Tuesday, August 26, 2014

Route Redistribution Notes

Route Redistribution Overview
Redistribution occurs from the routing table not the routing database
When redistributing protocol X into Y, take
-routes in the routing table via protocol X
-connected interfaces running protocol X

Route advertisement rules

Connected Redistribution
Implicitly occurs for connected links running the redistributed protocol
Additional connected links can be explicitly included or excluded
-redistribute connected [metric] [route-map]
-overrides the implicit redistribution

How IOS chooses a path
Each routing protocol's database chooses one or more candidate paths
-EIGRP via DUAL, OSPF via SPF, etc
-load balancing possible via maximum-paths

If the same prefix/mask is offered by multiple protocols
-choose the lower AD

Install the result in the RIB and/or FIB

Administrative Distance Values
0 : connected
1 : static
5 : EIGRP summary
20 : External BGP
90 : Internal EIGRP
110 : OSPF
115 : IS-IS
120 : RIP
160 : ODR
170 : External EIGRP
200 : Internal BGP
255 : Infinite

RIP Redistribution
Doesn't differentiate between internal and external routes
-AD of 120 for all routes
No default seed metric
-without one, redistributed routes get an infinite metric and are not advertised (connected and static routes are the exception; they get metric 1)
-redistribute [protocol] metric [hops]
-default-metric [hops]

EIGRP redistribution
AD of 170 for external EIGRP routes
-helps to automatically prevent route feedback
External routes carry the originating router-id for loop prevention
No default seed metric unless redistributing EIGRP into EIGRP
-without one, redistributed routes get an infinite metric and are not advertised (connected and static routes are the exception)
-redistribute [protocol] metric [bw] [delay] [load] [reliability] [mtu]
-default-metric [bw] [delay] [load] [reliability] [mtu]

OSPF redistribution
AD of 110 for all OSPF routes (intra-area, inter-area and external alike)
Uses the Router-ID in LSA flooding for loop prevention
Default seed metric 20 with metric-type E2/N2
-exception: routes redistributed from BGP get a seed metric of 1
OSPF path selection preference
-E1 & N1 (redistributed metric plus internal cost to the ASBR) vs E2 & N2 (redistributed metric only)

BGP redistribution
Redistributed routes get ORIGIN code incomplete (?)
Normal EBGP and IBGP loop prevention
Redistributing OSPF into BGP denies OSPF external routes by default
-redistribute ospf [pid] match internal external
Redistributing BGP into an IGP allows EBGP routes but denies iBGP routes by default
-bgp redistribute-internal
-legacy synchronization rule
-redistributing iBGP routes into the IGP can cause routing loops

OSPF Notes

OSPF Overview
Classless link-state protocol
-uses Dijkstra SPF algorithm
-maintains active adjacencies
-supports VLSM
-supports both topology and NLRI summarization

Enabling OSPF
Enable the global process
-router ospf [process-id]
.process-id is locally significant
-needs at least one up/up interface with an IP address
.used to derive the OSPF Router-ID (highest loopback IP, else highest interface IP) unless router-id is set explicitly
Enable OSPF on the interfaces
-network [address] [wildcard] area [area]
-ip ospf [process-id] area [area]

Verifying OSPF
Verify OSPF is enabled
-show ip ospf
-show ip ospf interface [brief]
Verify OSPF adjacencies
-show ip ospf neighbor
-show ip ospf neighbor detail
Verify ospf database
-show ip ospf database [router | network | summary]

Neighbor and Topology Discovery
Like EIGRP, OSPF uses hello packets to discover neighbors
-transported directly over IP as protocol 89 (OSPF)
-sent as multicast to 224.0.0.5 (AllSPFRouters) / 224.0.0.6 (AllDRouters), or as unicast on non-broadcast network types
Hello packets contain attributes that neighbors must agree on to form an adjacency
Once the adjacency is negotiated, the LSDBs are exchanged.

Negotiating OSPF Adjacencies
Neighbors must agree on attributes to form an adjacency
-not all OSPF neighbors actually form a full adjacency (see DR/BDR below)
-most OSPF configuration problems happen at this stage
Attributes that must be unique..
-Router-ID
-interface IP address

Attributes that must match..
-area-id
-hello interval and dead interval
-subnet and mask (checked on broadcast and non-broadcast network types)
-interface MTU (checked during database exchange; a mismatch sticks in EXSTART/EXCHANGE)
-network type (DR/BDR expectations and default timers must be compatible)
-stub/NSSA area flags
-authentication type and key
-other optional capabilities

OSPF Media Dependencies
OSPF behavior changes based on the media
-e.g. Ethernet vs Frame Relay vs PPP
Different media use different "network types" to control..
-how updates are sent (multicast or unicast)
-who forms an adjacency (DR/BDR or everyone)
-how the next-hop is calculated

OSPF Network Types
-broadcast
-non-broadcast
-point-to-multipoint
-point-to-multipoint non-broadcast
-point-to-point
-loopback

OSPF Network Broadcast
ip ospf network broadcast
Default on multi-access broadcast media
-Ethernet, Token Ring & FDDI
Sends hellos and updates as multicast
-224.0.0.5 (AllSPFRouters)
-224.0.0.6 (AllDRouters)
Performs DR and BDR election

DR/BDR Overview
Designated Router (DR)
-used on broadcast and non-broadcast links to
.minimize adjacencies
.minimize LSA replication
Backup DR (BDR)
-provides redundancy for the DR
All other routers on the link (DROTHERs)
-form full adjacency with the DR & BDR
-stop at 2-WAY with each other
DR/BDR chosen through an election process

DR/BDR election
Election is based on the interface priority field carried in hello packets
-ip ospf priority [0-255], default 1
-higher is better
-0 = never becomes DR/BDR
-ties broken by the highest Router-ID (derived from the highest loopback/interface IP unless set statically with router-id)
-no preemption: a router that comes up later with a higher priority does not take over from the current DR, unlike IS-IS's DIS

OSPF Network Non-Broadcast
ip ospf network non-broadcast
Default on NBMA media such as Frame Relay and ATM multipoint interfaces
Sends hellos as unicast
-neighbor addresses defined manually with the neighbor command
Performs DR/BDR election
-the DR/BDR must have a direct VC to every other router on the link

OSPF Network Point-to-multipoint
ip ospf network point-to-multipoint
Treats network as a collection of point-to-point links
Sends hellos as multicast
No DR/BDR election
Special next-hop processing
Usually the best design option for partial mesh NBMA networks

OSPF network Point-to-point
ip ospf network point-to-point
Default on point-to-point medias
Sends hellos as multicast
No DR/BDR election
Supports only two neighbors on the link

Point to multipoint Non-broadcast
ip ospf network point-to-multipoint non-broadcast
Same as point-to-multipoint, but sends hellos as unicast
-manually defined addresses with neighbor command
-allows for per-VC OSPF cost over NBMA
No DR/BDR election
Special next-hop processing

OSPF Network Loopback
Special case for loopback and looped-back interfaces
Advertises the link as a /32 stub host route regardless of the configured mask
ip ospf network point-to-point on the loopback makes OSPF advertise the configured mask instead

OSPF Path Selection
Once databases are synchronized, path selection begins
Each router's LSA includes a "cost" for each described link
Best path to a destination is the lowest end-to-end cost
Cisco's implementation uses a bandwidth based cost, but per RFC 2328 the metric is arbitrary
-default Cisco cost = reference bandwidth (100 Mbps) / interface bandwidth, truncated to an integer with a minimum of 1
-anything at or above 100 Mbps therefore gets cost 1 (FastEthernet, GigE and 10GigE all look the same)
-reference bandwidth can be raised with auto-cost reference-bandwidth to tell them apart; set it identically on every router in the domain

OSPF path selection order
Per RFC, the OSPF route preference order is..
-intra-area routes (O)
-inter-area routes (O IA)
-external type 1 (E1) and NSSA type 1 (N1)
-external type 2 (E2) and NSSA type 2 (N2)
Per RFC 3101 a type-5 route (E1/E2) is preferred over an otherwise equal type-7 route (N1/N2); older IOS releases used the order E1, E2, N1, N2
Cannot be modified with metric or distance.

Modifying OSPF path selection
OSPF uses a bandwidth based cost
-cost = reference BW / interface BW
Cost can be modified with
-interface bandwidth
-interface ip ospf cost (takes precedence over the bandwidth-derived value)
-process auto-cost reference-bandwidth
-process neighbor [address] cost (point-to-multipoint non-broadcast only)
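The cost formula and its weak spot as working code, added here as an example rather than taken from the original notes: the topology, router names and bandwidths are constructed. It computes Cisco-style interface costs and runs SPF over a three-router topology where a two-hop 10GigE path competes with a direct FastEthernet link, first with the default reference bandwidth and then after auto-cost reference-bandwidth 10000.

```python
"""OSPF interface cost and SPF on a constructed three-router topology.
Added example, not from the original notes. Bandwidths are in kbps as IOS
reports them; the cost formula is the Cisco one described above."""
import heapq

MAX_COST = 65535

# Constructed topology: (router A, router B, link bandwidth in kbps)
TOPOLOGY = [
    ("R1", "R2", 100_000),       # FastEthernet, direct
    ("R1", "R3", 10_000_000),    # 10GigE
    ("R3", "R2", 10_000_000),    # 10GigE
]


def ospf_cost(link_bw_kbps, ref_bw_mbps=100):
    """Cisco-style cost: reference bandwidth / interface bandwidth, truncated
    to an integer and clamped to 1..65535 (so any link at or above the
    reference bandwidth costs 1)."""
    cost = (ref_bw_mbps * 1000) // link_bw_kbps
    return max(1, min(cost, MAX_COST))


def spf(topology, source, ref_bw_mbps=100):
    """Dijkstra over the topology; returns {router: (total cost, path)}."""
    adj = {}
    for a, b, bw in topology:
        cost = ospf_cost(bw, ref_bw_mbps)
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nxt, link_cost in adj.get(node, []):
            new_cost = cost + link_cost
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, best[node][1] + [nxt])
                heapq.heappush(heap, (new_cost, nxt))
    return best


def best_path(topology, source, dest, ref_bw_mbps=100):
    """Total cost and router list from source to dest under a given reference bandwidth."""
    return spf(topology, source, ref_bw_mbps)[dest]


if __name__ == "__main__":
    for ref in (100, 10000):
        cost, path = best_path(TOPOLOGY, "R1", "R2", ref)
        print(f"auto-cost reference-bandwidth {ref}: R1->R2 cost {cost} via {'-'.join(path)}")
```

With the default reference bandwidth every link at or above 100 Mbps costs 1, so OSPF takes the single FastEthernet hop over two 10GigE hops; raising the reference bandwidth to 10000 makes the fast path win. The reference bandwidth has to change on every router in the domain, otherwise routers disagree on link costs and SPF results diverge.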

OSPF Convergence Timers
Neighbor loss detection is based on the hello and dead timers
-supports sub-second timers (ip ospf dead-interval minimal hello-multiplier [n])
Different defaults for different network types
-10 s hello / 40 s dead on broadcast and point-to-point
-30 s hello / 120 s dead on non-broadcast and point-to-multipoint
-show ip ospf interface
Changing the hello time automatically adjusts the dead time to 4x hello
-ip ospf hello-interval
-ip ospf dead-interval
Note: when a switch sits between two routers the router interfaces stay up/up if the far side fails, so OSPF only notices at dead-interval expiry; Bidirectional Forwarding Detection (BFD) is used to detect such failures in milliseconds and tear the adjacency down.

OSPF Authentication
OSPF supports 3 authentication types (AuType in the OSPF header)
-0 = Null
-1 = clear text (the key travels in every packet; protects against misconfiguration only, not against anyone who can sniff the link)
-2 = cryptographic: MD5 per RFC 2328 Appendix D, or HMAC-SHA via ip ospf authentication key-chain (RFC 5709) on newer IOS releases
.type 2 carries a cryptographic sequence number that the receiver checks to reject replayed packets
Can be enabled
-on all links in the area (area [area] authentication [message-digest] on the process)
-on a per link basis (ip ospf authentication [message-digest])
Key is always applied at link level
-ip ospf authentication-key [key] or ip ospf message-digest-key [key-id] md5 [key]
-virtual links are area 0 interfaces, so area 0 authentication applies to them too
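The type 2 trailer in code, added here as an example and not part of the original notes. It builds a constructed OSPF Hello (made-up router-id 10.0.0.1, key id 1, key "s3cret") with the cryptographic authentication field, appends the MD5 digest exactly as RFC 2328 Appendix D describes, and verifies it on the receiving side, including the sequence-number check that stops a replayed packet.

```python
"""OSPF type-2 (MD5) authentication per RFC 2328 Appendix D on a constructed
Hello packet. Added example, not from the original notes; the key and the
addresses are made up. Shows how the digest trailer is built and checked, and
why the receiver must enforce the cryptographic sequence number."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """IOS zero-pads keys shorter than 16 bytes; longer keys are invalid."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(pkt_type: int, body: bytes, router_id: bytes, area_id: bytes,
                 key_id: int, seq: int) -> bytes:
    """OSPF header + body. With cryptographic auth the checksum field is 0 and the
    8-byte Authentication field carries: 0x0000, key id, auth data length (16),
    32-bit cryptographic sequence number. The digest is NOT counted in Length."""
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, pkt_type, HEADER_LEN + len(body),
                         router_id, area_id, 0, AUTYPE_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender: append MD5(packet || zero-padded key) as the trailer."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def make_hello(seq: int, key: bytes = b"s3cret", key_id: int = 1) -> bytes:
    """Constructed Hello: mask /24, hello 10, options 0x02, priority 1, dead 40, no DR/BDR."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    packet = build_packet(OSPF_HELLO, body, bytes([10, 0, 0, 1]), bytes(4), key_id, seq)
    return sign(packet, key)


class Neighbor:
    """Receiver-side state for one neighbor: configured key and the last accepted
    sequence number (RFC 2328 D.4.3 requires new seq >= last accepted)."""

    def __init__(self, key_id: int, key: bytes):
        self.key_id = key_id
        self.key = key
        self.last_seq = None

    def verify(self, frame: bytes) -> bool:
        if len(frame) < HEADER_LEN + DIGEST_LEN:
            return False
        packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        (length,) = struct.unpack("!H", packet[2:4])
        (autype,) = struct.unpack("!H", packet[14:16])
        _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
        if length != len(packet) or autype != AUTYPE_CRYPTO:
            return False
        if key_id != self.key_id or auth_len != DIGEST_LEN:
            return False
        expected = hashlib.md5(packet + pad_key(self.key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False          # wrong key or tampered packet
        if self.last_seq is not None and seq < self.last_seq:
            return False          # replayed / out-of-date packet
        self.last_seq = seq
        return True
```

Two things the code makes visible: the digest covers the whole packet including the sequence number, so a captured Hello cannot be replayed once a newer sequence number has been accepted, and an equal sequence number is still accepted (the RFC says greater than or equal), so the per-neighbor state is what provides the protection. MD5 keyed this way is a 1998 construction; where the platform supports ip ospf authentication key-chain with HMAC-SHA, use that instead.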

OSPF Summarization
All devices within an area must have the same LSDB
Implies summarization can only occur
-between areas (on an ABR)
.area [source area] range [address] [mask]
-during redistribution (on an ASBR)
.summary-address [address] [mask]
Automatically generates a discard route to Null0 so packets for unused parts of the summary are not forwarded along a default route (loop prevention)
-disabled with no discard-route [internal | external]
Can be used for traffic engineering via longest-match routing

OSPF Filtering Overview
OSPF is a link-state routing protocol
-to calculate identical SPTs everyone must have the same input to SPF (the LSDB)
-implies that LSA filtering cannot be configured within an area (a distribute-list in only stops routes being installed in the local RIB; the LSDB is unchanged)
Inter-area filtering through
-stub areas
-LSA 3 filter (area filter-list)

OSPF Stub Areas
Stub areas are used to limit the type of LSAs allowed to enter an area
-intra-area routes (O)
.LSA 1 & 2
-inter-area routes (O IA)
.LSA 3 & 4
-external routes (E1 & E2)
.LSA 5
-NSSA external routes (N1 & N2)
.LSA 7

All routers in an area must agree on the stub flag (it is checked in the hello Options field)

OSPF Stub Areas
Stub Area
-removes external routes (LSA 5)
-removes ASBR advertisement (LSA 4)
-ABR originates inter-area default route (LSA 3)

Enabled on all routers in an area
-area [area id] stub

OSPF Stub Areas
Totally stub Area
-removes external routes (LSA 5)
-removes ASBR advertisement (LSA 4)
-removes inter-area routes (LSA 3)
-ABR originates inter-area default route (LSA 3)

Stub enabled on all routers in the area
-area [area] stub

Totally stubby enabled on ABR(s) of the area
-area [area] stub no-summary

OSPF Stub Areas
Not-so-stubby area (NSSA)
-allows NSSA external generation (LSA 7)
-removes external routes (LSA 5)
-removes ASBR advertisement (LSA 4)

All routers must agree on NSSA
-area [area] nssa

ABR does not originate default automatically
-can be configured to generate LSA 7 default
-area [area] nssa default-information-originate

OSPF stub Areas
Not-so-totally-stubby area
-allows NSSA external generation (LSA 7)
-removes external routes (LSA 5)
-removes ASBR advertisement (LSA 4)
-removes inter-area routes (LSA 3)
-ABR originates inter-area default route (LSA 3)

NSSA enabled on all routers in the area
-area [area] nssa

Totally stubby enabled on ABR(s) of the area
-area [area] nssa no-summary

Controlling NSSA Redistribution
Redistributed routes on an NSSA router are originated as LSA 7
If NSSA ASBR is also an ABR..
-type 7 originated into NSSA
-type 5 originated into Area 0

Type 7 origination can be suppressed
-area [area] nssa no-redistribution
-send type 5 to area 0 but not type 7 to NSSA

NSSA Translator Election
The NSSA ABR translates Type 7 LSAs into Type 5 for advertisement into Area 0
If there are multiple ABRs, only one of them performs the translation
-the NSSA translator election chooses the ABR with the highest router-id (unless area [area] nssa translate type7 always is set)
If the forwarding address is non-zero, the translating ABR need not be in the transit path

LSA 3 Filter
Stub areas can only filter on LSA type
ABRs can filter which summary LSAs (LSA 3) they generate between areas
Applied to process level of ABR
-area [area] filter-list prefix [prefix-list] [in | out]

-In/out allows for control of ABRs with more than 2 areas

Tuesday, August 5, 2014

BGP Notes

BGP Overview
Open Standards based
-RFC 4271 “ A border gateway protocol 4 (BGP-4)”
Classless path vector routing protocol
-uses multiple “attributes” for routing decision
-supports VLSM and summarization
-multiprotocol extensions (MP-BGP, RFC 4760) carry other address families: IPv4 multicast, IPv6, VPNv4 for MPLS VPNs, etc.

Autonomous Systems (AS)
-per RFC 4271: a set of routers under a single technical administration, using an interior gateway protocol (IGP) and common metrics to determine how to route packets within the AS, and using an inter-AS routing protocol to determine how to route packets to other ASes.
ASNs are allocated by the Internet Assigned Numbers Authority (IANA) through the regional registries
Generally, BGP relies on an IGP (OSPF, IS-IS, EIGRP) for reachability to peers and next hops within the AS.

BGP ASN Values
Originally a 2-byte field
-values 0-65535
-public ASNs 1-64495 (64496-64511 are reserved for documentation)
-private ASNs 64512-65534 (RFC 6996); 0 and 65535 are reserved, and 23456 is reserved as AS_TRANS

The 2-byte space is exhausted, so 4-byte ASNs were introduced (RFC 4893, updated by RFC 6793)

Currently a 4-byte field
-BGP support for four-octet AS number space

4-Byte BGP ASN
Notation: asplain (0-4294967295) or asdot (0.0-65535.65535)
-0.[0-65535] denotes the original 2-byte ASNs
Requires backwards compatibility with old code
-4-byte ASN support negotiated during capability exchange (capability code 65)
-old BGP speakers are sent AS_PATH and AGGREGATOR with every 4-byte ASN replaced by the reserved 2-byte value AS_TRANS (23456)
-the real path is carried alongside in the optional transitive attributes AS4_PATH and AS4_AGGREGATOR, which old speakers pass on untouched
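The notation and the AS_TRANS mechanics as code, added as an example and not taken from the original notes (the ASNs 4200000000, 65000 and 65010 are made up). It converts between asplain and asdot, produces the AS_PATH an old speaker receives, and performs the AS4_PATH merge a new speaker does on receipt (RFC 4893 section 4.2.3).

```python
"""4-byte ASN notation and the AS_TRANS / AS4_PATH mechanics of RFC 4893 and
RFC 6793. Added example, not from the original notes; the ASNs are made up."""
AS_TRANS = 23456
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def to_asdot(asn: int) -> str:
    """asplain -> asdot: ASNs that fit in 2 bytes are shown plain, others as HIGH.LOW."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN {asn} out of range")
    return str(asn) if asn <= MAX_2BYTE else f"{asn >> 16}.{asn & MAX_2BYTE}"


def to_asplain(text: str) -> int:
    """asdot or asplain string -> integer."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN {asn} out of range")
    return asn


def as_path_for_old_speaker(as_path):
    """AS_PATH sent to a peer that did not negotiate the 4-octet AS capability:
    every ASN above 65535 is replaced by AS_TRANS."""
    return [asn if asn <= MAX_2BYTE else AS_TRANS for asn in as_path]


def as4_path_for_old_speaker(as_path):
    """AS4_PATH sent alongside: the real path, only when AS_PATH needed a substitution.
    Being optional transitive, the old speaker forwards it without understanding it."""
    return list(as_path) if any(asn > MAX_2BYTE for asn in as_path) else []


def reconstruct_as_path(as_path, as4_path):
    """New speaker receiving both attributes (RFC 4893 4.2.3): if AS4_PATH is no
    longer than AS_PATH, keep the leading len(AS_PATH)-len(AS4_PATH) entries of
    AS_PATH (ASNs prepended by old speakers, which never touch AS4_PATH) and
    append AS4_PATH. If AS4_PATH is longer it is inconsistent and ignored."""
    if not as4_path or len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)
```

The merge keeps the leading entries of AS_PATH because an old speaker in the middle prepends its own 2-byte ASN to AS_PATH but passes AS4_PATH through untouched; a new speaker reconstructing the path, and doing loop detection on it, has to account for that.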

Establishing BGP Peerings
Like an IGP, the first step in BGP is to find neighbors to exchange information with
Unlike an IGP..
-BGP does not have its own transport (it runs over TCP)
-BGP has different types of neighbors
-BGP neighbors are not discovered; every peer is configured explicitly
-BGP neighbors do not have to be connected
Because the session is a TCP connection, iBGP neighbors only need IP reachability to each other, not a direct link.

BGP Transport
BGP uses TCP port 179 for transport
-implies that IP reachability (an IGP or static routes) must exist before BGP can peer
BGP neighbor statements tell the process to
-listen for the remote address on TCP 179
-initiate a session to the remote address on TCP 179
-if both sides connect at once (collision), the connection initiated by the higher router-id is kept, i.e. the higher router-id ends up as the TCP client
Note: iBGP does not change the next hop, so internal routers need a path to the external next hop; without an IGP you would need direct links between all routers (a full mesh with its own routing problems). In practice the IGP provides the recursion from the BGP next hop to an outgoing interface.

BGP Peering Types
External BGP (EBGP ) peers
-neighbors outside my AS
Internal BGP(iBGP) Peers
-neighbors inside my AS
Update and path selection rules change depending on what type of peer a route is being sent to / received from

BGP Peering Rules
EBGP packets default to TTL 1
-can be modified if neighbors are multiple hops away
.neighbor ebgp-multihop [ttl] (raises the sent TTL and accepts packets from any distance)
.neighbor ttl-security hops [ttl] (GTSM, RFC 5082: only accepts packets whose received TTL is >= 255 - hops, so spoofed packets from further away are dropped; prefer it over ebgp-multihop where both peers support it, the two are mutually exclusive)
Non-multihop EBGP peers must be directly connected by default
-can be modified if directly connected neighbors peer via loopbacks
.neighbor disable-connected-check

Loop prevention via AS-PATH
-local ASN is prepended to outbound EBGP updates
-inbound updates containing the local ASN are discarded
-can be relaxed with neighbor allowas-in [count]

Next-hop processing
-outbound EBGP updates have the local update-source address for that neighbor set as next-hop
e.g. if update-source is Loopback0, the next-hop is Loopback0's address
-can be modified with the route-map action set ip next-hop, but typically shouldn't be
.e.g. third-party next-hop on a shared segment

Note: control plane = the BGP session and the routing updates it carries
Data plane = the actual forwarding of traffic.
IBGP packets default to TTL 255
-implies neighbors do not have to be connected as long as IGP reachability exists
Loop prevention via route filtering (the AS-PATH does not change inside the AS)
-iBGP learned routes cannot be advertised on to another iBGP neighbor
-implies the need for either..
.fully meshed iBGP peerings
.route reflection (or confederations)

Next-hop Processing
-outbound iBGP updates do not modify the next-hop attribute regardless of iBGP peer type
.iBGP peer
.route reflector's client peer
.route reflector's non-client peer
.confederation EBGP peer
-can be modified with neighbor next-hop-self or the route-map action set ip next-hop
Note: in BGP the control plane and data plane are decoupled (the session need not follow the forwarding path), which gives the flexibility to steer outbound traffic with route-maps.

BGP Transport
The TCP server must agree on where the client's session is coming from
-if the source address does not match a configured neighbor, the server refuses the session
The client's packets are sourced from the outgoing interface in the routing table
-can be modified with neighbor update-source per neighbor

iBGP Route Reflection
Eliminates the need for a full mesh
-clients only need peering(s) to the RR(s)
Like OSPF DR & IS-IS DIS, minimizes prefix replication
-send one update to the RR
-RR sends the update to its "clients"
Loop prevention through ORIGINATOR_ID and CLUSTER_LIST
-a router discards reflected routes carrying its own router-id as ORIGINATOR_ID
-an RR discards routes whose CLUSTER_LIST already contains its own cluster-id
-reflection does not modify other attributes such as next-hop

Route reflector Peerings
Route reflector can have three types of peers
-EBGP peers
.neighbors in a different AS
-Client peers
.IBGP peers with route-reflector-client
-Non-client  peers
.IBGP peers without route-reflector-client

Route Reflector Update Processing
RR processes update differently depending on what type of peer they came from
-EBGP learned routes
.can be advertised to EBGP peers, clients, & Non clients
-client learned routes
.can be advertised to EBGP peers, clients, & non clients
-non-client learned routes
.can be advertised to EBGP peers and clients
RR placement based upon these rules

Large Scale Route Reflection
Larger scale BGP designs cannot be serviced by only a single RR
-single RR is a single point of failure
RR “clusters” allow redundancy and hierarchy
-a cluster is defined by the clients an RR serves
-RRs in the same cluster use the same cluster-ID

Inter-Cluster peerings between RRs can be client or non-client peerings
-depends on redundancy design

BGP Confederation
Reduces the full-mesh iBGP requirement by splitting the AS into smaller sub-ASes
-inside a sub-AS the full-mesh or RR requirement remains
-between sub-ASes peering acts like EBGP (but LOCAL_PREF, MED and next-hop are preserved)
Devices outside the confederation do not know about the internal structure
-sub-AS numbers are stripped from advertisements to "true" EBGP peers
Typically uses ASNs in the private range (64512-65534)

BGP Confederation Configuration
Enable the BGP process with the sub-AS number
-router bgp [sub-as]
Specify the main AS number seen by the outside world
-bgp confederation identifier [main-as]
Specify the other sub-ASes that you peer with
-bgp confederation peers [sub-as1 ... sub-asN]
-not all sub-ASes, just those directly peered with

BGP NLRI Advertisement
BGP NLRI can be originated by
-network statement
.requires exact match in the routing table first
-redistribute statement
.won’t include OSPF External by default
-aggregate-address statement
.requires at least one more-specific route in the BGP table first
-bgp inject-map statement
.opposite of aggregation

BGP Network Statement
Originates prefixes with ORIGIN of iGP(i)
Requires exact match in the routing table
-Does not have to be a connected prefix, can be learned via IGP
Without the mask keyword a classful mask is assumed

BGP redistribute statement
Originates prefixes with ORIGIN of INCOMPLETE (?)
Originates a classful summary if auto-summary is enabled
Automatically copies the IGP metric to the BGP MED
Won't include OSPF external routes by default
-redistribute ospf [pid] match internal external

BGP Aggregation
Can be applied at any point in the network as long as one more-specific route is in the BGP table
Configured as aggregate-address [network] [mask] [args]
Arguments are ..
-attribute-map | route-map

BGP Conditional Route Injection
Originates subnet(s) of an aggregate for the purpose of longest-match traffic engineering
Configured as bgp inject-map [inject-map] exist-map [exist-map] [copy-attributes]
-Inject map
.subnets to be advertised
.set ip address prefix-list [list]
-Exist map
.aggregate to be originated from, and who it must be learned from
.match ip address prefix-list [list]
.match ip route-source prefix-list [list]

BGP Best Path Selection
Chooses which routes can be
-installed in the RIB/FIB
-Advertised to the other BGP peers

Best path selection prerequisites
Nexthop value must be in the routing table
-prevents route-recursion failure
Synchronization rule must be met or disabled
-Legacy black-hole prevention technique
AS-Path must not contain local-AS
-Normal EBGP loop prevention
First ASN in the path must be the EBGP neighbor's ASN
-bgp enforce-first-as command

Best Path Selection Order
Highest weight (Cisco specific, local to the router)
Highest local preference
Locally originated (network / redistribute / aggregate)
Shortest AS-path
Lowest origin code (IGP < EGP < incomplete)
Lowest MED (compared only among paths from the same neighboring AS by default)
EBGP over IBGP (this is different from the AD)
Lowest IGP metric to the next-hop
Oldest EBGP path
Tie breakers
-lowest router-id
-shortest cluster list
-lowest neighbor address

Manipulating Best path selection
Outbound routing policy affects inbound traffic
Inbound routing policy affects outbound traffic
Weight and local pref
-set inbound
-affects outbound traffic
AS-path and MED
-set outbound
-affects inbound traffic

Best Path Selection Exceptions
-bgp bestpath as-path ignore
.skip the AS-path length comparison
-bgp always-compare-med
.compare MED between paths from different neighboring ASes too
-bgp bestpath med-confed
.compare MED for paths learned from confederation peers (only when every ASN in the path is a confederation sub-AS)
-bgp bestpath med missing-as-worst
.assign a MED of 4,294,967,294 to paths with no MED (by default a missing MED is treated as 0, the best value)
-bgp deterministic-med
.group paths by neighboring AS and compare MED within each group first, so the result does not depend on the order the paths were received in
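The selection order and the MED knobs as a comparison function, added here as an example and not part of the original notes. The paths, ASNs, addresses and router-ids are constructed; the prerequisites (reachable next hop, enforce-first-as, synchronization) are assumed to have passed. Weight and local preference are higher-is-better, everything else lower-is-better.

```python
"""Cisco-style BGP best path comparison with the MED knobs listed above.
Added example, not from the original notes; prefixes, ASNs and addresses are
made up. Prerequisites (valid next hop, synchronization, enforce-first-as)
are assumed to have been checked already."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MED_MISSING_WORST = 4294967294           # bgp bestpath med missing-as-worst
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass
class Path:
    neighbor_as: int
    neighbor_addr: str
    as_path: List[int]
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    med: Optional[int] = None            # None = attribute absent
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"
    cluster_list: Tuple[str, ...] = ()


@dataclass
class Knobs:
    as_path_ignore: bool = False         # bgp bestpath as-path ignore
    always_compare_med: bool = False     # bgp always-compare-med
    med_missing_as_worst: bool = False   # bgp bestpath med missing-as-worst


def ip_key(addr: str):
    """Compare dotted-quad addresses numerically, not as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def effective_med(p: Path, knobs: Knobs) -> int:
    if p.med is None:
        return MED_MISSING_WORST if knobs.med_missing_as_worst else 0
    return p.med


def better(a: Path, b: Path, knobs: Knobs) -> Path:
    """Return the preferred of two paths, walking the selection order top down."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:
        return a if a.locally_originated else b
    if not knobs.as_path_ignore and len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only compared between paths from the same neighboring AS,
    # unless always-compare-med is configured.
    if knobs.always_compare_med or a.neighbor_as == b.neighbor_as:
        med_a, med_b = effective_med(a, knobs), effective_med(b, knobs)
        if med_a != med_b:
            return a if med_a < med_b else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    # (the oldest-eBGP-path step would sit here; these paths carry no age)
    if ip_key(a.router_id) != ip_key(b.router_id):
        return a if ip_key(a.router_id) < ip_key(b.router_id) else b
    if len(a.cluster_list) != len(b.cluster_list):
        return a if len(a.cluster_list) < len(b.cluster_list) else b
    return a if ip_key(a.neighbor_addr) <= ip_key(b.neighbor_addr) else b


def best_path(paths: List[Path], knobs: Optional[Knobs] = None) -> Path:
    """Pairwise elimination over all candidate paths for one prefix."""
    knobs = knobs or Knobs()
    best = paths[0]
    for candidate in paths[1:]:
        best = better(best, candidate, knobs)
    return best
```

The pairwise walk shows the MED behaviour the knobs change: by default MED is only compared between paths from the same neighboring AS and a missing MED counts as 0 (best), so always-compare-med and missing-as-worst can each flip the result. Real IOS with bgp deterministic-med first groups paths by neighboring AS; that grouping is not modelled here.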

BGP Communities
BGP’s implementation of a route-tag
Used to group prefixes together for
-advertisement policy
-filtering policy
-best path selection policy
Community is an optional transitive attribute
-IOS does not send it to peers by default
-neighbor [address] send-community [both | standard | extended]

BGP Community Values
Standard community is a 4-byte value
Can be denoted as ..
-decimal (0-4294967295)
-AA:NN (0:0 - 65535:65535), by convention AA is the ASN that defines the meaning of NN
.ip bgp-community new-format
-same binary value regardless of display format
Three "well-known" values (below) are reserved in the 0xFFFF0000-0xFFFFFFFF range

BGP well-known communities
No-export (0xFFFFFF01)
-don’t advertise to EBGP peers
No-advertise (0xFFFFFF02)
-don’t advertise to any peers
Local-AS (0xFFFFFF03)
-don’t advertise to confederation EBGP peers

Matching and setting Communities
Set occurs in a route-map
-set community {community-number [additive] [well-known-community] | none}
-not additive by default (replaces the existing communities)

Match occurs by community-list
-Define list
.standard list matches community name or number
-ip community-list 1 standard permit no-export
.expanded matches regular expression
-ip community-list expanded AS100 permit 100:[0-9]+
-Reference from route-map
.match community AS100
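Community encoding and the two IOS behaviours described above, as an added example that is not from the original notes (the 100:1 / 100:2 values are made up). It converts AA:NN, decimal and well-known names to the 32-bit value and back, applies an expanded community-list regex the way IOS does (against the whole community string of the route), and shows set community replacing versus adding.

```python
"""Standard BGP communities (RFC 1997): AA:NN <-> 32-bit encoding, the
well-known values, and the IOS matching/setting behaviours described above
(expanded community-list regex, set community with/without additive).
Added example, not from the original notes; the community values are made up."""
import re
from typing import Iterable, Set

WELL_KNOWN = {
    0xFFFFFF01: "no-export",      # do not advertise to EBGP peers
    0xFFFFFF02: "no-advertise",   # do not advertise to any peer
    0xFFFFFF03: "local-AS",       # do not advertise outside the confederation
}
WELL_KNOWN_BY_NAME = {name: value for value, name in WELL_KNOWN.items()}


def parse_community(text: str) -> int:
    """Accept a well-known name, AA:NN, or plain decimal; return the 32-bit value."""
    if text in WELL_KNOWN_BY_NAME:
        return WELL_KNOWN_BY_NAME[text]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"bad community {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"bad community {text}")
    return value


def format_community(value: int, new_format: bool = True) -> str:
    """'ip bgp-community new-format' selects AA:NN instead of decimal display;
    well-known values are printed by name either way."""
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return f"{value >> 16}:{value & 0xFFFF}" if new_format else str(value)


def community_string(communities: Iterable[int]) -> str:
    """IOS shows a route's communities as one space-separated, numerically sorted string."""
    return " ".join(format_community(c) for c in sorted(communities))


def matches_expanded_list(communities: Iterable[int], regex: str) -> bool:
    """An expanded community-list applies its regex to the whole community string,
    so anchors like ^ and $ see all communities of the route at once."""
    return re.search(regex, community_string(communities)) is not None


def set_community(existing: Set[int], new: str, additive: bool = False) -> Set[int]:
    """route-map 'set community': 'none' clears; without 'additive' the new
    list replaces whatever was there; with it the lists are merged."""
    if new == "none":
        return set()
    values = {parse_community(token) for token in new.split()}
    return set(existing) | values if additive else values
```

Because the expanded list regex runs over the complete, sorted community string, an anchored expression such as ^100:2$ does not match a route that carries 100:1 100:2 no-export; that is a frequent surprise when writing expanded lists, and the reason unanchored patterns such as 100:[0-9]+ are the common form.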

Regular Expressions
Used for string matching in..
-show command outputs
-TCL/EEM scripting
-BGP AS-path access lists
-BGP Expanded community lists

BGP Filtering
BGP update filtering occurs on a per-peer basis with..
-neighbor [address] distribute-list
-neighbor [address] filter-list
-neighbor [address] prefix-list
-neighbor [address] route-map

Using route-map avoids order of operations issues.

BGP Convergence
Keepalive and hold timers
-the lower hold time of the two peers is used (negotiated during session establishment)
-timers bgp [keepalive] [holdtime]
-neighbor [address] timers [keepalive] [holdtime]

Link down detection
-bgp fast-external-fallover

Update timers
-neighbor advertisement-interval
-bgp nexthop {trigger {delay seconds | enable} | route-map map-name}
-bgp scan-time
-bgp update-delay

BGP Default Routing
Three ways to originate a default
-default-information originate + redistribute of the default from the IGP
-network 0.0.0.0 mask 0.0.0.0 (the default must be in the routing table)
-neighbor [address] default-originate [route-map]
.supports conditional advertisement via the route-map

Miscellaneous:
Well-known mandatory: every speaker supports it, must be in every UPDATE (NEXT_HOP, ORIGIN, AS_PATH)
Well-known discretionary: every speaker supports it, may be absent (LOCAL_PREF, ATOMIC_AGGREGATE)
Optional transitive: passed on unchanged even by speakers that do not understand it, across AS boundaries (AGGREGATOR, COMMUNITY)
Optional non-transitive: dropped by speakers that do not understand it, never leaves the AS (MED, ORIGINATOR_ID, CLUSTER_LIST)

Most  preferred: Ignore
In the BGP table: * means valid and > means best path

Two ways to get networks into BGP
-network commands
-redistribute commands

BGP synchronization:
Do not use or advertise a route learned via IBGP until the same route has been learned from the internal routing protocol.

BGP next-hop processing:
-for IBGP peers: do not change next hop address on advertised routes.
-for EBGP peers: change next hop address on advertised routes.

When we peer (iBGP or EBGP) between loopback addresses we need neighbor update-source loopback so the TCP source matches the address the peer expects.
When EBGP routers peer between loopbacks we also need ebgp-multihop (or ttl-security), since the loopback is one hop further away than the directly connected interface and the default TTL of 1 would expire.

When iBGP routes are not also carried by the IGP, disable synchronization (no synchronization, the default on current IOS) on all routers in the AS and reset the sessions so they re-evaluate (clear ip bgp *; prefer clear ip bgp * soft, which re-sends updates without tearing the TCP sessions down).

Issue: since iBGP does not change the next hop, an internal router may have no route to the EBGP peer's address and the route stays inaccessible. Solutions: carry the external link subnet in the IGP (or redistribute it), or configure neighbor [address] next-hop-self on the border router.

Weight is Cisco proprietary and local to the router (never advertised). It is set per neighbor with neighbor [address] weight, or per route via a route-map.

To disable a neighbor without removing its configuration
neighbor [address] shutdown

origin code: i = IGP (entered with the network command), e = EGP, ? = incomplete (redistributed into BGP)

local pref: advertised within the AS only (iBGP), never to EBGP peers
bgp default local-preference 100. Mainly used to make the whole AS prefer a particular exit router for outbound traffic.

policy routing: route-maps are effectively the programming language of the routing table.


L2 Trunking and tunneling Notes

802.1Q tunneling is mainly used in the service provider core (metro Ethernet)

Layer2 Security:
port security, PVLANS, VACLS, DHCP Snooping, etc.

Layer 2 QoS.
Classification, Marking, Policing, Queueing, etc

Ethernet Interface Types.
Layer 2 Switchports
- access  ie one vlan
interface f 0/1
switchport mode access
switchport access vlan 10

- trunk == multiple VLANS

ISL is Cisco proprietary
-all traffic, native VLAN included, is encapsulated with an ISL header
802.1Q is the open standard
-inserts a 4-byte tag; frames of the native VLAN are sent untagged

DTP (Dynamic Trunking Protocol)
Used to automatically negotiate whether a link becomes a trunk (and which encapsulation it uses)
verified with ..
show interface trunk
show interface switchport
show spanning-tree [vlan | interface]

desirable mode == initiates trunking negotiation
auto mode = passively listen for trunking negotiation

Disabling DTP negotiation
switchport nonegotiate
switchport mode access
switchport mode dot1q-tunnel
Disable DTP on every port that does not need to trunk (access ports, unused ports): a host speaking DTP on an auto/desirable port can negotiate itself a trunk and reach every VLAN.

- Tunnel = transparent Layer 2 VPN

- Dynamic = DTP negotiation

Layer 3 Ports
- Switched Virtual Interface (SVI)
- Native Routed Interface

802.1q Tunneling
1. Layer 2 VPN over switched ethernet network
Lightweight version of MPLS L2VPN
2. SP's PE adds an additional 802.1Q tag to all frames received from the CE
called "metro tag" or "QinQ"
3. PE assigns all CE facing ports to the same VLAN
One vlan per customer in P network.

-switchport mode dot1q-tunnel
tell switch to double tag frames
-switchport access vlan {vlan}
metro vlan assignment

-show dot1q-tunnel

Cannot be dynamically negotiated.

802.1q Tunneling Design Issues:
Assumes L2 network end to end
- PE - P - PE links must all run layer 2 trunking
- Implies scalability issues.

Additional tags increase payload size
- 4 bytes per tag
- potential to exceed MTU of the transit path
- Ethernet doesn't support fragmentation

Loss of control plane signaling for CE devices
- CDP, VTP, STP etc. dropped by the PE.

Layer 2 Protocol tunneling
used to tunnel layer 2 control plane protocols between ports
-used with 802.1Q tunnels

Support for .. -cdp, vtp, stp, PAgP, LACP, and UDLD.

EtherChannel over 802.1q Tunnels
CE can support aggregation of CE-PE links
eg 2*GigE per customer site

EtherChannel must be point to point
- Implies one metro tag per PE-CE link

PE can tunnel negotiation as well

-l2protocol-tunnel point-to-point [lacp | pagp]

L3 Routing Notes

Layer 3 routing on switches:
Switched Virtual Interfaces (SVI)
-interface vlan [1-4094]
-vlan must exist in the VLAN database first

Native routed interface
- no switchport
-same as ethernet interface on a router

Sw1# show ip route
Default gateway is not set
ICMP redirect cache is empty
-this output means ip routing is not enabled; the switch is behaving as a host
-with no default gateway set either, the switch will ARP for every destination IP

To turn on ip routing in switch
switch(config)# ip routing

Routed links (no switchport) can be used between switches instead of SVIs over trunks. This is often preferable because the link does not depend on STP and so avoids its convergence delays.

Layer 3 Routing (Contd)
Router on a Stick
-Layer 2 switch trunks traffic to external L3 router
-legacy version of SVI

Routers usually do not support DTP or VTP, so the switch side must be configured statically
-switchport mode trunk
-switchport trunk allowed vlan

Router encapsulates ISL or 802.1Q traffic using sub-interfaces
-encapsulation [isl | dot1q] {vlan} [native]

Native vlan must match
-Can be on the main interface or subinterface with native keyword.

Note: the sub-interface number and the VLAN number do not need to match; matching them is just for clarity.

There will be only one native vlan on a trunk

Etherchannel Notes

used to aggregate bandwidth of physical links
-same logic as PPP multilink

Consists of two parts
-port-channel interface
 ie logical interface representing the link bundle

-members interfaces
 physical links part of a link bundle

Channel can be any type of interface
 ie layer 2 access, trunk, tunnel or l3 routed.

Etherchannel Negotiation
channel-group [number] mode [mode]
Mode determines how negotiation occurs
- ON
 No negotiation

- Desirable & Auto (used in PAgP)
 Initiate or listen for PAgP

- Active and Passive (used in LACP)
  in active state the switch sends LACP, in passive state it only listens for LACP
PAgP vs LACP is like ISL vs 802.1Q: PAgP is Cisco proprietary, LACP is the IEEE standard (802.3ad, now 802.1AX)

Ether channel Mode compatibility
On - On
Desirable - Desirable
Desirable - Auto
Active - Active
Active - Passive

Ether Channel Load Balancing
Load balancing between member interface based on..
-source mac
-dest mac
-source ip
-dst ip
-combinations of four

Modified with..
- port-channel load-balance

Layer 3 EtherChannel
Issue the no switchport command on the member interfaces first
- avoids order of operations issues (the port-channel inherits the L2/L3 mode of its members)

Ip address and other logical options go on the Port-channel interface

Ether Channel
show etherchannel summary
L2 : show spanning-tree
L3 : show ip route

STP Notes

How STP works
Elect one root bridge
elect one root port per bridge
elect Designated ports

Root bridge act as ref point and path calculation happen based on it.

Switch with lowest bridge ID in network becomes Root Bridge

Bridge ID contains ..
- Bridge Priority
4 bits: 0 - 61440 in increments of 4096 (default 32768)

- System ID extension
12 bits: 0 - 4095 (the VLAN number with PVST+)

- MAC address

Priority 0 is most preferred for root bridge; with equal priority the lowest MAC wins

Changing the root bridge election
Manually change the BID priority
  spanning-tree vlan [vlan] priority [0-61440]
  lower is better

Use the root bridge macro
  spanning-tree vlan [vlan] root [primary | secondary]
  sets the local priority based on the current root bridge (24576 for primary, or 4096 below the current root if that is already lower; 28672 for secondary)

  show spanning-tree vlan [vlan]
  show spanning-tree root

Note: non-root bridges use the timer values carried in the root bridge's BPDUs, not their own

Default STP flavor on Cisco switches is PVST+ (one instance per VLAN)

The port at the far end of a root port's link is always a designated port

Root and designated port election
DPs are downstream, facing away from the root bridge

Like the root port election, based on ..
-lowest root path cost
-lowest sender BID
-lowest sender port ID
-lowest receiver port ID as the final tie-breaker

All other ports go into blocking mode
- receive and process BPDUs
- discard all other received traffic
- do not forward traffic

Changing the Port's Role
Modify the port's cost
 spanning-tree vlan [vlan] cost [cost]
 the default cost is derived from the link speed (802.1D short values: 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps)

Modify the bridge ID
 spanning-tree vlan [vlan] priority

Modify the Port ID
 spanning-tree vlan [vlan] port-priority [0-240, multiples of 16]

- show spanning-tree interface [int] detail
- show spanning-tree vlan [vlan] detail

Why is priority always in increments of 4096?
With the extended system ID (802.1t) the 16-bit priority field is split: the top 4 bits hold the bridge priority and the low 12 bits hold the system ID extension (the VLAN). Only 4 bits are left for the priority, so it can take just 16 values, each a multiple of 2^12 = 4096.
Setting the lowest of those 4 bits alone gives 4096, the next gives 8192, and so on up to 61440.
The extended system ID value is added to the bridge priority value in the BID to identify the priority and the VLAN of the BPDU.

Port ID = port priority (4 bits, multiples of 16) + port number (12 bits)
Default port priority is 128.
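The encoding above as code, added as an example rather than taken from the original notes (the three switch MACs and the link costs are made up). It packs priority, extended system ID and MAC into the Bridge ID, priority and port number into the Port ID, elects the root among three switches in VLAN 10, and picks the root port on one of them from the BPDUs it hears, before and after the cost of its direct link to the root changes.

```python
"""802.1t Bridge ID and Port ID encoding plus root bridge and root port
selection on a constructed three-switch VLAN. Added example, not from the
original notes; MAC addresses and costs are made up."""
from dataclasses import dataclass
from typing import List


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """8-byte BID: 4-bit priority (multiple of 4096) + 12-bit extended system
    ID (the VLAN) in the top 16 bits, then the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)   # accepts aa:bb:.. or aaaa.bbbb.cccc
    return ((priority + vlan) << 48) | mac_int


def split_bridge_id(bid: int):
    """Reverse of bridge_id: (priority, vlan / sys-id-ext, mac as int)."""
    upper = bid >> 48
    return upper & 0xF000, upper & 0x0FFF, bid & 0xFFFFFFFFFFFF


def port_id(port_number: int, priority: int = 128) -> int:
    """16-bit Port ID: 4-bit priority (multiple of 16, default 128) + 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number out of range")
    return ((priority // 16) << 12) | port_number


def elect_root(bids: List[int]) -> int:
    """Lowest BID wins: priority first, then sys-id-ext, then MAC."""
    return min(bids)


@dataclass
class Bpdu:
    local_port: int        # Port ID of the port this BPDU arrived on
    root_path_cost: int    # sender's advertised cost to the root
    sender_bid: int
    sender_port: int       # sender's Port ID
    link_cost: int         # our own cost on the receiving link


def choose_root_port(bpdus: List[Bpdu]) -> int:
    """Root port = lowest (cost to root via this port, sender BID, sender Port ID,
    own Port ID), the same tuple order used for the designated port election."""
    return min(bpdus, key=lambda b: (b.root_path_cost + b.link_cost, b.sender_bid,
                                      b.sender_port, b.local_port)).local_port
```

Two points fall out: a priority of 4096 beats a lower MAC because the priority bits sit above the MAC in the comparison, and show spanning-tree prints 32778 for a default-priority bridge in VLAN 10 because priority and sys-id-ext are one 16-bit field.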

STP Timers
Timers affect the transition between port states
  - set only on the root bridge; other bridges use the values from the root's BPDUs

Hello
  - how often configuration BPDUs are sent
  - defaults to 2 sec

Max Age
  - how long to wait in blocking state without hearing a BPDU before acting on it
  - defaults to 20 sec

Forward Delay
  - how long to wait in each of the listening and learning states (learning is where the CAM table is built)
  - defaults to 15 sec

Note: in 802.1D STP (CST and PVST+) only the root bridge generates configuration BPDUs; the other bridges relay them downstream from the root towards the leaves.
Worst case convergence time for STP is 50 sec (20 s max age + 2 x 15 s forward delay)
Timers are set on the root bridge only:

Changing STP Timers
 - spanning-tree vlan [vlan] hello-time
 - spanning-tree vlan [vlan] forward-time
 - spanning-tree vlan [vlan] max-age

 - show spanning-tree vlan [vlan]

 Advanced STP features
PortFast (direct from blocking to forwarding)
-edge ports shouldn't be subject to forward delay
-also affects TCN generation

UplinkFast
-a direct root port failure should reconverge immediately if an Alternate port is available

BackboneFast
-indirect failures should start recalculating immediately instead of waiting out max age

On a topology change (TCN) the CAM aging time is temporarily reduced to the forward delay (15 s) so stale entries are flushed quickly.

Default CAM aging time is 300 sec

A PortFast port is also called an edge port.

A PortFast interface does not generate TCNs and is not subject to forward delay, so the CAM table is not flushed and unknown-unicast flooding is cut down. PortFast does not disable STP: the switch still sends and listens for BPDUs, and if a BPDU is received the port takes itself out of edge/PortFast status. So if an end device (e.g. a router) needs to run STP, the switch port that receives its BPDUs leaves edge mode on its own.

Instead of configuring PortFast on every interface, spanning-tree portfast default enables it on all access ports (equivalent to spanning-tree portfast under int range fa0/1 - 24, g0/1 - 2); the switch then works out which ports stay edge ports based on whether BPDUs arrive.

PortFast is not enabled on trunk links by default (spanning-tree portfast trunk is needed); a trunk that goes down and comes back up therefore generates a TCN.

spanning-tree uplinkfast is configured on the single (access) switch whose uplinks it protects

spanning-tree backbonefast must be configured on all switches
These features are used for faster convergence, so we do not have to wait out max age.
Even with them convergence is around 30 sec, which is not good enough; RSTP (802.1w) addresses this.

BPDU Filter:
-drops STP packets as they come into or go out of the interface, i.e. filters BPDUs in and out
-can be configured per interface or globally. If configured on an interface, STP is disabled on that interface; if configured globally, STP is disabled on all interfaces. Typically used at the access layer. Mainly used to avoid L2 attacks.
spanning-tree bpdufilter enable. It's like a passive interface. A disadvantage: when a router connected to this switch wants to run STP, the router will send BPDUs but the switch will not receive them.

BPDU Guard
-if a BPDU is received, shut the port down. The link is put in err-disable and will not come out of it until the err-disable recovery timeout or it is manually brought up.

Root Guard
-if a superior BPDU is received, shut the port down.

Loop Guard & UDLD
-prevent unidirectional links
Typically in the case of a fiber network, where the send channel might be working but the receive channel is not: one physical strand carries transmitted traffic and the other carries received traffic, and it is possible for one to work while the other is broken. In STP, if we are able to send BPDUs but not receive them, max-age times out and the port moves from blocking to forwarding, since it no longer receives BPDUs from the other end and makes itself Designated. Both switches may then elect Designated ports and both interfaces end up forwarding. This violates STP, but STP will not detect it since it is an L1 issue. The solution is Loop Guard and Unidirectional Link Detection.
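The protection features listed above (BPDU Filter, BPDU Guard, Root Guard, Loop Guard) are easiest to compare by watching how one port reacts to the same two events: a BPDU arriving, and max-age expiring with no BPDU heard. The model below is an added example written for these notes; it is not Cisco IOS code or anything from the original post. Port names, bridge IDs and the evaluation order of the features are constructed assumptions, and BPDU Filter is modelled only in its per-interface form (STP off on that port), as the notes describe it.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Bpdu:
    """Only the fields needed to judge superiority (constructed, simplified)."""
    root_bid: int      # root bridge ID claimed by the sender; lower is better
    sender_bid: int    # bridge ID of the sender


@dataclass
class Port:
    name: str
    current_root_bid: int          # root this switch currently believes in
    portfast: bool = False         # edge port
    bpduguard: bool = False        # spanning-tree bpduguard enable
    bpdufilter: bool = False       # per-interface spanning-tree bpdufilter enable
    rootguard: bool = False        # spanning-tree guard root
    loopguard: bool = False        # spanning-tree guard loop
    role: str = "designated"       # 'designated', 'root' or 'alternate'
    state: str = "forwarding"      # 'forwarding', 'blocking', 'err-disabled',
                                   # 'root-inconsistent', 'loop-inconsistent'
    log: List[str] = field(default_factory=list)

    def receive_bpdu(self, bpdu: Bpdu) -> str:
        """React to one incoming BPDU.  Evaluation order is an assumption of
        this model: the filter discards before anything else is consulted."""
        if self.bpdufilter:
            self.log.append(f"{self.name}: BPDU discarded by bpdufilter")
            return self.state
        if self.bpduguard:
            # any BPDU on a guarded edge port: err-disable until the recovery
            # timeout or a manual shut/no shut
            self.state = "err-disabled"
            self.log.append(f"{self.name}: bpduguard -> err-disabled")
            return self.state
        if self.portfast:
            # the default defence from the notes: an edge port that hears a
            # BPDU silently drops its edge status and runs normal STP
            self.portfast = False
            self.log.append(f"{self.name}: BPDU heard, portfast removed")
        if self.rootguard and bpdu.root_bid < self.current_root_bid:
            # a superior BPDU would turn this into a root port: block instead
            self.state = "root-inconsistent"
            self.log.append(f"{self.name}: rootguard -> root-inconsistent")
        return self.state

    def max_age_expired(self) -> str:
        """No BPDU heard for max-age.  On an alternate (blocking) port plain
        STP assumes the upstream bridge is gone and forwards, which is exactly
        the unidirectional-link failure described in the notes; loop guard
        holds the port instead.  A root-inconsistent port recovers here, once
        the superior BPDUs have stopped."""
        if self.state == "root-inconsistent":
            self.state = "forwarding"
            self.log.append(f"{self.name}: superior BPDUs stopped, rootguard cleared")
        elif self.role == "alternate":
            if self.loopguard:
                self.state = "loop-inconsistent"
                self.log.append(f"{self.name}: loopguard -> loop-inconsistent")
            else:
                self.role, self.state = "designated", "forwarding"
                self.log.append(f"{self.name}: forwarding on a silent link (possible loop)")
        return self.state


def demo() -> dict:
    """Run the features against constructed events; returns the final states."""
    access = Port("Fa0/1", current_root_bid=100, portfast=True, bpduguard=True)
    access.receive_bpdu(Bpdu(root_bid=200, sender_bid=300))   # unexpected switch on an access port

    uplink = Port("Gi0/1", current_root_bid=100, rootguard=True)
    uplink.receive_bpdu(Bpdu(root_bid=50, sender_bid=50))     # superior BPDU from the wrong side

    fiber = Port("Gi0/2", current_root_bid=100, loopguard=True,
                 role="alternate", state="blocking")
    fiber.max_age_expired()                                   # receive strand went dark

    unguarded = Port("Gi0/3", current_root_bid=100, role="alternate", state="blocking")
    unguarded.max_age_expired()                               # same failure, no loop guard

    return {p.name: p.state for p in (access, uplink, fiber, unguarded)}
```

The `log` list on each port is what you would look for in the real `show spanning-tree` and syslog output: the unguarded Gi0/3 ending up forwarding is the loop the notes warn about, and the other three ports stop short of it in three different inconsistent states.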

Multiple Spanning-Tree Protocol
IEEE (802.1s) response to PVST/PVST+
-supports Rapid STP (802.1w)

Instances are separate from VLANs
-PVST+ uses one instance per VLAN
-MST uses definable instances

Highly scalable
-switches with the same instances, configuration revision number, and name form a "region"
-different regions see each other as virtual bridges

The disadvantage of per-VLAN STP (PVST+) is more overhead: if there are multiple VLANs on the same physical interface, we need a separate STP instance for each VLAN.

MST Path Selection
Same election process as CST/PVST
Root Bridge
-lowest BID

Root port
-lowest cost
-lowest upstream BID
-lowest portID

Changing MST Root Bridge Election
Manually change BID priority
-spanning-tree mst [instance] priority
-lower is better

Use root bridge macro
-spanning-tree mst [instance] root [primary | secondary]
-sets local priority based on current Root Bridge

-show spanning-tree mst [instance]
-show spanning-tree root

Note: with RSTP we need not configure UplinkFast and BackboneFast; they are enabled by default.
Typically we want the root bridge somewhere in the core.
In the case of MST the sys-id comes from the MST instance number.
RSTP is automatically enabled when we turn on MST.
The MST0 instance is used for inter-region operability. MST interacts with PVST+ through MST instance 0, i.e. MST0.
The role of VTP in MST is to advertise the instances between neighbors.

Changing an MST Port's Role
Modify the port's cost
-spanning-tree mst [instance] cost
-bandwidth [bps]

Modify the Bridge ID
-spanning-tree mst [instance] priority

Modify the port ID
-spanning-tree mst [instance] port-priority

-show spanning-tree interface [interface] detail
-show spanning-tree mst [instance] detail
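The election rules from "MST Path Selection" and the three knobs from "Changing an MST Port's Role" (cost, bridge priority, port priority) all act on the same comparison, so one worked election shows how each of them moves the result. The code below is an added example for these notes, not Cisco's implementation: it builds Bridge IDs the way the notes describe them (priority, then the instance number as the extended system ID, then MAC), mirrors what the `root primary` macro does to the local priority, and picks a root port by cost, then upstream BID, then port ID. Switch names, MAC addresses, costs and port numbers are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List


def bridge_id(priority: int, sys_id_ext: int, mac: int) -> int:
    """Build a 64-bit Bridge ID: 4-bit priority (multiple of 4096) | 12-bit
    extended system ID | 48-bit MAC.  The extended system ID is the VLAN
    number in PVST+ and the instance number in MST.  Lower value wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= sys_id_ext < 4096:
        raise ValueError("extended system ID must fit in 12 bits")
    return ((priority + sys_id_ext) << 48) | (mac & 0xFFFFFFFFFFFF)


def root_primary_priority(current_root_priority: int) -> int:
    """Priority the 'root primary' macro picks for the local switch: 24576 if
    that beats the current root, otherwise 4096 below the current root."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        raise ValueError("current root already uses priority 0; cannot go lower")
    return current_root_priority - 4096


def elect_root(bids: Dict[str, int]) -> str:
    """Root bridge for one instance: the switch with the lowest BID."""
    return min(bids, key=bids.get)


def port_id(port_priority: int, port_number: int) -> int:
    """16-bit port ID as changed by 'spanning-tree mst <instance> port-priority':
    4-bit priority (shown as 0..240 in steps of 16) followed by the port number."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    return (port_priority << 8) | (port_number & 0xFFF)


@dataclass(frozen=True)
class Candidate:
    """One upstream BPDU heard on a local port of the switch doing the election."""
    local_port: str
    root_path_cost: int     # sender's advertised cost + cost of the local port
    upstream_bid: int       # sender's Bridge ID
    upstream_port_id: int   # sender's port ID


def select_root_port(candidates: List[Candidate]) -> str:
    """Root port: lowest root path cost, then lowest upstream BID, then lowest
    upstream port ID (the 'port ID' tie-breaker in the notes).  A tie beyond
    that only arises with several links to the same upstream port, e.g. through
    a hub, and is broken by the lowest local port ID (not modelled here)."""
    best = min(candidates,
               key=lambda c: (c.root_path_cost, c.upstream_bid, c.upstream_port_id))
    return best.local_port


def demo() -> Dict[str, str]:
    """Constructed three-switch MST instance 1: default priorities, then the
    root macro on SW3, then a cost change on one of SW2's ports."""
    macs = {"SW1": 0x00000C000001, "SW2": 0x00000C000002, "SW3": 0x00000C000003}
    bids = {sw: bridge_id(32768, 1, mac) for sw, mac in macs.items()}
    default_root = elect_root(bids)                      # equal priority: lowest MAC wins

    # 'spanning-tree mst 1 root primary' on SW3: root is at 32768, so SW3 takes 24576
    bids["SW3"] = bridge_id(root_primary_priority(32768), 1, macs["SW3"])
    new_root = elect_root(bids)

    # SW2 hears the root (SW3) directly on Gi0/1 and via SW1 on Gi0/2 at equal
    # cost; the tie falls through to the upstream BID, so Gi0/1 wins
    heard = [
        Candidate("Gi0/1", 20000, bids["SW3"], port_id(128, 1)),
        Candidate("Gi0/2", 20000, bids["SW1"], port_id(128, 2)),
    ]
    root_port_before = select_root_port(heard)
    # 'spanning-tree mst 1 cost 10000' on SW2's Gi0/2 lowers that path's cost
    heard[1] = Candidate("Gi0/2", 10000, bids["SW1"], port_id(128, 2))
    root_port_after = select_root_port(heard)
    return {"default_root": default_root, "new_root": new_root,
            "root_port_before": root_port_before, "root_port_after": root_port_after}
```

Two things the demo makes concrete: the instance number sits in the BID, so the same switch can have a different priority, and hence be root, per MST instance; and a cost change outranks any BID or port-priority difference, which is why cost is the first knob to reach for when steering a root port.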

Rapid Spanning-Tree Protocol
Rapid convergence based on the sync process
Enabled through:
-spanning-tree mode mst
-spanning-tree mode rapid-pvst

Sync process only occurs on point-to-point non-edge ports
-implies link-type must be accurate
-spanning-tree link-type [point-to-point|shared]
-spanning-tree portfast

Root ---> downstream
upstream ---> Root

If links are not point-to-point (i.e. full duplex), the proposal process will not happen, especially when the link is connected to a hub. In that case we have to use legacy STP.

So the requirement is that links between switches are point-to-point non-edge ports, and all other interfaces, connected to end hosts, are defined as edge ports with the portfast command, as in STP.

PortFast in STP is equivalent to an edge port in RSTP.
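To make the "50 sec worst case" at the top of these STP notes and the RSTP sync requirement above comparable, the added example below (written for these notes, not taken from the post or from Cisco) computes the legacy timer-driven worst case, checks that a changed timer set still satisfies the relationship IOS enforces on the root bridge, and then walks a constructed topology the way the RSTP proposal/agreement cascade does: point-to-point non-edge links converge by handshake, edge ports forward at once, and a shared link (a hub) falls back to the forward-delay timers. Node names, link types and the topology are constructed assumptions.

```python
from typing import Dict, List, Tuple


def validate_timers(hello: int, max_age: int, forward_delay: int) -> bool:
    """Relationship IOS enforces when the timers are changed on the root bridge
    (802.1D): 2*(hello+1) <= max-age <= 2*(forward-delay-1).  Raises otherwise."""
    if not 2 * (hello + 1) <= max_age <= 2 * (forward_delay - 1):
        raise ValueError("need 2*(hello+1) <= max-age <= 2*(forward-delay-1)")
    return True


def legacy_worst_case(max_age: int = 20, forward_delay: int = 15) -> int:
    """Indirect failure under 802.1D: wait max-age for the stale BPDU to expire,
    then listening and learning (one forward delay each) before forwarding."""
    return max_age + 2 * forward_delay


# (upstream node, downstream node, link type, downstream port is an edge port)
Link = Tuple[str, str, str, bool]


def rstp_sync(root: str, links: List[Link], forward_delay: int = 15) -> Dict[str, int]:
    """Walk the tree from the root the way the sync cascades.  On a
    point-to-point non-edge link the designated port sends a proposal; the
    downstream bridge puts its other non-edge designated ports in discarding
    (sync), replies with an agreement, and both ends forward without timers.
    An edge port forwards at once and is never synced.  On a shared link there
    is no handshake, so the designated port waits 2 x forward-delay.
    Returns seconds until each node's upstream link is forwarding."""
    by_upstream: Dict[str, List[Link]] = {}
    for link in links:
        by_upstream.setdefault(link[0], []).append(link)
    ready = {root: 0}
    pending = [root]
    while pending:
        up = pending.pop()
        for _, down, link_type, edge in by_upstream.get(up, []):
            if edge or link_type == "point-to-point":
                delay = 0                      # edge, or proposal/agreement
            elif link_type == "shared":
                delay = 2 * forward_delay      # no handshake: legacy timers
            else:
                raise ValueError(f"unknown link type {link_type!r}")
            ready[down] = ready[up] + delay
            pending.append(down)
    return ready


def demo() -> Dict[str, int]:
    """Constructed topology: ROOT -> SW2 on a point-to-point link, SW2 -> SW3
    through a hub (shared), one host on an edge port of each switch.
    The hub alone adds a full 30 s to everything behind it."""
    topo: List[Link] = [
        ("ROOT", "SW2", "point-to-point", False),
        ("SW2", "SW3", "shared", False),
        ("SW2", "HostA", "point-to-point", True),
        ("SW3", "HostB", "point-to-point", True),
    ]
    return rstp_sync("ROOT", topo)
```

Run `demo()` and compare with `legacy_worst_case()`: the same failure that costs 50 s under 802.1D costs nothing on the point-to-point part of the tree, and exactly the 2 x forward-delay that the notes attribute to hubs on the shared segment. This is also why `spanning-tree link-type` must be accurate: a half-duplex or misdeclared shared link silently puts the whole subtree behind it back on timers.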