Implementing Cisco Switched Networks Chapter 5 Review

This is my review and notes of Chapter 5 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 5: Implementing High Availability and Redundancy in a Campus Network

I think this chapter was probably quite good. Although I did find it pretty long, and there were various points I wish it would have just finished.

It followed a structure of theory behind High Availability trying to get the reader to think about why they’re implementing it, along with how they should implement it.

It then covered a bit on Cisco’s chassis or stack based HA options (failover methods of bad HW etc), and then moved into different monitoring methods (SNMP, IP SLA, Syslog etc).

Following that was a look at First Hop redundancy with HSRP, VRRP, and GLBP. Lastly was Cisco IOS Server Load Balancing (which I highly doubt is in the exam).

I find it hard to fault much in this chapter, there was just a lot there.

What’s probably going to be in the exam:
– Possibly a question on the 5 components of HA (Redundancy, Technology, People, Processes and Tools).
– Definitely on Network Monitoring (SNMP, Syslog, IP SLA).
– Very likely something on HSRP, VRRP, and GLBP.

What the chapter covers:
– The above summarises it quite well.

High Availability
High availability is technology that enables network wide resilience to increase IP network availability.

5 Components of High Availability

Redundancy
Attempts to eliminate single points of failure, where one failed device or design element brings down service.

Technology (HW/SW features)
Several Cisco routing continuity options such as Cisco Nonstop Forwarding (NSF) and Stateful Switchover (SSO) exist, and graceful restart capabilities improve availability. These technologies allow processor failover without a link flap, continued forwarding of packets, and maintenance of BGP adjacencies.

People
Redundant equipment and links and advanced technology are just the beginning of high availability. In PPDIOO, the people component is vitally important too. Staff work habits and skills can impact high availability.

Processes
Sound, repeatable processes can lead to high availability. Continual process improvement as part of PPDIOO plays a role in achieving high availability.

Tools
Use tools that provide performance thresholds and reporting to get a good understanding of how the network behaves in a good state. Also use tools for monitoring network uptime, with triggers that activate in the event of a service or device failure.

Cisco NSF (NonStop Forwarding) with SSO (Stateful SwitchOver)
All you probably need to know is that it’s a supervisor redundancy mechanism in IOS that allows a standby RP (Route Processor) to take over the device after a hardware or software fault on the Active RP. Works at layers 2-4.

Implementing Network Monitoring

This can be through:
– Syslog

If you’ve ever used a Cisco device, you should know what syslog is. Important things to note are that you can modify the event/reporting level, and where messages are reported to (local buffer, console, tty or remote syslog server).

Learn the Syslog severity levels for the exam
It’s the type of thing a question will probably be on. Level 0 = highest severity. Level 7 = Lowest.

Level 0 – Emergency
Level 1 – Alert
Level 2 – Critical
Level 3 – Error
Level 4 – Warning
Level 5 – Notice
Level 6 – Informational
Level 7 – Debug

Emerald Alley Cats Enjoy Whiskas Naturally Insightful Dinners

To time stamp log messages: conf t, then service timestamps {debug | log} {uptime | datetime [msec] [localtime] [show-timezone] [year]}

Configuring Syslog
To configure a syslog server: logging x.x.x.x
To configure which severity gets logged: logging trap ____
To configure local logs: logging buffered
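As an added example (not from the book or the page), the following Python parses the IOS message format (%FACILITY-SEVERITY-MNEMONIC) and applies a “logging trap” level to constructed sample lines, showing which severities reach the syslog server and which stay on the device; the mnemonics are common IOS ones, the line content is made up:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS severity levels: 0 is the most severe, 7 the least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# An IOS message reads "%FACILITY-SEVERITY-MNEMONIC: text"; the digit in the
# middle is the level that "logging trap <level>" compares against.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[IosMessage]:
    """Parse one line received from an IOS device; None if it carries no IOS message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return IosMessage(m["facility"], int(m["sev"]), m["mnemonic"], m["text"])


def forwarded_to_server(lines: List[str], trap_level: int) -> List[IosMessage]:
    """Messages a device configured with "logging trap <trap_level>" sends to the
    syslog server. The level is inclusive: trap 4 forwards severities 0 to 4."""
    msgs = (parse_message(line) for line in lines)
    return [m for m in msgs if m is not None and m.severity <= trap_level]


def dropped_by_trap_level(lines: List[str], trap_level: int) -> List[IosMessage]:
    """Messages that never leave the device at this trap level: check this before
    lowering the level, so config changes and failed logins are not silently lost."""
    msgs = (parse_message(line) for line in lines)
    return [m for m in msgs if m is not None and m.severity > trap_level]


# Constructed sample lines (not from the page), in the form produced by
# "service timestamps log datetime msec".
SAMPLE_LINES = [
    "*Mar  1 00:02:11.123: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:02:12.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:05:40.777: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:06:02.250: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22]",
    "*Mar  1 00:07:00.000: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active",
    "*Mar  1 00:07:30.500: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed (constructed)",
    "*Mar  1 00:08:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): testing",
    "keepalive from the collector, not an IOS message",
]

if __name__ == "__main__":
    for level in (3, 5):
        sent = forwarded_to_server(SAMPLE_LINES, level)
        print(f"logging trap {level} ({SEVERITY_NAMES[level]}): {len(sent)} messages sent")
        for m in dropped_by_trap_level(SAMPLE_LINES, level):
            print(f"  held on device: %{m.facility}-{m.severity}-{m.mnemonic}")
```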


– SNMP

– The only disadvantage the book gives is that there is a delay between the time an event occurs and the time it is noticed by the NMS. There is a trade-off between polling frequency and bandwidth usage.
– SNMP uses UDP.

SNMP Versions

– Version 1 and 2 both lack security
– Version 3 has security

SNMP Message types

1. Get Request – Retrieves value of specific MIB variable
2. Get Next Request – Retrieves the next instance of a MIB variable
3. Set Request – Modifies the value of a MIB variable.
4. Get Response – Contains values of requested variable.
5. Trap – Transmits an unsolicited alarm condition

New SNMP Message types in version 2
– Get Bulk Request – Reduces repetitive requests/replies and improves performance when retrieving large amounts of data (e.g. tables)
– Inform Request – Alerts the SNMP manager of specific conditions (differs from SNMP traps in that traps are sent over UDP unacknowledged, whereas an Inform request actually gets an ACK from the NMS)

SNMPv3 adds
NoAuthNoPriv – no authentication required
authNoPriv – Authentication with either HMAC-MD5 or HMAC-SHA
authPriv – Authentication plus CBC-DES encryption

Configuring SNMP

1. Configure SNMP access lists (So only authorised hosts have access)
2. Configure SNMP community strings
3. Configure SNMP trap receiver
4. Configure SNMPv3 user

S1(config)#access-list 100 permit ip host x.x.x.x any
S1(config)#snmp-server community RO-PASSWORD RO 100
S1(config)#snmp-server community RW-PASSWORD RW 100
S1(config)#snmp-server host x.x.x.x traps RO-PASSWORD
S1(config)#snmp-server enable traps

IP Service Level Agreement

An SLA is a contract between the network provider and its customers, or between a network department and internal corporate customers. It provides a form of guarantee to customers about the level of user experience.

Typically, the technical components of an SLA contain a guarantee level for network availability, network performance in terms of round-trip time, and network response in terms of latency, jitter, and packet loss.

Common types of monitoring used by IP SLAs
– Edge to edge network availability monitoring
– Network performance monitoring and network performance visibility
– VoIP, video, and VPN monitoring
– IP service network health readiness or assessment
– MPLS network monitoring
– Troubleshooting of network operation

IP SLA Operations

– Network admin configures a target device, protocol, and UDP or TCP port numbers on the IP SLA source for each operation
– Operation can be secured with MD5 authentication
– Target could be DNS or HTTP, with the device being any suitable computer.

While the target can be “anything” as such, measurement accuracy is improved with an IP SLA Responder. An IP SLA responder is a device that runs IOS and is configured as an IP SLA measurement responder with the command “ip sla monitor responder”.

Operation with Responder

1. At the start of the control phase, the IP SLA source sends a control message with the configured IP SLA operation information to IP SLA control port UDP 1967 on the target router. The control message carries information such as protocol, port number, duration, and if configured, MD5 authentication.
2. If the responder processes the control message, it sends an OK message to the source router and listens on the port specified in the control message for a specified duration.
3. If the return code of the control message is OK, the IP SLA operation moves to the probing phase, where it sends one or more test packets to the responder for response time computations. Use “show ip sla statistics” to view.
4. The responder accepts the test packets and responds. Based on the type of operation, the responder might add an “in” timestamp and an “out” timestamp in the response payload to account for CPU time spent in measuring 1-way packet loss, latency, and jitter. These timestamps help the IP SLA source to make accurate assessments on one-way delay, and the processing time in the target routers.

So basically, it’s two stages: initially setting up with the control phase (asks the target to open a port, the target responds) and then the probing phase (sends test IP SLA packets, the responder accepts and responds).

IP SLA Timestamps
The IP SLA source uses four timestamps for the round-trip time (RTT) calculation. The source sends a test packet at time T1; the responder records the receipt time (T2) and the transmit time (T3) in its reply, and the source records the reply arriving at T4. Because of other high-priority processes, routers can take tens of milliseconds to process incoming packets, and that delay would inflate the response time because the reply to a test packet might be sitting in a queue waiting to be processed.

The delta between T3 and T2 is the responder’s processing time, and it is subtracted from the overall RTT: RTT = (T4 - T1) - (T3 - T2).

Configuring IP SLA

1. Configure IP SLA probe.
2. Activate probe.
3. Configure tracking object.
4. Configure action on tracking object.

S1(config)#ip sla monitor 11
S1(config-sla-monitor)#type echo protocol ipIcmpEcho x.x.x.x source-interface fa0/1
S1(config-sla-monitor-echo)#frequency 10
S1(config)#ip sla monitor schedule 11 life forever start-time now
S1(config)#track 1 ip sla 11 reachability

S2(config)#ip sla responder

Verify: show ip sla statistics, show ip sla configuration

Implementing Redundant Supervisor Engines in Catalyst Switches
The next 8 or so pages are on this. I’m pretty confident the exam won’t have anything on this, so hardly any notes.

– Found in Catalyst 4500 and 6500.

– RPR (Route Processor Redundancy) and RPR+

No longer preferred option. NSF with SSO = best.

– SSO (Stateful Switch Over)
– NSF (Non-stop Forwarding) with SSO.

NSF Offers:
– Improved network availability: NSF continues forwarding network traffic and application state information so that user traffic is not interrupted after a Supervisor switchover.
– Overall network stability: Improved by maintaining routing protocol neighbor relationships during Supervisor failover.

Understanding First Hop Redundancy Protocols

Refers to Default Gateway redundancy.


Proxy ARP
Before a default gateway was supported on most IP clients, networks relied on the proxy ARP feature to reach IP devices outside the IP client’s subnet.

From wikipedia: Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic’s destination, and offers its own MAC address in reply, effectively saying, “send it to me, and I’ll get it to where it needs to go.” Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy.

Static Default Gateway
Now that a default gateway is configured on most devices, the Proxy ARP feature is not used anymore. Nevertheless, each client receives only one default gateway; there is no means by which to configure a secondary gateway, even if a second route exists to carry packets off the local segment.

Hot Standby Router Protocol (HSRP)
– Cisco Proprietary

With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN.

The IP address of the virtual router will be configured as the default gateway for the workstations on a specific IP segment. When frames are to be sent from the host to the default GW, the host uses ARP to resolve the MAC address associated with the IP address of the default gateway. The ARP resolution returns the MAC address of the virtual router.

HSRP active and standby routers send hello messages to a multicast address over UDP.

All HSRP routers need to be L2 adjacent so that hello packets can be exchanged.

HSRP Roles:
Virtual Router – IP and MAC address pair that end devices have configured as their default GW.

Active Router – Within an HSRP group, one router is elected to be the active router. The active router physically forwards packets sent to the MAC address of the virtual router. There is one active router in an HSRP group.

Standby Router – Listens for periodic hello messages. If it fails to receive a hello, the standby router then assumes the role of the active router. There is one standby router in an HSRP group.

Other Routers – There can be more than two routers in an HSRP group, but only one active and one standby router. All routers in the group contend for the active and standby roles.

HSRP States

Initial – Beginning state. Indicates that HSRP does not run. This state is entered via a config change, or when the associated interface first comes up.
Listen – The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.
Speak – Router sends periodic hello messages and actively participates in the election of the active or standby router.
Standby – The router is a candidate to become the next active router and sends periodic hello messages.
Active – The router is currently forwarding packets that are sent to the group virtual MAC address. Router sends periodic hello messages.

When two routers participate in an election process, a priority can be configured to determine which router should be active. Without specific priority configuration, each router has a default priority of 100, and the router with the highest IP address is elected as the active router.

When STP is configured in the network, ensure that the active HSRP router is also the STP Root bridge, otherwise sub-optimal routing may occur.

Configuring HSRP
S1(config-if)#standby X ip x.x.x.x ← Group is optional. If none specified, 0 is used.

HSRP Priority and Preempt
S1(config-if)#standby x priority x ← Priority can be 0-255. Default = 100. Highest = best.

If the routers do not have preempt configured, a router that boots up significantly faster than the others in the standby group becomes the active router, regardless of the configured priority. The former active router can be configured to resume the forwarding router role by preempting a router with a lower priority.

S1(config-if)#standby x preempt [delay minimum seconds]

HSRP Authentication
S1(config-if)#standby x authentication xxxxxxxx

HSRP Timers
By default, HSRP hellotime is 3 seconds, and hold time is 10 seconds, which means that failover time could be as much as 10 seconds for clients to start communicating with the new default GW.

The hold time value should be at least 3 times the value of the hello time. To tune the timers:

S1(config-if)#standby x timers [msec] hellotime holdtime

As mentioned earlier, preempt is an important feature of HSRP that enables the primary router to resume the active role when it comes back online after a failure or maintenance event.

If modifying the preempt delay, the recommendation is a value 50% greater than the device boot time.

S1(config-if)#standby 10 preempt delay minimum x

HSRP Versions

2 versions exist. Not backwards compatible.

HSRP Interface Tracking
Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the router interfaces. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.

In other words, if the active HSRP router loses its own uplink, tracking decrements the active router’s priority so that the standby HSRP router now has the higher priority and (with preempt) takes over the active role.

To configure:

1. Configure the standby group.
2. Configure priority (default 100).
3. Configure preempt on all devices within the HSRP group.
4. Configure the tracked interfaces and decrement (default decrement 10).

S1(config-if)#standby X track interface [decrement]
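As an added illustration (my own Python model, not anything from the book), the following walks through the preempt and tracking behaviour described above: a constructed two-router group where the intended active router R1 (priority 110, tracking its uplink with decrement 20) boots after the backup R2, with and without preempt on R1. Names, addresses and priorities are assumed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                     # real interface address, used as the tie-breaker
    priority: int = 100         # standby X priority (0-255, default 100)
    preempt: bool = False       # standby X preempt
    tracked: Dict[str, int] = field(default_factory=dict)  # interface -> decrement (default 10)
    down: Set[str] = field(default_factory=set)            # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        lost = sum(dec for intf, dec in self.tracked.items() if intf in self.down)
        return max(0, self.priority - lost)

    def rank(self) -> Tuple[int, IPv4Address]:
        # Election order: highest effective priority wins, highest IP address breaks a tie.
        return (self.effective_priority(), IPv4Address(self.ip))


class HsrpGroup:
    """Simplified election model for one HSRP group on a shared segment."""

    def __init__(self) -> None:
        self.members: List[HsrpRouter] = []     # routers that are up and in the group
        self.active: Optional[HsrpRouter] = None

    def _reelect(self) -> None:
        if not self.members:
            self.active = None
            return
        best = max(self.members, key=HsrpRouter.rank)
        if self.active is None or self.active not in self.members:
            # No active router, or it just failed: the best candidate takes over.
            self.active = best
        elif best is not self.active and best.preempt and best.rank() > self.active.rank():
            # A running active router is only displaced by a better one that has preempt.
            self.active = best
        # Otherwise the current active router keeps the role, even with a lower priority.

    def boot(self, r: HsrpRouter) -> None:
        self.members.append(r)
        self._reelect()

    def fail(self, r: HsrpRouter) -> None:
        self.members.remove(r)
        self._reelect()

    def interface(self, r: HsrpRouter, intf: str, is_up: bool) -> None:
        if is_up:
            r.down.discard(intf)
        else:
            r.down.add(intf)
        self._reelect()

    def active_name(self) -> Optional[str]:
        return self.active.name if self.active else None


def scenario(r1_preempt: bool) -> List[str]:
    """Constructed scenario: R1 is meant to be active (priority 110, tracks its uplink
    with decrement 20), R2 is the backup (priority 100, preempt), but R2 boots first.
    Returns the active router's name after each event."""
    r1 = HsrpRouter("R1", "10.1.1.2", priority=110, preempt=r1_preempt, tracked={"Gi0/1": 20})
    r2 = HsrpRouter("R2", "10.1.1.3", priority=100, preempt=True)
    g = HsrpGroup()
    log: List[str] = []
    g.boot(r2); log.append(g.active_name())                        # R2 is up first, so it is active
    g.boot(r1); log.append(g.active_name())                        # R1 takes over only if it preempts
    g.interface(r1, "Gi0/1", False); log.append(g.active_name())   # R1 drops to 90: R2 preempts
    g.interface(r1, "Gi0/1", True); log.append(g.active_name())    # back to 110: R1 preempts (if set)
    g.fail(r2); log.append(g.active_name())                        # R2 fails: R1 is all that is left
    return log


if __name__ == "__main__":
    print("with preempt on R1:   ", scenario(True))
    print("without preempt on R1:", scenario(False))
```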

HSRP Object Tracking

HSRP also offers tracking by an object, such as:
– An interface – Like above
– IP route
– A list of different objects

Multiple HSRP Groups
Multigroup HSRP enables routers to simultaneously provide redundant backup and perform load sharing across different IP subnets. In other words, if at the access layer you have two VLANs, configure each distribution layer switch to be in different HSRP groups, so each of your distribution switches is the HSRP active device for a different VLAN.

HSRP Monitoring

– show standby brief
– show standby
– show standby neighbor vlanX

Virtual Router Redundancy Protocol (VRRP)
IETF standards-based equivalent of HSRP

Comparison with HSRP
– An HSRP group has one active router, one standby router, and potentially many listeners
– A VRRP group has one master router, and one or more backup routers.
– HSRP has max 16 groups. VRRP is 255.
– In HSRP, the Virtual IP is different from the active and standby routers’ real IP addresses. In VRRP, the Virtual IP can be the same as one of the group members’ real IP addresses.
– HSRP uses for hello packets. VRRP uses
– VRRP timers are a lot shorter by default.
– HSRP can track interfaces or objects. VRRP can only track objects.

VRRP features

– VRRP provides redundancy for the real IP address of a router or for a virtual IP address shared among the VRRP group members.
– If a real IP address is used, the router with that address becomes the master. If a virtual IP address is used, the master is the router with the highest priority.
– A VRRP group has one master router and one or more backup routers. The master router uses VRRP messages to inform group members that it is the master.

– If the Virtual IP is set to that of a physical interface, the router with that config is set to the VRRP Master with a priority of 255. Default backup priority is 100.

– The priority value 0 cannot be configured, and indicates that the current master has stopped participating in VRRP. This setting is used to trigger backup routers to quickly transition to master without having to wait for the current master to time out.

– With VRRP, only the master sends out hellos.

VRRP Transition Process
– 3 timers: Advertisement interval (1 second), Master Down interval (3 × Advertisement = 3 seconds), and skew time ((256 – priority) / 256, which ensures that the backup router with the highest priority wins).

In the case of an orderly shutdown of the VRRP Master, it sends an advertisement with a priority of 0. This priority setting then triggers the backup router to take over quicker by waiting only the skew time instead of the master down interval.
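To put numbers on the transition process above, here is an added Python example (my own, not the book’s) that computes skew time and the master down interval from the formulas given, then simulates which of a set of constructed backups takes over and when, both for a silent master failure and for an orderly shutdown with a priority-0 advertisement. Backup names and priorities are assumed; the equal-priority tie-break by name is a simplification.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VrrpBackup:
    name: str
    priority: int       # vrrp X priority: 1-254 for a backup, 255 = owner of the real address


def skew_time(priority: int) -> float:
    """Skew time in seconds, (256 - priority) / 256: a higher priority gives a shorter skew."""
    if not 0 <= priority <= 255:
        raise ValueError("VRRP priority must be 0-255")
    return (256 - priority) / 256


def master_down_interval(priority: int, advertise: float = 1.0) -> float:
    """Seconds a backup waits without advertisements before declaring the master down:
    three advertisement intervals (1 s each by default) plus its own skew time."""
    return 3 * advertise + skew_time(priority)


def simulate_failover(
    backups: List[VrrpBackup],
    last_advert: float,
    advertise: float = 1.0,
    orderly_shutdown_at: Optional[float] = None,
) -> Tuple[str, float]:
    """Return (new master, takeover time on the same clock as last_advert).

    Silent failure: each backup's master-down timer runs from the last advertisement it saw.
    Orderly shutdown: the master sends a priority-0 advertisement at orderly_shutdown_at,
    so every backup waits only its own skew time from that moment.
    Equal priorities are broken by name here; real VRRP uses the higher primary IP."""
    expiries = []
    for b in backups:
        if orderly_shutdown_at is None:
            expiry = last_advert + master_down_interval(b.priority, advertise)
        else:
            expiry = orderly_shutdown_at + skew_time(b.priority)
        expiries.append((expiry, -b.priority, b.name))
    # The first timer to expire wins; its own advertisements then reset the others' timers.
    expiry, _, name = min(expiries)
    return name, expiry


def outage_seconds(backups: List[VrrpBackup], failure_at: float, last_advert: float,
                   orderly: bool = False) -> float:
    """How long the virtual gateway is unreachable between the failure and the takeover."""
    shutdown = failure_at if orderly else None
    _, takeover = simulate_failover(backups, last_advert, orderly_shutdown_at=shutdown)
    return takeover - failure_at


# Constructed group: three backups with different priorities (not from the page).
BACKUPS = [VrrpBackup("B1", 200), VrrpBackup("B2", 150), VrrpBackup("B3", 100)]

if __name__ == "__main__":
    for b in BACKUPS:
        print(f"{b.name}: skew {skew_time(b.priority):.4f}s, "
              f"master down {master_down_interval(b.priority):.4f}s")
    print("silent failure at t=10.4:", simulate_failover(BACKUPS, last_advert=10.0))
    print("orderly shutdown at t=10.5:", simulate_failover(BACKUPS, 10.0, orderly_shutdown_at=10.5))
```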

VRRP Configuration

S1(config-if)#vrrp X ip virtual-gw-ip
S1(config-if)#vrrp X priority x
S1(config-if)#vrrp X timers advertise x
S1(config-if)#vrrp X timers learn ← Learns the timers from the VRRP Master

show vrrp interface vlan X

The main difference between VRRP and HSRP is that the backup router does not send advertisements. Therefore, the VRRP Master is not aware of the current backup router.

Gateway Load Balancing Protocol

Cisco Proprietary solution created to enable automatic selection and simultaneous use of multiple available gateways in addition to automatic failover between those gateways.

HSRP is typically used in Cisco networks as usually there are only two gateways for any subnet. GLBP can be used if more than two gateways exist for a subnet, to load share across the gateways.

GLBP Functions

– GLBP active virtual gateway (AVG) – Members of a GLBP group elect one gateway to be the AVG for that group.

– GLBP active virtual forwarder (AVF) – Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address assigned to that gateway by the AVG. These gateways are known as AVFs for their virtual MAC address.

– GLBP communication: GLBP members send hello messages to each other via multicast every 3 seconds.

GLBP Features

– Load sharing
Multiple routers can share traffic from LAN clients

– Multiple virtual routers
Supports up to 1024 virtual routers (groups) on each physical interface and up to four virtual forwarders per group.

– Preemption
Enables you to preempt an AVG with a higher priority backup virtual gateway that has become available.

– Efficient resource utilization
Makes it possible for any router in a group to serve as a backup, which eliminates the need for a dedicated backup router.

GLBP Operations

– The members of the GLBP group elect one gateway to be the AVG for that group. Other members of the group provide backup for the AVG if it becomes unavailable.
– The AVG assigns a virtual MAC address to each member of the GLBP group. Each router becomes the AVF for frames addressed to its virtual MAC address.
– As clients send ARP requests for the address of the default gateway, the AVG sends these virtual MAC addresses in the ARP replies.
– A GLBP group can have up to 4 group members.

Load Balancing Methods

– Weighted load-balancing algorithm
– Host-dependent load-balancing algorithm
– Round-robin load-balancing algorithm (default)

GLBP, like HSRP, is also capable of being configured using interface tracking.

GLBP Weighting Mechanism

– Differs from HSRP/VRRP.
– With GLBP, two thresholds are defined.
– 1 lower threshold that applies when the router loses weight.
– 1 upper threshold when the router regains weight.
– This double threshold mechanism enables more flexibility than the single threshold system.

Do a google if you want to know more on this. I’m taking a bet it won’t be in the exam.

GLBP Configuration

S1(config-if)#glbp X ip x.x.x.x
S1(config-if)#glbp X priority x ← highest wins. Default 100.
S1(config-if)#glbp X timers x x

Cisco IOS Server Load Balancing

– Layer 4 to 7 switching feature
– Again, I doubt this is in the exam so haven’t made any notes on it.

Implementing Cisco Switched Networks Chapter 4 Review

This is my review and notes of Chapter 4 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 4 – Implementing Inter-VLAN Routing

Sorry if this chapter is a bit short on notes. I don’t find inter-vlan routing a hard topic to grasp, so don’t need many notes.

Probably said above a bit too soon. Found this chapter pretty boring when it got to how the CAM and TCAM work. I think it was just too detailed. Some may like it, and it will probably help them with their understanding, but for me it wasn’t presented in a way that I found easy to keep concentrated. Thing is, I think this is a pretty important concept to grasp. If you understand how a switch does its thing at each layer, it definitely helps with your troubleshooting of a device.

Whohoo! Chapter got a bit better at the end from page 230. Chapter finally had some examples and how to apply troubleshooting switching issues around CEF. I’m still not convinced this chapter did a fantastic explanation of CEF, but then again I’m a visual learner and would have probably benefited from a more graphical explanation.

In terms of the CCNP exam, probably need to know:
– Inter-VLAN routing using SVI.
– How to configure Routed Ports.
– Understand how a DHCP server works, and how to use DHCP Relay.
– Basic understanding of Cisco CEF and how to troubleshoot it.

What the chapter covers:
– All of the above plus:
– Router on a stick
– Layer 3 EtherChannels
– Each different type of switching method (fast switching, process switching, CEF)

A switch is typically a layer 2 device. At layer 2, the switch is probably capable of creating VLANs and configuring each port to be in a different VLAN. Each created VLAN will typically have layer 3 devices configured in it such as hosts, and each vlan should only have 1 subnet in use within it.

This is all fine until you have devices that need communication between say two VLANs. This is what we call Inter-VLAN routing, and there are two methods capable of achieving this.

1. ROAST (Router on a Stick)
2. SVI (Switched Virtual Interface)

Router on a stick is where you configure a trunk port on your layer 2 switch with the VLANs you want routing to be achieved between. Connected to that port is a router capable of trunking, in which you configure sub-interfaces on the router port, with an IP address in each VLAN. Hosts on the switch then configure their default gateway to be the associated IP address to that VLAN on the router.

ROAST is the old way of doing it and I won’t go any further into it.

An SVI is simply a VLAN on a switch that has an IP address configured on it. Your switch needs to be layer 3 for routing to function on it.

An SVI is created when a user types ‘int vlan X’ in global config mode.

Different types of Layer 3 interfaces on a MLS (MultiLayer Switch)

– Routed Port: This is a purely layer 3 interface similar to a router port on an actual router.
– SVI: As above
– Bridge Virtual interface (BVI): An L3 virtual bridging interface

Routed Port
– A routed port is a physical port that acts similarly to a port on a traditional router with a Layer 3 address configured.
– Unlike an access port, a routed port is not associated with a particular VLAN.
– Has all layer 2 switching functionality removed (Except EtherChannel which can function at L3).
– Used for Point to Point Links.
– To configure, under the interface issue the command “no switchport”.

When configuring SVIs:
Make sure to “no shut” the interface. Enable IP routing if you want the VLANs’ subnets to be routed to other routers; otherwise it is not essential.

SVI Autostate
– Basically refers to the need to have at least one port up in a VLAN before the Layer 3 SVI is also up. In other words, if all ports in a VLAN are shut down or unplugged, the SVI will also go down.
– You can ensure the SVI stays up by manually configuring “switchport autostate exclude” on the port. If the port goes down, the SVI will still stay up. The concern with this is things like blackhole routing, so it should not be enabled without some valid consideration.

Configuring a Layer 3 EtherChannel
So this is something that was actually new to me. To configure a Layer 3 EtherChannel, you make it like a routed port by removing the switchport functionality.
To configure:
S1(config)#interface port-channel 1
S1(config-if)#no switchport
S1(config-if)#ip address x.x.x.x x.x.x.x
S1(config)#interface range xx-xx
S1(config-if-range)#no switchport
S1(config-if-range)#channel-group 1 mode __

Implementing DHCP in a Multilayer Switched Environment
– Know how DHCP works (DORA: Discover, Offer, Request, Acknowledge)

S1(config)#ip dhcp excluded-address x.x.x.x x.x.x.x
S1(config)#ip dhcp pool XYZ
S1(dhcp-config)#network x.x.x.x x.x.x.x
S1(dhcp-config)#default-router x.x.x.x
S1(dhcp-config)#option 150 ip x.x.x.x
S1(dhcp-config)#lease 0 8 0
S1(config)#interface vlan 10
S1(config-if)#ip address x.x.x.x x.x.x.x

Important point is Cisco switches can only offer a DHCP range that it actually has an IP address in.

Configure DHCP Relay

Host ---------- Switch ---------- DHCP Server

DHCP Relay is a feature needed when your DHCP server does not reside in the same subnet as your hosts. In the example above, the host currently does not have an IP address, but resides in the VLAN that has the subnet. When the host boots up, it will broadcast a DHCP Discover frame. With DHCP Relay configured on the switch, the switch will see this broadcast frame, and unicast forward the request on to the DHCP server. The DHCP server will reply with an Offer frame and both will complete the rest of DORA.
To configure, on the VLAN interface, configure the command “ip helper-address <address of DHCP server>”.
Verify DHCP operation: ‘show ip dhcp binding’, and ‘debug ip dhcp server packet’.

CEF-Based Multilayer Switching
I might be a bit brief on this area, but it’s an important concept to understand. This area looks at the process a switch goes through in terms of the layers between the hardware and the high level application protocols running on the switch.

Explaining Layer 3 Switch Processing
A layer 3 switch performs 3 main functions:
– Packet switching
– Route processing
– Intelligent network services

CAM and TCAM Tables
Multilayer switches build routing, bridging, QoS, and ACL tables for centralized or distributed switching in hardware using high-speed memory tables. Switches perform lookups in these tables for result information, such as to determine whether a packet with a specific destination IP address is supposed to be dropped according to an ACL. These tables support high-performance lookups and search algorithms such that multilayer switches maintain line-rate performance.

CAM Table (Content Addressable Memory)

– The primary table used to make Layer 2 forwarding decisions.
– Table Lookups are performed with efficient search algorithms.
– CAM tables provide only two results: 0 (true), or 1 (false).
– The table is built by recording the source MAC address and inbound port of all incoming frames.
– When a frame arrives at the switch with a destination MAC address of an entry in the CAM table, the frame is forwarded out through only the port that is associated with that specific MAC address.

A key is created to compare the frame to the table content:
– E.g. DST MAC and Vlan ID of a frame would constitute the key for layer 2 table lookup.
– The key is input into a hashing algorithm, which produces, as the output, a pointer into the table.
– The system uses the pointer to access a specific entry in the table, thus eliminating the need to search the entire table.

TCAM (Ternary Content Addressable Memory)
– Stores ACLs, QoS, and other information generally associated with Layer 3 and upper-layer processing.
– TCAM provides 3 results: 0 (true), 1 (false), and “don’t care”.
– Portion of memory designed for rapid, hardware-based table lookups of Layer 3 and 4 info.
– A single lookup provides all Layer 2 and Layer 3 forwarding info for frames, including CAM and ACL info.
– Memory structure is broken into a series of patterns and associated masks.

TCAM Method of matching entries in tables

Exact-match region
Where the whole match needs to be exact e.g. IP next-hop info (MAC Address)

Longest-match region
Book explanation was terrible. Basically this is the entry in hardware with the longest prefix that matches the lookup. Did that make sense? So with IP prefix or IP Multicast prefix, you might be looking up where to find host You have two routes in hardware. One for and one for The longest match in this case is the latter.

First-match region
Lookup stops after the first entry that matches, e.g. ACL entries

Cisco Switching Methods

Process Switching
– Router strips off the Layer 2 header for each incoming frame, looks up the Layer 3 destination network address in the routing table for each packet, and then sends the frame with the rewritten Layer 2 header, including CRC, to the outgoing interface.
– Done by software (CPU), not hardware (ASIC).
– Most CPU intensive method.
Fast Switching
– Does the same as process switching for the first packet, then installs that info into the fast switching cache.
– Frame is rewritten with the corresponding link address and is sent over the outgoing interface.

CEF (Cisco Express Forwarding)
– Default switching method
– Less CPU intensive than other above methods
– Router builds the Forwarding Information Base (FIB) and Adjacency table from other tables built by the CPU, such as the routing and ARP tables.
– These tables are then used to make hardware based forwarding decisions.

At this point in the chapter I felt it had a lot of WAFFLE and could have explained it all a lot easier by using an example.

See the following image.

This shows the top down approach of what happens from the high layer routing protocol, in this case BGP, to the low level in hardware/ASIC.

Quick explanation from Cisco:

The Forwarding Information Base (FIB) table – CEF uses a FIB to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table.
When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.
Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.

Adjacency table – Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

Not all packets can be processed in Hardware, e.g. Tunnel interface traffic, NAT.
– A glean adjacency is in the CEF adjacency table when multiple hosts are directly connected to the MLS through a single port or interface. Lol what? There’s more on glean adjacencies in the book, but I doubt there will be anything on this in the exam.
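As an added Python model (mine, not the book’s or Cisco’s), the following ties together the three TCAM match regions described earlier (exact match for the adjacency, longest match for the FIB, first match for the ACL) and the FIB/adjacency split from the CEF description, including the glean case for a directly connected host whose MAC is not yet in the ARP table. The routing table, ARP entries, MACs and ACL are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed tables (not from the page). IP routing table: prefix -> next hop,
# with None meaning the subnet is directly connected.
ROUTING_TABLE: Dict[str, Optional[str]] = {
    "0.0.0.0/0": "10.0.0.1",
    "10.1.0.0/16": "10.0.0.2",
    "10.1.5.0/24": "10.0.0.3",
    "10.0.0.0/24": None,
}
# ARP cache: IP -> MAC. The connected host 10.0.0.50 has deliberately not been resolved yet.
ARP_TABLE: Dict[str, str] = {
    "10.0.0.1": "0000.0c00.0001",
    "10.0.0.2": "0000.0c00.0002",
    "10.0.0.3": "0000.0c00.0003",
}
# Outbound ACL as (action, prefix), evaluated top-down; an implicit deny follows.
ACL: List[Tuple[str, str]] = [
    ("deny", "10.1.5.66/32"),
    ("permit", "10.0.0.0/8"),
    ("permit", "192.168.0.0/16"),
]


def longest_match(dst: str, prefixes) -> Optional[str]:
    """Longest-match region: of all prefixes containing dst, the most specific wins."""
    addr = ip_address(dst)
    hits = [p for p in prefixes if addr in ip_network(p)]
    return max(hits, key=lambda p: ip_network(p).prefixlen) if hits else None


def first_match(dst: str, acl: List[Tuple[str, str]]) -> str:
    """First-match region: evaluation stops at the first matching entry, so the
    order of the entries decides the outcome."""
    addr = ip_address(dst)
    for action, prefix in acl:
        if addr in ip_network(prefix):
            return action
    return "deny"          # the implicit deny at the end of every ACL


def build_fib(routing_table: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """The FIB mirrors the routing table entry for entry, so no route cache has to be aged."""
    return dict(routing_table)


def build_adjacency(fib: Dict[str, Optional[str]], arp: Dict[str, str]) -> Dict[str, str]:
    """Adjacency table: the Layer 2 rewrite (exact-match region) for every resolved next hop."""
    return {nh: arp[nh] for nh in fib.values() if nh is not None and nh in arp}


def cef_forward(dst: str, fib, adjacency, acl) -> Tuple[str, ...]:
    """One hardware lookup: ACL check, FIB longest match, then adjacency rewrite."""
    if first_match(dst, acl) == "deny":
        return ("drop", "acl")
    prefix = longest_match(dst, fib)
    if prefix is None:
        return ("drop", "no-route")
    connected = fib[prefix] is None
    next_hop = dst if connected else fib[prefix]   # on a connected subnet the host is the next hop
    mac = adjacency.get(next_hop)
    if mac is None and connected:
        # Glean adjacency: the host is known to be directly attached but its MAC is not
        # yet known, so the packet is punted to the CPU, which sends the ARP request.
        return ("glean", prefix, next_hop)
    if mac is None:
        return ("punt", prefix, next_hop)          # next hop itself still unresolved
    return ("forward", prefix, next_hop, mac)


if __name__ == "__main__":
    fib = build_fib(ROUTING_TABLE)
    adj = build_adjacency(fib, ARP_TABLE)
    for dst in ("10.1.5.9", "10.1.7.1", "192.168.1.1", "10.1.5.66", "8.8.8.8", "10.0.0.50"):
        print(dst, "->", cef_forward(dst, fib, adj, ACL))
```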

Okay, I gave up all hope on this chapter too early. Page 230 has a sample of CEF operation…Could be worth looking at if CEF isn’t making that much sense. Sorry I haven’t got more on it. I’d suggest doing a google on CEF operation for more info.

CEF-Based MLS Verification

show interface __
Provides stats for hardware switching Layer 3 packets

show ip cef [___]
Verifies the FIB

show adjacency [___]
Verifies the adjacency table

show cef drops
Packets being dropped by hardware.

Implementing Cisco Switched Networks Chapter 3 Review

This is my review and notes of Chapter 3 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 3

I found this chapter a hard read. The different versions of spanning-tree along with enhancements can be a hard area to stomach. For me, the problem is that the different versions along with enhancements, are similar enough that I find it hard to distinguish the differences between each protocol, along with what each of the different “Port Guards” and “Port Filters” do. This is no fault of the book, but something I felt I needed to say anyway.

I think this chapter also could have been written better. There were a few paragraphs I quite plainly did not understand, until I looked at a different source for an explanation and then reread the text book. It felt like, ‘oh I can now see what they’re trying to say’, but the writer was coming from a background of already knowing what they were writing about. For someone new, or coming from CCNA, I think they could struggle reading some of this.

On the positive, I think the layout of the chapter is generally okay. It initially goes through each version/type of Spanning-Tree along with modes and distinguishing features between them. The second half of the chapter is dedicated to STP enhancements.

If you want a really good how-to with examples, see How to Master CCNP Switch. I think it does this well. I feel the goal of the book is not to throw a whole lot of theory at you, but give you just enough theory that you actually understand each feature through examples. If I manage to get through the foundation learning guide with enough time before my exam, I may read all of the gns3vault book.

Having just finished this chapter, it feels like it was written by multiple people, where there were some things said at one point, that had some disconnection to something else at another point. As in, you could be reading about feature X on one page, and something related to feature X was said on another page later on, but there was no connection made between the two things, or re-affirming the earlier point. An example being Cisco PortFast, and RSTP Edge port. Both are very similar but still

In terms of the CCNP exam, probably need to know:
– Core basics of STP
– Enough to understand PVST+ and configure it
– Possibly some RSTP/MST
– Spanning-Tree Enhancements

– Background of STP
– Spanning-tree basics
– RSTP (+ Port states, Roles etc.)
– Basics of PVRST+ along with configuration
– MST (Basics + MST Regions, and Configuration)
– Spanning Tree Enhancements (BPDU Guard/Filter, Root Guard, Loop Guard)
– UDLD, Flex Links
– Recommended STP practices



CST – Common Spanning Tree
– 1 STP instance, regardless of no. of VLANs
– Low Resources needed.
– Slow to converge
– Sub-optimal traffic flow can occur if more than one VLAN due to all traffic being required to take the same path.

Per VLAN Spanning-tree Plus
– Enhancement of STP with multiple instances, 1 for each VLAN.
– Includes several enhancements such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard
– Higher Resources needed.
– Each VLAN has a root bridge, allowing for optimisation of traffic flows for each VLAN.

Rapid STP – 802.1W
– Evolution of STP allowing for fast convergence.
– Medium Resources
– Still only single STP instance.

Multiple Spanning-Tree
– Maps multiple VLANs that have the same traffic flow requirements into the same STP instance.
– Cisco implementation provides up to 16 instances of RSTP and combines many VLANs with the same physical and logical topology into a common RSTP instance.

Per VLAN Rapid Spanning Tree Plus
– Cisco enhanced version of RSTP similar to PVST+
– Provides a separate instance of 802.1W per VLAN
– Fast
– Resources needed = very high.

PVST+ is Cisco default.

STP Operation

STP initially converges on a logically loop free topology by performing these steps:

1. Elects one Root Bridge
– All active ports are Designated Forwarding
– These ports send/recv traffic and configuration messages (BPDUs)
– Lowest priority switch becomes Root Bridge.

2. Selects the Root port on all Non-Root Switches
– Each switch in the spanning tree has a port it uses to reach the root bridge. This is known as the root port and is the port used to send/receive traffic to/through other switches.
– Root port is the lowest cost path from the non-root bridge to the root bridge.
– If non-root bridge has two or more equal cost paths to the root bridge, it selects the port that has the lowest port ID.
– Port-ID consists of a configurable priority + port number.

3. Selects the Designated port on each segment.
– On each segment, STP establishes one designated port on the bridge that has the lowest path cost to the root bridge.
– All ports that are up on the root bridge are Designated Forwarding.
– The Switch primarily chooses a designated port as the least-cost path to the root bridge. In the event of a tie, the bridge ID acts as the tiebreaker.

What the heck does that mean? The below image should explain it.


Looking at the example, each switch has a port it uses to reach the root bridge known as the root port. It is possible for the switch to have other ports still forwarding to other switches though, and not have any loops caused. For example, the link between B and D. B’s down link is Designated Forwarding, while the port on D is the Root Port. As we have a loop between B and C, C loses the tie breaker and marks the port as nondesignated/blocked.

STP Port States

Blocking
– NonDesignated port and does not participate in frame forwarding.
– Port receives BPDUs to determine the location and rootID of the root switch and which port roles (root, designated, or nondesignated) each switch port should assume in the final active STP topology.
– Default time in this state is 20 seconds (MaxAge)

Listening
– STP has established that the port can participate in the STP topology.
– In this state, port is both receiving and sending BPDUs to neighbors.
– Default time in this state is 15 seconds (Forward Delay).

Learning
– Port prepares to participate in frame forwarding and begins to populate the CAM table.
– Default time in this state is 15 seconds (Forward Delay).

Forwarding
– Port is actively forwarding traffic with other switches in topology.
– Port sends/receives BPDUs.

Disabled
– Does not participate in STP nor forward frames.

So how does the switch determine which port should be the Root Port?
– Through a cost value associated with the port.
– Switch port cost is based on link speed.

The cost to the root bridge is calculated using the cumulative costs of all links between the local switch and the root bridge and becomes the path cost.

Default port cost values:
10 Gbit – Cost 1
1 Gbit – Cost 4
100 Mbit – Cost 19

What happens when you have two paths with the same accumulative cost?

The Tie breaker is the PortID. PortID is a combination of a default value and port number. The default value is 128. So port 1’s port ID is a priority of 128.1.

Lowest PortID wins.

RSTP – Rapid Spanning Tree Protocol 802.1W

Enhancements over STP:
– A lot faster at converging
– Introduces several new port roles (Alternate and Backup)
– Simplified port states (Discarding, Learning, Forwarding)
– Backwards compatible with STP

RSTP Port States

Discarding
– Represents STP’s Disabled, Blocking, Listening states
– State is seen in both a stable active topology and during topology synchronisation and changes.
– Discarding state prevents the forwarding of traffic therefore no network loop.

Learning
– Seen in both stable active topology and topology synchronisation and changes.
– Accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.

Forwarding
– Only seen in stable active topologies.
– Self explanatory (data is forwarding).

RSTP Port Roles

Root Port
– Switch port on every non-root switch that is chosen as the path to the root bridge.
– Only 1 root port can be on each switch.
– See STP operation above. Same as STP.

Designated Port
– See STP operation above. Same as STP.

Alternate Port
– Switch port that offers an alternative path toward the root bridge.
– Assumes a discarding state in a stable environment.
– Present on nondesignated switches and makes a transition to designated port if the current designated path fails. See below image for what this looks like.

Backup Port
– If two switches have two redundant links, one link will be Designated (with Root Port at the other end), and the other link Designated (with Backup at the other end). See below image.
– A backup port has a higher port ID than the designated port on the designated switch.
– The backup port assumes the discarding state in a stable environment.

Rapid Transitioning to Forwarding

RSTP introduces two new variables called Link type (Probably not important to know for the exam), and Edge port.

Link Type
– Provides categorisation for each port participating in RSTP.
– Derived from port duplex mode. Full Duplex is considered to be a point to point link, where as half duplex is probably on a shared medium.
– I’m not sure how much this still plays a part in networks today…

Only thing more to be aware of, is of Root, Alternate, Blocking and Designated, only Designated Ports really makes use of the link type parameter.

Edge Ports
– Port configured on the switch to be connected to a host.
– Equivalent to Cisco PortFast feature
– Allows the port to transition directly to forwarding, skipping the listening and learning stages.
– Doesn’t generate a topology change (TCN) when its link transitions to up.
– If an edge port receives a BPDU, it immediately loses its edge port status and becomes a normal STP port. This is different behavior to Cisco PortFast. <— This is from the book. I have yet to find out how Edge Ports and PortFast totally differ.

Bridge Identifier for PVRST+

Because PVST+ or PVRST+ requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID info.

Bridge ID in this case, is made up of:

Bridge Priority: default is 32768. This is only a 4-bit field, so the value increments by 4096.
Extended system ID: 12 bit field carrying in this case, the VID
MAC Address: 6 byte field with MAC address of single switch.

If no priority has been configured, every switch will have the same default priority, and the election of the root for each VLAN is based on the MAC address. Because this can result in a random switch becoming the root bridge, it is advisable to lower the bridge priority on the switch that should be the root bridge in your network.
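The election steps and the PVRST+ bridge ID format above are easier to follow as code. The following is an added example, not from the book or this blog, that builds per-VLAN bridge IDs (priority + extended system ID + MAC) and runs the root-bridge, root-port and designated-port election over a constructed four-switch topology. It goes slightly beyond the notes: the root-port tie-break compares the sender's bridge ID and sender's port ID before the local port ID, which is the order the protocol actually uses. Switch names, MAC addresses, interface names and link speeds are made up, and the port number is assumed to be the digits after the last '/' in the interface name.

```python
"""Added example (not from the book or this blog): PVRST+ bridge IDs and the
STP root-bridge / root-port / designated-port election over a constructed
four-switch topology. Names, MACs, ports and speeds are made up."""
import heapq

DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128
# Default port costs quoted in the notes above (Mbit/s -> cost)
PORT_COST = {10_000: 1, 1_000: 4, 100: 19}


def bridge_id(mac: str, vlan: int, priority: int = DEFAULT_PRIORITY):
    """Comparable bridge ID for one VLAN instance: (16-bit priority field, MAC).

    The priority field is the 4-bit configurable priority (a multiple of 4096)
    plus the 12-bit extended system ID, which for PVST+/PVRST+ is the VLAN ID.
    Lower tuple wins, so with equal priorities the lowest MAC becomes root."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return (priority + vlan, mac_int)        # e.g. 32768 + 10 = 32778 for VLAN 10


def port_id(name: str):
    """Port ID = (port priority, port number). Assumption for this example:
    the port number is the digits after the last '/' in the interface name."""
    return (DEFAULT_PORT_PRIORITY, int(name.rsplit("/", 1)[-1]))


def elect(switches, links, vlan):
    """switches: {name: (mac, priority)}; links: [(sw_a, port_a, sw_b, port_b, mbps)].
    Returns (root_switch, {switch: {port: role}}) with roles root/designated/blocking."""
    bids = {n: bridge_id(mac, vlan, prio) for n, (mac, prio) in switches.items()}
    root = min(bids, key=bids.get)

    adj = {n: [] for n in switches}
    for a, pa, b, pb, mbps in links:
        cost = PORT_COST[mbps]               # cost is charged on the receiving port
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Dijkstra keyed on the STP tie-break order: root path cost, then sender
    # bridge ID, then sender port ID, then receiving port ID (lowest wins).
    best = {root: (0, (0, 0), (0, 0), (0, 0))}
    root_port = {}
    heap = [(best[root], root)]
    while heap:
        key, u = heapq.heappop(heap)
        if key != best[u]:
            continue                          # stale heap entry
        for pu, v, pv, cost in adj[u]:
            cand = (key[0] + cost, bids[u], port_id(pu), port_id(pv))
            if v not in best or cand < best[v]:
                best[v] = cand
                root_port[v] = pv
                heapq.heappush(heap, (cand, v))

    roles = {n: {} for n in switches}
    for n, p in root_port.items():
        roles[n][p] = "root"
    for a, pa, b, pb, _ in links:
        # On each segment the end with the lowest path cost (then bridge ID,
        # then port ID) is designated; the other end, unless it is already a
        # root port, is non-designated and blocks.
        ka = (best[a][0], bids[a], port_id(pa))
        kb = (best[b][0], bids[b], port_id(pb))
        des, dp, other, op = (a, pa, b, pb) if ka < kb else (b, pb, a, pa)
        roles[des][dp] = "designated"
        roles[other].setdefault(op, "blocking")
    return root, roles


# Constructed topology. B is given priority 4096 for VLAN 10 so it becomes
# root; with default priorities the lowest MAC (A) would win instead.
SWITCHES = {
    "A": ("0012.0000.000a", DEFAULT_PRIORITY),
    "B": ("0012.0000.000b", 4096),
    "C": ("0012.0000.000c", DEFAULT_PRIORITY),
    "D": ("0012.0000.000d", DEFAULT_PRIORITY),
}
LINKS = [
    ("A", "Gi0/1", "B", "Gi0/1", 1_000),
    ("A", "Gi0/2", "C", "Gi0/1", 1_000),
    ("B", "Gi0/2", "D", "Gi0/1", 1_000),
    ("B", "Gi0/3", "D", "Gi0/3", 1_000),   # parallel link: decided by port ID
    ("C", "Gi0/2", "D", "Gi0/2", 100),
]

if __name__ == "__main__":
    root, roles = elect(SWITCHES, LINKS, 10)
    print("VLAN 10 root bridge:", root)
    for sw, ports in sorted(roles.items()):
        print(sw, ports)
```

Running it shows D's second link to B (Gi0/3) blocking purely on port ID, and C's 100 Mbit link to D blocking because C already has a cost-8 path via A; changing B's priority back to the default moves the root to A, the lowest MAC, which is the "random root" situation the paragraph above warns about.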

MST – Multiple Spanning Tree

– Purpose is to reduce the total number of STP instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.

– MST enables you to build multiple spanning trees over trunks by grouping VLANs and associating them with STP instances. Each instance can have a topology independent of other spanning-tree instances. This architecture provides multiple active forwarding paths for data traffic and enables load balancing.

MST Regions

The main enhancement introduced by MST is the ability to map several VLANs to a single spanning-tree instance. The problem with this though, is how do you know which VLAN should be associated with which instance.

Each switch that runs MST in the network has a single MST config that consists of:
– Alphanumeric config name
– Config rev. no.
– 4096 element table that associates each of the potential 4096 VLANs supported on the switch to a given instance.

Extended System ID for MST
– Consists of Bridge priority + Extended System ID + MAC Address.
In the case of MST, the Extended Sys ID is the MST Instance Number.

Configuring MST

S1(config)#spanning-tree mst configuration
S1(config-mst)#show current – Display the current configuration before making changes
S1(config-mst)#name ____
S1(config-mst)#revision ___
S1(config-mst)#instance ___ vlan ___
S1(config-mst)#show pending – MST config to be applied
S1(config-mst)#end – Applies the config (exit also applies it and drops back to global config)
S1(config)#spanning-tree mst instance-no root primary|secondary
S1(config)#spanning-tree extend system-id – Enables MAC addr reduction
S1(config-if)#spanning-tree mst pre-standard – Interface cmd, required IF the neighbor on that port is using a prestandard version of MST.

Spanning Tree Enhancements

BPDU Guard
– Prevents accidental connection of an STP switch to a PortFast enabled port.

BPDU Guard puts an interface configured for STP PortFast in the err-disabled state upon receipt of a BPDU. The switch disables the interface[s] as a preventive step to avoid potential bridging loops.

Once a port has been put in the err-disabled state, the switch requires manual intervention by ‘no shut’ing the port. Alternatively BPDU Guard can be configured so that after a set interval, the port will be ‘no shut’, but will again shutdown for a specified amount of time if it receives another BPDU.

To enable globally: “spanning-tree portfast edge bpduguard default”
Alternatively under each desired port: “spanning-tree bpduguard enable”
To verify: “show spanning-tree summary totals”

BPDU Filter
– Restricts the switch from sending BPDUs out access ports.

When enabled globally, BPDU filtering has the following effect:
– Affects all operational PortFast ports that do not have BPDU filtering configured on the individual ports (well no duh!)
– If BPDUs are seen, the port loses its PortFast state, BPDU filtering is disabled, and STP begins to send/receive BPDUs on that port.
– On switch/port start up, the port transmits 10 BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.

When enabled on an individual port:
– Ignores all BPDUs received.
– Sends no BPDUs.

If you enable BPDU Guard on the same interface as BPDU Filtering, BPDU Guard has no effect because BPDU filtering takes precedence over BPDU Guard.

To enable globally: “spanning-tree portfast bpdufilter default”
To enable PortFast BPDU filtering on a specific port: “spanning-tree bpdufilter enable”
Verify config: “show spanning-tree summary”

Root Guard
– Prevents switches connected on ports configured as access ports from becoming the root switch.

– Root Guard provides a way to enforce the root bridge placement in the network.

– If the bridge receives superior STP BPDUs on a Root Guard-enabled port, the port moves to a root-inconsistent STP state (effectively equal to a listening state), and the switch does not forward traffic out of that port. Because of this, this feature effectively enforces the position of the root bridge.

Best practice is to enable Root Guard on all access ports so that a root bridge is not established through these ports.

If a superior BPDU is received on a Root Guard-enabled port, the port goes into root-inconsistent state (effectively same as listening state). At this point, a log message will appear in the buffer. The port will stay in this state as long as superior BPDUs are being received. Once superior BPDUs are no longer received, the port will transition to the forwarding state. Recovery is automatic, and no user intervention is required.

To enable on an interface: spanning-tree guard root
Verify: show spanning-tree inconsistentports

Preventing Forwarding Loops and Black Holes

Loop Guard

Loop Guard provides additional layer 2 protection against forwarding loops.

Loop Guard places a port in STP loop-inconsistent state when it stops receiving BPDUs, and will recover when BPDUs are again received.

This is to stop the port transitioning to the listening/learning/forwarding state after the MaxAge timer has expired when that port should in fact be receiving BPDUs. Why could this happen? If there’s an issue with the physical link (e.g. Unidirectional link failure) between the two switches for whatever reason, the switch with a port currently blocking may still be able to send traffic. So when this link comes up, in at least 1 direction we have a loop in the network.

A port in the STP loop-inconsistent state does not pass data traffic, hence a bridging loop does not occur. The loop-inconsistent state is effectively equal to the blocking state.

Loop Guard is configured on a per port basis, although the feature blocks inconsistent ports on a per-VLAN basis.

Enable Loop Guard on all Non-Designated ports (E.g. Root Port, Alternate Port)

To enable on an interface: spanning-tree guard loop
Globally: spanning-tree loopguard default
Verify: show spanning-tree interface __ detail

UDLD – Unidirectional Link Detection

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. This can cause spanning-tree loops.

UDLD enables a device to shutdown a link when a unidirectional link is detected.

UDLD is most useful on fibre links, but can also be configured on ethernet.

With UDLD enabled, the switch periodically sends UDLD protocol packets to its neighbor and expects the packets to be echoed back before a predetermined timer expires. Default interval is 15 seconds.

A UDLD-enabled switch sends UDLD protocol packets with its own device ID and port ID to the neighboring device. The link is determined to be bidirectional if the switch sees its own information echoed back in the packets sent by the neighbor. If the device does not see itself in the neighboring device’s UDLD protocol packets, the link is determined as unidirectional.

To enable UDLD globally (applies to fibre ports): udld enable, or udld aggressive for aggressive mode
To enable on an individual interface (fibre or copper): udld port [aggressive]

In normal mode: UDLD marks this port as “Undetermined”, but does NOT shut down or disable the port, which continues to operate under its current STP status. This mode of operation is informational and potentially less disruptive (though it does not prevent STP loops).

In aggressive mode: When a port stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After 8 failed attempts, the port state changes to err-disable state, which effectively disables the port. To get out of this state, the port needs to be shut, then no shut. Alternatively also enable “errdisable recovery” to auto recover from such issues.

Comparison between Aggressive Mode UDLD and Loop Guard

While these two features overlap in what they offer, they differ in their approach to the problem and in functionality. Both complement each other and it can be advisable to enable both features at the same time.

Loop Guard focuses on problems around BPDUs being received, and the STP daemon. UDLD focuses from the perspective of miswiring or other cabling issues.

In the case of EtherChannel, if BPDUs are not being received, the whole aggregator will shutdown with LoopGuard. Meanwhile, if the problem is physical in terms of one of the links in the EtherChannel, Aggressive UDLD can detect this issue and only shut down the affected cable.

Flex Links

– Simple alternative to STP.
– This enhancement enables a convergence time of less than 50 milliseconds.
– Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured on uplink ports.
– Only supported on Layer 2 ports and port channels, not on VLANs or on L3 ports.
– STP is disabled on Flex Link ports.

S1(config)#interface fa0/1
S1(config-if)#switchport backup interface fa0/2
S1#show interfaces switchport backup

Recommended Spanning Tree Practices

– Loop Guard is implemented on the L2 ports between distribution switches and on the uplink ports from the access switches to the distribution switches.

– Root Guard is configured on the distribution switch ports facing the access switches.

– UplinkFast is implemented on the uplink ports from the access switches to the distribution switches.

– BPDU Guard or Root Guard is configured on ports from the access switches to the end devices, as is PortFast.

– UDLD enables devices to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port. UDLD is often configured on ports linking switches.

– Depending on the security requirements of an organisation, the port security feature can be used to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.


Check the Port Status:

– Blocked ports: Check to make sure the switch reports receiving BPDUs periodically on the root and blocked ports. To check BPDUs on ports:
– show spanning-tree vlan __ detail

– Duplex mismatch: check on both ends of the link
– show interface
– Port Utilisation: An overloaded port may fail to transmit vital BPDUs and is also an indication of a possible bridging loop.
– show interface

– Frame corruption: Unlikely issue, but check the input error fields using ‘show interface’.

Implementing Cisco Switched Networks Chapter 2 Review

This is my review and notes of Chapter 2 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 2

Chapter is a pretty good refresher for a lot of things around VLANs. Having not used Cisco switches for a while, the show commands are a pretty helpful reminder of some available commands other vendors may not have. The chapter also somewhat applies some of the models discussed in chapter 1 in terms of the VLAN implementation around PPDIOO.

Later the chapter covers Private VLANs and EtherChannel. Personally felt the Private VLAN explanation was too confusing and instead resorted to an explanation from How to Master CCNP Switch.

In terms of the CCNP exam, probably need to know:
– Understand VLAN configuration and show commands
– Correct trunking configuration
– Different modes of DTP. Possibly some VTP.
– Private VLANs
– EtherChannel

– End to End VLAN, and Local VLAN models
– VLAN configuration and show commands
– Trunking – briefly ISL, which doesn’t matter, and 802.1Q
– DTP – Dynamic Trunking Protocol
– VTP – VLAN Trunking Protocol
– Private VLANs
– EtherChannel covering PAgp, LACP, and includes load balancing techniques.

VLAN Models

End to End VLAN
– Each VLAN spans the network geographically.
– Users are grouped into each VLAN regardless of physical location
– As users move throughout the campus, the VLAN membership of that user remains the same (probably through 802.1x)
– Users are typically associated with a given VLAN for network management reason hence why they are kept in the same VLAN.
→ Switches typically use VTP in server/client mode.

Local VLAN – Choice for Campus Enterprise Architecture.
– VLANs are configured for each floor or building
→ In other words, local VLANs are created with physical boundaries in mind rather than the job function of the user.
– Generally local VLANs exist between the access and distribution levels.
– Traffic is routed at Distribution and Core to reach other destinations on the network.
– Usual recommendation is max of 3 VLANs per access layer switch.
→ VTP configured in transparent mode as no VLANs should be advertised to other switches, nor need to be created on any other switches.

=> A network that consists entirely of local VLANs can benefit from the faster convergence offered by routing protocols, instead of spanning-tree for layer 2 networks.

Helpful VLAN configuration commands:

switchport host
– This is a macro for setting the port to access mode, enabling spanning-tree PortFast and disabling EtherChannel on a per port basis.

show vlan
show vlan br
show vlan id X
show vlan name X
– Pretty helpful generic vlan commands

show run int fa0/0
Display current config on a particular port

show interfaces
show int fa0/0 switchport
– Switchport characteristics
– Private VLAN and trunking info

show mac-address-table interface __ vlan __
– Displays MAC address table info for specified interface in specified vlan.
– Very helpful in determining if attached devices are sending packets to the correct VLAN.

DTP – Dynamic Trunking Protocol
– Cisco proprietary point-to-point protocol for switches to negotiate trunk links

Access – Port is permanently configured for nontrunking.
Trunk – Port is permanently configured for trunking.
– Other end of link needs to be trunk, dynamic desirable, or dynamic auto.
Nonegotiate – Puts port in permanent trunking mode BUT port will not send out DTP frames.
– Other end of link needs to be either trunk or nonegotiate.
Dynamic Desirable – Interface actively attempts to convert the link to a trunk link.
– Trunk forms if neighbor interface is set to trunk, desirable, or auto
Dynamic Auto – Interface willing to convert the link to a trunk link.
– Trunk only forms if neighbor set to desirable or trunk.

Trunking verification commands
show run int X
show int X switchport
show int X trunk
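Both the recommended STP practices in the chapter 3 notes (PortFast plus BPDU Guard on end-device ports, Loop Guard on uplinks) and the DTP mode rules above are the kind of thing worth checking mechanically across a config rather than port by port. The following is an added example, not from the book or this blog: it parses a constructed running-config extract, encodes the trunk-formation rules listed above in trunk_forms(), and flags ports that either depend on the neighbour's DTP mode or lack the guard features. It only looks at per-interface lines; global defaults such as spanning-tree portfast bpduguard default are not evaluated. Interface names, descriptions and the config text are constructed.

```python
"""Added example (not from the book or this blog): audit a Catalyst
running-config extract against the DTP and STP-guard recommendations in
these notes. The config text and interface names are constructed."""
import re

MODES = ("access", "trunk", "nonegotiate", "dynamic auto", "dynamic desirable")


def trunk_forms(a, b):
    """Does a trunk come up between two DTP modes? Encodes the rules above.
    'nonegotiate' means mode trunk + switchport nonegotiate (no DTP frames)."""
    if a not in MODES or b not in MODES:
        raise ValueError(f"unknown DTP mode: {a!r} / {b!r}")
    if "access" in (a, b):
        return False                                   # access never trunks
    if "nonegotiate" in (a, b):
        return {a, b} <= {"nonegotiate", "trunk"}      # other end must be static
    if a == b == "dynamic auto":
        return False                                   # both willing, neither asks
    return True                                        # trunk/desirable + trunk/desirable/auto


def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [stripped lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None                             # end of the interface stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def dtp_mode(lines):
    """Effective DTP mode of one interface, or None if never set explicitly."""
    mode = None
    for line in lines:
        m = re.fullmatch(r"switchport mode (access|trunk|dynamic auto|dynamic desirable)", line)
        if m:
            mode = m.group(1)
    if mode == "trunk" and "switchport nonegotiate" in lines:
        return "nonegotiate"
    return mode


def audit(config):
    """Return {interface: [finding, ...]}; an empty list means nothing to flag."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = dtp_mode(lines)
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        bpduguard = "spanning-tree bpduguard enable" in lines
        rootguard = "spanning-tree guard root" in lines
        loopguard = "spanning-tree guard loop" in lines

        if mode is None:
            issues.append("no explicit switchport mode; trunking depends on the "
                          "platform default and the neighbour's DTP mode")
        elif mode.startswith("dynamic"):
            issues.append(f"{mode}: whether this port trunks is decided by the neighbour")

        if portfast or mode == "access":               # end-device facing port
            if mode != "access":
                issues.append("PortFast port should be a static access port")
            if not (bpduguard or rootguard):
                issues.append("end-device port lacks BPDU Guard (or Root Guard)")

        if mode in ("trunk", "nonegotiate") and not loopguard:
            issues.append("uplink lacks Loop Guard")
        findings[name] = issues
    return findings


# Constructed running-config extract: two uplinks and two user ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to distribution (constructed)
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard loop
!
interface GigabitEthernet0/2
 description second uplink, left negotiating
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 description user port done right
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user port with PortFast only
 spanning-tree portfast
!
"""

if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(iface, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Gi0/1 and Fa0/1 come back clean; Gi0/2 is flagged because its trunk state is the neighbour's decision, and Fa0/2 gets three findings (no explicit mode, PortFast without access mode, no BPDU Guard). Feed it the output of show running-config from a real switch and the same rules apply.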

VTP – VLAN Trunking Protocol
– Cisco proprietary protocol that is used to synchronise and distribute VLAN databases throughout a switched network.
– Cisco switches transmit VTP info only on trunk links.
– VTP info is multicast.

VTP Modes and operation

Client
– Can’t create, change, or delete VLANs
– Forwards advertisements to other switches
– Synchronizes VLAN config with latest info received from other switches in management domain.
– Does not save VLAN config in NVRAM.

Server
– Creates, modifies, and deletes VLANs.
– Sends and forwards advertisements to other switches.
– Synchronizes VLAN config with latest info received from other switches in VTP domain
– Saves VLAN config in NVRAM.

Transparent
– Creates, deletes, and modifies VLANs only from and on the local switch
– Forwards VTP advertisements received from other switches in same VTP domain.
– Saves VLAN config in NVRAM.

There’s a bit more to VTP such as importance of sequence number etc but this isn’t stuff I feel I personally need notes on.

VTP Pruning
– Probably one of the main advantages to using VTP.
– VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic over trunk links needlessly. By default, a trunk connection carries traffic for all VLANs in the VTP management domain.
– VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

VTP has 3 versions. Version 2 is most commonly used.

If all switches in a domain are capable of running VTP version 2, enable VTP version 2 on one VTP server. The VTP server propagates the version number to the other VTP version 2 capable switches in the VTP domain.

Private VLANs

I found the implementing switch chapter pretty confusing on this subject, and instead looked at How to Master CCNP Switch. From the brief look I’ve had at this book, I think it’s pretty good, and avoids a lot of the waffle that you find in the Cisco press books. If I had more time before my exam, I would have liked to read this book in more detail. Anywho on to private VLANs!

A private VLAN is simply a vlan that has limited communication with other ports on the switch, depending on configuration.

A private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port.

Secondary VLANs can always communicate with the promiscuous port but they can never communicate with other secondary VLANs.

Private VLANs can also be carried over 802.1Q trunk links. Configuration is basically the same on the other switch. You only need to add the vlans to the trunk link.

Private VLAN port types:

Isolated
– Complete layer 2 separation from other ports within the same private VLAN, except promiscuous ports.

Promiscuous
– Can communicate with all ports within the private VLAN, including community and isolated ports.
– Only part of 1 primary VLAN, but each promiscuous port can map to more than one secondary private VLAN.
– Promiscuous ports are generally router ports, backup or shared servers, or VLAN interfaces.

Community
– Community ports communicate among themselves and with their promiscuous ports.
– Isolated at layer 2 from other interfaces in other communities, or from isolated ports within their private VLAN.

Private VLAN configuration

Using an example borrowed from René’s How to Master CCNP Switch book:

Firstly configure the switch to VTP mode transparent.

– Primary VLAN of 500
– Secondary Community VLAN is 501
– Secondary Isolated VLAN is 502

####### Configuring Primary VLAN and Secondary Community VLAN ########
S1(config)#vtp mode transparent
S1(config)#vlan 501
S1(config-vlan)#private-vlan community
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 501

##### Assigning private vlan, along with primary to switch ports ##########
S1(config)#interface range fa0/1 - 2
S1(config-if)#switchport mode private-vlan host
S1(config-if)#switchport private-vlan host-association 500 501

##### Configuring Promiscuous port #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 501

####### Configuring Isolated VLAN ########
S1(config)#vlan 502
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 502

##### Assigning private vlan, along with primary to switch ports ##########
S1(config)#interface range fa0/3 - 4
S1(config-if)#switchport mode private-vlan host
S1(config-if)#switchport private-vlan host-association 500 502

##### Configuring Promiscuous port #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 502

##### Verification #####
S1#show interfaces fa0/1 switchport
S1#show interfaces fa0/24 switchport
S1#show vlan private-vlan
S1#show vlan private-vlan type

Cisco Port Protect Feature
– Very simple version of private-vlans for lower end switches
– Traffic can only flow between a protected and unprotected port
– If two ports are port protected, they can not communicate with each other.

EtherChannel – PAgP and LACP

Apologies if this section lacks more detail. It’s not an area I personally need many notes on.

PAgP – Port Aggregation Protocol
– Cisco Proprietary
– Packets sent every 30 seconds. PAgP checks for config consistency and manages link additions and failures between two switches.

Auto
– Default
– Passive state in which the ports respond to PAgP packets that they receive but do not initiate PAgP negotiation.

Desirable
– Active negotiating state

On
– Forces interface to channel without PAgP
– Does not exchange PAgP packets.
– Other side also needs to be configured with ‘on’.

Non-silent
– If a switch is connected to a PAgP capable partner, add this keyword when configuring auto or desirable. If you do not specify this, silent is assumed. Silent is for connections to file servers or wireshark (why??)

So if doing PAgP, make sure to also add ‘non-silent’

LACP – Link Aggregation Control Protocol
Basically identical to PAgP but the IEEE open version.

Passive
– Default
– Passive negotiating state (responds to LACP packets, but doesn’t initiate EtherChannel).

Active
– Active negotiating state
– Will form EtherChannel with partner as Active or Passive

On
– Forces interface to channel without PAgP or LACP.

Additional Parameters

System priority – Each switch running LACP must have a system priority. This is automatic, but user can also manually configure. Switch uses MAC address and system priority to form the system ID.

Port priority – Same as above. Switch uses the port priority to decide which ports to put in standby mode when a hardware limitation prevents all compatible ports from aggregating.

Administrative key – As above, auto but can be manually done. Defines the capability of a port to aggregate with other ports, e.g. physical port characteristics incl. speed/duplex etc.

EtherChannel Load Balancing Options

One thing people often get wrong when it comes to EtherChannel or aggregator links, is they think that because they have two 1gbit links in an aggregator, that they now have 2gbit of bandwidth for any of their traffic. This is only slightly true, as aggregators use a load balancing technique to ‘balance’ traffic over the two links. Depending on source/destination traffic that flows through the link, you may or may not maximise available bandwidth. See below on different balancing techniques.

Cisco offers:

Use “show etherchannel load-balance” to see what mode is in effect. ‘conf t > port-channel load-balance’ to change it.
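To make the load-balancing point concrete, here is an added example, not from the book or this blog, that models how a channel picks a member link per flow. Assumption: the switch XORs the chosen address fields (the port-channel load-balance keywords src-mac, dst-mac, src-dst-mac, src-ip, dst-ip and src-dst-ip), keeps the low-order 3 bits as one of 8 hash buckets, and spreads the buckets over the member links; exact hashing differs by platform, so treat this as a model, not any particular switch's algorithm. The flows (eight clients talking to one server) are constructed.

```python
"""Added example (not from the book or this blog): a simplified model of
EtherChannel member-link selection, to show why two 1 Gbit links are not
"2 Gbit for any traffic". Hashing model and flows are constructed."""
import ipaddress
from collections import Counter

HASH_BITS = 3          # 8 hash buckets (assumption: a common Catalyst model)

# 'port-channel load-balance' keyword -> flow fields that get XORed
FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),   "dst-ip": ("dst_ip",),   "src-dst-ip": ("src_ip", "dst_ip"),
}


def _addr_int(value):
    """IPv4/IPv6 address, or MAC written xxxx.xxxx.xxxx / xx:xx:xx:xx:xx:xx, as an int."""
    try:
        return int(ipaddress.ip_address(value))
    except ValueError:
        return int(value.replace(".", "").replace(":", "").replace("-", ""), 16)


def hash_bucket(flow, method):
    """XOR the selected fields and keep the low-order HASH_BITS bits."""
    acc = 0
    for field in FIELDS[method]:
        acc ^= _addr_int(flow[field])
    return acc & ((1 << HASH_BITS) - 1)


def member_link(flow, method, n_links):
    """Bucket -> member link index. 2/4/8 links split the 8 buckets evenly;
    3 links get a 3:3:2 split, so one link carries less even with ideal flows."""
    return hash_bucket(flow, method) % n_links


def distribution(flows, method, n_links):
    """How many of the given flows land on each member link."""
    return dict(Counter(member_link(f, method, n_links) for f in flows))


# Constructed: eight clients 10.1.1.1-8 all talking to one server 10.2.2.10
FLOWS = [
    {"src_ip": f"10.1.1.{i}", "dst_ip": "10.2.2.10",
     "src_mac": f"0011.2233.44{i:02x}", "dst_mac": "0055.6677.8899"}
    for i in range(1, 9)
]

if __name__ == "__main__":
    for method in ("dst-ip", "src-dst-ip", "src-mac"):
        print(f"{method:12} 2 links: {distribution(FLOWS, method, 2)}"
              f"   3 links: {distribution(FLOWS, method, 3)}")
```

With dst-ip balancing every flow hashes to the same bucket (there is only one destination), so all eight flows share one link and the second 1 Gbit link sits idle; src-dst-ip or src-mac spreads them 4/4. That is the "only slightly true" part of the 2 Gbit claim: the aggregate is there, but a single flow, or a set of flows that hash alike, never sees more than one member link.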