- Bundles up to 8 individual links into a channel group to form a single logical link
- All members must share the same settings: speed, duplex mode, switchport mode (access or trunk)
- STP treats the bundle as one single link, so if one member fails there is no STP reconvergence
- Traffic is distributed across the members of the port channel; if one member fails, traffic is redistributed over the remaining ones
- EtherChannel gives you more pipes for your data but does not increase your transfer speed
- Established by LACP (active, passive), PAgP (desirable, auto) or static (on, no negotiation)
- EtherChannel verification: "show etherchannel summary"
Task: configure SW1 and SW2 as a port channel numbered 12, SW1 in active mode, SW2 in passive mode
SW1:
interface FastEthernet0/23
channel-group 12 mode active
!
interface FastEthernet0/24
channel-group 12 mode active
SW2:
interface FastEthernet0/23
channel-group 12 mode passive
!
interface FastEthernet0/24
channel-group 12 mode passive
Trunking
- Trunking verification: "show interface trunk"
SW1:
interface Port-channel12
switchport trunk encapsulation dot1q
switchport mode trunk
!
SW2:
interface Port-channel12
switchport trunk encapsulation dot1q
switchport mode trunk
VTP
- VTP verification: "show vtp status"
SW1:
vtp domain CCIE
vtp mode server
!
vlan 21,22,121,122,124,221,222,239
SW2:
vtp mode client
Portfast
- Skips the listening and learning stages because these ports are assumed to be connected directly to end stations and not to another switch, so they will not create bridging loops in the network
- Also known as an edge port
- The switch will not generate TCNs (topology change notifications) throughout the spanning-tree domain when the interface goes down/up. Beware: TCNs cause every switch in an RSTP domain to flush its MAC address table and re-learn it again
- If it receives a BPDU it immediately loses its edge-port status and becomes a normal spanning-tree port
- It can be configured on access ports ("spanning-tree portfast") or trunk ports ("spanning-tree portfast trunk")
- PortFast can be enabled by default at the global configuration level
SW1:
spanning-tree portfast default
!
Spanning-Tree
- Enable Per-VLAN Rapid Spanning Tree on SW1, SW2
- Configure SW1 as the RPVST root bridge for all configured VLANs.
- Ensure that no topology change notifications are sent throughout the spanning-tree domain if SW1's FastEthernet0/1 interface goes down/up.
SW1:
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0
!
interface FastEthernet0/1
spanning-tree portfast trunk
SW2:
spanning-tree mode rapid-pvst
STP BPDU Guard
- It is used to enforce access-layer security at the edge of the STP domain (the access switch)
- When an interface with BPDU Guard enabled receives a BPDU (an STP packet), it is transitioned into the err-disable state.
- This ensures that unauthorized switches cannot be plugged into the network (man-in-the-middle attack)
- If configured, the errdisable recovery feature brings the interface out of the err-disable state automatically after a configured interval
- To verify whether BPDU Guard recovery is enabled, which interfaces are in err-disable state and the recovery interval: "show errdisable recovery"
- BPDU Guard can also be enabled by default at the global level, working together with PortFast
SW4:
default interface range FastEthernet0/23 - 24
!
interface range FastEthernet0/23 - 24
channel-group 34 mode active
!
interface Port-channel34
switchport mode access
switchport access vlan 10
spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 120
Enabled at global level by default with PortFast
SW4:
spanning-tree portfast bpduguard default
spanning-tree portfast default
RootGuard
- Like BPDU Guard, it blocks superior BPDUs (BPDUs advertising a better cost to the root bridge)
- The interface is only logically disabled (via the Root Inconsistent state). The switch automatically recovers the port from Root Inconsistent and starts negotiating the new port state and role as soon as superior BPDUs are no longer received inbound.
- It is not for access switches; it must be configured on all the ports of the ROOT BRIDGE, because all of them are designated ports
- It prevents a Designated port from becoming a Non-Designated port
- It can be enabled only at the port level
- Generally root guard is enabled for all VLANs
SW1:
interface range FastEthernet0/19 - 20
spanning-tree guard root
LoopGuard
- Loop Guard prevents a Non-Designated port from becoming Designated, so it is the opposite of Root Guard; for this reason Root Guard and Loop Guard cannot be actively enabled at the same time on the same ports
- Ports in the blocking state can transition to the forwarding state if they stop receiving BPDUs from the designated port (for example because of a unidirectional link problem). Loop Guard prevents this transition by putting the port into the Loop Inconsistent state
- The switch automatically recovers the port from the Loop Inconsistent state when it starts receiving BPDUs again and the STP port state is re-negotiated.
- Just like Root Guard, although it is enabled per port, Loop Guard acts on a per-VLAN level; for example, if a trunk port is in the blocking state and stops receiving BPDUs for VLAN 2 from the designated port on the segment, it transitions the port into Loop Inconsistent only for VLAN 2
- It can be enabled at the global configuration level or at the interface configuration level
SW1 - SW2:
spanning-tree loopguard default
SW3 - SW4:
interface range FastEthernet0/19 - 20
spanning-tree guard loop
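The BPDU Guard notes above say an edge port without BPDU Guard lets an unauthorized switch join the STP domain, that errdisable recovery is optional, and the Loop Guard notes say Root Guard and Loop Guard must not be active on the same port. The following is an added example, not part of the original notes, of a small Python audit that reads a running-config in "show running-config" layout and flags those three conditions. The sample configurations (WEAK_CONFIG, HARDENED_CONFIG) and all function names are constructed for this example; it assumes interface sub-commands are indented by one space and blocks are separated by "!".

```python
"""Audit a Cisco IOS running-config for STP protection consistency (added example)."""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    cmds: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any sub-command of this interface starts with prefix."""
        return any(c.startswith(prefix) for c in self.cmds)


@dataclass(frozen=True)
class Finding:
    interface: str  # "global" for device-wide findings
    issue: str


def parse_config(text: str):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "!":                      # '!' terminates the current block
            current = None
        elif line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces[current.name] = current
        elif line.startswith(" ") and current is not None:
            current.cmds.append(line.strip())
        else:                                # unindented line: global command
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text: str) -> list:
    """Return findings for edge ports without BPDU Guard, missing recovery, and guard conflicts."""
    glob, ifaces = parse_config(text)
    portfast_default = "spanning-tree portfast default" in glob
    bpduguard_default = "spanning-tree portfast bpduguard default" in glob
    recovery = "errdisable recovery cause bpduguard" in glob
    findings, bpduguard_in_use = [], False
    for name, itf in ifaces.items():
        trunk = itf.has("switchport mode trunk")
        pf_disabled = itf.has("spanning-tree portfast disable")
        # Edge port: explicit portfast, or the global default on a non-trunk port
        edge = not pf_disabled and (itf.has("spanning-tree portfast")
                                    or (portfast_default and not trunk))
        # Global 'portfast bpduguard default' only covers PortFast-enabled ports
        guarded = (itf.has("spanning-tree bpduguard enable")
                   or (bpduguard_default and edge))
        if itf.has("spanning-tree bpduguard disable"):
            guarded = False
        bpduguard_in_use = bpduguard_in_use or guarded
        if edge and not guarded:
            findings.append(Finding(name, "edge port without BPDU Guard"))
        if itf.has("spanning-tree guard root") and itf.has("spanning-tree guard loop"):
            findings.append(Finding(name, "root guard and loop guard on the same port"))
    if bpduguard_in_use and not recovery:
        findings.append(Finding("global", "BPDU Guard without errdisable recovery"))
    return findings


# Constructed sample config (not from the notes): PortFast by default, gaps in protection.
WEAK_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 switchport mode trunk
 spanning-tree guard root
 spanning-tree guard loop
!
"""

# Constructed sample config with the notes' recommendations applied.
HARDENED_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 120
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/19
 switchport mode trunk
 spanning-tree guard root
!
"""

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print(audit(cfg) or "no findings")
```

Running it reports three findings for WEAK_CONFIG (FastEthernet0/1 is an edge port via the global default but has no BPDU Guard, FastEthernet0/19 carries both guards, and recovery for bpduguard is not configured) and none for HARDENED_CONFIG.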