers
and switches. This provides an advantage over IntServ because you don't
need to modify any end stations.
DiffServ marks the Type of Service (TOS) field in the IP packet as well as the
Tag field (three bits are used for Class of Service, or CoS) in an IEEE 802.1Q/P
frame. When performing its marking, DiffServ can assign up to 64 traffic classifications called Differentiated Services Code Points (DSCPs), which are used
to prioritize traffic. In the TOS field, the six higher-order bits are used for the
DSCP value and the two lower-order bits are used to indicate congestion.
Each networking device along the way to the destination uses this information
to handle the packet or frame, providing a hop-by-hop QoS implementation.
This is different from IntServ, which implements QoS on a connection-by-connection basis. DiffServ is preferred in the campus backbone environment
because it typically deals with types of traffic, versus the complex management
of QoS on a connection-by-connection basis.
264 Chapter 9
QoS Implementation
Implementing QoS covers these categories: classification and marking of traffic, choosing a queuing method, conditioning traffic (shaping and policing),
and efficiently using bandwidth. The following section deals with these categories, and examines how these components are implemented in a network.
Classification Methods
With IP traffic, the TOS field is used to classify traffic. The TOS field
enables you to assign traffic to one of six classes (0-5). Non-IP traffic is more
difficult to classify because non-IP Layer 3 traffic typically doesn't have a
Route maps
PBR enables you to route packets based on more than just the destination
address in the packet. For instance, if a packet is going to a certain destination and is coming from a particular source address or network, you might
want to route it across a different path than what is currently in the routing
table. ACLs and route maps are typically used to perform the matching. PBR
is beyond the scope of this book, but it is covered in Cisco's BSCI course.
Priority and custom queuing are used to queue and service traffic on egress
ports based on a configured prioritization. CAR and class-based policing
affect how traffic is transmitted to ensure that it operates under expected
conditions, like using an expected amount of bandwidth. These methods are
discussed later in this chapter.
Marking Options
After traffic is classified by a trusted device, it must be marked so that other
trusted devices can implement the appropriate QoS policy. Marking can
occur at Layer 2, Layer 3, or both.
At Layer 2, the CoS (tag) field is used in the IEEE 802.1P frame. This field
is also used by 802.1Q and contains a priority field (CoS) as well as a VLAN
ID. CoS supports the seven different priorities displayed in Table 9.3.
Table 9.3 802.1P CoS Priorities
Priority    Explanation
...         Medium priority
...         High priority
...         Video conferencing
...         Voice channel
6-7         Reserved
A Layer 3 device typically uses ACLs to place traffic into the appropriate traffic class. Assuming that the Layer 3 protocol is IP, marking in an IP packet is
done in the ToS field, which is 1 byte in length. There are two methods to
implement marking: IP precedence, which is used in IPv4, and DiffServ. Both
of these marking methods use the ToS field. With IP precedence, the three
high-order bits are used to mark the traffic's class and the remaining five bits
are not used. In DiffServ, the six high-order bits are used to contain the DSCP
class value and the lower two bits contain flow control information.
802.1Q/P is used to mark Layer 2 frames with CoS information. The IP TOS field is
used to carry QoS information in IP packets. This can be accomplished by using IP
precedence or DiffServ.
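The bit layouts just described, worked as an added Python example (this is not code from the book): it builds and decodes the ToS byte under both the IP precedence and the DiffServ interpretations and the 802.1Q/P tag that carries CoS, then applies a CoS-to-DSCP table of the kind the distribution layer configures. The cos*8 table and the untrusted-port reset to 0 are assumptions, not values the chapter gives.

```python
"""Layer 2 and Layer 3 QoS marking fields: constructed example, not code from the book."""

PRECEDENCE_SHIFT = 5   # IP precedence occupies ToS bits 7..5
DSCP_SHIFT = 2         # DSCP occupies ToS bits 7..2; bits 1..0 indicate congestion (ECN)
COS_SHIFT = 13         # 802.1Q TCI: 3-bit priority (CoS), 1-bit CFI, 12-bit VLAN ID

# Assumed CoS-to-DSCP table (dscp = cos * 8): a common switch default, not a value
# stated in the chapter. The text places this mapping at the distribution layer.
ASSUMED_COS_DSCP_MAP = {cos: cos * 8 for cos in range(8)}


def tos_from_precedence(precedence: int) -> int:
    """IP precedence marking: three high-order bits, remaining five left at zero."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit value (0-7)")
    return precedence << PRECEDENCE_SHIFT


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """DiffServ marking: six high-order bits carry the DSCP, two low-order bits congestion."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if not 0 <= ecn <= 3:
        raise ValueError("congestion (ECN) field is a 2-bit value (0-3)")
    return (dscp << DSCP_SHIFT) | ecn


def decode_tos(tos: int) -> dict:
    """Read one ToS byte both ways. The precedence field is simply the top three
    bits of the DSCP, so a precedence-only device still sees a class in a
    DSCP-marked packet (DSCP 46 reads as precedence 5)."""
    return {"precedence": tos >> PRECEDENCE_SHIFT,
            "dscp": tos >> DSCP_SHIFT,
            "ecn": tos & 0b11}


def tci_from_cos(cos: int, vlan_id: int) -> int:
    """802.1Q/P Tag Control Information: CoS in the top three bits, VLAN ID in the low 12."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS is a 3-bit value (0-7)")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is a 12-bit value (0-4095)")
    return (cos << COS_SHIFT) | vlan_id


def decode_tci(tci: int) -> dict:
    """Split a TCI word back into its CoS and VLAN ID."""
    return {"cos": tci >> COS_SHIFT, "vlan_id": tci & 0x0FFF}


def cos_to_dscp(cos: int, table: dict = ASSUMED_COS_DSCP_MAP) -> int:
    """Map the Layer 2 CoS of an ingress frame to the DSCP written into the IP ToS field."""
    return table[cos]


def dscp_to_cos(dscp: int) -> int:
    """Reverse direction for egress frames: the three high-order DSCP bits become CoS."""
    return dscp >> 3


def ingress_dscp(received_dscp: int, port_trusted: bool) -> int:
    """Trust boundary: a port that is not trusted does not honour the marking it
    receives (assumed here to rewrite it to 0); only trusted ports pass it through."""
    return received_dscp if port_trusted else 0
```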
traffic is inserted in the queue, and how the queue is processed. Table 9.4 displays some of the queuing methods available and the DiffServ method they
are grouped under.
Table 9.4 Queuing Methods
Queuing Method           DiffServ Method
...                      AF
...                      AF
...                      AF
...                      EF
IP RTP prioritization    EF
...                      EF
The following sections cover different types of queuing, including the ones
just mentioned.
FIFO Queuing
FIFO, first-in-first-out, doesn't provide any type of QoS: the first packet or
frame received is the first one queued up. Traffic is not associated with any
class; instead, priority is defined by when the packet comes into an interface.
The default queuing method on Cisco Catalyst switches is FIFO queuing,
which performs queuing in hardware.
Cisco supports a software-based version of FIFO queuing, which breaks up
RAM into four queues, each serviced with best-effort delivery. Each queue
is processed in a weighted round-robin (WRR) fashion. This enables you to
implement a very basic form of QoS and give general preference to one
queue over another.
Priority Queuing
Priority queuing (PQ) also has four queues. However, each queue has a distinct priority: high, medium, normal, or low. Strict priority is enforced in this
scheme. First, the high queue is emptied. When the high priority queue is
emptied, the IOS checks to make sure that no new packets have been added
to it. If so, the high queue is processed again. The medium queue is
processed only when the IOS checks the high queue and finds it empty. Both
the high and medium queues must be empty for the normal queue to be
processed, and the high, medium, and normal queues must be emptied before the
low queue is processed.
Therefore, given this priority scheme, there is a chance that the lower-end
queues might never be processed. It is therefore very important to know what
traffic is placed into what queues. This is typically done based on the protocol of the packet, the ingress interface, the size of the packet, and ACLs.
The one advantage that priority queuing has is that any traffic classified and placed in
the high queue is always guaranteed to be serviced.
Custom Queuing
Unlike priority queuing, custom queuing (CQ) has 16 queues. The same
classification techniques used in PQ are used to place packets into one of the
16 queues in CQ. The main difference between PQ and CQ is that PQ guarantees only that the high queue will be processed; CQ guarantees that every
queue will be processed. In CQ, queues are processed in a round-robin fashion. To give preference to one queue over another, you specify the amount
of traffic that is allowed to be processed from a given queue.
As an example, if you wanted to give preference to queue 1 over 2, you can
allow queue 1 to process twice as much information as queue 2 when the IOS
is servicing the queues. Because CQ processes all queues, no one type of traffic will ever be starved for bandwidth. The main problem of CQ and PQ is
that they cannot adjust to changing network conditions; how traffic is placed
into queues and how much traffic is processed from the queues is hard-configured.
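The two schedulers just contrasted, as an added Python simulation (not IOS code or code from the book): strict PQ re-checks the high queue before every packet, so a busy high queue starves the low queue, while CQ visits every queue each round and lets it send until its byte count is used up, finishing the packet that crosses the threshold. The same proportional dispatch is what the WRR weights later in the chapter express. The queue contents and byte counts are constructed sample values.

```python
"""Strict priority queuing (PQ) versus custom queuing (CQ): constructed example, not IOS code."""
from collections import deque

PQ_ORDER = ("high", "medium", "normal", "low")


def make_queues(spec: dict) -> dict:
    """Build queues from a mapping of queue name/number to a list of packet sizes (bytes)."""
    return {name: deque(sizes) for name, sizes in spec.items()}


def pq_dispatch(queues: dict, packets_to_send: int) -> list:
    """Strict priority: before every packet the high queue is checked again, so a
    lower queue is reached only while every queue above it is empty.
    Returns the (queue, size) pairs in the order they were transmitted."""
    sent = []
    for _ in range(packets_to_send):
        for name in PQ_ORDER:
            if queues[name]:
                sent.append((name, queues[name].popleft()))
                break
        else:
            break  # every queue is empty
    return sent


def cq_dispatch(queues: dict, byte_counts: dict, rounds: int) -> list:
    """Round-robin over the queues. In each turn a queue keeps sending whole packets
    until its configured byte count is used up; the packet that crosses the
    threshold is still sent in full, so a queue may slightly exceed its share.
    byte_counts maps a queue number to its per-turn allowance in bytes."""
    sent = []
    for _ in range(rounds):
        for qnum, q in queues.items():
            credit = byte_counts[qnum]
            while q and credit > 0:
                size = q.popleft()
                credit -= size
                sent.append((qnum, size))
    return sent


def bytes_per_queue(sent: list) -> dict:
    """Total bytes each queue got on the wire, to compare the two schemes."""
    totals = {}
    for q, size in sent:
        totals[q] = totals.get(q, 0) + size
    return totals


def demo() -> tuple:
    """Same offered load under both schemes: a busy bulk flow and a small interactive flow."""
    # PQ: ten 1500-byte bulk packets classified as high, two 64-byte packets as low.
    pq = make_queues({"high": [1500] * 10, "medium": [], "normal": [], "low": [64] * 2})
    pq_sent = pq_dispatch(pq, packets_to_send=10)   # low is never reached
    # CQ: queue 1 (bulk) gets 3000 bytes per turn, queue 2 (interactive) 500 bytes.
    cq = make_queues({1: [1500] * 10, 2: [64] * 2})
    cq_sent = cq_dispatch(cq, {1: 3000, 2: 500}, rounds=1)  # both queues served
    return bytes_per_queue(pq_sent), bytes_per_queue(cq_sent)
```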
Avoiding Congestion
Congestion avoidance is a QoS technique that allows packet dropping, but it
presumes that dropping certain packets will not cause problems for the connections on which the packets were dropped as well as decrease congestion
issues. This section covers three types of congestion avoidance techniques.
Tail Dropping
Tail dropping is one of the most common forms of dealing with congestion
during egress queuing. When queuing up packets during a period of heavy
congestion, the queue will fill up at some point in time, leaving no room for
more packets. During this period, any newly arrived packets for the egress
queue are dropped. With tail dropping, all traffic is treated equally. In other
words, the IOS doesn't look at whether this is UDP or TCP traffic, or data
or voice. This can be detrimental for TCP-based connections because dropping one packet from a connection can cause the retransmission of multiple
packets. In a network that heavily utilizes TCP, using tail dropping can actually create more congestion than it reduces.
Tail dropping has the following problems:
Tail dropping doesn't differentiate between different traffic types.
When congestion occurs and dropping begins, delay- and jitter-sensitive
Conditioning Traffic
There are two basic methods to conditioning traffic: policing and shaping.
Both methods are used to limit the rate of traffic leaving an interface. These
methods are typically used in WAN environments, such as ATM or Frame
Relay, where the virtual circuits are guaranteed only a certain amount of
bandwidth inside the carrier's network. To enforce a rate limit on the interface, the IOS has to measure (meter) the traffic rate. It then enforces rates by
comparing traffic to limits assigned to it. The IOS handles this process by
using tokens and buckets.
Of the two methods, policing is the simplest to implement. In policing, if traffic exceeds its assigned rate limit, the IOS either drops or marks the offending
traffic. As an example, a certain type of traffic, such as FTP, might be assigned
a bandwidth limit of 1Mbps. With policing, any traffic sent beyond the limit is
either dropped or marked as low priority. This process requires few resources
on the IOS device because the device doesn't need to use memory to buffer
traffic. However, policing can cause problems with connection-oriented protocols such as TCP. There are two policing methods the IOS uses:
Class-based policing
Committed access rate
Shaping, on the other hand, buffers traffic that exceeds its assigned rate limit
and transmits the traffic when bandwidth is available. Because shaping
buffers traffic, it requires more resources on the device. However, shaping is
more user-friendly to traffic than policing because it doesn't drop traffic
unless its buffer is filled up. During this buffering period, the traffic is
delayed. Therefore, shaping is not typically used for voice or video traffic
because a delay occurs. In addition, the delay can lead to jitter, which creates
problems for voice and video. Shaping is best used for data types that don't
react to data loss very well, such as TCP and other connection-oriented protocols. There are three shaping methods used by the IOS:
Class-based shaping
Frame relay traffic shaping
Generic traffic shaping
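The policing-versus-shaping distinction above, as an added Python simulation (not IOS code or code from the book): both meter the same arrivals with a token bucket of the same rate and burst, but the policer drops what exceeds the bucket at the moment of arrival, while the shaper holds it in a FIFO buffer, delaying it, and drops only when that buffer is full. The arrival burst, rate, bucket and buffer sizes are constructed sample values.

```python
"""Token-bucket policing versus shaping: constructed example, not IOS code."""


def police(arrivals: list, rate_bps: int, burst_bytes: int) -> tuple:
    """Policer: a packet conforms only if the bucket holds enough tokens at the
    instant it arrives; otherwise it is dropped (or would be re-marked). Nothing
    is buffered, so no memory is used and no delay is added.
    arrivals is a list of (time_seconds, size_bytes) in arrival order."""
    tokens = float(burst_bytes)
    clock = 0.0
    conform, exceed = [], []
    for t, size in arrivals:
        tokens = min(burst_bytes, tokens + (t - clock) * rate_bps / 8)  # refill
        clock = t
        if size <= tokens:
            tokens -= size
            conform.append((t, size))
        else:
            exceed.append((t, size))
    return conform, exceed


def shape(arrivals: list, rate_bps: int, burst_bytes: int, buffer_bytes: int) -> tuple:
    """Shaper: excess packets wait in a FIFO buffer until enough tokens have
    accumulated, so they are delayed rather than dropped; a packet is discarded
    only when the buffer is full. Returns ([(arrival, departure, size)], dropped)."""
    tokens = float(burst_bytes)
    clock = 0.0          # time at which `tokens` was last computed
    in_buffer = []       # (departure_time, size) of packets not yet on the wire
    sent, dropped = [], []
    for t, size in arrivals:
        in_buffer = [(d, s) for d, s in in_buffer if d > t]  # departed packets free space
        if sum(s for _, s in in_buffer) + size > buffer_bytes:
            dropped.append((t, size))
            continue
        start = max(t, clock)                       # FIFO: cannot pass the packet ahead
        tokens = min(burst_bytes, tokens + (start - clock) * rate_bps / 8)
        if tokens >= size:
            depart = start
            tokens -= size
        else:
            depart = start + (size - tokens) * 8 / rate_bps  # wait for the shortfall
            tokens = 0.0
        clock = depart
        in_buffer.append((depart, size))
        sent.append((t, depart, size))
    return sent, dropped


def max_delay(sent: list) -> float:
    """Largest queuing delay the shaper imposed: the reason it is avoided for voice and video."""
    return max((depart - arrival for arrival, depart, _ in sent), default=0.0)


def demo() -> tuple:
    # Constructed burst: four 1000-byte packets arrive at once on a link limited to
    # 8 kbps (1000 bytes/s) with a 1000-byte bucket, then one more packet two seconds later.
    burst = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]
    conform, exceed = police(burst, rate_bps=8000, burst_bytes=1000)
    sent, dropped = shape(burst, rate_bps=8000, burst_bytes=1000, buffer_bytes=2000)
    departures = [depart for _, depart, _ in sent]
    return len(conform), len(exceed), departures, dropped, max_delay(sent)
```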
Header compression
Payload compression
Link fragmentation and interleaving (LFI)
Campus QoS
Now that you have a better understanding of QoS, let's take a look at where
QoS should be implemented in a campus network: access, distribution,
and core.
At the access layer, switches are the typical devices connected to end users.
Switches provide segmentation through the use of VLANs, and switches can
perform the creation of CoS values, at Layer 2, for ingress frames. If the
access layer device is a router, it can also mark DSCP information in the IP
packet header.
The distribution layer typically contains Layer 3 devices. This is where most
of your QoS setup occurs. Here is where you enable QoS, set up a CoS-to-DSCP table to correctly map Layer 2 QoS information into the IP ToS field,
and configure policies that classify any traffic not already marked by your
access layer devices. The access layer, the distribution layer, or both layers
are responsible for the following QoS functions:
Classifying packets based on configured policies
Admitting and managing connections
Managing QoS configuration
The function of the core layer is to not classify or mark any traffic; this
should already have been done at either the access or distribution layer. The
core layer should instead enforce QoS policies. With a high-speed backbone,
this should be a moot point. In most instances, low-latency queuing is used
to process egress traffic. The core and the distribution layers are responsible
for managing and avoiding congestion.
Classification and marking should occur as close to the source as possible, which is
typically the access layer.
Creating Classes
When dealing with MQC, one of the first things you do is define what traffic
is to be grouped together within a class. Here are the commands you'll use:
Switch(config)# class-map class_map_name [match-all|match-any]
Switch(config-cmap)# match access-group ACL_#|name ACL_name
Switch(config-cmap)# match input-interface interface_name
Switch(config-cmap)# match protocol protocol_name
Creating Policies
The second thing you do when configuring MQC is to define your traffic
policies. This is done with the policy-map command:
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# bandwidth Kbps_value
Switch(config-pmap-c)# queue-limit #_of_packets
The policy-map command creates your policies. The class command within
the policy configuration specifies the name of the class of traffic that should
be processed by this policy (created with the class-map command). This takes
you into a subconfiguration mode in which you can limit the amount of
bandwidth (bandwidth) and the number of packets in the queue (queue-limit)
for the class. You can include multiple classes in the same policy map. Please
note that there are additional policy commands that you can use for your
included classes. Listing 9.1 shows a simple example.
Listing 9.1 A Policy Map Example
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# class-map map-one match-all
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# policy-map policy-one
Switch(config-pmap)# class map-one
Switch(config-pmap-c)# bandwidth 1000
Switch(config-pmap-c)# queue-limit 150
In this example, any traffic from 192.168.1.0 is associated with a map class
called map-one. That class is then associated with a policy, called policy-one,
that restricts the traffic to 1Mbps and a queue limit of 150 packets.
Classification and marking are used to mark packets and/or frames with QoS
prioritization information. At Layer 2, CoS information is included. With IP,
the TOS field is either marked using IP precedence or DSCP. This process
is sometimes referred to as coloring. Listing 9.2 shows the configuration performed within your policy map.
Listing 9.2 Policy Map Configuration
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# set cos cos_value
Switch(config-pmap-c)# set ip precedence precedence_value
Switch(config-pmap-c)# set dscp DSCP_value
If you don't use the set commands, no traffic is marked as it exits an interface. Listing 9.3 shows a simple example.
Listing 9.3 A Coloring Example
Switch(config)# access-list 2 permit 192.168.2.0 0.0.0.255
Switch(config)# class-map map-two match-all
Switch(config-cmap)# match access-group 2
Switch(config-cmap)# exit
Switch(config)# policy-map policy-two
Switch(config-pmap)# class map-two
Switch(config-pmap-c)# set cos 1
In this example, any traffic from 192.168.2.0 is associated with a map class
called map-two. That class is then associated with a policy, called policy-two,
that marks this traffic with a COS value of 1.
Activating Policies
After you've created your classes and associated them with a policy map, you
need to activate your policy map on an interface:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# service-policy input|output policy_map_name
After you enter an interface, use the service-policy command to activate the
name of the policy map created with the policy-map command. Note that you
can specify the direction of the policy on the interface: inbound (input) or
outbound (output).
To activate the two policies created in the last section, use this configuration:
Switch(config)# interface fastethernet0/1
Switch(config-if)# service-policy input policy-one
Switch(config-if)# service-policy input policy-two
By default, QoS is disabled on your switch. You can enable it with the following command:
Switch(config)# mls qos
If you dont specify any parameters, both DSCP and CoS parameters are
examined. Please note that there are match commands within a class-map configuration that enable you to match on this kind of traffic.
Given our previous configuration examples, here's how you would enable
QoS:
Switch(config)# mls qos
Notice that because I didn't execute the mls qos trust command on fastethernet0/1, any QoS markings coming into this interface will be ignored and
the policy and class maps I created earlier will be used instead.
Classification of traffic is done with the class-map commands. The policy-map commands associate your QoS parameters to your traffic classes. The service-policy
command activates your QoS policies on an interface. To enable QoS, use the mls
qos command.
In this example, there are two map classes: class1 and class2. class1 includes
all traffic specified by permit statements in ACL 101. class2 specifies that all
IP traffic coming into Ethernet1/1 is included.
The show policy-map
In this example, there is one policy map, policy1, on the switch. It uses WFQ
for queuing and contains two classes. Each class is allowed 64Kbps of bandwidth and each is allowed to queue up 64 packets. To see whether a policy
map has been activated on an interface, use the show policy-map interface
command:
Switch# show policy-map interface Ethernet1/1
Ethernet1/1
Service-policy output: policy1
Class-map: class1 (match any)
0 packets, 0 bytes
5 minute rate 5ps
Match: access-group 101
<--output omitted-->
Queuing Methods
This section covers the configuration of six different queuing methods:
WFQ, PQ, CQ, IP RTP-PQ, LLQ, and WRRQ. Please note that the configuration discussed here provides only the very basic information to set up
these queuing methods.
Configuring WFQ
WFQ is the default queuing method on serial interfaces. WFQ breaks traffic streams into conversations of two types: low volume (such as telnets) and
high volume (such as file transfers). It gives preference to the low volume
over high volume. But within a conversation type, such as two file transfers,
WFQ uses a round-robin and treats the streams equally. WFQ dispatches
information based on conversations.
WFQ is the default queuing method on routers with a serial interface at E1
(2.048Mbps) speeds or less. You don't need to do anything to enable it, but
you can change the threshold at which WFQ begins dropping packets.
The default congestive discard threshold for WFQ is 64 packets. This
threshold is used to queue packets for a conversation. A conversation is
essentially a single connection. If a conversation reaches this limit, the conversation's newly arriving packets are dropped. This threshold ensures that
one conversation doesn't hog all the buffer space. The configuration to
change this threshold is as follows:
Router(config)# interface type slot_#/port_#
Router(config-if)# fair-queue congestive_discard_threshold
Configuring PQ
To prioritize your traffic for PQ, use priority-list commands:
Router(config)# priority-list list_# protocol name_of_protocol high|medium|normal|low additional_parameters
Router(config)# priority-list list_# interface interface_name high|medium|normal|low
After you do this, the router no longer uses WFQ on the interface, but uses
PQ instead.
Here is a simple example of a PQ configuration:
Router(config)# priority-list 1 protocol appletalk high
Router(config)# priority-list 1 protocol ip normal
Router(config)# interface serial0
Router(config-if)# priority-group 1
In this example, a priority list was created placing AppleTalk traffic in the
high queue and IP traffic in the normal queue. The list was then activated on
the router's serial interface.
show interfaces
or
PQ has four queues: high, medium, normal, and low. The high queue is guaranteed
to be serviced. Use the priority-list commands to specify what traffic goes into what
queue and activate the PQ list with the priority-group command.
Configuring CQ
To prioritize your traffic for CQ, use queue-list commands:
Router(config)# queue-list list_# protocol name_of_protocol queue_# additional_parameters
Router(config)# queue-list list_# interface interface_name
The commands are processed top-down by the router, which places the traffic in the appropriate queue. You can create up to 16 lists in CQ. Unlike PQ,
there is no default queue in CQ. Traffic that is not specified for a certain
queue is dropped. However, you can create a default queue. To change the
default queue, use the following command:
Router(config)# queue-list list_# default queue_#
Given our previous example, all other traffic will be placed in queue 3:
Router(config)# queue-list 1 default 3
The default number of packets that a CQ queue can hold is 20. If you're
dropping packets, you want to increase that number with the following
command:
Router(config)# queue-list list_# queue queue_# limit #_of_packets
For our previous example, let's increase the size of the queue IP traffic is held
in, doubling its size:
Router(config)# queue-list 1 queue 2 limit 40
Given our previous example, let's double the threshold for AppleTalk traffic,
giving it preference over IP traffic:
Router(config)# queue-list 1 queue 1 byte-count 1500
Note that this is the command in which you can give larger or smaller
amounts of bandwidth to specific traffic types; it's not traffic shaping, but it
comes somewhat close to it.
After you've created your queue list for CQ, you need to activate it on one
(or more) of your interfaces:
Router(config)# interface type slot_#/port_#
Router(config-if)# custom-queue-list list_#
After you do this, the router no longer uses WFQ on the interface, but uses
CQ instead.
To complete our previous example of CQ list 1, here's how to activate it on
serial0:
Router(config)# interface serial0
Router(config-if)# custom-queue-list 1
show interfaces
or
CQ has 16 queues that are processed in a round-robin fashion. Use the queue-list
command to configure CQ. You can give preference to a queue by specifying the
amount of traffic a queue can process with the byte-count parameter. Use the
custom-queue-list command to activate CQ.
Configuring IP RTP-PQ
RTP handles real-time data streams, such as voice and video. RTP-PQ is a
combination of PQ and WFQ methods to handle the prioritization of RTP
traffic in a mixed-traffic network. RTP packet streams are given a strict priority over other types of packets. When the IOS processes the RTP-PQ
queue, all traffic in the RTP, or priority queue, is processed first. All other
traffic is processed using WFQ or CBWFQ, depending on what you have
enabled on the interface; these are the only other two queuing methods
supported with RTP-PQ. One nice feature of RTP-PQ is that this process
does not occur on the interface until the interface experiences congestion.
To configure RTP-PQ, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# ip rtp priority starting_port_# total_#_of_ports bandwidth
Switch(config-if)# max-reserved-bandwidth percentage
The ip rtp priority command specifies the starting port number of the RTP
application(s) and the total number of ports, beginning with the starting port
number, that should be included in the prioritization. This is followed by the
amount of total bandwidth, in Kbps, that is reserved for this RTP traffic on
the interface.
The total amount of bandwidth available to RTP-PQ, LLQ, and other types
of queuing cannot exceed 75% of the total bandwidth of the interface, by
default. This takes into account overhead such as the headers of IP, RTP, and
UDP. However, it doesn't take into account the Layer 2 overhead.
Therefore, if you're trying to squeeze as much bandwidth as possible from a
link, and you realize that you can get another 5% out of the link (perhaps
through compression or some other means), you can change the maximum
percentage with the max-reserved-bandwidth command. However, care must be
taken when changing this value: If you set it too high, you might be starving
other types of traffic, including control traffic.
Here's a simple example of prioritizing traffic for RealNetworks RealPlayer
product:
Switch(config)# interface vlan 3
Switch(config-if)# ip rtp priority 6970 200 10000
In this example, RTP traffic (ports 6,970 to 7,170) for interface VLAN 3 is
reserved 10Mbps of bandwidth (10,000Kbps) if it needs it.
After you've configured RTP-PQ, you can examine the queuing configuration on your interface with the show queue command.
Configuring LLQ
Configuring LLQ is fairly simple: Its configuration is done within a policy
map, which was explained earlier. Here's the configuration for LLQ:
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# priority BW_Kbps|percent percentage [burst_value]
As you can see from this example, LLQ configuration is done with the
priority command within the class configuration in the policy map. You have
two options for configuring the priority: maximum amount of bandwidth
allocated to the prioritized information, or a percentage of the total interface
bandwidth. You can optionally specify a burst value, which allows the prioritized traffic to burst up to this level temporarily. If you don't specify a burst
value, it defaults to one of the two configured values.
One interesting thing about this bandwidth allocation is that it applies only
during times of congestion. During congestion, traffic is processed up to the
configured level, and then temporarily up to the burst level. Traffic above
these levels is dropped. However, if no congestion is occurring on the interface, the prioritized traffic can exceed the configured parameters.
The priority command serves a similar function compared to the bandwidth
command. However, the bandwidth class command doesn't prioritize one type
of traffic over another. Within the class configuration, you can use either the
priority or bandwidth command, but not both. However, multiple classes can
use the priority command. In this situation, all the classes with a configured
priority are associated with the high priority queue; in other words, you
can't give different levels of priority to different classes of traffic. Listing 9.4
shows a simple example.
Listing 9.4 Using the priority Command
Switch(config)# access-list 3 permit 192.168.3.0 0.0.0.255
Switch(config)# class-map map-three match-all
Switch(config-cmap)# match access-group 3
Switch(config-cmap)# exit
Switch(config)# policy-map policy-three
Switch(config-pmap)# class map-three
Switch(config-pmap-c)# priority 10000
In this example, any traffic from 192.168.3.0 is associated with a map class
called map-three. That class is then associated with a policy, called policy-three, that gives this traffic 10Mbps of bandwidth over other types of traffic
that might be associated with policy map policy-three.
Use the priority command to enable a priority queue with LLQ.
Table 9.5 lists three show commands that you can use to verify your LLQ
configuration and operation.
Table 9.5 LLQ Verification Commands
Command            Explanation
show queue         ...
show policy-map    ...
Configuring WRRQ
WRRQ is the default queuing method used on Layer 3 Catalyst switches. To
use WRRQ, you must first enable QoS; by default, QoS is disabled on your
switch. Globally enable QoS with the mls qos command:
Switch(config)# mls qos
When WRRQ is enabled, you're ready to configure it. Listing 9.5 shows
WRRQ's configuration done at the interface level.
Listing 9.5 Configuring WRRQ
Switch(config)# interface type slot_#/port_#
Switch(config-if)# wrr-queue random-detect max-threshold queue_# threshold-percentage1 threshold-percentage2
Switch(config-if)# wrr-queue cos-map queue_# COS_value1 COS_value2...COS_value_8
Switch(config-if)# priority-queue out
Switch(config-if)# wrr-queue bandwidth queue_1_weight queue_2_weight queue_3_weight queue_4_weight
Switch(config-if)# wrr-queue queue-limit weight1 weight2 weight3 weight4
Minimum Threshold    Maximum Threshold
50                   100
70                   100
50                   100
70                   100
The wrr-queue cos-map command assigns a COS to one of the four queues
used by WRRQ. Queue numbers can range from 1-4. By default, queue 4
is the expedite (high priority) queue and COS 6-7 are assigned to it. COS
4-5 are assigned to queue 3, COS 2-3 are assigned to queue 2, and COS 0-1
are assigned to queue 1.
Please note that you do not have to use all four queues. By default, the expedite queue is disabled. You can enable it with the priority-queue out command.
The wrr-queue bandwidth command enables you to change the weights of the
four queues. The weights are used to determine the ratio of the frequency of
how often each queue is serviced. By default, each weight is set to 25, meaning that each queue gets 1/4 of the bandwidth. The exception to this is when
the expedite queue is enabled. In that case, the expedite queue is always emptied before the other three queues are processed.
The wrr-queue queue-limit command specifies the amount of buffer space
assigned to each of the four queues. The weight value specifies the ratio of
queue space assigned to the queue when compared to all four weights. The
weight value is between 1-100. By default, all four queues have a weight of
25, which means that each queue gets 25% of the queue space. Listing 9.6
shows a simple example.
Listing 9.6 Assigning Buffer Space
Switch(config)# mls qos
Switch(config)# interface gigabit0/1
Switch(config-if)# wrr-queue cos-map 1 6 7
Switch(config-if)# wrr-queue cos-map 2 4 5
Switch(config-if)# wrr-queue cos-map 3 2 3
Switch(config-if)# wrr-queue cos-map 4 0 1
In this example, queue 1 has COS 6 and 7 traffic placed in it; queue 2 has
COS 4 and 5; queue 3 has COS 2 and 3; and queue 4 has COS 0 and 1.
Use the show mls qos interface command to examine WRRQ configuration and operation.
queueing
interface
debug Commands
There are many debug commands that you can use to troubleshoot your QoS
configuration and operation. However, I'm only mentioning two of the more
important ones. The debug ip rsvp command debugs RSVP QoS. You must
be very careful with this command because it can be very resource-intensive.
The debug priority command displays priority queuing operations in real
time, including what traffic is placed in what queue and when that traffic
gets serviced.
There are many, many other commands that you can use to troubleshoot
QoS, but these commands are beyond the scope of this book. See the "Need
to Know More?" section at the end of this chapter for a reference to Cisco's
site on debug commands.
Use the debug priority command to troubleshoot PQ.
Summary
IP telephony is one of the three components of Cisco's AVVID framework.
When implementing an IP telephony solution, you must consider network
management, high availability, security, and QoS. QoS can guarantee necessary bandwidth and acceptable delay, jitter, and packet loss. For VoIP traffic,
packet loss should be less than 1%, one-way delay less than 60ms per leg, and
jitter less than 20ms. QoS does this through prioritization. Voice and video,
transactional applications, and data transfers are typically prioritized as listed.
QoS includes classification, marking, forwarding, policing, queuing, scheduling, shaping, and dropping of traffic. FIFO lacks QoS. IntServ provides
QoS on a connection-by-connection basis, whereas DiffServ provides QoS
on a hop-by-hop basis. DiffServ uses CoS with IEEE 802.1Q/P frames and
either DSCP or IP precedence in the IP TOS packet field. Classification is
the process of grouping traffic into classes by using the class-map command.
Traffic policies are defined within the policy-map command. You activate
your policies with the service-policy command. Marking can be used so that
other devices in the network know how to prioritize traffic. Queuing can
then be used to implement your QoS policies.
WFQ is the default queuing method used on serial interfaces running at E1
speeds or less. It separates conversations into low and high priority based on
Layer 3 and Layer 4 header information. PQ has four queues and the high
queue always has precedence over the lower queues. Use the priority-list
command to associate traffic with one of the four queues. CQ has 16 queues
and processes them in a round-robin fashion. You can change the byte count
for a queue to allow it to process more or less information when its turn
arrives. Use the queue-list command to associate traffic with one of the
queues. LLQ uses both PQ and CB-WFQ. WRRQ is the default queuing
method on Cisco's Layer 3 switches. Use the priority command to specify an
expedite queue. In WRRQ, there are four queues with weights assigned to
them. The higher the weight value, the more often the queue is serviced.
If packets must be dropped, it is typically the tail end of the conversations
that are dropped. WRED is used to drop packets before congestion becomes
an issue, which is different from queuing. Conditioning of traffic shapes it to
remove the burstiness from it, thereby reducing jitter problems.
Question 2
______ is the amount of time it takes to encapsulate a packet in a frame and put
the bits on a wire.
A. Packetization
B. Serialization
C. Propagation
D. Processing
Answer B is correct. Serialization is the amount of time it takes to encapsulate a packet in a frame and put the bits of a frame on a wire. Answer A is
incorrect because packetization is the amount of time it takes to segment
information, sample and encode any signals, process the traffic, and then
encapsulate the data in packets. Propagation is the amount of time it takes to
transmit the bits of a frame across a wire to the next networking device, making C incorrect. Processing is the amount of time it takes a networking
device to process a received frame, including queuing, making answer D
incorrect.
Question 3
Which QoS architecture guarantees QoS parameters on a connection-by-connection basis?
A. FIFO
B. DiffServ
C. IntServ
D. LLQ
Answer C is correct. IntServ reserves resources via RSVP to provide a connection-guaranteed QoS. FIFO provides no QoS, making A incorrect.
DiffServ provides QoS on a hop-by-hop basis, making B incorrect. LLQ is a
queuing method, not a QoS architecture, making D incorrect.
Question 4
Which marking option is used to denote QoS information in an IEEE frame?
A. 802.1P
B. 802.3P
C. 802.1D
D. 802.1W
Question 5
What command specifies which traffic goes into which queue with priority
queuing?
A. queue-list
B. priority-queue
C. fair-queue
D. priority-list
Question 6
What is the default queuing method used on serial interfaces clocked at E1
speeds or less?
A. WRRQ
B. CQ
C. WFQ
D. PQ
Question 7
Which QoS tool can be used to avoid congestion?
A. WRED
B. LLQ
C. WFQ
D. WRRQ
Question 8
Marking of traffic should occur where?
A. Access layer
B. Distribution layer
C. Access and distribution layer
D. Core layer
Question 9
Which command specifies your traffic policing policies for QoS?
A. class-map
B. policy-map
C. match
D. service-policy
Answer B is correct. The policy-map command specifies your policing policies for classes of traffic. The class-map command is used to classify traffic,
not assign policies, making answer A incorrect. The match command is used
within the class-map command to match on classes of traffic; therefore,
answer C is incorrect. The service-policy command is used to activate your
QoS policies, making answer D incorrect.
Question 10
QoS, by default, is enabled on Cisco's Layer 3 switches.
A. True
B. False
Answer B is correct. You must use the mls qos command to enable QoS on
Cisco Layer 3 switches; answer A is therefore incorrect.
10
MLS Optimization and Security
This chapter focuses on two areas: capturing traffic to optimize your network
and switch security features. The first half of this chapter is dedicated to the
SPAN feature of Catalyst switches. This feature enables you to capture traffic from one or more ports and redirect it to a port with a protocol analyzer
or probe attached to it. The captured information can then be analyzed to
assist you in troubleshooting and capacity planning.
The second half of this chapter covers some of the security features included with the IOS switching software. This includes basic security, such as
assigning passwords, restricting access, and authenticating users (AAA and
802.1x). It also includes restricting traffic between ports on the switch by
using VLAN access control lists (ACLs), port security, and private VLANs.
Performance
Networks will always experience problems. One of your goals is to make sure
that you maximize your performance while minimizing your problems. You
have to deal with three main issues while balancing networking performance
and problems: application performance, capacity planning, and fault
management.
The first thing you'll want to do is to develop a baseline of the performance
of your existing network. You need to document your existing network,
including the layout of your devices and their current operation, CPU and
buffer utilization, memory usage, and throughput. You also need to determine adequate response times for your users and their applications.
After building a baseline, you need to take the growth in your network into
consideration and perform capacity planning. You also need to use monitoring tools so that you can closely watch the operation of your network.
Monitoring tools can also be used to help troubleshoot networking problems
and issues, from connection problems to bandwidth issues.
The following sections discuss the use of the switched port analyzer (SPAN)
feature and the Network Analysis Module (NAM).
One nice feature of SPAN on Cisco's Catalyst switches is that it does not
affect the performance of the switch, which follows from how the switching
process in the switch works. For example, the Cisco 6000 moves a frame from
an interface to the bus. Any other switch port can move that frame from the
bus to the port's outbound buffer. The switching engine in the switch then
tells the interfaces that should not forward the frame to drop it, indicating
that the frame is not to be further processed by those interfaces. With SPAN,
there is no extra overhead involved in the switching process because the
frame is already copied into the buffer by the SPAN port.
SPAN enables you to capture traffic on one or more ports, including VLANs, and redirect it to a port with a protocol analyzer or probe connected to it. When capturing
traffic from a VLAN, this process is commonly referred to as VSPAN.
SPAN Types
There are two basic types of SPAN: local and remote. Local SPAN has interfaces on the local switch redirected to a local port with an analyzer connected to it. The local SPAN feature supports the mirroring of traffic from both
source ports and VLANs to one or more destination ports. If you're mirroring traffic in the inbound direction, it is called ingress SPAN. If you're mirroring traffic in the outbound direction, this is called egress SPAN. Remote
SPAN is discussed later.
SPAN Configuration
Before you set out to configure local SPAN on your Catalyst switch, you
should be aware of the following:
After you enable SPAN, all traffic from the associated ports is mirrored,
SPAN.
You cannot have both individual ports and VLANs as a source.
You cannot have VLANs as a source and perform filtering of VLANs.
Setting up SPAN is a two-step process: You must first specify which traffic to
mirror and then specify which interface is the SPAN port. Use this command
to specify the mirrored traffic:
Switch(config)# monitor session session_#
{source interface type/port_#}|{vlan VLAN_#}
[,|-|rx|tx|both]
After you've specified the mirrored traffic, you next need to specify the
SPAN port itself:
Switch(config)# monitor session session_# destination interface type/port_#
[encapsulation isl|dot1q]
The session number you specify here references the session number of the
source ports. You follow this with the destination interface. If the interface is
a trunk, you can optionally specify the encapsulation type (this is only for IOS
switches that support both trunking types). For the 2950, you don't need to
specify the trunking encapsulation because the 2950 supports only 802.1Q.
Here's a simple example of specifying the SPAN port for our previous monitoring session (1):
Switch(config)# monitor session 1 destination interface fastethernet0/5
Remote SPAN
Remote SPAN (RSPAN) is an extension of local SPAN. With local SPAN,
all the source and destination ports are on the same switch. With RSPAN,
these ports can be on different switches. This is very handy if you have only
a limited number of network analyzers or RMON probes, but still want to
see certain traffic across all your switches in an area.
RSPAN enables you to capture traffic on one switch, but redirect it to a port on another
switch.
RSPAN traffic is not flooded across your entire network, but is contained
within only those switches from the source port(s) to the destination. Third,
to reduce any STP issues, BPDUs are not mirrored with RSPAN. If you have
any performance issues with the amount of RSPAN traffic you're mirroring,
you can use ACLs to filter information that is sent to the destination port
with the analyzer or probe.
In this example, VLAN 100 is set up as the RSPAN VLAN:
Switch(config)# vlan 100
Switch(config-vlan)# remote-span
After you've configured your RSPAN VLAN, you must set up monitoring
for your source ports. This is the same command that you used in the local
SPAN configuration (monitor session source). After defining the source ports
on a switch, you have to specify the destination port. If the network analyzer or RMON probe is on a different switch, use the following command:
Switch(config)# monitor session session_# destination remote vlan VLAN_#
This command specifies the RSPAN VLAN used to carry the mirrored traffic to the destination.
The RSPAN VLAN traffic traverses trunk links. If performance is a problem, manually
prune this VLAN from your trunks and set up a dedicated access-link connection to
carry this traffic.
Here's a simple example where traffic from session 1 is sent out any interface(s) associated with the RSPAN VLAN:
Switch(config)# monitor session 1 destination remote vlan 100
On the switch that has the network analyzer or probe connected to it, use the
following configuration:
Switch(config)# monitor session session_# remote vlan VLAN_#
Switch(config)# monitor session session_# destination interface type/port_#
The first command specifies that traffic coming into the switch in the
RSPAN VLAN should be mirrored. That traffic is mirrored to the port specified by the second command.
Here's a simple example:
Switch(config)# monitor session 1 remote vlan 100
Switch(config)# monitor session 1 destination interface fastethernet0/5
It's important to point out that you do not have to configure anything special on intermediate switches that do not have any source ports; just make
sure that these switches have the RSPAN VLAN in their configuration.
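To tie the local SPAN and RSPAN commands together, here is an added Python helper (not from the book, and not a Cisco tool) that holds one session's parameters, checks them against the restrictions listed earlier (ports and VLANs cannot be mixed as sources, VLAN filtering only with port sources, exactly one destination, the destination cannot also be a source) and renders the monitor session lines for the source switch and, for RSPAN, for the switch with the analyzer. The SpanSession field names and the "monitor session N filter vlan ..." line are assumptions of this example; the other command forms follow the text.

```python
# Added example (not from Exam Cram): build and sanity-check a SPAN or RSPAN
# session before typing it into a Catalyst switch.  The SpanSession model and
# the "monitor session N filter vlan" line are assumptions of this example;
# the remaining monitor session forms follow the text.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SpanSession:
    session: int
    source_ports: List[str] = field(default_factory=list)   # e.g. "fastethernet0/1"
    source_vlans: List[int] = field(default_factory=list)
    direction: str = "both"                                  # rx | tx | both
    filter_vlans: List[int] = field(default_factory=list)    # only with port sources
    dest_port: Optional[str] = None                          # local SPAN destination
    rspan_vlan: Optional[int] = None                         # RSPAN VLAN (remote)
    encapsulation: Optional[str] = None                      # isl | dot1q (trunk dest)


def validate(s: SpanSession) -> List[str]:
    """Return the problems found; an empty list means the session is consistent."""
    problems = []
    if s.session < 1:
        problems.append("session number must be positive")
    if not s.source_ports and not s.source_vlans:
        problems.append("no source ports or VLANs")
    if s.source_ports and s.source_vlans:
        problems.append("cannot mix individual ports and VLANs as sources")
    if s.source_vlans and s.filter_vlans:
        problems.append("cannot filter VLANs when VLANs are the source")
    if s.direction not in ("rx", "tx", "both"):
        problems.append(f"bad direction {s.direction!r}")
    if (s.dest_port is None) == (s.rspan_vlan is None):
        problems.append("exactly one of dest_port or rspan_vlan is required")
    if s.dest_port and s.dest_port in s.source_ports:
        problems.append("destination port cannot also be a source port")
    if s.encapsulation not in (None, "isl", "dot1q"):
        problems.append(f"bad encapsulation {s.encapsulation!r}")
    vlans = s.source_vlans + s.filter_vlans + ([s.rspan_vlan] if s.rspan_vlan else [])
    for v in vlans:
        if not 1 <= v <= 4094:
            problems.append(f"VLAN {v} out of range")
    return problems


def render_source_switch(s: SpanSession) -> List[str]:
    """Global-config lines for the switch that owns the source ports or VLANs."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if s.rspan_vlan:
        lines += [f"vlan {s.rspan_vlan}", " remote-span"]
    for p in s.source_ports:
        lines.append(f"monitor session {s.session} source interface {p} {s.direction}")
    for v in s.source_vlans:
        lines.append(f"monitor session {s.session} source vlan {v} {s.direction}")
    if s.filter_vlans:   # assumed command form, not shown in the text
        lines.append(f"monitor session {s.session} filter vlan "
                     + ",".join(str(v) for v in s.filter_vlans))
    if s.rspan_vlan:
        lines.append(f"monitor session {s.session} destination remote vlan {s.rspan_vlan}")
    else:
        dest = f"monitor session {s.session} destination interface {s.dest_port}"
        if s.encapsulation:
            dest += f" encapsulation {s.encapsulation}"
        lines.append(dest)
    return lines


def render_analyzer_switch(s: SpanSession, analyzer_port: str) -> List[str]:
    """Lines for the remote switch where the analyzer or probe is attached (RSPAN only)."""
    if not s.rspan_vlan:
        raise ValueError("local SPAN needs no second switch")
    return [
        f"vlan {s.rspan_vlan}",
        " remote-span",
        f"monitor session {s.session} remote vlan {s.rspan_vlan}",
        f"monitor session {s.session} destination interface {analyzer_port}",
    ]


if __name__ == "__main__":
    rspan = SpanSession(session=1, source_ports=["fastethernet0/1"], rspan_vlan=100)
    print("\n".join(render_source_switch(rspan)))
    print("---")
    print("\n".join(render_analyzer_switch(rspan, "fastethernet0/5")))
```

Running validate() first is the point: a session that mixes port and VLAN sources, or that names the analyzer port as one of its own sources, is rejected before any command is produced.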
SPAN Verification
When you've configured SPAN or RSPAN, you can verify your configuration with this command:
Switch# show monitor session
This is an example of local SPAN, where the source ports are fa0/1-3 and the
destination port is fa0/5 (attached probe).
Initial Configuration
The purpose of this section is not to show you the complete configuration
process that you have to go through to set up a NAM. Instead, I'll cover the
very basic configuration steps pertaining to the NAM. After you have the
NAM up and running, most of the configuration is typically done via an
SNMP-based product, such as CiscoWorks 2000, and all the data gathering
is done from TrafficDirector or a similar RMON product.
Figure 10.1 NAM faceplate: PCMCIA LEDs, PCMCIA slots, shutdown button, system status LED, and hard drive LED.
As you'll notice in Figure 10.1, the NAM does not have external connections,
such as a console or Ethernet interfaces. Instead, all interaction with the NAM
is done across the backplane of the Catalyst 6000 Series switch.
To log in to the NAM, you first log in to your Catalyst switch and use the
following command:
Switch# session slot slot_# processor 1
You are then logged in to the NAM, where you'll be prompted for a username and password. To make configuration changes on the NAM, you'll
have to log in to the root account.
If you aren't sure which slot your NAM is located in, use the show module
command:
Switch# show module
Mod Ports Card Type                            Model             Serial No.
--- ----- ------------------------------------ ----------------- -----------
  2     2 Catalyst 6000 supervisor 2 (Active)  WS-X6K-SUP2-2GE   SAD04450LF2
  3    48 48 port 10/100 mb RJ-45 ethernet     WS-X6248-RJ-45    SAD03181469
  5     0 Switching Fabric Module (Active)     WS-C6500-SFM      SAD04420JR3
  6     2 Network Analysis Module              WS-X6380-NAM      SAD05130AXD
When you're in the NAM, you'll have to enable basic IP connectivity. Doing
so allows an external management device, such as TrafficDirector, to access
the NAM. Here's the basic IP configuration you should perform, shown in
Listing 10.1.
Listing 10.1 NAM IP Configuration Commands
root@localhost# ip
root@localhost# ip
root@localhost# ip
root@localhost# ip
root@localhost# ip
root@localhost# ip
You can check the resulting IP settings with the show ip command:
root@localhost# show ip
IP address: 172.16.254.8
Subnet mask: 255.255.255.0
IP Broadcast: 172.16.254.255
DNS Name: nam1.dealgroup.com
Default Gateway: 172.16.254.254
Nameserver(s): 172.16.253.2
root@localhost# snmp location descriptive_location_information
root@localhost# snmp contact name_of_a_contact_person
root@localhost# snmp name SNMP_name_of_NAM
root@localhost# snmp community string_value rw
root@localhost# snmp community string_value ro
If you experience connectivity problems with the NAM, reboot it and try
again.
After you've finished your IP configuration, you must enable the HTTP
server on the NAM:
root@localhost# ip http server enable
This enables you to access the NAM via a Web browser interface. You can
optionally use a secure HTTP server, but its configuration is beyond the
scope of this book. Please refer to the NAM reference in the Need to Know
More? section at the end of this chapter for additional information.
Autostart Configuration
Autostart is a NAM feature that enables you to gather RMON statistics of
the Catalyst 6000 switch that the NAM is installed in (without having to set
up SPAN). As soon as your switch is booted up and the NAM initializes, the
NAM can begin gathering these statistics. However, this function is disabled
by default. To enable it, use the following command:
root@localhost# autostart collection_name enable
The collection names you can specify include addressmap, art, etherstat,
priostats, and vlanstats. The art collection state is for gathering application
response time information based on sending and receiving data at the transport layer of the OSI Reference Model. This feature is not included with the
basic NAM module; it requires the purchase of an additional software
license. You can disable a collection name by using the keyword disable
instead of enable.
When you've either enabled or disabled a specific collection name, you'll
have to reboot the NAM.
The NAM can gather RMON statistics for the Catalyst switch it is installed in. The processing of traffic must be done by a remote RMON management station, such as
TrafficDirector.
Switch Configuration
After you've prepared the NAM for gathering traffic, you can set up the
Catalyst 6000 Series switch to interface with the NAM. This requires two
different configurations. First, you have to associate the NAM's IP address
with a VLAN. Second, you have to associate it as a destination port for
SPAN.
In Figure 10.1, you can see that the NAM doesn't have any physical interfaces. Instead, it has two logical interfaces: 0 and 1. Interface 0 is associated
with IP and interface 1 is associated with the SPAN function.
Because the NAM has an IP address, you'll want to associate the IP interface
with the VLAN where your management devices are located by using the
following configuration:
Switch(config)# interface gigabit slot_#/0
Switch(config-if)# switchport access vlan VLAN_#
In this example, gigabit 3/1 (the NAM's monitoring port) has traffic from
session 3 mirrored to it.
The NAM has two logical ports: 0 is for the IP addressing information and 1 captures
traffic.
What to Secure
With a basic security setup, you'll want to secure access to the EXEC modes
on the Catalyst switch. Listing 10.4 shows the basic commands to do so.
Listing 10.4 Basic Security Setup
Switch(config)# line console 0
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# access-class standard_ACL_# in
Switch(config-line)# exit
Switch(config)# access-list 1-99 permit source_address [wildcard_mask]
Switch(config)# enable secret Privilege_EXEC_password
Table 10.1 lists some other things you should do to secure your switch.
Table 10.1 Securing Your Switch
Security Component              Explanation
Login Warnings
Unnecessary Services
SNMP
SSH
Cisco Discovery Protocol (CDP)
Logging
Trunking
STP
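As an added example (not from the book, and not a Cisco utility), the Python script below reads an IOS running configuration and reports which of the Table 10.1 items and Listing 10.4 basics are missing: no enable secret, no login banner, HTTP server and CDP left enabled, no logging destination, read-write or well-known SNMP community strings, VTY lines without an access-class or SSH-only transport, interfaces still negotiating trunks with DTP, and PortFast ports without BPDU guard. Both configurations at the bottom are constructed samples, and the individual checks are this example's own choices of good practice rather than a list taken from the book.

```python
# Added example (not from Exam Cram): audit an IOS running configuration
# against the Table 10.1 items (login warnings, unnecessary services, SNMP,
# SSH, CDP, logging, trunking, STP) and the Listing 10.4 basics.  The two
# configurations below are constructed samples; the individual checks are
# this example's own choices of good practice, not a list from the book.
import re
from typing import Dict, List, Tuple


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and {interface/line header: [subcommands]}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        top.append(line)
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
    return top, blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings = []
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no enable secret protecting Privilege EXEC mode")
    if "service password-encryption" not in top:
        findings.append("line passwords stored in clear text")
    if not any(l.startswith("banner ") for l in top):
        findings.append("no login warning banner")
    if "no ip http server" not in top:
        findings.append("HTTP server not explicitly disabled")
    if "no cdp run" not in top:
        findings.append("CDP running globally")
    if not any(l.startswith("logging ") for l in top):
        findings.append("no logging destination configured")
    for l in top:
        m = re.match(r"snmp-server community (\S+) (ro|rw)", l)
        if m:
            community, mode = m.groups()
            if mode == "rw":
                findings.append(f"SNMP read-write community '{community}'")
            if community.lower() in ("public", "private"):
                findings.append(f"well-known SNMP community '{community}'")
    for header, body in blocks.items():
        if header.startswith("line ") and not any(b.startswith("login") for b in body):
            findings.append(f"{header}: no login")
        if header.startswith("line vty"):
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class restricting sources")
            if "transport input ssh" not in body:
                findings.append(f"{header}: telnet allowed (no 'transport input ssh')")
        if header.startswith("interface"):
            if any(b.startswith("switchport mode dynamic") for b in body):
                findings.append(f"{header}: DTP trunk negotiation enabled")
            if "spanning-tree portfast" in body and "spanning-tree bpduguard enable" not in body:
                findings.append(f"{header}: portfast without BPDU guard")
    return findings


SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname Switch
enable password cisco
service password-encryption
snmp-server community public ro
snmp-server community admin rw
logging 172.16.1.20
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/24
 switchport mode dynamic desirable
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 access-class 1 in
"""

HARDENED_CONFIG = """\
hostname Switch
enable secret 5 <hash-placeholder>
service password-encryption
banner motd ^Authorized use only^
no ip http server
no cdp run
logging 172.16.1.20
snmp-server community Mon1tor-RO ro
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
line con 0
 login
line vty 0 4
 login
 access-class 1 in
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The parser only understands the two-level layout of an IOS config (global commands plus indented interface and line subcommands), which is enough for these checks; the hardened sample produces no findings, the loose one produces nine.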
Authentication, Authorization, and Accounting
One of the problems with authentication in the previous section is that no matter who accesses your switch, that person uses the same password based on the
type of EXEC access she is attempting. For example, all administrators accessing Privilege EXEC mode must use the same password. First, this creates
accountability problems: You never know who made what changes on the
switch because you don't know specifically who logged in to the switch. Second,
you can't limit what an administrator does on the switch. Privilege EXEC access
is an all-or-nothing proposition. Third, it's difficult to manage your passwords.
If you need to change the Privilege EXEC password for administrator access,
you probably need to do it on all of your switches, which is cumbersome.
Overview of AAA
AAA centralizes authentication, authorization, and accounting functions and
solves the three problems just discussed. AAA breaks up security into three
components:
Authentication: Provides a means for identifying an individual and vali-
Enable AAA
Before I begin a discussion of how to implement AAA, I must mention that
the configuration information is a brief overview of setting up AAA. For a
more thorough discussion, review Cisco's SECUR materials (formerly
MCNS). The configuration of AAA on an IOS-based switch is actually the
same as configuring it on an IOS-based router. Please see the "Need to
Know More?" section at the end of this book for more information regarding AAA.
The very first thing you need to do is to activate AAA on your switch:
Switch(config)# aaa new-model
There are two basic ways that you can use AAA on your switch: have the
switch itself act as a security server or use an external security server, such as
Cisco Secure ACS. To configure the switch to hold usernames and passwords, use the username command:
Switch(config)# username users_name password password
The username command creates a users name and password that will be used
to authenticate access to the switch.
One major disadvantage of using the switch as a server is that, unfortunately,
it can only perform AAA functions for itself; it can't act as a server for other
devices. To use an external AAA server, you'll have to specify a security protocol to use, the AAA server itself, and a key used to authenticate access to the
server. There are two security protocols: TACACS+ (Cisco-proprietary) and
RADIUS (open-standard). The following commands accomplish this:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host AAA_servers_IP_address key string
Switch(config)# radius-server host AAA_servers_IP_address key string
The aaa new-model command enables AAA. The tacacs-server command specifies access to a TACACS+ server, and the radius-server command specifies
access to a RADIUS server.
Here's a simple example of using 192.168.1.5 as a security server:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.168.1.5 key ThisPasswordIsSecret
Authentication Configuration
When you've enabled AAA and either defined a local username database or
an external security server, you're ready to configure login authentication
and how it should be performed. This is accomplished with the aaa
authentication login command:
Switch(config)# aaa authentication login default|list_name method1 method2...
There are actually many things AAA can authenticate, but this book focuses
only on login authentication using the aaa authentication login command. If
you specify the default parameter, this command is used for all login authentication processes on the switch. You can override this by specifying a list
name and then, for specific type of access, referencing the list for authentication, like this:
Switch(config)# aaa authentication login telnet tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# login authentication telnet
Authorization
Authorization is used to restrict what tasks a user can perform after he is
authenticated. The aaa authorization command is used. You can again enable
authorization for many functions of the switch and router. However, I'm
going to discuss only three of them. Here's the command you should use to
enable authorization:
Switch(config)# aaa authorization exec|commands command_level|configuration
default|list_name method1 method2...
Accounting
AAA's accounting is used to keep track of what a user has done. Unlike
authentication and authorization, to keep track of AAA events, you must
have an external AAA security server. You can't record AAA events local to
the switch itself. Use the aaa accounting command to set up accounting:
Switch(config)# aaa accounting event_type record_method
default group tacacs+|group radius
Table 10.2 lists the types of events that you can capture accounting information for. Please note that there are more events in addition to those listed,
but Table 10.2 covers the most common ones.
Table 10.2 AAA Accounting Events
Event Name              Description
commands command_level
connection              Record an accounting event when someone tries to telnet from the switch to another device
exec
system
There are three ways the event can be recorded, as shown in Table 10.3.
After specifying the recording method, you need to specify the type of AAA
server: RADIUS or TACACS+.
Table 10.3 Accounting Recording Methods
Method       Action
stop-only
start-stop
wait-start   If the AAA server is not reachable, don't allow the user to perform the action; otherwise, act like start-stop.
Please note that the AAA information in this book provides a crash course on implementing AAA on an IOS-based switch. There are many more features and functions to
AAA in addition to those discussed here.
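The following added Python simulation (not from the book, and not Cisco code) puts the "Authentication Configuration" and "Accounting" sections side by side: a login method list such as group tacacs+ followed by local, walked with the server reachable and unreachable, and the three accounting record methods from Table 10.3 applied to one user action. The rule it models for method lists, namely that the next method is consulted only when the previous one could not be used (for example, the server was unreachable) and never when that method rejected the credentials, is standard IOS behaviour and the reason a list with no local or enable fallback locks you out when the server is down. The servers, users, passwords and class names are constructed for the demonstration.

```python
# Added example (not from Exam Cram): simulate an IOS login method list and
# the three accounting record methods with the AAA server up or down.  The
# servers, users and passwords are constructed; the class and function names
# are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AAAServer:
    protocol: str                                   # "tacacs+" or "radius"
    users: Dict[str, str]                           # username -> password (constructed)
    reachable: bool = True
    records: List[str] = field(default_factory=list)


@dataclass
class Switch:
    local_users: Dict[str, str] = field(default_factory=dict)    # 'username' commands
    enable_secret: Optional[str] = None
    servers: Dict[str, AAAServer] = field(default_factory=dict)  # "group tacacs+", ...


def try_method(sw: Switch, method: str, user: str, password: str) -> str:
    """Return PASS, FAIL (credentials rejected) or ERROR (method unusable)."""
    if method == "none":
        return "PASS"
    if method == "local":
        if not sw.local_users:
            return "ERROR"                          # no local database defined
        return "PASS" if sw.local_users.get(user) == password else "FAIL"
    if method == "enable":
        if sw.enable_secret is None:
            return "ERROR"
        return "PASS" if password == sw.enable_secret else "FAIL"
    srv = sw.servers.get(method)
    if srv is None or not srv.reachable:
        return "ERROR"                              # unknown group or server down
    return "PASS" if srv.users.get(user) == password else "FAIL"


def login(sw: Switch, method_list: List[str], user: str,
          password: str) -> Tuple[str, Optional[str]]:
    """Walk the list as 'aaa authentication login' does; return (result, deciding method)."""
    for method in method_list:
        result = try_method(sw, method, user, password)
        if result != "ERROR":
            return result, method                   # PASS or FAIL ends the walk
    return "FAIL", None                             # every method errored: denied


def account(sw: Switch, method: str, server_key: str, action: str,
            run) -> Tuple[bool, List[str]]:
    """Apply stop-only, start-stop or wait-start to one user action.

    run() performs the action.  Returns (performed, records the server got).
    Only wait-start refuses the action when the server cannot be reached; the
    other two let it proceed and simply lose the record.
    """
    srv = sw.servers[server_key]
    sent: List[str] = []

    def send(rec: str) -> bool:
        if srv.reachable:
            srv.records.append(rec)
            sent.append(rec)
            return True
        return False

    if method == "wait-start":
        if not send(f"start {action}"):
            return False, sent
    elif method == "start-stop":
        send(f"start {action}")
    elif method != "stop-only":
        raise ValueError(f"unknown accounting method {method!r}")
    run()
    send(f"stop {action}")
    return True, sent


if __name__ == "__main__":
    tac = AAAServer("tacacs+", {"alice": "pw1"})
    sw = Switch(local_users={"admin": "localpw"}, servers={"group tacacs+": tac})
    print(login(sw, ["group tacacs+", "local"], "alice", "pw1"))
    print(login(sw, ["group tacacs+", "local"], "admin", "localpw"))   # FAIL: server said no
    tac.reachable = False
    print(login(sw, ["group tacacs+", "local"], "admin", "localpw"))   # PASS via local
    print(login(sw, ["group tacacs+"], "admin", "localpw"))            # FAIL: nothing left
```

Note the second call: the local account exists, but because the TACACS+ server answered (with a rejection) the list never reaches local. Only when the server stops answering does the fallback method get a turn.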
Port Security
The port security feature is also known as MAC address lockdown and works
on access link ports; it is not supported on trunks. Likewise, not all Catalyst
switches support port security.
With Catalyst switches, by default, any address is allowed to be associated
with any particular port. In port security, a user's MAC address is associated
with a specific port. If a source MAC address other than those allowed is seen
off of the port, the switch can disable the port and turn the port's LED
to amber.
There are two ways that you can associate an address with a port with port
security:
Static: You manually assign which MAC addresses should be off of
which port.
Dynamic: You allow the switch to learn which address or addresses are
allowed to be off of a port, and then have the switch save them in its
permanent configuration.
Static configuration is not very manageable in a large network. Most administrators use the dynamic method, sometimes referred to as sticky learning.
With the dynamic method, between 1 and 132 MAC addresses can be dynamically learned from a port (you control the number of addresses). Dynamically
learned addresses are placed in the switch's configuration and saved. If the
switch is rebooted, the dynamically learned addresses will still be in the
switch's configuration.
Two things can cause a security violation:
When the switch has learned the maximum configured number of addresses,
any further addresses beyond that maximum are seen as security violations.
A MAC address associated with a secured port is seen off of another port.
When a security violation occurs, the switch can take one of the three actions
listed in Table 10.4.
Table 10.4 Security Violation Actions
Parameter   Action
protect
restrict
shutdown
To verify your port security configuration and operation, use the following
command:
Switch# show port-security [address|interface type slot_#/port_#]
Switch# show port-security
CurrentAddr   SecurityViolation   Security Action
(Count)       (Count)
10            0                   Restrict
1             0                   Restrict
In this example, you can see the maximum allowed secured addresses, the
current number, the number of violations, and the security action for each
port.
To view port security information for a particular interface, use the interface
parameter, like this:
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 10
Configured MAC Addresses: 1
Sticky MAC Addresses :9
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
In this example, you can see that nine addresses were learned via sticky learning
and one was statically configured.
To see the CAM table information related to port security, use the address
parameter, like this:
Switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------
Vlan  Mac Address     Type              Ports  Remaining Age
                                               (mins)
----  --------------  ----------------  -----  -------------
   1  0000.0a00.1234  SecureDynamic     Fa0/1
   1  0000.0a02.5678  SecureDynamic     Fa0/1
   1  0000.0200.1111  SecureConfigured  Fa0/1
<--output omitted-->
-----------------------------------------------------------
Total Addresses in System :10
Max Addresses limit in System :10
In this example, the first two addresses were learned via sticky learning and
the third one was statically configured.
Port security allows up to 132 devices to be secured on a port. If done dynamically,
it is called sticky learning. Use the switchport port-security command to configure
port security. There are three violation types: protect, restrict (default), and
shutdown (disables the interface).
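Here is an added Python model (not from the book, and not IOS code) of the behaviour this section describes: a port with static and sticky-learned secure addresses, the maximum-address limit, the two violation triggers (an address beyond the maximum, or an address already secured on another port) and the three violation actions, plus the interface configuration as it would be saved with the sticky addresses in it. The class and method names are this example's own, and running_config() uses the standard IOS switchport port-security subcommands, which the text mentions only by their first keyword; the frames in the test are constructed.

```python
# Added example (not from Exam Cram): a model of port security on access
# ports: static and sticky secure addresses, the maximum, the two violation
# triggers and the protect/restrict/shutdown actions.  Names are this
# example's own; the config output uses standard IOS port-security subcommands.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "restrict"                      # protect | restrict | shutdown
    static: Set[str] = field(default_factory=set)    # manually configured addresses
    learned: Set[str] = field(default_factory=set)   # sticky-learned addresses
    violations: int = 0
    status: str = "SecureUp"                         # SecureDown once err-disabled
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.maximum <= 132:
            raise ValueError("maximum secure addresses must be 1-132")
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if len(self.static) > self.maximum:
            raise ValueError("more static addresses than the maximum allows")

    def secure_addresses(self) -> Set[str]:
        return self.static | self.learned


class PortSecuritySwitch:
    def __init__(self, ports: List[SecurePort]):
        self.ports: Dict[str, SecurePort] = {p.name: p for p in ports}
        self.owner: Dict[str, str] = {}              # secure MAC -> owning port
        for p in ports:
            for mac in p.static:
                self.owner[mac] = p.name

    def receive(self, port_name: str, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame entering port_name."""
        p = self.ports[port_name]
        if p.status == "SecureDown":
            return "err-disabled"
        if src_mac in p.secure_addresses():
            return "forward"
        if src_mac in self.owner:                    # secured on a different port
            return self._violate(p, src_mac, "secured on " + self.owner[src_mac])
        if len(p.secure_addresses()) < p.maximum:
            p.learned.add(src_mac)                   # sticky learning, kept in config
            self.owner[src_mac] = port_name
            return "forward"
        return self._violate(p, src_mac, "over maximum")

    def _violate(self, p: SecurePort, mac: str, why: str) -> str:
        if p.violation == "protect":                 # drop quietly: no count, no log
            return "drop"
        p.violations += 1
        p.log.append(f"{p.name}: {mac} {why}")
        if p.violation == "restrict":                # drop, count and log
            return "drop"
        p.status = "SecureDown"                      # shutdown: err-disable the port
        return "err-disabled"


def running_config(p: SecurePort) -> List[str]:
    """Interface configuration as it would be saved, sticky addresses included."""
    lines = [f"interface {p.name}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {p.maximum}",
             f" switchport port-security violation {p.violation}",
             " switchport port-security mac-address sticky"]
    lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(p.learned)]
    lines += [f" switchport port-security mac-address {m}" for m in sorted(p.static)]
    return lines


if __name__ == "__main__":
    fa1 = SecurePort("fastethernet0/1", maximum=2, static={"0000.0200.1111"})
    fa2 = SecurePort("fastethernet0/2", maximum=1, violation="shutdown")
    sw = PortSecuritySwitch([fa1, fa2])
    for port, mac in [("fastethernet0/1", "0000.0a00.1234"),
                      ("fastethernet0/1", "0000.0a02.5678"),
                      ("fastethernet0/2", "0000.0a00.1234")]:
        print(port, mac, "->", sw.receive(port, mac))
    print("\n".join(running_config(fa1)))
```

The third constructed frame is the interesting one: 0000.0a00.1234 was sticky-learned on fa0/1, so when it appears on fa0/2 that port, configured for shutdown, goes err-disabled even though it had never reached its own maximum.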
Table 10.5 802.1X Port Modes
Authentication Mode   Description
auto
force-authorized
force-unauthorized
show dot1x
Authorized yes
802.1X authenticates the user through AAA (typically a RADIUS server) before the switch
opens the port to that user's traffic.
You should be familiar with standard and extended ACLs from your CCNA
studies. With standard and extended ACLs, you build a list of statements and
then apply the list to an interface. The configuration of VACLs is
conceptually different. First, you create a VACL map that specifies what
traffic to match on and what to do when there is a match. The VACL is then
activated for a VLAN or list of VLANs, or for one or more of the switch's
interfaces. Unlike a router ACL applied to an SVI, a VACL is applied to all
traffic in the VLAN, including traffic bridged between two ports in the same
VLAN, which a router ACL never sees.
There are three types of ACLs supported by Catalyst multilayer switches: router ACLs,
QoS ACLs, and VLAN ACLs.
VACL Configuration
To create a VACL map, use the configuration in Listing 10.8.
Listing 10.8 VACL Map Configuration
Switch(config)# vlan access-map name_of_map [sequence_#]
Switch(config-access-map)# match ip address {1-199 | 1300-2699 | ACL_name}
Switch(config-access-map)# match ipx address {800-999 | ACL_name}
Switch(config-access-map)# match mac address ACL_name
Switch(config-access-map)# action {drop [log]} | {forward [capture]} |
                                  {redirect {type slot_#/port_# | port-channel channel_#}}
can be used with SPAN. The redirect action has two forms: redirect
matching traffic to a specific interface, or to an EtherChannel.
VACL Activation
After you've created your VACL map, activate it with the following command:
Switch(config)# vlan filter VACL_map_name
{vlan-list vlan_list | interface type slot_#/port_#}
Notice that with this command you can activate a VACL on a VLAN or list
of VLANs, or on a specified interface. You can use the interface option only
for WAN interfaces installed in a Catalyst 6500. Listing 10.9 shows a simple example.
Listing 10.9 Using the vlan filter Command
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# vlan access-map VMAP 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter VMAP vlan-list 5
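The match/action semantics of a vlan access-map are easy to get backwards: a deny entry in the referenced ACL does not drop the packet, it only means "this sequence does not match", and evaluation moves on. The following Python is an added example, not code from the book, that models the evaluation order and reproduces Listing 10.9, then extends it with a hypothetical QUARANTINE map that uses exactly that fall-through to single out one host. The implicit drop when nothing matches, and the "no match clause matches everything" rule, are stated assumptions about switch behaviour.

```python
"""Evaluate a vlan access-map the way the switch does (added example).

Assumptions, stated here because the book does not spell them out: entries are
tried in ascending sequence number; an entry matches when its standard ACL
*permits* the packet's source (an ACL deny means "not this entry", so evaluation
continues); an entry with no match clause matches everything; and a packet that
matches no entry is dropped. Wildcard masks are IOS-style (0 bit = must match).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: bits that are 0 in the mask must match the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class StandardAcl:
    """Ordered (permit|deny, network, wildcard) entries with the implicit deny."""
    entries: List[Tuple[str, str, str]]

    def permits(self, src: str) -> bool:
        for action, net, wc in self.entries:
            if wildcard_match(src, net, wc):
                return action == "permit"
        return False


@dataclass
class MapEntry:
    seq: int
    acl: Optional[str]   # ACL referenced by 'match ip address'; None = no match clause
    action: str          # 'forward' or 'drop'


@dataclass
class VlanAccessMap:
    name: str
    entries: List[MapEntry] = field(default_factory=list)

    def decide(self, src: str, acls: Dict[str, StandardAcl]) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence) for a packet from src."""
        for e in sorted(self.entries, key=lambda x: x.seq):
            if e.acl is None or acls[e.acl].permits(src):
                return e.action, e.seq
        return "drop", None   # implicit drop when no entry matches (assumption)


def listing_10_9() -> Tuple[VlanAccessMap, Dict[str, StandardAcl]]:
    """Listing 10.9: ACL 1 permits 192.168.1.0/24; VMAP 10 forwards what ACL 1 permits."""
    acls = {"1": StandardAcl([("permit", "192.168.1.0", "0.0.0.255")])}
    vmap = VlanAccessMap("VMAP", [MapEntry(10, "1", "forward")])
    return vmap, acls


def quarantine_host_map() -> Tuple[VlanAccessMap, Dict[str, StandardAcl]]:
    """Hypothetical extension: ACL 2 denies one host, then a catch-all drop.

    Because an ACL deny is 'no match' rather than 'drop', the denied host falls
    through sequence 10 and is caught by sequence 20, while the rest of the
    subnet is forwarded at 10.
    """
    acls = {"2": StandardAcl([("deny", "192.168.1.99", "0.0.0.0"),
                              ("permit", "192.168.1.0", "0.0.0.255")])}
    vmap = VlanAccessMap("QUARANTINE", [MapEntry(10, "2", "forward"),
                                        MapEntry(20, None, "drop")])
    return vmap, acls


if __name__ == "__main__":
    vmap, acls = quarantine_host_map()
    for src in ("192.168.1.20", "192.168.1.99", "10.0.0.5"):
        print(src, vmap.decide(src, acls))
```

Run it and note that 192.168.1.99 is dropped by sequence 20, not by the ACL's deny line; if you had written only sequence 10, the implicit drop would still catch the host, but adding an explicit final drop (optionally with log) makes the intent visible in the configuration.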
Private VLANs
VLANs are used to group ports together in a broadcast domain. Private
VLANs (PVLANs) provide Layer 2 isolation between devices within the same
private VLAN. At first this sounds contradictory. The best way to look at it
is as a broadcast domain in which rules dictate which devices may exchange
traffic; private VLANs are the mechanism that enforces those rules.
For example, you might have a group of devices that you want in the same
broadcast domain (and therefore the same IP subnet), but you want to limit
what each of these devices can reach within that domain. One solution would
be ACLs, but per-host ACLs scale poorly in a dynamic, growing network, and
a router ACL never sees traffic switched directly between two hosts in the
same VLAN. PVLANs, on the other hand, enforce the rules in the switch
forwarding path. In our example, you might have a server farm and users
accessing the server farm. The rules are that the servers may communicate
with each other and with the users, while the users may communicate only
with the servers, not with each other. PVLANs provide exactly this kind of
cookie-cutter Layer 2 separation within a single broadcast domain.
PVLANs provide Layer 2 isolation between devices within the same private VLAN.
Advantages
PVLANs provide the following advantages:
Devices stay in the same broadcast domain and keep their existing logical (IP)
addresses, so isolation is added without re-subnetting or consuming extra
address space.
VLAN integrity is maintained across trunks: primary and secondary VLANs are
carried as ordinary VLANs, so the isolation holds between switches.
Remember the advantages that PVLANs provide.
Components
There are two sets of components in private VLANs: PVLAN types and port
types. There are two PVLAN types: the primary PVLAN, which carries traffic
from the promiscuous ports toward the hosts and ties the secondary PVLANs
together, and secondary PVLANs, which carry traffic from the hosts and
separate them from one another.
In addition to the two PVLAN types, there are three types of ports:
Promiscuous: Can communicate with all ports in the PVLAN; these are
typically the ports to the default gateway, a firewall, or a shared server.
Community: Can communicate with other ports in the same community as
well as with a promiscuous port; these are typically user and/or server ports
that need to reach each other.
Isolated: Can communicate only with a promiscuous port, never with another
isolated port, even one in the same secondary VLAN; these are typically user
ports, or server ports that must be kept apart.
Primary PVLANs contain the promiscuous ports. These ports provide
connectivity between devices in the PVLAN where the rules allow it.
Community and isolated ports belong to secondary PVLANs.
One caveat to keep in mind: PVLANs isolate only at Layer 2. An isolated host
can still reach another isolated host by addressing the packet to the router
on the promiscuous port, which will route it straight back into the same
subnet unless an ACL on that router interface blocks it.
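The three port rules above are small enough to model exactly, which is useful when reviewing a PVLAN design before it is configured. The following Python is an added example, not code from the book; it encodes the rules, computes the reachability of every host in the figure, and checks the one configuration step that silently breaks a design, a host port bound to a secondary VLAN that was never associated with its primary. The host names and VLAN numbers follow the figure; the "Router" on the promiscuous port is an assumption.

```python
"""Layer 2 reachability between private-VLAN ports (added example, not book code).

Implements the three rules from the text: a promiscuous port talks to every
port in its primary PVLAN; community ports talk to the same community and to
promiscuous ports; isolated ports talk only to promiscuous ports. Ports in
different primary PVLANs never talk. Host names and VLAN numbers follow the
figure; "Router" on the promiscuous port is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str
    primary: int
    secondary: Optional[int] = None   # None for promiscuous ports


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if the switch forwards frames directly between the two ports."""
    if a.primary != b.primary:
        return False
    if PROMISCUOUS in (a.kind, b.kind):
        return True
    if a.kind == COMMUNITY and b.kind == COMMUNITY and a.secondary == b.secondary:
        return True
    return False   # isolated ports, or two different communities


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """Per port, the sorted names of the other ports it can reach."""
    return {p.name: sorted(q.name for q in ports if q is not p and can_talk(p, q))
            for p in ports}


def unassociated(ports: List[PvlanPort], associations: Dict[int, Set[int]]) -> List[str]:
    """Host ports whose secondary VLAN is not associated with their primary.

    This is the misconfiguration the 'private-vlan association' step prevents:
    a host port bound to an unassociated secondary VLAN is left inactive.
    """
    return sorted(p.name for p in ports
                  if p.secondary is not None
                  and p.secondary not in associations.get(p.primary, set()))


FIGURE_PORTS = [
    PvlanPort("Router", PROMISCUOUS, 100),
    PvlanPort("PC-A", COMMUNITY, 100, 102),
    PvlanPort("PC-F", COMMUNITY, 100, 102),
    PvlanPort("PC-B", ISOLATED, 100, 101),
    PvlanPort("PC-C", ISOLATED, 100, 101),
    PvlanPort("PC-D", ISOLATED, 100, 101),
    PvlanPort("PC-E", ISOLATED, 100, 101),
]

if __name__ == "__main__":
    for name, peers in reachability(FIGURE_PORTS).items():
        print(f"{name:7} -> {', '.join(peers) or '(none)'}")
    print("unassociated:", unassociated(FIGURE_PORTS, {100: {101}}))
```

The reachability table is what you should compare against the written requirement (servers talk to each other and to users, users talk only to servers); remember that it describes Layer 2 only, and that the router on the promiscuous port needs its own ACL if isolated hosts must not reach each other via routing either.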
[Figure: Private VLAN example. A distribution layer switch with a promiscuous port in primary VLAN 100, connected by trunks to two access layer switches. Secondary VLAN 102 (community) holds PC-A and PC-F; secondary VLAN 101 (isolated) holds PC-B, PC-C, PC-D, and PC-E.]
Creating PVLANs
After you've placed your switch in VTP transparent mode (VTP versions 1 and 2
cannot propagate private VLANs), you're ready to create your PVLAN:
Switch(config)# vlan VLAN_#
Switch(config-vlan)# private-vlan primary|isolated|community
First, create a VLAN with the vlan command, and then specify the PVLAN
type with the private-vlan command. The isolated and community parameters
specify that the PVLAN is a secondary PVLAN.
Given our example in Figure 10.1, the configuration would look like that
shown in Listing 10.10 on the three switches.
Listing 10.10 PVLAN Example
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
After youve created all of your primary and secondary PVLANs, you must
associate the secondary PVLANs with their respective primary PVLANs.
This is accomplished by going into the primary PVLAN and using the
private-vlan association command, shown in Listing 10.11.
Listing 10.11 PVLAN Association Configuration
Switch(config)# vlan VLAN_#_of_primary_PVLAN
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association secondary_PVLAN_#(s)
Switch(config-vlan)# private-vlan association add secondary_PVLAN_list(s)
Switch(config-vlan)# private-vlan association remove secondary_PVLAN_list(s)
The first association command specifies the list of secondary PVLANs that
are associated with this primary PVLAN. By using the add parameter, you
can add other secondary PVLANs to your existing list. The remove parameter
removes secondary PVLANs from the association. To list multiple PVLANs,
separate them with commas, like so: 105, 108, 110. You can also use a range
by specifying the beginning PVLAN number, immediately followed by a dash,
and then the ending PVLAN number; for example: 100-102. You can also mix
the two forms, like 100-102, 105, 108, 110.
Going with our previous example shown in Figure 10.2, here's the association
configuration:
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101-102
You can verify the result with the show vlan private-vlan command:
Switch# show vlan private-vlan
Primary Secondary Type       Interfaces
------- --------- ---------- ----------
100     101       isolated
100     102       community
The switchport mode command (switchport mode private-vlan host) specifies that
this is a secondary PVLAN host port. The switchport private-vlan host-association
command specifies the primary PVLAN this port is associated with and the
secondary PVLAN assigned to it.
If the interface is a Layer 3 interface (an SVI performing routing for the
primary VLAN), map the secondary PVLANs to it with the following:
Switch(config)# interface vlan VLAN_#
Switch(config-if)# private-vlan mapping secondary_VLAN_list
Summary
SPAN enables you to capture traffic on one or more ports, including
VLANs, and to redirect the captured traffic to a port with a protocol analyzer or probe connected to it. RSPAN has the destination port located on a
different switch. You can capture traffic from Layer 2 and Layer 3 interfaces,
including EtherChannels. Use the monitor session command to set up SPAN.
The NAM is an RMON probe that fits into the chassis of a Catalyst 6500
switch. It has no physical ports, but two logical ports. It requires an RMON
management station to process the captured traffic.
You should assign passwords to your switch with the password and enable
secret commands (enable secret stores a hash; the older enable password is
only weakly obfuscated), and restrict Telnet access with the access-list and
access-class commands.
You can implement AAA (authentication, authorization, and accounting) to
create a more robust security solution. AAA can be performed by the switch
or by an external security server running TACACS+ or RADIUS. 802.1X
can be used to authenticate users before they're allowed access to the
switched network. Until authenticated, the user's port allows only EAPOL
authentication traffic; all other traffic is dropped.
Port security can be used to lock down which users are allowed to connect
to which ports. This can be done statically or dynamically. You can have a
maximum of 132 secured addresses associated with a port. Use the switchport
port-security command to enable port security. If the switch port is disabled
because of a security violation, it is placed in the err-disabled state and
its LED turns amber.
VACLs enable you to filter VLAN traffic. You create a VLAN map with the
vlan access-map command. This map specifies matching traffic (match command)
and the action to perform when a match occurs (action command). The VACL is
then activated with the vlan filter command.
Answer C is correct. The source ports from which you can capture traffic
include Layer 2, Layer 3, and EtherChannel interfaces. Answers A and B are
incorrect because both are supported. D is incorrect because you can't capture
traffic from a specific interface in a channel, only from the entire channel.
Question 2
Enter the switch command to display the slot the NAM is installed in:
___________.
The answer is show module.
Question 3
You want to restrict Telnet access to the switch based on source addresses.
What command would you use to activate your restrictions on your VTYs?
A. password
B. access-group
C. vacl-filter
D. access-class
Question 4
Enter the switch command to enable AAA: __________.
The answer is the aaa new-model command.
Question 5
With port security, up to _________ addresses off a port can be secured.
A. 1
B. 10
C. 64
D. 132
Question 6
The IEEE ______ standard defines user authentication for switch port access
using EAPOL for communication.
A. 802.1D
B. 802.1X
C. 802.11
D. 802.3Z
Question 7
Which is not an ACL type supported by Layer 3 switches?
A. Private ACL
B. Router ACL
C. VLAN ACL
D. QoS ACL
Question 8
Which PVLAN port type is supported only in a secondary PVLAN?
A. Restricted
B. Promiscuous
C. Secured
D. Community
Answer D is correct. Community and isolated ports are associated with secondary PVLANs. Answers A and C are incorrect because they are not
PVLAN port types. Answer B is incorrect because promiscuous ports are in
primary PVLANs.
Question 9
You have an isolated port in a primary PVLAN. What other ports can it talk to?
A. Promiscuous
B. Isolated
C. Community
D. None of these
Question 10
Which command enables port security on a switch?
A. switchport secure
B. switchport port-security
C. port-security
D. security
11
Metro Ethernet
Until recently, most WAN and MAN (metropolitan area network) connections required you to use WAN connection services, such as Frame Relay,
ATM, and dedicated leased lines. There are problems with deploying these
solutions, though. First, you must use some type of Layer 3 device that supports these WAN connections. This means that for a MAN you cannot connect an Ethernet switch at one site directly to an Ethernet switch at a
remote site; you're forced to purchase a router. Second, you're introducing
delay into your traffic streams because your Layer 3 device must encapsulate
your users' data in a different Layer 2 frame format. This can create problems for delay-sensitive traffic such as voice and video.
To deal with these and other problems, carriers have developed MAN solutions that fit more easily into a customer's network. Basically, carriers allow
their customers to send Ethernet frames into the carrier's network. However,
this presents the carrier with two problems: how Ethernet frames should be transferred over a Layer 2 transport that is not typically used for Ethernet, and how
the carrier should establish and maintain these connections for hundreds of
customers at a time. This chapter focuses on the problems and solutions that
carriers use to transport Ethernet across their MAN backbones.
333 Metro Ethernet
Cisco provides both Catalyst switch and router solutions. Routers are sometimes used when complex queuing mechanisms are required or when you
already have a router in place that performs the connectivity job adequately.
Table 11.1 Cisco Metro Solutions
Feature                        Catalyst 3550   Catalyst 4000   Catalyst 6500   7600 Router
Maximum ports                  96              240             576             Flexible
Forwarding rate (pps)          13 million      24 million      210 million     Hardware dependent
Bandwidth policing             Yes             No              Yes             Yes
Rapid Spanning Tree (RSTP)     Yes             Yes             Yes             Yes
UplinkFast and BackboneFast    Yes             Yes             Yes             Yes
Port security                  Yes             No              No              No
UDLD                           Yes             Yes             Yes             Yes
Jumbo frames                   Yes             Yes             Yes             Yes
EtherChannels                  Yes             Yes             Yes             Yes
Services
Ethernet is set up over SONET services by carriers that offer MAN services. Carriers use SONET because of its flexibility in transporting
multiple services, such as Ethernet and ATM, and because of its ability to
reach across long distances. For a company with a large Ethernet infrastructure, this makes it easy to extend Ethernet connectivity across a carrier's
network to other remote sites. This can be done using either routers or
switches. For smaller companies, this reduces the number of Layer 3 devices
needed because Layer 2 Ethernet switches can be used for the MAN
connections. Therefore, you don't need to deploy a separate router at each
site, but only where one is necessary.
When using Ethernet as a MAN solution, you should consider the following
five items:
Cost
Scalability
Transparency
Level of service
Connection type
When choosing a MAN service, consider cost, scalability, transparency, level of
service, and the type of connection needed.
One of the foremost items you should consider is how cost-effective an
Ethernet service is for MAN connectivity. When evaluating costs, you
should examine both the equipment costs and the ongoing connection
and maintenance costs.
The second thing you should consider is scalability. Scalability is not an issue
when you're connecting a small number of sites together across a MAN.
However, you should weigh how scalable a service provider's solution is if
your network is dynamic and/or growing. From a dynamic perspective, how
easy and quick is it to connect to the carrier? How fast can the service
provider change services for you if your bandwidth needs change?
The third item you should consider is transparency. One of the main reasons
customers enjoy Ethernet services in a MAN environment is that the MAN
is treated as a transparent network; it's invisible to the customer's equipment, whether that equipment is a switch or a router. In other words, the
service provider creates a logical connection between two or more peering
devices. From the customer's perspective, it appears that the equipment is
directly connected via the same physical layer connection. If you
want multiple devices (Layer 2 or Layer 3) to appear to be on the same segment, the service provider makes it appear that these devices are connected
via a hub, even though the carrier is typically using other methods to provide
this connectivity.
The fourth item you should consider is level of service. As you saw in
Chapter 9, "Quality of Service," Cisco's switches can support a level-of-service infrastructure, favoring some types of traffic over others by enforcing
Quality of Service (QoS) policies. Based on the behavior and needs of your
traffic, you should choose a service provider that can meet those needs.
The last item you should consider is the type of connection that you'll need
across the MAN. There are two basic types of connections: point-to-point
and multipoint. Point-to-point connections are very common in WAN and
MAN environments because they are simple for the service provider to set
up. However, there might be situations in which you want the
provider's network to appear as a hub, where all your edge MAN devices
appear to be directly connected together. If this is the case, you'll need to
choose a MAN provider that can deal with issues such as trunking between
devices as well as maintaining your STP topology; both of these issues
should be handled transparently by the service provider. The next section
covers the two different services that providers use for these connections:
Transparent LAN services
Directed VLAN services
placing them in a provider's VLAN. This is used to separate your traffic from
other customers' traffic. However, one serious limitation that the service
provider faces is the number of VLANs that its switches can support. With
802.1Q, the VLAN ID field allows 4,096 values. Therefore, the service provider wouldn't
be able to support more than 4,096 customers with this implementation.
802.1Q functions at Layer 2. Multiprotocol Label Switching (MPLS) also
allows tunneling of information across a carrier's backbone; MPLS label-switches
packets between Layer 2 and Layer 3 (it is often described as Layer 2.5). Both solutions are covered later.
However, even given these problems, TLS does have a place in a network
design. If you have only a small number of sites that need to be connected
and not much traffic is sent between sites, TLS provides an excellent fit.
[Figure 11.1: Transparent LAN service. Switch 1, Switch 2, and Switch 3 each connect to a service provider switch over an access link.]
[Figure 11.2: Directed VLAN service. Switch 2 (VLANs 10 and 20), Switch 3 (VLANs 20 and 30), and Switch 4 (VLANs 10 and 30) each connect to the service provider switch over an 802.1Q trunk.]
You can use two basic design approaches for connectivity: put a router at a
single location for inter-VLAN routing, or put a router at each location.
Because DVS uses trunks, it's safe to assume that you have multiple VLANs
in your network. Therefore, you'll need some type of Layer 3 device to handle
inter-VLAN traffic. If you have a router at only a single location, inter-VLAN
traffic from other sites will have to travel across the MAN to be routed, as
shown in Figure 11.3. This is an example of a hub-and-spoke design.
In this example, for VLAN 1 off of Switch 1 to reach VLAN 2 off of Switch 2,
the traffic must be sent across the MAN to the router to be routed. In addition,
broadcast traffic that occurs at remote sites will have to traverse the MAN.
For example, a broadcast in VLAN 1 will be sent to all your devices connected to the MAN: the router, Switch 1, Switch 2, and Switch 3. For multicast traffic, this can seriously affect your performance.
If you place a router at each site, you're increasing your equipment costs.
Therefore, you'll have to look carefully at your traffic characteristics when
deciding how many routers to purchase and where they should be installed.
One concern with DVS is that the carrier switch that is connected to your
switch must know what VLANs are being used in your network so that
PVST+ and pruning can be implemented efficiently. This brings up a problem: if a carrier's network supports only 4,096 VLANs with 802.1Q, and
each customer has about 100 VLANs, only 40 customers could be supported
in the carrier's network. From a carrier's point of view, this is even more limiting than TLS. However, as you'll see later in this chapter, Cisco can tunnel
802.1Q trunking information between two sites. This allows the carrier
switches to tunnel your VLAN information inside the carrier's tagged frames,
which enables the carrier to keep different customers' traffic separate while
still maintaining the VLAN infrastructure you've built for your own network.
[Figure 11.3: Hub-and-spoke DVS design. A router, Switch 1 (VLAN 10), Switch 2 (VLAN 20), and Switch 3 (VLAN 30) each connect to the service provider switch over a trunk.]
Delivery Mechanisms
When a service provider designs a MAN solution, the physical layer is
fiber cabling. There are many solutions that the carrier could use on
the fiber to transport Ethernet between a customer's various sites.
However, the carrier typically doesn't use a physical layer implementation of
Ethernet. Instead, the carrier uses SONET, dense wavelength division multiplexing (DWDM), or coarse wavelength division multiplexing (CWDM). The following sections briefly cover these three implementations.
[Figure 11.4: Ethernet over SONET. CPE Switch 1, CPE Switch 2, and CPE Switch 3 each attach to an ONS 15454; the four ONS 15454 nodes form a SONET ring.]
In the example shown in Figure 11.4, the solid lines indicate the physical
connections, and the dotted lines indicate the logical connections. Notice that
from the customer premises equipment (CPE) switch's perspective, it looks
like a hub-and-spoke design, with a provider switch in the middle. Cisco's
ONS 15454 switches can provide 802.1Q trunk or access link connections to
the user, and transfer Ethernet frames around the ring using SONET.
SONET is generally available in MAN services, supports multiple connection types (such as Ethernet, ATM, IP, and leased circuits), and has built-in
redundancy. However, SONET does have its drawbacks. It supports bandwidth only in increments of 51.84 Mbps (STS-1), which is typically more bandwidth than a customer needs, so the provider's bandwidth is used inefficiently.
In addition, SONET was not developed for carrying Ethernet traffic: it was
developed for TDM voice circuits. Also, as part of its redundancy
mechanism, one ring sits idle, which is a waste of bandwidth.
The dual ring mechanism has one huge advantage: redundancy. For example, imagine a situation in which a carrier employee accidentally damages a fiber connection in
the ring during a maintenance check. In that case, the ring would wrap and maintain connectivity, causing little, if any, disruption for customers.
SONET, which uses fiber-optic cabling, can carry multiple transports, including
Ethernet, IP, ATM, and other services. It supports a dual-ring topology for redundancy.
Its main disadvantage is that it uses bandwidth inefficiently.
Two transmission windows are used with DWDM: 1310 nanometer (nm) and 1550
nm. These figures are the wavelengths at which the lasers transmit. 1310 nm
transmission is more popular in short-distance environments, such as
MANs, because of its lower cost. 1550 nm transmission costs more, but can
span longer distances. Both types of transmission support redundancy.
With DWDM, point-to-point connections are built between sites. The CPE
typically connects to the carrier via Fast or Gigabit Ethernet, and the carrier uses an optical switch to place the Ethernet frames onto a wavelength.
From the CPE's perspective, the two devices connected across the MAN appear to be directly connected to each other via a point-to-point Ethernet link. And because point-to-point connections are
used, as long as you use a hub-and-spoke design (no Layer 2 loops), you
should not have to deal with STP issues across the MAN.
Cisco supports two DWDM products: ONS 15200 and ONS 15540. Cisco's
product provides the following advantages: low cost for connecting
to buildings with a small number of customers; no requirement for Gigabit
Ethernet connectivity within the carrier's network; and ease of installation,
testing, and maintenance.
DWDM's advantages include high data rates (Gbps) and scalability, easy
setup, transparency to the CPE, and optical protection (similar to SONET).
However, DWDM needs its own fiber and cannot run over
SONET. Therefore, if you're already using a SONET connection for voice
and want to integrate data, you'll have to do it on different fiber. In that
situation, you'll need to hope that the carrier has some spare dark fiber for
your data connection. Dark fiber is extra fiber that the carrier has run but is
not currently using.
CWDM uses optical add/drop multiplexers (muxes) to provide the physical ring topology. These multiplexers are connected to the ring, and the customer's equipment is then connected to the multiplexer.
Instead of deploying expensive 10Gb Ethernet connections that would
require DWDM, CWDM enables you to deploy multiple 1Gb Ethernet connections that you can bundle into an EtherChannel. CWDM is supported by
the Catalyst 6500, 4000, 3550, and 2950 switches as well as the ONS 154xx
and 153xx optical switches. Cisco switches support 8 CWDM wavelengths.
DWDM supports multiple wavelengths on a single strand of fiber (up to
200). It supports very high data rates (Gbps). One advantage that it has over SONET
is that SONET uses TDM, which wastes bandwidth. CWDM is a last-mile technology
and supports up to 8 wavelengths. It is used for short distances, such as
customers located in the same building.
802.1Q Tunneling
A carrier can use four methods to transport your Ethernet frames between
MAN sites:
Access link
802.1Q
802.1Q tunneling (802.1Q-in-Q, or Q-in-Q for short)
Ethernet over MPLS (EoMPLS) using Layer 3 tunneling
Access links and 802.1Q were discussed previously. The access link method
is equivalent to TLS and is typically implemented using SONET. One problem with access link connections is that they don't scale: the service provider
is limited to 4,096 802.1Q VLANs on its trunk, which limits the number of
customers it can support. Another problem with access links is that they
become more difficult for a service provider to manage as you continually
add MAN connections. The more connections you have, the more impact
they have on the provider's network. Your connected switches flood
broadcasts and multicasts into the carrier's network. And because the carrier
typically uses SONET, it becomes difficult for the carrier to implement service level agreements and traffic policing.
The 802.1Q method is equivalent to DVS. As a service provider MAN transport method, 802.1Q actually provides many advantages. First, it is cost-effective and can easily be integrated into an existing network. Because
connectivity within a customer is done within a VLAN or VLANs, it is easy
Overview
Before I begin discussing the Q-in-Q transport method, I'd like to quickly
refresh you on some important aspects of 802.1Q itself, because Q-in-Q relies solely on 802.1Q for transporting your information across the MAN.
Recall from Chapter 3, "VLANs, Trunks, and VTP," that 802.1Q is a trunking mechanism. For trunk connections, there are two types of frames: tagged
and untagged. Untagged frames are associated with the native VLAN. These
frames are unmodified Ethernet frames. Tagged frames carry VLAN information in a 4-byte tag inserted into them. Given these supported framing types, 802.1Q and normal Ethernet devices can coexist on
the same segment. The native VLAN is also the basis of the double-tagging
VLAN hopping attack, so never carry user traffic on a trunk's native VLAN.
For tagged trunk connections, 802.1Q inserts a 4-byte value between the
source MAC address and the length or type field of the Ethernet frame. This
4-byte value contains two components: a 2-byte TPID field (0x8100) and a 2-byte
TCI field. The TCI field's first 3 bits are used to assign a priority (802.1P),
the next bit is the canonical format indicator, and the last 12 bits are the VLAN
identifier (4,096 values can be specified here). When this 4-byte
value is inserted, the maximum frame length grows to 1522 bytes. And
because the frame is modified, 802.1Q devices recompute the FCS
(checksum) value at the end of the frame.
802.1Q actually specifies much more than just the frame encapsulation. It
also includes the Generic Attribute Registration Protocol (GARP), 802.1P
QoS tagging, and STP enhancements.
802.1Q inserts a 4-byte value between the source MAC address and the length/type
field: a 2-byte TPID and a 2-byte TCI. The first 3 bits of the TCI field carry the
priority (802.1P), 1 bit is the CFI, and the last 12 bits are the VLAN ID (4,096 values).
Encapsulation Process
Let's look at the encapsulation process used in tag stacking. I'll use Figure
11.5 as an example. At the top of the figure is the user's original Ethernet
frame. When this frame enters your switched network and traverses your internal 802.1Q trunks, it is tagged with your own VLAN information, as
shown in the middle part of the figure.
Figure 11.5 Tag stacking
Original Ethernet frame:
  Destination MAC | Source MAC | Length or Type | Data | Original FCS
Tagged on your internal 802.1Q trunk:
  Destination MAC | Source MAC | Your Tag | Length or Type | Data | Your New FCS
Tagged again by the service provider (Q-in-Q):
  Destination MAC | Source MAC | SP's Tag | Your Tag | Length or Type | Data | SP's FCS
When this frame traverses an 802.1Q trunk and is received by the provider,
the provider inserts its own tag before yours and recomputes a new FCS. This
is shown in the bottom part of Figure 11.5. The provider's tag has the same
4-byte TPID plus TCI format described in Chapter 3. At this point, the frame has
two tags: the provider's and your own. The service provider uses only its own
(outer) tag to make switching decisions inside its network; your tag is carried
as opaque payload.
Before the frame leaves the provider's network, the provider strips off its tag
and recomputes the FCS value. When your remote network receives this
frame, it appears exactly as it did when it left the other side of your network.
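The tag insertion, stacking and stripping just described are mechanical enough to show byte for byte. The following Python is an added example, not code from the book, that builds a constructed Ethernet frame, pushes your tag and then the provider's tag exactly as in Figure 11.5 (recomputing the FCS each time), lists the tags outermost first, and pops the provider's tag to confirm the delivered frame is identical to what entered the provider's network. Assumptions: both tags use TPID 0x8100 as the text describes (providers that follow 802.1ad use 0x88a8 for the outer tag, and the parser accepts either); the FCS is the standard CRC-32 appended little-endian; the MAC addresses are reused from the port-security output earlier in the chapter.

```python
"""Build, stack and strip 802.1Q tags on an Ethernet frame (added example).

Not code from the book. Assumptions: both the customer tag and the provider's
outer tag use TPID 0x8100, as the text describes (providers that follow
802.1ad use 0x88a8 for the outer tag; TAG_TPIDS accepts both); the FCS is the
standard CRC-32 appended little-endian; the sample frame is constructed.
"""
import struct
import zlib
from typing import List, Tuple

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def _fcs(body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def append_fcs(body: bytes) -> bytes:
    """Return body + its 4-byte FCS."""
    return body + _fcs(body)


def verify_fcs(frame: bytes) -> bool:
    return len(frame) > 4 and frame[-4:] == _fcs(frame[:-4])


def _body(frame: bytes) -> bytes:
    """Strip the FCS, refusing frames whose checksum is wrong."""
    if not verify_fcs(frame):
        raise ValueError("bad FCS")
    return frame[:-4]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst | src | length/type | data | FCS."""
    return append_fcs(dst + src + struct.pack("!H", ethertype) + payload)


def push_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0,
             tpid: int = TPID_8021Q) -> bytes:
    """Insert a tag after the source MAC and recompute the FCS."""
    if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("VID is 12 bits, PCP 3 bits, CFI 1 bit")
    body = _body(frame)
    tci = (pcp << 13) | (cfi << 12) | vid
    return append_fcs(body[:12] + struct.pack("!HH", tpid, tci) + body[12:])


def pop_tag(frame: bytes) -> Tuple[int, bytes]:
    """Remove the outermost tag; return (vid, frame with new FCS)."""
    body = _body(frame)
    tpid, tci = struct.unpack("!HH", body[12:16])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame is not tagged")
    return tci & 0xFFF, append_fcs(body[:12] + body[16:])


def tags(frame: bytes) -> List[Tuple[int, int, int]]:
    """List (tpid, pcp, vid) for every tag, outermost first."""
    body, off, found = _body(frame), 12, []
    while len(body) >= off + 4:
        tpid, tci = struct.unpack("!HH", body[off:off + 4])
        if tpid not in TAG_TPIDS:
            break
        found.append((tpid, tci >> 13, tci & 0xFFF))
        off += 4
    return found


# Constructed sample: MACs from the port-security output earlier in the chapter,
# an IPv4 ethertype and a minimal 46-byte payload.
ORIGINAL = build_frame(bytes.fromhex("00000a001234"), bytes.fromhex("00000a025678"),
                       0x0800, b"\x45" + b"\x00" * 45)


def stack_and_unstack(vid_customer: int = 10, vid_provider: int = 200):
    """Walk Figure 11.5: your tag, then the SP tag, then the SP strips its tag."""
    yours = push_tag(ORIGINAL, vid_customer)
    stacked = push_tag(yours, vid_provider, pcp=5)     # SP may mark priority
    _, delivered = pop_tag(stacked)
    return yours, stacked, delivered


if __name__ == "__main__":
    yours, stacked, delivered = stack_and_unstack()
    print(len(ORIGINAL), len(yours), len(stacked), tags(stacked), delivered == yours)
```

The length sequence 64, 68, 72 is the 4 bytes per tag the text describes, and it is why the provider's links must accept frames larger than 1522 bytes (baby giants) when they carry Q-in-Q. The tags function is also the check to run on a capture at the hand-off: if it reports two tags on a frame that should have had its outer tag stripped, the provider is leaking its t
agging into your network.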
STP
As I mentioned in the Tag Stacking: Q-in-Q Tunneling section, Q-in-Q
tunnels STP BPDUs. This is important for networks like the one shown in
Figure 11.6. In this example, two networks are connected via 802.1Q trunks,
and are transparently connected via Q-in-Q. The provider's network is
transparent, so from the network's perspective, it appears that Switch1 and
Switch4 are on the same segment.
As I mentioned earlier, you have two choices with STP: have the provider tunnel your CDP and BPDUs between sites or have the provider drop these frames.
If you choose the former case, one switch in this network is chosen as the root.
Based on the root, accumulated path costs, and priorities, a single loop-free
topology is created. However, STP never guarantees a loop-free topology. So,
the topology that STP comes up with might be optimal for one site but not
another. Therefore, you'll have to spend a lot of time tuning STP to optimize it.
Figure 11.6 Two sites (Switch 1 through Switch 6) connected through a Service Provider Switch by 802.1Q trunks; Switch 1 and Switch 4 appear to share a segment.
Your other choice is to have the provider drop BPDU and CDP frames. In this
instance, each site is its own STP island, with its own root and its own STP
topology. Using this approach, it becomes much easier to tune STP on a site-by-site basis. Care must be taken in this example if you have a partially meshed
design in the MAN. For instance, you might have three sites connected
together: sites 1, 2, and 3. Site 1 is connected to site 2, site 2 is connected to
site 3, and site 3 is connected to site 1. In this situation, there is a Layer 2 loop
within the provider's network. If you have this type of design, you must enable
BPDUs across the provider's network to detect and remove loops from your
own infrastructure. Otherwise, you'll create a broadcast storm between your
sites and waste bandwidth.
STP issues can become complicated when using Q-in-Q. Let's look at another
example by examining Figure 11.7. Let's assume that these are three separate
companies, where Switches 1, 2, and 3 are in one company, Switches 4, 5, and
6 are in a second company, and Switches 7, 8, and 9 are in a third company.
In the first company, there are redundant links to the carrier via Switch 1 and
Switch 3, where a loop is formed between Switch 1, 3, and the provider's
switch (SP Switch 1). You have to remember that the provider's switches will
not participate in your STP process: they either drop your BPDUs or tunnel them. If the provider drops the frames, you have a Layer 2 loop that STP
will not detect. If the carrier tunnels the frames, Switch 1 and Switch 3 will
see two connections to themselves, and either use the direct connection or
disable one of the provider connections.
Figure 11.7 Three customer networks attached to a service provider (SP Switch 1 and SP Switch 2): Switches 1, 2, and 3 (trunks to the provider from Switch 1 and Switch 3); Switches 4, 5, and 6 (Switch 4 attached to two provider switches); Switches 7, 8, and 9 (Switch 7 attached via an EtherChannel).
If you want to use both connections, you might want to consider using an
EtherChannel between you and the provider, as shown with Switch 7 in
Figure 11.7. This increases your bandwidth, but its main disadvantage is a
single point of failure: both with your switch and the provider's switch.
I already talked about dual-homing your location to the MAN in the last
paragraph, so let's discuss your second option: having your switch connected
to two different provider switches, as shown by Switch 4 in Figure 11.7. If
the provider is dropping your BPDUs, you've created a loop from Switch 4
to itself. And if you have the provider tunnel STP information, the switch
will see that it has a connection, via the provider, that appears to be connected back to itself on a different port. In this situation, STP will disable
one of the two ports to the carrier.
As you can see from these examples, dealing with STP in a MAN is not a
simple task.
Q-in-Q has the following advantages:
- implementation.
- Service providers can easily offer and implement it.
- Supports multiple STPs if you have multiple VLANs on your trunks.
- Providers offer both point-to-point and point-to-multipoint solutions.
Q-in-Q has the following disadvantages:
- problems.
- It is proprietary to Cisco.
- It is supported only for Ethernet connections.
- The provider is limited to 4,096 VLANs.
The main advantage of Q-in-Q is that the provider's network is transparent. The main
disadvantages of Q-in-Q are dealing with Layer 2 loop issues, attempting to implement redundancy on a large scale, and using a provider that supports Cisco's
proprietary Q-in-Q feature.
service provider.
Because of these two advantages, service providers prefer EoMPLS over
Q-in-Q. EoMPLS, like Q-in-Q, is a tunneling mechanism that tunnels your
Overview
EoMPLS can deliver Transparent LAN Service (TLS) for customers'
Ethernet connections. TLS provides a logical connection between two sites
across a point-to-point connection. From the customer's perspective, this
logical connection appears as an Ethernet segment. One advantage of
EoMPLS is that, because it is based on a Layer 3 process,
Layer 2 problems and management are not an issue for the service provider.
For instance, with Q-in-Q, which is a Layer 2 process, the provider must
deal with internal STP, MAC address learning and forwarding, and other
Layer 2 processes. EoMPLS with TLS doesn't have this limitation because
the provider deals with internal traffic from a Layer 3 perspective. This provides much more scalability and control over traffic.
Process
Before I begin discussing how EoMPLS functions, you need to be familiar
with some important terms that MPLS uses, as shown in Table 11.2.
Table 11.2 MPLS Terms
Term: Label distribution protocol (LDP)
Term: Label edge router (LER)
Definition: The LER takes traffic from the customer, labels it, and
switches the labeled frames; it is also responsible for
stripping off labels on egress ports.
Remember the terms in Table 11.2.
Figure: Service provider MPLS network with LERs at the edge, an LSR and an LSC in the core, and LDP between them.
Protocol Labeling
EoMPLS is implemented by a service provider and is a point-to-point connection, with LERs being the endpoints of the connection. The ingress LER
attaches two labels to incoming frames: a tunnel and a virtual circuit (VC)
label. The tunnel label is used to determine what egress LER device the traffic should be forwarded to. The VC label determines the egress port on the
egress device.
It is important to point out that each customer needs its own physical interface on an LER. Each customer typically has one VC associated with the
interface. However, if more than one VC is associated with the interface, the
customer must tell the service provider how traffic should be mapped to
specific VCs.
The ingress LER performs two functions on a frame received from the customer: frame marking/classification and encapsulation. On receiving a
frame, the LER first maps the frame to a tunnel label switched path (LSP),
which is the path that the frame will take through the provider's network.
Next, the LER marks the frame with a CoS value, which becomes part of the
tunnel tag. With DiffServ, the frame is marked either E-LSP (queuing,
scheduling, and drop policy information) or L-LSP (drop policy information). The CoS information is inserted into a tunnel label in a 3-bit field
called EXP. The CoS can be statically assigned by the provider based on how
the customer purchased the service, or the provider can map the 802.1Q/P
information from the customer's frame into the equivalent CoS that the
provider has configured.
The ingress LER then adds the VC label, which is used by the egress LER to
forward the traffic out the correct destination port. Both the tunnel and VC
labels are included in an EoMPLS encapsulation, as shown in Figure 11.9.
Figure 11.9 EoMPLS frame: Destination MAC | Source MAC | Ethernet Type 0x8847 | Tunnel Label | VC Label | Original Ethernet Header | Original Ethernet Payload
When an internal LSR receives the labeled frame, it examines the destination MAC address to determine whether it needs to process the frame. The
LSR then examines the tunnel tag to determine how to switch the frame.
When switching the frame, it rewrites the Layer 2 header according to its
own source and the next hop's destination MAC addresses.
When the egress LER receives the labeled frame, it removes the header and
tunnel label. The LER examines the VC label to determine which physical
interface the frame should exit, and then strips this off and queues up the
frame on the egress port.
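As an added example (not the book's code), here is a Python model of the ingress LER, core LSR and egress LER steps described above, with constructed addresses, labels and port names. The 32-bit label stack entry layout (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL) and the 802.1p-to-EXP mapping table are assumptions beyond what the page states; the customer frame is carried without its FCS and the outer FCS is omitted to keep the focus on the label stack.

```python
"""EoMPLS label-stack walk-through (Figure 11.9): ingress LER pushes a tunnel
label and a VC label behind an Ethernet header of type 0x8847, a core LSR
rewrites the outer header and swaps the tunnel label, and the egress LER pops
both labels and picks the exit port from the VC label."""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847  # outer Ethernet type of an EoMPLS frame
TPID_8021Q = 0x8100


def label_entry(label: int, exp: int, bottom: bool, ttl: int = 255) -> bytes:
    """Pack one 32-bit MPLS label stack entry: 20-bit label (the provider's
    20 bits for telling customers apart), 3-bit EXP carrying the CoS,
    1-bit bottom-of-stack flag, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label is a 20-bit field")
    if not 0 <= exp <= 7:
        raise ValueError("EXP is a 3-bit field")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | (ttl & 0xFF))


def parse_entry(entry: bytes) -> tuple:
    """Unpack a label stack entry into (label, exp, bottom, ttl)."""
    (word,) = struct.unpack("!I", entry)
    return word >> 12, (word >> 9) & 7, bool((word >> 8) & 1), word & 0xFF


def customer_priority(frame: bytes) -> int:
    """802.1p priority from the customer's 802.1Q tag (0 if untagged)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] >> 13
    return 0


def ingress_ler(customer_frame, tunnel_label, vc_label, ler_mac, next_hop_mac, cos_map):
    """Classification, then encapsulation (Figure 11.9): new dst/src MAC |
    type 0x8847 | tunnel label | VC label | original Ethernet header + payload.
    cos_map is the provider's 802.1p -> EXP policy (constructed here)."""
    exp = cos_map[customer_priority(customer_frame)]
    outer = next_hop_mac + ler_mac + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    return (outer + label_entry(tunnel_label, exp, bottom=False)
            + label_entry(vc_label, exp, bottom=True) + customer_frame)


def core_lsr(frame, my_mac, lfib, next_hop_mac):
    """An internal LSR only acts on frames addressed to it.  It swaps the
    tunnel label according to its LFIB and rewrites the outer Layer 2 header
    with its own source MAC and the next hop's destination MAC.  The VC label
    and the customer frame behind it are untouched."""
    if frame[:6] != my_mac:
        return None
    label, exp, bottom, ttl = parse_entry(frame[14:18])
    swapped = label_entry(lfib[label], exp, bottom, ttl - 1)
    return next_hop_mac + my_mac + frame[12:14] + swapped + frame[18:]


def egress_ler(frame, vc_table):
    """Pop the outer header and tunnel label, map the VC label to the exit
    interface, strip it, and return (interface, original customer frame)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    _, _, tunnel_is_bottom, _ = parse_entry(frame[14:18])
    vc_label, _, vc_is_bottom, _ = parse_entry(frame[18:22])
    if tunnel_is_bottom or not vc_is_bottom:
        raise ValueError("expected exactly two labels: tunnel then VC")
    return vc_table[vc_label], frame[22:]


def eompls_demo() -> dict:
    """Carry one customer frame from the ingress LER, through one LSR, to the
    egress LER.  All addresses, labels and port names are constructed."""
    cust = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
            + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100)  # 802.1Q tag: priority 5, VLAN 100
            + struct.pack("!H", 0x0800) + b"customer payload")
    ler_a, lsr, ler_b = (bytes.fromhex("0c00000000%02x" % i) for i in (1, 2, 3))
    identity_cos = {p: p for p in range(8)}  # provider copies 802.1p straight into EXP
    labeled = ingress_ler(cust, 1000, 20, ler_a, lsr, identity_cos)
    swapped = core_lsr(labeled, lsr, {1000: 1001}, ler_b)
    port, delivered = egress_ler(swapped, {20: "FastEthernet0/1"})
    return {
        "ethertype": struct.unpack("!H", labeled[12:14])[0],        # 0x8847
        "tunnel_label_after_swap": parse_entry(swapped[14:18])[0],  # 1001
        "exp": parse_entry(swapped[14:18])[1],                      # 5
        "egress_port": port,
        "delivered_intact": delivered == cust,
    }


if __name__ == "__main__":
    print(eompls_demo())
```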
EoMPLS uses two tags: a tunnel tag and a VC tag. The tunnel tag describes how to
get the user's data across the EoMPLS network, and contains CoS information. The
VC tag is used by the egress carrier device to determine the exit port to use to
forward the frame to the customer.
Connection Types
EoMPLS currently offers point-to-point connections; point-to-multipoint
support is under development. The next two sections examine
these two types of connection solutions.
Point-to-Point
Providers like point-to-point solutions because they're easy to provision and
maintain, and are compatible with a backbone solution that uses MPLS.
With EoMPLS, you have better service provider scalability than with Q-in-Q because you aren't limited to 4,096 VLANs in the provider's core. The
provider can actually use up to 20 bits to differentiate between customers,
even in a fully meshed network.
However, point-to-point connections have problems fully meshing a network because it cannot be done via trunking. You have to use separate
VLANs for separate sites for connectivity, where the provider separates the
traffic across different VCs. You then need an RP to route between the
VLANs. You could use separate physical connections between different sites,
but this would increase your costs. Either way, there are customer scalability
problems with point-to-point connections.
Multipoint
In a multipoint EoMPLS solution, the service provider emulates an Ethernet
switch. This is typically done via a point-to-multipoint VC, which emulates
a broadcast medium. From a provider's perspective, the main problem with
this approach is that it is difficult to set up and maintain, especially with
QoS support. When many sites must be meshed, customers like this type of
solution because it simplifies their connection process and the operation of
their switches across the MAN.
Summary
When choosing a MAN solution, you should consider cost, scalability, transparency, level of service, and type of connection(s) needed. There are many
solutions to provide MAN services, including SONET, DWDM, CWDM,
Ethernet, IP, and ATM. SONET is good for point-to-point connections.
CWDM is used for last-mile connections and DWDM is used as the infrastructure for a MAN backbone.
There are different methods of attaching to a MAN: TLS (access link) and
DVS (802.1Q trunk). Both have problems with scalability. The service
provider can support only 4,096 VLANs for all customers. Q-in-Q (tag stacking) and EoMPLS address this issue. All of these solutions have issues when
customer redundancy is implemented, especially when it comes to STP.
Q-in-Q has the provider insert an additional 4-byte VLAN tag before your
trunking tag. This is a proprietary Cisco method that is currently in an RFC
draft state. Q-in-Q allows the tunneling of BPDUs and CDP frames. One
limitation of Q-in-Q is that the provider is still limited to 4,096 internal
VLANs. EoMPLS overcomes this by using a larger tag value. EoMPLS utilizes a tunnel and VC tag. The tunnel tag is used to switch the frame through
the provider's network and the VC tag is used to find the exit interface on the
provider's egress device.
Question 2
Which type of MAN service uses access link connections?
A. Directed VLAN service
B. Directed LAN service
C. Transparent LAN service
D. Transparent VLAN service
Question 3
Which is true concerning SONET?
A. Uses fiber cabling
B. Uses a single ring
C. Uses copper cabling
D. Uses a dual ring
Answers A and D are correct. SONET uses fiber cabling and a dual ring (for
redundancy), which makes answers B and C incorrect.
Question 4
Which of the following MAN services is the most scalable?
A. SONET
B. DWDM
C. CWDM
Question 5
With Q-in-Q, the service provider
A. Replaces your 802.1Q VLAN tag with its own
B. Inserts its VLAN tag before yours
C. Encapsulates your VLAN frame in its own
D. None of these answers
Answer B is correct. With Q-in-Q (tag stacking), the provider inserts its own
VLAN tag before yours and recomputes the FCS value. Therefore, answers
A and C are incorrect. C is incorrect because the frame is tagged, not encapsulated. And because there is a correct answer, D is also incorrect.
Question 6
With tag stacking, CDP and BPDU information can be tunneled through a
provider's network.
A. True
B. False
Answer A is correct. STP information, including BPDUs and CDP information, can be tunneled through a provider's network with Q-in-Q (tag
stacking). Therefore, answer B is incorrect.
Question 7
Which of the following is not an advantage of Q-in-Q?
A. PVST is supported.
B. The provider's VLAN implementation is transparent to your
implementation.
C. It supports both point-to-point and point-to-multipoint connections.
D. It is an open standard.
Question 8
Q-in-Q supports how many VLANs by the provider?
A. 64
B. 256
C. 4,096
D. No restrictions
Question 9
Which of the following is true concerning EoMPLS?
A. Uses a Layer 2 core
B. Users' MAN connections appear as a logical switch
C. Requires multipoint connections
D. Supports more than 4,096 VLANs
Answer D is correct. EoMPLS is more scalable than Q-in-Q because it supports more than 4,096 internal VLANs for the provider. EoMPLS provides
a Layer 3 core, making answer A incorrect. The user's MAN connections
appear as a logical segment, not a switch, which makes answer B incorrect.
EoMPLS supports point-to-point connections, which makes answer C
incorrect.
Question 10
How many tags does EoMPLS use?
A. 1
B. 2
C. 3
D. None
12
Sample Test 1
descriptions
Simulations in which you type configuration commands to simulate
You should always take the time to read a question at least twice before
selecting an answer, and you should always look for an Exhibit button as you
examine each question. Exhibits include graphics information related to a
question. An exhibit is usually a screen capture of program output or GUI
information that you must examine to analyze the question's contents and
formulate an answer. The Exhibit button displays graphics and charts used to
help explain a question, provide additional data, or illustrate page layout or
program behavior.
Not every question has only one answer; many questions require multiple
answers. Therefore, you should read each question carefully, determine how
many answers are necessary or possible, and look for additional hints or
instructions when selecting answers. Such instructions often appear in brackets immediately following the question itself (for multiple-answer questions).
imaginary state.
The answer can be eliminated because of information in the question
itself.
After you eliminate all answers that are obviously wrong, you can apply your
retained knowledge to eliminate further answers. Look for items that sound
correct but refer to actions, commands, or features that are not present or
not available in the situation that the question describes.
If you're still faced with a blind guess among two or more potentially correct
answers, reread the question. Try to picture how each of the possible remaining answers would alter the situation. Be especially sensitive to terminology;
sometimes the choice of words (remove instead of disable) can be the difference between a right answer and a wrong one.
Only when youve exhausted your ability to eliminate answers but remain
unclear about which of the remaining possibilities is correct should you guess
at an answer. An unanswered question offers you no points, but guessing
gives you at least some chance of getting a question right; just dont be too
hasty when making a blind guess.
Decoding Ambiguity
Cisco exams have a reputation for including questions that can be difficult to
interpret, confusing, or ambiguous. In my experience with numerous exams,
I consider this reputation to be completely justified. The Cisco exams are
tough, and they're deliberately made that way.
The only way to beat Cisco at its own game is to be prepared. You'll discover that many exam questions test your knowledge of things that are not
directly related to the issue raised by a question. This means that the answers
you must choose from, even incorrect ones, are just as much a part of the skill
assessment as the question itself. If you don't know something about most
aspects of the IOS and protocols, you might not be able to eliminate answers
that are wrong because they relate to the definition of an acronym other than
the one that's addressed by the question at hand. In other words, the more
you know about the acronyms, the easier it will be for you to tell right from
wrong.
Questions often give away their answers, but you have to be Sherlock
Holmes to see the clues. Subtle hints often appear in the question text in
such a way that they seem almost irrelevant to the situation. You must realize that each question is a test unto itself and that you need to inspect and
successfully navigate each question to pass the exam.
Another common difficulty with certification exams is vocabulary. Cisco has
an entire language using acronyms. Be very comfortable with all the
acronyms and their meanings. Be sure to brush up on the key terms presented at the beginning of each chapter of this book. You might also want to read
the glossary at the end of this book on the day before you take the test.
doesn't mean you can't take notes on what you see early in the test in the
hope that it might help you later in the test.
For Cisco exams, don't be afraid to take notes on what you see in various questions.
Sometimes, what you record from one question can help you on later questions,
especially if it's not as familiar as it should be or it reminds you of the name or use
of some utility or interface details.
If you work your way through this book while accessing the IOS interface as
well as diagramming the topologies as they're discussed throughout, you
should have little or no difficulty mastering this material. Also, don't forget
that the Cram Sheet at the front of the book is designed to capture the material that's most important to memorize; use it to guide your studies as well.
Question 1
You issue the following command on your Catalyst 4000 Series switch:
Switch# show spanning-tree vlan 1
VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 8192, address 0030.94fc.0a00
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag set, detected flag set
Number of topology changes 3 last change occurred 00:00:09 ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers:hello 0, topology change 25, notification 0, aging 15
Port 323 (FastEthernet6/3) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 129.67.
Designated root has priority 8192, address 0030.94fc.0a00
Designated bridge has priority 8192, address 0030.94fc.0a00
Designated port id is 129.67, designated path cost 0
Timers:message age 0, forward delay 0, hold 0
Number of transitions to forwarding state:1
BPDU:sent 9, received 105
Port 324 (FastEthernet6/4) of VLAN1 is listening
Port path cost 19, Port priority 128, Port Identifier 129.68.
Designated root has priority 8192, address 0030.94fc.0a00
Designated bridge has priority 8192, address 0030.94fc.0a00
Designated port id is 129.68, designated path cost 0
Timers:message age 0, forward delay 5, hold 0
Number of transitions to forwarding state:0
BPDU:sent 6, received 102
Switch#
What can you determine from this output? (Choose all that apply.)
A. This switch is the designated bridge.
B. This switch is the root bridge.
C. The spanning tree timers have been modified.
D. The default diameter is set.
Question 2
The Cisco AVVID framework supports the key components of network infrastructure, intelligent network services, and network solutions. Which of the
following are examples of network solutions? (Choose all that apply.)
A. Quality of service
B. IP multicast
C. Content networking
D. Storage networking
E. Network management
Question 3
The Campus Infrastructure model includes three modules: Building Access,
Building Distribution, and Campus Backbone. Which of these submodules provides aggregation of Layer 2 devices, often using Layer 3 switching and also
features quality of service and access control?
A. Building Access
B. Building Distribution
C. Campus Backbone
D. Enterprise Core
Question 4
Youre considering implementing a high-speed, VLAN-based switched network
for your Enterprise Campus. What mechanism provides the ability to transmit
traffic between VLANs?
A. Core switch
B. Software-based bridge
C. Route processor
D. Switch fabric card
Question 5
The Campus Infrastructure model includes three modules: Building Access,
Building Distribution, and Campus Backbone. Which of these submodules typically includes Layer 2 switching?
A. Building Access
B. Building Distribution
C. Campus Backbone
D. Enterprise Core
Question 6
Youre configuring a new campus network and are encountering a major problem.
Youre working in the Building Access layer and a host cannot communicate
with the Layer 2 Catalyst switch. Youve verified that other hosts connected to
this switch can communicate fine, and youve also verified that the NIC on the
client system is fully functional. What other steps should you take to correct this
problem? (Choose all that apply.)
A. Ensure that the host speed and duplex setting match that of the
switch.
B. Ensure that the switch is learning the MAC address of the host.
C. Check the status of the port connection.
D. If the host is in the same subnet as the switch interface, ensure that
the default gateway is properly configured on the host.
Question 7
Youre considering implementing VLANs in your campus network. How does the
use of VLANs improve the design of your network? (Choose all that apply.)
A. The VLAN design enables you to reduce the number of collision
domains that must be created.
B. The VLAN design enables you to increase the number of broadcast
domains.
C. The VLAN design can help you increase security in the campus network.
D. The VLAN design eliminates the need for Layer 3 routing of traffic.
Question 8
Youre responsible for designing a new campus network infrastructure within
your company. Youre designing your Enterprise Campus network with the centralization of key resources in mind. Given this design goal, what type of VLAN
model should you consider implementing?
A. Auxiliary VLANs
B. Dynamic VLANs
C. End to end VLANs
D. Local VLANs
Question 9
Which of the following commands creates a VLAN in your campus network?
(Choose all that apply.)
A. Switch(config-if)# vlan 3
B. Switch# vlan 3
C. Switch(vlan)# vlan 3
D. Switch(config)# vlan 3
Question 10
Examine the following configuration. You want to configure the Fast Ethernet
port 5/6 as an access port in VLAN 200. What is the correct command that is
missing from this configuration?
Switch# configure terminal
Switch(config)# interface fastethernet 5/6
Switch(config-if)# switchport mode access
MISSING COMMAND
Switch(config-if)# end
Switch# exit
Question 11
Which switch port Dynamic Trunking Protocol mode sets the switch port to
actively send and respond to DTP negotiation frames without tagging frames?
A. trunk
B. nonegotiate
C. dynamic desirable
D. dynamic auto
Question 12
Which trunking protocol adds a tag to a standard Layer 2 Ethernet data frame,
recalculates the CRC for the entire frame with the tag, and inserts a new CRC
value in the FCS field?
A. ISL
B. 802.1Q
C. DTP
D. VTP
Question 13
Which of the following VTP modes allows for the creation, modification, and
deletion of VLANs on the local switch? (Choose all that apply.)
A. Server
B. Slave
C. Client
D. Transparent
E. Master
Question 14
Which of the following statements are correct with regard to VTP pruning?
(Choose all that apply.)
A. VTP pruning increases available bandwidth by restricting flooded traffic.
B. VTP pruning must be set on all switches that participate in VLANs.
C. VTP pruning might have a negative impact on network update
performance.
D. VTP pruning eliminates the propagation of all Spanning Tree Protocol
information.
Question 15
What are the port states of Rapid Spanning Tree Protocol? (Choose all that
apply.)
A. Blocking
B. Forwarding
C. Listening
D. Learning
E. Discarding
Question 16
RSTP defines additional roles for ports in order to encourage quicker convergence for topology changes. Which port role allows a port to quickly assume the
role of root port?
A. Root port
B. Designated port
C. Alternate port
D. Backup port
E. Disabled port
Question 17
Which Spanning Tree Protocol enhancement seeks to reduce the total number
of spanning-tree instances to match the physical topology of the network and
thus reduce CPU cycles on a switch?
A. PVST+
B. CST
C. MST
D. PVST
Question 18
Which switching technology relies on a forwarding information base and adjacency tables in order to accomplish high-speed data transfers?
A. Netflow-based switching
B. Distributed forwarding
C. Topology-based switching
D. Centralized forwarding
Question 19
Which interface/port type represents a VLAN of switch ports as one interface to
the routing or bridging function in the system?
A. Access port
B. Trunk port
C. Switch virtual interface
D. Routed port
Question 20
Which HSRP state causes the route processor to send periodic hello messages,
participate in the election of the active and standby router, and know the virtual
router IP address?
A. Initial state
B. Listen state
C. Speak state
D. Standby state
E. Active state
Question 21
Which multicast protocol is a Cisco-developed transitional solution for application developers to immediately start programming source-specific multicast
applications?
A. CGMP
B. IGMP v3lite
C. PIM DM
D. IGMP Snooping
Question 22
Youve configured various enhancements to the Spanning Tree Protocol in your
campus network. What enhancement mechanism can be verified with the command show spanning-tree inconsistent ports?
A. Unidirectional Link Detection
B. Root Guard
C. BPDU Guard
D. EtherChannel
Question 23
What is the purpose of the following switch configuration?
Switch# configure terminal
Switch(config)# interface fastethernet 5/8
Switch(config-if)# spanning-tree vlan 200 cost 20
Switch(config-if)# end
A. The spanning tree VLAN port cost of the Fast Ethernet interface is modified to 20 to make the port less likely to be placed in forwarding mode
when compared to a Fast Ethernet port in the default configuration.
B. The spanning tree VLAN port cost of the Fast Ethernet interface is modified to 20 to make the port more likely to be placed in forwarding mode
when compared to a Fast Ethernet port in the default configuration.
C. The spanning tree VLAN port cost of the Fast Ethernet interface is
modified to 20; this configuration has no basis on root bridge
selection.
D. The spanning tree VLAN port cost of the Fast Ethernet interface is
modified to 20 to make the switch more likely to be elected the root
bridge.
Question 24
Which of the following bridge priority values is commonly used to set a switch
to the role of secondary root bridge?
A. 32768
B. 4096
C. 24982
D. 8192
Question 25
Which of the following spanning tree transition states are based on the forward
delay timer value? (Choose all that apply.)
A. Blocking
B. Listening
C. Learning
D. Forwarding
Question 26
What is the correct order of the decision-making process used in spanning tree
topology calculations?
A. Lowest port ID - lowest sender bridge ID - lowest path cost to the
root bridge - lowest root bridge ID
B. Lowest sender bridge ID - lowest port ID - lowest path cost to the root
bridge - lowest root bridge ID
C. Lowest root bridge ID - lowest path cost to the root bridge - lowest
sender bridge ID - lowest port ID
D. Lowest root bridge ID - lowest path cost to the root bridge - lowest
port ID - lowest sender bridge ID
Question 27
Youre interested in fine-tuning the timers used in spanning tree. What is the
default value of the maximum-aging time used with spanning tree?
A. 15
B. 20
C. 30
D. 50
Question 28
Which of the following commands enables IP multicast routing on a Cisco route
processor?
A. multicast-routing
B. ip multicast-routing
C. ip mcast
D. set ip multicast-routing enable
Question 29
You must configure an ISL Ethernet trunk link between two of your Cisco
switches. Which of the following is not required for the trunk to operate
correctly?
A. Identical speed settings at each end of the link
B. Identical duplex settings at each end of the link
C. Identical trunk encapsulation parameters at each end of the link
D. Identical trunk negotiation parameters at each end of the link
Question 30
You're a network consultant assisting a local company. The existing network is
in need of additional bandwidth. However, you do not want to make the network
overly complicated, and the company has a limited budget. You're considering
the implementation of hardware-based bridging. Which OSI layer is associated
with these functions?
A. Presentation
B. Network
C. Data Link
D. Transport
Question 31
A company has followed your recommendations and redesigned its campus
network to support three switch blocks. These switch blocks include broadcast
domains that are confined within each individual switch block. Your design also
allows inter-VLAN routing within and between switch blocks. What is the most
appropriate device at the access layer within these switch blocks if the end-user
base consists of less than 100 desktops?
A. 8500
B. 4000
C. 6500
D. 2900
Question 32
Which of the following are valid guidelines or restrictions for the use of local
SPAN? (Choose all that apply.)
A. Only Layer 2 switched ports may function as SPAN sources.
B. A port specified as a destination port in one SPAN cannot be a destination
port for another SPAN.
C. A port channel interface can be a source.
D. A port configured as a destination port cannot be configured as a
source port.
Question 33
Which of the following are valid guidelines or restrictions for the use of remote
SPAN? (Choose all that apply.)
A. Networks impose a limit of one RSPAN VLAN per LAN.
B. RSPAN VLANs can be used only for RSPAN traffic.
C. Do not configure any ports in an RSPAN VLAN except those selected
to carry RSPAN traffic.
D. RSPAN does not support BPDU monitoring.
Question 34
What module for the 6000 and 6500 Series switches provides a network
management and monitoring solution?
A. FlexWAN module
B. RMON probe
C. IDS Sensor module
D. Network Analysis module
Question 35
Examine the following configuration. What does the configuration accomplish?
Switch(config)# aaa authentication login
securelist tacacs+ local
Switch(config)# line con 0
Switch(config-line)# login authentication securelist
Question 36
Which of the following Cisco switch prompts indicates that youre in a VLAN
database configuration mode?
A. Switch(config)#
B. Switch(config-if)#
C. Switch(vlan)#
D. Switch(config-vlan)#
Question 37
Which of the following is not a valid definition of an 802.1Q native VLAN?
A. The VLAN that receives untagged frames on an 802.1Q trunk link
B. The VLAN that a port belongs to when not in trunking mode
C. The VLAN from which untagged frames source over an 802.1Q trunk
link
D. The VLAN used to represent multiple spanning tree instances to a
common spanning tree domain
Question 38
You're interested in tunneling traffic such as CDP, VTP, and STP through a service provider network to your remote switches. Which technology option is
appropriate?
A. GBPT
B. RSTP
C. MST
D. PVST+
Question 39
Which of the following statements are true regarding ISL versus 802.1Q trunking protocols? (Choose all that apply.)
A. ISL is Cisco proprietary.
B. 802.1Q is protocol independent.
C. ISL demonstrates true encapsulation.
D. The 802.1Q frame contains two FCS fields.
Question 40
Which switch port DTP mode puts the interface into permanent trunking mode
and prevents the interface from generating DTP frames?
A. access
B. nonegotiate
C. dynamic desirable
D. dynamic auto
Question 41
802.1Q tunneling allows service providers to transmit VLAN traffic for multiple
customers. What type of link is used between the customer device and the service provider edge switch?
A. Trunk
B. Asymmetric
C. Tunnel
D. Access
Question 42
You're having problems configuring a trunk between two of your switches. What
troubleshooting steps should you consider? (Choose all that apply.)
A. Check the interface mode at each end of the link.
B. Check the encapsulation type at each end of the link.
C. Check the native VLAN configuration at each end of the link.
D. Check the ISL to 802.1Q VLAN mapping statements.
Question 43
Which of the following commands sets the native VLAN of an 802.1Q trunk port
to VLAN 10?
A. native 10
B. switchport encapsulation dot1Q native 10
C. switchport trunk native vlan 10
D. switchport trunk vlan 10
E. switchport trunk vlan 10 native
Question 44
You're in the process of verifying VTP on your Catalyst 2950 access layer
switch. You issue the following command:
Switch# show vtp status
VTP Version : 2
Configuration Revision : 25
Maximum VLANs supported locally : 250
Number of existing VLANs : 69
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1
(lowest numbered VLAN interface found)
Based on the preceding output, which of the following statements are true?
(Choose all that apply.)
A. The switch is running VTP version 2.
B. VTP pruning is not enabled on the switch.
C. VLANs cannot be created on this switch.
D. The VLAN domain name is test.
Question 45
You're troubleshooting VTP in your campus network. If you notice that VLAN
information is not propagating throughout your domain, which items should
you check? (Choose all that apply.)
A. Ensure that all devices are in VTP server mode.
B. Ensure that all VTP versions are set to 3 or higher.
C. Ensure that trunks are appropriately configured between all devices.
D. Ensure that the VTP domain name is properly configured on all
devices.
Question 46
What statements are correct in regard to transparent bridging? (Choose all that
apply.)
A. Transparent bridges must not modify the frames that are forwarded.
B. MAC addresses are learned by examining source MAC addresses.
C. Transparent bridges must forward all broadcasts out all ports except
for the port from which the broadcast originated.
D. Transparent bridges must forward unknown unicast packets out of the
interface specified in the CAM table.
Question 47
Which two components make up a Bridge ID in Spanning Tree Protocol?
(Choose two.)
A. Bridge Priority
B. Port Cost
C. MAC address
D. Instance ID
Question 48
What are two advantages of metro Ethernet over DWDM? (Choose all that apply.)
A. Transparency
B. Scalability
C. Distance capabilities
D. Ease of configuration
E. Statistical multiplexing provisions
Question 49
Which of the following features are congestion management tools? (Choose all
that apply.)
A. LFI
B. LLQ
C. WFQ
D. CBWFQ
Question 50
You're configuring low-latency queuing. Which command reserves a strict priority queue for CBWFQ traffic?
A. fair-queue
B. priority bandwidth
C. class-map class-name
D. policy-map policy-name
Question 51
You would like to display priority queuing output in real time on your Cisco
switch. Which command should you use?
A. debug ip rsvp
B. debug priority
C. debug multilink ppp
D. debug ppp multilink fragments
Question 52
The Cisco IOS switches support various types of ACL implementations. Which
of the following is not an ACL type supported by the IOS?
A. Ether ACL
B. VACL
C. Router ACL
D. QoS ACL
Question 53
Private VLANs feature a port that is completely separated from other ports
except one. What is this type of port called?
A. Isolated
B. Separated
C. Community
D. Promiscuous
Question 54
You need to enable the preferred mode of PIM for IP multicast on your Catalyst
switch. Which command should you use?
A. ip pim dense-mode
B. ip pim sparse-mode
C. ip pim sparse-dense-mode
D. ip pim dense-sparse-mode
Question 55
Which of the following Cisco proprietary Spanning Tree enhancements reduces
the time to convergence when a directly connected link fails?
A. PortFast
B. UplinkFast
C. BackboneFast
D. RSTP
Question 56
Which of the following IEEE standards support VLAN trunking? (Choose all that
apply.)
A. 802.10
B. 802.1d
C. 802.1q
D. 802.4
Question 57
You're comparing trunk ports in your campus network to access ports. Which
of the following statements best describes an access link?
A. An access link can carry multiple VLANs.
B. An access link belongs to only one VLAN.
C. An access link can receive both tagged and untagged frames.
D. An access link is typically used to connect access layer switches with
distribution layer switches.
Question 58
You need to connect a switch to another switch in your campus network topology. What cable type should you use?
A. Straight-through
B. Rollover
C. Crossover
D. Null-modem
Question 59
What prefix indicates a multicast frame?
A. 01:5e:00
B. 01:00:5e
C. 5e:00:01
D. 00:01:5e
Question 60
Which of the following protocols are multicast routing protocols? (Choose all
that apply.)
A. CBT (Core Based Trees)
B. PIM (Protocol Independent Multicast)
C. DVMRP (Distance Vector Multicast Routing Protocol)
D. IGMP (Internet Group Management Protocol)
13
Answer Key 1
1. B, D
2. C, D
3. B
4. C
5. A
6. A, B, C
7. B, C
8. D
9. C, D
10. C
11. C
12. B
13. A, D
14. A, C
15. B, D, E
16. C
17. C
18. C
19. C
20. C
21. B
22. B
23. A
24. D
25. B, C
26. C
27. B
28. B
29. D
30. C
31. D
32. B, C, D
33. B, C, D
34. D
35. A
36. C
37. D
38. A
39. A, C
40. B
41. B
42. A, B, C
43. C
44. B, D
45. C, D
46. A, B, C
47. A, C
48. A, D
49. B, C, D
50. B
51. B
52. A
53. A
54. C
55. B
56. A, C
57. B
58. C
59. B
60. A, B, C
Question 1
Answers B and D are correct. The output shows that the switch is the root
bridge; this can be learned from the line "We are the root of the spanning
tree". The diameter value has not been modified from the default, as evidenced
by the spanning tree timers being at their default values in the line "hello 2,
max age 20, forward delay 15". Answer A is incorrect because this switch is
functioning as the root bridge; it is not the designated bridge. Answer C is
incorrect for the same reason: the output "hello 2, max age 20, forward delay
15" shows us that the spanning tree timers have not been modified.
Question 2
Answers C and D are correct. Examples of network solutions are IP telephony, multi-unit applications, content networking, and storage networking.
Answer A is incorrect because quality of service is an example of an intelligent network service. Answer B is also incorrect because it is an intelligent
network service. Finally, answer E is also incorrect because it is an intelligent
network service as well.
Question 3
Answer B is correct. The Building Distribution layer provides aggregation of
Building Access devices often using Layer 3 switching. Answer A is incorrect
because the Building Access layer provides connectivity to end-user systems
in the campus. Answers C and D are incorrect because the Enterprise Core
and the Campus Backbone each describe the same layers. They provide
redundant and fast-converging connectivity between buildings.
Question 4
Answer C is correct. A route processor is required to move traffic between
VLANs in a campus network. That route processor can be internal in a multilayer switch, or it can be an external device such as a classic Cisco router.
An example of an internal route processor would be a route switch module
(RSM) or a multilayer switch feature card (MSFC). Answer A is incorrect. A
core layer switch does not necessarily contain a route processor, which is
Question 5
Answer A is correct. The Building Access layer typically contains Layer 2
switching that provides simple and fast access for end-user systems in need
of network connectivity. Answer B is incorrect. The Building Distribution
layer typically features Layer 3 switching because this is an aggregation
point that requires routing. Answers C and D are incorrect. The Enterprise
Core and the Campus Backbone each describe the same layer. They provide
redundant and fast-converging connectivity between buildings and utilize
either Layer 2 or Layer 3 switching.
Question 6
Answers A, B, and C are correct. Speed and duplex mismatches are a common misconfiguration between hosts and switches, so you should first ensure that
this isn't the problem. Use the show mac dynamic command to ensure that
the switch is learning the MAC address of the host as it should. You
should also check the status of the port connection with the show interfaces
command; the status should appear as connected. Answer D is
incorrect because the host does not need a default gateway configured to
communicate with its local switch port.
Question 7
Answers B and C are correct. The VLAN design enables you to increase the
number of broadcast domains and allows for greater security. More broadcast
domains means smaller broadcast domains overall, so end-user systems are no
longer burdened by large amounts of broadcast traffic. Answer
A is incorrect because the creation of VLANs does not reduce the number of
collision domains. Collision domains are increased with switching in general;
in fact, this is a benefit of using switches in your design. Answer D is also
incorrect. Using VLANs actually requires that you use Layer 3 routing in
your design; with today's fast Layer 3 switches, this is not a disadvantage.
Question 8
Answer D is correct. The local VLAN approach is used most often now in
campus networks, especially ones that feature centralized resources. As corporations have moved to centralize their resources, end-to-end VLANs have
become more difficult to maintain: users access many different
resources, including many that are no longer in their VLAN. Answer A is
incorrect. Auxiliary VLANs are typically used for voice traffic. Answer B is
incorrect because dynamic VLANs are not typically used, due to the high
administrative overhead involved as well as potential performance issues.
Answer C is also incorrect because end-to-end VLANs are too difficult to
maintain in most modern networks.
Question 9
Answers C and D are correct. You can create VLANs in two main ways on
Catalyst switches. Some switches allow the creation of VLANs in global configuration mode, whereas others require the use of the VLAN database mode.
Answers A and B are both incorrect. You cannot create VLANs in privileged
EXEC mode, nor can you create VLANs in interface configuration mode.
Question 10
Answer C is correct. The switchport access vlan 200 command places the
port in VLAN 200. If the VLAN you specify does not exist, the port will not
become operational until you create the VLAN. Answers A, B, and D are
incorrect. Each of these commands is invalid and produces a syntax error.
Question 11
Answer C is correct. The dynamic desirable switch port DTP setting doesn't
tag frames, but does cause the switch port to actively send and respond to
DTP negotiation frames. Answer A is incorrect. The trunk mode sets the
switch port to unconditional trunking mode and negotiates with the neighbor
to make the link a trunk. Answer B is also incorrect. The nonegotiate option
specifies that DTP negotiation packets are not sent on the interface. Finally,
answer D is also incorrect. The dynamic auto setting has the port respond to,
but not actively send, DTP negotiation frames.
Question 12
Answer B is correct. The 802.1Q Trunking protocol actually modifies the
original Ethernet data frame. Answer A is incorrect. ISL encapsulation does
not modify the original data frame. It adds a new header to the frame as it is
carried over the trunk link. Answer C is incorrect because DTP allows for
the dynamic negotiation of trunk links. Finally, answer D is also incorrect
because VTP allows for the management of VLAN information in a campus
network.
Question 13
Answers A and D are correct. Both server mode and transparent mode allow
for the creation, deletion, and modification of VLANs on the switch.
Transparent mode will not propagate this information to other switches,
however. Answer B is incorrect. There is no such mode as slave mode.
Answer C is also incorrect because client mode does not allow for the creation, modification, and deletion of VLANs on the switch. Answer E is
incorrect because there is no such mode as master mode.
Question 14
Answers A and C are correct. VTP pruning increases available bandwidth by
restricting the flooding of traffic to those trunk links that the traffic must use
to access the appropriate network devices. It might have a negative impact on
network update performance. Answer B is incorrect. You can enable
VTP pruning only on VTP servers; the setting cannot be configured on a
client. Answer D is also incorrect. VTP pruning does not block spanning
tree information.
Question 15
Answers B, D, and E are correct. The three port states identified in RSTP
(802.1w) are discarding, learning, and forwarding. Answers A and C are
incorrect. The blocking and listening states are used in STP (802.1D) and
are not used in RSTP.
Question 16
Answer C is correct. An alternate port is a port blocked by receiving more
useful BPDUs from another bridge. The alternate port becomes the root
port if the active root port fails. Answer A is incorrect because the root port
is the port closest to the root bridge. Answer B is also incorrect. The designated
port is the port on the designated bridge for each segment. Answer D is
incorrect because the backup port becomes the designated port if the existing designated port fails. Finally, answer E is incorrect because the disabled
port has no role within the operation of spanning tree.
Question 17
Answer C is correct. The Multiple Spanning Tree enhancement from the
IEEE enables the network administrator to map VLANs to spanning tree
topologies as needed to properly model the physical topology. This enables
the administrator to reduce the number of spanning tree topologies but still
load-balance. Answer A is incorrect. PVST+ features a separate spanning
tree instance for each VLAN. Answer B is incorrect because CST features a
single instance of spanning tree for all VLANs. Finally, answer D is incorrect
because PVST features a separate spanning tree instance for each VLAN.
Question 18
Answer C is correct. Cisco relies on CEF (Cisco Express Forwarding) to
implement topology-based switching. Answer A is incorrect. NetFlow-based
switching uses multilayer forwarding engines. ASICs and the route processor work together to forward data at high speeds. Answer B is also incorrect.
With distributed forwarding, the switching decision is made at the port or
module level. Finally, answer D is also incorrect. With centralized forwarding, a single central forwarding table is used.
Question 19
Answer C is correct. A switch virtual interface must be created when you
want to route between VLANs, fallback-bridge non-routable protocols
between VLANs, or to provide IP host connectivity to the switch. Answer A
is incorrect because an access port carries the traffic of and belongs to only
one VLAN. Answer B is also incorrect. A trunk port carries the traffic of
multiple VLANs and is a member of all VLANs by default. Finally, answer
D is incorrect. A routed port acts just like the port of a router.
Question 20
Answer C is correct. In the speak state, the route processor sends periodic
hello messages and actively participates in the election of the active and/or
standby router. Answer A is incorrect. HSRP is not running in the initial
state. Answer B is also incorrect. In the listen state, the router listens for hello
messages. Answer D is also incorrect. In the standby state, the route processor is a candidate to become the next active router. Finally, answer E is also
incorrect. In the active state, the router is currently forwarding packets that
are sent to the virtual MAC address of the group.
Question 21
Answer B is correct. In SSM deployment cases where IGMPv3 cannot be
used because it isn't supported by the receiver host or the receiver applications, there are two Cisco-developed transition solutions that enable the
immediate deployment of SSM services: URL Rendezvous Directory (URD)
and IGMP Version 3 lite (IGMP v3lite). Answer A is incorrect. Cisco Group
Management Protocol (CGMP) limits the forwarding of IP multicast packets to only those ports associated with IP multicast clients. Answer C is also
incorrect. Protocol Independent Multicast is a routing protocol for multicast
traffic; there are two types of PIM protocols: Dense Mode (DM) and Sparse
Mode (SM). Finally, answer D is also incorrect. IGMP snooping allows a
switch to snoop or capture information from IGMP packets being sent back
and forth between hosts and a router.
Question 22
Answer B is correct. The show spanning-tree inconsistentports command
enables you to quickly determine whether any ports are in the root-inconsistent
state under root guard. Answers A, C, and D are incorrect. Unidirectional
Link Detection does not place ports in the root-inconsistent state, nor does
BPDU Guard or EtherChannel.
Question 23
Answer A is correct. The default port cost for Fast Ethernet is 19. Setting the
VLAN port cost to 20 makes it less likely to be placed in forwarding mode
when compared to a default configuration of Fast Ethernet. Answer B is
incorrect. Because the default cost is 19, this port is less likely to be in forwarding mode. Answer C is incorrect. Although manipulating the port cost
value does not directly influence root bridge selection, it does manipulate the
forwarding state of the port. Finally, answer D is incorrect. To influence the
root bridge selection, you should use bridge priority.
Question 24
Answer D is correct. The standard value for secondary root bridge operation
is 8192. Answer A is incorrect. The value 32768 is the default priority value.
Answer B is incorrect. The value of 4096 is typically used to set the device as
the root bridge. Answer C is also incorrect. 24982 is not a typical priority
setting.
Question 25
Answers B and C are correct. The listening and learning states are affected
by the Forward Delay timer, which has a default of 15 seconds. Answer A is
incorrect. The blocking state is directly affected by the Max Age value.
Answer D is also incorrect. The forwarding state is not directly attributed to
a timer.
Question 26
Answer C is correct. Four criteria are used in the decision-making process,
and they are used in the following order: lowest root bridge ID; lowest path
cost to the root bridge; lowest sender bridge ID; lowest port ID. Answers A,
B, and D are incorrect. These options do not convey the correct order of the
four criteria that are used in the decision-making process.
Question 27
Answer B is correct. The default timer setting for Max Age is 20 seconds; the
possible range is 6 to 40 seconds. Answer A is incorrect. 15 seconds is the
default value for the forward delay value, not max age. Answer C is also
incorrect. 30 seconds is not a valid timer default. Finally, answer D is also
incorrect. 50 seconds is the default time that a port takes to transition from
the blocking state to the forwarding state.
Question 28
Answer B is correct. To globally enable the IP multicast routing protocol, use
the global configuration command: ip multicast-routing. Answers A, C, and
D are incorrect. These commands are invalid and all produce syntax errors.
Question 29
Answer D is correct. Negotiation parameters do not need to be identical. For
example, one side of the trunk may be set to desirable, while the other is set
to auto. In fact, this is the most common configuration with Cisco equipment.
Answers A, B, and C are incorrect. Identical speed settings, identical duplex
settings, and identical trunk encapsulation parameters are all required.
Question 30
Answer C is correct. The data link layer encompasses hardware-based bridging. Answer A is incorrect. The presentation layer is concerned with data
encryption and presentation, including formatting issues. Answer B is also
incorrect. The network layer involves routing. Finally, answer D is also incorrect. The transport layer encompasses an addressing system used for delivery.
Question 31
Answer D is correct. The 2900 series switches are perfect for the access layer
and provide high port densities at a low cost. Answer A is incorrect. The
Catalyst 8500 family of Cisco devices is often found in the core layer in order
to provide very high data transfers from one area of the network to another.
Answer B is incorrect. The Catalyst 4000 series provides control from the
backbone to the network edge. This series of switches has the ability to provide intelligent network services including advanced quality of service (QoS),
scalable performance, security, and simple manageability. Answer C is also
incorrect. Although the 6500 Series can function at any layer of the campus,
it is most often appropriate for the distribution or core layers.
Question 32
Answers B, C, and D are all correct. A destination port in one SPAN cannot
be a destination port for another SPAN. EtherChannel interfaces can be
SPAN sources. Ports cannot be configured as both sources and destinations.
Answer A is incorrect. Layer 2 switched ports and Layer 3 ports may function as SPAN sources or destinations.
Question 33
Answers B, C, and D are correct. RSPAN VLANs can be used only for
RSPAN traffic, and you cannot configure any ports in an RSPAN VLAN
except those selected to carry RSPAN traffic. Finally, RSPAN does not support BPDU monitoring. Answer A is incorrect. Networks impose no limit on
the number of RSPAN VLANs that the network can carry.
Question 34
Answer D is correct. The Network Analysis module gathers multilayer information about data and voice flows. Answer A is incorrect. The FlexWAN
module allows WAN connectivity via the 6000/6500 series switches. Answer
B is also incorrect. An RMON probe is a dedicated hardware device for monitoring the network and is not a module. Answer C is also incorrect. An IDS
module allows the 6000/6500 to monitor traffic for security breaches.
Question 35
Answer A is correct. These commands create an authentication list named
securelist. It is applied to the console port and indicates that TACACS+
should authenticate logins. If the service is not available, the local security
Question 36
Answer C is correct. To enter VLAN database configuration mode, the
vlan database command is issued from privileged EXEC mode. Answer A
is incorrect. (config) indicates global configuration mode. Answer B is
incorrect. (config-if) indicates interface configuration mode. Answer D is
also incorrect. (config-vlan) indicates VLAN configuration mode, which is
entered from global configuration mode.
Question 37
Answer D is correct. The native VLAN is not used to represent multiple
spanning tree instances to common spanning tree domains. Answers A, B,
and C are incorrect because they are valid statements. The native VLAN
allows untagged frames to be sourced and received over 802.1Q trunks. This
VLAN also becomes the VLAN of a trunk port if it is in nonoperational
trunk mode.
Question 38
Answer A is correct. The Generic Bridge PDU Tunneling (GBPT) solution
allows the tunneling of protocol data units through a service provider cloud.
Answer B is incorrect. RSTP enhances standard spanning tree
for faster convergence. Answer C is incorrect. Multiple spanning tree
enhances the 802.1Q protocol to support multiple instances of spanning
tree. Finally, answer D is also incorrect. PVST+ is Cisco's implementation of
multiple spanning trees.
Question 39
Answers A and C are correct. ISL is proprietary to Cisco and is not supported on switches from many other vendors. It demonstrates true encapsulation
by placing a new header and frame check sequence (FCS) on the original
Question 40
Answer B is correct. Nonegotiate causes the port not to participate in DTP.
You must configure the other port in the trunk link for trunking manually.
Answer A is incorrect; access causes permanent nontrunking mode, and
DTP frames are sent. Answer C is also incorrect. Dynamic desirable causes
the link to attempt to trunk; DTP frames are sent. Finally, answer D is also
incorrect. Dynamic auto makes the interface willing to trunk; DTP frames
are used.
Question 41
Answer B is correct. The link between the customer device and the service
provider edge switch is called an asymmetric link because one end is a trunk
port and the other is a tunnel port. Answer A is incorrect. A trunk link is not
used between the enterprise and the service provider. Answers C and D are
incorrect. A tunnel link is not used in 802.1Q tunneling, nor is an access link.
Question 42
Answers A, B, and C are correct. Common troubleshooting steps include
verifying encapsulations, switch port modes, and native VLAN configurations in the case of 802.1Q. Answer D is incorrect. VLAN mapping is not a
valid troubleshooting step.
Question 43
Answer C is correct. Use the switchport trunk native vlan vlan-id command to
specify the native VLAN. VLAN 1 is the default. Answers A, B, D, and E are
incorrect. Native 10 produces a syntax error, as does every other option
presented.
Question 44
Answers B and D are correct. VTP pruning is disabled on this switch as evidenced by the VTP Pruning Mode : Disabled output. Also, the domain name
is test as evidenced by the output: VTP Domain Name : test. Answers A and
C are incorrect. The switch is not running VTP version 2 as evidenced by
the output VTP V2 Mode : Disabled. Because this switch is running in server mode, VLANs can be created, modified, and deleted on this device.
Question 45
Answers C and D are correct. The most common cause for the nonpropagation of VLAN information over VTP domains is the misconfiguration of
trunk links or domain names on devices. Answer A is incorrect. Only one or
two VTP server systems should exist in the network. Answer B is also incorrect. Currently, only two versions of VTP exist: version 1 and version 2.
Question 46
Answers A, B, and C are correct. All of these statements accurately describe
transparent bridging. Answer D is incorrect. Unknown unicast destination
addresses are flooded; known unicast destination addresses are intelligently forwarded.
Question 47
Answers A and C are correct. Each switch in a Spanning Tree topology has
a unique Bridge ID value. It is made up of a Bridge Priority value and a MAC
address. Answer B is incorrect. Port Cost is a Spanning Tree value, but it is
not part of the Bridge ID. Answer D is also incorrect; instance ID is not a
valid Spanning Tree component.
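Bridge ID comparison is what decides the root election, and the arithmetic is worth seeing once. The Python below is an added example, not from the book: it builds the 8-byte 802.1D Bridge ID from a 16-bit priority and a 48-bit MAC, then elects a root from a constructed set of switches using the default priority of 32768 that Question 32 asks about. One caveat beyond the question: Catalyst platforms that use the extended system ID restrict the configurable priority to multiples of 4096 and carry the VLAN number in the low 12 bits of the priority field; this block models only the plain 802.1D layout.

```python
"""STP Bridge ID composition and root election (added example, not from the book).

Per 802.1D the Bridge ID is an 8-byte value: a 2-byte Bridge Priority followed by
the 6-byte bridge MAC address, and the lowest Bridge ID in the topology becomes
the root. Switch names and MACs below are constructed for illustration.
"""
import re

DEFAULT_PRIORITY = 32768  # the Cisco default quoted in the book


def mac_to_int(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or Cisco aabb.ccdd.eeff notation."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def bridge_id(priority, mac):
    """Return the 64-bit Bridge ID: priority in the high 16 bits, MAC in the low 48."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    return (priority << 48) | mac_to_int(mac)


def format_bridge_id(bid):
    """Render as priority.mac, e.g. 32768.0011.2233.4455."""
    priority, mac = bid >> 48, bid & 0xFFFFFFFFFFFF
    hexmac = f"{mac:012x}"
    return f"{priority}.{hexmac[0:4]}.{hexmac[4:8]}.{hexmac[8:12]}"


def elect_root(switches):
    """switches: {name: (priority, mac)}. The lowest Bridge ID wins. Ties on priority
    fall to the lowest MAC, which is why an unplanned root is often an old access
    switch rather than the core."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


if __name__ == "__main__":
    campus = {
        "core-1":   (DEFAULT_PRIORITY, "0011.2233.4455"),
        "core-2":   (DEFAULT_PRIORITY, "0011.2233.4466"),
        "closet-7": (DEFAULT_PRIORITY, "0001.9999.0001"),  # lower MAC wins the tie
    }
    print("all defaults, root is", elect_root(campus))
    for name, (prio, mac) in campus.items():
        print(f"  {name:9} {format_bridge_id(bridge_id(prio, mac))}")
    campus["core-1"] = (4096, campus["core-1"][1])
    print("core-1 lowered to 4096, root is", elect_root(campus))
```

The lesson the election loop makes concrete: with every switch left at 32768, the root is whichever device happens to have the lowest MAC address, so the root should always be chosen explicitly by lowering the priority on the intended switch.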
Question 48
Answers A and D are correct. Metro Ethernet over DWDM is an implementation option that provides gigabit rates with easy configuration and
transparency. It is typically used in the long-distance, ultra-high-bandwidth
Question 49
Answers B, C, and D are all correct. Low latency queuing, weighted fair
queuing, and class-based weighted fair queuing are all congestion management tools available for use in campus networks. Answer A is incorrect
because link fragmentation and interleaving is considered a link efficiency
mechanism, not a congestion management tool.
Question 50
Answer B is correct. The priority command is used to allow delay-sensitive
data to be dequeued and sent first. Answer A is incorrect. You use the fair-queue
interface configuration command to enable weighted fair queuing (WFQ) on an
interface. Answer C is incorrect. You use the class-map global configuration
command to create a class map used to match packets to a specified class.
Finally, answer D is incorrect. You use the policy-map command to enter QoS
policy-map configuration mode and configure the QoS policy map.
Question 51
Answer B is correct. You should use the debug priority command in order to
display priority queuing output. Answer A is incorrect. The debug ip rsvp
command displays information about Subnetwork Bandwidth Manager (SBM)
message processing and other RSVP-related parameters. Answer C is incorrect. The debug multilink ppp command is not valid. Finally, answer D is
incorrect. Use the debug ppp multilink fragments command to display information about individual multilink fragments and important multilink events.
Question 52
Answer A is correct. An Ether ACL is a non-existent ACL type. Answers B, C,
and D are incorrect because router, VLAN, and QoS are valid types of ACLs.
Question 53
Answer A is correct. Private VLAN infrastructures define isolated, community, and promiscuous ports. An isolated port features complete Layer 2 separation from other ports within the same private VLAN except for the
promiscuous port. Answer B is incorrect. There is no separated port in a private VLAN. Answer C is also incorrect. Community ports feature the ability to communicate amongst themselves and with promiscuous ports. Answer
D is also incorrect. Promiscuous ports (as their name implies) communicate
with all interfaces.
Question 54
Answer C is correct. The recommended configuration of PIM on a specific
interface is to use ip pim sparse-dense-mode. In this case, the interface is
treated as dense mode if the group is in dense mode, or as sparse mode if the
group is in sparse mode. Answer A is incorrect. ip pim dense-mode configures the interface for dense mode. Answer B is also incorrect. ip pim
sparse-mode configures the interface for sparse mode. Finally, answer D is
also incorrect. ip pim dense-sparse-mode is not a valid command.
Question 55
Answer B is correct. If UplinkFast is enabled on a root port and the link that
is directly connected to that port fails, the port can transition from the blocking state to the forwarding state in as little as 3 seconds after the detection of
the failure. Answer A is incorrect. PortFast eliminates the delay encountered
by computers that are connected directly to a switch in an STP network.
Enabling PortFast on a port allows it to begin forwarding as soon as the connected computer boots, rather than waiting the default 50 seconds. Answer
C is incorrect. BackboneFast reduces the convergence time that results when
an inferior Bridge Protocol Data Unit (BPDU) is detected. Finally, answer
D is also incorrect. RSTP is not a Cisco proprietary mechanism.
Question 56
Answers A and C are correct. VLAN trunking is supported by the IEEE
standards 802.10 and 802.1q. IEEE 802.10 defines VLAN trunking over
FDDI. IEEE 802.1Q defines a standardized method of trunking between different
vendors' devices. Answers B and D are incorrect. 802.1D defines
Spanning Tree Protocol, and 802.4 defines the Token Bus standard.
Question 57
Answer B is correct. An access link can be a member of only one VLAN.
Answer A is incorrect. A trunk link (not an access link) carries multiple
VLAN traffic. Answer C is also incorrect. 802.1Q trunk ports may receive
tagged and untagged frames. Answer D is also incorrect. Trunk ports are typically used to connect access layer and distribution layer switches.
Question 58
Answer C is correct. A crossover cable is used to connect like devices; in this
case, two switches. Answer A is incorrect. A straight-through cable is used to
connect unlike devices. For example, a switch and an end-user workstation.
Answer B is incorrect. A rollover cable is used to connect to the console port of
the switch. Finally, answer D is incorrect. A null-modem cable is not used to
connect switches to other switches, but is sometimes used for serial connections.
Question 59
Answer B is correct. All IPv4 multicast frames carry the same 24-bit prefix,
01:00:5e, in the destination MAC address. The remaining 24 bits are derived
from the IP multicast group address: its low-order 23 bits are copied in, and
the high bit of that field is zero. Answers A, C, and D are incorrect because
they do not begin with 01:00:5e.
Question 60
Answers A, B, and C are correct. Core-Based Trees (CBT) is not typically
implemented today. It was an early, experimental center-based tree
multicast routing protocol. Protocol Independent Multicast is commonly
used, however. DVMRP is a multicast routing protocol that uses a technique
known as reverse path forwarding. Answer D is incorrect. IGMP is used with
multicast, but it is not a routing protocol. IGMP provides a way for an
Internet computer to report its multicast group membership to adjacent
routers.
14
Sample Test 2
Question 1
Which definition correctly describes the broadcast transmission method?
A. One copy of each frame is sent to every client that requires the data.
B. A single copy of each frame is sent, using an address that reaches all
clients.
C. A single copy of each frame is sent, using a special address that
allows each client to decide whether it wants to receive the frame.
D. No frames are sent.
Question 2
In which transmission method are frames replicated as needed for transmission
to specific hosts?
A. Unicast
B. Multicast
C. Broadcast
D. Anycast
Question 3
Which statement about multicast transmission is true?
A. One copy of each packet is sent to every client.
B. A new packet is sent each time the client requests it.
C. Only one copy of each packet is sent, using an address that reaches all
the clients.
D. One copy of each packet is sent, using a special address that allows
each client to choose whether it receives the packet.
Question 4
Which of the following MAC addresses is a multicast address?
A. 00-00-5E-0A-08-05
B. 00-01-5E-0A-08-05
C. 01-00-5E-0A-08-05
D. 01-00-5F-0A-08-05
Question 5
IGMP query messages are addressed to the all-host group (224.0.0.1) with the
TTL set to 1. What is the purpose of setting the TTL to 1?
A. This ensures that all multicast routers see the query message.
B. This ensures that all multicast routers forward the query message.
C. This ensures flooding of the query message.
D. This ensures the query message remains in the subnetwork.
Question 6
Which of the following multicast address ranges are reserved?
A. 224.0.0.0 to 239.255.255.255
B. 192.168.2.1 to 192.168.2.100
C. 224.0.0.0 to 224.0.0.255
D. 234.0.0.0 to 234.0.0.255
Question 7
________ is a Cisco-developed protocol that allows Catalyst switches to learn
about the existence of multicast clients from Cisco routers and Layer 3 switches.
A. IGMP Version 1
B. IGMP Version 2
C. CGMP
D. MCAST
Question 8
You have a network monitoring probe installed in your campus LAN. You would
like to monitor all the packets that emanate from a particular VLAN. What should
you configure?
A. SPAN
B. RSPAN
C. VSPAN
D. IGMP
Question 9
What is the purpose of the following command?
Switch(config)# monitor session 1 source interface fastethernet 5/1 both
Question 10
You're contemplating the purchase of a Network Analysis module for your
Catalyst 6500. What protocol does the NAM utilize to monitor and analyze
traffic?
A. ICMP
B. SMTP
C. TFTP
D. CDP
E. RMON
Question 11
Examine the following command output. Which command was used to generate the output?
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit = Primary
Unit ID = 1
Redundancy Mode (Operational) = Route Processor Redundancy Plus
Redundancy Mode (Configured) = Route Processor Redundancy Plus
Split Mode = Disabled
Manual Swact = Disabled Reason: Simplex mode
Communications = Down Reason: Simplex mode
client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 4000 milliseconds
keep_alive count = 0
keep_alive threshold = 7
RF debug mask = 0x0
A. show redundancy
B. show redundancy counters
C. show redundancy switchover
D. show redundancy states
Question 12
You need to configure redundancy for the two supervisor engines you've
installed. You're interested in a solution that allows switchover in two to four
minutes. Which solution meets this requirement?
A. RPR
B. RPR+
C. HSRP
D. VRRP
Question 13
You're responsible for the network security of your campus network infrastructure. Which of the following are recommended security configurations for your
Catalyst switches? (Choose all that apply.)
A. Secure access to VTY ports
B. Secure SNMP
C. Secure physical access to the console
D. Enable HTTP services and choose a non-default HTTP port
E. Engage in CDP trimming
Question 14
Which component of AAA services provides a method of collecting and sending
security server information used for billing, auditing, and reporting?
A. Authorization
B. Accounting
C. Authentication
D. Auditing
Question 15
You're considering port security in your Catalyst switch environment. You're
examining the command:
Switch(config-if)# switchport port-security [maximum value] violation {protect | restrict | shutdown}
Question 16
You're considering implementing 802.1X port-based authentication in your network. What role does your Catalyst switch play in this security scheme?
A. Client
B. Authentication server
C. Authenticator
D. Workstation
Question 17
What command produces the following output?
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                  Ports   Remaining Age
                                                        (mins)
----    -----------       ----                  -----   -------------
   1    0001.0001.0001    SecureDynamic         Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic         Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured      Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured      Fa5/1
   1    0001.0001.1113    SecureConfigured      Fa5/1
   1    0005.0005.0001    SecureConfigured      Fa5/5   23
   1    0005.0005.0002    SecureConfigured      Fa5/5   23
   1    0005.0005.0003    SecureConfigured      Fa5/5   23
   1    0011.0011.0001    SecureConfigured      Fa5/11  25 (I)
A. show port-security
B. show port-security interface fastethernet 5/1
C. show port-security address
D. show port-security MAC
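Outside the exam, that table is something an engineer scripts against. The Python below is an added example, not from the book or from Cisco: it parses a constructed copy of the output above (same layout; the two rows the book prints with no remaining age are written with a '-' here), then totals secure addresses per port so the count can be compared against the maximum each port is meant to carry. Interface names and MAC addresses are illustrative.

```python
"""Parse 'show port-security address' output and audit it (added example, not from the book).

SAMPLE_OUTPUT is constructed to match the layout of the table in Question 17;
interfaces and MACs are illustrative.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                  Ports   Remaining Age
                                                        (mins)
----    -----------       ----                  -----   -------------
   1    0001.0001.0001    SecureDynamic         Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic         Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured      Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured      Fa5/1   -
   1    0001.0001.1113    SecureConfigured      Fa5/1   -
   1    0005.0005.0001    SecureConfigured      Fa5/5   23
   1    0005.0005.0002    SecureConfigured      Fa5/5   23
   1    0005.0005.0003    SecureConfigured      Fa5/5   23
   1    0011.0011.0001    SecureConfigured      Fa5/11  25 (I)
"""

# vlan, dotted MAC, type, port, optional age ("15" or "-"), optional "(I)" flag.
# Header, separator and "(mins)" lines do not start with a VLAN number and are skipped.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(Secure\w+)\s+(\S+)(?:\s+(\d+|-))?(?:\s+\((I)\))?\s*$"
)


@dataclass(frozen=True)
class SecureAddress:
    vlan: int
    mac: str
    kind: str                     # SecureDynamic, SecureConfigured, ...
    port: str
    remaining_min: Optional[int]  # None when the column shows "-" or nothing
    aging: Optional[str]          # "inactivity" when flagged (I), "absolute" otherwise


def parse_secure_addresses(text):
    """Return the data rows of the table as SecureAddress records."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, kind, port, age, flag = m.groups()
        remaining = int(age) if age and age.isdigit() else None
        aging = None if remaining is None else ("inactivity" if flag == "I" else "absolute")
        entries.append(SecureAddress(int(vlan), mac.lower(), kind, port, remaining, aging))
    return entries


def addresses_per_port(entries):
    """{port: {"dynamic": n, "configured": n}}: learned versus statically configured
    addresses, the split that matters when a port is near its configured maximum."""
    counts = defaultdict(lambda: {"dynamic": 0, "configured": 0})
    for e in entries:
        bucket = "dynamic" if e.kind == "SecureDynamic" else "configured"
        counts[e.port][bucket] += 1
    return dict(counts)


def ports_over_limit(entries, maximum):
    """Ports carrying more secure addresses than `maximum`, sorted by name."""
    totals = {p: sum(c.values()) for p, c in addresses_per_port(entries).items()}
    return sorted(p for p, n in totals.items() if n > maximum)


if __name__ == "__main__":
    rows = parse_secure_addresses(SAMPLE_OUTPUT)
    print(len(rows), "secure addresses")
    for port, c in sorted(addresses_per_port(rows).items()):
        print(f"{port:7} dynamic={c['dynamic']} configured={c['configured']}")
    print("over a limit of 3:", ports_over_limit(rows, 3))
```

Feed it the real output of show port-security address captured from each switch and the per-port totals fall straight out; a port whose total exceeds the value set with switchport port-security maximum is the one to look at first.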
Question 18
Which of the following are valid actions that are permitted when using VACLs?
(Choose all that apply.)
A. Permit
B. Redirect
C. Deny
D. Log
Question 19
You're considering the implementation of private VLANs in your campus network. Which of the following is the correct description of a community port?
A. A port that can communicate with all interfaces
B. A port that has complete separation from other ports in the private
VLAN, with the exception of the promiscuous port
C. A port that communicates with other ports and the promiscuous port
D. A port that cannot communicate with any other port
Question 20
IP telephony, multiunit applications, content networking, and storage networking are all examples of what part of the Cisco AVVID architecture?
A. Network infrastructure
B. Intelligent network services
C. Network solutions
D. Vertical solutions
Question 21
Which of the following are best practices for the server farm distribution layer?
(Choose all that apply.)
A. Deploy caching systems where appropriate
B. Implement server load balancing
C. Implement server content routing
D. Deploy a single device with redundant logical elements
Question 22
You're having trouble communicating with your switch from a terminal that's
connected to the console port. Which of the following troubleshooting steps are
appropriate? (Choose all that apply.)
A. Ensure that the cable type is correct
B. Ensure the terminal configuration matches the switch console port
configuration
C. Ensure that there is a console password configured
D. Ensure that the cable pinouts are correct for the supervisor engine
Question 23
Which of the following issues do VLAN designs help solve in a campus network? (Choose all that apply.)
A. Efficient bandwidth utilization
B. Security
C. Load balancing
D. Increased availability
E. Isolation of failure domains
Question 24
You need to assign the Fast Ethernet 5/1 port to VLAN number 20. What is the
correct command to make this configuration?
A. Switch(config-if)#switchport access vlan 20
B. Switch(config-if)#switchport vlan 20
C. Switch(config-if)#vlan 20
D. Switch(config-if)#switchport mode access vlan 20
Question 25
You're verifying the VLAN configuration in your campus network. Which of the
following commands produces the output shown here?
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Port Protected: Off
Unknown Unicast Traffic: Allowed
Unknown Multicast Traffic: Allowed
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100
Question 26
Which Dynamic Trunking Protocol option places an interface in permanent
trunking mode and prevents the interface from generating DTP frames?
A. access
B. trunk
C. nonegotiate
D. dynamic desirable
E. dynamic auto
Question 27
Which of the following statements regarding 802.1Q native VLANs are correct?
(Choose all that apply.)
A. The native VLAN is the VLAN that a port is in when not in operational
trunking mode.
B. Native VLAN traffic is sent untagged on the network.
C. The default native VLAN is 1000.
D. Every 802.1Q port is assigned a PVID value based on the port ID.
Question 28
You're being forced to troubleshoot your campus network because a trunk link
cannot be established between two of your Catalyst switches. You're attempting
to configure 802.1Q as the trunking mechanism. What are troubleshooting
steps that you should perform?
A. Ensure the interface mode configured at each end is valid
B. Ensure compatible trunk encapsulation types
C. Verify the VTP domain name and password at each end of the link
D. Ensure the native VLAN matches at each end of the link
Question 29
One of the most critical components of VTP is the configuration revision number.
What is the configuration revision number on a transparent mode VTP device?
A. 1
B. 2
C. Unknown
D. 0
Question 30
Youre examining the different features available with VLAN Trunking Protocol.
What is the purpose of VLAN pruning?
A. VTP pruning uses VLAN advertisements to determine when a trunk
connection is flooding traffic needlessly.
B. VTP pruning reduces the number of VTP advertisements that switches
must send.
C. VTP pruning eliminates the need for a configuration revision number.
D. VTP pruning eliminates the propagation of native VLAN frames.
Question 31
You're troubleshooting your VTP configuration in your campus network. You
cannot get VLAN information shared between two devices in the network.
You've taken the following steps:
Ensured that the VTP domain name is properly configured on both devices
Verified that the devices are not in VTP transparent mode
Verified that the password is set on both devices
Question 32
What is the default spanning tree priority value for a Cisco switch?
A. 4096
B. 8192
C. 32,768
D. 0
Question 33
Which of the following describes the Building Distribution block of the campus
infrastructure?
A. A module that contains end-user workstations, IP phones, and Layer 2
access switches that connect devices to the server farm
B. A module that contains email and corporate servers providing application, file, print, email, and DNS services to internal users
C. Aggregates the connectivity from the various elements of the
Enterprise Edge functional area and routes the traffic into the Campus
Backbone
D. Aggregates the building access devices, often using Layer 3 switching;
it also performs routing, QoS, and access control
Question 34
VLANs operate at Layer 2 of the OSI model. Which of the following devices allow
communication between VLANs? (Choose all that apply.)
A. Hub
B. Layer 2 switch
C. Layer 3 switch
D. Translational bridge
E. Router
Question 35
Which of the following commands assigns a port to a VLAN?
A. Switch(config)# interface FastEthernet 0/1 vlan 3
B. Switch(config)# switchport mode access 3 vlan
C. Switch(config-if)# switchport mode access 3 vlan
D. Switch(config-if)# switchport vlan 3 static
E. Switch(config-if)# switchport access vlan 3
Question 36
Which of the following trunking protocols encapsulates the frame?
A. 802.1Q
B. ISL
C. VTP
D. 802.10
Question 37
Spanning Tree Protocol (STP) helps prevent bridging loops in Cisco campus
networks. Which of the following would cause STP to fail in its efforts to prevent loops? (Choose all that apply.)
A. Duplex mismatch
B. Frame corruption
C. Broadcasts
D. Corrupted CAM table
E. Unidirectional link failure
Question 38
Which type of multilayer switching uses a FIB? (Choose all that apply.)
A. Route caching
B. Flow-based switching
C. Demand-based switching
D. Topology-based switching
E. CEF
Question 39
You're examining the adjacency table in CEF-based multilayer switching through
the use of the show adjacency command. Which type of adjacency entry is used
for features that require special handling or for features that are not yet supported in conjunction with CEF switching paths?
A. null adjacency
B. punt adjacency
C. glean adjacency
D. next-hop adjacency
Question 40
You're comparing redundancy features for your Catalyst 6500 Series switch.
You've invested in dual supervisor engines for your Catalyst 6509. Which is not
an advantage that RPR+ has over RPR?
A. Reduced switchover time
B. Online insertion and removal of the redundant supervisor engine
C. Auto VLAN database configuration
D. Running configuration is saved
Question 41
Which technology uses ICMP router advertisements and router solicitation
messages to allow a host to discover the addresses of operational routers on a
subnet?
A. HSRP
B. VRRP
C. IRDP
D. OSPF
Question 42
You're configuring HSRP in the redundant distribution layer of your campus network. You have routers configured with the following settings:
RouterA:
Priority 200
IP address: 172.16.10.169
MAC: 0010.0c07.ac2f
Group 47
RouterB:
Priority 150
IP address: 172.16.10.169
MAC: 0010.0c07.d000
Group 47
RouterC:
Priority 125
IP address: 172.16.10.169
MAC: 0010.0c07.23a0
Group 47
RouterD:
Priority 200
IP address: 172.16.10.82
MAC: 0010.0c07.45c3
Group 48
Question 43
Which of the following HSRP states indicates that the router is a candidate for
active router, causes the router to send periodic hello messages, and ensures
that the router knows the virtual router IP address?
A. initial
B. listen
C. standby
D. speak
E. active
Question 44
What protocol provides redundancy for either a real IP address of a router or a
virtual IP address shared among its members, and considers all nonmaster
routers as backups?
A. VRRP
B. HSRP
C. IRDP
D. GLBP
Question 45
You're interested in designing a redundant distribution layer in your campus
network. You'd like to ensure that the standby members of the redundant group
are not underutilized along with their upstream bandwidth. Which protocol
should you consider?
A. HSRP
B. VRRP
C. GLBP
D. SRM
Question 46
You're interested in configuring single router mode on your Catalyst 6500
switch. Which of the following commands enables this configuration?
A. Switch(config)# single-router-mode
B. Switch(config-r)# single-router-mode
C. Switch(config-r-ha)# single-router-mode
D. Switch(config-r)# srm
Question 47
Which of the following commands correctly specifies an IP address of a server
to be a member of an SLB server farm?
A. Switch(config)# real 10.64.164.1
B. Switch(config-slb-sfarm)# real 10.64.164.1
C. Switch(config)# ip slb serverfarm 10.64.164.1
D. Switch(config-slb-sfarm)# ip slb serverfarm 10.64.164.1
Question 48
What is a benefit of the auxiliary VLAN feature of Catalyst switches?
A. Increased availability
B. Easier network management
C. Reduced bandwidth utilization
D. Network segmentation and control
Question 49
Which is not a network availability issue that QoS addresses?
A. Jitter
B. Delay
C. Reliability
D. Packet loss
Question 50
Which queuing method provides strict priority queuing, enabling you to configure the priority status for a class within class-based weighted fair queuing?
A. CQ
B. PQ
C. FIFO
D. LLQ
E. WFQ
F. WRR
Question 51
What is the purpose of the ToS field in an IP header?
A. Identifies the type of payload in the IP packet
B. Identifies network control information for the packet
C. Assigns a priority to an IP packet as it traverses the network
D. Indicates the proper queue for an IP packet as it traverses the network
Question 52
On which network links is LFI especially useful?
A. On fast links whose speed is greater than 1.544Mbps
B. On slow-speed links whose speed is less than 64Kbps
C. On slow-speed links whose speed is less than 768Kbps
D. On slow-speed links whose speed is less than 1.544Mbps
Question 53
Weighted random early detection (WRED) generally drops packets selectively
based on what value?
A. Queue size
B. IP precedence or DSCP
C. TCP congestion control
D. Random early detection (RED)
Question 54
Which Cisco IOS command displays priority queuing output?
A. debug ip rsvp
B. debug priority
C. debug multilink ppp
D. debug ppp multilink fragments
Question 55
You're interested in assigning a traffic policy that you've created to an interface
in your campus network. What is the correct command to accomplish this?
A. class-map
B. policy-map
C. service-policy
D. mls qos
E. mls qos trust
Question 56
What module for the 6000 and 6500 Series switches provides a network management and monitoring solution?
A. FlexWAN module
B. IDS Sensor
C. Network Analysis module
D. Supervisor Engine
Question 57
Which command correctly configures a SPAN interface to monitor only ingress
traffic?
A. monitor session 1 source interface fastethernet 5/1 rx
B. monitor session 1 source interface fastethernet 5/1 tx
C. monitor session 1 destination interface fastethernet 5/1
D. monitor session 1 source interface fastethernet 5/1 both
Question 58
Which of the following commands globally enables AAA on a Cisco switch?
A. aaa authentication login
B. ppp authorization
C. new aaa model
D. aaa new-model
Question 59
You're considering the use of port security to help secure your enterprise campus network. You'd like an interface to enter an error-disabled state when a
security violation occurs. What command should you use?
A. Switch(config-if)# switchport port-security 1 violation protect
B. Switch(config-if)# switchport port-security 1 violation restrict
C. Switch(config-if)# switchport port-security 1 violation shutdown
D. Switch(config-if)# switchport port-security 1 violation null
Question 60
Which of the following Metro Ethernet tunneling options features the drawback
of poor scalability?
A. 802.1Q
B. 802.1Q-in-Q
C. EoMPLS
D. EoMPLS Encapsulation Point-to-Multipoint
15
Answer Key 2
 1. B              21. A, B, C        41. C
 2. A              22. A, B, D        42. B
 3. D              23. A, B, C, E     43. C
 4. C              24. A              44. A
 5. D              25. D              45. C
 6. C              26. C              46. C
 7. C              27. A, B           47. B
 8. C              28. A, B, D        48. D
 9. A              29. D              49. C
10. E              30. A              50. D
11. D              31. C              51. C
12. A              32. C              52. C
13. A, B, C, E     33. D              53. B
14. B              34. C, E           54. B
15. B              35. E              55. C
16. C              36. B              56. C
17. C              37. A, B, E        57. A
18. A, B, C        38. D, E           58. D
19. C              39. B              59. C
20. C              40. C              60. A
Question 1
Answer B is correct. In a broadcast design, an application sends only one
copy of each packet using a broadcast address. Answer A is incorrect. In a
unicast design, one copy of each frame is sent to every client that requires the
data. Answer C is incorrect. In a multicast design, a single copy of each frame
is sent using a special address that allows each client to decide whether it
wants to receive the frame. Finally, answer D is incorrect. Frames are sent in
a broadcast design.
Question 2
Answer A is correct. Unicast transmissions involve the replication of frames
for the specific clients that require the data. Answers B, C, and D are incorrect. In a multicast, broadcast, or anycast design, packets do not require
replication for transmission to multiple hosts.
Question 3
Answer D is correct. Multicast designs involve sending one copy of each
packet, using a special address that allows each client to choose whether it
receives the packet. Answer A is incorrect. Under multicast, packets are not
replicated and sent to clients. Answer B is also incorrect. New packets are not
sent per client requests. Also answer C is incorrect. Under multicast, a
broadcast address is not used.
Question 4
Answer C is correct. Multicast MAC addresses begin with the prefix 01-005E. Answers A, B, and D are incorrect. All the other MAC address examples
here do not begin with 01-00-5E.
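This question, and Question 59 in Answer Key 1, turn on the IPv4 group-to-MAC mapping. The Python below is an added example, not from the book: it performs the RFC 1112 mapping (01:00:5e plus the low-order 23 bits of the group address), checks a candidate MAC against that range, and lists the 32 groups that collapse onto a single MAC because five bits of the group address are discarded. It goes one step past the question by distinguishing "any Ethernet group MAC" (I/G bit set, as in option D) from "an IPv4 multicast MAC" (the 01:00:5e range the answer key expects); the function names are this example's own.

```python
"""IPv4 multicast group -> Ethernet MAC mapping (added example, not from the book).

RFC 1112: the low-order 23 bits of the group address are placed in the low 23 bits
of 01:00:5e:00:00:00. Five bits of the group address are discarded, so 32 groups
share every MAC; that ambiguity is the practical caveat when filtering on MAC.
"""
import ipaddress

IPV4_MCAST_MAC_BASE = 0x01005E000000  # 01:00:5e:00:00:00
LOW23 = 0x7FFFFF                      # mask for the 23 bits that survive the mapping


def group_to_mac(group):
    """Colon-separated, lowercase MAC address for an IPv4 multicast group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a Class D (224.0.0.0/4) address")
    mac = IPV4_MCAST_MAC_BASE | (int(ip) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def _mac_int(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC {mac!r}")
    return int(digits, 16)


def is_group_mac(mac):
    """True for any Ethernet group address: the I/G bit (low bit of the first octet) is set."""
    return bool((_mac_int(mac) >> 40) & 0x01)


def is_ipv4_multicast_mac(mac):
    """True only for MACs in the IPv4 mapping range 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff.

    Everything above bit 23 must equal the base, which also forces bit 23 to zero.
    """
    return (_mac_int(mac) >> 23) == (IPV4_MCAST_MAC_BASE >> 23)


def groups_sharing_mac(group):
    """The 32 IPv4 multicast groups that map onto the same MAC as `group`."""
    group_to_mac(group)  # validates that it is a multicast address
    low = int(ipaddress.IPv4Address(group)) & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low)) for i in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.255.255.255", "225.0.0.1", "224.128.0.1"):
        print(f"{g:16} -> {group_to_mac(g)}")
    print("groups colliding with 224.0.0.1:", ", ".join(groups_sharing_mac("224.0.0.1")))
    for candidate in ("00-00-5E-0A-08-05", "00-01-5E-0A-08-05",
                      "01-00-5E-0A-08-05", "01-00-5F-0A-08-05"):
        print(f"{candidate}: group={is_group_mac(candidate)} "
              f"ipv4_multicast={is_ipv4_multicast_mac(candidate)}")
```

The collision list is the point to remember when a switch constrains multicast by MAC, as CGMP and IGMP snooping do: a port joined to 224.0.0.1 also receives frames for 225.0.0.1 and the other thirty groups that share 01:00:5e:00:00:01, and the host's IP layer has to discard them.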
Question 5
Answer D is correct. Setting the TTL value to 1 ensures that the query message
stays within the local subnetwork. Remember, routers decrement the TTL when
they forward packets, so a packet that arrives with a TTL of 1 is not forwarded.
Answer A is incorrect. A TTL of 1 does not ensure that all multicast routers
see the message; only the routers on the local subnet receive it. Answer B is
incorrect. Multicast routers will not forward the query message because of the
TTL of 1. Answer C is also incorrect. The message is not flooded by multicast
routers.
Question 6
Answer C is correct. Addresses ranging from 224.0.0.0 to 224.0.0.255 are
reserved for local purposes; multicast routers do not forward datagrams
destined for this range of addresses. Answer A is incorrect because 224.0.0.0
to 239.255.255.255 describes the entire range of Class D addresses. Answer
B is incorrect because 192.168.2.1 to 192.168.2.100 is not a valid multicast
address range. Finally, answer D is incorrect because 234.0.0.0 to
234.0.0.255 is a valid multicast range, but it is not reserved.
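The following is an added illustration of the facts behind Questions 4 and 6; it is not code from the book. It classifies an IPv4 group address (link-local 224.0.0.0/24 versus routable Class D versus non-multicast) and derives the 01-00-5E Ethernet address for a group. The 23-bit mapping rule it uses comes from RFC 1112, which the answer key does not spell out; the function and constant names are the example's own.

```python
import ipaddress

# IANA prefix for IPv4 multicast MAC addresses (Question 4).
MULTICAST_MAC_PREFIX = "01-00-5E"
# Link-local block: reserved, never forwarded by multicast routers (Question 6).
LINK_LOCAL_BLOCK = ipaddress.ip_network("224.0.0.0/24")
# The whole Class D range.
CLASS_D = ipaddress.ip_network("224.0.0.0/4")


def classify_group(addr: str) -> str:
    """Return 'link-local', 'routable', or 'not-multicast' for an address."""
    ip = ipaddress.ip_address(addr)
    # Check the version first so an IPv6 address never reaches the
    # mixed-version containment test below.
    if ip.version != 4 or ip not in CLASS_D:
        return "not-multicast"
    if ip in LINK_LOCAL_BLOCK:
        return "link-local"
    return "routable"


def multicast_mac(addr: str) -> str:
    """Map an IPv4 group address to its Ethernet MAC.

    Per RFC 1112 the MAC is 01-00-5E followed by the low-order 23 bits of
    the group address. Because only 23 of the 28 variable bits survive,
    32 different groups share each MAC (for example 224.128.0.1 and
    225.0.0.1), so a switch that filters on MAC alone cannot tell them apart.
    """
    if classify_group(addr) != "not-multicast":
        low23 = int(ipaddress.ip_address(addr)) & 0x7FFFFF
        octets = [(low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
        return MULTICAST_MAC_PREFIX + "".join(f"-{o:02X}" for o in octets)
    raise ValueError(f"{addr} is not an IPv4 multicast group address")


def is_multicast_mac(mac: str) -> bool:
    """True when a MAC (colon or hyphen separated) carries the 01-00-5E prefix."""
    normalized = mac.strip().upper().replace(":", "-")
    return normalized.startswith(MULTICAST_MAC_PREFIX + "-")


if __name__ == "__main__":
    # Constructed sample values, not from the book.
    for group in ("224.0.0.1", "239.255.255.250", "224.128.0.1", "225.0.0.1"):
        print(group, classify_group(group), multicast_mac(group))
    print("192.168.2.1", classify_group("192.168.2.1"))
```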
Question 7
Answer C is correct. Cisco Group Management Protocol (CGMP) limits the
forwarding of IP multicast packets to only those ports associated with IP
multicast clients. Switches learn about multicast members from multicast
route processors. Answers A and B are incorrect. Internet Group
Management Protocol (IGMP) versions 1 and 2 are protocols used by IPv4
systems to report IP multicast memberships to neighboring multicast
routers. These are not Cisco proprietary protocols. Finally, answer D is
incorrect as well. MCAST is not a valid protocol name.
Question 8
Answer C is correct. VSPAN refers to using a source VLAN for the SPAN
configuration. You may monitor all the traffic leading into or coming from a
VLAN. This is the easiest way to configure the requirement presented in this
question. Answer A is incorrect. SPAN enables you to monitor port(s).
Answer B is incorrect. Remote SPAN enables you to monitor ports from several switches. Finally, answer D is also incorrect. IGMP is a multicast protocol and has nothing to do with port monitoring.
Question 9
Answer A is correct. With this command, the FastEthernet 5/1 interface is
configured as a SPAN source; inbound and outbound traffic is monitored.
Answer B is incorrect because this command does not configure a destination SPAN port. Answer C is incorrect because it does not configure both
sources and destinations. Finally, answer D is incorrect because there is no
such mode as switchport monitor mode.
Question 10
Answer E is correct. The NAM uses remote monitoring (RMON) to monitor and analyze network traffic. Answer A is incorrect. ICMP (Internet
Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. Answer B is incorrect. Simple Mail Transfer Protocol (SMTP) is used to move mail via the
Internet. Answer C is incorrect. Trivial File Transfer Protocol (TFTP) is
used to move files via the Internet. Answer D is incorrect. The Cisco
Discovery Protocol (CDP) is used to discover connected devices.
Question 11
Answer D is correct. This output is a result of the show redundancy states
command. It displays the redundancy facility state information. Answer A is
incorrect. The show redundancy command is not a valid command without
parameters. Answer B is incorrect. The show redundancy counters command displays the redundancy facility counter information. Answer C is
incorrect. The show redundancy switchover command displays the
switchover counts, the uptime since active, and the total system uptime.
Question 12
Answer A is correct. RPR supports a switchover time of 2 to 4 minutes.
Answer B is incorrect. RPR+ supports a switchover time of 30 to 60 seconds.
Also, answers C and D are incorrect. HSRP and VRRP are not used for
supervisor engine redundancy; they're used for router redundancy for client
systems.
Question 13
Answers A, B, C, and E are correct. You should protect your VTY ports to
secure Telnet access. This includes assigning passwords and using ACLs. You
should secure SNMP by prohibiting read/write access wherever possible.
You must also secure access to the console port. Physical access to this port
allows a user to circumvent all security mechanisms. You should also trim
CDP by disabling the protocol on ports that connect to external users.
Answer D is incorrect. To secure your system, you should disable the built-in
HTTP server.
Question 14
Answer B is correct. Accounting services are a component of AAA. Security
experts can use this information gained from this service to audit and
improve security. Answer A is incorrect. Authorization provides the method
for remote access control. Answer C is incorrect. Authentication provides
the method of identifying users, including login and password information.
Answer D is incorrect. Auditing is not one of the AAA services.
Question 15
Answer B is correct. The Maximum Value option allows the network administrator to define the maximum number of MAC addresses that can be supported by the port. Answer A is incorrect. The value has nothing to do with
the duration of connections. Answers C and D are also incorrect. The value
does not control the number of frames that may be received or sent.
Question 16
Answer C is correct. The switch is called the authenticator in the 802.1X
security environment. Answer A is incorrect. The client is the workstation
that requests access to the LAN. Answer B is incorrect. The authentication
server performs the actual authentication. Answer D is incorrect. The workstation is the client in the 802.1X environment.
Question 17
Answer C is correct. When used with the show port-security command, the
address parameter displays the MAC address table security information.
Answer A is incorrect. show port-security displays security information for
all interfaces. Answer B is also incorrect. The interface argument restricts the
output to a specific interface. Answer D is incorrect because there is no such
parameter as the MAC keyword.
Question 18
Answers A, B, and C are correct. Three VACL actions are permitted: Permit,
Redirect, and Deny. Answer D is incorrect. There is no such VACL option
as Log. Deny with logging is available on the Cat 6500 only.
Question 19
Answer C is correct. A community port can communicate with other community ports and the promiscuous ports. Answer A is incorrect. The promiscuous port can communicate with all interfaces. Answer B is incorrect. An
isolated port has complete Layer 2 separation from other ports except the
promiscuous port. There is no port that features complete isolation as indicated in answer D.
Question 20
Answer C is correct. Network solutions allow enterprises to make business
decisions about the business itself as well as about networks and the technologies and applications that run on them. Answers A, B, and D are incorrect. Examples of network infrastructure components include devices such as
routers, LAN switches, WAN switches, and PBXs. Intelligent network services include security, network management, quality of service, IP multicast,
and high availability. Vertical solutions and markets include health care,
retail, and financial services.
Question 21
Answers A, B, and C are correct. Cisco recommends caching systems, server
load balancing, and server content routing in the distribution layer of the
server farm. These are all possible with Cisco's Content Networking solutions.
Answer D is incorrect. In a very large network, you should deploy multiple
network devices. In smaller networks, a single device with redundant
logical elements is appropriate.
Question 22
Answers A, B, and D are correct. When you're troubleshooting console port
connectivity, you should make sure that you're using the correct type of
cable. You should also ensure the terminal configuration matches the switch
console port configuration. This is typically 9600 baud, 8 data bits, no parity, 1 stop bit. You should also make sure that the cable pinouts are correct for
your supervisor engine. Answer C is incorrect. A console password does not
need to be configured on the switch.
Question 23
Answers A, B, C, and E are correct. Through the division of the network into
smaller broadcast domains, bandwidth is used more efficiently. VLANs
improve security by segregating frames into smaller groups. Combined with
routing, VLANs can be used to improve load balancing over multiple paths.
VLANs also help to reduce the impact of network problems. Answer D is
incorrect. VLANs do not directly improve the availability of network
resources.
Question 24
Answer A is correct. To add the interface to the VLAN, use the switchport
access vlan command. Answers B, C, and D are incorrect. All other syntax
examples here produce errors on the switch because they're invalid commands.
Question 25
Answer D is correct. The show interface gigabitEthernet 0/1 switchport
command displays switch port information for the gigabitEthernet 0/1
interface. Answers A, B, and C are incorrect. All other syntax examples here
produce errors on the switch because they're invalid commands.
Question 26
Answer C is correct. The nonegotiate option can be used to force trunking,
and prevents an interface from sending DTP frames. Answer A is incorrect.
Access places an interface into nontrunking mode. Answer B is incorrect.
Trunk does force trunking, but also sends DTP frames. Answer D is incorrect. Dynamic desirable sends DTP frames. Finally, answer E is incorrect
because dynamic auto does not force trunking.
Question 27
Answers A and B are correct. A native VLAN is the VLAN that a port
belongs to when not in operational trunking mode. Also, when in trunking
mode, the port sends traffic from this VLAN untagged. Answers C and D are
incorrect. The default native VLAN is VLAN 1. Each physical port does
have a PVID value, but it is based on the native VLAN ID.
Question 28
Answers A, B, and D are correct. To troubleshoot a trunk link issue, you
should ensure that the interface modes are properly configured; for example,
dynamic desirable at one end and dynamic auto at the other. You should also
ensure the trunk encapsulation type configured at each end is compatible.
Finally, ensure that the native VLAN configuration matches at each end.
Answer C is incorrect. The VTP configuration does not affect the trunk
configuration.
Question 29
Answer D is correct. The configuration revision number is used to track
VLAN changes. The configuration revision number in transparent mode is
always 0. This ensures the device does not participate in VTP. Answers A, B,
and C are incorrect. The configuration revision number in transparent mode
is always 0, and therefore cannot be any other value.
Question 30
Answer A is correct. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the
appropriate network devices. Answer B is incorrect. VTP does not affect the
number of VLAN advertisements that are sent. Answer C is incorrect. VTP
does not eliminate the need for a configuration revision number. Finally,
answer D is incorrect. VTP pruning does not affect the propagation of native
VLAN frames.
Question 31
Answer C is correct. For VTP information to pass from switch to switch, the
switches must be connected by trunks. Answer A is incorrect. It is recommended that you configure at least two switches in server mode. However, it
is not recommended for all switches to be in such a configuration. Answer B
is incorrect. All switches do not need to be VTP version 2 compatible.
Finally, answer D is incorrect. Configuring all switches as clients is not a
valid configuration.
Question 32
Answer C is correct. The default spanning tree priority value is 32,768.
Answer A is incorrect. 4096 is the recommended root bridge priority value.
Answer B is incorrect. 8192 is the recommended secondary root bridge priority value. Answer D is also incorrect. 0 is never recommended by Cisco.
Question 33
Answer D is correct. The Building Distribution block connects end users
with the campus backbone and provides routing, QoS, and access control.
Answer A is incorrect. The Building Access module contains end user workstations and IP phones. Answer B is incorrect. The Server Farm module contains email and other such servers. Answer C is incorrect. The Edge
Distribution module aggregates the connectivity from the various elements
at the enterprise edge and routes the traffic into the campus backbone.
Question 34
Answers C and E are correct. Inter-VLAN communication requires the use
of a router or Layer 3 switch. This is due to inter-VLAN communications
requiring routing. Answer A is incorrect. A hub is a Layer 1 device that is
incapable of routing traffic. Answers B and D are incorrect. A Layer 2 switch
also does not possess routing capabilities, nor does a translational bridge.
Question 35
Answer E is correct. The correct command to assign an access port to a
VLAN is Switch(config-if)# switchport access vlan vlan-id. Answers
A, B, C, and D are incorrect. All other syntax examples in this question
would produce a syntax error.
Question 36
Answer B is correct. ISL engages in true encapsulation. It places a new header and trailer on a frame prior to transporting the frame over a trunk link.
Answer A is incorrect. 802.1Q tags frames with VLAN information; it does
not encapsulate the data frame. Answer C is incorrect. VTP is not a trunk
protocol. Answer D is incorrect. 802.10 is used for the transmission of
VLAN information in FDDI environments. Once again, true encapsulation
is not used.
Question 37
Answers A, B, and E are correct. When troubleshooting STP, potential problems include duplex mismatch, unidirectional link failure, frame corruption,
resource errors, PortFast configuration errors, and exceeding STP diameters. Answer C is incorrect. Broadcasts do not cause problems for STP; in
fact, STP helps to ensure that broadcasts do not negatively impact the network. Also, answer D is incorrect. CAM table corruption also does not cause
STP-related issues.
Question 38
Answers D and E are correct. Topology-based switching relies on a forwarding
information base (FIB) and an adjacency table. Cisco's implementation of
topology-based switching is called Cisco Express Forwarding (CEF). Answers
A, B, and C are incorrect. Route caching, flow-based switching, and
demand-based switching are descriptions of legacy multilayer switching
technologies that rely on packet flows for cached forwarding information.
Question 39
Answer B is correct. Punt adjacency deals with features that require special
handling or features that are not yet supported. For example, if the packet
requires CPU processing. Answer A is incorrect. A null adjacency refers to
packets destined for the Null0 interface. These packets are dropped. Answer
C is incorrect. The glean adjacency is used for the subnet prefix when more
than one host is attached to the switch from the same VLAN. Answer D is
incorrect because there is no such adjacency as the next-hop adjacency.
Question 40
Answer C is correct. RPR+ does not feature auto VLAN database configuration. Answers A, B, and D are incorrect. RPR+ features many improvements
over RPR. These include reduced convergence time, online insertion and
removal of the redundant Supervisor Engine, synchronization of running configurations and startup configurations, and the synchronization of OIR events.
Question 41
Answer C is correct. IRDP uses Internet Control Message Protocol (ICMP)
router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet. Hosts must discover routers before they can send IP datagrams outside their subnet. Router
discovery allows a host to discover the addresses of operational routers on
the subnet. Answer A is incorrect. HSRP is a routing protocol that provides
backup to a router in the event of failure. Answer B is incorrect. The Virtual
Router Redundancy Protocol (VRRP) eliminates the single point of failure
inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to
one of the VPN Concentrators on a LAN. Answer D is incorrect. Open
Shortest Path First (OSPF) is a routing protocol developed for Internet
Protocol (IP) networks by the interior gateway protocol (IGP) working
group of the Internet Engineering Task Force (IETF).
Question 42
Answer B is correct. The router in the group with the next highest priority
takes over the active router role in an HSRP group. In this case, that router
is RouterB. Answer A is incorrect. RouterA was the active router that failed.
Answers C and D are also incorrect. RouterC does not have the highest
remaining priority, and RouterD is not in the HSRP group where the failure
occurred. Answer E is also incorrect. RouterB becomes the active router.
Question 43
Answer C is correct. When a router is in the standby state, the router is a
candidate to become the next active router and sends periodic hello messages. There must be one standby router in the HSRP group. Answer A is
incorrect. The initial state indicates that HSRP is not running. Answer B is
incorrect. The listen state indicates the router is not the active or the standby router. Answer D is incorrect. The speak state indicates the router is participating in the election of the active router. Answer E is also incorrect. The
active state indicates the router is the active router.
Question 44
Answer A is correct. Virtual Router Redundancy Protocol (VRRP) can provide redundancy for a real IP address of a router or a virtual IP address
shared among the VRRP group members. Answer B is incorrect. HSRP is a
routing protocol that provides backup to a router in the event of failure.
Answer C is incorrect. IRDP uses Internet Control Message Protocol
(ICMP) router advertisements and router solicitation messages to allow a
host to discover the addresses of operational routers on the subnet. Answer
D is incorrect. Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP)
and Virtual Router Redundancy Protocol (VRRP), while allowing packet
load sharing between a group of redundant routers.
Question 45
Answer C is correct. GLBP allows automatic selection and simultaneous use of
multiple, available gateways, and to provide automatic detection and failover to
a redundant path in the event of failure to any active gateway. Answers A and
B are incorrect. HSRP and VRRP both provide gateway resiliency. The standby members of the redundancy group are underutilized along with their
upstream bandwidth. Answer D is also incorrect. Single router mode allows for
redundancy of supervisor engines in a single switch chassis.
Question 46
Answer C is correct. To configure single router mode, you use the
single-router-mode command in high availability configuration mode. Answers A
and B are incorrect. The single-router-mode command produces a syntax
error if attempted in another mode. Answer D is also incorrect. There is no
such command as srm.
Question 47
Answer B is correct. You use the real command in server farm configuration
mode to specify the IP address of a real server in the server farm. Answer A
is incorrect. The real command is not a global configuration command.
Answers C and D are incorrect. The ip slb serverfarm command creates a
server farm definition and enters server farm configuration mode.
Question 48
Answer D is correct. The advantage that auxiliary VLANs bring for voice
traffic is increased network segmentation and control. Answer A is incorrect.
Auxiliary VLANs by themselves do not increase availability. Answer B is
incorrect. They increase the amount of network management that must be
performed. Answer C is incorrect. They also do not reduce the bandwidth
that is consumed due to voice.
Question 49
Answer C is correct. Reliability is not directly impacted by QoS. Answers A,
B, and D are incorrect. As Cisco defines QoS, it addresses delay, jitter (variable delay), and packet loss.
Question 50
Answer D is correct. Low latency queuing provides strict priority queuing.
This feature enables you to configure the priority status for a class within
class-based weighted fair queuing. Answer A is incorrect. CQ allows a fairness not provided with priority queuing (PQ). With CQ, you can control the
available bandwidth on an interface when it is unable to accommodate the
aggregate traffic that is enqueued. Answer B is incorrect. PQ ensures that
important traffic gets the fastest handling at each point where it is used. It
was designed to give strict priority to important traffic. Answer C is incorrect. First In, First Out (FIFO) queuing packets are forwarded in the same
order in which they arrive at the interface. Answer E is incorrect. WFQ is
one of Cisco's premier queuing techniques. It is a flow-based queuing
algorithm that does two things simultaneously: It schedules interactive traffic to
the front of the queue to reduce response time, and it fairly shares the
remaining bandwidth between high-bandwidth flows. Finally, Answer F is
incorrect. WRR provides bandwidth to higher priority applications (using IP
precedence) and also grants access to lower-priority queues. The frame
schedule affords each queue the bandwidth allotted to it by the network
administrator. This mapping is configurable both at the system and interface
levels.
Question 51
Answer C is correct. The ToS field in an IP packet is used to assign a priority
to the packet. Answer A is incorrect. The ToS field does not identify the type
of payload; it indicates priority. Answers B and D are also incorrect. It neither
identifies network control information, nor indicates a particular queue.
Question 52
Answer C is correct. Link fragmentation and interleaving is appropriate for
slow links, that is, links with a bandwidth of less than 768 Kbps. Answers A, B, and
D are incorrect. LFI is not appropriate for high-speed links. Cisco considers
slow-speed links to be less than 768 Kbps.
Question 53
Answer B is correct. Weighted Random Early Detection uses IP precedence
or DSCP values to selectively drop packets. Answers A, C, and D are
incorrect. WRED uses IP precedence or DSCP to selectively drop packets; it
uses no other mechanism for this determination.
Question 54
Answer B is correct. To display priority queuing output, use the debug
priority Privilege EXEC command. Answer A is incorrect. Use the debug
ip rsvp command to enable logging of significant Resource Reservation
Protocol (RSVP) events. Answer C is incorrect. There is no such command
as debug multilink ppp. Answer D is also incorrect. Use the debug ppp
multilink fragments command to display information about individual
multilink fragments and important multilink events.
Question 55
Answer C is correct. The service-policy command is used to apply a policy to a particular interface. Answer A is incorrect. The class-map command
Question 56
Answer C is correct. The Network Analysis Module (NAM) provides monitoring functions for your 6000/6500 Series Catalyst switch. Answer A is
incorrect. The FlexWAN module provides T1 WAN interfaces for distribution layer capabilities. Answer B is incorrect. The IDS sensor adds security
monitoring. Answer D is incorrect. The Supervisor Engine is the required
brains of the 6000/6500 Series switch.
Question 57
Answer A is correct. The appropriate command to monitor ingress traffic for
a SPAN session is monitor session 1 source interface fastethernet 5/1
rx. This command monitors traffic inbound on the Fast Ethernet interface
5/1. Answer B is incorrect. The command monitor session 1 source
interface fastethernet 5/1 tx monitors traffic on the Fast Ethernet interface, but monitors only traffic that is transmitted. Answer C is incorrect.
monitor session 1 destination interface fastethernet 5/1 configures
a SPAN destination interface, not a SPAN source interface. Finally, answer
D is incorrect. monitor session 1 source interface fastethernet 5/1
monitors the Fast Ethernet interface for both ingress and egress traffic.
Question 58
Answer D is correct. The aaa new-model command enables AAA globally on
the switch. Answer A is incorrect. The aaa authentication login command
creates a new authentication list. Answer B is incorrect. The ppp
authorization command applies a named authorization list to an interface. Answer C
is also incorrect. There is no such command as new aaa model.
Question 59
Answer C is correct. To cause a port to enter the error-disable state with port
security, you must use the shutdown keyword. Answer A is incorrect. The
protect keyword causes packets with unknown source addresses to be
dropped until a sufficient number of MAC addresses are removed. Answer B
is incorrect. With the restrict option, data is restricted and the
SecurityViolation counter increments. Answer D is incorrect. There is no
such option as the null option.
Question 60
Answer A is correct. With no encapsulation, this Metro Ethernet tunneling
option does not scale well. It is sometimes efficient to support a network of
a single enterprise. Answer B is incorrect. Tag stacking provides isolation of
enterprise traffic through the service provider. Answers C and D are incorrect. Ethernet over multiprotocol label switching is a scalable tunneling
mechanism that maps VLANs through an MPLS core.
A
What's on the CD-ROM
This appendix provides a brief summary of what you'll find on the CD-ROM
that accompanies this book. For a more detailed description of the PrepLogic
Practice Exams, Preview Edition exam simulation software, see Appendix B,
Using the PrepLogic Practice Exams, Preview Edition Software. In
addition to the PrepLogic Practice Exams, Preview Edition software, the
CD-ROM includes an electronic version of the book in portable document
format (PDF) and the source code used in the book.
PrepLogic Practice Exams, Preview Edition exhibits all the full-test simulation
functionality of the Premium Edition, but offers only a fraction of the total
questions. To get the complete set of practice questions, visit www.preplogic.com
and order the Premium Edition for this and other challenging exam training
guides.
For a more detailed description of the features of the PrepLogic Practice
Exams, Preview Edition software, see Appendix B.
B
Using the PrepLogic Practice Exams, Preview Edition Software
This book includes a special version of the PrepLogic Practice Exams software, a revolutionary test engine designed to give you the best in certification exam preparation. PrepLogic offers sample and practice exams for many
of today's most in-demand and challenging technical certifications. A special
Preview Edition of the PrepLogic Practice Exams software is included with
this book as a tool to use in assessing your knowledge of the training guide
material while also providing you with the experience of taking an electronic
exam.
This appendix describes in detail what PrepLogic Practice Exams, Preview
Edition is, how it works, and what it can do to help you prepare for the exam.
Note that although the Preview Edition includes all the test simulation functions of the complete retail version, it contains only a single practice test.
The Premium Edition, available at www.preplogic.com, contains a complete set
of challenging practice exams designed to optimize your learning experience.
Question Quality
The questions provided in PrepLogic Practice Exams, Preview Edition are
written to the highest standards of technical accuracy. The questions tap the
content of this book's chapters and help you review and assess your knowledge
before you take the actual exam.
Software Requirements
PrepLogic Practice Exams requires a computer with the following:
Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows
2000, or Windows XP
A 166MHz or faster processor
A minimum of 32MB of RAM
10MB of hard drive space
Performance
As with any Windows application, the more available memory, the better the performance.
Edition files to your hard drive. It then adds PrepLogic Practice Exams,
Preview Edition to your desktop and the Program menu. Finally, it
installs test engine components to the appropriate system folders.
button, which makes it possible for you to view the correct answer(s)
and full explanation for each question during the exam. When this
option is not enabled, you must wait until after your exam has been
graded to view the correct answer(s) and explanation for each question.
Enable Item Review: Clicking this button activates the Item Review button,
which enables you to view your answer choices. This option also
facilitates navigation between questions.
Randomize Choices: You can randomize answer choices from one exam
session to the next. This makes memorizing question choices more difficult,
thereby keeping questions fresh and challenging longer.
On the left side of the main exam customization screen, you're presented
with the option of selecting the preconfigured practice test or creating your
own custom test. The preconfigured test has a fixed time limit and number
of questions. Custom tests enable you to configure the time limit and the
number of questions in your exam.
Button Status
Depending on the options, some of the buttons will be grayed out and inaccessible, or they
might be missing completely. Buttons that are appropriate are active.
Item Review screen, from which you can see all questions, your answers,
and your marked items. You can also see correct answers listed here,
when appropriate.
Show AnswerThis option displays the correct answer, with an explana-
tion about why it is correct. If you select this option, the current question is not scored.
Mark ItemYou can check this box to flag a question that you need to
review further. You can view and navigate your marked items by clicking
the Item Review button (if it is enabled). When your exam is being
graded, youre notified if you have any marked items remaining.
Previous Item: You can use this option to view the previous question.
Next Item: You can use this option to view the next question.
Grade Exam: When you've completed your exam, you can click Grade Exam to end your exam and view your detailed score report. If you have unanswered or marked items remaining, you are asked whether you would like to continue taking your exam or view the exam report.
Contacting PrepLogic
If you would like to contact PrepLogic for any reason, including getting information about its extensive line of certification practice tests, you can do so online at www.preplogic.com.
Customer Service
If you have a damaged product and need to contact customer service, please call 800-858-7674.
License Agreement
YOU MUST AGREE TO THE TERMS AND CONDITIONS OUTLINED IN THE END USER LICENSE AGREEMENT (EULA) PRESENTED TO YOU DURING THE INSTALLATION PROCESS. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT INSTALL THE SOFTWARE.
Glossary
802.1D
See Spanning Tree Protocol.
802.1Q
802.1Q is an IEEE trunking mechanism that is an open standard. Both ISL and 802.1Q add VLAN information to the Ethernet frames explicitly. However, the way in which they perform this process is different. With ISL, a 26-byte header and a 4-byte trailer are added to the frame: The original frame is not modified. This process is referred to as encapsulation. With 802.1Q, the actual frame is modified, or tagged. To denote VLAN information, a 4-byte Tag Protocol Identifier (TPID) and a 2-byte Tag Control Information (TCI) are inserted between existing fields in the Ethernet frame.
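The 802.1Q tag described above, and the tag stacking that the 802.1Q Tunneling entry below calls Q-in-Q, are easiest to see on real bytes. The following Python is an added example and not code from the book: it builds constructed sample frames, walks every stacked tag after the source MAC, and applies the check an administrator wants on an access link, where a tagged frame (and especially a double-tagged one) signals a misconfiguration or abuse. The code follows the IEEE tag layout, in which the 4 inserted bytes are a 2-byte TPID (0x8100 for 802.1Q, 0x88A8 for the 802.1ad service tag) followed by a 2-byte TCI holding the 3-bit priority, 1-bit CFI and 12-bit VLAN ID; the MAC addresses, VLAN numbers and payloads are constructed sample data.

```python
import struct
from dataclasses import dataclass, field
from typing import List

TPID_8021Q = 0x8100   # customer (inner) tag
TPID_8021AD = 0x88A8  # service-provider (outer) tag used by 802.1ad tag stacking
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


@dataclass
class VlanTag:
    tpid: int
    priority: int  # 3-bit 802.1p class of service
    cfi: int       # 1-bit canonical format indicator
    vid: int       # 12-bit VLAN ID


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)
    ethertype: int = 0
    payload: bytes = b""


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk every VLAN tag after the source MAC until a non-VLAN EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: EtherType missing")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated frame: VLAN tag cut off")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4  # each tag is exactly 4 bytes: TPID + TCI
    return ParsedFrame(dst, src, tags, etype, frame[offset + 2:])


def build_frame(dst: str, src: str, vids: List[int], ethertype: int,
                payload: bytes, outer_tpid: int = TPID_8021Q) -> bytes:
    """Constructed sample input: zero or more stacked tags (priority 0)."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = outer_tpid if (i == 0 and len(vids) > 1) else TPID_8021Q
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def classify_access_frame(frame: bytes) -> str:
    """An access link belongs to one VLAN and carries untagged frames, so a tag,
    and especially a stacked pair, arriving on it deserves an alert."""
    p = parse_frame(frame)
    if not p.tags:
        return "untagged"
    if len(p.tags) >= 2:
        return f"double-tagged outer={p.tags[0].vid} inner={p.tags[1].vid}"
    return f"tagged vid={p.tags[0].vid}"


if __name__ == "__main__":
    qinq = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [100, 10], 0x0800,
                       b"constructed payload", outer_tpid=TPID_8021AD)
    for t in parse_frame(qinq).tags:
        print(f"TPID=0x{t.tpid:04x} prio={t.priority} vid={t.vid}")
    print(classify_access_frame(qinq))
```

The parser loops rather than reading one tag, because a stacked (Q-in-Q) frame carries two TPID/TCI pairs back to back and a single-tag parser would report the service VLAN and hand the customer tag to the upper layer as if it were the EtherType.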
802.1Q Tunneling
Q-in-Q tunneling, proprietary to Cisco, is commonly referred to as tag stacking. When you send tagged VLAN traffic into a service
802.1W
See Rapid STP.
802.1X
IEEE's 802.1x standard defines how to authenticate and control port access. A switch's port state (with 802.1x enabled) is initially in an unauthorized state. The switch allows only Extensible Authentication over LAN (EAPOL) traffic through the port until the user has been authenticated. 802.1x uses EAPOL to perform authentication. When the user is
Access Layer
Alternate Port
This RSTP port serves as a secondary root port in case the primary root port fails; it is in a discarding port state unless a failure of the root port or connection occurs, in which case it is moved to a forwarding state.
Access Link
An access link is a connection that belongs to a single VLAN and is completely transparent to the users. They have no knowledge of the existence of the VLAN. However, to maintain VLAN information, the originating frame from a user must contain VLAN information that the switch fabric can use to forward the frame.
Active RP
In HSRP, the role of the active and standby RPs is based on the priority of the RPs in the HSRP group. The RP with the highest priority is elected as the active RP and the one with the second highest is elected as standby RP. If the priorities are the same, the IP address of the RP is used as a tiebreaker. In this situation, the RP with the higher IP address is elected for the role. The active RP is responsible for forwarding all traffic destined to the virtual RP's MAC address. A
Authentication, Authorization, and Accounting (AAA)
AAA centralizes authentication, authorization, and accounting functions. Authentication provides a means for identifying an individual and validating her access to a device. Authorization verifies what specific tasks a user can perform on a device. Accounting keeps a record of what a user did on a device.
BackboneFast
BackboneFast is a Cisco-proprietary enhancement to STP that provides scalability to STP on your backbone switches (core and distribution layer). BackboneFast and UplinkFast are complementary STP enhancements. One major difference between UplinkFast and BackboneFast is that UplinkFast works only for directly connected links that fail, whereas BackboneFast has the capability to detect indirect link failures; that is, links not physically associated with a switch.
Backup Port
This RSTP port serves as a secondary designated port in case the primary designated port fails. It is in a discarding port state unless a
Blocking Port
In STP, a blocking port listens only for BPDUs from other switches; it does not forward any user frames. A port enters this state when it doesn't detect a BPDU within the maximum age timer interval.
Bridge Identifier
Each bridge has a unique identifier that it uses when it multicasts its BPDUs. The identifier is made up of a bridge (switch) priority and one of the switch's MAC addresses.
BPDU Guard
BPDU Guard is a Cisco feature that will shut down a PortFast port if a BPDU is received on it. After
BPDU Skewing
Broadcast
When a broadcast packet is generated, everyone in the broadcast domain sees this packet and processes it. However, there's no guarantee that any or all destinations will receive the broadcast.
Centralized Switching
In a centralized switching architecture, all switching decisions are handled by a central, single forwarding table. A centralized switching device can contain both Layer 2 and Layer 3 functionality. In other words, this table can contain both Layer 2 and Layer 3 addressing and protocol information as well as access control list (ACL) and quality of service (QoS) information.
Core Layer
The core layer is one of three layers of Cisco's hierarchical design model. The function of the core layer is to offer an extremely high-speed Layer 2 switching backbone between different distribution layers to provide packet switching that is as fast as possible.
Designated Port
Designated Switch
See Designated Port.
DiffServ
DiffServ uses a multiple-service model to implement QoS. With DiffServ, applications do not signal their QoS requirements before sending their data. Instead, DiffServ is implemented within your network infrastructure and groups related traffic types together, marking them with classification information. This provides an advantage over IntServ because you don't need to modify any end stations.
Distributed Switching
In a distributed switching architecture, switching decisions are decentralized. As a simple example, a 6500 switch has each port (or module) make its own switching decision for inbound frames while a main processor or ASIC handles routing functions and ensures that each port has the most up-to-date switching table. One advantage of the distributed implementation approach is that by having each port or module make its own switching decision, you're placing less of a burden on your main CPU or forwarding ASIC because you're distributing the processing across multiple ASICs. In this case, a separate forwarding engine (ASIC) is used for each port and each port has its own small switching table. With this approach, you can achieve much greater speeds than a switch that uses central forwarding for switching: rates of more than 100Mpps.
Distribution Layer
The distribution layer is one of three layers of Cisco's hierarchical design model. The distribution layer is the demarcation point between the core and the access layers of a campus network. The distribution layer switches should perform all Layer 3 and policy functions. These include the following tasks: connecting to access switches to provide workgroup and department access; implementing VLANs to handle broadcast issues; routing between VLANs; designing addressing and address summarization; enforcing security policies; translating between different media types such as FDDI, Ethernet, and token ring.
Distribution Tree
To forward multicast traffic intelligently, RPs must be able to build a distribution tree. A distribution tree is somewhat similar to the spanning tree used by switches to remove Layer 2 loops. Using a distribution tree, RPs can ensure that a multicast frame traverses a segment only once in the network. This minimizes the bandwidth impact, which is accomplished by making sure that there's one and only one path from the source of the multicast traffic to each of the end stations that wants to see it.
Dynamic VLANs
Dynamic VLANs require you to assign a user to a VLAN once, and switches dynamically use this information to configure the port on the switch automatically. Dynamic VLANs can be based on the following items: the MAC addresses of workstations, the Layer 3 addresses (such as IP addresses), the protocol type (such as IP or IPX), or directory information stored in Novell's NDS or Microsoft's Active Directory.
Enterprise Campus
The Enterprise Campus provides the three-layer hierarchical campus model, but doesn't include remote or Internet connections (these are in the Enterprise Edge). Within the Enterprise Campus model, you'll find the following submodules: Campus Infrastructure, Network Management, Server Farms, and Edge Distribution.
Enterprise Edge
The Enterprise Edge controls traffic between the Service Provider Edge and the Enterprise Campus. The Enterprise Edge contains four sub-modules: E-commerce, Internet Connectivity, Remote Access and VPNs, and WAN Access.
Enterprise Model
One of the limitations of the three-layer hierarchical model is that it covers only a single campus design. Cisco has expanded on this and created the Enterprise Composite Network Model (ECNM), which breaks up a network into three functional areas: Enterprise Campus, Enterprise Edge, and Service Provider Edge. The main purpose of the ECNM is to define clear boundaries, or demarcation points, between different modules, or areas, of your network.
EtherChannel
EtherChannel is a technology that lets you bundle up to 8 Fast Ethernet or Gigabit Ethernet connections to provide up to 1,600Mbps or 16Gbps of bandwidth in full-duplex mode. The channel is treated as one logical connection between two switches. Even if one of the connections fails in the EtherChannel, the other connection(s) still operate properly.
Forwarding Port
After finally completing the learning state in STP, a port is placed into a forwarding state in which the bridge performs its normal functioning. It learns source MAC addresses and updates the switch's CAM table, as well as forwarding user frames through the switch itself.
IGMP Snooping
IntServ
IntServ is defined in RFC 1633 and provides a guarantee for QoS for an application connection. This is different from DiffServ, which does this based on traffic classifications, not specific connections. IntServ is implemented using RSVP on all devices handling the connection, including the source and destination. RSVP uses signaling to set up the connection and to maintain QoS. When a new connection is being established, RSVP needs to determine what paths and devices are used to support the connection. The Common Open Policy Service (COPS) is used to centralize the setup and maintenance of the connection.
Layer 3 Switch
A Layer 3 switch is an enhanced router. One problem of traditional routers is that a generic processor performs most of the switching decisions. Using a generic processor allows the router to perform all tasks, but it doesn't perform all of them well. To overcome this
Learning Port
Upon the completion of the listening state in STP, a port moves into a learning state. In this state, a port examines user frames for source MAC addresses and places them in the switch's CAM table. Still, no user frames are forwarded through the switch.
Listening Port
Passing from a blocking state in STP, a port enters into a listening state. In this state, a port listens for frames to detect available paths to the root switch, but does not take any source MAC addresses of end stations and place them in the CAM table. Likewise, the switch does not forward any user frames.
Loop Guard
Multicast
Multilayer Switch
Multilayer switching combines Layer 2, Layer 3, and Layer 4 switching, all in one chassis. These switches can examine information in the transport layer segment (TCP and UDP) to help make intelligent switching decisions. To do this, a multilayer switch routes the first packet in a packet stream but switches the rest, sometimes referred to as route once, switch many.
NetFlow Switching
Path Costs
Native VLAN
PVST+
PVST+ is a Cisco extension to its PVST protocol. PVST+ allows the incorporation of both IEEE's 802.1Q CST and Cisco's PVST in a switched network. One nice feature of PVST+ is that you do not have to configure anything on your
Protocol Independent Multicast (PIM)
PIM is a multicast routing protocol that's currently being defined by a draft RFC. The Internet Engineering Task Force (IETF) is discussing PIM's ongoing development. PIM is unique in that it supports both dense and sparse modes, making it much more flexible than other multicast routing protocols. PIM uses IGMP to transport its routing information.
PortFast
PortFast, a Cisco-proprietary STP enhancement, reduces the size of the STP database by excluding ports that do not have bridges or switches connected to them and removing them from the STP topology, thereby minimizing downtime when changes occur in a switched network. PortFast should only be used to connect to non-bridge and non-switch devices, like a PC, router, or file server; otherwise, you might inadvertently create Layer 2 loops.
Proxy ARP
Proxy ARP is used when an end station ARPs for a destination device's MAC address that is on a different subnet. A Cisco RP can respond back to the end station with its own MAC address, making it appear that the destination is on the same segment. Proxy ARP is enabled, by default, on Cisco RPs. The main disadvantage is that if the RP fails, the end station won't discover this unless it reboots or re-ARPs.
Q-in-Q Tunneling
See 802.1Q Tunneling.
Root Guard
Root Guard is a Cisco feature that you can use to force a particular port to be a designated port to ensure that switches connected to it do not become a root switch. Root Guard enables you to create an STP topology in which you explicitly control which switch becomes and stays the root switch (barring any failures).
Root Port
After the root switch is elected, each switch determines which port, called the root port, it uses to reach the root switch. The root port is a port on a switch that has the lowest accumulated cost to the root switch.
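The Bridge Identifier, Root Guard and Root Port entries describe one procedure: every switch compares bridge identifiers (priority first, then MAC address, lower wins), the winner becomes the root, each other switch picks the port with the lowest accumulated cost to the root, and Root Guard keeps a port from accepting a BPDU that would move the root elsewhere. The following Python is an added example and not code from the book; the switch names, priorities, MAC addresses and link costs are a constructed topology (19 and 4 are the classic 802.1D costs for Fast Ethernet and Gigabit Ethernet), and the equal-cost tiebreak on the neighbor's bridge ID mirrors the sender-bridge-ID tiebreak STP applies to received BPDUs.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BridgeId:
    """Bridge identifier: the bridge priority plus one of the switch's MACs."""
    priority: int
    mac: str

    def key(self) -> Tuple[int, int]:
        # Lower priority wins; on a tie the lower MAC address wins.
        return (self.priority, int(self.mac.replace(":", ""), 16))


Link = Tuple[str, str, int]  # (switch, switch, port cost on that link)


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Every switch advertises its own ID; the lowest one becomes the root."""
    return min(bridges, key=lambda name: bridges[name].key())


def root_ports(bridges: Dict[str, BridgeId],
               links: List[Link]) -> Dict[str, Tuple[int, str]]:
    """For each non-root switch: (lowest accumulated cost to the root, neighbor
    its root port faces). Equal-cost paths are broken by the neighbor's bridge
    ID, the way STP uses the sender bridge ID carried in the BPDU."""
    root = elect_root(bridges)
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best: Dict[str, Tuple[int, str]] = {root: (0, root)}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:  # Dijkstra outward from the root
        cost, node = heapq.heappop(heap)
        if cost != best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost in adj.get(node, []):
            candidate = (cost + link_cost, bridges[node].key())
            current = best.get(nbr)
            if current is None or candidate < (current[0], bridges[current[1]].key()):
                best[nbr] = (cost + link_cost, node)
                heapq.heappush(heap, (cost + link_cost, nbr))
    return {name: best[name] for name in bridges if name != root and name in best}


def root_guard_decision(current_root: BridgeId, bpdu_root: BridgeId,
                        root_guard: bool) -> str:
    """What a port does with a received BPDU. A BPDU advertising a better root
    normally triggers a re-election; with Root Guard on, the port is instead put
    into the root-inconsistent (blocked) state and the topology is unchanged."""
    if bpdu_root.key() < current_root.key():
        return "root-inconsistent" if root_guard else "re-elect-root"
    return "no-change"


if __name__ == "__main__":
    switches = {  # constructed topology: C is meant to be the root
        "A": BridgeId(32768, "00:00:00:00:00:0a"),
        "B": BridgeId(32768, "00:00:00:00:00:0b"),
        "C": BridgeId(4096, "00:00:00:00:00:0c"),
        "D": BridgeId(32768, "00:00:00:00:00:0d"),
    }
    wires = [("A", "C", 19), ("B", "C", 19), ("A", "B", 19),
             ("D", "A", 19), ("D", "B", 19)]
    print("root:", elect_root(switches))
    print("root ports:", root_ports(switches, wires))
    newcomer = BridgeId(0, "00:00:00:00:00:ee")  # constructed, priority 0
    print("without Root Guard:", root_guard_decision(switches["C"], newcomer, False))
    print("with Root Guard:", root_guard_decision(switches["C"], newcomer, True))
```

Switch D in the sample topology reaches the root at cost 38 through either A or B; the tiebreak on the neighbor's bridge ID makes its root port face A, which is the kind of detail a `show spanning-tree` output only confirms after the fact.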
Route Caching
In route caching, the first time a destination is seen by the router, the CPU processes the packet and forwards the packet to the destination. During that process, the router places the routing information for this destination in a high-speed cache. The second time that the router needs to forward traffic to the destination, it consults its high-speed cache before using the CPU to process the packet.
Router-on-a-Stick
A router-on-a-stick is a trunk connection between an external router and a switch. The trunk is terminated on the router on a trunk-capable interface and the router uses this single interface to route between VLANs.
Standby RP
See Active RP.
Static VLAN
Cisco's initial implementation of VLANs is based on the port that a user was assigned to. This is sometimes referred to as port-based membership. Using this initial implementation, you configure every port on a switch to reflect the appropriate VLAN for the users. This could easily be done either via a command-line interface or an SNMP-based product using a graphical interface.
Tail Dropping
Tail dropping is one of the most common forms of dealing with congestion during egress queuing. When queuing packets during a period of heavy congestion, the queue will at some point fill up, leaving no room for more packets. During this period, any newly arrived packets for the egress queue are dropped. With tail dropping, all traffic is treated equally. In other words, the IOS doesn't look at whether this is UDP or TCP traffic, or data or voice. This can be detrimental for TCP-based connections because dropping one packet from a connection can cause the retransmission of multiple packets. In a network that heavily utilizes TCP, using tail dropping could actually create more congestion than it reduces.
Topology-Based Switching
Topology-based switching uses a forwarding information base (FIB) to assist in Layer 3 switching. This type of switching pre-populates the
Transparent Bridging
A transparent bridge is used to connect similar media types together to solve bandwidth and collision problems, but to still maintain the same broadcast domain. The term transparent bridge is used because the bridge is completely transparent to the end stations that it is interconnecting. Frames that pass through a transparent bridge are not modified: What comes in on an interface leaves exactly the same way on another interface. Transparent bridges perform three basic functions: They make forwarding and filtering decisions based on the destination MAC address in a frame, they learn where end stations reside in the network, and they remove loops.
Unicast
Trunk Link
A trunk link is a connection between two trunk-capable devices. These could be two switches, a switch and a router, or even a switch and an end station. Trunking basically extends the backplane of the switch. Normally, only traffic from one VLAN can be associated with a port. The exception to this is a trunk port. A trunk port allows multiple VLANs to cross it to a neighboring device, unlike an access link. Trunking is performed by encapsulating or tagging frames in hardware by the ASICs on each port. Encapsulating or tagging adds information, such as the VLAN number (referred to as the VLAN's color), to help in the forwarding of the frame by other switches.
UplinkFast
STP guarantees a loop-free environment; however, one large disadvantage of STP is the 30-50 second convergence time before redundant links can be used when failures occur. This is problematic in environments where real-time or bandwidth-intensive applications are deployed. UplinkFast, a Cisco-proprietary STP enhancement, allows the almost-immediate use of
Virtual RP
In HSRP, the role of the virtual RP is to provide a single RP that's always available to the end stations. It isn't a real RP because the IP and MAC addresses of the virtual
VTP Pruning
VTP pruning allows a switch to make more intelligent decisions concerning the forwarding of multicast, broadcast, and unknown destinations across trunk ports. VTP pruning is a method of traffic control that reduces unnecessary broadcast, multicast, and flooded unicast packets. This feature restricts traffic that is normally flooded out all trunks to only those trunk links where the connected switches (or other networking devices) also have ports in the associated VLAN.
Index
Numbers
10 Gigabit Ethernet, physical
implementation, 25
802.1P, CoS priorities, 265
802.1Q
compared to Q-in-Q transport,
348
native VLANs, 61
trunks, configuring, 66-67
tunneling, MANs and, 342-343
tunneling feature, 62-64
VLANs, 59-61
supported ranges, 62
802.1W. See RSTP
802.1X, port-based authentication,
316-317
A
aaa accounting command, 311
aaa authentication login command,
310
aaa authorization command, 311
access layer, 15
B
BackboneFast (STP), 112-114
enabling, 114
nonconnected interfaces, 114
backup ports, 117
bandwidth
calculating need for VoIP
connections, 257
increasing, compression methods,
273-274
IP telephony, QoS (Quality of
Service), 256-257
Best Effort architecture, IP telephony,
262
blocking state (switch ports), 92
BPDU (Bridge Protocol Data Unit),
88
frame fields, 88
filtering (FastPort), 110
Guard (FastPort), 109
inferior, 113
RSTP, propagating information,
118-119
RSTP use of, 115-116
skewing (STP), 131-132
staggered convergence, preventing,
93
STP (Spanning Tree Protocol)
and, 86-87
bridge (switch) identifier (BPDU
frame field), 88
bridge identifiers (STP), 87
C
cabling
Ethernet, 22
Fast Ethernet, 23
call control signaling connections
(telephony), 256
CallManager (IP telephony), 255
CAM (content addressable memory)
tables, 84
automatically updating, 85
CAM tables, 165-166
multicasting traffic control,
CGMP and, 237
Campus Infrastructure module, 17
campus intranets
10 Gigabit Ethernet, physical
implementation, 25
access layer, 15
AVVID components, 12-13
core layer, 14
design recommendations, 26
Enterprise Edge module, 29
large campus, 28
medium campus, 28
Server Farm module, 29
small campus, 27
devices, 19
Layer 2 switches, 19-20
Layer 3 switches, 21-22
multilayer switches, 22
routers, 20-21
usage recommendations, 26
distribution layer, 14-15
Enterprise Campus, 17-18
Enterprise Composite Network
Model (ECNM), 16-17
Enterprise Edge module, 18
Ethernet, physical implementation,
22-23
Fast Ethernet, physical
implementation, 23
Gigabit Ethernet, physical
implementation, 24-25
Long Reach Ethernet, physical
implementation, 25
Metro Gigabit Ethernet, physical
implementation, 25
requirements, 12
Service Provider Edge module, 18
three-layer hierarchical model, 13
campus networks, QoS
implementation, 274-275
CAR (Committed Access Rate), IP
telephony, 265
Catalyst switches
AAA, 308
accounting configuration,
311-312
authentication configuration,
310-311
authorization configuration,
311
enabling, 309
debug commands, 139
enabling/disabling STP, 97
NAM (Network Analysis
Module), configuring, 302-306
autostart, 305
switch interface, 305-306
port priority, 100
authentication
AAA, 310-311
HSRP, 199
Catalyst switches, redundant
power supplies, 184
CEF, 171
CQ (custom queuing), 282-283
EtherChannel, 127
guidelines for, 127-128
Layer 2 commands, 128-129
Layer 3 commands, 129
verifying configuration,
130-131
FastPort, 109
HSRP, 198-199
LLQ (low latency queuing),
284-286
MQC
activating policies, 278
creating classes, 276
creating policies, 276-278
verifying, 279
MST (Multiple Spanning Tree),
123-124
multicasting, verifying, 244-245
NAM (Network Analysis
Module), 301-305
autostart, 305
switch interface, 305-306
port security, 314
PQ (priority queuing),
281-282
PVLANs, 322
associating ports, 323-324
creating, 322-323
routing, 150
external RPs, 154-155
internal RPs, 151-154
router-on-a-stick, 155-157
verifying, 157
D
database (STP), reducing size, 108
debug commands
Catalyst switches, 139
QoS, 288
switches, troubleshooting, 36
default gateways, failover protection,
194
delay issues (IP telephony), 259-260
dense mode protocols, multicast
routing, 232
design issues
campus intranets, 26-28
IP telephony, 258
telephony networks, 254-255
designated routers, PIM, 239
devices
campus intranets, 19
Layer 2 switches, 19-20
Layer 3 switches, 21-22
multilayer switches, 22
routers, 20-21
usage recommendations, 26
chassis redundancy, 183
Differentiated Services Code Points
(DSCPs), 263
DiffServ architecture, IP telephony,
263-264
disabled state (switch ports), 93
distributed switching architecture, 161
distribution layer, 14-15
switches as root switches, 98
distribution trees, multicasts, 229-230
shared distribution trees, 230
source-based distribution trees,
231
domains
broadcasts and, 219
configuring, VTP (VLAN Trunk
Protocol), 75-76
VTP (VLAN Trunk Protocol),
management domains, 69
DSCPs (Differentiated Services
Code Points), 263
DTP (Dynamic Trunk Protocol)
principles of operation, 64-65
trunking modes, 65
dual-ring topology, SONET, 339
DVS (directed VLAN services),
MANs and, 336-338
E
ECNM (Enterprise Composite
Network Model), 16-17
Enterprise Campus functional
area, 17-18
Enterprise Edge module, 18
Service Provider Edge module, 18
Edge Distribution module, 17
edge port component (RSTP),
118-119
EF (Expedited Forwarding), 264
enable command, switch configuration, 32
encapsulation isl command, 156
end-to-end VLANs, 48-51
Enterprise Composite Network
Model (ECNM), 16-17
Enterprise Edge module, campus
intranets, 29
EoMPLS (Ethernet over MPLS),
348-349
multipoint connections, 352
point-to-point connections, 352
protocol labeling, 350-351
terminology, 349-350
usefulness of, 349
EtherChannel, 125
configuring, 127
guidelines for, 127-128
Layer 2 commands, 128-129
Layer 3 commands, 129
verifying configuration,
130-131
load balancing, 129-130
operation, 125
PAgP (Port Aggregation
Protocol), 125-127
Ethernet
campus intranets, physical
implementation, 22-23
MANs (metropolitan area networks), planning considerations,
333-335
802.1Q Q-in-Q transport,
343-344
802.1Q tunneling, 342-343
tag stacking, 344-345
over CWDM, 341-342
over DWDM, 340-341
over SONET, 339-340
events
AAA accounting, 311
RPR (Route Processor
Redundancy), 186
exams
question format, 4-5
strategies, 6-7
question handling, 7
test exams, 359, 401
answer keys, 385, 421
test-taking environment, 2-3
Expedited Forwarding (IP telephony), 264
external RPs, 148
configuration, 154
router-on-a-stick, 155-157
usual setup, 154-155
G
gateways, failover protection for, 194
GBPT (Generic Bridge PDU
Tunneling) protocol, 64
Gigabit Ethernet, physical
implementation, 24-25
GLBP (Gateway Load Balancing
Protocol), 204-205
load balancing with, 206
operation of, 205-206
globally scoped addresses,
multicasting, 221
GLOP addresses, multicasting, 221
H
F
failovers, HSRP and, 193-194
Fast Ethernet, physical implementation, 23
I-J-K
IANA (Internet Assigned Numbers
Authority), multicast addresses, 221
ICMP Router Discovery Protocol
issues, redundancy issues, 192-193
IGMP (Internet Group Management
Protocol), multicasting client registration, 222-228
IGMP snooping, multicasting traffic
control, 237
in-band management, 33
inferior BPDUs, 113
information resources, 9
initial state (HSRP state), 197
L
LACP (Link Aggregation Control
Protocol), channel modes, 125-126
lacp commands, 129
Layer 2
addresses, multicasting, 220
devices, compared to Layer 3, 149
EtherChannel configuration commands, 128-129
network model, 14
networks, VLANs, 46
redundancy, 180
switch redundancy, 191
uplink interfaces, 190-191
switches, campus intranets, 19-20
switching, principles of operation,
162
telephony, convergence with
Layer 3, 258
Layer 3
addresses, multicasting, 220
devices, compared to Layer 2, 149
EtherChannel configuration
commands, 129
network model, 14
redundancy, 180, 191
end station issues, 193
ICMP Router Discovery
Protocol issues, 192-193
Proxy ARP issues, 192
routing protocol issues, 193
routers, 20
switches, campus intranets, 21-22
telephony, convergence with
Layer 2, 258
learning state (HSRP state), 197
learning state (switch ports), 92
limited scope addresses, multicasting,
221
M
MAC addresses
associating to VLANs, 51
Layer 2, multicasting, 221
lockdown, 313
root switch election and, 90
switches, updating CAM tables
automatically, 85
VLANs, show mac-address-table
command, 55
management domains, VTP (VLAN
Trunk Protocol), 69
N-O
native VLANs, 802.1Q, 61
NBAR (network-based application
recognition), IP telephony, 264
NetFlow switching (switching
architecture), 160
Network Management module, 18
networks
campus intranets, 12-18
segments, designated ports and
switches, 91
STP, tracking, 101
TCNs (topology change
notifications), 86
P
packetization (IP telephony), 259
packets
broadcasts, 219
IP telephony
delay issues, 259-260
packet loss, 260
multicasts, 219
NAM (Network Analysis
Module), 301-306
RSPAN (Remote Switched Port
Analyzer), 299-301
SPAN (Switched Port Analyzer),
296-301
unicasts, 218
PAgP (Port Aggregation Protocol),
125-127
password command, switch
configuration, 32
passwords
Catalyst switches, 307
HSRP configuration, 199
path costs (STP), 87
payload compression, 274
PBR (Policy-Based Routing), IP
telephony, 265
performance
CPU utilization, routed and SVI
ports, 152
NAM (Network Analysis
Module), 301
configuring, 301-305
configuring autostart, 305
configuring switch interface,
305-306
planning, 296
router-on-a-stick issues, 155
RSPAN (Remote Switched Port
Analyzer), 299
configuring, 299-301
SPAN (Switched Port Analyzer),
296-297
configuration verification, 301
configuring, 297-299
types, 297
physical setup, end-to-end VLANs,
49
PIM (Protocol Independent
Multicast), 234
designated routers, 239
RPs, 238-239
PIM-DM multicast protocol, 235
PIM-SM multicast protocol, 235-236
PIMv2, configuring, 242-243
ping command, testing routing
configuration, 157
point-to-point connections,
EoMPLS, 352
policies (MQC), 276-278
policing traffic, 273
policy-map command, 277
port address tables, forwarding and
filtering frames, 84
Port Aggregation Protocol. See PAgP
port identifier (BPDU frame field),
89
states, 92-93
STP
bridging loops, 92
cost, 99-100
designation, 91
priority, 100
verification, 100-101
timer values, changing, 93-94
UplinkFast (STP), 110-112
VLANs, trunk ports, 56
power sources, IP telephony and,
257
power supplies, Catalyst switches,
184-185
PQ (priority queuing), 267-268
configuring, 281-282
PrepLogic Practice Exams
contact information, 447
Flash Review Mode sessions, 445
installing, 443
options, 445-446
overview, 441-442
removing, 443
requirements, software, 442
reviewing exams, 446
running, 444
priority and custom queuing (IP
telephony), 265
priority command, 285
priority traffic queuing, IP telephony,
267-268
processing (IP telephony), 259
propagation (IP telephony), 259
protocol identifier (BPDU frame
field), 88
Protocol Independent Multicast.
See PIM
protocols
DTP (Dynamic Trunk Protocol),
principles of operation, 64-65
Q
Q-in-Q transport
advantages/disadvantages, 348
compared to 802.1Q, 348
MANs and, 343-344
QoS (Quality of Service)
campus network implementation,
274-275
debug commands, 288
implementation, 264-266
IP telephony, 261-264
policing traffic, 273
RED (random early detection),
272
shaping traffic, 273
R
random early detection (RED), IP
telephony traffic congestion
avoidance, 272
random-detect dscp command,
288
rapid STP. See RSTP
Rapid Transition to Forwarding
(RTF), 118
Real-Time Transport Protocol
(RTP), 256
real-time transport protocol priority
queuing (RTP-PQ), IP telephony,
269-270
RED (random early detection),
congestion avoidance, 272
redundancy
chassis, 183
component, 181-182
dual-ring topology, MANs and,
340
GLBP (Gateway Load Balancing
Protocol), 204-205
load balancing with, 206
operation of, 205-206
hardware, 180
Catalyst switches, 184-189
HSRP, 193-196
Layer 2, 180, 190-191
Layer 3, 180, 191-193
SRM (Single Router Mode),
202-203
types of, 180-181
VRRP (Virtual Router
Redundancy Protocol), 204
redundancy command, 189
regions, MST (Multiple Spanning
Tree), 121-122
rendezvous points, 230
configuring, 240-242
reserved link local addresses,
multicasting, 221
resign messages (HSRP), 196
resources, information resources, 9
response suppression (IGMP traffic),
224
reverse path forwarding (RPF),
231
root identifier (BPDU frame field),
88
Root Link Query PDU (RPDU),
114
root path cost (BPDU frame field),
88
root switches
election by STP, 89-90
timer control by, 89
UplinkFast (STP), 111
RootGuard (STP), 132-134
routable traffic, MLS handling,
164-165
route caching (switching architecture), 160
Route Processor Redundancy (RPR),
Catalyst switches, 185-186
S
sample tests, 359, 401
answer keys, 385, 421
scalability
MANs (metropolitan area networks), Ethernet considerations,
334
unicasting and, 218
security
Catalyst switches
802.1X authentication,
316-317
AAA, 308
components, 307-308
configuring, 306-307
configuring AAA, 311-312
enabling AAA, 309
port security, 313-316
VACLs, 317
activating, 319
configuring, 318-319
segments (networks), designated
ports and switches, 91
serialization (IP telephony), 259
Server Farm module, 17
campus intranets, 29
Server Load Balancing. See SLB
service level (MANs), Ethernet
considerations, 334
service password-encryption command, switch configuration, 32
Service Provider Edge module, 18
services, Catalyst switch security, 307
SEs (Supervisor Engines), 185-189
set spantree bpdu-skewing command,
132
SFM (Switch Fabric Module), 37-38
shaping traffic, 273
shared access (access layer), 15
shared distribution trees, multicasts,
230
shared environments, unicast
packets, 218
Shared Spanning Tree. See PVST
show commands, troubleshooting
switches, 35
show interface switchport command,
trunk configuration, 67
show interface trunk command,
trunk configuration, 67
show interfaces command, 54
show ip pim interface command, 239
show ip pim neighbor command, 239
show ip protocols command, 157
configuration, 31
converting CatOS to IOS,
36-37
sample configuration, 32-33
viewing configuration files, 34
CST (Common Spanning Tree),
95
designated port and switch
resolution, 91
forwarding and filtering frames,
84-85
identifiers, 89
IP addresses, assigning to, 33
Layer 2 redundancy, 191
MANs, list of Cisco solutions,
332-333
MST (Multiple Spanning Tree),
IST and, 122-123
multicasting, 236
CGMP traffic control
protocol, 237-238
IGMP snooping, 237
traffic control methods,
236-237
multilayer, campus intranets, 22
PVST, 96-97
PVST+, 97
root
election by STP, 89-90
timer control by, 89
root port selection, 90-91
RSTP behavior in an STP
network, 115
SFM, 37-38
STP (Spanning Tree Protocol)
bridging loops, 92
configuring, 97
enabling/disabling, 97
overview, 86
path selection, 98-99
T
tag stacking
encapsulation, 344-345
MANs and, 344
tail dropping (congestion avoidance),
271
TC While timers, 119
TCAM tables, 165-166
TCNs (topology change notifications),
eliminating loops, 86
TCP header compression, 274
TCP/IP, multicasting, 220
telephony
auxiliary VLANs, 258
congestion avoidance
RED (random early detection),
272
tail dropping, 271
WRED (weighted random
early detection), 272, 287-288
network design considerations,
254-255
network management strategy,
255
policing traffic, 273
power requirements, 257
QoS (Quality of Service)
architectures, 262
bandwidth, 256-257
Best Effort architecture, 262
components, 255-256
delay issues, 259-260
DiffServ architecture, 263-264
IntServ architecture, 263
jitter, 260
overview, 258-259
packet loss, 260
solution characteristics,
261-262
scalability, design issues, 258
shaping traffic, 273
traffic congestion
class-based weighted fair
queuing, 269
custom queuing, 268
FIFO queuing, 267
low latency queuing, 269
priority queuing, 267-268
queuing, 266-267
real-time transport protocol
priority queuing (RTP-PQ),
269-270
trunking
Catalyst switch security, 308
PR interfaces and, 150
router-on-a-stick configuration,
155
trunks
configuring, 66
verifying configuration, 66-67
troubleshooting connections, 68
VTP (VLAN Trunk Protocol),
68-72
tunneling, 802.1Q (VLANs), 62-64
U
UDLD (Unidirectional Link
Detection), 134-135
compared to Loop Guard,
136-137
UDP, multicasts, 220
underrun (IP telephony), 260
unicasts, 218
Uninterruptible Power Supply.
See UPS
uplink interfaces, Layer 2
redundancy, 190-191
UplinkFast (STP), 110-112
UPS (Uninterruptible Power Supply)
importance of, 184
IP telephony, 257
username command, AAA and, 309
V
VACLs, 317-319
verification
CEF, 172-173
HSRP operation, 201-202
implementation, 48-51
IOS routing configuration,
150-154
IP telephony and, 258
NICs, 57
port-based membership, 52
ports, associating, 53
protocols, 58
802.1Q, 59-61
ISL (InterSwitch Link), 58-59
supported ranges, 62
tunneling 802.1Q, 62-64
removing from trunks, 73-74
route processors, 148-149
switches, adding, 72
token-ring support, 58-59
troubleshooting, 55
trunk links, 56
trunk ports, 56
user assignment, 51-52
VMPS (VLAN Management Policy
Server), 51
VMR entries (TCAM tables), 166
VoIP, 256. See also IP telephony
VRRP (Virtual Router Redundancy
Protocol), 204
VTP (VLAN Trunk Protocol), 68
advantages, 68-69
domains, 75-76
management domain, 69
W-X-Y-Z
weighted fair traffic queuing, IP
telephony, 268
weighted random early detection
(WRED), IP telephony traffic
congestion avoidance, 272
weighted round-robin queuing
(WRRQ), IP telephony, 270
WFQ (weighted fair queuing), 268
configuring, 280
WRED (weighted random early
detection), congestion avoidance,
272, 287-288
wrr-queue bandwidth command, 287
wrr-queue queue-limit command,
287
WRRQ (weighted round-robin
queuing), 270
configuring, 286-287