
Monday, July 29, 2013

SPAN, (Switch Port Analyzer)


SPAN:
Switch Port Analyser copies traffic from one or more CPUs, ports, Ether-channels, or VLANs and sends the copied traffic to one or more destinations for analysis by a network analyser such as a Switch Probe device or other Remote Monitoring (RMON) probe or packet capture/protocol analyser.

·       Local SPAN session is an association of source ports and source VLANs with one or more destinations. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions. Each local SPAN session can have either ports or VLANs as sources, but not both.
·       Remote SPAN supports source ports, source VLANs, and destinations on different (remote) switches, which provides remote monitoring of multiple switches across your network.  RSPAN uses a Layer 2 VLAN to carry SPAN traffic between switches.  Each RSPAN source session can have either ports or VLANs as sources, but not both. The RSPAN source session copies traffic from the source ports or source VLANs and switches the traffic over the RSPAN VLAN to the RSPAN destination session. The RSPAN destination session switches the traffic to the final destinations.
·       Encapsulated Remote SPAN (ERSPAN): to configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPAN destination session on another switch, you associate the destinations with the source IP address, ERSPAN ID number, and optionally with a VRF name. Each ERSPAN source session can have either ports or VLANs as sources, but not both. The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destinations.
·       By default, local SPAN and ERSPAN monitor all traffic, including multicast and bridge protocol data unit (BPDU) frames. RSPAN does not support BPDU monitoring.
·       You can configure both Layer 2 and Layer 3 ports and Ether-channels as SPAN sources. SPAN can monitor one or more source ports or Ether-channels in a single SPAN session. You can configure ports or Ether-channels in any VLAN as SPAN sources. Trunk ports or Ether-channels can be configured as sources and mixed with non-trunk sources.
·       A SPAN destination is a Layer 2 or Layer 3 port or, with Release 12.2(33)SXH and later releases, an Ether-channel, to which local SPAN, RSPAN, or ERSPAN sends traffic for analysis. When you configure a port or Ether-channel as a SPAN destination, it is dedicated for use only by the SPAN feature. Destination Ether-channels do not support the Port Aggregation Control Protocol (PAgP) or Link Aggregation Control Protocol (LACP) Ether-channel protocols; only the on mode is supported, with all Ether-channel protocol support disabled.
·       You can configure trunks as destinations, which allows trunk destinations to transmit encapsulated traffic. You can use allowed VLAN lists to configure destination trunk VLAN filtering.

·       These features are incompatible with SPAN destinations:
o    Private VLANs
o    IEEE 802.1X port-based authentication
o    Port security
o    Spanning Tree Protocol (STP) and related features: PortFast, PortFast BPDU filtering, BPDU Guard, UplinkFast, BackboneFast, Ether-channel Guard, Root Guard, Loop Guard.
o    VLAN trunk protocol (VTP)
o    Dynamic trunking protocol (DTP)
o    IEEE 802.1Q tunnelling

·       This example shows (LOCAL) how to configure session 1 to monitor ingress traffic from Gigabit Ethernet port 1/1 and configure Gigabit Ethernet port 1/2 as the destination:
Router(config)# monitor session 1 type local
Router(config-mon-local)# source interface gigabitethernet 1/1 rx
Router(config-mon-local)# destination interface gigabitethernet 1/2

·       This example shows (RSPAN) how to configure session 1 to monitor bidirectional traffic from Gigabit Ethernet port 1/1:
Router(config)# monitor session 1 type rspan-source
Router(config-mon-rspan-src)# source interface gigabitethernet 1/1
Router(config-mon-rspan-src)# destination remote vlan 2

·       This example shows how to configure session 3 to monitor bidirectional traffic from Gigabit Ethernet port 4/1:
Router(config)# monitor session 3 type erspan-source
Router(config-mon-erspan-src)# source interface gigabitethernet 4/1
Router(config-mon-erspan-src)# destination
Router(config-mon-erspan-src-dst)# ip address 10.1.1.1
Router(config-mon-erspan-src-dst)# origin ip address 20.1.1.1
Router(config-mon-erspan-src-dst)# erspan-id 101
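
What an analyser at the ERSPAN destination receives, as an added example (not from the original post): a Python decoder for the GRE and ERSPAN Type II headers that recovers the session ID set with erspan-id. The header layout is the published ERSPAN Type II format; the sample packet and its values are constructed.

```python
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type used by ERSPAN Type II


def decode_erspan(gre: bytes) -> dict:
    """Decode the GRE and ERSPAN Type II headers (the payload of the outer IP packet)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    offset = 4
    if flags & 0x8000:      # C bit: checksum + reserved words present
        offset += 4
    if flags & 0x2000:      # K bit: key present
        offset += 4
    if not flags & 0x1000:  # S bit: Type II always carries a sequence number
        raise ValueError("no GRE sequence number, so no ERSPAN Type II header")
    if len(gre) < offset + 4 + 8:
        raise ValueError("truncated ERSPAN header")
    (sequence,) = struct.unpack_from("!I", gre, offset)
    # ERSPAN header: ver(4) vlan(12) | cos(3) en(2) t(1) session(10) | rsvd(12) index(20)
    w0, w1, w2 = struct.unpack_from("!HHI", gre, offset + 4)
    return {
        "sequence": sequence,
        "version": w0 >> 12,
        "vlan": w0 & 0x0FFF,
        "cos": w1 >> 13,
        "truncated": bool(w1 & 0x0400),
        "session_id": w1 & 0x03FF,   # the value configured with erspan-id
        "index": w2 & 0xFFFFF,
        "inner_frame": gre[offset + 12:],  # the mirrored Ethernet frame
    }


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_sample() -> bytes:
    """Constructed packet: sequence 7, VLAN 10, session 101, index 5, ARP broadcast."""
    inner = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
    header = struct.pack("!HHIHHI", 0x1000, GRE_PROTO_ERSPAN_II, 7,
                         (1 << 12) | 10, 101, 5)
    return header + inner


if __name__ == "__main__":
    info = decode_erspan(build_sample())
    frame = info.pop("inner_frame")
    print(info)
    print("mirrored frame:", mac(frame[6:12]), "->", mac(frame[0:6]))
```

GRE does not encrypt its payload, so the mirrored frame is readable on every hop between the ERSPAN source and destination sessions.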

·       This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the source is a trunk port:
Router(config)# monitor session 2 filter vlan 1 - 5 , 9

IP SLA Notes

IPSLA: 
  • Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action. Every IP SLAs operation maintains an SNMP operation return-code value, such as OK or OverThreshold, that can be interpreted by the tracking process. You can track two aspects of IP SLAs operation: state and reachability. For state, if the return code is OK, the track state is up; if the return code is not OK, the track state is down. For reachability, if the return code is OK or OverThreshold, reachability is up; if not OK, reachability is down.   
  • Cisco IOS IP SLAs is a network performance measurement and diagnostics tool that uses active monitoring. Active monitoring is the generation of traffic in a reliable and predictable manner to measure network performance. Cisco IOS software uses IP SLAs to collect real-time metrics such as response time, network resource availability, application performance, jitter (inter packet delay variance), connect time, throughput, and packet loss.  
The Cisco IOS IP SLAs responder is enabled on the target device. When the responder is enabled, it allows the target device to take two timestamps: when the packet arrives on the interface at interrupt level and again just as it leaves. This eliminates processing time. This time-stamping is made with sub-millisecond (ms) granularity.

The following is a basic reaction configuration and trigger CLI example. In this example, upon a connection loss, operation 1 will trap and trigger operation 2. Operation 1 is a jitter measurement, and operation 2 is an ICMP echo measurement. The ICMP echo lifetime is set to 60 seconds, so after the connection loss the ICMP echo will test latency to the endpoint for 60 seconds and stop. The ICMP echo operation will activate every 5 seconds and trap if there is still no connectivity.
ip sla 1  
udp-jitter 1.0.1.2 5555 num-packets 5
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 connection-loss-enable action-type trapAndTrigger
ip sla reaction-trigger 1 2
ip sla 2
icmp-echo 1.0.1.2
frequency 5
threshold 200
ip sla schedule 2 life 60 start-time pending
ip sla reaction-configuration 2 timeout-enable action-type trapOnly 

Once a key-chain is configured, then that key-chain has to be tied to Cisco IOS IP SLAs, so that it could use these authentication strings for authenticating control messages.

NOTE: The authentication configuration should be the same on both source router and target router, even the order of the authentication strings (although the key-chain name can be different).

(config)# ip sla key-chain <name>

Use the following commands to verify that the Cisco IOS IP SLAs feature is configured properly:
show ip sla application
This command shows the types of operations available on the device. 
show ip sla configuration
This command shows the details of what was configured in CLI for each or all operations on the device.

Use the following commands to view the results of operations.
Instantaneous view of the current statistics for the latest measurement:
show ip sla statistics
show ip sla statistics details
Aggregated view of the statistics over the hour period:
show ip sla statistics aggregated
show ip sla statistics aggregated details

Configuring a UDP Echo Operation

(config)# ip sla 1
(config-ip-sla)# udp-echo 100.100.100.2 5000
(config)#ip sla sch 1 start-time now

The following commands configure a scheduled ICMP ping with a request data size of 400 bytes and a ToS value of 160 to give the traffic some class of service.

(config)# ip sla 2
(config-ip-sla)# icmp-echo 100.100.100.2
(config-ip-sla-echo)# request-data-size 400
(config-ip-sla-echo)# tos 160
(config)# ip sla schedule 2 start-time now

The ICMP Path Echo operation computes hop-by-hop response time between a Cisco router and any IP device on the network. It discovers the path using traceroute and then measures response time between the source router and each intermediate hop in the path. If there are multiple equal-cost routes between the source and destination devices, the pathEcho operation can identify a specific path by using the LSR option (if enabled on intermediate devices). This feature enables Cisco IOS IP SLAs to discover paths more accurately than a typical traceroute.



ICMP Path Echo operation:

Router#
ip sla 3
path-echo <destination ip_address>
frequency 10
ip sla schedule 3 life 25 start-time now
Router#show ip sla statistics aggregated 55

Creating a TCP operation that does not require the Cisco IOS IP SLAs responder.

The responder is not needed since the operation tries to perform a TCP connection to a well-defined port (HTTP server). The control disable command allows the TCP operation to be used without the IP SLAs responder.
(config)# ip sla 1
(config-ipsla)# tcp-connect 5.0.0.2 80 control disable
(config)# ip sla schedule 1 start-time now

Creating a TCP operation that requires a responder.

The ToS bits are also specified to measure QoS.

(config)# ip sla 1
(config-ip-sla)# tcp-connect 5.0.0.2 8008
(config-ip-sla)# tos 4
(config)# ip sla schedule 1 start-time now

Configuration of the DNS operation

ip sla 1
dns www.cisco.com name-server 10.52.128.30
ip sla schedule 1 start-time now

Defining HTTP RAW Operation from CLI

(config)# ip sla 6
(config-ip-sla)# http raw http://6.0.0.2
(config-ip-sla)# http-raw-request
(config-ip-sla-http)# GET /index.html HTTP/1.0\r\n
(config-ip-sla-http)# \r\n
(config-ip-sla-http)# exit

Defining HTTP RAW Operation, for Going Through a Proxy Server, from CLI

In this example 3.0.0.2 is the proxy server and 5.0.0.2 is the target HTTP Server.
(config)# ip sla 6
(config-ip-sla)# http raw http://3.0.0.2
(config-ip-sla)# http-raw-request
(config-ip-sla-http)# GET http://5.0.0.2/index.html HTTP/1.0\r\n
(config-ip-sla-http)# \r\n
(config-ip-sla-http)# exit
(config)# ip sla schedule 6 start-time now

Defining HTTP RAW Operation, with Authentication, from CLI

ip sla 1
http raw http://nsite-bru.cisco.com
http-raw-request
GET /lab/index.html HTTP/1.0\r\n
Authorization: Basic btNpdGT4biNvoZe=\r\n\r\n
exit
ip sla schedule 1 start-time now

The router always has a single null interface, Null0. By default, a packet sent to the null interface causes the router to respond by sending an Internet Control Message Protocol (ICMP) unreachable message to the packet's source IP address. You can configure the router either to send these responses or to silently drop the packets. In order to disable the sending of ICMP unreachable messages in response to packets sent to the null interface, type this command in interface configuration mode:
!
interface Null0
 no ip unreachables
!

STP & Switching notes


STP:
·       Port cost influences how the local switch elects its root port upstream. It affects all the downstream switches.
·       Port priority influences how a downstream switch elects its root port.
o    Priority is locally significant between 2 directly connected switches.
o    show span vlan {id} detail; look for ‘designated port id x.x’
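
How the two settings above act in a root-port election, as an added example (not from the original post): the comparison order is the standard 802.1D tie-break, and the two-link topology, bridge ID and costs are constructed. It shows that changing the port priority on the local switch does not move its own root port, while changing it on the upstream switch does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReceivedBpdu:
    local_port: str          # port on this switch that heard the BPDU
    local_port_cost: int     # cost configured on that local port
    local_port_id: tuple     # (priority, number) of the local port
    root_path_cost: int      # cost advertised by the upstream neighbour
    sender_bridge_id: tuple  # (priority, MAC) of the upstream neighbour
    sender_port_id: tuple    # (priority, number) of the neighbour's sending port


def election_key(b: ReceivedBpdu) -> tuple:
    # Lower wins; fields are compared left to right.
    return (
        b.root_path_cost + b.local_port_cost,  # 1. total cost to the root
        b.sender_bridge_id,                    # 2. upstream bridge ID
        b.sender_port_id,                      # 3. upstream port priority.number
        b.local_port_id,                       # 4. local port ID, last resort
    )


def elect_root_port(bpdus) -> str:
    return min(bpdus, key=election_key).local_port


UPSTREAM = (32768, "0011.2233.4455")  # constructed bridge ID; this neighbour is the root


def parallel_links(cost_fa2=19, upstream_prio_p2=128, local_prio_fa2=128):
    """Two links, Fa0/1 and Fa0/2, from this switch to the same upstream switch."""
    return [
        ReceivedBpdu("Fa0/1", 19, (128, 1), 0, UPSTREAM, (128, 1)),
        ReceivedBpdu("Fa0/2", cost_fa2, (local_prio_fa2, 2), 0, UPSTREAM,
                     (upstream_prio_p2, 2)),
    ]


def scenarios() -> dict:
    return {
        # Everything equal: the lower upstream port number decides.
        "defaults": elect_root_port(parallel_links()),
        # Lower cost on the local Fa0/2 changes this switch's choice.
        "local_cost": elect_root_port(parallel_links(cost_fa2=10)),
        # Lower port priority on the upstream port facing Fa0/2 changes it too.
        "upstream_priority": elect_root_port(parallel_links(upstream_prio_p2=64)),
        # Lower port priority on the local Fa0/2: step 3 decides first, no effect.
        "local_priority": elect_root_port(parallel_links(local_prio_fa2=64)),
    }


if __name__ == "__main__":
    for name, port in scenarios().items():
        print(f"{name:18} root port = {port}")
```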

To test BPDU filters from router connected to a switch:
(config)# bridge 1 protocol ieee
(config)# interface fa0/0/0
(config-if)# bridge-group 1

·       MSTP
o    MST (Multiple Spanning Tree) was developed for IEEE 802.1q trunks and is defined in 802.1s.
o    If no instance is defined, all VLANs are mapped to instance 0 (zero).
o    Same election process as STP, with only one election per user-defined instance.
o    MST also uses a cost value derived from the inverse bandwidth of the interface; the higher the bandwidth, the lower the cost.
o    When MST is enabled, RSTP is automatically enabled.
o    Using MST, all VLANs in a trunk must be either blocking or forwarding, depending on the forwarding state of the native VLAN.
o    MST requires that only the native VLAN send a BPDU. Other VLANs are not allowed to send BPDUs on an MST trunk.
o    MST native VLAN sends a BPDU to the IEEE standard multicast MAC address of 01-80-C2-00-00-00

802.1D, STP, only sends BPDUs from the root. A non-root bridge will only reply when it receives a BPDU on its root port.
802.1w, RSTP, sends a BPDU every hello-time even if it doesn’t receive any from the root port, sending its current info.
802.1w uses BPDU protocol version 2, while 802.1D uses BPDU protocol version 0.
802.1s, MSTP, is an amendment to 802.1D and compatible with STP, RSTP, and Cisco’s PVST+.

·       RSTP
o    RSTP is the IEEE 802.1w standard for PVST+, which is a Cisco Systems proprietary protocol.
o    PortFast, UplinkFast, and BackboneFast are specified in 802.1w.
o    The root dictates timer values for all bridges in configuration BPDUs.
o    ALL the ports on root-bridge are designated ports.
o    All other bridges determine shortest path to this root bridge.
o    At most, there is one designated bridge per Ethernet segment.
o    The designated bridge is always the bridge with the shortest path to the root bridge.
o    There is an election process to determine the designated bridge.
o    The designated bridge is responsible for “advertising” BPDUs to other bridges out its designated ports.
o    Backup port is a backup designated port.
o    Works only on point-to-point links between two switches.
o    A full-duplex port is considered a point-to-point link while half duplex is considered to be shared link.
o    If a port is designated as a shared link, RSTP fast transition is forbidden, regardless of duplex setting.
o    Configured with spanning-tree link-type {shared | point-to-point}.

Rapid Spanning Tree Protocol:
(RSTP; IEEE 802.1w) can be seen as an evolution of the 802.1D standard more than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged so users familiar with 802.1D can rapidly configure the new protocol comfortably. In most cases, RSTP performs better than proprietary extensions of Cisco without any additional configuration. 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis. This drops the benefits it introduces.

·       Port Fast:
PortFast is for access (user) ports only. It causes the port to bypass the STP listening and learning states, and transition directly to forwarding. If a BPDU is received, PortFast is abandoned, the port placed in blocking, and the switch runs through the entire Spanning Tree procedure.
(config-if)# spanning-tree portfast

·       Uplink Fast:
Uplink Fast is for speeding convergence when a direct link to an upstream switch fails. The switch identifies backup ports for the root port (these are called an uplink group). If the root port fails, one of the ports in the uplink group is unblocked and transitions immediately to forwarding— bypassing the listening and learning stages. It should be used in wiring closet switches with at least one blocked port.  When configuring UplinkFast, the local switch has a priority set to 49,152, and it adds 3000 to the cost of all links.
(config)# spanning-tree uplinkfast

·       Backbone Fast:
Backbone Fast is used for speeding convergence when a link fails that is not directly connected to the switch. It helps the switch detect indirect failures. If a switch running Backbone Fast receives an inferior BPDU from its designated bridge, it knows a link on the path to the root has failed. (An inferior BPDU is one that lists the same switch for Root Bridge and Designated Bridge.) The switch then tries to find an alternate path to the root by sending a Root Link Query (RLQ) protocol data unit (PDU) out all alternate ports. The root then responds with an RLQ response, and the port receiving this response can transition to forwarding. Alternate ports are determined in this way:
o    If the inferior BPDU was received on a blocked port; the root port and any other blocked ports are considered alternates.
o    If the inferior BPDU was received on the root port, all blocked ports are considered alternates.
o    If the inferior BPDU was received on the root port and there are no blocked ports, the switch assumes it has lost connectivity with the root and advertises itself as root.
Configured by:
(config)# spanning-tree backbonefast

In IEEE 802.1D, an inferior BPDU is discarded. With BackboneFast, the switch tracks inferior BPDUs. We compare inferior BPDUs to the stored BPDU to determine if there has been an indirect link failure. Only inferior BPDUs sent by the designated bridge are tracked (i.e., inferior BPDUs sent with the same BID as the stored BPDU). If a newly inserted bridge starts sending inferior BPDUs, it will not trigger the Backbone Fast feature.

·       BPDU Guard:
BPDU Guard prevents loops if another switch is attached to a PortFast port. When BPDU Guard is enabled on an interface, the interface is put into an error-disabled state (basically, shut down) if a BPDU is received on it. It can be enabled either at global config mode, in which case it affects all PortFast interfaces, or at interface mode. PortFast does not have to be enabled for it to be configured at a specific interface.
(config)# spanning-tree portfast bpduguard default
(config-if)# spanning-tree bpduguard enable

·       BPDU Filtering:
BPDU filtering is another way of preventing loops in the network. It also can be enabled either globally or at the interface and functions differently at each. In global config, if a PortFast interface receives any BPDUs, it is taken out of PortFast status. At interface config mode, it prevents the port from sending or receiving BPDUs.
(config)# spanning-tree portfast bpdufilter default
(config-if)# spanning-tree bpdufilter enable
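
A check for the PortFast, BPDU Guard and BPDU filtering settings described above, as an added example (not from the original post): a Python audit of a running-config that reports PortFast ports left without BPDU Guard and ports with interface-level BPDU filtering. The sample config is constructed; `spanning-tree bpduguard disable` is the per-interface override of the global default.

```python
import re

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/4
 switchport mode trunk
"""  # constructed sample, not taken from a real device


def parse(config: str):
    """Split a running-config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None  # a separator ends the interface block
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(config: str):
    """Return (interface, finding) pairs in config order."""
    global_lines, interfaces = parse(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        # Matches "spanning-tree portfast" and its variants, but not "... disable".
        portfast = any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines)
        if "spanning-tree bpduguard enable" in lines:
            guarded = True
        elif "spanning-tree bpduguard disable" in lines:
            guarded = False  # explicit override of the global default
        else:
            guarded = guard_default and portfast  # default covers PortFast ports only
        if "spanning-tree bpdufilter enable" in lines:
            # Interface-level filter: the port neither sends nor receives BPDUs.
            findings.append((name, "bpdufilter-on-interface"))
        if portfast and not guarded:
            findings.append((name, "portfast-without-bpduguard"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```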

·       Root Guard:
Root Guard is meant to prevent the wrong switch from becoming the spanning-tree root. It is enabled on ports other than the root port, on switches other than the root. If a Root Guard port receives a BPDU that would cause it to become a root port, the port is put into root-inconsistent state and does not pass traffic through it. If the port stops receiving these BPDUs, it automatically re-enables itself.
(config-if)# spanning-tree guard root

·       Loop Guard:
o    Loop Guard prevents loops that might develop if a port that should be blocking inadvertently transitions to the forwarding state. This can happen if the port stops receiving BPDUs (perhaps because of a unidirectional link or a software or configuration problem in its neighbor switch). When one of the ports in a physically redundant topology stops receiving BPDUs, the STP conceives the topology as loop-free. Eventually, the blocking port becomes designated, and moves to forwarding state, thus creating a loop. With Loop Guard enabled, an additional check is made.
o    Loop Guard automatically re-enables the port if it starts receiving BPDUs once again. It applies to ALL point-to-point connections along with the UDLD feature.
o    If no BPDUs are received on a blocked port for a specific length of time, Loop Guard puts that port into loop-inconsistent blocking state, rather than transitioning to forwarding state. Loop Guard should be enabled on all switch ports that have a chance of becoming root or designated ports. It is most effective when enabled in the entire switched network, in conjunction with UDLD. To enable Loop Guard for all point-to-point links on the switch, use the following global command (the second form enables it on a single interface):
(config)# spanning-tree loopguard default
(config-if)# spanning-tree guard loop

·       Unidirectional Link Detection (UDLD)
A switch notices when a physical connection is broken, by the absence of Layer 1 electrical keepalives (Ethernet calls this a link beat). But sometimes, a cable is intact enough to maintain keepalives, but not to pass data in both directions. This is a unidirectional link. UDLD detects a unidirectional link by sending periodic hellos out the interface. It also uses probes, which must be acknowledged by the device on the other end of the link. UDLD operates at Layer 2. The port is shut down if a unidirectional link is found.
(config)# udld enable
Although this command is given at global config mode, it applies only to fiber ports. To enable UDLD on non-fiber ports, give the same command at interface config mode.
To re-enable all interfaces shut by UDLD: #udld reset
To verify UDLD status:   #show udld interface

spanning-tree etherchannel guard misconfig  # It allows EtherChannel to use STP to attempt to find misconfigurations (including messed up cabling).

·       When does a switch/bridge send out a TCN?
o     Any time a port transitions to forwarding state AND the bridge has at least one designated port.
o     Any time a port transitions from the forwarding or learning state to the blocking state.

errdisable recovery interval             # global configuration command and has a value of 300 seconds by default.
errdisable recovery cause udld
errdisable recovery cause bpduguard
...

·       SVI
VLAN interfaces give a Layer 3 switch a Layer 3 interface attached to a VLAN. Cisco sometimes refers to these interfaces as switched virtual interfaces (SVIs). To route between VLANs, a switch simply needs a virtual interface attached to each VLAN, and each VLAN interface needs an IP address in the respective subnets used on those VLANs.

·       PVST
It was developed around ISL and maintains a spanning tree for each active VLAN. Using PVST, each VLAN in a trunk can be blocking or forwarding, individually. A VLAN blocks or forwards on a trunk without any regard to what other VLANs are doing on that same trunk. This is because each VLAN sends its own BPDU.
PVST sends each BPDU to the IEEE standard multicast MAC address of 01-80-C2-00-00-00.

·       PVST+
It maintains a per-VLAN spanning tree for both 802.1Q and ISL.
PVST+ was developed to accommodate the IEEE 802.1Q standard for VLAN trunking.
PVST+ can interoperate with MST domains (3rd party) while maintaining a PVST for 802.1Q and/or ISL (no config required). For more info, see An Engineering Guide to IEEE 802.1Q and IEEE 802.1p (ENG-18215)
PVST+ (main claim to fame) solves the load balancing between switches by configuring cost per vlan.

It sends BPDU on native VLAN to the IEEE address of 01-80-C2-00-00-00.  On the non-native VLANs, BPDUs will be sent to Cisco-Proprietary multicast address of 01-00-0c-cc-cc-cd. Non-native BPDUs are transparently tunneled through the non-Cisco switch.

Administrative State    STP State (802.1d STP)    RSTP State (802.1w RSTP)
Disabled                Disabled                  Discarding
Enabled                 Blocking                  Discarding
Enabled                 Listening                 Discarding
Enabled                 Learning                  Learning
Enabled                 Forwarding                Forwarding

What is the command to automatically lower a bridge priority to 8192?
(config)# spanning-tree vlan <vlan-id> root primary

What is the command to manually set the bridge priority to your own unique value?
(config)# spanning-tree vlan <vlan#> priority <priority>

-------------------------------------------------------------------------------
SWITCHING: L2:
·       Speed mismatch usually causes a link to change to/from UP/DOWN state.
·       Duplex mismatch will bring the link UP/UP, but will typically result in interface errors and packet loss.

·       Access Ports
o    specifies which VLAN will carry the traffic for that interface.
o    Only one VLAN per interface
o    If none configured, the interface will use default VLAN
·       Trunk Ports
o    Can have two or more VLANs configured on the interface.
o    Can carry traffic for several VLANs simultaneously by encapsulating the frame; ISL, dot1q.
o    Is configured statically with switchport mode trunk.
o    Is configured dynamically, which is the default, with switchport mode dynamic auto|desirable.
o    DTP can be disabled only with switchport nonegotiate.
o    Setting the interface statically with switchport mode access|trunk will not disable DTP.
o    Routers do not support DTP. A switch interface needs to be manually trunked to router’s trunk interface.
·       Native VLAN
o    A trunk port can carry both tagged and untagged packets
o    No tag is used for native VLAN and default is 1
o    Native VLAN ID must match on both ends of the trunk.
o    VLAN-1 is different from other VLANs in that only data traffic is excluded.
o    Control traffic, CDP, VTP, STP will still traverse the link using VLAN-1
·       802.1Q Tunnel
o    It is used to provide transparent layer2 VPN over a switched Ethernet network
o    It uses dot1q inside dot1q to tunnel layer2 traffic.
o    Cannot be dynamically negotiated and traffic is not encrypted.
o    When using dot1q tunnelling CDP, STP and VTP are NOT carried across the tunnel unless enabled.
o    It supports ether-channel
o    Requires trunking END-to-END.
o    System MTU must be 1504; be aware that OSPF may not come up, which is remedied with ip ospf mtu-ignore.
·       VTP
o    Server is default mode
o    Changes are done only on the VTP server
o    VLAN config is stored in VLAN database, vlan.dat on the flash:
o    VLANs 2-1000 are configurable.
o    Client receives its configuration from VTP server
o    VTP changes are not allowed on the client
o    Transparent maintains a local database with VLAN config stored in the running-config.
o    Transparent is required for extended VLANs, 1006-4096
o    VTP updates sent using TLV format.
o    If the domain name matches the locally configured transparent VTP domain name, in version 2, packets are relayed.
o    If version 1, then the TLVs get dropped.
o    A revision of 0 indicates a transparent mode switch is not participating in VTP domain and will not increment.
o    show vtp status will display MD5 hashes of password, amongst other information.
o    If L2 is converged, all switches should agree that VTP pruning is enabled.
o    Only VLANs 2-1000 are prune eligible. VLANS 1, 1002 through 1005, and EXTENDED VLANS are not prune eligible.
·       Link-State tracking
Link-state tracking, also known as trunk failover, is a feature that binds the link state of multiple interfaces on the switch and fails over to secondary from primary transparently on failure, called ‘teaming’.
SW1(config)#link state track 1           
SW1(config)#int gi0/25                   
SW1(config-if)#link state group 1 upstream  
SW1(config-if)#
SW1(config-if)#int gi0/26                 
SW1(config-if)#link state group 1 downstream
SW1(config-if)#end
SW1#sh link state group 1 detail
Link State Group: 1      Status: Enabled, Up
Upstream Interfaces   : Gi0/13(Up) Gi0/25(Dwn)
Downstream Interfaces : Gi0/16(Up) Gi0/26(Dwn)

(Up):Interface up   (Dwn):Interface Down   (Dis):Interface disabled
SW1#
·       Flex Links
Flex Links are a pair of  Layer 2 interfaces (switch ports or port channels) where one interface is configured to act as a backup to the other. The feature provides an alternative solution to the Spanning Tree Protocol (STP). Users can disable STP and still retain basic link redundancy. You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link.
interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport backup interface Gi0/16
 switchport backup interface Gi0/16 preemption mode forced
 switchport backup interface Gi0/16 preemption delay 20

SW1#sh int switchport backup detail

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
Port-channel12          GigabitEthernet0/16     Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 20 seconds
        Multicast Fast Convergence  : Off
        Bandwidth : 2000000 Kbit (Po12), 1000000 Kbit (Gi0/16)
        Mac Address Move Update Vlan : auto
SW1#