STUDENT MANUAL
Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

Part Number: 093043
Course Edition: 1.0

Notices

DISCLAIMER
While Logical Operations, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Logical Operations is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies.
The use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of such entity with Logical Operations. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Logical Operations is not responsible for the availability of, or the content located on or through, any External Site. Please contact Logical Operations if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES
Logical Operations and the Logical Operations logo are trademarks of Logical Operations, Inc. and its affiliates. Cisco® and CCNA® are registered trademarks of Cisco in the U.S. and other countries. The other Cisco products and services discussed or described may be trademarks or registered trademarks of Cisco. All other product and service names used may be common law or registered trademarks of their respective proprietors.
Copyright © 2016 Logical Operations, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Logical Operations, 3535 Winton Place, Rochester, NY 14623, 1-800-456-4677 in the United States and Canada, 1-585-350-7000 in all other countries. Logical Operations' World Wide Web site is located at www.logicaloperations.com.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Logical Operations materials are being reproduced or transmitted without permission, please call 1-800-456-4677 in the United States and Canada, 1-585-350-7000 in all other countries.
Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

Table of Contents

Lesson 1: Managing VLANs on Cisco Switches ..... 1
  Topic A: Configure VLANs on Cisco Switches ..... 2
  Topic B: Configure Connectivity Between Cisco Switches ..... 7
  Topic C: Troubleshoot VLANs ..... 14
  Topic D: Troubleshoot Interswitch Connectivity ..... 17

Lesson 2: Managing STP ..... 21
  Topic A: Basics of STP ..... 22
  Topic B: Configure STP ..... 27
  Topic C: Troubleshoot STP ..... 34

Lesson 3: Managing EtherChannel ..... 39
  Topic A: Basics of Switch Stacks and VSS ..... 40
  Topic B: Configure EtherChannel ..... 44
  Topic C: Troubleshoot EtherChannel ..... 49

Lesson 4: Mitigating Threats to the Access Layer ..... 53
  Topic A: Configure Access and Trunk Interfaces ..... 54
  Topic B: Configure IEEE 802.1x Port-Based Authentication ..... 57
  Topic C: Configure DHCP Snooping ..... 69

Lesson 5: Configuring Infrastructure Services ..... 73
  Topic A: Configure HSRP ..... 74
  Topic B: Overview of Cloud Services ..... 78
  Topic C: Configure Traffic Filtering Using Access Lists ..... 81
  Topic D: Troubleshooting ACLs ..... 87
  Topic E: Configure VRRP ..... 90

Lesson 6: Describing QoS Concepts ..... 95
  Topic A: Describe the QoS Concepts ..... 96
  Topic B: Describe the Congestion Management and Avoidance Techniques ..... 104

Lesson 7: Infrastructure Maintenance ..... 109
  Topic A: Configure SNMP ..... 110
  Topic B: Troubleshoot Network Connectivity Issues Using ICMP Echo-based SLA ..... 115
  Topic C: Troubleshoot Problems Using Local SPAN ..... 118
  Topic D: Troubleshoot Basic Layer 3 End-to-End Connectivity Issues ..... 122

Lesson 8: Managing Devices Using AAA ..... 125
  Topic A: Manage a Device Using AAA with TACACS+ ..... 126
  Topic B: Manage a Device Using AAA with RADIUS ..... 132

Lesson 9: Network Programmability ..... 137
  Topic A: Network Programmability Basics ..... 138

Lesson 10: WAN Technologies ..... 145
  Topic A: WAN Topology Basics ..... 146
  Topic B: WAN Access Connectivity Basics ..... 153
  Topic C: Configure PPP on WAN Interfaces Using Local Authentication ..... 156
  Topic D: Configure MLPPP on WAN Interfaces Using Local Authentication ..... 159
  Topic E: Configure PPPoE Client-Side Interfaces ..... 162
  Topic F: Configure GRE Tunnel Connectivity ..... 166
  Topic G: Describe Single-Homed Branch Connectivity ..... 168

Lesson 11: Routing Technologies ..... 171
  Topic A: Routing Protocols ..... 172
  Topic B: Configure Inter-VLAN Routing ..... 178
  Topic C: Configure OSPFv2 Routing for IPv4 ..... 181
  Topic D: Configure OSPFv3 Routing for IPv6 ..... 185
  Topic E: Configure EIGRPv4 ..... 188
  Topic F: Configure EIGRPv6 ..... 192
  Topic G: Troubleshoot Routing Protocols ..... 194

About This Course

Course Objectives
In this course, you will:
• Manage VLANs on Cisco switches.
• Manage STP.
• Manage EtherChannels.
• Describe the mechanisms used to mitigate network threats.
• Configure infrastructure services.
• Describe QoS concepts and techniques to manage congestion.
• Perform infrastructure maintenance.
• Manage devices using AAA with the TACACS+ and RADIUS protocols.
• Describe the basics of network programmability.
• Describe the features of WAN technologies.
• Manage routing protocols.

How to Use This Book

As You Learn
This book is divided into lessons and topics, covering a subject or a set of related subjects. In most cases, lessons are arranged in order of increasing proficiency.
The results-oriented topics include relevant and supporting information you need to master the content. Each topic has various types of activities designed to enable you to solidify your understanding of the informational material presented in the course. In this course, you will perform the hands-on activities using online practice labs that are provided as part of the course curriculum. Information is provided for reference and reflection to facilitate understanding and practice.

As You Review
Any method of instruction is only as effective as the time and effort you, the student, are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later. For this reason, we encourage you to spend some time reviewing the content of the course after your time in the classroom.

As a Reference
The organization and layout of this book make it an easy-to-use resource for future reference.

Course Icons
Watch throughout the material for the following visual cues.
• Note: A Note provides additional information, guidance, or hints about a topic or task.
• Caution: A Caution note makes you aware of places where you need to be particularly careful with your actions, settings, or decisions so that you can be sure to get the desired results of an activity or task.
• Display slide: A display slide note provides a prompt to the instructor to display a specific slide from the provided PowerPoint files. (Instructor Edition only.)
• Content delivery tip: Content delivery tips provide guidance for specific delivery techniques instructors may want to utilize at particular points in the course, such as lectures, whiteboard sketching, or performing their own demonstrations for the class. (Instructor Edition only.)

Lesson 1: Managing VLANs on Cisco Switches

Lesson Time: 3 hours

Lesson Objectives
In this lesson, you will manage VLANs on Cisco switches. You will:
• Describe VLANs and their configurations using Cisco switches.
• Describe connectivity configurations between Cisco switches.
• Describe the techniques to troubleshoot issues with VLANs.
• Describe the techniques to troubleshoot interswitch connectivity issues.

Lesson Introduction
Familiarity with VLANs and their configurations, and the ability to troubleshoot VLAN and interswitch connectivity issues, will enable you to manage the VLANs in your network efficiently.

TOPIC A
Configure VLANs on Cisco Switches
In this topic, you will describe VLANs and their configurations using Cisco switches.

VLANs
A virtual local area network (VLAN) is a:
• Local area network (LAN) in which the network components can be connected even when they are not on the same LAN segment.
• Logical network without the physical characteristics of a LAN.
Each VLAN is logically a network in itself; packets destined for a node that does not belong to the same VLAN as the source node must be forwarded by a routing device.

Figure 1-1: An example of a VLAN in an organization.

Features of VLANs
Unlike a regular LAN, which is limited by physical distance, a VLAN can connect nodes irrespective of the physical distances involved and can also group individual networks that are based on different technologies.
Key hardware in a VLAN includes a configurable managed switch, known as a VLAN switch, which can build a logical network in any required configuration, even when computers are on different physical segments. Configuration management can be done through software and there is no need to relocate the devices physically.

Normal VLANs
• Normal VLANs or normal-range VLANs are VLANs with VLAN IDs 1 to 1005.
• VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
• When the switch is in VLAN Trunking Protocol (VTP) server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database file, vlan.dat.
• The configurations for VLAN IDs 1 to 1005 are written to the VLAN database.
• The privileged EXEC command show vlan displays the VLAN configuration.
Note: The VLAN database file is stored in flash memory.

Figure 1-2: A Normal VLAN representation.

Extended Range VLANs
• Extended-range VLANs are VLANs with IDs from 1006 to 4094.
• The switch must be set to VTP transparent mode using the vtp mode transparent command on VTP version 1 and version 2 in order to create extended-range VLANs.
• Extended-range VLANs are not stored in the VLAN database but are stored in the switch running configuration file.
• Extended-range VLANs enable service providers to extend their infrastructure to reach a greater number of customers.
• Extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
• The privileged EXEC command copy running-config startup-config allows you to save the configuration in the startup configuration file.
• Extended-range VLANs are supported in VTP version 3 in VTP server and transparent modes and are stored in the VLAN database.

VLANs Spanning Multiple Cisco Switches
• Both regular VLANs and private VLANs can span multiple switches.
• Inter-switch link ports need not be aware of the special VLAN type; they carry frames tagged with these VLANs just like any other frame.
• Consistent behavior throughout the network can be maintained by embedding the isolation information at the VLAN level and by transporting it along with the packet.
• The mechanism that restricts Layer 2 communication between two isolated ports in the same switch also restricts Layer 2 communication between two isolated ports in two different switches.

Figure 1-3: An example of a VLAN spanning multiple switches.

Access Ports of a Cisco Switch
• Configure a switch port as an access port to assign it to one VLAN.
• The speed and duplex for switch ports are set to auto-negotiate by default.
• The default auto-negotiation setting includes the Auto-medium dependent interface (MDI)/medium dependent interface crossover (MDIX) feature.
• The Auto-MDI/MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected in the auto-negotiation phase.
• Remember that you cannot disable Auto-MDI/MDIX for the interface.

Figure 1-4: A Cisco switch.

Access Data Port
When defining a data port VLAN definition, you must consider the following:
• Define the slot-port combination where the data port is located.
• Select the sensing mode to be used by the data port.
• Define the VLANs that are to be forwarded to the data port.
The following restrictions apply to data port VLAN definition:
• There can be only a single definition for each data port.
• A data port definition cannot be created if the port is already defined as part of a channel group.

Figure 1-5: An example of an access data port definition.

Access Voice Port
• The voice VLAN feature allows access ports to carry IP voice traffic from an IP phone.
• When the switch is connected to a Cisco IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 Class of Service (CoS) values, which are both set to 5 by default.
• The switch supports quality of service (QoS) based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1p CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner, because the sound quality of an IP phone call can deteriorate if the data is sent unevenly.

Figure 1-6: An example of an access voice port definition.

Default VLAN in a Cisco Environment
• Default VLAN refers to VLAN 1, which uses only default values, and does not allow you to create, delete, or suspend activity in the default VLAN.
• VLANs can be assigned numbers from 1 to 4094.
• All configured ports belong to the default VLAN when you first bring up the switch.

Add or Remove VLANs
• Use the vlan <vlan-id>|<vlan-range> command to create a new VLAN or a range of VLANs.
• You cannot create or delete the default VLAN or other VLANs that are already internally allocated for use by the switch.
• When you create a VLAN, it is automatically in the active state.
Example of VLAN range creation:
• The vlan 25-50 command creates a range of VLANs with IDs from 25 to 50.
• Use the no vlan <vlan-id>|<vlan-range> command to delete a VLAN.
• When a VLAN is deleted, the ports associated with that VLAN will be shut down.
• The packets will be dropped and the traffic will not flow.

Add and Remove VLANs on a Trunk
• The switchport mode trunk command changes the interface into permanent trunking mode. It then negotiates to convert the neighboring link into a trunk link. However, the interface will become a trunk interface even if the neighboring interface is not a trunk interface.
• The switchport trunk allowed vlan add <vlan-list> command allows you to specify the native VLAN or VLAN ranges that need to be added to the IEEE 802.1Q trunks.
• The switchport trunk allowed vlan remove <vlan-list> command allows you to specify the native VLAN or VLAN ranges that need to be removed from the IEEE 802.1Q trunks.
• The no switchport trunk allowed vlan interface configuration command returns the interface to the default allowed VLAN list of all VLANs.

Specify VLAN Range
In the <vlan-list> attribute, you can use a hyphen to specify a VLAN range; for example, 20-40. Use a comma to separate an individual VLAN ID from the VLAN ranges; for example, 20-40,50. You can use this <vlan-list> attribute for adding or removing VLANs.

IEEE 802.1Q Encapsulation
• IEEE 802.1Q is a networking standard that supports VLANs in an Ethernet-based network.
• A switch assigns the VLAN identification information to a packet through a process known as tagging.
• Two popular protocols for tagging are the Inter-Switch Link (ISL) and the IEEE 802.1Q protocol.
  • ISL is the Cisco proprietary protocol for tagging packets and associating them with a particular VLAN on legacy switches.
  • 802.1Q is the IEEE standard for VLAN trunking. Newer Cisco switches and other original equipment manufacturer (OEM) switches use 802.1Q for tagging.

Figure 1-7: The IEEE 802.1Q Encapsulation standard.
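The VLAN ID ranges, the <vlan-list> syntax and the 802.1Q tag described in this topic, worked through in Python: it parses a tagged frame, expands an allowed list such as 20-40,50, and decides whether a trunk with that list would carry the frame. This is an added example, not code from the course or from Cisco IOS; the frame bytes and allowed lists are constructed, and all function names are the example's own.

```python
"""Parse an IEEE 802.1Q-tagged Ethernet frame and decide whether a trunk
carries it, using the <vlan-list> syntax ("20-40,50") and the normal /
extended / reserved VLAN ID ranges from this topic.

Added example, not code from the course or from Cisco IOS.  The frame
bytes and allowed lists are constructed; the function names are my own."""
import struct

TPID_8021Q = 0x8100                               # EtherType that announces a tag
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}      # auto-created, cannot be removed
ALL_VLANS = "1-4094"                              # default allowed list on a trunk


def classify_vlan(vid):
    """Return 'reserved' (1, 1002-1005), 'normal' (other IDs up to 1005)
    or 'extended' (1006-4094); raise on an ID outside 1-4094."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is outside 1-4094")
    if vid in RESERVED_VLANS:
        return "reserved"
    return "normal" if vid <= 1005 else "extended"


def parse_vlan_list(spec):
    """Expand a <vlan-list> such as '20-40,50' into a set of VLAN IDs.

    Hyphen = inclusive range, comma = separator; every ID is validated."""
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue                              # tolerate a trailing comma
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    for vid in vlans:
        classify_vlan(vid)                        # raises on 0 or > 4094
    return vlans


def parse_8021q(frame):
    """Split a frame into (dst, src, vid, pcp, ethertype, payload).

    vid and pcp are None when no 802.1Q tag is present (untagged frame)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13                               # 3-bit priority (802.1p CoS)
    vid = tci & 0x0FFF                            # 12-bit VLAN identifier
    return dst, src, vid, pcp, inner_type, frame[18:]


def trunk_accepts(frame, allowed_spec=ALL_VLANS, native_vlan=1):
    """Would an 802.1Q trunk with this allowed list forward the frame?

    Untagged frames belong to the native VLAN; a tag with VID 0 carries
    only a priority and is treated like an untagged frame."""
    allowed = parse_vlan_list(allowed_spec)
    vid = parse_8021q(frame)[2]
    if not vid:                                   # None (untagged) or 0
        vid = native_vlan
    return vid in allowed


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct a test frame; tagged when vid is given, untagged otherwise."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    voice = build_frame(vid=50, pcp=5)            # CoS 5, as a Cisco IP phone sends
    print(parse_8021q(voice)[2:4])                # (50, 5)
    print(trunk_accepts(voice, "20-40,50"))       # True
    print(trunk_accepts(build_frame(), "20-40,50"))   # False: native VLAN 1 not in list
```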

TOPIC B
Configure Connectivity Between Cisco Switches
In this topic, you will describe connectivity configurations between Cisco switches.

ISL Protocol
Inter-Switch Link (ISL):
• Is a Cisco protocol for interconnecting multiple Cisco switches and maintaining VLAN information as traffic passes between switches.
• Provides VLAN capabilities while maintaining full wire speed performance on Fast Ethernet links in full- or half-duplex mode.
• Operates in a point-to-point environment and can support up to 1,000 VLANs.
• Enables you to define as many logical networks as are necessary for your environment.

Figure 1-8: ISL protocol implementation in a network.

Access and Trunk Interfaces
• Access ports can carry traffic only for one VLAN.
• An access port can have only one VLAN configured on the Ethernet interface.
• Ethernet interfaces can be configured as either access ports or trunk ports.
• Trunks can carry the traffic of multiple VLANs over a single link and enable you to extend VLANs across the network.
• A trunk port can carry traffic simultaneously for several VLANs and can have two or more VLANs configured on the Ethernet interface.

Figure 1-9: Types of Ethernet interfaces.

Trunking
• Trunking, also known as VLAN trunking, allows interconnected ports to transmit and receive frames in more than one VLAN over the same physical link.
• Trunking and port channels function as follows:
  • Port channels allow several physical links to be combined into one aggregated logical link.
  • Trunking allows a link to carry, or trunk, traffic of multiple VLANs.

Figure 1-10: Trunking in a network with multiple VLANs.

Trunking Modes
• The default trunk mode is dynamic (desirable).
• The trunk mode can be configured as on (enabled), off (disabled), or auto (automatic).
• The trunk mode configuration at the two ends of an ISL between two switches helps determine the resulting trunking state of the link and the port modes at both ends.

VTP Modes
Three VTP modes that can be configured on a Cisco switch are:
• Server Mode: In VTP server mode, you can create, modify, and delete VLANs and specify configuration parameters for the entire VTP domain. VTP server mode is the default mode.
• Client Mode: Client mode is similar to VTP server mode, but on a VTP client, VLANs cannot be created, modified, or deleted.
• Transparent Mode: When a device is in transparent mode, it does not participate in VTP. It neither advertises its VLAN configuration nor synchronizes its VLAN configuration based on any received advertisements.

VTP Functions
In VTP version 2, a network device in transparent mode will forward any VTP advertisements received from its LAN ports. In VTP version 3, a network device in transparent mode is specific to an instance.
If the Cisco switch detects a failure when writing configuration to non-volatile RAM (NVRAM), it will automatically change from VTP server mode to VTP client mode. In this situation, until the NVRAM returns to normal functioning, the switch cannot be changed back to VTP server mode.

DTP
Dynamic Trunking Protocol (DTP):
• Is a Cisco proprietary point-to-point protocol (PPP).
• Manages the trunk negotiation on a link between two devices and also negotiates the trunking encapsulation to be used.
• Supports auto-negotiation of both ISL and 802.1Q trunks.
• Is a second-generation Dynamic Inter-Switch Link Protocol (DISL) that allows Cisco Catalyst devices to negotiate whether to use 802.1Q encapsulation.

Figure 1-11: Working of DTP between devices.

Dynamic Trunking
Dynamic trunking refers to the ability of a network device to negotiate the trunking method with the other device. If one side of the link is configured to trunk and sends DTP signals, and the options correctly match, the other side of the link will also dynamically begin to trunk.
In the case of EtherChannel, DISL and DTP only negotiate whether to enable trunking and do not negotiate trunking.
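The trunk-mode combinations from Trunking Modes and the DTP negotiation described above, worked through in Python: one function gives the resulting state at each end of a link for any pair of modes, and an audit lists ports left in a negotiated mode (the default, dynamic desirable, or auto), whose trunk state is decided by whatever the neighbor sends rather than by the administrator. Added example, not code from the course or from Cisco IOS; the port inventory is constructed and the function names are the example's own.

```python
"""Resulting trunk state of a link from the trunk mode at each end (on, off,
auto, dynamic desirable), and an audit that flags ports whose state is left
to DTP negotiation rather than set explicitly.

Added example, not code from the course or from Cisco IOS.  The rules encode
the behaviour described in this topic; the inventory is constructed and the
function names are my own."""

ON, OFF, AUTO, DESIRABLE = "on", "off", "auto", "desirable"
MODES = (ON, OFF, AUTO, DESIRABLE)

INITIATES = {ON, DESIRABLE}         # actively asks the neighbour to trunk
ACCEPTS = {ON, DESIRABLE, AUTO}     # agrees when the neighbour asks


def port_state(local, remote):
    """Operational state, 'trunk' or 'access', of the local port.

    off never trunks; on always trunks (even when the neighbour does not,
    as the course notes for switchport mode trunk); desirable trunks when
    the neighbour accepts; auto trunks only when the neighbour initiates."""
    for mode in (local, remote):
        if mode not in MODES:
            raise ValueError(f"unknown trunk mode {mode!r}")
    if local == OFF:
        return "access"
    if local == ON:
        return "trunk"
    if local == DESIRABLE and remote in ACCEPTS:
        return "trunk"
    if local == AUTO and remote in INITIATES:
        return "trunk"
    return "access"


def link_state(mode_a, mode_b):
    """(state at A, state at B); unequal values mean a trunk/access mismatch."""
    return port_state(mode_a, mode_b), port_state(mode_b, mode_a)


def negotiation_table():
    """All 16 combinations, as {(mode_a, mode_b): (state_a, state_b)}."""
    return {(a, b): link_state(a, b) for a in MODES for b in MODES}


def audit(inventory):
    """Flag ports whose trunk state depends on what the neighbour sends.

    inventory maps port name -> configured mode.  The default, dynamic
    desirable, is flagged because a port left there becomes a trunk as soon
    as any DTP-speaking neighbour asks; the fix is an explicit on or off."""
    findings = []
    for port, mode in sorted(inventory.items()):
        if mode in (DESIRABLE, AUTO):
            findings.append((port, f"{mode}: trunk state negotiated; set on or off explicitly"))
    return findings


if __name__ == "__main__":
    for (a, b), (sa, sb) in negotiation_table().items():
        flag = "" if sa == sb else "   <- mismatch"
        print(f"{a:>9} / {b:<9} -> {sa:>6} / {sb:<6}{flag}")
    ports = {"Fa0/1": DESIRABLE, "Fa0/2": ON, "Fa0/3": AUTO, "Fa0/4": OFF}  # constructed
    for port, finding in audit(ports):
        print(port, finding)
```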

VTP v1
• The VLAN Trunking Protocol (VTP) is a messaging protocol for VLANs developed by Cisco.
• All the changes made to a VLAN are documented as VTP configurations.
• The main function of VTP is to advertise the switching information and configuration changes on a VLAN through all the switches on a network.
• VTP eliminates the hassle involved in porting the same VLAN to another network that is managed by different switches.
• It also allows configuring switches as a group for management in a VLAN.
• In VTP version 1, a VTP transparent network device inspects VTP messages for the domain name and version, and forwards a message only when the version and domain name match.

Figure 1-12: Working of VTP v1.

VTP v2
VTP version 2 supports all the features of VTP version 1 and adds the following features:
• Token Ring Support: VTP version 2 supports Token Ring LAN switching and VLANs, namely the Token Ring Bridge Relay function and the Token Ring Concentrator Relay function.
• Unrecognized Type-Length-Value (TLV) Support: A VTP server or client transmits configuration changes to its other trunks. These configuration changes include even TLVs that the VTP server or client is not able to parse. Such unrecognized TLVs are saved in NVRAM.
• Version-Dependent Transparent Mode: VTP version 2 forwards VTP messages in transparent mode without checking the version, because only one domain is supported.
• Consistency Checks: In VTP version 2, VLAN consistency checks such as VLAN names and values are performed only on new information that is specified through the CLI or SNMP. When new information is obtained from a VTP message, or when information is read from NVRAM, consistency checks are not performed. The information received from a VTP message is accepted without consistency checks when the digest on the received VTP message is correct.

Choice of VTP Version
You can choose between VTP version 1 and version 2 as the VTP version for your network. However, if you plan to use VTP in a Token Ring environment, you must use VTP version 2.

Commands Related to VTP Lab
The commands related to the VTP lab are listed in the table.

Command                                      Description
hostname <host_name>                         Configures an appropriate host name for your switch.
interface vlan <vlan_id>                     Configures the interface with the selected VLAN ID with the appropriate IP address and subnet mask.
ip address <ip_address> <subnet_mask>
interface fastethernet 0/12                  Configures trunking on the FastEthernet 0/12 port of a switch.
switchport mode trunk
vtp domain <domain_name>                     Configures a VTP domain name to the specified domain name.
vtp password <password>                      Configures a password for the VTP domain.
show vtp status                              Verifies the switch's VTP configuration.
vlan <vlan_id>                               Creates a new VLAN with the specified ID.
interface range fastethernet 0/2 - 5         Assigns FastEthernet ports 0/2 through 0/5 to a specific VLAN.
switchport access vlan <vlan_id>
show vlan                                    Verifies the current VLAN configuration on the switch.
vtp mode client                              Configures the switch as a VTP client.
show running-config                          Shows the current configuration details.

Lab: VTP
• Path to lab: ICND2→Scalable Networks
• Lab name: VTP
• Duration: 15 minutes (approx.)

Commands Related to VTP Modes Lab
The commands related to the VTP Modes lab are listed in the table.

Command                                      Description
show ip interface brief                      Displays the state of the interfaces.
show vlan brief                              Displays the number of VLANs that are configured on each of the switches.
vtp mode server                              Configures the switch on which this command is executed as the source of VLAN propagation for the other switches in the network.

Lab: VTP Modes
• Path to lab: ICND2→Scalable Networks
• Lab name: Spanning Tree I
• Duration: 15 minutes (approx.)

Commands Related to Configuring VTP on Switches and Configuring VTP Client Mode on Switches Labs
The commands related to the Configuring VTP on Switches and Configuring VTP Client Mode on Switches labs are listed in the table.

Command                                      Description
hostname <host_name>                         Configures an appropriate host name for your switch.
interface fastethernet 0/12                  Configures the FastEthernet interface with port 0/12 to always be a trunk.
switchport trunk encapsulation dot1q
switchport mode trunk
show running-config                          Shows the current configuration details.

Lab: Configuring VTP on Switches
• Path to lab: ICND2→Scalable Networks
• Lab name: Configuring VTP on Switches
• Duration: 15 minutes (approx.)

Lab: Configuring VTP Client Mode on Switches
• Path to lab: ICND2→Scalable Networks
• Lab name: Configuring VTP Client Mode on Switches
• Duration: 15 minutes (approx.)

Commands Related to Expanding Switched Networks Lab

The commands related to the Expanding Switched Networks lab are listed in the table.

Command    Description

show cdp neighbors
    Determines which interfaces are used to connect to neighboring devices.

interface fastethernet 0/12
shutdown
    Disables the FastEthernet 0/12 port of a switch.

vtp mode transparent
    Changes the VTP to transparent mode.

end
    Ends and exits configuration mode.

no shutdown
    Enables an interface.

no ip address
    Removes an IP address from an interface.

show ip route
    Displays the IP routing table.

router eigrp <autonomous_system_number>
    Enters router configuration mode for Enhanced Interior Gateway Routing Protocol (EIGRP).

network <subnet_mask>
    Configures a list of networks for the selected routing protocol on a specific network.

show running-config
    Shows the current configuration details.

Lab: Expanding Switched Networks
• Path to lab: ICND2→Scalable Networks
• Lab name: Expanding Switched Networks
• Duration: 10 minutes (approx.)

TOPIC C
Troubleshoot VLANs
In this topic, you will describe the techniques to troubleshoot issues with VLANs.

VLAN Naming Convention

In a VLAN name, only the following characters are permitted:
• Letters: a through z or A through Z
• Numbers: 0 through 9
• Special characters: - (hyphen) or _ (underscore)

In newer Cisco devices, long names of up to 128 characters can be used as VLAN names.
• VTP must be in transparent or off mode to configure VLAN long names.
• The VLAN long-name feature is disabled when VTP is in client or server mode.

VLAN Leaking

• VLAN leaking refers to a situation where a switch port behaves like a full-fledged trunk port even though it is only receiving regular packets and is not supposed to do so, for example by accepting packets from VLANs other than the native VLAN.
• Fortunately, Cisco Catalyst switches are designed, in both hardware and software, to always enforce proper traffic classification and isolation on all their ports.
• The show interfaces trunk command allows you to check whether the local and peer native VLANs match; VLAN leaking occurs when the native VLAN does not match on both sides.
• You need to configure the native VLAN to be the same VLAN on both sides of the link to ensure that VLAN leaking does not occur.

Guidelines and Limitations for Troubleshooting VLANs

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

When configuring VLANs, follow these guidelines:
• Ensure that you associate all the ports on all switches with VLANs other than VLAN 1 by configuring all unused ports to a black hole VLAN that will be left unused on the network.
• Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.
• As a good practice, shut down unused switch ports to prevent unauthorized access.
• Ensure that you keep user traffic off the management VLAN by separating user data from the management VLAN.

Initial Troubleshooting VLANs Checklist

• Troubleshooting a VLAN problem starts by gathering information about the configuration and connectivity of individual devices and the entire network.
• Begin troubleshooting VLAN issues by checking the following first:
  • Verify the physical connectivity for any problem ports or problem VLANs.
  • Verify that both of your end devices are in the same VLAN.

VLAN Information CLI Commands

The CLI commands used to display VLAN information in a Cisco environment are listed in the table.

Command    Description

show vlan vlan-id
    Displays information about the VLAN with the ID specified in the command.

show vlan all-ports
    Displays VLAN information for trunk and access ports.

show tech-support vlan
    Displays detailed information about VLANs for troubleshooting purposes.

show vlan private-vlan [type]
    Displays the status information for the private VLAN.

show interface vlan vlan-id private-vlan mapping
    Displays information about the mapping between two VLANs that share the same virtual interface.
is
Common VLAN Issues and Solutions

Some of the common VLAN issues, their causes, and possible solutions are listed in the table.

Symptom: VLAN cannot be created
Possible cause: A reserved VLAN ID is being used.
Solution: VLANs 3968 to 4047 and 4094 are reserved for internal use and you cannot change or use these reserved VLANs. Change to a permitted VLAN ID.

Symptom: The VLAN interface is down
Possible cause: The VLAN does not exist.
Solution:
• Use the show vlan command to determine if the VLAN exists.
• Use the vlan command to create the VLAN.

Symptom: Two devices on the same VLAN cannot communicate
Possible cause: The devices on the same VLAN have been assigned different subnet addresses.
Solution: Identify the incorrect configuration and specify the correct subnet address for devices within the same VLAN.

Commands Related to VLAN Leaking Lab

The commands related to the VLAN Leaking lab are listed in the table.

Command    Description

show interfaces status
    Displays the status of all interfaces, which allows you to verify the VLAN assignment for the ports of the switch.

interface range fastethernet <starting port> - <ending port>
switchport mode access
switchport access vlan <VLAN ID>
    Allows you to assign selected ports of the switch to the specified VLAN as access ports. If the VLAN ID mentioned does not exist, a new VLAN is created with the specified VLAN ID.

show interfaces trunk
    Displays the port and module interface-trunk information. The default behavior is to trunk, and all VLANs are allowed.

show interfaces fastethernet <slot> switchport
    Displays the switchport configuration.

show running-config
    Displays the active configuration file for the switch.

The commands specific to a PC or workstation are listed in the table.

Command    Description

ipconfig /ip [IP address] [Subnet mask]
    Assigns an IP address and subnet mask to a workstation interface.

ping [IP address]
    Sends an Internet Control Message Protocol (ICMP) echo request to the specified address.
is
Lab: VLAN Leaking
• Path to lab: ICND2→Scalable Networks
• Lab name: VLAN Leaking
• Duration: 20 minutes (approx.)

TOPIC D
Troubleshoot Interswitch Connectivity
In this topic, you will describe the techniques to troubleshoot interswitch connectivity issues.

Types of Switch Issues

The two types of switch issues are:
• Switch-to-Switch Basic Interconnectivity Problems: These can result in the isolation of a port or virtual storage area network (VSAN) due to incorrect parameters or settings on an ISL or VSAN.
• Fabric to Server/Storage Connectivity Problems: These can be identified by an Fx port not coming up, or are caused by zone or VSAN configuration errors.

Figure 1-13: The two types of switch issues.

Common Interconnectivity Issues

The common interconnectivity issues that are encountered while configuring VLANs and trunks on a switched infrastructure are:

• Mismatch in Native VLAN: This issue occurs when the trunk ports have been configured with different native VLANs. This configuration error generates notifications on the console and results in the misdirection of control and management traffic. This misconfiguration poses a serious security risk.
• Mismatch in Trunk Mode: This issue occurs when the trunk ports have been configured in such a way that one trunk port is configured with trunk mode off while the other trunk port has been configured with trunk mode on. This misconfiguration causes the trunk link to stop working.
• Use of Outdated VLAN Allowed List: This issue occurs when the list of VLANs allowed on a trunk has not been updated to match the current VLAN trunking requirements. This results in no traffic, or unnecessary traffic, being sent over the trunk.

When a trunk issue is discovered and the cause is unknown, your troubleshooting steps must start with checking for mismatches in the native VLAN. If the cause is still unknown, you need to check for mismatches in trunk mode. As the final check for the cause, you must verify the allowed VLAN list used on the trunk.
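
The three checks above, carried out in the prescribed order, as an added Python example that is not part of the course material: it parses constructed show interfaces <interface> switchport output captured on each end of a link and reports a native VLAN mismatch (the same check the VLAN Leaking topic makes with show interfaces trunk), a trunk mode mismatch and an allowed VLAN list mismatch. The switch names, port names and captured text are constructed.

```python
"""Trunk mismatch check for both ends of a link.

Added example, not from the course material: it parses constructed
"show interfaces <interface> switchport" output captured on each end of a
link and reports, in the order this topic prescribes, a native VLAN
mismatch, a trunk mode mismatch and an allowed VLAN list mismatch.
"""

def expand_vlan_list(spec):
    """Expand the 'Trunking VLANs Enabled' field: 'ALL' or '1,10,20-22'."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))  # 1 to 4094 is the whole VLAN ID space
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switchport(text, switch):
    """Pick the fields the check needs out of one port's switchport output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # The native VLAN field reads e.g. "1 (default)"; keep only the number.
    native = int(fields["Trunking Native Mode VLAN"].split()[0])
    return {
        "name": f"{switch} {fields['Name']}",
        "oper_mode": fields["Operational Mode"],
        "native_vlan": native,
        "allowed": expand_vlan_list(fields["Trunking VLANs Enabled"]),
    }

def fmt_vlans(vlans, limit=8):
    """Compact listing of a VLAN set; long sets are truncated with a count."""
    ids = sorted(vlans)
    shown = ",".join(str(v) for v in ids[:limit])
    if len(ids) > limit:
        shown += f",... ({len(ids)} total)"
    return shown or "none"

def check_trunk(local, peer):
    """Return the mismatches between the two ends, in troubleshooting order."""
    findings = []
    # 1. Native VLAN mismatch: untagged frames land in the wrong VLAN on the
    #    far side, the VLAN leaking condition described in Topic C.
    if local["native_vlan"] != peer["native_vlan"]:
        findings.append(
            f"native VLAN mismatch: {local['name']} uses {local['native_vlan']}, "
            f"{peer['name']} uses {peer['native_vlan']}")
    # 2. Trunk mode mismatch: one end is trunking while the other is not.
    if (local["oper_mode"] == "trunk") != (peer["oper_mode"] == "trunk"):
        findings.append(
            f"trunk mode mismatch: {local['name']} is {local['oper_mode']}, "
            f"{peer['name']} is {peer['oper_mode']}")
    # 3. Allowed VLAN list mismatch: VLANs that only one end will carry.
    only_local = local["allowed"] - peer["allowed"]
    only_peer = peer["allowed"] - local["allowed"]
    if only_local or only_peer:
        findings.append(
            f"allowed VLAN list mismatch: only on {local['name']}: "
            f"{fmt_vlans(only_local)}; only on {peer['name']}: {fmt_vlans(only_peer)}")
    return findings

# Constructed captures, trimmed to the fields the check reads.
SW1_FA0_12 = """\
Name: Fa0/12
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1,10,20,30
"""
SW2_FA0_12 = """\
Name: Fa0/12
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 99
Trunking VLANs Enabled: 1,10,20
"""
SW2_FA0_13 = """\
Name: Fa0/13
Administrative Mode: static access
Operational Mode: static access
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

if __name__ == "__main__":
    local = parse_switchport(SW1_FA0_12, "SW1")
    for capture in (SW2_FA0_12, SW2_FA0_13):
        peer = parse_switchport(capture, "SW2")
        print(f"{local['name']} <-> {peer['name']}")
        for finding in check_trunk(local, peer) or ["no mismatch found"]:
            print("  -", finding)
```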

Switch and Trunk Ports

• The switchport mode trunk command allows you to configure the trunk link statically.
• DTP is used by Cisco Catalyst switch trunk ports to negotiate the state of the link.
• You need to ensure that the trunk mode configured on the port on a trunk link is compatible with the neighboring trunk port for the trunk link to be fully functional between the two switches.


Summary

• A VLAN is a LAN in which the network components can be connected even when they are not on the same LAN segment.
• Normal VLANs or normal-range VLANs are VLANs with VLAN IDs 1 to 1005.
• VLANs can be assigned numbers from 1 to 4094.
• IEEE 802.1Q is a networking standard that supports VLANs in an Ethernet-based network.
• VTP is a VLAN messaging protocol developed by Cisco.
• The common interconnectivity issues while configuring VLANs and trunks on a switched infrastructure are: mismatch in native VLAN, mismatch in trunk mode, and use of an outdated VLAN allowed list.

2 Managing STP

Lesson Time: 2 hours, 35 minutes

Lesson Objectives

In this lesson, you will manage STP. You will:

• Describe the features of STP.
• Describe the configuration mode of STP.
• Describe the techniques to troubleshoot issues with STP.

Lesson Introduction

As a network professional, you may need to set up redundant networks to ensure continuous availability of key network services. In these situations, you must be able to configure switches to use the STP feature and prevent data looping within the network.

TOPIC A
Basics of STP
In this topic, you will describe the features of STP.

STP

• Spanning Tree Protocol (STP) is an Institute of Electrical and Electronics Engineers (IEEE) 802.1D bridge and Layer 2 link-management protocol, which prevents undesirable loops in the network while providing path redundancy.
• There can be only one active path between two stations for the proper functioning of a Layer 2 Ethernet network.
• STP operation is transparent to end stations, which cannot detect whether they are connected to a switched local area network (LAN) of multiple segments or to a single LAN segment.
• The root switch is the switch that has all of its ports in either the designated role or the backup role.
• A designated switch is a switch that has at least one of its ports in the designated role.

Figure 2-1: STP operation.


Port Roles

• STP uses a spanning-tree algorithm to select one switch as the root of the spanning tree of a redundantly connected network.
• The algorithm assigns a role to each port based on the role of the port in the active topology and calculates the best loop-free path through a switched Layer 2 network.
• The port roles are:
  • Root Port: A forwarding port elected for the spanning-tree topology.
  • Designated Port: A forwarding port elected for every switched LAN segment.
  • Alternate Port: A blocked port that provides an alternate path to the root bridge in the spanning tree.
  • Backup Port: A blocked port used in a loopback configuration.

Figure 2-2: Types of port roles.

STP Modes

• The three STP modes supported by the newer Cisco switches are: Per VLAN Spanning Tree Plus (PVST+), rapid PVST+, and Multiple Spanning Tree Protocol (MSTP). The default mode for the switch is the PVST+ protocol.
• PVST+: This mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all the Ethernet port-based virtual local area networks (VLANs).
• Rapid PVST+: This mode is the same as PVST+ except that it uses rapid convergence based on the IEEE 802.1w standard.
• MSTP: This mode is based on the IEEE 802.1s standard. MSTP runs on top of the Rapid Spanning Tree Protocol (RSTP), which is based on the IEEE 802.1w standard and provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state.

Note: Per-VLAN spanning tree (PVST) is an extension that allows Layer 2 Ethernet ports to use STP on all VLANs.

PVST+

• PVST+ provides the same functionality as Per VLAN Spanning Tree (PVST) using 802.1Q trunking technology rather than Inter-Switch Link (ISL).
• PVST+ is an enhancement to the 802.1Q specification and is not supported on non-Cisco devices.
• By default, a single instance of STP runs on each configured VLAN when STP is not manually disabled. You can enable and disable STP on a per-VLAN basis.
• When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network.
• The STP algorithm calculates the best loop-free path throughout a switched Layer 2 network.
• Layer 2 LAN ports send and receive STP frames at regular intervals.
• Network devices do not forward the STP frames, but use the frames to construct a loop-free path.

Note: Multiple active paths between end stations cause loops in the network. When a loop exists in the network, end stations might receive duplicate messages and network devices might learn end station Media Access Control (MAC) addresses on multiple Layer 2 LAN ports. These conditions result in an unstable network.

RPVST+

• Rapid PVST+ is the default STP mode for the switch.
• Rapid PVST+ is the IEEE 802.1w RSTP standard implemented per VLAN.

• A single instance of STP runs on each configured VLAN when you do not manually disable
STP.
• Each Rapid PVST+ instance on a VLAN uses a single root switch.
• Rapid PVST+ uses point-to-point wiring to provide rapid convergence of the spanning tree.

Enable and Disable STP on a Per-VLAN Basis

You can enable and disable STP on a per-VLAN basis when you are running Rapid PVST+. The spanning-tree reconfiguration can occur in less than 1 second with Rapid PVST+ (in contrast to 50 seconds with the default settings in the 802.1D STP).
STP Root Bridge Selection

• When a switch powers up, it changes to Rapid PVST+ mode and broadcasts a special spanning-tree message on all ports. This message is called a Bridge Protocol Data Unit (BPDU).
• Each configuration BPDU contains the following information:
  • The unique access point ID of the wireless access point that the sending access point uses as the spanning-tree root.
  • The cost of the spanning-tree path to the root.
  • The sending access point's access point ID.
  • The age of the message.
  • The sending interface's identifier.
  • Values for the hello timer, forward delay timer, and max-age protocol timer.
• All access points in the Layer 2 network that participate in STP gather information about other access points in the network through an exchange of BPDU data messages. This exchange of messages results in the following:
  • A unique spanning-tree root for each spanning-tree instance is elected.
  • A designated access point for every LAN segment is elected.
  • The loops in the network are removed by blocking Layer 2 interfaces that are connected to redundant links.
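
The election that this BPDU exchange produces, as an added Python example that is not part of the course material: it compares BPDUs in the order of the fields listed above (root ID, root path cost, sender bridge ID, sender port ID) over a constructed three-switch topology, using the default port costs and port priority that this lesson lists later, and returns the root bridge, each switch's root path cost and each port's role from the Port Roles section. Switch names, MAC addresses, port names and link speeds are constructed.

```python
"""802.1D root election and port roles over a constructed three-switch ring.

Added example, not from the course material. It elects the root bridge from
the lowest bridge ID (priority, then MAC), computes root path costs with the
default port costs of this lesson (4, 19, 100) and assigns the root,
designated and alternate roles. Names, MACs, ports and speeds are constructed.
"""
import heapq
from dataclasses import dataclass

PORT_COST = {10: 100, 100: 19, 1000: 4}  # default cost per link speed (Mb/s)
PORT_PRIORITY = 128                      # default port priority

@dataclass(frozen=True)
class Switch:
    name: str
    priority: int  # default 32768; lower wins
    mac: str       # 12 hex digits; breaks priority ties

    @property
    def bridge_id(self):
        return (self.priority, int(self.mac, 16))

@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    speed: int  # Mb/s, looked up in PORT_COST

    def ends(self):
        """Yield (switch, port, peer switch, peer port) for both ends."""
        yield self.a, self.a_port, self.b, self.b_port
        yield self.b, self.b_port, self.a, self.a_port

def port_id(port):
    """802.1D port identifier (priority, port number): Fa0/3 -> (128, 3)."""
    return (PORT_PRIORITY, int(port.rsplit("/", 1)[1]))

def run_stp(switches, links):
    """Return (root name, root path cost per switch, role per (switch, port))."""
    by_name = {s.name: s for s in switches}
    root = min(switches, key=lambda s: s.bridge_id).name

    adj = {s.name: [] for s in switches}  # switch -> [(peer, peer port, own port, cost)]
    for link in links:
        for me, my_port, peer, peer_port in link.ends():
            adj[me].append((peer, peer_port, my_port, PORT_COST[link.speed]))

    # Root path cost: cheapest sum of port costs towards the root (Dijkstra).
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue
        for peer, _, _, link_cost in adj[node]:
            if c + link_cost < cost.get(peer, float("inf")):
                cost[peer] = c + link_cost
                heapq.heappush(heap, (cost[peer], peer))

    roles = {}
    # Root port: the port receiving the superior BPDU, compared in BPDU order
    # (root path cost, sender bridge ID, sender port ID, own port ID).
    for name in adj:
        if name != root:
            best = min(adj[name], key=lambda e: (cost[e[0]] + e[3],
                       by_name[e[0]].bridge_id, port_id(e[1]), port_id(e[2])))
            roles[(name, best[2])] = "root"

    # Designated port per segment: the end with the lowest (cost, bridge ID,
    # port ID). The other end is a root port or is blocked as alternate.
    for link in links:
        ends = sorted((cost[sw], by_name[sw].bridge_id, port_id(p), sw, p)
                      for sw, p, _, _ in link.ends())
        for rank, (_, _, _, sw, p) in enumerate(ends):
            if roles.get((sw, p)) != "root":
                roles[(sw, p)] = "designated" if rank == 0 else "alternate"
    return root, cost, roles

# Constructed triangle: three equal-priority switches, all links 100 Mb/s.
SWITCHES = [
    Switch("SW1", 32768, "001122000001"),
    Switch("SW2", 32768, "001122000002"),
    Switch("SW3", 32768, "001122000003"),
]
LINKS = [
    Link("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
    Link("SW1", "Fa0/2", "SW3", "Fa0/1", 100),
    Link("SW2", "Fa0/2", "SW3", "Fa0/2", 100),
]

if __name__ == "__main__":
    root, cost, roles = run_stp(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port:<6} root path cost {cost[sw]:>3}  {role}")
```

With equal priorities the lowest MAC (SW1) wins, SW2 and SW3 both reach it at cost 19, and on the SW2-SW3 segment the tie is broken by bridge ID, so SW3 Fa0/2 is the blocked alternate port; lowering SW3's priority moves the root and the blocked port.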
lic

MSTP
up

MSTP MSTP:
The Multiple Spanning • Uses RSTP for rapid convergence and enables multiple VLANs to be grouped into and mapped
Tree (MST) to the same spanning-tree instance.
D

implementation is based
on the IEEE 802.1s • Provides for multiple forwarding paths for data traffic, enables load balancing, and reduces the
standard. number of spanning-tree instances required to support a large number of VLANs.
ot

• Improves the fault tolerance of the network because a failure in one instance (forwarding path)
does not affect other instances (forwarding paths).
N

STP-Related Optional Features

• In addition to standard STP features, additional features can be incorporated in Cisco IOS devices using extensions.
• The optional STP features help in:
  • Enhancing loop prevention.
  • Protecting against possible misconfigurations by users.
  • Providing better control over the protocol parameters.
• Two such optional STP features are PortFast and BPDU Guard.

PortFast

• STP PortFast causes a Layer 2 LAN port configured as an access port to enter the forwarding state immediately, by allowing the device to bypass the listening and learning states.
• Interfaces connected to a single workstation or server should not receive BPDUs.
• A PortFast-enabled port can immediately transition to the blocking state if necessary (this could happen on receipt of a superior BPDU).
• PortFast can be enabled on trunk ports and can have an operational value that is different from the configured value.

Note: You can use PortFast on Layer 2 access ports connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for STP to converge. When configured for PortFast, a port is still running STP.

Figure 2-3: STP PortFast.



BPDU Guard

• BPDU Guard complements the functionality of PortFast.
• On PortFast-enabled ports, BPDU Guard provides the protection against Layer 2 loops that STP cannot provide when STP PortFast is enabled.
• PortFast Layer 2 LAN interfaces (edge ports) with a valid configuration will not receive BPDUs.
• When BPDU Guard is enabled on a port, it shuts down a port that receives a BPDU regardless of the PortFast configuration.
• When BPDU Guard is configured globally, it is only effective on ports in the operational PortFast (edge) state.

Note: When a BPDU is received by a PortFast Layer 2 LAN interface, it indicates an invalid configuration, such as an unauthorized device connection. BPDU Guard provides a secure mechanism to respond to invalid configurations, because the administrator must manually reconfigure the Layer 2 LAN interface and put it back in service.

Figure 2-4: BPDU Guard enabled on edge ports.

TOPIC B
Configure STP
In this topic, you will describe the configuration mode of STP.

Spanning-Tree Interface States

• When the spanning-tree algorithm is run, it transitions each port through several different states.
• This is done to ensure that placing a port in forwarding mode will not cause a loop.
• The spanning-tree port states are: Blocking, Listening, Learning, and Forwarding.

Figure 2-5: The spanning-tree port states.


Blocking State

• When you enable STP, an interface always enters the blocking state.
• After the device initializes, it sends a BPDU to the Ethernet and radio ports of the access points.
• When the access points exchange BPDUs, it helps in identifying the spanning-tree root access point in the network.
• When an interface is in a blocking state, it does not participate in frame forwarding, it discards the frames received on the port, and it does not learn addresses.
• The interface in blocking state will receive BPDUs.

Listening State

• The listening state is the first interface state after the blocking state.

• When STP determines that the interface should participate in frame forwarding, the device enters
this state.
• When an interface is in the listening state it discards frames received on the port and does not
learn addresses.
• The interface in listening state will receive BPDUs.
• The default duration of the listening state is 15 seconds.

Learning State

• The learning state is the next interface state after the listening state.
• When an interface is in the learning state, it prepares to participate in frame forwarding.
• When an interface is in the learning state, it discards frames received on the port.
• The interface in learning state will learn addresses and receive BPDUs.
• The default duration of the learning state is 15 seconds.

Forwarding State

• The forwarding state is the next interface state after the learning state.
• When an interface is in the forwarding state, it will participate in frame forwarding.
• When an interface is in the forwarding state, it receives and forwards frames received on the port.
• The interface in forwarding state will learn addresses and receive BPDUs.

Disabled State

• The disabled state is the next interface state after the forwarding state.
• When an interface is in the disabled state, it does not participate in frame forwarding or in the spanning tree and is non-operational.
• When an interface is in the disabled state, it discards frames received on the port.
• The interface in disabled state will neither learn addresses nor receive BPDUs.

Steps to Configure STP on Switches

You need to perform these steps to configure STP on switches:
1. Use the configure terminal command to enter global configuration mode.
2. Use the spanning-tree mode {pvst | mst | rapid-pvst} command to configure a spanning-tree mode.
3. Use the interface <interface-id> command to specify an interface to configure and enter interface configuration mode.
4. Use the spanning-tree link-type point-to-point command to specify that the link type for the port is point-to-point.
5. Use the end command to return to privileged EXEC mode.
6. Use the clear spanning-tree detected-protocols command to restart the protocol migration process on the entire switch when any port on the switch is connected to a legacy IEEE 802.1D switch.
7. Use the show spanning-tree summary and show spanning-tree interface interface-id commands to verify your configuration entries.
8. Use the copy running-config startup-config command to save your entries in the configuration file.

Note: In Step 3, which is recommended only for rapid-PVST+ mode, the valid interfaces that you can specify are physical ports, VLANs, and port channels. Your VLAN ID can range from 1 to 4094, while your port-channel can range from 1 to 6.

Note: Steps 4 and 6 are recommended only for rapid-PVST+ mode. Step 8 is an optional step. Also, step 6 becomes optional when the designated switch is able to correctly detect that this switch is running rapid PVST+.

Note: In Step 4, when you connect the local port to a remote port through a point-to-point link and the local port becomes a designated port, the switch will negotiate with the remote port and rapidly change the local port to the forwarding state.
ib
Default Configuration of a Spanning Tree

The default configuration of a spanning tree is listed in the table.

Name of the Feature    Default State/Value

Enable state
    Enabled on VLAN 1.

Spanning-tree mode
    PVST+ (Rapid PVST+ and MSTP are disabled.)

Switch priority
    32768

Spanning-tree port priority
    128

Spanning-tree port cost
    1000 Mb/s: 4
    100 Mb/s: 19
    10 Mb/s: 100

Spanning-tree VLAN port priority
    128

Spanning-tree VLAN port cost
    1000 Mb/s: 4
    100 Mb/s: 19
    10 Mb/s: 100

Spanning-tree timers
    Hello time: 2 seconds
    Forward-delay time: 15 seconds
    Maximum-aging time: 20 seconds
    Transmit hold count: 6 BPDUs

Note: In the table, the values of the spanning-tree port priority and spanning-tree port cost are configurable on a per-interface basis. The values of spanning-tree VLAN port priority and spanning-tree VLAN port cost are configurable on a per-VLAN basis.

Guidelines Related to Spanning-Tree Configuration and Restrictions

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Note: You need to use the no spanning-tree vlan <vlan_id> command to disable spanning tree on the specified VLAN. You need to use the spanning-tree vlan <vlan-id> command to enable spanning tree on the required VLAN.

While configuring STP settings, you need to be aware of the following guidelines and restrictions:

• Every stack member runs its own spanning tree, and to the rest of the network, the entire stack appears as a single switch.
• When you have more VLANs defined than instances of STP, you can enable PVST+ or rapid PVST+ on only 128 VLANs on each switch stack. The remaining VLANs operate only with STP disabled. However, you can use MSTP to map multiple VLANs to the same spanning-tree instances.
• When 128 spanning-tree instances are already in use and you need to run STP on another VLAN, you must disable STP on some other VLAN before you can enable and run STP on this VLAN.
• You can use the spanning-tree commands to control the configuration of VLAN spanning-tree instances. A spanning-tree instance is created when an interface is assigned to a VLAN. The spanning-tree instance is removed when you move the last interface to another VLAN.
• You can configure switch and port parameters before creating a spanning-tree instance. When the spanning-tree instance is created, these switch and port parameters are applied.
• Although a switch may support PVST+, rapid PVST+, and MSTP, only one version can be active at any time.
• The same spanning-tree version must be run by all stack members.
Spanning-Tree Status Commands

The IOS commands related to spanning tree need to be executed in privileged EXEC mode to display the status of the spanning tree. The commands are listed in the following table.

Command    Description

show spanning-tree
    Displays information about your network's spanning tree.

show spanning-tree blocked-ports
    Displays the list of blocked ports.

show spanning-tree bridge
    Displays the status and configuration of the selected bridge.

show spanning-tree active
    Displays spanning-tree information on only the active interfaces.

show spanning-tree root
    Displays a detailed summary of information on the spanning-tree root.

show spanning-tree interface interface-id
    Displays spanning-tree information for the specified interface.

show spanning-tree summary [totals]
    Displays a summary of port states or displays the total lines of the STP state section.
STP Configuration Examples

The following are STP configuration examples.

Example 1: The show spanning-tree interface gi3/13 details command displays the STP information for an edge port.

Example 2: The show spanning-tree vlan 2 command displays the STP information for the selected VLAN, VLAN 2.

Figure 2-6: Example 1: Spanning-tree configuration details of an edge port.

Figure 2-7: Example 2: Spanning-tree summary totals.
Commands Related to the Spanning Tree Labs

The commands related to the Spanning Tree labs are listed in the table.

Command    Description

ipconfig /all
    Verifies the current IP configuration on the selected PC.

spanning-tree vlan <vlan_id> priority 0
    Ensures that the selected switch is the root bridge.

show spanning-tree vlan <vlan_id>
    Shows whether spanning tree is running for a specific VLAN.

spanning-tree mode rapid-pvst
    Enables Rapid-PVST mode on switches.

interface fastethernet 0/12
speed 100
duplex full
    Sets the port speed and duplex on the FastEthernet 0/12 interface.

show interfaces fastethernet 0/11 switchport
    Displays information about the switchport.

show spanning-tree
    Displays the spanning-tree state of the VLANs.

show spanning-tree <vlan_id> detail
    Displays detailed information about the current spanning-tree configuration for the selected VLAN on the specific switch.

show running-config
    Shows the current configuration details.

Lab: Spanning Tree I
• Path to lab: ICND2→Scalable Networks
• Lab name: Spanning Tree I
• Duration: 15 minutes (approx.)

Lab: Spanning Tree II
• Path to lab: ICND2→Scalable Networks
• Lab name: Spanning Tree II
• Duration: 15 minutes (approx.)

Lab: Spanning Tree III
• Path to lab: ICND2→Scalable Networks
• Lab name: Spanning Tree III
• Duration: 15 minutes (approx.)

Commands Related to Spanning Tree and MST Lab
The commands related to the Spanning Tree and MST lab are listed in the table.

Command                                        Description
no spanning-tree vlan 1 priority 4096          Returns the switch to its default configuration.
show spanning-tree interface fastethernet 0/3  Displays the MST configuration on the specified interface connected to the specific port.
interface fastethernet 0/1                     Enables BPDU guard on the selected switch’s FastEthernet 0/1 interface.
  spanning-tree bpduguard enable
interface fastethernet 0/1                     Disables BPDU guard on the selected switch’s FastEthernet 0/1 interface.
  no spanning-tree bpduguard enable
do <command>                                   Executes the command without the need to change EXEC levels.
show spanning-tree summary                     Displays the spanning-tree summary of port states.

Lab: STP and MST
• Path to lab: ICND2→Scalable Networks
• Lab name: STP and MST
• Duration: 20 minutes (approx.)


TOPIC C
Troubleshoot STP
In this topic, you will describe the techniques to troubleshoot issues with STP.

Initial Troubleshooting STP Checklist
• Troubleshooting an STP problem requires information about the configuration and connectivity of individual devices and of the entire network.
• Before you start with the actual troubleshooting, you need to obtain more information about the network layout, the details of the devices, and the existing STP configuration. This includes:
  • An actual topology diagram, which contains the details of all switches and bridges that are active on the network.
  • The interconnecting port numbers of the devices used in the network.
  • STP configuration details, which help you identify the root switch and the backup root switch, determine which links have a non-default cost or priority, and locate the blocking ports.
• Your initial STP troubleshooting checklist must consider the following points:
  • Verify the type of spanning tree configured on your device.
  • Verify the network topology, including all interconnected ports and switches. Identify all redundant paths on the network and verify that the redundant paths are blocking.
  • Use the show spanning-tree summary totals command to verify that the total number of logical interfaces in the Active state is less than the maximum allowed.
  • Verify the primary and secondary root bridge and any configured Cisco extensions.
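
The checklist items "verify that the redundant paths are blocking" and "identify the root switch" can be checked mechanically over captured show spanning-tree output. The following Python script is an added example for this section; it is not Cisco's tooling or part of the course. It parses each VLAN block (Root ID, Bridge ID and the interface table) and then applies the checklist: a non-root switch must show exactly one Root port, every Altn or Back port must be BLK, and an Edge port should only ever be Desg. The sample output, including its MAC addresses, interface names and costs, is constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of 'show spanning-tree vlan 10' from a NON-root switch.
# Addresses, interfaces and costs are made up for this example.
SAMPLE_OUTPUT = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0000.0c11.aa01
             Cost        4
             Port        1 (GigabitEthernet1/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0000.0c22.bb02
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Root FWD 4         128.1    P2p
Gi1/0/2             Altn FWD 4         128.2    P2p
Gi1/0/3             Desg FWD 4         128.3    P2p Edge
"""

VLAN_RE = re.compile(r"^VLAN(?P<vlan>\d{4})\s*$")
ROOT_RE = re.compile(r"^\s+Root ID\s+Priority\s+\d+")
BRIDGE_RE = re.compile(r"^\s+Bridge ID\s+Priority\s+\d+")
ADDR_RE = re.compile(r"^\s+Address\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
PORT_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+(?P<state>FWD|BLK|LRN|LIS)\s+"
    r"\d+\s+\d+\.\d+\s+(?P<type>.*?)\s*$"
)


@dataclass
class VlanTree:
    vlan: int
    root_mac: str = ""
    bridge_mac: str = ""
    is_root: bool = False
    ports: dict = field(default_factory=dict)  # iface -> (role, state, type)


def parse_show_spanning_tree(text):
    """Parse every VLAN section of 'show spanning-tree' output into VlanTree objects."""
    trees, current, addr_target = [], None, None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current = VlanTree(vlan=int(m.group("vlan")))
            trees.append(current)
            continue
        if current is None:
            continue
        if ROOT_RE.match(line):
            addr_target = "root_mac"      # next Address line belongs to the Root ID block
        elif BRIDGE_RE.match(line):
            addr_target = "bridge_mac"    # next Address line belongs to the Bridge ID block
        elif "This bridge is the root" in line:
            current.is_root = True
        m = ADDR_RE.match(line)
        if m and addr_target:
            setattr(current, addr_target, m.group("mac"))
            addr_target = None
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports[m.group("iface")] = (m.group("role"), m.group("state"), m.group("type"))
    for tree in trees:
        if tree.root_mac and tree.root_mac == tree.bridge_mac:
            tree.is_root = True
    return trees


def check_tree(tree):
    """Apply the checklist to one VLAN; returns human-readable findings (empty list = clean)."""
    findings = []
    root_ports = [i for i, (role, _, _) in tree.ports.items() if role == "Root"]
    if tree.is_root and root_ports:
        findings.append(f"VLAN {tree.vlan}: switch is root but has root port(s) {root_ports}")
    if not tree.is_root and len(root_ports) != 1:
        findings.append(f"VLAN {tree.vlan}: expected exactly one root port, found {len(root_ports)}")
    for iface, (role, state, ptype) in tree.ports.items():
        # Redundant paths must be blocking; an alternate/backup port that forwards is a loop indicator.
        if role in ("Altn", "Back") and state != "BLK":
            findings.append(f"VLAN {tree.vlan}: redundant port {iface} ({role}) is {state}, not BLK")
        # An edge (PortFast) port should face an end station, so it should only ever be designated.
        if "Edge" in ptype and role != "Desg":
            findings.append(f"VLAN {tree.vlan}: edge port {iface} has role {role}; it may face a switch")
    return findings


def check_output(text):
    """Map each VLAN number to the findings for it."""
    return {tree.vlan: check_tree(tree) for tree in parse_show_spanning_tree(text)}


if __name__ == "__main__":
    for vlan, findings in check_output(SAMPLE_OUTPUT).items():
        print(f"VLAN {vlan}: {'OK' if not findings else findings}")
```

Run it against the output of every switch in the topology diagram, one VLAN at a time; the single finding on the constructed sample (Gi1/0/2 is an alternate port that is forwarding) is exactly the condition the checklist asks you to rule out.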

Commands to View STP Configuration and Operational Details
The commands to view STP configuration and operational details are listed in the table.

Command                                                        Description
show running-config spanning-tree                              Displays the current configuration for the spanning tree.
show spanning-tree summary                                     Provides a summary of connected spanning-tree ports by VLAN.
show spanning-tree detail                                      Displays the details of the spanning tree.
show spanning-tree bridge                                      Displays the current configuration of the bridge.
show spanning-tree mst <options>                               Displays detailed information for the current MST configuration.
show spanning-tree mst configuration                           Displays the current MST configuration.
show spanning-tree interface interface-type slot/port [detail] Displays the detailed STP information for the selected interface.
show tech-support stp                                          Displays tech-support commands for spanning tree.
show spanning-tree blockedports                                Displays the ports that are blocked by STP.
show mac address-table dynamic vlan                            Determines if learning or aging occurs at each node.

STP Data Loops
• Data loops are a common problem in STP networks: data continuously flows in the same direction between the same set of switches, forming a never-ending loop.
• Some of the symptoms of a data loop are as follows:
  • High utilization of a link, up to 100 percent.
  • High utilization of the central processing unit (CPU) and of backplane traffic.
  • Constant relearning and flapping of MAC addresses.
  • Excessive output drops on an interface.

Figure 2-8: An STP data loop.
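
The "constant relearning and flapping of MAC addresses" symptom shows up in the switch log as %SW_MATM-4-MACFLAP_NOTIF messages, so it can be detected before anyone notices the link utilization. The Python script below is an added example for this section and is not Cisco's or the course's code. It parses those messages and separates the two cases a practitioner has to tell apart: a single host moving between two ports (normal, for example a roaming client) versus many distinct hosts flapping between the same two ports, which is the signature of a loop because the same frames arrive on both ports. The log lines, timestamps, MAC addresses and port names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt; MACs, ports and timestamps are made up.
SAMPLE_LOG = """\
*Mar  1 00:10:01.100: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c00.0001 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
*Mar  1 00:10:01.350: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c00.0002 in vlan 10 is flapping between port Gi1/0/2 and port Gi1/0/1
*Mar  1 00:10:02.020: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c00.0003 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
*Mar  1 00:10:02.900: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
*Mar  1 00:10:03.410: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c00.0004 in vlan 10 is flapping between port Gi1/0/2 and port Gi1/0/1
*Mar  1 00:12:45.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c00.00aa in vlan 20 is flapping between port Gi1/0/5 and port Gi1/0/6
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(log_text):
    """Yield (vlan, mac, port_pair) for each MACFLAP message.

    The port pair is sorted so that Gi1/0/1<->Gi1/0/2 and Gi1/0/2<->Gi1/0/1
    are counted as the same pair of links.
    """
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m.group("p1"), m.group("p2"))))
            yield int(m.group("vlan")), m.group("mac"), pair


def flaps_per_host(log_text):
    """Return {(vlan, mac): number_of_flap_messages}, the per-host view."""
    counts = defaultdict(int)
    for vlan, mac, _ in parse_flaps(log_text):
        counts[(vlan, mac)] += 1
    return dict(counts)


def suspect_loops(log_text, min_hosts=3):
    """Return {(vlan, port_pair): distinct_host_count} for port pairs between
    which at least `min_hosts` different MACs flapped. One host moving is a
    client moving; many hosts flapping between the same two ports means the
    same frames are arriving on both, i.e. a Layer 2 loop through those ports."""
    hosts = defaultdict(set)
    for vlan, mac, pair in parse_flaps(log_text):
        hosts[(vlan, pair)].add(mac)
    return {key: len(macs) for key, macs in hosts.items() if len(macs) >= min_hosts}


if __name__ == "__main__":
    for (vlan, pair), n in suspect_loops(SAMPLE_LOG).items():
        print(f"possible loop in VLAN {vlan} via {pair[0]} and {pair[1]}: {n} hosts flapping")
```

The threshold min_hosts is the tunable: on an access switch with a wireless controller behind one port a handful of genuinely moving clients is normal, while four different MACs flapping between the same two uplinks within two seconds, as in the constructed sample, warrants checking those ports with show spanning-tree.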



Excessive Packet Flooding
• Unstable STP topology changes can trigger excessive packet flooding in your STP network. In a stable topology, a topology change should not trigger excessive flooding.
• With Rapid STP or MST, a topology change is triggered when a port's state changes to forwarding, and also when a port's role changes from designated to root.
• Rapid STP immediately flushes the Layer 2 forwarding table.
• 802.1D instead shortens the aging time.
• The immediate flushing of the forwarding table restores connectivity faster but causes more flooding.
• Link flaps can cause a topology change, so continuous link flaps cause repetitive topology changes and flooding.
• Flooding slows network performance and can cause packet drops on an interface.

Convergence Time Issues
STP convergence can take longer than expected or result in a different topology than what was expected. To troubleshoot convergence issues, check for the following:
• Errors in the documented network topology diagram.
• Misconfiguration of the STP timers, the STP diameter, or Cisco extension features such as bridge assurance, root guard, and BPDU guard.
• An overloaded switch CPU during convergence, caused by exceeding the recommended logical port (port-vlan) limit.
• Software defects that affect STP.

Forwarding Loops
• Cisco has developed a number of features and enhancements to protect networks against forwarding loops, to handle the inability of STP to deal correctly with certain failures.
• Troubleshooting STP helps to isolate and find the cause of a particular failure, while implementing these enhancements is the only way to secure the network against forwarding loops.
• Autonegotiation mechanisms can convey remote fault information, which is the quickest way to detect failures at the remote side. If failures are detected at the remote side, the local side brings down the link even if the link is still receiving pulses.

Guidelines to Troubleshoot Forwarding Loops
Guidelines to troubleshoot forwarding loops include:
• Enable the Cisco-proprietary Unidirectional Link Detection (UDLD) protocol on all the switch-to-switch links.
• Set up the bridge assurance feature by configuring all the switch-to-switch links as the spanning-tree network port type.
• Ensure that you enable the bridge assurance feature on both sides of the links.
• Set up the STP edge port type to limit the number of topology change notices and the subsequent flooding that can affect the performance of the network. Remember to use this command only on ports that connect to end stations: an accidental topology loop can cause a data-packet loop and disrupt the device and network operation.
• Enable the Link Aggregation Control Protocol (LACP) for port channels to avoid any port-channel misconfiguration issues.
• Do not disable autonegotiation on the switch-to-switch links.
• Set up all the end-station ports as the spanning-tree edge port type.


Summary
Key Points
• STP is an IEEE 802.1D bridge and Layer 2 link-management protocol, which prevents undesirable loops in the network while providing path redundancy.
• The three STP modes supported by the newer Cisco switches are PVST+, rapid PVST+, and MSTP.
• The default mode for the switch is the PVST+ protocol.
• BPDU Guard balances the functionality of PortFast.
• The spanning-tree port states are: Blocking, Listening, Learning, and Forwarding.
• The radio and Ethernet interfaces and the native VLAN on the access point are assigned to bridge group 1 by default.
• IOS commands need to be executed in privileged EXEC mode to display the status of the spanning tree.
• STP convergence can take longer than expected or result in an unexpected final network topology.
• Data loops are a common problem in STP networks.

3 Managing EtherChannel

Lesson Time: 2 hours, 10 minutes

Lesson Objectives
In this lesson, you will manage EtherChannels. You will:
• Describe the basic features of switch stacks and VSS.
• Describe the configuration mode of EtherChannel.
• Describe the techniques to troubleshoot issues with EtherChannel.

Lesson Introduction
As a network professional, you can use EtherChannels to aggregate bandwidth from many physical links to optimize network performance. In order to use EtherChannel effectively in your network, you need to be aware of the methods to configure EtherChannels and the techniques to troubleshoot them.

TOPIC A
Basics of Switch Stacks and VSS
In this topic, you will describe the basic features of switch stacks and VSS.

Switch Stacking
• Switch stacking refers to setting up nine stacking-capable switches that are connected through their StackWise Plus ports or StackWise ports.
• A switch stack is identified in the network by its bridge ID and, if it is operating as a Layer 3 device, by its router Media Access Control (MAC) address.
• A switch stack can contain either a single switch type connected together in the stack, or a mix of Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches connected in the stack.
• A switch stack consists of a stack master and other switches that are stack members.

Figure 3-1: A switch stack.

Switch Stack Members and Ports
Catalyst 3750-X and Catalyst 3750-E stack members contain StackWise Plus ports. Catalyst 3750 members contain StackWise ports.

Stack Master
• The stack master is the switch that controls the operation of the entire switch stack.
• The stack master is the single point of stack-wide management.
• From the stack master, you can configure:
  • The global or system-level features that are applicable to all stack members.
  • The interface-level features that are applicable to each stack member.
• All stack members are eligible to be stack masters. If the stack master becomes unavailable, the remaining stack members elect a new stack master from among themselves.
• The switch with the highest stack member priority value becomes the new stack master.
• The bridge ID and router MAC address are determined by the MAC address of the stack master.

Role of the Stack Master
The stack master contains both the saved and the running configuration files for the entire switch stack. These configuration files contain the system-level settings for the switch stack and the interface-level settings for each stack member. Each stack member also keeps a current copy of these files for back-up and recovery purposes.
A stack master retains its role unless one of these events occurs:
• The entire switch stack is reset.
• The stack master is removed from the switch stack.
• The stack master is reset, powered off, or fails.
• The switch stack membership is increased by adding powered-on standalone switches or switch stacks.

Stack Members
• The stack master and the other switches in the switch stack are all stack members.
• Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
• The Cisco StackWise Plus technology is used by the stack members to work together as a single unified system.
• Every stack member is identified by its own stack member number.

Cisco StackWise Plus Technology
The Cisco StackWise Plus technology is a proven and widely deployed, cost-effective switch stacking solution that provides a pay-as-you-grow model.

Types of Switch Stack Configurations
The types of switch stack configurations are:
• Homogeneous Stack: The members of the stack are all the same type of Catalyst switch. For example, a switch stack that consists of only Catalyst 3750-E switches as stack members, or a switch stack that consists of only Catalyst 3750-X switches as stack members.
• Mixed Stacks: There are three types of mixed stacks: mixed hardware stack, mixed software stack, and mixed hardware and software stack.

Figure 3-2: Switch stack configurations.

Mixed Stacks
The types of mixed stacks are:
• Mixed Hardware Stack: A mixed hardware stack consists of different types of switches, such as Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches, as its stack members, all supporting the same set of features. For example, Catalyst 3750-E and Catalyst 3750 switches can be stack members of the same switch stack to support IP services features.
• Mixed Software Stack: A mixed software stack consists of the same type of switches, such as Catalyst 3750-X, Catalyst 3750-E, or Catalyst 3750 switches, as its stack members, but with each switch supporting different features. For example, in a Catalyst 3750-E-only stack, some members may run the IP base feature set, whereas other members run the IP services feature set.
• Mixed Hardware and Software Stack: A mixed hardware and software stack consists of different types of switches, such as Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches, as its stack members, with each supporting different features. For example, a stack that contains Catalyst 3750-E switches as members running the IP services feature set and Catalyst 3750 switches as members running the IP services software image.

Benefits of Switch Stacking
The stacking of Ethernet switches provides the network administrator with three major operational benefits:
• Provides a Single Point of Management: All switches in the stack can be managed as one unit.
• Ensures High Availability and Built-In Redundancy: The connections between stacked switches provide redundant communication from each stack member to every other member in the switch stack.
• Scales Easily to Fit Network Needs: A new switch can be easily added to the stack. As the requirement for additional access ports grows, it is easier and faster to add a new switch to an existing stack than to add a new standalone switch to the network.

Chassis Aggregation
• Chassis Aggregation, also known as Virtual Switching System (VSS), forms a single network element by combining a pair of switches. For example, a VSS in the distribution layer of the network interacts with the access and core networks as if it were a single switch.
• An access switch uses one logical port channel to connect to both chassis of the VSS, which manages redundancy and load balancing on the port channel. This capability implements a loop-free Layer 2 network topology.
• The VSS simplifies the Layer 3 network topology by reducing the number of routing peers in the network.
• When you create or restart a VSS, the peer chassis negotiate their roles, with one chassis becoming the VSS active chassis and the other chassis becoming the VSS standby.
• The VSS active chassis controls the VSS and runs the Layer 2 and Layer 3 control protocols for the switching modules on both chassis. It also provides management functions for the VSS, such as module Online Insertion and Removal (OIR) and the console interface.
• The VSS active and VSS standby chassis together perform packet forwarding for ingress data traffic on their locally hosted interfaces, and the VSS standby chassis sends all control traffic to the VSS active chassis for processing.

Benefits of Chassis Aggregation
The benefits of chassis aggregation include:
• Network operators usually increase network reliability by configuring redundant pairs of network devices and links. However, the redundant network elements and redundant links may add complexity to network design and operation. Virtual switching solves this issue by simplifying the network to reduce the number of network elements and hide the complexity of managing redundant switches and links.
• The VSS manages the redundant links, which externally function as a single port channel.
• The VSS simplifies the network configuration and operation by reducing the number of Layer 3 routing neighbors and providing a loop-free Layer 2 topology.

VSL
• The Virtual Switch Link (VSL) is a special link that carries control and data traffic between the two VSS chassis.
• It is implemented as an EtherChannel with up to eight links.
• The VSL gives control traffic higher priority than data traffic, which ensures that control messages are never discarded.
• The EtherChannel load-balancing algorithm is used to balance the data traffic load among the VSL links.
• When the VSL is configured, all existing configuration is removed from the interface, with the exception of some specific commands, and the system puts the interface into a restricted mode.
• Only specific configuration commands can be configured on the interface while it is in the restricted mode.

TOPIC B
Configure EtherChannel
In this topic, you will describe the configuration mode of EtherChannel.

EtherChannel
• EtherChannel is Cisco’s link aggregation port trunking technology that combines individual Ethernet links into a single logical link in such a manner that it provides the aggregate bandwidth of up to eight physical links.
• EtherChannel offers fault-tolerant high-speed links between switches, routers, and servers.
• On any switching module, you can form an EtherChannel made up of up to eight compatibly configured local area network (LAN) ports.
• In each EtherChannel, all LAN ports must be of the same speed and must all be configured either as Layer 2 LAN ports or as Layer 3 LAN ports.
• New Cisco IOS releases support a maximum of 128 EtherChannels. Sometimes the number of ports in an EtherChannel may be limited to a specific number by the network device to which a switch is connected.

Figure 3-3: An EtherChannel.

EtherChannel Configuration
You need to consider the following points when configuring EtherChannel:
• EtherChannels can be configured manually or can be formed using the Port Aggregation Control Protocol (PAgP) or the Link Aggregation Control Protocol (LACP).
• When an EtherChannel port is manually configured, it does not exchange EtherChannel protocol packets. A manually configured EtherChannel is successfully formed only when you configure all ports in the EtherChannel to be compatible with each other.
• With a protocol, the EtherChannel is formed through dynamic negotiation with the connected network devices of ports that have similar characteristics, as allowed by the EtherChannel protocols.
• While PAgP is a Cisco-proprietary protocol, LACP is defined in the Institute of Electrical and Electronics Engineers (IEEE) 802.3ad standard.
• PAgP and LACP are not compatible with each other.
• Ports that are configured to use PAgP cannot be used to form EtherChannels with ports that are configured to use LACP, and vice versa.
• Neither PAgP nor LACP interoperates with manually configured ports.

PAgP EtherChannel Configuration
You need to consider the following points when configuring a PAgP EtherChannel:
• PAgP enables the automatic creation of EtherChannels by allowing the exchange of PAgP packets between LAN ports that are in auto and desirable modes.
• The protocol learns the capabilities of LAN port groups dynamically and informs the other LAN ports.
• After PAgP identifies the correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel.
• The EtherChannel is then added as a single bridge port to the spanning tree.
• Both the auto and desirable modes allow PAgP to negotiate between LAN ports to determine if an EtherChannel can be formed. They use criteria such as port speed and trunking state for the negotiation. Layer 2 EtherChannels also use virtual local area network (VLAN) numbers for the negotiation.
• LAN ports can form an EtherChannel when they are in different PAgP modes if the modes are compatible. For example:
  • LAN ports in desirable mode can form an EtherChannel successfully with each other.
  • A LAN port in desirable mode can form an EtherChannel with another LAN port that is in auto mode.
  • A LAN port in auto mode cannot form an EtherChannel with another LAN port that is also in auto mode, because neither port will initiate negotiation.


IEEE 802.3ad LACP EtherChannel Configuration
You need to consider the following points when configuring an IEEE 802.3ad LACP EtherChannel:
• LACP is an IEEE 802.3ad standard that supports the automatic creation of EtherChannels by permitting the exchange of LACP packets between LAN ports that are in passive and active modes.
• The protocol dynamically learns about the capabilities of LAN port groups and informs the other LAN ports.
• When LACP identifies the correctly matched Ethernet links, it allows the grouping of the links into an EtherChannel. Then, the EtherChannel is added to the spanning tree as a single bridge port.
• Using criteria such as port speed and trunking state, both the passive and active modes allow LACP to negotiate between LAN ports to determine if an EtherChannel can be formed.
• Layer 2 EtherChannels also use VLAN numbers as a criterion.

LACP Mode Compatibility
Even LAN ports that are in different LACP modes can form an EtherChannel as long as the modes are compatible. For example:
• Two LAN ports that are in active mode can form an EtherChannel successfully.
• A LAN port that is in active mode can form an EtherChannel with another LAN port that is in passive mode.
• Two LAN ports that are in passive mode cannot form an EtherChannel because neither of the ports will be able to initiate a negotiation.
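
The mode rules in this topic (PAgP auto/desirable, LACP active/passive, manual "on", and the rule that the two protocols and manual configuration never interoperate) together with the "same speed, same duplex, same Layer 2 or Layer 3 type, up to eight ports" requirements can be turned into a pre-check that runs before the channel-group commands are typed. The following Python script is an added example for this topic; it is not Cisco's code, and the Port class, the check_bundle and modes_form_channel functions and the sample ports are constructed for the example. It also applies the half-duplex rule stated under the configuration guidelines in Topic C.

```python
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"passive", "active"}
INITIATORS = {"desirable", "active"}   # the modes that send negotiation packets first


def protocol_of(mode):
    """Map a channel-group mode keyword to the EtherChannel protocol it implies."""
    if mode in PAGP_MODES:
        return "PAgP"
    if mode in LACP_MODES:
        return "LACP"
    if mode == "on":
        return "manual"
    raise ValueError(f"unknown channel-group mode: {mode}")


def modes_form_channel(local, remote):
    """Return (forms, reason) for one channel-group mode on each end of the link."""
    lp, rp = protocol_of(local), protocol_of(remote)
    if lp != rp:
        # Covers on<->PAgP, on<->LACP and PAgP<->LACP: none of these interoperate.
        return False, f"{lp} on one side and {rp} on the other do not interoperate"
    if lp == "manual":
        return True, "both sides 'on': no negotiation, so the ports must be compatible by configuration"
    if local in INITIATORS or remote in INITIATORS:
        return True, f"{lp} negotiation: at least one side initiates ({local}/{remote})"
    return False, f"{lp}: neither {local} nor {remote} initiates negotiation"


@dataclass(frozen=True)
class Port:
    """Constructed description of one local LAN port proposed for the bundle."""
    name: str
    speed_mbps: int
    duplex: str        # "full" or "half"
    layer: int         # 2 or 3
    mode: str          # channel-group mode keyword
    enabled: bool = True


def check_bundle(ports):
    """Return the list of problems that would keep these local ports from bundling."""
    problems = []
    if not 1 <= len(ports) <= 8:
        problems.append(f"{len(ports)} ports: an EtherChannel holds up to eight LAN ports")
    for attr, label in (("speed_mbps", "speed"), ("duplex", "duplex"), ("layer", "Layer 2/Layer 3 type")):
        values = {getattr(p, attr) for p in ports}
        if len(values) > 1:
            problems.append(f"mixed {label}: {sorted(map(str, values))}")
    protocols = {protocol_of(p.mode) for p in ports}
    if len(protocols) > 1:
        problems.append(f"mixed EtherChannel protocols in one channel: {sorted(protocols)}")
    if "LACP" in protocols and any(p.duplex == "half" for p in ports):
        problems.append("half-duplex port in an LACP EtherChannel: the channel would be suspended")
    for p in ports:
        if not p.enabled:
            problems.append(f"{p.name} is shut down: treated as a link failure in the bundle")
    return problems


if __name__ == "__main__":
    print(modes_form_channel("desirable", "auto"))
    print(modes_form_channel("passive", "passive"))
    proposed = [Port("Fa0/1", 100, "half", 2, "active"), Port("Fa0/2", 1000, "full", 2, "active")]
    for problem in check_bundle(proposed):
        print("-", problem)
```

check_bundle looks only at the local side; run modes_form_channel with the mode configured on the neighbour to cover the other half of the negotiation, since a clean local bundle still never forms against a neighbour in an incompatible mode.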


EtherChannel Hash-Distribution Algorithms
• EtherChannel frame distribution uses a Cisco-proprietary hashing algorithm.
• Switches that run Cisco IOS versions before release 12.2(33)SXH support only a fixed load-distribution algorithm.
• With the fixed algorithm, whenever you add a port to the EtherChannel or delete a port from it, the switch updates the port Application-Specific Integrated Circuit (ASIC) for each port in the EtherChannel, which causes a short outage on each port.
• To overcome this issue, switches that run Cisco IOS versions after release 12.2(33)SXH support an adaptive algorithm that does not update the port ASIC for existing member ports.
• The fixed load-distribution algorithm is the default algorithm, whereas you can configure a global value for the adaptive algorithm.
• The algorithm for individual port channels can also be specified.

Algorithm Changes and Member Link Events
When you change the algorithm, the change is applied at the next member link event, such as link down, link up, addition, deletion, no shutdown, and shutdown. When you enter the command to change the algorithm, the console issues a warning that the command does not take effect until the next member link event.

EtherChannel Min-Links Feature
• The EtherChannel Min-Links feature allows you to configure the minimum number of member ports that need to be in the link-up state and bundled in the EtherChannel for the port-channel interface to transition to the link-up state.
• The EtherChannel Min-Links feature is supported only on LACP EtherChannels.
• The EtherChannel Min-Links feature can be used to prevent low-bandwidth LACP EtherChannels from becoming active.
• LACP EtherChannels become inactive if there are too few active member ports to supply the required minimum bandwidth.
• When LACP max-bundle values are specified in conjunction with min-links, the configuration is verified, and if the min-links value is not compatible with (less than or equal to) the max-bundle value, an error message is returned.
• The EtherChannel Min-Links feature works correctly even when it is configured only on one end of an EtherChannel. For best results, however, you need to ensure that you configure the same number of minimum links on both ends of the EtherChannel.
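
The min-links behaviour described above, modelled in Python as an added example (not Cisco's code): a port channel whose state is derived from the number of bundled member links, the min-links threshold, and the min-links/max-bundle consistency check. The LacpPortChannel class, the member-port names and the event sequence are constructed for the example; the assumption that links beyond max-bundle stay out of the bundle is taken from LACP behaviour, not from the page.

```python
class LacpPortChannel:
    """Minimal model of an LACP port channel with min-links and max-bundle."""

    def __init__(self, members, min_links=1, max_bundle=None):
        # The page: min-links must be less than or equal to max-bundle,
        # otherwise the switch returns an error instead of accepting the config.
        if max_bundle is not None and min_links > max_bundle:
            raise ValueError(f"min-links {min_links} must not exceed max-bundle {max_bundle}")
        self.min_links = min_links
        self.max_bundle = max_bundle if max_bundle is not None else len(members)
        self.up = {m: False for m in members}   # member -> link is up
        self.history = []                       # (event, port-channel state) pairs

    def bundled(self):
        """Members that are up, limited to max-bundle (assumption: the rest do not carry traffic)."""
        active = [m for m, state in self.up.items() if state]
        return active[: self.max_bundle]

    def state(self):
        """The port-channel interface is up only with at least min-links bundled members."""
        return "up" if len(self.bundled()) >= self.min_links else "down"

    def link_event(self, member, is_up):
        """Apply one member link up/down event and record the resulting channel state."""
        self.up[member] = is_up
        self.history.append((f"{member} {'up' if is_up else 'down'}", self.state()))
        return self.state()


def run_scenario():
    """Three-link channel that should only carry traffic with at least two links."""
    pc = LacpPortChannel(["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"], min_links=2)
    pc.link_event("Gi1/0/1", True)    # one link up: channel stays down
    pc.link_event("Gi1/0/2", True)    # two links: channel comes up
    pc.link_event("Gi1/0/2", False)   # back to one link: channel goes down rather than run at 1/3 bandwidth
    pc.link_event("Gi1/0/3", True)    # two links again: channel comes up
    return pc.history


if __name__ == "__main__":
    for event, state in run_scenario():
        print(f"{event:14} -> port-channel {state}")
```

The scenario shows why the feature matters for a redundant uplink: without min-links the channel would stay up on a single link and the routing layer would keep sending the full load across it, whereas with min-links 2 the channel goes down and a backup path takes over.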


Commands Related to Layer 2 EtherChannel Lab
The commands related to the Layer 2 EtherChannel lab are listed in the table.

Command                            Description
show cdp neighbors                 Displays information about the directly connected neighbors of the current network device.
show ip interface brief            Displays a brief summary of configuration and interface status.
show interfaces trunk              Displays interface-trunk information of port and module.
channel-group 1 mode on            Assigns an Ethernet interface to an EtherChannel group.
show spanning-tree vlan 1          Shows whether spanning tree is running for the selected VLAN.
show interfaces fastethernet 0/5   Displays detailed information about the specified interface.
interface port-channel 1           Changes from global configuration mode to interface configuration mode.
show etherchannel port-channel     Displays the configuration of the port channel, which helps you to verify the configuration.
show running-config                Displays the active configuration file for the current network device.

Lab: Layer 2 EtherChannel
• Path to lab: ICND2→Scalable Networks
• Lab name: Layer 2 EtherChannel
• Duration: 15 minutes (approx.)

Commands Related to EtherChannel Negotiation Protocols: LACP Lab
The commands related to the EtherChannel Negotiation Protocols: LACP lab are listed in the table.

Command                                    Description
channel-protocol lacp                      Configures LACP as the EtherChannel negotiation protocol for the interface.
channel-group 1 mode passive               Assigns an Ethernet interface in passive mode to the EtherChannel group.
show interfaces port-channel 1             Displays detailed information about the specified interface.
show interfaces port-channel 1 switchport  Displays detailed information about the specified interface, including the administrative mode.
interface port-channel 1                   Changes the administrative mode to form a trunk unconditionally and forces the encapsulation to 802.1Q on the Port-Channel 1 interface of the selected switch.
  switchport trunk encapsulation dot1q
  switchport mode trunk
show etherchannel summary                  Displays the summary EtherChannel information for the channel.


Lab: EtherChannel Negotiation Protocols—LACP
• Path to lab: ICND2→Scalable Networks
• Lab name: EtherChannel Negotiation Protocols: LACP
• Duration: 10 minutes (approx.)

TOPIC C
Troubleshoot EtherChannel
In this topic, you will describe the techniques used to troubleshoot issues with EtherChannel.

EtherChannel Feature Configuration Guidelines and Restrictions

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

When EtherChannel interfaces are improperly configured, they are disabled automatically to avoid network loops and other related issues. Observe the following guidelines and be aware of the restrictions to avoid configuration problems:
• All Ethernet LAN ports on all modules support EtherChannels (a maximum of eight LAN ports per channel), even when the LAN ports are not physically contiguous or on the same module.
• You cannot run two EtherChannel protocols in one EtherChannel, so configure all LAN ports in an EtherChannel with the same EtherChannel protocol.
• Configure all LAN ports in an EtherChannel to operate in the same duplex mode and at the same speed.
• LACP does not support half-duplex. Half-duplex ports in an LACP EtherChannel are put in the suspended state.
• Enable all LAN ports in an EtherChannel. If a LAN port in an EtherChannel is shut down, it is treated as a link failure and its traffic is transferred to one of the remaining EtherChannel ports.
• If one of the LAN ports is a Switched Port Analyzer (SPAN) destination port, an EtherChannel will not be formed.
• For Layer 3 EtherChannels, assign Layer 3 addresses to the port-channel logical interface, not to the LAN ports in the channel.
• For Layer 2 EtherChannels, assign all LAN ports in the EtherChannel to the same VLAN or configure them all as trunks.
• When you configure a Layer 2 EtherChannel from trunking LAN ports, verify that all the trunks have the same trunking mode. LAN ports in an EtherChannel operate unpredictably when they are configured with different trunk modes.
• An EtherChannel supports the same allowed range of VLANs on all the LAN ports in a trunking Layer 2 EtherChannel. An EtherChannel will not be formed when the allowed VLAN ranges differ.
• LAN ports with different Spanning Tree Protocol (STP) port path costs can form an EtherChannel as long as they are otherwise compatibly configured; a difference in STP port path cost alone does not prevent the ports from bundling.
• An EtherChannel will not form when protocol filtering is set differently on the LAN ports.

Note: A maximum of 256 port-channel interfaces, numbered from 1 to 256, can be configured. When you configure an EtherChannel, the configuration that you apply to the port-channel interface affects the whole EtherChannel. When you apply configuration to the individual LAN ports, only the LAN ports to which you apply the configuration are affected.

Troubleshooting EtherChannel

A common EtherChannel problem, its causes, and its solution are listed in the following:
• Problem: Inconsistency in the EtherChannel configuration causes a loop.
• Causes: For example, the ports on one side of the EtherChannel either are not configured to be in the channel or have failed to bundle, while the ports on the other side of the EtherChannel are successfully bundled. The bundled side treats the links as one logical port, while the unbundled side treats them as separate spanning-tree ports, which can create a bridging loop until the switch places the misconfigured ports in the err-disabled state.
• Solution: Perform the following steps to find and correct the misconfiguration:
1. Execute the show interfaces status err-disabled command to determine which local ports have been disabled because of the misconfiguration.
2. Execute the show etherchannel summary command on the remote device to check the EtherChannel configuration on the remote device.
3. From the output, determine the issue and make the changes needed to correct the misconfiguration on the remote device.
4. After correcting the configuration, execute the shutdown command on the associated port-channel interface to disable the interface.
5. Wait for the interface to go down, and then execute the no shutdown command on the associated port-channel interface to re-enable it.

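The five troubleshooting steps above, carried out as one session across both switches. This is an added example and is not part of the original lab; the hostnames SW1 (the switch whose ports were err-disabled) and SW2 (the remote switch with the misconfigured members), the ports GigabitEthernet0/1 and 0/2, and the particular mismatch (an unconditional mode on facing LACP) are assumed for the example.

```ios
! Step 1 (local switch): which ports did the misconfiguration guard disable, and why?
! For this case the Reason column on IOS reads "channel-misconfig (STP)".
SW1# show interfaces status err-disabled

! Step 2 (remote switch): how does the far end see the bundle?
! Members flagged (I) are stand-alone, i.e. not configured for, or unable to join,
! the channel. In this example SW2 was left at "channel-group 1 mode on", which
! sends no negotiation frames at all, so it can never bundle with SW1's LACP "mode active".
SW2# show etherchannel summary
SW2# show running-config interface gigabitethernet 0/1

! Step 3 (remote switch): correct the member ports so that both ends use the same
! protocol (LACP here; hostnames and ports are assumed for the example).
SW2# configure terminal
SW2(config)# interface range gigabitethernet 0/1 - 2
SW2(config-if-range)# channel-group 1 mode active
SW2(config-if-range)# end

! Steps 4 and 5 (local switch): bounce the port-channel so the err-disabled members recover.
SW1# configure terminal
SW1(config)# interface port-channel 1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end

! Re-check: the err-disabled list should now be empty, Po1 should show (SU) with
! every member (P), and the port-channel should appear as a single STP port.
SW1# show interfaces status err-disabled
SW1# show etherchannel summary
SW1# show spanning-tree interface port-channel 1
```

If errdisable recovery cause channel-misconfig is configured, the ports come back on their own after the recovery interval, but the underlying mismatch must still be fixed first or they are disabled again as soon as the loop reappears.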
Commands Related to Troubleshooting EtherChannel Lab

The commands related to the Troubleshooting EtherChannel lab are listed in the table.

Command    Description
show etherchannel port-channel    Displays EtherChannel information for the port channel.
show ip interface brief    Displays the IP address and status information for the interfaces on a device.
show spanning-tree    Displays information about the state of the spanning tree.
interface range fastethernet 0/1 - 8    Configures the interfaces that fall within the specified range of interfaces.
channel-group 1 mode on    Assigns an Ethernet interface to an EtherChannel group unconditionally, without PAgP or LACP negotiation; the other end of the link must also use mode on.
show running-config    Displays the contents of the running configuration of the device.

Lab: Troubleshooting EtherChannel
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting EtherChannel
• Duration: 15 minutes (approx.)

Summary
• An EtherChannel combines individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links.
• A switch stack is identified in the network by its bridge ID and, if it is operating as a Layer 3 device, by its router MAC address.
• The stack master and the other switches in the switch stack are all stack members.
• Chassis Aggregation, also known as VSS, forms a single network element by combining a pair of switches.
• The VSL is a special link that carries control and data traffic between the two VSS chassis.
• EtherChannels can be configured manually or can be formed using PAgP or LACP.
• When EtherChannel interfaces are improperly configured, they are disabled automatically to avoid network loops and other related issues.

4 Mitigating Threats to the Access Layer

Lesson Time: 1 hour, 45 minutes

Lesson Objectives
In this lesson, you will describe the mechanisms that allow you to mitigate threats to your network from attackers. You will:
• Describe the methods to configure access and trunk interfaces.
• Describe the methods to configure IEEE 802.1x port-based authentication.
• Describe the components used to configure DHCP snooping.

Lesson Introduction
As a network administrator you need to ensure that network connectivity is available to users at all times, but you also need to ensure that proper security mechanisms are in place on the network to authenticate the users attempting to access it. These security mechanisms help you ensure that your network is protected from attackers and that the data on the network is accessed only by authenticated users.

TOPIC A
Configure Access and Trunk Interfaces
In this topic, you will describe the methods to configure access and trunk interfaces.

Native VLAN ID for Trunk Ports
• The native virtual local area network (VLAN) ID for a trunk port refers to the VLAN that carries untagged traffic on the trunk port.
• A trunk port can carry both untagged packets and 802.1Q tagged packets at the same time.
• When a default port VLAN ID is assigned to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port.
• All untagged traffic is assumed to belong to this default VLAN.
• This default VLAN is also referred to as the native VLAN ID for the trunk port.
• The trunk port sends an egressing packet whose VLAN ID equals the default port VLAN ID as untagged.
• All other egressing packets are tagged by the trunk port.
• When you have not configured a native VLAN ID, the trunk port uses the default VLAN (VLAN 1) as the native VLAN ID.

Note: The native VLAN ID numbers need to match on both ends of the trunk.

Figure 4-1: Types of packets carried by the trunk port.

Allowed VLANs
• By default, a trunk port can send traffic to and receive traffic from all VLANs.
• All VLAN IDs are allowed on each trunk.
• If you want to prevent traffic from specific VLANs from passing over the trunk, remove those VLANs from the allowed list. Later, if you need to allow traffic from a specific VLAN to pass over the trunk again, you can add the VLAN back to the list.
• If you need to partition the STP topology for the default VLAN, which is VLAN 1, remove VLAN 1 from the list of allowed VLANs.
• If you do not remove VLAN 1 from the list, because it is enabled on all ports by default, VLAN 1 may have a very large Spanning Tree Protocol (STP) topology. This might result in problems during STP convergence.
• When VLAN 1 is removed from the list of allowed VLANs, all data traffic for VLAN 1 on the port is blocked. However, control traffic continues to be sent and received on the port.

Steps to Configure Allowed VLANs for Trunking Ports
• Before configuring the allowed VLANs for the specified trunk ports, ensure that you are configuring the correct interfaces and that the interfaces are trunks.
• The steps to configure the allowed VLANs for trunking ports are:
1. In global configuration mode, use the interface <type> <slot>/<port> | port-channel <number> command to specify an interface to configure, and enter interface configuration mode.
2. Use the switchport trunk allowed vlan {<vlan-list> | all | none | add <vlan-list> | except <vlan-list> | remove <vlan-list>} command to set the allowed VLANs for the trunk interface.
The following example adds VLANs 25 to 40 to the list of allowed VLANs on the FastEthernet 0/12 trunk port.

Figure 4-2: An example to add a VLAN range to the list of allowed VLANs on the trunk port of the selected interface.

Allowed VLANs
The default setting allows all VLANs (1 to 3967 and 4048 to 4094) on the trunk interface. VLANs 3968 to 4047 are the default VLANs that are reserved for internal use. This group of reserved VLANs is configurable.
You cannot add internally allocated VLANs as allowed VLANs on trunk ports. The system returns an error if you attempt to list an internally allocated VLAN as an allowed VLAN.

Nondefault Native VLAN
• You need to manually configure the native VLAN for an 802.1Q trunking port; otherwise, the default VLAN is used as the native VLAN ID by the trunk port.
• The steps to configure the native VLAN for an 802.1Q trunking port are:
1. In global configuration mode, use the interface <type> <slot>/<port> | port-channel <number> command to specify an interface to configure, and enter interface configuration mode.
2. Use the switchport trunk native vlan <vlan-id> command to set the native VLAN for the 802.1Q trunk. The default value is VLAN 1. Valid values range from 1 to 4094, excluding the VLAN IDs of the VLANs that are reserved for internal use.

Note: The native VLAN must match on both trunk neighbors. Otherwise, the switches log a native VLAN mismatch and spanning tree blocks the port for the inconsistent VLANs.

The following example sets the native VLAN to VLAN 15 for the FastEthernet 0/4 trunk port.

Figure 4-3: An example to set a specific VLAN ID as the native VLAN for the trunk port of the
selected interface.
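The two procedures above (allowed VLANs and a nondefault native VLAN), combined into one trunk-hardening configuration and followed by the verification commands. This is an added example and is not the page's own Figure 4-2 or Figure 4-3; the hostname, the port FastEthernet0/12, the VLAN range 25-40, and the choice of VLAN 999 as a dedicated native VLAN are assumed values. Using a VLAN that no access port belongs to as the native VLAN keeps untagged frames from any access port from landing on the trunk's native VLAN, and starting the allowed list from none rather than pruning the default all list means a VLAN added later is not carried until you decide it should be.

```ios
! Trunk hardening on one switch; the neighbor must be given the same native VLAN and
! the same allowed list. Hostname, interface and VLAN numbers are assumed.
SW1# configure terminal
! VLAN 999 exists only to carry untagged frames on trunks; no access port is placed in it.
SW1(config)# vlan 999
SW1(config-vlan)# name NATIVE_UNUSED
SW1(config-vlan)# exit
SW1(config)# interface fastethernet 0/12
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
! Turn off DTP so the port cannot be negotiated into or out of trunking by a neighbor.
SW1(config-if)# switchport nonegotiate
! Move untagged traffic off VLAN 1 onto the unused VLAN.
SW1(config-if)# switchport trunk native vlan 999
! Start from an empty allowed list, then add exactly the VLANs this trunk must carry.
! (The page's Figure 4-2 adds 25-40 to the default list that already allows everything.)
SW1(config-if)# switchport trunk allowed vlan none
SW1(config-if)# switchport trunk allowed vlan add 25-40
! VLAN 1 is not in the list, so VLAN 1 data traffic is blocked on this trunk while
! CDP and STP control traffic still flows. VLAN 999 is not in the list either, so
! untagged data frames arriving on the trunk are dropped rather than bridged.
SW1(config-if)# end

! Verification: the Native vlan column should read 999 and
! "Vlans allowed on trunk" should read 25-40 for Fa0/12.
SW1# show interfaces trunk
SW1# show interfaces fastethernet 0/12 switchport
```

Apply the same native VLAN and allowed list on the neighboring switch's end of the link. If the native VLANs differ, CDP logs a %CDP-4-NATIVE_VLAN_MISMATCH message on both switches; correct whichever side is wrong rather than suppressing the message.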

Commands to Verify Trunk Interface Configuration

The commands to display access and trunk interface configuration information are listed in the table.

Command    Description
show interface    Displays the configuration of the interface.
show interface switchport    Displays information for all Ethernet interfaces, including information about access and trunk interfaces.
show interface brief    Displays information about the interface configuration.


TOPIC B
Configure IEEE 802.1x Port-Based Authentication
In this topic, you will describe the methods to configure IEEE 802.1x port-based authentication.

Authentication
• Authentication is the process of verifying the identity of the person or device accessing the Cisco switch.
• It uses a combination of the user ID and password supplied by the entity that is attempting to access the switch to establish the identity of the device or user.
• Cisco switches support both local authentication (using the local lookup database) and remote authentication (using either Remote Authentication Dial-In User Service [RADIUS] or Terminal Access Controller Access Control System Plus [TACACS+] servers).
• Authentication can use a login and password dialog or a challenge-and-response exchange.
• Authentication provides support for messaging and, depending on the security protocol you select, encryption.
• Authentication is configured by defining a named list of authentication methods and applying the list to various interfaces.
• A method list defines the types of authentication to be performed and the sequence in which they are performed.
• The method list must be applied to a specific interface before any of the defined authentication methods are performed.
• A default method list is automatically applied to all interfaces when you do not define any other method list. However, a named method list applied to an interface overrides the default method list on that interface.

RADIUS and TACACS+
RADIUS and TACACS+ servers are Authentication, Authorization, and Accounting (AAA) servers.
All authentication methods, other than local, line password, and enable authentication, must be defined through AAA. AAA is pronounced "Triple A."

Note: You will learn more about these two servers and about AAA servers later in this course.

Method List
• A method list is a sequential list that defines the authentication methods used to authenticate a user.
• A method list allows you to designate one or more security protocols to be used for authentication. This provides a backup system for authentication if the initial authentication method fails to respond.
• Cisco IOS software uses the first method listed to authenticate users.
• When that method does not respond, Cisco IOS software selects the next authentication method in the method list. This process is repeated until there is successful communication with a listed authentication method or the method list is exhausted, in which case authentication fails.


Authentication by Cisco IOS Software

Cisco IOS software attempts authentication with the next listed method only when it receives no response from the previous method. If authentication fails at any point in this cycle because the security server or local username database responds by denying the user access, the authentication process stops and no other authentication methods are attempted.

Authorization
• Authorization is the process of assembling a set of attributes that describe the actions the user is authorized to perform, and then providing suitable access to the user.
• Authorization provides a method for remote access control and includes one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.
• Cisco switches provide authorization by using the attributes that are downloaded from AAA servers.
• Remote security servers, such as RADIUS and TACACS+, grant specific rights to users by associating attribute-value (AV) pairs with the appropriate user. The AV pairs define the rights of that user.
• All authorization methods can be defined only through AAA.

Note: Similar to authentication, authorization is configured by defining a named list of authorization methods, and then applying the list to the various interfaces.

Accounting
• Accounting provides a method for collecting information, logging the information locally, or sending the information to a remote AAA server for billing, auditing, and reporting.
• Accounting tracks and maintains a log of every management session used to access the Cisco switch.
• The information collected by accounting can be used to generate reports for troubleshooting and auditing purposes.
• Accounting enables tracking of the services that users are accessing as well as the amount of network resources that they are consuming.
• When you activate AAA accounting, the network access server reports user activity in the form of accounting records to the RADIUS or TACACS+ security server, depending on the security method you implement.
• Each accounting record comprises accounting AV pairs and is stored on the access control server.
• All accounting methods can be defined only through AAA.

Note: Cisco IOS software provides support for authentication, authorization, and accounting separately. This allows you to configure authentication and authorization even without configuring accounting. Similar to authentication and authorization, accounting is configured by defining a named list of accounting methods, and then applying the list to various interfaces.
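The method-list behavior described in the Authentication, Authorization, and Accounting sections above, as one AAA configuration. This is an added example and is not from the original page; the server name ISE-1, its address 10.1.1.10, the shared secret, the group name ISE, the local username, and the list name CONSOLE are assumed values.

```ios
! AAA with RADIUS first and the local database as a fallback. Server address, key,
! group name and the local username are assumed for this example.
Switch# configure terminal
Switch(config)# aaa new-model
! A local account that still works when every RADIUS server is unreachable.
Switch(config)# username admin privilege 15 secret StrongLocalPassw0rd
Switch(config)# radius server ISE-1
Switch(config-radius-server)# address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key RadiusSharedSecret
Switch(config-radius-server)# exit
Switch(config)# aaa group server radius ISE
Switch(config-sg-radius)# server name ISE-1
Switch(config-sg-radius)# exit
! Authentication: the default list applies to every line that has no named list.
! Order matters: "local" is consulted only if no RADIUS server responds. A RADIUS
! reject ends the attempt and is never retried against the local database.
Switch(config)# aaa authentication login default group ISE local
! Named list for the console so a lost RADIUS path cannot lock you out of the box.
Switch(config)# aaa authentication login CONSOLE local
Switch(config)# line console 0
Switch(config-line)# login authentication CONSOLE
Switch(config-line)# exit
! Authorization and accounting are configured separately, in the same list style.
Switch(config)# aaa authorization exec default group ISE local
Switch(config)# aaa accounting exec default start-stop group ISE
! 802.1x supplicants are authenticated by RADIUS only; there is no local EAP method.
Switch(config)# aaa authentication dot1x default group ISE
Switch(config)# end

! Check server state and confirm the switch can actually authenticate against it
! before relying on the list (credentials here are a throwaway test account).
Switch# show aaa servers
Switch# test aaa group ISE testuser testpass new-code
```

Because "local" is a fallback for no response rather than for a reject, a typo in the shared secret shows up as a timeout on the switch side, and the login then silently succeeds against the local database; the show aaa servers counters (dead time, timeouts) are the quickest way to notice that this is what is happening.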
IEEE 802.1x Port-Based Authentication
• The Institute of Electrical and Electronics Engineers (IEEE) 802.1x port-based authentication standard defines a client-server-based access control and authentication protocol that prevents clients from connecting to a local area network (LAN) through publicly accessible ports unless the clients are authenticated.
• The authentication server authenticates each client connected to a switch port, and only then does the switch make available any services offered by the switch or the LAN.
• IEEE 802.1x port-based authentication allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and STP traffic through the port to which the client is connected until the client is authenticated. After successful authentication of the client, normal traffic is allowed to pass through the port.

Figure 4-4: Types of port traffic permitted even before client authentication.

Roles of Devices in IEEE 802.1x Port-Based Authentication

Each device has a specific role to play in IEEE 802.1x port-based authentication:
• Client (Workstation): In this role, the device or workstation requests access to the LAN and switch services and responds to requests from the switch.
• Authentication Server: In this role, the device performs the actual authentication of the client. This server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. The switch acts as the proxy, so the authentication service is transparent to the client.
• Authenticator (Edge Switch or Wireless Access Point): In this role, the device controls physical access to the network according to the authentication status of the client. The authenticator acts as an intermediary (proxy) between the client and the authentication server. It requests identity information from the client, verifies the received information with the authentication server, and relays a response to the client.

Note: In the IEEE 802.1x standard, the client is the supplicant or the unauthorized device, and the switch is the authenticator.

Figure 4-5: The device roles used for the IEEE 802.1x port-based authentication in a Cisco network environment.

NAD and NAS

The Authenticator (Edge Switch or Wireless Access Point) is also referred to as the Network Access Device (NAD). A Network Access Server (NAS) refers to each access point that uses the local authenticator.

Authentication Process
When you have enabled 802.1x port-based authentication and the client runs 802.1x-compliant client software, the following sequence of events is possible:
• If the client identity is valid and the 802.1x authentication is successful, the switch grants the client access to the network.
• If 802.1x authentication times out while waiting for an EAPOL message exchange and the Media Access Control (MAC) authentication bypass option is enabled, the switch can use the client MAC address for authorization.
• If the client MAC address is valid and the authorization is successful, the switch grants the client access to the network.
• If the client MAC address is invalid and the authorization is not successful, the switch assigns the client to a guest VLAN that provides limited services, when you have configured a guest VLAN.
• If the switch receives an invalid identity from an 802.1x-capable client and a restricted VLAN is specified, the switch can assign the client to a restricted VLAN that provides limited services.
• If the RADIUS authentication server is not available (down) and you have enabled the inaccessible authentication bypass option, the switch grants the client access to the network by placing the port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN.

Note: The inaccessible authentication bypass option is also referred to as critical authentication or the AAA fail policy.

Authentication Initiation and Message Exchange
Authentication initiation and message exchange may involve the following actions:
• Either the switch or the client can initiate authentication during 802.1x authentication.
• You can enable authentication on a port by using the authentication port-control auto or dot1x port-control auto interface configuration command.
• When you enable authentication on the port using either of these commands, the switch initiates authentication when the link state changes from down to up, or periodically as long as the port remains up and unauthenticated.
• The switch sends an Extensible Authentication Protocol (EAP)-request/identity frame to the client to request its identity.
• On receiving the frame, the client responds with an EAP-response/identity frame. However, if during boot-up the client did not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.
• When the client provides its identity to the switch, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication either succeeds or fails. When authentication is successful, the switch port becomes authorized. If authentication fails, authentication can be retried, the port may be assigned to a VLAN that provides limited services, or network access may not be granted.

Ports in Authorized and Unauthorized States
• During 802.1x authentication, the switch grants or denies a client access to the network depending on the switch port state.
• The port starts in the unauthorized state. When a port that is not configured as a voice VLAN port is in this state, it disallows all ingress and egress traffic other than 802.1x authentication traffic and CDP and STP packets.
• The port changes to the authorized state when the client is successfully authenticated, and then allows all traffic for the client to flow normally.
• When the port is configured as a voice VLAN port, it allows voice over IP (VoIP) traffic and 802.1x protocol packets even before the client is successfully authenticated.
• The switch requests the identity of a client even if the client that connects to an 802.1x port does not support 802.1x authentication. If the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
• When an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client initiates the authentication process by sending an EAPOL-start frame. If no response is received, the client resends the request a fixed number of times. If there is still no response, the client begins sending frames as if the port were in the authorized state.

Commands and Keywords to Control the Port Authorization State

• The dot1x port-control interface configuration command allows you to control the port authorization state by using the following keywords:
• force-authorized: Disables 802.1x authentication and causes the port to change to the authorized state without requiring any authentication exchange. The port sends and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.
• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.
• auto: Enables 802.1x authentication and causes the port to begin in the unauthorized state. This setting allows only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received.
• The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server.
• The switch uses the client MAC address to uniquely identify each client that is attempting to access the network.
up

IEEE 802.1x Authentication and Switch Stacks (Optional)

• When you add a switch to or remove a switch from a switch stack, 802.1x authentication remains unaffected as long as the IP connectivity between the RADIUS server and the stack is intact. Authentication is also not affected if you remove the stack master from the switch stack.
• When IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is removed or fails, the following events may occur:
• Ports that are already in the authenticated state and do not have periodic re-authentication enabled remain in the authenticated state. These ports do not require communication with the RADIUS server.
• Ports that are already authenticated and have periodic re-authentication enabled (with the dot1x re-authentication global configuration command) fail the authentication process when re-authentication is initiated. The ports return to the unauthenticated state during the re-authentication process. These ports require communication with the RADIUS server.
• Any ongoing authentication fails immediately because there is no server connectivity.
• When a switch that had failed earlier comes up and rejoins the switch stack, the authentication status depends on the boot-up time and whether connectivity to the RADIUS server can be re-established by the time authentication is attempted. If the switch is booted and connectivity to the RADIUS server is re-established before authentication is attempted, authentication may succeed. Otherwise, authentication may fail.

Note: Ensure that there is a redundant connection to the RADIUS server in order to avoid loss of connectivity. For example, have one connection to the stack master and another to a stack member. This ensures that the switch stack continues to have connectivity to the RADIUS server even if the stack master fails.

IEEE 802.1x Host Mode

An 802.1x port can be configured for single-host or for multiple-hosts mode.

• Single-Host Mode:
• In this mode, you can connect only one client to the 802.1x-enabled switch port. The switch
will detect the client by sending an EAPOL frame when the port link state changes to the up
state. If the client leaves or is replaced with another client, the switch changes the port link
state to down and the port returns to the unauthorized state.
• Multiple-Hosts Mode:
• In this mode, multiple hosts can be attached to a single 802.1x-enabled port. All the attached
clients will be granted network access as soon as any one of them is authorized. If the port
becomes unauthorized due to a failed re-authentication or the receipt of an EAPOL-logoff
message, the switch will deny network access to all the attached clients. In this topology, the
wireless access point will be responsible for authenticating the clients attached to it, and will
also act as a client to the switch.
• When this mode is enabled, you will be able to use 802.1x authentication to authenticate the
port and port security to manage network access for all MAC addresses, including that of the
client.

IEEE 802.1x Accounting

• The 802.1x standard, which defines how users are authorized and authenticated for network
access, does not keep track of network usage.
• By default, 802.1x accounting is disabled. You need to enable 802.1x accounting to monitor
events on the 802.1x-enabled ports. These events include:
• Successful user authentication.
• Logging off by the user.
• Link changing to down state.
• Successful re-authentication of the user.
• Failure of re-authentication of the user.
• The switch does not log 802.1x accounting information itself; it sends the information to the
RADIUS server. However, the RADIUS server must be configured to log the accounting
messages.

IEEE 802.1x Accounting Attribute-Value Pairs

• The information sent to the RADIUS server is represented in the form of attribute-value (AV)
pairs.
• The AV pairs can be used to provide data for different applications. For example, a billing
application may require information that is carried in a RADIUS packet in either the Acct-
Input-Octets or the Acct-Output-Octets attribute.
• When a switch is configured for 802.1x accounting, it will automatically send the AV pairs.
• A switch can send three types of RADIUS accounting packets. These are:
• START: This packet type is sent when a new user session is started.
• INTERIM: This packet type is used for sending updates during an existing session.
• STOP: This packet type is sent when a session is terminated.

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM

Figure 4-6: The types of RADIUS accounting packets.

IEEE 802.1x Authentication with VLAN Assignment

• 802.1x authentication with VLAN assignment is supported by Cisco switches.
• After successful 802.1x authentication of a port, the RADIUS server will send the VLAN
assignment that is used to configure the switch port.
• The RADIUS server database maintains the username-to-VLAN mappings and assigns the
VLAN based on the username of the client connected to the switch port.
• This feature allows you to limit network access to a limited number of users.
• In Cisco IOS Release 12.2(37)SE, voice device authentication is supported with multidomain
host mode.
• In Cisco IOS Release 12.2(40)SE and later, if a voice device is authorized and the RADIUS
server returns an authorized VLAN, the voice VLAN on the port is configured to send and
receive packets on the assigned voice VLAN.

Multidomain host authentication will be covered in detail later in this lesson.

IEEE 802.1x Authentication with Per-User ACLs

• You can provide different levels of network access and service to an 802.1x-authenticated user
by enabling per-user access control lists (ACLs). When the RADIUS server authenticates a user
connected to an 802.1x port, it will retrieve the ACL attributes based on the user identity and
send them to the switch.
• The switch will apply the attributes to the 802.1x port for the duration of the user session.
• The switch will remove the per-user ACL configuration when the session is complete, if the
authentication fails, or if a link goes down.
• The switch will not store the RADIUS-specified ACLs in the running configuration. The switch
removes the ACL from the port when the port is unauthorized.
• You will be able to configure router ACLs and input port ACLs on the same switch. However, a
port ACL will take precedence over a router ACL.
• When you apply an input port ACL, it will take precedence over an input router ACL applied
to the VLAN interface. The incoming packets received on the port to which a port ACL is
applied will be filtered by the port ACL. The incoming routed packets received on other ports
will be filtered by the router ACL.
• The outgoing routed packets will be filtered by the router ACL.

IEEE 802.1x Authentication with Guest VLAN

• A guest VLAN configured for each 802.1x port on a switch will allow you to provide limited
services to clients. For example, these services may be used to allow clients to upgrade their
system for 802.1x authentication by enabling the download of the 802.1x client software. These
services can be useful to hosts that are not IEEE 802.1x capable.
• Guest VLANs are supported on 802.1x ports in both single-host and multiple-hosts modes.
• When the guest VLAN is enabled on an 802.1x port, the switch will assign clients to the guest
VLAN if the switch does not receive a response to its EAP request/identity frame or when the
client does not send EAPOL packets.
• The EAPOL packet history is maintained by the switch. When the switch detects an EAPOL
packet on the interface during the lifetime of the link, it can determine that the device connected
to that interface is an IEEE 802.1x-capable supplicant or an unauthorized device, and the
interface will not change to the guest VLAN state.
• If the interface link goes down, the EAPOL history will be cleared. If no EAPOL packet is
detected on the interface, the interface will change to the guest VLAN state.

When the switch port is moved to the guest VLAN, any number of 802.1x-incapable clients are
allowed access. When an 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port will be put into the unauthorized state in the user-configured access VLAN,
and authentication will be restarted.

IEEE 802.1x Authentication with Restricted VLAN (Optional)

• A restricted VLAN, also referred to as an authentication failed VLAN, can be configured for each
IEEE 802.1x port on a switch stack or a switch. This will be used to provide limited services to
clients that cannot access the guest VLAN.
• These clients are 802.1x-compliant, but they cannot access another VLAN because they have
failed the authentication process.
• You can use a restricted VLAN to allow access to a limited set of services for users without valid
credentials in an authentication server (typically, visitors to an enterprise). The administrator will
be able to control the services available on the restricted VLAN.
• In the absence of this feature, the client will attempt and fail authentication indefinitely, and the
switch port will remain in the spanning-tree blocking state.
• This feature allows you to configure the switch port to be placed in the restricted VLAN state
after a specified number of failed authentication attempts, or after the default of three attempts.

You need to configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to
provide the same services to both types of guest users and the unauthenticated users.

IEEE 802.1x Authentication with Inaccessible Authentication Bypass (Optional)

• When the switch cannot reach the configured RADIUS servers or new hosts cannot be
authenticated, you need to use the inaccessible authentication bypass feature, which is also
referred to as the critical authentication or the AAA fail policy.
• The switch can be configured to connect the new hosts that cannot be authenticated to critical
ports.
• When a new host attempts to connect to a critical port, that host will be moved to a user-
specified access VLAN or the critical VLAN. The administrator will give limited authentication
to the hosts.
• When the switch tries to authenticate a host connected to a critical port, it will check the status
of the configured RADIUS server. Only when the server is available can the switch authenticate
the host. However, when all the RADIUS servers are unavailable, the switch will grant network
access to the host and put the port in the critical-authentication state. This state is a special case
of the authentication state.

IEEE 802.1x Authentication with Voice VLAN Ports (Optional)

• A voice VLAN port refers to a special access port that is associated with two VLAN identifiers:
• Voice VLAN Identifier (VVID):
• Carries voice traffic to and from the IP phone. It is also used to configure the IP phone that
is connected to the port.
• Port VLAN ID (PVID):
• Carries data traffic to and from the workstation connected to the switch through the IP
phone. It is the native VLAN of the port.
• The VVID is used by the IP phone for its voice traffic, irrespective of the authorization state of
the port. This enables the phone to work independently of IEEE 802.1x authentication.
• In single-host mode, only the IP phone is allowed on the voice VLAN.
• In multiple-hosts mode, after a supplicant is authenticated on the PVID, additional clients can
send traffic on the voice VLAN.
• The supplicant authentication can affect both the PVID and the VVID when multiple-hosts
mode is enabled.
IEEE 802.1x Authentication with Port Security

• Port security must be configured on the port using the switchport port-security interface
configuration command.
• Port security can be configured on an IEEE 802.1x port in either single-host or multiple-hosts
mode.
• When both port security and IEEE 802.1x authentication are enabled on a port, IEEE 802.1x
authentication will authenticate the port, and port security will manage network access for all
MAC addresses, including that of the client.
• You can then limit the number or group of clients that have access to the network through an
IEEE 802.1x port.
IEEE 802.1x Authentication with WoL (Optional)

• IEEE 802.1x authentication with Wake-on-LAN (WoL) is a feature that allows dormant PCs
to be powered on when the switch receives a specific Ethernet frame that is known as the magic
packet.
• This feature can be used in environments where you or other administrators need to connect to
systems that have been powered down.
• The IEEE 802.1x port will become unauthorized when a host that uses WoL is attached
through an IEEE 802.1x port and the host is powered off.
• In such a situation, the port will be able to only receive and send EAPOL packets, and the WoL
magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the
switch port will not be opened.
• When the switch uses IEEE 802.1x authentication with WoL, it will forward the data traffic,
including magic packets, to unauthorized IEEE 802.1x ports.
• When the port is unauthorized, the switch will continue to block ingress traffic other than
EAPOL packets. While the host will be able to receive packets, it cannot send packets to other
devices in the network.
IEEE 802.1x Authentication with MAC Authentication Bypass

• When you enable the MAC authentication bypass feature on an IEEE 802.1x port, the switch
will use the MAC address as the client identity.
• The authentication server maintains a database of client MAC addresses for which network
access is allowed. When the switch detects a client on an IEEE 802.1x port, it will wait for an
Ethernet packet from the client. The switch will send a RADIUS Access-Request frame with a
username and password based on the MAC address to the authentication server. If the
authorization is successful, the switch will grant the client access to the network.

If the authorization fails, the switch will assign the port to the guest VLAN that has been
configured.

Figure 4-7: The flow of data in a network environment that uses the MAC authentication bypass
feature.
NAC Layer 2 IEEE 802.1x Validation (Optional)

Network Admission Control (NAC) Layer 2 IEEE 802.1x validation will permit the following tasks.
You can:
• Download the Termination-Action RADIUS and Session-Timeout RADIUS attributes from
the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-
Timeout RADIUS attribute, and get an access policy for the client from the RADIUS server.
• Set the action to be performed when the switch uses the Termination-Action RADIUS
attribute and tries to re-authenticate the client. When the value is DEFAULT or when the value
is not set, the session will end. When the value is RADIUS-Request, the re-authentication process
will be started.
• Use the show dot1x privileged EXEC command to check whether 802.1X authentication has
been configured on the device.
• Configure the secondary private VLANs as guest VLANs.
MDA

• Multidomain authentication (MDA) is a feature supported by switches that allows both a data
device and a voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same
switch port. The port is divided into a data domain and a voice domain.
• For best results, it is recommended that a voice device is authenticated before a data device is
authenticated on an MDA-enabled port.
• Cisco IP phones send a Cisco Discovery Protocol (CDP) attribute that will notify the switch of
changes in the link state of the attached client's port.
• MDA does not enforce the order of device authentication.
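The 802.1x features described in the sections above (host mode, accounting, guest, restricted and critical VLANs, port security, MAC authentication bypass and multidomain authentication) combined on two Catalyst access ports, as an added configuration example that is not part of the manual or the lab. The VLAN numbers, RADIUS server address and key are placeholders, and the `authentication ...` interface commands assume a Catalyst IOS release that supports that command family (12.2(50)SE or later).

```cisco
! Added example, not from the ICND2 manual. VLAN numbers, server address
! and key are placeholders. Interface syntax assumes the Catalyst
! "authentication ..." command family (IOS 12.2(50)SE and later).
!
! --- Global AAA, RADIUS and 802.1x setup ---
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! VLANs used below: data, voice, guest, restricted (auth-fail) and critical
vlan 10
 name DATA
vlan 20
 name GUEST
vlan 30
 name AUTH-FAIL
vlan 40
 name CRITICAL
vlan 50
 name VOICE
!
! --- Port 1: single host, 802.1x first, MAB as the second method ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port security manages which MAC addresses may use the authenticated port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Switch acts as the 802.1x authenticator; MAB is tried if 802.1x fails
 dot1x pae authenticator
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 ! Guest VLAN: no EAPOL frames seen and no reply to EAP-Request/Identity
 authentication event no-response action authorize vlan 20
 ! Restricted VLAN: 802.1x-capable client that fails three attempts
 authentication event fail retry 3 action authorize vlan 30
 ! Inaccessible authentication bypass: critical VLAN while RADIUS is dead,
 ! re-initialise the session when a server comes back
 authentication event server dead action authorize vlan 40
 authentication event server alive action reinitialize
 ! Periodic re-authentication using the RADIUS Session-Timeout attribute
 authentication periodic
 authentication timer reauthenticate server
 spanning-tree portfast
!
! --- Port 2: IP phone plus PC, multidomain authentication (one data and
! --- one voice domain on the same port) ---
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 dot1x pae authenticator
 mab
 authentication order dot1x mab
 authentication port-control auto
 authentication host-mode multi-domain
 authentication event no-response action authorize vlan 20
 spanning-tree portfast
!
! --- Verification (privileged EXEC) ---
! show dot1x interface GigabitEthernet0/1 details
! show authentication sessions interface GigabitEthernet0/2
! show aaa servers
```

The accounting line produces the START, INTERIM and STOP records described earlier only if the RADIUS server is also configured to log them.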


Figure 4-8: A Cisco network environment that uses MDA.
WebAuth

• Web authentication (WebAuth) is a Layer 3 security mechanism that protects the data during any
web-based transaction. This type of authentication will work on any network node that runs a
web browser. It can also be combined with any pre-shared key (PSK) security (Layer 2 security
policy).
• You can set MAC authentication bypass and 802.1x as the primary or secondary authentication
methods, and set web authentication as the fallback method to be used if either or both of those
authentication attempts fail.
• For non-802.1x devices, in addition to MAC authentication bypass, you can use web
authentication as the fallback method for authenticating an individual host, and you can
authenticate different hosts by using different methods on a single port.
• You will also be able to download ACLs during web authentication.
• You can use the authentication fallback <fallback-profile> command to configure a
port to use web authentication as a fallback method for clients that do not support 802.1x
authentication.
Commands Related to AAA Lab

The commands related to the AAA lab are listed in the table.

Command                                     Description
interface <interface_type> <slot>/<port>    Configures the appropriate IP address using the
ip address <ip_address> <subnet_mask>       default encapsulation of High-Level Data Link
clock rate <clock_rate>                     Control (HDLC) and the required clock rate on
no shutdown                                 the selected interface.
router rip                                  Configures Routing Information Protocol
version 2                                   version 2 (RIPv2) to advertise the required
network <network_address>                   network.
aaa new-model                               Enables AAA on the router.
tacacs-server host <host_address>           Enables the router to use a TACACS+ server
tacacs-server key <shared key set>          with a shared key set and the required timeout.
tacacs-server timeout <timeout_in_seconds>
aaa authentication ppp <rule_name>          Creates a new AAA rule for Point-to-Point
tacacs local                                Protocol (PPP) authentication.
encapsulation ppp                           Enables PPP encapsulation.
ppp authentication pap <rule_name>          Specifies PPP Password Authentication Protocol
                                            (PAP) authentication using the required rule
                                            name on the selected interface.
ppp pap sent-username <user_name>           Configures the PAP sent user name with a
password <password>                         password.
ppp authentication pap                      Specifies PAP authentication for the selected
                                            interface.
show ip interface brief                     Verifies the state of the interface.
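The commands in the table above applied in order on one router, as an added example that is not the lab's own configuration. The interface name, addresses, TACACS+ server address, keys and user names are placeholders, and the method list is written with the full IOS keywords `group tacacs+ local` for the `tacacs local` entry in the table.

```cisco
! Added example, not from the ICND2 lab. Interface, addresses, server
! address, keys and user names are placeholders.
!
! Step 1: bring up the serial link with the default HDLC encapsulation.
! The clock rate is needed only on the DCE side of a back-to-back cable.
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
 no shutdown
!
! Step 2: RIPv2 advertising the WAN link and the LAN behind the router.
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
!
! Step 3: enable AAA and define the TACACS+ server, shared key and timeout.
aaa new-model
tacacs-server host 192.168.10.50
tacacs-server key EXAMPLE-SHARED-KEY
tacacs-server timeout 10
!
! Step 4: PPP authentication rule. TACACS+ is tried first; the local
! database is used only if the server does not answer, not if it rejects
! the peer. The local entry must match the user name the peer sends.
username R2 password EXAMPLE-LOCAL-PW
aaa authentication ppp PPP-AUTH group tacacs+ local
!
! Step 5: switch the link to PPP, require PAP from the peer using the rule,
! and set the user name/password this router sends when the peer asks.
interface Serial0/0/0
 encapsulation ppp
 ppp authentication pap PPP-AUTH
 ppp pap sent-username R1 password EXAMPLE-PAP-PW
!
! Verification (privileged EXEC)
! show ip interface brief      -> Serial0/0/0 "up / up" once PAP succeeds;
!                                 "up / down" means LCP or PAP is failing
! debug ppp authentication     -> PAP request/ack exchange with the peer
! show tacacs                  -> server reachability and packet counters
```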

Lab: AAA

• Path to lab: ICND2→Device Hardening
• Lab name: AAA
• Duration: 15 minutes (approx.)

TOPIC C
Configure DHCP Snooping
In this topic, you will describe the components used to configure DHCP snooping.

DHCP Snooping

DHCP snooping is a security feature that acts similar to a firewall between untrusted hosts and
trusted Dynamic Host Configuration Protocol (DHCP) servers.

• DHCP Snooping:
• Validates DHCP messages that are received from untrusted sources and filters out the invalid
messages.
• Implements rate limits on DHCP traffic from trusted and untrusted sources.
• Builds and manages the DHCP snooping binding database that contains information about
untrusted hosts with leased IP addresses.
• Uses the information from the DHCP snooping binding database to validate subsequent
requests from untrusted hosts.

Information in the DHCP snooping binding database is also used by other security features
such as Dynamic Address Resolution Protocol Inspection (DAI).

Figure 4-9: DHCP snooping applied in a Cisco network environment.


DHCP Snooping and VLANs

By default, DHCP snooping is in an inactive state. DHCP snooping can be enabled on a per-VLAN
basis. It can be enabled on a single VLAN or a range of VLANs.

Implementation of DHCP Snooping

The DHCP snooping feature is implemented in the software on a Route Processor (RP). This
ensures that all DHCP messages for the VLANs that are currently enabled are intercepted by the
priority flow control (PFC) and then directed to the RP for processing.

Trusted and Untrusted Sources

The DHCP snooping feature will help you determine whether traffic sources are trusted or
untrusted.

• Trusted Sources:
• In an enterprise network, trusted sources are the devices that are under your administrative
control. The devices that are trusted sources include routers, switches, and servers.
• In the switch, you need to indicate that a source is trusted by configuring the trust state of the
switch interface that connects to it.
• Untrusted Sources:
• Untrusted sources are devices that are beyond the firewall or outside your network. Generally,
host ports and unknown DHCP servers are treated as untrusted sources.
• In a service provider environment, any device that is outside the service provider network,
such as a customer switch, is considered an untrusted source. Also, the host ports are
considered untrusted sources.
• Traffic attacks or other hostile actions may be initiated by an untrusted source. The DHCP
snooping feature allows you to filter messages and apply rate limits to traffic that originates
from untrusted sources and prevent such attacks.

You must connect all DHCP servers to the switch through trusted interfaces for DHCP snooping
to function properly. This is because only trusted interfaces are used to forward untrusted DHCP
messages.
Spurious DHCP Server

A spurious DHCP server refers to a DHCP server that is active on your network without your
knowledge and is running on an untrusted port. This server refers to any piece of equipment that is
loaded with a DHCP server enabled. You need to send dummy DHCPDISCOVER packets out to all
the DHCP servers so that you receive a response back to the switch. You can use this response to
detect spurious DHCP servers.

Default Trust State

All the devices are in an untrusted state by default, and you need to configure DHCP server
interfaces as trusted. You need to configure other interfaces as trusted if you need to connect them
to devices such as switches or routers within your network. Usually, you need not configure host
port interfaces as trusted.
DHCP Snooping Binding Database

• This database is dynamically built and maintained by the DHCP snooping feature using the
information extracted from the intercepted DHCP messages.
• The DHCP snooping binding database contains an entry for each untrusted host with a leased IP
address, if DHCP snooping is enabled for the VLAN with which the host is associated.
• This database does not contain entries for hosts that are connected using trusted interfaces.
• Each entry in this database contains the MAC address of the host, the leased IP address, the
lease time, the binding type, the VLAN number, and the interface information associated with
the host.
• When the switch receives specific DHCP messages, the DHCP snooping feature updates the
database.
• For example, when the switch receives a DHCPACK message from the server, the DHCP snooping
feature adds an entry to the database. This entry will be removed from the database by the
feature when the switch receives a DHCPRELEASE message from the host or when the IP
address lease expires.

The DHCP snooping binding database is also called the DHCP snooping binding table.

DHCP Snooping Database Agent

• This agent allows you to retain the bindings across reloads.
• In the absence of this agent, the bindings established by the DHCP snooping feature will be lost
upon reload, along with the connectivity.
• The DHCP snooping database agent stores the bindings within a file at a configured location.
• When the switch is reloaded, it will read the file to build the database for the bindings.
• The switch writes to the file as the database changes to keep the file current.
• Each entry in the file is tagged with a checksum, which is used to validate the entries each time
the file is read. On the first line of the file, the <initial-checksum> entry helps distinguish
entries associated with the latest write from entries that are associated with a previous write.

DHCP Snooping Option-82

• When you enable the DHCP snooping option-82 feature on the switch, a subscriber device will
be identified by the switch port through which it connects to the network, in addition to its MAC
address. Multiple hosts on the subscriber LAN that are connected to the same port on the access
switch can be uniquely identified.
• When you enable the DHCP snooping information option-82 on the switch, the following
sequence of events occurs:
1. The host (DHCP client) generates a DHCP request and then broadcasts the request on the
network.
2. When the switch receives the DHCP request, it will add the option-82 information to the
packet.
3. If you have enabled IEEE 802.1X port-based authentication, the switch will add the host's
802.1X authenticated user identity information (the RADIUS attributes suboption) to the
packet.
4. If you have configured the IP address of the relay agent, the switch will add the IP address to
the DHCP packet.
5. The switch forwards the DHCP request that includes the option-82 field to the DHCP
server.
6. The DHCP server will receive the packet. If the server can support the option-82 feature, it
will be able to use the remote ID, or the circuit ID, or both to assign IP addresses. The server
will also be able to implement policies, such as restricting the number of IP addresses that can
be assigned to a circuit ID or single remote ID.
7. The DHCP server will then echo the option-82 field in the DHCP reply.
8. The DHCP server will unicast the reply to the switch for requests that were relayed to the
server by the switch. The server will broadcast the reply when the client and server are on the
same subnet.
9. The switch will inspect the remote ID and possibly the circuit ID fields to verify that it
originally inserted the option-82 data.
10. The switch will remove the option-82 field and forward the packet to the switch port that
connects to the DHCP client that sent the DHCP request.

Option-82 Information

The option-82 information will contain the switch MAC address (the remote ID suboption). It will
also include the port identifier, vlan-mod-port, from which the packet is received (the circuit ID
suboption).
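The DHCP snooping elements described in this topic (per-VLAN enablement, trusted and untrusted interfaces, rate limiting, the database agent and option-82 insertion) on one Catalyst access switch, as an added example that is not the manual's or a lab's own configuration. VLAN numbers, interface names, the rate limit and the database file name are placeholders.

```cisco
! Added example, not from the ICND2 manual. VLAN numbers, interfaces,
! rate limits and the database file name are placeholders.
!
! DHCP snooping is inactive by default: enable it globally, then per VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Option-82 (remote ID = switch MAC, circuit ID = vlan-mod-port) is inserted
! by default once snooping is on; stating it keeps the intent visible.
ip dhcp snooping information option
!
! Database agent: write the binding table to a file on local flash so the
! bindings (and DAI's view of them) survive a reload. write-delay limits
! how often the file is rewritten after a change, in seconds.
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping database write-delay 30
!
! Let a port that was err-disabled for exceeding the rate limit recover.
errdisable recovery cause dhcp-rate-limit
!
! Uplink towards the real DHCP server is the only trusted source. Server
! messages (OFFER/ACK/NAK) are accepted only from trusted interfaces, so a
! spurious server on a host port is dropped.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Host ports keep the default untrusted state; cap client DHCP traffic at
! 10 packets per second so a flooding host cannot exhaust the RP.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Verification (privileged EXEC)
! show ip dhcp snooping           -> enabled VLANs, option-82 state, trust/rate per port
! show ip dhcp snooping binding   -> MAC, IP, lease time, type, VLAN, interface
! show ip dhcp snooping database  -> agent URL, last write, checksum status
! show ip dhcp snooping statistics
```

Bindings appear only for hosts on untrusted ports in VLANs 10 and 20, and an entry is removed on DHCPRELEASE or lease expiry, as the binding database section describes.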

Summary

Key Points
• When a default port VLAN ID is assigned to the trunk port, all untagged traffic will travel on the
default port VLAN ID for the trunk port.
• By default, a trunk port will be able to send traffic to and receive traffic from all VLANs.
• You need to manually configure the native VLAN for an 802.1Q trunking port; otherwise, the
default VLAN will be used as the native VLAN ID by the trunk port.
• Cisco switches support both local authentication (using the local lookup database) and remote
authentication (using either RADIUS or TACACS+ servers).
• A method list must be used to define the types of authentication to be performed and the
sequence in which the authentication will be performed.
• Authentication uses a combination of the user ID and password specified by the entity that is
attempting to access the switch in order to establish the identity of the devices or users.
• Authorization is the process of assembling a set of attributes that describe the actions the user is
authorized to perform and then providing suitable access to the user.
• Accounting tracks and maintains a log of every management session used to access the Cisco
switches.
• An 802.1x port can be configured for single-host or for multiple-hosts mode.

D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Lesson 4: Mitigating Threats to the Access Layer |
5 Configuring
Infrastructure Services

Lesson Time: 4 hours, 40 minutes

Lesson Objectives

In this lesson, you will configure infrastructure services. You will:
• Describe the features of HSRP.
• Describe the basic features of cloud services.
• Describe the methods to configure traffic filtering using access lists.
• Describe the methods to troubleshoot ACLs.
• Describe the methods to configure VRRP.

Lesson Introduction

As a network administrator, you may need to ensure that the routers are always available for the
users while being able to control the data traffic that is routed through your network.
Further, you may need to utilize cloud services that are supported in a Cisco environment.
Before you attempt to deploy these additional features in your network, which are part of the
infrastructure services, you need to be fully aware of their characteristics to be able to derive
the optimum benefit from such deployments.

TOPIC A
Configure HSRP
In this topic, you will describe the features of HSRP.

HSRP

• Hot Standby Router Protocol (HSRP) is a First Hop Redundancy Protocol (FHRP) that is
designed to provide transparent failover of the first-hop IP device or the default router.
• HSRP is a Cisco proprietary protocol.
• The first hop redundancy provides multiple routes to the default router.
• Provides high network availability by allowing first-hop routing redundancy for IP hosts on
networks configured with a default gateway IP address.
• Used in a group of routers and allows you to select an active device and a standby device.

Within a group of device interfaces, the active device is used as the device of choice for routing
packets. The standby device refers to the device that is designated to take over the role of the
active device when either the active device fails or when the preset conditions are met.

Figure 5-1: An HSRP design.


HSRP Operation

• When you use HSRP, the HSRP virtual IP address will be configured as the host's default
gateway. This is different from the usual practice, where most IP hosts will have the IP address of
a single device, such as a router, configured as the default gateway.
• When you configure HSRP on a network segment, it will provide a virtual Media Access Control
(MAC) address and an IP address that will be shared among a group of devices that are running
HSRP.
• HSRP will be useful for hosts that do not support a discovery protocol such as Internet Control
Message Protocol Router Discovery Protocol (IRDP). Such hosts cannot switch to a new device
when their selected device is reloaded or loses power.
• HSRP can be used on such hosts, because the existing Transmission Control Protocol (TCP)
sessions can survive the failover. This provides a more transparent recovery for hosts that
dynamically choose a next hop for routing IP traffic.
• When HSRP detects that the designated active device has failed, a selected standby device will
assume control of the MAC and IP addresses of the Hot Standby group. A new standby device
may also be selected at that time.
• HSRP will use a priority mechanism to determine which HSRP-configured device will be the
default active device.

The address that is assigned to the HSRP group is usually referred to as the virtual IP address.

Priority to Routers

e
• Assigning a priority to routers will allow you to select the active and standby routers. Priority to Routers
• When preemption is enabled, the router with the highest priority will become the active router. If

ut
the priorities are equal, the current active router will not be changed.
• The highest number among the range 1 to 255 will represent the highest priority. The router with

ib
the highest number is most likely to become the active router.
• When you set the priority, preempt, or both, you need to specify at least one keyword
(priority, preempt, or both).

tr
• When you configure an interface with the standby track command and another interface on
the router goes down, the priority of the device will be changed dynamically.

The HSRP Preemption Feature

• The HSRP preemption feature enables the router with the highest priority, among the remaining
routers, to immediately become the active router when the original active router goes down.
• The preemption feature will also allow a standby device to delay becoming active for a
configurable amount of time.
• Priority will be determined first by the configured priority value and then by the IP address.
• For both the priority value and the IP address, a higher value will be treated as greater priority.
• A higher-priority router that preempts a lower-priority router will send a coup message or a
hello message to the latter.
• When a lower-priority active router receives a coup message or hello message from a
higher-priority active router, it will change to the speak state and send a resign message.

HSRP Versions

• Cisco IOS supports HSRP versions 1 (HSRPv1) and 2 (HSRPv2).
• HSRPv1 is the default version of HSRP and has the following features:
  • The HSRP group number can be from the range 0 to 255.
  • Uses the multicast address 224.0.0.2 to send hello packets. This address can conflict with
Cisco Group Management Protocol (CGMP) leave processing. Hence, you will not be able to
enable HSRPv1 and CGMP at the same time and these services are mutually exclusive.
• HSRPv2 has the following features:
  • Uses the multicast address 224.0.0.102 to send hello packets. Thus, you can enable both
HSRPv2 and CGMP leave processing at the same time and these services are no longer
mutually exclusive.
  • Supports a different packet format than HSRPv1.
  • The HSRP group number can be from the range 0 to 4095.

Note: HSRPv2 supports a different packet format than HSRPv1. An HSRPv2 packet uses the
type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the
physical router that sent the packet.

Commands Related to Configuring HSRP Lab

The commands related to the Configuring HSRP lab are listed in the table.

Command                                             Description
standby <group_number> ip <ip_address>              Creates an HSRP group with the specified group
                                                    number and IP address.
show standby                                        Allows you to view the HSRP configuration.
standby <group_number> priority <priority_number>   Assigns the specified priority to the HSRP
                                                    group.
standby <group_number> preempt                      Enables preempt on the HSRP group.
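The priority, preemption, and tracking rules above, together with the standby commands in the table, can be checked against a small model. The following Python model is an added example, not code from the manual or from Cisco IOS; the router names, addresses, and priorities are constructed, and the decrement of 10 that the model applies when standby track is given no value is the IOS default the example assumes.

```python
"""HSRP active-router election model: priority, preemption and interface tracking.

Added example, not code from the ICND2 manual or from Cisco IOS. All router
names, addresses and priorities are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

# Assumed IOS default: 'standby <g> track <intf>' with no value decrements by 10.
DEFAULT_TRACK_DECREMENT = 10


@dataclass
class HsrpRouter:
    name: str
    ip: str                        # interface address; used as the tie-breaker
    priority: int = 100            # 'standby <g> priority <n>', default 100
    preempt: bool = False          # 'standby <g> preempt'
    tracks: Dict[str, int] = field(default_factory=dict)   # interface -> decrement
    down: Set[str] = field(default_factory=set)            # interfaces currently down

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: HSRP priority must be 1..255, got {self.priority}")

    def track(self, interface: str, decrement: int = DEFAULT_TRACK_DECREMENT) -> None:
        """Model 'standby <g> track <interface> decrement <n>'."""
        self.tracks[interface] = decrement

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down
        (clamped at 0 as a modelling choice; the manual only says it 'changes dynamically')."""
        loss = sum(dec for intf, dec in self.tracks.items() if intf in self.down)
        return max(0, self.priority - loss)


def _rank(router: HsrpRouter) -> Tuple[int, int]:
    # Higher priority wins; on equal priority the higher IP address wins.
    return router.effective_priority(), int(IPv4Address(router.ip))


def elect_active(group: List[HsrpRouter], active: Optional[HsrpRouter] = None) -> HsrpRouter:
    """Return the router that is active after the group re-evaluates.

    With no active router (first election, or the active router failed and is no longer
    in the group) the best-ranked router wins outright.  An existing active router is
    displaced only by a router that has preempt enabled *and* a strictly higher
    effective priority; equal priority never changes the active router.
    """
    if active is None or active not in group:
        return max(group, key=_rank)
    challengers = [r for r in group
                   if r is not active and r.preempt
                   and r.effective_priority() > active.effective_priority()]
    return max(challengers, key=_rank) if challengers else active


def elect_standby(group: List[HsrpRouter], active: HsrpRouter) -> Optional[HsrpRouter]:
    """The standby is the best-ranked router other than the active one."""
    others = [r for r in group if r is not active]
    return max(others, key=_rank) if others else None


def tracking_scenario() -> List[str]:
    """Walk through the interface-tracking sequence the manual describes and return the
    name of the active router after each event."""
    r1 = HsrpRouter("R1", "10.1.1.2", priority=110, preempt=True)
    r2 = HsrpRouter("R2", "10.1.1.3", priority=100, preempt=True)
    r1.track("FastEthernet0/1", decrement=20)   # standby 1 track fastethernet 0/1 decrement 20
    group = [r1, r2]
    history = []

    active = elect_active(group)                # initial election: R1, 110 > 100
    history.append(active.name)

    r1.down.add("FastEthernet0/1")              # tracked uplink fails: R1 drops to 90
    active = elect_active(group, active)        # R2 (100, preempt) takes over
    history.append(active.name)

    r1.down.discard("FastEthernet0/1")          # uplink recovers: R1 is back to 110 and preempts
    active = elect_active(group, active)
    history.append(active.name)

    group.remove(active)                        # the active router fails outright
    active = elect_active(group, active)        # the standby becomes active
    history.append(active.name)
    return history


if __name__ == "__main__":
    print(" -> ".join(tracking_scenario()))
```

Running the script prints the active router after each event (R1 -> R2 -> R1 -> R2). The point the model makes visible: tracking only lowers R1's priority; R2 becomes active because it has preempt configured, and with preemption off on R2 the tracking decrement would change nothing until R1 actually failed.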

Lab: Configuring HSRP

• Path to lab: ICND2→Scalable Networks
• Lab name: Configuring Hot Standby Router Protocol
• Duration: 10 minutes (approx.)
Commands Related to HSRP Interface Tracking and Troubleshooting HSRP Part II Labs

The commands related to the HSRP Interface Tracking and Troubleshooting HSRP Part II labs are
listed in the table.

Command                                               Description
show spanning-tree                                    Displays STP information.
tracert <ip_address>                                  Allows you to trace the route from the PC to the
                                                      router’s interface.
show running-config interface vlan <vlan_id>          Displays the specified interface’s active
                                                      configuration file.
standby 1 track fastethernet 0/1 decrement <number>   Enables HSRP interface tracking and decrements
                                                      the priority by the specified number instead of
                                                      the default.
show ip route                                         Displays the IP routing table.


Lab: HSRP Interface Tracking

• Path to lab: ICND2→Scalable Networks
• Lab name: HSRP Interface Tracking
• Duration: 10 minutes (approx.)

Lab: Troubleshooting HSRP Part II

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Hot Standby Router Protocol Part II
• Duration: 15 minutes (approx.)

e
ut
ib
tr
is
D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Lesson 5: Configuring Infrastructure Services | Topic A
78 | Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

TOPIC B
Overview of Cloud Services
In this topic, you will describe the basic features of cloud services.

Cloud Computing Services

• Cisco defines cloud computing as follows: IT resources and services that are abstracted from the
underlying infrastructure and provided “on-demand” and “at scale” in a multitenant
environment.
• Cloud computing provides a method for offering IT services such as servers, databases, networks,
security, and all the related hardware and software. These IT services can be used as the platform
by the enterprise to run its business operations and related set of applications.
• Cloud computing uses virtualization products like virtual machines and also products such as
physical servers built specifically to enable cloud features.

Figure 5-2: The IT services provided by cloud computing.

Criteria for Cloud Computing Service

From the definition of cloud computing by the U.S. National Institute of Standards and Technology
(NIST), you can derive the following five criteria that need to be met by a cloud computing service.
• On-demand Self-Service: The IT consumer must be able to choose when to start and stop
using the service, even without having any direct interaction with the provider of the service.
• Broad Network Access: The service will need to be available from many types of devices and
over many types of networks (including the Internet).
• Resource Pooling: The provider will need to create a pool of resources, instead of dedicating
use of specific servers only to certain consumers. In addition, the provider will need to
dynamically allocate resources from the resource pool for each new request received from a
consumer.
• Rapid Elasticity: The resource pool will need to appear to be unlimited to the consumer. The
resource pool must be able to expand quickly (or be elastic, as indicated by its name) and satisfy
the requests for new service from the consumer.
• Measured Service: The provider must be able to measure the usage and report that usage to the
consumer, both for transparency and billing purposes.

Traffic Path to Internal Cloud Services

• The internal cloud services are also referred to as a private cloud.
• A private cloud creates a service within a company that is meant only for its internal customers.
The service needs to meet the five criteria from the NIST list.
• The workflow in the internal cloud services will consist of the following steps:
1. The user of web applications may send a change request asking for some service, such as a new
virtual machine, from the virtualization team. The internal consumers of IT services such as
developers and operators can select the required service from the service catalog.
2. The virtual tools will act upon the user’s or internal customer’s request and create the required
service.
3. When the required services are started, the services requested by the user or the internal
customers will be available. The services will be running in a data center that is owned by the
enterprise.
• By adding suitable application programming interfaces (APIs) into the virtualization software, the
services catalog software will be able to react to consumer requests such as to add, move, and
create virtual machines.
• The cloud team is composed of server, virtualization, network, and storage engineers and focuses
on building the resource pool.

Note: The cloud team will need to test and add new services to the catalog, handle exceptions, and
monitor the reports based on the measured service requirement to determine when they need to add
capacity to ensure that the resource pool is ready to handle all requests.

Traffic Path
Cloud services use the Internet as the path for the traffic flow.

Traffic Path to External Cloud Services

• The external cloud services are also referred to as a public cloud.
• A public cloud provider will offer services and sell those services to consumers in other
companies.
• The workflow in the external cloud services will consist of the following steps:
1. The customer may ask for some service, such as a new virtual machine, from the service catalog
web page.
2. The virtual tools will act upon the customer’s request and create the required service.
3. When the required services are started, the services requested by the customer will be
available. However, the services may be running in a data center that will be residing in any
location in the world but not at the data center of the enterprise.

Figure 5-3: A workflow in external cloud services.

Basic Virtual Network Infrastructure

The key components that form part of the basic virtual network infrastructure are listed in the
following:
• Virtual Machine: A virtual machine is a software implementation of a computing environment
that provides an environment for installing and running an operating system or program. The
virtual machine will typically emulate a physical computing environment. However, the
virtualization layer will manage the requests for central processing unit (CPU), memory, hard
disk, network, and other hardware resources. This layer will then translate these requests to the
underlying physical hardware.
• Hypervisor: A hypervisor allows multiple operating systems to share a single hardware host
machine. Each operating system will appear to have the dedicated use of the host's processor,
memory, and other resources. However, in the background, the hypervisor will control and
allocate only the needed resources to each operating system while at the same time ensuring the
operating systems in the virtual machines are not disrupting each other.
• Virtual NIC: Each of the hypervisors will support different virtual network interface card
(vNIC) types. For example, the Cisco CSR 1000v router supports a maximum number of
vNICs that depends on the hypervisor. Some routers and hypervisors may also allow you to add
and remove vNICs even without powering down the virtual machine (vNIC Hot Add/Remove).

Types of Virtual Services

• The IT foundation or the basic IT services act as the basis of the virtual services.
• It provides basic building blocks to architect and enable the virtual services. Cisco partners with
several industry players to provide this IT foundation.
• The virtual services offered over a cloud platform can be of the following types:
  • Software as a Service (SaaS): A type of service in which application services are delivered
over the network on a subscription and on-demand basis. Cisco WebEx® is an example of
SaaS.
  • Platform as a Service (PaaS): A type of service in which the run-time environments and
software development frameworks and components are delivered over the network on a
pay-as-you-go basis. These types of services are typically presented as APIs to consumers.
Cisco WebEx Connect® is an example of PaaS.
  • Infrastructure as a Service (IaaS): A type of service in which compute, network, and
storage are delivered over the network on a pay-as-you-go basis. The various approaches
taken by Cisco are intended to help service providers offer more services of this type.

Figure 5-4: The types of virtual services.

TOPIC C
Configure Traffic Filtering Using Access Lists
In this topic, you will describe the methods to configure traffic filtering using access lists.

Access Lists for Traffic Filtering

• An access list can be defined as a sequential list that will consist of at least one permit statement
and possibly one or more deny statements.
• Access lists will allow the filtering of inbound and outbound traffic at specific interfaces
depending upon the source and destination addresses.
• At the end of each access list there will be an implicit deny statement.
• Cisco implements traffic filters with access control lists or access lists. Access lists help you to
determine the traffic that needs to be blocked and the traffic that needs to be forwarded at router
interfaces.
• Access lists can be configured on a router or Layer 3 switch to provide basic network security.

Figure 5-5: ACLs used for permitting and denying traffic in a network environment.
ACLs and Hosts

Access control lists (ACLs) can be used to control the hosts that can access different parts of a
network or decide on the traffic that is to be forwarded or blocked at the router interfaces. For
example, you can allow email traffic to be forwarded while blocking Telnet traffic. You can
configure ACLs to block inbound traffic, outbound traffic, or both. If the ACLs are not configured,
all packets that pass through the switch may be allowed onto all parts of the network.

IPv4 and IPv6 Access Lists for Traffic Filtering

• Internet Protocol version 4 Access Control Lists (IPv4-ACLs) and IPv6-ACLs can be used to
provide basic network security to all the latest Cisco IOS devices by allowing you to restrict
IP-related traffic based on the IP filters that are configured by you.
• A filter will contain the rules that will attempt to match an IP packet, and if the packets match,
the rule will also allow you to mention if the packet needs to be permitted or denied.
• Traffic coming into the switch will be compared to IPv4-ACL or IPv6-ACL filters based on the
order that the filters occur in the IOS device.
• New filters will be added to the end of the IPv4-ACL or the IPv6-ACL.
• The switch will keep looking within the ACL until it finds a match. If no matches are found even
after the switch reaches the end of the filter, the traffic will be denied. For this reason, you
should have the frequently hit filters at the top of the filter.
• There will be an implied deny for traffic that is not permitted.
• You can use a single-entry IPv4-ACL or IPv6-ACL with only one deny entry to deny all traffic.

Note: On loopback and interflex interfaces, IPv4-ACLs are not supported. On loopback, interflex,
and L2 Ethernet Flow Point (EFP) main or subinterfaces, IPv6-ACLs are not supported.

Standard ACLs

• Standard ACLs are the oldest type of ACL.
• Standard ACLs will allow you to control traffic by comparing the source address of the IP
packets to the addresses configured in the ACL.
• The syntax of the standard ACL command is as follows:
access-list <access-list-number> {permit|deny} {<host>|<source> <source-wildcard> | any}
• The valid access-list-number for a standard ACL can be any number from 1 to 99. Also, the newer
versions of Cisco IOS support numbers between 1300 and 1999 for standard ACLs.
• After you create an ACL, you must apply it to the interface either inbound or outbound. In early
software releases, out was taken as the default when you did not specify the keyword out or in.
• However, in the later software releases, you need to specify the direction using the following
syntax:
interface <interface>
ip access-group <number> {in|out}

Note: Standard ACLs date back to as early as Cisco IOS Software Release 8.3.

Source and Source-Wildcard Setting

A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard
can be omitted if it has only zeros. Thus, host 10.11.1.2 0.0.0.0 will be the same as host 10.11.1.2.

Extended ACLs

• Extended ACLs will allow you to control traffic by comparing the source and destination
addresses of the IP packets to the addresses configured in the ACL.
• You can also configure extended ACLs to filter traffic by specifying criteria such as protocol,
port numbers, and precedence value.
• The valid access-list-number for an extended ACL can be any number from 100 to 199. Also, the
newer versions of Cisco IOS support numbers between 2000 and 2699 for extended ACLs.

Note: Extended ACLs were introduced in Cisco IOS Software Release 8.3.

Syntax of the Extended ACLs Command

The syntax of the extended ACLs command is:
access-list <access-list-number> [dynamic <dynamic-name> [timeout <minutes>]]
{deny|permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>
[precedence <precedence>] [tos <type_of_service>] [log|log-input]
[time-range <time-range-name>]
Named ACLs

• All access lists need to be identified by either a name or a number.
• Named access lists are convenient when compared to numbered access lists because they allow
you to specify a meaningful name that will be easier for you to remember and associate with a
task.
• You will be able to reorder statements in a named access list or add statements to a named access
list.
• You need to use the ip access-list extended <name> command to create a named ACL.
• This command will allow you to define an extended IP access list using a name and enter the
extended named access list configuration mode.
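To see how a standard or extended numbered ACL is actually evaluated, the following Python evaluator is an added example, not code from the manual or from Cisco IOS. It parses the access-list syntax shown above (standard 1 to 99 and 1300 to 1999, extended 100 to 199 and 2000 to 2699, the host and any keywords, wildcard masks, and eq port matches), then evaluates a packet top-down with first match and the implicit deny. The sample ACLs and addresses are constructed, and the port-name table covers only a handful of names.

```python
"""Numbered IPv4 access-list evaluator: wildcard masks, top-down first match, implicit deny.
Added example, not code from the ICND2 manual or from Cisco IOS; the sample ACLs are constructed."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = 0xFFFFFFFF                      # wildcard of all ones: every bit is "don't care"
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "smtp": 25}
_DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol; standard ACLs use it
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i]; return (addr, wildcard, next i)."""
    if tokens[i] == "any":
        return 0, ANY, i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and _DOTTED.fullmatch(tokens[i + 1]):
        return addr, int(IPv4Address(tokens[i + 1])), i + 2
    return addr, 0, i + 1             # bare address: wildcard of all zeros, i.e. a single host


def _port_spec(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Read an optional 'eq <port-number|port-name>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list <number> ...' lines into ACEs, in configuration order."""
    aces: List[Ace] = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue                                              # blank line or comment
        if tokens[0] != "access-list" or len(tokens) < 4 or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard ACL: source only
            src, src_wild, _ = _addr_spec(tokens, 3)
            aces.append(Ace(action, "ip", src, src_wild, 0, ANY))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:     # extended ACL
            src, src_wild, i = _addr_spec(tokens, 4)
            src_port, i = _port_spec(tokens, i)
            dst, dst_wild, i = _addr_spec(tokens, i)
            dst_port, _ = _port_spec(tokens, i)                  # any trailing 'log' is ignored
            aces.append(Ace(action, tokens[3], src, src_wild, dst, dst_wild, src_port, dst_port))
        else:
            raise ValueError(f"{number} is not a standard or extended access-list number")
    return aces


def wildcard_match(addr: int, pattern: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the bits where it is 0 must match."""
    return ((addr ^ pattern) & ~wildcard & ANY) == 0


def ace_matches(ace: Ace, protocol: str, src: str, dst: str,
                src_port: Optional[int] = None, dst_port: Optional[int] = None) -> bool:
    return (ace.protocol in ("ip", protocol)
            and wildcard_match(int(IPv4Address(src)), ace.src, ace.src_wild)
            and wildcard_match(int(IPv4Address(dst)), ace.dst, ace.dst_wild)
            and ace.src_port in (None, src_port)
            and ace.dst_port in (None, dst_port))


def evaluate(aces: List[Ace], protocol: str, src: str, dst: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching ACE); the index
    is None when the implicit deny at the end of the list was reached."""
    for index, ace in enumerate(aces):
        if ace_matches(ace, protocol, src, dst, src_port, dst_port):
            return ace.action, index
    return "deny", None


# Constructed sample ACLs, shaped like the commands in the IP Access Lists lab table.
SAMPLE_STANDARD = """\
! block one host, allow the rest of its /24, implicitly deny everything else
access-list 10 deny host 10.11.1.2
access-list 10 permit 10.11.1.0 0.0.0.255
"""
SAMPLE_EXTENDED = """\
! block Telnet and ICMP from one host, allow all other IP traffic
access-list 101 deny tcp host 10.11.1.2 any eq telnet
access-list 101 deny icmp host 10.11.1.2 any
access-list 101 permit ip any any
"""
```

evaluate() returns the action and the index of the matching entry, with None for the implicit deny, which is what you want when checking why a flow was dropped: a ("deny", None) result means no entry matched at all, while a permit from a later line against a list whose earlier line was meant to block that flow points at a wildcard or port mistake in the earlier line.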

APIC-EM Path Trace ACL Analysis Tool

• The Cisco Application Policy Infrastructure Controller-Enterprise Module (APIC-EM) is Cisco's
Software Defined Networking (SDN) Controller for Enterprise Networks.
• The ACL analysis tool of APIC-EM will allow you to analyze how a flow is affected by ACLs
programmed on the path.
• The ACL Trace tool will analyze both ingress and egress interfaces of all devices on the path
after the path between the source and the destination is calculated.
• This tool will show whether the traffic matching your criteria would be permitted or denied
based on the ACLs configured on the path.
• The following rules affect the results of the ACL Analysis tool of APIC-EM:
  • Only matching access control entries (ACEs) will be reported.
  • If you omit the protocol, source port, or destination port when defining a path trace, the
results will include ACE matches for all possible values for these fields.
  • If there are no matching ACEs in the ACL, the flow will be reported as implicitly denied.

Note: The Access, Campus, WAN, and Wireless networks are the enterprise networks that are
supported by the APIC-EM tool.

ACL Analysis

The analysis of the ACL path trace tool is independent among the ACLs throughout the path.
For example, if an ACL has entries that would deny the traffic on an interface along the path, the
results of the analysis will be reported as if the traffic had reached the destination without being
denied by the ACL. The analysis of entries within an individual ACL is cumulative, which means
that if a higher-priority ACE is the match, the lower-priority ACEs will be ignored.
Commands Related to IP Access Lists Lab

The commands related to the IP Access Lists lab are listed in the table.

Command                                                 Description
access-list <access_list_number> permit                 Creates an access list that denies or permits IP
<source address> <source wildcard>                      traffic from the specified address or address
                                                        range.
ip access-group <group_number> in                       Controls the access to an interface.
access-list <access_list_number> deny tcp               Defines an extended IP ACL that will deny
host <ip_address> any eq telnet                         Telnet-based traffic from the specific host.
access-list <access_list_number> deny icmp              Defines an extended IP ACL that will deny
host <ip_address> any                                   Internet Control Message Protocol (ICMP)
                                                        traffic from the specific host.
access-list <access_list_number> permit ip any any      Defines an extended IP ACL that will permit IP
                                                        traffic.

Lab: IP Access Lists

• Path to lab: ICND2→Device Hardening
• Lab name: IP Access Lists
• Duration: 15 minutes (approx.)

Commands Related to Extended ACL Practice Lab 1 Lab

The commands related to the Extended ACL Practice Lab 1 lab are listed in the table.

Command                        Description
show access-lists              Displays the configured ACLs.
show ip interface brief        Displays a brief summary of interface status and
                               configuration.

Lab: Extended ACL Practice Lab 1

• Path to lab: ICND2→Device Hardening
• Lab name: Lab: Extended ACL Practice Lab 1
• Duration: 10 minutes (approx.)


Commands Related to Advanced Extended Access Lists Lab

The commands related to the Advanced Extended Access Lists lab are listed in the table.

Command                                       Description
hostname <router_name>                        Configures the appropriate host name, IP
interface <type> <slot>/<port>                addresses, and subnet masks, enables the
ip address <ip_address> <subnet_mask>         interfaces, and configures a clock rate on the
clock rate <clock_rate>                       selected interface of the router.
router rip                                    Configures Routing Information Protocol
version 2                                     version 2 (RIPv2) to advertise each configured
network <network_address>                     interface.
show ip route                                 Displays the IP routing table.
no ip access-group <group_id> out             Removes the ACLs applied to the group for the
                                              outgoing traffic.
no ip access-group <group_id> in              Removes the ACLs applied to the group for the
                                              incoming traffic.

Lab: Advanced Extended Access Lists

• Path to lab: ICND2→Device Hardening
• Lab name: Advanced Extended Access Lists
• Duration: 15 minutes (approx.)
Commands Related to Reviewing Access Lists Lab

The commands related to the Reviewing Access Lists lab are listed in the table.

Command                     Description
show vlan                   Displays information about virtual local area
                            networks (VLANs).
show mac-address-table      Displays the MAC forwarding table.
telnet <ip_address>         Starts the terminal emulation program from a
                            PC, router, or switch and permits you to access
                            devices remotely over the network.
Lab: Reviewing Access Lists

• Path to lab: ICND2→Device Hardening
• Lab name: Reviewing Access Lists
• Duration: 15 minutes (approx.)

Commands Related to Configuring IPv6 ACLs Lab

The commands related to the Configuring IPv6 ACLs lab are listed in the table.

Command                                            Description
show ipv6 access-list                              Displays the contents of all current IPv6 access
                                                   lists.
ipv6 access-list <access_list_name>                Defines an IPv6 access list and places the device
                                                   in IPv6 access list configuration mode.
deny tcp host <source-ipv6-prefix/prefix-length>   Allows you to set deny conditions for an IPv6
any eq telnet                                      access list to deny Telnet traffic.
permit ipv6 any any                                Sets permit conditions for an IPv6 access list.
show running-config interface                      Displays the active configuration file for the
<interface_type> <slot>/<port>                     selected interface.

Lab: Configuring IPv6 ACLs

• Path to lab: ICND2→Device Hardening
• Lab name: Configuring IPv6 ACLs
• Duration: 10 minutes (approx.)

TOPIC D
Troubleshooting ACLs
In this topic, you will describe the methods to troubleshoot ACLs.

Techniques to Troubleshoot ACLs

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on
the CHOICE Course screen.

Even before you attempt to troubleshoot ACL issues, you need to focus on these four key
points:
• Determine whether there is an ACL problem: If possible, you will need to remove the access
list and test.
• Test the interface on which the ACL is applied and the direction of data flow: While you may be
tempted to verify the access list first, it is also important for you to verify the direction and
ensure that the sources and destinations are being correctly interpreted. It might be possible that
the applied interface is not on the path that the traffic is routed through.
• Check the entries in the access list: You need to check and verify that the addresses and port
numbers have been entered correctly.
• Review the order of operations: You need to remember that ACLs are processed top-down
and the first match (permit or deny) is executed. It could be possible that the traffic is matching
an earlier statement. You will be able to check this by temporarily moving the line in question to
the top of the list.
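The last check above, a statement that never matches because an earlier line already covers its traffic, can be detected mechanically rather than by moving lines around on a live router. The following Python is an added example, not code from the manual or from Cisco IOS; it works on already-parsed entries, and the misordered sample list is constructed.

```python
"""Find ACL entries that an earlier entry hides: the 'traffic is matching an earlier
statement' fault from the troubleshooting checklist.

Added example, not code from the ICND2 manual or from Cisco IOS.  Entries are given
as already-parsed fields; the sample access list is constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" covers every protocol
    src: str                         # dotted address
    src_wild: str                    # dotted wildcard; 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # None: any destination port


def _covers(addr_a: str, wild_a: str, addr_b: str, wild_b: str) -> bool:
    """True if every address matched by (addr_b, wild_b) is also matched by (addr_a, wild_a):
    A ignores at least the bits B ignores, and on A's fixed bits both patterns agree."""
    a, wa = int(IPv4Address(addr_a)), int(IPv4Address(wild_a))
    b, wb = int(IPv4Address(addr_b)), int(IPv4Address(wild_b))
    return (wb & ~wa & ALL_ONES) == 0 and ((a ^ b) & ~wa & ALL_ONES) == 0


def shadows(earlier: Ace, later: Ace) -> bool:
    """True if 'earlier' matches everything 'later' would match, so 'later' is never hit."""
    return ((earlier.protocol == "ip" or earlier.protocol == later.protocol)
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port)
            and _covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
            and _covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild))


def find_shadowed(acl: List[Ace]) -> List[Tuple[int, int, str]]:
    """Return (hiding_index, hidden_index, kind) for each entry that can never match.
    kind is 'conflict' when the two actions differ (traffic gets the wrong verdict) and
    'redundant' when they agree (dead configuration, no change in behaviour)."""
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            if shadows(acl[i], later):
                kind = "conflict" if acl[i].action != later.action else "redundant"
                findings.append((i, j, kind))
                break
    return findings


def move_to_top(acl: List[Ace], index: int) -> List[Ace]:
    """The checklist's test: temporarily move the line in question to the top of the list."""
    return [acl[index]] + [ace for k, ace in enumerate(acl) if k != index]


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed sample: the deny on line 1 was meant to block Telnet from one host,
# but line 0 already permits its whole subnet, so line 1 can never be matched.
MISORDERED = [
    Ace("permit", "ip", "10.11.1.0", "0.0.0.255", *ANY),
    Ace("deny", "tcp", "10.11.1.2", "0.0.0.0", *ANY, dst_port=23),
    Ace("permit", "ip", *ANY, *ANY),
]

if __name__ == "__main__":
    for i, j, kind in find_shadowed(MISORDERED):
        print(f"line {j} is never reached: hidden by line {i} ({kind})")
```

find_shadowed() reports a 'conflict' when a hidden line would have given the opposite verdict and 'redundant' when it would have agreed; move_to_top() applies the checklist's own test, and the finding disappears once the deny is moved above the broader permit.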
Commands Related to Troubleshooting Access Lists Lab

The commands related to the Troubleshooting Access Lists lab are listed in the table.

Command                                     Description
show access-lists <list_name>               Displays only the statements related to the
                                            specific ACL that is used to filter inbound traffic
                                            for the specified interface.
ip access-list extended <list_name>         Allows you to modify the selected ACL, remove
no <sequence_number>                        the contents of the line number specified, and
<sequence_number> deny tcp any eq telnet    include a new set of commands in the specified
                                            line number within the selected ACL.
show access-lists                           Displays the contents of currently configured
                                            ACLs.

Lab: Troubleshooting Access Lists

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Access Lists
• Duration: 15 minutes (approx.)

Commands Related to Troubleshooting Named ACLs Lab

The commands related to the Troubleshooting Named ACLs lab are listed in the table.

Command                                       Description
show vlan                                     Displays the VLAN information.
show ip interface brief                       Displays a brief summary of interface status and
                                              configuration.
ip access-list extended <access_list_name>    Creates a named access list and places the router
                                              into ACL configuration mode.
<sequence_number> permit udp                  Defines a sequential extended IP ACL statement
<source_address> <source-wildcard>            that matches User Datagram Protocol (UDP)
host <destination_address> eq 53              traffic on port 53.

Lab: Troubleshooting Named ACLs

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Named ACLs
• Duration: 15 minutes (approx.)


Commands Related to Troubleshooting ACLs 1, Troubleshooting ACLs 2, and Troubleshooting ACLs 3 Labs

The commands related to the Troubleshooting ACLs 1, Troubleshooting ACLs 2, and
Troubleshooting ACLs 3 labs are listed in the table.

Command                                            Description
show ip interface <interface_type> <slot>/<port>   Displays information for the specified interface.
no ip access-group <group_id> in                   Removes the specified access list from the
                                                   interface in the inbound direction.
ip access-group <group_id> out                     Applies the specified access list to the interface
                                                   in the outbound direction.
ip access-list extended TELNET                     Places the router into extended named ACL
                                                   configuration mode.
do show access-lists                               Allows you to run the show command from any
                                                   configuration mode, such as global configuration
                                                   mode.
Lab: Troubleshooting ACLs 1—Extended ACLs

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting ACLs 1 - Extended ACLs
• Duration: 10 minutes (approx.)

Lab: Troubleshooting ACLs 2—Standard ACLs

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting ACLs 2 - Standard ACLs
• Duration: 10 minutes (approx.)

Lab: Troubleshooting ACLs 3—Named ACLs

• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting ACLs 3 - Named ACLs
• Duration: 10 minutes (approx.)

TOPIC E
Configure VRRP
In this topic, you will describe the methods to configure VRRP.

VRRP

• Virtual Router Redundancy Protocol (VRRP) allows you to configure a group of routers to share
a virtual IP address. Such a configuration provides for transparent failover at the first-hop IP
router.
• VRRP is an industry standard protocol that will work in a multivendor environment.
• VRRP will select a master router in the router group. This master router will handle all packets
for the virtual IP address.
• The remaining routers in the group will be on standby and will take over if the master router
fails.

Figure 5-6: A sample VRRP setting in a network environment.


First Hop Router Determination Methods

• There are two methods used by a local area network (LAN) client to determine the router that
will be the first hop to a particular remote destination—Dynamic Process and Static
Configuration.
  • Dynamic Process: A dynamic discovery protocol will incur some processing and
configuration overhead on the LAN client. In the event of a router failure, the switchover to
another router is very slow. Examples of dynamic router discovery are Proxy Address
Resolution Protocol (ARP), a routing protocol, and an IRDP client.
  • Static Configuration: Statically configuring a default router on the client will simplify the
client processing and configuration. However, it will create a single point of failure, which will
cut off the LAN client from the rest of the network if the default gateway fails. The LAN client
will then have limited communications only on the local IP network segment.
• VRRP will allow you to solve the static configuration problem by enabling a group of routers, or
a VRRP group, that will share a single virtual IP address. Then, you can configure the LAN
clients using the virtual IP address as their default gateway.

Proxy ARP
The LAN client uses ARP to obtain the destination it needs to reach, and a router provides its own MAC address in response to the ARP request.

Routing Protocol
The LAN client forms its own routing table by listening to dynamic routing protocol updates, for example Routing Information Protocol (RIP) updates.

IRDP Client
The LAN client runs an ICMP router discovery client.

Benefits of VRRP
VRRP provides various benefits as listed in the table.

Redundancy: Allows you to configure multiple routers as the default gateway router. Such configuration reduces the possibility of a single point of failure in a network.

Load sharing: Allows you to configure and share the traffic to and from LAN clients among multiple routers. This traffic sharing ensures that you can equally distribute the traffic load among available routers.

Multiple virtual routers: Provides support for up to 255 virtual routers or VRRP groups on a router physical interface on platforms that support multiple MAC addresses. With its support for multiple virtual routers, VRRP allows implementation of redundancy and load sharing in your LAN topology.

Multiple IP addresses: Allows you to manage multiple IP addresses, including secondary IP addresses. Thus, you will be able to configure VRRP on each subnet when you have multiple subnets configured on an Ethernet interface.

Preemption: Allows you to substitute a virtual backup router, which you had deployed previously to overcome a failing master router, with a different virtual backup router. Usually, the newly selected virtual backup router will be a higher priority virtual backup router, which may have been previously unavailable but has now become available.

Authentication: Uses the VRRP Message Digest 5 (MD5) algorithm authentication to protect against VRRP-spoofing software. The use of the industry-standard MD5 algorithm provides improved reliability and security.

Advertisement protocol: Uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements, which minimizes the number of routers that must service the multicasts. This addressing scheme also allows testing equipment to accurately identify VRRP packets on a segment. The IANA has assigned the IP protocol number 112 to VRRP.

VRRP object tracking: Provides a method to ensure that the best VRRP router is the virtual router master for the group. This is ensured by altering VRRP priorities according to the status of tracked objects such as interface or IP route states.

Commands Related to Configuring VRRP I and Configuring VRRP II Labs
The commands related to the Configuring VRRP I and Configuring VRRP II labs are listed in the table.

show ip interface brief: Displays a brief summary of interface status and configuration.

interface vlan <vlan_id>: Accesses the specified VLAN interface.

vrrp <group_id> ip <ip_address>: Creates a VRRP group with the specified group number and virtual IP address.

ip default-gateway <ip_address>: Configures the default gateway to be the specified IP address.

show vrrp: Displays the status of the VRRP groups on the router.

vrrp <group_id> priority <value>: Assigns the specified priority to the selected VRRP group.

tracert 1.1.1.1: Traces the path to the router's Loopback 0 interface (1.1.1.1) from the PC.
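The following Python model, added here as an illustration and not part of the course or of Cisco IOS, walks through the election rules that the benefits table and the command table rely on: the highest priority router becomes master, a router that stops advertising is replaced by a backup, a returning router takes over only if preemption is enabled, and object tracking lowers the priority of a router whose tracked interface is down. The router names, addresses, priorities and the tracking decrement are constructed sample values; the default priority of 100 is an assumption.

```python
"""Model of VRRP master election with priority, preemption and object tracking.

Added example; this is not course material or Cisco IOS code. Router names,
addresses, priorities and the tracking decrement below are constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional

VRRP_ADVERT_GROUP = "224.0.0.18"   # IANA multicast address for VRRP advertisements (from the text)
VRRP_IP_PROTOCOL = 112             # IANA IP protocol number for VRRP (from the text)


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # interface address, used as the election tie-breaker
    priority: int = 100            # assumed default; 255 is reserved for the virtual IP owner
    preempt: bool = True           # may this router take over from a lower-priority master?
    tracked_up: bool = True        # state of the tracked object (an uplink interface, say)
    track_decrement: int = 10      # how much to lower the priority when the object is down

    def effective_priority(self) -> int:
        """Object tracking: a failed tracked object lowers the advertised priority."""
        if self.tracked_up:
            return self.priority
        return max(self.priority - self.track_decrement, 1)


def _ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


class VrrpGroup:
    """One VRRP group: all routers share one virtual IP; exactly one is master."""

    def __init__(self, group_id: int, virtual_ip: str, routers: List[VrrpRouter]):
        self.group_id = group_id
        self.virtual_ip = virtual_ip
        self.routers = list(routers)
        self.master: Optional[str] = None

    def _best(self) -> VrrpRouter:
        # Highest effective priority wins; equal priorities tie-break on the higher IP.
        return max(self.routers, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))

    def _current(self) -> Optional[VrrpRouter]:
        return next((r for r in self.routers if r.name == self.master), None)

    def elect(self) -> str:
        """Return the master after applying the election rules.

        A master keeps its role unless it is gone (no advertisements) or a router
        with a higher effective priority and preemption enabled is available.
        """
        current = self._current()
        best = self._best()
        if current is None:
            self.master = best.name
        elif best.preempt and best.effective_priority() > current.effective_priority():
            self.master = best.name
        return self.master

    def fail(self, name: str) -> str:
        """Simulate a router failure: it stops advertising, so a backup takes over."""
        self.routers = [r for r in self.routers if r.name != name]
        return self.elect()

    def restore(self, router: VrrpRouter) -> str:
        """A router comes back; it only becomes master again if it can preempt."""
        self.routers.append(router)
        return self.elect()


def demo() -> List[str]:
    """Walk through failover, preemption and tracking; returns the master after each step."""
    r1 = VrrpRouter("R1", "10.0.0.1", priority=150, track_decrement=60)
    r2 = VrrpRouter("R2", "10.0.0.2", priority=100)
    group = VrrpGroup(1, "10.0.0.254", [r1, r2])
    steps = [group.elect()]            # R1: highest priority
    steps.append(group.fail("R1"))     # R2: R1 stopped advertising
    steps.append(group.restore(r1))    # R1: preempts R2 when it returns
    r1.tracked_up = False              # R1's uplink goes down: 150 - 60 = 90 < 100
    steps.append(group.elect())        # R2: takes over because R1's priority dropped
    return steps


if __name__ == "__main__":
    print(demo())
```

The fourth step is the object-tracking case from the benefits table: R1 is still alive, but its lowered priority lets R2 preempt it, which is the intended outcome when R1 has lost its uplink and would otherwise black-hole the clients' traffic.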


Lab: Configuring VRRP I
• Path to lab: ICND2→Scalable Networks
• Lab name: Configuring VRRP I
• Duration: 15 minutes (approx.)

Lab: Configuring VRRP II
• Path to lab: ICND2→Scalable Networks
• Lab name: Configuring VRRP II
• Duration: 15 minutes (approx.)


Summary
Key Points
• HSRP will be useful for hosts that do not support a discovery protocol such as IRDP.
• Assigning a priority to routers will allow you to select the active and standby routers.
• The HSRP preemption feature enables the router with the highest priority to immediately become the active router when the original active router goes down.
• A private cloud creates a service within a company that is meant only for its internal customers and that will meet the five criteria from the NIST list.
• The IT foundation acts as the basis of the virtual services.
• IPv4 ACLs and IPv6 ACLs can be used to provide basic network security on all the latest Cisco switches.
• The Cisco APIC-EM is Cisco's SDN Controller for Enterprise Networks.
• VRRP allows you to configure a group of routers to share a virtual IP address.
• VRRP will allow you to solve the static configuration problem by enabling a group of routers, or a VRRP group, to share a single virtual IP address.

6 Describing QoS Concepts

Lesson Time: 1 hour, 30 minutes

Lesson Objectives
In this lesson, you will describe QoS concepts and describe techniques to manage and avoid congestion. You will:
• Describe QoS parameters and priority values and QoS classification, marking, and policing techniques.
• Describe congestion management, scheduling, and prioritization techniques.

Lesson Introduction
Your enterprise network needs to handle different types of traffic, such as data, voice, and video transmissions. To optimize bandwidth usage and also ensure good user experiences, you need to prioritize some traffic over others. QoS enables you to specify several parameters to optimize bandwidth allocation and manage different types of traffic in a network.


TOPIC A
Describe the QoS Concepts
In this topic, you will describe QoS parameters and priority values and QoS classification, marking,
and policing techniques.

QoS
• The ability of a network to offer improved service to specific types of network traffic.
• Defined by a set of parameters that controls the service provided.
• Prioritizes traffic based on importance and uses congestion avoidance methods.
• The most common quality of service (QoS) parameters are bandwidth, latency, jitter, and packet loss.
• QoS aims at providing high bandwidth, low latency and jitter, and minimal data loss while making sure that prioritizing one type of network traffic does not affect the other types.
The table lists the QoS parameters and describes them.

Bandwidth: The average number of bits of data that can be transmitted from source to destination in one second.

Latency: The time difference between the transmission of a signal and its receipt. Also called lag or delay.

Jitter: The variability over time in latency between sequentially transmitted packets.

Packet Loss: The number of packets lost or damaged during transmission.


Optimum Usage of Bandwidth
An optimum usage of bandwidth is critical for multimedia applications. Low bandwidth may result in bad quality transmission leading to packet dropouts or data loss. Latency is inevitable when packets are held up in queues or when packets are routed through less congested routes that are long. However, latency can be minimized by increasing the network bandwidth, fragmenting data packets, or prioritizing data on a network. Jitter may be caused by network congestion, improper queuing, or configuration errors. A very low jitter is important for voice and video transmissions. Packet loss may be due to full buffers at the destination. This can result in destinations requesting retransmission of data.
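To make the four parameters concrete, the following Python example, added here and not taken from the course, measures them from a packet trace. The trace is constructed: each record holds a sequence number, the send time, the receive time (None when the packet was lost) and the size in bytes, as a receiver with a clock synchronized to the sender would record for a one-way flow. The jitter function uses the simple mean delay variation; the smoothed estimator that RTP receivers report is a variant of the same idea.

```python
"""Measuring the four QoS parameters from a packet trace.

Added example, not from the course. The trace is constructed: each entry is
(sequence number, send time in seconds, receive time in seconds or None when
the packet was lost, size in bytes), as a receiver with synchronized clocks
would record for a one-way flow.
"""
from typing import List, Optional, Tuple

Record = Tuple[int, float, Optional[float], int]

TRACE: List[Record] = [
    (1, 0.000, 0.020, 200),
    (2, 0.020, 0.041, 200),
    (3, 0.040, 0.065, 200),
    (4, 0.060, None,  200),   # lost in transit
    (5, 0.080, 0.100, 200),
]


def _received(trace: List[Record]) -> List[Record]:
    return [r for r in trace if r[2] is not None]


def latency_ms(trace: List[Record]) -> float:
    """Mean one-way delay (receive - send) over the packets that arrived."""
    delays = [rx - tx for _, tx, rx, _ in _received(trace)]
    return 1000.0 * sum(delays) / len(delays)


def jitter_ms(trace: List[Record]) -> float:
    """Mean absolute change in one-way delay between consecutive received packets.

    This is the simple packet-delay-variation form; RTP receivers (RFC 3550)
    report a smoothed running estimate of the same quantity.
    """
    delays = [rx - tx for _, tx, rx, _ in _received(trace)]
    variations = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return 1000.0 * sum(variations) / len(variations)


def packet_loss_pct(trace: List[Record]) -> float:
    """Percentage of sent packets that never arrived."""
    lost = sum(1 for r in trace if r[2] is None)
    return 100.0 * lost / len(trace)


def throughput_bps(trace: List[Record]) -> float:
    """Bits delivered per second over the trace window: the achieved share of
    the link bandwidth, not the link capacity itself."""
    received = _received(trace)
    bits = 8 * sum(size for _, _, _, size in received)
    window = max(rx for _, _, rx, _ in received) - min(tx for _, tx, _, _ in trace)
    return bits / window


if __name__ == "__main__":
    print(f"latency {latency_ms(TRACE):.1f} ms, jitter {jitter_ms(TRACE):.1f} ms, "
          f"loss {packet_loss_pct(TRACE):.0f}%, throughput {throughput_bps(TRACE):.0f} bps")
```

Run against the constructed trace, the latency is 21.5 ms, the jitter about 3.3 ms and the loss 20%, all inside the voice limits given later in this lesson except the loss figure, which a single dropped packet in a five-packet sample exaggerates.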

QoS Architecture
• QoS implementation in a network includes three techniques:
  • Identification and marking: Involves techniques to implement QoS between network components. Typically includes classification, policy, and marking steps.
  • Applying QoS in a single node: Involves the use of queuing, scheduling, and traffic-shaping tools to apply QoS on a single node.
  • Applying policy, management, and accounting functions in a network: Involves techniques to control and manage traffic in a network.
• There are three levels of QoS that can be implemented in a network:
  • Best-effort Service: All traffic is treated equally. No differentiation is applied.
  • Differentiated Service: Differentiates traffic and applies QoS based on the traffic.
  • Guaranteed Service: Guarantees reliable transmission to specific traffic by reserving network resources.


Figure 6-1: Three levels of QoS.

Best-Effort Service
The Best-effort Service is also called lack of QoS, the Differentiated Service is also called Soft QoS, and the Guaranteed Service is also called Hard QoS. First In First Out (FIFO) queues represent best-effort service. Differentiated service uses tools such as Priority Queuing (PQ), Custom Queuing (CQ), Weighted Fair Queuing (WFQ), and Weighted Random Early Detection (WRED). This service does not guarantee delivery of packets. Guaranteed service uses tools such as Resource Reservation Protocol (RSVP) and Class-based WFQ (CBWFQ).

Priority Values
• To determine the QoS to be applied to network traffic, frames and packets carry priority information.
• Priority is used to classify packets so that packets of the same class can be forwarded with the same QoS.
• In Layer 2, frames carry a Class of Service (CoS) value or a Priority Code Point (PCP) value to indicate priority.
• In Layer 3, IP packets carry an IP Precedence (IPP) value or a Differentiated Services Code Point (DSCP) value to indicate priority.
CoS values start from 0 for low priority to 7 for high priority.
The table lists the priority values for each layer and describes them.

Layer 2, CoS value: Three least significant bits of the 1-byte User field in Inter-Switch Link (ISL) frame headers contain a CoS value.

Layer 2, PCP value: Three most significant bits in the 2-byte Tag Control Information field of Institute of Electrical and Electronics Engineers (IEEE) 802.1Q frames contain a PCP value.

Layer 3, IPP value: Three bits of the Type of Service (TOS) field contain a value ranging from 0 to 7.

Layer 3, DSCP value: Six bits of the TOS field contain a value ranging from 0 to 63.

Network Traffic Classification
• The process of differentiating network traffic types to implement QoS.
• An identification step that examines the fields in packets to classify network traffic.
• Classification can be applied in two ways:
  • On a per-hop basis: The packet is identified at a router but its class is not marked. Class information is not passed on to other routers.
  • On a network-wide basis: The packet is identified at a router and marked with IPP or DSCP values for network-wide identification. Applied when PQ and CQ methods are used.
• Some of the common methods to perform classification are:
  • Matching CoS, IPP, or DSCP values, or access control lists (ACLs).
  • Policy-based routing.
  • Committed Access Rate (CAR).
  • Network-Based Application Recognition (NBAR).
Before enabling classification on a Cisco switch, you need to enable QoS globally on the switch. By default, QoS is disabled in switches.

Figure 6-2: Types of classification methods used in QoS.
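The bit positions listed in the Priority Values table are easy to get wrong when writing classification or packet-inspection code, so the following Python example, added here and not part of the course, builds a minimal 802.1Q-tagged frame and a minimal IPv4 header and then extracts the PCP (the three most significant bits of the TCI) and the DSCP and IP Precedence bits of the TOS byte. The MAC and IP addresses are constructed; the header layouts are those of IEEE 802.1Q and IPv4.

```python
"""Reading and writing Layer 2 and Layer 3 priority fields.

Added example, not from the course. Builds a minimal 802.1Q-tagged frame and a
minimal IPv4 header with constructed addresses, then extracts the PCP (three
most significant bits of the TCI) and the DSCP / IP Precedence bits of the TOS
byte, the fields listed in the Priority Values table.
"""
import struct
from typing import Dict

DOT1Q_TPID = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tci(pcp: int, vlan_id: int, dei: int = 0) -> int:
    """Tag Control Information: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)."""
    if not 0 <= pcp <= 7 or not 0 <= vlan_id <= 4095:
        raise ValueError("PCP must be 0-7 and VLAN ID 0-4095")
    return (pcp << 13) | (dei << 12) | vlan_id


def build_dot1q_frame(dst: bytes, src: bytes, pcp: int, vlan_id: int,
                      ethertype: int, payload: bytes) -> bytes:
    """Destination MAC, source MAC, 802.1Q tag, inner EtherType, payload."""
    tag = struct.pack("!HHH", DOT1Q_TPID, build_tci(pcp, vlan_id), ethertype)
    return dst + src + tag + payload


def parse_dot1q_frame(frame: bytes) -> Dict[str, int]:
    """Return the PCP, DEI and VLAN ID of a tagged frame; raise if it is untagged."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != DOT1Q_TPID:
        raise ValueError("frame is not 802.1Q tagged")
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF,
            "ethertype": ethertype}


def _ip_bytes(address: str) -> bytes:
    return bytes(int(octet) for octet in address.split("."))


def build_ipv4_header(dscp: int, src: str, dst: str, ecn: int = 0, proto: int = 17) -> bytes:
    """20-byte IPv4 header; the TOS byte carries DSCP in its six high bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    tos = (dscp << 2) | ecn
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       _ip_bytes(src), _ip_bytes(dst))


def parse_ipv4_priority(packet: bytes) -> Dict[str, int]:
    """DSCP is TOS >> 2; IP Precedence is the top three bits, i.e. DSCP >> 3."""
    tos = packet[1]
    return {"tos": tos, "dscp": tos >> 2, "ipp": tos >> 5, "ecn": tos & 0x3}


def ipp_from_dscp(dscp: int) -> int:
    """IP Precedence is the class-selector part of a DSCP value."""
    return dscp >> 3


if __name__ == "__main__":
    frame = build_dot1q_frame(b"\x01\x00\x5e\x00\x00\x12", b"\x02\x00\x00\x00\x00\x01",
                              pcp=5, vlan_id=10, ethertype=ETHERTYPE_IPV4,
                              payload=build_ipv4_header(46, "10.0.0.1", "10.0.0.2"))
    print(parse_dot1q_frame(frame))          # PCP 5 on VLAN 10
    print(parse_ipv4_priority(frame[18:]))   # DSCP 46 (EF), IPP 5
```

The relationship between the two Layer 3 values is visible in the parser: because IP Precedence occupies the top three bits of the same byte, a DSCP value of 46 (EF) is seen by an IPP-only device as precedence 5, which is why the two marking schemes can coexist on one network.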

Device Trust
• A Cisco interface can be configured to trust DSCP or CoS values in IP packets. When trust is enabled, the device is said to be in a trusted state.
• All Cisco devices are in an untrusted state by default.
• The different methods to classify an incoming IP packet using trust states are:
  • Configure the interface to trust the DSCP value in the IP packet so that the DSCP value can be used as the internal DSCP value for the packet.
  • Configure the interface to trust the CoS value in the packet and use a CoS to DSCP map to determine the internal DSCP value for the packet.
  • Apply a standard or extended ACL to classify the packet. Use a policy map to determine the internal DSCP value.
If the ACL classification method is applied without specifying an ACL definition, the default DSCP value set for the interface is assigned to the IP packet. For non-IP packets, you can either configure the interface to use CoS to DSCP maps to determine the internal DSCP value or assign a default DSCP value.

Figure 6-3: Classification of IP packets using trust states.


Class Maps
• A mechanism used to specify criteria for matching IP packets to classify network traffic.
• A class map uses a name to identify a specific class. You can create multiple class maps to segregate traffic into different classes.
• The matching criteria in a class map can be defined by:
  • An ACL access group.
  • A list of IPP values.
  • A list of DSCP values.
• A policy map configures the QoS actions for one particular class. The policy map is applied when an IP packet satisfies the criteria specified in the class map.
The command to create a class map is:

class-map [match-all | match-any] <class-name>

The commands to define matching criteria are:

match access-group {<acl-index> | name <acl-name>}
match ip precedence <ipp_value1> [<ipp_value2> [<ipp_valuen>]]
match ip dscp <dscp_value1> [<dscp_value2> [<dscp_valuen>]]

Class Map Creation
A class map is created using the class-map global configuration command. When the match-all option is used, only one match criterion can be specified. All packets which match the specified criterion are matched to the class. When the match-any option is used, multiple match statements can be specified. Packets which match any of the specified match criteria are matched to the class. The match class-map configuration command is used to specify the matching criteria.


Policy Maps
• Contain traffic policies that are applied to classes of network traffic.
• A policy map contains a class map and a list of QoS actions to be applied on the specified class.
• A policy map can contain many classes to specify multiple match criteria for packets. It can include a maximum of 255 class statements.
• An IP packet matches to one class in a policy map. If more than one class is matched, then the packet is classified into the first matched class.
• The steps to configure a policy map are:
  1. Define a policy map using a name in the policy-map global configuration command. At this point, the policy-map configuration mode is initiated.
  2. Specify a class map to associate a class with the policy map. At this point, the class configuration mode is initiated.
  3. Specify the QoS actions to be applied to the class. QoS actions depend on the type of policy map.
• Policy maps are of two types:
  • Input policy maps.
  • Output policy maps.
Policy maps are associated with interfaces through service policies. One input policy map and one output policy map can be applied to an interface. You can create up to 256 policy maps.

Input Policy Maps
• Apply policies and mark packets received at an interface.
• Depending on the configured parameters, an input policy map can drop packets that do not conform to the specified permitted rates.
• Sometimes, when a packet exceeds the limits, its priority level is reduced or marked down.
• An input policy map can include up to 32 classes.
• The matching criteria used in input policy maps are CoS values, IPP values, DSCP values, ACLs, or virtual local area network (VLAN) IDs.
• The QoS actions in an input policy map can include assigning CoS, IPP, DSCP, or QoS group values, or applying individual or aggregate policing.
• A default class is defined by the class-default keyword. This class provides QoS actions for packets that do not match any other classes in the policy map.
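The following Python model, added here as an illustration of the class map and policy map sections above and not Cisco IOS code, implements the rules those sections state: a match-all class map takes exactly one match statement, a match-any class map matches when any of its statements does, a packet lands in the first matching class of a policy map, class-default catches everything else, and an input policy map carries at most 32 classes. The ACL names, class names, marking values and packets are constructed, and the ACLs are modelled as simple predicates.

```python
"""Class-map and input policy-map classification, modelled in Python.

Added example, not Cisco IOS code. The ACL names, class names, DSCP values and
the packets are constructed; the rules modelled are the ones the text states:
match-all takes a single criterion, match-any takes several and matches on
any of them, a packet lands in the first matching class of a policy map, and
class-default catches everything else.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MAX_INPUT_CLASSES = 32   # limit stated for input policy maps


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    dscp: int = 0
    cos: int = 0


# Stand-ins for extended ACLs, keyed by the name a "match access-group name" would use.
ACLS: Dict[str, Callable[[Packet], bool]] = {
    "VOICE-RTP": lambda p: p.proto == "udp" and 16384 <= p.dport <= 32767,
    "WEB": lambda p: p.proto == "tcp" and p.dport in (80, 443),
}

Criterion = Tuple[str, object]   # ("access-group", "WEB") | ("ip dscp", [46]) | ("ip precedence", [5])


class ClassMap:
    def __init__(self, name: str, match_any: bool, criteria: Sequence[Criterion]):
        if not match_any and len(criteria) != 1:
            raise ValueError("class-map match-all accepts exactly one match statement")
        self.name, self.match_any, self.criteria = name, match_any, list(criteria)

    def _test(self, kind: str, value, pkt: Packet) -> bool:
        if kind == "access-group":
            return ACLS[value](pkt)
        if kind == "ip dscp":
            return pkt.dscp in value
        if kind == "ip precedence":
            return (pkt.dscp >> 3) in value
        raise ValueError(f"unsupported match type {kind}")

    def matches(self, pkt: Packet) -> bool:
        results = [self._test(k, v, pkt) for k, v in self.criteria]
        return any(results) if self.match_any else all(results)


class InputPolicyMap:
    """Ordered classes, each with a marking action; first match wins."""

    def __init__(self, name: str, classes: List[Tuple[ClassMap, Dict[str, int]]],
                 default_actions: Optional[Dict[str, int]] = None):
        if len(classes) > MAX_INPUT_CLASSES:
            raise ValueError("an input policy map can include up to 32 classes")
        self.name, self.classes = name, classes
        self.default_actions = default_actions or {}

    def classify(self, pkt: Packet) -> str:
        for cmap, _ in self.classes:
            if cmap.matches(pkt):
                return cmap.name
        return "class-default"

    def apply(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return the matched class and the packet with 'set dscp' / 'set cos' applied."""
        cls = self.classify(pkt)
        actions = next((a for c, a in self.classes if c.name == cls), self.default_actions)
        return cls, replace(pkt, dscp=actions.get("set dscp", pkt.dscp),
                            cos=actions.get("set cos", pkt.cos))


def sample_policy() -> InputPolicyMap:
    voice = ClassMap("VOICE", match_any=False, criteria=[("access-group", "VOICE-RTP")])
    # match-any: web traffic by ACL, or anything already marked AF21 (DSCP 18) upstream
    web = ClassMap("WEB", match_any=True, criteria=[("access-group", "WEB"), ("ip dscp", [18])])
    return InputPolicyMap("INGRESS", [(voice, {"set dscp": 46, "set cos": 5}),
                                      (web, {"set dscp": 18})],
                          default_actions={"set dscp": 0})


if __name__ == "__main__":
    pm = sample_policy()
    for pkt in (Packet("udp", 20000), Packet("tcp", 443), Packet("udp", 53, dscp=40)):
        print(pm.apply(pkt))
```

The class-default action in the sample policy resets the DSCP of unmatched packets to 0. On an untrusted edge port that is the behaviour to aim for: a host cannot promote its own traffic into the voice queue simply by sending it pre-marked, because only packets that match the voice ACL receive DSCP 46.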

Figure 6-4: Representation of input policy map application.

Output Policy Maps
• Apply scheduling and queuing mechanisms on outgoing packets at an interface.
• The matching criteria used in output policy maps are CoS values, IPP values, DSCP values, or a QoS group value.
• Access groups are not supported in output policy maps.
• The QoS actions in an output policy map can include queuing and scheduling actions. These are specified by using the queue-limit, bandwidth, priority, and shape average parameters.
• A default class is used to match packets that do not match any other classes.
• Only those packets that are already matched by an input policy map are matched by the output policy map.

Figure 6-5: Representation of output policy map application.

Table Maps
• Tables that provide one-to-one mapping of IPP, CoS, or DSCP values.
• Are specified along with input policy maps.
• Provide a mapping for a large set of values.
• Used to:
  • Map an IPP value to a CoS or DSCP value, a CoS value to an IPP or DSCP value, or a DSCP value to a CoS or IPP value.
  • Assign or replace an IPP, CoS, or DSCP value in a packet with a new value.
  • Lower a packet's priority by marking down its IPP, CoS, or DSCP value.
  • Mark packets without a matching class with default values.
• The table-map command defines a table map. Map statements define individual map entries within the table map.
• Up to 256 table maps can be configured on a single switch and each table map can have a maximum of 64 map statements.
Table maps can also be configured in a policy map definition using the conform-action or exceed-action options.
The command to create a table map is:

table-map <table-map name>

The command to create a map statement is:

map from <from-value> to <to-value>

Policing
• The process of creating a policer in a policy map.
• A policer is a command within a policy map that defines the bandwidth limits for network traffic and outlines the actions to be taken depending on whether a packet conforms to the limits or not. The bandwidth limit specified by a policer is referred to as the Committed Information Rate (CIR).
• The actions defined in the policer are implemented using a marker.
• The policer uses the length of the IP payload, which is the length of the IP packet header, to perform the required checks.
• In Cisco devices, policers are not specified by default.
• Based on the types of policers used, policing is categorized into three types:
  • Individual Policing.
  • Aggregate Policing.
  • Unconditional Priority Policing.

Figure 6-6: Types of policing.

Individual Policing
• A type of policing in which bandwidth limits are defined for each class of network traffic.
• This type of policing is applied on every port that is configured with a policy map.
• The individual policer checks the incoming packets to determine whether they conform to bandwidth limits at the interface level.
• Individual policing is also called per-interface policing.
• To define an individual policer, you need to specify the police command within the policy map configuration.
• The rate and burst parameters of the police command specify the bandwidth limits.
• The conform-action parameter specifies the QoS action to be performed on a packet that conforms to the limits. The exceed-action parameter specifies the QoS action to be performed on a packet that does not conform to the limits.
By default, the conform action for an individual policer is transmit. When an interface is configured with this type of QoS, all the incoming traffic is classified and policed. But, if VLAN-based QoS is configured at the interface, the policy map configured on that particular VLAN supersedes individual policing.
The command to configure an individual policer is:

police <rate> <burst> [[conform-action {transmit | drop}] [exceed-action {transmit | drop | policed-dscp-transmit}]]

Aggregate Policing
• A type of policing in which bandwidth limits are applied collectively to all matched traffic.
• This type of policer has a name and is shared by many classes in a policy map.
• An aggregate policer can be configured at multiple interfaces.
• To define a named aggregate policer, you need to specify the police aggregate command within the policy map configuration.
• The bandwidth limits and the QoS actions for the aggregate policer must be defined using the qos aggregate-policer global configuration command.
• The rate and burst, conform-action, and exceed-action parameters work the same way as in individual policing.
• The policer-name parameter specifies the name of the aggregate policer.
The command to configure an aggregate policer is:

qos aggregate-policer <policer_name> <rate> <burst> [[conform-action {transmit | drop}] [exceed-action {transmit | drop | policed-dscp-transmit}]]
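The following Python model, added here to illustrate the individual and aggregate policing sections and not Cisco IOS code, implements a token-bucket policer with the rate, burst, conform-action and exceed-action parameters of the police command, including the policed-dscp-transmit markdown. The rate, burst, packet sizes, arrival times and the markdown map are constructed. The difference between the two policing types is expressed by object sharing: giving two classes the same Policer object makes it an aggregate policer with one shared budget, while separate objects behave as individual policers.

```python
"""Token-bucket policer with individual and aggregate use, modelled in Python.

Added example, not Cisco IOS code. The rate (bits per second), burst (bytes),
conform/exceed actions and the policed-DSCP markdown map below are constructed;
the mechanism is the one the text describes: traffic within rate and burst
conforms, the rest exceeds, and an aggregate policer is one shared budget
while individual policers give each class its own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed markdown map used by the policed-dscp-transmit action (a table map):
# EF (46) drops to best effort, AF31 (26) to AF33 (30), AF21 (18) to AF23 (22).
POLICED_DSCP_MAP: Dict[int, int] = {46: 0, 26: 30, 18: 22}


@dataclass
class Policer:
    name: str
    rate_bps: int            # committed information rate
    burst_bytes: int         # bucket depth: how much may be sent at once
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    tokens: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def police(self, size_bytes: int, now: float, dscp: int = 0) -> Tuple[str, int]:
        """Return (action, dscp) for a packet of size_bytes arriving at time now."""
        # Refill: rate is in bits per second, the bucket is counted in bytes.
        elapsed = now - self.last_time
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        self.last_time = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return self.conform_action, dscp
        if self.exceed_action == "policed-dscp-transmit":
            return "transmit", POLICED_DSCP_MAP.get(dscp, dscp)   # mark down, still forward
        return self.exceed_action, dscp


# (class name, size in bytes, arrival time in seconds, DSCP) - constructed traffic
PACKETS: List[Tuple[str, int, float, int]] = [
    ("A", 8000, 0.00, 46),
    ("A", 2000, 0.00, 46),
    ("B", 1000, 0.00, 26),
    ("B", 1000, 0.01, 26),   # 10 ms later: 1 Mbps refills 1250 bytes
]


def run(policers: Dict[str, Policer],
        packets: List[Tuple[str, int, float, int]]) -> List[Tuple[str, int]]:
    """Police each packet with the policer bound to its class."""
    return [policers[cls].police(size, now, dscp) for cls, size, now, dscp in packets]


def aggregate_demo() -> List[Tuple[str, int]]:
    """One named policer shared by classes A and B: B's first packet finds the bucket empty."""
    shared = Policer("AGG-1M", 1_000_000, 8000, exceed_action="policed-dscp-transmit")
    return run({"A": shared, "B": shared}, PACKETS)


def individual_demo() -> List[Tuple[str, int]]:
    """A policer per class: A's burst does not affect B, and A's excess is dropped."""
    return run({"A": Policer("A-1M", 1_000_000, 8000),
                "B": Policer("B-1M", 1_000_000, 8000)}, PACKETS)


if __name__ == "__main__":
    print("aggregate :", aggregate_demo())
    print("individual:", individual_demo())
```

In the aggregate run the excess traffic is forwarded with a lowered DSCP rather than dropped, so a burst from class A is not lost but loses its priority; in the individual run the same burst is dropped while class B is unaffected. Which behaviour is right depends on whether the classes are meant to share a contracted rate.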

Unconditional Priority Policing
• A type of policing in which priorities can be applied to output policy maps.
• Used to apply priority queuing for matching classes.
• Also used to mark packets to be forwarded along routes in which latency is low.
• When priority queuing is applied, packets marked with high priority are scheduled to be forwarded first while low priority packets are forwarded later.
• Unconditional priority policing includes features that enable bandwidth reduction for the priority queue. This mechanism reduces congestion by ensuring that bandwidth is also allocated for low priority packets.
• To apply unconditional priority policing, the priority keyword is used along with the police command in an output policy map configuration.

Example for Unconditional Priority Policing
An example for unconditional priority policing is:

policy-map mypolicy
 class myout-class
  priority
  police 150000
 exit

Marking
• The next step after classification in which packets are labeled to identify their class.
• Packets are marked when they arrive at an interface and their class is identified.
• A value is set in an IP packet header depending on the matched class. The value can be an IPP, CoS, or DSCP value, which identifies the traffic class.
• The newly marked values determine the QoS action on the packet.
• Earlier Internet Protocol version 4 (IPv4) packets were marked with IPP and CoS values.
• Currently, IPv4 and IPv6 use a 6-bit DSCP field to mark packets. In IPv6, the DSCP field is also called the traffic class byte.
• When 802.1Q headers are used in VLAN trunk links, a 3-bit CoS or Priority Code Point (PCP) field shows the marking in an Ethernet frame header.

Figure 6-7: Marking in the IPv4 packet format.

TOPIC B
Describe the Congestion Management and Avoidance Techniques
In this topic, you will describe congestion management, scheduling, and prioritization techniques.

Congestion Management and Scheduling
• The process of managing queues to reduce congestion at networking devices is called congestion management.
• Networking devices such as routers maintain queues at their outgoing interfaces. Packets are stored in queues until an outgoing interface is available for transmission.
• Packets in queues are marked with class information that determines their priority.
• When multiple queues are used, a router uses a scheduler function to determine which packet has to be selected from which queue for transmission.
• Schedulers use prioritization techniques to prioritize queues and manage congestion.

Figure 6-8: Representation of congestion management and scheduling in a Cisco router.


Prioritization
• The method of assigning higher priority to some queues so that packets in higher priority queues are forwarded first.
• Cisco devices such as routers and switches use different types of prioritization techniques while forwarding packets from queues:
  • Round-robin: The scheduler forwards a specific number of packets or bytes from one queue and moves on to the next queue until it cycles back to the first queue.
  • Weighted round-robin: The scheduler cycles through queues but forwards a different number of packets or bytes in each queue based on the priority levels assigned to the queues. Class-Based Weighted Fair Queuing (CBWFQ) is one tool that uses this method.
  • Low-Latency Queuing (LLQ): The scheduler places voice, video, and data packets into separate queues and assigns different priority levels for each queue.
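The three scheduling techniques just listed differ only in the order in which they visit the queues, so the following Python example, added here and not taken from the course or from any Cisco implementation, runs each of them over the same set of output queues and returns the transmission order. The queue contents, the weights and the per-cycle limit on the priority queue are constructed; the limit stands in for the policed priority queue that keeps LLQ from starving the other classes.

```python
"""Round-robin, weighted round-robin and LLQ scheduling over output queues.

Added example, not from the course. Queues hold packet labels only; the
weights, the per-cycle limit on the priority queue and the sample queue
contents are constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Sequence

Queues = Dict[str, Sequence[str]]


def weighted_round_robin(queues: Queues, weights: Dict[str, int]) -> List[str]:
    """Each cycle takes up to weights[q] packets from every queue in turn."""
    pending = {name: deque(pkts) for name, pkts in queues.items()}
    order: List[str] = []
    while any(pending.values()):
        for name, q in pending.items():
            for _ in range(weights.get(name, 1)):
                if q:
                    order.append(q.popleft())
    return order


def round_robin(queues: Queues) -> List[str]:
    """Plain round-robin is WRR with every weight equal to one."""
    return weighted_round_robin(queues, {name: 1 for name in queues})


def low_latency_queuing(queues: Queues, priority_queue: str, weights: Dict[str, int],
                        priority_limit: Optional[int] = None) -> List[str]:
    """Serve the priority queue ahead of everything, then WRR over the others.

    priority_limit caps how many priority packets go out per cycle; this plays
    the role of the policed priority queue, which keeps the other classes from
    starving when the voice queue never empties.
    """
    pending = {name: deque(pkts) for name, pkts in queues.items()}
    pq = pending.pop(priority_queue)
    order: List[str] = []
    while pq or any(pending.values()):
        sent = 0
        while pq and (priority_limit is None or sent < priority_limit):
            order.append(pq.popleft())
            sent += 1
        for name, q in pending.items():
            for _ in range(weights.get(name, 1)):
                if q:
                    order.append(q.popleft())
    return order


# Constructed backlog: three voice, two video and four data packets waiting.
SAMPLE: Queues = {
    "voice": ["v1", "v2", "v3"],
    "video": ["d1", "d2"],
    "data": ["e1", "e2", "e3", "e4"],
}

if __name__ == "__main__":
    print("RR :", round_robin(SAMPLE))
    print("WRR:", weighted_round_robin(SAMPLE, {"voice": 1, "video": 2, "data": 1}))
    print("LLQ:", low_latency_queuing(SAMPLE, "voice", {"video": 2, "data": 1}))
    print("LLQ, policed:", low_latency_queuing(SAMPLE, "voice", {"video": 2, "data": 1}, 2))
```

Comparing the LLQ orders shows why the priority queue is policed: without a limit the third voice packet still goes out before any video or data packet, whereas with a limit of two per cycle the first data packet leaves after only four packets, at the cost of one voice packet waiting a cycle.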

Figure 6-9: Representation of prioritization using LLQ scheduling.

Considerations for Prioritizing Voice
• Interactive voice applications like IP phone calls need low latency, jitter, and packet loss for good quality audio transmissions.
• Voice over IP (VoIP) calls require less bandwidth than data applications.
• Cisco guidelines provide permissible limits on the latency, jitter, and packet loss QoS parameters to ensure good quality audio transmissions.
• Priority queuing with LLQ is the most preferred prioritization mechanism for interactive voice transmissions.
• CBWFQ is the most preferred queuing method for non-interactive voice transmissions.
The table lists the Cisco recommended limits for different QoS parameters while prioritizing voice.

Latency: 150 ms or less for one-way flow
Jitter: 30 ms or less
Packet Loss: 1% or less

Considerations for Prioritizing Video
• Video applications need low latency, jitter, and packet loss for good quality transmissions.
• Also require high bandwidths.
• Need careful configuration of QoS parameters to ensure a good user experience.
• Cisco guidelines provide permissible limits on the bandwidth, latency, jitter, and packet loss QoS parameters to ensure good quality video.
• Priority queuing with LLQ is the most preferred prioritization mechanism for interactive video transmissions like videoconferencing.
• Specifying bandwidth rates for each priority queue helps to avoid packet loss.
The table lists the Cisco recommended limits for different QoS parameters while prioritizing video.

Bandwidth: 384 Kbps to more than 20 Mbps
Latency: 200 to 400 ms or less for one-way flow
Jitter: 30 to 50 ms or less
Packet Loss: 0.1% to 1%

Considerations for Prioritizing Data
• Data applications can tolerate slightly higher latency, jitter, and packet loss than voice and video applications.
• Interactive data applications require high bandwidths to provide fast and reliable services to users.
• Data transmissions typically occur in bursts. For example, a user selecting an option in a web page may trigger a large download of data from the web server.
• In an enterprise, data traffic is classified based on importance to ensure that business-critical applications do not suffer data loss.
• CBWFQ is commonly used as the scheduling tool for prioritizing data applications.
• Call Admission Control (CAC) tools are used to prevent accumulation of data packets when audio and video transmissions are given higher priority.
• When prioritizing traffic of different types, care should be taken to ensure that data packets are not delayed in queues for very long time periods.

Traffic Shaping
• A mechanism to control traffic flow at an outgoing interface.
• A shaper is a tool that queues packets at an outgoing interface. This helps to reduce the speed of traffic flow to a rate that can be handled by the destination.
• Shapers use shaping rates to schedule transmission of packets from the output queues.
• A shaper ensures that the transmission rate of packets does not exceed the specified shaping rate.
• A congestion management tool such as CBWFQ or LLQ scheduling is used to manage congestion at the output queues maintained by a shaper.

Figure 6-10: Representation of traffic shaping in a Cisco router.

Congestion Avoidance

• A mechanism to reduce congestion at queues using Transmission Control Protocol (TCP) windowing techniques.
• When one or more queues are full at an outgoing interface, packets at the end of the queues are discarded. The loss of packets from the end of a queue is called a tail drop.
• To prevent packet loss, congestion avoidance tools maintain maximum and minimum thresholds for the number of packets in a queue.
• The congestion avoidance tool keeps track of the number of packets in a queue (also called queue depth) and applies suitable actions:
  • Number of packets in the queue < Minimum threshold – No action.
  • Number of packets in the queue is between the minimum and maximum threshold – A specific percentage of packets is discarded.

  • Number of packets in the queue > Maximum threshold – All packets are discarded.

Figure 6-11: An example that illustrates actions that take place depending on the queue depth.

Example
Consider a queue with a minimum threshold of 300 packets and a maximum threshold of 700 packets. The queue is considered full when it has 1,000 packets. When the number of packets in the queue exceeds 700, all the packets are dropped. When the number of packets is between 300 and 700, 5% to 20% of the packets are dropped. When the number of packets is below 300, no packets are dropped. A situation in which all the packets are discarded by a congestion avoidance tool is called a full drop; queuing then needs to start again. When a specified percentage of packets are dropped, congestion avoidance tools also use the DSCP values in the packets to determine the priority of packets. Low-priority packets may be discarded to ensure that high-priority packets are transmitted.

CBWFQ, Distributed WFQ, and HQF

• CBWFQ and Distributed WFQ are queuing methods that are used for prioritizing traffic.
• CBWFQ is used to specify the bandwidth rates to be used for traffic classes.
• Classes are specified to match criteria using ACLs, and a queue is maintained for each class.
• For each class of traffic, you can specify the bandwidth rate and set aside a portion of the total allocated bandwidth at a port. Each class also has a maximum limit for its queue.
• CBWFQ setup requires class configuration through class maps, policy associations through policy maps, and policy attachments to interfaces through service policies.
• CBWFQ guarantees a minimum bandwidth level for a specific class of traffic.
• Flow-based Distributed WFQ provides a queuing mechanism in a distributed mode. DWFQ tail drops packets when the length of an individual queue exceeds limits or when the aggregate length of all queues exceeds limits.
• Hierarchical Queuing Framework (HQF) is a feature that is used to implement a flexible QoS architecture. This feature allows QoS management at the physical and logical interface level, and at the class level.
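As an added illustration (not the course's own configuration), the following Cisco IOS commands tie the congestion avoidance example above (thresholds of 300 and 700 packets in a queue that holds 1,000) to the CBWFQ building blocks just listed: class map, policy map, and service policy. The ACL, class names, interface, DSCP value, and bandwidth percentages are assumed; the 20% figure is WRED's maximum drop probability at the upper threshold (1/5), which is how the course's "5% to 20%" range maps onto the mark-probability denominator.

```cisco
! Added example, not from the course. Assumed: ACL CRITICAL-APP matches the
! business-critical application and GigabitEthernet0/1 is the congested outgoing link.
ip access-list extended CRITICAL-APP
 permit tcp any any eq 1433
!
! Step 1: class maps classify traffic (here by ACL and by existing DSCP marking)
class-map match-all CRITICAL-DATA
 match access-group name CRITICAL-APP
class-map match-all BULK-DATA
 match dscp af11
!
! Step 2: the policy map associates each class with a CBWFQ bandwidth guarantee
policy-map WAN-OUT
 class CRITICAL-DATA
! mark the class so that the DSCP-based WRED profile below applies to it
  set dscp af31
! CBWFQ: guaranteed minimum share of the interface bandwidth for this class
  bandwidth percent 30
! the queue is full (tail drop) at 1,000 packets
  queue-limit 1000 packets
! congestion avoidance: WRED drops early instead of waiting for a full queue.
! For AF31: depth below 300 = no drops; 300 to 700 = drop probability ramps up
! to 1/5 (20%); above 700 = every AF31 packet is dropped (full drop)
  random-detect dscp-based
  random-detect dscp af31 300 700 5
 class BULK-DATA
  bandwidth percent 10
  random-detect dscp-based
 class class-default
  fair-queue
!
! Step 3: the service policy attaches the policy map to the outgoing interface
interface GigabitEthernet0/1
 service-policy output WAN-OUT
!
! Verify per-class offered traffic and WRED/tail drop counters after traffic has flowed
show policy-map interface GigabitEthernet0/1
```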

Summary
Key Points
• QoS is the ability of a network to offer improved service to specific types of network traffic.
• The most common QoS parameters are bandwidth, latency, jitter, and packet loss.
• To determine the QoS to be applied to network traffic, frames and packets carry priority information in the form of IPP, CoS, and DSCP values.
• Classification can be applied on a per-hop basis or on a network-wide basis.
• Class maps specify criteria for matching IP packets to classify network traffic.
• Policy maps contain traffic policies that are applied to classes of network traffic.
• Policy maps are of two types: input policy maps and output policy maps.
• The process of creating a policer in a policy map is called policing.
• Marking is the next step after classification, in which packets are labeled to identify their class.
• The method of assigning higher priority to some queues so that packets in high-priority queues are forwarded first is called prioritization.
• Traffic shaping is a mechanism to control traffic flow at an outgoing interface.

is
D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Lesson 6: Describing QoS Concepts |
7 Infrastructure Maintenance

Lesson Time: 1 hour, 30 minutes

Lesson Objectives

In this lesson, you will configure SNMP, troubleshoot network connectivity issues using ICMP Echo-based SLA, troubleshoot problems using local SPAN, and troubleshoot basic layer 3 end-to-end connectivity issues. You will:
• Configure SNMP manager and agent settings.
• Troubleshoot network connectivity issues using ICMP Echo-based SLA operations.
• Monitor and troubleshoot network traffic by using local SPAN.
• Troubleshoot layer 3 connectivity and routing problems.

Lesson Introduction

As a network administrator, you need to constantly monitor the performance of the devices
in your network. An understanding of the tools that help you to diagnose and troubleshoot
problems in your network will help you maintain the network infrastructure efficiently.

TOPIC A
Configure SNMP
In this topic, you will configure SNMP manager and agent settings.

SNMP

• Simple Network Management Protocol (SNMP) is an application layer protocol that provides the capability to collect information from network devices for diagnostic and maintenance purposes.
• SNMP includes management systems called SNMP managers and agent software.
• SNMP managers are hosts called Network Management Systems (NMS) on which the SNMP network management application is installed.
• An SNMP agent is a piece of software installed on a network device that maintains a database called the Management Information Base (MIB) with configuration information, status, and counters on the device.

D
or
e
at
lic
up
D
ot
N

Figure 7-1: SNMP manager and agents in a network.

SNMP Manager

Agents send information about the device to the SNMP manager. Using the networking information obtained, the SNMP manager notifies the network administrator of problems, runs a corrective program or script, stores the information for later review, or queries the agent about a particular network device. The MIB stores information in variables. Some of these variables are common across many network devices while others are unique to a specific network device.


SNMP Get and Set Messages

• SNMP specifies Get and Set messages for communication between the NMS and SNMP agents.
• The Get message is used by the NMS to query an agent for device information.
• The Set message is used by the NMS to modify the variables stored in the MIB of the network device with new values.
• SNMP Get, GetNext, and GetBulk messages are different forms of the Get message that can be used to collect information from a network device. The NMS uses the information to notify the network administrator of any issues in the device.
• Get and Set messages include pairs of request and response messages between the NMS and SNMP agent.
• Network administrators store the information collected by the NMS to perform statistical analysis on different network parameters.

Figure 7-2: SNMP Get messages between NMS and SNMP agent.
SNMP Notifications

• Messages sent by SNMP agents to establish communication with the NMS and notify it of the current state of MIB variables.
• An SNMP agent notifies the NMS when an event that requires attention is encountered. For example, a switch is down or a router interface has failed.
• Two types of notification messages are sent by an SNMP agent. They are:
  • Trap: SNMP notification messages, which are based on a fire-and-forget process. When an SNMP agent issues a Trap message, the message is transmitted to the IP address of the NMS. However, there is no error-recovery mechanism if a Trap message is lost during transmission.
  • Inform: SNMP notification messages, which include an acknowledgement mechanism. When the NMS receives an Inform message, it acknowledges the receipt. The SNMP agent retransmits the Inform message if no acknowledgement is received for a long time. Inform messages are more reliable than Trap messages.

Note: When the NMS receives Trap or Inform messages from an SNMP agent, it notifies the network administrator about the event through monitor displays, emails, or text messages. Threshold levels can also be set on MIB variables so that network devices raise notifications when the specified levels are reached.

Figure 7-3: Inform and acknowledgement messages between NMS and SNMP agent.


MIB
• The database maintained by an SNMP agent in a network device that stores information in variables.
• SNMP agents set the values in MIB variables.
• The values in MIB variables are used by the NMS to monitor and control a device.
• MIB variables are defined as Object IDs in a hierarchical structure specified by Request for Comments (RFC) standards and Cisco proprietary standards.
• The hierarchy of MIB variables forms a tree with each node in the tree identified by a name or a sequence of numbers.
• MIB variable identifiers are long strings of numbers.

ib
tr
is
D
or
e
at
lic
up
D
ot

Figure 7-4: Tree structure for MIBs in Cisco starting with 1.3.6.1.4.1.9.

SNMP Managers

SNMP managers like Cisco Prime show a graphical user interface (GUI) view to monitor network devices. When such a device is used as the NMS, it is not necessary to remember and use long MIB variables. For example, the MIB variable for central processing unit (CPU) utilization is 1.3.6.1.4.1.9.2.1.58.0. A network administrator can select a GUI option to view CPU utilization information without entering the lengthy MIB variable.


SNMP Versions

• There are three versions of SNMP, namely, SNMPv1, SNMPv2, and SNMPv3.
• Two important features supported by SNMP are:
  • Packet Filtering: All SNMP versions support the use of Internet Protocol version 4 (IPv4) and IPv6 access control lists (ACLs) to filter incoming packets. Packet filtering is necessary to distinguish SNMP messages from other messages. ACLs are configured to ensure that SNMP agents respond to Get messages from NMS hosts only.
  • Security: SNMP versions 1 and 2 support a password mechanism called communities. An NMS host and an SNMP agent are configured with the same community string that acts as a password. SNMPv3 provides enhanced security features, which are not available in the other two versions.
• There are two types of communities:
  • Read-Only (RO) Community: Used in Get messages only. Cannot be used in Set messages.
  • Read-Write (RW) Community: Used in both Get and Set messages.
• An SNMP agent processes a Get or Set message from an NMS host only if the community string in the message matches the community string configured at the agent.

Note: The community string is used in all Get and Set messages to secure the communication between the NMS host and SNMP agents.

SNMPv2

• A version of SNMP, which provides enhancements to SNMP version 1.
• The original definition of SNMPv2 does not include communities. However, SNMPv2 was upgraded to include communities. The upgraded version is called SNMPv2c.
• SNMPv2c is currently referred to as SNMPv2. The original definition of SNMPv2 without communities is no longer in use.
• SNMPv2 supports additional data types and enhanced protocol operations.
• SNMPv2 configuration includes specifying the RO and RW community strings and ACL settings for filtering packets.
• Some of the advanced features supported by SNMPv2 include:
  • Bulk-retrieval: Support for huge volumes of data transfer and table retrievals. Minimizes the number of messages sent between NMS and SNMP agent.
  • Error Reporting: Use of error codes to provide detailed error information. SNMPv1 supports one type of error code only. SNMPv2 supports multiple error codes to identify the type of error that occurred.
  • Exception Reporting: Use of different types of exceptions such as no such instance exceptions, no such object exceptions, and end of MIB view exceptions.

SNMPv3

• SNMPv3 includes all the protocol features of SNMPv1 and SNMPv2.
• SNMPv3 replaces the community-based password security feature with other advanced security features.
• The new security features in SNMPv3 include:
  • Message Integrity: Identifies whether an SNMP message has undergone any modification. Message integrity is applied to all SNMPv3 messages.
  • Encryption: Secures SNMP messages with an encryption strategy to prevent unauthorized access. An optional feature that uses encryption keys and algorithms.
  • Authentication: Authenticates messages using usernames and passwords. SNMPv3 applies hashing methods to protect passwords. This is an optional feature.
  • Security Groups and Levels: Segregates users into different groups and assigns different security levels to them. Security levels determine the security features applied to SNMP messages.
The table lists the security levels and the features they support.


Security Level   Supported Security Features
noauth           Message Integrity
auth             Message Integrity and Authentication
priv             Message Integrity, Authentication, and Encryption

SNMP Configuration Task List

• SNMPv2 configuration involves the following steps:
  1. Enable the SNMP agent by entering the following command, which sets the Read-Only community string and the ACL for filtering packets:
     snmp-server community <community string> RO [ipv6 <acl-name>] [acl-name]
  2. If necessary, enable the SNMP agent with a Read-Write community string and ACL by entering the following command:
     snmp-server community <community string> RW [ipv6 <acl-name>] [acl-name]
  3. Configure the ACL referenced by the snmp-server community command.
  4. If necessary, document the device location by entering the following command:
     snmp-server location <text description>
     Also, document the contact person's name by entering the following command:
     snmp-server contact <contact-name>
  5. Configure traps and informs by entering the following command:
     snmp-server host {<hostname> | <ip-address>} [informs] version 2c <notification-community>
• SNMPv3 does not include the snmp-server community command.
• SNMPv3 uses the following commands to specify security features:
  snmp-server group
  snmp-server user

Note: The lab titled "Configuring Network Device Management" deals with SNMP configuration in a network that uses Terminal Access Controller Access Control System Plus (TACACS+) authentication. This lab is covered in lesson 8.
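The task list above carried through as one Cisco IOS configuration, added here as an example rather than taken from the course: the SNMPv2c steps 1 to 5 with the ACL from step 3, followed by the SNMPv3 group and user that replace the community string. The NMS address 192.0.2.10, the ACL and group names, and the angle-bracket placeholders for secrets are assumed; the snmp-server enable traps and show snmp commands are standard IOS commands not listed in the task list.

```cisco
! Added example, not from the course. Assumed: the NMS is 192.0.2.10; strings in
! angle brackets are placeholders to be replaced with real secrets.
!
! Step 3: packet filtering. Only the NMS may reach the agent; the deny entry logs
! any other poller so unexpected SNMP sources show up in syslog.
ip access-list standard SNMP-NMS
 permit host 192.0.2.10
 deny   any log
!
! --- SNMPv2c (steps 1, 2, 4 and 5) ---
! Community strings are sent in clear text and act as passwords. Omit the RW
! line unless the NMS actually needs to Set variables on the device.
snmp-server community <RO-COMMUNITY> RO SNMP-NMS
snmp-server community <RW-COMMUNITY> RW SNMP-NMS
snmp-server location Building 2, rack 14
snmp-server contact netops@example.com
! informs are acknowledged and retransmitted; traps are fire-and-forget
snmp-server host 192.0.2.10 informs version 2c <NOTIFY-COMMUNITY>
snmp-server enable traps snmp linkdown linkup
!
! --- SNMPv3 equivalent: no snmp-server community command at all ---
! priv = message integrity + authentication + encryption (see the security
! level table); the same ACL still limits who may talk to the agent.
snmp-server group NMS-ADMINS v3 priv access SNMP-NMS
snmp-server user nmsuser NMS-ADMINS v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
snmp-server host 192.0.2.10 informs version 3 priv nmsuser
!
! Verification: communities and their ACL, v3 groups/users, notification hosts
show snmp community
show snmp group
show snmp user
show snmp host
```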

TOPIC B
Troubleshoot Network Connectivity Issues Using ICMP Echo-based SLA
In this topic, you will troubleshoot network connectivity issues using ICMP Echo-based SLA operations.

IP SLA

• The IP Service Level Agreement (SLA) is a feature available in Cisco routers that can be used to monitor network performance and troubleshoot issues.
• The term SLA refers to a contract between a service provider and a receiver that describes the details of the service.
• IP SLA enables measurement of a variety of parameters that can be used to verify whether network devices meet the required SLA terms.
• Instead of measuring actual end-user traffic, IP SLA operations generate traffic that is similar to end-user traffic.
• An IP SLA operation that generates test packets to measure network performance is called a probe.
• Probes send test packets with headers that resemble normal network traffic and receive responses from devices. They measure the quality of service (QoS) parameters applied by the network to determine network performance.
• A probe involves two routers:
  • IP SLA source: A router that generates packets for a probe and sends them.
  • IP SLA responder: A router that sends replies on receipt of probe packets.

ICMP Echo Operation

• The Internet Control Message Protocol (ICMP) Echo operation is a type of IP SLA operation that does not require an IP SLA responder.
• ICMP Echo operations use ICMP Echo Request messages. For example, the ping command generates an ICMP Echo Request message.
• Any host that receives an ICMP Echo Request message is capable of sending an ICMP Echo Reply message. A dedicated router is not required to act as a responder.
• An ICMP Echo operation is commonly used to measure end-to-end response time between a host and a Cisco router. The time interval between the transmission of an ICMP Echo Request message and the receipt of an ICMP Echo Reply message shows the response time.
Figure 7-5: ICMP Echo Request and Reply messages between an IP SLA source and a host.

IP SLA ICMP Echo Operation Configuration Steps

1. Enter IP SLA configuration mode using the command: ip sla <operation-number>.
2. Specify an ICMP Echo operation and enter its configuration mode using the command:
   icmp-echo {<destination-ip-address> | <destination-hostname>} [source-ip {<ip-address> | <hostname>} | source-interface <interface-name>].
3. If necessary, specify the number of seconds at which the probe has to repeat by using the command: frequency <seconds>.
4. If necessary, specify optional parameters to monitor network performance by reviewing historical statistics. Some of the optional parameters are data pattern, history buckets-kept, history filter, history hours-of-statistics-kept, history statistics-distribution-interval, and threshold.
5. If necessary, configure a schedule for performing the ICMP Echo operation by entering the ip sla schedule command.
   When a schedule is configured, the schedule specifies the start and end times of the ICMP Echo operation. It can also be configured to limit the number of times the probe is executed.

Note: Before using optional parameters, you need to check the feature information of the network device and determine whether the device supports those parameters.
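The five steps above as one worked Cisco IOS configuration, added as an example and not taken from the course: an ICMP Echo operation that probes a far-end router every 30 seconds, keeps history, is scheduled to run indefinitely, and is then checked with the show commands from the troubleshooting table. The operation number, target 198.51.100.1, source interface, and threshold are assumed; history lives-kept is a standard IOS IP SLA command not named in the steps.

```cisco
! Added example, not from the course. Assumed: operation 10 probes the far-end
! router 198.51.100.1 from GigabitEthernet0/0 every 30 seconds.
! Steps 1 and 2: create the operation and define it as an ICMP Echo probe
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
! Step 3: repeat the probe every 30 seconds
 frequency 30
! Step 4: optional parameters; confirm the platform supports them first.
! threshold marks an RTT above 100 ms as over-threshold in the history,
! verify-data checks each reply payload, and lives-kept must be non-zero
! or no history buckets are stored at all.
 threshold 100
 verify-data
 history lives-kept 1
 history buckets-kept 50
 history filter failures
 history hours-of-statistics-kept 2
!
! Step 5: schedule; start immediately and keep running
ip sla schedule 10 life forever start-time now
!
! Troubleshooting: destination, RTT and reply status; success/failure counters;
! and one line per stored history bucket
show ip sla summary
show ip sla statistics 10
show ip sla history 10
!
! Reset the counters once the path is fixed so that new failures stand out
ip sla restart 10
```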

Troubleshooting Tips

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

Tips for Troubleshooting

• An ICMP Echo operation based on IP SLA collects network data, which can be used to identify and troubleshoot issues in the network.
• The show ip sla summary command displays detailed information about an IP SLA ICMP Echo operation, such as the IP address of the destination to which an ICMP Request message was sent, the Round Trip Time (RTT) of the ICMP Echo operation, and an indication of whether an ICMP Reply message was received.
• The show ip sla statistics command enables the use of IP SLA statistical counters to measure the success or failure of the ICMP Echo operations.

Note: An IP SLA operation stores data such as RTT and return codes in history buckets. When the show ip sla history command is entered, each stored history bucket is displayed in one line of the output.

Troubleshooting Commands Table

The table describes the troubleshooting commands for IP SLA ICMP Echo operations.

Command                          Description
show ip sla summary              Displays a summary of an IP SLA operation.
show ip sla statistics           Displays counters of the number of successes and failures.
show ip sla history [enhanced]   Displays the detailed history of an IP SLA operation.
verify-data                      Enables verification of data when configured along with the ICMP Echo operation configuration.
debug ip sla trace               Trace and debug the errors in the IP SLA operation.
debug ip sla error
ip sla restart                   Resets the historical statistics so that counters are restarted.

tr
is
D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Lesson 7: Infrastructure Maintenance | Topic B
118 | Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

TOPIC C
Troubleshoot Problems Using Local SPAN
In this topic, you will monitor and troubleshoot network traffic by using local SPAN.

Local SPAN

• The local Switched Port Analyzer (SPAN) is a mechanism used in Cisco switches that makes copies of Ethernet frames and sends those copies to another tool, such as a network analyzer, for analysis.
• SPAN copies frames from one or more ports, called the source ports, into another port, called the destination port. A network analyzer tool is attached to the destination port and it receives frames for analysis through that port.
• A local SPAN is a type of SPAN in which the source and destination ports are present in the same switch.
• A local SPAN session is a set of rules defined on a switch that specifies the source ports, the destination port, and the direction of traffic to be monitored. Local SPAN sessions help to monitor frames.

Note: Frame copies are analyzed by tools such as a SwitchProbe device or a Remote Monitoring (RMON) probe. They can also be used by Intrusion Prevention Systems (IPS) and other network analysis tools to troubleshoot problems. SPAN is also called port mirroring or port monitoring.

or
e
at
lic
up

Figure 7-6: An example of a Local SPAN configuration in a Cisco switch.



Source Ports and Local SPAN Sources

• A source port in a local SPAN is also called a monitored port because the traffic flowing through that port is analyzed in a local SPAN session.
• All the ports in a switch except the destination port can be used as source ports in a local SPAN session.
• In a local SPAN session configuration, the direction of traffic to be monitored is also configured. The direction of traffic can be:
  • Ingress: Used when incoming traffic at the source port has to be copied.
  • Egress: Used when traffic going out of a source port has to be copied.
  • Bi-directional: Used when both incoming and outgoing traffic at a source port must be copied.
• Apart from a source port in a switch, a local SPAN can have other types of sources, such as source CPUs, EtherChannels, and source virtual local area networks (VLANs).
The command to enable a SPAN session with one or more source interfaces is:
monitor session <session_number> source interface <type> <number> [- last-in-range] [rx|tx|both]

Command to Enable a SPAN Session

The monitor session source interface command is used to enable a SPAN session on the specified source interfaces. The rx option is used to enable ingress traffic monitoring. The tx option is used to enable egress traffic monitoring. The both option is used to enable bi-directional traffic monitoring. Source ports are not unique to a single local SPAN session. Multiple local SPAN sessions can use the same source ports. When the network uses VLANs, the source ports of a local SPAN session can be present in the same VLAN or in different VLANs.

Source CPUs

• CPUs that are monitored for troubleshooting issues and for analyzing CPU traffic and utilization.
• Route Processor (RP) CPUs and Service Processor (SP) CPUs can be used as source CPUs.
• The monitor session command with the local or local-tx keyword is used to enter local SPAN configuration mode.
• The source command with the cpu keyword is used to specify the source CPUs for the SPAN session.
• The source command also specifies the VLANs and source ports. The rx, tx, and both keywords specify the direction of traffic to be monitored.
The commands to enable a SPAN session with a source CPU are:
monitor session <session_number> type [local | local-tx]
source {{cpu {rp | sp}} | <single_interface> | <interface_list> | <interface_range> | <mixed_interface_list> | <single_vlan> | <vlan_list> | <vlan_range> | <mixed_vlan_list>} [rx | tx | both]

Note: The local keyword indicates a local SPAN in which traffic is monitored in both directions, whereas the local-tx keyword indicates that only the egress traffic is monitored.

EtherChannels

• Network traffic flowing through an EtherChannel can be monitored by configuring the EtherChannel as the source in a local SPAN session.
• When an EtherChannel needs to be monitored, the EtherChannel group is configured to act as the source port.
• A single local SPAN session can analyze the traffic in one or more EtherChannels.
• Some key points that must be considered when using EtherChannels as local SPAN sources are:
  • An EtherChannel which includes a port that serves as a destination port in one local SPAN session cannot be configured as a local SPAN source in another local SPAN session.
  • A local SPAN session with an EtherChannel group as its source monitors the entire EtherChannel group.
  • When an EtherChannel group is monitored, the direction of monitored traffic is applicable to all the physical ports.
  • EtherChannels can be configured as local SPAN sources along with VLAN trunk ports and non-trunk ports.
  • A port that is part of an EtherChannel group can be monitored individually outside of the EtherChannel group.

Source VLANs

• VLANs that act as the source in a SPAN session. When source VLANs are used, the traffic flowing through the VLANs is monitored in SPAN sessions for analysis.
• A SPAN session in which one or more VLANs are monitored is also called a VSPAN session.
• The source in a VSPAN session includes all the source VLAN ports. It can also include EtherChannels.
• Some key points that must be considered when using source VLANs are:
  • A VSPAN can be used to monitor traffic flowing in both directions on all the active ports in a source VLAN.
  • Only Ethernet VLANs can be used as source VLANs.
  • VLAN filtering cannot be applied on source VLANs.
  • A VSPAN copies only the traffic from the monitored VLAN into the destination port.
  • Only ingress and outgoing traffic of layer 2 VLAN ports is monitored in a VSPAN session.
The command to enable a SPAN session with a source VLAN is:
monitor session <session_number> source vlan <vlan-id> [rx|tx|both]

Note: The monitor session source vlan command is used to enable a VSPAN session on the specified VLAN ID. The rx, tx, and both keywords specify the direction of traffic to be monitored on the VLAN.

Destination Port

• The port which receives copies of Ethernet frames for monitoring and analysis.
• Also called the monitoring port.
• A destination port receives copies of frames from all the source ports.
• Some key points related to destination ports are:
  • In a local SPAN session, the destination port and the source ports must be present in the same switch.
  • For a destination port, the switch does not use Media Access Control (MAC) address tables for forwarding frames.
  • Any physical Ethernet port can be used as a destination port. However, a port can act as a destination port in one SPAN session only.
  • A destination port cannot be configured to work as a source port.
  • An EtherChannel group cannot be set as the destination port of a SPAN session.
  • A port that acts as a destination in a VSPAN session cannot be configured as a source port.
The command to specify a destination port for a SPAN session is:
monitor session <session_number> destination interface <type> <number>

Note: The monitor session destination interface command specifies the destination port for a SPAN session.
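A complete local SPAN configuration using the source interface, source vlan, and destination interface commands from this topic, added as an example rather than taken from the course. The port numbers, VLAN 20, and the choice of an analyzer or IPS sensor on the destination ports are assumed; show monitor session all detail and no monitor session are standard IOS forms not listed above.

```cisco
! Added example, not from the course. Assumed: Gi1/0/1-2 carry the server traffic
! to inspect, VLAN 20 is a user VLAN, and an analyzer or IPS sensor is cabled to
! Gi1/0/24 (and a second one to Gi1/0/23).
!
! Session 1: two source ports, both directions, copied to the analyzer port.
! Two full-duplex sources monitored in both directions can deliver more than
! one port's worth of traffic to the destination; if the analyzer reports drops,
! narrow the direction (rx or tx) or the source list (see the issues table).
monitor session 1 source interface GigabitEthernet1/0/1 - 2 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Session 2: a VSPAN session on VLAN 20, ingress only. It needs its own
! destination, because a port can be the destination of one session only,
! and source VLANs and source ports are kept in separate sessions.
monitor session 2 source vlan 20 rx
monitor session 2 destination interface GigabitEthernet1/0/23
!
! Verify sources, destination and direction per session
show monitor session 1
show monitor session all detail
!
! Remove a session when the capture is done. While a port is a SPAN destination
! the switch does not use the MAC address table to forward frames on it, so it
! is not usable as a normal access port until the session is removed.
no monitor session 1
```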

Troubleshoot and Resolve Problems in SPAN

Resolve Problems in SPAN—Table

The table describes the most common issues that arise when using SPAN and lists the possible resolutions.

Issue                                             Resolution
Frames not getting captured correctly at the      Use the show command to check SPAN settings and identify
network analyzer                                  whether frames are copied correctly at the destination port.
Congestion at the destination port because of     Limit the traffic copied to the destination port or apply a
too much traffic from source ports                congestion management mechanism at the destination port.
Too many source ports                             Avoid using an entire VLAN as a source VLAN when only a few
                                                  ports in the VLAN need to be monitored.


Resolve Problems in SPAN—Commands

• The show command is used to identify and detect problems in a SPAN session.
• The output of the show command enables you to verify the SPAN settings, such as source and destination ports, and traffic direction.

Commands Used to Display SPAN Session Information

The table describes the different show commands that can be used to display information about SPAN sessions.

Command                          Description
show monitor session all         Displays the settings of all SPAN sessions one after the other.
show monitor session <number>    Displays the settings of the specified SPAN session.
show monitor detail              Displays detailed information about all the SPAN sessions, including default values and specific configurations.

is
D
or
e
at
lic
up
D
ot
N
o
D

Licensed For Use Only By: LeaderQuest Student lq_inst Aug 27 2018 1:13PM
Lesson 7: Infrastructure Maintenance | Topic C
122 | Cisco® CCNA® 3.0: Interconnecting Cisco Network Devices, Part 2 (ICND2)

TOPIC D
Troubleshoot Basic Layer 3 End-to-End
Connectivity Issues
In this topic, you will troubleshoot layer 3 connectivity and routing problems.

Layer 3 End-to-End Connectivity Issues
Layer 3 End-to-End • Some of the most common connectivity issues include:

ib
Connectivity Issues
Overlapping subnets • Connectivity issues between a host and default router. This could be due to incorrect IPv4
result when features settings at the host that do not match the Domain Name Services (DNS) settings, local area

tr
such as static routes, network (LAN) interface configuration, subnet masks, and subnet ID settings at the default
autosummarization, and router.

is
manual route • Incorrect subnet masks and IP address settings at the default router.
summarization are used.
• Connectivity issues between a Dynamic Host Configuration Protocol (DHCP) relay agent

D
and a DHCP server.
• LAN connectivity issues due to router interface failure.
• Availability of more than one route for routing packets. When there are overlapping subnets

also be due to poor subnet plans. or


in a network, a router may calculate multiple routes for a packet. Overlapping of subnets can

• Use of incorrect addressing and overlapping in Variable-Length Subnet Masks (VLSMs).


• The show ip route command is the most commonly used command to troubleshoot layer 3
e
connectivity issues. This command provides details such as network class, number of subnets,
at

number of subnet masks, subnet ID, prefix length, administrative distance, metric, next-hop
router, and outgoing interface number.
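The route-selection behaviour behind the overlapping-subnet bullet, as an added example that is not part of the course material: it finds every pair of overlapping prefixes in a route list and shows which entry longest-prefix match selects for a given destination. The route list and next-hop addresses are constructed for illustration.

```python
"""Added example: detect overlapping prefixes in a route table and show which
entry a router would select for a destination (longest prefix match).
Constructed, hypothetical addressing; not from the course material."""
import ipaddress
from itertools import combinations

# Constructed route table: (prefix, next hop). 10.1.0.0/16 is a manual summary
# that overlaps the more specific 10.1.10.0/24 and 10.1.10.128/25 entries.
ROUTES = [
    ("10.1.0.0/16", "192.0.2.1"),
    ("10.1.10.0/24", "192.0.2.2"),
    ("10.1.10.128/25", "192.0.2.3"),
    ("172.16.0.0/12", "192.0.2.1"),
    ("192.168.5.0/24", "192.0.2.4"),
]


def find_overlaps(routes):
    """Return sorted (a, b) pairs of prefixes that overlap each other."""
    nets = [ipaddress.ip_network(prefix) for prefix, _ in routes]
    return sorted(
        (str(a), str(b))
        for a, b in combinations(nets, 2)
        if a.overlaps(b)
    )


def best_route(routes, destination):
    """Longest-prefix match: of all routes that cover the destination, the one
    with the longest mask wins. Returns (prefix, next_hop) or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(prefix), next_hop)
        for prefix, next_hop in routes
        if dst in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    net, next_hop = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), next_hop


if __name__ == "__main__":
    for a, b in find_overlaps(ROUTES):
        print("overlap:", a, "and", b)
    for dst in ("10.1.10.200", "10.1.10.5", "10.1.20.1", "10.2.0.1"):
        print(dst, "->", best_route(ROUTES, dst))
```

Every overlap reported is a place where a packet's path depends on which more-specific route is present at the moment, so it is the first thing to check when two neighbours see different paths for the same destination.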

Summary
Key Points
• SNMP is an application layer protocol that provides the capability to collect information from
  network devices for diagnostic and maintenance purposes.
• An SNMP agent is a piece of software installed on a network device that maintains a database
  called the MIB.
• SNMP specifies Get and Set messages for communication between the NMS and SNMP agents.
• There are three versions of SNMP, namely SNMPv1, SNMPv2c, and SNMPv3.
• SNMP versions 1 and 2c support a password mechanism called communities. Community strings
  travel in cleartext and a read-write community gives full control of the device, so they must
  be treated as credentials: restrict them with an access list and never leave them at defaults
  such as public or private.
• The new security features in SNMPv3 include message integrity, encryption, authentication,
  and security groups and levels.
• IP SLA is a feature available in Cisco routers that can be used to monitor network performance
  and troubleshoot issues.
• ICMP Echo Operation is a type of IP SLA operation that does not require an IP SLA responder.
• SPAN is a mechanism used in Cisco switches that makes copies of Ethernet frames and sends
  those copies to another tool, such as a network analyzer, for analysis.
8 Managing Devices Using AAA

Lesson Time: 2 hours

Lesson Objectives

In this lesson, you will manage devices using AAA with the TACACS+ and RADIUS
protocols. You will:

• Manage device AAA with TACACS+ and local databases.
• Manage device AAA with RADIUS.

Lesson Introduction

In a large enterprise network, managing user login information on every switch and router is
tedious. Using an external server that centralizes user authentication and authorization to
services reduces much of the administrative effort required. Setting up an AAA server with
the TACACS+ or RADIUS protocol will help you centralize authentication, authorization,
and accounting services in a network.

TOPIC A
Manage a Device Using AAA with TACACS+
In this topic, you will manage device AAA with TACACS+ and local databases.

Device Management Using AAA

• Authentication, Authorization, and Accounting (AAA) is a framework that provides security
  services to manage user access to network devices.
• AAA provides three major types of services; namely, authentication, authorization, and
  accounting.
• The AAA server maintains security information and provides services to network devices
  through the Terminal Access Controller Access Control System Plus (TACACS+) and Remote
  Authentication Dial-In User Service (RADIUS) protocols. AAA service information is
  maintained either on a local database or on a database stored at the server.

The AAA features are listed in the table.

AAA Feature      Description

Authentication   • Identifies users by validating usernames and passwords.
                 • Supports a challenge and response mechanism, and enables messaging
                   features.
                 • Uses method lists that define the authentication type and the sequence of
                   validation steps.

Authorization    • Checks a set of attributes to authorize the actions that a user is allowed to
                   perform.
                 • Uses a local database or attribute-value pairs to validate user permissions.
                 • Supports authorization per service, per user account or profile, and one-time
                   authorization.

Accounting       • Collects usage information for auditing and reporting purposes.
                 • Reports user activity including consumption of resources in accounting
                   records.
                 • Stores information such as commands executed, session start and end
                   times, and number of bytes consumed.

AAA Services Using a Local Database


• AAA services can be provided locally on a switch without using a server.
• AAA is implemented in local mode by using a local database on the switch. The local database
  stores the user's profile that is used for authentication and authorization.
• In local mode only authentication and authorization services are available. Accounting
  features are not available.
• The steps to configure AAA services in local mode are:
  1. Enable AAA by entering the aaa new-model command.
  2. Configure login authentication to use the local database by entering the aaa
     authentication login default local command.
  3. Configure authorization to enable user access:
     • To authorize privileged EXEC mode access, enter the command aaa authorization
       exec default local.
     • To authorize access to network-related services, enter the command aaa
       authorization network default local.
  4. Specify user login information to be stored in the local database by entering the username
     <name> [privilege <level>] {password <encryption-type> <password> | secret <password>}
     command. This command has to be repeated with information specific to each user.

Configuration Details

When the default keyword is used to configure login authentication, the method list is
applied automatically to all lines and interfaces that do not have a named list applied. In
the command used to specify user information, the name parameter specifies the user ID, the
level parameter specifies the privilege level from 0 to 15, the encryption-type parameter
specifies how the password is stored, and the password parameter specifies the password
associated with the user ID. Privilege level 15 indicates that the user can access privileged
EXEC mode. Privilege level 1 is the default user EXEC level; level 0 permits only a handful of
commands (disable, enable, exit, help, and logout). In local mode, access to privileged EXEC
mode can also be protected by using the enable password <password> command.

Encryption type 0 stores the password in cleartext in the running configuration, and type 7
is a reversible encoding that anyone who can read the configuration can decode, so neither
protects the account once the configuration is displayed, backed up, or captured. Prefer the
username <name> secret <password> and enable secret <password> forms, which store a one-way
hash (type 5, or type 8/9 on current IOS releases) instead of the password itself.
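An added example, not Cisco's or the course's code, that audits the local-mode AAA lines described above. Both configuration fragments are constructed for this example (the type 5 hashes in the hardened one are placeholders, not real digests). The checks are: aaa new-model is present, no cleartext or type 7 passwords remain, and the login method list neither ends in none nor lacks a local fallback. The type 7 decoder uses the widely published IOS translation table.

```python
"""Added example: audit the AAA and password lines of an IOS configuration.
The configuration text is constructed for the example; the type 7 decoder
implements the well known reversible encoding, which is why type 7 is flagged."""
import re

# Translation table used by the IOS "type 7" password encoding.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed "before" fragment with the weak settings.
WEAK_CONFIG = """\
hostname SW1
enable password 7 094F471A1A0A
username admin privilege 15 password 0 Adm1nPass
aaa new-model
aaa authentication login default group tacacs+
line vty 0 4
 login authentication default
"""

# Constructed "after" fragment. The hash values are placeholders, not real digests.
HARDENED_CONFIG = """\
hostname SW1
enable secret 5 $1$placeholder$hash
username admin privilege 15 secret 5 $1$placeholder$hash
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line vty 0 4
 login authentication default
"""


def decode_type7(encoded):
    """Reverse the type 7 encoding: a two-digit seed, then hex bytes XORed
    with successive characters of XLAT starting at the seed."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(data))


def audit_aaa(config):
    """Return a list of findings for the AAA and password lines of a config."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: no AAA method lists are in effect")
    for line in lines:
        m = re.match(r"enable password(?: (\d+))? (\S+)$", line)
        if m:
            if m.group(1) == "7":
                findings.append("enable password is type 7 and decodes to %r; use enable secret"
                                % decode_type7(m.group(2)))
            else:
                findings.append("enable password is stored in cleartext; use enable secret")
        m = re.match(r"username (\S+)(?: privilege \d+)? password(?: (\d+))? (\S+)$", line)
        if m:
            user = m.group(1)
            if m.group(2) == "7":
                findings.append("user %s: type 7 password decodes to %r; use username ... secret"
                                % (user, decode_type7(m.group(3))))
            else:
                findings.append("user %s: cleartext password; use username ... secret" % user)
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            methods = m.group(2).split()
            if methods[-1] == "none":
                findings.append("login list %s ends in none: anyone is accepted when the "
                                "server returns an error" % m.group(1))
            elif "local" not in methods and "enable" not in methods:
                findings.append("login list %s has no local fallback: an unreachable "
                                "server locks out management access" % m.group(1))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_aaa(cfg) or ["no findings"])
```

Run against a saved show running-config, the same checks tell you whether a device leaks its enable password to anyone who can read a backup, and whether losing the TACACS+ server would lock administrators out.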

TACACS+

• TACACS+ is a Cisco proprietary protocol, since documented in RFC 8907, that enables
  centralized authentication of remote user access to network devices through AAA.
• Requires a TACACS+ server. A TACACS+ daemon running on the server supports a database,
  which stores TACACS+ service information.
• Enables use of a single access control server with separate databases to handle AAA services
  independently.
• Uses TCP port 49 and also supports multifactor authentication.

Note: TACACS+ supports a comprehensive authentication mechanism, sophisticated methods to
authorize users, and detailed accounting. It is considered more secure and scalable than
RADIUS: the entire packet body, not just the password, is obfuscated with a keystream derived
from the shared key, and authorization is a separate exchange, which allows per-command
authorization. The obfuscation is MD5 based rather than modern encryption, so TACACS+ traffic
should still be confined to a protected management network. AAA commands are used to enable
TACACS+ on network devices. A daemon is a background process that runs on a device.

TACACS+ Operation

Figure 8-1: TACACS+ authentication.

1. When a user attempts to connect to a device, TACACS+ authenticates the user through an
   interactive dialog between the user and the TACACS+ daemon. The user is prompted to enter
   login information, such as user name and password.
2. Once the TACACS+ daemon finishes authentication, it sends a response to the device. The
   response can be:
   • ACCEPT: User authentication is successful and authorization (if enabled) can start.
   • REJECT: User authentication has failed due to incorrect login information.
   • ERROR: User authentication has failed due to an error, such as a network connection issue
     or a shared-key mismatch. The device uses the next method in its method list, if any, to
     authenticate the user.
   • CONTINUE: User authentication dialog continues and the user is challenged for more
     information, such as a mother's maiden name, home address, or Social Security number.
3. If authentication is successful and authorization settings are enabled on the device, the
   TACACS+ daemon validates the user's permissions and sends an ACCEPT or REJECT response to
   access the requested service.
   • An ACCEPT response carries attributes that authorize access to services.
   • Some of the services that users are authorized to access include Secure Shell (SSH), Telnet,
     rlogin, privileged EXEC services, connection parameters, user timeouts, and access lists.

Note: When a REJECT response is received during authentication, access to the device may be
denied or the user may be prompted to retry authentication. The type of action depends on the
TACACS+ settings you have configured.
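What "uses TCP port 49" and the shared key actually give you, as an added example that is not Cisco's or the course's code: a stand-alone model of a TACACS+ authentication START packet with the body obfuscation from RFC 8907 (an MD5 pseudo-pad keyed by the shared secret, session id, version and sequence number). The key, session id, user name and addresses are made up for the example.

```python
"""Added example: build a TACACS+ authentication START packet, obfuscate the
body as in RFC 8907 section 4.5, and show what a receiver with or without the
shared key recovers. Constructed model, not Cisco code; key and identities are
invented."""
import hashlib
import os
import struct

# Constants from RFC 8907; only the ones this example needs.
TAC_PLUS_MAJOR_VER = 0xC             # major version 12, minor 0 => version byte 0xC0
TAC_PLUS_AUTHEN = 0x01               # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length (12 bytes)


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1});
    the digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1): eight fixed bytes
    followed by the variable-length user, port, rem_addr and (empty) data."""
    fields = [s.encode("ascii") for s in (user, port, rem_addr, "")]
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN] + [len(f) for f in fields])
    return fixed + b"".join(fields)


def build_packet(body, session_id, key, seq_no=1):
    """Header travels in the clear; the body is obfuscated (UNENCRYPTED flag clear)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def recover_body(packet, key):
    """What a receiver holding `key` sees. With the wrong key the XOR yields
    garbage, which is why a key mismatch surfaces as a protocol error."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def start_user(body):
    """Extract the user field from a START body, or None if the body does not
    parse as a START (for example, it was recovered with the wrong key)."""
    if len(body) < 8 or body[0] != TAC_PLUS_AUTHEN_LOGIN:
        return None
    user_len = body[4]
    if 8 + user_len > len(body):
        return None
    try:
        return body[8:8 + user_len].decode("ascii")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    key = b"constructed-shared-key"
    session_id = int.from_bytes(os.urandom(4), "big")
    body = authen_start_body("netadmin", "tty0", "192.0.2.100")
    packet = build_packet(body, session_id, key)
    print("on the wire:", packet.hex())
    print("with key   :", start_user(recover_body(packet, key)))
    print("wrong key  :", start_user(recover_body(packet, b"wrong")))
```

The header (including the session id) is never hidden, and the keystream depends only on values in that header plus the shared key, so the key is the whole secret: anyone who learns it can read every session.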

TACACS+ Login Authentication

• The TACACS+ authentication mechanism uses a method list to define the authentication methods
  and the sequence in which they are tried. Method lists are applied to specific lines (console,
  vty) or interfaces of the device.
• The configuration can also include other authentication methods, such as the local database.
  These serve as backups if TACACS+ returns an error, for example when no server is reachable.
• If a user's login attempt is rejected by TACACS+, access is denied. After a REJECT none of the
  other methods in the list are tried; only an ERROR causes the device to move on to the next
  method.
• TACACS+ authentication can be facilitated through a single AAA server or an AAA server
  group.
• The steps to configure TACACS+ authentication are:
  1. Specify the host running the TACACS+ server by entering the tacacs-server host
     <ip-address> command, and set the shared key with tacacs-server key <shared-key>.
  2. Enable AAA by entering the aaa new-model command.
  3. Define an authentication method list by entering the aaa authentication login
     {default | <list-name>} <method1> [<method2 …>] command, for example aaa
     authentication login default group tacacs+ local.
  4. Apply the method list to the lines by entering the login authentication {default |
     <list-name>} line configuration command.
  5. Verify the configuration by entering the show tacacs command.

TACACS+ Authentication Capabilities

TACACS+ authentication also includes capabilities to send messages and notifications, such as
password expiry, that are displayed on a user's screen. While specifying the TACACS+ server host,
you can also define an AAA server group and associate a specific TACACS+ server with that server
group. While defining a method list, you can also specify a default method list, which is applied
on all the lines and interfaces that do not have a named list applied.

AAA Authorization Using a Local Database

• When a local database is used, AAA authorizes user access by checking the user's profile stored
  in the local database.
• The local keyword is used when authorization is performed using the local database. Placed
  last in a method list, it is the fallback used when the server group returns an error.

AAA Local Mode Authorization Commands

• For TACACS+ with local fallback:
  • Use the aaa authorization network default group tacacs+ local command for authorizing
    access to network-related services.
  • Use the aaa authorization exec default group tacacs+ local command for authorizing
    access to privileged EXEC mode.
• For RADIUS with local fallback:
  • Use the aaa authorization network default group radius local command for authorizing
    access to network-related services.
  • Use the aaa authorization exec default group radius local command for authorizing
    access to privileged EXEC mode.

TACACS+ Authorization for Privileged EXEC Access and Network Services

• TACACS+ uses authorization mechanisms supported by AAA to restrict user access to privileged
  EXEC mode and network services on a device.
• TACACS+ supports sophisticated authorization capabilities that specify the actions a user can
  perform in a session.
• Authorization is used to control the facilities available to a user by specifying limits on
  access to services, session duration, autocommands, and protocol support. It can also be used
  to control access to specific commands that a user can execute, which RADIUS cannot do
  because it does not separate authorization from authentication.

Note: You can also restrict access to privileged EXEC mode or network services by entering the
aaa authorization {exec | network} global configuration command with group tacacs+ as a method.

TACACS+ Authorization Process

1. TACACS+ checks the user's profile information, which is stored in a local database or in the
   TACACS+ server.
2. Depending on the permissions provided in the user's profile, TACACS+ authorizes or denies
   access to the service requested by the user.

TACACS+ Configuration Steps

• Configure authorization settings on the device to validate user access to network-related
  services by entering the aaa authorization network default group tacacs+ command.
• Configure authorization settings on the device to validate privileged EXEC mode access by
  entering the aaa authorization exec default group tacacs+ command.

TACACS+ Accounting

• A feature that tracks services and resources accessed by users.
• A device on which TACACS+ accounting is configured sends user activity information to the
  TACACS+ server.
• TACACS+ uses accounting records to manage information related to user activity.
• Accounting records are stored as attribute-value (AV) pairs on the server.
• The steps to configure TACACS+ accounting are:
  • Enable TACACS+ accounting to track user access of network services by entering the aaa
    accounting network default start-stop group tacacs+ command.
  • Enable TACACS+ accounting to track EXEC sessions by entering the aaa accounting exec
    default start-stop group tacacs+ command.
• When TACACS+ accounting is configured to track EXEC sessions, the device sends two kinds of
  records to the server:
  • A start record when the user's EXEC session begins.
  • A stop record when the user's EXEC session ends.

Commands Related to AAA Login Authentication and Exec Authorization Lab

The commands related to the AAA Login Authentication and Exec Authorization lab are listed in
the table.

Command                                              Description

aaa authentication enable default <method1>          Enables AAA authentication to validate user
[<method2…>]                                         access to privileged EXEC mode.
aaa authentication login {default | <list-name>}     Defines a login authentication method list.
<method1> [<method2 …>]
aaa authentication login default enable              Configures login authentication to use the
                                                     enable password.
aaa authorization exec {default | <list-name>}       Configures EXEC authorization to use methods
<method1> [<method2...>]                             from the list.
aaa new-model                                        Enables the AAA model.
authorization exec {default | <list-name>}           Line configuration command that applies an
                                                     EXEC authorization method list to a line, so
                                                     that AAA decides whether a user is permitted
                                                     to start an EXEC session.
enable password <password>                           Sets the enable password.
login authentication {default | <list-name>}         Line configuration command that applies a
                                                     login authentication method list to a line.
tacacs-server host <ip-address>                      Identifies the TACACS+ server.
tacacs-server key <shared-key>                       Sets the shared key used to obfuscate and
                                                     authenticate traffic between the device and
                                                     the TACACS+ server.
username <name> privilege <privilege-level>          Creates a local user and sets the user's
password <password>                                  privilege level.
username <name> password <password>                  Creates a local user name and password pair.

Lab: AAA Login Authentication and Exec Authorization

• Path to lab: ICND2→Device Hardening
• Lab name: AAA Login Authentication and Exec Authorization
• Duration: 10 minutes (approx.)

Commands Related to Configuring Network Device Management Lab

The commands related to the Configuring Network Device Management lab are listed in the table.

Command                                    Description

tacacs-server host <ip-address>            Configures a TACACS+ server to communicate with the
single-connection                          specified host, keeping a single TCP connection open
                                           for all sessions instead of one connection per
                                           session.
tacacs-server key <key>                    Sets the authentication encryption key used for
                                           TACACS+ communication between the access server and
                                           the TACACS+ daemon.
show snmp community                        Displays Simple Network Management Protocol (SNMP)
                                           community access strings.
show snmp contact                          Displays SNMP system contact information.
show snmp host                             Displays the recipient details for SNMP
                                           notifications.
show snmp location                         Displays the SNMP system location string.
snmp-server contact <text>                 Sets the system contact string.
snmp-server community <string> [ro]        Sets the community access string that permits access
                                           to SNMP; ro grants read-only access.
snmp-server host <ip-address>              Specifies the recipient of an SNMP notification
[<community-string>]                       operation.
snmp-server location <text>                Sets the system location string.

Lab: Configuring Network Device Management

• Path to lab: ICND2→Device Hardening
• Lab name: Configuring Network Device Management
• Duration: 20 minutes (approx.)

TOPIC B
Manage a Device Using AAA with RADIUS
In this topic, you will manage device AAA with RADIUS.

RADIUS

• RADIUS is a protocol that enables a server to provide standardized and centralized
  authentication for remote users through AAA.
• Uses User Datagram Protocol (UDP) as the transport protocol, port 1812 for authentication
  and port 1813 for accounting (older implementations use 1645 and 1646).
• A remote access server in a network can be configured to be a RADIUS server and all of the
  other devices that access the server can be configured as RADIUS clients.
• The RADIUS clients pass all authentication requests to the RADIUS server. Cisco routers and
  switches can be configured as RADIUS clients.
• User configuration, remote access policies, and usage logging are centralized on the RADIUS
  server.

Figure 8-2: RADIUS authentication.

RADIUS: Additional Information

RADIUS is based on a distributed client/server architecture. It can be used to provide centralized
authentication in a network that includes servers from different vendors. It can also be used on
networks in which user access must be restricted to a specific service, resource accounting
services must be provided, or users must be authenticated to access specific resources. RADIUS
does not support two-way authentication and is not suitable for network environments that use
multiple protocols. RADIUS associates users with one particular service model. Therefore, it is
not suitable for networks that need to support multiple services.

Unlike TACACS+, RADIUS combines authentication and authorization in a single exchange, so it
cannot authorize individual commands, and it hides only the User-Password attribute: the rest of
the packet, including usernames and the attributes returned in an Access-Accept, is sent in
cleartext. Integrity of a reply rests on an MD5 authenticator computed over the shared secret, so
use a long random secret, a distinct secret per client where practical, and keep RADIUS traffic
on a protected management network.

RADIUS Operation

1. When a user attempts to log in to a device, RADIUS authentication is performed through an
   interactive dialog. The device prompts the user to enter a username and password and sends the
   login information to the RADIUS server.
2. Once the RADIUS server finishes authentication, it sends a response to the device. The response
   can be:
   • ACCEPT: User authentication is successful and authorization (if enabled) can start.
   • REJECT: User authentication has failed due to incorrect login information.
   • CHALLENGE: User authentication dialog continues and the user is challenged to enter
     more information.
   • CHANGE PASSWORD: The server asks the user to select a new password.
3. If authentication is successful and authorization settings are enabled on the device, the RADIUS
   server validates the user's permissions and sends an ACCEPT or REJECT response to access the
   requested service.
   • An ACCEPT response carries attributes that authorize access to privileged EXEC or network
     services.
   • Some of the services that users are authorized to access include SSH, Telnet, rlogin, privileged
     EXEC services, connection parameters, user timeouts, and access lists.

Note: When a REJECT response is received during authentication, access to the device may be
denied or the user may be prompted to retry authentication. The type of action depends on the
RADIUS settings you have configured.
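An added example, not Cisco's or the course's code, of what the RADIUS shared secret protects in the exchange above: a minimal Access-Request with the User-Password attribute hidden as in RFC 2865 section 5.2, a server that checks it and replies with a Response Authenticator, and the client-side check that rejects a forged or tampered reply. The secret, addresses, user database and packet contents are constructed for the example.

```python
"""Added example: RADIUS Access-Request/Access-Accept exchange showing the
User-Password hiding and the Response Authenticator (RFC 2865). Constructed
model, not Cisco code; secret, addresses and credentials are invented."""
import hashlib
import os
import struct

# RFC 2865 codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Type-Length-Value attribute; length counts the two header bytes."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, request_auth):
    """Pad to a multiple of 16, then c1 = p1 XOR MD5(S || RA) and
    c_i = p_i XOR MD5(S || c_{i-1}). Only this attribute is protected."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hid := hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hid[i:i + 16], keystream))
        prev = hid[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, nas_ip, secret, request_auth=None):
    """Access-Request: code, identifier, length, 16-byte random Request
    Authenticator, then attributes. Username and NAS address stay in the clear."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request, secret, userdb):
    """Decide Accept/Reject and sign the reply with the Response Authenticator
    = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if userdb.get(attrs[USER_NAME]) == supplied else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)          # no reply attributes
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response, request, secret):
    """Client check of a reply: identifier must match the request and the
    Response Authenticator must recompute. Returns the code, or None for a
    forged, replayed or tampered reply (including one signed with another secret)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if expected == response[4:20] else None


if __name__ == "__main__":
    secret, users = b"constructed-secret", {b"netadmin": b"Adm1nPass"}
    req = build_access_request(7, b"netadmin", b"Adm1nPass", "192.0.2.10", secret)
    resp = server_respond(req, secret, users)
    print("verified reply code:", verify_response(resp, req, secret))
    print("username visible on the wire:", b"netadmin" in req)
```

Flipping the code byte of an Access-Reject to Access-Accept fails verification, which is the only thing standing between an on-path attacker and a forged login: the secret, not the transport, carries that guarantee.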

RADIUS Server Host Components

• A host that is used as a RADIUS server is configured with several components in the form of
  command parameters.
• A RADIUS server can use different ports, with each port dedicated to providing one AAA service.
• A client uses a unique identifier, which is a combination of hostname or IP address and a UDP
  port number, to access the required AAA service from the RADIUS server.

The command to configure a RADIUS server is:

radius-server host {<hostname> | <ip-address>} [auth-port <port-number>] [acct-port
<port-number>] [timeout <seconds>] [retransmit <retries>] [key <string>]

The RADIUS server host components are listed in the table.

Component                        Indicates

Hostname or IP Address           The hostname or IP address of the host, which acts as the RADIUS
                                 server.
Authentication Destination Port  The UDP port that handles user authentication requests.
Accounting Destination Port      The UDP port that handles requests for RADIUS accounting.
Timeout Period                   The number of seconds the device must wait for a response from the
                                 RADIUS server. If a response is not received within the timeout
                                 period, the request is sent again.
Retransmission Value             The number of times a client can resend a request to the RADIUS
                                 server.
Key String                       The shared secret that hides the User-Password attribute and
                                 authenticates RADIUS replies between the server and its clients.
                                 It must match on both ends; a mismatch typically shows up as a
                                 timeout, which the method list treats as an error rather than a
                                 reject.

Note: When multiple RADIUS servers are used in a network, the timeout period, retransmission
value, and key string components can be configured globally or individually on each server.
Once a RADIUS server host is configured, all the clients must be configured to communicate with
the server.

RADIUS Login Authentication

• Like TACACS+, the RADIUS authentication mechanism uses a method list to define the
  authentication methods and the sequence in which they are tried.
• The configuration of RADIUS can also include other methods, which are used as backups in
  case RADIUS returns an error.
• If a user's login attempt is rejected, RADIUS denies access to the user the same way as TACACS+
  does: a REJECT stops the method list.
• The steps to configure RADIUS login authentication are:
  1. Configure a RADIUS server using the radius-server host command.
  2. Enable AAA by entering the aaa new-model command.
  3. Define an authentication method list by entering the aaa authentication login
     {default | <list-name>} <method1> [<method2 …>] command, for example aaa
     authentication login default group radius local.
  4. Apply the method list to the lines by entering the login authentication {default |
     <list-name>} line configuration command. The default keyword specifies the default
     method list applied on all lines; the list-name parameter specifies one particular method
     list from the lists configured with the aaa authentication login command.
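The method-list rules stated for TACACS+ above and repeated here for RADIUS (a REJECT ends the list, an ERROR falls through to the next method, an exhausted list denies access), as an added example that is not Cisco's or the course's code. The method names follow the IOS keywords; the per-method outcomes are faked to stand in for a reachable or unreachable server.

```python
"""Added example: model of how an IOS style AAA method list is walked.
Constructed; the outcomes dict stands in for what a real server or the local
database would answer."""

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"


def evaluate_method_list(methods, outcomes):
    """Walk an AAA method list the way IOS does.

    methods:  ordered list such as ["group tacacs+", "local"]
    outcomes: what each method would answer for this login attempt; a method
              missing from the dict is treated as unreachable (ERROR)
    returns:  (decision, methods that were actually consulted)
    """
    consulted = []
    for method in methods:
        consulted.append(method)
        if method == "none":
            return ACCEPT, consulted           # 'none' skips authentication entirely
        result = outcomes.get(method, ERROR)
        if result in (ACCEPT, REJECT):
            return result, consulted           # a definite answer ends the walk
        # ERROR: fall through to the next method
    return REJECT, consulted                   # list exhausted: access is denied


# Constructed scenarios: (method list, faked per-method outcomes).
SCENARIOS = {
    "bad password, server up":
        (["group tacacs+", "local"], {"group tacacs+": REJECT, "local": ACCEPT}),
    "server down, local backup":
        (["group tacacs+", "local"], {"local": ACCEPT}),
    "server down, no backup":
        (["group tacacs+"], {}),
    "server down, none backup":
        (["group tacacs+", "none"], {}),
}

if __name__ == "__main__":
    for name, (methods, outcomes) in SCENARIOS.items():
        print(name, "->", evaluate_method_list(methods, outcomes))
```

The first scenario is why a wrong password cannot be retried against the local database, the third is the lockout that a list without local produces when the server is down, and the last is why none must never be the backup method on a management line.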

AAA Server Groups

• Groups of servers that can be used to provide AAA services in a network.
• A subset of an AAA server group can be dedicated to handle one type of AAA service.
• The IP addresses of the server hosts in a server group are maintained in a global server host list.
• One server host can be defined by using multiple host entries in a server group. Each entry uses
  a unique identifier, which is a combination of IP address or host name, and UDP port number.
• The unique identifier helps to determine the port that offers one particular service.
• The radius-server host command is used to configure the individual server hosts. The
  server command is then entered, in server-group configuration mode, once for each server host
  that should belong to the group.

The command to define an AAA server group is:
aaa group server radius <group-name>

The command to associate a RADIUS server host with an AAA server group is:
server <ip-address>

RADIUS Authorization for User Privileged Access and Network Services

• RADIUS uses the same authorization mechanisms as TACACS+ to restrict user access to
  privileged EXEC mode and network services on a device.
• A user is authorized to access services based on the user profile stored in the local or server
  database.
• The RADIUS authorization process follows the same steps as the TACACS+ authorization process.

Note: You can also restrict access by entering the aaa authorization {exec | network} global
configuration command with group radius as a method.

RADIUS Configuration Steps

• Configure authorization settings on the device to validate user access to network-related
  services by entering the aaa authorization network default group radius command.
• Configure authorization settings on the device to validate privileged EXEC mode access by
  entering the aaa authorization exec default group radius command.

RADIUS Accounting

• Tracks services and resources accessed by users.
• A device on which RADIUS accounting is configured sends user activity information to the
  RADIUS server.
• RADIUS uses accounting records to manage information related to user activity the same way as
  TACACS+.
• The steps to configure RADIUS accounting are:
  • Enable RADIUS accounting to track user access of network services by entering the aaa
    accounting network default start-stop group radius command.
  • Enable RADIUS accounting to track EXEC sessions by entering the aaa accounting exec
    default start-stop group radius command.
• When RADIUS accounting is configured to track EXEC sessions, the device sends a start record
  when the user's EXEC session begins and a stop record when it ends.

RADIUS Server Load Balancing

• A feature supported by RADIUS that enables distribution of AAA services across multiple
  servers.
• It helps to reduce central processing unit (CPU) loads and improve response times.
• This feature is applicable on a network that uses AAA RADIUS server groups. When RADIUS
  server load balancing is configured, the servers in a server group can share the load of providing
  AAA services in the network.
• Load balancing works by assigning batches of AAA transactions to individual servers. Each
  server in a server group uses queues to store the transactions assigned to it.

RADIUS Server Load Balancing Process

1. When a new AAA service request is received for the first time, the request is considered as a new
   transaction and is placed in a new batch.
2. Subsequent transactions are added to the new batch until the batch size limit is reached. Batch
   sizes are specified during configuration.
3. The server queue which has the least number of outstanding transactions is selected.
4. One batch of transactions is placed on the selected server queue.

Summary

Key Points
• AAA is a framework that provides security services to manage user access to network devices.
• The AAA server maintains security information and provides services to network devices
  through the TACACS+ and RADIUS protocols.
• TACACS+ is a Cisco proprietary protocol that enables centralized authentication of remote user
  access to network devices through AAA.
• TACACS+ authentication includes four responses: ACCEPT, REJECT, ERROR, and CONTINUE.
• RADIUS is a protocol that enables a server to provide standardized and centralized
  authentication for remote clients through AAA.
• RADIUS authentication includes four responses: ACCEPT, REJECT, CHALLENGE, and CHANGE
  PASSWORD.
• TACACS+ and RADIUS authentication mechanisms use method lists to define the authentication
  methods and sequence of authentication steps.
• TACACS+ and RADIUS use authorization mechanisms supported by AAA to restrict user access to
  privileged EXEC mode and network services on a device.
9 Network Programmability

Lesson Time: 2 hours

Lesson Objectives

In this lesson, you will describe the basics of network programmability. You will:

• Describe the basic network programmability concepts.

Lesson Introduction

As your enterprise network grows bigger, managing the configuration of each network
device becomes a tedious task. By familiarizing yourself with network programmability
concepts, you can start using software to manage the devices in your network.

TOPIC A
Network Programmability Basics
In this topic, you will describe the basic network programmability concepts.

e
Network Programmability

ut
Network • The use of software to manage network configuration and operation.
Programmability
• Supports dynamic network infrastructure configurations in such a way that device-level static

ib
configurations are not required.
• Uses software to manage deployment, maintenance, and troubleshooting of network devices.
• Software tools include APIs that enable communication with devices to gather data and set

tr
configurations.
• Use of network programmability features simplifies network administration, makes it easier to

is
modify the network infrastructure, and helps to reduce configuration errors.
• Also referred to as Software Defined Networking (SDN).

D
• Some of the most popular SDN solutions offered by Cisco are:
• Cisco Application Policy Infrastructure Controller-Enterprise Module (APIC-EM).
• Open SDN Controller and OpenFlow.
or
• Cisco Application Centric Infrastructure (ACI) and OpFlex.

Types of Planes

• Networking devices such as switches and routers perform many tasks when they receive, process, and forward frames. They also include protocols and settings that define the way they communicate and the actions they perform.
• The operations of network devices are categorized into three planes.
• The three planes are:
• Data Plane.
• Control Plane.
• Management Plane.
• The separation of network device operations into three planes enables network administrators to program and manage the operations either in a distributed or in a centralized manner.


Figure 9-1: The three types of planes.


Data Plane
• A collection of tasks performed by a networking device when it handles data.
• Includes operations performed by the device when it receives, processes, and transmits data.
• Data refers to frames, packets, or messages.
• A networking device performs several actions in the data plane. One of the most important tasks of a router or a switch in the data plane is forwarding data.
• The data plane is also called the forwarding plane.

The table lists some devices and features and identifies the actions they perform in the data plane.

Device/Feature | Performs Data Plane Actions To
Routers and Switches | Add or remove 802.1Q headers for virtual local area network (VLAN) trunks.
Routers and Layer 3 Switches | De-encapsulate and then encapsulate packets into frames.
Layer 3 Switches | Match the IP address of the destination to the routing table.
Layer 2 Switches | Match the Media Access Control (MAC) address of the destination to the MAC address table.
ACL and Security | Filter packets and drop messages that do not meet specified access control list (ACL) criteria or security level.
NAT Processing | Network address translation (NAT) translates the IP address of the source or destination.
VPN Processing | Encrypt data and add IP headers for virtual private network (VPN) processing.
at

Control Plane

• A collection of actions that controls the data plane.
• Provides information that the data plane requires to function, such as IP routes and MAC address entries.
• Includes operations for creating and managing routing tables, MAC address tables, and Address Resolution Protocol (ARP) tables.
• Open Shortest Path First (OSPF) is a routing protocol that manages the routing tables in the control plane on each router. The data plane on each router uses the routing tables to forward packets.
• Protocols and network device functions help to separate the data plane and control plane on each network device. The control plane enables the data plane to work efficiently.

Note: The type of control plane in which control plane actions are distributed among the networking devices is also called a distributed control plane.
Figure 9-2: Control and data planes in a network.

Commonly Used Protocols
The most commonly used protocols in the control plane are Internet Protocol version 4 (IPv4) ARP, IPv6 Neighbor Discovery Protocol (NDP), Spanning Tree Protocol (STP), MAC Address Learning in switches, and routing protocols such as OSPF, Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Enhanced Interior Gateway Routing Protocol (EIGRP).

Management Plane
• A collection of protocols that enables management of network devices.
• Some of the most commonly used protocols in the management plane are Telnet, Secure Shell (SSH), Simple Network Management Protocol (SNMP), and Syslog.
• Management plane protocols are not essential for the working of networking devices.
• Protocols such as SNMP and Syslog in the management plane help to troubleshoot and diagnose problems, perform maintenance tasks, and monitor device performance.

Figure 9-3: Management plane in a network.

Controller
• A centralized application that performs all or some of the actions of a control plane. It usually runs in a server.
• The extent of control plane responsibilities handled by a controller varies.
• When a controller is configured to handle all the control plane actions in a centralized manner, the following steps are performed:
• The controller is set up in such a way that it is reachable by all devices.
• Devices are configured with data planes only. They do not have control planes.
• The routing, MAC address, and ARP tables used by each device are created and updated by the controller. Network devices only use the entries from these tables.

Note: Instead of handling all of the control plane actions in a network, it is also possible to set up the controller to only supervise the control plane actions that are distributed across the networking devices.

Figure 9-4: A representation of the functions of a controller in a network.
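As an added example that is not part of the course material, the following Python script models the centralized control plane described above: a controller computes every device's routing table and installs it with a simulated southbound push, while the devices keep only a data plane that does longest-prefix lookups. The topology, device names, prefixes and the Controller/DataPlaneDevice classes are constructed for illustration and are not any Cisco product's API.

```python
import heapq
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology: (device, device, link cost) and attached prefixes.
LINKS = [("R1", "R2", 1), ("R2", "R3", 1), ("R1", "R3", 5), ("R3", "R4", 1)]
ATTACHED = {"R1": ["10.1.0.0/24"], "R2": ["10.2.0.0/24"],
            "R3": ["10.3.0.0/24"], "R4": ["10.4.0.0/24"]}


class Controller:
    """Centralized control plane: holds the topology and computes the
    routing table of every device (the job OSPF does on each router in a
    distributed control plane)."""

    def __init__(self, links, attached):
        self.adj: Dict[str, List[Tuple[str, int]]] = {}
        for a, b, cost in links:
            self.adj.setdefault(a, []).append((b, cost))
            self.adj.setdefault(b, []).append((a, cost))
        self.attached = attached

    def _first_hops(self, src: str) -> Dict[str, str]:
        """Dijkstra from src; returns destination device -> first-hop device."""
        dist = {src: 0}
        first: Dict[str, str] = {}
        heap = [(0, src, src)]
        while heap:
            d, node, via = heapq.heappop(heap)
            if d > dist[node]:
                continue  # stale heap entry
            for nbr, cost in self.adj.get(node, []):
                nd = d + cost
                if nd < dist.get(nbr, float("inf")):
                    dist[nbr] = nd
                    first[nbr] = nbr if node == src else via
                    heapq.heappush(heap, (nd, nbr, first[nbr]))
        return first

    def routing_table(self, device: str) -> Dict[str, str]:
        """prefix -> next hop, with 'direct' for the device's own prefixes."""
        table = {p: "direct" for p in self.attached[device]}
        for dest, hop in self._first_hops(device).items():
            for prefix in self.attached[dest]:
                table[prefix] = hop
        return table


class DataPlaneDevice:
    """Data plane only: forwards from whatever table it was given and
    never learns routes itself."""

    def __init__(self, name: str):
        self.name = name
        self.table: Dict[str, str] = {}

    def install(self, table: Dict[str, str]) -> None:
        """What arrives over the southbound interface."""
        self.table = dict(table)

    def forward(self, dst_ip: str) -> str:
        """Longest-prefix match on the installed table; 'drop' if no route."""
        ip = ipaddress.ip_address(dst_ip)
        best: Tuple[int, str] = (-1, "drop")
        for prefix, hop in self.table.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best[0]:
                best = (net.prefixlen, hop)
        return best[1]


def build_network() -> Dict[str, DataPlaneDevice]:
    """The controller programs every device's data plane; returns the devices."""
    controller = Controller(LINKS, ATTACHED)
    devices = {name: DataPlaneDevice(name) for name in ATTACHED}
    for name, device in devices.items():
        device.install(controller.routing_table(name))  # southbound push
    return devices


if __name__ == "__main__":
    net = build_network()
    # R2: cost 3 via R2-R3 beats the cost-5 direct link to R3.
    print(net["R1"].forward("10.4.0.7"))
```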
Southbound API

• An Application Programming Interface (API) that enables exchange of data between a controller and another program running on a network device.
• A Southbound Interface (SBI) is an interface that enables communication between a controller and a network device.
• An SBI is configured with the protocols and Southbound API that are required to establish communication between the controller and a network device.
• The controller uses the Southbound API to pass on routing tables, MAC address tables, and other control information to the network devices.
• Southbound API is a set of code that enables the controller to set up the data planes with the required forwarding tables.

Note: The interface is named SBI because in network diagrams, the network devices are placed below the controller. An API is a piece of code that enables exchange of data between two programs.
Figure 9-5: Use of SBIs in a network.

Northbound API


• To perform its functions, a controller stores several pieces of information such as a list of all devices in the network, the network topology, interfaces on each device, device configurations including IP addresses and VLANs, device capabilities, and current state of devices.
• A Northbound Interface (NBI) is an interface that enables a program or an app to obtain the information stored in a controller and process the information.
• A Northbound API enables exchange of data between the controller and the app.
• By using the information obtained from the controller, the app programs the logic the controller uses to maintain forwarding tables in the network.

Note: The interface is named NBI because in network diagrams, the app or program that obtains information from the controller is shown above the controller. The app can run on the same host as the controller or on a different host. Representational State Transfer (REST) is an API that enables communication between the controller and an app that runs on a different host.

Figure 9-6: Northbound APIs in a network.

Enterprise Network Architecture


• In an Enterprise Network Architecture, the data plane involves network devices, such as routers, which route packets or messages using forwarding tables.
• The controller handles all the functions in the control plane.
• The SBIs enable communication between the controller and the network devices, while NBIs enable communication between the controller and applications.

Figure 9-7: An example of an Enterprise Network Architecture.

Summary
• The use of software to manage network configuration and operation is called network programmability.
• Network programmability is also referred to as SDN.
• The operations of network devices are categorized into three planes.
• Data plane is a collection of tasks performed by a networking device when it handles data.
• Control plane is a collection of actions that controls the data plane.
• Management plane is a collection of protocols that enables management of network devices.
• A controller is a centralized application that performs all or some of the actions of a control plane.
• A Southbound API is an API that enables exchange of data between a controller and another program running on a network device.
• A Northbound API is an API that enables exchange of data between the controller and an app so that the app can use the information to program controller logic.

10 WAN Technologies

Lesson Time: 3 hours, 30 minutes

Lesson Objectives

In this lesson, you will describe the features of the various WAN technologies. You will:

• Describe the basic features of WAN topology.
• Describe the basic features of connectivity to WAN access.
• Describe the features of PPP configuration on WAN interfaces using local authentication.
• Describe the features of MLPPP configuration on WAN interfaces using local authentication.
• Describe the methods to configure PPPoE client-side interfaces.
• Describe the methods to configure GRE tunnel connectivity.
• Describe the features of single-homed branch connectivity.

Lesson Introduction

As network administrators, you may need to provide connectivity to locations that are outside of your LAN or in different geographical locations. In such situations, you should be able to deploy the suitable WAN technologies to meet your requirements. In order to make this selection, you need to be aware of the features of the various WAN connectivity options and topologies. This will help you to choose the WAN service best suited to meet the needs of your users and applications.

TOPIC A
WAN Topology Basics
In this topic, you will describe the basic features of WAN topology.

WAN Technologies

• Cisco IOS software supports a range of wide-area networking capabilities that fit the needs of most network environments.
• Some of the wide area network (WAN) technologies supported by Cisco are:
• Virtual Private Network (VPN): A set of security protocols that are implemented on both ends of an insecure network, such as the Internet, to provide secure connectivity to remote sites and partner sites.
• Frame Relay: A standard data link protocol that defines the capabilities to create a frame-switched or packet-switched service, which allows Data Terminal Equipment (DTE) devices like routers to send data to many other devices using a single physical connection to the Frame Relay service.
• Asynchronous Transfer Mode (ATM): A cell-switching and multiplexing technology that provides data link (Layer 2) services with scalable bandwidth usually over Synchronous Optical Networking (SONET)/Synchronous Digital Hierarchy (SDH) physical (Layer 1) links.

Note: You will learn more about these WAN technologies later in this lesson.

Figure 10-1: Types of WAN technologies.



WAN Topologies
• A WAN topology allows you to specify the peers and the networks that are part of the WAN and the types of connections between them.
• After the WAN topology is created, you will get access to the policies that you can apply to your WAN topology.
• The configuration methods of the policies will vary based on the assigned Internet Protocol security (IPsec) technology.
• The Cisco IOS supports the point-to-point, hub-and-spoke, and full mesh WAN topologies.

Figure 10-2: Types of WAN topologies supported by Cisco.

Point-to-Point


• Point-to-point WAN represents the simplest of the WAN topologies, in which a customer will be able to connect two sites with access links.
• This topology will allow the two customer devices to send Ethernet frames to each other.
• For this topology to be functional and the routers to become neighbors and exchange routes, the routers must use physical Ethernet interfaces and need to be configured with IP addresses in the same subnet as each other.

Figure 10-3: A point-to-point WAN topology.



Hub-and-Spoke
• Hub-and-spoke is a WAN topology in which the central site device will be able to send Ethernet frames directly to each remote (leaf) site.
• The remote (leaf) sites will be able to send Ethernet frames only to the central site but not to other remote (leaf) sites.
• The central site will serve as the root of a tree, and each remote site will be one of the leaves.
• The topology is also referred to as partial mesh, hub-and-spoke, and point-to-multipoint. Regardless of the term you use for the topology, it will create a service that works well for designs that have a central site plus many remote sites.


Figure 10-4: A hub-and-spoke WAN topology.

Full Mesh


• Full mesh is a WAN topology that creates a direct communication path for a set of devices.
• This topology will be useful if the enterprise needs to connect several sites to the WAN with a goal of allowing every site to send frames directly to every other site.
• Each device will be able to send Ethernet frames directly to every other device, as if the entire WAN service were one big Ethernet switch.


Figure 10-5: A full mesh WAN topology.



Single-Homed

• In this design, there is only a single link between the Internet service provider (ISP) and your enterprise network.
• There must be only one ISP and this link must be the only connectivity to that ISP.
• Typically, single-homed design is used to connect an enterprise branch office to the Internet.
• This design will allow various kinds of WAN links such as Digital Subscriber Line (DSL), cable, fiber Ethernet or a wireless Long-Term Evolution (LTE) connection.
• In case the link to the ISP fails or the router at either end of the link fails, the Internet will not be accessible.
Figure 10-6: A single-homed design.

Dual-Homed


• In this design, there are two links between the ISP and your enterprise network.
• There must be only one ISP and this link must provide one of the two paths to reach the ISP.
• The presence of two links provides an alternative method for reaching the ISP in case either of the links fails.

Figure 10-7: A dual-homed design.

ATM

• ATM uses one virtual circuit (VC) to carry all traffic to the next hop address.
• Even in case of VC multiplexing, only a single VC will carry all traffic of the same protocol to the next hop address.
• Although there are multiple methods such as Weighted Random Early Detection (WRED) and Weighted Fair Queuing (WFQ) that can be used to classify and prioritize the packets, these methods will all share one single quality of service (QoS) VC.
• When you require a permanent virtual circuit (PVC), you need to configure the PVC in both the router and the ATM switch. The PVCs will remain active until the circuit is removed from either of the configurations.

Frame Relay

• Frame Relay is a high-performance data link (Layer 2) WAN protocol, which uses variable-length packet switching with statistical multiplexing.
• Frame Relay networks will consist of Frame Relay switches that are interconnected by point-to-point Frame Relay links or interfaces.
• Frame Relay, which is fundamentally connection oriented, requires a VC to be set up across the Frame Relay network before any data transfer.
• Frame Relay supports multipoint interfaces, which will allow you to use multipoint subinterfaces to connect three or more routers in the same subnet.
• You need to use the encapsulation frame-relay command to enable the routers to use Frame Relay data-link protocols instead of High-Level Data Link Control (HDLC), which is the default protocol.
• Frame Relay can be applied over partial mesh and full mesh topologies.

Note: Frame Relay was originally designed for use across Integrated Services Digital Network (ISDN) interfaces. However, today, it is widely used over additional network interfaces.

Commands Related to Frame Relay Hub-and-Spoke Lab


The commands related to the Frame Relay Hub-and-Spoke lab are listed in the table.

Command | Description
encapsulation frame-relay | Sets the encapsulation type for the selected interface to frame-relay.
interface serial 0/0.100 point-to-point | Creates a point-to-point subinterface, Serial 0/0.100.
frame-relay interface-dlci <id> | Sets the Frame Relay data link connection identifier (DLCI) to the specified ID.
interface serial 0/0 | Enables the Serial 0/0 interface.
no shutdown | Enables the interface.

Lab: Frame Relay Hub-and-Spoke


• Path to lab: ICND2→Wide Area Networks
• Lab name: Frame Relay Hub-and-Spoke
• Duration: 15 minutes (approx.)

Commands Related to Frame Relay Labs and Frame Relay Full Mesh Lab

The commands related to the Frame Relay labs and the Frame Relay Full Mesh lab are listed in the table.

Command | Description
no frame-relay inverse-arp | Disables inverse Address Resolution Protocol (ARP) on an interface.
frame-relay map ip <destination_address> <id> broadcast | Defines the mapping between a destination protocol address and the DLCI used to connect to the destination address.
frame-relay lmi-type ansi | Selects the Local Management Interface (LMI) type as ANSI for broadcast.
show frame-relay map | Shows the mapping of local DLCIs to remote IP addresses.
show frame-relay pvc | Shows the status of the PVCs connected to the routers.
show frame-relay lmi | Displays LMI statistics, including how many status inquiries and replies have been exchanged.
show ip interface brief | Allows you to verify that the physical interfaces and subinterfaces are active.
show frame-relay traffic | Displays the global Frame Relay statistics since the last reload of the router.

Lab: Frame Relay I
• Path to lab: ICND2→Wide Area Networks
• Lab name: Frame Relay I
• Duration: 15 minutes (approx.)

Lab: Frame Relay II
• Path to lab: ICND2→Wide Area Networks
• Lab name: Frame Relay II
• Duration: 10 minutes (approx.)

Lab: Frame Relay Full Mesh
• Path to lab: ICND2→Wide Area Networks
• Lab name: Frame Relay Full Mesh
• Duration: 20 minutes (approx.)

Commands Related to Multipoint Frame Relay I Lab



The commands related to the Multipoint Frame Relay I lab are listed in the table.

Command | Description
frame-relay map ip <ip_address> <id> broadcast | Configures multipoint Frame Relay.
interface serial 0/0.1 multipoint | Creates a multipoint subinterface Serial 0/0.1.
no ip split-horizon eigrp <id> | Disables Enhanced Interior Gateway Routing Protocol (EIGRP) split horizon on an interface.
router eigrp <id> | Configures the appropriate interfaces on the router to run EIGRP <id>.
no auto-summary | Disables automatic route summary for a routing protocol.

Lab: Multipoint Frame Relay I
• Path to lab: ICND2→Wide Area Networks
• Lab name: Multipoint Frame Relay I
• Duration: 20 minutes (approx.)


TOPIC B
WAN Access Connectivity Basics
In this topic, you will describe the basic features of connectivity to WAN access.

MPLS

• Multiprotocol Label Switching (MPLS) is a WAN service that allows you to combine the performance and capabilities of Layer 2 (data link layer) switching with the proven scalability of Layer 3 (network layer) routing.
• MPLS allows the service providers to use the existing network infrastructure to meet the challenges arising out of explosive growth in network utilization and allows the service providers to differentiate their services.
• The architecture of MPLS is flexible and you can employ it with any combination of Layer 2 technologies such as local area network (LAN) switching and WAN circuits.
• MPLS support exists for all Layer 3 protocols, and provides wider scaling well beyond that typically available in today's networks.

Note: MPLS switching on Cisco switches requires you to enable the Cisco Express Forwarding feature.

Metro Ethernet
• Metro Ethernet uses Ethernet technology to deliver cost-effective and high-speed connectivity for metropolitan area network (MAN) and WAN applications.
• Metro Ethernet provides a wide variety of WAN services with some common system settings that are used to simplify and secure the connection.
• Every Metro Ethernet service connects the customer's device to the service provider's device using Ethernet physical links.
• Metro Ethernet is primarily a Layer 2 service because the Ethernet frames are forwarded from one customer device to another by the WAN provider.

Broadband PPPoE
• Point-to-Point Protocol over Ethernet (PPPoE) is a specification that helps you to define how a host PC will interact with a common broadband medium such as a DSL, wireless modem, or cable modem to access a high-speed data network.
• The PPPoE implementation relies on two widely accepted standards: Ethernet and Point-to-Point Protocol (PPP), to allow users to share a connection over the Ethernet.
• PPPoE profiles will contain configuration information for a group of PPPoE sessions.
• You can define multiple PPPoE profiles for a device, allow different virtual templates, and assign other PPPoE configuration parameters to different PPP interfaces, virtual local area networks (VLANs), and ATM PVCs that will be used to support broadband access aggregation of PPPoE sessions.
• PPPoE profiles can separate the configuration of PPPoE from the configuration of virtual private dial-up networks (VPDNs).

Internet VPN
• Internet VPN is a type of VPN used by an enterprise to connect each business to the Internet by using the Internet as a WAN service.
• An enterprise will be able to connect each business site to the Internet and use VPN to create an Internet VPN.
• Internet VPN will allow the enterprise's packets to be secured and kept private through encryption and other security mechanisms even when the data is sent over the Internet.
• Internet VPN provides important security features that will:
• Prevent anyone (man-in-the-middle) on the Internet from being able to read, copy, or replay the transmitted data and pose as a legitimate user.
• Verify that the VPN packet originated from a legitimate device and not a device used by an attacker.
• Verify that the packet was intact and not changed during transit on the Internet.
• Internet VPN is faster and cheaper compared to other private WAN options. It is available worldwide due to the Internet, and the communications can be secured using VPN technology and protocols.

DMVPN


• The Dynamic Multipoint VPN (DMVPN) feature on Cisco IOS routers provides a simple and scalable way to create large and small IPsec VPNs by combining Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
• Spokes in a DMVPN network can register their public IP addresses with the hub during every boot session.
• Source spokes can query the NHRP database on the hub to obtain the public IP address of destination spokes.
• A multipoint GRE tunnel interface will enable a single GRE tunnel to support multiple IPsec tunnels.
• DMVPN supports two configurations: hub-to-spoke and spoke-to-spoke.

Site-to-Site VPN

• Site-to-site VPN refers to a VPN tunnel created by two enterprise sites for sending encrypted data between two devices.
• IPsec defines one set of rules for creating site-to-site VPN.
• IPsec is the architecture or framework that needs to be used for security services at the IP networks.
• IPsec defines how devices at both the enterprise sites that connect to the Internet can achieve the main goals of VPN: confidentiality, integrity of data, authentication, and anti-replay.
• The following four steps are used to encrypt data in site-to-site VPN:
1. The sending VPN device provides the original packet and the session key for encryption and encryption data calculation.
2. The sending device encapsulates the encrypted data into a packet that includes the new IP and VPN headers.
3. The sending device sends the new packet to the destination VPN device.
4. The receiving VPN device will use the encrypted data and session key to run the decryption formula to decrypt the data.
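The four steps above carried out in Python, as an added example that is not course material and is not IPsec itself: the cipher is a counter-mode keystream built from HMAC-SHA256, the VPN header is a constructed dict standing in for an ESP header, and the session key, SPI and public addresses are made up. It exercises the four goals the topic names (confidentiality, integrity, authentication, anti-replay) by rejecting a replayed, a tampered and a wrong-key packet.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

SESSION_KEY = os.urandom(32)  # constructed; in IPsec, IKE negotiates this
SPI = 0x1001                  # constructed security parameter index
WINDOW = 64                   # anti-replay window size (IPsec default)


def _subkeys(session_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and integrity keys from the session key."""
    enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode with HMAC-SHA256 as the keystream generator (teaching
    construction only). XOR is its own inverse, so one function both
    encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        stream = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


class VpnPeer:
    """One end of the site-to-site tunnel."""

    def __init__(self, public_ip: str, session_key: bytes):
        self.public_ip = public_ip
        self.enc_key, self.mac_key = _subkeys(session_key)
        self.seq_out = 0
        self.seq_seen: set = set()   # sequence numbers already accepted
        self.seq_high = 0

    def send(self, original_packet: bytes, peer_ip: str) -> Dict[str, object]:
        """Steps 1 and 2: encrypt with the session key, then encapsulate
        behind a new outer IP header and a VPN header (SPI, sequence, ICV)."""
        self.seq_out += 1
        nonce = SPI.to_bytes(4, "big") + self.seq_out.to_bytes(8, "big")
        ciphertext = _keystream_xor(self.enc_key, nonce, original_packet)
        icv = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return {"ip": {"src": self.public_ip, "dst": peer_ip},
                "vpn": {"spi": SPI, "seq": self.seq_out},
                "payload": ciphertext, "icv": icv}

    def receive(self, packet: Dict[str, object]) -> bytes:
        """Step 4: verify origin and integrity, reject replays, then decrypt."""
        vpn = packet["vpn"]
        nonce = vpn["spi"].to_bytes(4, "big") + vpn["seq"].to_bytes(8, "big")
        expected = hmac.new(self.mac_key, nonce + packet["payload"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet["icv"]):
            raise ValueError("integrity/authentication check failed")
        seq = vpn["seq"]
        if seq in self.seq_seen or seq + WINDOW <= self.seq_high:
            raise ValueError("replayed or too-old sequence number")
        self.seq_seen.add(seq)
        self.seq_high = max(self.seq_high, seq)
        return _keystream_xor(self.enc_key, nonce, packet["payload"])


def deliver(receiver: VpnPeer, packet: Dict[str, object]) -> Tuple[bool, bytes]:
    """Step 3 on the wire: hand the packet to the far end and report whether
    it was accepted and what it decrypted to."""
    try:
        return True, receiver.receive(packet)
    except ValueError:
        return False, b""


def tamper(packet: Dict[str, object]) -> Dict[str, object]:
    """Flip one ciphertext bit in transit (to exercise the integrity check)."""
    payload = bytearray(packet["payload"])
    payload[0] ^= 0x01
    return dict(packet, payload=bytes(payload))


if __name__ == "__main__":
    hq = VpnPeer("203.0.113.1", SESSION_KEY)       # constructed addresses
    branch = VpnPeer("198.51.100.1", SESSION_KEY)
    wire = hq.send(b"inner packet 10.1.0.5 -> 10.2.0.9", branch.public_ip)
    print(deliver(branch, wire))   # accepted and decrypted
    print(deliver(branch, wire))   # same packet again: rejected as a replay
```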



Client VPN
Cisco VPN client uses the Secure Sockets Layer (SSL) technology to create a client VPN:
• The SSL protocol provides an alternative VPN technology to IPsec.
• SSL is used by web browsers to provide a secure communication method using the port 443.
• SSL encrypts data that is transferred between the browser and the server after authenticating the user.
• After authentication, the Hyper-Text Transfer Protocol (HTTP) messages are allowed to pass through the SSL VPN client.
• The Cisco AnyConnect Secure Mobility client or AnyConnect client is a software that is placed on the user's PC and creates one end of the VPN remote-access tunnel using SSL. This ensures that all the packets that are sent to the other end of the tunnel are encrypted.
IPsec VPN Client or Remote access VPN will allow users to connect to a central site through a secure connection over a Transmission Control Protocol/Internet Protocol (TCP/IP) network such as the Internet.
• The Internet Security Association and Key Management Protocol (ISAKMP), also called IKE, is the negotiation protocol that will allow the IPsec client on the remote PC and the Adaptive Security Appliance (ASA) to agree on how to build an IPsec Security Association.
• Each ISAKMP negotiation will be divided into two sections called Phase 1 and Phase 2.
• Phase 1 will create the first tunnel to protect later ISAKMP negotiation messages.
• Phase 2 will create the tunnel that protects the data that travels across the secure connection.


TOPIC C
Configure PPP on WAN Interfaces Using Local Authentication
In this topic, you will describe the features of PPP configuration on WAN interfaces using local authentication.

PPP


Point-to-Point Protocol (PPP) is a standard protocol that is used to send data over synchronous serial links. PPP:
• Defines a header and trailer to enable delivery of a data frame over the serial link. A protocol type field in the header allows multiple Layer 3 protocol based data to travel using the same link.
• Provides support for both synchronous and asynchronous links.
• Contains two built-in authentication tools: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
• Controls protocols for each higher-layer protocol that is placed above PPP and provides easy integration and support for such protocols.

Note: CHAP and PAP were originally specified in Request for Comment (RFC) 1334, and CHAP is updated in RFC 1994.

Figure 10-8: The built-in PPP authentication tools.



PPP Encapsulation
• PPP encapsulation is a technique that allows you to multiplex different network-layer protocols simultaneously over a single link.
• PPP uses a Link Control Protocol (LCP) for negotiating the link's properties.
• LCP monitors the continuing availability of the link using echo requests and responses.
• PPP provides the following functionalities: Network Control Protocols (NCPs), IP Control Protocol (IPCP), Multiprotocol Label Switching control processor (MPLSCP), Cisco Discovery Protocol control processor (CDPCP), Internet Protocol version 6 control processor (IPv6CP), and Open Systems Interconnection control processor (OSICP).
• Each of these functionalities is used to negotiate the properties of the related protocols that are run on the link.

Note: When you configure an interface with PPP encapsulation, a link will be declared to be in the down state. The full LCP negotiation will be re-initiated after five echo request (ECHOREQ) packets are sent for which there are no corresponding echo response (ECHOREP).


PAP
• PPP with Password Authentication Protocol (PAP) will be used to inform the central site about the remote devices that are connected to the site.
• When PAP is enabled, the remote router attempting to connect to the local device or access server will be required to send an authentication request. PAP uses clear text for authentication.
• Cisco software will send an authentication acknowledgment if the username and password specified in the authentication request are accepted.
• PAP will exchange two packets to complete authentication.

CHAP
• PPP with Challenge Handshake Authentication Protocol (CHAP) will also be used to inform the central site about the remote devices that are connected to the site.
• The local device or access server will send a CHAP packet to the remote device when a remote device attempts to connect to a CHAP-enabled interface.
• The CHAP packet will request or “challenge” the remote device to respond. This challenge packet will consist of an ID, a random number, and the host name of the local device.
• The required response will consist of the following two parts:
  • The first part contains an encrypted version of the ID, a secret password, and a random number.
  • The second part contains either the hostname of the remote device or the name of the user on the remote device.
• CHAP will exchange three packets to complete authentication.
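The two-packet PAP exchange and the three-packet CHAP exchange described above, modelled in Python as an added example that is not part of the course material. RFC 1994 defines the "encrypted version" in the CHAP response as an MD5 hash over the identifier, the shared secret and the random challenge; the example shows that the PAP request carries the password in clear text, that the CHAP response never carries the secret, and that a captured CHAP response cannot be reused against a fresh challenge. The hostnames R1 and R2, the shared secret and the 16-byte challenge length are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example (not from the course material): a PAP Authenticate-Request and a
# CHAP three-way handshake modelled as the packet contents each side puts on the
# PPP link. Hostnames R1/R2 and the secret are constructed sample values.
SECRET = b"s3cret-password"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): Peer-ID and Password in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994, MD5 algorithm): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local device (challenger). It knows each peer's secret and remembers
    which random challenge it issued under which Identifier."""

    def __init__(self, hostname: bytes, peer_secrets: dict):
        self.hostname = hostname
        self.peer_secrets = peer_secrets
        self.outstanding = {}  # Identifier -> challenge value still awaiting a response

    def challenge(self, ident: int) -> dict:
        # Packet 1 of 3: Challenge with an ID, a random value and the local host name.
        value = os.urandom(16)
        self.outstanding[ident] = value
        return {"code": "Challenge", "id": ident, "value": value, "name": self.hostname}

    def verify(self, response: dict) -> bool:
        # Packet 3 of 3 is Success or Failure; this returns which one would be sent.
        challenge = self.outstanding.pop(response["id"], None)
        if challenge is None:
            return False  # no such outstanding challenge (or it was already answered)
        secret = self.peer_secrets.get(response["name"])
        if secret is None:
            return False  # unknown peer name
        expected = chap_response_value(response["id"], secret, challenge)
        return hmac.compare_digest(expected, response["value"])


def chap_respond(challenge: dict, name: bytes, secret: bytes) -> dict:
    """Packet 2 of 3: the remote device answers with the hash and its own name.
    The secret itself is never placed on the link."""
    return {
        "code": "Response",
        "id": challenge["id"],
        "value": chap_response_value(challenge["id"], secret, challenge["value"]),
        "name": name,
    }


def chap_response_bytes(response: dict) -> bytes:
    """What a packet capture of the Response would contain (Identifier, Value, Name)."""
    return bytes([response["id"], len(response["value"])]) + response["value"] + response["name"]


def run_chap(secret_on_r1: bytes, secret_on_r2: bytes, replay_old_response: bool = False) -> bool:
    """R1 challenges R2. Returns True when R1 would send a CHAP Success.
    With replay_old_response, a captured Response is presented against a new
    challenge, which fails because the challenge value is random per exchange."""
    r1 = ChapAuthenticator(b"R1", {b"R2": secret_on_r1})
    first = r1.challenge(ident=1)
    response = chap_respond(first, b"R2", secret_on_r2)
    if not replay_old_response:
        return r1.verify(response)
    r1.verify(response)            # the genuine exchange completes...
    second = r1.challenge(ident=2)
    response["id"] = second["id"]  # ...then the captured value is replayed
    return r1.verify(response)
```

Because the challenge is random and the secret is only ever hashed, a monitoring capture of the serial link yields the PAP password directly but nothing reusable from CHAP; this is the practical reason the labs move from `ppp authentication pap` to `ppp authentication chap`.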
Commands Related to Configuring PPP-PAP-CHAP, PPP with CHAP Authentication, and PPP with CHAP Labs
The commands related to the Configuring PPP-PAP-CHAP, PPP with CHAP Authentication, and PPP with CHAP labs are listed in the table.

Command                                                Description
show ip interface brief                                Displays a brief summary of interface status and configuration.
show controllers serial 0/1                            Displays cable orientation for serial interfaces.
encapsulation ppp                                      Enables PPP on the selected interface.
ppp authentication pap                                 Enables PAP authentication.
ppp pap sent-username <user name> password <password>  Sets the PAP sent user name to the specified user name with the specified password set as the password.
username <username> password <password>                Creates a user with the specified user name and password.
ppp authentication chap                                Enables CHAP authentication.


Lab: Configuring PPP-PAP-CHAP
• Path to lab: ICND2→Wide Area Networks
• Lab name: Configuring PPP-PAP-CHAP
• Duration: 15 minutes (approx.)

Lab: PPP with CHAP Authentication
• Path to lab: ICND2→Wide Area Networks
• Lab name: PPP with CHAP Authentication
• Duration: 5 minutes (approx.)

Lab: PPP and CHAP
• Path to lab: ICND2→Wide Area Networks
• Lab name: PPP and CHAP
• Duration: 5 minutes (approx.)


TOPIC D
Configure MLPPP on WAN Interfaces Using Local Authentication
In this topic, you will describe the features of MLPPP configuration on WAN interfaces using local authentication.

MLPPP
• A Multilink Point-to-Point Protocol (MLPPP) is a protocol that allows you to combine interfaces that are related to an entire T1 or E1 multilink bundle.
• A MLPPP bundle is a single, virtual interface that allows you to connect to the peer system and provides a single point for applying hierarchical queueing, shaping, and policing to traffic flows.
• You can use any combination of E1 and T1 member link interfaces and choose the required number of bundles and the number of T1 or E1 lines in each bundle.
• Provides load balancing functionality over multiple WAN links along with support for the fragmentation and packet sequencing specifications.
• Hierarchical queueing is not performed by the individual links in the bundle, which also do not have any knowledge about the traffic that is passing through the parallel links.
• The single bundle simplifies your task of monitoring traffic to the peer system because you need to monitor only one single interface for the entire traffic.
Guidelines Related to MLPPP Configuration
Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

When configuring MLPPP, you need to consider the following guidelines:
• MLPPP supports only T1 and E1 links in a bundle.
• Ensure that you enable PPP encapsulation before configuring multilink-related commands.
• Only interfaces that belong to the same interface module can be grouped into the MLPPP bundle.
• There can be a maximum of 16 interfaces in a group and the maximum transmission unit (MTU) allowed for MLPPP is 9216.
• The maximum MTU will vary for Optical Carrier-3 (OC-3) and T1/E1 interfaces for serial links that are not part of MLPPP configuration.
The MLPPP Minimum Links Mandatory Feature
• The MLPPP Minimum Links Mandatory feature allows you to configure the minimum number of links that are needed to keep a MLPPP bundle active.
• MLPPP, which is mostly used to increase the bandwidth between points, allows you to establish multiple PPP links to the same destination in parallel.
• Disables all Network Control Protocols (NCPs) for a MLPPP bundle until the required minimum number of links are available in the MLPPP.
• The NCPs will be activated for the MLPPP bundle when you add a new link to the bundle that makes the number of links the same as the required number of minimum links.


• The NCPs will be disabled for the MLPPP bundle when you remove a link from the bundle that
makes the number of the links less than the required number of minimum links.

MPPC
• Microsoft Point-to-Point Compression (MPPC) is a technique that is used to compress PPP packets between Cisco and Microsoft client devices.
• The MPPC algorithm, which is designed to optimize bandwidth utilization to support multiple simultaneous connections, uses a Lempel-Ziv (LZ)-based compression algorithm that has a continuous history buffer called a dictionary.
• A 12-bit coherency count is maintained, which is used to synchronize the history buffers between the compressor and the decompressor.
• When the decompressor detects the coherency count to be out of sequence, the following error recovery process will be performed:
  1. The decompressor will send a Reset Request (RR) packet.
  2. The compressor will then flush the history buffer and set the flushed bit in the next packet sent by it.
  3. When the decompressor receives the packet with the flushed bit set, the decompressor will flush the history buffer.
• The Reset Acknowledge (RA) packet is used for synchronization without CCP, but consumes additional time when compared to the CCP.

For the MPPC, the Compression Control Protocol (CCP) configuration option is 18.

The LZ Compression
LZ, which is a standards-based compression, can minimize the amount of bandwidth that is consumed by a TCP flow. LZ keeps limited compression history and operates on smaller data streams.

IP Address Pooling
• IP address pooling uses a pool of IP addresses that allows an incoming interface to provide an IP address through the IPCP address negotiation process to a remote node.
• The IPCP address negotiation process must be used by a point-to-point interface to provide an IP address to a remote node.
• A variety of sources can be used for providing the IP address. The sources are:
  • Command line.
  • EXEC-level command.
  • Terminal Access Controller Access Control System Plus (TACACS+).
  • The Dynamic Host Configuration Protocol (DHCP).
  • A locally administered address pool.
• IP address pooling enhances configuration flexibility by simultaneously allowing multiple types of active pooling.
MLPPP Interleaving and Queueing
• The MLPPP Interleaving feature will allow multilink encapsulation and fragmentation of large packets into a size that is small enough to overcome any delay in real-time traffic.
• Real-time packets that are already small in size will not be multilink encapsulated and will be sent between the fragments of large packets.
• Interleaving can be applied only to interfaces on which you can configure a multilink bundle interface.
• The interleaving feature also provides a special transmit queue, for sending smaller packets that are delay-sensitive earlier than other flows.
• WFQ on MLPPP will work only at the packet level, and not at the level of the multilink fragments. This will cause a small real-time packet that is queued behind a larger packet to be scheduled for transmission only after the fragments of the larger packets are scheduled for transmission, when there is no special queue reserved for real-time packets.
• All interfaces that support MLPPP, such as MLPPP virtual access interfaces and virtual interface templates, will support weighted fair queueing, which is enabled by default.

When you offload a multilink bundle to a different system using Multichassis MLPPP, both MLPPP and weighted fair queueing will not be supported. This will mean that Multichassis MLPPP networking designs will not support interleaving.


TOPIC E
Configure PPPoE Client-Side Interfaces
In this topic, you will describe the methods to configure PPPoE client-side interfaces.

PPPoE Client-Side Interfaces
• PPP over Ethernet (PPPoE) is an application that is commonly used in the deployment of DSLs.
• The PPPoE Client is a feature that provides client side PPPoE support on routers.
• The PPPoE Client feature expands PPPoE functionality by providing support for PPPoE on the client and the server.
• You need to establish PPP connections between two endpoints over a serial link.
Restrictions for PPPoE Client
• For PPPoE over ATM, there must be one PVC that will support multiple PPPoE clients.
• This will allow multiple PPPoE sessions to be run concurrently on the same PVC. An ATM PVC can be a member of several dialer pools but with unique dialer pool numbers.
• For PPPoE, you need to ensure that each PPPoE client uses a separate dialer interface and a separate dialer pool.
• For the PPPoE-Max-Payload Support on Client feature, you need to:
  • Ensure that the physical interface supports a MTU greater than 1500.
  • Suitably configure the Broadband Remote Access Server.
PPPoE Client Network Topology
• This topology provides PPPoE client support on routers on customer premises.
• Before this topology, Cisco IOS software provided support for PPPoE only on the access server side.
• PPPoE authentication is composed of two main phases:
  • Active Discovery Phase: In this phase, the PPPoE client will locate a PPPoE server, called an access concentrator. During this phase, a Session ID will be assigned and the PPPoE layer will be established.
  • PPP Session Phase: In this phase, PPP options will be negotiated and authentication will be performed. When the link setup is completed, PPPoE will function as a Layer 2 encapsulation method, which will allow data to be transferred over the PPP link within PPPoE headers.

Figure 10-9: A PPPoE client network topology.

PPPoE Client Support on ATM PVCs and Ethernet Interfaces
• The PPPoE client support on ATM PVCs and Ethernet interfaces is provided by the PPPoE Client feature.
• Virtual access must be cloned using a dialer interface.
• The Multiple PPPoE Client feature allows one ATM PVC to support multiple PPPoE clients. This allows a second line connection and provides redundancy.
• While multiple PPPoE clients can be run concurrently on different PVCs, you need to ensure that each PPPoE client uses a separate dialer interface and a separate dialer pool.
• Similarly, while multiple PPPoE client sessions can be configured on an Ethernet interface, you need to ensure that each session uses a separate dialer interface and a separate dialer pool.

The Multiple PPPoE Client feature was introduced in the Cisco IOS release 12.4(15)T. Prior to this Cisco IOS release, one ATM PVC could support only one PPPoE client.
PPPoE Client Session Initiation
• The PPPoE client will initiate a PPPoE session. When the session is timed out or disconnected, the PPPoE client will immediately attempt to reestablish the session.
• The following steps describe the exchange of packets that takes place when a PPPoE client initiates a PPPoE session:
  1. The client will broadcast a PPPoE active discovery initiation (PADI) packet.
  2. When the access concentrator that can serve a PADI packet receives the PADI packet, it will send a PPPoE active discovery offer (PADO) packet to the client as its reply.
  3. The host may receive more than one PADO packet, because the PADI packet was broadcasted. The host will look through the PADO packets it received and will select one of the packets. This selection may be based on the access concentrator name or on the services offered. The host will then send a single PPPoE active discovery request (PADR) packet to the selected access concentrator.
  4. The access concentrator will send a PPPoE active discovery session-confirmation (PADS) packet as its response to the PADR packet. At this time, a virtual access interface will be created, which will then negotiate PPP. The PPPoE session will be initiated on this virtual access interface.

Retransmission of PADI Packet by Client
When a client does not receive a PADO packet for a PADI packet already sent, the client will send out a PADI packet at predetermined intervals. This interval length will be doubled for every successive PADI packet that does not evoke a response, until the configured maximum interval is reached.

New PPPoE Session Establishment by Client
When the PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE session and the virtual access will also be brought down. The client will wait for a predetermined number of seconds before it tries to establish another PPPoE session.
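The four-step PADI/PADO/PADR/PADS exchange and the PADI retransmission backoff above, as an added Python example that is not part of the course material. It builds and parses RFC 2516 discovery frames (Ethertype 0x8863, version/type 0x11, the code values for each packet, and Service-Name and AC-Name tags), lets the client pick one of several PADO offers by access concentrator name, and returns the session ID carried in the PADS. The MAC addresses, AC names, service name and the assigned session ID are constructed sample values; the interval parameters of the backoff function are assumptions, since the manual only says the interval doubles up to a configured maximum.

```python
import struct

# Added example (not from the course material): the PPPoE discovery stage of
# RFC 2516 with constructed Ethernet frames. MAC addresses, AC names and the
# assigned session id are sample values.
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
PPPOE_VER_TYPE = 0x11            # version 1, type 1
CODE = {"PADI": 0x09, "PADO": 0x07, "PADR": 0x19, "PADS": 0x65}
CODE_NAME = {v: k for k, v in CODE.items()}
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
BROADCAST_MAC = b"\xff" * 6


def build_tags(tags):
    """TLV list: TAG_TYPE (2 bytes), TAG_LENGTH (2 bytes), TAG_VALUE."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_tags(payload):
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, length = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        tags.append((t, payload[off:off + length]))
        off += length
    return tags


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (VER/TYPE, CODE, SESSION_ID, LENGTH) + tags."""
    payload = build_tags(tags)
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE[code], session_id, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + payload


def parse_frame(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code not in CODE_NAME:
        raise ValueError("unsupported PPPoE version/type or code")
    return {"dst": frame[0:6], "src": frame[6:12], "code": CODE_NAME[code],
            "session_id": session_id, "tags": parse_tags(frame[20:20 + length])}


def select_offer(offers, preferred_ac_name):
    """Step 3: pick one PADO, here by AC-Name; fall back to the first offer."""
    for offer in offers:
        if (TAG_AC_NAME, preferred_ac_name) in offer["tags"]:
            return offer
    return offers[0]


def discovery_exchange(client_mac, access_concentrators, preferred_ac_name, service=b""):
    """Steps 1-4 as parsed frames. access_concentrators is a list of (mac, ac_name);
    every AC answers the broadcast PADI, the client chooses one and gets a PADS."""
    trace = []
    padi = parse_frame(build_frame(BROADCAST_MAC, client_mac, "PADI", 0,
                                   [(TAG_SERVICE_NAME, service)]))
    trace.append(padi)
    offers = []
    for ac_mac, ac_name in access_concentrators:
        pado = parse_frame(build_frame(client_mac, ac_mac, "PADO", 0,
                                       [(TAG_SERVICE_NAME, service), (TAG_AC_NAME, ac_name)]))
        offers.append(pado)
        trace.append(pado)
    chosen = select_offer(offers, preferred_ac_name)
    padr = parse_frame(build_frame(chosen["src"], client_mac, "PADR", 0,
                                   [(TAG_SERVICE_NAME, service)]))
    trace.append(padr)
    session_id = 0x0001  # sample value; the AC assigns a unique non-zero id in the PADS
    pads = parse_frame(build_frame(client_mac, chosen["src"], "PADS", session_id,
                                   [(TAG_SERVICE_NAME, service)]))
    trace.append(pads)
    return trace, session_id


def padi_retry_intervals(initial_seconds, max_seconds):
    """Retransmission schedule when no PADO arrives: doubled each time up to the maximum."""
    intervals, t = [], initial_seconds
    while True:
        intervals.append(t)
        if t >= max_seconds:
            return intervals
        t = min(t * 2, max_seconds)
```

The trace returned by `discovery_exchange` is the sequence `debug pppoe packets` would show for the discovery stage; everything before the PADS travels with session ID 0, so a host that accepts a PADS from an access concentrator it never sent a PADR to is one of the conditions the troubleshooting commands in this topic help to spot.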

Troubleshoot PPPoE Client Sessions
PPPoE Client Sessions Troubleshooting
• Even in PPPoE sessions, you may have issues that will usually happen with many other networking services.
• The Layer 3 features may not work if any Layer 2 function on which they rely has a problem.
• In the same manner, a Layer 2 problem may be resulting from a problem in the underlying Layer 1.
• You may have problems related to network, data link, and physical layers, in which case you need to start your troubleshooting by moving up from the lower layers of the stack to identify the issues.
• You need to use the diagnostic messages from suitable debug commands to identify the underlying causes for the issues related to PPPoE and then resolve the issues.
• You need to use the debug pppoe {data | errors | events | packets} command to display debugging information for PPPoE sessions in Cisco IOS Release 12.2(13)T and later releases.
PPPoE Troubleshooting Commands
The commands that are used to troubleshoot any issues that occur in the PPPoE client sessions in releases prior to Cisco IOS Release 12.2(13)T are listed in the table.

Command                    Description
enable                     Enables the privileged EXEC mode. If prompted, you need to enter your password.
debug vpdn pppoe-data      Displays the data packets of the PPPoE session.
debug vpdn pppoe-errors    Displays the PPPoE protocol errors that are preventing a session from being established or errors that are causing an established session to be terminated.
debug vpdn pppoe-events    Displays the PPPoE protocol messages related to events that are part of normal session establishment or shutdown.
debug vpdn pppoe-packets   Displays each of the PPPoE protocol packets that were exchanged.

Commands Related to Configuring a PPPoE Client Lab
The commands related to the Configuring a PPPoE Client lab are listed in the table.

Command                                       Description
interface dialer <group number>               Configures a dialer interface using the specified group number.
dialer pool <pool number>                     Configures the specified dialer pool number for the dialer interface.
ip address negotiated                         Configures the dialer interface to negotiate with the PPPoE server to obtain its IP address.
no ip address                                 Allows you to verify that the selected interface is not configured with an IP address.
pppoe-client dial-pool-number <pool number>   Configures the selected interface to connect to the PPPoE server using the specified dialer pool number.
show pppoe session                            Displays the currently active PPPoE sessions.
show interfaces dialer <number>               Allows you to verify the negotiated IP address from the Internet service provider (ISP).
D
Lab: Configuring a PPPoE Client
• Path to lab: ICND2→Wide Area Networks
• Lab name: Configuring a PPPoE Client
• Duration: 5 minutes (approx.)


TOPIC F
Configure GRE Tunnel Connectivity
In this topic, you will describe the methods to configure GRE tunnel connectivity.

Ethernet over GRE Tunnels
• Generic Routing Encapsulation (GRE) is a unicast protocol that will offer the advantages of encapsulating broadcast and multicast traffic or other non-IP protocols and IPsec-based protection.
• Ethernet over GRE Tunnels is a feature that provides mobility services to mobile nodes that allow customers to leverage existing low-end residential gateways by aggregating Wi-Fi traffic from hotspots.
• This feature allows Customer Premises Equipment (CPE) devices to bridge the Ethernet traffic coming from an end host, and encapsulates the traffic in Ethernet packets over an IP GRE tunnel.
• When the IP GRE tunnels are terminated on a service provider broadband network gateway, the end host’s traffic will be terminated and the subscriber sessions will be initiated for the end host.
• High availability will be supported for Ethernet over GRE (EoGRE) IPv4 and IPv6 tunnel configuration.
• Client single sign-on (SSO) is supported for IPv4 and IPv6 EoGRE tunnel clients.
Supported Functionality of Ethernet over GRE Tunnels
The Ethernet over GRE tunnels feature supports the following functionality:
• The existing low-end residential gateways (RGs) can provide mobility services to the mobile nodes using Ethernet over GRE tunnels. The mobility services can also be provided by using Intelligent Service Gateway (ISG), Proxy Mobile IPv6 (PMIPv6), and General Packet Radio Service Tunneling Protocol (GTP).
• Ethernet frames can be transported over IPv6 and IPv4 infrastructures. Customer Premises Equipment (CPE) will be pre-configured with a point-to-point GRE IPv4 or IPv6 tunnel. A well-known IPv4 or IPv6 address of an aggregation device will be the tunnel destination.
• Tunnels can be configured as part of a single VLAN with support being provided only for a single VLAN tag. The CPE will be able to insert a VLAN tag in the Ethernet frame.
• Tunnels can be configured with a statically configured symmetric GRE key. This key can be configured using the tunnel key command.
• Sessions might be created with DHCP for IPv4 (DHCPv4), unclassified Media Access Control (MAC), and ARP Detecting Network Attachments for IPv4 (DNAv4).
Virtual MAC Address
• Virtual MAC address refers to a MAC address that is assigned to a virtual device.
• An Ethernet over GRE tunnel will need to be configured with a virtual MAC address. When a packet enters the tunnel, the tunnel will accept the packet only if the destination MAC address of the packet matches the virtual MAC address of the tunnel or the broadcast MAC address. Otherwise, the tunnel will drop the packet.
• If PMIPv6 or GTP is enabled on the tunnel, the protocols will provide a virtual MAC address that is used as the source MAC address of packets exiting the tunnel.
• If PMIPv6 or GTP is not enabled, the virtual MAC address of the tunnel interface will be used as the source MAC address of the exiting packets.
• The commands related to Virtual MAC address are listed in the table.

When you configure the tunnel interface to handle multicast traffic for specific multicast groups, the tunnel will also accept the corresponding MAC addresses.

Command                    Description
mac-address                Allows you to associate virtual MAC addresses with the tunnel.
show tunnel mac-table      Allows you to view the MAC table entries.
test tunnel mac-address    Allows you to test the addition of MAC addresses to the MAC table of a tunnel interface.
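The symmetric tunnel key and the virtual-MAC acceptance rule described in this topic, as an added Python example that is not part of the course material. It encapsulates an Ethernet frame in a GRE header (RFC 2784 flags and protocol type 0x6558 for transparent Ethernet bridging, with the RFC 2890 Key field when a key is set) and models a tunnel endpoint that accepts an inner frame only when the key matches and the destination MAC is its virtual MAC, the broadcast MAC, or a multicast group MAC it was configured for; frames leaving the tunnel carry the virtual MAC as source, as the manual states for the case without PMIPv6 or GTP. The outer IP header is not modelled, and the MAC addresses, key value and payloads are constructed sample values.

```python
import struct

# Added example (not from the course material): GRE encapsulation of an Ethernet
# frame (RFC 2784 header with the RFC 2890 Key field) and the receive-side checks
# a virtual-MAC tunnel endpoint applies. The outer IP header is not modelled.
# MAC addresses, the tunnel key and payloads are constructed sample values.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
PROTO_TRANSPARENT_ETHERNET_BRIDGING = 0x6558
BROADCAST_MAC = b"\xff" * 6


def gre_encapsulate(inner_frame, key=None):
    """GRE header: flags/version, protocol type, then the Key field when a key is set."""
    flags = GRE_FLAG_KEY if key is not None else 0
    header = struct.pack("!HH", flags, PROTO_TRANSPARENT_ETHERNET_BRIDGING)
    if key is not None:
        header += struct.pack("!I", key)
    return header + inner_frame


def gre_decapsulate(packet):
    """Walk the optional fields in header order: checksum, key, sequence number."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_CHECKSUM:
        off += 4  # checksum + reserved1; not validated in this example
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQUENCE:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return {"proto": proto, "key": key, "seq": seq, "payload": packet[off:]}


def ethernet_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


class EoGreTunnel:
    """One tunnel endpoint: a virtual MAC, an optional symmetric key (tunnel key)
    and optionally the MAC addresses of multicast groups it was configured for."""

    def __init__(self, virtual_mac, key=None, multicast_macs=()):
        self.virtual_mac = virtual_mac
        self.key = key
        self.multicast_macs = set(multicast_macs)

    def receive(self, packet):
        """Returns (accepted, reason). A frame is accepted only when the key matches
        and the destination MAC is the virtual MAC, broadcast, or a configured group."""
        gre = gre_decapsulate(packet)
        if gre["proto"] != PROTO_TRANSPARENT_ETHERNET_BRIDGING:
            return False, "not an Ethernet payload"
        if gre["key"] != self.key:
            return False, "tunnel key mismatch"
        dst = gre["payload"][0:6]
        if dst == self.virtual_mac or dst == BROADCAST_MAC or dst in self.multicast_macs:
            return True, "accepted"
        return False, "destination MAC does not match virtual MAC"

    def transmit(self, dst_mac, ethertype, payload):
        """Without PMIPv6/GTP the tunnel's own virtual MAC is the source MAC of exiting frames."""
        frame = ethernet_frame(dst_mac, self.virtual_mac, ethertype, payload)
        return gre_encapsulate(frame, self.key)
```

The key check is a filter against misdirected or mismatched tunnels, not authentication: GRE carries the key in clear text, which is why the first bullet of this topic pairs GRE with IPsec-based protection when the tunnel crosses an untrusted network.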

Commands Related to GRE Tunnels Lab
The commands related to the GRE Tunnels lab are listed in the table.

Command                                     Description
show ip route                               Displays the IP routing table.
interface tunnel <interface number>         Creates a tunnel interface with the specified interface number.
do show ip interface brief                  Allows you to verify the status of the tunnel interface.
tunnel destination <ip_address>             Configures the tunnel interface with the appropriate destination address.
tunnel source <ip_address>                  Configures the tunnel interface with the appropriate source address.
show interfaces tunnel <interface number>   Displays detailed information about the tunnel interface.
router eigrp <AS number>                    Starts the EIGRP process using the specified AS number.
no auto-summary                             Disables automatic summarization.

Lab: GRE Tunnels
• Path to lab: ICND2→Wide Area Networks
• Lab name: GRE Tunnels
• Duration: 10 minutes (approx.)


TOPIC G
Describe Single-Homed Branch Connectivity
In this topic, you will describe the features of single-homed branch connectivity.

eBGP IPv4
• Border Gateway Protocol (BGP) is an interdomain routing protocol that is designed to provide loop-free routing links between organizations when there is single-homed branch connectivity.
• Single-homed branch connectivity is the term used to describe an enterprise branch in which only a single ISP provides the connectivity to the Internet.
• BGP is designed to run over a reliable transport protocol and uses TCP (port 179) as the transport protocol.
• The BGP path-selection algorithm prefers external BGP (eBGP) paths over internal BGP (iBGP) paths.
• With the external/internal BGP (eiBGP) Multipath for Non-Virtual Routing and Forwarding (Non-VRF) Interfaces (IPv4/IPv6) feature, the algorithm is modified to support multipath load sharing among native IPv4 and IPv6 eBGP and iBGP paths.
• The BGP best path algorithm will select a single multipath as the best path and will advertise the path to BGP peers. Other multipaths will be inserted into both the BGP table and the Routing Information Base (RIB).
• These multipaths will be used by Cisco Express Forwarding to perform load balancing, which may be performed either on a per-packet basis or on a per-source or per-destination basis.

Cisco IOS software provides support for BGP version 4, which is used by ISPs to help build the Internet. The local port is assigned a random port number while the destination TCP port is assigned 179.

External BGP Peering
• External BGP peering sessions are configurations that allow BGP peers from different autonomous systems to exchange routing updates.
• By design, a BGP routing process will expect eBGP peers to be directly connected over a WAN connection. However, there may be many real-world scenarios where this rule would prevent routing from occurring.
• You need to use the ebgp-multihop option of the neighbor command to configure peering sessions for multihop neighbors.
• Loopback interfaces are generally preferred for establishing eBGP peering sessions. This is because they are less susceptible to interface flapping. Flap refers to an interface that is administratively brought up or down, due to failure or maintenance.

Interfaces on networking devices may also fail, and they may need to be taken out of service for maintenance.

BGP Attributes
• By default, BGP selects a single path as the best path to a destination host or network.
• The best-path selection algorithm allows you to analyze path attributes to determine the route that is installed as the best path in the BGP routing table. Each path will carry the various attributes that will be used in BGP best-path analysis.
• BGP uses the best-path selection algorithm to find the potential multipaths that consist of a set of equally good routes.
• The BGP attributes that you can configure are listed in the table.

Cisco IOS software can influence the BGP path selection by allowing you to alter the BGP attributes via the command-line interface (CLI). BGP path selection can also be influenced through standard BGP policy configuration.

Attribute                         Description
AS_Path                           Contains a list or set of the autonomous system numbers through which routing information has been passed.
Community                         Groups networking devices that share common properties, irrespective of network, autonomous system, or any physical boundaries.
Local_Pref                        Indicates the preferred outbound path from the local autonomous system when it has the highest value.
Multi_Exit_Discriminator (MED)    Indicates a preferred path into an autonomous system to an external peer.
Next_Hop                          Identifies the next-hop IP address for use as the BGP next hop to the destination.
Origin                            Indicates the method using which the route was included in a BGP routing table.

Multihoming
• Multihoming refers to the connecting of an autonomous system with more than one service provider.
• In case you have any reliability issues with one service provider, then you will have a backup connection.
• This feature can also address performance issues because you can utilize better paths to the destination network.
• You must plan your routing configuration carefully to avoid Internet traffic traveling through your autonomous system, which might consume all your bandwidth.

Suppress Inactive Route Advertisement Using BGP
• By default, a BGP routing process can advertise routes to BGP peers even when those routes are not installed in the RIB.
• An inactive route is a route that is not installed into the RIB.
• When routes are advertised through common route aggregation, an inactive route advertisement can occur.
• The bgp suppress-inactive command allows you to configure BGP to not advertise inactive routes to any BGP peer.
• When inactive route advertisements are suppressed, it can provide for more consistent data forwarding.
• The BGP address family model supports four address families in Cisco IOS software: IPv4, IPv6, Connection-Less Network Service (CLNS), and VPNv4.
• You can configure this feature only on a per IPv4 address family basis.
• You can also suppress inactive route advertisement to prevent inactive routes from being accepted into the Virtual Routing and Forwarding (VRF) after the route limit has been exceeded. You can specify the maximum number of routes that can be configured in a VRF using the maximum routes global configuration command.
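The best-path selection over the attributes tabled under BGP Attributes, and the effect of suppressing inactive routes described in this section, as an added Python example that is not part of the course material. It ranks candidate paths by highest Local_Pref, shortest AS_Path, lowest Origin, lowest MED and eBGP over iBGP (the order in which Cisco IOS evaluates these steps; the weight and IGP-metric tie-breaks are left out, and MED is compared across all paths here whereas IOS compares it only between paths from the same neighbouring AS unless always-compare-med is configured), discards paths whose Next_Hop is unreachable, and then decides per prefix what would be advertised with and without suppress-inactive. The prefixes, next hops and AS numbers are constructed sample values.

```python
from dataclasses import dataclass

# Added example (not from the course material): a simplified BGP best-path
# selection over the attributes listed in the BGP Attributes table, followed
# by the effect of suppressing inactive routes. Prefixes, next hops and AS
# numbers are constructed sample values.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # Origin preference, lowest wins


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    as_path: tuple                 # AS_Path: AS numbers the routing information passed through
    local_pref: int = 100          # Local_Pref: highest is preferred within the local AS
    med: int = 0                   # Multi_Exit_Discriminator: lowest is preferred
    origin: str = "igp"
    external: bool = True          # learned over eBGP (True) or iBGP (False)
    next_hop_reachable: bool = True
    installed_in_rib: bool = True  # False makes this an inactive route


def path_rank(path):
    """Tuple compared in order of the best-path steps modelled here: highest
    Local_Pref, shortest AS_Path, lowest Origin, lowest MED, eBGP over iBGP.
    Weight and IGP-metric tie-breaks are omitted; real IOS compares MED only
    between paths from the same neighbouring AS unless always-compare-med is set."""
    return (-path.local_pref, len(path.as_path), ORIGIN_RANK[path.origin],
            path.med, 0 if path.external else 1)


def best_path(paths):
    """Paths whose Next_Hop is unreachable are not candidates at all."""
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None
    return min(candidates, key=path_rank)


def routes_to_advertise(bgp_table, suppress_inactive=False):
    """Best path per prefix that would be advertised to peers. With
    suppress_inactive (bgp suppress-inactive), a best path that is not
    installed in the RIB is withheld instead of being advertised."""
    by_prefix = {}
    for path in bgp_table:
        by_prefix.setdefault(path.prefix, []).append(path)
    advertised = {}
    for prefix, paths in by_prefix.items():
        best = best_path(paths)
        if best is None:
            continue
        if suppress_inactive and not best.installed_in_rib:
            continue
        advertised[prefix] = best
    return advertised
```

Note that the eBGP-over-iBGP preference sits low in the order: an iBGP path with a shorter AS_Path or a higher Local_Pref still wins, which is why Local_Pref is the usual lever for steering outbound traffic in a single-homed branch that also has internal peers.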


Summary
Key Points
• Point-to-Point WAN represents the simplest of the WAN topologies, in which a customer will be able to connect two sites with access links.
• Hub-and-spoke is a WAN topology in which the central site device will be able to send Ethernet frames directly to each remote (leaf) site.
• Full Mesh is a WAN topology that creates a direct communication path for a set of devices.
• MPLS allows you to combine the performance and capabilities of Layer 2 (data link layer) switching with the proven scalability of Layer 3 (network layer) routing.
• IPsec defines one set of rules for creating site-to-site VPNs.
• SSL is used by web browsers to provide a secure communication method using port 443.
• PPP provides a LCP for negotiating the link’s properties.
• LCP monitors the continuing availability of the link using echo requests and responses.
• The MLPPP Interleaving feature will allow multilink encapsulation and fragmentation of large packets into a size that is small enough to overcome any delay in real-time traffic.

11 Routing Technologies

Lesson Time: 7 hours, 30 minutes

Lesson Objectives

In this lesson, you will manage the routing protocols. You will:

• Describe the various routing protocols.
• Describe the Inter-VLAN Routing configuration.
• Describe the OSPFv2 Routing for IPv4 configuration.
• Describe the OSPFv3 Routing for IPv6 configuration.
• Describe the configuration of EIGRPv4.
• Describe the configuration of EIGRPv6.
• Describe the methods to troubleshoot routing protocols.

Lesson Introduction

As a network administrator, you need to be aware of how the various types of routing protocols that you can deploy in a Cisco network operate. Only then will you be able to select the routing protocols that are best suited for your network. The correct selection of protocols ensures that data flows through the optimal route to the extent possible at all times. In addition, you will be able to troubleshoot any issues that arise with any of the routing protocols that you have deployed on your network.

TOPIC A
Routing Protocols
In this topic, you will describe the various routing protocols.

Distance Vector Routing Protocol
• A distance vector protocol advertises its routing table to all its directly connected neighbors frequently, at regular intervals.
• In the process, it uses a lot of bandwidth and is slow to converge.
• When a route becomes unavailable, all router tables need to be updated with that new information.
• Each router has to advertise the new information to its neighbors, which makes it take longer for all routers to accurately determine the current view of the network.
• Distance vector protocols use fixed-length subnet masks, which cannot be scaled.
• Routing Information Protocol (RIP) is an example of a distance vector routing protocol.

Link-State Routing Protocol
• A link-state protocol makes its routing decisions based on the state of the links that connect the source and destination devices.
• The state of the link describes the interface and its relationship to the networking devices in its neighborhood.
• The interface information includes details such as the IP address of the interface, the network mask, the type of the connected network, and the routers connected to the network.
• This interface information is multicast using various types of link-state advertisements (LSAs).
• A router stores the collection of received LSA data in a link-state database.
• This database includes LSA data for the links of the router.
• The contents of the database, when subjected to the Dijkstra algorithm, yield the data used to create an Open Shortest Path First (OSPF) routing table.
• OSPF and Intermediate System-to-Intermediate System (IS-IS) are examples of link-state routing protocols.

Difference Between Database and Routing Table

The difference between the database and the routing table is that while the database contains a complete collection of raw data, the routing table contains a list of shortest paths to known destinations over specific router interface ports.

Dijkstra Algorithm

This algorithm allows you to select the best path to each destination. The path is selected based on the sum of the link costs of every link in the path.
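To make the cost-sum rule concrete, here is an added example (not from this manual and not Cisco IOS code) that runs Dijkstra's algorithm over a constructed link-state database and produces the routing-table view the text contrasts with the database: for each destination, only the total cost, the next hop, and the outgoing interface of the shortest path. Router names, interface names, and link costs are made up for the example. The second function withdraws a link and re-runs SPF, which is the recomputation that happens when a route becomes unavailable.

```python
"""Dijkstra SPF over a link-state database.

Added example, not from the manual or from Cisco IOS. Router names,
interface names and link costs below are constructed for illustration.
"""
import heapq
from typing import Dict, List, Tuple

# Constructed LSDB: router -> [(neighbor, cost of this router's link, outgoing interface)].
# Costs are deliberately asymmetric (R2 -> R3 is 5, R3 -> R2 is 20): SPF uses the
# cost advertised by the router that owns the outgoing link, as OSPF does.
LSDB: Dict[str, List[Tuple[str, int, str]]] = {
    "R1": [("R2", 10, "Gi0/0"), ("R3", 12, "Gi0/1")],
    "R2": [("R1", 10, "Gi0/0"), ("R3", 5, "Gi0/1"), ("R4", 40, "Gi0/2")],
    "R3": [("R1", 12, "Gi0/0"), ("R2", 20, "Gi0/1"), ("R4", 10, "Gi0/2")],
    "R4": [("R2", 40, "Gi0/0"), ("R3", 10, "Gi0/1")],
}


def spf(lsdb: Dict[str, List[Tuple[str, int, str]]], root: str) -> Dict[str, Tuple[int, str, str]]:
    """Run Dijkstra from `root` and return the routing-table view:
    destination -> (total cost, next hop, outgoing interface).

    The database is the complete raw picture; this function extracts from it
    only the shortest path to each destination, which is what the routing
    table holds.
    """
    cost_to = {root: 0}
    first_hop: Dict[str, Tuple[str, str]] = {}   # destination -> (next hop, interface)
    heap = [(0, root)]
    finished = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in finished:          # stale heap entry for an already settled node
            continue
        finished.add(node)
        for nbr, link_cost, iface in lsdb.get(node, []):
            candidate = cost + link_cost        # sum of link costs along the path
            if candidate < cost_to.get(nbr, float("inf")):
                cost_to[nbr] = candidate
                # The first leg of the path decides next hop and interface:
                # a link leaving the root, or the first leg already chosen for `node`.
                first_hop[nbr] = (nbr, iface) if node == root else first_hop[node]
                heapq.heappush(heap, (candidate, nbr))
    return {dst: (cost_to[dst], *first_hop[dst]) for dst in cost_to if dst != root}


def withdraw_link(lsdb: Dict[str, List[Tuple[str, int, str]]], a: str, b: str):
    """Return a copy of the database with the a<->b link removed in both directions,
    which is what the two routers' updated LSAs do when that link fails."""
    trimmed = {}
    for router, links in lsdb.items():
        other = b if router == a else a if router == b else None
        trimmed[router] = [link for link in links if link[0] != other]
    return trimmed


if __name__ == "__main__":
    for dst, (cost, nh, iface) in sorted(spf(LSDB, "R1").items()):
        print(f"{dst}: cost {cost:>3} via {nh} out {iface}")
    print("after R3-R4 failure:", spf(withdraw_link(LSDB, "R3", "R4"), "R1")["R4"])
```

From R1 the direct 12-cost link to R3 beats the 10+5 path through R2, and R4 is reached through R3 at cost 22; once the R3-R4 link is withdrawn, R4 falls back to the 50-cost path through R2. The point of the example is that the database keeps every link, while the table keeps only the winning first hop per destination.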
Interior Routing Protocol
• An interior routing protocol is used for routing networks that are under a common network administration.
• These protocols are also referred to as interior gateway protocols.
• You need to specify all IP interior routing protocols with a list of associated networks before the routing activities can begin. A routing process listens for updates from other routers on the associated networks and then advertises its own routing information on the same networks.
• The interior routing protocols that are supported by Cisco IOS software are:
  • On-Demand Routing (ODR).
  • RIP.
  • Interior Gateway Routing Protocol (IGRP).
  • OSPF.
  • Enhanced IGRP (EIGRP).
  • IS-IS.

Exterior Routing Protocol
• An exterior routing protocol is used to exchange routing information between networks that do not share a common administration.
• These protocols are also referred to as exterior gateway protocols.
• The following information is required before routing can begin with an IP exterior routing protocol:
  • A list of neighbor or peer routers with which you need to exchange routing information.
  • A list of networks that need to be advertised as directly reachable.
  • The local router's autonomous system number.
• Border Gateway Protocol (BGP) is the only exterior routing protocol used today.

Hybrid Routing Protocols
• Balanced hybrid routing protocols use distance-vector metrics, but at the same time they emphasize more accurate metrics than conventional distance-vector protocols.
• These protocols also converge more rapidly than distance-vector protocols, but they do not incur the overhead of link-state updates.
• Balanced hybrids are driven by events rather than being periodic and thereby help to conserve bandwidth for real applications.
• Although "open" balanced hybrid protocols exist, this form is almost exclusively associated with the proprietary creation of Cisco Systems, Inc.
• EIGRP, which was developed by Cisco, is the best example of a hybrid routing protocol.
• EIGRP was designed to combine the best aspects of distance-vector and link-state routing protocols while ensuring that none of the performance limitations or penalties of the two protocol types are incurred.

IGRP
• The Interior Gateway Routing Protocol (IGRP) is a proprietary distance vector routing protocol developed in the mid-1980s by Cisco Systems, Inc.
• This protocol was used for routing multiple protocols across small and medium-sized Cisco networks and worked only with Cisco routers.
• IGRP could route IP, IPX, DECnet, and AppleTalk, which made it very versatile for clients running many different protocols.
• This protocol supported a hop count of 100, advertised only every 90 seconds, and used a composite of five different metrics to select the best path to a destination.
• Because it advertised less frequently, it used less bandwidth than RIP but converged more slowly, since it took 90 seconds for IGRP routers to become aware of changes in the network topology.
• It recognized the assignment of different autonomous systems and automatically summarized at network class boundaries. In addition, IGRP could load balance traffic across equal or unequal metric cost paths.

Note: IGRP is no longer used and has been discontinued.

OSPF
• Open Shortest Path First (OSPF) is a true link-state protocol that was developed as an open standard for routing IP across large multi-vendor networks.
• This protocol provides support for IP subnetting and tagging of externally derived routing information. It also permits packet authentication and uses IP multicast when sending and receiving packets.
• It sends link-state advertisements to all connected neighbors in the same area to communicate route information.
• When you start each OSPF-enabled router, the router sends hello packets to all directly connected OSPF routers. The hello packets contain information such as router timers, router ID, and subnet mask. If the routers agree on the information in the hello packets, they become OSPF neighbors.
• After routers become neighbors, they establish adjacencies by exchanging link-state databases. Routers on point-to-point and point-to-multipoint links (as specified with the OSPF interface type setting) automatically establish adjacencies.
• Routers with OSPF interfaces that are configured as broadcast (on Ethernet) and Nonbroadcast Multiaccess (NBMA) (on Frame Relay) use a designated router that establishes those adjacencies.

Note: OSPF was developed by the OSPF working group of the Internet Engineering Task Force (IETF).

Commands Related to OSPF I Lab

The commands related to the OSPF I lab are listed in the table.

Command                    Description
show ip route              Displays the IP routing table.
show ip protocols          Displays information about active routing protocols.
show ip ospf database      Displays the OSPF link state database.
show ip ospf neighbor      Displays OSPF neighbor information.
show ip ospf interface     Displays OSPF interface information.

Lab: OSPF I
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: OSPF I
• Duration: 10 minutes (approx.)

Commands Related to OSPF II Lab

The commands related to the OSPF II lab are listed in the table.

Command                                                        Description
router ospf <process_id>                                       Enables the OSPF routing protocol on the router.
no network <network_address> <wildcard_mask> area <area_id>    Deactivates OSPF on the specified network and removes the matching interface from the specified area by removing the network statement from the current configuration.
network <network_address> <wildcard_mask> area <area_id>       Activates OSPF on the specified network and places the matching interface in the specified area by adding the network statement to the current configuration.

Lab: OSPF II
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: OSPF II
• Duration: 15 minutes (approx.)
Commands Related to OSPF Authentication Lab

The commands related to the OSPF Authentication lab are listed in the table.

Command                                                   Description
ip ospf authentication                                    Enables OSPF authentication.
ip ospf authentication-key <password>                     Assigns a password to be used by neighboring routers that are using OSPF Message Digest 5 (MD5) authentication.
show ip ospf interface <interface_type> <slot>/<port>     Displays OSPF interface information.
no ip ospf authentication                                 Disables IP OSPF authentication on an interface.
no ip ospf authentication-key <password>                  Removes the password set for use by neighboring routers that are using OSPF MD5 authentication.
ip ospf authentication message-digest                     Specifies the authentication type for an interface.
ip ospf message-digest-key <key_id> md5 <key>             Enables OSPF MD5 authentication.
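A caveat a practitioner should carry into the lab: the key that MD5 authentication actually hashes is the one set with ip ospf message-digest-key, and it is selected on the receiver by the key ID carried in each packet; ip ospf authentication-key is the key for the simple-password (type 1) mode, which places the password in cleartext in every OSPF packet. What a router checks on each received packet once MD5 authentication is enabled is shown in the following added Python example, which is not part of the manual and not Cisco code. It follows RFC 2328 Appendix D: a 24-byte OSPF header whose 64-bit authentication field carries the key ID, the digest length, and a cryptographic sequence number, with the 16-byte MD5 digest of the packet plus the key appended after the packet and excluded from the OSPF length field. The hello body, router ID, key, and sequence numbers are constructed for the example, and the zero-padding of keys shorter than 16 bytes is an assumption stated in the code. RFC 5709 defines HMAC-SHA variants of this trailer; prefer those where the platform supports them.

```python
"""Receiver-side checks for OSPFv2 cryptographic (MD5) authentication.

Added example, not from the manual or from Cisco IOS. Layout follows
RFC 2328 Appendix D; the hello body, router ID, key and sequence numbers
are constructed for illustration.
"""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
AUTH_TYPE_CRYPTO = 2          # AuType 2 = cryptographic authentication
DIGEST_LEN = 16               # MD5 digest length and key length
HEADER_FMT = "!BBH4s4sHH"     # version, type, length, router ID, area ID, checksum, AuType
AUTH_FMT = "!HBBI"            # reserved, key ID, auth data length, cryptographic sequence number

# Constructed hello body: mask 255.255.255.0, hello 10 s, options, priority 1,
# dead 40 s, DR 0.0.0.0, BDR 0.0.0.0. Its contents do not matter for the trailer.
HELLO_BODY = bytes.fromhex("ffffff00 000a 12 01 00000028 00000000 00000000")


def padded_key(key: bytes) -> bytes:
    # Assumption for this example: keys shorter than 16 bytes are zero-padded
    # to 16 bytes before hashing; longer keys are truncated.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def build_packet(pkt_type: int, router_id: str, area_id: str, body: bytes,
                 key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: header + body, then MD5(packet || padded key) appended.
    With AuType 2 the OSPF checksum field is left at zero, and the digest is
    not counted in the OSPF length field."""
    length = 24 + len(body)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, pkt_type, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTH_TYPE_CRYPTO)
    header += struct.pack(AUTH_FMT, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + padded_key(key)).digest()


def verify_packet(packet: bytes, keys: dict, last_seq: int):
    """Receiver side. `keys` maps key ID -> key configured on the interface;
    `last_seq` is the highest sequence number accepted from this neighbor.
    Returns (accepted, reason, sequence number to remember)."""
    if len(packet) < 24 + DIGEST_LEN:
        return False, "truncated packet", last_seq
    _, _, length, _, _, _, au_type = struct.unpack(HEADER_FMT, packet[:16])
    _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, packet[16:24])
    if au_type != AUTH_TYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "authentication type mismatch", last_seq
    if length + DIGEST_LEN != len(packet):
        return False, "length mismatch", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", last_seq             # neighbor uses a key ID we lack
    if seq < last_seq:
        return False, "replayed sequence number", last_seq   # anti-replay check, RFC 2328 D.4.4
    expected = hashlib.md5(packet[:length] + padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):   # constant-time compare
        return False, "bad digest", last_seq                 # wrong key or modified packet
    return True, "ok", seq


def demo() -> dict:
    """Exercise the checks: a valid hello, then the failure modes a receiver sees."""
    keys = {1: b"ICND2lab"}                                  # constructed key, key ID 1
    hello = build_packet(1, "1.1.1.1", "0.0.0.0", HELLO_BODY, 1, keys[1], seq=100)
    tampered = hello[:24] + bytes([hello[24] ^ 0x01]) + hello[25:]   # flip one body bit
    return {
        "valid": verify_packet(hello, keys, last_seq=99)[1],
        "replay": verify_packet(hello, keys, last_seq=101)[1],
        "wrong_key": verify_packet(hello, {1: b"otherkey"}, 99)[1],
        "unknown_key_id": verify_packet(hello, {2: keys[1]}, 99)[1],
        "tampered": verify_packet(tampered, keys, 99)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>14}: {outcome}")
```

Two things the demo makes visible that the table does not: a neighbor whose key ID is not configured locally is rejected before any digest is computed, which is why mismatched key IDs on the two ends look exactly like a wrong key in the lab, and a packet whose sequence number goes backwards is rejected even though its digest is correct.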
Lab: OSPF Authentication
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: OSPF Authentication
• Duration: 15 minutes (approx.)
Commands Related to OSPF Authentication II Lab

The commands related to the OSPF Authentication II lab are listed in the table.

Command                  Description
show ip ospf             Displays OSPF-based details from which you can determine the router's IP address.
debug ip ospf events     Displays information on OSPF-related events, such as adjacencies, flooding information, designated router selection, and Shortest Path First (SPF) calculation.
undebug all              Turns off all debugging and diagnostic output.

Lab: OSPF Authentication II
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: OSPF Authentication II
• Duration: 15 minutes (approx.)

Commands Related to OSPF Routes Lab

The commands related to the OSPF Routes lab are listed in the table.

Command                                                     Description
hostname <router_name>                                      Configures a host name, the appropriate IP addresses, and enables the interface.
interface <interface_type> <slot>/<port>
ip address <ip_address> <subnet_mask>
no shutdown
show ip route                                               Displays the IP routing table.
router ospf <process_id>                                    Activates OSPF on the specified network and places the matching interface in the specified area.
network <network_address> <wildcard_mask> area <area_id>

Lab: OSPF Routes
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: OSPF Routes
• Duration: 5 minutes (approx.)

TOPIC B
Configure Inter-VLAN Routing
In this topic, you will describe the Inter-VLAN Routing configuration.

Inter-VLAN Routing
• Inter-VLAN Routing is a feature that enables you to route traffic between different virtual local area networks (VLANs). It is required when an end station wants to communicate with another end station that is in a different VLAN.
• Devices within a VLAN will be able to communicate with one another without the help of a router.
• Network devices in different VLANs will not be able to communicate with one another without a router to route the traffic between the VLANs.
• In most network environments, VLANs will be associated with individual networks or subnetworks. In a switched network, VLANs will segregate devices into different collision domains and Layer 3 subnets.

Figure 11-1: The Cisco Inter-VLAN routing environment.

VLAN Configuration
When you configure VLANs for inter-VLAN routing, it helps you to control the size of the broadcast domain and keep local traffic local. You will be able to configure one or more routers to route traffic in the network. Layer 2 switches will require a Layer 3 routing device that is either external to the switch or in another module on the same chassis.

New Layer 3 Switches

The new Layer 3 switches accommodate routing capabilities. The router or the switch will be able to receive a packet, determine the VLAN to which it belongs, and send the packet to the appropriate port on the other VLAN.

ROAS
Router on a Stick (ROAS) refers to a Layer 2 switch that is interconnected with a router via a trunk connection in a router-on-a-stick topology. The router will have an IP address in each subnet, with one subnet per VLAN. The router configuration will add each matched subnet and associated VLAN to a subinterface.

SVI
• A Switch Virtual Interface (SVI) allows you to represent a VLAN of switch ports as one interface to the routing or bridging function in the system.
• You will be able to associate only one SVI with a VLAN. Also, you will be able to configure an SVI for a VLAN only to route between VLANs or to provide IP host connectivity to the switch.
• By default, an SVI will be created for the default VLAN (VLAN 1) to permit remote switch administration. You need to explicitly configure additional SVIs.
• SVIs can provide IP host connectivity only to the system. SVIs will be created the first time that you enter the vlan interface configuration command for a VLAN interface.
• The VLAN will correspond to the VLAN tag associated with data frames on an Inter-Switch Link (ISL) or Institute of Electrical and Electronics Engineers (IEEE) 802.1Q encapsulated trunk or the VLAN ID configured for an access port.
• You will need to configure a VLAN interface for each VLAN for which you want to route traffic, and then assign it an IP address.

SVI: Additional Information

Although the switch stack or switch can support a total of 1,005 VLANs and SVIs, the interrelationship between the number of SVIs and routed ports and the number of other features that are configured may impact central processing unit (CPU) performance because of hardware limitations. When you create an SVI, it will not become active until you associate it with a physical port.

Inter-VLAN Routing Issues

The issues faced in Inter-VLAN routing are listed in the table. The router interface will have two states: the Line state and the Protocol state.

Issue                  Description
Speed mismatch         The router and switch may both use the speed interface subcommand to set the speed, but may be set to different speeds. The router state will be down/down.
Shutdown               The router interface has been configured with the shutdown interface subcommand. The router state will be Admin down/down.
Err-disabled switch    The neighboring switch port uses port security, which has put the port in an err-disabled state. The router state will be down/down.
No cable/bad cable     The router has no cable installed, or the cable pinouts are incorrect. The router state will be down/down.

Troubleshoot Inter-VLAN Routing Connectivity Issues

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on the CHOICE Course screen.

The steps to troubleshoot Inter-VLAN routing connectivity issues are:

1. Issue Internet Control Message Protocol (ICMP) pings in order to check whether you have Layer 2 connectivity.
2. If you are not able to ping between two devices on the same VLAN on the same switch, verify that your source and destination ports have devices connected to them and are assigned to the same VLAN.
3. If you are not able to ping between two devices on the same VLAN but not on the same switch, verify that trunking is configured properly and that the native VLAN matches on both sides of the trunk.
4. Initiate an ICMP ping from an end device connected to the switch to its corresponding VLAN interface. If the ping test in step 3 succeeds but this step fails and the device is unable to reach the end device on the other VLAN, verify that the default gateway on the connected device is configured correctly.
5. If you are unable to reach the Internet or the corporate network, verify that the default route on the Cisco switch points to the correct IP address on the default router. Also, verify that the IP address and subnet mask on the switch are configured correctly.

TOPIC C
Configure OSPFv2 Routing for IPv4
In this topic, you will describe the OSPFv2 Routing for IPv4 configuration.

OSPFv2 Routing for IPv4
• Open Shortest Path First version 2 (OSPFv2) is an Internet Engineering Task Force (IETF) link-state protocol, which supports routing for Internet Protocol version 4 (IPv4) networks.
• An OSPFv2 router sends a special message, a hello packet, out of each OSPF-enabled interface to discover other OSPFv2 neighbor routers.
• After a neighbor is discovered, the two routers compare the information in the hello packet to determine whether the routers have compatible configurations.
• The neighbor routers then try to establish adjacency, which means that the routers synchronize their link-state databases to ensure that they have identical OSPFv2 routing information.
• Adjacent routers share link-state advertisements (LSAs) that include information about the operational state of each link, the cost of the link, and any other neighbor information. The routers then flood these received LSAs out of every OSPF-enabled interface so that all OSPFv2 routers eventually have identical link-state databases.
• When all OSPFv2 routers have identical link-state databases, the network has converged.

Adjacency
Not all neighbors will be able to establish adjacency. Some neighbors will become fully adjacent, based on the network type and the designated router establishment, and will share LSAs with all their neighbors, while other neighbors will not. Adjacency is established in OSPF using Database Description packets, Link State Request packets, and Link State Update packets.

Database Description Packet

The Database Description packet includes just the LSA headers from the neighbor's link-state database. The local router compares these headers with its own link-state database and determines which of the LSAs are new or updated. The local router sends a Link State Request packet for each LSA for which it needs new or updated information. The neighbor responds with a Link State Update packet. This exchange continues until both routers have the same link-state information.
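A small simulation of that exchange, added here as an example and not taken from the manual or from Cisco code: two routers hold constructed link-state databases keyed by LSA identifier, each entry carrying a sequence number and contents; they exchange header-only Database Descriptions, request what is missing or newer, and install the resulting Link State Updates. The master/slave negotiation, retransmission, and LSA age handling of the real protocol are left out, and the LSA identifiers, sequence numbers, and contents are made up.

```python
"""Database Description / Link State Request / Link State Update exchange.

Added example, not from the manual or from Cisco IOS. LSA identifiers,
sequence numbers and contents are constructed for illustration.
"""
from typing import Dict, List, Tuple

LSA = Tuple[int, str]               # (sequence number, LSA contents)


class Router:
    def __init__(self, name: str, lsdb: Dict[str, LSA]):
        self.name = name
        self.lsdb: Dict[str, LSA] = dict(lsdb)

    def database_description(self) -> Dict[str, int]:
        """DBD packet: only the LSA headers (id -> sequence number), not the contents."""
        return {lsa_id: seq for lsa_id, (seq, _) in self.lsdb.items()}

    def link_state_request(self, dbd: Dict[str, int]) -> List[str]:
        """Compare the neighbor's headers with our database: request every LSA
        we do not have or whose sequence number is newer than our copy."""
        return sorted(lsa_id for lsa_id, seq in dbd.items()
                      if lsa_id not in self.lsdb or seq > self.lsdb[lsa_id][0])

    def link_state_update(self, request: List[str]) -> Dict[str, LSA]:
        """LSU packet: full copies of the requested LSAs."""
        return {lsa_id: self.lsdb[lsa_id] for lsa_id in request}

    def install(self, lsu: Dict[str, LSA]) -> List[str]:
        """Install received LSAs, keeping the copy with the higher sequence number."""
        installed = []
        for lsa_id, (seq, contents) in lsu.items():
            if lsa_id not in self.lsdb or seq > self.lsdb[lsa_id][0]:
                self.lsdb[lsa_id] = (seq, contents)
                installed.append(lsa_id)
        return installed


def synchronize(a: Router, b: Router) -> Tuple[List[str], List[str]]:
    """One DBD -> LSR -> LSU round in each direction.
    Returns the LSA ids that a and b installed, respectively."""
    a_new = a.install(b.link_state_update(a.link_state_request(b.database_description())))
    b_new = b.install(a.link_state_update(b.link_state_request(a.database_description())))
    return a_new, b_new


def demo() -> Tuple[List[str], List[str], bool]:
    # Constructed databases: R1 holds a stale copy of R2's router LSA and has no
    # LSA from R3; R2 has never seen R1's router LSA. Both share the network LSA.
    r1 = Router("R1", {
        "1.1.1.1": (0x80000001, "R1 router LSA"),
        "2.2.2.2": (0x80000003, "R2 router LSA (stale)"),
        "10.0.0.0/24": (0x80000002, "network LSA"),
    })
    r2 = Router("R2", {
        "2.2.2.2": (0x80000005, "R2 router LSA"),
        "3.3.3.3": (0x80000001, "R3 router LSA"),
        "10.0.0.0/24": (0x80000002, "network LSA"),
    })
    r1_new, r2_new = synchronize(r1, r2)
    return r1_new, r2_new, r1.lsdb == r2.lsdb


if __name__ == "__main__":
    r1_new, r2_new, identical = demo()
    print("R1 installed:", r1_new)
    print("R2 installed:", r2_new)
    print("databases identical:", identical)
```

Note what is never requested: the network LSA both sides already hold at the same sequence number. Only the headers travel in the DBD, and only the LSAs that are actually missing or newer travel in the LSU, which is what keeps the exchange cheap on large databases.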
OSPFv2 Area
• An area is a logical division of routers and links within an OSPFv2 domain that allows you to create separate subdomains.
• A single-area refers to a situation where all your devices are contained within the same OSPF area.
• You will be able to limit the CPU and memory requirements of routers running OSPFv2 by dividing an OSPFv2 network into areas.
• LSA flooding will be contained within an area, and the link-state database will be limited to links within the area.
• You will be able to assign an Area ID to the interfaces within the defined area.
• The Area ID is a 32-bit value that can be entered as a number or in dotted decimal notation, such as 10.12.13.11.

Figure 11-2: A single area in an OSPFv2 domain.

Multiarea OSPFv2 for IPv4
• When you define more than one area in an OSPFv2 network, you must also define the backbone area, which has the reserved area ID of 0.
• When you have more than one area, one or more routers will become area border routers (ABRs).
• An ABR will allow you to connect to both the backbone area and at least one other defined area.
• The ABR will have a separate link-state database for each area to which it connects.
• OSPFv2 defines one other router type, namely, the autonomous system boundary router (ASBR), which will connect an OSPFv2 area to another autonomous system. An autonomous system is a network controlled by a single technical administration entity.

Note: The ABR will send Network Summary (type 3) LSAs from one connected area to the backbone area. The backbone area will send summarized information about one area to another area. OSPFv2 will be able to redistribute its routing information into another autonomous system or receive redistributed routes from another autonomous system.

Figure 11-3: An ABR that connects two OSPFv2 areas.

Commands Related to Planning and Configuring Single-Area OSPF Lab

The commands related to the Planning and Configuring Single-Area OSPF lab are listed in the table.

Command                                                     Description
show ip interface brief                                     Displays a brief summary of interface status and configuration.
network <network_address> <wildcard_mask> area <area_id>    Activates OSPF on the specified network and places the matching interface in the specified area.
show ip ospf interface brief                                Displays a brief summary of OSPF interface status and configuration.
show ip ospf interface                                      Displays OSPF interface information.
show ip ospf neighbor                                       Displays OSPF neighbor information.
interface loopback <loopback_id>                            Changes from global configuration mode to interface configuration mode.
ip ospf priority <priority_value>                           Sets the router priority, which helps determine the designated router (DR) for the network.
router ospf <process_id>                                    Enters router configuration mode for an OSPF process.
show ip ospf database                                       Displays the OSPF link state database.
show ip ospf interface <interface_type> <slot>/<port>       Displays OSPF interface information.

Lab: Planning and Configuring Single-Area OSPF
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: Planning and Configuring Single-Area OSPF
• Duration: 20 minutes (approx.)
Commands Related to Planning and Configuring Multi-Area OSPF I Lab

The commands related to the Planning and Configuring Multi-Area OSPF I lab are listed in the table.

Command                                               Description
show ip route                                         Displays the IP routing table.
show ip ospf                                          Displays OSPF process information.
show ip ospf <process_id> <area_id> database          Displays the OSPF link state database for the selected area.
show ip ospf database router                          Displays the OSPF link state database for the selected area and router.
show ip ospf <process_id> <area_id> interface brief   Displays OSPF interface information for the selected area.
show ip ospf <process_id> <area_id> neighbor          Displays OSPF neighbor information for the selected area.

Lab: Planning and Configuring Multi-Area OSPF I
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: Planning and Configuring Multi-Area OSPF I
• Duration: 20 minutes (approx.)
Commands Related to Planning and Configuring Multi-Area OSPF II Lab

The commands related to the Planning and Configuring Multi-Area OSPF II lab are listed in the table.

Command                   Description
passive-interface         Disables the routing protocol from sending out of the specified interface.
debug ip ospf hello       Enables the debug mode and displays information on OSPF-related events.
ip routing                Enables Layer 3 processing.
router-id 1.0.1.1         Assigns a router ID to an interface and is used with OSPF.
show ip ospf              Displays OSPF interface information.
no debug ip ospf hello    Disables the debug mode.

Lab: Planning and Configuring Multi-Area OSPF II
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: Planning and Configuring Multi-Area OSPF II
• Duration: 20 minutes (approx.)

TOPIC D
Configure OSPFv3 Routing for IPv6
In this topic, you will describe the OSPFv3 Routing for IPv6 configuration.

OSPFv3 Routing for IPv6
• Open Shortest Path First version 3 (OSPFv3) is an IETF link-state protocol, which supports routing for Internet Protocol version 6 (IPv6) networks. The OSPFv3 protocol supports the features of OSPFv2.
• The OSPFv3 protocol supports the following additional features:
  • OSPFv3 expands on OSPFv2 and provides support for IPv6 routing prefixes and IPv6 addresses, which are larger than IPv4 addresses.
  • LSAs in OSPFv3 need to be expressed as prefix and prefix length instead of address and mask.
  • The router ID and area ID will be 32-bit numbers with no relationship to IPv6 addresses.
  • OSPFv3 will use link-local IPv6 addresses for neighbor discovery and other features.
  • OSPFv3 allows you to use the IPv6 authentication trailer or IPsec for authentication.
  • OSPFv3 redefines the types of LSA.
• The first step in configuring OSPFv3 will be to create an OSPFv3 instance. You will need to assign a unique instance tag to the OSPFv3 instance.
• You can also configure optional parameters such as Router ID, Administrative distance, Log adjacency changes, Maximum paths, and Reference bandwidth.

Note: OSPFv3, being an IPv4 link-state routing protocol, will also support IPv4 unicast address families (AFs).

Multiarea OSPFv3 for IPv6
• The OSPFv3 multi-area adjacency feature allows you to configure a link on the primary interface that is in more than one area. This link will become the preferred intra-area link in those areas.
• Multi-area adjacency will establish a point-to-point unnumbered link in an OSPFv3 area that will provide a topological path for that area. The primary adjacency will use the link to advertise an unnumbered point-to-point link in the Router LSA for the corresponding area when the neighbor state becomes full.
• The multi-area interface will exist as a logical construct over an existing primary interface for OSPF. However, the neighbor state on the primary interface will be independent of the multi-area interface.
• The multi-area interface will establish a neighbor relationship with the corresponding multi-area interface on the neighboring router.

Commands Related to Configuring Static and OSPFv3 Routing, Configuring Single-Area OSPFv3, and Configuring Multi-Area OSPFv3 Labs

The commands related to the Configuring Static and OSPFv3 Routing, Configuring Single-Area OSPFv3, and Configuring Multi-Area OSPFv3 labs are listed in the table.

Command                                   Description
ipv6 address <address>/<prefix_length>    Configures an IPv6 address for an interface.
ping ipv6 <ipv6_address>                  Sends an ICMP echo request to the specified IPv6 address.
ipv6 router ospf <process_id>             Configures global options for OSPFv3.
router-id <ipv4_address>                  Defines the router ID for the OSPFv3 process and is required only if the router is IPv6 only.
ipv6 ospf <process_id> area <area_id>     Configures an interface to run OSPFv3.
show ipv6 ospf interface                  Allows you to verify the OSPFv3 interface configuration on the Edge routers.
show ipv6 ospf neighbor                   Displays a list of all OSPFv3 neighbors.
show ipv6 route                           Displays the IPv6 routing table.
show ipv6 interface brief                 Displays a brief summary of each IPv6 interface's configuration and status.
show ipv6 protocols                       Displays information about active IPv6 routing protocols.
ipv6 unicast-routing                      Enables IPv6 packet forwarding on each router.

Lab: Configuring Static and OSPFv3 Routing
• Path to lab: ICND2→IPv6 Routing Protocols
• Lab name: Configuring Static and OSPFv3 Routing
• Duration: 15 minutes (approx.)

Lab: Configuring Single-Area OSPFv3
• Path to lab: ICND2→IPv6 Routing Protocols
• Lab name: Configuring Single-Area OSPFv3
• Duration: 15 minutes (approx.)

Lab: Configuring Multi-Area OSPFv3
• Path to lab: ICND2→IPv6 Routing Protocols
• Lab name: Configuring Multi-Area OSPFv3
• Duration: 15 minutes (approx.)

TOPIC E
Configure EIGRPv4
In this topic, you will describe the configuration of EIGRPv4.

EIGRPv4
• Enhanced Interior Gateway Routing Protocol (EIGRP) is a hybrid routing protocol developed by Cisco Systems. EIGRP has the characteristics of both distance vector routing protocols and link state routing protocols.
• This protocol supports routing of many protocols across an enterprise Cisco network. However, because it is Cisco proprietary, it can be used only with Cisco routers.
• EIGRP will send out periodic hello messages for neighbor discovery. After EIGRP learns a new neighbor, it will send a one-time update of all the local EIGRP routes and route metrics. The receiving EIGRP router will calculate the route distance based on the received metrics and the locally assigned cost of the link to that neighbor.
• You need to use the router eigrp <autonomous_system_number> command to create an EIGRP autonomous system configuration. This system configuration will create an EIGRP routing instance that can be used for tagging routing information.
• EIGRP IPv4 (EIGRPv4) will run over an IPv4 network layer, communicate only with IPv4 peers, and advertise only IPv4 routes.

Note: In per-interface configuration at system startup, if you have configured EIGRP on an interface, then the EIGRP protocol will start running before any new EIGRP router mode commands have been executed.

Incremental Updates
After the initial full route table update, EIGRP will send incremental updates only to those neighbors that are affected by the route change. This process of sending only incremental updates speeds up convergence, while at the same time minimizing the bandwidth used by EIGRP.

Basic Components of EIGRP
EIGRP has the following basic components:
• Reliable Transport Protocol (RTP): RTP guarantees ordered delivery of EIGRP packets to all neighbors. RTP supports an intermixed transmission of multicast and unicast packets.
• Neighbor Discovery and Recovery Mechanism: EIGRP will use the hello messages from RTP to discover neighboring EIGRP routers on directly attached networks. EIGRP adds neighbors to the neighbor table. The information in the neighbor table will include the neighbor address, the interface it was learned on, and the hold time, which indicates how long EIGRP should wait before declaring a neighbor unreachable. By default, the hold time is three times the hello interval, or 15 seconds.
• Diffusing Update Algorithm: The Diffusing Update Algorithm (DUAL) will calculate the routing information based on the destination networks in the topology table. DUAL will use the distance metric to select efficient, loop-free paths. DUAL will select routes to insert into the unicast Routing Information Base (RIB) based on feasible successors. When a topology change occurs, DUAL will look for feasible successors in the topology table. If there are feasible successors, DUAL will select the feasible successor with the lowest feasible distance and insert it into the unicast RIB, which will avoid unnecessary recomputation.

Recomputation
When there are no feasible successors to a route that has failed, but there are neighbors advertising the route, a recomputation must be done. By using this process, DUAL will determine a new successor. The amount of time required to recompute the route will affect the convergence time. With recomputation being processor-intensive, it is advantageous to avoid unneeded recomputation. When a topology change occurs, DUAL tests for feasible successors. If there are feasible successors, DUAL uses them in order to avoid unnecessary recomputation.
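As an added example (not code from the manual), the following Python models the successor and feasible successor selection described above and shows when losing the successor can be handled from the topology table and when it forces a recomputation; the neighbor names, reported distances and link costs are constructed.

```python
"""Added example, not from the ICND2 manual: a small model of how DUAL
chooses a successor and feasible successors from a topology table, and of
when a failed successor can be replaced locally versus when a recomputation
is needed. Neighbor names, distances and link costs are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    """One row of the topology table for a single destination prefix."""
    neighbor: str
    reported_distance: int   # RD: the neighbor's own metric to the prefix
    link_cost: int           # locally assigned cost of the link to that neighbor

    @property
    def feasible_distance(self) -> int:
        # FD through this neighbor: its reported distance plus our link cost
        return self.reported_distance + self.link_cost


def select_successor(entries):
    """The successor is the entry with the lowest feasible distance."""
    return min(entries, key=lambda e: e.feasible_distance, default=None)


def feasible_successors(entries, successor):
    """Feasibility condition: a neighbor qualifies as a feasible successor
    when its reported distance is strictly lower than the successor's FD.
    Such a neighbor cannot be routing through us, so the backup is loop-free."""
    return sorted(
        (e for e in entries
         if e is not successor
         and e.reported_distance < successor.feasible_distance),
        key=lambda e: e.feasible_distance,
    )


def handle_successor_loss(entries, successor):
    """What DUAL does when the successor is lost:
    - a feasible successor exists: promote the one with the lowest FD,
      no recomputation needed;
    - no feasible successor, but other neighbors still advertise the route:
      a recomputation (query of the neighbors) is required;
    - nobody advertises it: the prefix is unreachable."""
    remaining = [e for e in entries if e is not successor]
    backups = feasible_successors(entries, successor)
    if backups:
        return "feasible_successor", backups[0]
    if remaining:
        return "recompute", select_successor(remaining)
    return "unreachable", None


# Constructed topology table for one prefix as seen by the local router.
SAMPLE_TABLE = [
    TopologyEntry("R2", reported_distance=1000, link_cost=500),  # FD 1500: successor
    TopologyEntry("R3", reported_distance=1200, link_cost=900),  # RD 1200 < 1500: FS
    TopologyEntry("R4", reported_distance=1600, link_cost=100),  # RD 1600 >= 1500: not FS
]

if __name__ == "__main__":
    succ = select_successor(SAMPLE_TABLE)
    print("successor:", succ.neighbor, "FD", succ.feasible_distance)
    print("feasible successors:",
          [e.neighbor for e in feasible_successors(SAMPLE_TABLE, succ)])
    print("after losing the successor:", handle_successor_loss(SAMPLE_TABLE, succ))
    # R4 has the second-best FD (1700) but fails the feasibility condition,
    # so without R3 in the table DUAL must recompute instead of using R4.
    print("without R3:", handle_successor_loss([SAMPLE_TABLE[0], SAMPLE_TABLE[2]], succ))
```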

Commands Related to EIGRP and EIGRP Authentication I Labs

The commands related to the EIGRP and EIGRP Authentication I labs are listed in the table.

Command | Description
router eigrp <autonomous_system_number>; auto-summary; network <network_address> | Enables the EIGRP routing protocol on the router, restores the default behavior of automatic summarization of subnet routes into network-level routes, and activates EIGRP on the specified network.
show ip protocols | Displays information about active routing protocols.
show ip eigrp neighbors | Displays information about EIGRP neighbors.
show ip eigrp traffic | Displays EIGRP traffic information.
show ip eigrp topology | Displays the EIGRP topology table.
key chain <key_chain_name>; key <key-id>; key-string <key_string_text> | Creates or modifies a key chain, creates or modifies a key chain key, and specifies the authentication string for the key.
ip authentication mode eigrp <autonomous_system_number> md5 | Specifies the type of authentication used in EIGRP packets.
ip authentication key-chain eigrp <autonomous_system_number> <key_chain> | Enables authentication of EIGRP packets.
debug eigrp neighbors | Displays EIGRP neighbors discovered by EIGRP.
no debug all | Turns off all diagnostic output.

Lab: EIGRP
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: EIGRP
• Duration: 15 minutes (approx.)

Lab: EIGRP Authentication I
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: EIGRP Authentication I
• Duration: 15 minutes (approx.)
Commands Related to EIGRP Routes Lab

The commands related to the EIGRP Routes lab are listed in the table.

Command | Description
hostname <router_name>; interface <interface_type> <slot>/<port>; ip address <ip_address> <subnet_mask>; no shutdown | Configures a host name, the appropriate IP addresses, and a clock rate on the selected interface, and enables the interface.
network <network_address> <wildcard_mask> | Activates EIGRP on the specified network, with the wildcard-mask parameter allowing for more specific configuration.
Lab: EIGRP Routes
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: EIGRP Routes
• Duration: 10 minutes (approx.)
Commands Related to EIGRP and Wildcard Masks Lab

The commands related to the EIGRP and Wildcard Masks lab are listed in the table.

Command | Description
no router eigrp <id>; router eigrp <id>; network <network_address> <wildcard_mask> | Reconfigures EIGRP so that a single network command can be issued to activate EIGRP on the specified network. The wildcard-mask parameter will allow for more specific configuration.

Lab: EIGRP and Wildcard Masks
• Path to lab: ICND2→IPv4 Routing Protocols
• Lab name: EIGRP and Wildcard Masks
• Duration: 10 minutes (approx.)
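As an added example (not code from the manual), this Python works out which interfaces a network statement activates with and without a wildcard mask, and derives the wildcard mask from a prefix length; the interface names and addresses are constructed.

```python
"""Added example, not from the ICND2 manual: work out which interfaces an
EIGRP "network <address> <wildcard_mask>" statement activates, compared with
the classful "network <address>" form, and derive a wildcard mask from a
prefix length. Interface names and addresses are constructed."""

import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask
    (0 = bit must match, 1 = don't care), e.g. /30 -> 0.0.0.3."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_matches(network: str, wildcard: str, address: str) -> bool:
    """True when the address agrees with the network on every 'must match' bit."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(address))
    care = (~w) & 0xFFFFFFFF
    return (n & care) == (a & care)


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Classful boundary applied when the network command carries no wildcard:
    class A /8, class B /16, everything else /24."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    prefix_len = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network((address, prefix_len), strict=False)


def interfaces_enabled(statements, interfaces):
    """statements: list of (network, wildcard_or_None); interfaces: name -> address.
    Returns the sorted names of the interfaces on which EIGRP would be activated."""
    enabled = []
    for name, address in interfaces.items():
        for network, wildcard in statements:
            if wildcard is None:
                hit = classful_network(network) == classful_network(address)
            else:
                hit = wildcard_matches(network, wildcard, address)
            if hit:
                enabled.append(name)
                break
    return sorted(enabled)


# Constructed router with three addressed interfaces.
INTERFACES = {
    "GigabitEthernet0/0": "10.1.1.1",
    "GigabitEthernet0/1": "10.1.2.1",
    "Serial0/0/0": "192.168.1.1",
}

if __name__ == "__main__":
    # Classful form: one statement silently covers every 10.x.x.x interface.
    print(interfaces_enabled([("10.0.0.0", None)], INTERFACES))
    # Wildcard form: only the intended subnet is activated.
    print(interfaces_enabled([("10.1.1.0", wildcard_for_prefix(24))], INTERFACES))
    # A single interface can be pinned exactly with a 0.0.0.0 wildcard.
    print(interfaces_enabled([("192.168.1.1", "0.0.0.0")], INTERFACES))
```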


TOPIC F
Configure EIGRPv6
In this topic, you will describe the configuration of EIGRPv6.

EIGRPv6
• EIGRP for IPv6 (EIGRPv6) will need to be directly configured on the interfaces over which it runs.
• This ability to perform direct configuration on the interface will allow EIGRPv6 to be configured without the use of a global IPv6 address. Further, there is no network statement in EIGRPv6.
• The differences between EIGRPv4 and EIGRPv6 are:
  • An EIGRPv6 protocol instance will require a router ID before it can start running.
  • EIGRPv6 has a shutdown feature, which requires the routing process to be in no shut mode in order to start running.
  • When a user uses a passive-interface configuration, EIGRPv6 need not be configured on the interface that is made passive.
  • EIGRPv6 uses the distribute-list prefix-list command to provide route filtering. The route-map command is not supported for route filtering with a distribute list.

Commands Related to EIGRPv6 Configuration I Lab

The commands related to the EIGRPv6 Configuration I lab are listed in the table.

Command | Description
ipv6 unicast-routing | Enables IPv6 unicast routing.
ipv6 router eigrp <as_number> | Enables the EIGRPv6 routing process.
router-id <ip_address> | Assigns a router ID to an interface.
show ipv6 protocols | Displays information about active routing protocols.
show ipv6 eigrp neighbors | Displays information about EIGRPv6 neighbors.
show ipv6 eigrp topology | Displays the EIGRPv6 topology table.
show ipv6 eigrp topology all-links | Displays all routes, both successor and feasible successor, learned by the router.
show ipv6 route | Displays the IPv6 routing table.

Lab: EIGRPv6 Configuration I
• Path to lab: ICND2→IPv6 Routing Protocols
• Lab name: EIGRPv6 Configuration I
• Duration: 10 minutes (approx.)
Commands Related to EIGRPv6 Configuration II Lab

The commands related to the EIGRPv6 Configuration II lab are listed in the table.

Command | Description
ipv6 cef | Configures the routers to run Cisco Express Forwarding for IPv6.
ipv6 address <ipv6_address> | Configures the appropriate IPv6 address.
show ipv6 interface | Displays IPv6 interface information.

Lab: EIGRPv6 Configuration II
• Path to lab: ICND2→IPv6 Routing Protocols
• Lab name: EIGRPv6 Configuration II
• Duration: 15 minutes (approx.)

TOPIC G
Troubleshoot Routing Protocols
In this topic, you will describe the methods to troubleshoot routing protocols.

Troubleshoot PPP-PAP-CHAP

To resolve problems related to PPP-PAP-CHAP authentication failure, you need to apply the solutions listed in the table.

Problem: Any failure in the PAP/CHAP authentication process may result in both router interfaces failing to an up/down state.
Solution: You need to use the show interfaces and show ppp all commands to look further into the status of the PPP authentication process. In this way, you will be able to isolate and discover the root cause of why the interface is in an up/down state. Additionally, you can either rule out or confirm PPP authentication as the root cause.

Problem: The show commands used earlier do not help you to identify the PPP authentication problems.
Solution: Another method to troubleshoot PPP authentication problems is to use the debug ppp authentication command. When you enable the debug output, you need to shut down the link and bring it back up to see the debug messages that match the three-way exchange. In case of authentication failure, you will see a failure message at the point at which the process fails. This may help you decide the issue that needs to be fixed.

Troubleshoot Port Security

Port Security Troubleshooting
The problems associated with port security are listed along with their causes and solutions in the table.

Problem: Secure addresses may appear as static entries in the output of the show mac-address-table static command.
Cause: If the secure VLAN associated with that Media Access Control (MAC) address is a regular or primary VLAN, the address associated with that VLAN will appear in the output of the show port-security address command. If the VLAN associated with that MAC address is a secondary VLAN, the address appears in the primary VLAN in the output of the command.
Solution: Check and make the address secure by associating the VLANs.

Problem: The previously configured static or sticky secure addresses on VLANs are missing.
Cause: If you change the set of allowed VLANs on the trunk port, the configured static or sticky secure addresses located on certain VLANs will be erased by the software. You will be able to convert a port configured with port security and static/sticky secure addresses to a router port. Also, you will be able to hot-swap it out of the system. If this happens, the configuration on the port will be ineffective in the system. This will allow the addresses that are secured on the port to be secured on other ports.
Solution: You need to configure a secure trunk port with static or sticky secure addresses.

Problem: There is a port security violation and the system has logged the error message "Security violation occurred". The system will send a trap if you have enabled Simple Network Management Protocol (SNMP) traps for port security. Based on the violation mode, either the port will be error-disabled (shutdown mode), or the packets from the unsecure addresses may be dropped in the software (restrict mode).
Cause: Each interface will have a default or configured number of MAC addresses that can be secured when port security is enabled. You need to determine the number of MAC addresses that can be secured per port and configure that many addresses on the interface. When port security is properly configured under anticipated operating conditions, port security will continue to work normally. However, virus attacks, hostile workstations, or accidentally reconfigured hosts might cause end hosts to send out packets with more than the expected number of MAC addresses. This will result in a port security violation, and the resultant system error messages will appear based on the configuration.
Solution: To ensure that the CPU is not loaded when such an event occurs, you need to set the violation mode to shutdown. You need to configure errdisable recovery and timeout to ensure an automatic recovery from the error-disable state.

debug Command
You can use the debug port-security command to display generic messages associated with the execution of port security. The output will be useful for engineers and the Technical Assistance Center (TAC) in debugging any port security-related issues.

Troubleshoot OSPF

OSPF neighbors may not be able to form an adjacency due to a number of problems related to the configuration. You must locate the problem and manually rectify it by changing the configuration suitably. Some of the problems and the commands to isolate them are listed in the table.

Problem | Command to Isolate the Problem
OSPF may not have been configured on one of the routers. | show ip ospf
OSPF may not be enabled on an interface where it is needed. | show ip ospf interface
OSPF HELLO or Dead timer interval values may be mismatched. | show ip ospf interface
There may be an IP OSPF network-type mismatch on the adjoining interfaces. | show ip ospf interface
There is an MTU mismatch between neighboring interfaces. | show interface <int-type> <int-num>
The OSPF area type is stub on one neighbor, but the adjoining neighbor in the same area may not be configured for stub. | show running-config; show ip ospf interface
OSPF neighbors may have duplicate Router IDs. | show ip ospf; show ip ospf interface
OSPF may be configured on the secondary network of the neighbor, but not on the primary network. This is an illegal configuration, which will prevent OSPF from being enabled on the interface. | show ip ospf interface; show running-config
OSPF HELLOs are not processed due to a lack of resources. This may be caused by factors such as high CPU utilization or not enough memory. | show memory summary; show memory processor
An underlying lower-layer problem may be preventing OSPF HELLOs from being received. | show interface
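As an added example (not code from the manual), this Python applies the checks in the table above to two constructed interface records, reporting each mismatch together with the command that isolates it; the record fields, router IDs and values are assumptions.

```python
"""Added example, not from the ICND2 manual: apply the OSPF adjacency checks
from the table above to two constructed interface records holding the values
you would read from show ip ospf interface, show interface and
show running-config. The field names and the sample routers are assumptions."""

from dataclasses import dataclass, replace


@dataclass
class OspfIntf:
    router_id: str
    ospf_enabled: bool
    area: int
    stub: bool            # area configured as stub on this router
    hello: int
    dead: int
    network_type: str     # e.g. "BROADCAST", "POINT_TO_POINT"
    mtu: int
    on_primary: bool      # OSPF bound to the interface's primary network
    line_up: bool         # interface and line protocol up (lower layers OK)


def adjacency_problems(local: OspfIntf, remote: OspfIntf):
    """Return the reasons these two interfaces will not become adjacent,
    each tagged with the show command that isolates it."""
    problems = []
    for side, i in (("local", local), ("remote", remote)):
        if not i.line_up:
            problems.append(f"{side}: lower-layer problem, interface down (show interface)")
        if not i.ospf_enabled:
            problems.append(f"{side}: OSPF not enabled on the interface (show ip ospf interface)")
        if not i.on_primary:
            problems.append(f"{side}: OSPF only on a secondary network (show running-config)")
    if local.router_id == remote.router_id:
        problems.append(f"duplicate router ID {local.router_id} (show ip ospf)")
    if local.area != remote.area:
        problems.append(f"area mismatch {local.area} vs {remote.area} (show ip ospf interface)")
    elif local.stub != remote.stub:
        problems.append("stub flag mismatch within the same area (show running-config)")
    if (local.hello, local.dead) != (remote.hello, remote.dead):
        problems.append(f"hello/dead mismatch {local.hello}/{local.dead} vs "
                        f"{remote.hello}/{remote.dead} (show ip ospf interface)")
    if local.network_type != remote.network_type:
        problems.append(f"network type mismatch {local.network_type} vs "
                        f"{remote.network_type} (show ip ospf interface)")
    if local.mtu != remote.mtu:
        problems.append(f"MTU mismatch {local.mtu} vs {remote.mtu} (show interface)")
    return problems


# Constructed neighbors: R1 is correct, R2 has a dead-timer and an MTU mismatch.
R1 = OspfIntf(router_id="1.1.1.1", ospf_enabled=True, area=0, stub=False,
              hello=10, dead=40, network_type="BROADCAST", mtu=1500,
              on_primary=True, line_up=True)
R2 = replace(R1, router_id="2.2.2.2", dead=30, mtu=1400)
R2_FIXED = replace(R2, dead=40, mtu=1500)

if __name__ == "__main__":
    for p in adjacency_problems(R1, R2):
        print("-", p)
    print("after fix:", adjacency_problems(R1, R2_FIXED) or "no problems found")
```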

Troubleshoot EIGRP

When the show ip eigrp neighbors command does not list one or more of the expected neighbors, as the first problem isolation step you need to find out if the two routers are able to ping each other's IP addresses on the same subnet successfully. If the ping is successful, you need to perform the neighbor verification checks that are listed in the table.

Note: If, even after the two neighboring routers are able to ping each other successfully, the two routers still do not become EIGRP neighbors, as the next step you will need to examine each of the EIGRP neighbor requirements. These requirements are: they must be in the same subnet, have matching hello and dead timers, be in the same area, have unique remote IDs (RIDs), and pass any neighbor authentication.

EIGRP Neighbor Verification Check | Command to Isolate the Problem
Must be in the same subnet. | show interfaces; show ip interface
Must use the same ASN on the router configuration command. | show ip eigrp interfaces; show ip protocols
Must pass EIGRP neighbor authentication. | debug eigrp packets
K-values must match. | show ip protocols

Troubleshoot EIGRPv6

The problems related to EIGRPv6 and the steps to resolve them are listed in the table.

Problem: The router does not have any route to a given subnet.
Solution:
1. Check the routers with interfaces that are directly connected to the IPv6 prefix or subnet. A router will need to have EIGRP for IPv6 enabled on that interface before EIGRP for IPv6 can advertise the subnet.
2. Check the EIGRP for IPv6 neighbor relationships for all routers between the local router and the routers with an interface connected to that IPv6 prefix or subnet.

Problem: The router has a route, but it appears to be the wrong (suboptimal) route.
Solution:
1. Check for broken neighbor relationships over what should be the optimal path between the local router and the IPv6 prefix.
2. Check the interface bandwidth and delay settings. In particular, you need to check the lowest bandwidth in the end-to-end route, because EIGRP will ignore the faster bandwidths and use only the lowest (slowest) bandwidth for its metric calculation.

Problem: When the ipv6 eigrp <as> interface subcommand is omitted on an interface that has no possible neighbors, the omission may be overlooked. While it will not impact EIGRP for IPv6 neighbors, it will mean that EIGRP for IPv6 is not enabled on that interface. Therefore, the router will not advertise that connected subnet, and this may show up as a missing route problem.
Solution: Check for and include the ipv6 eigrp <as> interface subcommand even on an interface that has no possible neighbors.

Problem: When you make an interface passive to the EIGRP for IPv6 process, and a potential EIGRP for IPv6 neighbor is connected to that link, it will prevent the two routers from becoming neighbors. Even if only one of the two routers has a passive interface, the neighbor relationship will fail.
Solution: Check and reconfigure the interfaces such that none of them are in the passive state.
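As an added example (not code from the manual), this Python computes the EIGRP composite metric the way the table above describes it, with the lowest bandwidth on the path dominating, and shows the effect of the K-values set with the metric weights command; the link bandwidths and delays are constructed.

```python
"""Added example, not from the ICND2 manual: compute the EIGRP composite
metric for an end-to-end path (lowest bandwidth on the path, delays summed)
using the K-values set with "metric weights", and compare two constructed
paths. Link bandwidth and delay values are constructed."""

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 as set by "metric weights 0 1 0 1 0 0"


def eigrp_metric(links, k=DEFAULT_K, load=1, reliability=255):
    """links: list of (bandwidth_kbps, delay_usec), one tuple per hop.
    Classic EIGRP formula: bandwidth is scaled as 10^7 / lowest bandwidth,
    delay as the sum of delays in tens of microseconds, and the result is
    multiplied by 256. Divisions are truncated, as IOS does."""
    if len(k) != 5 or not links:
        raise ValueError("need five K-values and at least one link")
    k1, k2, k3, k4, k5 = k
    lowest_bw = min(bw for bw, _ in links)      # the slowest hop dominates
    total_delay = sum(delay for _, delay in links)
    bw_term = 10_000_000 // lowest_bw
    delay_term = total_delay // 10
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:                                  # K5 = 0 disables the reliability term
        metric = (metric * k5) // (reliability + k4)
    return metric * 256


def best_path(paths, k=DEFAULT_K):
    """Index of the path with the lowest metric; ties go to the first path."""
    metrics = [eigrp_metric(p, k) for p in paths]
    return metrics.index(min(metrics))


def k_values_match(local_k, remote_k):
    """Neighbors whose K-values differ never become neighbors (show ip protocols)."""
    return tuple(local_k) == tuple(remote_k)


# Constructed paths. Path A crosses a T1 (1544 kbps, 20000 usec delay) and a
# Fast Ethernet link; path B has three 10 Mbps hops. Path B wins because its
# lowest bandwidth is higher, even though it has more hops.
PATH_A = [(1544, 20000), (100000, 100)]
PATH_B = [(10000, 1000), (10000, 1000), (10000, 1000)]

if __name__ == "__main__":
    print("path A metric:", eigrp_metric(PATH_A))   # 2172416
    print("path B metric:", eigrp_metric(PATH_B))   # 332800
    print("best path index:", best_path([PATH_A, PATH_B]))
    print("K-values match:", k_values_match(DEFAULT_K, (1, 0, 1, 0, 0)))
```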

Troubleshoot Frame Relay Problems

The problems related to Frame Relay and the steps to resolve them are listed in the table.

Problem: Mismatch in Local Management Interface (LMI) type.
Solution:
1. Check the state of the interface by using the show interfaces serial command.
2. Verify the LMI type configured on the Frame Relay interface by using the show frame-relay lmi exec command.
3. Ensure that the LMI type is the same for all devices in the path from source to destination. Use the frame-relay lmi-type <lmi-type> command to change the LMI type on the router.

Problem: The Data Link Connection Identifier (DLCI) is either inactive or has been deleted.
Solution:
1. View the status of the interface's permanent virtual circuit (PVC) by using the show frame-relay pvc exec command.
2. If the output shows the PVC as either inactive or deleted, there is a problem along the path to the remote router. You need to check the remote router or contact your carrier service provider to check the status of the PVC.

Problem: The DLCI may be assigned to the wrong subinterface.
Solution:
1. Check the assigned DLCIs by using the show frame-relay pvc privileged exec command.
2. Ensure that the correct DLCIs are assigned to the correct subinterface. In case the DLCI is incorrect, you need to use the no frame-relay map interface-dlci command to delete the incorrect DLCI number entry under the interface. Define the mapping between an address and the correct DLCI used to connect to the address by using the frame-relay map interface-dlci command.

Problem: The Frame Relay link may be down due to a cabling, hardware, or carrier problem.
Solution:
1. On both the local and remote router, check the interfaces to see whether the interface and line protocol are up.
2. If the interface and line protocol are down, check the cable to make sure that a Data Terminal Equipment (DTE) serial cable is used and ensure that cables are securely attached. If the cable is correct, try moving it to a different port. If this change in port resolves the issue, then the first port is defective; you need to replace either the card or the router. If the cable doesn't work on the second port, you need to replace the cable.
Methods to Troubleshoot Frame Relay

• In order to isolate a Frame Relay problem, you need to start with some pings. Generally, pings from an end-user host on a local area network (LAN) to another host on a remote LAN will quickly help you to determine whether the network currently will be able to meet the true end goal of delivering packets between computers.
• If the ping from an end-user host on the LAN to another host on a remote LAN is not successful, you will need to initiate a ping from one router to the other router's Frame Relay IP address.
• If the ping from one router to the other router's Frame Relay IP address is successful, but the end user's ping is not successful, the problem will probably be related to Layer 3 issues.
• However, if you find that a ping from one router to another router's Frame Relay IP address is not successful, the problem will most likely be related to the Frame Relay network.
• If you determine that a Frame Relay router's pings fail for all remote routers whose virtual circuits (VCs) share a single access link, you will need to perform the following steps:
  1. Check for Layer 1 problems on the access link between the router and the local Frame Relay switch (all routers).
  2. Check for Layer 2 problems on the access link, particularly encapsulation and LMI.
  If, from the original ping tests, you can determine that the Frame Relay router can ping only some of the other Frame Relay routers whose VCs share a single access link, you need to perform these additional steps:
  3. Check for PVC problems based on the PVC status and subinterface status.
  4. Check for Layer 2 or 3 problems with both static and dynamic (Inverse Address Resolution Protocol [ARP]) mapping.
  5. Check for Layer 2 or 3 problems related to a mismatch of end-to-end encapsulation (cisco or ietf).
  6. Check for other Layer 3 issues, including mismatched subnets.

Commands Related to Troubleshooting PPP-PAP-CHAP Lab

The commands related to the Troubleshooting PPP-PAP-CHAP lab are listed in the table.

Command | Description
show ip interface brief | Displays a brief summary of interface status and configuration.
show running-config | Displays the active configuration file.
show cdp neighbors | Displays information about directly connected neighbors.
show controllers <interface_type> <slot>/<port> | Displays cable orientation for serial interfaces.
encapsulation ppp | Sets the Data Link layer protocol for an interface.
show ip route | Displays the IP routing table.
debug ppp authentication | Displays PPP authentication information as it occurs.
no debug all | Turns off all diagnostic output.
ppp authentication pap | Enables PAP authentication.
ppp pap sent-username <user_name> password <password> | Determines which user name and password combination PAP sends as part of its authentication process.

Lab: Troubleshooting PPP-PAP-CHAP
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting PPP-PAP-CHAP
• Duration: 20 minutes (approx.)
Commands Related to Troubleshooting EIGRP Lab

The commands related to the Troubleshooting EIGRP lab are listed in the table.

Command | Description
router eigrp <autonomous_system_number> | Enables the EIGRP routing protocol on the router.
network <network_address> | Activates the specified routing protocol on the specified network.
bandwidth <value_in_kbps> | Sets the value of the inherited and received bandwidth for an interface.

Lab: Troubleshooting EIGRP
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting EIGRP
• Duration: 20 minutes (approx.)
Commands Related to Troubleshooting OSPF Lab

The commands related to the Troubleshooting OSPF lab are listed in the table.

Command | Description
show ip ospf neighbor | Displays OSPF neighbor information.
show ip ospf interface brief | Displays OSPF interface information.
debug ip ospf hello | Displays the hello packets that are being sent from the selected interface of the router to another router.
no debug ip ospf hello | Turns off debugging.
router ospf <process_id>; network <network_address> <wildcard_mask> area <area_id> | Enters router configuration mode for an OSPF process, activates OSPF on the specified network, and places the matching interface in the specified area.
debug ip ospf events | Displays information on OSPF-related events.
no debug ip ospf events | Turns off debugging.

Lab: Troubleshooting OSPF
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting OSPF
• Duration: 20 minutes (approx.)
Commands Related to Troubleshooting OSPFv3

The commands related to the Troubleshooting OSPFv3 lab are listed in the table.

Command | Description
show ipv6 interface brief | Displays a brief summary of each IPv6 interface's configuration and status.
show ipv6 route | Displays the IPv6 routing table.
show ipv6 ospf neighbor | Displays OSPFv3 neighbor information.
ipv6 router ospf <process_id> | Defines which interfaces operate in which OSPFv3 processes and areas.
clear ipv6 ospf process | Stops and restarts the OSPF process.

Lab: Troubleshooting OSPFv3
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting OSPFv3
• Duration: 20 minutes (approx.)
Commands Related to Troubleshooting EIGRPv6 Lab

The commands related to the Troubleshooting EIGRPv6 lab are listed in the table.

Command | Description
ping ipv6 <ipv6_address> | Sends an ICMP echo request to the specified IPv6 address.
show ipv6 eigrp neighbors | Displays information about EIGRPv6 neighbors.
show ipv6 interface brief | Displays a brief summary of each IPv6 interface's configuration and status.
show ipv6 protocols | Displays information about active IPv6 routing protocols.
no ipv6 eigrp <as-number>; ipv6 eigrp <as-number> | Deactivates EIGRPv6 on the specified interface and enables it on the other interface.
metric weights <tos> <k1> <k2> <k3> <k4> <k5> | Changes the EIGRP metric calculation.

Lab: Troubleshooting EIGRPv6
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting EIGRPv6
• Duration: 10 minutes (approx.)
Commands Related to Troubleshooting Port Security Lab

The commands related to the Troubleshooting Port Security lab are listed in the table.

Command | Description
show port-security | Displays port-security settings for the switch.
show port-security interface <interface_type> <slot>/<port> | Displays port-security settings for an interface of the switch.
no switchport port-security mac-address <mac_address> | Removes the port security configuration for the specified MAC address.
switchport port-security mac-address <mac_address> | Specifies a secure MAC address for a port.
Lab: Troubleshooting Port Security
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Port Security
• Duration: 10 minutes (approx.)
Commands Related to Troubleshooting Frame Relay Lab

The commands related to the Troubleshooting Frame Relay lab are listed in the table.

Command | Description
show frame-relay lmi | Displays statistics about the LMI.
show frame-relay map | Displays the current Frame Relay map entries and information about connections.
show frame-relay pvc | Displays virtual circuit information.
encapsulation frame-relay | Enables Frame Relay encapsulation on the interface.
frame-relay interface-dlci <dlci> | Assigns the DLCI to an interface or subinterface that will connect to a Frame Relay network.

Lab: Troubleshooting Frame Relay
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Frame Relay
• Duration: 5 minutes (approx.)

Commands Related to Troubleshooting Frame Relay II Lab
The commands related to the Troubleshooting Frame Relay II lab are listed in the table.

Command                                           Description
show ip eigrp neighbors                           Displays information about EIGRP neighbors.
no frame-relay map ip <protocol_address>          Removes the mapping between a destination
<dlci> broadcast                                  protocol address and the DLCI used to connect
                                                  to the destination address.
frame-relay map ip <protocol_address>             Defines the mapping between a destination
<dlci> broadcast                                  protocol address and the DLCI used to connect
                                                  to the destination address.
frame-relay inverse-arp                           Enables Inverse ARP on an interface.

Lab: Troubleshooting Frame Relay II
• Path to lab: ICND2→Troubleshooting
• Lab name: Troubleshooting Frame Relay II
• Duration: 10 minutes (approx.)


Summary
Key Points
• A distance vector protocol will advertise its routing table to all its directly connected neighbors
frequently at regular intervals.
• A link-state protocol will make its routing decisions based on the state of the links that connect
the source and destination devices.
• You need to specify all IP interior routing protocols with a list of associated networks before the
routing activities can begin.
• IGRP could route IP, IPX, DECnet and AppleTalk, which made it very versatile for clients
running many different protocols.
• Balanced hybrids are driven by events rather than being periodic and thereby help to conserve
bandwidth for real applications.
• In a switched network, VLANs will segregate devices into different collision domains and Layer
3 subnets.
• When you are troubleshooting Frame Relay problems, you will usually need to look at all the
routers’ configurations and ensure that the configurations meet the requirements.