Monday, January 31, 2011

CCNP - ENTERPRISE - Spanning-tree Protocol - Tools to Prevent Loops

There are a number of tools that can be employed to make the STP topology more stable.

1) Root Guard - prevents an unexpected switch from becoming the Root Bridge. Enable RootGuard on all non-root ports on all switches expect the Root bridge.

If a designated port receives a superior BPDU that could cause the bridge to accept a different switch as the Root Bridge the port enters a 'root-inconsistent' state (instead of transitioning to a Root Port and therefore changing the STP topology).

The 'root-inconsistent' state will remain for as long as there are superior BPDU's being received on the port. Once the BPDU's stop the port cycles through the STP states to return to it's usual function.

Enabled on a per-port basis only:
sw1(config-if)#spanning-tree guard root

2) BPDU Guard - loop prevention mechanism applied to ports using PortFast so that if a BPDU is recieved on the port the port is placed in to an error-disabled state instead of allowing the traffic to be forwarded and potentially creating a loop.

If a BPDU is being received on the port there must, by definition, be another switch on the other end of the link. PortFast enable ports transition to a forwarding state instantly which is a benefit for end-station devices such as PC's which would be requiring a DHCP address as part of it's start up process. If you had a switch connected to a PortFast enable port packets could be forwarded and a loop created. BPDU Guard helps prevent this.

Enabled globally via:
sw1(config)#spanning-tree portfast bpduguard default

Or on per-interface basis via;
sw1(config-if)#spanning-tree bpduguard enable

3) BPDU Filtering - If a BPDU is received on a PortFast Port BPDU Filtering detects this and removes the PortFast status on the port. The port then transitions through the STP stages and the port then takes it place in the STP topology.

It works slightly differently depending on how the command is executed. When applied globally:
sw1(config)#spanning-tree portfast bpdufilter default

The PortFast enabled port loses it's PortFast status and transitions through the STP stages

When applied at interface level:
sw1(config-if)#spanning-tree bpdufilter enable

The PortFast enabled port is prevent from sending and receiving BPDU's entirely.

4) Unidirectional Link Detection - UDLD - A unidirectional link occurs when a physical fault on a link is such that electrical keepalives can pass across the link but can't pass data in both directions. UDLD detects this state by sending periodic hellos across the link which must be acknowledged.

There are 2 modes -
i) Normal - Link state turns to Undetermined State, port is allowed to continue working and UDLD marks the port and generates a syslog message

ii) Aggressive - The port is set to 'error-disabled', manual intervention is then required.

When enabled Globally it ONLY applied to Fibre ports:
sw1(config)#udld {enable | aggressive}

When configured on a per-port basis use the same command however you now have the option to disable it entirely if you are using a fibre optic port.
sw1(config-if)#udld {enable | aggressive | disable}

Re-enable a port shut down due to UDLD:
sw1(config-if)#udld reset

Verifiy UDLD:
sw1#sh udld interface

5) Loop Guard - Prevents loops forming on ports that transition from Blocking to Forwarding due to suddenly not receiving BPDU's from the switch on the other end of the link. If BPDU's stop being received on a blocking port the max-age timer eventually expires (as there haven't been any further BPDU's to refresh the timer) and the port then cycles through the STP states as it thinks there is no longer another switch on the other end of the link.

If the port transitions to a forwarding state then a loop can occur. Loop Guard helps prevent this sequence of events by tracking BPDU activity on non-designated ports.

If BPDU's are suddenly no longer received Loop Guard puts the port in to a 'Loop Inconsistent' blocking state. The port then remains in a blocking state and a loop can be avoided.

Loop Guard automatically enables the port again once BPDU's start being received again.

Enable globally via the command:
sw1(config)#spanning-tree loopguard default

Enable on specific ports using:
sw1(config-if)#spanning-tree guard loop

Loop Guard works on a per VLAN basis so doesn't block the entire port simply the VLAN is blocked.

CCNP - ENTERPRISE - Spanning-tree Protocol Link Convergence Tools

The following tools allow for faster link convergence in relation to STP:
1) Portfast - Applied on access switch ports linked to host devices (not other switches). Transitions the port to a forwarding state straight away instead of transition through the STP states Listening (15 secs), then Learning (15 secs), and finally forwarding. Not to be used on trunk links as it could result in loops occurring.

Applied globally via:
sw1(config)#spanning-tree portfast default

Or per interface:
sw1(config-if)#spanning-tree portfast

Portfast is also applied using the macro interface command:
sw1(config-if)#switchport host

2) UplinkFast - Applied to access switches, allows fast fail-over when dual uplinks are connected to a distribution layer switch. Can incorporate multiple redundant links to an uplink switch (not just 2 links), where there are more than 2 redundant links to a given switch the link with the next lowest root path cost is unlocked  immediately.

UplinkFast bypasses the Listening and Learning stages.

Note that the command is not allowed on a Root bridge as UplinkFast ensures that the local switch does not become the Root bridge. UplinkFast raises the Bridge Priority to 49,152 therefore it is unlikely the switch would become the Root bridge.

Applied globally via:
sw1(config)#spanning-tree uplinkfast

3) BackboneFast - Enabled on ALL switches in the topology, allows for fast convergence to the network backbone or core after an STP topology change. It shortens the STP convergence times by actively determining whether an alternate path exist to the Root bridge when a link goes down. It uses Root Link Query (RLQ) protocol to detect if the upstream switches have a connection to the Root bridge.

BackboneFast shortens the Max-age timer which in turn can reduce convergence times from 50 secs to approx 30 secs.

Applied on All switches in the topolgy using:
sw2(config)# spanning-tree backbonefast

Verify using;
sw2#sh spanning-trree backbonefast

Thursday, January 27, 2011

CCNP - ENTERPRISE - Inter-VLAN routing notes

- The Forward Information Base will be updated when:
i) An ARP entry for a dest next hp changes, or is removed
ii) The RT entry for the next hop changes
iii) The RT entry for a prefix changes

CCNP - ENTERPRISE - Spanning-tree Protocol notes

- Once a root bridge is elected, Configuration BPDU's are sent only by the Root Bridge. All the other switches must forward the BPDU's (or relay them) adding their own send Bridge ID to the Message.

- On a config output if you see 'Spanning tree enabled protocol ieee' it indicates ieee 802.1d (Common SPanning-Tree) is in use REGARDLESS of the ROLES listed.
- Enable Loop Guard on root ports and alternate ports
- If a BPDU is received on a Loop Guard port that is in an inconsistant state the port will transition to the appropriate state as determined by the normal function of the spanning tree verion/type in place
- Root Guard is enabled on a per-port basis, it re-enables a switch port once it stops receiving superior BPDU's
- When you have a link that is configured as Half-duplex on one end and Full on the other the following situations could arise:
 i) The switch with the Full Duplex setting could unblock it's port potentially creating a loop
 ii) The switch with the Full Duplex port will not be performing CSMA/CD
 iii) BPDU's amy not successfully negotiate port states on the link between the two switches.
- A switch running 802.1d (cst) will use the Forward delay timer to age out entries in the MAC address table when a tology change is received.
- MST extends 802.1w to multiple spanning trees.


- When configuring a Trunk link, be sure to configure the same native VLAN at the each end. If you leave a trunk with default settings, VLAN 1 will be used by default.
  If you see the cmd #switchport trunk natvie vlan [id] on one end and not on the other you will get a mismatch error
- On an ISL enabled trunk if it received an unencapsulated frame it will be dropped.

CCNP - ENTERPRISE - Implementing IP Switching notes

- GAP analysis should be conducted at the Plan phase of the Lifecycle Services approach
- NAT can consistantly increase the load on a CPU on a MLS switch.
- TTL decrementing and rewrite of Src and Dest MAC Addresses do not occur on a L2 switch
- L3 switching provides the ability to circumvent CPU processing

CCNP - ENTERPRISE - Preparing the Campus for Advanced Services notes

- With regards to Multicast, IGMP snooping is enabled by default on catalyst switches
- When traffic from a multicast source is received on a port that it not expected the router will drop the packets.
- is reserved for Network Time Protocol
- You might implement Voice services on a network to reduce costs and increase productivity.

CCNP - ENTERPRISE - Port Security notes

- An attacker would launch an MAC Flood Attack to capture data from the network and to initiate a DoS attack.
- use the cmd #sh monitor session 1 detail to observe whether data is being sent in association with that session.

CCNP - ENTERPRISE - First Hop Redundancy notes

- A standby router configured with HSRP will take 9 seconds to detect the loss of an active router (based on default timers)
- With GLBP there is no limit to the number of routers you can implement in a group, however only a maximum of 4 active routers will be forwarding at any given time (due to a limit of 4 virtual MAC addresses that can be used with a group).
- Default GLBP priority is 100, when a router is the Active Virtual Gateway or an Active Virtual forwarder either the priority has been increased from the default on the AVG OR the Priority has been reduced from the default on the AVF

Thursday, January 20, 2011

CCNP - ENTERPRISE - Inter-vlan Routing Notes

- Router interfaces on a Router-on-a-stick setup are configured as L3 subinterfaces

- Reasons you wouldn't need to implement an SVI;
i) Provide failover for a failed primary SVI
ii) Provide connectivity to an external router for inter-vlan routing

- The cmd 'Autostate Exclude' could be implemented on a port that is used for monitoring and is connected to an IDS

- A Glean adjacency is when a MLS connects directly to several hosts and the FIB table maintains a prefix for the subnet rather than individual host prefixes

- If you get 'incomplete' or 'drop' adjacencies check the switch hasn't been configured with unsupported software features.