Implementing Cisco Switched Networks Chapter 4 Review

This is my review and notes of Chapter 4 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 4 – Implementing Inter-VLAN Routing

Sorry if this chapter is a bit short on notes. I don't find inter-VLAN routing a hard topic to grasp, so I don't need many notes.

I probably spoke too soon above. I found this chapter pretty boring when it got to how the CAM and TCAM work. I think it was just too detailed. Some may like it, and it will probably help them with their understanding, but for me it wasn't presented in a way that I found easy to stay concentrated on. The thing is, I think this is a pretty important concept to grasp. If you understand how a switch does its thing at each layer, it definitely helps with your troubleshooting of a device.

Woohoo! The chapter got a bit better at the end from page 230. It finally had some examples of how to troubleshoot switching issues around CEF. I'm still not convinced this chapter gave a fantastic explanation of CEF, but then again I'm a visual learner and would probably have benefited from a more graphical explanation.

In terms of the CCNP exam, probably need to know:
– Inter-VLAN routing using SVI.
– How to configure Routed Ports.
– Understand how a DHCP server works, and how to use DHCP Relay.
– Basic understanding of Cisco CEF and how to troubleshoot it.

– All of the above plus:
– Router on a stick
– Layer 3 EtherChannels
– Each different type of switching method (fast switching, process switching, CEF)

A switch is traditionally a Layer 2 device. At Layer 2 it creates VLANs and assigns each port to one of them. Each VLAN is its own broadcast domain, the hosts in it are Layer 3 devices, and the normal design rule is one IP subnet per VLAN.

This is all fine until devices need to communicate between, say, two VLANs. That is Inter-VLAN routing, and there are two methods of achieving it:

1. ROAST (Router on a Stick)
2. SVI (Switched Virtual Interface)

Router on a stick is where you configure a trunk port on your Layer 2 switch carrying the VLANs you want routed between. Connected to that port is a router capable of trunking, on which you configure one sub-interface per VLAN (each tagged with that VLAN via 'encapsulation dot1q <vlan>') with an IP address in that VLAN's subnet. Hosts on the switch then use the router's sub-interface address for their VLAN as their default gateway.

ROAST is the old way of doing it and I won’t go any further into it.

An SVI is a virtual Layer 3 interface that represents a VLAN on the switch and has an IP address in that VLAN's subnet. Your switch needs to be a multilayer (Layer 3) switch for routing between SVIs to function.

An SVI is created when a user types 'interface vlan X' in global config mode. The VLAN itself must also exist in the VLAN database, or the SVI stays down.

Different types of Layer 3 interfaces on a MLS (MultiLayer Switch)

– Routed Port: This is a purely layer 3 interface similar to a router port on an actual router.
– SVI: as above
– Bridge Virtual interface (BVI): An L3 virtual bridging interface

Routed Port
– A routed port is a physical port that acts like a port on a traditional router, with a Layer 3 address configured.
– Unlike an access port, a routed port is not associated with a particular VLAN.
– Has all Layer 2 switching functionality removed (except EtherChannel, which can also be built at Layer 3, see below).
– Used for point-to-point links, e.g. between distribution and core switches.
– To configure, issue the command "no switchport" under the interface, then give it an IP address.

When configuring SVIs:
Make sure to "no shut" the interface, and enable "ip routing" globally. Without "ip routing" the switch does not route between its SVIs at all (it behaves as a Layer 2 switch with a management address and an "ip default-gateway"). Advertising the VLAN subnets to other routers additionally needs a routing protocol or static routes; that part is optional.

SVI Autostate
– Basically refers to the need for at least one port in a VLAN to be up (and forwarding) before the Layer 3 SVI comes up. In other words, if all ports in a VLAN are shut down or unplugged, the SVI also goes down, so its subnet is withdrawn from routing rather than black-holed.
– "switchport autostate exclude" on a port removes that port from the calculation: its state neither keeps the SVI up nor brings it down. The usual reason is a port towards a monitoring or IDS appliance, so that this port alone cannot keep an SVI up after every real uplink in the VLAN has failed, which would black-hole traffic routed towards that VLAN. Think through the routing consequences before enabling it.

Configuring a Layer 3 EtherChannel
So this is something that was actually new to me. To configure a Layer 3 EtherChannel, you make the port-channel a routed port by removing the switchport functionality, and do the same on every member port before adding it to the channel group (member ports must match the port-channel, so they must be "no switchport" too).
To configure:
S1(config)#interface port-channel 1
S1(config-if)#no switchport
S1(config-if)#ip address xxxxx xxxxx
S1(config-if)#interface range xx-xx
S1(config-if-range)#no switchport
S1(config-if-range)#channel-group 1 mode __
(mode is "on" for a static channel, "active"/"passive" for LACP, or "desirable"/"auto" for PAgP)

Implementing DHCP in a Multilayer Switched Environment
– Know how DHCP works (DORA: Discover, Offer, Request, Acknowledge)

Basic DHCP server configuration on the switch (the commands from the chapter, with placeholders):
ip dhcp excluded-address ___ ___
ip dhcp pool XYZ
 network ___ ___
 option 150 ip ___
 lease 0 8 0
interface vlan 10
 ip address ___ ___

Important point: an IOS DHCP server picks the pool by matching the address of the interface the request arrived on (or the relay agent's giaddr, see below) against the pool's network statement, so the switch can only offer addresses from a range it has an IP address in, or that a relay is sending it requests from.

Configure DHCP Relay

Host——-—-Switch———DHCP Server

DHCP Relay is needed when your DHCP server does not reside in the same subnet as your hosts. In the diagram above, the host has no IP address yet and sits in a VLAN whose subnet the DHCP server is not part of. When the host boots it broadcasts a DHCP Discover. With DHCP Relay configured on the SVI for that VLAN, the switch picks the broadcast up, sets the relay-agent address (giaddr) in the packet to the SVI's own IP address, and forwards it as a unicast to the DHCP server. The server uses giaddr to choose the pool, sends its Offer back to the switch, which delivers it into the host's VLAN, and the two complete the rest of DORA the same way.
To configure, on the VLAN interface: "ip helper-address <address of DHCP server>"
Verify DHCP operation: 'show ip dhcp binding', and 'debug ip dhcp server packet'.
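The relay behaviour described above, as an added example (not code from the book or from Cisco): a minimal model of a client Discover, the relay stamping giaddr on the SVI, and the server choosing a pool from giaddr. The addresses (VLAN 10 as 10.1.10.0/24 with SVI 10.1.10.1, server 10.1.99.5), the client MAC and the pool are constructed; only the fixed BOOTP header from RFC 2131 is modelled, DHCP options are left out.

```python
"""Added example, not from the book: DHCP relay (giaddr) and pool selection.
Constructed values: VLAN 10 = 10.1.10.0/24 (SVI 10.1.10.1), server 10.1.99.5."""
import ipaddress
import struct
from dataclasses import dataclass, field

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags, ciaddr,
# yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), DHCP magic cookie
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
ZERO_IP = b"\x00" * 4
OP, HOPS, YIADDR, SIADDR, GIADDR = 0, 3, 8, 9, 10   # indices in the unpacked tuple


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: no addresses, giaddr 0.0.0.0."""
    return struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                       ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                       client_mac.ljust(16, b"\x00"), b"\x00" * 64,
                       b"\x00" * 128, MAGIC_COOKIE)


def relay(packet: bytes, svi_address: str) -> bytes:
    """What 'ip helper-address' does on the SVI that heard the broadcast: stamp
    giaddr with the SVI's own address (unless an upstream relay already did),
    increment hops, and hand the packet back to be unicast to the helper."""
    fields = list(struct.unpack(BOOTP_FMT, packet))
    if fields[GIADDR] == ZERO_IP:
        fields[GIADDR] = ipaddress.IPv4Address(svi_address).packed
    fields[HOPS] += 1
    return struct.pack(BOOTP_FMT, *fields)


@dataclass
class Pool:
    network: ipaddress.IPv4Network
    excluded: frozenset = frozenset()           # 'ip dhcp excluded-address'
    leased: set = field(default_factory=set)


class DhcpServer:
    def __init__(self, own_address: str, pools):
        self.own_address = ipaddress.IPv4Address(own_address)
        self.pools = list(pools)

    def select_pool(self, giaddr: ipaddress.IPv4Address):
        """Scope selection: by giaddr when the request was relayed, otherwise by
        the server's own interface address. Neither in a pool: nothing to offer."""
        key = giaddr if int(giaddr) else self.own_address
        return next((p for p in self.pools if key in p.network), None)

    def offer(self, packet: bytes):
        fields = list(struct.unpack(BOOTP_FMT, packet))
        pool = self.select_pool(ipaddress.IPv4Address(fields[GIADDR]))
        if pool is None:
            return None
        for host in pool.network.hosts():
            if host not in pool.excluded and host not in pool.leased:
                pool.leased.add(host)
                fields[OP] = 2                      # BOOTREPLY
                fields[YIADDR] = host.packed        # the offered address
                fields[SIADDR] = self.own_address.packed
                return struct.pack(BOOTP_FMT, *fields)
        return None                                 # pool exhausted


def reply_destination(offer: bytes) -> str:
    """With giaddr set the server answers the relay, which delivers the OFFER
    into the client's VLAN; without a relay it is a local broadcast."""
    giaddr = struct.unpack(BOOTP_FMT, offer)[GIADDR]
    return str(ipaddress.IPv4Address(giaddr)) if giaddr != ZERO_IP else "255.255.255.255"


def run_exchange():
    """Discover -> relay -> Offer for a host in VLAN 10. Returns the offered
    address and where the server sends its reply."""
    server = DhcpServer("10.1.99.5", [Pool(ipaddress.IPv4Network("10.1.10.0/24"),
                                           frozenset({ipaddress.IPv4Address("10.1.10.1")}))])
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    offer = server.offer(relay(discover, "10.1.10.1"))
    yiaddr = struct.unpack(BOOTP_FMT, offer)[YIADDR]
    return str(ipaddress.IPv4Address(yiaddr)), reply_destination(offer)


def unrelayed_attempt():
    """Same server, but the Discover arrives without a relay: giaddr stays zero,
    the server falls back to its own 10.1.99.5, and no pool covers that subnet."""
    server = DhcpServer("10.1.99.5", [Pool(ipaddress.IPv4Network("10.1.10.0/24"))])
    return server.offer(build_discover(1, bytes.fromhex("001122334455")))


if __name__ == "__main__":
    print(run_exchange(), unrelayed_attempt())
```

The second function is the failure mode behind the "important point" above: with no relay (or a relay whose giaddr matches no pool) the server has no scope to offer from and stays silent, which on a real network shows up as hosts stuck in Discover.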

CEF-Based Multilayer Switching
I might be a bit brief on this area, but it's an important concept to understand. This area looks at the path a packet takes through the switch, from the high-level routing protocols down to the forwarding hardware.

Explaining Layer 3 Switch Processing
A layer 3 switch performs 3 main functions:
– Packet switching
– Route processing
– Intelligent network services

CAM and TCAM Tables
Multilayer switches build routing, bridging, QoS, and ACL tables for centralized or distributed switching in hardware using high-speed memory tables. Switches perform lookups in these tables for result information, such as to determine whether a packet with a specific destination IP address is supposed to be dropped according to an ACL. These tables support high-performance lookups and search algorithms such that multilayer switches maintain line-rate performance.

CAM Table (Content Addressable Memory)

– The primary table used to make Layer 2 forwarding decisions.
– Table lookups are performed with efficient search algorithms.
– CAM is binary: each bit of a stored entry is 0 or 1 and must match the key exactly, so a lookup gives a plain hit or miss.
– The table is built by recording the source MAC address, VLAN and inbound port of all incoming frames.
– When a frame arrives with a destination MAC address that is in the CAM table, it is forwarded out only the port associated with that MAC address; an unknown destination is flooded to every other port in the VLAN.

A key is created to compare the frame to the table content:
– E.g. the destination MAC and VLAN ID of a frame constitute the key for a Layer 2 table lookup.
– The key is input into a hashing algorithm, which produces a pointer into the table as its output.
– The system uses the pointer to access a specific entry in the table, eliminating the need to search the entire table.

TCAM (Ternary Content Addressable Memory)
– Stores ACLs, QoS, and other information generally associated with Layer 3 and higher-layer processing.
– TCAM is ternary: each bit of an entry is 0, 1, or "don't care" (masked out), which is what lets one entry match a whole range of keys.
– Portion of memory designed for rapid, hardware-based table lookups of Layer 3 and 4 info.
– A single lookup provides all Layer 2 and Layer 3 forwarding info for a frame, including CAM and ACL info.
– The memory structure is broken into a series of patterns (values) and associated masks.
TCAM methods of matching entries in tables

Exact-match region
Where the whole key needs to match exactly (no masked bits), e.g. IP next-hop info (the MAC address).

Longest-match region
The book explanation was terrible. Basically this is the entry in hardware with the longest prefix that matches the lookup. Did that make sense? So with an IP prefix or IP multicast prefix, you might be looking up the route for a host and have two routes in hardware that both cover it, one with a short prefix and one with a longer, more specific prefix. The longest match in this case is the latter, the more specific route.

First-match region
Lookup stops after the first entry that matches, e.g. ACL entries (so order matters).
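The three regions above, as an added example (not from the book or Cisco): a software model of value/mask entries where a masked-out bit is the ternary "don't care", with one lookup function per region. The MAC addresses, prefixes, next hops and ACL lines are constructed, and the ACL pair shows why order matters in the first-match region.

```python
"""Added example, not from the book: ternary matching and the three TCAM regions.
Entries, keys and result strings are constructed."""
import ipaddress


class TcamEntry:
    """value/mask pair over a key of `width` bits. A mask bit of 1 means the key
    bit must equal the value bit; a mask bit of 0 is the ternary "don't care"."""
    def __init__(self, value: int, mask: int, result, width: int = 32):
        self.value, self.mask, self.result, self.width = value & mask, mask, result, width

    def matches(self, key: int) -> bool:
        return key & self.mask == self.value

    def significant_bits(self) -> int:
        return bin(self.mask).count("1")


def ip_key(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mac_key(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def prefix_entry(cidr: str, result) -> TcamEntry:
    net = ipaddress.IPv4Network(cidr)
    return TcamEntry(int(net.network_address), int(net.netmask), result)


def exact_match(region, key: int):
    """Exact-match region: only fully specified entries (no don't-care bits)
    count, e.g. a Layer 2 address lookup."""
    full = lambda e: e.mask == (1 << e.width) - 1
    return next((e.result for e in region if full(e) and e.matches(key)), None)


def longest_match(region, key: int):
    """Longest-match region (IP routing): of all matching entries the one with
    the most significant bits (longest prefix) wins, whatever its position.
    Hardware gets the same answer by ordering entries by mask length."""
    hits = [e for e in region if e.matches(key)]
    return max(hits, key=TcamEntry.significant_bits).result if hits else None


def first_match(region, key: int):
    """First-match region (ACLs): entries are consulted in configured order and
    the lookup stops at the first hit, so a broad early entry shadows a more
    specific later one. No hit falls through to the implicit deny."""
    return next((e.result for e in region if e.matches(key)), "deny (implicit)")


# --- constructed tables -------------------------------------------------------
L2_TABLE = [TcamEntry(mac_key("0000.0c9f.f001"), (1 << 48) - 1, "Gi1/0/1", width=48),
            TcamEntry(mac_key("0000.0c9f.f002"), (1 << 48) - 1, "Gi1/0/2", width=48)]

FIB = [prefix_entry("0.0.0.0/0", "via 10.0.0.1"),
       prefix_entry("10.0.0.0/8", "via 10.0.0.2"),
       prefix_entry("10.1.1.0/24", "via 10.1.1.254")]

# Same two ACL lines in two orders: the broad deny first shadows the specific permit.
ACL_SHADOWED = [prefix_entry("10.0.0.0/8", "deny"), prefix_entry("10.1.1.0/24", "permit")]
ACL_ORDERED = [prefix_entry("10.1.1.0/24", "permit"), prefix_entry("10.0.0.0/8", "deny")]


def demo() -> dict:
    return {
        "l2": exact_match(L2_TABLE, mac_key("0000.0c9f.f002")),
        "route": longest_match(FIB, ip_key("10.1.1.7")),
        "route_default": longest_match(FIB, ip_key("192.0.2.1")),
        "acl_shadowed": first_match(ACL_SHADOWED, ip_key("10.1.1.7")),
        "acl_ordered": first_match(ACL_ORDERED, ip_key("10.1.1.7")),
        "acl_no_hit": first_match(ACL_ORDERED, ip_key("172.16.0.1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same destination, 10.1.1.7, gets the most specific route from the longest-match region but is denied by the shadowed ACL even though a matching permit exists further down: the region's lookup rule, not the entry's specificity, decides.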

Cisco Switching Methods

Process Switching
– The router strips off the Layer 2 header of each incoming frame, looks up the Layer 3 destination network address in the routing table for each packet, and then sends the packet with a rewritten Layer 2 header, including CRC, out the outgoing interface.
– Done in software (CPU), not hardware (ASIC).
– Most CPU-intensive method.
Fast Switching
– Does the same as process switching for the first packet to a destination, then installs that result in the fast switching cache (route cache).
– Subsequent packets are matched in the cache, rewritten with the corresponding link-layer address and sent out the outgoing interface without going back to the CPU's routing table.

CEF (Cisco Express Forwarding)
– Default switching method.
– Less CPU-intensive than the other methods above.
– The router builds the Forwarding Information Base (FIB) and the adjacency table from tables built by the CPU, such as the routing and ARP tables, ahead of any traffic rather than on the first packet.
– These tables are then used to make hardware-based forwarding decisions.

At this point in the chapter I felt it had a lot of WAFFLE and could have explained it all a lot easier by using an example.

See the following image.

This shows the top down approach of what happens from the high layer routing protocol, in this case BGP, to the low level in hardware/ASIC.

Quick explanation from Cisco:

The Forwarding Information Base (FIB) table – CEF uses a FIB to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table.
When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.
Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.

Adjacency table – Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

Not all packets can be processed in hardware, e.g. tunnel interface traffic, NAT.
– A glean adjacency is in the CEF adjacency table when multiple hosts are directly connected to the MLS through a single port or interface. Lol what? There's more on glean adjacencies in the book, but I doubt there will be anything on this in the exam.
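The FIB, adjacency table and glean adjacency from the Cisco explanation above, as an added example (not from the book or Cisco code): the FIB is derived one-to-one from a routing table with recursive next hops resolved up front, the adjacency table holds the Layer 2 rewrite, and a destination whose Layer 2 address is not yet known gets a glean adjacency and is punted to the CPU until ARP completes. The interfaces, routes, MACs and hosts are constructed.

```python
"""Added example, not from the book: FIB and adjacency table derived from the RIB
and ARP table, with recursive next-hop resolution and glean adjacencies.
All interfaces, routes and MAC addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Adjacency:
    interface: str
    src_mac: str
    dst_mac: Optional[str]     # None = glean: next hop known at L3, no L2 rewrite yet


@dataclass(frozen=True)
class FibEntry:
    next_hop: Optional[ipaddress.IPv4Address]   # None = destination is directly attached
    interface: str


class Cef:
    def __init__(self, interfaces, rib, arp):
        # interfaces: name -> (address/prefix, mac); rib: (prefix, next_hop|None, iface)
        self.interfaces = {n: (ipaddress.ip_interface(a), m) for n, (a, m) in interfaces.items()}
        self.arp = {ipaddress.ip_address(k): v for k, v in arp.items()}
        self.rib = {ipaddress.ip_network(p): (ipaddress.ip_address(nh) if nh else None, i)
                    for p, nh, i in rib}
        self.fib = {p: self._resolve(p) for p in self.rib}   # one FIB entry per RIB entry
        self.adjacency = {}                                    # (iface, ip) -> Adjacency

    def _lpm(self, addr):
        hits = [p for p in self.rib if addr in p]
        return max(hits, key=lambda p: p.prefixlen) if hits else None

    def _resolve(self, prefix) -> Optional[FibEntry]:
        """Recursive resolution: follow next hops until one lies on a connected
        prefix (e.g. a BGP next hop reachable only through an IGP/static route)."""
        next_hop, iface = self.rib[prefix]
        seen = set()
        while next_hop is not None:
            via = self._lpm(next_hop)
            if via is None or next_hop in seen:
                return None                          # unresolvable or looping
            seen.add(next_hop)
            deeper, iface = self.rib[via]
            if deeper is None:
                break                                # next_hop is directly connected
            next_hop = deeper
        return FibEntry(next_hop, iface)

    def _adjacency(self, iface, ip) -> Adjacency:
        key = (iface, ip)
        if key not in self.adjacency:
            self.adjacency[key] = Adjacency(iface, self.interfaces[iface][1], self.arp.get(ip))
        return self.adjacency[key]

    def forward(self, dst: str):
        """Hardware path: FIB lookup, then adjacency rewrite. Returns ('hw', rewrite)
        or ('punt' | 'drop', reason) when the ASIC cannot finish the job itself."""
        addr = ipaddress.ip_address(dst)
        prefix = self._lpm(addr)
        if prefix is None:
            return "drop", "no route"
        entry = self.fib[prefix]
        if entry is None:
            return "drop", "next hop not resolvable"
        target = entry.next_hop if entry.next_hop is not None else addr
        adj = self._adjacency(entry.interface, target)
        if adj.dst_mac is None:
            return "punt", f"glean: ARP needed for {target} on {entry.interface}"
        return "hw", {"out": entry.interface, "dst_mac": adj.dst_mac, "src_mac": adj.src_mac}

    def arp_learned(self, ip: str, mac: str):
        """When the CPU's ARP completes, the glean entry is replaced by a full one."""
        key = ipaddress.ip_address(ip)
        self.arp[key] = mac
        self.adjacency = {k: v for k, v in self.adjacency.items() if k[1] != key}


def build_switch() -> Cef:
    return Cef(
        interfaces={"Gi1/1": ("10.1.10.1/24", "0000.0c00.0001"),
                    "Gi1/2": ("10.0.0.1/30", "0000.0c00.0002")},
        rib=[("10.1.10.0/24", None, "Gi1/1"),             # connected
             ("10.0.0.0/30", None, "Gi1/2"),              # connected
             ("192.0.2.0/24", "10.0.0.2", "Gi1/2"),       # static
             ("203.0.113.0/24", "192.0.2.9", "")],        # BGP: recursive next hop
        arp={"10.0.0.2": "0000.5e00.0002", "10.1.10.20": "0000.5e00.0020"})


if __name__ == "__main__":
    sw = build_switch()
    for dst in ("203.0.113.7", "10.1.10.20", "10.1.10.30", "198.51.100.1"):
        print(dst, sw.forward(dst))
```

The BGP prefix is the interesting one: its next hop 192.0.2.9 is not on a connected subnet, so the FIB entry is resolved through the static route to the directly connected 10.0.0.2 before any packet arrives, which is what removes the first-packet penalty of fast switching. The host 10.1.10.30 shows the glean case, resolved as soon as the CPU has ARPed for it.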

Okay, I gave up all hope on this chapter too early. Page 230 has a sample of CEF operation…Could be worth looking at if CEF isn’t making that much sense. Sorry I haven’t got more on it. I’d suggest doing a google on CEF operation for more info.

CEF-Based MLS Verification

show interface ___
Provides stats for hardware-switched Layer 3 packets

show ip cef [___]
Verifies the FIB

show adjacency [___]
Verifies the adjacency table

show cef drop
Packets being dropped by hardware (CEF)

Implementing Cisco Switched Networks Chapter 3 Review

This is my review and notes of Chapter 3 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 3

I found this chapter a hard read. The different versions of spanning-tree along with enhancements can be a hard area to stomach. For me, the problem is that the different versions along with enhancements, are similar enough that I find it hard to distinguish the differences between each protocol, along with what each of the different “Port Guards” and “Port Filters” do. This is no fault of the book, but something I felt I needed to say anyway.

I think this chapter also could have been written better. There were a few paragraphs I quite plainly did not understand, until I looked at a different source for an explanation and then reread the text book. It felt like, ‘oh I can now see what they’re trying to say’, but the writer was coming from a background of already knowing what they were writing about. For someone new, or coming from CCNA, I think they could struggle reading some of this.

On the positive side, I think the layout of the chapter is generally okay. It initially goes through each version/type of Spanning-Tree along with modes and distinguishing features between them. The second half of the chapter is dedicated to STP enhancements.

If you want a really good how-to with examples, see How to Master CCNP Switch. I think it does this well. I feel the goal of the book is not to throw a whole lot of theory at you, but give you just enough theory that you actually understand each feature through examples. If I manage to get through the foundation learning guide with enough time before my exam, I may read all of the gns3vault book.

Having just finished this chapter, it feels like it was written by multiple people, where there were some things said at one point, that had some disconnection to something else at another point. As in, you could be reading about feature X on one page, and something related to feature X was said on another page later on, but there was no connection made between the two things, or re-affirming the earlier point. An example being Cisco PortFast, and RSTP Edge port. Both are very similar but still

In terms of the CCNP exam, probably need to know:
– Core basics of STP
– Enough to understand PVST+ and configure it
– Possibly some RSTP/MST
– Spanning-Tree Enhancements

– Background of STP
– Spanning-tree basics
– RSTP (+ Port states, Roles etc.)
– Basics of PVRST+ along with configuration
– MST (Basics + MST Regions, and Configuration)
– Spanning Tree Enhancements (BPDU Guard/Filter, Root Guard, Loop Guard)
– UDLD, Flex Links
– Recommended STP practices



CST – Common Spanning Tree
– 1 STP instance, regardless of no. of VLANs
– Low Resources needed.
– Slow to converge
– Sub-optimal traffic flow can occur if more than one VLAN due to all traffic being required to take the same path.

Per VLAN Spanning-tree Plus
– Enhancement of STP with multiple instances, 1 for each VLAN.
– Includes several enhancements such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard
– Higher Resources needed.
– Each VLAN has a root bridge, allowing for optimisation of traffic flows for each VLAN.

Rapid STP – 802.1w
– Evolution of STP allowing for fast convergence.
– Medium Resources
– Still only single STP instance.

Multiple Spanning-Tree
– Maps multiple VLANs that have the same traffic flow requirements into the same STP instance.
– Cisco implementation provides up to 16 instances of RSTP and combines many VLANs with the same physical and logical topology into a common RSTP instance.

Per VLAN Rapid Spanning Tree Plus
– Cisco enhanced version of RSTP similar to PVST+
– Provides a separate instance of 802.1W per VLAN
– Fast
– Resources needed = very high.

PVST+ is Cisco default.

STP Operation

STP initially converges on a logically loop-free topology by performing these steps:

1. Elects one Root Bridge
– The switch with the lowest Bridge ID (priority first, then MAC address) becomes the Root Bridge.
– All active ports on the Root Bridge are Designated Forwarding.
– These ports send/receive traffic and configuration messages (BPDUs).

2. Selects the Root port on all Non-Root Switches
– Each non-root switch has one port it uses to reach the root bridge. This is the root port, and it is the port used to send/receive traffic towards the root bridge.
– The root port is the port with the lowest cumulative path cost from the non-root bridge to the root bridge.
– If a non-root bridge has two or more equal-cost paths to the root bridge, it breaks the tie in this order: lowest sender Bridge ID, lowest sender Port ID, then lowest local Port ID.
– Port ID consists of a configurable port priority + port number.

3. Selects the Designated port on each segment.
– On each segment, STP establishes one designated port on the bridge that has the lowest path cost to the root bridge.
– All ports that are up on the root bridge are Designated Forwarding.
– The switch primarily chooses a designated port as the least-cost path to the root bridge. In the event of a tie, the lower Bridge ID wins, then the lower Port ID. Every other port on the segment is nondesignated and blocks.

What the heck does that mean? The below image should explain it.


Looking at the example, each switch has a port it uses to reach the root bridge known as the root port. It is possible for the switch to have other ports still forwarding to other switches though, and not have any loops caused. For example, the link between B and D. B's down link is Designated Forwarding, while the port on D is the Root Port. As we have a loop between B and C, C loses the tie breaker and marks the port as nondesignated/blocked.

STP Port States

Blocking
– Nondesignated port; does not participate in frame forwarding and does not learn MAC addresses.
– Port receives BPDUs to determine the location and root ID of the root switch and which port role (root, designated, or nondesignated) each switch port should assume in the final active STP topology.
– Default time in this state is 20 seconds (Max Age).

Listening
– STP has established that the port can participate in the STP topology.
– In this state, the port is both receiving and sending BPDUs to neighbours, but still forwards no frames.
– Default time in this state is 15 seconds (Forward Delay).

Learning
– Port prepares to participate in frame forwarding and begins to populate the CAM table, but still does not forward frames.
– Default time in this state is 15 seconds (Forward Delay).

Forwarding
– Port is actively forwarding traffic with other switches in the topology.
– Port sends/receives BPDUs.

Disabled
– Administratively down; does not participate in STP nor forward frames.

So how does the switch determine which port should be the Root Port?
– Through a cost value associated with each port.
– Switch port cost is based on link speed.

The cost to the root bridge is calculated using the cumulative cost of all links between the local switch and the root bridge, and becomes the path cost.

Default port cost values (802.1D short method):
10 Gbit – Cost 2
1 Gbit – Cost 4
100 Mbit – Cost 19
10 Mbit – Cost 100

What happens when you have two paths with the same cumulative cost?

The first tie-breaker is the Bridge ID of the upstream switch sending the BPDU (lowest wins). If both paths lead to the same upstream switch, the tie-breaker is the Port ID of the sending port, and finally the local Port ID. A Port ID is a combination of a port priority and the port number. The default priority is 128, so port 1's Port ID is 128.1.

Lowest Port ID wins.
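The three convergence steps and the tie-breakers above, worked through in code as an added example (not from the book): root election by lowest bridge ID, root port per non-root switch by path cost with the sender-BID and port-ID tie-breakers, and the designated port per segment. The four-switch topology, MACs, port numbers and link costs are constructed to mirror the A/B/C/D example, with the default costs from the table above.

```python
"""Added example, not from the book: STP root, root port and designated port
computation for a constructed four-switch topology."""
import heapq

# Constructed topology: default priority 32768 everywhere, so the lowest MAC wins.
BRIDGES = {"A": (32768, "0000.0000.000a"), "B": (32768, "0000.0000.000b"),
           "C": (32768, "0000.0000.000c"), "D": (32768, "0000.0000.000d")}
# (switch, port number, switch, port number, port cost): 1 Gbit = 4, 100 Mbit = 19
LINKS = [("A", 1, "B", 1, 4), ("A", 2, "C", 1, 4), ("B", 2, "C", 2, 19),
         ("B", 3, "D", 1, 4), ("C", 3, "D", 2, 4)]
PORT_PRIORITY = 128


def port_id(number: int):
    """Port ID = (priority, number); compared as a tuple, lowest wins."""
    return (PORT_PRIORITY, number)


def root_path_costs(root: str) -> dict:
    """Lowest cumulative cost from every switch to the root (Dijkstra)."""
    neighbours = {b: [] for b in BRIDGES}
    for a, _, b, _, cost in LINKS:
        neighbours[a].append((b, cost))
        neighbours[b].append((a, cost))
    cost_to_root = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost_to_root[node]:
            continue
        for nbr, cost in neighbours[node]:
            if d + cost < cost_to_root.get(nbr, float("inf")):
                cost_to_root[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return cost_to_root


def converge():
    """Returns (root, {(switch, port): role}) with role root/designated/nondesignated."""
    root = min(BRIDGES, key=BRIDGES.get)                 # step 1: lowest bridge ID
    rpc = root_path_costs(root)
    roles = {}
    for switch in BRIDGES:                                # step 2: one root port each
        if switch == root:
            continue
        candidates = []
        for a, pa, b, pb, cost in LINKS:
            if switch not in (a, b):
                continue
            nbr, local, remote = (b, pa, pb) if a == switch else (a, pb, pa)
            # tie-break order: path cost, sender BID, sender port ID, own port ID
            candidates.append((rpc[nbr] + cost, BRIDGES[nbr], port_id(remote), port_id(local)))
        roles[(switch, min(candidates)[3][1])] = "root"
    for a, pa, b, pb, _ in LINKS:                         # step 3: designated port per segment
        side_a = (rpc[a], BRIDGES[a], port_id(pa))
        side_b = (rpc[b], BRIDGES[b], port_id(pb))
        winner, loser = ((a, pa), (b, pb)) if side_a < side_b else ((b, pb), (a, pa))
        roles[winner] = "designated"
        roles.setdefault(loser, "nondesignated")         # unless it is that switch's root port
    return root, roles


if __name__ == "__main__":
    root, roles = converge()
    print("root:", root)
    for (switch, port), role in sorted(roles.items()):
        print(f"{switch} port {port}: {role}")
```

B and C both sit at cost 4 from the root, so the B–C segment is decided by bridge ID and C's port blocks, as in the image narrative; D has two equal-cost paths (8 via B or via C) and picks the port towards B because B has the lower bridge ID, not because of D's own port numbers.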

RSTP – Rapid Spanning Tree Protocol 802.1w

Enhancements over STP:
– A lot faster at converging
– Introduces several new port roles (Alternate and Backup)
– Simplified port states (Discarding, Learning, Forwarding)
– Backwards compatible with STP

RSTP Port States

Discarding
– Represents STP's Disabled, Blocking and Listening states.
– State is seen in both a stable active topology and during topology synchronisation and changes.
– Discarding state prevents the forwarding of traffic, therefore no network loop.

Learning
– Seen in both a stable active topology and during topology synchronisation and changes.
– Accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.

Forwarding
– Only seen in stable active topologies.
– Self explanatory (data is forwarding).

RSTP Port Roles

Root Port
– Switch port on every non-root switch that is chosen as the path to the root bridge.
– Only 1 root port can be on each switch.
– See STP operation above. Same as STP.

Designated Port
– See STP operation above. Same as STP.

Alternate Port
– Switch port that offers an alternative path toward the root bridge (it receives superior BPDUs from another switch).
– Assumes a discarding state in a stable environment.
– Present on nondesignated switches and transitions to root port if the current root port fails. See below image for what this looks like.

Backup Port
– A switch port that receives superior BPDUs from another port on the same switch, i.e. the switch has two ports on one segment (through a hub, for example). It backs up the switch's own designated port on that segment. Note that two direct links between two switches give the downstream switch a root port and an alternate port, not a backup port. See below image.
– A backup port has a higher port ID than the designated port on the same switch.
– The backup port assumes the discarding state in a stable environment.

Rapid Transitioning to Forwarding

RSTP introduces two new variables called Link type (probably not important to know for the exam), and Edge port.

Link Type
– Provides a categorisation for each port participating in RSTP.
– Derived from the port duplex mode. Full duplex is considered to be a point-to-point link, whereas half duplex is assumed to be a shared medium.
– I'm not sure how much this still plays a part in networks today…

One more thing to be aware of: of Root, Alternate, Backup and Designated, only Designated ports really make use of the link type parameter, because only a designated port on a point-to-point link can use the proposal/agreement handshake to move to forwarding rapidly.

Edge Ports
– Port configured on the switch to be connected to a host.
– Equivalent to the Cisco PortFast feature.
– Allows the port to transition directly to forwarding, skipping the listening and learning stages.
– Doesn't generate a topology change (TCN) when its link transitions to up.
– If an edge port receives a BPDU, it immediately loses its edge port status and becomes a normal STP port. This is different behavior to Cisco PortFast. <— This is from the book. I have yet to find out how Edge Ports and PortFast totally differ.

Bridge Identifier for PVRST+

Because PVST+ or PVRST+ requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID info.

Bridge ID in this case, is made up of:

Bridge Priority: default is 32768. This is only a 4-bit field, so the configurable values are multiples of 4096 (0 to 61440).
Extended system ID: 12 bit field carrying in this case, the VID
MAC Address: 6 byte field with MAC address of single switch.

If no priority has been configured, every switch will have the same default priority, and the election of the root for each VLAN is based on the MAC address. Because this can result in a random switch becoming the root bridge, it is advisable to lower the bridge priority on the switch that should be the root bridge in your network.
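The bridge ID layout above, as an added example (not from the book): packing the 4-bit priority, 12-bit extended system ID (the VLAN) and 48-bit MAC into the 8-byte field, the multiple-of-4096 rule, and the per-VLAN root election that follows from comparing those IDs. The switch names, MACs and the priority override are constructed.

```python
"""Added example, not from the book: PVRST+ bridge ID packing and per-VLAN root
election. Switch names, MACs and priorities are constructed."""


def encode_bid(priority: int, vlan: int, mac: str) -> int:
    """8-byte bridge ID as a 64-bit integer: priority | VLAN in the top 16 bits,
    MAC in the low 48. Only the top 4 bits are priority, so it must be a
    multiple of 4096, which is what IOS enforces for 'spanning-tree vlan N priority'."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def decode_bid(bid: int):
    """Split a bridge ID back into (priority, VLAN, MAC in dotted IOS notation)."""
    top = bid >> 48
    mac = f"{bid & ((1 << 48) - 1):012x}"
    return top & 0xF000, top & 0x0FFF, ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def priority_is_valid(priority: int) -> bool:
    try:
        encode_bid(priority, 1, "0000.0000.0001")
        return True
    except ValueError:
        return False


def root_for_vlan(switches: dict, vlan: int, priorities: dict = None) -> str:
    """Lowest bridge ID wins. `priorities` overrides the default 32768 per
    (switch, vlan), as 'spanning-tree vlan <vlan> priority <p>' would."""
    priorities = priorities or {}
    bids = {name: encode_bid(priorities.get((name, vlan), 32768), vlan, mac)
            for name, mac in switches.items()}
    return min(bids, key=bids.get)


SWITCHES = {"S1": "0000.0c11.1111", "S2": "0000.0c22.2222", "S3": "0000.0c33.3333"}


def demo():
    default_root = root_for_vlan(SWITCHES, 10)                       # decided by MAC alone
    tuned_root = root_for_vlan(SWITCHES, 20, {("S2", 20): 24576})     # priority lowered on S2
    return default_root, tuned_root, decode_bid(encode_bid(32768, 20, SWITCHES["S2"]))


if __name__ == "__main__":
    print(demo())
```

With every switch at the default, S1 becomes root for VLAN 10 purely because its MAC is lowest, which is the "random root" problem the paragraph above warns about; lowering S2's priority to 24576 for VLAN 20 makes it root for that VLAN regardless of MAC. The decoded value also explains why "show spanning-tree" displays a priority of 32788 for VLAN 20: it is 32768 plus the 12-bit extended system ID.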

MST – Multiple Spanning Tree

– Purpose is to reduce the total number of STP instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.

– MST enables you to build multiple spanning trees over trunks by grouping VLANs and associating them with STP instances. Each instance can have a topology independent of the other spanning-tree instances. This architecture provides multiple active forwarding paths for data traffic and enables load balancing.

MST Regions

The main enhancement introduced by MST is the ability to map several VLANs to a single spanning-tree instance. The problem with this though is how you know which VLAN should be associated with which instance, and how neighbouring switches agree on it.

Each switch that runs MST in the network has a single MST config that consists of:
– Alphanumeric config name
– Config revision number
– 4096-element table that associates each of the potential 4096 VLANs supported on the switch with a given instance.
All three must match on every switch for them to be in the same MST region.

Extended System ID for MST
– Consists of Bridge priority + Extended System ID + MAC Address.
In the case of MST, the Extended Sys ID is the MST Instance Number.

Configuring MST

S1(config)#spanning-tree mode mst – Switch from the default PVST+ to MST
S1(config)#spanning-tree mst configuration
S1(config-mst)#show current – Display the current configuration before making changes
S1(config-mst)#name ____
S1(config-mst)#revision ___
S1(config-mst)#instance ___ vlan ___
S1(config-mst)#show pending – MST config to be applied
S1(config-mst)#end – Applies the config (and returns to privileged EXEC; re-enter "configure terminal" for the rest)
S1(config)#spanning-tree mst instance-no root primary|secondary
S1(config)#spanning-tree extend system-id – Enables MAC addr reduction
S1(config-if)#spanning-tree mst pre-standard – Interface cmd, required IF the neighbor on that port is using a prestandard version of MST.

Spanning Tree Enhancements

BPDU Guard
– Prevents accidental connection of an STP switch to a PortFast-enabled port.

BPDU Guard puts an interface configured for STP PortFast into the err-disabled state upon receipt of a BPDU. The switch disables the interface as a preventive step to avoid potential bridging loops (and it stops an unauthorised switch plugged into an access port from taking part in the topology at all).

Once a port has been put in the err-disabled state, the switch requires manual intervention ("shut" then "no shut" on the port). Alternatively, "errdisable recovery cause bpduguard" with an "errdisable recovery interval" re-enables the port automatically after the interval, and it is err-disabled again if it receives another BPDU.

To enable globally (on all PortFast ports): "spanning-tree portfast bpduguard default" (newer IOS: "spanning-tree portfast edge bpduguard default")
Alternatively under each desired port: "spanning-tree bpduguard enable"
To verify: "show spanning-tree summary totals"

BPDU Filter
– Stops the switch sending BPDUs out PortFast (access) ports.

When enabled globally, BPDU filtering has the following effect:
– Affects all operational PortFast ports that do not have BPDU filtering configured on the individual ports (well no duh!)
– If BPDUs are seen, the port loses its PortFast state, BPDU filtering is disabled, and STP begins to send/receive BPDUs on that port.
– On switch/port start up, the port transmits 10 BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.

When enabled on an individual port:
– Ignores all BPDUs received.
– Sends no BPDUs.
– This effectively disables STP on that port, so a loop through it (or a switch plugged into it) is never detected. Prefer the global form, or BPDU Guard, on ports that face end users.

If you enable BPDU Guard on the same interface as BPDU Filtering, BPDU Guard has no effect because BPDU filtering takes precedence over BPDU Guard (the BPDU is dropped before Guard ever sees it).

To enable globally: "spanning-tree portfast bpdufilter default"
To enable PortFast BPDU filtering on a specific port: "spanning-tree bpdufilter enable"
Verify config: "show spanning-tree summary"

Root Guard
– Prevents a switch connected to a Root Guard-enabled port from becoming the root switch.

– Root Guard provides a way to enforce the root bridge placement in the network.

– If the bridge receives superior STP BPDUs on a Root Guard-enabled port, the port moves to the root-inconsistent STP state (effectively equal to the listening state), and the switch does not forward traffic out of that port. Because of this, the feature effectively enforces the position of the root bridge.

Best practice is to enable Root Guard on all ports facing access switches and end devices, so that a root bridge is never established through these ports.

If a superior BPDU is received on a Root Guard-enabled port, the port goes into the root-inconsistent state (effectively the same as the listening state). At this point a log message appears in the buffer. The port stays in this state as long as superior BPDUs are being received. Once superior BPDUs are no longer received (the last one has aged out), the port transitions back through the normal states to forwarding. Recovery is automatic, and no user intervention is required.

To enable on an interface: spanning-tree guard root
Verify: show spanning-tree inconsistentports
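The decisions BPDU Guard (above) and Root Guard make on an incoming BPDU, as an added example (not from the book or Cisco code): a BPDU is "superior" when its priority vector (root ID, root path cost, sender ID, sender port ID) compares lower than what the port itself advertises; Root Guard blocks only on a superior BPDU and recovers on its own once it ages out, whereas BPDU Guard err-disables on any BPDU at all and needs manual or errdisable recovery. The bridge IDs, costs and the rogue switch are constructed.

```python
"""Added example, not from the book: superior-BPDU comparison and the state each
guard puts a port into. Bridge IDs, costs and the rogue switch are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """The priority vector STP compares, most significant field first: lower is better."""
    root_id: int
    root_path_cost: int
    sender_id: int
    sender_port_id: int


def is_superior(received: Bpdu, own: Bpdu) -> bool:
    return received < own


class PortFastPort:
    """BPDU Guard: a single BPDU err-disables the port; only a manual shut/no shut
    or errdisable recovery brings it back."""
    def __init__(self):
        self.state = "forwarding"

    def receive(self, bpdu: Bpdu) -> str:
        self.state = "err-disabled"
        return self.state

    def errdisable_recovery(self) -> str:
        self.state = "forwarding"
        return self.state


class RootGuardPort:
    """Root Guard: a superior BPDU moves the port to root-inconsistent (no traffic);
    when superior BPDUs stop and the last one ages out, it recovers by itself."""
    def __init__(self, own: Bpdu, max_age: int = 20):
        self.own, self.max_age = own, max_age
        self.state, self.age = "forwarding", None

    def receive(self, bpdu: Bpdu) -> str:
        if is_superior(bpdu, self.own):
            self.state, self.age = "root-inconsistent", 0
        return self.state

    def tick(self, seconds: int) -> str:
        """Time passing without a further superior BPDU."""
        if self.state == "root-inconsistent":
            self.age += seconds
            if self.age >= self.max_age:
                self.state, self.age = "forwarding", None
        return self.state


def bid(priority: int, mac_suffix: int) -> int:
    return (priority << 48) | mac_suffix


def scenario():
    # Legitimate root is a distribution switch with priority 4096; this access-facing
    # port advertises that root at path cost 4 from a switch with priority 32768.
    own = Bpdu(bid(4096, 0x1), 4, bid(32768, 0x10), 0x8001)
    rogue_claiming_root = Bpdu(bid(0, 0xBAD), 0, bid(0, 0xBAD), 0x8001)
    ordinary_neighbour = Bpdu(bid(4096, 0x1), 8, bid(32768, 0x20), 0x8001)

    rg = RootGuardPort(own)
    after_ordinary = rg.receive(ordinary_neighbour)   # inferior: stays forwarding
    after_rogue = rg.receive(rogue_claiming_root)      # superior: root-inconsistent
    still_blocked = rg.tick(10)
    recovered = rg.tick(10)                            # max age reached: automatic recovery

    bg = PortFastPort()
    guard_hit = bg.receive(ordinary_neighbour)         # any BPDU at all err-disables
    return after_ordinary, after_rogue, still_blocked, recovered, guard_hit


if __name__ == "__main__":
    print(scenario())
```

The contrast is the point: a BPDU from a downstream switch that agrees on the root is harmless to Root Guard but fatal to BPDU Guard, which is why Root Guard goes on ports towards other switches and BPDU Guard on ports where no switch should ever appear.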

Preventing Forwarding Loops and Black Holes

Loop Guard

Loop Guard provides additional Layer 2 protection against forwarding loops.

Loop Guard places a port in the STP loop-inconsistent state when it stops receiving BPDUs, and the port recovers when BPDUs are again received.

This stops the port transitioning to the listening/learning/forwarding states after the Max Age timer has expired on a port that should in fact be receiving BPDUs. Why could this happen? If there is an issue with the physical link (e.g. a unidirectional link failure) between two switches, the blocking switch stops hearing the designated switch's BPDUs while the link still carries traffic in the other direction. Without Loop Guard the blocking port assumes the upstream switch is gone, moves to forwarding, and we now have a loop in at least one direction.

A port in the STP loop-inconsistent state does not pass data traffic, hence a bridging loop does not occur. The loop-inconsistent state is effectively equal to the blocking state.

Loop Guard is configured on a per-port basis, although the feature blocks inconsistent ports on a per-VLAN basis.

Enable Loop Guard on all non-designated ports (e.g. Root Port, Alternate Port).

To enable on an interface: spanning-tree guard loop
Globally: spanning-tree loopguard default
Verify: show spanning-tree interface __ detail

UDLD – Unidirectional Link Detection

A unidirectional link occurs when traffic is transmitted between neighbours in one direction only. This can cause spanning-tree loops.

UDLD enables a device to shut down a link when a unidirectional link is detected.

UDLD is most useful on fibre links, but can also be configured on copper Ethernet.

With UDLD enabled, the switch periodically sends UDLD protocol packets to its neighbour and expects the packets to be echoed back before a predetermined timer expires. The default interval is 15 seconds.

A UDLD-enabled switch sends UDLD protocol packets with its own device ID and port ID to the neighbouring device. The link is in determined (bidirectional) status if the switch sees its own device and port ID echoed back in the packets sent by the neighbour. If the device does not see itself in the neighbouring device's UDLD protocol packets, the link is determined to be unidirectional.

To enable UDLD globally (on all fibre ports): udld enable | udld aggressive
To enable on an interface: udld port [aggressive]

In normal mode: UDLD marks the port as "Undetermined", but does NOT shut down or disable the port, which continues to operate under its current STP status. This mode of operation is informational and potentially less disruptive (though it does not prevent STP loops).

In aggressive mode: when a port stops receiving UDLD packets, UDLD tries to re-establish the connection with the neighbour. After 8 failed attempts, the port state changes to err-disabled, which effectively disables the port. To get out of this state, the port needs to be "shut" then "no shut". Alternatively also enable "errdisable recovery cause udld" to auto-recover from such issues.

Comparison between Aggressive Mode UDLD and Loop Guard

While these two features overlap in what they offer, they differ in their approach to the problem and in functionality. Both complement each other and it is advisable to enable both features at the same time.

Loop Guard works from the perspective of BPDUs being received (the STP process); UDLD works from the perspective of miswiring or other cabling and transceiver issues, independently of STP.

In the case of an EtherChannel, if BPDUs stop being received, Loop Guard puts the whole port-channel into the loop-inconsistent state. If the problem is physical on one of the links in the EtherChannel, aggressive UDLD can detect it and err-disable only the affected link.

Flex Links

– Simple alternative to STP for an access switch with a pair of uplinks: one is active, the other a standby backup.
– This enhancement enables a convergence time of less than 50 milliseconds.
– Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured on the uplink ports.
– Only supported on Layer 2 ports and port channels, not on VLANs or on L3 ports.
– STP is disabled on Flex Link ports.

S1(config)#interface fa0/1
S1(config-if)#switchport backup interface fa0/2
S1#show interfaces switchport backup

Recommended Spanning Tree Practices

– Loop Guard is implemented on the L2 ports between distribution switches and on the uplink ports from the access switches to the distribution switches.

– Root Guard is configured on the distribution switch ports facing the access switches.

– UplinkFast is implemented on the uplink ports from the access switches to the distribution switches.

– BPDU Guard or Root Guard is configured on ports from the access switches to the end devices, as is PortFast.

– UDLD enables devices to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port. UDLD is often configured on ports linking switches.

– Depending on the security requirements of an organisation, the port security feature can be used to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.


Check the Port Status:

– Blocked ports: Check to make sure the switch reports receiving BPDUs periodically on the root and blocked ports. To check BPDUs on ports:
– show spanning-tree vlan __ detail

– Duplex mismatch: check both ends of the link
– show interface
– Port utilisation: An overloaded port may fail to transmit vital BPDUs and is also an indication of a possible bridging loop.
– show interface

– Frame corruption: Unlikely issue, but check the input error fields using 'show interface'.

Implementing Cisco Switched Networks Chapter 2 Review

This is my review and notes of Chapter 2 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 2

Chapter is a pretty good refresher for a lot of things around VLANs. Having not used Cisco switches for a while, the show commands are a pretty helpful reminder of some available commands other vendors may not have. The chapter also somewhat applies some of the models discussed in chapter 1 in terms of the VLAN implementation around PPDIOO.

Later the chapter covers Private VLANs and EtherChannel. Personally felt the Private VLAN explanation was too confusing and instead resorted to an explanation from How to Master CCNP Switch.

In terms of the CCNP exam, probably need to know:
– Understand VLAN configuration and show commands
– Correct trunking configuration
– Different modes of DTP. Possibly some VTP.
– Private VLANs
– EtherChannel

– End to End VLAN, and Local VLAN models
– VLAN configuration and show commands
– Trunking – briefly ISL, which doesn’t matter, and 802.1Q
– DTP – Dynamic Trunking Protocol
– VTP – VLAN Trunking Protocol
– Private VLANs
– EtherChannel covering PAgP, LACP, and includes load balancing techniques.

VLAN Models

End to End VLAN
– Each VLAN spans the network geographically.
– Users are grouped into each VLAN regardless of physical location.
– As users move throughout the campus, the VLAN membership of that user remains the same (probably through 802.1X).
– Users are typically associated with a given VLAN for network management reasons, hence why they are kept in the same VLAN.
→ Switches typically use VTP in server/client mode.

Local VLAN – the choice for the Campus Enterprise Architecture.
– VLANs are configured for each floor or building.
→ In other words, local VLANs are created with physical boundaries in mind rather than the job function of the user.
– Generally local VLANs exist between the access and distribution layers.
– Traffic is routed at the distribution and core layers to reach other destinations on the network.
– Usual recommendation is a maximum of 3 VLANs per access layer switch.
→ VTP is configured in transparent mode, as no VLANs should be advertised to other switches, nor do they need to be created on any other switches.

=> A network that consists entirely of local VLANs can benefit from the faster convergence offered by routing protocols, instead of relying on spanning tree as in a layer 2 network.

Helpful VLAN configuration commands:

switchport host
– Interface-level macro that sets the port to access mode, enables spanning-tree PortFast and disables EtherChannel on a per-port basis.

show vlan
show vlan brief
show vlan id X
show vlan name X
– Pretty helpful generic VLAN commands.

show run int fa0/0
– Displays the current config on a particular port.

show interfaces
show int fa0/0 switchport
– Switchport characteristics.
– Private VLAN and trunking info.

show mac-address-table interface __ vlan __
– Displays MAC address table entries for the specified interface in the specified VLAN.
– Very helpful in determining if attached devices are sending frames into the correct VLAN.

DTP – Dynamic Trunking Protocol
– Cisco proprietary point-to-point protocol for switches to negotiate trunk links.

Access – Port is permanently configured for nontrunking.
Trunk – Port is permanently configured for trunking.
– Other end of the link needs to be trunk, dynamic desirable, or dynamic auto.
Nonegotiate – Puts the port in permanent trunking mode BUT the port will not send out DTP frames.
– Other end of the link needs to be either trunk or nonegotiate.
Dynamic Desirable – Interface actively attempts to convert the link to a trunk link.
– Trunk forms if the neighbour interface is set to trunk, desirable, or auto.
Dynamic Auto – Interface is willing to convert the link to a trunk link.
– Trunk only forms if the neighbour is set to desirable or trunk.

Trunking verification commands
show run int X
show int X switchport
show int X trunk
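As an added example (not from the book or these notes), the DTP negotiation outcomes listed above encoded as a check that can be run over a `show running-config` extract to find ports that would still negotiate a trunk with whatever is plugged into them. The config text is constructed, and the platform default of dynamic auto for a port with no `switchport mode` line is an assumption.

```python
import re

_NEGOTIATING = {"dynamic desirable", "dynamic auto"}

def trunk_forms(local: str, remote: str) -> bool:
    """Does a trunk come up between ports in these DTP modes? (rules from the notes above)"""
    if "access" in (local, remote):
        return False                       # an access port never trunks
    if "nonegotiate" in (local, remote):
        # nonegotiate sends no DTP frames, so the peer must already be trunking
        return {local, remote} <= {"trunk", "nonegotiate"}
    if "trunk" in (local, remote) or "dynamic desirable" in (local, remote):
        return True                        # one side trunks or actively asks
    return False                           # auto + auto: both wait

def effective_mode(block, default="dynamic auto"):
    """DTP mode of one interface from its config lines; the default is an assumption."""
    for line in block:
        m = re.match(r"\s*switchport mode (dynamic auto|dynamic desirable|access|trunk)\s*$", line)
        if m:
            return m.group(1)
    return default

def audit_dtp(running_config: str) -> dict:
    """Interface -> mode for ports that would trunk with a peer set to dynamic desirable."""
    findings, current, block = {}, None, []
    for line in running_config.splitlines() + ["!"]:
        if line.startswith("interface "):
            current, block = line.split(None, 1)[1], []
        elif line.strip() == "!" and current:
            mode = effective_mode(block)
            if mode in _NEGOTIATING and trunk_forms(mode, "dynamic desirable"):
                findings[current] = mode
            current = None
        elif current:
            block.append(line)
    return findings

# Constructed running-config extract, not captured from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 description user port, mode never set
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode trunk
 switchport nonegotiate
!
"""
```

`audit_dtp(SAMPLE_CONFIG)` flags FastEthernet0/2 and FastEthernet0/3; the hard-coded access and trunk/nonegotiate ports are left alone.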

VTP – VLAN Trunking Protocol
– Cisco proprietary protocol used to synchronise and distribute VLAN databases throughout a switched network.
– Cisco switches transmit VTP info only on trunk links.
– VTP info is multicast.

VTP Modes and operation

Client
– Can’t create, change, or delete VLANs.
– Forwards advertisements to other switches.
– Synchronises VLAN config with the latest info received from other switches in the management domain.
– Does not save VLAN config in NVRAM.

Server
– Creates, modifies, and deletes VLANs.
– Sends and forwards advertisements to other switches.
– Synchronises VLAN config with the latest info received from other switches in the VTP domain.
– Saves VLAN config in NVRAM.

Transparent
– Creates, deletes, and modifies VLANs only from and on the local switch.
– Forwards VTP advertisements received from other switches in the same VTP domain.
– Saves VLAN config in NVRAM.

There’s a bit more to VTP such as importance of sequence number etc but this isn’t stuff I feel I personally need notes on.

VTP Pruning
– Probably one of the main advantages to using VTP.
– VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic over trunk links needlessly. By default, a trunk connection carries traffic for all VLANs in the VTP management domain.
– VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the appropriate network devices.

VTP has 3 versions. Version 2 is most commonly used.

If all switches in a domain are capable of running VTP version 2, enable VTP version 2 on one VTP server. The VTP server propagates the version number to the other VTP version 2 capable switches in the VTP domain.

Private VLANs

I found the implementing switch chapter pretty confusing on this subject, and instead looked at How to Master CCNP Switch. From the brief look I’ve had at this book, I think it’s pretty good, and avoids a lot of the waffle that you find in the Cisco press books. If I had more time before my exam, I would have liked to read this book in more detail. Anywho on to private VLANs!

A private VLAN is simply a vlan that has limited communication with other ports on the switch, depending on configuration.

A private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port.

Secondary VLANs can always communicate with the promiscuous port but they can never communicate with other secondary VLANs.

Private VLANs can also be carried over 802.1Q trunk links. Configuration is basically the same on the other switch. You only need to add the vlans to the trunk link.

Private VLAN port types:

Isolated ports
– Complete layer 2 separation from other ports within the same private VLAN, except promiscuous ports.

Promiscuous ports
– Can communicate with all ports within the private VLAN, including community and isolated ports.
– Only part of 1 primary VLAN, but each promiscuous port can map to more than one secondary private VLAN.
– Promiscuous ports are generally router ports, backup or shared servers, or VLAN interfaces.

Community ports
– Community ports communicate among themselves and with their promiscuous ports.
– Isolated at layer 2 from interfaces in other communities and from isolated ports within their private VLAN.

Private VLAN configuration

Using an example borrowed from René’s Mastering CCNP Switch book:

Firstly configure the switch to VTP mode transparent.

– Primary VLAN of 500
– Secondary Community VLAN is 501
– Secondary Isolated VLAN is 502

####### Configuring Primary VLAN and Secondary Community VLAN ########
S1(config)#vtp mode transparent
S1(config)#vlan 501
S1(config-vlan)#private-vlan community
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 501

##### Assigning private vlan, along with primary, to switch ports ##########
S1(config)#interface range fa0/1 - 2
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 500 501

##### Configuring Promiscuous port #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 501

####### Configuring Isolated VLAN ########
S1(config)#vlan 502
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#vlan 500
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association add 502

##### Assigning private vlan, along with primary, to switch ports ##########
S1(config)#interface range fa0/3 - 4
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 500 502

##### Adding the isolated VLAN to the existing promiscuous mapping (‘add’ keeps 501 in place) #####
S1(config)#interface fa0/24
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 500 add 502

##### Verification #####
S1#show interfaces fa0/1 switchport
S1#show interfaces fa0/24 switchport
S1#show vlan private-vlan
S1#show vlan private-vlan type
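To check that the S1 configuration above really enforces the promiscuous/community/isolated rules before trusting it for segmentation, here is an added Python model (not from the book or René’s example) of private-VLAN reachability. The port list mirrors the S1 commands and the rules are the ones stated in the port-type notes above.

```python
from dataclasses import dataclass

# Secondary VLAN types as declared with 'private-vlan community' / 'private-vlan isolated'
SECONDARY_TYPE = {501: "community", 502: "isolated"}

@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str               # "host" or "promiscuous", as in 'switchport mode private-vlan ...'
    primary: int            # primary VLAN from host-association / mapping
    secondaries: frozenset  # one secondary on a host port, several on a promiscuous port

def can_talk(a: PvlanPort, b: PvlanPort, types=SECONDARY_TYPE) -> bool:
    """Return True if frames from a can reach b at layer 2 under private-VLAN rules."""
    if a.primary != b.primary:
        return False                                   # different primary VLANs never mix
    if "promiscuous" in (a.mode, b.mode):
        if a.mode == b.mode:
            return True                                # two promiscuous ports in one primary
        host, prom = (a, b) if a.mode == "host" else (b, a)
        return bool(host.secondaries & prom.secondaries)  # promiscuous must map that secondary
    # two host ports: only members of the same community can talk to each other
    shared = a.secondaries & b.secondaries
    return bool(shared) and all(types[v] == "community" for v in shared)

def reachability(ports):
    """Full pairwise matrix {(src, dst): bool} for a list of ports."""
    return {(x.name, y.name): can_talk(x, y) for x in ports for y in ports if x != y}

# Ports exactly as configured on S1 in the notes above
S1_PORTS = [
    PvlanPort("fa0/1", "host", 500, frozenset({501})),
    PvlanPort("fa0/2", "host", 500, frozenset({501})),
    PvlanPort("fa0/3", "host", 500, frozenset({502})),
    PvlanPort("fa0/4", "host", 500, frozenset({502})),
    PvlanPort("fa0/24", "promiscuous", 500, frozenset({501, 502})),
]

def allowed_pairs(ports=S1_PORTS):
    """Sorted (src, dst) pairs that can exchange frames; compare against the intended design."""
    return sorted(pair for pair, ok in reachability(ports).items() if ok)
```

For S1 the only allowed pairs are fa0/1 with fa0/2 (same community) and every host port with fa0/24; fa0/3 and fa0/4 cannot reach each other even though they share VLAN 502.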

Cisco Port Protect Feature
– Very simple version of private VLANs for lower end switches.
– Traffic can only flow between a protected and an unprotected port.
– If two ports are protected, they can not communicate with each other.

EtherChannel – PAgP and LACP

Apologies if this section lacks more detail. It’s not an area I personally need many notes on.

PAgP – Port Aggregation Protocol
– Cisco proprietary.
– Packets sent every 30 seconds. PAgP checks for config consistency and manages link additions and failures between two switches.

auto
– Default.
– Passive state in which the port responds to PAgP packets it receives but does not initiate PAgP negotiation.

desirable
– Active negotiating state.

on
– Forces the interface to channel without PAgP.
– Does not exchange PAgP packets.
– Other side also needs to be configured with ‘on’.

non-silent
– If a switch is connected to a PAgP capable partner, add this keyword when configuring auto or desirable. If you do not specify this, silent is assumed. Silent is for connections to file servers or wireshark (why??)

So if doing PAgP, make sure to also add ‘non-silent’.

LACP – Link Aggregation Control Protocol
Basically identical to PAgP but the IEEE open version.

passive
– Default.
– Passive negotiating state (responds to LACP packets, but doesn’t initiate an EtherChannel).

active
– Active negotiating state.
– Will form an EtherChannel with a partner set to active or passive.

on
– Forces the interface to channel without PAgP or LACP.

Additional Parameters

System priority – Each switch running LACP must have a system priority. This is automatic, but user can also manually configure. Switch uses MAC address and system priority to form the system ID.

Port priority – Same as above. Switch uses the port priority to decide which ports to put in standby mode when a hardware limitation prevents all compatible ports from aggregating.

Administrative key – As above, automatic but can be set manually. Defines the capability of a port to aggregate with other ports, e.g. physical port characteristics including speed/duplex etc.

EtherChannel Load Balancing Options

One thing people often get wrong about EtherChannel or aggregated links is thinking that because they have two 1 Gbit links in an aggregator, they now have 2 Gbit of bandwidth for any of their traffic. This is only partly true, as aggregators use a load balancing technique to ‘balance’ traffic over the two links: a hash of the chosen address fields picks one member link per frame, so a single flow always uses a single link. Depending on the source/destination traffic that flows through the bundle, you may or may not maximise the available bandwidth. See below for the different balancing techniques.

Cisco offers:

Use ‘show etherchannel load-balance’ to see which mode is in effect, and ‘port-channel load-balance <method>’ in global configuration mode to change it.
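An added illustration (not from the book) of why a two-link bundle does not give one flow two links’ worth of bandwidth: a simplified model of the hash, taking the low-order bits of the selected address fields, applied to constructed traffic with the `src-ip`, `dst-ip` and `src-dst-ip` keywords of `port-channel load-balance`. The traffic figures are made up for the example.

```python
import ipaddress
from collections import Counter

def select_link(method: str, src_ip: str, dst_ip: str, n_links: int) -> int:
    """Pick the member link for one frame.

    Simplified model of the documented behaviour: the switch takes the low-order
    bits of the chosen address field(s), XORing them when both source and
    destination are used, and uses log2(n_links) bits to index the member link.
    """
    nbits = n_links.bit_length() - 1
    if n_links != 1 << nbits:
        raise ValueError("model only handles 2, 4 or 8 member links")
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    key = {"src-ip": s, "dst-ip": d, "src-dst-ip": s ^ d}[method]
    return key & ((1 << nbits) - 1)

def link_usage(method: str, flows, n_links: int = 2) -> dict:
    """Frames carried per member link for a list of (src, dst, frame_count) flows."""
    usage = Counter()
    for src, dst, frames in flows:
        usage[select_link(method, src, dst, n_links)] += frames
    return dict(sorted(usage.items()))

# Constructed traffic, not measured anywhere: one backup host streaming to a server,
# versus ten clients talking to the same server over a two-link bundle.
SINGLE_FLOW = [("10.1.1.10", "10.1.2.5", 1000)]
MANY_CLIENTS = [(f"10.1.1.{i}", "10.1.2.5", 100) for i in range(10, 20)]

if __name__ == "__main__":
    for method in ("src-dst-ip", "dst-ip"):
        print(method, "single flow:", link_usage(method, SINGLE_FLOW),
              "many clients:", link_usage(method, MANY_CLIENTS))
```

The single flow lands on one link whatever the method, and with `dst-ip` even the ten clients all hash to the same link because they share a destination; only `src-dst-ip` spreads them.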

Implementing Cisco Switched Networks Chapter 1 Review

This is my review and notes of Chapter 1 of “Implementing Cisco Switched Networks Foundation Learning Guide”.


Chapter 1

Chapter 1 was incredibly boring to read. As per the summary covered below, the chapter was attempting to get the reader into the mindset of the different models Cisco has created that can be used as guidelines when creating a network, whether large or medium, and in either a campus or enterprise network.

In terms of the CCNP exam, probably need to know:
– The 3 campus design best practices
– Be able to successfully identify where different features belong in a network using the Hierarchical Network design mode.
– Know the 3 different layers of SONA
– Be able to successfully identify what happens at each step of the PPDIOO model.

– Different models of Cisco switches e.g. Catalyst, Nexus
– Campus Design best practices
– Hierarchical Network Design Model
– SONA (Service-Oriented Network Architecture)
– PPDIOO (Prepare Plan Design Implement Operate Optimise)

Campus Design best practices
Basically summed up as: create a network that is
– Modular (like building blocks, and scales well).
– Resilient (HA characteristics with uptime nearly 100%).
– Flexible (businesses are constantly changing; able to adapt to new business structures etc.).

Hierarchical Network Design Model

Core Layer
– High Speed
– High Availability
– Adapt to changes quickly

– Basically aggregates all the distribution layer switches together with the remainder of the enterprise network.
– Provides aggregation points with redundancy through fast convergence and HA.
– Designed to scale as the distribution and consequently the access layer scale with future growth.

Distribution Layer
– Segment parts of the network and isolate network problems in a campus environment
– Aggregate WAN connections at the edge
– Provide a level of security
– Often acts as a service and control boundary between the access and core layers.

– Availability, load balancing, QoS
– HA through dual paths to Core and Access
– Provides default GW redundancy via HSRP/GLBP/VRRP
– Connects network resources to the access layer, and implements policies for QoS, Security, traffic loading, and routing.

Access Layer
– Edge devices
– Application of security, access control, filters, management etc.

– Access to default gateway redundancy (so dual links to distribution layer switches with e.g. HSRP)
– Converged – So PoE switch with IP Phones and WLAN devices attached.
– Security through: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP SRC Guard.

SONA (Service-Oriented Network Architecture)

Below are my notes from when reading the book. To be honest it all just sounds like a bunch of buzzwords and personally I don’t feel it was explained very well. Haven’t looked any further into it.

Application Layer
– E.g. Business Apps
– Layer objective is to meet business requirements and achieve efficiencies by leveraging the interactive services layer.

Interactive Services Layer
– Enables efficient allocation of resources to applications and business processes delivered through the networked infrastructure

Network Infrastructure Layer
– Where all IT resources (servers/SANs etc) are interconnected across a converged network foundation.
– Represents how resources exist in different places in the network, e.g. branch, data center, WAN etc.

PPDIOO (Prepare Plan Design Implement Operate Optimise)

Prepare
– Establishing organisational requirements.
– Developing a network strategy.
– High-level conceptual network architecture.
– Identifying HW and costs.

Plan
– Initial network requirements based on goals, facilities, user needs etc.
– Assessing the current network and ensuring it will work with what is being proposed.

Design
– Well thought out detailed design that meets current business and technical requirements and incorporates specifications to support availability, reliability, security, scalability, and performance.
– Design is the basis for implementation.

Implement
– Network is built to design specs, with the goal of integrating devices without disrupting the existing network.

Operate
– Final test of the appropriateness of the design.
– Involves maintaining network health through day to day operation.

Optimise
– Proactive management of the network.
– Goal of this is to identify and resolve issues before they affect the organisation.
– Reactive fault detection and correction (troubleshooting) is needed when proactive management can not predict and mitigate failures.