Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.
- Does load sharing over multiple router gateways
- Uses a single virtual IP but multiple virtual MAC addresses
- The forwarding load is shared amongst all routers in the GLBP group
- All hosts are configured with the same virtual IP
- All members of the group forward packets
- Hello messages are sent every 3 seconds
- Multicast address is 224.0.0.102:3222
- One group member is elected to be the Active Virtual Gateway (AVG)
- Other group members act as backup if the AVG fails
- The AVG assigns a virtual MAC address to each member of the group
- Each gateway assumes responsibility for traffic sent to its MAC address. These are known as Active Virtual Forwarders (AVFs)
- The AVG is responsible for answering ARP requests for the virtual IP
- Load sharing is achieved by the AVG responding with a different MAC address for the virtual IP
- If the AVG does not have an active virtual forwarder, it responds with the MAC address of the first listening virtual forwarder. This causes traffic to route via another gateway until the virtual forwarder once again becomes current
- Important to note is that GLBP does load sharing
- GLBP allows up to 4 virtual MAC addresses per group
- The AVG is responsible for assigning the virtual MAC addresses
- Group members request a virtual MAC address from the AVG via hello messages
- Gateways are assigned the next MAC address in the sequence
- A virtual forwarder that is assigned a virtual MAC address by the AVG is called a primary virtual forwarder
- Virtual forwarders that learn their virtual MAC address via hello messages are known as secondary virtual forwarders
- One device is elected AVG, another gateway is elected as standby, and the other devices are placed in the listening state
- After the AVG fails, the standby takes over and a new standby is elected
- The "Redirect Time" is the period during which hosts continue to be redirected to the old MAC address
- When the "Redirect Time" expires, the AVG stops using the old forwarder MAC address in ARP replies
- The "Secondary" hold time is the interval for which the virtual router is valid
- When the secondary hold time expires, the virtual router is removed from all gateways in the group
- The expired virtual forwarder number becomes eligible for reassignment
- The router with the higher priority is elected as AVG
- After priority, the higher IP wins
- A backup gateway can only become the AVG if the current AVG fails, regardless of priorities
- Thresholding can be used to control forwarding
- Default delay is 30 seconds
- Uses a client cache which contains the hosts that are using the GLBP group as their default gateway
- Entries are added based on ARP requests or IPv6 neighbor discovery
- The stored information is the host that sent the ARP request, which forwarder was assigned to it, the protocol address and the time elapsed since the host entry was updated
- The client cache can store information for up to 2000 hosts per GLBP group
- Expected normal configuration is 1000 hosts
- Cache entries are cleared based on the least recently updated address
- For each host at least 20 bytes is required
- Supports In Service Software Upgrade (ISSU), meaning that the devices can operate on two different software versions
- Each gateway in a group must be configured with the same group number
- At least one device must be configured with the virtual IP address
- All other required parameters can be learned
- Default Hello Time 3 seconds
- Default Hold Time 10 seconds
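As an added illustration (not code from this post or from Cisco), the following Python model walks through the AVG behaviour the notes describe: round-robin virtual MAC assignment in ARP replies, up to 4 forwarders per group, the redirect and secondary hold timers after a forwarder fails, and the client cache with eviction of the least recently updated host. Timer values, MAC strings and the simulated clock are constructed for the model.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional

MAX_FORWARDERS = 4   # GLBP allows up to 4 virtual MAC addresses per group


@dataclass
class Forwarder:
    number: int
    vmac: str                           # constructed sample value
    failed_at: Optional[float] = None   # simulated clock when the AVF failed


@dataclass
class ActiveVirtualGateway:
    virtual_ip: str
    redirect_time: float = 600.0        # assumed value for this model
    secondary_hold: float = 14400.0     # assumed value for this model
    cache_limit: int = 2000             # client cache holds up to 2000 hosts
    forwarders: dict = field(default_factory=dict)          # number -> Forwarder
    client_cache: OrderedDict = field(default_factory=OrderedDict)
    _rr: int = 0                        # round-robin cursor for ARP replies

    def assign_forwarder(self, vmac: str) -> int:
        """Hand out the next free forwarder number; the AVG assigns the virtual
        MAC and the requesting gateway becomes the primary VF for it."""
        for n in range(1, MAX_FORWARDERS + 1):
            if n not in self.forwarders:
                self.forwarders[n] = Forwarder(n, vmac)
                return n
        raise ValueError("GLBP group already has 4 virtual forwarders")

    def fail_forwarder(self, number: int, now: float) -> None:
        self.forwarders[number].failed_at = now

    def expire(self, now: float) -> list:
        """Remove forwarders whose secondary hold time has elapsed; their
        numbers become eligible for reassignment."""
        gone = [n for n, f in self.forwarders.items()
                if f.failed_at is not None and now - f.failed_at >= self.secondary_hold]
        for n in gone:
            del self.forwarders[n]
        return gone

    def _usable(self, f: Forwarder, now: float) -> bool:
        # An active forwarder is always usable; a failed one is still handed
        # out in ARP replies only until the redirect time expires.
        return f.failed_at is None or now - f.failed_at < self.redirect_time

    def arp_reply(self, host_mac: str, host_ip: str, now: float) -> Optional[str]:
        """Answer an ARP request for the virtual IP with a forwarder's virtual
        MAC, round-robin over usable forwarders, and record the host."""
        numbers = sorted(self.forwarders)
        if not numbers:
            return None
        for _ in range(len(numbers)):
            f = self.forwarders[numbers[self._rr % len(numbers)]]
            self._rr += 1
            if self._usable(f, now):
                self._remember(host_mac, host_ip, f.number, now)
                return f.vmac
        return None   # no forwarder left to hand out

    def _remember(self, host_mac: str, host_ip: str, number: int, now: float) -> None:
        # Client cache entry: host MAC -> (IP, assigned forwarder, last update).
        # When the cache is full the least recently updated host is evicted.
        if host_mac in self.client_cache:
            self.client_cache.move_to_end(host_mac)
        elif len(self.client_cache) >= self.cache_limit:
            self.client_cache.popitem(last=False)
        self.client_cache[host_mac] = (host_ip, number, now)
```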
References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-glbp.html
Sunday, December 31, 2017
Cisco CCNP:300-115 - 3.0 Infrastructure Services: 3.1 Configure and verify first-hop redundancy protocols: 3.1.b VRRP
- Designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs
- VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs
- The address of the virtual router is the same as that of the physical interface of a router. This host is called the "Virtual Router Master"
- Every other router in the VRRP group is called a "Virtual Router Backup"
- The "Virtual Router Master" uses the IP address of the physical interface
- The "Virtual Router Master" is also known as the IP owner
- If the "Virtual Router Master" fails, the router with the highest priority becomes the "Virtual Router Master"
- When the original Master recovers, it becomes the Master once again
- Can be configured to share the traffic
- Provides redundancy, load balancing, multiple virtual IPs, authentication, preemption, an advertisement protocol and object tracking
- Supports up to 255 virtual routers, depending on resources, etc.
- Uses MD5 authentication to mitigate spoofing
- Uses multicast IP 224.0.0.18
- Can track interfaces and route state
- The host owning the IP address on the physical interface which maps to the gateway becomes the "Virtual Router Master"
- Like HSRP, the highest priority wins when electing a master if the primary fails
- Unlike HSRP, where priority goes from 0 - 255, VRRP priority goes from 1 - 254
- Like HSRP, if the priority is the same on two devices, then the higher IP wins
- Advertisements are sent to devices in the same group
- By default advertisements are sent every second
- While the RFC does not support millisecond timers, Cisco's implementation allows you to configure them
- Millisecond timer support needs to be configured manually on both primary and backup devices
- Millisecond support works only with Cisco devices
- VRRP can track an interface, the reachability of a route, and the state of an IP route
- The default authentication type is "text"; you can also use an MD5 key string or MD5 key chains
- Can have different IOS versions on primary and backup
- It is recommended to customize VRRP before enabling it, as once enabled the device can become the master of a group
- The device with the owner IP will preempt regardless of preempt configuration
- All devices in the VRRP group must use the same timer values
- If timer values are not set consistently, devices in the group will not communicate and any misconfigured router will change its state to master
References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-vrrp.html
Cisco CCNP:300-115 - 3.0 Infrastructure Services: 3.1 Configure and verify first-hop redundancy protocols: 3.1.a HSRP
- Typically used at Layer 3, providing redundancy for IP traffic
- Layer 2 is used for cluster management
- Allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router
- HSRP can be used on routed interfaces or SVIs
- When HSRP is configured on an interface, ICMP redirects are also automatically enabled for the interface
- HSRP v1 group numbers can be from 0-255
- HSRP v1 uses multicast address 224.0.0.2 to send hello packets
- You cannot enable Cisco Group Management Protocol (CGMP) and HSRP v1 at the same time because they use the same multicast address 224.0.0.2:1985
- HSRP v2 matches group numbers to VLAN IDs
- Can use 0 - 4095 group numbers
- MAC addresses can be from 0000.0C9F.F000 to 0000.0C9F.FFFF
- Uses multicast address 224.0.0.12
- Both CGMP and HSRP can be enabled
- Has a different packet format from v1
- HSRP v2 uses TLVs (Type/Length/Value)
- HSRP v2 can identify the sending router
- If an interface running HSRPv1 gets an HSRPv2 packet, the type field is ignored
- MHSRP - Multiple HSRP
- Allows load sharing between 2 or more groups (and paths)
- Highest priority wins when selecting the Active router
- Ensure you enter "standby preempt" to ensure load sharing continues when the down device comes back online
- Default "Hello Time" 3 seconds
- Default "Hold Time" 10 seconds
- Default "Track" decrements 10 seconds
- Default "Priority" 100
- Cannot enable HSRP for IPv4 and IPv6 at the same time
- HSRP v1 and v2 cannot be enabled at the same time
- Can have up to 32 instances of HSRP groups
- If you configure the same HSRP group number on multiple interfaces, the switch counts each interface as one instance
- The interface must be a Layer 3 interface
- Can run on Layer 3 EtherChannel ports
- All Layer 3 interfaces must have an assigned IP
- The version can be changed from v2 to v1 only if the group numbers are less than 256
- HSRP v2 and HSRP for IPv6 require ranges that are multiples of 256
- If no IP is specified via the "standby ip" command, one is learned through the standby function
- Election is based on "Highest Priority" -> "Highest IP"
- When routing is first enabled, the router does not have to have a complete routing table
- It can still preempt even though it cannot provide full routing services
- A delay can be used to allow the router to update its routing table
- "delay" causes the local router to postpone taking over the active role for the given number of seconds. The range is 0 to 3600 (1 hour); the default is 0 (no delay before taking over)
- Default HSRP authentication string is "cisco"
- Only the "Active" and "Standby" routers send "Hello" messages. All other routers remain in the listening state
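The election rules in the VRRP notes above and in this HSRP post (highest priority, then highest IP; HSRP priority 0-255 versus VRRP 1-254; the VRRP address owner preempting regardless of configuration; tracking decrementing the priority; a returning router only taking over when preempt is set) modelled as an added Python example. This is not code from the post or from Cisco; the Router fields, the 10-per-object track decrement and the sample addresses are constructed for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Priority ranges from the notes: HSRP 0-255, VRRP 1-254. The VRRP address
# owner implicitly runs at 255 and always preempts.
PRIORITY_RANGE = {"hsrp": (0, 255), "vrrp": (1, 254)}
TRACK_DECREMENT = 10   # priority decrement per tracked object that is down


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100          # the default priority in the notes
    preempt: bool = False        # "standby preempt" / vrrp preempt configured
    owner: bool = False          # VRRP only: interface owns the virtual IP
    tracked_down: int = 0        # number of tracked objects currently down
    up: bool = True


def check_priority(proto: str, priority: int) -> None:
    lo, hi = PRIORITY_RANGE[proto]
    if not lo <= priority <= hi:
        raise ValueError(f"{proto.upper()} priority {priority} outside {lo}-{hi}")


def effective_priority(proto: str, r: Router) -> int:
    """Configured priority, adjusted for ownership (VRRP) and tracking."""
    check_priority(proto, r.priority)
    if proto == "vrrp" and r.owner:
        return 255
    return max(0, r.priority - TRACK_DECREMENT * r.tracked_down)


def elect(proto: str, routers: List[Router]) -> Optional[Router]:
    """Highest effective priority wins; on a tie the highest IP wins."""
    candidates = [r for r in routers if r.up]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (effective_priority(proto, r), int(ip_address(r.ip))))


def active_after_return(proto: str, routers: List[Router],
                        current: Router, returning: Router) -> Router:
    """Who is active once a previously failed router comes back: the returning
    router takes over only if it would win the election and is allowed to
    preempt. The VRRP owner preempts regardless of the preempt setting."""
    returning.up = True
    winner = elect(proto, routers)
    allowed = returning.preempt or (proto == "vrrp" and returning.owner)
    if winner is returning and allowed:
        return returning
    return current
```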
References:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4/fhp-12-4-book/fhp-hsrp.html
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.f Storm control
- Storm control prevents LAN ports from being disrupted by broadcast, multicast or unicast traffic storms on physical interfaces
- Storms can occur for multiple reasons, including network misconfiguration and users issuing denial-of-service attacks
- The storm control level is a percentage of the total available bandwidth of the port
- Each port has a single traffic storm control level which is used for all traffic (broadcast, multicast and unicast)
- Does not suppress spanning tree packets
- Does not differentiate control traffic from data traffic outside of spanning tree
- When broadcast storm control is enabled and traffic exceeds the threshold, storm control drops all broadcast traffic until the end of the traffic storm control interval
- If both broadcast and multicast traffic control mechanisms are in place and the combined traffic exceeds the threshold, storm control drops all broadcast and multicast traffic
- If both broadcast and multicast traffic control mechanisms are in place and either of the two traffic types exceeds the threshold, storm control drops all broadcast and multicast traffic
- While storm control is supported on physical interfaces, it can still be configured on an EtherChannel
- When storm control is configured on an EtherChannel, the storm control settings propagate to the physical interfaces in the channel
- Configuring storm control on EtherChannel ports puts the interface in a suspended state
Storm control can use:
  - Bandwidth
    - A percentage of the total bandwidth of the port that can be used by broadcast, multicast or unicast
  - Traffic rate in packets per second
    - The rate at which broadcast, unicast or multicast is received
  - Traffic rate in bits per second
    - The rate at which broadcast, unicast or multicast is received
  - Traffic rate in packets per second for small frames. Enabled globally; the threshold for small frames is configured on each interface
- With each of the above, the port remains blocked until the traffic rate has dropped below the falling threshold (optional) and then resumes forwarding
- If the falling suppression rate is not set, the switch blocks traffic until the rate drops below the rising suppression level
- The higher the level, the less effective the protection against broadcast storms
- When the threshold is met for multicast, all multicast traffic is blocked except for control traffic such as BPDU and CDP. Routing updates are blocked
- A higher level such as 100 percent means no limit is placed on the traffic
- A lower value such as 0 means all broadcast, multicast or unicast traffic on that port is blocked
- By default storm control is disabled, which corresponds to a suppression level of 100
- Storm control is configured on a per port basis
- Storm control actions are shutdown and trap. However, the default is to filter out the traffic and not send traps
- The switchport blocks traffic (shutdown) when the rising level is met
- The switchport forwards traffic when traffic drops below the falling threshold
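The rising/falling behaviour above, as an added Python model (not code from the post or from Cisco's implementation): one traffic type on one port, levels as a percentage of port bandwidth, the port staying blocked until traffic drops below the falling level (or below the rising level when no falling level is set), and the filter, trap and shutdown actions. The per-interval utilisation samples fed to it are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StormControl:
    """Storm control for one traffic type (broadcast, multicast or unicast)
    on one port. Levels are a percentage of the port's bandwidth."""
    rising: float                      # level that triggers suppression
    falling: Optional[float] = None    # optional; rising level used if unset
    action: str = "filter"             # "filter" (default), "trap" or "shutdown"
    blocked: bool = False
    err_disabled: bool = False
    traps: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.rising <= 100:
            raise ValueError("level must be between 0 and 100 percent")
        if self.falling is not None and self.falling > self.rising:
            raise ValueError("falling level cannot exceed the rising level")
        if self.action not in ("filter", "trap", "shutdown"):
            raise ValueError(f"unknown action {self.action}")

    def observe(self, utilisation: float) -> str:
        """Feed one interval's measured utilisation (percent of bandwidth)
        and return the port state for that interval."""
        if self.err_disabled:
            return "err-disabled"
        if not self.blocked:
            # Level 100 never triggers; level 0 blocks any traffic at all.
            if utilisation > self.rising:
                self.blocked = True
                if self.action == "shutdown":
                    self.err_disabled = True   # port is error-disabled
                    return "err-disabled"
                if self.action == "trap":
                    self.traps.append(f"storm detected at {utilisation:.1f}%")
        else:
            # Stay blocked until traffic drops below the falling level; with no
            # falling level configured the rising level is used instead.
            threshold = self.falling if self.falling is not None else self.rising
            if utilisation < threshold:
                self.blocked = False
                if self.action == "trap":
                    self.traps.append(f"storm cleared at {utilisation:.1f}%")
        return "block" if self.blocked else "forward"


def run(samples: List[float], **settings) -> List[str]:
    """Apply one StormControl configuration to a series of samples."""
    sc = StormControl(**settings)
    return [sc.observe(s) for s in samples]
```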
References:
https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/12-1E/configuration/guide/storm.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.d Port security
- Used to restrict input to an interface by limiting and identifying MAC addresses
- When the maximum number of MAC addresses is reached on a secure port, a security violation occurs
- Port security is disabled by default
- When enabled, the port is shut down when the maximum number of secure MAC addresses has been exceeded
- Static secure MAC addresses - manually configured, stored in the address table and added to the switch running config
- Dynamic secure MAC addresses - dynamically configured, only stored in the address table and removed when the switch restarts
- Sticky secure MAC addresses - learned dynamically or manually configured, stored in the address table and added to the running configuration
- All sticky MAC addresses are added to the running configuration
A violation occurs for any of the following:
  - The maximum number of secure MAC addresses has been added to the address table and a new station attempts to access the interface
  - An address learned or configured on one secure interface is seen on another secure interface
Violation modes are:
  - Protect
    - Packets from unknown sources are dropped when the maximum number of MAC addresses is reached on an interface
    - You must either remove a sufficient number of unknown MAC addresses or increase the number of allowable addresses
    - No notification is provided that a security violation has occurred
  - Restrict
    - Packets from unknown sources are dropped when the maximum number of MAC addresses is reached on an interface
    - You must either remove a sufficient number of unknown MAC addresses or increase the number of allowable addresses
    - Notification is provided that a violation has occurred
    - An SNMP trap is sent, a syslog message is logged and the violation counter increases
  - Shutdown
    - This is the default mode
    - When a violation occurs, the interface becomes error-disabled and is shut down immediately
    - Port LEDs are turned off
    - An SNMP trap is sent, a syslog message is logged and the violation counter increases
    - You can use the following command to bring the interface out of the error-disabled state after a specific time:
      SW2(config)#errdisable recovery cause psecure-violation
    - Alternatively you can manually re-enable it with "shutdown" followed by "no shutdown"
  - Shutdown VLAN
    - Sets the security violation mode per VLAN
    - Puts the VLAN in the error-disabled state instead of the port when a violation occurs
- Port security can be configured on static access or trunk ports only
- A secure port cannot be a dynamic access port
- A secure port cannot be a destination port for SPAN
- Secure ports cannot belong to a Gigabit EtherChannel port group
- Note, voice VLAN is only available on access ports and not trunk ports
- Secure ports cannot be private-VLAN ports
- When using port security with voice VLANs, set the maximum allowable MACs to 2 on the port
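The address types, the two violation triggers and the protect / restrict / shutdown modes above, as an added Python model (not code from the post or from Cisco): frames arriving on secure ports either match a secured address, get learned (dynamic or sticky, sticky landing in the running config), or trigger a violation; the model also shows which addresses survive a reload and how error-disable recovery brings a port back. Port names, MAC addresses and the log message text are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"       # the default mode in the notes
    sticky: bool = False
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> static|dynamic|sticky
    err_disabled: bool = False
    violation_count: int = 0

    def __post_init__(self) -> None:
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation}")


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.running_config: List[str] = []   # static and sticky addresses land here
        self.syslog: List[str] = []
        self.traps: List[str] = []

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def add_static(self, port_name: str, mac: str) -> None:
        self.ports[port_name].secure_macs[mac] = "static"
        self.running_config.append(f"{port_name} switchport port-security mac-address {mac}")

    def ingress(self, port_name: str, src_mac: str) -> str:
        """Process a frame arriving on a secure port and report what happened."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in port.secure_macs:
            return "forwarded"
        # Violation when the table is full or the address is secured on another port.
        seen_elsewhere = any(src_mac in p.secure_macs
                             for p in self.ports.values() if p is not port)
        if seen_elsewhere or len(port.secure_macs) >= port.maximum:
            return self._violation(port, src_mac)
        kind = "sticky" if port.sticky else "dynamic"
        port.secure_macs[src_mac] = kind
        if kind == "sticky":   # sticky addresses are written to the running config
            self.running_config.append(
                f"{port.name} switchport port-security mac-address sticky {src_mac}")
        return f"forwarded: learned {kind}"

    def _violation(self, port: SecurePort, mac: str) -> str:
        if port.violation == "protect":
            return "dropped"   # silent: no syslog, no trap, counter unchanged
        port.violation_count += 1
        self.syslog.append(f"security violation on {port.name} caused by {mac}")  # constructed text
        self.traps.append(port.name)
        if port.violation == "restrict":
            return "dropped: restrict"
        port.err_disabled = True   # shutdown mode: the port goes error-disabled
        return "dropped: err-disabled"

    def recover(self, port_name: str) -> None:
        """Models errdisable recovery (or a manual shutdown / no shutdown)."""
        self.ports[port_name].err_disabled = False

    def reload(self) -> None:
        """Dynamic addresses do not survive a restart; static and sticky do."""
        for port in self.ports.values():
            port.secure_macs = {m: k for m, k in port.secure_macs.items() if k != "dynamic"}
```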
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.c Dynamic ARP inspection
- Security feature which validates ARP packets in a network
- Dynamic ARP inspects, intercepts, logs and discards ARP pakcets with invalid iP-to-MAC address bindins
- Can protect from certain man-in-the-middle attack
- Ensures only valid ARP requests and responses are relayed
- First step is to intercept all ARP requests and response on untrusted ports
- Next step is to verify the IP-to-MAC binding is valid before updaing the local ARP cache or forwarding the packet to the correct destination
- Drop Invalid ARP Packets
- Validit of an ARP packet is based on valid IP-to-KAC address biding which are stroed in the trusted database known as the DHCP snooping binding database
- The DHCP binding database is built by DHCP snooping if it is enabled on the VLANs and on the switchc
- ARP packets received on trusted interfaces are forwarded without any checks
- ARP packets on untrusted interfaces are only forwarded if they are valid
- Dynamic ARP inspection is enabled on a per VLAN basis using:
SW2(config)#ip arp inspection vlan 30
- Dynamic ARP can also be used in non-DHCP environments
- Dynamic ARP Inspection can be configured to drop packets when the IP address in the packets are invalid
- Dynamic ARP inspection can also drop packets when the MAC address in the body of the ARP packets do not match the address specified in the Ethernet header
Trust States and Network Security
- Dynamic ARP Inspection associates each interface with a trust state
- Traffic coming in on trusted interfaces bypass all dynamic ARP validation checks
- Traffic arriving on untrusted interfaces undergoes the dynamic ARP inspection validation process
- To configure trust setting, use:
SW2(config-if)#ip arp inspection trust
- Configuring interfaces as untrusted when they should be trusted can result in a loss of conectivity
- Dynamic ARP inspection ensures hosts connected to untrusted ports do not poison the ARP caches of other hosts on the network
- By default the rate of untrusted packets is 15 packets per second (pps)
- Trusted interfaces are not rate limited
- When the rate of incoming packets exceeds the configured limit, the interface is placed in "err-disabled" state
- When the port goes into "err-disabled" state, manual intervention is required if global recovery is not configured
- If EtherChannel is in use, the ARP rate on the channel is the sum of the rates on all of its member ports and is checked against the channel's limit (for example, a channel limited to 20 pps is exceeded when its members together receive more than 20 pps). If the limit is exceeded, the entire channel is placed in "err-disabled" state
- Dynamic ARP inspection uses the DHCP snooping binding database
- Switches first compare ARP packets to user-configured ARP ACLs
- If the ARP ACL denies the ARP packet, then the switch also denies the packet. This is so even if a valid binding exists in the DHCP snooping database
- By Default Dynamic ARP Inspection is disabled on all VLANs
- By Default All interfaces are untrusted
- Dynamic ARP inspection is an ingress security feature
- Dynamic ARP inspection does not perform any egress checking
- Dynamic ARP inspection relies on entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and responses
- Dynamic ARP inspection is supported on access, trunk, EtherChannel and private VLAN ports
- Dynamic ARP inspection should not be enabled on RSPAN VLANs. Packets may not reach the RSPAN destination port
- Physical ports can join the channel group only when the trust state of the physical port matches that of the channel. Otherwise ports remain suspended in the channel
- The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical port's configuration
- When the EtherChannel receives more packets than the configured rate, the interfaces in the channel and the channel itself are placed in "err-disabled" state
- When Dynamic ARP inspection is enabled, ARP traffic policers configured through QoS are no longer valid; DAI's own per-interface rate limit applies instead
- To see current Dynamic ARP inspection interface status use
SW2#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/0/1 Untrusted 15 1
Gi1/0/2 Untrusted 15 1
Gi1/0/3 Untrusted 15 1
.....
Gi1/0/23 Trusted None N/A
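A worked DAI configuration that ties the notes above together, added here as an example; it is not taken from the page or from Cisco's documentation. It assumes a 3750-style switch on which DHCP snooping is already enabled for VLAN 30, that Gi1/0/23 is the uplink towards the DHCP server and the rest are host ports, and that 10.30.0.50 / 0011.2233.4455 is a statically addressed host. The VLAN number, interface names, ACL name and host addresses are all made up for the example.

```cisco
! --- Global: enable DAI for VLAN 30 (DHCP snooping on VLAN 30 is assumed
!     to already be building the binding database that DAI checks) ---
ip arp inspection vlan 30
!
! Extra checks beyond the IP-to-MAC binding lookup:
!   src-mac : sender MAC in the ARP body must match the Ethernet source MAC
!   dst-mac : target MAC in the ARP body must match the Ethernet destination MAC (replies)
!   ip      : drop 0.0.0.0, 255.255.255.255 and multicast sender/target IPs
ip arp inspection validate src-mac dst-mac ip
!
! --- Statically addressed host (no DHCP binding): ARP ACL supplies the binding ---
! An explicit deny in the ACL wins even when the snooping database holds a
! matching binding; packets the ACL does not match are still checked against
! the database (append the "static" keyword to make the implicit deny final).
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.30.0.50 mac host 0011.2233.4455
ip arp inspection filter DAI-STATIC-HOSTS vlan 30
!
! --- Uplink: trusted, so no validation and no rate limit ---
interface GigabitEthernet1/0/23
 description uplink to distribution / DHCP server
 ip arp inspection trust
!
! --- Host ports: untrusted (the default), default 15 pps limit made explicit ---
interface range GigabitEthernet1/0/1 - 22
 ip arp inspection limit rate 15 burst interval 1
!
! --- Let an err-disabled port recover without manual intervention ---
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Verification (privileged EXEC) ---
show ip arp inspection vlan 30
show ip arp inspection interfaces
show ip arp inspection statistics vlan 30
show ip arp inspection log
```

The statistics and log output are where a practitioner confirms the feature is actually doing work: "DHCP Drops" and "ACL Drops" counters rising on VLAN 30 while the uplink shows none are the expected signature of a host port that is spoofing ARP.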
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdynarp.html
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.b IP Source Guard
- Restricts IP traffic on non-routed ports
- Filters Layer 2 traffic by leveraging the DHCP snooping binding database and manually configured IP source bindings
- Can be used to prevent traffic attacks where a host tries to use its neighbour's IP address (IP spoofing on the local segment)
- IP Source Guard can be enabled on an untrusted interface when DHCP snooping is enabled
- Once enabled, IPSG blocks all IP traffic received on an interface except for DHCP packets allowed by DHCP snooping
- Leverages port ACL
- Port ACLs only allow IP traffic whose source IP is in the IP source binding table and denies all other traffic
- IP source binding table bindings are learned by DHCP snooping or manually configured (static IP source bindings)
- Works on Layer 2 ports, including trunks and access ports
- Can use either source IP address filtering or source IP and MAC address filtering
- Source IP Address filtering
- Filtering done based on source IP address
- IP traffic is forwarded when the source IP matches an entry in the DHCP snooping binding database or a binding in the IP source binding table
- Source IP and MAC Address Filtering
- Traffic filtered based on the source IP and MAC address
- The switch forwards traffic only if both the source IP and MAC address match an entry in the IP source binding table
- The switch uses port security to filter source MAC addresses
- Interface can shutdown when port-security violation occurs
- IP SourceGuard is not supported on EtherChannels
- Can leverage 802.1x port based authentication
- In a stack environment, IP Source Guard is configured on the stack member interface
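A worked IP Source Guard configuration covering both filtering modes and a static binding, added as an example; it is not the page's own configuration nor taken from Cisco's documentation. It assumes a 3750-style switch with hosts in VLAN 30 on Gi1/0/1, Gi1/0/2 and Gi1/0/5, and a statically addressed host 10.30.0.50 / 0011.2233.4455 on Gi1/0/5; all of those names and addresses are made up for the example.

```cisco
! IPSG builds on DHCP snooping, so it must already be on globally and on the VLAN
ip dhcp snooping
ip dhcp snooping vlan 30
!
! --- Host port with source-IP filtering only ---
! Only IP packets whose source IP is in the binding table leave this port;
! DHCP packets permitted by DHCP snooping are the one exception.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 30
 ip verify source
!
! --- Host port with source IP + MAC filtering ---
! The MAC half of the check is done by port security, so it has to be enabled.
! Default violation mode is shutdown (err-disable); "restrict" keeps the port up
! and just drops and counts the offending frames.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source port-security
!
! --- Statically addressed host: add a manual IP source binding ---
! (listed with type "static" in show ip source binding)
ip source binding 0011.2233.4455 vlan 30 10.30.0.50 interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 30
 ip verify source
!
! --- Verification (privileged EXEC) ---
show ip verify source
show ip source binding
show ip dhcp snooping binding
```

`show ip verify source` lists, per interface, the filter type (ip or ip-mac) and the IP/MAC currently permitted; an interface whose host has no binding yet shows a deny-all entry, which is the expected state until that host completes a DHCP exchange or a static binding is added.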
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.a DHCP snooping
- DHCP Snooping filters untrusted DHCP messages by building and maintaining a DHCP snooping binding database
- The DHCP snooping binding database is also known as snooping binding table
- DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
- Used to differentiate between untrusted interfaces connected to endpoints and trusted interfaces connected to DHCP servers or other switches
- For DHCP snooping to function, all DHCP servers must be connected to trusted switch interfaces
- Messages from unknown devices are untrusted
- DHCP snooping binding database contains the MAC address, IP address, Lease time, binding type, VLAN number and interface information
- DHCP snooping binding database contains information relating to local untrusted interfaces of a switch
- DHCP snooping binding database does not contain information relating to host on trusted interfaces
- Comparison is done between the source MAC address and the DHCP client hardware address
- If the addresses match, the packet is forwarded
- If the addresses do not match, the switch drops the packet
- Packets get dropped for the following reasons:
- A DHCP server message (DHCPOFFER, DHCPACK, DHCPNAK or DHCPLEASEQUERY) is received on an untrusted interface, i.e. from a server outside the network or firewall
- A packet is received on an untrusted interface and the source MAC address and the DHCP client hardware address do not match
- A DHCPRELEASE or DHCPDECLINE broadcast message has a MAC address in the DHCP snooping binding database, but the interface information in the database does not match the interface on which the message was received
- A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address (giaddr) that is not 0.0.0.0 to an untrusted port
- The relay agent forwards a packet that includes option-82 information to an untrusted port
- DHCP option-82 feature is only supported when DHCP snooping is enabled globally
- Users must be in the VLAN configured for DHCP snooping to take advantage of it
- When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces
- The DHCP snooping binding database can store up to 8192 bindings
- The database agent stores the bindings in a file at a configured location
- To keep the entry when the switch reloads, the DHCP snooping database agent must be used
- DHCP snooping is managed on the stack master
- All statistics are generated on the stack master. When the stack master changes, the statistics counters get reset
- DHCP snooping is not active until DHCP snooping is enabled on a VLAN
- DHCP Snooping can be configured on Private VLANs
- When DHCP snooping is enabled on a private VLAN, the configuration is propagated to both the primary VLAN and its associated secondary VLANs
- If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs
- If configuration changes are made on a secondary VLAN after configuring the primary VLAN, the changes made to the secondary VLAN do not take effect
- DHCP snooping must therefore be configured on the primary VLAN
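A worked DHCP snooping configuration for the behaviour described above, added as an example; it is not the page's own configuration nor taken from Cisco's documentation. It assumes a 3750-style switch with hosts in VLAN 30, Gi1/0/23 as the uplink towards the DHCP server, flash storage for the database agent and a private VLAN 100; the VLAN numbers, interface names and file name are made up for the example.

```cisco
! --- Global ---
ip dhcp snooping
ip dhcp snooping vlan 30
! Source-MAC vs. client hardware address (chaddr) check: on by default, shown explicitly
ip dhcp snooping verify mac-address
! Option-82 insertion is on by default; disable it if the upstream DHCP server
! discards packets carrying option 82 from a device that is not its relay
no ip dhcp snooping information option
! If instead an edge switch downstream inserts option 82 and this switch
! sees it on an untrusted port, accept it rather than dropping:
! ip dhcp snooping information option allow-untrusted
!
! --- Database agent: keep bindings across a reload ---
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 300
!
! --- Trusted port: towards the DHCP server (and towards other snooping switches) ---
interface GigabitEthernet1/0/23
 description uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! --- Untrusted host ports (the default): rate-limit DHCP to contain a starvation flood ---
interface range GigabitEthernet1/0/1 - 22
 switchport mode access
 switchport access vlan 30
 ip dhcp snooping limit rate 10
!
! --- Private VLAN: enable on the primary only; it propagates to the secondaries ---
! ip dhcp snooping vlan 100
!
! --- Verification (privileged EXEC) ---
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping database
show ip dhcp snooping statistics
```

The binding table should only ever list hosts behind untrusted ports; a server reply arriving on a host port is the rogue-DHCP case this feature exists for, and it shows up as a rising drop counter in `show ip dhcp snooping statistics` rather than as a binding.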
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
Cisco CCNP:300-115 - 1.8.a Stackwise
- Up to 9 switches can be stacked together
- Uses the StackWise cable
- Makes multiple physical switches into one logical switch
- If one cable is removed the ring is broken but the stack continues to work
- One switch in the stack becomes the "Master" and does all management tasks
- All switches other than the "Master" are "Members"
- Election process starts at installation or reboot of the entire stack
- Election process (highest precedence first):
1. The switch that is currently the stack master
2. "User priority": the switch with the highest user-configured member priority value
3. "Default configuration": a switch with a saved, non-default configuration beats a switch running the default configuration
4. "Hardware/software priority": the switch with the more extensive feature set and software version gets higher priority
5. "Longest uptime"
6. "Lowest MAC address"
- User priority is typically used to configure a master
- All switches share the same management IP, hostname, configuration, routing, topology, etc
- VSS on the 4500/6500 is the equivalent concept to StackWise on the 3750: multiple physical chassis managed as one logical switch
- Stack is managed by the "Master" unit
- Both "Master" and "Member" switches act as forwarders
- Single IP used for management applies to: fault detection, virtual LAN (VLAN) creation and modification, security, and QoS controls
- Each stack has one and only one configuration file, which is distributed to each member of the stack
- Any member can become a master if the master fails
- Up to 9 3750 switches in a single unit
- Traffic flows at 16 Gbps per direction, for a total of 32 Gbps across the stack ring
- When a new switch is added, the "Master" switch automatically configures the unit with the IOS image and the configuration of the stack
- The network manager does not need to do anything to bring up the switch
- Switches can be removed without any operational effect
- A break in any one of the cables halves the stack bandwidth
- Uses subsecond
- 1:N master redundancy allows each stack member to serve as master
- 1:N If one switch fails all other units can continue to forward traffic
- When a new master is selected, it applies the configuration from the previous master
- master switch keeps a table of all the mac-addresses
- Master switch creates a map of all mac-address in the entire stack and distribute it to the subordinates
- each switch then becomes aware of every port in the stack
- subordinate switches keep their own spanning tree for each vlan they support
- Stackwise ring ports are never put into Spanning Tree protocol blocking state
- Master switch keeps a copy of all the spanning tree tables for each vlan in the stack
- Multiple switches in a stack can create an etherchannel
- Loss of connectivity in an individual switch will not affect the connectivity of other switches
- Switches can support dual homing to different routers for redundancy
- RPR+ for layer 3 resiliency: Each switch is initialized for routing capability and is ready to be elected as master if the master fails
- Layer 3 Nonstop Forwarding (NSF) is also supported in stacks of 2 or more
- Layer 2 is done in distributed method
- Layer 3 is done via centralized manner
- All units in the stack must use the same Cisco IOS software
- Recommended that the stack has the same feature set on each unit. However, not mandatory
- Later versions require that all switches be at the same version as the master
- If the IOS version of a new switch does not match the stack's, one of three things happens:
1. If the hardware is supported, the master copies the IOS image it holds in flash memory to the new switch, sends it the configuration and brings the device online
2. If the hardware is supported and a TFTP server has been configured, the master downloads the image from TFTP and configures the new device
3. If the hardware is not supported, the new switch stays in a suspended state, notifies the user of the version incompatibility and waits until the master is upgraded to an IOS version that supports both types of hardware. The master then upgrades the rest of the stack, including the new switch
- Upgrade applies to all devices in the stack
- If there are different supported images in use, after the upgrade all members of the stack will have the same software
- Each data packet is put on the stack only once
- Each data packet has a 24 byte header
- Etherchannel technology can operate across multiple devices in the stack
- Etherchannel can aggregate up to 8 ports from any switches in the stack
- Up to 48 Etherchannel groups are supported on a stack
- Stackwise plus support destination stripping
- Stackwise supports source stripping
- highest priority number in the stack wins
- Lowest Mac Address wins
- Stack members cannot have the same number
- Cisco recommends specifying the stack master through the highest priority value
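A worked stack-management configuration for the election and membership rules above, added as an example; it is not the page's own configuration nor taken from Cisco's documentation. It assumes a 3750-X stack in which member 1 should be master with member 2 as the preferred standby, a replacement unit that joined as member 4 and should become member 3, and a not-yet-delivered member 5; the member numbers and model string are made up for the example.

```cisco
! ===== Global configuration on the stack master =====
! Member priority is 1-15 (default 1); the highest value wins the election.
! Changing it does not pre-empt the running master; it applies at the next
! election, i.e. when the stack (or the master) reloads.
switch 1 priority 15
switch 2 priority 14
!
! Member numbers must be unique. A unit that joins with a number already in
! use is given the lowest free number; renumber it explicitly so its interface
! names (Gi<member>/0/x) match the configuration it will inherit.
! The new number takes effect when that member reloads.
switch 4 renumber 3
!
! Pre-provision a member that has not arrived yet so its interface
! configuration can be entered and saved ahead of time.
switch 5 provision ws-c3750x-48p
!
! ===== Privileged EXEC: verification =====
! Roles (Master/Member), priorities, member numbers and state
show switch
show switch detail
! Both stack ports "OK" on every member = intact ring (full 32 Gbps);
! a broken cable shows as a "Down" port and halves the ring bandwidth
show switch stack-ports
! Every member must report the same image as the master
show version
!
! Reload only the renumbered member; the rest of the stack keeps forwarding
reload slot 4
```

Leaving every member at the default priority makes the outcome of the next election depend on uptime and MAC address, which is why the recommendation is to pin the master with the highest priority value: a predictable master means predictable console, management IP and configuration ownership after a power event.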
Cisco CCNP:300-115 - 1.7.a SPAN, RSPAN
- SPAN
- Supports SPAN session entirely within one switch
- All source ports, source VLANs and destination ports are all part of the same switch
- Copies traffic from one or more source port or VLANs to a destination port for analysis
- Sources can be ports or VLANs
- Cannot mix source port and source VLANs in the same session
- Up to 2 source sessions (local SPAN and RSPAN source sessions) are supported
- Can run both local SPAN and a RSPAN source session in the same switch
- Supports up to 66 source and RSPAN destination sessions
- Can have up to 64 destination ports in a SPAN session
- Can have two separate SPAN or RSPAN source sessions
- Both switched and routed ports can be configured as SPAN sources and destinations
- SPAN sessions can be configured on disabled ports
- If configured on disabled ports, the session does not become active unless a destination port and at least one source port or VLAN is enabled for that session
- A combination of local SPAN and RSPAN in a single session is not supported:
- An RSPAN source session cannot have a local destination port
- An RSPAN destination session cannot have a local source port
- An RSPAN destination session and an RSPAN source session that use the same RSPAN VLAN cannot run on the same switch
- Default configuration for a local SPAN session destination port is to send all packets untagged
- SPAN does not typically monitor BPDU, CDP, VTP, DTP, STP, PAgP
- Supports a max of 2 sessions (local or RSPAN)
- You cannot mix ports and VLANs in a single session
- Source ports can be monitored in multiple SPAN sessions
- Each source port can be configured with a direction or ingress, egress or both to be monitored
- SPAN sessions
- A SPAN session is the association of a destination port with a set of source ports or VLANs on a single switch
- Can have multiple SPAN sessions in a switched network
- SPAN sessions do not interfere with normal operation of the switch
- SPAN can be enabled or disabled via CLI or SNMP
- SPAN or RSPAN destination and source session remains inactive until the destination port or source port or RSPAN VLAN becomes active
- Destination Port
- If configuration change is made to the port while it is acting as a SPAN destination, the change does not take effect until the SPAN destination configuration has been removed
- If the destination port was in an EtherChannel group, it is removed from the group
- Can be an Ethernet physical port
- It cannot be a secure port
- It cannot be a source port
- It cannot be an EtherChannel group or VLAN
- Can participate in only one SPAN session at a time
- Does not participate in Layer 2 protocols such as STP, VTP, CDP, DTP, PAgP
- Destination port which belongs to any source VLAN of any SPAN session is excluded from the source list and is not monitored
- If the destination port was a routed port, it no longer is a routed port
- Also called the monitor port
- destination port does not forward any traffic except those required for the SPAN session
- By default active destination port disables incoming traffic
- If incoming traffic is enabled on the destination port, the traffic is switched in the native VLAN of the destination port
- The destination port does not particpate in spanning tree while the SPAN session is active
- Only one destination port allowed per SPAN session
- Same port cannot be a destination for multiple SPAN sessions
- Destination port cannot be configured as a source port or a reflector port
- EtherChannel ports cannot be SPAN destination ports
- For multicast packets, only a single packet is sent to the SPAN. It does not reflect the number of times the multicast packet is sent
- A private-VLAN port cannot be a SPAN destination port
- A secure port cannot be a SPAN destination
- Do not enable port security on port with monitored egress when ingress forwarding is enabled on the destination port
- For RSPAN source sessions, do not enable port security on any ports with monitored egress
- 802.1x port can be a SPAN Source
- While 802.1x can be configured on SPAN destination, 802.1x is disabled until the port is removed as a SPAN destination
- Source Port
- Traffic can be categorized as ingress, egress or both
- Can monitor one or more source ports in a single SPAN session
- Source ports can be in any VLAN
- VLANs can be source port. This means all ports in the specified VLANs are source ports for the SPAN session
- Source ports are administrative, operational or both
- Admin source ports are specified during SPAN session configuration
- Operational source ports are monitored by destination ports
- Operational sources are always active ports
- If the port is not in the spanning tree it is not an operational source
- All physical ports in a EtherChannel source are included in operational sources if the logical port is includes in the spanning tree
- A port can be in multiple active SPAN sessions
- An active source port cannot be a destination or reflector port in a SPAN session
- If a SPAN session is inactive, the "oper source" field does not update until the session becomes active
- Both trunk and non trunk ports can be used as source ports
- Trunk settings on the destination port during the SPAN session determines the encapsulation of the packets that are forwarded by the destination port
- Source Ports can be EtherChannel, Fast Ethernet, Gigabit Ethernet, etc
- Traffic can be monitored on the entire EtherChannel or on specific ports as it participates in the channel
- Can be access port, trunk port, routed port or voice VLAN
- Source ports cannot also be a destination port
- Source ports can be in the same or different VLAN
- Can monitor multiple source ports in a single session
EtherChannel considerations
- When EtherChannel group is configured as a SPAN source, the entire group is monitored
- If a port is added or removed from the EtherChannel it is automatically added or removed from the SPAN source port list
- A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be part of the EtherChannel. In this case data from the physical interface is monitored as it participates in the EtherChannel
- Physical interfaces which are part of an EtherChannel group and configured as a SPAN destination are removed from the group
- When a destination port is removed from a SPAN session it rejoins the EtherChannel group it was part of
- Ports removed from an EtherChannel group remain members of the group but are in the "inactive" or "suspended" state
- If a physical interface that belongs to an EtherChannel group is configured as a SPAN destination while that EtherChannel is a SPAN source, the port is removed from the EtherChannel group and from the list of monitored ports
- Source VLANs
- Monitoring of network traffic in one or more VLANs
- Traffic is monitored on all ports in the VLAN
- All active ports in the source VLAN are included as source ports
- ports can be monitored in both direction
- Only traffic on the monitored VLAN is sent to the destination port
- If destination port belongs to a source VLAN, it is excluded from the source list and not monitored
- For ports added or removed from the VLAN, traffic is adjusted accordingly
- Filter VLANs cannot be used in the same session with VLAN sources
- Only Ethernet VLANs can be monitored
Trunk VLAN Filtering
- Applies only to trunk ports or to voice VLAN ports
- Only allowed on port-based sessions and is not allowed in session with VLAN sources
- uses the filter keyword
- Analysis of traffic on a specified set of VLANs on trunked source ports
- Traffic is limited to the specified VLANs
- Trunked VLAN can be applied with source ports
- VLAN filtering can be used with RSPAN
- Use VLAN filtering only with trunk source port
- When VLAN is cleared it is removed from the VLAN filter list
- A SPAN session is disabled if the VLAN filter list becomes empty
- Trunk VLAN filtering is not applicable to VSPAN (VLAN-based SPAN) sessions
- Trunk VLAN filtering is available for local and RSPAN sessions
- SPAN monitors all network traffic
- RSPAN does not support monitoring of BPDU packets
- RSPAN
- Consists of at least one RSPAN source session, a RSPAN VLAN and at least one RSPAN destination session
- Supports source ports, source VLANs and destination port on different switches
- Traffic is carried over a user specified RSPAN sessions in all participating switches
- Destination is always a physical port
- The RSPAN destination switch strips off the RSPAN VLAN tag before presenting the packets on the destination port
- Results in each monitored packet being transmitted twice. One as normal traffic and the other as a monitoried packet
- All traffic in the RSPAN VLAN is always flooded
- No MAC Address learning occurs on the RSPAN VLAN
- RSPAN VLAN traffic only flows on trunk ports
- Uses the remote-span command in VLAN configuration mode
- STP can run on RSPAN VLAN trunks but not on SPAN destination ports
- If the RSPAN VLAN ID is in the extended VLAN range, it must be manually configured on all intermediate switches
- Normal to have multiple RSPAN VLANs in a network at the same time
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/span.html
- SPAN
- Supports SPAN session entirely within one switch
- All source ports, source VLANs and destination ports are all part of the same switch
- Copies traffic from one or more source ports or VLANs to a destination port for analysis
- Sources can be ports or VLANs
- Cannot mix source port and source VLANs in the same session
- Supports up to 2 source sessions (local and RSPAN sessions)
- Can run both a local SPAN and an RSPAN source session in the same switch
- Supports up to 66 source and RSPAN destination sessions
- Can have up to 64 destination ports in a SPAN session
- Can have two separate SPAN or RSPAN source sessions
- Both switched and routed ports can be configured as SPAN sources and destinations
- SPAN sessions can be configured on disabled ports
- If configured on disabled ports, the session does not become active unless a destination port and at least one source port or VLAN is enabled for that session
- The combination of SPAN and RSPAN in a single session
- RSPAN source session cannot have a local destination port
- RSPAN destination session cannot have a local source port
- RSPAN destination session and a RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch
- Default configuration for a local SPAN session port is to send all packets untagged
- SPAN does not typically monitor BPDU, CDP, VTP, DTP, STP, PAgP
- Supports a max of 2 sessions (local or RSPAN)
- You cannot mix ports and VLANs in a single session
- Source ports can be monitored in multiple SPAN sessions
- Each source port can be configured with a direction of ingress, egress or both to be monitored
- Source ports
- Association of a destination port with a set of source ports or VLANs on a single switch
- Can have multiple SPAN sessions in a switched network
- SPAN sessions do not interfere with normal operations of the switch
- SPAN can be enabled or disabled via CLI or SNMP
- SPAN or RSPAN destination and source sessions remain inactive until the destination port, source port or RSPAN VLAN becomes active
- Destination Port
- If configuration change is made to the port while it is acting as a SPAN destination, the change does not take effect until the SPAN destination configuration has been removed
- If the destination port was in an EtherChannel group, it is removed from the group
- Can be an Ethernet physical port
- It cannot be a secure port
- It cannot be a source port
- It cannot be an EtherChannel group or VLAN
- Can participate in only one SPAN session at a time
- Does not participate in Layer 2 protocols such as STP, VTP, CDP, DTP, PAgP
- Destination port which belongs to any source VLAN of any SPAN session is excluded from the source list and is not monitored
- If the destination port was a routed port, it no longer is a routed port
- Also called the monitor port
- The destination port does not forward any traffic except that required for the SPAN session
- By default, an active destination port disables incoming traffic
- If incoming traffic is enabled on the destination port, the traffic is switched in the native VLAN of the destination port
- The destination port does not participate in spanning tree while the SPAN session is active
- Only one destination port allowed per SPAN session
- Same port cannot be a destination for multiple SPAN sessions
- Destination port cannot be configured as a source port or a reflector port
- EtherChannel ports cannot be SPAN destination ports
- For multicast packets, only a single packet is sent to the SPAN. It does not reflect the number of times the multicast packet is sent
- A private-VLAN port cannot be a SPAN destination port
- A secure port cannot be a SPAN destination
- Do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port
- For RSPAN source sessions, do not enable port security on any ports with monitored egress
- An 802.1x port can be a SPAN source
- While 802.1x can be configured on SPAN destination, 802.1x is disabled until the port is removed as a SPAN destination
- Source Port
- Traffic can be categorized as ingress, egress or both
- Can monitor one or more source ports in a single SPAN session
- Source ports can be in any VLAN
- VLANs can be sources. This means all ports in the specified VLANs are source ports for the SPAN session
- Source ports are administrative, operational or both
- Admin source ports are specified during SPAN session configuration
- Operational source ports are monitored by destination ports
- Operational sources are always active ports
- If the port is not in the spanning tree it is not an operational source
- All physical ports in an EtherChannel source are included in operational sources if the logical port is included in the spanning tree
- A port can be in multiple active SPAN sessions
- An active source port cannot be a destination or reflector port in a SPAN session
- If a SPAN session is inactive, the "oper source" field does not update until the session becomes active
- Both trunk and non trunk ports can be used as source ports
- Trunk settings on the destination port during the SPAN session determine the encapsulation of the packets that are forwarded by the destination port
- Source Ports can be EtherChannel, Fast Ethernet, Gigabit Ethernet, etc
- Traffic can be monitored on the entire EtherChannel or on specific ports as it participates in the channel
- Can be an access port, trunk port, routed port or voice VLAN port
- Source ports cannot also be a destination port
- Source ports can be in the same or different VLANs
- Can monitor multiple source ports in a single session
EtherChannel considerations
- When EtherChannel group is configured as a SPAN source, the entire group is monitored
- If a port is added or removed from the EtherChannel it is automatically added or removed from the SPAN source port list
- A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be part of the EtherChannel. In this case data from the physical interface is monitored as it participates in the EtherChannel.
- Physical interfaces which are part of an EtherChannel group and configured as a SPAN destination are removed from the group
- When a destination port is removed from a SPAN group it rejoins the EtherChannel group it was part of
- Ports removed from an EtherChannel group remain members of the group but are in the "inactive" or "suspended" state
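As an added example (not from the post or the Cisco documentation it summarises), the session rules above encoded as a checker that flags SPAN/RSPAN definitions violating them; the session layout, interface names and the `Po` prefix used to recognise EtherChannel destinations are constructed assumptions:

```python
"""Check a switch's SPAN / RSPAN session definitions against the rules in the notes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_SOURCE_SESSIONS = 2  # notes: up to 2 source sessions (local or RSPAN) per switch


@dataclass
class SpanSession:
    session_id: int
    source_ports: List[str] = field(default_factory=list)
    source_vlans: List[int] = field(default_factory=list)
    filter_vlans: List[int] = field(default_factory=list)
    destination_ports: List[str] = field(default_factory=list)
    destination_rspan_vlan: Optional[int] = None  # set => this is an RSPAN source session
    source_rspan_vlan: Optional[int] = None       # set => this is an RSPAN destination session

    def is_source_session(self) -> bool:
        return bool(self.source_ports or self.source_vlans)


def check_session(s: SpanSession, secure_ports: Set[str] = frozenset()) -> List[str]:
    """Per-session rules from the notes; returns the list of violations (empty = OK)."""
    errs: List[str] = []
    if s.source_ports and s.source_vlans:
        errs.append("source ports and source VLANs cannot be mixed in one session")
    if s.filter_vlans and s.source_vlans:
        errs.append("filter VLANs cannot be used in a session with VLAN sources")
    if len(s.destination_ports) > 1:
        errs.append("only one destination port is allowed per session")
    if s.destination_rspan_vlan is not None and s.destination_ports:
        errs.append("an RSPAN source session cannot have a local destination port")
    if s.source_rspan_vlan is not None and s.is_source_session():
        errs.append("an RSPAN destination session cannot have a local source port or VLAN")
    if not s.destination_ports and s.destination_rspan_vlan is None:
        errs.append("session has no destination")
    for d in s.destination_ports:
        if d in s.source_ports:
            errs.append(f"{d}: a destination port cannot also be a source port")
        if d.startswith("Po"):  # assumption: Po<n> names a port-channel (EtherChannel)
            errs.append(f"{d}: an EtherChannel cannot be a SPAN destination")
        if d in secure_ports:
            errs.append(f"{d}: a secure (port-security) port cannot be a SPAN destination")
    return errs


def check_switch(sessions: List[SpanSession],
                 secure_ports: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Per-session plus cross-session rules, keyed by 'session <id>' and 'switch'."""
    report = {f"session {s.session_id}": check_session(s, secure_ports) for s in sessions}
    switch: List[str] = []
    sources = [s for s in sessions if s.is_source_session()]
    if len(sources) > MAX_SOURCE_SESSIONS:
        switch.append(f"{len(sources)} source sessions configured; maximum is {MAX_SOURCE_SESSIONS}")
    seen: Dict[str, int] = {}  # the same port cannot be the destination of two sessions
    for s in sessions:
        for d in s.destination_ports:
            if d in seen:
                switch.append(f"{d}: destination of sessions {seen[d]} and {s.session_id}; "
                              "a port can be a destination for only one session")
            seen.setdefault(d, s.session_id)
    # An RSPAN source session and an RSPAN destination session for the same
    # RSPAN VLAN cannot run on the same switch
    rspan_src = {s.destination_rspan_vlan for s in sessions if s.destination_rspan_vlan is not None}
    rspan_dst = {s.source_rspan_vlan for s in sessions if s.source_rspan_vlan is not None}
    for v in sorted(rspan_src & rspan_dst):
        switch.append(f"RSPAN VLAN {v}: source and destination sessions for the same "
                      "RSPAN VLAN cannot run on one switch")
    report["switch"] = switch
    return report


# Constructed session definitions: one valid local SPAN session and three that break rules
EXAMPLE_SESSIONS = [
    SpanSession(1, source_ports=["Fa0/1", "Fa0/2"], destination_ports=["Fa0/24"]),
    SpanSession(2, source_vlans=[10], filter_vlans=[10], destination_ports=["Fa0/24"]),
    SpanSession(3, source_ports=["Gi0/1"], destination_ports=["Po1"], destination_rspan_vlan=900),
    SpanSession(4, source_rspan_vlan=900, destination_ports=["Fa0/23"]),
]

if __name__ == "__main__":
    for scope, problems in check_switch(EXAMPLE_SESSIONS).items():
        print(scope, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```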
Cisco CCNP:300-115 - 1.6.d Loopguard and Rootguard
- Root Guard
- If spanning-tree calculations cause an interface to be selected as the root port when it should not be, the interface is placed in the "root-inconsistent" blocked state.
- The root-inconsistent state prevents the other switch from becoming the root switch or being the path to the root port
- Spanning tree selects a new root switch when an interface goes into the root-inconsistent state
- If the switch is in MST mode, root guard forces the interface to be a designated port
- When boundary port is blocked in an Internal Spanning Tree (IST) instance because of root guard, the interface becomes blocked for all MST instances
- Root guard enabled on an interface applies to all VLANs to which the interface belongs
- Should not be enabled on interfaces to be used by UplinkFast feature
- If root guard is enabled on backup interfaces used by UplinkFast, those interfaces are placed in a root-inconsistent state (blocked) thus preventing them from reaching the forwarding state
- Root guard and loop guard cannot both be enabled at the same time
- To configure use the following:
spanning-tree guard root
- Loopguard
- Used to prevent alternate or root ports from becoming designated ports
- Loop guard helps with failures which lead to a unidirectional link
- Most effective when enabled on the entire block
- Prevents alternate and root ports from becoming designated ports
- Spanning-tree does not send BPDUs on root or alternate ports
SW2(config)# spanning-tree loopguard default
- When the switch is in MST mode, BPDUs are not sent on nonboundary ports
- On a boundary port, loop guard blocks the interface in all MST instances
- Most effective when configured on the entire switch
- Operates only on interfaces that are considered point-to-point by the spanning-tree
- Loop guard and root guard cannot both be enabled at the same time
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html
Cisco CCNP:300-115 - 1.6.c PortFast, BPDUguard, BPDUfilter
- Portfast
- Immediately brings an interface to forwarding state, bypassing listening and learning states
- Use when connected to a single endpoint such as a server or workstation
- The connected device does not need to wait for spanning tree to converge
- Portfast-configured interfaces go through the normal spanning-tree cycle when the switch is restarted
- Configuring portfast on interfaces connected to another switch may result in loops
- Portfast is configured via:
SW2(config)#int fa1/5
SW2(config-if)#spanning-tree portfast
- BPDU Guard
- Can be enabled globally or per port
- At the global level, BPDU guard is enabled on portfast-enabled interfaces using:
SW2(config)#spanning-tree portfast bpduguard default
- Ports that are in portfast are shut down if any BPDU is received on them
- In a valid configuration, portfast-enabled ports do not receive BPDUs
- BPDU guard puts the port in the error-disabled state, which causes the switch to shut down the entire port on which the violation occurred
- To prevent the port from shutting down you can instead shut down the offending VLAN on the port where the violation occurred using the following:
SW2(config)#errdisable detect cause bpduguard shutdown vlan
- BPDU Guard at the interface level can be configured using:
SW2(config)#int fa1/5
SW2(config-if)#spanning-tree bpduguard enable
- When the port receives a BPDU, it puts the interface in error-disabled state
- You must manually put the interface back in service
- BPDU Filtering
- Can be enabled globally or per interface
- When enabling globally on portfast-enabled interfaces, use:
SW2(config)#spanning-tree portfast bpdufilter default
- Prevents portfast interfaces from sending or receiving BPDUs
- At linkup the interface sends a few BPDUs
- If a BPDU is received on a portfast enabled interface, the interface loses its portfast operational status and BPDU filtering is disabled
- At the interface level, BPDU filtering is enabled using:
SW2(config-if)#spanning-tree bpdufilter enable
- The above command can be used without the portfast feature
- Prevents interfaces from sending or receiving BPDUs
- Disables spanning tree and may result in spanning-tree loops
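An added example (not from the post or Cisco) that audits a constructed IOS running-config excerpt for the settings above: portfast ports left without BPDU guard, interface-level BPDU filter, and portfast on a trunk. Treating an interface-level `spanning-tree bpduguard disable` as overriding the global default, and a trunk as a switch-facing port, are assumptions of this checker:

```python
"""Audit a running-config for PortFast / BPDU guard / BPDU filter settings."""
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not from the post)
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet1/5
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet1/7
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/1
 switchport mode trunk
 spanning-tree portfast
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and {interface: [its lines]}."""
    top: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' ends the current stanza
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line.strip())
    return top, interfaces


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return findings per interface (an empty list means nothing to flag)."""
    top, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in top
    filter_default = "spanning-tree portfast bpdufilter default" in top
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        f: List[str] = []
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        trunk = "switchport mode trunk" in lines
        # Guard is effective if set on the interface, or inherited from the global
        # portfast default and not explicitly disabled on the interface (assumption)
        guard = "spanning-tree bpduguard enable" in lines or (
            guard_default and portfast and "spanning-tree bpduguard disable" not in lines)
        if portfast and trunk:
            f.append("portfast on a trunk: the interface likely faces another switch; loop risk")
        if portfast and not guard:
            f.append("portfast without BPDU guard: a BPDU on this port will not err-disable it")
        if "spanning-tree bpdufilter enable" in lines:
            f.append("interface-level BPDU filter disables spanning tree on the port; loop risk")
        if filter_default and portfast:
            f.append("global portfast bpdufilter default applies: BPDUs are suppressed on this port")
        findings[name] = f
    return findings


if __name__ == "__main__":
    for intf, problems in audit_config(SAMPLE_CONFIG).items():
        print(intf, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```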
- Uplink Fast
- Configured via global config
- Speeds up the process of selecting a new root port when a link or switch fails or spanning tree re-configures itself
- The root port transitions to the forwarding state immediately
- Does not go through the listening and learning states, as is done with normal spanning-tree
- Default max-update-rate parameter is 150 packets per second
- Most appropriate for connections at the access or edge of the network
- Not appropriate for backbone devices
- Provides fast convergence after a direct link failure
- Uses uplink groups
- Cannot be enabled on VLANs that have been configured with a switch priority
- Switch priority must be restored to the default before enabling UplinkFast on a VLAN
- Enabling UplinkFast affects all VLANs on the switch
- UplinkFast cannot be configured on individual VLANs
- Can be configured while in rapid PVST+ or MSTP mode
- Spanning-tree mode must be changed to PVST+ before this can take effect
- Enabling UplinkFast sets the switch priority for all VLANs to 49152
- Changing the path cost to a value less than 3000 when enabling (or already enabled) UplinkFast causes the path cost for all interfaces to be increased by 3000
- If path cost is changed to greater than 3000, the path cost is not altered
- Disabling UplinkFast sets the switch priorities for all VLANs and path costs for all interfaces to their default values if they were not modified
- Use the following command to enable UplinkFast:
SW2(config)#spanning-tree uplinkfast
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html
Cisco CCNP:300-115 - 1.6 Configure and verify spanning tree: 1.6.a PVST+, RPVST+, MST
- The switch creates up to 128 spanning-tree instances
- One spanning-tree instance is allowed per VLAN
- PVST+ is based on IEEE 802.1D standard
- Rapid per-VLAN spanning-tree plus (rapid-PVST+) based on IEEE 802.1w standard
- A switch stack appears as a single spanning-tree node to the rest of the network
- All stack members use the same bridge ID
- In a switch stack, one member is elected as the stack root switch
- The stack root switch contains the outgoing root port
Default spanning tree configuration:
- Enabled
- Spanning-tree mode PVST+
- Switch Priority 32768
- Port cost: 4 -> 1000 Mb/s, 19 -> 100 Mb/s, 100 -> 10 Mb/s
- Spanning-tree VLAN port priority 128
- Spanning-tree timers
- Hello Time -> 2 seconds
- Forward Delay -> 15 seconds
- Maximum aging -> 20 seconds
- Transmit Hold -> 6 BPDUs
STP Overview
- Layer 2 link management protocol
- Enabled by default
- Provides path redundancy while preventing loops in the network
- Roles are assigned to each port based on the role of the port in the active topology
- Port roles
- Root: Forwarding port elected for the spanning tree topology
- Designated: forwarding port elected for every switch segment
- Alternate: Blocked port providing alternate path to the root bridge
- Backup: Blocked port in a loopback configuration
- The switch which has all of its ports in either the designated or backup role is the root switch
- The switch which has at least one of its ports in the designated role is called the designated switch
- Redundant data paths are forced into the standby (blocked) state
- Spanning tree frames are called Bridge Protocol Data Units (BPDUs)
- BPDU contains information about the sending switch and its port.
- Information included in BPDU are:
- Switch ID and MAC address
- switch priority
- Port priority
- Represents the location of a port in the network topology
- Port priority range is from 0-240
- Done in increments of 16, e.g. 0, 16, 32, 48, ..., 208, 224, 240
- Default is 128
- path cost
- Represents media speed
- Cost is used when selecting an interface to put in forwarding state when a loop occurs
- Lower cost wins
- If all interfaces have the same cost value, the interface with the lowest interface number wins and goes into the forwarding state
- Cost goes from 1 to 200,000,000
- VLAN Priority
- ranges from 0 - 61440
- Increments of 4096
- The four pieces of information identified above are used to elect the root switch and the root port for the switched network
- The four pieces of information identified above are used to elect the root port and designated port for each switched segment
- Port priority and path cost control which port is put in forward and block states when a looped link is encountered
- Port identifier is made up of the port priority and the MAC address associated with the port
- When switches are powered up, each operates as a root switch
- Configuration BPDUs are sent out all ports
- Configuration BPDUs contain the following:
- Unique bridge ID of the switch the sending switch thinks is the root
- Spanning-tree path cost to the root
- The bridge ID of the sending switch
- Message age
- The identifier of the sending interface
- Values for the hello, forward delay and max-age control timers
- BPDUs that contain a lower bridge ID, lower path cost, etc. are considered to be superior
- When superior BPDUs are received on the root port of the switch, the switch forwards them with an updated message to all of the designated switch LANs
- Inferior BPDUs are discarded
- Basically, inferior information is discarded and superior information is propagated
- The switch with the lowest numerical priority value for each VLAN is considered the root switch.
- Lowest numerical priority is highest priority. Highest priority wins
- If all switches are configured with default priority, the switch with the lowest MAC address wins
- Switch priority is found in the most significant bits of the bridge ID
- A root port is selected for each switch except the root switch
- root port provides the best path (lowest cost) when forwarding packets to the root switch
- On a switch stack, the following sequence is used to select a root port:
- Lowest root bridge ID -> lowest path cost to the root switch -> lowest designated bridge ID -> lowest designated path cost -> lowest port ID
- Only one outgoing port on the stack is selected as the root port. The remaining switches in the stack become designated switches
- Path cost is used to calculate the shortest distance to the root switch
- A designated switch for each VLAN is selected
- The port which connects the designated switch to the LAN is called the designated port
- The unique bridge ID is made up of extended system ID, switch priority and spanning-tree allocated MAC address
- Configuring a high priority value reduces the chances of a switch becoming the root
- Configuring a lower priority value, increases the chances of a switch becoming the root
- Spanning tree interface states are as follows:
- Blocking:
- No participation in frame forwarding
- Interfaces always enter the blocking state after initialization
- Frames received on the interface are discarded
- Does not learn addresses
- Receives BPDUs
- Listening:
- First state as it transitions from blocking
- Interface will participate in spanning-tree
- Discard frames received on the interface
- Does not learn addresses
- Receives BPDUs
- Learning:
- Preparing to participate in frame forwarding
- Discards frames received on the interface
- Learns addresses
- Receives BPDUs
- Forwarding:
- Forwards frames
- Learns addresses
- Receives BPDUs
- Disabled:
- Not participating in spanning tree. Possibly a shut down port, no link, or no spanning-tree instance running on the port
- Discards frames received on the interface
- Does not learn addresses
- Does not receive BPDUs
- Interface transition states
- blocking -> [listening | disabled] -> [learning | disabled] -> [forwarding | disabled]; forwarding -> disabled
- When all switches in the spanning tree have the same settings, the switch with the lowest MAC address becomes the root
- You should aim to make the fastest link the root port
- Spanning Tree Modes
- PVST+
- Based on 802.1D
- Default spanning-tree mode on all Ethernet port-based VLANs
- Runs on each VLAN on the switch
- Provides L2 load balancing
- Each instance has a single root switch on a VLAN
- Rapid PVST+
- Same as PVST+, except it uses rapid convergence
- Based on 802.1w standard
- Uses the same configuration as PVST+
- Allows for fast convergence of spanning tree
- Eliminates the forward delay
- Quickly transitions root ports and designated ports to the forwarding state
- Cannot run MSTP without RSTP or CSRT
- MSTP
- Based on 802.1s standard
- Can map multiple VLANs to the same spanning-tree instance
- Runs on RSTP (Based on 802.1w)
- Most common deployment is the backbone and distribution layers
- In PVST+ or rapid-PVST+ mode there can be up to 128 spanning-tree instances
- In MSTP mode, there can be up to 65 MST instances
- Number of VLANs which can be mapped to MST is unlimited
- The common spanning tree (CST) root must be inside the MST backbone
- A PVST+ switch cannot be connected to multiple MST regions
- All stack members run the same version of spanning tree
- STP and trunking
- The standard requires only one spanning-tree instance for all VLANs
- Cisco switches maintain one spanning-tree instance per VLAN
- When a Cisco switch is connected to a non-Cisco switch, PVST+ is used for interoperability; rapid PVST+ is used instead if it is enabled
- PVST+ is automatically enabled on IEEE 802.1Q trunks
- Caution: Switches that are not running spanning tree still forward BPDUs that are received
- To force a switch to become the root, use:
SW2(config)#spanning-tree vlan 30 root primary
- When the above command is issued, the switch sets its priority to 24576 if this value will cause it to become the root
- If an existing switch has a priority lower than 24576, the switch sets its priority to 4096 less than that switch's value to become the root
- The root switch for each spanning-tree instance should be a backbone or distribution switch.
- Do not configure an access switch as the spanning-tree primary root
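The root election and root-port selection described above, together with the priority arithmetic behind `spanning-tree vlan 30 root primary`, as an added example (not the Cisco implementation); switch names, MAC addresses and link speeds are constructed, and the bridge ID is modelled as (priority + VLAN number as extended system ID, MAC):

```python
"""STP root election, root-port selection and 'root primary' priority arithmetic."""
from typing import Dict, Tuple

# Default path costs from the notes: media speed (Mb/s) -> cost
DEFAULT_PATH_COST = {1000: 4, 100: 19, 10: 100}

PRIORITY_STEP = 4096            # VLAN priority increments
PRIORITY_MAX = 61440            # 15 * 4096
ROOT_PRIMARY_PRIORITY = 24576   # value tried first by 'spanning-tree vlan <n> root primary'


def bridge_id(priority: int, mac: str, vlan: int) -> Tuple[int, str]:
    """Bridge ID as a comparable tuple: (priority + extended system ID, MAC).

    With PVST+ the extended system ID is the VLAN number, so the priority field
    carried in BPDUs is priority + vlan; the configured priority itself must be a
    multiple of 4096 in 0..61440.
    """
    if priority % PRIORITY_STEP or not 0 <= priority <= PRIORITY_MAX:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return (priority + vlan, mac.lower())


def elect_root(switches: Dict[str, Tuple[int, str]], vlan: int) -> str:
    """Lowest bridge ID wins: lowest priority, then lowest MAC on a tie."""
    return min(switches, key=lambda name: bridge_id(*switches[name], vlan))


def select_root_port(candidates: Dict[str, tuple]) -> str:
    """Pick the root port among a switch's candidate ports.

    Each candidate is (root bridge ID, path cost to root, designated bridge ID,
    designated port ID); lowest wins, compared in that order as in the notes.
    """
    return min(candidates, key=lambda port: candidates[port])


def root_primary_priority(current_root_priority: int) -> int:
    """Priority chosen by 'spanning-tree vlan <n> root primary'.

    24576 if that alone wins; otherwise 4096 below the current root's priority.
    An equal priority is treated as not enough, since the MAC tie-break is not
    consulted here.
    """
    if current_root_priority > ROOT_PRIMARY_PRIORITY:
        return ROOT_PRIMARY_PRIORITY
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root is already at the lowest priority")
    return current_root_priority - PRIORITY_STEP


def demo() -> Tuple[str, str, int]:
    """Constructed topology: three switches at default priority in VLAN 30."""
    vlan = 30
    switches = {
        "SW1": (32768, "0000.0c11.1111"),
        "SW2": (32768, "0000.0c00.2222"),   # lowest MAC -> root at equal priority
        "SW3": (32768, "0000.0c33.3333"),
    }
    root = elect_root(switches, vlan)
    root_id = bridge_id(*switches[root], vlan)
    # SW3's uplinks: Fa0/1 straight to the root at 100 Mb/s (cost 19) and Gi0/1 to
    # SW1, which itself sits one 1 Gb/s hop from the root (cost 4 + 4 = 8)
    candidates = {
        "Fa0/1": (root_id, DEFAULT_PATH_COST[100], root_id, 0x8001),
        "Gi0/1": (root_id, DEFAULT_PATH_COST[1000] * 2,
                  bridge_id(*switches["SW1"], vlan), 0x8001),
    }
    # Priority SW3 would adopt from 'spanning-tree vlan 30 root primary'
    return root, select_root_port(candidates), root_primary_priority(switches[root][0])


if __name__ == "__main__":
    print(demo())
```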
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvlan.html
- The switch creates up to 128 spanning-tree instances
- One spanning-tree instance is allowed per VLAN
- PVST+ is based on IEEE 802.1D standard
- Rapid per-VLAN spanning-tree plus (rapid-PVST+) based on IEEE 802.1w standard
- Switch stack appears as a single spanning-tree mode to the rest of the network
- All stack members use the same bridge ID
- In a switch stack, one member is elected as the stack root switch
- The stack root switch contains the outgoing root port
Default state of spappning tree is enabled
- Enabled
- Spanning-tree mode PVST+
- Switch Priority 32768
- Port Cost 4 -> 1000 Mb/s
19 -> 100 Mb/s
100 -> 100 Mb/s
- Spanning-tree VLAN priority 128
- Spannint-tree timers
- Hello Time -> 2 seconds
- Forward Delay -> 15 seconds
- Maximum aging -> 20 seconds
- Transmit Hold -> 6 BPDUs
STP Overview
- Layer 2 link management protocol
- Enabled by default
- Provides path redundancy while preventing loops in the network
- Roles are assigned to each port based on the role of the port in the active topology
- Port states
- Root: Forwarding port elected for the spanning tree topology
- Designated: forwarding port elected for every switch segment
- Alternate: Blocked port providing alternate path to the root bridge
- Backup: Blocked port in a loopback configuration
- The switch which has all of its ports in either the designated or backup role is the root switch
- The switch which has at least 1 of its port in the designated role is called the designated switch
- Redundant data paths are forced into standby (blocked) state
- Spanning Tree frames are called Bridge Protocol Data Units (BPDU)
- BPDU contains information about the sending switch and its port.
- Information included in BPDU are:
- switch MAC address
- switch priority
- Port priority
- Represents the location of a port in the network topology
- Port priority range is from 0-240
- Done in increments of 16, eg. 0,16,32,48, ...., 208,224,240
- Default is 128
- path cost
- Represents media speed
- Cost is used when selecting an interface to put in forwarding state when a loop occurs
- Lower cost wins
- If all interfaces have the same cost value, the interface with the lowest interface number wins and goes into forwarding state
- Cost goes from 1 to 200,000,000
- VLAN Priority
- ranges from 0 - 61440
- Increments of 4096
- The four pieces of information identified above are used to elect the root switch and the root port for the switched network
- The four pieces of information identified above are used to elect the root port and designated port for each switched segment
- Port priority and path cost control which port is put in forward and block states when a looped link is encountered
- Port identifier is made up of port priority and its MAC address
- When switches are powered up, each operates as a root switch
- Configuration BPDU are sent out all ports
- Configuration BPDUs contain the following:
- Unique bridge ID of the switch the sending switch thinks is the root
- Spanning-tree path cost to the root
- The bridge ID of the sending switch
- Message age
- The identifier of the sending interface
- Values for the hello, forward delay and max-age control timers
- BPDUs that contain lower bridge ID, lower path cost, etc are considered to be superior
- When superior BPDUs are received on the root port of the switch, the switch forwards them with an updated message to all of the designated switch LANs
- Inferior BPDUs are discarded
- Basically inferior information is discarded and superior information is propagated
- The switch with the lowest numerical priority value for each VLAN is considered the root switch.
- Lowest numerical priority is highest priority. Highest priority wins
- If all switches are configured with default priority, the switch with the lowest MAC address wins
- Switch priority is found in the most significant bits of the bridge ID
- A root port is selected for each switch except the root switch
- root port provides the best path (lowest cost) when forwarding packets to the root switch
- On a switch stack, the following sequence is used to select a root port.
- Lowest root bridge ID -> lowest path cost to the root switch -> lowest designated bridge ID -> lowest designated path cost -> lowest port ID
- Only one outgoing port on the stack is selected as the root port. The remaining switches in the stack become designated switches
- Path cost is used to calculate the shortest distance to the root switch
- A designated switch for each VLAN is selected
- The port which connects the designated switch to the LAN is called the designated port
- The unique bridge ID is made up of extended system ID, switch priority and spanning-tree allocated MAC address
- Configuring a high priority value reduces the chances of a switch becoming the root
- Configuring a lower priority value, increases the chances of a switch becoming the root
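A small Python simulation of the election sequence above (lowest root bridge ID, then lowest path cost, then lowest sender bridge ID and port ID), of the bridge ID made from priority, extended system ID and MAC, and of the priority that "spanning-tree vlan N root primary" picks as described further up. This is an added example, not code from these notes or from Cisco; the MAC addresses, link costs and the "C reaches A via B" topology are constructed.

```python
# Added example (not from the notes or Cisco); MACs, costs, priorities constructed.
from typing import NamedTuple


class BridgeId(NamedTuple):
    """(priority + extended system ID/VLAN, MAC): tuples compare field by
    field, so min() gives the lowest bridge ID, i.e. the highest priority."""
    priority: int  # 0..61440 in steps of 4096, default 32768
    vlan: int      # extended system ID
    mac: str


class Bpdu(NamedTuple):
    """Fields compared, in the notes' order, to find the superior BPDU:
    root ID -> path cost -> sender bridge ID -> sender port ID."""
    root: BridgeId
    cost: int
    sender: BridgeId
    port_id: int   # port priority (default 128) + port number


def elect_root(bridges):
    """Every switch first claims to be root; the lowest bridge ID wins."""
    return min(bridges)


def select_root_port(received):
    """received: local port number -> (Bpdu heard on it, cost of that link).
    Lowest total cost to the root wins; ties fall through to sender bridge
    ID, sender port ID and finally the local port number."""
    def key(item):
        port, (bpdu, link_cost) = item
        return (bpdu.root, bpdu.cost + link_cost, bpdu.sender, bpdu.port_id, port)
    return min(received.items(), key=key)[0]


def root_primary_priority(current_root_priority):
    """Priority 'spanning-tree vlan N root primary' picks per the notes: 24576
    if that beats the current root, otherwise 4096 less than the root."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        raise ValueError("cannot go below 0; set the VLAN priority by hand")
    return current_root_priority - 4096


def sample_election(vlan=30):
    """A wins root on lowest MAC. C reaches A directly at 100 Mb/s (cost 19)
    or via B over two gigabit links (4 + 4 = 8), so C's root port is port 2."""
    a = BridgeId(32768, vlan, "0000.0000.00aa")
    b = BridgeId(32768, vlan, "0000.0000.00bb")
    root = elect_root([a, b, BridgeId(32768, vlan, "0000.0000.00cc")])
    heard_on_c = {1: (Bpdu(root, 0, a, 129), 19),  # direct link to A
                  2: (Bpdu(root, 4, b, 130), 4)}   # B advertises cost 4 to A
    return root, select_root_port(heard_on_c)
```

Raising the link cost on port 2 above 15 in the sample flips C's root port back to the direct link, which is the path-cost rule at work.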
- Spanning tree interface states are as follows:
- blocking:
- No participation in frame forwarding
- Interfaces always enter the blocking state after initialization
- Frames received on the interface are discarded
- Does not learn addresses
- Receives BPDU
- Listening:
- first state as it transitions from blocking
- Interface will participate in spanning-tree
- Discard frames received on the interface
- Does not learn addresses
- Receives BPDUs
- Learning
- preparing to participate in frame forwarding
- Discard frames received on the interfaces
- Learns addresses
- Receives BPDUs
- Forwarding:
- forwarding of frames
- Learns addresses
- Receives BPDUs
- Disabled:
- Not participating in spanning tree. Possible shutdown port, no link or no spanning-tree instance running on the port
- Discards frames received on the interface
- Does not learn addresses
- Does not receive BPDUs
- Interface transition states
- blocking -> [listening|disabled] -> [learning|disabled] -> [forwarding|disabled] -> forwarding -> disabled
- When all switches in the spanning-tree have the same settings, the switch with the lowest MAC address becomes the root
- You should aim to make the fastest link the root port
- Spanning Tree Modes
- PVST+
- Based on 802.1D
- Default spanning-tree mode on all ethernet port based VLANs
- Runs on each VLAN on the switch
- Provides L2 load balancing
- Each instance has a single root switch on a VLAN
- Rapid PVST+
- Same as PVST+, except it uses rapid convergence
- Based on 802.1w standard
- uses the same configuration as PVST
- Allows for fast convergence of spanning tree
- Eliminates the forward delay
- Quickly transitions root ports and designated ports to the forwarding state
- Cannot run MSTP without RSTP or CSRT
- MSTP
- Based on 802.1s standard
- Can map multiple VLANs to the same spanning-tree instance
- Runs on RSTP (Based on 802.1w)
- Most common deployment is the backbone and distribution layers
- in PVST+ or rapid-PVST+ mode there can be up to 128 spanning-tree instances
- in MSTP mode, there can be up to 65 MST instances
- Number of VLANs which can be mapped to MST is unlimited
- Common-tree (CST) root must be inside the MST backbone
- A PVST+ switch cannot be connected to multiple MST regions