InterVLAN Routing

Recall that a Layer 2 network is defined as a broadcast domain. A Layer 2 network also can exist as a VLAN inside one or more switches. VLANs essentially are isolated from each other so that packets in one VLAN cannot cross into another VLAN. To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router's function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN...

Topology Changes

To announce a change in the active network topology, switches send a TCN BPDU. Table 8-4 shows the format of these messages.
[Table 8-4 Topology Change Notification BPDU Message Content; field shown: Message Type (Configuration or TCN BPDU)]
A topology change occurs when a switch either moves a port into the Forwarding state or moves a port from the Forwarding or Learning states into the Blocking state. In other words, a port on an active switch comes...

Protecting Against Unexpected BPDUs

A network running STP uses BPDUs to communicate between switches (bridges). Switches become aware of each other and of the topology that interconnects them. After a Root Bridge is elected, BPDUs are generated by the root and are relayed down through the spanning-tree topology. Eventually, all switches in the STP domain receive the root's BPDUs so that the network converges and a stable loop-free topology forms. To maintain an efficient topology, the placement of the Root Bridge must be...

Verifying Voice QoS

A switch port can be configured with a QoS trust state with the connected device. If that device is an IP Phone, the switch can instruct the phone on whether to extend QoS trust to an attached PC. To verify how QoS trust has been extended to the IP Phone itself, use the following EXEC command:
Switch# show mls qos interface type mod/num
If the port is trusted, all traffic forwarded by the IP Phone is accepted with the QoS information left intact. If the port is not trusted, even the voice packets...

Foundation Summary

The Foundation Summary is a collection of information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this information is a convenient way to review the day before the exam. STP has a progression of states that each port moves...

Protecting Against Sudden Loss of BPDUs

STP BPDUs are used as probes to learn about a network topology. When the switches participating in STP converge on a common and consistent loop-free topology, BPDUs still must be sent by the Root Bridge and must be relayed by every other switch in the STP domain. The STP topology's integrity then depends on a continuous and regular flow of BPDUs from the root. What happens if a switch doesn't receive BPDUs in a timely manner, or when it doesn't receive any? The switch can view that condition as...

UplinkFast: Access-Layer Uplinks

Consider an access-layer switch that has redundant uplink connections to two distribution-layer switches. Normally, one uplink would be in the Forwarding state and the other would be in the Blocking state. If the primary uplink went down, up to 50 seconds could elapse before the redundant uplink could be used. The UplinkFast feature on Catalyst switches enables leaf-node switches or switches at the ends of the spanning-tree branches to have a functioning root port while keeping one or more...

Selecting Ports to Configure

Before you can modify port settings, you must select one or more switch ports. Catalyst switches running the Catalyst operating system (CatOS) refer to these as ports, whereas switches running the Cisco IOS Software refer to them as interfaces. The BCMSN exam is based on IOS-based switches only. To select a single switch port, enter the following command in global configuration mode:
Switch(config)# interface type module/number
The port is identified by its Ethernet type (fastethernet,...

RSTP Port Behavior

In 802.1D, each switch port is assigned a role and a state at any given time. Depending on the port's proximity to the Root Bridge, it takes on one of the following roles: Blocking port (neither root nor designated). The Cisco-proprietary UplinkFast feature also reserved a hidden alternate port role for ports that offered parallel paths to the root but were in the Blocking state. Recall that each switch port also is assigned one of five possible states. Only the Forwarding state allows data to be...

LAN Segmentation Model

Referred to as network segmentation, localizing the traffic and effectively reducing the number of stations on a segment is necessary to prevent collisions and broadcasts from reducing a network segment's performance. By reducing the number of stations, the probability of a collision decreases because fewer stations can be transmitting at a given time. For broadcast containment, the idea is to provide a barrier at the edge of a LAN segment so that broadcasts cannot pass outward or be forwarded....

Redundant Power Supplies

The Cisco Catalyst 6500 and 4500R platforms can accept two power supply modules in a single chassis. The power supplies must be identical, having the same power input and maximum power output ratings. The switch can be configured to operate in one of two possible power modes:
Combined mode: Both power supplies work together to share the total power load for all modules that are installed in the switch chassis. The total load required can exceed the maximum power output rating of one power supply...

WLC Configuration

A Cisco WLC has several types of interfaces that are used for various purposes. Perhaps the most difficult part of configuring a WLC is deciding how to lay out and connect the interfaces. Regardless of the hardware model, a WLC has the following interface types. Refer to Figure 19-14, which depicts the interfaces as they are commonly used in a network.
Management: An interface with a static IP address used for in-band management traffic; you connect to this interface for web, Secure Shell (SSH),...

Spanning Tree Customization

The most important decision you can make when designing your spanning-tree topology is the placement of the Root Bridge. Other decisions, such as the exact loop-free path structure, will occur automatically as a result of the Spanning Tree Algorithm (STA). Occasionally, the path might need additional tuning, but only under special circumstances and after careful consideration. Recall the sequence of four criteria that STP uses to choose a path. The previous section discussed how to tune a...

VTP Advertisements

Each Cisco switch participating in VTP advertises VLANs (only VLANs 1 to 1005), revision numbers, and VLAN parameters on its trunk ports to notify other switches in the management domain. VTP advertisements are sent as multicast frames. The switch intercepts frames sent to the VTP multicast address and processes them with its supervisory processor. VTP frames are forwarded out trunk links as a special case. Because all switches in a management domain learn of new VLAN configuration changes, a...

Hot Standby Router Protocol

HSRP is a Cisco-proprietary protocol developed to allow several routers (or multilayer switches) to appear as a single gateway IP address. RFC 2281 describes this protocol in more detail. Basically, each of the routers that provides redundancy for a given gateway address is assigned to a common HSRP group. One router is elected as the primary, or active, HSRP router; another is elected as the standby HSRP router; and all the others remain in the listen HSRP state. The routers exchange HSRP hello...

Redundant Switch Supervisors

Modular switch platforms such as the Catalyst 4500R and 6500 can accept two supervisor modules installed in a single chassis. The first supervisor module to successfully boot up becomes the active supervisor for the chassis. The other supervisor remains in a standby role, waiting for the active supervisor to fail. The active supervisor always is allowed to boot up and become fully initialized and operational. All switching functions are provided by the active supervisor. The standby supervisor,...

Using AutoQoS to Simplify a Configuration

You can also configure Cisco switches to support a variety of other QoS mechanisms and parameters. The list of features and configuration commands can be overwhelming, and the actual configuration can be quite complex. This is one reason why the bulk of QoS topics are no longer covered in the BCMSN course and exam. Courses and testing aside, you will sometimes need to configure some advanced QoS features on a switch. To reduce the complexity, Cisco introduced the Auto-QoS feature on most switch...

Gateway Load Balancing Protocol

You should now know how both HSRP and VRRP can effectively provide a redundant gateway (virtual router) address. You can accomplish load balancing only by configuring multiple HSRP/VRRP groups to have multiple virtual router addresses. More manual configuration is needed so that the client machines are divided among the virtual routers. Each group of clients must point to the appropriate virtual router. This makes load balancing somewhat labor-intensive, having a more or less fixed, or static,...

Layer 3 QoS Classification with DSCP

From the beginning, IP packets have always had a type of service (ToS) byte that can be used to mark packets. This byte is divided into a 3-bit IP Precedence value and a 4-bit ToS value. This offers a rather limited mechanism for QoS because only the 3 bits of IP Precedence are used to describe the per-hop QoS behavior. The DiffServ model keeps the existing IP ToS byte but uses it in a more scalable fashion. This byte also is referred to as the Differentiated Services (DS) field, with a...

[Figure: show cdp neighbors detail output at Switch-A, listing Catalyst 3550 neighbors Switch-C at 192.168.254.17 and 192.168.254.199]
At the top of the figure, you don't know whether Switch-A is in the core, distribution, or access layer. Actually, you don't even know whether this network has been built in layers. When you are connected and in the privileged EXEC or enable mode, you can begin looking for CDP information by using the show cdp neighbors command. At Switch-A, suppose the command...

RSTP Convergence

The convergence of STP in a network is the process that takes all switches from a state of independence (each thinks it must be the STP root) to one of uniformity, in which each switch has a place in a loop-free tree topology. You can think of convergence as a two-stage process:
1. One common Root Bridge must be elected, and all switches must know about it.
2. The state of every switch port in the STP domain must be brought from a Blocking state to the appropriate state to prevent loops....

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide whether you need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 11-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 4-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that...

Configuring a PAgP EtherChannel

To configure switch ports for PAgP negotiation (the default), use the following commands:
Switch(config)# interface type mod/num
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | {auto | desirable} [non-silent]}
On all Cisco IOS-based Catalyst models (2970, 3560, 4500, and 6500), you can select between PAgP and LACP as a channel-negotiation protocol. Older models such as the Catalyst 2950, however, offer only PAgP, so the channel-protocol command is not...

VLAN Frame Identification

Because a trunk link can transport many VLANs, a switch must identify frames with their respective VLANs as they are sent and received over a trunk link. Frame identification, or tagging, assigns a unique user-defined ID to each frame transported on a trunk link. Think of this ID as the VLAN number or VLAN color, as if each VLAN were drawn on a network diagram in a unique color. VLAN frame identification was developed for switched networks. As each frame is transmitted over a trunk link, a...

Layer 2 Switch Operation

Recall that with shared Ethernet networks using hubs, many hosts are connected to a single broadcast and collision domain. In other words, shared Ethernet media operate at OSI Layer 1. Each host must share the available bandwidth with every other connected host. When more than one host tries to talk at one time, a collision occurs, and everyone must back off and wait to talk again. This forces every host to operate in half-duplex mode, by either talking or listening at any given time. In...

Virtual Router Redundancy Protocol

The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP, defined in IETF standard RFC 2338. VRRP is so similar to HSRP that you need to learn only slightly different terminology and a couple of slight functional differences. When you understand HSRP operation and configuration, you will also understand VRRP. This section is brief, highlighting only the differences between HSRP and VRRP. VRRP provides one redundant gateway address from a group of routers. The...

Voice VLAN Configuration

Although you can configure the IP Phone uplink as a trunk or nontrunk, the real consideration pertains to how the voice traffic will be encapsulated. The voice packets must be carried over a unique voice VLAN (known as the voice VLAN ID or VVID) or over the regular data VLAN (known as the native VLAN or the port VLAN ID, PVID). The QoS information from the voice packets also must be carried. To configure the IP Phone uplink, just configure the switch port where it connects. The switch instructs...

Implementing QoS for Voice

To manipulate packets according to QoS policies, a switch somehow must identify which level of service each packet should receive. This process is known as classification. Each packet is classified according to the type of traffic (UDP or TCP port number, for example), according to parameters matched by an access list or something more complex, such as by stateful inspection of a traffic flow. Recall that IP packets carry a ToS or DSCP value within their headers as they travel around a network....

Configuring EtherChannel Load Balancing

The hashing operation can be performed on either MAC or IP addresses and can be based solely on source or destination addresses, or both. Use the following command to configure frame distribution for all EtherChannel switch links:
Switch(config)# port-channel load-balance method
Notice that the load-balancing method is set with a global configuration command. You must set the method globally for the switch, not on a per-port basis. Table 7-3 lists the possible values for the method variable,...

RF Characteristics

Signal Scattering

RF signals travel through the air as electromagnetic waves. In an ideal setting, a signal would arrive at the receiver exactly as it was sent by the transmitter. In the real world, this isn't always the case. RF signals are affected by the objects and materials they meet as they travel from the transmitter to the receiver. This section briefly explores the conditions that can affect wireless signal propagation. If an RF signal traveling through the air as a wave meets a dense reflective...

DHCP Snooping

A DHCP server normally provides all the basic information a client PC needs to operate on a network. For example, the client might receive an IP address, a subnet mask, a default gateway address, DNS addresses, and so on. Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default...

Modular Network Design

Recall from Chapter 1, Campus Network Overview, that a network is best constructed and maintained using a three-tiered hierarchical approach. Making a given network conform to a layered architecture might seem a little confusing. You can design a campus network in a logical manner, using a modular approach. In this approach, each layer of the hierarchical network model can be broken into basic functional units. These units, or modules, then can be sized appropriately and connected, while...

Modifying STP Timers

Recall that STP uses three timers to keep track of various port operation states and communication between bridges. The three STP timers can be adjusted by using the commands documented in the sections that follow. Remember that the timers need to be modified only on the Root Bridge because the Root Bridge propagates all three timer values throughout the network as fields in the configuration BPDU. Use one or more of the following global configuration commands to modify STP timers...

Multilayer Switch Operation

Catalyst switches, such as the 3560 (with the appropriate Cisco IOS Software image), 4500, and 6500, also can forward frames based on Layer 3 and 4 information contained in packets. This is known as multilayer switching (MLS). Naturally, Layer 2 switching is performed at the same time because even the higher-layer encapsulations still are contained in Ethernet frames. Catalyst switches have supported two basic generations or types of MLS: route caching (first-generation MLS) and topology-based...

RF Signal Strength Terminology

Because so many variables exist in a wireless environment, being able to quantify an RF signal as it is transmitted and received is handy. Other factors that affect the signal strength can be taken into account, too. An RF signal can be measured as a function of its power or energy in units of Watts (W) or milliWatts (mW); one milliWatt is one-thousandth of one Watt. To put signal power into perspective, Table 17-3 shows typical power output from a variety of sources. Power values can vary over...

LAP Configuration

Cisco lightweight APs are designed to be zero-touch devices, which can be installed and used with little or no manual intervention. The WLC can manage every aspect of LAP operation, including code image synchronization, so almost no information needs to be primed or preconfigured in the LAP itself. This section covers the tasks you should consider prior to an LAP installation. A lightweight AP can require up to 15 W of power at 48 VDC. The exact amount of power depends upon the model and the...

Port Security

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Where user workstations are stationary, their MAC addresses always can be expected to connect to the same access-layer switch ports. If stations are mobile, their MAC addresses can be learned dynamically or added to a list of addresses to expect on a switch port. Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port...

VLAN Membership

When a VLAN is provided at an access-layer switch, an end user must have some means of gaining membership to it. Two membership methods exist on Cisco Catalyst switches. Static VLANs offer port-based membership, in which switch ports are assigned to specific VLANs. End user devices become members in a VLAN based on the physical switch port to which they are connected. No handshaking or unique VLAN membership protocol is needed for the end devices; they automatically assume VLAN connectivity when...

Root Bridge Placement

Although STP is wonderfully automatic with its default values and election processes, the resulting tree structure might perform quite differently than expected. The Root Bridge election is based on the idea that one switch is chosen as a common reference point, and all other switches choose ports that have the best-cost path to the root. The Root Bridge election is also based on the idea that the Root Bridge can become a central hub that interconnects other legs of the network. Therefore, the...

Best Practices for Securing Switches

You can configure and use many different features on Cisco Catalyst switches. You should be aware of some common weaknesses that can be exploited. In other words, don't become complacent and assume that everyone connected to your network will be good citizens and play by the rules. Think ahead and try to prevent as many things as possible that might be leveraged to assist an attacker. This section presents a brief overview of many best-practice suggestions that will help secure your switched...

Cisco Unified Wireless Network Architecture

Cisco has collected a complete set of functions that are integral to wireless LANs and called them the Cisco Unified Wireless Network. This new architecture offers the following capabilities, which are centralized so that they affect wireless LAN devices located anywhere in the network To centralize these aspects of a WLAN, many of the functions found within autonomous APs have to be shifted toward some central location. The top portion of Figure 19-3 lists most of the activities performed by...

CCNP Exam Topics

Carefully consider the exam topics Cisco has posted on its website as you study, particularly for clues to how deeply you should know each topic. Beyond that, you cannot go wrong by developing a broader knowledge of the subject matter. You can do that by reading and studying the topics presented in this book. Remember that it is in your best interest to become proficient in each of the CCNP subjects. When it is time to use what you have learned, being well rounded counts more than being well...