About the Author

Steve McQuerry, CCIE No. 6108, is a consulting systems engineer with Cisco focused on data center architecture. Steve works with enterprise customers in the Midwestern United States to help them plan their data center architectures. Steve has been an active member of the internetworking community since 1991 and has held multiple certifications from Novell, Microsoft, and Cisco. Before joining Cisco, Steve worked as an independent contractor with Global Knowledge, where he taught and developed...

ACL Operation

ACLs express the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router. Instead, ACLs are statements that specify conditions of how the router handles the traffic flow through specified interfaces.
Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient...

ACL Wildcard Masking

Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and 0 to identify how to treat the corresponding IP address bits, as follows:
Wildcard mask bit 0: Match the corresponding bit value in the address.
Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.
NOTE: A wildcard mask is sometimes referred to as an inverse mask. By...

Adding Comments to Named or Numbered ACLs

Comments, also known as remarks, are ACL statements that are not processed. They are simple descriptive statements you can use to better understand and troubleshoot either named or numbered ACLs. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. It would be confusing to have some remarks before the associated...

Adding VLANs and Port Membership

After you create a new VLAN, be sure to make the necessary changes to the VLAN port assignments. Separate VLANs typically imply separate IP networks. Be sure to plan the new IP addressing scheme and its deployment to stations before moving users to the new VLAN. Separate VLANs also require inter-VLAN routing to permit users in the new VLAN to communicate with other VLANs. Inter-VLAN routing includes setting up the appropriate IP parameters and services, including default gateway and DHCP.

Additional Types of ACLs

Standard and extended ACLs can become the basis for other types of ACLs that provide additional functionality. These other types of ACLs include the following:
Dynamic ACLs (lock-and-key): Dynamic ACLs depend on Telnet connectivity, authentication (local or remote), and extended ACLs. Lock-and-key configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect...

All Ports Inactive After Power Cycle

Switch ports move to the inactive state when they are members of VLANs that do not exist in the VLAN database. A common issue is all the ports moving to this inactive state after a power cycle. Generally, you see this issue when the switch is configured as a VTP client with the uplink trunk port on a VLAN other than VLAN1. Because the switch is in VTP client mode, when the switch resets, it loses its VLAN database and causes the uplink port and any other ports that were not members of VLAN1 to...

Applying IP Address Space in the Enterprise Network

The Cisco Enterprise Architecture model provides a modular framework for designing and deploying networks. It also provides the ideal structure for overlaying a hierarchical IP addressing scheme. Following are some guidelines:
Design the IP addressing scheme so that blocks of 2^n contiguous network numbers (such as 4, 8, 16, 32, 64, and so on) can be assigned to the subnets in a given building distribution and access switch block. This approach lets you summarize each switch block into one large...

Authorized Self Study Guide

Interconnecting Cisco Network Devices, Part 2 (ICND2) Copyright 2008 Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the...

Br

The configuration in Example 6-4 provides a solution for this example.
Example 6-4 Access List Preventing Traffic Originating from a Specific Subnet
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-4 describes the command syntax that is presented in Example 6-4. Table 6-4 Numbered Standard IPv4 ACL Example Denying a...

Changing VLANs and Port Membership

To modify VLAN attributes, such as VLAN name, use the vlan vlan-id global configuration command. NOTE: You cannot change the VLAN number. To use a different VLAN number, create a new VLAN using a new number and then reassign all ports to this VLAN. To move a port into a different VLAN, use the same commands that you used to make the original assignments. You do not need to first remove a port from a VLAN to make this change. After you reassign a port to a new VLAN, that port is automatically...

Chapter Objectives

Upon completing this chapter, you will be able to expand a small-sized, switched LAN to a medium-sized LAN with multiple switches, supporting VLANs, trunking, and a spanning tree. This ability includes being able to meet these objectives:
Describe how and when to implement and verify VLANs and trunking, and then implement them on the network
Describe situations in which a spanning tree is used, and implement it on the network
Describe the application and configuration of inter-VLAN routing for a...

Chapter Organization

This book is divided into eight chapters and an appendix and is designed to be read in order because many chapters build on content from previous chapters. Chapter 1, Review of Cisco IOS for Routers and Switches, provides a review of the Cisco IOS. This is an assumed knowledge for readers, but this chapter provides a brief review of command structure that is used throughout the other chapters of the book. Chapter 2, Medium-Sized Switched Network Construction, explores the operation and...

Chapter Summary

The list that follows summarizes the key points that were discussed in this chapter.
When expanding a company network, VLANs, VTP, and trunking give a switched network infrastructure segmentation, flexibility, and security.
The STP and its successor RSTP resolve bridging loops that are an inherent part of redundant switched networks.
One way to accomplish inter-VLAN routing is to configure a router on a stick using subinterfaces and 802.1Q trunking.
Troubleshooting a switched network requires...

Choosing Interconnection Technologies

A number of technologies are available to interconnect devices in a switched network. The interconnection technology that you select depends on the amount of traffic the link must carry. You will likely use a mixture of copper and fiber-optic cabling based on distances, noise immunity requirements, security, and other business requirements. Figure 2-14 illustrates different connectivity for network devices providing services in the enterprise. Some of the more common interconnection...

Cisco Catalyst Switches Do Not Exchange VTP Information

When Cisco switches do not exchange VTP information, you need to be able to determine why they are not functioning properly. Use the following guidelines to troubleshoot this problem. There are several reasons why VTP fails to exchange the VLAN information. Verify these items if switches that run VTP fail to exchange VLAN information:
VTP information passes only through a trunk port. Ensure that all ports that interconnect switches are configured as trunks and are actually trunking.
Ensure that...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Components of Troubleshooting EIGRP

When troubleshooting any network protocol, it is important to follow a defined flow or methodology. The main aspect of troubleshooting routing protocols involves ensuring that communication exists between the routers. The following sections describe the basic components of troubleshooting a network that is running EIGRP. Figure 5-8 shows an example of the flow used for diagnosing EIGRP problems. The major components of EIGRP troubleshooting include the following items:
EIGRP neighbor...

Components of Troubleshooting OSPF

Troubleshooting OSPF requires an understanding of the operation of the protocol as well as a specific approach methodology. Figure 4-8 shows the major components of OSPF troubleshooting and the order in which the process flows.
Figure 4-8 Components of Troubleshooting OSPF
The major components of OSPF troubleshooting include the following

Configuration Issues

Configuration of the port is another possible reason the port may be experiencing connectivity issues. Some of the common configuration issues are as follows:
The VLAN to which the port belongs has disappeared: Each port in a switch belongs to a VLAN. If the VLAN is deleted, then the port becomes inactive. The following set of code illustrates that the command show interface interface will not reveal a problem when a port is configured to be part of a VLAN that does not exist. FastEthernet0/2 is...

Configuring ACLs

This section describes the steps to configure named and numbered, standard and extended ACLs. This section also explains how to verify that the ACLs function properly and discusses some common configuration errors to avoid. Standard IPv4 ACLs, numbered 1 to 99 and 1300 to 1999 or named, filter packets based on a source address and mask, and they permit or deny the entire TCP/IP protocol suite. This standard ACL filtering may not provide the filtering control you require. You may need a more...

Configuring and Verifying OSPF

The router ospf command uses a process identifier as an argument. The process ID is a unique, arbitrary number that you select to identify the routing process. The process ID does not need to match the OSPF process ID on other OSPF routers. The network command identifies which IP networks on the router are part of the OSPF network. For each network, you must also identify the OSPF area to which the networks belong. The network command takes the three arguments listed in Table 4-1. The table...

Configuring InterVLAN Routing

To be able to route between VLANs on a switch, you need to configure inter-VLAN routing. In Figure 2-33, the FastEthernet 0/0 interface is divided into multiple subinterfaces, FastEthernet 0/0.1 and FastEthernet 0/0.2. Each subinterface represents the router in each of the VLANs for which it routes.
Figure 2-33 Inter-VLAN Routing Configuration
Use the encapsulation dot1q vlan identifier command (where vlan identifier is the VLAN...

Configuring Named ACLs

The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string (name) instead of the current numeric representations. Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using Cisco IOS Release 12.3, you can use sequence numbers to insert statements anywhere in the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert statements only at the bottom of the named ACL. Because you can...

Configuring VLANs and Trunks

By default, all the ports on a Catalyst switch are in VLAN 1. If you want to use VLANs and trunks, you need to configure them on the switches throughout the network. The steps you use to configure and verify VLANs on a switched network include the following:
Determine whether to use VTP. If VTP will be used, enable VTP in server, client, or transparent mode.
Enable trunking on the inter-switch connections.
Create the VLANs on a VTP server and have those VLANs propagate to other switches.
Assign...

Considering Traffic Source to Destination Paths

When you are designing and implementing networks, a key factor for VLAN deployment is understanding the traffic patterns and the various traffic types. Figure 2-4 displays some common components of a network; this, along with the traffic requirements, should be a baseline for designing VLANs.
Figure 2-4 Network Enterprise Components
Table 2-5 lists the common types of network traffic that should be considered before placing devices and configuring the VLAN....

Contents

Chapter 1 Review of Cisco IOS for Routers and Switches 3
Chapter Objectives 3
Cisco IOS CLI Functions 4
Configuration Modes of Cisco IOS Software 4
Help Facilities of the Cisco IOS CLI 6
Commands Review 7
Summary of Cisco IOS CLI Commands 8
Chapter Summary 8
Review Questions 8
Chapter 2 Medium-Sized Switched Network Construction 13
Chapter Objectives 13
Implementing VLANs and Trunks 13
Understanding VLANs 14
VLAN Overview 15
Grouping Business Functions into VLANs 16
Applying IP Address Space in...

Contents at a Glance

Chapter 1 Review of Cisco IOS for Routers and Switches 3
Chapter 2 Medium-Sized Switched Network Construction 13
Chapter 3 Medium-Sized Routed Network Construction 97
Chapter 4 Single-Area OSPF Implementation 139
Chapter 5 Implementing EIGRP 171
Chapter 6 Managing Traffic with Access Control Lists 205
Chapter 7 Managing Address Spaces with NAT and IPv6 249
Chapter 8 Extending the Network into the WAN 297
Appendix Answers to Chapter Review Questions 361

Controlling Access to the Router Using ACLs

To control traffic into and out of the router (not through the router), you will protect the router virtual ports. A virtual port is called a vty. By default, there are five such virtual terminal lines, numbered vty 0 through vty 4. When configured, Cisco IOS Software images can support more than five vty ports. Restricting vty access is primarily a technique for increasing network security and defining which addresses are allowed Telnet access to the router EXEC process. Filtering Telnet...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States please contact International Sales, international@pearsoned.com.

Deleting VLANs and Port Membership

When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch. Use the global configuration command no vlan vlan-id to remove a VLAN. NOTE: Before deleting a VLAN, be sure to reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after...

Describing Port Security

Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. The switch can learn these addresses dynamically, or you can configure them statically. Figure 2-35 shows how the switch interacts with port security. A port that is configured with port security accepts frames only from those addresses that it has learned or that you have configured. Port security has several implementations:
Dynamic: You specify how many...

Designate the Root Bridge

Often, information about the location of the spanning-tree root bridge is not available at troubleshooting time. Do not let STP decide which switch becomes the root bridge. For each VLAN, you can usually identify which switch can best serve as the root bridge. Which switch would make the best root bridge depends on the design of the network. Generally, choose a powerful switch in the middle of the network. If you put the root bridge in the center of the network with direct connection to the...

Determining Equipment and Cabling Needs

The design of any high-performance network has four objectives: security, availability, scalability, and manageability. This list describes the equipment and cabling decisions that you should consider when altering the infrastructure:
Replace hubs and legacy switches with new switches at the building access layer.
Select equipment with the appropriate port density at the access layer to support the current user base while preparing for growth. Some designers begin by planning for about 30 percent...

Ether Channel Overview

The increasing deployment of switched Ethernet to the desktop can be attributed to the proliferation of bandwidth-intensive applications. Any-to-any communications of new applications, such as video to the desktop, interactive messaging, and collaborative white-boarding, increase the need for scalable bandwidth. At the same time, mission-critical applications call for resilient network designs. With the wide deployment of faster switched Ethernet links in the campus, organizations either need...

Example Broadcast Storms

Figure 2-18 illustrates the problem of a broadcast storm. The following describes the sequence of events that start a broadcast storm:
1. When host X sends a broadcast frame, such as an Address Resolution Protocol (ARP) for its default gateway (Router Y), switch A receives the frame.
Figure 2-18 Broadcast Storm
2. Switch A examines the destination address field in the frame and determines that the frame must be flooded onto the lower Ethernet link, segment 2.
3. When this copy of...

Example Multiple Transmissions

Figure 2-19 illustrates how multiple transmissions can occur.
Figure 2-19 Multiple Frame Transmissions
The following describes how multiple copies of the same frame can arrive at the intended host:
1. When host X sends a unicast frame to Router Y, one copy is received over the direct Ethernet connection, segment 1. At more or less the same time, switch A receives a copy of the frame and puts it into its buffers.
2. If switch A examines the destination address field in the frame and...

Example Network Design

A business with approximately 250 employees wants to migrate to the Cisco Enterprise Architecture. Table 2-1 shows the number of users in each department. Six VLANs are required to accommodate one VLAN per user community. Following the guidelines of the Cisco Enterprise Architecture, six IP subnets are required. The business has decided to use network 10.0.0.0 as its base address. To accommodate future growth, there will be one block of IP addresses per building, as follows:
Building A is...

Example Router on a Stick

Figure 2-31 illustrates a router attached to a core switch. The configuration between a router and a core switch is sometimes referred to as a router on a stick. The router can receive packets on one VLAN and forward them to another VLAN. To perform inter-VLAN routing functions, the router must know how to reach all VLANs being interconnected. Each VLAN must have a separate connection on the router, and you must enable 802.1Q trunking on those connections. The router already knows about...

Example Spanning Tree Operation

The best way to understand how spanning tree operates is to look at an operation example. Figure 2-26 shows a sample network spanning tree topology and the relevant information used by spanning tree.
[Figure 2-26 labels: Root Bridge, Default Priority 32768, MAC 0c00.1111.0000, MAC 0c00.1111.1111, MAC 0c00.1111.2222]
The following describes the STP port states illustrated in Figure 2-26:
The root bridge is switch Z, which has the lowest BID.
The root port is port 0 on switches X and...

Example Spanning Tree Path Cost

The spanning-tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path. In the figure, some of the path costs specified in the 802.1D specification are shown. The 802.1D specification has been revised; in the older specification, the cost was calculated based on a bandwidth of 1000 Mbps. The calculation of the new specification uses a nonlinear scale to accommodate higher-speed interfaces. NOTE: Most Cisco Catalyst switches incorporate the revised cost...

Example Spanning Tree Recalculation

In Figure 2-27, if switch Z (the root bridge) fails and does not send a BPDU to switch Y within the max_age time (default is 20 seconds, which equals 10 missed BPDUs), switch Y detects the missing BPDU from the root bridge. When the max_age timer on switch Y expires before a new BPDU has been received from switch Z, a spanning-tree recalculation is initiated. Switch Y transitions its blocking port (port 1) from the blocking state to the listening state to the learning state, and then finally to...

Example VTP Configuration

Example 2-1 demonstrates the commands that you would enter to configure VTP and display VTP status. The characteristics of the switch in this example are as follows:
The switch is transparent in the VTP domain.
The configuration revision is 0.
NOTE: In the output from the show vtp status command, VTP Version identifies what version of VTP the switch is capable of running, and VTP V2 Mode indicates whether VTP Version 2 is being used. If VTP V2 Mode shows disabled, VTP Version 1 is being used....

Features

This book features actual router and switch output to aid in the discussion of the configuration of these devices. Many notes, tips, and cautions are also spread throughout the text. In addition, you can find many references to standards, documents, books, and websites to help you understand networking concepts. At the end of each chapter, your comprehension and knowledge are tested by review questions prepared by a certified Cisco instructor. NOTE: The operating systems used in this book are...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Foreword

Cisco certification self-study guides are excellent self-study resources for networking professionals to maintain and increase internetworking skills, and to prepare for Cisco Career Certification exams. Cisco Career Certifications are recognized worldwide and provide valuable, measurable rewards to networking professionals and their employers. Cisco Press exam certification guides and preparation materials offer exceptional and flexible access to the knowledge and information required to stay...

Hardware Issues

Hardware issues can be one of the reasons a switch has connectivity issues. To rule out hardware issues, verify the following:
The port status for both ports involved in the link: Ensure that neither is shut down. The administrator may have manually shut down one or both ports, or the switch software may have shut down one of the ports because of a configuration error. If one side is shut down and the other is not, the status on the enabled side will be notconnected (because it does not sense a...

Identify a Bridging Loop

It used to be that a broadcast storm could have a disastrous effect on the network. Today, with high-speed links and devices that provide switching at the hardware level, it is not likely that a single host, such as a server, will bring down a network through broadcasts. The best way to identify a bridging loop is to capture the traffic on a saturated link and verify that you see similar packets multiple times. Realistically, however, if all users in a certain bridge domain have connectivity...

Implementing VLANs and Trunks

A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It is used to group end stations that have a common set of requirements, independent of their physical locations. A VLAN has the same attributes as a physical LAN, except that it lets you group end stations even when they are not physically located on the same LAN segment. A VLAN also lets you group ports on a switch so that you can limit unicast, multicast, and broadcast traffic flooding. Flooded traffic that...

Improving Performance with Spanning Tree

Most complex networks include redundant devices to avoid single points of failure. Although a redundant topology eliminates some problems, it can introduce other problems. STP is a Layer 2 link management protocol that provides path redundancy while preventing undesirable loops in a switched network. It is a standard protocol as defined by IEEE 802.1D. This section identifies the problems caused by redundant switched-network topologies and the functionality of STP to prevent these problems.

Info

List of All Best Routes from EIGRP Topology Table and the Other Routing Processes
In EIGRP, the best route is called a successor route while a backup route is called the feasible successor. To determine the best route (successor) and the backup route (feasible successor) to a destination, EIGRP uses the following two parameters:
Advertised distance: The EIGRP metric for an EIGRP neighbor to reach a particular network
Feasible distance: The advertised distance for a particular network learned from...

InterVLAN Connectivity

Most of the time, inter-VLAN connectivity issues are the result of user misconfiguration. For example, if you incorrectly configure a router on a stick or Multilayer Switching (Cisco Express Forwarding), then packets from one VLAN may not reach another VLAN. To avoid misconfiguration and to troubleshoot efficiently, you should understand the mechanism used by the Layer 3 forwarding device. If you are sure that the equipment is properly configured, yet hardware switching is not taking place,...

Introducing EIGRP

EIGRP is a Cisco-proprietary routing protocol that combines the advantages of link-state and distance vector routing protocols. EIGRP is an advanced distance vector or hybrid routing protocol that includes the following features:
Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that uses EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists...

Introducing OSPF

Open Shortest Path First is a link-state routing protocol. You can think of a link as an interface on a router. The state of the link is a description of that interface and of its relationship to its neighboring routers. A description of the interface would include, for example, the IP address of the interface, the subnet mask, the type of network to which it is connected, the routers that are connected to that network, and so on. The collection of all of these link states forms a link-state...

Introducing VLSMs

When an IP network is assigned more than one subnet mask for a given major network, it is considered a network with VLSMs, overcoming the limitation of a fixed number of fixed-size subnetworks imposed by a single subnet mask. Figure 3-30 shows the 172.16.0.0 network with four separate subnet masks. VLSMs provide the capability to include more than one subnet mask within a network and the capability to subnet an already subnetted network address. In addition, VLSM offers the following benefits...

Log STP Events

If you cannot precisely identify the source of the problem, or if the problem is transient, enable the logging of STP events on the switches of the network that experiences the failure. If you want to limit the number of devices to configure, at least enable this logging on devices that host blocked ports; the transition of a blocked port is what creates a loop. Issue the privileged EXEC command debug spanning-tree events to enable STP debug information. Issue the global configuration mode...

Managing Address Spaces with NAT and IPv6

One of the most important drawbacks to IP version 4 (IPv4) is the limited number of unique network addresses; the Internet is running out of address space. Two solutions to this dilemma are Network Address Translation (NAT) and IP version 6 (IPv6). NAT provides a short-term solution to this problem by translating private IPv4 addresses into globally unique, routable IPv4 addresses. IPv6 is the long-term solution. By increasing the size of an IP address to 128 bits, IPv6 increases the total...

Managing Traffic with Access Control Lists

Standard and extended Cisco IOS access control lists (ACLs) can be used to classify IP packets. Using ACLs, you can apply a number of features, such as encryption, policy-based routing, quality of service (QoS), dial-on-demand routing (DDR), Network Address Translation (NAT), and Port Address Translation (PAT), to the classified packets. You can also configure standard and extended Cisco IOS ACLs on router interfaces for access control (security) to control the type of traffic that is permitted...

Medium Sized Routed Network Construction

Routing is the process of determining where to send data packets that are destined for addresses outside the local network. Routers gather and maintain routing information to enable the transmission and receipt of these data packets. Routing information takes the form of entries in a routing table, with one entry for each identified route. The router can use a routing protocol to create and maintain the routing table dynamically so that network changes can be accommodated whenever they occur....

Mitigating Compromises Launched Through a Switch

Follow these recommended practices to mitigate compromises through a switch:
Proactively configure unused router and switch ports: Execute the shut command on all unused ports and interfaces. Place all unused ports in a parking-lot VLAN, which is dedicated to grouping unused ports until they are proactively placed into service. Configure all unused ports as access ports, disallowing automatic trunk negotiation.
Consider trunk links: By default, Cisco Catalyst switches that are running Cisco IOS...

Multiple Frame Transmissions

In a redundant topology, multiple copies of the same frame can arrive at the intended host, potentially causing problems with the receiving protocol. Most protocols are not designed to recognize or cope with duplicate transmissions. In general, protocols that use a sequence-numbering mechanism like TCP assume that many transmissions have failed and that the sequence number has recycled. Other protocols attempt to hand the duplicate transmission to the appropriate upper-layer protocol (ULP),...

Multiple Spanning Tree Protocol

Multiple Spanning Tree Protocol (MSTP), originally defined in IEEE 802.1s and later merged into IEEE 802.1Q-2003, defines a spanning-tree protocol that has several spanning-tree instances running for the network. But unlike PVRST+, which has one instance of RSTP per VLAN, MSTP reduces the switch load by allowing a single instance of spanning tree to run for multiple VLANs.

Native VLAN Mismatches

The native VLAN that is configured on each end of an IEEE 802.1Q trunk must be the same. Remember that a switch receiving an untagged frame assigns the frame to the native VLAN of the trunk. If one end of the trunk is configured for native VLAN 1 and the other end is configured for native VLAN 2, a frame sent from VLAN 1 on one side is received on VLAN 2 on the other. VLAN 1 leaks into the VLAN 2 segment. There is no reason this behavior would be required, and connectivity issues will occur in...

Overview of Switch Security Concerns

Much industry attention surrounds security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers. Network security often focuses on edge routing devices and the filtering of packets based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so on. This focus includes all issues surrounding Layer 3 and above, as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication...

Per VLAN Spanning Tree

The 802.1D standard defines a Common Spanning Tree (CST) that assumes only one spanning-tree instance for the entire switched network, regardless of the number of VLANs. In a network running CST, these statements are true: no load sharing is possible, because one uplink must block for all VLANs; and the CPU is spared, because only one instance of spanning tree must be computed. Per VLAN Spanning Tree Plus (PVST+) defines a spanning-tree protocol that has several spanning-tree instances running for the network, one...

Problem Host Connectivity

Host 10.1.1.1 has no connectivity with 10.100.100.1. The following output reveals information about the access list(s) in place to help determine the possible cause of the problem:
    10 deny 10.1.1.0, wildcard bits
    20 permit 10.1.1.1
    30 permit ip any any
The cause is the order of the statements in access list 10. Because the router processes ACLs from the top down and stops at the first match, statement 10 would deny host 10.1.1.1 (it falls inside the 10.1.1.0 range) before the packet is ever compared against statement 20, and statement 20...
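The following Python model of top-down ACL evaluation is an added example written for this page; it is not code from the book or from Cisco IOS. It reproduces the misordered access list 10 from the scenario next to a corrected one, so you can see the first-match rule and the implicit deny do their work. The wildcard on statement 10 is assumed to be 0.0.0.255 (the value Example 6-13 shows for the same deny statement); the helper names (`evaluate`, `show_access_list`, `broken_acl`, `fixed_acl`) are mine, and the `show_access_list` output only approximates the real command's per-statement lines.

```python
"""Top-down ACL evaluation with wildcard masks (added example; not Cisco IOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_wildcard(subnet_mask: str) -> str:
    """Wildcard (inverse) mask: 255.255.255.0 -> 0.0.0.255."""
    return int_to_ip(0xFFFFFFFF ^ ip_to_int(subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must match, bit 1 = ignore it."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Ace:
    """One access control entry. A standard ACL only checks src; dst stays 'any'."""
    seq: int
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # 0.0.0.0 with wildcard 255.255.255.255 == "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    matches: int = 0


def host(seq, action, ip): return Ace(seq, action, ip, "0.0.0.0")
def network(seq, action, net, wildcard): return Ace(seq, action, net, wildcard)
def any_(seq, action): return Ace(seq, action)


def evaluate(acl: List[Ace], src: str, dst: str = "0.0.0.0") -> Tuple[str, Optional[int]]:
    """First matching statement wins; an unmatched packet hits the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None


def show_access_list(acl: List[Ace]) -> List[str]:
    """Approximates the per-statement lines of 'show access-lists', with match counters."""
    lines = []
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.src_wc == "255.255.255.255":
            target = "any"
        elif ace.src_wc == "0.0.0.0":
            target = ace.src
        else:
            target = f"{ace.src}, wildcard bits {ace.src_wc}"
        hits = f" ({ace.matches} matches)" if ace.matches else ""
        lines.append(f"{ace.seq} {ace.action} {target}{hits}")
    return lines


def broken_acl():  # the order from the troubleshooting scenario (wildcard assumed 0.0.0.255)
    return [network(10, "deny", "10.1.1.0", mask_to_wildcard("255.255.255.0")),
            host(20, "permit", "10.1.1.1"),
            any_(30, "permit")]


def fixed_acl():   # the host exception must come before the network-wide deny
    return [host(10, "permit", "10.1.1.1"),
            network(20, "deny", "10.1.1.0", mask_to_wildcard("255.255.255.0")),
            any_(30, "permit")]


if __name__ == "__main__":
    for name, acl in (("broken", broken_acl()), ("fixed", fixed_acl())):
        print(name, "->", evaluate(acl, "10.1.1.1", "10.100.100.1"))
        print("\n".join(show_access_list(acl)))
```

Run it and the broken list reports `('deny', 10)` for the host while the fixed list reports `('permit', 10)`; other 10.1.1.0/24 hosts still hit the deny at statement 20, and everything else falls through to statement 30. The match counters are the same signal you read from `show access-lists` on a router: a deny statement whose counter climbs while a later permit stays at zero is the fingerprint of this ordering bug.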

Process for Configuring Port Security

Table 2-14 describes the process that can achieve the desired results for this scenario. Port security is configured to allow only five connections on that port, and one entry is configured for each of the five allowed MAC addresses. This step populates the MAC address table with five entries for that port and allows no additional entries to be learned dynamically. When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the source MAC address...

PVST Operation

In a Cisco PVST+ environment, you can tune the spanning-tree parameters so that half of the VLANs forward on each uplink trunk. To easily achieve this, you configure one switch to be elected the root bridge for half of the total number of VLANs in the network and a second switch to be elected the root bridge for the other half of the VLANs. Providing different STP root switches per VLAN creates a more redundant network. Spanning-tree operation requires that each switch has a unique BID. In the...

Q Frame

IEEE 802.1Q uses an internal tagging mechanism that inserts a four-byte tag field into the original Ethernet frame between the Source Address and Type or Length fields. Because 802.1Q alters the frame, the trunking device recomputes the frame check sequence (FCS) on the modified frame. It is the responsibility of the Ethernet switch to look at the four-byte tag field and determine where to deliver the frame. The first two bytes of the tag, the Tag Protocol Identifier (TPID), carry the EtherType value 0x8100, which indicates to devices that the frame has an 802.1Q tag. A tiny...

Q Native VLAN

An 802.1Q trunk and its associated trunk ports have a native VLAN value. 802.1Q does not tag frames for the native VLAN. Therefore, ordinary stations can read the native untagged frames but cannot read any other frame because the frames are tagged. Figure 2-10 shows a frame from the native VLAN being distributed across the network trunks untagged.

Q Trunking Configuration

The 802.1Q protocol carries traffic for multiple VLANs over a single link on a multivendor network. 802.1Q trunks impose several limitations on the trunking strategy for a network. You should consider the following: ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If they are different, spanning-tree loops might result. Native VLAN frames are untagged. Table 2-6 shows how 802.1Q trunking interacts with other switch features. Table 2-6 Switch Feature...
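The tag format, the FCS recomputation and the native-VLAN behaviour described in the Q Frame, Q Native VLAN, Native VLAN Mismatches and Q Trunking Configuration sections above can all be exercised in a few dozen lines. The block below is an added example written for this page, not code from the book: it builds a constructed Ethernet frame, inserts and parses the 802.1Q tag with CRC-32 as the FCS, and models each trunk end with its own native VLAN so the "VLAN 1 leaks into VLAN 2" mismatch is reproduced rather than just asserted. The MAC addresses, payload and helper names (`add_tag`, `parse`, `trunk_send`, `trunk_receive`, `trunk_crossing`) are assumptions of the example.

```python
"""802.1Q tag insertion/removal with FCS recomputation and native-VLAN handling (added example)."""
import struct
import zlib
from typing import Optional, Tuple

TPID = 0x8100  # EtherType in the first two tag bytes that marks an 802.1Q-tagged frame


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over destination..payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID) after the source MAC; recompute the FCS.
    VID 0 (priority tag) and 4095 are reserved, so this model only accepts 1..4094."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    body = frame[:-4]
    tci = (pcp << 13) | (dei << 12) | vid
    tagged = body[:12] + struct.pack("!HH", TPID, tci) + body[12:]
    return tagged + fcs(tagged)


def parse(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid or None if untagged, inner EtherType, payload); reject a bad FCS."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch")
    body = frame[:-4]
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype == TPID:
        tci, inner = struct.unpack("!HH", body[14:18])
        return tci & 0x0FFF, inner, body[18:]
    return None, ethertype, body[14:]


def trunk_send(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """The native VLAN leaves the trunk untagged; every other VLAN is tagged."""
    return frame if vlan == native_vlan else add_tag(frame, vlan)


def trunk_receive(frame: bytes, native_vlan: int) -> int:
    """An untagged frame is assigned to the receiver's native VLAN, whatever the sender meant."""
    vid, _, _ = parse(frame)
    return native_vlan if vid is None else vid


# Constructed sample: broadcast ARP-like frame from a made-up source MAC.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"constructed ARP-like payload")


def trunk_crossing(vlan: int, native_a: int, native_b: int) -> int:
    """VLAN that a frame from `vlan` on side A is delivered to on side B."""
    return trunk_receive(trunk_send(SAMPLE, vlan, native_a), native_b)


if __name__ == "__main__":
    print("natives match, VLAN 1     ->", trunk_crossing(1, 1, 1))
    print("native 1 vs 2, VLAN 1     ->", trunk_crossing(1, 1, 2))   # leaks into VLAN 2
    print("native 1 vs 2, VLAN 10    ->", trunk_crossing(10, 1, 2))  # tagged, arrives correctly
```

Only the native VLAN is exposed to the mismatch, which is why tagged VLANs keep working while the untagged one silently crosses segments; it is also why a practitioner keeps the native VLAN unused for hosts on trunks. The FCS check in `parse` is the same reason a tagging device must recompute the FCS: the original checksum no longer covers the modified frame.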

Rapid Spanning Tree Protocol

Rapid Spanning Tree Protocol (RSTP), specified in the IEEE 802.1w standard, supersedes STP as specified in 802.1D, while remaining compatible with STP. RSTP can be seen as an evolution of the 802.1D standard rather than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged, so users familiar with 802.1D can configure the new protocol comfortably.
Bridge ID Without the Extended System ID
RSTP significantly reduces the time to reconverge the...

Recently Installed Switch Causes Network Problems

A newly installed switch can cause problems in the network when all the switches in your network are in the same VTP domain, and you add a switch into the network that does not have the default VTP and VLAN configuration. If the configuration revision number of the switch that you insert into the VTP domain is higher than the configuration revision number on the existing switches of the VTP domain, your recently introduced switch overwrites the VLAN database of the domain with its own VLAN...
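The revision-number takeover is easy to reason about once the rule is written down, so here is an added simulation (written for this page; it is not IOS code and models only the revision comparison, not the real VTP message formats). A constructed domain of three servers at revision 20 is joined by a lab switch that carries the same domain name, a higher revision and only the default VLAN; the same scenario is then repeated with the pre-insertion check and the reset that a practitioner should perform first. Switch names, the domain name and the helper names (`converge`, `safe_to_insert`, `reset_revision`) are assumptions of the example.

```python
"""VTP revision-number takeover and the pre-insertion check (added simulation, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

DEFAULT_VLANS = {1: "default"}


@dataclass
class VtpSwitch:
    name: str
    domain: str
    revision: int = 0
    mode: str = "server"  # server, client or transparent
    vlans: Dict[int, str] = field(default_factory=lambda: dict(DEFAULT_VLANS))


def advertise(sender: VtpSwitch, receivers: List[VtpSwitch]) -> List[str]:
    """One summary advertisement: same-domain servers/clients with a lower revision
    adopt the sender's VLAN database. Returns the names of the switches overwritten."""
    changed: List[str] = []
    if sender.mode == "transparent":
        return changed  # transparent switches relay VTP but never originate their own database
    for r in receivers:
        if r is sender or r.domain != sender.domain or r.mode == "transparent":
            continue
        if sender.revision > r.revision:
            r.vlans, r.revision = dict(sender.vlans), sender.revision
            changed.append(r.name)
    return changed


def converge(switches: List[VtpSwitch]) -> Set[str]:
    """Let every switch advertise until nothing changes; the highest revision wins."""
    changed: Set[str] = set()
    for _ in range(len(switches)):
        this_round = [n for s in switches for n in advertise(s, switches)]
        changed.update(this_round)
        if not this_round:
            break
    return changed


def safe_to_insert(sw: VtpSwitch) -> bool:
    """What 'show vtp status' should confirm before a switch is cabled into the domain."""
    return sw.revision == 0


def reset_revision(sw: VtpSwitch) -> None:
    """Moving to transparent mode and back (or changing the domain name) resets the revision to 0."""
    sw.mode = "transparent"
    sw.revision = 0
    sw.mode = "server"


def production_domain() -> List[VtpSwitch]:
    """Constructed sample domain: three servers that agree on revision 20."""
    vlans = {1: "default", 10: "users", 20: "servers"}
    return [VtpSwitch(n, "CAMPUS", revision=20, vlans=dict(vlans)) for n in ("Dist1", "Acc1", "Acc2")]


def stale_lab_switch() -> VtpSwitch:
    """Constructed offender: same domain name, higher revision, default VLANs only."""
    return VtpSwitch("Lab1", "CAMPUS", revision=35)


if __name__ == "__main__":
    prod, lab = production_domain(), stale_lab_switch()
    print("no check  :", sorted(converge(prod + [lab])), "->", prod[0].vlans)
    prod, lab = production_domain(), stale_lab_switch()
    if not safe_to_insert(lab):
        reset_revision(lab)
    print("with check:", sorted(converge(prod + [lab])), "->", prod[0].vlans)
```

Without the check, every production switch ends at revision 35 with VLANs 10 and 20 gone; with the reset, the only switch whose database changes is the new one, which learns the domain's VLANs. The same model shows why a matching domain name is the precondition for the damage: a switch in a different domain, or in transparent mode, is never overwritten.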

Redundant Topology

Redundant topology can be accomplished using multiple links, multiple devices, or both. The key is to provide multiple pathways and eliminate a single point of failure. Figure 2-16 shows a simple redundant topology between segment 1 and segment 2. Although redundant designs can eliminate the possibility of a single point of failure causing a loss of function for the entire switched or bridged network, you must consider problems that redundant designs can cause. Some of the problems that can...

Resolving Issues with STP

STP provides loop resolution by managing the physical paths to given network segments. STP allows physical path redundancy while preventing the undesirable effects of active loops in the network. STP is an IEEE committee standard defined as 802.1D. Figure 2-21 illustrates how a blocked port would prevent traffic flow between the segments. STP forces certain ports into a standby state so that they do not listen to, forward, or flood data frames. The overall effect is that there is only one path...

Review Questions

Use the questions here to review what you learned in this chapter. The correct answers and solutions are found in the appendix, Answers to Chapter Review Questions.
1. Which feature is required for multiple VLANs to span multiple switches?
   a. A trunk to connect the switches
   b. A router to connect the switches
   c. A bridge to connect the switches
   d. A VLAN configured between the switches
2. What does a VMPS map to VLAN assignments?
3. What are two reasons for using 802.1Q? (Choose two.)
   a. To allow...

Reviewing Subnets

Prior to working with VLSM, it is important to have a firm grasp on IP subnetting. When you are creating subnets, you must determine the optimal number of subnets and hosts.
Computing Usable Subnetworks and Hosts
Remember that an IP address has 32 bits and comprises two parts: a network ID and a host ID. The length of the network ID and host ID depends on the class of the IP address. The number of hosts available also depends on the class of the IP address. The default number of bits in the...

RSTP Port Roles

RSTP defines the port roles as follows:
- Root: A forwarding port elected for the spanning-tree topology.
- Designated: A forwarding port elected for every switched LAN segment.
- Alternate: An alternate path to the root bridge that is different from the path that the root port takes.
- Backup: A backup path that provides a redundant (but less desirable) connection to a segment to which another switch port already connects. Backup ports can exist only where two ports are connected in a loopback by a...

Securing Switch Devices

You should use your security policy to determine how to configure security on your various network devices. Best practices for securing these devices also exist. Follow these recommended practices for secure switch access:
- Set system passwords. Use the enable secret command to set the password that grants privileged access to the Cisco IOS system. Because the enable secret command simply stores a salted Message Digest 5 (MD5) hash of the configured password, that password remains vulnerable to...

Securing Switch Protocols

Follow these recommended practices to secure the switch protocols:
- Manage Cisco Discovery Protocol. Cisco Discovery Protocol does not reveal security-specific information, but it is possible for an attacker to exploit this information in a reconnaissance attack, whereby an attacker learns device and IP address information to launch other types of attacks. You should follow two practical guidelines for Cisco Discovery Protocol: if Cisco Discovery Protocol is not required, or if the device is...

Single Area OSPF Implementation

This chapter examines Open Shortest Path First (OSPF), which is one of the most commonly used Interior Gateway Protocols (IGPs) in IP networking. OSPF is an open-standard, classless IGP. OSPF is based primarily on RFC 2328 and is designated by the Internet Engineering Task Force (IETF) as one of several IGPs. Because of the complexity and widespread use of OSPF, knowledge of its configuration and maintenance is essential. This chapter describes the function of OSPF and explains how to configure...

Spanning Tree Operation

STP performs three steps to provide a loop-free logical network topology:
1. Elects one root bridge. STP has a process to elect a root bridge. Only one bridge can act as the root bridge in a given network. On the root bridge, all ports are designated ports. Designated ports are in the forwarding state and are designated to forward traffic for a given segment. When in the forwarding state, a port can send and receive traffic. In Figure 2-22, switch X is elected as the root bridge.
2. Selects the...
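The three steps above (root bridge election, root port selection, designated port selection) together with the per-VLAN root tuning from the PVST Operation section are implemented below as an added example written for this page; it is not the book's code and it is a simplified model of 802.1D, not a BPDU implementation. A constructed triangle of switches X, Y and Z (MAC addresses and port numbers invented) is computed per VLAN using the bridge ID with the extended system ID, with X's priority lowered for VLANs 1 to 5 and Y's for VLANs 6 to 10 so that the two uplinks share the load. Tie-breaking follows the usual order (root path cost, then sender bridge ID, then port number); the function names are assumptions of the example.

```python
"""802.1D spanning-tree computation with PVST+ per-VLAN roots (added example, simplified model)."""
import heapq
from typing import Dict, Tuple

# Constructed topology: three switches in a triangle with 100 Mb/s links (802.1D cost 19).
SWITCHES = {"X": "00:00:0c:00:00:01", "Y": "00:00:0c:00:00:02", "Z": "00:00:0c:00:00:03"}
LINKS = [("X", 1, "Y", 1, 19), ("X", 2, "Z", 1, 19), ("Y", 2, "Z", 2, 19)]  # (sw, port, sw, port, cost)
# PVST+ load sharing: X is primary root for VLANs 1-5, Y for VLANs 6-10; Z keeps the default 32768.
PRIORITIES = {
    "X": {**{v: 24576 for v in range(1, 6)}, **{v: 28672 for v in range(6, 11)}},
    "Y": {**{v: 28672 for v in range(1, 6)}, **{v: 24576 for v in range(6, 11)}},
}


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """BID with extended system ID: 4-bit priority, 12-bit VLAN, 48-bit MAC. Lower wins."""
    if priority % 4096 or not 0 <= priority < 65536:
        raise ValueError("priority must be a multiple of 4096 below 65536")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return ((priority + vlan) << 48) | int(mac.replace(":", ""), 16)


def compute_stp(vlan: int, switches=SWITCHES, links=LINKS, priorities=PRIORITIES
                ) -> Tuple[str, Dict[str, int], Dict[Tuple[str, int], str]]:
    """Return (root, root path cost per switch, role per (switch, port))."""
    bid = {s: bridge_id(priorities.get(s, {}).get(vlan, 32768), vlan, m) for s, m in switches.items()}
    root = min(bid, key=bid.get)  # step 1: the lowest bridge ID becomes the root

    adj = {s: [] for s in switches}  # neighbor, own port, neighbor port, cost
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # Root path cost: shortest accumulated link cost from each switch to the root.
    rpc = {s: float("inf") for s in switches}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > rpc[s]:
            continue
        for n, _, _, cost in adj[s]:
            if c + cost < rpc[n]:
                rpc[n] = c + cost
                heapq.heappush(heap, (rpc[n], n))

    # Step 2: each non-root switch picks one root port: lowest (cost via neighbor,
    # neighbor BID, neighbor port number, own port number).
    root_port = {}
    for s in switches:
        if s == root:
            continue
        _, _, _, own = min((rpc[n] + cost, bid[n], npt, own) for n, own, npt, cost in adj[s])
        root_port[s] = own

    # Step 3: one designated port per segment, on the end with the lower (RPC, BID, port).
    # The other end is the root port of that switch or else goes to blocking.
    roles = {}
    for a, pa, b, pb, _ in links:
        if (rpc[a], bid[a], pa) <= (rpc[b], bid[b], pb):
            d, dp, o, op = a, pa, b, pb
        else:
            d, dp, o, op = b, pb, a, pa
        roles[(d, dp)] = "designated"
        roles[(o, op)] = "root" if root_port.get(o) == op else "blocking"
    return root, rpc, roles


def root_per_vlan(vlans) -> Dict[int, str]:
    return {v: compute_stp(v)[0] for v in vlans}


if __name__ == "__main__":
    for vlan in (1, 6):
        root, rpc, roles = compute_stp(vlan)
        print(f"VLAN {vlan}: root={root} rpc={rpc}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} port {port}: {role}")
```

For VLANs 1 to 5 switch X is the root and the Y-Z link blocks on Z's side; for VLANs 6 to 10 switch Y is the root and the X-Z link blocks on Z's side, so Z forwards half its VLANs over each uplink. Every switch in a VLAN sees exactly one blocking port in this triangle, which is the whole point: one physical loop, one logically disabled port.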

STP Convergence

Convergence in STP is a state in which all the switch and bridge ports have transitioned to either the forwarding or the blocking state. Convergence is necessary for normal network operations. For a switched or bridged network, a key issue is the time required for convergence when the network topology changes. Fast convergence is a desirable network feature because it reduces the time that bridge and switch ports are in transitional states and not sending user traffic. The normal convergence...

Summary of ACL Operations

The following summarizes the key points that were discussed in this section: ACLs can be used for IP packet filtering or to identify traffic to assign it special handling. ACLs perform top-down processing and can be configured for incoming or outgoing traffic. You can create an ACL using a named or numbered ACL. Named or numbered ACLs can be configured as standard or extended ACLs, which determines what they can filter. Reflexive, dynamic, and time-based ACLs add more functionality to standard...

Summary of Implementing EIGRP

The following summarizes the key points that were discussed in the previous sections: EIGRP is a classless, advanced distance vector routing protocol that runs the DUAL algorithm. EIGRP requires you to configure an autonomous system number that must match on all routers to exchange routes. EIGRP is capable of load balancing across unequal-cost paths. EIGRP supports MD5 authentication to protect against unauthorized, rogue routers entering your network.

Summary of Implementing Variable Length Subnet Masks

The following list summarizes the key points discussed in this section: Subnetting lets you efficiently allocate addresses by taking one large broadcast domain and breaking it up into smaller, more manageable broadcast domains. VLSMs let you more efficiently allocate IP addresses by adding multiple layers of the addressing hierarchy. The benefits of route summarization include smaller routing tables and the ability to isolate topology changes.
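The subnet arithmetic from Reviewing Subnets and the VLSM and summarization points above are worked through in the following added Python example (written for this page, not from the book; it relies only on the standard library's ipaddress module). It computes classful subnet counts and usable hosts, allocates VLSM subnets largest-first from one block for a constructed set of host requirements, and derives the single summary route that covers the allocation. The block, the demand figures and the helper names (`allocate_vlsm`, `summary_route`, `prefix_for_hosts`) are assumptions of the example.

```python
"""Subnet arithmetic, VLSM allocation and route summarization (added example; standard library only)."""
import ipaddress
from typing import Dict, Iterable


def classful_prefix(addr: str) -> int:
    """Default (classful) prefix length: class A /8, class B /16, class C /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")


def subnet_count(classful_net: str, new_prefix: int) -> int:
    """Subnets created when a classful network is split at new_prefix: 2 ** (borrowed bits)."""
    return 2 ** (new_prefix - classful_prefix(classful_net))


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses minus the network and broadcast addresses (0 for /31 and /32 under this rule)."""
    return max(net.num_addresses - 2, 0)


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet still holds `hosts` usable addresses."""
    bits = 0
    while 2 ** bits - 2 < hosts:
        bits += 1
    return 32 - bits


def allocate_vlsm(block: str, demands: Dict[str, int]) -> Dict[str, ipaddress.IPv4Network]:
    """Largest-first allocation keeps every subnet aligned and the leftovers summarizable."""
    free = [ipaddress.ip_network(block)]
    result: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        for i, piece in enumerate(free):
            if piece.prefixlen <= plen:
                chosen = next(piece.subnets(new_prefix=plen))  # lowest /plen inside the piece
                leftover = [] if chosen == piece else list(piece.address_exclude(chosen))
                free = free[:i] + sorted(leftover) + free[i + 1:]
                result[name] = chosen
                break
        else:
            raise ValueError(f"no room left for {name} ({hosts} hosts)")
    return result


def summary_route(nets: Iterable[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering all nets (what you would advertise upstream)."""
    nets = list(nets)
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network((lo, plen), strict=False)
        if int(cand.broadcast_address) >= hi:
            return cand
    raise AssertionError("a /0 covers everything, so this is unreachable")


# Constructed requirements for one /24 block.
DEMANDS = {"Sales": 100, "Engineering": 50, "Servers": 20, "WAN1": 2, "WAN2": 2}

if __name__ == "__main__":
    print("172.16.0.0 split at /20 ->", subnet_count("172.16.0.0", 20), "subnets")
    plan = allocate_vlsm("192.168.0.0/24", DEMANDS)
    for name, net in plan.items():
        print(f"{name:12} {str(net):20} usable hosts: {usable_hosts(net)}")
    print("summary route:", summary_route(plan.values()))
```

The allocation lands the two /30 WAN links inside the leftover of the /27, which is what sorting by size buys you: nothing is wasted and the whole plan still summarizes to the original /24. Ask for more than fits and `allocate_vlsm` raises instead of silently overlapping, which is the failure a plan done by hand tends to hide.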

Summary of Implementing VLANs and Trunks

The following list summarizes the key points that were discussed in this section. A poorly designed network has increased support costs, reduced service availability, and limited support for new applications and solutions. VLANs provide broadcast segmentation and organizational flexibility. Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. VTP is a Layer 2 messaging protocol that maintains VLAN configuration...

Summary of OSPF Introduction

The following summarizes the key points that were discussed in this section: OSPF is a classless, link-state routing protocol that uses an area hierarchy for fast convergence. OSPF exchanges hello packets to establish neighbor adjacencies between routers. The SPF algorithm uses a cost metric to determine the best path. Lower costs indicate a better path. The router ospf process-id command is used to enable OSPF on the router. Use a loopback interface to keep the OSPF router ID consistent. The...

Summary of Reviewing Routing Operations

The following list summarizes the key points discussed in this section: Dynamic routing requires administrators to configure either a distance vector or a link-state routing protocol. Distance vector routing protocols incorporate solutions such as split horizon, route poisoning, and hold-down timers to prevent routing loops. Link-state routing protocols scale to large network infrastructures better than distance vector routing protocols, but they require more planning to implement.

Summary of Troubleshooting ACLs

The following summarizes the key points that were discussed in this section: An improperly configured access list can prevent legitimate traffic from passing through a router or allow unauthorized traffic to pass through the router. You can use the show access-lists command to verify the configuration of an access list on a router. You can use the show ip interface command to verify where the access list is applied to an interface and what direction it is applied in.

Summary of Troubleshooting EIGRP

The following summarizes the key points that were discussed in this section: Troubleshooting EIGRP includes several aspects, such as resolving neighbor relationships, routing table issues, and authentication problems. Issues that can cause EIGRP neighbor problems include incorrect network commands and hello packet information mismatches. Use the show ip eigrp neighbors command to help troubleshoot these issues. Missing EIGRP routes from the routing table can be because of route filtering or...

Summary of Troubleshooting OSPF

Troubleshooting OSPF is an important skill. Most OSPF problems are related to configuration and will most likely show themselves when the routers attempt to form OSPF adjacencies. The following summarizes the key points that were discussed in this section: Troubleshooting OSPF involves looking at neighbor adjacencies, routing tables, and authentication issues. Use the show ip interface command to verify the MTU of an OSPF interface. Use the show ip ospf interface command to help troubleshoot...

Summary of Troubleshooting Switched Networks

The list that follows summarizes the key points that were discussed in this section. Effective switched-network troubleshooting begins by understanding what makes a network function correctly. Hardware issues and port configuration errors can cause port connectivity issues. Native VLAN mismatches and trunk mode mismatches can prevent a trunk link from being established. Understanding how VTP works is the best defense when troubleshooting VTP problems. One of the primary objectives when dealing...

Switch Behavior with Broadcast Frames

Switches handle broadcast and multicast frames differently from the way they handle unicast frames. Because broadcast and multicast frames may be of interest to all stations, the switch or bridge normally floods broadcast and multicast frames to all ports except the originating port. A switch or bridge never learns a broadcast or multicast address because broadcast and multicast addresses never appear as the source address of a frame. This flooding of broadcast and multicast frames can cause a...

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Troubleshooting ACLs

When you finish the ACL configuration, use the show commands to verify the configuration. Use the show access-lists command to display the contents of all ACLs, as demonstrated in Example 6-13. By entering the ACL name or number as an option for this command, you can display a specific ACL. To display only the contents of all IP ACLs, use the show ip access-list command.
Example 6-13 Verifying Access List Configuration
    10 deny 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit...

Troubleshooting Port Connectivity

If you are experiencing connectivity problems, the first thing to check is the port. Ports are the foundation of the switched network. If they do not work, nothing works. Some ports have special significance because of their location in the network and the amount of traffic they carry. These include ports that have connections to other switches, routers, and servers. They can be more complicated to troubleshoot because they often take advantage of special features, such as trunking and...

Troubleshooting Switches

There are many ways to troubleshoot a switch. Developing a troubleshooting approach or test plan works much better than using a hit-or-miss approach. Here are some general suggestions to make troubleshooting more effective: Take the time to become familiar with normal switch operation. The Cisco website (Cisco.com) has a lot of technical information that describes how its switches work. The configuration guides in particular are helpful. For larger multiswitch environments, have an accurate...

Trunk Mode Mismatches

You should statically configure trunk links whenever possible. However, Cisco Catalyst switch ports run DTP by default, which tries to automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation. Table 2-15 outlines DTP mode operations. Creates the trunk link based on the DTP request from the neighboring switch. Dynamic Auto...

Types of ACLs

These differing ACLs are used depending on the functionality required. The types of ACLs can be classified as follows:
- Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.
- Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific...