Tuesday, 7 April 2015

Optional Spanning Tree Features

PortFast:

Enabled only on edge (end-host) ports. When link comes up on a PortFast port, the port transitions immediately to Forwarding, skipping the Listening and Learning states. PortFast does not stop the port from sending or processing BPDUs, so a switch plugged into such a port can still take part in the topology unless BPDU Guard is enabled as well.

BPDUGuard:

If enabled together with PortFast, a port that receives any BPDU is put into the err-disabled state. This stops a rogue switch (or a host sending crafted BPDUs) on an edge port from joining the spanning tree; the port stays err-disabled until it is bounced with shutdown / no shutdown or errdisable recovery re-enables it.

Uplink Fast:

This example uses a minimal backbone and inspects the behaviour of STP when an uplink fails. D1 and D2 are core switches, and D1 is configured as the root bridge of the network. A is an access switch with two uplinks: P1 to D1 (its root port) and P2 to D2 (blocking).
  1. Assume that the primary uplink from A to D1 fails.
  2. Port P1 goes down immediately and switch A declares its uplink to D1 as down.
    Switch A considers its link to D2, which still receives BPDUs from the root, as an alternate root port. Bridge A can start to transition port P2 from the blocking state to the forwarding state. In order to achieve this it has to go through the listening and learning stages. Each of these stages lasts forward_delay (15 seconds by default), which keeps port P2 from forwarding for 30 seconds.
  3. Once port P2 reaches the forwarding state, network connectivity is re-established for hosts attached to switch A.
    The network outage lasted 30 seconds.
    The minimum value allowed for the forward_delay timer is seven seconds, so tuning the STP timers can bring the recovery time down to 14 seconds. This is still a noticeable delay for a user, and this kind of tuning should be done with caution. With UplinkFast enabled on switch A, the alternate port P2 is moved directly to forwarding as soon as P1 goes down, skipping listening and learning, so recovery no longer waits for 2 x forward_delay. UplinkFast is intended for access switches only: it raises the bridge priority (to 49152) and adds 3000 to the port costs so that the switch cannot become root or a transit path for other switches.
Backbone Fast:

This scenario is based on the first example, but this time with BackboneFast enabled on the three switches (R is the root bridge; S and B are the other two switches).
  1. If link L1 goes down, switch B immediately detects the failure and assumes it is the root. It starts to send BPDUs to S and claims to be the new root.
  2. As soon as S receives the inferior BPDU from B, it starts to reconfirm its non-designated ports instead of waiting max_age. It sends an RLQ (Root Link Query) on its root port for root bridge R.
  3. Root bridge R receives the query and immediately answers with an RLQ response that confirms there is still a root R in that direction.
  4. S has now checked all its non-designated ports and still has connectivity to the root. It can therefore immediately age out the information stored on port P. P transitions to listening and starts to send BPDUs. At that stage max_age seconds (20 by default) have already been saved, and the standard Spanning-Tree Algorithm (STA) applies from here on.
  5. B receives the better BPDU from S (R is a better root than B) and now considers the port that leads to L3 as its root port.

Root Guard:

Root Guard can be enabled on every switch port in the network from which the root bridge should never be seen, that is, on every port that is not a root port (the root port being the one port on each non-root switch that is closest to the root bridge) and should only ever act as a designated port. If a port configured with Root Guard receives a superior BPDU (one advertising a better root bridge ID than the current root), the switch does not believe it; instead the port goes into the root-inconsistent state, in which no user data is forwarded. Once the superior BPDUs stop, the port recovers on its own and returns to the forwarding state. This keeps a rogue or misconfigured switch on an access or customer-facing port from taking over as root and pulling traffic through itself.
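The three guard decisions described above (PortFast plus BPDU Guard, Root Guard, and the unprotected case that a rogue-root attack relies on), as an added Python model. This is illustration code written for this page, not from the original post or from Cisco; the bridge IDs, MAC addresses and port names are constructed sample values, and the ordering of bridge IDs (lower priority wins, lower MAC breaks ties) is the 802.1D rule.

```python
"""Bridge ID ordering plus the BPDU Guard and Root Guard port decisions.

Added illustration (not code from the original page). Bridge IDs, MAC
addresses and port names below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge ID: lower priority wins, lower MAC breaks ties.
    Field order matters: dataclass ordering compares priority first."""
    priority: int
    mac: str

    @classmethod
    def parse(cls, text: str) -> BridgeId:
        # Cisco 'show spanning-tree' style: "<priority>.<xxxx.xxxx.xxxx>"
        prio, mac = text.split(".", 1)
        return cls(int(prio), mac.lower())


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    state: str = "forwarding"


class Switch:
    def __init__(self, bridge_id: str, current_root: str) -> None:
        self.bridge_id = BridgeId.parse(bridge_id)
        self.root_id = BridgeId.parse(current_root)
        self.ports: dict[str, Port] = {}
        self.events: list[str] = []

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def receive_bpdu(self, port_name: str, advertised_root: str) -> str:
        """Apply the guard checks to one received BPDU and return the port's
        resulting state (or 'root-changed' when a superior root is accepted)."""
        port = self.ports[port_name]
        root = BridgeId.parse(advertised_root)

        # BPDU Guard: a PortFast edge port should never see a BPDU at all,
        # whatever it advertises; IOS err-disables the port.
        if port.portfast and port.bpduguard:
            port.state = "err-disabled"
            self.events.append(f"{port_name}: BPDU on PortFast port, err-disabled")
            return port.state

        superior = root < self.root_id
        if superior and port.rootguard:
            # Root Guard: refuse to learn a better root through this port and
            # stop user traffic on it until the superior BPDUs go away.
            port.state = "root-inconsistent"
            self.events.append(f"{port_name}: superior root {root}, root-inconsistent")
            return port.state

        if superior:
            # Unprotected port: the switch believes the BPDU. This is exactly
            # what a rogue-root attack relies on.
            self.root_id = root
            self.events.append(f"{port_name}: new root {root} accepted")
            return "root-changed"

        return port.state

    def superior_bpdus_stopped(self, port_name: str) -> str:
        """Root Guard recovery: once the superior BPDUs stop (after max_age)
        the port returns to forwarding without manual intervention. An
        err-disabled port does not recover this way."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state


if __name__ == "__main__":
    sw = Switch("32768.0000.0000.bbbb", current_root="4096.0000.0000.aaaa")
    sw.add_port(Port("Gi0/1", portfast=True, bpduguard=True))   # host-facing edge
    sw.add_port(Port("Gi0/2", rootguard=True))                  # designated port
    sw.add_port(Port("Gi0/3"))                                  # no guards at all
    print(sw.receive_bpdu("Gi0/1", "32768.0000.0000.cccc"))
    print(sw.receive_bpdu("Gi0/2", "0.0000.0000.ffff"))
    print(sw.receive_bpdu("Gi0/3", "0.0000.0000.ffff"))
    print(*sw.events, sep="\n")
```

Gi0/3 is the case to notice: with neither guard configured, one BPDU with priority 0 is enough to move the root onto whatever is plugged into that port.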

Wednesday, 1 April 2015

LACP

Dynamic Trunking Protocol

Dynamic Trunking Protocol (DTP) lets a switch port learn dynamically whether the device on the other end of the cable wants to form a trunk and, if so, which trunking protocol (encapsulation) to use. The switchport modes are:
  1. dynamic auto: The port negotiates the mode automatically but prefers to be an access port. It creates a trunk only in response to a DTP request from the neighbouring switch.
  2. dynamic desirable: The port negotiates the mode automatically and prefers to be a trunk port. It tells the neighbouring switch via DTP that it would like to become a trunk if the neighbouring interface is able to become one.
  3. trunk: Trunking is enabled unconditionally, regardless of the state of the neighbouring switch and of any DTP requests it sends.
  4. access: Trunking is not allowed on this port, regardless of the state of the neighbouring switch interface and of any DTP requests it sends.
  5. nonegotiate: Prevents the interface from generating DTP frames. This command can be used only when the switchport mode is access or trunk. The neighbouring interface must then be configured manually as a trunk to establish a trunk link.

Trunk + Trunk = Trunk
Trunk + Des = Trunk
Trunk + Auto = Trunk
Des + Des = Trunk
Des + Auto = Trunk
Auto + Auto = No Trunk
Any + Access = No Trunk

Default on current switch ports is dynamic auto.

Dynamic desirable is the mode that actively asks for a trunk; if both ports are dynamic but one is configured as auto and the other as desirable, the resulting operational mode is trunk.

Because a port left at the default (dynamic auto) forms a trunk as soon as the neighbour asks, any host that can send DTP frames on an access port can turn that port into a trunk and then tag frames into every VLAN (switch spoofing). Ports that face end hosts should therefore be set to switchport mode access with switchport nonegotiate, so that no DTP is sent or honoured on them.

DTP also negotiates the type of encapsulation on the trunk when both devices support both ISL and 802.1Q; in that case they choose ISL. Should the DTP negotiation fail, any port in dynamic mode (desirable or auto) operates as an access port.

Catalyst 2950 and 3550 models default to dynamic desirable mode
Catalyst 2960, 3560 or 3750, default to dynamic auto mode.

While DTP and VTP are independent protocols, DTP carries the VTP domain name in its messages, and two switches in different VTP domains will not negotiate a trunk with each other (a static trunk with nonegotiate still works).

Example:

! The administrative mode of dynamic desirable (trunking) and negotiate (trunking
! encapsulation) means that Switch1 attempted to negotiate to trunk, but the
! operational mode of static access means that trunking negotiation failed.
! The reference to "operational trunking encapsulation" of native means that
! no tagging occurs.
Switch1# show int fa 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

++++++++++++++++++++++++++++++++++++++++++++++++++++++

! Next, the show int gig 0/1 trunk command shows the configured mode
! (desirable) and the current status (n-isl), meaning negotiated ISL. The
! rest of the output, which lists the allowed VLAN range (extended VLANs
! included), is omitted here.
Switch1# show int gig 0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    n-isl          trunking      1

++++++++++++++++++++++++++++++++++++++++++++++++++++++

! The TOS/TAS/TNS stand for Trunk Operating/Administrative/Negotiation Status
! The TOT/TAT/TNT stand for Trunk Operating/Administrative/Negotiation Type
! In the following output, Fa0/12 is configured as dynamic desirable

SW1# show dtp interface fa0/12
DTP information for FastEthernet0/12:
TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK
TOT/TAT/TNT: ISL/NEGOTIATE/ISL

++++++++++++++++++++++++++++++++++++++++++++++++++++++


Without any configuration, the default port settings on recent Catalyst switch
series such as 2960, 3560, 3750, 3650, and 3850 are as follows: mode set to dynamic auto,
native VLAN set to 1, access VLAN set to 1, trunk encapsulation set to auto (if both ISL
and dot1q supported) or dot1q, all VLANs allowed, and VLANs 2–1001 eligible for pruning.
On older 2950 and 3550 models, the default mode was dynamic desirable.
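An audit of the show interfaces switchport output discussed above, as an added Python example (not from the original page). It parses the same field names IOS prints, flags ports that a neighbour could talk into a trunk or that still emit DTP, flags trunks left on native VLAN 1, and prints the IOS commands that pin each port to its role. SAMPLE_OUTPUT is constructed: the interface names and VLAN values are made up, and UNUSED_NATIVE_VLAN is an assumed value.

```python
"""Audit 'show interfaces switchport' output for DTP exposure.

Added example, not code from the original page. SAMPLE_OUTPUT is constructed:
the field names are the ones IOS prints, the interface names and VLAN values
are made up. UNUSED_NATIVE_VLAN is an assumed value for the remediation.
"""
from __future__ import annotations

import re

UNUSED_NATIVE_VLAN = 999  # assumption: an otherwise-unused VLAN for the trunk native

SAMPLE_OUTPUT = """\
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: static access
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Administrative Mode: static access
Operational Mode: static access
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/1
Administrative Mode: dynamic desirable
Operational Mode: trunk
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/2
Administrative Mode: trunk
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (Unused-Native)
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_switchport(text: str) -> dict[str, dict[str, str]]:
    """One dict of 'Field: value' pairs per interface, keyed by the Name: line."""
    ports: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit(ports: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Flag ports a neighbour could turn into a trunk, or that still talk DTP."""
    findings: dict[str, list[str]] = {}
    for name, f in ports.items():
        issues = []
        admin = f.get("Administrative Mode", "")
        oper = f.get("Operational Mode", "")
        dtp_on = f.get("Negotiation of Trunking", "").lower() == "on"
        if admin.startswith("dynamic"):
            # auto or desirable: whoever is on the cable can negotiate a trunk
            # and then tag frames into any VLAN (switch spoofing).
            issues.append("dtp-negotiable")
        elif dtp_on:
            # static trunk without 'switchport nonegotiate' still sends DTP.
            issues.append("dtp-frames-sent")
        native = int(f.get("Trunking Native Mode VLAN", "1").split()[0])
        if oper == "trunk" and native == 1:
            # untagged native VLAN equal to the default access VLAN lets an
            # access port in VLAN 1 double-tag frames across this trunk.
            issues.append("native-vlan-default")
        if issues:
            findings[name] = issues
    return findings


def remediation(name: str, f: dict[str, str], issues: list[str]) -> list[str]:
    """IOS commands that pin the port to its current role and silence DTP."""
    cmds = [f"interface {name}"]
    if "dtp-negotiable" in issues or "dtp-frames-sent" in issues:
        if f.get("Operational Mode") == "trunk":
            # 3560-class switches need the encapsulation fixed before 'mode
            # trunk'; omit that line on dot1q-only models such as the 2960.
            cmds += ["switchport trunk encapsulation dot1q", "switchport mode trunk"]
        else:
            cmds += ["switchport mode access"]
        cmds += ["switchport nonegotiate"]
    if "native-vlan-default" in issues:
        cmds += [f"switchport trunk native vlan {UNUSED_NATIVE_VLAN}"]
    return cmds


if __name__ == "__main__":
    ports = parse_switchport(SAMPLE_OUTPUT)
    for name, issues in audit(ports).items():
        print(name, issues)
        print("  " + "\n  ".join(remediation(name, ports[name], issues)))
```

Fa0/2 and Gi0/2 come back clean: an access port with negotiation Off and a static trunk with nonegotiate and a dedicated native VLAN are the two end states the remediation drives every port towards.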


Private VLAN


  1. Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  2. Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports, and traffic from an isolated port is forwarded only to promiscuous ports.
  3. Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Example

! If not running VTPv3, a switch must be put into VTP Transparent mode before
! configuring Private VLANs
AccessSw(config)# vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
! One isolated secondary VLAN and three community secondary VLANs will now be
! created. Afterwards, they will be associated with the primary VLAN 100.
AccessSw(config)# vlan 199
AccessSw(config-vlan)# name Isolated
AccessSw(config-vlan)# private-vlan isolated
AccessSw(config-vlan)# vlan 101
AccessSw(config-vlan)# name Community1
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 102
AccessSw(config-vlan)# name Community2
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 103
AccessSw(config-vlan)# name Community3
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 100
AccessSw(config-vlan)# name Primary1
AccessSw(config-vlan)# private-vlan primary
AccessSw(config-vlan)# private-vlan association 101-103,199
AccessSw(config-vlan)# exit
AccessSw(config)# do show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 community
100 102 community
100 103 community
100 199 isolated
! Now, ports will be assigned to these VLANs:
! Fa0/1 - 3: Secondary community VLAN 101
! Fa0/4 - 5: Secondary community VLAN 102
! Fa0/6 - 8: Secondary community VLAN 103
! Fa0/9 - 12: Secondary isolated VLAN 199
! Fa0/13: Promiscuous port in primary VLAN 100
! For brevity purposes, only the configuration of Fa0/1 - 3 will be shown, as all
! other ports in secondary VLANs, isolated or community, are configured similarly
! Afterwards, show vlan private-vlan is issued to verify the port assignment.
! As Fa0/13 is a promiscuous port, it will be shown in all associated secondary
! VLANs
AccessSw(config)# interface range fa0/1 - 3
AccessSw(config-if-range)# switchport mode private-vlan host
AccessSw(config-if-range)# switchport private-vlan host-association 100 101
AccessSw(config-if-range)# interface fa0/13
AccessSw(config-if)# switchport mode private-vlan promiscuous
AccessSw(config-if)# switchport private-vlan mapping 100 101-103,199
AccessSw(config-if)# do show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 community Fa0/1, Fa0/2, Fa0/3, Fa0/13
100 102 community Fa0/4, Fa0/5, Fa0/13
100 103 community Fa0/6, Fa0/7, Fa0/8, Fa0/13
100 199 isolated Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13
! If an SVI is used as a gateway for devices associated with the primary VLAN 100,
! it must also be configured as promiscuous. Like any promiscuous port, the SVI
! can reach every host, so an isolated host can send a packet to the gateway MAC
! addressed to another isolated host's IP and have it routed straight back in
! (the PVLAN proxy attack). Keep the isolation at Layer 3 with an ACL on the SVI
! that denies traffic both sourced from and destined to 192.168.100.0/24.
AccessSw(config-if)# interface Vlan100
AccessSw(config-if)# private-vlan mapping 101-103,199
AccessSw(config-if)# ip address 192.168.100.254 255.255.255.0
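The port-role rules listed at the start of this section and the AccessSw assignments above, as an added Python model (not from the original page and not IOS code) that answers "may port X talk to port Y at Layer 2?". It re-creates primary 100 with communities 101-103, isolated 199, and Fa0/13 and the Vlan100 SVI as promiscuous ports; the class and method names are this example's own. One modelling assumption is labelled in the code: a promiscuous port and a host port are treated as able to talk only when the promiscuous port is mapped to that host's secondary VLAN, in either direction.

```python
"""Private VLAN reachability as a checkable model.

Added example; not code from the original page. It re-creates the AccessSw
assignments (primary 100, communities 101-103, isolated 199, Fa0/13 and the
Vlan100 SVI promiscuous). Class and method names are this example's, not IOS.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Port:
    name: str
    role: str                              # "promiscuous", "isolated" or "community"
    secondary: int | None = None           # host ports: the secondary VLAN they sit in
    mapping: frozenset[int] = frozenset()  # promiscuous ports: mapped secondary VLANs


@dataclass
class PrivateVlan:
    primary: int
    isolated: int
    communities: frozenset[int]
    ports: dict[str, Port] = field(default_factory=dict)

    def add(self, port: Port) -> None:
        """Reject assignments IOS would also refuse: a host port in a VLAN that
        is not associated with the primary, or a mapping to an unassociated VLAN."""
        secondaries = set(self.communities) | {self.isolated}
        allowed = {"isolated": {self.isolated}, "community": set(self.communities)}
        if port.role == "promiscuous":
            stray = set(port.mapping) - secondaries
            if stray:
                raise ValueError(f"{port.name}: mapping to unassociated VLAN(s) {sorted(stray)}")
        elif port.secondary not in allowed[port.role]:
            raise ValueError(f"{port.name}: VLAN {port.secondary} is not a {port.role} "
                             f"VLAN of primary {self.primary}")
        self.ports[port.name] = port

    def can_forward(self, src_name: str, dst_name: str) -> bool:
        src, dst = self.ports[src_name], self.ports[dst_name]
        if src is dst:
            return False
        if src.role == "promiscuous":
            # Promiscuous ports sit in the primary VLAN: they reach each other
            # and every host port in a secondary VLAN they are mapped to.
            return dst.role == "promiscuous" or dst.secondary in src.mapping
        if dst.role == "promiscuous":
            # Assumption of this model: host <-> promiscuous needs the mapping
            # in both directions.
            return src.secondary in dst.mapping
        # Host -> host: only members of the same community VLAN. Isolated ports
        # never reach another host port, not even one in VLAN 199.
        return src.role == "community" and dst.secondary == src.secondary

    def reachable(self, src_name: str) -> list[str]:
        return sorted(p for p in self.ports if self.can_forward(src_name, p))


def access_sw() -> PrivateVlan:
    """The port assignments from the configuration example above."""
    pv = PrivateVlan(primary=100, isolated=199, communities=frozenset({101, 102, 103}))
    for i in (1, 2, 3):
        pv.add(Port(f"Fa0/{i}", "community", 101))
    for i in (4, 5):
        pv.add(Port(f"Fa0/{i}", "community", 102))
    for i in (6, 7, 8):
        pv.add(Port(f"Fa0/{i}", "community", 103))
    for i in (9, 10, 11, 12):
        pv.add(Port(f"Fa0/{i}", "isolated", 199))
    pv.add(Port("Fa0/13", "promiscuous", mapping=frozenset({101, 102, 103, 199})))
    pv.add(Port("Vlan100", "promiscuous", mapping=frozenset({101, 102, 103, 199})))
    return pv


if __name__ == "__main__":
    pv = access_sw()
    for src in ("Fa0/1", "Fa0/9", "Fa0/13"):
        print(src, "->", pv.reachable(src))
```

The model only describes Layer 2. Everything Fa0/9 can reach goes through the two promiscuous ports, which is exactly why the gateway ACL noted in the configuration comments above matters: the SVI would otherwise route between isolated hosts that the switch keeps apart.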