Cisco CCNP SWITCH v1.0 Exam Review
INTRODUCTION
This document provides a comprehensive guide for reviewing every concept on the CCNP SWITCH v1.0 exam. It was created by a student for students; in no way does it replace study resources. It is a guide to quickly review and recall forgotten concepts. I've made an effort to keep the diagrams readable and understandable, and have used color coding to easily identify commands, output to watch out for, and comments. However, I'm not a graphic designer. This is an example:

- Normal network device output (switches and routers) is displayed in green
- Commands are displayed in blue
- Lines that need attention and make troubleshooting easier are in red
- My own comments explaining certain points are in yellow (in this text they are prefixed with #)

Please forward all feedback, questions and suggestions to ddiaz@ieee.org

1.1 VLAN FOUNDATIONS

- VLANs are used to logically group users, configure specific access controls and help implement quality of service.
- Broadcast traffic is restrained to the specific VLAN segment; it is not forwarded through all switch ports.
- Trunk ports forward traffic from ALL VLANs.
- The native VLAN is the VLAN assigned to all untagged frames received on trunk links (the default native VLAN is 1).
- 1 VLAN = 1 subnet.

1.1.1 Local VLANs

VLANs spanning the local switch block only.

1.1.1 End-to-End VLANs

VLANs spanning all switches.

Local VLANs should not extend beyond the distribution layer!

1.2 VLAN CONFIGURATION

Before configuring VLANs, let's look at the currently existing VLANs:


Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Creating VLANs
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name CCNP
Switch(config-vlan)#end

Verifying VLANs
Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4      #This is the native (default) vlan
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   CCNP                             active
1002 fddi-default                     active    #Unused VLANs added by Cisco to be
1003 token-ring-default               active    #industry compliant
1004 fddinet-default                  active
1005 trnet-default                    active

Adding switchports to a VLAN

Switch#configure terminal
Switch(config)#interface range fa0/10 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#end

Verifying switchport VLAN configuration

Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gig1/1, Gig1/2
10   CCNP                             active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN information is not stored with the configuration file! Instead, the VLAN information is stored in flash in the file vlan.dat. When clearing a switch, don't forget to erase this file along with the startup-config:
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

1.3 VLAN TRUNKING

- Trunking forwards frames from ALL VLANs through the trunk interfaces and leaves the VLAN tags ON.
- The switch adds VLAN information to each frame (802.1Q inserts a tag; it does not encapsulate).
- Trunking is a Layer 2 feature.

1.3.1 Inter-Switch Link (ISL)

- Cisco proprietary
- Encapsulates the frames
- Not available in new switches

1.3.1 802.1Q

- Industry standard
- Inserts a tag into the frame only

1.3.2 Trunk Negotiation

- DTP (Dynamic Trunking Protocol) is the protocol used to negotiate a trunk between switches.
- The default DTP mode is Dynamic Desirable (attempts to negotiate a trunk with the other side).
- DTP modes:
  - Access: Used to configure ports connecting to servers, computers and other end devices.
  - Trunk: Used to hard-code a trunk relationship; used on ports that connect to other switches.
  - Dynamic Auto: Listens for DTP requests; only forms a trunk if the other side is Dynamic Desirable (or Trunk).
  - Dynamic Desirable: Default; sends DTP requests to attempt to form a trunk.
  - Nonegotiate: Will not send and will not respond to DTP requests.

Verifying DTP configuration on specific ports
Switch#show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (CCNP)
#Output omitted

Resulting link type for each combination of DTP modes on the two ends of a link:

                     Dynamic Auto          Dynamic Desirable     Trunk                 Trunk & Nonegotiate   Access
Dynamic Auto         Access                Trunk                 Trunk                 Limited Connectivity  Access
Dynamic Desirable    Trunk                 Trunk                 Trunk                 Limited Connectivity  Access
Trunk                Trunk                 Trunk                 Trunk                 Trunk                 Limited Connectivity
Trunk & Nonegotiate  Limited Connectivity  Limited Connectivity  Trunk                 Trunk                 Limited Connectivity
Access               Access                Access                Limited Connectivity  Limited Connectivity  Access
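As an added example (not part of the study guide), the following Python encodes the DTP matrix above and derives each end's mode from the `show interfaces ... switchport` output shown earlier, so the result of a link can be predicted from both configurations and ports still left in a negotiated mode can be listed. The sample switchport outputs are constructed, and the mapping from the "Administrative Mode" and "Negotiation of Trunking" lines to the matrix modes is my own assumption.

```python
"""Added example (not part of the study guide): predicting DTP results.

Encodes the DTP mode matrix from section 1.3.2 and reads the configured mode
from "show interfaces <port> switchport" output, so the result of a link can
be predicted from both ends' configuration and ports still in a negotiated
mode can be listed. The sample outputs below are constructed; the mapping from
the Administrative Mode / Negotiation of Trunking lines is an assumption.
"""
import re

AUTO, DESIRABLE, TRUNK, NONEG, ACCESS = (
    "Dynamic Auto", "Dynamic Desirable", "Trunk", "Trunk & Nonegotiate", "Access")
LIMITED = "Limited Connectivity"

# Same row/column order as the guide's table; the matrix is symmetric.
MODES = [AUTO, DESIRABLE, TRUNK, NONEG, ACCESS]
MATRIX = [
    [ACCESS,  TRUNK,   TRUNK,   LIMITED, ACCESS],   # Dynamic Auto
    [TRUNK,   TRUNK,   TRUNK,   LIMITED, ACCESS],   # Dynamic Desirable
    [TRUNK,   TRUNK,   TRUNK,   TRUNK,   LIMITED],  # Trunk
    [LIMITED, LIMITED, TRUNK,   TRUNK,   LIMITED],  # Trunk & Nonegotiate
    [ACCESS,  ACCESS,  LIMITED, LIMITED, ACCESS],   # Access
]

# Administrative Mode strings as IOS prints them.
ADMIN_MODES = {"static access": ACCESS, "dynamic auto": AUTO,
               "dynamic desirable": DESIRABLE, "trunk": TRUNK}


def link_outcome(mode_a, mode_b):
    """What the link becomes when the two ends use the given DTP modes."""
    return MATRIX[MODES.index(mode_a)][MODES.index(mode_b)]


def port_mode(switchport_output):
    """Map one port's 'show interfaces ... switchport' text to a matrix mode.

    'Negotiation of Trunking: Off' on an administratively trunk port is the
    'switchport nonegotiate' case; on an access port it is simply the default.
    """
    admin = re.search(r"Administrative Mode:\s*(.+)", switchport_output).group(1).strip()
    negotiation = re.search(r"Negotiation of Trunking:\s*(\w+)", switchport_output).group(1)
    mode = ADMIN_MODES[admin]
    if mode == TRUNK and negotiation == "Off":
        return NONEG
    return mode


def predict_link(output_a, output_b):
    """Predicted link type from the switchport output of both ends."""
    return link_outcome(port_mode(output_a), port_mode(output_b))


def dynamic_ports(ports):
    """Names of ports whose mode is still negotiated (Dynamic Auto/Desirable)."""
    return [name for name, text in ports.items() if port_mode(text) in (AUTO, DESIRABLE)]


# Constructed samples, trimmed to the lines the parser uses.
SAMPLE_PORTS = {
    "Fa0/1": "Name: Fa0/1\nAdministrative Mode: trunk\nOperational Mode: trunk\n"
             "Negotiation of Trunking: Off\n",
    "Fa0/2": "Name: Fa0/2\nAdministrative Mode: dynamic desirable\n"
             "Operational Mode: static access\nNegotiation of Trunking: On\n",
    "Fa0/10": "Name: Fa0/10\nAdministrative Mode: static access\n"
              "Operational Mode: static access\nNegotiation of Trunking: Off\n",
}

if __name__ == "__main__":
    for name in SAMPLE_PORTS:
        print(name, "->", port_mode(SAMPLE_PORTS[name]))
    print("Fa0/2 facing a Dynamic Auto neighbour:",
          link_outcome(port_mode(SAMPLE_PORTS["Fa0/2"]), AUTO))
    print("still negotiating:", dynamic_ports(SAMPLE_PORTS))
```

Because the default mode is Dynamic Desirable, a port that was never explicitly set to access will, according to the matrix, form a trunk with any neighbour that is Dynamic Auto, Dynamic Desirable or Trunk; `dynamic_ports` lists such ports so they can be set to `switchport mode access`, or to `switchport mode trunk` plus `switchport nonegotiate` where a real trunk is intended.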

Configuring Trunk Links

Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 99
#Other side still has native VLAN 1
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
#Fa0/1 comes up as the trunk is established. The other side is already configured.
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with Switch FastEthernet0/1 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with Switch FastEthernet0/1 (1).
#Notice the native VLAN mismatch: the other side has native VLAN 1. Once the other side changes to 99 this message disappears.
Switch(config-if)#switchport trunk allowed vlan 10,20,9
#This command restricts which VLANs are allowed on this specific trunk link

Verifying Trunk Link

Switch#show interface fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
#Output omitted

1.4 VTP

- The goal is to replicate VLANs among 2 or more switches.
- All new switches start with revision 0. As VLAN changes are made, the revision is increased by 1.
- If a higher revision is detected on a neighbor switch, the local switch will replace its VLAN information with the neighbor's, since it is a newer version of the VLAN database on the network.
- For replication to take place, the switches must share the following parameters:
  - VTP Version: Version 2 is the latest one
  - VTP Domain: When default (NULL), it will inherit the first domain it sees on the network. CASE SENSITIVE!
  - VTP Password: Ignored if the password is blank
- VTP modes:
  - Server (default): Can change VLAN information; sends/receives VTP updates to/from other switches
  - Client: Cannot change VLAN information; sends/receives VTP updates from the server to other clients
  - Transparent: Can change VLAN information; ignores updates from the server BUT passes these updates through to other switches; does not send updates generated by itself. When in transparent mode, the revision will always be 0.
- VTP Pruning stops the switch from sending broadcasts to other switches if they do not know about the VLAN in which the broadcast originated.
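To make the revision rule concrete, here is an added Python model (not from the guide) of what the bullets above describe: a switch replaces its VLAN database with a neighbour's advertisement when domain, password and version match and the advertised revision is higher; a transparent switch ignores the update but relays it; a client applies it but cannot originate changes; a NULL domain inherits the first domain seen. Switch names and VLAN sets are constructed sample data.

```python
"""Added example (not part of the study guide): a model of VTP revision handling.

Simulates the replication rules of section 1.4. Switch names and VLAN sets are
constructed; the only behaviour modelled is what the guide's bullets state.
"""


class VtpSwitch:
    def __init__(self, name, mode="server", domain=None, password="", version=2):
        self.name = name
        self.mode = mode          # "server", "client" or "transparent"
        self.domain = domain      # None models the default (NULL) domain
        self.password = password  # blank password means "ignore the password"
        self.version = version
        self.revision = 0         # every new switch starts at revision 0
        self.vlans = {1: "default"}

    def add_vlan(self, vid, name):
        """Only servers and transparent switches may change VLAN information."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot change VLANs")
        self.vlans[vid] = name
        if self.mode != "transparent":   # transparent mode keeps the revision at 0
            self.revision += 1

    def advertisement(self):
        """What this switch sends; a transparent switch originates nothing."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "password": self.password,
                "version": self.version, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply a neighbour's advertisement; return what is passed on (or None)."""
        if adv is None:
            return None
        if self.mode == "transparent":
            return adv                      # ignored locally, relayed unchanged
        if self.domain is None:             # NULL domain inherits the first one seen
            self.domain = adv["domain"]
        # Domain comparison is case sensitive, exactly like IOS.
        if (adv["domain"] != self.domain or adv["version"] != self.version
                or (self.password and adv["password"] != self.password)):
            return None                     # parameters differ: no replication
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])  # newer database wins, old VLANs are gone
            self.revision = adv["revision"]
        return self.advertisement()


def propagate(chain):
    """Push the first switch's advertisement along a linear chain of switches.

    Returns (name, revision, sorted VLAN ids) for every switch afterwards.
    """
    adv = chain[0].advertisement()
    for sw in chain[1:]:
        adv = sw.receive(adv)
    return [(sw.name, sw.revision, sorted(sw.vlans)) for sw in chain]


if __name__ == "__main__":
    server = VtpSwitch("Server", domain="ccnp", password="ccnp")
    server.add_vlan(10, "CCNP")
    server.add_vlan(20, "CCSP")
    transparent = VtpSwitch("Transparent", mode="transparent", domain="ccnp", password="ccnp")
    client = VtpSwitch("Client", mode="client", password="ccnp")   # NULL domain
    print(propagate([server, transparent, client]))
    # A switch carrying a higher revision in the same domain overwrites the client's VLANs.
    stale = VtpSwitch("Stale", domain="ccnp", password="ccnp")
    for i in range(5):
        stale.add_vlan(100 + i, f"OLD{i}")
    print(propagate([stale, client]))
```

The last scenario is the one the guide's revision rule implies: a switch whose database carries a higher revision with a matching domain and password overwrites the VLANs of every switch that accepts its advertisement, and VLANs 10 and 20 disappear from the client. Since transparent mode keeps the revision at 0, placing a switch in transparent mode before connecting it to the network is one way to avoid that.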

1.3.2 Verifying VTP

Initial VTP status on a new switch. Check the default mode, version, revision, etc.
Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
#The last 2 lines indicate which switch gave us the current revision update.

Configuring and verifying the different modes

Switch#configure terminal
Switch(config)#vtp mode client
Setting device to VTP CLIENT mode.
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode              : Client
#Output omitted
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode              : Transparent
#Output omitted

Configuring VTP domain, password and verification

Switch(config)#vtp domain ccnp
Changing VTP domain name from NULL to ccnp
Switch(config)#vtp password ccnp
Setting device VLAN database password to ccnp
Switch(config)#do show vtp status
#Output omitted
VTP Operating Mode              : Transparent
VTP Domain Name                 : ccnp
#Output omitted

Creating VLANs and verifying revision numbers

Switch(config)#do show vtp status
VTP Version                     : 2
Configuration Revision          : 0
#Output omitted
Switch(config)#vlan 10
Switch(config-vlan)#name CCNP
Switch(config-vlan)#do show vtp status
VTP Version                     : 2
Configuration Revision          : 1
#Output omitted
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name CCSP
Switch(config-vlan)#do show vtp status
VTP Version                     : 2
Configuration Revision          : 2
#Output omitted

Configuring VTP Pruning

Switch(config)#vtp pruning

2.1 SPANNING-TREE
- By default, switches forward ALL broadcast frames out of every port except the one they were received on.
- Business requirements drive us to build redundant systems, networks and infrastructure.
- Spanning-tree allows us to build redundant network links while avoiding switching loops.
- The original spanning-tree (802.1D) was designed to detect and prevent switch loops.
- BPDUs (Bridge Protocol Data Units) are sent out every switchport as broadcast; if a switch's own BPDU arrives back at the originating switch, spanning-tree realizes there's a loop somewhere and starts blocking ports.
- BPDUs also designate one of the switches to be the root bridge.
- BPDUs are sent every 2 seconds.
- The root bridge becomes the privileged switch; all of its ports become designated ports.
- All the other switches find the best port to reach the root bridge (root port), and all other redundant links are evaluated to decide who blocks what. On every link there must be at least 1 designated port.
- The Bridge ID is determined by Priority.MAC-Address.PortNumber. Lowest is better! (MAC address of the switch, not of the switchport!)
- The MAC address of the switch can be found with the `show version` command.
- By default the priority is 32,768; it can be changed in increments of 4096 (for PVST). The lowest priority is 0, the highest is 61,440.
- Link cost relates to link speed: 10 Mbps = cost 100, 100 Mbps = cost 19, 1 Gbps = cost 4, 10 Gbps = cost 2.
- Switches calculate the cost to reach the root bridge to find the best link.
- Spanning-tree runs straight out of the box; no need to turn it on.
- Edge ports are ports that connect to end devices, configured with the spanning-tree portfast command.

2.1.1 Spanning-Tree in Action

2.1.2 PVST
- PVST makes STP run individual instances for each VLAN.
- All switches now support PVST.
- PVST changes the Bridge ID by adding the VLAN number to the priority. For example, for VLAN 1 the priority would be 32769 instead of 32768.
- Helps with load balancing, as VLAN traffic can be distributed among 2 or more switches. Usually the distribution switches are each configured to be the root bridge for different VLANs.

Enabling PVST
Switch(config)#spanning-tree mode pvst

Verifying STP on the root bridge (SwitchA)

SwitchA#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769                       #Adds VLAN number (1)
             Address     0006.2A9A.4388
             This bridge is the root                 #We are the root bridge for VLAN 1
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)   #Ourselves
             Address     0006.2A9A.4388
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/3            Desg FWD 19        128.3    P2p
#Designates all ports. Ports are in the FWD (Forwarding) state; cost is 19, so these are 100Mbps links

Verifying STP on a non-root bridge (SwitchB)

SwitchB#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0006.2A9A.4388              #MAC address of the root bridge
             Cost        19                          #Cost to get to the root bridge
             Port        3(FastEthernet0/3)          #Interface used to get to the root bridge
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0050.0FB5.B5B0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Root FWD 19        128.3    P2p
#One root port and at least 1 designated port per link (SwitchC must be blocking)

Verifying STP on a non-root bridge (SwitchC)

SwitchC#show spanning-tree
VLAN0001
#Output omitted
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
#In fact, SwitchC has an Alternate (Blocking) port towards the root bridge, and a root port

Configuring SwitchB as the root bridge for VLAN 1

SwitchB(config)#spanning-tree vlan 1 root primary
%SYS-5-CONFIG_I: Configured from console by console
SwitchB(config)#do show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577                       #PVST calculates the new priority
             Address     0050.0FB5.B5B0
             This bridge is the root                 #In fact, we are the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0050.0FB5.B5B0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
#Fa0/3, which was the Root port before, has become Designated since we are the root bridge

SwitchA's new spanning-tree output

Switch1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0050.0FB5.B5B0              #MAC address of the root bridge
             Cost        19                          #Cost to get to the root bridge
             Port        3(FastEthernet0/3)          #Interface used to get to the root bridge
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0006.2A9A.4388
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/3            Root FWD 19        128.3    P2p
#One root port and at least 1 designated port per link (SwitchC must be blocking)
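As an added example (not from the guide), the Python below models the election that the outputs in sections 2.1 and 2.1.2 show: bridge IDs compared as (priority + VLAN number, MAC address), root path cost from the guide's cost table, and the per-port roles Root / Desg / Altn, first with default priorities and then after `spanning-tree vlan 1 root primary` lowers SwitchB's priority to 24576 (24577 with the sys-id-ext, as in the output above). SwitchA's and SwitchB's MAC addresses are the ones in the outputs; SwitchC's is not shown on the page, so a constructed value is used. The rule that `root primary` picks 24576, or 4096 below the current root if that is already lower, is IOS behaviour I am assuming rather than something the guide states.

```python
"""Added example (not from the study guide): a small STP/PVST election model.

Computes the root bridge, root path costs and per-port roles (Root, Desg,
Altn) for the three-switch topology of section 2.1, then re-runs the election
after "spanning-tree vlan 1 root primary" lowers SwitchB's priority. SwitchC's
MAC address is not shown in the guide, so a constructed value is used for it.
"""
from dataclasses import dataclass

# Path cost per link speed (Mbps) as listed in the guide.
LINK_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str               # chassis MAC from "show version", not a port MAC
    priority: int = 32768  # base priority; PVST adds the VLAN number (sys-id-ext)

    def bridge_id(self, vlan):
        """Bridge ID compared as (priority + VLAN, MAC); the lowest wins."""
        return (self.priority + vlan, self.mac.lower())


def root_primary_priority(current_root_base_priority):
    """Priority that 'spanning-tree vlan N root primary' picks (assumed IOS rule):
    24576 if that beats the current root, otherwise 4096 below the root."""
    if current_root_base_priority > 24576:
        return 24576
    return current_root_base_priority - 4096


def run_stp(switches, links, vlan=1):
    """links: (switch, port, switch, port, speed_mbps) tuples.
    Returns (root name, {switch: root path cost}, {(switch, port): role})."""
    bid = {s.name: s.bridge_id(vlan) for s in switches}
    root = min(bid, key=bid.get)
    adj = {s.name: [] for s in switches}
    for a, pa, b, pb, speed in links:
        adj[a].append((pa, b, pb, LINK_COST[speed]))
        adj[b].append((pb, a, pa, LINK_COST[speed]))
    # best[x] = (root path cost, sender bridge ID, sender port, receiving port);
    # this is the 802.1D tie-break order, so tuple comparison picks the superior BPDU.
    inf = float("inf")
    best = {n: (inf, None, None, None) for n in adj}
    best[root] = (0, bid[root], 0, 0)
    root_port = {}
    changed = True
    while changed:          # relax until every switch holds its best BPDU
        changed = False
        for x in adj:
            if x == root:
                continue
            for local_port, nbr, nbr_port, cost in adj[x]:
                if best[nbr][0] == inf:
                    continue
                cand = (best[nbr][0] + cost, bid[nbr], nbr_port, local_port)
                if cand < best[x]:
                    best[x], root_port[x], changed = cand, local_port, True
    roles = {}
    for a, pa, b, pb, _ in links:
        # The end advertising the superior (cost, bridge ID, port) is designated;
        # the other end is Root if this is that switch's best path, else Altn.
        adv_a, adv_b = (best[a][0], bid[a], pa), (best[b][0], bid[b], pb)
        d, o, dp, op = (a, b, pa, pb) if adv_a < adv_b else (b, a, pb, pa)
        roles[(d, dp)] = "Desg"
        roles[(o, op)] = "Root" if root_port.get(o) == op else "Altn"
    return root, {n: best[n][0] for n in adj}, roles


# Topology read from the guide's outputs: A-C on Fa0/1, A-B on Fa0/3, B-C on Fa0/2, all 100 Mbps.
SWITCH_A = Switch("SwitchA", "0006.2A9A.4388")
SWITCH_B = Switch("SwitchB", "0050.0FB5.B5B0")
SWITCH_C = Switch("SwitchC", "00d0.bc11.2233")   # constructed MAC, not from the guide
LINKS = [("SwitchA", 1, "SwitchC", 1, 100),
         ("SwitchA", 3, "SwitchB", 3, 100),
         ("SwitchB", 2, "SwitchC", 2, 100)]


def before_and_after():
    """Election with default priorities, then after SwitchB is made root primary."""
    before = run_stp([SWITCH_A, SWITCH_B, SWITCH_C], LINKS)
    new_b = Switch(SWITCH_B.name, SWITCH_B.mac, root_primary_priority(SWITCH_A.priority))
    after = run_stp([SWITCH_A, new_b, SWITCH_C], LINKS)
    return before, after


if __name__ == "__main__":
    for label, (root, costs, roles) in zip(("before", "after"), before_and_after()):
        print(label, "root =", root, costs)
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} Fa0/{port}: {role}")
```

Running it reproduces the guide's outputs: with default priorities SwitchA is root, SwitchB's Fa0/3 and SwitchC's Fa0/1 are root ports and SwitchC's Fa0/2 is the alternate (blocking) port; after `root primary` SwitchB becomes root with priority 24576, SwitchA's Fa0/3 turns into its root port and SwitchC's Fa0/1 is the port that now blocks.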

2.1.2 STP Port States

Blocking: If a port is blocked and the link to the root is lost, this port will stay blocked for 20 seconds to see if the root link comes back up before it enables the failover link.
Listening: If the link doesn't come back up, the port moves to the Listening (LST) state and waits 15 seconds, sending/receiving BPDUs to detect loops.
Learning: After listening, the port starts to Learn (LRN) for the next 15 seconds to fill up the CAM table with MAC addresses.
Forwarding: The port is promoted to the Forwarding (FWD) state.

It takes up to 50 seconds to fail over (OUCH!). Because STP was designed decades ago, this wasn't too much of a problem. Nowadays networks are way faster and can transfer data much quicker. Need for Speed!

2.1.3 RSTP (Rapid Spanning-Tree)

Have you ever had that problem where you boot your PC and by the time it boots you don't have a network connection, logging on to the domain takes forever because it cannot contact Active Directory, and if it does, it cannot load your account profile? This is because PCs boot quickly and run the DHCP client before the switch can transition the port to the forwarding state. The result is a PC without an IP trying to talk to the network. To get around this, we enable portfast on switchports that we know connect to an end device.
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/10 but will only have effect when the interface is in a non-trunking mode.

RSTP (802.1w) redefines the port states, lowers the timers and can converge almost instantly; no more waiting 50 seconds. It must be enabled on ALL switches for it to work properly.

2.1.4 RSTP Port States

Discarding: Replaces Blocking (BLK) to prevent loops.
Learning: The port starts to Learn (LRN) for the next 15 seconds to fill up the CAM table with MAC addresses.
Forwarding: The port is promoted to the Forwarding (FWD) state.

2.1.4 RSTP Roles

- The root bridge becomes the privileged switch; all of its ports become designated ports.
- All the other switches find the best port to reach the root bridge (root port), and all other redundant links are evaluated to decide who blocks what. On every link there must be at least 1 designated port.
- The blocking port roles from STP are now alternate ports. The switch remembers this path as a possible link to reach the root bridge. This allows RSTP to fail over to the alternate port without having to re-learn the topology.
- Edge ports are ports that connect to end devices, configured with the spanning-tree portfast command.

2.1.5 RSTP Configuration

Enabling rapid-pvst
Switch(config)#spanning-tree mode rapid-pvst

3.1 ETHERCHANNEL
- Etherchannel allows us to use multiple physical connections and put them together as one virtual link. This virtual link is called a channel group.
- Provides automatic failover; if one of the physical links fails, the channel group simply uses the rest of the links in the group.
- Protocols for Etherchannel are PAgP (Port Aggregation Protocol) and LACP (Link Aggregation Control Protocol).
- Make sure the interfaces configured with Etherchannel belong to the same VLAN! And on both sides!
- Changes made to the port-channel interface affect all switchports that are members of the channel.

3.1.1 PAgP
- Cisco proprietary
- Port modes: On, Desirable, Auto

Whether a channel forms for each combination of PAgP modes on the two sides:

PAgP       On   Desirable  Auto
On         On   On         On
Desirable  On   On         On
Auto       On   On         Off

3.1.1 LACP
- Industry standard (802.3ad)
- Port modes: On, Active, Passive

Whether a channel forms for each combination of LACP modes on the two sides:

LACP       On   Active  Passive
On         On   On      On
Active     On   On      On
Passive    On   On      Off

3.1.2 Layer 2 Etherchannel

SwitchA(config)#interface range fa0/1 - 3
SwitchA(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SwitchA(config-if-range)#channel-group 1 mode on

3.1.3 Verifying Layer 2 Etherchannel

Verifying Etherchannel. Other verification commands include show etherchannel detail.
SwitchA#show etherchannel port-channel
                Channel-group listing:
                ----------------------
Group: 1
----------
                Port-channels in the group:
                ---------------------------
Port-channel: Po1
------------
Age of the Port-channel   = 00d:00h:02m:25s
Logical slot/port   = 2/1          Number of ports = 3
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel
Protocol            =   PAGP
Port Security       = Disabled

Ports in the Port-channel:
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa0/1    On                 0
  0     00     Fa0/2    On                 0
  0     00     Fa0/3    On                 0

Time since last port bundled:    00d:00h:02m:25s    Fa0/3

SwitchA#show etherchannel summary
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/1(P)    Fa0/2(P)    Fa0/3(P)

Switch#show etherchannel
                Channel-group listing:
                ----------------------
Group: 1
----------
Group state = L2
Ports: 3   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
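The `show etherchannel summary` line is the quickest health check for a bundle, so here is an added Python example (not part of the guide) that parses those rows and reports anything that keeps the channel from working. The flag meanings come from the legend IOS prints above that table, which the guide does not reproduce: P = bundled in port-channel, S = Layer 2, R = Layer 3, U = in use, D = down, I = stand-alone, s = suspended. The first sample row is the guide's own output; the second row is a constructed failing bundle.

```python
"""Added example (not part of the study guide): checking 'show etherchannel summary'.

Parses the Group / Port-channel / Protocol / Ports rows of the output shown in
section 3.1.3 and lists anything that stops the bundle from working. The flag
legend (P, S, R, U, D, I, s) is the one IOS prints above that table; it is not
reproduced in the guide. The second sample row below is constructed.
"""
import re

ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Return one dict per channel group: number, flags, protocol and (port, flags) members."""
    groups = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue          # header, separator and counter lines
        num, po, po_flags, proto, ports = m.groups()
        groups.append({"group": int(num), "port_channel": po, "flags": po_flags,
                       "protocol": proto, "members": PORT_RE.findall(ports)})
    return groups


def bundle_problems(group):
    """Reasons a channel group is not fully operational (empty list = healthy)."""
    issues = []
    if "U" not in group["flags"]:
        issues.append(f"{group['port_channel']} is not in use (flags {group['flags']})")
    if "D" in group["flags"]:
        issues.append(f"{group['port_channel']} is down")
    for port, flags in group["members"]:
        if "P" not in flags:   # D = down, I = stand-alone, s = suspended all mean "not bundled"
            issues.append(f"{port} is not bundled into {group['port_channel']} (flags {flags})")
    return issues


def check_summary(text):
    """Map each port-channel name to its list of problems."""
    return {g["port_channel"]: bundle_problems(g) for g in parse_summary(text)}


# First row is the guide's output; the second is a constructed failing bundle.
SAMPLE_SUMMARY = """\
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/1(P)    Fa0/2(P)    Fa0/3(P)
2      Po2(SD)          -        Fa0/5(D)    Fa0/6(s)
"""

if __name__ == "__main__":
    for po, issues in check_summary(SAMPLE_SUMMARY).items():
        print(po, "OK" if not issues else "; ".join(issues))
```

A bundle that shows `(SU)` with every member `(P)` is the state to expect after the configuration in 3.1.2; a member stuck in `(I)` or `(s)` usually points at a mismatch between the two sides, which is what the guide's "same VLAN, on both sides" reminder is about.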

3.1.4 Layer 3 Etherchannel

- Same steps as Layer 2, except now we can give a routable IP address to the channel group through the port-channel interface.
- We must remove Layer 2 features from the switch ports with the command no switchport before activating the Etherchannel.

SwitchA(config)#interface range fa0/1 - 3
SwitchA(config-if-range)#no switchport
SwitchA(config-if-range)#channel-group 1 mode on
#Interface Port-Channel 1 was just created
SwitchA(config-if-range)#end
SwitchA#show ip interface brief
#Output omitted
Port-channel 1         unassigned      YES unset  up                    up
SwitchA#configure terminal
SwitchA(config)#interface port-channel 1
SwitchA(config-if)#no switchport
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0

4.1 INTER-VLAN ROUTING

- Done through router-on-a-stick or Layer 3 switch routing.
- Needed to allow devices on one VLAN to talk to devices on a different VLAN.
1. PC1 sends an ARP request for its default gateway (a sub-interface on the router)
2. The router responds with the MAC address of this sub-interface
3. PC1 sends the packet, with a destination IP in VLAN 20, to the router
4. The switch forwards the packet through the trunk link to the router
5. The router detects that the destination is connected to its VLAN 20 sub-interface
6. The router sends an ARP request to contact PC2
7. PC2 responds to the ARP request
8. The router forwards the packet to PC2
Etc.

4.1.1 Router-on-a-stick Configuration

- Easy to set up, very low cost.
- Congestion on the link (imagine all broadcasts from all VLANs; all traffic from all machines in and out of the network flows through this link TWICE), single point of failure, and last but not least, routing speed is slow compared to a switch.

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface fastEthernet 0/20
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config-if)#interface fa0/1.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.10.1.1 255.255.255.0
Router(config-subif)#interface fa0/1.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 10.20.1.1 255.255.255.0
#Sub-interface ID .10 does NOT have to match the VLAN number; it is just better practice

4.1.2 Layer 3 Switch Routing Configuration

- Routing at wire speed!
- Cost of a Layer 3 switch; can be expensive, especially if deploying redundant devices.

#We must enable IP routing
Switch(config)#ip routing

#Using SVIs
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface fastEthernet 0/20
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config)#interface vlan 10
#SVI vlan 10 has just been created
Switch(config-if)#ip address 10.10.1.1 255.255.255.0
Switch(config)#interface vlan 20
#SVI vlan 20 has just been created
Switch(config-if)#ip address 10.20.1.1 255.255.255.0

#Using physical interfaces
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.10.1.1 255.255.255.0
Switch(config)#interface fastEthernet 0/20
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.20.1.1 255.255.255.0

5.1 GATEWAY REDUNDANCY

- Redundancy protocols allow you to configure many gateways as a single virtual gateway, transparent to clients: HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol) and GLBP (Gateway Load Balancing Protocol).
- Automatic failover to the backup gateway if the main one goes down.
- Interface tracking allows you to detect a specific link's status and reduce the priority accordingly, so that the active gateway is replaced.

5.1.1 HSRP
- Hellos every 3 seconds, hold timer is 10 seconds (default)
- Virtual IP & virtual MAC shared by the gateways
- Virtual MAC: 0000.0c07.ac?? (?? = group number)
- One Active, the others Standby
- Organized in standby groups
- Cisco proprietary
- States: Init, Speak, Active, Standby

5.1.1 VRRP
- Hellos every 1 second, hold timer is 3 seconds (default)
- Virtual IP & virtual MAC shared by the gateways
- Virtual MAC: 0000.5e00.01?? (?? = group number)
- One Master, one Backup
- Organized in VRRP groups
- Industry standard (IETF)

5.1.1 GLBP
- Hellos every 3 seconds, hold timer is 10 seconds (default)
- Virtual IP & multiple virtual MAC addresses from the AVFs
- All gateways are load balanced
- One AVG, many AVFs
- Cisco proprietary

5.1.2 Configuring HSRP

Creating standby groups
SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if)#standby 1 ip 10.1.1.254
SwitchA(config-if)#standby 1 priority 150
SwitchA(config-if)#standby 1 preempt
SwitchB(config)#interface vlan 1
SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-if)#standby 1 ip 10.1.1.254
SwitchB(config-if)#standby 1 preempt
#Default priority is 100

5.1.3 Verifying HSRP

Verify the standby configuration: who is active and who is on standby. Hello messages are sent in the Speak, Active and Standby states.
SwitchA#show standby
Vlan 1 - Group 1
  State is Listen
  Virtual IP address is 10.1.1.254
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption enabled
  Active router is unknown
  Standby router is unknown
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
#It's listening... after a few moments...
Mar  1 00:05:53.255: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state Speak -> Standby
Mar  1 00:05:53.755: %HSRP-5-STATECHANGE: Vlan 1 Grp 1 state Standby -> Active
SwitchA#show standby
Vlan 1 - Group 1
  State is Active
    2 state changes, last state change 00:01:41
  Virtual IP address is 10.1.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.460 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.1, priority 100 (expires in 8.968 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Fa0/0-1" (default)

5.1.4 Tuning HSRP

Tuning commands for HSRP; the hello and hold-down timers should be the same on all routers! Setting up tracking for WAN interfaces: if that link goes down we decrement the priority so the other switch takes over! (Only effective with preempt enabled.)

SwitchA(config)#interface vlan 1
SwitchA(config-if)#standby 1 timers msec 50 msec 200
SwitchB(config)#interface vlan 1
SwitchB(config-if)#standby 1 timers msec 50 msec 200
#This changes the hello timer to 50 msec and the hold-down timer to 200 msec
SwitchA(config-if)#standby 1 track fa0/1 60
#Now we tell it to decrement the priority by 60 if fa0/1 dies
SwitchA(config-if)#interface fastEthernet 0/1
SwitchA(config-if)#shutdown
Mar  1 00:22:37.719: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
SwitchA(config-if)#do show standby
Vlan 1 - Group 1
  State is Init (interface down)
#Output omitted; the standby switch has taken over!
  Hello time 50 msec, hold time 200 msec
  Priority 90 (configured 150)
    Track interface FastEthernet0/0 state Down decrement 60
  IP redundancy name is "hsrp-Fa0/0-1" (default)

We should configure a timer that starts as soon as the switch becomes active. This timer determines the minimum amount of time the switch will stay active; this is to avoid problems with flapping interfaces. Also, if the active reboots, we don't want to give the active role to a router that is still learning routes!
SwitchA(config-if)#standby 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it's promoted
SwitchA(config-if)#standby 1 preempt delay reload 180
#Waits 180 seconds before preempting the active one after a reload
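As an added example (not part of the guide), the Python below derives the virtual MAC addresses listed in section 5.1.1 and models the election that sections 5.1.2 to 5.1.4 walk through: highest priority wins, a tracked interface going down decrements the priority (150 minus 60 = 90 in the output above), and a better candidate only takes over from a working active gateway when it has preempt. The gateways mirror the guide's SwitchA and SwitchB but are constructed data; the highest-IP tie-break is standard HSRP/VRRP behaviour that the guide does not state, and the preempt delay timers are not modelled.

```python
"""Added example (not part of the study guide): first-hop redundancy election.

Derives the virtual MAC addresses of section 5.1.1 (HSRP 0000.0c07.ac??,
VRRP 0000.5e00.01??, ?? = group number in hex) and models the election shown
in sections 5.1.2 to 5.1.4: highest priority wins, a tracked interface going
down decrements the priority, and a better candidate only takes over from a
working active gateway when it has preempt. The highest-IP tie-break is
standard HSRP/VRRP behaviour not stated in the guide; gateways are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


def hsrp_vmac(group):
    """HSRP v1 virtual MAC: 0000.0c07.ac followed by the group number in hex."""
    return f"0000.0c07.ac{group:02x}"


def vrrp_vmac(group):
    """VRRP virtual MAC: 0000.5e00.01 followed by the group number in hex."""
    return f"0000.5e00.01{group:02x}"


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100                            # IOS default for HSRP/VRRP/GLBP
    preempt: bool = False
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)        # interfaces currently down

    def effective_priority(self):
        """Configured priority minus the decrement of each tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.tracked.items() if intf in self.down)


def elect(gateways, current_active=None):
    """Name of the active (HSRP) / master (VRRP) gateway after applying the preempt rule."""
    best = max(gateways, key=lambda g: (g.effective_priority(), ip_address(g.ip)))
    active = next((g for g in gateways if g.name == current_active), None)
    if active is None:
        return best.name                 # initial election: best candidate wins
    if best is not active and best.preempt:
        return best.name                 # preempt lets a better candidate take over
    return active.name                   # otherwise the working active keeps its role


def failover_story(a, b):
    """Active gateway over time: steady state, A's tracked link down, link restored."""
    steps = [elect([a, b])]
    a.down.update(a.tracked)                         # every tracked interface on A fails
    steps.append(elect([a, b], current_active=steps[-1]))
    a.down.clear()
    steps.append(elect([a, b], current_active=steps[-1]))
    return steps


if __name__ == "__main__":
    # Mirrors the guide's SwitchA (priority 150, tracking fa0/1 by 60) and SwitchB (default 100).
    switch_a = Gateway("SwitchA", "10.1.1.1", priority=150, preempt=True, tracked={"fa0/1": 60})
    switch_b = Gateway("SwitchB", "10.1.1.2", preempt=True)
    print("group 1 virtual MACs:", hsrp_vmac(1), vrrp_vmac(1))
    print("active over time:", failover_story(switch_a, switch_b))
```

With preempt on both switches the story is SwitchA, then SwitchB while fa0/1 is down, then SwitchA again once the link returns; if SwitchB had no preempt, SwitchA would stay active at priority 90, which is why the guide notes that tracking is only effective with preempt enabled.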

5.1.5 Configuring VRRP

Creating VRRP groups
SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if)#vrrp 1 ip 10.1.1.254
SwitchA(config-if)#vrrp 1 preempt
SwitchA(config-if)#vrrp 1 timers ?
  advertise  Set the Advertisement timer
  learn      Learn timer values from current Master
#On the master we only configure the advertise timer
#The backup devices automatically learn the timers
SwitchA(config-if)#vrrp 1 timers advertise msec 60
SwitchB(config)#interface vlan 1
SwitchB(config-if)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-if)#vrrp 1 ip 10.1.1.254
SwitchB(config-if)#vrrp 1 preempt
SwitchB(config-if)#vrrp 1 priority 90
#Default priority is also 100

5.1.3 Verifying VRRP

Verify the VRRP configuration: who is master and who is backup.
SwitchA#show vrrp
Vlan 1 - Group 1
  State is Master
  Virtual IP address is 10.1.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 0.060 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.1.1.1 (local), priority is 100
  Master Advertisement interval is 0.060 sec
  Master Down interval is 0.789 sec
#It's the master
SwitchB#show vrrp
Vlan 1 - Group 1
  State is Backup
  Virtual IP address is 10.1.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 90
  Master Router is 10.1.1.1, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.648 sec (expires in 3.572 sec)

5.1.4 Tuning VRRP

Only the delay minimum command is available.
SwitchA(config-if)#vrrp 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it's promoted

5.1.5 Configuring GLBP

In GLBP, the priority elects who will be the AVG (Active Virtual Gateway). The rest of the routers in the group will be designated as AVFs (Active Virtual Forwarders).
SwitchA(config-if)#glbp 1 ip 10.1.1.254
SwitchA(config-if)#glbp 1 priority 150
SwitchA(config-if)#glbp 1 preempt
SwitchA(config-if)#glbp 1 timer msec 60 msec 200
#This changes the hello timer to 60 msec and the hold-down timer to 200 msec
SwitchB(config-if)#glbp 1 ip 10.1.1.254
SwitchB(config-if)#glbp 1 priority 90
SwitchB(config-if)#glbp 1 preempt
SwitchB(config-if)#glbp 1 timer msec 60 msec 200

5.1.6 Verifying GLBP

We can look at who is the gateway and who are the forwarders, the virtual MAC addresses, etc.
SwitchA#show glbp
Vlan 1 - Group 1
  State is Active
    2 state changes, last state change 00:03:34
  Virtual IP address is 10.1.1.254
  Hello time 60 msec, hold time 200 msec
    Next hello sent in 0.044 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled
  Active is local
  Standby is 10.1.1.2, priority 90 (expires in 0.148 sec)
  Priority 150 (configured)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    cc00.1060.0000 (10.1.1.1) local
    cc01.1060.0000 (10.1.1.2)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:03:24
    MAC address is 0007.b400.0101 (default)
    Owner ID is cc00.1060.0000
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0102 (learnt)
    Owner ID is cc01.1060.0000
    Redirection enabled, 599.992 sec remaining (maximum 600 sec)
    Time to live: 14399.992 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 0.188 sec)

5.1.4 Tuning GLBP

Only the delay minimum command is available.
SwitchA(config-if)#glbp 1 preempt delay minimum 180
#Waits 180 seconds before giving up the active role after it's promoted

Additional tuning is possible with GLBP for configuring weights, load balancing, etc.; however, it's not covered on the exam.

6.1 WIRELESS LANS

WAPs (Wireless Access Points) communicate like hubs. Only one wireless client can talk at a time since it's a shared signal in half duplex.
Wireless works on Layer 1 and Layer 2 of the OSI model.
Uses CSMA/CA (Collision Avoidance) instead of the CSMA/CD (Collision Detection) used in Ethernet technology.
Suffers from interference from other devices using radio frequency (wireless phones, microwaves) and from physical obstacles (walls, columns, etc.).
Wireless is an extension to a physical network.
A Workgroup Bridge connects two LANs through a wireless connection. The number of users connecting through a workgroup bridge is very limited; enough for about 10 people. It can be used to connect branches in the same MAN (Metropolitan Area Network) in a cost-effective way without having to lease lines, run your own cables or pay monthly fees.

6.1.1 SSIDs
Service Set Identifier (SSID) is a unique identifier that represents a VLAN or a network.

Connecting to an SSID (Figures 1 to 4; the diagrams are not reproduced here)

Figure 1: When a client first tries to connect, it sends a probe as a broadcast, requesting that all access points it can reach reply with a beacon.
Figure 2: The Access Points that were able to hear the probe reply with a beacon to the host. This can be disabled.
Figure 3: The client chooses one from the list of beacons that replied (the list of wireless networks available to you in Windows).
Figure 4: Assuming there is no security enabled, the wireless access point adds the MAC address of the new wireless client to its list of connected devices and provides it with an IP if DHCP is available and enabled.

6.1.2 WLAN Design

Repeaters should have a 50% area overlap to be able to reproduce signals properly
APs should have up to 15% area overlap to be able to roam from one to another without losing connection to an SSID
Neighbor Access Points must use non-overlapping channels

6.1.3 WLAN Roaming


Seamless hand-off from one Access Point to another as soon as a stronger AP signal is detected. Not supported by normal wireless routers such as Netgear, Linksys, etc. Designed to provide coverage over wide areas, but can be quite costly. Overlap shouldn't be less than 15% or packets may be lost and roaming might not be successful.

As the client gets far from its AP, the AP starts to miss the probes (which are sent periodically from the client) and the signal starts to get weaker. As the signal gets weaker, the client analyzes other Access Points with the same SSID that may provide a better signal. If so, it attempts to roam to this new access point. Wireless Access Points can support multiple VLANs. This means we can create different SSIDs (one per VLAN), each one can have different security mechanisms, and the AP would trunk to a switch to allow communication for all VLANs.

6.1.4 WLAN Frequencies


900 MHz range: 902 - 928 MHz
2.4 GHz range: 2,400 - 2,483 MHz
5 GHz range: 5,150 - 5,350 MHz
Higher frequency = higher data rates = shorter ranges

6.1.5 802.11a
Up to 54 Mbps
NOT compatible with b or g
12 to 23 non-overlapping channels

6.1.5 802.11b
Up to 11 Mbps
Most popular standard
3 non-overlapping channels: 1, 6, 11

6.1.5 802.11g
Up to 54 Mbps
Compatible with b
3 non-overlapping channels: 1, 6, 11

6.1.6 WLAN Security


WEP (Wired Equivalent Privacy), 802.1X EAP, WPA (Wi-Fi Protected Access) and WPA2 (802.11i)
Hardware that supports WEP can also support WPA; not WPA2
WPA uses TKIP (Temporal Key Integrity Protocol)
WPA2 uses TKIP and AES (Advanced Encryption Standard)

6.1.7 WLAN Hardware


Two types of Access Points: Autonomous APs and Lightweight APs.

6.1.7.1 Autonomous AP
Stand-alone
Controlled with WDS (Wireless Domain Services) for roaming
Managed with WLSE (WLAN Solution Engine) through CiscoWorks
IOS based with web interface
Costs more; can be converted into a Lightweight AP based on IOS

6.1.7.1 Lightweight AP
Server-dependent or controller based
Controlled using WLC (Wireless LAN Controller)
Managed with WCS (Wireless Control System)
Downloads config. from WLC
Only Lightweight

6.1.8 Lightweight APs


Lightweight Access Point Protocol (LWAPP) is used on the links between a wireless controller (WLC) and the Access Points
The controller is the brain; APs just process packets from/to wireless clients
Split MAC topology

6.1.9 PoE (Power over Ethernet)


802.3af (PoE) is the industry standard: the ability of a device to send power along the Ethernet connection to an end device, such as IP phones, APs, printers, etc. Both devices must support PoE, and the same standard, whether it is 802.3af, Cisco's proprietary PoE, or any other third-party proprietary PoE standard. Cisco switches support 802.3af and its proprietary protocol.

6.1.10 WLAN Antennas


3 types of antennas: Omni-Directional, Directional and Yagi antennas

6.1.11 Omni
Equal coverage all around

6.1.11 Directional
No signal behind the antenna, which is aimed towards the desired area

6.1.11 Yagi
Antenna pointed towards the desired area; much more range, and the angle of the beam can be adjusted: the smaller it is, the more powerful the signal and the longer it can travel

7.1 VoIP

VoIP is used to save costs on voice transmission
Low bandwidth, centralized data and voice
Saves costs on staff and on moves, adds and changes
The PC daisy-chains to the network through the phone's switch port
The 64 Kbps that a normal voice line takes converts to 8 Kbps through VoIP
Integration of the data world and the voice world

7.1.1 How VoIP Works


Phones talk to Call Manager using the Skinny protocol. The communication happens whenever an event occurs that requires the phone to act. IP Phones are dumb terminals; they don't know anything other than to do what Call Manager says.
How a call works:
- Once a handset is picked up, the phone tells CCM that the handset has been picked up.
- CCM tells the phone to play a dial tone.
- Every time a key is pressed the phone talks to CCM through Skinny.
- When CCM recognizes a dialed number as a pattern, extension, etc., it instructs the phone to play the ringing tone and instructs the other phone to ring.
- Once the other phone picks up, CCM instructs both phones to establish a connection using RTP (Real-time Transport Protocol).
- RTP must be prioritized for QoS.

7.1.2 Dual VLANs


The switchport is configured in access mode, as part of VLAN 200. Then, the voice VLAN is added as VLAN 100. Cisco uses CDP to recognize the phone through this switchport.

SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 200
SwitchA(config-if)#switchport voice vlan 100 #The switch will send CDP packets to make sure a Cisco phone is plugged in

7.1.3 QoS
Marking packets for QoS:
- Class of Service (CoS): Layer 2
- Type of Service (ToS): Layer 3

Classification of packets occurs when a packet is inspected to see what kind of traffic it contains. Packets can be categorized with access-lists, source ports, etc. Classification is CPU intensive.
CoS is marking frames at Layer 2. No deep packet inspection; it looks at the CoS tag on the frame: 3 bits of marking for 7 levels of marking (0 to 7). For example, all SQL traffic can be marked. Levels 6 and 7 are reserved by Cisco for routing protocols, etc.
At Layer 3, CoS is dropped since it's Layer 2 and replaced with ToS. IP Precedence was the old way of marking at Layer 3, up to 7 levels of marking. DSCP now provides up to 64. Routers can look at the ToS to determine priority without having to do deep packet inspection.
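To make the "3 bits at Layer 2 versus 6 bits at Layer 3" point concrete, here is an added example (mine, not from the guide) that pulls the markings out of the actual header fields: the CoS/PCP bits of the 802.1Q tag control information and the DSCP and IP Precedence bits of the IP ToS byte. It also carries the two CoS-to-DSCP tables a switch applies when it rewrites one marking into the other; the default table is the Catalyst default, and the second is the one I understand auto qos voip to install (CoS 5 to EF, CoS 3 to AF31), stated here as an assumption rather than exam content.

```python
# Bit layouts: IEEE 802.1Q TCI = 3-bit PCP (CoS) | 1-bit DEI | 12-bit VID;
# IP ToS byte = 6-bit DSCP | 2-bit ECN (RFC 2474); IP Precedence is the top
# 3 bits of the same byte, i.e. the top 3 bits of the DSCP.

# A few well-known DSCP code points (RFC 2474, RFC 2597, RFC 3246).
DSCP_NAMES = {0: "BE", 8: "CS1", 10: "AF11", 18: "AF21", 24: "CS3",
              26: "AF31", 32: "CS4", 34: "AF41", 40: "CS5", 46: "EF",
              48: "CS6", 56: "CS7"}

# Catalyst default CoS-to-DSCP map (mls qos map cos-dscp 0 8 16 24 32 40 48 56).
COS_TO_DSCP_DEFAULT = [0, 8, 16, 24, 32, 40, 48, 56]
# Map I assume "auto qos voip" installs: CoS 3 -> AF31 (26) for call
# signalling, CoS 5 -> EF (46) for RTP audio. Assumption, not from the guide.
COS_TO_DSCP_AUTOQOS = [0, 8, 16, 26, 32, 46, 48, 56]


def cos_from_tci(tci):
    """CoS is the 3 PCP bits at the top of the 16-bit 802.1Q TCI (0-7)."""
    return (tci >> 13) & 0x7


def vid_from_tci(tci):
    """VLAN ID is the low 12 bits of the TCI (0-4095)."""
    return tci & 0xFFF


def build_tci(cos, vid, dei=0):
    """Assemble a TCI; rejects values that do not fit their bit fields."""
    if not 0 <= cos <= 7 or not 0 <= vid <= 4095 or dei not in (0, 1):
        raise ValueError("CoS is 3 bits (0-7), DEI is 1 bit, VID is 12 bits (0-4095)")
    return (cos << 13) | (dei << 12) | vid


def ip_precedence(tos):
    """Legacy Layer 3 marking: the top 3 bits of the ToS byte (0-7)."""
    return (tos >> 5) & 0x7


def dscp(tos):
    """DSCP: the top 6 bits of the ToS byte (0-63)."""
    return (tos >> 2) & 0x3F


def tos_byte(dscp_value, ecn=0):
    """Build a ToS byte from a DSCP value and the 2 ECN bits."""
    if not 0 <= dscp_value <= 63:
        raise ValueError("DSCP is 6 bits (0-63)")
    return (dscp_value << 2) | (ecn & 0x3)


def dscp_to_cos(dscp_value):
    """Catalyst default DSCP-to-CoS map: keep the 3 class-selector bits."""
    return (dscp_value >> 3) & 0x7


def describe_tos(tos):
    """Summarise every marking a router or switch could read from one ToS byte."""
    d = dscp(tos)
    return {"dscp": d, "name": DSCP_NAMES.get(d, f"DSCP{d}"),
            "ip_precedence": ip_precedence(tos), "cos": dscp_to_cos(d)}


if __name__ == "__main__":
    tci = build_tci(cos=5, vid=100)            # voice frame on VLAN 100
    print(hex(tci), cos_from_tci(tci), vid_from_tci(tci))
    print(describe_tos(tos_byte(46)))          # EF-marked RTP packet
    print(COS_TO_DSCP_DEFAULT[5], COS_TO_DSCP_AUTOQOS[5])
```

The reason the auto qos map matters operationally: with the default table a phone's CoS 5 becomes DSCP 40 (CS5) at the first Layer 3 hop, and a router queue configured to match EF (46) will never see it.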

7.1.3 Configuring QoS


SwitchA(config-if)#mls qos trust cos #Means I will trust the CoS marking on this port; implemented on ports connecting to phones
SwitchA(config-if)#mls qos trust device cisco-phone #For security measures, this will trust the CoS on this port only if a Cisco phone is detected on the other side through CDP.

Auto QoS is available to automatically implement the most appropriate QoS parameters on the interface based on bandwidth, switchport, etc. to meet Cisco's best practices
SwitchA(config-if)#auto qos voip cisco-phone #This auto detects the best priority for this type of traffic

7.1.3 Verifying Auto QoS


SwitchA#show run int fa0/1
interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 wrr-queue bandwidth 10 20 70 1
 wrr-queue min-reserve 1 5
 wrr-queue min-reserve 2 6
 wrr-queue min-reserve 3 7
 wrr-queue min-reserve 4 8
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 4
 wrr-queue cos-map 3 3 6 7
 wrr-queue cos-map 4 5
 priority-queue out
end
#All the wrr-queue and priority-queue lines were applied by auto qos
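The "for security measures" remark on mls qos trust device cisco-phone is the part worth auditing: a port with a bare mls qos trust cos or trust dscp accepts whatever marking the attached host writes, so a PC can put its own traffic in the priority queue. The following added example (my own, not from the guide or from Cisco) reads a constructed show run excerpt in the format shown above and reports access ports that trust markings unconditionally, plus voice-VLAN ports that trust nothing at all. Fa0/1 is the guide's own interface; Fa0/2 to Fa0/4 are constructed counter-examples.

```python
import re

# Constructed running-config excerpt. Fa0/1 is the pattern from the guide;
# Fa0/2 and Fa0/3 trust host markings without the CDP phone check, and
# Fa0/4 is a plain data port for contrast.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 100
 mls qos trust cos
!
interface FastEthernet0/3
 switchport access vlan 200
 switchport mode access
 mls qos trust dscp
!
interface FastEthernet0/4
 switchport access vlan 200
 switchport mode access
!
"""

TRUST_RE = re.compile(r"mls qos trust (cos|dscp|ip-precedence)$")
CONDITIONAL_TRUST = "mls qos trust device cisco-phone"


def parse_interfaces(config):
    """Map interface name -> list of its (stripped) configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or any other top-level line ends the block
    return interfaces


def audit_qos_trust(config):
    """Return (interface, issue, detail) tuples for QoS trust weaknesses."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        trusted = [l for l in lines if TRUST_RE.match(l)]
        conditional = CONDITIONAL_TRUST in lines
        voice_vlan = any(l.startswith("switchport voice vlan ") for l in lines)
        if trusted and not conditional:
            findings.append((name, "unconditional-trust",
                             f"'{trusted[0]}' without '{CONDITIONAL_TRUST}': "
                             "any attached host can mark its own traffic"))
        if voice_vlan and not trusted:
            findings.append((name, "voice-vlan-untrusted",
                             "voice VLAN configured but no trust statement; "
                             "phone markings are rewritten to the port default once mls qos is enabled"))
    return findings


if __name__ == "__main__":
    for iface, issue, detail in audit_qos_trust(RUNNING_CONFIG):
        print(f"{iface}: {issue}: {detail}")
```

The check is deliberately narrow: it does not judge the wrr-queue settings, only whether trust is gated on a CDP-detected phone, which is the difference between the guide's two mls qos trust commands.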
