R&S Blog

Just another WordPress.com site

Archive for the month “February, 2012”


As the layer 2 network grows managing the vlan numbers and allowed list involves large administration overhead. The Vlan trunking protocol is a way to manage vlans across multiple switches to ensure all vlan’s are consistent.

VLAN Trunk Protocol used to dynamically advertise the addition,removal, deletion of Vlan properties by incrementing the revision number and then replicates those changes to other switches in the same VTP domain. This does not affect the actual vlan port assignment.

Negotiate Trunking allowed list VTP Pruning discussed later…

How it Works ?

VTP Mode
– Controls who can advertise new/modified information modes are…
• Server
• Client
• Transparent

VTP Revision Number
– Sequence number to ensure consistent databases
– Higher revision indicates newer database

VTP Server Mode
• Default mode
• Allows addition, deletion, and modification of VLAN information
• Changes on server overwrite the rest of the domain
• Configured as vtp mode server

VTP Client Mode
• Cannot add, remove, or modify VLAN information
• Listens for advertisements originated by a server, installs them, and passes them on
• Configured as vtp mode client

VTP Transparent Mode
• Keeps a separate VTP database from the rest of the domain
• Does not originate advertisements
• “Transparently” passes received advertisements through without installing them
• Needed for some applications like Private VLANs
• Configured as vtp mode transparent

VTP Security
• VTP susceptible to attacks or misconfiguration where VLANs are deleted
– Access ports in a VLAN that does not exist cannot forward traffic
• MD5 authentication prevents against attack
– vtp password [password]
• Does not prevent against misconfiguration
– VTP transparent mode recommendation

When does VLAN pruning occur

what triggers VLAN pruning? Specifically, will a switch only allow pruning of a VLAN from a trunk if it has no access ports configured for that VLAN? Or is it enough to have merely no active ports?

Consider a simple trunking scenario:


Switch 1 is the VTP server, and has propagated VLANs 10, 20, and 30 to switch 2. The interfaces to which hosts A and B attach are configured as access ports in VLAN 10, and an 802.1Q trunk is formed between the two switches. By examining the trunk status on either switch we can verify that VLANs 1 and 10 are being passed while the others are pruned in both directions.

S1# show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10

Switch 2:

S2# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10

When host B is disconnected, its interface on switch 2 becomes inactive. As switch 2 has no remaining active ports in VLAN 10, VLAN 10 becomes eligible for pruning. After roughly 30 seconds pass, we can see that switch 1 is now pruning VLAN 10 from the trunk (VLAN 10 is absent from the last line of the output):

S1# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1

The VLAN remains unpruned on switch 2’s end of the trunk, because it knows switch 1 still has at least one active port in VLAN 10:

S2# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10

Network Design and Planning

Hierarchical Network Design

Understanding traffic flow is an important step when designing a campus network, The network traffic then can be effectively moved and managed, and you can scale the campus network to support future needs. Ideally you network should be designed, so that the users resources are in the same building.

Traffic flows in a campus network can be classified as three types, based on where the network service or resource is located in relation to the end user. Table 12-2 lists these types, along with the extent of the campus network that is crossed going from any user to the service.

Table 12-2. Types of Network Services

Service Type Location of Service Extent of Traffic Flow
Local Same segment/VLAN as user Access layer only
Remote Different segment/VLAN as user Access to distribution layers
Enterprise Central to all campus users Access to distribution to core layers

Cisco have adopted a there layer hierarchical which makes the network easier to understand,troubleshoot and scale future changes, these are known as the building blocks

What are the building Blocks ?

– Access layer

– Distribution layer

– Core (backbone) layer

Access Layer

The access layer is were the end user connects to the network i.e. PC’s,Printers and IP Phones, the access access layer usually provide layer 2 VLAN’s between the users,sometimes called building access switches, should have the following capabilities:

  • QoS (marking, policing, etc.)
  • Scalable uplinks to higher layers
  • Security (802.1x, port security, DAI, etc.)
  • Multicast traffic management (IGMP Snooping)
  • Broadcast domain segmentation (VLANs)
  • Resiliency through multiple uplinks

Distribution Layer

The distribution-layer switches must be capable of processing the total volume of traffic from all the connected devices, the distribution layer usually is a Layer 3 boundary, where routing meets the VLANs of the access layer.

  • Multiple connections to upstream to Core and downstream to Access
  • Offers services such as
    – Gateway redundancy (HSRP/VRRP/GLBP)
    – Bandwidth aggregation (EtherChannel/802.3ad)
    – Load balancing
    – Topology summarization
  • High Layer 3 throughput for packet handling

Core Layer

A campus network’s core layer provides connectivity of all distribution-layer devices. The core, sometimes referred to as the backbone, must be capable of switching traffic as efficiently as possible. Core devices, sometimes called campus backbone switches, should have the following attributes:

  • Must be fast and reliable as all other blocks depend on it
  • Typically hardware accelerated Layer 3 Switches
  • Offers services such as
    – Wire speed forwarding
    – Fast convergence around a link or node failure
    – Efficient bandwidth utilization

Network Device Roles

To first understand how the different devices interact, we must understand what role different devices play in the network.

Hubs and Repeaters

  • Work at layer 1 of OSI mode
  • When a frame is received it is sent back out all ports– i.e. “multiport repeater”
  • Typically unintelligent and unmanaged
  • Does not inspect frame at all before forwarding
  • Accepts no user-defined configuration
  • Devices connected to a hub are in the same… Collision domain
    • i.e. Ethernet CSMA/CD Half-Duplex transmission Broadcast domain

Layer 2 Bridges & Switches

  • Work at layer 2 of OSI model can be managed or unmanaged
  • For Ethernet, “frames” are forwarded based on destination layer 2 MAC address
  •  “CAM” table used for decisions
  • Devices connected to a bridge/switch are… in the same broadcast domain but not in the same collision domain
  • Operates at Full-Duplex transmission

CAM Table Limitations

  • Switches use the MAC address (CAM) table to do destination based switching
  •  CAM table cannot be summarized like IP routing 50,000 hosts in the network, 50,000 MAC addresses per CAM per switch
  • When CAM is full, switch acts like a hub

Broadcast Domain Limitations

  • Devices in the same VLAN, or everyone in a flat network, are directly addressable via FFFF.FFFF.FFFF
  • Larger the broadcast domain, more likelihood of a “broadcast storm”
  • Limiting hosts per VLAN limits broadcast domain size
  • Usually one VLAN per /24 IP subnet is a good rule

Layer 3 Routers

  • Work at layer 3 of OSI model
  • “Packets” are forwarded based on destination layer 3 address
  • Rebuilds layer 2 frame header at every hop
  • All router links are in separate collision and broadcast domains

Switch Port Configuration

Port Duplex Mode

If a 10/100 or a 10/100/1000 port is assigned a speed of auto, both it speed and duplex mode will be negotiated.

If port is set to Auto and the other end is set to Full the port will be set to the default of Half Duplex due to duplex mismatch, a general rule of thumb make sure both ends have the same speed and duplex settings to avoid any duplex mismatch.

To configure:

Switch(Config-if)# duplex (Auto | Full | Half)

Switch(config)# interface gig 3/1 Switch(config-if)# speed auto Switch(config-if)# duplex auto Switch(config-if)# interface gig 3/2 Switch(config-if)# speed 100 Switch(config-if)# duplex full

Looking for Speed and Duplex Mismatches

The host was configured at 100 mb Full Duplex and  the switch was set to Auto, the negotiation process fails and sets the port to half duplex on the switch, to fix this issue either set the host port duplex setting to Auto or set the switchport to Full-Duplex

Switch# show interfaces fastethernet 1/0/13
FastEthernet1/0/13 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00d0.589c.3e8d (bia 00d0.589c.3e8d)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 2/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
 Auto-duplex (Half), Auto Speed (100), 100BASETX/FX  ARP type: ARPA, ARP
    Timeout 04:00:00
 Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 81000 bits/sec, 49 packets/sec
     500867 packets input, 89215950 bytes
     Received 12912 broadcasts, 374879 runts, 0 giants, 0 throttles
     374879 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

Managing Error Conditions On a Switch Port

By default a Catalyst switch detects an error for every possible cause, if an error condition is detected it put the port status into errdiable, you can tune this behaviour on a global level is that only certain causes trigger a port to be errdisabled.

Switch(config)# [no] errdisable detect cause [all | cause-name]

You can repeat this command to enable or disable more than on e cause

List of causes:

  • all— Detects every possible cause
  • arp-inspection— Detects errors with dynamic ARP inspection
  • bpduguard— Detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast
  • channel-misconfig— Detects an error with an EtherChannel bundle
  • dhcp-rate-limit— Detects an error with DHCP snooping
  • dtp-flap— Detects when trunking encapsulation is changing from one type to another
  • gbic-invalid— Detects the presence of an invalid GBIC or SFP module
  • ilpower— Detects an error with offering inline power
  • l2ptguard— Detects an error with Layer 2 Protocol Tunneling
  • link-flap— Detects when the port link state is “flapping” between the up and down states
  • loopback— Detects when an interface has been looped back
  • pagp-flap— Detects when an EtherChannel bundle’s ports no longer have consistent configurations
  • psecure-violation— Detects conditions that trigger port security configured on a port
  • rootguard— Detects when an STP BPDU is received from the root bridge on an unexpected port
  • security-violation— Detects errors related to port security
  • storm-control— Detects when a storm control threshold has been exceeded on a port
  • udld— Detects when a link is seen to be unidirectional (data passing in only one direction)
  • unicast-flood— Detects conditions that trigger unicast flood blocking on a port
  • vmps— Detects errors when assigning a port to a dynamic VLAN through VLAN membership policy server (VMPS)

Automatically Recover From Error Conditions

By default ports in the errdisbale state must be manually shutdown and re-enabled by using the no shut command under the interface, you can configure a port to automatically reenable a port, you first have to specify the errdisable cause:

Switch(config)# errdisable recovery cause [all | cause-name]

If any errdisable causes are configured for automatic recovery, the errdisabled port stays down for 300 seconds, by default. To change the recovery timer, use the following command in global configuration mode:

Switch(config)# errdisable recovery interval seconds

If the errdisbale cause is configured for automatic recovery it stay down for 300 sec

you could use the following commands to configure all switch ports to be reenabled automatically in 1 hour after a port security violation has been detected:

Switch(config)# errdisable recovery cause psecurity-violation
Switch(config)# errdisable recovery interval 3600

Looking for Port Sates

Switch# show interfaces fastethernet 1/0/1 FastEthernet1/0/1 is up, line protocol is up Hardware is Fast Ethernet, address is 0009.b7ee.9801 (bia 0009.b7ee.9801) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255

The first up tell us that the physical links is up, the 2nd up tells us that line protocol is up this relates to the layer 2 status

To quicky see a list of all states use the show interface status command, to see ports in the errdisable status use the show interface status status err-disabled

Spanning Tree Election

How does STP works?

Spanning Tree Protocol – A network protocol that ensures loop free topology. Switches send BPDUs to discover loops. BPDUs helps elect the core of the network switch which is root bridge.

1st step – Selects a root bridge –


  1. By selecting the Bridge ID (lowest is better)

Each bridge has a unique ID & configurable priority #

Value between 0 & 61440 (default is 32768)

Tie Breaker?

2.By selecting the MAC address (lowest is better)

The older the switch is, the lower its MAC address

2nd step

Selects Root port – Each bridge determines primary port facing root. This is per the lowest path cost to the root bridge.

Root port: used to reach the root bridge

3rd step

Selects Designated port – used to send and received packets on a specific segment

How? Port elects per lower path cost to the root bridge per segment.

Designated port: forwarding port, one per link


Block ports with loops – all non-root and non-designated ports are blocked. The switch with the highest MAC address will block its link.

able 3-2. Three Major 802.1d STP Process Steps

Major Step Description
Elect the root switch The switch with the lowest bridge ID wins; the standard bridge ID is 2-byte priority followed by a MAC address unique to that switch.
Determine each switch’s Root Port The one port on each switch with the least cost path back to the root.
Determine the Designated Port for each segment When multiple switches connect to the same segment, this is the switch that forwards the least cost Hello onto a segment.

How STP finds the Best Path

1st step: Elect the Root Bridge

2nd step: Switches find lowest cost path to root

Bandwidth STP Cost Value
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
622 Mbps 6
1 Gbps 4
10 Gbps 2


3rd step: What if the cost is tie? Bridge ID (priority + MAC address)

4th step: What if Bridge ID is tie? It will look for the lower port. Example: fa0/0 rather than fa0/1


We determined the root bridge and compute the port roles. (root, designated or blocked). The bridge sends BPDU to exchange information about the Bridge ID and root path costs.

A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00.

There are three types of BPDUs:

  • Configuration BPDU (CBPDU), used for Spanning Tree computation
  • Topology Change Notification (TCN) BPDU, used to announce changes in the network topology

Informs switches of any (up/down) port changes.

  • Topology Change Notification Acknowledgment (TCA)

BPDU’s are being sent every 2 seconds so that the switches can keep track of the network changes and to start and stop forwarding at ports.

STP switch port states

  • Blocking – A port that blocks a switching loop.
  • Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state.
  • Learning – While the port does not yet forward frames (packets)  it does learn source addresses from frames received and adds them to the filtering database (switching database)
  • Forwarding – A port receiving and sending data, normal operation. This happens when you connect a host or a server to a switch.

Types of STP

PVST (Per VLAN Spanning Tree) – A Network switches where multiple VLANs coexist. Run 1 instance per VLAN.

Adds VLAN inside the BPDU header (priority + MAC address). PVST (Priority + VLAN + MAC Address).

Pros: 1 Root Bridge per VLAN & Load balancing

Cons: Cisco proprietary – only works in ISL

Post Navigation