Port Channel Load Balance Switch Settings

Posted by fanie on Sunday, January 6, 2013

Port channel load balance methods can be divided into several types:

  1. dst-ip (layer 3)
    • many sources -> same destination IP (all go through the same port)
  2. dst-mac (layer 2)
    • many sources -> same destination MAC (all go through the same port)
  3. dst-port (layer 4)
    • many sources -> same destination port (all go through the same port)
  4. src-dst-ip
    • A src - C dst (port 1), B src - C dst (port 2), D src - F dst (port 3)
  5. src-dst-mac
    • A src - C dst (port 1), B src - C dst (port 2), D src - F dst (port 3)
  6. src-dst-port
    • A src - C tcp 25 (port 1), B src - C tcp 80 (port 2), D src - F ftp (port 3)
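To see why "many sources to the same destination" end up on one member link while the src-dst methods spread them, here is a small model of the member-link selection. This is an added example, not code from the original post or from Cisco: the hash is modelled as the XOR of the selected fields reduced modulo the link count (an assumption; Catalyst ASICs use their own platform hash, but the property shown, which flows share a link, is the same), and the hosts A, B, C, D, F with their addresses are constructed to match the list above.

```python
"""Which member link a flow lands on under each port-channel load-balance method.

Added example; the hash below is a simplification (XOR of the selected
fields, reduced modulo the number of member links), not the real ASIC hash.
"""
import ipaddress
from collections import defaultdict


def _ip_bits(ip):
    return int(ipaddress.ip_address(ip))


def _mac_bits(mac):
    # accept both aaaa.bbbb.cccc and aa:bb:cc:dd:ee:ff notation
    return int(mac.replace(".", "").replace(":", ""), 16)


def select_link(flow, method, links=2):
    """Return the member-link index (0 .. links-1) chosen for `flow`.

    With a power-of-two link count, `% links` keeps the low-order bits of the
    hash, which is how per-flow pinning is usually described.
    """
    if method == "dst-ip":
        h = _ip_bits(flow["dst_ip"])
    elif method == "dst-mac":
        h = _mac_bits(flow["dst_mac"])
    elif method == "dst-port":
        h = flow["dst_port"]
    elif method == "src-dst-ip":
        h = _ip_bits(flow["src_ip"]) ^ _ip_bits(flow["dst_ip"])
    elif method == "src-dst-mac":
        h = _mac_bits(flow["src_mac"]) ^ _mac_bits(flow["dst_mac"])
    elif method == "src-dst-port":
        h = flow["src_port"] ^ flow["dst_port"]
    else:
        raise ValueError("unknown load-balance method: %s" % method)
    return h % links


def distribute(flows, method, links=2):
    """Map link index -> names of the flows pinned to that link."""
    table = defaultdict(list)
    for name, flow in flows.items():
        table[select_link(flow, method, links)].append(name)
    return dict(table)


# Constructed sample hosts: A and B talk to C, D talks to F (as in the list above).
HOSTS = {
    "A": ("10.0.0.1", "0000.0000.00a1"),
    "B": ("10.0.0.2", "0000.0000.00b2"),
    "C": ("10.0.0.3", "0000.0000.00c3"),
    "D": ("10.0.0.4", "0000.0000.00d4"),
    "F": ("10.0.0.6", "0000.0000.00f6"),
}


def _flow(src, dst, dst_port, src_port=40000):
    return {"src_ip": HOSTS[src][0], "src_mac": HOSTS[src][1],
            "dst_ip": HOSTS[dst][0], "dst_mac": HOSTS[dst][1],
            "src_port": src_port, "dst_port": dst_port}


FLOWS = {
    "A": _flow("A", "C", 25),   # A -> C smtp
    "B": _flow("B", "C", 80),   # B -> C http
    "D": _flow("D", "F", 21),   # D -> F ftp
}

if __name__ == "__main__":
    for method in ("dst-ip", "dst-mac", "src-dst-ip", "src-dst-mac", "src-dst-port"):
        print(method, distribute(FLOWS, method))
```

With two member links, dst-ip and dst-mac put both A->C and B->C on the same link (only the destination is hashed), while the src-dst methods separate them. The practical point for capacity planning is that a load-balance method is only as good as the variety in the fields it hashes: a server farm behind one destination IP needs a src-dst method or the channel degrades to a single link.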


Switchport nonegotiate Switch Settings

Posted by fanie

Switchport nonegotiate characteristics:
  • Disables DTP (Dynamic Trunking Protocol) on the port
  • Prevents automatic trunk creation (the Cisco default port mode is dynamic desirable)
  • Stops the DTP messages that are otherwise sent every 30 seconds
  • Configure switchport mode trunk first, then switchport nonegotiate
Desirable mode forms a trunk automatically as long as the VTP domain is the same on both sides.


Vlan dot1q Tag untag Native Switch Settings

Posted by fanie

Brief tutorial on VLAN behaviour in different conditions:

access (vlan 10) - access (vlan 10)
The packet is forwarded within the same VLAN, untagged.

access (vlan 10) - trunk (tag vlan 10)
The packet is forwarded across the trunk tagged with VLAN 10.

access (vlan 10) - trunk native (vlan 10)
The packet is forwarded untagged across the trunk, because VLAN 10 is the native VLAN on that trunk and native VLAN frames are sent untagged.

vlan dot1q tag native
This command makes the switch send native VLAN frames tagged on its trunks.

(access vlan 10) SW1 (access vlan 10) ~ (access vlan 10) SW2 (trunk tag vlan 10) ~ (trunk tag vlan 10) SW3 (access vlan 10) ~ (access vlan 10) SW4 (access vlan 10)

The packet gets through in VLAN 10, carrying the VLAN ID 10 tag on the trunk between SW2 and SW3.

(access vlan 10) SW1 (access vlan 10) ~ (access vlan 10) SW2 (trunk native vlan 10) ~ (trunk native vlan 10) SW3 (access vlan 10) ~ (access vlan 10) SW4 (access vlan 10)

The packet gets through in VLAN 10, untagged on the trunk.

(access vlan 10) SW1 (access vlan 10) ~ (access vlan 10) SW2 (trunk native vlan 10) ~ (trunk native vlan 10) SW3 (access vlan 10) ~ (access vlan 10) SW4 (access vlan 10)

With the native VLAN tagged (vlan dot1q tag native, above), the frame carries the VLAN 10 tag across the trunk; the receiving switch strips the tag and delivers the frame to its VLAN 10 access port.
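The three topologies above can be replayed with a small model of 802.1Q egress and ingress. This is an added example, not code from the original post; it assumes a simplified trunk (described only by its native VLAN and whether native tagging is on) and assumes that a trunk with native tagging enabled drops untagged frames it receives. The last two checks go beyond the post: they show what a native VLAN mismatch between the two ends of a trunk does to an untagged frame, and why tagging the native VLAN on both sides keeps the frame in its VLAN.

```python
"""802.1Q tagging on access and trunk ports, including 'vlan dot1q tag native'.

Added example; the port model is a simplification (assumption), not a
description of any particular Catalyst platform.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Port:
    mode: str                 # "access" or "trunk"
    vlan: int = 1             # access VLAN, or the native VLAN for a trunk
    tag_native: bool = False  # 'vlan dot1q tag native' in effect (trunk only)


@dataclass
class Frame:
    vlan: int                 # VLAN the sending switch places the frame in
    tag: Optional[int]        # 802.1Q VID on the wire; None means untagged


def egress(port: Port, vlan: int) -> Frame:
    """Frame as it leaves `port` for traffic belonging to `vlan`."""
    if port.mode == "access":
        if vlan != port.vlan:
            raise ValueError("access port only carries VLAN %d" % port.vlan)
        return Frame(vlan, None)          # access ports always send untagged
    if vlan == port.vlan and not port.tag_native:
        return Frame(vlan, None)          # native VLAN leaves the trunk untagged
    return Frame(vlan, vlan)              # every other VLAN is tagged


def ingress(port: Port, frame: Frame) -> int:
    """VLAN the receiving switch assigns to `frame` arriving on `port`."""
    if port.mode == "access":
        if frame.tag is not None:
            raise ValueError("tagged frame on an access port")
        return port.vlan
    if frame.tag is None:
        if port.tag_native:               # assumption: untagged is dropped here
            raise ValueError("untagged frame on a trunk that tags its native VLAN")
        return port.vlan                  # untagged on a trunk = native VLAN
    return frame.tag


def walk(links: List[Tuple[Port, Port]], vlan: int) -> Tuple[List[Optional[int]], int]:
    """Carry a frame across a chain of (egress port, ingress port) links.

    Returns the tag seen on each wire and the VLAN the last switch ends up
    using, which exposes a native-VLAN mismatch moving the frame elsewhere.
    """
    tags = []
    for out_port, in_port in links:
        frame = egress(out_port, vlan)
        tags.append(frame.tag)
        vlan = ingress(in_port, frame)
    return tags, vlan


# Constructed ports for the SW1 ~ SW2 ~ SW3 ~ SW4 chain above.
ACCESS10 = Port("access", 10)
TRUNK = Port("trunk", vlan=1)                          # VLAN 10 is tagged
TRUNK_NATIVE10 = Port("trunk", vlan=10)                # VLAN 10 is native
TRUNK_NATIVE10_TAGGED = Port("trunk", vlan=10, tag_native=True)


def scenario(trunk: Port):
    """SW1 -access- SW2 -trunk- SW3 -access- SW4 with the given trunk port."""
    return walk([(ACCESS10, ACCESS10), (trunk, trunk), (ACCESS10, ACCESS10)], 10)


if __name__ == "__main__":
    for name, trunk in (("tag vlan 10", TRUNK), ("native vlan 10", TRUNK_NATIVE10),
                        ("native vlan 10 + tag native", TRUNK_NATIVE10_TAGGED)):
        print(name, scenario(trunk))
```

The mismatch case is the reason to tag the native VLAN: an untagged frame on a trunk is interpreted as whatever native VLAN the receiving side is configured with, so a frame that left SW2 in VLAN 10 arrives at a neighbour with native VLAN 20 as a VLAN 20 frame. With vlan dot1q tag native on both ends the frame carries its VID and lands in VLAN 10 regardless of the native VLAN setting.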


Spanning-tree Interoperability Switch Settings

Posted by fanie on Saturday, January 5, 2013

Spanning tree is used to avoid loops in a Layer 2 switched network.

Common spanning tree characteristics:
  • Long convergence time (50 seconds before a port forwards)
  • Blocking (20 seconds -> max-age)
  • Listening (15 seconds -> forward delay)
  • Learning (15 seconds -> forward delay) -> building the MAC table
  • Forwarding -> up/up
  • Disabled
Spanning tree timers:
  • Blocking -> Listening 20 seconds
  • Listening -> Learning 15 seconds
  • Learning -> Forwarding 15 seconds

To reach the forwarding state faster on ports connected to a workstation or PC, use spanning-tree portfast.

Spanning tree portfast characteristics:
  • Connect only workstations, never a switch, or a loop can form
  • Reduces the time to forwarding to zero
  • No TCN (topology change notification)

If you connect a switch to a PortFast port, a loop becomes possible. STP will eventually block it, but until it does the network is overwhelmed by a broadcast storm.

Common spanning-tree result :

SW1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.f5d5.4256
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0019.f5d5.4256
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa0/1               Desg FWD 19        128.3    P2p 


Global Config (per port access)

interface fa0/0
 shutdown

interface fa0/0
 spanning-tree portfast

interface fa0/0
 no shutdown
 
SW1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.f5d5.4256
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0019.f5d5.4256
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa0/1               Desg FWD 19        128.3    P2p Edge 
 

The Type column now shows Edge. An edge port goes straight to forwarding without passing through the listening and learning states.


Configuring Spanning Tree for all access ports (GLOBAL)

Global Config
spanning-tree portfast default

SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          1          1

Spanning-tree Portfast & Spanning-tree Portfast Trunk Difference

Access port
spanning-tree portfast and spanning-tree portfast trunk both make the port PortFast-enabled (an edge port): it goes to the forwarding state as soon as it comes up.

Trunk port
spanning-tree portfast has no effect on a trunk port. To bring a trunk straight to the forwarding state, use spanning-tree portfast trunk. Do not use this command on a port connected to another switch, because a loop through that port would not be detected. It is only suitable for ports connected to Layer 3 devices, for example routers with VLAN sub-interfaces (dot1q encapsulation).


Rapid Spanning-tree (802.1w)

Forward delay is not used; ports are brought to forwarding through the synchronisation (proposal/agreement) process instead.
Faster: the max age timer is 6 seconds (three missed BPDUs in a row).

RSTP bridge port roles:
  1. Root port – the port with the lowest cost to the root bridge (forwarding)
  2. Designated port – a forwarding port towards a segment
  3. Alternate port – the best alternate path to the root bridge
  4. Backup port – two or more ports of the same switch connected to a hub; the backup port takes over if the designated port fails
  5. Disabled port

Spanning-tree States :

  1. Discarding
  2. Learning
  3. Forwarding

Spanning-tree Compatibility
RSTP - STP: on the port facing an STP switch, RSTP falls back to STP behaviour.
Rapid PVST+ - RSTP: compatible through the VLAN 1 instance with a switch in RSTP mode; the other VLAN instances are tunnelled through the RSTP switch without interacting with it.
MSTP - RSTP, Rapid PVST+, PVST+: compatible through MST instance 0, the common spanning tree (CST).

RSTP, Rapid PVST+ and PVST+ see an MST region as a single switch.

MSTP - pre-standard MSTP (MISTP): spanning-tree mst pre-standard must be set on the MST switch.


Table 17-2 PVST+, MSTP, and Rapid-PVST+ Interoperability

              PVST+                    MSTP                     Rapid PVST+
------------  -----------------------  -----------------------  -----------------------
PVST+         Yes                      Yes (with restrictions)  Yes (reverts to PVST+)
MSTP          Yes (with restrictions)  Yes                      Yes (reverts to PVST+)
Rapid PVST+   Yes (reverts to PVST+)   Yes (reverts to PVST+)   Yes

Inside an MST region, MSTP instance 0 is the IST (internal spanning tree).

Outside the region, MSTP instance 0 is what joins the CST (common spanning tree).

At an MST to PVST+ boundary, the IST BPDU is replicated into each VLAN, simulating a PVST+ neighbour.



IP ARP Inspection Switch Settings

Posted by fanie

IP ARP inspection validates the IP-to-MAC binding of ARP packets passing through a switch. It prevents man-in-the-middle attacks in which a broadcast ARP request is answered by an unknown device with a forged MAC address. The switch validates against the DHCP snooping binding database. A trusted port forwards ARP packets without checking them; an untrusted port checks every ARP packet before forwarding it.

Characteristics of IP ARP inspection:
  • Validates the IP-to-MAC binding before the local ARP cache is updated
  • Intercepts ARP packets on untrusted ports; trusted ports are exempt
  • Drops invalid ARP packets
  • Configured per VLAN

Example :

SW1(config)#ip arp inspection vlan 11
SW1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   11     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   11     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   11              0              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   11              0              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   11                   0                        0                       0


IP DHCP Snooping Switch Settings

Posted by fanie

The ip dhcp snooping command is used to check DHCP messages from untrusted ports against the trusted port that leads to the DHCP server. It works per VLAN, using the command:

ip dhcp snooping vlan 17

With that command in place, every DHCP message on the VLAN is validated against the DHCP snooping database.

verification:

show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
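DHCP snooping and the IP ARP inspection section above are two halves of one mechanism: snooping builds the binding table, ARP inspection checks against it. The following is an added example modelling both in Python, not the post's own or Cisco's code. It assumes one VLAN, ports that are either trusted or untrusted, bindings learned from DHCPACKs seen on trusted ports, and ARP packets on untrusted ports checked against those bindings; the port names, MAC addresses and IP addresses are constructed for the example, and the counter names follow the columns of show ip arp inspection.

```python
"""DHCP snooping building the binding table that IP ARP inspection checks.

Added example; a simplified model (assumption), not the switch's real logic.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Switch:
    vlan: int
    trusted: Set[str]                                    # trusted port names
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> ip
    counters: Dict[str, int] = field(default_factory=lambda: {
        "Forwarded": 0, "DHCP Drops": 0, "Server Drops": 0})

    # ---- ip dhcp snooping vlan <n> ----
    def dhcp_message(self, port: str, msg_type: str, client_mac: str,
                     client_ip: str = None) -> str:
        """Return 'forward' or 'drop' for a DHCP message seen on `port`."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted:
            # a DHCP server answering from an untrusted port is not allowed
            self.counters["Server Drops"] += 1
            return "drop"
        if msg_type == "DHCPACK":
            # a completed lease becomes an entry in the snooping binding table
            self.bindings[(self.vlan, client_mac)] = client_ip
        return "forward"

    # ---- ip arp inspection vlan <n> ----
    def arp_packet(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """Return 'forward' or 'drop' for an ARP packet seen on `port`."""
        if port in self.trusted:
            self.counters["Forwarded"] += 1          # trusted: no check at all
            return "forward"
        if self.bindings.get((self.vlan, sender_mac)) == sender_ip:
            self.counters["Forwarded"] += 1          # binding matches
            return "forward"
        self.counters["DHCP Drops"] += 1             # no matching binding
        return "drop"


def demo() -> Switch:
    """Replay a constructed sequence and return the resulting switch state."""
    sw = Switch(vlan=11, trusted={"Gi0/1"})           # Gi0/1 faces the DHCP server
    # normal lease: client on untrusted Fa0/2, server answers via trusted Gi0/1
    sw.dhcp_message("Fa0/2", "DHCPDISCOVER", "aaaa.aaaa.aaaa")
    sw.dhcp_message("Gi0/1", "DHCPOFFER", "aaaa.aaaa.aaaa", "10.0.11.10")
    sw.dhcp_message("Gi0/1", "DHCPACK", "aaaa.aaaa.aaaa", "10.0.11.10")
    # a device on untrusted Fa0/3 tries to hand out leases itself
    sw.dhcp_message("Fa0/3", "DHCPOFFER", "aaaa.aaaa.aaaa", "10.0.11.99")
    # ARP: the legitimate host, then a device on Fa0/3 claiming the gateway's IP
    sw.arp_packet("Fa0/2", "aaaa.aaaa.aaaa", "10.0.11.10")
    sw.arp_packet("Fa0/3", "bbbb.bbbb.bbbb", "10.0.11.1")
    sw.arp_packet("Gi0/1", "cccc.cccc.cccc", "10.0.11.1")   # trusted uplink
    return sw


if __name__ == "__main__":
    state = demo()
    print("bindings:", state.bindings)
    print("counters:", state.counters)
```

Two things the replay makes visible. The ARP from Fa0/3 is dropped not because its MAC is "bad" but because no binding exists for that MAC/IP pair, which is why ARP inspection on a VLAN without a populated snooping table drops legitimate hosts too (static bindings or an ARP ACL are the usual remedy). And the trusted uplink is never checked, so trust should be given only to the ports that actually lead to the DHCP server and to other switches in the inspection domain.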

Switch Root Guard Advantages

Posted by fanie

Root guard is a very useful switch setting. It is configured on the access ports of the switch.

Advantages and characteristics of root guard:
  • Prevents a switch behind the port from becoming the root switch (the port stays a designated port and never becomes a root port)
  • Puts the port into the root-inconsistent state when it receives a superior BPDU
  • The port recovers automatically once the offending switch is gone


Command :
int fa0/0
spanning-tree guard root