
CCNP SWITCH

1.1 – Configure and verify switch administration.

SDM – switching database manager

4 Templates – Access, Vlan, Routing and Default.


SDM templates are used to manage and adjust how system resources are allocated on a switch.

“show sdm prefer (template name)” – shows the template name and the memory allocated to each item.

“no sdm prefer” – returns to the default SDM template; the switch must be reloaded afterwards. All members of a stack must use the same template. If a new switch is added to the stack, its template is overridden by the master switch.

CAM – content addressable memory

Stores learnt MAC address information. Each learnt MAC address has an aging timer that is refreshed every time a frame from that address arrives; idle MAC addresses are removed after 300 seconds. Works at layer 2.

“show mac address-table”


“mac address-table static …” – adds a static MAC address
“mac address-table aging-time …” – sets the timeout timer for MAC addresses

TCAM – ternary content addressable memory

Layer 3 counterpart of CAM; works at wire speed. ASICs use TCAM alongside CAM to perform routing lookups, ACLs and QoS in hardware.

“show platform tcam utilization” – shows usage

Error-disable recovery

If a port encounters an error condition, IOS shuts it down (err-disabled) and the port LED turns orange. A shut/no shut resets the port.

“show interface (interface name)” – to see if the port is err-disabled.

“show interface status” – to see if an error is present.

“show interface status err-disabled” – shows the affected ports and the reason for the error.

“errdisable recovery cause (name of issue)” – selects the condition (cause) that automatic err-disable recovery applies to.
“errdisable recovery interval (30)” – sets the interval after which an err-disabled port is automatically brought back up. The default timer is 300 seconds, or you can specify a timer.

1.2 – Configure and verify layer 2 protocols.

CDP – cisco discovery protocol

Allows you to see directly connected devices; Cisco proprietary, enabled by default. Sends updates to a multicast address every 60 seconds and is used in PoE negotiation. Version 2 shows more information, such as the native VLAN.

“show cdp neighbors” – shows device ID, local interface, device name
“show cdp neighbors detail” – shows device ID, IP address, device name, local interface
“show cdp entry (device ID)” – shows device ID, IP address, device name, local interface
“no cdp run” – disables CDP globally
“no cdp enable” – disables CDP on the interface

LLDP – link layer discovery protocol

Open standard; the show commands are the same as for CDP.

“lldp run” – enables LLDP globally
“show lldp traffic” – shows statistics

UDLD – unidirectional link detection

Mainly used on fibre cable and sometimes copper, to detect unidirectional links caused by physical damage. Not part of STP, Cisco proprietary, works at layer 2. Each switch sends a keepalive (“ping”) to the other every 15 seconds; if one side stops receiving them, the port is err-disabled. A fibre optic cable has 2 strands, one for receiving and one for sending. The keepalive is sent to the MAC address 0100.0CCC.CCCC.

TX----------RX
RX----------TX

2 modes: normal and aggressive


Normal – if the switch stops receiving keepalives, the port keeps functioning but is marked as undetermined and a syslog message is generated.
Aggressive – retries the keepalive every second, 8 times; if unsuccessful the port goes into err-disabled.

“udld enable” – enables UDLD on all ports
“udld port (aggressive)” – enables UDLD on a specific port
“show udld” – shows UDLD information

1.3 – configure & verify VLANS

Access ports – Configured where end hosts are connected

VLAN database – when the switch is in VTP server or transparent mode, you can configure VLANs in database mode. The information is saved in vlan.dat.

VLAN ranges: 1 – 4095

Normal range: 1 – 1001
Extended range: 1006 – 4094
Reserved: 0, 1002 – 1005, 4095

1.4 – configure and verify trunking

Trunking

Trunking (tagging) carries traffic for multiple VLANs between switches. 802.1Q is the VLAN tagging standard.

“show interfaces trunk” – shows which interfaces are trunking and their encapsulation

When 802.1Q is enabled, a 4-byte tag is inserted into the frame header:

16 bits = TPID, tells us the frame is 802.1Q
12 bits = VLAN ID
3 bits = CoS (class of service) = QoS at layer 2
1 bit = discard eligible

“switchport trunk encapsulation dot1q”
“switchport mode trunk”

“show interface (name) switchport” – shows all aspects of trunking on the interface
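As an added illustration (not from the original notes), the following Python models the 4-byte tag described above: it builds a tagged frame, decodes the TPID, CoS, DEI and VLAN ID fields, treats an untagged frame as native VLAN traffic, and classifies a VLAN ID into the ranges from section 1.3. The sample frames and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100   # 16-bit tag protocol identifier: "this frame is 802.1Q tagged"
NATIVE_VLAN = 1       # assumption: default native VLAN, as stated in the notes

def build_tagged_frame(dst, src, vid, pcp=0, dei=0, ethertype=0x0800, payload=b""):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # 3-bit CoS, 1-bit DEI, 12-bit VLAN ID
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload

def parse_frame(frame, native_vlan=NATIVE_VLAN):
    """Decode the tag fields; an untagged frame is assigned to the native VLAN, as a trunk port does."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vlan": native_vlan, "pcp": 0, "dei": 0, "ethertype": ethertype}
    tci = struct.unpack("!H", frame[14:16])[0]
    return {
        "tagged": True,
        "vlan": tci & 0x0FFF,         # 12 bits: VLAN ID
        "pcp": tci >> 13,             # 3 bits: class of service (layer 2 QoS)
        "dei": (tci >> 12) & 1,       # 1 bit: discard eligible indicator
        "ethertype": struct.unpack("!H", frame[16:18])[0],
    }

def vlan_range(vid):
    """Classify a VLAN ID into the ranges listed in section 1.3."""
    if vid in (0, 4095) or 1002 <= vid <= 1005:
        return "reserved"
    if 1 <= vid <= 1001:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    raise ValueError(f"VLAN ID {vid} is outside 0-4095")

# Constructed sample frames: a tagged frame in VLAN 205 with CoS 5, and an untagged ARP frame.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0050563a1b2c")
TAGGED = build_tagged_frame(DST, SRC, vid=205, pcp=5, dei=1)
UNTAGGED = DST + SRC + struct.pack("!H", 0x0806)

if __name__ == "__main__":
    print(parse_frame(TAGGED))    # {'tagged': True, 'vlan': 205, 'pcp': 5, 'dei': 1, 'ethertype': 2048}
    print(parse_frame(UNTAGGED))  # untagged -> native VLAN 1
```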

DTP – dynamic trunking protocol

DTP allows switches to negotiate trunking automatically; Cisco proprietary.

2 main modes: auto – port is passive and will accept trunking if asked to
desirable – will trunk if asked to and will also try to initiate

“switchport mode dynamic (auto/desirable)”

Manual pruning – allows only the specified VLANs over the trunk

“switchport trunk allowed vlan add …” – must be configured on both sides of the connection

Native vlan

The native VLAN is VLAN 1 by default. If a frame is received with no tag, it is placed in the native VLAN.

“switchport trunk native vlan …” – changes native vlan

VTP – VLAN trunking protocol

VTP is used to exchange VLAN information with other switches in the same VTP domain. Cisco proprietary.

Version 1 – supports up to 1024 VLANs
Version 2 – added token ring support
Version 3 – all VLANs allowed, private VLANs allowed, the VTP password is now secured. Does not support a null domain.

4 modes: Server – all VLAN changes will affect the VTP neighbours
Client – can only learn VLANs from the VTP server
Transparent – switch does not participate in VTP but does forward VTP advertisements
Off (version 3) – switch does not participate in VTP and does not forward any VTP advertisements

Null domain – switches must use the same domain name; a switch with a null (empty) domain accepts whatever VTP domain is advertised on a trunk port.

VTP pruning – if a switch is in a VTP domain but has no interfaces in a particular VLAN, traffic for that VLAN is not sent to it over the trunk.

“vtp pruning” – Enables VTP pruning

VTP configuration:
“vtp domain (name)”
“vtp version (#)”
“vtp password (password)”
“vtp mode (server/client/transparent/off)”

“show vlan”
“show vtp status”
“show vtp counters”

Revision number example:
1) Put all switches in the same VTP domain
2) Create VLAN 60 on SW1
3) VTP creates VLAN 60 on SW2 and SW3 and saves it as revision 1
4) Any time you create a VLAN, the revision number increases and the whole vlan.dat is replaced
5) SW4 has revision 18; since this revision is higher, all switches will accept SW4’s VLAN data. Therefore, when adding a switch to a VTP domain, make sure its vlan.dat is empty

(diagram: SW1 – SW2 – SW3 – SW4 in one VTP domain)
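The revision-number behaviour in steps 1 to 5, as an added Python model (not from the notes or from IOS); the domain name LAB and VLAN 99 on SW4 are assumed. It shows how a switch arriving with a higher revision overwrites every switch's vlan.dat, and how clearing it first avoids that.

```python
class VtpSwitch:
    """Minimal model of VTP revision handling, constructed for this page (not IOS code)."""

    def __init__(self, name, domain, mode="server", vlans=(1,), revision=0):
        self.name, self.domain, self.mode = name, domain, mode
        self.vlans = set(vlans)          # contents of vlan.dat
        self.revision = revision         # configuration revision number

    def add_vlan(self, vid, neighbours):
        """Creating a VLAN on a server bumps the revision and advertises the whole vlan.dat."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is in VTP {self.mode} mode and cannot create VLANs")
        self.vlans.add(vid)
        self.revision += 1
        self.advertise(neighbours)

    def advertise(self, neighbours):
        for sw in neighbours:
            sw.receive(self)

    def receive(self, sender):
        """A higher revision from the same domain replaces vlan.dat entirely, on servers and clients."""
        if self.mode in ("transparent", "off") or sender.domain != self.domain:
            return False
        if sender.revision > self.revision:
            self.vlans = set(sender.vlans)
            self.revision = sender.revision
            return True
        return False

    def reset(self):
        """What "make sure vlan.dat is empty" achieves: revision 0, so the new switch learns instead of teaching."""
        self.vlans, self.revision = {1}, 0

def scenario(reset_new_switch):
    """Steps 1-5 from the notes; "LAB" is an assumed domain name."""
    sw1 = VtpSwitch("SW1", "LAB")
    sw2 = VtpSwitch("SW2", "LAB", mode="client")
    sw3 = VtpSwitch("SW3", "LAB", mode="client")
    sw1.add_vlan(60, [sw2, sw3])                                  # steps 2-3: everyone at revision 1
    sw4 = VtpSwitch("SW4", "LAB", vlans=(1, 99), revision=18)     # step 5: a switch with a stale, higher revision
    if reset_new_switch:
        sw4.reset()
    sw4.advertise([sw1, sw2, sw3])
    sw1.advertise([sw4])                                          # SW4 also hears the domain's current data
    return {sw.name: (sw.revision, sorted(sw.vlans)) for sw in (sw1, sw2, sw3, sw4)}
```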

1.5 – configure & verify EtherChannel

EtherChannel

EtherChannel allows you to bundle up to 8 ports into a single channel, which gives increased redundancy and bandwidth.
It will use up the bandwidth on the first link and then forward the traffic onto the second link, and so on. The bundle appears as 1 link to STP. The virtual interface is called a port-channel.

LACP – link aggregation control protocol

802.1AX, dynamic aggregation, open standard.

Port modes: Active – will initiate
Passive – will respond but not initiate

PAgP – port aggregation protocol

Cisco proprietary
Port modes: Desirable – will initiate
Auto – will respond but not initiate

Layer 2 config:
“int range (#)”
“channel-group 1 mode (desirable/active…)”

Layer 3 config:
“int range (#)”
“no switchport”
“channel-group 1 mode (desirable/active…)”
“interface port-channel 1”
“ip address 192.168.0.1 255.255.255.0”

Load balancing

You can define which link a flow uses, e.g. a given source MAC address will always use the same link.
“port-channel load-balance (method)”

EtherChannel misconfiguration guard

Detects a misconfigured EtherChannel and moves the affected ports to err-disabled.

“spanning-tree etherchannel guard misconfig”

“show etherchannel summary”
“show (pagp/lacp) neighbor”
“show etherchannel detail”

1.6 – configure & verify STP

STP – spanning tree protocol

STP is a loop prevention protocol, 802.1D

BPDU (bridge protocol data unit) timers:
Hello – 2 seconds, Max age – 20 seconds, Forward delay – 15 seconds

STP process:
1) A root bridge is elected: the switch with the lowest priority (0 – 65535, default 32768) wins; if priorities tie, the lowest MAC address wins. On the root bridge all ports are designated and BPDUs are sent out of all ports.

2) All other switches select a root port by:
lowest cost to the root bridge: 10 Gb/s = 2, 1 Gb/s = 4, 100 Mb/s = 19, 10 Mb/s = 100
then the lowest sender bridge ID (BID), then the sender switchport with the lowest number

3) Loops are identified and blocked by putting the non-designated port into blocking state

Port states:
Blocking – 20 seconds, receives BPDUs but does not act on them
Listening – 15 seconds, receives and transmits BPDUs but does not update the MAC address table
Learning – 15 seconds, begins populating the MAC address table
Forwarding – regular traffic resumes
Disabled – port not participating in STP

“spanning-tree vlan (#) priority (#)” or “spanning-tree vlan (#) root (primary/secondary)”

“interface (#)”
“spanning-tree vlan (#) cost (#)” – sets the path cost of the interface for STP calculations

“show spanning-tree”
“show spanning-tree vlan (#)”
“show spanning-tree interface (#)”

Variants: STP – 802.1D, PVST+; RSTP – 802.1w, PVRST+; MST – 802.1s
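The election and root-port selection in steps 1 to 3, as an added Python example (not part of the notes). The three-switch topology and MAC addresses are constructed; it uses the path costs listed above and picks the root port by total cost, then sender bridge ID, then port number.

```python
import heapq

PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}   # link speed in Mb/s -> STP path cost, from the notes

def bridge_id(priority, mac):
    """Lower bridge ID wins: priority is compared first, then the MAC address."""
    return (priority, int(mac.replace(".", ""), 16))

def select_root_and_root_ports(switches, links):
    """switches: name -> (priority, mac); links: (sw_a, port_a, sw_b, port_b, speed_mbps).
    Returns the elected root and, for each other switch, its root port and root path cost."""
    bids = {name: bridge_id(*pm) for name, pm in switches.items()}
    root = min(bids, key=bids.get)                          # step 1: root bridge election
    adj = {name: [] for name in switches}
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, pb, PORT_COST[speed]))
        adj[b].append((a, pb, pa, PORT_COST[speed]))
    # Root path cost each switch ends up advertising in its BPDUs (shortest path from the root)
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > rpc[node]:
            continue
        for nbr, _, _, link_cost in adj[node]:
            if d + link_cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = d + link_cost
                heapq.heappush(heap, (d + link_cost, nbr))
    # step 2: each non-root switch picks its root port by (total cost, sender BID, sender port, own port)
    root_ports = {}
    for sw in switches:
        if sw == root:
            continue
        cost, _, _, port = min(
            (rpc[nbr] + link_cost, bids[nbr], nbr_port, my_port)
            for nbr, my_port, nbr_port, link_cost in adj[sw]
        )
        root_ports[sw] = {"root_port": port, "cost": cost}
    return root, root_ports

# Constructed topology: all switches at the default priority 32768, so the lowest MAC (SW1) becomes root.
SWITCHES = {
    "SW1": (32768, "0000.0c00.0001"),
    "SW2": (32768, "0000.0c00.0002"),
    "SW3": (32768, "0000.0c00.0003"),
}
LINKS = [
    ("SW1", 1, "SW2", 1, 1000),   # 1 Gb/s, cost 4
    ("SW1", 2, "SW3", 1, 100),    # 100 Mb/s, cost 19
    ("SW2", 2, "SW3", 2, 1000),   # 1 Gb/s, cost 4
]

if __name__ == "__main__":
    print(select_root_and_root_ports(SWITCHES, LINKS))
```

SW3 prefers the two-hop 1 Gb/s path through SW2 (cost 8) over its direct 100 Mb/s link to the root (cost 19).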

Uplink fast

UplinkFast deals with direct failures; Cisco proprietary. The alternate/backup port does not go through the listening or learning phase. An “uplink group” is created containing the root port and its alternates. If the root port goes down, another port from the uplink group comes up instantly.

“spanning-tree uplinkfast”

Backbone fast

BackboneFast deals with indirect failures; Cisco proprietary. If a non-root switch loses its link to the root, it will send a BPDU claiming it is the root. BackboneFast skips the max age timer so that the convergence time is shorter: listening + learning = 30 secs.

“spanning-tree backbonefast”

Portfast

PortFast causes a switch or trunk port to enter the spanning tree forwarding state
immediately, bypassing the listening and learning states.

“spanning-tree portfast”

BPDU guard

If a port that should not receive any BPDUs (e.g. an access port) receives one, it goes into err-disabled. The port must first be configured with PortFast.

“spanning-tree portfast bpduguard default” – enables globally
“spanning-tree bpduguard enable” – enables on the port

BPDU filter

BPDU filter stops specified ports from sending or receiving BPDUs

“spanning-tree portfast bpdufilter default” – enables globally
“spanning-tree bpdufilter enable” – enables on the port

Root guard

If a superior BPDU arrives on the port, the port goes into root-inconsistent state until the BPDUs stop.
“spanning-tree guard root” – under interface

Loop guard

If a blocking port stops receiving BPDUs, instead of transitioning to a designated port it goes into “loop inconsistent”.
“spanning-tree guard loop” – under interface

RSTP – rapid spanning tree protocol

RSTP reduces convergence time; its port states are discarding, learning and forwarding.

PVST – per vlan spanning tree

An STP instance is run for each VLAN. Bridge ID = 2-byte priority + 6-byte MAC address.

PVRST – per vlan rapid spanning tree

RSTP implemented per VLAN. Very resource intensive.

“spanning-tree mode rapid-pvst”

MST – multiple spanning tree

VLANs are grouped into instances within a region, allowing for fewer STP instances. Therefore, it is less resource intensive.
“spanning-tree mode mst”
“spanning-tree mst configuration”
“name harries”
“revision 1”
“instance 1 vlan 1-3”
“instance 2 vlan 4-7”
“spanning-tree mst 2 root primary”

Instance 0 is used to communicate with common STP; all VLANs not assigned to an MST instance are assigned to instance 0.

1.7 – SPAN: switched port analyzer

SPAN is used to analyse traffic


“monitor session 1 source int (#)”
“monitor session 1 destination int (#)”

“show monitor”

RSPAN – remote switched port analyzer

Allows you to create a designated VLAN to send traffic remotely

SW1 (switch with the analyser port):
“vlan 999”
“remote-span”
“monitor session 1 source remote vlan 999”
“monitor session 1 destination int (#)”

SW2 (switch with the monitored port):
“vlan 999”
“remote-span”
“monitor session 1 source int (#)”
“monitor session 1 destination remote vlan 999”

1.8 – Cisco StackWise

Cisco StackWise connects up to 9 switches to act as 1 virtual switch, giving better redundancy. It is a feature of the Catalyst 3750 switches; cascade cables are used between the switches.
A master switch handles all the configuration. All switches must use the same SDM template; if a new switch is added to the stack its config is overridden.

Master election order:
1) Priority – highest
2) Switch that has a non-default interface configuration
3) IOS version
4) Uptime
5) Lowest MAC address

“switch number 1”
“switch priority (1-15)”

“show switch”
“show switch detail”
“show switch stack-ring speed” – Shows cable status

DHCP – dynamic host configuration protocol

DHCP uses an IP helper address to forward a client broadcast to a DHCP server; only specific UDP port traffic is forwarded. An IP helper address converts a UDP broadcast into a unicast.

Example: clients in VLAN 10, DHCP server at 10.10.8.1
“int vlan 10”
“ip address 10.10.10.1 255.255.255.0”
“ip helper-address 10.10.8.1”

To stop specific UDP protocols being forwarded, you have to rule them out:
“no ip forward-protocol udp 69”

The broadcast from the user is converted to a unicast on the L3 switch. The source is the interface IP and the destination IP is the DHCP server’s IP. The interface IP is how the DHCP server decides which pool of IPs to use.

2.1 – Switch security

DHCP snooping

DHCP exchange (Host A and DHCP server):
Host A -> DHCP DISCOVER -> server
Host A <- DHCP OFFER <- server
Host A -> DHCP REQUEST -> server
Host A <- DHCP ACK <- server

DHCP DISCOVER (broadcast) – used to locate a DHCP server
DHCP OFFER (unicast) – server sends an offer with configured parameters (IP address, MAC address, domain name, etc.)
DHCP REQUEST (broadcast) – client sends a request for the offered parameters
DHCP ACK (unicast) – server sends confirmation that the IP address has been assigned

DHCP snooping – only allows DHCP OFFER packets in from trusted ports
IP DHCP snooping binding table – a table of all the MAC addresses that the switch has seen DHCP REQUESTs from, and the IP addresses they have been assigned

1) Enable DHCP snooping globally:
“ip dhcp snooping”

2) Configure trusted ports:
“int (#)”
“ip dhcp snooping trust”
“ip dhcp snooping limit rate 100” – only 100 packets per second

3) Enable snooping on VLANs:
“ip dhcp snooping vlan (#)”

“show ip dhcp snooping”
“show ip dhcp snooping binding”
“show ip dhcp snooping statistics”

IP source guard

IP source guard allows you to bind an IP address to a port

“int (#)”
“ip verify source port-security” – filters on MAC and IP address
“ip verify source” – filters on IP address

1) Add IP source guard to a port
2) All traffic except DHCP is blocked
3) When an IP is received (via DHCP snooping), a per-port and per-VLAN ACL is automatically installed binding the IP to the port

Can also be configured statically:
“ip source binding (mac) vlan (#) (ip) interface (#)”

DAI – Dynamic ARP inspection

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in the DHCP snooping binding database.
“ip arp inspection vlan (#)”

Trusted ports bypass the inspection:
“ip arp inspection trust” – configured under interface

“show ip arp inspection interfaces”
“show ip arp inspection statistics”
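An added Python model (not from the notes) that ties together DHCP snooping, the binding table, DAI and IP source guard from this section: server messages are only accepted on trusted ports, the ACK populates the binding table, and ARP and IP traffic on untrusted ports is checked against it. The port names, MAC addresses and IP addresses are constructed.

```python
class SnoopingSwitch:
    """Model of DHCP snooping, DAI and IP source guard on one switch (constructed for this page)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports towards the DHCP server / uplinks
        self.pending = {}                   # client MAC -> (vlan, port) seen in DISCOVER/REQUEST
        self.bindings = {}                  # client MAC -> (ip, vlan, port): the snooping binding table
        self.log = []

    def dhcp(self, port, vlan, kind, client_mac, ip=None):
        """Server messages (OFFER/ACK) are accepted only on trusted ports; an ACK creates a binding."""
        if kind in ("OFFER", "ACK") and port not in self.trusted:
            self.log.append(f"DHCP snooping: dropped {kind} arriving on untrusted port {port}")
            return False
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (vlan, port)          # remember which port the client is on
        elif kind == "ACK" and client_mac in self.pending:
            cvlan, cport = self.pending.pop(client_mac)
            self.bindings[client_mac] = (ip, cvlan, cport)   # MAC, IP, VLAN, port
        return True

    def _bound(self, port, mac, ip):
        entry = self.bindings.get(mac)
        return entry is not None and entry[0] == ip and entry[2] == port

    def arp(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender IP/MAC pair must match a binding on that port."""
        if port in self.trusted or self._bound(port, sender_mac, sender_ip):
            return True
        self.log.append(f"DAI: dropped ARP {sender_ip}/{sender_mac} on {port}")
        return False

    def ip_packet(self, port, src_mac, src_ip):
        """IP source guard (ip verify source port-security): source IP and MAC must be bound to the port."""
        if port in self.trusted or self._bound(port, src_mac, src_ip):
            return True
        self.log.append(f"IPSG: dropped packet {src_ip}/{src_mac} on {port}")
        return False

def scenario():
    """Constructed traffic: Gi0/24 is the assumed uplink to the DHCP server, Gi0/1-2 are user ports."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    host_a, other = "0050.56aa.0001", "0050.56bb.0002"     # constructed MAC addresses
    results = {}
    sw.dhcp("Gi0/1", 10, "DISCOVER", host_a)
    results["offer_untrusted"] = sw.dhcp("Gi0/2", 10, "OFFER", host_a, "10.10.10.200")  # server reply from a user port
    sw.dhcp("Gi0/24", 10, "OFFER", host_a, "10.10.10.50")
    sw.dhcp("Gi0/1", 10, "REQUEST", host_a)
    sw.dhcp("Gi0/24", 10, "ACK", host_a, "10.10.10.50")
    results["binding"] = sw.bindings.get(host_a)
    results["arp_ok"] = sw.arp("Gi0/1", host_a, "10.10.10.50")
    results["arp_mismatch"] = sw.arp("Gi0/2", other, "10.10.10.1")       # no binding for this pair
    results["ip_mismatch"] = sw.ip_packet("Gi0/2", other, "10.10.10.50")  # address is bound to Gi0/1, not Gi0/2
    return results, sw.log
```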

Port security

Allows you to restrict connections to the LAN by:
- limiting the number of MAC addresses on a port
- allowing only 1 specific MAC address on a port

3 violation modes:
- Shutdown – port is err-disabled
- Protect – packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value
- Restrict – same as protect but also logs it by incrementing the security violation counter

“int (#)”
“switchport mode access”
“switchport port-security”
“switchport port-security maximum (#)”
“switchport port-security violation (mode)”

“show port-security int (#)”
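The three violation modes, as an added Python simulation (not from the notes): a port with maximum 1 sees a second MAC address, and the outcome differs per mode. The MAC addresses are constructed.

```python
class SecurePort:
    """Model of switchport port-security violation handling; constructed for this page."""

    def __init__(self, maximum=1, violation="shutdown"):
        self.maximum = maximum              # switchport port-security maximum (#)
        self.violation = violation          # switchport port-security violation shutdown|protect|restrict
        self.secure_macs = []               # dynamically learnt secure MAC addresses
        self.err_disabled = False
        self.violation_count = 0            # the security violation counter shown by show port-security

    def forward(self, src_mac):
        """Return True if a frame with this source MAC is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # learn new addresses until the maximum is reached
            return True
        # An unknown source MAC beyond the maximum is a violation
        if self.violation == "shutdown":
            self.err_disabled = True              # port goes err-disabled
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1             # dropped and counted (and logged on a real switch)
        # protect: dropped silently, nothing counted
        return False

    def remove_secure(self, mac):
        """Freeing a secure address lets the next new MAC be learnt again (protect/restrict)."""
        self.secure_macs.remove(mac)

def run_all_modes():
    """Same constructed frame sequence against each mode: host A, host A, host B, host A."""
    frames = ["aaaa.aaaa.0001", "aaaa.aaaa.0001", "bbbb.bbbb.0002", "aaaa.aaaa.0001"]
    outcome = {}
    for mode in ("shutdown", "protect", "restrict"):
        port = SecurePort(maximum=1, violation=mode)
        forwarded = [port.forward(m) for m in frames]
        outcome[mode] = (forwarded, port.err_disabled, port.violation_count)
    return outcome
```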


2.2 – Storm control

Storm control allows you to limit broadcast, unicast and multicast traffic. It is configured per interface. A percentage of the port’s total traffic, or a specific limit (bps/pps), is used to control it, with a rising and a falling threshold. Measured on a timer interval of 1 second.

“int (#)”
“storm-control (broadcast/multicast/unicast) level (%value) or (bps/pps) (rising value) (falling value)”

“storm-control action (shut/trap)”

If broadcast traffic goes above the rising threshold, then for 1 sec all broadcast traffic is dropped

2.3 – Private vlans

Private VLANs are used to provide a layer of isolation within a VLAN.

3 different port types:
- Isolated – only traffic between the port and the promiscuous port is allowed
- Promiscuous – allows traffic from all community and isolated ports
- Community – allows traffic between ports in the same community and the promiscuous port

Example below: primary VLAN 200, community VLAN 205, isolated VLAN 210

“vtp mode transparent”


“vlan 200”
“private-vlan primary”

“vlan 205”
“private-vlan community”
“vlan 210”
“private-vlan isolated”

“vlan 200”
“private-vlan association add 205,210”

“int 0/4”
“switchport mode private-vlan host”
“switchport private-vlan host association 200 205”
“int 0/3”
“switchport mode private-vlan host”
“switchport private-vlan host association 200 205”

“int fa0/2”
“switchport mode private-vlan host”
“switchport private-vlan host association 200 210”

“int fa0/1”
“switchport mode private-vlan promiscuous”
“switchport private-vlan mapping 200 205 210”

“show vlan private-vlan”
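An added Python example (not from the notes) that parses the private-VLAN configuration above into a port table and evaluates which ports may exchange traffic. The interface names fa0/3 and fa0/4 are assumed for the ports the notes list as 0/3 and 0/4.

```python
# Constructed configuration following the command lines in this section (port names assumed fa0/1-fa0/4).
PVLAN_CONFIG = """
vlan 200
private-vlan primary
vlan 205
private-vlan community
vlan 210
private-vlan isolated
vlan 200
private-vlan association add 205,210
int fa0/4
switchport mode private-vlan host
switchport private-vlan host association 200 205
int fa0/3
switchport mode private-vlan host
switchport private-vlan host association 200 205
int fa0/2
switchport mode private-vlan host
switchport private-vlan host association 200 210
int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205 210
"""

def parse_pvlan(config):
    """Return {port: (type, secondary_vlan)}; type is promiscuous, community or isolated."""
    vlan_types, ports, current = {}, {}, None
    for line in config.strip().splitlines():
        words = line.split()
        if words[0] == "vlan":
            current = int(words[1])                       # now inside "vlan N"
        elif words[0] == "private-vlan" and words[1] in ("community", "isolated"):
            vlan_types[current] = words[1]                # secondary VLAN type
        elif words[0] == "int":
            current = words[1]                            # now inside an interface
        elif words[:3] == ["switchport", "mode", "private-vlan"] and words[3] == "promiscuous":
            ports[current] = ("promiscuous", None)
        elif words[:3] == ["switchport", "private-vlan", "host"]:
            secondary = int(words[-1])                    # "host association <primary> <secondary>"
            ports[current] = (vlan_types[secondary], secondary)
    return ports

def can_talk(ports, src, dst):
    """Isolated: promiscuous only. Community: same community or promiscuous. Promiscuous: everyone."""
    s_type, s_vlan = ports[src]
    d_type, d_vlan = ports[dst]
    if "promiscuous" in (s_type, d_type):
        return True
    return s_type == d_type == "community" and s_vlan == d_vlan

def reachability(ports):
    """Directed matrix of which port may forward to which within the primary VLAN."""
    return {(a, b): can_talk(ports, a, b) for a in sorted(ports) for b in sorted(ports) if a != b}
```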


2.4 – AAA: Authentication, Authorization and Accounting

Access control allows you to control who is allowed access to the network server and what
services they are allowed to use. Supported by ACS server by default

Authentication – validates who you are


Authorization – what you can do
Accounting – tracks what you did

“aaa new-model”
“aaa authentication login default group radius” – uses the radius group to authenticate

“aaa authentication login no-login none”
“line con 0”
“login authentication no-login” – console connection needs no login

“aaa authorization exec default group radius if-authenticated”
Exec commands are allowed even if the radius server is down, as long as the user has already authenticated

3.1 – HSRP: hot standby router protocol

HSRP is cisco proprietary. The router with the highest priority becomes the active and the
rest become standby. The routers share a virtual IP address and a virtual MAC address

Default priority = 100
Hello timer = 3 seconds
Dead timer = 10 seconds
States: initial, listen, speak, standby and active

Virtual MAC address: 00:00:0C:07:AC:XX
00:00:0C = Cisco ID, 07:AC = HSRP v1 ID, XX = standby group number (00 – FF, i.e. group 0 – 255)

SW1
“int vlan 1”
“standby 1 ip 172.30.70.1”
“standby 1 priority 110”
“standby 1 track fa0/1 20” – if the interface goes down, the priority is decremented by 20
“standby 1 preempt”

SW2
“int vlan 1”
“standby 1 ip 172.30.70.1”
“standby 1 preempt”

“show standby 1”

3.2 – VRRP: virtual router redundancy protocol

VRRP is open standard. The router with the highest priority becomes the master and the rest
become backups. The master can be configured with a virtual IP and always remain master
or it can share it

Hello timer = 1 second
Dead timer = 3 x hello timer + skew timer
The skew timer adds a little extra time to allow hellos to come through; the higher the priority, the shorter the skew timer. VRRP can learn the timers from the master.
Multicast advertisements are sent to 224.0.0.18

“int fa0/1”
“vrrp 1 ip 192.168.16.20”
“vrrp 1 priority 110”
“vrrp 1 preempt”
“track 1 interface fa0/1 line-protocol”
“vrrp 1 track 1 decrement 20”

“show vrrp”
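The HSRP virtual MAC, priority tracking and preemption from section 3.1, together with the VRRP dead-timer calculation above, as an added Python example (not from the notes). The skew value (256 - priority)/256 seconds is the VRRPv2 formula; ties between equal priorities (resolved by IP address on real routers) are not modelled.

```python
def hsrp_v1_virtual_mac(group):
    """0000.0c07.acXX: Cisco OUI 00:00:0C, HSRP v1 identifier 07:AC, group number 0-255."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"

def effective_priority(router, down_interfaces):
    """standby N track <intf> <decrement>: priority drops by the decrement while the interface is down."""
    return router["priority"] - sum(dec for intf, dec in router["track"].items() if intf in down_interfaces)

def hsrp_active(routers, current_active=None, down_interfaces=frozenset()):
    """routers: name -> {"priority", "track": {intf: decrement}, "preempt": bool}.
    The highest effective priority wins, but it only takes over from a running active if it has preempt."""
    best = max(routers, key=lambda name: effective_priority(routers[name], down_interfaces))
    if current_active in routers and best != current_active and not routers[best]["preempt"]:
        return current_active
    return best

def vrrp_master_down_interval(hello=1.0, priority=100):
    """Dead timer = 3 x hello + skew, with skew = (256 - priority) / 256 s (higher priority, shorter skew)."""
    return 3 * hello + (256 - priority) / 256

# Constructed from the SW1/SW2 configuration in section 3.1: SW1 at priority 110 tracking fa0/1 by 20.
ROUTERS = {
    "SW1": {"priority": 110, "track": {"fa0/1": 20}, "preempt": True},
    "SW2": {"priority": 100, "track": {}, "preempt": True},
}

if __name__ == "__main__":
    print(hsrp_v1_virtual_mac(1))                                           # 0000.0c07.ac01
    print(hsrp_active(ROUTERS))                                             # SW1
    print(hsrp_active(ROUTERS, current_active="SW1", down_interfaces={"fa0/1"}))  # SW2 (110 - 20 < 100)
    print(vrrp_master_down_interval(1.0, 110))                              # 3.5703125
```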

3.3 – GLBP: gateway load balancing protocol

GLBP is Cisco proprietary and available on high-end switches. There is 1 virtual IP but multiple virtual MACs.

All switches are active gateways. Each gateway has a unique virtual MAC; if a gateway goes down, another gateway will take over its MAC.

AVG – active virtual gateway: serves as the master and assigns MACs to the AVFs
AVF – active virtual forwarder: all other gateways

Load balancing:
- Host dependent: use source MAC
- Round-robin: alternate routers
- Weighted: distribute according to weight

“int fa0/1”
“glbp 1 ip 192.168.10.1”
“glbp 1 load-balancing weighted”
“glbp 1 weighting 100 lower 85 upper 95”
“glbp 1 weighting track 1 decrement 0”

“show glbp”
