Week 3 Notes

VTP Troubleshooting
> show interface trunk
> show vlan brief
> show vtp status
- Domain name is case-sensitive and must match
- Password must match (MD5 hash)
- Versions also must match

VTP Troubleshooting 2
> show interface switchport
> show interface trunk
- VTP requires trunk links
- NO on both sides - Administrative Mode: dynamic auto 
=> set one side to dynamic desirable
Switch1(config)#interface g0/0 
Switch1(config-if)#switchport mode dynamic desirable

===PacketTracer Configuration - Section184===
Switch>en
Switch#conf t
Switch(config)#int range g0/0-3
Switch(config-if)#no shut
Switch(config-if)#int vlan 1
Switch(config-if)#ip address 10.1.100.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#vlan 10
Switch(config-if)#ip address 10.1.10.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#vlan 20
Switch(config-if)#ip address 10.1.20.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#end
Switch#conf t
Switch(config)#host S1
S1(config)#vtp mode transparent
S1(config)#end
S1#copy running-config startup-config

DTP Dynamic Trunking Protocol
- Dyanmically negotiate the forming of trunks
- Cisco proprietary protocol, but better to disable it and configure trunking manually
2 Types of DTP:
1) Dynamic Auto - does not initiate trunking, waits for the other side to initiate trunk
2) Dynamic Desirable - initiates trunking

===PacketTracer Configuration - Section189===
Switch>en
Switch#conf t
Switch(config)#int range g0/0-3
Switch(config-if-range)#switchport trunk encapsulation dot1q
((Alternatively)) Switch(config-if-range)#switchport trunk allowed vlan 1 (or all)
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport nonegotiate

For a PC/Router to talk to the switch on vlan 10 for ex., the switch must set its access port
Switch>en
Switch#conf t
Switch(config)#int g1/0
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport nonegotiate

===VLAN Simulations - Section193===
Create VLAN 2 on the switch with the name of sales
Configure interface FastEthernet 0/1 as an access port
Put interface FastEthernet 0/1 in VLAN 2
Enable FastEthernet 0/1

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# vlan 2
Switch1(config-vlan)# host sales
Switch1(config-vlan)# int f0/1
Switch1(config-vlan)# switchport mode access
Switch1(config-vlan)# switchport access vlan 2
Switch1(config-vlan)# no shut

===VLAN Simulations - Section194===
FastEthernet 0/2 has a critical server connected to it
Configure the port as an access port
Set the speed to 100Mbps and full duplex
Put the port into VLAN 2
Enable the interface
Set a description to 'Main Server'

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# int f0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# speed 100
Switch1(config-if)# duplex full
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# no shut
Switch1(config-if)# description Main Server

===VLAN Simulations - Section196===
The Switch supports both ISL and 802.1Q. You will therefore need to configure the encapsulation to dot1q
Manually configure the port as a trunk
Set the native vlan to 99
Disable Dynamic Trunking Protocol
Allow only vlan 1,10,20,30 and 99 on the trunk
Enable the interface

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# int f0/23
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk 
Switch1(config-if)# switchport trunk native vlan 99
Switch1(config-if)# switchport nonegotiate
Switch1(config-if)# switchport trunk allowed vlan 1,10,20,30,99
Switch1(config-if)# no shut

===VLAN Simulations - Section197===
Configure Switch1 as a VTP server and Switch2 as a VTP client
Set the VTP domain to gns3.com
Set the VTP password to cisco
Enable VTP pruning

Switch2> en
Switch2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch2(config)# vtp mode client (vtp mode server on Switch1)
Setting device to VTP mode client
Switch2(config)# vtp domain gns3.com
Changing VTP domain name from NULL to gns3.com
Switch2(config)# vtp password cisco
Setting device VLAN database password to cisco
Switch2(config)# vtp pruning

===VLAN Simulations - Section198===
Delete the VLAN database on the switch (don't forget to reload the switch)

Switch1> en
Switch1# delete flash:vlan.dat 
Switch1# reload

===VLAN Simulations - Section199===
Configure interface FastEthernet 0/1 to negotiate from nontrunk to trunk mode
Both sides should be able to initiate negotiation.
Enable the interface.

Switch2> en
Switch2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch2(config)# int f0/1
Switch2(config-if)# switchport mode dynamic desirable
Switch2(config-if)# no shut

===VLAN Simulations - Section200===
Configure interface FastEthernet 0/1 to negotiate from nontrunk to trunk mode
Only Switch 1 should be able to initiate negotiation.
Switch 2 should only become a trunk if Switch1 initiates trunking.
Enable the interface.

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# int f0/1
Switch1(config-if)# switchport mode dynamic desirable
Switch1(config-if)# no shut

______________________________________________________

Spanning Tree (802.1D)
- Used to avoid loops in Layer 2 (MAC Address) environments
- Slow convergence due to its design was for bridges (uses software for calculation, rather than switches uses hardware)
- Therefore, superseeded by Rapid Spanning Tree and Multiple Spanning Tree

Types of Spanning Trees:
1) CST Common Spanning Tree - Assumes one spanning tree for the entire bridged network regardless of # of vlans
2) PVST Per VLAN Spanning Tree (superseeded CST) - Cisco's version of Spanning Tree, each VLAN has its own Spanning Tree
3) MSTP Multiple Spanning Tree - Maps multiple VLANs into same Spanning Tree instances (ex. instead of 200 VLANs, having 200 spanning trees, MSTP -> 1-100 VLANs into Instance1, 101-200 VLANs into Instance2)
4) RSTP Rapid Spanning Tree is built into MSTP - RSTP assigns roles to ports, much quicker convergence, but only support a single instance
5) **Rapid PVST+ (Cisco switches use this by default) 
- One Spanning Tree instance per VLAN
- With Rapid Convergence 
**Summary**
10 VLANs -> Use Rapid PVS+
100-1000+ VLANs -> MSTP

PVST
- Could take 50 seconds for ports to start forwarding traffic 
**** Blocking20s > Listening15s(Sending BPDUs, not updating MAC address table) > Learning15s(Updating MAC Address table) > Forwarding

BPDU Bridge Protocols Data Units
- When running spanning tree, BPDUs are sent out of every port on switches every 2 seconds
- Switches learn about each other through **receiving BPDUs from the same switch on multiple ports
ex. Switch B receives multiple BPDUs on multiple ports from Switch A. So Switch B learns about Switch A - there must be a loop
- BPDUs are 8 byte value - unique to the switch (2 byte priority field, 6 byte system ID (burnt in MAC address))

3 kinds of BPDUs
- Uses 802.3 Ethernet
1) Configuration BPDU - used by Spanning Tree to provide information to switches
2) Topology change BPDU - tell switches of a change
3) Acknowledgement BPDU - confirm the receipt of a topology change in notification

==View Spanning Tree==
Switch>en
Switch#sh spanning-tree

Decisions of Spanning Tree
1) Determine Root Bridge
- Root Bridge (only forwards traffic - outgoing device) is based on lowest Priority #, if its tie, then it is determined by lowest MAC Address #
- Root Bridge default is 32768 + Vlan # (if VLAN 1, then 32769)
2) Every non Root Bridge switch needs to determine Root Port (sh spanning-tree)
- Root Port is its best port to get to Root Bridge based on:
1) lowest path cost 
2) if lowest path cost are equal, then lowest neighbour ID
3) if lowest neighbour ID are equal, then lowest port priority
4) if not 3) lastly lowest port ID
~Path Cost old IEEE = 100/19/4/2, Path Cost new IEEE = 2,000,000/200,000/etc...
3) To check this in WireShark... Bridge Identifier # > Root Identifier #, if it is the other way around, then the switch in question is the Root Bridge

PVST+  Rapid per VLAN Spanning Tree Extended Bridge ID
- Rapid PVST+ Extended Bridge ID
- Each VLAN in Spanning Tree must be unique and based on MAC Address
- In theory then.... for a switch that is capable of 4096VLANs would use 4096MAC Address, thats not feasible... therefore, Extended Bridge ID is used.
[Original Bridge ID = 8 bytes]
Bridge Priority (2bytes) | MAC Address (6bytes)
[*Extended Bridge ID = 8 bytes]
Bridge Priority (4bits) + Extended System ID (12bits) | MAC Address (6bytes)
- Bridge Priority is a number you can set (default: 32768)
- Extended System ID is populated by VLAN number
... because bridge priority is 4 bits and in the most left, it is 0, 4096,... increments of 4096
- Because PVST+ could take 30seconds to converge, some ports are set as "Edge Ports or Port Fast Ports" on Access Ports (do not enable on Trunk Ports - create loops) 
**Edge Ports or Port Fast Ports immediately transitions to the forwarding state. Skips Blocking, Listening and Learning states, goes directly to Forwarding state

Path Cost
- Cost to get to root bridge/switch
- Calculated from the sum of cost of a port and the number of links
- Changing between IEEE Cost 1998 100/19/4/2 vs IEEE Cost 2004 2,000,000/200,000/20,000/2,000 
-> Use command Spanning-Tree pathcost method long

==Change root priority of switch==
Switch>en
Switch#conf t
Switch(config)#spanning-tree vlan 1 root primary
OR 
Switch(config)#spanning-tree vlan 1 priority 0
==Change spanning-tree mode to pvst==
Switch#config)#spanning-tree mode pvst
==Change spanning-tree mode to rapid-pvst (rpvst)==
Switch#config)#spanning-tree mode rapid-pvst [recall rapid pvst, convergence takes a lot quicker]

**In real world, use rapid-pvst instead of pvst
**rpvst > pvst > 802.1D (stp), but are backwards compatible, but will cause slowdowns because 802.1D uses timers (20>15>15)
**PortFast/Edge Port - connects to end user devices, transition it directly to the forwarding state
***Summary:
pvst - per VLAN spanning tree, single root in the entire topology
rapid-pvst - rapid pvst, gives root on per VLAN basis
mst - multipole spanning tree, associates multiple VLAN to a spanning tree root, can have mutliple roots

RSTP Rapid Spanning-Tree Protocol 
- 802.1W
- Not based on timers
- *NEW* Port role assignments and port states
- *NEW* BPDU format and BPDU processing
- *NEW* Uses bridge-bridge handshake mechanism, which allow ports to move directly to forwarding
- *NEW* different Topology Change Notification and processing procedure

3 Port States in RSTP 802.1W
1) Learning
2) Forwarding
3) Discarding

*NEW* Port role assignments and port states------------
802.1W vs 802.1D:
1) Port State
Discarding  = Disabled, Blocking, Listening
Learning = Learning
Forwarding = Forwarding
2) Port Roles
- A port's role is determind based on the usefulness of the BPDUs that are receivied
- A BPDUs that are more useful, are the ones with lower path cost
a) Root Port (FWD) - port that is closest to the root bridge (switch) in terms of path cost
- root port leads towards the root bridge
b) Designated Port (FWD) - port that is the best port on the root bridge (switch) 
- designed port leads away of the root bridge
c) Alternative Port (BLK) - port that is blocked because it is receiving more useful BPDUs from another bridge
d) Backup Port (BLK) - port that is blocked because it is receiving more useful BPDUs from the same brige it is on

==Change Half-duplex to Full-duplex==
*Notice "Type" is "Shr" (shared), we need to change this to point-to-point 
P2p" for full-duplex
Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#spanning-tree link-type point-to-point

Portfast vs Edge Ports
- PortFast does not lose its edge port status when it receives BPDU, generates topology changes
- Edge Ports loses its edge port status  when it receives BPDU, does not generate topology changes

*NEW* BPDU format and BPDU processing------------
P2p 
- uses Proposal/Agreement Handshake Sequence to quickly transition ports to achieve faster convergence whereas 802.1D waits for timer to expire

- *NEW* RSTP BPDU now includes 
Bit 0 - Topology Change
Bit 1 - Proposal
Bit 2-3 - Port Role
Bit 4 - Learning
Bit 5 - Forwarding
Bit 6 - Agreement
Bit 7 - Topology Change ACK

BPDU Processing - must use p2p
1) Root switch p0 send "Proposal" to Switch A p1
2) Switch A receives proposal on p1, makes sure its ports are in sync making its ports "blocking state" or "edge port". Switch A will now unblock p1
3) Switch A replies with an "Agreement"
4) Root switch can immediately unblock p0, transition to forwarding
**The proposal agreement is very fast as it does not rely on timers
**This handshake propagates quickly towards edge of network, and quickly restores connectivity after a change in topology
**If agreement is not received after sent proposal, it transition back to traditional 802.1D listening-learning sequence

MSTP Downside
- Protocol is more complex than usual STP, requires additional training of staff
- Interaction with legacy bridges is sometimes challenging
- Only useful for high number of VLANs

STP Summary:
1) STP
- 802.1D standard
- One ST per network 
- Slow convergence
2) PVST+ 
- Cisco Proprietary standard
- One ST per VLAN
- Slow convergence
3) RSTP
- 802.W standard
- One ST per network
- Fast convergence
4) Rapid PVST+
- Cisco Proprietary standard
- Upgrade from RSTP, One ST per VLAN with fast convergence and load sharing
ex. 200 VLANs, would require 200 instances of ST
5) MSTP
- 802.1s
- One for Multiple VLANs
- Upgrade from Rapid PVST+, with low resources because of resource sharing via multiple VLANs with fast convergence
"Instance of ST, then map various VLANs to that instance"
ex. 200 VLANs, could use 2 instances to do load sharing of 100 VLANs each (lower memory and CPU requirements)

BPDU Guard
- Security mechanism of ST to protect the ST network
- ex. a hacker plugging into the switch, making it the root of the ST to analyze the traffic

How BPDU Guard works?
- Disables a port if BPDU is received on that port or portFast
- Because, portFast should be connected to a user's device, it should not be connected to another switch

2 ways to configure BPDU Guard  (through CLI)
1) Per Interface basis
Switch(config)#spanning-tree portfast 
2) Configure it globally on a switch 
Switch(config)#spanning-tree portfast edge bpduguard

__________________________________________________________

===VLAN Simulations - Section222===
Enable PortFast on all non-trunking interfaces

Switch1(config)# spanning-tree portfast default

===VLAN Simulations - Section223===
Enable PortFast on FastEthernet 0/4 and enable the interface

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# int f0/4
Switch1(config-if)# spanning-tree portfast default
Switch1(config-if)# no shut

===VLAN Simulations - Section224===
Configure the spanning tree mode as Rapid PVST+ on both switches.

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# spanning-tree mode rapid-pvst

===VLAN Simulations - Section225===
Configure switch1 as the primary root for VLAN 1
Configure switch2 as the secondary root for VLAN 1

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# spanning-tree vlan 1 root primary
Switch2(config)# spanning-tree vlan 1 root secondary

===VLAN Simulations - Section226===
Configure switch with the second lowest possible priority
Assume that Extended System IDs are used

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# spanning-tree vlan 1 priority 4096

===VLAN Simulations - Section226===
Configure the switch with a default gateway of 10.1.1.1

Switch1> en
Switch1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)# ip default-gateway 10.1.1.1

__________________________________________________________

CDP Cisco Discovery Protocol (hoewver, LLDP Link Layer Discovery Protcol is industry standard)
- Layer 2 
- See how devices are directly connected (one jump) to each other that are running cdp
- Useful, but security concerns

CDP (Cisco devices ONLY) /LLDP (Non-Cisco devices) Commands
==See CDP/LLDP neighbours==
R1#show cdp neighbors or R1#show cdp neighbors details [show lldp neighbors]
==Disable CDP/LLDP on globally on device==
R3(config)#no cdp run [no lldp run]
==Disable CDP on interface f0/1==
R3(config)#int f0/1
R3(config-if)#no cdp enable
==Configure CDP==
R3(config)#cdp ___ (use ?)

__________________________________________________________

===VLAN Simulations - Section234===
Disable CDP globally on the router
But enable it on Ethernet 0

Router1> en
Router1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# no cdp run
Router1(config)# int ethernet 0
Router1(config-if)# cdp enable

===VLAN Simulations - Section235===
Enter the relevant commands on the router to answer the sets of question below.
(1) What interface on R2 is connected to R1?
(2) What type of router is R5?
> Router2> en
> Router2# show cdp nei

===VLAN Simulations - Section236===
Enter the CDP command that displays information about R3 only and then answer the following questions.
> Router2# show cdp entry R3 
**Note: version of CDP = advertisement version