CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide, 2nd Edition.pdf
Part I: Forwarding

Chapter 1: Packet Forwarding

This chapter covers the following subjects:

Network Device Communication: This section explains how switches forward traffic from a Layer 2 perspective and routers forward traffic from a Layer 3 perspective.

Forwarding Architectures: This section examines the mechanisms used in routers and switches to forward network traffic.

This chapter provides a review of basic network fundamentals and then dives deeper into the technical concepts related to how network traffic is forwarded through a router or switch architecture.

Foundation Topics

Network Device Communication

The primary function of a network is to provide connectivity between devices. There used to be a variety of network protocols that were device specific or preferred; today, almost everything is based on Transmission Control Protocol/Internet Protocol (TCP/IP). It is important to note that TCP/IP is based on the conceptual Open Systems Interconnection (OSI) model, which is composed of seven layers. Each layer describes a specific function, and a layer can be modified or changed without requiring changes to the layer above or below it. The OSI model, which provides a structured approach for compatibility between vendors, is illustrated in Figure 1-1.

Figure 1-1 OSI Model

When you think about the flow of data, most network traffic involves communication of data between applications. The applications generate data at Layer 7, and the device/host sends data down the OSI model. As the data moves down the OSI model, it is encapsulated or modified as needed. At Layer 3, the device/host decides whether the data needs to be sent to another application on the same device, in which case it starts to move the data back up the stack. If the data needs to be sent to a different device, the device/host continues processing down the OSI model toward Layer 1. Layer 1 is responsible for transmitting the information onto the media (for example, cable, fiber, radio waves).
On the receiving side, data starts at Layer 1, then moves to Layer 2, and so on, until it has moved completely up to Layer 7 and on to the receiving application.

This chapter reinforces concepts related to how a network device forwards traffic from either a Layer 2 or a Layer 3 perspective. The first Layer 2 network devices were bridges or switches, and Layer 3 devices were strictly routers. As technology advanced, the development of faster physical media required the ability to forward packets in hardware through application-specific integrated circuits (ASICs). As ASIC functionality continued to develop, multilayer switches (MLSs) were invented to forward Layer 2 traffic in hardware as if they were switches; however, they can also perform other functions, such as routing packets, from a Layer 3 perspective.

Layer 2 Forwarding

The second layer of the OSI model, the data link layer, handles addressing beneath the IP protocol stack so that communication is directed between hosts. Network packets include Layer 2 addressing with unique source and destination addresses for segments. Ethernet commonly uses Media Access Control (MAC) addresses, and other data link layer protocols, such as Frame Relay, use an entirely different method of Layer 2 addressing. The focus of the Enterprise Core exam is on Ethernet and wireless technologies, both of which use MAC addresses for Layer 2 addressing. This book focuses on the MAC address for Layer 2 forwarding.

Note: A MAC address is a 48-bit address that is split across six octets and notated in hexadecimal. The first three octets are assigned to a device manufacturer, known as the organizationally unique identifier (OUI), and the manufacturer is responsible for ensuring that the last three octets are unique.

A device listens for network traffic that contains its MAC address as the packet's destination MAC address before moving the packet up the OSI stack to Layer 3 for processing.
Network broadcasts with MAC address FF:FF:FF:FF:FF:FF are the exception to the rule and will always be processed by all network devices on the same network segment. Broadcasts are not typically forwarded beyond a Layer 3 boundary.

Collision Domains

Ethernet is a shared communication medium. When two or more network devices tried to transmit data at the same time in the same network segment, the communication became garbled due to data collisions. To prevent data collisions, Ethernet includes Carrier Sense Multiple Access/Collision Detect (CSMA/CD), which ensures that only one device transmits data at a time in a collision domain. A collision domain is a network segment where one device can detect if another device is transmitting data, regardless of the destination device. If a device detects that another device is transmitting data, it delays transmitting data until the cable is quiet. This means devices could perform only one action at a time, whether that is to transmit or to receive data (that is, operate at half-duplex).

When Ethernet became an Institute of Electrical and Electronics Engineers (IEEE) standard (802.3, CSMA/CD), it first used technologies like Thinnet (10BASE-2) and Thicknet (10BASE-5), which connected all the network devices using the same coaxial cable and T connectors. With those technologies, the more devices were added to the same collision domain (same coaxial cable), the less efficient the network became, because devices would need to wait until the cable was quiet to be able to transmit data. Changing the medium to Category 3/4 cable and using network hubs compounded the problem, because hubs add port density while repeating traffic, thereby increasing the size of the collision domain. Network hubs do not have any intelligence in them to direct network traffic; they simply repeat traffic out of every port.

Network switches enhance scalability and stability in a network through the creation of virtual channels.
A switch maintains a table that associates a host's Media Access Control (MAC) Ethernet address to the port that sourced the network traffic. Instead of flooding all traffic out of every switch port, a switch uses the local MAC address table to forward network traffic only to the switch port associated with where the destination MAC address is attached. This approach drastically reduces the size of the collision domain between the devices and enables the devices to transmit and receive data at the same time (that is, operate at full duplex).

Figure 1-2 demonstrates the collision domains on a hub versus on a switch. Both of these topologies show the same three PCs, as well as the same cabling. On the left, the PCs are connected to a network hub. Communication between PC-A and PC-B is received by PC-C too, because all three devices are in the same collision domain. PC-C must process the frame (consuming resources in the process) and then discards it after determining that the destination MAC address does not belong to it. In addition, PC-C has to wait until the PC-A/PC-B conversation finishes before it can transmit data. On the right, the PCs are connected to a network switch. Communication between PC-A and PC-B is split into two collision domains. The switch connects the two collision domains by using information from the MAC address table.

Figure 1-2 Collision Domains on a Hub Versus a Switch

When a switch receives a packet that contains a destination MAC address that is not in the switch's MAC address table, the switch forwards the packet out of every switch port except the port that the packet was received on. This process is known as unknown unicast flooding, because the destination MAC address is not known. Broadcast traffic is network traffic intended for every host on the local area network (LAN) and is forwarded out of every switch port interface.
Excessive broadcast traffic is undesirable: it diminishes the efficiency of a network switch because it interrupts unicast communication between network devices. Network broadcasts do not cross Layer 3 boundaries (that is, from one subnet to another subnet). All devices that reside in the same Layer 2 segment are considered to be in the same broadcast domain.

Figure 1-3 illustrates four PCs connected to a switch (SW1) in the same Layer 2 segment. It also displays SW1's MAC address table, which correlates the PCs to the appropriate switch port. In the scenario on the left, PC-A is transmitting unicast traffic to PC-B. SW1 does not transmit data out of the Gi0/2 or Gi0/3 interface (which could potentially disrupt any network transmissions between those PCs). In the scenario on the right, SW1 is transmitting broadcast network traffic received from PC-A out of all active switch ports.

Note: The terms network device and host are considered interchangeable in this text.

Figure 1-3 Unicast and Broadcast Traffic Patterns

Virtual LANs

Adding a router between LAN segments helps shrink broadcast domains and provides for optimal network communication. Host placement on a LAN segment varies because of network addressing. Poor host network assignment can lead to inefficient use of hardware, because some switch ports could be unused. Virtual LANs (VLANs) provide logical segmentation by creating multiple broadcast domains on the same network switch. VLANs provide higher utilization of switch ports because a port can be associated to the necessary broadcast domain, and multiple broadcast domains can reside on the same switch. Network devices in one VLAN cannot communicate with devices in a different VLAN without a router to interconnect the VLAN segments.
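The MAC learning, known-unicast forwarding, unknown unicast flooding, and broadcast behaviour described above, confined to one VLAN's broadcast domain, as an added Python model (not code from the book). Port names, MAC addresses, and the VLAN layout are constructed for the walkthrough; trunk ports are left out to keep the model small.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC, e.g. "aa:aa:aa:00:00:01"
    dst: str   # destination MAC


class VlanSwitch:
    """Toy model of a Layer 2 switch with access ports only.

    The MAC address table is keyed by (VLAN, MAC) -> port, the same three
    columns that show mac address-table prints.
    """

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port name -> access VLAN
        self.mac_table = {}                  # (vlan, mac) -> port

    def receive(self, in_port, frame):
        """Process one ingress frame. Returns (egress ports, decision)."""
        vlan = self.port_vlans[in_port]
        src, dst = frame.src.lower(), frame.dst.lower()
        # Learning: the source MAC is bound to the ingress port within this VLAN.
        self.mac_table[(vlan, src)] = in_port
        # Candidate egress ports are every other port in the same broadcast
        # domain; ports in other VLANs are never considered.
        same_vlan = sorted(p for p, v in self.port_vlans.items()
                           if v == vlan and p != in_port)
        if dst == BROADCAST_MAC:
            return same_vlan, "broadcast"
        out_port = self.mac_table.get((vlan, dst))
        if out_port is None:
            # Destination never seen in this VLAN: unknown unicast flooding.
            return same_vlan, "unknown-unicast-flood"
        if out_port == in_port:
            # Destination hangs off the ingress port (same collision domain):
            # the switch has nothing to forward.
            return [], "filtered"
        return [out_port], "known-unicast"

    def ports_with_multiple_macs(self):
        """Ports that learned more than one MAC: a switch, hub, or virtual
        switch is attached there rather than a single host."""
        counts = {}
        for (_vlan, _mac), port in self.mac_table.items():
            counts[port] = counts.get(port, 0) + 1
        return sorted(p for p, n in counts.items() if n > 1)


def walkthrough():
    """Constructed scenario: PC-A and PC-B in VLAN 10, a phone port in VLAN 20,
    and an uplink port Gi1/0/3 behind which two more hosts sit."""
    sw = VlanSwitch({"Gi1/0/7": 10, "Gi1/0/8": 10, "Gi1/0/3": 10, "Gi1/0/14": 20})
    pc_a, pc_b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    steps = []
    # 1. PC-A -> PC-B: PC-B is unknown, so the frame floods VLAN 10 only.
    steps.append(sw.receive("Gi1/0/7", Frame(pc_a, pc_b)))
    # 2. PC-B replies: PC-A was learned in step 1, so only Gi1/0/7 receives it.
    steps.append(sw.receive("Gi1/0/8", Frame(pc_b, pc_a)))
    # 3. PC-A broadcasts (for example an ARP request): every VLAN 10 port except ingress.
    steps.append(sw.receive("Gi1/0/7", Frame(pc_a, BROADCAST_MAC)))
    # 4. Two hosts behind the uplink send traffic, so Gi1/0/3 accumulates two MACs.
    sw.receive("Gi1/0/3", Frame("bb:bb:bb:00:00:10", pc_a))
    sw.receive("Gi1/0/3", Frame("bb:bb:bb:00:00:11", pc_a))
    return steps, sw.ports_with_multiple_macs()


if __name__ == "__main__":
    steps, multi = walkthrough()
    for step in steps:
        print(step)
    print("ports with several MACs (switch/hub/vSwitch behind them):", multi)
```

The VLAN 20 port never appears in any egress list, even for the broadcast, which is the per-VLAN broadcast domain in action.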
VLANs are defined in the IEEE 802.1Q standard, which states that 32 bits are added to the packet header in the following fields:

Tag protocol identifier (TPID): This 16-bit field is set to 0x8100 to identify the packet as an 802.1Q packet.

Priority code point (PCP): This 3-bit field indicates a class of service (CoS) as part of Layer 2 quality of service (QoS) between switches.

Drop eligible indicator (DEI): This 1-bit field indicates whether the packet can be dropped when there is bandwidth contention.

VLAN identifier (VLAN ID): This 12-bit field specifies the VLAN associated with a network packet.

Figure 1-4 displays the VLAN packet structure.

Figure 1-4 VLAN Packet Structure

Note: VLAN headers are not added to packets as they are forwarded locally in the switch. VLAN headers are added for packets that are sent across trunk ports, which are covered later in this chapter.

The VLAN identifier has only 12 bits, which provide 4094 unique VLANs. Catalyst switches use the following logic for VLAN identifiers:

VLAN 0 is reserved for 802.1p traffic and cannot be modified or deleted.

VLAN 1 is the default VLAN and cannot be modified or deleted.

VLANs 2 to 1001 are in the normal VLAN range and can be added, deleted, or modified as necessary.

VLANs 1002 to 1005 are reserved and cannot be deleted.

VLANs 1006 to 4094 are in the extended VLAN range and can be added, deleted, or modified as necessary.

VLANs are created by using the global configuration command vlan vlan-id. A friendly name (32 characters) is associated with a VLAN through the VLAN submode configuration command name vlan-name. The VLAN is not created until the command-line interface (CLI) has been moved back to the global configuration context or to a different VLAN identifier. Example 1-1 demonstrates the creation of VLAN 10 (PCs), VLAN 20 (Phones), and VLAN 99 (Guest) on SW1.

Example 1-1 Creating a VLAN

SW1# configure term
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# name PCs
SW1(config-vlan)# vlan 20
SW1(config-vlan)# name Phones
SW1(config-vlan)# vlan 99
SW1(config-vlan)# name Guest

VLANs and their port assignments are verified with the show vlan [{brief | id vlan-id | name vlan-name | summary}] command, as demonstrated in Example 1-2. Notice that the output is split into four main sections: VLAN-to-port assignments, system MTU, SPAN sessions, and private VLANs.

Example 1-2 Viewing VLAN Assignments to Port Mapping

SW1# show vlan
! Traditional and common VLANs will be listed in this section. The ports
! associated to these VLANs are displayed to the right.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/10, Gi1/0/11, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/1/1, Gi1/1/2, Te1/1/3
                                                Te1/1/4
10   PCs                              active    Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/12, Gi1/0/13
20   Phones                           active    Gi1/0/14
99   Guest                            active    Gi1/0/15, Gi1/0/16
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

! This section displays the system wide MTU setting for all 1Gbps and faster
! interfaces

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

! If a Remote SPAN VLAN is configured, it will be displayed in this section.
! Remote SPAN VLANs are explained in Chapter 24

Remote SPAN VLANs
------------------------------------------------------------------------------

! If Private VLANs are configured, they will be displayed in this section.
! Private VLANs are outside of the scope of this book, but more information
! can be found at http://www.cisco.com

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

The optional show vlan keywords provide the following benefits:

brief: Displays only the relevant port-to-VLAN mappings.

summary: Displays a count of VLANs, VLANs participating in VTP, and VLANs that are in the extended VLAN range.

id vlan-id: Displays all the output from the original command but filtered to only the VLAN number that is specified.

name vlan-name: Displays all the output from the original command but filtered to only the VLAN name that is specified.

Example 1-3 shows the use of the optional keywords. Notice that the output from the optional keyword id vlan-id is the same as the output from name vlan-name.
Example 1-3 Using the Optional show vlan Keywords

SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/10, Gi1/0/11, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/1/1, Gi1/1/2, Te1/1/3
                                                Te1/1/4
10   PCs                              active    Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/12, Gi1/0/13
20   Phones                           active    Gi1/0/14
99   Guest                            active    Gi1/0/15, Gi1/0/16
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

SW1# show vlan summary
Number of existing VLANs              : 8
Number of existing VTP VLANs          : 8
Number of existing extended VLANS     : 0

SW1# show vlan id 99

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
99   Guest                            active    Gi1/0/15, Gi1/0/16

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
99   enet  100099     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- -----------------------------------------

SW1# show vlan name Guest

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
99   Guest                            active    Gi1/0/15, Gi1/0/16

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
99   enet  100099     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Access Ports

Access ports are the fundamental building blocks of a switch. An access port is assigned to only one VLAN. It carries traffic from the specified VLAN to the device connected to it or from the device to other devices on the same VLAN on that switch.
The 802.1Q tags are not included on packets transmitted or received on access ports. Catalyst access switches place switch ports as Layer 2 access ports for VLAN 1 by default. The port can be manually configured as an access port with the command switchport mode access. A specific VLAN is associated to the port with the command switchport access vlan {vlan-id | name vlan-name}. Setting the VLAN on an access port by name still stores the VLAN in numeric form in the configuration. Example 1-4 demonstrates the configuration of switch ports Gi1/0/15 and Gi1/0/16 as access ports in VLAN 99 for Guests. Notice that the final configuration is stored as numbers for both ports, even though different commands are issued.

Example 1-4 Configuring an Access Port

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 99
SW1(config-vlan)# name Guests
SW1(config-vlan)# interface gi1/0/15
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 99
SW1(config-if)# interface gi1/0/16
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan name Guest

SW1# show running-config | begin interface GigabitEthernet1/0/15
interface GigabitEthernet1/0/15
 switchport access vlan 99
 switchport mode access
!
interface GigabitEthernet1/0/16
 switchport access vlan 99
 switchport mode access

Trunk Ports

Trunk ports can carry multiple VLANs. Trunk ports are typically used when multiple VLANs need connectivity between a switch and another switch, router, or firewall over only one port. Upon receipt of the packet on the remote trunk link, the headers are examined, traffic is associated to the proper VLAN, then the 802.1Q headers are removed, and traffic is forwarded to the next port, based on the MAC address for that VLAN.

Note: Thanks to the introduction of virtualization, some servers run a hypervisor for the operating system and contain a virtualized switch with different VLANs.
These servers also provide connectivity via a trunk port.

Trunk ports are statically defined on Catalyst switches with the interface command switchport mode trunk. In Example 1-5, Gi1/0/2 and Gi1/0/3 are converted to trunk ports.

Example 1-5 Configuring a Trunk Port

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# interface gi1/0/2
SW1(config-if)# switchport mode trunk
SW1(config-if)# interface gi1/0/3
SW1(config-if)# switchport mode trunk

Example 1-6 shows the output of the show interfaces trunk command. This command provides a lot of valuable information in several sections for troubleshooting connectivity between network devices:

The first section lists all the interfaces that are trunk ports, their status, and which VLAN is the native VLAN for each trunk port. Native VLANs are explained in the next section. EtherChannel interfaces are explained in Chapter 5, "VLAN Trunks and EtherChannel Bundles."

The second section of the output displays the list of VLANs that are allowed on the trunk port. Traffic can be minimized on trunk ports by restricting the allowed VLANs to specific switches, thereby restricting broadcast traffic too. Other use cases involve a form of load balancing between network links, where select VLANs are allowed on one trunk link while a different set of VLANs is allowed on a different trunk port.

The third section displays the VLANs that are in a forwarding state on the switch. Ports that are in a blocking state are not listed in this section.

Example 1-6 Verifying Trunk Port Status

SW1# show interfaces trunk
! Section 1 displays the physical or EtherChannel interface status, encapsulation,
! and native VLAN associated to the interface
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/2     on               802.1q         trunking      1
Gi1/0/3     on               802.1q         trunking      1

! Section 2 displays all of the VLANs that are allowed to be transmitted across
! the trunk ports
Port        Vlans allowed on trunk
Gi1/0/2     1-4094
Gi1/0/3     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/2     1,10,20,99
Gi1/0/3     1,10,20,99

! Section 3 displays all of the VLANs that are allowed across the trunk and are
! in a spanning tree forwarding state
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/2     1,10,20,99
Gi1/0/3     1,10,20,99

Native VLANs

In the 802.1Q standard, any traffic that is transmitted or received on a trunk port without the 802.1Q VLAN tag is associated to the native VLAN. Any traffic associated to the native VLAN will flow across the trunk port untagged. The default native VLAN is VLAN 1. A native VLAN is a port-specific configuration and is changed with the interface command switchport trunk native vlan vlan-id.

Note: Two hosts on the same subnet could still communicate if one host was connected to an access port associated to VLAN 10 and the other host connects to a trunk port configured with a native VLAN of 10. This is not a best practice, but it demonstrates that there is no 802.1Q VLAN tag added to the packet on either of the two ports.

Note: All switch control plane traffic is advertised using VLAN 1. The Cisco security hardening guidelines recommend changing the native VLAN to something other than VLAN 1. More specifically, it should be set to a VLAN that is not used at all (that is, has no hosts attached to it).

The native VLAN should match on both ports for traffic to be transmitted for that VLAN across the trunk link.

Allowed VLANs

As stated earlier, VLANs can be restricted from certain trunk ports as a method of traffic engineering. This restriction can cause problems if traffic between two hosts is expected to traverse a trunk link and the VLAN is not allowed to traverse that trunk port. Restricting VLANs could limit MAC address flooding across switches that do not have hosts connected to restricted VLANs.
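The 802.1Q tag layout (TPID 0x8100, then PCP/DEI/VID), the native-VLAN rule for untagged frames on a trunk, the untagged handling of access ports, and the allowed-VLAN restriction, combined into one added Python example (not code from the book). The frames, MAC addresses, and port settings are constructed; the treatment of a tagged frame arriving on an access port is a simplifying assumption of this model rather than a statement about any platform.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet frame into (dst, src, tag, ethertype, payload).

    tag is None for an untagged frame, otherwise a dict holding the three
    fields that follow the TPID in the 16-bit tag control information:
    pcp (3 bits), dei (1 bit) and vid (12 bits).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return dst, src, tag, ethertype, frame[offset:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Assemble a frame, inserting the 4-byte 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


@dataclass
class SwitchPort:
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1               # switchport access vlan
    native_vlan: int = 1               # switchport trunk native vlan
    allowed: frozenset = field(default_factory=lambda: frozenset(range(1, 4095)))


def classify_ingress(port, frame):
    """Return (vlan, reason); vlan is None when the frame is dropped."""
    _dst, _src, tag, _etype, _payload = parse_ethernet(frame)
    if port.mode == "access":
        # Access ports carry one untagged VLAN. This model drops tagged frames
        # there (a simplification, assumed for the example).
        if tag is not None:
            return None, "tagged frame on access port"
        return port.access_vlan, "access VLAN"
    # Trunk: no tag, or a priority-only tag with VID 0 (802.1p), means native VLAN.
    if tag is None or tag["vid"] == 0:
        vlan, reason = port.native_vlan, "untagged, native VLAN"
    else:
        vlan, reason = tag["vid"], "802.1Q VID"
    if vlan not in port.allowed:
        return None, f"VLAN {vlan} not allowed on trunk"
    return vlan, reason


# Constructed sample frames and ports (not from the book).
IPV4 = 0x0800
PC_A, GW = "aa:aa:aa:00:00:01", "00:11:22:33:44:55"
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(GW, PC_A, IPV4, PAYLOAD)
TAGGED_10 = build_frame(GW, PC_A, IPV4, PAYLOAD, vid=10)
TAGGED_30 = build_frame(GW, PC_A, IPV4, PAYLOAD, vid=30, pcp=5, dei=1)
TRUNK = SwitchPort("trunk", native_vlan=1, allowed=frozenset({1, 10, 20, 99}))
# Hardened trunk per the Note above: native VLAN moved to an unused VLAN that
# is not in the allowed list, so untagged traffic cannot ride the trunk at all.
HARDENED_TRUNK = SwitchPort("trunk", native_vlan=999, allowed=frozenset({10, 20, 99}))
GUEST_ACCESS = SwitchPort("access", access_vlan=99)

if __name__ == "__main__":
    for name, port, frame in [("trunk/untagged", TRUNK, UNTAGGED),
                              ("trunk/vid10", TRUNK, TAGGED_10),
                              ("trunk/vid30", TRUNK, TAGGED_30),
                              ("hardened/untagged", HARDENED_TRUNK, UNTAGGED),
                              ("access99/untagged", GUEST_ACCESS, UNTAGGED)]:
        print(name, classify_ingress(port, frame))
```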
The interface command switchport trunk allowed vlan vlan-ids specifies the VLANs that are allowed to traverse the link. Example 1-7 displays a sample configuration for limiting the VLANs that can cross the Gi1/0/2 trunk port to VLANs 1, 10, 20, and 99.

Example 1-7 Viewing the VLANs That Are Allowed on a Trunk Link

SW1# show run interface gi1/0/1
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,10,20,99
 switchport mode trunk

The full command syntax switchport trunk allowed vlan {vlan-ids | all | none | add vlan-ids | remove vlan-ids | except vlan-ids} provides a lot of power in a single command. The optional keyword all allows all VLANs, while none removes all VLANs from the trunk link. The add keyword adds additional VLANs to those already listed, and the remove keyword removes the specified VLANs from the VLANs already identified for that trunk link.

Note: When you are scripting configuration changes, it is best to use the add and remove keywords because they are more prescriptive. A common mistake is to use the switchport trunk allowed vlan vlan-ids command to list only the VLAN that is being added. This results in the current list being overwritten, causing traffic loss for the VLANs that were omitted.

Layer 2 Diagnostic Commands

The information in the "Layer 2 Forwarding" section, earlier in this chapter, provides a brief primer on the operations of a switch. The following sections provide some common diagnostic commands that are used in the daily administration, operation, and troubleshooting of a network.

MAC Address Table

The MAC address table is responsible for identifying the switch ports and VLANs with which a device is associated. A switch builds the MAC address table by examining the source MAC address of the traffic that it receives. This information is then maintained to shrink the collision domain (point-to-point communication between devices and switches) by reducing the amount of unknown unicast flooding.
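Returning to the switchport trunk allowed vlan keywords from the Allowed VLANs section, the following added Python example (not code from the book) models each keyword against a trunk's current allowed list and makes the overwrite pitfall from the Note measurable: which VLANs silently stop crossing the trunk after a change. The VLAN lists used are constructed and match the 1,10,20,99 set shown in Example 1-7.

```python
ALL_VLANS = frozenset(range(1, 4095))   # the 4094 usable VLAN IDs


def parse_vlan_list(text):
    """Parse the Catalyst vlan-ids syntax: comma-separated IDs and ranges,
    e.g. '1,10,20,99', '1-4094' or '10,30-40'."""
    vlans = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {item!r}")
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


def format_vlan_list(vlans):
    """Render a VLAN set the way show interfaces trunk does, collapsing runs
    of consecutive IDs into ranges."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def apply_allowed_vlan(current, argument):
    """Model 'switchport trunk allowed vlan <argument>' applied to the trunk's
    current allowed set; returns the new allowed set."""
    keyword, _, rest = argument.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "all":
        return ALL_VLANS
    if keyword == "none":
        return frozenset()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return ALL_VLANS - parse_vlan_list(rest)
    # A bare vlan-ids list is a full replacement of whatever was configured.
    return parse_vlan_list(argument)


def vlans_lost(before, after):
    """VLANs allowed before the change and not afterwards; traffic in these
    VLANs stops crossing the trunk."""
    return before - after


def scripting_mistake_demo():
    """The pitfall from the Note: 'adding' VLAN 30 with a bare list wipes the
    other VLANs, while 'add 30' keeps them. Returns both outcomes as
    (new list, lost list) pairs formatted like show interfaces trunk."""
    before = parse_vlan_list("1,10,20,99")
    wrong = apply_allowed_vlan(before, "30")
    right = apply_allowed_vlan(before, "add 30")
    return (format_vlan_list(wrong), format_vlan_list(vlans_lost(before, wrong)),
            format_vlan_list(right), format_vlan_list(vlans_lost(before, right)))


if __name__ == "__main__":
    bare, bare_lost, added, added_lost = scripting_mistake_demo()
    print(f"allowed vlan 30     -> {bare:15} lost: {bare_lost or '(none)'}")
    print(f"allowed vlan add 30 -> {added:15} lost: {added_lost or '(none)'}")
```

Running a change through apply_allowed_vlan and vlans_lost before pushing it to a switch is a cheap pre-flight check for automation that edits trunk configurations.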
The MAC address table is displayed with the command show mac address-table [address mac-address | dynamic | vlan vlan-id]. The optional keywords with this command provide the following benefits:

address mac-address: Displays entries that match the explicit MAC address. This command could be beneficial on switches with hundreds of ports.

dynamic: Displays entries that are dynamically learned and are not statically set or burned in on the switch.

vlan vlan-id: Displays entries that match the specified VLAN.

Example 1-8 shows the MAC address table on a Catalyst switch. The command in this example displays the VLAN, MAC address, type, and port associated to the connected network devices. Notice that port Gi1/0/3 has multiple entries, which indicates that this port is connected to a switch.

Example 1-8 Viewing the MAC Address Table

SW1# show mac address-table dynamic
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0081.c4ff.8b01    DYNAMIC     Gi1/0/2
   1    189c.5d11.9981    DYNAMIC     Gi1/0/3
   1    189c.5d11.99c7    DYNAMIC     Gi1/0/3
   1    7070.8bcf.f828    DYNAMIC     Gi1/0/17
   1    70df.2f22.b882    DYNAMIC     Gi1/0/2
   1    70df.2f22.b883    DYNAMIC     Gi1/0/3
   1    bc67.1c5c.9304    DYNAMIC     Gi1/0/2
   1    bc67.1c5c.9347    DYNAMIC     Gi1/0/3
  99    189c.5d11.9981    DYNAMIC     Gi1/0/3
  99    7069.5ad4.c228    DYNAMIC     Gi1/0/15
  10    0087.31ba.3980    DYNAMIC     Gi1/0/9
  10    0087.31ba.3981    DYNAMIC     Gi1/0/9
  10    189c.5d11.9981    DYNAMIC     Gi1/0/3
  10    3462.8800.6921    DYNAMIC     Gi1/0/8
  10    5067.ae2f.6480    DYNAMIC     Gi1/0/7
  10    7069.5ad4.c220    DYNAMIC     Gi1/0/13
  10    e8ed.f3aa.7b98    DYNAMIC     Gi1/0/12
  20    189c.5d11.9981    DYNAMIC     Gi1/0/3
  20    7069.5ad4.c221    DYNAMIC     Gi1/0/14
Total Mac Addresses for this criterion: 19

Note: Troubleshooting network traffic problems from a Layer 2 perspective involves locating the source and destination device and port; this task can be done by examining the MAC address table. If multiple MAC addresses appear on the same port, you know that a switch, hub, or server with a virtual switch is connected to that switch port.
Connecting to downstream switches may be required to identify the port that a specific network device is attached to.

Some older technologies (such as load balancing) require a static MAC address entry in the MAC address table to prevent unknown unicast flooding. The global configuration command mac address-table static mac-address vlan vlan-id {drop | interface interface-id} adds a manual entry with the ability to associate it to a specific switch port or to drop traffic upon receipt.

The command clear mac address-table dynamic [{address mac-address | interface interface-id | vlan vlan-id}] flushes the MAC address table for the entire switch. Using the optional keywords flushes the MAC address table only for a specific MAC address, switch port, or VLAN.

The MAC address table resides in content addressable memory (CAM). The CAM uses high-speed memory that is faster than typical computer RAM due to its search techniques. The CAM table provides a binary result for any query of 0 for true or 1 for false. The CAM is used with other functions to analyze and forward packets very quickly. Switches are built with large CAM to accommodate all the Layer 2 hosts for which they must maintain forwarding tables.

Switch Port Status

Examining the configuration for a switch port can be useful; however, some commands that are stored elsewhere in the configuration preempt the configuration set on the interface. The command show interfaces interface-id switchport provides all the relevant information for a switch port's status. The command show interfaces switchport displays the same operational parameters for all ports on the switch. Example 1-9 shows the output from the show interfaces gi1/0/5 switchport command on SW1. The key fields to examine at this time are the switch port state, operational mode, and access mode VLAN.

Example 1-9 Viewing the Switch Port Status

SW1# show interfaces gi1/0/5 switchport
Name: Gi1/0/5
! The following line indicates if the port is configured as an L2 switchport.
Switchport: Enabled
Administrative Mode: dynamic auto
! The following line indicates if the port is acting as a static access port, a trunk
! port, or if it is down due to carrier detection (i.e., link down)
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
! The following line displays the VLAN assigned to the access port
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Interface Status

The command show interfaces status is useful for viewing the status of switch ports in a condensed and simplified manner. Example 1-10 demonstrates the use of this command and includes the following fields in the output:

Port: Displays the interface ID or port channel.

Name: Displays the configured interface description.

Status: Displays connected for links where a connection was detected and established to bring up the link. Displays notconnect when a link is not detected, and err-disabled when an error has been detected and the switch has disabled the ability to forward traffic out of that port.

VLAN: Displays the VLAN number assigned for access ports.
Trunk links appear as trunk, and ports configured as Layer 3 interfaces display routed.

Duplex: Displays the duplex of the port. If the duplex was auto-negotiated, it is prefixed by a-.

Speed: Displays the speed of the port. If the port speed was auto-negotiated, it is prefixed by a-.

Type: Displays the type of interface for the switch port. If it is a fixed RJ-45 copper port, it includes TX in the description (for example, 10/100/1000BASE-TX). Small form-factor pluggable (SFP)-based ports are listed with the SFP model if there is a driver for it in the software; otherwise, it displays unknown.

Example 1-10 Viewing Overall Interface Status

SW1# show interface status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/2   SW-2 Gi1/0/1       connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/3   SW-3 Gi1/0/1       connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/4                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/5                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/6                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/7   Cube13.C           connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/8   Cube11.F           connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/9   Cube10.A           connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/10                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/11                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/12  Cube14.D Phone     connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/13  R1-G0/0/0          connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/14  R2-G0/0/1          connected    20         a-full a-1000 10/100/1000BaseTX
Gi1/0/15  R3-G0/1/0          connected    99         a-full a-1000 10/100/1000BaseTX
Gi1/0/16  R4-G0/1/1          connected    99         a-full a-1000 10/100/1000BaseTX
Gi1/0/17                     connected    1          a-full a-1000 10/100/1000BaseTX
Gi1/0/18                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/19                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/20                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/21                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/22                     notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/23                     notconnect   routed     auto    auto  10/100/1000BaseTX
Gi1/0/24                     disabled     4011       auto    auto  10/100/1000BaseTX
Te1/1/1                      notconnect   1          full    10G   SFP-10GBase-SR
Te1/1/2                      notconnect   1          auto    auto  unknown

Layer 3 Forwarding

Now that we have looked at the mechanisms of a switch and how it forwards Layer 2 traffic, let's review the process for forwarding a packet from a Layer 3 perspective. Recall that all traffic starts at Layer 7 and works its way down to Layer 1 on the source device, so the Layer 3 forwarding logic occurs before Layer 2 forwarding. There are two main methodologies for Layer 3 forwarding:

Forwarding traffic to devices on the same subnet

Forwarding traffic to devices on a different subnet

The following sections explain these two methodologies.

Local Network Forwarding

Two devices that reside on the same subnet communicate locally. As the packet headers are built, the device detects that the destination is on the same network. However, the device still needs to add the Layer 2 information (that is, the source and destination MAC addresses) to the packet headers. It knows its own MAC address but does not initially know the destination's MAC address. The Address Resolution Protocol (ARP) table provides a method of mapping Layer 3 IP addresses to Layer 2 MAC addresses by storing the IP address of a host and its corresponding MAC address. The device then uses the ARP table to add the appropriate Layer 2 headers to the data packet before sending it down the OSI model for processing and forwarding.

For example, if an IP host needs to communicate with another IP host in the same Layer 2 segment (same broadcast domain), and an ARP entry for the other host does not exist in the local ARP table, the IP host performs address resolution by broadcasting an ARP request to the entire Layer 2 switching segment. The ARP request asks that whoever owns the IP address respond with an ARP reply.
All hosts in the Layer 2 segment receive the request, but only the host with the matching IP address should reply to the request. The responding host generates a unicast ARP reply that includes the IP and MAC address from the ARP request. The requesting host receives the ARP reply and then updates its local ARP table. Now the host is able to add the appropriate Layer 2 headers and sends the original data packet for processing and forwarding.

The ARP table contains entries for hosts or network devices that the host has communicated with recently and that are on the same IP network segment. It does not contain entries for devices on a remote network but does contain the ARP entry for the IP address of the next hop to reach the remote network. If communication has not occurred with a host after a length of time, the entry becomes stale and is removed from the local ARP table.

Note
The ARP table can be viewed with the command show ip arp [mac-address | ip-address | vlan vlan-id | interface-id]. The optional keywords make it possible to filter the information.

Packet Routing

Packets must be routed when two devices are on different networks. As the data is encapsulated with its IP address, a device detects that its destination is on a different network and must be routed. The device checks its local routing table to identify its next-hop IP address, which may be learned in one of several ways:

From a static route entry, it can get the destination network, subnet mask, and next-hop IP address. A default-gateway is a simplified static default route that is used for all non-local traffic.
Routes can be learned from routing protocols.

The source device must add the appropriate Layer 2 headers (source and destination MAC addresses), but the destination MAC address is needed for the next-hop IP address. The device looks for the next-hop IP address's entry in the ARP table and uses the MAC address from the next-hop IP address's entry as the destination MAC address.
The packet headers are added, and then the packet is sent down to Layer 1 for processing and forwarding. The next router receives the packet based on the destination MAC address, analyzes the destination IP address, locates the appropriate network entry in its routing table, identifies the outbound interface, and then finds the MAC address for the destination device (or the MAC address for the next-hop address if it needs to be routed further). The router then modifies the source MAC address to the MAC address of the router's outbound interface and modifies the destination MAC address to the MAC address for the destination device (or next-hop router).

Figure 1-5 illustrates the concept, with PC-A sending a packet to PC-B through an Ethernet connection to R1. PC-A sends the packet to R1's MAC address, 00:C1:5C:00:00:A1. R1 receives the packet, removes the Layer 2 information, and looks for a route to the 192.168.2.2 address. R1 identifies that connectivity to the 192.168.2.2 IP address is through Gigabit Ethernet 0/1. R1 adds the Layer 2 source address by using its Gigabit Ethernet 0/1 MAC address 00:C1:5C:00:00:B1 and the destination address 00:00:00:BB:BB:BB for PC-B.

Figure 1-5 Layer 2 Addressing Rewrite

Note
This process continues on and on as needed to get the packet from the source device to the destination device.

IP Address Assignment

TCP/IP has become the standard protocol for most networks. Initially, it was used with IPv4 and 32-bit network addresses. The number of devices using public IP addresses has increased at an exponential rate and depleted the number of publicly available IP addresses. To deal with the increase in the demand for public addresses, a second standard, called IPv6, was developed in 1998; it provides 128 bits for addressing. Technologies and mechanisms have been created to allow IPv4 and IPv6 networks to communicate with each other.
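The local-versus-routed decision, the ARP exchange, and R1's Layer 2 rewrite from Figure 1-5 can be followed end to end in a small simulation. The following is an added example written for this edition of the text, not code from the book; R1's interface MACs and PC-B's address are the chapter's values, while PC-A's IP/MAC, R1's interface IP addresses, and the ARP aging time are assumptions labelled in the code.

```python
import ipaddress
import time

# Constructed topology after Figure 1-5: PC-A -> R1 -> PC-B. R1's interface MACs and
# PC-B's IP/MAC are the chapter's values; PC-A's address/MAC and R1's interface IP
# addresses are assumptions made for this example.
PC_A_IP, PC_A_MAC = "192.168.1.2", "00:00:00:AA:AA:AA"        # assumed
PC_B_IP, PC_B_MAC = "192.168.2.2", "00:00:00:BB:BB:BB"        # from the chapter
R1_G0_IP, R1_G0_MAC = "192.168.1.1", "00:C1:5C:00:00:A1"      # R1 Gi0/0 (IP assumed)
R1_G1_IP, R1_G1_MAC = "192.168.2.1", "00:C1:5C:00:00:B1"      # R1 Gi0/1 (IP assumed)
BROADCAST = "FF:FF:FF:FF:FF:FF"
ARP_TIMEOUT = 4 * 3600   # seconds; IOS ages ARP entries after 4 hours by default


class Segment:
    """A Layer 2 broadcast domain. An ARP request reaches every node; only the
    owner of the requested IP answers with a unicast reply."""

    def __init__(self):
        self.owners = {}      # ip -> mac of the node that owns it
        self.requests = []    # every ARP request put on the wire, for inspection

    def attach(self, ip, mac):
        self.owners[ip] = mac

    def resolve(self, requester_mac, target_ip):
        self.requests.append((requester_mac, BROADCAST, target_ip))
        if target_ip not in self.owners:
            raise LookupError(f"no ARP reply for {target_ip}")
        return self.owners[target_ip]


class Host:
    def __init__(self, ip, prefixlen, mac, gateway, segment):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.mac, self.gateway, self.segment = mac, gateway, segment
        self.arp = {}         # ip -> (mac, time learned)
        segment.attach(ip, mac)

    def next_hop_for(self, dst_ip):
        """Layer 3 decision: same subnet -> deliver directly, otherwise -> default gateway."""
        if ipaddress.ip_address(dst_ip) in self.iface.network:
            return dst_ip
        return self.gateway

    def arp_lookup(self, ip, now):
        entry = self.arp.get(ip)
        if entry and now - entry[1] < ARP_TIMEOUT:
            return entry[0]
        self.arp.pop(ip, None)   # stale entry is dropped; it must be re-resolved
        return None

    def build_frame(self, dst_ip, now=None):
        """Return (src_mac, dst_mac, dst_ip) as the host would encapsulate the packet."""
        now = time.time() if now is None else now
        nh = self.next_hop_for(dst_ip)
        mac = self.arp_lookup(nh, now)
        if mac is None:
            mac = self.segment.resolve(self.mac, nh)   # broadcast request, unicast reply
            self.arp[nh] = (mac, now)
        return (self.mac, mac, dst_ip)


# R1's routing table and ARP entries (constructed for the example).
R1_ROUTES = {"192.168.1.0/24": ("Gi0/0", R1_G0_MAC), "192.168.2.0/24": ("Gi0/1", R1_G1_MAC)}
R1_ARP = {PC_A_IP: PC_A_MAC, PC_B_IP: PC_B_MAC}


def r1_forward(frame):
    """R1 strips PC-A's Layer 2 header, routes on the destination IP, and rewrites the
    source MAC to the egress interface's MAC and the destination MAC to the next hop
    (here the connected destination itself). Returns None when there is no route."""
    _, _, dst_ip = frame
    addr = ipaddress.ip_address(dst_ip)
    for prefix, (iface, iface_mac) in R1_ROUTES.items():
        if addr in ipaddress.ip_network(prefix):
            return (iface, iface_mac, R1_ARP[dst_ip], dst_ip)
    return None
```

Sending to PC-B triggers exactly one broadcast ARP request (for the gateway, not for PC-B), the cached entry is reused until it ages out, and R1 swaps the MAC pair while leaving the IP addresses untouched.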
With either version, an IP address must be assigned to an interface for a router or multilayer switch to route packets. IPv4 addresses are assigned with the interface configuration command ip address ip-address subnet-mask. An interface with a configured IP address that is in an operational "up" state injects the associated network into the router's routing table (Routing Information Base [RIB]). Connected networks or routes have an administrative distance (AD) of zero. It is not possible for any routing protocol or static route to preempt a connected route in the RIB.

It is possible to attach multiple IPv4 networks to the same interface by configuring a secondary IPv4 address on the same interface with the command ip address ip-address subnet-mask secondary.

IPv6 addresses are assigned with the interface configuration command ipv6 address ipv6-address/prefix-length. This command can be repeated multiple times to add multiple IPv6 addresses to the same interface.

Example 1-11 demonstrates the configuration of IP addresses on routed interfaces. A routed interface is basically any interface on a router. Notice that a second IPv4 address requires the use of the secondary keyword; the ipv6 address command can be used multiple times to configure multiple IPv6 addresses.

Example 1-11 Assigning IP Addresses to Routed Interfaces

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface gi0/0/0
R1(config-if)# ip address 10.10.10.254 255.255.255.0
R1(config-if)# ip address 172.16.10.254 255.255.255.0 secondary
R1(config-if)# ipv6 address 2001:db8:10::254/64
R1(config-if)# ipv6 address 2001:db8:10:172::254/64
R1(config-if)# interface gi0/0/1
R1(config-if)# ip address 10.20.20.254 255.255.255.0
R1(config-if)# ip address 172.16.20.254 255.255.255.0 secondary
R1(config-if)# ipv6 address 2001:db8:20::254/64
R1(config-if)# ipv6 address 2001:db8:20:172::254/64

Routed Subinterfaces

A routed subinterface is required when there are multiple VLANs on a switch that require routing, and it is not desirable to use a dedicated physical routed interface per VLAN, or there are not enough physical router interfaces to accommodate all the VLANs. To overcome this issue, it is possible to create a trunk port on the switch and create a logical subinterface on the router. A subinterface is created by appending a period and a numeric value to the physical interface name. Then the VLAN needs to be associated with the subinterface with the command encapsulation dot1q vlan-id.

Example 1-12 demonstrates the configuration of two subinterfaces on R2. The subinterface number does not have to match the VLAN ID, but if it does, it helps with operational support.

Example 1-12 Configuring Routed Subinterfaces

R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# int g0/0/1.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip address 10.10.10.2 255.255.255.0
R2(config-subif)# ipv6 address 2001:db8:10::2/64
R2(config-subif)# int g0/0/1.99
R2(config-subif)# encapsulation dot1Q 99
R2(config-subif)# ip address 10.20.20.2 255.255.255.0
R2(config-subif)# ipv6 address 2001:db8:20::2/64

Switched Virtual Interfaces

With Catalyst switches, it is possible to assign an IP address to a switched virtual interface (SVI), also known as a VLAN interface.
An SVI is configured by defining the VLAN on the switch and then defining the VLAN interface with the command interface vlan vlan-id. The switch must have an interface associated to that VLAN in an up state for the SVI to be in an up state. If the switch is a multilayer switch, the SVIs can be used for routing packets between VLANs without the need of an external router. Example 1-13 demonstrates the configuration of the SVI for VLANs 10 and 99.

Example 1-13 Creating a Switched Virtual Interface (SVI)

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# interface vlan 10
SW1(config-if)# ip address 10.10.10.1 255.255.255.0
SW1(config-if)# ipv6 address 2001:db8:10::1/64
SW1(config-if)# no shutdown
SW1(config-if)# interface vlan 99
SW1(config-if)# ip address 10.99.99.1 255.255.255.0
SW1(config-if)# ipv6 address 2001:db8:99::1/64
SW1(config-if)# no shutdown

Routed Switch Ports

Some network designs include a point-to-point link between switches for routing. For example, when a switch needs to connect to a router, some network engineers would build out a transit VLAN (for example, VLAN 2001), associate the port connecting to the router to VLAN 2001, and then build an SVI for VLAN 2001. There is always the potential that VLAN 2001 could exist elsewhere in the Layer 2 realm, or that a spanning tree could impact the topology.

Instead, the multilayer switch port can be converted from a Layer 2 switch port to a routed switch port with the interface configuration command no switchport. Then the IP address can be assigned to it. Example 1-14 demonstrates port Gi1/0/14 being converted from a Layer 2 switch port to a routed switch port and then having an IP address assigned to it.

Example 1-14 Configuring a Routed Switch Port

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# int gi1/0/14
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.20.20.1 255.255.255.0
SW1(config-if)# ipv6 address 2001:db8:20::1/64
SW1(config-if)# no shutdown

Verification of IP Addresses

IPv4 addresses can be viewed with the command show ip interface [brief | interface-id | vlan vlan-id]. This command's output contains a lot of useful information, such as MTU, DHCP relay, ACLs, and the primary IP address. The optional brief keyword displays the output in a condensed format. However, on devices with large port counts, using the CLI parser and adding an additional | exclude field (for example, unassigned) yields a streamlined view of interfaces that are configured with IP addresses.

Example 1-15 shows the show ip interface brief command used with and without the CLI parser. Notice the drastic reduction in unnecessary data that is presented.

Example 1-15 Viewing Device IPv4 Addresses

SW1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES manual up                    up
Vlan10                 10.10.10.1      YES manual up                    up
Vlan99                 10.99.99.1      YES manual up                    up
GigabitEthernet0/0     unassigned      YES unset  down                  down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
GigabitEthernet1/0/2   unassigned      YES unset  up                    up
GigabitEthernet1/0/3   unassigned      YES unset  up                    up
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  down                  down
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  up                    up
GigabitEthernet1/0/8   unassigned      YES unset  up                    up
GigabitEthernet1/0/9   unassigned      YES unset  up                    up
GigabitEthernet1/0/10  unassigned      YES unset  down                  down
GigabitEthernet1/0/11  unassigned      YES unset  down                  down
GigabitEthernet1/0/12  unassigned      YES unset  down                  down
GigabitEthernet1/0/13  unassigned      YES unset  up                    up
GigabitEthernet1/0/14  10.20.20.1      YES manual up                    up
GigabitEthernet1/0/15  unassigned      YES unset  up                    up
GigabitEthernet1/0/16  unassigned      YES unset  up                    up
GigabitEthernet1/0/17  unassigned      YES unset  down                  down

SW1# show ip interface brief | exclude unassigned
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.10.10.1      YES manual up                    up
Vlan99                 10.99.99.1      YES manual up                    up
GigabitEthernet1/0/14  10.20.20.1      YES manual up                    up
GigabitEthernet1/0/23  192.168.1.1     YES manual down                  down

The same information can be viewed for IPv6 addresses with the command show ipv6 interface [brief | interface-id | vlan vlan-id]. Just as with IPv4 addresses, a CLI parser can be used to reduce the information to what is relevant, as demonstrated in Example 1-16.

Example 1-16 Viewing Device IPv6 Addresses

SW1# show ipv6 interface brief
! Output omitted for brevity
Vlan1                  [up/up]
    FE80::262:ECFF:FE9D:C547
    2001:1::1
Vlan10                 [up/up]
    FE80::262:ECFF:FE9D:C546
    2001:DB8:10::1
Vlan99                 [up/up]
    FE80::262:ECFF:FE9D:C55D
    2001:DB8:99::1
GigabitEthernet0/0     [down/down]
    unassigned
GigabitEthernet1/0/1   [down/down]
    unassigned
GigabitEthernet1/0/2   [up/up]
    unassigned
GigabitEthernet1/0/3   [up/up]
    unassigned
GigabitEthernet1/0/4   [down/down]
    unassigned
GigabitEthernet1/0/5   [down/down]
    Unassigned

SW1# show ipv6 interface brief | exclude unassigned|GigabitEthernet
Vlan1                  [up/up]
    FE80::262:ECFF:FE9D:C547
    2001:1::1
Vlan10                 [up/up]
    FE80::262:ECFF:FE9D:C546
    2001:DB8:10::1
Vlan99                 [up/up]
    FE80::262:ECFF:FE9D:C55D
    2001:DB8:99::1

Forwarding Architectures

The first Cisco routers would receive a packet, remove the Layer 2 information, and verify that a route existed for the destination IP address. If a matching route could not be found, the packet was dropped. If a matching route was found, the router would identify and add new Layer 2 header information to the packet. Advancements in technologies have streamlined the process so that routers do not remove and add the Layer 2 addressing but simply rewrite the addresses. IP packet switching or IP packet forwarding is a faster process for receiving an IP packet on an input interface and making a decision about whether to forward the packet to an output interface or drop it.
This process is simple and streamlined so that a router can forward large numbers of packets. When the first Cisco routers were developed, they used a mechanism called process switching to switch the packets through the routers. As network devices evolved, Cisco created fast switching and Cisco Express Forwarding (CEF) to optimize the switching process for the routers to be able to handle larger packet volumes.

Process Switching

Process switching, also referred to as software switching or slow path, is a switching mechanism in which the general-purpose CPU on a router is in charge of packet switching. In IOS, the ip_input process runs on the general-purpose CPU for processing incoming IP packets. Process switching is the fallback for CEF because it is dedicated to processing punted IP packets when they cannot be switched by CEF. The types of packets that generally require software handling include the following:

Packets sourced or destined to the router (using control traffic or routing protocols)
Packets that are too complex for the hardware to handle (that is, IP packets with IP options)
Packets that require extra information that is not currently known (for example, unresolved ARP entries)

Note
Software switching is significantly slower than switching done in hardware. The ip_input process is designed to handle a very small percentage of traffic handled by the system. Packets are hardware switched whenever possible.

Figure 1-6 illustrates how a packet that cannot be CEF switched is punted to the CPU for processing. The ip_input process consults the routing table and ARP table to obtain the next-hop router's IP address, outgoing interface, and MAC address.
It then overwrites the destination MAC address of the packet with the next-hop router's MAC address, overwrites the source MAC address with the MAC address of the outgoing Layer 3 interface, decrements the IP time-to-live (TTL) field, recomputes the IP header checksum, and finally delivers the packet to the next-hop router.

Figure 1-6 Process Switching

The routing table, also known as the Routing Information Base (RIB), is built from information obtained from dynamic routing protocols and directly connected and static routes. The ARP table is built from information obtained from the ARP protocol.

Cisco Express Forwarding

Cisco Express Forwarding (CEF) is a Cisco proprietary switching mechanism developed to keep up with the demands of evolving network infrastructures. It has been the default switching mechanism on most Cisco platforms that do all their packet switching using the general-purpose CPU (software-based routers) since the 1990s, and it is the default switching mechanism used by all Cisco platforms that use specialized application-specific integrated circuits (ASICs) and network processing units (NPUs) for high packet throughput (hardware-based routers).

The general-purpose CPUs on software-based and hardware-based routers are similar and perform all the same functions; the difference is that on software-based routers, the general-purpose CPU is in charge of all operations, including CEF switching (software CEF), and the hardware-based routers do CEF switching using forwarding engines that are implemented in specialized ASICs, ternary content addressable memory (TCAM), and NPUs (hardware CEF). Forwarding engines provide the packet switching, forwarding, and route lookup capability to routers.

Ternary Content Addressable Memory

A switch's ternary content addressable memory (TCAM) allows for the matching and evaluation of a packet on more than one field.
TCAM is an extension of the CAM architecture but enhanced to allow for upper-layer processing such as identifying the Layer 2/3 source/destination addresses, protocol, QoS markings, and so on. TCAM provides more flexibility in searching than does CAM, which is binary. A TCAM search provides three results: 0 for true, 1 for false, and X for do not care, which is a ternary combination.

The TCAM entries are stored in Value, Mask, and Result (VMR) format. The value indicates the fields that should be searched, such as the IP address and protocol fields. The mask indicates the field that is of interest and that should be queried. The result indicates the action that should be taken with a match on the value and mask. Actions are not limited to permitting or dropping traffic; tasks like redirecting a flow to a QoS policer or specifying a pointer to a different entry in the forwarding table are also possible.

Most switches implement multiple TCAM entries so that inbound/outbound security, QoS, and Layer 2 and Layer 3 forwarding decisions occur all at once. TCAM operates in hardware, providing faster processing and scalability than process switching. This allows features like ACLs to process at the same speed regardless of whether there are 10 entries or 500. The TCAM is not an infinite resource, and balancing memory allocations between functions has trade-offs.

Centralized Forwarding

Given the low cost of general-purpose CPUs, the price of software-based routers is becoming more affordable, but at the expense of total packet throughput. When a route processor (RP) engine is equipped with a forwarding engine so that it can make all the packet switching decisions, this is known as a centralized forwarding architecture. If the line cards are equipped with forwarding engines so that they can make packet switching decisions without intervention of the RP, this is known as a distributed forwarding architecture.
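Returning to the Value, Mask, Result format described in the TCAM section above: the following added example (written for this edition, not the book's code) models a security ACL as a list of VMR entries and evaluates a packet against them, so the role of the mask's don't-care bits and the first-match result is visible in working code. The ACL entries, addresses and the "redirect-to-policer" result string are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

PROTO = {"tcp": 6, "udp": 17}
FULL8, FULL16 = 0xFF, 0xFFFF


def ip_int(address):
    return int(ipaddress.ip_address(address))


@dataclass(frozen=True)
class VMR:
    """One TCAM entry. Fields are (src, dst, proto, dport) as integers.
    A 1 bit in the mask is compared; a 0 bit is X (don't care)."""
    value: tuple
    mask: tuple
    result: str

    def matches(self, key):
        return all((k & m) == (v & m) for k, v, m in zip(key, self.value, self.mask))


def ace(result, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
    """Build a VMR entry from ACL-style fields; anything left unspecified
    becomes a don't-care field (mask of all zeros)."""
    sn, dn = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    value = (int(sn.network_address), int(dn.network_address),
             PROTO[proto] if proto else 0, dport or 0)
    mask = (int(sn.netmask), int(dn.netmask),
            FULL8 if proto else 0, FULL16 if dport else 0)
    return VMR(value, mask, result)


def tcam_lookup(table, src, dst, proto, dport):
    """Hardware evaluates every entry in parallel and returns the lowest-indexed
    hit, which is what the sequential scan below reproduces. A packet that hits
    no entry gets the ACL's implicit deny. Returns (index, result)."""
    key = (ip_int(src), ip_int(dst), PROTO[proto], dport)
    for index, entry in enumerate(table):
        if entry.matches(key):
            return index, entry.result
    return None, "implicit-deny"


# Constructed ACL using the chapter's 10.10.10.0/24 and 10.20.20.0/24 subnets.
ACL = [
    ace("permit", src="10.10.10.0/24", dst="10.20.20.0/24", proto="tcp", dport=443),
    ace("redirect-to-policer", src="10.10.10.0/24", proto="udp"),
    ace("deny", dst="10.20.20.0/24"),
    ace("permit"),
]
```

Because the mask rather than the entry count decides what is compared, the lookup cost per packet is the same whether the table holds 4 entries or 500; what the mask width costs is TCAM space, which is the resource the SDM templates later in the chapter divide up.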
For a centralized forwarding architecture, when a packet is received on the ingress line card, it is transmitted to the forwarding engine on the RP. The forwarding engine examines the packet's headers and determines that the packet will be sent out a port on the egress line card and forwards the packet to the egress line card to be forwarded.

Distributed Forwarding

For a distributed forwarding architecture, when a packet is received on the ingress line card, it is transmitted to the line card's local forwarding engine. The forwarding engine performs a packet lookup, and if it determines that the outbound interface is local, it forwards the packet out a local interface. If the outbound interface is located on a different line card, the packet is sent across the switch fabric, also known as the backplane, directly to the egress line card, bypassing the RP.

Figure 1-7 shows the difference between centralized and distributed forwarding architectures.

Figure 1-7 Centralized Versus Distributed Forwarding Architectures

Software CEF

Software CEF, also known as the software Forwarding Information Base (FIB), consists of the following components:

Forwarding Information Base: The FIB is built directly from the routing table and contains the next-hop IP address for each destination in the network. It keeps a mirror image of the forwarding information contained in the IP routing table. When a routing or topology change occurs in the network, the IP routing table is updated, and these changes are reflected in the FIB. CEF uses the FIB to make IP destination prefix-based switching decisions.
Adjacency table: The adjacency table, also known as the Adjacency Information Base (AIB), contains the directly connected next-hop IP addresses and their corresponding next-hop MAC addresses, as well as the egress interface's MAC address. The adjacency table is populated with data from the ARP table or other Layer 2 protocol tables.
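The FIB and adjacency table relationship, including the recursive next-hop resolution that Figure 1-8 describes (a static route whose next hop is itself reached through an OSPF route) and the glean case in which an adjacency has no ARP entry yet, is shown in this added example. It is written for this edition and is not the book's code; the prefixes and next hops are the figure's values, while the connected prefix, the interface name, and all MAC addresses are assumptions labelled in the code.

```python
import ipaddress

# Constructed from the description of Figure 1-8: a static route for 172.16.10.0/24 via
# 10.40.40.254, which depends on the OSPF-learned 10.40.40.0/24 via 10.10.10.254. The
# connected prefix, interface name and all MAC addresses are assumptions for the example.
RIB = {   # prefix -> (next hop, egress interface, source); connected routes have no next hop
    "10.10.10.0/24": (None, "Gi0/0", "connected"),
    "10.40.40.0/24": ("10.10.10.254", None, "ospf"),
    "172.16.10.0/24": ("10.40.40.254", None, "static"),
}
ARP = {"10.10.10.254": "00:C1:5C:00:00:01"}      # constructed ARP table
IFACE_MAC = {"Gi0/0": "00:C1:5C:00:00:A0"}      # constructed interface MACs


def lpm(table, ip):
    """Longest-prefix match of ip against the keys of a prefix-keyed dict."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


def resolve(prefix, depth=0):
    """Recursively resolve a RIB entry to (directly connected next hop, egress interface).
    For a connected prefix the next hop is None: the destination itself is the adjacency."""
    nh, iface, _ = RIB[prefix]
    if nh is None:
        return None, iface
    if depth > 8:
        raise RecursionError("next-hop recursion too deep")
    parent = lpm(RIB, nh)
    if parent is None or parent == prefix:
        return nh, None                      # unresolvable next hop
    parent_nh, parent_iface = resolve(parent, depth + 1)
    return (parent_nh or nh), parent_iface


def build_fib():
    """The FIB mirrors the RIB but carries the fully resolved adjacency pointer."""
    return {prefix: resolve(prefix) for prefix in RIB}


def build_adjacency(fib):
    """Adjacency table: next hop -> (next-hop MAC or None, egress interface, egress MAC).
    A next hop without an ARP entry is an incomplete (glean) adjacency."""
    adj = {}
    for nh, iface in fib.values():
        if nh is not None:
            adj[nh] = (ARP.get(nh), iface, IFACE_MAC.get(iface))
    return adj


def cef_switch(fib, adj, dst_ip, ttl):
    """Return the forwarding decision for one packet: drop, punt to the CPU, or forward
    with the rewritten Layer 2 header and decremented TTL."""
    prefix = lpm(fib, dst_ip)
    if prefix is None:
        return ("drop", "no route")
    nh, iface = fib[prefix]
    if nh is None:                                   # connected: the host itself is the adjacency
        nh_mac, src_mac = ARP.get(dst_ip), IFACE_MAC.get(iface)
    else:
        nh_mac, iface, src_mac = adj[nh]
    if nh_mac is None:
        return ("punt", "glean")                     # ARP must resolve before CEF can forward
    if ttl <= 1:
        return ("drop", "ttl expired")               # a router never forwards a packet whose TTL would reach 0
    return ("forward", {"iface": iface, "src_mac": src_mac, "dst_mac": nh_mac, "ttl": ttl - 1})
```

Both the static route and the OSPF route end up pointing at the same adjacency (10.10.10.254 out Gi0/0), which is the point Figure 1-8 makes; a destination on the connected subnet with no ARP entry is punted rather than forwarded.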
Figure 1-8 illustrates how the CEF table is built from the routing table. First, the FIB is built from the routing table. The 172.16.10.0/24 prefix is a static route with a next hop of 10.40.40.254, which is dependent upon the 10.40.40.0/24 prefix learned via OSPF. The adjacency pointer in the FIB for the 172.16.10.0/24 entry is exactly the same IP address that OSPF uses for the 10.40.40.0/24 prefix (10.10.10.254). The adjacency table is then built using the ARP table and cross-referencing the MAC address with the MAC address table to identify the outbound interface.

Figure 1-8 CEF Switching

Upon receipt of an IP packet, the FIB is checked for a valid entry. If an entry is missing, it is a "glean" adjacency in CEF, which means the packet should go to the CPU because CEF is unable to handle it. Valid FIB entries continue processing by looking for the appropriate adjacency entry based on that FIB record. Missing adjacency entries invoke the ARP process. After ARP is resolved, the complete CEF entry can be created.

As part of the packet forwarding process, the packet's headers are rewritten. The router overwrites the destination MAC address of a packet with the next-hop router's MAC address from the adjacency table, overwrites the source MAC address with the MAC address of the outgoing Layer 3 interface, decrements the IP time-to-live (TTL) field, recomputes the IP header checksum, and finally delivers the packet to the next-hop router.

Note
Packets processed by the CPU are typically subject to a rate limiter when an invalid or incomplete adjacency exists to prevent the starving of CPU cycles from other essential processes.

Note
The TTL is a Layer 3 loop prevention mechanism that reduces a packet's TTL field by 1 for every Layer 3 hop. If a router receives a packet with a TTL of 0, the packet is discarded.

Hardware CEF

The ASICs in hardware-based routers are expensive to design, produce, and troubleshoot.
ASICs allow for very high packet rates, but the trade-off is that they are limited in their functionality because they are hardwired to perform specific tasks. The routers are equipped with NPUs that are designed to overcome the inflexibility of ASICs. Unlike ASICs, NPUs are programmable, and their firmware can be changed with relative ease.

The main advantage of the distributed forwarding architectures is that the packet throughput performance is greatly improved by offloading the packet switching responsibilities to the line cards. Packet switching in distributed architecture platforms is done via distributed CEF (dCEF), which is a mechanism in which the CEF data structures are downloaded to forwarding ASICs and the CPUs of all line cards so that they can participate in packet switching; this allows for the switching to be done at the distributed level, thus increasing the packet throughput of the router.

Note
Software CEF in hardware-based platforms is not used to do packet switching as in software-based platforms; instead, it is used to program the hardware CEF.

SDM Templates

The capacity of MAC addresses that a switch needs compared to the number of routes that it holds depends on where it is deployed in the network. The memory used for TCAM tables is limited and statically allocated during the bootup sequence of the switch. When a section of a hardware resource is full, all processing overflow is sent to the CPU, which seriously impacts the performance of the switch.

The allocation ratios between the various TCAM tables are stored and can be modified with Switching Database Manager (SDM) templates. Multiple Cisco switches exist, and the SDM template varies by model. SDM templates can be configured on Catalyst 9300 switches with the global configuration command sdm prefer {vlan | advanced}. The switch must then be restarted with the reload command.

Note
Every switch in a switch stack must be configured with the same SDM template.
Table 1-2 shows the approximate number of resources available per template. This number could vary based on the switch platform or software version in use. These numbers are typical for Layer 2 and IPv4 features. Some features, such as IPv6, use twice the entry size, which means only half as many entries can be created.

Table 1-2 Approximate Number of Feature Resources Allowed by Templates

Resource                                             Advanced   VLAN
Number of VLANs                                      4094       4094
Unicast MAC addresses                                32,768     32,768
Overflow unicast MAC addresses                       512        512
IGMP groups and multicast routes                     4096       4096
Overflow IGMP groups and multicast routes            512        512
Directly connected routes                            16,384     16,384
Indirect routes                                      7168       7168
Policy-based routing access control entries (ACEs)   1024       0
QoS classification ACEs                              3000       3000
Security ACEs                                        3000       3000
NetFlow ACEs                                         768        768
Input Microflow policer ACEs                         256,000    0
Output Microflow policer ACEs                        256,000    0
Flow Span (FSPAN) ACEs                               256        256
Control plane entries                                512        512

The current SDM template can be viewed with the command show sdm prefer, as demonstrated in Example 1-17.

Example 1-17 Viewing the Current SDM Template

SW1# show sdm prefer
Showing SDM Template Info

This is the Advanced (high scale) template.
  Number of VLANs:                                 4094
  Unicast MAC addresses:                           32768
  Overflow Unicast MAC addresses:                  512
  IGMP and Multicast groups:                       4096
  Overflow IGMP and Multicast groups:              512
  Directly connected routes:                       16384
  Indirect routes:                                 7168
  Security Access Control Entries:                 3072
  QoS Access Control Entries:                      2560
  Policy Based Routing ACEs:                       1024
  Netflow ACEs:                                    768
  Wireless Input Microflow policer ACEs:           256
  Wireless Output Microflow policer ACEs:          256
  Flow SPAN ACEs:                                  256
  Tunnels:                                         256
  Control Plane Entries:                           512
  Input Netflow flows:                             8192
  Output Netflow flows:                            16384
  SGT/DGT and MPLS VPN entries:                    3840
  SGT/DGT and MPLS VPN Overflow entries:           512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
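Two operational checks follow from the SDM discussion: a planned feature set must fit the template's TCAM allocation (remembering that IPv6 entries take twice the space, so overflow silently lands on the CPU), and every member of a stack must run the same template. The following added example, written for this edition and not the book's code, parses an excerpt of the show sdm prefer output above to make both checks. SW1's values are copied from Example 1-17; the second switch's output is constructed to show a mismatched VLAN template, using the Table 1-2 figure of 0 PBR ACEs.

```python
import re

# Excerpt of Example 1-17 (values from the chapter).
SW1_SDM = """SW1# show sdm prefer
Showing SDM Template Info

This is the Advanced (high scale) template.
  Number of VLANs:                                 4094
  Unicast MAC addresses:                           32768
  Directly connected routes:                       16384
  Indirect routes:                                 7168
  Security Access Control Entries:                 3072
  Policy Based Routing ACEs:                       1024
"""

# Constructed output for a second stack member running the VLAN template
# (PBR ACE count of 0 taken from Table 1-2; the rest mirrors SW1).
SW2_SDM = """SW2# show sdm prefer
Showing SDM Template Info

This is the VLAN template.
  Number of VLANs:                                 4094
  Unicast MAC addresses:                           32768
  Directly connected routes:                       16384
  Indirect routes:                                 7168
  Security Access Control Entries:                 3072
  Policy Based Routing ACEs:                       0
"""

TEMPLATE_RE = re.compile(r"^This is the (\w+)", re.M)
ROW_RE = re.compile(r"^\s*([A-Za-z][^:]+?):\s+(\d+)\s*$", re.M)


def parse_sdm(text):
    """Turn show sdm prefer output into {'template': name, 'resources': {name: count}}."""
    tpl = TEMPLATE_RE.search(text)
    return {"template": tpl.group(1) if tpl else None,
            "resources": {name.strip(): int(count) for name, count in ROW_RE.findall(text)}}


def effective_capacity(parsed, resource, ipv6=False):
    """IPv6 entries consume twice the entry size, so only half as many fit."""
    count = parsed["resources"][resource]
    return count // 2 if ipv6 else count


def check_fit(parsed, planned):
    """planned: {resource: (entries needed, is_ipv6)}.
    Returns the resources whose planned use exceeds the template and would overflow to the CPU."""
    return [res for res, (needed, ipv6) in planned.items()
            if needed > effective_capacity(parsed, res, ipv6)]


def stack_templates(outputs):
    """outputs: {switch name: show sdm prefer text}. A consistent stack returns a single-element set."""
    return {parse_sdm(text)["template"] for text in outputs.values()}
```

A result set with more than one template name from stack_templates is the condition the chapter's note warns about; check_fit is the pre-change test to run before enabling a feature that the chosen template allocates nothing for (PBR on the VLAN template, for instance).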
Part II Layer 2

Chapter 2 Spanning Tree Protocol

This chapter covers the following subjects:

Spanning Tree Protocol Fundamentals: This section provides an overview of how switches become aware of other switches and prevent forwarding loops.
Rapid Spanning Tree Protocol: This section examines the improvements made to STP for faster convergence.

A good network design provides redundancy in devices and network links (that is, paths). The simplest solution involves adding a second link between switches to overcome a network link failure or ensuring that a switch is connected to at least two other switches in a topology. However, such topologies cause problems when a switch must forward broadcasts or when unknown unicast flooding occurs. Network broadcasts forward in a continuous loop until the link becomes saturated, and the switch is forced to drop packets. In addition, the MAC address table must constantly change ports as the packets make loops. The packets continue to loop around the topology because there is not a time-to-live (TTL) mechanism for Layer 2 forwarding. The switch CPU utilization increases, as does memory consumption, which could result in the crashing of the switch.

This chapter explains how switches prevent forwarding loops while allowing for redundant links with the use of Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). Two other chapters also explain STP-related topics:

Chapter 3, "Advanced STP Tuning": Covers advanced STP topics such as BPDU guard and BPDU filter.
Chapter 4, "Multiple Spanning Tree Protocol": Covers Multiple Spanning Tree Protocol.

Foundation Topics: Spanning Tree Protocol Fundamentals

Spanning Tree Protocol (STP) enables switches to become aware of other switches through the advertisement and receipt of bridge protocol data units (BPDUs). STP builds a Layer 2 loop-free topology in an environment by temporarily blocking traffic on redundant ports.
STP operates by selecting a specific switch as the best switch and running a tree-based algorithm to identify which redundant ports should not forward traffic. STP has multiple iterations:

802.1D, which is the original specification
Per-VLAN Spanning Tree (PVST)
Per-VLAN Spanning Tree Plus (PVST+)
802.1W Rapid Spanning Tree Protocol (RSTP)
802.1S Multiple Spanning Tree Protocol (MST)

Catalyst switches now operate in PVST+, RSTP, and MST modes. All three of these modes are backward compatible with 802.1D.

IEEE 802.1D STP

The original version of STP comes from the IEEE 802.1D standards and provides support for ensuring a loop-free topology for one VLAN. This topic is vital to understand as a foundation for Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MST).

802.1D Port States

In 802.1D STP, every port transitions through the following states:

Disabled: The port is in an administratively off position (that is, shut down).
Blocking: The switch port is enabled, but the port is not forwarding any traffic to ensure that a loop is not created. The switch does not modify the MAC address table. It can only receive BPDUs from other switches.
Listening: The switch port has transitioned from a blocking state and can now send or receive BPDUs. It cannot forward any other network traffic. The duration of the state correlates to the STP forwarding time. The next port state is learning.
Learning: The switch port can now modify the MAC address table with any network traffic that it receives. The switch still does not forward any other network traffic besides BPDUs. The duration of the state correlates to the STP forwarding time. The next port state is forwarding.
Forwarding: The switch port can forward all network traffic and can update the MAC address table as expected. This is the final state for a switch port to forward network traffic.
Broken: The switch has detected a configuration or an operational problem on a port that can have major effects.
The port discards packets as long as the problem continues to exist.

Note
The entire 802.1D STP initialization takes about 30 seconds for a port to transition from a blocking to a forwarding state using default timers after a switch port transitions to a carrier-up state.

802.1D Port Types

The 802.1D STP standard defines the following three port types:

Root port (RP): A network port that connects to the root bridge or an upstream switch in the spanning-tree topology. There should be only one root port per VLAN on a switch.

Designated port (DP): A network port that receives and forwards BPDU frames to other switches. Designated ports provide connectivity to downstream devices and switches. There should be only one active designated port on a link.

Blocking port: A network port that is not forwarding traffic because of STP calculations.

STP Key Terminology

Several key terms are related to STP:

Root bridge: The root bridge is the most important switch in the Layer 2 topology. All of its ports are in a forwarding state. This switch is considered the top of the spanning tree for all path calculations by other switches. All ports on the root bridge are categorized as designated ports.

Bridge protocol data unit (BPDU): This network packet is used by network switches to identify a hierarchy and to notify of changes in the topology. A BPDU uses the destination MAC address 01:80:c2:00:00:00. There are two types of BPDUs:

Configuration BPDU: This type of BPDU is used to identify the root bridge, root ports, designated ports, and blocking ports. The configuration BPDU consists of the following fields: STP type, root path cost, root bridge identifier, local bridge identifier, max age, hello time, and forward delay.

Topology change notification (TCN) BPDU: This type of BPDU is used to communicate changes in the Layer 2 topology to other switches. It is explained in greater detail later in the chapter.
Root path cost: This is the combined cost for a specific path toward the root switch.

System priority: This 4-bit value indicates the preference for a switch to be root bridge. The default value is 32,768.

System ID extension: This 12-bit value indicates the VLAN that the BPDU correlates to. The system priority and system ID extension are combined as part of the switch’s identification of a bridge.

Root bridge identifier: This is a combination of the root bridge system MAC address, system ID extension, and system priority of the root bridge.

Local bridge identifier: This is a combination of the local switch’s bridge system MAC address, system ID extension, and system priority of the local bridge.

Max age: This is the maximum length of time that a bridge port stores its BPDU information. The default value is 20 seconds, but the value can be configured with the command spanning-tree vlan vlan-id max-age maxage. If a switch loses contact with the BPDU’s source, it assumes that the BPDU information is still valid for the duration of the Max Age timer.

Hello time: This is the time interval at which a BPDU is advertised out of a port. The default value is 2 seconds, but the value can be configured to 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.

Forward delay: This is the amount of time that a port stays in the listening and learning states. The default value is 15 seconds, but the value can be changed to a value of 4 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.

Note
STP was defined before modern switches existed. The devices that originally used STP were known as bridges. Switches perform the same role at a higher speed and scale while essentially bridging Layer 2 traffic. The terms bridge and switch are interchangeable in this context.
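The port states, the transitions between them, and the timer ranges listed above can be modeled in a few lines. The following is an added example, not code from the book or from Cisco: the state names come from the chapter, but the transition table, the validate_timers and time_to_forwarding helpers, and the Port class are my own, and the transitions allowed out of the broken state are an assumption, since the chapter only says that such a port discards packets while the problem persists.

```python
# Added example (not from the book or Cisco IOS): a small model of the
# 802.1D port states and the timers that move a port between them.
from dataclasses import dataclass, field

# What a port does in each state, per the chapter text:
# (receive BPDUs, send BPDUs, learn MAC addresses, forward user traffic)
STATE_CAPABILITIES = {
    "disabled":   (False, False, False, False),
    "blocking":   (True,  False, False, False),
    "listening":  (True,  True,  False, False),
    "learning":   (True,  True,  True,  False),
    "forwarding": (True,  True,  True,  True),
    "broken":     (False, False, False, False),  # discards while the fault persists
}

# Transitions the chapter describes; the exits from "broken" are assumed.
TRANSITIONS = {
    "disabled":   {"blocking"},
    "blocking":   {"listening", "disabled", "broken"},
    "listening":  {"learning", "blocking", "disabled"},
    "learning":   {"forwarding", "blocking", "disabled"},
    "forwarding": {"blocking", "disabled", "broken"},
    "broken":     {"blocking", "disabled"},
}


def validate_timers(hello_time=2, forward_delay=15, max_age=20):
    """Enforce the configurable ranges the chapter gives (hello 1-10 s,
    forward delay 4-30 s); max age only has a stated default of 20 s."""
    if not 1 <= hello_time <= 10:
        raise ValueError(f"hello time {hello_time}s is outside 1-10")
    if not 4 <= forward_delay <= 30:
        raise ValueError(f"forward delay {forward_delay}s is outside 4-30")
    if max_age <= 0:
        raise ValueError("max age must be positive")
    return hello_time, forward_delay, max_age


@dataclass
class Port:
    """One 802.1D port; `elapsed` counts the seconds spent in timed states."""
    forward_delay: int = 15
    state: str = "blocking"
    elapsed: int = 0
    history: list = field(default_factory=list)

    def transition(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal 802.1D transition {self.state} -> {new_state}")
        # Listening and learning each last one forward-delay interval.
        if self.state in ("listening", "learning"):
            self.elapsed += self.forward_delay
        self.history.append((self.state, new_state, self.elapsed))
        self.state = new_state
        return self.state

    def can_forward_data(self):
        return STATE_CAPABILITIES[self.state][3]


def time_to_forwarding(forward_delay=15):
    """Seconds from blocking to forwarding once the port starts listening."""
    validate_timers(forward_delay=forward_delay)
    port = Port(forward_delay=forward_delay)
    for nxt in ("listening", "learning", "forwarding"):
        port.transition(nxt)
    return port.elapsed  # 30 with default timers, matching the chapter's note
```

time_to_forwarding() returns 30 with the defaults and 8 with the minimum forward delay of 4 seconds, which is the trade-off behind the forward-time command: a shorter delay speeds convergence but shortens the window in which a transient loop is caught before the port forwards.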
Spanning Tree Path Cost

The interface STP cost is an essential component for root path calculation because the root path is found based on the cumulative interface STP cost to reach the root bridge. The interface STP cost was originally stored as a 16-bit value with a reference value of 20 Gbps. As switches have developed with higher-speed interfaces, 10 Gbps might not be enough. Another method, called long mode, uses a 32-bit value and a reference speed of 20 Tbps. The original method, known as short mode, has been the default for most switches but has been transitioning to long mode based on specific platforms and OS versions. Table 2-2 displays a list of interface speeds and the correlating interface STP costs.

Table 2-2 Default Interface STP Port Costs

Link Speed    Short-Mode STP Cost    Long-Mode STP Cost
10 Mbps       100                    2,000,000
100 Mbps      19                     200,000
1 Gbps        4                      20,000
10 Gbps       2                      2000
20 Gbps       1                      1000
100 Gbps      1                      200
1 Tbps        1                      20
10 Tbps       1                      2

Devices can be configured with the long-mode interface cost with the command spanning-tree pathcost method long. The entire Layer 2 topology should use the same setting on every device in the environment to ensure a consistent topology. Before you enable this setting in an environment, it is important to conduct an audit to ensure that the setting will work.

Building the STP Topology

This section focuses on the logic switches use to build an STP topology. Figure 2-1 shows the simple topology used here to demonstrate some important spanning tree concepts. The configurations on all the switches do not include any customizations for STP, and the focus is primarily on VLAN 1, but VLANs 10, 20, and 99 also exist in the topology. SW1 has been identified as the root bridge, and the RP, DP, and blocking ports have been identified visually to assist in the following sections.

Root Bridge Election

The first step with STP is to identify the root bridge.
As a switch initializes, it assumes that it is the root bridge and uses the local bridge identifier as the root bridge identifier. It then listens to its neighbor’s configuration BPDUs and does the following:

If the neighbor’s configuration BPDU is inferior to its own BPDU, the switch ignores that BPDU.

If the neighbor’s configuration BPDU is preferred to its own BPDU, the switch updates its BPDUs to include the new root bridge identifier along with a new root path cost that correlates to the total path cost to reach the new root bridge.

This process continues until all switches in a topology have identified the root bridge switch.

Figure 2-1 Basic STP Topology

STP deems a switch more preferable if the priority in the bridge identifier is lower than the priority in the other switch’s configuration BPDUs. If the priority is the same, then the switch prefers the BPDU with the lower system MAC.

Note
Generally, older switches have a lower MAC address and are considered more preferable. Configuration changes can be made to optimize placement of the root bridge in a Layer 2 topology and to prevent an inserted older switch from becoming the new root bridge.

In Figure 2-1, SW1 can be identified as the root bridge because its system MAC address (0062.ec9d.c500) is the lowest in the topology. This is further verified by using the command show spanning-tree root to display the root bridge. Example 2-1 demonstrates this command being executed on SW1. The output includes the VLAN number, root bridge identifier, root path cost, hello time, max age time, and forwarding delay. Because SW1 is the root bridge, all ports are designated ports, so the Root Port field is empty. Using this command is one way to verify that the connected switch is the root bridge for the VLAN.
Example 2-1 Verifying the STP Root Bridge

SW1# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 0062.ec9d.c500         0     2  20  15
VLAN0010         32778 0062.ec9d.c500         0     2  20  15
VLAN0020         32788 0062.ec9d.c500         0     2  20  15
VLAN0099         32867 0062.ec9d.c500         0     2  20  15

In Example 2-1, notice that the root bridge priority on SW1 for VLAN 1 is 32,769 and not 32,768. The priority in the configuration BPDU packets is actually the priority plus the value of the sys-id-ext (which is the VLAN number). You can confirm this by looking at VLAN 10, which has a priority of 32,778, which is 10 higher than 32,768.

When a switch generates the BPDUs, the root path cost includes only the calculated metric to the root and does not include the cost of the port that the BPDU is advertised out of. The receiving switch adds the port cost of the interface on which the BPDU was received to the value of the root path cost in the BPDU. The root path cost is always zero on the root bridge. Figure 2-2 illustrates the root path cost as SW1 advertises the configuration BPDUs toward SW3 and then SW3’s configuration BPDUs toward SW5.

Figure 2-2 STP Path Cost Advertisements

Example 2-2 shows the output of the show spanning-tree root command run on SW2 and SW3. The Root ID field is exactly the same as for SW1, but the root path cost has changed to 4 because both switches must use the 1 Gbps link to reach SW1. Gi1/0/1 has been identified on both switches as the root port.
Example 2-2 Identifying the Root Ports

SW2# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0010         32778 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0020         32788 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0099         32867 0062.ec9d.c500         4     2  20  15  Gi1/0/1

SW3# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0010         32778 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0020         32788 0062.ec9d.c500         4     2  20  15  Gi1/0/1
VLAN0099         32867 0062.ec9d.c500         4     2  20  15  Gi1/0/1

Locating Root Ports

After the switches have identified the root bridge, they must determine their root port (RP). The root bridge continues to advertise configuration BPDUs out all of its ports. The switch compares the BPDU information received on its ports to identify the RP. The RP is selected using the following logic (where the next criterion is used in the event of a tie):

1. The interface associated with the lowest path cost is preferred.

2. The interface associated with the lowest system priority of the advertising switch is preferred next.

3. The interface associated with the lowest system MAC address of the advertising switch is preferred next.

4. When multiple links are associated with the same switch, the lowest port priority from the advertising switch is preferred.

5. When multiple links are associated with the same switch, the lowest port number from the advertising switch is preferred.

Example 2-3 shows the output of running the command show spanning-tree root on SW4 and SW5. The Root ID field is exactly the same as on SW1, SW2, and SW3 in Examples 2-1 and 2-2. However, the root path cost has changed to 8 on SW4 and SW5 because both switches must traverse two 1 Gbps links to reach SW1.
Gi1/0/2 was identified as the RP for SW4, and Gi1/0/3 was identified as the RP for SW5.

Example 2-3 Identifying the Root Ports on SW4 and SW5

SW4# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 0062.ec9d.c500         8     2  20  15  Gi1/0/2
VLAN0010         32778 0062.ec9d.c500         8     2  20  15  Gi1/0/2
VLAN0020         32788 0062.ec9d.c500         8     2  20  15  Gi1/0/2
VLAN0099         32867 0062.ec9d.c500         8     2  20  15  Gi1/0/2

SW5# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 0062.ec9d.c500         8     2  20  15  Gi1/0/3
VLAN0010         32778 0062.ec9d.c500         8     2  20  15  Gi1/0/3
VLAN0020         32788 0062.ec9d.c500         8     2  20  15  Gi1/0/3
VLAN0099         32867 0062.ec9d.c500         8     2  20  15  Gi1/0/3

The root bridge can be located for a specific VLAN by using the command show spanning-tree root and then examining the CDP or LLDP neighbor information to identify the host name of the switch on the other side of the RP. The process can be repeated, switch by switch, until the root bridge is reached.

Locating Blocked Designated Switch Ports

Now that the root bridge and RPs have been identified, all other ports are considered designated ports. However, if two non-root switches are connected to each other on their designated ports, one of those switch ports must be set to a blocking state to prevent a forwarding loop. In our sample topology, this applies to the following links:

SW2 Gi1/0/3 ←→ SW3 Gi1/0/2
SW4 Gi1/0/5 ←→ SW5 Gi1/0/4
SW4 Gi1/0/6 ←→ SW5 Gi1/0/5

The logic to calculate which ports should be blocked between two non-root switches is as follows:

1. The interface is a designated port and must not be considered an RP.

2. The switch with the lower path cost to the root bridge forwards packets, and the one with the higher path cost blocks. If they tie, they move on to the next step.

3. The system priority of the local switch is compared to the system priority of the remote switch. The local port is moved to a blocking state if the remote system priority is lower than that of the local switch. If they tie, they move on to the next step.

4. The system MAC address of the local switch is compared to the system MAC address of the remote switch. The local designated port is moved to a blocking state if the remote system MAC address is lower than that of the local switch.

All three links (SW2 Gi1/0/3 ←→ SW3 Gi1/0/2, SW4 Gi1/0/5 ←→ SW5 Gi1/0/4, and SW4 Gi1/0/6 ←→ SW5 Gi1/0/5) would use step 4 of the process just listed to identify which port moves to a blocking state. SW3’s Gi1/0/2, SW5’s Gi1/0/4, and SW5’s Gi1/0/5 ports would all transition to a blocking state because the MAC addresses are lower for SW2 and SW4. SW5 does not need to examine port numbers or priorities for the Gi1/0/4 and Gi1/0/5 interfaces because SW4 is not in the root path.

The command show spanning-tree [vlan vlan-id] provides useful information for locating a port’s STP state. In Example 2-4, this command is used to show SW1’s STP information for VLAN 1. The first portion of the output displays the relevant root bridge’s information, which is followed by the local bridge’s information. Each interface’s STP port cost, port priority, and port type are also displayed. All of SW1’s ports are designated ports (Desg) because SW1 is the root bridge. These port types are expected on Catalyst switches:

Point-to-point (P2P): This port type connects with another network device (PC or RSTP switch).

P2P edge: This port type specifies that portfast is enabled on this port.

Example 2-4 Viewing SW1’s STP Information

SW1# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
! This section displays the relevant information for the STP root bridge
  Root ID    Priority    32769
             Address     0062.ec9d.c500
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
! This section displays the relevant information for the Local STP bridge
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0062.ec9d.c500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/3             Desg FWD 4         128.3    P2p
Gi1/0/14            Desg FWD 4         128.14   P2p Edge

Note
If the Type field includes *TYPE_Inc -, this indicates a port configuration mismatch between this Catalyst switch and the switch it is connected to. Common issues are the port type being incorrect and the port mode (access versus trunk) being misconfigured.

Example 2-5 shows the STP topology for SW2 and SW3. Notice that in the first root bridge section, the output provides the total root path cost and the port on the switch that is identified as the RP. All the ports on SW2 are in a forwarding state, but port Gi1/0/2 on SW3 is in a blocking (BLK) state. Specifically, SW3’s Gi1/0/2 port has been designated as an alternate port to reach the root in the event that the Gi1/0/1 connection fails. The reason that SW3’s Gi1/0/2 port rather than SW2’s Gi1/0/3 port was placed into a blocking state is that SW2’s system MAC address (0081.c4ff.8b00) is lower than SW3’s system MAC address (189c.5d11.9980). This can be deduced by looking at the system MAC addresses in the output and confirmed by the topology in Figure 2-1.
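The root election, root port selection, and designated/blocking port rules from the preceding sections can be reproduced with a small simulation, which is a useful sanity check before reading the show output that follows. The following is an added example, not code from the book or from Cisco: it runs the Figure 2-1 topology through those rules. Everything it knows about the figure comes from the show output in Examples 2-1 through 2-5 (the MAC addresses of SW1, SW2, and SW3 and the port numbers of the links); the MAC addresses of SW4 and SW5 are constructed placeholders, and the placement of SW4 behind SW2 Gi1/0/4 and SW5 behind SW3 Gi1/0/5 is an assumption that matches the costs and root ports in Example 2-3. The function names compute_stp, port_cost, bridge_id, and figure_2_1 are mine.

```python
# Added example (not from the book or Cisco IOS): a simulation of the root
# bridge election, root port (RP) selection and designated/blocking port
# decisions described in this chapter, run on the Figure 2-1 topology.
from collections import defaultdict

INF = float("inf")
DEFAULT_PORT_PRIORITY = 128  # every port in the chapter's output shows 128.x

# Table 2-2: short mode is a fixed table, long mode is 20 Tbps / link speed.
SHORT_MODE_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2, 20_000: 1,
                   100_000: 1, 1_000_000: 1, 10_000_000: 1}


def port_cost(speed_mbps, method="short"):
    """Interface STP cost for a link speed in Mbps (Table 2-2)."""
    if method == "long":
        return 20_000_000 // speed_mbps
    return SHORT_MODE_COST[speed_mbps]


def bridge_id(priority, vlan, mac):
    """Bridge identifier as compared in BPDUs: (priority + sys-id-ext, MAC)."""
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_number(ifname):
    """Gi1/0/14 -> 14, the Nbr half of the Prio.Nbr column."""
    return int(ifname.rsplit("/", 1)[1])


# Figure 2-1 as far as the chapter's show output reveals it. SW1/SW2/SW3 MACs
# are the ones printed in Examples 2-1 to 2-5; SW4 and SW5 MACs are
# CONSTRUCTED placeholders (the text only says SW4's is lower than SW5's).
# ASSUMPTION: SW4 hangs off SW2 Gi1/0/4 and SW5 off SW3 Gi1/0/5, which is
# consistent with the root ports and costs shown in Example 2-3.
FIGURE_2_1_SWITCHES = {  # name: (system priority, system MAC)
    "SW1": (32768, "0062.ec9d.c500"),
    "SW2": (32768, "0081.c4ff.8b00"),
    "SW3": (32768, "189c.5d11.9980"),
    "SW4": (32768, "aaaa.aaaa.0004"),  # constructed
    "SW5": (32768, "aaaa.aaaa.0005"),  # constructed
}
FIGURE_2_1_LINKS = [  # (switch A, port A, switch B, port B, speed in Mbps)
    ("SW1", "Gi1/0/2", "SW2", "Gi1/0/1", 1_000),
    ("SW1", "Gi1/0/3", "SW3", "Gi1/0/1", 1_000),
    ("SW2", "Gi1/0/3", "SW3", "Gi1/0/2", 1_000),
    ("SW2", "Gi1/0/4", "SW4", "Gi1/0/2", 1_000),  # assumed placement
    ("SW3", "Gi1/0/5", "SW5", "Gi1/0/3", 1_000),  # assumed placement
    ("SW4", "Gi1/0/5", "SW5", "Gi1/0/4", 1_000),
    ("SW4", "Gi1/0/6", "SW5", "Gi1/0/5", 1_000),
]


def compute_stp(vlan, switches, links, method="short", priorities=None):
    """Return the root, each switch's root path cost and RP, and a role
    ("Root", "Desg" or "Altn") for every port that appears in `links`."""
    priorities = priorities or {}  # optional per-switch priority overrides
    bid = {n: bridge_id(priorities.get(n, p), vlan, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)  # lowest priority, then lowest MAC, wins
    adj = defaultdict(list)
    for a, ia, b, ib, spd in links:
        adj[a].append((ia, b, ib, spd))
        adj[b].append((ib, a, ia, spd))
    root_cost = {n: 0 if n == root else INF for n in switches}
    root_port = {n: None for n in switches}
    changed = True
    while changed:  # relax until no switch sees a better BPDU
        changed = False
        for n in switches:
            if n == root:
                continue
            best = None
            for local_if, nbr, nbr_if, spd in adj[n]:
                if root_cost[nbr] == INF:
                    continue  # neighbour has not heard from the root yet
                # The received BPDU carries the neighbour's root path cost; the
                # receiver adds the cost of the interface it arrived on. The
                # remaining fields mirror RP tie-break rules 2 to 5.
                cand = (root_cost[nbr] + port_cost(spd, method), bid[nbr],
                        DEFAULT_PORT_PRIORITY, port_number(nbr_if), local_if)
                if best is None or cand < best:
                    best = cand
            if best and (best[0], best[4]) != (root_cost[n], root_port[n]):
                root_cost[n], root_port[n] = best[0], best[4]
                changed = True
    roles = {n: {} for n in switches}
    for a, ia, b, ib, spd in links:
        # On each link the side advertising the better BPDU is designated; the
        # other side is the RP if the switch chose it, otherwise it blocks.
        adv_a = (root_cost[a], bid[a], DEFAULT_PORT_PRIORITY, port_number(ia))
        adv_b = (root_cost[b], bid[b], DEFAULT_PORT_PRIORITY, port_number(ib))
        win, win_if, lose, lose_if = (a, ia, b, ib) if adv_a < adv_b else (b, ib, a, ia)
        roles[win][win_if] = "Desg"
        roles[lose][lose_if] = "Root" if root_port[lose] == lose_if else "Altn"
    return {"root": root, "bid": bid, "root_cost": root_cost,
            "root_port": root_port, "roles": roles}


def figure_2_1(vlan=1, **kw):
    return compute_stp(vlan, FIGURE_2_1_SWITCHES, FIGURE_2_1_LINKS, **kw)
```

figure_2_1() returns SW1 as the root with cost 4 on SW2 and SW3 and 8 on SW4 and SW5, and marks SW3 Gi1/0/2, SW5 Gi1/0/4, and SW5 Gi1/0/5 as alternate (Altn), which is exactly what Examples 2-1 through 2-5 display. Calling figure_2_1(priorities={"SW3": 4096}) shows how lowering a single switch's priority moves the root and reshapes every RP, which is the configuration lever the earlier Note refers to when it warns that an inserted older switch with a lower MAC would otherwise win the election.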
Example 2-5 Verifying the Root and Blocking Ports for a VLAN

SW2# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0062.ec9d.c500
             Cost        4
             Port        1 (GigabitEthernet1/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0081.c4ff.8b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Root FWD 4         128.1    P2p
Gi1/0/3             Desg FWD 4         128.3    P2p
Gi1/0/4             Desg FWD 4         128.4    P2p

SW3# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
! This section displays the relevant information for the STP root bridge
  Root ID    Priority    32769
             Address     0062.ec9d.c500
             Cost        4
             Port        1 (GigabitEthernet1/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
! This section displays the relevant information for the Local STP bridge
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     189c.5d11.9980
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Root FWD 4         128.1    P2p
Gi1/0/2             Altn BLK 4         128.2    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p

Verification of VLANs on Trunk Links

All the interfaces that participate in a VLAN are listed in the output of the command show spanning-tree. Using this command can be a daunting task for trunk ports that carry multiple VLANs. The output includes the STP state for every VLAN on an interface for every switch interface. The command show spanning-tree interface interface-id [detail] drastically reduces the output to the STP state for only the specified interface. The optional detail keyword provides information on port cost, port priority, number of transitions, link type, and count of BPDUs sent or received for every VLAN supported on that interface.
Example 2-6 demonstrates the use of both iterations of the command. If a VLAN is missing on a trunk port, you can check the trunk port configuration for accuracy. Trunk port configuration is covered in more detail in Chapter 5, “VLAN Trunks and EtherChannel Bundles.” A common problem is that a VLAN may be missing from the allowed VLANs list for that trunk interface.

Example 2-6 Viewing VLANs Participating with STP on an Interface

SW3# show spanning-tree interface gi1/0/1
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Root FWD 4         128.1    P2p
VLAN0010            Root FWD 4         128.1    P2p
VLAN0020            Root FWD 4         128.1    P2p
VLAN0099            Root FWD 4         128.1    P2p

SW3# show spanning-tree interface gi1/0/1 detail
! Output omitted for brevity
 Port 1 (GigabitEthernet1/0/1) of VLAN0001 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 0062.ec9d.c500
   Designated bridge has priority 32769, address 0062.ec9d.c500
   Designated port id is 128.3, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 15, received 45908

 Port 1 (GigabitEthernet1/0/1) of VLAN0010 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32778, address 0062.ec9d.c500
   Designated bridge has priority 32778, address 0062.ec9d.c500
   Designated port id is 128.3, designated path cost 0
   Timers: message age 15, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 15, received 22957..

STP Topology Changes

In a stable Layer 2 topology, configuration BPDUs always flow from the root bridge toward the edge switches. However, changes in the topology (for example, switch failure, link failure, or links becoming active) have an impact on all the switches in the Layer 2 topology.
The switch that detects a link status change sends a topology change notification (TCN) BPDU toward the root bridge, out its RP. If an upstream switch receives the TCN, it sends out an acknowledgment and forwards the TCN out its RP to the root bridge. Upon receipt of the TCN, the root bridge creates a new configuration BPDU with the Topology Change flag set, and it is then flooded to all the switches.

When a switch receives a configuration BPDU with the Topology Change flag set, it changes its MAC address aging timer to the forward delay timer (with a default of 15 seconds). This flushes out MAC addresses for devices that have not communicated in that 15-second window but keeps MAC addresses for devices that are actively communicating. Flushing the MAC address table prevents a switch from sending traffic to a host that is no longer reachable by that port. However, a side effect of flushing the MAC address table is that it temporarily increases unknown unicast flooding while the table is rebuilt. Remember that this can impact hosts because of their CSMA/CD behavior. The MAC address timer is then reset to normal (300 seconds by default) after the second configuration BPDU is received.

TCNs are generated on a VLAN basis, so the impact of TCNs directly correlates to the number of hosts in a VLAN. As the number of hosts increases, TCN generation becomes more likely, and more hosts are impacted by the broadcasts. Topology changes should be checked as part of the troubleshooting process. Chapter 3 describes mechanisms such as portfast that modify this behavior and reduce the generation of TCNs.

Topology changes are seen with the command show spanning-tree [vlan vlan-id] detail on a switch bridge. The output of this command shows the topology change count and the time since the last change occurred.
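The MAC aging change described above, which is what actually removes stale entries after a topology change, as an added example that is not code from the book or from Cisco: the MacTable class and its receive_config_bpdu method are my own, the three hosts and their timestamps in simulate_topology_change are constructed, and the rule that a configuration BPDU without the flag restores the 300-second timer follows the chapter's description.

```python
# Added example (not from the book or Cisco IOS): how a configuration BPDU
# with the Topology Change flag shortens MAC aging from 300 s to the forward
# delay (15 s), flushing idle entries while keeping hosts that still talk.
DEFAULT_AGING = 300   # seconds; the "Aging Time 300 sec" in Examples 2-4/2-5
FORWARD_DELAY = 15    # seconds; default forward delay


class MacTable:
    def __init__(self, forward_delay=FORWARD_DELAY, aging=DEFAULT_AGING):
        self.entries = {}            # mac -> (port, last_seen_seconds)
        self.default_aging = aging
        self.forward_delay = forward_delay
        self.aging = aging           # aging timer currently in force

    def learn(self, mac, port, now):
        """Source-MAC learning: every frame refreshes the entry's timestamp."""
        self.entries[mac] = (port, now)

    def expire(self, now):
        """Drop entries whose last frame is older than the current aging timer."""
        stale = [m for m, (_, seen) in self.entries.items() if now - seen > self.aging]
        for m in stale:
            del self.entries[m]
        return sorted(stale)

    def receive_config_bpdu(self, now, topology_change):
        """TC flag set: age entries with the forward delay. A later
        configuration BPDU without the flag restores the normal timer."""
        self.aging = self.forward_delay if topology_change else self.default_aging
        return self.expire(now)

    def lookup(self, mac):
        """Egress port for a destination MAC, or None (unknown unicast: flood)."""
        entry = self.entries.get(mac)
        return entry[0] if entry else None


def simulate_topology_change():
    """Constructed scenario: three hosts learned on a switch, then a TC BPDU
    arrives at t=100 s followed by a normal configuration BPDU at t=102 s."""
    table = MacTable()
    # Constructed sample hosts and times (not from the chapter).
    table.learn("0011.2233.0001", "Gi1/0/4", now=97)   # active 3 s ago
    table.learn("0011.2233.0002", "Gi1/0/4", now=40)   # silent for 60 s
    table.learn("0011.2233.0003", "Gi1/0/3", now=86)   # 14 s ago, inside the window
    flushed = table.receive_config_bpdu(now=100, topology_change=True)
    aging_during_tc = table.aging
    table.receive_config_bpdu(now=102, topology_change=False)
    return {
        "flushed": flushed,                       # only the silent host
        "aging_during_tc": aging_during_tc,       # 15
        "aging_after": table.aging,               # back to 300
        "host1_port": table.lookup("0011.2233.0001"),
        "host2_port": table.lookup("0011.2233.0002"),  # None: flooded until relearned
        "host3_port": table.lookup("0011.2233.0003"),
    }
```

The result of simulate_topology_change() shows the asymmetry the text describes: only the host silent for 60 seconds is flushed, the two hosts seen within the 15-second window keep their entries, and frames for the flushed host are flooded as unknown unicast until it transmits again.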
A sudden or continuous increase in TCNs indicates a potential problem and should be investigated further for flapping ports or events on a connected switch. Example 2-7 displays the output of the show spanning-tree vlan 10 detail command. Notice that it includes the time since the last TCN was detected and the interface from which the TCN originated.

Example 2-7 Viewing a Detailed Version of Spanning Tree State

SW1# show spanning-tree vlan 10 detail
 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 10, address 0062.ec9d.c500
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 42 last change occurred 01:02:09 ago
          from GigabitEthernet1/0/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

The process of determining why TCNs are occurring involves checking a port to see whether it is connected to a host or to another switch. If it is connected to another switch, you need to connect to that switch and repeat the process of examining the STP details. You might need to examine CDP tables or your network documentation. You can execute the show spanning-tree [vlan vlan-id] detail command again on each switch in turn until you reach the last switch in the topology, which identifies the problematic port.

Converging with Direct Link Failures

When a switch loses power or reboots, or when a cable is removed from a port, the Layer 1 signaling places the port into a down state, which can notify other processes, such as STP. STP considers such an event a direct link failure and can react in one of three ways, depending on the topology. This section explains each of these three possible scenarios with a simple three-switch topology where SW1 is the root switch.
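For monitoring rather than one-off troubleshooting, the counters in Example 2-7 can be scraped from two successive polls and compared, so that a rising change rate is flagged instead of being noticed after the fact. The following is an added example and is not code from the book or from Cisco: parse_stp_detail, hms_to_seconds, and tcn_rate are my own helpers, SNAPSHOT_A is the Example 2-7 output, SNAPSHOT_B is a constructed later capture of the same switch, and the one-change-per-minute alert threshold is an arbitrary starting point, not a Cisco value.

```python
# Added example (not from the book or Cisco IOS): parse the counters from
# `show spanning-tree vlan <id> detail` and compare two snapshots to flag a
# rising topology-change rate and the port the last change came from.
import re

# SNAPSHOT_A is Example 2-7 from the chapter; SNAPSHOT_B is a CONSTRUCTED later
# capture of the same switch in which the change count has grown.
SNAPSHOT_A = """\
VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 10, address 0062.ec9d.c500
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 42 last change occurred 01:02:09 ago
          from GigabitEthernet1/0/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300
"""
SNAPSHOT_B = SNAPSHOT_A.replace("changes 42 last change occurred 01:02:09",
                                "changes 57 last change occurred 00:00:08")

_CHANGES = re.compile(r"Number of topology changes (\d+) last change occurred (\S+) ago\s+from (\S+)")
_VLAN = re.compile(r"^\s*(VLAN\d+) is executing", re.M)
_IDENT = re.compile(r"Bridge Identifier has priority (\d+), sysid (\d+), address (\S+)")
_TC_FLAG = re.compile(r"Topology change flag (not set|set)")


def hms_to_seconds(hms):
    """'01:02:09' -> 3729."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_stp_detail(text):
    """Pull the fields a monitor cares about out of one VLAN's detail output."""
    m = _CHANGES.search(text)
    if not m:
        raise ValueError("topology change counters not found in output")
    ident = _IDENT.search(text)
    return {
        "vlan": _VLAN.search(text).group(1),
        "is_root": "We are the root of the spanning tree" in text,
        "tc_flag_set": _TC_FLAG.search(text).group(1) == "set",
        "bridge_priority": int(ident.group(1)),  # 32768 here: priority without sys-id-ext
        "sysid": int(ident.group(2)),
        "mac": ident.group(3),
        "changes": int(m.group(1)),
        "last_change_secs_ago": hms_to_seconds(m.group(2)),
        "last_change_from": m.group(3),
    }


def tcn_rate(before, after, interval_secs, alert_per_min=1.0):
    """Topology changes per minute between two polls of the same VLAN, and
    whether that rate crosses the (arbitrary) alert threshold."""
    if before["vlan"] != after["vlan"]:
        raise ValueError("snapshots are for different VLANs")
    delta = after["changes"] - before["changes"]
    if delta < 0:  # counter restarted (reload or cleared): count from zero
        delta = after["changes"]
    per_min = delta * 60 / interval_secs
    return {"delta": delta, "per_min": per_min,
            "alert": per_min >= alert_per_min,
            "source": after["last_change_from"]}
```

With a five-minute poll interval, tcn_rate(parse_stp_detail(SNAPSHOT_A), parse_stp_detail(SNAPSHOT_B), 300) reports 15 changes, 3.0 per minute, and names GigabitEthernet1/0/2 as the port to walk toward with the CDP or LLDP tables, which is the manual procedure the paragraph above describes.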
Direct Link Failure Scenario 1

In the first scenario, the link between SW2 and SW3 fails. SW2’s Gi1/0/3 port is the DP, and SW3’s Gi1/0/2 port is in a blocking state. Because SW3’s Gi1/0/2 port is already in a blocking state, there is no impact to traffic between the two switches, as they both transmit data through SW1. Both SW2 and SW3 will advertise a TCN toward the root switch, which results in the Layer 2 topology flushing its MAC address table.

Direct Link Failure Scenario 2

In the second scenario, the link between SW1 and SW3 fails. Network traffic from SW1 or SW2 toward SW3 is impacted because SW3’s Gi1/0/2 port is in a blocking state. Figure 2-3 illustrates the failure scenario and the events that occur to stabilize the STP topology:

Figure 2-3 Convergence with Direct Link Failure Between SW1 and SW3

Phase 1. SW1 detects a link failure on its Gi1/0/3 interface. SW3 detects a link failure on its Gi1/0/1 interface.

Phase 2. Normally, SW1 would generate a TCN flag out its root port, but it is the root bridge, so it does not. SW1 would advertise a TCN if it were not the root bridge. SW3 removes its best BPDU received from SW1 on its Gi1/0/1 interface because it is now in a down state. At this point, SW3 would attempt to send a TCN toward the root switch to