Thursday, July 12, 2012

CCIE Written: IPv4 Routing Protocols Overview


IPv4 Routing Protocol
* Static Routing
* RIPv2
* EIGRP
* OSPF
* BGP
* Policy Routing
* IP Tunneling

IP Routing Overview
* Longest match routing
                - Most bits in common when finding the routing path
* Metric vs Administrative Distance
                - Same protocol vs different protocol
                - If different protocol, then it will compare with the Administrative Distance
                - If same protocol, then it will compare with the metric / hops /cost

CCIE Written: Frame Relay


Frame Relay Overview
* NBMA (Non Broadcast Multi Access)
                - Address resolution issues implied
                - It has problem on L3 to L2 address resolution
* Data Link Connection Identifier (DLCI)
                - Layer 2 addressing
                - DLCI number only locally significant
* Local Management Interface (LMI)
                - DTE/DCE (router/switch) communications
                - Reports virtual circuit (VC) status

Frame Relay LMI
* encapsulation frame-relay
* LMI types
                - Automatically detected
                - frame-relay lmi-type [cisco | ansi | q933a]
                - show frame-relay lmi
* LMI advertises VC Status
* Status can be
                - Active: working on both end
                - Inactive: one site is not configured
                - Deleted: DLCI doesn’t match with the frame-relay switch
                - Static: Have a manual back to back configuration

Full Mesh Network
* Topology where all devices have a direct layer 2 circuit to each other
* More closely emulates a LAN
* More expensive to provision than partial mesh network

Partial Mesh Network
* Topology where not all devices have a direct layer 2 circuit to each other
                - i.e. not fully meshed circuits
                - i.e. Hub-and-Spoke is a type of partial mesh

* Design problems occur when layer 3 network does not map exactly to layer 2 network
                - Devices without direct layer 2 circuits cannot resolve each other via Inverse-ARP
                - Some higher layer protocols (OSPF, PIM, etc) do not understand this disconnect
* Ideally layer 3 is point to point with layer 2 network
                - Separate IPv4/IPv6 subnet and point-to-point sub-interface for each DLCI

CCIE Written: EtherChannel


Ether Channel
* Used to aggregate bandwidth of physical links
                - Same logic as PPP Multilink
* Consists of two parts
                - Port-channel interface
                   + Logical interface representing the link bundle
                - Members interfaces
                   + Physical links part of a link bundle
* Channel can be any type of interface
                - i.e. Layer 2 access, trunk, tunnel or layer 3 routed

EtherChannel Negotiation
* channel-group [number] mode [mode]
* Mode determines how negotiation occurs
                - On: No negotiation  and permanently enable
                - Desirable & Auto: Initiate or listen for PAgP
                - Active & Passive: Initiate or listen for LACP (802.3ad)
* PAgp vs LACP
                - Like ISL vs 802.1q

EtherChannel Mode Compatibility
* On – On
* Desirable – Desirable
* Desirable – Auto
* Active – Active
* Active – Passive

EtherChannel Load Balancing
* Load balancing between member interface based on
                - Source MAC Address
                - Destination MAC address
                - Source IP Address
                - Destination IP Address
                - Combinations of the four
* Modified with port-channel load-balance

CCIE Written: Core Ethernet Switching Components


VLAN
* Used to separate ports into different broadcast domains
* Hosts in same VLAN share the same broadcast domain
* Switches create a separate CAM (Content Addressable Memory) table per VLAN
* Traffic inside the VLAN is layer 2 switches
* Traffic to outside or between VLANs must be layer 3 routed
* VLAN Trunks carry traffic for multiple VLANs between switches on uplinks

VLAN Numbering
* VLAN membership defined by number
* 12-bit field (0-4095)
                - 0 * 4095 reserved per 802.1Q standard
* Normal VLANs 1-1005
                - 1 à Default Ethernet VLAN
                - 1002/1004 à Default FDDI VLANs
                - 1003/1005 à Default Token Ring VLANs
                - Extended VLANs 1006 -4094
* Extended VLANs range can assigned via the VTP transparent mode. And mostly used in Private VLAN
* Extended VLAN is not advertised via the VTP version 1 & 2. It can advertised via VTP v3 in the new platform.

VLAN Trunks
* Trunk links are used to transport traffic for multiple VLANs between devices
* Traffic sent over a trunk link receives special trunking encapsulation
                - Normal Ethernet header does not have field for VLAN number
                - ISL or 802.1Q headers are added to include this information
* Both ISL and 802.1Q accomplish the same goal of encoding VLAN number in frame header to separate traffic
* The key different are
                - ISL: + Cisco Proprietary
                          + 30 byte encapsulation for all frames (26 byte header and 4 byte trailer FCS)
                          + Does not modify original frame
                - 8021.Q: + IEEE Standard
                                   + 4-byte tag except for “native VLAN”
                                   + Modify original frame as it need to generate the new FCS
IOS Switch Port modes
* Access
* Trunk
* Dynamic Desirable
* Dynamic Auto
* Tunnel (802.1q)

Dynamic Trunking Protocol
*Dynamic Switchports automatically choose whether to run in access or trunking mode
* Run DTP to negotiate , in order to decide to run ISL trunk, 802.1q trunk or access port
* DTP prefer ISL as it negotiate as ISL, then 802.1q and then access
* Configure as switchport mode dynamic [auto | desirable]
* Disable with switchport nonegotiate or switchport mode access
* On: Force the port to become trunk
   Off: Force the port to become non-trunk
   Desirable: Actively to convert the link to trunk when the other party is On, Auto & Desirable
   Auto: Trunk if other is Desirable or On
   No-negotiate: Turn off the DTP.


On
Off
Des
Auto
Nonego
On
X
Off
x
X
x
X
x
Des
X
Auto
X
X
x
Nonego
X
X
- Nonego and nonego depends on the switchport mode. Both sides must on.

VLAN Trunking Protocol
* VTP solves the VLAN administration problem. It is just make sure the switches agree on the VLAN number assignment
* Cisco proprietatly
* Used to dynamically
                - Advertise addition, removal, modification of VLAN properties like numbers, name etc
                - Negotiate trunking allowed lists by using VTP pruning
* Does not affect actual VLAN assignments
                - Still manually needed with switchport access vlan [vlan]

How VTP Works
* VTP domain
                - To exchange information, switches must belong to the same domain
* VTP Mode      
                - Controls who can advertise new/modified information
                - Modes are Server, Client and Transparent
* VTP Revision Number
                - Sequence number to ensure consistent databases
                - Higher revision number indicates newer database

VTP Domains
* VTP domain name controls which devices can exchange VTP advertisements
* VTP domain does not define broadcast domain
                - Switches in different VTP domains that share same VLAN numbers hosts’ are still in the same broadcast
                 domain
* Configured as vtp domain [name]
* Defaults to null value
                - Switch inherits VTP domain name of first advertisement it received

VTP Server Mode
* Default mode
* Allows addition, deletion and modification of VLAN information
* Changes on server overwrite the rest of the domain assuming it has the highest revision number
* Configure as vtp mode server

VTP Client Mode
* Not allows for addition, deletion and modification of VLAN information
* Listens for advertisements originated by a server, installs them and passes them on
* Configure as vtp mode client

VTP Transparent Mode
* Keeps a separate VTP database from the rest of the domain
* Does not originate advertisements
* “Transparently” passes received advertisements through without installing them
* Needed for some applications like Private VLANs
* Configure as vtp mode transparent

VTP  Security
* VTP susceptible to attacks or mis-configuration where VLANs are deleted
                - Access ports in a VLAN that does not exist cannot forward traffic
* MD5 authentication prevents against attack
                - vtp password [password]
* Does not prevent against mis-configuration
                - VTP transparent mode recommendation

VTP  Pruning
* Broadcast and unknown unicast/multicast frame are flooded everywhere in the broadcast domain
                - Includes trunk links
* Edition allowed list limits this flo0ding, but large administrative overhead
* VTP pruning automates this procedure
                - Switches advertise what VLANs they need
                - All other VLANs are pruned (removed) off the trunk link
* Does not work for transparent mode
* Just configure the VTP pruning in any of the server and it will propagate out to the whole VTP domain

Tuesday, July 10, 2012

CCIE Written: Spanning Tree Protocol


CCIE Written: STP

 STP Variations
                - 802.1d: Common Spanning Tree (CST)
                - PVST / PVST+: Cisco Per-VLAN Spaning-Tree
                - 802.1W: Rapid Spanning Tree (RSTP)
                -802.1S: Multiple Spanning Tree (MSTP)

How 802.1d STP works
                - Elect one Root Bridge
                - Elect one Root Port per bridge/switch
                - Elect Designated Ports

Root Bridge Election
* Switch with lowest Bridge ID in the network becomes Root Bridge
* Bridge ID contains:

  • Bridge Priority: 0~61440 in increments of 4096. 0 is the most preferable and 32768 is the default value.
  • System ID Extension: 0~4095 Used to encode the VLAN number of the Spanning Tree Instance
  • MAC Address: Lowest MAC address is more preferable
* Only Root Bridge is in charge of generate for the BPDU packets (802.1d only)
* Once elected, BPDUs flow down from root of the tree to the the leaves

Rot Port Election
* RP is upstream facing towards Root Bridge
* Elected based on lowest Root Path Cost
                - Cumulative cost of all links to get to the root
* Cost based on inverse bandwidth
                - i.e. higher bandwidth, lower cost, not linear.
                - 10Mbps=100, 100Mbps=19, 1000Mbps=1
* If tie in cost
                - Choose lowest upstream BID
                - Choose lowest upstream Port ID

Designated Port Election
* DPs are downstream away from the Root Bridge
* Like Root Port, elected based on
                - Lowest Root Path Cost
                - Lowest BID
                - Lowest Port ID
* All other ports go into blocking mode
                - Receive BPDUs
                - Discard all other traffic
                - Cannot Send Traffic

802.1d Convergence
* CST convergence based on timers set on Root Bridge
                - Hello Timer: How often to send the BPDU
                - Forward Delay Timer:
                   To control transition from blocking – listening – learning- forwarding stages
                - Max Age Timer:
                  How long we wait for the upstream device to send the BDPU packet before
                  we declare them down. It consider as dead interval.
* Default Hello is 2 seconds, Forward delay is 15 seconds (listening 15s, learning 15s) and total is 30s, Max Age is 20s
* The minimum value for the Forward delay is 7s
 * Convergence time will be forward delay + max age
* TCN BPDUs used to notify Root Bridge of changes
                - Flows up the tree to root, root replies with ACK
                - CAM aging time set to Forward Delay to flush MAC addresses

PVST/PVST+

Per VLAN STP (PVST)
* One instance of Legacy STP per VLAN
* Cisco ISL support

Per VLAN STP Plus (PVST+)
* One instance of Legacy STP per VLAN
* Cisco ISL and 802.1Q support
* Provides interoperability between CST and PVST
* Default mode on most Catalyst platforms
* Allows root bridge / port placement per VLAN

Cisco’s STP Enhancement ( to speed up the convergence)
* Port Fast
                - Edge ports shouldn’t be subject to Forwarding Delay or generate TCNs
                - It allow the port that is port-fast enable jump from disable to forwarding

* Uplink Fast
                - Direct Root Port failure should re-converge immediately if Alternate Port
                  available
                - Used when multiple link from one switch to another switch
                - Cisco Doc          
                - When enable, it will increase the bridge priority to 49152 and increase by 3000
                   for port priority
                - Reason of the increase is to make sure the bridge won’t elect as Root Bridge
                  and the port wouldn’t elect to designated port. The uplink fast is make sure of 
                  the Alternate port and enable in the global mode

* Backbone Fast
                - Indirect failures should start recalculating immediately
                - Inferior BDPU sent from the upper edge switch to determine the original path
                   to root bridge is down
                - It needs to wait the Max Age if the neighbor link is not down but the upper link
                  is down            
                - If backbone fast Is enable in the switch, it will skip the Max Age timers
                - Cisco Doc             
* Port fast saves Max Age + Forward Delay timers
* Uplink Fast saves Forward Delay timers
* Backbone Fast saves Max Age timers

Other Cisco’s STP Features
* BPDU Filter
                - Filter BDPUs in and out

* BPDU Guard
                - If BPDU is received shut port down

* Root Guard
                - If superior BPDU is received shut port down

* Loop Guard & UDLD (Uni Direction Link Detection) (same features)
                - Prevent unidirectional links
                - Loop Guard is using the STP BPDU to detect
                - UDLD using its own lightweight L2 keep alive

802.1w RSTP

Rapid Spanning Tree Protocol
* Faster convergence compare to legacy 802.1d
* Rapid convergence based on sync process or proposal process
* Allow for faster initial convergence
* Announce itself as root bridge when startup and start sending the proposal
* Switches will agree on the proposal on who is the root bridge in sub second method
* RSTP simplified the port state to 3 stages: Discarding, learning, forwarding.
* All bridges generate BPDUs
                - Send out all every Hello Interval which by default 2s
                - If three Hellos are missed neighbor is declared down and CAM is immediately
                   flushed
                - Three Hello timers is greater than Max Age which 6s vs 20s
                - Allows for faster re-convergence
* Runs backward compatibility with 802.1d

802.1s MSTP

Multiple Spanning Tree Protocol
* User defined instances are separate from VLANs
* PVST+ uses one instance per VLAN
* Uses 802.1w for rapid convergence
* Highly scalable
                - Switches with same instances, configuration revision number and name form
                   a “region”
                - Different regions see each other as virtual bridges

CCIE Written: Overview


CCIE Written Overview

* CCNP level of knowledge of
                - Layer 2: Ethernet, Frame Relay, HDLC, PPP, Briding
                - Layer 3: IPv4/IPv6, Routing Logic, RIP, EIGRP, OSPF, BGP, Multicast, MPLS
                - Misc: QoS, IOS Security, IOS features & management

* Cisco Documentation is the only resources can be used during the lab test.
                - Configuration Guide
                - Command Reference
                - Master Index
                - New Feature List

* Search is DISABLE during the lab exam