Layer 2 Switching
4 benefits of using layer 2 switching
Hardware-based bridging (ASICs)
Wire speed
Low latency
low cost
What command shows the CAM or forward/filter MAC database on a switch? What info is found with this command?
switch# show mac address-table
VLAN, MAC address, how the address was learned, and port.
Port Security
Most Cisco switches ship with their ports in desirable mode, which means those ports will desire to trunk when they sense another switch has been connected. So first we must change the port mode and make it an access port instead.
On switch port fa0/1 set up port security with MAC address sticky and no more than 2 addresses. Set the violation mode to Restrict.
switch# config t
switch(config)# int fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security maximum 2
switch(config-if)# switchport port-security violation restrict
what are the switchport port-security violation options?
Protect - drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below max value
Restrict - Same as protect but also generates a log message, which causes the security violation counter to increment, and sends an SNMP trap
Shutdown - The default violation method. This option puts the interface in error-disabled state. The port is shut down until a shut/no shut is performed on the interface. This option also generates a log message, which causes the security violation counter to increment, and sends an SNMP trap
Spanning Tree Protocol takes about 50 seconds to converge, and when first connecting to a switch port you will see the LED color go from amber to green. This is normal behavior.
When your switch port LED is alternating green and amber it means the port is experiencing errors. What should you check?
Host NIC or cabling
Duplex setting on the switch port matching that of the host
switches have no AUX port
How to set a default gateway on a switch?
S3# config t
S3(config)# ip default-gateway 192.168.10.30
What does the dash mean in the minutes column of the show ip arp output?
The dash (-) in the minutes column means that it is the physical interface of the device.
What are the 3 functions of a switch?
Address learning
forward/filtering decisions
loop avoidance
How to verify port security (3 ways)?
show port-security
show port-security interface interfacename
show running-config
Which of the following commands in this config is a prerequisite for the other commands to function?
S3# conf t
S3(config)# int fa0/3
S3(config-if)# switchport port-security
S3(config-if)# switchport port-security maximum 3
S3(config-if)# switchport port-security violation restrict
S3(config-if)# switchport port-security aging timeout 10
The switchport port-security command; it is required to be enabled on an interface before the other commands take effect.
Which 2 of the following switchport violation modes will alert you via SNMP that a violation has occurred?
A Restrict
B Protect
C Shutdown
D Err-disable
Restrict and Shutdown will alert via SNMP that a violation has occurred.
On which default interface do you configure an IP address for a switch?
int vlan 1
IVR
InterVLAN Routing
Access Port
A type of switchport that belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native format with no VLAN info (tagging) at all. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port.
Voice access port
Modern switches now allow a second VLAN on an access port for voice traffic, called the Voice VLAN.
Trunk ports
A type of switchport that can carry traffic for multiple VLANs.
Trunk link
Point-to-point links between 2 switches, between a switch and a router, or even a switch and a server. It carries the traffic of multiple VLANs (1001 without extended VLANs and 4094 with extended VLANs).
switch fabric
Group of switches that share the same VLAN info.
Inter-Switch Link (ISL)
Cisco proprietary way of tagging VLAN info onto an Ethernet frame. ISL functions at layer 2 by encapsulating a data frame with a new header and by performing a new CRC.
802.1q
IEEE standard method of frame tagging. This method inserts a field into the frame to identify the VLAN. If you are trunking between a Cisco switch and another brand you must use 802.1q. This method uses the Native VLAN (VLAN 1 by default). All traffic in the native VLAN is untagged.
The basic purpose of the ISL and 802.1q frame-tagging methods is to provide inter-switch VLAN communication. Remember that any ISL or 802.1q frame tagging is removed if a frame is forwarded out an access link; tagging is used internally and across trunk links only!
How many VLANs can 802.1q carry info for?
4,094 VLANs
ROAS
Router on a stick, the method the CCNA will ask you to configure. A router will have 1 interface for all of the VLANs on the connected switch. The router will have subinterfaces for each VLAN and will act as the default gateway for each VLAN/subnet.
Which VLANs are reserved in 802.1q?
VLAN 1 and VLANs 1002 through 1005. VLANs after 1005 are extended VLANs and won't be saved in the database unless your switch is set to VTP (VLAN Trunking Protocol).
What is the output of show vlan?
VLAN ID, VLAN Name, status (active, inactive, suspended or shutdown) and Ports. It only shows access ports.
What is the output of show interfaces trunk?
Port, Mode (desirable), Encapsulation, Status and Native VLAN
Remember that a created VLAN is unused until it is assigned to a switch port or ports and that all ports are always assigned to VLAN 1 unless set otherwise.
DTP (Dynamic Trunking Protocol)
DTP is a Cisco protocol for negotiating trunking between switches, functioning at Layer 2. It has several modes: Auto (waiting for trunk initiation), Desirable (actively seeking trunking), Access (configures as non-trunking), and Nonegotiate (disables DTP). DTP is used for negotiating trunking on a link between 2 devices as well as negotiating the encapsulation type of ISL or 802.1q.
switchport mode dynamic desirable is the default setting on modern switches.
What command will show you the trunked ports on a switch?
show interfaces trunk
What is the output of the show interfaces interface switchport command?
Administrative mode, what type of port it is, and the frame tagging encapsulation method (ISL or 802.1q)
Make int fa0/1 an access port with VLAN 3 for data and VLAN 5 for voice.
S3# config t
S3(config)# int fa0/1
S3(config-if)# switchport mode access
S3(config-if)# switchport access vlan 3
S3(config-if)# switchport voice vlan 5
Create VLAN 3 and name it Marketing.
S3# config t
S3(config)# vlan 3
S3(config-vlan)# name Marketing
Configure f0/15-18 as trunk ports using 802.1q.
s1(config)# int range f0/15-18
s1(config-if-range)# switchport trunk encapsulation dot1q
s1(config-if-range)# switchport mode trunk
switchport mode access
It puts the interface into a permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether the neighboring interface is a trunk interface.
switchport mode dynamic auto
This mode makes the interface able to convert the link to a trunk link. The interface becomes a trunk if the neighboring interface is set to trunk or desirable mode.
switchport mode dynamic desirable
Mode that makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to desirable, auto or trunk mode. It is now the default switch port mode for all Ethernet interfaces on all new Cisco switches.
switchport mode trunk
Puts the interface into a permanent trunk mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface isn't a trunk link.
switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually config the neighboring interface as a trunk interface to establish a trunk link.
How would you disable trunking on an interface?
Use the switchport mode access command.
Remove VLANs 4, 5, 6, 7 and 8 from a trunk.
s1(config-if)# switchport trunk allowed vlan remove 4-8
Floating static route
A static route with an administrative distance added. They are used when the routes with a lower AD go down.
ip route 192.168.10.0 255.255.255.0 172.16.10.2 150
The output of show ip route would also show the AD.
Upstream routing
Term used to describe the router that will provide inter-VLAN routing with router on a stick.
For a switch, make fa0/1 a trunk.
S1# conf t
S1(config)# int fa0/1
S1(config-if)# switchport mode trunk
Config vlan 1 on a switch and set up a default gateway with the address of 192.168.10.1
S1# conf t
S1(config)# int vlan 1
S1(config-if)# ip address 192.168.10.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.10.1
Remember to check a switchport's VLAN assignment when plugging in a new host.
How to provide inter-VLAN routing with a layer 3 switch?
First start the routing process with the command ip routing, then create a virtual interface for each VLAN using the command interface vlan vlan#, and then apply the IP address for that VLAN under that logical interface.
ex
MLS(config)# ip routing
MLS(config)# int vlan 10
MLS(config-if)# ip address 192.168.10.1 255.255.255.0
MLS(config-if)# int vlan 20
MLS(config-if)# ip address 192.168.20.1 255.255.255.0
In the following config, what command is missing from the creation of the VLAN interface?
2960#conf t
2960(config)# int vlan 1
2960(config-if)# ip address 192.168.10.2 255.255.255.0
2960(config-if)# exit
2960(config)# ip default-gateway 192.168.10.1
A no shutdown under int vlan 1
B encapsulation dot1q under int vlan 1
C switchport access vlan 1
D passive-interface
A no shutdown under int vlan 1
What are the steps to create a VLAN, assign the interfaces to it, create a trunk and implement inter-VLAN routing?
From the switch, create the VLAN and name it:
S(config)# vlan 2
S(config-vlan)# name Sales
For the access link, go to the interface, define it as an access link, and assign the interface to the VLAN:
S(config)# int fa/0
S(config-if)# switchport mode access
S(config-if)# switchport access vlan 2
For the trunk, go to the interface, determine the encapsulation method (dot1q), define the interface as a trunk, and define the VLANs allowed on the trunk:
S(config)# int fa/5
S(config-if)# switchport trunk encapsulation dot1q
S(config-if)# switchport mode trunk
S(config-if)# switchport trunk allowed vlan 2
From the router, create the interface with an IP and no shut, set its encapsulation, then create subinterfaces and set their encapsulation and VLAN ID:
ISR(config)# int fa0/0
ISR(config-if)# ip address 192.168.10.1 255.255.255.240
ISR(config-if)# no shut
ISR(config-if)# int fa0/0.2
ISR(config-subif)# encapsulation dot1q 2
ISR(config-subif)# ip address 192.168.10.17 255.255.255.240
Root Bridge
Bridge with the lowest and thus the best ID. The ______ is elected by all the switches in the STP network. All decisions on which ports on the non-root bridges should be blocked are made from the perspective of the _________. Once it is elected, all other bridges must create a single path to it. The port with the best path to the root bridge is called the root port.
non-root bridge
A non-root bridge is any bridge in a Spanning Tree Protocol (STP) network that is not the root bridge. ______ exchange BPDUs with all of the other bridges and update the STP topology database on all switches. This prevents loops.
BPDU (Bridge Protocol Data Unit)
A BPDU is a data message used by switches in the Spanning Tree Protocol (STP) to share information about the network topology. Inside the BPDU is the Bridge ID.
Bridge ID
The Bridge ID is a unique identifier assigned to a bridge or switch within the Spanning Tree Protocol (STP). It is crucial for determining the role of the bridge in the network topology, as it is compared among other bridges to elect the Root Bridge. Each Bridge ID consists of a combination of the bridge priority (32,768) and its MAC address, which together define its identity and influence the STP decisions related to path selection and loop prevention.
The lowest Bridge ID is selected as root.
Port Cost
____ is a value used by STP to determine the best path when multiple links are used between 2 switches. The cost of a link is determined by the bandwidth of the link.
Root port
The link with the lowest path cost (BW) to the root bridge. When multiple links connect to the same switch, the port connected to the lowest port number on the upstream switch will be the one that's used. The root bridge can never have a root port designation, while every other switch in a network must have only one root port.
Designated Port
Port with the best (lowest) cost to get onto a given network segment compared to other ports on that segment. A designated port will be marked as a forwarding port, and you can only have 1 forwarding port per segment.
Non-Designated Port
A port with a higher cost than the designated port. Non-designated ports are put in blocking or discarding mode; they are not forwarding ports.
Forwarding Port
A port that ____ frames and will be either a root or a designated port.
Blocked Port
A port that won't forward frames in order to prevent loops. It will still listen to BPDU frames from its neighbor switches, but it will drop all frames received and will never transmit a frame. The blocked port is determined by which port will be forwarding. The forwarding port is determined by the lowest cost or lowest Bridge ID. The blocked port is then the port not forwarding.
Alternate Port
Corresponds to the blocking state of 802.1d and is a term used with the newer 802.1w. An _____ port is located on a switch connected to a LAN segment with 2 or more switches connected, and one of the other switches holds the designated port.
Backup Port
Corresponds to the blocking state of 802.1d and is a term now used with 802.1w. A ____ port is connected to a LAN segment wherein another port on that switch is the designated port.
Disabled State
An STP state. A port in the ______ state does not participate in frame forwarding or STP. A port in the _____ state is virtually nonoperational.
Blocking State
An STP state that won't forward frames. It just listens for BPDUs. All ports are in the ____ state when the switch is powered on.
Listening State
An STP state that listens for BPDUs. A port in ____ prepares to forward data frames without populating MAC address tables.
Learning State
An STP state that listens to BPDUs and ____ all the paths in the switched network. A port in the ___ state populates the MAC address table but still does NOT forward data frames.
Forwarding State
An STP state that sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the learning state, it will enter the forwarding state.
Forward Delay
The time it takes to transition from the listening state to the learning state, or from learning to forwarding, which is set to 15 seconds. This setting can be seen in the show spanning-tree output.
Switches populate the MAC address table in learning and forwarding modes only.
What is the STP cost for a 10 Mb/s link?
100
What is the STP cost for a 100 Mb/s link?
19
What is the STP cost for a 1000 Mb/s link?
4
What is the STP cost for a 10,000 Mb/s link?
2
Speed Cost
10 Mb/s 100
100 Mb/s 19
1,000 Mb/s (1 gigabit) 4
10,000 Mb/s (10 gigabits) 2
The lower Bridge ID is the better one when electing a root bridge.
IEEE 802.1d
Original STP. Slow but requires few bridge resources. Also called CSTP or common STP.
IEEE 802.1w
also called Rapid Spanning Tree (RSTP).
Converges much faster than STP (often within 3 hello cycles or 6 seconds).
PVST+
The Cisco default version. Called Per-VLAN Spanning Tree Plus. This provides a separate 802.1d instance per VLAN. Still slow, and more resources are used.
PVST+ adds a 12-bit field to the Bridge ID called the Sys-id-ext, in between the Priority and the MAC Address portions of the Bridge ID.
Rapid PVST+
Cisco version of 802.1w (RSTP) that also uses PVST+ and provides a separate instance of 802.1w per VLAN. It's the fastest to converge but the most resource heavy of all options.
802.1s (MSTP)
IEEE standard that started off as Cisco's MISTP. It maps multiple VLANs (with the same traffic flow requirements) into the same spanning tree instance to save processing on the switch. It's basically a spanning tree protocol on top of another spanning tree protocol.
Used instead of RSTP when you have multiple VLANs that are resulting in CPU and memory requirements that are too high.
RSTP only has 3 states, and they are:
Discarding
Learning
Forwarding
Steps to understand converged STP
Find the root bridge by looking at bridge IDs.
Determine your root ports by finding the lowest path cost to the root bridge.
Find your Designated ports by looking at Bridge IDs.
What is the output of show spanning-tree vlan vlan#?
Root bridge, priorities, root ports and designated or blocking/discarding ports for the vlan specified
How to config STP on VLAN 2?
spanning-tree vlan 2 priority 16384 (any number from 0 to 61440, but it has to be in increments of 4096)
or
spanning-tree vlan 2 root primary (or secondary)
PortFast
Cisco proprietary extension to 802.1d where a port will not take 50 seconds to converge. The port will transition from blocking to forwarding almost immediately.
Enable PortFast on int gi0/1 and gi0/2.
S1# config t
S1(config)# int range gi0/1-2
S1(config-if-range)# spanning-tree portfast
When configuring PortFast, also configure BPDU Guard.
What does BPDU Guard do?
It monitors ports for BPDUs and if it encounters any it puts the port in error-disabled state. Basically it shuts down a port if a switch or hub is plugged into a port that is not configured to handle a switch/hub and has BPDU Guard active.
You would only enable BPDU Guard on your Access layer switches.
Port channeling
Refers to combining two to eight Fast Ethernet or two Gigabit Ethernet ports together between 2 switches into one aggregated logical link to achieve more bandwidth and resiliency.
EtherChannel
Cisco proprietary term for port channeling.
PAgP
Cisco proprietary port channel negotiation protocol that aids in the automatic creation of EtherChannel links. All links in the bundle must match the same parameters (speed, duplex, VLAN info), and when ____ identifies matched links, it groups the links into an EtherChannel. This is then added to STP as a single bridged port. At this point, PAgP's job is to send packets every 30 seconds to manage the link for consistency, link additions, and failures.
Port Aggregation Protocol
LACP (802.3ad)
Non-Cisco-proprietary port channel negotiation protocol. This can work among different vendors.
When configuring port channeling you can use PAgP or LACP.
The command is channel-group group# mode (active or passive for LACP) (auto or desirable for PAgP).
It can be active/active or active/passive but CANNOT be passive/passive.
It can be desirable/desirable or auto/desirable but CANNOT be auto/auto.
With Layer 3 EtherChannel you create a logical interface with the int port-channel # command. You then assign the IP and mask to the logical interface. You then assign the physical interfaces to the port-channel. The physical interfaces do not have an IP assigned to them specifically.
channel-group
A Cisco command on an Ethernet interface used to add the specified interface to a single EtherChannel. The number following this command is the port channel ID.
S1(config-if)# channel-group 1 mode active
S1(config-if)# exit
S1(config)# int port-channel 1
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,3
Router# config t
Router(config)# int port-channel 1
Router(config-if)# ip address 20.2.2.2 255.255.255.0
Router(config-if)# int range g0/0-1
Router(config-if-range)# channel-group 1
interface port-channel
the command that creates the bundled logical interface. Ports can be added to this interface with the channel-group command. Keep in mind that the interface number must match the group number.