How to configure 802.1X with AAA – Cisco Switch config

Below is a quick guide on 802.1X port-based authentication using a RADIUS server for authentication.

– Firstly enable AAA

ALS1(config)#aaa new-model

– Configure the location of the RADIUS server

ALS1(config)#radius-server host 172.16.1.1 key abc123

– Then configure what exactly needs authentication, along with how to authenticate it. In this case dot1x, using RADIUS as the authentication method.

ALS1(config)#aaa authentication dot1x default group radius

– To globally enable dot1x (note this just “enables” the feature as such)

ALS1(config)#dot1x system-auth-control

– Following that, configure the access port, or group of access ports, to use 802.1X to authenticate users against RADIUS. Note, IOS may not show dot1x sub-commands if you haven’t configured the port as an access port.

ALS1(config)#int fa0/6
ALS1(config-if)#switchport mode access
ALS1(config-if)#dot1x port-control ?
auto PortState will be set to AUTO
force-authorized PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized

ALS1(config-if)#dot1x port-control auto

Auto
– Enables 802.1X port-based authentication.

Force-authorized
– Disables 802.1X on the port, and the port automatically transitions to the authorized state.

Force-unauthorized
– Causes the port to remain in the unauthorised state, effectively making the port useless.


Implementing Cisco Switched Networks Chapter 6 Review

This is my review and notes of Chapter 6 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 6: Securing the Campus Infrastructure

Wasn’t too much of a fan of this chapter. It could just be because I’m pretty over reading this book. I feel like this chapter was generally alright, and I would recommend it if you’re looking into security for your campus network, but I still felt like at points it waffled on, and particularly had content which I highly doubt will be in the exam. Specifically some features that are only available on certain Cisco high end platforms.

What’s probably going to be in the exam:
– Switch Security Fundamentals
– Different types of L2 attacks and mitigation
– Port Security
– Brief understanding of different attack types (Mac spoofing, VLAN hopping, ARP Spoofing, DHCP attacks)
– VACLs
– IP Source Guard
– Dynamic ARP Inspection
– DHCP Snooping
– Understanding/recommendations on services to lock down on Cisco devices e.g. CDP, HTTP
– AAA ← I haven’t done very good notes on this, but I think it’s probably going to be pretty important for the exam.
– 802.1X
– SPAN/RSPAN

What the chapter also covers:
– SPAN to monitor CPU
– ERSPAN
– L2 Tracelog
– IOS Embedded Event Manager
– Network Analysis Module

Security at each layer

CORE—————-Server Farm
|
|
Distribution
|
|
Access

Server Farm
Use host and network based IPS, private VLANs, ACLs and secure passwords

Core
– Do not implement any packet manipulation here.

Distribution
– Use access lists to provide security.

Access
– Use switch port security to control access to the network.

Layer 2 Attack Methods

– MAC layer attacks
– VLAN attacks
– Spoofing attacks
– Attacks on switch devices

Attack methods and steps to Mitigate

Mac address flooding
Switch mac address table gets filled up causing the switch to then behave like a hub and flood traffic out all ports.

Enable port security methods

VLAN hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing L3 security mechanisms.

Remove dynamic trunk negotiations on ports

Attacks between devices on a common VLAN
Different customers on same subnet in service provider network.

Implement Private VLANs.

DHCP starvation and DHCP spoofing
Attacker uses all available DHCP addresses or establishes itself as a DHCP server in man-in-the-middle attack.

Use DHCP snooping

STP compromises
Spoofs root bridge. If successful, attacker can see a variety of frames.

Proactively configure the Root Bridge and backup. Enable Root Guard.

MAC spoofing
Attacker spoofs a valid host’s MAC address.

Use DHCP Snooping and Port Security.

ARP Spoofing
Attacker crafts ARP Replies intended for valid hosts.

Use Dynamic ARP Inspection, DHCP snooping, and port security.

CDP Manipulation
CDP info is sent in clear text and unauthenticated allowing it to be captured.

Disable CDP.

SSH and Telnet attacks
Telnet is in clear text.

Use SSH version 2, and only use Telnet with ACLs setup for specific hosts.

Port Security

S1(config-if)#switchport port-security ← Enables port security
S1(config-if)#switchport port-security maximum value ← Specify max allowed MAC addresses
S1(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx ← Manually specify MAC
S1(config-if)#switchport port-security violation {shutdown | restrict | protect}

Shutdown – If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used to make the interface usable again. Shutdown is the default violation mode.

Restrict – Frames from a non-allowed address are dropped. A log message is created and an SNMP trap is sent.

Protect – Frames from a non-allowed address are dropped, but no violation log is created.

Verify: S1#show port-security [interface interface-id] [address]

Port Security with Mac Address Sticky

Port security can mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period but does not limit port access to a specific MAC address.

Port security has a sticky MAC address feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port.

To Enable:
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security mac-address sticky

Verify with show run int x
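As an added illustration (not from the page or from Cisco IOS), here is a small Python model of the port-security behaviour above: a maximum MAC count, sticky learning, and the three violation modes run against the same constructed frames. The log text is a simplified stand-in for the real IOS syslog and SNMP trap.

```python
"""Port-security model (added example; not code from the page or from Cisco).
Simulates one access port with a maximum MAC count, sticky learning and the
three violation modes. Frames are reduced to their constructed source MAC."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # IOS default violation mode is shutdown
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # manually configured MACs
    learned: set = field(default_factory=set)  # dynamically / sticky learned MACs
    err_disabled: bool = False
    log: list = field(default_factory=list)    # simplified syslog / trap record

    def _allowed(self):
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Return the port's action for a frame from src_mac:
        'forward', 'drop' or 'errdisable'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # interface stays down until recovered
        if src_mac in self._allowed():
            return "forward"
        if len(self._allowed()) < self.maximum:
            self.learned.add(src_mac)           # secure address learned while below the limit
            return "forward"
        # Security violation: unknown address and the limit is already reached
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled (log + trap)")
            return "errdisable"
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped (log + trap)")
            return "drop"
        return "drop"                           # protect: dropped silently, nothing logged

    def errdisable_recover(self):
        """Manual 'shutdown / no shutdown' or the errdisable recovery timer."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Lines 'show run int' would show: sticky addresses persist, dynamic ones do not."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def demo():
    """Run the same three frames through each violation mode and return the results."""
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort(name=f"Fa0/1-{mode}", maximum=1, violation=mode, sticky=True)
        first = port.ingress("0011.2233.4455")     # legitimate host, becomes the sticky address
        second = port.ingress("aabb.ccdd.eeff")    # a second address exceeds maximum 1
        again = port.ingress("0011.2233.4455")     # legitimate host after the violation
        results[mode] = (first, second, again, len(port.log), port.running_config())
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, r[:4])
```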

Blocking Unicast Flooding on Desired Ports
This feature basically stops flooding of unicast frames when the switch doesn’t know where the destination MAC address is.

This is useful when other switch ports have been configured with a static mac address or mac address sticky, and is likely to be the only host on that port.

This stops devices on those ports receiving unnecessary (albeit small amounts of) flooded traffic caused by the above.

To configure:
S1(config)#int fa0/1
S1(config-if)#switchport block {unicast | multicast}

Understanding and Protecting Against VLAN Attacks

VLAN Hopping
Basically an attack method where a device is able to send/receive/capture packets in a VLAN that it should not be able to access. This attack is accomplished by tagging traffic with a specific VLAN ID, or by negotiating a trunk with a switch that has DTP enabled. This is done by switch spoofing or double tagging.

So as above, if a switch port is left at its default settings (i.e. DTP enabled), an unauthorised Cisco switch, or a PC running software that generates DTP packets, could be connected and negotiate a trunk, therefore gaining access to all VLANs.

Another method is double tagging. This is where the attacker sends in frames that have two 802.1Q tags configured. For this attack to work, the attacker needs the recipient to be connected via another switch. It also requires both switches to be connected in the same VLAN as the attacking switch port or native VLAN of the trunk between the switch and the attacked VLAN. I think what that means is if the attacker is in VLAN10 on switch A, switch B also needs to have a host in VLAN 10.

Possibly see Wikipedia for more: http://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging

Mitigation
– Configure all unused ports as access ports
– Place unused ports in shutdown state and put them in a VLAN specifically for unused ports.

When configuring Trunk links:
– Configure the native VLAN to be different from any data VLANs
– Trunking set to On, or Nonegotiate
– Trunks configured to only carry specific VLANs
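An added example, not from the page: a parser for the 802.1Q tag stack of an Ethernet frame, with the check a monitoring tool fed from a SPAN of an access port could apply to spot the double-tagged frames described above, or frames tagged with the trunk's native VLAN. The sample frames are constructed inline, not captured.

```python
"""802.1Q tag-stack parser and double-tag check (added example, not from the page).
Walks the Ethernet header of a frame, collects every stacked 802.1Q/802.1ad tag,
and flags what a defender watching a SPAN feed of an access port would want to
see: more than one tag, any tag on an access port, or an outer tag equal to the
trunk's native VLAN. Sample frames are constructed here, not captured."""
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8      # provider-bridge (QinQ) outer tag; parsed like 802.1Q here


def parse_tags(frame: bytes):
    """Return (dst_mac, src_mac, [vlan ids outer..inner], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated ethertype")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vlans, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)       # VLAN ID is the low 12 bits of the TCI
        offset += 4


def check_frame(frame: bytes, native_vlan: int, access_port: bool = True):
    """Classify one received frame: returns (verdict, list of VLAN IDs outer..inner)."""
    _, _, vlans, _ = parse_tags(frame)
    if len(vlans) >= 2:
        return "double-tagged", vlans           # the double-tagging pattern described above
    if access_port and vlans:
        # Hosts on an access port normally send untagged frames (voice VLAN and
        # priority-tagged frames are the legitimate exceptions to whitelist).
        return "tagged-on-access-port", vlans
    if vlans and vlans[0] == native_vlan:
        return "outer-tag-is-native", vlans     # a trunk would strip this tag and expose the inner one
    return "ok", vlans


# Constructed sample frames: broadcast destination, one source MAC, zero-filled payload
_HDR = "ffffffffffff" + "001122334455"
NORMAL_FRAME = bytes.fromhex(_HDR + "0806") + b"\x00" * 46                           # untagged ARP
SINGLE_FRAME = bytes.fromhex(_HDR + "8100000a" + "0800") + b"\x00" * 46              # tagged VLAN 10
DOUBLE_FRAME = bytes.fromhex(_HDR + "81000001" + "81000014" + "0800") + b"\x00" * 46  # VLAN 1 outer, 20 inner

if __name__ == "__main__":
    for name, f in (("normal", NORMAL_FRAME), ("single", SINGLE_FRAME), ("double", DOUBLE_FRAME)):
        print(name, check_frame(f, native_vlan=1))
```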

VLAN Access Control Lists

Cisco Multi-Layer Switches support 3 types of ACLs:
– Router Access Control List (RACL) – Supported in the TCAM Hardware. RACLs can be applied to any routed interface, e.g. SVIs, or L3 Router interfaces.
– Port Access Control List (PACL) – Filters at the port level. Can be applied on L2 switchport, trunk port, or EtherChannel. Act at the L2 port level but can filter based on L3/L4 info.
– VLAN Access Control List (VACL) – Aka VLAN access-maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype, and MAC Addresses. VACLs are order-sensitive, similar to route-maps. VACLs can control traffic flowing within the VLAN or control switched traffic, whereas RACLs control only routed traffic.

Configuring VACLs
Apply to all traffic on the VLAN. You can configure VACLs for IP and MAC-layer traffic.
– VACLs follow Route-map conventions, in which map sequences are checked in order.
– The available actions are Permit (forward), Deny (drop), Redirect and Capture; VACL redirect and VACL capture are only available on the Catalyst 6500.

S1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any ← Identifying L3 list
S1(config)#mac access-list extended BACKUP_SERVER ← Identifying L2 list
S1(config-ext-mac)#permit any host 0000.1111.2222
S1(config)#vlan access-map ABC 10 ← Defining the VACL
S1(config-map)#match ip address 100 ← Matching previous L3 ACL
S1(config-map)#action drop ← Action
S1(config)#vlan access-map ABC 20
S1(config-map)#match mac address BACKUP_SERVER ← Matching previous L2 ACL
S1(config-map)#action drop
S1(config)#vlan access-map ABC 30
S1(config-map)#action forward ← No match clause, so everything else is forwarded
S1(config)#vlan filter ABC vlan-list 10,20

Spoofing Attacks
– Port security prevents MAC flooding attacks
– DHCP snooping prevents client attacks on the DHCP server and switch.
– Dynamic ARP inspection adds security to ARP by using the DHCP snooping table to minimise the impact of ARP poisoning and spoofing attacks.
– IP Source Guard prevents IP address spoofing using the DHCP snooping table.

DHCP Spoofing Attack
Basically the attacker has a rogue DHCP server attached to the same segment which replies to DHCP requests before the valid DHCP server does. The attacker DHCP server gives the victim the attackers DNS and Default Gateway settings effectively making the attacker a man-in-the-middle.

Another method of attack is sending thousands of DHCP requests, potentially then exhausting the available addresses in the DHCP address pool.

DHCP Snooping
DHCP Snooping is a feature that determines which switch ports are “trusted” and allowed to respond to DHCP requests.
– Per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a DHCP server or another switch.
– Can be enabled on a per-VLAN basis.
– Trusted ports can either have a DHCP server on it, or be an uplink port towards another DHCP server.
– If an attacker connects a rogue DHCP server on an untrusted port and it attempts to reply to a DHCP request, the port is shut down.

To configure:
S1(config)#ip dhcp snooping ← Enables DHCP snooping globally
S1(config)#ip dhcp snooping information option ← Enables DHCP option 82. Optional. Inserts switch info, such as the port ID, into the DHCP request.
S1(config)#ip dhcp snooping vlan X ← Enables snooping on a specific VLAN (snooping only operates on the VLANs listed here).
S1(config-if)#ip dhcp snooping trust ← Enable on the DHCP server port or uplink port.
S1(config-if)#ip dhcp snooping limit rate pps ← Used to stop the DHCP server from being overwhelmed in the case of an attack to use up the DHCP pool.
Verify: show ip dhcp snooping

ARP Spoofing Attack
In normal network operation, if a device doesn’t know the MAC address of a host, it broadcasts an ARP request asking which device on the network owns that IP address.

ARP Spoofing is an attack where the attacker device sends out a gratuitous ARP (an unsolicited message/frame) with its own MAC address, telling other hosts that it is the location for IP address X. Other hosts then install in their ARP caches that device X is at the MAC address of the attacker.

To prevent this, use Dynamic ARP inspection

Dynamic ARP inspection prevents man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies out to other ports in the same VLAN.

– Dynamic ARP inspection intercepts all ARP requests and all replies on untrusted ports.
– Each intercepted packet is verified for valid IP-to-MAC bindings that are gathered via DHCP snooping.
– Denied ARP packets are either dropped or logged by the switch for auditing, so ARP poisoning attacks are stopped.
– Incoming ARP packets on trusted ports are not inspected.
– Dynamic ARP inspection can also rate-limit ARP requests from client ports to minimize port scanning mechanisms.

So to use DAI, you need to have DHCP snooping on. This is because it uses the DHCP snooping binding table to validate the IP-to-MAC address bindings.

In the case of static address configurations, DAI can also validate ARP packets against user-configured ARP ACLs.

Configuration
S1(config)#ip arp inspection vlan X
S1(config)#int x/x
S1(config-if)#ip arp inspection trust ← With ARP inspection, you only need to configure the trusted ports, such as trunk links. All other ports are automatically considered untrusted.
S1(config)#ip arp inspection validate {[src-mac] [dst-mac] [ip]} ← Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.

Verify:
show ip arp inspection interfaces
show ip arp inspection vlan x
show ip dhcp snooping binding

Default action if the switch now receives a bogus ARP request is to simply drop the request. The switch can also be configured to err-disable or shut down the port and generate a syslog message.

IP Spoofing and IP Source Guard
IP spoofing is where an attacker is impersonating a legitimate host on the network.
– IP Source Guard prevents a malicious host from attacking the network by hijacking its neighbor’s IP address.
– Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed.
– Dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch port bindings.
– IP Source Guard is typically deployed for untrusted switch ports in the access layer.

IP source Guard works closely with DHCP Snooping. This feature can be enabled on a DHCP snooping untrusted L2 port to prevent IP address spoofing.

When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port.

Methods of IP Source Guard filtering:
– Source IP address filter
– Source IP and MAC address filter

Configuration
S1(config)#ip dhcp snooping ← Enables globally
S1(config)#ip dhcp snooping vlan X
S1(config-if)#ip verify source vlan dhcp-snooping ← Enables IP Source Guard source IP filtering on the port
OR S1(config-if)#ip verify source vlan dhcp-snooping port-security ← As above, with source MAC filtering as well
S1(config)#ip source binding xxxx.xxxx.xxxx vlan X x.x.x.x interface fax/x ← Static binding on a port, for hosts that don’t use DHCP

Verify using ‘show ip source binding’

IP Source Guard can only be configured on L2 interfaces.
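Added example (not the page's or Cisco's code) tying the DHCP snooping, DAI and IP Source Guard sections together: a binding table populated from DHCP leases and static bindings, the DAI checks (trusted-port bypass, validate src-mac/dst-mac/ip, binding lookup) and the IPSG filter with and without port-security MAC matching. All packets are constructed dictionaries, not captures.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI) and
IP Source Guard (IPSG). Added example modelling the checks in the notes,
not Cisco's implementation. All packets are constructed dicts, not captures."""
from dataclasses import dataclass

INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, validate=("src-mac", "dst-mac", "ip")):
        self.trusted = set(trusted_ports)   # ip dhcp snooping trust / ip arp inspection trust
        self.validate = set(validate)       # ip arp inspection validate {src-mac dst-mac ip}
        self.bindings = {}                  # (vlan, ip) -> Binding, i.e. show ip dhcp snooping binding
        self.log = []

    def dhcp_lease(self, vlan, client_port, client_mac, ip):
        """DHCP snooping: a lease seen for a client on an untrusted port creates a binding
        (the server's ACK is only accepted from a trusted port)."""
        self.bindings[(vlan, ip)] = Binding(client_mac.lower(), ip, vlan, client_port)

    def static_binding(self, vlan, port, mac, ip):
        """Equivalent of 'ip source binding <mac> vlan <vlan> <ip> interface <port>'."""
        self.bindings[(vlan, ip)] = Binding(mac.lower(), ip, vlan, port)

    @staticmethod
    def _bad_ip(ip):
        """'validate ip': unspecified, broadcast and multicast addresses are never valid."""
        return ip in INVALID_IPS or 224 <= int(ip.split(".")[0]) <= 239

    def _deny(self, pkt, reason):
        self.log.append(f"DAI drop on {pkt['in_port']}: {reason} "
                        f"({pkt['sender_mac']} {pkt['sender_ip']})")
        return "drop", reason

    def arp_inspect(self, pkt):
        """DAI decision for one ARP packet on a VLAN with inspection enabled."""
        if pkt["in_port"] in self.trusted:
            return "permit", "trusted port, not inspected"
        if "src-mac" in self.validate and pkt["eth_src"] != pkt["sender_mac"]:
            return self._deny(pkt, "Ethernet source != ARP sender MAC")
        if ("dst-mac" in self.validate and pkt["op"] == "reply"
                and pkt["eth_dst"] != pkt["target_mac"]):
            return self._deny(pkt, "Ethernet destination != ARP target MAC")
        if "ip" in self.validate and (self._bad_ip(pkt["sender_ip"]) or
                                      (pkt["op"] == "reply" and self._bad_ip(pkt["target_ip"]))):
            return self._deny(pkt, "invalid IP address in ARP body")
        b = self.bindings.get((pkt["vlan"], pkt["sender_ip"]))
        if b is None or b.mac != pkt["sender_mac"] or b.port != pkt["in_port"]:
            return self._deny(pkt, "sender IP/MAC/port not in the snooping binding table")
        return "permit", "binding matched"

    def ip_source_guard(self, pkt, port_security=False):
        """IPSG on an untrusted port: the source IP (and, with port-security, the source MAC)
        must match a binding learned on that port and VLAN."""
        if pkt["in_port"] in self.trusted:
            return "permit"
        b = self.bindings.get((pkt["vlan"], pkt["src_ip"]))
        if b is None or b.port != pkt["in_port"]:
            return "drop"
        if port_security and b.mac != pkt["eth_src"]:
            return "drop"
        return "permit"


def demo():
    """A legitimate host, an unsolicited reply for the gateway address, a header mismatch, IPSG cases."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})                # uplink towards the DHCP server
    sw.dhcp_lease(vlan=10, client_port="Fa0/5", client_mac="0011.2233.4455", ip="10.1.10.50")
    sw.static_binding(vlan=10, port="Fa0/6", mac="0011.2233.6666", ip="10.1.10.60")
    legit = {"in_port": "Fa0/5", "vlan": 10, "op": "request",
             "eth_src": "0011.2233.4455", "eth_dst": "ffff.ffff.ffff",
             "sender_mac": "0011.2233.4455", "sender_ip": "10.1.10.50",
             "target_mac": "0000.0000.0000", "target_ip": "10.1.10.1"}
    # Unsolicited reply from a port with no binding, claiming the gateway address 10.1.10.1
    spoof = dict(legit, in_port="Fa0/7", op="reply", eth_src="dead.beef.0001",
                 sender_mac="dead.beef.0001", sender_ip="10.1.10.1", target_mac="ffff.ffff.ffff")
    mismatch = dict(legit, eth_src="dead.beef.0002")           # ARP body fine, Ethernet header does not match
    ip_pkt = {"in_port": "Fa0/5", "vlan": 10, "src_ip": "10.1.10.50", "eth_src": "0011.2233.4455"}
    return {
        "legit": sw.arp_inspect(legit)[0],
        "spoof": sw.arp_inspect(spoof)[0],
        "mismatch": sw.arp_inspect(mismatch)[0],
        "uplink": sw.arp_inspect(dict(spoof, in_port="Gi0/1"))[0],   # trusted port: not inspected
        "ipsg_ok": sw.ip_source_guard(ip_pkt),
        "ipsg_wrong_ip": sw.ip_source_guard(dict(ip_pkt, src_ip="10.1.10.60")),
        "ipsg_wrong_mac": sw.ip_source_guard(dict(ip_pkt, eth_src="dead.beef.0003"), port_security=True),
        "dai_log_entries": len(sw.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```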

Securing Network Switches

This section covers protocols such as CDP, SSH, Telnet, VTY ACLs, HTTP Secure Server, AAA, and 802.1x.

Network Discovery Protocols
Covers CDP (Cisco Proprietary) and LLDP (IEEE equivalent).

CDP (Cisco Discovery Protocol)
– Enabled by default.
– ‘no cdp run’ – disables CDP globally
– ‘no cdp enable’ – disables on an interface
– ‘show cdp neighbor [detail]’ – Displays a summary of which devices are seen on which ports.

LLDP (Link Local Discovery Protocol)
– Disabled by default
– ‘lldp run’ enables globally
– ‘lldp enable’ enables on specific interface.
– ‘show lldp neighbor [detail]’ – Similar to CDP.

CDP is a powerful tool in the hands of an attacker, as it gives them a reconnaissance view of the network. Some programs such as CiscoWorks require the use of CDP (or at least are heavily limited without it), so rather than disable it globally, selectively disable it on all ports except trunk ports and management ports.

Telnet
– Convenient, but don’t use it. All data is in plain text. Use SSH instead.
– If Telnet must be used, configure VTY line ACLs to only allow connections from management IPs.

SSH
– Everything is encrypted.

Config:
S1(config)#username matt password cisco
S1(config)#ip domain-name abc.com
S1(config)#crypto key generate rsa
S1(config)#ip ssh version 2
S1(config)#line vty 0 15
S1(config-line)#login local
S1(config-line)#transport input ssh

VTY ACLs
S1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any
S1(config)#line vty 0 15
S1(config-line)#access-class 100 in

HTTP Secure Server
– Use HTTPS instead of unprotected HTTP by using the command ‘ip http secure-server’. Make sure to disable the insecure server by issuing ‘no ip http server’.
– To use HTTPS, you need to have a certificate on the switch. This is done through ‘crypto key generate rsa’ (you need a domain name configured to do this though).
– Configure an ACL so only the management IPs can access the switch web server. Apply it using ‘ip http access-class XX’.
– Configure users, if the switch needs configuration done via the web server. Apply it using ‘ip http authentication local’.

Authentication Authorisation Accounting (AAA)
See wiki for description of each: http://en.wikipedia.org/wiki/AAA_protocol

AAA is actually quite important. Although my notes here are small, it’s something that will probably be in the exam and something you should make sure you understand, and can configure.

Configuration
Varies depending on what exactly you’re trying to achieve.

Authentication example using Tacacs+:
S1(config)#aaa new-model ← Globally enables AAA
S1(config)#aaa authentication login TEST group tacacs+
S1(config)#tacacs-server host 192.168.1.1
S1(config)#line vty 0 4
S1(config-line)#login authentication TEST

Authorisation example using Tacacs+:
S1(config)#aaa new-model
S1(config)#aaa authorization commands 0 default if-authenticated group tacacs+
S1(config)#line vty 0 4
S1(config-line)#authorization commands 0 default

Accounting example using Tacacs+:
S1(config)#aaa new-model
S1(config)#aaa accounting exec default start-stop group tacacs+
S1(config)#line vty 0 4
S1(config-line)#accounting exec default

Security Using IEEE 802.1X Port-Based Authentication
Basically when a device is attached to the network, a user needs to log in via their user credentials which are stored in an Authentication Server database typically done by RADIUS.

Until the workstation is authenticated, 802.1X access control enables only Extensible Authentication Protocol over LAN (EAPOL) traffic on the port.

Configuration
dot1x port-control {auto | force-authorized | force-unauthorized}
force-authorized
– Disables 802.1x port-based authentication and causes the port to transition to the authorized state without any authentication exchange required.
– Default Setting

force-unauthorized
– Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
– Use this on ports where you don’t want any users to be able to connect from. I can’t see why you wouldn’t just shutdown the port instead…

auto
– Enables 802.1x port-based authentication.
– Port initializes in the unauthorised state, enabling only EAPOL packets
– The authentication process begins when either the link is brought up (authenticator initiation), or a client sends an EAPOL-start frame and the switch receives it (supplicant initiation).
– After this, the switch requests info identifying the client and this information is relayed between the switch and the authentication server.
– Clients are uniquely identified by their MAC address. This means that only one 802.1x-capable host may be connected to each access port.

When a client logs out, it sends an EAPOL-logout message, causing the switch port to transition to the unauthorised state.

Configuration

S1(config)#aaa new-model ← Enable AAA
S1(config)#radius-server host 10.1.1.1 auth-port 1812 key abc123 ← 1812 is the standard RADIUS authentication port
S1(config)#aaa authentication dot1x {default} group method1… ← Create an 802.1x port-based authentication method list
S1(config)#dot1x system-auth-control ← Enable 802.1x port authentication globally. Remember the global default for 802.1x is “force-authorized” which effectively allows anyone access on the ports.
S1(config)#int fa0/1
S1(config-if)#dot1x port-control auto ← Enabling the authentication method on the interface
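Added example, not from the page or from Cisco, covering both this section and the quick guide at the top of the page: a Python model of the three dot1x port-control values, showing that an unauthorized port in auto mode passes only EAPOL (ethertype 0x888E), opens after a successful RADIUS result for the supplicant's MAC, and closes again on EAPOL-Logoff. The RADIUS exchange itself is abstracted to an accept/reject result.

```python
"""802.1X port-control state model (added example, not from the page or Cisco).
Shows what each dot1x port-control value does to non-EAPOL traffic before and
after a supplicant authenticates. The EAP/RADIUS exchange is reduced to a result."""

EAPOL = 0x888E   # EAP over LAN ethertype: the only frames an unauthorized 'auto' port passes


class Dot1xPort:
    def __init__(self, port_control="force-authorized"):   # IOS default is force-authorized
        if port_control not in ("auto", "force-authorized", "force-unauthorized"):
            raise ValueError(port_control)
        self.port_control = port_control
        self.authorized = port_control == "force-authorized"
        self.supplicant = None          # MAC of the client that authenticated (single host per port)

    def link_up(self):
        """Authenticator initiation: a new link starts unauthorized in auto mode."""
        if self.port_control == "auto":
            self.authorized, self.supplicant = False, None

    def eapol(self, kind, client_mac, radius_result=None):
        """Process an EAPOL event: 'start', 'auth-result' (radius_result 'accept'/'reject')
        or 'logoff'. Returns the port's authorization state afterwards."""
        if self.port_control != "auto":
            return self.authorized      # forced modes ignore the supplicant entirely
        if kind == "start":
            self.supplicant = client_mac   # identity request/response would be relayed to RADIUS
        elif kind == "auth-result":
            self.authorized = radius_result == "accept" and client_mac == self.supplicant
        elif kind == "logoff" and client_mac == self.supplicant:
            self.authorized, self.supplicant = False, None
        return self.authorized

    def ingress(self, ethertype, src_mac):
        """Return True if a frame from src_mac is forwarded on this port."""
        if self.port_control == "force-unauthorized":
            return False                # even EAPOL is ignored
        if self.authorized and self.supplicant in (None, src_mac):
            return True                 # force-authorized, or the authenticated host
        return ethertype == EAPOL       # unauthorized (or a second MAC): EAPOL only


def demo():
    """Same sequence of frames and EAPOL events against each port-control value."""
    results = {}
    for mode in ("force-authorized", "force-unauthorized", "auto"):
        p = Dot1xPort(mode)
        p.link_up()
        before = p.ingress(0x0800, "0011.2233.4455")           # IP frame before authentication
        eapol_ok = p.ingress(EAPOL, "0011.2233.4455")          # EAPOL-Start from the supplicant
        p.eapol("start", "0011.2233.4455")
        p.eapol("auth-result", "0011.2233.4455", radius_result="accept")
        after = p.ingress(0x0800, "0011.2233.4455")
        other = p.ingress(0x0800, "aabb.ccdd.eeff")            # a second MAC on the same port
        p.eapol("logoff", "0011.2233.4455")
        logged_off = p.ingress(0x0800, "0011.2233.4455")
        results[mode] = (before, eapol_ok, after, other, logged_off)
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(f"{mode:19s} before={r[0]} eapol={r[1]} after={r[2]} other_mac={r[3]} logoff={r[4]}")
```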

Switch Security Considerations
This section basically covers the thoughts and questions that should be asked when an organization is thinking about what it should cover in terms of security in their network.

One major point to consider is the balance of reasonable network security against the administrative overhead that is required for management of the network.

Cisco recommended minimum security configuration:
– Configure strong system passwords.
– Restrict management access using ACLs.
– Secure physical access to the console.
– Secure access to vty lines.
– Configure system warning banners.
– Disable unneeded or unused services.
– Trim and minimize the use of CDP/LLDP.
– Disable the integrated HTTP daemon (where appropriate).
– Configure basic system logging (syslog).
– Secure SNMP.
– Limit trunking connections and propagated VLANs.
– Secure STP.

Troubleshooting Performance and Connectivity

Techniques to Enhance Performance
I wasn’t going to include this, but I thought it was 3 good points for consideration within a production network:

– User performance
Based on the response time a user experiences when using daily tools such as server databases. This variable gives the user their own perception of the reliability and performance of the network.

– Capacity Planning
This covers the idea of determining future network resource requirements to prevent a performance or availability impact on business-critical applications.

– Proactive fault management
Responding to faults as they occur, and implementing solutions to prevent further faults in that area. This also comes under PPDIOO.

The next few pages of the book basically go into an analysis of what things you should consider when looking at network performance, and trying to cover all necessary bases for a continually stable network.

Monitoring Performance with SPAN and VSPAN
Switched Port Analyzer is an important tool aiding in performance and troubleshooting in a network.

It basically mirrors all traffic in a VLAN or port[s] to a specific port. That port then usually has some form of network analyser (e.g. Wireshark) connected to it.

Local SPAN is where the analyzer port and ports to be mirrored are all within the same switch.

VSPAN refers to mirroring of a VLAN to a single port.

SPAN supports capture of traffic in ingress, egress or both at the same time.

Configuration
S1(config)#monitor session 1 source interface fa0/1
S1(config)#monitor session 1 destination interface fa0/2
S1(config)#end
S1#show monitor session 1

Using SPAN to Monitor the CPU Interface of Switches
From what I understood, I believe this may only be on switches such as the Catalyst 4500 series.

It is helpful though, as it gives you a view of what traffic is being processed by the Supervisor Engine CPU.

cat4506(config)#monitor session 1 source cpu [rx | tx | both]
cat4506(config)#monitor session 1 destination interface fa0/1
cat4506#show monitor session 1

RSPAN (Remote Switched Port Analyser)
Similar to SPAN, but supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across a switched network.

– Each RSPAN session carries the SPAN traffic over a user-specified RSPAN VLAN. This VLAN is dedicated for that RSPAN session in all participating switches.

RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session.

– It is advisable to configure separate RSPAN source sessions and destination sessions on different network devices.
– To configure an RSPAN source session on one network device, associate a set of source ports and VLANs with an RSPAN VLAN.
– To configure an RSPAN destination session on another device, associate the destination port with the RSPAN VLAN.

RSPAN Guidelines
– Configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, VTP can propagate configurations of VLANS numbered 1 through 1024 as RSPAN VLANs.
– Switches don’t impose a limit on the number of RSPAN VLANs allowed.
– Configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs, and use the same RSPAN VLAN for each RSPAN session.

Configuration

– Create the RSPAN transport VLAN:
S1(config)#vlan 901
S1(config-vlan)#remote-span
S1(config-vlan)#end

– Configure the ports you want to mirror on the source switch:
S1(config)#no monitor session 1
S1(config)#monitor session 1 source interface gigabitethernet0/1 tx
S1(config)#monitor session 1 source interface gigabitethernet0/2 rx
S1(config)#monitor session 1 source interface port-channel 2
S1(config)#monitor session 1 destination remote vlan 901
S1(config)#end

– Configure the destination switch:
S2(config)#monitor session 1 source remote vlan 901
S2(config)#monitor session 1 destination interface gigabitethernet0/1
S2(config)#end

Verify:
show monitor

Monitoring performance with ERSPAN
Enhanced Remote SPAN.

Features:
– support for source ports, source VLANs, and destination ports on different switches, even across L3 links.
– Carries SPAN traffic over a GRE tunnel.
– Currently only supported on Catalyst 6500 switches.

Config not listed as I doubt this will be in the exam.

Monitoring Performance using VACLs with the Capture Option
– Currently only supported on Catalyst 6500 series.

Basically it’s using a VACL on a SPAN port to filter at Layers 2,3, or 4 to only match traffic the administrator is interested in.

Troubleshooting Using L2 Traceroute
Behaves similarly to traceroute for L3, in which you specify the source and dest MAC addresses, and it will tell you the path the device takes to reach the Dest.
– Requires all switches along the way to support L2 traceroute.
– Requires CDP to be on with neighboring switches.

To execute:
S1# traceroute mac 0000.0000.0002 0000.0000.1234

The last things the chapter talks about are Cisco Embedded Event Manager and the Catalyst 6500 Network Analysis Module, both of which I doubt will be in the Switch exam.

Implementing Cisco Switched Networks Chapter 3 Review

This is my review and notes of Chapter 3 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 3

I found this chapter a hard read. The different versions of spanning-tree along with enhancements can be a hard area to stomach. For me, the problem is that the different versions along with enhancements, are similar enough that I find it hard to distinguish the differences between each protocol, along with what each of the different “Port Guards” and “Port Filters” do. This is no fault of the book, but something I felt I needed to say anyway.

I think this chapter also could have been written better. There were a few paragraphs I quite plainly did not understand, until I looked at a different source for an explanation and then reread the text book. It felt like, ‘oh I can now see what they’re trying to say’, but the writer was coming from a background of already knowing what they were writing about. For someone new, or coming from CCNA, I think they could struggle reading some of this.

On the positive, I think the layout of the chapter is generally okay. It initially goes through each version/type of Spanning-Tree along with modes and distinguishing features between them. The second half of the chapter is dedicated to STP enhancements.

If you want a really good how-to with examples, see How to Master CCNP Switch. I think it does this well. I feel the goal of the book is not to throw a whole lot of theory at you, but give you just enough theory that you actually understand each feature through examples. If I manage to get through the foundation learning guide with enough time before my exam, I may read all of the gns3vault book.

Having just finished this chapter, it feels like it was written by multiple people, where there were some things said at one point, that had some disconnection to something else at another point. As in, you could be reading about feature X on one page, and something related to feature X was said on another page later on, but there was no connection made between the two things, or re-affirming the earlier point. An example being Cisco PortFast, and RSTP Edge port. Both are very similar but still

In terms of the CCNP exam, probably need to know:
– Core basics of STP
– Enough to understand PVST+ and configure it
– Possibly some RSTP/MST
– Spanning-Tree Enhancements

Covers:
– Background of STP
– Spanning-tree basics
– RSTP (+ Port states, Roles etc.)
– Basics of PVRST+ along with configuration
– MST (Basics + MST Regions, and Configuration)
– Spanning Tree Enhancements (BPDU Guard/Filter, Root Guard, Loop Guard)
– UDLD, Flex Links
– Recommended STP practices

STP

INSERT IMAGE HERE

CST – Common Spanning Tree
– 1 STP instance, regardless of no. of VLANs
– Low Resources needed.
– Slow to converge
– Sub-optimal traffic flow can occur if more than one VLAN due to all traffic being required to take the same path.

Per VLAN Spanning-tree Plus
– Enhancement of STP with multiple instances, 1 for each VLAN.
– Includes several enhancements such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard
– Higher Resources needed.
– Each VLAN has a root bridge, allowing for optimisation of traffic flows for each VLAN.

Rapid STP – 802.1W
– Evolution of STP allowing for fast convergence.
– Medium Resources
– Still only single STP instance.

Multiple Spanning-Tree
– Maps multiple VLANs that have the same traffic flow requirements into the same STP instance.
– Cisco implementation provides up to 16 instances of RSTP and combines many VLANs with the same physical and logical topology into a common RSTP instance.

Per VLAN Rapid Spanning Tree Plus
– Cisco enhanced version of RSTP similar to PVST+
– Provides a separate instance of 802.1W per VLAN
– Fast
– Resources needed = very high.

PVST+ is Cisco default.

STP Operation

STP initially converges on a logically loop free topology by performing these steps:

1. Elects one Root Bridge
– All active ports are Designated Forwarding
– These ports send/recv traffic and configuration messages (BPDUs)
– The switch with the lowest bridge ID (priority, then MAC address) becomes the Root Bridge.

2. Selects the Root port on all Non-Root Switches
– Each switch in the spanning tree has a port it uses to reach the root bridge. This is known as the root port and is the port used to send/receive traffic to/through other switches.
– Root port is the lowest cost path from the non-root bridge to the root bridge.
– If non-root bridge has two or more equal cost paths to the root bridge, it selects the port that has the lowest port ID.
– Port-ID consists of a configurable priority + port number.

3. Selects the Designated port on each segment.
– On each segment, STP establishes one designated port on the bridge that has the lowest path cost to the root bridge.
– All ports that are up on the root bridge are Designated Forwarding.
– The Switch primarily chooses a designated port as the least-cost path to the root bridge. In the event of a tie, the bridge ID acts as the tiebreaker.

What the heck does that mean? The below image should explain it.

[Image: STP example topology showing the root bridge, root ports, designated ports and the blocked port]

Looking at the example, each switch has a port it uses to reach the root bridge, known as the root port. It is possible for the switch to have other ports still forwarding to other switches without any loops being caused. For example, the link between B and D. B’s down link is Designated Forwarding, while the port on D is the Root Port. As we have a loop between B and C, C loses the tie breaker and marks the port as nondesignated/blocked.

STP Port States

Blocking
– NonDesignated port and does not participate in frame forwarding.
– Port receives BPDUs to determine the location and rootID of the root switch and which port roles (root, designated, or nondesignated) each switch port should assume in the final active STP topology.
– Default time in this state is 20 seconds (Max Age)

Listening
– STP has established that the port can participate in the STP topology.
– In this state, port is both receiving and sending BPDUs to neighbors.
– Default time in this state is 15 seconds (Forward Delay).

Learning
– Port prepares to participate in frame forwarding and begins to populate the CAM table.
– Default time in this state is 15 seconds (Forward Delay).

Forwarding
– Port is actively forwarding traffic with other switches in topology.
– Port sends/receives BPDUs.

Disabled
– Does not participate in STP nor forward frames.

So how does the switch determine which port should be the Root Port?
– Through a cost value associated with the port.
– Switch port cost is based on link speed.

The cost to the root bridge is calculated using the cumulative costs of all links between the local switch and the root bridge and becomes the path cost.

Default port cost values:
10 Gbit – Cost 1
1 Gbit – Cost 4
100 Mbit – Cost 19

What happens when you have two paths with the same cumulative cost?

The tie breaker is the Port ID. The Port ID is a combination of a default priority value and the port number. The default priority is 128, so port 1’s Port ID is 128.1.

Lowest PortID wins.

RSTP – Rapid Spanning Tree Protocol 802.1W

Enhancements over STP:
– A lot faster at converging
– Introduces several new port roles (Alternate and Backup)
– Simplified port states (Discarding, Learning, Forwarding)
– Backwards compatible with STP

RSTP Port States

Discarding
– Represents STP’s Disabled, Blocking, Listening states
– State is seen in both a stable active topology and during topology synchronisation and changes.
– Discarding state prevents the forwarding of traffic therefore no network loop.

Learning
– Seen in both stable active topology and topology synchronisation and changes.
– Accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.

Forwarding
– Only seen in stable active topologies.
– Self explanatory (data is forwarding).

RSTP Port Roles

Root
– Switch port on every non-root switch that is chosen as the path to the root bridge.
– Only 1 root port can be on each switch.
– See STP operation above. Same as STP.

Designated
– See STP operation above. Same as STP.

Alternate
– Switch port that offers an alternative path toward the root bridge.
– Assumes a discarding state in a stable environment.
– Present on nondesignated switches and makes a transition to designated port if the current designated path fails. See below image for what this looks like.

Backup
– If two switches have two redundant links, one link will be Designated (with Root Port at the other end), and the other link as Designated (with Backup at the other end). See below image.
– A backup port has a higher port ID than the designated port on the designated switch.
– The backup port assumes the discarding state in a stable environment.

Rapid Transitioning to Forwarding

RSTP introduces two new variables called Link type (Probably not important to know for the exam), and Edge port.

Link Type
– Provides categorisation for each port participating in RSTP.
– Derived from port duplex mode. Full duplex is considered to be a point-to-point link, whereas half duplex is probably on a shared medium.
– I’m not sure how much this still plays a part in networks today…

One more thing to be aware of: of Root, Alternate, Blocking and Designated, only Designated ports really make use of the link type parameter.

Edge Ports
– Port configured on the switch to be connected to a host.
– Equivalent to the Cisco PortFast feature
– Allows the port to transition directly to forwarding, skipping the listening and learning stages.
– Doesn’t generate a Topology Change Notification (TCN) when its link transitions to up.
– If an edge port receives a BPDU, it immediately loses its edge port status and becomes a normal STP port. This is different behaviour to Cisco PortFast. <— This is from the book. I have yet to find out how Edge Ports and PortFast totally differ.

Bridge Identifier for PVRST+

Because PVST+ or PVRST+ requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID info.

Bridge ID in this case, is made up of:

Bridge Priority: default is 32768. This is only a 4-bit field, so the value increments by 4096.
Extended system ID: 12 bit field carrying in this case, the VID
MAC Address: 6 byte field with MAC address of single switch.

If no priority has been configured, every switch will have the same default priority, and the election of the root for each VLAN is based on the MAC address. Because this can result in a random switch becoming the root bridge, it is advisable to lower the bridge priority on the switch that should be the root bridge in your network.
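As an added example (not from the book or these notes), here are the election and port-role steps from “STP Operation” above as runnable Python, using the PVRST+ bridge ID layout just described. The topology, MAC addresses and priorities are constructed; the tie-break order beyond the port ID (lowest sender bridge ID first) follows standard STP and is assumed here.

```python
from collections import namedtuple
import heapq

PORT_COST = {10_000: 1, 1_000: 4, 100: 19}   # link speed (Mbit/s) -> default port cost
PORT_PRIORITY = 128                           # default; port ID = priority.number, e.g. 128.1
Switch = namedtuple("Switch", "name mac priority", defaults=[32768])   # 32768 = default priority
Link = namedtuple("Link", "a a_port b b_port speed")                   # speed in Mbit/s

def bridge_id(priority, vlan, mac):
    """64-bit PVRST+ bridge ID: 4-bit priority + 12-bit extended system ID (VLAN) + MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 (0..61440)")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return ((priority + vlan) << 48) | mac_int

def port_id(number, priority=PORT_PRIORITY):
    """Port ID compared as (priority, number); the lowest wins a tie."""
    return (priority, number)

def link_end(link, name):
    """(my port, neighbour, neighbour's port) for the end of 'link' on switch 'name'."""
    if link.a == name:
        return link.a_port, link.b, link.b_port
    return link.b_port, link.a, link.a_port

def elect_root(switches, vlan):
    """Step 1: the switch with the lowest bridge ID for this VLAN becomes the root."""
    return min(switches, key=lambda s: bridge_id(s.priority, vlan, s.mac)).name

def root_path_costs(switches, links, root):
    """Cumulative cost from every switch to the root (Dijkstra over port costs)."""
    cost = {s.name: float("inf") for s in switches}
    cost[root], todo = 0, [(0, root)]
    while todo:
        c, here = heapq.heappop(todo)
        if c > cost[here]:
            continue
        for link in links:
            if here in (link.a, link.b):
                _, nbr, _ = link_end(link, here)
                nc = c + PORT_COST[link.speed]
                if nc < cost[nbr]:
                    cost[nbr] = nc
                    heapq.heappush(todo, (nc, nbr))
    return cost

def port_roles(switches, links, vlan):
    """Return (root switch, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    bid = {s.name: bridge_id(s.priority, vlan, s.mac) for s in switches}
    root = elect_root(switches, vlan)
    cost = root_path_costs(switches, links, root)
    roles = {}
    # Step 2: root port = lowest path cost; a tie goes to the lowest sender bridge ID,
    # then the lowest port ID (the notes above mention only the port ID tie-break).
    for s in switches:
        if s.name == root:
            continue
        best, best_port = None, None
        for link in links:
            if s.name in (link.a, link.b):
                my_port, nbr, _ = link_end(link, s.name)
                cand = (cost[nbr] + PORT_COST[link.speed], bid[nbr], port_id(my_port))
                if best is None or cand < best:
                    best, best_port = cand, my_port
        roles[(s.name, best_port)] = "root"
    # Step 3: on each segment the end with the lowest (cost, bridge ID, port ID) is
    # designated; the far end is that switch's root port or, failing that, blocked.
    for link in links:
        a_end, b_end = (link.a, link.a_port), (link.b, link.b_port)
        a_key = (cost[link.a], bid[link.a], port_id(link.a_port))
        b_key = (cost[link.b], bid[link.b], port_id(link.b_port))
        desig, other = (a_end, b_end) if a_key < b_key else (b_end, a_end)
        roles[desig] = "designated"
        roles.setdefault(other, "blocked")
    return root, roles

# Constructed topology: A has its priority lowered to be the root, B and C form a
# loop with A, and D hangs off both B and C over 100 Mbit links (an equal-cost tie).
SWITCHES = [Switch("A", "0200.0000.000a", 4096), Switch("B", "0200.0000.000b"),
            Switch("C", "0200.0000.000c"), Switch("D", "0200.0000.000d")]
LINKS = [Link("A", 1, "B", 1, 1_000), Link("A", 2, "C", 1, 1_000), Link("B", 2, "C", 2, 1_000),
         Link("B", 3, "D", 1, 100), Link("C", 3, "D", 2, 100)]

if __name__ == "__main__":
    root, roles = port_roles(SWITCHES, LINKS, vlan=10)
    print("root bridge for VLAN 10:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

Lowering D’s priority to 0 in the constructed list makes D the root instead, which is the effect the paragraph above describes.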

MST – Multiple Spanning Tree

– Purpose is to reduce the total number of STP instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.

– MST enables you to build multiple spanning trees over trunks by grouping VLANs and associating them with STP instances. Each instance can have a topology independent of other spanning-tree instances. This architecture provides multiple active forwarding paths for data traffic and enables load balancing.

MST Regions

The main enhancement introduced by MST is the ability to map several VLANs to a single spanning-tree instance. The problem with this, though, is how do you know which VLAN should be associated with which instance.

Each switch that runs MST in the network has a single MST config that consists of:
– Alphanumeric config name
– Config rev. no.
– 4096-element table that associates each of the potential 4096 VLANs supported on the switch with a given instance.

Extended System ID for MST
– Consists of Bridge priority + Extended System ID + MAC Address.
In the case of MST, the Extended Sys ID is the MST Instance Number.

Configuring MST

S1(config)#spanning-tree mst configuration
S1(config-mst)#show current – Display the current configuration before making changes
S1(config-mst)#name ____
S1(config-mst)#revision ___
S1(config-mst)#instance ___ vlan ___
S1(config-mst)#show pending – MST config to be applied
S1(config-mst)#end – Applies the config
S1(config)#spanning-tree mst instance-no root primary|secondary
S1(config)#spanning-tree extend system-id – Enables MAC addr reduction
S1(config-if)#spanning-tree mst pre-standard – Interface cmd required IF neighbor is using a prestandard version of MST.

Spanning Tree Enhancements

BPDU Guard
– Prevents accidental connection of an STP switch to a PortFast enabled port.

BPDU Guard puts an interface configured for STP PortFast in the err-disabled state upon receipt of a BPDU. The switch disables the interface[s] as a preventive step to avoid potential bridging loops.

Once a port has been put in the err-disabled state, the switch requires manual intervention by ‘no shut’ing the port. Alternatively, BPDU Guard can be configured so that after a set interval the port will be ‘no shut’, but it will again shut down for a specified amount of time if it receives another BPDU.

To enable globally: “spanning-tree portfast edge bpduguard default”
Alternatively under each desired port: “spanning-tree bpduguard enable”
To verify: “show spanning-tree summary totals”

BPDU Filter
– Restricts the switch from sending BPDUs out access ports.

When enabled globally, BPDU filtering has the following effect:
– Affects all operational PortFast ports that do not have BPDU filtering configured on the individual ports (well no duh!)
– If BPDUs are seen, the port loses its PortFast state, BPDU filtering is disabled, and STP begins to send/receive BPDUs on that port.
– On switch/port start up, the port transmits 10 BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.

When enabled on an individual port:
– Ignores all BPDUs received.
– Sends no BPDUs.

If you enable BPDU Guard on the same interface as BPDU Filtering, BPDU Guard has no effect because BPDU filtering takes precedence over BPDU Guard.

To enable globally: “spanning-tree portfast bpdufilter default”
To enable PortFast BPDU filtering on a specific port: “spanning-tree bpdufilter enable”
Verify config: “show spanning-tree summary”

Root Guard
– Prevents switches connected on ports configured as access ports from becoming the root switch.

– Root Guard provides a way to enforce the root bridge placement in the network.

– If the bridge receives superior STP BPDUs on a Root Guard-enabled port, the port moves to a root-inconsistent STP state (effectively equal to a listening state), and the switch does not forward traffic out of that port. Because of this, the feature effectively enforces the position of the root bridge.

Best practice is to enable Root Guard on all access ports so that a root bridge is not established through these ports.

If a superior BPDU is received on a Root Guard port, the port goes into the root-inconsistent state (effectively the same as the listening state). At this point, a log message will appear in the buffer. The port will stay in this state as long as superior BPDUs are being received. Once superior BPDUs are no longer received, the port will transition to the forwarding state. Recovery is automatic, and no user intervention is required.

To enable on an interface: spanning-tree guard root
Verify: show spanning-tree inconsistentports

Preventing Forwarding Loops and Black Holes

Loop Guard

Loop Guard provides additional layer 2 protection against forwarding loops.

Loop Guard places a port in the STP loop-inconsistent state when it stops receiving BPDUs, and the port recovers when BPDUs are again received.

This is to stop the port transitioning to the listening/learning/forwarding state after the MaxAge timer has expired when that port should in fact be receiving BPDUs. Why could this happen? If there’s an issue with the physical link (e.g. Unidirectional link failure) between the two switches for whatever reason, the switch with a port currently blocking may still be able to send traffic. So when this link comes up, in at least 1 direction we have a loop in the network.

A port in the STP loop-inconsistent state does not pass data traffic, hence a bridging loop does not occur. The loop-inconsistent state is effectively equal to the blocking state.

Loop Guard is configured on a per port basis, although the feature blocks inconsistent ports on a per-VLAN basis.

Enable Loop Guard on all non-designated ports (e.g. Root Port, Alternate Port).

To enable on an interface: spanning-tree guard loop
Globally: spanning-tree loopguard default
Verify: show spanning-tree interface __ detail

UDLD

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. This can cause spanning-tree loops.

UDLD enables a device to shutdown a link when a unidirectional link is detected.

UDLD is most useful on fibre links, but can also be configured on ethernet.

With UDLD enabled, the switch periodically sends UDLD protocol packets to its neighbor and expects the packets to be echoed back before a predetermined timer expires. The default interval is 15 seconds.

A UDLD-enabled switch sends UDLD protocol packets with its own device ID and port ID to the neighboring device. The link’s UDLD status is determined (bidirectional) if the switch sees its own information echoed back in the packet sent by the neighbor. If the device does not see itself in the neighboring device’s UDLD protocol packets, the link is determined to be unidirectional.

To enable UDLD globally: udld enable [aggressive]
To enable on an interface: udld enable [aggressive]

In normal mode: UDLD marks this port as “Undetermined”, but does NOT shut down or disable the port, which continues to operate under its current STP status. This mode of operation is informational and potentially less disruptive (though it does not prevent STP loops).

In aggressive mode: When a port stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After 8 failed attempts, the port state changes to err-disable state, which effectively disables the port. To get out of this state, the port needs to be shut, then no shut. Alternatively also enable “errdisable recovery” to auto recover from such issues.

Comparison between Aggressive Mode UDLD and Loop Guard

While these two features overlap in what they offer, they differ in their approach to the problem and in functionality. Both complement each other, and it can be advisable to enable both features at the same time.

Loop Guard focuses on problems around BPDUs being received, and the STP daemon. UDLD focuses from the perspective of miswiring or other cabling issues.

In the case of EtherChannel, if BPDUs are not being received, the whole aggregator will shutdown with LoopGuard. Meanwhile, if the problem is physical in terms of one of the links in the EtherChannel, Aggressive UDLD can detect this issue and only shut down the affected cable.
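Added example, not from the book or these notes, from the monitoring side of the four features above: a small parser that reads the syslog messages BPDU Guard, Root Guard, Loop Guard and UDLD emit and separates ports that recover on their own from ports left err-disabled. The log lines are constructed in IOS syslog style, and the message mnemonics and wording are assumptions that may differ between IOS versions and platforms.

```python
import re

# Constructed log excerpt in the IOS syslog style.  The mnemonics and wording are
# assumed from the features' documented behaviour and may differ by platform/version.
SAMPLE_LOG = """\
Mar  1 10:15:02.112: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/6 with BPDU Guard enabled. Disabling port.
Mar  1 10:15:02.115: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/6, putting Fa0/6 in err-disable state
Mar  1 10:16:40.901: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/12 on VLAN0010.
Mar  1 10:17:05.330: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0020.
Mar  1 10:18:12.004: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi0/2, unidirectional link detected
Mar  1 10:19:00.000: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/12 on VLAN0010.
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
PORT_RE = re.compile(r"\b((?:Fast|Gigabit|TenGigabit)?Ethernet\d+(?:/\d+)+|(?:Fa|Gi|Te)\d+(?:/\d+)+)\b")
VLAN_RE = re.compile(r"VLAN0*(\d+)")

# mnemonic -> (feature, how the port gets out of the state).  Root Guard and Loop
# Guard recover by themselves once the offending BPDUs stop/return; BPDU Guard and
# UDLD aggressive mode err-disable the port, which needs shut/no shut or errdisable recovery.
RULES = {
    "BLOCK_BPDUGUARD": ("bpdu-guard", "manual"),
    "UDLD_PORT_DISABLED": ("udld", "manual"),
    "ROOTGUARD_BLOCK": ("root-guard", "automatic"),
    "LOOPGUARD_BLOCK": ("loop-guard", "automatic"),
}
CLEARS = {"ROOTGUARD_UNBLOCK": "root-guard", "LOOPGUARD_UNBLOCK": "loop-guard"}
ERRDISABLE_CAUSES = {"bpduguard": "bpdu-guard", "udld": "udld"}   # cause text -> feature

def short_port(name):
    """Normalise long interface names to the short form (FastEthernet0/6 -> Fa0/6)."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa")):
        if name.startswith(long):
            return short + name[len(long):]
    return name

def parse_line(line):
    """(mnemonic, short port or None, VLAN or None, message text), or None if not syslog."""
    m = MSG_RE.search(line)
    if not m:
        return None
    p, v = PORT_RE.search(m["text"]), VLAN_RE.search(m["text"])
    return (m["mnemonic"], short_port(p.group(1)) if p else None,
            int(v.group(1)) if v else None, m["text"])

def triage(log_text):
    """{port: {feature[ vlan N]: 'manual' | 'automatic'}} for ports still blocked or
    err-disabled at the end of the log; unblock messages clear the matching entry."""
    issues = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] is None:
            continue
        mnemonic, port, vlan, text = parsed
        if mnemonic in RULES:
            feature, recovery = RULES[mnemonic]
        elif mnemonic == "ERR_DISABLE":            # %PM-4-ERR_DISABLE: <cause> error detected on ...
            cause = text.split(" error detected")[0]
            feature, recovery = ERRDISABLE_CAUSES.get(cause, cause), "manual"
        elif mnemonic in CLEARS:
            key = f"{CLEARS[mnemonic]} vlan {vlan}" if vlan is not None else CLEARS[mnemonic]
            issues.get(port, {}).pop(key, None)
            if port in issues and not issues[port]:
                del issues[port]
            continue
        else:
            continue
        key = f"{feature} vlan {vlan}" if vlan is not None else feature
        issues.setdefault(port, {})[key] = recovery
    return issues

def needs_manual_recovery(log_text):
    """Sorted list of ports that will stay down until an operator acts."""
    return sorted(port for port, found in triage(log_text).items()
                  if "manual" in found.values())

if __name__ == "__main__":
    for port, found in sorted(triage(SAMPLE_LOG).items()):
        print(port, found)
    print("needs manual recovery:", needs_manual_recovery(SAMPLE_LOG))
```

A BPDU Guard hit on an access port means something on that port is speaking spanning tree, which is worth a look before the port is simply re-enabled.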

Flex Links

– Simple alternative to STP.
– This enhancement enables a convergence time of less than 50 milliseconds.
– Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured on uplink ports.
– Only supported on Layer 2 ports and port channels, not on VLANs or on L3 ports.
– STP is disabled on Flex Link ports.

Config:
S1(config)#interface fa0/1
S1(config-if)#switchport backup interface fa0/2
S1(config-if)#end
S1#show interfaces switchport backup

Recommended Spanning Tree Practices

– Loop Guard is implemented on the L2 ports between distribution switches and on the uplink ports from the access switches to the distribution switches.

– Root Guard is configured on the distribution switch ports facing the access switches.

– UplinkFast is implemented on the uplink ports from the access switches to the distribution switches.

– BPDU Guard or Root Guard is configured on ports from the access switches to the end devices, as is PortFast.

– UDLD enables devices to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port. UDLD is often configured on ports linking switches.

– Depending on the security requirements of an organisation, the port security feature can be used to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.

Troubleshooting

Check the Port Status:

– Blocked ports: check to make sure the switch reports receiving BPDUs periodically on the root and blocked ports. To check BPDUs on ports:
– show spanning-tree vlan __ detail

– Duplex mismatch: check on both ends of the link
– show interface

– Port utilisation: an overloaded port may fail to transmit vital BPDUs and is also an indication of a possible bridging loop.
– show interface

– Frame corruption: unlikely issue, but check the input error fields using ‘show interface’.

Implementing Cisco Switched Networks Chapter 2 Review

This is my review and notes of Chapter 2 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 2

Chapter is a pretty good refresher for a lot of things around VLANs. Having not used Cisco switches for a while, the show commands are a pretty helpful reminder of some available commands other vendors may not have. The chapter also somewhat applies some of the models discussed in chapter 1 in terms of the VLAN implementation around PPDIOO.

Later the chapter covers Private VLANs and EtherChannel. Personally felt the Private VLAN explanation was too confusing and instead resorted to an explanation from How to Master CCNP Switch.

In terms of the CCNP exam, probably need to know:
– Understand VLAN configuration and show commands
– Correct trunking configuration
– Different modes of DTP. Possibly some VTP.
– Private VLANs
– EtherChannel

Covers:
– End to End VLAN, and Local VLAN models
– VLAN configuration and show commands
– Trunking – briefly ISL, which doesn’t matter, and 802.1Q
– DTP – Dynamic Trunking Protocol
– VTP – VLAN Trunking Protocol
– Private VLANs
– EtherChannel covering PAgp, LACP, and includes load balancing techniques.

VLAN Models

End to End VLAN
– Each VLAN spans the network geographically.
– Users are grouped into each VLAN regardless of physical location
– As users move throughout the campus, the VLAN membership of that user remains the same (probably through 802.1x)
– Users are typically associated with a given VLAN for network management reason hence why they are kept in the same VLAN.
→ Switches typically use VTP in server/client mode.

Local VLAN – Choice for Campus Enterprise Architecture.
– VLANs are configured for each floor or building
→ In other words, local VLANs are created with physical boundaries in mind rather than the job function of the user.
– Generally local VLANs exist between the access and distribution levels.
– Traffic is routed at Distribution and Core to reach other destinations on the network.
– Usual recommendation is a max of 3 VLANs per access layer switch.
→ VTP configured in transparent mode as no vlans should be advertised to other switches, nor need to be created on any other switches.

=> A network that consists entirely of local VLANs can benefit from the improved convergence times offered by routing protocols, instead of spanning tree for layer 2 networks.

Helpful VLAN configuration commands:

switchport host
– This is a macro for enabling spanning-tree PortFast and disabling EtherChannel on a per-port basis.

show vlan
show vlan br
show vlan id X
show vlan name X
– Pretty helpful generic vlan command

show run int fa0/0
– Display current config on a particular port

show interfaces
show int fa0/0 switchport
– Switchport characteristics
– Private VLAN and trunking info

show mac-address-table interface __ vlan __
– Displays MAC address table info for specified interface in specified vlan.
– Very helpful in determining if attached devices are sending packets to the correct VLAN.

DTP – Dynamic Trunking Protocol
– Cisco proprietary point-to-point protocol for switches to negotiate trunk links

Modes:
Access – Port is permanently configured for nontrunking.
Trunk – Port is permanently configured for trunking.
– Other End of link needs to be trunk/dynamic desirable, or dynamic auto.
Nonegotiate – Puts port in permanent trunking mode BUT port will not send out DTP frames.
– Other end of link needs to be either trunk or nonegotiate.
Dynamic Desirable – Interface actively attempts to convert the link to a trunk link.
– Trunk forms if neighbor interface is set to trunk/desirable, or auto
Dynamic Auto – Interface willing to convert the link to a trunk link.
– Trunk only forms if neighbor is set to desirable or trunk.

Trunking verification commands
show run int X
show int X switchport
show int X trunk

VTP – VLAN Trunking Protocol
– Cisco proprietary protocol that is used to synchronise and distribute VLAN databases throughout a switched network.
– Cisco switches transmit VTP info only on trunk links.
– VTP info is multicast.

VTP Modes and operation
Client
– Can’t create, change, or delete VLANs
– Forwards advertisements to other switches
– Synchronizes VLAN config with latest info received from other switches in management domain.
– Does not save VLAN config in NVRAM.

Server
– Creates, modifies, and deletes VLANs.
– Sends and forwards advertisements to other switches.
– Synchronizes VLAN config with latest info received from other switches in VTP domain
– Saves VLAN config in NVRAM.

Transparent
– Creates, deletes, and modifies VLANs only from and on the local switch
– Forwards VTP advertisements received from other switches in the same VTP domain.
– Saves VLAN config in NVRAM.

There’s a bit more to VTP such as importance of sequence number etc but this isn’t stuff I feel I personally need notes on.

VTP Pruning
– Probably one of the main advantages to using VTP.
– VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic over trunk links needlessly. By default, a trunk connection carries traffic for all VLANs in the VTP management domain.
– VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

VTP has 3 versions. Version 2 is most commonly used.

If all switches in a domain are capable of running VTP version 2, enable VTP version 2 on one VTP server. The VTP server propagates the version number to the other VTP version 2 capable switches in the VTP domain.

Private VLANs

I found the implementing switch chapter pretty confusing on this subject, and instead looked at How to Master CCNP Switch. From the brief look I’ve had at this book, I think it’s pretty good, and avoids a lot of the waffle that you find in the Cisco press books. If I had more time before my exam, I would have liked to read this book in more detail. Anywho on to private VLANs!

A private VLAN is simply a vlan that has limited communication with other ports on the switch, depending on configuration.

A private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port.

Secondary VLANs can always communicate with the promiscuous port but they can never communicate with other secondary VLANs.

Private VLANs can also be carried over 802.1Q trunk links. Configuration is basically the same on the other switch. You only need to add the vlans to the trunk link.

Private VLAN port types:

Isolated
Complete layer 2 separation from other ports within the same private VLAN, except promiscuous ports.

Promiscuous
– Can communicate with all ports within the private VLAN, including community and isolated ports.
– Only part of 1 primary VLAN, but each promiscuous port can map to more than one secondary private VLAN.
– Promiscuous ports are generally router ports, backup or shared servers, or VLAN interfaces.

Community
– Community ports communicate among themselves and with their promiscuous ports.
– Isolated at layer 2 from other interfaces in other communities, or in isolated ports within their private VLAN.

Private VLAN configuration

Using an example borrowed from René’s Mastering CCNP Switch book:

Firstly configure the switch to VTP mode transparent.

– Primary VLAN of 500
– Secondary Community VLAN is 501
– Secondary Isolated VLAN is 502

####### Configuring Primary VLAN and Secondary Community VLAN ########
S1(config)#vtp mode transparent
S1(config)#vlan 501
S1(config-vlan)#private-vlan community
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 501

##### Assigning private vlan, along with primary to switch ports ##########
S1(config)#interface range fa0/1 - 2
S1(config-if)#switchport mode private-vlan host
S1(config-if)#switchport private-vlan host-association 500 501

##### Configuring Promiscuous port #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 501

####### Configuring Isolated VLAN ########
S1(config)#vlan 502
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 502

##### Assigning private vlan, along with primary to switch ports ##########
S1(config)#interface range fa0/3 - 4
S1(config-if)#switchport mode private-vlan host
S1(config-if)#switchport private-vlan host-association 500 502

##### Configuring Promiscuous port #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 502

##### Verification #####
S1#show interfaces fa0/1 switchport
S1#show interfaces fa0/24 switchport
S1#show vlan private-vlan
S1#show vlan private-vlan type

Cisco Port Protect Feature
– Very simple version of private-vlans for lower end switches
– Traffic can only flow between a protected and unprotected port
– If two ports are port protected, they can not communicate with each other.

EtherChannel – PAgP and LACP

Apologies if this section lacks more detail. It’s not an area I personally need many notes on.

PAgP – Port Aggregation Protocol
– Cisco Proprietary
– Packets sent every 30 seconds. PAgP checks for config consistency and manages link additions and failures between two switches.

Modes

Auto
– Default
– Passive state in which the port responds to PAgP packets it receives but does not initiate PAgP negotiation.

Desirable
– Active negotiating state

On
– Forces interface to channel without PAgP
– Does not exchange PAgP packets.
– Other side also needs to be configured with ‘on’.

Non-silent
– If a switch is connected to a PAgP capable partner, add this keyword on when configuring auto or desirable. If you do not specify this, silent is assumed. Silent is for connections to file servers or wireshark (why??)

So if doing PAgP, make sure to also add ‘non-silent’

LACP – Link Aggregation Control Protocol
Basically identical to PAgP but IEEE open version.

Modes

Passive
– Default
– Passive negotiating state (responds to LACP packets, but doesn’t initiate EtherChannel).

Active
– Active negotiating state
– Will form EtherChannel with partner as Active or Passive

On
– Forces interface to channel without PAgP or LACP.

Additional Parameters

System priority – Each switch running LACP must have a system priority. This is automatic, but user can also manually configure. Switch uses MAC address and system priority to form the system ID.

Port priority – Same as above. Switch uses the port priority to decide which ports to put in standby mode when a hardware limitation prevents all compatible ports from aggregating.

Administrative key – As above, automatic but can be manually set. Defines the capability of a port to aggregate with other ports, e.g. physical port characteristics incl. speed/duplex etc.

EtherChannel Load Balancing Options

One thing people often get wrong when it comes to EtherChannel or aggregator links, is they think that because they have two 1gbit links in an aggregator, that they now have 2gbit of bandwidth for any of their traffic. This is only slightly true, as aggregators use a load balancing technique to ‘balance’ traffic over the two links. Depending on source/destination traffic that flows through the link, you may or may not maximise available bandwidth. See below on different balancing techniques.

Cisco offers:
src-mac
dst-mac
src-dst-mac
src-ip
src-dst-ip
src-port
dst-port
src-dst-port

Use “show etherchannel load-balance” to see what mode is in effect. ‘conf t > port-channel load-balance’ to change it.
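Added example, not from the book or these notes: a simplified model of the load-balance methods listed above run over constructed traffic, showing how a poor method choice pins everything to one member link. The XOR-and-modulo hash is a stand-in for the platform’s real hash, which the notes do not specify; the flows, MACs and addresses are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address

# Load-balance method -> header fields hashed, following the list in the notes above.
METHODS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}
Flow = namedtuple("Flow", "src_mac dst_mac src_ip dst_ip src_port dst_port")

def _as_int(value):
    """Turn a MAC (dotted or colon form), an IP address or a port number into an int."""
    if isinstance(value, int):
        return value
    try:
        return int(ip_address(value))
    except ValueError:                               # not an IP: treat as a hex MAC
        return int(value.replace(".", "").replace(":", "").replace("-", ""), 16)

def select_link(method, flow, members):
    """Member link (0..members-1) a frame of 'flow' is sent on under 'method'.
    Simplified model: XOR the selected fields and take the result modulo the member
    count.  The real platform hash differs, but shares the property that matters:
    every flow with the same hashed fields is pinned to the same single link."""
    h = 0
    for field in METHODS[method]:
        h ^= _as_int(getattr(flow, field))
    return h % members

def distribution(method, flows, members):
    """How many of 'flows' land on each member link under 'method'."""
    counts = {i: 0 for i in range(members)}
    for flow in flows:
        counts[select_link(method, flow, members)] += 1
    return counts

def usable_fraction(counts):
    """Fraction of the bundle's capacity this traffic mix can actually use:
    1.0 for an even spread, 1/members when one link carries everything."""
    total = sum(counts.values())
    return total / (max(counts.values()) * len(counts)) if total else 0.0

def report(flows, members=2):
    """{method: (per-link counts, usable fraction)} for every load-balance method."""
    out = {}
    for method in METHODS:
        counts = distribution(method, flows, members)
        out[method] = (counts, usable_fraction(counts))
    return out

# Constructed traffic: one router (a single MAC and IP) serving eight hosts on
# different ports, a common shape for a router- or server-facing EtherChannel.
ROUTER_MAC, ROUTER_IP = "0200.0000.0001", "10.0.0.1"
FLOWS = [Flow(ROUTER_MAC, f"0200.0000.00{0x10 + i:02x}", ROUTER_IP, f"10.0.0.{11 + i}",
              443, 49152 + i) for i in range(8)]

if __name__ == "__main__":
    for method, (counts, frac) in report(FLOWS).items():
        print(f"{method:13s} per-link flows {counts}  usable {frac:.0%} of the bundle")
```

With this traffic mix, src-mac and src-ip put all eight flows on one member because every frame shares the router’s address, while the dst-* and src-dst-* methods spread them across both.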