Compare commits
7 Commits
889f08a5c2
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4d24fca821 | ||
|
|
fd0887a683 | ||
|
|
172db956a3 | ||
|
|
994cb382cb | ||
|
|
6c2b3ce357 | ||
|
|
c5fa59b6e0 | ||
|
|
2566897246 |
@@ -25,3 +25,14 @@ tags:
|
|||||||
[[Subnetting (Part 1)]]
|
[[Subnetting (Part 1)]]
|
||||||
[[Subnetting (Part 2)]]
|
[[Subnetting (Part 2)]]
|
||||||
[[Subnetting (Part 3 - VLSM)]]
|
[[Subnetting (Part 3 - VLSM)]]
|
||||||
|
[[VLAN (Part 1)]]
|
||||||
|
[[VLAN (Part 2)]]
|
||||||
|
[[VLAN (Part 3)]]
|
||||||
|
[[DTP - VTP]]
|
||||||
|
[[Protocole Spanning Tree (part1)]]
|
||||||
|
[[Protocole Spanning Tree (part2)]]
|
||||||
|
[[PortFast (STP Toolkit)]]
|
||||||
|
[[BPDU Guard & BPDU Filter (STP Toolkit)]]
|
||||||
|
[[Root Guard (STP Toolkit)]]
|
||||||
|
[[Rapid Spanning Tree Protocol]]
|
||||||
|
[[EtherChannel]]
|
||||||
|
|||||||
85
16. VLAN (Part 1).md
Normal file
85
16. VLAN (Part 1).md
Normal file
@@ -0,0 +1,85 @@
|
|||||||
|
---
|
||||||
|
id: 16. VLAN (Part 1)
|
||||||
|
aliases: []
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# VLAN (Part 1)
|
||||||
|
|
||||||
|
## What is a [[LAN]]?
|
||||||
|
|
||||||
|
Previously i said that a LAN is a group of devices (PCs, servers, routers, switches) in a single
|
||||||
|
location (home office, etc.)
|
||||||
|
|
||||||
|
A more specific definition: A LAN is a single [[broadcast domain]], including all devices in that
|
||||||
|
broadcast domain.
|
||||||
|
|
||||||
|
## Broadcast domains
|
||||||
|
|
||||||
|
A broadcast domain is the group of devices which will receive a broadcast frame (destination [[MAC]]
|
||||||
|
FFFF.FFFF.FFFF) sent by any one of the members.
|
||||||
|
|
||||||
|
Perfomance: lots of unnecessary broadcast traffic can reduce network performance
|
||||||
|
Security : Even within the same office you want to limit who has access to what. You can apply
|
||||||
|
security policies on a [[router]]/[[firewall]]
|
||||||
|
|
||||||
|
Because this is one LAN, PCs can reach each other directly, without traffic passing through the router
|
||||||
|
So even if you configure security policies, they won't have any effect.
|
||||||
|
|
||||||
|
Although we separated the three departments into three subnets ([[OSI|Layer 3]]), they are still in
|
||||||
|
the same broadcast domain ([[OSI|Layer 2]])
|
||||||
|
|
||||||
|
## What is a [[VLAN]]
|
||||||
|
|
||||||
|
A [[switch]] will not forward traffic between VLANs, including broadcast/unknown unicast traffic
|
||||||
|
|
||||||
|
- VLANs are configured on switches on a **per-interface** basis.
|
||||||
|
- logically separate end hosts at Layer 2.
|
||||||
|
|
||||||
|
The switch does not perform inter-Vlan routing. It must send the traffic through the router
|
||||||
|
|
||||||
|
### VLAN configuration
|
||||||
|
|
||||||
|
to display all the VLAN's available you can do the command
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1#show vlan brief
|
||||||
|
```
|
||||||
|
|
||||||
|
By default all interfaces are set to VLAN 1
|
||||||
|
|
||||||
|
But VLANs1, 10002-1005 exist by default and *cannot be deleted*
|
||||||
|
|
||||||
|
to assign interfaces to a VLAN
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#interface range g1/0 - 3
|
||||||
|
SW1(config)#switchport mode access
|
||||||
|
SW1(config)#switchport access vlan 10
|
||||||
|
% Access VLAN does not exist. Creating vlan 10
|
||||||
|
```
|
||||||
|
|
||||||
|
An access port is a switchport which belongs to asingle VLAN, and usually connects to end hosts
|
||||||
|
like PCs
|
||||||
|
|
||||||
|
Switchports which carry multiple VLANs are called 'trunk ports' (More information on trunks in
|
||||||
|
the next lesson)
|
||||||
|
|
||||||
|
You can change the name of the VLAN with the command :
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#vlan 10
|
||||||
|
SW1(config-vlan)#name ENGINEERING
|
||||||
|
```
|
||||||
|
|
||||||
|
This Commang creates a VLAN.
|
||||||
|
(In this case it was already automatically created when we assigned the interfaces)
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
- What is a (LAN)?
|
||||||
|
- Broadcast domains
|
||||||
|
- What is a Vlan
|
||||||
|
- What is the purpose of VLANs?
|
||||||
|
- How to configure VLANs on Cisco switches
|
||||||
|
|
||||||
199
17. VLAN (Part 2).md
Normal file
199
17. VLAN (Part 2).md
Normal file
@@ -0,0 +1,199 @@
|
|||||||
|
---
|
||||||
|
id: 17. VLAN (Part 2)
|
||||||
|
aliases: []
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# VLAN (Part 2)
|
||||||
|
|
||||||
|
## Trunk ports
|
||||||
|
|
||||||
|
In a small network with few [[VLAN]]s it is possible to use separate interface for each VLAN
|
||||||
|
when connecting switches to switches, and switches to routers.
|
||||||
|
|
||||||
|
However, when the number of VLANs increases, this is not viable. it will result in wasted interfaces,
|
||||||
|
and often routers won't have enough interfaces for each VLAN.
|
||||||
|
|
||||||
|
You can use trunk ports to carry traffic from multiple VLANs over a single interface.
|
||||||
|
|
||||||
|
Switches wil 'tag' all frames that they send over a trunk link.
|
||||||
|
This allows the receiving switch to know which VLAN the frame belong to.
|
||||||
|
|
||||||
|
Trunk ports = 'tagged' ports
|
||||||
|
Access ports = 'untagged' ports
|
||||||
|
|
||||||
|
### VLAN Tagging
|
||||||
|
|
||||||
|
- There are two main trunking protocols: [[ISL]] (Inter-Switch Link) and [[IEEE 802.1Q]] (dot1q)
|
||||||
|
- ISL is an old Cisco proprietary protocol created before the industry standard IEEE 802.1Q
|
||||||
|
- IEEE 802.1Q is an industry standard protocol created by the [[IEEE]] (Institure of Electrical and
|
||||||
|
Electronics Engineers)
|
||||||
|
- You will probably NEVER use ISL in the real world. Even modern Cisco equipment doesn't support it
|
||||||
|
For the CCNA you only need to learn 802.1Q
|
||||||
|
|
||||||
|
#### inside Ethernet Header
|
||||||
|
|
||||||
|
Preamble | SFF | Destination | Source | 802.1Q | Type
|
||||||
|
|
||||||
|
The 802.1Q tag is inserted between the Source and Type/Length fields of the Ethernet frame.
|
||||||
|
The tag is 4 bytes (32 bits) in length.
|
||||||
|
The tag consists of two main fields:
|
||||||
|
- Tag Protocol Identifier [[TPID]]
|
||||||
|
- Tag Control Information [[TCI]]
|
||||||
|
|
||||||
|
The TCI consists of three sub-fields.
|
||||||
|
|
||||||
|
802.1Q tag Format
|
||||||
|
+-----------------------------------+
|
||||||
|
|16 bits | 3 | 1 |12 bits |
|
||||||
|
| | bits | bit | |
|
||||||
|
| TPID | TCI |
|
||||||
|
| | PCP | DEI | VID |
|
||||||
|
+-----------------------------------+
|
||||||
|
|
||||||
|
##### TPID ( Tag Protocol Identifier)
|
||||||
|
|
||||||
|
- 16 bits (2bytes) in length
|
||||||
|
- Always set to a alue of 0x8100. This indicate that the frame is 802.1Q-tagged.
|
||||||
|
|
||||||
|
##### PCP (Priority code point)
|
||||||
|
|
||||||
|
- 3 bits in length
|
||||||
|
- Used for Class of Service (CoS), which prioritizes iimportant traffic in congested network
|
||||||
|
|
||||||
|
##### DEI ( Drop Eligible Indicator)
|
||||||
|
|
||||||
|
- 1 bit in length
|
||||||
|
- Used to indicate frames that can be dropped if the network is congested.
|
||||||
|
|
||||||
|
##### VID (VLAN ID)
|
||||||
|
|
||||||
|
- 12 bits in lenght
|
||||||
|
- Indentifies the VLAN the frame elongs to.
|
||||||
|
- 12 bits in length = 4096 total VLANs (2^12), range of 0 - 4095
|
||||||
|
- VLANs 0 and 4095 are reserved and can't be used
|
||||||
|
- Therefore the actula range of VLANs is 1-4094
|
||||||
|
- Cisco's proprietary ISL also has a VLAN range of 1 - 4094
|
||||||
|
|
||||||
|
more info https://en.wikipedia.org/wiki/IEEE_802.1Q
|
||||||
|
|
||||||
|
## VLAN Ranges
|
||||||
|
|
||||||
|
- The range of VLANs (1-4094) is divided into two sections:
|
||||||
|
Normal VLANs: 1-1005
|
||||||
|
Extended VLANs : 1006-4094
|
||||||
|
|
||||||
|
- Some older devices cannot use the extended VLAN range, however it's safe to expect that modern
|
||||||
|
switches will support the extended VLAN range.
|
||||||
|
|
||||||
|
## Native VLAN
|
||||||
|
|
||||||
|
- 802.1Q has a feature called the **native VLAN**.
|
||||||
|
ISL does not have this feature
|
||||||
|
- The native VLAN is VLAN 1 by default on all trunk ports, however this can be manually configured
|
||||||
|
on each trunk port.
|
||||||
|
- The switch does not ad an 802.1Q tag to frames in the native VLAN.
|
||||||
|
- When a switch receives an untagged frame on a trunk port, it assumes the frame belongs to
|
||||||
|
the native VLAN.
|
||||||
|
**It's very important that the native VLAN matches!**
|
||||||
|
|
||||||
|
## Trunk Configuration
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#interface g0/0
|
||||||
|
SW1(config-if)#switchport mode trunk
|
||||||
|
command rejected
|
||||||
|
```
|
||||||
|
|
||||||
|
Many modern switches do not support Cisco;s ISL at all. They only support 802.1Q (dot1q)
|
||||||
|
However, switches that do support both (like the one I'm using in this example) have a trunk
|
||||||
|
encapsulation of Auto by default
|
||||||
|
To manually configure the interface as a trunk port, you must first set the encapsulation to
|
||||||
|
802.1Q or ISL. On switches that only support 802.1Q this is not necessary
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#interface g0/0
|
||||||
|
SW1(config-if)#switchport trunk encapsulation dot1q
|
||||||
|
SW1(config-if)#switchport mode trunk
|
||||||
|
```
|
||||||
|
|
||||||
|
To see the configurations about the trunk
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1#show interfaces trunk
|
||||||
|
|
||||||
|
Port Mode encapsulation Status Native vlan
|
||||||
|
Gi0/0 on 802.1q trunking 1
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
## for security reason you must not allow every vlan on the trunk
|
||||||
|
SW1(config-if)#switchport trunk allowed vlan 10,30
|
||||||
|
|
||||||
|
### for adding VLAN
|
||||||
|
SW1(config-if)#switchport trunk allowed vlan add 20
|
||||||
|
|
||||||
|
## For removing Vlan in the trunk use this command
|
||||||
|
SW1(config-if)#switchport trunk allowed vlan remove 20
|
||||||
|
|
||||||
|
### The all option is to allowed all vlan
|
||||||
|
SW1(config-if)#switchport trunk allowed vlan all
|
||||||
|
|
||||||
|
## The except command if for all vlan except a range or a specific vlan
|
||||||
|
SW1(config-if)#switchport trunk allowed except 1-5,10
|
||||||
|
|
||||||
|
## The none disable every VLAN
|
||||||
|
SW1(config-if)#switchport trunk allowed none
|
||||||
|
```
|
||||||
|
|
||||||
|
For security purposes, it is best to change the native VLAN to an unused VLAN.
|
||||||
|
(network security will be explained more-in depth later in the course)
|
||||||
|
**Make sure the native VLAN matches on between switches**
|
||||||
|
|
||||||
|
The command to change the native VLAN is :
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)#switchport trunk native vlan 1001
|
||||||
|
```
|
||||||
|
|
||||||
|
note : the show vlan brief command shows the access prots assigned to each VLAN, not
|
||||||
|
the trunk ports that allow each VLAN.
|
||||||
|
Use the **show interfaces trunk** command instead to confirm trunk ports.
|
||||||
|
|
||||||
|
|
||||||
|
## ROAS (Router on a stick)
|
||||||
|
|
||||||
|
For three VLAN in the same interface
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
R1(config)#interface g0/0
|
||||||
|
R1(config-if)#no shutdown
|
||||||
|
R1(config-if)#interface g0/0.10
|
||||||
|
R1(config-if)#encapsulation dot1q 10
|
||||||
|
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
|
||||||
|
R1(config-if)#encapsulation dot1q 20
|
||||||
|
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
|
||||||
|
R1(config-if)#encapsulation dot1q 30
|
||||||
|
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
|
||||||
|
```
|
||||||
|
|
||||||
|
The subinterface number does not have to match the VLAN number.
|
||||||
|
Howerver it is highly recommended that they do match, to make it easier to understand
|
||||||
|
|
||||||
|
- ROAS is used to route beween multiple VLANs using a single interface on the router and switch.
|
||||||
|
- The switch interface is configured as a regular trunk.
|
||||||
|
- The router interface is configured using subinterfaces.
|
||||||
|
- You configure the VLAN tag and IP address on each subinterface.
|
||||||
|
- The router will behave as if frames arriving with a certain VLAN tag have arrived on the
|
||||||
|
subinterface configured with that VLAN tag.
|
||||||
|
- The router will tag frames sent out of each subinterface with the VLAN tag configured on the
|
||||||
|
subinterface.
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
- What is a trunk port ?
|
||||||
|
- What is the purpose of trunk ports?
|
||||||
|
- 802.1Q Encapsulation
|
||||||
|
- How to configure trunk ports
|
||||||
|
- 'Router on a Stick'(ROAS)
|
||||||
90
18. VLAN (Part 3).md
Normal file
90
18. VLAN (Part 3).md
Normal file
@@ -0,0 +1,90 @@
|
|||||||
|
---
|
||||||
|
id: 1778493954-IJHJ
|
||||||
|
aliases:
|
||||||
|
- VLAN (Part 3)
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# VLAN (Part 3)
|
||||||
|
|
||||||
|
## Native VLAN on a router (ROAS)
|
||||||
|
|
||||||
|
There 2 methods for configuring the native VLAN on a router:
|
||||||
|
|
||||||
|
1.
|
||||||
|
```Cisco
|
||||||
|
R1(config)# int g0/0.10
|
||||||
|
R1(config-subif)#encapsulaton dot1q *vlan-id* native
|
||||||
|
```
|
||||||
|
|
||||||
|
2.
|
||||||
|
Configure the [[IP address]] for the native VLAN on the router's physical interface
|
||||||
|
(the command is not necessary)
|
||||||
|
```Cisco
|
||||||
|
R1(config)# int g0/0.10
|
||||||
|
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
|
||||||
|
```
|
||||||
|
|
||||||
|
## Layer 3 (Multilayer) switches
|
||||||
|
|
||||||
|
- A multilayer switch is capable of both switching and routing.
|
||||||
|
- It is 'Layer 3 aware'
|
||||||
|
- You can assign IP addresses to its interfaces, like a router.
|
||||||
|
- You can create virtual interfaces for each VLAN, and assign IP addresses to those interfaces.
|
||||||
|
- You can configure routes on it, just like a router.
|
||||||
|
- it can be used for inter-VLAN routing
|
||||||
|
|
||||||
|
### Inter-VLAN routing via SVI
|
||||||
|
|
||||||
|
- SVIs (Switch Virtual Interfaces) are the virtual interfaces you can assign IP addresses to
|
||||||
|
in a multilayer switch.
|
||||||
|
- Configure each PC to use the SVI (Not the router) as their gateway address.
|
||||||
|
- To send traffic to different subnets/VLANs, the PCs will send traffic to the switch,
|
||||||
|
and the switch will route the traffic
|
||||||
|
|
||||||
|
the command to enable Layer 3 routing on the switch is
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW2(config)#ip routing
|
||||||
|
|
||||||
|
## this configure the interface as a 'routed port'
|
||||||
|
## (Layer 3 port, not Layer 2 /switchport)
|
||||||
|
SW2(config)#interface g0/1
|
||||||
|
SW2(config-if)#no switchport
|
||||||
|
|
||||||
|
## then you can configure an IP address on the interface like a regular router interface
|
||||||
|
SW2(config-if)#ip address 192.168.1.193 255.255.255.252
|
||||||
|
|
||||||
|
## then you can configure the default route
|
||||||
|
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.194
|
||||||
|
```
|
||||||
|
|
||||||
|
To configure SVI you can assign ip address to each vlan
|
||||||
|
```Cisco
|
||||||
|
SW2(config)#interface vlan10
|
||||||
|
SW2(config-if)#ip address 192.168.1.62 255.255.255.192
|
||||||
|
SW2(config-if)#no shutdown
|
||||||
|
SW2(config)#interface vlan20
|
||||||
|
SW2(config-if)#ip address 192.168.1.126 255.255.255.192
|
||||||
|
SW2(config-if)#no shutdown
|
||||||
|
SW2(config)#interface vlan30
|
||||||
|
SW2(config-if)#ip address 192.168.1.190 255.255.255.192
|
||||||
|
SW2(config-if)#no shutdown
|
||||||
|
```
|
||||||
|
|
||||||
|
1. The Vlan must exist on the switch
|
||||||
|
2. The swithc must have at least one access port in the VLAN in an up/up state, AND/OR
|
||||||
|
one trunk port that allows the VLAN that is in an up/up state
|
||||||
|
3. The VLAN must not be shutdown (you can use the shutdown command to disable a VLAN)
|
||||||
|
4. The SVI must not be shutdown (SVIs are disabled by default)
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
- Native VLAN on a router
|
||||||
|
- Wireshark analysis
|
||||||
|
- Layer 3 Switching/multilayer Switching
|
||||||
|
|
||||||
|
**next lesson**
|
||||||
|
- DTP (Dynamic Trunking Protocol)
|
||||||
|
- VTP (VLAN trunking Protocol)
|
||||||
|
|
||||||
200
19. DTP - VTP.md
Normal file
200
19. DTP - VTP.md
Normal file
@@ -0,0 +1,200 @@
|
|||||||
|
---
|
||||||
|
id: 19. DTP - VTP
|
||||||
|
aliases: []
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# DTP - VTP
|
||||||
|
|
||||||
|
Note: DTP and VTP were removed from the CCNA exam topics list for the new exam (200-301).
|
||||||
|
However, it's important to know their function, and you may still get questions about them
|
||||||
|
on the exam even though they are not on the topics list
|
||||||
|
|
||||||
|
## DTP Dynamic Trunking Protocol
|
||||||
|
|
||||||
|
DTP is a [[Cisco]] proprietary protocol that allows Cisco switches to dynamically determine
|
||||||
|
their interface status (access or trunk) without manual configuration
|
||||||
|
|
||||||
|
DTP is enabled by default on all Cisco switch interfaces.
|
||||||
|
|
||||||
|
So far, we have been manually configuring switchports using these command :
|
||||||
|
- switchport mode access
|
||||||
|
- switchport mode trunk
|
||||||
|
|
||||||
|
For security purposes, manual configuration is recommended. DTP should be disabled on all switchports
|
||||||
|
|
||||||
|
### CLI
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW2(config-if)#switchport mode ?
|
||||||
|
## we will focus on the dynamic option
|
||||||
|
|
||||||
|
SW2(config-if)#switchport mode dynamic ?
|
||||||
|
## we have to mode auto or desirable
|
||||||
|
```
|
||||||
|
|
||||||
|
A switchport in dynamic desirable mode will actively try to form a trunk with other Cisco switches,
|
||||||
|
it will form a trunk if connected to another switchport in the following modes:
|
||||||
|
|
||||||
|
1. switchport mode trunk
|
||||||
|
1. switchport mode dynamic desirable
|
||||||
|
1. switchport mode dynamic auto
|
||||||
|
|
||||||
|
to verify you can
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1# show interfaces g0/0 switchport
|
||||||
|
Name: Gi0/0
|
||||||
|
Switchport: Enabled
|
||||||
|
Administrative Mode: Dynamic desirable
|
||||||
|
Operational Mode: trunk
|
||||||
|
```
|
||||||
|
|
||||||
|
### Static access
|
||||||
|
|
||||||
|
Static access means an access port that belongs to a single VLAN that doesnt change (unless
|
||||||
|
you configure a different VLAN).
|
||||||
|
|
||||||
|
There are also 'dynamic access' ports, in which a server automatically assings the VLAN depending
|
||||||
|
on the [[MAC]] address on the connected device.
|
||||||
|
(This is out of the scope of the CCNA)
|
||||||
|
|
||||||
|
|
||||||
|
| Administrative mode | Trunk | Dynamic desirable | Access | Dynamic Auto |
|
||||||
|
| ------------- | -------------- | -------------- |------------ |------------ |
|
||||||
|
| Trunk | Trunk | Trunk | x | Trunk|
|
||||||
|
| Dynamic Desirable | Trunk | Trunk | Access | Trunk|
|
||||||
|
| Access | x | Access | Access | Access |
|
||||||
|
| Dynamic Auto | Trunk | Trunk | Access | Access |
|
||||||
|
|
||||||
|
|
||||||
|
DTP will not form a trunk with a router, PC, etc.
|
||||||
|
The switchport will be in access mode
|
||||||
|
|
||||||
|
On *older* switches, **swithport mode dynamic desirable** is the default administrative mode.
|
||||||
|
On *newer* switches, **swithport mode dynamic auto** is the default administrative mode.
|
||||||
|
You can disable DTP negotiation on the interface with this command:
|
||||||
|
- switchport nonegotiate
|
||||||
|
|
||||||
|
Configuring an access port with **switchport mode access** also disables DTP negotiation on
|
||||||
|
an interface
|
||||||
|
|
||||||
|
It is recommended that you disable DTP on all switchports and manually confugre them as access or
|
||||||
|
trunk ports.
|
||||||
|
|
||||||
|
### Encapsulation
|
||||||
|
|
||||||
|
[[Switches]] that support both [[802.1Q]] and ISL trunk encapsulations can use DTP to negotiate
|
||||||
|
The encasulation they will use.
|
||||||
|
|
||||||
|
This negotiation is enabled by default, as the default trunk encapsulation mode is :
|
||||||
|
**switchport trunk encapsulation negotiate**
|
||||||
|
|
||||||
|
*ISL is favored over 802.1Q, so if both switches support ISL, it will be selected*
|
||||||
|
|
||||||
|
DTP frames are sent in VLAN1 when using ISL or in the [[native VLAN]] whe using 802.1Q
|
||||||
|
(the default native VLAN is VLAN1, however)
|
||||||
|
|
||||||
|
## VTP VLAN Trunking Protocol
|
||||||
|
|
||||||
|
VTP allows you to configure VLANs on a central VTP server switch, and other switches (VTP client)
|
||||||
|
will synchronize their VLAN database to the server.
|
||||||
|
It is designed for large networks with many VLANs, so that you don't have to configure each VLAN
|
||||||
|
on every switch
|
||||||
|
It is rarely used, and it is recommended that you do not use it.
|
||||||
|
There are three VTP versions: 1, 2, and 3.
|
||||||
|
There are three VTP modes: server, client, and transparent.
|
||||||
|
*Cisco switches operate in VTP server mode by default*
|
||||||
|
|
||||||
|
### VTP Servers
|
||||||
|
|
||||||
|
Can add/modify/delete VLANs
|
||||||
|
Store the VLAN database in non-volatile RAM (NVRAM)
|
||||||
|
Will increase the revision number every time a VLAN database on trunk interfaces, and
|
||||||
|
The VTP clients will synchronize their VLAN database to it
|
||||||
|
VTP servers also function as VTP client
|
||||||
|
Therefore, A VTP server will synchronize to anothre VTP server with a higher revision number
|
||||||
|
|
||||||
|
### VTP clients
|
||||||
|
|
||||||
|
Cannot add/modify/delete VLANs
|
||||||
|
Do not store the VLAN database in NVRAM (in VTPv3 they do)
|
||||||
|
Will synchronize their VLAN database to the server with the highest revision number in their VTP domain
|
||||||
|
Will advertise their VLAN database, and forward VTP advertisements to other client over their trunk
|
||||||
|
ports.
|
||||||
|
|
||||||
|
### How it's work
|
||||||
|
|
||||||
|
to see all the VTP type
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1#Show VTP status
|
||||||
|
```
|
||||||
|
|
||||||
|
VTPvv1/v2 do not support the extended VLAN range (1006-4094) only BTPv3 supports them
|
||||||
|
|
||||||
|
to set a domain name
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1#vtp domain cisco
|
||||||
|
```
|
||||||
|
|
||||||
|
now on switch 1 can do
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1#vlan 10
|
||||||
|
SW1#name engineering
|
||||||
|
```
|
||||||
|
|
||||||
|
switch 2 will have the same vtp domain and vlan configured
|
||||||
|
pass along to switch 3 and 4
|
||||||
|
|
||||||
|
|
||||||
|
If a switch with no VTP domain (domain NULL) receives a VTP advertisement with a VTP domain name,
|
||||||
|
it will automatically join that VTP domain
|
||||||
|
|
||||||
|
If a switch receives a VTP advertisement in the same VTP domain with a higher revision number
|
||||||
|
it will update its VLAN database to match
|
||||||
|
|
||||||
|
### **ONE DANGER OF VTP**
|
||||||
|
|
||||||
|
If you connect an old switch with a higher revision number to your network ( and the VTP domain
|
||||||
|
matches), all switches in the domain will sync their VLAN database to that switch
|
||||||
|
|
||||||
|
|
||||||
|
### VTP transparent mode
|
||||||
|
|
||||||
|
Does not participate in the VTP domain (does not sync its VLAN database).
|
||||||
|
|
||||||
|
Maintains its own VLAN database in NVRAM. it can add/modify/delete VLANs, byt they won't be
|
||||||
|
advertised to other switches.
|
||||||
|
|
||||||
|
Will forward VTP advertisements that are in the same domain as it.
|
||||||
|
|
||||||
|
NOTE : Changing the VTP domain to an unused domain will reset the revision number to 0
|
||||||
|
Changing the VTP mode to transparent will also reset the revision number to 0
|
||||||
|
|
||||||
|
### VTP version
|
||||||
|
You can change the VTP version with this command
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#vtp version 2
|
||||||
|
```
|
||||||
|
|
||||||
|
VTP V2 is not much different than VTP V1. The major difference is that VTP V2 introduces support
|
||||||
|
for Token RIng VLANs. if you use Token Ring VLANs, you must enable VTP V2. Otherwise there is
|
||||||
|
no reason to use VTP V2
|
||||||
|
|
||||||
|
For the V3 it's Beyond the scope of the CCNA
|
||||||
|
|
||||||
|
# Review
|
||||||
|
|
||||||
|
note: Recommended that you disable this protocol for security purposes.
|
||||||
|
|
||||||
|
DTP (dynamic trunking Protocol)
|
||||||
|
a protocol that allows Cisco switches to form trunk connections with other cisco switch without
|
||||||
|
manual configuration
|
||||||
|
|
||||||
|
VTP (VLAN Trunking Protocol)
|
||||||
|
Allow to configure VLAN on switches that operate as central VTP servers, which then advertise
|
||||||
|
Their VLAN database,and VTP client switches sync their database to it
|
||||||
140
20. Protocole Spanning Tree (part1).md
Normal file
140
20. Protocole Spanning Tree (part1).md
Normal file
@@ -0,0 +1,140 @@
|
|||||||
|
---
|
||||||
|
id: 20. Protocole Spanning Tree
|
||||||
|
aliases: []
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# Protocole Spanning Tree
|
||||||
|
|
||||||
|
## Networks Redundancy
|
||||||
|
|
||||||
|
- Redundandy is an essential part of network design.
|
||||||
|
- Modern networks are expected to run 24/7/365
|
||||||
|
- if one network component fails, you must ensure that other components will take over
|
||||||
|
with little or no downtime
|
||||||
|
- As much as possible, you must implement redundancy at every possible point in the network
|
||||||
|
|
||||||
|
note: Most PCs only have a single network interface card [[NIC]], so they can only be plugged
|
||||||
|
into a single switch. However, important servers typically have multiple NICs, so they can be
|
||||||
|
plugged into multiple switches for redundancy
|
||||||
|
|
||||||
|
The [[Ethernet header]] doesn't have a [[TTL]] field. These broadcast frames will loop around
|
||||||
|
the network indefinitely, if enough of these looped broadcasts accumulate in the network, the
|
||||||
|
network will be too congested for legitimate traffic to use the network. This is called
|
||||||
|
[[Broadcast Storm]]
|
||||||
|
|
||||||
|
Network congestion isn't the only problem. each time a frame arrives on a switchport, the switch
|
||||||
|
uses the source [[MAC]] address field to learn the MAC address and update its MAC address table.
|
||||||
|
When a frames with the same source MAC address repeatedly arrive on different interfaces,
|
||||||
|
the switch is continously updating the interface in its MAC address table. this is known as
|
||||||
|
[[MAC Address Flapping]]
|
||||||
|
|
||||||
|
## Spanning Tree protocol
|
||||||
|
|
||||||
|
- Classic Spanning Tree Protocol is **IEEE 802.1D**
|
||||||
|
- Switches from all vendors run STP by default.
|
||||||
|
- STP prevents Layer 2 loops by placing redundant ports in a blocking state, essentially disabling
|
||||||
|
the interface.
|
||||||
|
- These interfaces act as backups that can enter a forwarding state if an active (=currently forwarding)
|
||||||
|
interface fails
|
||||||
|
- Interfaces in a frowarding state behave normally. They send and receive all normal traffic.
|
||||||
|
- Interfaces in a blocking state only send or receive STP messages (called **[[BPDU]]s**)
|
||||||
|
Bridge Protocol Data Units
|
||||||
|
|
||||||
|
note: Spanning Tree Protocol still use the term [[Bridge]]. However, when we use the term
|
||||||
|
bridge, we really mean [[Switch]]. Bridges are not used in modern networks.
|
||||||
|
|
||||||
|
- By selecting which ports are forwarding and which ports are blocking, STP creates a single path to/from
|
||||||
|
each point in the network. This prevents Layer 2 loops.
|
||||||
|
- There us a set process that STP uses to determine which ports should be forwartding and which should
|
||||||
|
be blocking
|
||||||
|
- STP-enanbled switches send/receive Hello BPDUs out of all interfaces, the default timer is
|
||||||
|
2 seconds (the switch will send a Hello BPDU out of every interface, once every 2 secong)
|
||||||
|
- If a switch receives a Hello BPDUs on an interface, it knows that interface is connected to another
|
||||||
|
switch (routers, PCs, etc. do not use STP, so they do not send Hello BPDUs)
|
||||||
|
|
||||||
|
- Switches use one field in the STP BPDU, the Bridge ID field, to elect a root bridge for the network
|
||||||
|
- The switch with the lowest Bridge ID becomes the root bridge.
|
||||||
|
- ALL ports on the root bridge are put in a forwarding state,and other switches in the topology
|
||||||
|
must have a path to reach the root bridge
|
||||||
|
|
||||||
|
+---------------------------------+
|
||||||
|
| Bridge ID |
|
||||||
|
|------------------+--------------|
|
||||||
|
| Bridge Priority | Mac address |
|
||||||
|
| 16 bits | 48 bits |
|
||||||
|
+---------------------------------+
|
||||||
|
|
||||||
|
The default bridge priority is 32768 on all switches, so by default the MAC address is used
|
||||||
|
as the tie-breaker (lowest MAC address becomes the root bridge)
|
||||||
|
|
||||||
|
**The Bridge Priority is compared first. if they tie, the MAC address is then compared**
|
||||||
|
|
||||||
|
Howerver the Bride ID have been updated
|
||||||
|
|
||||||
|
+---------------------------------+
|
||||||
|
| Bridge ID |
|
||||||
|
|------------------+--------------|
|
||||||
|
| Bridge Priority | Mac address |
|
||||||
|
| 16 bits | 48 bits |
|
||||||
|
+---------------------------------+
|
||||||
|
|
|
||||||
|
+----------------------------+
|
||||||
|
| Bridge | Extended System ID|
|
||||||
|
|Priority| (VLAN ID) |
|
||||||
|
| 4bits | 12 bits |
|
||||||
|
+----------------------------+
|
||||||
|
|
||||||
|
Cisco switches use a version of STP called PVST (per-VLAN Spanning Tree).
|
||||||
|
PVST runs a separate STP instance in each VLAN, so in each VLAN different interfaces
|
||||||
|
can be forwarding/blocking
|
||||||
|
|
||||||
|
in the default VLAN of 1, the default bridge priority is actually 32769 (32768 + 1)
|
||||||
|
|
||||||
|
The STP bridge priority can only be changed in units of 4096
|
||||||
|
|
||||||
|
All interface on the root bridge are **designated ports**. designated ports are in a forwarding state
|
||||||
|
|
||||||
|
Whe a switch is powered on, it assumes it is the root bridge.
|
||||||
|
it will only give up its position if it receives a superior BPDU (lower bridge ID)
|
||||||
|
|
||||||
|
Once the topology has converged and all switches agree on the root bridge, only the root bridge sends BPDUs
|
||||||
|
Other switches in the network will forward these BPDUs, but will not generate their own original BPDUs
|
||||||
|
|
||||||
|
### STP Cost
|
||||||
|
|
||||||
|
| Speed | STP Cost |
|
||||||
|
| -------------- | --------------- |
|
||||||
|
| 10Mbps | 100 |
|
||||||
|
| 100Mbps | 19 |
|
||||||
|
| 100Gbps | 4 |
|
||||||
|
| 10Gbps | 2 |
|
||||||
|
|
||||||
|
The ports connected to another switch's root port MUST be designated. Because the root port is the switch's path to the root bridge
|
||||||
|
another switch must not block it
|
||||||
|
|
||||||
|
### Port ID
|
||||||
|
|
||||||
|
STP Port ID = port priority (default 128) + port number
|
||||||
|
|
||||||
|
Every collision domain has a single STP designated port
|
||||||
|
|
||||||
|
### Steps
|
||||||
|
|
||||||
|
1) The switch with the lowest bridge ID is elected as the root bridge. All ports on the root bridge are designated ports (forwarding state).
|
||||||
|
2) Each remaining switch will select ONE of its interfaces to be its root port. The interface with the lowest root cost will
|
||||||
|
be the root port. Root ports are also in a forwarding state
|
||||||
|
Root port selection:
|
||||||
|
- lowest root cost
|
||||||
|
- lowest neighbor bridge ID
|
||||||
|
- lowest neighbor port ID
|
||||||
|
3) Each remaining collision domain will select ONE interface to be a designated port (forwarding state). THe other port in the
|
||||||
|
collision domain will be non-designated (blocking)
|
||||||
|
Designated port selection:
|
||||||
|
- Interface on switch wih lowest root cost
|
||||||
|
- Interface on switch wih lowest bridge ID
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
- Redundancy in networks
|
||||||
|
- STP (Spanning Tree Protocol)
|
||||||
167
21. BPDU Guard & BPDU Filter (STP Toolkit).md
Normal file
167
21. BPDU Guard & BPDU Filter (STP Toolkit).md
Normal file
@@ -0,0 +1,167 @@
|
|||||||
|
---
|
||||||
|
id: 1779916771-SNCX
|
||||||
|
aliases:
|
||||||
|
- BPDU Guard & BPDU Filter (STP Toolkit)
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# BPDU Guard & BPDU Filter (STP Toolkit)
|
||||||
|
|
||||||
|
PortFast makes a port start in the Forwarding state when it is connected, but it doesn't disable STP
|
||||||
|
on the port.
|
||||||
|
- The port will continue to send BPDUs every 2 seconds.
|
||||||
|
|
||||||
|
Because end hosts don't run STP and send BPDUs, a PortFast enabled port shouldn't receive BPDUs
|
||||||
|
- But what if it does?
|
||||||
|
|
||||||
|
If a PortFast-enabled port receives an STP BPDU, it will revert to acting like a regular STP port
|
||||||
|
(without PortFast)
|
||||||
|
|
||||||
|
## BPDU Guard
|
||||||
|
|
||||||
|
### The problem
|
||||||
|
|
||||||
|
PortFast should only be enabled on ports connected to non-switch devices (end osts, routers).
|
||||||
|
- A PortFast-enabled port still sends BPDUs and will operate like a regular STP port if it
|
||||||
|
receives VPDUs from a neighbor.
|
||||||
|
- If an end user carelessly connects a switch to a port meant for end hosts,, it could affect the
|
||||||
|
STP topology.
|
||||||
|
- *BPDU Guard* acts as a safeguard against this.
|
||||||
|
|
||||||
|
### The Solution
|
||||||
|
|
||||||
|
BPDU Guard protects the network from unauthorized switches being connected to ports intended for end hosts.
|
||||||
|
It can be configured separately from [[PortFast]] but both features are usually used together.
|
||||||
|
They both enhance STP's functionality on ports inteded for end hosts.
|
||||||
|
|
||||||
|
A BPDU Guard-enabled port contibues to send BPDUs, but if it receives a BPDU it enters the error-disabled state.
|
||||||
|
- In effect, this disbales the port.
|
||||||
|
|
||||||
|
### Configuration
|
||||||
|
|
||||||
|
Like PorFast, BPDU Guard can be configured in two ways:
|
||||||
|
|
||||||
|
per-port:
|
||||||
|
```Cisco
|
||||||
|
SW3(config-if)# spanning-tree bpduguard enable
|
||||||
|
```
|
||||||
|
|
||||||
|
default
|
||||||
|
```Cisco
|
||||||
|
SW3(config)# spanning-tree portfast bpduguard default
|
||||||
|
```
|
||||||
|
|
||||||
|
When enabled by default *BPDU Guard* is activated on **All Portfast-enabled ports**.
|
||||||
|
|
||||||
|
disableing it
|
||||||
|
```Cisco
|
||||||
|
SW3(config)# spanning-tree bpduguard disable
|
||||||
|
```
|
||||||
|
|
||||||
|
### Errdisable
|
||||||
|
|
||||||
|
ErrDiable is a [[Cisco]] switch feature that disables a port under certain conditions, such as BPDU
|
||||||
|
Guard violation.
|
||||||
|
More examples are
|
||||||
|
- Power Policing violations
|
||||||
|
- Port Security violations
|
||||||
|
- DAI (Dynamic ARP inspection) violations
|
||||||
|
|
||||||
|
to re-enable an err-disabled port, *first solve the underlying issue*
|
||||||
|
- if you re0enable the port without fixing the issue, it will just be err-disabled again.
|
||||||
|
|
||||||
|
You can re-enable an err-disabled port in two ways:
|
||||||
|
1. Manual: use *shutdown* and *no shutdown* to reset the disabled port.
|
||||||
|
2. Automatic: *ErrDisable Recovery*
|
||||||
|
|
||||||
|
#### ErrDisable Recovery
|
||||||
|
|
||||||
|
ErrDisable Recovery is a feature that automatically re-enables err disabled ports after a certain period of time
|
||||||
|
|
||||||
|
ErrDisable Recovery is disabled by default
|
||||||
|
|
||||||
|
to view it status use
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1# show errdisable recovery
|
||||||
|
```
|
||||||
|
|
||||||
|
The default recovery timer is 300 seconds (5minutes).
|
||||||
|
- err-disabled interfaces will be automatically re-enabled after 5 minutes
|
||||||
|
|
||||||
|
command to modify the interval is
|
||||||
|
```Cisco
|
||||||
|
SW1# errdisable recovery interval *seconds*
|
||||||
|
```
|
||||||
|
|
||||||
|
to enable ErrDisable Recovery for ports disabled by a particular cause use
|
||||||
|
```Cisco
|
||||||
|
SW1(config)# errdisble recovery cause *cause*
|
||||||
|
```
|
||||||
|
|
||||||
|
## BPDU Filter
|
||||||
|
|
||||||
|
### The Problem
|
||||||
|
|
||||||
|
A switch port connected to an end host contnues sending BPDUs every 2 seconds.
|
||||||
|
- regardless of whether PortFast and/or BPDU GUard are enabled
|
||||||
|
If the port doeen't connect to a switch, sending BPDUs is unnecessary and undesirable for a
|
||||||
|
coupe of reasons
|
||||||
|
1. Sendig BPDUs uses some bandwidth and processing power on the witch (althrough it's minimal).
|
||||||
|
2. BPDUs contain information about the LAN's STP topology
|
||||||
|
- If maximum security is a concern, you should avoid sending this info to user devices.
|
||||||
|
|
||||||
|
Bpdu Filter solves this by preventing a port from sending BPDUs
|
||||||
|
|
||||||
|
### The Solution
|
||||||
|
|
||||||
|
BPDU FIlter stops a port fro sending BPDUs
|
||||||
|
- Unlike BPDU Guard, it does not disable the port if it receives a BPDU
|
||||||
|
BPDU filter can be enabled in two ways:
|
||||||
|
|
||||||
|
per-port:
|
||||||
|
```Cisco
|
||||||
|
SW3(config-if)# spanning-tree bpdufilter enable
|
||||||
|
```
|
||||||
|
The port will not send BPDUs
|
||||||
|
The port will ignore any BPDUs it receives.
|
||||||
|
In effect this disables [[STP]] on the port. *Use with caution!*
|
||||||
|
|
||||||
|
default
|
||||||
|
```Cisco
|
||||||
|
SW3(config)# spanning-tree portfast bpdufilter default
|
||||||
|
```
|
||||||
|
BPDU Filter will be activated on all *PortFast-enabled ports*.
|
||||||
|
You can use spanning-tree bpdufilter disable to disable it on specific ports.
|
||||||
|
The port will not send BPDUs
|
||||||
|
If the port receives a BPDU, PortFast and BPDU Filter are disabled, and it operates as a normal STP Port.
|
||||||
|
|
||||||
|
## Recommandation
|
||||||
|
|
||||||
|
Enable PortFast and BPDU Guard however you prefer (per-port or by default)
|
||||||
|
- Only enable BPDU Filter by default (global config mode).
|
||||||
|
- Unless you have a very good reason to enable it per-port
|
||||||
|
|
||||||
|
*BPDU Guard* and *BPDU Filter* can be enabled on the same port at the same time:
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
If BPDU Filter is enabled in global-confg mode and the port receives a BPDU:
|
||||||
|
1. BPDU Filter will be disabled
|
||||||
|
2. BPDU Guard will be triggered (and err-disable the interface)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
If BPDU Fileter is enabled in interface config mode and the port receives a BPDU:
|
||||||
|
- The BPDU will be ignored
|
||||||
|
- BPDU Guard will *not* be triggered
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
### BPDU Guard
|
||||||
|
Automatically disables a port if it receives a BPDU, protecting the STP topology by preventing
|
||||||
|
unauthorized devices from becoming part of the network
|
||||||
|
|
||||||
|
|
||||||
|
### BPDU Filter
|
||||||
|
Stops a port from sending BPDUs or processing received BPDUs
|
||||||
126
21. PortFast (STP Toolkit).md
Normal file
126
21. PortFast (STP Toolkit).md
Normal file
@@ -0,0 +1,126 @@
|
|||||||
|
---
|
||||||
|
id: 1779884291-BCDN
|
||||||
|
aliases:
|
||||||
|
- PortFast (STP Toolkit)
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# PortFast (STP Toolkit)
|
||||||
|
|
||||||
|
ex:
|
||||||
|
Switch <-> PC
|
||||||
|
|
||||||
|
Listening
|
||||||
|
| 15sec
|
||||||
|
Learning
|
||||||
|
| 15sec
|
||||||
|
Forwarding
|
||||||
|
|
||||||
|
When an end host connects to a switch port, the port becomes up/up but can't send/receive data yet.
|
||||||
|
- It is a *Designated port* but will take 30 seconds before it enters the Forwarding state:
|
||||||
|
- 15 seconds in Listening
|
||||||
|
- 15 seconds in Learning
|
||||||
|
This lead to poor user experience
|
||||||
|
- the user probably doesn't even know [[STP]] exists.
|
||||||
|
- They just know "the internet doesn't work" for 30 seconds when they connect their computer.
|
||||||
|
- This wait is unnecessary, because there is no risk of a Layer 2 loop occuring between a switch/PC
|
||||||
|
|
||||||
|
## The solution
|
||||||
|
|
||||||
|
When portFast is configured on a port, the port immediately enters the Forwardin state when connected
|
||||||
|
to another device.
|
||||||
|
It bypasses Listening/Learning and can send/receive data right away
|
||||||
|
|
||||||
|
You can configure PortFast in two ways
|
||||||
|
|
||||||
|
1. Interface config mode
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree portfast
|
||||||
|
```
|
||||||
|
|
||||||
|
This enables PortFast only on the individual interface.
|
||||||
|
|
||||||
|
*Even if you configure spanning-tree porfast on a trunk port, it won't be active.*
|
||||||
|
|
||||||
|
2. Global config mode:
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)# spanning-tree portfast default
|
||||||
|
```
|
||||||
|
|
||||||
|
This enables PorFast on all access ports.
|
||||||
|
|
||||||
|
Connections between switches are almost always trunk links.
|
||||||
|
Connections to end hosts are almost always access links.
|
||||||
|
|
||||||
|
**PortFast should NOT be configured on ports connected to switches or temporary Layer 2
|
||||||
|
loops can occur.**
|
||||||
|
|
||||||
|
## showing result
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)# show spanning-tree interface g0/1 detail
|
||||||
|
```
|
||||||
|
|
||||||
|
## diabling portfast
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree portfast disable
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configurating Portfast on trunk port
|
||||||
|
|
||||||
|
In some cases, you might want to enable PortFast on a trunk port:
|
||||||
|
- A port connected to a virtualization server with virtual machines (VMs) in different VLANs.
|
||||||
|
- A port connected to a [[router]] via router on a stick [[ROAS]].
|
||||||
|
|
||||||
|
This can only be cofigured per-port in interface config mode:
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning tree portfast trunk
|
||||||
|
```
|
||||||
|
|
||||||
|
## PortFast Edge
|
||||||
|
|
||||||
|
In modern Cisco switches, if you use the commands covered in this lecture, the device will automatically
|
||||||
|
add the edge keyword to the configuration.
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree portfast
|
||||||
|
running-config
|
||||||
|
spanning-tree portfast edge
|
||||||
|
```
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning tree portfast trunk
|
||||||
|
running-config
|
||||||
|
spanning-tree portfast edge trunk
|
||||||
|
```
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)# spanning-tree portfast default
|
||||||
|
running-config
|
||||||
|
spanning-tree portfast edge default
|
||||||
|
```
|
||||||
|
|
||||||
|
You can use either version of the commands when configuring PortFast.
|
||||||
|
|
||||||
|
The end result is the same: edge will always be added in the configuraion.
|
||||||
|
|
||||||
|
spanning-tree portfast disable doesn't use the *edge* keyword.
|
||||||
|
|
||||||
|
|
||||||
|
## two kind of Portfast
|
||||||
|
|
||||||
|
There are two kinds of PortFast:
|
||||||
|
- edge
|
||||||
|
- edge is the kind we are covering in this video
|
||||||
|
- network
|
||||||
|
- network is used for a feature called Bridge Assurance (not a CCNA topic)
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
### PortFast:
|
||||||
|
Allows switchs ports connected to end hosts to immediately enter the STP Forwarding state.
|
||||||
|
Bypassing Linstening and Learning
|
||||||
226
21. Protocole Spanning Tree (part2).md
Normal file
226
21. Protocole Spanning Tree (part2).md
Normal file
@@ -0,0 +1,226 @@
|
|||||||
|
---
|
||||||
|
id: 1778913634-WEMK
|
||||||
|
aliases:
|
||||||
|
- Protocole Spanning Tree (part2)
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# Protocole Spanning Tree (part2)
|
||||||
|
|
||||||
|
## Spanning Tree Port State
|
||||||
|
|
||||||
|
| STP Port State | Stable/Transitional |
|
||||||
|
| -------------- | --------------- |
|
||||||
|
| Blocking | Statble |
|
||||||
|
| Listening | Transitional |
|
||||||
|
| Learning | Transitional |
|
||||||
|
| Forwarding | Stable |
|
||||||
|
| Disabled | Stable |
|
||||||
|
|
||||||
|
- Root/Designated ports remain stab;e in Forwarding state.
|
||||||
|
- Non-designated ports remain stabl in a Blocking state.
|
||||||
|
- Listening and Learning are transitional states which are passed through when an interface is
|
||||||
|
activated, or when a *Blocking* port must transition to a Forwarding state due to a change in the
|
||||||
|
network topology
|
||||||
|
|
||||||
|
### Blocking state
|
||||||
|
|
||||||
|
- Non designated ports are in a Blocking state
|
||||||
|
- Interfaces in a Blocking state are effectively disabed to prevent loops.
|
||||||
|
- Interfaces in a Blocking stae do not send/receive regular naetwork traffic.
|
||||||
|
- Interfaces in a Blocking state receive STP BPDUs.
|
||||||
|
- Interfaces in a Blocing state do NOT forward STP BPDUs.
|
||||||
|
- Interfaces in a Blocking state do NOT learn [[MAC]] addresses.
|
||||||
|
|
||||||
|
### Listening state
|
||||||
|
|
||||||
|
- After the Blocking state interfaces with the Designated or Root role enter Listening state.
|
||||||
|
- Only Designated or Root ports enter the Listening state (Non-designated ports are always Blocking)
|
||||||
|
- The Listening state is 15 seconds long by default. This is determined by the *orward delay* timer.
|
||||||
|
- An interface in the listening state ONLY forwards/receives STP BPDUs.
|
||||||
|
- An interface in the Listening state does NOT send/receive regular traffic
|
||||||
|
- An interface in the Listening state does NOT Learn MAC addresses from regular traffic that
|
||||||
|
arrives on the interface
|
||||||
|
|
||||||
|
### Learning state
|
||||||
|
|
||||||
|
- After the Listeing state, a Designated or ROOT port will enter Learning state.
|
||||||
|
- The Learning state is 15 seconds long by default. This is determined by the Forward delay
|
||||||
|
timer ( the same timer is used for both the Listening and Learning states).
|
||||||
|
- An interface in the Learning state ONLY sends/receives STP BPDUs.
|
||||||
|
- An interface in the Learning state learns MAC addresses from regular traffic that arrives on
|
||||||
|
the interface.
|
||||||
|
|
||||||
|
### Forwarding state
|
||||||
|
|
||||||
|
- Root and designated ports are in a Forwarding state.
|
||||||
|
- A port in the Forwarding state operate as normal
|
||||||
|
- A port in the Forwarding state sends/receives BPDUs.
|
||||||
|
- A port in the Forwarding state sends/receives normal traffic.
|
||||||
|
- A port in the Forwarding state learns MAC addresses.
|
||||||
|
|
||||||
|
### summary
|
||||||
|
|
||||||
|
|
||||||
|
| STP Port State |Send/Receive BPDUs | Frame forwarding | Mac address learning| Stable/Transitional |
|
||||||
|
| -------------- |----|----|----| --------------- |
|
||||||
|
| Blocking | No/Yes| NO | NO | Statble |
|
||||||
|
| Listening | Yes/Yes| NO | NO | Transitional |
|
||||||
|
| Learning | Yes/Yes| NO | Yes | Transitional |
|
||||||
|
| Forwarding | Yes/Yes| Yes | Yes | Stable |
|
||||||
|
| Disabled | NO/NO| NO | NO | Stable |
|
||||||
|
|
||||||
|
|
||||||
|
note: Switches do not forward the BPDUs out of their root ports and non-designated ports,
|
||||||
|
only their designated ports
|
||||||
|
|
||||||
|
## STP timers
|
||||||
|
|
||||||
|
### Hello
|
||||||
|
|
||||||
|
How often the root bridge sends hello BPDUs
|
||||||
|
duration: 2 sec
|
||||||
|
|
||||||
|
### Forward delay
|
||||||
|
|
||||||
|
How long the switch will stay in the Listening and Learning states (each stae is 15 seconds
|
||||||
|
= total 30 seconds)
|
||||||
|
duration: 15sec
|
||||||
|
|
||||||
|
### Max Age
|
||||||
|
|
||||||
|
How long an interface will wait after ceasing to receive Hello BDPUs to change the STP topology
|
||||||
|
duration: 20 sec (10*hello)
|
||||||
|
|
||||||
|
- If another BPDU i received before the max age timer counts down to 0, the time will reset to 20
|
||||||
|
seconds and no changes will ocur.
|
||||||
|
|
||||||
|
- If another BPDU is not received the max age timer counts down to 0 and the switch will
|
||||||
|
reevaluate its STP choices, including root bridge, and local root, designated, and non-designated ports
|
||||||
|
|
||||||
|
- if a non-designated port is selected to become a designated or root port, it will transition
|
||||||
|
from the blocking state to the listening state (15 seconds), learning state (15 seconds),
|
||||||
|
and then finally the forwarding state. So it can take a total of 50 seconds for a blocking
|
||||||
|
interface to transition to forwarding
|
||||||
|
|
||||||
|
- These timers and transitional states are to make sure that loops aren't accidentally created
|
||||||
|
by interface moving to forwarding state too soon.
|
||||||
|
|
||||||
|
note: A forwarding interface can move directly to a blocking state (there is no worry
|
||||||
|
about creating a loop by blocking an interface).
|
||||||
|
A blocking interface cannot move directly to forwarding state, it must go through the
|
||||||
|
listening and learning states.
|
||||||
|
|
||||||
|
```Wireshark
|
||||||
|
Dst: PVST+ (01:00:0c:cc:cc:cd)
|
||||||
|
```
|
||||||
|
|
||||||
|
PVST = Only ISL trunk enquapsulation
|
||||||
|
PVST+ = Supports [[802.1Q]]
|
||||||
|
|
||||||
|
Regular STP (not Cisco's PVST+)
|
||||||
|
uses a destination MAC address of 0180.c200.0000
|
||||||
|
|
||||||
|
The STP timers on the root bridge determine the STP timers for th entire network.
|
||||||
|
|
||||||
|
## Spanning Tree Optional Features (STP Toolkit)
|
||||||
|
|
||||||
|
### Portfast
|
||||||
|
|
||||||
|
Portfast allows a port to move imediately to the Forwarding state,
|
||||||
|
bypassing *Listening* and *Learning*.
|
||||||
|
|
||||||
|
If used, it must be enabled *only on ports connected to end hosts,*
|
||||||
|
if enabled on a port connected to another switch it could cause a Layer 2 loop.
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#interface g0/2
|
||||||
|
SW1(config-if)#spanning-tree portfast
|
||||||
|
```
|
||||||
|
|
||||||
|
You can also enable portfast with the command:
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree portfast default
|
||||||
|
```
|
||||||
|
|
||||||
|
This enables portfast on all access ports (not trunk ports).
|
||||||
|
|
||||||
|
### BPDU Guard
|
||||||
|
|
||||||
|
if an interface with BPDU Guard enabled receives a BPDU from another switch,
|
||||||
|
the interface will be shut down to prevent a loop from forming.
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#interface g0/2
|
||||||
|
SW1(config-if)#spanning-tree bpduguard enable
|
||||||
|
```
|
||||||
|
|
||||||
|
You can also enable portfast with the command:
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree portfast bpduguard default
|
||||||
|
```
|
||||||
|
|
||||||
|
### Root Guard
|
||||||
|
|
||||||
|
If you enable root guard on an interface, even if it receives a superior BPDU (lower bridge ID)
|
||||||
|
on that interface , the switch will not accept the new switch as the root bridge.
|
||||||
|
the interface will be disabled.
|
||||||
|
|
||||||
|
### Loop Guard
|
||||||
|
|
||||||
|
If you enable loop guard on an interface, even if the interface stops receiving BPDUs, it`will not
|
||||||
|
start forwarding. The interface will be disabled.
|
||||||
|
|
||||||
|
## Spanning Tree Configuration
|
||||||
|
|
||||||
|
|
||||||
|
### Spanning Tree mode
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree mode ?
|
||||||
|
mst multiple spanning tree mode
|
||||||
|
pvst Per-Vlan spanning tree mode
|
||||||
|
rapid-pvst Per-Vlan rapid spanning tree mode //default
|
||||||
|
|
||||||
|
SW1(config)#spanning-tree mode pvst
|
||||||
|
```
|
||||||
|
|
||||||
|
### Primary Root Bridge
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree vlan 1 root primary
|
||||||
|
|
||||||
|
SW1(config)#do show spanning-tree
|
||||||
|
```
|
||||||
|
|
||||||
|
The *spanning-tree vlan (vlan-number) root primary* command sets the STP priority to 24576.
|
||||||
|
if another switch already has a priority lower than 24576, it sets this switch's priority
|
||||||
|
to 4096 less than the other switch's priority.
|
||||||
|
|
||||||
|
### Secondary Root Bridge
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree vlan 1 root secondary
|
||||||
|
|
||||||
|
SW1(config)#do show spanning-tree
|
||||||
|
```
|
||||||
|
|
||||||
|
The *spanning-tree vlan (vlan-number) root secondary* command sets the STP priority to 28672.
|
||||||
|
|
||||||
|
### STP Port Setting
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config)#spanning-tree vlan 1 cost 200
|
||||||
|
SW1(config)#spanning-tree vlan 1 port-priority 32
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
|
||||||
|
- STP state/timers
|
||||||
|
- STP BPDU
|
||||||
|
- STP optional features
|
||||||
|
- STP configuration
|
||||||
72
21. Root Guard (STP Toolkit).md
Normal file
72
21. Root Guard (STP Toolkit).md
Normal file
@@ -0,0 +1,72 @@
|
|||||||
|
---
|
||||||
|
id: 1779981231-AJMV
|
||||||
|
aliases:
|
||||||
|
- Root Guard (STP Toolkit)
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# Root Guard (STP Toolkit)
|
||||||
|
|
||||||
|
STP prevents loops by electing a root bridge and ensuring that each other switch has only *one valid path* to reach it.
|
||||||
|
|
||||||
|
YOu shouldn't randomly select the root bridge. Some things you should consider include:
|
||||||
|
- Optimal traffic flow
|
||||||
|
- minimize latency
|
||||||
|
- minimize congestion
|
||||||
|
- Stability and reliability
|
||||||
|
|
||||||
|
## The Problem
|
||||||
|
|
||||||
|
Within your own [[LAN]], you can easily control the root brdige by setting its priority to 0.
|
||||||
|
- But there are cases where you might connect your LAN to other switches outside of your direct control:
|
||||||
|
- A service provider offering Metro Ethernet service to customers
|
||||||
|
- Often used to connect sites within a [[MAN]]
|
||||||
|
- Even if you set your root bridge's priority to 0, its role can be taken by another switch with a lower
|
||||||
|
[[MAC address]] .
|
||||||
|
|
||||||
|
## The solution
|
||||||
|
|
||||||
|
- *Root Guard* can be configured to protect your [[STP]] topology by preventing your switches from
|
||||||
|
accepting superior [[BPDU]]s from switches outside of your control.
|
||||||
|
- Superior BPDUs = a BPDU that is superior in the STP algorith (e.g Claiming a better root bridge ID).
|
||||||
|
If you want to ensure that the root bridge rmains in your [[LAN]], you can configure Root Guard on the ports connected
|
||||||
|
to switches outside of your control
|
||||||
|
|
||||||
|
To enable root Guard on a port
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if) spanning-tree guard root
|
||||||
|
```
|
||||||
|
|
||||||
|
There is no command to enable it by default from global config mode
|
||||||
|
|
||||||
|
If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state
|
||||||
|
effectively disabling it
|
||||||
|
- The port will not able to forward data frames and will discard any frames it receives.
|
||||||
|
|
||||||
|
To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port
|
||||||
|
- the disabled port must stop receiving superior BDPUs.
|
||||||
|
- tell the customer to increase the priority value of their switch.
|
||||||
|
|
||||||
|
Once teh superior BPDUs received age out, the ports will automatically be re-enabled.
|
||||||
|
- A BPDU's Max Age is 20 seconds by default.
|
||||||
|
|
||||||
|
To see the Root guard
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# do show spanning-tree
|
||||||
|
|
||||||
|
## if it's broken
|
||||||
|
Gi0/1 Desg BKN*4 128.3 P2p *ROOT_Inc
|
||||||
|
|
||||||
|
BKN = Broken
|
||||||
|
ROOT_Inc = Root inconsistent
|
||||||
|
|
||||||
|
## if it's Work
|
||||||
|
Gi0/1 Desg FWD 4 128.3 P2p
|
||||||
|
```
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
Prevents a port from becoming a Root Port by disabling it if superior BPDUs are received,
|
||||||
|
Thereby enforcing the current [[Root Bridge]]
|
||||||
185
22 Rapid Spanning Tree Protocol.md
Normal file
185
22 Rapid Spanning Tree Protocol.md
Normal file
@@ -0,0 +1,185 @@
|
|||||||
|
---
|
||||||
|
id: 22 Rapid Spanning Tree Protocol
|
||||||
|
aliases: []
|
||||||
|
tags:
|
||||||
|
- CCNA
|
||||||
|
---
|
||||||
|
|
||||||
|
# Rapid Spanning Tree Protocol
|
||||||
|
|
||||||
|
## Spanning Tree Version
|
||||||
|
|
||||||
|
### Industry standards (IEEE)
|
||||||
|
|
||||||
|
Spanning Tree Protocol (802.1D)
|
||||||
|
- The original STP
|
||||||
|
- ALl VLANs share one STP instance.
|
||||||
|
- Therefore, cannot load balance.
|
||||||
|
|
||||||
|
Rapid spanning Tree Protocol (802.1w)
|
||||||
|
- Much faster at converging/adaptating to network changes than 802.1D
|
||||||
|
- All VLANs share one STP instance.
|
||||||
|
- Therefore, cannot load balance
|
||||||
|
|
||||||
|
Multiple Spanning Tree Protocol (802.1s)
|
||||||
|
- Uses modified RSTP mechanics.
|
||||||
|
- Can group multiple VLANs into different instacnces (ie. VLANs 1-5 instance 1, VLANs 6-10 in instance
|
||||||
|
2 ) to perform load balancing
|
||||||
|
|
||||||
|
### CISCO Versions
|
||||||
|
|
||||||
|
Per-VLAN Spanning Tree Plus (PVST+)
|
||||||
|
- Cisco's upgrade to 802.1D
|
||||||
|
- Each VLAN has its own STP instance.
|
||||||
|
- Can load balance by blocking different ports in each VLAN.
|
||||||
|
|
||||||
|
Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+)
|
||||||
|
- Cisco's upgrade to 802.1w
|
||||||
|
- Each VLAN has its own STP instance
|
||||||
|
- Can load balance by blocking different ports in each VLAN
|
||||||
|
|
||||||
|
## Rapid spanning Tree Protocol
|
||||||
|
|
||||||
|
Cisco's summary:
|
||||||
|
"RSTP is not a timer-based spanning tree algorithm like 802.1D. therefore, RSTP offers an improvement
|
||||||
|
over the 30 seconds or more that 902.1d takes to move a link to forwarding. the heart of
|
||||||
|
the protocol is new bridge-bridge handshake mechanism, which allows ports to move directly to forwarding."
|
||||||
|
|
||||||
|
### Similarities between STP and RSTP:
|
||||||
|
|
||||||
|
RSTP serves the same purpoe as STP, blocking specific ports to prevent Layer2 loops.
|
||||||
|
- RSTP elect a root bridge with same rules as STP
|
||||||
|
- RSTP elects root ports with the same rules as STP.
|
||||||
|
- RSTP elects designated ports with the same rules as STP
|
||||||
|
|
||||||
|
### Differences
|
||||||
|
|
||||||
|
#### COST
|
||||||
|
|
||||||
|
| speed | STP COST | STP COST |
|
||||||
|
| -------------- | --------------- | --------------- |
|
||||||
|
| 10 Mbps | 100 | 2,000,000 |
|
||||||
|
| 100 Mbps | 19 | 200,000 |
|
||||||
|
| 1 Gbps | 4 | 20,000 |
|
||||||
|
| 10 Gbps | 2 | 2,000 |
|
||||||
|
| 100 Gbps | x | 200 |
|
||||||
|
| 1 Tbps | x | 20 |
|
||||||
|
|
||||||
|
|
||||||
|
#### Port State
|
||||||
|
|
||||||
|
| STP Port State | Send/Receive BPDUs | Frame Forwarding | MAC Learning | Stable/Transitional |
|
||||||
|
| ------------- | -------------- | -------------- | -------------- | -------------- |
|
||||||
|
| Discarding | NO/YES | NO | NO | Stable |
|
||||||
|
| Learing | YES/YES | NO | YES | Tranisitional |
|
||||||
|
| Forwarding | YES/YES | YES | YES | Stable |
|
||||||
|
|
||||||
|
|
||||||
|
- if a port is administratively disabled (shutdown command) = discarding state
|
||||||
|
- if a port is enabled but blocking traffic to prevent Layer 2 loops = discarding state
|
||||||
|
|
||||||
|
#### Port Roles
|
||||||
|
|
||||||
|
*The root port role remains unchanged in RSTP.*
|
||||||
|
- The port wthat is closet to the root bridge becomes the root port for the switch.
|
||||||
|
- The root bridge is the only switch that doesn't have a root port.
|
||||||
|
|
||||||
|
*The designated port role remains unchanged in RSTP.*
|
||||||
|
- The port on a segment (collision domain) that sends the best BPDU is that
|
||||||
|
segment's designated port (only one per segment)
|
||||||
|
|
||||||
|
- *The non designated port role is split into two separate roles in RSTP*:
|
||||||
|
- The alternate port role
|
||||||
|
- the backup port role
|
||||||
|
|
||||||
|
##### Alternate port Role
|
||||||
|
|
||||||
|
The RSTP alternate port role is discarding port that receives a superior BPDU from another switch.
|
||||||
|
- This is the same as what you've learned about *blocking* ports in classic STP.
|
||||||
|
- Functions as a backup to the root port.
|
||||||
|
- If the root port fails, the switch can immediately move its best alternate port to forwarding
|
||||||
|
|
||||||
|
This immediate move to fowarding state functions like a classic STP optional feature called
|
||||||
|
UplinkFast. Because it is built into RSTP, you do not need to activate UplinkFast when using
|
||||||
|
RSTP/Rapid PVST+
|
||||||
|
|
||||||
|
One more STP optional feature that was built into RSTP is BackboneFast.
|
||||||
|
Backbone Fast allows SW3 to expire the made age timers on its interface and rapidly forward the superior
|
||||||
|
BPDUs to SW2.
|
||||||
|
This functionality is built into RSTP, so it does not need to be configured
|
||||||
|
|
||||||
|
##### Backup port role
|
||||||
|
|
||||||
|
The RSTP backup port role is a discarding port that receives a superior BPDU from another
|
||||||
|
interface on the same switch.
|
||||||
|
- This only happnes when two interfaces are connected to the same collision domain (via a hub)
|
||||||
|
- Hubs are not used in modern networks, so you will probably not encounter an RSTP backup port.
|
||||||
|
- Function as backup for a designated port
|
||||||
|
- The interface with the lowest port ID will be selected as the designated port and the other will be the
|
||||||
|
backup port
|
||||||
|
|
||||||
|
### BPDU
|
||||||
|
|
||||||
|
In classic [[STP]], only the root bridge originated BPDUs, and other switches just forwarded the BPDUs
|
||||||
|
they received.
|
||||||
|
In Rapid STP, all Switches originate and send their own BPDUs from their designated ports
|
||||||
|
|
||||||
|
All switches running Rapid STP send their own BPDUs every hello time (2 seconds).
|
||||||
|
- Switches 'age' the BPDU information much more quickly, in classic STP a switch waits 10 hello intervales
|
||||||
|
(20 seconds). In rapid STP, a switch considers a neighbor lost if it misses 3 BPDUs (6 seconds)
|
||||||
|
It will the 'Flush' All MAV addresses learned on that interface
|
||||||
|
|
||||||
|
## RSTP Link Types
|
||||||
|
|
||||||
|
RSTP distiguishes between three different 'link types'
|
||||||
|
- Edge: a port that is connected to an end host. Moves directly to forwarding without negotiation.
|
||||||
|
- Point-to-point: a direct connection between two switches
|
||||||
|
- Shared a connection to a [[hub]]. Must operate in half-duplex mode.
|
||||||
|
|
||||||
|
### Edge
|
||||||
|
|
||||||
|
Edge ports are connected to end hosts.
|
||||||
|
- Because ther is no risk of creating a loop, they can move stright to the forwarding state without the
|
||||||
|
negotiation process.
|
||||||
|
- They function like a classic STP port with PortFast enabled
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree portfast
|
||||||
|
```
|
||||||
|
|
||||||
|
### Point-to-Point
|
||||||
|
|
||||||
|
Point-to-point ports connect directly to another switch
|
||||||
|
- They function in full-duplex
|
||||||
|
- you don't need to configure the interface as point-to-point (it should be detected)
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree link-type point-to-point
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Shared
|
||||||
|
|
||||||
|
shared Ports connect to another switch (or switches) via a hub.
|
||||||
|
- They function in half-duplex
|
||||||
|
- You don't need to configure the interface as shared (it should be detected)
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW1(config-if)# spanning-tree link-type shared
|
||||||
|
```
|
||||||
|
|
||||||
|
### Configuration
|
||||||
|
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
SW3(config)# spanning-tree mode rapid-pvst
|
||||||
|
|
||||||
|
SW3(config)# do show spanning-tree
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
Comparison of [[STP]] versions (standard vs [[Cisco]])
|
||||||
|
|
||||||
|
Rapid PVST+
|
||||||
128
23. EtherChannel.md
Normal file
128
23. EtherChannel.md
Normal file
@@ -0,0 +1,128 @@
|
|||||||
|
---
|
||||||
|
id: 23. EtherChannel
|
||||||
|
aliases: []
|
||||||
|
tags: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# EtherChannel
|
||||||
|
|
||||||
|
multiple host -- ASW1 -- DSW1
|
||||||
|
|
||||||
|
ASW = Access layer Switch, a switch that end hosts connect to
|
||||||
|
DSW = Distribution layer switch, a switch that access layer switches connect to
|
||||||
|
|
||||||
|
When the bandwith of the interfaces connected to end hosts is greater than the bandwidth of the
|
||||||
|
connection to the distribution switch(es), this is called *oversubscription*.
|
||||||
|
Some oversubscription is acceptable, but too much will cause congestion.
|
||||||
|
|
||||||
|
- if you connect two switchs together with multiple links, all except one will be disabled by
|
||||||
|
[[spanning tree]]
|
||||||
|
- if all of ASW1's interfaces were forwarding, Layer 2 loops would form between ASW1 and DSW1,
|
||||||
|
leading to [[broadcast storms]].
|
||||||
|
- Other links will be unused unless the active link fails. in that case one of the inactive
|
||||||
|
links will start forwarding
|
||||||
|
- EtherChannel groups multiple interfaces together to act as a single interface.
|
||||||
|
- STP will treat this group as a single interface
|
||||||
|
|
||||||
|
Traffic using the EtherChannel wil be load balanced among the physical interfaces in the group.
|
||||||
|
An [[algorithm]] is used to determine which traffic will use which physical interface.
|
||||||
|
|
||||||
|
Some other names for an EtherChannel are:
|
||||||
|
- Port Channel
|
||||||
|
- LAG (Link aggregaton Group)
|
||||||
|
|
||||||
|
## Load Balancing
|
||||||
|
|
||||||
|
- EtherChannel load balances based on flows
|
||||||
|
- A flow is a communication between two nodes in the network
|
||||||
|
- Frames in the same flow will be forwarded using the same physicial interface.
|
||||||
|
- If frames in the same flow were forwarded using different physical interfaces, some frames
|
||||||
|
may arrive at the destination out of order, which can cause problems
|
||||||
|
- You can change the inputs used in the interface selection calculation.
|
||||||
|
- Inputs that can be used:
|
||||||
|
- Source [[MAC]]
|
||||||
|
- Destination MAC
|
||||||
|
- Source and Destination MAC
|
||||||
|
- Source [[IP]]
|
||||||
|
- Destination IP
|
||||||
|
- Source and Destination IP
|
||||||
|
|
||||||
|
### Commands
|
||||||
|
|
||||||
|
|
||||||
|
see current configuration
|
||||||
|
```Cisco
|
||||||
|
ASW1#show etherchannel load-balance
|
||||||
|
### default will be set to src-dst-ip
|
||||||
|
```
|
||||||
|
|
||||||
|
for configuring load balance configuration
|
||||||
|
```Cisco
|
||||||
|
ASW1(config)#port-channel load-balance src-dst-mac
|
||||||
|
|
||||||
|
## to see other method
|
||||||
|
ASW1(config)#port-channel load-balance ?
|
||||||
|
```
|
||||||
|
|
||||||
|
## EtherChannel Configuration
|
||||||
|
|
||||||
|
There are three methods of EtherChannel configuration on Cisco switches:
|
||||||
|
- PAgP (Port Aggregation Protocol)
|
||||||
|
- Cisco proprietary protocol
|
||||||
|
- Dynamically negotiates the creation/maintenance of the EtherChannel.
|
||||||
|
(like DTP does for trunks)
|
||||||
|
- LACP (Link Aggregation Control Protocol)
|
||||||
|
- Industry standard protocol (IEEE 802.3ad)
|
||||||
|
- Dynamically negotiate the creation/maintenance of the EtherChannel.
|
||||||
|
(like DTP does for trunks)
|
||||||
|
- Static EtherChannel
|
||||||
|
- A protocol isn't used to determine if an EtherChannel should be formed.
|
||||||
|
- Interfaces are statically configured to form an EtherChannel
|
||||||
|
|
||||||
|
Up to *8 interfaces* can be formed into a single EtherChannel (LACP allows up to 16, but only
|
||||||
|
8 will be active, the other 8 will be in standby mode, waiting for an active interface to fail)
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
ASW1(config)#inteface range g0/0 - 3
|
||||||
|
## to see all methods
|
||||||
|
ASW1(config-if-range)#channel-group 1 mode ?
|
||||||
|
## for PAgP
|
||||||
|
ASW1(config-if-range)#channel-group 1 mode desirable
|
||||||
|
```
|
||||||
|
|
||||||
|
note: The channel-group number has to match for member interfaces on the same switch.
|
||||||
|
However, it doesn't have to match the channel-group number on the other switch.
|
||||||
|
(channel-group 1 on ASW1 can form an EhterChannel with channel-group 2 on DSW1)
|
||||||
|
|
||||||
|
Member intefaces must have matching configurations.
|
||||||
|
- Same duplex (full/half)
|
||||||
|
- Same speed
|
||||||
|
- Same switchport mode (access/trunk)
|
||||||
|
- Same allowed VLANs/native VLAN (for trunk interfaces)
|
||||||
|
|
||||||
|
If an interface's configurations do not match the others, it will be excluded from the EtherChannel
|
||||||
|
|
||||||
|
to see running configuration of the EtherChannel
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
ASW1#show etherchannel summary
|
||||||
|
## less utilise command
|
||||||
|
ASW1#show etherchannel port-channel
|
||||||
|
```
|
||||||
|
|
||||||
|
## Layer 3 EtherChannel
|
||||||
|
|
||||||
|
```Cisco
|
||||||
|
ASW1(config)#int range g0/0 - 3
|
||||||
|
ASW1(config-if-range)#no switchport
|
||||||
|
ASW1(config-if-range)#channel-group 1 mode active
|
||||||
|
|
||||||
|
|
||||||
|
ASW1(config-if-range)#int po1
|
||||||
|
ASW1(config-if)#ip address 10.0.0.1 255.255.255.252
|
||||||
|
```
|
||||||
|
|
||||||
|
## Review
|
||||||
|
|
||||||
|
- What is EtherChannel? what problems does it solve?
|
||||||
|
- Configuring Layer 2/Layer 3 EtherChannel
|
||||||
Reference in New Issue
Block a user