Switching Notes

Switching Notes

GENERAL STUFF
Cisco Switching Products To know traffic patterns… Important requirements in new campus intranet at L2 & L3 3 Categories of services Good Design Practice CWSI (Via SNMP) RMON groups supported	Intranet/Campus network is a group or inter-connected LANs in the same geographical region & maintained by the same group of people. CDP available on all Cisco switches Plug & play Company investment protection End-to-end switching Scalable performance 1.Which resources are being accessed? 2.How much bandwidth are the applications using? 3.What parts of the network are being impacted & by how much? 4.Type of traffic being generated? (Broadcasts, multicasts, unicasts?) 1.Adapting to topology changes quickly 2.Reliability & redundancy in case of network failures 3.Being able to scale to a very .large size 4.Accommodate very large amounts of bandwidth 5.Ability to predict traffic patterns 6.Centralizing services & applications to ease administration 7.Handling increased amounts of broadcast & multicast traffic 8.Coping with traffic pattern change from 80/20 rule to 20/80 rule 9.Supporting a diverse group of routed & bridged protocols 80/20 rule changing to 20/80 due to Internet & central resources. Causes strain on L3 devices. Ways round this… 1.Mirror servers on right VLAN 2.Move users to same segment as users 3.Move applications to local server 1.Local – on same subnet. Does not pass through L3 device. 2.Remote – on another subnet. Needs to pass through L3 device. 3.Enterprise – accessed by entire company. Usually located near core block, so L3 used. Examine single points of failures – eliminate if possible Understand nature or traffic Work out bandwidth requirements Use hierarchical design Supported on all Cisco switches. Comprised of… 1.CiscoView – Pictorial view of switches 2.VLANDirector – Aids VLAN set-up 3.TrafficDirector – L2 statistical management 4.ATMDirector – Management of ATM components including LANE 5.ResourceManager – General tool for switch management 1.Statistics – port utilization & errors 2.History – gathers periodic statistics 3.Alarm – set thresholds for alarm events. 2 thresholds – rising/falling 4.Events – monitors logging of events on switch Probe card needed to use other 5 RMON groups *SPAN port can mirror traffic on other ports. Used as a "capture port" for an analyzer

HIERIARCHICAL DESIGN
Core layer Distribution layer Access layer Switch Block Size determined by… Core Block L3 at core (Diagram P64) Collapsed core Dual Core	High-speed L2 backbone between distribution layers Packets switched as fast as possible L3 should not be used at this level, no packet filters or access lists. L3 only if core becomes too large & has STP convergence problems Cisco suggest 6500/8500. 5500 & 9 port Gb card cheap alternative Demarcation between core & access layers All L3 functions including routing & security/access lists Connects to access switches to provide work-group/dept access Implements VLANs. Routes between VLANs L3 addressing & address summarization Translation between different media types Needs high-speed L3 switching or MLS or intra/inter-VLAN traffic Cisco recommends 6000 & 5500 switches. Can use 2926 with MLS (2926G needs ext. L3) User & server entry point Shared (hubs) or switched access Can include L3 devices to connect branch offices via FR, DDR etc. VLAN memberships defined MAC address filters can be applied Intelligent multicast filters Dedicated switched b/w for servers/power-users. Shared hubs for some. Small campus – 1900/2820. Shared & switched solution Medium campus – 2900/2900XL/3500XL. 250 users @ 10/100Mb. Gb up-links, stackable. Large campus – 4000. 96 users @ 10/100Mb. 36Gb ports. Good for high bandwidth users. Very large campus – 5000. Up to 100 users. Very versatile Comprises Access & Distribution layers L2 & L3 devices & functions Contains broadcast. A storm can only affect 1 switch block, not core Terminates one or more VLAN at distribution layer, including trunks STP terminates within switch block so any problems localized L3 devices need to be very quick – MLS desirable Usually at least 2 distribution layer devices for redundancy. Every access layer switch connects to each distribution layer device Should not exceed 200 devices Too large - excessive broadcast within block, excessive multicast leave block, high CPU. 1.Number of stations in workgroup 2.Traffic patterns of network devices 3.Number of users on each access layer switch 4.Amount of traffic leaving switch block & crossing the core 5.Amount of MLS required 6.Size of STP domain Comprised for core layer only Needed when you have 2 or more switch blocks Wire-speed L2 switching between Switch blocks & WAN blocks. Frames, packets or cells No high CPU processing/filters High redundancy, so at lease 2 Core Block devices High bandwidth Should not be flat design. Routers in Switch Block can load share across separate L3 paths OSPF/EIGRP etc required to load share Scalability issues with choice of routing prot, No of Block conn's Try not to interconnect Switch Block devices so STP not needed (up to 1 min blocking!) Sometimes needed, but expensive. Eliminates need for STP 1.Expensive 2.Eliminates need for STP 3.More efficient load-balancing & redundancy 4.Reduces no of peers Switch Block devices need to connect with. 2 connections/block (Limit - RIP = 15, OSPF/EIGRP = 25 blocks) Core & distribution functions combined into single device Suitable for small campuses. Can be just 2 MLS devices Redundant L2 core between switch blocks Provides equal-cost paths

PHYSICAL CONNECTIVITY
Fast Ethernet Gigabit Ethernet	Cat5 = 90m Punch-down – Punch-down Router – switch = straight cable Cabling is the most common problem in new networks MMF = 2Km SMF = 10Km used at all 3 layers 802.3u for auto-negotiation of speed & duplex 802.3u can communicate with non-802.3u 802.3u computability problems between vendors. Recommend fixed speed/duplex to fix 100BaseTX = 100m (copper) 100BaseT4 = 100m (copper) 100BaseFX = 400M (fiber) Based on ANSI X3T11 spec for ether-channel. 802.3z = 1000BaseX (Fiber) 802.3ab = 1000BaseT (copper) Gb at all 3 layers – access switch up-links, core-core & core-distribution devices Not for user conn's – processors can’t keep up. Only high-speed servers. 1000BaseT = 100m 1000BaseSX (MMF) = 250m *1000BaseLX (SMF) = 3Km (Cisco support 10Km)

VLANs
Network can be divided up on… Purposes of VLANs No. of VLANs dependant on… VLANs based on… End-to-end VLANs Local VLANs Dynamic VLANs, based on… Static VLANs Use Static VLAN when… Trunks Cisco's tagging protocols... ISL Header contains 802.1q Dynamic Trunking Protocol DTP	VLANs should terminate within switch block so b/c's don’t cross core. VLAN 1 default on all switches All switches should have IP addr on same VLAN to ease management 1.Port ID 2.MAC address 3.L3 address 4.Directory/application info 1.Ease adds/moves/changes 2.Enhance security 3.Allows parallel paths for load-balancing 4.Isolates problems in small part of the network 5.Removes physical boundaries 6.Allow application to run on different media types 7.Limits broadcasts 1.Intranet traffic patterns 2.Applications used 3.Size of switch-blocks (number of end stations) 4.L3 addressing scheme 1.L3 protocol 2.Groups, departments etc 3.Security needs 4.Applications used Users/servers on same VLAN, maybe not the same location/sw block Maintains 80/20 rule Users/servers on different VLAN but same location/switch block 20/80 rule Easier to plan & implement than end-to-end VLANs L3 devices used more so MLS recommended 1.MAC address 2.L3 address 3.L3 protocol type 4.Application type 5.Directory info stored in Novell NDS or Microsoft Active Directory Users automatically assigned when moved so saving costs etc Good for end-to-end VLANs CWSI or CiscoWorks able to maintain MAC address database DHCP can not really be used with IP based dynamic VLAN Problems with MAC-based dynamic VLAN as faulty PC/NIC often replaced or upgraded. Directory-based best. Easy to maintain Also known as Port-Based Membership Good for Local VLANs 1.You want tight control over adds/moves/changes 2.You don’t want to have to maintain a MAC address database 3.You have a package like CiscoWorks to aid manual port changes By default, a trunk carries all VLANs but can be pruned Trunk port expects device at other end to also understand trunking Server trunks puts server in several VLANs, saving L3 processing Trunks on exterior L3 devices saves connections/interfaces Trunks supported on Ethernet ports of 100Mb plus only 802.1q – 4000 ISL – 1900/2820 Both – 5000/2900XL 1.Cisco ISL for Ethernet/Fast Ethernet 2.IEEE 802.1q for Ethernet/Fast Ethernet 3.Cisco 802.10 for FDDI 4.ATM Forum’s LANE ISL NIC cards created illusion of several "logical" NICs. Cisco proprietary but supported on other vendor’s NIC cards NICs use ASICs & are more expensive Original frame not modified. 26byte header, 4byte CRC trailer added 1.Source/destination MAC addresses 2.Frame type (ethernet, FDDI, TR, ATM) 3.Frame priority 4.Frame length 5.VLAN number(s) Generic on all vendor’s switches Original frame modified. Frame size unchanged, CRC re-generated. Cisco proprietary Replaces earlier DISL Negotiated of both ports support both ISL & 802.1q trunking *Both sides must support same protocols

VTP
(Glue that binds VLAN & trunks together) VTP shares… VTP Benefits… Servers Clients Transparent Adding a new switch… Advert types… Adverts contain… Version 2 additional features… Pruning (Disabled by default)	VLANs need switches, routers & VTP Allows VLANs to exist on different media types. A broadcast generated on an ethernet segment will automatically be propagated to an FDDI segment on the same VLAN Allows VLAN info to be shared between switches/router/end stations Dynamic updating of added VLANs across whole network Not needed for a single VLAN network A management protocol between devices communicating over trunks Each domain has unique name Info shared within domain only. Ignored if sent from another domain Each device can be in one domain only Switches in same domain advertise to each other on trunks Info stored in own NVRAM. Erasing switch config will not remove Switch reset will reset config revision number to zero Revision number in advert lets switch know if info contains change & database needs updating. If revision higher that that running, switch over-writes with new info Adverts sent downstream away from STP root device Client sends advert when reset or when wanting to learn new VLANs All switches in domain VTP V1 (def't) or V2. Not compatible! If no domain set up, all switches in transparent mode 1.ISL/802.1q VLAN Ids 2.ATM LANE names 3.FDDI SAID values 4.MTU sizes 5.Frame format of tagging used 1.Consistent VLAN implementation 2.Less configuration required when making changes 3.MD5 security on domain passwords 4.Mixed-media VLANs 5.All switches have knowledge of all VLANs Changes made to VLAN config & passed on to other servers/clients Uses multicasts to advertise Accepts changes from servers but no changes directly Database not held in NVRAM. Switch reset will erase & will need to reload from a server Do not participate in domain but pass on adverts Can hold their own database which is not advertised 1.Erase existing switch config 2.Reset switch 3.Configure VTP settings in client mode initially 4.Connect to existing network 1.Summary – Server sends every 5mins on VLAN1, sync all d/b's 2.Subset – Server sends detailed info concerning a specific VLAN 3.Request – From client or server seeking info 1.ISL/802.1q VLAN numbers, ELAN names, 802.10 SAID values 2.Domain name 3.Config revision number 4.VLAN MTU sizes (Subset) 5.Frame format (Subset) 6.MD5 key if passwords used 7.Sending switch ID 1.Support for Token Ring 2.Forwards & saves unrecognized type lengths 3.Passes message even if name/ver/password don’t match. V1 drops 4.Checks consistency of new VLANs, checks names & numbers Dynamically removes VLANs from trunks where destination has no ports assigned Dynamically adds again of port later added Superior to manual pruning on each trunk Need to enable on one server only for whole domain *Without pruning, every b/c sent out on every trunk in network!

INTER-VLAN ROUTING
VLAN planning considerations… External RP Needs… Internal RP Needs… RSM RSFC & MSM	RP can switch info between logical subnets/VLANs or physical I/Fs HSRP means users can have on default G/W but still get redundancy Trunking to external RP cuts down number of required interfaces 1.L3 addressing scheme 2.How many VLANs 3.Types of inter-VLAN traffic 4.Quantity of inter-VLAN traffic 5.Required redundancy 6.Choice of routing protocols 7.L3 convergence issues 8.Load balancing at L3 Advantage – may already have h/w. Just IOS upgrade & NFFC needed. 1.Cat 5000 with NFFC or NFFC2 2.7500, 7200, 4700, 4500, IOS V11.3.4 with MLSP s/w option For trunking - 3600 or above, for L3 switching – 4500 or above Both L2 & L3 components built into switch Cat 5000 with NFFC & RSM or RSFC, or Cat 6000 with MSM Basically a 7500 on a card Switch thinks RSM is Ethernet port to a RP. Actually a "logical" port Any slot in 5500 except 1 or 13 Up to 7 RPs in one chassis 256 VLANs/RP 2 back-plane conn.s using VLAN 0 (RP-SE comms only) & VLAN 1 Half VLANs added to one conn, half to other. Can manually assign. 2 sets of MAC addresses.1^st stored in ROM & used on VLAN 0 port. One MAC out of 512 chosen to be MAC address of ALL VLANs Can select a unique MAC for each VLAN. Helps performance of… 1.1900/2820 2.MLS 3.Fast Ether Channels & load-balancing RSFC is a daughter board that plugs into supervisor card *MSM on 6000 connects via up to 4 x Gb/channelized trunk

MULTI-LAYER SWITCHING (MLS)
"Route one, switch many" Need to configure MLS if… MLS components MLS hello/adverts contain… Multicasts Info… XTAG MLS requirements for Ext. RP… MLS requirements for Int RP… CGMP Initial packet Further packets Flow Masks Types…	L4S handles TCP/UDP ports and L3 sourse/dest addr's - sockets L3S & L4S both use high-speed ASICs for switching, not CPU L3S & L4S both handle all traditional router functions. E.g. filtering. L4S uses large amounts of mem tracking many sockets/end station. L4S ASICs cheaper than router but can only handle limited protocols & media. Cisco MLS IP/IPX only. Up to IOS V12, IP only Multi-layer Switch (MLS) L2S, L3S, L4S in same box. MLS will route first packet, switch rest. Route Once, Switch Many MLS no difference in performance with L2S, L3S or L4S Tracks sockets & re-writes L2 frame to switch directly to L3 dest. NFFC performs re-writing process. Daughter card on Supervisors Not the same as NetFlow implemented on many Cisco Routers To work, switch must be able to see flow both to & from the RP Separate entries for traffic from end-station & traffic to end-station Move end-station to a new port & DB entry will be purged/re-learned If CAT supports MLS with int RP, MLS enabled by default, no config 1.RP external 2.You want to adjust timer 1.MLS-RP (route processor) 2.MLS-SE (switch engine) 3.MLSP – MLS protocol. All Cisco devices use Cisco MLSP MLS-RP routes first packet & passes info to MLS-SE including… 1.MLS configuration info 2.MAC addresses 3.VLAN info 4.Routing updates 5.Access List changes When SE switches on MLS, listens for MLSP messages immediately SE will process messages but also forward them to other switches When RP turns on MLS, sends MLSP hello/ad's to SEs every 15secs Hellos let SE know RP alive & also pass changes & L3 info SE will record VLAN/port MLSP messages rx’d on & add RP MAC addr to CAM 1.MAC address of route processor 2.Additions/deletions/changes info 3.Filter/access list info 1.Flow mask info 2.Name(s) of VTP domain(s) 3.Statistical info 4.Number of management interface(s) 5.Number of VLANs & their IDs 6.Number of SEs & their MAC addresses 7.MLS IP of RP ( a MAC & IP address from one of it’s interfaces) Each RP that SE rx MLSP from give unique ID – a one byte header All entries in MLS DB tagged with XTAG ID of RP responsible for it If a RP dies, easy to purge MLS entries form DB with that XTAG ID Router – 4x00, 7x00, 85x0 with IOS 11.3(2)WA4(4) or later Switch – 2926G, 4006, 5000 ,6000 with s/w 4.1(1) or later Supervisor – 2, 3, 3F with NFFC or 2G or 3G (built in NFFC) Connection – Trunk or multiple ethernet/FE links of individual VLANs Router – 5000RSM or RSFC, or 6000MSM or MSFC Switch – 2926G-L3, 4908-L3, 5000 ,6000 with s/w 4.1(1) or later Supervisor – 2, 3, 3F with NFFC or 2G or 3G (built in NFFC) Cisco Group Management Protocol MLS uses CGMP multicast address to share info between RPs & SEs Switch checks DB. If no socket entry, passes to RP RP processes & sends back to switch on destination VLAN Switch checks DB again. This time a new entry made recording… 1.Destination MAC address 2.Source/destination IP address 3.Source/destination protocol/port (socket info) 4.XTAG number of RP Frame also forwarded to destination unchanged Switch checks DB & finds entry Destination MAC changed from that of RP, to destination end-station Frame re-written to look exactly like to cam from the RP Frame switch directly to dest end-station port, bypassing the RP DB entry remains while traffic flows. Removed after timeout period MLSP message from RP tells SE which mask based on access-lists Unused fields in mask filled with a "0" Cache emptied if new mask received Can't use Established/log/reflexive access-list commands with MLS. 1.Dest. Mask. Default, least specific. 1 entry/dest. No access-lists 2.Source/Dest Mask. 1 entry/source-dest pair. Standard access-lists 3.IP Flow Mask. 1 entry per socket. Extended access-lists

HSRP
Non-HSRP Gateway Discovery Problems 3 op-codes/message types Info in HSRP multicast messages HSRP RP status	HSRP Cisco proprietary Quick fail-over – RPs contently monitor each over within group Virtual g/w have virtual IP & MAC addresses Up to 255 RPs per group, up to 255 groups per LAN Only primary RP in group actually forwards packets Each VLAN needs it’s own group Default group priority = 100. Highest=Prim, 2nd highest=standby. Highest IP address if priorities equal Only one active & standby RP. Others in group just listen to "hellos" Virtual MAC 0000.0c07.acXX, XX = group no in hex, 07.ac = HSRP’s well-known m/c addr Default Hello interval 3secs & hold-down time 10secs (at least x3) *Keep interface shut until configured to stop end-stations learning real MAC address via ARP 1.IRDP. ICMP Router Discovery Protocol. RP with IRDP configured sends out multicasts that announce it’s existence (every 5 - 10mins). Can take up to 30mins for fail-over 2.Proxy-ARP. Fails if RP fails. End station may re-do but not usually. 3.Routing protocol e.g. RIP. Slow convergence. Most end-stations don’t support. Additional overheads 1.Hello – sent by active & standby RPs only 2.Resign – RP wishes to stop being active/standby 3.Coup – RP wishes to become active/standby 1.HSRP version in use 2.Op-code/message type 3.HSRP state 4.Hello interval (default 3 seconds) 5.RP group priority 6.Group number (0 – 255, default = 0) 7.Authentication password if used 8.Virtual IP address 1.Initial – RP reset & enabled. Not doing anything yet. 2.Learning – RP tries to find active & standby RPs 3.Listening – active/standby found. State unchanged if not to be active. 4.Speaking – Transmits multicasts to take part in election process 5.Active – RP becomes active RP for HSRP group 6.Standby – RP becomes standby RP for HSRP group

SECURITY
Distribution Layer Security Controlling routing updates 1. Route summarisation 2. Distribution Lists Access Layer Security Network Device Security	Port security on switches or access-lists on inter-VLAN routers Port security based on MAC addr inflexible as MAC often changes No security tools to be employed at the core Security policy defines appropriate use of N/W resources. Includes... 1.Resources user may access on a specify VLAN 2.Resources user may access on his/her switch-block 3.Resources user may access on another switch-block or on the core 4.Network devices (RP, SE, sever, even end stations) user may manage Most policies put here Filters any switch-block data not needing to pass to another block Inter-VLAN traffic filtered here Defines services to be accessed inside/outside own switch-block Routing updates controlled All achievable using access-lists Standard access-list less proc than extended. Use when possible Prevents incorrect or less desirable routes propagating Removes from tables entries users do not need to use or know about Decreases table sizes Reduces table sizes Localizes changes to routing tables. If a specific n/w fails in switch-block, summarized route in core will be unchanged. Controls which network numbers advertised or accepted Uses standard access lists Creation of VLANs Port security on switches – source MAC address. "Port Lockdown" If MAC address not specified, MAC of first frame used. Routers, switches, servers, sometimes end-stations Devices should be locked in secure room to restrict OOB access TACACS+ can be used to give greater p/w control & centralization. *Session timeout in minutes except for 2900xl/1900/2828 in seconds

SPANNING TREE PROT - STP
Bridges Bridge Functions STP STP Functions STP Components1.Bridge Identifiers 2.Path Cost 3.Port Priority 4.BDPUs – contain… Root Port (Diagram P196) Designated Bridge & Port Forwarding or Blocking Port Status (in order) Convergence Issues Delays CST PVST PVST+ Improvements on normal PVST Influencing choice of Root Path	Unknown, broadcasts & multicasts forwarded to all ports "Transparent" bridge because invisible to end-stations Learned MAC addresses & associated ports stored in CAM table If already there, aging-timer reset CAM automatically reset of station moved Plug & play 1.Making forwarding decisions based on MAC address 2.Learning where stations reside 3.Removal of loops IEEE 802.1d based on DEC standard. Not compatible Self-configuring Removes loops in bridged redundant network BDPUs Bridge P/C Data Units advertise a bridge, config & changes STP algorithm re-run if a cost changes or a segment/device in/out Invisible to end stations STP guarantees loop-free N/W, but not necessarily optimal Root determines timer values for all bridges 1.Detection/illumination of loops 2.Able to automatically detect failed active paths & utilize alternative 3.User can adjust parameters to fine tune performance Each bridge has unique identifier for the election of the root bridge When STP starts, one of first tasks is to elect root Made up of 2-byte Bridge Priority & 6-byte MAC address By default all bridges have same priority so lowest MAC wins Can manually select root by lowering Bridge Priority Inverse of bandwidth of port Lowest accumulated cost to root preferred If 2 identical path costs to root exist, lowest port priority chosen. IF priorities also the same, lowest numbered port on bridge wins 1.Protocol Identifiers 2.Version (set to zero) 3.Message type (set to zero) 4.Flags – signals topology change or acknowledgement to a change 5.Root Identifier – MAC of root bridge 6.Root Path Cost 7.Bridge Identifier 8Port Identifier – Port BDPU left from 9.Message Age – last time root sent out a BDPU 10.Max Age – age at which info removed from DB & STP re-run 11.Hello time – BDPU interval 12.Forward Delay After root selected, each bridge selects the best port to reach it (lowest accumulated cost) All frames forwarded this way After root selected, each LAN segment chooses a bridge & port to reach it. Again lowest cost All frames forwarded this way Any root & designated port put into forwarding. The rest blocking 1.Blocking. Listens to BDPUs only 2.Listening. Listens to BDPUs & frames to decide best path to root 3.Learning. Puts source addresses in CAM table 4.Forwarding. Port functions normally 5.Disabled. Additional status. Port shutdown or faulty/down Delays as BDPUs propagate across network Algorithm based on N/W diameter of 7 bridges & hello of 2 secs Max aging time therefore 20secs & forwarding delay time 15secs Blocking – Listening = 20secs Listening – Learning = 15secs Learning – Forwarding = 15secs Decreasing these values may speed up algorithm but may also not give BDPUs time to propagate & therefore mess up STP altogether. Should increase timers only. Common/Mono Spanning Tree. One instance of STP for whole N/W Generic 1 root bridge Sits on management VLAN (VLAN1 default) Good - 1 set of BDPUs so low overheads Good - Changes tracked for 1 VLAN only Bad - Sub-optimal paths likely Bad – Convergence a problem as network grows Per VLAN Spanning Tree. Each VLAN has own STP running Proprietary to Cisco. Solves problems with CST Port blocking per VLAN. If no port assigned to VLAN further down tree, port blocked Root bridge per VLAN Good - Increased scalability, decreased convergence Good - STP tunable for each VLAN for optimal paths Good – Stable. Link failures in other VLANs won’t trigger re-learn Bad – more BDPUs Bad – complex to configure Used in mixed-vendor network PVST & CST both supported at once Automatically detects CST & VPST, makes appropriate adjustments Proprietary to Cisco 1.Can tunnel PVST BDPUs across 802.1q trunks 2.Can check for VLAN & port inconsistencies 3..Puts port in blocking mode if inconsistent BDPU received 1.Path cost .#1 factor 2.Port cost. Accumulate to form Port Cost 3.Port Priority. #2 factor used if Path Costs equal 4.Lowest port number. #3 factor if Path Costs/Port Priority equal Take care not to produce sub-optimal paths when adjusting values Port Cost = 1000/speed in Mb (some vendors calculate cost differently!). Range 1-65,535 1Gb = 1 100Mb = 10 10Mb = 100 *10/100 port usually read as 100M even when running at 10M. Needs manual adjustment.

STP ENHANCEMENTS
EtherChannel PagP Rules for Channelling to Occur VLAN Load-Balancing on Trunks PortFast UplinkFast Requirements… BackBoneFast	STP treats as one conn. If one channel link fails, STP doesn’t see it. Single link fails & packets re-routed to another very quickly Up to 4 fastethernet ports or 2 Gb ports Port Aggregation Protocol allows dynamic creation of channels between switches. 4 modes – 1.On - Port forced to channel & PAgP frames sent 2.Off - Opposite of "On" 3.Auto – Will channel if other end initiates 4.Desirable – Seeks to become a channel if possible Channel formed if one end on/desirable & other on/desirable/auto 1.Ports enabled 2.Ports not in dynamic VLAN 3.Ports must be in same VLAN 4.Port security disabled 5.Port must be properly configured 6.Ports must be of same speed & duplex 7.Trunk protocols VLAN ranges must match 8.FE ports on same module & contiguous, GB ports on same module 9.Broadcast suppression must be configured as a % Used to load-balance prior to channeling Use STP to disable one redundant trunk for half of VLANs & the other trunk for the other half. Half the VLANs use one trunk, the others the other trunk. Both trunks then utilized. Change trunk port priority. Favored link taken below default of 32 Not true load balancing. One set of VLANs may be busier than other Finds ports that don’t have bridges or switches connected to them & removes them from STP PortFast ports go straight into forwarding mode. Add/removing port does not cause re-run of STP PortFast flushes CAM to stop comms while STP re-run Redundant path useable instantly route path fails, no 50sec wait. Recommended for access-layer switches only If you try & enable it on root switch, it will automatically be disabled 1.UplinkFast enabled on switches (default = off) 2.Switch must have one blocked port 3.Failed port must be route port for this switch Core & dist layer switches only, not on 1900/2820/2900XL Must be enabled on all core/distribution switches Generic extension of STP so supported by other vendors too. Like UplinkFast but able to detect remote link failure. An "inferior" BDPU received from neighbor on blocked port shows it to be both a designated & a root bridge at the same time. This can only mean that is has lost contact with the elected bridge. Since receiving bridge has connection to route, the port is unblocked to allow neighbor a new path to the root. If receiving bridge has also lost path to route, STP re-run *Path immediately placed into listening state without the blocking delay of 20 seconds, reducing convergence from 50secs to 30secs

MULTICASTS
Basic Issues..1. Multicast Addressing 2. Client Discovery 3. Forwarding Multicast Frames IGMP v1 Header… Joining using v1 Maintaining using v1 Leaving using v1 IGMP v2 (Default for IOS 11.3(2) plus) V2 Types Joining using v2 Maintaining using v2 f Leaving using v1 Distribution Trees.Used to ensure… Shared Distribution Trees (One tree only for whole n/w) Source-Based Distribution Trees Multicast Routing Protocols Types – Dense Mode DM DVMP Multicast OSPF (MOSPF) Sparse Mode SM PIM PIM-DM – use if… PIM-DM – use if… Multicasts & Switches… Controlling multicasts on switches (#1-3 not very practical, #4 used) CGMP	L2 & L3 process CGMP RPs talk to switches to discover ports where end-stations are. Traffic forwarded to these ports Multicast servers have no idea which end-stations are Rx their Tx's Can be received by 0 – millions of end-stations End-stations can join & leave dynamically End-station can participate in multiple groups simultaneously Best-efforts delivery like broadcasts Each application uses a different multicast address NICs told which addresses to look out for NIC can tell from L2 if frame needs to be sent to CPU for proc PC/servers must support RFC1112 & NICs need drivers for M/Cs SE/RPs must support IGMP, PIM, CGMP & DVMRP (for MBONE) Class D addresses designated for multicasts 1st 4 high-order bits = 1110 244.0.0.1 to 239.255.255.255 244.0.0.x (eg OSPF m/c) not Tx beyond source segment. TTL=1 MAC range 01.00.5e.00.00.00 to 01.00.55.7f.ff.ff MAC 01.00.5e.xx.xx.xx where xx.xx.xx taken from 23 bits of IP addr 5 bits of IP not copied so you could get 2 multicast addresses the same! (not likely though) Do not want to have to send multicasts to all segments End-station registration process used. L2/L3 process. RP maintains a list of known end stations IGMP used. Internet Group Management Protocol (IETF RFC1112) IGMP allows RPs to talk with end-stations to find out where they are If several RPs on a seg, Designated Router (DR) has highest IP addr. (Not on Point-to-Point) Query Messages from DR every 60secs. Checks E/Ss still there Report Messages – End-station response to query or adverts (processed by all RPs on seg) RP will Tx M/Cs only where it knows participating E/Ss reside RP's shares info about end-stations via m/c routing protocol Uses 28 byte IP packets 1.32bits Multicast group address. Set to zero in RP query messages 2.16bits CRC 3.4bits Type. Query or report. 4.4bits Version. IGMP v1 only. Set to 1 5.8bits unused If Protocol Field set to 2 then next 8 bytes contains a message All messages sent to all-hosts address of 244.0.0.1 with TTL=1 End-st'ns Tx Host Membership Report to 224.1.1.1 inc Group addr Or it can reply to HMQ to 224.0.0.1 Group addr set to zero If RP I/F brought up, it will send a hand-full of queries straight away Response Suppression. Only 1 host will reply to RPs query message. E/s starts a random 0-10sec timer upon receipt. When first replied, others don’t bother Client can just drop out without informing RP RP will only discover loss by lack of response to queries. Unused field carries max response time for e/s to reply to queries RP queries can now be group-specific. Carries group address V2 backward-compatible with V1 1.Membership Query 2.V1 Membership Report 3.V2 Membership Report 4.Leave Report Pretty much as with v1 If multiple RPs on seg, lowest IP address becomes active query RP Group-specific queries not Tx to 224.0.0.1, Tx to group addr instead One E/S now responds to gen query per group instead of per segment E/S now Tx Leave Request Message to 224.0.0.2, carries group addr RP then Tx group-specific query to find any other E/S for that group If none present, RP stops Tx traffic for that group to that segment Leave messages speed the leaving process up Traffic only sent to segments where participating clients reside, or paths that lead there Traffic passes each required segment only once. Only one path from client to server. Loop free Tree updated as clients added to or leave group Contain a single "Rendezvous Point" RP per tree. All servers send multicast frames here Can be more than one Rendezvous Point & tree for redundancy & speed Rendezvous Point IP addr cfg'd onto other RPs or the use auto-disc Rendezvous Point announces itself using M/C address 224.0.1.39 Mapping Agents Rx & pass them to other MA/DRs using 224.0.1.40 All leaf/branch RPs need to know the IP addr of one Rendezvous P't Leaf=RP with local clients, Branch=in path between leaf & Rend' P't Each frame has one copy sent to each seg with participating clients. Analogous to "per-network" STP Good – low overhead for tree-construction & maintenance Bad – often paths sub-optimal Bad – Possible bottlenecks if servers produce much m/c traffic Each M/C group has it’s own tree with source server is route of tree Analogous to "per-VLAN" STP Reverse Path Forwarding. Trees built from clients back towards server to find optimal path Good – Optimal Paths Bad – A lot more overhead (many trees!) All use distribution trees to build multicast routing tables Uses source-based distribution trees – tree per group, server as root DVMP, MOSPF, PIM-DM are all DM protocols Assumes participating clients on most segments Periodically floods all segs with M/C traffic while tree learned Tree pruned as IGMP discovers which seg's have participating clients Good – multicast traffic delivered immediately Good – minimalizes comms between RPs as few segments pruned Bad – traffic sent to many segments unnecessarily Bad – scales poorly First multicast routing protocol Derived from RIP. Hop count used as metric Used by MBONE (Multicast Backbone on the Internet) Extension of OSPF – can only be used if OSPF running on network RP advertises all links then calculates best route to all possible dest's Active client segment info include with normal OSPF updates Bad - when a link fails/changes & OSPF re-run, tree also re-built Bad – more groups=more trees. Very CPU/memory intensive on RPs Not widely used – Cisco don’t even support it! More commonly used than DM protocols CBT (RFC 2201) & PIM-SM Tree initially empty & no multicasts sent. Uses "join" messages from clients to build tree Uses shared distribution trees Join messages don’t always reach root. Once a branch found, new sub-branch formed Good – no flooding to unnecessary segments Supports both DM & SM at the same time Works with any unicast routing protocol – RIP, IGRP, EIGRP, OSPF MBONE plan to adopt PIM in the future. Cisco RPs PIM only. Other protocol's traffic forwarded, but won't participate. 1.Servers & clients close to each other 2.Few server, many participating end-stations 3.Continuous multicast traffic 4.Large amounts of multicast traffic 1.Servers & clients separated by a WAN 2.Very few clients in each multicast group 3.Multicast traffic not constant The RPs learn which segments have clients present & direct multicast traffic to the switches Switch then floods to all ports on VLAN like a broadcast. 1.Create a separate VLAN for each group 2.Switches snoop on IGMP frames sent to RP by clients. Detrimental to switching speeds 3.Manual configuration of static multicast entries in CAM table 4.RP sends info already gathered on clients to the switch. CGMP Cisco Group Management Protocol Allows IGMP-enabled Cisco RPs to pass client lists to Cisco CATs Client-server based. RP = server, SE = client RP sends client info periodically When RP learns of client added/removed, SE updated Good - Very little overhead Good – M/C's only Tx out of switch ports with clients attached CGMP info frame contains M/C group & real MAC address of client Switch examines CAM & tags entry with M/C group if MAC found If MAC not found in CAM, info ignored If CGMP enabled, switch will never flood multicast. None sent unless RP says where to send

1900/2820
Enterprise s/w 1900 2820 Modules	Entry level 10Mb work-group switches 1Gb back-plane 450,000 packets per second. About the same price as a managed hub. Menu driven, web interface or with Enterprise s/w, CLI also. Half, full & auto duplex Standard s/w = 4 VLANs, Console RJ45 at rear. Cisco blue X-over cable needed. No 10/100Mb ports. All one or the other Ping sends 5 messages as with routers *traceroute not available * 64 VLANs Fast Ether-Channel, VTP, ISL so can be integrated into backbone. Improves management security & scalability. IOS CLI VTP pruning, TACACS+, Uplink Fast Fixes architecture, no expansion slots or hardware upgrades possible. 1912 has 12 10Mb & 1 AUI ports 1924 has 24 10Mb & 1 AUI ports 2 x 100Mb ports for up-links 1024 MAC addresses. No limit on any port. 24 x 10Mb & AUI ports 2 expansion slots for Fast Ethernet, ATM or FDDI External unit to provide redundant PSU 2822 = 2048 MAC addresses. No limit on any port. 2828 = 8192 MAC addresses. No limit on any port. 4 or 8 x 100baseTX/FX hub 1 x 100baseTX/FX 1 x FDDI SAS or DAS 1 x ATM 155Mb OC3 MM, SM or UTP

2900XL/3500XL
Enterprise s/w 2900XL Modules 3500XL	Entry level 10/100Mb work-group/server-farm switches Cheap! 16 units stackable with Switch Clustering into one virtual switch. 64 VLANs Cisco Visual Switch Manager (CVSM) for web interface. Fast Ether-channeling up to 4 x 100Mb, or 2 x Gb ports Web-based interface or CLI Console RJ45 at rear. Cisco blue X-over cable needed. *Ping sends 5 messages as with routers *traceroute not available VTP, ISL, 802.1q Uplink Fast IOS interface 12 or 24 10/100Mb ports 2 expansion slots 3.2Gb back-plane 3,000,000 packets per second 4 x 10/100Mb ports 1 x Gb port 1 x ATM OC3 ISL module Fixed architecture 12, 24 or 48 10/100Mb plus 2 Gb ports. 3508GXL 8 x Gb ports only. 10.8Gb back-plane 8,000,000 packets per second *Up to 250 VLANs

2900/5000
Power-up diagnostics checks 2900 5000 5000 5002 5505 5509 5513/5500 Supervisor 2 Supervisor 2G Supervisor 3F Supervisor 3 Supervisor 3G	Work-group or server-farm switches Switch CLI based on UNIX csh (C-Shell) Later CLI supports arrows as with router IOS, earlier don‘t 3 types of commands – set, clear, show Changes straight to NVRAM Multi-layer switching (MLS) using Enhanced Feature s/w. High performance, flexible, reasonable cost. 2900 & 2900XL completely different switches 2900 & 5000 have same architecture & CLI 10Mb, 100Mb, Gb, ATM, FDDI, TR all supported 36,000,000 packets per second 16,000 MAC addresses 1000+ VLANs VTP, ISL, 802.1q, LNAE, 802.10 Uplink Fast, Fast-Span Status light red then amber (POST) then green on power-up *Ping gives single "alive" message All ports Connectivity to all line cards Back-plane & buses ASICs Buffers Fixed architecture 2926 24 x 10/100Mb, 2 x 100Mb, 1.2Gb Back-plane 2926G 24 x 10/100Mb, 2 x Gb, 1.2Gb Back-plane 2948G 24 x 10/100Mb, 2 x Gb, 2.4Gb Back-plane 2948G-L3 24 x 10/100Mb, 2 x Gb, 2.4Gb Back-plane, MLS All 5000 range supports MLS using Enhanced Feature s/w & h/w RSM/RSFC basically a 7x00 router 7x00 VIP cards can be used for WAN connections NFFC & a router/RSM/RSFC needed for MLS NFFC plugs into supervisor daughter slot. G-model sup's have a built-in Net Flow Feature Card NFFC for MLS. Route Switch Feature Card (RSFC) plugs into daughter slot on G-cards so RSM not needed OC3 & OC12 ATM modules Network Analysis Module (NAM) acts as an RMON probe 5 slots, 1.2Gb back-plane 2 slots, 1.2Gb back-plane 5 slots, 3.6Gb back-plane 9 slots, 3.6Gb back-plane 13 slots, 3.6Gb back-plane, 5Gb ATM back-plane 2 x 100Mb ports 2-3,000,000 pps, NFFC for MLS 4 x 100Mb or 10/100Mb or 2 x Gb ports 6,000,000 pps 2 x 100Mb ports 3,000,000 pps, NFFC for MLS 2 or 4 x 100Mb or 2 Gb ports 2-3,000,000 pps, NFFC for MLS 4 x 10/100Mb ports 6,000,000 pps Console RJ45 Supervisor 2G/3/3G (book says X, I say straight!!) Console female DB25 Supervisor 1 & 2 Aux. & RFSC ports currently disabled

4000/6000
4000 4908G 4912G 6000/6500 Multilayer Switch Mod (MSM) M. S. Feature Card (MSFC) Policy Feature Card (PFC)	Back-bone & large server-farms High density of Gb ports available Same CLI & s/w features as 5000 series 1000+ VLANs Up to 8 GB or 100Mb port Fast EtherChannels 10 & 100Mb ports HDX by default 10/100Mb ports auto-negotiate by default Gb ports auto-negotiate & FDX by default STP enabled on VLAN1 by default Can not set duplex on a 10/100Mb port that is set to auto-negotiate *Ping gives single "alive" message 16,000 MAC addresses 24Gb back-plane (4908G = 22Gb) 18,000,000 pps (4908G = 11,000,000 pps) L3S supported on 4006 & 4908G, not 4003, 4912G 8 x Gb ports fixed architecture 12 x Gb ports fixed architecture Both with 6 & 9 slot versions 32,000 MAC addresses 32Gb back-plane for 6000, 150Gb back-plane for 6500 Up to 384 x 10/100Mb ports Up to 192 x 100FX ports Up to 130 x Gb ports *Up to 8 x OC3 ports Built into supervisor. Used in place of RSM. 5,000,000 pps Needed for MLS, sits in daughter slot on supervisor. 15,000,000 pps QOS, load balancing, web services, web cache, priority queuing.

8500
SRP RP MSRP 8510 8540	High-speed campus back-bone switches True MLS, all built in with no add-ons needed. QOS, multicast support, security Can switch both frames & ATM cells on same back-plane Cisco Express Forwarding CEF as on Cisco 12000GSM supported CEF shares router info between CPU & line mod's, speeds things up. CEF means wire-speed forwarding of all IP & IPX traffic on all ports Uses router-style IOS, not switch CLI Native ATM on T1/E1, OC3, OC12, OC48 LS1010 line cards interchangeable with 85x0 switches Processor card for switching frames Centre 8510 slot, slot5/6 of 8540. Optional redundant SRP slot7 Route Processor needed for 8540 only for system man. Slot 4 Processor card for switching frames & ATM cells 5 slots, 32 x 100Mb, 4 x Gb 10Gb back-plane 6,000,000 pps 16,000 MAC addresses/interface 13 slots, 128 x 100Mb, 16 x Gb 40Gb back-plane 24,000,000 pps 64,000 MAC addresses/interface Slots 0-3 & 9-12 (8 slots) used for line cards Up to 8 x OC48 ports