Network Ninja

The Long Road to Cisco

Tag Archive for '802.1q'

BCMSN Trunking Lab 3

Published by Deon Botha on June 10, 2008 in BCMSN, Certification, Cisco Systems and Trunk. 0 Comments

LAB 1 BCMSN

I'm grafting, so quantity over quality… I will go over this sometime this coming weekend for mistakes.

Trunking

This lab builds directly on the previous lab, where the default VLAN was shut and a new VLAN was created (basically to give practice in creating a VLAN). This lab will now create trunk links between the switches so that more than a single VLAN's traffic can traverse a link. If you are wondering why I am explicitly declaring trunks instead of allowing DTP to do its thing, read this, and this.

Distribution Switch 1

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and hostname settings in place before moving on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW1
Enable secret and password
DSW1(config)#enable secret ciscosystems
DSW1(config)#enable password cisco
Setup a local user database
DSW1(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
DSW1(config)#line con 0
DSW1(config-line)#login local
DSW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
DSW1(config)#line vty 0 4
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Setup the Auxiliary Password
DSW1(config)#line aux 0
DSW1(config-line)#no exec
DSW1(config-line)#exit

Step 2: Setup the management interface

Set up the default VLAN IP address for remote administration (if there were a GUI) and for Telnet to the switch
DSW1(config)#interface vlan 1
DSW1(config-if)#ip address 192.168.1.1 255.255.255.0
NB I am shutting the interface
DSW1(config-if)#shut
DSW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Set up the VLAN 100 IP address for remote administration (if there were a GUI) and for Telnet to the switch
DSW1(config)#interface vlan 100
DSW1(config-if)#ip address 192.168.100.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
Create and Associate VLAN 100 with Fe 1 to 4
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,100
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
Associate VLAN 100 with Fe 11 and 12
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,100
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW1(config)#interface range fastethernet 0/5 - 10
DSW1(config-if-range)#shut
DSW1(config-if-range)#exit
Exit Global Configuration Mode
DSW1(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW1#show interfaces status
Show the VLANs that are configured
DSW1#show vlan
Show switchport details (substitute any active port for fastethernet 0/4)
DSW1#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
DSW1#show interfaces trunk
Show the running configuration
DSW1#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW1#copy run start

Distribution Switch 2

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and hostname settings in place before moving on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW2
Enable secret and password
DSW2(config)#enable secret cisco
DSW2(config)#enable password cisco
Setup a local user database
DSW2(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
DSW2(config)#line con 0
DSW2(config-line)#login local
DSW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
DSW2(config)#line vty 0 4
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Setup the Auxiliary Password
DSW2(config)#line aux 0
DSW2(config-line)#no exec
DSW2(config-line)#exit

Step 2: Setup the management interface

Set up the default VLAN IP address for remote administration (if there were a GUI) and for Telnet to the switch
DSW2(config)#interface vlan 1
DSW2(config-if)#ip address 192.168.1.50 255.255.255.0
NB I am shutting the interface
DSW2(config-if)#shut
DSW2(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Set up the VLAN 100 IP address
DSW2(config)#interface vlan 100
DSW2(config-if)#ip address 192.168.100.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW1 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW1 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW1 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW1 - ASW2
DSW2(config-if)#exit
Create and Associate VLAN 100 with Fe 1 to 4
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex full
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,100
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW1 - DSW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW1 - DSW2
DSW2(config-if)#exit
Associate VLAN 100 with Fe 11 and 12
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex full
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,100
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW2(config)#interface range fastethernet 0/5 - 10
DSW2(config-if-range)#shut
DSW2(config-if-range)#exit
Exit Global Configuration Mode
DSW2(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW2#show interfaces status
Show the VLANs that are configured
DSW2#show vlan
Show switchport details (substitute any active port for fastethernet 0/4)
DSW2#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
DSW2#show interfaces trunk
Show the running configuration
DSW2#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW2#copy run start

Access Switch 1

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and hostname settings in place before moving on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW1
Enable secret and password
ASW1(config)#enable secret cisco
ASW1(config)#enable password cisco
Setup a local user database
ASW1(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
ASW1(config)#line con 0
ASW1(config-line)#login local
ASW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
ASW1(config)#line vty 0 4
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Setup the Auxiliary Password
ASW1(config)#line aux 0
ASW1(config-line)#no exec
ASW1(config-line)#exit

Step 2: Setup the management interface

Set up the default VLAN IP address for remote administration (if there were a GUI) and for Telnet to the switch
ASW1(config)#interface vlan 1
ASW1(config-if)#ip address 192.168.1.100 255.255.255.0
NB I am shutting the interface
ASW1(config-if)#shut
ASW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Create VLAN 100 and Configure Interface
ASW1(config)#vlan 100
ASW1(config-vlan)#name Marketing
ASW1(config-vlan)#exit
ASW1(config)#interface vlan 100
ASW1(config-if)#ip address 192.168.100.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description DSW1 - ASW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description DSW1 - ASW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description DSW1 - ASW2
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description DSW1 - ASW2
ASW1(config-if)#exit
Associate VLAN 100 with Fe 1 to 4
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#speed 100
ASW1(config-if-range)#duplex full
ASW1(config-if-range)#switchport
ASW1(config-if-range)#switchport trunk encapsulation dot1q
ASW1(config-if-range)#switchport trunk native vlan 1
ASW1(config-if-range)#switchport trunk allowed vlan 1,100
ASW1(config-if-range)#switchport mode trunk
ASW1(config-if-range)#exit

Step 5: This is where the ASW and DSW switches differ. This port connects to the workstation end-point, whereas on the DSW switches ports 11/12 are used to provide failover for the distribution layer.

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW1(config)#interface fastethernet 0/12
ASW1(config-if)#description ASW1 - PC1
ASW1(config-if)#speed 10
ASW1(config-if)#duplex half
ASW1(config-if)#switchport
Make the port an access port
ASW1(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW1(config-if)#switchport access vlan 100
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 6: Shut down non-used interfaces

Administratively shut down all ports not connected
ASW1(config)#interface range fastethernet 0/5 - 11
ASW1(config-if-range)#shut
ASW1(config-if-range)#exit
Exit Global Configuration Mode
ASW1(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW1#show interfaces status
Show the VLANs that are configured
ASW1#show vlan
Show switchport details (substitute any active port for fastethernet 0/4)
ASW1#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
ASW1#show interfaces trunk
Show the running configuration
ASW1#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW1#copy run start

Access Switch 2

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and hostname settings in place before moving on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW2
Enable secret and password
ASW2(config)#enable secret cisco
ASW2(config)#enable password cisco
Setup a local user database
ASW2(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
ASW2(config)#line con 0
ASW2(config-line)#login local
ASW2(config-line)#exit
Setup the Auxiliary Password
ASW2(config)#line aux 0
ASW2(config-line)#no exec
ASW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
ASW2(config)#line vty 0 4
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit

Step 2: Setup the management interface

Set up the default VLAN IP address for remote administration (if there were a GUI) and for Telnet to the switch
ASW2(config)#interface vlan 1
ASW2(config-if)#ip address 192.168.1.200 255.255.255.0
NB I am shutting the interface
ASW2(config-if)#shut
ASW2(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Create VLAN 100 and Configure Interface
ASW2(config)#vlan 100
ASW2(config-vlan)#name Marketing
ASW2(config-vlan)#exit
ASW2(config)#interface vlan 100
ASW2(config-if)#ip address 192.168.100.200 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description DSW1 - ASW1
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description DSW1 - ASW1
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description DSW1 - ASW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description DSW1 - ASW2
ASW2(config-if)#exit
Associate VLAN 100 with Fe 1 to 4
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#speed 100
ASW2(config-if-range)#duplex full
ASW2(config-if-range)#switchport
ASW2(config-if-range)#switchport trunk encapsulation dot1q
ASW2(config-if-range)#switchport trunk native vlan 1
ASW2(config-if-range)#switchport trunk allowed vlan 1,100
ASW2(config-if-range)#switchport mode trunk
ASW2(config-if-range)#exit

Step 5: This is where the ASW and DSW switches differ. This port connects to the workstation end-point, whereas on the DSW switches ports 11/12 are used to provide failover for the distribution layer.

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW2(config)#interface fastethernet 0/12
ASW2(config-if)#description ASW2 - PC2
ASW2(config-if)#speed 10
ASW2(config-if)#duplex half
ASW2(config-if)#switchport
Make the port an access port
ASW2(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW2(config-if)#switchport access vlan 100
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 6: Shut down non-used interfaces

Administratively shut down all ports not connected
ASW2(config)#interface range fastethernet 0/5 - 11
ASW2(config-if-range)#shut
ASW2(config-if-range)#exit
Exit Global Configuration Mode
ASW2(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW2#show interfaces status
Show the VLANs that are configured
ASW2#show vlan
Show switchport details (substitute any active port for fastethernet 0/4)
ASW2#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
ASW2#show interfaces trunk
Show the running configuration
ASW2#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got in the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW2#copy run start

Notes and Notices:

This is part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can't lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security Layer-2 Attacks – Two

Published by Deon Botha on May 27, 2008 in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping. 0 Comments

VLAN-Attack

VLAN Hopping

VLAN hopping is a network attack whereby an end device sends packets to, or collects packets from, a VLAN that should not be accessible to that end device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on the penetrated VLANs. VLAN hopping can be done by switch spoofing or by double tagging.

In a switch spoofing attack the attacker configures an end device to present itself as a switch (this can be a Linux PC). The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling in an attempt to establish a trunk connection with the company switch.

Any switch port configured with DTP auto will, upon receipt of a DTP packet generated by the attacking device, become a trunk port and then accept traffic destined for any VLAN allowed on that trunk. The attacker can then send packets to, or collect packets from, any such VLAN.

Double tagging is another method of VLAN hopping: a workstation generates frames carrying two 802.1Q headers, which causes the switches to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double-tagged 802.1Q frame strips the first (outer) header, whose tag matches the native VLAN, and forwards the frame out a trunk link; the second switch then forwards the frame according to the remaining (inner) 802.1Q header. This only works when the outer tag matches the native VLAN of the attacker's port; otherwise the frame is flooded only within the original VLAN.

Best Practices to Mitigate VLAN Hopping

  • Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
  • Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic (that means not the Native VLAN either).
  • When establishing a trunk link, purposefully configure arguments so that:
    • The native VLAN will be different from any data VLANs
    • Trunking is set up as “on” rather than as negotiated.
    • The specific VLAN range will be carried on the trunk

Configuration
To mitigate VLAN hopping attacks the configuration is as follows. First select a range of interfaces:
switch#configure terminal
switch(config)#interface range gigabitethernet 0/1 - 48

Now configure the ports as access ports; this in turn turns off DTP

switch(config-if-range)#switchport mode access

Assign the ports to an unused VLAN (not the native VLAN)

switch(config-if-range)#switchport access vlan vlan-id

NB the above commands will not work in VoIP (voice) networks. Cisco IP Phones use trunks (DTP).
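The following is an added example and not code from the post or from Cisco: a small Python audit that parses an IOS-style running-config and reports ports that weaken the trunk policy described above (no explicit switchport mode, so DTP can still negotiate; trunks without an allowed-VLAN list; a native VLAN that is also a data VLAN on an access port). It also serves the "check your work" step of the trunking lab earlier on this page, where the same settings are verified by hand. The sample configuration and port names are constructed, and the `switchport nonegotiate` check is my addition; the post does not mention that command.

```python
"""Audit an IOS-style running-config for VLAN-hopping exposure (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample configuration; not taken from the lab switches.
SAMPLE_CONFIG = """\
hostname DSW1
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/13
 description left at defaults, so DTP is still active
!
interface FastEthernet0/14
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200-202
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    mode: Optional[str] = None                # None: no explicit mode (DTP-negotiable)
    native_vlan: int = 1                      # IOS default native VLAN
    allowed_vlans: Optional[Set[int]] = None  # None: all VLANs (IOS default)
    access_vlan: int = 1
    shutdown: bool = False
    nonegotiate: bool = False


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,100,200-202' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of every 'interface' stanza."""
    ports: List[Port] = []
    current: Optional[Port] = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any non-indented line ends the stanza
            continue
        words = line.split()
        if words == ["shutdown"]:
            current.shutdown = True
        elif words[:2] == ["switchport", "mode"]:
            current.mode = words[2]
        elif words[:2] == ["switchport", "nonegotiate"]:
            current.nonegotiate = True
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            current.native_vlan = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and words[4][0].isdigit():
            current.allowed_vlans = expand_vlan_list(words[4])  # plain lists only, no add/remove
        elif words[:3] == ["switchport", "access", "vlan"]:
            current.access_vlan = int(words[3])
    return ports


def audit(ports: List[Port]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for ports that weaken the trunk policy."""
    findings: List[Tuple[str, str]] = []
    data_vlans = {p.access_vlan for p in ports if p.mode == "access" and not p.shutdown}
    for p in ports:
        if p.shutdown:
            continue  # an administratively down port cannot negotiate anything
        if p.mode not in ("trunk", "access"):
            findings.append((p.name, "no explicit switchport mode; DTP can negotiate a trunk"))
            continue
        if p.mode == "trunk":
            if p.allowed_vlans is None:
                findings.append((p.name, "trunk carries all VLANs; set 'switchport trunk allowed vlan'"))
            if p.native_vlan in data_vlans:
                findings.append((p.name, f"native VLAN {p.native_vlan} is also a data VLAN on an access port"))
            if not p.nonegotiate:
                findings.append((p.name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for port, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{port}: {message}")
```

Run against the sample, the audit flags FastEthernet0/13 (defaults, DTP active) and FastEthernet0/14 (native VLAN 100 is the workstation data VLAN, and DTP still on); the explicit, restricted trunk on FastEthernet0/1 and the shut port are clean. Feed it the output of `show run` from a real switch to check a whole box at once.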

VLAN Access Control Lists

There are three kinds of ACLs:

  • Router Access Control Lists (RACLs): supported in the TCAM hardware on Cisco multilayer switches (MLS). Can be applied to any router interface, such as a switch virtual interface (SVI) or a Layer-3 routed port.
  • Port Access Control Lists (PACLs): filter traffic at the port level. PACLs can be applied on a Layer-2 switch port, trunk port, or EtherChannel port.
  • VLAN Access Control Lists (VACLs) (a.k.a. VLAN access maps): supported in software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

  • ingress (1) and egress (2) security lookup
  • ingress (3) and egress (4) Quality of Service (QoS) look-up

The following section all went over my head, or just about, and I have no idea whether this works or not or is correct or not. For more information:

There are cases where certain Access Control Entries (ACEs) must be combined in each ACL due to limitations of the TCAM hardware. The merge process is also responsible for other functions, like expanding ACEs due to a lack of Layer 4 Operation Pointers (L4Op pointers) or Logical Operational Units (LOUs).

Cisco Catalyst switches use two algorithms to perform a merge:

  • order-independent merge
  • order-dependent merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams (BDDs): ACLs are merged from a series of order-dependent actions into a set of order-independent masks and patterns. The resulting ACEs can be very large, and the merge is processor- and memory-intensive.

Order Dependent Merge (ODM) is not bit-based. The computation is much faster and less processor-intensive.

RACLs are supported in hardware through IP standard and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline whether ACLs are configured or not. With RACLs, access-list statistics and logging are not supported.

*You can get some switches with two security lookups and 1 QoS lookup in each direction (6 total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, named MAC-layer ACLs, and VLAN access maps.

VACLs follow route-map conventions, in which map sequences are checked in order (top-down).

Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

Three VACL actions are permitted:

  • Permit (with capture, Catalyst 6500 only)
  • Redirect (Catalyst 6500 only)
  • Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capture: forwarded packets are captured on the capture port. The capture option applies only to permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be in an egress VLAN for Layer-3 switched traffic.

VACL Redirect: matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

Define a VLAN access map (the sequence number selects the entry to insert into, or delete from, the map)

switch#configure terminal
switch(config)#vlan access-map map-name seq#

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch#show vlan access-map map-name
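As an added example (not code from the post, and not Cisco's implementation), the following Python model plays through the evaluation order described above for VLAN access maps: sequences are tried top-down; the first ACL entry that permits the flow triggers that sequence's action; a deny entry or no match moves on to the next ACL or the next sequence; and a flow that nothing permits is dropped as long as at least one ACL is configured. Action names follow the IOS keywords forward, drop and redirect, which correspond to the permit, deny and redirect actions listed above. The ACL names, addresses and policy are constructed.

```python
"""Simulate VLAN access-map evaluation (added example, not Cisco's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # 'tcp', 'udp' or 'ip'
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # 'permit' or 'deny'
    src: str                   # CIDR prefix or 'any'
    dst: str
    proto: str = "ip"          # 'ip' matches any IP protocol
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.proto == "ip" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Sequence:
    seq: int
    match_acls: List[str]
    action: str                # 'forward', 'drop' or 'redirect'


def acl_lookup(acl: List[Ace], pkt: Packet) -> Optional[str]:
    """First-match ACL semantics: 'permit', 'deny', or None when no entry matched."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return None


def evaluate(access_map: List[Sequence], acls: Dict[str, List[Ace]], pkt: Packet) -> str:
    """Return the action the access map applies to the packet."""
    if not acls:
        return "forward"       # no ACL configured for the packet: nothing can deny it
    for seq in sorted(access_map, key=lambda s: s.seq):   # top-down by sequence number
        for name in seq.match_acls:
            if acl_lookup(acls[name], pkt) == "permit":
                return seq.action   # permit entry: take the action, stop checking
            # deny entry or no match: fall through to the next ACL / next sequence
    return "drop"              # implicit deny: ACLs exist but nothing permitted the flow


# Constructed policy: drop Telnet from the user VLAN to the management subnet,
# forward everything else.
ACLS = {
    "TELNET-TO-MGMT": [Ace("permit", "192.168.100.0/24", "192.168.1.0/24", "tcp", 23)],
    "ANY-IP": [Ace("permit", "any", "any")],
}
ACCESS_MAP = [
    Sequence(10, ["TELNET-TO-MGMT"], "drop"),
    Sequence(20, ["ANY-IP"], "forward"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.100.100", "192.168.1.1", "tcp", 23),
                Packet("192.168.100.100", "192.168.1.1", "tcp", 80)):
        print(pkt, "->", evaluate(ACCESS_MAP, ACLS, pkt))
```

The point the model makes explicit is the one that trips people up on the exam: in a VACL the ACL's permit keyword means "this flow is selected for the sequence's action", so a sequence whose ACL only contains deny entries never fires, and a flow that matches nothing ends up dropped rather than forwarded.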

Source for this configuration section

Private VLANs

Internet Service Providers (ISPs) often have devices from multiple clients, in addition to their own servers, resident on a single demilitarized zone (DMZ) segment or VLAN. Cisco Catalyst 6500/4500 switches support Private Virtual Local Area Networks (PVLANs) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support "protected ports", which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet. A Layer-3 device then provides interconnectivity between VLANs and Internet destinations. Problems with this method:

  • Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
  • Spanning Tree becomes more complicated with many VLAN iterations.
  • Network address space must be divided into many subnets, which wastes space and increases management complexity.
  • Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

  • Isolated: port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; blocks all traffic to isolated ports except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Promiscuous: ports can communicate with all ports within the PVLAN. The default gateway (DG) would typically be hosted on a promiscuous port.
  • Community: ports communicate among themselves and their promiscuous ports. These interfaces are isolated at Layer-2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

Trunks carry all VLAN traffic, so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks.

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure.

  • As a Primary VLAN: carrying traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
  • As an Isolated VLAN: carrying traffic from isolated ports to a promiscuous port.
  • As a Community VLAN: carrying traffic between secondary VLANs. You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.
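To make the three port types concrete, here is an added Python model (not code from the post or from Cisco) of which PVLAN ports can reach which at Layer 2, plus a check for the association rule stated in the configuration steps that follow: a primary VLAN may carry many community VLANs but only one isolated VLAN. Port names, VLAN numbers and community membership are constructed.

```python
"""Private VLAN reachability model (added example, not Cisco's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                       # 'isolated', 'community' or 'promiscuous'
    primary: int                    # primary VLAN the port belongs to
    secondary: Optional[int] = None # isolated or community VLAN; None for promiscuous


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer-2 reachability from src to dst within one switch."""
    if src is dst or src.primary != dst.primary:
        return False  # different primary VLANs never talk at Layer 2
    if "promiscuous" in (src.kind, dst.kind):
        return True   # promiscuous ports reach everything in their primary VLAN
    if "isolated" in (src.kind, dst.kind):
        return False  # isolated ports reach only promiscuous ports
    return src.secondary == dst.secondary  # community members talk within their community


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """Map each port name to the names of the ports it can reach."""
    return {p.name: [q.name for q in ports if can_forward(p, q)] for p in ports}


def validate_association(primary: int, secondaries: Dict[int, str]) -> List[str]:
    """Check a primary/secondary association: at most one isolated VLAN per primary."""
    problems: List[str] = []
    isolated = sorted(v for v, kind in secondaries.items() if kind == "isolated")
    if len(isolated) > 1:
        problems.append(f"primary VLAN {primary}: more than one isolated VLAN {isolated}")
    if primary in secondaries:
        problems.append(f"primary VLAN {primary} is listed as its own secondary VLAN")
    for v, kind in secondaries.items():
        if kind not in ("isolated", "community"):
            problems.append(f"VLAN {v}: unknown secondary type {kind!r}")
    return problems


# Constructed ports: primary VLAN 100 with isolated VLAN 102 and community VLAN 103,
# plus one port in an unrelated primary VLAN 200.
PORTS = [
    PvlanPort("Gi0/1", "promiscuous", 100),        # default gateway
    PvlanPort("Gi0/2", "isolated", 100, 102),      # customer A
    PvlanPort("Gi0/3", "isolated", 100, 102),      # customer B
    PvlanPort("Gi0/4", "community", 100, 103),     # customer C, server 1
    PvlanPort("Gi0/5", "community", 100, 103),     # customer C, server 2
    PvlanPort("Gi0/6", "community", 200, 203),
]

if __name__ == "__main__":
    for port, reachable in reachability(PORTS).items():
        print(f"{port} -> {reachable}")
    print(validate_association(100, {102: "isolated", 104: "isolated"}))
```

Two isolated ports in the same isolated VLAN still cannot reach each other, which is the property that lets an ISP keep every customer in one subnet behind one gateway port.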

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal
switch(config)#vtp mode transparent

You may also want to check VTP version, password and domain while you are at VTP configuration

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal
switch(config)#vlan 102
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan association add 102
switch(config-vlan)#end
switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

  • Make sure that the VLAN IDs contain only one isolated VLAN ID (VID)
  • Use the remove keyword with the secondary VID to clear association; there can only be one association.
  • Use the no keyword to clear all association from the primary VLAN.
  • Do not allow the command to take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan host
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan host-association 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan mapping 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal
switch(config)#interface vlan 100
switch(config-if)#private-vlan mapping add 102
switch(config-if)#end
switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally, CCIE Blog gave me some insight and a hint as to WTF the difference between the host and promiscuous ports in the interface config was.

Definition

Logical Operation Units (LOUs) are hardware registers used to store {operator, operand} tuples for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Ops).

Source

Notes and Notices:

This is part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can't lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to remember:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, 4th ed., VLAN Access Lists (pp. 413-414). Indianapolis: Cisco Press.

QoS and Voice Traffic

Published by Deon Botha on May 22, 2008 in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk. 0 Comments

Definitions

ingress: arrives/comes in/enters

egress: leaves/exits/goes out

These are the new words of the day, so they are going to be used a lot.

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000, egress 100), many-to-one switching fabrics (multiple access-layer switches feeding a single distribution-layer switch) and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which results in latency and can result in dropped packets.

If, and inevitably when, congestion occurs (I have heard of enterprise payrolls that cause a certain amount of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc.), then some packets will be dropped, causing retransmissions (TCP) that inevitably increase the overall network load; and if voice and video are on the network (UDP), the inevitable result will be angry employees. QoS can, to an extent, mitigate the latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any value configurable in an access control list (ACL) or any of these layer parameters:

  • Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
  • Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
  • Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
  • Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, the QoS policies on switches and interfaces handle the traffic accordingly at the frame and packet level. As a result of classification and marking, traffic is prioritized at each switch to ensure that delay-sensitive traffic (voice, video) receives priority processing while non-delay-sensitive data traffic waits its turn as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 QoS

QoS Layer-2 classification occurs by examining information in the Ethernet or 802.1Q (trunking) header, such as the destination MAC address or Virtual Local Area Network (VLAN) ID. QoS Layer-2 marking occurs in the priority field of the 802.1Q header (a plain Ethernet header has no place for a priority value, so 802.1Q encapsulation must be present). The priority field is 3 bits long (a.k.a. the 802.1p User Priority or Class of Service (CoS) value).

The 3-bit priority field can carry a value of 1 to 7; 1 is associated with delay-tolerant traffic like ordinary TCP/IP traffic. Voice traffic receives a higher priority: call signalling receives a value of 3 and voice bearer traffic a value of 5.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

  • Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
  • Policing: the process of inspecting a frame to see if it has exceeded a predefined traffic rate within a certain time frame (typically a fixed interval internal to the switch). If a frame is determined to be in excess of the predefined rate limit, it can either be dropped or have its CoS value marked down.
  • Output queue scheduling: the switch places the frame into an appropriate egress queue for switching, and performs buffer management on that queue to ensure the buffer does not overflow.

Layer-3 QoS

QoS Layer-3 classification occurs by examining IP header values such as the destination IP address or protocol. QoS Layer-3 marking occurs in the Type of Service (ToS) byte of the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to the three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking, which allows prioritization hop by hop as packets are processed on each switch and interface.
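To make the two marking locations concrete, here is an added Python example (my own, not code from the page or from Cisco) that builds a constructed 802.1Q-tagged IPv4 frame and reads both marks back: the 3-bit 802.1p priority (CoS) in the tag control information, and the IP precedence and DSCP in the ToS byte, showing that precedence is simply the top three bits of the DSCP. The MAC and IP addresses in the frame are made up for the example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tagged_ipv4_frame(cos: int, vid: int, dscp: int, dei: int = 0) -> bytes:
    """Construct a minimal 802.1Q-tagged Ethernet frame carrying an IPv4 header.
    MACs and IPs are constructed sample values; the IP checksum is left at 0."""
    if not (0 <= cos <= 7 and 0 <= vid <= 4095 and 0 <= dscp <= 63):
        raise ValueError("cos is 3 bits, vid 12 bits, dscp 6 bits")
    dst_mac = bytes.fromhex("0011223344aa")
    src_mac = bytes.fromhex("00112233bbcc")
    # Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    tci = (cos << 13) | (dei << 12) | vid
    tag = struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    tos = dscp << 2          # DSCP is the top 6 bits of the ToS byte; low 2 bits are ECN
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 10, 20]), bytes([10, 0, 100, 5]))
    return dst_mac + src_mac + tag + ipv4


def parse_qos_marks(frame: bytes) -> dict:
    """Return the Layer-2 (802.1p CoS) and Layer-3 (IP precedence/DSCP) marks of a frame.
    'cos'/'vid' are None for an untagged frame; precedence/dscp are None for non-IPv4."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, cos, dei, vid = 14, None, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos = tci >> 13           # 3-bit Priority Code Point = 802.1p user priority / CoS
        dei = (tci >> 12) & 1
        vid = tci & 0x0FFF
        offset = 18
    marks = {"cos": cos, "dei": dei, "vid": vid, "ethertype": ethertype,
             "precedence": None, "dscp": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        tos = frame[offset + 1]          # second byte of the IPv4 header
        marks["precedence"] = tos >> 5   # top 3 bits: IP precedence
        marks["dscp"] = tos >> 2         # top 6 bits: DSCP (precedence == dscp >> 3)
    return marks


def default_cos_to_dscp(cos: int) -> int:
    """Place a CoS value in the IP precedence bits of the DSCP (CoS 5 -> DSCP 40);
    this is the CoS/precedence correlation the notes describe."""
    return cos << 3
```

A frame tagged CoS 5 with DSCP 46 parses to precedence 5, because 46 is 101110 in binary and the precedence is its top three bits; stripping the tag leaves the Layer-3 mark intact while the CoS disappears with the tag.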

Trust Boundaries

In QoS campus implementations, trust boundaries are defined/created where existing QoS values that are attached to frames and packets are to be accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced (trusted) as traffic makes its way into/onto the network. At this entry point traffic will be allowed or not allowed to retain its original QoS markings or will be ascribed new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a network with a desktop/notebook attached to a Cisco IP Phone, which is attached to a Catalyst switch, which is attached to a Cisco router, the trust boundary can be set at the Cisco IP Phone: the IP Phone attaches the priority values, which are then trusted.

Otherwise, if there is a desktop/notebook with a softphone attached to a Catalyst switch attached to a router, the trust boundary can be set at the desktop/notebook: the softphone attaches the priority values, which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how VLANs are configured. First off we create the VLANs (in global configuration, vlan enters VLAN configuration mode, where the name is set):

switch#configure terminal
switch(config)#vlan 10
switch(config-vlan)#name 001-WORK-STATION
switch(config-vlan)#exit
switch(config)#vlan 100
switch(config-vlan)#name 001-IP-PHONE
switch(config-vlan)#exit

Now we need to assign the data and voice VLANs to an interface:

switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport voice vlan 100
switch(config-if)#switchport access vlan 10

Now we need to set up trust for the CoS values as frames arrive at the switch port:

switch(config-if)#mls qos trust cos

Finally, make the trust conditional on a Cisco IP Phone being attached (detected through CDP):

switch(config-if)#mls qos trust device cisco-phone
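To show what the trust boundary above actually does to a frame, here is an added Python model (my example, not Cisco code; the PortQoS fields are a hypothetical stand-in for the mls qos trust commands) of a single access port. It computes the CoS the switch uses internally for a frame depending on whether the port trusts CoS or DSCP, whether that trust is conditional on a CDP-detected Cisco IP Phone, and whether the frame carried a mark at all. The scenarios at the end are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortQoS:
    """Ingress QoS trust settings of one access port (hypothetical model of the
    interface commands in the notes; not Catalyst code)."""
    trust: Optional[str] = None              # None = untrusted, "cos" = 'mls qos trust cos',
                                             # "dscp" = 'mls qos trust dscp'
    trust_device_cisco_phone: bool = False   # 'mls qos trust device cisco-phone'
    default_cos: int = 0                     # CoS given to untagged or untrusted traffic


def effective_trust(port: PortQoS, cisco_phone_present: bool) -> Optional[str]:
    """Trust is conditional: with 'trust device cisco-phone' the port only honours
    marks while CDP reports a Cisco IP Phone on the link."""
    if port.trust is None:
        return None
    if port.trust_device_cisco_phone and not cisco_phone_present:
        return None
    return port.trust


def internal_cos(port: PortQoS, cisco_phone_present: bool,
                 frame_cos: Optional[int] = None,
                 frame_dscp: Optional[int] = None) -> int:
    """CoS the switch uses for queuing once the trust boundary has been applied.
    An untrusted port re-marks every frame to the port default, so a host cannot
    promote itself into the voice queue by tagging its own frames."""
    trust = effective_trust(port, cisco_phone_present)
    if trust == "cos" and frame_cos is not None:
        return frame_cos
    if trust == "dscp" and frame_dscp is not None:
        return frame_dscp >> 3       # DSCP-to-CoS: the precedence bits become the CoS
    return port.default_cos          # untrusted, or nothing to trust (untagged frame)


def phone_port_scenarios() -> dict:
    """Constructed scenarios for the port configured in the notes."""
    phone_port = PortQoS(trust="cos", trust_device_cisco_phone=True)
    return {
        # phone present, voice frame tagged CoS 5: kept
        "phone_detected_voice": internal_cos(phone_port, True, frame_cos=5),
        # phone unplugged, a PC on the same port tags its own frames CoS 5: re-marked
        "phone_removed_pc_tags_5": internal_cos(phone_port, False, frame_cos=5),
        # phone present, untagged PC frame on the access VLAN: port default
        "phone_detected_untagged_pc": internal_cos(phone_port, True, frame_cos=None),
        # a port with no trust configured ignores every mark
        "plain_untrusted_port": internal_cos(PortQoS(), False, frame_cos=5),
    }
```

The model covers the port only; what the IP Phone itself does to the PC's frames on its way through is a separate setting and is not represented here.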

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP Telephony and allows telephony networks to be deployed more quickly and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy-map command-line interface (CLI) templates that are the same across platforms, whereas doing things manually might not produce the same consistency. Cisco AutoQoS simplifies and automates the Modular QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQoS can be beneficial in these scenarios:

  1. Small and medium businesses (SMBs) that need to deploy IP Telephony quickly but lack the experience and staffing to deploy IP QoS services.
  2. Large enterprises that need to deploy Cisco Systems Telephony solutions on a large scale, while reducing costs, complexity, and time frame for deployment, and ensuring that the appropriate QoS for voice applications is being set in a consistent fashion.
  3. International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time-zones is difficult.
  4. Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic of customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

  • Application classification: by leveraging intelligent classification on routers, Cisco Network-Based Application Recognition (NBAR) provides stateful and deep packet inspection. Cisco AutoQoS uses Cisco Discovery Protocol (CDP) for voice packets to ensure that the end-device attached to the Local Area Network (LAN) really is a Cisco IP Phone (keep in mind that CDP is Cisco proprietary).
  • Policy generation: Cisco AutoQoS evaluates the network environment and generates the initial policy. This feature automatically generates interface configurations, policy maps, class maps, and Access Control Lists (ACLs).
  • Configuration: using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS automatically detects Cisco IP Phones and enables QoS settings; in turn it also disables those QoS settings, to prevent malicious activity, when a Cisco IP Phone is relocated or moved.
  • Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events (VoIP packet drops).
  • Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – CatOS

To configure the global QoS settings:

Console> (enable) set qos autoqos
.........
All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured.
Global QoS configured, port specific autoqos recommended:
set port qos <mod/port> autoqos trust <cos/dscp>
set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary feature for Cisco IP Phones, CDP v2 or later needs to be enabled on the port. If the trusted boundary feature is enabled, you will receive a syslog warning message if CDP is not running or CDP v1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuration.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on.
Port 4/1 ingress QoS configures for ciscoipphone.
It is recommended to execute the "set qos autoqos" global command if not executed previously.
Console> (enable)

To configure the port-specific QoS macro that handles all inbound QoS configuration specific to a particular port, use the trust form of the command. This should only be used when the port connects to other known switches or servers, because the port then trusts all inbound traffic marks (cos or dscp, as in the recommendation printed above).
Console> (enable) set port qos 4/1 autoqos trust <cos/dscp>

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQoS is enabled on the first interface, QoS is globally enabled. This is equivalent to configuring this command:

switch#configure terminal
switch(config)#mls qos

To enable QoS on an interface, use the following command. It tells the switch that the interface is connected to a trusted router/switch and that the VoIP classifications in ingress packets should be trusted:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip trust

OR, to state that the interface is connected to a Cisco IP Phone, use the following. The QoS labels of incoming packets are trusted only when the IP Phone is detected; CDP is used to detect the IP Phone's presence or absence.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip cisco-phone

To check the configuration, use the following command (interface-id is a placeholder for the interface name):
switch#show auto qos interface interface-id

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switch access ports, uplinks and downlinks. It enables Catalyst strict priority queuing (PQ) (a.k.a. expedited queuing) with weighted round-robin (WRR) scheduling for voice and data traffic. It configures queue admission criteria and, finally, modifies queue sizes and weights as needed.


WLAN Infrastructure Topologies

Published
by
Deon Botha
on May 14, 2008
in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless
. 2 Comments

As discussed in the previous post, the difference between a wired LAN and a Wireless Local Area Network (WLAN) is that the Layer-1 transmission medium of a traditional wired local area network (LAN) (CAT-5 cable) is replaced with Radio Frequency (RF) transmissions.

What follows is the pimping of Cisco Aironet products and where they fit into three main wireless categories:

Wireless in-building LANs for client access: Cisco Aironet products can plug into an existing wired infrastructure and function as an overlay to the existing LAN, or even replace the wired LAN.

Wireless building-to-building bridges: Cisco Aironet products can provide wireless bridging to connect two or more physically separated networks into one LAN, without the time or expense of having physical lines installed.

Wireless mesh networks: mesh networking is a mixture of the above two categories. Mesh networking provides dynamic, redundant, fault-tolerant links for building and client access.

Service Set Identifier (SSID)

Myth: hiding (not broadcasting) the SSID makes a wireless network secure.

The SSID is the “name” of a wireless cell; this name is used to logically separate WLANs. The SSID must match exactly between the client and the access point for them to connect. The Access Point (AP) sends the SSID out in beacons.

Beacons are broadcasts that an AP sends to advertise available services; these beacons go out whether the SSID is hidden or not (clients can be configured without an SSID, in which case they learn the SSID from the AP's beacons).

The Basic Topology

(Figure: Wireless topology)

Extended Service Set: two or more Basic Service Sets (BSS; mobile clients use a single AP to connect) are connected by a common distribution system (backbone). An Extended Service Set uses a common SSID to allow roaming from AP to AP without client reconfiguration.

The diagram shows the WLAN topology with two APs and some devices (Microsoft icons) that I know to be Wi-Fi capable (from left to right: tablet notebook, projector, PDA, smartphone, notebook).

Wireless cell: the basic area is the RF coverage provided by an AP (Channel 1 or Channel 2, NOT both). This area is also called the “microcell”. To enlarge the basic area one simply adds APs (recently the microcell has given way to the picocell, reducing each AP's coverage by reducing power and increasing the total number of APs deployed).

The basic area of an AP is called the service set; the basic area of the combined APs is called the extended service set (a 10 to 15% overlap between cells is recommended for data networks to allow roaming without losing the RF connection; 15 to 20% overlap for voice/data/video networks). Bordering cells should be set to different non-overlapping channels for best performance (more on this later).

Access Point: the name is self-explanatory; reverse it and you get Point of Access. As the name denotes, this is the point at which client devices connect to the wireless network. The APs then connect to the Ethernet backbone and facilitate communication between the wired and wireless networks.

The AP is the master of a given cell and manages/controls traffic to and from the network (remote devices do not communicate with each other they communicate through the AP).

Picocell: the benefits of a picocell are better coverage, less interference, higher data rates, and fault tolerance through convergence. When an AP goes down, the neighbouring APs expand coverage by increasing power (this increases the RF range) to cover for the lost AP. (Look into WLAN controllers, because this gets complicated to do manually very quickly with more than about 5 APs.)

Wireless Repeater

(Figure: Wireless Repeater)

In environments (factory floors, doctors' rooms, large retail, wholesale storehouses) where it is just not practical to put down a wired LAN, or where the application of the network would not work with a wired system, a wireless repeater can be put down.

A wireless repeater is an AP that is not connected to the wired LAN (it requires 50% overlap with the AP on the wired LAN side). This setup, however, has a large throughput impact: throughput is halved due to the receive and retransmit time.

The SSID of the AP (the one on the left) must be configured on the wireless repeater (the one on the right). The wireless repeater uses the same channel as the AP (NB not all implementations support this).

Workgroup Bridge

(Figure: Wireless Workgroup Bridge)

The Cisco Wireless Workgroup Bridge (WGB) (reference: Cisco Q&A document) connects to the Ethernet (RJ-45) port of any end-device that has an Ethernet port (and is therefore networkable) but does not have a WLAN Network Interface Card (NIC), either because the end-device has no Peripheral Component Interconnect (PCI) slot, Personal Computer Memory Card International Association (PCMCIA) slot or USB slot, or because it lacks software for WLAN connectivity.

A WGB provides a single-MAC-address connection into an AP and in turn onto the wired LAN backbone (the WGB cannot work in peer-to-peer mode). Another option is to connect a remote workgroup's wired LAN. To implement a remote workgroup installation (i.e. multiple MAC addresses) the WGB is connected to a hub/switch with an Ethernet patch cable (for single MAC address use a crossover cable) (NB not all implementations support this).

Ad-hoc mode

(Figure: Wireless Ad Hoc Mode)

Ad-Hoc Mode: this is called an Independent Basic Service Set (IBSS). Mobile clients connect directly without an AP.

Peer-to-Peer (P2P), a.k.a. ad-hoc mode networking, is the opposite of a server-client model (duh). This can be in a wired or wireless environment and is where a group of end-devices come together and form an ad-hoc/P2P network with each other to share files, pictures, music, movies and applications (the ease and current applications (Kazaa and torrents) of this type of network are the main reason the RIAA hates ad-hoc/P2P networks).

In a WLAN the coverage is very limited, as all users must be within wireless reception distance of each other. There are a couple of problems with P2P “office” networks, one being that security is almost non-existent; other problems are that there is no central location for any files, applications, or printing.

In most P2P environments I have found that the receptionist is given the “server-role” PC, which creates other larger problems. The person at the front desk in a company is the receptionist; in case of a theft the first computer out the door is the server. In most cases the most “spam” is received by a receptionist (classing teddy-bears, hearts and hugs, chain-mail, friend-mail, etc. as spam), and being on numerous forwarding lists increases the risk of virus, trojan and worm infection. If the company allows internet access to employees it's only a matter of time before the “server” begins doing its own thing.

In a WLAN it is not a good idea (iow just don't do it) to connect a server, or a server-role computer, using wireless.

Roaming

(Figure: Wireless Roaming)

The roaming “feature” on wireless allows a mobile user to move from one cell to another without a drop in signal or need to manually change network settings. Roaming is enabled by complete coverage with wireless cells.

  1. Seamless roaming allows for users to move around from one cell to another.
  2. Power management lengthens the battery life of portable devices (i.e. they don’t have to search for wireless networks all the time)
  3. Dynamic Load Balancing distributes users among access points to increase throughput for each user.
  4. AP with overlapping coverage cells and redundant switches provide fault tolerant WLAN networks.

A user experiences “roaming” when one of the following conditions is met:

  1. The maximum data retry count is exceeded.
  2. The client has missed too many beacons from the access point.
  3. The client has reduced the data rate.
  4. The client intends to search for a new AP at periodic intervals.

Roaming without service interruption requires identical SSIDs, VLANs and IP subnets on all APs. The client initiates roaming when it searches for another AP with the same SSID and then sends a re-authentication request (for voice and video, short roaming times are important).

Layer-2 and Layer-3 Roaming

(Figure: Wireless Layer-2 and Layer-3 Roaming)

Roaming from one AP to another AP on the same subnet (Cell 1 to Cell 2) is considered Layer-2 roaming (data link layer). Roaming between APs that reside on different subnets (Cell 1 to Cell 3) is considered Layer-3 roaming (network layer).

Layer-2 roaming is managed by the AP, using multicast packets that inform switches that a device has moved. The protocol between the APs is called Inter-Access Point Protocol (IAPP).

Layer-3 roaming is managed by either Mobile IP or Lightweight Access Point Protocol (LWAPP) with a WLAN controller.

Mobile IP: allows a mobile device to keep a fixed IP address from its home IP subnet as it moves. It relies on devices like routers (home agents and foreign agents) to tunnel traffic for the mobile device. This was used in legacy WLANs.

Wireless VLAN Support

Switches use VLANs to separate traffic. WLAN APs can in turn extend the VLANs by mapping VLANs to SSIDs. The VLANs then share the same wireless cell and channel; the end result is virtualization of the AP.

Through the use of trunking (ISL or 802.1Q) the VLANs can be mapped to APs from the switch, allowing roaming throughout the enterprise. A Cisco Aironet AP can be configured with 8 to 16 VLANs for system design flexibility. (Some client NICs require SSID broadcast; the AP can be configured for SSID broadcast per VLAN.)

Wireless Enterprise (read business) Voice Architecture

Wired LAN voice (IP Phone) networks can be extended using the 802.11e standard, which specifies QoS upstream and downstream for WLAN networks. This is very important because of the delay-sensitive nature of voice.

Wireless Mesh Networks

A Mesh network infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node (WirelessAfrica). The nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach. The result is a network that can span a large area (cost effectively if each node is owned by individuals).

Mesh networks are reliable because each node connects to several other nodes. Wireless mesh networks differ from conventional infrastructure wireless networks in that only a subset of nodes need to be directly connected to the wired network. Extra capacity can be added by installing more nodes. Through the use of the Cisco Adaptive Wireless Path Protocol (AWP(P)) each device can find a way back to the wired APs and thus, by extension, the network. Paths (of which there are multiple) through the network can change in response to traffic load, radio conditions, or traffic prioritization. The network can cover more distance by using wireless-to-wireless connectivity. Unlicensed bandwidth (cheap) and wireless routing allow microcells to interconnect over wireless backhaul links.

AWP Protocol

AWP allows APs to communicate with each other to determine the best path back to the wired network. After the optimal path selection is established, AWP continues to run as a background service to establish alternate paths to the wired network, or in case topology changes or other conditions cause the link strength to diminish. (AWP runs on each AP.)

AWP is a wireless protocol by design and takes into consideration wireless radio factors like interference to make a mesh network self-configuring and self-healing. Because wireless is dynamic, an addition to the network causes AWP to reconfigure paths back to the wired network automatically. AWP also uses stickiness to mitigate route flaps (a disconnection or temporary disruption doesn't cause a mesh change).


Hot Standby Router Protocol (HSRP)

Published
by
Deon Botha
on May 5, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs, HSRP, Hot Standby Router Protocol and Trunk
. 5 Comments

Hot Standby Router Protocol (HSRP) is the protocol mentioned in the previous post that rolls gateways, Proxy ARP and redundancy into one “protocol”.

HSRP defines a group of standby routers, with one active router. The protocol (HSRP) provides gateway redundancy by sharing an IP and MAC Address between the redundant gateways; this is all done transparently to the end-devices.

An HSRP group comprises these “entities”:

  1. One Active Router – the router that is currently forwarding packets for the virtual router
  2. One Standby Router – The primary backup router for the virtual router
  3. One Virtual Router – The set of routers participating in HSRP that jointly emulate a virtual router
  4. Other Routers

An HSRP group is not a virtual router; look carefully at the list above: one of the HSRP elements that makes up the group is a virtual router.

HSRP Operation – Virtual Router

The virtual router is what the end-devices use for communicating with the “gateway”. This is the IP and MAC Address configured on the end-devices. NB The virtual router processes no physical frames.

HSRP Operation – Active Router

An HSRP group has one elected active router that physically forwards packets sent to the virtual router MAC address. This is the router that responds to traffic.

If an end-device sends an ARP request to the virtual router IP Address, the active router replies with the virtual router MAC Address.

The HSRP active and standby routers send hello messages to the multicast address 224.0.0.2, User Datagram Protocol (UDP) port 1985.

HSRP Operation – Standby Router

The function of the standby router is to monitor the operation of the HSRP group and quickly assume the packet-forwarding responsibility if the active router goes down. Like the active router, it sends hello messages to 224.0.0.2, UDP port 1985.

HSRP Operation – Other Router

There are, or could be, other routers in the HSRP group that are neither active nor standby; these routers monitor the hello messages and ensure that an active and a standby router exist. These “other” routers issue speak messages at every hello from the active and standby router. They forward packets addressed to their own IP addresses, but they do not forward packets for the virtual router.

HSRP Operation – Active and Standby

Because an HSRP group has at least two routers there is at least an active and standby router in the group at any one time.

When the Active Router fails the other routers stop seeing hello messages from the Active Router. The standby router will then assume the active role in this case. If there are other routers in the HSRP group they will then contend to become the new standby router.

In the unlikely event that both the active and the standby router fail, all routers in the group will contend for the active and standby roles.

The settings for message intervals and delays are outlined below:

  1. Hello Message Interval – The interval between successive HSRP hello messages from a router; the default is 3 seconds.
  2. Hold interval time – The interval between receipt of a hello and the presumption that the sending router has failed; the default is 10 seconds.

HSRP and ARP

The IP and MAC address of the virtual router is maintained in the ARP tables of each HSRP group member. The command used to view the ARP cache on a Cisco Catalyst multilayer switch is:
switch#show ip arp
The output, as I mentioned, will show the ARP cache in table form; the MAC address will be in the following format. Notice that end-devices normally have the starting digits 01, while the virtual router has a starting digit of 00.

(Figure: HSRP MAC Address)

HSRP States

  • Initial – This is the state at the start; it indicates that HSRP is not running. This state is entered through a configuration change or when an interface first comes up.
  • Learn – The router is neither active nor standby, nor does it have enough information to claim the active or standby role.
  • Listen – The router knows the virtual router IP address but is not active or standby. It listens to the hello messages.
  • Speak – The router sends periodic hello messages and actively participates in the election of the active or standby router. A router cannot enter this state unless it has the virtual IP address.
  • Standby – The router is a candidate to become the next active router and sends periodic hello messages. There is at most one router in this state (except for transition periods).
  • Active – The router that forwards packets for the virtual router MAC address (and also replies to ARP requests for the virtual router's IP address). The router sends periodic hello messages. There must be one router in the active state in the group (except for transition periods).

HSRP State Transition

All routers begin in the initial state. This starting state indicates that HSRP is not running on the router; it is entered via configuration changes (when HSRP is first brought up, or when no shutdown is used). The listen state is there for routers to determine whether there are already active or standby routers in the HSRP group. In the speak state, routers actively participate in the election of the active or standby router.

  1. Active Timer – Used to monitor the active router; it resets any time a router in the standby group receives a hello packet from the active router. This timer expires according to the hold time value set in the HSRP hello message.
  2. Standby Timer – Used to monitor the standby router; it resets any time a router in the standby group receives a hello packet from the standby router. This timer expires according to the hold time value set in the respective packet.
  3. Hello Timer – Used to clock hello packets; all HSRP routers in any HSRP state generate a hello packet when this timer expires.
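Added example (mine, not from the page or from Cisco): a Python encoder/decoder for the HSRP version 1 hello payload as laid out in RFC 2281, using the state codes listed above, the default 3 second hello and 10 second hold timers, the HSRPv1 virtual MAC 0000.0c07.acXX derived from the group number, and a model of the active timer described above (reset by each hello from the active router, expiring after the hold time that hello carried). The virtual IP used in the test is constructed.

```python
import ipaddress
import struct

HSRP_MULTICAST, HSRP_UDP_PORT = "224.0.0.2", 1985    # where hellos are sent (from the notes)
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
STATE_CODES = {name: code for code, name in STATES.items()}
OPCODE_CODES = {name: code for code, name in OPCODES.items()}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth data, virtual IP
_HSRP_V1 = "!BBBBBBBB8s4s"


def build_hsrp_v1(state: str, priority: int, group: int, virtual_ip: str,
                  hellotime: int = 3, holdtime: int = 10, opcode: str = "hello",
                  auth: bytes = b"cisco") -> bytes:
    """Build the 20-byte HSRPv1 payload carried in UDP port 1985 (RFC 2281 layout).
    Defaults: hello 3 s, hold 10 s, auth string 'cisco' padded with NUL bytes."""
    if not (0 <= group <= 255 and 0 <= priority <= 255):
        raise ValueError("HSRPv1 group and priority are single bytes")
    return struct.pack(_HSRP_V1, 0, OPCODE_CODES[opcode], STATE_CODES[state],
                       hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\x00")[:8],
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode an HSRPv1 payload into named fields."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 payload is 20 bytes")
    version, opcode, state, hello, hold, prio, group, _, auth, vip = \
        struct.unpack(_HSRP_V1, payload[:20])
    if version != 0:
        raise ValueError("not an HSRP version 0 (v1) packet")
    return {"opcode": OPCODES.get(opcode, opcode), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00"),
            "virtual_ip": str(ipaddress.IPv4Address(vip))}


def hsrp_v1_virtual_mac(group: int) -> str:
    """Virtual router MAC for an HSRPv1 group: 0000.0c07.acXX, XX = group number in hex."""
    return "0000.0c07.ac%02x" % group


class ActiveTimer:
    """The 'active timer' from the notes: reset by every hello from the active router,
    it expires after the hold time carried in that hello."""

    def __init__(self, holdtime: int = 10):
        self.holdtime = holdtime
        self.last_hello = None

    def hello_from_active(self, now: float, hello: dict) -> None:
        self.holdtime = hello["holdtime"]   # hold time is learned from the hello itself
        self.last_hello = now

    def active_presumed_down(self, now: float) -> bool:
        return self.last_hello is not None and now - self.last_hello >= self.holdtime
```

With the defaults, three hellos are missed before the hold time runs out; the standby router only moves to active once the timer has expired, which is why a failover takes on the order of the hold time rather than the hello interval.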

Configuration

I created a fictional network because I work better when I can “see” what is going on, in the example you have a “distribution” and access portion of the network.

From top down you have two distribution multilayer switches connected to the single layer-2 switch that feeds out three end-devices (workstations in this case). Now the task is to configure HSRP on the MLSs at the distribution level. This will enable the end-devices to be configured with a single IP Address for a gateway and transparent failover should something go wrong.

(Figure: HSRP Example)

We start off by configuring HSRP on an interface (this includes the group number). The IP address is that of the virtual gateway (the default group number is 0). To disable, add no to the front of the command.

switch>enable
switch#config term
switch(config)#interface gigabitethernet 0/1
switch(config-if)#standby 0 ip 192.168.0.1

To verify the configuration of HSRP there are two commands. The first shows the whole configuration so you can check all config.

switch#show run

The second command is standby (HSRP) specific; add keywords to it (use ? to see them and to reduce the amount of output).

switch#show standby

Note: while running HSRP, the standby router's IP address must not be visible (discovered or discoverable) to the end-devices. Any protocol that informs end-devices of the routers' actual IP addresses must be disabled. When HSRP is enabled on a Cisco Catalyst router interface, the interface automatically disables Internet Control Message Protocol (ICMP) redirects (this causes problems later on).

HSRP Optimization

On Cisco Catalyst Layer-3 switches there are options available (optimization features) to take the guess work out of HSRP configuration and operations. HSRP options available:

  • Standby priority - Allows the network admin to control the order in which the active router for a group is selected.
  • Standby preempt - Allows a router to regain its role of active router even if there is an existing active router on the segment.
  • Hello message timer adjustment - Configures the time between hello packets and the time before other routers declare the active router down.
  • HSRP interface tracking - An interface configuration command that ties the router's hot standby priority to the availability of its interfaces; useful for tracking interfaces that are not configured for HSRP.

Standby Priority

As explained, each HSRP group has its own active and standby routers. A network admin can assign a priority to each router in the group, which lets the admin control the order in which routers assume the active router role.

The router with the highest priority becomes the HSRP group's active router. In the case of a tie, the router with the highest configured IP address becomes the active router.

The command for this is (to reset to the default, use no standby group-number priority):
switch(config-if)#standby 1 priority priority-value

As with life there are exceptions and problems. Take a network where new equipment was added over time and the old equipment is kept as failover standby kit; let's say an 877 Series router is the standby for a 2851 Series. The speed difference between the routers (whichever boots up first) would then determine the HSRP active router, not the priority value, UNLESS preempt is configured.

The command for this is:
switch(config-if)#standby 1 preempt

Standby Preempt

As explained in the paragraph above, the command standby group-number preempt allows the network admin (you, me or whoever) to configure an HSRP group to respect the standby group-number priority.

Using my example above of a mixed router network (routers purchased over time as the business grew with demand), let's say that the 2851 router is configured to be our active router (highest priority and highest IP address combination), with the 877 as standby.

If something were to go wrong with the 2851, the natural progression is that the 877 becomes the active router. When the 2851 comes back online, it won't become the active router again (EVEN if it has the higher priority and IP address) unless the 877 fails in turn.

This is where standby group-number preempt comes in: the former active router is configured to resume the forwarding (active router) role by preempting a router with a lower priority.

Now that we have a predictable failover and “recovery” what happens when maintenance occurs? In the boot process some interfaces and processes take longer than others. Optimally we want all interfaces and all processes stable before rejoining the HSRP group and becoming the Active Router.

To do this, measure the boot time (stopwatch) and set the HSRP preempt delay to a value 50 percent greater than the boot time. This ensures that the primary distribution switch establishes full connectivity to the network before HSRP communication occurs.

switch(config-if)#standby 1 preempt delay minimum 180

HSRP Message Timers

The hello message contains the priority of the router and also the hellotime and holdtime parameter values.

  1. hellotime holds the interval between the hello messages that the router sends.
  2. holdtime holds the amount of time that the current hello message is considered valid.

The standby timers command includes an msec parameter to allow for sub-second failover. Lowering the hello timer results in increased hello traffic and should be used with caution.

The procedure is that when a router sends a hello message (every 3 s by default), a receiving router considers that hello message to be valid for one holdtime (10 s by default). The holdtime value should be at least three times (x3) the hellotime value, and it must be greater than the hellotime value.

default HSRP hellotime 3 seconds

default HSRP holdtime 10 seconds

This means that failover could be as much as 10 seconds before communication is restored and end-devices begin communicating with a new gateway. The hellotime and holdtime intervals must be identical for ALL DEVICES in a HSRP group.

The configuration is as follows, with the 1 being the group-number and hellotime and holdtime in seconds, both from 1 to 255 (to disable, use no standby group-number timers):
switch(config-if)#standby 1 timers [msec] hellotime holdtime

As said, the HSRP hellotime and holdtime can be set in millisecond values so that HSRP failover occurs in less than 1 second:

switch(config-if)#standby 1 timers msec 250 msec 940

HSRP Interface Tracking

In some cases the status of an interface will directly affect which router needs to be the active router. This is true when each router in an HSRP group has a different path to different resources within a campus. Especially considering that some resources are more important than others in some topologies.

The network diagram depicts two distribution areas connected via links A and B.

If the HSRP active router's link between the buildings (A) were to konk out, then an Internet Control Message Protocol (ICMP) redirect would be sent to the standby router to notify it of the problem; the problem being that with HSRP, ICMP redirects are disabled.

So neither the active router nor the virtual router sends an ICMP redirect. Added to that, the active router's link A remains down and it is not able to send or receive packets on it, yet the active router still sends hello messages out link AA because the router itself is still functioning fine and link AA (the connection to the standby router) still works; i.e. there is no problem, right?

To solve this problem, interface tracking enables the priority of a router to be adjusted automatically depending on the state of a tracked interface on that router. So when a tracked interface on that router becomes unavailable (as in the example), the priority is adjusted (plus x or minus x depending on whether the interface comes online or goes offline).

So, to restate the example with interface tracking: if link A (the tracked interface) were to go down, then the router automatically decreases its priority and stops transmitting hello messages on AA. The standby router assumes the active router role when no hello messages are detected (i.e. the standby router assumes a failure) and takes over the building link.

Problem Solved.

To implement this, use the command string standby group-number track interface [priority-decrement]. This can be configured on an SVI or a physical interface. Shown below it is applied to interface VLAN 10, tracking interface gigabitethernet 0/1.

To disable this, use no standby group-number track:
switch(config)#interface vlan 10
switch(config-if)#standby 1 track gigabitethernet 0/1 30

NB: preempt must be configured on all interfaces within this HSRP group.

The trailing priority value is the amount by which HSRP decrements the priority (minus) when the tracked interface goes down and increments it again (plus) when it comes back up. The default is 10.
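
As an added example (not from the post or from Cisco), here is a small Python model of the election rules covered in the priority, preempt, timer and tracking sections: the highest effective priority wins with the highest IP as tie-break, a better router only displaces a healthy active router when preempt is set, a tracked interface going down subtracts its decrement, and the hold time bounds the worst-case failover. The router names, addresses and the 877's priority of 130 are assumed for the scenario.

```python
"""HSRP election model: priority, IP tie-break, preempt and interface tracking."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def validate_timers(hellotime: int, holdtime: int) -> bool:
    """Check HSRP timers in seconds; returns True when the recommended 3:1 ratio is met."""
    if not (1 <= hellotime <= 255 and 1 <= holdtime <= 255):
        raise ValueError("hellotime and holdtime must be 1-255 seconds")
    if holdtime <= hellotime:
        raise ValueError("holdtime must be greater than hellotime")
    return holdtime >= 3 * hellotime


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # real interface address, used as the tie-breaker
    priority: int = 100          # standby <group> priority <value>
    preempt: bool = False        # standby <group> preempt
    up: bool = False
    # tracked interface -> (link is up, decrement); standby <group> track <iface> <decrement>
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        return self.priority - sum(dec for link_up, dec in self.tracked.values() if not link_up)


class HsrpGroup:
    """One standby group; `active` is whoever currently answers for the virtual IP."""

    def __init__(self, group: int, hellotime: int = 3, holdtime: int = 10) -> None:
        validate_timers(hellotime, holdtime)
        self.group, self.hellotime, self.holdtime = group, hellotime, holdtime
        self.routers: List[HsrpRouter] = []
        self.active: Optional[HsrpRouter] = None
        self.log: List[str] = []

    @staticmethod
    def _best(candidates: List[HsrpRouter]) -> HsrpRouter:
        # Highest effective priority wins; a tie goes to the highest interface IP address.
        return max(candidates, key=lambda r: (r.effective_priority(), int(IPv4Address(r.ip))))

    def _reelect(self) -> None:
        alive = [r for r in self.routers if r.up]
        if not alive:
            self.active = None
            return
        if self.active is None or not self.active.up:
            # No hellos from the active router for holdtime: the best standby takes over.
            self.active = self._best(alive)
            self.log.append(f"{self.active.name} becomes active")
            return
        best = self._best(alive)
        # A better router displaces a healthy active router only if it is set to preempt.
        if best is not self.active and best.preempt:
            self.log.append(f"{best.name} preempts {self.active.name}")
            self.active = best

    def boot(self, router: HsrpRouter) -> None:
        if router not in self.routers:
            self.routers.append(router)
        router.up = True
        self._reelect()

    def fail(self, router: HsrpRouter) -> None:
        router.up = False
        self._reelect()

    def track(self, router: HsrpRouter, iface: str, link_up: bool, decrement: int = 10) -> None:
        router.tracked[iface] = (link_up, decrement)
        self._reelect()

    def worst_case_failover(self) -> int:
        """Seconds hosts can lose their gateway before a standby declares the active router dead."""
        return self.holdtime


def hsrp_demo() -> List[str]:
    """Constructed scenario from the post: a 2851 (priority 150) backed by an 877 (priority 130)."""
    group = HsrpGroup(group=1)
    r2851 = HsrpRouter("2851", "192.168.0.33", priority=150, preempt=True)
    r877 = HsrpRouter("877", "192.168.0.32", priority=130, preempt=True)
    group.boot(r877)   # the faster 877 finishes booting first and becomes active
    group.boot(r2851)  # preempt lets the higher-priority 2851 reclaim the active role
    group.track(r2851, "gigabitethernet 0/1", link_up=False, decrement=30)  # uplink A goes down
    group.track(r2851, "gigabitethernet 0/1", link_up=True, decrement=30)   # uplink A recovers
    return group.log
```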

HSRP Load Sharing

All examples up until now have been a single HSRP group with a single “network”. This will allow for a single router (Active Router) in the HSRP group to forward packets for the virtual router for the entire network.

Load sharing is achieved by having both routers participate in two HSRP groups (see the network diagram): in the example diagram a single router is a member of both groups, active for one and standby for the other. There can be up to 255 standby groups on a LAN, but the number of groups should not exceed the number of active routers needed (in this case 2).

If a router has to participate in more than one group, it increases the load on the router and thus decreases performance. If you want to be funny and use 255 groups, then expect a heavy performance impact.

The config for this would look something like this:
switchA(config)#interface vlan 10
switchA(config-if)#ip address 192.168.0.32 255.255.255.0
switchA(config-if)#no ip redirects
switchA(config-if)#standby 1 priority 150
switchA(config-if)#standby 1 ip 192.168.0.100
switchA(config-if)#standby 2 priority 50
switchA(config-if)#standby 2 ip 192.168.0.110

Then on the other router, with the priorities reversed so that switchB is active for group 2 and standby for group 1:
switchB(config)#interface vlan 10
switchB(config-if)#ip address 192.168.0.33 255.255.255.0
switchB(config-if)#no ip redirects
switchB(config-if)#standby 1 priority 50
switchB(config-if)#standby 1 ip 192.168.0.100
switchB(config-if)#standby 2 priority 150
switchB(config-if)#standby 2 ip 192.168.0.110

HSRP Across Trunk Links

To start getting more practical (this is basically how I've set up my network) with a distribution area feeding an access area with multiple VLANs: I have each end-device in a separate VLAN (meaning each workstation in a VLAN in one range, each IP phone in a VLAN in another range, printers, servers and so on). This is heavy overkill, but I wanted practice when I did the setup and needed to do some repetitive config work to make it stick in my head.

By configuring HSRP over trunk (802.1Q or ISL), we can eliminate situations where a single point of failure causes traffic interruptions. This inherently provides improvements in overall networking resilience by providing load balancing and redundancy capabilities between subnets and VLANs should one of the Distribution layer links or routers fail.

What was said in the previous section still applies: for each VLAN, a standby group, an IP address and a single well-known MAC address with a unique group ID is allocated (but as mentioned, keep the groups to a minimum for performance reasons). Each virtual IP address must sit in the subnet of its SVI, and the priorities are reversed on the second switch so that each switch is active for one VLAN.
To configure this:
switchA(config)#interface vlan 2
switchA(config-if)#ip address 192.168.20.1 255.255.255.0
switchA(config-if)#no ip redirects
switchA(config-if)#standby 1 priority 150
switchA(config-if)#standby 1 ip 192.168.20.100
switchA(config-if)#interface vlan 3
switchA(config-if)#ip address 192.168.30.1 255.255.255.0
switchA(config-if)#no ip redirects
switchA(config-if)#standby 2 priority 50
switchA(config-if)#standby 2 ip 192.168.30.100

Then on the other router:
switchB(config)#interface vlan 2
switchB(config-if)#ip address 192.168.20.2 255.255.255.0
switchB(config-if)#no ip redirects
switchB(config-if)#standby 1 priority 50
switchB(config-if)#standby 1 ip 192.168.20.100
switchB(config-if)#interface vlan 3
switchB(config-if)#ip address 192.168.30.2 255.255.255.0
switchB(config-if)#no ip redirects
switchB(config-if)#standby 2 priority 150
switchB(config-if)#standby 2 ip 192.168.30.100

HSRP Debug

The commands used to debug HSRP are as follows:
switch#debug standby [errors] [events] [packets]
switch#debug standby terse
To stop the debug output:
switch#no debug standby
switch#no debug all

Be aware that debug processes are assigned a high CPU priority, and any command that causes LOTS of output (such as displaying all HSRP messages) WILL render the system unusable and mean you need to reboot the router. (If you didn't save your changes, you will wish you had.)

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to remember

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed, Router Redundancy in Multilayer Switching (page. 318-347). Indianapolis: Cisco Press.

Inter-VLAN Switching (MLS)

Published
by
Deon Botha
on April 23, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs and MLS
. 0 Comments

This post explains a bit about how an MLS (layer-3) switch can be used, or rather functions, as an inter-VLAN router. The topic of MLS was covered a bit in this post. Traditionally a switch makes forwarding decisions based on layer-2 information (MAC address), whereas a router uses layer-3 information (IP address).

The above was true when switches were always layer-2 (when hubs were just being dropped and switched networks were coming into fashion) and routers layer-3, but we now have multilayer switches (MLS) that perform basically the same functions as routers, with the ability to switch and forward on both layer-2 and layer-3 information.

Now for every positive there is a negative. A router costs more than a switch per port because routers in essence can “do” more than switches (interconnections instead of just connections): a workgroup switch costs around $30 per port and an MLS around $80 per port; add Power over Ethernet and Gigabit to the desktop and that $80 per port quickly goes to $280.*

The above just highlights that a MLS should be placed where needed and not just anywhere because it is not just “another” switch for access. Now Layer-2 forwarding is based on the destination MAC Address. A switch learns the source MAC Address, populates a MAC address table, and lists MAC address with VLAN pairs with associated interfaces.

Layer-3 forwarding is based on the destination IP address. Layer-3 forwarding happens when a packet is routed from a source subnet to a destination on another subnet. When MLS sees its own MAC address in the layer-2 header, it recognizes that the packet is either destined for itself or has been sent to the default gateway. If the packet is not destined for the MLS, then the IP address is compared to the Layer-3 forwarding table for the longest match; additionally ACL checks are also performed.

Layer-3 Switch Virtual Interfaces (SVI):

An SVI is a virtual interface, as the name suggests (there is no physical interface), for a VLAN. The SVI accepts the configuration parameters applied to any layer-3 router interface and provides processing for packets from all switch ports associated with that VLAN. Only one SVI can be associated with a VLAN. An SVI is used for these reasons:

  1. To provide a default gateway for a VLAN so that traffic can be routed between VLANs
  2. To provide fallback bridging if it is required for non-routable protocols
  3. To provide layer-3 connectivity to the switch
  4. To support routing protocol and bridging configurations

By default a SVI is created for the default VLAN (vlan 1, a.k.a native vlan) to permit remote switch management. SVIs are created in interface configuration mode:

switch(config)#interface vlan 1
switch(config-if)#

The VLAN corresponds with the VID used on the trunk (ISL or 802.1q). Configure and assign an IP address and mask to each VLAN SVI to route traffic off and onto the local VLAN.

Configuration:

To configure inter-VLAN routing on an MLS the following commands are used. First we enable layer-3 routing on the switch:
switch(config)#ip routing
Now we create an SVI (one VLAN ID from 1 to 4094) and move into interface configuration mode to assign an IP address and mask:
switch(config)#interface vlan vlan-id
switch(config-if)#ip address 172.0.0.1 255.255.255.0

A good thing now would be to have a dynamic routing protocol setup on the network (router) so that paths can be learnt dynamically.
switch(config)#router protocol (options)
Testing the routing protocol and routing:
switch#show ip route

Layer-3 Routed Ports
Routed ports are exactly what they sound like and the opposite of switch(ed) ports. They are configured by taking away the switching capability (the no switchport command). A routed port has these characteristics and functions:

  1. The port is a physical port with layer-3 capability.
  2. The port is not associated with a particular VLAN.
  3. The port serves as the default gateway for devices off that switch port.
  4. Layer-2 port functionality is removed before the port becomes a routed port.

Configuration:

To configure routed ports on a switch these are the commands that need to be entered. First we enable routing on the switch:
switch(config)#ip routing
Now we enter the interface (note the difference between an SVI and a routed port):
switch(config)#interface gigabitethernet 0/1
Here is the extra command that takes the switch port features away and makes it a routed port:
switch(config-if)#no switchport
Assign an IP address and mask to the port and we are done with the interface:
switch(config-if)#ip address 172.0.0.1 255.255.255.0
A good thing now would be to have a dynamic routing protocol setup on the network (router) so that paths can be learnt dynamically.
switch(config)#router protocol (options)
Testing the routing protocol and routing:
switch#show ip route

*This is rough estimated Dollar pricing for a WS-C2950-24, WS-C3560-24TS-S, and WS-C3560G-24PS-E switches, you are paying for more than just ports though with IOS, kind/type of chassis, SFP ports and other things coming in to play. But this is a good example to illustrate the price difference.

Inter-VLAN Routing (Router on a Stick)

Published
by
Deon Botha
on April 22, 2008
in BCMSN, Certification, Cisco Systems and Inter-Vlan Routing
. 0 Comments

When a switch supports multiple VLANs but has no layer-3 capability, the switch must be connected to an external layer-3 device (a router). This is done by creating a trunk link (ISL or 802.1Q) between the switch and router that can carry all VLAN information and provide inter-VLAN routing (a.k.a. router on a stick). The interface should preferably be FastEthernet or better.

There are some advantages and disadvantages to Inter-VLAN routing:

  • Advantages: it is simple to implement, a layer-3 switch (expensive) is not required, and the router provides communication between VLANs.
  • Disadvantages: the router is a single point of failure for the network, the single trunk link may become congested, and latency may be introduced as frames leave the switch.

Configuration

There are a couple of things that are needed to configure inter-VLAN routing. First things first: you need VLANs to route. I jumped the gun here and explained the entire process of inter-VLAN routing; what can I say, I was excited :-)

So, as revision, let's create some VLANs (the name is set in VLAN configuration mode):

switch>enable
switch#config term
switch(config)#vlan 100
switch(config-vlan)#name Inter
switch(config-vlan)#vlan 200
switch(config-vlan)#name VLAN
switch(config-vlan)#vlan 300
switch(config-vlan)#name Routing

Now let's configure an interface (the port facing the router) as a trunk on the switch:

switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk

The switch now has VLANs and a trunk link onto the router. On the router, the physical interface carries no IP address; each VLAN gets its own subinterface with dot1q encapsulation (which must be set before the IP address) and its own subnet:

router>enable
router#config term
router(config)#interface fastethernet 0/0
router(config-if)#no ip address
router(config-if)#description trunk-link
router(config-if)#interface fastethernet 0/0.1
router(config-subif)#description Native-vlan
router(config-subif)#encapsulation dot1q 1 native
router(config-subif)#ip address 192.168.1.1 255.255.255.0
router(config-subif)#interface fastethernet 0/0.100
router(config-subif)#description Inter-vlan
router(config-subif)#encapsulation dot1q 100
router(config-subif)#ip address 192.168.2.1 255.255.255.0
router(config-subif)#interface fastethernet 0/0.200
router(config-subif)#description VLAN-vlan
router(config-subif)#encapsulation dot1q 200
router(config-subif)#ip address 192.168.3.1 255.255.255.0
router(config-subif)#interface fastethernet 0/0.300
router(config-subif)#description Routing-vlan
router(config-subif)#encapsulation dot1q 300
router(config-subif)#ip address 192.168.4.1 255.255.255.0

To check the configuration use the following commands:
router#show vlans
router#show ip protocols
router#show ip route
To verify and test connectivity do the following two things. First, ping from the router to a host in each VLAN to confirm connectivity from the router to the separate hosts and VLANs:
router#ping insert.host.address.here
Sending 5, 100-byte ICMP Echos to insert.host.address.here, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Second, go to the hosts (in our case 3 hosts, one each in VLAN 100, 200 and 300) and ping hosts in the other VLANs (make sure the hosts you are pinging are in other VLANs, otherwise you aren't testing inter-VLAN connectivity). So a host in VLAN 100 pings hosts in 200 and 300, a host in VLAN 200 pings hosts in 100 and 300, and a host in VLAN 300 pings hosts in 100 and 200.
C:\Users\Administrator>ping insert.host.address.here
Pinging insert.host.address.here with 32 bytes of data:
Reply from insert.host.address.here: bytes=32 time<1ms TTL=127
Reply from insert.host.address.here: bytes=32 time=9ms TTL=127
Reply from insert.host.address.here: bytes=32 time=8ms TTL=127
Reply from insert.host.address.here: bytes=32 time<1ms TTL=127
Ping Statistics for insert.host.address.here:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 4ms
C:\Users\Administrator>

Multiple Spanning Tree Protocol

Published
by
Deon Botha
on April 18, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs and MSTP
. 2 Comments

I noticed a hole in my notes that I was getting confuzzled with. Here are the standards that link to the protocols:

  • STP: IEEE 802.1D
  • MSTP: IEEE 802.1s (merged later into IEEE 802.1Q-2003)
  • RSTP: IEEE 802.1w (now part of IEEE 802.1D-2004)
  • PVST and PVST+ are both Cisco proprietary and have no IEEE standards

There is one basic problem with Per-VLAN Spanning Tree (PVST): when many VLANs are present, the processing required creates considerable load. Also keep in mind (N.B.) that PVST is only supported on ISL and not on 802.1Q (which has problems of its own, with ISL not supported on all Catalyst switch platforms).

The alternative to this is Multiple Spanning Tree Protocol (MSTP), which creates a single instance of spanning tree (Common Spanning Tree, or CST) to run on multiple VLANs. The objective is to reduce the number of instances to match the physical topology, thereby reducing CPU load. The instances of spanning tree are reduced to the number of active links available.

Implemented on a large network, any given switch could run 4094 instances of spanning tree, each with its own BPDU conversations, root bridge election and path selections. With MSTP, if one path carries some VLANs and another path carries the other VLANs, then there are only 2 instances of spanning tree.

Using this method MSTP converges even faster than PVST+ and is backward compatible with 802.1D STP, 802.1w Rapid Spanning Tree Protocol (RSTP) and the Cisco proprietary PVST+ architecture. This implementation is not a requirement of the ECNM, as the number of active VLAN instances in the model is small and very stable by design.

MSTP allows one to build multiple spanning trees over trunks, grouping them by VLAN. Each instance can be topologically independent of the other instances. MSTP provides multiple forwarding paths (instances) for data traffic and enables load balancing.

A set of bridges is configured with the same MSTP configuration, which allows them to participate in a specific set of spanning tree instances. Interconnected bridges that have the same MSTP configuration are referred to as a Multiple Spanning Tree (MST) region. Bridges with a different config, or legacy (802.1D) bridges, are considered a different region.

Network fault tolerance is improved over Common Spanning Tree (CST) because a failure in one instance (forwarding path) does not affect another instance. The VLAN-to-MST-instance mapping must be consistent across bridges within an MST region.

In PVST+ environments, the spanning tree parameters are tuned so that half the VLANs are forwarding on each up-link trunk. With this configuration the following is true:

  1. Load balancing is achieved
  2. One spanning tree for each VLAN is maintained

MST Regions:

MSTP differs from other spanning tree implementations in that it combines some (if not all) VLANs into one logical spanning tree. This brings with it that the BPDU must be tagged with the VLAN information, to be able to say which VLAN goes where.

To provide for this each switch running in a MSTP region passes the following information:

  1. An Alphanumeric name (32 bytes)
  2. A configuration revision number (2 bytes)
  3. A 4096-element table that associates the potential VLANs with the given instance.

As said, to be part of a given MST region the switches must share the same configuration for all three of these.
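
As an added example (not from the post or from Cisco), the following Python builds the three fields a switch advertises for its region, including the 4096-entry VLAN-to-instance table and its HMAC-MD5 digest, and reports why two switches would not share a region, which also covers the revision-number caveat in the configuration section below. Region names, revisions and VLAN ranges are constructed.

```python
"""MST region identity: name, revision and the 4096-entry VLAN-to-instance table."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# HMAC-MD5 key that IEEE 802.1s specifies for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


@dataclass
class MstConfig:
    name: str                                   # spanning-tree mst configuration -> name
    revision: int                               # -> revision (2 bytes, 0-65535)
    vlan_to_instance: Dict[int, int] = field(default_factory=dict)  # VID -> MSTI; unmapped = IST 0

    def __post_init__(self) -> None:
        if len(self.name.encode()) > 32:
            raise ValueError("MST region name is limited to 32 bytes")
        if not 0 <= self.revision <= 0xFFFF:
            raise ValueError("revision is a 2-byte number")

    def map_instance(self, instance: int, vlan_spec: str) -> None:
        """Apply an 'instance N vlan 1-50,60' style mapping; instance 0 puts VLANs back in the IST."""
        if not 0 <= instance <= 15:
            raise ValueError("MSTI must be 0-15")
        for part in vlan_spec.split(","):
            lo, _, hi = part.strip().partition("-")
            for vid in range(int(lo), int(hi or lo) + 1):
                if not 1 <= vid <= 4094:
                    raise ValueError(f"VLAN {vid} out of range")
                self.vlan_to_instance[vid] = instance

    def table(self) -> bytes:
        """The 4096-element table: one 2-byte entry per VID 0..4095 holding its instance number."""
        return b"".join(self.vlan_to_instance.get(vid, 0).to_bytes(2, "big") for vid in range(4096))

    def digest(self) -> str:
        """HMAC-MD5 over the table; compare with 'show spanning-tree mst configuration digest'."""
        return hmac.new(MST_DIGEST_KEY, self.table(), hashlib.md5).hexdigest().upper()

    def identifier(self) -> Tuple[bytes, int, str]:
        """The three fields carried in MST BPDUs; neighbours compare these, not the table itself."""
        return self.name.encode().ljust(32, b"\x00"), self.revision, self.digest()


def same_region(a: "MstConfig", b: "MstConfig") -> bool:
    return a.identifier() == b.identifier()


def region_mismatch(a: MstConfig, b: MstConfig) -> List[str]:
    """Explain why two switches would land in different MST regions (empty list = same region)."""
    reasons = []
    if a.name != b.name:
        reasons.append(f"name {a.name!r} != {b.name!r}")
    if a.revision != b.revision:
        reasons.append(f"revision {a.revision} != {b.revision} (not synced by VTP; change it by hand)")
    if a.digest() != b.digest():
        differing = sorted(v for v in range(1, 4095)
                           if a.vlan_to_instance.get(v, 0) != b.vlan_to_instance.get(v, 0))
        reasons.append(f"VLAN-to-instance map differs for VLANs {differing[:10]}")
    return reasons


def mst_demo() -> List[str]:
    """Constructed pair: identical name and map, but the revision was bumped on only one switch."""
    dsw1 = MstConfig("region_1", revision=2)
    dsw1.map_instance(1, "1-50")
    dsw1.map_instance(2, "51-100")
    dsw2 = MstConfig("region_1", revision=1)   # the admin forgot to bump this one
    dsw2.map_instance(1, "1-50")
    dsw2.map_instance(2, "51-100")
    return region_mismatch(dsw1, dsw2)
```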

BID

As with PVST, the Extended System ID is used in MSTP, where the instance number is carried in the Extended ID field. In 802.1D STP each bridge must have a unique identifier; in PVST each VLAN needs a unique identifier. Before, only 1023 VLANs were supported; now all 4000 VLANs are supported through MAC address reduction.

MST Interactions with 802.1Q

An issue arises with MSTP design in the interoperability with the CST implementation in IEEE 802.1D. According to IEEE 802.1s, an MSTP switch must be able to handle at least one Internal Spanning Tree (IST). An MST region consists of one IST and an arbitrary (one or many) number of MSTP instances.

The MSTP instances are simply RSTP instances that only operate within a region (MST). The IST (instance 0) runs on all bridges within an MST region. It provides interaction at the boundary with other MST regions and compatibility with 802.1D (CST) and PVST+ networks connected to that region.

The IST receives and sends BPDUs to the CST for compatibility with 802.1D STP. The IST is capable of representing the MST region as a CST virtual bridge to switched networks outside the MST region. Think of the MST region not as many independent switches but as one “virtual bridge unit”.

  • The MST region appears as a single virtual bridge to adjacent CST and MST regions. The MST region uses RSTP port roles and operation.
  • MSTP switches run the IST, augmenting CST information with internal information about the MST region.
  • The IST connects all the MSTP switches in the region and any CST switched domains.
  • MSTP establishes and maintains additional spanning trees within each MST region. These spanning trees are termed MSTP instances. The IST is numbered 0, and the MSTP instances are numbered 1, 2, 3 up to 15. Any MSTP instance is local to the MST region and is independent of other MST regions.
  • The M-Record is a sub-field within the BPDU of MSTP instances that enables corresponding instances to calculate a final topology.
  • MSTP instances combine at the MST region boundary to become the CST: M-Records are encapsulated within MSTP BPDUs. The original spanning trees (M-trees) are active only within the MST region. M-trees merge with the IST at the MST region boundary to form the CST.
  • MSTP supports some of the PVST extensions: PortFast is supported; BPDU filter and BPDU Guard are supported in MSTP mode; Loop Guard and Root Guard are supported in MSTP mode; and for private VLANs (PVLANs), you must map a secondary VLAN to the same instance as the primary.

Configuration of MSTP

Entering the MSTP configuration Mode:
switch(config)#spanning-tree mst configuration
Displaying the current MSTP configuration on the Switch:
switch(config-mst)#show current
Setting the MST region name:
switch(config-mst)#name region_1
Set the MSTP configuration revision number:
switch(config-mst)#revision 1

Take note of the revision number: treat it like a software version number in programming, start from 1 and work upwards (1, 2, 3, 4, etc). Keep in mind that you have to change it manually (this isn't VTP) on all MST switches; it doesn't update automatically.

Map an MSTP instance to VLANs (a range or a single VLAN):
switch(config-mst)#instance 1 vlan 1-50
switch(config-mst)#instance 1 vlan 1
Show the configuration that hasn't been applied yet:
switch(config-mst)#show pending
Apply the configuration and exit MSTP configuration mode:
switch(config-mst)#exit
Assign the current switch you are on as the primary or secondary root for an instance (global configuration mode):
switch(config)#spanning-tree mst 1 root {primary | secondary}
Enable MAC Address reduction (a.k.a Extended System ID):
switch(config)#spanning-tree extend system-id
If a neighbouring switch is using a pre-standard version of 802.1s:
switch(config-if)#spanning-tree mst pre-standard
Display general spanning-tree information for MSTP:
switch#show spanning-tree mst
Displaying the spanning-tree configuration:
switch#show spanning-tree mst configuration
Displaying the spanning-tree configuration for a specific instance:
switch#show spanning-tree mst 1
Displaying the spanning-tree configuration for a specific interface:
switch#show spanning-tree mst interface fastethernet 1/1
Displaying the spanning-tree configuration for a specific instance on a specific interface:
switch#show spanning-tree mst 1 interface fastethernet 1/1
Finally for DETAILED information on a specific instance:
switch#show spanning-tree mst 1 detail
When a legacy switch has been connected and then removed and the port doesn't revert back to PVRST+ or MSTP mode:
switch#clear spanning-tree detected-protocols

References:

MST based on IEEE 802.1s

VLAN Configuration Errors

Published
by
Deon Botha
on April 14, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs, Trunk, VLAN and VTP
. 1 Comment

Common VLAN configuration errors made when configuring VLANs are listed below.

802.1Q Native VLAN Problem

An 802.1Q trunk link doesn’t encapsulate frames but adds a tag and re-calculates the frame-check sequence (FCS) of the frame. The 802.1Q trunk also allows for untagged frames to pass through the trunk on the NATIVE VLAN. A common configuration error is when there is a trunk link and the NATIVE VLAN is not the same on both sides of the trunk causing connectivity issues.

802.1Q Native VLAN Resolution

  • NATIVE VLANs must coincide on both ends of the trunk link, otherwise the trunk link may not form.
  • The Cisco NATIVE VLAN is VLAN 1 by default; for security purposes make the NATIVE VLAN something that is not used for normal purposes:
    switch(config-if)#switchport trunk native vlan vlan-id
  • If there is a NATIVE VLAN mismatch, CDP (if used and active) will issue a “native VLAN mismatch” error.
  • On select versions of IOS, CDP may not be transmitted if VLAN 1 is not working, or may automatically be disabled on the trunk.
  • If there is a NATIVE VLAN mismatch on either side of an 802.1Q trunk, layer-2 loops may occur because VLAN 1 STP bridge protocol data units (BPDUs) are sent to the IEEE STP MAC address untagged.
  • When troubleshooting VLANs, note that a link can have one NATIVE VLAN association when in access mode and another when in trunk mode.
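
Added example, not from the post: a Python model of an 802.1Q trunk port that tags non-native frames on egress, recomputes the FCS as the post describes, and assumes untagged ingress frames belong to its own native VLAN, so that the native VLAN mismatch between two ends can be shown and detected. Port names, MAC addresses and the payload are constructed.

```python
"""802.1Q tagging across a trunk and why a native VLAN mismatch misplaces frames."""
import struct
import zlib
from typing import Optional, Tuple

TPID_8021Q = 0x8100


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over destination MAC through the end of the payload."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame with FCS; when vid is given, insert the 4-byte 802.1Q tag after the source MAC."""
    if vid is None:
        tag = b""
    else:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1-4094")
        tag = struct.pack("!HH", TPID_8021Q, ((pcp & 0x7) << 13) | vid)  # TPID + TCI (PCP/DEI/VID)
    body = dst + src + tag + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Verify the FCS and return (VID or None when untagged, EtherType, payload)."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS check failed")
    ethertype = struct.unpack_from("!H", body, 12)[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack_from("!HH", body, 14)
        return tci & 0x0FFF, inner_type, body[18:]
    return None, ethertype, body[14:]


def retag(frame: bytes, vid: Optional[int]) -> bytes:
    """Tag, re-tag or untag a frame; the tag changes the bytes, so the switch recomputes the FCS."""
    _, ethertype, payload = parse_frame(frame)
    return build_frame(frame[:6], frame[6:12], ethertype, payload, vid)


class TrunkPort:
    def __init__(self, name: str, native_vlan: int = 1) -> None:
        self.name, self.native_vlan = name, native_vlan   # switchport trunk native vlan <id>

    def egress(self, frame: bytes, vlan: int) -> bytes:
        # Frames in the native VLAN leave untagged; every other VLAN is tagged.
        return retag(frame, None if vlan == self.native_vlan else vlan)

    def ingress(self, frame: bytes) -> int:
        # An untagged frame is assumed to belong to this side's own native VLAN.
        vid, _, _ = parse_frame(frame)
        return self.native_vlan if vid is None else vid


def vlan_after_crossing(sender: TrunkPort, receiver: TrunkPort, vlan: int) -> int:
    """VLAN a frame ends up in on the far side after crossing the trunk from `vlan`."""
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"constructed payload")
    return receiver.ingress(sender.egress(frame, vlan))


def native_mismatch(a: TrunkPort, b: TrunkPort) -> Optional[Tuple[int, int]]:
    """(a_native, b_native) when native-VLAN traffic changes VLAN in transit, else None."""
    if (vlan_after_crossing(a, b, a.native_vlan) != a.native_vlan
            or vlan_after_crossing(b, a, b.native_vlan) != b.native_vlan):
        return a.native_vlan, b.native_vlan
    return None
```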

Trunk Link Problems

There are certain elements that determine whether a trunk link is formed or not: the trunking mode, the encapsulation type, the VTP domain, and the hardware capabilities of the connected ports.

Trunks can be configured either statically or to autonegotiate with the use of Dynamic Trunking Protocol (DTP); for autonegotiation the switches must be in the same VTP domain. There are, however, certain other small things to take note of about the configuration of trunk links.

Through the use of the switchport command trunks can be autonegotiated. There are certain combinations of the command that will not set up a successful trunk, though; the command and some of the options available are:
switch(config-if)#switchport mode {dynamic auto | dynamic desirable | trunk | access}
We wish to configure a trunk link; the following combinations will not create a trunk.
switch1(config-if)#switchport mode dynamic auto
switch2(config-if)#switchport mode dynamic auto
This shows both interfaces in switchport mode dynamic auto and will not form a trunk.
switch1(config-if)#switchport mode dynamic desirable
switch2(config-if)#switchport mode access
This shows one interface in switchport mode dynamic desirable and the other in static access and will not form a trunk.
switch1(config-if)#switchport mode trunk
switch2(config-if)#switchport mode dynamic auto

This shows one interface in switchport mode trunk and the other in switchport mode dynamic auto. This config will not create a trunk because the interface set to trunk will not send DTP frames, and the auto interface will then fall back to being an access port.

This topic is something I can feel in my bones will come up in tests: you either have this topic down or don’t have a clue and guesstimate. I think I am going to try and know it because it’s easy enough to make a table and just learn; check out CCIE Pursuit for a table on the 3550/3560 routers and bitmindframes for more info on each DTP config state.

DTP Requirements

The reason a network administrator would deploy DTP is to automate the trunking process to a degree. To explain further: if a port can become a trunk (switch-to-switch; not supported on routers), it may also be able to trunk automatically, and in some cases even negotiate the type of trunk (ISL/802.1Q). This is where DTP comes in, negotiating the trunking method with the neighbour device.

There are, however, requirements for DTP, the main one being support for ISL or 802.1Q on both ends of the trunk (Switch A and Switch B must support, and be configured with, one or the other) so that DTP can do its job.

This can be expanded slightly to platforms that do not support ISL but do support 802.1Q trunking and DTP, like the Catalyst 4500/4000 (CatOS), which includes the 2948G/2980G/4912G, and the Catalyst 2950/2955/2940 series. On these, all trunking is simply done using 802.1Q.

Lastly, there are platforms where both ISL and 802.1Q are supported but DTP is not, like the Catalyst 2900XL/3500XL/2948G-L3/4908G-L3/4840G/8500 series.

Trunk Link Resolution

Trunk negotiation is managed by DTP, which is Cisco proprietary and a point-to-point protocol (see any problems with this yet?). When using DTP make sure that both ends of the link are in the same VTP domain, otherwise it won’t work. Secondly, because it is Cisco proprietary, certain network devices won’t support DTP, which could cause misconfiguration across brands (when configuring an interface that is connected to something non-Cisco, turn off DTP). Find some more information here that doesn’t assume you know something about DTP before jumping right in and also covers some other topics in the same post.

The correct way, then, to configure a port to either trunk or not is as follows. For access ports:

switch(config-if)#switchport mode access

For trunking without DTP:

switch(config-if)#switchport mode trunk
switch(config-if)#switchport mode nonegotiate

Then finally the encapsulation type on the trunk port, one of:

switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport trunk encapsulation isl

Keep in mind that dot1q is cross-vendor while ISL is, again, Cisco proprietary.

VTP Problems

Problem: Updates not received as expected
Possible causes:
  • The VTP domain name and password must match those of the server (case sensitive).
  • The VTP version must be compatible with the other switches in the domain.
  • Ensure that there is at least one server in the VTP domain.
  • Check that a trunk link exists to the VTP server.

Problem: Missing VLANs
Possible causes:
  • Upon initial configuration, the VTP server may have had a partial VLAN database, and it overwrote the existing, more complete, database on the existing switch.
  • VLANs were deleted individually at the VTP server, and those deletions were propagated through the domain.
  • Not all Cisco switches support extended VLANs.

Problem: Too many VLANs
Possible cause:
  • The VTP server has a VLAN list that is more complete than the list needed by other switches in the domain.

The VTP resolution and best practices are dealt with in a previous post.

Trunk and VLAN Specific

Sometimes it is necessary to carry only specific VLANs across trunk links. You will remember from the CCNA that by default all VLANs are allowed across a trunk link when it is created, unless specifically told otherwise. This means that VLAN 1 through x will traverse a trunk unless you, as admin, say otherwise. In some situations having all VLANs moving across trunks is not the desired situation.

As an example, if you have VLANs 1 through 10, assume 1, 3, 6 and 9 are actively used on Switch 1 and 2, 4, 6, 8 and 10 on Switch 2.

There are no “active” users for VLANs 2, 4, 6, 8 and 10 on Switch 1 and no active users for VLANs 1, 3, 6 and 9 on Switch 2, so why send these VLANs all over the place when this is wasteful? To change this situation one can use any one of these commands:

Switch(config-if)#switchport trunk allowed vlan remove/except/add x,x,x

Using remove 2,4,6,8,10, except 2,4,6,8,10 or add 1,3,6,9 will have the same end result of allowing only 1, 3, 6 and 9 across the trunk link.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

VLAN Ranges

Published by Deon Botha on April 10, 2008 in BCMSN, Certification, Cisco Systems, Concepts and Constructs and VLAN. 1 Comment

This topic is interlinked with VLANs, and as such an understanding of that topic is important. On a network each VLAN must have a unique VLAN ID (VID). The valid range depends on the trunking protocol used, and also on how VTP advertisements will ultimately be handled across the switches in the enterprise.

ISL supports VIDs from 1 to 1023
802.1Q supports VIDs from 1 to 2094

VLAN RANGE | RANGE USE | VTP PROPAGATED

0, 4095 | Reserved | -
  • System use only.

1 | Normal | Yes
  • Cisco default (Admin).
  • Can be used; cannot be modified or deleted.

2-1001 | Normal | Yes
  • VLANs can be used, created and deleted.

1002-1005 | Normal | Yes
  • Cisco defaults for FDDI and Token Ring.
  • Cannot be deleted.

1006-4096 | Extended | No
  • Ethernet only. Layer 3 ports and some software features require internal VLANs from this range.
  • A VLAN ID in this range cannot be used if it has already been allocated as an internal VLAN.
  • To display internal VLAN allocations: show vlan internal usage
  • Switches running CatOS do not support this feature.
  • Best practice: when using this range, begin at 4094 and work downwards.
