CCNP Switching (300-115)
Basics of switching.
CDP: Cisco Discovery Protocol.
VLAN: Virtual Local Area Network.
Trunking.
VTP: VLAN Trunking Protocol.
EtherChannel.
STP: Spanning Tree Protocol.
STP protection.
RSTP: Rapid Spanning Tree Protocol.
MSTP: Multiple Spanning Tree Protocol.
MLS: Multilayer Switch.
High availability (HSRP, VRRP, GLBP).
IP telephony.
Wireless.
AAA: Authentication, Authorization, Accounting.
Layer 2 security: DHCP snooping, IP Source Guard, Dynamic ARP Inspection, VLAN hopping, VLAN ACL, protected port, private VLAN, storm control, SPAN, port security.
Switching
Switching is the process of moving data from a source to a destination through a switch.
Types of switching
Layer 2 switching
Layer 3 switching
Multilayer switching
Layer 2 switching
Frames are forwarded on the basis of layer 2 addresses.
Types of layer 2 switching
Ethernet switch
Frame Relay switch
ATM switch
Ethernet switching
Frames are forwarded on the basis of the destination MAC address.
Functions of a layer 2 Ethernet switch
Address learning
Filtering and forwarding decision
Loop avoidance
Layer 3 devices can perform three types of switching
Process switching: the device performs a routing table lookup for every received packet (CPU-bound, slowest).
Fast switching: the route processor (RP) looks up the routing table for the first packet of a flow; the switching engine (SE) then creates a shortcut entry in a route cache, later packets of the same flow are switched from the cache, and the RP is freed.
CEF switching (Cisco Express Forwarding): the forwarding tables are built in advance from the routing table, before any packet arrives.
CEF builds two tables: the FIB and the adjacency table.
FIB (Forwarding Information Base): a copy of the routing table optimised for lookup and kept in sync with it.
Adjacency table: the layer 2 rewrite information (next-hop MAC address and egress interface) for each FIB entry.
Packet rewrite: when a packet crosses a layer 3 device, the device always rewrites the layer 2 header (source and destination MAC), decrements the TTL and recomputes the IP header checksum.
How a switch learns MAC addresses
Dynamically: the switch learns the source MAC address of every frame it receives and records it, together with the ingress port and VLAN, in its CAM table.
Statically: we can enter MAC addresses in the CAM table manually. A static entry also stops unknown-unicast flooding for that address, because the switch never has to flood to find it.
switch#show mac address-table dynamic
switch#show mac address-table interface fa 0/1
switch#show mac address-table static
switch#show mac address-table
How to add a static entry to the MAC address table
sw(config)#mac address-table static 0000.0000.0001 vlan 1 interface fa 0/1
sw(config)#mac address-table static 0000.0000.0001 vlan 1 drop (frames to or from this MAC in VLAN 1 are dropped)
Note: older IOS releases use the hyphenated form mac-address-table; newer releases use mac address-table.
How to recover a port from err-disabled state automatically
switch(config)#errdisable recovery cause all
switch(config)#errdisable recovery interval 60
Note: errdisable recovery is a global command, not an interface command. A port can also be recovered by hand with shutdown followed by no shutdown once the cause is fixed.
How to change the MAC aging time (default 300 seconds)
switch(config)#mac address-table aging-time 200
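The following Python model, added here as an illustration and not taken from these notes, shows the three layer 2 functions above on one CAM table: address learning per VLAN, the forward / filter / flood decision, static entries including a drop entry, aging, and what happens when the table is full (the reason MAC flooding attacks work: once the table cannot learn a new address, traffic to that host is flooded to every port). The MAC addresses, port names and table size are constructed for the example.

```python
"""Added example (not from the original notes): a minimal model of a layer 2
switch's CAM table. MACs, ports and the table capacity are constructed."""
import time

FLOOD = "flood"   # destination unknown, broadcast or multicast: send out all ports in the VLAN
DROP = "drop"     # a static drop entry matched the source or destination


class CamTable:
    def __init__(self, aging_time=300, capacity=8192, clock=time.time):
        self.aging_time = aging_time
        self.capacity = capacity        # hardware tables are finite; this is what MAC flooding exhausts
        self.clock = clock              # injectable clock so aging can be exercised without sleeping
        self.dynamic = {}               # (vlan, mac) -> [port, last_seen]
        self.static = {}                # (vlan, mac) -> port or DROP

    def add_static(self, mac, vlan, port):
        """'mac address-table static <mac> vlan <v> interface <p>' or '... drop' (port=DROP)."""
        self.static[(vlan, mac.lower())] = port
        self.dynamic.pop((vlan, mac.lower()), None)

    def age_out(self):
        now = self.clock()
        stale = [k for k, (_, seen) in self.dynamic.items() if now - seen > self.aging_time]
        for key in stale:
            del self.dynamic[key]

    def receive(self, ingress_port, vlan, src_mac, dst_mac):
        """Process one frame: learn the source, then decide where it goes.
        Returns a list of egress ports, FLOOD or DROP."""
        src, dst = src_mac.lower(), dst_mac.lower()
        self.age_out()
        # Static drop entries filter on the source as well as the destination.
        if self.static.get((vlan, src)) == DROP or self.static.get((vlan, dst)) == DROP:
            return DROP
        # Address learning: the source MAC is bound to the ingress port in this VLAN.
        # A MAC that appears on another port simply overwrites the old binding.
        if (vlan, src) not in self.static:
            if (vlan, src) in self.dynamic or len(self.dynamic) < self.capacity:
                self.dynamic[(vlan, src)] = [ingress_port, self.clock()]
            # else: table full, the address is NOT learned (flooding attack effect)
        # Forwarding decision.
        if int(dst[:2], 16) & 1:              # group bit set: broadcast or multicast
            return FLOOD
        entry = self.static.get((vlan, dst))
        if entry is None and (vlan, dst) in self.dynamic:
            entry = self.dynamic[(vlan, dst)][0]
        if entry is None:
            return FLOOD                      # unknown unicast: flood within the VLAN
        if entry == ingress_port:
            return []                         # filter: destination is on the same segment
        return [entry]
```

The `capacity` check is the part worth noticing from a security point of view: once an attacker has filled the table with random source addresses, legitimate hosts that were aged out are never re-learned, and every frame to them is flooded where the attacker can read it. Port security (limiting learned addresses per port) is the countermeasure covered later in the notes.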
How to create an interface-range macro
sw(config)#define interface-range test fastethernet 0/1 - 4 , fastethernet 0/7 , fastethernet 0/10
sw(config)#interface range macro test
sw(config-if-range)#
How to give a description to a port
switch(config-if)#description this port is connected to printer
switch#show interfaces fa 0/1
How to set the speed of a port
switch(config-if)#speed {10 | 100 | 1000 | auto}
How to set the duplex mode of a port
switch(config-if)#duplex {auto | half | full}
switch#show interfaces fa 0/1
CDP Cisco Discovery Protocol
It is a Cisco proprietary protocol.
It works at layer 2.
It is enabled by default on Cisco devices.
It is used to discover information about directly connected neighbours (device ID, platform, IOS version, management IP address, port, capabilities).
This information is helpful when troubleshooting; for the same reason it is also useful to an attacker on an access port, so disable CDP on ports that face untrusted hosts.
CDP timer 60 sec, holdtime 180 sec.
Multicast MAC address 0100.0CCC.CCCC.
switch#show cdp neighbors detail
switch#show cdp neighbors
How to enable or disable CDP
switch(config)#cdp run (globally)
switch(config)#no cdp run
switch(config-if)#cdp enable (per interface)
switch(config-if)#no cdp enable
How to change the CDP timers
switch(config)#cdp timer 80
switch(config)#cdp holdtime 200
LLDP Link Layer Discovery Protocol
It is an open standard protocol (IEEE 802.1AB).
It is used to discover information about directly connected neighbours.
This information is helpful when troubleshooting.
LLDP timer 30 sec, LLDP holdtime 120 sec.
It sends all of its information as TLVs (type, length, value).
It is disabled by default on Cisco switches.
LLDP configuration
switch(config)#lldp run
switch(config-if)#lldp transmit
switch(config-if)#lldp receive
switch#show lldp
switch#show lldp neighbors
switch#show lldp entry *
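To make the TLV format concrete, here is an added Python example (not from these notes) that builds a small LLDP data unit and parses it back. Each TLV header is 16 bits: a 7-bit type followed by a 9-bit length. The parser checks every length against the bytes actually present and insists on the mandatory Chassis ID, Port ID, TTL and End TLVs, which is the check a receiver needs because LLDP frames come from whoever is plugged into the port. The frame bytes, MAC address, port name and system name are constructed for the example.

```python
"""Added example (not from the original notes): build and parse LLDP TLVs.
The sample LLDPDU below is constructed, not captured from a real switch."""
import struct

TLV_NAMES = {0: "End", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address"}
CHASSIS_SUBTYPE_MAC = 4      # chassis identified by its MAC address
PORT_SUBTYPE_IFNAME = 5      # port identified by its interface name


def tlv(tlv_type, value):
    """One TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    assert tlv_type < 128 and len(value) < 512
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_str(raw):
    """6 raw bytes -> Cisco style 'xxxx.xxxx.xxxx'."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def parse_lldpdu(data):
    """Decode the TLV sequence into a dict; raise ValueError on malformed input."""
    out, pos = {}, 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, pos)[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        value = data[pos + 2:pos + 2 + ln]
        if len(value) != ln:                      # length claims more bytes than we have
            raise ValueError("TLV type %d length %d runs past end of PDU" % (t, ln))
        pos += 2 + ln
        if t == 0:
            out["end"] = True
            break
        if t == 1:
            out["chassis_id"] = (mac_str(value[1:]) if value[0] == CHASSIS_SUBTYPE_MAC
                                 else value[1:].decode("ascii", "replace"))
        elif t == 2:
            out["port_id"] = value[1:].decode("ascii", "replace")
        elif t == 3:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif t in (4, 5, 6):
            out[TLV_NAMES[t].lower().replace(" ", "_")] = value.decode("ascii", "replace")
        else:
            out.setdefault("other", []).append((t, value))   # keep unknown TLVs raw
    for required in ("chassis_id", "port_id", "ttl", "end"):
        if required not in out:
            raise ValueError("mandatory TLV missing: " + required)
    return out


# Constructed sample: chassis MAC, port name, 120 s TTL (4 x 30 s timer), system name, End.
SAMPLE_LLDPDU = (
    tlv(1, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455"))
    + tlv(2, bytes([PORT_SUBTYPE_IFNAME]) + b"Fa0/1")
    + tlv(3, struct.pack("!H", 120))
    + tlv(5, b"core-sw1")
    + tlv(0, b"")
)
```

The TTL value of 120 in the sample is the holdtime from the notes: four times the 30 second transmit interval.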
VLAN virtual local area network
To break up a broadcast domain at layer 2 we use VLANs; one VLAN is one broadcast domain.
A VLAN is identified by a 12-bit number.
Range 0 to 4095; 0 and 4095 are reserved (normal range 1 to 1005, extended range 1006 to 4094).
The default VLAN is VLAN 1.
The VLAN database is saved in the vlan.dat file in flash memory.
How to create a VLAN
switch(config)#vlan 10
switch(config-vlan)#name sales
switch#show vlan brief
How to assign a port to a VLAN
Static VLAN assignment:
switch(config-if)#switchport access vlan 10
switch#show vlan brief
switch#show vlan id 10
Dynamic VLAN assignment:
VMPS (VLAN Management Policy Server): VLAN chosen by the MAC address of the host.
AAA (authentication, authorization and accounting): the RADIUS server returns the VLAN after the host authenticates (802.1X).
Switch port
A port of a switch operating in layer 2 (switching) mode.
Access port: carries the traffic of a single VLAN.
Trunk port: carries the traffic of multiple VLANs.
DTP Dynamic Trunking Protocol
It is a Cisco proprietary protocol.
It is enabled by default on all ports of the switch.
It negotiates whether a port becomes an access port or a trunk port.
Periodic messages every 30 sec.
Multicast MAC address 0100.0CCC.CCCC.
DTP modes: 1. dynamic auto (becomes a trunk only if the other side asks) 2. dynamic desirable (actively asks the other side to form a trunk).
Security note: a port left in dynamic auto or dynamic desirable forms a trunk with any device that sends DTP desirable frames, which gives that device access to every VLAN. Hard-code every port as access or trunk.
How to configure a manual access port or trunk port
switch(config-if)#switchport mode access
switch(config-if)#switchport mode trunk
switch#show interfaces fa 0/1 switchport
switch#show interfaces trunk
switch#show interfaces status
switch#show interfaces fa 0/1 trunk
How to configure a dynamic access or trunk port
switch(config-if)#switchport mode dynamic desirable
switch(config-if)#switchport mode dynamic auto
How to disable DTP
switch(config-if)#switchport mode access
switch(config-if)#switchport nonegotiate
Note: switchport mode access stops the port from ever becoming a trunk, but the port still sends DTP frames; switchport nonegotiate stops the DTP frames as well, so use both on ports facing end hosts. nonegotiate is also valid on a port in mode trunk, and is not accepted in the dynamic modes.
How to change the trunk encapsulation type
switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}
How to set the VLAN list allowed on a trunk port
sw(config-if)#switchport trunk allowed vlan {all | none | add vlan-list | remove vlan-list | except vlan-list | vlan-list}
Native VLAN
It carries untagged frames on a trunk port. Only 802.1Q supports a native VLAN; ISL tags every frame.
The native VLAN must match on both ends of a trunk. Because untagged frames are placed in the native VLAN, a host on an access port in the native VLAN can send a double-tagged frame (outer tag = native VLAN, inner tag = target VLAN): the first switch strips the outer tag and sends the frame untagged over the trunk, and the next switch reads the inner tag and delivers it into the target VLAN (VLAN hopping). Use a dedicated, unused VLAN as the native VLAN on trunks, never the VLAN of any access port.
How to set the native VLAN on a trunk
switch(config-if)#switchport trunk native vlan 2
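The native VLAN behaviour above is easier to see in code. This Python example is added here and is not part of the notes: it models the tagging rules of an access port and a trunk port (untagged on the native VLAN, tagged otherwise) and then runs a double-tagged frame through an access port, a trunk and the receiving switch, both with the native VLAN equal to the attacker's access VLAN and with a dedicated native VLAN. The frames, MAC addresses and VLAN numbers are constructed for the example, and the access-port rule (a frame tagged with the port's own VLAN is accepted with that tag removed) is the Cisco behaviour the attack relies on.

```python
"""Added example (not from the original notes): 802.1Q tag handling on access
and trunk ports, and the double-tag VLAN hop. All frames are constructed."""
import struct

TPID_8021Q = 0x8100


def tag(vid):
    """One 802.1Q tag: TPID 0x8100 followed by the 12-bit VLAN ID (PCP/DEI zero)."""
    return struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)


def build_frame(dst, src, payload, vlan_tags=()):
    """Ethernet II frame with zero or more 802.1Q tags, outermost first, IPv4 EtherType."""
    hdr = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    return hdr + b"".join(tag(v) for v in vlan_tags) + struct.pack("!H", 0x0800) + payload


def split_frame(frame):
    """Return (dst, src, [vlan ids outermost first], rest) where rest starts at the EtherType."""
    pos, vids = 12, []
    while struct.unpack_from("!H", frame, pos)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF)
        pos += 4
    return frame[:6], frame[6:12], vids, frame[pos:]


def access_ingress(frame, access_vlan):
    """Untagged frames are assigned to the access VLAN. A frame tagged with the
    access VLAN itself is accepted and that tag is removed; other tags are dropped."""
    dst, src, vids, rest = split_frame(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, dst + src + b"".join(tag(v) for v in vids[1:]) + rest
    return None, None


def trunk_egress(frame, vlan, native_vlan):
    """Sending on a trunk: the native VLAN goes untagged, every other VLAN gets a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Receiving on a trunk: no tag means native VLAN; otherwise the outer tag names the VLAN."""
    dst, src, vids, rest = split_frame(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], dst + src + b"".join(tag(v) for v in vids[1:]) + rest


def forward_across_trunk(frame, access_vlan, native_vlan):
    """Host -> sw1 access port -> trunk -> sw2. Returns the VLAN sw2 assigns, or None if dropped."""
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(frame, vlan, native_vlan)
    vlan_at_sw2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_at_sw2


# Constructed frames: a normal host in VLAN 10 and an attacker tagging [1, 20].
NORMAL = build_frame("ffff.ffff.ffff", "0000.0000.00aa", b"hello")
DOUBLE_TAGGED = build_frame("ffff.ffff.ffff", "0000.0000.00bb", b"hop", vlan_tags=(1, 20))
```

With the native VLAN left at 1 and the attacker on an access port in VLAN 1, `forward_across_trunk(DOUBLE_TAGGED, 1, 1)` lands in VLAN 20 on the far switch; with the trunk's native VLAN moved to an unused VLAN such as 999 the same frame stays in VLAN 1, because the first switch now tags it and the second switch strips only that outer tag.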
IVR inter-VLAN routing
It is used for communication between two different VLANs; it needs a layer 3 device (a router on a stick, or a multilayer switch with SVIs).
VTP VLAN Trunking Protocol
It is a Cisco proprietary protocol.
It works at layer 2.
It is used to transfer VLAN information from one switch to another switch.
Centralised VLAN management.
It uses the multicast MAC address 0100.0CCC.CCCC for VTP updates (the same address is used by CDP, VTP, DTP, PAgP and UDLD).
VTP modes
Server mode
Client mode
Transparent mode
Server mode
In this mode we can add, remove and edit VLANs.
It is the default VTP mode on most switch series.
It saves VLAN information in the vlan.dat file in flash memory.
In this mode VTP generates VTP updates.
It also works as a relay agent (forwards updates received from other servers).
It supports only the normal range of VLANs (in VTP version 1 and 2).
Client mode
In this mode we cannot add, remove or edit VLANs.
It also stores VLAN information in its vlan.dat file.
It supports only the normal range of VLANs.
It also works as a relay agent.
It receives its VLAN database from another switch.
Transparent mode
In this mode we can add, remove or edit VLANs (locally only).
It is the default VTP mode on some platforms.
It does not update its own VLAN database from VTP updates received from neighbouring switches.
It does not advertise its own VLAN information to any other switch.
It does not generate VTP updates.
It supports the normal range as well as the extended range of VLANs.
It stores VLAN information in its vlan.dat file and also in the running-config.
It also works as a relay agent (forwards the updates of others unchanged).
VTP requirements
Trunking must be enabled between the two switches.
The VTP domain name must match.
The VTP password must match (configuring a password is optional).
Types of VTP update
Triggered update
Periodic update
Configuration revision number (C.R. number)
It is 32 bits.
This number is always shown in decimal.
By default the C.R. number is 0.
It is incremented by one whenever a VLAN is added to, removed from or changed in the VLAN database.
Types of VTP messages
Summary advertisement
Subset advertisement
Advertisement request (from a client)
Summary advertisement
A VTP server generates a summary advertisement every 300 seconds and every time the VLAN database changes.
The receiver compares only the C.R. number.
Contents of a summary advertisement
Domain name
Version
C.R. number
MD5 digest (computed over the domain name, password, C.R. number and VLAN data)
Number of subset advertisements that follow
Subset advertisement
It contains the actual VLAN information.
It is generated when a VLAN change occurs, or in response to an advertisement request.
Advertisement request (from a client)
A client switch may be reset and its VLAN database cleared; it then generates an advertisement request, and the VTP server responds with a summary advertisement and subset advertisements to bring it up to date.
Note: a server-mode switch will not generate any VTP update while its domain name is null.
Note: the MD5 digest is calculated from the domain name, password and C.R. number (together with the VLAN contents).
Note: a switch accepts a received update, installs the VLAN database and recalculates its MD5 digest when the update carries a higher C.R. number for the same domain.
Note: the C.R. number becomes 0 when we change the domain name (or move the switch to transparent mode and back).
Note: the C.R. number is incremented by 1 if we change the version.
Note: a VTP password is not required on a transparent-mode switch.
Security note: any switch that joins the domain with the same domain name and password and a higher C.R. number overwrites the VLAN database of every server and client. If its database lacks VLANs that are in use, those VLANs are deleted everywhere and every port in them goes down. Reset the revision number of a used switch (change its domain name or put it in transparent mode) before cabling it in, always set a VTP password, and prefer transparent mode or VTP version 3 off mode where central management is not needed.
VTP configuration
switch(config)#vtp mode {server | client | transparent}
switch(config)#vtp domain cisco
switch(config)#vtp password ccie
switch#show vtp status
switch#show vtp counters
switch#debug sw-vlan vtp events
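The acceptance rule and the revision-number risk are shown in the following Python model, added here as an illustration and not taken from the notes. Each switch keeps a mode, domain, password, revision and VLAN set; a summary advertisement is accepted only when the domain matches, the digest matches and the revision is higher, and a transparent switch never updates from one. The digest is computed over domain, password and revision exactly as the notes describe; the real on-wire digest also covers the VLAN data with a different byte layout, so that part is a simplification. The switch names, domain, password and VLAN numbers are constructed.

```python
"""Added example (not from the original notes): VTP update acceptance and the
stray-switch overwrite. Names, domain, password and VLANs are constructed."""
import hashlib


def vtp_digest(domain, password, revision):
    """Simplified digest over the fields the notes list (real VTP also hashes the VLAN data)."""
    return hashlib.md5(f"{domain}\0{password}\0{revision}".encode()).hexdigest()


class VtpSwitch:
    def __init__(self, name, mode, domain, password=""):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = 0
        self.vlans = {1}                      # VLAN 1 always exists

    def set_domain(self, domain):
        """'vtp domain <name>': changing the domain resets the revision to 0."""
        self.domain, self.revision = domain, 0

    def _edit(self, vlan_id, add):
        if self.mode == "client":
            raise PermissionError("client mode cannot edit VLANs")
        (self.vlans.add if add else self.vlans.discard)(vlan_id)
        if self.mode == "server":              # transparent edits are local, no revision bump
            self.revision += 1

    def add_vlan(self, vlan_id):
        self._edit(vlan_id, True)

    def remove_vlan(self, vlan_id):
        self._edit(vlan_id, False)

    def summary_advertisement(self):
        """Summary advertisement with the subset data folded in; transparent sends none."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.domain, self.password, self.revision),
                "vlans": set(self.vlans)}

    def receive(self, adv):
        """Return True if the advertisement replaced the local VLAN database."""
        if adv is None or self.mode == "transparent":
            return False                       # transparent relays but never updates
        if adv["domain"] != self.domain:
            return False                       # different domain
        if adv["digest"] != vtp_digest(self.domain, self.password, adv["revision"]):
            return False                       # password (or data) mismatch
        if adv["revision"] <= self.revision:
            return False                       # nothing newer, only the revision is compared
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        return True


def stray_switch_scenario(reset_first):
    """Production server at revision 19 with VLANs 1-20 meets a lab switch whose
    revision was driven to 50 by adding and removing a VLAN 25 times, and which
    now only has VLAN 1. Returns the production (revision, sorted VLAN list)."""
    prod = VtpSwitch("prod-server", "server", "CORP", "s3cret")
    for v in range(2, 21):
        prod.add_vlan(v)
    lab = VtpSwitch("lab", "server", "CORP", "s3cret")
    for _ in range(25):
        lab.add_vlan(99)
        lab.remove_vlan(99)
    if reset_first:
        lab.set_domain("LAB")                  # the fix: revision back to 0 before cabling it in
    prod.receive(lab.summary_advertisement())
    return prod.revision, sorted(prod.vlans)
```

`stray_switch_scenario(False)` leaves the production server with only VLAN 1 at revision 50; `stray_switch_scenario(True)` leaves it untouched, because the lab switch's advertisement now carries a different domain and a revision of 0.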
VTP versions
Version 1: no support for Token Ring VLANs.
Version 2: supports Token Ring VLANs and forwards unrecognised TLVs.
Version 3
VTP version 3
We can create extended-range VLANs in server mode.
We can create private VLANs in server mode and propagate them to other switches.
The password can be hidden (stored as a secret).
Modes: 1 server (primary or secondary) 2 client 3 transparent 4 off.
Updater ID
Tells us which switch sent the last VTP update.
The updater ID is taken from an SVI IP address of the updating switch.
The lowest SVI IP address becomes the updater ID.
VTP pruning
It stops broadcast, multicast and unknown-unicast traffic of a VLAN from being sent over a trunk to a switch that has no port in that VLAN.
A transparent-mode switch does not take part in VTP pruning.
Enable VTP pruning on a server-mode switch; the client switches are enabled automatically.
VLAN 1 (and VLANs 1002 to 1005) cannot be pruned.
How to enable VTP pruning
switch(config)#vtp pruning
switch#show interfaces fa 0/24 pruning
switch(config-if)#switchport trunk pruning vlan remove 10 (on a trunk, to make VLAN 10 ineligible for pruning)
GVRP Generic VLAN Registration Protocol
It is an open standard protocol (GARP application defined in IEEE 802.1Q).
It is used to transfer VLAN information from one switch to another.
EtherChannel
It is also called link aggregation.
It is used to aggregate multiple physical links into a single logical link.
That logical link is called a port channel.
Requirements for EtherChannel (all member ports must match)
Duplex must match.
Speed must match.
The EtherChannel protocol (static, PAgP or LACP) must match on both sides.
The trunk allowed VLAN list must match.
The native VLAN must match.
The trunk encapsulation protocol must match.
The pruning eligibility list must match.
Note: after the EtherChannel is created, STP runs on the port channel, not on the individual member ports.
Types of EtherChannel
Static
PAgP
LACP
PAgP
It stands for Port Aggregation Protocol.
It is a Cisco proprietary protocol.
It aggregates up to 8 links.
Modes: 1. auto 2. desirable (auto on both sides never forms a channel).
PAgP silent / non-silent mode
Silent (default): a port joins the channel even if no PAgP packets arrive from the other side, so a channel can form with a device that never sends PAgP.
Non-silent: a port joins only after PAgP packets are received from the other side, so both sides must be running PAgP (desirable on at least one). Used on links where the neighbour is known to run PAgP, typically fibre, where a one-way failure would otherwise go unnoticed.
LACP
It stands for Link Aggregation Control Protocol.
It is an open standard protocol (IEEE 802.3ad, now 802.1AX).
It can aggregate up to 16 links in a single channel group.
Only 8 links participate actively at a time.
The remaining ports stay in hot-standby state.
Modes: 1. active 2. passive (passive on both sides never forms a channel).
LACP system ID
The switch with the lower LACP system ID is elected as the deciding (master) switch.
The master switch selects the active ports by port ID and negotiates them with the neighbour.
Election of the master switch
1) system priority (default 32768, lower wins) 2) system MAC (base MAC, lower wins)
LACP port ID
It is used to select the active ports and to negotiate them with the neighbour.
Election of active ports
1) port priority (default 32768, lower wins) 2) interface ID (lower wins)
EtherChannel load-balancing algorithms (the hash input chosen with port-channel load-balance)
source MAC
destination MAC
source and destination MAC
source IP address
destination IP address
source and destination IP address
source port number
destination port number
source and destination port number
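Which of these methods is chosen decides whether the member links are actually used evenly. The Python example below is added here and is not from the notes: it models the hash as the XOR of the low-order bits of the selected fields (1, 2 or 3 bits for 2, 4 or 8 links), which is how Cisco hardware picks a link, and counts how sixteen constructed flows between one server and sixteen clients spread over four links under each method. The exact bucket assignment varies by platform, so the numbers illustrate the polarisation effect rather than a specific switch.

```python
"""Added example (not from the original notes): simplified EtherChannel
member-link hashing. Addresses, ports and flows are constructed."""
import ipaddress

METHODS = {"src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip",
           "src-port", "dst-port", "src-dst-port"}


def _mac_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def select_link(method, flow, n_links):
    """Member link index (0 .. n_links-1) for one flow. flow is a dict with the
    keys src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port."""
    assert method in METHODS and n_links in (2, 4, 8)
    mask = n_links - 1                               # low 1, 2 or 3 bits
    fields = {"mac": (_mac_int(flow["src_mac"]), _mac_int(flow["dst_mac"])),
              "ip": (_ip_int(flow["src_ip"]), _ip_int(flow["dst_ip"])),
              "port": (flow["src_port"], flow["dst_port"])}
    src, dst = fields[method.split("-")[-1]]         # the method name ends in mac / ip / port
    if method.startswith("src-dst"):
        return (src ^ dst) & mask
    if method.startswith("src"):
        return src & mask
    return dst & mask


def distribution(method, flows, n_links):
    """How many of the given flows land on each member link."""
    counts = [0] * n_links
    for f in flows:
        counts[select_link(method, f, n_links)] += 1
    return counts


# Constructed traffic: one server (single MAC, single IP, port 443) talking to
# sixteen clients, each with its own MAC, IP and ephemeral port.
SERVER_MAC, SERVER_IP = "0000.0000.0001", "10.0.0.1"
FLOWS = [{"src_mac": SERVER_MAC, "dst_mac": "0000.0000.%04x" % (0x10 + i),
          "src_ip": SERVER_IP, "dst_ip": "10.0.1.%d" % (10 + i),
          "src_port": 443, "dst_port": 50000 + i} for i in range(16)]
```

On a four-link channel, `distribution("src-mac", FLOWS, 4)` puts all sixteen flows on one link because every frame has the server's MAC as its source, while `dst-mac` and `src-dst-ip` spread them four per link. The same thing happens with a router on the far side of the channel: every frame carries the router's MAC, so a MAC-based method collapses onto one link and an IP-based method is needed.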
Configure a static EtherChannel
switch(config-if-range)#channel-group 10 mode on
switch#show etherchannel
switch#show etherchannel summary
switch#show interfaces port-channel 10
switch#show spanning-tree
switch#show ip interface brief
switch#show etherchannel load-balance
Configuration of PAgP
switch(config-if-range)#channel-group 20 mode desirable non-silent
switch(config-if-range)#channel-group 20 mode auto
Configuration of LACP
switch(config-if-range)#channel-group 20 mode active
switch(config-if-range)#channel-group 20 mode passive
switch#show etherchannel
switch#show lacp sys-id
switch#show lacp internal
switch(config)#lacp system-priority <1-65535>
switch(config-if)#lacp port-priority <0-65535>
switch(config)#port-channel load-balance ?
Layer 3 EtherChannel
If there are 8 routed links between two layer 3 switches, 8 routing neighbourships are established.
8 neighbour entries in the neighbour table.
If any port goes down, its neighbourship goes down.
With 8 links we need IP addresses in 8 subnets.
More CPU utilisation.
To solve this problem we use a layer 3 EtherChannel: one routed port channel, one subnet, one neighbourship.
Configuration of a layer 3 EtherChannel
switch1(config-if-range)#no switchport
switch1(config-if-range)#channel-group 20 mode {on | desirable | active}
switch2(config-if-range)#no switchport
switch2(config-if-range)#channel-group 20 mode {on | auto | passive}
switch1(config)#interface port-channel 20
switch1(config-if)#ip address 10.0.0.1 255.0.0.0
switch1(config-if)#no shutdown
switch2(config)#interface port-channel 20
switch2(config-if)#ip address 10.0.0.2 255.0.0.0
switch2(config-if)#no shutdown
STP Spanning Tree Protocol
It is an open standard protocol.
The IEEE standard is 802.1D.
It is a layer 2 protocol.
BPDUs are always sent to the multicast MAC address 0180.c200.0000 (Cisco PVST+ uses 0100.0ccc.cccd for its per-VLAN BPDUs).
It is used to prevent bridging loops in a switched topology by putting some interfaces into forwarding state and some into blocking state.
STP terminology
Root bridge
BPDU
Root port / designated port
Cost
Alternate port / blocking port
STP performs three major tasks
Root bridge election
Root port election
Designated port election
Root port and designated port election criteria (compared in this order)
Lowest cost to reach the root bridge
Lowest sender (designated) bridge ID
Lowest sender (designated) port ID
Root bridge
The switch with the best (lowest) bridge ID becomes the root bridge.
Bridge ID: an 8-byte value
1 Bridge priority (2 bytes): default 32768, range 0 to 65535
2 Bridge MAC (6 bytes)
Lower priority wins; with equal priorities the lower MAC wins, so with default priorities the oldest switch in the network usually becomes root. Always set the priority on the intended root by hand.
BPDU Bridge Protocol Data Unit
BPDUs carry the bridge ID between switches to elect the root bridge.
STP generates a hello message every 2 seconds; this hello is the BPDU.
The BPDU carrying the best (lowest) root bridge ID is the superior BPDU.
Types of BPDU message
Configuration BPDU
TCN BPDU
Configuration BPDU
This BPDU is generated periodically, every 2 seconds.
Contents of a configuration BPDU (35 bytes)
Protocol ID (2 bytes)
Version (1 byte)
Type (configuration or TCN BPDU) (1 byte)
Flags (1 byte)
Root bridge ID (8 bytes)
Cumulative cost to reach the root bridge (4 bytes)
Sender (designated) bridge ID (8 bytes)
Sender (designated) port ID (2 bytes)
Message age (2 bytes)
Max age (2 bytes)
Hello timer (2 bytes)
Forward delay timer (2 bytes)
TCN BPDU
STP generates a TCN BPDU when a change occurs in the topology.
It informs the root bridge that there is a change in the topology.
Contents of a TCN BPDU (4 bytes)
Protocol ID
Version
Type
Note: the root bridge always generates BPDUs with a root path cost of zero.
Note: after the root bridge is elected, only the root bridge originates configuration BPDUs; every other switch relays them out of its designated ports with its own cost, bridge ID and port ID filled in.
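The field list above maps directly onto a fixed 35-byte layout (timers are carried in units of 1/256 second), and a TCN BPDU is just the first 4 bytes with type 0x80. The Python example below is added here and is not from the notes: it builds both BPDU types, parses them back, and compares two configuration BPDUs the way a switch ranks them (root ID, then root path cost, then sender bridge ID, then sender port ID). The bridge IDs, MAC addresses and cost are constructed.

```python
"""Added example (not from the original notes): IEEE 802.1D BPDU encoding,
decoding and ranking. Bridge IDs and MACs are constructed."""
import struct

CONFIG_BPDU = struct.Struct("!HBBBQIQHHHHH")   # 2+1+1+1+8+4+8+2+2+2+2+2 = 35 bytes
TCN_BPDU = struct.Struct("!HBB")                 # protocol ID, version, type = 4 bytes
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80                   # topology change / topology change ack


def bridge_id(priority, mac):
    """8-byte bridge ID as an int: 2-byte priority followed by the 6-byte MAC."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def bridge_id_str(bid):
    return "%d/%012x" % (bid >> 48, bid & 0xFFFFFFFFFFFF)


def build_config_bpdu(root, cost, sender, port_id, msg_age=0,
                      max_age=20, hello=2, fwd_delay=15, flags=0):
    """Configuration BPDU; timer arguments are in seconds."""
    return CONFIG_BPDU.pack(0, 0, TYPE_CONFIG, flags, root, cost, sender, port_id,
                            msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)


def build_tcn_bpdu():
    return TCN_BPDU.pack(0, 0, TYPE_TCN)


def parse_bpdu(data):
    """Decode either BPDU type into a dict; raise ValueError if too short."""
    if len(data) >= TCN_BPDU.size and data[3] == TYPE_TCN:
        proto, version, _ = TCN_BPDU.unpack_from(data)
        return {"type": "tcn", "protocol_id": proto, "version": version}
    if len(data) < CONFIG_BPDU.size:
        raise ValueError("configuration BPDU needs %d bytes" % CONFIG_BPDU.size)
    f = CONFIG_BPDU.unpack_from(data)
    return {"type": "config", "protocol_id": f[0], "version": f[1],
            "flags": {"tc": bool(f[3] & FLAG_TC), "tca": bool(f[3] & FLAG_TCA)},
            "root_id": bridge_id_str(f[4]), "root_path_cost": f[5],
            "bridge_id": bridge_id_str(f[6]), "port_id": f[7],
            "message_age": f[8] / 256, "max_age": f[9] / 256,
            "hello_time": f[10] / 256, "forward_delay": f[11] / 256}


def bpdu_key(data):
    """Ranking tuple: the BPDU with the smaller tuple is the superior one."""
    f = CONFIG_BPDU.unpack_from(data)
    return (f[4], f[5], f[6], f[7])   # root ID, root path cost, sender bridge ID, sender port ID


# Constructed topology: ROOT is the root bridge, SW2 relays its BPDU one hop away
# over a 100 Mbps link (cost 19) from port 1 with default port priority 128 (0x80).
ROOT = bridge_id(32768, "0000.0000.0001")
SW2 = bridge_id(32768, "0000.0000.0002")
ROOT_OWN_BPDU = build_config_bpdu(ROOT, 0, ROOT, 0x8001)
SW2_RELAYED_BPDU = build_config_bpdu(ROOT, 19, SW2, 0x8001, msg_age=1)
```

A BPDU that claims a root ID lower than the real root's is exactly what a rogue switch (or a host running an STP tool) injects to take over the root role, which is why the root guard and BPDU guard sections later on matter.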
STP path cost (IEEE short method)
10 Mbps - 100
100 Mbps - 19
1 Gbps - 4
10 Gbps - 2
Note: we can modify these cost values according to requirements.
Note: when a switch receives a superior BPDU it immediately stops announcing itself as the root bridge.
Root port: the port on which the switch receives the best (lowest-cost) BPDU.
Designated port: the port on a segment that transmits the best (lowest-cost) BPDU.
Port ID (2 bytes)
1 Port priority (default 128)
2 Interface ID (lowest wins)
Note: all ports of the root bridge are designated ports.
Note: root port election is performed only on non-root bridges.
Note: a non-root bridge has exactly one root port.
Note: on a single segment both ends cannot be designated, and both ends cannot be non-designated.
Note: DP and RP are always in forwarding state.
Note: a TCN is sent when a port finishes the learning state and moves to forwarding, or when a forwarding port goes down.
STP port states
Disabled: cannot send or receive data or BPDUs.
Blocking: receives BPDUs; does not send BPDUs, does not send or receive data, does not learn MAC addresses.
Listening: sends and receives BPDUs; does not send or receive data, does not learn MAC addresses (15 sec).
Learning: sends and receives BPDUs, learns MAC addresses; does not send or receive data (15 sec).
Forwarding: sends and receives BPDUs, learns MAC addresses, sends and receives data.
Types of topology change
Insignificant topology change
Direct topology change
Indirect topology change
Insignificant topology change
When an access port goes down and comes up, the switch generates a TCN BPDU; this kind of change is known as an insignificant topology change.
Note: if any link goes down or comes up, the switch must treat it as a topology change and inform the root bridge.
Step 1: the PC on switch C is turned off; the switch detects the link going down.
Step 2: switch C begins sending TCN BPDUs toward the root bridge over its root port 0/2.
Step 3: the root bridge sends a TCN acknowledgement back to switch C and then sends configuration BPDUs with the TC flag bit set to all downstream switches, to inform every switch of a topology change somewhere in the network.
Step 4: every switch that receives the TC flag from the root reduces its MAC aging time from 300 sec to 15 sec (the forward delay). The root keeps the TC flag set, and the aging time stays short, for max age + forward delay (35 sec by default).
PortFast
We enable PortFast on access ports. A PortFast port moves directly into forwarding state without the listening and learning delay, and the switch does not generate a TCN BPDU when that port goes up or down. Without the TCN, the other switches do not shorten their MAC aging time from 300 sec to 15 sec.
Never enable PortFast on a port that connects to another switch, and pair it with BPDU guard (see STP protection).
Without PortFast:
sw#show spanning-tree
MAC aging time 300 sec
sw#debug spanning-tree events (on all switches)
R1(config-if)#shutdown
sw#show spanning-tree
Aging time drops to 15 sec, and the port takes 30 sec to reach forwarding state when it comes back up.
How to enable PortFast
sw(config-if)#spanning-tree portfast
R1(config-if)#shutdown
The switch port jumps directly to forwarding state without delay, and the MAC aging time is not changed from 300 to 15 sec.
Direct topology change
When a switch has at least one alternate (blocked) port and one of its own links goes down or comes up, a direct topology change occurs. Convergence time for a direct topology change is 30 sec (listening + learning).
Step 1: the link between switch A and switch C goes down. Both switches detect the link down and immediately delete the MAC entries learned on those ports. Switch C also discards the best BPDU it had received from the root bridge over port 0/2, since that port is now down and the BPDU is no longer valid.
Step 2: switch A sends a configuration BPDU with the TC flag bit set to switch B, and switch B forwards it toward switch C; all switches reduce their aging time from 300 to 15 sec.
Step 3: switch C receives the superior BPDU from the root through switch B, and port 0/1 of switch C becomes the root port and enters listening state for 15 sec.
Step 4: after 15 sec the MAC tables of all switches have aged out, and port 0/1 of switch C moves from listening to learning for 15 sec. During these 15 sec, if PC 1A sends a frame to PC 1B, switch B floods it (unknown unicast flooding).
Step 5: after another 15 sec, port 0/1 of switch C moves from learning to forwarding; switch C can now send frames from port 0/1, and switch B and switch A receive them and rebuild their MAC tables.
UplinkFast
It reduces the 30 sec convergence time of a direct topology change. If the root port goes down, UplinkFast immediately (within milliseconds) makes the alternate port the new root port in forwarding state, without the listening and learning delay.
It also sends dummy multicast frames to 0100.0ccd.cdcd, one for each MAC address in its CAM table, so that the upstream switches relearn those addresses on the new path without waiting for aging.
Requirements of UplinkFast
At least one alternate port must be available on the switch.
Bridge priority must be left at default: enabling UplinkFast raises the bridge priority to 49152 and adds 3000 to every port cost, so that the switch can never become root or a transit switch. Enable it on access-layer switches only.
Configure UplinkFast
R#ping 12.1.1.2 repeat 10000
This pings continuously.
sw2#debug spanning-tree events
sw2(config)#interface fastethernet 0/21
sw2(config-if)#shutdown
The ping breaks and about 15 packets are dropped, around 30 sec.
Enable UplinkFast
sw2(config)#spanning-tree uplinkfast
sw2#show spanning-tree uplinkfast
sw2(config)#interface fastethernet 0/21
sw2(config-if)#shutdown
Now only one packet is dropped, because 0/22 moves directly into forwarding state.
Indirect topology change
Step 1: the link between switch A (root) and switch B goes down.
Step 2: switch A and switch B generate TCN BPDUs toward switch C, and all switches reduce their aging time from 300 sec to 15 sec.
Step 3: switch B was receiving the superior BPDU only on port 0/1; after that link goes down, switch B starts to announce itself as root bridge, so switch B sends inferior BPDUs toward switch C.
Note: if a switch announces itself as root bridge while a better root bridge still exists, the BPDU of that would-be root bridge is called an inferior BPDU.
Step 4: when switch C receives the inferior BPDU on its blocked port 0/1, it ignores it and keeps the stored superior BPDU until that BPDU's max age timer (20 sec) expires.
Step 5: after the max age timer expires, switch C compares the BPDUs and concludes that switch A is still the root bridge, so switch C moves port 0/1 from blocking to listening.
Step 6: switch C now sends a copy of the BPDU received from switch A toward switch B, and switch B changes its port 0/2 from DP to RP.
Total convergence: 20 sec max age + 15 sec listening + 15 sec learning = 50 sec.
BackboneFast
BackboneFast should be enabled on every switch. It removes the 20 sec max age wait: with BackboneFast enabled, when an indirect topology change occurs the blocked port moves from blocking to forwarding in 30 sec (listening + learning) instead of 50 sec.
How BackboneFast works
Step 1: with BackboneFast enabled, the link between switch A and switch B goes down.
Step 2: switch B sends inferior BPDUs to switch C.
Step 3: when switch C receives the inferior BPDU, it sends a Root Link Query (RLQ) request toward the root bridge.
Step 4: switch A receives the RLQ request and replies with an RLQ response confirming that it is still the root bridge.
Step 5: switch C immediately moves port 0/1 from blocking to listening, without waiting for max age (20 sec).
Step 6: switch C sends the superior BPDU to switch B, and switch B stops announcing itself as root bridge.
Configure BackboneFast
sw#debug spanning-tree events (enable debugging on all switches)
switch2(config)#interface fastethernet 0/21
switch2(config-if)#shutdown
Port 0/23 of switch 3 takes 50 sec to come up.
Enable BackboneFast
sw(config)#spanning-tree backbonefast (enable on all switches)
sw#debug spanning-tree backbonefast (on all switches)
switch2(config)#interface fastethernet 0/21
switch2(config-if)#shutdown
Port 0/23 of switch 3 now takes 30 sec to come up.
Types of STP
CST
PVST
PVST+
CST
It stands for Common Spanning Tree (IEEE 802.1Q).
A single instance of STP for all VLANs.
It reduces the switch CPU load during STP calculations.
No capability for load balancing.
It is an open standard.
PVST
It stands for Per-VLAN Spanning Tree.
It is a Cisco proprietary protocol.
It runs a separate instance of STP for each VLAN.
Capability for load balancing.
It supports ISL trunks only.
PVST+
It stands for Per-VLAN Spanning Tree Plus.
It runs a separate instance of STP for each VLAN.
Capability for load balancing.
It supports both ISL and 802.1Q trunks.
It works the same way as PVST.
It is the default on Cisco switches.
sw(config)#vlan 1-10
sw#show spanning-tree
This shows a separate instance for every VLAN.
How to make a switch the root bridge for all VLANs
sw(config)#spanning-tree vlan 1-4094 priority 0 (the priority must be a multiple of 4096)
sw#show spanning-tree vlan 1
sw#show spanning-tree vlan <vlan-id>
How to make a switch the root bridge for a specific VLAN
sw(config)#spanning-tree vlan 2 priority 0
Primary and secondary root bridge
Used for load balancing and fault tolerance.
primary - priority 24576 (or 4096 less than the current root's priority if that is already lower)
secondary - priority 28672
sw1(config)#spanning-tree vlan 1-5 root primary
sw1(config)#spanning-tree vlan 6-10 root secondary
sw2(config)#spanning-tree vlan 1-5 root secondary
sw2(config)#spanning-tree vlan 6-10 root primary
sw1#show spanning-tree vlan 4 (root bridge)
sw1#show spanning-tree vlan 7 (non-root bridge)
sw2#show spanning-tree vlan 7 (root bridge)
sw2#show spanning-tree vlan 4 (non-root bridge)
How to set the primary and secondary root bridge manually
sw1(config)#spanning-tree vlan 1-5 priority 0
sw1(config)#spanning-tree vlan 6-10 priority 4096
sw2(config)#spanning-tree vlan 1-5 priority 4096
sw2(config)#spanning-tree vlan 6-10 priority 0
Change the STP timers through the diameter keyword of root primary
sw(config)#spanning-tree vlan 1-5 root primary diameter 4
sw#show spanning-tree
Note: lowering the timers gives faster convergence, but the BPDU processing overhead on the switches increases.
Rule of 4096 increments in priority (extended system ID)
The extended system ID gives every VLAN on the same switch a different bridge ID.
The 2-byte priority field is split: the upper 4 bits carry the configured priority and the lower 12 bits (sys-id-ext) carry the VLAN number, so the effective priority is configured priority + VLAN ID.
The extended system ID is enabled by default.
It is used by PVST+ and Rapid PVST+ on Cisco switches.
Problem (if any 16-bit value were allowed as the priority):
VLAN 1 with priority 10 -> effective priority 11
VLAN 3 with priority 8 -> effective priority 11 (two VLANs, the same value, no way to tell them apart)
Solution (the configured priority must be a multiple of 4096, so the VLAN ID never overlaps it):
VLAN 1 with priority 0 -> 1
VLAN 2 with priority 0 -> 2
VLAN 3 with priority 0 -> 3
VLAN 4 with priority 4096 -> 4100
VLAN 5 with priority 4096 -> 4101
switch(config)#spanning-tree vlan 1-10 priority ? (lists the allowed values 0, 4096, 8192 ... 61440)
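The rule above, the root bridge election, and the root port criteria (cost, then sender bridge ID, then sender port ID) are put together in the following Python example, which is added here and is not from the notes. It rejects priorities that are not multiples of 4096, computes the effective per-VLAN priority, elects the root for a VLAN from a set of switches, and picks the root port on a non-root switch from the BPDUs it receives, adding the ingress link's cost exactly as a switch does. The switch names, MAC addresses, link speeds and port numbers are constructed.

```python
"""Added example (not from the original notes): extended system ID, per-VLAN
root election and root port selection. Switches, MACs and ports are constructed."""

IEEE_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> short-method cost


def effective_priority(configured, vlan):
    """The VLAN ID occupies the low 12 bits of the priority field, so the configured
    value must be a multiple of 4096 and what goes on the wire is configured + VLAN."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return configured + vlan


def bridge_id(priority_cfg, mac, vlan):
    """(effective priority, MAC as int): tuples compare the way switches do, lowest wins."""
    return (effective_priority(priority_cfg, vlan), int(mac.replace(".", ""), 16))


def elect_root(switches, vlan):
    """switches: {name: (configured priority for this VLAN, base MAC)}.
    Returns the name of the root bridge for the VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], switches[n][1], vlan))


def port_id(priority, port_number):
    """16-bit port ID: priority (default 128, steps of 16) in the high bits, port number below."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    return (priority << 8) | port_number


def elect_root_port(received):
    """received: list of (port_name, cost carried in the BPDU, ingress link speed in Mbps,
    sender bridge ID tuple, sender port ID). The receiving port adds its own link cost to
    the BPDU cost; lowest (total cost, sender bridge ID, sender port ID) wins.
    Returns (port_name, total cost to root)."""
    best = None
    for port, bpdu_cost, speed, sender_bid, sender_pid in received:
        candidate = (bpdu_cost + IEEE_COST[speed], sender_bid, sender_pid, port)
        if best is None or candidate < best:
            best = candidate
    return best[3], best[0]


# Constructed network: two switches with default priorities, where the older (lower MAC)
# switch wins, versus the core switch made root with 'spanning-tree vlan 1 priority 24576'.
DEFAULTS = {"old-access-sw": (32768, "0000.0c00.0001"), "core": (32768, "0050.0000.0001")}
TUNED = {"old-access-sw": (32768, "0000.0c00.0001"), "core": (24576, "0050.0000.0001")}
ROOT_BID = bridge_id(24576, "0050.0000.0001", 1)           # the core's bridge ID in VLAN 1
OTHER_BID = bridge_id(32768, "0000.0c00.0002", 1)          # a second non-root switch
```

The root port cases worth checking: two 100 Mbps uplinks with equal cost where the BPDU from the root itself wins on sender bridge ID; the same two uplinks after one is replaced by gigabit (cost 4 beats 19); and two links to the same root switch, where the root's own port priority, not the local one, decides, which is why the notes say port priority is changed on the designated side.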
Root port election based on cost
sw2#show spanning-tree vlan 1 interface fastethernet 0/21 detail
sw2#show spanning-tree vlan 1 interface fastethernet 0/22 detail
This shows a path cost of 19 on both ports.
sw2(config)#interface fastethernet 0/22
sw2(config-if)#spanning-tree cost 18 (for all VLANs)
sw2(config-if)#spanning-tree vlan 1-5 cost 18 (for specific VLANs)
sw2#show spanning-tree
Note: cost is changed on the non-designated (receiving) side, because each switch adds the cost of the ingress port to the cost carried in the BPDU.
Root port election based on port ID
Port ID is changed on the designated (sending) side, because the receiving switch compares the sender's port ID carried in the BPDU.
By default the port priority is 128.
Port priority can be changed in increments of 16.
sw1#show spanning-tree vlan 1 interface fastethernet 0/22 detail
sw1(config)#interface fastethernet 0/21
sw1(config-if)#spanning-tree port-priority 144 (for all VLANs)
sw1(config-if)#spanning-tree vlan 6-10 port-priority 144 (for specific VLANs)
sw#show spanning-tree
STP protection
Root guard
Loop guard
BPDU guard
BPDU filter
UDLD Unidirectional Link Detection
Root guard
Root guard is a security feature of STP. It is enabled on designated ports, typically the trunk ports that face switches which must never become root. After enabling root guard, if the port receives a superior BPDU (one that would make the neighbour the root bridge), the switch immediately puts that port into root-inconsistent state, where it does not forward. The port recovers on its own as soon as the superior BPDUs stop. Root guard is configured per port; it cannot be enabled per VLAN.
Enable root guard on all designated trunk ports that face non-root switches.
How to configure root guard
sw1(config)#spanning-tree vlan 1-4094 priority 4096
sw1(config)#interface range fastethernet 0/19 , fastethernet 0/21
sw1(config-if-range)#spanning-tree guard root
sw3(config)#spanning-tree vlan 1 priority 0
sw1#show spanning-tree
0/19 and 0/21 are in root-inconsistent state.
sw3(config)#no spanning-tree vlan 1 priority 0
The ports leave root-inconsistent state immediately and automatically.
Loop guard
Step 1: BPDUs stop arriving on port 0/2 of switch C because of traffic congestion or another problem such as an IOS bug or a unidirectional link.
Step 2: switch C waits 20 sec for a BPDU on port 0/2, because the max age timer is 20 sec.
Step 3: switch C moves port 0/1 from blocking to root port, because that is now the only port receiving BPDUs.
Step 4: switch C moves port 0/2 from RP to DP (the port does not go into blocking, because no BPDUs are received on it).
Step 5: a loop now exists, because both ports between switch A and switch C are in forwarding state.
sw(config-if)#spanning-tree guard loop
Note: loop guard is enabled on non-designated ports (root and alternate ports).
After enabling loop guard on all non-designated ports, if a root or alternate port stops receiving BPDUs it waits 20 sec and then goes into loop-inconsistent state instead of forwarding, so there is no chance of a loop. It recovers automatically when BPDUs return. Like root guard, it is configured per port, not per VLAN.
BPDU guard
It is enabled on all access ports, not on trunk ports.
Enable it on every switch port where STP PortFast is enabled.
After enabling BPDU guard on an access port, if that port receives any BPDU it is immediately moved into err-disabled state.
It protects against attackers or rogue switches plugged into access ports that try to take part in STP (for example to become root and have traffic pass through them).
sw(config-if)#spanning-tree bpduguard enable
sw(config-if)#spanning-tree bpduguard disable
sw(config)#spanning-tree portfast default (PortFast on all access ports)
sw(config)#spanning-tree portfast bpduguard default (BPDU guard on all PortFast ports)
Note: an err-disabled port stays down until shutdown / no shutdown is entered or errdisable recovery brings it back.
BPDU filter
It is also enabled on access ports.
It is also meant as protection against attackers, but see the notes below.
After enabling BPDU filter on an interface, any BPDU received on that port is silently discarded and not processed, and no BPDU is sent out of the port. This effectively switches STP off on that port.
It does not put the port into err-disabled state when a BPDU is received.
Note: the global form (spanning-tree portfast bpdufilter default) behaves differently: a PortFast port sends a few BPDUs at link-up, and if a BPDU is ever received, PortFast and the filter are removed and the port returns to normal STP operation.
Note: if both BPDU guard and BPDU filter are configured on the same interface, BPDU filter takes precedence and BPDU guard never triggers. Prefer BPDU guard on access ports: the interface-level filter lets a switch plugged into the port form an undetected loop.
sw(config-if)#spanning-tree bpdufilter enable
sw(config-if)#spanning-tree bpdufilter disable
sw(config)#spanning-tree portfast default
sw(config)#spanning-tree portfast bpdufilter default
UDLD Unidirectional Link Detection
It protects against unidirectional links (for example one fibre strand broken, so one side receives but cannot be heard).
It is a Cisco proprietary protocol.
UDLD messages are sent to the multicast address 0100.0ccc.cccc.
This feature is used mainly on fibre optic links, because STP alone cannot detect a unidirectional link and a blocked port may start forwarding.
There are two UDLD modes
Normal
Behaves like BPDU filter in that it only reports: if a port is found to be unidirectional, the port is marked undetermined and a log message is generated; the port is not shut down.
Message interval 15 sec (default).
Aggressive
Behaves like BPDU guard: if the neighbour stops replying, the switch sends 8 more messages one second apart and then puts the port into err-disabled state.
Message interval 15 sec (default).
Configuration of normal mode
sw1(config)#udld enable (global, applies to fibre ports only)
sw1(config-if-range)#udld port (per interface, copper ports too)
sw2(config)#udld enable
sw2(config-if-range)#udld port
sw#show udld fastethernet 0/19
Configuration of aggressive mode
sw1(config)#udld enable
sw1(config-if-range)#udld port aggressive
sw2(config)#udld enable
sw2(config-if-range)#udld port aggressive
sw#show udld fastethernet 0/19
RSTP Rapid Spanning Tree Protocol
The IEEE standard is 802.1w (open standard).
Rapid PVST+ is the Cisco per-VLAN implementation of RSTP.
It has fast convergence.
Every switch generates its own BPDUs (including proposal BPDUs), not only the root.
Features of RSTP
Built-in UplinkFast (the alternate port role).
Built-in BackboneFast (inferior BPDUs are accepted and processed immediately).
PortFast still has to be enabled on all access ports (edge ports).
Note: the election criteria for root bridge, RP, DP and non-DP are the same as in STP.
STP state vs RSTP state
STP          RSTP
disabled     discarding
blocking     discarding
listening    discarding
learning     learning (15 sec)
forwarding   forwarding
RSTP convergence process
Step 1: when the switches come up, both announce themselves as root bridge and both ports become DP.
Step 2: both ports send proposal BPDUs.
Step 3: sw2 receives the superior BPDU and immediately performs synchronisation: it stops announcing itself as root and its port loses the DP role, while swA simply keeps sending proposal BPDUs.
Note: during synchronisation the switch puts all of its non-edge designated ports into discarding state to avoid loops.
Step 4: swB elects its RP and sends an agreement toward swA through the RP. Both ports (the one that sent and the one that received the agreement) move directly into forwarding state without any delay.
Worked topology (two links between sw1 and sw2)
Step 1: sw1 and sw2 send proposal BPDUs from both of their ports.
Step 2: sw2 receives the superior BPDU on port 0/1; when sw2 receives a superior BPDU it performs synchronisation.
Step 3: sw2 changes port 0/1 from DP to RP.
Step 4: sw2 sends an agreement from port 0/1 toward sw1 port 0/1, and both ports go into forwarding state immediately.
Step 5: sw1 port 0/2 receives no agreement because sw2 port 0/2 is in discarding state (alternate port), so sw1 port 0/2 reaches forwarding the slow way, through discarding and learning on the timers.
Step 6: if the RP goes down, alternate port 0/2 changes from discarding to RP in forwarding state without delay, because the UplinkFast behaviour is built into RSTP.
Configuration of RSTP
sw1(config)#spanning-tree mode rapid-pvst
sw2(config)#spanning-tree mode rapid-pvst
sw(config)#interface range fa 0/21 - 22
sw(config-if-range)#shutdown
sw#debug spanning-tree events
sw(config-if-range)#no shutdown
Note: we can change the RP by cost and port ID, the same as in PVST+.
MSTP/MST
it stands for Multiple Spanning Tree Protocol / Multiple Spanning Tree.
CST: single instance
PVST+: one instance per VLAN
MSTP: multiple instances, each carrying multiple VLANs
convergence is the same as RSTP.
it is an open standard protocol.
we can map multiple VLANs into a single instance of STP.
by default it works like CST, because all VLANs are mapped into a single instance of STP (instance 0).
the features of MSTP are the same as RSTP (UplinkFast and BackboneFast behaviour are built in).
there are two types of MSTP operation: 1. intra-domain/region, 2. inter-domain/region.
it supports a maximum of 16 instances on a single switch.
instance 0 is called the CIST (Common and Internal Spanning Tree).
MSTP attributes
name (up to 32 characters)
revision number (0-65535), default 0
instance (0-4094), default 0
contents of the M-record
name
revision
hash value (digest of the VLAN-to-instance mapping)
sw(config)#spanning-tree mode mst (on all switches)
sw1(config)#vlan 1-10
sw#show spanning-tree (to check whether MST is enabled)
sw#show spanning-tree mst configuration
sw(config)#spanning-tree mst configuration
sw(config-mst)#name cisco
sw(config-mst)#revision 1
sw(config-mst)#instance 1 vlan 1-5
sw(config-mst)#instance 2 vlan 6-10
the same MST configuration (name, revision and instance mapping) must be applied on all switches.
Load balancing in MSTP
Sw1(config)#spanning-tree mst 1 root primary
Sw1(config)#spanning-tree mst 2 root secondary
Sw2(config)#spanning-tree mst 1 root secondary
Sw2(config)#spanning-tree mst 2 root primary
Sw1(config)#spanning-tree mst 1 priority 0
Sw1(config)#spanning-tree mst 2 priority 4096
Sw2(config)#spanning-tree mst 1 priority 4096
Sw2(config)#spanning-tree mst 2 priority 0
sw2(config)#interface fastethernet 0/22
sw2(config-if)#spanning-tree mst 2 cost 199999
sw2#show spanning-tree mst 1/2
or
sw2(config)#interface fastethernet 0/21
sw2(config-if)#spanning-tree mst 2 port-priority 144
sw2#show spanning-tree mst 1/2
sw#show spanning-tree mst 1 interface fa 0/21
MLS: multi-layer switching
CEF: Cisco Express Forwarding
inter-VLAN routing
DHCP server configuration for multiple VLANs
types of switching
process switching
fast switching
CEF switching
process switching
in process switching the router performs a routing lookup for every packet.
fast switching
the RP (route processor) performs the routing lookup for the first packet only and generates a cache entry;
the SE (switching engine) forwards the following packets from the cache.
MLS generations:
1st generation: fast switching (RP, SE)
2nd generation: CEF (Cisco Express Forwarding)
components of a router or MLS
control plane: runs the routing protocols and maintains the routing table
data plane: handles transit traffic
types of adjacency table
null adjacency: handles all packets that are forwarded toward the Null interface
drop adjacency: handles packets that encounter an encapsulation mismatch or a CRC error
discard adjacency: handles packets that are discarded by an ACL
glean adjacency: holds information about all directly connected networks; whenever a packet is destined to a directly connected network, it is handled by the glean adjacency
punt adjacency: handles packets that cannot be processed by CEF and are forwarded to the control plane for processing
CEF works in two modes:
cCEF: centralized CEF (a common FIB and adjacency table)
dCEF: distributed CEF (a copy of the FIB and adjacency table on every line card)
how to enable CEF
router(config)#ip cef
router#show ip cef
router#show ip cef adjacency glean
router#show ip cef summary
router#show ip cef detail
r(config)#no ip cef
r(config)#no ip route-cache
DHCP / inter-VLAN routing in MLS
sw1(config)#spanning-tree portfast default
sw1(config)#vlan 10,20,30,100
sw1(config)#interface fastethernet 0/1
sw1(config-if)#switchport access vlan 100
sw1(config)#interface fastethernet 0/2
sw1(config-if)#switchport access vlan 10
sw1(config)#interface fastethernet 0/3
sw1(config-if)#switchport access vlan 20
configure the DHCP server and pools on r1
r1(config)#ip dhcp pool vlan10
r1(dhcp-config)#network 192.168.10.0 /24
r1(dhcp-config)#default-router 192.168.10.1
r1(config)#ip dhcp pool vlan20
r1(dhcp-config)#network 192.168.20.0 /24
r1(dhcp-config)#default-router 192.168.20.1
r1#show ip dhcp pool
r1(config)#ip dhcp pool vlan30
r1(dhcp-config)#network 192.168.30.0 /24
r1(dhcp-config)#default-router 192.168.30.1
r1#show ip dhcp pool
r2(config)#interface fastethernet 0/0
r2(config-if)#ip address dhcp
r2(config-if)#no shutdown
r2#debug ip dhcp
note: the DHCP server will not offer an IP address to the client yet.
create SVIs on sw1 for vlan 10 and vlan 100 / configure the relay agent
sw1(config)#interface vlan 10
sw1(config-if)#ip address 192.168.10.1 255.255.255.0
sw1(config)#interface vlan 100
sw1(config-if)#ip address 100.1.1.2 255.255.255.0
sw1(config)#ip routing
sw1#ping 100.1.1.1 (it should ping)
sw1(config)#interface vlan 10
sw1(config-if)#ip helper-address 100.1.1.1
note: if DHCP is still not providing an IP address, configure routing so that r1 has a route back to the client subnets.
sw1(config)#router eigrp 10
sw1(config-router)#no auto-summary
sw1(config-router)#network 0.0.0.0
r1(config)#router eigrp 10
r1(config-router)#no auto-summary
r1(config-router)#network 0.0.0.0
create the SVI on sw1 for vlan 20 / configure the DHCP relay agent
r3(config)#interface fastethernet 0/0
r3(config-if)#ip address dhcp
r3#debug ip dhcp
note: DHCP will not provide an IP address yet.
sw1(config)#interface vlan 20
sw1(config-if)#ip address 192.168.20.1 255.255.255.0
sw1(config-if)#ip helper-address 100.1.1.1
note: now r3 will get an IP address from the DHCP server.
provide IP addresses in vlan 30 on switch 2
sw1(config)#interface fastethernet 0/21
sw1(config-if)#no switchport
sw1(config-if)#ip address 102.1.1.1 255.255.255.0
sw2(config)#ip routing
sw2(config)#interface fa 0/21
sw2(config-if)#no switchport
sw2(config-if)#ip address 102.1.1.2 255.255.255.0
sw2(config-if)#no shutdown
sw2(config)#router eigrp 10
sw2(config-router)#no auto-summary
sw2(config-router)#network 0.0.0.0
sw2(config)#vlan 30
sw2(config)#interface fa 0/2
sw2(config-if)#switchport access vlan 30
sw2(config)#interface vlan 30
sw2(config-if)#ip address 192.168.30.1 255.255.255.0
sw2(config-if)#ip helper-address 100.1.1.1
DHCP snooping
if a machine gets its IP address from a rogue DHCP server, that machine cannot reach the internet or the printer and cannot communicate with the other computers.
configure DHCP snooping
after enabling DHCP snooping on the switch all switchports become untrusted, so we have to make the port connected to the DHCP server a trusted port.
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 1
sw1#show ip dhcp snooping (no port will show as trusted)
sw1(config-if)#ip dhcp snooping trust (on the port facing the DHCP server)
note: DHCP will not provide an IP address yet, because the switch is now acting as a relay agent (inserting option 82) and there is no helper address on the switch.
there are two options to make DHCP work again:
1. add a helper address on switch 1
sw1(config)#int vlan 1
sw1(config-if)#ip address 192.168.1.10 255.255.255.0
sw1(config-if)#ip helper-address 192.168.1.1
2. disable option 82 insertion
sw1(config)#int vlan 1
sw1(config-if)#no ip address
sw1(config-if)#no ip helper-address
sw1(config)#no ip dhcp snooping information option
sw#show ip dhcp snooping
IP Source Guard
it is similar to port security: with IP Source Guard we bind an IP address (and MAC address) to a switch port. DHCP snooping is required for IP Source Guard.
sw1(config)#ip source binding 0000.0000.0001 vlan 1 10.0.0.1 interface fa 0/1
sw1(config)#interface fa 0/1
sw1(config-if)#ip verify source
DAI: Dynamic ARP Inspection
it is used to protect the switched network from MITM (man-in-the-middle) attacks. DHCP snooping is required for DAI.
what is a MITM attack?
an attacker's computer answers ARP requests on behalf of another computer; after that, when the victim sends data frames, the attacker can capture the traffic.
how DAI works
note: when we enable DHCP snooping, the switch builds the snooping binding database as the DHCP server hands out IP addresses.
step 1: pcB wants to communicate with pcD (src .2, dst .4), so pcB generates an ARP request.
step 2: when the switch receives this ARP request it checks the source IP and source MAC against the DHCP snooping database. if they match an entry in the database the ARP request is valid; otherwise it is dropped.
step 3: the ARP request is valid, so the switch floods it.
step 4: now computer C tries to send an ARP reply on behalf of computer D. the switch receives this ARP reply from the attacker, pcC.
the switch compares the details of this ARP reply with the snooping database; they do not match, so it drops the reply.
step 5: only the genuine user can send the ARP reply.
how to configure DAI on the switch
sw(config)#ip arp inspection vlan 1
r2(config-if)#ip address dhcp
r3(config-if)#ip address dhcp
sw#show ip dhcp snooping binding (to check the snooping database)
note: the DHCP server cannot communicate, because its IP is manually configured and so it is not present in the snooping database.
we can manually make its port trusted:
switch(config)#int fa 0/1
switch(config-if)#ip arp inspection trust
switch#show ip arp inspection
we can create an ARP ACL for static IP addresses / a manual database:
sw1(config)#arp access-list test
sw1(config-arp-nacl)#permit ip host 192.168.1.1 mac host 0000.0000.0001
sw1(config)#ip arp inspection filter test vlan 1
sw#show ip arp inspection vlan 1
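The DAI decision from steps 1-5 above, together with the trusted port and the ARP ACL for the statically addressed DHCP server, as an added example in Python (not Cisco code). The binding table, ARP ACL, trusted port name and the ARP packets are constructed sample data for the pcB/pcC/pcD scenario.

```python
"""Simulation of the Dynamic ARP Inspection (DAI) decision from the notes.

Added example, not Cisco code. Binding table, ARP ACL, trusted port and
ARP packets are all constructed sample data for the pcB / pcC / pcD scenario.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# DHCP snooping binding database: (vlan, ip) -> mac (constructed)
SNOOPING_DB: Dict[Tuple[int, str], str] = {
    (1, "10.0.0.2"): "0000.0000.0002",   # pcB
    (1, "10.0.0.3"): "0000.0000.0003",   # pcC (the attacker in the notes)
    (1, "10.0.0.4"): "0000.0000.0004",   # pcD
}

# ARP ACL for statically addressed hosts, here the DHCP server (constructed)
ARP_ACL: Dict[str, str] = {"10.0.0.1": "0000.0000.0001"}

# Ports configured with 'ip arp inspection trust' (constructed)
TRUSTED_PORTS = {"Fa0/1"}


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    opcode: str        # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


def inspect(pkt: ArpPacket) -> Tuple[bool, str]:
    """Return (forward, reason) for one ARP packet.

    Simplified DAI order: trusted ports bypass inspection; otherwise the
    sender IP/MAC pair must match the ARP ACL or the DHCP snooping database.
    Requests and replies are both checked on their sender fields.
    """
    if pkt.ingress_port in TRUSTED_PORTS:
        return True, "trusted port, not inspected"
    acl_mac = ARP_ACL.get(pkt.sender_ip)
    if acl_mac is not None and acl_mac == pkt.sender_mac:
        return True, "sender matches ARP ACL"
    db_mac = SNOOPING_DB.get((pkt.vlan, pkt.sender_ip))
    if db_mac == pkt.sender_mac:
        return True, "sender matches DHCP snooping binding"
    return False, "sender ip/mac has no valid binding, dropped"


def run_scenario() -> List[Tuple[str, bool]]:
    """Replay steps 1-5 of the notes and return (label, forwarded) per packet."""
    packets = [
        # steps 1-3: pcB asks who has 10.0.0.4, a valid request
        ("pcB request", ArpPacket("Fa0/2", 1, "request",
                                   "0000.0000.0002", "10.0.0.2", "10.0.0.4")),
        # step 4: pcC replies claiming to be 10.0.0.4 (spoofed sender IP)
        ("pcC spoofed reply", ArpPacket("Fa0/3", 1, "reply",
                                         "0000.0000.0003", "10.0.0.4", "10.0.0.2")),
        # step 5: the genuine reply from pcD
        ("pcD genuine reply", ArpPacket("Fa0/4", 1, "reply",
                                         "0000.0000.0004", "10.0.0.4", "10.0.0.2")),
        # the statically addressed DHCP server on the trusted port
        ("dhcp server reply", ArpPacket("Fa0/1", 1, "reply",
                                         "0000.0000.0001", "10.0.0.1", "10.0.0.2")),
        # the same server seen on an untrusted port: the ARP ACL still permits it
        ("dhcp server via acl", ArpPacket("Fa0/8", 1, "reply",
                                           "0000.0000.0001", "10.0.0.1", "10.0.0.2")),
    ]
    results: List[Tuple[str, bool]] = []
    for label, pkt in packets:
        forwarded, reason = inspect(pkt)
        print(f"{label:22s} -> {'forward' if forwarded else 'drop':7s} ({reason})")
        results.append((label, forwarded))
    return results


if __name__ == "__main__":
    run_scenario()
```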
VLAN hopping
step 1: the attacker wants to take down the FTP server with some virus or files, but the attacker's machine cannot communicate with it because it is in a different VLAN.
step 2: the attacker generates a frame tagged with vlan 20 from the computer itself with the help of some application. the data goes to the switch, which sees it arriving on port 0/1, a port in native vlan 1, so it sends the data on the trunk port without a tag.
step 3: when sw2 receives the data it checks the tagging, finds the vlan 20 tag and forwards the data to the FTP server because it is in vlan 20.
step 4: the FTP server does not reply, because the destination is in a different VLAN.
solution: change the native VLAN to prevent this kind of attack.
VLAN ACL
we can filter traffic between VLANs using a VLAN access map (VACL).
how to filter telnet through a VLAN ACL
r4(config)#username cisco password cisco
r4(config)#line vty 0 4
r4(config-line)#transport input telnet
r4(config-line)#login local
now all devices can reach telnet on r4
sw1(config)#access-list 101 permit tcp any any eq telnet
sw1(config)#vlan access-map test 10
sw1(config-access-map)#match ip address 101
sw1(config-access-map)#action drop
sw1(config)#vlan access-map test 20
sw1(config-access-map)#action forward
sw1(config)#vlan filter test vlan-list 20 (VLAN ID)
sw#show vlan access-map
how to filter ICMP
sw1(config)#access-list 102 permit icmp any any
sw1(config)#vlan access-map test 11
sw1(config-access-map)#match ip address 102
sw1(config-access-map)#action drop
Protected port
a protected port does not communicate with other protected ports on the same switch; the feature is local to the switch.
sw(config-if)#switchport protected
Private VLAN
private VLANs can be created only on a switch in VTP transparent mode.
there are two types of private VLAN:
primary VLAN: the main VLAN, e.g. vlan 100
secondary VLAN: created under the primary VLAN; there are two kinds:
community:
hosts can communicate within the same community (intra-community)
hosts cannot communicate between communities (inter-community)
isolated:
hosts cannot communicate with other isolated hosts (intra-isolated) or with other secondary VLANs (inter-isolated)
it is a stand-alone VLAN
we can create only one isolated VLAN (per primary VLAN)
switchport modes in a private VLAN
host: member of a secondary (private) VLAN
promiscuous: member of the primary VLAN
configuration of private vlan
sw1(config)#vtp mode transparent
sw1(config)#vlan 10
sw1(config-vlan)#private-vlan community
sw1(config)#vlan 20
sw1(config-vlan)#private-vlan community
sw1(config)#vlan 30
sw1(config-vlan)#private-vlan isolated
sw1(config)#vlan 100
sw1(config-vlan)#private-vlan primary
sw1(config-vlan)#private-vlan association 10,20,30
sw1#show vlan private-vlan
assign port to vlan
sw1(config)#int fa 0/2
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 10
sw1(config)# int fa 0/3
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 10
sw1(config)#int fa 0/4
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 20
sw1(config)#int fa 0/5
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 20
sw1(config)#int fa 0/6
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 30
sw1(config)#int fa 0/7
sw1(config-if)#switchport mode private-vlan host
sw1(config-if)#switchport private-vlan host-association 100 30
sw1(config)#int fa 0/1
sw1(config-if)#switchport mode private-vlan promiscuous
sw1(config-if)#switchport private-vlan mapping 100 10,20,30
sw1#show vlan private-vlan
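The reachability rules of the private VLAN configured above (primary 100, communities 10 and 20, isolated 30, Fa0/1 promiscuous), as an added Python example that is not Cisco code. The port table mirrors the CLI above; port names and the helper functions are constructed for illustration.

```python
"""Private VLAN reachability check (added example, not Cisco code).

PORTS mirrors the configuration on the page: primary vlan 100, community
vlans 10 and 20, isolated vlan 30, Fa0/1 promiscuous with mapping 10,20,30.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

SECONDARY_TYPE = {10: "community", 20: "community", 30: "isolated"}
ASSOCIATION = {100: frozenset({10, 20, 30})}   # primary -> associated secondaries


@dataclass(frozen=True)
class PvlanPort:
    mode: str                                   # "host" or "promiscuous"
    primary: int
    secondary: Optional[int] = None             # host-association of a host port
    mapping: FrozenSet[int] = frozenset()       # secondaries mapped on a promiscuous port


PORTS: Dict[str, PvlanPort] = {
    "Fa0/1": PvlanPort("promiscuous", 100, mapping=frozenset({10, 20, 30})),
    "Fa0/2": PvlanPort("host", 100, 10),
    "Fa0/3": PvlanPort("host", 100, 10),
    "Fa0/4": PvlanPort("host", 100, 20),
    "Fa0/5": PvlanPort("host", 100, 20),
    "Fa0/6": PvlanPort("host", 100, 30),
    "Fa0/7": PvlanPort("host", 100, 30),
}


def valid_port(name: str) -> bool:
    """A host port's secondary must be associated with its primary."""
    p = PORTS[name]
    if p.mode == "promiscuous":
        return p.mapping <= ASSOCIATION[p.primary]
    return p.secondary in ASSOCIATION[p.primary]


def can_talk(a: str, b: str) -> bool:
    """True if a frame from port a can reach port b under private-VLAN rules."""
    pa, pb = PORTS[a], PORTS[b]
    if pa.primary != pb.primary:
        return False                            # different primary VLANs never talk
    if pa.mode == "promiscuous" and pb.mode == "promiscuous":
        return True
    if pa.mode == "promiscuous":
        return pb.secondary in pa.mapping       # promiscuous -> mapped host
    if pb.mode == "promiscuous":
        return pa.secondary in pb.mapping       # host -> promiscuous (the gateway)
    # host <-> host: only inside the same community VLAN
    if pa.secondary != pb.secondary:
        return False
    return SECONDARY_TYPE[pa.secondary] == "community"


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    return {(a, b): can_talk(a, b) for a in PORTS for b in PORTS if a != b}


def isolated_hosts_blocked() -> bool:
    """Check the notes' claim that isolated hosts cannot reach each other."""
    iso = [n for n, p in PORTS.items() if p.secondary == 30]
    return all(not can_talk(a, b) for a in iso for b in iso if a != b)


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix().items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```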
Storm control
this feature protects LAN ports from broadcast, multicast and unicast flooding on physical interfaces.
storm control monitors the level of each traffic type for which it has been enabled.
shutdown: when a traffic storm occurs, storm control puts the port into the err-disabled state. to re-enable the port we can use the err-disable detection and recovery feature or the shutdown / no shutdown commands.
trap: when a traffic storm occurs, storm control generates an SNMP trap.
configure storm control for broadcast flooding
sw1(config-if)#storm-control broadcast level bps 100
sw1(config-if)#storm-control action shutdown
sw1(config-if)#storm-control action trap
sw1#show interfaces status err-disabled
R#ping 10.0.0.2
R#show ip arp
sw1 port 0/1 will shut down and ARP will not be resolved
configure storm control for multicast flooding and unicast flooding
sw1(config-if)#storm-control multicast level bps 100
sw1(config-if)#storm-control unicast level bps 100
sw1(config-if)#storm-control action shutdown
sw1(config-if)#storm-control action trap
note: we can also configure storm control on a layer 3 port after assigning an IP address.
SPAN
it stands for Switched Port Analyzer.
it is also called port mirroring.
SPAN is used to analyze the network traffic passing through a port.
it sends a copy of the traffic to another port on the switch.
SPAN monitors received or sent (or both) traffic on one or more source ports and copies it to a destination port for analysis.
only traffic that enters or leaves the source ports can be monitored.
source port characteristics
it can be any port type (EtherChannel, FastEthernet, GigabitEthernet).
it cannot be a destination port.
each source port can be configured with a direction (ingress, egress or both).
for an EtherChannel source, the monitored direction applies to all the physical ports in the group.
source ports can be in the same or in different VLANs.
we can configure a trunk port as a source port; all VLANs active on the trunk are monitored.
destination port characteristics
it can be any Ethernet physical port.
it cannot be a source port.
it cannot be an EtherChannel group or a VLAN.
it can be a physical port that is assigned to an EtherChannel group; the port is removed from the group while it is configured as a SPAN destination port.
the port does not transmit any traffic except that required for the SPAN session.
while it is a destination port it does not participate in any of the layer 2 protocols (STP, VTP, CDP, DTP, PAgP, LACP).
no address learning occurs on the destination port.
Local SPAN
when the source and destination ports are on a single switch it is called local SPAN.
configure local SPAN for a single source port
sw1(config)#monitor session 1 source interface fastethernet 0/1 both
sw1(config)#monitor session 1 destination interface fastethernet 0/5
sw1#show interface fastethernet 0/1
line protocol is down (monitoring)
sw1#show interfaces status
fastethernet0/5 monitoring
r#ping 12.1.1.2 repeat 50
sw1#show interface fastethernet 0/5
the packet output counter shows the traffic copied from the source port
sw1(config)#no monitor session 1 (or: no monitor session all)
configure local SPAN with multiple source ports
sw1(config)#monitor session 10 source interface fastethernet 0/1 - 4 both
sw1(config)#monitor session 10 destination interface fastethernet 0/5
sw#show monitor session 10
configure local SPAN with a source VLAN
sw1(config)#monitor session 10 source vlan 1-5 both
sw1(config)#monitor session 10 destination interface fastethernet 0/5
sw1#show monitor session 10
configure local SPAN with multiple destination ports
sw1(config)#monitor session 10 source vlan 1 both
sw1(config)#monitor session 10 destination interface fastethernet 0/5 - 6
sw#show monitor session 10
configure SPAN with a trunk port as the source
sw1(config)#monitor session 10 source interface fastethernet 0/21 both
sw1(config)#monitor session 10 destination interface fastethernet 0/5
sw1(config)#monitor session 10 filter vlan 5-6 (only VLANs 5-6 of the trunk are monitored)
RSPAN / remote SPAN
when the source and destination ports are on different switches we use RSPAN.
sw1(config)#vlan 100
sw1(config-vlan)#remote-span
sw2(config)#vlan 100
sw2(config-vlan)#remote-span
sw#show vlan remote-span
sw1(config)#monitor session 1 source interface fastethernet 0/1 both
sw1(config)#monitor session 1 destination remote vlan 100
sw2(config)#monitor session 1 source remote vlan 100
sw2(config)#monitor session 1 destination interface fastethernet 0/5
note: the RSPAN VLAN must not be pruned on the trunks between the switches.
Gateway high availability
Gateway redundancy
protocols used for providing high availability:
HSRP: Hot Standby Router Protocol
VRRP: Virtual Router Redundancy Protocol
GLBP: Gateway Load Balancing Protocol
each aggregates two or more physical gateways into a single virtual gateway.
HSRP: Hot Standby Router Protocol
it is a Cisco proprietary protocol.
hello interval is 3 sec
hold interval is 10 sec
it uses UDP port 1985
it sends its messages to multicast address 224.0.0.2
the default priority is 100
it has a built-in track command
the default priority decrement with the track command is 10
it supports authentication: 1. plain text, 2. MD5
it supports a maximum of 256 groups; the group range is 0-255
it uses the virtual MAC address 0000.0c07.acxx (xx = group ID)
by default preemption is disabled in HSRP for the active router election.
HSRP states
disabled
init
speak
listen
standby
active
note: in one group only one device can be in the active state and one device in the standby state; all others remain in the listen state.
active router election process
1. higher priority
2. higher IP address* (only in some specific cases)
standby router election process
1. higher priority
2. higher IP address
configuration of HSRP
r1(config)#router eigrp 100
r1(config-router)#no auto-summary
r1(config-router)#network 0.0.0.0
r1(config-router)#passive-interface fastethernet 0/0
r2(config)#router eigrp 100
r2(config-router)#no auto-summary
r2(config-router)#network 0.0.0.0
r2(config-router)#passive-interface fastethernet 0/0
r3(config)#router eigrp 100
r3(config-router)#no auto-summary
r3(config-router)#network 0.0.0.0
r3(config-router)#passive-interface fastethernet 0/0
core(config)#router eigrp 100
core(config-router)#no auto-summary
core(config-router)#network 0.0.0.0
configure HSRP
r1(config)#interface fastethernet 0/0
r1(config-if)#standby 1 ip 192.168.101.100
r2(config)#interface fastethernet 0/0
r2(config-if)#standby 1 ip 192.168.101.100
r3(config)#interface fastethernet 0/0
r3(config-if)#standby 1 ip 192.168.101.100
r#show standby
note: if we enable HSRP on all routers within 10 seconds, HSRP elects the active router on the basis of priority or highest IP address.
note: if we enable HSRP on r1 and wait 10 sec, r1 is elected as the active router.
note: preemption is enabled for the standby state. if r2 is in the standby state and we enable HSRP on r3, r3 becomes standby and r2 changes its state to listen, because preemption is enabled for the standby state.
how to change the priority
r1(config)#interface fastethernet 0/0
r1(config-if)#standby 1 priority 120
how to enable preemption for the active router election
r1(config-if)#standby 1 preempt
note: preemption does not work on the basis of the highest IP address; it works when a priority is defined on the router.
how to configure tracking of a line protocol
r1(config)#interface fastethernet 0/0
r1(config-if)#standby 1 track serial 0/0 21
note: preemption should be enabled for tracking to take effect.
configure tracking for a specific route
r1(config)#track 50 ip route 1.1.1.1 255.255.255.0 reachability
r1(config)#interface fastethernet 0/0
r1(config-if)#standby 1 track 50 decrement 21
note: HSRP provides gateway redundancy but not load balancing.
how to change timers in HSRP
r1(config-if)#standby 1 timers 1 5
r1(config-if)#standby 1 timers msec 100 msec 300
authentication in HSRP
r1(config-if)#standby 1 authentication md5 key-string cisco
r2(config-if)#standby 1 authentication md5 key-string cisco
r3(config-if)#standby 1 authentication md5 key-string cisco
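The HSRP election rules described above (priority, then higher IP; preemption off by default for the active role but always on for standby; tracking decrements the priority) and the virtual MAC derivation, as an added Python model that is not Cisco code. The router names, addresses, priorities and join order are constructed to match the r1/r2/r3 notes above.

```python
"""Model of HSRP active/standby election from the notes (added example,
not Cisco code). Routers, IPs, priorities and join order are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def virtual_mac(group: int) -> str:
    """HSRP virtual MAC 0000.0c07.acxx, xx = group number (0-255) in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: bool = False
    decrement: int = 0                  # applied while a tracked object is down

    def rank(self) -> Tuple[int, int]:
        # higher priority wins, then higher interface IP address
        return (self.priority - self.decrement, int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, group: int) -> None:
        self.group = group
        self.routers: Dict[str, Router] = {}
        self.enabled: List[str] = []
        self.active: Optional[str] = None
        self.standby: Optional[str] = None

    def add(self, r: Router) -> None:
        self.routers[r.name] = r

    def _best(self, names: List[str]) -> Optional[str]:
        return max(names, key=lambda n: self.routers[n].rank(), default=None)

    def _elect_standby(self) -> None:
        # the standby role always goes to the best remaining router (standby preempts)
        self._standby_from = [n for n in self.enabled if n != self.active]
        self.standby = self._best(self._standby_from)

    def _reevaluate(self) -> None:
        # a better router takes the active role only if it has preempt enabled
        challengers = [n for n in self.enabled
                       if n != self.active and self.routers[n].preempt]
        best = self._best(challengers)
        if best and self.routers[best].rank() > self.routers[self.active].rank():
            self.active = best
        self._elect_standby()

    def start_together(self, names: List[str]) -> None:
        """All routers enabled within the hold time: a normal election."""
        self.enabled = list(names)
        self.active = self._best(self.enabled)
        self._elect_standby()

    def join(self, name: str) -> None:
        """Router enabled after the others have already settled."""
        self.enabled.append(name)
        if self.active is None:
            self.active = name          # first router up keeps the active role
        self._reevaluate()

    def enable_preempt(self, name: str) -> None:
        self.routers[name].preempt = True
        self._reevaluate()

    def track_change(self, name: str, down: bool, decrement: int) -> None:
        """'standby 1 track ... <decrement>': lower priority while the object is down."""
        self.routers[name].decrement = decrement if down else 0
        self._reevaluate()

    def state(self, name: str) -> str:
        if name not in self.enabled:
            return "init"
        if name == self.active:
            return "active"
        if name == self.standby:
            return "standby"
        return "listen"


def demo() -> Dict[str, str]:
    """The notes' scenario: enable r1, wait, then enable r2 and r3."""
    g = HsrpGroup(1)
    for r in (Router("r1", "192.168.101.1"), Router("r2", "192.168.101.2"),
              Router("r3", "192.168.101.3")):
        g.add(r)
    for n in ("r1", "r2", "r3"):
        g.join(n)
    return {n: g.state(n) for n in ("r1", "r2", "r3")}


if __name__ == "__main__":
    print(virtual_mac(1), demo())
```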
how to provide Load-balancing in hsrp
how to configure hsrp in rack
VRRP: Virtual Router Redundancy Protocol
it is an open standard protocol.
hello (advertisement) interval is 1 sec and hold interval is 3 sec.
it uses multicast address 224.0.0.18.
it uses IP protocol number 112.
default priority is 100.
by default preemption is enabled.
no built-in track command, but we can use an external track object.
the default priority decrement with an external track is 10.
it supports authentication.
after the master election only the master sends hello messages; the others receive.
virtual MAC address 0000.5E00.01xx.
VRRP states
master
backup
master election criteria
higher priority
higher IP address
note: if the priority is tied, the higher IP address is used to elect the master.
configuration of VRRP
r1(config)#interface fa 0/0
r1(config-if)#vrrp 1 ip 192.168.101.100
r2(config-if)#vrrp 1 ip 192.168.101.100
r3(config-if)#vrrp 1 ip 192.168.101.100
r#show vrrp
r1(config-if)#vrrp 1 priority 120
r1#debug ip packet detail
note: we can make any router the master by changing its priority.
tracking for line protocol
r1(config)#track 60 interface serial 0/0 line-protocol
r1(config)#interface fa 0/0
r1(config-if)#vrrp 1 track 60 decrement 21
r#show vrrp
tracking for a specific route
r2(config)#track 50 ip route 1.1.1.1 255.255.255.255 reachability
r2(config)#int fa 0/0
r2(config-if)#vrrp 1 track 50
how to provide load balancing
configure three groups so that each router is master for one group (priority 101) and hosts are spread across the three virtual IPs:
group 1: ip 192.168.101.100, master r1 (priority 101)
group 2: ip 192.168.101.200, master r2 (priority 101)
group 3: ip 192.168.101.250, master r3 (priority 101)
how to set the preemption delay
r1(config-if)#vrrp 1 preempt delay minimum 30
how to change timers
r1(config-if)#vrrp 1 timers advertise msec 100
how to configure authentication
r1(config-if)#vrrp 1 authentication md5 key-string cisco123
r2(config-if)#vrrp 1 authentication md5 key-string cisco123
r3(config-if)#vrrp 1 authentication md5 key-string cisco123
GLBP: Gateway Load Balancing Protocol
hello interval 3 sec, hold interval 10 sec
it uses UDP port 3222
it uses multicast address 224.0.0.102
default priority is 100
default weight is 100
by default preemption is disabled
it supports load balancing
it uses the virtual MAC address 0007.B400.xxxx
components of GLBP
AVG
AVF
AVG: active virtual gateway
the AVG election is the same as in HSRP
it is responsible for answering all ARP requests coming from LAN users, based on the load-balancing algorithm
AVF: active virtual forwarder
it is responsible for forwarding data
note: all routers work as forwarders
note: in one group we can have a maximum of 4 forwarders
note: the default forwarder timeout is 14400 sec
note: when we enable GLBP on any router it becomes forwarder 1; when we enable GLBP on the second router it becomes forwarder 2, and the same happens for r3. when any forwarder goes down, an election is held between the remaining two routers.
tracking by weight with line-protocol
r1(config)#track 1 interface serial 0/0 line-protocol
r1(config-track)#
r1(config)#interface fa 0/1
r1(config-if)#glbp 1 weighting track 1 decrement 100
if the serial link is shut down, the weight drops to the lower threshold (1), so this router is no longer eligible to be active, and it takes 30 sec for another router to become active because the preemption delay is 30 sec.
tracking by weight with a specific route
r1(config)#track 10 ip route 1.1.1.1 255.255.255.0 reachability
r1(config)#interface fa 0/1
r1(config-if)#glbp 1 weighting track 10 decrement 100
load balancing algorithms
round robin 1:1:1 (default)
weighted (3:2:1)
host dependent
how to configure the weighted load balancing algorithm
r1(config-if)#glbp 1 load-balancing weighted
r2(config-if)#glbp 1 load-balancing weighted
r3(config-if)#glbp 1 load-balancing weighted
r1(config-if)#glbp 1 weighting 300
r2(config-if)#glbp 1 weighting 200
r3(config-if)#glbp 1 weighting 100
note: the algorithm can be changed on the active AVG router only.
how to change the load balancing algorithm to host-dependent
r1(config-if)#glbp 1 load-balancing host-dependent
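The AVG behaviour described above (answering ARP with one forwarder's virtual MAC under the round-robin, weighted and host-dependent algorithms, and a forwarder dropping out when tracking lowers its weight), as an added Python model that is not Cisco code. The proportional ordering used for the weighted algorithm is my assumption (a smooth weighted round robin); the page does not state IOS's exact sequence. Forwarder names, weights, the lower threshold and client MACs are constructed.

```python
"""GLBP AVG load balancing model (added example, not Cisco code).

Weighted ordering is a smooth weighted round robin, an assumption used to
get the 3:2:1 proportion from the notes; forwarders, weights and client
MAC addresses are constructed sample data.
"""
from typing import Dict, List, Optional


def avf_virtual_mac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC 0007.b400.xxyy: xx = group, yy = forwarder number.
    Groups above 255 exist in GLBP but are not covered by this illustration."""
    if not (0 <= group <= 255 and 1 <= forwarder <= 4):
        raise ValueError("group 0-255 and forwarder 1-4 supported here")
    return f"0007.b400.{group:02x}{forwarder:02x}"


class GlbpAvg:
    """Active Virtual Gateway answering ARP requests with an AVF's virtual MAC."""

    def __init__(self, group: int, weights: Dict[str, int],
                 algorithm: str = "round-robin", lower_threshold: int = 1) -> None:
        self.group = group
        self.weights = dict(weights)                       # forwarder -> weight
        self.numbers = {n: i + 1 for i, n in enumerate(weights)}  # AVF1..AVF4
        self.algorithm = algorithm
        self.lower = lower_threshold                       # below this: not eligible
        self._rr_index = 0
        self._current = {n: 0 for n in weights}            # smooth-wrr state

    def eligible(self) -> List[str]:
        return [n for n, w in self.weights.items() if w >= self.lower]

    def adjust_weight(self, name: str, delta: int) -> None:
        """'glbp weighting track ... decrement' (negative delta) or its recovery."""
        self.weights[name] = max(0, self.weights[name] + delta)

    def answer_arp(self, client_mac: str) -> str:
        """Virtual MAC the AVG places in its ARP reply to client_mac."""
        pool = self.eligible()
        if not pool:
            raise RuntimeError("no eligible forwarder")
        if self.algorithm == "round-robin":
            name = pool[self._rr_index % len(pool)]
            self._rr_index += 1
        elif self.algorithm == "weighted":
            for n in pool:
                self._current[n] += self.weights[n]
            name = max(pool, key=lambda n: self._current[n])
            self._current[name] -= sum(self.weights[n] for n in pool)
        elif self.algorithm == "host-dependent":
            # the same client always maps to the same forwarder (constructed hash)
            name = pool[int(client_mac.replace(".", ""), 16) % len(pool)]
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        return avf_virtual_mac(self.group, self.numbers[name])


def distribution(avg: GlbpAvg, requests: int,
                 client_macs: Optional[List[str]] = None) -> Dict[str, int]:
    """Count which virtual MAC each of `requests` ARP requests received."""
    counts: Dict[str, int] = {}
    for i in range(requests):
        mac = client_macs[i % len(client_macs)] if client_macs else f"0000.1111.{i:04x}"
        vmac = avg.answer_arp(mac)
        counts[vmac] = counts.get(vmac, 0) + 1
    return counts


if __name__ == "__main__":
    weighted = GlbpAvg(1, {"r1": 300, "r2": 200, "r3": 100}, "weighted")
    print(distribution(weighted, 60))
```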
how to change the hello and hold timers
r1(config-if)#glbp 1 timers msec 100 msec 1000
how to configure authentication
r1(config-if)#glbp 1 authentication md5 key-string cisco123 (on all routers)
IP Telephony
converged network
PoE: Power over Ethernet
how to configure PoE on a switchport
sw(config-if)#power inline auto
sw#show power inline
real-time data / traffic
voice and video traffic
uses UDP
no need for TCP
real time
voice packet size is about 100 bytes
to give priority to voice data we use QoS
voice VLAN
to separate voice traffic on an interface we configure a voice VLAN; with a voice VLAN a single switchport can belong to multiple VLANs (data and voice).
sw(config)#int fa 0/1
sw(config-if)#switchport mode access
sw(config-if)#switchport access vlan 10
sw(config-if)#switchport voice vlan 20
sw#show vlan brief
network design
access layer: 2900, 2950, 2960
in this layer the end users are connected to the network
these switches usually provide layer 2 (VLAN) connectivity
high port density (switchport security)
user access functions such as VLAN membership, traffic and protocol filtering, and quality of service
distribution layer: 3500, 3700, 3800
it provides interconnection between the access and core layers
aggregation of multiple access-layer devices
high layer 3 throughput for packet handling
security and policy-based connectivity functions through access lists or packet filtering
QoS
core layer: 4500, 6500
the core layer provides connectivity for all distribution-layer devices
it is the backbone of the network
very high throughput at layer 3
no access lists or packet filtering
redundancy for high availability
advanced QoS
in mls swithes there will be multiple sup card availabe and power supply for redundancy. one supcard will work
activly and second will be in standby mode. if first supcard goes down than second will become in active mode.
redundancy mode:
RPR: (2min)
RPR Plus: (30sec)
SSO: statefull switch over (1sec)
how to configure redundancy mode
router(config)#redundancy
router(config-red)#mode rpr/rpr-plus/sso
router#show redundancy states
NSF Nonstop forwording
it is a cisco prorietry protocol
we are using sso for redundancy. if active sup goes down than standby supcard will become active in
1sec but reliability is still on routing protocol. bcz when any sup will become active than routing
protocol will initiate and routing table will be gernerated again and it will take some time (10sec) bcz
eigrp and ospf convergence is slow as compaire sso.to avoid this problem we can enable NSF with sso
if any active sup goes down than standby will become active than NSF immediatly coverge the routing
table
NSF is required with sso
device should be NSF aware
how to confgure NSF for eigrp
router(config-router)#nsf
how to configure NSF for ospf
router(config-router)#nsf
how to confgure NSF for BGP
router(config-router)#bgp graceful-restart
AAA: Authentication, Authorization, Accounting
authentication: verifies the user ID and password only
authorization: which commands the user is allowed to run
accounting: the device creates records for monitoring
types of AAA servers
RADIUS server (Remote Authentication Dial-In User Service)
it is an open standard protocol
TACACS+ server
it is a Cisco proprietary protocol
note: we can configure a router as an AAA server, but it cannot perform accounting.
router(config)#aaa new-model
router(config)#aaa authentication login ccie line group radius group tacacs+ local
router(config)#radius-server host 100.1.1.100 key cisco@123
router(config)#tacacs-server host 100.1.1.200
router(config)#tacacs-server key cisco@12345
router(config)#username cisco password cisco1 (local database)
router(config)#line vty 0
router(config-line)#login authentication ccie
Port-based authentication
it uses the 802.1X standard, Extensible Authentication Protocol over LAN (EAPOL).
a switch port does not pass any traffic until a user has authenticated on the switchport.
if authentication is successful, the user can use the port normally.
the switch and the PC must both support the 802.1X standard.
the PC must have an 802.1X-capable application or client software.
switch(config)#aaa new-model
switch(config)#aaa authentication dot1x default group radius group tacacs+ local
switch(config)#radius-server host 100.1.1.1 key cisco123
switch(config)#tacacs-server host 100.1.1.2
switch(config)#tacacs-server key cisco12345
switch(config)#username cisco password cisco123
switch(config)#dot1x system-auth-control (to enable dot1x globally)
switch(config-if)#switchport mode access
switch(config-if)#dot1x port-control auto