Cisco CCNP
Welcome To Your BCMSN Video Boot Camp!
Topics:
LAN Switching Basics
Virtual LANs (VLANs)
VLAN Trunking Protocol (VTP)
Spanning Tree Protocol (STP)
Advanced Spanning Tree Protocol Features
Etherchannels
Securing Switches
Multilayer Switching
IP Telephony & Cisco IP Phones
Wireless Networking
Network Design and Models
Queueing (Bonus Video)
Train Signal, Inc., 2002-2007
Your Instructor:
LAN Switching Basics
Ethernet
Good old "basic" Ethernet is based on IEEE 802.3, and offers
a bandwidth of 10 MB to end users. The more users there are
on an Ethernet segment, the higher the chance of collisions,
which render signals sent by the hosts to an unusable
state. When the hosts are connected to their own individual
switch ports, they will each get a dedicated 10 MB and the
chance of collisions is eliminated. Each port on a switch is its
own collision domain.
Ethernet uses UTP cabling (Unshielded Twisted Pair), and
this cable type has a length limit of 100 meters. Referring to
the Cisco three-layer networking model, Ethernet is generally
going to be found at the access layer, connecting end users to
the network.
Fast Ethernet Part 1
Fast Ethernet is defined in IEEE 802.3u, and operates at 100
MB. FE can use UTP or fiber-optic wiring. When full-duplex
FE is in operation, the effective bandwidth is 200 MBPS, since
FE ports can send and receive at the same time.
You'll see "10/100" ports on many switches. This means that
the port will work with an Ethernet or Fast Ethernet
connection, and the port speed can be negotiated between
the switch and the connected device. To allow this
negotiation, both end devices should be set for "auto", short
for autonegotiation. And as you know, if you're connecting a
server, router, or workstation to a switch, you'll need a
straight-through cable.
Fast Ethernet Part 2
Fast Ethernet ports can also be used to create a Fast
EtherChannel. An Etherchannel, or EC, is a logical bundling
of physical connections between switches. A Fast EC can
bundle up to eight physical connections, resulting in
throughput of up to 1600 MBPS!
As with Ethernet, Fast Ethernet connections can connect end
users to the access-layer switches. FE ports can also be
used to form a trunk between the access and distribution-layer switches, but hopefully we've got some Gigabit Ethernet
ports to handle that.
Gigabit Ethernet
The next logical step is Gigabit Ethernet, often referred to as
"Gig Ethernet". Gig Ethernet will support speeds up to 1000
MBPS, or 1 Gigabit Per Second (GBPS).
The cabling you use with your Gig Ethernet ports is going to
vary widely. The necessary cable is determined by the
Gigabit Ethernet standard in use on your particular
switch. Some of the more common cable types to use with
Gigabit Ethernet are Shielded Twisted-Pair (STP), Multimode
Fiber (MMF) cable with either a 50- or 62.5 micron core, and
Single-Mode Fiber (SMF) with an 8-, 9-, or 50-micron core.
Make sure to check your switch's documentation before you
start buying cables!
10 Gigabit Ethernet
Long Range Ethernet
No, LRE isn't faster than 10 Gig Ethernet! LRE
can use preexisting wiring to provide Ethernet
service to a building that might not otherwise
have it. The preexisting wiring is usually going
to be the phone wires. The available speed is
dependent on the cable length - the longer the
wire, the less bandwidth that's available.
A Quick Cable Review
To connect your PC to the console port of a switch, you must
have a rollover cable. Check your PC in advance to make
sure you don't need an adapter for the rollover cable. Many
laptops no longer have a DB9 port.
To connect a router, PC, or server to a switch, you'll need a
straight-through cable. If the router has an AUI port, you'll
also need a transceiver for the router. The transceiver
connects to the router and the cable connects to the
transceiver.
To connect two switches, you'll need a crossover cable.
What's A "Geebic"?
MAC Table
A switch uses Layer 2 addresses, more commonly referred to
as MAC addresses, to forward or filter frames as
needed. When a switch is first powered on, its MAC address
table is empty. While a MAC table can be populated with
static MAC entries, it's more efficient to have the switch learn
the addresses dynamically. The switch does this by
examining the source MAC address before deciding how to
get the frame to the destination MAC address.
When a switch examines the source MAC of a frame, the
switch checks its MAC table to see if there's an entry for that
address. If not, the switch adds that address to its MAC table
along with the port used to reach that address.
Destination MAC Part 1
The switch will then check its MAC table for the
destination MAC. There are four possibilities for that
destination MAC:
The destination MAC is a unicast and there is no entry for
the address in the MAC table. This frame will be flooded - it will be sent out every switch port except the one it came
in on.
The destination MAC is a unicast and there is an entry for
the address in the MAC table. In this case, the frame will
be sent out only the port leading to the host with the proper
destination MAC.
Destination MAC Part 2
The destination MAC is a unicast, and there is an
entry for the address in the MAC table, AND the
source and destination address are found off the
same port. This frame will be filtered - it will not be
forwarded at all by the switch.
The destination MAC is a broadcast or multicast, in
which case the frame will be sent out every port
except the one it was received upon.
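As an added example (not part of the original study guide), here is a small Python model of the learning and forwarding rules just described: the source MAC is learned first, then the destination MAC falls into one of the four cases. Port names and host MACs are constructed; the 01:80:c2:00:00:00 multicast address is the STP address quoted elsewhere in this guide.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class Switch:
    """Minimal Layer 2 forwarding model: a MAC table plus the four destination-MAC cases."""
    ports: frozenset                                # physical ports on the switch
    mac_table: dict = field(default_factory=dict)   # MAC -> port; empty at power-on
    static: set = field(default_factory=set)        # MACs entered manually, never relearned

    def add_static(self, mac: str, port: str) -> None:
        self.mac_table[mac] = port
        self.static.add(mac)

    def learn(self, src_mac: str, in_port: str) -> None:
        # The source MAC is examined first; a dynamic entry follows the host if it moves ports.
        if src_mac not in self.static and not is_group_address(src_mac):
            self.mac_table[src_mac] = in_port

    def handle_frame(self, src_mac: str, dst_mac: str, in_port: str):
        """Return (decision, egress ports). A frame never goes back out its ingress port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.learn(src_mac, in_port)
        others = self.ports - {in_port}
        if is_group_address(dst_mac):               # broadcast or multicast
            return "flood", others
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:                         # unknown unicast
            return "flood", others
        if out_port == in_port:                      # destination lives off the ingress port
            return "filter", frozenset()
        return "forward", frozenset({out_port})      # known unicast


def demo():
    """Constructed scenario: hosts A and B on their own ports, C and D sharing a hub on Fa0/3."""
    sw = Switch(ports=frozenset({"Fa0/1", "Fa0/2", "Fa0/3"}))
    a, b, c, d = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
                  "00:00:00:00:00:0c", "00:00:00:00:00:0d")
    frames = [
        (a, b, "Fa0/1"),                    # B not learned yet -> flood
        (b, a, "Fa0/2"),                    # A known on Fa0/1 -> forward out Fa0/1 only
        (b, BROADCAST, "Fa0/2"),            # broadcast -> flood
        (c, d, "Fa0/3"),                    # D unknown -> flood; C is learned on Fa0/3
        (d, c, "Fa0/3"),                    # C is known off the ingress port -> filter
        (a, "01:80:c2:00:00:00", "Fa0/1"),  # multicast -> flood
    ]
    decisions = [(decision, sorted(ports))
                 for decision, ports in (sw.handle_frame(s, t, p) for s, t, p in frames)]
    return decisions, dict(sw.mac_table)


if __name__ == "__main__":
    results, table = demo()
    for decision, egress in results:
        print(f"{decision:<8}{' '.join(egress) or '-'}")
    print("MAC table:", table)
```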
Content Addressable Memory Table
The official terminology for the MAC table is the CAM
table, or Content Addressable Memory
table. Depending on who you talk to, you'll hear this
table called
the MAC address table
the CAM table
the bridging table
Cisco Filename Part 1
Speaking of which, ever wonder what a Cisco filename
means? Look at the IOS image filename on the switch we've
been using in this section:
c2950-i6q4l2-mz.121-19.EA1.bin
Believe it or not, that mix of numbers and letters actually
means something. There is a standard for IOS filenames, so
as we decipher this filename, remember that you can use this
method to do so with any IOS filename.
c2950 - This one's easy, since we're working on a Catalyst
2950 switch.
Cisco Filename Part 2
i6q4l2 - This part describes the switch's feature set. The i at
the beginning of this feature set description indicates a switch
running an IP feature set.
mz - The m indicates that the image is running in RAM; the z
indicates a zip-compressed image.
121-19.EA1 - The 121 indicates the major IOS release
version, 12.1. The 19 is the maintenance release. The E
indicates an Early Deployment of features. A indicates the
interim build level, in this case the first one ("A"). The 1
indicates the first build of that level, and finally the .bin
indicates that the image file is a binary executable.
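Knowing exactly which release is running is the first step in checking an image against advisories, so here is an added Python parser (not the guide's code) for the filename scheme just decoded. The letter meanings are the ones the guide gives for this image; anything else is reported as unknown rather than guessed.

```python
import re
from dataclasses import dataclass

# Classic IOS image naming scheme as walked through in the guide:
#   <platform>-<feature set>-<memory><compression>.<major>-<maintenance>.<train><build>.bin
IMAGE_NAME = re.compile(
    r"^(?P<platform>[a-z]\d+[a-z0-9]*)"
    r"-(?P<features>[a-z0-9]+)"
    r"-(?P<memory>[a-z])(?P<compression>[a-z])?"
    r"\.(?P<major>\d{3})-(?P<maintenance>\d+)"
    r"\.(?P<train>[A-Z]+)(?P<build>\d+)"
    r"\.(?P<extension>bin|tar)$"
)

# Only the letters the guide explains are mapped; others exist in Cisco's scheme.
FEATURE_PREFIX = {"i": "IP"}
MEMORY = {"m": "runs in RAM"}
COMPRESSION = {"z": "zip-compressed", None: "uncompressed"}


@dataclass
class IosImage:
    platform: str
    feature_set: str
    feature_family: str
    memory: str
    compression: str
    version: str        # Cisco's usual notation, e.g. "12.1(19)EA1"
    train: str          # the guide reads these letters one by one (E, A)
    build: int
    extension: str


def parse_ios_filename(name: str) -> IosImage:
    """Split an IOS image filename into its labelled parts; raise on anything else."""
    m = IMAGE_NAME.match(name)
    if not m:
        raise ValueError(f"not a recognised IOS image name: {name!r}")
    major = m["major"]
    release = f"{major[:2]}.{major[2:]}"   # "121" -> "12.1"
    return IosImage(
        platform=m["platform"],
        feature_set=m["features"],
        feature_family=FEATURE_PREFIX.get(m["features"][0], "unknown"),
        memory=MEMORY.get(m["memory"], "unknown"),
        compression=COMPRESSION.get(m["compression"], "unknown"),
        version=f"{release}({m['maintenance']}){m['train']}{m['build']}",
        train=m["train"],
        build=int(m["build"]),
        extension=m["extension"],
    )


if __name__ == "__main__":
    print(parse_ios_filename("c2950-i6q4l2-mz.121-19.EA1.bin"))
```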
Autorecovery From An Err-Disabled State
A switch port will be placed into error-disabled state, referred
to on the switch as err-disabled, under certain circumstances
such as a violation of port security. By default, a port in err-disabled state has to be manually reopened. (The port LED
will go out as well; as you'd suspect, a green LED indicates an
active port.)
You may have a situation where you want the port to re-enable itself after a certain period of time, and this can be
configured with the errdisable recovery interval
command. Before doing so, though, you must define the
causes from which the port can recover automatically. We'll
use the "all" option here to allow the port to autorecover from
any err-disabled state.
Virtual LANs (VLANs)
Reasons for VLANs Part 1
The most common reason for creating VLANs is
to prevent the excess traffic caused by a
switch's default behavior when it receives a
broadcast. One of the first switching concepts
you learned was that a switch that receives a
broadcast will forward it out every other port on
the switch except the one that it was originally
received on.
Reasons for VLANs Part 2
We can use Virtual LANs (VLANs) to restrict broadcasts by
creating logical groups of hosts. The physical location of the
hosts does not matter, because these are virtual local area
networks. When a switch receives a broadcast packet from a
host in one particular VLAN, that switch will forward that
broadcast only via ports that are in the same VLAN.
By creating VLANs, you create multiple broadcast domains
while also lowering the number of multicasts sent throughout
the network.
Cisco's best practice is to have one VLAN per IP subnet, and
this is a best practice that works very well in the real world.
Reasons for VLANs Part 3
Static VLAN
VLAN Membership Policy Server Part 1
If we have "static VLANs", it follows that there is such a thing
as a "dynamic VLAN". The configuration of dynamic VLANs is
far out of the scope of the BCMSN exam, but as a CCNP you
need to know the basics of VMPS - a VLAN Membership
Policy Server.
When you move a user from one port to another using static
VLANs, you have to change the configuration of the switch to
reflect these changes. Using VMPS results in these changes
being performed dynamically, because the port's VLAN
membership is decided by the source MAC address of the
device connected to that port. (Yet another reason that the
first value a switch looks at on an incoming frame is the
source MAC address.)
VLAN Membership Policy Server Part 2
VMPS uses a TFTP server to help in this
dynamic port assignment scheme. A database
on the TFTP server that maps source MAC
addresses to VLANs is downloaded to the
VMPS server, and that downloading occurs
every time you power cycle the VMPS server.
VMPS uses UDP to listen to client requests.
VLAN Membership Policy Server Part 3
An interesting default of VMPS is that when a port receives a
dynamic VLAN assignment, PortFast is automatically enabled
for that port! There's no problem with PortFast being turned
off on that port if you feel it necessary, but keep in mind that
PortFast will run on a dynamic VLAN port by default.
What if we had to move Host 1's connection to the switch to
port 0/6? With static VLANs, we'd have to connect to the
switch, configure the port as an access port, and then place
the port into VLAN 12. With VMPS, the only thing we'd have
to do is reconnect the cable to port 0/6, and the VMPS would
dynamically place that port into VLAN 12.
When dynamic VLANs are in use, the port number isn't
important - the MAC address of the host connected to the port
is the deciding factor regarding VLAN membership.
Some things to watch out for when configuring VMPS:
The VMPS server has to be configured before
configuring the ports as dynamic.
Again, PortFast is enabled by default when a port
receives a dynamic VLAN assignment.
If a port is configured with port security, that feature must
be turned off before configuring a port as dynamic.
Trunking ports cannot be made dynamic ports, since by
definition trunking ports must belong to all
VLANs. Trunking must be disabled to make a port a
dynamic port.
Trunk Part 1
Trunk Part 2
You may have had a CCNA flashback when I mentioned
"dot1q"! There were quite a few differences between the
trunking protocols ISL and dot1q, so let's review those before
we examine a third trunking protocol that you didn't learn
during your CCNA studies.
For a trunk to form successfully, the ports must agree on the
speed, the duplex setting, and the encapsulation type. Many
Cisco switches offer the choice of ISL and IEEE 802.1q - and
I can practically guarantee your BCMSN exam just might
discuss these encap types! Let's take a detailed look at each
right now.
ISL Part 1
ISL is Cisco-proprietary, making it unsuitable for a multivendor
environment. That's one drawback, but there are others. ISL
will place both a header and trailer onto the frame,
encapsulating it. This increases the overhead on the trunk
line.
You know that the default VLAN is also known as the "native
VLAN", and another drawback to ISL is that ISL does not use
the concept of the native VLAN. This means that every single
frame transmitted across the trunk will be encapsulated.
The 26-byte header that is added to the frame by ISL contains
the VLAN ID; the 4-byte trailer contains a Cyclic Redundancy
Check (CRC) value. The CRC is a frame validity scheme that
checks the frame's integrity.
ISL Part 2
Dot1q Part 1
In contrast, dot1q does not encapsulate frames. A 4-byte
header is added to the frame, resulting in less overhead than
ISL and resulting in a maximum frame size of 1522 bytes. If
the frame is destined for hosts residing in the native VLAN,
even that small header isn't added.
Since the dot1q header is only 4 bytes in size, and isn't even
placed on every frame, using dot1q lessens the chance of
oversized frames. When the remote port receives an
untagged frame, the switch knows that these untagged
frames are destined for the native VLAN.
Dot1q Part 2
Point-to-point Protocols
Believe it or not, ISL and dot1q actually have something
in common! They're both considered point-to-point
protocols, since by definition a trunk only has two
endpoints, and that's it - just like ISDN.
Also notice that there's a 4-byte addition in both ISL and
dot1q - make sure to have them straight:
ISL: 4-byte trailer (with CRC value)
dot1q: 4-byte header inserted into the frame
Gotchas Part 1
I've created a lot of trunks over the years, and I've
bumped into quite a few "gotchas" that you might
not think to look at in a production network.
For trunks to work properly, the port speed and port duplex
setting should be the same on the two trunking ports. ISL
switches don't care about the native VLAN setting,
because they don't use the native VLAN to begin with.
Giants are frames that are larger than 1518 bytes, and
these can occur on ISL since they add 30 bytes to the
frame. Some Catalyst switches have Cisco-proprietary
hardware that allows them to handle the larger
frames. Check the documentation for your switch to see if
this is the case for your model.
Gotchas Part 2
Dot1q does add 4 bytes to the frame, but thanks to IEEE
802.3ac, the maximum frame length can be extended to 1522
bytes. (The opposite of a giant is a runt. While giants are too
large to be successfully transmitted, runts are frames less than
64 bytes in size.)
Both switches must be in the same VTP domain - watch those
domain names, they're case-sensitive.
If you're working on a multilayer switch (also called a "Layer 3
switch"), make sure the port you want to trunk is a Layer 2 port
by configuring the interface-level command switchport on it.
You can configure a 10, 100, or 1000 MBPS interface as a trunk.
Changing the native VLAN on one switch does not dynamically
change the native VLAN on a remote trunking partner.
Native VLAN
By default, the native VLAN is VLAN 1. The native VLAN is
the VLAN the port will belong to when it is not trunking,
regardless of whether it once was a trunk port.
The native vlan can be changed with the switchport trunk
native vlan command, but you should be prepared for an error
message very quickly after configuring it on one side of the
trunk. We'll change the native vlan setting on fast 0/11 on
one side of an existing trunk and see what happens.
Changing the native VLAN on one switch in a trunk does not
automatically change it for the other switch!
switchport trunk encapsulation command Part 1
To manually configure a trunk port to run ISL or dot1q,
use the switchport trunk encapsulation command.
Rack1SW1(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
switchport trunk encapsulation command Part 2
Notice that there's a third option, negotiate. The trunk ports
will then negotiate between ISL and dot1q, and naturally it
must be a protocol that both ports support. If the
negotiating ports support both protocols, ISL will be selected.
By the way, if you use IOS Help to display your switch's
encapsulation choices, and there aren't any, that's a pretty
good sign that your switch supports only dot1q!
SW1(config)#interface fast 0/11
SW1(config-if)#switchport trunk encapsulation ?
% Unrecognized command
Dynamic Trunking Protocol
You learned about ISL and dot1q in your CCNA studies, but
there's a third trunking protocol involved as well. The Cisco-proprietary Dynamic Trunking Protocol actively attempts to
negotiate a trunk line with the remote switch. This sounds
great, but there is a cost in overhead - DTP frames are
transmitted every 30 seconds.
If you decide to configure a port as a non-negotiable trunk
port, there's no need for the port to send DTP frames. Also,
if there's a device on the other end of the line that can't trunk
at all - a firewall, for example - there's no need to send DTP
frames.
DTP can be turned off at the interface level with the switchport
nonegotiate command, but as you see below, you cannot turn
DTP off until the port is no longer in dynamic desirable
trunking mode.
Trunk mode
Trunk mode means just that - this port is in unconditional trunk
mode and cannot be an access port. Since this port cannot
negotiate, it's standard procedure to place the remote port in
trunk mode. Turning off DTP when you place a port in trunk
mode is a great idea, because there's no use in sending
negotiation frames every 30 seconds if no negotiation is
necessary!
Dynamic desirable is the default setting for most Cisco switch
ports today. If the local switch port is running dynamic desirable
and the remote switch port is running in trunk, dynamic desirable,
or dynamic auto, a trunk will form. This is because a port in
dynamic desirable mode is sending and responding to DTP
frames.
If you connect two 2950s with a crossover cable, a trunk will form
in less than 10 seconds with no additional configuration needed.
Dynamic auto mode
Dynamic auto is the "oddball" trunking mode. A port
configured as dynamic auto (often called simply "auto") will
not actively negotiate a trunk, but will accept negotiation
begun by the remote switch. As long as the remote trunk port
is configured as dynamic desirable or trunk, a trunk line will
form.
It's important to note that this setting does not have to match
between two potential trunk ports. One port could be in
dynamic desirable and the other in trunk mode, and the trunk
would come up.
Is there a chance that two ports that are both in one of these
three modes will not successfully form a trunk? Yes - if
they're both in dynamic auto mode.
Naming VLANs
VLAN database mode
You'll notice that all of the configurations in this study guide
use the CLI commands to configure VLANs. There is a
second way to do so, and that's using VLAN database mode.
I personally don't like using this mode, because it's very easy
to save your changes incorrectly - which of course means that
your changes aren't saved! It's always a good idea to know
how to do something more than one way in Ciscoland,
though, so let's take a look at this mode. You enter this mode
by typing vlan database at the command prompt.
Snowflakes Part 1
Learning to design anything from a class or study guide can
be frustrating, because like snowflakes, no two networks are
alike. What works well for "Network A" may be inefficient for
"Network B". You need to know about the following VLAN
design types for both the exam and the real world, but as
always you've got to be able to apply your knowledge to your
network's needs.
In my BSCI Study Guide's discussion of Cisco's Three-Layer
Hierarchical Networking Model, I mention that it's important to
let the Distribution layer handle the "little things" in order to
allow the core switches to do what they do best - switch!
Snowflakes Part 2
With VLAN design, we're looking at much the same
scenario. If we don't control broadcast and multicast traffic, it
can soon affect our network negatively, particularly if we allow
it to flow through the core switches. Your VLAN scheme
should keep as many broadcasts and multicasts away from
the core switches as is possible.
End-to-End and Local VLANs Part 1
With end-to-end VLANs, the name is the recipe as end-to-end
VLANs will span the entire network. The physical location of
the user does not matter, as a user is assigned to a single
VLAN, and that VLAN will remain the same no matter where
the user is.
End-to-end VLANs can come in handy as a security tool
and/or when the hosts have similar resource requirements - for example, if you had certain hosts across the network that
needed access to a particular network resource, but you didn't
even want your other hosts to know of the existence of that
resource. However, I can tell you that this VLAN type is a real
pain in the butt to configure. :)
End-to-End and Local VLANs Part 2
End-to-end VLANs should be designed with
the 80/20 rule in mind, where 80 percent of the
local traffic stays within the local area and the
other 20 percent will traverse the network core
en route to a remote destination.
End-to-end VLANs must be accessible on every
access-layer switch to accommodate mobile
users.
Local VLANs
Local VLANs are designed with the 20/80 rule in mind. Local
VLANs assume that 20 percent of traffic is local in scope,
while the other 80 percent will traverse the network
core. While physical location is unimportant in end-to-end
VLANs, users are grouped by location in Local VLANs.
More and more networks are using centralized data
depositories, such as server farms - and even in the simplified
network diagram above, the end user must go across a WAN
to reach the server farm, another reason that 80/20 traffic
patterns aren't seen as often as they were in the past.
VLAN Trunking Protocol (VTP)
VTP
Major Feature of VTP
Luckily, the major feature of VTP is the transmission of VTP
advertisements that notify neighboring switches in the same
domain of any VLANs in existence on the switch sending the
advertisements.
The key phrase there is "in the same domain". By default,
Cisco switches are not in a VTP domain. Before working with
VTP in a home lab or production network, run show vtp
status. (The official term for a VTP domain is "management
domain", but we'll just call them domains in this section. The
only place you'll probably see that full phrase is on the exam.)
Server mode
In Server mode, a VTP switch can be used to create, modify,
and delete VLANs. This means that a VTP deployment has to
have at least one Server, or VLAN creation will not be
possible. This is the default setting for Cisco switches.
Switches running in Client mode cannot be used to create,
modify, or delete VLANs. Clients do listen for VTP
advertisements and act accordingly when VTP
advertisements notify the Client of VLAN changes.
VTP Transparent mode actually means that the switch isn't
participating in VTP. (Bear with me here.) Transparent VTP
switches don't synchronize their VTP databases with other
VTP speakers; they don't even advertise their own VLAN
information! Therefore, any VLANs created on a Transparent
VTP switch will not be advertised to other VTP speakers in
the domain, making them locally significant only.
VTP Versions
There are two versions of VTP, V1 and V2, and the main
difference between the two versions affects how a VTP
Transparent switch handles an incoming VTP advertisement.
VTP Version 1: The Transparent switch will forward that
advertisement's information only if the VTP version number
and domain name on that switch is the same as that of
downstream switches.
VTP Version 2: The Transparent switch will forward VTP
advertisements via its trunk port(s) even if the domain name
does not match.
Switches
The VTP Advertisement Process
Configuration revision Part 1
Configuration revision Part 2
SW1 received a VTP advertisement from SW2. Before
accepting the changes reflected in the advertisement, SW1
compares the revision number in the advertisement to its own
revision number. In this case, the revision number on the
incoming advertisement was 2 and SW1's revision number was
1.
This indicates to SW1 that the information contained in this
VTP advertisement is more recent than its own VLAN
information, so the advertisement is accepted.
If SW1's revision number had been higher than that in the
VTP advertisement from SW2, the advertisement would have
been ignored.
Potential issue
Revision number
Cisco Theory
VTP Advertisements
There are three major types of VTP advertisements - here's
what they are and what they do. Keep in mind that Cisco
switches only accept VTP advertisements from other switches
in the same VTP domain.
Summary Advertisements are transmitted by VTP servers
every 5 minutes, or upon a change in the VLAN
database. Information included in the summary
advertisement:
Subset Advertisements
Client Advertisement Requests
Client Advertisement Requests are just that - a
request for VLAN information from the
client. Why would a client request this
information? Most likely because the VLAN
database has been corrupted or deleted. The
VTP Server will respond to this request with a
series of Summary and Subset advertisements.
VTP Pruning
Enabling pruning
Consistency check
write erase
VTP password
VTP Configuration Tips
Unless you have a very good reason to put a switch into
Transparent mode, stick with Server and Client. Not only
does this ensure that the VTP databases in your network will
be synchronized, but it causes less confusion in the future for
other network admins who don't understand Transparent
mode as well as you do. :)
Some campus networks will have switches that can be easily
secured - the ones in your network control room, for example
- and others that may be more accessible to others. Your
VTP Servers should be the switches that are accessible only
by you and a trusted few. Don't leave every switch in your
VTP domain at the default of Server, or you've made it
possible to create and delete VLANs on every switch in your
network.
Spanning Tree Protocol (STP)
Switching Basics
BPDUs & the Root Bridge Election
Root Port Selection & Cost
STP Port States & Timers
Making a Nonroot Switch the Root - Why and How
TCN BPDUs
Load Sharing with the port-priority command
Extended System ID Failure
Unknown unicast frames
Unknown unicast frames are frames destined for a particular
host, but there is no MAC address table entry for that
destination. Unknown unicast frames are forwarded out every
port except the one they came in on. Under no circumstances
will a switch send a frame back out the same port it came in
on.
Broadcast frames are destined for all hosts, while multicast
frames are destined for a specific group of hosts. Broadcast
and multicast frames are also forwarded out every port except
the one they came in on.
Known unicast frames are frames destined for a particular
host, and this destination host has an entry in the switch's
MAC table. Such a frame would be forwarded only out the
appropriate port.
The Role Of BPDUs
BPDUs are transmitted every two seconds to the well-known multicast MAC address 01-80-c2-00-00-00. (It
might not have been well-known to you before, but it is
now!) We've actually got two different BPDU types:
Topology Change Notification (TCN)
Configuration
We'll talk about TCNs later in this section, but for now it's
enough to know that the name is the recipe - a switch
sends a TCN when there is a change in the network
topology.
Configuration BPDUs
Configuration BPDUs are used for the actual STP
calculations. Once a root bridge is elected, only that root bridge will
originate Configuration BPDUs; the non-root bridges will forward
copies of that BPDU.
BPDUs also carry out the election to decide which switch will be the
Root Bridge. The Root Bridge is the "boss" of the switching network
- this is the switch that decides what the STP values and timers will
be. Each switch will have a Bridge ID Priority value, more
commonly referred to as a BID.
This BID is a combination of a default priority value and the switch's
MAC address, with the priority value listed first. For example, if a
Cisco switch has the default priority value of 32,768 and a MAC
address of 11-22-33-44-55-66, the BID would be 32768:11-22-33-44-55-66. Therefore, if the switch priority is left at the default on all
switches, the MAC address is the deciding factor in the root bridge
election.
Root port
Process of choosing a Root Port
Here's the process of choosing a Root Port, and how
these steps factored into SW2's decision-making
process.
Choose the port receiving the superior BPDU. By "superior
BPDU", we mean the one with the lowest BID. The
BPDUs are coming from the same switch - SW1 - so this is
a tie.
Choose the port with the lowest Root Path Cost to the root
bridge. That's a tie here, too.
Choose the port receiving the BPDU with the lowest
Sender BID. Since the same switch is sending both
BPDUs, that's a tie here as well.
Choose the lowest Port ID. That was the tiebreaker here.
Changing A Port's Path Cost
learning mode
When the port goes into learning mode, it's not yet
forwarding frames, but the port is learning MAC
addresses by adding them to the switch's MAC address
table.
Finally, a port enters forwarding mode. This allows a
port to forward and receive data frames, send and
receive BPDUs, and place MAC addresses in its MAC
table.
To see the STP mode of a given interface, use the show
spanning-tree interface command.
Timers Part 1
Timers Part 2
Example 1
Example 2
Example 3
Example 4
Priority    28692  (priority 28672 sys-id-ext 20)
Address     0019.557d.8880
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300
spanning-tree vlan root
Ever wondered how the STP process decides what
priority should be set when the spanning-tree vlan root
command is used? After all, we're not configuring an
exact priority with that command. Here's how the STP
process handles this:
If the current root bridge's priority is greater than 24,576,
the switch sets its priority to 24576 in order to become the
root. You saw that in the previous example.
If the current root bridge's priority is less than 24,576, the
switch subtracts 4096 from the root bridge's priority in
order to become the root.
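As an added example (not the guide's own code), this Python sketch ties together the BID material from this section: building a BID with the extended system ID (the 28672 + sys-id-ext 20 = 28692 shown in the output above), the root bridge election, the four-step root port tie-break from the Root Port slide, and the two priority rules of spanning-tree vlan root. Switch names, the MACs other than 0019.557d.8880 and 11-22-33-44-55-66, port numbers and path costs are constructed.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # Cisco default bridge priority (from the guide)
ROOT_MACRO_TARGET = 24576  # priority 'spanning-tree vlan <n> root' picks when the root is above it
PRIORITY_STEP = 4096       # configurable granularity once the extended system ID is in use


def mac_to_int(mac: str) -> int:
    """Accept 11-22-33-44-55-66, 0019.557d.8880 or colon notation."""
    return int("".join(ch for ch in mac if ch.isalnum()), 16)


@dataclass(frozen=True, order=True)
class BridgeId:
    """priority:MAC. Field order makes comparison 'lowest priority, then lowest MAC'."""
    priority: int
    mac: int

    @classmethod
    def build(cls, base_priority: int, mac: str, vlan: int = 0) -> "BridgeId":
        # With the extended system ID the VLAN number is added into the priority field,
        # which is why 'show spanning-tree' reports 28692 as priority 28672 + sys-id-ext 20.
        if base_priority % PRIORITY_STEP or not 0 <= base_priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        if not 0 <= vlan < 4096:
            raise ValueError("vlan must fit in the 12-bit system ID extension")
        return cls(base_priority + vlan, mac_to_int(mac))

    def __str__(self) -> str:
        return f"{self.priority}:{self.mac:012x}"


def elect_root(bridges: dict) -> str:
    """Lowest BID wins; with equal priorities the MAC address is the deciding factor."""
    return min(bridges, key=bridges.__getitem__)


def root_macro_priority(current_root_base_priority: int) -> int:
    """Priority chosen by 'spanning-tree vlan <n> root', following the guide's two rules."""
    if current_root_base_priority > ROOT_MACRO_TARGET:
        return ROOT_MACRO_TARGET
    new_priority = current_root_base_priority - PRIORITY_STEP
    if new_priority < 0:  # assumption: there is no legal priority below 0 to drop to
        raise ValueError("current root already has the lowest possible priority")
    return new_priority


@dataclass(frozen=True)
class ReceivedBpdu:
    """One BPDU as seen on a non-root switch port (constructed record type)."""
    port: str
    port_id: tuple          # (port priority, port number); lower wins
    root_bid: BridgeId
    root_path_cost: int
    sender_bid: BridgeId


def choose_root_port(bpdus: list) -> str:
    """Four-step tie-break from the guide: root BID, root path cost, sender BID, port ID."""
    best = min(bpdus, key=lambda b: (b.root_bid, b.root_path_cost, b.sender_bid, b.port_id))
    return best.port


if __name__ == "__main__":
    sw1 = BridgeId.build(28672, "0019.557d.8880", vlan=20)
    print("SW1 BID:", sw1)
    print("priority after 'spanning-tree vlan 20 root' elsewhere:", root_macro_priority(28672))
```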
Topology Change Notifications (TCNs)
The Extended System ID Feature
Earlier in this section, we took a look at part of a switch's
configuration and saw this line:
spanning-tree extend system-id
Defined in IEEE 802.1t, the Extended System ID
feature greatly extends the number of STP instances that can
be supported by the switch, which in turn allows the switch to
support up to 4096 VLANs. The extended VLANs will be
numbered 1025 - 4096.
You can't use this feature on all Cisco switches, though. It is
enabled by default on 2950 and 3550 switches with an IOS
version of 12.1(8)EA or later.
Advanced STP Features
Portfast
Uplinkfast
Details regarding Uplinkfast
Root port
Immediate action
Where To Apply Uplinkfast
As with all the topics in this section, it's not enough to
know the definition of Uplinkfast and what it does - you've got to know where to configure it for best results.
Uplinkfast is a wiring-closet switch feature - it's not
recommended for core and distribution-layer
switches. Uplinkfast should be configured only on
access-layer switches. It's a safe bet that the root
switches are going to be found in the core layer, and the
switches that are farthest away from the root switches
will be the access switches. The access switches will be
the ones closest to the end users.
Backbonefast
Uplinkfast and Portfast are great, but they've got limitations on
when they can and should be run. You definitely can't run either
one in a network backbone, but the Cisco-proprietary feature
Backbonefast can be used to help recover from indirect link
failures.
The key word there is indirect. If a core switch detects an indirect
link failure - a failure of a link that is not directly connected to the
core switch in question - Backbonefast goes into action.
This indirect link failure is detected when an inferior BPDU is
received.
When BackboneFast is configured, this process skips the
MaxAge stage. While this does not eliminate delays as efficiently
as PortFast and UplinkFast, the delay is cut from 50 seconds
to 30. (MaxAge's default value is 20 seconds, but the 15-second
Listening and Learning stages still have to run.)
RLQ Request
Upon receiving a RLQ request, a switch will answer
immediately under one of two conditions:
The receiving switch is indeed the root bridge named in
the RLQ request
The receiving switch has no connectivity to the root bridge
named in the RLQ request, because it considers another
switch to be the root bridge
BackboneFast into action
To put BackboneFast into action in our network,
we have to know more than the
command! We've got to know where to
configure it as well. Since all switches in the
network have to be able to send, relay, and
respond to RLQ requests, and RLQ is enabled
by enabling BackboneFast, every switch in the
network should be configured for BackboneFast
when using this feature.
Root Guard
BPDU Guard
PortFast BPDU Filtering
What if you don't want the port to be put into err-disabled
state when it receives a BPDU? You can use BPDU
Filtering, but you have to be careful how you configure it
- this feature works differently when it's configured
globally as opposed to configuring it on a per-interface
level.
Globally enabling BPDU Filtering will have a PortFast-enabled
port stop running PortFast when the port receives a BPDU.
Enabling BPDU Filtering on a specific port or ports, rather
than enabling it globally, will result in received BPDUs
being quietly ignored. Those incoming BPDUs will be
dropped, and the port will not send any BPDUs in return.
Unidirectional Link Detection (UDLD)
Most problems involving the physical link will make data
transfer in either direction impossible. Particularly with
fiber optic, there are situations where a physical layer
issue disables data transfer in one direction, but not the
other.
UDLD has two modes of operation, normal and
aggressive. When a unidirectional link is detected in
normal mode, UDLD generates a syslog message but
does not shut the port down.
Normal mode
Duplex Mismatches And Switching Loops
Loop Guard
BPDU Skew Detection
You may look at that feature's name and think, "What is
a BPDU Skew, and why do I want to detect it?" What
we're actually attempting to detect are BPDUs that aren't
being relayed as quickly as they should be.
After the root bridge election, the root bridge transmits
BPDUs, and the non-root switches relay that BPDU
down the STP tree. This should happen quickly all
around, since the root bridge will be sending a BPDU
every two seconds by default ("hello time"), and the
switches should relay the BPDUs fast enough so every
switch is seeing a BPDU every two seconds.
Rapid Spanning Tree Protocol
So you understand STP, and you've got all these STP
features down - and now here's another kind of
STP! Specifically, it's RSTP, or Rapid Spanning Tree
Protocol. RSTP is defined by IEEE 802.1w, and is
considered an extension of 802.1d.
Root bridges are still elected with RSTP, but the port
roles themselves are different between STP and
RSTP. Let's take a look at the RSTP port roles in the
following three-switch network, where SW1 is the root.
Note that SW3 has multiple connections to the ethernet
segment.
Transition States
Difference between STP and RSTP
Detecting Link Failures
MaxAge timer
BPDU format
The BPDU format is the same for STP and RSTP, but RSTP
uses all the flag bits available in the BPDU for various
purposes, including state negotiation between neighbors,
while STP uses only the Topology Change (TC) and Topology
Change Ack (TCA) flags. The details of this negotiation are
out of the scope of the BCMSN exam, but can easily be found
on the Internet by searching for "RSTP" in your favorite
search engine.
The RSTP BPDU is also of a totally different type (Type 2,
Version 2), which allows an RSTP-enabled switch to detect
older switches.
The switching features we looked at earlier in this section -
Uplinkfast, Portfast, and Backbonefast - are built in to RSTP.
Per-VLAN Spanning Tree Versions (PVST and PVST+)
The ultimate "the name is the recipe" protocol, the
Cisco-proprietary PVST, well, runs a separate instance of STP
for each VLAN!
The Good: PVST does allow for much better fine-tuning
of spanning-tree performance than does regular old
STP.
The Bad: Running PVST does mean extra work for your
CPU and memory.
The Ugly: PVST is Cisco-proprietary, so it must run over
the Cisco-proprietary trunking protocol - ISL.
PVST
Rapid Per-VLAN Spanning Tree Plus (RPVST+)
Now there's a mouthful!
Cisco being Cisco, you just know they have to have their
own version of STP! Per-VLAN Spanning Tree Plus
(PVST+) is just what it sounds like - every VLAN has its
own instance of STP running. PVST+ allows per-VLAN
load balancing and is also Cisco-proprietary.
If you configure a switch running PVST+ to use RSTP, you
end up with RPVST+ - Rapid Per-VLAN Spanning Tree
Plus. The good news is that the command is very simple,
and we'll use IOS Help to look at some other options:
Multiple Spanning Tree
Defined by IEEE 802.1s, Multiple Spanning Tree gets its
name from a scheme that allows multiple VLANs to be
mapped to a single instance of STP, rather than having an
instance for every VLAN in the network. MST serves as a
middle ground between STP and PVST.
CST (Common Spanning Tree) uses a single instance of
STP, PVST has an instance for every VLAN, and MST allows
you to reduce the number of STP instances without knocking
it all the way back to one.
MST was designed with enterprise networks in mind, so while
it can be very useful in the right environment, it's not for every
network.
Configuration of MST
The configuration of MST involves logically dividing the
switches into regions, and the switches in any given
region must agree on the following:
The MST configuration name
The MST instance-to-VLAN mapping table
The MST configuration revision number
MST configurations
MST configurations can become quite complex and a great
deal of planning is recommended before implementing it. No
matter the size of the network, however, keep the central
point in mind - the purpose of MST is to map multiple VLANs
to a lesser number of STP instances.
A good way to get a mental picture of the interoperability of
MST and CST is that CST will cover the entire network, and
MST is a "subset" of the network. CST is going to maintain a
loop-free network only with the links connecting the MST
network subnets, and it's MST's job to keep a loop-free
topology in the MST region. CST doesn't know what's going
on inside the region, and it doesn't want to know.
IST
The "IST" in each region stands for Internal Spanning Tree,
and it's the IST instance that is responsible for keeping
communications in the MST Region loop-free.
Up to 16 MST instances (MSTIs) can exist in a region,
numbered 0 through 15. MSTI 0 is reserved for the IST
instance, and only the IST is going to send MST BPDUs.
Occasionally the first ten MST instances are referred to as
"00" - "09". These are not hex values - they're regular old
decimals.
Here's the good part -- there's no such thing as "VTP For
MST". Each and every switch in your MST deployment must
be configured manually. (No, I'm not kidding!) When you
create VLAN mappings in MST, you've got to configure every
switch in your network with those mappings - they're not
advertised.
Enabling MST Part 1
A good place to start is to enable MST on the switch:
SW2(config)# spanning-tree mode mst
The name and revision number must now be set, from MST
configuration mode:
SW2(config)# spanning-tree mst configuration
SW2(config-mst)# name REGION1
SW2(config-mst)# revision 1
Enabling MST Part 2
To map VLANs to a particular MST instance:
SW2(config-mst)# instance 1 vlan 10,13,14-20
Note that I could use commas to separate individual
VLANs or use a hyphen to indicate a range of them.
When mapping VLANs, remember that by default all
VLANs will be mapped to the IST.
Etherchannels
Etherchannels aren't just important for your BCMSN studies,
they're a vital part of many of today's networks. Knowing how
to configure and troubleshoot them is a vital skill that any
CCNP must have.
Etherchannels are part of the CCNA curriculum, but many
CCNA books either leave Etherchannels out entirely or
mention them briefly. You may not have even seen an
Etherchannel question on your CCNA exam, so we're going to
begin this section with a review of what an Etherchannel is
and why we would configure one.
After that review, we'll begin an in-depth examination of how
Etherchannels work, and I'll show you some real-world
examples of common Etherchannel configuration errors to
help you master this skill for the BCMSN exam and for the
real world.
Logical Bundling
An Etherchannel is the logical bundling of two to eight parallel
Ethernet trunks. This bundling of trunks is also referred to as
aggregation. This provides greater throughput, and is another
effective way to avoid the 50-second wait between blocking
and forwarding states in case of a link failure.
Spanning-Tree Protocol (STP) considers an Etherchannel to
be one link.
If one of the physical links making up the logical Etherchannel
should fail, there is no STP reconfiguration, since STP doesn't
know the physical link went down. STP sees only the
Etherchannel, and a single link failure will not bring an
Etherchannel down.
Etherchannels use the Exclusive OR (XOR) algorithm to
determine which channel in the EC to use to transmit data to
the remote switch.
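The XOR link selection mentioned above, as an added example that is not part of the course material. It is modelled on the documented Catalyst behaviour for src-dst-mac load balancing (an 8-bucket hash from the low-order bits of the two MAC addresses, spread over the bundled links); the bucket-to-link mapping and the sample addresses are constructed for the illustration.

```python
# Added example (not from the course): XOR-based link selection in an
# Etherchannel and the resulting distribution of traffic over the links.
from collections import Counter

BUCKETS = 8   # 3 hash bits, enough to address the 2 to 8 links of a bundle

def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)

def hash_bucket(src_mac, dst_mac):
    """Hash bucket for a frame: XOR of the low 3 bits of source and
    destination MAC (other load-balancing methods XOR IP addresses or
    ports instead; the idea is the same)."""
    return (mac_to_int(src_mac) ^ mac_to_int(dst_mac)) & (BUCKETS - 1)

def select_link(src_mac, dst_mac, link_count):
    """Index of the physical link that carries this frame. Assumption for the
    model: bucket b goes to link b mod link_count, which reproduces the
    documented 4:4, 3:3:2, 2:2:2:2, 2:2:2:1:1 ... bucket-to-link splits."""
    if not 2 <= link_count <= 8:
        raise ValueError("an Etherchannel bundles 2 to 8 links")
    return hash_bucket(src_mac, dst_mac) % link_count

def bucket_distribution(link_count):
    """How many of the 8 buckets land on each link: even only when the
    link count is a power of two."""
    return Counter(b % link_count for b in range(BUCKETS))

def simulate(frames, link_count):
    """frames: list of (src_mac, dst_mac). Returns link -> frame count.
    Every frame of one conversation lands on the same link, so a single
    busy pair of hosts never uses more than one link's bandwidth."""
    return Counter(select_link(s, d, link_count) for s, d in frames)

# Constructed traffic: one busy pair of hosts plus a spread of other pairs.
FRAMES = [("0000.0000.0001", "0000.0000.0002")] * 5 + [
    (f"0000.0000.00{i:02x}", "0000.0000.00ff") for i in range(1, 9)
]

if __name__ == "__main__":
    for links in (2, 3, 4, 8):
        print(links, "links:", dict(sorted(bucket_distribution(links).items())))
    print("4-link bundle:", dict(simulate(FRAMES, 4)))
    # A failed link just shrinks the bundle; frames are rehashed over the rest.
    print("after one link fails:", dict(simulate(FRAMES, 3)))
```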
Logical Link
Negotiating An Etherchannel
There are two protocols that can be used to negotiate an
etherchannel. The industry standard is the Link
Aggregation Control Protocol (LACP), and the Cisco-proprietary
option is the Port Aggregation Protocol (PAgP).
PAgP packets are sent between Cisco switches via ports
that have the capacity to be placed into an
etherchannel. First, the PAgP packets will check the
capabilities of the remote ports against those of the local
switch ports. The remote ports are checked for two
important values.
Remote Port Group
PAgP
PAgP also has the capability of changing a characteristic
of the etherchannel as a whole if one of the ports in the
etherchannel is changed. If you change the speed of
one of the ports in an etherchannel, PAgP will allow the
etherchannel to dynamically adapt to this change.
The industry standard bundling protocol defined in
802.3ad, LACP assigns a priority value to each port that
has etherchannel capability. You can actually assign up
to 16 ports to belong to an LACP-negotiated
etherchannel, but only the eight ports with the lowest
port priority will be bundled. The other ports will be
bundled only if one or more of the bundled ports fails.
Initiating EC
You can see the different terminology LACP and PAgP use
for the same results - "active" and "desirable" for the local port
to initiate the EC, "auto" and "passive" if the remote port is
going to initiate the EC. To enable the etherchannel with no
negotiation, use the on option.
For an EC to form, LACP must have at least one of the two
ports on each physical link set for "active"; if both ports are set
to "passive", no EC will be built. The same can be said for
PAgP and the settings "auto" and "desirable" - if both ports
are set to auto, the link won't join the EC.
To verify both PAgP and LACP neighbors, you can use the
show pagp neighbor and show lacp neighbor commands.
Troubleshooting EtherChannels
Once you get an EC up and running, it generally stays
that way - unless a port setting changes. From personal
experience, here are a few things to watch out for:
Changing the VLAN assignment mode to
dynamic. Ports configured for dynamic VLAN
assignment from a VMPS cannot remain or become part
of an EC.
The allowed range of VLANs for the EC must match that
of the ports. Here's a reenactment of an EC issue I ran
into once. The configuration of the channel-group
looked just fine:
Error Message
interface FastEthernet0/11
switchport trunk allowed vlan 10,20
no ip address
channel-group 1 mode on
!
interface FastEthernet0/12
switchport trunk allowed vlan 100,200
no ip address
channel-group 1 mode on
EC Error
When I remove the original command, I get the EC error
message again, but once I change port 0/12's config to match
0/11's, the EC forms.
SW1(config)#int fast 0/12
SW1(config-if)#no switchport trunk allowed vlan 100,200
02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with
Fa0/11 and will be suspended (vlan mask is different)
02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with
Fa0/11 and will be suspended (vlan mask is different)
SW1(config-if)#switchport trunk allowed vlan 10,20
02:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/12, changed state to up
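A model of the compatibility check behind that error, added here as an example and not the course's own code. It reproduces the two failure causes described above (a VMPS dynamic-VLAN port, and a mismatched allowed-VLAN list, reported as "vlan mask is different") using the %EC-5-CANNOT_BUNDLE2 message text shown in the console output; the remaining attributes checked (mode, speed, duplex) and the Port structure are assumptions for the illustration.

```python
# Added example (not from the course): checking whether ports can bundle
# into one channel group, modelled on the failure shown above.
from dataclasses import dataclass, field

def parse_vlan_list(text):
    """'10,13, 14-20' -> frozenset({10, 13, 14, ..., 20}); the same comma
    and hyphen syntax IOS uses for allowed-VLAN lists and MST mappings."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 4094):
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return frozenset(vlans)

@dataclass
class Port:
    name: str
    mode: str = "trunk"                 # "trunk" or "access"
    allowed_vlans: frozenset = field(
        default_factory=lambda: parse_vlan_list("1-4094"))
    speed: str = "100"
    duplex: str = "full"
    vmps_dynamic: bool = False          # VLAN assigned dynamically by a VMPS

def incompatibility(candidate, reference):
    """Reason the candidate cannot bundle with the reference port, or None.
    The attribute list is an assumption; the VMPS and VLAN-list checks are
    the two cases described on the slide."""
    if candidate.vmps_dynamic:
        return "port is a dynamic-VLAN (VMPS) port"
    if candidate.mode != reference.mode:
        return "port mode is different"
    if candidate.mode == "trunk" and candidate.allowed_vlans != reference.allowed_vlans:
        return "vlan mask is different"
    if candidate.speed != reference.speed:
        return "speed is different"
    if candidate.duplex != reference.duplex:
        return "duplex is different"
    return None

def bundle(ports):
    """Check every port against the first member of the channel group.
    Returns (names bundled, log messages for the ports that were suspended)."""
    reference = ports[0]
    bundled, messages = [reference.name], []
    for p in ports[1:]:
        reason = incompatibility(p, reference)
        if reason:
            messages.append(f"%EC-5-CANNOT_BUNDLE2: {p.name} is not compatible "
                            f"with {reference.name} and will be suspended ({reason})")
        else:
            bundled.append(p.name)
    return bundled, messages

if __name__ == "__main__":
    # The two ports from the reenactment above.
    fa11 = Port("Fa0/11", allowed_vlans=parse_vlan_list("10,20"))
    fa12 = Port("Fa0/12", allowed_vlans=parse_vlan_list("100,200"))
    for line in bundle([fa11, fa12])[1]:
        print(line)
    fa12.allowed_vlans = parse_vlan_list("10,20")    # the fix applied above
    print(bundle([fa11, fa12]))
```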
Changing Port Attribute
Securing the Switches
Introduction to AAA
Port Security & Dot1x Port-Based Authentication
SPAN
VLAN ACLs
Private VLANs
DHCP Snooping, Dynamic ARP Inspection, IP
Source Guard
MAC Address Flooding & VLAN Hopping Attacks
Physical security
AAA
You may have heard or read the acronym AAA in Cisco
switch documentation. This stands for Authentication,
Authorization, and Accounting - and you didn't know it, but
you're already working with AAA. Well, "A", anyway!
The passwords we've set here are part of Authentication, and
this local database of passwords is just one method of
authenticating users. We can also use RADIUS servers
(Remote Authentication Dial-In User Service, a UDP service)
or TACACS+ servers (Terminal Access Controller Access
Control System, a TCP service).
Both RADIUS and TACACS+ offer a lot of options. We're
going to look at a basic switch config that could get us started
with either. First, we've got to enable AAA on the switch.
(This is not required if only the local database will be used.)
Authorization
Accounting
Port Security
Little gotcha
There is a little "gotcha" with port security that you need to be
aware of. You can specify the number of secure MAC
addresses, and you can specify secure MAC addresses as
well. What if you allow for more secure MAC addresses than
you actually configure manually, as shown below?
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa
SW1(config-if)#switchport port-security mac-address cccc.cccc.cccc
Port Security Feature
trunk ports
ports placed in an Etherchannel
destination SPAN port
802.1x ports
Dot1x Port-Based Authentication
Port security is good, but we can take it a step further with dot1x
port-based authentication. The name refers to IEEE 802.1x, the
standard upon which this feature is based. Unusually enough,
the Cisco authentication server must be RADIUS - you can't use
TACACS or TACACS+.
One major difference between dot1x port-based authentication
and port security is that both the host and switch port must be
configured for 802.1x EAPOL (Extensible Authentication Protocol
over LANs). That's a major departure from many of the switch
features we've studied to date, since most other switch features
don't require anything of the host. Usually the PC isn't aware of
what the switch is doing, and doesn't need to know. Not this
time!
Force-authorized
Force-authorized, the default, does just what it sounds like - it
forces the port to authorize any host attempting to use the
port, but authentication is not required. Basically, there is no
authentication on this port type.
A port in force-unauthorized state literally has the port unable
to authorize any client - even clients who could otherwise
successfully authenticate!
The auto setting enables dot1x on the port, which will begin
the process as unauthorized. Only the necessary EAPOL
frames will be sent and received while the port's
unauthorized. Once the authentication is complete, normal
transmission and receiving can begin. Not surprisingly, this is
the most common setting.
SPAN
SPAN allows the switch to mirror the traffic from the source
port(s) to the destination port to which the network analyzer is
attached. (In some Cisco documentation, the destination port
is referred to as the monitor port.)
SPAN works very well, and the basic operation is
simple. Studying SPAN for exams and network usage can
seem complicated at first, though, because there are several
different versions of SPAN. The versions are much the same,
though; the real difference comes in when you define the
source ports. It's the location of the source ports that
determines the SPAN version that needs to run on the switch.
Local SPAN
Command
monitor session
The command monitor session starts a SPAN
session, along with allowing the configuration of
the source and destination. The sessions are
totally separate operations, but the number of
simultaneous sessions you can run differs from
one switch platform to another. Cat 3550s and
2950s support only two, but more powerful
switches can run as many as 64 sessions at
once.
RSPAN Configuration Part 1
RSPAN configuration is simple, but there are
some factors you need to consider when configuring
RSPAN:
If there were intermediate switches between the two
shown in the above example, they would all need to be
RSPAN-capable.
VTP treats the RSPAN VLAN like any other VLAN. It will
be propagated throughout the VTP domain if configured on
a VTP server. Otherwise, it's got to be manually
configured on every switch along the intermediate path.
VTP Pruning will also prune the RSPAN VLAN under the
same circumstances that it would prune a "normal" VLAN.
RSPAN Configuration Part 2
MAC address learning is disabled for the
RSPAN VLAN.
The source and destination must be defined
on both the switch with the source port and
the switch connected to the network analyzer,
but the commands are not the same on each.
Source port notes:
A source port can be monitored in multiple,
simultaneous SPAN sessions.
A source port can be part of an Etherchannel.
A source port cannot be configured as a
destination port.
A source port can be any port type - Ethernet,
FastEthernet, etc.
Destination port notes:
ESPAN
Access lists
Possible Side Effect Part 1
A Possible Side Effect Of Performing ACL Processing In Hardware
At the beginning of the VACL section, I mentioned that
ACL processing in multilayer switches is performed in
hardware. There will still be some traffic that is sent to the
CPU for software processing, and that forwarding rate is
much lower than the rate for the traffic forwarded by the
switch hardware. If the hardware hits its storage limit for
ACL configs, resulting in even more packets being sent to
the CPU, the switch performance can degrade. (I've seen
that, and it's ugly. Avoid it.)
Possible Side Effect Part 2
Cisco's website lists two other factors that
may result in too many packets being sent to
the CPU, and they may surprise you:
Excessive logging
Use of ICMP Unreachable messages
Private VLANs Example
In the following example, the router is located off a
switch port that has been configured as a private VLAN
port. There are options here as well:
The device connected to the private VLAN port can
communicate with any device connected to any primary or
secondary VLAN - this is promiscuous mode. This is the
recommended mode for ports connected to gateway
devices, such as the router seen below.
The host connected to the port is on either type of private
VLAN (isolated or community), and can communicate with
devices found off other promiscuous ports. If the host is
configured as part of a community private VLAN, the host
can also communicate with other hosts in that private
VLAN.
DHCP Snooping Part 1
DHCP Snooping Part 2
DHCP Snooping allows the switch to serve as a firewall
between hosts and untrusted DHCP servers. DHCP
Snooping classifies interfaces on the switch into one of two
categories - trusted and untrusted.
DHCP messages received on trusted interfaces will be
allowed to pass through the switch. Not only will DHCP
messages received on untrusted interfaces be dropped by the
switch, the interface itself will be placed into err-disabled
state.
By default, the switch considers all ports untrusted - which
means we better remember to configure the switch to trust
some ports when we enable DHCP Snooping!
Dynamic ARP Inspection
Just as we must protect against rogue DHCP servers,
we have to be wary of rogue ARP users as well.
From your CCNA studies, you know all about Address
Resolution Protocol and how it operates. A rogue device
can overhear part of the ARP process in action and
make itself look like a legitimate part of the network. This
happens through ARP Cache Poisoning. (This is also
known as ARP Spoofing - be aware of both names for
your exam.)
ARP Cache Poisoning starts innocently enough - in this
case, through the basic ARP process on a switch.
Trusted and untrusted ports
DAI uses the concept of trusted and untrusted ports, just as
DHCP Snooping does. However, untrusted ports in DAI do
not automatically drop ARP Requests and Replies.
Once the IP-MAC address database is built, every single ARP
Request and ARP Reply received on an untrusted interface is
examined. If the ARP message has an approved MAC-IP
address mapping, the message is forwarded appropriately; if
not, the ARP message is dropped.
If the interface has been configured as trusted, DAI allows the
ARP message to pass through without checking the database
of trusted mappings. DAI is performed as ARP messages are
received, not transmitted.
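The DAI decision just described, as an added example that is not part of the course material: ARP messages on untrusted ports are checked against the MAC-IP bindings DHCP Snooping built, trusted ports bypass the check, and the small host-cache simulation at the end shows what the check prevents. The binding table, the trusted port, the ARP messages and the log-line format are all constructed for the illustration; the static gateway entry stands in for what an ARP ACL would supply on a real switch.

```python
# Added example (not from the course): Dynamic ARP Inspection over a
# constructed binding table and a few constructed ARP messages.
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpMessage:
    ingress_port: str
    opcode: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str

# Constructed bindings, as DHCP Snooping would have learned them: (MAC, IP).
BINDINGS = {
    ("0011.2233.4455", "10.1.1.10"),
    ("0011.2233.4466", "10.1.1.11"),
}
# The gateway has a static address, so DHCP Snooping never learns it; on a
# real switch its pair is supplied by an ARP ACL. Modelled as a second set.
STATIC_PAIRS = {("0019.557d.8880", "10.1.1.1")}
TRUSTED_PORTS = {"Gi0/1"}    # uplink toward the distribution layer

def dai_verdict(msg, bindings=BINDINGS, static=STATIC_PAIRS, trusted=TRUSTED_PORTS):
    """'forward' or 'drop' for an ARP message, decided as it is received."""
    if msg.ingress_port in trusted:
        return "forward"                       # trusted: no database lookup
    if (msg.sender_mac, msg.sender_ip) in bindings | static:
        return "forward"                       # approved MAC-IP mapping
    return "drop"

def inspect(messages):
    """Apply DAI to a batch of messages. Returns the forwarded messages and
    a constructed log line (not IOS's format) for every drop."""
    forwarded, log = [], []
    for m in messages:
        if dai_verdict(m) == "forward":
            forwarded.append(m)
        else:
            log.append(f"DAI: dropped ARP {m.opcode} on {m.ingress_port}: "
                       f"{m.sender_ip} claimed by {m.sender_mac}")
    return forwarded, log

def learn_cache(messages):
    """What a host's ARP cache holds after seeing these messages: the last
    mapping seen for an IP wins, which is exactly what cache poisoning relies on."""
    cache = {}
    for m in messages:
        cache[m.sender_ip] = m.sender_mac
    return cache

# Constructed sample traffic.
SAMPLE = [
    ArpMessage("Fa0/1", "request", "0011.2233.4455", "10.1.1.10"),  # legitimate host
    ArpMessage("Gi0/1", "reply", "0019.557d.8880", "10.1.1.1"),     # real gateway, trusted uplink
    ArpMessage("Fa0/3", "reply", "0011.2233.4477", "10.1.1.1"),     # forged: claims the gateway IP
    ArpMessage("Fa0/3", "reply", "0011.2233.4477", "10.1.1.10"),    # forged: claims another host's IP
]

if __name__ == "__main__":
    kept, log = inspect(SAMPLE)
    print("without DAI:", learn_cache(SAMPLE))   # gateway entry poisoned
    print("with DAI:   ", learn_cache(kept))     # gateway entry intact
    print("\n".join(log))
```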
Trusted/untrusted port configuration
IP Source Guard
MAC Address Flooding Attacks
MAC Address Flooding
Double Tagging
One form of VLAN Hopping is double tagging, so named
because the intruder will transmit frames that are "double
tagged" with two separate VLAN IDs. As you'll see in
our example, certain circumstances must exist for a
double tagging attack to be successful:
The intruder's host device must be attached to an access
port.
The VLAN used by that access port must be the native
VLAN.
The term "native VLAN" tips us off to the third
requirement - dot1q must be the trunking protocol in use,
since ISL doesn't use the native VLAN.
VLAN Hopping
Switch Spoofing
Multilayer Switching
What Is Multilayer Switching?
Multilayer switches are devices that switch and route
packets in the switch hardware itself. A good phrase to
describe a multilayer switch is "pure performance" - these
switches can perform packet switching up to ten
times as fast as a pure L3 router.
When it comes to Cisco Catalyst switches, this hardware
switching is performed by a router processor (or L3
engine). This processor must download routing
information to the hardware itself. To make this
hardware-based packet processing happen, Cat
switches will run either the older....um, I mean "legacy"
Multilayer Switching (MLS), or the newer Cisco Express
Forwarding (CEF).
ASICs
Application-Specific Integrated Circuits (ASICs)
will perform the L2 rewriting operation of these
packets. You know from your CCNA studies
that while the IP source and destination address
of a packet will not change during its travels
through the network, the L2 source and destination
addresses may and probably will. With
multilayer switching, it's the ASICs that perform
this L2 address overwriting.
Route Caching
The first multilayer switching (MLS) method is route caching. This
method may be more familiar to you as NetFlow switching. Route
caching devices have both a routing processor and a switching
engine. The routing processor routes a flow's first packet, the
switching engine snoops in on that packet and the destination, and
the switching engine takes over and forwards the rest of the packets
in that flow.
Now, what exactly does a "flow" consist of? A flow is a
unidirectional stream of packets from a source to a destination, and
packets on the same flow will share the same protocol. That is, if a
source is sending both WWW and TFTP packets to the same
destination, there are actually two flows of traffic. The MLS cache
entries support such unidirectional flows.
There's always room for improvement from the first implementation
of anything, though, and that improvement is Cisco Express
Forwarding.
Cisco Express Forwarding
Cisco Express Forwarding (CEF) is a highly popular
method of multilayer switching. Primarily designed for
backbone switches, this topology-based switching
method requires special hardware, so it's not available
on all L3 switches.
CEF can't be configured on 2950 switches, but you will
see it on 3550s and several other higher-numbered
series. CEF is highly scalable, and is also easier on a
switch's CPU than route caching.
CEF has two major components - the Forwarding
Information Base and the Adjacency Table.
CEF-Enabled Devices
CEF-enabled devices keep the same routing information that
a router would, but it's not found in a typical routing
table. CEF-enabled switches keep a Forwarding
Information Base (FIB) that contains the usual routing
information - the destination networks, their masks, the
next-hop IP addresses, etc - and CEF will use the FIB to
make L3 prefix-based decisions.
The FIB's contents will mirror that of the IP routing table -
actually, the FIB is really just the IP routing table in
another format. You can view the FIB with the show ip
cef command.
FIB
The FIB takes care of the L3 routing information, but what of
the L2 information we need? That's found in the Adjacency
Table (AT). As adjacent hosts are discovered via ARP, that
next-hop L2 information is kept in this table for CEF switching.
Once the appropriate L3 and L2 next-hop addresses have
been found, the MLS is just about ready to forward the
packet. The MLS will make the same changes to the packet
as a router normally would, and that includes changing the L2
destination MAC address - that's going to be changed to the
next-hop destination, as I'm sure you remember from your
CCNA studies. The L3 destination will remain the
same. (The L2 source address will change as well, to the
MAC address on the MLS switch interface that transmits the
packet.)
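The FIB lookup, adjacency lookup and rewrite just described, as an added example that is not part of the course material: a longest-prefix match in a miniature FIB gives the next hop and egress interface, the adjacency table gives the next hop's MAC, and only the L2 addresses (and the TTL) change while the L3 addresses stay as they were. Packets the hardware path cannot handle are raised as exceptions, standing in for a punt to the CPU. Every FIB entry, adjacency, interface MAC and packet is constructed.

```python
# Added example (not from the course): a miniature FIB plus adjacency table
# and the rewrite a CEF switch performs on a forwarded packet.
import ipaddress
from dataclasses import dataclass, replace

# Constructed FIB: (prefix, next-hop IP or None for a connected network, egress interface)
FIB = [
    (ipaddress.ip_network("10.1.1.0/24"), None, "Vlan10"),
    (ipaddress.ip_network("10.2.0.0/16"), "10.1.1.254", "Vlan10"),
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", "Vlan99"),
]
# Constructed adjacency table: next-hop IP -> MAC learned via ARP.
ADJACENCY = {
    "10.1.1.254": "0019.557d.8880",
    "192.168.0.1": "0019.557d.8881",
    "10.1.1.20": "0011.2233.4455",
}
# Constructed MAC of each SVI; becomes the L2 source on the way out.
INTERFACE_MAC = {"Vlan10": "000a.0a0a.0a0a", "Vlan99": "000b.0b0b.0b0b"}

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int

def fib_lookup(dst_ip):
    """Longest-prefix match: the most specific FIB entry covering dst_ip,
    or None when nothing (not even a default route) matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, egress in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, egress)
    return best

def cef_switch(pkt):
    """Return (rewritten packet, egress interface). Raises RuntimeError for
    packets the hardware path must hand to the CPU."""
    if pkt.ttl <= 1:
        raise RuntimeError("TTL expired: punt to CPU")      # exception packet
    entry = fib_lookup(pkt.dst_ip)
    if entry is None:
        raise RuntimeError("no route: punt to CPU")
    _prefix, next_hop, egress = entry
    target = next_hop or pkt.dst_ip        # connected network: deliver directly
    if target not in ADJACENCY:
        # No L2 information yet; the CPU has to resolve it with ARP first.
        raise RuntimeError(f"no adjacency for {target}: punt to CPU")
    rewritten = replace(pkt,
                        src_mac=INTERFACE_MAC[egress],   # our outgoing interface
                        dst_mac=ADJACENCY[target],       # next hop's MAC
                        ttl=pkt.ttl - 1)                 # L3 addresses untouched
    return rewritten, egress

if __name__ == "__main__":
    # Constructed packet from a host on VLAN 10 to a network behind 10.1.1.254.
    pkt = Packet("0011.2233.4466", "000a.0a0a.0a0a", "10.1.1.11", "10.2.3.4", 64)
    print(cef_switch(pkt))
```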
Enabling CEF
Enabling CEF is about as simple as it gets. CEF
is on by default on any and all CEF-enabled
switches, and you can't turn it off. Remember,
CEF is hardware-based, not software-based, so
it's not a situation where running "no cef" on a
switch will disable CEF. There's no such
command!
A multilayer switch must have IP routing enabled
for CEF to run, however. Trying to view the FIB
of a switch with IP routing not enabled results in
this console readout...
Example
SW2#show ip cef
%IPv4 CEF not running
... and then after enabling IP routing.
SW2(config)#ip routing
SW2#show ip cef
Prefix              Next Hop    Interface
0.0.0.0/32          receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive
L3 Switching
As with several advanced L3 switching
capabilities, not every L3 switch can run
CEF. For instance, the 2900XL and 3500XL do
not support CEF. Keep in mind that switches
that do support CEF do so by default, and CEF
can't be turned off on those switches!
CEF does support per-packet and per-destination load balancing, but again does
not do so on all multilayer switches. Be sure to
check your switch's capabilities before
purchasing.
The control plane's job is to first build the ARP and IP routing tables,
which makes the FIB and AT creation possible.
In turn, the data plane is also called by several different names:
"data plane"
"hardware engine"
"ASIC"
Tables for L3 Switching
The control plane builds the tables
necessary for L3 switching, but it's the
data plane that does the actual work! It's
the data plane that places data in the L3
switch's memory while the FIB and AT
tables are consulted, and then performs
any necessary encapsulation before
forwarding the data to the next hop.
Exceptions To The Rule (Of L3 Switching, That Is)
Exception packets are packets that cannot be hardware
switched, which leaves us only one option - software
switching! Comparing hardware switching to software
switching is much like comparing the hare to the tortoise - but
these tortoises are not going to win a race. Here are just a
few of the packet types that must be software switched:
Packets with IP header options
Packets that will be fragmented before transmission (because
they're exceeding the MTU)
802.3 Ethernet packets
Note that packets with TCP header options are still switched
in hardware; it's the IP header options that cause trouble!
Switching Options
1. Distributed CEF (DCEF). The name is the recipe - the CEF workload is distributed over multiple CPUs.
2. CEF
3. Fast Switching
4. Process Switching
Inter-VLAN Communication Part 1
Since you learned in your CCNA studies that switching only
happens on switches and routing only happens on routers,
you also learned that a router has to get involved for
inter-VLAN communication. Configuring router-on-a-stick is one
way to get inter-VLAN communication going, and it requires
only a single physical connection from the router to the switch.
(The port on the router needs to be a FastEthernet port,
remember.)
Having configured router-on-a-stick many times, I can tell you
that it works beautifully, but it does have its
drawbacks. Depending on how many VLANs are involved in
this configuration, they may not get all the bandwidth they
need.
Inter-VLAN Communication Part 2
Router-on-a-stick does put an extra load on the
router's processor as well, so you have to be
careful as to which router in your network you
select for this job.
The biggest concern I have personally with
ROAS is that the router becomes a single point
of failure. If that FastEthernet port goes down,
that's the end of your inter-VLAN traffic.
Configuring traffic
Step One In L3 Switching Troubleshooting:
Make Sure IP Routing Is On!
L2 Mode
Remember, the ports on a multilayer
switch will all be running in L2 mode by
default. To configure a port as a routing
port, use the no switchport command,
followed by the appropriate IP address.
Important Details
As always, there are some simple but important
details to keep in mind when configuring SVIs.
You need to create the VLAN before the SVI, and that
VLAN must be active at the time of SVI creation
Theoretically, you need to open the SVI with no shut
just as you would open a physical interface after
configuring an IP address
Remember that the VLAN and SVI work together, but
they're not the same thing. Creating a VLAN doesn't
create an SVI, and creating an SVI doesn't create a
VLAN.
Fallback Bridging
Odds are that you'll never need to configure fallback
bridging, but it falls under the category of "it couldn't hurt
to know it". CEF has a limitation in that IPX, SNA, LAT,
and AppleTalk are either not supported by CEF or, in the
case of SNA and LAT, are nonroutable protocols. If
you're running any of these on a CEF-enabled switch,
you'll need fallback bridging to get this traffic from one
VLAN to another.
Fallback bridging involves the creation of bridge groups,
and the SVIs will have to be added to these bridge
groups.
Commands
To create a bridge group:
MLS(config)# bridge-group 1
To join a SVI to a bridge group:
MLS(config)#interface vlan 10
MLS(config-if)#bridge-group 1
Redundancy
Part 1
In networking, we'll take as much redundancy as
we can get. If a router goes down, we've
obviously got real problems. Hosts are relying
on that router as a gateway to send packets to
remote networks. For true network redundancy,
we need two things:
A secondary router to handle the load when the
primary goes down
A protocol to get the hosts using that secondary
router as soon as possible
Redundancy
Part 2
That second point is so important that Cisco
currently offers four separate protocols to
expedite the cutover to the secondary
router. These methods have much the same
end result, but how they get there is another
story. It's a story you can expect to be asked
about quite a bit on your exam, so let's get to
work and hit the details of these four redundancy
strategies.
ICMP Router
Discovery Protocol
Defined in RFC 1256, IRDP is commonly used by
Windows DHCP clients and several Unix variations, but
you do see it in Cisco routers as well. IRDP is an
extension of ICMP - after all, it is the ICMP Router
Discovery Protocol!
IRDP routers will generate Router Advertisement
packets that will be heard by hosts on that segment. If a
host hears from more than one IRDP router, it will
choose one as its primary and will start using the other
router if the primary goes down. In the following
example, the PCs will choose either 172.12.1.1 or
172.12.1.2 as their default gateway.
IRDP
IRDP does not involve a virtual router of any kind - when
hosts transmit data, they will be using the IP and MAC
address of a real, physical router as the default gateway,
not the IP and MAC address of a virtual router.
Hosts may also generate Router Solicitation messages,
usually at startup, asking IRDP routers to send Router
Advertisement packets.
To enable IRDP on a router's interface, just use the ip
irdp command.
MLS(config)# interface serial0
MLS(config-if)# ip irdp
HSRP Part 1
Defined in RFC 2281, HSRP is a Cisco-proprietary
protocol in which routers are put into an HSRP router
group. Along with dynamic routing protocols and STP,
HSRP is considered a high-availability network service,
since all three have an almost immediate cutover to a
secondary path when the primary path is unavailable.
One of the routers will be selected as the primary, and
that primary will handle the routing while the other
routers are in standby, ready to handle the load if the
primary router becomes unavailable. In this fashion,
HSRP ensures a high network uptime, since it routes IP
traffic without relying on a single router.
HSRP Part 2
The hosts using HSRP as a gateway don't know
the actual IP or MAC addresses of the routers in
the group. They're communicating with a
pseudorouter, a "virtual router" created by the
HSRP configuration. This virtual router will have
a virtual MAC and IP address as well.
The standby routers aren't just going to be sitting
there, though! By configuring multiple HSRP
groups on a single interface, HSRP load
balancing can be achieved.
IP Address and
Virtual Router
An IP address was assigned to the virtual router, but not a
MAC address. However, there is a MAC address under the
show standby output on R3, the active router. How did the
HSRP process arrive at a MAC of 00-00-0c-07-ac-05?
Well, most of the work is already done before the
configuration is even begun. The MAC address 00-00-0c-07-ac-xx
is HSRP's well-known virtual MAC address (for HSRP version 1),
and xx is the group number in hexadecimal. That's a good skill to have
for the exam, so make sure you're comfortable with hex
conversions.
In this example, the group number is 5, which is expressed as
05 in two hex digits. If the group number had
been 17, we'd see 11 at the end of the MAC address - one
unit of 16, one unit of 1.
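Deriving the virtual MAC from the group number, and going the other way (recognising an HSRP or VRRP virtual MAC in an ARP table or a capture), as an added Python example. This is example code written for this edit, not from the course material. It also covers the HSRPv2 range (0000.0c9f.f000 to 0000.0c9f.ffff, group 0-4095) and the VRRP range that the slides mention later, as a generalisation of the HSRPv1 rule explained above.

```python
"""First-hop redundancy virtual MACs: derive them from the group number and
recognise them when they show up in ARP tables or captures.

Added example, not part of the course material.  The HSRPv2 range goes
beyond the slide, which only discusses HSRP version 1.
"""
import re

HSRP_V1_PREFIX = "0000.0c07.ac"   # + group 0-255 as two hex digits
HSRP_V2_PREFIX = "0000.0c9f.f"    # + group 0-4095 as three hex digits
VRRP_PREFIX = "0000.5e00.01"      # + VRID 1-255 as two hex digits


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Return the well-known HSRP virtual MAC for a group in Cisco dotted form."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"{HSRP_V1_PREFIX}{group:02x}"   # group 5 -> ...ac05, 17 -> ...ac11
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"{HSRP_V2_PREFIX}{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def vrrp_virtual_mac(vrid: int) -> str:
    """Return the VRRP virtual MAC for a virtual router ID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"{VRRP_PREFIX}{vrid:02x}"


def normalise_mac(mac: str) -> str:
    """Accept 00-00-0c-07-ac-05, 00:00:0c:07:ac:05 or 0000.0c07.ac05."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def identify_virtual_mac(mac: str):
    """Map a MAC seen on the wire back to (protocol, group), or None when it
    is an ordinary unicast address.  Handy when auditing which gateway a
    host has actually learned through ARP."""
    m = normalise_mac(mac)
    if m.startswith(HSRP_V1_PREFIX):
        return "HSRPv1", int(m[-2:], 16)
    if m.startswith(HSRP_V2_PREFIX):
        return "HSRPv2", int(m[-3:], 16)
    if m.startswith(VRRP_PREFIX):
        return "VRRP", int(m[-2:], 16)
    return None


if __name__ == "__main__":
    for g in (1, 5, 17):
        print(f"HSRP group {g:3d}: {hsrp_virtual_mac(g)}")
    print("VRRP VRID 10:", vrrp_virtual_mac(10))
    print(identify_virtual_mac("00-00-0c-07-ac-05"))
```

The reverse lookup is the part worth keeping around: a host whose ARP cache shows its gateway at a MAC outside these ranges is talking to a real interface (or to something pretending to be the gateway), not to the virtual router.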
HSRP Speakers
The output of the show standby command
also tells us that the HSRP speakers are
sending Hellos every 3 seconds, with a
10-second holdtime. These values can be
changed with the standby command, but
HSRP speakers in the same group should
have the same timers. You can even tie
down the hello time to the millisecond, but
it's doubtful you'll ever need to do that.
Priority
Another key value in the show standby
command is the priority. The default is 100, as
shown in both show standby outputs. The
router with the highest priority will be the primary
HSRP router, with the router with the highest IP
address on an HSRP-enabled interface
becoming the primary if there is a tie on
priority. We'll raise the default priority on R2 and
see the results.
Local State
Change
In just a few seconds, a message appears that the local state
has changed from standby to active. Show standby confirms
that R2, the local router, is now the active router - the
primary. R3 is now the standby. So if anyone tells you that
you have to take a router down to change the Active router,
they're wrong - you just have to use the preempt option on the
standby priority command.
What you do not have to do is configure the preempt
command if you want the standby to take over as the active
router if the current active router goes down. That's the
default behavior of HSRP. The preempt command is strictly
intended to allow a router to take over as the active router
without the current active router going down.
Load Balancing
with HSRP
We can do some load balancing with HSRP, but
it's not quite the load balancing you've learned
about with some dynamic protocols. Let's say
we have six hosts and two separate HSRP
devices. For HSRP load balancing, there will be
two HSRP groups created for the one VLAN. R2
will be the primary for Group 1 and R3 will be the
primary for Group 2. (In production networks,
you'll need to check the documentation for your
software, because not all hardware platforms
support multiple groups.)
HSRP States
Disabled - Some HSRP documentation lists this as a state,
others do not. I don't consider it one, but Cisco
may. Disabled means that the interface isn't running HSRP
yet.
Initial (Init) - The router goes into this state when an HSRP-enabled
interface first comes up. HSRP is not yet running on
a router in Initial state.
Learn - At this point, the router has a lot to learn! A router in
this state has not yet heard from the active router, does not
yet know which router is the active router, and it doesn't know
the IP address of that router, either. Other than that, it's pretty
bright. ;)
Listen - The router now knows the virtual IP address, but is
not the primary or the standby router. It's listening for hello
packets from those routers.
Speak, Standby
and Active
Speak -- The router is now sending Hello
messages and is active in the election of the
primary and standby routers.
Standby -- The router is now a candidate to
become the active router, and sends Hello
messages.
Active -- The router is now forwarding packets
sent to the group's virtual IP address.
Multiple HSRP
Groups
Note that an HSRP router doesn't send Hellos
until it reaches the Speak state. It will continue
to send Hellos in the Standby and Active states
as well.
There's also no problem with configuring an
interface to participate in multiple HSRP groups
on most Cisco routers. Some 2500, 3000, and
4000 routers do not have this capability. Always
verify with show standby, and note that this
command indicates that there's a problem with
one of the virtual IP addresses!
Show Standby
Command
R1#show standby
FastEthernet0/0 - Group 1
  State is Listen
  Virtual IP address is 172.12.23.10
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 5
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 172.12.34.10 (wrong subnet for this interface)
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-5" (default)
HSRP Interface
Tracking
Using interface tracking can be a little tricky at
first, but it's a feature that can really come in
handy. Basically, this feature enables the HSRP
process to monitor an additional interface; the
status of this interface will dynamically change
the HSRP priority for a specified group. When
that interface's line protocol shows as "down",
the HSRP priority of the router is reduced. This
can lead to another HSRP router on the network
becoming the active router - but that other router
must be configured with the preempt option.
Default Priority
In the following network, R2 is the primary due to its
priority of 105. R3 has the default priority of 100. R2 will
therefore be handling all the traffic sent to the virtual
router's IP address of 172.12.23.10. That's fine, but
there is a potential single point of failure. If R2's Serial0
interface fails, the hosts will be unable to reach the
server farm. HSRP can be configured to drop R2's
priority if the line protocol of R2's Serial0 interface goes
down, making R3 the primary router. (The default
decrement in the priority when the tracked interface goes
down is 10.)
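The election rules from the priority, preempt and interface-tracking slides above, as an added Python model. This is example code written for this edit, not from the course material; it models the rules the slides describe, not the real hello exchange. It assumes the IOS default decrement of 10 and floors the effective priority at 0, which is a simplification. The R2/R3 walk-through at the end reproduces the slide's scenario, and the virtual_ip_ok helper is the check behind the "Init (virtual IP in wrong subnet)" line in the show standby output earlier. One thing the model makes obvious: any speaker on the segment that sends hellos with priority 255 and preempt wins, which is why production HSRP groups should carry authentication (standby <group> authentication md5 key-string ...) and why a rogue device speaking HSRP on a user VLAN is a textbook gateway hijack.

```python
"""Simulate an HSRP group: who becomes active given priorities, preempt and
interface tracking.  Added example, not course material; it models the rules
the slides describe rather than the real HSRP packet exchange.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # real interface address, used as tie-breaker
    priority: int = 100          # 'standby <grp> priority' (default 100)
    preempt: bool = False        # 'standby <grp> preempt' (off by default)
    tracking: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)         # interfaces with line protocol down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface
        that is down (IOS default decrement is 10).  Floored at 0 here, which
        is a simplification of this model."""
        penalty = sum(dec for ifc, dec in self.tracking.items() if ifc in self.down)
        return max(self.priority - penalty, 0)


def _rank(r: HsrpRouter):
    return (r.effective_priority(), int(ipaddress.IPv4Address(r.ip)))


def elect_active(alive: list, current_active: Optional[str] = None) -> str:
    """Return the name of the active router after one election round.

    Highest effective priority wins, highest IP breaks ties.  A router that
    is already active keeps the role unless it has disappeared (not in
    `alive`) or the better candidate is configured with preempt, which is
    exactly the point the slides make about 'preempt'.
    """
    if not alive:
        raise ValueError("no HSRP speakers left")
    best = max(alive, key=_rank)
    current = next((r for r in alive if r.name == current_active), None)
    if current is None or best is current:
        return best.name
    return best.name if best.preempt else current.name


def virtual_ip_ok(interface_cidr: str, virtual_ip: str) -> bool:
    """The 'Init (virtual IP in wrong subnet)' check: the standby address
    must fall inside the interface's own subnet."""
    return ipaddress.IPv4Address(virtual_ip) in ipaddress.IPv4Interface(interface_cidr).network


def tracking_scenario() -> list:
    """Walk through the slides' R2/R3 example; returns (step, active) pairs."""
    r2 = HsrpRouter("R2", "172.12.23.2", priority=105, tracking={"Serial0": 10})
    r3 = HsrpRouter("R3", "172.12.23.3")
    steps = []
    active = elect_active([r2, r3])
    steps.append(("initial election", active))                  # R2: 105 > 100
    r2.down.add("Serial0")                                       # R2 drops to 95
    active = elect_active([r2, r3], active)
    steps.append(("Serial0 down, R3 without preempt", active))   # still R2
    r3.preempt = True
    active = elect_active([r2, r3], active)
    steps.append(("Serial0 down, R3 with preempt", active))      # now R3
    r2.down.clear()                                              # R2 back to 105
    active = elect_active([r2, r3], active)
    steps.append(("Serial0 up, R2 without preempt", active))     # still R3
    return steps


if __name__ == "__main__":
    for step, active in tracking_scenario():
        print(f"{step:40s} -> {active}")
```

The last step is the one operators forget: once R3 has taken over, R2 does not get the role back when Serial0 recovers unless R2 is also configured with preempt.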
Priority/decrement
value problem example
R1#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 01:08:58
  Virtual IP address is 172.12.23.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.872 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
FastEthernet0/0 - Group 5
  State is Init (virtual IP in wrong subnet)
  Virtual IP address is 172.12.34.10 (wrong subnet for this interface)
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is unknown
  Priority 75 (default 100)
    Track interface Serial0/0 state Down decrement 25
  IP redundancy name is "hsrp-Fa0/0-5" (default)
Debug Example
R1#debug standby
*Apr 9 20:15:10.542: HSRP: Fa0/0 API MAC address update
*Apr 9 20:15:10.546: HSRP: Fa0/0 API Software interface coming up
*Apr 9 20:15:10.550: HSRP: Fa0/0 API Add active HSRP addresses to ARP table
*Apr 9 20:15:10.554: HSRP: Fa0/0 API Add active HSRP addresses to ARP table
R1#
*Apr 9 20:15:11.648: %SYS-5-CONFIG_I: Configured from console by console
*Apr 9 20:15:12.541: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
R1#
*Apr 9 20:15:12.541: HSRP: API Hardware state change
*Apr 9 20:15:12.541: HSRP: Fa0/0 API Software interface coming up
*Apr 9 20:15:12.545: HSRP: Fa0/0 API Add active HSRP addresses to ARP table
*Apr 9 20:15:13.483: HSRP: Fa0/0 Interface up
*Apr 9 20:15:13.483: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*Apr 9 20:15:13.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1#
*Apr 9 20:15:14.485: HSRP: Fa0/0 Interface min delay expired
*Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled
*Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Init -> Listen
*Apr 9 20:15:14.485: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Init -> Backup
VRRP Part 1
Defined in RFC 2338, VRRP is the open-standard
equivalent of the Cisco-proprietary HSRP. VRRP works
very much like HSRP, and is suited to a multivendor
environment. The operation of the two is so similar that
you basically learned VRRP while going through the
HSRP section! There are a few minor differences, a few
of which are:
VRRP's equivalent to HSRP's Active router is the Master
router. VRRP documentation also defines an IP Address Owner: the
router that has the virtual router's IP address as a real IP address
on the interface it will receive packets on. The owner always has
priority 255, so it becomes Master whenever it is available; when
it is down, any other router in the group can be Master.
VRRP Part 2
The physical routers in a VRRP Group combine to form a Virtual
Router.
VRRP Advertisements are multicast to 224.0.0.18.
VRRP's equivalent to HSRP's Standby router state is the Backup
state.
The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx,
and you guessed it - the xx is the group number in hexadecimal.
"preempt" is a default setting for VRRP routers.
As of IOS Version 12.3(2)T, VRRP now has an Object Tracking
feature. Similar to HSRP's Interface Tracking feature, a WAN
interface can be tracked and a router's VRRP priority dropped
when that interface goes down.
Key to GLBP
The key to GLBP is that when a host
sends an ARP request for the MAC of the
virtual router, one of the physical routers
will answer. The host will then have the IP
address of the virtual router and the MAC
address of a physical router in the group.
In the following illustrations, the three
hosts send an ARP request for the MAC of
the virtual router.
Active Virtual
Gateway
The Active Virtual Gateway (AVG) will be the router with
the highest GLBP priority, and this router will send back
ARP responses containing virtual MAC addresses. The
virtual MAC addresses are assigned by the AVG as
well. The three hosts will have the same Layer 3
address for their gateway, but a different L2 address,
accomplishing the desired load balancing while allowing
standard configuration on the hosts. (If the routers all
have the same GLBP priority, the router with the highest
IP address will become the AVG.)
GLBP's load
balancing
GLBP's load balancing also offers the opportunity to fine-tune
it to your network's needs. GLBP offers three
different forms of MAC address assignment, the default
being round-robin. With round-robin assignments, a host
that sends an ARP request will receive a response
containing the next virtual MAC address in line.
If a host or hosts need the same MAC gateway address
every time they send an ARP request, host-dependent
load balancing is the way to go.
Weighted MAC assignments affect the percentage of
traffic that will be sent to a given AVF. The higher the
assigned weight, the more often that particular router's
virtual MAC will be sent to a requesting host.
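The three MAC-assignment methods described above, as an added Python model of the AVG's ARP handling. This is example code written for this edit, not from the course material. The virtual MAC values and host MACs are constructed sample data; the host-dependent hash and the smooth weighted rotation are this model's own choices, not GLBP's internal algorithm, but the observable behaviour the slide describes (same gateway IP, a different forwarder MAC per host, weights shifting the share) is what it reproduces.

```python
"""Model of how a GLBP Active Virtual Gateway hands out virtual MACs in ARP
replies.  Added example, not course material.  The host-dependent hash and
the smooth weighted rotation are this model's own choices, not GLBP's
internal algorithm; the MAC values are constructed samples.
"""
import hashlib


class ActiveVirtualGateway:
    def __init__(self, virtual_ip: str, forwarders: dict, method: str = "round-robin"):
        """forwarders: virtual MAC -> weight (weights only matter for 'weighted')."""
        if method not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError(f"unknown load-balancing method {method!r}")
        self.virtual_ip = virtual_ip
        self.macs = list(forwarders)          # AVF virtual MACs, in order
        self.weights = dict(forwarders)
        self.method = method
        self._next = 0                        # round-robin cursor
        self._credit = {mac: 0 for mac in self.macs}

    def arp_reply(self, host_mac: str) -> tuple:
        """Answer an ARP request for the virtual IP: returns (ip, virtual MAC).
        Every host gets the same IP; which MAC it gets depends on the method."""
        if self.method == "round-robin":
            mac = self.macs[self._next % len(self.macs)]
            self._next += 1
        elif self.method == "host-dependent":
            # deterministic per requesting host, so it always lands on the same AVF
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            mac = self.macs[int.from_bytes(digest[:4], "big") % len(self.macs)]
        else:
            mac = self._weighted_pick()
        return self.virtual_ip, mac

    def _weighted_pick(self) -> str:
        """Smooth weighted round-robin: each AVF earns credit equal to its
        weight per request, the richest one answers and pays back the total.
        Over sum(weights) requests each AVF answers exactly `weight` times."""
        total = sum(self.weights.values())
        for mac in self.macs:
            self._credit[mac] += self.weights[mac]
        best = max(self.macs, key=lambda m: self._credit[m])
        self._credit[best] -= total
        return best


def distribution(avg: ActiveVirtualGateway, hosts: list) -> dict:
    """Count how many of `hosts` each virtual MAC was handed to."""
    counts = {mac: 0 for mac in avg.macs}
    for host in hosts:
        counts[avg.arp_reply(host)[1]] += 1
    return counts


if __name__ == "__main__":
    avg = ActiveVirtualGateway("172.1.1.10", {"0007.b400.0501": 3, "0007.b400.0502": 1},
                               method="weighted")
    print(distribution(avg, [f"0011.2233.{i:04x}" for i in range(8)]))
```

Because the decision is made in the ARP reply, the balance only changes when hosts re-ARP; a host that caches the gateway MAC keeps using the same forwarder until its ARP entry ages out.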
Command
examples
GLBP is enabled just as VRRP and HSRP are - by
assigning an IP address to the virtual router. The
following command will assign the address 172.1.1.10 to
group 5.
MLS(config-if)# glbp 5 ip 172.1.1.10
To change the interface priority, use the glbp priority
command. To allow the local router to preempt the
current AVG, use the glbp preempt command.
MLS(config-if)# glbp 5 priority 150
MLS(config-if)# glbp 5 preempt
Server Load
Balancing
We've talked at length about how Cisco routers and
multilayer switches can work to provide router
redundancy - but there's another helpful service, Server
Load Balancing, that does the same for servers. While
HSRP, VRRP, and GLBP all represent multiple physical
routers to hosts as a single virtual router, SLB represents
multiple physical servers to hosts as a single virtual
server.
In the following illustration, three physical servers have
been placed into the SLB server farm ServFarm. They're
represented to the hosts as the virtual server 210.1.1.14.
Hosts
communication
The hosts will seek to communicate with the server at
210.1.1.14, not knowing that they're actually
communicating with the real servers in ServFarm. This allows
quick cutover if one of the physical servers goes down,
and also serves to hide the actual IP addresses of the
servers in ServFarm.
The basic operation of SLB involves creating the server
farm, followed by creating the virtual server. We'll first
add 210.1.1.11 to the server farm:
MLS(config)# ip slb serverfarm ServFarm
MLS(config-slb-sfarm)# real 210.1.1.11
MLS(config-slb-real)# inservice
Creating Server
Farm
The first command creates the server farm, with the real
command specifying the IP address of the real
server. The inservice command is required by SLB to
consider the server as ready to handle the server farm's
workload. The real and inservice commands should be
repeated for each server in the server farm.
To create the virtual server:
MLS(config)# ip slb vserver VIRTUAL_SERVER
MLS(config-slb-vserver)# serverfarm ServFarm
MLS(config-slb-vserver)# virtual 210.1.1.14
MLS(config-slb-vserver)# inservice
Controlling
connections
You may also want to control which of your
network hosts can connect to the virtual
server. If hosts or subnets are named with the
client command, those will be the only clients
that can connect to the virtual server. Note that
this command uses wildcard masks. The
following configuration would allow only the
hosts on the subnet 210.1.1.0 /24 to connect to
the virtual server.
MLS(config-slb-vserver)# client 210.1.1.0 0.0.0.255
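What the client command actually matches, as an added Python example (written for this edit, not course material). It reimplements wildcard-mask matching so the difference between a wildcard (0.0.0.255) and a subnet mask (255.255.255.0) is visible: typing the latter by habit does not restrict the vserver to 210.1.1.0/24, it matches every address whose last octet is 0 and nothing else. The client lists and addresses used are constructed samples.

```python
"""Wildcard-mask matching as used by 'client <addr> <wildcard>' on an SLB
virtual server.  Added example, not course material.  A 1 bit in the
wildcard means 'don't care'; 0 bits must match the base address.
"""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src_ip: str, base: str, wildcard: str) -> bool:
    """True when src_ip agrees with base on every bit the wildcard cares about."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(src_ip) & care) == (_to_int(base) & care)


def client_allowed(client_entries: list, src_ip: str) -> bool:
    """Emulate the vserver check: with no 'client' lines every host may
    connect; otherwise only hosts matching at least one (base, wildcard)
    pair may."""
    if not client_entries:
        return True
    return any(wildcard_match(src_ip, base, wc) for base, wc in client_entries)


def wildcard_to_prefixlen(wildcard: str):
    """Return the prefix length when the wildcard is a contiguous inverse
    mask, or None when it is not (e.g. 0.255.0.255), which still matches
    something but is rarely what the operator meant."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    if care == 0:
        return 0
    if (care | (care - 1)) != 0xFFFFFFFF:   # ones must be contiguous on the left
        return None
    return bin(care).count("1")


if __name__ == "__main__":
    allowed = [("210.1.1.0", "0.0.0.255")]       # the slide's configuration
    for ip in ("210.1.1.77", "210.1.2.77"):
        print(ip, client_allowed(allowed, ip))
    # the classic mistake: a subnet mask where a wildcard belongs
    print(wildcard_match("210.1.1.77", "210.1.1.0", "255.255.255.0"))  # False
    print(wildcard_to_prefixlen("0.0.0.255"), wildcard_to_prefixlen("0.255.0.255"))
```

wildcard_to_prefixlen is the lint check worth running over an exported configuration: any client line it returns None for deserves a second look, because a non-contiguous wildcard almost always means a subnet mask was typed by mistake.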
IP Telephony &
Cisco IP Phones
IP Phone Basics
Voice VLANs
Voice QoS
DiffServ at L2 & L3
Trusting Incoming Values
Basics of AVVID
Power Over Ethernet
Voice over IP
If you don't have much (or any) experience with Voice over IP
(VoIP) yet, you're okay for now; you'll be able to understand
this chapter with no problem. I say "for now" because all of us
need to know some basic VoIP.
Voice and security are the two fastest-growing sectors of our
business. They're not going to slow down anytime soon,
either. Once you're done with your CCNP, I urge you to look
into a Cisco voice certification. There are plenty of good
vendor-independent VoIP books on the market as well.
Most Cisco IP phones will have three ports. One will be
connected to a Catalyst switch, another to the phone ASIC,
and another will be an access port that will connect to a PC.
Four Choices
When it comes to the link between switch
and the IP Phone, we've got four choices:
Configure the link as an access link
Configure the link as a trunk link and use 802.1p
Configure the link as a trunk link and do not tag voice traffic
Configure the link as a trunk link and specify a Voice VLAN
Dot1p Option
Three Main
Enemies
I mentioned jitter earlier, but we've got
three main enemies when it comes to
successful voice transmission:
Jitter
Delay
Packet Loss
QoS
DiffServ
That issue is addressed with the
Differentiated Services Model, or DiffServ.
Where IntServ reserves an entire path in
advance for the entire voice packet flow to
use, DiffServ does not reserve bandwidth
for the flow; instead, DiffServ makes its
QoS decisions on a per-hop basis as the
flow traverses the network.
DiffServ Model
The DiffServ model allows each network device along
the way to make a separate decision on how best to
forward the packet towards its intended destination,
rather than having all forwarding decisions made in
advance. This process is Per-Hop Behavior (PHB).
The core tasks of DiffServ QoS are classification and
marking. (They are two separate operations, but
they work very closely together, as you'll see.) Classification
is deciding which class a packet belongs to, by looking at
addresses, ports, or a marking it already carries; marking
is the process of tagging the data with a value that records
that decision, so that every later hop can queue and transmit
the data according to that value without classifying it again.
Class of Service
Part 1
You know that the physical link between two switches is
a trunk, and you know that the VLAN ID is tagged on the
frame before it goes across the trunk. You might not
know that another value, a Class of Service (CoS) value,
can also be placed on that frame. Where the VLAN ID
indicates the VLAN whose hosts should receive the
frame, the CoS is used by the switch to make decisions
on what QoS, if any, the frame should receive.
It certainly won't surprise you to find that our trunking
protocols, ISL and IEEE 802.1Q (dot1q), handle CoS
differently. Hey, with all the differences between these
two that you've already mastered, this is easy!
Class of Service
Part 2
The ISL header includes a 4-bit User field; the last
three bits of that field indicate the CoS value. I
know I don't have to tell you this, but three
binary bits give us a range of decimal values of 0
to 7.
The dot1q tag has a priority field as well, but this
field is built a little differently. The dot1q Tag Control
Information field has three 802.1p priority bits that make up
the CoS value, and again that gives us a
decimal range of 0-7. Since CoS lives in the tag, it only
exists on tagged frames; an untagged frame on an access
link has nowhere to carry it.
ToS
The IP ToS byte consists of...
an IP precedence value, generally referred to as IP Prec (3 bits)
a Type Of Service value (4 bits)
a zero (1 bit)
That is the original RFC 791 layout. DiffServ (RFC 2474)
reinterprets the same byte as a 6-bit Differentiated Services
Code Point (DSCP) followed by 2 bits now used for ECN. The
Class Selector values below are DSCP values whose low three
bits are zero, so they line up exactly with the old IP
precedence values.
Class Selector
Values
Here's a quick description of the Class Selector values and
their meanings:
Class 7 (111) Network Control, and the name is the recipe:
this value is reserved for network control traffic (STP, routing
protocol traffic, etc.)
Class 6 (110) Internetwork Control, same purpose as Network
Control
Class 5 (101) Expedited Forwarding (EF, RFC 2598). The EF
code point itself is DSCP 46 (101110), which sits in class 5.
Reserved for voice traffic and other time-critical data. Traffic in
this class is practically guaranteed not to be dropped, as long
as it stays within the rate the EF queue is policed to.
Classes 1-4 (001-100) Assured Forwarding (AF, RFC 2597)
These classes allow us to define QoS for traffic that is not as
time-critical as that in Class 5, but that should not be left to best-effort forwarding, which is...
Class 0 (000) Best-effort forwarding. This is the default.
Assured Forwarding
classes
We've got four different classes in Assured Forwarding,
and RFC 2597 defines three Drop Precedence values for
each of those classes:
High 3
Medium 2
Low 1
The resulting code points are written AFxy, with x the class and
y the drop precedence, so AF31 (DSCP 26) is class 3 with low
drop precedence and AF33 (DSCP 30) is the same class with high
drop precedence. Higher drop precedence means dropped first
when the class's queue is congested.
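The fields described across the CoS, ToS, Class Selector and Assured Forwarding slides, decoded in one added Python example (written for this edit, not from the course). It also includes two things the chapter only touches on: the Catalyst default cos-dscp map (0 8 16 24 32 40 48 56), and a trust-boundary helper that re-marks anything arriving on an untrusted port to 0, because the PC plugged into the phone's access port can set its own CoS or DSCP and would otherwise be granted voice treatment. The ToS and tag values used below are constructed samples.

```python
"""Decode and sanity-check the QoS markings the slides describe: 802.1Q CoS
bits, the IP ToS byte in both its RFC 791 (precedence) and DiffServ (DSCP)
reading, and the PHB each DSCP value names.  Added example, not course
material.  The trust-boundary helper is a simplification of 'mls qos trust':
it re-marks to 0 whatever arrives on an untrusted port.
"""


def decode_dot1q_tci(tci: int) -> dict:
    """Tag Control Information: 3 priority (CoS) bits, 1 DEI bit, 12-bit VLAN ID."""
    if not 0 <= tci <= 0xFFFF:
        raise ValueError("TCI is a 16-bit field")
    return {"cos": tci >> 13, "dei": (tci >> 12) & 1, "vlan": tci & 0x0FFF}


def decode_tos(tos: int) -> dict:
    """One byte, two readings: RFC 791 precedence(3)+ToS(4)+MBZ(1), and
    DiffServ DSCP(6)+ECN(2), which is what QoS policies actually act on."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    return {
        "precedence": tos >> 5,
        "tos_bits": (tos >> 1) & 0xF,
        "mbz": tos & 1,
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
    }


def dscp_phb(dscp: int) -> str:
    """Name the per-hop behaviour for a DSCP value: EF (46), CSn (n*8, with
    CS0 = best effort), AFxy (RFC 2597: class x 1-4, drop precedence y 1-3),
    otherwise a raw DSCP that names no standard PHB."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"CS{cls}"
    drop = low >> 1
    if 1 <= cls <= 4 and low & 1 == 0 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"


def default_cos_to_dscp(cos: int) -> int:
    """Catalyst default cos-dscp map 0 8 16 24 32 40 48 56: CoS n -> CSn.
    Voice deployments usually override CoS 5 -> 46 (EF)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS is 3 bits")
    return cos * 8


def ingress_dscp(received_dscp: int, port_trusted: bool) -> int:
    """Trust boundary: keep the marking only from a trusted port (the phone);
    otherwise re-mark to 0 so a PC cannot grant itself EF treatment."""
    if not 0 <= received_dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    return received_dscp if port_trusted else 0


if __name__ == "__main__":
    print(decode_tos(0xB8), dscp_phb(46))          # voice: precedence 5, DSCP 46 = EF
    print(decode_dot1q_tci(0xA00A))                # CoS 5 on VLAN 10
    print(ingress_dscp(46, port_trusted=False))    # PC claiming EF gets re-marked to 0
```

Reading the same byte both ways is the point: a capture filter that checks "IP precedence 5" will happily match EF voice, but it will also match DSCP 40 through 47, so policies should be written against the DSCP value.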
Other Techniques
We've talked at length about using a priority queue for voice traffic,
but there are some other techniques we can use as well. As with
any other QoS, the classification and marking of traffic should be
performed as close to the traffic source as possible. Access-layer
switches should always perform this task, not only to keep the extra
workload off the core switches but to ensure the end-to-end QoS
you wanted to configure is the QoS you're getting.
Another method of improving VoIP quality is to configure RTP
Header Compression. This compression takes the IP/UDP/RTP
header from its usual 40 bytes down to 2-4 bytes.
RTP header compression is configured with the interface-level ip rtp
header-compression command, with one option you should know
about: passive. If the passive option is configured, outgoing
packets are subject to RTP compression only if incoming packets
are arriving compressed.
AVVID Part 1
Cisco's Architecture for Voice, Video, and Integrated
Data (AVVID) is a comprehensive network architecture
approach which integrates Voice and Video into an
existing Data network. (But you knew that from the
name, right?)
A PDF available on Cisco's website lists these five
AVVID components as primary concerns:
High Availability
Quality of Service
Security
Enterprise Mobility
Scalability
AVVID Part 2
Basically, AVVID is designed to take an
organization's existing infrastructures and
combine them into one large infrastructure.
Cisco's theory holds that doing so will reduce
overall costs while preparing the infrastructure to
run the latest and greatest Cisco technologies.
Storage Networking is becoming more and more
important every day, and is also an important
part of an AVVID design.
Wide-Ranging
AVVID
To show you how wide-ranging AVVID is, a
single AVVID infrastructure is designed to hold
all of the following hardware:
Cisco routers
Cat switches
IP phones
Voice trunking
Cisco Call Manager
Analog and digital gateways to the PSTN
Voice modules
POE
With POE, the electricity necessary to power the IP
Phone is actually transferred from the switch to the
phone over the UTP cable that already connects the two
devices.
Not every switch is capable of running POE. Check your
particular switch's documentation for POE capabilities
and details.
The IEEE standard for POE is 802.3af. There is also a
proposed standard for High-Power POE, 802.3at. To
read more than you'd ever want to know about POE, visit
http://www.poweroverethernet.com.
POE-capable
switches Part 1
By default, ports on POE-capable switches do attempt to
find a device needing power on the other end of the link.
We've got a couple of options for POE as well:
SW4(config)#int fast 1/0/1
SW4(config-if)#power inline ?
  auto         Automatically detect and power inline devices
  consumption  Configure the inline device consumption
  never        Never apply inline power
  static       High priority inline power interface
POE-capable
switches Part 2
The auto setting is the default. The
consumption option allows you to set the level of
power sent to the device:
SW4(config-if)#power inline consumption ?
And naturally, the never option disables POE on
that port. POE options and capabilities differ
from one device to the next, so check your
switch's documentation carefully before using
POE.
Wireless
Networking
WLAN
A common wireless topology is an Infrastructure
Wireless Local Area Network (WLAN), also called a
Basic Service Set (BSS), where a Wireless Access
Point (WAP) is used to allow multiple devices to
intercommunicate. The area of coverage the WAP provides
is called a cell, and as any of us who have used wireless
networks know, that cell can shrink and grow without
warning!
Hosts successfully connecting to the WAP in a BSS are said
to have formed an association with the WAP. Forming this
association usually requires the host to present required
authentication and/or the correct Service Set Identifier (SSID).
The SSID is the public name of the wireless network. An SSID
is simply a string of text. SSIDs are case-sensitive and can
be up to 32 characters in length. Knowing the SSID is not a
security control: it is broadcast in beacons by default and is
visible in probe requests even when broadcasting is turned off.
AP vs. WAP
Cisco uses the term AP instead of WAP in much of their
documentation; just be prepared to see this term expressed either
way on your exam and in network documentation. I'll call it an AP
for the rest of this section.
A BSS operates much like a hub-and-spoke network in that all
communication must go through the hub, which in this case is the
AP.
APs can also be arranged in such a way that a mobile user, or
roaming user, will (theoretically) always be in the provider's
coverage area. Those of us who are roaming users understand the
"theoretical" part!
Speaking as a roaming user, did you ever wonder how your wireless
card decides to quit using its current AP and start using the next one
in line? Well, keep wondering. :) Seriously, wireless vendors keep
us guessing on this one, since they all use different standards on
when that cutover needs to be performed.
Active and
Passive scanning
What we do know is that there are two different methods
the client can use to find the next AP - active scanning
and passive scanning. With active scanning, the client
sends Probe Request frames and then waits to hear
Probe Responses. If multiple Probe Responses are
heard, the client chooses the most appropriate WAP to
use in accordance with vendor standards.
Passive scanning is just what it sounds like - the client
listens for beacon frames from APs. No Probe Request
frames are sent.
WLAN
Authentication (And
Lack of Same)
Of course, you don't want just any wireless client
connecting to your WLAN! The 802.11 WLAN
standards have two different authentication schemes: open system
and shared key. They're both pretty much
what they sound like.
Open system is basically one station asking the
receiving station "Hey, do you recognize me?"
Hopefully, shared key is the authentication system you're
more familiar with, since open system is a little too
open! Shared key uses Wired Equivalent Privacy (WEP)
to provide a higher level of security than open system.
Be aware, though, that WEP is cryptographically broken, and
shared-key authentication makes it worse: the challenge and
the WEP-encrypted response both cross the air, which hands an
eavesdropper a known-plaintext keystream. Neither scheme
should be relied on; the EAP and WPA material that follows is
the real answer.
A Giant LEAP
Forward
The Extensible Authentication Protocol (EAP) was
actually developed originally for PPP authentication, but
has been successfully adapted for use in wireless
networks. RFC 3748 defines EAP.
Cisco's proprietary version of EAP is LEAP, the
Lightweight Extensible Authentication Protocol. LEAP
has several advantages over WEP:
There is two-way authentication between the AP and the client
The AP uses a RADIUS server to authenticate the client
The keys are dynamic, not static, so a different key is generated
upon every authentication
LEAP's own MS-CHAP-based challenge/response is vulnerable to
offline dictionary attacks against the user's password (the asleap
tool is the well-known demonstration), and Cisco has since
recommended EAP-FAST or another tunneled EAP method in its place.
Wi-Fi Alliance
Recognizing the weaknesses inherent in WEP, the Wi-Fi
Alliance (their home page is http://wi-fi.org) saw the need for
stronger security features in the wireless world. Their answer
was Wi-Fi Protected Access (WPA), a higher standard for
wireless security.
Basically, WPA was adopted by many wireless equipment
vendors while the IEEE was working on a higher standard as
well, 802.11i - but it wasn't adopted by every vendor. As a
result, WPA is considered to work universally with wireless
NICs, but not with all early APs.
When the IEEE issued 802.11i, the Wi-Fi Alliance improved
the original WPA standards, and came up with WPA2. As you
might expect, not all older wireless cards will work with WPA2.
IBSS
APs are not required to create a wireless
network. In an ad hoc WLAN ("wireless
LAN"), the wireless devices communicate
with no AP involved. The official name for
an ad hoc WLAN is an Independent Basic
Service Set (IBSS). In the real world,
you'll almost always hear them called ad hoc
networks, but it couldn't hurt to keep the
official name in mind for your exam.
802.11a, 802.11b,
802.11g
802.11a has a typical data rate of 25 MBPS, but can
reach speeds of 54 MBPS. Indoor range is 100
feet. Operating frequency is 5 GHz.
802.11b has a typical data rate of 6.5 MBPS, but
can reach speeds of 11 MBPS. Indoor range is 100
feet. Operating frequency is 2.4 GHz.
802.11g has a typical data rate of 25 MBPS, a peak
data rate of 54 MBPS, and an indoor range of 100
feet. Operating frequency is 2.4 GHz. 802.11b and
802.11g are compatible to the point where many
wireless routers and cards that use these standards
are referred to as "802.11b/g", or just "b/g".
802.11g and
802.11n
You can have trouble with 802.11g from an unexpected
source: popcorn! Well, not directly, but microwave ovens
also share the 2.4 GHz band, and the presence of a
microwave in an office can actually cause connectivity issues.
(And you thought they were just annoying when people burn
popcorn in the office microwave!) Solid objects such as walls
and other buildings can disturb the signal in any frequency band.
802.11n has a typical data rate of 200 MBPS, a peak data
rate of 540 MBPS, and an indoor range of 160
feet. Operating frequency is either 2.4 GHz or 5 GHz.
Infrared Data
Association (IrDA)
The IrDA is another body that defines specifications, but the
IrDA is concerned with standards for transmitting data over
infrared light. IrDA 1.0 only allowed for a range of 1 meter
and transmitted data at approximately 115 KBPS. The
transmission speed was greatly improved with IrDA 1.1, which
has a theoretical maximum speed of 4 MBPS. The two
standards are compatible.
Keep in mind that neither IrDA standard has anything to do
with radio frequencies - only infrared light streams.
The IrDA notes that to reach that 4 MBPS speed, the
hardware must be 1.1 compliant, and even that might not be
enough - the software may have to be modified as
well. Which doesn't sound like fun.
Antenna Types
Part 1
A Yagi antenna (technically, the full name is
"Yagi-Uda antenna") sends its signal in a single
direction, which means it must be aligned
correctly and kept that way. Yagi antennas are
sometimes called directional antennas, since
they send their signal in a particular direction.
In contrast, an Omni ("omnidirectional") antenna
sends a signal in all directions on a particular
plane.
Antenna Types
Part 2
Since this is networking, we can't just call these
antennae by one name! Yagis are also known as point-to-point and directional antennas; Omni antennas are also
known as omnidirectional and point-to-multipoint
antennas.
Both Yagi and Omni antennas have their place in
wireless networks. The unidirectional signal a Yagi
antenna sends makes it particularly helpful in bridging
the distance between APs. The multidirectional signal
sent by Omni antennas helps connect hosts to APs,
including roaming laptop users -- like the ones who
connect to the Net while eating lunch!
CSMA/CA
With "Wireless LANs", life isn't so simple. Wireless LANs
can't listen and send at the same time - they're half-duplex - so traditional collision detection techniques cannot
work. Instead, wireless LANs will use IEEE standard 802.11,
CSMA/CA (Carrier Sense Multiple Access with Collision
Avoidance).
Let's walk through an example of Wireless LAN access, and
you'll see where the avoidance part of CSMA/CA comes in.
The foundation of CSMA/CA is the Distributed Coordination
Function (DCF). The key rule of DCF is that when a station
wants to send data, the station must wait for the Distributed
Interframe Space (DIFS) time interval to expire before doing
so. In our example, Host A finds the wireless channel to be
idle, waits for the DIFS timer to expire, and then sends
frames.
DCF-speak
In DCF-speak, this random amount of time
is the Backoff Time. The formula for
computing Backoff Time is beyond the
scope of the BCMSN exam, but the
computation does involve a random
number, and that random value helps
avoid collisions.
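The DIFS-then-random-backoff behaviour described above, as an added Python simulation that is not part of the course material: each station draws a random slot count in [0, CW], CW doubles after a collision (CWmin 15 and CWmax 1023 are assumed 802.11a/g defaults), and the random draw is what keeps two stations that both found the channel idle from colliding every time.

```python
import random

CW_MIN = 15     # initial contention window in slots (802.11a/g default, assumed here)
CW_MAX = 1023   # the window stops growing here after repeated collisions


class Station:
    """One wireless host contending for the channel under DCF."""

    def __init__(self, name, rng):
        self.name, self.rng = name, rng
        self.cw = CW_MIN
        self.backoff = None        # remaining backoff slots; None = nothing to send

    def start_contention(self):
        # After sensing the channel idle for DIFS, pick a random slot count in
        # [0, cw]. The random draw is the "avoidance": two stations that both
        # saw the channel go idle at the same instant rarely pick the same slot.
        self.backoff = self.rng.randint(0, self.cw)

    def on_collision(self):
        # Binary exponential backoff: widen the window so the next draw is
        # even less likely to coincide with another station's.
        self.cw = min(2 * self.cw + 1, CW_MAX)
        self.start_contention()

    def on_success(self):
        self.cw = CW_MIN
        self.backoff = None


def run_dcf(names, seed=1, max_rounds=50):
    """Worst case: every station has a frame ready at the same instant.
    Returns (transmission order, number of collisions)."""
    rng = random.Random(seed)
    stations = [Station(n, rng) for n in names]
    for s in stations:
        s.start_contention()               # channel idle, DIFS has expired
    order, collisions = [], 0
    for _ in range(max_rounds):
        waiting = [s for s in stations if s.backoff is not None]
        if not waiting:
            break
        lowest = min(s.backoff for s in waiting)
        winners = [s for s in waiting if s.backoff == lowest]
        if len(winners) == 1:              # one station reached zero first: it sends
            order.append(winners[0].name)
            winners[0].on_success()
        else:                              # same slot chosen twice: frames collide
            collisions += 1
            for w in winners:
                w.on_collision()
        # Everyone else freezes its counter while the medium is busy, so the
        # slots already counted down are kept rather than redrawn.
        for s in waiting:
            if s not in winners:
                s.backoff -= lowest
    return order, collisions
```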
The Cisco
Compatible
Extensions Program
When you're looking to start or add to your wireless network, you
may just wonder....
"How The $&!(*% Can I Figure Out Which Equipment Supports
Which Features?"
A valid question! :)
Thankfully, Cisco's got a great tool to help you out - the Cisco
Compatible Extension (CCX) website. Cisco certification isn't just
for you and I - Cisco also certifies wireless devices that are
guaranteed to run a desired wireless feature.
The website name is a little long to put here, and it may well change,
so I recommend you simply enter "Cisco compatible extension" into
your favorite search engine - you'll find the site quickly. Don't just
enter "CCX" in there - you'll get the Chicago Climate Exchange. I'm
sure they're great at what they do, but don't trust them to verify
wireless capabilities!
The Lightweight
Access Point
Protocol (LWAPP)
As our wireless networks get larger and larger,
we really need some kind of central authority to
ensure that a consistent access policy is
successfully implemented.
By no small coincidence, Cisco has developed
such an authority as part of their Cisco Unified
Wireless Network - the WLAN Controller, which
communicates with Lightweight Access Points
(LAP). This communication takes place via
LWAPP, the LightWeight Access Point Protocol.
WLAN Controller
The WLAN Controller is basically the quarterback of the WLAN, with
the LAPs serving as the other players. The WLAN Controller will be
configured with security procedures, Quality of Service (QoS)
policies, mobile user policies, and more. The WLAN Controller then
informs the LAPs of these policies and procedures, ensuring that
each LAP is consistently enforcing the same set of wireless network
access rules and regulations.
Many Cisco Aironet access points can operate autonomously or as
an LAP. Here are a few of those models:
1230 AG Series
1240 AG Series
1130 AG Series
Aironet System
Tray Utility
We're all familiar with the generic icon on a
laptop or PC that shows us how strong (or weak)
our wireless signal is. The Aironet System Tray
Utility (ASTU) gives us that information and a lot
more. Instead of just indicating how strong the
wireless signal is, the icon will change color to
indicate signal strength and other important
information.
Problem is, the colors aren't exactly intuitive, so
we better know what they mean! Here's a list of
ASTU icon colors and their meanings.
EAP
Authentication
If you're connecting to an ad hoc network,
just substitute "remote client" for "AP" in
the above list. The key is to know that red,
green, and yellow are referring to signal
strength, light gray indicates a lack of EAP
authentication, dark gray means there is
no connection to an AP or remote client,
and white means the adapter is disabled.
Network Design
and Models
Core Switches
Part 1
Today's core switches are generally multilayer
switches - switches that can handle both the
routing and switching of data. The throughput of
core switches must be high, so examine your
particular network's requirements and switch
documentation thoroughly before making a
decision on purchasing core switches. We want
our core switches to handle switching, and let
distribution-layer switches handle routing.
Core Switches
Part 2
Core layer switches are usually the most powerful in
your network, capable of higher throughput than any
other switches in the network. Remember, everything we
do on a Cisco router or switch has a cost in CPU or
memory, so we're going to leave most frame
manipulation and filtering to other layers.
The exception is Cisco QoS, or Quality of Service.
Advanced QoS is generally performed at the core
layer. We'll go into much more detail regarding QoS in
another section, but for now, know that QoS is basically
high-speed queueing where special consideration can
be given to certain data in certain queues. Leave ACLs
and other filters for other parts of the network.
Redundancy
The Distribution
Layer
The demands on switches at this layer are high. The access-layer switches are all going to have their uplinks connecting to
these switches, so not only do the distribution-layer switches
have to have high-speed ports and links, they've got to have
quite a few to connect to both the access and core
switches. That's one reason you'll find powerful multilayer
switches at this layer - switches that work at both L2 and L3.
Distribution-layer switches must be able to handle redundancy
for all links as well. Examine your network topology closely
and check vendor documentation before making purchasing
decisions on distribution-layer switches. The distribution layer
is also where routing should take place when utilizing
multilayer switches, since the access layer is busy with end
users and we want the core layer to be concerned only with
switching, not routing.
The Enterprise
Composite Network
Model
This model is much larger than the Cisco three-layer model, as you'll see in just a moment. I
want to remind you that networking models are
guidelines, and should be used as such. This is
particularly true of the Enterprise Composite
Network Model, which is one popular model
used to design campus networks. A campus
network is basically a series of LANs that are
interconnected by a backbone.
Switch blocks
Switch blocks are units of access-layer and
distribution-layer devices. These layers contain
both the traditional L2 switches (found at the
access layer) and multilayer switches, which
have both L2 and L3 capabilities (found at the
distribution layer). Devices in a switch block
work together to bring network access to a unit
of the network, such as a single building on a
college campus or in a business park.
Core blocks
Core blocks consist of the high-powered core
switches, and these core blocks allow the switch
blocks to communicate. This is a tremendous
responsibility, and it's the major reason that I'll
keep mentioning that we want the access and
distribution layers to handle as many of the
"extra" services in our network whenever
possible. We want the core switches to be left
alone as much as possible so they can
concentrate on what they do best - switch.
Few Factors
The design of such a network is going to depend on
quite a few factors - the number of LANs involved, the
physical layout of the building or buildings involved being
just two of them - so again, remember that these models
are guidelines. Helpful guidelines, though!
The Enterprise Composite Network Model uses the term
block to describe the three layers of switches we just
described. The core block is the collection of core
switches, which is the backbone mentioned earlier. The
access and distribution layer switches are referred to as
the switch blocks.
Model Parts
Overall, there are three main parts of this model:
The Enterprise Campus
The Enterprise Edge
The Service Provider Edge
Dual Core
The core design shown here is often referred to
as dual core, referring to the redundant fashion
in which the switch blocks are connected to the
core block. The point at which the switch block
ends and the core block begins is very clear.
A smaller network may not need switches to
serve only as core switches, or frankly, may not
be able to afford such a setup. Smaller
networks can use a collapsed core, where
certain switches will perform both as distribution
and core switches.
Server Farm
Block
As much as we'd like to get rid of them
sometimes, we're not going to have much of a
network without servers! In a campus network,
the server farm block will be a separate switch
block, complete with access and distribution
layer switches. The combination of access,
distribution, and core layers shown here is
sometimes referred to as the Campus
Infrastructure.
The Network
Management Block
Bonus Video:
Queueing
WFQ
What's so "fair" about Weighted Fair Queueing
(WFQ)? WFQ prevents one particular stream of
network traffic, or flow, from using most or all of the
available bandwidth while forcing other streams of traffic
to sit and wait. These flows are defined by WFQ and
require no access list configuration. Flow-based WFQ is
the default queueing scheme for Serial interfaces
running at E1 speed or below.
Flow-Based WFQ takes these packet flows and
classifies them into conversations. WFQ gives priority to
the interactive, low-bandwidth conversations, and then
splits the remaining bandwidth fairly between the non-interactive, high-bandwidth conversations.
First Reaction to
WFQ
The first reaction to WFQ is usually something
like this: "That sounds great, but shouldn't the
network administrator be deciding which flows
should be transmitted first, rather than the
router?" Good question! There's an advanced
form of WFQ, Class-Based Weighted Fair
Queueing (CBWFQ) that allows manual
configuration of queueing - and CBWFQ does
involve access list configuration.
CBWFQ
Available
Bandwidth
Why is 358 kbps all that's available? Start with the bandwidth
of a serial interface, 1544 kbps. Only 75% of that bandwidth
can be assigned through CBWFQ, and 1544 x .75 =
1158. We can assign only 1158 kbps of a T1 interface's
bandwidth in the policy map. We have already assigned 800
kbps to class 17210100, leaving only 358 kbps for other
classes.
Keep this 75% rule in mind - it's a very common error with
CBWFQ configurations. Don't jump to the conclusion that
bandwidth 64 is the proper command to use when you've got
a 64 kbps link and you want to enable voice traffic to use all of
it. Always go with a minimum of 75% of available bandwidth,
and don't forget all the other services that will need bandwidth
as well!
Reservable
bandwidth
The "reservable bandwidth" referenced in this
command isn't just the bandwidth assigned in
CBWFQ. It also includes bandwidth allocated
for the following:
Tail Drop
Tail drop may be the default, but there are two
major issues with it. First, this isn't a very
discriminating way to drop traffic. What if this
were voice traffic that needed to go to the head
of the line? Tail drop offers no mechanism to
look at a packet and decide that a packet
already in the queue should be dropped to make
room for it.
The other issue with tail drop is TCP global
synchronization. This is a result of TCP's
behavior when packets are lost.
Dropped packets
Packets dropped due to tail drop result in the
TCP senders reducing their transmission rate.
As the transmission slows, the congestion is
reduced.
All TCP senders will gradually increase their
transmission speed as a result of the reduced
congestion - which results in congestion
occurring all over again.
TCP Global
Synchronization
The result of TCP global
synchronization? When the TCP senders
simultaneously slow their transmission, that
results in underutilization of the
bandwidth. When the TCP senders all increase
their transmission rate at the same time, the
bandwidth is oversubscribed, packets are
dropped and must be retransmitted, and the
entire process begins all over again. Basically,
the senders are either sending too little or too
much traffic at any given time.
CBWFQ
CBWFQ is definitely a step in the right direction, but
what we're looking for is a guarantee (or something
close to it) that data adversely affected by delays is
given the highest priority possible. Low Latency
Queueing (LLQ) is an "add-on" to CBWFQ that creates
such a strict priority queue for such traffic, primarily voice
traffic, allowing us to avoid the jitter that comes with
voice traffic that is not given the needed priority
queueing. (Cisco recommends that you use an LLQ
priority queue only to transport Voice Over IP traffic.)
Since we're mentioning "priority" so often here, it
shouldn't surprise you to learn that the command to
enable LLQ is priority.
Before LLQ
Configuration
Before we configure LLQ, there are a couple of
commands and services we've mentioned that don't play
well with LLQ:
WRED and LLQ can't work together. Why? Because WRED is
effective only with TCP-based traffic, and the voice traffic that
will use LLQ's priority queue is UDP-based. The random-detect
and priority commands can't be used in the same class.
By its very nature, LLQ doesn't have strict queue limits, so the
queue-limit and priority commands are mutually exclusive.
Finally, the bandwidth and priority commands are also mutually
exclusive.
Example
R2#show access-list
Extended IP access list 155
permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 17000 18000
permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 20000 21000
R2(config)#class-map VOICE_TRAFFIC_PRIORITY
R2(config-cmap)#match access-group 155
R2(config)#policy-map VOICE
R2(config-pmap)#class VOICE_TRAFFIC_PRIORITY
R2(config-pmap-c)#priority 45
R2(config-pmap-c)#class class-default
R2(config-pmap-c)#fair-queue
R2(config-pmap-c)#interface serial0
R2(config-if)#service-policy output VOICE
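An added Python check, not part of the course material, that applies the two rules from the slides above to a policy map: the 75% reservable-bandwidth limit and the commands that cannot share a class with priority. The sample policy maps are constructed (the first mirrors the VOICE example), only the kbps forms of bandwidth and priority are parsed, and the default 75% figure is hard-coded rather than read from the interface.

```python
import re
from collections import defaultdict

# CBWFQ/LLQ may reserve at most 75% of interface bandwidth by default.
MAX_RESERVED_PERCENT = 75
# Commands that cannot share a class with `priority` (WRED, queue limit, CBWFQ bandwidth).
EXCLUSIVE_WITH_PRIORITY = ("random-detect", "queue-limit", "bandwidth")

# Constructed sample: the page's VOICE policy as it would appear in a running config.
GOOD_POLICY = """
policy-map VOICE
 class VOICE_TRAFFIC_PRIORITY
  priority 45
 class class-default
  fair-queue
"""

# Constructed sample with both mistakes: WRED in the priority class and 1200 kbps
# reserved on a T1, which is more than the 1158 kbps (75% of 1544) that CBWFQ allows.
BAD_POLICY = """
policy-map BAD
 class VOICE_TRAFFIC_PRIORITY
  priority 400
  random-detect
 class DATA
  bandwidth 800
 class class-default
  fair-queue
"""


def parse_policy_map(text):
    """Return {class_name: [command, ...]} from a policy-map listing.
    Only the `class <name>` / indented command layout shown above is handled."""
    classes, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy-map"):
            continue
        if line.startswith("class "):
            current = line.split(None, 1)[1]
        elif current is not None:
            classes[current].append(line)
    return dict(classes)


def lint_policy(text, interface_kbps):
    """Return a list of problems; an empty list means both checks pass."""
    problems, reserved = [], 0
    for cls, cmds in parse_policy_map(text).items():
        has_priority = any(c.startswith("priority") for c in cmds)
        for c in cmds:
            m = re.match(r"(priority|bandwidth)\s+(\d+)\b", c)   # kbps forms only
            if m:
                reserved += int(m.group(2))
            if has_priority and any(c.startswith(x) for x in EXCLUSIVE_WITH_PRIORITY):
                problems.append(f"class {cls}: '{c}' cannot be combined with 'priority'")
    limit = interface_kbps * MAX_RESERVED_PERCENT // 100
    if reserved > limit:
        problems.append(f"reserved {reserved} kbps exceeds {limit} kbps "
                        f"({MAX_RESERVED_PERCENT}% of {interface_kbps} kbps)")
    return problems
```

Running lint_policy against a 64 kbps link with "priority 64" reproduces the slide's warning: 64 kbps exceeds the 48 kbps that the 75% rule leaves reservable.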
Priority Queueing
The "next level" of queueing is Priority
Queueing (PQ), where four predefined
queues exist: High, Medium, Normal, and
Low. Traffic is placed into one of these
four queues through the use of access
lists and priority lists. The High queue is
also called the strict priority queue, making
HQ and LLQ the queueing solutions to use
when a priority queue is needed.
Predefined
queues Part 1
These four queues are predefined, as are
their limits:
High-Priority Queue: 20 Packets
Medium-Priority Queue: 40 Packets
Normal-Priority Queue: 60 Packets
Low-Priority Queue: 80 Packets
Predefined
queues Part 2
It won't surprise you to learn that these limits can be
changed. Before we configure PQ and change these
limits, there's one very important concept that you must
keep in mind when developing a PQ strategy. PQ is not
round-robin; when there are packets in the High queue,
they're going to be sent before any packets in the lower
queues.
If too many traffic types are configured to go into the
High and Medium queues, packets in the Normal and
Low queues may never be sent! This is sometimes
referred to as traffic starvation or packet starvation. (I
personally think it's more like queue starvation, but the
last thing we need is a third name for it.)
Custom Queueing
Custom Queueing (CQ) takes PQ one step further - CQ
actually allows you to define how many bytes will be
forwarded from every queue when it's that queue's turn
to transmit. CQ doesn't have the same queues that PQ
has, though. CQ has 17 queues, with queues 1 - 16
being configurable.
Queue Zero carries network control traffic and cannot be
configured to carry additional traffic. By default, the
packet limit for each configurable queue is 20 packets
and each will send 1500 bytes when it's that queue's turn
to transmit.
Network Control
Traffic
The phrase "network control traffic" in
regards to Queue Zero covers a lot of
traffic. Traffic that uses Queue Zero
includes:
Hello packets for EIGRP, OSPF, IGRP, ISIS
Syslog messages
STP keepalives
Round-Robin
System
CQ uses a round-robin system to send traffic. When it's
a queue's turn to send, that queue will transmit until it's
empty or until the configured byte limit is reached. By
configuring a byte-limit, CQ allows you to allocate the
desired bandwidth for any and all traffic types.
Configuring CQ is basically a three-step process:
Define the size of the queues
Define what packets should go in each queue
Define the custom queue list by applying the list to the
appropriate interface
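PQ's strict priority versus CQ's byte-count round-robin, as an added Python simulation that is not part of the course material. The queue depths (20/40/60/80 packets), the 1500-byte count per turn and the 20-packet CQ limit are the defaults quoted on the slides above; the traffic mix, packet size and link capacity are constructed.

```python
from collections import deque

# Defaults quoted in the course text: PQ queue depths in packets, CQ byte count
# per turn and packet limit per queue. The traffic mix below is constructed.
PQ_LIMITS = {"high": 20, "medium": 40, "normal": 60, "low": 80}
CQ_BYTE_COUNT = 1500
CQ_PACKET_LIMIT = 20

ARRIVALS = {"high": 6, "medium": 2, "normal": 2, "low": 2}   # packets arriving per tick
PACKET_SIZE = 500                                              # bytes, all flows alike
LINK_BYTES_PER_TICK = 3000                                     # room for 6 packets per tick


def _enqueue(queues, dropped, arrivals, limit_for):
    """Tail-drop enqueue: a packet is discarded when its queue is already at its limit."""
    for q, n in arrivals.items():
        for _ in range(n):
            if len(queues[q]) < limit_for(q):
                queues[q].append(PACKET_SIZE)
            else:
                dropped[q] += 1


def simulate_pq(ticks, arrivals=ARRIVALS):
    """Strict priority: every tick, drain High before touching Medium, and so on.
    Returns (sent, dropped) packet counts per queue."""
    queues = {q: deque() for q in PQ_LIMITS}
    sent, dropped = dict.fromkeys(PQ_LIMITS, 0), dict.fromkeys(PQ_LIMITS, 0)
    for _ in range(ticks):
        _enqueue(queues, dropped, arrivals, lambda q: PQ_LIMITS[q])
        budget = LINK_BYTES_PER_TICK
        for q in PQ_LIMITS:            # High, Medium, Normal, Low: not round-robin
            while queues[q] and budget >= queues[q][0]:
                budget -= queues[q].popleft()
                sent[q] += 1
    return sent, dropped


def simulate_cq(ticks, arrivals=ARRIVALS):
    """Round-robin: each queue in turn sends until it is empty or CQ_BYTE_COUNT is
    reached; the turn pointer persists across ticks so no queue is skipped for good."""
    names = list(arrivals)
    queues = {q: deque() for q in names}
    sent, dropped = dict.fromkeys(names, 0), dict.fromkeys(names, 0)
    turn = 0
    for _ in range(ticks):
        _enqueue(queues, dropped, arrivals, lambda q: CQ_PACKET_LIMIT)
        budget = LINK_BYTES_PER_TICK
        while budget >= PACKET_SIZE and any(queues.values()):
            q = names[turn % len(names)]
            turn += 1
            turn_bytes = 0
            while queues[q] and budget >= queues[q][0] and turn_bytes < CQ_BYTE_COUNT:
                size = queues[q].popleft()
                budget -= size
                turn_bytes += size
                sent[q] += 1
    return sent, dropped


if __name__ == "__main__":
    print("PQ:", simulate_pq(50))
    print("CQ:", simulate_cq(50))
```

Under the same overload PQ sends only High-queue packets and tail-drops the Low queue once it fills (the starvation the slide warns about), while CQ delivers something from every queue.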