My journey to CCIE RS — Switching 1

Giuliano Barros
Published in TechRebels
Oct 7, 2019

In this article series I’ll share my notes, gathered over 3 years of study for my CCIE RS. It is a compilation of almost 400 pages of notebooks, with information and notes that I have found important while working with Routing and Switching for almost 15 years. Some of these technologies are no longer in use, but I’ll post them anyway.

I believe this information may help not only with certification tests, but also on a daily basis for people working with Cisco technologies.

This is the first part, focusing on “Switching”; at the end of part 2 I’ll post a list of “show” commands along with some filters that I find efficient.

Please feel free to comment below and to contact me on LinkedIn. If you liked this content, I encourage you to give the article a “clap” and share it. Don’t forget to follow me and TechRebels by clicking the “follow” icon above.

Core Topics

  • Trunk
  • VLANs
  • EtherChannels
  • 802.1q (dot 1q)

L2 Ports

  • Access — single VLAN
  • Trunk — multiple VLANs
  • Tunnel — L2 transparent VPN (QinQ)
  • Dynamic — DTP negotiation

Negotiation

DTP is enabled by default (ISL -> Dot1q -> Access).

DTP is a security flaw, because we need to know the role of each port (trunk or access) rather than let the neighbor negotiate it.

ALWAYS manually configure the interface as explicit access or trunk.

Trunking

ISL

  • Cisco proprietary
  • Uses encapsulation

802.1q

  • Open standard
  • Uses tags

DTP

  • Desirable — Initiates negotiation
  • Auto — Listens for negotiation passively
  • On — Sets the link as explicit trunk and tries to negotiate via DTP

OBS: TRUNK ON != TRUNK + DTP OFF (nonegotiate). Nonegotiate removes the negotiation overhead and the milliseconds it takes; it’s usually used for extremely sensitive applications that need very low convergence time.

Disabling DTP

  • nonegotiate
  • access
  • dot1q-tunnel

A convergence failure may occur when one side is configured as “dynamic auto” and the other end as “trunk + nonegotiate”. In this case one end becomes a trunk while the other stays in access mode and discards the encapsulated frames, and the sending switch won’t be aware of it.
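As an added example (not from the original article), this is the explicit port configuration the notes recommend: a server-facing access port, an uplink as an explicit trunk with DTP suppressed, and the show commands used to confirm that no negotiation takes place. Interface names and VLAN numbers are assumptions.

```cisco
! Access port: "switchport mode access" alone already stops DTP on this port;
! "switchport nonegotiate" is accepted in access mode and makes the intent explicit.
interface GigabitEthernet1/0/1
 description server-facing, explicit access
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Uplink: explicit trunk. Mode "trunk" alone still sends DTP frames;
! "nonegotiate" is what actually turns them off.
interface GigabitEthernet1/0/24
 description uplink to distribution, explicit trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Verification (privileged EXEC). Both ports must show
! "Negotiation of Trunking: Off". The mismatch described above
! (dynamic auto on one side, trunk + nonegotiate on the other) shows up as
! "Operational Mode: trunk" here and "Operational Mode: static access" on the peer.
! show interfaces GigabitEthernet1/0/24 switchport
! show dtp interface GigabitEthernet1/0/24
! show interfaces trunk
```

The `switchport trunk encapsulation dot1q` line is only needed on platforms that still support ISL; switches that only speak 802.1q reject it.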

VTP

Allows centralized management of VLAN attributes (management only).

It simplifies management, but it isn’t worth it because of the problems it may cause.

By default, VTP uses the NULL domain, and if a packet carrying a domain name is received on a trunk interface, the switch inherits that domain. This presents another security flaw, because an unauthorized switch may learn about all VLANs in the network.

Authentication is enabled by default even if no password is configured. What matters is the MD5 digest.

The revision number changes every time a VLAN is added or removed. Therefore, to force a sync, we can add or delete a VLAN or shut/no shut a link.

Modes:

  • server — creates or deletes VLANs
  • client — can’t create or delete VLANs
  • transparent — doesn’t change its database, but forwards updates out its other trunk links

VTP Pruning

Reduces unnecessary replication of broadcasts, unknown unicasts and unknown multicasts (unknowns are flooded the same way as broadcasts).

Peers ask their neighbors “which VLANs do you have configured?” and “which VLANs are on the path?”. The neighbors send lists answering both queries.

Prune eligible list — by default all standard VLANs (2–100) are in the eligible list. VLANs that are not in the eligible list can NOT be pruned. It’s the exact opposite of the “trunk allowed list”.

VTP is proprietary, therefore, in a multivendor environment, transparent mode is recommended.

OBS: If pruning is in use and a device that doesn’t support VTP is connected through a trunk, it won’t receive pruning requests. As a result, the switch will advertise on that uplink that it needs all VLANs, and all switches on the path forward this request. Therefore any equipment that doesn’t support VTP and is connected via trunk blows away everything that pruning optimizes. To correct this scenario, limit the VLANs in the trunk allowed list; VTP then assumes the rest can be pruned.

OBS: Any device in the same domain with a higher revision number, when added to the domain, will overwrite the database of every other switch (a simple attack).

Transparent mode (in theory):

  • Version 1 — Forwards VTP packets on the same domain
  • Version 2 — Forwards all versions and VTP domains (it doesn’t care)

OBS: In the real world, transparent mode on some Catalyst switches does not forward packets from different domains, and DTP will block the trunk.

It is NOT possible to use transparent mode in a pruning topology, because the transparent switch will forward pruning messages out every other uplink, and the neighbors will prune those VLANs, stopping communication on those trunks.

VTPv3

Corrects the revision-number overwrite security problem by using primary/secondary servers. To make changes, you must first promote the switch to primary (which avoids accidents). This separates the “server” function from the “temporary updater”.

“New advertisements” make administration easier:

  • extended vlans
  • private vlans
  • MST config
  • hidden password
  • VTPv3 can be enabled globally or by interface
  • The Secondary Server and Client functions are essentially the same in practice, because neither can change VLANs
  • VTPv3 can enable global pruning for the topology

#vtp primary [vlan|mst] — Run from privileged exec mode to promote the switch to primary for the vlan (normal) or mst feature, allowing different logical topologies. Ex: a switch can be the server for “VLAN” and a client for “MST”.

#show vtp status — Shows the features for “vlan” and “mst”. If the Primary ID is 0000.0000.0000, there is no primary server on the network.
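As an added example (not from the original article), here is the VTP hardening that follows from the two sections above: the risky factory default, the transparent-mode option for multivendor or edge switches, and the VTPv3 option with a single primary server and hidden password. Domain name, password and interface are assumptions.

```cisco
! --- Risky default (what a factory-fresh switch does) ---
! vtp mode server, NULL domain, no password: the first trunk neighbour that
! sends a domain name is adopted, and any higher revision number overwrites
! the VLAN database.
!
! --- Option A: multivendor or edge switch, does not take part in VTP updates ---
vtp domain CORP
vtp password S3cretVtp
vtp mode transparent
!
! --- Option B: VTPv3, changes only accepted from the promoted primary server ---
! The domain must be set before version 3 can be enabled.
vtp domain CORP
vtp version 3
vtp password S3cretVtp hidden
vtp mode server vlan
vtp pruning
!
! Per-interface: stop VTP completely on a trunk towards an untrusted device.
interface GigabitEthernet1/0/24
 no vtp
!
! Privileged EXEC, run once on the switch that is allowed to edit VLANs:
! Switch# vtp primary vlan
!
! Verification:
! show vtp status      (Primary ID 0000.0000.0000 means no primary server exists)
! show vtp password    (hidden password shows only as a digest)
! show vtp devices     (VTPv3: lists the domain members and the primary)
```

With option B, a switch added to the domain with a higher revision number cannot overwrite anything, because it is not the primary server; if it must become one, `vtp primary vlan` has to be run on it explicitly, which is the "temporary updater" step described above.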

Extended VLANs

  • 1006–4094
  • Require VTP transparent mode and therefore don’t allow pruning
  • Work with VTPv3, but many devices don’t support it
  • Therefore extended VLANs should be specified on each switch

L3 Routing

  • Switched Virtual Interface (SVI)
  • Native Routed Interface

An SVI shows “protocol down” when there is no STP instance for the VLAN.

When no “default gateway” is configured, the switch sends ARP requests for every destination. If some router on the VLAN is using proxy ARP it may confuse the behavior and tests, because it will answer with its own MAC. Pay attention to repeated MACs in the ARP table.

The choice between SVI and native L3 basically depends on the topology. Besides, native L3 interfaces converge faster because they don’t need to wait for STP convergence.

Router-on-a-stick

  • The “old version” of the SVI
  • Routers don’t support DTP or VTP
  • Routers encapsulate packets through sub-interfaces
  • The native VLAN must be specified on the interface (or sub-interface), or it must be tagged
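As an added example (not from the original article), this is a router-on-a-stick with one sub-interface per VLAN, the native VLAN declared explicitly, proxy ARP disabled to avoid the duplicate-MAC confusion described under L3 Routing, and the matching switch trunk port. Interface names, VLAN numbers and addresses are assumptions.

```cisco
! Router side: the physical interface has no address; each sub-interface
! removes/adds the 802.1q tag for one VLAN.
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.1
 description untagged frames (native VLAN 1) are delivered here
 encapsulation dot1Q 1 native
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 description VLAN 10 gateway
 encapsulation dot1Q 10
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/0.20
 description VLAN 20 gateway
 encapsulation dot1Q 20
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
!
! Switch side: explicit trunk with DTP off (the router never answers DTP anyway)
! and the same native VLAN on both ends.
interface GigabitEthernet1/0/2
 description to router-on-a-stick
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport nonegotiate
!
! Verification:
! Router# show vlans
! Switch# show interfaces GigabitEthernet1/0/2 trunk
```

If the native VLAN on the switch trunk and the `native` sub-interface on the router disagree, untagged frames are silently delivered to the wrong subnet; `show interfaces trunk` on the switch is the quickest place to check it.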

Etherchannel

  • Physical link bandwidth aggregation
  • Uses PPP Multilink logic
  • Can be any type of interface (L2, L3, Trunk, Tunnel)

OBS: EtherChannel is the Cisco proprietary name for “NIC teaming”. NIC teaming is access-port aggregation towards servers (L2).

Etherchannel modes:

  • on — no negotiation
  • PAgP — desirable or auto
  • LACP — active or passive

As usual, the advantage of not using negotiation is faster convergence. The disadvantage is that it can’t prevent configuration failures.

Load Balance

  • source and destination MAC
  • source and destination IP

If one member interface carries much more traffic than the others, the load-balancing method is obviously not adequate.

Channel member interfaces must have the same basic configuration.

Always configure the channel with the interfaces DOWN (shut down) to avoid negotiation errors that may cause L2 loops.

There is no way to tell which physical link a given flow takes through the channel, because all MACs and STP point to the channel. What we can verify is the link utilization.

OBS: When making changes on a channel, make them on the logical interface and on all member interfaces at the same time using the “range” command.

OBS: When a channel is created, it inherits the interface type of the member interfaces (L2, L3, Trunk or Tunnel). If you change the interface type (ex: L2 -> L3) without changing the channel, the members will be removed from the bundle (… and shit is done). So ALWAYS specify the interface type correctly before adding it to the channel.
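As an added example (not from the original article), this is the EtherChannel procedure the notes describe, in order: members shut first, identical L2 configuration applied via `interface range`, the logical interface kept in sync, the load-balancing hash chosen, and only then the members brought up. Interface and channel numbers are assumptions.

```cisco
! 1. Shut the members first, so nothing negotiates half-configured.
interface range GigabitEthernet1/0/1 - 2
 shutdown
!
! 2. Identical L2 configuration on every member BEFORE channel-group,
!    so the bundle inherits "trunk" correctly. LACP active = negotiation;
!    use "channel-group 1 mode on" only when both ends are statically bundled.
interface range GigabitEthernet1/0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
 channel-group 1 mode active
!
! 3. The logical interface must carry the same settings as the members;
!    change both together afterwards, never one without the other.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! 4. Hash on source+destination IP so many flows spread over the members.
port-channel load-balance src-dst-ip
!
! 5. Bring the members up together.
interface range GigabitEthernet1/0/1 - 2
 no shutdown
!
! Verification:
! show etherchannel summary        (members flagged P = bundled; Po1 flagged SU)
! show etherchannel load-balance
! show interfaces Port-channel1 etherchannel
! show interfaces GigabitEthernet1/0/1 counters   (compare member utilization)
```

A member that shows up with flag `s` (suspended) or `I` (individual) in `show etherchannel summary` is the symptom of a configuration mismatch between the members, which is exactly what the "configure with interfaces down" rule above is meant to prevent from turning into a loop.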

802.1q Tunneling

Created to offer a VPN-over-Ethernet service, usually used in Metro Ethernet environments. It’s a light version of an MPLS VPN.

The PE adds an additional 802.1q tag to all frames received from the CE, called the metro tag or QinQ. Therefore, to the SP each client sits inside a unique VLAN, and these VLANs can’t communicate with each other, because each one has its own MAC table.

Obviously the link to the CE must be manually configured, and every SP switch must know the VLAN.

The main problem with this solution is that it is not scalable, because the entire ISP network must be end-to-end L2 trunking.

  • OBS: MPLS is “over IP”, and thereby scalable.

The second main problem is that, because it is an L2 link, the ISP switches must learn the MAC addresses of all clients. Obviously that doesn’t scale well.

Only the CE link must be dot1q. Internally the ISP network can be dot1q or ISL, as long as it is an end-to-end L2 trunk.

The third main problem is that the extra L2 tag is 4 bytes. So if the ISP internal MTU is 1500 bytes, the client MTU must be 1496 bytes. As Ethernet doesn’t support fragmentation, if the client sends frames with the standard MTU (1500 bytes), they will be discarded.

  • OBS: Each “QinQ” tag level costs 4 bytes of overhead
  • OBS: Again, MPLS solves this scenario because it uses IP packets, which can be fragmented

Switches using “QinQ” will discard control-plane packets from CEs (CDP, VTP, STP, etc.) because they use special reserved MACs that are not allowed through.

L2 Protocol Tunneling

Usually used to solve the above issue with “QinQ”, by re-encoding the control-plane protocols under a specific MAC address.

Cisco proprietary protocol.

Usually there is no reason to use this without QinQ, but technically we can build an L2 protocol tunnel, making the switches along the path transparent.

QinQ doesn’t work well when a client’s VLAN is the same as the trunk’s native VLAN. The result is that the switch will not add the metro TAG and leaks the client frame (with the client’s VLAN TAGs) into the SP internal network. So the client’s internal VLANs leak into the access VLANs of other clients (with the same numbers). The solution is to enable tagging of the native VLAN on the ISP trunks.

L2 protocol tunneling also allows EtherChannel tunneling. It’s used mainly when more bandwidth is needed than the ISP can deliver on one interface. The channel must be strictly end-to-end, otherwise it will cause an L2 loop, so each end-to-end member link of the channel needs its own separate VLAN.
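As an added example (not from the original article), here is a PE configuration that ties the 802.1q Tunneling and L2 Protocol Tunneling sections together: the native VLAN tagged globally so customer frames cannot leak untagged into the SP core, the system MTU raised for the 4-byte metro tag, one dot1q-tunnel port per customer link with CDP/STP/VTP tunnelled instead of dropped, and a second customer link on its own metro VLAN so an end-to-end EtherChannel (PAgP/LACP tunnelled point-to-point) does not loop. Interface names, VLAN numbers and the MTU command (which is platform-dependent) are assumptions.

```cisco
! Global: tag the native VLAN on every trunk. Without this, a customer VLAN
! equal to the SP native VLAN leaves the PE without a metro tag.
vlan dot1q tag native
!
! Global: room for the extra 4-byte metro tag (platform-dependent syntax).
system mtu 1504
!
! Customer A, link 1: everything from the CE gets outer tag 100.
interface GigabitEthernet1/0/1
 description CE-A link 1, metro VLAN 100
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point lacp
 l2protocol-tunnel point-to-point udld
 l2protocol-tunnel shutdown-threshold cdp 100
 no cdp enable
 spanning-tree bpdufilter enable
!
! Customer A, link 2: second channel member, its OWN metro VLAN (101),
! otherwise both member links land in one SP VLAN and form an L2 loop.
interface GigabitEthernet1/0/2
 description CE-A link 2, metro VLAN 101
 switchport access vlan 101
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point lacp
 l2protocol-tunnel point-to-point udld
 l2protocol-tunnel shutdown-threshold cdp 100
 no cdp enable
 spanning-tree bpdufilter enable
!
! Uplink into the SP core: an ordinary dot1q trunk carrying the metro VLANs.
interface GigabitEthernet1/0/24
 description SP core trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
 switchport nonegotiate
!
! Verification:
! show dot1q-tunnel
! show l2protocol-tunnel
! show vlan dot1q tag native
! show interfaces GigabitEthernet1/0/1 switchport
```

The `shutdown-threshold` lines are a rate limit on tunnelled control frames: if a customer sends more CDP frames per second than the threshold the port is err-disabled, which keeps one customer's misbehaving control plane from loading the PE. The `bpdufilter` keeps the PE itself out of the customer's STP; the customer BPDUs are still carried through the tunnel.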

Continue on part 2…

We will explore all of Spanning Tree and a great list of Show commands + filters.

What do you think about this content?

Did it miss any important points?

Tell me in the comment section.

If you like this content, please give a “clap” to the article and share. Don’t forget to follow me and TechRebels by clicking “follow” down below :)

About the author:

Giuliano Barros is Network Consultant & Founder of Control Plane — Network Services.

He graduated in Computer Science, is CCIE certified by Cisco Systems and has worked for 15 years on projects for medium and large companies.

linkedin.com/in/giulianobarros

DevOps Network Engineer | CCIE RS #49619 | Cisco Champion | Blogger