My journey to CCIE RS — Switching 2

Giuliano Barros
Published in TechRebels, Oct 15, 2019
Image: Catalyst 6500 Series Switches (https://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html)

Hi folks. I am here once more to share my notes, gathered over 3 years of study for my CCIE RS. Like I said before, it is a compilation of almost 400 pages of notebooks, with notes I have found important while working with Routing and Switching for 15 years.

These notes may help not only with certification exams, but also in the daily work of people running Cisco technologies.

Did you miss Part 1?

In this “Switching — Part 2” we go through all of Spanning Tree and a long list of show commands and filters that I find efficient.

Please feel free to comment below and to contact me on LinkedIn. If you liked this content, I encourage you to “clap” the article and share it. Don’t forget to follow me and TechRebels by clicking the “follow” icon above.

Spanning-tree

  1. Elect root bridge
  2. Elect root port on each SW
  3. Elect designated port on each SW

Root bridge election is based on the lowest Bridge Identifier (BID):

  • Bridge priority 0–61440 (increments of 4096)
  • System ID extension 0–4095 (the VLAN number)
  • The effective priority is the sum of the configured priority and the sys-id-ext (32768 + 10 = 32778 for VLAN 10 at the default).
  • MAC address (the tie-breaker when the priorities are equal)
  • OBS: If everything runs at the default priority, the oldest switch tends to become root because it has the lowest MAC. Nothing in the protocol itself stops a host from sending a BPDU with a lower BID and taking the root role, which is why the guard features further down matter on access ports.

Root port election (one per non-root switch):

  1. Lowest root path cost (sum of the port costs on the path to the root)
  2. Lowest sender (upstream) BID
  3. Lowest sender port ID (port priority, then port number); the local port ID is only used if all of the above tie, for example through a hub

Designated port election (one per segment):

  1. Lowest root path cost of the switch on that segment
  2. Lowest BID
  3. Lowest port ID

All remaining ports go to blocking (BLK):

  • Still receive and process BPDUs
  • Discard data frames
  • Do not send anything (neither data nor BPDUs)

OBS: Except for the root bridge election, almost every other election can be steered through port cost (and port priority).

OBS: It is through the sys-id-ext that a switch identifies which VLAN a PVST+ BPDU belongs to.
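To make the three elections concrete, here is an added example (my own code, not from the article) that runs the PVST+ root-bridge, root-port and designated-port election over a constructed three-switch topology. The switch names, MAC addresses, port numbers and link costs are made up; the comparison rules are the ones listed above, including a detail the lists gloss over: on the root-port decision the tie-breaking port ID is the sender's (upstream) port ID, not the local one, which is why SW2 picks its port 6 over port 5 once SW1 is root.

```python
"""Added example, not from the article: 802.1D / PVST+ election on a constructed topology.
Switch names, MAC addresses, port numbers and link costs are made up for illustration."""
import heapq
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True, order=True)
class BridgeID:
    """Compared field by field: effective priority first, then MAC; lower wins."""
    priority: int   # configured priority (multiple of 4096) + sys-id-ext (VLAN number)
    mac: str        # normalised lower-case "xxxx.xxxx.xxxx": string order == numeric order


def bridge_id(configured_priority: int, vlan: int, mac: str) -> BridgeID:
    """PVST+ Bridge ID: 4-bit priority + 12-bit system ID extension + 48-bit MAC."""
    if configured_priority % 4096 or not 0 <= configured_priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    return BridgeID(configured_priority + vlan, mac.lower())


def port_id(port_number: int, port_priority: int = 128) -> tuple:
    """Port ID: port priority (default 128) then port number; lower wins."""
    return (port_priority, port_number)


def elect(bids: dict, links: list) -> dict:
    """bids: {switch: BridgeID}; links: [(sw_a, port_a, sw_b, port_b, cost), ...].
    Returns the root, the root port of every other switch, designated and blocking ports."""
    # 1. Root bridge: lowest Bridge ID in the VLAN.
    root = min(bids, key=bids.get)
    adj = {sw: [] for sw in bids}
    for a, ap, b, bp, cost in links:
        adj[a].append((b, ap, bp, cost))   # (neighbour, own port, neighbour port, link cost)
        adj[b].append((a, bp, ap, cost))
    # Root path cost = sum of the link costs on the path to the root (shortest path).
    rpc = {sw: INF for sw in bids}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue
        for v, _, _, cost in adj[u]:
            if d + cost < rpc[v]:
                rpc[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    # 2. Root port: lowest (cost via that link, sender BID, sender port ID, own port ID).
    root_port = {}
    for sw in bids:
        if sw == root:
            continue
        best = min(adj[sw], key=lambda e: (rpc[e[0]] + e[3], bids[e[0]], port_id(e[2]), port_id(e[1])))
        root_port[sw] = best[1]
    # 3. Designated port per segment: the end with the lowest (root path cost, BID, port ID).
    #    The other end is either that switch's root port or goes to blocking.
    designated, blocking = set(), set()
    for a, ap, b, bp, _ in links:
        key_a = (rpc[a], bids[a], port_id(ap))
        key_b = (rpc[b], bids[b], port_id(bp))
        winner, loser = ((a, ap), (b, bp)) if key_a < key_b else ((b, bp), (a, ap))
        designated.add(winner)
        if root_port.get(loser[0]) != loser[1]:
            blocking.add(loser)
    return {"root": root, "root_port": root_port, "designated": designated, "blocking": blocking}


VLAN = 10
SWITCHES = {  # constructed: (configured priority, MAC)
    "SW1": (32768, "5c5e.ab00.0001"),   # newest switch, highest MAC
    "SW2": (32768, "0000.0c12.3456"),   # oldest switch, lowest MAC
    "SW3": (32768, "0011.2233.4455"),
}
LINKS = [  # constructed: (switch, port, switch, port, cost); 4 = 1 Gbit/s, 19 = 100 Mbit/s
    ("SW1", 1, "SW2", 6, 4),
    ("SW1", 2, "SW2", 5, 4),   # second, parallel link between SW1 and SW2
    ("SW1", 3, "SW3", 1, 4),
    ("SW2", 1, "SW3", 2, 19),
]


def elect_with_defaults() -> dict:
    """Everyone at priority 32768: the oldest MAC (SW2) becomes root."""
    bids = {sw: bridge_id(pri, VLAN, mac) for sw, (pri, mac) in SWITCHES.items()}
    return elect(bids, LINKS)


def elect_with_sw1_as_root() -> dict:
    """'spanning-tree vlan 10 priority 4096' on SW1: BID 4106 beats every 32778."""
    bids = {sw: bridge_id(4096 if sw == "SW1" else pri, VLAN, mac)
            for sw, (pri, mac) in SWITCHES.items()}
    return elect(bids, LINKS)


if __name__ == "__main__":
    print("defaults:", elect_with_defaults())
    print("SW1 priority 4096:", elect_with_sw1_as_root())
```

Run it as a script to print both elections. Lowering SW1 to priority 4096 moves the root from the oldest-MAC switch (SW2) to SW1 and redraws every root port and blocked port, which is what the priority command does on the real box; notice that SW2 ends up blocking its port 5 even though 5 is lower than 6, because the upstream port ID (SW1's port 1 versus port 2) is what breaks the tie.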

STP Timers

Hello

  • BPDU send frequency
  • 2 sec. by default

MaxAge

  • How long a port keeps the last received BPDU before considering it stale and reconverging
  • 20 sec. default

Forward Delay

  • Used on listening and learning states
  • 15 sec. default

Timers are set on the Root Bridge and carried in its BPDUs; timers configured on the other switches are ignored while they are not root.

  • In PVST (802.1D) only the root originates configuration BPDUs; the other switches relay them.

Default convergence time 50 sec (20 s MaxAge + 15 s listening + 15 s learning)

Advanced STP Features

Portfast

  • Edge ports go straight to forwarding, skipping the listening and learning states (2 × Forward Delay)
  • Don’t generate TCNs when changing state
  • Portfast does not disable STP on the interface: BPDUs are still sent and processed

A TCN tells the switches to age out their CAM tables quickly, lowering the MAC aging time (default 300 s) to the Forward Delay (default 15 s).

  • OBS: Running user-facing ports without portfast (or “edge port”, in RSTP terms) on a large L2 network is very inefficient: every link flap on a user port generates a TCN and a CAM flush across the whole domain.

It is possible to enable portfast on trunks (spanning-tree portfast trunk on the interface), but the global command (spanning-tree portfast default) only applies to non-trunk ports.

A typical case where an edge port needs to be a trunk is a server or hypervisor with multiple VLANs.

Uplink Fast

Direct failures of the root port reconverge immediately if an alternate port (ALT) is available.

The ALT port transitions to FWD immediately because it has already been computed as a loop-free path.

Enabling it raises the switch priority (to 49152) and the port costs (by 3000) so the switch never ends up in the path between other switches and the root bridge; it is meant for access switches only.

The switch also “spoofs” its own CAM table through the ALT link: it sends dummy multicast frames sourced from the MAC addresses it has learned, so the upstream switches update their CAM tables towards the new path.

The switch keeps an uplink group of possible paths to the root and, when the root port goes down, immediately moves the traffic to the next port in the group.

Backbone Fast

Allows indirect failure detection and immediate recalculation. When the switch receives inferior BPDUs (a neighbor claiming to be root after losing its own path to the root), it does not wait for MaxAge to expire and immediately recalculates the path.

It must be configured on all switches because it is essentially a negotiation (Root Link Query) among them.

It is not as fast as Uplink Fast because a path recalculation is still needed: it saves the 20 s MaxAge but still goes through listening and learning. Even with tuned timers, convergence takes around 8 s (which is a lot).

BPDU Filter

  • Filters inbound and outbound BPDUs
  • Usually implemented at the access layer; keeps information about the root bridge (MAC, priority, etc.) from reaching end hosts, where it could help an attacker
  • Works as a “passive interface” for STP

OBS: When configured on the interface (spanning-tree bpdufilter enable) it filters both directions and the port no longer reacts to BPDUs at all, so a loop through that port is never detected. When enabled globally (spanning-tree portfast bpdufilter default) together with global portfast, it only works as an “outbound filter”: portfast keeps watching for inbound BPDUs, and if one arrives, portfast and the filter are switched off and the port falls back to normal STP. That combination is a security flaw: a host that sends a crafted BPDU turns its port into a regular STP port and can negotiate itself into the topology, creating a “man in the middle opportunity”.

BPDU Guard

Puts the interface into err-disable if a BPDU is received on it.

BPDU Guard together with global portfast (spanning-tree portfast default + spanning-tree portfast bpduguard default) is the safer combination: every non-trunk interface gets portfast and is err-disabled if a BPDU is received, instead of joining the STP topology. Add errdisable recovery cause bpduguard if you want the port to come back on its own after the recovery interval.

Root Guard

Blocks the interface if a superior BPDU (one that would make the neighbor root) is received. More precisely, it puts the STP instance on that interface into the root-inconsistent state; it does not err-disable the port, and the port recovers on its own once the superior BPDUs stop.

Should be implemented on every L2 downstream interface towards the access layer, never on the uplinks towards the root.
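As an added example (my own code, not from the article), the following script reads a constructed IOS-style running-config and flags the combinations discussed in the three sections above: global portfast plus global BPDU filter, per-port BPDU filter, access ports not covered by BPDU guard, and downstream ports without root guard. The hostnames, interface names and both configs are invented; the downstream parameter is an assumption of the script, because which ports face the access layer cannot be read from the config itself.

```python
"""Added example, not from the article: audit an IOS-style running-config for the
edge-port protections discussed above. Both configs below are constructed."""
import re

# Constructed: the risky combination (global portfast + global bpdufilter, no bpduguard).
WEAK_CONFIG = """\
hostname ACCESS-SW1
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# Constructed: the safer combination (global portfast + global bpduguard, no filter).
HARDENED_CONFIG = """\
hostname ACCESS-SW1
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""


def parse_config(text: str):
    """Split a running-config into global lines and {interface: [lines]}.
    An interface block is the indented lines after 'interface X', up to the next '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):            # '!' or a new top-level command
            current = None
            m = re.match(r"interface\s+(\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            elif line != "!":
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(text: str, downstream=()) -> list:
    """Return (scope, finding) pairs. 'downstream' lists the L2 ports facing the access
    layer, where root guard belongs; that direction cannot be read from the config."""
    global_lines, interfaces = parse_config(text)
    g = set(global_lines)
    portfast_default = "spanning-tree portfast default" in g
    filter_default = "spanning-tree portfast bpdufilter default" in g
    guard_default = "spanning-tree portfast bpduguard default" in g
    findings = []
    if portfast_default and filter_default:
        # A received BPDU cancels portfast and the filter; the port then joins the STP topology.
        findings.append(("global", "bpdufilter-default-with-portfast"))
    for name, lines in interfaces.items():
        cfg = set(lines)
        is_trunk = "switchport mode trunk" in cfg
        if "spanning-tree bpdufilter enable" in cfg:
            # Per-port filter drops BPDUs both ways, so a loop behind it is never detected.
            findings.append((name, "bpdufilter-enable"))
        portfast_on = ("spanning-tree portfast" in cfg or (portfast_default and not is_trunk)) \
            and "spanning-tree portfast disable" not in cfg
        guarded = "spanning-tree bpduguard enable" in cfg or (
            guard_default and portfast_on and "spanning-tree bpduguard disable" not in cfg)
        if "switchport mode access" in cfg and not guarded:
            findings.append((name, "access-port-without-bpduguard"))
        if name in downstream and "spanning-tree guard root" not in cfg:
            findings.append((name, "downstream-port-without-root-guard"))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Feed it the output of show running-config: the weak config yields four findings (the global filter/portfast combination, the explicit filter on Gi1/0/2, and two access ports with no BPDU guard), while the hardened one is clean because the global bpduguard default covers every portfast port. On a distribution switch you would pass the access-facing ports as downstream so that missing root guard is reported there as well.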

Loop Guard and UDLD

Loop Guard is an STP feature while UDLD is a separate protocol, but both address the same problem: a unidirectional link. One side keeps sending BPDUs but the other end stops receiving them, MaxAge expires, the port that should stay blocking moves to designated/forwarding, and a loop forms.

Main differences:

  • Loop Guard uses BPDUs while UDLD uses its own keepalives.
  • Loop Guard protects against STP software failures (a neighbor that stops sending BPDUs), but UDLD doesn’t.
  • UDLD protects against cabling and transceiver errors; Loop Guard doesn’t.
  • Hence the recommendation to use both features together, especially on fiber links.

MST (802.1s)

MST works with instances: each instance groups a set of VLANs into one logical topology.

Switches with the same region name, revision number and VLAN-to-instance mapping form a Region.

Different regions see each other as “virtual bridges”, hiding the internal topology and failures of a region. So a failure inside one region does not affect the others (“black box” concept).

Uses the same election process as CST/PVST:

Root Bridge

  • 1- Lowest BID

Root Port

  • 1- Lowest cost to the root
  • 2- Lowest upstream BID
  • 3- Lowest port ID

A Region is defined by:

  • Name
  • Revision number
  • The VLAN-to-instance mapping (which VLANs are configured in which instance); the switch hashes this table into a configuration digest carried in the BPDU, so two switches only match if the whole mapping is identical

When a trunk link comes up under MST, it starts forwarding quickly without waiting MaxAge + listening + learning. This happens because MST runs RSTP (the same mechanism as Rapid-PVST) per instance, and RSTP uses a proposal/agreement handshake (much faster).

MST0 represents the Common Internal Spanning Tree (CIST). MST0 (CIST) is used for inter-region operation and for talking to PVST/802.1D switches.

MST is backwards compatible with CST (802.1D) and PVST+ by replicating all VLAN information into MST0. The main implication is that the CST root NEEDS to be inside the MST region. In that case each region is seen as a single switch, no matter how many switches it contains.

MST timers are the same as PVST’s, but are only used on links to switches that do not support RSTP/Rapid-PVST.

OBS: Any VLAN created but not explicitly mapped to an instance is automatically mapped to MST0.
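As an added example (my own code, not from the article), here is how the region identity is actually derived: the name and revision are carried as-is, and the VLAN-to-instance table is hashed with HMAC-MD5 under the fixed key from IEEE 802.1s into the configuration digest that show spanning-tree mst configuration digest prints. The three switch configurations are constructed; SW_C differs from SW_A only by one extra VLAN in instance 2, which is enough to put it in a different region. Unmapped VLANs land in instance 0, which is the MST0 behavior described in the OBS above.

```python
"""Added example, not from the article: derive the 802.1s MST region identity (name,
revision, configuration digest) from 'spanning-tree mst configuration' blocks.
The three switch configurations below are constructed for illustration."""
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_mst_config(text: str):
    """Parse 'name', 'revision' and 'instance N vlan a,b-c' lines into (name, revision, {vid: instance})."""
    name, revision, mapping = "", 0, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":
            name = parts[1]
        elif parts[0] == "revision":
            revision = int(parts[1])
        elif parts[0] == "instance" and len(parts) == 4 and parts[2] == "vlan":
            instance = int(parts[1])
            for chunk in parts[3].split(","):
                lo, _, hi = chunk.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    mapping[vid] = instance
    return name, revision, mapping


def config_digest(vlan_to_instance: dict) -> str:
    """HMAC-MD5 over the 4096-entry configuration table (VID 0..4095, 2-octet MSTID each).
    VLANs not in the mapping stay in instance 0, i.e. MST0/CIST, exactly as on the switch."""
    table = bytearray(4096 * 2)
    for vid, instance in vlan_to_instance.items():
        if not 1 <= vid <= 4094 or not 0 <= instance <= 4094:
            raise ValueError(f"bad mapping {vid} -> {instance}")
        table[2 * vid:2 * vid + 2] = instance.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_identity(mst_config_text: str) -> tuple:
    """What the BPDU carries to identify the region: (name, revision, digest)."""
    name, revision, mapping = parse_mst_config(mst_config_text)
    return (name, revision, config_digest(mapping))


def same_region(cfg_a: str, cfg_b: str) -> bool:
    return region_identity(cfg_a) == region_identity(cfg_b)


# Constructed configs (the block under 'spanning-tree mst configuration').
SW_A = """\
name CAMPUS
revision 7
instance 1 vlan 10,20
instance 2 vlan 30-39
"""
SW_B = SW_A                       # identical configuration on a second switch
SW_C = """\
name CAMPUS
revision 7
instance 1 vlan 10,20
instance 2 vlan 30-40
"""                               # same name and revision, VLAN 40 added to instance 2
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"   # digest shown by a factory-default switch

if __name__ == "__main__":
    print("default digest matches:", config_digest({}) == DEFAULT_DIGEST)
    print("A and B same region:", same_region(SW_A, SW_B))
    print("A and C same region:", same_region(SW_A, SW_C))
```

The practical use is comparing the three values across switches before and after a change: bumping the revision or adding a VLAN to an instance on one switch silently splits the region, and the only symptom on the box is the digest changing.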

Rapid-PVST

Uses a proposal/agreement handshake. The root proposes to the downstream switches that they make the receiving interface their Root Port; each one agrees (ACK), blocks its other non-edge interfaces (BLK) in the meantime, and starts the same negotiation with the next downstream switches.

  • OBS: This negotiation only happens on point-to-point (full-duplex), non-edge links. On the remaining ports it falls back to PVST-style timers.

OBS: PVST “portfast” corresponds to Rapid-PVST “edge port”.

MST and Rapid-PVST correlation

MST uses the RSTP negotiation with a single instance per group of VLANs, but every switch in the region must agree on that configuration.

Rapid-PVST can be enabled switch by switch (it doesn’t need to be done all at once), but it runs one instance per VLAN, creating extra overhead.

Flex Links

Allows link redundancy without STP: STP is disabled on the primary and backup interfaces.

Does a MAC address “spoofing” through the backup link so that the neighbor switches update their CAM tables (MAC-address Move Update, MMU).

Switching General Notes

  • When an access interface is statically bound to a nonexistent VLAN, the VLAN is created automatically. But when a trunk is configured with a nonexistent VLAN, the VLAN is not created and no warning message is generated.
  • The err-disable recovery interval is global for every err-disable cause, because it is a single global timer (the causes are enabled individually).
  • When VLAN 1 is removed from a trunk, the control traffic on VLAN 1 between switches (CDP, VTP, DTP, PAgP) is not interrupted (it can be seen with a network analyzer). But no data is forwarded and STP for VLAN 1 no longer runs over that link. It is a technique to break VLAN 1 into smaller domains.
  • Port priority is usually configured on designated interfaces, starting from the Root Bridge and going towards the access switches, because it is the sender’s port priority that the downstream switch evaluates.
  • Port cost is usually configured on root ports and alternate ports towards the root bridge, because it is applied by the receiving switch.

Transparent Bridging

By default:

  • Routers route IP
  • Switches switch (bridge) frames
  • By default a router does not bridge and route the same protocol

Transparent bridging puts the router under the same STP rules as a switch:

  • Only 1 active path
  • Election of
  • - Root Bridge
  • - Root Port
  • - Designated Port

Process:

  1. Disable IP routing (no ip routing)
  2. Create the STP bridge group: bridge X protocol ieee (X = bridge group number, typically the VLAN number)
  3. Apply the group to the interfaces: bridge-group X
  4. On a multipoint NBMA interface (Frame Relay), map the bridged traffic to the circuit: frame-relay map bridge <dlci> broadcast

The objective is to extend the broadcast domain across the routers. Basically it creates a regular 802.1D STP instance and bundles the interfaces into the same group.

OBS: to confirm that the devices are in the same broadcast domain, ping 255.255.255.255.

Integrated Routing & Bridging (IRB)

It is the evolution of a feature called “Concurrent Routing and Bridging” (CRB), which allowed a router to route and bridge the same protocol stack, as long as it was not on the same interface.

With CRB there is no communication between the two domains.

IRB uses a Bridge Virtual Interface (BVI) to connect the bridged domain with the routed domain, the same principle as an SVI on a switch. Nowadays it is NOT a good solution.

OBS: The “route” and “bridge” keywords are only shown when IRB is enabled.

OBS: Be very careful when playing with Transparent Bridging or IRB: once bridging is enabled for a protocol on an interface, its packets are no longer routed there.

  • bridge irb
  • bridge X route ip
  • bridge X bridge ip

The BVI is the equivalent of an SVI. In a bridged domain, the BVI is where the L3 options (NAT, QoS, etc.) are configured.

Fallback Bridging

  • A 3560 only routes IPv4 and IPv6 by default
  • All other protocols must be bridged
  • Fallback bridging allows those other protocol stacks to be bridged between SVIs and routed interfaces
  • A switch with routing disabled still answers pings on its interfaces, but does not forward (route) packets between them

“Show” switching commands

sh int status | ex not

show int X/X switchport — checks whether the interface operates as a switchport or in routed mode (L3 port)

sh vlan

sh vlan | in active

sh span vlan X

sh int trunk — all four sections of the output are important; “n-xxx” in the encapsulation column (n-isl, n-802.1q) means negotiated via DTP

sh int trunk | in tru

sh span

sh span sum

sh span det

sh span int X/X

sh vtp status

sh vtp devices — VTP version 3 only

sh vtp pass

sh ether

sh ether sum

sh ether prot

sh ether X port

sh ether det

sh ether det | in Mode

sh ip int bri | ex un

sh span | in VLAN|root

sh span | in VLAN|Fa

sh span | in VLAN|FWD|Cost

sh span int XX det

debug span events

sh err det

sh err rec

sh udld fa x/x

sh udld nei

sh span mst config

sh span mst

sh storm

sh storm uni

sh monitor

sh moni det

sh moni session x

sh moni se x det

sh vlan private

sh int pri map

sh bridge X — on a router, similar to “sh mac address-table”

sh bridge X group — shows which interfaces are part of the bridge group

sh span X — shows the STP state of bridge group X on a router

What do you think about this content?

Did I miss any important points?

Tell me in the comment section.

If you like this content, please share. Don’t forget to follow me and TechRebels by clicking “follow” down below :)

About the author:

Giuliano Barros is Network Consultant & Founder of Control Plane — Network Services.

Graduated in Computer Science, CCIE certified by Cisco Systems, and working for 15 years on projects for medium and large companies.

linkedin.com/in/giulianobarros

DevOps Network Engineer | CCIE RS #49619 | Cisco Champion | Blogger