mutually exclusive
same
forward
privileged exec mode
about RP fails
L2 and local L3
but no neighbor
tell the neighbor
no need neighbor
physical
routing on the router
routing in the switch (L3)
one per LAN
one per switch
one per segment
how long it's still alive, not wait for time out
other side runs classic STP (not RSTP)
CCNP-ENCOR
layer2
layer3
Address Resolution Protocol (ARP)
broadcast type
unicast
broadcast
known
unknown
multicast
collision domains
switch is in the same broadcast domain (except configured vlan)
each connection between the router and router is one broadcast domain
broadcast domains
all the links with a hub are in the same collision domain
each link between switch and switch is one collision domain
aging-time
300 seconds as default
mac address-table aging-time 0
no mac address-table aging-time
reset as default
disable to permanent
MAC address table
learning
static
clearing
count
filtering output
show mac address-table learning
no mac address-table learning vlan 10,12-14
mac address-table static aaaa.aaaa.aaaa vlan 1 interface f0/1
mac address-table static d8bb.c1cc.ff76 vlan 1 drop
clear mac address-table dynamic
show mac address-table count
MAC address
48bits
hexadecimal
OUI
NIC
network interface card
organizationally unique identifier
operations
XOR
AND
compare
within a LAN
between networks (routing)
forwarding decisions (routing table)
configuring IPv4 address
verifying IPv4 address
directed broadcast
source IP
destination IP
same
0
different
1
compare
XOR result
subnet mask
both 1
1
other
0
send the packet directly to the destination host
sending host checks its ARP cache
yes
forwarding
no
send ARP request
all ff:ff...
reply is unicast
send the packet to the gateway (MAC address)
gateway check if within a LAN
yes
no
next hop
destination host MAC address
TTL
longest prefix length
AD (administrative distance)
Metric
determine which protocol wins each network
allows nested
in the same protocol
which path wins
RIB (routing info base)
FIB (forwarding info base)
internet protocol processing disabled
does not yet have an IP address
the same interface
show running-config interface g0/0
can have several secondary IP addresses
but only one primary IP address
show ip interface brief
only show the primary IP address
manual
configured but not save
NVRAM
be set as start-up config
copy running-config startup-config
unset
hasn't been configured
show ip interface g0/0
directed broadcast forwarding is disabled
send to the broadcast address of another subnet
routers will forward this packet as normal packet
when the router knows the subnet broadcast address, it will drop it as default
ip directed-broadcast
the last router will reply to it itself, using its IP address on the previous subnet
but not the IP address in the broadcast subnet
status
disable
enable
the last router
the destination router
anyone in the same destination broadcast subnet will reply
show ip protocols
check path
on host
traceroute A.B.C.D
on router
show ip route A.B.C.D
different functionality
intro of ARP
message format
process
proxy ARP
gratuitous ARP
commands
layer3
end-to-end addressing
from the source host to the destination host
layer2
hop-to-hop addressing
within each network segment
deals with directly connected devices
deals with indirectly (and directly) connected devices
layer3 packet is destined for the end host, and layer2 addressing is used to
pass the packet to the next hop in the path to the end host
bridge between L2 and L3
map a known L3 address to an unknown L2 address
originally defined in RFC826
designed for Ethernet, but can be used with a variety of address types
sender will use ARP to learn the MAC of the next hop
(not necessarily Dst. IP of the packet)
information is stored in a cache, doesn't have to be done for every single packet
encapsulated directly within an Ethernet header/trailer
no IP header
octet offset
(28 bytes)
hardware type (HTYPE)
value 1 indicates Ethernet
protocol type (PTYPE)
0x0800 (hex) indicates IPv4
hardware address length (HLEN)
value of 6 for MAC address
protocol address length (PLEN)
value of 4 for IPv4 address
operation (OPER)
1 for ARP request
2 for ARP reply
sender hardware address (SHA)
L2 address of the sender
sender protocol address (SPA)
L3 address of the sender
target hardware address (THA)
L2 address of the intended receiver
target protocol address (TPA)
L3 address of the intended receiver
check ARP cache for an entry matching the ARP Dst. Host's IP
there is, no need
no entry, create an incomplete entry
generate a broadcast ARP request message
Dst. Host receives the request and updates its ARP cache (the sender's)
Dst. Host generates and sends ARP reply message (unicast)
update the ARP cache with the Dst. Host's IP address; the incomplete entry will now be complete
prefix 0x means hexadecimal
ARP table (IOS)
protocol
internet means L3 protocol address
age time
4 hours/14400 seconds as default
plus a random jitter
type
ARPA = Ethernet II
interface
static ARP table entry is added for the router's own IP/MAC
originally defined in RFC 1027
allows a device (usually a router) to respond to ARP requests for IPs that are not its own
modern use cases
end hosts with incorrect subnet masks
directly connected static routes
NAT
enable globally and on each router interface by default (in Cisco IOS)
avoid the ARP storm
ARP reply (operation code 2)
message sent without receiving an ARP request
reasons
announcing when an interface is enabled
announcing a change in MAC address
failover between redundant devices (FHRP)
serves the purpose of updating switches' MAC address tables and hosts' ARP tables
Cisco IOS devices will refresh an existing ARP table entry
will not create a new one
when the time reaches 0
unicast
try twice to refresh
and the third one (last one)
one minute apart
debug arp
show arp
show ip arp
show arp ip-address detail
clear arp
#
(config)#
[no] ip arp proxy disable
arp ip-address mac-address arpa
(config-if)#
[no] ip proxy-arp
[no] ip local-proxy-arp
arp timeout seconds
maximum transmission unit (MTU)
when adding a static ARP entry, the router won't send an ARP request until it needs to use it
static route
recursive static route
has the next hop
directly-connected static route
doesn't have the next hop
exchange the ARP immediately
sends the ARP request only when it needs the entry
Ethernet MTU (interface MTU)
only the layer2 payload
IP MTU
exceed the MTU will be dropped
no L2 header/trailer
1500 as default
IP packet
size
1500
default
1500 < 1600
baby giant
1600 < 9000
jumbo frames
pros and cons
larger
increase network efficiency
smaller
increase delay between packets
the data-to-header ratio is increased
each individual packet takes more time to send
increase impact of network errors
greater chance of a corrupt bit in each packet
<1500
runt
opposite
layer2 doesn't offer fragmentation capabilities
9000 <
super jumbo frames
+4 bytes for 802.1q tag
exceed the MTU will be fragmented
DF-bit
set
dropped
not set
fragmented
only applies to layer3 ports
layer2 ports are not L3-aware
flags
bit 0
reserved (always 0)
bit 1
DF-bit (don't fragment)
bit 2
MF-bit (more fragments)
can't be greater than ethernet MTU
will be automatically increased to match the ethernet MTU if it is changed
IPv6 MTU
separate value from the IP MTU (but the functions are the same)
doesn't have any fields that provide fragmentation, but can use extension
headers for additional features such as fragmentation
types
system MTU
system Jumbo MTU
system Alternate MTU
routing MTU
interface MTU is priority
GRE tunnel
GRE header (24 bytes)
GRE MTU is 1476 (1500-24) automatic
IP 20
GRE 4
exceed will be fragmented
path MTU discovery
PMTUD allows a device to dynamically discover the lowest MTU value in the path
enabled by default
avoid fragmentation of IP packets
process
set the DF-bit on outgoing IP packets
send an ICMP message
reduce the MTU and re-send
receive the result
repeated until the packet is able to reach the destination without fragmentation
commands
#
ping
ping ip-address [size bytes] [df-bit]
(config-if)#
mtu bytes
ip mtu bytes
ipv6 mtu bytes
show system mtu
(config)#
system mtu bytes
system mtu jumbo bytes
system mtu routing bytes
show ip traffic interface g0/0
TCP MSS
TCP Header
3-way handshake
MSS
path MTU discovery
MSS adjustment
20 default
40 optional
4 port
source
destination
4 sequence number
4 ACK
4
include flag
NS
CWR
ECE
ACK
SYN
FIN
……
4 checksum
window size
SYN
SYN, ACK
ACK
default
536
IPv4
1220
IPv6
datagram size
including IP + TCP headers
576
1280
IPv4
IPv6
conform to the lower MSS value
common MSS value is 1460
might block ICMP traffic
fragment needed
affect the SYN packet
commands
(config)#
(config-if)#
#
ip tcp mss bytes
ip tcp adjust-mss bytes
debug ip tcp adjust-mss
debug ip tcp transactions
show tcp
data offset
reserved
Cisco Express Forwarding (CEF)
Forwarding
router types
software-based
hardware-based
hybrid
process switching
routing lookup using the CPU for every packet
fast switching
CEF (Cisco express forwarding)
layer2
exact match the MAC
layer3
partial match
frames are forwarded as-is
no need to change src/dest MAC
more easily implemented in hardware
ASICs
CAM
no need to consult the CPU
much faster
routers need to
decrement the TTL
recompute the IP header
change the src/dest MAC
recompute FCS
done by CPU
hardware
ASICs
TCAM
ternary content-addressable memory
0, 1, X (meaning "anything" or "don't care")
control and data planes are shared
not separate components of the device
general-purpose CPU is responsible for all operations
slow and smart
control and data planes are separate
CPU handles the control plane
ASICs are purpose-made for forwarding packets
fast and dumb
CPU only handles packets that the ASIC can't
middle-ground solution
CPU handles the control plane
NP (network processor) forwards packets
CPU only handles packets that the NP can't
switching refers to layer 3 forwarding, not layer 2
IP Input process is responsible for forwarding packets
slower than CEF
as a fallback
CPU performs a lookup in routing table and ARP table
cache in memory
first packet to a destination is process-switched
next-hop info is stored in the cache
not used today
allows packets to be switched entirely in the data plane
no need for routing/ARP table lookups
punted to be handled by the IP Input process
packets destined for the router itself
ACL logging
packets without a layer 2 adjacency
packets too complex for hardware to handle (with IP options)
capable of handling lots of features
QoS
ACLs
NAT
IPSec
GRE
FIB
next-hop
adjacency
Prefix
interface
0.0.0.0/0 no route (no default)
drop
receive
attached
the other side of the router
IP address / CIDR
info base
method
per-destination
per-packet
info base
protocol
interface
address
Dst + Src + Type
contains layer 2 next-hop info
pre-builds the ethernet header
commands
#
(config-if)#
show process cpu
show ip cef
show ip cef detail
clear cef table ipv4
show adjacency
show adjacency detail
ip load-sharing per-packet
Distributed CEF (dCEF)
server racks
1 unit
1.75''
chassis router
backplane
switch fabric
hardware
line cards
route switch processor (RSP)
so called supervisor cards
control plane functions
packet switching decisions
switch fabric
management interfaces, console ports
route processor (RP) cards
fabric control (FC) cards
field replaceable units (FRUs)
backplane components are not FRUs
fabric interface chip (FIC)
centralized CEF
CEF is in the router processor
distributed CEF
CEF is in the line card
switch stacking
Virtual Switching System (VSS)
StackWise
StackWise Virtual
tech
combine multiple physical switches into one logical switch
Multi-chassis EtherChannel (MEC)
Multi-chassis Link Aggregation Group (MLAG or MC-LAG)
interface numbering
switch/slot/interface
only two switches
Catalyst 4500/6500/6800
connected via the VSL (virtual switch link)
can use fiber-optic cabling
VSS control
Data
VSLP (virtual switch link protocol)
establish and maintain the VSL/VSS
component protocols
LMP (link management protocol)
RRP (role resolution protocol)
verifies link integrity
exchanges switch IDs
exchanges other required info
determines if the hardware and software versions are compatible
determines the ACTIVE switch and STANDBY switch
modes
RPR (route-processor redundancy)
NSF/SSO (nonstop forwarding/stateful switchover)
data plane: standby
data plane: active
up to 8 (or 9)
3750/3850, 9200/9300 series
using special stack ports
stack cables
do not support long distances
0.5m
1m
3m
ring topology
fails = half speed
initialization
SDP (stack discovery protocol) broadcast messages to discover the topology
after discovered, determine the switch number
elect ACTIVE
automatically
manually changed
2 mins election window
highest priority
default
highest
1
15
lowest MAC
after the election
elect standby
same way
other switches will be members
active in forwarding but not ready to take over
new switches will become members
two or more switches
Catalyst 9400/9500/9600 series
connected via the SVL (stackwise virtual link)
initialization
can use fiber-optic cabling
stackwise virtual control
data
frames
SVH/L2/L3/L4/DATA/CRC
SVL enabled
protocols
LMP (link management protocol)
SDP (stackwise discovery protocol)
verifies link integrity
sends hello message to maintain SVL
exchange other required info
determines if the hardware and software versions are compatible
determines the ACTIVE switch and STANDBY switch
SSO (stateful switchover)
SSO
NSF (Non-stop forwarding)
GR (graceful restart)
NSR (Non-stop routing)
pre-SSO
HSA (high system availability)
standby RP will reboot the router and take over as ACTIVE
cold restart
RPR (route processor redundancy)
standby RP is partially initialized, IOS image is booted (cold boot)
startup-config is synced
changes are not synced
L2 and L3 protocols are not initialized on standby
standby RP reads startup-config, reloads line cards, restarts system
2~4 mins
RPR+
config changes are synced
no need to reload and reinitialize the standby RP and line cards
L2 and L3 protocols are not initialized on standby
30~60 sec
SSO
fully boots and initializes the standby RP
standby RP boot and perform bulk synchronization from ACTIVE
after booting
incremental synchronization syncs any changes
running-config
interface states
L2 protocols are initialized on standby RP, states preserved
L2 forwarding is maintained, no traffic loss
L4 forwarding is interrupted
allow line cards to forward packets at L3
enable by default if SSO is enable, can not be configured
FIB is transferred to standby RP
checkpointing of FIB
routing protocol adjacencies are interrupted
local device can forward packets
neighboring devices will drop this device
L3 traffic flow is interrupted
does not require cooperation with neighbor
allows peers to maintain
maintains L3
keep sending packets
length of time is called grace period
requires communication and cooperation with neighbor
GR-capable and GR-aware
maintain neighbor adjacencies
doesn't require cooperation
checkpointing FIB and routing protocol states info
unaware
HSRP
two physical devices are linked
can handle if one device's RP are all failed
switching database manager (SDM)
internet control message protocol (ICMP)
traceroute
debug
VLAN
templates
configuring and verifying
allocate the TCAM resources for different purposes
L2
MAC address
L2 + L3
balance of MAC and L3 routes
ACLs, NAT, QoS
info
C9300
access
NAT
C9600
core
NAT
distribution
C3750
access
default
routing
VLAN
change will affect when reload
no need to save in running-config
if full, flood and use CPU
SDM use the stack master's template
some commands depend on the template
commands
#
show sdm prefer
(config)#
sdm prefer template-name
show platform tcam utilization
info
types
ICMPv6
error
query
destination unreachable
redirect
time exceeded
echo request
echo reply
IP devices MUST support ICMP
ICMP messages are encapsulated in IP packets with a protocol number of 1
used by
send error
make routing suggestions
other functions
type
indicates the type of ICMP
code
additional info (why)
checksum
check for errors in the ICMP header and encapsulated data
rest of header
4 bytes
error: IP header + first 8 bytes of the IP payload
echo
request
reply
type
3
code
0
1
2
3
4
13
dest network unreachable
dest host unreachable
dest protocol unreachable
dest port unreachable
fragmentation needed and DF-bit set
communication administratively prohibited
type
5
code
0
redirect for network
1
2
3
for host
for ToS and network
for ToS and host
IP address = should be sent to (instead of this router)
will send the first packet
type
11
code
0
1
TTL exceeded in transit
fragment reassembly time exceeded
TTL
before forwards, decrements by 1
after, if itself, receive
or drop and send ICMP
type
8
type
0
code
0
code
0
identifier
used by a device to keep track of pings it sends
incremented by 1 for each series
reply use the same
sequence
start with 0
pair request and reply
payload
a string of ASCII
reply = request
can be sent with no payload
size
28 bytes
IP header
ICMP header
20
8
can be interpreted
BE (big endian)
LE (little endian)
0x0002 (0d2)
0x0200 (0d512)
IPv6
NDP (neighbor discovery protocol)
uses a protocol number of 58 in the next header field of the IPv6 header
start with 0
how it works
in windows
in cisco ios
limitation
to trace the path from source to destination
if unreachable, how far
TTL from 1 and +1
in linux
hostname + IP address + RTT (round-trip time) x3
tracert
ICMP request (ping)
final dest will send echo reply
UDP segments
dest port starts with 33434 then +1
3 segments per TTL
final dest will send destination unreachable (code 3 = port unreachable)
traceroute with options
numeric
load-balance traffic
IP LOAD-SHARING PER-PACKET
info
conditional
OSPF
ip packet
generate Syslog messages
wherever debugging (level 7) logging is enabled
show logging
if via VTY (SSH), need to use terminal monitor command to view
commands
#
show debug
show logging
debug adjacency
clear adjacency
with caution
before, look at CPU load
overloaded
prioritize console output ahead of others
are sent to the console line by default
always disable when done
undebug all
no debug all
OR not AND
can't be removed using undebug
undebug condition all
no debug condition all
MTU leads DOWN
doesn't match
can show src and dest
don't show if CEF handles
ACL
just show matched not deny
debug ip packet detail 101 (ACL number)
debug ip ospf adj
overview
creating
shutdown and suspend
internal VLANs
access and trunk
inter-VLAN routing
segment a LAN into multiple virtual LANs (broadcast domains)
layer 2
stretched VLANs
local VLANs
same name and ID, but apples and oranges
multiple subnets per VLAN
SVI
secondary IP on the VLAN's SVI
ROAS
secondary IP on sub-interface for the VLAN
affect only after end or create a new vlan
shutdown
suspend
stops layer 3, but layer 2 still works
stops layer 3 and layer 2, within the same VTP domain
still in the VLAN database
act/lshut (local shut)
no switchport
layer 3 route port
vlan internal allocation policy {ascending | descending}
ascending
1006
descending
4094
show vlan internal usage
access VLAN
untagged ports
voice VLAN
tagged
trunk
tagged
server running VMs
switchport mode access
switchport access vlan ID
commands
802.1Q
layer 2
separate connection per VLAN to a router
router-on-a-stick (trunk connection between two devices)
switch virtual interfaces (SVIs)
approaches
Dynamic Trunking Protocol (DTP)
purpose
negotiation
frames
operational mode
operational trunking encapsulation
commands
allows Cisco switches to automatically determine the mode and encapsulation
the operational mode is determined before the encapsulation
if the mode is manual
the trunking encapsulation must be manual
trunk
access
dynamic desirable
dynamic auto
not actively set trunk
negotiate
802.1Q
ISL
ISL
manually configuring a trunk mode
doesn't disable DTP on the interface
will disable DTP
based on DTP is on
IEEE 802.3 ethernet
destination
multicast
length
logical-link control (LLC Header)
SNAP extension
contents of the DTP message
version
unit
TLV (type-length-value)
type
length
value
domain
type: domain (0x0001)
length: 9
domain: ccnp
trunk status
type: trunk status (0x0002)
length: 5
value: trunk/desirable (0x83)
...
INFO on interface
TOS/TAS/TNS
TOT/TAT/TNT
TO and TN should be the same
trunk operation status
trunk administrative status
trunk negotiation status
trunk operation type
trunk administrative type
trunk negotiation type
#
show dtp interface
VLAN trunking protocol (VTP)
overview
modes
authentication
version comparison
messages
pruning
enables switches to synchronize their VLAN database with other switches
in a VTP domain
adding
deleting
naming and renaming
NOT assigning access ports to vlans
allowing vlans on trunks
NULL (no domain)
won't send VTP advertisements
adopt
default
version = v1
can move to v2 when receives a VTP advertisement
will not move to V3 unless configure manually
revision number
in the same VTP domain
changing the VTP version can increase the revision number
only sent over trunk links
version
v1 and v2
support normal-range
1 - 1005
v3
support normal and extended range
1006 - 4094
exception
some devices
extended-range in v3
or in V1 and V2 but only locally
server
client
transparent
off
Spanning Tree Protocol (STP) Algorithm
function
STP states and timers
default
create, delete, rename, modify the VTP version for the domain (v1/v2)
version 3
only the primary server can modify VLANs
others are secondary servers
command
vtp primary
cannot create, delete, rename, modify the version
if the switch can locally create extended-range VLANs in v1/v2,
it can do so in client mode (in v1/v2)
won't propagate the VLANs using VTP
will transmit and receive VTP ad, and sync its VLAN database
locally create, delete, modify VLANs
won't participate in VTP
not sync
will forward VTP ad
the same domain
or NULL (forward everything)
VTPv3
different drop
VTP is disabled
locally create, delete, modify VLANs
won't participate in VTP
won't forward VTP ad
if the switch supports VTPv3, can be configured as OFF mode even using v1 or v2
vtp password
sync only with the matched password
transparent will forward VTP ad even if the password is different
v3
parameter
hidden
secret
v1 and v2 are very similar
v3 added new features
enhanced authentication
hidden
secret
extended-range VLAN support
propagate
private VLAN support
multiple spanning tree protocol support
primary/secondary servers
only one primary server in the domain can configure
primary status is lost if
device reloads
parameters changed (version)
password is configured
solves the problem of a new switch connected
all sent to multicast MAC 0100.0ccc.cccc
types
summary advertisement
inform other switches of domain name and revision number
once every five minutes
also sent when VLAN database is changed
subset advertisement
contains VLAN info (database)
depending on the number of vlans
multiple subset advertisements might be needed
sent when VLAN database is changed (along with the summary ad)
advertisement request
situation
switch reset
domain change
switch received a summary advertisement with a higher version number
when it receives an advertisement request, it will reply with a summary ad and one or more subset ads
automatically removes VLANs from trunk ports
it prevents frames from being flooded in a direction where there are no hosts to receive the frame
disable by default
enable command
(config)# vtp pruning
only need to enable pruning on one VTP server in the domain
manual pruning is the process of manually configuring the allowed VLANs on a trunk port
commands
#
(config)#
(config-if)#
show vtp status
show vtp devices
show vtp password
vtp primary
vtp domain
vtp version
vtp mode
vtp password Secret [hidden | secret]
vtp pruning
vtp
need
algorithm
root bridge election
root port selection
designated port selection
STP topology changes
STP tuning
redundant connections
BUM traffic
broadcast
unknown unicast
multicast frames
loops
without an IP header, the Ethernet header has no field to prevent a message from looping indefinitely
lowest BID
lowest root cost
lowest neighbor BID
lowest neighbor port ID
lowest local port ID
port on switch with lowest root cost
port on switch with lowest BID
lowest local port ID
orientate to root
orientate to leaf
bridge protocol data unit (BPDU)
root bridge generates new BPDUs
after booting up, each switch believes it is the root bridge
bridge priority (16 bits)
MAC address (48 bits)
priority
VLAN ID
32768
1
10 Mbps = 100
100 Mbps = 19
1 Gbps = 4
10 Gbps = 2
cost
config
speed
affect the physical
bandwidth
affect STP but not physical
spanning-tree vlan <id> cost <value>
set the cost directly
states
blocking
listening
learning
forwarding
(disabled)
timers
hello timer
forward delay timer
max age timer
15 sec per state
total 30 sec
20 sec - hop
govern STP state transitions
stable
transitional
transitional
stable
non-designated
root and designated
not active in STP
do not
receive/forward/flood regular frames
forward STP BPDUs
learn MAC
do
process received STP BPDUs
do not
do
receive/forward/flood regular frames
learn MAC
forward STP BPDUs (designated)
process received STP BPDUs
do not
do
receive/forward/flood regular frames
learn MAC
process received STP BPDUs
do
receive/forward/flood regular frames
learn MAC
forward STP BPDUs (designated)
process received STP BPDUs
forward STP BPDUs (designated)
every 2 sec
port enable initially
notifying the root bridge
notifying the rest of the LAN
flushing MAC address
STP reconvergence
TCN (topology change notification)
TCA (topology change acknowledgment)
topology change's trigger
any port transitions to the forwarding state
from learning or forwarding state transitions to the blocking or disabled state
from the changed switch out of its root port to root bridge
respond to the TCN sender
other switch will forward it to root bridge
root bridge will respond TCA and TC flag
TCN will be sent once every hello interval until it receives a TCA
BPDU type
configuration
TCN
TC flag (topology change)
from root bridge to LAN
duration 35 sec
when receives a configuration BPDU with TC bit set
shortens the MAC aging timer to forward delay (15 sec)
don't communicate within 15 sec will be flushed
with communicate will be maintained
three examples
bridge priority
port cost
port priority
STP algorithm
root bridge election (one per LAN)
lowest BID
root port selection (one per switch)
lowest root cost
lowest neighbor BID
lowest neighbor root port ID
lowest local port ID
designated port selection (one per segment)
port on switch with lowest root cost
port on switch with lowest BID
lowest local port ID
bridge ID
bridge priority (16 bits)
MAC address (48 bits)
minimum increment is 4096
fixed
two ways
spanning-tree vlan <vlan-id> root {primary|secondary}
spanning-tree vlan <vlan-id> priority <priority>
not recommended
primary
set priority to 24576 or 4096 lower than the current root bridge
exclude the vlan ID
won't update
secondary
set priority to 28672
won't set to 0
prior than interface
ON THE SWITCH: the switch's port with the lowest ROOT COST becomes its ROOT PORT
ON THE LINK: the port on the switch with the lowest root cost will become the designated port
two ways
(config-if)# spanning-tree cost <cost>
affects all vlans
(config-if)# spanning-tree vlan <vlan-id> cost <cost>
affects only the specified vlans
plays a role in both root port and designated port selection
G0/0 = 128.1
G0/1 = 128.2
G0/2 = 128.3
STP uplinkFast & backboneFast
STP portFast & BPDU Guard
STP root guard & loop guard
Rapid STP
sync process
topology changes
MSTP (multiple)
MSTP & PVST+
MSTP & VTP
uplinkFast
backboneFast
recovery from direct link failures
recovery from indirect link failures
allows the switch to transition a non-designated
from blocking
to forwarding
after root port failure
switch has at least one non-designated port
command
(config)#
spanning-tree uplinkfast
an indirect link failure is a failure
skip the
max age timer
put non-designated port into listening after receiving inferior BPDU from a neighbor
command
(config)#
spanning-tree backbonefast
process
after receiving an inferior BPDU
send a Root Link Query (RLQ) Request out of its root port
to check if the switch it thinks is the root bridge
root bridge confirms by sending an RLQ response
after receiving the RLQ response, puts the port in the listening state, bypassing the
max age timer
access layer
uplinkfast
backbonefast
distribution layer
backbonefast
portFast
immediate transition to the forwarding state
BPDU Guard/ Filter
control how the switch reacts to BPDUs on portfast ports
non-switch devices
ways to configure
bypass the listening and learning states
per-port
globally
only access ports
unless virtual switch includes vlans (trunk)
commands
(config-if)#
spanning-tree portfast
(config)#
spanning-tree portfast default
spanning-tree portfast disable
spanning-tree portfast network
spanning-tree portfast (edge) trunk
does not disable STP on the port
still sends BPDUs out of the port
if receives a BPDU, will disable and operate like a regular STP port
end hosts
routers
don't send BPDUs
protect unauthorized switches being connected
continue to send BPDUs
if receives a BPDU
enters the error-disabled state
effectively shutting down the port
ways to config
per-port
globally
commands
spanning-tree portfast edge bpduguard default
(config-if)#
spanning-tree bpduguard enable
(config)#
when enable, only be activated on portfast-enabled ports
show errdisable detect
no errdisable detect cause
doesn't work for all causes
can't be disabled for BPDU guard
recover in two ways
manually
automatically
errdisable recovery
shutdown
no shutdown
Guard
Filter
blocks ports from sending BPDUs
ways to config
per-port
globally
if receives BPDUs
ignore and disabling STP
if receives BPDUs
disable filter
operates as a normal STP port
won't send BPDUs
won't send BPDUs
useful for disabling STP and saving bandwidth
commands
(config-if)#
spanning-tree bpdufilter enable
(config)#
spanning-tree portfast bpdufilter default
root guard
loop guard
prevent switches from accepting a new root bridge on specific ports
maneuver
between service provider and customer
if receives a superior BPDU, will enter the "root-inconsistent" state
will unblock after ceasing to receive the superior BPDUs
should be used
ports connecting to switches out of control
on distribution layer switches, to prevent an access layer switch from becoming root
on non-designated ports
prevent non-designated becoming designated
link failure
software malfunctions
commands
commands
(config-if)#
spanning-tree guard loop
(config)#
spanning-tree loopguard default
(config-if)#
spanning-tree guard root
no global config mode
if doesn't receive BPDU, will enter the "loop-inconsistent" state
port costs
RSTP port states
RSTP port roles
RSTP link types
same
fundamentals
elect one root bridge
non-root switch selects one root port
one designated port is selected for each link (collision domain)
remaining ports are non-designated (RSTP)
alternate
backup
tuning process
bridge priority
port cost
port priority
optional features
uplinkFast
backboneFast
incorporated
portFast
BPDU guard/Filter
root/loop guard
differences
port costs
port states
port roles
state transitions
topology changes
algorithm decides it will be
mechanism succeeds
from discarding to forwarding
mechanism fails
15 sec in discarding and 15 sec in learning
then forwarding
a designated or root port
an alternate or backup port
remains in discarding
alternate
backup
ready to take over and be the root port
up stream
ready to take over and be the designated port
down stream
P2P
shared
edge
full duplex
half duplex
P2P/edge
shared/edge
classic STP convergence
30 sec
rapid STP convergence
sub-second
when the sync process fails
start in discarding state
proposal BPDU
proposal bit will be set in the BPDUs each switch sends out
agreement BPDU
sync only works on ports with P2P link type
shared link can't sync
if one side runs classic STP, then RSTP will operate like STP on that port
one step process
the switch that experienced the topology change sets the topology change (TC) bit on the BPDUs
it sends; other switches propagate the TC info throughout the LAN
trigger
any non-edge port transitions to the forwarding state
process
flushes all MAC address entries learned on non-edge ports
sets the TC flag on BPDUs it sends for the duration of the TCWhile timer (hello time*2 = 4 sec)
sends BPDUs with TC flag out of its
root port
doesn't send TC BPDUs out of edge ports
others receive a BPDU with the TC flag will flush all MAC address
set the TC flag on BPDUs and sends it for 4 sec
won't send the TC flag BPDU to the port which receives the TC flag BPDU
map multiple VLANs to a single spanning tree instance
uses RSTP's underlying mechanics
all vlans are assigned to MST instance 0
MSTI0 is called Internal Spanning Tree (IST)
can't be disabled
recommended to not use for active VLANs
always use long path cost
commands
#
show spanning-tree mst
(config)#
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
spanning-tree mst configuration
(config-mst)#
instance 1 vlan 1-50
instance 2 vlan 51-100
end
show spanning-tree mst configuration
basics
regions
MCID (MST configuration identifier)
connecting MST regions
IST (internal spanning tree)
CST (common spanning tree)
CIST (common and internal spanning tree)
same MCID are in the same MST region
appear as a single switch to "outside world"
a special MST instance runs in each MST region
the only instance sends and receives BPDUs
between MST regions and non-MSTP switches
combination of ISTs from all MST regions and the CST
four parts
configuration identifier format selector
fixed 0
configuration name
region name
configuration revision
two byte number can be incremented
configuration digest
a hash calculated from the switch's VLAN-to-MSTI mapping table
boundary port
CIST root
CIST regional root
which has the boundary ports
lowest external root path cost
between regions to reach the CIST root
only one active path to reach each other region
master port
root port
PVST simulation
CIST root in an MST region
CIST root in the PVST+ domain