CCNP BCMSN Quick Reference Sheets, Exam 642-812
Brent Stewart, Denise Donohue
ciscopress.com

Contents: The Evolving Network Model; VLAN Implementation; Spanning Tree; InterVLAN Routing; Layer 3 Redundancy; Using Wireless LANs; VoIP in a Campus Network; Campus Network Security



About the Authors

Brent Stewart, CCNP, CCDP, MCSE, Certified Cisco Systems Instructor, is a network administrator for CommScope. He participated in the development of BSCI, and has separately developed training material for ICND, BSCI, BCMSN, BCRAN, and CIT. Brent lives in Hickory, NC, with his wife, Karen, and children, Benjamin, Kaitlyn, Madelyn, and William.

Denise Donohue, CCIE No. 9566, is a Design Engineer with AT&T. She is responsible for designing and implementing data and VoIP networks for SBC and AT&T customers. Prior to that, she was a Cisco instructor and course director for Global Knowledge. Her CCIE is in Routing and Switching.

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 67 for more details.

Icons Used in This Book

Router, 7507, Multilayer Switch, Multilayer Switch with Text, Communication Server, Switch, IDC, Internal Firewall, IDS, Web Browser, Database, App Server.

CHAPTER 1: The Evolving Network Model

Cisco has developed specific architecture recommendations for Campus, Data Center, WAN, branches, and telecommuting. These recommendations add specific ideas about how current technologies and capabilities match the network roles within an enterprise. Each of these designs builds on a traditional hierarchical design and adds features such as security, Quality of Service (QoS), caching, and convergence.

The Hierarchical Design Model

Cisco has used the three-level Hierarchical Design Model for years. This older model provided a high-level idea of how a reliable network might be conceived, but it was largely conceptual because it did not provide specific guidance. Figure 1-1 is a simple drawing of how the three-layer model might have been built out. A distribution Layer 3 switch would be used for each building on campus, tying together the access switches on the floors. The core switches would link the various buildings together.

FIGURE 1-1 THE HIERARCHICAL DESIGN MODEL (Core, Distribution, and Access layers)

The hierarchical design model divides a network into three layers:
- Access: End stations attach to VLANs. Clients attach to switch ports. VLANs are assigned and broadcast domains established. Built using low-cost ports.
- Distribution: Intermediate devices route and apply policies. VLANs are terminated, with routing between them. Policies are applied, such as route selection, access lists, and Quality of Service (QoS).
- Core: The backbone that provides a high-speed path between distribution elements. Distribution devices are interconnected. High speed (there is a lot of traffic). No policies (it is tough enough to keep up).

Later versions of this model include redundant distribution and core devices, and connections that make the model more fault-tolerant. A set of distribution devices and their accompanying access layer switches is called a switch block.

Problems with the Hierarchical Design Model

This early model was a good starting point, but it failed to address key issues, such as:
- Where do wireless devices fit in?
- How should Internet access and security be provisioned?
- How to account for remote access, such as dial-up or virtual private network (VPN)?
- Where should workgroup and enterprise services be located?

Enterprise Composite Network Model

The newer Cisco model, the Enterprise Composite Model, is significantly more complex and attempts to address the major shortcoming of the Hierarchical Design Model by expanding the older version and making specific recommendations about how and where certain network functions should be implemented. This model is based on the principles described in the Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

The Enterprise Composite Model is broken up into three large sections:
- Enterprise Campus: The portion of the design that is like the old hierarchical model.
- Enterprise Edge: The connections to the public network.
- Service Provider Edge: The different public networks that are attached.

The first section, the Enterprise Campus, looks like the old Hierarchical model with some added details. The Enterprise Campus is shown in Figure 1-2. It features six sections:
- Campus Backbone: The center of the network, like the old core.
- Building Distribution: Intermediate devices that route from the core to access devices.
- Building Access: Connections for end systems.
- Management: Command, control, and auditing features.
- Edge Distribution: A distribution layer out to the WAN.
- Server Farm: For Enterprise services.

The Enterprise Edge (shown in Figure 1-3) details the connections from the campus to the Wide Area Network and includes:
- E-Commerce: Externally accessible services that have ties to internal data stores.
- Internet Connectivity: Connectivity to outside services.
- Remote Access: Dial and VPN.
- WAN: Internal links.

FIGURE 1-2 THE ENTERPRISE CAMPUS (Campus Backbone A and B in the core; Building Distribution A and B for each of Buildings A, B, and C; 1st through 4th Floor Access switches in each building)

FIGURE 1-3 THE ENTERPRISE EDGE (WAN: Frame Relay, ATM, PPP; E-Commerce: web, database, and app servers behind DMZ and internal firewalls; Internet Connectivity: public servers, caching, firewall; Remote Access: VPN, dial-in via the PSTN, IDS; Edge Distribution toward the Campus Backbone; Service Provider Edge)

The Service Provider Edge consists of the public networks that facilitate wide-area network connectivity:
- Internet Service Provider (ISP): Public connectivity.
- Public Switched Telephone Network (PSTN): Dial-up.
- Frame Relay, ATM, and PPP: Private connectivity.

Figure 1-4 puts together the various pieces: Campus, Enterprise Edge, and Service Provider Edge. Security implemented on this model is described in the Cisco SAFE (Security Architecture for Enterprise) blueprint.

FIGURE 1-4 THE COMPLETE ENTERPRISE COMPOSITE MODEL (Enterprise Campus: Building Access, Building Distribution, Campus Backbone, Server Farm with e-mail, DNS, file and print, directory, legacy, and database servers, Management, Edge Distribution; Enterprise Edge: WAN, E-Commerce, Internet Connectivity, Remote Access; Service Provider Edge: Frame Relay, ATM, PPP, Internet, PSTN)

SONA and IIN

Modern converged networks include different traffic types, each with unique requirements for security, QoS, transmission capacity, and delay. These include:
- Voice signaling and bearer
- Core application traffic, such as Enterprise Resource Programming (ERP) or Customer Relationship Management (CRM)
- Database transactions
- Multicast multimedia
- Network management
- Other traffic, such as web pages, e-mail, and file transfer

Cisco routers are able to implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for filtering, these capabilities are referred to collectively as QoS.

Note: The best way to meet capacity requirements is to have twice as much bandwidth as needed. Financial reality, however, usually requires QoS instead.

Although QoS is wonderful, it is not the only way to address bandwidth shortage. Cisco espouses an ideal called the Intelligent Information Network (IIN). IIN describes an evolutionary vision of a network that integrates network and application functionality cooperatively and allows the network to be smart about how it handles traffic to minimize the footprint of applications. IIN is built on top of the Enterprise Composite Model and describes structures overlaid on to the Composite design as needed in three phases.

Phase 1, Integrated Transport, describes a converged network, which is built along the lines of the Composite model and based on open standards. This is the phase that the industry has been transitioning to for the last few years, and the Cisco Integrated Services Routers (ISR) are an example of this trend.

Phase 2, Integrated Services, attempts to virtualize resources, such as servers, storage, and network access, and move to an on-demand model. By "virtualize" Cisco means that the services are not associated with a particular device or location. Instead, many services can reside in one device to ease management, or many devices can provide one service that is more reliable.

An ISR brings together routing, switching, voice, security, and wireless. It is an example of many services existing on one device. A load balancer, which makes many servers look like one, is a second example.
VRFs are an example of taking one resource and making it look like many. Some versions of IOS are capable of having a router present itself as many virtual router forwarding (VRF) instances, allowing your company to deliver different logical topologies on the same physical infrastructure. Server virtualization is another example. The classic example of taking one resource and making it appear to be many resources is the use of a virtual LAN (VLAN) and a virtual storage area network (VSAN).

Virtualization provides flexibility in configuration and management.

Phase 3, Integrated Applications, uses application-oriented networking (AON) to make the network application-aware and to allow the network to actively participate in service delivery.

An example of this phase 3 IIN systems approach to service delivery is Network Admission Control (NAC). Before NAC, authentication, VLAN assignment, and anti-virus updates were separately managed. With NAC in place, the network is able to check the policy stance of a client and admit, deny, or remediate based on policies.

IIN allows the network to deconstruct packets, parse fields, and take actions based on the values it finds. An ISR equipped with an AON blade might be configured to route traffic from a business partner. The AON blade can examine traffic, recognize the application, and rebuild XML files in memory. Corrupted XML fields might represent an attack (called schema poisoning), so the AON blade could react by blocking that source from further communication. In this example, routing, an awareness of the application data flow, and security are combined to allow the network to contribute to the success of the application.

Services-Oriented Network Architecture (SONA) applies the IIN ideals to Enterprise networks. Figure 1-5 shows how SONA breaks down the IIN functions into three layers:
- Network Infrastructure: Hierarchical converged network and attached end systems.
- Interactive Services: Resources allocated to applications.
- Applications: Includes business policy and logic.

FIGURE 1-5 IIN AND SONA COMPARED
IIN Phases                                             | SONA Framework Layers
Phase 3, Integrated Applications (application aware)   | Application Layer: business apps, collaboration apps
Phase 2, Integrated Services (virtualized resources)   | Interactive Services Layer: middleware, application networking services, infrastructure services
Phase 1, Integrated Transport (converged network)      | Network Infrastructure Layer: servers, clients, storage

CHAPTER 2: VLAN Implementation

VLANs are used to break large campus networks into smaller pieces. The benefit of this is to minimize the amount of broadcast traffic on a logical segment.

What Is a VLAN?

A virtual LAN (VLAN) is a logical LAN, or a logical subnet. It defines a broadcast domain. A physical subnet is a group of devices that shares the same physical wire. A logical subnet is a group of switch ports assigned to the same VLAN, regardless of their physical location in a switched network.

FIGURE 2-1 END-TO-END VLANS (HR Department and IT Department VLANs each spanning the 1st through 4th floors)

FIGURE 2-2 LOCAL VLANS (HR Department and IT Department VLANs each confined to a single floor)

Two types of VLANs are:
- End-to-end VLAN: VLAN members are assigned by function and can reside on different switches. They are used when hosts are assigned to VLANs based on functions or workgroups, rather than physical location. VLANs should not extend past the Building Distribution submodule. Figure 2-1 shows end-to-end VLANs.
- Local VLAN: Hosts are assigned to VLANs based on their location, such as a floor in a building.
A router accomplishes sharing of resources between VLANs. This type is typically found in the Building Access submodule. Figure 2-2 shows an example of local VLANs.

VLAN membership can be assigned either statically by port or dynamically by MAC address using a VLAN Membership Policy Server (VMPS).

Best Practices

VLAN networks need many of the same considerations that normal Ethernet lines demand. For instance, VLANs should have one IP subnet. By supplying consecutive subnets to VLANs, the routing advertisements can be summarized (which has many benefits to convergence).

A stereotypical description of capacity requirements is possible. Access ports are assigned to a single VLAN and should be Fast Ethernet or faster. Ports to the distribution layer should be Gigabit Ethernet or better. Core ports are Gigabit EtherChannel or 10-Gig Ethernet. Remember that uplink ports need to be able to handle all hosts communicating concurrently, and remember that although VLANs logically separate traffic, traffic in different VLANs can still experience contention with other VLANs when both VLANs travel over the same trunk line.

Take into account the entire traffic pattern of applications found in your network. For instance, Voice VLANs pass traffic to a remote Call Manager. Multicast traffic has to communicate back to the routing process and possibly call upon a Rendezvous Point.

Creating a VLAN in Global Config Mode

VLANs must be created before they may be used. VLANs may be created in global configuration mode or in VLAN database mode. Creating VLANs in global configuration is easy: just identify the VLAN number and name it!

(config)#vlan 12
(config-vlan)#name MYVLAN

Creating a VLAN in Database Mode

Creating a VLAN in VLAN database mode is very similar to global configuration. There are no advantages to either method. Either method creates an entry in a VLAN.DAT file. Remember that copying the configuration, by itself, does not move the VLAN information! To do that you must move the VLAN.DAT file.

#vlan database
(vlan)#vlan 12 name MYVLAN

Delete a VLAN by using the same command with no in front of it. There is no need to include the name when deleting.

Assigning Ports to VLANs

When statically assigning ports to VLANs, first make it an access port, and then assign the port to a VLAN. At the interface configuration prompt:

(config-if)#switchport mode access
(config-if)#switchport access vlan 12

The commands are similar when using dynamic VLAN assignment. At interface configuration mode:

(config-if)#switchport mode access
(config-if)#switchport access vlan dynamic

If you use dynamic, you must also enter the IP address of the VMPS server at global configuration mode:

(config)#vmps server ip-address

Verifying VLAN Configuration

To see a list of all the VLANs and the ports assigned to them, use the command show vlan. To narrow down the information displayed, you can use these keywords after the command: brief, id vlan-number, or name vlan-name:

ASW# show vlan brief
VLAN Name             Status    Ports
---- ---------------- --------- ------------------------------
1    default          active    Fa0/1, Fa0/2, Fa0/3, Fa0/10, Fa0/11, Fa0/12
20   VLAN0020         active    Fa0/5, Fa0/6, Fa0/7
21   VLAN0021         active    Fa0/8, Fa0/9
1002 fddi-default     active
1003 trcrf-default    active
1004 fddinet-default  active
1005 trbrf-default    active

Other verification commands include:
- show running-config interface interface-no.: Use the following to verify the VLAN membership of the port:

ASW# show run interface fa0/5
Building configuration...
Current configuration 64 bytes
interface FastEthernet 0/5
 switchport access vlan 20
 switchport mode access

- show mac address-table interface interface-no. vlan vlan-no.: Use the following to view MAC addresses learned through that port for the specified VLAN:

ASW# show mac address-table interface fa0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
1       0030.b656.7c3d    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1

- show interfaces interface-no. switchport: Use the following to see detailed information about the port configuration, such as entries in the Administrative Mode and Access Mode VLAN fields:

ASW# show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: false
Unknown multicast blocked: false
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100

Troubleshooting VLAN Issues

The following are three steps in troubleshooting VLAN problems:
- Check the physical connectivity: Make sure the cable, the network adapter, and switch port are good. Check the port's link LED.
- Check the switch configuration: If you see FCS errors or late collisions, suspect a duplex mismatch. Also check configured speed on both ends of the link. Increasing collisions can mean an overloaded link, such as with a broadcast storm.
- Check the VLAN configuration: If two hosts cannot communicate, make sure they are both in the same VLAN. If a host cannot connect to a switch, make sure the host and the switch are in the same VLAN.

VLAN Trunking

A trunk is a link that carries traffic for more than one VLAN. Trunks multiplex traffic from multiple VLANs. Trunks connect switches and allow ports on multiple switches to be assigned to the same VLAN.

Two methods of identifying VLANs over trunk links are:
- Inter-Switch Link (ISL): A Cisco proprietary method that encapsulates the original frame in a header, which contains VLAN information. It is protocol-independent and can identify Cisco Discovery Protocol (CDP) and bridge protocol data unit (BPDU) frames.
- 802.1Q: Standards-based, tags the frames (inserts a field into the original frame immediately after the source MAC address field), and supports Ethernet and Token Ring networks.

When a frame comes into a switch port, the frame is tagged internally within the switch with the VLAN number of the port. When it reaches the outgoing port, the internal tag is removed. If the exit port is a trunk port, then its VLAN is identified in either the ISL encapsulation or the 802.1Q tag. The switch on the other end of the trunk removes the ISL or 802.1Q information, checks the VLAN of the frame, and adds the internal tag. If the exit port is a user port, then the original frame is sent out unchanged, making the use of VLANs transparent to the user.

If a nontrunking port receives an ISL-encapsulated frame, the frame is dropped. If the ISL header and footer cause the MTU size to be exceeded, it might be counted as an error.

If a nontrunking port receives an 802.1Q frame, the source and destination MAC addresses are read, the tag field is ignored, and the frame is switched normally at Layer 2.

Configuring a Trunk Link

Ports can become trunk ports either by static configuration or dynamic negotiation using Dynamic Trunking Protocol (DTP). A switch port can be in one of five DTP modes:
- Access: The port is a user port in a single VLAN.
- Trunk: The port negotiates trunking with the port on the other end of the link.
- Non-negotiate: The port is a trunk and does not do DTP negotiation with the other side of the link.
- Dynamic Desirable: Actively negotiates trunking with the other side of the link. It becomes a trunk if the port on the other switch is set to trunk, dynamic desirable, or dynamic auto mode.
- Dynamic Auto: Passively waits to be contacted by the other switch. It becomes a trunk if the other end is set to trunk or dynamic desirable mode.

Configure a port for trunking at the interface configuration mode:

(config-if)#switchport mode {dynamic {auto | desirable} | trunk}

If dynamic mode is used, DTP negotiates the trunking state and encapsulation. If trunk mode is used, you must specify encapsulation:

(config-if)#switchport trunk encapsulation {isl | dot1q | negotiate}

Native VLAN with 802.1Q

If you are using 802.1Q, specify a native VLAN for the trunk link with the command:

(config-if)#switchport trunk native vlan vlan-no

Frames from the native VLAN are sent over the trunk link untagged. Native VLAN is the VLAN the port would be in if it were not a trunk, and it must match on both sides of the trunk link. VLAN 1 is the default native VLAN for all ports.

VLAN Mapping

ISL trunking recognizes only VLANs numbered 1-1001, but 802.1Q can use VLANs 0-4094. If you are using both ISL and 802.1Q in your network and have VLANs numbered above 1001, you have to map the 802.1Q VLANs to ISL numbers. Some rules about mapping VLANs include:
- You can configure only eight mappings.
- Mappings are local to the switch; the same mappings must be configured on all switches in the network.
- You can map only to Ethernet ISL VLANs.
- The 802.1Q VLANs with the same number as mapped ISL VLANs are blocked. (For example, if you map 802.1Q VLAN 1500 to ISL VLAN 150, then 802.1Q VLAN 150 is blocked on that switch.)
- You should not map the 802.1Q native VLAN.

VLANs Allowed on the Trunk

By default, a trunk carries traffic for all VLANs. You can change that behavior for a particular trunk link by giving the following command at the interface config mode:

(config-if)#switchport trunk allowed vlan vlans

Make sure that both sides of a trunk link allow the same VLANs.

Verifying a Trunk Link

Two commands you can use to verify your trunk configuration are:

#show running-config
#show interfaces [interface-no.] switchport | trunk

Using the trunk keyword with the show interfaces command gives information about the trunk link:

# show interfaces fastethernet 0/1 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     desirable    n-802.1q       trunking      1

Port      Vlans allowed on trunk
Fa0/1     1-150

802.1Q Tunnels

Tunneling is a way to send 802.1Q-tagged frames across a foreign network (such as a Service Provider's network) and still preserve the original 802.1Q tag. The SP configures their end of the trunk link as a tunnel port and assigns a VLAN to carry your traffic within their network. The SP switch then adds a second 802.1Q tag to each frame that came in the tunnel port. Other switches in the SP network see only this second tag, and do not read the original tag. When the frame exits the SP network, the extra tag is removed, leaving the original 802.1Q tag to be read by the receiving switch in your network.

FIGURE 2-3 802.1Q SECOND TAG (a customer frame tagged V=900 enters the SP tunnel port and receives a second tag V=5 for transit across the ISP Layer 2 core; the second tag is removed at the far edge, and the customer switches see only the original 802.1Q or ISL trunk)

Layer 2 Protocol Tunneling (GBPT)

If a Service Provider separates sections of your network, you can use Layer 2 protocol tunneling to tunnel CDP, Spanning Tree Protocol (STP), and VLAN Trunking Protocol (VTP) frames across the SP's cloud. This is called Generic Bridge PDU Tunneling (GBPT). Frames from the above control protocols are encapsulated as they enter the SP's network on a tunnel port, and de-encapsulated when they exit that network.

Troubleshooting Trunking

Troubleshooting trunking links happens mostly at the physical and data link layers. Start with the most basic assumptions and work your way up the OSI model. It is important to show that physical layer connectivity is present before moving on to, for instance, trying to troubleshoot IP problems.
- Are both sides of the link in the correct trunking mode?
- Is the same trunk encapsulation on both sides?
- If 802.1Q, is the same native VLAN on both sides?
- Are the same VLANs permitted on both sides?
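The tag handling described in the trunking and 802.1Q tunnel sections, as an added example that is not part of the book: a parser that walks the tag stack after the source MAC, the "push a second tag" step an SP tunnel port performs, the "pop the outer tag" step at the far edge, and the native-VLAN rule that an untagged frame arriving on a trunk lands in the native VLAN. The frame bytes, MAC addresses and the use of the 802.1ad TPID 0x88A8 for the outer tag are constructed assumptions; the VIDs 900 and 5 follow Figure 2-3.

```python
"""802.1Q and Q-in-Q frame handling (constructed example; the frame contents
below are made up, not captured traffic)."""
import struct

TPID_8021Q = 0x8100  # 802.1Q customer tag
TPID_QINQ = 0x88A8   # 802.1ad service tag, assumed here for the SP's second tag


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Build a frame; tags is a list of (tpid, vid), outermost first, with PCP/DEI zero."""
    header = mac_bytes(dst) + mac_bytes(src)
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack that sits right after the source MAC; tags come back outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset = 12
    tags = []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_QINQ):
            break  # not a tag, so this is the real EtherType
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated tag stack")
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "tags": tags,
            "ethertype": tpid, "payload": frame[offset + 2:]}


def push_tag(frame: bytes, vid: int, tpid: int = TPID_QINQ) -> bytes:
    """What the SP tunnel port does: insert a second tag after the source MAC and
    leave the customer's original 802.1Q tag untouched underneath it."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """What happens when the frame leaves the SP network: drop only the outermost tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in (TPID_8021Q, TPID_QINQ):
        return frame  # nothing to strip
    return frame[:12] + frame[16:]


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns on ingress: the outer tag's VID, or the native VLAN for
    an untagged frame (or a VID 0 priority-only tag). This is why the native VLAN has
    to match on both ends: an untagged frame is placed wherever the receiver's native
    VLAN points."""
    tags = parse_frame(frame)["tags"]
    if not tags or tags[0]["vid"] == 0:
        return native_vlan
    return tags[0]["vid"]


# Constructed sample: customer ARP frame in VLAN 900, tunneled inside SP VLAN 5
CUSTOMER_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc", 0x0806,
                             b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20,
                             tags=[(TPID_8021Q, 900)])
TUNNELED_FRAME = push_tag(CUSTOMER_FRAME, 5)
UNTAGGED_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc", 0x0806, b"\x00" * 28)


def demo() -> None:
    print("customer tags:", [t["vid"] for t in parse_frame(CUSTOMER_FRAME)["tags"]])
    print("inside SP:    ", [t["vid"] for t in parse_frame(TUNNELED_FRAME)["tags"]])
    print("after exit:   ", [t["vid"] for t in parse_frame(pop_tag(TUNNELED_FRAME))["tags"]])
    print("untagged on a trunk with native VLAN 1 ->", ingress_vlan(UNTAGGED_FRAME, 1))


if __name__ == "__main__":
    demo()
```

Running it prints the tag stack at each hop (900, then 5 over 900, then 900 again) and shows the untagged frame being assigned to the trunk's native VLAN.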
[ 19 ] CHAPTER 2 CCNP BCMSN Quick Reference Sheets VL AN IMPLEMENTATIONVLAN Trunking Protocol (VTP) VTP Switch RolesVTP is a protocol that runs over trunk links and synchronizes theA switch can be a VTP:VLAN databases of all switches in the VTP domain. A VTP domain isn ServerThe default VTP role. Servers can create, delete, andan administrative groupall switches within that group must have therename VLANs. They originate both periodic and triggered VTPsame VTP domain name configured or they do not synchronize data-advertisements and synchronize their databases with otherbases.switches in the domain.VTP works by using Configuration Revision numbers and VTP adver-n ClientClients cannot make VLAN changes. They originate peri-tisements:odic VTP advertisements and synchronize their databases withn All switches send out VTP advertisements every five minutes, or other switches in the domain.when there is a change to the VLAN database (when a VLAN is n TransparentIt can create, delete, and rename VLANs, but itscreated, deleted, or renamed).VLANs are only local. It does not originate advertisements orn VTP advertisements contain a Configuration Revision number. synchronize its database with any other switches. It forwards VTPThis number is increased by one for every VLAN change.advertisements out its trunk links, however.n When a switch receives a VTP advertisement, it compares theConfiguration Revision number against the one in its VLAN database.n If the new number is higher, the switch overwrites its databaseVTP Pruningwith the new VLAN information, and forwards the information to By default, switches flood broadcasts, multicasts, and unknownits neighbor switches. unicasts across trunk links. Suppose a host in VLAN 10 on Switch Bn If the number is the same, the switch ignores the advertisement. sends a broadcast. 
- If the new number is lower, the switch replies with the more up-to-date information contained in its own database.

Hosts in VLAN 10 on Switch C need to see that broadcast, but Switch A has no ports in VLAN 10, so it does not need to receive the broadcast traffic.

Enabling VTP pruning causes the switch to keep track of VLAN port assignments in its downstream switches. The switch then sends flooded traffic only on trunks toward switches that have ports assigned to the VLAN originating the traffic. It prunes flooded traffic from all other trunks. VTP pruning increases the available bandwidth by preventing unnecessary traffic on trunk links.

There are two versions of VTP: Version 1 and Version 2. To use Version 2, all switches in the domain must be capable of using it. Configure one server for Version 2, and the information is propagated through VTP. Version 2 has the following added features:

- It supports Token Ring VLANs.
- Transparent switches pass along messages from both versions of VTP.
- Consistency checks are performed only when changes are configured through the CLI or SNMP.

Configuring VTP

VTP configuration is done at the global config mode.

To configure the switch's VTP mode:
(config)#vtp {server | client | transparent}

To configure the VTP domain name:
(config)#vtp domain name

To configure a VTP password (all switches in the domain must use the same password):
(config)#vtp password password

To configure the switch to use VTP Version 2:
(config)#vtp version 2

To enable pruning:
(config)#vtp pruning

To specify which VLANs are to be pruned:
(config-if)#switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]]

Verifying and Monitoring VTP

To get basic information about the VTP configuration, use show vtp status. The example shows the default settings:

# show vtp status
VTP Version                     : 1
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      :

Troubleshooting VTP

The following are some common things to check when troubleshooting problems with VTP:

- Make sure you are trunking between the switches. VTP is sent only over trunk links.
- Make sure the domain name matches on both switches (the name is case sensitive).
- If the switch is not updating its database, make sure it is not in transparent mode.
- If using passwords, make sure they all match. To remove a password, use no vtp password.

Adding a New Switch to a VTP Domain

Adding a new switch in client mode does not prevent it from propagating its incorrect VLAN information. A server synchronizes to a client if the client has the higher configuration revision number. You must reset the revision number back to 0 on the new switch. The easiest way to do this is to change the domain name. Then change it back to the correct one, and attach the switch to the network.

CHAPTER 3
Spanning Tree

Ethernet network design balances two separate imperatives. First, Ethernet has no capacity for detecting circular paths. If such paths exist, traffic loops around and accumulates until new traffic is shut out (this is called a broadcast storm). Second, having secondary paths is good preparation for inevitable link failure.

Spanning Tree is a protocol that prevents loop formation by detecting redundant links and disabling them until needed. Designers can therefore build redundant links and the protocol will allow one to pass traffic and keep the other in reserve. When the active link fails, the secondary link is enabled quickly.

Understanding the Spanning Tree Protocol

Switches either forward or filter Layer 2 frames. The way they make the forwarding/filtering decision can lead to loops in a network with redundant links. Spanning Tree is a protocol that detects potential loops and breaks them.

A Layer 2 switch is functionally the same thing as a transparent bridge. Transparent bridges:

- Learn MAC (Media Access Control) addresses by looking at the source address of incoming frames. They build a table mapping MAC address to port number.
- Forward broadcasts and multicasts out all ports except the one on which they came. (This is called flooding.)
- Forward unknown unicasts out all ports except the one on which they came. An unknown unicast is a message bound for a unicast MAC address that is not in the switch's table of addresses and ports.
- Do not make any changes to the frames as they forward them.

Spanning Tree Protocol (STP) works by selecting a root bridge, then selecting one loop-free path from the root bridge to every other switch. (STP uses the term bridge because it was written before there were switches.) Consider the following switched network (see Figure 3-1).

FIGURE 3-1 EXAMPLE SWITCHED TOPOLOGY
(Figure: five switches. A, MAC 000c.1111.0011, at the top, connects to B (000c.2678.1010) and to C (000c.321a.bcde); B and C are connected to each other, and both connect down to D (000c.8181.1122); D connects to E (000c.2679.2222) over two 100 Mbps links on ports 0/1 and 0/2. The figure labels links at 10, 100, and 1000 Mbps.)
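The revision-number behaviour described under "Adding a New Switch to a VTP Domain" above, as an added Python simulation (not code from this book or from Cisco): a switch that joins the domain with a higher configuration revision overwrites the server's VLAN database, while changing the domain name and changing it back first resets the revision to 0 so the server's database wins. Switch names, VLAN numbers, revision numbers and the password are constructed.

```python
"""VTP database synchronization as the text describes it: a switch in the
same domain (and with the same password) that advertises a higher
configuration revision overwrites the receiver's VLAN list, whatever the
receiver's mode. Added example, not code from the book or from Cisco;
switch names, VLAN numbers, revisions and the password are constructed."""
from dataclasses import dataclass, field

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # the five VLANs a fresh switch has


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"                      # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: set(DEFAULT_VLANS))

    def set_domain(self, new_domain: str) -> None:
        """Changing the domain name resets the configuration revision to 0;
        this is the reset the text recommends before attaching a new switch."""
        self.domain = new_domain
        self.revision = 0

    def add_vlan(self, vlan_id: int) -> None:
        """Only servers and transparent switches accept VLAN changes, and only
        a server increments the revision that other switches synchronize to."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def receive_advertisement(self, sender: "VtpSwitch") -> str:
        """Process a summary advertisement heard on a trunk from sender and
        return what this switch did with it."""
        if self.mode == "transparent":
            return "relayed"                                  # forwarded, not applied
        if sender.domain != self.domain:                      # name is case sensitive
            return "ignored: domain mismatch"
        if sender.password != self.password:
            return "ignored: password mismatch"
        if sender.revision > self.revision:
            self.vlans = set(sender.vlans)                    # higher revision wins
            self.revision = sender.revision
            return "overwritten"
        if sender.revision < self.revision:
            return "replied with own database"
        return "no change"


def new_switch_scenario(reset_first: bool) -> dict:
    """A lab switch (client mode, stale database left at revision 40) is
    attached to the CORP domain, whose server is at revision 12 with VLANs
    10, 20 and 30. With reset_first the lab switch's domain is changed and
    changed back before it is attached."""
    prod = VtpSwitch("prod-core", "CORP", password="s3cret", revision=12,
                     vlans=DEFAULT_VLANS | {10, 20, 30})
    lab = VtpSwitch("lab-sw", "CORP", mode="client", password="s3cret", revision=40)
    if reset_first:
        lab.set_domain("TEMP")
        lab.set_domain("CORP")
    action = prod.receive_advertisement(lab)      # server hears the newcomer
    lab_action = lab.receive_advertisement(prod)  # newcomer hears the server
    return {"action": action, "lab_action": lab_action,
            "revision": prod.revision, "vlans": sorted(prod.vlans)}


def client_rejects_vlan_change() -> bool:
    """A client cannot be used to add VLANs locally."""
    try:
        VtpSwitch("lab-sw", "CORP", mode="client").add_vlan(10)
    except PermissionError:
        return True
    return False
```

Without the reset the production server accepts revision 40 and drops VLANs 10, 20 and 30; with the reset the lab switch advertises revision 0, is answered with the server's database, and then synchronizes to it.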
Spanning Tree must select:

- One root bridge
- One root port per nonroot bridge
- One designated port per network segment

Spanning Tree Election Criteria

Spanning Tree builds paths out from a central point along the fastest available links. It selects paths according to the following criteria:

1. Lowest root bridge ID (BID)
2. Lowest path cost to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

When reading the path selection criteria, remember the following:

- Bridge ID: Bridge priority concatenated with the bridge MAC address.
- Bridge priority: A 2-byte value, 0 to 65,535 (0 to 0xFFFF).
- Default priority is 32,768 (0x8000).
- Port ID: Port priority concatenated with the port number.
- Port priority: A 6-bit value, 0 to 63; the default is 32.
- Path cost: The cumulative value of the cost of each link between the bridge and the root. Cost values were updated in 2000 and you should see only new cost values, but both are given in Table 3-1. Old and new switches work together.

TABLE 3-1: Spanning Tree Costs

Link Speed   Old Cost   New Cost
10 Mbps      100        100
100 Mbps     10         19
1 Gbps       1          4
10 Gbps      1          2

The STP Election

Spanning Tree builds paths out from a starting point, the root of the tree. The first step in selecting paths is to identify this root device. Then, each device selects its best path back to the root, according to the criteria laid out in the previous sections (lowest root BID, lowest cost, lowest advertising BID, lowest port).

Root Bridge Election

Looking at Figure 3-1, first select the root bridge. Assume each switch uses the default priority.

- Switch A BID = 80-00-00-0c-11-11-00-11
- Switch B BID = 80-00-00-0c-26-78-10-10
- Switch C BID = 80-00-00-0c-32-1a-bc-de
- Switch D BID = 80-00-00-0c-81-81-11-22
- Switch E BID = 80-00-00-0c-26-79-22-22

Switch A has the lowest BID, so it is the root. Each nonroot switch must now select a root port.

Root Port Election

The root port is the port that leads back to the root. Continuing with Figure 3-1, once A is acknowledged as the root, the remaining bridges sort out their lowest cost path back to A.

- Switch B: Uses the link to A with a cost of 19 (link speed of 100 Mbps).
- Switch C: The connected link has a cost of 100 (Ethernet), the link through B has a path cost of 38 (two 100 Mbps links), and so B is chosen.
- Switch D: The link through B has a path cost of 119, the path cost through C to A is 119, the path through C then B is 57, so C is chosen.
- Switch E: The lowest path cost is the same for both ports (76 through D to C to B to A). Next check sender BID; the sender for both ports is D, so that does not break the tie. Next check sender Port ID. Assuming default port priority, the PID for 0/1 is lower than the PID for 0/2, so the port on the left is the root port.

Designated Port Election

Designated ports are ports that lead away from the root. Obviously, all ports on the root bridge are designated ports (A-B and A-C in Figure 3-1).

- Segment B-D: B has the lowest path cost to the root (19 vs 119), so it is designated for this segment.
- Segment C-D: C has the lowest path cost to the root (100 vs 119), so it is designated for this segment.
- Segment B-C: B has the lowest path cost to the root (19 vs 100), so it is designated for this segment.
- Both segments D-E: D has the lowest cost to the root (57 vs 76), so it is designated for both segments.

Now the looped topology has been turned into a tree with A at the root. Notice that there are no more redundant links.
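The election just worked through, as an added Python example (not the book's code): it applies the four criteria (lowest root BID, lowest path cost, lowest sender BID, lowest sender PID) to the Figure 3-1 topology and derives the root bridge, every root port and every designated port. The link costs are assumed from the path costs quoted in the root port election above, 19 for each 100 Mbps link and 100 for the 10 Mbps links (so A-B, B-C, C-D and both D-E links are modelled at 19, and A-C and B-D at 100); the port numbers other than D's 0/1 and 0/2 toward E are constructed.

```python
"""STP root, root port and designated port election on Figure 3-1.
Added example, not code from the book. Link costs are assumed from the
path costs worked in the text; port numbers other than D's 0/1 and 0/2
are constructed."""
import math

DEFAULT_PRIORITY = 0x8000       # 32,768
DEFAULT_PORT_PRIORITY = 32

SWITCH_MACS = {
    "A": "000c.1111.0011",
    "B": "000c.2678.1010",
    "C": "000c.321a.bcde",
    "D": "000c.8181.1122",
    "E": "000c.2679.2222",
}

# (switch, port, switch, port, link cost); each tuple is one segment
LINKS = [
    ("A", "0/1", "B", "0/1", 19),
    ("A", "0/2", "C", "0/1", 100),
    ("B", "0/2", "C", "0/2", 19),
    ("B", "0/3", "D", "0/3", 100),
    ("C", "0/3", "D", "0/4", 19),
    ("D", "0/1", "E", "0/1", 19),    # D's 0/1 and 0/2 are the ports in the figure
    ("D", "0/2", "E", "0/2", 19),
]


def bridge_id(switch: str, priority: int = DEFAULT_PRIORITY) -> str:
    """BID = 2-byte priority followed by the MAC, in the book's dashed notation.
    Same-length lowercase hex strings compare in numeric order."""
    raw = f"{priority:04x}" + SWITCH_MACS[switch].replace(".", "")
    return "-".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def port_id(port: str, priority: int = DEFAULT_PORT_PRIORITY) -> tuple:
    """PID = port priority then port number, so 0/1 sorts before 0/2."""
    slot, num = (int(x) for x in port.split("/"))
    return (priority, slot, num)


def ports_of(switch: str):
    """Yield (local port, neighbor, neighbor port, link cost) for one switch."""
    for a, pa, b, pb, cost in LINKS:
        if a == switch:
            yield pa, b, pb, cost
        elif b == switch:
            yield pb, a, pa, cost


def run_election() -> dict:
    switches = sorted(SWITCH_MACS)
    root = min(switches, key=bridge_id)                 # criterion 1: lowest BID
    root_cost = {s: math.inf for s in switches}
    root_cost[root] = 0
    root_port = {root: None}
    # Relay BPDUs until nothing changes. Each nonroot switch keeps the best
    # (path cost, sender BID, sender PID) it hears: criteria 2, 3 and 4.
    changed = True
    while changed:
        changed = False
        for s in switches:
            if s == root:
                continue
            best = None
            for local, nbr, nbr_port, cost in ports_of(s):
                if root_cost[nbr] == math.inf:
                    continue                             # neighbor has no path yet
                key = (root_cost[nbr] + cost, bridge_id(nbr), port_id(nbr_port))
                if best is None or key < best[0]:
                    best = (key, local)
            if best and (best[0][0] != root_cost[s] or root_port.get(s) != best[1]):
                root_cost[s], root_port[s] = best[0][0], best[1]
                changed = True
    # Designated port per segment: the end with the lowest root path cost,
    # then lowest BID, then lowest PID. The root wins every segment it is on.
    designated = {}
    for a, pa, b, pb, _ in LINKS:
        key_a = (root_cost[a], bridge_id(a), port_id(pa))
        key_b = (root_cost[b], bridge_id(b), port_id(pb))
        designated[(a, pa, b, pb)] = a if key_a < key_b else b
    roles = {(s, local): "blocking" for s in switches for local, *_ in ports_of(s)}
    for (a, pa, b, pb), winner in designated.items():
        roles[(winner, pa if winner == a else pb)] = "designated"
    for s, p in root_port.items():
        if p is not None:
            roles[(s, p)] = "root"
    return {"root": root, "root_cost": root_cost, "root_port": root_port,
            "designated": designated, "roles": roles}
```

With these costs the root path costs come out as the text gives them (B 19, C 38, D 57, E 76), E's tie is broken by D's lower port ID 0/1, and the three ports left blocking are C's link to A, D's link to B and E's second link to D.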
FIGURE 3-2 THE ACTIVE TOPOLOGY AFTER SPANNING TREE IS COMPLETE
(Figure: the topology of Figure 3-1 redrawn as a tree with A at the top, B and C beneath it, D beneath them, and E at the bottom.)

Bridge Protocol Data Units (BPDUs)

Switches exchange BPDUs. There are two types of BPDUs: Configuration and Topology Change (TCN).

Configuration BPDUs are sent every two seconds from the root toward the downstream switches. They:

- Are used during an election.
- Maintain connectivity between switches.
- Send timer information from the root.

TCN BPDUs are sent toward the root when:

- There is a link failure.
- A port starts forwarding, and there is already a designated port.
- The switch receives a TCN from a neighbor.

When a switch receives a TCN BPDU, it acknowledges that with a configuration BPDU that has the TCN Acknowledgment bit set. When the root bridge receives a TCN, it starts sending configuration BPDUs with the TCN bit set for a period of time equal to max age plus forward delay. Switches that receive this change their MAC table aging time to the Forward Delay time, causing MAC addresses to age faster. The topology change also causes an election of the root bridge, root ports, and designated ports.

BPDU Fields

Some of the fields in the BPDU include:

- Root bridge ID: The BID of the current root.
- Sender's root path cost: The cost to the root.
- Sender's bridge ID: Sender's priority concatenated to MAC.
- Sender's port ID: The port number, transmitted as final tie-breaker.
- Hello time: Two seconds by default.
- Forward Delay: 15 seconds by default.
- Max Age: 20 seconds by default.

Spanning Tree Port States

When a port is first activated, it transitions through the stages shown in Table 3-2.

TABLE 3-2: Spanning Tree Port States

Port State   Timer                    Actions
Blocking     Max Age (20 sec)         Discards frames, does not learn MAC addresses, receives BPDUs.
Listening    Forward Delay (15 sec)   Discards frames, does not learn MAC addresses, receives BPDUs to determine its role in the network.
Learning     Forward Delay (15 sec)   Discards frames, does learn MAC addresses, receives and transmits BPDUs.
Forwarding   (none)                   Accepts frames, learns MAC addresses, receives and transmits BPDUs.

Designing for Spanning Tree

To optimize data flow in the network, design and configure switches for the following STP roles:

- Primary and secondary root bridges (set priority values)
- Designated and root ports (set port priorities/path cost)
- Enable STP enhancements, such as Root Guard

Spanning Tree and PVST

With PVST (Per VLAN STP), there is a different instance of STP for each VLAN. To derive the VLAN BID, the switch picks a different MAC address from its base pool for each VLAN. Each VLAN has its own root bridge, root port, and so on. You can configure these so that data flow is optimized, and traffic load is balanced among the switches. Spanning Tree is enabled by default on every VLAN.

Configuring Spanning Tree

To change the STP priority value, use the following:
Switch(config)#spanning-tree vlan vlan_no. priority value

To configure a switch as root without manually changing priority values, use the following:
Switch(config)#spanning-tree vlan vlan_no. root {primary | secondary}

To change the STP port cost for an access port, use the following:
Switch(config-if)#spanning-tree cost value

To change the STP port cost for a VLAN on a trunk port, use the following:
Switch(config-if)#spanning-tree vlan vlan_no. cost value

To display STP information for a VLAN, use the following:
Switch#show spanning-tree vlan vlan_no.

To display the STP information for an interface, use the following:
Switch#show spanning-tree interface interface_no. [detail]

To verify STP timers, use the following:
Switch#show spanning-tree bridge brief

Spanning Tree Enhancements

Cisco has some proprietary enhancements to Spanning Tree that help speed up network convergence. They include:

- PortFast
- UplinkFast
- BackboneFast

Portfast

Portfast is for access (user) ports only. It causes the port to bypass the STP listening and learning states and transition directly to forwarding. Connecting a switch to a Portfast port can cause loops to develop.
(config-if)#spanning-tree portfast

UplinkFast

UplinkFast is for speeding convergence when a direct link to an upstream switch fails. The switch identifies backup ports for the root port (these are called an uplink group). If the root port fails, then one of the ports in the uplink group is unblocked and transitions immediately to forwarding; it bypasses the listening and learning stages. It should be used in wiring closet switches with at least one blocked port.

The command to enable UplinkFast is shown below. Note that UplinkFast is enabled globally, so the command affects all ports and all VLANs.
(config)#spanning-tree uplinkfast

BackboneFast

BackboneFast is used for speeding convergence when a link fails that is not directly connected to the switch. It helps the switch detect indirect failures. If a switch running BackboneFast receives an inferior BPDU from its designated bridge, it knows a link on the path to the root has failed. (An inferior BPDU is one that lists the same switch for root bridge and designated bridge.)

The switch then tries to find an alternate path to the root by sending a Root Link Query (RLQ) frame out all alternate ports. The root then responds with an RLQ response, and the port receiving this response can transition to forwarding. Alternate ports are determined in this way:

- If the inferior BPDU was received on a blocked port, then the root port and any other blocked ports are considered alternates.
- If the inferior BPDU was received on the root port, then all blocked ports are considered alternates.
- If the inferior BPDU was received on the root port and there are no blocked ports, the switch assumes it has lost connectivity with the root and advertises itself as root.

Configure this command on all switches in the network:
(config)#spanning-tree backbonefast

Rapid Spanning Tree (RSTP)

Rapid Spanning Tree (RSTP), 802.1w, is a standards-based, non-proprietary way of speeding STP convergence. Switch ports exchange an explicit handshake when they transition to forwarding. RSTP describes different port states than regular STP, as shown in Table 3-3.

TABLE 3-3: Comparing 802.1d and 802.1w Port States

STP Port State   Equivalent RSTP Port State
Disabled         Discarding
Blocking         Discarding
Listening        Discarding
Learning         Learning
Forwarding       Forwarding

RSTP Port Roles

RSTP also defines different Spanning Tree roles for ports:

- Root port: The best path to the root (same as STP).
- Designated port: Same role as with STP.
- Alternate port: A backup to the root port.
- Backup port: A backup to the designated port.
- Disabled port: One not used in the Spanning Tree.
- Edge port: One connected only to an end user.
BPDU Differences in RSTP

In regular STP, BPDUs are originated by the root and relayed by each switch. In RSTP, each switch originates BPDUs, whether or not it receives a BPDU on its root port. All eight bits of the BPDU type field are used by RSTP. The TC and TC Ack bits are still used. The other six bits specify the port's role and its RSTP state, and are used in the port handshake. The RSTP BPDU is set to Type 2, Version 2. PVST is done by Rapid PVST+ on Catalyst switches.

RSTP Fast Convergence

The Rapid Spanning Tree process understands and incorporates topology changes much quicker than the previous version.

- RSTP uses a mechanism similar to BackboneFast: When an inferior BPDU is received, the switch accepts it. If the switch has another path to the root, it uses that and informs its downstream switch of the alternate path.
- Edge ports work the same as Portfast ports: They automatically transition directly to forwarding.
- Link type: If you connect two switches through a point-to-point link and the local port becomes a designated port, it exchanges a handshake with the other port to quickly transition to forwarding. Full-duplex links are assumed to be point-to-point, half-duplex links are assumed to be shared.
- Backup and alternate ports: Ports that can transition to forwarding when no BPDUs are received from a neighbor switch (similar to UplinkFast).

If an RSTP switch detects a topology change, it sets a TC timer to twice the hello time and sets the TC bit on all BPDUs sent out its designated and root ports until the timer expires. It also clears the MAC addresses learned on these ports.

If an RSTP switch receives a TC BPDU, it clears the MAC addresses on that port and sets the TC bit on all BPDUs sent out its designated and root ports until the TC timer expires.

Multiple Spanning Tree (MST)

With Multiple Spanning Tree (MST), you can group VLANs and run one instance of Spanning Tree for a group of VLANs. This cuts down on the number of root bridges, root ports, designated ports, and BPDUs in your network. Switches in the same MST Region share the same configuration and VLAN mappings. Configure MST with these commands:

(config)# spanning-tree mode mst
(config)# spanning-tree mst configuration
(config-mst)# name region_name
(config-mst)# revision number
(config-mst)# instance number vlan vlan_range
(config-mst)# end

To be compatible with 802.1Q trunking, which has one common Spanning Tree (CST) for all VLANs, MST runs one instance of an Internal Spanning Tree (IST). The IST appears as one bridge to a CST area and is MST instance number 0. The original MST Spanning Trees (called M-Trees) are active only in the region; they combine at the edge of the CST area to form one.

EtherChannels

EtherChannel is a way of combining several physical links between switches into one logical connection. Normally, Spanning Tree blocks redundant links; EtherChannel gets around that and allows load balancing across those links. Load is balanced on the basis of such things as source or destination MAC address or IP address. The EtherChannel load-balancing method is configured at global configuration mode.
(config)#port-channel load-balance type

A logical interface, the Port Channel interface, is created. Configuration can be applied to both the logical and physical interfaces.

Some guidelines for EtherChannels are as follows:

- Interfaces in the channel do not have to be physically next to each other or on the same module.
- All ports must be the same speed and duplex.
- All ports in the bundle should be enabled.
- None of the bundle ports can be a SPAN port.
- Assign an IP address to the logical Port Channel interface, not the physical ones.
- Put all bundle ports in the same VLAN, or make them all trunks. If they are trunks, they must all carry the same VLANs and use the same trunking mode.
- Configuration you apply to the Port Channel interface affects the entire EtherChannel. Configuration you apply to a physical interface only affects that interface.

Configuring an EtherChannel

Basically, for a Layer 3 EtherChannel, you should configure the logical interface and then put the physical interfaces into the channel group:

(config)#interface port-channel number
(config-if)#no switchport
(config-if)#ip address address mask

Then, at each port that is part of the EtherChannel, use the following:

(config)#interface {number | range interface - interface}
(config-if)#channel-group number mode {auto | desirable | on}

Putting the IP address on the Port Channel interface creates a Layer 3 EtherChannel. Simply putting interfaces into a channel group creates a Layer 2 EtherChannel, and the logical interface is automatically created.

The Cisco proprietary Port Aggregation Protocol (PAgP) dynamically negotiates the formation of a channel. There are three PAgP modes:

- On: The port channels without using PAgP negotiation. The port on the other side must also be set to On.
- Auto: Responds to PAgP messages but does not initiate them. The port channels if the port on the other end is set to Desirable. This is the default mode.
- Desirable: The port actively negotiates channeling status with the interface on the other end of the link. The port channels if the other side is Auto or Desirable.

There is also a non-proprietary protocol called Link Aggregation Control Protocol (LACP), IEEE 802.3ad, which does the same thing. LACP has two modes:

- Active: The port actively negotiates channeling with the port on the other end of the link. A channel forms if the other side is Passive or Active.
- Passive: Responds to LACP messages but does not initiate them. A channel forms if the other end is set to Active.

If you want to use LACP, specify it under the interface and put the interface in either active or passive mode:
(config-if)#channel-protocol lacp

Verifying an EtherChannel

Some typical commands for verifying include:

- #show running-config interface number
- #show interfaces number etherchannel
- #show etherchannel number port-channel
- #show etherchannel summary

Additional Spanning Tree Features

Some additional features available to help you tune Spanning Tree include:

- BPDU Guard
- BPDU Filtering
- Root Guard
- UDLD
- Loop Guard

BPDU Guard

BPDU Guard is used to prevent loops if another switch is attached to a Portfast port. When BPDU Guard is enabled on an interface, it is put into an error-disabled state (basically, shut down) if a BPDU is received on the interface. It can be enabled either at global config mode, in which case it affects all Portfast interfaces, or at interface mode. Portfast does not have to be enabled for it to be configured at a specific interface. The following configuration example shows BPDU guard being enabled.

(config)#spanning-tree portfast bpduguard default
(config-if)#spanning-tree bpduguard enable

BPDU Filtering

BPDU filtering is another way of preventing loops in the network. It also can be enabled either globally or at the interface, and functions differently at each. In global config, if a Portfast interface receives any BPDUs, it is taken out of Portfast status. At interface config mode, it prevents the port from sending or receiving BPDUs. The commands are:

- (config)# spanning-tree portfast bpdufilter default
- (config-if)# spanning-tree bpdufilter enable

Root Guard

Root Guard is meant to prevent the wrong switch from becoming the Spanning Tree root. It is enabled on ports other than the root port and on switches other than the root. If a Root Guard port receives a BPDU that might cause it to become a root port, then the port is put into root-inconsistent state and does not pass traffic through it. If the port stops receiving these BPDUs, it automatically re-enables itself.
(config-if)# spanning-tree guard root

Unidirectional Link Detection (UDLD)

A switch notices when a physical connection is broken by the absence of Layer 1 electrical keepalives (Ethernet calls this a link beat). However, sometimes a cable is intact enough to maintain keepalives, but not to pass data in both directions. This is a Unidirectional Link.

Unidirectional Link Detection (UDLD) detects a unidirectional link by sending periodic hellos out the interface. It also uses probes, which must be acknowledged by the device on the other end of the link. UDLD operates at Layer 2. The port is shut down if a unidirectional link is found.

To enable UDLD on all fiber-optic interfaces, use the following command:
(config)# udld enable

Although this command is given at global config mode, it applies only to fiber ports. To enable UDLD on non-fiber ports, give the same command at interface config mode.

To disable UDLD on a specific fiber port, use the following command:
(config-if)# udld disable

To disable UDLD on a specific non-fiber port, use the following command:
(config-if)#no udld enable
To re-enable all interfaces shut by UDLD, use the following:
#udld reset

To verify UDLD status, use the following:
#show udld interface

Loop Guard

Loop Guard prevents loops that might develop if a port that should be blocking inadvertently transitions to the forwarding state. This can happen if the port stops receiving BPDUs (perhaps because of a unidirectional link or a software/configuration problem in its neighbor switch). When one of the ports in a physically redundant topology stops receiving BPDUs, STP perceives the topology as loop-free. Eventually, the blocking port becomes designated and moves to forwarding state, thus creating a loop. With Loop Guard enabled, an additional check is made.

If no BPDUs are received on a blocked port for a specific length of time, Loop Guard puts that port into loop-inconsistent blocking state, rather than transitioning to forwarding state. Loop Guard should be enabled on all switch ports that have a chance of becoming root or designated ports. It is most effective when enabled in the entire switched network in conjunction with UDLD.

To enable Loop Guard for all point-to-point links on the switch, use the following command:
(config)# spanning-tree loopguard default

To enable Loop Guard on a specific interface, use the following:
(config-if)# spanning-tree guard loop

Loop Guard automatically re-enables the port if it starts receiving BPDUs again.

Troubleshooting STP

Some common things to look for when troubleshooting Spanning Tree Protocol include:

- Duplex mismatch: When one side of a link is half-duplex and the other is full-duplex. This causes late collisions and FCS errors.
- Unidirectional link failure: The link is up but data flows only in one direction. It can cause loops.
- Frame corruption: Physical errors on the line cause BPDUs to be lost, and the port incorrectly begins forwarding. This is caused by duplex mismatch, bad cable, or cable too long.
- Resource errors: STP is implemented in software, so a switch with an overloaded CPU or memory might neglect some STP duties.
- Port Fast configuration errors: Connecting a switch to two ports that have Port Fast enabled. This can cause a loop.
- STP tuning errors: Max age or forward delay set too short can cause a loop. A network diameter that is set too low causes BPDUs to be discarded and affects STP convergence.

Identifying a Bridging Loop

Suspect a loop if you see the following:

- You capture traffic on a link, and see the same frames multiple times.
- All users in a bridging domain have connectivity problems at the same time.
- There is abnormally high port utilization.

To remedy a loop quickly, shut redundant ports and then enable them one at a time. Some switches allow debugging of STP (not 3550/2950) to help in diagnosing problems.

What to Use Where

Confused by all the acronyms and STP features? Figure 3-3 shows the STP features you might use in your network and where you might use them.

FIGURE 3-3 EXAMPLE SWITCHED TOPOLOGY
(Figure: a switched topology showing the Root Bridge and, on the links and ports around it, where UDLD, LoopGuard, RootGuard, UplinkFast, BackboneFast, BPDU Filter, PortFast and BPDU Guard are placed; the legend distinguishes Forwarding and Blocking links.)

CHAPTER 4
InterVLAN Routing

VLANs divide the network into smaller broadcast domains, but also prohibit communication between domains. To enable communication between those groups, without also passing broadcasts, routing is used.

Port roles

- Virtual LAN (VLAN) Port: Acts as a layer 2 switching port with a VLAN.
  - Static VLAN: Use the switchport command to identify the VLAN.
  - Dynamic VLAN: Use VLAN Membership Policy Server (VMPS).
- Trunk Port: Passes multiple VLANs and differentiates by tagging.
  - Use the switchport command to set parameters: ISL (Interswitch Link) or 802.1Q.
- Switched Virtual Interface (SVI): Virtual routed port in a VLAN.
  - Use to route or fallback bridge between VLANs.
  - Default SVI for VLAN 1 automatically created.
  - Associate with VLAN using interface vlan#.
- Routed port: Acts as a layer 3 routed port.
  - Place in layer 3 mode with no switchport.
  - Not associated with a VLAN.
  - Turn on routing using ip routing.
  - Assign address and enable routing protocols as needed.

InterVLAN Routing Using Multilayer Switches

Multilayer switches do the following:

- Enable IP routing using ip routing
- Create SVI using interface vlan#
- Assign an IP address to each interface

InterVLAN Routing

A router on a stick attaches the router to the switch using a trunk line (ISL or 802.1Q). Following are features of these:

- Easy to implement
- Use existing equipment
- Much more latency than a Multilayer Switching (MLS) solution
- Configure by creating a subinterface with interface fastethernet 1/0.7
- Associate the VLAN to the interface with the command encapsulation isl 7 or encapsulation dot1q 7
- ISL: No address on main interface
- 802.1Q: Address on main interface for native (untagged) VLAN

Multilayer Switching

This next section walks through the switching process and focuses on order of operations. The order things happen is extremely important for two reasons. First, order of events is good test material. Second, understanding the processing order allows you to evaluate how the various filtering and forwarding mechanisms interact (examples include error checking, access-lists, VLAN access-lists, routing, and QoS).

Understanding the Switching Process

Steps involved in layer 2 forwarding are as follows:

- Input
  1. Receive frame.
  2. Verify frame integrity.
  3. Apply inbound VLAN ACL (Virtual Local Area Network Access List).
  4. Look up destination MAC (Media Access Control).
- Output
  1. Apply outbound VLAN ACL.
  2. Apply outbound QoS ACL.
  3. Select output port.
  4. Queue on port.
  5. Rewrite.
  6. Forward.

Steps involved in layer 3 forwarding are as follows:

- Input
  1. Receive frame.
  2. Verify frame integrity.
  3. Apply inbound VLAN ACL.
  4. Look up destination MAC.
- Routing
  1. Input ACL.
  2. Switch if entry cached.
  3. Identify exit interface and next-hop address using routing table.
  4. Output ACL.
- Output
  1. Apply outbound VLAN ACL.
  2. Apply outbound QoS ACL.
  3. Select output port.
  4. Queue on port.
  5. Rewrite source and destination MAC, IP checksum and frame check sequence, and decrement TTL (Time to Live field in the IP header).
  6. Forward.

Understanding the Switching Table

Content Addressable Memory (CAM) is used for MAC tables for layer two switching.

- Used for Catalyst 4500 layer 2 forwarding tables
- Used for Catalyst 6500 layer 2 and NetFlow forwarding tables
- Contains binary values (0 or 1)
- Match must be exact

In comparison, MLS uses Ternary Content Addressable Memory (TCAM).

- Used for Catalyst 3500/3700, 4500, and 6500 layer 3 switching
- Ternary (3) values (0, 1, or wildcard)
- Entries are in VMR form:
  - Value: Pattern to be matched.
  -Mask: Masking bits associated with the pattern.
  - Result: Consequences of a match (permit/deny or more complex information).

Understanding Switch Forwarding Architectures

In a Centralized Forwarding model, the CPU controls forwarding decisions:

- Decision made by a single table
- Used by 4500 and 6500

With Distributed Forwarding, the forwarding decisions are spread throughout the interface ASICs:

- Decision made at port or module
- Used by 3500/3700 and 6500 with distributed forwarding card

NetFlow switching:

- Decision made cooperatively by Route Processor and MLS
- First packet switched in software, result cached
- Subsequent packets switched in hardware

Cisco Express Forwarding (CEF) uses a different kind of memory to facilitate forwarding:

- Uses TCAM
- Topology-based switching (via Forwarding Information Base [FIB])
- Can be centralized or distributed

Multilayer Switching

Multilayer Switching (MLS) is a switch feature that allows the switch to route traffic between VLANs and routed interfaces in a highly optimized and efficient manner. Cisco Express Forwarding (CEF) is an example technology used to facilitate MLS (see Figure 4-1). Cisco Express Forwarding (CEF) does the following:

FIGURE 4-1 CISCO EXPRESS FORWARDING
(Figure: the BGP table and IP routing table feed the FIB table (CEF cache), whose entries carry an adjacency pointer; the ARP cache feeds the adjacency table, which holds the Layer 2 header for each next hop. Sample entries: 10.0.0.0/8 with next hop 1.2.3.4 from BGP, 1.2.3.0/24 with next hop 1.5.4.1 from OSPF, 1.5.4.0/24 connected on Ethernet 0, and adjacency 1.5.4.1 with MAC 0c.00.11.22.33.44.)

- Separates control plane hardware from data plane hardware.
- Control plane runs in software and builds FIB and adjacency table.
- The data plane uses hardware to forward most IP unicast traffic.
- Handles traffic that must be forwarded in software (much slower) and includes:
  - Packets originating from the device.
  - Packets with IP header options.
  - Tunneled traffic.
  - 802.3 (IPX) frames.
  - Load sharing traffic.
- FIB is an optimized routing table, stored in TCAM.
- Builds adjacencies from ARP data.
- Eliminates recursive loops.

ARP Throttling

ARP throttling is a tool to limit ARPs into a VLAN. ARPs, you may recall, are sent as broadcast. Once an ARP is sent for a given IP, the switch prevents repetitive ARPs for a short period of time:

- First packet to destination forwarded to Route Processor.
- Subsequent traffic dropped until MAC is resolved.
- It prevents overwhelming the Route Processor (RP) with redundant ARP requests.
- It helps during Denial of Service attacks.
- It is removed when MAC is resolved or in two seconds.

Configuring and Troubleshooting CEF

By default, CEF is on and supports per destination load sharing.

To disable CEF:

- 4500: Use (config)#no ip cef.
- 3500/3700: On each interface, use (config)#no ip route-cache cef.
- 6550 with policy feature card, distributed FC, and multilayer switch FC: cannot be disabled.

View CEF information with the following:
#show interface fastethernet 2/2 | begin L3

View switching statistics with the following:
#show interface fastethernet 2/2 | include switched

View FIB with the following:
#show ip cef

View a detailed CEF FIB entry with the following:
#show ip cef fastethernet 2/2 10.0.0.1 detail

Troubleshoot CEF drops with the following:
#debug ip cef drops

Troubleshoot packets not forwarded by CEF with the following:
#debug ip cef receive

Troubleshoot CEF events with the following:
#debug ip cef events

CHAPTER 5
Layer 3 Redundancy

Specifying a default gateway leads to a single point of failure. Proxy Address Resolution Protocol (ARP) is one method for hosts to dynamically discover gateways, but it has issues in a highly-available environment. With Proxy ARP:

- Hosts ARP for all destinations, even remote.
- Router responds with its MAC.
- Problem: Slow failover because ARP entries take minutes to time out.

Instead of making the host responsible for choosing a new gateway, Layer 3 redundancy protocols allow two or more routers to support a shared MAC address. If the primary router is lost, the backup router assumes control of traffic forwarded to that MAC. This section refers to routers, but includes those Layer 3 switches that can also implement Layer 3 redundancy.

Hot Standby Router Protocol (HSRP)

HSRP is a Cisco proprietary protocol.

With HSRP, two or more devices support a virtual router with a fictitious MAC address and unique IP address. Hosts use this IP address as their default gateway, and the MAC address for the Layer 2 header. The virtual router's MAC address is 0000.0c07.ACxx, where xx is the HSRP group. Multiple groups (virtual routers) are allowed.

The Active router forwards traffic. The Standby is backup. The standby monitors periodic hellos (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router. On failure, the standby device starts answering messages sent to the IP and MAC addresses of the virtual router.

The active router is chosen because it has the highest HSRP priority (default priority is 100). In case of a tie, the router with the highest configured IP address wins the election. A new router with a higher priority does not cause an election unless it is configured to preempt, that is, take over from a lower priority router. Configuring a router to preempt also ensures that the highest priority router regains its active status if it goes down but then comes back online again.

Interface tracking reduces the active router's priority if a specified circuit is down. This allows the standby router to take over even though the active router is still up.

HSRP States

HSRP devices move between these states:

- Initial: HSRP is not running.
- Learn: The router does not know the virtual IP address and is waiting to hear from the active router.
- Listen: The router knows the IP and MAC of the virtual router, but it is not the active or standby router.
- Speak: The router sends periodic HSRP hellos and participates in the election of the active router.
- Standby: The router monitors hellos from the active router and assumes responsibility if the active router fails.
- Active: The router forwards packets on behalf of the virtual router.

Router(config-if)#standby 39 preempt
Router(config-if)#standby 39 preempt delay minimum 90

Speed convergence by changing the hello and hold timers.
The follow- ing sets the hello interval to 2 seconds and the hold time to 7 seconds. They can be set between 1255 seconds (the default hello is 3 seconds and hold time is 10 seconds):Configuring HSRP Router(config-if)#standby 39 timers 2 7To begin configuring HSRP, use the standby group-number ip virtual-IP-address command in interface configuration mode. Routers in the Tracking an interface can trigger an election if the active router is stillsame HSRP group must belong to the same subnet/virtual LAN up, but a critical interface (such as the one to the Internet) is down. In(VLAN.) Give this command under the interface connecting to that the following, if serial 1/0/0 is down, the routers HSRP priority issubnet or VLAN. For instance, use the following to configure the routerdecremented by 100:as a member of HSRP group 39 with virtual router IP address 10.0.0.1: Router(config-if)#standby 39 track s1/0/00 100Router(config-if)#standby 39 ip 10.0.0.1Tune HSRP with four options: Priority, Preempt, Timers, and InterfaceNoteTracking.The standby router must be configured with the preempt command for it to take control.Manually select the active router by configuring its priority higher thanthe default of 100: Multiple HSRP standby groups can be configured, and the same routerRouter(config-if)#standby 39 priority 150can be active for some groups and standby for others by adjusting priorities. You can have a maximum of 255 groups. When using LayerAlong with configuring priority, configure preempt to allow a router to 3 switches, configure the same switch as the primary HSRP router andtake over if the active router has lower priority, as shown in the follow- the Spanning Tree root.ing commands. This helps lead to a predictable data path through thenetwork. The second command shown delays preemption until theTo view the HSRP status, use the show standby interface interfacerouter or switch has fully booted, and the routing protocol hascommand, or show standby brief. 
To monitor HSRP activity, use theconverged. Time how long it takes to boot and add 50 percent to get thedebug standby command.delay value in seconds: 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 67 for more details. 42. [ 42 ] CHAPTER 5 CCNP BCMSN Quick Reference Sheets L AYER 3 REDUNDANCY VRRP uses the following timers:Virtual Router Redundancyn Advertisement, or hello, interval in seconds. Default is 1 second.Protocol (VRRP)Virtual Router Redundancy Protocol (VRRP) is similar to HSRP, but itn Master down interval. Equals (3 x advertisement interval) plusis an open standard (RFC 2338). Two or more devices act as a virtualskew time. Similar to a hold or dead timer.router. With VRRP, however, the IP address used can be either a virtual n Skew time. (256priority) / 256. This is meant to ensure that theone or the actual IP address of the primary router. highest priority backup router becomes master, since higher prior-The VRRP Master router forwards traffic. The master is chosen ity routers have shorter master down intervals.because 1) it owns the real address, or 2) it has the highest priority(default is 100). If a real address is being supported, the owner of realTo change the timers on the master, use the following commandaddress must be master. A Backup router takes over if the master fails,because it is the router that advertises the hellos:and there can be multiple backup routers. They monitor periodic hellos Router(config-if)#vrrp 39 timers advertise 5multicast by the master to 224.0.0.18, using UDP port 112, to detect afailure of the master router.To change the timers on the backup routers, use the following command because they hear the hellos from the master:Multiple VRRP groups are allowed, just as with HSRP. Router(config-if)#vrrp 39 timers learnRouters in the same VRRP group must belong to the samesubnet/VLAN. 
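The HSRP election rules and the VRRP timer arithmetic described above, as an added worked example (this is not code from the Quick Reference Sheets): it derives the HSRP virtual MAC from the group number, runs the active-router election with priority, IP tie-break, preempt and interface tracking, and computes which VRRP backup's master down interval expires first. Router names, addresses, interface names and priorities in it are constructed sample data.

```python
"""HSRP election and VRRP master-down timing, as an added worked example.

Not code from the Quick Reference Sheets. It models the rules the HSRP and
VRRP sections state: the HSRP virtual MAC 0000.0c07.acXX, the HSRP active
election (highest priority, highest IP on a tie, preempt required to take
over a running active router, interface tracking decrementing priority),
and the VRRP master down interval 3 x advertisement interval plus
(256 - priority) / 256. All router names, addresses, interfaces and
priorities below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def hsrp_virtual_mac(group: int) -> str:
    """HSRP virtual MAC 0000.0c07.acXX, where XX is the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # HSRP default priority
    preempt: bool = False        # 'standby <group> preempt' configured
    # tracked interfaces currently down -> decrement ('standby <group> track <if> <dec>')
    tracked_down: dict = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Configured priority minus decrements for tracked interfaces that are down."""
        return max(0, self.priority - sum(self.tracked_down.values()))

    def election_key(self) -> tuple:
        """Higher effective priority wins; the higher configured IP breaks ties."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def hsrp_elect(routers: list, current_active: Optional[str] = None) -> str:
    """Return the name of the router that is HSRP active after an election.

    With no active router (initial election, or the active router failed
    and is no longer in the list) the best candidate wins outright. A
    running active router is displaced only by a better candidate that is
    configured to preempt, matching the Note in the text.
    """
    best = max(routers, key=HsrpRouter.election_key)
    active = next((r for r in routers if r.name == current_active), None)
    if active is None:
        return best.name
    if best.name != active.name and best.preempt \
            and best.election_key() > active.election_key():
        return best.name
    return active.name


def vrrp_skew_time(priority: int) -> float:
    """VRRP skew time in seconds: (256 - priority) / 256."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1-255")
    return (256 - priority) / 256


def vrrp_master_down_interval(advert_interval: float, priority: int) -> float:
    """Master down interval: 3 x advertisement interval plus skew time."""
    return 3 * advert_interval + vrrp_skew_time(priority)


def vrrp_first_backup_to_take_over(backup_priorities: dict, advert_interval: float = 1.0):
    """Return (name, master_down_interval) for the backup whose timer expires first.

    Skew shrinks as priority grows, so the highest-priority backup has the
    shortest master down interval and declares itself master first.
    """
    intervals = {name: vrrp_master_down_interval(advert_interval, prio)
                 for name, prio in backup_priorities.items()}
    winner = min(intervals, key=intervals.get)
    return winner, intervals[winner]


if __name__ == "__main__":
    # Constructed sample HSRP group 39 with two routers, both able to preempt.
    r1 = HsrpRouter("R1", "10.0.0.2", priority=150, preempt=True)
    r2 = HsrpRouter("R2", "10.0.0.3", priority=100, preempt=True)
    print(hsrp_virtual_mac(39), hsrp_elect([r1, r2]))
    r1.tracked_down["Serial1/0/0"] = 100           # tracked uplink goes down
    print(hsrp_elect([r1, r2], current_active="R1"))
    print(vrrp_first_backup_to_take_over({"B1": 100, "B2": 175}))
```

Running the sample shows R1 winning the initial election on priority, losing it to R2 once its tracked interface drops its effective priority to 50 (because R2 is configured to preempt), and the priority-175 VRRP backup timing out roughly 0.3 seconds before the priority-100 one.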
To enable VRRP, give this command, vrrp group-number ip virtual-IP-address, under the interface connecting to that subnet or VLAN:

Router(config-if)#vrrp 39 ip 10.0.0.1

Control the master and backup elections by configuring priority values from 1-255. If a master VRRP router is shut down, it advertises a priority of 0. This triggers the backup routers to hold an election without waiting for the master's hellos to time out.

Router(config-if)#vrrp 39 priority 175

GLBP

One issue with both HSRP and VRRP is that only the primary router is in use; the others must wait for the primary to fail before they are used. These two protocols use groups to get around that limitation. However, Gateway Load Balancing Protocol (GLBP) allows the simultaneous use of up to four gateways, thus maximizing bandwidth. With GLBP, there is still one virtual IP address. However, each participating router has a virtual MAC address, and different routers' virtual MAC addresses are sent in answer to ARPs sent to the virtual IP address. GLBP can also use groups up to a maximum of 1024 per physical interface.

The load sharing is done in one of three ways:

- Weighted load balancing: Traffic is balanced proportional to a configured weight.
- Host-dependent load balancing: A given host always uses the same router.
- Round-robin load balancing: Each router MAC is used to respond to ARP requests in turn.

Hello and hold (or dead) timers can be configured for each interface with the command glbp group-number timers [msec] hello-time [msec] hold-time. Values are in seconds unless the msec keyword is used.

GLBP can also track interfaces; if an interface goes down, another router answers for the first router's MAC address.

GLBP routers elect an Active Virtual Gateway (AVG). It is the only router to respond to ARPs.
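The three GLBP load-sharing methods and the failover behaviour described above, as an added worked example (not code from the Quick Reference Sheets or from Cisco): an AVG answers ARP requests for the one virtual IP with a different forwarder's virtual MAC according to the configured method, and reassigns a failed router's virtual MAC to a surviving router. The virtual MACs, router names, weights and host addresses are constructed sample values, and the weighted and host-dependent selections are modelled as smooth weighted round-robin and a CRC32 of the requester address, which are assumptions standing in for Cisco's internal algorithms.

```python
"""GLBP load sharing by the Active Virtual Gateway, as an added worked example.

Not code from the Quick Reference Sheets. It models what the text
describes: only the AVG answers ARPs for the single virtual IP, handing
out a different Active Virtual Forwarder's virtual MAC per reply by one
of three methods (round-robin, weighted, host-dependent); when a router
fails, another router answers for its virtual MAC so hosts keep working
without re-ARPing. Virtual MACs, router names, weights and host
addresses are constructed sample values; the weighted method is modelled
as smooth weighted round-robin and the host-dependent choice as CRC32 of
the requester IP (assumptions, not Cisco's internal algorithms).
"""
from itertools import cycle
import zlib

METHODS = ("round-robin", "weighted", "host-dependent")


class GlbpAvg:
    def __init__(self, forwarders: dict, method: str = "round-robin"):
        """forwarders: {virtual_mac: (router_name, weight)}; at most four gateways."""
        if method not in METHODS:
            raise ValueError(f"unknown GLBP load-balancing method: {method}")
        if not 1 <= len(forwarders) <= 4:
            raise ValueError("GLBP shares load across one to four gateways")
        self.method = method
        self.owner = {mac: name for mac, (name, _w) in forwarders.items()}
        self.weight = {mac: w for mac, (_n, w) in forwarders.items()}
        self._rr = cycle(self.weight)                   # dict order is stable
        self._credit = {mac: 0 for mac in self.weight}  # weighted round-robin state

    def answer_arp(self, requester_ip: str) -> str:
        """Virtual MAC the AVG places in its ARP reply for the virtual IP."""
        if self.method == "round-robin":
            return next(self._rr)                       # each AVF MAC in turn
        if self.method == "weighted":
            return self._weighted_pick()
        return self._host_dependent_pick(requester_ip)

    def _weighted_pick(self) -> str:
        # Smooth weighted round-robin: every MAC earns its weight in credit,
        # the richest MAC is chosen and pays the total weight back, so over
        # time replies are proportional to the configured weights.
        for mac, w in self.weight.items():
            self._credit[mac] += w
        chosen = max(self._credit, key=self._credit.get)
        self._credit[chosen] -= sum(self.weight.values())
        return chosen

    def _host_dependent_pick(self, requester_ip: str) -> str:
        # Deterministic hash of the requester, so a given host always
        # receives the same AVF MAC.
        macs = sorted(self.weight)
        return macs[zlib.crc32(requester_ip.encode()) % len(macs)]

    def router_failed(self, failed: str, takeover: str) -> list:
        """Reassign the failed router's virtual MAC(s) to another router.

        ARP replies are unchanged; hosts that were handed the failed
        router's MAC are now served by the takeover router.
        """
        moved = [mac for mac, name in self.owner.items() if name == failed]
        for mac in moved:
            self.owner[mac] = takeover
        return moved

    def forwarder_for(self, virtual_mac: str) -> str:
        """Router currently acting as AVF for a virtual MAC."""
        return self.owner[virtual_mac]


def reply_distribution(avg: GlbpAvg, requester_ips) -> dict:
    """Count how many ARP replies name each virtual MAC."""
    counts = {mac: 0 for mac in avg.weight}
    for ip in requester_ips:
        counts[avg.answer_arp(ip)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three GLBP routers, one virtual MAC each.
    fwd = {"0200.0000.0001": ("R1", 3), "0200.0000.0002": ("R2", 1),
           "0200.0000.0003": ("R3", 1)}
    hosts = [f"10.0.0.{i}" for i in range(10, 60)]
    for method in METHODS:
        print(method, reply_distribution(GlbpAvg(fwd, method), hosts))
    avg = GlbpAvg(fwd)
    print(avg.router_failed("R1", "R2"), avg.forwarder_for("0200.0000.0001"))
```

With the sample weights 3:1:1 the weighted run hands R1's MAC to three of every five hosts, round-robin splits replies evenly, and host-dependent keeps each host pinned to one MAC; after router_failed, hosts holding R1's MAC are served by R2 without any change to their ARP cache.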
The AVG uses this capacity to balance the load among the GLBP routers. The highest priority router is the AVG; the highest configured IP address is used in case of a tie.

The actual router used by a host is its Active Virtual Forwarder (AVF). GLBP group members multicast hellos every 3 seconds to IP address 224.0.0.102, UDP port 3222. If one router goes down, another router answers for its MAC address.

Configure GLBP with the interface command glbp group-number ip virtual-IP-address, as shown:

Router(config-if)#glbp 39 ip 10.0.0.1

To ensure deterministic elections, each router can be configured with a priority. The default priority is 100:

Router(config-if)#glbp 39 priority 150

CHAPTER 6: Using Wireless LANs

Wireless LAN Overview

Devices on a wireless LAN (WLAN) transmit and receive data using radio or infrared signals, sent through an access point (AP). WLANs function similarly to Ethernet LANs, with the access point providing connectivity to the rest of the network as would a hub or switch.

WLANs use an Institute of Electrical and Electronics Engineers (IEEE) standard that defines the physical and data link specifications, including the use of Media Access Control (MAC) addresses. The same protocols (such as IP) and applications (such as IPSec) can run over both wired and wireless LANs.

WLANs are local to a building or a campus, use customer-owned equipment, and are not usually required to have radio frequency (RF) licenses.

Service Set Identifiers (SSID) correspond to a VLAN and can be used to segment users. SSIDs can be broadcast by the access point, or statically configured on the client, but the client must have the same SSID as the AP to register with it. SSIDs are case sensitive. Clients associate with access points as follows:

Step 1. The client sends a probe request.
Step 2. The AP sends a probe response.
Step 3. The client initiates an association to an AP. Authentication and any other security information is sent to the AP.
Step 4. The AP accepts the association.
Step 5. The AP adds the client's MAC address to its association table.

Characteristics of Wireless LANs

The following lists some characteristics of wireless LANs, and the data transmitted over wireless networks.

- WLANs use Carrier Sense Multi-Access/Collision Avoidance (CSMA/CA). Wireless data is half-duplex. CSMA/CA uses Request to Send (RTS) and Clear to Send (CTS) messages to avoid collisions.
- WLANs use a different frame type than Ethernet.
- Radio waves have unique potential issues. They are susceptible to interference, multipath distortion, and noise. Their coverage area can be blocked by building features, such as elevators. The signal might reach outside the building and lead to privacy issues.
- WLAN hosts have no physical network connection. They are often mobile and often battery-powered. The wireless network design must accommodate this.
- WLANs must adhere to each country's RF standards.

Clients can roam between APs that are configured with the same SSIDs/VLANs. Layer 2 roaming is done between APs on the same subnet; Layer 3 roaming is done between APs on different subnets.

WLAN Topologies

Use of the Cisco Aironet line of wireless products falls into three categories:

- Client access, which allows mobile users to access the wired LAN resources
- Wireless connections between buildings
- Wireless mesh

Wireless connections can be made in ad-hoc mode or infrastructure mode. Ad-hoc mode (or Independent Basic Service Set [IBSS]) is simply a group of computers talking wirelessly to each other with no access point (AP). It is limited in range and functionality. Infrastructure mode's BSS uses one AP to connect clients. The range of the AP's signal, called its microcell, must encompass all clients. The Extended Service Set (ESS) uses multiple APs with overlapping microcells to cover all clients. Microcells should overlap by 10-15 percent for data, and 15-20 percent for voice traffic. Each AP should use a different channel.

Wireless repeaters extend an AP's range. They use the same channel as their AP, they must be configured with the AP's SSID, and they should have 50 percent signal overlap.

Workgroup bridges connect to devices without a wireless network interface card (NIC) to allow them access to the wireless network.

Wireless mesh networks can span large distances because only the edge APs connect to the wired network. The intermediate APs connect wirelessly to multiple other APs and act as repeaters for them. Each AP has multiple paths through the wireless network. The Adaptive Wireless Path (AWP) protocol runs between APs to determine the best path to the wired network. APs choose backup paths if the best path fails.

WLAN Standards

WLANs use three unlicensed frequency bands: 900 MHz, 2.4 GHz, and 5 GHz. These bands are all in the Industrial, Scientific, and Medical (ISM) frequency range. Higher frequency bands allow greater bandwidth, but have smaller transmission ranges. Within all bands, the data rate decreases as the client moves away from the AP.

802.11b Standard

802.11b is a widely adopted standard that operates in the 2.4 GHz range and uses Direct Sequence Spread Spectrum (DSSS). It has four data rates: 1, 2, 5.5, and 11 Mbps. 802.11b provides from 11-14 channels, depending on country standards, but only three channels have nonoverlapping frequencies: 1, 6, and 11. Cisco recommends a maximum of 25 users per cell; expect an actual peak throughput of about 6.8 Mbps.

Note: Japan provides a 14th channel, which does not overlap with channel 11 and gives a fourth available nonoverlapping channel.

802.11a Standard

802.11a operates in the 5 GHz range and uses Orthogonal Frequency-Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. 802.11a provides from 12-23 nonoverlapping channels, depending on country regulations. Portions of the 5 GHz range are allocated to radar, so 802.11a uses Dynamic Frequency Selection (DFS) to check for radar signals and choose a different channel if it detects them. It also uses Transmit Power Control (TPC) to adjust client power, so that they use only enough to stay in contact with the AP. DFS and TPC are part of the 802.11h specification. Cisco recommends a maximum of 15 users per cell; expect an actual peak throughput of about 32 Mbps.

802.11g Standard

802.11g operates in the same 2.4 GHz range as 802.11b and uses the same three nonoverlapping channels: 1, 6, and 11. It can provide higher data rates, however. 802.11g uses DSSS to provide 1, 2, 5.5, and 11 Mbps throughput, which makes it backward compatible with 802.11b. It uses OFDM to provide 6, 9, 12, 18, 24, 36, 48, and 54 Mbps throughput, as does 802.11a.

802.11b/g access points can register both 802.11b and 802.11g clients. Because 802.11b clients do not understand OFDM messages, when 802.11b clients register, the AP implements an RTS/CTS protection mechanism against collisions. When a client wants to talk, it sends an RTS message. The AP must answer with a CTS message before the client is allowed to transmit. This creates overhead for the AP and causes a drop in overall throughput for all clients. Cisco recommends a maximum of 20 users per cell; expect an actual peak throughput of about 32 Mbps.

Wireless Security

Wireless security methods, listed from weakest to strongest, include:

- Wired Equivalent Privacy (WEP): It uses static keys, weak authentication, and is not scalable.
- 802.1x Extensible Authentication Protocol (EAP): Uses RADIUS for authentication, dynamic keys, and stronger encryption. Cisco supports it via Lightweight EAP (LEAP) and Protected EAP (PEAP).
- Wi-Fi Protected Access (WPA): This is a Wi-Fi Alliance standard. Uses Temporal Key Integrity Protocol (TKIP) for encryption, dynamic keys, and 802.1x user authentication. Cisco supports it via Lightweight EAP (LEAP), Protected EAP (PEAP), and Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
- WPA2: The Wi-Fi Alliance's implementation of the 802.11i standard, which specifies the use of Advanced Encryption Standard (AES) for data encryption and uses 802.1x authentication methods. Can also use TKIP encryption.

WPA/WPA2 Authentication

When a host wanting WLAN access needs to be authenticated in a network using WPA or WPA2, the following steps occur:

Step 1. An 802.1x/EAP supplicant on the host contacts the AP (or WLAN controller, if it is a lightweight AP) using 802.1x.
Step 2. The AP or WLAN controller uses RADIUS to contact the AAA server, and attempts to authenticate the user.
Step 3. If the authentication succeeds, all traffic from the client to the AP is encrypted.

Cisco Wireless Network Components

This section is mainly concerned with Cisco products and is quite marketing oriented. Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or dumb) access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.

Cisco Unified Wireless Network

The Cisco Unified Wireless Network concept has five components that work together to create a complete network, from client devices to network infrastructure, to network applications. Cisco has equipment appropriate to each component. Table 6-1 lists components and equipment.

TABLE 6-1 Cisco Unified Wireless Network Components (Component: Description and Devices)

- Client Devices: Cisco Aironet client, and Cisco compatible third-party vendor clients.
- Mobility Platform: Aironet APs and bridges, using LWAPP.
- Network Unification: Leverages existing wired network. 2000- and 4400-series WLAN controllers and switch and router modules.
- World-Class Network Management: Visualize and secure the WLAN. WCS for location tracking, RF management, wireless IPS, and WLC management.
- Unified Advanced Services: Applications such as wireless IP phones, location appliances, and RF firewalls.

You should review the following link for more information on Cisco wireless controllers and access points before you take the exam: http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html

Wireless Clients

Cisco has a wireless NIC that can be installed on Windows 2000 and Windows XP systems. It comes with some utilities: Aironet Desktop Utility (ADU), Aironet Client Monitor (ACM), and Aironet Client Administration Utility (ACAU). Cisco recommends using the ADU and ACM utilities to control your wireless card, rather than the built-in Windows controls, to get the increased functionality Cisco provides. The Cisco ACAU allows loading and configuration of the Cisco client software over the network, using encrypted files. There is also an Aironet Site Survey Utility to scan for APs and get information about them.

Cisco wireless IP phones have the same features as Cisco wired IP phones and can use LEAP for authentication.

The Cisco Compatible Extensions Program tests other vendors' devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions. A list of these products can be found at www.cisco.com/go/ciscocompatible/wireless.

Autonomous APs

Autonomous APs run Cisco IOS, are programmed individually, and act independently. They can be centrally managed with the CiscoWorks Wireless LAN Solution Engine (WLSE) and can use Cisco Secure Access Control Server (ACS) for RADIUS and TACACS+ authentication. Redundancy consists of multiple APs.

Lightweight Access Points

Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called split MAC, because they split the functions of the MAC layer (Layer 2). Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs. The AP handles real-time processes, and the WLC handles processes such as:

- Authentication
- Client association/mo
- Security management
- QoS policies
- VLAN tagging
- Forwarding of user traffic

The Lightweight Access Point Protocol (LWAPP) supports the split MAC function in traffic between a lightweight AP and its controller. LWAPP uses AES-encrypted control messages and encapsulates, but does not encrypt, data traffic. LWAPP operates at Layer 2, and also at Layer 3 over UDP. (However, Layer 2 operation has been deprecated by Cisco.) The controller can be either in the same broadcast domain and IP subnet or, for Layer 3 operation, in a different broadcast domain and IP subnet. The AP follows this process to discover its controller:

Step 1. The AP requests a DHCP address. The DHCP response includes the management IP address of one or more WLCs.
Step 2. The AP sends an LWAPP Discovery Request message to each WLC.
Step 3. The WLCs respond with an LWAPP Discovery Response that includes the number of APs currently associated to it.
Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it.
Step 5. The WLC responds with a Join Response message, the AP and the controller mutually authenticate each other and