00 9911 fm 10/14/03 12:31 PM Page i


BCMSN
Richard A. Deal


BCMSN Exam Cram 2 (Exam Cram 642-811)

Copyright © 2004 by Que Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-7897-2991-1
Library of Congress Catalog Card Number: 2003109277

Printed in the United States of America

First Printing: November 2003

06 05 04 03    3

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact

U.S. Corporate and Government Sales
1-800-382-3419
corpsales@pearsontechgroup.com

For sales outside the U.S., please contact

International Sales
1-317-428-3341
international@pearsontechgroup.com

Publisher
Paul Boger

Executive Editor
Jeff Riley

Acquisitions Editor
Carol Ackerman

Development Editor
Michael Watson

Managing Editor
Charlotte Clapp

Project Editor
Tonya Simpson

Copy Editor
Mike Henry

Indexer
Tom Dinse

Proofreader
Wendy Ott

Technical Editors
Michelle Plumb
Jacob Beach
Joshua Saul
Jeremy Cioara

Team Coordinator
Pamalee Nelson

Multimedia Developer
Dan Scherf

Page Layout
Ron Wise


Que Certification 201 West 103rd Street Indianapolis, Indiana 46290

A Note from Series Editor Ed Tittel

You know better than to trust your certification preparation to just anybody. That's why you, and more than two million others, have purchased an Exam Cram book. As Series Editor for the new and improved Exam Cram 2 series, I have worked with the staff at Que Certification to ensure you won't be disappointed. That's why we've taken the world's best-selling certification product, a finalist for Best Study Guide in a CertCities reader poll in 2002, and made it even better.

As a Favorite Study Guide Author finalist in a 2002 poll of CertCities readers, I know the value of good books. You'll be impressed with Que Certification's stringent review process, which ensures the books are high-quality, relevant, and technically accurate. Rest assured that at least a dozen industry experts, including the panel of certification experts at CramSession, have reviewed this material, helping us deliver an excellent solution to your exam preparation needs.

We've also added a preview edition of PrepLogic's powerful, full-featured test engine, which is trusted by certification students throughout the world.

As a 20-year-plus veteran of the computing industry and the original creator and editor of the Exam Cram series, I've brought my IT experience to bear on these books. During my tenure at Novell from 1989 to 1994, I worked with and around its excellent education and certification department. This experience helped push my writing and teaching activities heavily in the certification direction. Since then, I've worked on more than 70 certification-related books, and I write about certification topics for numerous Web sites and for Certification magazine.

In 1996, while studying for various MCP exams, I became frustrated with the huge, unwieldy study guides that were the only preparation tools available. As an experienced IT professional and former instructor, I wanted nothing but the facts necessary to prepare for the exams. From this impetus, Exam Cram emerged in 1997. It quickly became the best-selling computer book series since For Dummies, and the best-selling certification book series ever. By maintaining an intense focus on subject matter, tracking errata and updates quickly, and following the certification market closely, Exam Cram was able to establish the dominant position in cert prep books.

You will not be disappointed in your decision to purchase this book. If you are, please contact me at etittel@jump.net. All suggestions, ideas, input, or constructive criticism are welcome!


The Smartest Way To Study for Your CCNP Certification!

Exam Cram 2 offers the concise, focused coverage you need to pass your CCNP exams. These books are designed to be used as a refresher on important concepts, as well as a guide to exam topics and objectives.

Each book offers:
• CD that includes a PrepLogic Practice Exam
• Two text-based practice exams with detailed answers
• Tear-out Cram Sheet that condenses the important information into a handy two-page study aid
• Key terms and concepts for the topic, notes, exam alerts and tips

Check out these other CCNP Exam Cram 2 titles:
CCNP BSCI Exam Cram 2, Exam 642-801 (ISBN: 0789730170, $29.99)
CCNP CIT Exam Cram 2, Exam 642-831 (ISBN: 0789730219, $29.99)
CCNP BCRAN Exam Cram 2, Exam 642-821 (ISBN: 0789730200, $29.99)

Buy the pack and SAVE! Get all four CCNP Exam Cram 2 titles with CDs for just $99.99! ISBN: 0789730979

Books are available online or at your favorite bookstore.

www.examcram2.com


I would like to dedicate this book to my wife, Natalie, who is the inspiration of my life.


About the Author


Richard A. Deal has more than 17 years' experience in the computing and networking industry, including networking, training, systems administration, and programming. In addition to a BS in mathematics from Grove City College, Richard has certifications from Cisco. For the last 6 years, Richard has operated his own company, The Deal Group Inc., located in Oviedo, Florida. Richard's company provides network consulting and training services nationwide.

This is Richard's first book with Que Publishing, but he has published many other books. With McGraw-Hill, he has published CCNA Cisco Certified Network Associate Study Guide (Exam 640-801) and Cisco PIX Firewalls. With The Coriolis Group, Richard has published CCNP: Switching Exam Cram, CCNP: Remote Access Exam Prep, and CCNP: Cisco LAN Switch Configuration Exam Cram. Richard is currently working with Cisco Press on a new book titled Cisco IOS Router Security.

Richard also produces testing products for QuizWare, an affiliate of Boson Software. You can find his and other products at www.quizware.com and www.boson.com.


About the Technical Editors


Michelle Plumb is a full-time instructor focusing on Cisco and the Cisco IP
Telephony track with 15 years in the field as an IT and telephony specialist.
Michelle maintains a high level of Cisco and Microsoft certifications, including CCNP, Cisco IP Telephony Support Specialist, Unity, MCSE NT/2000,
and MCT. Michelle has technically reviewed numerous books for the Cisco
CCNP track and Microsoft 2000.
Joshua Saul, CCIE #9905, manages the network engineering department of
a major Internet book retailer. He has consulted for GE Capital, Pfizer,
Morgan Stanley, HSBC, and several other large financial firms. He is
responsible for Cisco solutions incorporating fully redundant load balanced
application delivery and intrusion detection systems. He has a BBA in
Management from The George Washington University and is currently pursuing an MBA at Fordham University, with a concentration in Information
and Communication Systems. He lives with his wife Turandot Saul, MD, in
New York City.
Jeremy Cioara has focused on network technologies for more than a decade.
During this time, he has achieved many certifications, including CCIE,
MCSE, and CNE. Some of his field work includes network design and consulting at MicroAge, Qwest, and Terminal Processing Systems. He is currently focusing on technical instruction and authoring on topics including
Cisco IP telephony, routing, and switching.


Acknowledgments

This book would not have been possible without the support of my wife Natalie. A book of this size is very time-consuming, especially when you have to balance a book, a job, and, most importantly, a new baby on the way. My wife provided endless encouragement to keep me writing when I was pressed to meet deadlines for the book.

A special thanks to the team at Que Publishing, especially the book's editors, Carol Ackerman, Michael Watson, Tonya Simpson, and Mike Henry, and technical editors, Michelle Plumb, Jacob Beach, Joshua Saul, and Jeremy Cioara.

Best wishes to all! And cheers!

Richard A. Deal


Contents at a Glance

Introduction xx
Self-Assessment xxvii
1 Cisco Certification Exams 1
2 Designing Switched Networks 11
3 VLANs, Trunks, and VTP 45
4 Spanning Tree Protocol 83
5 Enhancements to STP 107
6 Multilayer Switching 147
7 Availability and Redundancy 179
8 Multicasts 217
9 Quality of Service 253
10 MLS Optimization and Security 295
11 Metro Ethernet 331
12 Sample Test 1 359
13 Answer Key 1 385
14 Sample Test 2 401
15 Answer Key 2 421
Appendix A What's on the CD-ROM 439
Appendix B Using the PrepLogic Practice Exams, Preview Edition Software 441
Glossary 449
Index 471


Table of Contents

Introduction ......................................................................xx
Self-Assessment .............................................................xxvii
Chapter 1
Cisco Certification Exams ......................................................1
The Exam Situation 2
Exam Layout and Design 4
Exam-Taking Techniques 6
Question-Handling Strategies 7
Mastering the Inner Game 8
Additional Resources 9

Chapter 2
Designing Switched Networks ...............................................11
Network Design 12
AVVID 12
Network Model 13
Enterprise Model 16
Devices, Media Types, and Switching Roles 19
Devices 19
Media Types 22
Switching Roles 26
Introduction to the Command-Line Interface 29
CatOS and IOS Comparison 30
Configuration Introduction 31
Troubleshooting 35
Converting CatOS to IOS 36
Switch Fabric Module 37
Summary 39
Exam Prep Questions 40
Need to Know More? 43


Chapter 3
VLANs, Trunks, and VTP ......................................................45
Virtual LANs 46
Advantages of VLANs 46
VLAN Implementations 48
VLAN Assignment 51
Trunks 56
Frame Tagging 56
Protocols 58
Dynamic Trunk Protocol 64
Configuring ISL and 802.1Q Trunks 66
Verifying Your Trunk Configuration 66
Troubleshooting Trunk Connections 68
VLAN Trunk Protocol 68
VTP Advantages 68
Management Domain 69
VTP Modes 69
VTP Messages 70
VTP Versions 72
VTP Pruning 73
Configuring VTP Domains 75
Verifying Your Configuration 75
Troubleshooting VTP Problems 76
Summary 76
Exam Prep Questions 78
Need to Know More? 82

Chapter 4
Spanning Tree Protocol .......................................................83
Transparent Bridging 84
Forwarding and Filtering 84
Learning 85
Loops 85
STP Introduction 86
Bridge Protocol Data Unit 86
STP Advantages 87
STP Components and Operation 87
Running the STP Algorithm 89
Root Switch Election Process 89
Selection of Root Ports 90
Designated Switches and Designated Ports 91
Bridging Loops 92


Port States 92
Convergence Issues 93
Transition of Port States 93
Spanning Trees 94
CST 95
PVST 96
PVST+ 97
Configuring and Verifying STP 97
Enabling and Disabling STP 97
Selecting the Root Switch 98
Influencing Path Selections 98
Verification of STP 100
Summary 101
Exam Prep Questions 102
Need to Know More? 105

Chapter 5
Enhancements to STP .......................................................107
Cisco Enhancements to STP 108
PortFast 108
UplinkFast 110
BackboneFast 112
Rapid STP 115
BPDUs 115
Port States 116
Port Roles 117
Convergence Features 117
Multiple Spanning Tree 120
MST Advantages and Disadvantages 121
Regions 121
Internal Spanning Tree 122
MST Configuration and Verification 123
EtherChannels 125
Operation of EtherChannels 125
Port Aggregation Protocol and Link Aggregation Control
Protocol 125
Configuring EtherChannels 127
Other STP Enhancement Features 131
BPDU Skewing 131
Root Guard 132
Unidirectional Link Detection 134
Loop Guard 135
Additional Troubleshooting Tips and Tools 137


Summary 140
Exam Prep Questions 142
Need to Know More? 146

Chapter 6
Multilayer Switching ........................................................147
Routing Considerations 148
Client End Station Issues 149
Route Processor Issues 150
Configuring Routing Between VLANs 150
Configuring an Internal RP 151
Configuring an External RP 154
Verifying Your Routing Configuration 157
MLS Overview 158
Switching Architectures 159
MLS Implementation 162
Rewriting Frame and Packet Contents 163
Routable and Nonroutable Traffic 164
Address Tables 165
MLS Using CEF 166
CEF Limitations 167
CEF Tables 167
CEF Operation 168
Load Balancing 169
CEF Example 169
CEF Configuration 171
CEF Verification 172
CEF Troubleshooting 173
Summary 174
Exam Prep Questions 175
Need to Know More? 178

Chapter 7
Availability and Redundancy ...............................................179
Introduction to Availability and Redundancy 180
Component Redundancy 181
Chassis Redundancy 183
Hardware Redundancy 183
Power Supplies 184
Supervisor Engines 185
Layer 2 Redundancy 189
Uplink Interfaces 190
Switch Redundancy 191


Layer 3 Redundancy 191
Problems of Traditional RP Redundancy 191
HSRP 193
Single Router Mode Redundancy 202
Virtual Router Redundancy Protocol 204
Gateway Load Balancing Protocol 204
Server Load Balancing 206
Summary 209
Exam Prep Questions 211
Need to Know More? 214

Chapter 8
Multicasts .....................................................................217
Overview of Traffic Types 218
Unicasts 218
Broadcasts 219
Multicasts 219
Multicast Addressing 220
Client Registration 222
Overview 222
IGMPv1 223
IGMPv2 225
IGMPv3 227
Multicast Routing 229
Overview of Routing Multicast Traffic 229
Multicast Distribution Trees 229
Shared Distribution Tree 230
Source-Based Distribution Tree 231
Multicast Routing Protocols 231
Dense Mode Routing Protocols 232
Sparse Mode Routing Protocols 232
Protocol Independent Multicast 234
Multicasting and Switches 236
Controlling Multicast Traffic 236
IGMP Snooping 237
Cisco Group Management Protocol 237
Configuring Your RPs 238
Basic PIM Configuration 238
Designated Routers 239
Configuring Rendezvous Points 240
Configuring PIMv2 242
Configuring CGMP 243
Verifying Your Multicast Configuration 244


Summary 245
Exam Prep Questions 247
Need to Know More? 251

Chapter 9
Quality of Service ............................................................253
Voice and Telephony 254
Key Services 255
Bandwidth 256
Power 257
Auxiliary VLANs 258
Good Design Practices 258
QoS Issues and Architectures 258
Problems 259
QoS Solutions 261
QoS Architectures 262
QoS Implementation 264
Classification and Marking of QoS 264
Managing Congestion with Queuing 266
Avoiding Congestion 270
Conditioning Traffic 272
Increasing Link Efficiency 273
Campus QoS 274
QoS Configuration and Verification 275
Modular QoS CLI 275
Queuing Methods 280
Congestion Avoidance Methods: WRED 287
debug Commands 288
Summary 289
Exam Prep Questions 290
Need to Know More? 293

Chapter 10
MLS Optimization and Security ............................................295
Performance 296
Switched Port Analyzer 296
Network Analysis Module 301
Securing Your Switch 306
What to Secure 306
Authentication, Authorization, and Accounting 308
Security for Your Network 312
Basic Port Security 313


VLAN Access Lists 317
Private VLANs 319
Summary 324
Exam Prep Questions 326
Need to Know More? 329

Chapter 11
Metro Ethernet ................................................................331
Layer 1 and Layer 2 332
Cisco Metro Solutions 332
Services 333
Delivery Mechanisms 338
802.1Q Tunneling 342
Overview 343
Tag Stacking: Q-in-Q Tunneling 344
Q-in-Q Versus 802.1Q 348
Ethernet over MPLS 348
Overview 349
Process 349
Protocol Labeling 350
Connection Types 352
Summary 353
Exam Prep Questions 354
Need to Know More? 357

Chapter 12
Sample Test 1 ................................................................359
Questions, Questions, Questions 359
Picking Proper Answers 360
Decoding Ambiguity 361
Working Within the Framework 361
Deciding What to Memorize 362
Preparing for the Test 363
Taking the Test 363

Chapter 13
Answer Key 1 ..................................................................385
Chapter 14
Sample Test 2 ................................................................401
Chapter 15
Answer Key 2 .................................................................421


Appendix A
What's on the CD-ROM ......................................................439
The PrepLogic Practice Exams, Preview Edition Software 439
An Exclusive Electronic Version of the Text 440

Appendix B
Using the PrepLogic Practice Exams, Preview Edition Software .....441
The Exam Simulation 441
Question Quality 442
The Interface Design 442
The Effective Learning Environment 442
Software Requirements 442
Installing PrepLogic Practice Exams, Preview Edition 443
Removing PrepLogic Practice Exams, Preview Edition from Your
Computer 443
How to Use the Software 444
Starting a Practice Exam Mode Session 444
Starting a Flash Review Mode Session 445
Standard PrepLogic Practice Exams, Preview Edition
Options 445
Seeing Time Remaining 446
Getting Your Examination Score Report 446
Reviewing Your Exam 446
Contacting PrepLogic 447
Customer Service 447
Product Suggestions and Comments 447
License Agreement 447

Glossary .......................................................................449
Index ............................................................................471


We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

As an executive editor for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn't like about this book, as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book's title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@quepublishing.com

Mail:
Jeff Riley
Executive Editor
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA

For more information about this book or another Que Publishing title, visit our Web site at www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you're looking for.


Introduction

Welcome to BCMSN Exam Cram 2 (642-811). This book is intended to prepare you to take and pass the Cisco BCMSN Certification Exam 642-811, as administered by both the Prometric and Pearson VUE testing organizations. This introduction explains Cisco's BCMSN certification program in general and talks about how the Exam Cram 2 series can help you prepare for that certification exam. You can learn more about Prometric by visiting its Web site at www.prometric.com, and you can learn more about Pearson VUE by visiting its Web site at www.vue.com.

Exam Cram 2 books help you understand and appreciate the subjects and materials you need to pass certification exams. Exam Cram 2 books are aimed strictly at test preparation and review. They do not teach you everything you need to know about a topic. Instead, the series presents and dissects the questions and problems that you're likely to encounter on a test. In preparing this book, we've worked from preparation guides and tests and from a battery of third-party test-preparation tools. The aim of the Exam Cram 2 series is to bring together as much information as possible about the certification exams.

Nevertheless, to completely prepare yourself for any test, we recommend that you begin by taking the self-assessment immediately following this introduction. This tool will help you evaluate your knowledge base against the requirements for the Cisco BCMSN exam under both ideal and real circumstances.

Based on what you learn from that exercise, you might decide to begin your studies with some classroom training or to pick up and read one of the many study guides available from third-party vendors, including Que Certification's Training Guide series. We also strongly recommend that you spend as much time as feasible configuring, optimizing, and monitoring within the Cisco IOS as well as deploying the various BCMSN switching features in a real-world or test environment on actual Cisco switching devices.


Who Is This Book For?

This book is for you if
• You're an IT professional who already holds a current Cisco Certified Network Associate (CCNA) certification and are preparing for the Cisco BCMSN 642-811 examination.
• Your job or work involves working in and around the Internet or internetworks, offering you experience and a basic working knowledge of scalable routing technologies.
• Your job or work carries some specific networking considerations with it, be it configuration, policy, or network design.
• You're interested in pursuing the CCNP, CCIP, and/or CCDP certification from Cisco.

This book is not for you if
• You're just getting started in networking and have little or no experience with the Cisco IOS, networking concepts, and IP addressing.
• You're working in IT but have no systems or network administration experience or explicitly router-related job duties or responsibilities.
• You seek a learning tool to teach you all the background, terms, and concepts necessary to understand basic networking.
• You're curious about these suddenly popular Cisco certifications and want to explore a potential career change.

If you fall into the category that indicates this book is not for you, you should start your Cisco certification path somewhere else. You should consider preparing for the Cisco CCNA Exam 640-801. Instead of taking the 640-801 exam, you can take a two-exam approach by passing INTRO (640-821) and ICND (640-811); either approach enables you to obtain your CCNA certification.

Cisco Certifications Requiring the BCMSN Exam

Cisco (www.cisco.com) offers a wide range of highly regarded, broad, and specific network industry certifications that are primarily aimed at intermediate- and advanced-level IT professionals. Here's a list of the three certifications that have the BCMSN exam as a requirement:

• CCNP: The Cisco Certified Network Professional (CCNP) certification confirms advanced or journeyman knowledge of networking. This certification requires you to pass two or four exams. For more information on the CCNP certification, see http://cisco.com/en/US/learning/le3/le2/le37/le10/learning_certification_type_home.html.
• CCIP: The Cisco Certified Internetwork Professional (CCIP) certification demonstrates competency in IP networking pertaining to service provider organizations. This certification requires you to pass four exams. For more information on this certification, go to http://cisco.com/en/US/learning/le3/le2/le37/le8/learning_certification_type_home.html.
• CCDP: The Cisco Certified Design Professional (CCDP) certification certifies advanced or journeyman knowledge of network design. This certification requires you to pass three exams. For more information about this certification, visit http://cisco.com/en/US/learning/le3/le2/le37/le5/learning_certification_type_home.html.

Signing Up to Take the Exam

After you have studied this book, have taken the sample tests, and feel ready to tackle the real thing, you can sign up to take the exam either at Prometric or at Pearson VUE. The Cisco BCMSN exam costs $125.

Signing Up with Prometric

You can contact Prometric to locate a nearby testing center that administers the test and to make an appointment. The last time we visited the Prometric Web site, a searching system to find the testing center nearest you was located at www.2ittrain.com. The sign-up Web page address for the exam itself is www.2test.com. You can also use this Web page (click the Contact Us link) to obtain a telephone number for the company if you can't or don't want to sign up for the exam on the Web page.

Signing Up with Pearson VUE

You can contact Pearson VUE to locate a nearby testing center that administers the test and to make an appointment. The sign-up Web page address for the exam itself is www.vue.com/cisco.


Scheduling the Cisco BCMSN Exam

To schedule an exam, call at least one day in advance, but do not count on getting an early appointment. In some areas of the United States, tests are booked up for weeks in advance. To cancel or reschedule an exam, you must call at least 12 hours before the scheduled test time (or you might be charged). When calling Prometric, be sure to have the following information ready for the representative who handles your call:
• Your name, organization, mailing address, and email address.
• A unique test ID. For most U.S. citizens, this will be your Social Security number. Citizens of other nations can use their taxpayer IDs or make other arrangements with the order taker.
• The name and number of the exam you want to take. For this book, the exam number is 642-811 and the exam name is BCMSN.
• If you're paying by credit card, be sure to have your card handy as well. If you want to pay by check or another means, you have to obtain the necessary information from the Prometric or Pearson VUE representative with whom you speak.

Taking the Test

When you show up for your appointment, be sure to bring two forms of identification that have your signature on them, including one with a photograph, like a driver's license, passport, or national ID. You won't be allowed to take any printed material into the testing environment, but you can study the cram sheet from the front of this book while you're waiting. Try to arrive at least 15 minutes before the scheduled time slot.

All exams are completely closed book. In fact, you will not be permitted to take anything with you into the testing area, but you will be furnished with a blank sheet of paper and a pen. If allowed by the testing center, we suggest that you immediately write down on that sheet of paper any of the information from this book's cram sheet you've had a hard time remembering, such as VLANs, STP, MLS, and other switching technologies and features.

You'll have some time to compose yourself, to record memorized information, and even to take a sample orientation exam before you begin the real thing. We suggest you take the orientation test before taking your first exam, but because they're all more or less identical in layout, behavior, and controls, you probably won't need to do this more than once.


About This Book

Each topical Exam Cram 2 chapter follows a regular structure, along with graphical cues about important or useful information. Here's the structure of a typical chapter:

• Opening hotlists: Each chapter begins with a list of the terms, tools, and techniques you must learn and understand before you can be fully conversant with that chapter's subject matter. Following the hotlists are one or two introductory paragraphs to set the stage for the rest of the chapter.

• Topical coverage: After the opening hotlists, each chapter covers a series of at least four topics related to the chapter's subject title. Throughout this section, topics or concepts likely to appear on a test are highlighted in a special Exam Alert layout, like this:

    This is what an Exam Alert looks like. An Exam Alert normally stresses concepts, terms, software, or activities that are likely to relate to one or more certification test questions. For that reason, any information found offset in an Exam Alert is worthy of unusual attentiveness on your part.

  Pay close attention to material flagged as an Exam Alert; although all the information in this book pertains to what you need to know to pass the exam, we flag certain items that are really important. You'll find what appears in the meat of each chapter to be worth knowing, too, when preparing for the test.

  Because this book's material is very condensed, we recommend that you use this book along with other resources to achieve the maximum benefit.

• Practice questions: Although test questions and topics are discussed throughout each chapter, the Exam Prep Questions section at the end of each chapter presents a series of mock test questions and explanations of both correct and incorrect answers.

• Details and resources: Every chapter ends with a section titled "Need to Know More?" that provides direct pointers to Cisco routing resources that offer more details on the chapter's subject. If you find a resource you like in this collection, use it, but don't feel compelled to use all the resources. On the other hand, we recommend only those resources we ourselves use regularly, so none of our recommendations will waste your time or money.


The bulk of the book follows this chapter structure slavishly, but there are a few other elements we'd like to point out. Chapters 12 and 14 each contain an entire sample test that provides a good review of the material presented throughout the book to ensure you're ready for the exam. Chapters 13 and 15 contain the corresponding answer keys to the sample test chapters that precede them. Additionally, you'll find appendixes at the back of the book that include the following information:

- An explanation of what's on the CD (Appendix A)
- An explanation of how to use the software on the CD (Appendix B)
- A glossary that explains terms
- An index you can use to track down terms as they appear in the text

Finally, the tear-out cram sheet attached next to the inside front cover of this Exam Cram 2 book represents a condensed and compiled collection of facts, tricks, and tips that we think you should memorize before taking the test. You might even want to look at it in the car or in the lobby of the testing center just before you walk in to take the test.

Typographic Conventions
In this book, configuration settings and script fragments are typeset in a monospaced font, as in the following example (creating VLAN 2 moves the prompt into VLAN configuration mode; VLAN 1 exists by default and does not need to be created):
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 192.168.1.0
Switch(config-router)# network 192.168.2.0
Switch(config-router)# exit
Switch(config)# vlan 2
Switch(config-vlan)# exit
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# copy running-config startup-config

This notation is consistent with the exact syntax and structure of the Cisco IOS on Cisco switches.


Some script fragments include boldface, which indicates commands that should be typed literally. Italic indicates variables, as in the following example:
Switch(config)# ip routing
Switch(config)# router routing_protocol [options]
Switch(config-router)# network network_# [options]
Switch(config-router)# exit
Switch(config)# vlan VLAN_#
Switch(config-vlan)# exit
Switch(config)# interface vlan VLAN_#
Switch(config-if)# ip address IP_address subnet_mask
Switch(config-if)# no shutdown

How to Use This Book

The order of chapters is what we consider to be a logical progression for someone who wants to review all the topics on the exam. If you feel that you're already up to speed on certain topics, you may elect to skip the chapter or chapters in which those topics are covered. In any case, you should try all the questions in the chapters and the sample tests in Chapters 12 and 14. If you find errors, sections that could be worded more clearly, or questions that seem deceptive, feel free to let our series editor, Ed Tittel, know by email at etittel@examcram.com.

Self-Assessment

Based on recent statistics, as many as half a million individuals are at some stage of the certification process but have not yet received one of their various certification credentials. Recent polls in Certification magazine indicate that two to three times that number might be considering whether to obtain a certification of some kind. That is a huge potential audience!

What we cannot know yet, because the revised BCMSN exam is relatively new as this book goes to press, are precise numbers for the BCMSN exam itself. Based on recent salary and job interest surveys, we know enterprise networking is a hot topic for IT professionals and a leading target for upcoming certification studies. One of the main factors that makes the BCMSN exam such an excellent career option is that it is a mandatory requirement for the Cisco Certified Network Professional (CCNP), Cisco Certified Internetwork Professional (CCIP), and Cisco Certified Design Professional (CCDP) certifications. BCMSN is also an important base of knowledge for other Cisco certifications such as the Cisco Certified Security Professional (CCSP) and, eventually, the Cisco Certified Internetwork Expert (CCIE).

The reason we included a self-assessment in this Exam Cram 2 book is to help you evaluate your readiness to tackle the Cisco 642-811 BCMSN exam. But before you tackle this self-assessment, let's talk about concerns you might face when pursuing the BCMSN exam as well as what an ideal candidate might look like.

Networking Professionals in the Real World

In the next section, we describe an ideal candidate, knowing full well that only a few real candidates meet this ideal. In fact, our description of an ideal candidate might seem downright scary. But take heart: Although the requirements might seem formidable, they're by no means impossible to meet.


However, be keenly aware that it takes time, involves some expense, and requires real effort to get through this process.

Thousands of IT professionals already hold Cisco networking certifications, so it is an eminently attainable goal. You can get all the real-world motivation you need from knowing that many others have gone down a similar path before you, so you should be able to follow in their footsteps. If you're willing to approach the process seriously and do what it takes to obtain the necessary experience and knowledge, you can take (and pass) the BCMSN exam. In fact, we have designed our Exam Cram 2 books to make it as easy on you as possible to prepare for these exams. But prepare you must!

The Ideal BCMSN Candidate

The BCMSN exam tests you on advanced or journeyman knowledge of local area network (LAN) and wide area network (WAN) technologies. You'll be tested for the skills necessary to configure and operate LAN and WAN services for organizations with networks from 100 to more than 500 nodes. The protocols and technologies that you should know by exam time include

- Enterprise switched network designs
- Virtual LAN (VLAN) technologies
- The Spanning Tree Protocol (STP) and its enhancements
- Multilayer switching implementations
- Availability and redundancy in a campus network
- Multicasting solutions
- Quality of Service (QoS) concerns and solutions
- Switching optimization and security
- Metropolitan Area Networks (MANs) and Ethernet

To ultimately achieve a Cisco Career Certification, you have to read and accept the terms of the Cisco Career Certifications and Confidentiality Agreement. If you fail to complete this step, certification application processing will stop. You can take the BCMSN exam on the way to earning the CCNP, CCIP, and CCDP certifications without taking any courses, but you must hold a valid CCNA certificate when you register for the BCMSN exam.


The BCMSN exam is often the first test taken on the path to CCNP, CCIP, and CCDP certifications. These professional certifications generally endorse an individual's networking skills at the mid-career level. Many BCMSN candidates already hold positions such as help-desk support, field technician, systems administrator, network administrator, or technical trainer. As a BCMSN exam candidate, you should already have knowledge of networking at the small-office, home-office (SOHO) level as well as have the ability to operate in a small business or organization with networks of fewer than 100 nodes. You also should presently be able to install and configure Cisco routers in multiprotocol internetworks using LAN and WAN interfaces as well as Cisco switches in small environments. In addition, you should be confident providing Level 1 troubleshooting support as well as optimizing network security and performance.

Fundamentally, this all boils down to about a bachelor's degree in computer science with a strong focus on networking, plus at least two years of experience working in a position involving network design, installation, configuration, maintenance, and/or security. We believe that fewer than half of all certification candidates meet these requirements and that, in fact, most meet less than half of these requirements, at least when they begin the certification process. But because so many other IT professionals who already have been certified in networking topics have survived this ordeal, you can survive it, too, especially if you heed what our self-assessment can tell you about what you already know and what you need to learn.

Put Yourself to the Test

The following series of questions and observations is designed to help you figure out how much work you must do to pursue the BCMSN exam and what types of resources you might consult on your quest. Be absolutely honest in your answers; otherwise, you'll end up wasting money on an exam you aren't yet ready to take (and because the BCMSN exam costs around $125, this isn't chump change). There are no right or wrong answers, only steps along the path to certification. Only you can decide where you really belong in the broad spectrum of aspiring candidates.

Two things should be clear from the outset, however:

- Even a modest background in computer technologies is helpful.
- Hands-on experience with networking and Cisco products and technologies is a key ingredient to certification success.


Before you begin this process, take this simple four-step walk-through to validate your readiness for the BCMSN exam:

1. Do you have a current CCNA certification (requires renewal every 3 years)? [Yes or No]
   If your answer is yes, proceed to step 2; if your answer is no, proceed to step 4.

2. Have you taken the Building Cisco Multilayer Switched Networks (BCMSN) v2.0 course from Cisco or a comparable training class? This should be 5 days of instructor-led classes, 5 days of live e-learning, or 30 to 35 hours of Web-based training. [Yes or No]
   If your answer is yes, you should use this Exam Cram 2 book as a supplement to your acquired knowledge and experience and prepare to take the exam in the near future.
   If your answer is no, proceed to step 3.

3. Do you have at least 2 years of experience in a position such as help-desk support, field technician, systems administrator, network administrator, or technical trainer? [Yes or No]
   If your answer is yes, you should use this Exam Cram 2 book as a supplement to your acquired knowledge and experience and prepare to take the exam in the near future.
   If your answer is no, you might want to consider taking the Building Cisco Multilayer Switched Networks (BCMSN) v2.0 course from Cisco or a comparable training class. If you're a disciplined and motivated self-studier, you might want to build a home lab or rent some router time online and purchase the CCNP BCMSN Exam Certification Guide (CCNP Self-Study) book from Cisco Press (ISBN: 1-5872-0077-5).

4. Because you do not have a current CCNA certification, you must go to www.cisco.com and find out how you can recertify for your CCNA or take the 640-801 exam (or both the 640-821 and 640-811 exams) for the first time to achieve this certification.

Cisco also maintains a list of pointers to training venues on its Web site. Visit http://cisco.com/en/US/learning/le31/learning_learning_resources_home.html.


Hands-on Experience
An important key to success on the BCMSN exam lies in obtaining hands-on experience, especially with the Cisco IOS in the LAN and WAN environments. There is simply no substitute for time spent installing, configuring, troubleshooting, securing, and optimizing a Cisco router and switch. If you cannot afford your own equipment or lack the access at work, you can check with companies on the Internet that rent router time. Some even provide written labs specific to the BCMSN exam. Even www.ebay.com has many hardware packages at auction that you can bid on.

You can download objectives, practice exams, and other data about Cisco exams from the official BCMSN Exam Web page at www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/642-811.html.

Testing Your Exam-Readiness

Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the BCMSN certification exam is essential. At $125 a pop, pass or fail, you want to do everything you can to pass on your first try. That's where this Exam Cram 2 comes in.

We've included two practice exams in this book, so if you don't score that well on the first test, you can study more and then tackle the second test. If you still don't achieve a score of at least 90% after these tests, you should investigate the practice test resources we mention here (feel free to use your favorite search engine to look for more; this list is by no means exhaustive):

- ExamCram2: www.examcram2.com
- QuizWare: www.quizware.com
- Boson: www.boson.com
- MeasureUp: www.measureup.com
- Transcender: www.transcender.com
- PrepLogic: www.preplogic.com
- Self Test Software: www.selftestsoftware.com


For any given subject, consider taking a class if you've tackled self-study materials, taken the test, and failed anyway. The opportunity to interact with an instructor and fellow students can make all the difference in the world, if you can afford that privilege.

When it comes to assessing your test-readiness, there's no better way than to take a good-quality practice exam and pass with a score of 85% or better. When we're preparing ourselves, we shoot for more than 90%, just to leave room for the weirdness factor that sometimes depresses exam scores when taking the real thing. The passing score on BCMSN is 85% or higher; that's why we recommend shooting for 90%: to leave some margin for the impact of stress when taking the real thing.

In addition to the general exam-readiness information in the previous section, there are several things you can do to prepare for the BCMSN exam. As you're getting ready for the BCMSN, visit the Web sites at www.examcram2.com and www.cramsession.com. You can sign up for Question of the Day services for this exam; join ongoing discussion groups on the exam; and look for pointers to exam resources, study materials, and related tips.

Onward, Through the Fog!

After you've assessed your readiness, undertaken the right background studies, obtained the hands-on experience that will help you understand the products and technologies at work, and reviewed the many sources of information to help you prepare for the test, you're ready to take a round of practice tests. When your scores come back positive enough to get you through the exam, you're ready to go after the real thing. If you follow our assessment regime, you'll know not only what you need to study, but also when you're ready to make a test date at Prometric or VUE. Good luck!


1
Cisco Certification Exams

Terms you'll need to understand:

- Radio button
- Check box
- Careful reading
- Exhibits
- Multiple-choice question formats
- Simulation questions
- Process of elimination

Techniques you'll need to master:

- Preparing to take a certification exam
- Practicing to take a certification exam
- Making the best use of the testing software
- Budgeting your time
- Guessing (as a last resort)


No matter how well prepared you might be, exam taking is not something that most people look forward to. In most cases, familiarity helps relieve test anxiety. You probably won't be as nervous when you take your second or third Cisco certification exam as you'll be when you take your first one. Whether it's your second exam or your tenth, understanding the finer points of exam taking (how much time to spend on questions, the setting you'll be in, and so on) and the exam software will help you concentrate on the questions at hand rather than on the surroundings. Likewise, mastering some basic exam-taking skills should help you recognize (and perhaps even outsmart) some of the tricks and traps that you're bound to find in several of the exam questions.

This chapter, in addition to explaining the Cisco BCMSN exam environment and software, describes some proven exam-taking strategies that you should be able to use to your advantage.

The Exam Situation

When you arrive at the testing center where you scheduled your exam, you'll need to sign in with an exam proctor. The proctor will ask you to show two forms of identification, one of which must be a photo ID, like a driver's license, passport, or national ID card. After you have signed in, you'll be asked to deposit any books, bags, or other items you brought with you. Then you'll be escorted into the closed room that houses the exam seats.

All exams are completely closed book. In fact, you won't be permitted to take anything with you into the testing area. You'll be furnished with a pen or pencil and a blank sheet of paper (or, in some cases, an erasable plastic sheet and an erasable felt-tip pen) that you can use to record notes during the test. You'll have to turn in the sheet when you leave the room.

The room will typically be furnished with anywhere from one to half a dozen computers, and each workstation will be separated from the others by dividers designed to keep you from seeing what's happening on someone else's computer.

Most test rooms feature a wall with a large picture window or video cameras. This permits the exam proctor to monitor the room, prevent exam takers from talking to one another, and observe anything out of the ordinary that might go on. The exam proctor will have preloaded the appropriate Cisco certification exam (for this book, that's the Cisco BCMSN Certification Exam 642-811) and you'll be permitted to start as soon as you're seated in


front of the computer and enter either your Social Security number or Cisco identification number. At the beginning of each test is a tutorial that you can go through if you're unfamiliar with the testing environment.

All Cisco certification exams allow a predetermined, maximum amount of time in which to complete your work. This time is indicated on the exam by an onscreen counter/clock in the upper-right corner of the screen, so you can check the time remaining whenever you like. All exams are computer generated and use primarily a multiple-choice format with 2 to 5 simulation questions. These simulation questions test your real-world experience in the actual Cisco interface. You'll be required to submit the proper series of commands to accomplish a particular configuration based on the given scenario or diagram. You'll also encounter questions that demand a fill-in-the-blank answer that represents the proper Cisco command. The Cisco BCMSN exam consists of 60 to 70 randomly selected questions from a pool of several hundred questions. You can take up to 90 minutes to complete the exam. Although that might sound quite simple, the questions are formulated to thoroughly check your mastery of the material. Cisco exam questions are also very adept at testing you on more than one area of knowledge with a single question; for example, testing your knowledge of the command syntax as well as the proper command mode. You'll often be asked to provide more than one answer to a question. Likewise, you might be asked to select the best or most effective solution to a problem from a range of choices, all of which are technically correct. Taking the exam is quite an adventure, and it involves real thinking as well as skill and the ability to manage your time. This book shows you what to expect and how to deal with the potential problems, puzzles, and predicaments you are likely to encounter.

When you complete a Cisco certification exam, the software will tell you whether you've passed or failed. The results are then broken down into several main objectives or domain areas. You'll be shown the percentage that you got correct for each individual domain. Even if you fail, you should ask for (and keep) the detailed report that the test proctor prints for you. You can use this report to help you prepare for another go-round, if necessary. If you need to retake an exam, you'll have to schedule a new test with Prometric or VUE and pay for another exam. Keep in mind that because the questions come from a pool, you'll receive different questions the second time around. Cisco also has a retake policy, which is that you must wait 72 hours between exam attempts.

In the following section, you'll learn more about how Cisco test questions look and how they must be answered.


Exam Layout and Design

Some exam questions require you to select a single answer, whereas others ask you to select multiple correct answers. The following multiple-choice question requires you to select a single correct answer. Following the question is a brief summary of each answer selection and why it is either correct or incorrect.

Question 1
When MLS rewrites frames in hardware, which of the following information is not changed?
A. Source IP address
B. Destination MAC address
C. MAC frame's CRC
D. IP TTL

Answer A is correct. The IP address is not changed when MLS rewrites frame and packet information. Answers B, C, and D are incorrect because they are rewritten by an MLS switch.

This sample question format corresponds closely to the Cisco BCMSN certification exam format; the only difference on the exam is that questions are not followed by answer keys. To select an answer, position the cursor over the radio button next to the answer and then click the mouse button to select the answer. See the practice exam CD that comes with this book for a general idea of what the questions will look like.
Next, we examine a question that requires choosing multiple answers. This
type of question provides check boxes rather than radio buttons for marking
all appropriate selections. This type of question can either specify how many
answers to choose or instruct you to choose all the appropriate answers.

Question 2
Which of the following items are not necessary when setting up routing in a
VLAN environment? (Choose two.)
A. Creating VLANs and associating user ports to them
B. Building trunks
C. Tuning STP
D. Configuring routing on an RP


Answers B and C are correct. Tuning STP is not necessary to set up routing in a VLAN environment. Building trunks (answer B) is not always necessary either: a trunk is required only for a router-on-a-stick design, whereas routing over access links or on a multilayer switch (MLS) works without one. Answers A and D are required, and therefore are incorrect answers.

For this type of question, more than one answer is required. Such questions are scored as wrong unless all the required selections are chosen. In other words, a partially correct answer does not result in partial credit when the test is scored. If you're required to provide multiple answers and do not provide the number of answers the question asks for, the testing software indicates that you did not complete that question. For question 2, you have to check the boxes next to answers B and C to obtain credit for this question. Realize that choosing the correct answers also means knowing why the other answers are incorrect!
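To show why answer B is only sometimes required, here is an added configuration comparison (the editor's illustration, not a configuration from this book or from Cisco). Interface names, VLAN numbers, and IP addresses are assumptions. The first half is a router-on-a-stick, which needs an 802.1Q trunk between the switch and the router; the second half routes between the same two VLANs on a multilayer switch's SVIs, where the routing step itself needs no trunk.

```text
! Added example (not from the book). Interface names, VLAN numbers and
! addresses are assumptions.
!
! --- Router-on-a-stick: the port toward the router must be a trunk so that
! --- tagged frames from both VLANs reach the router.
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# end
! One 802.1Q subinterface per VLAN on the router
Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# interface FastEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# interface FastEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# end
!
! --- Multilayer switch: routing happens on the switch's own SVIs, so no
! --- trunk is involved in the routing step; user ports stay access links.
Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
```

The `switchport trunk encapsulation dot1q` line applies to switch models that support both ISL and 802.1Q; on 802.1Q-only models it is not accepted and `switchport mode trunk` alone is enough. Links between switches that carry several VLANs still need trunks in either design; the point of the comparison is only that the routing function itself does not.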
Although these two basic types of questions can appear in many forms, they are the foundation on which most of the BCMSN certification exam questions are based. Some other complex questions might include exhibits, simple fill-in-the-blank questions, as well as simulation questions. For some of these questions, you'll be asked to make a selection by clicking the portion of the exhibit that answers the question or by typing the correct answer(s) in the testing interface. Your knowledge and expertise of switch configuration must go well beyond merely memorizing the purpose of various commands. The BCMSN exam tests your ability to configure a switch in a variety of scenarios and configurations. Do not rely simply on your success at answering traditional multiple-choice questions. Although that type of question represents the core of the exam, your failure to answer the many fill-in-the-blank, simulator, and configuration scenario type questions will lead to an unsuccessful testing session.

Other questions involving exhibits use charts or diagrams to help document a network scenario that you'll be asked to configure or troubleshoot. Careful attention to such exhibits is the key to success. In these instances, you might have to toggle between the exhibit and the question to absorb all the information being shown and to properly answer the question.

You also might see a question or two in which you must enter a simple command into an input box. You might be presented with a long list of available commands as part of the testing interface. You will also encounter from one to five simulation questions. You will be given a simulated scenario that you must complete in the Cisco IOS environment. This generally involves performing a series of steps at the command line or possibly dragging and dropping the correct order of a certain procedure. Therefore, actual experience with the Cisco switch IOS and real-world practice are critical to success on the BCMSN exam.


Exam-Taking Techniques
A well-known principle when taking certification exams is to first read over
the entire exam from start to finish while answering only those questions you
feel absolutely sure of. The next time around, you can delve into the more
complex questions. Knowing how many such questions you have left helps
you spend your exam time wisely. Although this is good overall testing
advice, this capability is not available to you on the BCMSN exam 642-811.
To protect the integrity of the certifications, Cisco does not allow you to
mark and go back to review a previously answered question.
It is critical on a Cisco exam that you read each question thoroughly. After you input
your answer and move on to the next question, you cannot go back!

As you approach the end of your allotted testing time of 90 minutes, you're better off guessing than leaving a question unanswered.
Please note that Cisco can, at any given time, change the number of questions on
the exam as well as the allotted time to complete the exam!

The most important advice about taking any exam is this: Read each question carefully. Some questions are deliberately ambiguous, some use double negatives, and others use terminology in incredibly precise ways. I've taken numerous exams (both practice and live) and in nearly every one, I missed at least one question because I didn't read it closely or carefully enough. Here are some suggestions on how to deal with the tendency to jump to an answer too quickly:

- Make sure that you read every word in the question very carefully, even if that means you have to read it several times.
- As you read, try to reformulate the question in your own words. If you can do this, you should be able to pick the correct answer(s) much more easily.
- Rereading a question sometimes enables you to see something you missed the first time you read it.
- If you still do not understand the question, ask yourself what you don't understand about it, why the answers don't appear to make sense, or what appears to be missing. If you think about the subject for a while, your subconscious might provide the details that are lacking or you might notice a trick that points to the correct answer.


Above all, try to deal with each question by thinking through what you know about switching, and the characteristics, behaviors, and facts involved. By reviewing what you know (and what you've written down on your information sheet), you'll often recall or understand enough to be able to deduce the answer to the question.

Question-Handling Strategies
Based on exams I've taken, some interesting trends have become apparent. For those questions that take only a single answer, usually two or three of the answers are obviously incorrect, and two of the answers are possible; of course, only one can be correct. Unless the answer leaps out at you, begin the process of answering by eliminating those answers that are most obviously wrong. A word of caution: If the answer seems too obvious, reread the question to look for a trick. Often those are the ones you are most likely to get wrong. If you've done your homework for an exam, no valid information should be completely new to you. In that case, unfamiliar or bizarre terminology most likely indicates a bogus answer.

As you work your way through the exam, budget your time by making sure that you've completed one quarter of the questions one quarter of the way through the exam period and three quarters of them three quarters of the way through the exam. This ensures that you'll have time to go through them all. As you know, there will be 60 to 70 questions to answer in a 90-minute time frame. That gives you an average of a minute to a minute-and-a-half for each question. The simulation questions will probably take longer than the multiple-choice questions, so give yourself ample time.

Be cautious about changing your answers and second-guessing yourself. Many times the first selection is right and changing your answer might cause you to miss questions that were originally answered correctly.

If you aren't finished when 95% of the time has elapsed, use the last few minutes to guess your way through the remaining questions. Remember that guessing is potentially more valuable than not answering because blank answers are always wrong, but a guess might turn out to be right. If you don't have a clue about any of the remaining questions, pick answers at random or choose all As, Bs, and so on. The important thing is to submit an exam for scoring that has an answer for every question.


Mastering the Inner Game


Knowledge breeds confidence, and confidence breeds success. If you study
the information in this book carefully and review all the practice questions at
the end of each chapter, you should become aware of those areas where you
need additional learning and studying.
Follow up by reading some or all the materials recommended in the "Need
to Know More?" section at the end of each chapter. Don't hesitate to look
for more resources online. Remember that the idea is to become familiar
enough with the concepts and situations you find in the sample questions
that you can reason your way through similar scenarios on a real exam. If you
know the material, you have every right to be confident that you can pass the
exam.
After you have worked your way through the book, take the sample tests in
Chapter 12 and Chapter 14. Doing so will provide a reality check and help
you identify areas you need to study further. Answer keys to these exams can
be found in Chapter 13 and Chapter 15.
Make sure that you follow up and review materials related to the questions
you miss on the practice exam before scheduling a real exam. The key is to
know the why and how. If you memorize the answers, you do yourself a great
injustice and might not pass the exam. Memorizing answers will not benefit
you because you're unlikely to see the identical question on the exam. Only
when you've covered all the ground and feel comfortable with the whole
scope of the practice exam should you take a real one.
If you take the practice exam and do not score at least 90% correct, you should
practice further. When you practice, remember that it is important to know why the
answer is correct or incorrect. If you memorize the answers instead, it will trip you
up when taking the exam.

With the information in this book and the determination to supplement your
knowledge, you should be able to pass the certification exam. However, you
have to work at it. Otherwise, you'll have to pay for the exam more than once
before you finally pass. As long as you get a good night's sleep and prepare
thoroughly, you should do just fine. Good luck!


Additional Resources
A good source of information about Cisco certification exams comes from
Cisco itself. The best place to go for exam-related information is online. The
Cisco CCNP Certification home page, which includes a link to BCMSN
information, resides at www.cisco.com/warp/public/10/wwtraining/certprog/lan/programs/ccnp.html.

Coping with Change on the Web


Sooner or later, all the information we have shared about Web-based resources mentioned
throughout this book might go stale or be replaced by newer information. However, there is
always a way to find what you want on the Web if you're willing to invest some time and energy. Cisco's site has a site map to help you find your way around, and most large or complex
Web sites offer search engines. Finally, feel free to use general search tools to search for related
information.

Chapter 2: Designing Switched Networks

Terms you'll need to understand:
AVVID
Core, distribution, and access layers
Building Access, Building Distribution, and Campus Core
CatOS, hybrid, and native modes
Switch Fabric Module

Techniques you'll need to master:
Understanding the components of AVVID
Using the Enterprise Composite Network Model to design
networks
Comparing and contrasting Layer 2 switches, routers, Layer 3
switches, and multilayer switches
Comparing and contrasting Ethernet technologies
Choosing products for small, medium, and large campus networks
Creating a basic switch configuration


This chapter exposes a lot of different concepts to you. First, the chapter discusses Cisco's design philosophy for creating scalable campus networks,
including Cisco's old three-layer hierarchical model and Cisco's new
Enterprise Model design. Next, I'll compare and contrast the different types
of Layer 2 and Layer 3 solutions you can use in your campus network,
including the different Ethernet media types, as well as products that Cisco
recommends for the Enterprise Composite Network Model.
This chapter then discusses how to put a basic configuration on a Catalyst
switch, using native mode (using the IOS operating system). It's assumed that
you have basic knowledge of IOS commands, so this section is more of a
review of basic commands and configuration tasks. This is followed by the
optional Switch Fabric Module (SFM), which is supported in the Catalyst
6500 switches.

Network Design
The constant and variable changes in traffic patterns are just two things that
are reshaping the approach that designers have to take in designing campus
intranets. The following are important requirements in the new campus
intranet, at both Layers 2 and 3:
Adapting to topology changes very quickly
Reliability and redundancy in case of network failures
Being able to scale to a very large size
Accommodating large amounts of bandwidth
Being able to predict traffic patterns
Centralizing servers and applications to ease administration
Handling the increasing amount of multicast traffic and applications
Coping with traffic pattern changes from the 80/20 to the 20/80 rule
Supporting a diverse group of routed and bridged protocols

The following sections cover some concepts that Cisco uses when designing
campus networks.

AVVID
AVVID (Architecture for Voice, Video, and Integrated Data) is a process
Cisco developed to help design complex networks with multiple coexisting
technologies. Cisco created this architecture to simplify the planning,
designing, and implementing of networks for companies. AVVID has three
main components:
Network Infrastructure: This includes both the hardware devices and the software necessary to move traffic across the network between a user and his resource. Those devices include routers, switches, firewalls, voice gateways, and others.
Intelligent Network Services: This enables you to provide the appropriate level of secure service for individual users or applications, and includes quality of service (QoS), multicasting, redundancy and availability, security, and network management.
Network Solutions: These are the components of the network infrastructure that support Intelligent Network Services. These solutions include storage and content networking as well as IP telephony.
The three components of AVVID are Network Infrastructure, Intelligent Network
Services, and Network Solutions.

Network Model
Over the last few years, the design of campus networks has radically changed.
Traditionally, most services (sometimes even local services) were placed at
the center of the network, with Layer 2 switching providing the transport
between the users and their resources. Today, a three-layer design is used to
provide scalability and efficiency for a growing intranet. This three-layer
design is composed of the following layers:
Core layer: Provides a high-speed switching backbone
Distribution layer: Implements corporate policies
Access layer: Provides users initial access to the network

Figure 2.1 displays the three-layer hierarchy and the devices at each layer.

Figure 2.1 Three-layer hierarchy.

Core Layer
The function of the core layer is to offer a high-speed Layer 2 switching
backbone between different distribution layers, which provides packet
switching that is as fast as possible.
Note that implementing Layer 3 services at the core is not recommended.
That means features such as packet filters and policy-based decisions should
not be performed here, but rather at the lower distribution layer. This is
applicable even to multilayer switching in the core because the core devices
must perform packet manipulating or rewriting to perform their services,
thereby slowing down the packet flow. There's an exception to implementing Layer 3 services at the core: If the campus in question is very large and
you're having issues with Layer 3 convergence at the distribution layers, it
might be necessary to implement Layer 3 switching at the core. However,
this should be approached with caution.

Distribution Layer
The distribution layer provides the demarcation point between the core and
the access layers of a campus network. The distribution layer switches should
perform all Layer 3 and policy functions. These include the following tasks:
Connecting to access switches to provide workgroup and department access
Implementing VLANs to handle broadcast issues
Routing between VLANs

Designing addressing and address summarization
Enforcing security policies
Translating between different media types such as FDDI, Ethernet, and token ring

Because the distribution layer aggregates the connection of many different
access switches, the distribution switch needs a high-speed Layer 3 or multilayer switching function to handle all the intra- and inter-VLAN traffic.

Access Layer
The access layer provides the user entry point into the switched network. It
allows for the connection of different users and their servers.
At this layer, you can provide shared or switched access. An example of
shared access is when you have computers attached to a hub that's in turn
attached to a switch. Switched access occurs when a computer has its own
connection on the switch; it's not sharing bandwidth with other networking
devices. Switched access provides more bandwidth for users, but is more
costly because it requires more ports on your switch.
The following are some of the tasks and items that this layer handles:
Defining VLAN membership for users and services to restrict the propagation of broadcast and multicast traffic
Filtering traffic based on MAC addresses
Intelligent switching of multicast traffic
Dedicated switched bandwidth for servers and users or shared bandwidth user environments where hubs are deployed
Authenticating users' access to the network

Switches are the most common devices used at this layer to provide users
with their connections. Note that the access layer can include routers when
connecting branch offices to their corporate site by using technologies such
as frame relay, ISDN, or even dedicated links. It is sometimes mistaken that
the three layers (core, distribution, and access) must exist in distinct physical entities, which obviously does not have to be the case. These layers are
defined more for representing functionality than for physical boundaries.
The way that the layers are implemented is based on your specific networking design. However, a hierarchical structure must be maintained for optimal
functionality.

The core provides high-speed switching between the distribution layers. The distribution layer provides Layer 3 services, including the containment of broadcasts and
STP problems. The access layer provides the user's initial connection to the network.

Enterprise Model
One of the limitations of the three-layer hierarchical model is that it covers
only a single campus design and doesn't allow different types of treatments
based on the function of a particular layer(s) in a campus. Cisco has expanded on this and created the Enterprise Composite Network Model (ECNM),
which breaks a network into three functional areas, depicted in Figure 2.2:
Enterprise Campus
Enterprise Edge
Service Provider Edge

Figure 2.2 Enterprise model.

The main purpose of the ECNM is to define clear boundaries or demarcation points between different modules, or areas, of your network. By modularizing your network, your network becomes easier to troubleshoot and
maintain as well as more scalable. Also, by modularizing your network, it
becomes easier to add new modules to your existing design without having
to redesign your entire network infrastructure and services.


Each of these functional areas can have its own access, distribution, and core.
Those three layers are typically contained within the Enterprise Campus
area, but the other functional areas can contain one, two, or all three of these.
The following three sections cover these functional areas.

Enterprise Campus
The Enterprise Campus area provides the three-layer hierarchical campus
model, but it doesn't include remote or Internet connections (these are in the
Enterprise Edge area). Within the Enterprise Campus module, you'll find
the following sub-modules: Campus Infrastructure, Edge Distribution,
Server Farm, and Network Management.
The Campus Infrastructure module includes the following sub-modules:
Building Access (formerly the access layer of the three-layer hierarchical model): Responsible for network access/authentication, broadcast suppression, and QoS.
Building Distribution (formerly the distribution layer of the three-layer hierarchical model): Responsible for filtering traffic, connecting modules together via VLAN routing, containing broadcasts, and QoS. Redundancy is provided by having dual connections from the building distribution to each building access and core modules.
Campus Backbone or Core (formerly the core of the three-layer hierarchical model): Responsible for high-speed switching of traffic between building distribution modules, as well as QoS and, possibly, security. Redundancy is provided by having dual connections to each building distribution as well as the edge distribution.
In addition to these three sub-modules, Cisco has introduced some new
ones. The Edge Distribution sub-module is responsible for connecting to
the Enterprise Edge module, which separates you from the outside world
(Service Provider module). Its functions are similar to the Building
Distribution module in Campus Infrastructure. However, it can perform
additional security tasks as well as summarize routing information.
The Server Farm sub-module contains corporate resources, such as database
applications, corporate email, DNS and WINS, file and print services, and
so on. Because access to these resources is critical, dual connections are used
between the Server Farm and the Campus Backbone sub-modules. Please
note that you might have other servers in your network, typically at the
Building Distribution, for separate divisions or departments within your
company.

The Network Management sub-module is responsible for managing your
network infrastructure, providing for authentication services, capturing logging information, configuration management, and other functions.

Enterprise Edge
The Enterprise Edge sub-module controls traffic between the Service
Provider Edge and the Enterprise Campus. The Enterprise Edge contains
four sub-modules: E-commerce, Internet Connectivity, Remote Access and
VPNs, and WAN Access.
The E-commerce sub-module contains services offered to the public. Those
services can include Web servers, database servers, online transactions, and
application servers. They're all protected by security products such as
authentication servers, firewalls, and intrusion detection.
The Internet Connectivity sub-module provides a connection between you
and the Internet. This sub-module contains the following services: DNS,
FTP, email, and Web servers. It is protected by security products such as firewalls, basic filtering on perimeter routers, and intrusion detection systems.
The Remote Access and VPN sub-module is responsible for remote access
and remote access VPN connections from your external users and sites. The
types of devices involved with this sub-module include dial-up access servers,
VPN concentrators, firewalls, routers, and intrusion detection systems.
The WAN Access sub-module is responsible for connecting remote sites to
the Enterprise Edge via a private network. Traffic from these sites does not
traverse a public network, like the Internet, and is therefore more secure.
Types of technologies employed for these connections include leased lines,
DSL, cable, optical, wireless, frame relay, ATM, and others.

Service Provider Edge
The Service Provider Edge sub-module provides WAN and MAN connections to private and public networks for customers and is connected to a
company's Enterprise Edge. There are three sub-modules in the Service
Provider Edge: ISP, PSTN, and WAN technologies.
The ISP sub-module is responsible for providing Internet access to a customer. It can host services for customers who want to outsource the management of specific e-commerce applications. The PSTN sub-module provides
dial-up access (analog, ISDN, and wireless) for remote access users. The
WAN Technologies sub-module provides permanent connections to remote
sites using media types like leased lines, frame relay, ATM, and others.

Devices, Media Types, and Switching Roles
The next few sections examine the different devices that you can use in your
campus network, the media types that are typically used, and the role or roles
that your switching products will play in designing a scalable campus network.

Devices
When dealing with a campus network, you'll have to use many different
types of devices to deliver the services that your users need. The basic infrastructure of this network contains devices that move traffic between the users
and their services. Choosing the correct devices is therefore very important.
The following sections cover some of the basic kinds of devices that you'll
typically use for your design: Layer 2 switches, routers, Layer 3 switches, and
multilayer switches.

Layer 2 Switches
Introduced in 1994, switches are weapons in a network administrator's arsenal that can help him solve problems in a data network. Switches have many
things in common with bridges: Both are Layer 2 devices; both forward all
broadcasts and multicasts; both do not allow multiple paths to a destination;
both solve collision problems; both learn the locations of devices by putting
the source MAC address of a frame, along with its associated port, into a port
address or CAM table; both make switching decisions based on MAC
addresses; both allow an administrator to use existing equipment and cabling
with little or no upgrading.
With switches and bridges sharing so many of the same characteristics, many
people scratch their heads wondering what the differences are. One difference, although it's somewhat minor, is that bridges usually have no more than
2 or 4 ports per bridge, whereas switches, with some vendors, can have 500
to 1,000 ports.
Even though most enterprise networks dont use bridges in their networks, you
might see questions about bridges on the BCMSN exam.

In addition to having all the advantages of bridges, switches have many other
advantages:
Switching is performed in hardware by application-specific integrated circuits (ASICs) to provide low switching latency and wire speeds.
Switches support different media types: FDDI, token ring, Ethernet, and ATM.
Switches support full and half duplexing.
Switches have faster backplane buses to support a higher port density and higher connection speeds.
Switches use virtual LANs to help contain broadcasts.

However, switches (and bridges) do not solve all the problems in a campus
network. There are two main problems with this technology: switches flood
broadcasts, multicasts, and unknown unicast destinations, and the Spanning
Tree Protocol (STP), which is discussed in Chapter 4, "Spanning Tree
Protocol," has convergence and scalability problems.
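The learning and flooding behavior described above, as an added example that is not part of the book: a small Python model of a transparent bridge/switch whose CAM table maps each learned source MAC to its ingress port, and which floods broadcasts, multicasts, and unknown unicast destinations. The MAC addresses, port numbers, and the hub shared by two hosts on port 3 are constructed for the scenario.

```python
"""Learning-switch simulation (added example, not code from the book).

Models the bridge/switch behavior the chapter describes: the source MAC of
every frame is learned into a CAM table keyed to the ingress port; known
unicast destinations are forwarded out one port; broadcasts, multicasts and
unknown unicast destinations are flooded out every port except the ingress
port. MAC addresses and port numbers in the trace are constructed samples.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs: the least significant bit of
    the first octet (the I/G bit) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    ports: tuple
    cam: dict = field(default_factory=dict)   # MAC -> port

    def forward(self, ingress: int, frame: Frame):
        """Process one frame arriving on `ingress`.

        Returns (decision, egress_ports): "forward" (known unicast, one
        port), "flood" (broadcast, multicast or unknown unicast, every port
        but the ingress) or "filter" (destination lives on the ingress
        segment, e.g. behind a hub, so the frame is not forwarded)."""
        # Learning: a host that moves ports simply overwrites its entry.
        self.cam[frame.src] = ingress
        others = [p for p in self.ports if p != ingress]

        if is_group_address(frame.dst):
            return "flood", others
        learned = self.cam.get(frame.dst)
        if learned is None:
            # Unknown unicast costs the same as a broadcast: every segment.
            return "flood", others
        if learned == ingress:
            return "filter", []
        return "forward", [learned]


def run_trace(switch: LearningSwitch, trace):
    """Feed (ingress, frame) pairs through the switch and return one
    decision string per frame, e.g. "flood->[2, 3, 4]"."""
    results = []
    for ingress, frame in trace:
        decision, egress = switch.forward(ingress, frame)
        results.append(f"{decision}->{egress}")
    return results


def flood_ratio(decisions) -> float:
    """Fraction of frames the switch had to flood: a rough measure of the
    broadcast and unknown-unicast load the text warns about."""
    return sum(d.startswith("flood") for d in decisions) / len(decisions)


if __name__ == "__main__":
    # Constructed sample: A and B on ports 1 and 2, C and D share a hub on port 3.
    A, B, C, D = ("00:00:0c:00:00:01", "00:00:0c:00:00:02",
                  "00:00:0c:00:00:03", "00:00:0c:00:00:04")
    sw = LearningSwitch(ports=(1, 2, 3, 4))
    trace = [
        (1, Frame(A, BROADCAST)),            # ARP request from A: flooded
        (2, Frame(B, A)),                    # B answers: A is already in the CAM
        (1, Frame(A, C)),                    # C not learned yet: unknown unicast
        (3, Frame(C, D)),                    # D not learned yet: flooded
        (3, Frame(D, C)),                    # C and D on the same port: filtered
        (1, Frame(A, "01:00:5e:00:00:fb")),  # multicast: flooded like a broadcast
    ]
    for line in run_trace(sw, trace):
        print(line)
    print("CAM table:", sw.cam)
```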

Routers
Routers, unlike bridges and switches, operate at Layer 3. Routers also make
forwarding and filtering decisions, but these decisions are based on Layer 3
addressing information, like the network numbers for IP addresses. Unlike
switches, routers are somewhat intrusive in a network. Each segment off a
port of a router must be assigned a network number, and each device connected to that segment must have that network number and a unique node
number as part of its Layer 3 address, including the router itself. The end
stations must also know about the router so that if they need to send information to a device that's not on the same segment, they know where to send
the information to get it to its final destination. In protocols such as IP, this
must be physically configured on the end users device or automatically
assigned via a DHCP server.
Routers solve two problems that have been discussed so far: Through segmentation, they can create multiple collision domains as well as multiple
broadcast domains. Unlike bridges, routers do not forward broadcasts, by
default. In networks where broadcasts are problematic, routers can help cut
down on the propagation of broadcasts: broadcasts stay local to the segment
where they were created. The advantage of this is that if a machine goes
crazy with broadcasts, it does not affect the whole network, as it would in a
flat, switched network. Routers create a lot more broadcast domains, but
each of these domains is smaller and has fewer broadcasts.

Routers run a routing protocol to share information about the topology of
the network. Because this is a Layer 3 topology, using an intelligent routing
protocol such as OSPF or EIGRP can provide a more optimal path structure
than what STP would create at Layer 2. Routers can also utilize multiple
paths to a destination if their routing protocol supports it, thus taking advantage of more bandwidth. This is especially important for backbones that have
a very heavy traffic load (STP allows only one path to a destination).
Because you're dealing with Layer 3 logical addresses, you have more control over how information is processed and forwarded. Most routers have the
capability to perform filtering based on source and destination network
addresses as well as application types such as telnet and WWW. With this
capability, a network administrator can implement network or security policies more easily. With switches, you would have to filter on MAC addresses.
Despite all these advantages, routers do have some problems. They obviously
cost more than switches, given the fact that they can do a lot more than them,
which also means that routers require more configuration than switches. An
administrator cannot simply take a segment, separate it into two segments,
attach them to a router, and expect it to work. Because the configuration
tasks vary widely from protocol to protocol and vendor to vendor, many
administrators must get additional training to perform these tasks efficiently
and correctly. Finally, routers introduce more latency because they have
three layers to deal with rather than two layers, as with switches.

Layer 3 Switches
A Layer 3 switch is an enhanced router. One problem of traditional routers
is that a generic processor performs most of the switching decisions. Using a
generic processor allows the router to perform all tasks, but it does not perform all of them well. To overcome this inefficiency, Layer 3 switches use
inexpensive ASICs to perform forwarding of frames. This allows Layer 3
switches to achieve very high forwarding rates, and in tandem with a generic processor, still allows the Layer 3 switch to offer many of the other features
of a traditional router, such as
Routing Layer 3 traffic, such as IP packets, based on destination addresses
Applying filtering based on configured policies
Verifying the checksum of the Layer 3 packet
Updating SNMP MIB information for management purposes
Running a Layer 3 routing protocol to help make switching decisions

Updating Layer 3 packet information, such as the Time-To-Live (TTL) field in IP
Supporting quality of service (QoS)
Tracking information flows as traffic passes through them

A Layer 3 switch, for all intents and purposes, is a router. The main difference between a Layer 3 switch and a traditional router is that a Layer 3
switch switches all frames in hardware at wire speeds. The main downside of
a Layer 3 switch is in interface flexibility. For example, if you need WAN
interfaces, a traditional router typically offers this flexibility, whereas a Layer
3 switch doesn't.

Multilayer Switches
Multilayer switching combines Layer 2, Layer 3, and Layer 4 switching in
one chassis. These switches can examine information in the transport layer
segment (TCP and UDP) to help make intelligent switching decisions. To do
this, a multilayer switch routes the first packet in a packet stream but switches the rest, sometimes referred to as "route once, switch many."
Cisco's Catalyst family of multilayer switches can switch based on Layer 2,
Layer 3, and Layer 4 information. Because these Catalyst switches perform
their switching (at all levels) in hardware, there's no difference in performance from switching at Layer 2 and switching at Layer 4. Multilayer switches and Layer 3 switches are discussed in more depth in Chapter 6,
"Multilayer Switching."
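A simplified model of the "route once, switch many" behavior described above, together with the TTL update listed among the Layer 3 switch features, as an added example (not the book's code and not how Catalyst hardware implements it): the first packet of a flow takes the routing path, and the result is cached under the flow's Layer 3/Layer 4 key. The routing table, addresses, and port numbers are constructed sample values.

```python
"""Flow-cache model of "route once, switch many" (added example; not the
book's code and not Cisco's implementation).

The first packet of a flow, identified by its Layer 3 and Layer 4 header
fields, takes the routing path: longest-prefix match, TTL check and TTL
decrement. The next hop and egress port are then cached under the flow key,
so every later packet of that flow is served by a single cache lookup. The
routes, addresses and port numbers below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    ttl: int


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    port: int


class MultilayerSwitch:
    def __init__(self, routes):
        # routes: (prefix, next hop, egress port). Most specific prefix
        # first, so the first match below is the longest match.
        self.routes = sorted(
            (Route(ipaddress.ip_network(p), nh, port) for p, nh, port in routes),
            key=lambda r: r.prefix.prefixlen, reverse=True)
        self.flow_cache = {}   # flow key -> (next hop, egress port)
        self.routed = 0        # packets that took the full routing path
        self.switched = 0      # packets served from the flow cache

    @staticmethod
    def flow_key(pkt: Packet):
        """Layer 3 + Layer 4 tuple that identifies a flow."""
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)

    def route_lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        addr = ipaddress.ip_address(dst_ip)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None

    def forward(self, pkt: Packet):
        """Return (action, next_hop, egress_port, rewritten_packet).

        action is "routed" for the first packet of a flow, "switched" for a
        flow-cache hit, and "dropped" when no route exists or the TTL has
        expired; for "dropped" the other three values are None."""
        if pkt.ttl <= 1:
            # TTL handling stays a Layer 3 duty even on a cache hit.
            return "dropped", None, None, None
        key = self.flow_key(pkt)
        cached = self.flow_cache.get(key)
        if cached is not None:
            next_hop, port = cached
            self.switched += 1
            action = "switched"
        else:
            route = self.route_lookup(pkt.dst_ip)
            if route is None:
                return "dropped", None, None, None
            next_hop, port = route.next_hop, route.port
            self.flow_cache[key] = (next_hop, port)   # route once ...
            self.routed += 1
            action = "routed"
        # ... switch many: the same rewrite is applied to every packet.
        return action, next_hop, port, replace(pkt, ttl=pkt.ttl - 1)


if __name__ == "__main__":
    sw = MultilayerSwitch([
        ("10.1.0.0/16", "10.1.255.1", 2),
        ("10.1.20.0/24", "10.1.20.1", 3),
        ("0.0.0.0/0", "192.0.2.1", 9),
    ])
    flow = Packet("10.2.0.5", "10.1.20.7", "tcp", 40000, 80, 64)
    for _ in range(3):
        print(sw.forward(flow)[0])                   # routed, switched, switched
    print(sw.forward(replace(flow, dport=443))[0])   # different flow: routed
    print("routed:", sw.routed, "switched:", sw.switched)
```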

Media Types
Ethernet comes in a variety of flavors: 10Mbps, 100Mbps, 1Gbps, and even
10Gbps. The following sections briefly cover some of the important topics
related to Ethernet media types.

Ethernet
All flavors of Ethernet use the same frame type. However, the physical
layer of each implementation is different. All of these implementations support both copper and fiber. It's important to realize that
Ethernet is distance sensitive. That means for the CSMA/CD mechanism to
work correctly, you'll have to stringently follow the cabling type (copper and
fiber) and distance specifications for Ethernet. Table 2.1 describes the
100-meter rules that you should follow for Category 5 cabling.

Table 2.1 Rules for Cabling Category 5 Ethernet
Distance    Location
5 meters    Used from the user's desktop to the punch-down block or outlet
90 meters   Used from the punch-down block to the wiring closet's patch panel
5 meters    Used from the patch panel to the Ethernet switch

10Mbps Ethernet is not commonly used in today's networks, although many
print servers and printers with Ethernet ports support only 10Mbps.
If you do want to use it, you should restrict it to the Building Access
sub-module (user connections).
When cabling Ethernet connections, do not exceed 5 meters between the
user's PC and his outlet or punch-down block, 90 meters between there and the
patch panel, and 5 meters from the patch panel to the Ethernet switch.

Fast Ethernet
Fast Ethernet is built on the same principles as Ethernet: It uses the same
frame type, length, and format; it implements CSMA/CD; it uses the same
MAC layer. The main difference between the two is that the physical layer
for Fast Ethernet is different. Fast Ethernet also supports half- and full-duplex connections. Table 2.2 describes the cabling types and distance limitations of Fast Ethernet for copper cabling.
Table 2.2 Fast Ethernet Media Types
Media Type    Distance (Meters)                       Cabling
100BaseTX     100                                     Category 5 UTP
100BaseT4     100                                     Category 3, 4, 5 UTP
100BaseFX     Half duplex: 400; Full duplex: 2,000    Multimode Fiber (MMF)

Fast Ethernet, for the most part, has supplanted 10Mbps Ethernet. In most
designs, Fast Ethernet is used within the Building Access sub-module: It provides connections to users. Fast Ethernet can be used at the Building
Distribution (connections down to the access layer and to distribution layer
servers) and Campus Core sub-modules (connections within the core and to
Building Distribution sub-modules), but because of expanding bandwidth
needs, Gigabit Ethernet is a better solution for these locations.

100BaseTX has a distance limitation of 100 meters. 100BaseFX's limitation is 400
meters half duplex and 2,000 meters full duplex.

Gigabit Ethernet
Gigabit Ethernet, supporting speeds of 1Gbps, can provide more than sufficient bandwidth to any bandwidth-intensive points in your intranet. The
physical layer of Gigabit Ethernet was developed from a mixture of technologies in the original Ethernet standards and includes the ANSI X3T11
Fibre Channel specification. Until recently, the most common was 802.3z,
which uses fiber at the physical layer. This is referred to as 1000Base-X. The
newer IEEE standard, 802.3ab, specifies copper, and is commonly referred
to as 1000BaseT.
Like Fast Ethernet, Gigabit Ethernet builds on the Ethernet protocol standard. There were some initial problems getting Gigabit Ethernet to perform
at gigabit speeds. To accomplish this, a few changes were made to its physical layer connectivity. This was facilitated by merging two existing standards:
IEEE's 802.3 Ethernet and ANSI's X3T11 Fibre Channel standards. The
MAC layer of Gigabit Ethernet uses the same CSMA/CD protocol as
Ethernet. Table 2.3 displays the cable types and distance limitations of different implementations of Gigabit Ethernet.
Table 2.3 Gigabit Ethernet Media Types
Media Type    Distance (Meters)                     Cabling
1000BaseCX    25                                    STP
1000BaseT     100                                   Category 5 UTP
1000BaseSX    260 (62.5 micron); 550 (50 micron)    MMF
1000BaseLX    3,000-10,000                          SMF

Cisco does not support 1000BaseCX in its products. The 1000BaseLX standard supports 3 kilometers, but Cisco has stretched this to 10 kilometers with
certain interface types.
Gigabit Ethernet can be deployed at all locations within the Enterprise
Campus module: Building Access, Building Distribution, Campus Core, and
Server Farm. Inside a building, it can aggregate multiple 10Mbps or 100Mbps
links from the access layer switches to distribution layer switches. At the core, these
links can provide bandwidth capacity for streaming video or real-time
database enterprise application servers that are located in the server block.
Likewise, the links can be used in the core to connect two switch blocks when
the switch blocks are generating an inordinate amount of traffic between
themselves.
Gigabit Ethernet is not commonly used to connect user devices to access
layer switches. Not all computers and Gigabit Ethernet NICs can process
frames at Gigabit Ethernet speeds. Only high-end servers and expensive
Gigabit NICs with fast processors can approach this speed. For this reason,
it makes no sense to buy one of these cards for a small- to medium-sized file
server that handles only file and print services; it should be reserved for high-end data or video servers. In many of these servers, the I/O subsystem connected to the disk drives cannot begin to attain these speeds even if the NIC
cards and the CPU can. Speeds in the range of 400 to 700Mbps are more
reasonable. If speeds higher than this are necessary, it's better to buy a multiport Fast Ethernet ISL card and set up a full-duplex Fast EtherChannel.
(EtherChannels are discussed in Chapter 4.)
Distance limitations for Gigabit Ethernet include 25 meters for 1000BaseCX, 100
meters for 1000BaseT, 260-550 meters for 1000BaseSX, and 3,000-10,000 meters
for 1000BaseLX.

Other Ethernet Implementations


10 Gigabit Ethernet is a work in progress and is in a draft state. 10 Gigabit
Ethernet is based on the 802.3 MAC that the other flavors of Ethernet
implement and uses full duplex. It is used for switch-to-switch connections,
aggregating 1Gbps connections, and clustering of servers. It is typically used
in the Campus Core sub-module and as a backbone solution for the Service
Provider Edge by ISPs and metropolitan area networks (MANs). This solution allows a main office to easily aggregate a bunch of 1Gbps MAN connections coming from other offices connected to a MAN.
Many providers offer Ethernet as a connectivity solution in a MAN environment, called Metro Ethernet. This provides a seamless connection from the
network of a company that has deployed Ethernet, allowing switch-to-switch
connections across a provider's backbone. Metro Ethernet is discussed in
Chapter 11, Metro Ethernet.
Cisco has a technology called Long Reach Ethernet (LRE), which extends
Ethernet to 5,000 feet over Category 1, 2, or 3 cabling. This is typically used
to provide Ethernet over POTS lines for provider ADSL connections.


Switching Roles
One of the decisions you'll have to make is to choose devices for each of your
Enterprise Campus sub-modules. Table 2.4 summarizes what types of
switches and media types should be used at various locations in your campus.
Table 2.4 Switch Roles and Media Types
Location                Switch Type                     Media Type
Building Access         Layer 2 switch                  Fast Ethernet (and Ethernet)
Building Distribution   Layer 3 or multilayer switch    Fast Ethernet and Gigabit Ethernet
Campus Core             Layer 2 or Layer 3 switch       Gigabit and 10 Gigabit Ethernet

Layer 2 switches provide simple and fast, but not scalable, networks. Layer 3
switches support fast convergence, hierarchical designs, equal-cost path load
balancing, and better scalability than Layer 2 switches. The main downside
of Layer 3 switches is that they cost more than Layer 2 switches.
The Building Access module uses Layer 2 switches. Building Distribution uses
multilayer or Layer 3 switches. Campus Core uses Layer 2 or Layer 3 switches.

Design Practices
You'll want to include redundancy in any type of network design. Consider
Figure 2.3 as an example. In this design, the access layer switches have dual
connections to the redundant Building Distribution switches in the building
on the campus. STP removes any Layer 2 loops and Cisco's Hot Standby
Routing Protocol (HSRP) provides default gateway redundancy for users
inside the Building Access module. HSRP is discussed in Chapter 7,
Availability and Redundancy.
Notice that the core has two switches for redundancy, and the Building
Distribution switches have dual connections to each of these. By using a different VLAN for each connection, you're introducing redundancy at Layer
3 for your Layer 3 routing protocol. This provides two equal-cost paths for
a Building Distribution switch to reach locations across the Campus Core.
The next three sections discuss some design philosophies based on the size
of different campuses.

Figure 2.3 Design redundancy.

Small Campus Networks


There are actually many ways that you could design your network. For a
small campus network, you might have a collapsed core. With this design,
the Building Distribution and Campus Core components are lumped into
one sub-module, which is connected to the Building Access sub-module.
This creates a two-layer design, which is useful if you have only a single
building in your campus.
The Building Access sub-module uses Layer 2 switches, whereas the collapsed core uses Layer 3 switches. In this type of design, Cisco recommends
that you use 3550 Layer 3 Catalyst switches for the Campus Core and
Catalyst 2950 switches for the Building Access sub-modules. The 3550
breaks up broadcast domains, and the 2950 provides only Layer 2 access.
Use the Catalyst 3550 for the Campus Core and the 2950 for the Building Access.


Medium Campus Networks


A medium-sized campus network has a three-layer hierarchy: Building
Access, Building Distribution, and Campus Core. This type of network
might have a mixture of voice and data. You'll need to create VLANs (discussed in Chapter 3) to separate your voice and data traffic.
The Building Access sub-module uses Layer 2 switches, whereas Building
Distribution and Campus Core use Layer 3 or multilayer switches. By using
Layer 2 switches in the Building Distribution sub-module, you're containing
broadcast traffic and STP problems within a building. Please note that for
Layer 3 scalability, you can use Layer 3 switches in Campus Core. If this isn't
necessary, you can use Layer 2 switches. Cisco recommends that you use the
400x or 3500XL PWR Catalyst switches for the Building Access sub-module,
the 4006 for Building Distribution, and either the 4006 or 6500 for Campus
Core.
Use the Catalyst 4000s or 3500XL for Building Access, the 4006 for Building
Distribution, and either the 4006 or 6500 for the Campus Core.

Large Campus Networks


A large-sized campus network is similar in design to a medium-sized campus.
The main difference between the two is that in a large campus, you have to
interconnect many buildings, whereas in a medium campus, you have to deal
with only a handful of buildings if even that. In this environment, Layer 3
operation becomes very important. You'll want to use a fast converging Layer
3 routing protocol, such as OSPF or Cisco's EIGRP. Bandwidth between layers is also a serious consideration. You'll use Gigabit connections or Gigabit
EtherChannels to connect modules. You'll also implement many different features to ensure an appropriate level of service for your applications and traffic.
Building Access sub-module uses Layer 2 switches, Building Distribution
uses Layer 3 or multilayer switches, and Campus Core uses Layer 2, Layer
3, or multilayer switches. Cisco recommends that you use Catalyst 6500s or
400xs for the Building Access sub-module, Catalyst 6500s or 4006s for the
Building Distribution sub-module, and Catalyst 6500s for the Campus Core
sub-module.
Use the Catalyst 4000s or 6500 for the Building Access sub-module, 4006 or 6500
for Building Distribution, and 6500s for Campus Core.


Server Farm
The Server Farm sub-module is connected to the Campus Core. It contains
application and transaction servers, file and print servers, email servers, voice
gateways, DNS servers, multimedia servers, and others. Maintaining access
to these services is critical.
You should treat the Server Farm sub-module as a special logical building
within your campus: It should have Building Distribution (Layer 3 devices)
and Building Access (Layer 2 devices) sub-modules. It is important to use a
Layer 3 device to separate the Campus Core from the Server Farm to contain Layer 2 problems such as broadcasts, multicasts, and STP.
The Building Access sub-module should contain Layer 2 switches. Cisco
recommends Catalyst 6500 or 4000 Series switches. All critical services here
should be dual-homed to separate access switches and implement redundancy. The Building Distribution sub-module should contain mid-to-high-end
Catalyst switches, such as the 6500, as well as other devices, such as caching
systems, server load balancing, server content routing, and so on.
Cisco's Content Network Solutions can provide these services.

Enterprise Edge
The Enterprise Edge module defines the boundary between your site and
other sites or networks. Layer 2 switches are typically used for connectivity
within this module. Other devices, described in the Enterprise Edge section earlier in this chapter, provide most of the connectivity functions for this
module, such as firewalling, routing, intrusion detection, terminating VPN
end points, and so on.

Introduction to the Command-Line Interface
The remainder of this chapter focuses on using the command-line interface
(CLI) on Cisco switches. There are actually two different operating systems
that some Cisco switches support: CatOS and IOS. CatOS is the older style
operating system and the IOS is the newer style. The CCNP BCMSN exam
focuses on the newer style. So, most of the commands discussed in this and
the remaining chapters are IOS commands.


CatOS and IOS Comparison


There are actually three flavors of the operating system for certain Catalyst
switches: CatOS, hybrid mode, and native mode (IOS). CatOS configures
only Layer 2 switching. For switches that have Layer 3 capabilities, such as
the Catalyst 6500 with the MSFC (multilayer switch feature card), CatOS
can be used for Layer 2 functionality and the IOS can control the MSFC.
This process is called hybrid mode. In native mode, the IOS controls both
Layer 2 and Layer 3 functions in the switch. Table 2.5 displays the switches
and the modes that they support.
Table 2.5 Catalyst Switches and Supported Operating Systems
Operating System   Catalyst 2950   Catalyst 3550   Catalyst 4000           Catalyst 6500
CatOS              No              No              Supervisor I and II     Yes
Hybrid             No              No              No                      Yes, with MSFC
IOS                Yes             Yes             Supervisor III and IV   Yes

CatOS and IOS support most of the same features; however, there are some
differences. For instance, CatOS supports dynamic VLANs and stateful
supervisor engine switchover/failover, whereas IOS doesn't. CatOS doesn't
support server load balancing, MPLS, and distributed Cisco Express
Forwarding (CEF), but IOS does.
CatOS is supported on the Catalyst 4000s and 6500s, and provides only Layer 2 processing. Hybrid mode is supported on the 4006 and 6500 when a routing card is
installed: the routing card has IOS and the Supervisor Engine has CatOS. Native
(IOS) mode only runs IOS on the switch, controlling both Layer 2 and Layer 3 functions. All of Cisco's switches support native mode.

If you've worked with CatOS in the past, the IOS interface and configuration will be noticeably different. Table 2.6 compares the configuration and
operation of the two operating systems.
One major difference between CatOS and IOS is that CatOS has only two
modes: User and Privilege EXEC, whereas IOS has three modes. Both
CatOS modes are similar to the equivalent IOS modes. The exception is that
in Privilege EXEC mode in CatOS, you can also execute configuration
commands, such as set and clear.

Table 2.6 IOS Versus CatOS
OS Feature                      IOS                                                                 CatOS
Mode of ports                   Layer 2 and Layer 3                                                 Layer 2
Default port status             All Layer 3 ports disabled; all Layer 2 ports enabled               All ports enabled
Number of configuration files   One                                                                 One for the Supervisor Engine and one for the MSFC
Modes                           User EXEC, Privilege EXEC, and Configuration modes                  User and Privilege EXEC modes
Configuration commands          Changes done by IOS-style commands; negated with the no parameter   Changes made with set and clear commands

CatOS uses set and clear commands to make configuration changes.

Configuration Introduction
The commands discussed in this book are used by the IOS operating system
(CatOS is not discussed, except in specific situations related to the exam).
This book assumes that you have basic IOS skills and have at least achieved the
CCNA certification, which thoroughly covers basic IOS commands. As
you'll see in this section, the commands used by IOS routers are basically the
same as those used on the Catalyst switches, with some differences.
Features such as context help, CLI editing, and command recall are all supported in native mode.
To access the switch and put an initial configuration on the switch, you'll
have to set up a console connection from your PC to the switch. This
requires an RJ-45 rollover cable and a DB9-to-RJ45 terminal adapter. You'll
need a terminal emulation program running on your PC, configured for
9,600bps, 8 data bits, 1 stop bit, no parity, and no flow control.


Sample Configuration
Let's take a look at a basic configuration for an IOS-based switch, shown in
Listing 2.1.
Listing 2.1 Basic Configuration
Switch> enable
Switch# configure terminal
Switch(config)# hostname name_of_switch
Switch(config)# enable password password
Switch(config)# enable secret password
Switch(config)# service password-encryption
Switch(config)#
Switch(config)# line console 0
Switch(config-line)# password password
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# access-class ACL_# in
Switch(config-line)# exit
Switch(config)# access-list 1-99 permit IP_address [wildcard_mask]
Switch(config)#
Switch(config)# interface vlan VLAN_#
Switch(config-if)# ip address IP_address subnet_mask
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway router_IP_address
Switch(config)#
Switch(config)# interface type slot_#/port_#
Switch(config-if)# duplex auto|full|half
Switch(config-if)# speed 10|100|auto
Switch(config-if)# end
Switch# exit

The enable command takes you from User to Privilege EXEC mode. The
configure terminal command takes you from Privilege EXEC to Configuration mode. The hostname command assigns a name to your switch, which
also changes its prompt. The enable password and enable secret commands
assign a password to restrict access to Privilege EXEC mode. The enable
password command stores the password in clear text, whereas the enable
secret command encrypts the password. If both commands are configured,
the enable secret command takes precedence. The service password-encryption command encrypts all clear-text passwords on the switch; however, its
encryption process is not as strong as that of the enable secret command.

There are two methods of accessing User EXEC mode on the switch: from the
console (line console 0) and from telnet (line vty 0 4). To secure the console
port, use the password command. To secure telnet access, authenticate logins
with the login command and assign a password with the password command.
Please note that the password created with the password command is stored in
clear text. It's recommended that you restrict telnet access to the switch by configuring a standard ACL with the access-list command and activating it on
your VTY lines with the access-class command. Use permit statements in the
ACL to match on networks or PCs that are allowed to telnet to the switch.
In-band management is management traffic, such as telnetting to the switch, that
crosses the switching backplane of the switch. Out-of-band management traffic,
such as accessing the switch through its console port, doesn't traverse the backplane of the switch.

To assign an IP address to the switch, you must create a logical VLAN interface. VLANs are discussed in Chapter 3. To create a logical VLAN interface,
use the interface vlan command, specifying the VLAN that the switch
should be associated with. Then assign an IP address to it with the ip address
command. By default, these logical interfaces are disabled, so enable them
with the no shutdown command. If the switch has no routing function (is configured only for or supports only Layer 2), assign a default gateway address
with the ip default-gateway command.
To configure interface settings, such as speed or duplexing, enter the physical
interface with the interface command. You must specify the type (fastethernet
or gigabitethernet), slot number (on the 2950, this is always 0), and the port
number. Once you're in the interface, use the duplex command to change the
duplexing (defaults to auto) and the speed command to change the speed
(defaults to auto for multispeed ports). If you're experiencing intermittent
connectivity problems or a large number of collisions on an interface,
autosensing could be the culprit. If this is the case, hardcode the speed and
duplexing on the interface.
To exit Configuration mode, use the end command or press the Ctrl+Z control sequence. To log out of the switch from either User or Privilege EXEC
mode, use the exit command. This is the crash course on basic switch
configuration.
Be familiar with the commands listed in Listing 2.1.

Please note that the Catalyst 1900, which is end-of-life (EOL), also has an IOS-based
interface. However, the commands to configure it are different from the ones presented earlier. Because the 1900 is EOL, this book focuses on IOS for only the newer
switches, which I discussed in Listing 2.1.
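The management-access settings that Listing 2.1 configures (an enable secret rather than only an enable password, service password-encryption, login and a password on the VTY lines, and an access-class ACL on those lines) are easy to audit mechanically, and the wildcard-mask matching that a standard ACL performs is worth seeing in code. The following Python script is an added example, not code from the book or from Cisco: it parses a constructed IOS-style configuration (the hostname, addresses, ACL number and passwords are made up), reports which of the settings above are missing or weak, and evaluates the referenced ACL against candidate telnet source addresses. A second copy of the same configuration with enable secret in place of enable password shows the audit passing.

```python
"""Audit a Cisco IOS-style switch config for the Listing 2.1 management
settings.  Added example; the config below is constructed, not from the book."""
import ipaddress
import re

# Constructed sample: 'enable password' without 'enable secret' is left in on purpose.
SAMPLE_CONFIG = """\
hostname access-sw1
enable password cisco123
service password-encryption
!
line console 0
 password console123
!
line vty 0 4
 login
 password vtypass
 access-class 10 in
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.9.9.5
!
interface vlan 10
 ip address 10.1.10.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.10.1
"""
# Same config with the weak setting replaced (the secret value is a placeholder).
HARDENED_CONFIG = SAMPLE_CONFIG.replace("enable password cisco123",
                                        "enable secret PLACEHOLDER-secret")

_ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")


def parse_sections(config):
    """Return (top-level lines, {section header: [its indented lines]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                  # '!' ends a section
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections


def parse_acl(top, number):
    """(action, network) entries of a standard numbered ACL, in config order."""
    entries = []
    for m in filter(None, map(_ACL_RE.match, top)):
        if m.group(1) != number:
            continue
        action, addr, wildcard = m.group(2), m.group(3), m.group(4) or "0.0.0.0"
        if addr == "any":
            entries.append((action, ipaddress.ip_network("0.0.0.0/0")))
            continue
        # A wildcard mask is the inverse of a subnet mask; invert it explicitly so
        # the host wildcard 0.0.0.0 becomes /32 (ipaddress would read it as /0).
        netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
        entries.append((action, ipaddress.ip_network(f"{addr}/{netmask}", strict=False)))
    return entries


def acl_permits(entries, source):
    """First match wins; the implicit final entry is 'deny any'."""
    src = ipaddress.ip_address(source)
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False


def audit(config):
    """Return a list of findings; empty means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no 'enable secret': the Privilege EXEC password is only "
                        "clear text or weakly encoded by service password-encryption")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is not enabled")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if "login" not in body:
            findings.append(f"{header}: 'login' missing, telnet is not authenticated")
        if not any(l.startswith("password ") for l in body):
            findings.append(f"{header}: no line password")
        if not any(l.startswith("access-class ") for l in body):
            findings.append(f"{header}: no 'access-class' restricting telnet sources")
    return findings


if __name__ == "__main__":
    print("sample:", audit(SAMPLE_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
    acl10 = parse_acl(parse_sections(SAMPLE_CONFIG)[0], "10")
    print({ip: acl_permits(acl10, ip) for ip in ("10.1.1.77", "10.9.9.5", "10.9.9.6")})
```

Running the script reports one finding for the sample (no enable secret) and none for the hardened copy, and shows that 10.1.1.77 and the single host 10.9.9.5 match the ACL while 10.9.9.6 falls through to the implicit deny. Feed it the output of show running-config from a real switch to check the same five points there.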


Manipulating Files
To view the active configuration file on a switch, use the show system:running-config command. To view a saved configuration file, use the show nvram:
startup-config command. Please note that the syntax listed earlier is the newer
syntax. The older syntax is still supported. In other words, you could omit the
location, like system: and nvram:, when performing certain copy functions.
When using native mode on a Catalyst switch, any configuration changes
that you make are not automatically saved to flash. This is different from
CatOS. To save your changes, use one of the following commands:
Switch# copy system:running-config nvram:startup-config
Switch# copy system:running-config tftp:[[[//IP_address]/directory_name]/filename]
Switch# copy nvram:startup-config tftp:[[[//IP_address]/directory_name]/filename]

Note that to use the copy command, you must be in Privilege EXEC mode.
The first command backs up the active configuration to flash. The second
command backs up the active configuration to a TFTP server. The third
command backs up the saved configuration to a TFTP server. To restore
your changes, use one of the preceding copy commands and revert the source
and destination information.
To view your operating system files in flash, use the show flash or dir flash:
command:
Switch# dir flash:
Directory of flash:/
    2  -rwx     2664051   Mar 01 1993 00:03:18  c2950-i6q4l2-mz.121-11.EA1.bin
    3  -rwx         269   Jan 01 1970 00:01:51  env_vars
    4  -rwx        1355   Mar 12 1993 01:49:50  config.text
    5  -rwx           5   Mar 12 1993 01:49:50  vlan.dat
    7  drwx         704   Mar 01 1993 00:03:55  html

The first file is the operating image (IOS). The config.text file is the saved
configuration and mimics NVRAM found on Cisco routers. The vlan.dat file
contains the VLAN database configuration discussed in Chapter 3. The html
directory contains the necessary files to access and manage the switch using
a Web browser.
To back up the native mode image in flash, use the copy flash tftp command.
Youll be prompted for the name of the IOS image to back up, the IP address
of the TFTP server, and what you want to name the IOS image on the
TFTP server. To upgrade the native mode image on your switch, use the copy
tftp flash command. You'll be prompted for the same three pieces of information as with the copy flash tftp command.

Troubleshooting
The switches support two basic troubleshooting commands: show and debug.
show commands display static information about the operation and configuration of the switch; in other words, the information is not updated on the
screen unless you re-execute the command. Table 2.7 lists some common
show commands.
Table 2.7 show Commands
Command                  Explanation
show interfaces          Displays the configuration, status, and statistics of the switch's interfaces
show mac-address-table   Displays the contents of the port address table: what MAC addresses reside on which ports
show processes           Displays the CPU utilization for each process running on the switch
show spanning-tree       Displays the configuration and operation of STP
show version             Displays the software and hardware characteristics of the switch

If you can't access the switch via IP or cannot access another device through
the switch, check the following:
- Examine the cabling to make sure that you're using the correct type:
  straight-through for DTE-DCE connections and crossover for DTE-DTE and
  DCE-DCE connections. A DTE is a router, file server, or PC. A DCE is a
  hub, bridge, or switch.
- Examine the status of the interface to which the device is connected with
  the show interfaces command.
- Examine the switch's configuration of its IP addressing on the VLAN
  interface with the show interfaces command. Also examine the switch's
  default gateway address.
- If the switch and other device are in different VLANs, make sure that
  both devices are configured for the correct VLANs and have default
  routes.

debug commands have a dynamic display of events on your switch; that is,
they display events as they occur. You must be in Privilege EXEC mode to
execute debug commands. To add timestamps with the date and time to your
debug output, execute the service timestamps command. Because debug commands are process-intensive, you should disable them when you're finished.
Either preface the debug command with the no parameter to disable it, or use
the no debug all command.

debug commands are a very powerful tool. However, you should be very careful about
their use because they are very process-intensive and can affect the throughput of
traffic flowing through your switch. Do not use the debug all command; doing so
will probably crash your switch.

Converting CatOS to IOS


In hybrid mode on the Catalyst 6500, your switch has two images: one for
the Supervisor Engine and one for the MSFC. The image name for the
Supervisor Engine begins with cat6000-sup. The image name for the MSFC
begins with c6msfc.
In native mode, only one image is used to operate the switch. There are four
types of native mode images for the Catalyst 6500, depending on the
Supervisor Engine (I or II) and MSFC (1, 2, or none) that are installed in the
switch. The four native mode image types are listed here:
- c6sup-is-mz.version_#-revision_#.features: Used with a Supervisor
  Engine I with an MSFC 1 installed. This is the original native mode
  image nomenclature.
- c6sup11-is-mz.version_#-revision_#.features: Used with a Supervisor
  Engine I with an MSFC 1 installed. This is the newer native mode
  image nomenclature.
- c6sup12-is-mz.version_#-revision_#.features: Used with a Supervisor
  Engine I with an MSFC 2 installed.
- c6sup22-is-mz.version_#-revision_#.features: Used with a Supervisor
  Engine II with an MSFC 2 installed.
Based on the hardware installed in your Catalyst 6500, you need to make
sure that you download the correct file.
Converting from a CatOS operating system to an IOS operating system is
not a trivial matter, would require quite a few pages of explanation, and is
beyond the scope of this book. However, if you need to perform this process
by upgrading to an IOS image, visit Cisco's Web site at http://www.cisco.com/warp/customer/473/80.shtml. This site requires a CCO login.
To convert your CatOS configuration to an IOS configuration, download the
following tool from Cisco and run your CatOS configuration through it.
The converter tool outputs an IOS configuration file that you can load on
your switch: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-configconverter. This tool requires a CCO login.

Switch Fabric Module


The Catalyst 6500 switches support a special card, called the Switch Fabric
Module (SFM), which comes in two versions, 1 and 2. In combination with
the Supervisor Engine II, the backplane capacity of the 6500 is upgraded from
32Gbps to 256Gbps. The SFM delivers 30Mpps throughput using Cisco
Express Forwarding (CEF) and 210Mpps throughput with the Distributed
Feature Card (DFC) installed. CEF is discussed in Chapter 6. The SFM also
supports advanced features, such as ACL filtering and QoS, in hardware.

SFM Characteristics
The SFM provides a dedicated connection between modules that support
SFM connectivity. Modules thus have a connection to the 32Gbps bus as well
as to the bus on the SFM itself. The SFM card doesn't have any interfaces,
but it does have an LCD display that shows the utilization of the module.
With a 6513 chassis, the SFM is installed in slot 7 or 8, and slots 9-13 support dual-switch fabric interface modules, such as Fast and Gigabit Ethernet
modules. For all other model 6500 switches, the SFM is installed in either
slot 5 or 6. With all 6500s, you can install a redundant SFM in the remaining slot. One nice feature about dual SFMs is that they don't require any extra
configuration on your part.
The SFM expands the backplane of the switch from 32 to 256Gbps. In a 6513, the
SFM goes in slot 7 or 8, whereas in other 6500 chassis, it goes in slot 5 or 6. The
SFM supports dual cards, but requires a Supervisor Engine II card.

After you install the SFM, traffic can be moved between connected modules
via one of three modes:
- Bus mode: Used to move traffic between non-fabric modules and for
  traffic between fabric and non-fabric modules. All traffic is sent through
  the local bus and Supervisor Engine bus.
- Compact mode: Used to move traffic between fabric modules only, which
  first compacts the DBus header to improve performance (enabled by
  default).
- Truncated mode: Used when you have mixed modules. This mode
  applies only to traffic between fabric modules.

Configuration
Setting up and configuring the SFM is simple. You can place a restriction on
your 6500 operation with the following SFM command:
Switch(config)# fabric required

When you configure this command, you're telling the switch that if the SFM
fails or is removed, the switch will not process any traffic until the SFM is
repaired or re-installed. Actually, in this situation, all modules are powered
off until the SFM is reinstalled.
The SFM can operate in any of the three modes discussed in the last section,
including more than one mode at a time, based on the type of cards installed.
You can restrict its operation by enabling or disabling modes with the following command:
Switch(config)# [no] fabric switching-mode allow bus-mode|
truncated [threshold #]

With truncated mode, you can specify an optional threshold, which specifies
how many fabric-supported modules must be installed before truncated mode
takes effect. To verify the SFM's operation, use the commands in Table 2.8.
Table 2.8 Verifying the SFM's Operation
Command                      Explanation
show module [slot_#]         Displays the modules installed in the Catalyst 6500 chassis, as well as their operational status
show fabric active           Displays the redundancy status of the single or dual SFMs installed in the chassis
show fabric switching-mode   Displays the operational modes of the SFM


Summary
This chapter covered many introductory concepts of Cisco's switches and
how you use them in your network. AVVID is one of the core building blocks
that Cisco uses when creating a network design. AVVID includes three components: Network Infrastructure, Intelligent Network Services, and
Network Solutions.
Cisco uses a basic three-layer hierarchical model to describe the design
process: core, distribution, and access. The core layer provides high-speed
switching between distribution layers. The distribution layer provides Layer
3 services and separation of access and other distribution layers. The access
layer provides a user's initial connection to the network.
Cisco expands on this model when designing campus networks. A campus
network is made up of modules: Enterprise Campus (the campus itself),
Enterprise Edge (buffer between remote sites), and Service Provider Edge
(solutions for remote access). Within the Enterprise Campus are sub-modules,
including Building Access, Building Distribution, Campus Core, and Server
Farm. Layer 2 switches are used in the Building Access sub-module, either
Layer 3 or multilayer switches are used in the Building Distribution sub-module, and either Layer 2 or Layer 3 switches are used in the Campus Core
sub-modules.
There are three types of operating system modes for Catalyst switches:
CatOS, hybrid, and native. CatOS mode provides only Layer 2 functionality for Supervisor Engines. Hybrid mode handles the Layer 3 cards installed
in a CatOS switch. Native (IOS) mode handles both Layer 2 and Layer 3
processes in a Catalyst switch. The Switch Fabric Module (SFM) expands the
backplane capacity of a 6500 switch from 32Gbps to 256Gbps.


Exam Prep Questions


Question 1
Which AVVID component is responsible for multicasting?
A. Network Infrastructure
B. Intelligent Network Services
C. Network Solutions
D. Design Construction

Answer B is correct. Intelligent Network Services provides for services such
as multicasting. Answer A defines hardware components and answer C
includes storage and content networking, making them incorrect answers.
Answer D is not a component of AVVID.

Question 2
Which layer provides filtering of traffic?
A. Access
B. Distribution
C. Core
D. Service Provider Edge

Answer B is correct. The distribution layer, part of Cisco's three-layer hierarchical design, provides Layer 3 services, including filtering of traffic.
Answer A provides a user's access and answer C provides high-speed switching across the backbone, making them incorrect answers. Answer D is not
part of the three-layer hierarchy.

Question 3
Which Enterprise Composite Network Model component terminates VPN connections and provides firewall functions?
A. Enterprise Campus
B. Service Provider Edge
C. Distribution
D. Enterprise Edge


Answer D is correct. The Enterprise Edge terminates VPNs and provides
firewall functions. It connects to the remote sites via the Service Provider
Edge, making answer B incorrect. The Enterprise Campus is the backbone
of your campus, making answer A incorrect. Answer C is not part of the
Enterprise Composite Network Model.

Question 4
When terminating a user's Ethernet connection to a punch-down block, you
should not exceed ______ meters in the cable length.
A. 5
B. 10
C. 20
D. 90

Answer A is correct. You should not exceed 5 meters from the user's Ethernet
desktop connection to the punch-down block or outlet. You should not
exceed 90 meters from the punch-down block to the wiring closet's patch
panel, making answer D incorrect. In any situation, the total distance should
not exceed 100 meters. Answers B and C don't have anything to do with the
recommended distance limitations.

Question 5
In small campus networks, Cisco recommends the ________ switch at the
Campus Core.
A. 1900
B. 2950
C. 3550
D. 4006

Answer C is correct. Cisco recommends using the Catalyst 3550 for the
Campus Core of small campus networks. The 1900 is EOL, making answer
A incorrect. Answer B is used at the Building Access for small campus networks. Answer D is used in medium and large campus networks.


Question 6
What operating system mode is used to provide only Layer 2 functions on a
Catalyst switch?
A. Hybrid
B. Native
C. CatOS
D. Layer-2 OS

Answer C is correct. The CatOS is used by the Supervisor Engine to provide
Layer 2 processing. Native mode (IOS) handles both Layer 2 and Layer 3,
making answer B incorrect. Hybrid mode is used to provide Layer 3 processing for Layer 3 cards in a Catalyst with a Supervisor Engine using
CatOS, making answer A incorrect. Answer D is a nonexistent mode.

Question 7
What CatOS command is used to make configuration changes from
Configuration mode?
A. set
B. configure terminal
C. update
D. None of these answers

Answer D is correct. The CatOS doesn't have a Configuration mode, but
instead uses set commands in Privilege EXEC mode to make changes, making answer A incorrect. Answer B is used on IOS switches to access
Configuration mode. Answer C is a nonexistent command.

Question 8
Enter the switch configuration to restrict telnet access to the switch, allowing
traffic only from 192.168.1.0/24. Also allow login access for telnets and assign
a password of cisco: ________________________.

Use this configuration:

Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password cisco
Switch(config-line)# access-class 1 in


Question 9
________ management affects the backplane of the switch.
A. Out-of-band
B. Network-band
C. Center-band
D. In-band

Answer D is correct. In-band management traffic travels across the backplane of the switch. Answer A is via the console port and doesn't traverse the
backplane of the switch, making it an incorrect answer. Answers B and C are
not types of management access.

Question 10
Which of the following is false concerning the Switch Fabric Module?
A. 256Gbps backplane capacity
B. Goes into slots 1 and 2 of the 6500 Catalyst switch
C. 30Mpps forwarding rate with CEF
D. Supports up to two SFMs for redundancy

Answer B is correct. The SFM goes into slot 7 or 8 of a Catalyst 6513 and
slot 5 or 6 of other 6500 switches. Answers A, C, and D are true, and therefore incorrect answers.

Need to Know More?

For more information about AVVID, visit http://www.cisco.com/en/US/netsol/netwarch/ns19/net_solution_home.html

For more information about the Enterprise Composite Network Model, visit http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8b6.shtml

For more information about Cisco Catalyst switches, including their configuration, visit http://www.cisco.com/en/US/products/hw/switches/index.html

3
VLANs, Trunks, and VTP

Terms you'll need to understand:

Virtual LAN (VLAN)
Static and dynamic VLANs
Local and end-to-end VLANs
VLAN Membership Policy Server (VMPS)
InterSwitch Link (ISL)
IEEE 802.1Q and 802.1Q tunneling
Native VLAN
Dynamic Trunk Protocol (DTP)
VLAN Trunk Protocol (VTP)
VLAN Pruning

Techniques you'll need to master:

Understanding the advantages of VLANs
Comparing dynamic and static VLANs
Configuring static VLANs and associating ports to them
Troubleshooting VLAN configurations
Comparing IEEE 802.1Q and ISL trunking protocols
Tunneling 802.1Q VLAN information in a Metro network
Knowing the DTP modes and when a trunk is formed
Configuring and troubleshooting trunks and pruning
Understanding the three different VTP modes
Comparing VTP versions 1 and 2
Configuring and troubleshooting VTP


There are many definitions for a virtual LAN (or VLAN, for short). A VLAN
can be described as a grouping of ports on a switch or a grouping of ports on
different switches. It can also be characterized as a group of related users in
a data network or as a group of users at the same geographic location (which
is the most common). In the simplest terms, a VLAN is a broadcast domain.
In a bridged network, all devices are in the same broadcast domain. One of
the problems of using bridges for LAN segmentation is that they solve bandwidth problems, but not broadcast problems. Switches, even though they act
like bridges, have some additional features that make them more robust in
solving your networking problems.
The remainder of this chapter focuses on three areas: VLANs, trunking, and
the VLAN Trunk Protocol (VTP). All three of these areas play an integral
part in the setup of VLANs in your network.

Virtual LANs
Virtual LANs (VLANs) give an administrator the ability to break up a
switched Layer 2 network into multiple broadcast domains. The advantage
of this approach is that it can be done using switches that cost less than traditional routers. However, each broadcast domain is typically considered to
be a separate subnet. To go between subnets, a Layer 3 component, such as a
router, is still required.
VLANs can be based on the port identifier of a switch, on an end station's
MAC address or Layer 3 address, or on directory or application information.
They also can be implemented in many different ways, depending on the
media topology (Ethernet, FDDI, or ATM) that's deployed.

Advantages of VLANs
One of the main reasons that network administrators buy switches is to help
control bandwidth problems by creating multiple collision or bandwidth
domains, but they can also help contain broadcasts by implementing
VLANs. However, VLANs offer a network administrator many more advantages
than just these. Here are some examples:
They ease adding, moving, or changing users in a network, thereby
reducing personnel costs.
They enhance network security via logical segmentation of users and
groups.
They allow multiple parallel paths in a switched network for load
balancing, unlike bridges and the Spanning Tree Protocol.
They isolate problems within a small part of the intranet.
They remove the physical boundaries of a network, thus enabling users
and servers to be located anywhere.
They allow for the deployment of applications across different media
topologies, such as Ethernet, FDDI, and ATM.
They increase performance by limiting the scope of broadcast traffic.

Containment of Broadcasts
Broadcasts are a normal occurrence in LAN-based protocols such as IP, IPX,
and AppleTalk. In many cases, these broadcasts help users to find and use
services. Many applications also use multicasts to disseminate information,
which include LAN-based TV, video conferencing, routing protocols such as
OSPF and Cisco's Enhanced IGRP, and even the bridges' and switches'
Spanning Tree Protocol. Faulty network cards, Spanning Tree Protocol
problems, or an incorrect application or desktop configuration could cause a
flood of broadcasts or multicasts in a network. When switches see broadcasts
and multicasts, they treat them as unknown destinations and flood the frames
out all of their ports. Too many broadcasts, even from a single PC, can seriously slow a network's performance, if not bring it down completely.
From the user's perspective, the use of broadcasts makes their lives easier.
However, from the network administrator's perspective, broadcasts use up
bandwidth and affect every user's desktop in the switched network. Some
mechanism is needed to rein in the propagation of broadcasts.
Routers were traditionally used to solve broadcast problems in data networks. Unfortunately, the use of routers on a port-by-port basis is a very
expensive solution for performing this barrier function. When switches were
first developed, they were essentially bridges with many ports. All ports were
in the same broadcast domain, just like a bridge. This is sometimes referred
to as a flat network.

Broadcasts and VLANs

VLANs are created by logically segmenting a network into separate broadcast
domains. When you create VLANs, frames created by a member of one
VLAN are switched only among ports that are designated as belonging to
the same virtual LAN, which results in a more efficient use of bandwidth. In
addition, instead of broadcast traffic propagating throughout the physical
infrastructure, such traffic is restricted to the broadcast domain that represents the VLAN.
The advantage of this approach is that if a machine goes bonkers with
broadcasts, it affects only the other machines in the same VLAN, not computers in other VLANs. VLANs allow for the extension of a broadcast barrier from the router. VLANs basically create the traditional illusion that
users are off of different ports of a router, but in reality, the users are part of
the same switched fabric. Because of this, routers are still required to connect the VLANs together. Each VLAN, as mentioned earlier, is typically a
unique subnet; to go from one subnet to another, a router is required.
Therefore, routers still perform their traditional role of containing broadcasts, but the quantity of ports is greatly reduced because of the use of
switches.
Because of this huge advantage, VLANs should not be employed across an
intranet, but should rather be terminated within an access layer or building
access. In other words, broadcasts that occur in one building's access layer should
not be propagated across the core or backbone of the network.

VLAN Implementations
Because broadcasts can be generated in all kinds of network operating systems and applications, you have a lot of flexibility in creating VLANs and
assigning people and computers to them. You can base VLANs on the
following items:
The Layer 3 protocols currently being used in the network
The groups, departments, or divisions in a company
The specific security needs of certain resources
The applications being used in the network

End-to-End VLANs
One of the unique properties of VLANs is that they can span multiple
switches. The physical boundaries of where people and resources are located are removed. In Figure 3.1, a switched network has three VLANs spread
across three switches: Accounting, Information Services, and Marketing.

Figure 3.1 A physical view of computers and a logical representation of VLANs.
(Figure labels: Accounting VLAN, Information Services VLAN, Marketing VLAN.)

Note that all the servers are located off of one switch. In traditional networks, resources such as local file servers would usually be located in the
same place as the users. Spreading the resources like this makes their management much harder and security harder still. Using VLANs, an administrator can create the illusion that the file server is on the same segment as the
users that access it, even though the file server could be on a completely different floor in a completely different building. Figure 3.2 gives a detailed
view of both a physical and logical representation of this concept.
End-to-end VLANs have the following characteristics:
Users are grouped into a VLAN based on function, not location.
The user belongs to the same VLAN no matter where she plugs her PC
into the network (this requires Cisco's VMPS, which is discussed later in
this chapter).
End-to-end VLANs are typically used for security reasons or for
application or resource requirements.
End-to-end VLANs are difficult to implement and troubleshoot.

Figure 3.2 A physical representation of VLANs.
(Figure labels: Physical View and Logical View; Switch 1 with the Accounting VLAN, Switch 2 with the Marketing VLAN, Switch 3 with the Information Services VLAN.)

Local VLANs
The problem with end-to-end VLANs is that they become extremely difficult to maintain as the campus network grows and changes. Because of this,
most network administrators of campus environments use local VLANs.
Unlike end-to-end VLANs, local VLANs are very easy to plan and implement. Local VLANs are based on geographic locations by demarcation at a
hierarchical boundary (core, distribution, access). Therefore, a local VLAN
would never span from an access layer to a core block. Because VLANs are
created based on geographic or physical boundaries, it's not uncommon to
see much of the traffic leaving the broadcast domain to access a resource.
There are two generic rules when dealing with traffic flow: 80/20 and 20/80.
The 80/20 rule assumes that 80% of the traffic stays local to a VLAN and
20% leaves a VLAN through a Layer 3 device. Local VLANs assume this
premise. Note that with this implementation, VLANs are solely used to solve
broadcast problems.


With the 20/80 rule, 20% of the traffic stays within the VLAN and 80%
leaves it. In this situation, a burden is placed on the Layer 3 device that is
used to interconnect VLANs. Although they do introduce a latency issue
because of the access of resources outside of the VLAN, this can easily be
solved with multilayer switching, which is discussed in Chapter 6,
Multilayer Switching.

VLAN Assignment
There are two methods that you can use to associate users to VLANs:
dynamic and static. The following two sections compare and contrast the
two methods.

Dynamic VLANs
Dynamic VLANs require you to assign a user to a VLAN, and switches
dynamically use this information to configure the port on the switch automatically. Dynamic VLANs can be based on the following items:
The MAC addresses of workstations
The Layer 3 addresses (such as IP addresses)
The protocol type (such as IP or IPX)
Directory information stored in Novell's NDS or Microsoft's Active
Directory
The advantage of using dynamic VLANs is that network technicians don't
have to worry about making any changes on a switch when they move a user
from one location to another, which is advantageous when end-to-end
VLANs are deployed. Cisco currently allows you to use CiscoWorks 2000 to
implement dynamic VLANs based on MAC addresses.
A VLAN Membership Policy Server (VMPS) associates MAC addresses to
VLANs. When a user connects to a switch and the switch sees the user's
MAC address, the switch sends the user's MAC address to the VMPS server.
The server responds with the user's VLAN and the switch associates this
VLAN with the user's interface.
Problems with MAC-based dynamic VLANs include PC NICs failing, PCs
being upgraded, and new PCs continually being added to the network.
Managing these MAC addresses soon becomes a headache in a large-scale
switched network.


Therefore, most administrators choose to base VLAN membership on directory information. Out of all these mechanisms for implementing dynamic
VLANs, the use of directory information is the most flexible and the easiest
to maintain. The only time you would have to make changes to the VLAN
database is when a user is hired, fired, or changes departments. Many vendors, including Cisco, are developing directory-based dynamic VLANs. The
remainder of this chapter and book focus on static VLANs and their
configuration.
Dynamic VLANs use a VMPS to assign VLAN information to a switch, which is then
associated with a user's port. This enables users to be located anywhere in the network and still be assigned to the correct VLAN. Membership is typically based on a
device's MAC address.

Static VLANs
Cisco's initial implementation of VLANs was based on the port that a user
was assigned to. This is sometimes referred to as port-based membership. Using
this initial implementation, you would configure every port on a switch to
reflect the appropriate VLAN for the users. This could easily be done either
via a command-line interface or an SNMP-based product using a graphical
interface. Anytime a user moved his workstation to a different area, you would
have to reconfigure only the port to which the user attaches.
Static VLANs are normally used in local VLAN implementations, where the
problem of containing broadcasts is more important than placing specific
users in certain VLANs. Use static VLANs when any of the following criteria apply to your situation:
You have tight control over the moving of users and resources in the
campus
You do not want the hassles of maintaining the large tables required of
dynamic VLANs
You have a management package that easily maintains VLANs in your
campus
Static VLANs are manually configured: You specify which interface belongs to which
VLAN. This configuration is typically used in a more stable or static environment.
Configuring static VLANs is a very simple process.


Creating and Deleting VLANs


Creating VLANs on your switch is a very simple process. There are two
methods for creating VLANs on Cisco IOS switches: from Privilege EXEC
mode and Configuration mode. The old way, shown here, is done from
Privilege EXEC mode:
Switch# vlan database
Switch(vlan)# [no] vlan vlan_number [name vlan_name]

The newer method for configuring VLANs is shown here:
Switch(config)# [no] vlan vlan_number [name vlan_name]

As you can see, the newer method is done from within Configuration mode.
To delete a VLAN, just preface the vlan command with the no parameter.
Cisco recommends that you perform all your VLAN configurations using the newer
method; that is, from Configuration mode.

Use the vlan command to create your VLANs. This can be done from Privilege EXEC
mode within the vlan database or from Configuration mode.

Associating Ports to VLANs


After you've created your VLANs, you can associate your switch's ports to
your VLAN with the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan VLAN_#

When you've entered the interface, use the switchport mode access command to
specify that this interface is associated with a single VLAN. The switchport
access vlan command associates a VLAN to this particular interface.
Depending on the model, there is at least one pre-configured VLAN on your switch:
VLAN 1. By default, all ports are associated with VLAN 1.

Use the switchport mode access command to define an interface as an access link
and the switchport access vlan command to associate an interface with a VLAN.


Verifying Your Configuration


After you've created your VLANs and placed interfaces in them, you can use
various show commands to verify your VLAN configuration. To view your
configured VLANs, use the show vlan command:
Switch# show vlan [id VLAN_# | name VLAN_name]

Without any of the optional parameters, all VLANs are listed. You can
optionally specify a VLAN number or name to examine a specific VLAN.
Here's an example of the use of this command:
Switch# show vlan
VLAN Name                             Status    Mod/Ports
---- -------------------------------- --------- ------------------
1    default                          active    fa0/3-24
10   VLAN0010                         active    fa0/1-2
20   VLAN0020                         active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- ------ ------
1    enet  100001     1500  -      -      -        -    0      0
10   enet  100010     1500  -      -      -        -    0      0
20   enet  100020     1500  -      -      -        -    0      0

Remote SPAN VLANs
------------------------------------------------------------------

Primary Secondary Type            Ports
------- --------- --------------- -----------------------------

To see an interface's configuration, use the show running-config interface
command:
Switch# show running-config interface fastethernet 0/1
Building configuration...
!
Current configuration: 33 bytes
interface FastEthernet 0/1
switchport access vlan 10
switchport mode access
end

To see switch port information, use the show interfaces command with the
switchport parameter:
Switch# show interfaces type slot_#/port_# switchport

Here's an example:
Switch# show interface fastethernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100

To see which MAC addresses are associated with which interfaces, as well as
which VLAN the interface is associated with, you can use the show mac-address-table command, which displays the port address or CAM (content addressable memory) table:
Switch# show mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0008.7422.1234    DYNAMIC     Fa0/1

As you can see in this example, there is one MAC address in the table off of
interface fa0/1, which is associated with VLAN 1.

Troubleshooting VLAN Problems


If you're experiencing connectivity problems in a VLAN environment, you
should perform the following troubleshooting steps:
1. Do you have a physical and data link layer connection? Check the
status of the interface with the show interfaces command. Use CDP
to check connectivity. Check the duplexing of the connection (auto
negotiation is a common problem with the negotiation of the duplexing mode).
2. Is your router and switch configuration correct? Verify that you've
configured your routing protocol and your router's interface. If you're
trunking between the router and the switch, verify this configuration.
3. Have you set up your VLAN configuration correctly? Check to make
sure that the appropriate interfaces are associated with the correct
VLANs.
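The script below is an added example (it is not from the book and is not a Cisco tool) that automates the verification part of these steps: it parses the field/value output of show interfaces switchport in the format shown earlier in this section and lists, per interface, the VLAN and trunk settings a reviewer would revisit. These are ports left in the default VLAN 1, trunks that still negotiate with DTP, trunks whose native VLAN is VLAN 1 or that carry all VLANs, and ports whose administrative and operational modes disagree (a trunk that never formed). The interface names and values in SAMPLE_SWITCHPORT are constructed for the example; the field names are the ones the command prints.

```python
"""Audit 'show interfaces ... switchport' output for VLAN and trunk settings.

Added example (not from the book): it parses the field/value format shown in
the chapter and reports the settings a reviewer would revisit. The sample
output below is constructed; interface names and values are invented.
"""

SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Name: Fa0/2
Switchport: Enabled
Administrative mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Name: Fa0/3
Switchport: Enabled
Administrative mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
"""


def parse_switchport(text):
    """Return {interface_name: {field: value}} from 'show interfaces switchport' text."""
    ports = {}
    fields = None
    for line in text.splitlines():
        if ":" not in line:
            continue                      # blank lines and separators
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Name":                 # each interface block starts with Name:
            fields = {}
            ports[value] = fields
        elif fields is not None:
            fields[key] = value
    return ports


def vlan_number(value):
    """'1 (default)' -> 1, '10 (VLAN0010)' -> 10."""
    return int(value.split()[0])


def audit_port(name, fields):
    """List the settings on one interface that deserve a second look."""
    findings = []
    admin = fields.get("Administrative mode", "")
    oper = fields.get("Operational Mode", "")
    if admin == "trunk" and oper != "trunk":
        findings.append(f"{name}: configured as a trunk but not operating as one")
    if oper == "trunk":
        if fields.get("Negotiation of Trunking") == "On":
            # A manually configured trunk still sends DTP; 'switchport nonegotiate' turns it off.
            findings.append(f"{name}: trunk still negotiating with DTP")
        if vlan_number(fields.get("Trunking Native Mode VLAN", "0")) == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1")
        if fields.get("Trunking VLANs Enabled") == "ALL":
            findings.append(f"{name}: trunk carries all VLANs; consider restricting the allowed list")
    else:
        if vlan_number(fields.get("Access Mode VLAN", "0")) == 1:
            findings.append(f"{name}: access port left in the default VLAN 1")
        if admin.startswith("dynamic"):
            findings.append(f"{name}: '{admin}' mode lets this port negotiate into a trunk")
    return findings


def audit(text):
    """Run audit_port over every interface in the output."""
    return {name: audit_port(name, fields) for name, fields in parse_switchport(text).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_SWITCHPORT).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feed it the saved output of the command for every interface and read the findings alongside step 3: Fa0/2 in the sample comes back clean, while the negotiating trunk on Fa0/1 and the dynamic port still sitting in VLAN 1 on Fa0/3 are exactly the things a VLAN mismatch usually traces back to.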


Trunks
The previous sections discussed interfaces that belong to only one VLAN.
These are sometimes referred to as access links and are completely transparent to the users. The users have no knowledge of the existence of the VLAN.
However, to maintain VLAN information, the originating frame from a user
must contain VLAN information that the switch fabric can use to forward
the frame.

Frame Tagging
As a frame enters the switch fabric, it's encapsulated or tagged with some
additional information that identifies VLAN properties for the frame as it is
switched through the switch fabric. This includes the VLAN ID or number,
sometimes referred to as the VLAN color. This additional information
remains on the frame as it's forwarded across the switched backbone from
switch to switch.
A trunk link is a connection between two trunk-capable devices. These devices
could be two switches, a switch and a router, or even a switch and an end station. Trunking essentially extends the backplane of the switch. Normally, only
traffic from one VLAN can be associated with a port. The exception to this is
a trunk port. A trunk port allows multiple VLANs to cross it to a neighboring
device, unlike an access link. Trunking is performed by encapsulating or tagging frames in hardware by the ASICs on each port. Encapsulating or tagging
adds information, such as the VLAN number, to help in the forwarding of the
frame by other switches. By default, trunk links carry all VLAN traffic, but
you can restrict which VLANs can traverse a trunk.
The additional VLAN information remains on the frame until it reaches its
destination port, where it is then stripped off. This whole process occurs at
Layer 2 and is completely transparent to the user. At both the source and
destination, the users see the original frame, but as the frame is forwarded
between switches, the additional VLAN information is also seen.
Unlike an access (user) port that does not understand the frame encapsulating or tagging added by a switch, a trunk port expects that the device at the
other end of the connection does understand the frame tagging. Standard
Ethernet cards do not understand the additional VLAN information that's
been added to or inserted into a frame. When carrying information from
many VLANs between switches, you need this type of link. The destination
switch somehow needs to know what VLAN the frame originated from so
that it does not forward the frame out incorrect ports. You would not want a
broadcast from one VLAN to be propagated to other VLANs. In certain

cases, as shown in Figure 3.3, it even makes sense to buy a special card that
does understand the tagging for an end station.

Figure 3.3 Tagging can be done between trunk-capable NICs, including switches, routers, and
file servers.
(Figure labels: VLAN 1, VLAN 2, and VLAN 3 on each side; trunk links carrying VLANs 1-3; EMAIL Server.)

In a switched network, many clients from different VLANs might access an
enterprise resource, such as an email server. By having only a standard
Ethernet NIC, the file server can belong to one, and only one, VLAN.
Clients that belong to a different VLAN would have to send their traffic to a
router, and the router could then forward the frames to the email server. The
problem with this approach is the latency that the router introduces. In the
case of email, users will not notice this latency. But with a client/server, database, or voice or video application, users might notice the latency. For this
reason, it would be nice to place a special NIC card in the file server that actually understands multiple VLANs; in essence, to make it a trunk connection.
With this special NIC, an end station would not have to send its frame to the
router first, but could bypass it completely to access the file server.
Likewise, it makes sense to have a special NIC like this in a router. Without
this card, a router would need a separate interface for each VLAN that exists
in the switched network to route between the VLANs. With a trunk NIC
interface, a router would only need one interface, thus greatly reducing the
cost requirements of the router. You could also implement Multilayer
switching to solve your Layer 3 latency problems.


Protocols
One important aspect of VLANs is for the switch fabric to carry the VLAN
information across different media topologies, such as Ethernet, token ring,
FDDI, and ATM. Here are the four VLAN tagging mechanisms supported
by Cisco:
Cisco's proprietary InterSwitch Link (ISL): Ethernet and token ring
support
IEEE's 802.1Q: Ethernet and token ring support
Cisco's extension to 802.10: FDDI support
ATM Forum's LAN Emulation (LANE): ATM support

Please note that not all Cisco devices support all the preceding trunking protocols. For example, Cisco's Catalyst 1900 switches support only ISL, the
Catalyst 2950s support only 802.1Q, and the discontinued Catalyst 5000s
supported all four. With FDDI, the Security Association Identifier (SAID) is
used to carry VLAN information across an FDDI backbone. This book focuses on Cisco's ISL and IEEE's 802.1Q trunking protocols.

ISL
ISL is a Cisco-proprietary technology for trunking VLANs at Layer 2.
Unlike normal Ethernet NICs, ISL cards cost more because specialized
ASICs and processors are included to support the framing encapsulation at
gigabit speeds. ISL adds a 26-byte header and a 4-byte trailer (which is a
CRC) to the original Ethernet frame, for a total of 30 bytes. Figure 3.4 shows
a picture of an ISL frame.
Figure 3.4 ISL frame format.
(Figure labels: ISL Frame consisting of an ISL Header with the fields DA, Type, User, SA, Length, AAAA03, HSA, VLAN, BPDU, Index, and Res, followed by the Encapsulated Ethernet Frame and a CRC.)

Some of the items included in the header are the source and destination MAC
address that are duplicated from the original frame, the type of frame
(Ethernet, FDDI, token ring, or ATM), the priority of the frame, the length
of the frame (not including the CRC), and the VLAN number (located in the
VLAN ID field). The BPDU field is a one-bit descriptor that signifies that the
encapsulated frame is either a Spanning Tree Protocol (STP) Bridge
Protocol Data Unit (BPDU) or Cisco Discovery Protocol (CDP) information,
or is a normal Ethernet frame. There are two Frame Check Sequence
(CRC) fields in an encapsulated frame: one for the original Ethernet frame
and one for the ISL header and encapsulated Ethernet frame.
ISL requires a special Ethernet NIC that not only understands the VLAN
information in ISL frames but also allows the NIC to add VLAN information to frames. Some Cisco routers support ISL, some Cisco switches support ISL, and third-party companies, such as Intel, produce ISL NICs. From
an end station's perspective with an ISL NIC, the software driver that's
loaded on the machine creates the illusion that there are many logical cards
connected to different Ethernet segments. The user would configure each
logical card with the appropriate network address that reflects the VLAN to
which the logical card belongs.
When setting up a trunk connection with ISL, both sides must be configured
with the same encapsulation. If one side is set to ISL and the other is set to
a normal Ethernet frame encapsulation, the normal Ethernet NIC won't
understand the VLAN tagging, and will mistake it for a normal Ethernet
frame. The problem that this typically causes is that a normal Ethernet frame
can be up to 1518 bytes in length, and ISL adds 30 bytes. If the MTU is
set to 1500 for the data, plus 18 bytes for the MAC header information and
FCS, adding the 30 bytes of ISL information produces a 1548-byte frame, which exceeds the maximum valid size of an Ethernet frame. A normal Ethernet NIC
would see this kind of frame as a giant and drop it.

802.1Q
Early in the summer of 1998, the IEEE standardized the frame tagging
process for trunking VLANs and produced the 802.1Q standard. One problem with Cisco's ISL frame encapsulation process is that other switching
vendors do not support it. In almost all cases, each vendor implements
VLANs differently, thus making it nearly impossible to use switches from
more than one vendor. Today, companies are no longer restricted to sticking
with just one vendor for their switching purchases. This is especially important with the great flux of changes occurring in today's industry. If a new
switching technology becomes available from a startup company, it becomes
much easier to integrate it into a corporation's existing switched network.

You no longer have to wait months for your preferred switching vendor to
either parallel the new technology or buy rights to it.
Both ISL and 802.1Q add VLAN information to the Ethernet frames explicitly. However, how they perform this process is different. With ISL, a 26-byte
header and a 4-byte trailer are added to the frame; the original frame is not
modified. This process is referred to as encapsulation. With 802.1Q, the actual frame is modified or tagged. To denote VLAN information, a 4-byte Tag
Protocol Identifier (TPID) and a 2-byte Tag Control Information (TCI) are
inserted between existing fields in the Ethernet frame, shown in Figure 3.5.

Figure 3.5 802.1Q frame format.

Because the information is inserted into the original Ethernet frame, the
original frame's CRC is regenerated to accommodate the change. The
advantage of using the 802.1Q tagging process over ISL is that, in an ISL
trunking environment, ISL-aware cards must be used because a frame could
be larger than 1518 bytes, the maximum size of an Ethernet frame. With
802.1Q, the frame size is only increased by 4 bytes and can be forwarded by
a non-802.1Q-aware device.
Because of the tagging information placed into a frame, 802.1Q provides
some advantages over ISL:
- If the MTU is only 1500 bytes (plus the 18 bytes for the MAC header
and trailer), the 4-byte tag inserted into the frame totals 1522 bytes. By
adjusting the MTU to 1496, the 802.1Q frame does not exceed
Ethernet's maximum MTU and therefore can be processed by non-802.1Q devices, such as other switches. Other non-802.1Q switches
process the frame like a normal Ethernet frame. (Remember that switches only need to see the destination MAC address to make a switching
decision as well as check the CRC if the switch is using store-and-forward
switching.)
- 802.1Q supports prioritization, which is processed as the tagged frame is
received on an 802.1Q interface.


Cisco is phasing out ISL: as new switches are developed, only 802.1Q is implemented in them. For example, Cisco's discontinued 1900 supports only ISL, whereas
Cisco's newer switches, such as the 2950 and 3550, support only 802.1Q.

ISL encapsulates, whereas 802.1Q tags. ISL adds a 26-byte header and 4-byte trailer (CRC). 802.1Q inserts a 4-byte field and recomputes the frame's CRC.

Native VLANs
802.1Q trunks support a native VLAN. A native VLAN is one that does not
tag frames. This is different from ISL, where all VLANs that traverse the
trunk carry VLAN information. Actually, a native VLAN has the following
criteria:
- A native VLAN is the VLAN number associated with the interface for
nontagged frames.
- The native VLAN defaults to VLAN 1 on Cisco switches, but can be
configured to any VLAN. It's important to point out that all 802.1Q
devices connected to the same trunk must use the same VLAN number
for the native VLAN.
- 802.1Q tagging devices and non-802.1Q devices can coexist on an
802.1Q trunk.

One advantage that native VLANs provide is that you can have both 802.1Q
and non-802.1Q devices on the same trunk connection, as is shown in Figure
3.6. In this example, assume the native VLAN is 1 and that PC-D and PC-E
are in this VLAN. As you can see from the figure, there is an 802.1Q trunk
between the switches, but a hub is providing connectivity. Plus, PC-E is connected to this hub. For PC-E to send traffic to PC-D, PC-E either needs an
802.1Q NIC or must be placed in the native VLAN. The other PCs, PC-A,
PC-B, and PC-C, are in another VLAN, such as VLAN 2, and can use normal NICs to communicate with each other. The trunk between the two
switches tags frames from these devices with a VLAN 2 identifier.

Figure 3.6 Native VLANs and trunking. (Figure: PC-A, PC-B, PC-C, SwitchA, 802.1Q trunk, hub, SwitchB, PC-D, PC-E.)

A native VLAN is a VLAN on an 802.1Q trunk where the frames for this VLAN are not
tagged. This allows non-802.1Q devices to also be connected to the trunk, but still
allows tagging of frames for other VLANs.

VLAN Ranges and Mappings


ISL supports VLANs numbered from 1 to 1005, where Ethernet-based
VLANs can use numbers from 1 to 1001 to create VLANs. (1002 to 1005 are
reserved for token ring and FDDI functions and cannot be deleted.)
802.1Q, on the other hand, has access to VLAN numbers ranging from
0 to 4095. 0 and 4095 are reserved for system uses, thus enabling you to use
numbers from 1 to 4094 to create Ethernet VLANs.

VLAN Services from Service Providers


Some service providers allow for the tunneling of 802.1Q tagged frames
through their networks. This enables you to use your own private VLAN
numbers in your own networks, but still allow these tagged frames through
the provider's network, which might also be using 802.1Q VLANs.
This provides a huge advantage to service providers based on the number of
customers that they have and the VLANs that these customers use. 4,096
VLANs sounds like a lot of VLANs and is more than sufficient for a single
company, but imagine that you have thousands of companies connected to a
provider's network, perhaps with 10,000 VLANs among all of these companies. Of course, 802.1Q wouldn't be able to handle this when trying to
keep all the VLANs straight among all the customers.
However, 802.1Q supports a tunneling feature that enables you to keep your
own VLAN numbers as they are transferred across someone else's network.
For this process to take place, the original Ethernet frame is tagged twice:
once by your own switch, and again by the provider's switches. Figure 3.7
shows an example of this double tagging.

Figure 3.7 802.1Q Double tagging.

As you can see in this example, the top frame is the original Ethernet frame
and the middle frame is the frame that your switch tagged. The bottom
frame is the one tagged by the service provider. With the second tagging, the
service provider inserts its VLAN tag before your tag and then recomputes a
new FCS value. When the frame exits the service provider's network and is
forwarded to your remote site, the service provider removes its tag and
recomputes the FCS value based on your original tagged frame. Through
this process, your 802.1Q frame can be transmitted transparently through
the service provider's network, based on its own internal VLAN configurations. The second tag that the provider adds is sometimes called a metro tag.
Interestingly, multiple levels of tunneling (tagging) are possible, but Cisco currently
supports only one level on its Catalyst switches.
For nontagged frames that enter a service provider's network from a native VLAN, the
service provider performs its normal tagging process, which is stripped off at the
service provider's exit switch.
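The tagging and double tagging described above, as an added Python example that is not code from the book: it builds an untagged frame, inserts the 4-byte 802.1Q tag (the 2-byte TPID 0x8100 followed by the 2-byte TCI) after the source MAC, recomputes the FCS, then pushes a provider (metro) tag and pops it again as the exit switch would. The MAC addresses, VLAN numbers, and payload are constructed sample values.

```python
"""802.1Q tagging and Q-in-Q (double tagging) worked through at byte level.

Added example, not from the book. The 802.1Q tag is 4 bytes: a 2-byte TPID
(0x8100) followed by a 2-byte TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID).
"""
import struct
import zlib

TPID_8021Q = 0x8100          # EtherType value that marks a tagged frame
MAX_UNTAGGED_FRAME = 1518    # 14-byte header + 1500-byte payload + 4-byte FCS


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame with a valid FCS appended."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes are the correct FCS for the rest of the frame."""
    return fcs(frame[:-4]) == frame[-4:]


def push_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC and recompute the FCS.

    Pushing onto an already-tagged frame gives a double-tagged (Q-in-Q) frame:
    the new tag lands in front of the existing one, which is what the
    provider's switch does when it adds its metro tag.
    """
    if not 1 <= vlan_id <= 4094:                 # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    tci = (priority & 0x7) << 13 | vlan_id       # PCP(3) | DEI(1)=0 | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]       # drop the old FCS, insert the tag
    return body + fcs(body)


def pop_tag(frame: bytes) -> tuple[int, bytes]:
    """Remove the outermost tag; return (vlan_id, frame with the FCS recomputed)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("outermost frame is not 802.1Q tagged")
    body = frame[:12] + frame[16:-4]
    return tci & 0x0FFF, body + fcs(body)


def vlan_stack(frame: bytes) -> list[int]:
    """All VLAN IDs from outermost to innermost (empty list if untagged)."""
    ids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        ids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return ids


def demo() -> dict:
    """Customer tag, provider metro tag, then the provider strips its tag again."""
    # constructed sample frame with a full 1500-byte payload (largest untagged frame)
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    original = build_frame(dst, src, 0x0800, b"\x00" * 1500)
    customer = push_tag(original, 2)               # your switch tags with VLAN 2
    metro = push_tag(customer, 300, priority=5)    # provider adds its metro tag
    vid, at_remote_site = pop_tag(metro)           # provider's exit switch strips it
    return {
        "untagged_len": len(original),             # 1518
        "tagged_len": len(customer),               # 1522: 4 bytes over the untagged max
        "double_tagged_len": len(metro),           # 1526
        "stack": vlan_stack(metro),                # [300, 2]: provider tag first
        "provider_vid": vid,
        "restored_identically": at_remote_site == customer,
        "all_fcs_ok": all(fcs_ok(f) for f in (original, customer, metro)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```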


When using tunneling, BPDUs from your internal switches, CDP information, and VTP information can be tunneled through a carrier's network to
your remote switch or switches, enabling you to treat the service provider's
network as transparent (invisible). If your provider doesn't support tunneling, the provider either processes or drops this information, and forwards
only user traffic. 802.1Q tunneling is discussed in more depth in Chapter 11,
"Metro Ethernet."
An alternative solution is the use of the Generic Bridge PDU Tunneling
(GBPT) protocol. GBPT allows the service provider switch to change the
original destination multicast address in the frame to a Cisco-proprietary
one: 0100.0ccd.cdd0. This is then forwarded out all trunk connections in the
native VLAN. One restriction of this feature is that when you enable GBPT
on a port, frames from other enabled protocols are not sent out of the port.
Service providers use 802.1Q tunneling to tunnel tagged VLAN information across a
carrier's backbone. This allows the carrier to connect to thousands of sites with different VLAN configurations and to treat them transparently.

Dynamic Trunk Protocol


Trunking negotiation is the process that takes place to determine whether
two connecting devices can create a trunk connection. Dynamic ISL (DISL)
was Cisco's old protocol that performed this (that is, it verified whether two
connected ports could form a trunk). One large limitation of DISL was that
it could perform the dynamic trunking negotiation only for ISL links; you
had to manually configure 802.1Q trunks. DISL has been replaced by Cisco's
proprietary Dynamic Trunking Protocol (DTP).
DTP, like DISL, is a protocol that auto-negotiates whether trunking can be
performed on the connection. Unlike DISL, DTP supports auto-negotiation
of ISL and 802.1Q on trunk links. If two opposite ports use different encapsulation types, such as ISL and 802.1Q, they will not form a trunk: Both sides
must use the same encapsulation.
DTP supports five different trunking modes, as shown in Table 3.1. In this
table, the DTP modes are the ones used with the switchport mode command,
discussed later in this chapter. The Generate DTP Frames column indicates
whether the DTP mode generates DTP frames on the interface (only trunk
and dynamic desirable do this by default). The Trunking column indicates
whether or not the interface is trunking (by default, only trunk and nonegotiate
enable trunking). nonegotiate should be used on trunk connections where the
remote device doesn't understand Cisco's proprietary DTP. The default
trunking mode is dynamic auto, which means that the configuration of the
remote interface determines whether the interface becomes a trunk or
remains an access link connection.
Table 3.1 DTP Modes and Trunking Information

DTP Mode           Generate DTP Frames?  Trunking?  Explanation
Trunk              Yes                   Yes        Forces the interface to trunk. Even if the other side cannot become a trunk port, this port will always be considered a trunk and generate DTP frames.
Access             No                    No         Forces the interface not to trunk; it is an access link connection.
Dynamic Desirable  Yes                   No         The port attempts to become a trunk port and, using DTP, becomes a trunk if the other side is set to trunk, dynamic desirable, or dynamic auto.
Dynamic Auto       No                    No         The port becomes a trunk if the other side initiates trunking with DTP. This is the default mode.
Nonegotiate        No                    Yes        The port becomes a trunk, just the same as with the trunk parameter, but it does not generate DTP frames between the two devices. This should be used when connected to a non-Cisco device.

Table 3.2 shows the combinations of modes that cause trunking to occur. Any
other combination of modes causes the interface to act as an access link
connection.
Table 3.2 When Trunks Are Formed

Side A Mode        Side B Mode(s)
Trunk              Trunk, Dynamic Desirable, Dynamic Auto
Dynamic Desirable  Trunk, Dynamic Desirable, Dynamic Auto
Nonegotiate        Nonegotiate

Know the DTP modes required on both switches in order to form a trunk, as shown
in Table 3.2.


Configuring ISL and 802.1Q Trunks


Setting up an ISL or 802.1Q trunk is very straightforward, as shown here in
Listing 3.1.
Listing 3.1 Trunk Configuration
Switch(config)# interface type slot_#/port_#
Switch(config-if)# shutdown
Switch(config-if)# switchport trunk encapsulation isl|dot1q
Switch(config-if)# switchport mode trunk|dynamic desirable|
dynamic auto|nonegotiate
Switch(config-if)# switchport trunk native vlan VLAN_#
Switch(config-if)# switchport trunk allowed vlan add|except|all|remove
VLAN_1, VLAN_2, etc.
Switch(config-if)# no shutdown

Even though it isn't necessary to disable an interface when enabling trunking, doing so is recommended. You must first specify either ISL or 802.1Q
as the trunking type with the switchport trunk encapsulation command,
shown in Listing 3.1, and then specify the trunking mode with the switchport
mode trunk command. Refer to Table 3.1 for an explanation of the modes.
The switchport trunk native command is applicable only to 802.1Q trunks
and is optional. This command specifies the native VLAN number for the
trunk. By default, this is VLAN 1.
The switchport trunk allowed command is also an optional command. This
command enables you to manually prune off VLANs from a trunk. By
default, all VLANs are allowed to traverse a trunk. This is discussed in more
depth in the "VTP Pruning" section later in this chapter.
Use the switchport trunk encapsulation command to specify ISL or 802.1Q trunking. Use the switchport mode command to set the trunk. Remember the five modes:
trunk, dynamic desirable, dynamic auto, nonegotiate, and access. Use the switchport
trunk allowed vlan command to restrict VLANs on a trunk. Don't be surprised to see
a simulation question on this.

Verifying Your Trunk Configuration


There are three commands you can use to verify your trunking configuration:
- show running-config interface type slot_#/port_#
- show interfaces type slot_#/port_# switchport
- show interfaces type slot_#/port_# trunk

Let's take a look at the output of all three of these commands. Listing 3.2
shows an example of the first one.

Listing 3.2 show running-config interface Example
Switch# show running-config interface fastethernet 0/1
Building configuration...
!
Current configuration: 33 bytes
interface FastEthernet 0/1
switchport mode dynamic desirable
switchport trunk encapsulation dot1q
end

This listing displays the trunking configuration of FastEthernet 0/1.
Listing 3.3 shows an example of the show interfaces command with the
switchport parameter.

Listing 3.3 show interface switchport Example


Switch# show interface fastethernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,2
Pruning VLANs Enabled: 2-1001
<--output omitted-->

This listing shows the switchport configuration of a specified interface. In
this example, Fa0/1 is trunking with 802.1Q and the trunk mode is set to
dynamic desirable.
Listing 3.4 shows an example of using the trunk parameter.
Listing 3.4 show interface trunk Example
2950# show interface fastethernet 0/1 trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/1     desirable    802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/1     1-1005

Port      Vlans allowed and active in management domain
Fa0/1     1-2,1002-1005

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/1     1-2,1002-1005

The listing shows that one interface was set to a desirable DTP mode and
formed a trunk with the remote device.


Troubleshooting Trunk Connections


If you're experiencing problems in setting up a trunk or having problems
with an active trunk, examine the following pointers:
- Verify that the speed and duplexing configuration on both sides are correct
and that you're using the correct cable type (crossover versus straight).
- Make sure that the trunking type (ISL or 802.1Q) is the same on both
sides and that the DTP modes are acceptable to forming a trunk.
- For 802.1Q trunks, check that the native VLAN is the same on both sides.

VLAN Trunk Protocol


VLAN Trunk Protocol (VTP) is a Cisco-proprietary messaging protocol
that occurs between devices on trunk ports. It allows VLAN information to
be propagated across your switched network, providing a consistent VLAN
configuration in your network. This process makes it easy to add, change,
and delete VLANs as well as to add new devices to the network because your
VLAN information is automatically propagated by switches that understand
VTP on their trunk ports. This removes any possibility of inconsistencies
between VLAN configurations that might result in security violations or
errors. These problems can occur when VLANs become cross-connected as
duplicate VLAN names are configured or when VLANs become internally
disconnected because they're incorrectly mapped between different LAN
media types.
Only VLAN configuration information is shared via VTP; port information, such as
which port belongs to which VLAN, is not shared.

VTP Advantages
Because many networks have mixed media or are going through a migration
to a new backbone media topology, such as Gigabit Ethernet or ATM, a special protocol is needed to provide compatibility for the implementation of
VLANs within these mixed-media topologies. Many networks today employ
Ethernet to the desktop, utilizing Fast Ethernet as a backbone solution. You
must first set up trunk connections for VTP to take place.
With VTP, a broadcast initiated in a VLAN from an Ethernet segment can
automatically be propagated to a FDDI backbone where servers belonging
to that VLAN or servers performing trunking will also see the broadcast. In
traditional networks, a router would be required to perform this type of connectivity, but in today's switched networks, VTP can be used to integrate
mixed-media topologies, gaining you an increase in performance at a
reduced cost.
Another advantage of VTP is that it does not necessarily require that a new
VLAN be manually added to every switch in the network. By adding a
VLAN to one switch, VTP can propagate this information to every other
switch in the network, thus creating a consistent VLAN implementation. For
very large switched networks with tens or hundreds of switches, this becomes
a very important tool to help you manage your network.
VTP provides a consistent broadcast domain across a mixed-topology network as
well as the dynamic reporting of VLAN changes across your network. VTP information is shared across trunk connections only.

Management Domain
Using VTP requires setting up a management domain. A domain is a grouping of switches that will be sharing information about VLANs in a switched
network. Each domain must have a unique name, and every switch in a single domain must have the same configured domain name. A switch can
belong to only one management domain. However, switches of a management domain will contain the same VLAN information, thus providing a
consistent configuration. By default, a switch doesn't belong to any management domain. You must either configure a management domain or the
switch will learn it from a VTP advertisement on one of its trunks.
Each VTP-capable switch advertises VTP-multicast information periodically on its trunk ports on the factory-default VLAN. This includes information
about the management domain itself, the version of VTP in use, and VLANs
and their configuration. A switch can be configured in one of three different
VTP modes: server, client, and transparent.

VTP Modes
VTP servers and clients maintain all VLANs everywhere within the VTP
domain. A VTP domain defines the boundary of a particular VLAN. Servers
and clients transmit information through trunks to other attached switches
and receive updates from those trunks.


VTP servers are responsible for making all VLAN configurations (adds,
changes, and deletions) and passing this information as a multicast advertisement to all other clients and servers, which then execute the changes.
Server mode is the default for Catalyst switches.
Clients can accept updates only from servers; any changes that you want to
make for a VLAN must be done on a server. Servers maintain their VLAN
information in NVRAM, whereas clients do not. Clients learn VLAN information from a server switch when the client boots up.
Switches set to transparent mode do not participate in a management
domain, but they do take the VTP messages they receive and forward them
on to other switches. Transparent mode switches can create, change, and
delete VLANs, but they do not share this information with other switches.
If a VLAN is added on a server switch, the server generates a multicast
advertisement and forwards it to all other servers and clients in the network.
This information is automatically transmitted on all trunk connections,
including ISL, 802.1Q, 802.10, and LANE. If a transparent switch receives
such a message, it does not update its database but rather forwards the message to other switches out its remaining trunk ports. Table 3.3 summarizes
the three different VTP modes.
Table 3.3 Comparison Between the Three VTP Modes

Mode         Add, Delete, Change VLANs?  Generate VTP Messages?  Process VTP Messages?  Save Config in NVRAM?
Server       Yes                         Yes                     Yes                    Yes
Client       No                          Yes                     Yes                    No
Transparent  Yes                         No                      No                     Yes
Be able to compare the three different VTP modes shown in Table 3.3.

VTP Messages
Switches belonging to the same VTP domain advertise information to each
other on their trunk ports. Servers and clients are responsible for making
sure that the VLANs in a network are consistent throughout the switched
network. When VTP messages are generated, they contain at least the
following information:

- VLAN numbers for ISL and 802.1Q Ethernet VLANs, ELAN names
for ATM LANE, and 802.10 SAID values for FDDI
- VTP domain name
- VTP revision number
- MTU size for the VLAN
- Format of the frame
- Identity of the originator of the message

Three Message Types


There are three VTP message types: summary advertisement, subset advertisement, and request advertisement. Table 3.4 explains the use of the
messages.
Table 3.4 VTP Messages

Message Advertisement  Message Originator  Explanation
Summary                Server              Generated every 300 seconds in the management VLAN (by default, VLAN 1) and used to ensure all switches are in sync
Subset                 Server              Generated in response to a request and contains detailed configuration information about a VLAN
Request                Client              Generated to acquire VLAN information

Processing Messages
If the management domain name in a VTP message does not match that of
the receiving switch, the advertisement is ignored. Advertisements that are
generated by VTP switches contain a revision number. This number helps
receiving switches to determine whether the information contains a change
or is the same as the information it currently has. The VTP message with the
highest revision number is the most current. Whenever you make a VLAN
change on a server switch, the revision number is incremented and then
advertised out all of its trunk interfaces. Care must be taken because if all the
VLANs are deleted on a server switch with the highest revision number, all
the VLANs in the management domain would also be deleted. Remember
that VTP transparent switches do not process messages from server switches. On a transparent switch, the revision number is always 0, and all messages
from server switches are not processed.


VTP also supports password authentication. If passwords are in use, an MD5 hashed value is included in the VTP advertisement. If the hashed values
between the two switches do not match, the message is ignored.

Adding a New Switch to Your Network


When you're adding a new switch to an existing switched network, it's
extremely important that you follow these steps to avoid any VTP propagation problems:
1. Erase the configuration on the switch (don't connect the switch to your
network yet).
2. Set the VTP domain name, change the VTP mode to client, and save
the switch's configuration.
3. Configure your trunk connections.
4. Connect the switch up to your current network.
5. Turn the switch off and back on. Doing so resets the revision number to 0.
6. After your switch has learned its VLAN information from another
switch, you can change its mode to server or transparent, if you
choose, and save your switch's configuration.

If you don't follow the preceding steps, introducing a switch with a higher
revision number than your current server switch or switches causes the new
switch to overwrite the VLANs on your current switches. As an added precaution, it is highly recommended to configure VTP passwords to ensure
that an added rogue switch doesn't wreak havoc with your current VLAN
configuration.
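The revision-number, domain-name, and password checks described above, as an added Python model that is not code from the book: it shows a stale server switch with a higher revision overwriting a domain's VLANs when the passwords match, the same advertisement being ignored when they do not, and a cleanly erased client learning the VLANs as the steps above intend. The switch names, VLANs, and revisions are constructed, and the digest function stands in for VTP's real MD5 calculation rather than reproducing it.

```python
"""Simplified model of VTP advertisement processing (added illustration).

Models how a server, client, or transparent switch treats a summary
advertisement: domain-name check, MD5 digest check when a password is set,
revision comparison, and forwarding. Not the book's code and not a wire-level
implementation; `digest` is a stand-in for VTP's actual MD5 computation.
"""
import hashlib
from dataclasses import dataclass, field


def digest(domain: str, password: str, revision: int, vlans: dict) -> str:
    """Illustrative digest: real VTP hashes the advertisement with the password."""
    material = f"{domain}|{password}|{revision}|{sorted(vlans.items())}"
    return hashlib.md5(material.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict            # VLAN number -> VLAN name
    md5: str


@dataclass
class Switch:
    name: str
    mode: str              # "server", "client" or "transparent"
    domain: str = ""
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> Advertisement:
        """What this switch sends out its trunk ports."""
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             digest(self.domain, self.password, self.revision, self.vlans))

    def add_vlan(self, number: int, name: str) -> None:
        """Servers and transparent switches can add VLANs; only servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot change VLANs")
        self.vlans[number] = name
        if self.mode == "server":
            self.revision += 1   # transparent switches keep revision 0

    def receive(self, adv: Advertisement) -> str:
        """Process one advertisement and report what was done with it."""
        if self.mode == "transparent":
            return "forwarded"                   # passed on, database untouched
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.md5 != digest(adv.domain, self.password, adv.revision, adv.vlans):
            return "ignored: MD5 mismatch"
        if adv.revision <= self.revision:
            return "ignored: not newer"
        self.vlans = dict(adv.vlans)             # higher revision wins, deletions included
        self.revision = adv.revision
        return "updated"


def scenario(rogue_password: str) -> dict:
    """A never-erased server with a high revision is plugged into the production domain."""
    prod_vlans = {1: "default", 10: "users", 20: "servers"}
    prod = [Switch("core", "server", "CORP", "s3cret", revision=5, vlans=dict(prod_vlans)),
            Switch("access1", "client", "CORP", "s3cret", revision=5, vlans=dict(prod_vlans))]
    # constructed: same domain name, revision 42, only a lab VLAN in its database
    rogue = Switch("lab", "server", "CORP", rogue_password, revision=42,
                   vlans={1: "default", 99: "lab"})
    outcomes = {sw.name: sw.receive(rogue.advertise()) for sw in prod}
    return {"outcomes": outcomes, "core_vlans": sorted(prod[0].vlans)}


def clean_client_join() -> dict:
    """The recommended procedure: erased config, client mode, revision 0, then connect."""
    core = Switch("core", "server", "CORP", "s3cret", revision=5,
                  vlans={1: "default", 10: "users", 20: "servers"})
    new = Switch("new", "client", "CORP", "s3cret")      # revision 0, only VLAN 1
    result = new.receive(core.advertise())
    return {"result": result, "new_vlans": sorted(new.vlans), "new_revision": new.revision}


if __name__ == "__main__":
    print("matching password:", scenario("s3cret"))   # production VLANs overwritten
    print("wrong password:   ", scenario("wrong"))    # advertisement ignored
    print("clean client join:", clean_client_join())
```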

VTP Versions
There are two different versions of VTP: 1 and 2. VTP 2 is new as of CatOS
3.1(1), which is quite a while ago. It's important to point out that the two versions are not compatible with each other: All your switches have to run either
version 2 or 1. VTP version 2 has the following additional features that version 1 lacks:
- Consistency checks are performed to make sure that VLAN names and
values match on switches.
- Support for token ring VLANs was added.
- Transparent mode switches forward all VTP messages. Version 1 transparent mode switches only forward messages if the VTP version and
domain name values in the message match its own configured values.
- Servers and clients propagate VTP messages out trunk interfaces even if
they don't understand the contents of the message (and store this in
NVRAM).

Know the differences between the VTP versions 1 and 2, as shown in the preceding
bullets.

If you need any of the features in the previous list, you need to enable VTP
version 2. To enable version 2, you have to enable it on only one server
switch in your network. That switch then propagates this information to all
the other switches in the VTP domain.

VTP Pruning
VTP pruning allows a switch to make more intelligent decisions concerning
the forwarding of multicast, broadcast, and unknown destinations across
trunk ports. VTP pruning is a method of traffic control that reduces unnecessary broadcast, multicast, and flooded unicast packets. This feature
restricts traffic that would normally be flooded out all trunks to only those
trunk links where the connected switches (or other networking devices) also
have ports in the associated VLAN.
Let's take a look at an example to explain the advantages of VTP pruning.
Figure 3.8 shows a network using VLANs and VTP.

Figure 3.8 Pruning example. (Figure: switch 1 with trunks to switch 2, switch 3, and switch 4; only switch 4 has ports in VLAN 40.)
Without VTP pruning, a broadcast generated by a device in VLAN 40
would be propagated across every trunk connection to every switch. Looking
at Figure 3.8, switch 4 would propagate the broadcast across its trunk to
switch 1, which, in turn, would propagate the broadcast across its two trunks
to switch 2 and switch 3. Notice, however, that switch 1, switch 2, and switch
3 do not have any ports in VLAN 40, but because they have trunk ports,
broadcasts, multicasts, and unknown destination traffic for VLAN 40 is still
propagated across these trunks.
VTP pruning solves this problem. Through a dynamic process, the switches
discover with other switches what VLANs they have in common, that is, the
ports assigned to those VLANs. Pruning is the process that removes a VLAN
from a trunk. In Figure 3.8, with pruning enabled, switches 1 and 4 would
prune off VLAN 40 from the trunk. Therefore, when a broadcast occurs in
VLAN 40, it does not affect the bandwidth on the other trunks or switches.
Likewise, it also reduces the size of STP for the VLAN. Note that if, at a
later point in time, switch 2 assigns a port to VLAN 40, the VLAN would be
added back to some of the trunks to create a single broadcast domain. The
pruning process itself takes only a few seconds. In this case, VLAN 40 would
still be pruned from the trunk between switches 1 and 3 because switch 3 still
doesn't have a port assigned in VLAN 40. This whole process relieves you of
having to manually configure trunks to specify which VLANs should be forwarded across them.
VTP pruning is disabled by default in a management domain, and must be
manually enabled. However, you need to enable it on only one server switch
in a configured domain, which will in turn enable it on all other switches in
the domain. One restriction of VTP pruning is that for a switch to take
advantage of it, a switch must be in server mode, which means that in most
cases, all your switches in the domain must be configured in server mode.
If you dont want to use VTP pruning, but to perform the pruning manually, you can manually remove VLANs from a trunk connection with the
switchport trunk allowed vlan command. This command was discussed previously in the Configuring ISL and 802.1Q Trunks section. The problem
with manual pruning is that it doesnt scale well in large networks and is
prone to configuration errors.
VTP pruning enables you to dynamically prune off inactive VLANs from a trunk. Use
the show interface [switchport|trunk] command to troubleshoot pruning problems.
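The following added example (not from the book) models what pruning decides for the Figure 3.8 tree, before and after switch 2 assigns a port to VLAN 40, and renders the manual switchport trunk allowed vlan equivalent for each trunk. Switch names, VLAN numbers and port assignments are constructed; it assumes the converged STP topology is a tree, so each trunk splits the domain into two sides.

```python
"""What VTP pruning decides for the tree in Figure 3.8.

Added example, not from the book: the switch names, VLAN numbers and
port assignments below are constructed to mirror the figure (switch 4 owns
the only VLAN 40 port; switches 1, 2 and 3 have none). A converged STP
topology is a tree, so each trunk splits the domain into two sides.
"""
from collections import defaultdict

# Constructed trunks: undirected links between switches.
TRUNKS = [("sw4", "sw1"), ("sw1", "sw2"), ("sw1", "sw3")]

# Constructed access-port assignments: switch -> VLANs that have at least
# one active access port on that switch. VLAN 1 is present everywhere.
ACTIVE_VLANS = {
    "sw1": {1, 10},
    "sw2": {1, 20},
    "sw3": {1, 30},
    "sw4": {1, 40},
}


def _adjacency(trunks):
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def side_of(trunks, start, exclude):
    """Switches reachable from `start` without using its trunk to
    `exclude`, i.e. everything 'behind' one end of that trunk."""
    adj = _adjacency(trunks)
    seen, stack = set(), [start]
    while stack:
        sw = stack.pop()
        if sw in seen:
            continue
        seen.add(sw)
        for nxt in adj[sw]:
            if not (sw == start and nxt == exclude):
                stack.append(nxt)
    return seen


def vlans_needed(trunks, active, start, exclude):
    """VLANs with an active port somewhere on `start`'s side of the trunk.
    This is what that side asks its neighbor to keep sending (its join)."""
    needed = set()
    for sw in side_of(trunks, start, exclude):
        needed |= active.get(sw, set())
    return needed


def all_vlans(active):
    return set().union(*active.values())


def pruned_vlans(trunks, active):
    """Per trunk, the VLANs pruning removes: a VLAN stays on a trunk only
    when both sides have an active port in it; otherwise flooding it
    across the trunk would reach no interested port. VLAN 1, active on
    every switch here, is therefore never pruned (real VTP also treats
    VLAN 1 as prune-ineligible regardless)."""
    result = {}
    for a, b in trunks:
        carried = (vlans_needed(trunks, active, a, b)
                   & vlans_needed(trunks, active, b, a))
        result[(a, b)] = all_vlans(active) - carried
    return result


def carried_vlans(trunks, active, a, b):
    """VLANs left on the trunk between a and b after pruning."""
    pruned = pruned_vlans(trunks, active)
    key = (a, b) if (a, b) in pruned else (b, a)
    return all_vlans(active) - pruned[key]


def allowed_vlan_arg(vlans):
    """Render a VLAN set as the argument of 'switchport trunk allowed
    vlan', the manual equivalent of pruning: {1, 40} -> '1,40'."""
    return ",".join(str(v) for v in sorted(vlans))


if __name__ == "__main__":
    print("pruned before switch 2 joins VLAN 40:", pruned_vlans(TRUNKS, ACTIVE_VLANS))
    after_active = dict(ACTIVE_VLANS)
    after_active["sw2"] = {1, 20, 40}        # switch 2 assigns a port to VLAN 40
    print("pruned after:", pruned_vlans(TRUNKS, after_active))
    for a, b in TRUNKS:
        allowed = allowed_vlan_arg(carried_vlans(TRUNKS, after_active, a, b))
        print(f"{a} -> {b}: switchport trunk allowed vlan {allowed}")
```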

Configuring VTP Domains

The commands to configure VTP can be entered either from the vlan database, which you reach from Privileged EXEC mode, or from Configuration mode. The commands are the same for either mode. Listing 3.5 shows them entered from the vlan database.

Listing 3.5 VTP Configuration
Switch# vlan database
Switch(vlan)# vtp domain domain_name
Switch(vlan)# vtp password management_password
Switch(vlan)# vtp server|client|transparent
Switch(vlan)# [no] vtp pruning
Switch(vlan)# [no] vtp v2-mode

The last command enables or disables version 2 of VTP. All the other commands are self-explanatory.

Use the vtp command to configure VTP. Know the commands in the preceding code listing, especially the command to specify the VTP mode of the switch. Don't be surprised to see a simulation question on this.

Verifying Your Configuration

To verify the configuration of VTP, execute either the show vtp status or the show vtp counters command. Here's an example of the first command:

Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 68
Number of existing VLANs        : 4
VTP Operating Mode              : Server
VTP Domain Name                 : dealgroup
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xA9 0xD1 0x3B 0xCD 0x32 0x94
Configuration last modified by 192.168.1.2 at 05-23-03 11:52:37

In this example, there have been three configuration changes. The switch is operating in server mode in the dealgroup domain. The following command displays VTP statistics concerning the VTP messages that have been sent and received:

Switch# show vtp counters
VTP statistics:
Summary advertisements received    : 12
Subset advertisements received     : 5
Request advertisements received    : 0
Summary advertisements transmitted : 93
Subset advertisements transmitted  : 8
Request advertisements transmitted : 2
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0
<--output omitted-->

In this example, you can see that the switch has sent and received VTP messages.

Troubleshooting VTP Problems

If you're experiencing problems with the setup of VTP or with messages not being propagated, you should check the following items to fix your VTP problem:

• Back up the vlan.dat and config.txt files on your switch before making any changes.
• Check to ensure that your trunks are configured properly between your switches.
• Verify that the VTP domain name (and password, if configured) match on all switches in the domain.
• Verify the VTP modes of the switches. If you're using the client/server configuration, make sure that no switches are configured in transparent mode.

Know the preceding four bullets for troubleshooting VTP problems.
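As an added example (not from the book), the script below parses show vtp status output captured from several switches and checks the items in the list above: domain name agreement, mode sanity, and whether the switches have actually synchronized (same configuration revision and MD5 digest). The captures, hostnames and the deliberate misconfigurations are constructed in the format shown on the page.

```python
"""Cross-check 'show vtp status' output from several switches against the
troubleshooting items in the chapter (domain name, modes, synchronization).

Added example, not from the book. The captures below are constructed in
the format shown on the page; hostnames, the second digest and the
deliberate misconfigurations are made up.
"""
import re

SW1 = """\
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 68
Number of existing VLANs        : 4
VTP Operating Mode              : Server
VTP Domain Name                 : dealgroup
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xA9 0xD1 0x3B 0xCD 0x32 0x94
Configuration last modified by 192.168.1.2 at 05-23-03 11:52:37
"""
# Same revision as sw1 but a different digest: the VLAN database and the
# domain password both feed the digest, so this points at a password mismatch.
SW2 = SW1.replace("Server", "Client").replace("0xA9 0xD1", "0x11 0x22")
# Transparent switch whose domain name differs only in case; VTP domain
# names are case-sensitive, so this switch is not really in the domain.
SW3 = (SW1.replace("Server", "Transparent")
          .replace("dealgroup", "DealGroup")
          .replace(": 3\n", ": 0\n"))
CAPTURES = {"sw1": SW1, "sw2": SW2, "sw3": SW3}

FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$")


def parse_vtp_status(text):
    """Turn the 'Key : Value' lines of show vtp status into a dict. The
    free-form 'last modified' line does not fit the pattern and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_domain(statuses):
    """Return a list of findings for a mapping hostname -> parsed status."""
    findings = []
    domains = {h: s.get("VTP Domain Name") for h, s in statuses.items()}
    if len(set(domains.values())) > 1:
        findings.append("domain name mismatch (names are case-sensitive): %s"
                        % sorted(domains.items()))
    modes = {h: s.get("VTP Operating Mode") for h, s in statuses.items()}
    if "Server" not in modes.values():
        findings.append("no server in the domain; nothing can originate VLAN changes")
    transparent = sorted(h for h, m in modes.items() if m == "Transparent")
    if transparent and any(m in ("Client", "Server") for m in modes.values()):
        findings.append("transparent switch(es) in a client/server domain: %s"
                        % transparent)
    # Switches that have synchronized carry the same revision and digest.
    by_rev = {}
    for h, s in statuses.items():
        by_rev.setdefault(s.get("Configuration Revision"), set()).add(s.get("MD5 digest"))
    if len(by_rev) > 1:
        findings.append("configuration revisions differ: %s" % sorted(by_rev))
    for rev, digests in sorted(by_rev.items()):
        if len(digests) > 1:
            findings.append("revision %s seen with different MD5 digests; "
                            "check the VTP password" % rev)
    return findings


if __name__ == "__main__":
    parsed = {host: parse_vtp_status(text) for host, text in CAPTURES.items()}
    for finding in check_domain(parsed):
        print("-", finding)
```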

Summary

The main use of VLANs is to contain broadcasts. To move traffic between VLANs you need a Layer 3 device to route packets. End-to-end VLANs are used when devices always need to belong to the same VLAN no matter where the device is located, typically for security reasons. Local VLANs are geographically based and are used to break up broadcast domains. Local VLANs don't extend beyond a building's access and distribution layers.

VLANs can be associated to a switch interface either dynamically or statically. Dynamic VLANs use a VMPS server to associate users to VLANs, but require a lot of upfront configuration. However, a user can be plugged in to a switch port anywhere in the network and be associated to the correct VLAN dynamically. Static VLANs are easier to configure, but are more difficult to manage if users are continually moving around in the network.

To create a VLAN, use the vlan command. To associate an interface to a VLAN, use the switchport mode access and switchport access vlan commands. The show vlan command displays your configured VLANs.

Trunks are used to add VLAN information to frames as they are transported between switches and other devices. ISL is proprietary to Cisco and adds a 26-byte header and 4-byte trailer to the user's frame to encapsulate it. 802.1Q tags a frame by inserting a 4-byte field and recomputing the user's FCS value in the frame. 802.1Q supports a native VLAN on a trunk, which doesn't tag the frames for this VLAN and defaults to 1. In MANs, 802.1Q tunneling is used to transport tagged user frames across a carrier's network. Cisco uses DTP to dynamically negotiate trunking on a connection. Use the switchport trunk encapsulation command to specify the trunking protocol and the switchport mode command to specify the DTP mode.

VTP is used to create a consistent VLAN configuration across your switched network. Switches are associated with a domain, and are placed into one of three modes: client, server (the default), or transparent. There are two versions of VTP, 1 and 2, which are not compatible with each other. VTP pruning can be used to dynamically prune inactive VLANs from trunk ports, but it requires switches to be in server mode. Use the vtp command to configure VTP parameters on your switch.

Exam Prep Questions


Question 1
Which of the following is true of using VLANs?
A. Makes it harder to add, move, and change users
B. Degrades network security
C. Isolates networking problems
D. Allows only a single path in a network from one area to another

Answer C is correct. Using VLANs allows for the isolation of problems within a small part of your intranet. VLANs make it easier to add, move, and change users, making answer A incorrect. Answer B is incorrect because VLANs enable you to group users together based on function, which increases your security. Answer D is incorrect because VLANs also enable you to create multiple parallel paths and load-balance across them.

Question 2
You have users who continually move around in your network and you're very concerned about security. What type of VLAN should you implement?
A. Local
B. Static
C. Dynamic
D. End-to-end

Answers C and D are correct. If you have users who are continually moving around your network, dynamic VLANs are the best choice. In addition, if you're concerned about security, you should implement end-to-end VLANs. Local VLANs are typically used to control broadcasts, not security, making answer A incorrect. Answer B is incorrect because static VLANs should be used if users don't move around a lot.

Question 3
What command takes you into this configuration mode: Switch(vlan)#?
A. vlan
B. vtp
C. vlan database
D. vtp database

Answer C is correct. To enter the vlan database from Privileged EXEC mode,
use the vlan database command. Answer A is incorrect because it creates a
VLAN. Answer B is incorrect because it configures VTP parameters. Answer
D is incorrect because it is a nonexistent command.

Question 4
ISL adds a ______-byte header and a ______-byte trailer, whereas 802.1Q
inserts a ______-byte tag.
A. 26, 4, 4
B. 4, 26, 4
C. 4, 4, 4
D. 26, 4, 8

Answer A is correct. ISL adds a 26-byte header and a 4-byte trailer to a user's
frame to encapsulate it. 802.1Q inserts a 4-byte field into the Ethernet
frame, which tags it. Answer B is incorrect because it mixed up the header
and trailer sizes for ISL. Answer C is incorrect because it has an incorrect
header size for ISL. Answer D is incorrect because it has an incorrect tag size
for 802.1Q.

Question 5
Which switch command specifies the DTP mode for trunking?
A. switchport trunk
B. switchport mode
C. switchport native
D. switchport vtp

Answer B is correct. Answer A is incorrect because this command specifies the trunking encapsulation: ISL or 802.1Q. Answers C and D are incorrect because they are nonexistent commands.

Question 6
You're experiencing problems on trunk interface fa1/1. What command would
you use to examine the trunking status?
A. show interface fa1/1 switchport
B. show trunk fa1/1
C. show trunk A
D. show interface fa1/1

Answer A is correct. Use the show interface fa1/1 switchport command to troubleshoot trunking problems. Answers B and C are incorrect because these are nonexistent commands. Answer D displays only interface status information, not trunking information.

Question 7
Which DTP mode should you use if you're connecting a Cisco switch to a Nortel
switch and want to form a trunk?
A. ISL
B. 802.1Q
C. Trunk
D. Nonegotiate

Answer D is correct. If you are connecting a non-Cisco switch to a Cisco switch, use the nonegotiate DTP mode to form a trunk. Answers A and B are incorrect because these are trunk types, not DTP modes. Answer C is incorrect because this is used between switches that understand DTP (Cisco switches).
Question 8
Which VTP mode processes VTP messages and saves VLAN information in
NVRAM?
A. Client
B. Server
C. Transparent
D. Client and Server

Answer B is correct. In server mode, a server switch can process messages and save its VLAN information to NVRAM. Answers A and D are incorrect because a client switch cannot save its configuration to NVRAM. Answer C is incorrect because a transparent switch doesn't process VTP messages, but it forwards them out other trunk interfaces.

Question 9
You need to set up VTP on a switch. The management domain name is
dealgroup and the switch should be in client mode. Enter the configuration to
perform this: _________.

Enter the following commands from within either the vlan database or
Configuration mode:
vtp domain dealgroup
vtp client

Question 10
You suspect that VTP information is not being passed between two server
switches. Which of the following commands would not be helpful in troubleshooting this problem?
A. show interfaces type slot_#/port_# switchport
B. show vtp status
C. show interfaces type slot_#/port_# trunk
D. show vlan

Answer D is correct. The show vlan command doesn't display information about the status of trunks or VTP. Answers A and C are helpful, but incorrect because they show the status of trunking. Answer B is helpful, but incorrect because this command shows your VTP configuration, including the domain name, VTP mode, and VTP password configuration.

Need to Know More?

For information about trunking and trunk protocols, visit http://www.cisco.com/en/US/tech/tk389/tk390/tech_protocol_family_home.html and http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Trunking

For information about VLANs and VTP, visit http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:VLANs_and_VTP

For information on 802.1Q, visit http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf

4
Spanning Tree Protocol

Terms you'll need to understand:
• Spanning Tree Protocol (STP) and 802.1D
• Bridge Protocol Data Unit (BPDU)
• Bridge identifier
• Port and path costs
• Hello, maximum age, and forward delay timers
• Root and designated ports
• Common Spanning Tree (CST) and Per-VLAN Spanning Tree (PVST)

Techniques you'll need to master:
• Understand the three main functions of a transparent bridge
• Know what BPDUs are used for
• Understand how the root switch is elected and how the root and designated ports are chosen
• Know the states a port goes through when STP is running and how long convergence can take
• Compare and contrast CST and PVST
• Configure and verify STP on your Catalyst switch


High reliability and availability are extremely important in today's networks, and they are achieved by adding redundant links and devices. However, this redundancy can create problems in switched networks, specifically Layer 2 loops. The problem that loops create is that a local broadcast or multicast is automatically forwarded by a switch. If a loop exists, the broadcast would circle around the loop forever. Some solution is needed to deal with this problem. The remainder of this chapter focuses on the Spanning Tree Protocol (STP): its components, its operation, its configuration, and troubleshooting.

Transparent Bridging

Digital Equipment Corporation (DEC) was the first to come to market with a transparent bridge in the early 1980s. IEEE eventually incorporated DEC's work into the 802.1D standard. The term transparent bridge was used because the bridge is completely transparent to the end stations that it is interconnecting. Frames that pass through a transparent bridge are not modified: What comes in on an interface will leave exactly the same way on another interface. Transparent bridges perform three basic functions:

• They make forwarding and filtering decisions based on the destination MAC address in a frame.
• They learn where end stations reside in the network.
• They remove loops.

Remember the three main functions of a transparent bridge in the preceding list.

Throughout the remainder of this chapter, I'll use the term switch, instead of bridge, because most people deploy this kind of Layer 2 device in today's networks.

Forwarding and Filtering

As a frame comes into a port, the switch examines the destination MAC address, performs a lookup in its port address table (also called a content addressable memory [CAM] table) for a matching MAC address, and forwards the frame out the appropriate port. If the switch does not find a match, it floods the frame out all its ports except the incoming port. Local broadcasts and multicasts are treated the same way because bridges do not store these MAC addresses in their CAM tables. Because forwarding decisions are made on MAC addresses, these must be unique in a transparently bridged or switched network.

Learning

Besides examining the destination MAC address to make a forwarding decision, the switch also examines the source MAC address in the frame. After examining the CAM table for a match and not finding one, the switch adds the source MAC address to the CAM table with the address's associated port. If the address is already in the CAM table, the switch resets its aging counter. If a certain MAC address is not seen for a period of time, the entry eventually is removed from the CAM table.

The advantage of a switch that dynamically learns the addresses of end stations is that you can plug the switch into the network and it will acquire knowledge of the network without human intervention. If you move an end station to a different segment, the switch will realize this and update its CAM table appropriately. When transparent bridges were brought to market, they did not have a learning capability, meaning that you had to manually configure the address table. Of course, today's bridges and switches perform their learning function automatically.
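The forwarding, filtering and learning behavior of the two sections above, as an added example that is not from the book: a small transparent-switch model with a CAM table that learns source addresses, forwards on a hit, filters frames whose destination sits on the ingress port, floods unknown, broadcast and multicast destinations, re-points a station that moves, and ages out idle entries. Frames, MAC addresses and port numbers are constructed; the 300-second aging time is an assumed parameter.

```python
"""Transparent-bridge behavior from the chapter: learn source MACs per
port, forward on a CAM hit, filter or flood otherwise, age out idle entries.

Added example, not from the book. Frames, MAC addresses and port numbers
are constructed; the aging time is a parameter (300 s is assumed here).
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first
    octet) set. A bridge floods them and never puts them in its CAM table."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class TransparentSwitch:
    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.cam = {}              # mac -> (port, last time seen)

    def _age(self, now):
        expired = [mac for mac, (_, seen) in self.cam.items()
                   if now - seen >= self.aging_time]
        for mac in expired:
            del self.cam[mac]

    def _learn(self, src, in_port, now):
        if is_group_address(src):
            return                 # not a valid unicast source; do not learn
        # New station: add it. Known station: refresh the timer. A station
        # that moved shows up on another port and is simply re-pointed.
        self.cam[src] = (in_port, now)

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the list of egress ports."""
        self._age(now)
        self._learn(src, in_port, now)
        if is_group_address(dst) or dst not in self.cam:
            # Broadcast, multicast or unknown unicast: flood everywhere
            # except the port the frame arrived on.
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.cam[dst]
        if out_port == in_port:
            return []              # filter: destination is on the source segment
        return [out_port]          # forward out the single learned port


def walk_through():
    """Run the chapter's scenarios and return the switch for inspection."""
    sw = TransparentSwitch(ports=[1, 2, 3, 4])
    a, b, c, d, e = ("00:00:0c:00:00:0a", "00:00:0c:00:00:0b",
                     "00:00:0c:00:00:0c", "00:00:0c:00:00:0d",
                     "00:00:0c:00:00:0e")
    log = []
    log.append(sw.receive(1, a, BROADCAST, now=0))   # flood: [2, 3, 4]
    log.append(sw.receive(2, b, a, now=1))           # A is known: [1]
    log.append(sw.receive(1, a, b, now=2))           # B is known: [2]
    log.append(sw.receive(3, c, d, now=3))           # D unknown: [1, 2, 4]
    log.append(sw.receive(1, e, a, now=5))           # A on ingress port: []
    log.append(sw.receive(4, a, b, now=6))           # A moved to port 4: [2]
    log.append(sw.receive(3, c, a, now=400))         # everything aged out: [1, 2, 4]
    return sw, log


if __name__ == "__main__":
    switch, decisions = walk_through()
    for step, ports in enumerate(decisions, 1):
        print(f"frame {step}: egress ports {ports}")
    print("CAM table:", switch.cam)
```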

Loops

The downside of transparent switches, however, is that no redundant connections or parallel paths are allowed, as shown in Figure 4.1.

Figure 4.1 Transparent switches and Layer 2 loops.

A special protocol developed by DEC, called the Spanning Tree Protocol, is an algorithm that runs on all switches that will, in software, disable any loops found in a transparently switched network. On completion, only one active path will exist between one switch and any other switch in the network.

STP Introduction

STP is a self-configuring Layer 2 algorithm that's responsible for removing loops in a switched network while still providing path redundancy. Because a switch automatically forwards broadcasts and multicasts, STP is necessary to make sure that this traffic is not continuously forwarded throughout a switched network. Another problem with loops is that, through the switch's learning function, it might mistakenly update its address table with incorrect information concerning an end station as a frame traverses a loop.

STP was developed by DEC and later incorporated into IEEE's standards as 802.1D. However, the two protocols are not compatible. In a bridged or switched network, all Layer 2 devices must run the same STP algorithm.

Bridge Protocol Data Unit

Periodically, switches send out a special multicast packet, called a Bridge Protocol Data Unit or BPDU, which helps them to advertise themselves, their configurations, and any changes that have occurred. BPDUs help switches discover the topology of the network, including loops. If the cost of a link changes, a new switch or segment is added to the network, or an existing switch or segment fails, this information is propagated via BPDUs and causes the switches to run the STP algorithm. This is done to remove any loops that these changes might have created and to ensure that there is still one active path between any two destinations. To ensure that only one active path exists between any two end stations, a switch places its ports in either a forwarding or a blocking mode.

Update notifications are called topology change notifications (TCNs) and are generated in the following situations:

• A port moves from a forwarding state to a blocking state.
• A non-root switch receives an update notification on a port from a downstream neighboring switch.
• A switch is forwarding traffic to a segment and another port moves into a forwarding state.

The TCNs are propagated throughout the network to ensure that all switches understand that a topology change has taken place. Note that STP is transparent to end stations in that they are unaware of the fact that they're connected to switches running STP.

BPDU hello messages are generated every 2 seconds by switches. BPDUs elect the root, elect one switch per segment to handle forwarding functions, and remove loops by placing ports connected to a redundant path in a blocking state. TCN BPDUs are generated whenever a topology change occurs.

STP Advantages

STP provides the following items:

• The detection and elimination of loops
• The capability to automatically detect failed active paths and to utilize alternate paths
• User-configurable parameters that enable a network administrator to fine-tune the algorithm's performance

STP Components and Operation

Three important parameters, the bridge identifiers, port priorities, and path costs, influence how STP will shape the switched network by blocking on some ports and forwarding on others. STP guarantees only a loop-free environment; it does not guarantee an optimal configuration. Because of this, it's sometimes necessary to configure certain parameters on some of the bridges and/or switches in a data network. Table 4.1 contains some important terms used by STP.

Table 4.1 Important STP Terms

Bridge Identifiers: Each bridge has a unique identifier that it uses when it multicasts its BPDUs. The identifier is made up of a bridge (switch) priority and one of the switch's MAC addresses.

Path Costs: Each port has an associated cost, which is usually the inverse of the actual bandwidth of the port. When you're choosing ports to place into forwarding mode, lower accumulated port costs of the paths to the root switch are preferred.

Port Priority: Each port has a default priority. If two paths exist to a destination and the accumulated port path costs are the same, the port that has the higher priority is preferred; the lower the value, the higher the priority. If both priorities are the same, the lower-numbered port is chosen on the bridge.

BPDU: The BPDU is a multicast frame that bridges periodically generate to share topology information, to elect a root switch to build a spanning tree, and to prune off redundant links, as shown in Figure 4.2.

Figure 4.2 BPDU format.

The BPDU frame type is used by IEEE's 802.1D bridge management protocol for STP. It is used to share information about the topology of the network with the other switches. Table 4.2 lists the fields contained in the BPDU frame.
Table 4.2 BPDU Frame Contents

Protocol Identifier: Contains the value zero.

Version: Contains the value zero.

Message Type: Contains the value zero.

Flags: Signifies one of two events: either a topology change or an acknowledgment of a topology change.

Root Identifier: Defines the switch that's at the top of the spanning tree.

Root Path Cost: Defines the cost from the advertising switch to the root switch in the network.

Bridge (Switch) Identifier: Identifies the switch that generated the BPDU and is used by the algorithm to build a spanning tree.

Port Identifier: Defines from which port this BPDU message left the switch. This is used by other switches to detect and remove loops in a data network.

Message Age: Defines the last time the root switch advertised a BPDU message on which the current network configuration is based.

Maximum Age: Defines the age at which the protocol will remove the information from its database and initiate a topology change by rerunning the spanning tree algorithm. This parameter allows all switches to age uniformly and to rerun STP in parallel.

Hello Time: Contains the interval at which a switch advertises BPDUs.

Forward Delay: Specifies the length of time a port will remain in a port state. This will be discussed in the "Port States" section later in the chapter.

The switch that becomes the root will determine the values of Message Age, Maximum Age, Hello Time, and Forward Delay for all the switches in the network. In other words, after the root is elected and is sending out its multicast BPDUs, the other switches in the network will take the timers in the root's BPDU messages and change their own internal STP parameters to match the root's.
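The field layout of Table 4.2, as an added example that is not from the book: an encoder and decoder for the 35-byte 802.1D configuration BPDU, plus a check for the "sent by the root" case whose timers every other switch adopts. The MAC addresses and the sample BPDU are constructed; the example assumes the 802.1D encoding of the four timers in units of 1/256 second and the 0x80 message type for TCN BPDUs.

```python
"""Encode and decode an 802.1D configuration BPDU laid out as in Table 4.2.

Added example, not from the book. The MAC addresses and the sample BPDU
are constructed; the field order and sizes follow Table 4.2 and IEEE
802.1D, which carries the four timers in units of 1/256 second.
"""
import struct

# 2-byte protocol id, 1-byte version, 1-byte message type, 1-byte flags,
# 8-byte root id (2-byte priority + 6-byte MAC), 4-byte root path cost,
# 8-byte bridge id, 2-byte port id, then message age, max age, hello time
# and forward delay (2 bytes each): 35 bytes in total, network byte order.
CONFIG_BPDU = struct.Struct("!HBBBH6sIH6sHHHHH")
FLAG_TC = 0x01       # flags bit: topology change
FLAG_TCA = 0x80      # flags bit: topology change acknowledgment
CONFIG_TYPE = 0x00   # message type of a configuration BPDU (Table 4.2: zero)
TCN_TYPE = 0x80      # message type of a topology change notification BPDU


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def encode_config_bpdu(root_id, root_path_cost, bridge_id, port_id,
                       message_age, max_age, hello_time, forward_delay,
                       flags=0):
    """root_id and bridge_id are (priority, 'xx:xx:xx:xx:xx:xx') tuples;
    the four timers are given in seconds."""
    def units(seconds):
        return int(round(seconds * 256))
    return CONFIG_BPDU.pack(
        0, 0, CONFIG_TYPE, flags,
        root_id[0], mac_to_bytes(root_id[1]), root_path_cost,
        bridge_id[0], mac_to_bytes(bridge_id[1]), port_id,
        units(message_age), units(max_age), units(hello_time),
        units(forward_delay))


def decode_config_bpdu(data):
    """Parse a configuration BPDU; reject truncated or non-config frames."""
    if len(data) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU: %d bytes" % len(data))
    (proto, version, mtype, flags, rprio, rmac, rcost,
     bprio, bmac, port_id, age, max_age, hello,
     fwd) = CONFIG_BPDU.unpack(data[:CONFIG_BPDU.size])
    if proto != 0:
        raise ValueError("unknown protocol identifier %d" % proto)
    if mtype != CONFIG_TYPE:
        raise ValueError("not a configuration BPDU (type 0x%02x)" % mtype)
    return {
        "version": version,
        "topology_change": bool(flags & FLAG_TC),
        "tc_ack": bool(flags & FLAG_TCA),
        "root_id": (rprio, bytes_to_mac(rmac)),
        "root_path_cost": rcost,
        "bridge_id": (bprio, bytes_to_mac(bmac)),
        "port_id": port_id,
        "message_age": age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd / 256,
    }


def sent_by_root(bpdu):
    """The root advertises itself: its own id as the root id and a zero
    root path cost. Every other switch copies this BPDU's timers."""
    return bpdu["root_id"] == bpdu["bridge_id"] and bpdu["root_path_cost"] == 0


if __name__ == "__main__":
    root = (32768, "00:00:0c:00:00:01")            # constructed root bridge
    raw = encode_config_bpdu(root, 0, root, 0x8001, 0, 20, 2, 15)
    print(raw.hex())
    print(decode_config_bpdu(raw))
```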

Running the STP Algorithm

When STP is run, one of its first jobs is to designate a root switch. After this is chosen, each switch will calculate the shortest distance (best cost) to the root. For each LAN segment, a designated switch will be chosen based on the switch that has the best cost. Ports that provide redundant connections to the root are blocked, leaving a single path to the root, thus effectively eliminating any loops. The following sections explain this process in more detail.

Root Switch Election Process

One of the first tasks of STP is to elect the root switch. Switches sharing BPDUs will discover the current topology of the network, including all the switch identifiers. A switch's identifier consists of a 2-byte priority and a 6-byte MAC address. Based on the combination of these two pieces of information, the switch that has the lowest identifier (not necessarily the lowest MAC address) is then elected as the root.


By default, all switches have the same configured priority, which means that the switch with the lowest MAC address will be chosen as the root. This can be customized, however. For optimal performance, it's recommended that you change the priority so that the switch at a central point in the broadcast domain will be chosen as the root. In a hierarchical design, this should be one of your distribution layer switches for the distribution and access layers and a core switch for the core. One issue with STP is that it guarantees a loop-free environment, but it does not guarantee an optimal configuration. For example, in Figure 4.3, Switch 1 is elected as the root switch. The root switch is necessary to build a reference point to start the calculation of the algorithm. All paths from all the switches must be able to trace a path back to the root.

The switch with the lowest bridge ID (priority + MAC address) is elected as the root.

Figure 4.3 STP process.

Selection of Root Ports

After the root switch is elected, each switch will determine which port, called the root port, it will use to reach the root switch. The root port is the port on a switch that has the lowest accumulated cost to the root switch. Figure 4.3 lists the root ports (R) for each bridge.

If a switch receives BPDUs on multiple ports, this indicates that there are multiple paths to the root switch, and one of them will have to be chosen. If a switch has two ports to the root switch, the path that has the lower path cost is chosen. Here are the rules for choosing a root port:

1. Choose the path with the lowest accumulated path cost to the root switch.
2. If there is a tie in path cost, choose the neighboring switch with the lowest bridge ID.
3. If there is a tie in the bridge IDs, choose the port with the lowest priority.
4. If there are still multiple paths and they go through the same neighboring switch, choose the physically lowest numbered port.

After going through this selection process, the switch will have one, and only one, port that will be its root port.

Know the preceding four steps when choosing a root port for a switch.

Designated Switches and Designated Ports

After the root ports for each switch are determined, designated switches and designated ports are resolved. Each LAN segment will have a designated switch, which has the lowest accumulated path cost to the root switch. All frames that are forwarded to that particular segment will go through the designated switch via its designated port, and no other ports. If two or more switches have the same path cost to the root switch for a given segment, the switch with the lower bridge identifier will be chosen as the designated switch. Through the process of elimination, eventually only one switch will remain that has a designated port for each LAN segment. In Figure 4.3, LAN segment A's designated switch is Switch 3. Note that for LAN segments B and C, the root switch is also the designated switch.

Each segment has a designated port that switches traffic to and from the segment. The switch with the best accumulated path cost will become the designated switch and one port on it will be chosen for the segment. If there is a tie, the switch with the lowest bridge ID is chosen.


Bridging Loops
After the designated ports and switches have been resolved for each LAN
segment, the ports on the switches connected to each segment will be placed
into either a blocking or forwarding mode. The root and designated ports
will be placed into forwarding mode and all other ports will be placed into a
blocking mode. After the completion of this process, no loops should exist in
the switched network, as shown in Figure 4.3. Note, though, that not every
path from one LAN segment to another is optimal. For LAN segment A to
get to LAN segment D, users must go through switches 3, 1, and then 5,
which is two extra hops.
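The four sections above (root election, root-port selection, designated ports, and the resulting blocking) as one added example that is not from the book: it runs the algorithm on a constructed triangle of three switches and reports each port's role, then shows how lowering one switch's priority moves the root. The MAC addresses and port numbers are constructed; port costs are assumed to be the 802.1D-1998 defaults (100 Mbps = 19, 1 Gbps = 4) with every port at the default priority of 128.

```python
"""Root election, root-port selection and designated-port resolution run
on a small triangle of switches, one redundant link included.

Added example, not from the book. The three switches, their MAC addresses
and port numbers are constructed; port costs are the 802.1D-1998 defaults
(100 Mbps = 19, 1 Gbps = 4) and every port keeps the default priority 128.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768       # default bridge priority
DEFAULT_PORT_PRIORITY = 128    # default port priority


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str

    def key(self):
        # Priority is compared first; the MAC decides only on a tie, so the
        # lowest bridge ID is not necessarily the lowest MAC address.
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int

    def ends(self):
        # The point-to-point segment as seen from each attached switch.
        return ((self.a, self.a_port, self.b, self.b_port),
                (self.b, self.b_port, self.a, self.a_port))


BRIDGES = {
    "sw1": BridgeId(DEFAULT_PRIORITY, "00:00:0c:00:00:01"),
    "sw2": BridgeId(DEFAULT_PRIORITY, "00:00:0c:00:00:02"),
    "sw3": BridgeId(DEFAULT_PRIORITY, "00:00:0c:00:00:03"),
}
LINKS = [
    Link("sw1", 1, "sw2", 1, 4),    # Gigabit
    Link("sw1", 2, "sw3", 1, 19),   # FastEthernet
    Link("sw2", 2, "sw3", 2, 19),   # FastEthernet: the redundant path
]


def elect_root(bridges):
    return min(bridges, key=lambda name: bridges[name].key())


def run_stp(bridges, links):
    """Return (root, root_path_cost, root_port, port_role) where port_role
    maps (switch, port) to 'root', 'designated' or 'blocking'."""
    root = elect_root(bridges)
    cost, root_port = {root: 0}, {root: None}
    changed = True
    while changed:                  # relax until every switch has settled
        changed = False
        for sw in bridges:
            if sw == root:
                continue
            candidates = []
            for lk in links:
                for me, my_port, nbr, _ in lk.ends():
                    if me == sw and nbr in cost:
                        # Tuple order encodes the four root-port rules:
                        # accumulated cost, neighbor bridge ID, port
                        # priority, then lowest-numbered local port.
                        candidates.append((cost[nbr] + lk.cost,
                                           bridges[nbr].key(),
                                           DEFAULT_PORT_PRIORITY, my_port))
            if not candidates:
                continue
            best = min(candidates)
            if (cost.get(sw), root_port.get(sw)) != (best[0], best[3]):
                cost[sw], root_port[sw] = best[0], best[3]
                changed = True
    # Every port starts out blocking; root and designated ports forward.
    role = {(me, port): "blocking"
            for lk in links for me, port, _, _ in lk.ends()}
    for lk in links:
        # Designated switch for the segment: lowest root path cost, then
        # lowest bridge ID.
        a_rank = (cost[lk.a], bridges[lk.a].key())
        b_rank = (cost[lk.b], bridges[lk.b].key())
        if a_rank <= b_rank:
            role[(lk.a, lk.a_port)] = "designated"
        else:
            role[(lk.b, lk.b_port)] = "designated"
    for sw, port in root_port.items():
        if port is not None:
            role[(sw, port)] = "root"
    return root, cost, root_port, role


if __name__ == "__main__":
    root, cost, root_port, role = run_stp(BRIDGES, LINKS)
    print("root:", root, "root path costs:", cost)
    for (sw, port), r in sorted(role.items()):
        print(f"{sw} port {port}: {r}")
```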

Port States

In the previous section, two of the five port states were mentioned: blocking and forwarding. Every time a change occurs in the status of the switched network, a recomputation of the STP algorithm must take place. Interestingly, the root switch does not perform the calculation and pass its results to the rest of the switches. Each switch runs STP in parallel, builds the same spanning tree, and derives the same results for the blocking and forwarding modes of each of the switches' ports.

One of the issues faced with changes is that it takes time for this convergence to take place because each port might go through four different port states: blocking, listening, learning, and forwarding, as described in Table 4.3.
Table 4.3 STP Port States

Blocking: A blocking port listens only for BPDUs from other switches; it does not forward any user frames. A port enters this state when it doesn't detect a BPDU within the maximum age timer interval.

Listening: Passing from a blocking state, a port enters into a listening state. In this state, a port listens for frames to detect available paths to the root switch, but does not take any source MAC addresses of end stations and place them in the CAM table. Likewise, the switch does not forward any user frames.

Learning: Upon completion of the listening state, a port moves into a learning state. Here, a port examines user frames for source MAC addresses and places them in the switch's CAM table; still, no user frames are forwarded through the switch.

Forwarding: After finally completing the learning state, a port is placed into a forwarding state, where the bridge performs its normal functioning. It learns source MAC addresses and updates the switch's CAM table as well as forwards user frames through the switch itself.

Disabled: This is a unique state for a port. A port that is in the disabled state has either been disabled by the switch itself because of physical problems or security violations, or it has been manually disabled by the network administrator.

Know the STP port states in Table 4.3.

Convergence Issues
BPDUs, as they are propagated through the switched network, will incur
delays. Because the delays incurred to propagate the BPDUs across the
bridged network might differ in length, how long it takes to incorporate the
topology changes in the network could be different. To prevent this type of
staggered convergence, STP uses timers. The STP algorithm is based on a
diameter of seven switches or fewer, with a Hello Timer value of 2 seconds.
The maximum age timer is 20 seconds (it can be between 6 and 40 seconds), and
the Forward Delay timer is 15 seconds. Cisco recommends that you adjust
these timers to reflect the diameter of your network.
It's recommended that you not change these parameters unless you know exactly
what you're doing and you understand the impact that the new timers will have on
your network. An incorrect setting of any of these timers could cause the creation of
loops due to the loss of BPDUs or not allowing enough time for the algorithm to run.
If you do change these timers, they only need to be changed on the root, which will
then propagate the timers to all other switches in its BPDU messages.

Transition of Port States

Latency is incurred when the ports have to go through their different states
when a change takes place in the network. An example of a change could be
a failed forwarding path, the addition of a new switch, or something as simple as the activation of a port on a switch by attaching an end station. Cisco
uses a default value of 20 seconds for the Maximum Age timer (blocking) and
15 seconds for the Forward Delay timer (listening and learning), which is
used to measure the time a port stays in a specific state.
STP can take from 30-50 seconds to converge: From blocking to listening, 20 seconds; from listening to learning, 15 seconds; from learning to forwarding, 15 seconds. This results in a 50-second hold-down value while a new topology is calculated. A port will start in a blocking state if a BPDU is received on a nonroot port with a
better cost to the root; otherwise, it starts in a listening state. This would be true for
a nondesignated port that becomes a designated port when the designated port fails.

During this convergence time, unfortunately, user data is not being forwarded
in the network, thus causing major disruptions. You can adjust these values,
where the Forward Delay value can be set as low as 4 seconds. It's recommended that if you change the timers, you should increase, not decrease,
them. By decreasing them, you'll more than likely create problems. Having
a lower timer means that you might not be giving your network enough time
to propagate BPDUs, thus producing the likelihood of inadvertent Layer 2
loops. In times of STP instability, you should temporarily increase the
Forward Delay and Maximum Age timers.
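The following is an added Python example (not from the book) that turns the timer rules above into code: it computes the worst-case time a port needs to reach forwarding and checks a proposed timer set against the ranges stated here plus the two relationships IEEE 802.1D requires between Hello, Max Age and Forward Delay (those two inequalities are taken from the standard, not from this chapter).

```python
# Added example, not the book's own material: worst-case 802.1D convergence
# for one port, plus a sanity check for a proposed set of STP timers.

DEFAULT_HELLO = 2        # Hello timer, seconds
DEFAULT_MAX_AGE = 20     # Maximum Age timer, seconds (time spent blocking)
DEFAULT_FWD_DELAY = 15   # Forward Delay, seconds (listening, then learning)


def convergence_time(max_age=DEFAULT_MAX_AGE, forward_delay=DEFAULT_FWD_DELAY,
                     starts_blocking=True):
    """Seconds before a port forwards after a topology change.

    A port that must first age out the BPDU it was hearing waits max_age in
    blocking, then forward_delay in listening and forward_delay in learning:
    20 + 15 + 15 = 50 s with the defaults. A port that goes straight to
    listening skips the max_age wait: 15 + 15 = 30 s.
    """
    blocking = max_age if starts_blocking else 0
    return blocking + 2 * forward_delay


def check_timers(hello=DEFAULT_HELLO, max_age=DEFAULT_MAX_AGE,
                 forward_delay=DEFAULT_FWD_DELAY):
    """Return a list of problems (empty when the timer set is safe).

    The range checks come from the text (Max Age 6-40 s, Forward Delay no
    lower than 4 s). The two inequalities are the constraints IEEE 802.1D
    places on the timers (an assumption taken from the standard, not from
    this chapter): a BPDU must not age out between hellos, and a port must
    not start forwarding before stale BPDUs have aged out network-wide,
    which is exactly the loop the text warns about.
    """
    problems = []
    if not 6 <= max_age <= 40:
        problems.append(f"max age {max_age}s is outside 6-40s")
    if forward_delay < 4:
        problems.append(f"forward delay {forward_delay}s is below the 4s floor")
    if max_age < 2 * (hello + 1):
        problems.append(f"max age {max_age}s < 2*(hello {hello}s + 1): "
                        "BPDUs age out before the next hello arrives")
    if 2 * (forward_delay - 1) < max_age:
        problems.append(f"2*(forward delay {forward_delay}s - 1) < max age "
                        f"{max_age}s: ports may forward while stale BPDUs "
                        "still exist, risking a Layer 2 loop")
    return problems


if __name__ == "__main__":
    print("default convergence:", convergence_time(), "s")                       # 50
    print("straight to listening:", convergence_time(starts_blocking=False), "s")  # 30
    print("defaults:", check_timers() or "ok")
    # The decrease the text warns against: Forward Delay cut to its 4 s floor.
    print("forward delay 4:", check_timers(forward_delay=4))
```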

Spanning Trees
The assumption made so far in this chapter is that all the switches are
running one instance of STP for the whole switched network. This is sometimes referred to as a Common Spanning Tree (CST). IEEE 802.1Q on non-Cisco switches uses CST to remove loops.
Cisco, on the other hand, has two proprietary forms of STP implementations: Per-VLAN Spanning Tree or Shared Spanning Tree (PVST) and
PVST+. By default, PVST is used on ISL trunks and 802.1Q trunks between
Cisco switches, where a separate instance of STP is run for each VLAN. That
means for each VLAN you have, you'll have a separate STP algorithm and
database, a separate root switch and BPDUs for each VLAN. PVST+ is used
in mixed trunk environments in which you have both ISL and 802.1Q
trunks. PVST+ allows CST BPDUs to be correctly incorporated into Cisco's
native PVST and vice versa.
CST is used on 802.1Q trunks connected to non-Cisco switches. PVST is used
between two Cisco switches on ISL and 802.1Q trunks.


CST
With CST, only one instance of STP is running for all the VLANs. STP will
run in the default management VLAN, which is typically VLAN 1. Because
only one instance of STP exists, one root switch is elected and all loops are
removed.
CST has two advantages compared to PVST:
Only one set of BPDUs is created for STP.
Changes only have to be tracked for one instance of STP.

Figure 4.4 shows an example of CST, with Switch 1 being the root bridge for
the whole network (including both VLANs 1 and 2) and X representing
blocking links.
[Figure 4.4: nine switches (Switch 1 through Switch 9) carrying VLAN 1 and VLAN 2; Switch 1 is marked as the root switch and X marks the blocking links.]

Figure 4.4 CST example.

There is a downside to CST, however. For one, it will likely create suboptimal paths in your switched network. This can be seen in Figure 4.4 with
VLAN 2. For VLAN 2, off of Switch 5, to get to the users off of Switch 8, it
has to go through an extra switch: Switch 4. And it is even worse if either of
these groups wants to access the same VLAN off of Switch 9. The other
downside of CST is that as your network grows, convergence problems
become worse, and STP eventually runs out of steam.


PVST
To solve the scalability and convergence problems of CST, Cisco's PVST
uses a separate instance of STP per VLAN. That means for each VLAN,
you'll have a root, port costs, path costs, and priorities, and all these can be
different per VLAN. To ensure unique bridge IDs for each VLAN, Cisco
switches have a pool of MAC addresses to choose from. For some switches,
this pool can include up to 1,024 MAC addresses.
Actually, it's recommended that you tune STP per VLAN to create the most
optimal paths for each VLAN. The size of each STP topology is reduced
because only switches that connect a VLAN together are included, thereby
decreasing convergence time and increasing scalability. PVST is also more
stable because links connected to switches not connected to a specific VLAN
are not included in the STP topology.
Given this capability with PVST, VLAN 2's topology might look like that
shown in Figure 4.5, where Switch 8 is the root. In this example, notice that
not every switch has a path back to the root, such as Switch 4. Switch 4 and
the switches behind it do not have any ports associated with VLAN 2. One
nice feature of PVST is that if VLAN 2 is configured on any of these other
switches, STP will rerun and include a path to the new addition.
[Figure 4.5: the same nine switches, showing the VLAN 2 topology; Switch 8 is marked as the root switch for VLAN 2 and X marks the blocking links.]

Figure 4.5 PVST example.

The downside of PVST is that the switch will be multicasting BPDUs on each
VLAN and must have a topology database for each VLAN, thus creating a lot
of additional overhead. Plus, to make your network optimal, you'll have to
examine your network closely and make the appropriate STP configuration
changes for each VLAN, which is a time-consuming process.

PVST+
PVST+ is a Cisco extension to its PVST protocol. PVST+ allows the incorporation of both IEEE's 802.1Q CST and Cisco's PVST in a switched network.
One nice feature of PVST+ is that you do not have to configure anything on
your switches to use it; it works automatically. It detects CST and PVST and
makes the appropriate changes or adjustments.
The following are some of the enhancements built into PVST+:
Tunneling PVST BPDUs across an 802.1Q trunk
Checking for VLAN and port inconsistencies
Placing a port in blocking mode when receiving inconsistent BPDUs

Configuring and Verifying STP


Now that you're familiar with STP's components and operations, let's discuss
how to configure STP on your Catalyst switch. The following sections will
cover how to tune 802.1D STP parameters to optimize STP for your network layout.

Enabling and Disabling STP


By default, STP is enabled for every VLAN on Cisco's switches. STP can be
globally enabled or disabled or on a per-VLAN basis. If a switch has only one
connection to a switched network or is not part of a loop, STP could be disabled to decrease the likelihood of STP convergence problems disrupting
services. However, care must be taken if you choose to take this approach.
Because of issues with loops, Cisco recommends that you leave STP enabled, even
if no loops currently exist.

For a Catalyst switch, use the following command to enable or disable STP:
Switch(config)# [no] spanning-tree [vlan list_of_vlans]

Here, the list of VLANs is separated by spaces.


Selecting the Root Switch


The STP command that has the most impact on your STP topology is the
one to affect which switch will be the root. You'll need to take a look at your
current topology, including existing traffic patterns, and make a decision as
to which switch, for each VLAN, will become the root.
It's recommended that a distribution layer switch, not an access layer switch, be chosen as the root. It's also recommended that if you have two distribution layer switches for redundancy, you should configure one of the switches as the root for half the
VLANs and the other as the root for the remainder.

To change the priority (part of the bridge ID) to influence the root switch
selection process, use the following command:
Switch(config)# [no] spanning-tree [vlan list_of_vlans]
priority new_priority

You'll have to specify a priority less than 32,768 because this is the default
priority for all switches that use IEEE's STP. Remember that the switch with
the lowest bridge ID is elected as the root. Cisco recommends that the switch
that will become the root have a priority of 4,096 and the backup root should
have a priority of 8,096; all other switches should use the default bridge
priority.

Influencing Path Selections


After a root switch is elected and is multicasting its BPDUs, the switches in
the network will need to remove loops and provide a single path from any
single source to a single destination. Three items affect which ports on a
switch will be placed in forwarding or blocking modes:
The cost of a port
The accumulated port costs to the root
The priority of a port

Each port has an associated cost that's applied to a BPDU when it arrives on
that port. These port costs are added as the BPDU is propagated through the
network: The more switches that a BPDU passes through, the higher its
cost. This value is called a path cost and is used to determine which port to
use, if multiple ports exist, to reach the root switch. The path with the lowest value is chosen. If two paths have the same cost, priorities of the respective ports are used as a tiebreaker.


You can modify these parameters to influence the port that a specific switch
will use to reach the root. Cisco recommends, however, that you take care
when using these commands because an incorrect configuration can create
suboptimal paths, rather than solving them. Youll need to know all the path
costs for each switch involved. The correct choice of the root will usually
alleviate you from having to use these commands.

Port Cost
STP uses the cost of ports to determine which port will be chosen as a root
port and thereby automatically placed into forwarding mode. The switch will
automatically assign a default port cost based on the speed of the port. There
are two versions of the formula. The old version usually takes 1,000 divided
by the port speed in megabits per second. A 10Mbps port has a port cost of
100, whereas a 100Mbps port has a port cost of 10. The lower the number,
the more preferred the port. The newer specification uses a nonlinear scale
to assign costs to ports. Table 4.4 shows the old and new port costs. It's
important to point out that this algorithm for port cost is not carved in
stone; different vendors might use different costs for the same speed port or
even different switches among the same vendor.
Table 4.4 Port Costs

Port Speed   Old Specification   New Specification
-----------  ------------------  ------------------
10 Mbps      100                 100
100 Mbps     10                  19
1 Gbps       1                   4
10 Gbps
Remember the default STP port costs in Table 4.4.

Note that for 10/100Mbps auto-sensing ports, the cost is usually configured
to 10 or 19 (reflecting Fast Ethernet), no matter what the speed is.
Therefore, even if the port is configured as a 10Mbps port, the port cost is
10 and the switch will see it as equally as good as a 100Mbps link. Therefore,
you should manually change the port cost value if you have a mixture of 10
and 100 speeds on auto-sensing ports. The possible range of values is from 1
to 65,535. If you've done your homework and want to change the port cost
on a Catalyst switch, use the following configuration:

Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree [vlan list_of_vlans] cost new_cost

Cost values can range from 1 to 200,000,000.

Port Priority
A port can be assigned a priority that's used as a tiebreaker when two equal-cost paths to the root exist. The default port priority on a Catalyst switch is
128 and can be set from 0 to 240 in increments of 16 (0, 16, 32, 48, and so
on). The lower the number, the more likely it is that the port will be chosen
as a root port. If all ports have the same priority, the physically lowest numbered port is chosen by STP.
To change the priority on a Catalyst switch, use this configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree [vlan list_of_vlans]
port-priority new_priority
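To tie the root election, port cost and port priority rules of the preceding sections together, here is an added Python simulator (not the book's or Cisco's code) that runs the election over a constructed three-switch topology using the new-specification costs from Table 4.4 and the tie-break orders given in Questions 3 and 4 at the end of this chapter; the switch names, MAC addresses and port numbers are made up.

```python
# Added example, not the book's code: a small 802.1D election simulator that
# applies the root, root-port and designated-port rules from this chapter.
import heapq

NEW_SPEC_COST = {10: 100, 100: 19, 1000: 4}  # Table 4.4 new spec; 1 Gbps per Q9


class Port:
    def __init__(self, number, speed_mbps, priority=128):
        self.number, self.priority = number, priority   # priority: 0-240, step 16
        self.cost = NEW_SPEC_COST[speed_mbps]             # charged on receipt
        self.peer = None                                  # (Bridge, Port) far end
        self.role = None                                  # root/designated/blocking

    @property
    def port_id(self):
        return (self.priority, self.number)               # lowest wins ties


class Bridge:
    def __init__(self, name, mac, priority=32768):
        self.name, self.mac, self.priority = name, mac, priority
        self.ports, self.root_path_cost, self.root_port = [], None, None

    @property
    def bridge_id(self):
        return (self.priority, self.mac)                  # priority, then MAC

    def add_port(self, number, speed_mbps, **kw):
        self.ports.append(Port(number, speed_mbps, **kw))
        return self.ports[-1]


def connect(bridge_a, port_a, bridge_b, port_b):
    port_a.peer, port_b.peer = (bridge_b, port_b), (bridge_a, port_a)


def run_stp(bridges):
    """Elect the root, compute root path costs and assign every port a role."""
    root = min(bridges, key=lambda b: b.bridge_id)        # lowest bridge ID
    for b in bridges:
        b.root_path_cost = b.root_port = None
    # Root path cost: a BPDU's cost grows by the cost of the port it ARRIVES on,
    # so relaxation adds the neighbor's receiving-port cost.
    root.root_path_cost = 0
    heap = [(0, root.bridge_id, root)]
    while heap:
        cost, _, b = heapq.heappop(heap)
        if cost > b.root_path_cost:
            continue
        for p in b.ports:
            nb, np_ = p.peer
            if nb.root_path_cost is None or cost + np_.cost < nb.root_path_cost:
                nb.root_path_cost = cost + np_.cost
                heapq.heappush(heap, (nb.root_path_cost, nb.bridge_id, nb))
    # Root port, Question 3 order: lowest root path cost, then lowest neighbor
    # bridge ID, then lowest neighbor port ID, then lowest own port ID.
    for b in bridges:
        for p in b.ports:
            p.role = "blocking"
        if b is root:
            continue
        b.root_port = min(b.ports, key=lambda p: (
            p.peer[0].root_path_cost + p.cost, p.peer[0].bridge_id,
            p.peer[1].port_id, p.port_id))
        b.root_port.role = "root"
    # Designated port per segment, Question 4 order: the end with the lowest
    # root path cost, then bridge ID, then port ID; the other end stays as is.
    done = set()
    for b in bridges:
        for p in b.ports:
            nb, np_ = p.peer
            if id(np_) in done:
                continue
            done.add(id(p))
            mine = (b.root_path_cost, b.bridge_id, p.port_id)
            theirs = (nb.root_path_cost, nb.bridge_id, np_.port_id)
            (p if mine < theirs else np_).role = "designated"
    return root


def build_demo(sw1_port4_priority=128):
    """Constructed triangle: SW1 is the intended root and has two links to SW2."""
    sw1 = Bridge("SW1", "0000.0000.0001", priority=4096)  # recommended root priority
    sw2 = Bridge("SW2", "0000.0000.0002")
    sw3 = Bridge("SW3", "0000.0000.0003")
    connect(sw1, sw1.add_port(1, 100), sw2, sw2.add_port(1, 100))
    connect(sw1, sw1.add_port(2, 100), sw3, sw3.add_port(2, 100))
    connect(sw2, sw2.add_port(3, 100), sw3, sw3.add_port(3, 100))
    connect(sw1, sw1.add_port(4, 100, priority=sw1_port4_priority),
            sw2, sw2.add_port(4, 100))
    return [sw1, sw2, sw3]


def roles(bridges):
    return {b.name: {p.number: p.role for p in b.ports} for b in bridges}


if __name__ == "__main__":
    net = build_demo()
    print("root:", run_stp(net).name, roles(net))
    # Lowering SW1 port 4's priority (spanning-tree port-priority 64) moves SW2's
    # root port from port 1 to port 4: both uplinks cost 19, so the neighbor
    # port ID tie-break decides.
    net = build_demo(sw1_port4_priority=64)
    run_stp(net)
    print("SW2 after port-priority 64:", roles(net)["SW2"])
```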

Verification of STP
After you've made your changes, you'll want to verify them to make sure that
STP is configured the way that you want it. On a Catalyst switch, you can
use the show spanning-tree command to see the changes:
Switch# show spanning-tree [vlan vlan_number]|
[interface type slot_#/port_#]

Note that if you do not specify a VLAN number after the command, the
information displayed will be for VLAN 1.
Switch# show spanning-tree
Spanning tree 1 is executing the IEEE compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 00e0.1e3d.002e
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 00e0.1e2e.51f0
Root port is 10, cost of root path is 10
Topology change flag not set, detected flag not set, changes 1
Times: hold 1, topology change 25, notification 3
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0
Interface Fa0/1 in Spanning tree 1 is down
Port path cost 100, Port priority 128
Designated root has priority 32768, 00e0.1e2e.51f0
Designated bridge has priority 32768, address 00e0.1e3d.002e
Designated port is 1, path cost 10
Timers: message age 0, forward delay 0, hold 0
BPDU: sent 0, received 0


In the preceding example, this switch has a bridge ID of 32768.00e0.1e3d.002e
and is not the root. This can be seen by comparing the bridge ID in the second
line of output with the fourth line of output.
In any Layer 2 network, the network administrator should keep track of the number of
times the STP algorithm is run. Every time a switch has to rerun the algorithm, disruption of services can be noticeable to the users. Adding more switches in a network
can lengthen the time for convergence and therefore lengthen the time of disruption.

Use the show spanning-tree command to view the configuration and operation
of STP on your switch.
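As an added example (not from the book), the Python below parses the show spanning-tree output shown above, performs the root comparison the text describes, and reports what an administrator tracking STP should notice; the expected root MAC and the change-count baseline passed to audit() are assumptions supplied by the caller.

```python
# Added example, not from the book: parse the "show spanning-tree" output shown
# in the text and flag what an administrator should notice (root identity,
# timers, topology change count). Regexes match the format printed there.
import re

# The book's sample output, embedded here as the test input.
SAMPLE = """\
Spanning tree 1 is executing the IEEE compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 00e0.1e3d.002e
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 00e0.1e2e.51f0
Root port is 10, cost of root path is 10
Topology change flag not set, detected flag not set, changes 1
Times: hold 1, topology change 25, notification 3
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0
Interface Fa0/1 in Spanning tree 1 is down
Port path cost 100, Port priority 128
Designated root has priority 32768, 00e0.1e2e.51f0
Designated bridge has priority 32768, address 00e0.1e3d.002e
Designated port is 1, path cost 10
Timers: message age 0, forward delay 0, hold 0
BPDU: sent 0, received 0
"""

ID_RE = r"priority (\d+), address ([0-9a-f.]+)"
PATTERNS = {
    "bridge_id": re.compile("Bridge Identifier has " + ID_RE),
    "root_id": re.compile("Current root has " + ID_RE),
    "timers": re.compile(r"Configured hello time (\d+), max age (\d+), forward delay (\d+)"),
    "root_port": re.compile(r"Root port is (\d+), cost of root path is (\d+)"),
    "changes": re.compile(r"Topology change flag .*changes (\d+)"),
}
IFACE_RE = re.compile(r"Interface (\S+) in Spanning tree \d+ is (\w+)")
PORT_RE = re.compile(r"Port path cost (\d+), Port priority (\d+)")


def parse_show_spanning_tree(text):
    """Return the bridge-level fields plus one dict per interface."""
    info = {"interfaces": []}
    for line in text.splitlines():
        line = line.strip()
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key in ("bridge_id", "root_id"):
                info[key] = (int(m.group(1)), m.group(2))   # (priority, MAC)
            else:
                vals = tuple(int(g) for g in m.groups())
                info[key] = vals if len(vals) > 1 else vals[0]
        m = IFACE_RE.search(line)
        if m:
            info["interfaces"].append({"name": m.group(1), "state": m.group(2)})
        m = PORT_RE.search(line)
        if m and info["interfaces"]:
            info["interfaces"][-1].update(cost=int(m.group(1)), priority=int(m.group(2)))
    # The text's check: the Bridge Identifier line versus the Current root line.
    info["is_root"] = info["bridge_id"] == info["root_id"]
    return info


def audit(info, expected_root_mac, baseline_changes=0, expected_timers=(2, 20, 15)):
    """Findings an administrator keeping track of STP would act on."""
    findings = []
    root_prio, root_mac = info["root_id"]
    if root_mac != expected_root_mac:
        findings.append(f"root is {root_prio}.{root_mac}, expected MAC "
                        f"{expected_root_mac}: a switch with a lower bridge ID "
                        "holds the root role")
    if info["timers"] != expected_timers:
        findings.append(f"timers {info['timers']} differ from expected {expected_timers}")
    if info["changes"] > baseline_changes:
        findings.append(f"STP has recalculated {info['changes'] - baseline_changes} "
                        "time(s) since the baseline")
    return findings


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(SAMPLE)
    print("this switch is root:", parsed["is_root"])
    # Assumed baseline: the 00e0.1e2e.51f0 switch is the intended root.
    for f in audit(parsed, "00e0.1e2e.51f0"):
        print("finding:", f)
```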

Summary
Transparent bridges and switches have three main functions: learn, forward,
and remove loops. Cisco switches use the 802.1D protocol to remove loops
in Layer 2 networks. BPDUs are used to discover the topology of the network, elect a root switch, and notify other switches of topology changes.
BPDU hellos are generated every 2 seconds.
STP elects a root switch, which is the switch with the lowest bridge ID (priority + MAC address). Each switch chooses the best port to reach the root,
called a root port: This is the port with the lowest accumulated path cost to
the root. Each segment has one designated port on one switch, which is used
to forward traffic to and from the segment. The switch with the lowest
accumulated path cost is chosen. All root and designated ports will move
from a blocking or listening state to learning and then forwarding. All other
ports remain in a blocked state. It can take between 30-50 seconds for convergence to take place.
Non-Cisco switches use CST on 802.1Q trunks. Cisco switches support
PVST when connected to other Cisco switches on ISL or 802.1Q trunks. In
PVST, each VLAN has its own STP components: root switch, BPDUs, priorities, and port costs.
STP is enabled, by default, for all VLANs on Cisco switches. Use the
spanning-tree priority command to influence which switch will become
the root switch. Use the show spanning-tree command to view your STP
components and operation.


Exam Prep Questions


Question 1
BPDU hello messages are generated every ___________ seconds.
A. 1
B. 2
C. 15
D. 30

Answer B is correct. BPDU hello messages are generated every 2 seconds.
Therefore answers A, C, and D are incorrect.

Question 2
The switch with the _________ is elected as the root.
A. Lowest MAC address
B. Highest bridge identifier
C. Lowest priority
D. Lowest bridge identifier

Answer D is correct. The switch with the lowest bridge ID (priority + MAC
address) is chosen as the root. A and C are incorrect because they're missing
one of the two bridge ID components. Answer B is incorrect because it is the
lowest bridge ID, not the highest.

Question 3
A switch is choosing a root port. Two ports have the same lowest accumulated
path cost. Which is the tiebreaker?
A. Highest numbered port
B. Lowest neighboring bridge ID
C. Lowest numbered port
D. Lowest port priority


Answer B is correct. When choosing a root port, the lowest accumulated
path cost is used first. If there is a tie, choose the neighboring switch with the
lowest bridge ID. If there is still a tie, the port with the lowest priority is
chosen, making answer D incorrect. If there is still a tie, choose the lower-numbered port on the switch, making answers A and C incorrect.

Question 4
When choosing a designated port, which switch is used when going through the
selection process?
A. The higher-modeled switch
B. The switch with the highest accumulated path cost
C. The switch with the lowest bridge ID
D. The switch with the highest priority

Answer C is correct. When choosing a designated port for a segment, the
switch with the lowest accumulated path cost is chosen, making answer B
incorrect. If there is a tie, the switch with the lowest bridge ID is chosen,
making answer D incorrect. The model of the switch is not taken into consideration, making answer A incorrect.

Question 5
In which port state does the CAM table begin to be built?
A. Forwarding
B. Learning
C. Listening
D. Blocking

Answer B is correct. The switch begins building the CAM table in the learning state. The switch also continues to build the CAM table and forwards
user frames in the forwarding state, making answer A incorrect. During the
listening and blocking states, the CAM table is not updated, making answers
C and D incorrect.


Question 6
It can take up to __________ seconds for STP to converge.
A. 2
B. 15
C. 50
D. 60

Answer C is correct. It can take up to 50 seconds for STP to converge.
Answer A is incorrect because this is the BPDU hello timer. Answer B is
incorrect because this is the forward delay timer. Answer D is an invalid
timer.

Question 7
PVST is supported on __________ trunks.
A. ISL
B. 802.1Q
C. ISL and 802.1Q

Answer C is correct. PVST is supported on both 802.1Q and ISL trunks.
PVST is supported on 802.1Q trunks only if the two connected switches are
Cisco switches.

Question 8
Which switch command selects the root switch?
A. (config)# spanning-tree priority
B. (config-if)# spanning-tree priority
C. (config)# spanning-tree bridge-id
D. (config)# spanning-tree bridge-priority

Answer A is correct. To change the priority of a switch that is part of the
bridge ID, use the global configuration spanning-tree priority command.
Answer B is incorrect because it is executed at the wrong mode. Answers C
and D are incorrect because they are nonexistent commands.


Question 9
With the current 802.1D port cost standard, what is the cost of a Fast Ethernet
port?
A. 1
B. 4
C. 10
D. 19

Answer D is correct. The default port cost for a Fast Ethernet port in the
current 802.1D standard is 19. Answer A is incorrect because it is the old
port cost for a Gigabit Ethernet port. Answer B is incorrect because it is the
newer cost for a Gigabit port. Answer C is incorrect because it is the older
cost for a Fast Ethernet port.

Question 10
Which switch command displays the STP bridge identifier, as well as STP configuration for interfaces involved in STP?
A. show span
B. show span-tree
C. show spanning-tree
D. show stp

Answer C is correct. Use the show spanning-tree command to view your
current STP configuration and operation. Answer A is incorrect because this
displays the span feature configuration on your switch. Answers B and D are
incorrect because they are nonexistent commands.

Need to Know More?


For information about STP and its configuration on Catalyst
switches, visit http://www.cisco.com/pcgi-bin/Support/browse/
psp_view.pl?p=Internetworking:Spanning_Tree.

5
Enhancements to STP

Terms you'll need to understand:


PortFast, UplinkFast, and BackboneFast
BPDU Guard and filtering
Rapid STP (RSTP)
Alternate and backup port states for RSTP
Edge port and link type
Multiple Spanning Tree (MST) and regions
Internal Spanning Tree (IST)
EtherChannel
Port Aggregation Protocol (PAgP) and Link Aggregation
Control Protocol (LACP)
BPDU skewing, Root Guard, Unidirectional Link Detection
(UDLD), and Loop Guard

Techniques you'll need to master:


Enabling PortFast, UplinkFast, and BackboneFast
Using RSTP to scale Layer 2 networks
Understand the differences between CST, PVST, and MST
Configuring MST
Understand the EtherChannel operation and configuration
Understand when to use Root Guard, UDLD, and Loop Guard
to prevent STP misconfigurations
Know how to troubleshoot STP problems as well as the use of
debug commands


The preceding chapter covered the basic operation and configuration of
STP. This chapter discusses some of the enhancements to STP to help it
scale better in large Layer 2 networks. Those features include PortFast,
UplinkFast, BackboneFast, Rapid STP, STP Guard features, and
EtherChannels. The remainder of this chapter discusses these features in
more depth.

Cisco Enhancements to STP


The following sections cover items that Cisco has developed to enhance the
performance of STP, thus decreasing your convergence times. These features include Cisco's proprietary PortFast, UplinkFast, and BackboneFast.

PortFast
Cisco's proprietary PortFast feature reduces the size of the STP database by
excluding ports that do not have bridges or switches connected to them and
removing them from the STP topology, thereby minimizing downtime when
changes occur in a switched network. When a change occurs, STP flushes
the content-addressable memory (CAM) table, thereby preventing any communication between devices until STP has the ports go through the blocking, listening, learning, and forwarding states. Using the PortFast feature is
very important in environments where servers require constant communication between them and the end users' devices or where changes are constantly taking place. Using the PortFast configuration commands greatly
reduces the number of ports in STP and therefore decreases the time it takes
for convergence to occur when changes take place in a switched network.

PortFast Operation
When a change occurs that causes STP to recalculate, ports enabled for
PortFast remain in a forwarding state and the entries in the CAM table for
these ports are not removed.
To take a port out of STP, you can place it in PortFast mode. When STP is
run and the ports go through the four different modes, ports in PortFast
mode are kept in a forwarding state. The advantage of this is that the ports
configured for PortFast do not have to wait 30-50 seconds while the STP
algorithm is running. Make sure that you do this only for ports that you
know are not part of any Layer 2 loop. This is primarily used for ports connected to PCs, servers, and routers.


If you have devices that acquire addressing information (DHCP, IPX,
AppleTalk) when they boot up, you'll have to enable PortFast for them. For
example, you turn on your PC and it tries to use DHCP to acquire its IP
addressing information. If PortFast is not enabled, your PC probably won't
get its IP addressing information because the port has to go through the various STP states to be placed into a forwarding state (listening, learning, and
forwarding). As STP is running and going through its states, the device is trying to acquire its addressing information. In many instances, the device will
give up before STP has had time to converge, thus preventing the device from
acquiring the necessary addressing to participate in the Layer 3 network.

PortFast Configuration
To configure PortFast on a Catalyst switch, execute the following command:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] spanning-tree portfast

To verify your configuration, use the show spanning-tree summary command or


the show running-config interface command. Heres an example of the former
command:
Switch> show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is disabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          1          1
<--output truncated-->

In this example, you can see that PortFast is not enabled.

BPDU Guard
BPDU Guard is a Cisco feature that shuts down a PortFast port if a BPDU
is received on it. When the port is shut down, the status of the interface is
error disabled. BPDU Guard is disabled by default. To enable it, use the
following commands:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree portfast bpduguard


To verify whether BPDU Guard is enabled, use the show spanning-tree
summary command.

BPDU Filtering
The BPDU filtering feature enables you to filter BPDUs on ports of your
switch. This is handy for ports that you know should be connected only to
user devices. It prevents a switch that is mistakenly connected to one of these
ports from creating Layer 2 loops.
To configure BPDU filtering, you must first enable PortFast on the port.
After PortFast is enabled, you can enable BPDU filtering on the interface.
Here's an example of its configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree portfast bpdufilter default

If a switch receives more than 10 BPDUs on a PortFast port when BPDU


filtering is enabled, the switch disables PortFast on the port and treats the
port as a normal STP port. The advantage that BPDU filtering has over
BPDU Guard is that BPDU filtering allows a port to dynamically switch to
and from PortFast, whereas BPDU Guard restricts the port to PortFast only.
Use the show spanning-tree summary command to verify your configuration.
PortFast takes a port out of STP and leaves it in a forwarding state. Use the spanning-tree portfast command to enable this on an interface. When enabled, you must not
connect a switch to a port configured for PortFast. You can use the BPDU Guard and
BPDU filtering features to detect this problem and deal with it.
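The following added Python model (not from the book or Cisco) contrasts how a PortFast port reacts to BPDUs from an unexpected switch with no protection, with BPDU Guard, and with BPDU filtering, using only the behaviour described above; the port names and the sender label are constructed.

```python
# Added example, not the book's material: a model of a PortFast access port
# under the three cases the text describes (no protection, BPDU Guard, BPDU
# filtering), including the "more than 10 BPDUs" rule for filtering.
from dataclasses import dataclass, field

BPDU_FILTER_LIMIT = 10          # more than this many BPDUs turns PortFast off


@dataclass
class AccessPort:
    name: str
    portfast: bool = True
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    state: str = "forwarding"   # PortFast ports start out forwarding
    bpdus_received: int = 0
    log: list = field(default_factory=list)

    def receive_bpdu(self, sender):
        """Apply the text's rules to one BPDU arriving from `sender`."""
        if self.state == "err-disabled":
            return self.state      # stays down until an administrator clears it
        self.bpdus_received += 1
        if self.portfast and self.bpdu_guard:
            # BPDU Guard: any BPDU on a PortFast port error-disables the port.
            self.state = "err-disabled"
            self.log.append(f"{self.name}: BPDU from {sender}; port err-disabled")
        elif self.portfast and self.bpdu_filter:
            # BPDU filtering: BPDUs are dropped; past the limit PortFast is
            # removed and the port behaves as a normal STP port again.
            if self.bpdus_received > BPDU_FILTER_LIMIT:
                self.portfast = False
                self.state = "listening"
                self.log.append(f"{self.name}: {self.bpdus_received} BPDUs from "
                                f"{sender}; PortFast disabled, normal STP")
        elif self.portfast:
            # Plain PortFast: nothing happens, the unexpected switch is simply
            # accepted into the topology (the situation the text warns about).
            self.log.append(f"{self.name}: BPDU from {sender}; no protection")
        # A non-PortFast port just hands the BPDU to normal STP processing.
        return self.state


def simulate(port, n_bpdus, sender="unexpected-switch"):
    """Deliver n BPDUs to the port and return its final state."""
    for _ in range(n_bpdus):
        port.receive_bpdu(sender)
    return port.state


if __name__ == "__main__":
    for port in (AccessPort("Fa0/1"),
                 AccessPort("Fa0/2", bpdu_guard=True),
                 AccessPort("Fa0/3", bpdu_filter=True)):
        print(port.name, "->", simulate(port, 11), port.log[-1:])
```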

UplinkFast
STP guarantees a loop-free environment. However, one large disadvantage
of STP is the 30- to 50-second convergence time before redundant links can
be used when failures occur. This is problematic in environments where real-time or bandwidth-intensive applications are deployed. Cisco's proprietary
UplinkFast feature allows the almost-immediate use of a redundant switched
connection (a blocked port) without recalculating STP when the primary
path fails. This reduces the transition period from 30 or 50 seconds to less
than 4 seconds.
The name of this feature describes its purpose. It's typically used on uplink
ports that connect access layer switches to distribution layer switches. An
example of this is shown in Figure 5.1. The left side shows two distribution
layer switches. The one on the left is the root and the one on the right is the
backup, or secondary, root. Note that the primary link is from the access layer
switch to the root switch located on the left. When the link on the left fails,
the access layer switch uses the backup link on the right within 2 to 4 seconds
after detecting the failure. It does this by placing the blocked port into a forwarding state, bypassing the listening and learning states of STP.
[Figure 5.1: two distribution layer switches (the root switch and the backup root switch) above an access layer switch. Before the failure, the primary link to the root is forwarding and the link to the backup root is the STP blocked port (X); after the primary link fails, the backup link is forwarding.]

Figure 5.1 UplinkFast example.

The following must be true for UplinkFast to perform its task:

- The UplinkFast feature must be enabled on your switches. By default, it
  is disabled.
- The switch must have one port in a blocking state. This means that
  there's an alternative path to the root switch.
- The failure that's detected must be on the root port of this switch.
  Therefore, failures on other switches could still affect convergence for
  this switch.

Remember the UplinkFast requirements: It must be enabled, one port must be in a
blocking state, and the failure must be on the currently attached root port of the
switch.

It's highly recommended that UplinkFast be configured on your access layer
switches only. If a switch is the root of STP, the switch will automatically
disable it even if you have UplinkFast enabled. In other words, UplinkFast is a
feature designed for nonroot, or leaf, switches.

To turn on UplinkFast for your Catalyst switch, use the following command:
Switch(config)# [no] spanning-tree uplinkfast [max-update-rate update_rate]

By default, the switch generates 150 multicasts every second. You can
increase or decrease this value, which either decreases the amount of time to
detect failures or increases it, respectively. Note that there is no option to
enable or disable this per interface or VLAN; you either enable it for the
whole switch or you leave it disabled. To verify UplinkFast's configuration,
use the show spanning-tree summary command, which was shown earlier in the
chapter in the PortFast Configuration section. You can also use the show
spanning-tree uplinkfast command:
Switch> show spanning-tree uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)           : 7
Number of proxy multicast addresses transmitted (all VLANs): 4238
Name                 Interface List
-------------------- ------------------------
VLAN1                Fa0/1 (fwd), Fa0/3
<--output truncated-->

Use the spanning-tree uplinkfast command to enable UplinkFast on a switch.

BackboneFast
Cisco's proprietary BackboneFast feature is an enhancement to STP that
provides scalability to STP on your backbone switches: It's not meant for
your access layer switches but rather for your core and distribution layer
switches. BackboneFast and UplinkFast are complementary STP enhancements.
One major difference between UplinkFast and BackboneFast is that UplinkFast
works only for directly connected links that fail, whereas BackboneFast has
the capability to detect indirect link failures, that is, links not physically
connected to a switch.
Let's take a look at how the BackboneFast feature works. Let's assume that
you have three core switches that are interconnected, as shown in step 1 of
Figure 5.2. Switch 1 is the root, and switch 2 is the designated bridge for the
segment between switch 2 and switch 3. Because of this, switch 3 places its
port on the left in a blocking state.

Figure 5.2 BackboneFast example. (Three panels, steps 1 to 3, each showing
Switch 1 (Root), Switch 2, and Switch 3. Step 1: switch 3's port toward switch 2
is the STP blocked port. Step 2: the link between switch 1 and switch 2 has
failed and switch 3's port is still blocked. Step 3: the link is still failed
and switch 3's formerly blocked port now carries the path to the root.)

The BackboneFast feature begins its process when it receives an inferior BPDU
from its designated switch, either on the root port or on a blocked port of a
switch. An inferior BPDU can be defined as a BPDU that identifies a single
switch as both the root switch and the designated switch. In this case, switch
3 begins receiving these inferior BPDUs from switch 2, the designated switch.
When switch 3 starts receiving these BPDUs, it essentially tells the switch
that an indirect link (a link it's not physically connected to) has failed and
therefore the designated switch has lost its connection to the real root
switch. This is shown in step 2 of Figure 5.2.
In a normal situation, the inferior BPDUs that switch 3 is receiving from
switch 2 would be ignored until the maximum aging time had expired, thereby
slowing down convergence. At that point, switch 3 will try to determine
whether it has a primary or alternative path to the real root switch. It does
this by examining all its other ports, whether they're blocked or if one
happens to be a root port. In the worst case, if there's only a root port and
no blocked port, this tells the receiving switch that it has lost all
connectivity to the root. In either of these cases, the normal STP rules take
place. The receiving switch waits until the maximum aging time has expired,
promotes itself as root, and then starts the STP algorithm.
If there are alternative paths, the BackboneFast feature alleviates the problem
of rerunning STP and creating convergence issues. If the inferior BPDU arrives
on a root port, an alternative path must be found; hopefully, one of the
blocked ports will provide a secondary route. In this situation, not only has
the neighbor lost its primary path to the root, but so has the switch receiving
the inferior BPDU. However, if the inferior BPDU arrives on a blocked port, the
receiving switch knows it already has a valid primary path: the root port
itself. In step 2 of the example, switch 3 has a root port, the port on the
bottom connecting to the root bridge, switch 1.
If there is an alternative path, the bridge generates a special kind of PDU, called
a Root Link Query PDU (RPDU), out all its alternative ports, blocked or root.
The switch will then determine whether it has a valid alternative path to the
root, based on BPDUs coming from other switches (if it received the inferior
BPDU on its root port or if it has a primary path to the root on its root port).
If it does, as is the case for switch 3 in step 2, it expires the maximum aging timer
on the port(s) on which it received the inferior BPDU. This causes the switch
to make the port on which it received its inferior BPDU a designated port. The
switch moves the port immediately from a blocking state to listening, learning,
and then forwarding, as shown in step 3 of Figure 5.2 with switch 3.
Here is where BackboneFast has an advantage over the normal operation of
STP. With STP, a port must stay in a blocked state for 20 seconds. But with
BackboneFast, the port is immediately placed into a listening state, thus
reducing your convergence time from 50 seconds to 30 seconds. However, for
this feature to work, you must enable it on all switches in your network, that
is, your distribution and core layer switches.
To enable BackboneFast, use the following command:
Switch(config)# spanning-tree backbonefast

After BackboneFast is enabled, you can use the show spanning-tree summary
and show spanning-tree backbonefast commands to verify its configuration and
operation. Heres an example of the latter command:
Switch> show spanning-tree backbonefast
BackboneFast is enabled
BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs)     : 0
Number of RLQ request BPDUs received (all VLANs)  : 0
<--output truncated-->

Where UplinkFast detects failures on directly connected interfaces, BackboneFast
detects failures on nonconnected interfaces. BackboneFast can detect this condition
by looking for inferior BPDUs. Use the spanning-tree backbonefast command to
enable this feature.


Rapid STP
Because of convergence issues in the 802.1D STP algorithm, IEEE developed
802.1W. 802.1W, also called Rapid STP or RSTP, includes enhancements to speed
up the convergence with STP. One of the main problems of using Cisco's STP
enhancements (PortFast, UplinkFast, and BackboneFast) is that they're
proprietary and function only on Cisco switches. In most instances, you can
use RSTP instead of Cisco's proprietary STP enhancements and get the same or
better performance from your STP process.
For trunk connections using ISL or 802.1Q between Cisco switches, Cisco has
enhanced PVST+ to allow RSTP to function correctly. Cisco calls this
enhancement RPVST+. You do not need to configure anything special on the
switch to use RPVST+.

BPDUs
Just as with STP, RSTP uses BPDUs to elect a root switch, discover the
topology of the network, share STP configuration information, notify other
switches of topology changes, and verify the continuing existence of other
switches. RSTP uses the same BPDU format as STP. If you recall from
Chapter 4, Spanning Tree Protocol, a BPDU frame contains a type field.
With 802.1D, the type field was used to encode two different STP messages:
a topology change notification and a topology change acknowledgment. Two
bits were used to encode these message types.
RSTP, on the other hand, uses all six of the remaining bits, but not the 2 bits
that STP uses. IEEE decided on this approach so that in a mixed environment
where some switches support RSTP and some support only STP, both types of
switches would understand the BPDU framing format. Also, RSTP switches would
be able to easily detect BPDUs from STP switches by looking at the 2-bit
values in the type field; RSTP uses only the other 6 bits. Therefore, there are
two different versions of BPDUs: switches running STP (802.1D) use version 1,
and switches running RSTP (802.1W) use version 2.
It's important to point out that RSTP switches can understand STP BPDUs and
can incorporate STP switches into the current Layer 2 loop-free network.
However, in a mixed network of RSTP and STP switches, the RSTP switches lose
all the fast convergence features that will be discussed later in this
section. In other words, in a mixed network, an RSTP switch essentially
functions as an STP switch.
Besides the use of the type field in a BPDU frame, there is another
difference between RSTP and STP. With STP, the root generates BPDUs every 2
seconds and other bridges relay these hellos. A nonroot switch generates a
BPDU only when it receives a BPDU on its root port. With STP, switches detect
failures by missed BPDUs from the root on forwarding ports.
RSTP has every switch generate BPDUs every 2 seconds. These BPDUs
contain the switch's RSTP configuration information. If one switch misses
three consecutive hello BPDUs from a neighboring switch, it considers the
connection between itself and the neighbor to have failed, allowing the
detection of failures to occur more quickly (6 seconds or less) than with
802.1D (20 seconds with the maximum age timer).
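The BPDU fields that BackboneFast's inferior-BPDU check and the type-field discussion above depend on can be inspected directly. The Python decoder below is an added example, not code from the book or from Cisco: it parses a configuration BPDU, decodes the flags (type) byte for both protocol generations, and reports a BPDU as inferior when the sending bridge names itself as root while a better root is already known. On the wire, the protocol version byte of an 802.1D BPDU is 0 and that of an 802.1w RST BPDU is 2. The frames are constructed with the build_bpdu helper written for this example, reusing the bridge addresses from the show spanning-tree mst output later in this chapter. From a defender's seat, this is the same decoding that tells you what BPDU Guard or BPDU filtering would see arriving on an access port.

```python
"""Decode 802.1D / 802.1w BPDUs and flag inferior BPDUs.
Added example, not from the book; all frames below are constructed."""
import struct
from dataclasses import dataclass

# Configuration BPDU layout (big-endian), 35 bytes:
# proto_id(2) version(1) type(1) flags(1) root_id(8) root_path_cost(4)
# bridge_id(8) port_id(2) msg_age(2) max_age(2) hello(2) fwd_delay(2)
# An 802.1w RST BPDU appends one "version 1 length" byte (always 0).
_CFG = struct.Struct("!HBBB8sI8sHHHHH")

BPDU_TYPE_CONFIG = 0x00  # 802.1D configuration BPDU
BPDU_TYPE_RST = 0x02     # 802.1w rapid spanning tree BPDU
BPDU_TYPE_TCN = 0x80     # 802.1D topology change notification

PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    flags: dict
    root_id: tuple          # (priority, mac) the sender believes is root
    root_path_cost: int
    bridge_id: tuple        # (priority, mac) of the sender
    port_id: int


def _bridge_id(raw: bytes) -> tuple:
    """8-byte bridge ID -> (priority, mac in Cisco dotted form)."""
    prio = struct.unpack("!H", raw[:2])[0]
    mac = ".".join(raw[2:][i:i + 2].hex() for i in range(0, 6, 2))
    return prio, mac


def decode_flags(version: int, flags: int) -> dict:
    """Bit 0 (TC) and bit 7 (TCA) are the two bits 802.1D uses; 802.1w fills
    the six bits between them with its proposal/agreement handshake and the
    sender's port role and state."""
    out = {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}
    if version >= 2:
        out.update(
            proposal=bool(flags & 0x02),
            port_role=PORT_ROLES[(flags >> 2) & 0x03],
            learning=bool(flags & 0x10),
            forwarding=bool(flags & 0x20),
            agreement=bool(flags & 0x40),
        )
    return out


def parse_bpdu(data: bytes) -> Bpdu:
    if len(data) < 4:
        raise ValueError("too short to be a BPDU")
    proto, version, btype = struct.unpack("!HBB", data[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if btype == BPDU_TYPE_TCN:
        raise ValueError("TCN BPDU carries no root or bridge fields")
    if btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST) or len(data) < _CFG.size:
        raise ValueError("not a complete configuration/RST BPDU")
    _, _, _, flags, root, cost, bridge, port, *_ = _CFG.unpack_from(data)
    return Bpdu(version, btype, decode_flags(version, flags),
                _bridge_id(root), cost, _bridge_id(bridge), port)


def is_inferior(bpdu: Bpdu, known_root: tuple) -> bool:
    """Inferior BPDU as the text defines it: the sender names itself as both
    root and designated bridge, and that root is worse than the one we know.
    Lower (priority, MAC) wins the election, so 'worse' is a larger tuple."""
    return bpdu.root_id == bpdu.bridge_id and bpdu.root_id > known_root


def build_bpdu(version, btype, flags, root_id, cost, bridge_id, port_id,
               max_age=20, hello=2, fwd_delay=15):
    """Helper for this example only: timers are encoded in 1/256 s units."""
    def bid(t):
        prio, mac = t
        return struct.pack("!H", prio) + bytes.fromhex(mac.replace(".", ""))
    body = _CFG.pack(0, version, btype, flags, bid(root_id), cost, bid(bridge_id),
                     port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)
    return body + (b"\x00" if btype == BPDU_TYPE_RST else b"")


ROOT = (32768, "0001.42a1.1234")      # root bridge from the chapter's show output
NEIGHBOR = (32768, "0005.7439.abcd")  # a non-root neighbor (constructed role)


def demo():
    normal = parse_bpdu(build_bpdu(0, BPDU_TYPE_CONFIG, 0x00, ROOT, 19, NEIGHBOR, 0x8001))
    # Neighbor lost its path to the root and now claims to be root itself.
    lost_root = parse_bpdu(build_bpdu(0, BPDU_TYPE_CONFIG, 0x00, NEIGHBOR, 0, NEIGHBOR, 0x8001))
    # 0x3c: designated role, learning and forwarding set (802.1w flags).
    rst = parse_bpdu(build_bpdu(2, BPDU_TYPE_RST, 0x3c, ROOT, 19, NEIGHBOR, 0x8001))
    return is_inferior(normal, ROOT), is_inferior(lost_root, ROOT), rst.flags["port_role"]


if __name__ == "__main__":
    print(demo())  # (False, True, 'designated')
```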

Port States
RSTP is based on 802.1D STP. RSTP chooses one switch to function as the root
and all switches then designate the appropriate port states for their ports
to ensure a loop-free topology. Many of the terms and concepts are the same
between the two STPs, such as port and path cost, port priority, switch or
bridge ID, and so on. However, compared to STP, RSTP contains two additional
port roles, Alternate and Backup, which help with fast convergence.
Table 5.1 lists RSTP's port states and their functions. As you can see from
the table, RSTP has only three port states, as compared to STP's five. STP's
disabled, blocking, and listening states have been combined into a single RSTP
state: discarding.
Table 5.1 RSTP Port States
RSTP Port State   Port Included in STP Topology?   Learning MAC Addresses?
Discarding        No                               No
Learning          Yes                              Yes
Forwarding        Yes                              Yes

One problem with STP is that the state the port is placed in is directly associated with the role that the port plays. For example, a root or designated
port is in a forwarding state. With RSTP, the role and state that a port is
placed in are separate.
Know the three RSTP port states in Table 5.1: discarding, learning, and forwarding.


Port Roles
RSTP adds two additional port roles to help with convergence issues. Table
5.2 lists all the port roles used in RSTP. As you can see from this table, there
are two new port roles: alternate and backup. An alternate port backs up a
root port, whereas a backup port backs up a designated port.
Table 5.2 RSTP Port Roles
RSTP Port Role   Explanation
Root             The port used on a switch to reach the root switch.
Designated       The port used on a switch by a segment to reach the root switch.
Alternate        This port serves as a secondary root port in case the primary
                 root port fails. It is in a discarding state unless a failure of
                 the root port or connection occurs, in which case it is moved to
                 a forwarding state.
Backup           This port serves as a secondary designated port in case the
                 primary designated port fails. It is in a discarding state unless
                 a failure of the designated port occurs, in which case it is
                 moved to a forwarding state.
Disabled         This port is not participating in STP and has been disabled.

Understand the RSTP port roles in Table 5.2: an alternate root port backs up the root
port and a backup port backs up the designated port.

One of the interesting things about RSTP is that it uses the same STP algorithm to calculate paths to the root. Therefore, a network using RSTP has
the same default loop-free topology that STP would have created. In other
words, there are no changes in choosing a root switch, calculating accumulated path costs, or choosing a root or designated port. The main difference
is what occurs when changes happen in the network that would normally
cause 802.1D STP to rerun, which, as you saw in the previous chapter, creates convergence issues.

Convergence Features
RSTP implements a handful of features to speed up convergence. The first of
those features is similar to Cisco's BackboneFast STP enhancement. With this
feature, if an 802.1W switch receives an inferior BPDU (a root BPDU with a
better accumulated path cost was received on a nonroot port), the switch
floods this new information to other switches and begins its STP calculation
process to choose a new root port and form a new loop-free Layer 2 topology.
However, the main convergence enhancement of RSTP is a feature called Rapid
Transition to Forwarding (RTF). In 802.1D, switches had to wait for ports to
go through all of their states (30 to 50 seconds) before a port could be
placed in a forwarding state and user traffic could be processed. In many
examples, this doesn't make sense, especially the Layer 2 disruption of a
switched network when only an insignificant topology change occurs, such as
when a port connected to a PC becomes active.

Edge Port and Link Type
Where 802.1D relied on timers to allow for BPDU information to be propagated
to all switches to ensure that a loop-free topology could be created, RSTP
uses the two components shown in Table 5.3.
Table 5.3 RSTP Convergence Components
Component   Explanation
Edge port   A port connected to a nonswitch (Layer 2) device, such as a PC,
            router, or file server.
Link type   The link type of a connection, which is either point-to-point
            (pt-pt) or a shared medium.

The edge port component is used to determine whether a switch is connected to
your switch. It learns this by listening for BPDUs on the port. If your switch
doesn't receive any BPDUs on the port, the switch designates the port as an
edge port. Changes in the status of an edge port do not cause RSTP to
recalculate. In other words, if a PC is connected to your switch, this port is
considered an edge port. If you reboot your PC, your switch does not make any
changes in RSTP or notify any other devices about this change in port state.
An edge port is left in a forwarding state unless a BPDU is received on it, at
which point an RSTP calculation occurs to ensure that no loops have been
created. The edge port then loses its status as an edge port and becomes a
normal STP port. Cisco's PortFast is similar to RSTP's edge port concept. The
major difference is that Cisco's PortFast feature always keeps a port in a
forwarding state even if a BPDU is received on it. Therefore, it's possible to
have Layer 2 loops with Cisco's PortFast feature if you aren't careful about
the ports on which you enable it. RSTP's edge port feature overcomes this
problem by listening for BPDUs on the port to ensure that no loops are or
will be created. If a port is either an edge port or is in a discarding state,
the port is said to be in sync.
The link type of a port is determined by the duplex setting on the port. If
your port is configured or detected as full duplex, the link type is considered
pt-pt. If your port is configured or detected as half-duplex, the link type is
considered as a shared medium.
Know how RSTP uses edge ports and link types in determining what a port is
connected to.

Topology Changes
When any topology change occurs in 802.1D, the root switch is notified first
and the root switch then propagates this information to all other switches.
When other bridges receive this update, they begin the recalculation process.
With RSTP, only changes on nonedge ports cause a topology change to
occur. Therefore, if someone turns on her PC, it does not cause RSTP to
perform a recalculation, but it would cause 802.1D to do so. When RSTP
detects a topology change, the switch performs the following actions:
1. The switch starts a timer (called TC While), which is set to two times
   the hello interval, for all nonedge ports, including all designated ports
   and the root port, if necessary.
2. The switch removes all MAC addresses from the CAM table associated with
   only these nonedge ports.
3. While the timer is active for a port, BPDUs are generated on the port
   that indicate a topology change (TC).

If a switch receives a BPDU with the TC bit set in the type field, it first
clears the CAM table of all MAC addresses associated with the port the BPDU
was received on. The switch then repeats the preceding three steps for its
remaining nonedge ports.
Using this process, any changes can be immediately propagated throughout the
entire Layer 2 network, thus speeding up convergence. Where 802.1D used a
two-step process to propagate notification information, RSTP uses only a
one-step process; a switch doesn't have to notify the root switch first.
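To make the three steps concrete, here is a small Python model of the procedure. It is an added example, not from the book; the switch, the port names and the MAC addresses are constructed. It shows the operational consequence worth remembering: every topology change empties the CAM entries of all non-edge ports, so frames to those addresses are flooded until the addresses are relearned, while a port correctly classified as an edge port is left out of the flush entirely.

```python
"""Model of the RSTP topology-change (TC) handling described in the text.
Added example, not from the book; switch, ports and MACs are constructed."""
from dataclasses import dataclass, field

HELLO_TIME = 2  # seconds; the RSTP default hello interval


@dataclass
class Port:
    name: str
    edge: bool = False          # edge port: end station attached, excluded from TC handling
    tc_while: int = 0           # seconds left on the TC While timer
    cam: set = field(default_factory=set)  # MAC addresses learned on this port


class RstpSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def learn(self, port_name, mac):
        self.ports[port_name].cam.add(mac)

    def _run_tc_steps(self, skip=None):
        """Steps 1 to 3: start TC While (two hello intervals) on every non-edge
        port, drop the MACs learned on those ports, and leave the timer running
        so that BPDUs sent on those ports carry the TC bit."""
        flushed = set()
        for p in self.ports.values():
            if p.edge or p.name == skip:
                continue
            p.tc_while = 2 * HELLO_TIME
            flushed |= p.cam
            p.cam.clear()
        return flushed

    def local_topology_change(self, port_name):
        """A port of this switch changed state. Returns the MACs flushed;
        an edge-port change flushes nothing and notifies nobody."""
        if self.ports[port_name].edge:
            return set()
        return self._run_tc_steps()

    def receive_tc_bpdu(self, port_name):
        """TC bit seen in a received BPDU: flush the receiving port's entries
        first, then repeat the three steps on the remaining non-edge ports."""
        p = self.ports[port_name]
        flushed = set(p.cam)
        p.cam.clear()
        return flushed | self._run_tc_steps(skip=port_name)

    def sends_tc(self, port_name):
        """True while BPDUs leaving this port carry the TC bit."""
        return self.ports[port_name].tc_while > 0

    def tick(self, seconds=1):
        for p in self.ports.values():
            p.tc_while = max(0, p.tc_while - seconds)


def demo():
    # Constructed switch: two uplinks plus one edge port with a PC behind it.
    sw = RstpSwitch([Port("Fa0/1"), Port("Fa0/2"), Port("Fa0/3", edge=True)])
    sw.learn("Fa0/1", "0001.42a1.1234")
    sw.learn("Fa0/2", "0005.7439.abcd")
    sw.learn("Fa0/3", "00aa.bbcc.dd01")
    pc_reboot = sw.local_topology_change("Fa0/3")      # edge port: nothing happens
    uplink_change = sw.local_topology_change("Fa0/1")  # uplinks flushed, PC entry kept
    return (pc_reboot, uplink_change, set(sw.ports["Fa0/3"].cam),
            sw.sends_tc("Fa0/1"), sw.sends_tc("Fa0/3"))


if __name__ == "__main__":
    print(demo())
```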
RSTP supports a convergence mechanism that's similar to Cisco's UplinkFast
feature. If a root port (or its connection to the next switch) on an RSTP
switch fails, RSTP automatically takes the port in an alternate state (the
port is still receiving BPDUs from the root) and immediately moves it to a
forwarding state.

Multiple Spanning Tree
Multiple Spanning Tree (MST) is an enhancement to IEEE's RSTP. MST is
similar to Cisco's PVST. You'll recall from the last chapter that PVST has a
separate instance of STP for each VLAN, and is supported on trunk connections
to Cisco devices. For each STP instance, there is a separate set of BPDUs,
root switches, and STP configuration information. One problem of PVST is that
it adds a lot of overhead to your switching equipment. An example of PVST is
shown in the top-left corner of Figure 5.3. In this example, there are 100
VLANs. Half of the VLANs (1-50) are forwarding on the left trunk from switch 1
to switch 2 and the other half (51-100) are forwarding on the right trunk from
switch 1 to switch 3. With PVST, you have the ability to tune each VLAN to the
network to provide an optimal loop-free topology. However, as you add more
VLANs to your topology, you must tune each VLAN individually to provide an
optimal STP configuration, which becomes cumbersome with a large number of
VLANs.
CST (used with 802.1Q trunks) is shown in the top-right corner of Figure 5.3.
CST's main weakness is that only one instance of STP is used. Therefore, an
optimal topology can be created for only some VLANs, but not for all. In
addition, you cannot use redundant connections for load balancing, as you can
with PVST. CST does have an advantage over PVST, however: It has minimal
overhead. Only one set of BPDUs is used throughout the network and the amount
of processing of STP information on your switches is almost negligible.
The main purpose of MST is to allow multiple instances of STP, but to reduce
the amount of overhead associated with Cisco's PVST. Instead of having a
separate instance of STP for each VLAN, MST uses the concept of an MST
instance, where multiple VLANs can be associated with an instance.
An example of MST is shown in the bottom part of Figure 5.3. You associate
VLANs with an MST instance. In Figure 5.3, VLANs 1-50 are associated with
instance 1 and VLANs 51-100 are associated with instance 2. Each instance has
its own STP components, which allows for an optimal tuning of STP. In this
figure, half of the VLANs are using one link as their primary link from switch
1 while the other half are using the other link. With PVST, you would have to
tune this on a per-VLAN basis. With MST, you associate VLANs to an instance
and tune the instance. As you can see from this example, MST needs only two
instances of STP, making it more scalable and manageable than PVST, but more
optimal than CST.

Figure 5.3 PVST, CST, and MST comparison. (Three panels: PVST at the top left,
CST at the top right, and MST at the bottom; an X marks the STP blocked link in
each topology.)

MST Advantages and Disadvantages
Here are the two main advantages of MST: it can implement load balancing with
redundant connections, like PVST, and it has minimal overhead, like CST.
Despite its advantages, MST has two disadvantages. First, MST is more complex
than CST, so additional training might be required of your administrators.
Second, the configuration of a mixed MST and CST network is not simple and
requires some planning and additional configuration.

Regions
A region in MST is where all the switches have the same base MST
configuration. To belong to a region, switches must have the following
information identically configured on each switch:
- The region name (32 bytes)
- The revision number (2 bytes)
- VLAN table contents (4,096 VLANs)

If two switches have this information identically configured, the two switches belong to the same region. Otherwise, the switches are considered to be
in separate regions.
When multicasting BPDUs, switches include the three components from the
preceding list in the BPDUs. The exception to this is the VLAN table to
instance mapping. This table mapping is instead run through a digest function
and the output is included in the BPDU. This is to reduce the amount of information contained in the BPDU. The destination switch takes its own table and
runs it through the same digest function. If the output is the same, the VLAN
table mapping has been configured the same way on both switches.
To belong to the same region, all switches in the region must have the same region
name, revision number, and VLAN table mappings.

Internal Spanning Tree
Internal Spanning Tree (IST) is an internal STP process that runs on an MST
switch. IST is used to handle interaction between MST and CST switches.
Because 802.1Q is an IEEE standard, MST must be backward-compatible with
switches that support only CST. IST is used to implement this functionality
and to interact with CST switches. IST essentially treats the entire MST
region as a virtual switch when interacting with CST switches. An example of
this is shown in Figure 5.4.
Figure 5.4 IST example. (Switch 1 is the root switch; switches 2 through 9 are
shown, with switches 4, 7, and 8 inside the box labeled MST Region; two ports,
next to switch 4 and switch 7, are marked X as blocked.)

In this example, switches 4, 7, and 8 are part of an MST region. When
switches 4 and 8 interact with their directly connected CST switches (1 and
9), they pretend that the switches in the MST region are actually a single
virtual switch running CST. Even though all the switches in the MST region
have their own unique switch IDs, they appear as a single switch ID to the
CST network.
However, within the MST region, each STP instance has its own spanning tree
where each instance is given a number of 1 or higher. IST is always assigned
a number of 0.
MST does provide interoperability with Cisco's PVST+. It does this by
generating BPDUs for each non-CST VLAN. MST is not fully compatible with
PVST+, but does support many of its features. Table 5.4 lists the supported
features.
Table 5.4 Supported Features with MST
Feature                  Support?
PortFast                 Yes
UplinkFast               No
BackboneFast             No
BPDU Filter and Guard    Yes
Loop and Root Guard      Yes (discussed later in this chapter)
Private VLANs            Yes (you must map a secondary VLAN to the same
                         instance associated with the primary VLAN)

MST Configuration and Verification
MST is disabled on your Catalyst switch by default. To enable it, use the
following command:
Switch(config)# spanning-tree mode mst

After you've enabled MST, you must perform additional configuration tasks,
including the setup of your MST instances. Here are the commands to set up
your VLAN instances:
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name region_name
Switch(config-mst)# revision revision_number
Switch(config-mst)# instance instance_number vlan VLAN_range
Switch(config-mst)# show current|pending
Switch(config-mst)# end

The name of the region and the revision number of the region must be the
same on all switches if you want them to interact with each other. The
instance number specifies which VLANs will belong to the specified instance.
You can specify a single VLAN or a range of VLANs, such as 5-9. The show
current command displays the active MST configuration after you exit your
MST configuration. show pending displays the changes you've made to MST. Note
that both of these show commands are done within the MST configuration
section.
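The region check described under Regions and the instance configuration above can be reproduced offline. The Python below is an added example, not code from the book or from Cisco IOS: it parses VLAN ranges in the form the instance command accepts (such as 5-9), builds the 4,096-entry VLAN-to-instance table with unmapped VLANs falling into instance 0, computes the digest over that table, and compares the resulting (name, revision, digest) identity of two switches. The digest is HMAC-MD5; the fixed key is the one published in IEEE 802.1s as I remember it, so treat the absolute digest values as an assumption to verify against the digest your own switch reports. The equality test between two configurations does not depend on the key being right, since both sides use the same one.

```python
"""MST configuration identity: region name, revision, and the digest of the
VLAN-to-instance table.  Added example, not from the book or Cisco IOS."""
import hashlib
import hmac
import struct

# Key defined by IEEE 802.1s for the configuration digest (quoted from memory;
# an assumption to verify, see lead-in).  Both sides must use the same key.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
NUM_VLANS = 4096  # table covers VLAN IDs 0..4095, two bytes each


def parse_vlan_range(spec: str) -> list:
    """'5-9' -> [5..9]; '7,10-12' -> [7, 10, 11, 12]; single IDs allowed."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part.strip()!r}")
        vlans.extend(range(lo_i, hi_i + 1))
    return vlans


def build_table(instances: dict) -> list:
    """instances maps instance number -> VLAN range string, as typed in the
    'instance N vlan RANGE' commands.  Every VLAN not named lands in instance
    0 (the IST), which is the 'Instance 0' row of the show output."""
    table = [0] * NUM_VLANS
    for inst, spec in instances.items():
        if not 1 <= inst <= 4094:
            raise ValueError(f"instance {inst} out of range")
        for v in parse_vlan_range(spec):
            if table[v] != 0:
                raise ValueError(f"VLAN {v} mapped to two instances")
            table[v] = inst
    return table


def config_digest(table: list) -> bytes:
    """HMAC-MD5 over the 4096 big-endian 16-bit instance numbers."""
    data = struct.pack(f"!{NUM_VLANS}H", *table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).digest()


def mst_config_id(name: str, revision: int, instances: dict) -> tuple:
    """The three values that must match for two switches to share a region."""
    if len(name.encode()) > 32:
        raise ValueError("region name is limited to 32 bytes")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision is a 2-byte field")
    return (name, revision, config_digest(build_table(instances)))


def same_region(a: tuple, b: tuple) -> bool:
    """A receiving switch compares name, revision and digest from the BPDU
    against its own; any mismatch places the sender in another region."""
    return a == b


def demo():
    # Constructed configurations: the chapter's region1, revision 1 mapping,
    # one faithful copy, and one with a typo in the instance 2 range.
    sw1 = mst_config_id("region1", 1, {1: "1-5", 2: "6-10"})
    sw2 = mst_config_id("region1", 1, {2: "6-10", 1: "1-5"})
    sw3 = mst_config_id("region1", 1, {1: "1-5", 2: "6-9"})
    return same_region(sw1, sw2), same_region(sw1, sw3), sw1[2].hex()


if __name__ == "__main__":
    print(demo())
```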
The show spanning-tree mst configuration command displays your current MST
configuration:
Switch# show spanning-tree mst configuration
Name      [region1]
Revision  1
Instance  Vlans mapped
--------  ----------------------------------
0         11-4094
1         1-5
2         6-10
------------------------------------------

In this example, VLANs 1-5 have been associated with instance 1 and VLANs
6-10 have been associated with instance 2.
To view general information concerning MST, use this command:
Switch# show spanning-tree mst [instance_#]

If you omit the instance number, it defaults to 0 (IST). Here's an example of
the output of this command:
Switch# show spanning-tree mst 1
###### MST00 vlans mapped: 1-5
Bridge      address 0005.7439.abcd priority 32768 (32768 sysid 0)
Root        address 0001.42a1.1234 priority 32768 (32768 sysid 0)
            port Fa0/1 path cost 200038
IST master  this switch
Operational hello time 2, forward delay 15, max age 20
Configured  hello time 2, forward delay 15, max age 20, max hops 20

Interface  Role Sts Cost   Prio.Nbr Type
---------- ---- --- ------ -------- --------------
Fa0/1      Desg FWD 200000 128.1    P2p
Fa0/2      Root FWD 200000 128.2    P2p Bound(PVST)
Fa0/5      Desg FWD 200000 128.5    P2p

There are many optional parameters for the show spanning-tree mst command. If
you use the interface parameter, the command displays the switch ID, root
switch, and the role, status, cost, priority, and link type of the specified
interface. If you use the detail parameter, the command shows all MST
information, including each interface's information.


EtherChannels
EtherChannel is a technology that enables you to aggregate up to 8 Fast
Ethernet or Gigabit Ethernet connections, providing up to 1,600Mbps or
16Gbps of bandwidth (in full duplex mode). The channel is treated as one
logical connection between two switches. Even if one of the connections fails
in the EtherChannel, the other connections still operate properly.
EtherChannels are supported for both Layer 2 and Layer 3 connections.

Operation of EtherChannels
A link failure is transparent to the user because traffic is rerouted across
another of the channel connections in less than a handful of milliseconds.
When a failure occurs, the Ethernet controller sends information to the
switch's processor about the failure, and the processor correctly reroutes the
traffic across one of the other links in the EtherChannel.
EtherChannels also eliminate the problem of redundant links when STP runs in
a network. When running in a looped environment, STP removes redundant
connections by placing them in standby mode, thus reducing a network's total
available bandwidth. STP treats Fast EtherChannels as one logical link. Even
if one of the connections in the channel fails, the channel itself is
considered unchanged; STP isn't recalculated, thus avoiding the disruption of
network services.

Port Aggregation Protocol and Link Aggregation Control Protocol
Port Aggregation Protocol (PAgP), a Cisco-proprietary protocol, allows the
dynamic creation of EtherChannels between switches without your intervention.
Using this protocol, switches send special frames out of ports capable of
forming EtherChannels to discover whether neighboring switches support this
feature. If this is true and if the necessary configuration conditions have
been met, a channel is formed between the connected ports on the two switches.
If you make port changes on one port, you must make the same changes on all
ports in the channel; otherwise, the channel will fail. PAgP and Link
Aggregation Control Protocol (LACP) support two user-configurable channel
modes, as shown in Table 5.5.

Table 5.5 PAgP and LACP Modes
Mode        Protocol   Description
on          Neither    The port is set to be part of a channel and does not
                       send PAgP or LACP frames.
auto        PAgP       A port becomes part of a channel if the other switch
                       initiates it. This is the default mode.
desirable   PAgP       A port actively seeks to become part of a channel by
                       sending PAgP frames.
passive     LACP       A port becomes part of a channel if the other switch
                       initiates it.
active      LACP       A port actively seeks to become part of a channel by
                       sending LACP frames.

Note that these modes are similar to the modes used by Cisco's DTP when
forming trunk connections between two Cisco switches. However, the modes in
Table 5.5 are used only to build EtherChannel connections between Cisco
switches.
Ports will form a channel with PAgP if one side is set to desirable and the
other side is set to desirable or auto. Two sets of ports in auto mode will not
form a channel.
The on mode should be used if you want to form a channel, but do not want to use
either LACP or PAgP to dynamically form channels.

LACP is the IEEE's version of dynamically forming channels. LACP is defined in 802.3ad and is similar to Cisco's PAgP. Like PAgP, LACP is used to interact with a remote switch to determine whether they have multiple connections between them that can be bound together into a single EtherChannel. As shown in Table 5.5, LACP introduces two new modes: active and passive. Active mode is similar to PAgP's desirable mode and passive mode is similar to PAgP's auto mode. Ports will form a channel with LACP if both sides are active or one side is active and the other is passive. If both sides are passive, a channel is not formed.
LACP introduces three additional parameters: system priority, port priority, and administrative key. The system priority parameter is used to assign a system priority to the switch. Each switch has a system ID that is made up of the system priority and its MAC address; the switch with the lower system ID decides which ports are bundled. The port priority is used if you want to

05 9911 ch05 10/10/03 1:57 PM Page 127

127
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enhancements
. . . . . . . . to
. .STP
. .

specify more than eight connections in a channel, but want to prioritize which of them are actually used. You can specify more than eight connections in a channel (LACP allows up to 16), but the switch will only use eight. The remaining connections, those with the higher (less preferred) port priority values, are placed in a standby state and are used for backup purposes if one of the eight main connections fails. The administrative key specifies the capability of a port to form channels with other ports based on the port's characteristics, such as its data rate, duplex setting, and connection type (point-to-point or shared medium).
Remember the channel modes discussed in Table 5.5. PAgP uses desirable and
auto, whereas LACP uses passive and active. The on mode enables channeling on
an interface, but disables PAgP and LACP.

Configuring EtherChannels
This section covers the basics of setting up and troubleshooting an
EtherChannel connection. Before I get started with the actual configuration
commands, there are some important guidelines that must be followed for
setting up a successful EtherChannel connection. These are discussed in the
next section.

EtherChannel Guidelines
When youre setting up a channel, each of the ports in the channel has to be
configured exactly the same; otherwise, an EtherChannel will not be formed.
Follow these guidelines when setting up EtherChannels:
- Only eight interfaces are supported, but these interfaces do not have to be contiguous nor on the same module.
- All ports must be in the same VLAN or be trunk ports (in the same mode, such as ISL).
- If the EtherChannel is a trunk, the same range of allowed VLANs (if you're using manual pruning) must match on all trunks in the channel; this applies to Layer 2 channels.
- The ports cannot be in a dynamic VLAN; otherwise, the switch's performance will be drastically affected (VMPS and learning issues) and neither PAgP nor LACP will work.
- If the ports are not properly configured, the EtherChannel will not form, so as not to create any network loops.
- Ports must be set at the same speed and duplex setting.

- The broadcast-suppression configuration must be specified as a percentage for the channel ports.
- Port security must be disabled.
- All ports must be enabled in the channel. If you manually disable one of the interfaces in the channel, the interface is considered to have failed and the switch will forward packets to the remaining interfaces in the channel.
- None of the interfaces can belong to SPAN.
Remember the preceding list of requirements for building an EtherChannel.
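
The guidelines above are easy to check by eye on two ports and easy to get wrong on eight. As an added example, not code from this book or from Cisco, the following Python script parses simplified IOS-style interface stanzas from two constructed switch configurations, groups the members of each channel-group, reports any setting that differs across members or that must be absent (port security), and applies the PAgP and LACP negotiation rules from Table 5.5 to the modes configured on the two ends. The configuration text, the interface names and the subset of commands the parser understands are assumptions made for the example.

```python
"""Added example (not from the chapter or Cisco): check EtherChannel member
consistency and PAgP/LACP mode compatibility from IOS-style running configs.
The configurations below are constructed; the parser understands only the
simplified 'interface' stanzas they contain."""
import re
from collections import defaultdict

# Settings the chapter says must be identical on every member of a channel.
MUST_MATCH = ("speed", "duplex", "switchport mode", "switchport access vlan",
              "switchport trunk encapsulation", "switchport trunk allowed vlan")
# Settings that must be absent on channel members.
FORBIDDEN = ("switchport port-security",)
CHANNEL_RE = re.compile(r"channel-group (\d+) mode (\S+)")


def parse_interfaces(config):
    """Return {interface: {setting: value}} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {}
        elif raw.startswith(" ") and current is not None:
            stmt = raw.strip()
            m = CHANNEL_RE.match(stmt)
            if m:
                interfaces[current]["channel-group"] = m.group(1)
                interfaces[current]["mode"] = m.group(2)
                continue
            for key in MUST_MATCH + FORBIDDEN:
                if stmt == key or stmt.startswith(key + " "):
                    # bare keyword (e.g. 'switchport port-security') -> 'enabled'
                    interfaces[current][key] = stmt[len(key):].strip() or "enabled"
                    break
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def members_by_group(interfaces):
    """Group member interfaces by channel-group number."""
    groups = defaultdict(dict)
    for name, settings in interfaces.items():
        if "channel-group" in settings:
            groups[settings["channel-group"]][name] = settings
    return dict(groups)


def check_members(members):
    """Return guideline violations that would keep this channel from forming."""
    problems = []
    for key in MUST_MATCH + ("mode",):
        values = {s.get(key, "<default>") for s in members.values()}
        if len(values) > 1:
            problems.append("%s differs across members: %s" % (key, sorted(values)))
    for name, settings in sorted(members.items()):
        for key in FORBIDDEN:
            if key in settings:
                problems.append("%s: %s must be disabled" % (name, key))
    if len(members) > 8:
        problems.append("%d members; only eight can be active" % len(members))
    return problems


def channel_forms(mode_a, mode_b):
    """Negotiation outcome for the channel-group modes on the two ends:
    on/on bundles statically; PAgP needs at least one desirable side, LACP at
    least one active side; on against a negotiating mode, auto/auto,
    passive/passive, or PAgP against LACP never forms a channel."""
    a, b = mode_a.lower(), mode_b.lower()
    if "on" in (a, b):
        return a == b
    if {a, b} <= {"desirable", "auto"}:
        return "desirable" in (a, b)
    if {a, b} <= {"active", "passive"}:
        return "active" in (a, b)
    return False


# Constructed sample: SW1 is desirable on both members; SW2 answers with auto,
# but its second member was left at half duplex and carries port security.
SW1_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 speed 100
 duplex full
 channel-group 1 mode desirable
!
interface FastEthernet0/2
 switchport mode trunk
 speed 100
 duplex full
 channel-group 1 mode desirable
!
"""
SW2_CONFIG = SW1_CONFIG.replace("desirable", "auto").replace(
    "interface FastEthernet0/2\n switchport mode trunk\n speed 100\n duplex full",
    "interface FastEthernet0/2\n switchport mode trunk\n speed 100\n duplex half\n"
    " switchport port-security")

if __name__ == "__main__":
    for label, cfg in (("SW1", SW1_CONFIG), ("SW2", SW2_CONFIG)):
        for group, members in members_by_group(parse_interfaces(cfg)).items():
            print(label, "channel-group", group, check_members(members) or "OK")
    print("desirable/auto forms a channel:", channel_forms("desirable", "auto"))
    print("auto/auto forms a channel:     ", channel_forms("auto", "auto"))
```

Run against a real running-config you would add the remaining guideline checks (dynamic VLAN membership, SPAN, broadcast suppression) in the same way; the point of `channel_forms` is that a mode mismatch is silent on the switch, so checking both ends' configurations together is the quickest way to explain a channel that never comes up.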

Configuration Commands
There are two ways that you can create EtherChannels: based on Layer 2 or Layer 3 connections. This is useful depending on how you want your two connected switches to load-balance across the channel: based on MAC addresses or Layer 3 (IP) addresses. Load balancing is discussed a little later in this section.
If you want to create a Layer 2 EtherChannel, use the following commands:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# channel-protocol lacp|pagp
Switch(config-if)# channel-group group_# [mode channel_mode]
Switch(config-if)# lacp system-priority priority_#
Switch(config-if)# lacp port-priority priority_#

Instead of configuring each interface individually, you can use this command
if the interfaces are contiguous on the same module:
Switch(config)# interface range type slot_#/start_port_# - end_port_#

When specifying the beginning and ending port numbers, you must separate
them by a space, a dash, and then a space, like this:
Switch(config)# interface range fastethernet 0/1 - 4

The channel-protocol command specifies the protocol used to dynamically form channels with connected switches. The channel-group command enables you to group interfaces together in a channel. Interfaces with the same group number are placed in the same EtherChannel. You can optionally define the mode for the channel; if you omit this, it defaults

05 9911 ch05 10/10/03 1:57 PM Page 129

129
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enhancements
. . . . . . . . to
. .STP
. .

to the use of PAgP in Auto mode. The valid modes were listed previously in
Table 5.5.
Use the channel-group command to include an interface in an EtherChannel.

The two lacp commands configure the system and port priorities for use with
LACP.
To create a Layer 3 EtherChannel, first configure the physical interfaces as channel members as shown previously. After that, create the logical port-channel interface, make it a routed (non-switchport) interface, and assign an IP address to it, like this:
Switch(config)# interface port-channel channel_group_#
Switch(config-if)# no switchport
Switch(config-if)# ip address IP_address subnet_mask

In this configuration, the channel_group_# must match the number configured on the physical interface with the channel-group command. The physical member interfaces must also be routed (no switchport) interfaces; a Layer 3 port-channel cannot bundle Layer 2 switchports.

Load Balancing Methods
Load balancing on an EtherChannel is not done on a frame-by-frame or packet-by-packet basis. Instead, the address or addresses in the frame or packet are run through a hashing algorithm, which results in a small binary value. This binary value is then matched up with one of the connections in the EtherChannel. All traffic with this binary value is then transported across this connection in the EtherChannel, so a single conversation never gets more than one link's worth of bandwidth, and its frames stay in order.
For example, let's assume that the EtherChannel is basing its switching decision on the destination MAC address in the frame. Any frame that has the same destination MAC address would always go across the same connection in the EtherChannel. If you have one file server that users are constantly sending traffic to, all this traffic would go across one connection in the channel to reach the file server, however many links the channel has. Because of this process, Cisco recommends that you choose source addresses or both source and destination addresses for purposes of load balancing. Whichever method you pick applies to every EtherChannel on the switch; it is a global setting, not a per-channel one.
To set up load balancing, use the following command:
Switch(config)# port-channel load-balance load_balance_mode

Table 5.6 lists the valid modes that you can choose from when load balancing across an EtherChannel.

Table 5.6 Load Balancing Modes

Mode          Description
src-mac       Use the source MAC address in the frame
dst-mac       Use the destination MAC address in the frame
src-dst-mac   Use both the source and destination MAC addresses in the frame
src-ip        Use the source IP address in the packet
dst-ip        Use the destination IP address in the packet
src-dst-ip    Use both the source and destination IP addresses in the packet
src-port      Use the source TCP or UDP port number in the segment header
dst-port      Use the destination TCP or UDP port number in the segment header
src-dst-port  Use both the source and destination TCP or UDP port numbers in
              the segment header
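
As an added illustration, not Cisco code, the following Python model shows why the choice of fields in Table 5.6 matters. Cisco's real hash is platform specific, so this uses a stand-in that XORs the selected fields, keeps the low three bits (the eight hash buckets Cisco spreads across the member links) and maps each bucket to a link. The traffic mix is constructed: eight clients all sending to one file server. With dst-mac or dst-ip every flow lands on the same link, exactly the file-server case described above, while src-dst-ip spreads them across both links.

```python
"""Added example (not Cisco code): a model of how EtherChannel load balancing
maps flows onto member links, to show why the choice of fields matters.
Cisco's real hash is platform specific; this stand-in XORs the selected
fields, keeps the low three bits (eight hash buckets) and spreads the buckets
over the links.  The traffic mix is constructed."""
from collections import Counter
from ipaddress import IPv4Address

MODES = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip",
         "src-port", "dst-port", "src-dst-port")


def mac_to_int(mac):
    """'0000.0c01.0005' or '00:00:0c:01:00:05' -> integer."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def flow_fields(flow, mode):
    """Return the header fields a load-balance mode feeds into the hash."""
    smac, dmac = mac_to_int(flow["smac"]), mac_to_int(flow["dmac"])
    sip, dip = int(IPv4Address(flow["sip"])), int(IPv4Address(flow["dip"]))
    table = {
        "src-mac": (smac,), "dst-mac": (dmac,), "src-dst-mac": (smac, dmac),
        "src-ip": (sip,), "dst-ip": (dip,), "src-dst-ip": (sip, dip),
        "src-port": (flow["sport"],), "dst-port": (flow["dport"],),
        "src-dst-port": (flow["sport"], flow["dport"]),
    }
    return table[mode]


def select_link(flow, mode, n_links):
    """Hash the selected fields to one of eight buckets, then to a link index."""
    h = 0
    for value in flow_fields(flow, mode):
        h ^= value
    bucket = h & 0x7          # eight buckets regardless of link count
    return bucket % n_links   # 2 links -> 4+4 buckets, 3 links -> 3+3+2


def distribution(flows, mode, n_links):
    """Number of flows per member link for a given mode, e.g. {0: 8}."""
    return Counter(select_link(f, mode, n_links) for f in flows)


# Constructed traffic: eight clients all talking to one file server.
SERVER = {"mac": "0000.0c00.0064", "ip": "10.0.0.100"}
FLOWS = [
    {"smac": "0000.0c00.00%02x" % n, "dmac": SERVER["mac"],
     "sip": "10.0.0.%d" % n, "dip": SERVER["ip"],
     "sport": 49000 + n, "dport": 445}
    for n in range(1, 9)
]

if __name__ == "__main__":
    for mode in MODES:
        print("%-13s" % mode, dict(sorted(distribution(FLOWS, mode, 2).items())))
```

Any mode keyed only on the destination collapses this traffic onto one link; the switch reports a healthy two-link channel while the server is effectively single-homed. Try the model with three links or with addresses that differ only in high-order bits: because only the low bits feed the hash, a poorly chosen addressing plan can polarise traffic even with a source-and-destination mode.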

Verification Commands
You can use a variety of commands to examine the configuration and operation of your EtherChannels. This section takes a look at a few of them.
To view EtherChannel information for a specific interface, use the following
command:
Switch> show interfaces [type slot_#/port_#] etherchannel

Here's an example:
Switch> show interfaces etherchannel
----
GigabitEthernet0/1:
Port state    = Down Not-in-Bndl
Channel group = 1           Mode = Desirable-Sl     Gcchange = 0
Port-channel  = null        GC   = 0x00000000       Pseudo port-channel = Po1
Port index    = 0           Load = 0x00
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.
Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Gi0/1     d     U1/S1           1s       0        128        Any      0
Age of the port in the current state: 4d:02h:12m:15s
<--output truncated-->

If you specify a specific interface, you can see more details concerning the
channeling functions, including LACP and PAgP.

If you want to see information concerning the logical EtherChannel connection (port-channel), use the following command:
Switch> show etherchannel [channel_#] [port-channel|load-balance]

Here's an example:
Switch> show etherchannel 1 port-channel
                Port-channels in the group:
                ----------------------
Port-channel: Po1
------------
Age of the Port-channel   = 00d:00h:03m:29s
Logical slot/port   = 1/0          Number of ports = 2
GC                  = 0x00010001   HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Ports in the Port-channel:
Index   Load   Port     EC state
------+------+------+------------
  0     00     Gi0/1    desirable-sl
  0     00     Gi0/2    desirable-sl
Time since last port bundled:    00d:00h:03m:21s    Gi0/1

At the bottom of the display, you can see that this port-channel has two interfaces, with no current load on the connection. Also, PAgP is being used with desirable mode configured.
To see what type of load balancing you're using on your channel, use the load-balance parameter with the show command you saw earlier:
Switch> show etherchannel load-balance
Source XOR Destination IP address

In this example, both the source and destination IP addresses are used for load balancing purposes.

Other STP Enhancement Features
The remainder of this chapter focuses on other enhancements that Cisco has included in its IOS switches to help with STP issues. These features include BPDU skewing, Root Guard, Unidirectional Link Detection, Loop Guard, and some additional troubleshooting tips and tools to assist you in scaling STP to a large number of switches.

BPDU Skewing
BPDU skewing refers to the time differential between when BPDUs are
expected to be received by a switch and when they are actually received.
BPDU skewing can occur in any of the following situations:

- STP topology changes occur
- One of STP's timers expires
- A BPDU is not received within the expected time interval

When any of these three occurrences happens, switches flood the network with BPDUs to ensure that the most up-to-date information is contained in the STP topology table. When skewing occurs, a syslog message can be generated to indicate a possible problem. Of course, if it's a time of very high network activity, and if you are using PVST (BPDUs for each VLAN), this could create a lot of unnecessary syslog messages.
BPDU skewing detection is disabled by default. When it's enabled, the feature rate-limits its own reporting so that syslog messages are generated only once every 60 seconds. To enable BPDU skewing detection, you cannot use the IOS; you must use the CatOS set spantree bpdu-skewing command.

Root Guard
Root Guard is a Cisco feature that you can use to force a particular port to be
a designated port to ensure that any switch connected to it does not become
a root switch. Root Guard enables you to create an STP topology in which
you explicitly control which switch becomes and stays the root switch (barring
any failures). This is typically done to maintain an optimal configuration.
Let's look at an example in which Root Guard can help. I'll use the network shown in the top-left portion of Figure 5.5. In this figure, there are two distribution layer switches and one access layer switch, with the left-side distribution layer switch being the root. In the bottom-right portion of the figure, a new switch is directly connected to the access layer switch. This switch has a lower switch ID than the current root, so the new switch is promoted to root and a new topology is created. In this example, if you have other switches connected to the two distribution layer switches like switch 3, and if these switches previously used switch 1 to reach the distribution layer, any resources off of switch 2 would require a switching path of switch 1, switch 3, and then switch 2. This is not an optimal configuration, especially with traffic flowing through a lower model, worse performing access layer switch. During high traffic volumes, the performance of switch 3 could be affected drastically. The outcome is the same whether the new switch was plugged in by mistake or deliberately, by someone who wants traffic between the distribution switches to pass through equipment they control; either way, the root should be pinned down by configuration rather than left to whichever device has the lowest switch ID.
Cisco highly stresses the use of this feature in switched networks.

[Figure 5.5 STP root bridge problem. Top-left: switch 1 and switch 2 (distribution layer) and switch 3 (access layer), with switch 1 as the root and one of switch 3's uplinks blocked by STP. Bottom-right: switch 4, attached to switch 3, has a lower switch ID, becomes the root, and the topology is recalculated so that switch 1 reaches switch 2 through switch 3.]
Figure 5.5 STP root bridge problem.

Root Guard can be used to prevent this problem. It is configured on a per-port basis and prevents a port from becoming a root port. When configured, if a Root Guard port receives a superior BPDU (one advertising a better root or a better path to the root), the port is blocked by being placed in the root-inconsistent state and the BPDU information is ignored. Here's the message that you would see if this occurs:
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/5 tried to become non-designated
in VLAN 3. Moved to root-inconsistent state.

Given our example in Figure 5.5, when switch 4 is connected to switch 3, and if Root Guard is enabled on this port, switch 3 would block the offending port and ignore switch 4's BPDUs. By doing this, the current STP topology shown in the top-left corner of the figure would be preserved. No manual recovery is needed: once the superior BPDUs stop arriving and the max age timer expires, the port leaves the root-inconsistent state and returns to normal STP operation on its own. To enable Root Guard, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree guard root

By default, Root Guard is disabled on all interfaces. To fix the problem shown in Figure 5.5, enable Root Guard on all ports of switch 3 except the two uplink ports to switch 1 and switch 2.

To examine your port's Root Guard configuration, use the show running-config interface command. To actually see the list of ports where STP has detected an inconsistency, use this command:
Switch> show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ----------------------
VLAN001              FastEthernet 0/5       Port Type Inconsistent
VLAN002              FastEthernet 0/5       Port Type Inconsistent
VLAN003              FastEthernet 0/5       Port Type Inconsistent

In this example, FastEthernet 0/5 has an inconsistency for VLANs 1 through 3; three VLANs on one interface indicates that this is a trunk connection to another switch. Read the Inconsistency column before deciding what went wrong: a Root Guard violation is listed as Root Inconsistent (the same root-inconsistent state named in the syslog message shown earlier) and means the neighbor is advertising a better root than the current one, whereas Port Type Inconsistent points at a PVST+ trunk-type mismatch with the neighbor rather than at Root Guard.
Root Guard forces a particular port to be a designated port to ensure that a switch
connected to it does not become a root switch. If a Root Guard port receives a BPDU
with a better path to the root, the port is disabled (marked as inconsistent) and the
BPDU information is ignored. Use the spanning-tree guard root command to enable
this feature.

Unidirectional Link Detection
Unidirectional Link Detection (UDLD) checks to see whether unidirectional links exist between two switches and disables them. UDLD checks the physical configuration of the connection between two switches.
Unidirectional connections can occur on a full-duplex connection (fiber and
copper) if either the transmit wire or the receive wire is broken. By shutting
down the unidirectional connection, UDLD prevents inadvertent loops and
black holes (one switch is accessible, but another is not).
Even though UDLD examines Layer 1 information, it operates at Layer 2 and
deals with certain things that Layer 1 cannot perform or detect. For instance,
one function of Layer 1 is to perform auto-negotiation to determine the
duplexing and speed of an interface, as well as fault detection. UDLD performs
some additional tasks, such as learning the identity of a neighboring device and
disabling interfaces where only one direction of the connection is functioning.
UDLD performs its detection process by periodically sending UDLD packets
on enabled interfaces. If a UDLD packet is not received from a neighbor, the
interface is disabled. Therefore, its important that UDLD be enabled on both
sides of the connection to prevent inadvertent interface shutdowns.
UDLD is disabled by default. The global udld enable command turns it on for all fiber-optic interfaces only; copper interfaces must be enabled individually. You can enable or disable it globally, or enable or disable it on an interface-by-interface basis. To globally enable or disable UDLD on the fiber-optic interfaces, use the following configuration:
Switch(config)# [no] udld enable

To enable or disable UDLD on copper interfaces, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# [no] udld enable

To disable UDLD on a fiber-optic interface that the global command enabled, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# udld disable

If an interface has been disabled by UDLD and you've fixed the problem, use the udld reset command (in privileged EXEC mode) to re-enable these interfaces. They come back automatically only if errdisable recovery has been configured for the UDLD cause, in which case they are re-enabled when the recovery timeout period expires.
To examine your UDLD configuration and operation, use this command:
Switch> show udld [type slot_#/port_#]

Here's an example of this command:
Switch> show udld gigabitethernet0/1
Interface gi0/1
--Port enable administrative configuration setting: Follows device default
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single Neighbor detected
Message interval: 60
Time out interval: 5
Entry 1
Expiration time: 146
Device ID: 1
Current neighbor state: Bidirectional
Device name: 0050e2827111
Port ID: Gi0/12
Neighbor echo 1 device: SAD03160123
Neighbor echo 1 port: Gi0/11
Message interval: 5
CDP Device name: 066527888

Loop Guard
The Loop Guard feature is similar to UDLD. Loop Guard is used to detect loops caused typically by unidirectional connections. Let's take a look at the example shown in Figure 5.6. In the left side of this example, there has been a connection failure between switch 1 and switch 3, causing a unidirectional connection where switch 3 can send to switch 1, but switch 1 can't send to switch 3. Given this situation, switch 3 stops receiving BPDUs on its root port, assumes the root is gone, and goes through the process of taking its backup port (to switch 2) and moving it through the different port states, eventually ending in the forwarding state. This would cause a one-direction loop in a clockwise direction.

[Figure 5.6 Unidirectional connections and Loop Guard. Left, "Unidirectional Connection Problem Without Loop Guard": the link from switch 1 to switch 3 is unidirectional, and switch 3's STP-blocked port toward switch 2 is moved to forwarding. Right, "Unidirectional Connection Problem with Loop Guard": the same port is placed in the loop-inconsistent state instead and stays blocked.]
Figure 5.6 Unidirectional connections and Loop Guard.

Loop Guard can be used to prevent this kind of problem. Loop Guard performs an additional check: If BPDUs are no longer being received on a non-designated port, instead of moving the port through listening, learning, and forwarding, Loop Guard instead places the port in a blocked state, marking it as inconsistent. When this occurs, you'll see the following message logged to your console:
SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in
vlan 1. Moved to loop-inconsistent state.

One nice feature of Loop Guard, as compared to UDLD, is that when the
problem is fixed, Loop Guard has the ports transition back to the correct
states, as well as generate a message on the console indicating this process:
SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
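
The two Loop Guard messages above, together with the Root Guard message quoted earlier in the chapter, are what you have to work with when you are not at the console. As an added example, not from this book or from Cisco, the following Python script parses those three message formats out of constructed syslog lines, replays them to build the current set of root-inconsistent and loop-inconsistent (port, VLAN) pairs, and counts how often Loop Guard has unblocked each port. A port that blocks and unblocks repeatedly is the signature of an intermittent unidirectional link, and a root-inconsistent entry on a port that should face only end stations means a device there is advertising itself as a better root. The chapter quotes no Root Guard recovery message, so the model assumes root-inconsistent entries stay until cleared; on a real switch the port recovers once the superior BPDUs stop.

```python
"""Added example (not from the chapter or Cisco): turn Root Guard and Loop
Guard syslog messages into a per-port, per-VLAN view of inconsistent ports.
Message formats are the ones quoted in the chapter; SAMPLE_LOG is constructed.
Assumption: root-inconsistent entries persist until cleared, because the
chapter shows no Root Guard recovery message."""
import re
from collections import defaultdict

PATTERNS = (
    ("root-inconsistent", re.compile(
        r"SPANTREE-2-ROOTGUARDBLOCK: Port (?P<port>\S+) tried to become "
        r"non-designated in VLAN (?P<vlan>\d+)")),
    ("loop-inconsistent", re.compile(
        r"SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port "
        r"(?P<port>\S+) in vlan (?P<vlan>\d+)")),
    ("restored", re.compile(
        r"SPANTREE-2-LOOPGUARDUNBLOCK: port (?P<port>\S+) restored in vlan "
        r"(?P<vlan>\d+)")),
)


def parse_events(lines):
    """Yield (event, port, vlan) for every recognised spanning-tree guard message."""
    for line in lines:
        for event, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                yield event, m.group("port"), int(m.group("vlan"))
                break


def replay(events):
    """Replay events in order; return ({(port, vlan): state}, {port: unblocks}).

    The second value is a flap counter: a port that Loop Guard blocks and
    unblocks repeatedly points at an intermittent unidirectional link."""
    state, flaps = {}, defaultdict(int)
    for event, port, vlan in events:
        if event == "restored":
            state.pop((port, vlan), None)
            flaps[port] += 1
        else:
            state[(port, vlan)] = event
    return state, dict(flaps)


def vlans_by_port(state, kind):
    """{port: sorted VLANs} currently in the given inconsistent state."""
    out = defaultdict(list)
    for (port, vlan), s in state.items():
        if s == kind:
            out[port].append(vlan)
    return {p: sorted(v) for p, v in out.items()}


def summarize(lines):
    """Run the pipeline on raw log lines: (root view, loop view, flap counts)."""
    state, flaps = replay(parse_events(lines))
    return (vlans_by_port(state, "root-inconsistent"),
            vlans_by_port(state, "loop-inconsistent"), flaps)


# Constructed log: a downstream switch on port 0/5 claims root on three VLANs
# (the trunk case from the text) while port 0/2 flaps on a flaky fibre pair.
SAMPLE_LOG = """\
Mar  1 00:10:02: %SPANTREE-2-ROOTGUARDBLOCK: Port 0/5 tried to become non-designated in VLAN 1. Moved to root-inconsistent state.
Mar  1 00:10:02: %SPANTREE-2-ROOTGUARDBLOCK: Port 0/5 tried to become non-designated in VLAN 2. Moved to root-inconsistent state.
Mar  1 00:10:02: %SPANTREE-2-ROOTGUARDBLOCK: Port 0/5 tried to become non-designated in VLAN 3. Moved to root-inconsistent state.
Mar  1 00:12:40: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
Mar  1 00:13:10: %SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
Mar  1 00:14:05: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/2 in vlan 1. Moved to loop-inconsistent state.
Mar  1 00:14:35: %SPANTREE-2-LOOPGUARDUNBLOCK: port 0/2 restored in vlan 1.
Mar  1 00:20:00: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/7 in vlan 5. Moved to loop-inconsistent state.
""".splitlines()

if __name__ == "__main__":
    root, loop, flaps = summarize(SAMPLE_LOG)
    print("root-inconsistent ports:", root)
    print("loop-inconsistent ports:", loop)
    print("loop guard unblocks:    ", flaps)
```

Feed it the output of your syslog collector rather than the sample and compare the root-inconsistent view against the list of ports you expect to face other switches; anything else in that list is a device that tried to take over the spanning tree, which is exactly what the Root Guard example in Figure 5.5 is meant to stop.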

Loop Guard is disabled by default. If you want to use this feature, you should enable it on ports that are in a blocking state by default (root and alternate ports; it has no effect on designated ports). For EtherChannels, Loop Guard ensures that the entire channel is blocked for the appropriate VLANs if a problem occurs (not just one interface in the channel). Use this command to enable Loop Guard:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# spanning-tree guard loop

Notice that this is the same command that enabled Root Guard, with a different keyword. Loop Guard and Root Guard are mutually exclusive on a port: enabling one disables the other, because Root Guard applies to designated ports and Loop Guard to non-designated ports.
As you can see from this and the last section, Loop Guard and UDLD are similar in function. Table 5.7 compares these two features.

Table 5.7 Comparing UDLD and Loop Guard

Operation                                     UDLD                                  Loop Guard
Configuration?                                Per port or global                    Per port or global
Enabled on which ports?                       Uplink ports                          All ports in a blocked state (redundant ports)
Blocking affects?                             Single port                           Single port or VLAN
Re-enabling inconsistent ports?               After timeout period expires          After problem is fixed
                                              (or udld reset)
Unidirectional link protection?               Yes                                   Yes
Protects against missing BPDUs from neighbor? No                                    Yes
Protects from wiring configuration problems?  Yes                                   No

As you can see in Table 5.7, UDLD and Loop Guard have some similar functions, but differ in what they accomplish. If there is a software problem in
which a switch is prevented from sending BPDUs, Loop Guard will detect
it, but UDLD wont. However, if there is a shared medium connection, Loop
Guard wont function, but UDLD will. Another advantage of UDLD is that
if a connection failure causes a unidirectional connection on one connection
in an EtherChannel, UDLD disables only the specific connection in the
channel, whereas Loop Guard disables the entire channel for the specific
VLAN.

Choosing a Solution: UDLD Versus Loop Guard
Given the differences between the two, Cisco recommends that you use both UDLD and Loop Guard to protect yourself completely against STP software issues as well as unidirectional connections.

Know the similarities and differences between UDLD and Loop Guard features shown
in Table 5.7.

Additional Troubleshooting Tips and Tools
As you saw in the preceding chapter and this one, setting up STP is not a simple process. Many problems can occur that can complicate the operation of STP. The previous section discussed issues with unidirectional connections; however, there are many other networking problems that can create havoc with STP. When troubleshooting STP, potential problems include duplex mismatch, unidirectional link failure, frame corruption, and resource errors.

Problems
One of the first STP enhancement features discussed in this chapter was the use of Cisco's PortFast feature to reduce the number of times STP is run based on port state changes. With PortFast, a port is kept in a forwarding state and a change of state on a PortFast port doesn't cause STP to rerun. However, if you attach a switch to a PortFast port and this switch has connections to other parts of your network, you would inadvertently be creating Layer 2 loops. When using PortFast, you should complement it with the BPDU Guard or filtering features.
Something as simple as mismatched duplexing can also create STP problems. If one side is set to half-duplex and the other to full-duplex through an auto-negotiation problem, and both sides are sending frames simultaneously, a collision occurs on the half-duplex side. The full-duplex side does not run collision detection, so it won't notice anything, while the half-duplex side backs off and may drop frames. If this causes BPDUs to be missed, the STP algorithm might rerun itself. In a worst-case situation, a loop might occur while a port in a blocking state is accidentally brought to a forwarding state.
If a bad wire connection is corrupting some of your frames, it can also lead to STP issues, especially if it's the BPDUs that are being corrupted. Or, if your switch is continually performing STP functions (which are done in software), this could create an over-utilization problem on your switch, causing STP instability problems.

Troubleshooting Steps
Whenever you experience STP problems in your network, you should
approach the problem in a methodical manner. Use the following steps to
help you with your troubleshooting:
1. Have a network diagram in front of you that describes the physical connections between the switches as well as the default STP topology: who the root switch is, what ports are root and designated ports, and what ports are redundant links and in a blocked state. You'll also want to create a diagram with the MAC addresses for the root switch and other switches in the network for handy reference.
2. Use show commands to verify whether a Layer 2 loop exists and which switch or switches are causing the loop problem. Check the port utilization; if it is running high, it might indicate a loop.

3. Examine the status of the interfaces to see the STP state that they're in as well as whether they're operating correctly. If they aren't, pinpoint the problem and fix it. In the meantime, if a loop exists, break it by disabling a port in the loop.
4. Make sure that the CPU utilization is not running high, which could be causing STP software problems. If this is a problem, disable all unnecessary features to reduce your CPU load.
5. When troubleshooting certain STP problems, you might want to disable certain STP features to simplify your troubleshooting process. For instance, you might want to disable all interfaces in an EtherChannel to ensure that it isn't the problem.
Remember the five steps of troubleshooting STP problems, especially the step of
temporarily disabling ports involved in a loop.

debug Commands
Like Cisco routers, Catalyst switches support the debug command. This command enables you to display detailed events that are concerned with a specific process. Care must be taken when using these commands because they're very resource-intensive, and on a switch that is already struggling with an STP loop they can make the CPU problem worse. Use of these commands requires that you be in privileged EXEC mode when you execute them. Table 5.8 displays some of the more common debug commands that you would use to troubleshoot STP problems.
Table 5.8 STP debug Commands

Command                           Explanation
debug spanning-tree all           Displays all messages for STP
debug spanning-tree events        Displays a message only when an STP event occurs
debug spanning-tree backbonefast  Displays messages related to the operation of BackboneFast
debug spanning-tree uplinkfast    Displays messages related to the operation of UplinkFast
debug spanning-tree bpdu          Displays messages when sending or receiving BPDUs

To disable a debug command, preface it with the no parameter. To disable all debugging on the switch, use the no debug all command.

Summary
PortFast, UplinkFast, and BackboneFast are Cisco proprietary STP enhancement features. All are disabled by default. PortFast keeps a port in forwarding mode, where it is not included in the STP algorithm. Nonswitch and nonbridge devices should be connected to PortFast ports. To enable PortFast, use the spanning-tree portfast interface command. To prevent inadvertent switch connections to PortFast ports, you can use the BPDU Guard and filter features. BPDU Guard shuts down a PortFast port if a BPDU is received on it. With BPDU filtering, a PortFast port sends a handful of BPDUs (about 10) after link-up and then stops; if such a port receives a BPDU, it loses its PortFast and BPDU filtering status and is treated as a normal STP port.
UplinkFast provides fast convergence for uplink ports. If the root port fails, a secondary uplink port can be immediately taken from a blocking state and placed in a forwarding state. Use the spanning-tree uplinkfast command to enable UplinkFast on your switch.
Unlike UplinkFast, BackboneFast can detect failures on connections not directly connected to a switch. BackboneFast detects this condition by looking for inferior BPDUs on blocking ports. When it sees an inferior BPDU show up on a blocking port, it starts the STP process of moving the port from blocking to listening and eventually to a forwarding state. Use the spanning-tree backbonefast command to enable BackboneFast.
IEEE enhanced the 802.1D STP into RSTP (802.1w). RSTP provides better performance than Cisco's proprietary Fast features. RSTP only has three port states: discarding, learning, and forwarding. There are two additional port roles. An alternate port is a standby port for the root port. A backup port is a standby port for a designated port. RSTP determines which ports are edge ports and places them into a forwarding state. An edge port is connected to a nonswitch device. This is similar to PortFast.
MST is the IEEE's version of Cisco's PVST. MST is more scalable than Cisco's PVST because MST uses instances for STP, and an instance can contain multiple VLANs. Switches in an MST region have the same region name, revision number, and VLAN table contents. For backward-compatibility when connecting to a CST switch, MST has an IST, which makes the MST region look like a single virtual switch to the CST switch.
EtherChannels enable you to take up to eight FastEthernet or Gigabit Ethernet connections to supply 1.6 to 16Gbps of bandwidth (in a full-duplex configuration). Connections in the channel must be configured identically to be part of the EtherChannel. Channels provide an advantage in an STP environment: If one connection fails in the channel, the link still remains

operational. PAgP (a Cisco protocol) and LACP (an IEEE protocol) allow
channels to be dynamically formed by sharing configuration information
across channel-capable connections. For PAgP, one side has to be set to
desirable and the other side has to be set to auto or desirable. For LACP, one
side has to be set to active and the other side has to be set to active or passive.
An on mode enables channeling, but disables PAgP and LACP. Use the
channel-group command to include an interface in a channel.
Root Guard enables you to force a particular port to be a designated port so that a connected switch does not become a root switch. When a violation occurs, the offending port is placed into an inconsistent state and an error message is generated. This feature is disabled by default, but can be enabled with the spanning-tree guard root command.

The UDLD feature checks to see whether any unidirectional connections exist on the switch's interfaces. If any are found, the switch disables the interfaces. Unidirectional connections can cause one-way bridging loops. To enable UDLD, use the udld enable command. UDLD is automatically enabled on fiber-optic interfaces. Loop Guard is similar to UDLD. Loop Guard typically detects STP software issues, whereas UDLD detects Layer 1 issues. To enable Loop Guard, use the spanning-tree guard loop command.

When troubleshooting STP issues, you should first have a network diagram of your network layout, including your STP setup. Use show commands to discover loops. Any loops that you discover should be broken up by disabling interfaces. Examine the status of your interfaces to determine where loops are, as well as the CPU's and interfaces' utilization. In certain cases, you might want to disable certain STP features to pinpoint a problem. The debug spanning-tree events command is a useful command when you're troubleshooting STP issues, including loops.

05 9911 ch05 10/10/03 1:57 PM Page 142

142 Chapter 5
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exam Prep Questions


Question 1
Which STP enhancement takes a port out of the STP topology and always keeps
it in a forwarding state?
A. UplinkFast
B. PortFast
C. Rapid STP
D. Edge port

Answer B is correct. PortFast is a Cisco-proprietary STP feature that places a port in a forwarding state and removes it from the STP topology; changes on this port do not affect the STP topology. UplinkFast is used to detect a failed root port connection and immediately use a backup link that is currently in blocking mode. Therefore, answer A is incorrect. RSTP is an enhancement to the STP (802.1D) algorithm, which makes answer C incorrect. Answer D is similar to PortFast, but is a part of RSTP. An edge port is connected to a nonswitch device and kept in a forwarding state. If a switch is detected off of the port, the port is included in the RSTP topology and the algorithm is rerun, making answer D incorrect.

Question 2
In order for UplinkFast to function, the redundant port must be in a __________
state.
A. Blocking
B. Listening
C. Learning
D. Forwarding

Answer A is correct. The redundant port must be in a blocked state for UplinkFast to use it when the root port fails. If a port is in any other state, UplinkFast cannot use the backup port, making answers B, C, and D incorrect.


Question 3
In RSTP, what type of port is similar to Cisco's PortFast enhancement?
A. Backup
B. Secondary
C. Uplink
D. Edge

Answer D is correct. An edge port is a port connected to a nonswitch device. It is kept in a forwarding state and is not part of the STP topology unless BPDUs are seen on the port. Answers A and B are nonexistent port types. An uplink port is a connection from a lower layer switch (like access) to a higher one (like distribution), making answer C incorrect.

Question 4
Which RSTP port role allows a port to be a redundant designated port?
A. Root
B. Alternate
C. Backup
D. Secondary

Answer C is correct. A backup port is a redundant designated port that is placed in a blocking state. If the designated port fails, the backup port can be activated. Answer A is incorrect because the root port is the best port on the switch used to reach the root switch. Answer B is incorrect because the alternate port is a backup of the root port. Answer D is incorrect because it is a nonexistent port role.

Question 5
Which STP allows multiple VLANs to share the same STP instance?
A. MST
B. CST
C. PVST
D. IST

Answer A is correct. IEEE's MST uses instances to group VLANs in order to share a common STP configuration. Answer B is incorrect because CST supports only a single instance of STP. Answer C is incorrect because PVST supports a separate instance for each VLAN, not shared instances. Answer D is incorrect because MST uses IST to make MST appear as a single virtual switch to other switches that only support CST.

Question 6
Which of the following does not have to match in order for switches to belong
to the same MST region?
A. Region name
B. Revision number
C. VLAN table contents
D. Priority

Answer D is correct. The priority affects a switch's ID or a port's priority when choosing port types. Answers A, B, and C must be the same in order for two switches to belong to the same region, making these answers incorrect.

Question 7
You can have up to _________ connections in an EtherChannel.
A. 2
B. 4
C. 8
D. 16

Answer C is correct. You can have up to 8 connections (half- or full-duplex) in an EtherChannel. Therefore, answers A, B, and D are incorrect.


Question 8
Which EtherChannel protocol is used to negotiate channeling between a Cisco
and non-Cisco switch?
A. PAgP
B. DTP
C. VTP
D. LACP

Answer D is correct. LACP is used to negotiate the dynamic forming of an EtherChannel between a Cisco or non-Cisco switch and another non-Cisco switch. Answer A is incorrect because PAgP is proprietary to Cisco. Answer B is incorrect because DTP, a Cisco-proprietary protocol, is used to dynamically form trunks between two switches. Answer C is incorrect because VTP, a Cisco-proprietary protocol, shares VLAN information across trunk ports.

Question 9
When you're using Root Guard and a port receives a BPDU with a better path to the root, what happens to the port?
A. The port is marked as inconsistent and disabled.
B. The port is moved to a forwarding state.
C. The port is kept in the current state.
D. The port is placed in a discarding state.

Answer A is correct. When configured, if a Root Guard port receives a BPDU with a better path to the root, the port is disabled and the BPDU information is ignored. Answer B would be true if Root Guard were disabled. Answer C is incorrect because the port changes states. Answer D is incorrect because the port is disabled (shut down), not partially enabled, as in a discarding (blocking) state.


Question 10
Which STP feature detects Layer 1 unidirectional connections and disables the
connection, even if it is part of an EtherChannel?
A. Loop Guard
B. Root Guard
C. UDLD
D. PortFast

Answer C is correct. UDLD can detect unidirectional connections and disable them. One advantage that UDLD has over Loop Guard is that UDLD disables the particular connection, whereas Loop Guard disables the entire channel, making answer A incorrect. Answer B is incorrect because Root Guard is used to force a particular port to be a designated port, ensuring that the switch it is connected to doesn't become a root switch. Answer D is incorrect because the PortFast feature is used to place a nonswitch port into a forwarding state and remove it from the STP topology.

Need to Know More?

For information about enhancements to STP, visit
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Spanning_Tree

For information about EtherChannels, visit
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Etherchannel

6
Multilayer Switching

Terms you'll need to understand:

Internal and external route processors (RPs)
Routed interface and Switched Virtual Interface (SVI)
Router-on-a-stick
Multilayer switching (MLS)
Application-specific integrated circuit (ASIC)
Centralized, distributed, and topology-based switching
NetFlow and Cisco Express Forwarding (CEF) switching
Forwarding Information Base (FIB) and adjacency tables
Ternary CAM (TCAM) or CEF table
ARP throttling

Techniques you'll need to master:

Understand the issues when routing between VLANs
Configuring routing between VLANs on an internal RP using routed and SVI interfaces
Configuring routing between VLANs on a router-on-a-stick
Understand centralized, distributed, and topology-based switching
Using NetFlow and CEF switching
Know the fields rewritten in hardware in the Ethernet frame and IP packet
Enabling and verifying CEF operation


VLANs contain broadcasts, which enables you to scale your switched networks to much larger sizes. One of the downsides of this is that to pass traffic between VLANs (different subnets), you'll need a Layer 3 device, such as a traditional router or multilayer switch. This Layer 3 switching process is defined in the network layer of the seven-layer OSI Reference Model. This chapter covers both a traditional approach to this problem, using external routers, and multilayer switching (MLS) with internal routers.

The shift toward client/server applications, the deployment of bandwidth-intensive multicasting applications, the need for improved response time, the need for high-speed switching, and the centralization of servers have all become critical components in a network design. To provide the necessary scalability in today's large campus environments, new technologies are needed to enhance both Layer 2 and Layer 3 performance.

The last chapter discussed many enhancements that you can configure on your switches to deal with STP. With the introduction of MLS, networks can scale their applications to any size and contain their broadcast and multicast problems. This enables them to take advantage of Layer 2 switching speeds and price and still take advantage of the redundancy, convergence, and load balancing of Layer 3 routing protocols, such as IS-IS, OSPF, and EIGRP.

Routing Considerations
When implementing VLANs, you'll need some type of route processor (RP). An RP is a device that can switch information either between logical subnets (VLANs) or physical subnets (as in the traditional router). If the RP is performing a traditional routing role, it could be switching packets between different LAN media types, such as fiber distributed data interface (FDDI), Ethernet, and token ring. For WAN connections, it provides access to ISDN, frame relay, ATM, and dedicated circuit networks.

The RP is the main system processor in a Layer 3 device. It contains the main CPU, the operating system software, and most of the system memory components. Its primary function is to maintain and execute the management functions that control the Layer 3 device, including any routing protocols. The RP can be either an internal or external device. An example of an external RP is a Cisco 3600 or 7600 Series router. An example of an internal RP is the Multilayer Switch Feature Card (MSFC) that's installed on the Supervisor Engine card in a Catalyst 6500 Series switch. For the purposes of this book, all these Layer 3 functions are referred to as RPs.


Before you sit down and start configuring your RPs, you'll first have to plan out your VLANs and configure them on your switches. During this VLAN planning process, keep the following items in mind:
Your Layer 3 addressing scheme
How many VLANs you have
What types of traffic are moving between VLANs
How much traffic is moving between VLANs
What kind of redundancy is required
Your choice of routing protocols
Layer 3 convergence issues
Load balancing Layer 3 traffic
The preceding list is important for the Switching exam.

It's important to point out one major difference between a Layer 2 and a Layer 3 device. If a Layer 2 device, such as a switch, doesn't know how to reach a destination, it floods the frame. If a Layer 3 device, such as a router, doesn't know how to reach a destination, it drops the frame.

Client End Station Issues

When you're implementing a Layer 3 routing protocol, clients must be able to find a router that can move their information to the destination subnet or VLAN. The most common method of accomplishing this is by assigning a default gateway address to every client. The default gateway address represents the Layer 3 address of the RP, in the same subnet, that the clients will use. For end stations, clients normally acquire this dynamically, such as using DHCP in an IP-based network. For more critical services, this is typically assigned to the end station statically. One problem that arises with this approach is redundancy. If the end stations know about only one RP, and that RP fails, how can the network move the traffic to its final destination? Cisco has solved this problem with a proprietary protocol called the Hot Standby Routing Protocol (HSRP). This protocol is discussed in Chapter 7, "Availability and Redundancy."


Route Processor Issues

Because an RP needs to route between different subnets, the question arises as to how it will accomplish this. Traditionally, each subnet requires a physically separate interface on the RP. This is okay if you have only a few subnets. But as your network grows, you eventually run out of ports on your RP. Another downside of this approach is that interfaces on an RP are expensive. Depending on your traffic patterns, some VLANs might not have very much inter-VLAN traffic, thus underutilizing an expensive interface.

A better approach to solving this problem is to use an interface on the RP that supports trunking, that is, one interface that supports multiple VLANs, such as ISL or 802.1Q. If you remember from Chapter 3, "VLANs, Trunks, and VTP," ISL and 802.1Q use an encapsulation/tagging mechanism that identifies which VLAN a frame originated from. This is needed by the RP so that it can correctly distinguish which VLAN the frame came from and forward the frame to the correct destination.

Chapter 2, "Designing Switched Networks," discussed the roles of the three different layers of the campus model: access, distribution, and core. That chapter mentioned that VLAN boundaries need to be terminated at the distribution layer, thereby preventing broadcasts created in the access layers from propagating into the core layer and wasting valuable bandwidth. Therefore, your RPs should provide this wall at the distribution layer. To provide for the same traffic behavior and predictability, your RPs should have the same functionality and contain the same features. This also helps when you're performing your configuration and troubleshooting tasks by easing your administration of these devices. Your choice of RPs will be either external or internal.

An external RP would be a 2600, 3600, 7100, or some other type of router. An internal RP has both Layer 2 and Layer 3 components built into it, such as the Catalyst 3550 switch or the 6500 switch with the MSFC installed.

Configuring Routing
Between VLANs
Configuring routing for the Catalyst 3550 switch is similar to configuring any Cisco router because both use a similar IOS-based interface. This section covers basic inter-VLAN routing with an internal RP (Catalyst 3550 switch) and an external RP. The purpose of this material is not to cover all the routing commands you can execute or configure within the IOS, but rather to show you how to configure the IOS to support inter-VLAN routing. It's assumed that you are familiar with configuring Cisco routers and their command-line interface (CLI).

To route between VLANs, you first need to set up your VLANs and associate your users to these VLANs. Second, set up any trunks between devices. Third, configure routing on an internal or external RP.

Configuring an Internal RP
You'll first need to access the CLI of your switch. I'm assuming that you're using a Catalyst 3550 switch. You'll set up routing in two steps. First, configure Layer 2 connectivity by creating your VLANs and placing ports in them. This was discussed in Chapter 3. Second, set up Layer 3 connectivity by creating VLAN interfaces and enabling a routing protocol.

Before you begin your Layer 3 setup, you'll first need to configure your Layer 2 information. This includes creating your VLANs, placing ports in them, creating trunks, and tuning STP.

Types of Switch Interfaces

The switch's interfaces can operate in various modes, which are as follows:
Access interface
Trunk interface
Routed interface
Switch Virtual Interface (SVI)

If you recall from Chapter 3, an access port is a Layer 2 interface associated with a single VLAN. End user devices are typically connected to this port, but you can also connect routers and other switches. This is set with the switchport mode access command on the specific interface.

If you recall from Chapter 3, a trunk port is a Layer 2 interface capable of carrying traffic for multiple VLANs. Each frame is tagged with the source's VLAN number. Cisco supports two trunking modes: Cisco's ISL and IEEE 802.1Q. Other switches can be connected to this port as well as routers. This is set with the switchport mode trunk command on the specific interface.

A routed port is a port on the switch whose behavior is changed from a Layer 2 interface to a Layer 3 interface. In Layer 3 mode, the interface acts like an interface on a router. You would typically set up a port as a routed port if you need to directly connect your switch to a router, and you want the switch to appear as a router (not a switch) to its connected neighboring router. You'll first have to enable IP routing with the ip routing command. Next, configure the appropriate Layer 2 port as a routed port: enter the interface and disable Layer 2 functions with the no switchport command. Then assign an IP address to it with the ip address command. To route between routed interfaces, you'll have to enable a routing protocol with the router command.
An SVI is a logical interface on the switch. This interface is similar to a loopback interface on a router. A loopback interface is an imaginary interface on a router that is always in an up-and-up state. Loopback interfaces are typically used for testing purposes as well as terminating connections on the router. On the switch, a virtual interface is typically used to associate the switch's own IP address with a VLAN (placing it in a management VLAN). This is accomplished by creating a VLAN with the vlan command, creating the virtual interface with the interface vlan command, and then assigning an IP address to it with the ip address command. Only one SVI can be associated with each VLAN. SVIs can also be used to handle internal routing on the switch. If you want to enable Layer 3 routing on your switch, use the ip routing command and enable a routing protocol with the router command.

There is no software restriction on the switch for the number of routed and/or SVI ports. However, the more of these types of ports that you have on the switch, the more effect you'll have on your switch's CPU utilization. Therefore, you should carefully watch your CPU utilization after you set up these ports to ensure that you don't overburden your switch.

Use the no switchport command to enable Layer 3 processing on a physical interface of a 3550 switch. To create an SVI, use the interface vlan command.

Routing Configuration on a Switch

To configure routing on your IOS Catalyst switch, use the commands shown in Listing 6.1.

Listing 6.1 IOS Catalyst Configuration Commands
Switch(config)# ip routing
Switch(config)# router routing_protocol [options]
Switch(config-router)# network network_# [options]
Switch(config-router)# exit
Switch(config)# vlan VLAN_#
Switch(config)# interface vlan VLAN_#
Switch(config-if)# ip address IP_address subnet_mask
Switch(config-if)# no shutdown

Remember the preceding syntax for setting up routing on your Catalyst switch.

First, enable IP routing on your Catalyst switch with the ip routing command. Next, configure a routing protocol with the router and network commands. The network commands should include the IP addresses configured on your SVIs.

For each VLAN that you've already created on your Catalyst switch, you'll have to create a separate VLAN interface (interface vlan). The interface number must match the number of the corresponding VLAN. When within the SVI, configure your Layer 3 addressing information as well as bring the interface up with the no shutdown command. The VLAN interface will remain administratively down until you execute this command. Remember to save your configuration with the copy running-config startup-config Privilege EXEC command.

Let's look at an example to clarify this configuration. I'll use the network shown on the left side of Figure 6.1. In this example, the Catalyst switch is performing the routing function. I'll assume that RIP is the routing protocol that this switch is running.
The routing configuration for the switch is shown in Listing 6.2.
Listing 6.2 Routing for an Internal RP
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 192.168.1.0
Switch(config-router)# network 192.168.2.0
Switch(config-router)# exit
Switch(config)# vlan 1
Switch(config)# vlan 2
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# copy running-config startup-config

Figure 6.1 Internal and external RP routing example.

In this example, the ip routing command enables IP routing and the router
rip and network statements include VLAN 1 and VLAN 2 for routing. The
two vlan commands create VLAN 1 and VLAN 2. The two SVI interfaces
have an IP address configured on them and have been enabled. Remember
that devices in VLAN 1 and 2 should use these IP addresses as their respective default gateway addresses.

Configuring an External RP
There are two ways to set up an external RP: traditional (normal) router
setup and a router-on-a-stick setup. The following two sections cover both
methods of configuration.

Traditional Router Setup

With a traditional, or normal, router setup, your router has access connections to the switch. Therefore, for each VLAN that the router will be routing for, the router will need a separate access connection. For instance, if you have five VLANs, your router will need five Ethernet interfaces. The middle part of Figure 6.1 shows a traditional router setup.

When setting up a traditional router for routing, on your switch, you'll need to configure all of your router connections as access links. You'll need to assign each of these interfaces to the appropriate VLAN; this was discussed in Chapter 3. When this is done, you'll need to configure your router. Here's a simple configuration of a router using RIP for the middle network, as shown in Figure 6.1 and Listing 6.3.
Listing 6.3 Routing for an External RP
Router(config)# router rip
Router(config-router)# network 192.168.1.0
Router(config-router)# network 192.168.2.0
Router(config-router)# exit
Router(config)# interface ethernet 0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface ethernet 1
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
Router# copy running-config startup-config

There are two important differences when comparing this example to the internal RP example. First, notice that there is no ip routing command; that's because IP routing is enabled, by default, on Cisco routers. Second, the IP addressing configuration is done on the appropriate physical Ethernet interfaces; because there are two VLANs, you need two interfaces.

Router-on-a-Stick Setup
One problem with a traditional router setup is that it doesn't scale very well. The more VLANs you have, the more interfaces you need on your router. This solution becomes very costly when you reach 5 or 10 interfaces; you need Cisco's higher-end routers to provide this number of interfaces.

To solve this problem, you can use a router-on-a-stick. The right side of Figure 6.1 shows an example of a router-on-a-stick. In this example, there is a trunk connection between the router and the switch. The trunk is terminated on the router on a trunk-capable interface. Not all Cisco routers support trunking. For instance, the 1750 and higher routers, with the correct interfaces, support trunking. 802.1Q and ISL are supported on the routers, but ISL is supported only on Fast Ethernet or faster ports.

Advantages: A router-on-a-stick is available on a wide range of Cisco router platforms; it requires only a single interface.

Disadvantages: Based on the topology of your network, a router-on-a-stick can cause performance issues. Because a single connection is used, there is a single point of failure as well as an increased likelihood that you'll experience congestion when routing between VLANs.

Configuring a router-on-a-stick requires you to first configure the interface on the switch that the router is connected to as a trunk connection. After this is done, you need to configure your router.
The configuration of the router is done in a slightly different way than the traditional method. With the traditional method, you use a separate interface for each VLAN. With a router-on-a-stick, you use the same physical interface. However, to process VLAN information correctly, you'll have to take the router's trunking interface and break it up into multiple subinterfaces. A subinterface is a logical interface associated with a physical interface. Certain things, such as duplexing and speed, are configured on the physical interface. However, Layer 3 addressing and VLAN information are configured on the subinterfaces. Here's a breakdown of the commands you'd use to set up a router-on-a-stick, as shown in Listing 6.4.
Listing 6.4 Routing for a Router-on-a-Stick
Router(config)# router routing_protocol [options]
Router(config-router)# network network_# [options]
Router(config-router)# exit
Router(config)# interface type slot_#/port_#
Router(config-if)# [no] full-duplex
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface type slot_#/port_#.subinterface_#
Router(config-if)# ip address IP_address subnet_mask
Router(config-if)# encapsulation isl|dot1q VLAN_#

On the physical interface, you'll want to configure your interface characteristics, such as duplexing and speed, and then enable the physical interface with the no shutdown command. The rest of the configuration will be done on subinterfaces, one subinterface per VLAN.

Next, create your subinterface. This is done by specifying the physical interface and following it with a period and then a subinterface number. A common convention is to use the VLAN number as the subinterface number; however, these two numbers have nothing in common and you can use any unique subinterface number. To associate a VLAN to a subinterface, use the encapsulation isl command followed by the VLAN number associated with the subinterface. If the preceding trunk is using 802.1Q, you would replace the isl encapsulation parameter with dot1q. You do not need to enable the subinterfaces: They're automatically enabled when you create them (assuming that the physical interface is enabled). However, you can shut down an individual subinterface without affecting the rest of the processing on the other subinterfaces.

When setting up a router-on-a-stick, create a subinterface for each VLAN and place your Layer 3 addressing there. Also, specify the trunking encapsulation type with the encapsulation isl|dot1q command, followed by the VLAN number that the subinterface is responsible for.

Based on the network example shown on the right side of Figure 6.1, here's the RP's configuration, shown in Listing 6.5.
Listing 6.5 Router-on-a-Stick Example
Router(config)# router rip
Router(config-router)# network 192.168.1.0
Router(config-router)# network 192.168.2.0
Router(config-router)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# full-duplex
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 0/0.1
Router(config-if)# encapsulation dot1q 1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# exit
Router(config)# interface fastethernet 0/0.2
Router(config-if)# encapsulation dot1q 2
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# end
Router# copy running-config startup-config
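Listings 6.2 and 6.5 configure the same two VLANs twice by hand, once as SVIs on the internal RP and once as subinterfaces on the router-on-a-stick. The Python script below is an added example, not code from the book or from Cisco; it generates both configurations from a single VLAN plan so that the addresses, the classful RIP network statements, and the per-VLAN interface blocks cannot drift apart, and it checks the plan for the mistakes that make inter-VLAN routing fail quietly (a gateway that is the network or broadcast address, overlapping subnets, a VLAN listed twice). The VlanPlan structure, the function names, and the fastethernet 0/0 default are this example's assumptions; the emitted command syntax is the syntax shown in the listings.

```python
# Added example (not from the book): generate the internal-RP (SVI) and
# router-on-a-stick configurations shown in Listings 6.2 and 6.5 from one
# VLAN plan, and sanity-check the plan first.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    vlan_id: int
    gateway: str   # the RP's address in the VLAN, e.g. "192.168.1.1"
    mask: str      # dotted subnet mask, e.g. "255.255.255.0"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.gateway}/{self.mask}", strict=False)


def classful_network(addr: str) -> str:
    """RIP 'network' statements are classful: return the class A/B/C
    network containing addr, which is what IOS stores regardless of mask."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False).network_address)


def rip_statements(plans):
    """router rip + one network statement per classful network in the plan."""
    nets = sorted({classful_network(p.gateway) for p in plans},
                  key=lambda n: ipaddress.IPv4Address(n))
    return ["router rip"] + [f" network {n}" for n in nets] + ["exit"]


def internal_rp_config(plans):
    """Catalyst 3550 style (Listing 6.2): ip routing, routing protocol,
    the VLANs, then one SVI per VLAN carrying the gateway address."""
    lines = ["ip routing"] + rip_statements(plans)
    lines += [f"vlan {p.vlan_id}" for p in plans]
    for p in plans:
        lines += [f"interface vlan {p.vlan_id}",
                  f" ip address {p.gateway} {p.mask}",
                  " no shutdown",
                  "exit"]
    return lines


def router_on_a_stick_config(plans, phys="fastethernet 0/0", encap="dot1q"):
    """External RP on a trunk (Listing 6.5): one physical interface, one
    subinterface per VLAN. No 'ip routing' line: routers enable it by default.
    Subinterface number == VLAN number here, which is convention, not a rule."""
    lines = rip_statements(plans)
    lines += [f"interface {phys}", " full-duplex", " no shutdown", "exit"]
    for p in plans:
        lines += [f"interface {phys}.{p.vlan_id}",
                  f" encapsulation {encap} {p.vlan_id}",
                  f" ip address {p.gateway} {p.mask}",
                  "exit"]
    return lines


def check_plan(plans):
    """Return a list of problems: duplicate VLAN ids, a gateway that is the
    network or broadcast address, or subnets that overlap."""
    problems, seen_ids = [], set()
    for p in plans:
        if p.vlan_id in seen_ids:
            problems.append(f"VLAN {p.vlan_id} listed twice")
        seen_ids.add(p.vlan_id)
        gw = ipaddress.IPv4Address(p.gateway)
        if gw in (p.network.network_address, p.network.broadcast_address):
            problems.append(f"VLAN {p.vlan_id}: {p.gateway} is not a usable host address")
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"VLAN {a.vlan_id} and VLAN {b.vlan_id} subnets overlap")
    return problems


if __name__ == "__main__":
    # Constructed plan matching the chapter's Figure 6.1 example.
    plan = [VlanPlan(1, "192.168.1.1", "255.255.255.0"),
            VlanPlan(2, "192.168.2.1", "255.255.255.0")]
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    print("\n".join(internal_rp_config(plan)))
    print("!")
    print("\n".join(router_on_a_stick_config(plan)))
```

The output is paste-ready global configuration mode input; run check_plan first and refuse to emit anything if it returns problems, since a gateway on the broadcast address or two VLANs sharing a subnet will configure cleanly and only show up later as hosts that cannot reach their default gateway.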

Verifying Your Routing Configuration

When you've completed your routing configuration on your RP, you can test it by going to a client in one of the VLANs (including the switch) and using the ping command. For that matter, you can use the ping command from the RP to ensure that the RP can see devices in all of its connected VLANs.

To examine which routing protocols are running on your RP, as well as their configurations, use the show ip protocols command. Here's an example:
Router# show ip protocols
Routing Protocol is rip
  Sending updates every 30 seconds, next due in 5 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface        Send  Recv  Key-chain
    Vlan1            1     1 2
    Vlan1            1     1 2
  Routing for Networks:
    192.168.1.0
    192.168.2.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.2.2          120      00:00:22
  Distance: (default is 120)

The preceding example is output from an internal RP; notice the VLAN interfaces in the middle of the display.

To see the IP routing table on the RP, use the show ip route command. Here's an example:
Router# show ip route


Codes: C - connected, S - static, I - IGRP, R - RIP,
M - mobile, B - BGP, D - EIGRP, EX - EIGRP external,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA
external type 1, N2 - OSPF NSSA external type 2,
E1 - OSPF external type 1, E2 - OSPF external type 2,
E - EGP, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, * - candidate default,
U - per-user static route, o - ODR,
T - traffic engineered route
Gateway of last resort is not set
192.168.1.0/24 is subnetted, 1 subnets
C
192.168.1.0 is directly connected, Vlan1
192.168.2.0/24 is subnetted, 1 subnets
C
192.168.2.0 is directly connected, Vlan2
172.16.0.0/16 is subnetted, 2 subnets
R
172.16.1.0 [120/1] via 192.168.1.2, 00:00:31, Vlan1
R
172.16.2.0 [120/1] via 192.168.1.2, 00:00:31, Vlan1

In this example, the internal RP is learning about two remote RIP routes
from a neighboring RP (192.168.1.2).

MLS Overview
Multilayer switching (MLS) is a technology that implements both Layer 3
and Layer 2 switching in hardware application-specific integrated circuits
(ASICs). To provide for Layer 3 speeds, the hardware ASICs handle the
process-intensive switching that's normally done by a central processor.
Because ASICs are less expensive than CPUs, MLS switches provide a decided cost advantage over the traditional CPU-based router.
Given the advantage of price and performance, you might wonder why anyone would still purchase a traditional router. Unfortunately, ASICs can do
only a small number of tasks, but they do those tasks very efficiently. Cisco
currently supports IP and IPX Layer 3 switching in its Catalyst switches.
Therefore, for a multiprotocol campus that includes protocols such as
AppleTalk, DECNet, or others, a Layer 3 switch would not be a good solution. When it comes to support for almost every flavor of media type, such
as serial, fiber-distributed data interface (FDDI), token ring, ATM, and others,
the traditional router is still the platform of choice. Please note that some
Cisco router platforms support advanced switching technologies, which are
discussed in this chapter.

Switching Architectures
Switching refers to the movement of traffic from one interface to another.
This process can occur at Layer 2 or Layer 3. At Layer 2, switches look at
the destination MAC address to make switching decisions. At Layer 3, RPs
look at the destination network address, such as an IP address, to make
switching decisions.
A handful of switching architectures are used in today's switching and routing equipment: processor, ASIC, route caching (NetFlow-based switching),
centralized, distributed, and topology based. The following sections discuss
each of these in more depth.

Processor and ASIC Switching


Two types of hardware devices can perform switching: processors and ASICs.
Processors are general types of chips that can handle many functions, but are
not capable of executing all those functions equally well. A good example of
a processor is the CPU found in your PC. That general-purpose processor
can handle all of your operating system's tasks, execute applications, and
manipulate files, but it won't provide the most optimized and efficient
process for doing so.
ASICs are specialized processors that perform only one or a few functions
very fast. One limitation of ASICs is that they aren't plug-and-play; you
can't use just any ASIC for a certain task. However, because ASICs perform
only a small number of tasks, their cost is much less than a processor's and
their speed is much faster. As an example, if you were to use a processor to
switch frames between interfaces, you would get forwarding rates in the high
thousands or low millions of packets per second (pps), whereas with a specially designed ASIC, you could get forwarding rates in the tens or hundreds
of millions of pps.
It is not uncommon to see both types of hardware devices in the same chassis. ASICs are typically used for switching traffic, whereas either an ASIC or
a processor will be used for general-purpose functions, such as running STP
or handling a routing protocol such as OSPF. By separating your data
(switching traffic) and control (management functions) components, you can
optimize your device to obtain high levels of forwarding rates at a lower cost.

Remember the differences between processors and ASICs: ASICs are used for
multilayer switching, rewriting, and switching frames in hardware.

Route Caching and NetFlow-Based Switching


With route caching, the first time a destination is seen by the router, the
CPU processes the packet and forwards the packet to the destination.
During this process, the router places the routing information for this destination in a high-speed cache. The second time that the router needs to forward traffic to the destination, it will consult its high-speed cache before
using the CPU to process the packet. There are many different types of
route caching, including flow-based switching and demand-based switching.
NetFlow switching is a Cisco-proprietary form of route caching. Route
caching is a process normally used on low-level routers to enhance performance. With NetFlow switching, the RP and ASICs work hand-in-hand. Like
route caching, the first packet is handled by the main processor or ASIC. If
the destination MAC address matches the RP's (the Layer 3 address doesn't
have to match), the processor programs its interface ASICs to process further
traffic for this connection at wire speeds. The main processor will update the
interface's cache with the appropriate connection information: source and
destination MAC addresses, IP addresses, and IP protocol information. This
is done for each direction of a connection; in other words, the table is unidirectional. So, for two devices sharing data with each other, two connections
would be listed in this table. The interface ASIC would use this information
to forward traffic without having to interrupt the CPU.
With Cisco's NetFlow switching, the first packet is routed by the processor and all
remaining packets are switched by the interfaces on the device.

Centralized Switching
In a centralized switching architecture, all switching decisions are handled by
a central, single forwarding table. A centralized switching device can contain
both Layer 2 and Layer 3 functionality. In other words, this table can contain both Layer 2 and Layer 3 addressing and protocol information as well as
access control list (ACL) and quality of service (QoS) information. The main
concern with centralized switching is that the MLS switch must handle a lot
of traffic, including Layer 3 processing. Therefore, performance is a concern. A central forwarding engine (a special type of ASIC) is typically used to
handle processing of this table at very high speeds.

The Catalyst 4000 and 6500 support centralized forwarding.

Distributed Switching
In a distributed switching architecture, switching decisions are decentralized.
As a simple example, a 6500 switch has each port (or module) make its own
switching decision for inbound frames while a main processor or ASIC handles routing functions and ensures that each port has the most up-to-date
switching table.
With the centralized approach, the central switching device has a single
switching table containing all Layer 2 and Layer 3 switching information.
One advantage of the distributed implementation approach is that by having
each port or module make its own switching decision, you're placing less of
a burden on your main CPU or forwarding ASIC: you're distributing the
processing across multiple ASICs. In this case, a separate forwarding engine
(ASIC) is used for each port and each port has its own small switching table.
With this approach, you can achieve much greater speeds than a switch that
uses central forwarding for switching: rates of more than 100 mpps.
The main downside of distributed switching is maintaining the information
in each port's switching table. To handle this function, a primary forwarding
engine is used. When topology changes occur, the forwarding engine makes
sure that the appropriate port tables are updated.
The Catalyst 3550 and 6500 with the distributed forwarding card (DFC) support
distributed switching.

Topology-Based Switching
Topology-based switching uses a forwarding information base (FIB) to assist in
Layer 3 switching. This type of switching pre-populates the cache by using
the information in the RP's routing table. If there is a topology change and
the routing table is updated, the RP will mirror the change in the FIB.
Basically, the FIB contains a list of routes with next-hop addresses to reach
those routes.
The advantage of topology-based switching over route caching or NetFlow
switching is that because the information is pre-populated, the cache table
doesn't have to be built, which speeds up access. However, one problem with
topology-based switching is the efficiency of the search algorithm to find a
match for the destination. The slower the search, the worse the bottleneck
that is created. ASICs are sometimes used to speed up this process. To overcome this, the FIBs can be distributed to individual interfaces or modules to
decentralize the switching process.
Cisco has developed a proprietary topology-based switching FIB called
Cisco Express Forwarding (CEF). CEF also includes a second table, called
an adjacency table. This table contains a list of networking devices directly
adjacent (within one hop) to the RP. CEF uses this table to prepend Layer 2
addressing information when rewriting Ethernet frames during MLS.
CEF uses a FIB and adjacency table to perform MLS. MPLS is an open standard for
multilayer switching in an ATM network, whereas CEF is Cisco-proprietary.

MLS Implementation
Before I begin explaining how an MLS device performs its switching, let's
take a quick overview of how a normal Layer 2 switch performs its switching
function. When a Layer 2 switch receives an inbound frame on a port, the
first thing the switch does is look up the destination MAC address in the
CAM table. The switch then compares the inbound frame with any ACL
applied to the interface. Assuming that the frame is permitted by the ACL,
the switch then checks its inbound QoS policy to see how to process the
frame. After this, the switch checks to see whether the outbound port has an
outbound ACL. If so, the switch checks to see whether the frame is permitted to exit the outbound port. If the frame is permitted, the switch examines
its QoS policies to see what type of queuing is required for this frame. The
frame is then queued up and eventually forwarded out of the interface.
Multilayer switching is more complicated. When dealing with Layer 3 information encapsulated in a frame, there are two ways a multilayer switch can
handle this information. If the Layer 3 source and destination are in the same
VLAN, the process I described in the previous section for Layer 2 switches
is applied. If the inbound frame contains an encapsulated packet where the
source and destination addresses are in different VLANs, the process
involves more steps. In this case, the following steps are performed:
1. When an inbound frame is received on a port, the MLS switch looks
up the destination MAC address in the CAM table.
2. If a Layer 2 ACL is applied inbound on the interface, the MLS switch
performs an ACL check to see whether the packet is permitted.
3. If an inbound QoS policy exists, the MLS switch queues up the
inbound frame appropriately.
4. The MLS switch examines the source and destination IP addresses in
the encapsulated packet to determine whether routing is required. It
does this by examining its FIB. If not, the frame is processed at Layer
2. If so, the frame is processed at Layer 3.
5. If Layer 3 processing is required, the internal RP handles any inbound
Layer 3 ACL or QoS policies and determines which VLAN the packet
should be forwarded to. If any outbound Layer 3 ACL or QoS policies
have been configured, they're applied.
6. The RP, in hardware, rewrites the Layer 2 information in the Ethernet
frame and passes the frame to the Layer 2 component of the MLS switch.
7. The Layer 2 component applies any outbound Layer 2 ACLs and/or
QoS policies and then queues up the frame appropriately. The Layer 2
component then forwards the frame.

Rewriting Frame and Packet Contents


One of the interesting things that occurs in MLS is performed in step 6.
With a traditional router, when a Layer 2 frame comes in, the frame is
processed, the frame's header and trailer are stripped off, and the encapsulated Layer 3 packet is then processed by the Layer 3 function of the router.
An outbound interface is chosen and the Layer 3 packet is encapsulated in
the appropriate Layer 2 frame. In other words, traditional routers use an
encapsulation and de-encapsulation process to move data between interfaces.
MLS uses a rewrite process. The fields rewritten in hardware are shown in
Figure 6.2. As you can see, five fields are changed. In the encapsulated IP
packet, the TTL field in the header is decremented (indicating that the packet traveled through an RP) and the CRC is recalculated. In the Ethernet
frame, the source and destination MAC addresses are rewritten. The source
MAC address is the RP's address in the next-hop VLAN and the destination
MAC address is the next-hop device's address (which could be another RP or
the final destination). Because the packet contents and MAC header addresses changed, the CRC for the frame is recalculated. To handle this in a real-time fashion, ASICs are used to provide wire-speed processing of the rewrites.

Figure 6.2 MLS rewrite process. (Figure not reproduced.)

With MLS, in the Ethernet frame, the source and destination MAC addresses and the
CRC are changed. In the IP packet, the TTL field is decremented and the CRC is
changed.
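The rewrite in step 6 can be made concrete in software. The following is an added example written for this edition; it is not code from the book or from Cisco. It builds a constructed Ethernet II frame carrying an IPv4 packet with the addresses of Figure 6.3, then rewrites exactly the five fields named above (both MAC addresses, the TTL, the IP header check value and the frame FCS) without de-encapsulating anything. Note that what the text calls the packet's CRC is, in IPv4, a one's-complement header checksum; the frame FCS is a true CRC-32. A TTL that has already expired is refused, because the CEF Limitations section later in this chapter lists that as a case handed to the main processor.

```python
# Added example (not from the book): a software model of the MLS rewrite.
# The frame, MAC addresses and IP addresses below are constructed to match
# Figure 6.3; nothing here is Cisco's own code.
import struct
import zlib


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header.
    The text calls this field a CRC; IPv4 actually carries this checksum.
    Run over a header that already contains its checksum, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    """'0011.2222.3333' (Cisco notation) -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", ""))


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, payload=b""):
    """Ethernet II header + IPv4 header (protocol 17) + payload + 32-bit FCS:
    the frame a host such as PC-1 would put on the wire (constructed)."""
    ip_hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17, 0,
        bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))))
    struct.pack_into("!H", ip_hdr, 10, ipv4_header_checksum(bytes(ip_hdr)))
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + bytes(ip_hdr) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def mls_rewrite(frame: bytes, rp_mac: str, next_hop_mac: str) -> bytes:
    """Rewrite exactly the five fields the text names: destination MAC,
    source MAC, IP TTL, IP header checksum and frame FCS. The packet is
    never de-encapsulated; every other byte is left intact."""
    body = bytearray(frame[:-4])
    if zlib.crc32(bytes(body)) != struct.unpack("<I", frame[-4:])[0]:
        raise ValueError("bad FCS on inbound frame")
    ttl = body[14 + 8]                      # TTL sits at IP offset 8
    if ttl <= 1:
        # Expired TTL is one of the CEF limitations: not switched in
        # hardware but punted to the main processor.
        raise ValueError("TTL expired: punt to the main processor")
    body[0:6] = mac_bytes(next_hop_mac)     # destination MAC = next hop
    body[6:12] = mac_bytes(rp_mac)          # source MAC = RP's MAC in that VLAN
    body[14 + 8] = ttl - 1                  # decrement TTL
    ihl = (body[14] & 0x0F) * 4
    body[24:26] = b"\x00\x00"               # zero, then recompute header checksum
    struct.pack_into("!H", body, 24, ipv4_header_checksum(bytes(body[14:14 + ihl])))
    return bytes(body) + struct.pack("<I", zlib.crc32(bytes(body)))  # new FCS


def describe(frame: bytes) -> dict:
    """Decode the fields touched by the rewrite so the change is visible."""
    return {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "ttl": frame[22],
        "ip_checksum_ok": ipv4_header_checksum(frame[14:34]) == 0,
        "fcs_ok": zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0],
    }


if __name__ == "__main__":
    inbound = build_frame("0011.1111.1111", "0011.3333.3333",
                          "192.168.1.11", "192.168.2.22", ttl=64, payload=b"hello")
    outbound = mls_rewrite(inbound, "0011.4444.4444", "0011.2222.2222")
    print(describe(inbound))
    print(describe(outbound))
```

Running the block prints the inbound frame (PC-1's MAC to the switch's VLAN 1 MAC, TTL 64) and the outbound frame (the switch's VLAN 2 MAC to PC-2's MAC, TTL 63) with both check values valid again; the IP addresses and payload are byte-for-byte unchanged, which is the point of a rewrite as opposed to re-encapsulation.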

Routable and Nonroutable Traffic


Another important item to point out is how an MLS switch handles routable
and nonroutable traffic. An MLS switch can move traffic between interfaces
by either using routing or fallback bridging. In either case, to maintain a
high level of performance, all the switching (Layer 2 or Layer 3) is done in
hardware.
The MLS switch can handle routing on SVI and routed interfaces, assuming
that Layer 3 addresses have been configured on these interfaces and appropriate entries are found in the MLS switch's routing table.
Fallback bridging enables you to bridge either nonroutable traffic across
routed interfaces, or routable traffic where a Layer 3 address was not configured on the SVI or routed interfaces. With fallback bridging, you allow traffic to be bridged between multiple VLANs in the same bridge group. A
bridge group is a group of routed or SVI interfaces that are to be associated
with each other. Fallback bridging is disabled by default and requires configuration on your part.
By default, when routing is enabled on an MLS switch, the switch will
attempt to route all traffic on a routed or an SVI interface. If you have nonrouted traffic on these interfaces and don't have fallback bridging enabled,
this traffic is dropped by the router. If you have fallback bridging enabled,
the router will bridge the traffic that you specify for the interfaces that
belong to the bridge group or groups, but route the remaining traffic.

Address Tables
By now, you should be very familiar with what a CAM table is and how a
Layer 2 switch uses it to make switching decisions. However, depending on
the architecture of your switch, it might contain only a CAM table, or a
CAM table plus a ternary CAM (TCAM) table.
As a refresher, a CAM table is a special form of high-speed memory where the
switch's Layer 2 switching table is stored. This table contains a list of MAC
addresses, which ports they are located off of, and which VLAN they belong
to. With MLS switches, these tables can also include Layer 3 protocol and
addressing information. To make a switching decision when a frame comes
into a port, an efficient search algorithm is used to find the destination
address in the CAM table. An exact match must be found in the CAM table
in order to forward the frame intelligently. Matching is performed by comparing the binary value of the destination MAC address in the frame with the
entries in the CAM table. If the destination address is not found in the CAM
table, the frame is flooded out all remaining ports in the VLAN.
The problem with a standard CAM table is that it must examine all entries in
the table for a match and it always looks for an exact match. This can be problematic for very large CAM tables because searching these tables can be slow.
Plus, there might be instances in which you want to match on some things in
the CAM table, but not all things. For example, you might want to match on
the first 24 bits of a MAC address and not care about the last 24 bits.
A TCAM table is a part of memory reserved for quick table lookups of information that needs to be processed by an access control list (ACL). An ACL
looks for matches on certain components, which sometimes fall in a range or
are wildcarded. These components can include the protocol, source and destination addresses, and protocol information. TCAM tables have a small
number of entries in them that are necessary for ACL processing. These
entries, 32 to 128 bits in length, contain pattern values and mask values along
with a matching result. Cisco calls these Value, Mask, and Result (VMR) entries.
Values include IP addresses, IP protocols, and IP protocol information. Masks
include wildcard masks that tell what components of the values are important.
The result of a match can be a simple permit or deny, or a pointer to another entry in the TCAM table. When matching packet contents to TCAM
entries, the MLS switch can base matches on three values, as compared to a
CAM table's two values (0 or 1 in binary). With a TCAM match, the MLS
switch can look for a 0 in a bit position, a 1, or either a 0 or a 1.
One unique thing about TCAM tables is that when finding a match in the
TCAM table, all TCAM entries are processed in parallel. Therefore, performance of a lookup is independent of the number of entries in the TCAM
table. The length of the search is based not on how many entries exist in the
TCAM table, but on the number used. When performing a search, only those
table entries that are required for processing are used.
To assist in this process, a TCAM table is broken into three general types of
regions, shown in Table 6.1. The following Cisco Catalyst switches use
TCAM tables for Layer 3 switching: Catalyst 3550, 4000, and 6500.
Table 6.1 TCAM Regions
Region Type     Explanation
Exact-Match     Looks for an exact match in entries. Contains Layer 3 entries
                for multiple protocol regions, including IP adjacencies and
                IPX nodes.
Longest-Match   Each of these regions is broken up into groups of Layer 3
                addresses sorted in decreasing order based on the mask
                length.
First-Match     Contains ACL entries; processing stops on the first match.
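To see how value, mask and result entries and the three region types of Table 6.1 fit together, here is an added example (written for this edition, not code from the book or from Cisco) that models a TCAM in software. Each VMR entry compares only its masked bits, which gives the 0/1/don't-care matching described above; every entry is compared against the key in one pass with no early exit, standing in for the hardware's parallel compare, and the region type then decides which matching entry wins. The sample regions, the 48-bit OUI entry (the "first 24 bits of a MAC address" case from the Address Tables discussion) and the adjacency names are all constructed.

```python
# Added example (not from the book): a software model of TCAM value/mask/
# result (VMR) entries and the three region types of Table 6.1. Entry widths,
# addresses and results are constructed; this is not Cisco's implementation.
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class VMR:
    value: int          # pattern bits
    mask: int           # 1 = this bit must equal the pattern, 0 = don't care
    result: str         # permit/deny, or a pointer such as an adjacency name
    width: int = 32     # key width in bits (32 for an IPv4 address, 48 for a MAC)

    def matches(self, key: int) -> bool:
        """Ternary compare: only the masked bits take part."""
        return (key & self.mask) == (self.value & self.mask)

    def ternary(self) -> str:
        """Render as 0 / 1 / X per bit, most significant bit first."""
        bits = []
        for bit in range(self.width - 1, -1, -1):
            if not (self.mask >> bit) & 1:
                bits.append("X")
            else:
                bits.append("1" if (self.value >> bit) & 1 else "0")
        return "".join(bits)


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")


def prefix_vmr(cidr: str, result: str) -> VMR:
    """Longest-match region entry: the mask covers only the prefix length."""
    net = IPv4Network(cidr)
    return VMR(int(net.network_address), int(net.netmask), result)


def acl_vmr(ip: str, wildcard: str, result: str) -> VMR:
    """First-match (ACL) region entry from an IOS-style wildcard mask,
    where a 1 bit in the wildcard means don't care."""
    return VMR(ip_to_int(ip), 0xFFFFFFFF ^ ip_to_int(wildcard), result)


def tcam_lookup(entries, key: int, region: str):
    """Every entry is compared against the key (the hardware does this in
    parallel; here it is one pass with no early exit); the region type then
    decides which of the matching entries supplies the result."""
    hits = [e for e in entries if e.matches(key)]
    if not hits:
        return None
    if region == "first-match":        # ACLs: first configured match wins
        return hits[0].result
    if region == "longest-match":      # prefixes: most mask bits wins
        return max(hits, key=lambda e: bin(e.mask).count("1")).result
    if region == "exact-match":        # adjacencies/hosts: full-width mask only
        full = (1 << hits[0].width) - 1
        exact = [e for e in hits if e.mask == full]
        return exact[0].result if exact else None
    raise ValueError("unknown region type: %s" % region)


# Constructed sample regions
LONGEST_MATCH = [
    prefix_vmr("0.0.0.0/0", "adj-default"),
    prefix_vmr("172.16.0.0/16", "adj-172.16"),
    prefix_vmr("172.16.1.0/24", "adj-172.16.1"),
]
FIRST_MATCH = [
    acl_vmr("192.168.1.0", "0.0.0.255", "permit"),
    acl_vmr("0.0.0.0", "255.255.255.255", "deny"),
]
EXACT_MATCH = [VMR(ip_to_int("192.168.2.2"), 0xFFFFFFFF, "adj-192.168.2.2")]
# The "first 24 bits of a MAC address" case: an OUI entry on a 48-bit key
OUI_ENTRY = VMR(0x001122000000, 0xFFFFFF000000, "oui-001122", width=48)

if __name__ == "__main__":
    for e in LONGEST_MATCH + FIRST_MATCH:
        print(e.ternary(), "->", e.result)
    print(tcam_lookup(LONGEST_MATCH, ip_to_int("172.16.1.9"), "longest-match"))
    print(tcam_lookup(FIRST_MATCH, ip_to_int("192.168.2.77"), "first-match"))
```

The ordering rule is what makes the first-match region behave like an ACL: the deny-everything entry matches every key, but because it is configured last it only wins when no earlier entry matched. In the longest-match region the order of entries is irrelevant; the entry with the most mask bits set wins, which is the longest-prefix rule the FIB section below relies on.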

MLS Using CEF


Cisco's switches support many types of MLS. However, Cisco's current crop
of high-end switches, including the 3550, the 4000s, and the 6500, use CEF.
A Layer 3 switching engine (sometimes referred to as the main processor) handles the control functions, such as building and maintaining the FIB, and
pushes table information down to the line cards or ports, where data ASICs
use this information to perform switching decisions in hardware. It's important to point out that CEF is used for hardware switching of unicast frames,
not broadcasts.

CEF separates switching into two components: control and data. Control components handle things such as building and maintaining the routing and FIB tables. Data
components handle Layer 3 switching in hardware.

CEF Limitations
There are situations where switching decisions must be performed in software by the main processor. If your CEF switch sees any of the following
traffic, the main processor is interrupted to handle it:
- IEEE 802.3 packets (for IP, make sure that all devices are using
  Ethernet II as a MAC-layer encapsulation)
- Nonsupported Layer 2 encapsulation types
- Packets that need fragmenting
- Packets destined to a tunnel interface
- IP header options enabled in the IP packet header
- An IP header in which the TTL field has expired
- Internet Group Management Protocol (IGMP) redirects

CEF Tables
CEF uses three tables to make its switching decisions: FIB, adjacency, and
TCAM (commonly called CEF) tables. The FIB is built from the MLS
switch's routing table and is sorted to optimize searches. The FIB table
lookup for a destination is based on finding the longest matching prefix for
the destination Layer 3 (IP) address. The FIB table is updated whenever one
of the following occurs:
- The next-hop address for a routing entry changes
- A prefix changes for a routing entry
- ARP information changes for a next-hop address
- A route is no longer reachable

The adjacency table is built from the MLS switch's ARP table. This table
contains Layer 2 information of neighbors' MAC addresses that will help the
MLS switch rewrite Ethernet frames. The adjacency table is stored in
double-data-rate DRAM. If the adjacency table becomes full, neighbors not
listed in the adjacency table will have packets switched by the main processor whenever packets are sent to these neighbors (that is, they'll be software
switched).
The CEF table contains IP destination prefixes that are sorted from the most
specific to least specific to speed up searches. To provide for accurate tracking of statistics, the CEF table contains a separate entry for each adjacency.
If the CEF table becomes full, a special entry, called a wildcard entry, is used
to redirect switching decisions to the main processor (or ASIC), where
switching occurs in software.

CEF Operation
The operation of CEF is similar to the process described earlier in the MLS
Implementation and Rewriting Frame and Packet Contents sections.
This section covers the operation of CEF as it relates to multilayer switching. Three basic steps occur during CEF's operation:
1. When a Layer 3 packet is received, find a match in the CEF (TCAM)
table.
2. Based on the CEF entry, find the adjacent information that will be
used to rewrite the frame.
3. The frame and packet are rewritten and forwarded to the next hop.
Of course, CEF's process is not as simple as the preceding three steps. Before
any user frames are handled by CEF, the MLS switch first needs a MAC
address that will represent itself when sending rewritten frames to a destination. The Layer 3 engine on the MLS switch assigns this MAC address from
the chassis MAC address range and this address is used by all VLANs;
remember that a MAC address has to be unique only in a broadcast domain
(VLAN). Anytime frames are rewritten, the MLS switch will use this MAC
address as the source MAC address in the frame.
Second, the MLS switch will install wildcard entries in its CEF table, which
are for when a lookup occurs and connection information is not found.
Basically, this tells the data ASICs that to switch the frame, the Layer 3 forwarding engine will have to handle the task (at a much slower rate).
Third, the Layer 3 forwarding engine will notify each interface that has been
set up for CEF, as well as any CEF-specific features for that interface. Only
interfaces enabled with CEF can have data ASICs (the ones on interfaces or
line cards) perform the rewriting of frames. The MLS switch then sends the
Layer 2 CAM table to the Layer 3 forwarding engine, which is used to build
the CEF table.
Once traffic begins to cross VLAN boundaries, the MLS process begins. For
each initial packet from a source to a specific destination, called a flow, the
data ASICs must have the Layer 3 forwarding engine handle the switching
of the frame. The Layer 3 forwarding engine will then populate the CEF and
adjacency tables and forward the frame. At this point, any flow from the same
source to the same destination can be rewritten by the data ASIC for the
inbound port.

Load Balancing
MLS with CEF supports per-flow load balancing (sharing). Load balancing
can be done on either an equal-cost or an unequal-cost basis to a destination. For
example, if your MLS switch's routing table has three paths to a destination,
CEF can use all three paths in load balancing. CEF's FIB can contain up to
six pointers to entries in the adjacency table for load balancing.
When load balancing, the MLS switch takes the source and destination IP
addresses, as well as the transport layer source and destination port numbers,
and runs them through a hash function. The result of this function is used to
pick one of the multiple paths to the destination. As you can see from this
function, this is more of a flow load balancing process. In other words, load
balancing is not done on a packet-by-packet basis. Load sharing becomes
more distributed as traffic from different sources and applications is sent to
a single destination. Also, load sharing is automatically enabled when you
configure IP routing on the Layer 3 forwarding engine.
CEF, by default, load balances across six paths to a destination. This load balancing
is done on a connection-by-connection basis.
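The per-flow behaviour described above is easy to misread as per-packet, so here is an added example (written for this edition; it is not the book's or Cisco's code) that models it. The hash function is a stand-in of our own (a truncated SHA-256 over the four fields the text names); Cisco's actual algorithm and seed are not given on this page. Equal-cost paths each get one bucket and unequal-cost sharing is modelled by giving a path several buckets in proportion to its weight; the paths and flows are constructed.

```python
# Added example (not from the book): per-flow path selection as the text
# describes it. The hash below is our own stand-in (SHA-256 truncated);
# Cisco's actual algorithm and seed are not given on this page, and all paths
# and flows are constructed.
import hashlib
from collections import Counter

MAX_PATHS = 6   # the text: a FIB entry holds up to six adjacency pointers


def flow_hash(src_ip, dst_ip, src_port, dst_port):
    """Hash of the 4-tuple the text names; the same flow always hashes the same."""
    key = "%s|%s|%d|%d" % (src_ip, dst_ip, src_port, dst_port)
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")


def build_buckets(paths):
    """paths: list of (next_hop, weight). Equal cost = weight 1 everywhere;
    unequal-cost sharing is modelled by repeating a path by its weight.
    Only the first MAX_PATHS paths are ever used."""
    return [hop for hop, weight in paths[:MAX_PATHS] for _ in range(weight)]


def choose_path(paths, src_ip, dst_ip, src_port, dst_port):
    buckets = build_buckets(paths)
    if not buckets:
        raise ValueError("no path to destination")
    return buckets[flow_hash(src_ip, dst_ip, src_port, dst_port) % len(buckets)]


def distribute(paths, flows, packets_per_flow=10):
    """Send packets_per_flow packets of every flow; returns (path -> packet
    count, flow -> path). Every packet of a flow lands on one path, so the
    spread across paths comes only from having many different flows."""
    counts = Counter()
    placement = {}
    for flow in flows:
        hops = {choose_path(paths, *flow) for _ in range(packets_per_flow)}
        assert len(hops) == 1, "a flow must never be split across paths"
        hop = hops.pop()
        placement[flow] = hop
        counts[hop] += packets_per_flow
    return counts, placement


if __name__ == "__main__":
    paths = [("192.168.1.2", 1), ("192.168.1.3", 1), ("192.168.1.4", 1)]
    flows = [("10.0.0.%d" % i, "172.16.1.10", 40000 + i, 80) for i in range(60)]
    counts, _ = distribute(paths, flows)
    print(dict(counts))
```

Because the transport ports are part of the hash, many connections from one source to one destination still spread across the paths, which is the "more distributed as traffic from different sources and applications is sent to a single destination" effect the text mentions; a single long-lived connection, by contrast, stays on one path for its whole life.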

CEF Example
To illustrate this process in a little more depth, let's take a look at an example. I'll use the network shown in Figure 6.3. In this example:
1. PC-1 creates an IP packet destined to PC-2: 192.168.1.11 to
192.168.2.22. If PC-1 doesn't know the default gateway's MAC
address, it ARPs for it and the MLS switch responds with its chosen
MAC address. The PC then creates an Ethernet frame with its own
MAC address as the source and the MLS switch's MAC address as the
destination and forwards the frame.
2. The MLS switch receives the frame and begins processing it. Because this
is the first time that PC-1 sent something to PC-2, the data ASIC on the
inbound interface can't find an entry in the CEF table, so it interrupts the
Layer 3 forwarding engine (L3FE) to process the inbound frame.
3. In step 3, the L3FE examines its ARP table to see whether it knows
about PC-2. If not, the L3FE ARPs for PC-2's MAC address, using its
chassis address as the source. During this ARP process, the L3FE
implements an ARP throttling policy. While waiting for the ARP
response, if the L3FE receives any other packets to PC-2, it will not
generate additional ARPs. This is used to prevent the L3FE from creating excessive ARPs and thereby possibly creating an ARP denial-of-service (DoS) attack. After the ARP response is received, the L3FE
adds this information to its ARP table and creates an adjacency entry in
its adjacency table. When the adjacency information is built, the L3FE
uses the information in PC-1's frame and packet to create an entry in
the CEF table that points to the newly created entry in the adjacency
table. After the entry has been built, the L3FE rewrites the frame and
packet with this information and forwards it to the destination.
4. In step 4, PC-2 receives PC-1's information. If PC-2 were to respond
to PC-1, steps 2 and 3 would happen again. Remember that entries in
the CEF table are unidirectional.
5. After the entry has been placed in the CEF table by the L3FE, any
subsequent traffic from PC-1 to PC-2 would have the data ASIC
directly rewrite PC-1's frame and packet information in hardware and
forward it out the interface to PC-2. Note that in this situation, the
L3FE isn't involved in the forwarding process.
CEF entries are unidirectional; for communications between two devices, you'll
have two entries. To repress unnecessary ARPs, the L3FE will generate only one ARP
and wait for the response to that ARP.
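The CEF Tables, CEF Operation and CEF Example sections above describe one mechanism from three angles, so here is one added example (written for this edition; not code from the book or from Cisco) that models all of it: a Layer 3 forwarding engine holding the FIB, ARP and adjacency tables, a data ASIC that rewrites only when a CEF flow entry exists and otherwise punts, the one-ARP-per-destination throttling from step 3, and the unidirectional flow entries from step 4. The topology, addresses and MACs come from Figure 6.3; the class and method names are our own, and the FIB here holds only the two connected routes.

```python
# Added example (not from the book): a software model of the CEF data path
# from Figure 6.3. The L3FE (Layer 3 forwarding engine) and data ASIC are two
# small classes; the topology, addresses and MACs are those of the figure.
# This is a teaching model, not Cisco's implementation.
from ipaddress import IPv4Address, IPv4Network

# Constructed: VLAN -> (connected network, SVI IP, SVI MAC), from Figure 6.3
SVIS = {
    1: (IPv4Network("192.168.1.0/24"), "192.168.1.1", "0011.3333.3333"),
    2: (IPv4Network("192.168.2.0/24"), "192.168.2.1", "0011.4444.4444"),
}


class L3FE:
    """Control plane: routing table/FIB, ARP table, adjacency table, and the
    CEF flow table that it programs for the data ASICs."""

    def __init__(self, svis):
        self.svis = svis
        # FIB: connected routes sorted longest prefix first
        self.fib = sorted(((net, vlan) for vlan, (net, _, _) in svis.items()),
                          key=lambda e: e[0].prefixlen, reverse=True)
        self.arp = {}             # IP -> MAC learned from ARP replies
        self.adjacency = {}       # next-hop IP -> (vlan, src MAC, dst MAC)
        self.cef = {}             # (src IP, dst IP) -> next-hop IP; unidirectional
        self.pending_arp = set()  # destinations with one ARP outstanding
        self.arps_sent = 0

    def lookup(self, dst):
        """Longest-prefix match; None means no route."""
        for net, vlan in self.fib:
            if IPv4Address(dst) in net:
                return vlan
        return None

    def arp_reply(self, ip, mac):
        """A host answered: fill the ARP table and build its adjacency."""
        vlan = self.lookup(ip)
        self.arp[ip] = mac
        self.pending_arp.discard(ip)
        self.adjacency[ip] = (vlan, self.svis[vlan][2], mac)

    def punt(self, src, dst):
        """Software path for a flow the data ASIC has no CEF entry for.
        A punted packet that triggers an ARP is not forwarded here."""
        if self.lookup(dst) is None:
            return ("drop: no route", None)
        if dst not in self.arp:
            if dst in self.pending_arp:          # ARP throttling: one ARP per target
                return ("punt: ARP pending, throttled", None)
            self.pending_arp.add(dst)
            self.arps_sent += 1
            return ("punt: ARP sent", None)
        self.cef[(src, dst)] = dst               # program the flow entry
        return ("software", self.adjacency[dst])


class DataASIC:
    """Data plane on the inbound port: rewrites in hardware only when the
    CEF table already holds an entry for this flow."""

    def __init__(self, l3fe):
        self.l3fe = l3fe

    def forward(self, src, dst):
        next_hop = self.l3fe.cef.get((src, dst))
        if next_hop is not None:
            return ("hardware", self.l3fe.adjacency[next_hop])
        return self.l3fe.punt(src, dst)          # wildcard entry: hand off


def demo():
    """Walk Figure 6.3's five steps; returns the engine and the trace."""
    l3fe = L3FE(SVIS)
    asic = DataASIC(l3fe)
    pc1, pc2 = "192.168.1.11", "192.168.2.22"
    trace = [asic.forward(pc1, pc2)[0],      # steps 2/3: CEF miss, L3FE ARPs for PC-2
             asic.forward(pc1, pc2)[0]]      # second packet while waiting: throttled
    l3fe.arp_reply(pc2, "0011.2222.2222")    # PC-2 answers the ARP
    trace.append(asic.forward(pc1, pc2)[0])  # L3FE builds adjacency + CEF entry
    trace.append(asic.forward(pc1, pc2)[0])  # step 5: data ASIC rewrites in hardware
    trace.append(asic.forward(pc2, pc1)[0])  # step 4: reverse flow is a separate entry
    return l3fe, trace


if __name__ == "__main__":
    engine, trace = demo()
    for step in trace:
        print(step)
    print("ARPs sent:", engine.arps_sent, "CEF entries:", engine.cef)
```

The trace shows the five outcomes in order: a punt that sends one ARP, a second punt that is throttled, a software-forwarded packet once the adjacency exists, a hardware rewrite for every packet of the flow after that, and a fresh punt for the reverse direction because the CEF entry PC-1 created does not cover PC-2's replies.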

Figure 6.3 CEF example.
(Figure not reproduced. It shows an MLS switch with CEF and two SVIs:
VLAN 1, IP = 192.168.1.1, MAC = 0011.3333.3333; VLAN 2, IP = 192.168.2.1,
MAC = 0011.4444.4444. PC-1 is in VLAN 1 with IP = 192.168.1.11 and
MAC = 0011.1111.1111; PC-2 is in VLAN 2 with IP = 192.168.2.22 and
MAC = 0011.2222.2222. The frame from PC-1 to the switch carries
SRC IP = 192.168.1.11, DST IP = 192.168.2.22, SRC MAC = 0011.1111.1111,
DST MAC = 0011.3333.3333. The rewritten frame from the switch to PC-2
carries the same IP addresses with SRC MAC = 0011.4444.4444 and
DST MAC = 0011.2222.2222. Arrows numbered 1 through 5 correspond to the
steps in the text.)

CEF Configuration
One of the great features of configuring CEF is that the Catalyst switches
that support it already assume that youll be using it. Therefore, CEF is
enabled by default. On the Catalyst 6500 with the Supervisor Engine II,
CEF cannot be disabled if you have any of the following cards: Policy
Feature Card 2 (PFC2), Multilayer Switch Feature Card 2 (MSFC2), or the
Distributed Feature Card 2 (DFC2).
With the Catalyst 4000, you can disable CEF with the no ip cef command
at Global Configuration mode; this disables CEF on the entire switch. You
can also use this command to disable CEF on an interface by first going into
the interface and then executing this command. With the Catalyst 3550, you
can disable CEF with the no ip route-cache cef command at Global
Configuration mode; this disables CEF on the entire switch. You can also use
this command to disable CEF on an interface by first going into the interface and then executing this command.

CEF, by default, is enabled on the Catalyst 3550, 4000, and 6500 switches. You can
disable CEF on the 4000 with the no ip cef command and disable it on the 3550 with
the no ip route-cache cef command. You cannot disable it on the 6500.

CEF Verification
After you've enabled CEF, there are a handful of show commands that you can
use to examine its operation. To display general statistics about Layer 3 traffic switched in hardware, use this command:
Switch> show interfaces type slot_#/port_# | begin L3

Heres an example of the output of this command:


Switch> show interface fastethernet 3/1 | begin L3
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 13 pkt, 760 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
4012302 packets input, 350170138 bytes, 0 no buffer
Received 3385211 broadcasts, 2 runts, 0 giants, 0 throttles
...output omitted...

To display CEF entries in the FIB table, use the show ip cef command. Here's
an example of the use of this command:

Switch> show ip cef ethernet 0/1 detail
IP Distributed CEF with switching (Table Version 2338), flags=0x0
1380 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
1380 leaves, 198 nodes, 370422 bytes, 2162 inserts, 942 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 9B6C8123
2 CEF resets, 0 revisions of existing leaves
refcounts: 54376 leaf, 51514 node
192.168.2.2/32 version 1987, cached adjacency 192.168.2.2 0 packets,
0 bytes, adjacency-prefix
via 192.168.2.2 Ethernet0/1, 0 dependencies
next hop 192.168.2.2, Ethernet0/1
...output omitted...

The detail parameter lists all FIB information for all FIB entries.
To see the adjacency table, use the show adjacency command. These statistics
are updated every 60 seconds. Here's an example of this command with the
detail parameter:
Switch> show adjacency detail
Protocol Interface
Address
IP
FastEthernet3/3 192.168.2.2(3045)
0 packets, 0 bytes
000000000FF9200003
00605C865B2800D0BB
ARP 02:48:09

06 9911 ch06 10/10/03 1:56 PM Page 173

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multilayer
. . . . . .Switching
. . . . .
IP

FastEthernet3/3

192.168.2.3(11)
0 packets, 0 bytes
000000000FF9200003
00801C93804000D0BB
ARP 02:48:03

In addition to listing the next-hop address for the adjacency, other types of
adjacencies can appear, as shown in Table 6.2.

Table 6.2 Adjacency Types

Adjacency   Explanation
Discard     Drop the packet.
Drop        Check the prefix, but drop the packet.
Glean       For hosts directly connected to the RP, the subnet prefix is listed.
Null        Forward packets to the Null0 interface to filter packets (drop them).
Punt        The packet requires a feature that CEF does not support, so the L3FE
            must process it.
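As an added example (not from the book), here is a Python parser for the show ip cef ... detail output above that classifies each prefix by the Table 6.2 adjacency type it carries and flags what a practitioner would look at first: unresolved prefixes and punt, drop, discard or null adjacencies. The sample output is constructed from the page's example, with three extra prefixes added to exercise the glean, punt and null cases.

```python
import re
from collections import Counter

# Constructed sample modelled on the 'show ip cef ethernet 0/1 detail' output
# above. The first prefix is the page's own; the three that follow are
# constructed to exercise the Table 6.2 adjacency types (glean, punt, null).
SAMPLE_SHOW_IP_CEF = """\
IP Distributed CEF with switching (Table Version 2338), flags=0x0
1380 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
1380 leaves, 198 nodes, 370422 bytes, 2162 inserts, 942 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 9B6C8123
2 CEF resets, 0 revisions of existing leaves
refcounts: 54376 leaf, 51514 node
192.168.2.2/32 version 1987, cached adjacency 192.168.2.2 0 packets,
0 bytes, adjacency-prefix
  via 192.168.2.2 Ethernet0/1, 0 dependencies
    next hop 192.168.2.2, Ethernet0/1
192.168.2.0/24 version 1988, attached, connected
  via Ethernet0/1, 0 dependencies
    valid glean adjacency
10.99.0.0/16 version 2001, attached
  via Tunnel0, 0 dependencies
    valid punt adjacency
172.16.0.0/12 version 2002
  via Null0, 0 dependencies
    valid null adjacency
"""

SUMMARY_RE = re.compile(r"^(\d+) routes, (\d+) reresolve, (\d+) unresolved")
PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}),? version (\d+)")
VIA_RE = re.compile(r"^via (?:(\d{1,3}(?:\.\d{1,3}){3}) )?([^\s,]+)")
CACHED_RE = re.compile(r"cached adjacency (\d{1,3}(?:\.\d{1,3}){3})")
# Table 6.2 adjacency types: none of these forwards toward a resolved next hop.
SPECIAL_ADJACENCIES = ("discard", "drop", "glean", "null", "punt")


def _new_entry(prefix, version):
    return {"prefix": prefix, "version": version, "adjacency": "next-hop",
            "next_hop": None, "interface": None}


def _apply_detail(entry, line):
    """Fold one line belonging to a prefix into its entry."""
    for adj in SPECIAL_ADJACENCIES:
        if re.search(rf"\b{adj} adjacency\b", line.lower()):
            entry["adjacency"] = adj
    m = CACHED_RE.search(line)
    if m:
        entry["next_hop"] = m.group(1)
    m = VIA_RE.match(line)
    if m:
        if m.group(1):
            entry["next_hop"] = m.group(1)
        entry["interface"] = m.group(2)


def parse_show_ip_cef(text):
    """Return (summary, entries) parsed from 'show ip cef ... detail' output.

    summary holds the route/reresolve/unresolved counters from the header;
    each entry is a dict with prefix, version, adjacency (a Table 6.2 type
    or 'next-hop'), next_hop and interface.
    """
    summary, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = {"routes": int(m.group(1)), "reresolve": int(m.group(2)),
                       "unresolved": int(m.group(3))}
            continue
        m = PREFIX_RE.match(line)
        if m:
            current = _new_entry(m.group(1), int(m.group(2)))
            entries.append(current)
            _apply_detail(current, line[m.end():])  # rest of the prefix line
        elif current is not None:
            _apply_detail(current, line)            # continuation line
    return summary, entries


def adjacency_counts(entries):
    """Count entries per adjacency type (next-hop, glean, punt, ...)."""
    return Counter(e["adjacency"] for e in entries)


def review(text):
    """Findings to check first: unresolved prefixes and any prefix that CEF
    cannot switch in hardware (punt) or that is dropped outright."""
    summary, entries = parse_show_ip_cef(text)
    findings = []
    if summary.get("unresolved"):
        findings.append(f"{summary['unresolved']} unresolved prefixes in the FIB")
    for e in entries:
        if e["adjacency"] == "punt":
            findings.append(f"{e['prefix']} punts via {e['interface']}: "
                            "processed in software by the route processor")
        elif e["adjacency"] in ("drop", "discard", "null"):
            findings.append(f"{e['prefix']} is dropped ({e['adjacency']} adjacency)")
    return findings
```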

CEF Troubleshooting
If you're experiencing problems with CEF, you can use debug and ping commands
to troubleshoot the problem. Use this command to perform detailed
troubleshooting of CEF:
Switch# debug ip cef drops|receive|events|prefix-ipc|table|
ipc|interface-ipc

Table 6.3 explains the different parameters for this command.


Table 6.3 debug ip cef Options

Option      Explanation
drops       Displays dropped packets
receive     Displays packets that didn't use the FIB
events      Displays general CEF events
prefix-ipc  Displays updates to IP prefix information in the FIB
table       Displays processing on the FIB table, such as updates, flushing,
            and so on

Optionally, you can add an ACL to the debug command to limit the amount
of output you see in your terminal session.


You can also use Cisco's extended ping command. This command is executed by
itself at Privileged EXEC mode, and it prompts you for all the ICMP
information for IP. One nice feature is that you can change the source IP
address that will be used with the ping. This is normally the IP address of the
exit interface of the IOS device, but you can change it to any IP address on
the IOS device. This is useful for advanced testing of the reachability of a
device.

Summary
To route between VLANs, you need an RP. When setting up routing between
VLANs, first create your VLANs and assign switch ports to them; second,
create your trunks; third, configure routing. An RP can be internal or external. If the RP is external and has a trunk connection to a switch, it is called a
router-on-a-stick. This type of RP is configured using subinterfaces. For an
internal RP, a Catalyst switch supports two routing interfaces: routed and
SVI. An SVI is typically used and is created with the interface vlan command.
MLS allows Layer 2 and Layer 3 hardware switching to exist in the same
chassis. The first packet is routed in software and all other packets in the
same connection are rewritten in hardware and switched at Layer 2 speeds.
In the frame, the source MAC, destination MAC, and CRC are rewritten; in the
packet, the IP TTL field and CRC are rewritten.
NetFlow switching is a Cisco-proprietary form of route caching. This type
of switching has the RP and the ASICs work together to cache and switch
packets. With centralized switching, all Layer 2 and Layer 3 switching information is maintained in a central location in the switch. With distributed
switching, each port or module contains part of the switching tables and can
make switching decisions locally.
Cisco's CEF is an example of topology-based switching. This type of switching
uses a FIB. A FIB contains information from the routing table. Cisco's
CEF also has an adjacency table (neighboring devices) and a TCAM table
(contains connection information). The combination of these tables helps
CEF perform MLS. By default, CEF is enabled on all of Cisco's Catalyst
switches; it cannot be disabled on the 6500. CEF can load balance traffic to
a destination across a maximum of six links.


Exam Prep Questions


Question 1
Which of the following items are not necessary when setting up routing in a
VLAN environment?
A. Creating VLANs and associating user ports to them
B. Building trunks
C. Tuning STP
D. Configuring routing on an RP

Answers B and C are correct. Tuning STP is not necessary to set up routing
in a VLAN environment. B is required only for a router-on-a-stick, but you
can use access links or MLS also. Answers A and D are required, and therefore are incorrect answers.

Question 2
You need to create an SVI interface for VLAN 10 on your Catalyst switch. Enter
the command to do this: _________.

interface vlan 10. An SVI interface is a logical interface on the switch. To
create an SVI interface, use the interface vlan command followed by the
VLAN number. Activate the interface with the no shutdown command and
assign your Layer 3 address with the ip address command.

Question 3
Which command enables routing on a physical port of a Catalyst switch?
A. switchport mode routing
B. no switchport
C. no switchport mode access
D. switchport mode route

Answer B is correct. To change a physical interface from Layer 2 to Layer 3 processing, use the no switchport command. Answers A and D are incorrect because
these are nonexistent commands. Answer C is incorrect because this command
changes the interface to automatically sense for an access link or trunk port.


Question 4
Which form of switching pre-populates the switching table with information
from the routing table?
A. NetFlow
B. Distributed
C. Centralized
D. Topology-based

Answer D is correct. Topology-based switching pre-populates the FIB with
information from the routing table; this gives it an advantage over a
NetFlow switch, which must see packets to build the switching table.
Therefore, Answer A is incorrect. Answers B and C are incorrect because
these switching architectures refer to the location of the tables within the
chassis, not how they're populated.

Question 5
Which Catalyst switches support centralized forwarding?
A. 3550
B. 3550 and 4000
C. 6500
D. 4000 and 6500

Answer D is correct. Both the 4000 and 6500 support centralized forwarding.
Answers A and B are incorrect because they include the 3550, which
supports only distributed switching. Answer C is incorrect because it doesn't
include the 4000.

Question 6
When MLS rewrites frames in hardware, which of the following information is
not changed?
A. Source IP address
B. Destination MAC address
C. MAC frame's CRC
D. IP TTL


Answer A is correct. The IP addresses are not changed when MLS rewrites
frame and packet information. Answers B, C, and D are rewritten by an MLS
switch.

Question 7
CEF will work for IP if which of the following is true?
A. Ethernet II frames are used
B. Packets require fragmentation
C. Packets forwarded out a tunnel interface
D. IP packet contains header options

Answer A is correct. If you want to use CEF with IP traffic, the data link
layer must use an Ethernet II frame type. Answers B, C, and D will cause
CEF to pass these packets to the RP to be processed in software.

Question 8
Which CEF table is built from the ARP table?
A. CAM
B. TCAM
C. Adjacency
D. FIB

Answer C is correct. The CEF adjacency table is built from the ARP table.
Answer A is incorrect because the Layer 2 switch builds this when performing its learning function. Answer B is incorrect because CEF builds this
based on connection information in the frames and packets it sees. Answer D
is incorrect because the FIB is built from the routing table.

Question 9
CEF can load balance across a maximum of _____ paths.
A. One
B. Four
C. Six
D. Eight


Answer C is correct. CEF supports up to six equal or unequal cost paths for
load balancing, making answers A, B, and D incorrect.

Question 10
Which command must you execute to enable CEF on a Cisco switch?
A. ip cef
B. ip cef enable
C. cef enable
D. No command is required

Answer D is correct. No command is required to enable CEF on a Catalyst
switch; it is enabled by default. Answer A is correct only if you had disabled
CEF on a 4000 and want to re-enable it. Answers B and C are nonexistent
commands and are therefore incorrect.

Need to Know More?

For information about MLS, visit http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Layer-Three_Switching.

For information about CEF, visit http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:CEF.

Chapter 7
Availability and Redundancy

Terms you'll need to understand:
Route Processor Redundancy (RPR) and RPR+
Proxy ARP and ICMP Router Discovery Protocol (IRDP)
Hot Standby Routing Protocol (HSRP)
Virtual Router Redundancy Protocol (VRRP)

Techniques you'll need to master:
Knowing the similarities and differences between RPR and RPR+
Using uplink interfaces for redundant switch connections
Understanding the different methods of default gateway redundancy
Knowing the HSRP components, its operation, and configuration
Understanding the components and operation of VRRP


As you deploy more and more critical services in your network, redundancy
and availability become key issues. There are many types of availability and
redundancy. This chapter focuses on three: hardware, Layer 2, and Layer 3.
With hardware redundancy, youre concerned with the reliability of your
hardware components within a chassis. For example, if your networking
device has only one power supply, and it fails, the network device would fail.
Depending on your product, you might have several choices of hardware
redundancy options: redundant power supplies, redundant supervisor
engines, redundant RP cards, and redundant line cards. The first section of
this chapter focuses on Cisco solutions for hardware redundancy.
In Layer 2 redundancy, youre concerned about either switching paths or
switches in your network failing. This could be problematic if you have only
a single path to use between two devices. The second part of this chapter
focuses on Layer 2 redundancy solutions.
Recall from Chapter 2, Designing Switched Networks, that traffic that
needs to leave a switch block travels through the distribution layer, where an
RP handles the path decisions. The use of a router at the distribution layer
contains many networking problems and issues. If you have only a single RP
and it fails, networking resources in other parts of the network will not be
reachable. Layer 3 redundancy can be accomplished in many ways. Your end
stations could use IRDP or Proxy ARP, or they could run a routing protocol
that is compatible with the RP distribution devices. However, each of these
possibilities presents its own set of problems. Cisco's Hot Standby Routing
Protocol (HSRP) solves these problems. It provides a backup solution for
default gateways that is transparent to the end stations. Other solutions
include the Virtual Router Redundancy Protocol (VRRP), Gateway Load
Balancing Protocol (GLBP), Single Router Mode (SRM), and Server Load
Balancing (SLB). The third, and most important, part of this chapter focuses
on these Layer 3 redundancy and availability solutions.

Introduction to Availability
and Redundancy
There are two methods of providing basic redundancy services: chassis
redundancy and component redundancy. Chassis redundancy has another
networking device, with the same functionality, that provides redundant
services in case the primary device fails. Component redundancy provides for
redundant components inside the same chassis. Six key components are used
to reach a high level of availability (as close to 100% as possible):

Network device reliability: Redundant hardware components and intelligent
software should be able to deal with a failed component.
Device redundancy: Redundant devices are used in case one device fails.
Link redundancy: Backup network connections are used in case a primary
network connection fails.
Fast convergence: Intelligent software is used to converge very quickly if a
component, Layer 2, or Layer 3 failure occurs.
Good network design: For convergence to take place in an acceptable
timeframe, a network design must exist to make use of a fast convergence
solution, such as UplinkFast for STP or component redundancy in key
networking devices.
Documented network: A well-documented network helps to pinpoint
weaknesses so that corrective measures can be taken.


Of the preceding bullet points, the most important is the creation of a network
design that minimizes any weak points by providing an appropriate level of
redundancy. In other words, it is sometimes too costly, and unnecessary, to
provide 100% redundancy. The important point is that you need to rank
your networking resources from critical to nonessential, and then determine
what level of redundancy is needed and what type of solutions you should use
to provide that redundancy. The following two sections discuss the two
approaches that can be used to provide redundancy.
Remember the six bullet points to provide a high level of availability.

Component Redundancy
One type of redundancy is component redundancy. This type of redundancy
provides protection against component failures inside the same chassis.
Components that can be protected in some Catalyst switches include
Supervisor Engines, modules (hot-swappable), power supplies, and fans.
If you decide to implement only component redundancy (no backup devices),
your network would look something like the one shown on the left side of
Figure 7.1. Notice that there are no redundant devices in this example.
However, there are redundant connections between the devices, which you
can see in the figure, and redundant components within those devices.

Figure 7.1 Component versus chassis redundancy. (Figure not reproduced: the left side, Component Redundancy, shows a single Core Switch, Distribution MLS Switch, and Access Switch between Server and User; the right side, Chassis Redundancy, shows redundant Core Switches, Distribution MLS Switches, and Access Switches between Server and User.)

Using a component redundancy design provides these benefits:
All single points of failure have been eliminated.
The different switches do not have to be located in the same geographic area.
Convergence is minimized because this process takes place within a device
and not necessarily between devices.

However, there are downsides to using only component redundancy:
Redundant components in a chassis are typically in a standby state and
cannot be used unless the primary component fails.
Because all components must be duplicated, the cost of the switch becomes
very expensive.
Component redundancy cannot deal with all types of failure, especially
application layer processes, backplane failures, and complete device failures.


Chassis Redundancy
Chassis redundancy provides redundant networking devices. An example of
this is shown on the right side of Figure 7.1. In this example, there are redundant switches at each layer of the design. Enhanced STP features are used to
provide quick STP convergence in case of a Layer 2 failure, and an intelligent routing protocol such as OSPF or EIGRP provides quick Layer 3
convergence.
This type of design provides the following advantages:
You do not need to provide a high level of fault tolerance within one
device because a secondary device provides it for you, in most instances.
Any software configuration issue or software bug that results from an
upgrade can be localized, assuming that only primary devices are
upgraded first and the secondary devices are not.
The primary and secondary devices do not need to be at the same location,
which provides better redundancy in case of a catastrophic emergency,
such as a fire.
Layer 2 and Layer 3 protocols provide convergence. By picking the
right protocol with the right feature, you can ensure quick convergence.
A correct network design and implementation should enable you to use
both the primary and secondary devices. For example, with STP, you
can load-balance VLANs across uplink connections by having different
root switches at the distribution layer by using PVST or MST.
Against these advantages, there are two main disadvantages to chassis
redundancy: You need more data link layer connections, and because there are
more devices, managing and troubleshooting this kind of network is much
more difficult than with component redundancy.
It's important to point out that a well-designed redundant solution can
include both types of redundancy. Remember that you need to determine
what level of redundancy is required for the different components in your
network.

Hardware Redundancy
This section focuses on the Catalyst 6500 switch's hardware redundancy
capabilities. These features include redundant power supplies, a
hot-swappable fan, hot-swappable modules, redundant Supervisor Engines, and


redundant Route Processors. Please note that the Catalyst 4500s, 3550s, and
2950s support some of these features, but not necessarily all of them.

Power Supplies
Some of the first things to consider in redundancy are your power source and
power supplies. Without an Uninterruptible Power Supply (UPS) system,
redundant power supplies do no good when the power source itself is lost.
Likewise, if you have redundant power supplies, you want to ensure that they
are connected to different power circuits. If you connect both power supplies
to the same circuit and that circuit fails, your switch also fails. In addition, a
fluctuation in a power source can affect the lifetime of a power supply or even
destroy it.
Most of Cisco's Catalyst switches either support internal redundant power
supplies or have the option of connecting a redundant external power supply
to the switch. On Catalyst 6500 switches, the power supplies can operate
in two modes: combined and redundant.
In combined mode, power is drawn from both power supplies and supplied to
the switch. This mode is necessary if a single power supply doesn't have
sufficient power to supply all the cards in the switch's chassis. In this
mode, if one of the two power supplies fails and the remaining power supply
doesn't have enough power to power up all the cards in the chassis, the
switch shuts down enough modules so that it can remain up.
In redundant mode, the primary power supply supplies power to the switch
while the other is in standby mode. If the primary power supply fails, the
standby power supply supplies power to the chassis. In this mode, no power
sharing occurs between the two power supplies.
To configure redundant power supplies on a 6500 switch, use the following
command:
Switch(config)# power redundancy-mode combined|redundant

If you want to power-down a module in the chassis of the switch, use the
following command:
Switch(config)# no power enable module slot_#

Enter the slot number of the card that you want to power-down. If you just
want to power-cycle a card without rebooting the switch, use the following
command:
Switch(config)# power cycle module slot_#


This command turns off the specified card for 5 seconds and then turns it
back on.
To display the status of the power supplies, use the show power command, like
this:
Router# show power
system power redundancy mode = redundant
system power total = 27.460A
system power used = 13.990A
system power available = 13.470A
FRU-type      #  current  admin state  oper
power-supply  1  27.460A  on           on
module        1  3.300A   on           on
module        5  2.800A   on           on
module        6  1.900A   on           on

Supervisor Engines
The Supervisor Engines (SEs) support two types of redundancy: redundancy for the SEs themselves and redundancy for the feature cards installed on
the SEs. The Supervisor Engine is the brains of the switch and contains the
IOS software. SEs are installed in slots 1 and 2 in the 6500 chassis. By
default, when the switch boots up, the first slot becomes the primary SE and
the second slot becomes the secondary SE. The secondary SE is in standby
mode and doesn't do anything except monitor the primary SE. The one
exception to this is that the Gigabit Ethernet uplink interfaces on the
standby SE are active and can process traffic. If the primary SE fails, the
secondary SE initiates a switchover within seconds.
When setting up redundant SEs, the SEs must go in slots 1 and 2. One SE is active
and the other is in standby mode. The uplink interfaces of the standby SE can be
used even though the SE is in a standby state.

RPR
Starting with IOS 12.1(13)E, the Catalyst 6500 supports SE redundancy with
both Route Processor Redundancy (RPR) and Route Processor Redundancy Plus
(RPR+). These two features allow hardware redundancy for the Multilayer
Switch Feature Card (MSFC) and Policy Feature Card (PFC or PFC2). This
essentially provides Layer 3 redundancy for the Catalyst 6500.
RPR provides Supervisor Engine redundancy for route processing (routing).
One SE is primary and the other is secondary. When the switch boots, the SE
that boots up first (slot 1 or slot 2) becomes the primary SE. The


MSFC and PFC/PFC2 are used on the primary while these cards are in a
standby mode on the secondary SE. When the primary MSFC/PFC fails, it
can take between 2 and 4 minutes for the secondary SE's MSFC/PFC to take
over. The reason for the slow switchover is that when the secondary SE boots
up, it does not initialize its MSFC/PFC cards.

RPR Features
RPR supports automatic startup of both SEs and has the primary SE automatically synchronize the bootvar files with the secondary SE. (The bootvar
files are used to boot up and configure the SEs.) The two SEs use hardware
signals to detect each other and to determine who will be playing the primary
and secondary roles. Every 60 seconds, the primary SE synchronizes its clock
with the secondary SE. When the MSFC and PFC fail on the primary SE
and the secondary SE promotes itself to a primary role, the former primary
SE becomes the secondary. In this role, even if its MSFC/PFC have failed, it
can still provide SE redundancy. Another nice feature of RPR is that it
supports fast software upgrades. Upgrading the primary unit automatically
causes the secondary to be synchronized with the same information. This is
also true of configuration changes: a configuration change made on the
primary is automatically copied to the secondary.

RPR Events
Any of the following events causes RPR to perform a switchover:
A manual switchover is initiated from the CLI.
Either the MSFC or PFC fails on the primary SE.
There is a clock synchronization failure between the primary and
secondary SEs.
Remember the three items that can cause RPR to perform a switchover.

When a switchover occurs, the secondary SE (now the primary) recycles
power on all switching modules (except itself). As this is occurring, the
MSFC card, with its Layer 2 and Layer 3 protocol configurations, is activated.
All ACLs are then reprogrammed by the now-primary SE to be processed in
hardware by the MSFC/PFC.


RPR+ Overview
The main difference between RPR and RPR+ is that the secondary SE is
fully initialized and configured: the MSFC and PFC on the secondary are
operational. When the primary fails, the secondary almost immediately
handles these functions. It takes only between 30 and 60 seconds for this
switchover to occur.
It's important to point out that with RPR+, the secondary SE's MSFC and
PFC are operational. When you make configuration changes on the primary
SE, they're automatically synchronized to the secondary SE. This includes
both running and startup configurations. Please note that during the bootup
of the SEs, the primary SE copies both of these configurations to the
secondary. After bootup, any configuration changes done on the primary are
copied to the secondary; only the change itself is copied, which reduces
overhead processing on the SEs.
Actually, you can make configuration changes only on the primary; the
secondary only keeps tabs on the primary and accepts and processes
synchronization information. Also, card state information is synchronized
between the primary and secondary SEs, including MSFC and PFC information.
Here is a list of advantages that RPR+ has over RPR:
Faster switchover time: 30 to 60 seconds instead of 2 to 4 minutes.
The promoted secondary SE does not reset its modules.
You can hot-swap SEs without causing problems. Cisco calls this online
insertion and removal (OIR). You can easily add or remove SEs without
affecting the RPR+ process. When hot-swapping, the same switchover
time period applies.
Remember the advantages that RPR+ has over RPR as listed in the bullet points.

It's important to point out that during an SE switchover or an RPR or RPR+
switchover, there will be some disruption. Some traffic could be dropped, and
the FIB, adjacency, and CEF tables must be rebuilt.

RPR+ Guidelines and Restrictions


Both SEs must be in slots 1 and 2 of the chassis. Each SE has its own
components, including console ports and flash memory. When making a console
connection to the switch, don't use a Y cable to connect to both console
ports; use separate cables. Both SEs must have the same version of the IOS
installed. If not, when the two SEs boot up, the secondary SE operates in
RPR mode. Also, the configuration register (which controls the bootup process
of the SE) must be set to autoboot; failure to do this disables RPR+. The
network boot option is not supported if you want to use RPR+.
There are a few restrictions when configuring an SE using RPR+. First, you
must wait until after the initial synchronization takes place when the two SEs
have just booted up. If you try to make a configuration change during this
time period, you'll get the following message:
Config mode locked out till standby initializes.

Second, you cannot use the VLAN Database Privileged EXEC mode commands to
configure your VLANs; you must do it from Configuration mode.
Third, SNMP changes made on the primary are not automatically synchronized
to the secondary SE. You must execute the copy running-config startup-config
command on the primary SE.
While using RPR+, only the primary SE is processing traffic while the secondary is in a standby state. The exception to this is the Gigabit uplink ports,
which are in an active state. There will be a disruption in traffic during a
switchover. When a failure occurs on the primary SEs MSFC/PFC, the primary first performs a core dump. When the core dump is completed, the secondary SE can start processing.
It can take up to 15 minutes for a core dump to complete! Therefore, if you're
concerned about convergence, you might want to disable core dumps on your switch.
The disadvantage of this is that if there is a problem, you won't have any detailed
information to send to Cisco.

If you're entering a configuration command on the primary when a
switchover occurs, the configuration change is lost. During a switchover, the
FIB and routing tables are cleared and must be rebuilt by the newly promoted
SE. The exceptions to this are any static routes that have been configured.
Basically, any dynamically learned information is lost, but statically
configured information is maintained.

RPR+ Configuration and Verification


Enabling RPR+ and verifying its operation is a simple process. To enable
redundancy, use the following command:
Switch(config)# redundancy


This enables RPR. To enable RPR+, also execute the following command:
Switch(config)# mode rpr-plus

All configuration is done on the primary SE. Use the redundancy command followed
by the mode rpr-plus command to enable RPR+.

When you've enabled either RPR or RPR+, use the show redundancy command to
verify the operation of RPR/RPR+. Using the switchover parameter produces
this output:
Switch# show redundancy switchover
Switchovers this system has experienced : 1
Uptime since this supervisor switched to active : 1 minute
Total system uptime from reload : 2 hours, 47 minutes

In this example, you can see that one switchover has taken place. Using the
states parameter produces this output:
Switch# show redundancy states
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit = Primary
Unit ID = 1
Redundancy Mode (Operational) = Route Processor Redundancy
Redundancy Mode (Configured) = Route Processor Redundancy
Split Mode = Disabled
Manual Swact = Disabled Reason: Simplex mode
Communications = Down Reason: Simplex mode
client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 4000 milliseconds
keep_alive count = 0
keep_alive threshold = 7
RF debug mask = 0x0

In this example, this switch is the primary switch (ACTIVE state) and RPR
has been configured and is operational.

Layer 2 Redundancy
This section discusses some basics about Layer 2 redundancy design methods and Cisco solutions. Because STP and its operation and enhancements
were already discussed in Chapters 3 and 4, they are not mentioned here.


Uplink Interfaces
A switch's SE contains two Gigabit Ethernet uplink interfaces. Cisco assumes
that you'll use these interfaces to connect to a switch at either a higher or
lower layer in Cisco's three-layer hierarchy: core, distribution, and access. Of
course, you can connect anything you want to these interfaces. However, you
do have to take care of setting up redundant connections between a higher
and lower layer.
For example, let's look at the right side of Figure 7.1, where there are redundant connections between a switch and its lower- or upper-layer neighbor.
I'll focus on the Distribution MLS switches at the bottom of this diagram.
Let's assume that the distribution layer is using Catalyst 6500 switches with
dual SE cards: primary and secondary. The left side of Figure 7.2 shows a
diagram of the connections on the Catalyst 6500 to the two switches at the
core layer (the backbone switches). Notice that the primary SE's two Gigabit
uplinks are used in this design. The main problem with this approach is that
if the primary (top slot) SE fails and the secondary is promoted, all connectivity to the backbone is lost because both connections were connected to the
SE in the top slot.
Figure 7.2 Redundant connections and modules. (Left panel: Same Module Uplink; right panel: Different Module Uplink. Each panel shows the switch connected to a Left Core Switch and a Right Core Switch.)

A better solution is shown in the right side of Figure 7.2. In this example, the
two connections to the two core switches are placed on different cards (the
two uplink ports on the SEs). Remember that you can do this with the
secondary SE because the Gigabit ports are activated, even in a standby
mode. In this example, if the primary SE fails in the top slot, the Gigabit
uplink on the secondary SE is still functional.
Remember that this example applied to SEs, but you should follow the same
practice for other line cards in your chassis. One uplink connection should
be in one line card and a second connection should be in a different line card.

Switch Redundancy
In most situations, if you're really concerned about redundancy, you should
use chassis redundancy rather than component redundancy. Chassis redundancy provides a more robust form of redundancy, but requires you to buy
two switches at the distribution and core layers, which can be costly. The
right side of Figure 7.1 shows an example of this approach.
Remember that in this design, the distribution layer contains a Layer 3
process that provides a boundary between the access layers and the core
layer. This is used to contain Layer 2 problems, such as STP issues, broadcast storms, and so on. You must create your VLANs correctly, tune STP, set
up a routing protocol, and possibly configure MLS to create a well-designed,
highly optimized, redundant topology. All of these tasks were covered in
chapters leading up to this one.

Layer 3 Redundancy
The remainder of this chapter focuses on Layer 3 redundancy issues. When
you think of Layer 3 redundancy, you're normally dealing with having multiple paths to a destination. This section, however, deals with another type of
Layer 3 redundancy: default gateways and server load balancing. I'll begin by
talking about some of the issues of default gateway redundancy and some of
the solutions that are available, but don't work very well. The main part of
this section deals with Cisco's Hot Standby Routing Protocol (HSRP), as
well as other solutions that are better at dealing with default gateway redundancy, such as the Single Router Mode (SRM) redundancy and Gateway
Load Balancing Protocol (GLBP) solutions.

Problems of Traditional RP Redundancy

You can easily place two RPs at the distribution layer of each switch block to
provide redundancy for end stations to leave their VLAN. However, this
might not provide a true fault-tolerant solution. This is especially true for
situations in which end stations do not support a router discovery protocol
to learn which routers they can use or they can't be configured to use more
than one default gateway address.

Proxy ARP Issues

Some end stations can use Proxy ARP to discover the IP address of the
default gateway. In this situation, the end station dynamically acquires the IP
address and MAC address of the default gateway and sends all its inter-VLAN traffic to this RP. To begin, the end station doesn't know how to reach
the destination, and generates an ARP request for the destination. Obviously,
if the destination is not in the same VLAN, no one responds and the end station assumes that the destination is not reachable. However, a Cisco router
can proxy this ARP by sending back its own MAC address to the end station,
and the end station can then use the router to send traffic out of the subnet.
From the end station's perspective, it thinks it's sending traffic directly to the
destination, but it's actually being relayed by the router. On Cisco RPs, Proxy
ARP is enabled by default.
However, a problem arises when the default gateway fails. In this situation,
the end station still sends its information to the failed default gateway, where
the traffic is dropped. Sometimes a client re-performs the ARP after a
lengthy period of time to verify the destination's (default gateway's) existence. (At this point, it will have discovered that the default gateway has
failed and then another RP can perform the proxy.) However, in most implementations of ARP, the end station continues to use the same failed default
gateway MAC address unless it is rebooted.
Proxy ARP is used when an end station ARPs for a destination device's MAC address
that is on a different subnet. A Cisco RP can respond back to the end station with its
own MAC address, making it appear that the destination is on the same segment.
This behavior is enabled by default on Cisco RPs. The main disadvantage is that if
the RP fails, the end station won't discover this unless it reboots or re-ARPs.

ICMP Router Discovery Protocol Issues

The ICMP Router Discovery Protocol (IRDP) is not a routing protocol like
OSPF or RIP, but is an extension to ICMP that allows an end station to automatically discover the default gateways connected to the same VLAN. IRDP
is covered in RFC 1256. In this environment, the RPs periodically generate
special multicast packets that announce the router's existence to the clients.
This time period is usually between 5 and 10 minutes. Learned information
usually has a maximum lifetime of 30 minutes on the client if no more IRDP
messages are heard from the advertising RP. The multicast packet includes
the RP's address and a lifetime value.
With IRDP, end stations can dynamically discover other RPs when their primary default gateway fails. However, this might take up to 30 minutes, based
on the lifetime value in the original multicast packet from the RP. And even
if you might consider using IRDP with your access layer devices, most end-station IP protocol stacks do not support IRDP.
IRDP extends ICMP by allowing an end station to dynamically learn the default gateways that exist in the VLAN. RPs announce themselves every 5-10 minutes and end
stations hold this information for up to 30 minutes. The main problem with IRDP is
that if the primary RP fails, it might take up to 30 minutes before using a different RP.

Routing Protocol Issues


To overcome these two previous problems, you might be able to run a routing protocol on the end station, if the client supports this type of function.
With IP, the only routing protocol that most end stations might support is
RIP. In RIP, the end station could make intelligent decisions about which
Layer 3 RP to use to access other subnets. However, the issue with RIP is
that its convergence is very slow: it could take up to 180 seconds before an
alternative RP is chosen when the current primary RP fails. With TCP sessions, this would cause a timeout. Because of this, as well as all the additional overhead that RIP creates, this solution is not very desirable for your end
stations, and this assumes that your end stations and other network devices
support a routing protocol such as RIP.

User Device Issues


In most campus environments, end stations are assigned a single IP address for
the default gateway (which is usually done via DHCP). In this environment, if
the RP were to fail, the end station would lose its capability to access other networking devices outside of its VLAN. Unfortunately, there is no redundancy in
this implementation because an end station can have only one default gateway
address configured (whether it is assigned via DHCP or statically configured).

HSRP
HSRP is a Cisco-proprietary protocol that provides a single definition of a
default gateway on the end station and Layer 3 redundancy for overcoming
the issues of IRDP, Proxy ARP, and end-station routing protocols. Unlike
the four previous solutions, HSRP is completely transparent to the end stations; you do not have to perform any additional configuration on the end
stations themselves. HSRP allows Cisco RPs to monitor each other's status,
which provides a very quick failover when a primary default gateway fails.
This is done by establishing HSRP groups.


With HSRP, a group of RPs represent a single virtual default gateway. This
virtual default gateway has a virtual IP address and a virtual MAC address. If
the primary RP fails, another RP in the HSRP group takes over and processes the frames sent by the end stations to the virtual MAC address.
An advantage of HSRP groups is that different subnets (VLANs) can have different default gateways, thus providing load balancing. Also, within each
HSRP group, there is a primary default gateway and the capability to use multiple routers to perform a backup function. You can have up to 255 standby
groups per RP, providing up to 255 default gateways. RPs can provide backup for multiple primary default gateways. Each standby group keeps track of
the primary RP that's currently forwarding traffic sent to the virtual MAC
address. Note that only one RP is actually forwarding traffic with HSRP.
One nice feature of HSRP is that you can customize it based on the size of
your network. For instance, if you have a VLAN with 1,000 devices in it, you
can set up two HSRP groups: one group for 500 devices and another group
for the other 500 devices. You can then assign RPs to each group. For example, if you had only two RPs, you could have RP1 be the active RP for group
1, but the standby for group 2 and vice versa for RP2. Through this process,
you can have both of your RPs forwarding traffic while still providing redundancy: if the active RP in either group fails, the other RP promotes itself to
an active state.
HSRP is a Cisco-proprietary protocol that provides default gateway redundancy. You
can create a total of 255 groups, allowing for load balancing between RPs. A router
can belong to several groups.

HSRP Operation
As mentioned in the previous section, only one RP actually forwards traffic
for an HSRP group. Using a priority scheme, one RP is elected as the forwarding router and the others perform as backups for a group. Each RP has
a default priority of 100, which you can manipulate. The RP with the highest priority in the group is elected as the active router, and the other RPs are
placed in standby mode. The active RP responds to any ARP packets from
end stations and replies with the virtual MAC address of the group.
Each HSRP group must have a unique virtual IP address and a virtual MAC
address, which means these numbers must be unique across different groups.
This MAC address is 0000.0c07.acXX. The 0000.0c is Cisco's vendor code.
The 07-ac is HSRP's well-known address. The XX is the group number (in
hexadecimal) for the HSRP group. Therefore, each HSRP group must have
a unique number to ensure that the MAC address is unique in a VLAN.


With HSRP, the end stations would perform an IP-ARP with the virtual IP
address, requesting the virtual MAC address of the default gateway RP. Note
that in this setting, the end stations are completely unaware of the actual RPs
handling traffic destined for a virtual router. Even when the primary fails and
the standby RP starts handling traffic for the broadcast domain, the end stations still think they're talking to the same RP.

Types of RPs
Every HSRP group contains RPs that perform certain roles. Each HSRP
group of RPs contains the following types of RPs:
Virtual RP
Active RP
Standby RP
Other HSRP RPs

The role of the virtual RP is to provide a single RP that's always available to
the end stations. It is not a real RP because the IP and MAC addresses of the
virtual RP are not physically assigned to any one interface on any of the RPs
in the broadcast domain.
The role of the active and standby RPs is based on the priority of the RPs in
the HSRP group. The RP with the highest priority is elected as the active RP,
and the one with the second highest priority is elected as standby RP. If the
priorities are the same, the IP address of the RP is used as a tiebreaker. In
this situation, the RP with the higher IP address is elected for the role.
The active RP is responsible for forwarding all traffic destined to the virtual
RP's MAC address. A second RP is elected as a standby RP. The standby RP
keeps tabs on the active RP by looking for HSRP multicast messages, called
HSRP hellos. The active RP generates a hello every 3 seconds. If the standby
RP does not see any hellos for 10 seconds from the active RP, the standby RP
promotes itself and begins performing the functions of the active RP. Like
the active RP, the standby RP also announces itself every 3 seconds so that if
it fails, one of the other HSRP routers in the standby group can assume the
standby RP role.
The other RPs in the HSRP group, if any exist, listen for the hello multicasts
from the standby and active RPs to ensure that they are performing their
respective roles. When the active RP fails, the view from the end station's
perspective is the same: they're still forwarding their frames to the virtual
MAC address. When this happens, the standby RP starts processing the
frames sent to the virtual MAC address and one of the other HSRP routers
in the group is elected to the standby role.
Each group has a virtual IP and MAC address associated with it, which end stations
use to send traffic. The MAC address is 0000.0c07.acXX, where XX represents the
HSRP group number in hex. The active RP forwards traffic to and from the VLAN.
The standby RP watches to make sure that the active RP sends out its hellos; if it
doesn't, the standby RP promotes itself to an active state.
If any end station uses a real MAC address of one of the RPs in the broadcast domain,
that specific RP, whether it is active, standby, or another RP, processes and
forwards the frame.

HSRP Multicast Messages

To determine which RPs will become the active and standby RPs, all the RPs
in the HSRP group initially send out HSRP multicast messages. These UDP
messages, using port number 1985, are addressed to the all-router multicast
address (224.0.0.1) with a Time-To-Live (TTL) value of 1. A TTL of 1
ensures that any multicast routing protocol that's running will not forward
the message to a different subnet. The HSRP message contains the following information:
HSRP version number
Op code message type:
  Hello messages: These messages are used by the RPs for the election
  process as well as by the active and standby RPs when they have
  been elected.
  Resign messages: These messages are used by an RP when it wants to
  stop performing the function of the active RP.
  Coup messages: These messages are used by an RP that wants to
  become the active RP.
Current HSRP state (see the next section).
Hello time interval of HSRP messages (defaults to 3 seconds), that is,
how often HSRP messages are generated.
Hold-down time interval (defaults to 10 seconds), the length of time
that a hello message is considered valid.
Priority of the RP, used to elect the active and standby RPs.
Standby group number (0-255).
Authentication password, if configured.
Virtual IP address of the HSRP group, the default gateway IP address
that your end stations should use.
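The message fields listed above and the election rule from the "Types of RPs" section, worked as an added Python example that is not code from the book: it packs and decodes the 20-byte HSRP version 1 payload (field layout from RFC 2281, which the book does not cite), derives the group's virtual MAC, runs the priority-then-higher-IP election, and flags hellos that still carry the default password. The sample RP addresses and the audit rules are my own construction.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed example, not the book's code. HSRP version 1 (RFC 2281) carries
# a fixed 20-byte payload over UDP port 1985: eight one-byte fields, an 8-byte
# cleartext authentication field and the 4-byte virtual IP address.
HSRP_V1_FORMAT = "!8B8s4s"
HSRP_V1_LENGTH = struct.calcsize(HSRP_V1_FORMAT)   # 20
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learning", 2: "Listening",
          4: "Speaking", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"          # password used when none is configured


@dataclass(frozen=True)
class HsrpMessage:
    source_ip: str               # interface address of the RP that sent it
    version: int
    opcode: str
    state: str
    hello_time: int              # seconds between hellos (default 3)
    hold_time: int               # seconds a hello stays valid (default 10)
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def build_hello(source_ip, priority, group, virtual_ip, state=16,
                hello_time=3, hold_time=10, auth=DEFAULT_AUTH):
    """Construct an HSRP v1 hello (opcode 0) as (source_ip, payload)."""
    payload = struct.pack(HSRP_V1_FORMAT, 1, 0, state, hello_time, hold_time,
                          priority, group, 0, auth.ljust(8, b"\x00"),
                          ipaddress.IPv4Address(virtual_ip).packed)
    return source_ip, payload


def parse_hsrp(source_ip, payload):
    """Decode one HSRP v1 payload taken from a UDP/1985 datagram."""
    if len(payload) < HSRP_V1_LENGTH:
        raise ValueError("truncated HSRP v1 payload")
    (version, opcode, state, hello_time, hold_time, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_V1_FORMAT,
                                           payload[:HSRP_V1_LENGTH])
    return HsrpMessage(source_ip, version, OPCODES.get(opcode, "Unknown"),
                       STATES.get(state, "Unknown"), hello_time, hold_time,
                       priority, group, auth.rstrip(b"\x00"),
                       str(ipaddress.IPv4Address(vip)))


def virtual_mac(group):
    """Well-known virtual MAC 0000.0c07.acXX, XX being the group in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def elect(messages, group):
    """Return (active_ip, standby_ip) for one group. Highest priority wins;
    equal priorities are broken by the higher interface IP address."""
    hellos = [m for m in messages if m.opcode == "Hello" and m.group == group]
    ranked = sorted(hellos, reverse=True,
                    key=lambda m: (m.priority,
                                   int(ipaddress.IPv4Address(m.source_ip))))
    active = ranked[0].source_ip if ranked else None
    standby = ranked[1].source_ip if len(ranked) > 1 else None
    return active, standby


def audit(message):
    """Defender-side sanity checks on one decoded hello; returns findings."""
    findings = []
    if message.version != 1:
        findings.append(f"unexpected HSRP version {message.version}")
    if message.auth == DEFAULT_AUTH:
        findings.append("group uses the default password 'cisco'")
    if message.hold_time < 3 * message.hello_time:
        findings.append("hold time is under three times the hello time")
    return findings


if __name__ == "__main__":
    # Constructed VLAN 1 group 1 sample: three RPs, two tied at priority 100.
    captured = [build_hello("172.16.10.2", 110, 1, "172.16.10.254"),
                build_hello("172.16.10.1", 100, 1, "172.16.10.254", state=8),
                build_hello("172.16.10.3", 100, 1, "172.16.10.254", state=2)]
    decoded = [parse_hsrp(src, raw) for src, raw in captured]
    print("virtual MAC:", virtual_mac(1))
    print("active/standby:", elect(decoded, 1))
    for msg in decoded:
        print(msg.source_ip, msg.state, audit(msg))
```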

HSRP States
HSRP supports six different states. An RP may go through all these states or
only a few of them, depending on whether it becomes an active or standby RP.
Initial
Learning
Listening
Speaking
Standby
Active

When the RPs are enabled, they start in an initial state. Note that they have
not begun the HSRP process in an initial state; only the RPs themselves and
their associated interfaces have been activated. In a learning state, an RP listens for an active RP. The RP initially has no knowledge of any other HSRP
routers. In this state, its purpose is to discover the current active and standby RPs and the virtual IP address for the group.
After the RP sees a multicast from the active/standby RP, it learns about the
virtual IP address. This is called the listening state. In this state, the RP is
neither the active nor standby RP. If there's already a standby and active RP,
the listening RP remains in this state and does not proceed to any of the next
three states. The exception to this is if you've configured preemption. With
preemption, a new RP with a higher priority can usurp an existing active or
standby RP.
If the RP enters the speaking state, the RP propagates multicast messages so
that it can participate in the election process for the standby or active role.
These hellos are sent out periodically so that other RPs in the group know
about everyone's existence. Note that for an RP to enter this state, it must
have the virtual IP address configured on it.
Based on the RP's priority, it either becomes a standby or active RP. In a
standby state, the RP is the next in line to assume the role of the active RP if
the active RP fails. In an active state, the RP is responsible for forwarding all
traffic sent to the virtual MAC address of the broadcast domain. There can
be only one active and one standby RP. Both of these RPs generate periodic
hellos to other RPs in the group to guarantee that end stations always have a
default gateway that can forward their traffic if either of them fails.
It's important to point out that if you don't configure preemption, the first
RP that comes up takes on the active role and the second RP takes on the
standby role. Therefore, if you're setting up load balancing between RPs so
that certain RPs handle traffic for certain VLANs and other RPs handle traffic for other VLANs, you'll want to use preemption so that whenever a failed
RP comes back online, it resumes its former role.
Remember the HSRP states, the order in which they are processed, and what
happens in each state.

HSRP Configuration
Only one command is necessary to enable HSRP. To do so, execute the following standby command on the RP's interface. Use a subinterface for a trunk
port and a VLAN interface for an internal RP:
Router(config)# interface type [slot_#/]port_#

or
Switch(config)# interface vlan VLAN_#
Switch(config-if)# standby [group_#] ip IP_address

After you execute this command on an active interface, the RP enters the
learning state. In this command, group_# is optional. If you omit it, it defaults
to 0. Note that group_# is required if you have multiple standby groups.
Remember that the IP address you specify in the standby command is not the
actual IP address that's on the interface, but rather the virtual IP address. You
need to take the virtual IP address and either hard-code it as the default gateway address on end stations or put it in your DHCP server configuration.
To ensure that the end stations do not discover the real MAC address of the
RP's LAN interface, enabling HSRP disables ICMP redirects. You'll see the
no ip redirects command appear on the RP's interface.
To influence which RPs perform the active and standby roles, you can
increase the RPs' priorities. To do so, execute the following standby command
on the RP's interface:
Switch(config-if)# standby [group-number] priority new_priority

Remember that the higher the priority, the more likely it is that the RP will
become a standby or active RP. The priority defaults to 100 but can be set
from 0 to 255. To configure an RP so that it can preempt the current standby or active RP, use the preempt parameter:
Switch(config-if)# standby [group-number] preempt [delay delay_value]

The default delay is 0 seconds, which causes the RP to immediately begin the
preemption process. You can delay this by putting in a delay value from 0 to
3,600 seconds (one hour). The one problem with preemption is that it causes a slight disruption in traffic as the currently active RP demotes itself and
the new RP promotes itself.
To modify the hello and hold-down times, execute the following standby
command:
Switch(config-if)# standby [group_#] timers hello_time holddown_time

Here, hello_time defaults to 3 seconds and can range from 0 to 255 seconds.
holddown_time defaults to 10 seconds and has the same range of valid values.
Note that holddown_time should be at least three times greater than hello_time
to ensure proper functioning of HSRP.
It is a common practice to adjust these timers to smaller values to speed up HSRP
convergence. However, care must be taken to not set these values too small, which
might cause inadvertent switchovers.

If you want to configure authentication, execute the following standby command on the interface:
Router(config-if)# standby [group-number] authentication password

The password can be up to eight characters; if omitted, the password defaults
to cisco. The password needs to match on all HSRP routers in the same group.
Use the standby ip command to activate HSRP on your RP. Use the standby priority
command to change the RP's priority; the highest priority becomes the active RP
and the second highest priority becomes the standby RP. The default priority is 100.
Use the standby preempt command to enable preemption (disabled by default). HSRP
routers send out hellos every 3 seconds, with a hold-down period of 10 seconds.

Interface Tracking
In certain cases, it might be necessary for the active RP to step down from its
role and let another RP assume the role. Consider the example shown in Figure
7.3. In this example, RP-B is the active RP for VLAN 20. If RP-B fails, RP-A
notices this after missing the hello messages from RP-B. RP-A promotes itself
and starts forwarding frames that are destined to the virtual MAC address.

Figure 7.3 HSRP example. (RP-A and RP-B each have Interface vlan40 and Interface vlan20; RP-C and RP-D each have Interface vlan40 and Interface vlan30.)

Let's assume, however, that RP-B does not fail but instead its interface vlan40
fails (connected to the core), as shown in Figure 7.4. Without HSRP running, RP-B would detect the failure and generate an ICMP redirect message
to RP-A. This would allow RP-A to handle the redirected traffic. However,
if RP-A and RP-B are participating in an HSRP group, ICMP redirects are
disabled. This means that RP-B still functions as the active RP and handles
all traffic sent to the virtual MAC address. The problem that this causes is
that after the Layer-3 routing protocol has converged, the traffic still reaches its destination. However, to reach the destination, the traffic must pass
through both RP-B and RP-A, thus introducing unnecessary latency.

Figure 7.4 HSRP example without interface tracking. (Same topology as Figure 7.3; an X marks the failed Interface vlan40.)


To overcome this problem and still be able to deploy HSRP, you can employ
the HSRP interface tracking feature. Interface tracking allows the active RP
to lower its priority when one of the interfaces that it's tracking fails. This
would allow another RP to assume the active role. In the example shown in
Figure 7.4, RP-B, with interface tracking configured, would lower its priority, essentially telling the other RPs that it no longer wants to serve as the
active RP. When RP-A sees that RP-B is advertising a lower priority than
itself, RP-A promotes itself and handles all traffic destined for the virtual
MAC address. The advantage of this approach is that the traffic from the
user will only traverse one RP: RP-A.
To configure interface tracking, execute the following command on the
HSRP group interface:
Switch(config-if)# standby [group_#] track interface_type interface_# [decrement_value]

The track parameter is used to enter the interface that you want the HSRP
RP to track. If this interface fails, for whatever reason, the active RP decrements its HSRP priority by the configured value. Note that decrement_value
is optional and, if omitted, defaults to a decrement of 10 for the priority.
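To see why the decrement value and preemption matter together, here is an added Python model (not code from the book) of the Figure 7.4 scenario: RP-B active for VLAN 20 at priority 110 tracking vlan40, RP-A at priority 100 with preempt configured. The addresses 172.16.20.1 and 172.16.20.2 and the rule that a demoted active RP is replaced only by a peer that both preempts and now outranks it are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example, not the book's code: one HSRP group in which a
# tracked interface failure lowers the active RP's priority.


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # interface address, used as the tiebreaker
    priority: int = 100           # configured priority (default 100)
    preempt: bool = False         # standby preempt (off by default)
    tracked: dict = field(default_factory=dict)       # interface -> decrement
    down_interfaces: set = field(default_factory=set)

    def effective_priority(self):
        """Configured priority minus the decrement of every failed tracked
        interface (the CLI default decrement is 10), never below 0."""
        loss = sum(dec for intf, dec in self.tracked.items()
                   if intf in self.down_interfaces)
        return max(0, self.priority - loss)


def rank(router):
    """Election key: higher priority wins, higher IP address breaks a tie."""
    return (router.effective_priority(), int(ipaddress.IPv4Address(router.ip)))


def active_after_change(current_active, routers):
    """Who forwards for the group once priorities have changed.

    Assumption of this model: an active RP does not give up the role just
    because its priority dropped; a peer takes over only when that peer is
    configured to preempt and now outranks the current active RP.
    """
    challengers = [r for r in routers if r is not current_active and r.preempt]
    best = max(challengers, key=rank, default=None)
    if best is not None and rank(best) > rank(current_active):
        return best
    return current_active


def figure_7_4_scenario(decrement):
    """Replay the Figure 7.4 case for VLAN 20 with the given decrement on
    RP-B's tracked vlan40; return the name of the RP left active."""
    rp_a = HsrpRouter("RP-A", "172.16.20.1", priority=100, preempt=True)
    rp_b = HsrpRouter("RP-B", "172.16.20.2", priority=110,
                      tracked={"vlan40": decrement})
    active = active_after_change(rp_b, [rp_a, rp_b])   # healthy: still RP-B
    rp_b.down_interfaces.add("vlan40")                  # core uplink fails
    return active_after_change(active, [rp_a, rp_b]).name


def recovery_scenario(rp_b_preempts):
    """After RP-A has taken over, bring RP-B's vlan40 back up and report who
    is active: RP-B resumes its former role only if it is set to preempt."""
    rp_a = HsrpRouter("RP-A", "172.16.20.1", priority=100, preempt=True)
    rp_b = HsrpRouter("RP-B", "172.16.20.2", priority=110,
                      preempt=rp_b_preempts, tracked={"vlan40": 20},
                      down_interfaces={"vlan40"})
    active = active_after_change(rp_b, [rp_a, rp_b])   # RP-A preempted
    rp_b.down_interfaces.clear()                        # vlan40 recovers
    return active_after_change(active, [rp_a, rp_b]).name


if __name__ == "__main__":
    # The default decrement of 10 leaves RP-B at 100, tied with RP-A; the
    # higher IP address (RP-B) keeps the role and traffic still hairpins.
    print("decrement 10 ->", figure_7_4_scenario(10))
    # A decrement larger than the 10-point priority gap lets RP-A preempt.
    print("decrement 20 ->", figure_7_4_scenario(20))
    print("vlan40 back, RP-B without preempt ->", recovery_scenario(False))
    print("vlan40 back, RP-B with preempt ->", recovery_scenario(True))
```

The practical check this exposes: the decrement must exceed the priority gap between the active RP and its intended successor, and the successor must be configured to preempt, or the tracked failure changes nothing.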

Verifying HSRP
To verify the overall operation of HSRP, use the show standby command on
the RP:

Switch# show standby


Vlan 1 - Group 1
Local state is Active, priority 110, may preempt
Hellotime 3 holdtime 10
Next hello sent in 0:00:01
Hot standby IP address is 172.16.10.1 configured
Active router is local
Standby router is 172.16.10.2 expires in 0:00:07
Standby virtual mac address is 0000.0c07.ac01
Tracking interface states for 3 interfaces, 3 up:
Up Vlan1 Priority decrement: 10

In the preceding output, you can see that the active RP is 172.16.10.1 and
the standby RP is 172.16.10.2.
For a shorter description, add the brief parameter to the preceding command:

Router# show standby brief


Interface   Grp Prio P State     Active addr    Standby addr   Group addr
Vlan1       1   100    Standby   172.17.10.2    local          172.16.10.254


In this example, this router, for VLAN 1, is in a standby state and the virtual IP address for the standby group is 172.16.10.254.
For additional troubleshooting, you can use the debug standby command from
Privileged EXEC mode. This command displays all HSRP messages that have
been sent and received by the RP.

Single Router Mode Redundancy

Single Router Mode (SRM) provides an alternative type of redundancy in
which dual MSFC cards are installed on dual SEs and both MSFC cards are
in the active state and processing traffic. One of the problems of using two
active MSFC cards in the same chassis is that you have to configure them
separately unless you're using RPR or RPR+. SRM is different from RPR
and RPR+. SRM provides Layer 3 redundancy while RPR and RPR+ provide
card-level redundancy.
SRM has the following requirements:
The dual MSFC cards must run the same IOS software and have the
same configuration.
The SEs must be configured for high availability.

SRM Basics
With SRM, one MSFC card is the designated RP and the other is the nondesignated RP. The designated RP is responsible for forwarding all Layer 3
traffic. The nondesignated RP has the same configuration as the designated
RP and supports auto-synchronization between the designated and nondesignated RPs. Actually, you can configure only the designated RP. The nondesignated RP is in an operational state, but all of its interfaces are disabled
(down and down). The nondesignated card is invisible to other Layer 3
devices in the network; it's basically in a passive state. The nondesignated
card keeps tabs on the designated card.
SRM has the following advantages over HSRP:
Only one set of IP addresses is used, which conserves address space:
both the designated and nondesignated RPs use the same IP addresses.
Because only one RP is active at a time, there are fewer routing peers to
deal with, which simplifies the Layer 3 topology.
Configuration is simplified because only the designated RP has to be
configured, and its configuration is automatically synchronized with the
nondesignated RP.


SRM Operation
If the designated card fails, the nondesignated card enables its interfaces,
builds a routing table, and starts forwarding traffic. Here is a detailed list of
the steps that occur when the designated RP fails:
1. The nondesignated RP activates its interfaces.
2. The new designated RP begins to build a routing table.
3. The SE maintains the old FIB table for two minutes and uses this
information for multilayer switching.
4. After the new designated RP has built a routing table, a new CEF table
is built and downloaded from the MSFC to the SE. This is true
whether or not the RP has completed Layer 3 convergence.
SRM's advantages include the following: only one set of IP addresses, fewer RP
peers, and less configuration. Remember the four steps that SRM goes through
when the active MSFC card fails and the redundant card takes over.

SRM Configuration and Verification


Before you enable SRM, Cisco recommends that you save the configuration
on both MSFC cards (assuming that there is a preexisting configuration). Do
so by using the following command:
Switch# copy running-config bootflash:no_srm_config

You can actually use any name you want for the backup file. When this is
done, you're ready to enable SRM. The configuration of SRM is very simple:
Switch(config)# redundancy
Switch(config-r)# high-availability
Switch(config-r)# single-router-mode

Notice that you are taken into a Subconfiguration mode where you must
enter the high-availability and single-router-mode commands. After this is
done, you can use the show redundancy command to verify the configuration
of SRM:
Switch# show redundancy
Designated Router: 1
Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled


Virtual Router Redundancy Protocol


Virtual Router Redundancy Protocol (VRRP) performs a similar function to
Cisco's proprietary HSRP. The one major downside to HSRP is that it is a
proprietary protocol. VRRP, however, is an open standard and is defined in
the IETF's RFC 2338. Like HSRP, VRRP has end stations use a virtual
router as their default gateway. VRRP is supported for Ethernet media types as
well as in VLANs and MPLS VPNs.
VRRP and HSRP are very similar protocols. One main difference between
VRRP and HSRP is that HSRP uses a virtual IP address for the default gateway, whereas VRRP can use either a virtual IP address or the interface
address of the master router. If a virtual IP address is used, an election
process takes place to choose a master router. The router with the highest
priority is chosen as the master. All other routers are backup routers. If a real
IP address is used, the router that has that address assigned to its interface
must be the master router.
VRRP is an IP protocol and has an IP protocol number of 112. The VRRP
master router is responsible for generating VRRP multicast messages. It
sends these messages to the multicast address 224.0.0.18. The master typically
generates these messages every second. If the master VRRP router fails,
a backup VRRP router seamlessly processes the traffic sent to the master
router's IP address. VRRP supports preemption so that a failed master, after
it has been repaired, can resume its role as master. Note that the election trusts
whatever advertisements arrive on the segment, so a rogue host on the same VLAN
could claim a higher priority and become the gateway; keep untrusted hosts off
VLANs where gateways run VRRP or HSRP, or filter the hello traffic at the access ports.
VRRP supports Ethernet, VLANs, and MPLS VPNs. There is a master RP and backup RPs.
VRRP can use either a virtual IP address or an address from a router to
serve as the default gateway address. If a virtual address is used, the RP with the
highest priority is elected as master; if a physical IP address is used, the RP with
the configured address becomes the master. Hello messages are typically generated
as multicasts every second.
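The election, failover and preemption behaviour described above, as an added example written for this section rather than code from the book or from any VRRP implementation. Three details are taken from RFC 2338 rather than from the page: the router that owns the virtual IP runs at the reserved priority 255, ties break on the higher interface address, and the owner always preempts even when preemption is turned off for the group.

```python
"""VRRP master election with the address-owner rule and preemption.

Added illustration, not the book's code. Details from RFC 2338 that the
page does not state: owner priority 255, tie-break on higher interface
address, and the owner always preempts regardless of the preempt flag.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

OWNER_PRIORITY = 255   # reserved for the router that owns the virtual IP


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str
    priority: int = 100  # default for routers that do not own the address
    up: bool = True


@dataclass
class VrrpGroup:
    virtual_ip: str
    routers: List[VrrpRouter]
    preempt: bool = True
    master: Optional[str] = None

    def effective_priority(self, r: VrrpRouter) -> int:
        # A router whose interface holds the virtual IP must be master when up.
        return OWNER_PRIORITY if r.interface_ip == self.virtual_ip else r.priority

    def best_candidate(self) -> VrrpRouter:
        alive = [r for r in self.routers if r.up]
        if not alive:
            raise RuntimeError("no live router in the VRRP group")
        return max(alive, key=lambda r: (self.effective_priority(r), IPv4Address(r.interface_ip)))

    def elect(self) -> str:
        """Run an election and return the master's name."""
        current = next((r for r in self.routers if r.name == self.master and r.up), None)
        best = self.best_candidate()
        owner_back = self.effective_priority(best) == OWNER_PRIORITY
        if current is not None and not self.preempt and not owner_back:
            return self.master          # a live master keeps its role without preemption
        self.master = best.name
        return self.master

    def fail(self, name: str) -> str:
        """Mark a router down (its advertisements stopped) and re-elect."""
        for r in self.routers:
            if r.name == name:
                r.up = False
        return self.elect()

    def repair(self, name: str) -> str:
        """Bring a router back; with preemption on it may reclaim mastership."""
        for r in self.routers:
            if r.name == name:
                r.up = True
        return self.elect()
```

With the virtual IP set to R1's interface address, R1 is master whenever it is up no matter how the numeric priorities are set; with a purely virtual address and preemption disabled, the current master keeps its role when a repaired peer returns.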

Gateway Load Balancing Protocol


The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol,
like HSRP. One of the limitations of HSRP and VRRP is that only one router in
the group is active and can forward traffic for the group; the rest of the routers
sit idle. This is inefficient: one or more RPs process no traffic, and the bandwidth
of the links those RPs are connected to goes unused.
Cisco designed GLBP to rectify this issue. GLBP keeps a single virtual IP
address for the group but hands out several virtual MAC addresses to end
stations, so that up to four RPs in the group can participate in the forwarding
of traffic. Plus, if a GLBP RP fails, fault detection occurs automatically and
another GLBP RP picks up the forwarding of packets for the failed RP.

GLBP Operation
In GLBP, there are two types of routers: Active Virtual Gateway (AVG) and
Active Virtual Forwarder (AVF). The AVG is the master gateway device and
is responsible for assigning virtual MAC addresses to end stations when the
end stations perform an ARP for the GLBP default gateway address. Basically,
the AVG is responsible for address management in the GLBP group.
An AVF is an RP that forwards traffic for a GLBP group. The AVG is also an
AVF. Basically, up to four RPs configured in the same GLBP group are AVFs.
I'll use Figure 7.5 to give a basic illustration of how GLBP works. In this
example, RP-A is the master (AVG). When PC-A sends an ARP request for
the default gateway MAC address, the AVG is responsible for responding
back with a virtual MAC address to the end station. In this example, it
responded back with its own virtual MAC address. PC-B then ARPs for the
same gateway address. Based on the load-balancing algorithm used by GLBP,
RP-A this time responds back with a different virtual MAC address (RP-B's).
Load balancing is discussed in the next section. As you can see from this
example, both RP-A and RP-B are forwarding traffic for the same VLAN.

Figure 7.5 GLBP operation.








GLBP also supports interface tracking. With interface tracking, if a tracked
interface on an AVF fails, the AVF demotes itself and another AVF picks up
the forwarding associated with the failed AVF's virtual MAC address. This
process is similar to HSRP's interface tracking feature.
GLBP is an enhanced version of HSRP. It enables you to have multiple RPs in the
group forwarding traffic. The AVG is responsible for address management in the
GLBP group. An AVF is an RP that forwards traffic for a GLBP group. The AVG is also
an AVF. Up to four RPs in the same GLBP group are AVFs.

Load Balancing with GLBP


Multiple RPs can be used to forward traffic with GLBP to perform load balancing. GLBP supports three methods of load balancing:
Round-robin
Weighted
Host-dependent

The default method of load balancing is round-robin. With round-robin
load balancing, the AVG assigns a different AVF's virtual MAC address to
each client in turn. If you have two RPs and six clients, three clients will use
the AVG and three will use the other AVF.
With weighted load balancing, a weighting factor is used to determine which
AVF's address the AVG assigns to an end station. This enables you to tune
GLBP so that a larger share of hosts use one RP rather than another if there
is a difference in processing power or link capacity between the RPs.
With host-dependent load balancing, a host is assigned the same virtual gateway
MAC address each time it ARPs. However, if the RP associated with this address
fails, another RP within the GLBP group picks up the forwarding so that
redundancy is still provided.
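The AVG's side of the behaviour described in the GLBP operation and load-balancing sections, as an added example, not code from the book or from Cisco IOS. The following are assumptions made for the illustration and not details stated on the page: virtual MACs are laid out as 0007.b400.GGFF (GG = group number, FF = forwarder number), weighted balancing hands out replies in proportion to each AVF's weight, and host-dependent balancing hashes the client's IP address with SHA-256.

```python
"""GLBP address management by the AVG: virtual MAC assignment under the three
load-balancing methods, and takeover of a failed AVF's virtual MAC.

Added illustration, not the book's or Cisco's code. Assumed here: MAC layout
0007.b400.GGFF, proportional weighting, SHA-256 for host-dependent hashing.
"""
import hashlib
from typing import Dict, List


def virtual_mac(group: int, forwarder: int) -> str:
    return f"0007.b400.{group:02x}{forwarder:02x}"


class GlbpAvg:
    def __init__(self, group: int, avfs: Dict[str, int], method: str = "round-robin"):
        # avfs maps AVF name -> weight; the AVG itself is one of the AVFs
        if not 1 <= len(avfs) <= 4:
            raise ValueError("a GLBP group has one to four AVFs")
        if any(w <= 0 for w in avfs.values()):
            raise ValueError("weights must be positive")
        if method not in ("round-robin", "weighted", "host-dependent"):
            raise ValueError(method)
        self.group, self.method, self.weight = group, method, dict(avfs)
        self.alive = {name: True for name in avfs}
        self.primary = {n + 1: name for n, name in enumerate(avfs)}  # forwarder number -> its own AVF
        self.owner = dict(self.primary)                               # who answers for it right now
        self.served = {f: 0 for f in self.primary}
        self._rr = 0

    def _advertised(self) -> List[int]:
        # The AVG only hands out MACs whose primary AVF is still alive.
        return [f for f, name in self.primary.items() if self.alive[name]]

    def arp_reply(self, client_ip: str) -> str:
        """Virtual MAC returned to client_ip when it ARPs for the gateway."""
        fwds = self._advertised()
        if self.method == "round-robin":
            f = fwds[self._rr % len(fwds)]
            self._rr += 1
        elif self.method == "weighted":
            # pick the forwarder furthest below its weighted share
            f = min(fwds, key=lambda k: self.served[k] / self.weight[self.primary[k]])
        else:
            digest = hashlib.sha256(client_ip.encode()).digest()
            f = fwds[int.from_bytes(digest[:4], "big") % len(fwds)]
        self.served[f] += 1
        return virtual_mac(self.group, f)

    def fail(self, name: str) -> None:
        """An AVF went down: a surviving AVF takes over its virtual MAC, so
        clients that cached that MAC keep a working gateway without re-ARPing."""
        self.alive[name] = False
        survivors = [n for n, up in self.alive.items() if up]
        if not survivors:
            raise RuntimeError("no live AVF left in the group")
        for f, current in self.owner.items():
            if current == name:
                self.owner[f] = survivors[0]

    def forwarder_for(self, vmac: str) -> str:
        """Which AVF currently forwards frames sent to this virtual MAC."""
        return self.owner[int(vmac[-2:], 16)]
```

Two RPs and six clients under round-robin give the three-and-three split the text describes; with weights 3 and 1, eight ARP replies split six to two. The simplification here is that the AVG stops advertising a failed forwarder's MAC at once, whereas real GLBP keeps handing it out until a redirect timer expires.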

Server Load Balancing


Server Load Balancing (SLB) provides a simple form of load balancing for
critical services in your network. In SLB, you have two types of servers: virtual and real. The virtual server is the server that end stations send their
TCP/IP requests to. The IOS SLB software then redirects this request to a
real server in your network. Because most clients use DNS to resolve DNS
names to IP addresses, make sure that your DNS server contains the virtual
IP address used by SLB.


SLB provides the following advantages:
It's easy to perform maintenance on a physical server in the server group
by removing the redirection entry in the IOS.
The real addresses are not known to outside devices. This hides the server
topology from clients, but it is not a substitute for hardening the real
servers themselves; anything that can reach them directly bypasses SLB.
Because end-station requests are distributed among a group of servers,
higher performance can be achieved.
If you need to move your group of servers or change their IP addresses,
end stations don't need to know about these changes because they're
made on the IOS device performing SLB.

SLB Operation
SLB operates by having end stations send their traffic to a virtual IP address.
SLB has a group of real servers associated with the virtual IP address and
redirects the request to one of those servers. SLB can forward the redirected
traffic in one of two modes:
Directed mode
Dispatched mode

With directed mode, the IP address chosen for the virtual address is not
configured on any of the servers in the SLB group. In this sense, it is similar to
the virtual address used by HSRP. In directed mode, SLB performs Network
Address Translation (NAT) on the packets to and from the real server.
In dispatched mode, the virtual IP address you choose is also configured on all
the real servers, and the real servers must be Layer 2 adjacent to the SLB device.
When in dispatched mode, SLB leaves the IP header alone and rewrites the
destination MAC address to the real MAC address of the server that will
receive the traffic. The best way to remember the difference between directed
and dispatched mode is that directed mode basically performs at Layer 3 while
dispatched mode performs at Layer 2.
SLB has end stations send their traffic to a virtual IP address. SLB has a group of
real servers associated with the virtual IP address and redirects the request to one
of the real servers. In directed mode, the virtual IP address is unknown to the real
servers: SLB performs NAT on the packet. In dispatched mode, the real servers know
about the virtual IP address: SLB changes the destination MAC address to one of the
real servers' MACs.
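The two forwarding modes described above, as an added example that is not the book's code nor Cisco's. Packets are modelled as plain dicts; ServerFarm, VServer and the client restriction mirror the ip slb serverfarm, ip slb vserver and client commands covered later in this chapter. Assumed for the illustration: real servers are picked round-robin among those in service, and an established client flow (source IP and port) sticks to its real server unless that server is taken out of service.

```python
"""Packet rewriting in IOS SLB's directed (Layer 3 NAT) and dispatched
(Layer 2 MAC rewrite) modes. Added illustration, not the book's code.
Assumed: round-robin selection among in-service reals, per-flow stickiness.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]


class ServerFarm:
    def __init__(self, name: str, reals: Dict[str, str]):
        # reals maps each real server IP to its MAC (needed in dispatched mode)
        self.name = name
        self.reals = dict(reals)
        self.inservice = {ip: True for ip in reals}   # 'inservice' per real
        self._rr = 0

    def pick(self) -> str:
        live = [ip for ip, up in self.inservice.items() if up]
        if not live:
            raise RuntimeError(f"serverfarm {self.name}: no real server in service")
        real = live[self._rr % len(live)]
        self._rr += 1
        return real


class VServer:
    def __init__(self, name: str, virtual_ip: str, port: int, farm: ServerFarm,
                 mode: str = "directed", client_net: str = "0.0.0.0/0"):
        if mode not in ("directed", "dispatched"):
            raise ValueError(mode)
        self.name, self.virtual_ip, self.port, self.farm, self.mode = name, virtual_ip, port, farm, mode
        self.allowed = ip_network(client_net)          # the optional 'client' restriction
        self.sticky: Dict[Tuple[str, int], str] = {}   # (client ip, client port) -> real ip

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Client-to-server direction; None means SLB leaves the packet alone."""
        if pkt["dst_ip"] != self.virtual_ip or pkt["dst_port"] != self.port:
            return None
        if ip_address(pkt["src_ip"]) not in self.allowed:
            return None
        key = (pkt["src_ip"], pkt["src_port"])
        real = self.sticky.get(key)
        if real is None or not self.farm.inservice[real]:
            real = self.farm.pick()                    # new flow, or its real was taken out of service
            self.sticky[key] = real
        out = dict(pkt)
        if self.mode == "directed":
            out["dst_ip"] = real                        # Layer 3: NAT virtual IP -> real IP
        else:
            out["dst_mac"] = self.farm.reals[real]      # Layer 2: real server already holds the VIP
        return out

    def reverse(self, pkt: Packet) -> Packet:
        """Server-to-client direction; only directed mode has to undo the NAT."""
        out = dict(pkt)
        if self.mode == "directed" and pkt["src_ip"] in self.farm.reals:
            out["src_ip"] = self.virtual_ip
        return out
```

In directed mode the client's packet leaves with the real server's IP address and the reply is rewritten back to the virtual IP; in dispatched mode the IP header is untouched and only the destination MAC changes, which is why the real servers must hold the virtual address themselves and sit on the same Layer 2 segment.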

SLB Configuration and Verification


When configuring SLB, you actually perform two sets of configurations: You
define the real servers and define the virtual address. The first thing you need
to do is to define your server farm, which specifies the IP addresses your real
servers are using. Here's the configuration to use:
Switch(config)# ip slb serverfarm server_farm_name
Switch(config-slb-sfarm)# real real_IP_address_of_the_server
Switch(config-slb-real)# inservice
Switch(config-slb-real)# exit

The first command, ip slb serverfarm, assigns a name to the group of real
servers and takes you into a subconfiguration mode to specify your real servers'
IP addresses. Use the real command to specify the IP address used on the
server's NIC. When you've entered the real command, you're taken into a
sub-subconfiguration mode, where you must enable the use of the real server
with the inservice command. To add another server, use the exit command to
back up one level and use the real command again to enter the next server's
IP address.
When you've created your group of servers, you're ready to associate them
with a virtual IP address. Use the following configuration to do so:
Switch(config)# ip slb vserver virtual_server_name
Switch(config-slb-vserver)# virtual IP_address [tcp|udp port_#]
Switch(config-slb-vserver)# serverfarm server_farm_name
Switch(config-slb-vserver)# inservice
Switch(config-slb-vserver)# client IP_address [subnet_mask]

To create your virtual server information, use the ip slb vserver command.
This command assigns a name to your virtual server and takes you into a
subconfiguration mode. In the subconfiguration mode, use the virtual command
to assign the virtual IP address used by the end stations. You can optionally
specify that only traffic destined to the configured TCP or UDP port number
should be redirected; you can specify the port number or its name.
Follow this with the serverfarm command, which references the name of the
server farm you created with the ip slb serverfarm command discussed
previously. The inservice command activates the use of SLB with the virtual
address. Optionally, you can use the client command to restrict which end
stations can use SLB; by default, all end stations use SLB if they have the
virtual IP address in their packets. You can use the subnet mask value to cover
a single client or a range of client addresses. Treat this as a convenience filter
rather than an access control: it matches on source addresses, which a client can spoof.
After you've configured SLB, you can use a handful of show commands to verify
your configuration:
Switch# show ip slb {vserver | cons | stats}


Here's an example of the preceding show command with the vserver parameter:
Switch# show ip slb vserver
slb vserver      prot  virtual              state         cons
---------------- ----- -------------------- ------------- ----
HTTP_Server      TCP   192.168.1.5:80       OPERATIONAL   0

In this example, one virtual server is configured, 192.168.1.5, for TCP port 80
(HTTP) traffic, and it is enabled with the inservice command (state OPERATIONAL).
Here's an example with the cons parameter:
Switch# show ip slb cons
vserver       prot  client            real           state    nat
------------------------------------------------------------------
HTTP_Server   TCP   200.200.200.20    192.168.1.10   CLOSING  none

This command shows the connections that SLB is tracking. In this example, a TCP
HTTP connection between an end station (200.200.200.20) and a real server
(192.168.1.10) is being closed (state CLOSING); the nat column reads none, so no
address translation was applied to this connection.

Summary
To reach a high level of availability, you have to focus on these areas: network
device reliability, device redundancy, link redundancy, fast convergence, a
correct network design, and a well-documented network. There are two
general types of redundancy: component and chassis. Component redundancy provides protection against a component failing inside a chassis. Chassis
redundancy protects against failure of a device.
In hardware redundancy, if you're going to have dual SEs, they must be in
slots 1 and 2. The secondary SE is in a standby state, with the exception of
its uplink interfaces, which can be used. RPR provides hardware redundancy
for the MSFC and PFC cards. The primary SE uses its own MSFC card,
whereas the secondary is in a standby state. When a switchover occurs, it can
take from 2 to 4 minutes because the MSFC card must be initialized. A
switchover occurs if the MSFC and PFC fail on the primary, there is a clock
synchronization problem, or a manual switchover is initiated. RPR+ has the
secondary MSFC fully operational, which means the switchover takes only
30 to 60 seconds. To configure RPR+, use the redundancy and mode rpr-plus commands.
Proxy ARP allows for a basic level of redundancy for default gateways: if a
device ARPs for a destination that is not on the same segment, a Cisco router
can respond back with its own MAC address. Proxy ARP copes poorly with
failure of the default gateway, though it is commonly used to discover one
dynamically. IRDP uses ICMP to dynamically discover default gateways. RPs
announce themselves and then end stations use them. The problem with IRDP
is that when an active RP fails, it can take up to 30 minutes for the end station
to start using another RP.
HSRP is a Cisco-proprietary protocol that provides default gateway redundancy
and is invisible to the end stations in the VLAN. A single virtual IP
and MAC address is used per group. An active RP, elected as the RP with the
highest priority (or highest IP address, if a tie occurs), forwards traffic. A standby
RP monitors the active RP. There are six states an HSRP RP might go through:
initial, learning, listening, speaking, standby, and active. An RP goes into the
speaking state when an election occurs, or if it is the active or standby RP.
The active RP can tell the rest of the RPs about the virtual addresses. To
enable HSRP, use the standby ip command on an RP's interface. HSRP supports
both preemption and interface tracking.
SRM provides Layer 3 redundancy between dual MSFC cards. One is the
designated RP and the other is nondesignated. The nondesignated RP is
operational, but all of its interfaces are disabled. SRM's advantages include
using only one set of IP addresses, fewer RP peers, and configuration that needs
to be done only on the designated RP.
VRRP is an open standard for default gateway redundancy and works on
Ethernet, VLANs, and MPLS VPN media types. VRRP has a master and
backup RPs. Either a virtual IP address or a real IP address (of the master) is
used.
GLBP is an enhanced version of HSRP. It allows for up to four RPs to forward
traffic for the group. RPs are grouped together and each group is assigned one
or more virtual addresses. The AVG is responsible for address management,
whereas the AVFs forward traffic; the AVG is also an AVF. GLBP supports
three types of load balancing: round-robin (default), weighted, and host-dependent.
SLB allows an IOS RP to load-balance traffic across a group of real servers.
An end station sends traffic to a virtual IP address and the RP forwards this
traffic to one real server in the SLB group. In directed mode, SLB performs
NAT on the end station's packet; in dispatched mode, SLB puts a real server's
MAC address in the frame but leaves the virtual IP address as is (it is
assumed that the real server knows about the virtual address).


Exam Prep Questions


Question 1
You currently have a primary SE in slot 1. Youve purchased a second SE. What
slot or slots can you put this card in to provide redundancy with your SEs?
A. Slot 2
B. Slot 2 or 5
C. Any slot
D. No redundancy is supported

Answer A is correct. To provide redundant SEs, the two SEs must be in
slots 1 and 2. Therefore, answers B and C are incorrect. Answer D is incorrect
because redundancy is supported.

Question 2
Youve configured RPR on your Catalyst 6500 switch. Which of the following
does not cause a switchover?
A. Failed PFC
B. Clock synchronization failure
C. Failed line card
D. None of these

Answer C is correct. RPR provides redundancy for the MSFC and PFC, not
line cards. Answers A and B will cause a failover and are therefore incorrect.
Because there is a correct answer, answer D is incorrect.

Question 3
Which of the following uses ICMP to discover default gateways?
A. Proxy ARP
B. IRDP
C. RIP
D. DHCP


Answer B is correct. IRDP allows RPs to announce themselves via ICMP
multicast messages. Answer A is incorrect because Proxy ARP has an RP pretend
to be a destination on a different subnet, responding to an end station's ARP
request with the RP's MAC address. Answer C is incorrect because RIP is a
routing protocol that uses UDP, not ICMP. DHCP is built on BOOTP, which also
runs over UDP, making answer D incorrect.

Question 4
If a default gateway fails and youre using IRDP, it can take up to __________
minutes to discover an alternative default gateway.
A. 5
B. 10
C. 15
D. 30

Answer D is correct. The hold-down timer for IRDP is typically 30 minutes,
making answers A, B, and C incorrect.

Question 5
Which of the following MAC addresses is an example of a MAC address used by
HSRP group 10?
A. 0000.0c07.ac10
B. 0000.0c07.ac0a
C. 0000.aaaa.ac0a
D. 0000.0c11.ac0a

Answer B is correct. HSRP virtual MAC addresses begin with 0000.0c07.ac and are
followed by the group number in hex: group 10 is 0a. Answer A is incorrect because
ac10 is group 16 (0x10), not group 10. Answers C and D are incorrect because they
begin with the wrong MAC address prefix.


Question 6
HSRP routers send out hellos every _________ seconds.
A. 1
B. 3
C. 5
D. 10

Answer B is correct. HSRP routers send out hellos every 3 seconds, by
default. Therefore, answers A, C, and D are incorrect.

Question 7
In which HSRP state does an election process occur?
A. Listening
B. Speaking
C. Standby
D. Initial

Answer B is correct. Answer A is incorrect because in the listening state an RP
already knows the virtual IP address and only listens for hellos from the active
and standby RPs. Only the standby RP enters the state in answer C,
making it an incorrect answer. In the initial state, the RP is not participating
in HSRP yet, making answer D incorrect.

Question 8
Which command enables HSRP on an RP?
A. (config)# hsrp enable
B. (config-if)# standby enable
C. (config-if)# standby ip
D. (config-if)# hsrp enable

Answer C is correct. Use the standby ip command on an interface to enable
HSRP. Answers A, B, and D are invalid commands, making them incorrect
answers.


Question 9
What type of redundancy can use either a virtual or real address for a default
gateway?
A. HSRP
B. VRRP
C. GLBP
D. SLB

Answer B is correct. VRRP can use either a virtual or real address of a default
gateway when providing redundancy. Answers A and C are incorrect because
only a virtual address can be used. SLB can use both sets of addresses, but
only for load balancing to servers, not for default gateway redundancy, making answer D incorrect.

Question 10
With GLBP, how many RPs in a group can forward traffic?
A. 1
B. 2
C. 4
D. As many as there are in the VLAN

Answer C is correct. GLBP supports up to four AVFs in a group. Answer A
would be true for HSRP, but false for GLBP. Answer B is not true. Answer
D might be true if there were only four RPs in the VLAN, but the question
asks about a group, making this answer false.

Need to Know More?

For information about power redundancy, visit http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080179594.html

For information about SE redundancy and RPR and RPR+, visit http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080179595.html


For general information about redundancy and SRM on the Catalyst 6500, visit http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007fb28.html

For information about HSRP, visit http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#19804

For information about VRRP, visit http://www.cisco.com/en/US/products/sw/iosswrel/ps1612/products_feature_guide09186a0080080a60.html

For information about GLBP, visit http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html

For information about SLB, visit http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75d.html

Chapter 8
Multicasts

Terms you'll need to understand:
Unicast, broadcast, and multicast
Internet Group Management Protocol (IGMP)
Source-based and shared distribution trees
Protocol Independent Multicast (PIM) routing protocol
IGMP snooping
Cisco Group Management Protocol (CGMP)

Techniques you'll need to master:
Using multicast addresses
Knowing the similarities and differences between IGMPv1, v2, and v3
Knowing the differences between PIM sparse and dense modes
Configuring and verifying PIM


The bulk of communications in campus networks today involve unicast traffic.
Because of the deployment of video applications in a campus network, as
well as broader use of multicast applications on the Internet, bandwidth on
campus networks is becoming saturated. Those campus network video applications
might include desktop video conferencing, LAN TV and radio, and
collaborative computing. A multicast, like a unicast, is both a Layer 2 and
Layer 3 process. However, with a multicast, a group of machines can be the
destination of the traffic, whereas a unicast has only one destination.
As an example, consider a LAN-based TV multicast application that generates
1Mbps of traffic from the server. By default, this traffic must be dispersed to
every segment that has a participating multicast client. Because of the increased
use of these applications, it is critical to understand traffic and bandwidth
characteristics when designing a scalable network that won't affect every end station.

Overview of Traffic Types


Before getting too far ahead, let's first discuss the three methods used to send
data: unicasts, broadcasts, and multicasts.

Unicasts
Unicasts are the most common form of communication because most traffic
that is generated is sent to a specific machine, such as accessing a Web page
or sending an email to an SMTP server.
With unicasts, a separate packet must be sent to each destination. In a shared environment, every network device on the segment will see the packet, but only the actual destination will process it. In a switched environment, only devices on the source
and destination segments will actually see the frame.

In an environment in which the server must send the same information to
numerous clients, a scalability problem is created, especially if the information
is a live video feed. As an example, assume that a video server will be sending a
1Mbps video feed to its participating clients. If 100 clients are participating, the
video server would have to generate 100 separate 1Mbps video feeds, totaling
100Mbps of bandwidth. Because of this scalability problem, unicasting is
typically used in environments where very few end stations need to see the
information from the server. Unicasting is also used when two or more
clients need different kinds of information from the same server.


Broadcasts
To solve the scalability problem of unicasts, you could use broadcasts to
disseminate the server's information to all the participating clients.
When a broadcast packet is generated, everyone in the broadcast domain will see
this packet and process it.

In a broadcast design, the server generates a single packet that every client
will see. One advantage of this approach is that no matter how many clients
are participating in the application, the server generates only one feed. Using
the previous example of 100 clients, only 1Mbps of bandwidth is used to
generate the video feed.
Unfortunately, broadcasts have some downsides. Because of the way broadcasts
are implemented, they traverse every segment in a VLAN. Also, when
an end station receives this broadcast, the NIC assumes that the frame is to
be processed, even if the application isn't running on the end station, which
costs it CPU cycles. Another problem is that if the server is in one broadcast
domain and the clients are in another, an RP, by default, will not forward
the broadcast traffic. Recall that an RP is a Layer 3 device with a route
processor.

Multicasts
Because of the issues associated with unicasts and broadcasts for disseminating
information to many end stations, the recommended approach is to use multicasts.
When a multicast frame is generated, everyone in the broadcast domain will see this
packet, but only a group of machines, those running that multicast application, will
process it. Multicasting is the transmission of a packet to a host group, which can
contain from zero to many end stations. Like broadcasts, they are sent with best
effort reliability: there's no guarantee that all the machines will see the multicast.

A multicast combines the advantages of broadcasts and unicasts. The server
generates only a single data feed that will be received by all the end stations,
thus reducing the bandwidth impact on your network. As with broadcasts, the
server has no idea which end stations are actually participating or what their
addresses are. To reduce the processing cycles that broadcasts impose on an end
station, multicasts give the NIC the capability to determine, at Layer 2, whether
to send the frame to the CPU for further processing or to discard it. This creates
a more user-friendly environment for the end station. Like unicasts, multicast
traffic can be intelligently routed to only those segments that have participating
end stations.
Here are some important characteristics of multicast traffic:
Capability to send traffic to any number of end stations, from zero upward.
Designed to accommodate clients dynamically joining and leaving the
multicast application.
Allows an end station to simultaneously participate in multiple multicast
applications.
Like broadcasts, multicasts provide best effort delivery of information;
there's no guarantee that all the server information will get to the end
station.
Uses a separate multicast address for each multicast application.
With TCP/IP, multicasting is implemented using UDP. UDP provides no error
correction, no flow control, and no reliability, unlike TCP. However, UDP has much
less overhead in its packet header, making it a more efficient protocol to use when
disseminating a large multicast stream of data.

To receive multicast information, a device joins a multicast group. A multicast
group is a loose grouping of devices that want to receive the same information.
The membership of the group is dynamic: end stations can come and go as they
choose. When an end station joins a particular multicast group, it processes
traffic sent to the destination multicast address. When an end station leaves a
multicast group, it ignores multicast information sent to it for the old group.

Multicast Addressing
Because networking devices talk to each other with both Layer 3 and Layer
2 addresses, multicasting must address both these issues. There must be a
Layer 3 destination address that the multicast server can use to send out its
traffic feed to any participating end stations. There also must be a Layer 2
address that NICs can use to correctly process the information. Within IP,
Class D addresses have been reserved for Layer 3 addressing.

With Class D addresses, the first four high-order bits are 1110, providing addresses
ranging from 224.0.0.0 through 239.255.255.255; the remaining 28 bits form the
multicast group ID. To provide a Layer 2 MAC address, the low-order 23 bits of the
group ID are copied into the end of the reserved MAC range 0100.5e00.0000 through
0100.5e7f.ffff. Because 5 bits of the group ID are dropped, 32 different multicast
groups map to the same MAC address, so a NIC filtering on that MAC still passes
frames for the other 31 groups up to the host.

The Internet Assigned Numbers Authority (IANA) is responsible for the
assignment of multicast addresses for vendors that need them for multicast
applications. Multicast addresses are broken into the following groups:
Reserved link local addresses: They range from 224.0.0.0 to 224.0.0.255 and
are used to communicate with devices on the same LAN segment. The TTL
(Time-To-Live) field is set to 1 and routers never forward these multicasts.
Table 8.1 displays some of the most often used reserved link local multicast
addresses.
Globally scoped addresses: They range from 224.0.1.0 to 238.255.255.255 and
are like public IP addresses: They're used to transmit multicast information
across a public network.
Source-specific addresses: They range from 232.0.0.0 to 232.255.255.255.
They're used by an extension of the Protocol Independent Multicast (PIM)
routing protocol, called Source Specific Multicast (SSM).
GLOP addresses: They range from 233.0.0.0 to 233.255.255.255, reserved in
RFC 2770. These addresses are reserved for sites with assigned autonomous
system (AS) numbers. The 16-bit autonomous system number is converted into
hexadecimal and the resulting four hexadecimal digits are broken into two
sets. These two hexadecimal numbers are then converted to decimal and are
inserted into the second and third octets of the multicast address (equivalently,
the high-order byte of the AS number becomes the second octet and the
low-order byte the third). The fourth octet can then be used for specific
multicast addresses for the AS. For example, if you had an AS number of 62009,
it would be F239 in hex. Convert F2 and 39 to decimal and you have 242 and 57,
which results in the following multicast range: 233.242.57.0 through 233.242.57.255.
Limited scope addresses: They range from 239.0.0.0 to 239.255.255.255.
They're private (administratively scoped) multicast addresses assigned in RFC 2365
and can be used only within an organization: They cannot be used in a public
network. In this sense, they're like private IP addresses.
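The scope classification, the GLOP derivation and the 23-bit IP-to-MAC mapping from the two passages above, as an added example that is not part of the book. The facts it relies on are the ranges listed above and the mapping rule from RFC 1112 (low-order 23 bits of the group address into the 01-00-5e prefix); everything else is ordinary address arithmetic.

```python
"""Multicast address helpers: scope lookup, GLOP range for an AS number,
group-to-MAC mapping, and the 32 groups that collide on one MAC.

Added illustration, not the book's code. Uses the ranges from the text
plus the RFC 1112 rule that only the low 23 bits of the group address
survive in the Ethernet address 01-00-5e-xx-xx-xx.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List

SCOPES = [
    ("reserved link-local", IPv4Network("224.0.0.0/24")),
    ("source-specific (SSM)", IPv4Network("232.0.0.0/8")),
    ("GLOP", IPv4Network("233.0.0.0/8")),
    ("limited (administratively) scoped", IPv4Network("239.0.0.0/8")),
]


def scope_of(addr: str) -> str:
    """Classify a group address; anything else in 224/4 is globally scoped."""
    ip = IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    for name, net in SCOPES:
        if ip in net:
            return name
    return "globally scoped"


def glop_range(asn: int) -> IPv4Network:
    """RFC 2770: 233.<high byte of AS>.<low byte of AS>.0/24."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP covers 16-bit AS numbers only")
    return IPv4Network(f"233.{asn >> 8}.{asn & 0xFF}.0/24")


def multicast_mac(addr: str) -> str:
    """Map a group address to its Ethernet MAC in Cisco dotted-hex form."""
    ip = IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    mac = 0x01005E000000 | (int(ip) & 0x7FFFFF)   # keep the low 23 bits only
    return f"{mac >> 32:04x}.{(mac >> 16) & 0xFFFF:04x}.{mac & 0xFFFF:04x}"


def groups_sharing_mac(addr: str) -> List[str]:
    """The 32 group addresses whose frames a NIC filtering on addr's MAC
    still passes up to the host (the 5 dropped bits are ambiguous)."""
    low23 = int(IPv4Address(addr)) & 0x7FFFFF
    return [str(IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]
```

For AS 62009 the function returns 233.242.57.0/24, matching the worked example above, and 224.1.1.1 and 225.1.1.1 both map to 0100.5e01.0101, which is why the operating system, not the NIC, makes the final decision on which group traffic to accept.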

08 9911 ch08 10/10/03 1:59 PM Page 222

222 Chapter 8
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 8.1 Common Multicast Addresses

Address      Description
224.0.0.1    Used to send information to all multicast devices in a subnet
224.0.0.2    Used to send information to all multicast RPs in a subnet
224.0.0.5    Used by OSPF routers
224.0.0.6    Used to send routing information to OSPF designated routers
224.0.0.13   Used by PIM RPs

All messages sent to the group address 224.0.0.1 (the all-host group) have their TTL
field in the IP packet set to 1. This ensures that the RP will not forward them to other
segments.

Client Registration
One of the issues that must be dealt with in multicasting is the discovery of
the end stations that will be participating in a multicast group. Preferably,
you want the end stations to advertise the fact that they will be participating
and have your RPs and switches use this information to intelligently forward
multicast traffic from the multicast server to the end stations. Without this
type of information, the network would have to flood the traffic to every
segment.
The solution provided for IP networks is called the Internet Group
Management Protocol (IGMP), which works between end stations and RPs.
End stations send out advertisements to the RPs, denoting which multicast
application (or applications) they're participating in. The RPs then forward
the multicast traffic from the server to the client's segment. The RP
maintains a list of participating clients, updating it as clients join and
leave multicast groups. To ensure the validity of its client list, the RP
periodically sends out a query to the end stations on its different
segments. In this manner, the RP forwards multicast traffic only to segments
that have active multicast clients. RPs then share this information with
each other via a multicast routing protocol so that multicast traffic from a
server can be routed to participating end stations. As long as there's one
active station on a given segment, the RP continues to forward the multicast
stream to the segment.

Overview
IGMP provides a standardized, dynamic, client registration process in which
clients advertise the multicast applications they want to participate in to
their connected RPs. The three different versions of IGMP are v1, v2, and v3.
In all versions of IGMP, you'll find two basic components: multicast hosts
and multicast queriers. These two components share two different types of
messages:

- Query messages are used by the RP to discover the end stations on a
  segment that are participating in a multicast group.
- Report messages are used by end stations in response to the RP's query
  message to notify the RP of their participation in a multicast group.

The relationship between multicast querier and host is a loose one. Hosts
come and go as they please, based on the user starting or stopping a
multicast application. Likewise, senders of multicast information (the RPs)
do not have to be members of the multicast group to participate in the
multicast process. All versions rely on the use of Class D IP multicast
addresses to differentiate between the multicast applications.

IGMPv1
IGMP is an IP protocol. Using 28-byte IP packets, information is transmitted to members of the multicast groups. The top part of Figure 8.1 displays
the format of an IGMPv1 message.

IGMPv1:  Version (4 bits) | Type (4 bits) | Unused (8 bits) | CRC (16 bits) | IGMP Group Multicast Address (32 bits)
IGMPv2:  Type (8 bits) | Maximum Response Time (8 bits) | CRC (16 bits) | IGMP Group Multicast Address (32 bits)

Figure 8.1 IGMPv1 and v2 packet formats.

There's a 4-bit version field, which is set to 1 for IGMPv1 messages, and a
4-bit type field that defines which of the two message types this is: either
a host membership query or a host membership report. The last part of the
message is the multicast group address of the application. For query
messages, this field contains zeroes and is ignored by the end stations. For
report messages, the field contains the multicast address of the application
that the host is participating in.

Joining a Group Using IGMPv1


Membership in a multicast group is a dynamic process: users join and leave
with a click of a button on their desktop. To begin with, hosts do not have to
wait for the RP to generate a query message. When a host wants to join a
multicast group, it generates an IGMP message that contains the group
address of the multicast application in which it wants to participate. This
message is called a host membership report and is sent to the all-router group
(224.0.0.2). By doing this, the end station speeds up the process by notifying
the RP that the RP needs to start forwarding multicast information to the
segment.
The second way that a host can join a multicast group is if an RP generates
a query message and the host responds back with the multicast application
address it wants to access. This message is called a host membership query and
is sent to the all-hosts group. It uses a destination address of 224.0.0.1 in
the IP packet to do this. The query's TTL is set to 1 so that any other RP on
the segment does not inadvertently forward it to a different segment. Any
packet with a destination IP address ranging from 224.0.0.0 through
224.0.0.255 should never be forwarded by an RP. By default, Cisco RPs
generate this query every 60 seconds.
If multiple RPs are on the same segment as the hosts, it's left to the
implementation of the multicast routing protocol to limit the number of RPs
that actively participate in the query process. If the interface on the RP has
just been enabled, the RP, instead of using its 60-second timer for generating
queries, will fire off a handful of IGMP queries to speed up the discovery
process and the forwarding of multicast traffic. After so many of these
quick-fire queries, the RP will settle down and generate queries based only on
its configured timer.

Maintaining a Group Using IGMPv1


The multicast-enabled RP will periodically generate IGMP queries to verify
whether there are still any hosts on a given segment participating in a
multicast application. The RP will do this on each of its configured
interfaces. Because the RP is generating the message, the group address in
the IGMP message is set to 0.0.0.0 and the destination IP address is
224.0.0.1. This is the host membership query discussed in the previous section.
To reduce the amount of IGMP traffic, only one host will respond to the
RP's query by generating a host membership report message. This process,
sometimes referred to as response suppression, reduces the amount of
bandwidth needed by IGMP and also reduces the amount of processing that the
hosts must perform.
When the hosts on the segment receive the RP's query, they use a timer to
start counting down the seconds from a random starting point. In IGMPv1,
the range of seconds in the timer can be from 0 to 10. After choosing the
random time value between 0 and 10 and then counting down the seconds,
the host checks whether another host has generated a membership report in
response to the RP's query. If the host sees a response, it cancels its
countdown timer and does not generate a report. However, if the host's timer
expires and it has not seen a response from another host, it generates the
report itself and sends it to the all-router group.

Leaving a Group Using IGMPv1


IGMPv1 has no defined leave mechanism through which a host can dynamically inform the RP that it is quitting the multicast group. The RP discovers that no hosts are participating in a multicast group via the periodic query
messages it generates. If the RP misses a certain number of query messages
from the multicast group, the RP will stop forwarding multicast traffic for
the specific application to the segment.

IGMPv2
IGMP version 2 adds some additional features and improvements to the earlier
version. Like IGMPv1, IGMPv2 uses IP packets to transfer its messages.
Also just like IGMPv1, the IGMPv2 messages are 28 bytes long. The bottom
part of Figure 8.1 displays the format of IGMPv2 messages. The Type field
describes the different message types. The four message types are as follows:
membership query, IGMPv1 membership report, IGMPv2 membership report, and
leave report. The second field, Maximum Response Time, is used to specify
the maximum time allowed before sending a responding report. The default
value is 10 seconds.
IGMPv2 deals with the deficiencies of the join-and-leave process in
IGMPv1. One of the issues with IGMPv1 is that it might take a while before
an IGMP RP discovers the fact that no end stations are participating in a
multicast group or that an end station wants to participate in a multicast
group. In addition, there's no process to ensure that only one RP plays an
active role and forwards multicast traffic to the segment. When there's more
than one RP on a segment, it could create the unnecessary forwarding of
multicast traffic.
One new addition to IGMPv2 is the group-specific query message. This
allows an RP to send a specific query to only one multicast group on a
segment. In IGMPv1, the RP can discover whether an end station has left only
after it has sent its periodic query. To speed up the process, the end station
can send a leave report message, thus reducing the latency involved for the
RP to stop forwarding multicast traffic to segments that no longer have
participating hosts. Version 2 RPs can generate version 1 messages for
backward-compatibility purposes. This is reflected in the two different
membership report message types that the IGMPv2 packet supports.
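To make the two layouts in Figure 8.1 concrete, here is an added Python example (mine, not from the book or Cisco) that builds and decodes IGMPv1 and IGMPv2 messages, including the 16-bit checksum the figure labels CRC. The Type values 0x11, 0x12, 0x16 and 0x17 are the standard IGMP type codes; the function names are my own.

```python
import struct
import ipaddress

# Standard IGMP Type values. In IGMPv1 the first byte is a 4-bit version (1)
# plus a 4-bit type (1 = query, 2 = report), giving 0x11 and 0x12; IGMPv2
# keeps those byte values and treats the whole byte as one 8-bit Type field,
# adding its own report and leave types.
MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
V2_MEMBERSHIP_REPORT = 0x16
V2_LEAVE_GROUP = 0x17
TYPE_NAMES = {
    MEMBERSHIP_QUERY: "membership query",
    V1_MEMBERSHIP_REPORT: "v1 membership report",
    V2_MEMBERSHIP_REPORT: "v2 membership report",
    V2_LEAVE_GROUP: "leave group",
}
IGMP_LEN = 8  # the 28-byte packet in the text is this plus a 20-byte IPv4 header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (the CRC field of Figure 8.1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """Build an 8-byte IGMPv1/v2 message.

    max_resp_tenths fills the second byte: 0 for IGMPv1 (the Unused field) or
    the IGMPv2 Maximum Response Time in tenths of a second (100 = 10 s default).
    """
    if msg_type not in TYPE_NAMES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    if not 0 <= max_resp_tenths <= 0xFF:
        raise ValueError("Maximum Response Time is a single byte")
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(msg: bytes) -> dict:
    """Decode an IGMPv1/v2 message, verifying the checksum before trusting any field."""
    if len(msg) < IGMP_LEN:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg = msg[:IGMP_LEN]  # v1/v2 carry nothing beyond the fixed header
    if inet_checksum(msg) != 0:  # a correct checksum sums to all ones
        raise ValueError("IGMP checksum mismatch")
    msg_type, second, _, group = struct.unpack("!BBH4s", msg)
    if msg_type not in TYPE_NAMES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    # A v1 query carries 0 in its Unused byte; a v2 query carries a non-zero
    # Maximum Response Time. The report types identify their version directly.
    if msg_type == V1_MEMBERSHIP_REPORT or (msg_type == MEMBERSHIP_QUERY and second == 0):
        version = 1
    else:
        version = 2
    info = {"version": version, "type": TYPE_NAMES[msg_type],
            "group": str(ipaddress.IPv4Address(group))}
    if msg_type == MEMBERSHIP_QUERY:
        # General query: group is all zeroes and ignored by hosts.
        # Group-specific query (v2 only): group names the one group being polled.
        info["scope"] = "general" if group == b"\x00\x00\x00\x00" else "group-specific"
        # IGMPv1 has no response-time field; hosts use the fixed 0-10 s window.
        info["max_resp_seconds"] = second / 10 if version == 2 else 10.0
    return info


if __name__ == "__main__":
    general = build_igmp(MEMBERSHIP_QUERY, "0.0.0.0", 100)
    print(general.hex(), parse_igmp(general))
    leave = build_igmp(V2_LEAVE_GROUP, "239.1.2.3")
    print(leave.hex(), parse_igmp(leave))
```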

Joining a Group with IGMPv2


The join process occurs in IGMPv2 the same as it does in IGMPv1. When
a user starts a multicast application, the end station generates a multicast
message to the all-router group. The RP looks at the IGMP group multicast
address in the IGMPv2 message. If it does not already contain this address in
its multicast table, it adds the address and starts forwarding multicast traffic
from the multicast server to the segment. If the end stations do not advertise
the fact that they want to participate in a multicast application, the multicast
RP uses periodic queries and the response reports from the end stations to
build its multicast table. The multicast table contains the multicast application addresses and the port off of which there are participating end stations.

Maintaining a Group with IGMPv2


In IGMPv1, there's no defined process as to which RP should play the active
role. Initially, all IGMPv2 RPs assume that they are the active querier and
periodically generate query messages.
Every RP on a segment will see the others' query messages. Through this
process, the RP with the lowest IP address on the segment is automatically
elected as the querier for the segment. If a new RP with a lower IP address is
introduced to the segment, it will be promoted as the active querier.

In IGMPv1, a random timer is used to determine which end station will
respond back to the RP's query. The end station timer that expires first is the
one that responds. IGMPv2 takes a different approach to the election process.
When an active RP generates a query, it expects a response back from a
participating multicast end station within the time interval specified in the
Maximum Response Time field in the IGMP packet. This is sometimes
referred to as the query-interval response period. Likewise, IGMPv2 allows the
querying RP to send a query message to a single multicast group instead of
every group on the segment. With IGMPv1, the RP forwards its queries to
the all-hosts multicast address of 224.0.0.1. With IGMPv2, the RP forwards
the query to the group multicast address.
As with IGMPv1, only one end station will respond; all other members of
the multicast group suppress their reports. When the end station responds
with its v2 membership report, it sets the TTL field in the IP packet to 1.
This ensures that the RP will not forward it to other segments. One member
from each group will respond to each specific multicast group address query.
If there are five different multicast applications with five unique multicast
addresses, the RP generates five IGMP queries and expects five different
responses.

Leaving a Group with IGMPv2


With IGMPv2, the client can stop participating in a multicast application by
sending an IGMP leave request to the RP. This is different from IGMPv1,
in which the RP discovers a lack of participation by checking for responses
to its queries.
This special leave group message has a destination IP address of 224.0.0.2
and enters the multicast application address in the Multicast Group Address
field in the IGMP packet. When the RP receives this, it immediately generates an IGMP group-specific query report to check for any participating end
stations. This speeds up the process of the RP discovering when the last end
station leaves a multicast group, causing the RP to stop forwarding the multicast traffic to the segment.
An RP, with IGMPv1, discovers an end station has left a group by examining the
responses to its queries. In IGMPv2, the end station generates a special leave message.

IGMPv3
IGMPv3 is an enhancement of IGMPv2. IGMPv3 allows an end station to
tell an RP which multicast groups it wants to participate in as well as from
which source servers it wants to receive this information. The RP can then
forward multicast traffic to the end station from one of the specified source
servers. This is called source filtering.

IGMPv3 Message Types


IGMPv3 supports two general types of messages: membership query and
membership report. Figure 8.2 displays the format of the two message types.
The membership query message is used by an RP to determine which end
stations are participating in a multicast group or groups. With this message
type, there is a group multicast address field, a number of sources field, and
a list of source addresses. This allows the RP to advertise all the sources for
a particular multicast group so that clients can indicate whether they're using
source filtering and tell the RP which source or sources they want to receive
the multicast information from.

IGMPv3 Query | Report: INCLUDE | Report: EXCLUDE

Figure 8.2 IGMPv3 packet formats.

The membership report message is generated by an end station. There are
two types of membership report messages: INCLUDE and EXCLUDE. If
the end station is not performing source filtering, it sends an INCLUDE
message. The INCLUDE message lists all the multicast groups the end station
wants to participate in. If the end station is performing source filtering,
it generates an EXCLUDE message, which indicates, for a particular multicast
group address, the source addresses the end station wants to receive data
from. This tells the RP which multicast sources it should use when forwarding
multicast traffic for the group address to the end station.

IGMP v3lite
Because many vendors have not included support for IGMPv3 in their operating systems, Cisco has developed a proprietary version of IGMPv3 as a
temporary solution. IGMP v3lite, which contains a subset of IGMPv3 features and functions, allows Cisco partners to develop applications that take
advantage of PIM and SSM, allowing for a very scalable multicast solution.
If you install v3lite on an end station that already supports IGMPv3, the
v3lite software will have the IGMPv3 component of the operating system
handle IGMP processing.
IGMPv3 is disabled by default on Cisco routers. You can enable it by using
the following configuration:
Router(config)# interface type [slot#/]port_#
Router(config-if)# ip igmp v3lite


Multicast Routing
The sending of multicast traffic and the reception of this traffic by end
stations will require you to coordinate the actions of your RPs and switches.
The previous section discussed how the RPs discovered the end stations and
the multicast applications in which they're participating. This section
discusses how information gets from the server to the end stations, along
with the following multicast routing issues:

- RPs discovering multicast end stations and servers
- RPs sharing multicast information with each other and establishing a
  path from the server to the end stations
- RPs sharing their list of end stations with switches
- RPs forwarding multicast traffic to end-station segments
- Switches receiving multicast traffic from the RPs and intelligently
  forwarding it out only ports that have participating end stations

Overview of Routing Multicast Traffic


One of the problems of traditional routing protocols is that the RPs will not
forward local broadcast and multicast traffic. Therefore, the multicast end
stations never see the traffic that they want. With traditional routing
protocols such as RIP, OSPF, and others, RPs make their routing decisions
based on a specific destination IP address, using their routing tables to help
them correctly forward their packets. Unfortunately, multicast traffic does
not fit very well into this scheme because the actual destination can be many
end stations. To overcome this, the RP could flood the multicast traffic. The
downside of that approach is that the RP would forward traffic to every
segment in the network, even segments that have no participating end
stations, which wastes bandwidth.
A preferable solution is one in which the RPs interact with each other
to share information about their knowledge of multicast end stations. RPs
could then make intelligent forwarding decisions based on this information,
thus minimizing the effect of the multicast traffic on the network.

Multicast Distribution Trees


To forward multicast traffic intelligently, the RPs must be able to build a
distribution tree. A distribution tree is somewhat similar to the spanning tree
used by switches to remove Layer 2 loops. Using a distribution tree, the RPs
can ensure that a multicast frame traverses a segment only once in the
network. This minimizes the bandwidth impact, which is accomplished by
making sure that there's one and only one path from the source of the
multicast traffic to each of the end stations that wants to see it.
These trees are loop-free, which means that multicast frames are replicated
only when the tree branches, and then it's guaranteed that the multicast
frame will not return to a branch that it has already traversed. Only segments
that have either multicast clients or the paths required to reach those
multicast clients will have multicast traffic traversing them. Because group
members can join and leave at any time, the distribution tree that's built by
the RPs must have the capability to be updated based on these changes. When
a segment no longer has participating multicast end stations, the RP
connected to it should prune that segment from the tree.

Shared Distribution Tree


With a shared tree, only one copy of each multicast frame is forwarded to
those segments that have participating multicast end stations.
A shared distribution tree contains a router, sometimes referred to as a
rendezvous point, that's the central point of the tree for all multicast
traffic. All traffic from every multicast application in your network is first
forwarded to the rendezvous point. From there, the multicast traffic uses a
single-tree structure for the dissemination of the traffic, creating less
overhead on the RP. The downside is that for certain multicast streams,
suboptimal paths can exist.

This tree structure is very similar to common STP: For the entire switched
network, there's only one tree structure, with the rendezvous point
functioning as the root of the tree.
One advantage of this approach is that there's only the overhead of creating
and maintaining a single-tree structure. The downside, however, is that in
many instances, suboptimal paths exist between the source application server
and the destination end stations, thus resulting in undesirable latency.
This could be problematic for delay-sensitive multicast applications. The
other disadvantage of this approach is that the rendezvous router could
create a bottleneck if your multicast servers are generating a large amount of
multicast traffic.

Source-Based Distribution Tree


Like shared distribution trees, source-based distribution trees guarantee that
multicast traffic will traverse a given segment only once. However, unlike
shared trees, where there's a single tree for the whole network, source-based
implementations have a separate distribution tree for each multicast group.
A source-based distribution tree builds a single, optimal, shortest-path tree
from the multicast source (the root of the tree) to each of the participating
end stations (the leaves of the tree). There is a separate tree for each
multicast group (address), allowing for optimal delivery of multicast streams,
but this creates more overhead on the RP.

This process is more similar to Cisco's PVST: there's one instance of STP
per VLAN. In this case, there's one source-based tree per multicast group.
Source-based trees use a technique called reverse path forwarding (RPF) when
building their trees. This process has the RPs building the tree from the
leaves (the end stations) back to the root (the multicast server). With unicast
routing, the routing path is built from the source to the destination, but it's
the reverse for source-based trees.
A large advantage of this approach is that the tree created for a multicast
application will be optimal. The downside, however, is that there's a lot more
overhead (many more trees that have to be managed) than using a shared
distribution tree.
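The check an RP performs on each packet of a source-based tree is easy to see in code. This is an added example (mine, not from the book): an RP looks up the multicast source in its unicast routing table and accepts the packet only if it arrived on the interface leading back toward that source, which is what keeps a frame from traversing a segment twice. The routing table, interface names and pruned set are constructed for the example.

```python
import ipaddress

# Constructed unicast routing table for one RP (prefix -> outgoing interface).
# The RPF interface for a source is the interface the unicast table would use
# to send traffic back toward that source.
UNICAST_ROUTES = [
    ("10.1.0.0/16", "Fa0/0"),
    ("10.1.5.0/24", "Fa0/1"),
    ("0.0.0.0/0", "Se0/0"),
]


def rpf_interface(source: str, routes=UNICAST_ROUTES):
    """Longest-prefix match toward the multicast source; None if unroutable."""
    src = ipaddress.IPv4Address(source)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.IPv4Network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def rpf_check(source: str, arrival_if: str, routes=UNICAST_ROUTES) -> bool:
    """Pass only if the packet arrived on the interface that leads back to its source."""
    return rpf_interface(source, routes) == arrival_if


def forward_multicast(source: str, arrival_if: str, interfaces, pruned=frozenset(),
                      routes=UNICAST_ROUTES):
    """Outgoing interface list for one multicast packet on a source-based tree.

    A packet that fails the RPF check is dropped: it arrived off the tree, and
    replicating it would put the stream back onto segments it already crossed.
    Pruned interfaces are segments where IGMP found no participating stations.
    """
    if not rpf_check(source, arrival_if, routes):
        return []
    return [i for i in interfaces if i != arrival_if and i not in pruned]


if __name__ == "__main__":
    ifs = ["Fa0/0", "Fa0/1", "Fa0/2", "Se0/0"]
    # Server 10.1.5.7 sits behind Fa0/1: accepted there, replicated everywhere else.
    print(forward_multicast("10.1.5.7", "Fa0/1", ifs, pruned={"Fa0/2"}))  # ['Fa0/0', 'Se0/0']
    # The same stream looping back in on Fa0/0 fails RPF and is dropped.
    print(forward_multicast("10.1.5.7", "Fa0/0", ifs))  # []
```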

Multicast Routing Protocols


The type of distribution tree you should use is dependent on the multicast
routing protocol you choose to run on your RPs. Some use a shared tree,
whereas others use a source-based tree. The choice of your multicast routing
protocol can have a very large effect on the performance of your network.
Because normal unicast routing protocols cannot route traffic to multiple,
dynamically changing destinations, a multicast routing protocol is needed.
Several multicast routing protocols are available, including the Distance
Vector Multicast Routing Protocol (DVMRP), Multicast Extensions to OSPF
(MOSPF), Core-Based Trees (CBT), and Protocol Independent Multicast (PIM).
Each of these routing protocols uses distribution trees for building its
multicast routing tables. These distribution trees fall into two basic
categories: dense mode (DM) and sparse mode (SM). Your choice of a routing
protocol will be determined by whether the multicast end stations are densely
or sparsely distributed throughout your campus network as well as the
available bandwidth that exists in your campus.

Dense Mode Routing Protocols


DM routing protocols assume that there are many multicast end stations
spread across most of your segments in your campus network and that your
network infrastructure has a lot of available bandwidth. This means that
most, if not all, of your RPs will need to be forwarding multicast traffic from
the multicast servers to the multicast end stations.
DM protocols initially flood the network with multicast traffic and then,
based on the discovery of participating end stations, prune back the
distribution tree to include only those segments with participating end
stations. The RPs use IGMP to discover these end stations.

DM protocols use source-based trees. The DM routing protocol learns
about the participation of end stations by flooding multicast traffic across
the entire network, as shown on the left side of Figure 8.3. This process
guarantees that participating end stations get the multicast traffic quickly.
Also, very little communication needs to take place between the different
RPs, thus reducing your management overhead. However, the downside of this
approach is that, initially, every segment is flooded with multicast traffic. In
Figure 8.3, even PC-A (left side), which doesn't want to see the multicast
stream, still receives it. Through a learning process, RPs learn via IGMP
which devices want to see the multicast stream and prune off segments that
don't want to see it, as shown on the right side of Figure 8.3.
DM protocols are typically used in LAN, not WAN, environments. Examples of
DM protocols include DVMRP, MOSPF, and PIM-DM.

Sparse Mode Routing Protocols


Because of the scalability problems of DM routing protocols, they are not
the preferred method of transporting multicast traffic to end stations. As an
example, assume that you have 100 VLANs in your campus, and three people
in the campus start up a multicast video-conferencing application. In a
DM environment, all 100 VLANs would initially be hit by this very large
video stream, severely affecting the performance of your network, just
because of the actions of only three people. Because of the limited number
of people in this example, a better solution would be the use of an SM
routing protocol.

[Figure 8.3: on the left side, the multicast stream from the multicast server
is flooded to every segment, reaching both PC A (doesn't want to see multicast
information) and PC B (wants to see multicast information); on the right side,
after pruning (the X marks), only PC B's segment still receives the stream.]

Figure 8.3 Dense mode multicasting.


SM protocols use join messages to construct a distribution tree, ensuring that only
those segments with participating end stations will have traffic forwarded to them by
their connected RPs. Therefore, SM protocols scale much better and are more suited
for large, geographically dispersed environments. Unlike DM protocols, SM protocols
do not waste bandwidth by flooding multicasts everywhere. Traffic is not forwarded
to a segment until an end station joins a multicast group.

SM assumes that only a handful of RPs will be forwarding multicast traffic.
It also assumes that the participating end stations are widely dispersed across
your campus network (possibly located across your WAN), and that the
amount of bandwidth in your network is limited. In this approach, the
distribution tree is initially empty and, as end stations are discovered,
branches are added to the tree. As you can see in the left side of Figure 8.4,
the multicast stream is initially not flooded through the network. As end
stations, such as PC-B, send IGMP join messages, RPs build a path back to
the multicast source so that the multicast stream can be sent to only
participating multicast clients. This is shown on the right side of Figure 8.4.

[Figure 8.4: on the left side, the multicast stream from the multicast server
is not forwarded onto any segment (the X marks); on the right side, after
PC B (wants to see multicast information) joins, a path is built back to the
multicast server and only PC B's segment receives the stream, while PC A
(doesn't want to see multicast information) never sees it.]

Figure 8.4 Sparse mode multicasting.


Most of the industry uses SM routing protocols to set up multicast distribution trees
because SM works well in environments both with only a few clients and with many,
many clients. SM routing protocols include PIM-SM and Core-Based Trees (CBTs).

Protocol Independent Multicast


Protocol Independent Multicast (PIM) is a multicast routing protocol that's
currently being defined by a draft RFC. Its ongoing development is being
discussed by the Internet Engineering Task Force (IETF). PIM is unique in
that it supports both dense and sparse modes, making it much more flexible
than other multicast routing protocols. PIM uses IGMP to transport its
routing information.
PIM can coexist with any type of unicast routing protocol, including RIP, IGRP,
Enhanced IGRP, and even OSPF. PIM can support both dense and sparse modes
simultaneously to more adequately meet multicasting requirements in any network.


PIM-DM
Dense mode should be used when your campus network meets one of the
following criteria:

- The multicast servers and end stations are located close to each other.
- The number of multicast servers is few, but the number of end stations
  is very many.
- Multicast traffic is constantly being generated and forwarded.
- The amount of multicast traffic is very large.

PIM-DM uses a source-based, shortest-path distribution tree. It uses reverse
path forwarding to build its distribution tree. PIM-DM assumes that all
segments are participating. The multicast routing protocol floods the campus
network with multicast traffic from the multicast servers and then prunes off
segments from the distribution tree when its IGMP-capable RPs do not
receive any reports in response to their queries. This means that each
multicast application you deploy will have its own separate tree structure.
This works quite well in environments in which the multicast traffic needs to
be forwarded to many, if not most, end stations in your campus.

PIM-SM
Sparse mode should be used when your campus network meets one of the
following criteria:

- The multicast servers and clients are separated by a WAN.
- Each multicast group in your campus has very few clients.
- The multicast traffic that the servers generate is not constant.

PIM-SM is useful when you have a campus environment with many small
bandwidth-generating multicast applications: The number of participants is
small and the amount of traffic is small.
Unlike PIM-DM, PIM-SM does not use reverse path forwarding. Actually,
in this type of setting, implementing reverse path forwarding does not make
any sense. To flood your campus network with a stream of multicast traffic
to deliver it to only a handful of end stations is very wasteful of your
network's resources.
To be more efficient, PIM-SM uses a rendezvous point. The RP performing
this responsibility serves as a registration point. It contains a list of all
multicast applications and their respective servers that are generating the
multicast traffic. Information is always forwarded to the rendezvous point RP
and is then disseminated to all the segments that have participating multicast
end stations. Intervening RPs ensure that the best path (usually the one with
the lowest number of hops) is used to connect the rendezvous point to the end
stations.

Multicasting and Switches


After the RP discovers multicast end stations off a given segment and begins
receiving multicast traffic from the server, it forwards this traffic to the
segment. In today's networks, that usually means that the first networking
device that receives this traffic is a switch. Switches flood the traffic
throughout the VLAN, treating it like a local broadcast. This could have a
serious effect on the performance of a VLAN, especially if the multicast
information is a video stream.

Controlling Multicast Traffic


With the use of a multicast routing protocol running on your RPs, you've
solved your Layer 3 problems in the intelligent forwarding of your multicast
traffic. Now you'll have to deal with the issues of your switches and how they
can intelligently forward the multicast stream coming from their connected
RPs. There are four basic ways of controlling the flood of multicast traffic:
You can create VLANs for each multicast application.
You can manually configure static multicast entries in the port address table of the switch.
Switches can snoop IGMP queries and reports to learn end-station locations.
Switches can gather IGMP end station information from an IGMP RP.

As you learned in Chapter 3, "VLANs, Trunks, and VTP," creating VLANs and
assigning ports to them is an easy task. However, the problem with grouping
users together based on their participation in a multicast group is that if
end stations are constantly joining and leaving the group, maintaining the
VLAN membership becomes a headache, if not an impossible task. Therefore, this
is only used in environments where the multicast end stations remain constant
members of a group.
The second solution is just as nonscalable as using VLANs: You can manually
enter the multicast address and the end station's port numbers in the switch's
address table, thereby limiting the number of ports that will actually forward
the multicast data stream. The problem with this approach is that if the
membership of the multicast group is constantly changing, manually updating
the address table becomes an impossible task.

IGMP Snooping
The third solution to controlling multicast traffic is to have the switch
dynamically keep track of joining and leaving members of a multicast group.
The switch does this by snooping the IGMP queries that RPs generate and the
reports that multicast end stations reply with. The problem with this approach
is that the switch must examine every multicast frame, which is very process
intensive and introduces a lot of latency in the switching of everyone's
frames, including the multicast traffic. Therefore, IGMP snooping should not
be used on lower-end switches, but only on higher-end switches that can
perform snooping in hardware using ASICs.

Cisco Group Management Protocol


The fourth solution to controlling multicast traffic is the preferred one: a
dynamic process that updates the switch's address table, as with snooping, but
without the performance penalty of snooping. Cisco has a proprietary protocol
called CGMP that performs this function.
CGMP allows Cisco's switches to learn from Cisco's IGMP-enabled RPs about the
list of end stations participating in the different multicast groups. The
switches take this address information and appropriately update their CAM
tables. This solution has very little overhead; only a minimal amount of
management traffic is relayed between the RP and the switch. After the switch
has updated its CAM table with the multicast addresses, it can intelligently
forward the multicast traffic to only participating end stations. Unlike
snooping, CGMP has no effect on the Layer 2 switching speeds. This is the
recommended approach.

CGMP is based on a client/server model. In this model, the RP is considered
the server and the attached switches in the switch fabric are considered the
clients. The IGMP RPs know about all the end stations participating in a
multicast group. They learn this information from the end station responses
to their queries or from the information that the end station initially
generates when it wants to participate in a multicast application. With CGMP,
the RP periodically shares this information with its attached switches.
Anytime the RP detects the joining or leaving of an end station from a
multicast group, the RP shares it with the switches.
The CGMP multicast frame that the RP shares with the switches contains the
multicast group address of the application and the real MAC address of the
end station. Switches take this information and examine their CAM table for a
matching MAC address and an associated port. If a switch finds the end
station's address in its port address table, it adds an additional entry for
the Layer 2 multicast address and the same port number that the client
resides off of. If the switch does not find the end station's address, it
basically ignores the CGMP message. With CGMP enabled, however, the switch
will not flood multicast traffic; it depends on the RP to tell the switch
which end stations are participating in multicast groups.
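The CAM-table update just described, as an added model written for this chapter (it is not Cisco's code): the switch applies a CGMP join or leave only when the host MAC is already in its CAM table, and with CGMP enabled it does not flood multicast it has not been told about. Host MACs, port names and the join/leave sequence are constructed; the group MAC is the Layer 2 address of 224.0.252.1, the group used in this chapter's show ip mroute output.

```python
"""Model of the CGMP behaviour the text describes (added illustration, not
Cisco code): the RP relays a CGMP frame carrying the application's Layer 2
multicast MAC and the end station's real MAC; the switch looks the host MAC
up in its CAM table and, if it finds a port, adds the group MAC on that same
port, otherwise it ignores the message."""

from dataclasses import dataclass, field


@dataclass
class CgmpMessage:
    """One join/leave that the RP shares with its switches (constructed)."""
    group_mac: str        # Layer 2 multicast address of the application
    host_mac: str         # real MAC of the joining or leaving end station
    join: bool = True


def is_multicast(mac):
    """Group bit (low bit of the first octet) set means a multicast MAC."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class CgmpSwitch:
    ports: set                                  # ports in this VLAN
    cam: dict = field(default_factory=dict)     # unicast MAC -> port
    groups: dict = field(default_factory=dict)  # group MAC -> set of ports

    def learn(self, mac, port):
        """Ordinary source-MAC learning; CGMP matches against these entries."""
        self.cam[mac.lower()] = port

    def process_cgmp(self, msg):
        """Apply one CGMP message; returns True if the CAM table changed."""
        port = self.cam.get(msg.host_mac.lower())
        if port is None:
            # Host MAC unknown here: the station sits behind some other
            # switch, so this switch ignores the message.
            return False
        group = msg.group_mac.lower()
        if msg.join:
            self.groups.setdefault(group, set()).add(port)
        else:
            members = self.groups.get(group, set())
            members.discard(port)
            if not members:            # last member on this switch left
                self.groups.pop(group, None)
        return True

    def egress_ports(self, dst_mac, ingress):
        """Ports a frame for dst_mac arriving on ingress is switched to."""
        mac = dst_mac.lower()
        if mac in self.groups:          # CGMP-learned group: members only
            return sorted(self.groups[mac] - {ingress})
        if is_multicast(mac):
            # With CGMP enabled the switch does not flood multicast; it
            # waits for the RP to tell it which ports have participants.
            return []
        if mac in self.cam:             # known unicast
            return [] if self.cam[mac] == ingress else [self.cam[mac]]
        return sorted(self.ports - {ingress})   # unknown unicast floods


def demo():
    """Constructed scenario: two hosts join 224.0.252.1 (group MAC
    01:00:5e:00:fc:01), a message for an unknown host is ignored, then one
    host leaves. Returns (applied flags, ports before leave, ports after)."""
    sw = CgmpSwitch(ports={"Fa0/1", "Fa0/2", "Fa0/3", "Fa0/24"})
    sw.learn("00:11:22:33:44:01", "Fa0/1")      # constructed host MACs
    sw.learn("00:11:22:33:44:02", "Fa0/2")
    group = "01:00:5e:00:fc:01"
    applied = [
        sw.process_cgmp(CgmpMessage(group, "00:11:22:33:44:01")),
        sw.process_cgmp(CgmpMessage(group, "00:11:22:33:44:02")),
        sw.process_cgmp(CgmpMessage(group, "00:11:22:33:44:99")),  # unknown
    ]
    before = sw.egress_ports(group, "Fa0/24")    # stream arrives from the RP
    sw.process_cgmp(CgmpMessage(group, "00:11:22:33:44:01", join=False))
    after = sw.egress_ports(group, "Fa0/24")
    return applied, before, after


if __name__ == "__main__":
    print(demo())   # ([True, True, False], ['Fa0/1', 'Fa0/2'], ['Fa0/2'])
```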

Configuring Your RPs


Because your RPs are responsible for forwarding multicast traffic to segments
with participating end stations, they play the most critical role. Choosing an
inappropriate multicast routing protocol can have serious performance
ramifications for your campus network. To help you with these issues, Cisco's
IOS on its RPs supports IGMP, PIM, and CGMP. The following sections discuss
their configuration.

Basic PIM Configuration


To configure PIM, you'll need to enable multicast routing as well as PIM on
each interface, like this:
Switch(config)# ip multicast-routing
Switch(config)# interface interface_type [slot_#/]port_#
Switch(config-if)# ip pim dense-mode|sparse-mode|sparse-dense-mode

Remember that an RP can be a traditional router or Layer 3 switch. The
configurations in this chapter assume the latter. Also, remember that a
Layer 3 switch can operate its interfaces using either a Layer 2 or Layer 3
process. This chapter focuses on the latter. For switches with Layer 2
physical interfaces, use logical VLAN interfaces to place your configuration
commands.
The ip multicast-routing command allows the RP to perform multicast
operations. However, note that you must enable multicasting on an interface
with the ip pim command to have an interface process and forward multicast
traffic. The execution of the ip pim command on the interface also enables
IGMP. There's no default mode setting on the interface; multicast traffic is
disabled on all interfaces. To view the multicast routing table, use the show
ip mroute command.

dense-mode
If you choose dense-mode, the RP adds the interface to its multicast routing
table and forwards multicast traffic out of all interfaces with PIM dense mode
enabled. Through a discovery process, segments without any participating
end stations are eventually pruned from the distribution tree.


sparse-mode
If you enter sparse-mode, interfaces are included in the table only if they
receive downstream join messages from other PIM RPs or if IGMP reports are
received in response to the RP's IGMP queries. Forwarding will occur for
multicast traffic only if a rendezvous point is known. When the rendezvous
point is known, the RP connected to the multicast server encapsulates the
multicast packets into unicast packets and forwards them to the rendezvous
point. On receiving these encapsulated multicasts, the rendezvous point strips
off the encapsulation and forwards the multicast traffic. The rendezvous point
is essentially acting as a central point of distribution for the multicast
traffic. If there's no known rendezvous point, the RP will act in a dense-mode
fashion. Therefore, when you configure interfaces in sparse-mode, you'll need
to set up at least one rendezvous point.

sparse-dense-mode
When you're configuring the mode on the interface, specifying sparse-mode or
dense-mode forces the interface to act accordingly. However, this might not be
very efficient in some campus networks. There might be certain parts of your
campus where dense mode is appropriate and other parts where sparse mode is
more desirable. If you configure the interface in sparse-dense-mode, the
interface is set up in dense-mode if the multicast group is operating in dense
mode or sparse-mode if it's operating in sparse mode. Note that for you to use
sparse mode, you must configure a rendezvous point.

Designated Routers
PIM uses designated routers (DRs) on a segment to reduce the number of IGMP
queries created and the number of IGMP reports sent back in response. Each
PIM-enabled interface on an RP periodically generates a PIM router-query
message. The PIM RP on a LAN segment with the highest IP address is
automatically elected as the DR. If the DR fails, a new DR will be elected
using the same election process. As mentioned with the show ip pim interface
command, there's no need to have DRs on point-to-point links such as serial
connections. They're needed only for multiaccess segments such as Ethernet.
Show commands are discussed in more depth later in this chapter.
The DR's responsibility is to generate IGMP queries to determine which, if
any, end stations are participating in any multicast applications. Note that
only the DR will generate IGMP queries, but all RPs on the segment will
process the responding IGMP reports from participating clients. To view the
list of neighbors for a PIM RP, use the show ip pim neighbor command.


Configuring Rendezvous Points


In sparse-mode configurations, you need at least one rendezvous point RP to
disseminate your multicast traffic. All your leaf and branch RPs must know the
IP address of the rendezvous point. Leaf RPs are RPs connected to multicast
end stations. Branch RPs make up the distribution tree.
To provide a more efficient distribution of your multicast traffic, you can
have more than one rendezvous point for a multicast group. This also provides
redundancy. You have two ways to specify which RP is the rendezvous point RP:
You can hard-code this on your RPs or you can use the auto-discovery process.

Specifying Rendezvous Points Manually


If you choose to hard-code the rendezvous point on your RPs, use the
following command:
Switch(config)# ip pim rp-address rendezvous_point_IP_address [multicast_group_access_list_number] [override]

The multicast_group_access_list_number optional parameter is a standard IP
access list number. In this access list, you list the multicast application
addresses that you want this rendezvous RP to be responsible for. If you've
hard-coded these addresses and also have learned of a rendezvous point RP for
the same multicast group via auto-discovery, the override parameter forces the
RP to use the hard-coded rendezvous point RP.
One problem of manually configuring these IP addresses is that they're prone
to error in large-scale campuses. Also, to efficiently propagate your
multicast traffic requires a lot of configuration and management on your part.
Here's a simple example of specifying a rendezvous point:
Switch(config)# ip pim rp-address 192.168.1.1

In this example, 192.168.1.1 is the rendezvous point for all sparse-mode
multicast streams.

Auto-Discovery of Rendezvous Points


For auto-discovery to work correctly, you'll have to determine which RPs will
be rendezvous points for which multicast addresses and configure
auto-discovery on the RPs in your campus network. By default, auto-discovery
is disabled. You'll have to configure it on your RPs in your campus. The first
step is to configure the following command on the RPs you've chosen as
rendezvous points:
Switch(config)# ip pim send-rp-announce interface_type interface_number scope time_to_live [group-list access_list_number]

The interface_type and interface_number fields indicate which IP address on
the specified interface of the RP will be used in its announcements of its
capability to perform as a rendezvous point. All messages sent to or from the
rendezvous point use this IP address. The scope parameter specifies the number
of hops that the announcement messages the rendezvous point creates can
propagate. You can use the group-list parameter to specify which multicast
addresses this RP can perform rendezvous point functions for. This is a
standard IP access list.
With this command, you can have an RP be responsible for a range of multicast
addresses, where different RPs can be rendezvous points for different
multicast addresses, thereby more efficiently disseminating your multicast
traffic. Likewise, you can have primary and backup rendezvous points for
redundancy. The auto-rendezvous point will periodically send out announcement
messages on the Cisco reserved multicast address (224.0.1.39), announcing its
candidacy for becoming a rendezvous point; this is called a Cisco RP announce
message.
Here is a simple example:
Switch(config)# ip pim send-rp-announce ethernet 0/1 scope 4

In this example, the rendezvous point generates announcement messages on
Ethernet0/1, which travel no more than four hops. For each interface that you
want to include in the multicast tree, specify it with the preceding command.
A mapping agent is an RP that can dynamically discover who the rendezvous
point is and the multicast addresses for which it's responsible. It does this
by listening for announcement messages by the rendezvous point(s). This
information can be passed downstream to other mapping agents and, eventually,
to designated RPs on segments that have multicast clients. The mapping agents
do this by creating a multicast message called a Cisco RP discovery message.
The multicast address used for this is 224.0.1.40. DRs listen for this message
to determine which rendezvous point(s) they can use to get their multicast
information from. They then go through the process of building a branch back
to the rendezvous point to become part of the distribution tree.
When configured, mapping agents listen for announcements that candidate
rendezvous points generate on 224.0.1.39. The mapping agent then takes this
information and forwards it in a discovery message on 224.0.1.40 so that
designated RPs can learn about the rendezvous points. By default, RPs are not
mapping agents. To configure an RP as a mapping agent, execute the following
command:
Router(config)# ip pim send-rp-discovery scope time_to_live

The scope parameter is used to keep the discovery messages within a certain
hop count, perhaps preventing these messages from leaving the campus to a
remote location. For example, to restrain the messages from traveling more
than four hops, use this configuration:
Switch(config)# ip pim send-rp-discovery scope 4
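How the static rp-address entries and the auto-RP announcement/discovery process above fit together when an RP has to pick a rendezvous point for a group, as an added model written for this chapter (not IOS code). It assumes standard access lists simplified to lists of permitted group prefixes, a hop distance per announcement to model the scope TTL, and constructed RP addresses and groups.

```python
"""Model of how an RP chooses the rendezvous point for a sparse-mode group,
from the two sources this section describes: static "ip pim rp-address"
entries (optionally limited by an access list, optionally with override) and
mappings learned through auto-RP, where candidates announce on 224.0.1.39
within a TTL scope and a mapping agent relays what it hears on 224.0.1.40.
Added illustration for this chapter, not IOS code. Standard access lists are
simplified to lists of permitted group prefixes."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CISCO_RP_ANNOUNCE = "224.0.1.39"    # candidate RP announcements
CISCO_RP_DISCOVERY = "224.0.1.40"   # mapping-agent discovery messages
ALL_GROUPS = ["224.0.0.0/4"]        # no access list given: every group


@dataclass
class StaticRp:
    """ip pim rp-address <address> [access_list] [override]"""
    address: str
    groups: list = field(default_factory=lambda: list(ALL_GROUPS))
    override: bool = False


@dataclass
class RpAnnounce:
    """ip pim send-rp-announce <interface> scope <ttl> [group-list acl],
    as heard on 224.0.1.39: the interface address, the TTL, the groups."""
    address: str
    scope: int
    groups: list = field(default_factory=lambda: list(ALL_GROUPS))


def covers(groups, group):
    """True if the group address is permitted by the (simplified) list."""
    g = ip_address(group)
    return any(g in ip_network(prefix) for prefix in groups)


def mapping_agent(announcements, hops_away):
    """Group-to-RP mappings a mapping agent relays on 224.0.1.40. An
    announcement whose scope TTL is smaller than the hop distance to the
    agent never arrives, so it is not learned."""
    return [ann for ann, hops in zip(announcements, hops_away)
            if ann.scope >= hops]


def select_rp(group, static, learned):
    """Return (rp_address, how) or None when no rendezvous point is known;
    in that case a sparse-mode interface falls back to dense-mode
    behaviour, as the text warns."""
    static_hits = [s for s in static if covers(s.groups, group)]
    forced = next((s for s in static_hits if s.override), None)
    if forced:                       # override: hard-coded entry wins
        return forced.address, "static-override"
    auto = next((a for a in learned if covers(a.groups, group)), None)
    if auto:                         # otherwise the auto-RP mapping wins
        return auto.address, "auto-rp"
    if static_hits:
        return static_hits[0].address, "static"
    return None


def demo():
    """Constructed campus: two candidate RPs announce with scope 4; the
    mapping agent is 2 hops from the first and 5 hops from the second."""
    announcements = [
        RpAnnounce("192.168.1.1", scope=4, groups=["239.1.0.0/16"]),
        RpAnnounce("192.168.9.1", scope=4, groups=["239.2.0.0/16"]),
    ]
    learned = mapping_agent(announcements, hops_away=[2, 5])
    static = [
        StaticRp("192.168.2.1"),                                # catch-all
        StaticRp("10.0.0.1", groups=["239.1.1.0/24"], override=True),
    ]
    return {
        "239.1.1.5": select_rp("239.1.1.5", static, learned),
        "239.1.2.5": select_rp("239.1.2.5", static, learned),
        "239.2.0.7": select_rp("239.2.0.7", static, learned),
        "239.2.0.7/no-static": select_rp("239.2.0.7", [], learned),
    }


if __name__ == "__main__":
    for group, choice in demo().items():
        print(group, "->", choice)
```

The second candidate's announcement is out of scope for the mapping agent, so 239.2.0.7 falls back to the static catch-all, and with no static entry at all it has no rendezvous point and would be handled dense-mode.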

Configuring PIMv2
PIMv2 is an extension of PIMv1 and is currently on track to becoming an IETF
standard. It has the following enhancements:
Sparse and dense modes are defined per group, not per interface.
PIM uses its own packet format instead of IGMP to transport routing information.
Dynamic rendezvous point discovery is provided by a bootstrap router (BSR), which also provides fault tolerance.
PIM uses hellos instead of queries.

Auto-discovery of rendezvous points (auto-RP) and BSR in PIMv2 are mutually
exclusive. Auto-RP is Cisco-proprietary, whereas BSR will shortly be an IETF
standard. Using BSR is recommended if you have only PIMv2 routers; otherwise,
use auto-RP.

Interoperability
If you have a mixture of PIMv1 and v2 RPs in the same network, the v2 RPs
downgrade themselves to v1. This enables you to slowly migrate from v1 to v2.
During this process, you should perform the following:
Use sparse-dense mode for PIM.
Use auto-RP.
For a rendezvous point, use a v2 or v1 PIM RP; however, in a mixed environment, Cisco recommends using a v2 RP.


Configuration
Use the following configuration to set up PIMv2:
Switch(config)# interface type [slot_#/]port_#
Switch(config-if)# ip pim version 1|2

You can either specify version 1 or 2. For example, if you want to run PIM
version 1 on Ethernet0/1, use this configuration:
Switch(config)# interface ethernet 0/1
Switch(config-if)# ip pim version 1

After you've configured the version, you need to configure the following
rendezvous point as well as the BSR:
Switch(config)# ip pim rp-candidate interface_type interface_number time_to_live [group-list access_list_number]
Switch(config)# ip pim bsr-candidate interface_type interface_number [priority]

For example, if you had only PIMv2 routers, use the latter command, like
this:
Switch(config)# ip pim bsr-candidate ethernet0/1
Switch(config)# ip pim bsr-candidate ethernet0/2

This enables PIMv2 rendezvous points (BSR) for both Ethernet interfaces on
this RP.

Configuring CGMP
Configuring CGMP on an RP is a simple process. On your RP, configure the
following:
Switch(config)# interface type [slot_#/]port_#
Switch(config-if)# ip cgmp

Here is a simple example of setting up CGMP on an RP's Ethernet interface:
Switch(config)# interface ethernet 0/1
Switch(config-if)# ip cgmp

To verify the RP's configuration, use show ip igmp interface, which we
discussed in the previous section.
You do not need to configure CGMP on your Catalyst switch; it's already
enabled by default.


Verifying Your Multicast Configuration


To verify that the commands you entered actually enabled PIM, use the following show command:
Switch# show ip pim interface
Address       Interface   Mode    Neighbor   Query      DR
                                  Count      Interval
192.168.1.1   VLAN10      Dense   1          30         192.168.1.2
192.168.3.1   VLAN20      Dense   1          30         192.168.3.2
192.168.4.1   VLAN30      Dense   1          30         192.168.4.2
The first IP address listed is the IP address of the next-hop RP off of the
interface listed after it. The Mode field describes the mode that the interface
on the RP is operating as. The Neighbor Count field lists the number of
down/upstream neighbors off this interface. The Query Interval field lists
the interval, in seconds, of how often the RP generates PIM router-query
messages on the interface. The default is 30 seconds. The last field, DR, lists
the designated RP for the LAN segment. This is important for determining
which RP on a LAN segment will be generating IGMP query messages.
Serial links do not have DRs; therefore, you would see an IP address of
0.0.0.0.
To see a list of PIM neighbors, use the show ip pim neighbor command. Here is
an example:
Switch# show ip pim neighbor
PIM Neighbor Table
Neighbor      Interface     Uptime/Expires      Ver   DR Address Prio/Mode
192.168.1.2   Ethernet0/1   00:02:20/250 msec   v2    1 / S

In this example, the router has one PIM neighbor (192.168.1.2) off of
Ethernet0/1. This neighbor has been reachable for more than two hours.
The version of PIM is 2 (v2) and is running in sparse mode (S).
To verify that PIM is learning about multicast groups and updating its routing
table correctly, use the show ip mroute command. In the following example,
you'll look at a multicast routing table to examine an RSM that has dense-mode
interfaces:
Switch# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local,
       P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
(*, 224.0.252.1), uptime 1:37:38, expires 0:01:43,
   RP is 0.0.0.0, flags: DC
  Incoming interface: Null, RPF neighbor 0.0.0.0
  Outgoing interface list:
    VLAN10, Forward/Dense, 0:15:31/0:00:00
    VLAN20, Forward/Dense, 0:15:45/0:00:00
    VLAN30, Forward/Dense, 0:16:37/0:00:00
(192.168.1.1/32, 224.0.252.1), uptime 2:00:21, expires 0:03:32,
   flags: C
  Incoming interface: Vlan10, RPF neighbor 192.168.3.17
  Outgoing interface list:
    VLAN20, Forward/Dense, 20:20:00/0:02:52
    VLAN30, Forward/Dense, 20:19:37/0:03:21

There are two entries in parentheses for each multicast route. The first entry
is the IP address of the source RP, followed by the IP address of the
multicast application. If you see an asterisk (*) as in the first entry, it
means that all interfaces are sources. This basically means that the source
router is unknown at this point, and will flood the multicast traffic out all
its interfaces. The second listing knows of the source router, which is
192.168.1.1.
There are two types of timers. The uptime timer displays the amount of time
since the multicast application has been discovered, and the expires timer
displays how long until the entry in the routing table will be removed without
receiving information from a downstream RP or IGMP-capable end station.
The RP field after the expires timer represents the rendezvous point RP, if
known. This will more than likely contain an entry if the mode specified is
sparse-mode. The flags following this describe the type of route. In the case
of the first one, DC, the route is dense mode and is directly connected to the
RP.
The Incoming Interface field describes the expected source interface for the
multicast packet, given the listed multicast application address. If the
packet is not received on this interface, it's discarded. The RP assumes in
this instance that the incoming interface is where the multicast server is
located and that any other interfaces are branches from this root interface.
The RPF neighbor field is the IP address of the next upstream RP that's
closest to the source multicast server.
The outgoing interface field lists the interfaces to which the multicast
packets will be forwarded. The fields listed contain the outgoing interface,
the forwarding mode, and the update and expiration timers.
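A parser for the show ip mroute output above together with the incoming-interface (RPF) check the text describes, added here as an example that is not IOS code or the book's own. The sample table is the chapter's output embedded as a string; the packets checked against it (source, group, arriving interface) are constructed.

```python
"""Parse show ip mroute output into (S,G)/(*,G) entries and apply the RPF
check described in the text: a packet is accepted only if it arrives on the
entry's incoming interface; otherwise it is discarded. Added illustration
written for this chapter, not IOS code."""

import re
from dataclasses import dataclass, field

# The chapter's own show ip mroute output, embedded as sample input.
SAMPLE = """\
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local,
       P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
(*, 224.0.252.1), uptime 1:37:38, expires 0:01:43,
   RP is 0.0.0.0, flags: DC
  Incoming interface: Null, RPF neighbor 0.0.0.0
  Outgoing interface list:
    VLAN10, Forward/Dense, 0:15:31/0:00:00
    VLAN20, Forward/Dense, 0:15:45/0:00:00
    VLAN30, Forward/Dense, 0:16:37/0:00:00
(192.168.1.1/32, 224.0.252.1), uptime 2:00:21, expires 0:03:32,
   flags: C
  Incoming interface: Vlan10, RPF neighbor 192.168.3.17
  Outgoing interface list:
    VLAN20, Forward/Dense, 20:20:00/0:02:52
    VLAN30, Forward/Dense, 20:19:37/0:03:21
"""

HEADER = re.compile(
    r"^\((?P<src>[^,]+), (?P<grp>[^)]+)\), uptime (?P<up>\S+), "
    r"expires (?P<exp>\S+),(?: RP is (?P<rp>\S+),)? flags: (?P<flags>\S+)$")
IIF = re.compile(r"^Incoming interface: (?P<iif>\S+), RPF neighbor (?P<nbr>\S+)$")
OIL = re.compile(r"^(?P<iface>\S+), (?P<state>\w+)/(?P<mode>\w+), \S+/\S+$")


@dataclass
class Mroute:
    source: str                 # "*" or "a.b.c.d/32"
    group: str
    flags: str
    rp: str = "0.0.0.0"         # rendezvous point, if known
    iif: str = "Null"           # expected incoming interface
    rpf_neighbor: str = "0.0.0.0"
    oil: list = field(default_factory=list)   # (interface, state, mode)


def parse_mroute(text):
    """Return the list of Mroute entries found in show ip mroute output."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith(","):   # IOS wraps long headers
            lines[-1] += " " + line
        else:
            lines.append(line)
    routes = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            routes.append(Mroute(m["src"], m["grp"], m["flags"],
                                 m["rp"] or "0.0.0.0"))
            continue
        if not routes:
            continue                              # legend before first entry
        m = IIF.match(line)
        if m:
            routes[-1].iif, routes[-1].rpf_neighbor = m["iif"], m["nbr"]
            continue
        m = OIL.match(line)
        if m:
            routes[-1].oil.append((m["iface"], m["state"], m["mode"]))
    return routes


def rpf_forward(routes, source, group, ingress):
    """Interfaces a packet (source -> group) arriving on ingress is sent to.
    An (S,G) entry is preferred over (*,G). Arrival on anything but the
    incoming interface fails the RPF check and returns [] (discarded). A Null
    incoming interface, as in the (*,G) dense entry above, accepts the packet
    from any interface and floods the outgoing list (never back out ingress)."""
    sg = next((r for r in routes
               if r.group == group and r.source == f"{source}/32"), None)
    star = next((r for r in routes
                 if r.group == group and r.source == "*"), None)
    route = sg or star
    if route is None:
        return []                                 # no state for this group
    if route.iif != "Null" and route.iif.lower() != ingress.lower():
        return []                                 # RPF failure: discard
    return [iface for iface, state, _ in route.oil
            if state == "Forward" and iface.lower() != ingress.lower()]


if __name__ == "__main__":
    table = parse_mroute(SAMPLE)
    print(rpf_forward(table, "192.168.1.1", "224.0.252.1", "Vlan10"))  # ['VLAN20', 'VLAN30']
    print(rpf_forward(table, "192.168.1.1", "224.0.252.1", "Vlan20"))  # []
```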

Summary
There are three ways of disseminating information: unicasts, broadcasts, and
multicasts. With a unicast, a packet is sent to each destination individually.
With a broadcast, a single packet is generated and every destination receives
it. With a multicast, a single packet is sent to a group of devices. Class D
addresses are used in IP for multicasting: 224.0.0.0 through 239.255.255.255.
These addresses are broken into groups, such as reserved link local, globally
scoped, source specific, GLOP, and limited scope addresses. 224.0.0.1 is the
all-host group and has the IP TTL set to 1. 224.0.0.2 is the all-router group
for a segment.
IGMP is used by clients and RPs to determine which clients want to see
specific multicast feeds. There are three versions of IGMP: v1, v2, and v3. v2
supports an active querier, which forwards multicasts to a segment and is
elected based on the lowest IP address. v2 also supports client leave
messages. v3 supports source filtering, allowing the client to specify a list
of sources that it wants to receive a multicast feed from. Cisco has created a
v3lite version of IGMP, which provides a transition for those clients whose
operating system doesn't support v3.
Multicast routing protocols are used to route multicast packets between a
source and end stations. A shared distribution tree has a rendezvous point
that's used as the central point of dissemination of multicast traffic: A
single-tree structure is used for all multicast traffic. Source-based
distribution trees have a separate tree structure for each multicast
application, which allows for optimal paths but causes more overhead on the
RPs.
Cisco uses PIM to route multicast traffic. PIM supports both sparse and dense
modes. Dense mode is typically used in LAN environments where most stations
need to see the multicast traffic: Multicasts are flooded and the distribution
tree is pruned back based on IGMP messages (not) received from end stations.
Sparse mode is used when not many clients are participating in multicasts or
they're geographically dispersed. The distribution tree starts out empty and
is built based on IGMP messages received from clients.
To enable multicasting, use the ip multicast-routing command. To enable PIM on
an interface, use the ip pim dense-mode|sparse-mode|sparse-dense-mode command.
To examine the multicast routing table, use the show ip mroute command.


Exam Prep Questions


Question 1
With a _________, each destination receives a separate packet.
A. Unicast
B. Broadcast
C. Multicast

Answer A is correct. With a unicast, each destination receives a separate
packet. With a broadcast or multicast, each destination receives the same
packet, making answers B and C incorrect.

Question 2
Which multicast address is used to send information to all RPs in a subnet?
A. 224.0.0.1
B. 224.0.0.2
C. 224.0.0.5
D. 224.0.0.6

Answer B is correct. When information needs to be sent to all RPs on a segment, use 224.0.0.2 as a multicast address. 224.0.0.1 is the all-host group (all
devices), making answer A incorrect. Answers C and D are incorrect because
OSPF uses these addresses.

Question 3
What protocol is used by an RP to discover which end stations want to receive
multicast traffic?
A. PIM
B. CGMP
C. ICMP
D. IGMP

Answer D is correct. IGMP is used to determine what clients are participating
in multicast groups. Answer A is incorrect because PIM is used to route
multicast traffic. Answer B is incorrect because CGMP is used to help switches
learn locations of multicast clients. Answer C is incorrect because this is
used to test IP connections.

Question 4
In IGMPv2, the router with the _________ IP address is elected as the active
querier.
A. Lowest
B. Highest

Answer A is correct. The IGMPv2 active querier is elected based on the RP
with the lowest IP address. Because it is the lowest, answer B is incorrect.

Question 5
Which version of IGMP allows a client to determine which sources can be used
for multicast feeds?
A. v1
B. v2
C. v3
D. v2 and v3

Answer C is correct. IGMPv3 supports INCLUDE and EXCLUDE report messages,
where an EXCLUDE report message can be used to specify the source addresses
wanted for a specific multicast feed. Therefore, answers A, B, and D are
incorrect.

Question 6
Which distribution tree uses a rendezvous point to build a single-tree structure
for multicast routing?
A. PIM
B. Source
C. Shared
D. CGMP

Answer C is correct. Shared distribution trees have a rendezvous point that's
used to build a single-tree instance for all multicast traffic. Answer A is
incorrect because PIM is used to route multicast traffic; it isn't a tree
structure. Answer B is incorrect because source-based trees have a separate
tree structure for each multicast feed. Answer D is incorrect because CGMP is
used by switches to learn about participating multicast clients.

Question 7
The president of your company will be making a live presentation on Friday at 3
p.m. and every employee needs to see it. In what mode would you configure
PIM for this multicast feed?
A. Sparse
B. Dense

Answer B is correct. Use dense mode if most clients need to see the multicast feed. Sparse mode is used when only a few, geographically dispersed
clients need to see a feed, making answer A incorrect.

Question 8
PIM-DM uses ______ to build its distribution tree.
A. Spanning tree
B. IGMP
C. Reverse path forwarding
D. Rendezvous point

Answer C is correct. Reverse path forwarding is used to build PIM-DM's tree.
Answer A is incorrect because spanning tree is used by switches to remove
Layer 2 loops. Answer B is incorrect because IGMP is used to discover
multicast participating clients. Answer D is incorrect because a rendezvous
point is used in PIM-SM.


Question 9
Which method is recommended to control the switching of multicast traffic?
A. VLANs
B. IGMP snooping
C. Static multicast CAM entries
D. CGMP

Answer D is correct. CGMP is recommended to intelligently switch multicast
traffic. VLANs and static multicast CAM entries don't scale well, making
answers A and C incorrect. IGMP snooping has performance problems on lower-end
switches, making answer B incorrect.

Question 10
If you have two multicast feeds, one where everyone needs to see the multicast
feed and the other where only a handful need to see it, which PIM mode would
you use with the ip pim interface command?
A. dense-mode
B. sparse-mode
C. sparse-dense-mode
D. spare-and-dense-mode

Answer C is correct. When you have different multicast feeds with different
user needs, use the ip pim sparse-dense-mode command. Answer A is incorrect
because dense-mode should be used only when all devices need to see all multicast feeds. Answer B is incorrect because sparse-mode should be used when
only a small number of users need to see all multicast feeds. Answer D is
incorrect because it is a nonexistent parameter.


Need to Know More?


For more information on multicasting, read Developing IP Multicast Networks:
The Definitive Guide to Designing and Deploying CISCO IP Multicast Networks
by Beau Williamson. Cisco Press, 1/2000, ISBN: 1578700779.
Also read Multicast Networking & Applications, by C. Kenneth Miller.
Addison-Wesley, 10/1998, ISBN: 0201309793.
For information on multicasting, visit
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Multicast

9
Quality of Service

Terms you'll need to understand:
Quality of Service (QoS)
Delay, jitter, and packet loss
Packetization, serialization, and propagation
Classification, marking, and queuing
Weighted random early detection
Custom, priority, weighted fair, and low latency queuing

Techniques you'll need to master:
Understanding issues with IP telephony
Understanding QoS issues and prioritization
Understanding the similarities and differences between the various queuing methods
Configuring modular QoS CLI and queuing solutions


In network environments that carry voice, video, and data, quality of service (QoS) becomes an important issue. Certain applications, especially voice and video, need an infrastructure that can support their requirements. For instance, if these applications are not given enough bandwidth, or if too much delay or jitter occurs, voice and video quality suffers. QoS provides solutions to these problems. A QoS solution can be as complex as providing end-to-end guarantees for a connection or as simple as prioritizing traffic through queuing. This chapter starts off by discussing IP telephony and some of its issues and solutions, and then delves into QoS in more depth, discussing the components and architectures of QoS and the configuration of various QoS solutions.

Voice and Telephony

IP telephony is a component of Cisco's AVVID framework, which integrates voice, video, and data in the same infrastructure. AVVID was discussed in Chapter 2, "Designing Switched Networks." Like multicasting, which was discussed in Chapter 8, "Multicasts," IP telephony presents its own set of problems and issues. Designing a scalable network with support for IP telephony is not a simple task. During the design phase, you'll have to address the following questions:

- Will your current cable plant support IP phones? At a minimum, you'll need Category 5 cabling.
- Do your switches provide inline power for IP phones? IP phones require a powered connection, which a normal switch cannot provide; you can purchase inline-powered cards for Catalyst switches to support IP phones or buy separate power supplies for your IP phones.
- What features does your networking equipment require to support IP telephony? VLANs are typically used to separate data and voice traffic. QoS solutions are required to ensure that the necessary amount of bandwidth and minimal delay are provided for IP telephony.
- Do you have enough bandwidth for call control and voice traffic? Without enough bandwidth, the quality of phone calls can be seriously affected: QoS is an important component in dealing with bandwidth and latency issues.

The following sections deal with these questions in more depth.


Key Services
When implementing an IP telephony solution, you need to consider the following four areas:

- Network management
- High availability
- Security
- QoS

Remember the preceding four components when developing an IP telephony solution.

One component of your network management strategy should deal with Voice over IP (VoIP), that is, IP telephony, as well as traditional data. Ideally, your network management solution should be able to integrate both of these traffic types easily.

In a Cisco environment, IP phones use Cisco's CallManager product for setting up, maintaining, and tearing down phone connections. Because this is a critical component in voice communications and is required to set up voice connections, implementing CallManager redundancy is critical. You need to look at not only your voice components when it comes to redundancy, but also your data components, such as routers and switches, and examine the amount of time it takes for convergence to take place at both Layer 2 and Layer 3. Any downtime, even a brief outage, can be detrimental to your phone solution.

Because VoIP uses a LAN/WAN medium to deliver voice traffic, who has access to this traffic stream becomes critical: You don't want just anyone to use a protocol analyzer or packet sniffer to capture this traffic and listen in on a phone conversation. Therefore, a security policy must be drafted and security solutions must be implemented based on this policy. At a minimum, voice traffic is usually segregated from data traffic by using different VLANs. Keep in mind that a VLAN separates traffic but does not by itself stop someone with access to a port in the voice VLAN from capturing calls, so the policy should also cover who and what is allowed to reach that VLAN.

One of the most important components in ensuring a reliable, high-quality voice connection is QoS. QoS provides the following:

- Necessary bandwidth: The amount of bandwidth required to support both signaling and voice connections.

- Acceptable delay: The amount of time it takes to transport voice traffic to a destination; too much delay can create echo in the conversation.
- Acceptable jitter: The variation in the amount of time between the receipt of each packet; too much jitter can make the voice conversation sound choppy.
- Acceptable loss: Loss of some packets in a voice conversation does not typically affect the quality of the phone call. However, dropping too many packets will be obvious to the person listening on the other end.

QoS includes solutions such as traffic classification, traffic prioritization and queuing, detecting and avoiding congestion, shaping traffic to avoid congestion, and using compression to make fuller use of available bandwidth. Picking the right solution or solutions can be a difficult task because each has its own advantages and disadvantages. Later sections in this chapter deal with these topics.

Bandwidth
One key component in providing scalable, yet reliable, IP telephony solutions is ensuring that your voice traffic receives adequate bandwidth. IP telephony consists of two connections: a call control signaling connection and a voice connection.

The call control signaling connection is used to establish the voice connection, which carries the actual voice traffic. This control connection can use many different standards, such as H.323 or the Media Gateway Control Protocol (MGCP), to establish the voice connection.

As to design issues, both of these connections require bandwidth inside your network. A normal rule of thumb is to ensure that each of your links does not, on average, exceed 75% of its total capacity. This leaves ample room for bursts in traffic as well as for handling QoS issues for voice traffic. However, for networks that have little bandwidth, you'll have to determine how much bandwidth you need for voice connections to ensure that you can support them. VoIP connections typically carry the voice samples in the Real-time Transport Protocol (RTP). This information is encapsulated in a UDP segment at the transport layer and an IP packet at the network layer. All of these protocols incur additional overhead (header information), as does the Layer 2 transport, which is typically Ethernet. RTP uses a 12-byte header, UDP an 8-byte header, IP a 20-byte header, and Ethernet a 14-byte header (plus a 4-byte trailing CRC). All of this additional information must be included in your calculation.


Use this formula to figure out how much bandwidth you need to support a single voice connection:

  Bandwidth = (packet payload + all overhead) * packets generated per second

The number of packets generated per second is determined by the packet period, the amount of audio time carried in each packet. For example, a 20-millisecond packet period means an IP phone generates 1000 / 20 = 50 packets per second (pps). Of course, you'll also need to figure out how many simultaneous voice connections you'll need to support on uplink and backbone connections, and multiply accordingly.
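As an added worked example (not code from the book), the following Python script applies this formula with the header sizes listed above and then applies the 75% rule of thumb to work out how many calls a link can carry. The codec payload sizes are assumptions made for the example: G.711 carries 160 bytes of audio per 20 ms packet and G.729 carries 20 bytes.

```python
"""Per-call VoIP bandwidth from the formula above.

Added worked example; not code from the book. Header sizes are the ones
the text lists (RTP 12, UDP 8, IP 20, Ethernet 14 + 4-byte CRC). The
codec payload sizes are assumptions for illustration.
"""

# Overhead per packet, in bytes, as given in the text.
RTP_HEADER = 12
UDP_HEADER = 8
IP_HEADER = 20
ETHERNET_HEADER = 14
ETHERNET_CRC = 4

# Assumed codec payloads for a 20 ms packetization period (bytes).
CODEC_PAYLOAD_BYTES = {
    "G.711": 160,  # 64 kbps * 0.020 s / 8 bits (assumption for this example)
    "G.729": 20,   # 8 kbps * 0.020 s / 8 bits (assumption for this example)
}


def packets_per_second(packet_period_ms: float) -> float:
    """A 20 ms packet period gives 1000 / 20 = 50 packets per second."""
    return 1000.0 / packet_period_ms


def per_call_bps(payload_bytes: int, packet_period_ms: float = 20.0,
                 layer2_overhead: int = ETHERNET_HEADER + ETHERNET_CRC) -> int:
    """Bandwidth = (payload + all overhead) * packets per second, in bits/s."""
    overhead = RTP_HEADER + UDP_HEADER + IP_HEADER + layer2_overhead
    bytes_per_packet = payload_bytes + overhead
    return round(bytes_per_packet * 8 * packets_per_second(packet_period_ms))


def max_calls(link_bps: int, call_bps: int, utilization_pct: int = 75) -> int:
    """Calls that fit while keeping the link at or under the 75% rule of thumb."""
    budget = link_bps * utilization_pct // 100
    return budget // call_bps


if __name__ == "__main__":
    for codec, payload in CODEC_PAYLOAD_BYTES.items():
        bps = per_call_bps(payload)
        print(f"{codec}: {bps / 1000:.1f} kbps per call, "
              f"{max_calls(10_000_000, bps)} calls on a 10 Mbps link at 75%")
```

Note that the 58 bytes of headers are fixed per packet, which is why the small G.729 payload ends up carrying almost three times its own size in overhead; a shorter packet period raises the packet rate and makes this worse.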

Power
Similar to a normal phone, an IP phone requires some sort of power to function. A normal phone draws a small amount of current so that features such as dial tone, ringing, and so on, can be provided. An IP phone is no different. Without some sort of power, an IP phone does not function. You need to consider two components when dealing with power: a power source and an uninterruptible power supply (UPS).

First, you need some type of power source for your IP phones. Cisco's Catalyst switches can provide this power over a Category 5 cable; the same cable provides both power to the IP phone and Ethernet connectivity. On Cisco's Catalyst switches, this requires you to purchase an Ethernet module that supports inline power on each of its Ethernet ports. Your second option is to use a special form of patch panel that provides a power source to the IP phones when they are connected to it. A third choice is to use an external power supply that is directly attached to the phone (assuming that the phone supports this option).

The second issue deals with UPS systems and redundancy. One of the reasons that a normal telephone doesn't use an electrical outlet for power is that if you lose electricity in your home, the phone still works because the power it receives comes over a separate connection from the power you get from the electric company. This enables you to make phone calls in emergency situations when you've lost power. Power for IP phones is just as important. If your Catalyst switch or patch panel loses power, you won't be able to use your IP phone. Therefore, you need to implement a very reliable UPS system to protect against power loss (which is also why using an external power supply for an IP phone is not recommended: every phone's own power adapter would need protecting). This should include a robust UPS and generator backup system, 24/7 UPS monitoring, and a 4-hour service-level agreement with your UPS vendor to deal with UPS problems.


Auxiliary VLANs
Auxiliary VLANs are a feature of Cisco Catalyst switches that allow IP phones to be placed in their own VLANs. You normally want to separate your VoIP traffic from your data traffic. You can easily do so with static VLAN configurations, but that becomes a burden if your IP phones are constantly being moved around the network.

With auxiliary VLANs, no end-user intervention is required to put the IP phone in the correct VLAN. Auxiliary VLANs use 802.1Q tagging and 802.1P priority marking to put IP phones in the correct VLAN. Using DHCP, IP phones can be assigned the right IP addressing information for the auxiliary VLAN they're associated with. A single physical connection can even carry an auxiliary VLAN for the IP phone and a separate VLAN for data traffic.

Good Design Practices

There are two main issues that you have to deal with when designing a scalable VoIP solution: Layer 2 (access layer) and Layer 3 (distribution layer) convergence. Within the access layer, use auxiliary VLANs with 802.1P and 802.1Q when deploying IP telephony as well as the following STP features: PortFast, UplinkFast, UDLD, and Root Guard.

At the distribution layer, use the following features:

- Use OSPF or EIGRP to provide for fast convergence
- Use passive interfaces for connections to the access layer so that routing updates are not propagated there
- Use HSRP or GLBP for default gateway redundancy with interface tracking and preemption enabled

QoS Issues and Architectures

With VoIP, QoS has to deal with issues such as bandwidth, delay, jitter, and data loss when providing an acceptable level of service. Cisco's QoS features provide the following advantages:

- Efficient use and control of resources in the network
- QoS that adapts to customers and their applications
- VoIP and mission-critical applications coexisting side by side


To deal with QoS issues, you first need to classify your traffic based on its bandwidth, delay, jitter, and loss requirements. Based on this information, you'll want to implement one or more QoS solutions for important traffic to ensure that it gets its necessary level of service. As you'll see throughout the rest of this chapter, Catalyst switches and routers support many QoS features that allow for traffic prioritization.

Some QoS features dynamically prioritize traffic for you, whereas others require manual configuration of prioritization, giving you the ability to create your own QoS policies. If you have three kinds of traffic, such as voice/video, transactional applications, and data transfers, the three would typically be prioritized in that order.

Problems
QoS needs to deal with four basic problems: amount of bandwidth, delay, jitter, and packet loss. Bandwidth is the amount of throughput a connection
needs to support its level of service. However, delay, jitter, and packet loss
can also affect a connections level of service. The next sections cover the last
three items.

Delay
Delay is the amount of time it takes for a packet to go from the source to the destination. Within this transmission, there are two general types of delay that make up the total delay: fixed delay and variable delay. Fixed delay covers the amount of time it takes to encapsulate and de-encapsulate information as well as to physically transfer information over a wire; it does not change from one packet to the next. Variable delay occurs in devices handling traffic, where congestion can occur, and differs from packet to packet. Here is a list of all the factors for both types of delay that your traffic is subject to:

- Packetization: The time it takes to segment information, sample and encode any signals, process the traffic, and then encapsulate the data in packets
- Serialization: The time it takes to encapsulate a packet in a frame and clock the bits of the frame onto the wire; it depends on the frame size and the link speed
- Propagation: The time it takes for the bits of a frame to travel across the medium to the next networking device; it depends on the distance
- Processing: The time it takes for a networking device to receive a frame, place the frame in the input queue, and take the frame from the input queue and place it in the output queue of the outbound interface
- Queuing: The time a packet stays in the output queue before being forwarded on the outbound interface to the next device; this is the main variable component and the one the queuing tools in this chapter control


With VoIP traffic, it's important to minimize delay to prevent echo problems. Remember the different types of delay in the preceding bulleted list, especially packetization, serialization, and propagation delays.
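To make the fixed components concrete, here is an added example (not from the book) that computes packetization, serialization, and propagation delay for one hop. The numbers it assumes (a 20 ms packet period, a 218-byte voice frame, signal propagation at roughly two-thirds the speed of light) are chosen for illustration; the 1500-byte data frame shows why a large frame already on the wire ahead of a voice packet matters so much on a slow link and so little on a fast one.

```python
"""Fixed delay components for a voice packet crossing one link.

Added worked example; not code from the book. The constants below are
assumptions chosen for illustration.
"""

PACKET_PERIOD_MS = 20.0            # assumed packetization period
PROPAGATION_SPEED_MPS = 2.0e8      # assumed signal speed in copper/fiber (~2/3 c)
VOICE_FRAME_BYTES = 218            # assumed: 160 bytes G.711 audio + 58 bytes of headers
DATA_FRAME_BYTES = 1500            # a full-size data frame that may be ahead of us


def packetization_delay_ms(packet_period_ms: float = PACKET_PERIOD_MS) -> float:
    """Audio is collected for one packet period before a packet can be built."""
    return packet_period_ms


def serialization_delay_ms(frame_bytes: int, link_bps: int) -> float:
    """Time to clock every bit of the frame onto the wire: size / link speed."""
    return frame_bytes * 8000 / link_bps   # bits * 1000 ms/s, divided by bits/s


def propagation_delay_ms(distance_m: float,
                         speed_mps: float = PROPAGATION_SPEED_MPS) -> float:
    """Time for the signal to travel the length of the link."""
    return distance_m * 1000 / speed_mps


def fixed_delay_ms(link_bps: int, distance_m: float,
                   blocking_frame_bytes: int = 0) -> dict:
    """Sum the fixed components for one hop.

    blocking_frame_bytes models a data frame that had already started
    serializing when the voice packet reached the interface: the voice
    packet has to wait for the whole frame. On a slow link that wait alone
    can exceed a voice delay budget, which no queuing scheme can fix.
    """
    parts = {
        "packetization": packetization_delay_ms(),
        "serialization": serialization_delay_ms(VOICE_FRAME_BYTES, link_bps),
        "blocking": serialization_delay_ms(blocking_frame_bytes, link_bps),
        "propagation": propagation_delay_ms(distance_m),
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    # Same voice packet behind a 1500-byte frame: 64 kbps WAN versus 100 Mbps LAN.
    for speed in (64_000, 100_000_000):
        d = fixed_delay_ms(speed, distance_m=100_000,
                           blocking_frame_bytes=DATA_FRAME_BYTES)
        print(f"{speed:>11} bps: " +
              ", ".join(f"{k}={v:.2f}ms" for k, v in d.items()))
```

On the 64 kbps link the blocking frame alone costs 187.5 ms, far more than the propagation delay across 100 km; on 100 Mbps the same frame costs 0.12 ms. That difference is why slow WAN links, not the campus LAN, are where serialization delay has to be engineered around.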

Jitter
Jitter, or delay variation, is the variation in delay between receiving consecutive packets: the difference between the one-way delay of one packet and that of the next. For example, if it takes 135ms for one packet to arrive and 128ms for the next, the delay variation is 7ms. Cisco uses a buffer to reduce jitter issues. The buffer essentially smoothes out the differences before forwarding the traffic to the application so that the packets appear to be received at a constant interval. The jitter buffer can dynamically adjust itself for changing delay variations. This kind of buffering is very important for voice and video traffic; otherwise, the conversation or picture appears choppy. If your internal buffer has trouble handling incoming packets, one of the following problems is occurring:

- Overrun: The jitter buffer cannot resize itself to handle the changes in delay variation and fills up, causing dropped packets.
- Underrun: The variation in delay between packets becomes so large that the jitter buffer empties before the next packet arrives and cannot smooth out the delay variation, causing choppiness.

Either of these situations degrades the quality of a voice or video connection.

Packet Loss
Packet loss occurs when a networking device has to drop packets, typically because of a queuing problem. Queuing occurs on the ingress (entering an interface) and egress (leaving an interface) of a networking device. Most queuing problems occur on the egress because of congestion. With egress queuing and congestion, tail-drop packet loss is common. With a tail drop, the first part of the data from a connection is queued, but when the queue has filled up, everything that arrives after that is dropped until space frees up. Specialized queuing and congestion avoidance methods should be implemented to deal with packet loss of sensitive data, such as voice and video.

If you're experiencing ingress packet loss shown by the ignored, input error, no buffer, or overrun counters in show interface output, you probably need to upgrade your hardware to deal with these problems.

When dealing with VoIP, packet loss should be less than 1%, one-way delay should
be less than 60ms per call leg, and jitter should be less than 20ms in order to provide
a good-quality voice connection.
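The following added example (not the book's code) measures these three quantities from per-packet arrival records and checks them against the thresholds quoted above. The records are a constructed sample, not captured data, and jitter is computed the simple way the text defines it, as the difference in one-way delay between consecutive packets (RFC 3550's interarrival jitter is a smoothed estimate of the same quantity).

```python
"""Delay, jitter, and loss measured from per-packet arrival records.

Added worked example; not code from the book. SAMPLE is a constructed
set of records, not captured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrival:
    seq: int          # RTP sequence number
    sent_ms: int      # send timestamp (ms)
    received_ms: int  # receive timestamp (ms), same clock as sent_ms

    @property
    def delay_ms(self) -> int:
        return self.received_ms - self.sent_ms


# Constructed sample: ten packets sent 20 ms apart; sequence 6 never arrives.
SAMPLE = [
    Arrival(1, 0, 30), Arrival(2, 20, 52), Arrival(3, 40, 71),
    Arrival(4, 60, 95), Arrival(5, 80, 110), Arrival(7, 120, 153),
    Arrival(8, 140, 171), Arrival(9, 160, 190), Arrival(10, 180, 214),
]


def loss_percent(arrivals) -> float:
    """Loss from sequence-number gaps: expected packets minus those received."""
    seqs = sorted(a.seq for a in arrivals)
    expected = seqs[-1] - seqs[0] + 1
    return (expected - len(seqs)) * 100 / expected


def mean_delay_ms(arrivals) -> float:
    return sum(a.delay_ms for a in arrivals) / len(arrivals)


def delay_variations_ms(arrivals) -> list:
    """Jitter as the text defines it: |delay(n+1) - delay(n)| for each
    consecutive pair of received packets (a lost packet is skipped over)."""
    ordered = sorted(arrivals, key=lambda a: a.seq)
    return [abs(b.delay_ms - a.delay_ms) for a, b in zip(ordered, ordered[1:])]


def mean_jitter_ms(arrivals) -> float:
    variations = delay_variations_ms(arrivals)
    return sum(variations) / len(variations)


def summarize(arrivals, max_loss_pct=1.0, max_delay_ms=60, max_jitter_ms=20) -> dict:
    """Check a stream against the thresholds quoted in the text."""
    loss = loss_percent(arrivals)
    delay = mean_delay_ms(arrivals)
    jitter = mean_jitter_ms(arrivals)
    return {
        "loss_pct": loss, "loss_ok": loss < max_loss_pct,
        "mean_delay_ms": delay, "delay_ok": delay < max_delay_ms,
        "mean_jitter_ms": jitter, "jitter_ok": jitter < max_jitter_ms,
        "max_jitter_ms": max(delay_variations_ms(arrivals)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

In the sample, delay and jitter are comfortably inside the limits but a single lost packet in ten is 10% loss, so the stream fails the loss check; that is the case the text warns about, where the call sounds fine until drops become audible.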

QoS Solutions
Using QoS solutions in your network can deal with the three problems that were just mentioned. QoS should be able to predict the amount of time it takes to transmit information between two devices for delay-sensitive applications and ensure that delay and jitter are minimized. A prioritization scheme is typically used to prioritize time-sensitive traffic (voice and video) over traffic that isn't time-sensitive (data).

Likewise, for certain applications, such as data transfers, data loss is not acceptable because dropped information must be re-sent. With video and voice, some packets can be dropped without affecting the quality of the connection. Therefore, a QoS solution should provide enough bandwidth for applications and should balance packet loss based on the type of application being used.

A well-designed QoS solution should be able to deal with all of these issues. At best, it should avoid congestion, and at worst, deal with congestion in a managed way without affecting application function. When providing a solution, QoS typically has to deal with the following components:

- Classification: Sorts, or classifies, traffic into distinct groups.
- Marking: Places information in a packet or frame indicating the priority (or class) of the information.
- Forwarding: Switches traffic from one interface to another (process switching, fast switching, and CEF).
- Policing: Measures received traffic against the rate and burst size it is expected to stay within and determines whether it conforms or exceeds. Packets that break a policing policy are typically dropped or re-marked to a lower class.
- Queuing: Examines the classification of traffic to determine how it should be placed in the egress queue.
- Scheduling: Determines how traffic should be processed from the egress queue.
- Shaping: Sends traffic out at a constant, even pace (essentially removing the jitter from a traffic stream and enforcing a bandwidth limit) by delaying excess packets rather than dropping them.
- Dropping: Drops packets in an intelligent way to reduce congestion, yet not cause a major problem with the connection.


Please note that all of these components have to be dealt with not just within a single networking device, but across all network devices between the
beginning and end points of a connection.
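Policing and shaping both measure traffic against a token bucket but differ in what they do with the excess, and the difference is easiest to see in code. The added example below (not from the book) implements both against one constructed burst of packets; the rate, burst size, packet sizes, and arrival times are made up for the example.

```python
"""Token-bucket policing versus shaping.

Added worked example; not code from the book. Both tools share one bucket
model: `rate` tokens (bytes) are added per millisecond, up to `burst`
tokens. A policer drops (or would re-mark) what does not fit the bucket;
a shaper holds the packet until the bucket has refilled enough, so the
stream leaves at an even pace instead of being clipped.
"""


class TokenBucket:
    def __init__(self, rate_bytes_per_ms: int, burst_bytes: int):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.tokens = burst_bytes      # the bucket starts full
        self.last_ms = 0

    def refill(self, now_ms: int) -> None:
        """Credit tokens for the time elapsed since the last refill."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms


def police(packets, rate_bytes_per_ms, burst_bytes):
    """Return (conformed, exceeded) lists of (arrival_ms, size) packets."""
    bucket = TokenBucket(rate_bytes_per_ms, burst_bytes)
    conform, exceed = [], []
    for arrival_ms, size in packets:
        bucket.refill(arrival_ms)
        if size <= bucket.tokens:
            bucket.tokens -= size
            conform.append((arrival_ms, size))
        else:
            exceed.append((arrival_ms, size))   # dropped; the bucket is untouched
    return conform, exceed


def shape(packets, rate_bytes_per_ms, burst_bytes):
    """Return the departure time (ms) of each packet; nothing is dropped."""
    bucket = TokenBucket(rate_bytes_per_ms, burst_bytes)
    departures = []
    next_free_ms = 0   # the shaper sends packets in order, one at a time
    for arrival_ms, size in packets:
        send_ms = max(arrival_ms, next_free_ms)
        bucket.refill(send_ms)
        if size > bucket.tokens:
            deficit = size - bucket.tokens
            wait_ms = -(-deficit // bucket.rate)   # ceiling division
            send_ms += wait_ms
            bucket.refill(send_ms)
        bucket.tokens -= size
        next_free_ms = send_ms
        departures.append(send_ms)
    return departures


if __name__ == "__main__":
    # Constructed burst: five 1000-byte packets arriving at once, bucket of
    # 1500 bytes refilled at 100 bytes/ms (800 kbps).
    burst = [(0, 1000)] * 5
    ok, dropped = police(burst, 100, 1500)
    print(f"policer: {len(ok)} conform, {len(dropped)} exceed")
    print(f"shaper : departures at {shape(burst, 100, 1500)} ms")
```

With the same bucket the policer lets one packet of the burst through and drops four, whereas the shaper releases all five at 0, 5, 15, 25 and 35 ms. The shaper therefore trades loss for delay, which is the right trade for bulk data and the wrong one for voice, which is why policing rather than shaping is usually applied to the voice class.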

QoS Architectures
QoS architectures fall under one of three service models, as listed in Table 9.1. Best Effort service should be used only in environments where QoS is not needed. If you have voice and/or video traffic, you'll probably have to implement QoS solutions, especially if you experience temporary congestion problems in your network.

Table 9.1 QoS Architectures

Architecture                      Explanation                                    When to Use
--------------------------------  ---------------------------------------------  ----------------------------------
Best Effort                       Lacks QoS; first in, first out (FIFO)          When QoS is not necessary
                                  queuing
Integrated Services               Reserves resources via the Resource            Absolute guarantees for traffic
(IntServ, or hard QoS)            Reservation Protocol (RSVP) from end to end
                                  for each connection
Differentiated Services           Reserves resources on a hop-by-hop basis       Optimal guarantees; costs less
(DiffServ, or soft QoS)           for traffic classifications through queuing    than IntServ and is easier to
                                  and congestion avoidance techniques            implement

Remember the Best Effort, IntServ, and DiffServ information in Table 9.1.

Best Effort
Best Effort tries its very best to get information to a destination in a timely fashion, but doesn't provide any guarantees. It typically uses a FIFO (first-in, first-out) queuing method. FIFO doesn't provide any type of QoS: the first packet or frame received is the first one queued. It is typically used for


connections that don't require QoS, such as data transfers. FIFO is discussed later in this chapter in more depth.

IntServ
IntServ is defined in RFC 1633 and provides a QoS guarantee for an application connection. This is different from DiffServ, which provides QoS based on traffic classifications, not specific connections. IntServ is implemented using RSVP on all devices handling the connection, including the source and destination. RSVP uses signaling to set up the reservation along the path and to maintain it for the life of the connection. When a new connection is being established, RSVP has to determine what paths and devices are used to support the connection. The Common Open Policy Service (COPS) can be used to centralize the policy decisions (who is allowed to reserve what) for the setup and maintenance of these connections.

The two main problems with IntServ are that it is not very scalable (you have to enable RSVP on all devices, and every device must keep state for every reserved flow) and that extra bandwidth is required for each connection to handle RSVP signaling. However, its main advantage is that it provides a guarantee for a data connection that DiffServ can't. For example, if you have a hospital application that sets up connections between devices that transmit data in a real-time fashion, and this data is monitoring someone's vital signs in an intensive care unit, you absolutely need to guarantee that each connection for this critical application is serviced so as not to cause any type of data disruption.

DiffServ
DiffServ uses a multiple-service model to implement QoS. With DiffServ, applications do not signal their QoS requirements before sending their data. Instead, DiffServ is implemented within your network infrastructure: routers and switches. This provides an advantage over IntServ because you don't need to modify any end stations.

A DiffServ deployment marks the Type of Service (ToS) byte in the IP packet and, at Layer 2, the tag field (three bits are used for Class of Service, or CoS) in an IEEE 802.1Q/P frame. When performing its marking, DiffServ can assign up to 64 traffic classifications called Differentiated Services Code Points (DSCPs), which are used to prioritize traffic. In the ToS byte, the six high-order bits carry the DSCP value and the two low-order bits are used to indicate congestion (ECN). Each networking device along the way to the destination uses this information to handle the packet or frame, providing a hop-by-hop QoS implementation. This is different from IntServ, which implements QoS on a connection-by-connection basis. DiffServ is preferred in the campus backbone environment because it deals with types of traffic, versus the complex management of QoS on a connection-by-connection basis.


Assured Forwarding (AF), defined in RFC 2597, implements QoS per-hop behaviors. AF defines four classes, AF1x through AF4x, where a DSCP number is associated with each class. Within each of these classes, a drop precedence is assigned: low, medium, or high. For example, class AF1 has three drop precedences: AF11 (low), AF12 (medium), and AF13 (high). Based on the requirements of the traffic (jitter, bandwidth, throughput, delay, and loss), traffic is assigned to a particular class with the associated drop precedence. Networking devices then examine frames and packets for the DSCP numbers and know the class that the traffic is associated with along with the likelihood of dropping this traffic during congestion problems.

Expedited Forwarding (EF), originally defined in RFC 2598 (since replaced by RFC 3246), defines how to use DiffServ to construct a premium service that provides guaranteed bandwidth, low latency, and low jitter end to end, which is what voice traffic needs.

QoS Implementation
Implementing QoS covers these categories: classification and marking of traffic, choosing a queuing method, conditioning traffic (shaping and policing), and efficiently using bandwidth. The following sections deal with these categories and examine how these components are implemented in a network.

Classification and Marking of QoS

Classification is the process of grouping traffic based on its QoS needs. Two methods are used to break up traffic into classes: access control lists (ACLs) and network-based application recognition (NBAR). Marking is then used to tag the packet and frame with the traffic group's classification value.

You typically want to classify and mark traffic as close to the source as possible. This means that, optimally, you want to perform this process as soon as the traffic enters the network at the access layer. For server farms grouped at the distribution layer, the classification and marking occur there for traffic sourced from these devices. This boundary is referred to as a trust boundary. Trusted devices are devices that understand and implement QoS; untrusted devices don't. All of your routers and switches between sources and destinations that need QoS should implement QoS solutions and are therefore considered to be trusted devices. Everything outside the trust boundary, including end-user PCs, should be treated as untrusted: the access switch should overwrite whatever marking such a device sends rather than honor it, because otherwise any host could mark its own traffic as voice and take bandwidth away from real calls.

Classification Methods
With IP traffic, the ToS field is used to classify traffic. Using IP precedence, the ToS field enables you to assign traffic to one of six classes (0 through 5); precedence values 6 and 7 are reserved for network control traffic. Non-IP traffic is more difficult to classify because non-IP Layer 3 protocols typically don't have an equivalent of the ToS (Type of Service) field in the IP packet header. Therefore, non-IP traffic is typically classified based on the protocol type or on the source and/or destination port (socket) number used at the transport layer, unless a CoS (Class of Service) value exists in an 802.1Q/P frame. In this situation, the CoS value is used if it is trusted. This assumes that a trusted device, like one of your switches or routers configured with QoS, has marked this frame. Table 9.2 lists the classification methods that QoS can use as well as how traffic is sorted into different classes within the IOS.
Table 9.2 Classification Methods and Classifying Traffic

Classification Method                      Class Selection Method
-----------------------------------------  -------------------------------------------------------------
Policy-Based Routing (PBR)                 Route maps
Priority and Custom Queuing                ACLs, ingress interface, Layer 3 protocol, and/or size of
                                           the packet
Committed Access Rate (CAR) and            ACLs, DSCP, QoS group, and rate-limit ACLs
Class-Based Policing
All methods, including the other           Class maps (includes use of ACLs, NBAR, ingress interface,
methods in this table                      source/destination MAC addresses, QoS group, MPLS
                                           information, DSCP, and IP ToS field)

PBR enables you to route packets based on more than just the destination
address in the packet. For instance, if a packet is going to a certain destination and is coming from a particular source address or network, you might
want to route it across a different path than what is currently in the routing
table. ACLs and route maps are typically used to perform the matching. PBR
is beyond the scope of this book, but it is covered in Ciscos BSCI course.
Priority and custom queuing are used to queue and service traffic on egress
ports based on a configured prioritization. CAR and class-based policing
affect how traffic is transmitted to ensure that it operates under expected
conditions, like using an expected amount of bandwidth. These methods are
discussed later in this chapter.

Marking Options
After traffic is classified by a trusted device, it must be marked so that other trusted devices can implement the appropriate QoS policy. Marking can occur at Layer 2, Layer 3, or both.

At Layer 2, the CoS field in the tag header defined by IEEE 802.1P is used. This tag header is the same one 802.1Q adds to a frame; it contains a 3-bit priority field (CoS) as well as a 12-bit VLAN ID. The three bits give eight CoS values, 0 through 7, whose conventional meanings are shown in Table 9.3.

Table 9.3 802.1P CoS Priorities

Priority   Explanation
---------  --------------------------
0          Best effort delivery
1          Medium priority
2          High priority
3          Call signaling information
4          Video conferencing
5          Voice channel
6-7        Reserved

A Layer 3 device typically uses ACLs to place traffic into the appropriate traffic class. Assuming that the Layer 3 protocol is IP, marking in an IP packet is done in the ToS field, which is 1 byte in length. There are two methods of marking this byte: the older IP precedence scheme (RFC 791) and DiffServ (RFC 2474). With IP precedence, the three high-order bits are used to mark the traffic's class and the remaining five bits are not used for marking. In DiffServ, the six high-order bits contain the DSCP class value and the two low-order bits carry Explicit Congestion Notification (ECN) information. Because the three high-order bits are the same in both schemes, a device that understands only IP precedence reads a DSCP-marked packet as the precedence value formed by the top three bits of the DSCP; for example, EF (DSCP 46) is seen as precedence 5.

802.1Q/P is used to mark Layer 2 frames with CoS information. The IP ToS field is used to carry QoS information in IP packets. This can be accomplished by using IP precedence or DiffServ.
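As an added worked example (not code from the book), the following functions encode and decode the fields just described: the ToS byte with either IP precedence or DSCP plus ECN, the AF and EF code points from RFCs 2597 and 2598, and the CoS bits in an 802.1Q tag. The VLAN and DSCP values used in the demonstration are arbitrary, and the DSCP-to-CoS mapping shown is the common default of copying the top three bits, not a rule; switches let you change that map.

```python
"""Encoding and decoding IP ToS/DSCP and 802.1Q CoS marks.

Added worked example; not code from the book. Per RFC 2597 an AF mark is
AFxy with DSCP = 8*x + 2*y; EF is DSCP 46 (RFC 2598, now RFC 3246); a class
selector CSx is DSCP 8*x (RFC 2474), which is why CSx reads as IP
precedence x on older equipment.
"""

EF_DSCP = 46


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """AFxy -> DSCP. x is 1..4; y is 1 (low), 2 (medium) or 3 (high) drop."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return af_class * 8 + drop_precedence * 2


def dscp_name(dscp: int) -> str:
    """Map a DSCP value back to its PHB name, or 'DSCP n' if it has none."""
    if dscp == EF_DSCP:
        return "EF"
    x, rem = divmod(dscp, 8)
    if 1 <= x <= 4 and rem in (2, 4, 6):
        return f"AF{x}{rem // 2}"
    if rem == 0:
        return f"CS{x}"
    return f"DSCP {dscp}"


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Build the ToS/DS byte: DSCP in the six high-order bits, ECN in the low two."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def decode_tos(tos: int) -> dict:
    """Read DSCP, ECN, and the IP precedence a legacy device would see."""
    dscp = tos >> 2
    return {"dscp": dscp, "precedence": dscp >> 3, "ecn": tos & 0x3,
            "name": dscp_name(dscp)}


def dot1q_tci(cos: int, vlan_id: int, cfi: int = 0) -> int:
    """Build the 16-bit 802.1Q Tag Control Information: PCP(3) | CFI(1) | VID(12)."""
    if not 0 <= cos < 8 or not 0 < vlan_id < 4095:
        raise ValueError("CoS must be 0-7 and VLAN ID 1-4094")
    return (cos << 13) | (cfi << 12) | vlan_id


def cos_from_tci(tci: int) -> int:
    return tci >> 13


def dscp_to_cos(dscp: int) -> int:
    """Common default Layer 3 to Layer 2 mapping: the DSCP's three high-order
    bits (the IP precedence value) become the CoS. Switches let you change it."""
    return dscp >> 3


if __name__ == "__main__":
    # Arbitrary values for the demonstration: voice on VLAN 110, marked EF.
    voice_tos = tos_byte(EF_DSCP)
    print(f"ToS byte 0x{voice_tos:02X} decodes to {decode_tos(voice_tos)}")
    tci = dot1q_tci(dscp_to_cos(EF_DSCP), 110)
    print(f"802.1Q TCI 0x{tci:04X}: CoS {cos_from_tci(tci)}, VLAN {tci & 0xFFF}")
    print("AF31 ->", af_dscp(3, 1), "which names back to", dscp_name(af_dscp(3, 1)))
```

The decoder is also the check you would run on a capture: if frames from an untrusted port arrive already carrying CoS 5 or ToS 0xB8, the trust boundary is not being enforced where the text says it should be.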

Managing Congestion with Queuing


After traffic is classified and marked, trusted devices can use the information to queue traffic appropriately. There are three components to queuing: classification, insertion, and service (scheduling).

When a packet is received on an interface, the first step that takes place is classifying the traffic, if it is not already associated with a class. After the traffic is classified, it must be queued, based on its classification, on the egress interface. Once placed in the queue, the queue needs to be serviced: the packet is removed from the queue, encapsulated in a frame, possibly marked, and then sent out the interface. If packets must be dropped because the queue is full, tail dropping is used: with tail dropping, the packets that arrive after the queue has filled are the ones dropped.

There are many different queuing solutions available in the IOS. However, each queuing solution differs in how traffic is classified, how


traffic is inserted in the queue, and how the queue is processed. Table 9.4 displays some of the queuing methods available and the DiffServ per-hop behavior they are grouped under.

Table 9.4 Queuing Methods

Queuing Method                                  DiffServ Method
----------------------------------------------  ---------------
Class-based weighted fair queuing (CB-WFQ)      AF
Weighted random early detection (WRED)          AF
Custom queuing (CQ)                             AF
Class-based low latency queuing (CB-LLQ)        EF
IP RTP prioritization                           EF
Priority queuing (PQ)                           EF

The following sections cover different types of queuing, including the ones
just mentioned.

FIFO Queuing
FIFO, first-in, first-out, doesn't provide any type of QoS: the first packet or frame received is the first one queued up. Traffic is not associated with any class; instead, priority is defined by when the packet comes into an interface. The default queuing method on Cisco Catalyst switches is FIFO queuing, which performs queuing in hardware.

Cisco also supports a software-based variation on FIFO queuing, which breaks up RAM into four queues, each serviced with best-effort delivery. The queues are processed in a weighted round-robin (WRR) fashion. This enables you to implement a very basic form of QoS and give general preference to one queue over another.

Priority Queuing
Priority queuing (PQ) also has four queues. However, each queue has a distinct priority: high, medium, normal, or low. Strict priority is enforced in this scheme. First, the high queue is emptied. When the high-priority queue is emptied, the IOS checks to make sure that no new packets have been added to it. If so, the high queue is processed again. The medium queue is processed only when the IOS checks the high queue and finds it empty. Both the high and medium queues must be empty for the normal queue to be processed, and the high, medium, and normal queues must all be empty before the low queue is processed.


Therefore, given this priority scheme, there is a chance that the lower-end
queues might never be processed. It is therefore very important to know what
traffic is placed into what queues. This is typically done based on the protocol of the packet, the ingress interface, the size of the packet, and ACLs.
The one advantage that priority queuing has is that any traffic classified and placed in
the high queue is always guaranteed to be serviced.

Custom Queuing
Unlike priority queuing, custom queuing (CQ) has 16 queues. The same classification techniques used in PQ are used to place packets into one of the 16 queues in CQ. The main difference between PQ and CQ is that PQ guarantees only that the high queue will be processed; CQ guarantees that every queue will be processed. In CQ, queues are processed in a round-robin fashion. To give preference to one queue over another, you specify the amount of traffic (a byte count) that is allowed to be sent from a given queue on each pass.
As an example, if you wanted to give preference to queue 1 over queue 2, you can allow queue 1 to send twice as many bytes as queue 2 each time the IOS services the queues. Because CQ processes all queues, no one type of traffic will ever be starved for bandwidth. The main problem of CQ and PQ is that they cannot adjust to changing network conditions; how traffic is placed into queues and how much traffic is processed from the queues is hard-configured.
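To make the contrast between the two schedulers concrete, here is an added Python simulation; it is my illustration, not code from the book or from Cisco. The queue names, the packet sizes and the byte counts are assumptions chosen for the demonstration. It models PQ as strict priority and CQ as byte-count round-robin in which a queue keeps sending until its byte count has been met or exceeded (IOS finishes the packet that crosses the count). With a constant backlog in the high queue, PQ never serves the normal queue, while CQ serves it on every pass.

```python
from collections import deque


def make_queues(depths, size=1500):
    """Build named FIFO queues holding packets of a fixed size in bytes.
    depths: {queue_name: number_of_waiting_packets}. Constructed sample input."""
    return {name: deque([size] * n) for name, n in depths.items()}


def pq_service(queues, order, budget):
    """Priority queuing: on every transmit opportunity, take a packet from the
    first non-empty queue in 'order' (high -> low). A lower queue is served
    only when every queue above it is empty, so it can starve completely.
    Returns the list of queue names served, one entry per packet sent."""
    served = []
    for _ in range(budget):
        for name in order:
            if queues[name]:
                queues[name].popleft()
                served.append(name)
                break
        else:
            break  # every queue is empty
    return served


def cq_service(queues, order, byte_counts, budget):
    """Custom queuing: visit the queues round-robin; on each visit transmit
    packets until the queue's byte count is reached or exceeded. Every
    non-empty queue therefore gets bandwidth on every pass."""
    served = []
    sent = 0
    while sent < budget:
        progressed = False
        for name in order:
            q = queues[name]
            remaining = byte_counts[name]
            while q and remaining > 0 and sent < budget:
                remaining -= q.popleft()
                served.append(name)
                sent += 1
                progressed = True
        if not progressed:
            break  # nothing left to send anywhere
    return served


def starvation_demo(budget=30):
    """Offer the same constructed backlog (100 'high' packets, 10 'normal'
    packets) to both schedulers and count what each one actually sent."""
    order = ["high", "normal"]
    pq = pq_service(make_queues({"high": 100, "normal": 10}), order, budget)
    cq = cq_service(make_queues({"high": 100, "normal": 10}), order,
                    {"high": 3000, "normal": 1500}, budget)
    return {
        "pq": {n: pq.count(n) for n in order},
        "cq": {n: cq.count(n) for n in order},
    }


if __name__ == "__main__":
    print(starvation_demo())
```

With 1500-byte packets, a 3000-byte count for the high queue and 1500 for the normal queue gives the normal queue one packet for every two high packets, a 2:1 preference rather than starvation. The same byte-count mechanism is also why CQ is only approximate: a single 1500-byte packet against a 100-byte count still sends the whole packet.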

Weighted Fair Queuing


Weighted fair queuing (WFQ) examines traffic flows to determine how
queuing occurs. A flow is basically a connection that Cisco calls a conversation.
The IOS examines the Layer 3 protocol type, such as IP, ICMP, OSPF, and
so on, the source and destination address, and the source and destination
port numbers to determine how data should be classified. Based on this
information, the traffic is either classified as high or low priority.
Traffic such as well-known voice and video applications, as well as interactive
applications like telnet, are typically given higher priority. Traffic such as file
transfers (FTP) and Web connections (HTTP) are given lower priority.
Within the higher-priority traffic, different traffic flows are processed in a
round-robin manner. This is also true of the lower-priority traffic: Traffic of
the same priority is treated equally. WFQ is the default queuing method used
on IOS routers with E1 or slower WAN links.


Class-Based Weighted Fair Queuing


Class-based weighted fair queuing (CB-WFQ) is an extension of WFQ. In WFQ, the IOS automatically determines what goes into the higher and lower queue structures: you have no control over this process. With CB-WFQ, you can configure up to 64 classes and control which traffic is placed in which class. You can also guarantee a class a minimum amount of bandwidth on the egress interface during congestion. CB-WFQ gives you much more control over prioritization and queuing on the egress interface, but requires configuration on your part. The one nice feature of WFQ is that it doesn't require any configuration on E1 or slower WAN link connections because it is already enabled and the IOS performs the prioritization for you automatically.

Low Latency Queuing


Low latency queuing (LLQ) uses two forms of queuing: PQ and CB-WFQ. The first thing that LLQ checks is whether the egress traffic is classified as high priority. You can reserve either a percentage of bandwidth or a fixed amount of bandwidth for the high-priority queue. If the traffic is high priority, it is processed first. Otherwise, CB-WFQ is used to process the traffic. One advantage that LLQ has over WFQ or CB-WFQ is that you specify which traffic is classified as high priority, and it is always given preference over the other types of traffic, so its configured bandwidth allocation is met. The priority queue is also policed to that allocation during congestion, so a misbehaving high-priority class cannot starve the CB-WFQ classes the way the high queue in PQ can.
LLQ uses a combination of PQ and CB-WFQ. The PQ has the highest priority and is processed first. All other traffic is processed using CB-WFQ.

Real-Time Transport Protocol Priority Queuing


RTP, which runs over UDP, is used to provide transport services for voice and video information. Cisco supports a queuing method called real-time transport protocol priority queuing (RTP-PQ), which provides a strict prioritization scheme for delay-sensitive traffic. Delay-sensitive traffic is given higher priority and is processed before the other queues. This queuing scheme is normally used on WAN connections.
In RTP-PQ, there are four queues, just as in PQ. The highest-priority queue, voice, is always processed first. This is the first queue. The IOS looks at the UDP port numbers (the configured RTP port range) to determine whether traffic should be placed in this queue. Data is typically placed in the other three queues. These queues use either the CB-WFQ or WFQ method to process and dispatch packets from the queue. If packets are classified using an IP precedence value, queuing is processed based on class structures. Data with an IP precedence value of 4 is placed in the second queue, which is sometimes referred to as the high data queue. An IP precedence value of 2 means the data is placed in the third queue, which is sometimes referred to as the medium data queue. Data with an IP precedence value of 0 is placed in the fourth queue, which is sometimes referred to as the low data queue. If the IP precedence value is not used (all packets have this value set to 0), normal WFQ is used.

Weighted Round-Robin Queuing


Weighted round-robin queuing (WRRQ) is a queuing solution used on the egress ports of Layer 3 switches, such as the Catalyst 3550. Like RTP-PQ, WRRQ has four queues, and traffic is placed in the queues based on its IP precedence value. Each queue is assigned a weight value. Whenever congestion occurs in the egress direction of the port, the weight value is used to service the queues. Higher-priority queues (more weight) are given preference over lower-priority queues (less weight); however, no queue is ever starved. In other words, all queues get at least some bandwidth, but the higher-priority queues get more bandwidth than lower-priority queues. This is somewhat similar to CQ.
One option that you can specify in WRRQ is an expedite queue, which performs a similar function to the high queue in PQ. With this enabled, the expedite queue's traffic is always processed first and the other queues are processed in a round-robin fashion. In a sense, this is a combination of PQ and CQ: PQ for the expedite queue and CQ on the remaining three queues. Like WFQ for routers, WRRQ is automatically enabled in the egress direction on Cisco's Layer 3 switches.
WRRQ is the default queuing method on egress interfaces for Layer 3 Catalyst switches.

Avoiding Congestion
Congestion avoidance is a QoS technique that deliberately drops packets, but it presumes that dropping certain packets will not cause problems for the connections on which the packets were dropped and that the drops will reduce congestion before it gets worse. This section covers three types of congestion avoidance techniques.


Tail Dropping
Tail dropping is one of the most common forms of dealing with congestion during egress queuing. When queuing up packets during a period of heavy congestion, the queue fills up at some point, leaving no room for more packets. From then on, any newly arriving packets for the egress queue are dropped. With tail dropping, all traffic is treated equally. In other words, the IOS doesn't look at whether this is UDP or TCP traffic, or data or voice. This can be detrimental for TCP-based connections because dropping one packet from a connection can cause the retransmission of multiple packets. In a network that heavily utilizes TCP, using tail dropping can actually create more congestion than it reduces.
Tail dropping has the following problems:
- Tail dropping doesn't differentiate between different traffic types. When congestion occurs and dropping begins, delay- and jitter-sensitive applications will suffer.
- For TCP connections, tail dropping causes both dropped and already-received packets to be re-sent, creating inefficient bandwidth utilization.
- If tail dropping occurs across many TCP connections and these TCP connections resend their packets at the same time, it can create an additional burst of congestion (TCP global synchronization).
- TCP has a poor feedback mechanism: without selective acknowledgment it doesn't retransmit only the dropped packets; it retransmits packets based on the negotiated window size.
However, the main advantage of using the tail dropping method is that it requires very little processing on the device to drop the packets or frames. Tail dropping is typically used in environments where congestion is minimal or nonexistent, or where the dropping of packets or frames is acceptable and won't cause major disruptions for connections. As an example, you might have a large number of file transfers that are not time-sensitive. Dropping packets from these connections, which would cause retransmissions, won't be an issue (assuming that most of the packets are successfully transmitted).
If you're using WFQ when congestion occurs, WFQ uses a more intelligent mechanism to deal with the dropping of packets: the congestive discard threshold (CDT). CDT weights dropping: when the threshold is reached, WFQ drops packets from the conversations using the most buffer space (the high-bandwidth, aggressive flows) before it drops those using little bandwidth. However, the main downside of WFQ and CDT is that they don't scale to the traffic volumes found at the distribution and core layers.


Random Early Detection


With tail dropping, dropping occurs only when the egress queue is full, and all traffic trying to enter the queue is dropped; no preference is given to dropping one type over another. Random early detection (RED) is a mechanism that handles congestion somewhat better than tail dropping. With RED, a threshold is assigned to the queue. When this threshold is reached, traffic being placed into the queue is randomly dropped; some traffic is allowed to enter the queue and other traffic is dropped. RED, therefore, tries to deal with congestion before the queue is filled up and everything has to be dropped.
However, RED has one main problem: it doesn't look at the class of traffic (CoS or IP precedence) when dropping traffic; it just randomly drops certain packets. RED relies on senders slowing down in response to loss: if RED were dropping only TCP traffic, congestion could typically be averted before it gets worse, because TCP backs off. Because RED doesn't look at the type of traffic it is dropping, it also discards packets from UDP voice and video flows, which do not back off, so it creates problems for those applications without reducing their load.

Weighted Random Early Detection


Weighted random early detection (WRED) is an extension of RED. Like RED, the egress queues have a threshold assigned to them, and when the threshold is reached, packets are randomly dropped. However, WRED is more selective about which packets are candidates for random dropping. WRED, unlike RED, is CoS-aware. When a queue threshold is reached, WRED drops packets based on their CoS values. In the example configuration described here, packets with a CoS value of 0 or 1 are mapped to threshold 1, set at 50%. When the queue reaches 50% full, WRED begins to randomly drop packets with a CoS value of 0 or 1. The second threshold, 2, is set at 80% and causes WRED to start dropping packets with a CoS value of 2 or 3 only when 80% of the buffer is filled. Given this scheme, packets with a low priority (CoS 0 or 1) are dropped before higher-priority traffic.
WRED is used to avoid congestion. It does this by examining CoS information and dropping packets when traffic for a specified CoS reaches its configured threshold. This is done to reduce the likelihood that upcoming congestion will cause problems with important applications or data.
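The following added Python model shows why the class-aware thresholds matter; it is my illustration, not code from the book or from a Cisco switch. It uses the two thresholds from the text (CoS 0 and 1 at 50%, CoS 2 and 3 at 80%) and assumes a linear drop-probability ramp from the threshold up to a full queue, which is an assumption for the demonstration rather than the switch's exact drop curve. The constructed load mixes CoS 0, 2 and 5 packets and drains the queue slightly slower than it fills, so the queue creeps toward full; the early drops of CoS 0 hold the depth down, and the higher classes are never dropped.

```python
import random

# Per-CoS thresholds as a fraction of queue depth, following the text's example:
# CoS 0-1 start dropping at 50%, CoS 2-3 at 80%. CoS values absent from the
# table (4-7 here) are never dropped early, only when the queue is full.
WRED_THRESHOLDS = {0: 0.5, 1: 0.5, 2: 0.8, 3: 0.8}


class WredQueue:
    """Single egress queue with CoS-aware random early detection."""

    def __init__(self, capacity, thresholds=WRED_THRESHOLDS, rng=None):
        self.capacity = capacity
        self.thresholds = thresholds
        # rng returns a uniform [0, 1) number; seeded so runs are reproducible
        self.rng = rng or random.Random(7).random
        self.packets = []

    def drop_probability(self, cos):
        """0 below the class threshold, ramping linearly to 1 at a full queue
        (assumed curve). A full queue tail-drops every class."""
        depth = len(self.packets) / self.capacity
        if depth >= 1.0:
            return 1.0
        thr = self.thresholds.get(cos)
        if thr is None or depth < thr:
            return 0.0
        return (depth - thr) / (1.0 - thr)

    def offer(self, cos):
        """Enqueue a packet of the given CoS, or drop it; True if it was queued."""
        if self.rng() < self.drop_probability(cos):
            return False
        self.packets.append(cos)
        return True

    def dequeue(self):
        return self.packets.pop(0) if self.packets else None


def simulate(arrivals=300, capacity=50, rng=None):
    """Constructed load: packets of CoS 0, 2 and 5 arrive round-robin, and the
    link drains two packets for every three that arrive, so the queue slowly
    fills. Returns drops per CoS and the final queue depth."""
    q = WredQueue(capacity, rng=rng)
    drops = {0: 0, 2: 0, 5: 0}
    for i in range(arrivals):
        cos = (0, 2, 5)[i % 3]
        if not q.offer(cos):
            drops[cos] += 1
        if i % 3 != 2:
            q.dequeue()
    return {"drops": drops, "depth": len(q.packets)}


if __name__ == "__main__":
    print(simulate())
```

Passing `rng=lambda: 0.5` makes the run deterministic (a packet is dropped only once its probability exceeds 0.5) and shows the stabilizing effect clearly: the queue settles at 38 of 50 entries, every CoS 0 packet from that point on is dropped, and no CoS 2 or CoS 5 packet is ever lost. With the seeded random generator the queue climbs higher and some CoS 2 packets are dropped too, but CoS 0 still takes the bulk of the loss.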

Conditioning Traffic
There are two basic methods to conditioning traffic: policing and shaping.
Both methods are used to limit the rate of traffic leaving an interface. These
methods are typically used in WAN environments, such as ATM or Frame
Relay, where the virtual circuits are guaranteed only a certain amount of
bandwidth inside the carrier's network. To enforce a rate limit on the interface, the IOS has to measure (meter) the traffic rate. It then enforces rates by comparing traffic to the limits assigned to it. The IOS handles this process by using tokens and buckets.
Of the two methods, policing is the simplest to implement. In policing, if traffic exceeds its assigned rate limit, the IOS either drops or re-marks the offending traffic. As an example, a certain type of traffic, such as FTP, might be assigned a bandwidth limit of 1Mbps. With policing, any traffic sent beyond the limit is either dropped or marked as low priority. This process requires few resources on the IOS device because the device doesn't need to use memory to buffer traffic. However, policing can cause problems with connection-oriented protocols such as TCP, because every drop triggers retransmissions and a window reduction. There are two policing methods the IOS uses:
- Class-based policing
- Committed access rate (CAR)

Shaping, on the other hand, buffers traffic that exceeds its assigned rate limit and transmits the traffic when bandwidth is available. Because shaping buffers traffic, it requires more resources on the device. However, shaping is more user-friendly to traffic than policing because it doesn't drop traffic unless its buffer is filled up. During this buffering period, the traffic is delayed. Therefore, shaping is not typically used for voice or video traffic because a delay occurs. In addition, the delay can lead to jitter, which creates problems for voice and video. Shaping is best used for data types that don't react to data loss very well, such as TCP and other connection-oriented protocols. There are three shaping methods used by the IOS:
- Class-based shaping
- Frame Relay traffic shaping
- Generic traffic shaping
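To show the trade-off between the two conditioners in working code, here is an added Python model of a single-rate token bucket driven first as a policer and then as a shaper; it is my illustration, not code from the book or from IOS. The contract values (8 kbps committed rate, 1500-byte burst) and the four-packet burst of 1000-byte packets are assumptions constructed for the example. The policer lets the burst's first packet through and declares the rest exceeding, with no delay; the shaper sends all four but the last one leaves 2.5 seconds after it arrived, which is the delay and jitter the text warns about for voice and video.

```python
def token_bucket_police(packets, cir_bps, bc_bytes):
    """Single-rate policer. A bucket holding at most bc_bytes tokens refills at
    cir_bps; a packet that fits in the bucket conforms, anything else exceeds
    (to be dropped or re-marked). Nothing is buffered, so no delay is added.
    packets: list of (arrival_time_s, size_bytes) in arrival order.
    Returns (arrival_time, size, action) per packet."""
    rate = cir_bps / 8.0                # tokens (bytes) earned per second
    tokens, last = float(bc_bytes), 0.0
    result = []
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * rate)
        last = t
        if size <= tokens:
            tokens -= size
            result.append((t, size, "conform"))
        else:
            result.append((t, size, "exceed"))  # drop, or mark down to a lower class
    return result


def token_bucket_shape(packets, cir_bps, bc_bytes):
    """Single-rate shaper over the same bucket. Instead of discarding an
    exceeding packet, it is held (FIFO) until enough tokens have accrued, so
    every packet is sent, but later than it arrived.
    Returns (arrival_time, send_time, size) per packet."""
    rate = cir_bps / 8.0
    tokens, clock = float(bc_bytes), 0.0  # clock: when the last packet left
    result = []
    for t, size in packets:
        now = max(t, clock)               # FIFO: cannot overtake the packet ahead
        tokens = min(bc_bytes, tokens + (now - clock) * rate)
        if size <= tokens:
            send_at, tokens = now, tokens - size
        else:
            send_at = now + (size - tokens) / rate  # wait out the shortfall
            tokens = 0.0
        clock = send_at
        result.append((t, send_at, size))
    return result


# Constructed sample: four 1000-byte packets arriving together on a link whose
# contract is 8 kbps (1000 bytes/s) with a 1500-byte committed burst.
BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000)]


def compare(packets=BURST, cir_bps=8000, bc_bytes=1500):
    """Run the same burst through both conditioners."""
    policed = [action for _, _, action in token_bucket_police(packets, cir_bps, bc_bytes)]
    delays = [round(send - t, 3) for t, send, _ in token_bucket_shape(packets, cir_bps, bc_bytes)]
    return {"police": policed, "shape_delay_s": delays}


if __name__ == "__main__":
    print(compare())
```

The same packets spaced one second apart all conform, because the bucket refills 1000 bytes between arrivals; the contract is about sustained rate plus a bounded burst, not about individual packets.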

Increasing Link Efficiency


One of the main issues with QoS is that it doesn't create more bandwidth for your network. Instead, it uses your bandwidth more efficiently. If you need more bandwidth, you essentially have two options: install faster links or use compression or link efficiency mechanisms.
Compression is really a short-term solution, especially if your bandwidth needs are growing steadily. Compression is a CPU-intensive process and adds processing delay to each packet. However, because the resulting packets are smaller, the serialization delay is reduced. There are three types of compression or link efficiency methods:
- Header compression
- Payload compression
- Link fragmentation and interleaving (LFI)

Header compression compresses the headers of data. The Layer 2 frame header can't be compressed, because the receiving device must read it to recognize the frame and its encapsulation. Instead, header compression works on the Layer 3 and Layer 4 headers of a flow, such as the IP/TCP header or the IP/UDP/RTP headers, replacing the fields that do not change from packet to packet with a small per-flow identifier. Because the next hop must restore the headers before it can route the packet, header compression is performed on a hop-by-hop basis, not for the entire connection. The IETF has standardized two header compression methods:
- TCP header compression uses the Van Jacobson compression algorithm (RFC 1144) to compress the TCP/IP header of a packet.
- RTP header compression (cRTP, RFC 2508) compresses the IP, UDP, and RTP headers for multimedia connections, such as voice or video.
Payload compression compresses the payload, or data, and leaves the headers intact. This compression can occur at Layer 3 or Layer 2. At Layer 3, the IP Payload Compression Protocol (IPComp, RFC 3173) is typically used. It compresses everything but the IP header.
At Layer 2, the encapsulated packet (or payload) is compressed, leaving the frame header uncompressed. Cisco supports three compression algorithms for link compression: STAC (Stacker), Predictor, and Microsoft's Point-to-Point Compression (MPPC).
LFI fragments Layer 2 frames into small, equal-sized pieces and transmits these fragments interleaved with other traffic across the link. The advantage of this approach is that a small voice packet no longer has to wait behind an entire large data frame, so each packet waits a smaller amount of time while being queued, thereby reducing delay and jitter. The downside of fragmentation is that the remote site must reassemble the fragments into a frame. Cisco supports the following LFI solutions: PPP Multilink's interleaving (MLP LFI), FRF.11 Annex C for voice over Frame Relay, and FRF.12 LFI for data connections.

Campus QoS
Now that you have a better understanding of QoS, lets take a look at where
QoS should be implemented in a campus network: access, distribution,
and core.
At the access layer, switches are the typical devices connected to end users.
Switches provide segmentation through the use of VLANs, and switches can assign CoS values, at Layer 2, to ingress frames. If the access layer device is a router, it can also mark DSCP information in the IP packet header.
The distribution layer typically contains Layer 3 devices. This is where most of your QoS setup occurs. Here is where you enable QoS, set up a CoS-to-DSCP table to correctly map Layer 2 QoS information into the IP ToS field, and configure policies that classify any traffic not already marked by your access layer devices. The access layer, the distribution layer, or both layers are responsible for the following QoS functions:
- Classifying packets based on configured policies
- Admitting and managing connections
- Managing QoS configuration
The function of the core layer is to not classify or mark any traffic; this
should already have been done at either the access or distribution layer. The
core layer should instead enforce QoS policies. With a high-speed backbone,
this should be a moot point. In most instances, low-latency queuing is used
to process egress traffic. The core and the distribution layers are responsible
for managing and avoiding congestion.
Classification and marking should occur as close to the source as possible, which is
typically the access layer.

QoS Configuration and Verification


This section covers the configuration of some of the QoS methods mentioned earlier in this chapter. It's important to point out that the configuration and verification coverage in this section covers only the basics; there is much more to QoS configuration than what is in this book.

Modular QoS CLI


Modular QoS CLI (MQC) is the term Cisco uses for the framework used to configure QoS on an IOS device. MQC is used to create your QoS traffic policies and then to associate these policies with the device's interface(s). Each QoS configuration you build has three components: a traffic class (a class map) that classifies, or groups, traffic; a traffic policy (a policy map) that defines how each class should be processed; and a service policy that attaches the policy map to an interface in a given direction.


Creating Classes
When dealing with MQC, one of the first things you do is define what traffic
is to be grouped together within a class. Here are the commands youll use:
Switch(config)# class-map class_map_name [match-all|match-any]
Switch(config-cmap)# match access-group ACL_#|name ACL_name
Switch(config-cmap)# match input-interface interface_name
Switch(config-cmap)# match protocol protocol_name

The class-map command associates a grouping of match commands that group specified traffic together into a single class. The match-all parameter says that for traffic to be included, the traffic must match all match statements in the class. The match-any parameter says that traffic has to match only one match statement to be included in the class. match-all is the default.
I've listed three common match commands in the preceding code listing. Please note that there are many parameters that you can match on with the match command that I haven't included (such as cos, ip precedence, and dscp, to name a few). The match access-group command enables you to specify the number or name of an ACL, including traffic that matches permit statements in the ACL. The match input-interface command specifies the name and number of the interface that traffic is received on; any traffic received on this interface is included in the class. The match protocol command specifies a particular protocol to include in the class.
Network-Based Application Recognition (NBAR) extends the match protocol command. NBAR works with QoS features to ensure that traffic receives a guaranteed amount of bandwidth, doesn't exceed bandwidth limits (by shaping it), and is marked with the appropriate QoS information. New classifications with NBAR include the following, which provide a lot of additional grouping flexibility:
- Classifying applications that use dynamic TCP or UDP port numbers
- Classifying Citrix ICA traffic
- Classifying application traffic that uses subport information
- Classifying HTTP traffic by URL, host, or MIME type

Creating Policies
The second thing you do when configuring MQC is to define your traffic
policies. This is done with the policy-map command:
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# bandwidth Kbps_value
Switch(config-pmap-c)# queue-limit #_of_packets


The policy-map command creates your policies. The class command within the policy configuration specifies the name of the class of traffic that should be processed by this policy (created with the class-map command). This takes you into a subconfiguration mode in which you can reserve a minimum amount of bandwidth (bandwidth, in Kbps) for the class during congestion and set the number of packets the class may hold in its queue (queue-limit). You can include multiple classes in the same policy map; they are evaluated top-down, the first matching class wins, and any unmatched traffic falls into the implicit class-default. Please note that there are additional policy commands that you can use for your included classes. Listing 9.1 shows a simple example.
Listing 9.1 A Policy Map Example
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# class-map map-one match-all
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# policy-map policy-one
Switch(config-pmap)# class map-one
Switch(config-pmap-c)# bandwidth 1000
Switch(config-pmap-c)# queue-limit 150

In this example, any traffic sourced from 192.168.1.0/24 is associated with a class map called map-one. That class is then associated with a policy, called policy-one, that guarantees the traffic 1000 Kbps (1Mbps) during congestion and limits its queue to 150 packets.
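Because the real switch is the only thing that can evaluate these commands, here is an added Python model of the classification logic they express; it is my illustration, not code from the book or from IOS. It models the match-all and match-any semantics of a class map, a standard ACL as a list of permitted source networks (an ACL with no permit hit is an implicit deny, so the class does not match), and the top-down, first-match evaluation of a policy map with class-default as the catch-all. The policy reproduces map-one from Listing 9.1 and map-two from Listing 9.3 and adds an assumed third class, map-three, with two match statements, to show where match-all and match-any diverge; the action values and sample packets are constructed for the example.

```python
import ipaddress


def access_group(*networks):
    """match access-group: a standard ACL whose permit entries cover these
    source networks (the only ACL semantics modelled here)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return lambda pkt: any(ipaddress.ip_address(pkt["src"]) in n for n in nets)


def input_interface(name):
    """match input-interface: the packet arrived on this interface."""
    return lambda pkt: pkt["in_if"] == name


def protocol(name):
    """match protocol: the packet carries this protocol."""
    return lambda pkt: pkt["proto"] == name


def class_map(name, mode, *matches):
    """mode is 'match-all' (every match statement must hit, the IOS default)
    or 'match-any' (one hit is enough)."""
    combine = all if mode == "match-all" else any
    return {"name": name, "matches": matches, "combine": combine}


def matches_class(cmap, pkt):
    return cmap["combine"](m(pkt) for m in cmap["matches"])


def classify(policy_map, pkt):
    """A policy map's classes are checked top-down; the first class whose class
    map matches wins, and unmatched traffic falls into class-default."""
    for cmap, actions in policy_map:
        if matches_class(cmap, pkt):
            return cmap["name"], actions
    return "class-default", {}


# Assumed policy: map-one and map-two follow Listings 9.1 and 9.3; map-three is
# an assumed match-all class needing both an ACL hit and a specific ingress port.
POLICY = [
    (class_map("map-one", "match-all", access_group("192.168.1.0/24")),
     {"bandwidth_kbps": 1000, "queue_limit": 150}),
    (class_map("map-two", "match-all", access_group("192.168.2.0/24")),
     {"set_cos": 1}),
    (class_map("map-three", "match-all", access_group("10.0.0.0/8"),
               input_interface("fastethernet0/1")),
     {"set_dscp": 26}),
]


def demo():
    """Constructed sample packets run through the policy; returns the class
    each one landed in."""
    pkts = {
        "lan1": {"src": "192.168.1.5", "in_if": "fastethernet0/1", "proto": "ip"},
        "lan2": {"src": "192.168.2.9", "in_if": "fastethernet0/2", "proto": "ip"},
        "wrong_if": {"src": "10.1.2.3", "in_if": "fastethernet0/2", "proto": "ip"},
        "other": {"src": "172.16.0.1", "in_if": "fastethernet0/1", "proto": "ip"},
    }
    return {k: classify(POLICY, p)[0] for k, p in pkts.items()}


if __name__ == "__main__":
    print(demo())
```

The "wrong_if" packet is the instructive case: it passes the ACL but arrives on the wrong port, so the match-all class map-three rejects it and it ends up in class-default; the same two statements in a match-any class map would have accepted it. Getting this mode wrong is a common way to unintentionally widen a class and hand a bandwidth guarantee or a priority marking to traffic that should not have it.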
Classification and marking are used to mark packets and/or frames with QoS prioritization information. At Layer 2, CoS information is included. With IP, the ToS field is marked using either IP precedence or DSCP. This process is sometimes referred to as coloring. Listing 9.2 shows the configuration performed within your policy map.
Listing 9.2 Policy Map Configuration
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# set cos cos_value
Switch(config-pmap-c)# set ip precedence precedence_value
Switch(config-pmap-c)# set dscp DSCP_value

If you don't use the set commands, no traffic is marked as it exits an interface. Listing 9.3 shows a simple example.
Listing 9.3 A Coloring Example
Switch(config)# access-list 2 permit 192.168.2.0 0.0.0.255
Switch(config)# class-map map-two match-all
Switch(config-cmap)# match access-group 2
Switch(config-cmap)# exit
Switch(config)# policy-map policy-two
Switch(config-pmap)# class map-two
Switch(config-pmap-c)# set cos 1

In this example, any traffic sourced from 192.168.2.0/24 is associated with a class map called map-two. That class is then referenced from a policy, called policy-two, that marks this traffic with a CoS value of 1. Note that the set command must be entered under the class within the policy map; it is the class, not the policy map as a whole, that carries the action.

Activating Policies
After youve created your classes and associated them with a policy map, you
need to activate your policy map on an interface:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# service-policy input|output policy_map_name

After you enter an interface, use the service-policy command to activate the policy map created with the policy-map command. Note that you specify the direction of the policy on the interface: inbound (input) or outbound (output). An interface accepts only one service policy per direction, so attaching a second input policy replaces the first rather than adding to it. To apply both the bandwidth guarantee and the marking from the previous section on the same interface, put both classes in one policy map and activate that:
Switch(config)# policy-map policy-one
Switch(config-pmap)# class map-two
Switch(config-pmap-c)# set cos 1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface fastethernet0/1
Switch(config-if)# service-policy input policy-one

By default, QoS is disabled on your switch. You can enable it with the following command:
Switch(config)# mls qos

When enabled, the default is to not trust any classifications or markings (CoS and DSCP) in frames or packets: an untrusted port rewrites the marking to the port default of 0, and your class maps and policy maps perform classification instead. You can enable the trust option on a port with the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# mls qos trust [dscp|cos]

If you don't specify any parameters, both DSCP and CoS parameters are examined. Please note that there are match commands within a class-map configuration that enable you to match on this kind of traffic. Trust only ports that face devices you control, such as IP phones or uplinks to other QoS-enabled switches; trusting a user-facing port lets any host mark its own traffic into the priority queue.
Given our previous configuration examples, here's how you would enable QoS:
Switch(config)# mls qos

Notice that because I didn't execute the mls qos trust command on fastethernet0/1, any QoS markings coming into this interface will be ignored and the policy and class maps I created earlier will be used instead.

Classification of traffic is done with the class-map commands. The policy-map commands associate your QoS parameters to your traffic classes. The service-policy
command activates your QoS policies on an interface. To enable QoS, use the mls
qos command.

Verifying the Configuration


When you've configured your classes and policies and activated your policies on your switch's interfaces, you can use various show commands to examine your configuration and operation. The show class-map command displays all class maps that you've created:
Switch# show class-map
Class Map match-any class1
Match access-group 101
Class Map match-all class2
Match protocol ip
Match input-interface Ethernet1/1

In this example, there are two class maps: class1 and class2. class1 includes all traffic specified by permit statements in ACL 101. class2 specifies that all IP traffic coming into Ethernet1/1 is included.
The show policy-map command displays all the policy maps that you've created:
Switch# show policy-map
Policy Map policy1
Weighted Fair Queueing
Class class1
Bandwidth 64 (kbps) Max thresh 64 (packets)
Class class2
Bandwidth 64 (kbps) Max thresh 64 (packets)

In this example, there is one policy map, policy1, on the switch. It uses WFQ for queuing and contains two classes. Each class is guaranteed 64Kbps of bandwidth and each is allowed to queue up to 64 packets. To see whether a policy map has been activated on an interface, and to read the per-class packet and byte counters that tell you whether traffic is actually hitting the class, use the show policy-map interface command:
Switch# show policy-map interface Ethernet1/1
Ethernet1/1
Service-policy output: policy1
Class-map: class1 (match-any)
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group 101
<--output omitted-->


Queuing Methods
This section covers the configuration of six different queuing methods: WFQ, PQ, CQ, IP RTP-PQ, LLQ, and WRR. Please note that the configuration discussed here provides only the very basic information to set up these queuing methods.

Configuring WFQ
WFQ is the default queuing method on serial interfaces. WFQ breaks traffic streams into conversations of two types: low volume (such as telnets) and
high volume (such as file transfers). It gives preference to the low volume
over high volume. But within a conversation type, such as two file transfers,
WFQ uses a round-robin and treats the streams equally. WFQ dispatches
information based on conversations.
WFQ is the default queuing method on routers with a serial interface at E1 (2.048Mbps) speeds or less. You don't need to do anything to enable it, but you can change the threshold at which WFQ begins dropping packets.
The default congestive discard threshold for WFQ is 64 packets. This threshold is the number of packets that may be queued for a single conversation. A conversation is essentially a single connection. If a conversation reaches this limit, the conversation's newly arriving packets are dropped. This threshold ensures that one conversation doesn't hog all the buffer space. The threshold is changed with the fair-queue interface command (not priority-group, which activates priority queuing and would replace WFQ on the interface):
Router(config)# interface type slot_#/port_#
Router(config-if)# fair-queue congestive_discard_threshold

The threshold must be a power of 2 from 16 to 4096, where 64 is the default.
Router(config)# interface serial0
Router(config-if)# fair-queue 128

In this example, the router's WFQ congestive discard threshold is set to 128 packets for serial0.
To verify queuing on your interfaces, you can use either the show interfaces or the show queueing fair command. Notice that IOS spells it queueing, with an extra e; this is the correct spelling of the command.
WFQ is the default queueing method on serial interfaces of routers with speeds of E1 or less. WFQ works by breaking up traffic into high and low priority conversations. The default congestive discard threshold is 64.


Configuring PQ
To prioritize your traffic for PQ, use priority-list commands:
Router(config)# priority-list list_# protocol protocol_name high|medium|normal|low [additional_parameters]
Router(config)# priority-list list_# interface interface_name high|medium|normal|low

The first command specifies, by protocol, what information is placed into which queue: high, medium, normal, or low (remember that PQ has only four queues). For additional parameters, you can specify TCP or UDP as well as the port number, or you can specify an ACL.
The second command specifies that traffic arriving on the specified interface should be placed into the denoted queue. The entries of a list are processed top-down by the IOS, which places the traffic in the queue of the first matching entry. You can create up to 16 lists in IOS 11.x and later. Traffic not matched by any entry is placed into the normal queue.
The default size of the different queues for PQ, in packets, is as follows: high queue (20 packets), medium queue (40 packets), normal queue (60 packets), and low queue (80 packets). You can change this with the following command:
Router(config)# priority-list list_# queue-limit high_queue_packets medium_queue_packets normal_queue_packets low_queue_packets

Here's an example of changing the sizes:
Router(config)# priority-list 7 queue-limit 20 40 120 80

In this example, we've doubled the size of the normal queue and left the other three at their defaults.


When youve created your priority list, you need to activate it on one (or
more) of your interfaces:
Router(config)# interface type slot_#/port_#
Router(config-if)# priority-group list_#

After you do this, the router no longer uses WFQ on the interface, but uses
PQ instead.
Here is a simple example of a PQ configuration:
Router(config)# priority-list 1 protocol appletalk high
Router(config)# priority-list 1 protocol ip normal
Router(config)# interface serial0
Router(config-if)# priority-group 1

In this example, a priority list was created placing AppleTalk traffic in the
high queue and IP traffic in the normal queue. The list was then activated on
the router's serial interface.


To verify queuing on your interfaces, you can use either the show interfaces or
the show queueing priority command.

PQ has four queues: high, medium, normal, and low. The high queue is guaranteed
to be serviced. Use the priority-list commands to specify what traffic goes into what
queue and activate the PQ list with the priority-group command.
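As an added illustration (not code from the book or from IOS), the following Python model reproduces the PQ behaviour described above: a priority list matched top-down with the normal queue as the default, per-queue packet limits with tail drop, and strict servicing of the high queue before the others. The protocol names, the Telnet entry and the packets are constructed samples.

```python
"""Model of IOS priority queuing (PQ): a priority list classifies packets
top-down into the high, medium, normal and low queues, and the scheduler
always services the highest non-empty queue first.  Added illustration in
Python, not IOS code.  Queue limits default to the 20/40/60/80 packets quoted
in the text; protocol names and packets below are constructed samples."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

QUEUES = ("high", "medium", "normal", "low")
DEFAULT_QUEUE_LIMIT = {"high": 20, "medium": 40, "normal": 60, "low": 80}


@dataclass(frozen=True)
class Packet:
    protocol: str               # e.g. "ip", "appletalk"
    l4: Optional[str] = None    # "tcp" or "udp" when the entry matches on a port
    port: Optional[int] = None  # destination port


@dataclass
class PriorityList:
    """Entries behave like 'priority-list N protocol <proto> <queue> [tcp|udp <port>]'."""
    entries: list = field(default_factory=list)

    def protocol(self, proto, queue, l4=None, port=None):
        if queue not in QUEUES:
            raise ValueError(f"unknown queue {queue!r}")
        self.entries.append((proto, l4, port, queue))
        return self

    def classify(self, pkt):
        # Entries are evaluated top-down; the first match wins.
        for proto, l4, port, queue in self.entries:
            if pkt.protocol != proto:
                continue
            if l4 is not None and (pkt.l4 != l4 or pkt.port != port):
                continue
            return queue
        return "normal"          # unmatched traffic goes to the normal queue


class PriorityQueuing:
    def __init__(self, plist, queue_limit=None):
        self.plist = plist
        self.queue_limit = dict(queue_limit or DEFAULT_QUEUE_LIMIT)
        self.queues = {q: deque() for q in QUEUES}
        self.drops = {q: 0 for q in QUEUES}

    def enqueue(self, pkt):
        """Returns the queue the packet landed in, or None if it was tail-dropped."""
        q = self.plist.classify(pkt)
        if len(self.queues[q]) >= self.queue_limit[q]:
            self.drops[q] += 1   # queue-limit reached for this queue
            return None
        self.queues[q].append(pkt)
        return q

    def dequeue(self):
        """Strict priority: the high queue is always serviced before the others."""
        for q in QUEUES:
            if self.queues[q]:
                return q, self.queues[q].popleft()
        return None

    def drain(self):
        """Service every queued packet; returns the order in which queues were served."""
        order = []
        while (item := self.dequeue()) is not None:
            order.append(item[0])
        return order


def demo():
    # priority-list 1 protocol appletalk high
    # priority-list 1 protocol ip low tcp 23      (Telnet; must precede the generic ip entry)
    # priority-list 1 protocol ip normal
    plist = (PriorityList()
             .protocol("appletalk", "high")
             .protocol("ip", "low", l4="tcp", port=23)
             .protocol("ip", "normal"))
    # priority-list 1 queue-limit 20 40 120 80 (normal queue doubled, as in the text)
    pq = PriorityQueuing(plist, {"high": 20, "medium": 40, "normal": 120, "low": 80})
    arrivals = [Packet("ip"), Packet("ip", "tcp", 23), Packet("appletalk"),
                Packet("ipx"), Packet("ip"), Packet("appletalk")]
    placed = [pq.enqueue(p) for p in arrivals]   # ipx matches nothing: normal queue
    return placed, pq.drain()


if __name__ == "__main__":
    print(demo())
```

Because servicing is strict, the low queue is only reached when the three queues above it are empty; a steady stream of high-queue traffic starves it, which is why PQ is reserved for small, well-bounded classes.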

Configuring CQ
To prioritize your traffic for CQ, use queue-list commands:
Router(config)# queue-list list_# protocol name_of_protocol
queue_# additional_parameters
Router(config)# queue-list list_# interface interface_name queue_#

The first command specifies, by protocol, what information is placed into
what queue. The second command does this on an interface-by-interface basis.
Please note that these commands are similar to the configuration of PQ.
Here's an example that places AppleTalk traffic in queue 1 and IP traffic in
queue 2:
Router(config)# queue-list 1 protocol appletalk 1
Router(config)# queue-list 1 protocol ip 2

The commands are processed top-down by the router, which places the traffic in the appropriate queue. You can create up to 16 lists in CQ. Unlike PQ,
there is no default queue in CQ. Traffic that is not specified for a certain
queue is dropped. However, you can create a default queue. To change the
default queue, use the following command:
Router(config)# queue-list list_# default queue_#

Given our previous example, all other traffic will be placed in queue 3:
Router(config)# queue-list 1 default 3

The default number of packets that a CQ queue can hold is 20. If you're
dropping packets, you want to increase that number with the following
command:
Router(config)# queue-list list_# queue queue_# limit #_of_packets

For our previous example, let's increase the size of the queue IP traffic is held
in, doubling its size:
Router(config)# queue-list 1 queue 2 limit 40


CQ processes queues in a round-robin fashion. When CQ is processing a
queue, it processes at least the number of bytes specified by the byte-count
threshold, assuming that there is enough traffic in the queue. It does not
fragment packets, but instead discards the whole packet. As an example, if the
threshold is 500 bytes and the packet in the queue is 600 bytes, CQ forwards
the entire packet. The default threshold is 1500 bytes. You can change this
with the following command:
Router(config)# queue-list list_# queue queue_# byte-count #_of_bytes

Given our previous example, let's double the threshold for AppleTalk traffic,
giving it preference over IP traffic:
Router(config)# queue-list 1 queue 1 byte-count 3000

Note that this is the command in which you can give larger or smaller
amounts of bandwidth to specific traffic types; it's not traffic shaping, but it
comes somewhat close to it.
After you've created your queue list for CQ, you need to activate it on one
(or more) of your interfaces:
Router(config)# interface type slot_#/port_#
Router(config-if)# custom-queue-list list_#

After you do this, the router no longer uses WFQ on the interface, but uses
CQ instead.
To complete our previous example of CQ list 1, here's how to activate it on
serial0:
Router(config)# interface serial0
Router(config-if)# custom-queue-list 1

To verify queuing on your interfaces, you can use either the show interfaces or
the show queueing custom command.

CQ has 16 queues that are processed in a round-robin fashion. Use the queue-list
command to configure CQ. You can give preference to a queue by specifying the
amount of traffic a queue can process with the byte-count parameter. Use the
custom-queue-list command to activate CQ.
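The following Python model is an added illustration (not book or IOS code) of the CQ behaviour described in this section: top-down classification with no default queue unless one is configured, the per-queue packet limit, and round-robin servicing in which a queue sends whole packets until at least its byte count has gone out. Packet sizes and protocol names are constructed.

```python
"""Model of IOS custom queuing (CQ), added here as an illustration (not IOS
code).  Traffic is classified top-down by queue-list entries; queues are then
visited round-robin, and on each visit a queue sends whole packets until at
least its byte-count threshold has gone out.  Packets are never fragmented, so
a 600-byte packet is sent in full against a 500-byte threshold.  Traffic that
matches no entry is dropped unless a default queue is set.  Protocol names and
packet sizes below are constructed samples."""
from collections import deque


class CustomQueuing:
    DEFAULT_BYTE_COUNT = 1500   # bytes per visit, the IOS default quoted above
    DEFAULT_LIMIT = 20          # packets per queue, the IOS default quoted above

    def __init__(self, queues=16):
        self.queues = {q: deque() for q in range(1, queues + 1)}
        self.byte_count = {q: self.DEFAULT_BYTE_COUNT for q in self.queues}
        self.limit = {q: self.DEFAULT_LIMIT for q in self.queues}
        self.rules = []              # (protocol, queue), matched top-down
        self.default_queue = None    # no default queue until 'default' is set
        self.dropped = []

    def _check(self, queue):
        if queue not in self.queues:
            raise ValueError(f"queue {queue} out of range 1-{len(self.queues)}")

    # queue-list N protocol <proto> <queue>
    def protocol(self, proto, queue):
        self._check(queue)
        self.rules.append((proto, queue))
        return self

    # queue-list N default <queue>
    def default(self, queue):
        self._check(queue)
        self.default_queue = queue
        return self

    # queue-list N queue <queue> byte-count <bytes>
    def set_byte_count(self, queue, nbytes):
        self._check(queue)
        self.byte_count[queue] = nbytes
        return self

    # queue-list N queue <queue> limit <packets>
    def set_limit(self, queue, packets):
        self._check(queue)
        self.limit[queue] = packets
        return self

    def classify(self, pkt):
        for proto, queue in self.rules:
            if pkt["proto"] == proto:
                return queue
        return self.default_queue    # None means "no queue": the packet is dropped

    def enqueue(self, pkt):
        """Returns the queue used, or None when the packet is dropped."""
        queue = self.classify(pkt)
        if queue is None or len(self.queues[queue]) >= self.limit[queue]:
            self.dropped.append(pkt)
            return None
        self.queues[queue].append(pkt)
        return queue

    def one_round(self):
        """One round-robin pass; returns [(queue, bytes sent)] for non-empty queues."""
        sent = []
        for queue, dq in self.queues.items():
            if not dq:
                continue
            total = 0
            while dq and total < self.byte_count[queue]:
                total += dq.popleft()["size"]   # whole packet: may overshoot the threshold
            sent.append((queue, total))
        return sent


def demo():
    # queue-list 1 protocol appletalk 1 / queue-list 1 protocol ip 2
    # queue-list 1 queue 1 byte-count 3000   (double the default: AppleTalk favoured)
    cq = CustomQueuing().protocol("appletalk", 1).protocol("ip", 2)
    cq.set_byte_count(1, 3000)
    for _ in range(10):
        cq.enqueue({"proto": "appletalk", "size": 600})
        cq.enqueue({"proto": "ip", "size": 600})
    cq.enqueue({"proto": "ipx", "size": 100})        # no default queue yet: dropped
    first_round = cq.one_round()                      # expect [(1, 3000), (2, 1800)]
    cq.default(3)                                     # queue-list 1 default 3
    ipx_queue = cq.enqueue({"proto": "ipx", "size": 100})   # now lands in queue 3
    return first_round, len(cq.dropped), ipx_queue


if __name__ == "__main__":
    print(demo())
```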

Configuring IP RTP-PQ
RTP handles real-time data streams, such as voice and video. RTP-PQ is a
combination of PQ and WFQ methods to handle the prioritization of RTP
traffic in a mixed-traffic network. RTP packet streams are given a strict priority over other types of packets. When the IOS processes the RTP-PQ


queue, all traffic in the RTP, or priority queue, is processed first. All other
traffic is processed using WFQ or CBWFQ, depending on what you have
enabled on the interface; these are the only other two queuing methods
supported with RTP-PQ. One nice feature of RTP-PQ is that this process
does not occur on the interface until the interface experiences congestion.
To configure RTP-PQ, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# ip rtp priority starting_port_# total_#_of_ports bandwidth
Switch(config-if)# max-reserved-bandwidth percentage

The ip rtp priority command specifies the starting port number of the RTP
application(s) and the total number of ports, beginning with the starting port
number, that should be included in the prioritization. This is followed by the
amount of total bandwidth, in Kbps, that is reserved for this RTP traffic on
the interface.
The total amount of bandwidth available to RTP-PQ, LLQ, and other types
of queuing cannot exceed 75% of the total bandwidth of the interface, by
default. This takes into account overhead such as the headers of IP, RTP, and
UDP. However, it doesn't take into account the Layer 2 overhead.
Therefore, if you're trying to squeeze as much bandwidth as possible from a
link, and you realize that you can get another 5% out of the link (perhaps
through compression or some other means), you can change the maximum
percentage with the max-reserved-bandwidth command. However, care must be
taken when changing this value: If you set it too high, you might be starving
other types of traffic, including control traffic.
Here's a simple example of prioritizing traffic for RealNetworks' RealPlayer
product:
Switch(config)# interface vlan 3
Switch(config-if)# ip rtp priority 6970 200 10000

In this example, RTP traffic (ports 6,970 to 7,170) for interface VLAN 3 is
reserved 10Mbps of bandwidth (10,000Kbps) if it needs it.
After youve configured RTP-PQ, you can examine the queuing configuration on your interface with the show queue command.

Configuring LLQ
Configuring LLQ is fairly simple: Its configuration is done within a policy
map, which was explained earlier. Here's the configuration for LLQ:
Switch(config)# policy-map policy_map_name
Switch(config-pmap)# class class_map_name
Switch(config-pmap-c)# priority BW_Kbps|percent percentage [burst_value]


As you can see from this example, LLQ configuration is done with the
priority command within the class configuration in the policy map. You have
two options for configuring the priority: maximum amount of bandwidth
allocated to the prioritized information, or a percentage of the total interface
bandwidth. You can optionally specify a burst value, which allows the prioritized traffic to burst up to this level temporarily. If you don't specify a burst
value, it defaults to one of the two configured values.
One interesting thing about this bandwidth allocation is that it applies only
during times of congestion. During congestion, traffic is processed up to the
configured level, and then temporarily up to the burst level. Traffic above
these levels is dropped. However, if no congestion is occurring on the interface, the prioritized traffic can exceed the configured parameters.
The priority command serves a similar function compared to the bandwidth
command. However, the bandwidth class command doesn't prioritize one type
of traffic over another. Within the class configuration, you can use either the
priority or bandwidth command, but not both. However, multiple classes can
use the priority command. In this situation, all the classes with a configured
priority are associated with the high priority queue; in other words, you
can't give different levels of priority to different classes of traffic. Listing 9.4
shows a simple example.
Listing 9.4 Using the priority Command
Switch(config)# access-list 3 permit 192.168.3.0 0.0.0.255
Switch(config)# class-map map-three match-all
Switch(config-cmap)# match access-group 3
Switch(config-cmap)# exit
Switch(config)# policy-map policy-three
Switch(config-pmap)# class map-three
Switch(config-pmap-c)# priority 10000

In this example, any traffic from 192.168.3.0 is associated with a class map
called map-three. That class is then associated with a policy, called policy-three, that gives this traffic 10Mbps of bandwidth over other types of traffic
that might be associated with policy map policy-three.
Use the priority command to enable a priority queue with LLQ.

Table 9.5 lists three show commands that you can use to verify your LLQ
configuration and operation.

Table 9.5 802.1P CoS Priorities
Command                 Explanation
show queue              Displays the queuing configuration and statistics for
                        queuing on the specified interface
show policy interface   Displays the class configurations for policy queuing on the
                        specified interface
show policy-map         Displays the configuration of all classes in your policy maps

Configuring WRRQ
WRRQ is the default queuing method used on Layer 3 Catalyst switches. To
use WRRQ, you must first enable QoS; by default, QoS is disabled on your
switch. Globally enable QoS with the mls qos command:
Switch(config)# mls qos

When QoS is enabled, you're ready to configure WRRQ. Listing 9.5 shows
WRRQ's configuration done at the interface level.
Listing 9.5 Configuring WRRQ
Switch(config)# interface type slot_#/port_#
Switch(config-if)# wrr-queue random-detect max-threshold queue_#
threshold-percentage1 threshold-percentage2
Switch(config-if)# wrr-queue cos-map queue_# COS_value1 COS_value2...COS_value_8
Switch(config-if)# priority-queue out
Switch(config-if)# wrr-queue bandwidth queue_1_weight queue_2_weight
queue_3_weight queue_4_weight
Switch(config-if)# wrr-queue queue-limit weight1 weight2 weight3 weight4

The wrr-queue random-detect max-threshold command enables WRRQ on the
switch's interface. You can specify a threshold value for each queue. There
are two threshold values: 1 and 2. Value 1 must be less than value 2. Any time
queue space is filled between the percentages of value 1 and value 2, tail
dropping occurs. For example, if you have 50 and 100 as threshold values for
queue 2, WRRQ starts dropping traffic for queue 2 when the queue is filled
between 50-100% capacity. You typically want to leave the second threshold
at 100%. The default thresholds are listed in Table 9.6.
Table 9.6 WRRQ Thresholds
Queue Number   Minimum Threshold   Maximum Threshold
1              50                  100
2              70                  100
3              50                  100
4              70                  100


The wrr-queue cos-map command assigns a COS to one of the four queues
used by WRRQ. Queue numbers can range from 1-4. By default, queue 4
is the expedite (high priority) queue and COS 6-7 are assigned to it. COS
4-5 are assigned to queue 3, COS 2-3 are assigned to queue 2, and COS 0-1
are assigned to queue 1.
Please note that you do not have to use all four queues. By default, the expedite queue is disabled. You can enable it with the priority-queue out command.
The wrr-queue bandwidth command enables you to change the weights of the
four queues. The weights are used to determine the ratio of the frequency of
how often each queue is serviced. By default, each weight is set to 25, meaning that each queue gets 1/4 of the bandwidth. The exception to this is when
the expedite queue is enabled. In that case, the expedite queue is always emptied before the other three queues are processed.
The wrr-queue queue-limit command specifies the amount of buffer space
assigned to each of the four queues. The weight value specifies the ratio of
queue space assigned to the queue when compared to all four weights. The
weight value is between 1-100. By default, all four queues have a weight of
25, which means that each queue gets 25% of the queue space. Listing 9.6
shows a simple example.
Listing 9.6 Assigning Buffer Space
Switch(config)# mls qos
Switch(config)# interface gigabit0/1
Switch(config-if)# wrr-queue cos-map 1 6 7
Switch(config-if)# wrr-queue cos-map 2 4 5
Switch(config-if)# wrr-queue cos-map 3 2 3
Switch(config-if)# wrr-queue cos-map 4 0 1

In this example, queue 1 has COS 6 and 7 traffic placed in it; queue 2 has
COS 4 and 5; queue 3 has COS 2 and 3; and queue 4 has COS 0 and 1.
Use the show mls qos interface command to view your WRRQ configuration
and operation.

Congestion Avoidance Methods: WRED


The IOS can use WRED to implement congestion avoidance. WRED uses
both RED and IP precedence to prioritize traffic and discard low priority
traffic when congestion begins. WRED is different from queueing in that
WRED attempts to determine when congestion begins and then begins
dropping low priority traffic.


The configuration of WRED is done on the switch's interface:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# random-detect [dscp-based|prec-based]
Switch(config-if)# random-detect dscp dscp_value min_threshold max_threshold

By default, WRED is disabled on the switch's interfaces. It is enabled with
the random-detect command. Without any parameters, the random-detect command enables WRED and causes it to use the IP precedence value when performing congestion avoidance (this is the optional prec-based parameter).
You can optionally override this and have WRED use the DSCP value when
performing congestion avoidance by specifying the dscp-based parameter.
The random-detect dscp command specifies the congestion avoidance behavior based on the type of traffic. The DSCP value specifies the type of traffic
and can be specified by either a number (0-63) or a name (af11, af12, af13,
af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7).
The minimum threshold value for the specified DSCP traffic denotes when
WRED will begin randomly dropping packets. When the average queue
length reaches this threshold, WRED begins to drop packets. When the
average queue length reaches the maximum threshold, WRED drops all
packets (of the DSCP type) that exceed the threshold.
Here's a simple example:
Switch(config)# interface vlan 3
Switch(config-if)# random-detect prec-based

In this example, WRED is enabled on interface VLAN 3 and uses the IP
precedence value when performing congestion avoidance.
Use the show queueing interface command to verify your WRED
configuration.
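As an added illustration (not book or IOS code), this Python model applies the WRED thresholds described above to an average queue length: nothing is dropped below the minimum threshold, everything at or above the maximum, and a linearly increasing probability in between (the standard RED ramp, assumed here since the text only says "randomly"). The EWMA weight, the mark-probability denominator of 10 and the queue-depth traces are constructed values, not defaults taken from the page.

```python
"""WRED drop decision per DSCP class, modelled on the min/max thresholds
described above.  Added illustration, not IOS code.  Below min_threshold no
packet is dropped; at or above max_threshold every packet of that class is
dropped; in between the drop probability ramps linearly up to max_p (the usual
RED ramp, assumed here).  The average queue length is an exponentially
weighted moving average (EWMA) of the instantaneous depth.  The EWMA weight,
the mark-probability denominator and the traces are constructed values."""
import random


class Wred:
    def __init__(self, ewma_weight=1 / 512, mark_prob_denominator=10):
        self.avg = 0.0                      # average queue length, in packets
        self.w = ewma_weight
        self.max_p = 1.0 / mark_prob_denominator   # drop probability reached at max_threshold
        self.profiles = {}                  # dscp -> (min_threshold, max_threshold)

    # random-detect dscp <dscp> <min_threshold> <max_threshold>
    def random_detect_dscp(self, dscp, min_th, max_th):
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP must be 0-63")
        if not 0 < min_th < max_th:
            raise ValueError("need 0 < min_threshold < max_threshold")
        self.profiles[dscp] = (min_th, max_th)
        return self

    def update_average(self, current_len):
        """Fold the current queue depth into the EWMA; called once per arrival."""
        self.avg = (1 - self.w) * self.avg + self.w * current_len
        return self.avg

    def drop_probability(self, dscp):
        if dscp not in self.profiles:
            return 0.0                      # class without a profile: not subject to WRED here
        min_th, max_th = self.profiles[dscp]
        if self.avg < min_th:
            return 0.0                      # below the minimum threshold: never drop
        if self.avg >= max_th:
            return 1.0                      # at or above the maximum: drop everything
        return self.max_p * (self.avg - min_th) / (max_th - min_th)

    def should_drop(self, dscp, rng=random):
        p = self.drop_probability(dscp)
        return p >= 1.0 or (p > 0.0 and rng.random() < p)


def simulate(trace, dscp, wred, seed=1):
    """Feed a constructed queue-depth trace through WRED for one DSCP class.
    Returns (dropped, accepted) counts; the seed makes the random ramp repeatable."""
    rng = random.Random(seed)
    dropped = accepted = 0
    for depth in trace:
        wred.update_average(depth)
        if wred.should_drop(dscp, rng):
            dropped += 1
        else:
            accepted += 1
    return dropped, accepted


def demo():
    # random-detect dscp 10 20 40  (af11)   random-detect dscp 46 36 40  (a higher class)
    wred = Wred(ewma_weight=0.5).random_detect_dscp(10, 20, 40).random_detect_dscp(46, 36, 40)
    congested = simulate([100] * 5, 10, wred)          # average jumps past max: all dropped
    wred = Wred(ewma_weight=0.5).random_detect_dscp(10, 20, 40).random_detect_dscp(46, 36, 40)
    idle = simulate([10] * 5, 10, wred)                # average stays below min: none dropped
    return congested, idle


if __name__ == "__main__":
    print(demo())
```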

debug Commands
There are many debug commands that you can use to troubleshoot your QoS
configuration and operation. However, I'm only mentioning two of the more
important ones. The debug ip rsvp command debugs RSVP QoS. You must
be very careful with this command because it can be very resource-intensive.
The debug priority command displays information about priority queuing. It
displays priority queuing operations, in a real-time fashion, including what
traffic is placed in what queue and when that traffic gets serviced.
There are many, many other commands that you can use to troubleshoot
QoS, but these commands are beyond the scope of this book. See the Need
to Know More? section at the end of this chapter for a reference to Ciscos
site on debug commands.

Use the debug priority command to troubleshoot PQ.

Summary
IP telephony is one of the three components of Cisco's AVVID framework.
When implementing an IP telephony solution, you must consider network
management, high availability, security, and QoS. QoS can guarantee necessary bandwidth and acceptable delay, jitter, and packet loss. For VoIP traffic,
packet loss should be less than 1%, one-way delay less than 60ms per leg, and
jitter less than 20ms. QoS does this through prioritization. Voice and video,
transactional applications, and data transfers are typically prioritized as listed.
QoS includes classification, marking, forwarding, policing, queuing, scheduling, shaping, and dropping of traffic. FIFO lacks QoS. IntServ provides
QoS on a connection-by-connection basis, whereas DiffServ provides QoS
on a hop-by-hop basis. DiffServ uses CoS with IEEE 802.1Q/P frames and
either DSCP or IP precedence in the IP TOS packet field. Classification is
the process of grouping traffic into classes by using the class-map command.
Traffic policies are defined within the policy-map command. You activate
your policies with the service-policy command. Marking can be used so that
other devices in the network know how to prioritize traffic. Queuing can
then be used to implement your QoS policies.
WFQ is the default queuing method used on serial interfaces running at E1
speeds or less. It separates conversations into low and high priority based on
Layer 3 and Layer 4 header information. PQ has four queues and the high
queue always has precedence over the lower queues. Use the priority-list
command to associate traffic with one of the four queues. CQ has 16 queues
and processes them in a round-robin fashion. You can change the byte count
for a queue to allow it to process more or less information when its turn
arrives. Use the queue-list command to associate traffic with one of the
queues. LLQ uses both PQ and CB-WFQ. WRRQ is the default queuing
method on Cisco's Layer 3 switches. Use the priority command to specify an
expedite queue. In WRRQ, there are four queues with weights assigned to
them. The better the weight value, the more preference the queue is given.
If packets must be dropped, it is typically the tail end of the conversations
that are dropped. WRED is used to drop packets before congestion becomes
an issue, which is different from queuing. Conditioning of traffic shapes it to
remove the burstiness from it, thereby reducing jitter problems.


Exam Prep Questions


Question 1
What is the maximum acceptable amount of one-way delay (per leg) for VoIP
connections?
A. 20ms
B. 60ms
C. 100ms
D. 200ms

Answer B is correct. The maximum acceptable amount of delay for voice
connections, per leg, is 60ms. Anything greater than this could cause echo
problems, making answers A, C, and D incorrect.

Question 2
______ is the amount of time it takes to encapsulate a packet in a frame and put
the bits on a wire.
A. Packetization
B. Serialization
C. Propagation
D. Processing

Answer B is correct. Serialization is the amount of time it takes to encapsulate a packet in a frame and put the bits of a frame on a wire. Answer A is
incorrect because packetization is the amount of time it takes to segment
information, sample and encode any signals, process the traffic, and then
encapsulate the data in packets. Propagation is the amount of time it takes to
transmit the bits of a frame across a wire to the next networking device, making C incorrect. Processing is the amount of time it takes a networking
device to process a received frame, including queuing, making answer D
incorrect.


Question 3
Which QoS architecture guarantees QoS parameters on a connection-by-connection basis?
A. FIFO
B. DiffServ
C. IntServ
D. LLQ

Answer C is correct. IntServ reserves resources via RSVP to provide a connection-guaranteed QoS. FIFO provides no QoS, making A incorrect.
DiffServ provides QoS on a hop-by-hop basis, making B incorrect. LLQ is a
queuing method, not a QoS architecture, making D incorrect.

Question 4
Which marking option is used to denote QoS information in an IEEE frame?
A. 802.1P
B. 802.3P
C. 802.1D
D. 802.1W

Answer A is correct. 802.1P provides for marking of QoS information in IEEE
frames. 802.3P is a nonexistent standard, making B incorrect. 802.1D defines
STP, making C incorrect, and 802.1W defines RSTP, making D incorrect.

Question 5
What command specifies which traffic goes into which queue with priority
queuing?
A. queue-list
B. priority-queue
C. fair-queue
D. priority-list

Answer D is correct. The priority-list command is used to define queuing
policies for PQ. Answer A is used for CQ, making it incorrect. Answer B is
a nonexistent command. Answer C is used for WFQ, making it incorrect.


Question 6
What is the default queuing method used on serial interfaces clocked at E1
speeds or less?
A. WRRQ
B. CQ
C. WFQ
D. PQ

Answer C is correct. WFQ is the default IOS queuing method on serial E1
interface speeds or less. Answer A is true of Cisco's Layer 3 switches, making
it incorrect. Answers B and D require manual configuration, making them
incorrect.

Question 7
Which QoS tool can be used to avoid congestion?
A. WRED
B. LLQ
C. WFQ
D. WRRQ

Answer A is correct. WRED is a congestion-avoidance QoS technique.
Answers B, C, and D are used for queuing, which doesn't avoid congestion,
but prioritizes traffic.

Question 8
Marking of traffic should occur where?
A. Access layer
B. Distribution layer
C. Access and distribution layer
D. Core layer

Answer A is correct. Marking should occur as close to the source as possible,
which is the access layer. Therefore, answers B, C, and D are incorrect.


Question 9
Which command specifies your traffic policing policies for QoS?
A. class-map
B. policy-map
C. match
D. service-policy

Answer B is correct. The policy-map command specifies your policing policies for classes of traffic. The class-map command is used to classify traffic,
not assign policies, making answer A incorrect. The match command is used
within the class-map command to match on classes of traffic; therefore,
answer C is incorrect. The service-policy command is used to activate your
QoS policies, making answer D incorrect.

Question 10
QoS, by default, is enabled on Cisco's Layer 3 switches.
A. True
B. False

Answer B is correct. You must use the mls qos command to enable QoS on
Cisco Layer 3 switches; answer A is therefore incorrect.

Need to Know More?
For information on QoS, visit
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_configuration_guide09186a008017d8e5.html#1000913

For information on configuring QoS on a Catalyst 3550, visit
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801a6b55.html

For information on debug commands for the Catalyst 6500, visit
http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a0080179bb4.html#882864

10
MLS Optimization and Security

Terms you'll need to understand:
SPAN, VSPAN, and RSPAN
Network Analysis Module and RMON
AAA and 802.1X
VLAN ACLs
Private VLANs

Techniques you'll need to master:
Configuring SPAN and RSPAN
Securing your switch
Configuring AAA, port security, and 802.1X
Using VACLs to secure your network
Understanding the components and configuration of
private VLANs


This chapter focuses on two areas: capturing traffic to optimize your network
and switch security features. The first half of this chapter is dedicated to the
SPAN feature of Catalyst switches. This feature enables you to capture traffic from one or more ports and redirect it to a port with a protocol analyzer
or probe attached to it. The captured information can then be analyzed to
assist you in troubleshooting and capacity planning.
The second half of this chapter covers some of the security features included with the IOS switching software. This includes basic security, such as
assigning passwords, restricting access, and authenticating users (AAA and
802.1x). It also includes restricting traffic between ports on the switch by
using VLAN access control lists (ACLs), port security, and private VLANs.

Performance
Networks will always experience problems. One of your goals is to make sure
that you maximize your performance while minimizing your problems. You
have to deal with three main issues while balancing networking performance
and problems: application performance, capacity planning, and fault
management.
The first thing you'll want to do is to develop a baseline of the performance
of your existing network. You need to document your existing network,
including the layout of your devices and their current operation, CPU and
buffer utilization, memory usage, and throughput. You also need to determine adequate response times for your users and their applications.
After building a baseline, you need to take the growth in your network into
consideration and perform capacity planning. You also need to use monitoring tools so that you can closely watch the operation of your network.
Monitoring tools can also be used to help troubleshoot networking problems
and issues, from connection problems to bandwidth issues.
The following sections discuss the use of the switched port analyzer (SPAN)
feature and the Network Analysis Module (NAM).

Switched Port Analyzer


The Switched Port Analyzer enables you to mirror traffic from one or more
interfaces on a switch to a port that is connected to a network analyzer, packet sniffer, or remote monitoring (RMON) probe. This traffic can then be
analyzed and processed for reporting.


One nice feature of SPAN on Cisco's Catalyst switches is that it does not
affect the performance of the switch, which is based on the switching process
in the switch. For example, the Cisco 6000 moves a frame from an interface
to the bus. Any other switch port can move that frame from the bus to the
port's outbound buffer. The switching engine in the switch then tells which
interfaces to drop the frame, indicating that the frame is not to be further
processed by those interfaces. With SPAN, there is no extra overhead
involved in the switching process because the frame is already copied into the
buffer by the SPAN port.
SPAN enables you to capture traffic on one or more ports, including VLANs, and redirect it to a port with a protocol analyzer or probe connected to it. When capturing
traffic from a VLAN, this process is commonly referred to as VSPAN.

SPAN Types
There are two basic types of SPAN: local and remote. Local SPAN has interfaces on the local switch redirected to a local port with an analyzer connected to it. The local SPAN feature supports the mirroring of traffic from both
source ports and VLANs to one or more destination ports. If you're mirroring traffic in the inbound direction, it is called ingress SPAN. If you're mirroring traffic in the outbound direction, this is called egress SPAN. Remote
SPAN is discussed later.

SPAN Configuration
Before you set out to configure local SPAN on your Catalyst switch, you
should be aware of the following:
- After you enable SPAN, all traffic from the associated ports is mirrored,
  including broadcasts and multicasts, such as BPDUs.
- A SPAN port, once enabled, cannot have traffic specifically directed to
  it. Only mirrored traffic is sent out the SPAN port.
- The SPAN port itself can be either an access link or trunk port. If it is a
  trunk port, the analyzer connected to it must understand trunking. If the
  SPAN port is an access link, it does not have to be in the same VLAN as
  the ports that are being mirrored.
- The source ports of a port channel interface (EtherChannel) can be
  included in SPAN, but not a specific interface in the channel.
- Both Layer 2 and Layer 3 interfaces can be included as source ports with
  SPAN.

- You cannot have both individual ports and VLANs as a source.
- You cannot have VLANs as a source and perform filtering of VLANs
  in a SPAN session; it's one or the other.
- When specifying a source VLAN, only Layer 2 traffic is monitored.
Remember the preceding bulleted items in regard to SPAN configuration limitations.

Setting up SPAN is a two-step process: You must first specify which traffic to
mirror and then specify which interface is the SPAN port. Use this command
to specify the mirrored traffic:
Switch(config)# monitor session session_# source
{interface type/port_#}|{vlan VLAN_#} [,|-|rx|tx|both]

The session number is used to group your monitor session commands.
Following this is the port, ports, VLAN, or VLANs that you want to mirror.
If you have multiple sources, separate them with a comma (,). For a range of
ports or VLANs, separate them with a dash (-). If you don't specify which
direction to capture traffic on the source port or ports, it defaults to both, for
both the transmit and the receive directions. You can override this with the
rx (receive) and tx (transmit) parameters.
Here is a simple example of capturing traffic from fastethernet0/1:
Switch(config)# monitor session 1 source interface fastethernet0/1 both

After youve specified the mirrored traffic, you next need to specify the
SPAN port itself:
Switch(config)# monitor session session_# destination interface type/port_#
[encapsulation isl|dot1q]

The session number you specify here references the session number of the
source ports. You follow this with the destination interface. If the interface is
a trunk, you can optionally specify the encapsulation type (this is only for IOS
switches that support both trunking types). For the 2950, you don't need to
specify the trunking encapsulation because the 2950 supports only 802.1Q.
Here's a simple example of specifying the SPAN port for our previous monitoring session (1):
Switch(config)# monitor session 1 destination interface fastethernet0/5


When you've configured the monitor session destination command, your
switch is mirroring traffic from the specified source ports to the specified
SPAN port.
Use the monitor session command to configure SPAN.

Remote SPAN
Remote SPAN (RSPAN) is an extension of local SPAN. With local SPAN,
all the source and destination ports are on the same switch. With RSPAN,
these ports can be on different switches. This is very handy if you have only
a limited number of network analyzers or RMON probes, but still want to
see certain traffic across all your switches in an area.
RSPAN enables you to capture traffic on one switch, but redirect it to a port on another
switch.

Please note that not all Cisco switches support RSPAN.

The configuration of RSPAN is a three-step process. First, you must create
a dedicated VLAN for RSPAN traffic that travels between the switches. Use
the following configuration:
Switch(config)# vlan VLAN_#
Switch(config-vlan)# remote-span

Assuming that you're using VTP in a server/client configuration, execute
this command on the server switch. If you're using transparent mode with
VTP, you'll have to configure the preceding command on all your switches
that will see the RSPAN VLAN: the source, intermediate, and destination
switches.
The RSPAN VLAN is treated differently on the switches as compared to
other VLANs. First, no MAC address learning occurs on the RSPAN VLAN
because this is only mirrored traffic for network analysis purposes. Second,
the RSPAN VLAN shows up on your trunks. Therefore, it is highly recommended that you either use VTP pruning or manual pruning to ensure that
RSPAN traffic is not flooded across your entire network, but is contained
within only those switches from the source port(s) to the destination. Third,
to reduce any STP issues, BPDUs are not mirrored with RSPAN. If you have
any performance issues with the amount of RSPAN traffic you're mirroring,
you can use ACLs to filter information that is sent to the destination port
with the analyzer or probe.
In this example, VLAN 100 is set up as the RSPAN VLAN:
Switch(config)# vlan 100
Switch(config-vlan)# remote-span

After youve configured your RSPAN VLAN, you must set up monitoring
for your source ports. This is the same command that you used in the local
SPAN configuration (monitor session source). After defining the source ports
on a switch, you have to specify the destination port. If the network analyzer or RMON probe is on a different switch, use the following command:
Switch(config)# monitor session session_# destination remote vlan VLAN_#

This command specifies the RSPAN VLAN to use to get the mirrored traffic to the destination.
The RSPAN VLAN traffic traverses trunk links. If performance is a problem, manually
prune this VLAN from your trunks and set up a dedicated access-link connection to
carry this traffic.

Here's a simple example where traffic from session 1 is sent out any interface(s) associated with the RSPAN VLAN:
Switch(config)# monitor session 1 destination remote vlan 100

On the switch that has the network analyzer or probe connected to it, use the
following configuration:
Switch(config)# monitor session session_# remote vlan VLAN_#
Switch(config)# monitor session session_# destination interface type/port_#

The first command specifies that traffic coming into the switch in the
RSPAN VLAN should be mirrored. That traffic is mirrored to the port specified by the second command.
Heres a simple example:
Switch(config)# monitor session 1 remote vlan 100
Switch(config)# monitor session 1 destination interface fastethernet0/5


It's important to point out that you do not have to configure anything special on intermediate switches that do not have any source ports; just make
sure that these switches have the RSPAN VLAN in their configuration.

SPAN Verification
When you've configured SPAN or RSPAN, you can verify your configuration with this command:
Switch# show monitor session

Here's an example of the output of this command:
Switch# show monitor session 1
Session 1
---------
Type: Local Source Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1-3
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/5
Encapsulation: DOT1Q
Ingress: Enabled, default VLAN=5
Reflector Ports: None
Filter VLANs: None
Dest RSPAN VLAN: None

This is an example of local SPAN, where the source ports are fa0/1-3 and the
destination port is fa0/5 (attached probe).

Network Analysis Module


Instead of using an external network analyzer or RMON probe to analyze or
gather your traffic, the Catalyst 6000 Series switches support a Network
Analysis Module (NAM). A NAM is similar to an RMON probe. You can use
it to gather RMON (RFC 1757) and RMON2 (RFC 2021) information. A
NAM cannot perform analysis on the captured data. However, you can use
Cisco's TrafficDirector or any IETF-based RMON-gathering product. A
NAM can only gather traffic from Ethernet-based ports or statistics exported from NetFlow data.

Initial Configuration
The purpose of this section is not to show you the complete configuration
process that you have to go through to set up a NAM. Instead, I'll cover the
very basic configuration steps pertaining to the NAM. After you have the
NAM up and running, most of the configuration is typically done via an
SNMP-based product, such as CiscoWorks 2000, and all the data gathering
is done from TrafficDirector or a similar RMON product.

Basic NAM Configuration


Unlike the configuration discussed so far in this book, the configuration of
the NAM is done within the NAM module. The NAM module actually runs
its own operating system and has its own disk drive. Figure 10.1 shows a picture of the NAM module.
Figure 10.1 Network analysis module. (The figure labels the module's PCMCIA LEDs, PCMCIA slots, shutdown button, system status LED, and hard drive LED.)

As youll notice in Figure 10.1, the NAM does not have external connections,
like a console or Ethernet interfaces. Instead, all interaction with the NAM
is done across the backplane of the Catalyst 6000 Series switch.
To log in to the NAM, you first log in to your Catalyst switch and use the
following command:
Switch# session slot slot_# processor 1

You are then logged in to the NAM, where you'll be prompted for a username and password. To make configuration changes on the NAM, you'll
have to log in to the root account.
If you aren't sure which slot your NAM is located in, use the show module
command:

Switch# show module
Mod Ports Card Type                            Model             Serial No.
--- ----- ------------------------------------ ----------------- -----------
2   2     Catalyst 6000 supervisor 2 (Active)  WS-X6K-SUP2-2GE   SAD04450LF2
3   48    48 port 10/100 mb RJ-45 ethernet     WS-X6248-RJ-45    SAD03181469
5   0     Switching Fabric Module (Active)     WS-C6500-SFM      SAD04420JR3
6   2     Network Analysis Module              WS-X6380-NAM      SAD05130AXD

In this example, the NAM is in slot 6.


Use the show module command to list installed modules and the session slot
command to gain access to the NAM.

When you're in the NAM, you'll have to enable basic IP connectivity. Doing
so allows an external management device, such as TrafficDirector, to access
the NAM. Here's the basic IP configuration you should perform, shown in
Listing 10.1.
Listing 10.1 NAM IP Configuration Commands
root@localhost# ip address IP_address subnet_mask
root@localhost# ip broadcast IP_network_broadcast_address
root@localhost# ip gateway router_default_gateway_address
root@localhost# ip host name_of_NAM
root@localhost# ip domain domain_name
root@localhost# ip nameserver DNS_server_address

The ip address command in Listing 10.1 assigns an IP address to the NAM.
The ip broadcast command assigns the IP broadcast address for the network
number that the NAM is associated with. The ip gateway command assigns
the address of the router that will function as the default gateway for the
VLAN that the NAM is associated with. The ip host command assigns a
name to the NAM used within IP and the ip domain command assigns the
domain name. The ip nameserver command assigns the DNS server address
that the NAM should use to resolve fully qualified domain names to IP
addresses. Listing 10.2 shows a simple example.
Listing 10.2 Using the ip nameserver Command
root@localhost# ip address 172.16.254.8 255.255.255.0
root@localhost# ip broadcast 172.16.254.255
root@localhost# ip gateway 172.16.254.254
root@localhost# ip host nam1
root@localhost# ip domain dealgroup.com
root@localhost# ip nameserver 172.16.253.2


To view your IP configuration, use the show ip command:
root@localhost# show ip
IP address: 172.16.254.8
Subnet mask: 255.255.255.0
IP Broadcast: 172.16.254.255
DNS Name: nam1.dealgroup.com
Default Gateway: 172.16.254.254
Nameserver(s): 172.16.253.2

To have TrafficDirector or an SNMP manager access your NAM, you must
configure SNMP on the NAM, as shown in Listing 10.3.
Listing 10.3 NAM SNMP Configuration Commands
root@localhost# snmp location descriptive_location_information
root@localhost# snmp contact name_of_a_contact_person
root@localhost# snmp name SNMP_name_of_NAM
root@localhost# snmp community string_value rw
root@localhost# snmp community string_value ro

The snmp location command specifies a descriptive location of where the
NAM is located (the switch, the floor of the building, the building itself, and
the like). The snmp contact command lists the person someone should contact if there is a problem with the NAM. The snmp name command assigns a
name to the NAM used with SNMP interaction. The snmp community commands assign the read/write and read-only community strings used to gain
access to the NAM. To view your SNMP configuration, use this command:
root@localhost# show snmp
SNMP Agent: nam1.dealgroup.com 172.16.254.8
SNMPv1: Enabled
SNMPv2C: Enabled
SNMPv3: Disabled
community check read
community mate write
sysDescr Catalyst 6000 Network Management Module (WS-X6380-NAM)
sysObjectID 1.3.6.1.4.1.9.5.1.3.1.1.2.223
sysContact The Big Cheese, Administrator: 555-1212
sysName 6500-NAM - Slot 3
sysLocation Building 1, Floor 1, Data Center

If you experience connectivity problems with the NAM, reboot it and try
again.
After you've finished your IP configuration, you must enable the HTTP
server on the NAM:
root@localhost# ip http server enable

This enables you to access the NAM via a Web browser interface. You can
optionally use a secure HTTP server, but its configuration is beyond the
scope of this book. Please refer to the NAM reference in the Need to Know
More? section at the end of this chapter for additional information.

Autostart Configuration
Autostart is a NAM feature that enables you to gather RMON statistics of
the Catalyst 6000 switch that the NAM is installed in (without having to set
up SPAN). As soon as your switch is booted up and the NAM initializes, the
NAM can begin gathering these statistics. However, this function is disabled
by default. To enable it, use the following command:
root@localhost# autostart collection_name enable

The collection names you can specify include addressmap, art, etherstat,
priostats, and vlanstats. The art collection gathers application
response time information based on sending and receiving data at the transport layer of the OSI Reference Model. This feature is not included with the
basic NAM module; it requires the purchase of an additional software
license. You can disable a collection name by using the keyword disable
instead of enable.
When you've either enabled or disabled a specific collection name, you'll
have to reboot the NAM.
The NAM can gather RMON statistics for the Catalyst switch it is installed in. The processing of traffic must be done by a remote RMON management station, such as
TrafficDirector.

Switch Configuration
After you've prepared the NAM for gathering traffic, you can set up the
Catalyst 6000 Series switch to interface with the NAM. This requires two
different configurations. First, you have to associate the NAM's IP address
with a VLAN. Second, you have to associate it as a destination port for
SPAN.
In Figure 10.1, you can see that the NAM doesn't have any physical interfaces. Instead, it has two logical interfaces: 0 and 1. Interface 0 is associated
with IP and interface 1 is associated with the SPAN function.
Because the NAM has an IP address, you'll want to associate the IP interface
with the VLAN where your management devices are located by using the
following configuration:
Switch(config)# interface gigabit slot_#/0
Switch(config-if)# switchport access vlan VLAN_#


Remember to use a port number of 0 for the IP interface.
Next, you need to associate the NAM's logical SPAN interface with the destination port for traffic mirroring:
Switch(config)# monitor session session_# destination interface gigabit slot_#/1

This is the same command we discussed earlier in the SPAN Configuration
section. Remember to use a port number of 1 for the SPAN
port on the NAM.
Here's a simple example associating it with the management VLAN, which
is VLAN 1:
Switch(config)# interface gigabit 3/0
Switch(config-if)# switchport access vlan 1
Switch(config-if)# exit
Switch(config)# monitor session 3 destination interface gigabit 3/1

In this example, gigabit 3/1 (the NAM's monitoring port) has traffic from
session 3 mirrored to it.
The NAM has two logical ports: 0 is for the IP addressing information and 1 captures
traffic.

Securing Your Switch


The last half of this chapter discusses how to secure your switch as well as the
additional security features that the switch supports to secure your network.
This section is by no means an all-inclusive discussion of all the Catalyst
switches' security features, but it does describe some of the major ones.

What to Secure
With a basic security setup, you'll want to secure access to the EXEC modes
on the Catalyst switch. Listing 10.4 shows the basic commands to do so.
Listing 10.4 Basic Security Setup
Switch(config)# line console 0
Switch(config-line)# password password
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# access-class standard_ACL_# in
Switch(config-line)# exit
Switch(config)# access-list 1-99 permit source_address [wildcard_mask]
Switch(config)# enable secret Privilege_EXEC_password

By default, the switch has no preconfigured passwords. To assign a password
to console access, go into the console line (line console 0) and use the password
command. To restrict Telnet access, access your VTYs (line vty 0 4), enable
password authentication with the login command, and assign a password
with the password command. Optionally, create a standard ACL (access-list)
that defines management stations and activate it on your VTYs with the
access-class command. To restrict Privilege EXEC access, assign a password
with the enable secret command. You should already be familiar with these
commands from preparing for your CCNA exam.
Remember how to configure these commands on a switch, including how to restrict
Telnet access.

Table 10.1 lists some other things you should do to secure your switch.
Table 10.1 Securing Your Switch
Security Component: Explanation
Login Warnings: When someone tries to access the switch, he should be greeted by a login banner explaining ownership, usage policies, and punishment to violators.
Unnecessary Services: Disable all unnecessary services, such as unused TCP and UDP services (no service tcp-small-servers, no service udp-small-servers, no finger). If you aren't using the integrated HTTP server for management functions, disable it.
SNMP: Don't use SNMPv1 or v2 because passwords are sent in clear text; use SNMPv3 instead.
SSH: Telnet access sends usernames and passwords in clear text. Use SSH, which encrypts information between the administrator and the switch.
Cisco Discovery Protocol (CDP): CDP is used to help troubleshoot Layer 2 problems. Disable it completely or at least on interfaces connected to non-Cisco devices.
Logging: When problems occur, you can record them with the switch's logging feature, which also enables you to log information to a remote server using syslog. This is an extremely useful troubleshooting tool.
Trunking: Trunking is set to auto-detection, by default, which can create security issues by allowing a third-party device to set up trunk connections to your switch. Disable trunking on all nontrunk ports (hard-code them as access link connections).
STP: Configure STP to tune it to your network: set the priorities on the root and backup root. Also use the BPDU Guard feature. Use the PortFast feature on all nonswitch ports. Doing so prevents third-party switches from creating malicious BPDU broadcast storms.

Authentication, Authorization,
and Accounting
One of the problems with authentication in the previous section is that no matter who accesses your switch, that person uses the same password based on the
type of EXEC access she is attempting. For example, all administrators accessing Privilege EXEC mode must use the same password. First, this creates
accountability problems: You never know who made what changes on the
switch because you don't know specifically who logged in to the switch. Second,
you can't limit what an administrator does on the switch. Privilege EXEC access
is an all-or-nothing proposition. Third, it's difficult to manage your passwords.
If you need to change the Privilege EXEC password for administrator access,
you probably need to do it on all of your switches, which is cumbersome.

Overview of AAA
AAA centralizes authentication, authorization, and accounting functions and
solves the three problems just discussed. AAA breaks up security into three
components:
Authentication: Provides a means for identifying an individual and validating that person's access to a device
Authorization: Verifies what specific tasks a user can perform on a device
Accounting: Keeps a record of what users did on a device


Enable AAA
Before I begin a discussion of how to implement AAA, I must mention that
the configuration information is a brief overview of setting up AAA. For a
more thorough discussion, review Cisco's SECUR materials (formerly
MCNS). The configuration of AAA on an IOS-based switch is actually the
same as configuring it on an IOS-based router. Please see the Need to
Know More? section at the end of this book for more information regarding AAA.
The very first thing you need to do is to activate AAA on your switch:
Switch(config)# aaa new-model

Use the aaa new-model command to enable AAA.

There are two basic ways that you can use AAA on your switch: have the
switch itself act as a security server or use an external security server, such as
Cisco Secure ACS. To configure the switch to hold usernames and passwords, use the username command:
Switch(config)# username users_name password password

The username command creates a user's name and password that will be used
to authenticate access to the switch.
One major disadvantage of using the switch as a server is that, unfortunately,
it can only perform AAA functions for itself; it can't act as a server for other
devices. To use an external AAA server, you'll have to specify a security protocol to use, the AAA server itself, and a key used to authenticate access to the
server. There are two security protocols: TACACS+ (Cisco-proprietary) and
RADIUS (open-standard). The following commands accomplish this:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host AAA_servers_IP_address key string
Switch(config)# radius-server host AAA_servers_IP_address key string

The aaa new-model command enables AAA. The tacacs-server command specifies access to a TACACS+ server, and the radius-server command specifies
access to a RADIUS server.
Heres a simple example of using 192.168.1.5 as a security server:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.168.1.5 key ThisPasswordIsSecret


Authentication Configuration
When you've enabled AAA and either defined a local username database or
an external security server, you're ready to configure login authentication
and how it should be performed. This is accomplished with the aaa
authentication login command:
Switch(config)# aaa authentication login default|list_name method1 method2...

There are actually many things AAA can authenticate, but this book focuses
only on login authentication using the aaa authentication login command. If
you specify the default parameter, this command is used for all login authentication processes on the switch. You can override this by specifying a list
name and then, for a specific type of access, referencing the list for authentication, like this:
Switch(config)# aaa authentication login telnet group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# login authentication telnet

In this example, I'm overriding the default authentication process for VTY
access and specifying the aaa authentication login command with the list
name of telnet.
The last thing you specify with the aaa authentication login command is how
login authentication can be checked. There are actually many ways you can
check authentication, but I'm only going to cover three of them: local, group
tacacs+, and group radius. If you specify local for a method, the username commands are used to verify authentication. If you use group tacacs+ or group
radius, the appropriate external AAA server is used.
Please note that you can list more than one method. If more than one
method is listed, the switch processes them in the order that you specified
them. The switch tries the first method, and if it cannot access or find the
information, it tries the second method. For example, you might list group
tacacs+ and then local to specify that if the TACACS+ server isn't reachable,
username commands on the switch should be used as a backup. Listing 10.5
shows a simple example.
Listing 10.5 AAA Authentication Example
Switch(config)# username administrator password cisco
Switch(config)# aaa authentication login telnet group tacacs+
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# login authentication telnet


In this example, the VTYs use TACACS+ to perform authentication. Any
other form of access (such as the console) uses the default method: try the
TACACS+ server first, and if that fails, use the local username database.

Authorization
Authorization is used to restrict what tasks a user can perform after he is
authenticated. The aaa authorization command is used. You can again enable
authorization for many functions of the switch and router. However, I'm
going to discuss only three of them. Here's the command you should use to
enable authorization:
Switch(config)# aaa authorization exec|commands command_level|configuration
default|list_name method1 method2...

Specifying the exec parameter has the switch verify authorization as to
whether the user is allowed to access an EXEC level, such as Privilege
EXEC. The commands parameter enables you to specify which levels of commands users are allowed to execute. These numbers can range from 0 to 15,
where 1 is User EXEC and 15 is Privilege EXEC. You can assign commands
to different levels than their defaults with the privilege command, but doing
so is beyond the scope of this book. The configuration parameter authorizes
access to Configuration mode. The remainder of the command is the same
as the aaa authentication login command.
Here's a simple authorization example:
Switch(config)# aaa authorization configuration default group tacacs+

In this example, anyone attempting to configure the switch must first be
authorized via the configured TACACS+ server.

Accounting
AAA's accounting is used to keep track of what a user has done. Unlike
authentication and authorization, to keep track of AAA events, you must
have an external AAA security server. You can't record AAA events local to
the switch itself. Use the aaa accounting command to set up accounting:
Switch(config)# aaa accounting event_type record_method
default group tacacs+|group radius

Table 10.2 lists the types of events that you can capture accounting information for. Please note that there are more events in addition to those listed,
but Table 10.2 covers the most common ones.

Table 10.2 AAA Accounting Events
Event Name: Description
commands command_level: Record accounting information whenever someone executes a command at the specified level
connection: Record an accounting event when someone tries to telnet from the switch to another device
exec: Record an accounting event when someone gains a specific EXEC level access
system: Record an accounting event for system events, such as a reboot or an interface change

There are three ways the event can be recorded, as shown in Table 10.3.
After specifying the recording method, you need to specify the type of AAA
server: RADIUS or TACACS+.
Table 10.3 Accounting Recording Methods
Method: Action
stop-only: Create a record upon finishing the event.
start-stop: Create a record at the beginning and ending of the event.
wait-start: If the AAA server is not reachable, don't allow the user to perform the action; otherwise, act like start-stop.

Here's a simple example of setting up accounting that records a single record
to a TACACS+ server whenever a system event takes place:
Switch(config)# aaa accounting system stop-only default group tacacs+

Please note that the AAA information in this book provides a crash course on implementing AAA on an IOS-based switch. There are many more features and functions to
AAA in addition to those discussed here.

Security for Your Network


The preceding section dealt with security access to the switch itself. This
section covers some security features that affect traffic as it flows through the
switch, including port security, VLAN ACLs, and private VLANs.


Basic Port Security


The user's initial access to the network is typically via a switch port. Because
this is the user's initial access, the port on the switch becomes your first line
of defense. There are two security tools that you can use to restrict the user's
access: port security and port authentication using IEEE's 802.1x. The following sections discuss these solutions.

Port Security
The port security feature is also known as MAC address lockdown and works
on access link ports; it is not supported on trunks. Likewise, not all Catalyst
switches support port security.
With Catalyst switches, by default, all addresses are allowed to be associated
with any particular port. In port security, a user's MAC address is associated
with a specific port. If a different source MAC address is seen off of the port
than those allowed, the switch can disable the port and turn the port's LED
to amber.
There are two ways that you can associate an address with a port with port
security:
Static: You manually assign which MAC addresses should be off of which port.
Dynamic: You allow the switch to learn which address or addresses are allowed to be off of a port, and then have the switch save them in its permanent configuration.
Static configuration is not very manageable in a large network. Most administrators use the dynamic method, sometimes referred to as sticky learning.
With the dynamic method, between 1 and 132 MAC addresses can be dynamically learned from a port (you control the number of addresses). Dynamically
learned addresses are placed in the switch's configuration and saved. If the
switch is rebooted, the dynamically learned addresses will still be in the
switch's configuration.
Two things can cause a security violation:
When the switch learns the maximum configured number of addresses, any other addresses over the maximum value are seen as security violations.
A MAC address associated with a secured port is seen off of another port.

When a security violation occurs, the switch can take one of the three actions
listed in Table 10.4.
Table 10.4 Security Violation Actions
Parameter: Action
protect: All nonsecured MAC addresses have their frames dropped by the switch, but secured MAC addresses are allowed access through the switch.
restrict: A syslog message is created, an SNMP trap is generated, and the violation counter is incremented.
shutdown: The interface is disabled and placed in an error-disable state. To enable the interface, remove the security violation and use the no shutdown command.

To enable port security, use the configuration in Listing 10.6.
Listing 10.6 Port Security Configuration
Switch(config)# interface type slot_#/port_#
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum #_of_addresses
Switch(config-if)# switchport port-security mac-address sticky|MAC_address
Switch(config-if)# switchport port-security violation protect|restrict|shutdown

Port security is enabled with the switchport port-security command. The
default maximum number of secured addresses that can be associated with a
port is 132. You can change this value from 1 to 132 with the maximum parameter.
Sticky learning is enabled by default. However, you can statically configure
secured MAC addresses by using the mac-address parameter. The default violation mode is restrict. You can modify this with the violation parameter.
In Listing 10.7, port security restricts fastethernet0/1 to just a single address
learned via sticky learning, and shuts down the port if a violation occurs.
Listing 10.7 A Sticky Learning Example
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
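The interaction of the maximum count, sticky learning, and the three violation modes is easier to follow in a small model than in prose. The following Python is an added illustration written for this edition, not Cisco code: it keeps a secure address table per port, applies the two violation triggers listed above, and shows which entries would appear in the running configuration (sticky and static addresses appear; plain dynamic ones do not). Port names, MAC addresses and the syslog text are constructed; the message name is modelled on the IOS %PORT_SECURITY mnemonic.

```python
"""Model of Catalyst port-security behaviour: a secure address table per
port, a maximum count, sticky learning and the protect/restrict/shutdown
violation modes.  Added illustration, not Cisco code; the ports, MAC
addresses and log text below are constructed."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1            # IOS default: one secured address per port
    violation: str = SHUTDOWN   # IOS default violation mode
    sticky: bool = False
    secure: set = field(default_factory=set)   # all secured MACs on this port
    static: set = field(default_factory=set)   # subset configured by hand
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def running_config(self):
        """Lines that would appear under the interface in running-config.
        Dynamic (non-sticky) addresses never show up here."""
        lines = [f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac in sorted(self.secure):
            if mac in self.static:
                lines.append(f"switchport port-security mac-address {mac}")
            elif self.sticky:
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


class Switch:
    def __init__(self):
        self.ports = {}
        self.owner = {}   # secured MAC -> name of the port it is secured on

    def add_port(self, port):
        self.ports[port.name] = port

    def add_static(self, port_name, mac):
        port = self.ports[port_name]
        if len(port.secure) >= port.maximum:
            raise ValueError(f"{port_name}: maximum of {port.maximum} already reached")
        port.secure.add(mac)
        port.static.add(mac)
        self.owner[mac] = port_name

    def ingress(self, port_name, src_mac):
        """Decide 'forward' or 'drop' for a frame from src_mac on port_name."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"                       # errdisabled: nothing passes
        if src_mac in port.secure:
            return "forward"
        if self.owner.get(src_mac, port_name) != port_name:
            return self._violate(port, src_mac, f"secured on {self.owner[src_mac]}")
        if len(port.secure) < port.maximum:
            port.secure.add(src_mac)            # dynamic (or sticky) learning
            self.owner[src_mac] = port_name
            return "forward"
        return self._violate(port, src_mac, "maximum exceeded")

    def _violate(self, port, mac, reason):
        if port.violation == PROTECT:
            return "drop"                       # silent: no counter, no message
        port.violations += 1
        port.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {mac} on "
                           f"{port.name} ({reason})")   # modelled on the IOS message
        if port.violation == SHUTDOWN:
            port.err_disabled = True            # stays down until shut / no shut
        return "drop"


def demo():
    """Walk a two-port switch through learning and both violation triggers."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", maximum=1, sticky=True))          # shutdown mode
    sw.add_port(SecurePort("Fa0/2", maximum=2, violation=RESTRICT))
    sw.add_static("Fa0/2", "0000.0200.1111")
    results = [
        sw.ingress("Fa0/1", "0000.0a00.1234"),   # learned (sticky) -> forward
        sw.ingress("Fa0/1", "0000.0a02.5678"),   # second MAC over max 1 -> shutdown
        sw.ingress("Fa0/1", "0000.0a00.1234"),   # port now errdisabled -> drop
        sw.ingress("Fa0/2", "0000.0a00.1234"),   # MAC secured on Fa0/1 -> restrict
        sw.ingress("Fa0/2", "0000.0c00.9999"),   # second of max 2 -> forward
    ]
    return sw, results
```

Run demo() to see the sequence: the second address on Fa0/1 (maximum 1, shutdown mode) err-disables that port, whereas the same address showing up on Fa0/2 (restrict mode) is only counted and logged, and a protect-mode port drops silently without touching its counter.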

315 MLS Optimization and Security
To verify your port security configuration and operation, use the following
command:
Switch# show port-security [address|interface type slot_#/port_#]

Without any options, the show port-security command displays information for
all interfaces, like this:
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
Fa0/1        10             10           0                  Restrict
Fa0/2        1              1            0                  Restrict
<--output omitted-->

In this example, you can see the maximum allowed secured addresses, the
current number, the number of violations, and the security action for each
port.
To view port security information for a particular interface, use the interface
parameter, like this:
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 10
Configured MAC Addresses: 1
Sticky MAC Addresses :9
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

In this example, you can see that nine addresses were learned via sticky learning
and one was statically configured.
To see the CAM table information related to port security, use the address
parameter, like this:
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  -----------     ----              -----   --------------------
1     0000.0a00.1234  SecureDynamic     Fa0/1
1     0000.0a02.5678  SecureDynamic     Fa0/1
1     0000.0200.1111  SecureConfigured  Fa0/1
<--output omitted-->
-------------------------------------------------------------------
Total Addresses in System :10
Max Addresses limit in System :10

In this example, the first two addresses were learned dynamically (addresses
learned through sticky learning are listed with a type of SecureSticky instead)
and the third one was statically configured.

Port security secures up to 132 addresses on a port. When addresses are learned
dynamically and written into the configuration, it is called sticky learning.
Use the switchport port-security command to configure port security. There are
three violation modes: protect, restrict, and shutdown (the default, which
disables the interface).

Port-Based Authentication with 802.1X


IEEE's 802.1X standard defines how to authenticate and control port access.
There are three devices involved with 802.1X:
- Client (the supplicant): runs the 802.1X software and requests access to
  the network
- Switch (the authenticator): controls access to the network by acting as a
  proxy between the client and the server
- Server (the authentication server): authenticates the user (the RADIUS
  protocol is used between the switch and the server)

A switch port with 802.1X enabled is initially in an unauthorized state. The
switch allows only Extensible Authentication Protocol over LAN (EAPOL) traffic
through the port until the user is authenticated; 802.1X carries EAP inside
EAPOL frames, and the switch relays the EAP exchange to the RADIUS server.
After the user is authenticated, all of the user's traffic is permitted. If the
client doesn't support 802.1X, it never answers the switch's EAP requests and
the port remains in the unauthorized state. If the switch doesn't support (or
isn't configured for) 802.1X but the client does, the client sends EAPOL
frames, gets no response, assumes that the switch is not running 802.1X, and
continues by forwarding normal frames.
To enable 802.1X, use the following configuration:
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface type slot_#/port_#
Switch(config-if)# dot1x port-control auto|force-authorized|force-unauthorized

As I mentioned earlier, an external authentication server and RADIUS are used
to handle authentication. This is specified with the aaa authentication dot1x
command. You must still enable AAA (aaa new-model) and define the RADIUS server
(radius-server host) before this command does anything; on later IOS releases
802.1X must also be switched on globally with dot1x system-auth-control. After
that, enable 802.1X on your switch's interfaces using the dot1x port-control
command. There are three port-control modes, listed in Table 10.5. Only the
auto parameter actually enforces authentication; the other two override it.

Table 10.5 802.1X Port Modes
Authentication Mode   Description
auto                  Enable 802.1X and require client authentication
force-authorized      Disable 802.1X on the port and allow client traffic
                      without authentication (default mode)
force-unauthorized    Drop all frames and ignore all authentication attempts
                      by the client
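To make the three roles and the "EAPOL only until authorized" rule concrete, the following Python, added here and not part of the original page or of any Cisco software, walks the parties through an EAP-MD5 exchange: the supplicant sends EAPOL-Start, the authenticator (switch port) relays the identity and challenge to a constructed in-memory RADIUS server, and the port is opened only on Access-Accept. The fixed challenge, the user table and the message names are assumptions made for the example (a real authenticator uses a random challenge and a real RADIUS server); EAPOL's EtherType 0x888E is the real value.

```python
"""Message-level model of an 802.1X/EAP-MD5 exchange between supplicant,
authenticator (switch port) and RADIUS server.  Added illustration; not
Cisco's implementation.  Challenge value and user table are constructed."""
import hashlib

EAPOL_ETHERTYPE = 0x888E        # real IEEE 802.1X EtherType for EAPOL frames
IPV4_ETHERTYPE = 0x0800         # stands in for "normal" user traffic
AUTO, FORCE_AUTH, FORCE_UNAUTH = "auto", "force-authorized", "force-unauthorized"


def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 (CHAP-style) response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


class RadiusServer:
    """Constructed in-memory user store standing in for the AAA server."""

    def __init__(self, users):
        self.users = users                       # username -> password (bytes)

    def access_request(self, username, eap_id, challenge, response):
        password = self.users.get(username)
        if password is not None and eap_md5_response(eap_id, password, challenge) == response:
            return "Access-Accept"
        return "Access-Reject"


class Authenticator:
    """One switch port.  It never checks credentials itself; it relays EAP
    to RADIUS and opens the port only on Access-Accept."""
    CHALLENGE = bytes(range(16))                 # constructed; real code uses random bytes

    def __init__(self, port_control, radius):
        self.port_control = port_control
        self.radius = radius
        self.authorized = port_control == FORCE_AUTH
        self.eap_id = 1
        self.identity = None
        self.transcript = []

    def admit(self, ethertype):
        """Before authorization an auto port passes only EAPOL frames."""
        if self.port_control == FORCE_UNAUTH:
            return False
        return self.authorized or ethertype == EAPOL_ETHERTYPE

    def receive_eapol(self, frame):
        """Handle a supplicant frame and return the switch's reply, or None
        when the port is not running 802.1X (force-authorized/unauthorized)."""
        if self.port_control != AUTO:
            return None
        kind = frame["type"]
        self.transcript.append(f"<- {kind}")
        if kind == "EAPOL-Start":
            reply = {"type": "EAP-Request/Identity", "id": self.eap_id}
        elif kind == "EAP-Response/Identity":
            self.identity = frame["identity"]
            self.eap_id += 1
            reply = {"type": "EAP-Request/MD5-Challenge", "id": self.eap_id,
                     "challenge": self.CHALLENGE}
        elif kind == "EAP-Response/MD5-Challenge":
            verdict = self.radius.access_request(self.identity, frame["id"],
                                                 self.CHALLENGE, frame["response"])
            self.transcript.append(f"RADIUS {verdict}")
            self.authorized = verdict == "Access-Accept"
            reply = {"type": "EAP-Success" if self.authorized else "EAP-Failure"}
        else:
            reply = {"type": "EAP-Failure"}
        self.transcript.append(f"-> {reply['type']}")
        return reply


class Supplicant:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def authenticate(self, port):
        """Return 'authorized' or 'unauthorized'; when the switch never answers
        EAPOL, return 'open' or 'blocked' depending on whether normal traffic passes."""
        reply = port.receive_eapol({"type": "EAPOL-Start"})
        if reply is None:
            # No EAPOL answer: the client assumes the switch is not doing 802.1X
            # and simply starts sending normal frames.
            return "open" if port.admit(IPV4_ETHERTYPE) else "blocked"
        reply = port.receive_eapol({"type": "EAP-Response/Identity",
                                    "identity": self.username})
        response = eap_md5_response(reply["id"], self.password, reply["challenge"])
        reply = port.receive_eapol({"type": "EAP-Response/MD5-Challenge",
                                    "id": reply["id"], "response": response})
        return "authorized" if reply["type"] == "EAP-Success" else "unauthorized"
```

The transcript list on the authenticator records the exchange as the switch sees it; note that the switch itself never holds the password, which is the property the RADIUS relay is there to provide.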

After you've configured 802.1X, use the show dot1x command to verify its
configuration and operation:
Switch# show dot1x
Global 802.1X Parameters
  reauth-enabled   yes
  reauth-period    3600
  quiet-period     60
  tx-period        30
  supp-timeout     30
  server-timeout   30
  reauth-max       2
  max-req          2

802.1X Port Summary
Port Name   Status     Mode              Authorized
Fa0/1       disabled   n/a               n/a
Fa0/2       enabled    Auto (negotiate)  yes
<--output omitted-->

802.1X Port Details
802.1X is disabled on FastEthernet0/1
802.1X is enabled on FastEthernet0/2
  Status              Unauthorized
  Port-control        Auto
  Supplicant          0060.b0f8.1234
  Multiple Hosts      Disallowed
  Current Identifier  2
  Authenticator State Machine
    State             AUTHENTICATING
    Reauth Count      1
<--output omitted-->

802.1X performs user authentication using AAA with RADIUS to authenticate users
before the switch enables its port to the users traffic.

VLAN Access Lists


Cisco MLS switches support three types of access control lists (ACLs):
- Router ACLs (RACLs), such as standard and extended ACLs
- QoS ACLs (QoS was discussed in the last chapter)
- VLAN ACLs (VACLs)

You should be familiar with standard and extended ACLs from your CCNA
studies. With standard and extended ACLs, you build a list of statements and
then apply the list to an interface. The configuration of VACLs is
conceptually different. First, you create a VACL map that specifies what
traffic to match on and what to do when there is a match. The VACL is then
activated for a VLAN or list of VLANs, or for one or more of the switch's
interfaces.

There are three types of ACLs supported by Cisco multilayer switches: router
ACLs, QoS ACLs, and VLAN ACLs.

VACL Configuration
To create a VACL map, use the configuration in Listing 10.8.
Listing 10.8 VACL Map Configuration
Switch(config)# vlan access-map name_of_map [sequence_#]
Switch(config-access-map)# match ip address 1-199|1300-2699|ACL_name
Switch(config-access-map)# match ipx address 800-999|ACL_name
Switch(config-access-map)# match mac address ACL_name
Switch(config-access-map)# action {drop [log]}|{forward [capture]}|{redirect (type slot_#/port_# | port-channel channel_#)}

The vlan access-map command is similar to a statement in a standard or
extended ACL, with a few differences. First, the statements are ordered by
sequence number, which lets you insert or delete a specific entry. Order
matters because the entries of a map are processed from the lowest sequence
number upward, and the first entry whose match succeeds decides the action.
Sequence numbers can range from 0 to 65,535.

The match commands specify which traffic an entry applies to. You can match
on IP, IPX, or MAC address information. Notice from the syntax of the match
command that you must configure a normal ACL (numbered or named) to describe
the traffic. The ACL's permit and deny keywords do not themselves permit or
deny anything: a permit entry in the ACL means "this map entry matches, apply
its action," and a deny entry means "this map entry does not match, go on to
the next sequence number." If the switch works through every entry in the map
and none of them matches, the packet or frame is dropped by the implicit deny
at the end of the map, so a map that only lists traffic to forward silently
drops everything else in the VLAN.

If an entry matches, the action specified with its action command is
performed. The drop parameter causes the matching traffic to be dropped; only
on the Catalyst 6500 can you log dropped traffic with the log parameter. The
forward parameter specifies that matching traffic should be forwarded. You
can specify the capture parameter only on the 6500, where it can be used with
SPAN. The redirect parameter has two options: redirect matching traffic to a
specific interface or to an EtherChannel.

VACL Activation
After you've created your VACL map, activate it with the following command:
Switch(config)# vlan filter VACL_map_name {vlan-list vlan_list|interface type slot_#/port_#}

Notice that with this command, you can activate a VACL on a VLAN or list of
VLANs, or for a specified interface. Please note that you can use the
interface option only for WAN interfaces installed in a Catalyst 6500.
Listing 10.9 shows a simple example.
Listing 10.9 Using the vlan filter Command
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# vlan access-map VMAP 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter VMAP vlan-list 5

In this example, traffic sourced from 192.168.1.0/24 is allowed to travel to
or through VLAN 5. Because the map has no other entries, traffic in VLAN 5
from any other source falls through to the implicit drop at the end of the
map; to let it through as well, add a later entry (for example, sequence 20)
that matches an ACL permitting any address and forwards it. Note also that a
VACL applies to all traffic in the VLAN, bridged as well as routed, and has no
direction.

When your configuration is done, you can use the show vlan access-map and
show vlan filter commands to examine your VACLs.
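The permit/deny semantics above trip up many first-time VACL users, so here is a small evaluator, written in Python for this edition (it is not Cisco's forwarding code), that applies a map exactly as described: entries in sequence order, an entry matches only when its ACL permits, a deny falls through to the next entry, and an unmatched packet hits the implicit drop. The ACLs, maps and addresses are constructed. It also shows why Listing 10.9 as written drops all non-192.168.1.0/24 traffic in VLAN 5, and two ways of writing a "block one host, forward the rest" policy.

```python
"""Evaluator for VACL semantics: map entries tried in sequence order, an
entry matches only when its ACL returns permit, a deny means "not this
entry, try the next", and unmatched traffic is dropped.  Added illustration,
not Cisco's forwarding code; ACLs, maps and packets are constructed."""
import ipaddress


def acl_permits(acl, src_ip):
    """Standard ACL evaluation: the first matching entry decides.  Returns
    True only for permit; an explicit deny and the implicit deny at the end
    of the ACL both return False."""
    ip = ipaddress.ip_address(src_ip)
    for verdict, network in acl:
        if ip in ipaddress.ip_network(network):
            return verdict == "permit"
    return False


def evaluate_vacl(vlan_map, acls, src_ip):
    """vlan_map: list of (sequence, acl_name, action).  Returns (action, seq);
    seq is None when the implicit drop at the end of the map applied."""
    for seq, acl_name, action in sorted(vlan_map):
        if acl_permits(acls[acl_name], src_ip):
            return action, seq
    return "drop", None


# Constructed ACLs (wildcard masks written as prefix lengths).
ACLS = {
    "1":         [("permit", "192.168.1.0/24")],        # access-list 1 from Listing 10.9
    "ANY":       [("permit", "0.0.0.0/0")],
    "HOST5":     [("permit", "10.0.0.5/32")],
    "NOT-HOST5": [("deny", "10.0.0.5/32"), ("permit", "0.0.0.0/0")],
}

# Listing 10.9 exactly as written: only 192.168.1.0/24 is forwarded; every
# other source in the VLAN falls off the end of the map and is dropped.
MAP_LISTING_10_9 = [(10, "1", "forward")]

# Two equivalent ways to block one host and forward everybody else.
MAP_EXPLICIT = [(10, "HOST5", "drop"), (20, "ANY", "forward")]
MAP_VIA_DENY = [(10, "NOT-HOST5", "forward")]   # deny -> no match -> implicit drop
```

MAP_VIA_DENY relies on the deny entry making sequence 10 "not match" so that the host reaches the implicit drop; MAP_EXPLICIT says the same thing in two entries and is the form most people find readable in a running configuration.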

Private VLANs
VLANs are used to group ports together in a broadcast domain. Private VLANs
(PVLANs) provide Layer 2 isolation between devices within the same private
VLAN. At first, this sounds confusing. Probably the best way to look at it is
as a broadcast domain in which rules dictate how traffic travels between
devices; private VLANs are the mechanism that enforces these rules. For
example, you might have a group of devices that you want to put in the same
broadcast domain, but you want to limit what each of these devices can access
within that domain. One solution would be to use ACLs, which are not very
scalable in a dynamic and growing network. PVLANs, on the other hand, provide
flexibility. In our example, you might have a server farm and users accessing
the server farm. The rules are that the devices in the server farm should be
able to communicate with each other and with the users, while the users should
be able to communicate only with the servers, not with each other. PVLANs
provide this kind of cookie-cutter Layer 2 separation within a single
broadcast domain.

PVLANs provide Layer 2 isolation between devices within the same private VLAN.

Advantages
PVLANs provide the following advantages:
- Because devices are in the same broadcast domain but still logically
  separated, you need fewer VLANs.
- Because you need fewer VLANs, you need fewer IP subnets.
- Because you have fewer subnets, you need fewer IP default gateway
  addresses.
- You can still maintain VLAN integrity across trunks.

Remember the advantages that PVLANs provide.

Components
There are two sets of components in private VLANs: PVLAN types and port
types. There are two PVLAN types: primary, which ties the secondary PVLANs
together and carries traffic toward the promiscuous ports, and secondary,
which separates devices within the private VLAN.
In addition to the two PVLAN types, there are three types of ports:
- Promiscuous: can communicate with all ports in the PVLAN; these are
  typically router and server ports
- Community: can communicate with other ports in the same community as well
  as with promiscuous ports; these are typically user and/or server ports
- Isolated: can communicate only with promiscuous ports, not even with other
  isolated ports in the same secondary PVLAN; these are typically user ports

Remember the three PVLAN port types (promiscuous, community, and isolated) as
well as which port types can communicate with which.

Primary PVLANs contain promiscuous ports. These ports enable connectivity
between devices in the PVLAN, where it is allowed. Community and isolated
ports belong to secondary PVLANs. There is a trust hierarchy, with primary
PVLANs at the top and secondary PVLANs at the bottom.
Figure 10.2 shows a PVLAN example. In this example, there is one primary
PVLAN (100), which includes the router (promiscuous port) at the distribution
layer. Below that, at the access layer, are two secondary PVLANs associated
with the primary PVLAN: 101 and 102. PVLAN 101 is an isolated PVLAN. The PCs
in this VLAN cannot share information with each other or with PVLAN 102; they
can share information only with the devices in PVLAN 100 (in this case, the
router). PVLAN 102 is a community PVLAN. Notice that this PVLAN is spread
across two switches. In a community PVLAN, the devices can share information
with each other and with the promiscuous port(s) in the primary PVLAN (the
router). One important thing to point out concerning this example is that all
of these devices are in the same broadcast domain and the same subnet. You
could use normal VLANs to solve this problem, but doing so would require one
VLAN for the community of devices and a separate VLAN for each isolated
device. With hundreds of devices, using normal VLANs doesn't scale.
Figure 10.2 Private VLAN example. (The router sits on a promiscuous port of the
distribution layer switch in primary VLAN 100; trunks connect it to two access
layer switches. Secondary VLAN 101 is isolated and secondary VLAN 102 is a
community that spans both access switches; the hosts are PC-A through PC-F.)

PVLAN Configuration Requirements

Before I begin discussing the configuration of PVLANs, I need to cover some
configuration requirements:
- If you're using VTP, all switches must be in transparent mode, because VTP
  (versions 1 and 2) does not support PVLANs. Because VTP pruning requires
  server-mode switches, and you must configure the switches in transparent
  mode, VTP pruning won't work: you'll have to manually prune PVLANs from
  trunks to optimize your network.
- VLAN 1 cannot be a PVLAN.
- Layer 3 interfaces should be placed only in the primary PVLAN and should
  be promiscuous ports.
- A primary PVLAN can have one isolated secondary PVLAN and multiple
  community secondary PVLANs associated with it. A community or isolated
  PVLAN can be associated with only a single primary PVLAN.
- You cannot place a SPAN destination port or an EtherChannel in a PVLAN.

Remember the PVLAN configuration requirements listed in the preceding
bulleted items.

Creating PVLANs
After you've placed your switch in VTP transparent mode, you're ready to
create your PVLANs:
Switch(config)# vlan VLAN_#
Switch(config-vlan)# private-vlan primary|isolated|community

First, create a VLAN with the vlan command, and then specify the PVLAN type
with the private-vlan command. The isolated and community parameters specify
that the PVLAN is a secondary PVLAN.
Given our example in Figure 10.2, the configuration in Listing 10.10 is
entered on each of the three switches.
Listing 10.10 PVLAN Example
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit

After you've created all of your primary and secondary PVLANs, you must
associate the secondary PVLANs with their respective primary PVLANs. This is
accomplished by going into the primary PVLAN and using the private-vlan
association command, shown in Listing 10.11.
Listing 10.11 PVLAN Association Configuration
Switch(config)# vlan VLAN_#_of_primary_PVLAN
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association secondary_PVLAN_#(s)
Switch(config-vlan)# private-vlan association add secondary_PVLAN_list(s)
Switch(config-vlan)# private-vlan association remove secondary_PVLAN_list(s)

The first association command specifies the list of secondary PVLANs that
are associated with this primary PVLAN. By using the add parameter, you
can add other secondary PVLANs to your existing list. The remove parameter removes secondary PVLANs from the association. To list multiple
PVLANs, separate them by a comma, like so: 105, 108, 110. You can also use
a range by specifying the beginning PVLAN number, immediately followed
by a dash, and then the ending PVLAN number; for example: 100-102. You
can also mix the two types, like 100-102, 105, 108, 110.
Going with our previous example shown in Figure 10.2, here's the association
configuration:
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101-102

To view your PVLANs, use the show vlan private-vlan command:
Switch# show vlan private-vlan
Primary  Secondary  Type       Interfaces
-------  ---------  ---------  ----------
100      101        isolated
100      102        community

Associating Ports with PVLANs

Now that you've created your PVLANs, you can begin associating ports with
them. This configuration is done under the switch's interface configuration.
There are three ways of doing this, depending on the type of interface.

If the interface is a Layer 2 promiscuous interface, like one connected to a
file server, use the following configuration:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping primary_vlan_ID secondary_vlan_ID_list

The switchport mode private-vlan promiscuous command specifies that the


interface is in promiscuous mode (and therefore in a primary PVLAN). The
switchport private-vlan mapping command specifies the primary PVLAN that
this port is associated with, along with the secondary PVLAN(s) that are associated with the primary PVLAN. With this command, you can insert the add
and remove parameters, which function like those discussed in the last section.
If the interface is in a Layer 2 isolated or community secondary PVLAN, use
the following:
Switch(config)# interface type slot_#/port_#
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID

The switchport mode command specifies that this is a secondary PVLAN (host)
port. The switchport private-vlan host-association command specifies the
primary PVLAN that this port is associated with and the secondary PVLAN
assigned to it.
If the interface is a Layer 3 interface (an SVI for the primary PVLAN, which
routes for all of the associated secondary PVLANs), use the following:
Switch(config)# interface vlan primary_VLAN_#
Switch(config-if)# private-vlan mapping secondary_VLAN_list

To view your configured interface settings, use the following command:


Switch# show interfaces type slot_#/port_# switchport
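The port-type rules and the configuration commands of this section fit together in a small model. The following Python, added for this edition and not Cisco code, checks which ports in a private VLAN may exchange frames, enforces the one-isolated-secondary-per-primary rule, and emits the vlan and switchport commands of Listings 10.10 and 10.11 and of the port-association section for each port. The host-to-port assignment for Figure 10.2 is constructed, and port names are treated as unique labels even though the real topology spans three switches.

```python
"""Model of private-VLAN port rules plus the configuration that implements
them: which port types may talk, one isolated secondary per primary, and the
vlan / switchport commands for each port.  Added illustration, not Cisco
code; the host-to-port assignment is a constructed reading of Figure 10.2."""
from itertools import permutations

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondary = {}     # secondary VLAN id -> ISOLATED or COMMUNITY
        self.ports = {}         # port name -> (port type, secondary VLAN or None)

    def add_secondary(self, vlan_id, kind):
        if kind == ISOLATED and ISOLATED in self.secondary.values():
            raise ValueError("a primary PVLAN may have only one isolated secondary")
        self.secondary[vlan_id] = kind

    def add_port(self, name, kind, secondary=None):
        if kind == PROMISCUOUS:
            self.ports[name] = (PROMISCUOUS, None)
        elif self.secondary.get(secondary) == kind:
            self.ports[name] = (kind, secondary)
        else:
            raise ValueError(f"VLAN {secondary} is not a {kind} secondary of {self.primary}")

    def can_talk(self, a, b):
        """Promiscuous reaches everything; community reaches its own community
        (even across switches); isolated reaches only promiscuous ports."""
        (ta, va), (tb, vb) = self.ports[a], self.ports[b]
        if PROMISCUOUS in (ta, tb):
            return True
        return ta == tb == COMMUNITY and va == vb

    def blocked_pairs(self):
        return sorted(p for p in permutations(self.ports, 2) if not self.can_talk(*p))

    def vlan_config(self):
        """Global VLAN definitions and the association (Listings 10.10 / 10.11)."""
        lines = []
        for vid, kind in sorted(self.secondary.items()):
            lines += [f"vlan {vid}", f" private-vlan {kind}"]
        secs = ",".join(str(v) for v in sorted(self.secondary))
        lines += [f"vlan {self.primary}", " private-vlan primary",
                  f" private-vlan association {secs}"]
        return lines

    def port_config(self, name):
        """Interface commands for one port, by its port type."""
        kind, sec = self.ports[name]
        if kind == PROMISCUOUS:
            secs = ",".join(str(v) for v in sorted(self.secondary))
            return [f"interface {name}", " switchport mode private-vlan promiscuous",
                    f" switchport private-vlan mapping {self.primary} {secs}"]
        return [f"interface {name}", " switchport mode private-vlan host",
                f" switchport private-vlan host-association {self.primary} {sec}"]


def figure_10_2():
    """Constructed assignment: router on Fa0/24 (promiscuous); PC-A/PC-B on
    Fa0/1-2 and PC-E/PC-F on Fa0/5-6 in community 102 (two different access
    switches); PC-C/PC-D on Fa0/3-4 isolated in 101."""
    pv = PrivateVlan(100)
    pv.add_secondary(101, ISOLATED)
    pv.add_secondary(102, COMMUNITY)
    pv.add_port("Fa0/24", PROMISCUOUS)
    for port in ("Fa0/1", "Fa0/2", "Fa0/5", "Fa0/6"):
        pv.add_port(port, COMMUNITY, 102)
    for port in ("Fa0/3", "Fa0/4"):
        pv.add_port(port, ISOLATED, 101)
    return pv
```

blocked_pairs() lists every ordered pair the PVLAN keeps apart, which is a quick way to check a design against the rules before typing it in; vlan_config() and port_config() produce the commands that implement it.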

Summary
SPAN enables you to capture traffic on one or more ports, including
VLANs, and to redirect the captured traffic to a port with a protocol analyzer or probe connected to it. RSPAN has the destination port located on a
different switch. You can capture traffic from Layer 2 and Layer 3 interfaces,
including EtherChannels. Use the monitor session command to set up SPAN.
The NAM is an RMON probe that fits into the chassis of a Catalyst 6500
switch. It has no physical ports, but two logical ports. It requires an RMON
management station to process the captured traffic.

You should assign passwords to your switch with the password and enable
secret commands, as well as restricting Telnet access with the access-list
and access-class commands.
You can implement AAA (authentication, authorization, and accounting) to
create a more robust security solution. AAA can be performed by the switch or
by an external security server running TACACS+ or RADIUS. 802.1X can be used
to authenticate users before they're allowed access to the switched network.
Until authenticated, the user's port allows only EAPOL authentication
traffic; all other traffic is dropped.
Port security can be used to lock down which devices are allowed to connect
to which ports. This can be done statically or dynamically. You can have a
maximum of 132 secured addresses associated with a port. Use the switchport
port-security command to enable port security. If the switch port is disabled
because of a security violation, it turns amber.
VACLs enable you to filter VLAN traffic. You create a VLAN map with the vlan
access-map command. This map specifies matching traffic (match command) and
the action to perform when a match occurs (action command). The VACL is then
activated with the vlan filter command.

PVLANs are used to restrict traffic flows within a broadcast domain.


PVLANs have primary (promiscuous ports) and secondary (isolated and
community ports) PVLANs. They are used because they reduce your
addressing requirements as compared to normal VLANs.

Exam Prep Questions


Question 1
SPAN is supported on which of the following source interfaces?
A. Layer 2 only
B. Layer 3 only
C. Layer 2 and Layer 3
D. Layer 2, Layer 3, and specific EtherChannel interfaces

Answer C is correct. The source ports that you can capture traffic from
include Layer 2 interfaces, Layer 3 interfaces, and EtherChannels. Answers A
and B are incorrect because both are supported. D is incorrect because you
can't capture traffic from a specific interface in a channel; only the entire
channel.

Question 2
Enter the switch command to display the slot the NAM is installed in:
___________.

show module.

Use the show module command to display the cards installed in the Catalyst
switch.

Question 3
You want to restrict Telnet access to the switch based on source addresses.
What command would you use to activate your restrictions on your VTYs?
A. password
B. access-group
C. vacl-filter
D. access-class

Answer D is correct. Use the access-class command to activate a standard ACL
on your VTYs in order to restrict Telnet access to the switch. The password
command only assigns a password to a line, making answer A incorrect. The
access-group command activates an ACL on a Layer 3 interface, making answer B
incorrect. Answer C is a nonexistent command.

Question 4
Enter the switch command to enable AAA: __________.

aaa new-model.

AAA is disabled by default; enable it with the aaa new-model command.

Question 5
With port security, up to _________ addresses off a port can be secured.
A. 1
B. 10
C. 64
D. 132

Answer D is correct. Up to 132 MAC addresses can be secured for a port
enabled with port security, making answers A, B, and C incorrect.

Question 6
The IEEE ______ standard defines user authentication for switch port access
using EAPOL for communication.
A. 802.1D
B. 802.1X
C. 802.11
D. 802.3Z

Answer B is correct. 802.1X defines per-user authentication to gain access to
a switched network. It requires the use of RADIUS. Answer A specifies STP,
making it incorrect. Answer C specifies wireless, making it incorrect. Answer
D specifies Gigabit Ethernet, making it incorrect.

Question 7
Which is not an ACL type supported by Layer 3 switches?
A. Private ACL
B. Router ACL
C. VLAN ACL
D. QoS ACL

Answer A is correct. There is no such thing as a private ACL. Answers B, C,
and D are supported by Layer 3 switches, making them incorrect answers.

Question 8
Which PVLAN port type is supported only in a secondary PVLAN?
A. Restricted
B. Promiscuous
C. Secured
D. Community

Answer D is correct. Community and isolated ports are associated with secondary PVLANs. Answers A and C are incorrect because they are not
PVLAN port types. Answer B is incorrect because promiscuous ports are in
primary PVLANs.

Question 9
You have an isolated port in a primary PVLAN. What other ports can it talk to?
A. Promiscuous
B. Isolated
C. Community
D. None of these

Answer D is correct. Isolated ports can be in only secondary PVLANs, not
primary PVLANs. Therefore, answers A, B, and C are incorrect.

Question 10
Which command enables port security on a switch?
A. switchport secure
B. switchport port-security
C. port-security
D. security

Answer B is correct. Use the switchport port-security command to enable port
security on an interface. Answers A, C, and D are nonexistent commands.

Need to Know More?


For information about various switch optimization and security features and
their configuration, visit
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_book09186a0080179683.html

For information about NAM, visit
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide09186a00800f56d6.html

For information on AAA and router security, visit
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_configuration_guide09186a008017d583.html#1000714

11
Metro Ethernet

Terms you'll need to understand:
- MAN, SONET, DWDM, and CWDM
- Transparent LAN Service (TLS) and Directed VLAN Service (DVS)
- Q-in-Q tunneling and tag stacking
- Ethernet over MPLS

Techniques you'll need to master:
- Choosing a MAN service
- Understanding the similarities and differences in access methods to MANs:
  access links, 802.1Q trunks, Q-in-Q, and EoM PLS
- Understanding how Q-in-Q and EoMPLS tag frames
- Understanding STP issues with redundant MAN connections

Until recently, most WAN and MAN (metropolitan area network) connections
required you to use WAN connection services, such as Frame Relay, ATM, and
dedicated leased lines. There are problems with deploying these solutions,
though. First, you must use some type of Layer 3 device that supports these
WAN connections. This means that for a MAN, you cannot connect an Ethernet
switch at one site directly to an Ethernet switch at a remote site; you're
forced to purchase a router. Second, you introduce delay in your traffic
streams because your Layer 3 device must encapsulate your users' data in a
different Layer 2 frame format. This can create problems for delay-sensitive
traffic such as voice and video.
To deal with these and other problems, carriers have developed MAN solutions
that fit more easily into a customer's network. Basically, carriers allow
their customers to send Ethernet frames into the carrier's network. However,
this presents the carrier with two problems: how Ethernet frames should be
transferred over a Layer 2 transport that is not typically used for Ethernet,
and how the carrier should establish and maintain these connections for
hundreds of customers at a time. This chapter focuses on the problems and
solutions that carriers use to transport Ethernet across their MAN backbones.

Layer 1 and Layer 2


Many service providers implement MANs by using Synchronous Optical Network
(SONET) or Ethernet. SONET is a physical layer standard, and is described
later in this chapter. It provides more bandwidth than Ethernet, and carries
multiple payload types, such as ATM, IP, and even Ethernet. Ethernet, as a
standalone solution, is typically used for the following reasons:
- Scales to very high speeds (10Gbps)
- Is inexpensive
- Is a widely used and proven technology
- Supports multiple services, including voice, video, and data

Cisco Metro Solutions


Cisco sells many metro solutions. Actually, many of the products that you
would find at the distribution and core layers of an enterprise network are
considered candidates for MAN deployments. Table 11.1 compares some of
Cisco's different metro solutions. As you can see from this table, Cisco
provides both Catalyst switch and router solutions. Routers are sometimes used
when complex queuing mechanisms are required or when you already have a
router in place that performs the connectivity job adequately.
Table 11.1 Cisco Metro Solutions
Feature                        Catalyst 3550  Catalyst 4000  Catalyst 6500  7600 Router
Maximum ports                  96             240            576            Flexible
Forwarding rate (pps)          13 million     24 million     210 million    Hardware dependent
Bandwidth policing             Yes            No             Yes            Yes
Queues per port                (see note)
Rapid Spanning Tree (RSTP)     Yes            Yes            Yes            Yes
UplinkFast and BackboneFast    Yes            Yes            Yes            Yes
Port security                  Yes            No             No             No
UDLD                           Yes            Yes            Yes            Yes
Jumbo frames                   Yes            Yes            Yes            Yes
EtherChannels                  Yes            Yes            Yes            Yes

Note: the source gives a single value, 1,000, in the Queues per port row
without indicating which platform it belongs to.

Services
Carriers that offer MAN services run Ethernet over SONET. Carriers use SONET
because of its flexibility in transporting multiple services, such as
Ethernet and ATM, and because of its ability to reach across long distances.
For a company that has a large Ethernet infrastructure, this makes it easy to
extend Ethernet connectivity across a carrier's network to other remote
sites. This can be done using either routers or switches. For smaller
companies, this reduces the number of Layer 3 devices that you need, because
Layer 2 Ethernet switches can be used for the MAN connections. Therefore, you
don't need to deploy a separate router for each site, but only where one is
necessary.
When using Ethernet as a MAN solution, you should consider the following
five items:
- Cost
- Scalability
- Transparency
- Level of service
- Connection type

When choosing a MAN service, consider cost, scalability, transparency, level
of service, and the type of connection needed.

One of the foremost items you should consider is how cost effective an
Ethernet service is for MAN connectivity. When evaluating costs, you should
examine both the equipment costs and the ongoing connection and maintenance
costs.
The second thing you should consider is scalability. Scalability is not an
issue when you're connecting a small number of sites together across a MAN.
However, you should weigh how scalable a service provider's solution is if
your network is dynamic and/or growing. From a dynamic perspective, how easy
and quick is it to connect to the carrier? How fast can the service provider
change services for you if your bandwidth needs change?
The third item you should consider is transparency. One of the main reasons
customers enjoy Ethernet services in a MAN environment is that the MAN is
treated as a transparent network: it's invisible to the customer's equipment,
whether that equipment is a switch or a router. In other words, the service
provider creates a logical connection between two or more peering devices.
From the customer's perspective, it appears that the equipment is directly
connected via the same physical layer connection. If you want multiple
devices (Layer 2 or Layer 3) to appear to be on the same segment, the service
provider makes it appear that these devices are connected via a hub, even
though the carrier is typically using other methods to provide this
connectivity.
The fourth item you should consider is level of service. As you saw in
Chapter 9, "Quality of Service," Cisco's switches can support a level of
service infrastructure, favoring some types of traffic over others by
enforcing Quality of Service (QoS) policies. Based on the behavior and needs
of your traffic, you should consider a service provider that can meet these
needs.
The last item you should consider is the type of connection that you'll need
across the MAN. There are two basic types of connections: point-to-point and
multipoint. Point-to-point connections are very common in WAN and

11 9911 ch11 10/10/03 2:04 PM Page 335

335
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Metro
. . . .Ethernet
. . . .

MAN environments because they are simple to set up for the service
provider. However, there might be situations in which you want the
providers network to appear as a hub, where all your edge MAN devices
appear to be directly connected together. If this is the case, youll need to
choose a MAN provider that can deal with issues such as trunking between
devices as well as maintaining your STP topologyboth of these issues
should be dealt with transparently by the service provider. The next section
covers the two different services that providers use for these connections:
Transparent LAN services
Directed VLAN services

Transparent LAN Services


With transparent LAN services (TLS), the connection between switches in the MAN is made transparently by the service provider. In other words, the provider's equipment is hidden from your equipment's view. For example, let's look at the network in Figure 11.1. In this example, your switches have an access link connection to the carrier's network, and all of these connections are in the same VLAN. The switches don't actually see the service provider's switch; instead, it appears that all of your switches are connected together via a hub.

Because of this structure, TLS is simple to implement from the carrier's side. From your side, you need only an access link connection, and you place the devices connected to the MAN in the same VLAN (subnet/broadcast domain).

When implementing TLS, remember that your MAN connection is an access link. Therefore, for traffic to traverse the MAN, you must put all of your sites in the same VLAN, which doesn't scale from a broadcast perspective. This is especially true if you have a lot of multimedia applications that generate a lot of multicast traffic, such as real-time video.

You could also break up the single-VLAN implementation into multiple VLANs by using a router at one or more sites to route traffic between the VLANs. If you have only one router, located at one site, to handle inter-VLAN traffic, it could cause a broadcast and multicast problem on the MAN because most inter-VLAN traffic will have to traverse the MAN to reach the router. This can be solved by placing a router at each site, which obviously increases costs. In addition, with a router at each MAN site, you might experience Layer 3 peering problems with certain routing protocols, such as OSPF, which treats the MAN as a single multiaccess segment.

A third problem with TLS is that because you're using an access link connection to the provider, the provider has to associate all of your devices by placing them in a provider VLAN. This is what separates your traffic from other customers' traffic. However, one serious limitation that the service provider faces is the number of VLANs that its switches can support. With 802.1Q, the 12-bit VLAN ID gives a limit of 4,096 VLANs (4,094 of them usable, because IDs 0 and 4,095 are reserved). Therefore, the service provider wouldn't be able to support more than about 4,096 customers with this implementation.

802.1Q functions at Layer 2. Multiprotocol Label Switching (MPLS) also allows tunneling when information crosses a carrier's backbone; MPLS labels sit between the Layer 2 header and the Layer 3 packet, and the provider's core is routed at Layer 3. Both solutions are covered later in this chapter.

However, even given these problems, TLS does have a place in a network design. If you have only a small number of sites that need to be connected and not much traffic is sent between sites, TLS provides an excellent fit.

Figure 11.1 Transparent LAN service. (Switch 1, Switch 2, and Switch 3 each connect to the service provider switch over an access link.)


TLS provides a transparent access link connection through the carrier's network, where the carrier's connection appears as a logical segment. TLS doesn't scale well because of the use of access link connections. Plus, if the provider is using 802.1Q, it is limited to 4,096 VLANs to segregate its customers.

Directed VLAN Services


With a directed VLAN service (DVS), the edge switches connect to the carrier via a trunk link. From the edge switch's perspective, it knows that it is connecting to a service provider switch and sets up a trunk connection to the carrier's switch, as shown in Figure 11.2. Connections by the carrier can be set up as either point-to-point or multipoint.

Figure 11.2 Directed VLAN service. (Switch 2 carries VLANs 10 and 20, Switch 3 carries VLANs 20 and 30, and Switch 4 carries VLANs 10 and 30; each connects to the service provider switch over a trunk.)

You can use two basic design approaches for connectivity: put a router at a single location for inter-VLAN routing, or put a router at each location. Because DVS uses trunks, it's safe to assume that you have multiple VLANs in your network. Therefore, you'll need some type of Layer 3 device to handle inter-VLAN traffic. If you have a router at only a single location, inter-VLAN traffic from other sites will have to travel across the MAN to be routed, as shown in Figure 11.3. This is an example of a hub-and-spoke design.

In this example, for VLAN 1 off Switch 1 to reach VLAN 2 off Switch 2, the traffic must be sent across the MAN to the router to be routed. Plus, broadcast traffic that occurs at remote sites will have to traverse the MAN. For example, a broadcast in VLAN 1 will be sent to all of your devices connected to the MAN: the router, Switch 1, Switch 2, and Switch 3. For multicast traffic, this can seriously affect your performance.

If you place a router at each site, you're increasing your equipment costs. Therefore, you'll have to look carefully at your traffic characteristics when deciding how many routers you should purchase and the location(s) at which they should be installed.

One concern with DVS is that the carrier switch that is connected to your switch must know what VLANs are being used in your network so that PVST+ and pruning can be implemented efficiently. This brings up a problem: if a carrier's network supports only 4,096 VLANs with 802.1Q, and each customer has about 100 VLANs, only about 40 customers could be supported in the carrier's network. From a carrier's point of view, this is even more limiting than TLS. However, as you'll see later in this chapter, Cisco can tunnel 802.1Q trunking information between two sites. This allows the carrier's switches to tunnel your VLAN information inside the carrier's own tagged frames, which enables the carrier to keep different customers' traffic separate while still maintaining the VLAN infrastructure you've built for your own network.

Figure 11.3 Directed VLAN service and a single router. (The router, Switch 1 with VLAN 10, Switch 2 with VLAN 20, and Switch 3 with VLAN 30 each connect to the service provider switch over a trunk.)


DVS provides a trunk link into a service provider, where the provider's infrastructure is seen as a single logical switch. It provides more flexibility, but presents problems in connecting multiple customers with multiple VLANs. To overcome this issue, 802.1Q tunneling is used.

Delivery Mechanisms
When a service provider designs a MAN solution, the physical layer is fiber cabling. There are many solutions that the carrier could use on the fiber cabling to transport Ethernet between a customer's various sites. However, the carrier typically doesn't use a physical layer implementation of Ethernet. Instead, the carrier uses SONET, dense wave division multiplexing (DWDM), or coarse wave division multiplexing (CWDM). The following sections briefly cover these three implementations.

Ethernet over SONET


There are two main standards for transmitting signals across fiber: SONET (Synchronous Optical Network) and SDH (Synchronous Digital Hierarchy). SONET is defined by the Exchange Carriers Standards Association (ECSA) and the American National Standards Institute (ANSI) and is used in North America. SDH is an international standard and is used throughout most of the world. Both standards define the physical layer framing used to transmit data as light over fiber.

SONET can be used to transport Ethernet frames. Physically, SONET uses a ring topology, as shown in Figure 11.4. Actually, a dual-ring topology is used to provide redundancy, similar to FDDI's dual-ring implementation. Unlike Ethernet, SONET has fault protection built in, providing a cutover of less than 50ms when a failure takes place in the MAN. Cisco ONS 15454 devices can be used to build the SONET ring. They're popular among carriers because the ONS 15454 devices support both Ethernet and SONET interfaces and can provide time division multiplexing (TDM) and DWDM solutions. The ONS product supports multiplexing, optical networking, and switching network elements all in one chassis.

Figure 11.4 SONET connections. (Four ONS 15454 nodes form the SONET ring; CPE Switch 1, CPE Switch 2, and CPE Switch 3 each attach to one of the ONS 15454 nodes.)

In the example shown in Figure 11.4, the solid lines indicate the physical connections, and the dotted lines indicate the logical connections. Notice that from the customer premises equipment (CPE) switch's perspective, it looks like a hub-and-spoke design, with a provider switch in the middle. Cisco's ONS 15454 switches can provide 802.1Q trunk or access link connections to the user, and transfer Ethernet frames around the ring using SONET.

SONET is generally available in MAN services, supports multiple connection types (such as Ethernet, ATM, IP, and leased circuits), and has built-in redundancy. However, SONET does have its drawbacks. It allocates bandwidth only in increments of 51.84Mbps (one STS-1), which is typically more bandwidth than a customer needs. This results in poor bandwidth usage by the provider. In addition, SONET was not developed for carrying Ethernet traffic: it was developed to multiplex low-speed voice circuits. Also, as part of its redundancy mechanism, one ring sits idle, which is a waste of bandwidth.

The dual-ring mechanism has one huge advantage: redundancy. For example, imagine a situation in which a carrier employee accidentally damages a fiber connection in the ring during a maintenance check. In that case, the ring would wrap and maintain connectivity, causing little, if any, disruption for customers.

SONET, which uses fiber-optic cabling, can carry multiple transports, including Ethernet, IP, ATM, and other services. It supports a dual-ring topology for redundancy. Its main disadvantage is that it uses bandwidth inefficiently.

Ethernet over DWDM


DWDM, like SONET, runs over fiber. However, the similarities between SONET and DWDM end there. DWDM is an enhancement of wave division multiplexing (WDM). One of the main issues with SONET, as mentioned in the last section, is that bandwidth is allocated in blocks of 51.84Mbps. This is not very efficient in carrier networks that have more data traffic than voice traffic.

WDM deals with this issue by using a wavelength (frequency) of light to transmit information. Multiple connections can be used on the same fiber by assigning each a different wavelength. With WDM, you're somewhat limited in the number of wavelengths and, therefore, the number of connections. DWDM extends this number to more than 200 wavelengths. One advantage of using a wavelength rather than the time-division multiplexing (TDM) technique that SONET uses is that you are no longer constrained to blocks of 51.84Mbps of bandwidth. As a carrier, you can be more granular in allotting bandwidth to customers.
Two transmission windows are used with DWDM: 1310 nanometer and 1550 nanometer (nm). These numbers are the optical wavelengths at which the lasers operate. 1310nm transmissions are more popular in short-distance environments, such as MANs, because of their lower cost. 1550nm transmissions cost more, but can span larger distances. Both types of transmission support redundancy.

With DWDM, point-to-point connections are built between sites. The CPE typically connects via Fast or Gigabit Ethernet to the carrier, and the carrier uses an optical switch to map the Ethernet signal onto a wavelength. From the CPE's perspective, it appears that the two devices connected via the MAN are directly connected to each other via a point-to-point Ethernet connection. And because point-to-point connections are used, as long as you use a hub-and-spoke design (no Layer 2 loops), you should not have to deal with STP issues across the MAN.

Cisco supports two DWDM products: ONS 15200 and ONS 15540. Cisco's products provide the following advantages: a low cost for connecting to buildings with a small number of customers; no requirement for Gigabit Ethernet connectivity within the carrier's network; and easy installation, testing, and maintenance.

DWDM's advantages include high data rates (Gbps) and scalability, easy setup, transparency to the CPE, and optical protection (similar to SONET). However, DWDM needs its own fiber connection and cannot run over SONET. Therefore, if you're already using a SONET connection for voice and want to integrate data, you'll have to do it on a different fiber cable. In that situation, you'll need to hope that the carrier has some spare dark fiber for your data connection. Dark fiber is extra fiber that the carrier has run, but is not currently using.

Ethernet over CWDM


CWDM is a last-mile technology. That means the service provider typically uses CWDM from its switches to the customer, and not for its backbone. CWDM, which cannot be optically amplified, has a much shorter operating distance than DWDM and is very cost-effective for connecting a small number of customers in a small area.

CWDM maximizes a carrier's fiber infrastructure at a very attractive price. CWDM and DWDM mainly differ in the spacing of wavelengths, the number of channels, and the capability (or lack thereof) to amplify optical signals. CWDM supports on the order of 16 to 32 wavelengths.

CWDM uses optical add/drop multiplexers (muxes) to provide the physical ring topology. These multiplexers are connected to the ring, and the customer's equipment is then connected to the multiplexer. Instead of deploying expensive 10Gb Ethernet connections that would require DWDM, CWDM enables you to deploy multiple 1Gb Ethernet connections that you can bundle into an EtherChannel. CWDM is supported by the Catalyst 6500, 4000, 3550, and 2950 switches as well as the ONS 154xx and 153xx optical switches. Cisco switches support 8 CWDM wavelengths.

DWDM supports multiple wavelengths on a single strand of fiber (up to 200). It supports very high data rates (Gbps). One advantage that it has over SONET is that SONET uses TDM, which wastes bandwidth. CWDM is a last-mile technology and supports up to 8 wavelengths. It is used for short distances, such as customers located in the same building.

802.1Q Tunneling
A carrier can use four methods to transport your Ethernet frames between MAN sites:
- Access link
- 802.1Q
- 802.1Q tunneling (802.1Q-in-Q, or Q-in-Q for short)
- Ethernet over MPLS (EoMPLS) using Layer 3 tunneling

Access links and 802.1Q were discussed previously. The access link method is equivalent to TLS and is typically implemented using SONET. One problem with access link connections is that they don't scale: the service provider is limited to 4,096 802.1Q VLANs on its trunks, which limits the number of customers it can support. Another problem with access links is that they become more difficult for a service provider to manage as you continually add MAN connections. The more connections you have, the more impact they have on the provider's network: your connected switches flood broadcasts and multicasts into the carrier's network. And because the carrier typically uses SONET, it becomes difficult for the carrier to implement service level agreements and traffic policing.

The 802.1Q method is equivalent to DVS. As a service provider MAN transport method, 802.1Q actually provides many advantages. First, it is cost-effective and can easily be integrated into an existing network. Because connectivity within a customer is done within a VLAN or VLANs, it is easy to set up either point-to-point or multipoint connections: the carrier's 802.1Q switches perform like normal Ethernet switches.
The main problem with 802.1Q is the limited number of VLANs that the provider can support: 4,096. The 802.1Q method is also more difficult for the provider to implement: the provider has to know which VLAN numbers you're using (or it assigns them to you) and must then configure its trunks to restrict your traffic to just these VLANs. If you need more VLANs, the provider must manually change its configuration for your trunk connections. Therefore, VLANs are not transparent: a service provider really doesn't want to deal with your VLANs, just the connections between your sites. Because your traffic, as well as other customers' traffic, is using the same trunking infrastructure inside the provider's network, problems that other customers create (such as broadcast storms) could indirectly affect your bandwidth throughput; you share one Layer 2 fault domain with them.

The remainder of this section discusses the third method, Q-in-Q, and the last part of the chapter briefly discusses EoMPLS tunneling.

Overview
Before I begin discussing the Q-in-Q transport method, I'd like to quickly refresh you on some important aspects of 802.1Q itself, because Q-in-Q relies solely on 802.1Q for transporting your information across the MAN. Recall from Chapter 3, "VLANs, Trunks, and VTP," that 802.1Q is a trunking mechanism. For trunk connections, there are two types of frames: tagged and untagged. Untagged frames are associated with the native VLAN. These frames are unmodified Ethernet frames. Tagged frames carry VLAN information in them and have a 4-byte tag inserted into them. Given these supported framing types, 802.1Q and normal Ethernet devices can coexist on the same segment.

For tagged trunk connections, 802.1Q inserts a 4-byte value between the source MAC address and the length or type field of the Ethernet frame. This 4-byte value contains two components: a 2-byte TPID field (set to 0x8100) and a 2-byte TCI field. The TCI field's first 3 bits are used to assign a priority (802.1p), the next bit is the canonical format indicator (CFI), and the last 12 bits are the VLAN identifier (4,096 values, of which 4,094 are usable VLAN IDs because 0 and 4,095 are reserved). When this 4-byte value is inserted, the maximum length of the frame grows from 1518 to 1522 bytes. And because the frame is modified, 802.1Q devices must recompute the FCS (checksum) value at the end of the frame.

802.1Q actually specifies much more than just the frame encapsulation. It also includes the Generic Attribute Registration Protocol (GARP), 802.1p QoS tagging, and STP enhancements.

802.1Q inserts a 4-byte value between the source MAC address and the length/type field: a 2-byte TPID and a 2-byte TCI. The first 3 bits of the TCI field contain the priority (802.1p), the next bit is the CFI, and the last 12 bits are for VLANs (4,096).

Tag Stacking: Q-in-Q Tunneling


Q-in-Q tunneling is commonly referred to as tag stacking. When you send tagged VLAN traffic into a service provider's network, the service provider's switches add their own VLAN tag to isolate your traffic from other customers' traffic. This is accomplished by inserting another 802.1Q tag (the service provider's) into your 802.1Q tagged frame. The link between the customer device and the service provider edge switch is called an asymmetric link because one end is a trunk port (your end) and the other is a tunnel port (the provider's end).

Actually, all of your traffic can be tunneled, including STP BPDUs and CDP frames, making the service provider's network appear completely transparent. The Generic Bridge PDU Tunneling (GBPT) feature allows the tunneling of protocol data units through a service provider cloud. Note that this requires the service provider to enable the feature.

The advantage of this approach is that you can have your own VLAN numbering scheme that is transparent to the service provider, who can be using the same numbers. The one downside of tag stacking is that the originator of the original frame is hidden from the service provider because the provider doesn't examine your tagged information. One caveat a practitioner should check on the provider side concerns the native VLAN: the provider's tag is only added when its tunnel VLAN is tagged on the core trunks. If the tunnel VLAN is also the native VLAN of a core 802.1Q trunk, frames cross that trunk without the provider's tag, and the next provider switch reads your inner tag as if it were the provider's own. The tunnel VLAN must therefore differ from the native VLAN of the core trunks, or the provider must tag the native VLAN (on Cisco IOS, the global command vlan dot1q tag native).

Q-in-Q (tag stacking) is proprietary to Cisco at the time of writing; the same idea was later standardized as IEEE 802.1ad (Provider Bridges). It's basically an 802.1Q enhancement. Q-in-Q is accomplished by inserting another 802.1Q tag (the service provider's) into your 802.1Q tagged frame. The advantage of Q-in-Q is that the provider's VLAN numbering scheme is transparent to your own numbering scheme. Q-in-Q allows STP BPDUs and CDP information to be tunneled.

Encapsulation Process
Let's look at the encapsulation process used in tag stacking. I'll use Figure 11.5 as an example. At the top of the figure is the user's original Ethernet frame. When this frame hits your switched network and traverses your internal 802.1Q trunks, it is tagged with your own VLAN information, as shown in the middle part of the figure.

Figure 11.5 Tag stacking process.

Original Ethernet frame:
  Destination MAC | Source MAC | Length or Type | Data | Original FCS

Your 802.1Q tagged frame:
  Destination MAC | Source MAC | Your Tag | Length or Type | Data | Your New FCS

The frame after the provider adds its tag:
  Destination MAC | Source MAC | SP's Tag | Your Tag | Length or Type | Data | SP's FCS

When this frame traverses an 802.1Q trunk and is received by the provider, the provider inserts its own tag in front of yours and recomputes a new FCS. This is shown in the bottom part of Figure 11.5. The provider's tag is the same 4-byte TPID plus TCI value described in Chapter 3. At this point, the frame has two tags: the provider's and your own, and its maximum length has grown from 1522 to 1526 bytes, so the provider's switches must be able to accept frames of that size. The service provider uses only its own (outer) tag to make switching decisions inside its network.

Before the frame leaves the provider's network, the provider strips off its tag and recomputes the FCS value. When your remote network receives this frame, it appears as it did when it left the other side of your network.
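The following Python script is added here as an illustration and is not part of the original book or any Cisco code. It builds the three frames of Figure 11.5 byte for byte, using the TCI layout from the 802.1Q overview above: it constructs a user frame with its FCS, pushes your tag (VLAN 10, priority 5), stacks the provider's tag on top (VLAN 100), shows that a provider switch needs to read only the outer tag, then pops both tags and checks that the result is bit-identical to the original. The MAC addresses, VLAN numbers and payload are constructed sample values; the provider's outer TPID is assumed to be 0x8100 as in Cisco's Q-in-Q (IEEE 802.1ad later assigned 0x88A8 to the outer tag, and the parser accepts both).

```python
"""Build, stack and strip 802.1Q tags on raw Ethernet frames (Q-in-Q tag stacking)."""
import struct
import zlib

TAG_LEN = 4            # 2-byte TPID + 2-byte TCI
MIN_PAYLOAD = 46       # minimum Ethernet payload; shorter data is padded
TPID_8021Q = 0x8100    # 802.1Q TPID; Cisco Q-in-Q reuses it for the provider's outer tag
TPID_8021AD = 0x88A8   # outer-tag TPID assigned later by IEEE 802.1ad (assumption: accept both)


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over destination MAC through the end of the data,
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_fcs(frame: bytes) -> bool:
    return len(frame) >= 18 and fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC, src MAC, length/type, data (padded to 46 bytes), FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + fcs(body)


def make_tci(pcp: int, cfi: int, vid: int) -> int:
    """TCI layout: 3-bit 802.1p priority, 1-bit CFI, 12-bit VLAN ID (0 and 4095 are reserved)."""
    if not (0 <= pcp <= 7 and cfi in (0, 1) and 1 <= vid <= 4094):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> tuple:
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a tag right after the source MAC and recompute the FCS.
    Called on an already tagged frame, this is exactly what the provider edge does:
    the new tag lands in front of the existing one (tag stacking)."""
    if not verify_fcs(frame):
        raise ValueError("bad FCS on ingress frame")
    body = frame[:12] + struct.pack("!HH", tpid, make_tci(pcp, 0, vid)) + frame[12:-4]
    return body + fcs(body)


def pop_tag(frame: bytes) -> tuple:
    """Remove the outermost tag. Returns ((tpid, pcp, cfi, vid), frame with a fresh FCS)."""
    if not verify_fcs(frame):
        raise ValueError("bad FCS")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("frame carries no tag")
    body = frame[:12] + frame[16:-4]
    return (tpid,) + parse_tci(tci), body + fcs(body)


def tag_stack(frame: bytes) -> list:
    """All tags, outermost first, as (tpid, vid). A provider switch looks only at stack[0]."""
    stack, off = [], 12
    while off + TAG_LEN <= len(frame) - 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + TAG_LEN])
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        stack.append((tpid, parse_tci(tci)[2]))
        off += TAG_LEN
    return stack


def frame_sizes(payload_len: int) -> tuple:
    """(untagged, one tag, two tags) frame length including FCS for a given payload length."""
    base = 14 + max(payload_len, MIN_PAYLOAD) + 4
    return base, base + TAG_LEN, base + 2 * TAG_LEN


def demo() -> int:
    """Walk Figure 11.5 end to end and return the length of the double-tagged frame."""
    # Constructed sample values: two MAC addresses, the IP ethertype and a short payload.
    user = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                       0x0800, b"hello")
    customer = push_tag(user, vid=10, pcp=5)   # your trunk: VLAN 10, priority 5
    provider = push_tag(customer, vid=100)     # provider edge: its own VLAN 100 on top
    assert tag_stack(provider) == [(TPID_8021Q, 100), (TPID_8021Q, 10)]
    assert tag_stack(provider)[0][1] == 100    # only the outer tag drives provider switching
    assert (len(user), len(customer), len(provider)) == frame_sizes(5)
    outer, stripped = pop_tag(provider)        # provider egress strips its tag ...
    assert outer == (TPID_8021Q, 0, 0, 100) and stripped == customer
    inner, back = pop_tag(stripped)            # ... and your remote switch strips yours
    assert inner == (TPID_8021Q, 5, 0, 10) and back == user
    return len(provider)


if __name__ == "__main__":
    print("double-tagged frame length:", demo())
```

Running the script reproduces the sizes quoted in the text: a full 1500-byte payload gives a 1518-byte untagged frame, 1522 bytes with your tag, and 1526 bytes once the provider's tag is stacked on top, which is why the provider's core must accept frames larger than the classic Ethernet maximum.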

STP
As I mentioned in the "Tag Stacking: Q-in-Q Tunneling" section, Q-in-Q can tunnel STP BPDUs. This is important for networks like the one shown in Figure 11.6. In this example, two networks are connected via 802.1Q trunks and are transparently connected via Q-in-Q. The provider's network is transparent, so from the network's perspective, it appears that Switch 1 and Switch 4 are on the same segment.

As I mentioned earlier, you have two choices with STP: have the provider tunnel your CDP and BPDU frames between sites, or have the provider drop these frames. If you choose the former, one switch in the combined network is chosen as the root. Based on the root, accumulated path costs, and priorities, a single loop-free topology is created. However, STP guarantees only that the topology is loop-free, not that it is optimal. So the topology that STP comes up with might be optimal for one site but not another, and you'll have to spend a lot of time tuning STP to optimize it.

Figure 11.6 Tag stacking and STP. (Switch 1, Switch 2, and Switch 3 form one site and Switch 4, Switch 5, and Switch 6 the other; Switch 1 and Switch 4 each connect to the service provider switch over a trunk.)

Your other choice is to have the provider drop BPDU and CDP frames. In this instance, each site is its own STP island, with its own root and its own STP topology. Using this approach, it becomes much easier to tune STP on a site-by-site basis. Care must be taken with this approach if you have a partially meshed design in the MAN. For instance, you might have three sites connected together: sites 1, 2, and 3. Site 1 is connected to site 2, site 2 is connected to site 3, and site 3 is connected to site 1. In this situation, there is a Layer 2 loop through the provider's network. If you have this type of design, you must have BPDUs tunneled across the provider's network so that STP can detect and remove loops from your own infrastructure. Otherwise, you'll create a broadcast storm between your sites and waste bandwidth.

STP issues can become complicated when using Q-in-Q. Let's look at another example by examining Figure 11.7. Let's assume that these are three separate companies, where Switches 1, 2, and 3 are in one company, Switches 4, 5, and 6 are in a second company, and Switches 7, 8, and 9 are in a third company. In the first company, there are redundant links to the carrier via Switch 1 and Switch 3, where a loop is formed between Switch 1, Switch 3, and the provider's switch (SP Switch 1). You have to remember that the provider's switches will not participate in your STP process: they either drop your BPDUs or tunnel them. If the provider drops the frames, you have a Layer 2 loop that STP will not detect. If the carrier tunnels the frames, Switch 1 and Switch 3 each see two paths to the other (the direct link and the path through the provider), and STP will block one of them, either the direct connection or one of the provider connections.

Figure 11.7 Service provider connections and STP. (Switch 1 and Switch 3 of the first company both trunk to SP Switch 1; Switch 4 of the second company trunks to both SP Switch 1 and SP Switch 2; Switch 7 of the third company connects to SP Switch 2 over an EtherChannel; Switches 2, 5, 6, 8, and 9 sit behind those edge switches.)

If you want to use both connections, you might want to consider using an EtherChannel between you and the provider, as shown with Switch 7 in Figure 11.7. This increases your bandwidth, but its main disadvantage is that both your switch and the provider's switch remain single points of failure.

Having covered bundling links to a single provider switch, let's discuss your second option: having your switch connected to two different provider switches, as shown by Switch 4 in Figure 11.7. If the provider is dropping your BPDUs, you've created a loop from Switch 4 back to itself that STP cannot see. And if you have the provider tunnel STP information, the switch will see that it has a connection, via the provider, that appears to be connected back to itself on a different port. In this situation, STP will disable one of the two ports to the carrier.

As you can see from these examples, dealing with STP in a MAN is not a simple task.

Q-in-Q Versus 802.1Q


Q-in-Q has many advantages and disadvantages, just like any network solution. Its advantages include:
- The service provider's network is transparent to your devices.
- Your VLAN implementation doesn't affect the provider's VLAN implementation.
- Service providers can easily offer and implement it.
- It supports multiple STP instances if you have multiple VLANs on your trunks.
- Providers can offer both point-to-point and point-to-multipoint solutions.

The disadvantages of Q-in-Q include the following:
- Q-in-Q is a Layer 2 process, not a Layer 3 process.
- It is difficult to set up and maintain with regard to redundancy and STP problems.
- It is proprietary to Cisco.
- It is supported only for Ethernet connections.
- The provider is limited to 4,096 VLANs.

The main advantage of Q-in-Q is that the provider's network is transparent. The main disadvantages of Q-in-Q are dealing with Layer 2 loop issues, attempting to implement redundancy on a large scale, and having to use a provider that supports Cisco's proprietary Q-in-Q feature.

Ethernet over MPLS


Multiprotocol Label Switching (MPLS) is used by service providers to implement QoS, label (tag) switching, service levels, and many other features. The service is very popular, especially in Europe and Asia. Ethernet over MPLS (EoMPLS) is a Cisco solution that, at the time of writing, is an IETF draft (the encapsulation was later published as RFC 4448). It extends MPLS by tunneling Layer 2 Ethernet frames across a service provider's Layer 3 core. Doing so provides two advantages:
- The service provider has more scalability because it has a Layer 3 core.
- Your Layer 2 information, including STP, can be tunneled through the service provider.

Because of these two advantages, service providers prefer EoMPLS over Q-in-Q. EoMPLS, like Q-in-Q, is a tunneling mechanism that tunnels your VLAN information across a service provider's network. The main advantage that EoMPLS has over Q-in-Q is that the service provider is no longer limited to 4,096 VLANs across its whole network: each customer's VLANs are carried in labeled tunnels rather than in provider VLANs.

EoMPLS extends MPLS by tunneling Layer 2 Ethernet frames across a service provider's Layer 3 core. EoMPLS has more scalability because it has a Layer 3 core, and Layer 2 information, including STP, can be tunneled through the service provider. EoMPLS scales better than Q-in-Q.

Overview
EoMPLS can deliver Transparent LAN Service (TLS) for customers' Ethernet connections (not to be confused with Transport Layer Security, which shares the abbreviation). TLS provides a logical connection between two sites across a point-to-point connection. From the customer's perspective, this logical connection appears as an Ethernet segment. One advantage of EoMPLS is that because it is based on a Layer 3 process, Layer 2 problems and management are not an issue for the service provider. For instance, with Q-in-Q, which is a Layer 2 process, the provider must deal with internal STP, MAC address learning and forwarding, and other Layer 2 processes. EoMPLS with TLS doesn't have this limitation because the provider deals with internal traffic from a Layer 3 perspective. This provides much more scalability and control over traffic.

Process
Before I begin discussing how EoMPLS functions, you need to be familiar with some important terms that MPLS uses, as shown in Table 11.2.

Table 11.2 MPLS Terms

Label distribution protocol (LDP)
    LDP is the protocol that distributes the labels used to classify traffic and that defines how the traffic should be treated inside the network.

Label switch router (LSR)
    The LSR switches labeled frames between interfaces and can be either a router or a switch (such as an ATM switch).

Edge label switch router (Edge LSR or LER)
    The LER takes traffic from the customer, labels it, and switches the labeled frames; it is also responsible for stripping off labels on egress ports.

Label switch controller (LSC)
    The LSC is typically a router that controls an ATM switch; in other words, together they form an MLS-based ATM switch that performs Layer 3 switching.

Remember the terms in Table 11.2.

Figure 11.8 displays a sample provider network. In this example, an LER takes ingress traffic from the customer and labels it. Cisco 7600 routers can function as an LER. LSRs inside the network use these labels to perform switching. LDP determines how the service provider's gear will treat and process the labeled frame. An LSC is an MLS-based switch that can perform switching of Layer 3 information at Layer 2 speeds. It is typically a hybrid router/ATM switch.

Figure 11.8 Service provider and EoMPLS. (The figure shows a service provider cloud running LDP, with LERs at the edge and an LSR and an LSC in the core.)

Protocol Labeling
EoMPLS is implemented by a service provider and is a point-to-point connection, with LERs being the endpoints of the connection. The ingress LER
attaches two labels to incoming frames: a tunnel and a virtual circuit (VC)
label. The tunnel label is used to determine what egress LER device the traffic should be forwarded to. The VC label determines the egress port on the
egress device.


It is important to point out that each customer needs its own physical interface on an LER. Each customer typically has one VC associated with the interface. However, if more than one VC is associated with the interface, the customer must tell the service provider how traffic should be mapped to specific VCs.

The ingress LER performs two functions on a frame received from the customer: frame marking/classification and encapsulation. On receiving a frame, the LER first maps the frame to a tunnel label switched path (LSP), which is the path that the frame will take through the provider's network. Next, the LER marks the frame with a CoS value, which becomes part of the tunnel tag. With DiffServ-aware MPLS, the LSP is either an E-LSP (the EXP bits carry queuing, scheduling, and drop policy information) or an L-LSP (the label itself identifies the scheduling class and the EXP bits carry only drop policy information). The CoS information is inserted into the tunnel label in a 3-bit field called EXP. The CoS can be statically assigned by the provider based on how the customer purchased the service, or the provider can map the 802.1Q/p priority from the customer's frame into the equivalent CoS that the provider has configured.

The ingress LER then adds the VC label, which is used by the egress LER to forward the traffic out the correct destination port. Both the tunnel and VC labels are included in the EoMPLS encapsulation, as shown in Figure 11.9.
EoMPLS Frame: Destination MAC | Source MAC | Ethernet Type 0x8847 | Tunnel Label | VC Label | Original Ethernet Header | Original Ethernet Payload

Figure 11.9 EoMPLS encapsulation.

When an internal LSR receives the labeled frame, it examines the destination MAC address to determine whether it needs to process the frame. The LSR then examines the tunnel tag to determine how to switch the frame. When switching the frame, it rewrites the Layer 2 header with its own source MAC address and the next hop's destination MAC address.

When the egress LER receives the labeled frame, it removes the Ethernet header and tunnel label. The LER examines the VC label to determine which physical interface the frame should exit, strips this label off as well, and then queues the frame on the egress port.

EoMPLS uses two tags: a tunnel tag and a VC tag. The tunnel tag describes how to get the user's data across the EoMPLS network, and contains CoS information. The VC tag is used by the egress carrier device to determine the exit port to use to forward the frame to the customer.
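The following Python is an added example, not code from this book or from Cisco's implementation. It builds and unpacks the two encapsulations this chapter describes: the Q-in-Q tag stacking covered earlier (the provider inserts one more 4-byte 802.1Q tag in front of yours) and the EoMPLS frame of Figure 11.9 (provider MAC header, Ethertype 0x8847, tunnel label, VC label, original frame). It also walks a frame through the three roles just described: the ingress LER pushes both labels and copies the customer's 802.1p priority into EXP, a core LSR rewrites the MAC header and swaps only the tunnel label, and the egress LER pops the stack and returns the VC label that selects the exit port. All MAC addresses, VLAN IDs and label values are made up; the Q-in-Q outer tag is assumed to use TPID 0x8100, the FCS is left to the hardware, and the optional MPLS control word is omitted because the chapter does not cover it.

```python
import struct

ETHERTYPE_DOT1Q = 0x8100          # 802.1Q TPID; assumed for the Q-in-Q outer tag as well
ETHERTYPE_MPLS_UNICAST = 0x8847   # outer Ethertype shown in Figure 11.9


def mac(text):
    """'00:0a:0a:0a:0a:01' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def ethernet_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame without preamble or FCS (the FCS is
    recomputed by the hardware after every tag insertion or MAC rewrite)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def dot1q_push(frame, vlan, pcp=0, tpid=ETHERTYPE_DOT1Q):
    """Tag stacking: insert one 4-byte 802.1Q tag after the source MAC.
    Called once by the customer (inner tag) and once more by the Q-in-Q
    provider (outer tag); the frame grows by exactly 4 bytes each time."""
    if not 0 <= vlan <= 0xFFF:
        raise ValueError("VLAN ID is a 12-bit field (0-4095)")
    tci = ((pcp & 0x7) << 13) | vlan
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def dot1q_pop(frame):
    """Remove the outermost 802.1Q tag; returns (vlan, pcp, frame_without_tag)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_DOT1Q:
        raise ValueError("outermost header is not an 802.1Q tag")
    return tci & 0xFFF, tci >> 13, frame[:12] + frame[16:]


def mpls_label(label, exp, bottom, ttl=255):
    """Encode one 32-bit label stack entry: 20-bit label, 3-bit EXP (CoS),
    1-bit bottom-of-stack (S), 8-bit TTL. Labels 0-15 are reserved."""
    if not 16 <= label < (1 << 20):
        raise ValueError("label must be in 16..1048575")
    value = (label << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", value)


def mpls_label_parse(entry):
    """Inverse of mpls_label: returns (label, exp, bottom, ttl)."""
    (value,) = struct.unpack("!I", entry)
    return value >> 12, (value >> 9) & 0x7, bool((value >> 8) & 1), value & 0xFF


def eompls_encapsulate(customer_frame, ler_mac, next_hop_mac, tunnel_label, vc_label, exp=None):
    """Ingress LER. Unless the provider statically assigns a CoS (exp given),
    copy the customer's 802.1p priority into EXP (0 for an untagged frame), then
    push the tunnel label (S=0) over the VC label (S=1) behind Ethertype 0x8847."""
    if exp is None:
        tpid, tci = struct.unpack("!HH", customer_frame[12:16])
        exp = tci >> 13 if tpid == ETHERTYPE_DOT1Q else 0
    stack = mpls_label(tunnel_label, exp, bottom=False) + mpls_label(vc_label, exp, bottom=True)
    return ethernet_frame(next_hop_mac, ler_mac, ETHERTYPE_MPLS_UNICAST, stack + customer_frame)


def lsr_swap(frame, new_tunnel_label, lsr_mac, next_hop_mac):
    """Core LSR. Rewrite the outer MAC header and swap only the top (tunnel)
    label, decrementing its TTL. The VC label and the customer frame below it
    pass through untouched, so the core never looks at customer MACs or VLANs."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    label, exp, bottom, ttl = mpls_label_parse(frame[14:18])
    if bottom:
        raise ValueError("tunnel label missing: top entry is already bottom of stack")
    if ttl <= 1:
        raise ValueError("tunnel label TTL expired; drop the frame")
    new_top = mpls_label(new_tunnel_label, exp, bottom=False, ttl=ttl - 1)
    return ethernet_frame(next_hop_mac, lsr_mac, ETHERTYPE_MPLS_UNICAST, new_top + frame[18:])


def eompls_decapsulate(frame):
    """Egress LER. Strip the provider's Ethernet header and the whole label
    stack; return (tunnel_label, vc_label, exp, customer_frame). The VC label
    is what the egress LER maps to the customer-facing exit port."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    labels, offset, bottom = [], 14, False
    while not bottom:
        label, exp, bottom, _ttl = mpls_label_parse(frame[offset:offset + 4])
        labels.append(label)
        offset += 4
    if len(labels) != 2:
        raise ValueError("EoMPLS expects exactly a tunnel label and a VC label")
    return labels[0], labels[1], exp, frame[offset:]


if __name__ == "__main__":
    # Constructed sample: a customer frame on VLAN 100 with 802.1p priority 5.
    customer = dot1q_push(ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                         0x0800, b"\x45" * 20), vlan=100, pcp=5)
    qinq = dot1q_push(customer, vlan=500)   # provider's outer tag: 4 more bytes
    encapsulated = eompls_encapsulate(customer, "00:0a:0a:0a:0a:01", "00:0b:0b:0b:0b:01", 1001, 2002)
    in_core = lsr_swap(encapsulated, 1777, "00:0b:0b:0b:0b:01", "00:0c:0c:0c:0c:01")
    print(len(qinq) - len(customer), eompls_decapsulate(in_core)[:3])
```

Two things worth noticing when you run it. The core LSR touches only the outer MAC header and the top label, which is exactly why the provider does not need STP or MAC learning for your traffic. And the EXP value comes straight from the customer's 802.1p bits when the provider chooses the mapping option described above, so a customer can mark its own frames into the provider's best queue; the statically assigned CoS the chapter also mentions is the one the provider controls.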

Connection Types
EoMPLS currently offers point-to-point connections; point-to-multipoint support is under development. The next two sections examine these two types of connection solutions.

Point-to-Point
Providers like point-to-point solutions because they're easy to provision and maintain, and are compatible with a backbone solution that uses MPLS. With EoMPLS, you have better service provider scalability than with Q-in-Q because you aren't limited to 4,096 VLANs in the provider's core. The provider can actually use up to 20 bits (the MPLS label) to differentiate between customers, even in a fully meshed network.

However, point-to-point connections have problems fully meshing a network because it cannot be done via trunking. You have to use separate VLANs for separate sites for connectivity, where the provider separates the traffic across different VCs. You then need an RP to route between the VLANs. You could use separate physical connections between different sites, but this would increase your costs. Either way, there are customer scalability problems with point-to-point connections.

Multipoint
In a multipoint EoMPLS solution, the service provider emulates an Ethernet switch. This is typically done via a point-to-multipoint VC, which emulates a broadcast medium. From a provider's perspective, the main problem with this approach is that it is difficult to set up and maintain, especially with QoS support. When many sites must be meshed, customers like this type of solution because it simplifies their connection process and the operation of their switches across the MAN.


Summary
When choosing a MAN solution, you should consider cost, scalability, transparency, level of service, and type of connection(s) needed. There are many solutions that provide MAN services, including SONET, DWDM, CWDM, Ethernet, IP, and ATM. SONET is good for point-to-point connections. CWDM is used for last-mile connections, and DWDM is used as the infrastructure for a MAN backbone.

There are different methods of attaching to a MAN: TLS (access link) and DVS (802.1Q trunk). Both have problems with scalability: the service provider can support only 4,096 VLANs for all customers. Q-in-Q (tag stacking) and EoMPLS address this issue. All of these solutions have issues when customer redundancy is implemented, especially when it comes to STP.

Q-in-Q has the provider insert an additional 4-byte VLAN tag before your trunking tag. This is a proprietary Cisco method that is currently in an RFC draft state. Q-in-Q allows the tunneling of BPDUs and CDP frames. One limitation of Q-in-Q is that the provider is still limited to 4,096 internal VLANs. EoMPLS overcomes this by using a larger (20-bit) label value. EoMPLS uses a tunnel tag and a VC tag. The tunnel tag is used to switch the frame through the provider's network, and the VC tag is used to find the exit interface on the provider's egress device.


Exam Prep Questions


Question 1
When choosing a MAN service, which of the following is something you typically don't consider?
A. Level of service
B. Scalability
C. Connection type
D. Hardware

Answer D is correct. Hardware is typically not a main consideration when choosing a MAN service. When choosing a MAN service, you normally consider cost, scalability, transparency, level of service, and the type of connection needed, which makes answers A, B, and C incorrect.

Question 2
Which type of MAN service uses access link connections?
A. Directed VLAN service
B. Directed LAN service
C. Transparent LAN service
D. Transparent VLAN service

Answer C is correct. Transparent LAN services use access link connections.


Directed VLAN services use trunk connections, which makes answer A
incorrect. Answers B and D are nonexistent services.

Question 3
Which is true concerning SONET?
A. Uses fiber cabling
B. Uses a single ring
C. Uses copper cabling
D. Uses a dual ring

Answers A and D are correct. SONET uses fiber cabling and a dual ring (for
redundancy), which makes answers B and C incorrect.


Question 4
Which of the following MAN services is the most scalable?
A. SONET
B. DWDM
C. CWDM

Answer B is correct. DWDM is the most scalable; it uses bandwidth more efficiently than SONET, which makes answer A incorrect. DWDM supports up to 200 wavelength frequencies for connections. CWDM supports only 8, which makes answer C incorrect.

Question 5
With Q-in-Q, the service provider
A. Replaces your 802.1Q VLAN tag with its own
B. Inserts its VLAN tag before yours
C. Encapsulates your VLAN frame in its own
D. None of these answers

Answer B is correct. With Q-in-Q (tag stacking), the provider inserts its own
VLAN tag before yours and recomputes the FCS value. Therefore, answers
A and C are incorrect. C is incorrect because the frame is tagged, not encapsulated. And because there is a correct answer, D is also incorrect.

Question 6
With tag stacking, CDP and BPDU information can be tunneled through a
providers network.
A. True
B. False

Answer A is correct. STP information, including BPDUs and CDP information, can be tunneled through a providers network with Q-in-Q (tag
stacking). Therefore, answer B is incorrect.


Question 7
Which of the following is not an advantage of Q-in-Q?
A. PVST is supported.
B. The provider's VLAN implementation is transparent to your implementation.
C. It supports both point-to-point and point-to-multipoint connections.
D. It is an open standard.

Answer D is correct. Q-in-Q is Cisco-proprietary, but is currently being worked on by the IETF. Answers A, B, and C are advantages and therefore are incorrect answers.

Question 8
Q-in-Q supports how many VLANs by the provider?
A. 64
B. 256
C. 4,096
D. No restrictions

Answer C is correct. With Q-in-Q, the provider supports up to 4,096


VLANs. Therefore, answers A, B, and D are incorrect.

Question 9
Which of the following is true concerning EoMPLS?
A. Uses a Layer 2 core
B. Users' MAN connections appear as a logical switch
C. Requires multipoint connections
D. Supports more than 4,096 VLANs

Answer D is correct. EoMPLS is more scalable than Q-in-Q because it supports more than 4,096 internal VLANs for the provider. EoMPLS provides a Layer 3 core, making answer A incorrect. The users' MAN connections appear as a logical segment, not a switch, which makes answer B incorrect. EoMPLS supports point-to-point connections, which makes answer C incorrect.


Question 10
How many tags does EoMPLS use?
A. 1
B. 2
C. 3
D. None

Answer B is correct. EoMPLS uses two tags: a tunnel and a VC tag.


Therefore answers A, C, and D are incorrect.

Need to Know More?

For information about optical services, visit http://www.cisco.com/en/US/tech/tk482/tech_topology_and_network_serv_and_protocol_suite_home.html

For information about 802.1Q and Q-in-Q, visit http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801a6b31.html

For information about MPLS, visit http://www.cisco.com/en/US/tech/tk436/tech_topology_and_network_serv_and_protocol_suite_home.html


12 9911 ch12 10/14/03 12:32 PM Page 359

12
Sample Test 1

In this chapter, I provide pointers to help you develop a successful test-taking strategy, including how to choose proper answers, how to decode ambiguity, how to work within the testing framework, how to decide what you need to memorize, and how to prepare for the test. At the end of the chapter, I include 60 questions on subject matter pertinent to Cisco Exam 642-811, Building Cisco Multilayer Switched Networks v2.0. In Chapter 13, you'll find the answer key to this test. Good luck!

Questions, Questions, Questions

There should be no doubt in your mind that you're facing a test full of specific and pointed questions. The version of the exam that you take is fixed-length. It includes 60 to 70 questions, and you're allotted 90 minutes to complete the exam. You cannot mark questions or go back to prior questions on the exam.

The exam questions will belong to one of four basic types:

- Multiple choice with a single answer
- Multiple choice with multiple answers
- Drag and drop, in which you drag items over their definitions or descriptions
- Simulations, in which you type configuration commands to simulate using the Cisco IOS


You should always take the time to read a question at least twice before selecting an answer, and you should always look for an Exhibit button as you examine each question. Exhibits include graphics information related to a question. An exhibit is usually a screen capture of program output or GUI information that you must examine to analyze the question's contents and formulate an answer. The Exhibit button displays graphics and charts used to help explain a question, provide additional data, or illustrate page layout or program behavior.

Not every question has only one answer; many questions require multiple answers. Therefore, you should read each question carefully, determine how many answers are necessary or possible, and look for additional hints or instructions when selecting answers. Such instructions often appear in brackets immediately following the question itself (for multiple-answer questions).

Picking Proper Answers

Obviously, the only way to pass any exam is to select enough of the right answers to obtain a passing score. However, Cisco's exams are not standardized like the SAT and GRE exams; they're far more diabolical and convoluted. In some cases, questions are strangely worded and deciphering them can be a real challenge. In those cases, you might need to rely on answer-elimination skills. Almost always, at least one answer out of the possible choices for a question can be eliminated immediately because it matches one of these conditions:

- The answer does not apply to the situation.
- The answer describes a nonexistent issue, an invalid option, or an imaginary state.
- The answer can be eliminated because of information in the question itself.

After you eliminate all answers that are obviously wrong, you can apply your retained knowledge to eliminate further answers. Look for items that sound correct but refer to actions, commands, or features that are not present or not available in the situation that the question describes.

If you're still faced with a blind guess among two or more potentially correct answers, reread the question. Try to picture how each of the possible remaining answers would alter the situation. Be especially sensitive to terminology; sometimes the choice of words ("remove" instead of "disable") can be the difference between a right answer and a wrong one.


Only when you've exhausted your ability to eliminate answers but remain unclear about which of the remaining possibilities is correct should you guess at an answer. An unanswered question offers you no points, but guessing gives you at least some chance of getting a question right; just don't be too hasty when making a blind guess.

Decoding Ambiguity
Cisco exams have a reputation for including questions that can be difficult to interpret, confusing, or ambiguous. In my experience with numerous exams, I consider this reputation to be completely justified. The Cisco exams are tough, and they're deliberately made that way.

The only way to beat Cisco at its own game is to be prepared. You'll discover that many exam questions test your knowledge of things that are not directly related to the issue raised by a question. This means that the answers you must choose from, even incorrect ones, are just as much a part of the skill assessment as the question itself. If you don't know something about most aspects of the IOS and protocols, you might not be able to eliminate answers that are wrong because they relate to the definition of an acronym other than the one that's addressed by the question at hand. In other words, the more you know about the acronyms, the easier it will be for you to tell right from wrong.

Questions often give away their answers, but you have to be Sherlock Holmes to see the clues. Subtle hints often appear in the question text in such a way that they seem almost irrelevant to the situation. You must realize that each question is a test unto itself and that you need to inspect and successfully navigate each question to pass the exam.

Another common difficulty with certification exams is vocabulary. Cisco has an entire language of acronyms. Be very comfortable with all the acronyms and their meanings. Be sure to brush up on the key terms presented at the beginning of each chapter of this book. You might also want to read the glossary at the end of this book on the day before you take the test.

Working Within the Framework

When you're taking a Cisco exam and you see something in a question or in one of the answers that jogs your memory on a topic, or that you feel you should record because the topic appears in another question, write it down on your piece of paper. Just because you can't go back to a question in an exam


doesn't mean you can't take notes on what you see early in the test in the hope that it might help you later in the test.

For Cisco exams, don't be afraid to take notes on what you see in various questions. Sometimes, what you record from one question can help you on later questions, especially if it's not as familiar as it should be or it reminds you of the name or use of some utility or interface details.

Deciding What to Memorize

The amount of memorization you must undertake for an exam depends on how well you remember what you've read and how well you know the software by heart. If you're a visual thinker and can see the command-line interface in your head, you won't need to memorize as much as someone who's less visually oriented. However, the exam will stretch your abilities to memorize the theory behind the command line, such as design approaches, quality of service, and the protocols.

At a minimum, you'll want to memorize the following kinds of information:

- Enterprise composite model for designing networks
- STP functionality and deployment
- Various switches and modules
- VLAN trunking protocols and management
- Redundancy and HSRP
- Fast and Gigabit EtherChannels
- IP telephony general design

If you work your way through this book while accessing the IOS interface as well as diagramming the topologies as they're discussed throughout, you should have little or no difficulty mastering this material. Also, don't forget that the Cram Sheet at the front of the book is designed to capture the material that's most important to memorize; use it to guide your studies as well.


Preparing for the Test

The best way to prepare for the test, after you've studied, is to take at least one practice exam. I've included one here in this chapter for that reason; the test questions are located in the pages that follow. Unlike the questions in the preceding chapters in this book, the answers don't immediately follow the questions; you'll have to flip to Chapter 13 to review the answers separately.

Give yourself 105 minutes to take the exam, and keep yourself on the honor system: don't look at earlier text in the book or jump ahead to the answer key. When your time is up or you've finished the questions, you can check your work in Chapter 13. Pay special attention to the explanations of the incorrect answers; they can also help to reinforce your knowledge of the material. Knowing how to recognize correct answers is good, but understanding why incorrect answers are wrong can be equally valuable.

Taking the Test

Relax. After you're sitting in front of the testing computer, there's nothing more you can do to increase your knowledge or preparation. Take a deep breath, stretch, and start reading that first question.

You don't need to rush, either. You have plenty of time to complete each question. If you're stuck on a question, give it your best guess (you won't lose any points) and move on. Easy and difficult questions are intermixed throughout the test in random order. Don't cheat yourself by spending too much time on a hard question early in the test, thereby depriving yourself of the time you need to answer the questions at the end of the test. Set a maximum time limit for questions, and watch your time on long or complex questions. If you hit your limit, it's time to guess and move on. Don't deprive yourself of the opportunity to see more questions by taking too long to puzzle over questions, unless you think you can figure out the answer. Otherwise, you're limiting your opportunities to pass.

That's it for pointers. Here are some questions for you to practice on. Good luck!


Question 1
You issue the following command on your Catalyst 4000 Series switch:
Switch# show spanning-tree vlan 1
VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 8192, address 0030.94fc.0a00
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag set, detected flag set
Number of topology changes 3 last change occurred 00:00:09 ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 25, notification 0, aging 15
Port 323 (FastEthernet6/3) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 129.67.
Designated root has priority 8192, address 0030.94fc.0a00
Designated bridge has priority 8192, address 0030.94fc.0a00
Designated port id is 129.67, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 9, received 105
Port 324 (FastEthernet6/4) of VLAN1 is listening
Port path cost 19, Port priority 128, Port Identifier 129.68.
Designated root has priority 8192, address 0030.94fc.0a00
Designated bridge has priority 8192, address 0030.94fc.0a00
Designated port id is 129.68, designated path cost 0
Timers: message age 0, forward delay 5, hold 0
Number of transitions to forwarding state: 0
BPDU: sent 6, received 102
Switch#

What can you determine from this output? (Choose all that apply.)
A. This switch is the designated bridge.
B. This switch is the root bridge.
C. The spanning tree timers have been modified.
D. The default diameter is set.


Question 2
The Cisco AVVID framework supports the key components of network infrastructure, intelligent network services, and network solutions. Which of the
following are examples of network solutions? (Choose all that apply.)
A. Quality of service
B. IP multicast
C. Content networking
D. Storage networking
E. Network management

Question 3
The Campus Infrastructure model includes three modules: Building Access,
Building Distribution, and Campus Backbone. Which of these submodules provides aggregation of Layer 2 devices, often using Layer 3 switching and also
features quality of service and access control?
A. Building Access
B. Building Distribution
C. Campus Backbone
D. Enterprise Core

Question 4
You're considering implementing a high-speed, VLAN-based switched network for your Enterprise Campus. What mechanism provides the ability to transmit traffic between VLANs?
A. Core switch
B. Software-based bridge
C. Route processor
D. Switch fabric card


Question 5
The Campus Infrastructure model includes three modules: Building Access,
Building Distribution, and Campus Backbone. Which of these submodules typically includes Layer 2 switching?
A. Building Access
B. Building Distribution
C. Campus Backbone
D. Enterprise Core

Question 6
You're configuring a new campus network and are encountering a major problem. You're working in the Building Access layer, and a host cannot communicate with the Layer 2 Catalyst switch. You've verified that other hosts connected to this switch can communicate fine, and you've also verified that the NIC on the client system is fully functional. What other steps should you take to correct this problem? (Choose all that apply.)
A. Ensure that the host speed and duplex setting match that of the
switch.
B. Ensure that the switch is learning the MAC address of the host.
C. Check the status of the port connection.
D. If the host is in the same subnet as the switch interface, ensure that
the default gateway is properly configured on the host.

Question 7
You're considering implementing VLANs in your campus network. How does the use of VLANs improve the design of your network? (Choose all that apply.)
A. The VLAN design enables you to reduce the number of collision
domains that must be created.
B. The VLAN design enables you to increase the number of broadcast
domains.
C. The VLAN design can help you increase security in the campus network.
D. The VLAN design eliminates the need for Layer 3 routing of traffic.


Question 8
You're responsible for designing a new campus network infrastructure within your company. You're designing your Enterprise Campus network with the centralization of key resources in mind. Given this design goal, what type of VLAN model should you consider implementing?
A. Auxiliary VLANs
B. Dynamic VLANs
C. End to end VLANs
D. Local VLANs

Question 9
Which of the following commands creates a VLAN in your campus network?
(Choose all that apply.)
A. Switch(config-if)# vlan 3
B. Switch# vlan 3
C. Switch(vlan)# vlan 3
D. Switch(config)# vlan 3

Question 10
Examine the following configuration. You want to configure the Fast Ethernet
port 5/6 as an access port in VLAN 200. What is the correct command that is
missing from this configuration?
Switch# configure terminal
Switch(config)# interface fastethernet 5/6
Switch(config-if)# switchport mode access
MISSING COMMAND
Switch(config-if)# end
Switch# exit

A. Switch(config-if)# vlan 200 static


B. Switch(config-if)# vlan 200 access static
C. Switch(config-if)# switchport access vlan 200
D. Switch(config-if)# switchport 200


Question 11
Which switch port Dynamic Trunking Protocol mode sets the switch port to
actively send and respond to DTP negotiation frames without tagging frames?
A. trunk
B. nonegotiate
C. dynamic desirable
D. dynamic auto

Question 12
Which trunking protocol adds a tag to a standard Layer 2 Ethernet data frame,
recalculates the CRC for the entire frame with the tag, and inserts a new CRC
value in the FCS field?
A. ISL
B. 802.1Q
C. DTP
D. VTP

Question 13
Which of the following VTP modes allows for the creation, modification, and
deletion of VLANs on the local switch? (Choose all that apply.)
A. Server
B. Slave
C. Client
D. Transparent
E. Master


Question 14
Which of the following statements are correct with regard to VTP pruning?
(Choose all that apply.)
A. VTP pruning increases available bandwidth by restricting flooded traffic.
B. VTP pruning must be set on all switches that participate in VLANs.
C. VTP pruning might have a negative impact on network update
performance.
D. VTP pruning eliminates the propagation of all Spanning Tree Protocol
information.

Question 15
What are the port states of Rapid Spanning Tree Protocol? (Choose all that
apply.)
A. Blocking
B. Forwarding
C. Listening
D. Learning
E. Discarding

Question 16
RSTP defines additional roles for ports in order to encourage quicker convergence for topology changes. Which port role allows a port to quickly assume the
role of root port?
A. Root port
B. Designated port
C. Alternate port
D. Backup port
E. Disabled port


Question 17
Which Spanning Tree Protocol enhancement seeks to reduce the total number
of spanning-tree instances to match the physical topology of the network and
thus reduce CPU cycles on a switch?
A. PVST+
B. CST
C. MST
D. PVST

Question 18
Which switching technology relies on a forwarding information base and adjacency tables in order to accomplish high-speed data transfers?
A. Netflow-based switching
B. Distributed forwarding
C. Topology-based switching
D. Centralized forwarding

Question 19
Which interface/port type represents a VLAN of switch ports as one interface to
the routing or bridging function in the system?
A. Access port
B. Trunk port
C. Switch virtual interface
D. Routed port


Question 20
Which HSRP state causes the route processor to send periodic hello messages,
participate in the election of the active and standby router, and know the virtual
router IP address?
A. Initial state
B. Listen state
C. Speak state
D. Standby state
E. Active state

Question 21
Which multicast protocol is a Cisco-developed transitional solution for application developers to immediately start programming source-specific multicast
applications?
A. CGMP
B. IGMP v3lite
C. PIM DM
D. IGMP Snooping

Question 22
You've configured various enhancements to the Spanning Tree Protocol in your
campus network. Which enhancement mechanism can be verified with the command show spanning-tree inconsistentports?
A. Unidirectional Link Detection
B. Root Guard
C. BPDU Guard
D. EtherChannel

Question 23
What is the purpose of the following switch configuration?
Switch# configure terminal
Switch(config)# interface fastethernet 5/8
Switch(config-if)# spanning-tree vlan 200 cost 20
Switch(config-if)# end

A. The spanning tree VLAN port cost of the Fast Ethernet interface is modified to 20 to make the port less likely to be placed in forwarding mode
when compared to a Fast Ethernet port in the default configuration.
B. The spanning tree VLAN port cost of the Fast Ethernet interface is modified to 20 to make the port more likely to be placed in forwarding mode
when compared to a Fast Ethernet port in the default configuration.
C. The spanning tree VLAN port cost of the Fast Ethernet interface is
modified to 20; this configuration has no basis on root bridge
selection.
D. The spanning tree VLAN port cost of the Fast Ethernet interface is
modified to 20 to make the switch more likely to be elected the root
bridge.

Question 24
Which of the following bridge priority values is commonly used to set a switch
to the role of secondary root bridge?
A. 32768
B. 4096
C. 24982
D. 8192

Question 25
Which of the following spanning tree transition states are based on the forward
delay timer value? (Choose all that apply.)
A. Blocking
B. Listening
C. Learning
D. Forwarding

Question 26
What is the correct order of the decision-making process used in spanning tree
topology calculations?
A. Lowest port ID lowest sender bridge ID lowest path cost to the
root bridge lowest root bridge ID
B. Lowest sender bridge ID - lowest port ID lowest path cost to the root
bridge lowest root bridge ID
C. Lowest root bridge ID - lowest path cost to the root bridge lowest
sender bridge ID - lowest port ID
D. Lowest root bridge ID - lowest path cost to the root bridge - lowest
port ID - lowest sender bridge ID

Question 27
You're interested in fine-tuning the timers used in spanning tree. What is the
default value of the maximum-aging time used with spanning tree?
A. 15
B. 20
C. 30
D. 50

Question 28
Which of the following commands enables IP multicast routing on a Cisco route
processor?
A. multicast-routing
B. ip multicast-routing
C. ip mcast
D. set ip multicast-routing enable

Question 29
You must configure an ISL Ethernet trunk link between two of your Cisco
switches. Which of the following is not required for the trunk to operate
correctly?
A. Identical speed settings at each end of the link
B. Identical duplex settings at each end of the link
C. Identical trunk encapsulation parameters at each end of the link
D. Identical trunk negotiation parameters at each end of the link

Question 30
You're a network consultant assisting a local company. The existing network is
in need of additional bandwidth. However, you do not want to make the network
overly complicated, and the company has a limited budget. You're considering
the implementation of hardware-based bridging. Which OSI layer is associated
with these functions?
A. Presentation
B. Network
C. Data Link
D. Transport

Question 31
A company has followed your recommendations and redesigned its campus
network to support three switch blocks. These switch blocks include broadcast
domains that are confined within each individual switch block. Your design also
allows inter-VLAN routing within and between switch blocks. What is the most
appropriate device at the access layer within these switch blocks if the end-user
base consists of less than 100 desktops?
A. 8500
B. 4000
C. 6500
D. 2900

Question 32
Which of the following are valid guidelines or restrictions for the use of local
SPAN? (Choose all that apply.)
A. Only Layer 2 switched ports may function as SPAN sources.
B. A port specified as a destination port in one SPAN cannot be a destination
port for another SPAN.
C. A port channel interface can be a source.
D. A port configured as a destination port cannot be configured as a
source port.

Question 33
Which of the following are valid guidelines or restrictions for the use of remote
SPAN? (Choose all that apply.)
A. Networks impose a limit of one RSPAN VLAN per LAN.
B. RSPAN VLANs can be used only for RSPAN traffic.
C. Do not configure any ports in an RSPAN VLAN except those selected
to carry RSPAN traffic.
D. RSPAN does not support BPDU monitoring.

Question 34
What module for the 6000 and 6500 Series switches provides a network
management and monitoring solution?
A. FlexWAN module
B. RMON probe
C. IDS Sensor module
D. Network Analysis module

Question 35
Examine the following configuration. What does the configuration accomplish?
Switch(config)# aaa authentication login securelist tacacs+ local
Switch(config)# line con 0
Switch(config-line)# login authentication securelist

A. TACACS+ is used to provide authentication on logins for the console
port. If the service is not available, the local security database is used.
B. TACACS+ is used to provide authentication on logins for the console
port. If the service is not available, no logins are permitted.
C. TACACS+ or the local database is used to provide authentication on
logins for the console port. If the account does not exist in one, the
other is attempted.
D. The configuration is erroneous; a default authentication policy must be
created first.

Question 36
Which of the following Cisco switch prompts indicates that youre in a VLAN
database configuration mode?
A. Switch(config)#
B. Switch(config-if)#
C. Switch(vlan)#
D. Switch(config-vlan)#

Question 37
Which of the following is not a valid definition of an 802.1Q native VLAN?
A. The VLAN that receives untagged frames on an 802.1Q trunk link
B. The VLAN that a port belongs to when not in trunking mode
C. The VLAN from which untagged frames source over an 802.1Q trunk
link
D. The VLAN used to represent multiple spanning tree instances to a
common spanning tree domain

Question 38
You're interested in tunneling traffic such as CDP, VTP, and STP through a service provider network to your remote switches. Which technology option is
appropriate?
A. GBPT
B. RSTP
C. MST
D. PVST+

Question 39
Which of the following statements are true regarding ISL versus 802.1Q trunking protocols? (Choose all that apply.)
A. ISL is Cisco proprietary.
B. 802.1Q is protocol independent.
C. ISL demonstrates true encapsulation.
D. The 802.1Q frame contains two FCS fields.

Question 40
Which switch port DTP mode puts the interface into permanent trunking mode
and prevents the interface from generating DTP frames?
A. access
B. nonegotiate
C. dynamic desirable
D. dynamic auto

Question 41
802.1Q tunneling allows service providers to transmit VLAN traffic for multiple
customers. What type of link is used between the customer device and the service provider edge switch?
A. Trunk
B. Asymmetric
C. Tunnel
D. Access

Question 42
You're having problems configuring a trunk between two of your switches. What
troubleshooting steps should you consider? (Choose all that apply.)
A. Check the interface mode at each end of the link.
B. Check the encapsulation type at each end of the link.
C. Check the native VLAN configuration at each end of the link.
D. Check the ISL to 802.1Q VLAN mapping statements.

Question 43
Which of the following commands sets the native VLAN of an 802.1Q trunk port
to VLAN 10?
A. native 10
B. switchport encapsulation dot1Q native 10
C. switchport trunk native vlan 10
D. switchport trunk vlan 10
E. switchport trunk vlan 10 native

Question 44
You're in the process of verifying VTP on your Catalyst 2950 access layer
switch. You issue the following command:
Switch# show vtp status
VTP Version : 2
Configuration Revision : 25
Maximum VLANs supported locally : 250
Number of existing VLANs : 69
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1
(lowest numbered VLAN interface found)

Based on the preceding output, which of the following statements are true?
(Choose all that apply.)
A. The switch is running VTP version 2.
B. VTP pruning is not enabled on the switch.
C. VLANs cannot be created on this switch.
D. The VLAN domain name is test.

Question 45
You're troubleshooting VTP in your campus network. If you notice that VLAN
information is not propagating throughout your domain, which items should
you check? (Choose all that apply.)
A. Ensure that all devices are in VTP server mode.
B. Ensure that all VTP versions are set to 3 or higher.
C. Ensure that trunks are appropriately configured between all devices.
D. Ensure that the VTP domain name is properly configured on all
devices.

Question 46
What statements are correct in regard to transparent bridging? (Choose all that
apply.)
A. Transparent bridges must not modify the frames that are forwarded.
B. MAC addresses are learned by examining source MAC addresses.
C. Transparent bridges must forward all broadcasts out all ports except
for the port from which the broadcast originated.
D. Transparent bridges must forward unknown unicast packets out of the
interface specified in the CAM table.

Question 47
Which two components make up a Bridge ID in Spanning Tree Protocol?
(Choose two.)
A. Bridge Priority
B. Port Cost
C. MAC address
D. Instance ID

Question 48
What are two advantages of metro Ethernet over DWDM? (Choose all that apply.)
A. Transparency
B. Scalability
C. Distance capabilities
D. Ease of configuration
E. Statistical multiplexing provisions

Question 49
Which of the following features are congestion management tools? (Choose all
that apply.)
A. LFI
B. LLQ
C. WFQ
D. CBWFQ

Question 50
You're configuring low-latency queuing. Which command reserves a strict priority queue for CBWFQ traffic?
A. fair-queue
B. priority bandwidth
C. class-map class-name
D. policy-map policy-name

Question 51
You would like to display priority queuing output in real time on your Cisco
switch. Which command should you use?
A. debug ip rsvp
B. debug priority
C. debug multilink ppp
D. debug ppp multilink fragments

Question 52
The Cisco IOS switches support various types of ACL implementations. Which
of the following is not an ACL type supported by the IOS?
A. Ether ACL
B. VACL
C. Router ACL
D. QoS ACL

Question 53
Private VLANs feature a port that is completely separated from other ports
except one. What is this type of port called?
A. Isolated
B. Separated
C. Community
D. Promiscuous

Question 54
You need to enable the preferred mode of PIM for IP multicast on your Catalyst
switch. Which command should you use?
A. ip pim dense-mode
B. ip pim sparse-mode
C. ip pim sparse-dense-mode
D. ip pim dense-sparse-mode

Question 55
Which of the following Cisco proprietary Spanning Tree enhancements reduces
the time to convergence when a directly connected link fails?
A. PortFast
B. UplinkFast
C. BackboneFast
D. RSTP

Question 56
Which of the following IEEE standards support VLAN trunking? (Choose all that
apply.)
A. 802.10
B. 802.1d
C. 802.1q
D. 802.4

Question 57
You're comparing trunk ports in your campus network to access ports. Which
of the following statements best describes an access link?
A. An access link can carry multiple VLANs.
B. An access link belongs to only one VLAN.
C. An access link can receive both tagged and untagged frames.
D. An access link is typically used to connect access layer switches with
distribution layer switches.

Question 58
You need to connect a switch to another switch in your campus network topology. What cable type should you use?
A. Straight-through
B. Rollover
C. Crossover
D. Null-modem

Question 59
What prefix indicates a multicast frame?
A. 01:5e:00
B. 01:00:5e
C. 5e:00:01
D. 00:01:5e

Question 60
Which of the following protocols are multicast routing protocols? (Choose all
that apply.)
A. CBT (Core Based Trees)
B. PIM (Protocol Independent Multicast)
C. DVMRP (Distance Vector Multicast Routing Protocol)
D. IGMP (Internet Group Management Protocol)

13
Answer Key 1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 1. B, D        21. B           41. B
 2. C, D        22. B           42. A, B, C
 3. B           23. A           43. C
 4. C           24. D           44. B, D
 5. A           25. B, C        45. C, D
 6. A, B, C     26. C           46. A, B, C
 7. B, C        27. B           47. A, C
 8. D           28. B           48. A, D
 9. C, D        29. D           49. B, C, D
10. C           30. C           50. B
11. C           31. D           51. B
12. B           32. B, C, D     52. A
13. A, D        33. B, C, D     53. A
14. A, C        34. D           54. C
15. B, D, E     35. A           55. B
16. C           36. C           56. A, C
17. C           37. D           57. B
18. C           38. A           58. C
19. C           39. A, C        59. B
20. C           40. B           60. A, B, C

Question 1
Answers B and D are correct. The output shows that the switch is the root
bridge; this can be learned from the line "We are the root of the spanning
tree". The diameter value has not been modified from the default, as
evidenced by the spanning tree timers being at their default values, shown
by the line "hello 2, max age 20, forward delay 15". Answer A is incorrect
because this switch is functioning as the root bridge; it is not merely a
designated bridge. Answer C is incorrect. The output "hello 2, max age 20,
forward delay 15" shows that the spanning tree timers have not been modified.

Question 2
Answers C and D are correct. Examples of network solutions are IP telephony, multi-unit applications, content networking, and storage networking.
Answer A is incorrect because quality of service is an example of an intelligent network service. Answer B is also incorrect because it is an intelligent
network service. Finally, answer E is also incorrect because it is an intelligent
network service as well.

Question 3
Answer B is correct. The Building Distribution layer provides aggregation of
Building Access devices often using Layer 3 switching. Answer A is incorrect
because the Building Access layer provides connectivity to end-user systems
in the campus. Answers C and D are incorrect because the Enterprise Core
and the Campus Backbone each describe the same layers. They provide
redundant and fast-converging connectivity between buildings.

Question 4
Answer C is correct. A route processor is required to move traffic between
VLANs in a campus network. That route processor can be internal in a multilayer switch, or it can be an external device such as a classic Cisco router.
An example of an internal route processor would be a route switch module
(RSM) or a multilayer switch feature card (MSFC). Answer A is incorrect. A
core layer switch does not necessarily contain a route processor, which is
required. Answer B is also incorrect. Software-based bridges do not possess
a route processor. Finally, answer D is incorrect because a switch fabric card
enables the increase of throughput on a switch, but does not provide route
processor functionality.

Question 5
Answer A is correct. The Building Access layer typically contains Layer 2
switching that provides simple and fast access for end-user systems in need
of network connectivity. Answer B is incorrect. The Building Distribution
layer also typically features Layer 3 switching because this is an aggregation
point that requires routing. Answers C and D are incorrect. The Enterprise
Core and the Campus Backbone each describe the same layers. They provide
redundant and fast-converging connectivity between buildings and utilize
either Layer 2 or Layer 3 switching.

Question 6
Answers A, B, and C are correct. Speed and duplex mismatches are a common
misconfiguration between hosts and switches, so you should make sure that
isn't the problem. Use the show mac-address-table dynamic command to verify
that the switch is learning the MAC address of the host as it should, and
use the show interfaces command to check the status of the port connection;
the status should appear as connected. Answer D is incorrect because the
host does not need a default gateway configured to communicate with its
local switch port.

Question 7
Answers B and C are correct. The VLAN design enables you to increase the
number of broadcast domains and allows for greater security. More broadcast
domains means smaller broadcast domains overall and a far lighter burden on
end-user systems from broadcast traffic. Answer A is incorrect because the
creation of VLANs does not reduce the number of collision domains. Collision
domains are increased with switching in general; in fact, this is a benefit
of using switches in your design. Answer D is also incorrect. Using VLANs
actually requires that you use Layer 3 routing in your design. With today's
fast Layer 3 switches, this is not a disadvantage.

Question 8
Answer D is correct. The local VLAN approach is used most often now in
campus networks, especially ones that feature centralized resources. As
corporations have moved to centralize their resources, end-to-end VLANs have
become more difficult to maintain. Users might use many different
resources, including many that are no longer in their VLAN. Answer A is
incorrect. Auxiliary VLANs are typically used for voice traffic. Answer B is
incorrect because dynamic VLANs are not typically used, due to the high
administrative overhead involved as well as potential performance issues.
Answer C is also incorrect because end-to-end VLANs are too difficult to
maintain in most modern networks.

Question 9
Answers C and D are correct. You can create VLANs in two main ways on
Catalyst switches. Some switches allow the creation of VLANs in global configuration mode, whereas others require the use of VLAN database mode.
Answers A and B are both incorrect. You cannot create VLANs in privileged
EXEC mode, nor can you create VLANs in interface configuration mode.

Question 10
Answer C is correct. The switchport access vlan 200 command places the
port in VLAN 200. If the VLAN you specify does not exist, the port will not
become operational until you create the VLAN. Answers A, B, and D are
incorrect. Each of these commands is invalid and produces a syntax error.

Question 11
Answer C is correct. The dynamic desirable DTP setting doesn't tag frames
by itself, but it does cause the switch port to actively send and respond to
DTP negotiation frames. Answer A is incorrect. The trunk mode sets the
switch port to unconditional trunking and still sends DTP frames to convert
the neighboring port into a trunk link. Answer B is also incorrect. The
nonegotiate option specifies that DTP negotiation packets are not sent on
the interface. Finally, answer D is also incorrect. The dynamic auto setting
has the port respond to DTP negotiation frames but not actively send them.

Question 12
Answer B is correct. The 802.1Q Trunking protocol actually modifies the
original Ethernet data frame. Answer A is incorrect. ISL encapsulation does
not modify the original data frame. It adds a new header to the frame as it is
carried over the trunk link. Answer C is incorrect because DTP allows for
the dynamic negotiation of trunk links. Finally, answer D is also incorrect
because VTP allows for the management of VLAN information in a campus
network.

Question 13
Answers A and D are correct. Both server mode and transparent mode allow
for the creation, deletion, and modification of VLANs on the switch.
Transparent mode will not propagate this information to other switches,
however. Answer B is incorrect. There is no such mode as slave mode.
Answer C is also incorrect because client mode does not allow for the creation, modification, and deletion of VLANs on the switch. Answer E is
incorrect because there is no such mode as master mode.

Question 14
Answers A and C are correct. VTP pruning increases available bandwidth by
restricting the flooding of traffic to those trunk links that the traffic
must use to reach the appropriate network devices. It might have a negative
impact on network update performance. Answer B is incorrect. You can
implement VTP pruning only on VTP servers; the setting cannot be configured
on a client. Answer D is also incorrect. VTP pruning does not block spanning
tree information.

Question 15
Answers B, D, and E are correct. The three port states identified in RSTP
(802.1w) are discarding, learning, and forwarding. Answers A and C are
incorrect. The blocking and listening states are used in STP (802.1D) and
are not used in RSTP.

Question 16
Answer C is correct. An alternate port is a port blocked because it receives
more useful BPDUs from another bridge. The alternate port becomes the root
port if the active root port fails. Answer A is incorrect because the root
port is the port closest to the root bridge. Answer B is also incorrect. The
designated port is the port on the designated bridge for each segment.
Answer D is incorrect because the backup port becomes the designated port if
the existing designated port fails. Finally, answer E is incorrect because
the disabled port has no role within the operation of spanning tree.

Question 17
Answer C is correct. The Multiple Spanning Tree enhancement from the
IEEE enables the network administrator to map VLANs to spanning tree
topologies as needed to properly model the physical topology. This enables
the administrator to reduce the number of spanning tree topologies but still
load-balance. Answer A is incorrect. PVST+ features a separate spanning
tree instance for each VLAN. Answer B is incorrect because CST features a
single instance of spanning tree for all VLANs. Finally, answer D is incorrect
because PVST features a separate spanning tree instance for each VLAN.

Question 18
Answer C is correct. Cisco relies on CEF (Cisco Express Forwarding) to
implement topology-based switching. Answer A is incorrect. NetFlow-based
switching uses multilayer forwarding engines. ASICs and the route processor work together to forward data at high speeds. Answer B is also incorrect.
With distributed forwarding, the switching decision is made at the port or
module level. Finally, answer D is also incorrect. With centralized forwarding, a single central forwarding table is used.
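The FIB and adjacency table that topology-based switching relies on are easier to picture with a small model. The following Python is an added example, not code from this book or from Cisco: it keeps a longest-prefix-match FIB (prefix to next hop) beside an adjacency table (next hop to pre-built Layer 2 rewrite), and shows the three outcomes a forwarding engine can reach. Every prefix, next hop, MAC address and port name in it is constructed for illustration.

```python
"""Model of topology-based (CEF-style) switching: a FIB of prefixes and next
hops plus an adjacency table of Layer 2 rewrites. Added example, not from the
book; all prefixes, next hops, MACs and port names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Adjacency:
    """Pre-built Layer 2 rewrite for one next hop."""
    egress_port: str
    dst_mac: str   # the next hop's MAC (learned via ARP on a real switch)
    src_mac: str   # the egress interface's own MAC


class FIB:
    def __init__(self) -> None:
        # (prefix, next_hop); next_hop None means the prefix is directly connected
        self._routes: List[Tuple[ipaddress.IPv4Network, Optional[str]]] = []
        self.adjacency: Dict[str, Adjacency] = {}

    def add_route(self, prefix: str, next_hop: Optional[str]) -> None:
        self._routes.append((ipaddress.ip_network(prefix), next_hop))
        # Longest prefixes first, so the first hit in lookup() is the longest match.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def add_adjacency(self, next_hop: str, adj: Adjacency) -> None:
        self.adjacency[next_hop] = adj

    def lookup(self, dst: str) -> Tuple[Optional[ipaddress.IPv4Network], Optional[str]]:
        addr = ipaddress.ip_address(dst)
        for prefix, next_hop in self._routes:
            if addr in prefix:
                return prefix, next_hop
        return None, None

    def forward(self, dst: str):
        """Decide what the forwarding engine does with a packet to dst:
        ('forward', Adjacency) when the rewrite is ready in hardware,
        ('glean', ip) when the next hop's MAC is unresolved and the packet
        must be punted to the route processor to trigger ARP, or
        ('drop', None) when no prefix matches."""
        prefix, next_hop = self.lookup(dst)
        if prefix is None:
            return ("drop", None)
        # For a connected prefix the destination host itself is the "next hop".
        target = dst if next_hop is None else next_hop
        adj = self.adjacency.get(target)
        if adj is None:
            return ("glean", target)
        return ("forward", adj)


def build_sample_fib() -> FIB:
    """Constructed FIB: a default route, a /16 and a more specific /24 under
    it, and one connected VLAN. The /16 next hop deliberately has no
    adjacency so the glean case can be seen."""
    fib = FIB()
    fib.add_route("0.0.0.0/0", "10.0.0.1")
    fib.add_route("10.1.0.0/16", "10.0.0.2")
    fib.add_route("10.1.1.0/24", "10.0.0.3")
    fib.add_route("192.168.5.0/24", None)
    fib.add_adjacency("10.0.0.1", Adjacency("Gi0/1", "0000.0c00.0001", "0000.0c00.00a1"))
    fib.add_adjacency("10.0.0.3", Adjacency("Gi0/3", "0000.0c00.0003", "0000.0c00.00a3"))
    fib.add_adjacency("192.168.5.20", Adjacency("Vlan5", "0000.0c05.0020", "0000.0c05.0001"))
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for dst in ("10.1.1.7", "10.1.2.7", "8.8.8.8", "192.168.5.20", "192.168.5.21"):
        print(dst, fib.forward(dst))
```

The glean branch is the one worth remembering from a security standpoint: a packet whose next hop (or connected destination) has no adjacency cannot be rewritten in hardware and is punted to the route processor, so a scan of unused addresses in a connected subnet turns into CPU load on the switch. That is the reason platforms rate-limit punted traffic.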

Question 19
Answer C is correct. A switch virtual interface must be created when you
want to route between VLANs, fallback-bridge non-routable protocols
between VLANs, or to provide IP host connectivity to the switch. Answer A
is incorrect because an access port carries the traffic of and belongs to only

one VLAN. Answer B is also incorrect. A trunk port carries the traffic of
multiple VLANs and is a member of all VLANs by default. Finally, answer
D is incorrect. A routed port acts just like the port of a router.

Question 20
Answer C is correct. In the speak state, the route processor sends periodic
hello messages and actively participates in the election of the active and/or
standby router. Answer A is incorrect. HSRP is not running in the initial
state. Answer B is also incorrect. In the listen state, the router listens for hello
messages. Answer D is also incorrect. In the standby state, the route processor is a candidate to become the next active router. Finally, answer E is also
incorrect. In the active state, the router is currently forwarding packets that
are sent to the virtual MAC address of the group.

Question 21
Answer B is correct. In SSM deployments where IGMPv3 cannot be used because
it isn't supported by the receiving host or the receiver application, there
are two Cisco-developed transition solutions that enable immediate
deployment of SSM services: URL Rendezvous Directory (URD) and IGMP Version
3 lite (IGMP v3lite). Answer A is incorrect. Cisco Group Management Protocol
(CGMP) limits the forwarding of IP multicast packets to only those ports
associated with IP multicast clients. Answer C is also incorrect. Protocol
Independent Multicast is a routing protocol for multicast traffic; its two
modes are Dense Mode (DM) and Sparse Mode (SM). Finally, answer D is also
incorrect. IGMP snooping allows a switch to snoop on, or capture information
from, the IGMP packets exchanged between hosts and a router.

Question 22
Answer B is correct. The show spanning-tree inconsistentports command
enables you to quickly determine whether any ports have been placed in the
root-inconsistent state by root guard (it also lists ports that loop guard
has placed in the loop-inconsistent state). Answers A, C, and D are
incorrect. Unidirectional Link Detection does not place ports in an
inconsistent state, nor does BPDU Guard or EtherChannel.

Question 23
Answer A is correct. The default port cost for Fast Ethernet is 19. Setting the
VLAN port cost to 20 makes it less likely to be placed in forwarding mode
when compared to a default configuration of Fast Ethernet. Answer B is
incorrect. Because the default cost is 19, this port is less likely to be in forwarding mode. Answer C is incorrect. Although manipulating the port cost
value does not directly influence root bridge selection, it does manipulate the
forwarding state of the port. Finally, answer D is incorrect. To influence the
root bridge selection, you should use bridge priority.

Question 24
Answer D is correct. The standard value for secondary root bridge operation
is 8192. Answer A is incorrect. The value 32768 is the default priority value.
Answer B is incorrect. The value of 4096 is typically used to set the device as
the root bridge. Answer C is also incorrect. 24982 is not a typical priority
setting.

Question 25
Answers B and C are correct. The listening and learning states are affected
by the Forward Delay timer, which has a default of 15 seconds. Answer A is
incorrect. The blocking state is directly affected by the Max Age value.
Answer D is also incorrect. The forwarding state is not directly attributed to
a timer.

Question 26
Answer C is correct. Four criteria are used in the decision-making process,
and they are used in the following order: lowest root bridge ID; lowest path
cost to the root bridge; lowest sender bridge ID; lowest port ID. Answers A,
B, and D are incorrect. These options do not convey the correct order of the
four criteria that are used in the decision-making process.

Question 27
Answer B is correct. The default timer setting for Max Age is 20 seconds; the
possible range is 6 to 40 seconds. Answer A is incorrect. 15 seconds is the
default value for the forward delay value, not max age. Answer C is also
incorrect. 30 seconds is not a valid timer default. Finally, answer D is also
incorrect. 50 seconds is the default time that a port takes to transition from
the blocking state to the forwarding state.
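The decision process behind questions 23, 25, 26 and 27 can be checked in code. The following Python model is an added example, not part of the book's material: it compares BPDUs in the 802.1D order (root bridge ID, root path cost, sender bridge ID, port ID), picks a root port after adding the receiving port's own cost, elects a root by lowest bridge ID, and computes the blocking-to-forwarding interval from the default timers. The bridge IDs, MAC addresses, port names and costs in it are constructed for illustration.

```python
"""Model of the 802.1D spanning tree decision process. Added example, not
from the book; bridge IDs, MACs, port names and costs are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# IEEE 802.1D-1998 default port costs by link speed in Mb/s (question 23
# relies on Fast Ethernet = 19, so a configured cost of 20 loses to it).
DEFAULT_PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Default timers in seconds (question 27).
HELLO, MAX_AGE, FORWARD_DELAY = 2, 20, 15


@dataclass(frozen=True, order=True)
class BridgeID:
    """Bridge priority plus MAC address. order=True compares instances as
    (priority, mac): the lowest priority wins and the MAC breaks ties."""
    priority: int   # 0-65535, default 32768
    mac: int        # 48-bit MAC as an integer


@dataclass(frozen=True)
class BPDU:
    root_id: BridgeID
    root_path_cost: int
    sender_id: BridgeID
    port_id: int    # 16 bits: port priority in the high byte, port number below

    def key(self) -> Tuple[BridgeID, int, BridgeID, int]:
        """Question 26's order: lowest root BID, then lowest path cost to the
        root, then lowest sender BID, then lowest port ID."""
        return (self.root_id, self.root_path_cost, self.sender_id, self.port_id)


def elect_root(bridges: Iterable[BridgeID]) -> BridgeID:
    """The lowest bridge ID in the domain becomes the root bridge."""
    return min(bridges)


def better_bpdu(a: BPDU, b: BPDU) -> BPDU:
    """The BPDU that wins the four-step comparison."""
    return a if a.key() < b.key() else b


def choose_root_port(received: Dict[str, BPDU], port_cost: Dict[str, int]) -> Optional[str]:
    """Pick the root port from the best BPDU heard on each port. The cost of
    reaching the root through a port is the advertised root path cost plus
    the receiving port's own cost, which is what the port cost command in
    question 23 changes."""
    best_port, best_key = None, None
    for port, bpdu in received.items():
        key = (bpdu.root_id, bpdu.root_path_cost + port_cost[port],
               bpdu.sender_id, bpdu.port_id)
        if best_key is None or key < best_key:
            best_port, best_key = port, key
    return best_port


def blocking_to_forwarding_seconds(max_age: int = MAX_AGE,
                                   forward_delay: int = FORWARD_DELAY) -> int:
    """Questions 25 and 27: a blocking port waits max_age for stored BPDU
    information to expire, then spends forward_delay in listening and
    forward_delay in learning before forwarding."""
    return max_age + 2 * forward_delay


def example_root_port(cost_fa1: int, cost_fa2: int) -> Optional[str]:
    """Constructed scenario for question 23: a switch whose two Fast Ethernet
    uplinks both hear the root bridge directly, differing only in port cost."""
    root = BridgeID(4096, 0x00000C000001)
    received = {
        "Fa0/1": BPDU(root, 0, root, 0x8001),   # sent from the root's port 1
        "Fa0/2": BPDU(root, 0, root, 0x8002),   # sent from the root's port 2
    }
    return choose_root_port(received, {"Fa0/1": cost_fa1, "Fa0/2": cost_fa2})


if __name__ == "__main__":
    print(example_root_port(DEFAULT_PORT_COST[100], 20))  # Fa0/1: cost 19 beats 20
    print(example_root_port(20, DEFAULT_PORT_COST[100]))  # Fa0/2
    print(blocking_to_forwarding_seconds())               # 50
```

Because every step is strictly lowest-wins, any device that can inject a BPDU carrying a lower bridge ID than the intended root takes over the topology, and any switch port that accepts BPDUs from an end system is a place that can happen. That is what root guard and BPDU guard (question 22) exist to prevent, and why they belong on access ports rather than being left as an afterthought.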

Question 28
Answer B is correct. To globally enable the IP multicast routing protocol, use
the global configuration command: ip multicast-routing. Answers A, C, and
D are incorrect. These commands are invalid and all produce syntax errors.

Question 29
Answer D is correct. Negotiation parameters do not need to be identical. For
example, one side of the trunk may be set to desirable, while the other is set
to auto. In fact, this is the most common configuration with Cisco equipment.
Answers A, B, and C are incorrect. Identical speed settings, identical duplex
settings, and identical trunk encapsulation parameters are all required.

Question 30
Answer C is correct. The data link layer encompasses hardware-based bridging.
Answer A is incorrect. The presentation layer is concerned with data
encryption and presentation, including formatting issues. Answer B is also
incorrect. The network layer involves routing. Finally, answer D is also
incorrect. The transport layer provides end-to-end delivery between
applications, including segmentation and, with TCP, reliability and flow
control.

Question 31
Answer D is correct. The 2900 series switches are perfect for the access layer
and provide high port densities at a low cost. Answer A is incorrect. The
Catalyst 8500 family of Cisco devices is often found in the core layer in order

to provide very high data transfers from one area of the network to another.
Answer B is incorrect. The Catalyst 4000 series provides control from the
backbone to the network edge. This series of switches has the ability to provide intelligent network services including advanced quality of service (QoS),
scalable performance, security, and simple manageability. Answer C is also
incorrect. Although the 6500 Series can function at any layer of the campus,
it is most often appropriate for the distribution or core layers.

Question 32
Answers B, C, and D are all correct. A destination port in one SPAN cannot
be a destination port for another SPAN. EtherChannel interfaces can be
SPAN sources. Ports cannot be configured as both sources and destinations.
Answer A is incorrect. Layer 2 switched ports and Layer 3 ports may function as SPAN sources or destinations.

Question 33
Answers B, C, and D are correct. RSPAN VLANs can be used only for
RSPAN traffic, and you cannot configure any ports in an RSPAN VLAN
except those selected to carry RSPAN traffic. Finally, RSPAN does not support BPDU monitoring. Answer A is incorrect. Networks impose no limit on
the number of RSPAN VLANs that the network can carry.

Question 34
Answer D is correct. The Network Analysis module gathers multilayer information about data and voice flows. Answer A is incorrect. The FlexWAN
module allows WAN connectivity via the 6000/6500 series switches. Answer
B is also incorrect. An RMON probe is a dedicated hardware device for monitoring the network and is not a module. Answer C is also incorrect. An IDS
module allows the 6000/6500 to monitor traffic for security breaches.

Question 35
Answer A is correct. These commands create an authentication list named
securelist. It is applied to the console port and indicates that TACACS+
should authenticate logins. If the service is not available, the local security
database is used. Answer B is incorrect. If TACACS+ is not available, logins
may still be permitted thanks to the local security accounts database. Answer
C is incorrect. The services are attempted in order. If an account does not
exist in one of them, the login fails. Answer D is incorrect. This is a valid
configuration. No default list must be created.

Question 36
Answer C is correct. To enter VLAN database configuration mode, the
vlan database command is issued from privileged EXEC mode. Answer A
is incorrect. (config) indicates global configuration mode. Answer B is
incorrect. (config-if) indicates interface configuration mode. Answer D is
also incorrect. (config-vlan) indicates VLAN configuration mode.

Question 37
Answer D is correct. The native VLAN is not used to represent multiple
spanning tree instances to common spanning tree domains. Answers A, B,
and C are incorrect because they are valid statements. The native VLAN
allows untagged frames to be sourced and received over 802.1Q trunks. This
VLAN also becomes the VLAN of a trunk port if it is in nonoperational
trunk mode.

Question 38
Answer A is correct. The Generic Bridge PDU Tunneling (GBPT) solution
allows the tunneling of protocol data units through a service provider cloud.
Answer B is incorrect. RSTP enhanced standard spanning tree technologies
for faster convergence. Answer C is incorrect. Multiple spanning tree
enhances the 802.1Q protocol to support multiple instances of spanning
tree. Finally, answer D is also incorrect. PVST+ is Cisco's implementation of
multiple spanning trees.

Question 39
Answers A and C are correct. ISL is proprietary to Cisco and is not supported on switches from many other vendors. It demonstrates true encapsulation
by placing a new header and frame check sequence (FCS) on the original
frame. Answer B is incorrect because 802.1Q is not protocol-independent; it
must be used with Ethernet-type VLANs such as 802.3 Ethernet and 802.5
token ring. Also, answer D is not correct; ISL contains two FCS fields, not
802.1Q.

Question 40
Answer B is correct. Nonegotiate causes the port not to participate in DTP.
You must configure the other port in the trunk link for trunking manually.
Answer A is incorrect; access causes permanent nontrunking mode and
DTP frames are sent. Answer C is also incorrect. Dynamic desirable causes
the link to attempt to trunk; DTP frames are sent. Finally, answer D is also
incorrect. Dynamic auto makes the interface willing to trunk; DTP frames
are used.

Question 41
Answer B is correct. The link between the customer device and the service
provider edge switch is called an asymmetric link because one end is a trunk
port and the other is a tunnel port. Answer A is incorrect. A trunk link is not
used between the enterprise and the service provider. Answers C and D are
incorrect. A tunnel link is not used in 802.1Q tunneling, nor is an access link.

Question 42
Answers A, B, and C are correct. Common troubleshooting steps include
verifying encapsulations, switch port modes, and native VLAN configurations in the case of 802.1Q. Answer D is incorrect. VLAN mapping is not a
valid troubleshooting step.

Question 43
Answer C is correct. Use the switchport trunk native VLAN command to
specify the native VLAN. VLAN 1 is the default. Answers A, B, D, and E are
incorrect. Native 10 produces a syntax error, as does every other option
presented.

Question 44
Answers B and D are correct. VTP pruning is disabled on this switch as evidenced by the VTP Pruning Mode : Disabled output. Also, the domain name
is test as evidenced by the output: VTP Domain Name : test. Answers A and
C are incorrect. The switch is not running VTP version 2 as evidenced by
the output VTP V2 Mode : Disabled. Because this switch is running in server mode, VLANs can be created, modified, and deleted on this device.

Question 45
Answers C and D are correct. The most common cause for the nonpropagation of VLAN information over VTP domains is the misconfiguration of
trunk links or domain names on devices. Answer A is incorrect. Only one or
two VTP server systems should exist in the network. Answer B is also incorrect. Currently, only two versions of VTP exist: version 1 and version 2.

Question 46
Answers A, B, and C are correct. All of these statements accurately describe
transparent bridging. Answer D is incorrect. Unknown unicast destination
addresses are flooded; known unicast destination addresses are intelligently forwarded.

Question 47
Answers A and C are correct. Each switch in a Spanning Tree topology has
a unique Bridge ID value. It is made up of a Bridge Priority value and a MAC
address. Answer B is incorrect. Port Cost is a Spanning Tree value, but it is
not part of the Bridge ID. Answer D is also incorrect; instance ID is not a
valid Spanning Tree component.
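
The Bridge ID structure described in the answer to Question 47, shown as working code. This is an added example, not code from the book: it packs the 16-bit Bridge Priority above the 48-bit MAC address so that a plain integer comparison reproduces the 802.1D root election (lowest priority wins; the MAC breaks a tie). The switch names, priorities and MAC addresses are constructed sample values.

```python
def bridge_id(priority: int, mac: str) -> int:
    """Compose an 802.1D Bridge ID as a 64-bit integer.

    The 16-bit Bridge Priority forms the high-order bits and the 48-bit
    MAC address the low-order bits, so comparing the integers compares
    priority first and falls back to the MAC only on a priority tie.
    """
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    # Accept colon, dash, or Cisco dotted notation for the MAC.
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC address must fit in 48 bits")
    return (priority << 48) | mac_int


def format_bridge_id(bid: int) -> str:
    """Render a Bridge ID in the common priority.mac notation."""
    priority, mac_int = bid >> 48, bid & 0xFFFFFFFFFFFF
    mac_hex = f"{mac_int:012x}"
    return f"{priority}.{mac_hex[0:4]}.{mac_hex[4:8]}.{mac_hex[8:12]}"


def elect_root(switches: dict[str, tuple[int, str]]) -> str:
    """Return the name of the switch with the lowest Bridge ID (the root)."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


if __name__ == "__main__":
    # Constructed sample topology (hypothetical switch names and MACs).
    topology = {
        "SW1": (28672, "0000.0c00.00ff"),
        "SW2": (28672, "0000.0c00.0001"),  # same priority, lower MAC
        "SW3": (24576, "0000.0cff.ffff"),  # lower priority wins outright
    }
    for name, (prio, mac) in topology.items():
        print(name, format_bridge_id(bridge_id(prio, mac)))
    print("root:", elect_root(topology))
```

Because the priority occupies the high-order bits, a lower configured priority always beats a lower MAC address; the MAC only decides the election when every candidate has the same priority.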

Question 48
Answers A and D are correct. Metro Ethernet over DWDM is an implementation option that provides gigabit rates with easy configuration and
transparency. It is typically used in the long-distance, ultra-high-bandwidth
transport market. Answer B is incorrect. Scalability is not viewed as an
advantage. Also, answer C is incorrect. Distance capabilities are not viewed
as an advantage for Metro Ethernet over DWDM. Also, answer E is incorrect. Statistical multiplexing provisions are not viewed as an advantage.

Question 49
Answers B, C, and D are all correct. Low latency queuing, weighted fair
queuing, and class-based weighted fair queuing are all congestion management tools available for use in campus networks. Answer A is incorrect
because link fragmentation and interleaving is considered a link efficiency
mechanism, not a congestion management tool.

Question 50
Answer B is correct. The priority command is used to allow delay-sensitive
data to be dequeued and sent first. Answer A is incorrect. You use the fair-queue interface configuration command to enable weighted fair queuing
(WFQ) for an interface. Answer C is incorrect. You use the class-map global configuration command to create a class map to be used for matching
packets to a specified class. Finally, answer D is incorrect. You use the policy-map command to access the QoS policy map configuration mode to configure
the QoS policy map.

Question 51
Answer B is correct. You should use the debug priority command in order to
display priority queuing output. Answer A is incorrect. The debug ip rsvp
command displays information about Subnetwork Bandwidth Manager (SBM)
message processing and other RSVP-related parameters. Answer C is incorrect. The debug multilink ppp command is not valid. Finally, answer D is
incorrect. Use the debug ppp multilink fragments command to display information about individual multilink fragments and important multilink events.

Question 52
Answer A is correct. An Ether ACL is a non-existent ACL type. Answers B, C,
and D are incorrect because router, VLAN, and QoS are valid types of ACLs.

Question 53
Answer A is correct. Private VLAN infrastructures define isolated, community, and promiscuous ports. An isolated port features complete Layer 2 separation from other ports within the same private VLAN except for the
promiscuous port. Answer B is incorrect. There is no separated port in a private VLAN. Answer C is also incorrect. Community ports feature the ability to communicate amongst themselves and with promiscuous ports. Answer
D is also incorrect. Promiscuous ports (as their name implies) communicate
with all interfaces.

Question 54
Answer C is correct. The recommended configuration of PIM on a specific
interface is to use ip pim sparse-dense-mode. In this case, the interface is
treated as dense mode if the group is in dense mode, or sparse mode if the
group is in sparse mode. Answer A is incorrect. ip pim dense-mode configures the interface for dense mode. Answer B is also incorrect. ip pim
sparse-mode configures the interface for sparse mode. Finally, answer D is
also incorrect. ip pim dense-sparse-mode is not a valid command.

Question 55
Answer B is correct. If UplinkFast is enabled on a root port and the link that
is directly connected to that port fails, the port can transition from the blocking state to the forwarding state in as little as 3 seconds after the detection of
the failure. Answer A is incorrect. PortFast eliminates the delay encountered
by computers that are connected directly to a switch in an STP network.
Enabling PortFast on a port allows it to begin forwarding as soon as the connected computer boots, rather than waiting the default 50 seconds. Answer
C is incorrect. BackboneFast reduces the convergence time that results when
an inferior Bridge Protocol Data Unit (BPDU) is detected. Finally, answer
D is also incorrect. RSTP is not a Cisco proprietary mechanism.

Question 56
Answers A and C are correct. VLAN trunking is supported by the IEEE
standards 802.10 and 802.1q. IEEE 802.10 defines VLAN trunking over
FDDI. IEEE 802.1q defines a standardized method of trunking between different vendors' devices. Answers B and D are incorrect. 802.1d defines
Spanning Tree Protocol, and 802.4 defines the Token Bus standard.

Question 57
Answer B is correct. An access link can be a member of only one VLAN.
Answer A is incorrect. A trunk link (not an access link) carries multiple
VLAN traffic. Answer C is also incorrect. 802.1Q trunk ports may receive
tagged and untagged frames. Answer D is also incorrect. Trunk ports are typically used to connect access layer and distribution layer switches.

Question 58
Answer C is correct. A crossover cable is used to connect like devices; in this
case, two switches. Answer A is incorrect. A straight-through cable is used to
connect unlike devices. For example, a switch and an end-user workstation.
Answer B is incorrect. A rollover cable is used to connect to the console port of
the switch. Finally, answer D is incorrect. A null-modem cable is not used to
connect switches to other switches, but is sometimes used for serial connections.

Question 59
Answer B is correct. All multicast frames have the same prefix of 01:00:5e.
This is the first 24 bits of the MAC address in question. The remainder of
the MAC address is derived from the IP multicast address. Answers A, C, and
D are incorrect because they do not specify 01:00:5e.
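
The mapping described in the answer to Question 59, carried through as working code. This is an added example, not code from the book: it generalizes the stated fact (fixed 01:00:5e prefix, remainder derived from the IP multicast address) by showing exactly which 23 bits of the group address are copied, how to test whether a MAC carries the prefix, and the resulting 32-to-1 ambiguity that a MAC-only filter cannot resolve. All group addresses used are constructed sample values.

```python
import ipaddress

# Fixed prefix of every IPv4-derived multicast MAC address (01:00:5e).
MCAST_OUI = bytes.fromhex("01005e")


def multicast_ip_to_mac(group: str) -> str:
    """Map an IPv4 multicast group address to its Ethernet MAC address.

    The first 24 bits of the MAC are the fixed 01:00:5e prefix, the 25th bit
    is always 0, and the remaining 23 bits are copied from the low-order
    23 bits of the IP group address.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in the multicast range 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF          # keep only the low-order 23 bits
    mac = MCAST_OUI + low23.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in mac)


def is_ipv4_multicast_mac(mac: str) -> bool:
    """True when a MAC (colon, dash, or Cisco dotted notation) could have
    been produced by the mapping above: 01:00:5e prefix, next bit clear."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    return len(raw) == 6 and raw[:3] == MCAST_OUI and (raw[3] & 0x80) == 0


def overlapping_groups(group: str) -> list[str]:
    """Return all 32 IPv4 groups that map to the same MAC as `group`.

    Only 23 of the 28 variable bits of a class D address reach the MAC, so
    the 5 bits directly below the 1110 prefix are lost: a switch that filters
    on the MAC alone delivers frames for any of these groups.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


if __name__ == "__main__":
    # Constructed sample groups, not taken from the book.
    for g in ("224.0.0.1", "239.255.255.255", "225.128.0.1"):
        print(f"{g:>16} -> {multicast_ip_to_mac(g)}")
    print(overlapping_groups("224.0.0.1"))
```

Note that 224.0.0.1 and 225.128.0.1 produce the same MAC: they differ only in the 5 bits the mapping discards. This is why Layer 2 constraint mechanisms such as IGMP snooping work on the IP group rather than on the MAC alone.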

Question 60
Answers A, B, and C are correct. Core-Based Trees (CBT) is not typically
implemented today. It was the first initial and experimental center-based tree
multicast routing protocol. Protocol Independent Multicast is commonly
used, however. DVMRP is a multicast routing protocol that uses a technique
known as reverse path forwarding. Answer D is incorrect. IGMP is used with
multicast, but it is not a routing protocol. IGMP provides a way for an
Internet computer to report its multicast group membership to adjacent
routers.

14 Sample Test 2

Question 1
Which definition correctly describes the broadcast transmission method?
A. One copy of each frame is sent to every client that requires the data.
B. A single copy of each frame is sent, using an address that reaches all
clients.
C. A single copy of each frame is sent, using a special address that
allows each client to decide whether it wants to receive the frame.
D. No frames are sent.

Question 2
In which transmission method are frames replicated as needed for transmission
to specific hosts?
A. Unicast
B. Multicast
C. Broadcast
D. Anycast

Question 3
Which statement about multicast transmission is true?
A. One copy of each packet is sent to every client.
B. A new packet is sent each time the client requests it.
C. Only one copy of each packet is sent, using an address that reaches all
the clients.
D. One copy of each packet is sent, using a special address that allows
each client to choose whether it receives the packet.

Question 4
Which of the following MAC addresses is a multicast address?
A. 00-00-5E-0A-08-05
B. 00-01-5E-0A-08-05
C. 01-00-5E-0A-08-05
D. 01-00-5F-0A-08-05

Question 5
IGMP query messages are addressed to the all-host group (224.0.0.1) with the
TTL set to 1. What is the purpose of setting the TTL to 1?
A. This ensures that all multicast routers see the query message.
B. This ensures that all multicast routers forward the query message.
C. This ensures flooding of the query message.
D. This ensures the query message remains in the subnetwork.

Question 6
Which of the following multicast address ranges are reserved?
A. 224.0.0.0 to 239.255.255.255
B. 192.168.2.1 to 192.168.2.100
C. 224.0.0.0 to 224.0.0.255
D. 234.0.0.0 to 234.0.0.255

Question 7
________ is a Cisco-developed protocol that allows Catalyst switches to learn
about the existence of multicast clients from Cisco routers and Layer 3 switches.
A. IGMP Version 1
B. IGMP Version 2
C. CGMP
D. MCAST

Question 8
You have a network monitoring probe installed in your campus LAN. You would
like to monitor all the packets that emanate from a particular VLAN. What should
you configure?
A. SPAN
B. RSPAN
C. VSPAN
D. IGMP

Question 9
What is the purpose of the following command?
Switch(config)# monitor session 1 source interface fastethernet 5/1 both

A. This command configures the FastEthernet 5/1 interface for SPAN
monitoring inbound and outbound traffic.
B. This command configures the FastEthernet 5/1 interface as the destination SPAN port, monitoring inbound and outbound traffic.
C. This command configures the FastEthernet 5/1 interface as the source
and destination port in SPAN.
D. This command configures the FastEthernet 5/1 interface in switchport
monitor mode.

Question 10
You're contemplating the purchase of a Network Analysis module for your
Catalyst 6500. What protocol does the NAM utilize to monitor and analyze
traffic?
A. ICMP
B. SMTP
C. TFTP
D. CDP
E. RMON

Question 11
Examine the following command output. Which command was used to generate the output?
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit = Primary
Unit ID = 1
Redundancy Mode (Operational) = Route Processor Redundancy Plus
Redundancy Mode (Configured) = Route Processor Redundancy Plus
Split Mode = Disabled
Manual Swact = Disabled Reason: Simplex mode
Communications = Down Reason: Simplex mode
client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 4000 milliseconds
keep_alive count = 0
keep_alive threshold = 7
RF debug mask = 0x0

A. show redundancy
B. show redundancy counters
C. show redundancy switchover
D. show redundancy states

Question 12
You need to configure redundancy for the two supervisor engines you've
installed. You're interested in a solution that allows switchover in two to four
minutes. Which solution meets this requirement?
A. RPR
B. RPR+
C. HSRP
D. VRRP

Question 13
You're responsible for the network security of your campus network infrastructure. Which of the following are recommended security configurations for your
Catalyst switches? (Choose all that apply.)
A. Secure access to VTY ports
B. Secure SNMP
C. Secure physical access to the console
D. Enable HTTP services and choose a non-default HTTP port
E. Engage in CDP trimming

Question 14
Which component of AAA services provides a method of collecting and sending
security server information used for billing, auditing, and reporting?
A. Authorization
B. Accounting
C. Authentication
D. Auditing

Question 15
You're considering port security in your Catalyst switch environment. You're
examining the command:
Switch(config-if)# switchport port-security [maximum value] violation {protect | restrict | shutdown}

What does the maximum value option permit?
A. The duration that a secured port permits workstation access
B. The maximum number of MAC addresses that can be supported by
the port
C. The maximum number of frames that the port can receive in a given
time interval
D. The maximum number of frames that the port can send in a given time
period

Question 16
You're considering implementing 802.1X port-based authentication in your network. What role does your Catalyst switch play in this security scheme?
A. Client
B. Authentication server
C. Authenticator
D. Workstation

Question 17
What command produces the following output?
Secure Mac Address Table
-----------------------------------------------------------
Vlan Mac Address       Type             Ports   Remaining Age
                                                (mins)
---- -----------       ----             -----   -------------
1    0001.0001.0001    SecureDynamic    Fa5/1   15 (I)
1    0001.0001.0002    SecureDynamic    Fa5/1   15 (I)
1    0001.0001.1111    SecureConfigured Fa5/1   16 (I)
1    0001.0001.1112    SecureConfigured Fa5/1
1    0001.0001.1113    SecureConfigured Fa5/1
1    0005.0005.0001    SecureConfigured Fa5/5   23
1    0005.0005.0002    SecureConfigured Fa5/5   23
1    0005.0005.0003    SecureConfigured Fa5/5   23
1    0011.0011.0001    SecureConfigured Fa5/11  25 (I)
1    0011.0011.0002    SecureConfigured Fa5/11  25 (I)
-----------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 1024

A. show port-security
B. show port-security interface fastethernet 5/1
C. show port-security address
D. show port-security MAC

Question 18
Which of the following are valid actions that are permitted when using VACLs?
(Choose all that apply.)
A. Permit
B. Redirect
C. Deny
D. Log

Question 19
You're considering the implementation of private VLANs in your campus network. Which of the following is the correct description of a community port?
A. A port that can communicate with all interfaces
B. A port that has complete separation from other ports in the private
VLAN, with the exception of the promiscuous port
C. A port that communicates with other ports and the promiscuous port
D. A port that cannot communicate with any other port

Question 20
IP telephony, multiunit applications, content networking, and storage networking are all examples of what part of the Cisco AVVID architecture?
A. Network infrastructure
B. Intelligent network services
C. Network solutions
D. Vertical solutions

Question 21
Which of the following are best practices for the server farm distribution layer?
(Choose all that apply.)
A. Deploy caching systems where appropriate
B. Implement server load balancing
C. Implement server content routing
D. Deploy a single device with redundant logical elements

Question 22
You're having trouble communicating with your switch from a terminal that's
connected to the console port. Which of the following troubleshooting steps are
appropriate? (Choose all that apply.)
A. Ensure that the cable type is correct
B. Ensure the terminal configuration matches the switch console port
configuration
C. Ensure that there is a console password configured
D. Ensure that the cable pinouts are correct for the supervisor engine

Question 23
Which of the following issues do VLAN designs help solve in a campus network? (Choose all that apply.)
A. Efficient bandwidth utilization
B. Security
C. Load balancing
D. Increased availability
E. Isolation of failure domains

Question 24
You need to assign the Fast Ethernet 5/1 port to VLAN number 20. What is the
correct command to make this configuration?
A. Switch(config-if)#switchport access vlan 20
B. Switch(config-if)#switchport vlan 20
C. Switch(config-if)#vlan 20
D. Switch(config-if)#switchport mode access vlan 20

Question 25
You're verifying the VLAN configuration in your campus network. Which of the
following commands produces the output shown here?
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Port Protected: Off
Unknown Unicast Traffic: Allowed
Unknown Multicast Traffic: Allowed
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100

A. show interface switchport gigabitEthernet 0/1
B. show gigabitEthernet 0/1
C. show interface vlan gigabitEthernet 0/1
D. show interface gigabitEthernet 0/1 switchport

Question 26
Which Dynamic Trunking Protocol option places an interface in permanent
trunking mode and prevents the interface from generating DTP frames?
A. access
B. trunk
C. nonegotiate
D. dynamic desirable
E. dynamic auto

Question 27
Which of the following statements regarding 802.1Q native VLANs are correct?
(Choose all that apply.)
A. The native VLAN is the VLAN that a port is in when not in operational
trunking mode.
B. Native VLAN traffic is sent untagged on the network.
C. The default native VLAN is 1000.
D. Every 802.1Q port is assigned a PVID value based on the port ID.

Question 28
You're being forced to troubleshoot your campus network because a trunk link
cannot be established between two of your Catalyst switches. You're attempting
to configure 802.1Q as the trunking mechanism. What are troubleshooting
steps that you should perform?
A. Ensure the interface mode configured at each end is valid
B. Ensure compatible trunk encapsulation types
C. Verify the VTP domain name and password at each end of the link
D. Ensure the native VLAN matches at each end of the link

Question 29
One of the most critical components of VTP is the configuration revision number.
What is the configuration revision number on a transparent mode VTP device?
A. 1
B. 2
C. Unknown
D. 0

Question 30
You're examining the different features available with VLAN Trunking Protocol.
What is the purpose of VLAN pruning?
A. VTP pruning uses VLAN advertisements to determine when a trunk
connection is flooding traffic needlessly.
B. VTP pruning reduces the number of VTP advertisements that switches
must send.
C. VTP pruning eliminates the need for a configuration revision number.
D. VTP pruning eliminates the propagation of native VLAN frames.

Question 31
You're troubleshooting your VTP configuration in your campus network. You
cannot get VLAN information shared between two devices in the network.
You've taken the following steps:
Ensured that the VTP domain name is properly configured on both devices
Verified that the devices are not in VTP transparent mode
Verified that the password is set on both devices

What else should you troubleshoot?
A. Verify that all switches are set to server mode
B. Verify that all switches are VTP version 2 compatible
C. Ensure that the switches are connected via at least one trunk link
D. Verify that all switches are set to client mode

Question 32
What is the default spanning tree priority value for a Cisco switch?
A. 4096
B. 8192
C. 32,768
D. 0

Question 33
Which of the following describes the Building Distribution block of the campus
infrastructure?
A. A module that contains end-user workstations, IP phones, and Layer 2
access switches that connect devices to the server farm
B. A module that contains email and corporate servers providing application, file, print, email, and DNS services to internal users
C. Aggregates the connectivity from the various elements of the
Enterprise Edge functional area and routes the traffic into the Campus
Backbone
D. Aggregates the building access devices, often using Layer 3 switching;
it also performs routing, QoS, and access control

Question 34
VLANs operate at Layer 2 of the OSI model. Which of the following devices allow
communication between VLANs? (Choose all that apply.)
A. Hub
B. Layer 2 switch
C. Layer 3 switch
D. Translational bridge
E. Router

Question 35
Which of the following commands assigns a port to a VLAN?
A. Switch(config)# interface FastEthernet 0/1 vlan 3
B. Switch(config)# switchport mode access 3 vlan
C. Switch(config-if)# switchport mode access 3 vlan
D. Switch(config-if)# switchport vlan 3 static
E. Switch(config-if)# switchport access vlan 3

Question 36
Which of the following trunking protocols encapsulates the frame?
A. 802.1Q
B. ISL
C. VTP
D. 802.10

Question 37
Spanning Tree Protocol (STP) helps prevent bridging loops in Cisco campus
networks. Which of the following would cause STP to fail in its efforts to prevent loops? (Choose all that apply.)
A. Duplex mismatch
B. Frame corruption
C. Broadcasts
D. Corrupted CAM table
E. Unidirectional link failure

Question 38
Which type of multilayer switching uses a FIB? (Choose all that apply.)
A. Route caching
B. Flow-based switching
C. Demand-based switching
D. Topology-based switching
E. CEF

Question 39
You're examining the adjacency table in CEF-based multilayer switching through
the use of the show adjacency command. Which type of adjacency entry is used
for features that require special handling or for features that are not yet supported in conjunction with CEF switching paths?
A. null adjacency
B. punt adjacency
C. glean adjacency
D. next-hop adjacency

Question 40
You're comparing redundancy features for your Catalyst 6500 Series switch.
You've invested in dual supervisor engines for your Catalyst 6509. Which is not
an advantage that RPR+ has over RPR?
A. Reduced switchover time
B. Online insertion and removal of the redundant supervisor engine
C. Auto VLAN database configuration
D. Running configuration is saved

Question 41
Which technology uses ICMP router advertisements and router solicitation
messages to allow a host to discover the addresses of operational routers on a
subnet?
A. HSRP
B. VRRP
C. IRDP
D. OSPF

Question 42
You're configuring HSRP in the redundant distribution layer of your campus network. You have routers configured with the following settings:
RouterA:
Priority 200
IP address: 172.16.10.169
MAC: 0010.0c07.ac2f
Group 47

RouterB:
Priority 150
IP address: 172.16.10.169
MAC: 0010.0c07.d000
Group 47

RouterC:
Priority 125
IP address: 172.16.10.169
MAC: 0010.0c07.23a0
Group 47

RouterD:
Priority 200
IP address: 172.16.10.82
MAC: 0010.0c07.45c3
Group 48

If RouterA fails, which system becomes the active router?
A. RouterA
B. RouterB
C. RouterC
D. RouterD
E. None of the above

Question 43
Which of the following HSRP states indicates that the router is a candidate for
active router, causes the router to send periodic hello messages, and ensures
that the router knows the virtual router IP address?
A. initial
B. listen
C. standby
D. speak
E. active

Question 44
What protocol provides redundancy for either a real IP address of a router or a
virtual IP address shared among its members, and considers all nonmaster
routers as backups?
A. VRRP
B. HSRP
C. IRDP
D. GLBP

Question 45
You're interested in designing a redundant distribution layer in your campus
network. You'd like to ensure that the standby members of the redundant group
are not underutilized along with their upstream bandwidth. Which protocol
should you consider?
A. HSRP
B. VRRP
C. GLBP
D. SRM

Question 46
You're interested in configuring single router mode on your Catalyst 6500
switch. Which of the following commands enables this configuration?
A. Switch(config)# single-router-mode
B. Switch(config-r)# single-router-mode
C. Switch(config-r-ha)# single-router-mode
D. Switch(config-r)# srm

Question 47
Which of the following commands correctly specifies an IP address of a server
to be a member of an SLB server farm?
A. Switch(config)# real 10.64.164.1
B. Switch(config-slb-sfarm)# real 10.64.164.1
C. Switch(config)# ip slb serverfarm 10.64.164.1
D. Switch(config-slb-sfarm)# ip slb serverfarm 10.64.164.1

Question 48
What is a benefit of the auxiliary VLAN feature of Catalyst switches?
A. Increased availability
B. Easier network management
C. Reduced bandwidth utilization
D. Network segmentation and control

Question 49
Which is not a network availability issue that QoS addresses?
A. Jitter
B. Delay
C. Reliability
D. Packet loss

Question 50
Which queuing method provides strict priority queuing, enabling you to configure the priority status for a class within class-based weighted fair queuing?
A. CQ
B. PQ
C. FIFO
D. LLQ
E. WFQ
F. WRR

Question 51
What is the purpose of the ToS field in an IP header?
A. Identifies the type of payload in the IP packet
B. Identifies network control information for the packet
C. Assigns a priority to an IP packet as it traverses the network
D. Indicates the proper queue for an IP packet as it traverses the network

Question 52
On which network links is LFI especially useful?
A. On fast links whose speed is greater than 1.544Mbps
B. On slow-speed links whose speed is less than 64Kbps
C. On slow-speed links whose speed is less than 768Kbps
D. On slow-speed links whose speed is less than 1.544Mbps

Question 53
Weighted random early detection (WRED) generally drops packets selectively
based on what value?
A. Queue size
B. IP precedence or DSCP
C. TCP congestion control
D. Random early detection (RED)

Question 54
Which Cisco IOS command displays priority queuing output?
A. debug ip rsvp
B. debug priority
C. debug multilink ppp
D. debug ppp multilink fragments

Question 55
You're interested in assigning a traffic policy that you've created to an interface
in your campus network. What is the correct command to accomplish this?
A. class-map
B. policy-map
C. service-policy
D. mls qos
E. mls qos trust

Question 56
What module for the 6000 and 6500 Series switches provides a network management and monitoring solution?
A. FlexWAN module
B. IDS Sensor
C. Network Analysis module
D. Supervisor Engine

Question 57
Which command correctly configures a SPAN interface to monitor only ingress
traffic?
A. monitor session 1 source interface fastethernet 5/1 rx
B. monitor session 1 source interface fastethernet 5/1 tx
C. monitor session 1 destination interface fastethernet 5/1
D. monitor session 1 source interface fastethernet 5/1 both

Question 58
Which of the following commands globally enables AAA on a Cisco switch?
A. aaa authentication login
B. ppp authorization
C. new aaa model
D. aaa new-model

Question 59
You're considering the use of port security to help secure your enterprise campus network. You'd like an interface to enter an error-disabled state when a
security violation occurs. What command should you use?
A. Switch(config-if)# switchport port-security 1 violation protect
B. Switch(config-if)# switchport port-security 1 violation restrict
C. Switch(config-if)# switchport port-security 1 violation shutdown
D. Switch(config-if)# switchport port-security 1 violation null

Question 60
Which of the following Metro Ethernet tunneling options features the drawback
of poor scalability?
A. 802.1Q
B. 802.1Q-in-Q
C. EoMPLS
D. EoMPLS Encapsulation Point-to-Multipoint

Chapter 15
Answer Key 2
1. B            21. A, B, C       41. C
2. A            22. A, B, D       42. B
3. D            23. A, B, C, E    43. C
4. C            24. A             44. A
5. D            25. D             45. C
6. C            26. C             46. C
7. C            27. A, B          47. B
8. C            28. A, B, D       48. D
9. A            29. D             49. C
10. E           30. A             50. D
11. D           31. C             51. C
12. A           32. C             52. C
13. A, B, C, E  33. D             53. B
14. B           34. C, E          54. B
15. B           35. E             55. C
16. C           36. B             56. C
17. C           37. A, B, E       57. A
18. A, B, C     38. D, E          58. D
19. C           39. B             59. C
20. C           40. C             60. A

Question 1
Answer B is correct. In a broadcast design, an application sends only one
copy of each packet using a broadcast address. Answer A is incorrect. In a
unicast design, one copy of each frame is sent to every client that requires the
data. Answer C is incorrect. In a multicast design, a single copy of each frame
is sent using a special address that allows each client to decide whether it
wants to receive the frame. Finally, answer D is incorrect. Frames are sent in
a broadcast design.

Question 2
Answer A is correct. Unicast transmissions involve the replication of frames
for the specific clients that require the data. Answers B, C, and D are incorrect. In a multicast, broadcast, or anycast design, packets do not require
replication for transmission to multiple hosts.

Question 3
Answer D is correct. Multicast designs involve sending one copy of each
packet, using a special address that allows each client to choose whether it
receives the packet. Answer A is incorrect. Under multicast, packets are not
replicated and sent to clients. Answer B is also incorrect. New packets are not
sent per client requests. Also answer C is incorrect. Under multicast, a
broadcast address is not used.

Question 4
Answer C is correct. Multicast MAC addresses begin with the prefix 01-00-5E. Answers A, B, and D are incorrect. None of the other MAC address examples
here begins with 01-00-5E.

Question 5
Answer D is correct. Setting the TTL value to 1 ensures that the query message stays within the local subnetwork. Remember, routers decrement the
TTL when they forward packets. Answer A is incorrect. A TTL of 1 ensures
that all multicast routers do not see the message. Answer B is incorrect.
Multicast routers will not forward the query message due to the TTL of 1.
Answer C is also incorrect. This message is also not flooded by multicast
routers.

Question 6
Answer C is correct. Addresses ranging from 224.0.0.0 to 224.0.0.255 are
reserved for local purposes; multicast routers do not forward datagrams
destined for this range of addresses. Answer A is incorrect because 224.0.0.0
to 239.255.255.255 describes the entire range of Class D addresses. Answer
B is incorrect because 192.168.2.1 to 192.168.2.100 is not a valid multicast
address range. Finally, answer D is incorrect because 234.0.0.0 to
234.0.0.255 is a valid multicast range, but it is not reserved.
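The facts behind Questions 4, 5 and 6 (the 01-00-5E MAC prefix, the non-forwarded 224.0.0.0/24 range and the Class D range) worked as an added Python example that is my own code, not the book's. It goes one step beyond the page by carrying the full RFC 1112 group-to-MAC mapping, which shows why 32 groups share each MAC.

```python
import ipaddress

# Class D (224.0.0.0/4) is the whole IPv4 multicast range (Question 6, answer A).
CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")
# 224.0.0.0/24 is reserved for local use: multicast routers never forward it,
# which is also why IGMP queries are sent with a TTL of 1 (Questions 5 and 6).
LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")


def classify(addr: str) -> str:
    """Classify an IPv4 address the way a multicast router would treat it."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in CLASS_D:
        return "not multicast"
    if ip in LINK_LOCAL:
        return "link-local multicast (not forwarded)"
    return "routable multicast"


def group_to_mac(addr: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC address.

    Per RFC 1112 the MAC is the 01-00-5E prefix (Question 4) followed by a
    zero bit and the low 23 bits of the group address.
    """
    ip = ipaddress.IPv4Address(addr)
    if ip not in CLASS_D:
        raise ValueError(f"{addr} is not a Class D address")
    mac = 0x01005E000000 | (int(ip) & 0x7FFFFF)
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def is_ip_multicast_mac(mac: str) -> bool:
    """True when a MAC carries the 01-00-5E prefix with the 24th bit clear."""
    try:
        octets = [int(o, 16) for o in mac.upper().replace(":", "-").split("-")]
    except ValueError:
        return False
    return len(octets) == 6 and octets[:3] == [0x01, 0x00, 0x5E] and octets[3] < 0x80


def colliding_groups(addr: str) -> list:
    """Return the 32 IPv4 groups that share one MAC with addr.

    Only 23 of the 28 group bits survive the mapping, so a switch that filters
    on MAC alone can deliver a different group's traffic to a host.
    """
    base = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]
```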

Question 7
Answer C is correct. Cisco Group Management Protocol (CGMP) limits the
forwarding of IP multicast packets to only those ports associated with IP
multicast clients. Switches learn about multicast members from multicast
route processors. Answers A and B are incorrect. Internet Group
Management Protocol (IGMP) versions 1 and 2 are protocols used by IPv4
systems to report IP multicast memberships to neighboring multicast
routers. These are not Cisco proprietary protocols. Finally, answer D is
incorrect as well. MCAST is not a valid protocol name.

Question 8
Answer C is correct. VSPAN refers to using a source VLAN for the SPAN
configuration. You may monitor all the traffic leading into or coming from a
VLAN. This is the easiest way to configure the requirement presented in this
question. Answer A is incorrect. SPAN enables you to monitor port(s).
Answer B is incorrect. Remote SPAN enables you to monitor ports from several switches. Finally, answer D is also incorrect. IGMP is a multicast protocol and has nothing to do with port monitoring.

Question 9
Answer A is correct. With this command, the FastEthernet 5/1 interface is
configured as a SPAN source; inbound and outbound traffic is monitored.
Answer B is incorrect because this command does not configure a destination SPAN port. Answer C is incorrect because it does not configure both
sources and destinations. Finally, answer D is incorrect because there is no
such mode as switchport monitor mode.

Question 10
Answer E is correct. The NAM uses remote monitoring (RMON) to monitor and analyze network traffic. Answer A is incorrect. ICMP (Internet
Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. Answer B is incorrect. Simple Mail Transfer Protocol (SMTP) is used to move mail via the
Internet. Answer C is incorrect. Trivial File Transfer Protocol (TFTP) is
used to move files via the Internet. Answer D is incorrect. The Cisco
Discovery Protocol (CDP) is used to discover connected devices.

Question 11
Answer D is correct. This output is a result of the show redundancy states
command. It displays the redundancy facility state information. Answer A is
incorrect. The show redundancy command is not a valid command without
parameters. Answer B is incorrect. The show redundancy counters command displays the redundancy facility counter information. Answer C is
incorrect. The show redundancy switchover command displays the
switchover counts, the uptime since active, and the total system uptime.

Question 12
Answer A is correct. RPR supports a switchover time of 2 to 4 minutes.
Answer B is incorrect. RPR+ supports a switchover time of 30 to 60 seconds.
Also, answers C and D are incorrect. HSRP and VRRP are not used for
supervisor engine redundancy; they're used for router redundancy for client
systems.

Question 13
Answers A, B, C, and E are correct. You should protect your VTY ports to
secure Telnet access. This includes assigning passwords and using ACLs. You
should secure SNMP by prohibiting read/write access wherever possible.
You must also secure access to the console port. Physical access to this port
allows a user to circumvent all security mechanisms. You should also trim
CDP by disabling the protocol on ports that connect to external users.
Answer D is incorrect. To secure your system, you should disable the built-in HTTP server.

Question 14
Answer B is correct. Accounting services are a component of AAA. Security
experts can use the information gained from this service to audit and
improve security. Answer A is incorrect. Authorization provides the method
for remote access control. Answer C is incorrect. Authentication provides
the method of identifying users, including login and password information.
Answer D is incorrect. Auditing is not one of the AAA services.

Question 15
Answer B is correct. The Maximum Value option allows the network administrator to define the maximum number of MAC addresses that can be supported by the port. Answer A is incorrect. The value has nothing to do with
the duration of connections. Answers C and D are also incorrect. The value
does not control the number of frames that may be received or sent.

Question 16
Answer C is correct. The switch is called the authenticator in the 802.1X
security environment. Answer A is incorrect. The client is the workstation
that requests access to the LAN. Answer B is incorrect. The authentication
server performs the actual authentication. Answer D is incorrect. The workstation is the client in the 802.1X environment.

Question 17
Answer C is correct. When used with the show port-security command, the
address parameter displays the MAC address table security information.
Answer A is incorrect. show port-security displays security information for
all interfaces. Answer B is also incorrect. The interface argument restricts the
output to a specific interface. Answer D is incorrect because there is no such
parameter as the MAC keyword.

Question 18
Answers A, B, and C are correct. Three VACL actions are permitted: Permit,
Redirect, and Deny. Answer D is incorrect. There is no such VACL option
as Log. Deny with logging is supported on the Catalyst 6500 only.

Question 19
Answer C is correct. A community port can communicate with other community ports and the promiscuous ports. Answer A is incorrect. The promiscuous port can communicate with all interfaces. Answer B is incorrect. An
isolated port has complete Layer 2 separation from other ports except the
promiscuous port. There is no port that features complete isolation as indicated in answer D.

Question 20
Answer C is correct. Network solutions allow enterprises to make business
decisions about the business itself as well as about networks and the technologies and applications that run on them. Answers A, B, and D are incorrect. Examples of network infrastructure components include devices such as
routers, LAN switches, WAN switches, and PBXs. Intelligent network services include security, network management, quality of service, IP multicast,
and high availability. Vertical solutions and markets include health care,
retail, and financial services.

Question 21
Answers A, B, and C are correct. Cisco recommends caching systems, server
load balancing, and server content routing in the distribution layer of the
server farm. These are all possible with Cisco's Content Networking solutions. Answer D is incorrect. In a very large network, you should deploy multiple network devices. In smaller networks, a single device with redundant
logical elements is appropriate.

Question 22
Answers A, B, and D are correct. When you're troubleshooting console port
connectivity, you should make sure that you're using the correct type of
cable. You should also ensure the terminal configuration matches the switch
console port configuration. This is typically 9600 baud, 8 data bits, no parity, 1 stop bit. You should also make sure that the cable pinouts are correct for
your supervisor engine. Answer C is incorrect. A console password does not
need to be configured on the switch.

Question 23
Answers A, B, C, and E are correct. Through the division of the network into
smaller broadcast domains, bandwidth is used more efficiently. VLANs
improve security by segregating frames into smaller groups. Combined with
routing, VLANs can be used to improve load balancing over multiple paths.
VLANs also help to reduce the impact of network problems. Answer D is
incorrect. VLANs do not directly improve the availability of network
resources.

Question 24
Answer A is correct. To add the interface to the VLAN, use the switchport
access vlan command. Answers B, C, and D are incorrect. All other syntax
examples here produce errors on the switch because they're invalid commands.

Question 25
Answer D is correct. The show interface gigabitEthernet 0/1 switchport command displays switch port information for the gigabitEthernet 0/1
interface. Answers A, B, and C are incorrect. All other syntax examples here
produce errors on the switch because they're invalid commands.

Question 26
Answer C is correct. The nonegotiate option can be used to force trunking,
and prevents an interface from sending DTP frames. Answer A is incorrect.
Access places an interface into nontrunking mode. Answer B is incorrect.
Trunk does force trunking, but also sends DTP frames. Answer D is incorrect. Dynamic desirable sends DTP frames. Finally, answer E is incorrect
because dynamic auto does not force trunking.

Question 27
Answers A and B are correct. A native VLAN is the VLAN that a port
belongs to when not in operational trunking mode. Also, when in trunking
mode, the port sends traffic from this VLAN untagged. Answers C and D are
incorrect. The default native VLAN is VLAN 1. Each physical port does
have a PVID value, but it is based on the native VLAN ID.

Question 28
Answers A, B, and D are correct. To troubleshoot a trunk link issue, you
should ensure that the interface modes are properly configured; for example,
dynamic desirable at one end and dynamic auto at the other. You should also
ensure the trunk encapsulation type configured at each end is compatible.
Finally, ensure that the native VLAN configuration matches at each end.
Answer C is incorrect. The VTP configuration does not affect the trunk
configuration.

Question 29
Answer D is correct. The configuration revision number is used to track
VLAN changes. The configuration revision number in transparent mode is
always 0. This ensures the device does not participate in VTP. Answers A, B,
and C are incorrect. The configuration revision number in transparent mode
is always 0, and therefore cannot be any other value.

Question 30
Answer A is correct. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the
appropriate network devices. Answer B is incorrect. VTP does not affect the
number of VLAN advertisements that are sent. Answer C is incorrect. VTP
does not eliminate the need for a configuration revision number. Finally,
answer D is incorrect. VTP pruning does not affect the propagation of native
VLAN frames.

Question 31
Answer C is correct. For VTP information to pass from switch to switch, the
switches must be connected by trunks. Answer A is incorrect. It is recommended that you configure at least two switches in server mode. However, it
is not recommended for all switches to be in such a configuration. Answer B
is incorrect. All switches do not need to be VTP version 2 compatible.
Finally, answer D is incorrect. Configuring all switches as clients is not a
valid configuration.

Question 32
Answer C is correct. The default spanning tree priority value is 32,768.
Answer A is incorrect. 4096 is the recommended root bridge priority value.
Answer B is incorrect. 8192 is the recommended secondary root bridge priority value. Answer D is also incorrect. 0 is never recommended by Cisco.

Question 33
Answer D is correct. The Building Distribution block connects end users
with the campus backbone and provides routing, QoS, and access control.
Answer A is incorrect. The Building Access module contains end user workstations and IP phones. Answer B is incorrect. The Server Farm module contains email and other such servers. Answer C is incorrect. The Edge
Distribution module aggregates the connectivity from the various elements
at the enterprise edge and routes the traffic into the campus backbone.

Question 34
Answers C and E are correct. Inter-VLAN communication requires the use
of a router or Layer 3 switch. This is due to inter-VLAN communications
requiring routing. Answer A is incorrect. A hub is a Layer 1 device that is
incapable of routing traffic. Answers B and D are incorrect. A Layer 2 switch
also does not possess routing capabilities, nor does a translational bridge.

Question 35
Answer E is correct. The correct command to assign an access port to a
VLAN is Switch(config-if)# switchport access vlan vlan-id. Answers
A, B, C, and D are incorrect. All other syntax examples in this question
would produce a syntax error.

Question 36
Answer B is correct. ISL engages in true encapsulation. It places a new header and trailer on a frame prior to transporting the frame over a trunk link.
Answer A is incorrect. 802.1Q tags frames with VLAN information; it does
not encapsulate the data frame. Answer C is incorrect. VTP is not a trunk
protocol. Answer D is incorrect. 802.10 is used for the transmission of
VLAN information in FDDI environments. Once again, true encapsulation
is not used.

Question 37
Answers A, B, and E are correct. When troubleshooting STP, potential problems include duplex mismatch, unidirectional link failure, frame corruption,
resource errors, PortFast configuration errors, and exceeding STP diameters. Answer C is incorrect. Broadcasts do not cause problems for STP; in
fact, STP helps to ensure that broadcasts do not negatively impact the network. Also, answer D is incorrect. CAM table corruption also does not cause
STP-related issues.

Question 38
Answers D and E are correct. Topology-based switching relies on a forwarding information base (FIB) and an adjacency table. Cisco's implementation of
topology-based switching is called Cisco Express Forwarding (CEF). Answers
A, B, and C are incorrect. Route caching, flow-based switching, and demand-based switching are descriptions of legacy multilayer switching technologies
that rely on packet flows for cached forwarding information.

Question 39
Answer B is correct. Punt adjacency deals with features that require special
handling or features that are not yet supported, for example, when the packet
requires CPU processing. Answer A is incorrect. A null adjacency refers to
packets destined for the Null0 interface. These packets are dropped. Answer
C is incorrect. The glean adjacency is used for the subnet prefix when more
than one host is attached to the switch from the same VLAN. Answer D is
incorrect because there is no such adjacency as the next-hop adjacency.

Question 40
Answer C is correct. RPR+ does not feature auto VLAN database configuration. Answers A, B, and D are incorrect. RPR+ features many improvements
over RPR. These include reduced convergence time, online insertion and
removal of the redundant Supervisor Engine, synchronization of running configurations and startup configurations, and the synchronization of OIR events.

Question 41
Answer C is correct. IRDP uses Internet Control Message Protocol (ICMP)
router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet. Hosts must discover routers before they can send IP datagrams outside their subnet. Router
discovery allows a host to discover the addresses of operational routers on
the subnet. Answer A is incorrect. HSRP is a routing protocol that provides
backup to a router in the event of failure. Answer B is incorrect. The Virtual
Router Redundancy Protocol (VRRP) eliminates the single point of failure
inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to
one of the VPN Concentrators on a LAN. Answer D is incorrect. Open
Shortest Path First (OSPF) is a routing protocol developed for Internet
Protocol (IP) networks by the interior gateway protocol (IGP) working
group of the Internet Engineering Task Force (IETF).

Question 42
Answer B is correct. The router in the group with the next highest priority
takes over the active router role in an HSRP group. In this case, that router
is RouterB. Answer A is incorrect. RouterA was the active router that failed.
Answers C and D are also incorrect. RouterC does not have the highest
remaining priority, and RouterD is not in the HSRP group where the failure
occurred. Answer E is also incorrect. RouterB becomes the active router.
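The election in Question 42 and this answer, worked as an added Python example that is my own code, not the book's. The priorities and groups come from the question; the interface IPs are constructed, since the page lists only the virtual addresses. It goes beyond the page by also modelling the equal-priority tie-break (higher interface IP wins, per RFC 2281) and the preempt setting, which decides whether a returning RouterA reclaims the active role.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    group: int
    priority: int
    interface_ip: str      # real interface address, used only to break priority ties
    up: bool = True
    preempt: bool = False  # whether a returning higher-priority router reclaims the active role


def _rank(r: HsrpRouter):
    # Highest priority wins; equal priorities are broken by the higher interface IP (RFC 2281).
    return (r.priority, int(ipaddress.IPv4Address(r.interface_ip)))


class HsrpGroup:
    """Tracks the active and standby routers for one HSRP group on a subnet."""

    def __init__(self, group: int, virtual_ip: str, routers: List[HsrpRouter]):
        self.group = group
        self.virtual_ip = virtual_ip
        self.members = [r for r in routers if r.group == group]
        self.active: Optional[HsrpRouter] = self._best(exclude=None)

    def _best(self, exclude: Optional[HsrpRouter]) -> Optional[HsrpRouter]:
        live = [r for r in self.members if r.up and r is not exclude]
        return max(live, key=_rank) if live else None

    def standby(self) -> Optional[HsrpRouter]:
        """The router that takes over next: the highest-ranked member that is not active."""
        return self._best(exclude=self.active)

    def fail(self, name: str) -> Optional[HsrpRouter]:
        """Mark a router down. If it was active, the standby becomes active."""
        for r in self.members:
            if r.name == name:
                r.up = False
        if self.active is not None and not self.active.up:
            self.active = self._best(exclude=None)
        return self.active

    def recover(self, name: str) -> Optional[HsrpRouter]:
        """Bring a router back. Without preempt the current active router keeps the role."""
        for r in self.members:
            if r.name == name:
                r.up = True
                if self.active is None or (r.preempt and _rank(r) > _rank(self.active)):
                    self.active = r
        return self.active


def build_question_42(preempt_a: bool = False) -> List[HsrpRouter]:
    # Priorities and groups are from Question 42; the interface IPs are constructed,
    # since the page lists only the virtual addresses 172.16.10.169 and 172.16.10.82.
    return [
        HsrpRouter("RouterA", 47, 200, "172.16.10.1", preempt=preempt_a),
        HsrpRouter("RouterB", 47, 150, "172.16.10.2"),
        HsrpRouter("RouterC", 47, 125, "172.16.10.3"),
        HsrpRouter("RouterD", 48, 200, "172.16.10.4"),
    ]


def names(*routers: Optional[HsrpRouter]) -> List[Optional[str]]:
    return [r.name if r is not None else None for r in routers]


def question_42() -> List[Optional[str]]:
    """Active router for group 47 before and after RouterA fails, plus group 48's active router."""
    routers = build_question_42()
    g47 = HsrpGroup(47, "172.16.10.169", routers)
    g48 = HsrpGroup(48, "172.16.10.82", routers)
    before = g47.active
    after = g47.fail("RouterA")
    return names(before, after, g48.active)   # ['RouterA', 'RouterB', 'RouterD']


def cascade_failures() -> List[Optional[str]]:
    """Successive failures walk down the priority list until nobody answers for the VIP."""
    g47 = HsrpGroup(47, "172.16.10.169", build_question_42())
    return names(g47.fail("RouterA"), g47.fail("RouterB"), g47.fail("RouterC"))


def recovery(preempt: bool) -> Optional[str]:
    """RouterA returns after failing: it reclaims the VIP only when preempt is configured."""
    g47 = HsrpGroup(47, "172.16.10.169", build_question_42(preempt_a=preempt))
    g47.fail("RouterA")
    return names(g47.recover("RouterA"))[0]


def tie_break() -> str:
    """Two routers with equal priority: the higher interface IP wins (constructed group 49)."""
    g49 = HsrpGroup(49, "10.0.0.254", [HsrpRouter("X", 49, 100, "10.0.0.10"),
                                       HsrpRouter("Y", 49, 100, "10.0.0.20")])
    return g49.active.name
```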

Question 43
Answer C is correct. When a router is in the standby state, the router is a
candidate to become the next active router and sends periodic hello messages. There must be one standby router in the HSRP group. Answer A is
incorrect. The initial state indicates that HSRP is not running. Answer B is
incorrect. The listen state indicates the router is not the active or the standby router. Answer D is incorrect. The speak state indicates the router is participating in the election of the active router. Answer E is also incorrect. The
active state indicates the router is the active router.

Question 44
Answer A is correct. Virtual Router Redundancy Protocol (VRRP) can provide redundancy for a real IP address of a router or a virtual IP address
shared among the VRRP group members. Answer B is incorrect. HSRP is a
routing protocol that provides backup to a router in the event of failure.
Answer C is incorrect. IRDP uses Internet Control Message Protocol
(ICMP) router advertisements and router solicitation messages to allow a
host to discover the addresses of operational routers on the subnet. Answer
D is incorrect. Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP)
and Virtual Router Redundancy Protocol (VRRP), while allowing packet
load sharing between a group of redundant routers.

Question 45
Answer C is correct. GLBP allows automatic selection and simultaneous use of
multiple available gateways, and provides automatic detection of and failover to
a redundant path in the event of failure of any active gateway. Answers A and
B are incorrect. HSRP and VRRP both provide gateway resiliency. The standby members of the redundancy group are underutilized along with their
upstream bandwidth. Answer D is also incorrect. Single router mode allows for
redundancy of supervisor engines in a single switch chassis.

Question 46
Answer C is correct. To configure single router mode, you use the single-router-mode command in high availability configuration mode. Answers A
and B are incorrect. The single-router-mode command produces a syntax
error if attempted in another mode. Answer D is also incorrect. There is no
such command as srm.

Question 47
Answer B is correct. You use the real command in server farm configuration
mode to specify the IP address of a real server in the server farm. Answer A
is incorrect. The real command is not a global configuration command.
Answers C and D are incorrect. The ip slb serverfarm command creates a
server farm definition and enters server farm configuration mode.

Question 48
Answer D is correct. The advantage that auxiliary VLANs bring for voice
traffic is increased network segmentation and control. Answer A is incorrect.
Auxiliary VLANs by themselves do not increase availability. Answer B is
incorrect. They increase the amount of network management that must be
performed. Answer C is incorrect. They also do not reduce the bandwidth
that is consumed due to voice.

Question 49
Answer C is correct. Reliability is not directly impacted by QoS. Answers A,
B, and D are incorrect. As Cisco defines QoS, it addresses delay, jitter (variable delay), and packet loss.

Question 50
Answer D is correct. Low latency queuing provides strict priority queuing.
This feature enables you to configure the priority status for a class within
class-based weighted fair queuing. Answer A is incorrect. CQ allows a fairness not provided with priority queuing (PQ). With CQ, you can control the
available bandwidth on an interface when it is unable to accommodate the
aggregate traffic that is enqueued. Answer B is incorrect. PQ ensures that
important traffic gets the fastest handling at each point where it is used. It
was designed to give strict priority to important traffic. Answer C is incorrect. First In, First Out (FIFO) queuing packets are forwarded in the same
order in which they arrive at the interface. Answer E is incorrect. WFQ is
one of Cisco's premier queuing techniques. It is a flow-based queuing algorithm that does two things simultaneously: It schedules interactive traffic to
the front of the queue to reduce response time, and it fairly shares the
remaining bandwidth between high-bandwidth flows. Finally, Answer F is
incorrect. WRR provides bandwidth to higher priority applications (using IP
precedence) and also grants access to lower-priority queues. The frame
schedule affords each queue the bandwidth allotted to it by the network
administrator. This mapping is configurable both at the system and interface
levels.

Question 51
Answer C is correct. The ToS field in an IP packet is used to assign a priority
to the packet. Answer A is incorrect. The ToS field does not identify the type
of payload; it indicates priority. Answers B and D are also incorrect. It neither
identifies network control information, nor indicates a particular queue.

Question 52
Answer C is correct. Link fragmentation and interleaving is appropriate for
slow links, links with a bandwidth of less than 768 Kbps. Answers A, B, and
D are incorrect. LFI is not appropriate for high-speed links. Cisco considers
slow-speed links to be less than 768 Kbps.

Question 53
Answer B is correct. Weighted Random Early Detection uses IP precedence
or DSCP values to selectively drop packets. Answers A, C, and D are incorrect. WRED uses IP precedence or DSCP to selectively drop packets; it
uses no other mechanism for this determination.

Question 54
Answer B is correct. To display priority queuing output, use the debug
priority privileged EXEC command. Answer A is incorrect. Use the debug
ip rsvp command to enable logging of significant Resource Reservation
Protocol (RSVP) events. Answer C is incorrect. There is no such command
as debug multilink ppp. Answer D is also incorrect. Use the debug ppp
multilink fragments command to display information about individual
multilink fragments and important multilink events.

Question 55
Answer C is correct. The service-policy command is used to apply a policy to a particular interface. Answer A is incorrect. The class-map command
is used to identify traffic. Answer B is incorrect. The policy-map command
is used to define the behavior of the traffic. Answer D is incorrect. Use the
mls qos global configuration command to enable quality of service (QoS) for
the entire switch. Finally, answer E is incorrect. Use the mls qos trust
interface configuration command to configure the port trust state.

Question 56
Answer C is correct. The Network Analysis Module (NAM) provides monitoring functions for your 6000/6500 Series Catalyst switch. Answer A is
incorrect. The FlexWAN module provides T1 WAN interfaces for distribution layer capabilities. Answer B is incorrect. The IDS sensor adds security
monitoring. Answer D is incorrect. The Supervisor Engine is the required
brains of the 6000/6500 Series switch.

Question 57
Answer A is correct. The appropriate command to monitor ingress traffic for
a SPAN session is monitor session 1 source interface fastethernet 5/1
rx. This command monitors traffic inbound on the Fast Ethernet interface
5/1. Answer B is incorrect. The command monitor session 1 source
interface fastethernet 5/1 tx monitors traffic on the Fast Ethernet interface, but monitors only traffic that is transmitted. Answer C is incorrect.
monitor session 1 destination interface fastethernet 5/1 configures
a SPAN destination interface, not a SPAN source interface. Finally, answer
D is incorrect. monitor session 1 source interface fastethernet 5/1
monitors the Fast Ethernet interface for both ingress and egress traffic.

Question 58
Answer D is correct. The aaa new-model command enables AAA globally on the switch. Answer A is incorrect. The aaa authentication login command creates a new authentication list. Answer B is incorrect. The ppp authorization command applies a named authorization list to an interface. Answer C is also incorrect. There is no such command as new aaa model.


Question 59
Answer C is correct. To cause a port to enter the error-disable state on a port security violation, you must use the shutdown keyword. Answer A is incorrect. The protect keyword causes packets with unknown source addresses to be dropped silently once the maximum number of secure MAC addresses has been reached, until a sufficient number of secure MAC addresses are removed; nothing is counted or reported. Answer B is incorrect. With the restrict option, the offending packets are likewise dropped, but the SecurityViolation counter increments and a notification is generated. Answer D is incorrect. There is no such option as the null option.
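The three violation modes compared in Question 59, as an added simulation (example code written for this edition, not code from the book or from Cisco IOS): a port configured with an assumed maximum of two secure MAC addresses receives four constructed frames, the third of them from an unexpected station. The class name, method names and MAC addresses are assumptions made for the example; the behaviour per mode follows the answer explanation above.

```python
"""Simulation of the port-security violation modes protect, restrict and shutdown.

Added example for this edition; not code from the book or from Cisco IOS.
Class, method and MAC values below are assumptions made for the example.
"""
from dataclasses import dataclass, field

MAX_SECURE_MACS = 2  # assumed: switchport port-security maximum 2


@dataclass
class SecurePort:
    violation_mode: str                 # "protect", "restrict" or "shutdown"
    maximum: int = MAX_SECURE_MACS
    secure_macs: set = field(default_factory=set)
    security_violation_count: int = 0   # the SecurityViolation counter
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> str:
        """Process one inbound frame and report what the port did with it."""
        if self.err_disabled:
            # An err-disabled port drops everything, including legitimate hosts,
            # until an administrator (or errdisable recovery) re-enables it.
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Below the maximum: learn the new address as a secure MAC.
            self.secure_macs.add(src_mac)
            return "forwarded (learned)"
        # Maximum reached and the source is unknown: a violation.
        if self.violation_mode == "protect":
            # Silent drop; no counter, no notification.
            return "dropped"
        if self.violation_mode == "restrict":
            # Drop, count the violation (IOS also logs and traps here).
            self.security_violation_count += 1
            return "dropped (violation counted)"
        if self.violation_mode == "shutdown":
            # Count the violation and err-disable the whole port.
            self.security_violation_count += 1
            self.err_disabled = True
            return "dropped (port err-disabled)"
        raise ValueError(f"unknown violation mode {self.violation_mode!r}")


def run_frames(mode: str, frames):
    """Feed a sequence of source MACs through a fresh port; return (results, port)."""
    port = SecurePort(violation_mode=mode)
    return [port.ingress(mac) for mac in frames], port


# Constructed traffic: two legitimate hosts, an unexpected third MAC,
# then the first legitimate host again.
SAMPLE_FRAMES = ["0000.0c11.1111", "0000.0c22.2222", "dead.beef.0001", "0000.0c11.1111"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        results, port = run_frames(mode, SAMPLE_FRAMES)
        print(f"{mode:9s} {results} violations={port.security_violation_count} "
              f"err-disabled={port.err_disabled}")
```

The last frame is the point of the comparison: under protect and restrict the legitimate host keeps working after the violation, whereas under shutdown the offender takes the legitimate host down with it, so shutdown trades availability for a hard stop that an operator has to investigate.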

Question 60
Answer A is correct. With no encapsulation, this Metro Ethernet tunneling option does not scale well, although it can be sufficient to carry the network of a single enterprise. Answer B is incorrect. Tag stacking provides isolation of enterprise traffic through the service provider. Answers C and D are incorrect. Ethernet over multiprotocol label switching is a scalable tunneling mechanism that maps VLANs through an MPLS core.

A
What's on the CD-ROM

This appendix provides a brief summary of what you'll find on the CD-ROM that accompanies this book. For a more detailed description of the PrepLogic Practice Exams, Preview Edition exam simulation software, see Appendix B, "Using the PrepLogic Practice Exams, Preview Edition Software." In addition to the PrepLogic Practice Exams, Preview Edition software, the CD-ROM includes an electronic version of the book in portable document format (PDF) and the source code used in the book.

The PrepLogic Practice Exams, Preview Edition Software
PrepLogic is a leading provider of certification training tools. Trusted by certification students worldwide, PrepLogic is the best practice exam software available. In addition to providing a means of evaluating your knowledge of this book's material, PrepLogic Practice Exams, Preview Edition features several innovations to help you improve your mastery of the subject matter. For example, the practice tests enable you to check your score by exam area or domain to determine which topics you need to study further. Another feature enables you to obtain immediate feedback on your responses in the form of explanations for the correct and incorrect answers.

PrepLogic Practice Exams, Preview Edition exhibits all the full-test simulation
functionality of the Premium Edition, but offers only a fraction of the total
questions. To get the complete set of practice questions, visit www.preplogic.com
and order the Premium Edition for this and other challenging exam training
guides.
For a more detailed description of the features of the PrepLogic Practice
Exams, Preview Edition software, see Appendix B.

An Exclusive Electronic Version of the Text
As mentioned previously, the CD-ROM that accompanies this book also contains an electronic PDF version of this book. This electronic version comes complete with all figures as they appear in the book. You can use Acrobat's handy search capability for study and review purposes.

B
Using the PrepLogic Practice Exams, Preview Edition Software

This book includes a special version of the PrepLogic Practice Exams software, a revolutionary test engine designed to give you the best in certification exam preparation. PrepLogic offers sample and practice exams for many of today's most in-demand and challenging technical certifications. A special Preview Edition of the PrepLogic Practice Exams software is included with this book as a tool to use in assessing your knowledge of the training guide material while also providing you with the experience of taking an electronic exam.
This appendix describes in detail what PrepLogic Practice Exams, Preview Edition is, how it works, and what it can do to help you prepare for the exam. Note that although the Preview Edition includes all the test simulation functions of the complete retail version, it contains only a single practice test. The Premium Edition, available at www.preplogic.com, contains a complete set of challenging practice exams designed to optimize your learning experience.

The Exam Simulation
One of the main functions of PrepLogic Practice Exams, Preview Edition is
exam simulation. To prepare you to take the actual vendor certification exam,
PrepLogic is designed to offer the most effective exam simulation available.

Question Quality
The questions provided in PrepLogic Practice Exams, Preview Edition are
written to the highest standards of technical accuracy. The questions tap the
content of this books chapters and help you review and assess your knowledge
before you take the actual exam.

The Interface Design
The PrepLogic Practice Exams, Preview Edition exam simulation interface
provides you with the experience of taking an electronic exam. This enables
you to effectively prepare to take the actual exam by making the test experience familiar. Using this test simulation can help eliminate the sense of
surprise or anxiety you might experience in the testing center because you
will already be acquainted with computerized testing.

The Effective Learning Environment
The PrepLogic Practice Exams, Preview Edition interface provides a learning
environment that not only tests you through the computer, but also teaches
the material you need to know to pass the certification exam. Each question
includes a detailed explanation of the correct answer, and most of these
explanations provide reasons as to why the other answers are incorrect. This
information helps to reinforce the knowledge you already have and also provides practical information you can use on the job.

Software Requirements
PrepLogic Practice Exams requires a computer with the following:
Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows 2000, or Windows XP
A 166MHz or faster processor
A minimum of 32MB of RAM
10MB of hard drive space

Performance
As with any Windows application, the more available memory, the better the performance.

Installing PrepLogic Practice Exams, Preview Edition
You install PrepLogic Practice Exams, Preview Edition by following these steps:
1. Insert the CD-ROM that accompanies this book into your CD-ROM drive. The AutoRun feature of Windows should launch the software. If you have AutoRun disabled, select Start, Run. Go to the root directory of the CD-ROM and select setup.exe. Click Open and then click OK.
2. The Installation Wizard copies the PrepLogic Practice Exams, Preview Edition files to your hard drive. It then adds PrepLogic Practice Exams, Preview Edition to your desktop and the Program menu. Finally, it installs test engine components to the appropriate system folders.

Removing PrepLogic Practice Exams, Preview Edition from Your Computer
If you elect to remove the PrepLogic Practice Exams, Preview Edition, you can use the included uninstallation process to ensure that it is removed from your system safely and completely. Follow these instructions to remove PrepLogic Practice Exams, Preview Edition from your computer:
1. Select Start, Settings, Control Panel.
2. Double-click the Add/Remove Programs icon. You're presented with a list of software installed on your computer.
3. Select the PrepLogic Practice Exams, Preview Edition title you want to remove. Click the Add/Remove button. The software is removed from your computer.

How to Use the Software
PrepLogic is designed to be user friendly and intuitive. Because the software has a smooth learning curve, your time is maximized because you start practicing with it almost immediately. PrepLogic Practice Exams, Preview Edition has two major modes of study: Practice Exam and Flash Review.
Using Practice Exam mode, you can develop your test-taking abilities as well as your knowledge through the use of the Show Answer option. While you're taking the test, you can expose the answers along with detailed explanations of why answers are right or wrong. This helps you better understand the material presented.
Flash Review mode is designed to reinforce exam topics rather than quiz you. In this mode, you're shown a series of questions but no answer choices. You can click a button that reveals the correct answer to each question and a full explanation for that answer.

Starting a Practice Exam Mode Session
Practice Exam mode enables you to control the exam experience in ways that actual certification exams do not allow. To begin studying in Practice Exam mode, you click the Practice Exam radio button from the main exam customization screen. This enables the following options:
Enable Show Answer: Clicking this button activates the Show Answer button, which makes it possible for you to view the correct answer(s) and full explanation for each question during the exam. When this option is not enabled, you must wait until after your exam has been graded to view the correct answer(s) and explanation for each question.
Enable Item Review: Clicking this button activates the Item Review button, which enables you to view your answer choices. This option also facilitates navigation between questions.
Randomize Choices: You can randomize answer choices from one exam session to the next. This makes memorizing question choices more difficult, thereby keeping questions fresh and challenging longer.
On the left side of the main exam customization screen, you're presented with the option of selecting the preconfigured practice test or creating your own custom test. The preconfigured test has a fixed time limit and number of questions. Custom tests enable you to configure the time limit and the number of questions in your exam.

The Preview Edition on this book's CD-ROM includes a single preconfigured practice test. You can get the complete set of challenging PrepLogic practice exams at www.preplogic.com to make certain that you're ready for the big exam.
You click the Begin Exam button to begin your exam.

Starting a Flash Review Mode Session
Flash Review mode provides an easy way to reinforce topics covered in the practice questions. To begin studying in Flash Review mode, click the Flash Review radio button on the main exam customization screen. Then select either the preconfigured practice test or create your own custom test. Click the Begin Exam button to begin a Flash Review mode session.

Standard PrepLogic Practice Exams, Preview Edition Options
The following list describes the function of each of the buttons you see across the bottom of the screen.

Button Status
Depending on the options, some of the buttons will be grayed out and inaccessible, or they might be missing completely. Buttons that are appropriate are active.

Exhibit: This button is visible if an exhibit is provided to support the question. An exhibit is an image that provides supplemental information that is necessary to answer a question.
Item Review: This button leaves the question window and opens the Item Review screen, from which you can see all questions, your answers, and your marked items. You can also see correct answers listed here, when appropriate.
Show Answer: This option displays the correct answer, with an explanation about why it is correct. If you select this option, the current question is not scored.
Mark Item: You can check this box to flag a question that you need to review further. You can view and navigate your marked items by clicking the Item Review button (if it is enabled). When your exam is being graded, you're notified if you have any marked items remaining.

Previous Item: You can use this option to view the previous question.
Next Item: You can use this option to view the next question.
Grade Exam: When you've completed your exam, you can click Grade Exam to end your exam and view your detailed score report. If you have unanswered or marked items remaining, you are asked whether you would like to continue taking your exam or view the exam report.

Seeing Time Remaining
If your practice test is timed, the time remaining is displayed in the upper-right corner of the application screen. It counts down the minutes and seconds remaining to complete the test. If you run out of time, you're asked whether you want to continue taking the test or if you want to end your exam.

Getting Your Examination Score Report
The Examination Score Report screen appears when the Practice Exam mode ends, whether as a result of time expiration, completion of all questions, or your decision to terminate early.
This screen provides a graphical display of your test score, with a breakdown of scores by topic domain. The graphical display at the top of the screen compares your overall score with the PrepLogic Exam Competency Score. The PrepLogic Exam Competency Score reflects the level of subject competency required to pass the particular vendor's exam. Although this score does not directly translate to a passing score, consistently matching or exceeding this score suggests that you possess the knowledge needed to pass the actual vendor exam.

Reviewing Your Exam
From the Your Score Report screen, you can review the exam that you just
completed by clicking the View Items button. You can navigate through the
items, viewing the questions, your answers, the correct answers, and the
explanations for those answers. You can return to your score report by clicking the View Items button.

Contacting PrepLogic
If you would like to contact PrepLogic for any reason, including getting
information about its extensive line of certification practice tests, you can do
so online at www.preplogic.com.

Customer Service
If you have a damaged product and need to contact customer service, please call
800-858-7674.

Product Suggestions and Comments
PrepLogic values your input! Please email your suggestions and comments
to feedback@preplogic.com.

License Agreement
YOU MUST AGREE TO THE TERMS AND CONDITIONS OUTLINED IN THE END USER LICENSE AGREEMENT (EULA)
PRESENTED TO YOU DURING THE INSTALLATION PROCESS.
IF YOU DO NOT AGREE TO THESE TERMS, DO NOT INSTALL
THE SOFTWARE.

Glossary

802.1D
See Spanning Tree Protocol.

802.1Q
802.1Q is an IEEE trunking mechanism that is an open standard.
Both ISL and 802.1Q add VLAN
information to the Ethernet frames
explicitly. However, the way in
which they perform this process is
different. With ISL, a 26-byte
header and a 4-byte trailer are
added to the frame: The original
frame is not modified. This process
is referred to as encapsulation. With
802.1Q, the actual frame is modified, or tagged. To denote VLAN
information, a 4-byte Tag Protocol
Identifier (TPID) and a 2-byte Tag
Control Information (TCI) are
inserted between existing fields in
the Ethernet frame.

802.1Q Tunneling
Q-in-Q tunneling, proprietary to
Cisco, is commonly referred to as
tag stacking. When you send tagged
VLAN traffic into a service

providers network, the service


providers switches add their own
VLAN tag to isolate your traffic
from other customers traffic. This
is accomplished by inserting another 802.1Q tag (the service
providers) into your 802.1Q
tagged frame. Actually, all of your
traffic can be tagged, including
BPDUs and CDP frames, making
the service providers network
appear completely transparent.
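The tagging and tag stacking described in the 802.1Q and 802.1Q Tunneling entries, as an added example written for this edition (not code from the book or from any Cisco product): it builds an Ethernet frame carrying a customer 802.1Q tag, inserts a provider tag in front of it the way a Q-in-Q edge switch does, and parses the stacked tags back out, outermost first. The set of TPID values treated as tags, the helper names and the frame contents are assumptions made for the example.

```python
"""Build and parse 802.1Q tags, including stacked (Q-in-Q) provider tags.

Added example for this edition; not code from the book. Frame contents and
the TPID set are constructed assumptions for the example.
"""
import struct

TPID_8021Q = 0x8100
# TPIDs this parser treats as a VLAN tag. 0x8100 is the 802.1Q value the
# glossary describes; 0x88A8 (802.1ad S-tag) and 0x9100 are included on the
# assumption that a provider edge may stack with either (example choice).
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_tagged_frame(frame: bytes) -> dict:
    """Return MACs, the list of tags (outermost first) and the payload ethertype.

    Each tag is 4 bytes: 2-byte TPID followed by 2-byte TCI, where TCI is
    3 bits of priority (PCP/CoS), 1 CFI/DEI bit and a 12-bit VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TPIDS:
            break                       # reached the real type/length field
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "tpid": ethertype,
            "priority": tci >> 13,
            "dei": (tci >> 12) & 1,
            "vlan_id": tci & 0x0FFF,
        })
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def build_tagged_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Build a frame with zero or more stacked tags; vlans is [(vid, priority), ...] outermost first."""
    header = dst + src
    for vid, priority in vlans:
        tci = (priority << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def add_provider_tag(frame: bytes, svlan: int, priority: int = 0) -> bytes:
    """What a Q-in-Q edge switch does: insert the provider's tag right after the source MAC."""
    tci = (priority << 13) | (svlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


# Constructed sample: a customer frame in VLAN 100 with CoS 5 (broadcast dst,
# made-up source MAC, minimal IPv4 payload), then tunneled in provider VLAN 2001.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00000c111111")
CUSTOMER_FRAME = build_tagged_frame(DST, SRC, [(100, 5)], 0x0800, b"\x45" + b"\x00" * 19)
PROVIDER_FRAME = add_provider_tag(CUSTOMER_FRAME, 2001)

if __name__ == "__main__":
    for label, frame in (("customer", CUSTOMER_FRAME), ("in provider core", PROVIDER_FRAME)):
        parsed = parse_tagged_frame(frame)
        print(label, [t["vlan_id"] for t in parsed["tags"]], hex(parsed["ethertype"]))
```

The parser keeps looping while the 2 bytes after the MAC addresses hold a tag TPID, which is exactly why stacked tags work: the provider's switch stops after the first tag, the customer's switch strips the outer tag at the far edge and sees its own tag again. A practitioner checking an access port can run the same loop and treat any frame that yields more than one tag as something that should not be there.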

802.1W
See Rapid STP.

802.1X
IEEE's 802.1x standard defines how to authenticate and control port access. With 802.1x enabled, a switch port is initially in an unauthorized state, and the switch allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port until the user has been authenticated; 802.1x uses EAPOL to carry the authentication exchange. When the user is authenticated, all of his traffic is permitted. If the client doesn't support 802.1x, the port remains in the unauthorized state.

Access Layer
The access layer is one of three layers of Cisco's hierarchical design model. The access layer provides the user entry point into the switched network. It allows for the connection of different users and their servers. At this layer, you can provide shared or switched access.

Access Link
An access link is a connection that belongs to a single VLAN and is completely transparent to the users. They have no knowledge of the existence of the VLAN. However, once a user's frame enters the switch, it must be associated with VLAN information that the switch fabric can use to forward the frame.

Active RP
In HSRP, the role of the active and standby RPs is based on the priority of the RPs in the HSRP group. The RP with the highest priority is elected as the active RP, and the one with the second highest is elected as the standby RP. If the priorities are the same, the IP address of the RP is used as a tiebreaker: the RP with the higher IP address is elected for the role. The active RP is responsible for forwarding all traffic destined to the virtual RP's MAC address. A second RP is elected as a standby RP. The standby RP keeps tabs on the active RP by listening for HSRP multicast messages, called HSRP hellos.

Alternate Port
This RSTP port serves as a secondary root port in case the primary root port fails. It is in a discarding port state unless a failure of the root port or its connection occurs, in which case it is moved to a forwarding state.

Application Specific Integrated Circuit (ASIC)
ASICs are specialized processors that perform only one or a few functions very fast. One limitation of ASICs is that they aren't plug-and-play: you can't use just any ASIC for a certain task. However, because ASICs perform only a small number of tasks, their cost is much less than that of a general-purpose processor and their speed is much faster. As an example, if you were to use a processor to switch frames between interfaces, you would get forwarding rates in the high thousands or low millions of packets per second (pps). But with a specially designed ASIC, you could get forwarding rates in the tens or hundreds of millions of pps.

Architecture for Voice, Video, and Integrated Data (AVVID)
AVVID is a process that Cisco developed to help design complex networks with multiple coexisting technologies. Cisco created this architecture to simplify the planning, designing, and implementing of networks for companies. AVVID has three main components: network infrastructure, intelligent network services, and network solutions.
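The HSRP election rule stated in the Active RP entry above, as an added example written for this edition (not code from the book, and it does not speak HSRP on the wire): it ranks the routers of one HSRP group by priority and breaks ties on the numerically higher IP address, assigning active, standby and listen roles. Router names and addresses are constructed for the example.

```python
"""HSRP active/standby election as described in the Active RP glossary entry.

Added example for this edition; not code from the book. Router names and
addresses are constructed assumptions.
"""
import ipaddress
from typing import Dict, Iterable, Tuple


def election_key(router: dict) -> Tuple[int, int]:
    """Sort key: priority first, then the IP address compared as a 32-bit integer.

    Comparing dotted-quad strings would rank "10.1.1.9" above "10.1.1.10",
    which is the wrong answer, so the address is converted to an integer.
    """
    return (router["priority"], int(ipaddress.IPv4Address(router["ip"])))


def elect(routers: Iterable[dict]) -> Dict[str, str]:
    """Return {router name: HSRP role} for one group.

    The top-ranked router becomes active, the next becomes standby, and any
    others sit in the listen state waiting for one of those two to fail.
    """
    ranked = sorted(routers, key=election_key, reverse=True)
    if not ranked:
        raise ValueError("HSRP group has no routers")
    roles = {}
    for position, router in enumerate(ranked):
        if position == 0:
            roles[router["name"]] = "active"
        elif position == 1:
            roles[router["name"]] = "standby"
        else:
            roles[router["name"]] = "listen"
    return roles


# Constructed group (hostnames and addresses are assumptions for this example):
# R1 and R2 tie on priority, so the IP tiebreaker decides between them.
GROUP = [
    {"name": "R1", "priority": 100, "ip": "10.1.1.9"},
    {"name": "R2", "priority": 100, "ip": "10.1.1.10"},
    {"name": "R3", "priority": 90, "ip": "10.1.1.11"},
]

if __name__ == "__main__":
    for name, role in elect(GROUP).items():
        print(f"{name}: {role}")
```

With the constructed group, R2 wins the tie against R1 because 10.1.1.10 is the higher address when compared numerically, and R3 stays in listen despite having the highest address of all because its priority is lower.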

Authentication, Authorization,
and Accounting (AAA)
AAA centralizes authentication,
authorization, and accounting
functions. Authentication provides
a means for identifying an individual and validating her access to a
device. Authorization verifies what
specific tasks a user can perform on
a device. Accounting keeps a
record of what a user did on a
device.

BackboneFast
BackboneFast is a Cisco-proprietary enhancement to STP that provides scalability to STP on your backbone switches (core and distribution layer). BackboneFast and UplinkFast are complementary STP enhancements. One major difference between UplinkFast and BackboneFast is that UplinkFast works only for directly connected links that fail, whereas BackboneFast has the capability to detect indirect link failures, that is, failures of links not directly connected to the switch.

Backup Port
This RSTP port serves as a secondary designated port in case the primary designated port fails. It is in a discarding port state unless a failure of the designated port occurs, in which case it is moved to a forwarding state.

Blocking Port
In STP, a blocking port listens only for BPDUs from other switches; it does not forward any user frames. A port is placed in this state when it is neither the root port nor the designated port for its segment, because a superior BPDU is being heard on that segment. If a blocking port stops hearing BPDUs for the maximum age timer interval, STP assumes the path it was backing up has failed and begins moving the port toward the forwarding state.

Bridge Identifier
Each bridge has a unique identifier that it uses when it multicasts its BPDUs. The identifier is made up of a bridge (switch) priority and one of the switch's MAC addresses.

Bridge Protocol Data Unit (BPDU)
Switches periodically send out a special multicast packet, called a BPDU, that helps them to advertise themselves, their configurations, and any changes that have occurred. BPDUs help switches discover the topology of the network, including loops. If the cost of a link changes, a new switch or segment is added to the network, or an existing switch or segment fails, this information is propagated via BPDUs and will cause the switches to run the STP algorithm. This is done to remove any existing loops that those changes might have created or to ensure that there is still one active path between any two destinations.

BPDU Guard
BPDU Guard is a Cisco feature that will shut down a PortFast port if a BPDU is received on it. After the port is shut down, the status of the interface is error disabled. BPDU Guard is disabled by default.

BPDU Skewing
BPDU skewing refers to the time difference between when a switch expects to receive BPDUs and when they are actually received. BPDU skewing can occur in any of the following situations: STP topology changes occur, one of STP's timers expires, or a BPDU is not received within an expected time interval. When any of these three occurrences happen, switches flood the network with BPDUs to ensure that the most up-to-date information is contained in the STP topology table.

Broadcast
When a broadcast packet is generated, everyone in the broadcast domain sees this packet and processes it. However, there's no guarantee that any or all destinations will receive the broadcast.

Centralized Switching
In a centralized switching architecture, all switching decisions are handled by a central, single forwarding table. A centralized switching device can contain both Layer 2 and Layer 3 functionality. In other words, this table can contain both Layer 2 and Layer 3 addressing and protocol information as well as access control list (ACL) and quality of service (QoS) information.

Cisco Express Forwarding (CEF)
See Topology-Based Switching.

Cisco Group Management Protocol (CGMP)
CGMP, a Cisco-proprietary multicasting protocol, is a dynamic process that updates the switch's address table with multicast addresses, as with snooping, but without the performance penalty of snooping. CGMP allows Cisco's switches to learn from Cisco's IGMP-enabled RPs about the list of end stations participating in the different multicast groups. Switches take this address information and appropriately update their CAM tables. This solution has very little overhead: only a minimal amount of management traffic is relayed between the RP and the switch.

Class-Based Weighted Fair Queuing (CB-WFQ)
CB-WFQ is an extension of WFQ. With WFQ, the IOS automatically determines what goes into the higher and lower queue structures; you have no control over the process. With CB-WFQ, you can configure up to 64 classes and control which traffic is placed in which class. Within a class, you can restrict it to a certain amount of bandwidth on the egress interface. CB-WFQ gives you much more prioritization control on queuing on the egress interface, but requires configuration on your part. The one nice feature of WFQ is that it doesn't require any configuration on E1 or slower WAN link connections because it is already enabled and the IOS automatically performs the prioritization for you.

Coarse Wave Division Multiplexing (CWDM)
CWDM is a last-mile MAN technology and supports up to eight wavelength frequencies. It is used for short distances, such as customers located in the same building.

Common Spanning Tree (CST)
With CST, only one instance of STP runs for all the VLANs. STP runs in the default management VLAN, which is typically VLAN 1. Because only one instance of STP exists, one root switch is elected and all loops are removed.

Content Addressable Memory (CAM)
CAM is a special type of high-speed memory used in transparent bridges to store source MAC address and port identifier information. The term is still used today even though switches use some form of dynamic RAM.

Core Layer
The core layer is one of three layers of Cisco's hierarchical design model. The function of the core layer is to offer an extremely high-speed Layer 2 switching backbone between different distribution layers to provide packet switching that is as fast as possible.

Custom Queuing (CQ)
CQ has 16 queues. The same classification techniques used in priority queuing (PQ) are used to place packets into one of the 16 queues. The main difference between PQ and CQ is that priority queuing guarantees only that the high queue will be processed, whereas CQ guarantees that every queue will be processed. Queues are processed in a round-robin fashion. To give preference to one queue over another, you specify the amount of traffic that is allowed to be processed from a queue.

Dense Mode (DM)
DM multicast routing protocols assume that there are many multicast end stations spread across most of your segments in your campus network and that your network infrastructure has a lot of available bandwidth. This means that most if not all of your RPs must be forwarding multicast traffic from the multicast servers to the multicast end stations. DM protocols initially flood the network with multicast traffic and then, based on the discovery of participating end stations, prune back the distribution tree to include only those segments with participating end stations. The RPs use IGMP to discover the end stations.

Dense Wave Division Multiplexing (DWDM)
DWDM supports multiple wavelength frequencies on a single strand of fiber (up to 200). It supports very high data rates (Gbps). One advantage it has over SONET is that SONET uses TDM, which wastes bandwidth.

Designated Port
After the root ports for each bridge have been determined by running the STP algorithm, designated bridges and designated ports are resolved. Each LAN segment has a designated switch, which has the lowest accumulated path cost to the root switch. All frames that are forwarded to that particular segment go through the designated switch via its designated port, and no other ports. If two or more switches have the same path cost to the root switch for a given segment, the bridge with the lower switch identifier will be chosen as the designated switch. Through the process of elimination, eventually only one switch will remain that has a designated port for each LAN segment.

Designated Switch
See Designated Port.

DiffServ
DiffServ uses a multiple-service model to implement QoS. With DiffServ, applications do not signal their QoS requirements before sending their data. Instead, DiffServ is implemented within your network infrastructure and groups related traffic types together, marking them with classification information. This provides an advantage over IntServ because you don't need to modify any end stations.

Directed VLAN Services (DVS)
With DVS, edge switches connect to the MAN carrier via a trunk link. From the edge switches' perspective, they know that they are connecting to a service provider switch and are setting up a trunk connection to the carrier's switch, typically with 802.1Q. Connections by the carrier can be set up as either point-to-point or multipoint.

Distributed Switching
In a distributed switching architecture, switching decisions are decentralized. As a simple example, a 6500 switch has each port (or module) make its own switching decision for inbound frames while a main processor or ASIC handles routing functions and ensures that each port has the most up-to-date switching table. One advantage of the distributed implementation approach is that by having each port or module make its own switching decision, you're placing less of a burden on your main CPU or forwarding ASIC because you're distributing the processing across multiple ASICs. In this case, a separate forwarding engine (ASIC) is used for each port and each port has its own small switching table. With this approach, you can achieve much greater speeds than a switch that uses central forwarding for switching: rates of more than 100Mpps.

Distribution Layer
The distribution layer is one of three layers of Cisco's hierarchical design model. The distribution layer is the demarcation point between the core and the access layers of a campus network. The distribution layer switches should perform all Layer 3 and policy functions. These include the following tasks: connecting to access switches to provide workgroup and department access; implementing VLANs to handle broadcast issues; routing between VLANs; designing addressing and address summarization; enforcing security policies; translating between different media types such as FDDI, Ethernet, and Token Ring.

Distribution Tree
To forward multicast traffic intelligently, RPs must be able to build a distribution tree. A distribution tree is somewhat similar to the spanning tree used by switches to remove Layer 2 loops. Using a distribution tree, RPs can ensure that a multicast frame traverses a segment only once in the network. This minimizes the bandwidth impact, which is accomplished by making sure that there's one and only one path from the source of the multicast traffic to each of the end stations that wants to see it.

Dynamic Trunk Protocol (DTP)
DTP is a Cisco-proprietary protocol that automatically negotiates whether trunking can be performed on a connection. DTP supports automatic negotiation of both ISL and 802.1Q on trunk-capable links.

Dynamic VLANs
Dynamic VLANs require you to assign a user to a VLAN once, and switches dynamically use this information to configure the port on the switch automatically. Dynamic VLANs can be based on the following items: the MAC addresses of workstations, the Layer 3 addresses (such as IP addresses), the protocol type (such as IP or IPX), or directory information stored in Novell's NDS or Microsoft's Active Directory.

Enterprise Campus
The Enterprise Campus provides the three-layer hierarchical campus model, but doesn't include remote or Internet connections (these are in the Enterprise Edge). Within the Enterprise Campus model, you'll find the following submodules: Campus Infrastructure, Network Management, Server Farms, and Edge Distribution.

Enterprise Edge
The Enterprise Edge controls traffic between the Service Provider Edge and the Enterprise Campus. The Enterprise Edge contains four submodules: E-commerce, Internet Connectivity, Remote Access and VPNs, and WAN Access.


Enterprise Model
One of the limitations of the three-layer hierarchical model is that it covers only a single campus design. Cisco has expanded on this and created the Enterprise Composite Network Model (ECNM), which breaks up a network into three functional areas: Enterprise Campus, Enterprise Edge, and Service Provider Edge. The main purpose of the ECNM is to define clear boundaries, or demarcation points, between different modules, or areas, of your network.

EtherChannel
EtherChannel is a technology that allows you to bundle up to 8 Fast Ethernet or Gigabit Ethernet connections, providing up to 1,600Mbps or 16Gbps of bandwidth in full-duplex mode. The channel is treated as one logical connection between two switches. Even if one of the connections in the EtherChannel fails, the other connection(s) still operate properly.

Ethernet over MPLS (EoMPLS)
EoMPLS extends MPLS by tunneling Layer 2 Ethernet frames across a service provider's Layer 3 core. EoMPLS has more scalability than Q-in-Q because it has a Layer 3 core, and Layer 2 information, including STP, can be tunneled through the service provider.

First-In First-Out (FIFO) Queuing
FIFO queuing doesn't provide any type of QoS: the first packet or frame received is the first one queued. Traffic is not associated with any class; instead, priority is defined by when the packet comes into an interface. The default queuing method on Cisco Catalyst switches is FIFO queuing, which performs queuing in hardware.

Forwarding Port
After finally completing the learning state in STP, a port is placed into a forwarding state in which the bridge performs its normal functioning. It learns source MAC addresses and updates the switch's CAM table, as well as forwarding user frames through the switch itself.

Gateway Load Balancing Protocol (GLBP)
GLBP is a Cisco-proprietary protocol, like HSRP. One of the limitations of HSRP and VRRP is that only one router in the HSRP group is active and can forward traffic for the group; the rest of the routers sit idle. GLBP allows the dynamic assignment of a group of virtual addresses to end stations. With GLBP, up to four RPs in the group can participate in the forwarding of traffic. In addition, if a GLBP RP fails, fault detection occurs automatically and another GLBP RP will pick up the forwarding of packets for the failed RP.

Hot Standby Routing Protocol (HSRP)
HSRP is a Cisco-proprietary protocol that provides Layer 3 redundancy to overcome the issues of IRDP, Proxy ARP, end station routing protocols, and a single definition of a default gateway on the end station. Unlike the four previous solutions, HSRP is completely transparent to the end stations: you do not have to perform any additional configuration on the end stations themselves. HSRP allows Cisco RPs to monitor each other's status by establishing HSRP groups, providing a very quick failover when a primary default gateway fails.

ICMP Redirect Protocol (IRDP)
IRDP extends ICMP, allowing an end station to dynamically learn the default gateways that exist in the VLAN. RPs announce themselves every 5 to 10 minutes and end stations hold this information for up to 30 minutes. The main problem with IRDP is that if the primary RP fails, it might take up to 30 minutes before the end station starts using a different RP.

Internet Group Management Protocol (IGMP)
IGMP provides a standardized and dynamic client registration process in which clients advertise the multicast applications they want to participate in to their connected RPs. You find two basic components in all three versions of IGMP: multicast hosts and multicast queriers. Those two components share two different types of messages. Query messages are used by the RP to discover the end stations on a segment that are participating in a multicast group. Report messages are used by end stations in response to the RP's query message to notify the RP of their participation in a multicast group. The relationship between multicast querier and host is a loose one. Hosts come and go as they please, based on the user starting or stopping a multicast application.

Internal STP (IST)
IST is an internal STP process running on an MST switch. IST is used to handle interaction between MST and CST switches. Because 802.1Q is an IEEE standard, MST must be backward compatible with switches that support only CST. IST is used to implement this functionality and interact with CST switches. IST essentially treats the entire MST region as a virtual bridge when interacting with CST switches.

IGMP Snooping
In IGMP snooping, the switch dynamically keeps track of the joining and leaving by members of a multicast group. The switch does this by snooping the IGMP queries that RPs generate and the reports that multicast end stations reply with. The problem with this approach is that the switch must examine every multicast frame, which is very process intensive and introduces a lot of latency in the switching of everyone's frames, including the multicast traffic.


InterSwitch Link (ISL)
ISL is a Cisco-proprietary technology for trunking VLANs at Layer 2. Unlike normal Ethernet NICs, ISL cards cost more because specialized ASICs and processors are included to support the framing encapsulation at gigabit speeds. ISL adds a 26-byte header and a 4-byte trailer (a CRC computed over the encapsulated Ethernet frame) to the original Ethernet frame, for a total of 30 bytes of overhead.

IntServ
IntServ is defined in RFC 1633 and provides a guarantee of QoS for an application connection. This is different from DiffServ, which does this based on traffic classifications, not specific connections. IntServ is implemented using RSVP on all devices handling the connection, including the source and destination. RSVP uses signaling to set up the connection and to maintain QoS. When a new connection is being established, RSVP needs to determine what paths and devices are used to support the connection. The Common Open Policy Service (COPS) is used to centralize the setup and maintenance of the connection.

Layer 3 Switch
A Layer 3 switch is an enhanced router. One problem of traditional routers is that a generic processor performs most of the switching decisions. Using a generic processor allows the router to perform all tasks, but it doesn't perform all of them well. To overcome this inefficiency, Layer 3 switches use inexpensive ASICs to perform forwarding of frames. This allows Layer 3 switches to achieve very high forwarding rates and, in tandem with a generic processor, still allows the Layer 3 switch to offer many of the other features of a traditional router.

Learning Port
Upon the completion of the listening state in STP, a port moves into a learning state. In this state, a port examines user frames for source MAC addresses and places them in the switch's CAM table. Still, no user frames are forwarded through the switch.

Link Aggregation Control Protocol (LACP)
LACP is IEEE's version of dynamically forming trunks. LACP is defined in 802.3ad and is similar to Cisco's PAgP. Like PAgP, LACP is used to interact with a remote switch to determine whether they have multiple connections between them that can be bound together into a single EtherChannel.

Listening Port
Passing from a blocking state in STP, a port enters into a listening state. In this state, a port listens for frames to detect available paths to the root switch, but does not take any source MAC addresses of end stations and place them in the CAM table. Likewise, the switch does not forward any user frames.


Loop Guard
The Loop Guard feature is similar to UDLD. Loop Guard is used to detect the loops typically caused by unidirectional connections. Loop Guard performs an additional check compared to UDLD: If BPDUs are no longer being received on a nondesignated port, instead of moving the port through the listening, learning, and forwarding states, Loop Guard instead places the port in a blocked state, marking it as inconsistent. One nice feature of Loop Guard, as compared to UDLD, is that when the problem is fixed, Loop Guard has the ports transition back to the correct states.

Multicast
When a multicast frame is generated, everyone in the broadcast domain sees the packet, but only a group of machines (those running that multicast application) process it. Multicasting is the transmission of a packet to a host group, which can contain from zero to many end stations. Like a broadcast, a multicast is sent with best-effort reliability: there's no guarantee that all the machines will see it.

Low Latency Queuing (LLQ)
LLQ uses two forms of queuing: PQ and CB-WFQ. The first thing that LLQ checks is whether the classification of the egress traffic is high. You can also reserve either a percentage of bandwidth or a block of bandwidth for the high-priority queue. If the traffic is high priority, it is processed first. Otherwise, CB-WFQ is used to process traffic.

Modular QoS CLI (MQC)
MQC is the term that Cisco uses to define the implementation of QoS on an IOS device. MQC is used to create your QoS traffic policies and then to associate these policies to the device's interface(s). Each traffic policy you create has two components: a traffic class that classifies (or groups) traffic and a traffic policy that defines how the traffic should be processed.

Multilayer Switch
Multilayer switching combines Layer 2, Layer 3, and Layer 4 switching, all in one chassis. These switches can examine information in the transport layer segment (TCP and UDP) to help make intelligent switching decisions. To do this, a multilayer switch routes the first packet in a packet stream but switches the rest, sometimes referred to as "route once, switch many."

Multiple STP (MST)
MST is an enhancement to IEEE's RSTP. MST is similar to Cisco's PVST. The main purpose of MST is to allow multiple instances of STP, but to reduce the amount of overhead associated with Cisco's PVST. Instead of having a separate instance of STP for each VLAN, MST uses the concept of an MST instance, in which multiple VLANs can be associated with an instance.


Native VLAN
802.1Q trunks support a native VLAN. A native VLAN is a VLAN that does not tag frames. This is different from ISL, in which all VLANs that traverse the trunk carry VLAN information. One advantage that native VLANs provide is that you can have both 802.1Q and non-802.1Q devices on the same trunk connection.

Network Analysis Module (NAM)
Instead of using an external network analyzer or RMON probe to analyze or gather your traffic, the Catalyst 6000 Series switches support a Network Analysis Module (NAM). A NAM is similar to an RMON probe. You can use it to gather RMON (RFC 1757) and RMON2 (RFC 2021) information. The NAM itself cannot perform analysis on the captured data. However, you can use either Cisco's TrafficDirector product or any IETF-based RMON-gathering product.

NetFlow Switching
NetFlow switching is a Cisco-proprietary form of route caching. With NetFlow switching, the RP and ASICs work hand-in-hand. The first packet is handled by the main processor or ASIC. If the destination MAC address matches the RP's address (the Layer 3 address doesn't have to match), the processor will program its interface ASICs to process further traffic for this connection at wire speeds. The main processor will update the interface's cache with the appropriate connection information: the source and destination MAC addresses, IP addresses, and IP protocol information. This is done for each direction of a connection; in other words, the table is unidirectional. The interface ASIC will use this information to forward traffic without having to interrupt the CPU.

Path Costs
Each port has an associated cost, which is usually the inverse of the actual bandwidth of the port. When you're choosing ports to place into forwarding mode in STP, lower accumulated port costs of the paths to the root switch are preferred.

Per-VLAN STP (PVST)
To solve the scalability and convergence problems of CST, Cisco's PVST uses a separate instance of STP per VLAN. This means that for each VLAN, you have a root, port costs, path costs, and priorities, and all these can be different per VLAN. To ensure unique bridge IDs for each VLAN, Cisco switches have a pool of MAC addresses to choose from.

PVST+
PVST+ is a Cisco extension to its PVST protocol. PVST+ allows the incorporation of both IEEE's 802.1Q CST and Cisco's PVST in a switched network. One nice feature of PVST+ is that you do not have to configure anything on your switches to use it; it works automatically. It detects CST and PVST and makes the appropriate changes or adjustments.

Priority Queuing (PQ)
PQ has four queues, where each queue has a distinct priority: high, medium, normal, and low. Strict priority is enforced in this scheme. First, the high queue is emptied. After the high queue has been emptied, the IOS checks to make sure that no new packets have been added to it. If so, the high queue is processed again. Only when the IOS checks the high queue and finds it empty is the medium queue processed. Both the high and medium queues must be empty for the normal queue to be processed, and the high, medium, and normal queues must be empty before the low queue is processed.
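The strict-priority dispatch described above, as an added example that is not from the book: a small simulation of the four PQ queues in which every dispatch re-checks the higher queues first, so a steady stream of high-priority arrivals starves the lower queues. The arrival pattern is constructed for the example.

```python
from collections import deque

# Queue names in strict priority order (highest first), as in the PQ entry.
LEVELS = ("high", "medium", "normal", "low")


class PriorityQueuing:
    """Four-queue strict priority scheduler.

    Each dispatch starts again from the high queue, which models the IOS
    behaviour described above: a lower queue is only served when every
    queue above it has been checked and found empty.
    """

    def __init__(self):
        self.queues = {level: deque() for level in LEVELS}

    def enqueue(self, level, packet):
        self.queues[level].append(packet)

    def backlog(self):
        return sum(len(q) for q in self.queues.values())

    def dequeue(self):
        # Re-check from the top on every call; the first non-empty queue wins.
        for level in LEVELS:
            if self.queues[level]:
                return level, self.queues[level].popleft()
        return None


def run_schedule(arrivals, max_ticks=10_000):
    """Dispatch one packet per tick.

    arrivals: iterable of (tick, level, packet_id). Packets arriving at a
    tick are enqueued before that tick's dispatch. Returns a list of
    (dispatch_tick, level, packet_id) in dispatch order.
    """
    pq = PriorityQueuing()
    pending = sorted(arrivals, key=lambda a: a[0])
    dispatched = []
    tick, i = 0, 0
    while (i < len(pending) or pq.backlog()) and tick < max_ticks:
        while i < len(pending) and pending[i][0] <= tick:
            _, level, packet = pending[i]
            pq.enqueue(level, packet)
            i += 1
        item = pq.dequeue()
        if item is not None:
            dispatched.append((tick, item[0], item[1]))
        tick += 1
    return dispatched


# Constructed arrival pattern: one medium and one low packet arrive at tick 0
# together with the first of five back-to-back high-priority packets.
ARRIVALS = [
    (0, "medium", "M1"),
    (0, "low", "L1"),
    (0, "high", "H1"),
    (1, "high", "H2"),
    (2, "high", "H3"),
    (3, "high", "H4"),
    (4, "high", "H5"),
]


def demo():
    return run_schedule(ARRIVALS)


def queueing_delay(dispatched, arrivals):
    """Map packet_id -> ticks spent waiting (dispatch tick minus arrival tick)."""
    arrived = {packet: tick for tick, _, packet in arrivals}
    return {packet: tick - arrived[packet] for tick, _, packet in dispatched}


if __name__ == "__main__":
    order = demo()
    for tick, level, packet in order:
        print(f"tick {tick}: {level:<6} {packet}")
    print(queueing_delay(order, ARRIVALS))
```

The starvation the output shows is the flip side of strict priority: whatever the classifier places in the high queue delays everything below it, so the classification feeding PQ has to be as trustworthy as the scheduler.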

Private VLANs (PVLANs)
PVLANs provide Layer 2 isolation between devices within the same private VLAN.

Protocol Independent Multicast (PIM)
PIM is a multicast routing protocol that's currently being defined by a draft RFC. The Internet Engineering Task Force (IETF) is discussing PIM's ongoing development. PIM is unique in that it supports both dense and sparse modes, making it much more flexible than other multicast routing protocols. PIM uses IGMP to transport its routing information.

Port Aggregation Protocol (PAgP)
PAgP, a Cisco-proprietary protocol, allows the dynamic creation of EtherChannels between switches without your intervention. Using this Cisco protocol, switches send special frames out of ports capable of forming EtherChannels to discover whether neighboring switches support this feature. If so, a channel is formed between the ports if the necessary configuration conditions have been met.

PortFast
PortFast, a Cisco-proprietary STP enhancement, reduces the size of the STP database by excluding ports that do not have bridges or switches connected to them and removing them from the STP topology, thereby minimizing downtime when changes occur in a switched network. PortFast should only be used to connect to nonbridge and nonswitch devices, like a PC, router, or file server; otherwise, you might inadvertently create Layer 2 loops.

Proxy ARP
Proxy ARP is used when an end station ARPs for the MAC address of a destination device that is on a different subnet. A Cisco RP can respond back to the end station with its own MAC address, making it appear that the destination is on the same segment. Proxy ARP is enabled, by default, on Cisco RPs. The main disadvantage is that if the RP fails, the end station won't discover this unless it reboots or re-ARPs.


Q-in-Q Tunneling
See 802.1Q Tunneling.

Random Early Detection (RED)
RED is a mechanism that handles congestion slightly better than tail dropping. With RED, a threshold is assigned to the queue. When this threshold is reached, traffic being placed into the queue is randomly dropped: Some traffic is allowed to enter the queue, but other traffic is dropped. RED, therefore, tries to deal with congestion before the queue is filled up and everything has to be dropped. However, RED has one main problem: It doesn't look at the class of traffic (CoS or IP Precedence) when dropping traffic; it just randomly drops certain packets.

Rapid STP (RSTP)
Because of convergence issues in the 802.1D STP algorithm, IEEE developed 802.1w. 802.1w, also called RSTP, includes enhancements to speed up the convergence of STP. One of the main problems of using Cisco's STP enhancements (PortFast, UplinkFast, and BackboneFast) is that they are proprietary and function only on Cisco switches. In most instances, you can use RSTP instead of Cisco's proprietary STP enhancements and get the same or better performance from your STP process.

Real-Time Transport Protocol Priority Queuing (RTP-PQ)
RTP, an IP protocol, is used to provide transport services for voice and video information. Cisco supports a queuing method called RTP-PQ, which provides a strict prioritization scheme for delay-sensitive traffic. Delay-sensitive traffic is given higher prioritization and is processed before other queues. This queuing scheme is normally used for WAN connections. With RTP-PQ, there are four queues, just as in PQ. The highest priority queue, voice, is always processed first. The IOS looks at the UDP port numbers to determine whether traffic should be placed in this queue. Data is typically placed in the other three queues. These queues use either the CB-WFQ or WFQ method to process and dispatch packets from the queue.

Remote SPAN (RSPAN)
RSPAN is an extension of local SPAN. With local SPAN, all the source and destination ports are on the same switch. With RSPAN, these ports can be on different switches. This is very handy if you have only a limited number of network analyzers or RMON probes, but still want to see certain traffic across all your switches in an area. RSPAN enables you to capture traffic on one switch, but redirects it to a port on another switch.


Root Guard
Root Guard is a Cisco feature that you can use to force a particular port to be a designated port to ensure that switches connected to it do not become the root switch. Root Guard enables you to create an STP topology in which you explicitly control which switch becomes and stays the root switch (barring any failures).

Root Port
After the root switch is elected, each switch determines which port, called the root port, it uses to reach the root switch. The root port is the port on a switch that has the lowest accumulated cost to the root switch.
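The root-port selection that the Path Costs and Root Port entries describe, as an added example that is not from the book: a shortest-path computation over a constructed four-switch topology that returns each switch's root path cost and the neighbor its root port faces. The bandwidth-to-cost table uses the common 802.1D short values, and ties are broken only by switch name (real STP uses bridge and port IDs); both are assumptions of the example.

```python
import heapq

# Port cost per link speed in Mbps (assumed: the common 802.1D-1998 short
# values, which follow the "inverse of bandwidth" idea in the Path Costs entry).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology: (switch A, switch B, link speed in Mbps).
# SW3 has a direct 100Mbps link to the root but a cheaper 1Gbps path via SW2.
LINKS = [
    ("SW1", "SW2", 1000),
    ("SW1", "SW3", 100),
    ("SW2", "SW3", 1000),
    ("SW3", "SW4", 100),
    ("SW2", "SW4", 10),
]


def build_graph(links):
    """Undirected adjacency list: switch -> list of (neighbour, port cost)."""
    graph = {}
    for a, b, mbps in links:
        cost = PORT_COST[mbps]
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def root_ports(links, root):
    """Return switch -> (root path cost, neighbour on the root port).

    The root itself maps to (0, None). Accumulated cost is the sum of the
    port costs along the path, and the lowest accumulated cost wins, which
    is the rule the Root Port entry states. Ties are broken by switch name
    here, a simplification of STP's bridge-ID and port-ID tie-breakers.
    """
    graph = build_graph(links)
    settled = {}
    heap = [(0, root, None)]
    while heap:
        cost, switch, via = heapq.heappop(heap)
        if switch in settled:
            continue  # a cheaper (or equal, earlier) path already won
        settled[switch] = (cost, via)
        for neighbour, port_cost in sorted(graph[switch]):
            if neighbour not in settled:
                heapq.heappush(heap, (cost + port_cost, neighbour, switch))
    return settled


def demo():
    return root_ports(LINKS, "SW1")


if __name__ == "__main__":
    for switch, (cost, via) in sorted(demo().items()):
        port = f"toward {via}" if via else "(root bridge)"
        print(f"{switch}: root path cost {cost:>3} {port}")
```

The result is only as trustworthy as the costs advertised in the BPDUs it is computed from, which is the gap that Root Guard and the tie-break rules are there to close.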

Route Caching
In route caching, the first time a destination is seen by the router, the CPU processes the packet and forwards the packet to the destination. During that process, the router places the routing information for this destination in a high-speed cache. The second time that the router needs to forward traffic to the destination, it consults its high-speed cache before using the CPU to process the packet.

Route Processor (RP)
An RP is a Layer 3 device that can switch information either between logical subnets (VLANs) or physical subnets (as in the traditional router). If the RP is performing a traditional routing role, it could be switching packets between different LAN media types, such as fiber distributed data interface (FDDI), Ethernet, and token ring. For WAN connections, it provides access to ISDN, frame relay, ATM, and dedicated circuit networks.

Route Processor Redundancy (RPR)
Starting with IOS 12.1(13)E and later, the Catalyst 6500 supports SE redundancy with both Route Processor Redundancy and Route Processor Redundancy Plus (RPR+). These two features allow hardware redundancy for the Multilayer Switch Feature Card (MSFC) and Policy Feature Card (PFC or PFC2). Basically, this provides Layer 3 redundancy for the Catalyst 6500. RPR provides Supervisor Engine (SE) redundancy for route processing (routing). One SE is primary and the other is secondary.

Router-on-a-Stick
A router-on-a-stick is a trunk connection between an external router and a switch. The trunk is terminated on the router on a trunk-capable interface and the router uses this single interface to route between VLANs.

Server Load Balancing (SLB)
SLB provides a simple form of load balancing for critical services in your network. In SLB, you have two types of servers: virtual and real. The virtual server is the server that end stations send their TCP/IP requests to. The IOS SLB software then redirects that request to a real server in your network. Because most clients use DNS to resolve DNS names to IP addresses, make sure that your DNS server contains the virtual IP address used by SLB.

Service Provider Edge
The Service Provider Edge provides WAN and MAN connections to private and public networks for customers and is connected to a company's Enterprise Edge. There are three submodules in the Service Provider Edge: ISP, PSTN, and WAN technologies.

Shared Distribution Tree
With a shared tree, only one copy of each multicast frame is forwarded to those segments that have participating multicast end stations. A shared distribution tree contains a rendezvous point that's the central point of the tree for all multicast traffic. All traffic from every multicast application in your network is first forwarded to the rendezvous point. From there, the multicast traffic uses a single-tree structure for the dissemination of the traffic, creating less overhead on the RP. The downside is that for certain multicast streams, suboptimal paths can exist. This tree structure is very similar to common STP: For the entire switched network, there's only one tree structure, with the rendezvous point functioning as the root of the tree.

Single Router Mode (SRM) Redundancy
SRM provides an alternative type of redundancy in which dual MSFC cards are installed on dual SEs and both MSFC cards are in the active state and processing traffic. One of the problems of using two active MSFC cards in the same chassis is that you have to configure them separately unless you're using RPR or RPR+. SRM is different from RPR and RPR+. SRM provides Layer 3 redundancy while RPR and RPR+ provide card-level redundancy.

Sparse Mode (SM)
SM protocols use join messages to construct a distribution tree, ensuring that only those segments with participating end stations have traffic forwarded to them by their connected RPs. SM protocols therefore scale much better and are more suited for large, geographically dispersed environments. Unlike DM protocols, SM protocols do not waste bandwidth by flooding multicasts everywhere. Traffic is not forwarded to a segment until an end station joins a multicast group. SM assumes that only a handful of RPs are forwarding multicast traffic. It also assumes that the participating end stations are widely dispersed across your campus network (possibly located across your WAN), and that the amount of bandwidth in your network is limited. In this approach, the distribution tree is initially empty and, as end stations are discovered, branches are added to the tree.

Source-Based Distribution Tree
Source-based distribution trees guarantee that multicast traffic traverses a given segment only once. However, unlike shared trees, where there's a single tree for the whole network, source-based implementations have a separate distribution tree for each multicast group (address). This allows for optimal delivery of multicast streams, but it creates more overhead on the RP. This process is more similar to Cisco's PVST, in which there's one instance of STP per VLAN; in this case, there's one source-based tree per multicast group.

Spanning Tree Protocol (STP)
STP is a self-configuring Layer 2 algorithm that's responsible for removing loops in a switched network while still providing path redundancy. Because a switch automatically forwards broadcasts and multicasts, STP is necessary to make sure that this traffic is not continuously forwarded throughout a switched network. Another problem with loops is that with the switch's learning function, it might mistakenly update its address table with incorrect information concerning an end station as a frame traverses a loop. STP was developed by DEC and later incorporated into IEEE's standards as 802.1D. However, the two protocols are not compatible. In a bridged or switched network, all Layer 2 devices must run the same STP algorithm.

Standby RP
See Active RP.

Static VLAN
Cisco's initial implementation of VLANs is based on the port that a user was assigned to. This is sometimes referred to as port-based membership. Using this initial implementation, you configure every port on a switch to reflect the appropriate VLAN for the users. This could easily be done either via a command-line interface or an SNMP-based product using a graphical interface.

Switch Fabric Module (SFM)
The Catalyst 6500 switches support a special card called a Switch Fabric Module (SFM), which comes in two versions: 1 and 2. In combination with the Supervisor Engine II, the backplane capacity of the 6500 is upgraded from 32Gbps to 256Gbps. The SFM delivers 30Mpps throughput using Cisco Express Forwarding (CEF) and 210Mpps throughput with a Distributed Feature Card (DFC) installed.

Switched Port Analyzer (SPAN)
SPAN enables you to mirror traffic from one or more interfaces on a switch to a port that is connected to a network analyzer, packet sniffer, or remote monitoring (RMON) probe. This traffic can then be analyzed and processed for reporting.

Synchronous Optical Network (SONET)
SONET, which uses fiber-optic cabling, can carry multiple transports, including Ethernet, IP, ATM, and other services. It supports a dual-ring topology for redundancy. Its main disadvantage is that it uses bandwidth inefficiently.

Tail Dropping
Tail dropping is one of the most common forms of dealing with congestion during egress queuing. When queuing packets during a period of heavy congestion, the queue will at some point fill up, leaving no room for more packets. During this period, any newly arrived packets for the egress queue are dropped. With tail dropping, all traffic is treated equally. In other words, the IOS doesn't look at whether this is UDP or TCP traffic, or data or voice. This can be detrimental for TCP-based connections because dropping one packet from a connection can cause the retransmission of multiple packets. In a network that heavily utilizes TCP, using tail dropping could actually create more congestion than it reduces.

Topology-Based Switching
Topology-based switching uses a forwarding information base (FIB) to assist in Layer 3 switching. This type of switching pre-populates the cache by using the information in the RP's routing table. If there is a topology change and the routing table is updated, the RP will mirror the change in the FIB. Basically, the FIB contains a list of routes with next-hop addresses to reach those routes. Cisco has developed a proprietary topology-based switching FIB called Cisco Express Forwarding (CEF). CEF also includes a second table, called an adjacency table. This table contains a list of networking devices directly adjacent (within one hop) to the RP. CEF uses this table to prepend Layer 2 addressing information when rewriting Ethernet frames during MLS.

Transparent Bridging
A transparent bridge is used to connect similar media types together to solve bandwidth and collision problems, but to still maintain the same broadcast domain. The term transparent bridge is used because the bridge is completely transparent to the end stations that it is interconnecting. Frames that pass through a transparent bridge are not modified: What comes in on an interface leaves exactly the same way on another interface. Transparent bridges perform three basic functions: They make forwarding and filtering decisions based on the destination MAC address in a frame, they learn where end stations reside in the network, and they remove loops.


Transparent LAN Services (TLS)
With a TLS, the connection between switches on the MAN is done transparently by the service provider. In other words, the provider's equipment is hidden from your equipment's view. Your switches don't actually see the service provider's switch; instead, it appears that all of your switches are connected together via a hub. When implementing TLS, you should remember that your MAN connection is an access link. Therefore, for traffic to traverse the MAN, you must put all of your sites in the same VLAN.

Unicast
With unicasts, a separate packet must be sent to each destination. In a shared environment, every network device on the segment sees the packet, but only the actual destination processes it. In a switched environment, only devices on the source and destination segments actually see the frame.

Trunk Link
A trunk link is a connection between two trunk-capable devices. These could be two switches, a switch and a router, or even a switch and an end station. Trunking basically extends the backplane of the switch. Normally, only traffic from one VLAN can be associated with a port. The exception to this is a trunk port. A trunk port allows multiple VLANs to cross it to a neighboring device, unlike an access link. Trunking is performed by encapsulating or tagging frames in hardware by the ASICs on each port. Encapsulating or tagging adds information, such as the VLAN number (referred to as the VLAN's color) to help in the forwarding of the frame by other switches.
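To make the tagging concrete, the following added example (not code from the book) builds and parses an 802.1Q tag and then shows how a trunk port classifies what it receives. The tag layout (EtherType 0x8100, a 3-bit priority, a 12-bit VLAN ID, inserted after the source MAC) comes from the IEEE 802.1Q standard rather than from this glossary entry; the MAC addresses, VLAN numbers, allowed-VLAN list and native VLAN are constructed values.

```python
"""802.1Q tagging and trunk classification.

Added example, not code from the book. The tag layout follows IEEE 802.1Q;
MAC addresses, VLAN numbers and the allowed-VLAN list are constructed.
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a plain Ethernet frame (no FCS) from its header fields."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC: TPID, then a TCI made of
    3 bits of priority (PCP), 1 DEI bit (left clear) and a 12-bit VLAN ID.
    VID 0 (priority-only) and 4095 are reserved, so only 1-4094 is accepted."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) must be 0-7")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vlan_id, priority, frame_without_tag). vlan_id is None when
    the frame is untagged, which on a trunk means the native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, None, frame
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def vlan_on_trunk(frame: bytes, allowed_vlans, native_vlan: int):
    """Classify a frame received on a trunk port: tagged frames belong to the
    VLAN in the tag, untagged ones to the native VLAN. Frames for a VLAN the
    trunk does not carry are dropped (None)."""
    vlan_id, _priority, _inner = parse_tag(frame)
    if vlan_id is None:
        vlan_id = native_vlan
    return vlan_id if vlan_id in allowed_vlans else None


if __name__ == "__main__":
    raw = build_untagged_frame(bytes.fromhex("000a000000b0"),
                               bytes.fromhex("000a000000a0"), 0x0800, b"\x45" + bytes(19))
    tagged = tag_frame(raw, vlan_id=10, priority=5)
    print(tagged[12:16].hex(), parse_tag(tagged)[:2])
```

Removing the tag gives back exactly the original bytes, which is why an access port at the far end never sees the VLAN "color" that the trunk used.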

Unidirectional Link Detection (UDLD)
UDLD checks to see whether unidirectional links exist between two switches and disables them. UDLD checks the physical configuration of the connection between two switches. Unidirectional connections can occur on a full-duplex connection (fiber and copper) if either the transmit or receive wire or circuit is broken. By shutting down the unidirectional connection, UDLD prevents inadvertent loops and black holes (that is, one switch is accessible but another is not).

UplinkFast
STP guarantees a loop-free environment; however, one large disadvantage of STP is the 30-50 second convergence time before redundant links can be used when failures occur. This is problematic in environments where real-time or bandwidth-intensive applications are deployed. UplinkFast, a Cisco-proprietary STP enhancement, allows the almost-immediate use of a redundant bridged connection (a blocked port) without recalculating STP when the primary path fails. This reduces the transition period from 50 seconds to less than 4 seconds. The name of the feature describes its purpose: It's used on uplink ports that connect access layer switches to distribution layer switches.

Virtual LAN (VLAN)
A VLAN can be described as a grouping of ports on a switch or a grouping of ports on different switches. It can also be characterized as a group of related users in a data network or as a group of users at the same geographic location (which is the most common).

VLAN ACL (VACL)
A VACL is used to restrict traffic within a VLAN or VLANs.

VLAN Membership Policy Server (VMPS)
A VMPS associates MAC addresses to VLANs. When a user connects to a switch and the switch sees the user's MAC address, the switch sends the user's MAC address to the VMPS server. The server responds back with the user's VLAN and the switch associates this VLAN with the user's interface.

Virtual RP
In HSRP, the role of the virtual RP is to provide a single RP that's always available to the end stations. It isn't a real RP because the IP and MAC addresses of the virtual RP are not physically assigned to any one interface on any of the RPs in the broadcast domain.

Virtual Router Redundancy Protocol (VRRP)
VRRP performs a function that's similar to Cisco's proprietary HSRP. VRRP is an open standard and is defined in IETF's RFC 2338. Like HSRP, VRRP has end stations use a virtual router for a default gateway. VRRP is supported for Ethernet media types as well as in VLANs and MPLS VPNs. VRRP can use either a virtual IP address or the interface address of the master router. If a virtual IP address is used, an election process takes place to choose a master router. The router with the highest priority is chosen as the master. All other routers are backup routers.

VLAN Trunk Protocol (VTP)
VTP is a Cisco-proprietary messaging protocol that occurs between devices on trunk ports. It allows VLAN information to be propagated across your switched network, providing a consistent VLAN configuration in your network. This process makes it easy to add, change, and delete VLANs as well as to add new devices to the network because your VLAN information is automatically propagated by switches that understand VTP on their trunk ports.

VTP Pruning
VTP pruning allows a switch to make more intelligent decisions concerning the forwarding of multicast, broadcast, and unknown destinations across trunk ports. VTP pruning is a method of traffic control that reduces unnecessary broadcast, multicast, and flooded unicast packets. This feature restricts traffic that is normally flooded out all trunks to only those trunk links where the connected switches (or other networking devices) also have ports in the associated VLAN.

Weighted Fair Queuing (WFQ)
WFQ examines traffic flows to determine how queuing occurs. A flow is basically a connection that Cisco calls a conversation. The IOS examines the Layer 3 protocol type (such as IP, ICMP, OSPF, and so on), the source and destination address, and the source and destination port numbers to determine how data should be classified. Based on this information, the traffic is either classified as high or low priority.

Weighted Random Early Detection (WRED)
WRED is an extension of RED and is used to avoid congestion. It does this by examining CoS information and begins dropping packets when traffic for a specified CoS reaches its configured threshold. This is done to reduce the likelihood that upcoming congestion will cause problems with important applications or data.

Weighted Round-Robin Queuing (WRRQ)
WRRQ is a queuing solution used on the egress ports of Layer 3 switches, such as the Catalyst 3550. Like RTP-PQ, WRRQ has four queues, and traffic is placed in the queues based on its IP precedence value. Each queue is assigned a weight value. Whenever congestion occurs in the egress direction of the port, the weight value is used to service the queues. Higher-priority queues (more weight) are given preference over lower-priority queues (less weight). However, no queue is ever starved. In other words, all queues get at least some bandwidth, but the higher-priority queues get more bandwidth than lower-priority queues. This is somewhat similar to CQ.
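The "more bandwidth, but never starved" behaviour is easiest to see in a scheduler simulation. This is an added example, not code from the book or from Cisco; the precedence-to-queue mapping (two IP precedence values per queue) and the weights used in the demonstration are constructed for the illustration and are not switch defaults.

```python
"""Weighted round-robin queuing simulation.

Added example, not code from the book or from Cisco. The precedence-to-queue
map (two IP precedence values per queue) and the weights used in the demo are
constructed for this illustration, not switch defaults.
"""
from collections import deque


def queue_for_precedence(precedence: int) -> int:
    """Map a 3-bit IP precedence (0-7) to one of four queues (index 0-3);
    the highest precedence values land in the highest queue."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit field (0-7)")
    return precedence // 2


class WRRQScheduler:
    def __init__(self, weights):
        if len(weights) != 4 or any(w < 1 for w in weights):
            raise ValueError("WRRQ uses four queues, each with a positive weight")
        self.weights = list(weights)
        self.queues = [deque() for _ in range(4)]

    def enqueue(self, packet_id: str, precedence: int) -> int:
        """Place a packet in the queue chosen by its precedence; return the
        queue index."""
        q = queue_for_precedence(precedence)
        self.queues[q].append(packet_id)
        return q

    def service_round(self) -> list:
        """One round of the scheduler under congestion: queue i may transmit
        up to weights[i] packets. Every non-empty queue is visited each round,
        so a low-weight queue gets less bandwidth but is never starved."""
        sent = []
        for q, weight in enumerate(self.weights):
            for _ in range(weight):
                if not self.queues[q]:
                    break
                sent.append(self.queues[q].popleft())
        return sent


def congestion_demo(weights, packets_per_queue: int, rounds: int) -> list:
    """Fill all four queues with packets_per_queue packets, run the given
    number of rounds, and return how many packets each queue transmitted."""
    sched = WRRQScheduler(weights)
    for q in range(4):
        for n in range(packets_per_queue):
            sched.enqueue(f"q{q}-pkt{n}", precedence=2 * q)
    served = [0] * 4
    for _ in range(rounds):
        for packet_id in sched.service_round():
            served[int(packet_id[1])] += 1
    return served


if __name__ == "__main__":
    print(congestion_demo([1, 2, 3, 4], packets_per_queue=10, rounds=3))
```

With weights 1, 2, 3, 4 and every queue backlogged, the per-round share is 10%, 20%, 30%, 40%; the lowest queue still sends one packet every round, which is the contrast with a strict priority scheme such as PQ, where it would send nothing while higher queues have traffic.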

Index

Numbers
10 Gigabit Ethernet, physical
implementation, 25
802.1P, CoS priorities, 265
802.1Q
compared to Q-in-Q transport,
348
native VLANs, 61
trunks, configuring, 66-67
tunneling, MANs and, 342-343
tunneling feature, 62-64
VLANs, 59-61
supported ranges, 62
802.1W. See RSTP
802.1X, port-based authentication,
316-317

A
aaa accounting command, 311
aaa authentication login command,
310
aaa authorization command, 311
access layer, 15
access links, VLANs, 56
access ports, 151
accounting
AAA, configuring, 311-312
Catalyst switches, 308
ACLs (Access Control Lists), IP
telephony, 264. See also VACLs
active RP (HSRP), role of, 195
active state (HSRP state), 197
addressing, multicasts, 220-222
AF (Assured Forwarding), 264
alternate root ports, 117
Architecture for Voice, Video, and
Integrated Data (AVVID), components of, 12-13
ASICs (application-specific integrated circuits), MLS and, 158
Assured Forwarding (IP telephony),
264
authentication
AAA, configuring, 310-311
Catalyst switches, 308
HSRP, configuring, 199
authorization
AAA, configuring, 311
Catalyst switches, 308
autostart (NAM), configuring, 305
availability. See redundancy
AVVID (Architecture for Voice,
Video, and Integrated Data),
components of, 12-13

B
BackboneFast (STP), 112-114
enabling, 114
nonconnected interfaces, 114
backup ports, 117
bandwidth
calculating need for VoIP
connections, 257
increasing, compression methods,
273-274
IP telephony, QoS (Quality of
Service), 256-257
Best Effort architecture, IP telephony,
262
blocking state (switch ports), 92
BPDU (Bridge Protocol Data Unit),
88
frame fields, 88
filtering (FastPort), 110
Guard (FastPort), 109
inferior, 113
RSTP, propagating information,
118-119
RSTP use of, 115-116
skewing (STP), 131-132
staggered convergence, preventing,
93
STP (Spanning Tree Protocol)
and, 86-87
bridge (switch) identifier (BPDU
frame field), 88
bridge identifiers (STP), 87
bridged networks, broadcast domains, 46
broadcast domains
bridged networks, 46
VLANs, 46
broadcasts, 219
VLANs, 47-48

C
cabling
Ethernet, 22
Fast Ethernet, 23
call control signaling connections
(telephony), 256
CallManager (IP telephony), 255
CAM (content addressable memory)
tables, 84
automatically updating, 85
CAM tables, 165-166
multicasting traffic control,
CGMP and, 237
Campus Infrastructure module, 17
campus intranets
10 Gigabit Ethernet, physical
implementation, 25
access layer, 15
AVVID components, 12-13
core layer, 14
design recommendations, 26
Enterprise Edge module, 29
large campus, 28
medium campus, 28
Server Farm module, 29
small campus, 27
devices, 19
Layer 2 switches, 19-20
Layer 3 switches, 21-22
multilayer switches, 22
routers, 20-21
usage recommendations, 26
distribution layer, 14-15
Enterprise Campus, 17-18
Enterprise Composite Network
Model (ECNM), 16-17
Enterprise Edge module, 18
Ethernet, physical implementation,
22-23
Fast Ethernet, physical
implementation, 23
Gigabit Ethernet, physical
implementation, 24-25
Long Reach Ethernet, physical
implementation, 25
Metro Gigabit Ethernet, physical
implementation, 25
requirements, 12
Service Provider Edge module, 18
three-layer hierarchical model, 13
campus networks, QoS
implementation, 274-275
CAR (Committed Access Rate), IP
telephony, 265
Catalyst switches
AAA, 308
accounting configuration,
311-312
authentication configuration,
310-311
authorization configuration,
311
enabling, 309
debug commands, 139
enabling/disabling STP, 97
NAM (Network Analysis
Module), configuring, 302-306
autostart, 305
switch interface, 305-306
port priority, 100
port security, 313-316
802.1X authentication,
316-317
powering IP telephony, 257
security
components, 307-308
configuring, 306-307
SPAN (Switched Port Analyzer),
296-297
configuring, 297-299
types, 297
CatOS
compared to IOS, 30-31
converting to IOS, 36-37
CB-WFQ (class-based weighted fair
queuing), 269
CD with book, contents, 439-440
CDP (Cisco Discovery Protocol),
Catalyst switch security, 307
CEF, MLS and
configuration, 171
example, 169-170
limitations, 167
load balancing, 169
operation, 168-169
overview, 166
tables, 167-168
troubleshooting, 173-174
verification, 172-173
centralized switching architecture, 160
CGMP (traffic control protocol)
configuring, 243
multicasting traffic control,
237-238
channel modes, PAgP and LACP,
125
channel-group command, 128
channel-protocol command, 128
chassis redundancy, 183

How can we make this index more useful? Email us at indexes@quepublishing.com

Cisco RP discovery message, 241
Class D addresses, multicasting, 221
class-based weighted fair traffic
queuing, IP telephony, 269
class-map command, 276
classes, MQC, creating, 276
CLI (command-line interface)
CatOS compared to IOS, 30-31
configuration, 31
converting CatOS to IOS,
36-37
sample, 32-33
viewing configuration files, 34
client registration (multicasting), 222
IGMP, 222-223
IGMPv1, 223
joining multicast groups,
223-224
leaving multicast groups, 225
maintaining multicast groups,
224-225
IGMPv2, 225-226
joining multicast groups, 226
leaving multicast groups, 227
maintaining multicast groups,
226-227
IGMPv3, 227
message types, 227-228
IGMPv3lite, 228
clients, routing issues, 149
Common Open Policy Service
(COPS), 263
component redundancy, 181-182
configure terminal command, switch
configuration, 32
configuring
AAA
accounting, 311-312
authentication, 310-311
authorization, 311
authentication
AAA, 310-311
HSRP, 199
Catalyst switches, redundant
power supplies, 184
CEF, 171
CQ (custom queuing), 282-283
EtherChannel, 127
guidelines for, 127-128
Layer 2 commands, 128-129
Layer 3 commands, 129
verifying configuration,
130-131
FastPort, 109
HSRP, 198-199
LLQ (low latency queuing),
284-286
MQC
activating policies, 278
creating classes, 276
creating policies, 276-278
verifying, 279
MST (Multiple Spanning Tree),
123-124
multicasting, verifying, 244-245
NAM (Network Analysis
Module), 301-305
autostart, 305
switch interface, 305-306
port security, 314
PQ (priority queuing),
281-282
PVLANs, 322
associating ports, 323-324
creating, 322-323
routing, 150
external RPs, 154-155
internal RPs, 151-154
router-on-a-stick, 155-157
verifying, 157
RPR+ (Route Processor Redundancy Plus), 188-189
RPs
CGMP, 243
designated routers, 239
PIM (Protocol Independent
Multicast), 238-239
PIMv2, 242-243
rendezvous points, 240, 242
RSPAN (Remote Switched Port
Analyzer), 299-301
RTP-PQ (real-time transport
protocol priority queuing),
283-284
security, Catalyst switches, 306-307
SFM (Switch Fabric Module), 38
SLB (Server Load Balancing),
207-209
SPAN (Switched Port Analyzer),
297-299
verification, 301
SRM (Single Router Mode), 203
STP (Spanning Tree Protocol), 97
enabling/disabling, 97
path selection, 98-99
port cost, 99-100
port priority, 100
root switch selection, 98
verification, 100-101
switches
CLI (command-line interface),
31
sample, 32-33
viewing configuration files, 34
trunks, 66-67
VACLs, 318-319
VLANs, 53-55
VTP (VLAN Trunk Protocol)
domains, 75
verifying, 75-76
WFQ (weighted fair queuing), 280
WRRQ (weighted round-robin
queuing), 286-287
congestion avoidance, WRED
(weighted random early detection),
287-288
connections, MANs, Ethernet
considerations, 334
COPS (Common Open Policy
Service), 263
core layer, 14
CoS priorities, IP telephony, 265
cost, MANs (metropolitan area networks), Ethernet considerations,
334
coup messages (HSRP), 196
CPU utilization, routed and SVI
ports, 152
CQ (custom queuing), 268
configuring, 282-283
CST (Common Spanning Tree),
94-95
custom traffic queuing, IP telephony,
268
CWDM, Ethernet over, 341-342

D
database (STP), reducing size, 108
debug commands
Catalyst switches, 139
QoS, 288
switches, troubleshooting, 36
default gateways, failover protection,
194
delay issues (IP telephony), 259-260
dense mode protocols, multicast
routing, 232
design issues
campus intranets, 26-28
IP telephony, 258
telephony networks, 254-255
designated routers, PIM, 239
devices
campus intranets, 19
Layer 2 switches, 19-20
Layer 3 switches, 21-22
multilayer switches, 22
routers, 20-21
usage recommendations, 26
chassis redundancy, 183
Differentiated Services Code Points
(DSCPs), 263
DiffServ architecture, IP telephony,
263-264
disabled state (switch ports), 93
distributed switching architecture, 161
distribution layer, 14-15
switches as root switches, 98
distribution trees, multicasts, 229-230
shared distribution trees, 230
source-based distribution trees,
231
domains
broadcasts and, 219
configuring, VTP (VLAN Trunk
Protocol), 75-76
VTP (VLAN Trunk Protocol),
management domains, 69
DSCPs (Differentiated Services
Code Points), 263
DTP (Dynamic Trunk Protocol)
principles of operation, 64-65
trunking modes, 65
dual-ring topology, SONET, 339
DVS (directed VLAN services),
MANs and, 336-338
DWDM, Ethernet over, 340-341
Dynamic Trunk Protocol. See DTP
dynamic VLANs, 51-52

E
ECNM (Enterprise Composite
Network Model), 16-17
Enterprise Campus functional
area, 17-18
Enterprise Edge module, 18
Service Provider Edge module, 18
Edge Distribution module, 17
edge port component (RSTP),
118-119
EF (Expedited Forwarding), 264
enable command, switch configuration, 32
encapsulation isl command, 156
end-to-end VLANs, 48-51
Enterprise Composite Network
Model (ECNM), 16-17
Enterprise Edge module, campus
intranets, 29
EoMPLS (Ethernet over MPLS),
348-349
multipoint connections, 352
point-to-point connections, 352
protocol labeling, 350-351
terminology, 349-350
usefulness of, 349
EtherChannel, 125
configuring, 127
guidelines for, 127-128
Layer 2 commands, 128-129
Layer 3 commands, 129
verifying configuration,
130-131
load balancing, 129-130
operation, 125
PAgP (Port Aggregation
Protocol), 125-127
Ethernet
campus intranets, physical
implementation, 22-23
MANs (metropolitan area networks), planning considerations,
333-335
802.1Q Q-in-Q transport,
343-344
802.1Q tunneling, 342-343
tag stacking, 344-345
over CWDM, 341-342
over DWDM, 340-341
over SONET, 339-340
events
AAA accounting, 311
RPR (Route Processor
Redundancy), 186
exams
question format, 4-5
strategies, 6-7
question handling, 7
test exams, 359, 401
answer keys, 385, 421
test-taking environment, 2-3
Expedited Forwarding (IP telephony), 264
external RPs, 148
configuration, 154
router-on-a-stick, 155-157
usual setup, 154-155

F
failovers, HSRP and, 193-194
Fast Ethernet, physical implementation, 23
FIFO traffic queuing, IP telephony, 267
filtering, frames, 84-85
flags (BPDU frame field), 88
flat networks, 47
forward delay (BPDU frame field),
89
Forward Delay timer, 93
forwarding, frames, 84-85
forwarding state (switch ports), 93
frame tagging, VLANs, 56-57
frames
BPDU fields, 88
forwarding and filtering, 84-85
VLAN tagging information,
adding, 60-61

G
gateways, failover protection for, 194
GBPT (Generic Bridge PDU
Tunneling) protocol, 64
Gigabit Ethernet, physical
implementation, 24-25
GLBP (Gateway Load Balancing
Protocol), 204-205
load balancing with, 206
operation of, 205-206
globally scoped addresses,
multicasting, 221
GLOP addresses, multicasting, 221

H
hardware redundancy, 180
power supplies, 184-185
SEs (Supervisor Engines),
185-189
header compression, 274
hello messages (HSRP), 196
hello time (BPDU frame field), 89
hostname command, switch
configuration, 32
host membership queries (multicast
groups), 224
host membership reports (multicast
groups), 224
hosts, multicast groups, joining, 224
HSRP (Hot Standby Routing
Protocol)
client routing issues, 149
configuring, 198-199
failover protection and, 193-194
interface tracking, 199-201
multicasting, 196-197
operation of, 194-195
RPs, types of, 195-196
states, 197-198
verifying operation, 201-202
virtual addresses, 196
HTTP server, NAM, enabling, 304

I-J-K
IANA (Internet Assigned Numbers
Authority), multicast addresses, 221
ICMP Router Discovery Protocol
issues, redundancy issues, 192-193
IGMP (Internet Group Management
Protocol), multicasting client registration, 222-228
IGMP snooping, multicasting traffic
control, 237
in-band management, 33
inferior BPDUs, 113
information resources, 9
initial state (HSRP state), 197
installing PrepLogic Practice Exams, 443
interface tracking, HSRP, 199-201
interface vlan command, 152
interfaces, routers, subinterfaces,
156
internal RPs, 148
configuration, 151-154
Internal Spanning Tree. See IST
Internet Assigned Numbers
Authority (IANA), 221
Internet Group Management
Protocol (IGMP), 222-228
intranets
10 Gigabit Ethernet, physical
implementation, 25
access layer, 15
AVVID components, 12-13
core layer, 14
design recommendations, 26
Enterprise Edge module, 29
large campus, 28
medium campus, 28
Server Farm module, 29
small campus, 27
devices, 19
Layer 2 switches, 19-20
Layer 3 switches, 21-22
multilayer switches, 22
routers, 20-21
usage recommendations, 26
distribution layer, 14-15
Enterprise Campus, 17-18
Enterprise Composite Network
Model (ECNM), 16-17
Enterprise Edge module, 18
Ethernet, physical implementation,
22-23
Fast Ethernet, physical
implementation, 23
Gigabit Ethernet, physical implementation, 24-25
Long Reach Ethernet, physical
implementation, 25
Metro Gigabit Ethernet, physical
implementation, 25
requirements, 12
Service Provider Edge module, 18
three-layer hierarchical model, 13
IntServ architecture, IP telephony,
263
IOS
compared to CatOS, 30-31
converting from CatOS, 36-37
routing configuration, 150
internal RPs, 151-154
switch configuration, 31
sample, 32-33
viewing configuration files, 34
ip address command, 152
IP addresses, assigning to switches,
33
ip commands, NAM (Network
Analysis Module), 303
ip multicast-routing command, 238
ip pim command, 238
ip routing command, 152
IP routing table, displaying, 158
IP telephony
auxiliary VLANs, 258
congestion avoidance
RED (random early detection),
272
tail dropping, 271
WRED (weighted random
early detection), 272, 287-288
network design considerations,
254-255
network management strategy,
255
policing traffic, 273
power requirements, 257
QoS (Quality of Service)
architectures, 262
bandwidth, 256-257
Best Effort architecture, 262
components, 255-256
delay issues, 259-260
DiffServ architecture, 263-264
IntServ architecture, 263
jitter, 260
overview, 258-259
packet loss, 260
solution characteristics,
261-262
scalability, design issues, 258
shaping traffic, 273
traffic congestion
class-based weighted fair
queuing, 269
custom queuing, 268
FIFO queuing, 267
low latency queuing, 269
priority queuing, 267-268
queuing, 266-267
real-time transport protocol
priority queuing (RTP-PQ),
269-270
weighted fair queuing, 268
weighted round-robin queuing
(WRRQ), 270
IRDP (ICMP Router Discovery
Protocol), redundancy issues,
192-193
ISL (InterSwitch Link), 58-59
trunks, 66-67
VLANs, supported ranges, 62
IST (Internal Spanning Tree), 122-123
jitter (IP telephony), 260

L
LACP (Link Aggregation Control
Protocol), channel modes, 125-126
lacp commands, 129
Layer 2
addresses, multicasting, 220
devices, compared to Layer 3, 149
EtherChannel configuration commands, 128-129
network model, 14
networks, VLANs, 46
redundancy, 180
switch redundancy, 191
uplink interfaces, 190-191
switches, campus intranets, 19-20
switching, principles of operation,
162
telephony, convergence with
Layer 3, 258
Layer 3
addresses, multicasting, 220
devices, compared to Layer 2, 149
EtherChannel configuration
commands, 129
network model, 14
redundancy, 180, 191
end station issues, 193
ICMP Router Discovery
Protocol issues, 192-193
Proxy ARP issues, 192
routing protocol issues, 193
routers, 20
switches, campus intranets, 21-22
telephony, convergence with
Layer 2, 258
learning state (HSRP state), 197
learning state (switch ports), 92
limited scope addresses, multicasting,
221
link efficiency methods, 273-274
link type component (RSTP),
118-119
listening state (HSRP state), 197
listening state (switch ports), 92
LLQ (low latency queuing), 269
configuring, 284-286
load balancing
EtherChannel, 129-130
GLBP (Gateway Load Balancing
Protocol), 206
MLS with CEF, 169
logging, Catalyst switch security, 308
logical setup, end-to-end VLANs, 49
login, NAM (Network Analysis
Module), 302
logon warnings (Catalyst switches),
307
Long Reach Ethernet, physical
implementation, 25
Loop Guard (STP), 135-136
compared to UDLD, 136-137
loopback interfaces, 152
low latency traffic queuing, IP
telephony, 269

M
MAC addresses
associating to VLANs, 51
Layer 2, multicasting, 221
lockdown, 313
root switch election and, 90
switches, updating CAM tables
automatically, 85
VLANs, show mac-address-table
command, 55
management domains, VTP (VLAN
Trunk Protocol), 69
MANs (metropolitan area networks)
802.1Q tunneling, 342-343
Cisco solutions, listing of, 332-333
connection service problems, 332
DVS (directed VLAN services),
336-338
EoMPLS, 348-349
multipoint connections, 352
point-to-point connections,
352
protocol labeling, 350-351
terminology, 349-350
usefulness of, 349
Ethernet, planning considerations,
333-335
Ethernet over CWDM, 341-342
Ethernet over DWDM, 340-341
Ethernet over SONET, 339-340
Q-in-Q transport, 343-344
compared to 802.1Q, 348
SONET (Synchronous Optical
Network), 332
STP, 345-347
tag stacking, 344
encapsulation, 344-345
TLS (transparent LAN services),
335-336
mapping agents, multicasting, 241
match commands, 276
VACLs, 318
maximum age (BPDU frame field),
89
Media Gateway Control Protocol
(MGCP), 256
message age (BPDU frame field), 89
message type (BPDU frame field), 88
Metro Gigabit Ethernet, physical
implementation, 25
MGCP (Media Gateway Control
Protocol), 256
MLS (multilayer switching)
architecture, 159-162
CEF, 166-174
overview, 158-159
principles of operation, 162-163
rewriting frame and packet
contents, 163
TCAM tables, 165-166
traffic handling, 164-165
Modular QoS CLI. See MQC
MPLS (Multiprotocol Label
Switching), EoMPLS, 348-352
MQC (Modular QoS CLI)
classes, creating, 276
configuration verification, 279
policies
activating, 278
creating, 276-278
MST (Multiple Spanning Tree), 120
advantages/disadvantages, 121
configuration, 123-124
IST and, 122-123
regions, 121-122
multicast groups, 220
joining
IGMPv1, 223-224
IGMPv2, 226
leaving
IGMPv1, 225
IGMPv2, 227
maintaining
IGMPv1, 224-225
IGMPv2, 226-227
multicasting, 222-228
configuration, verifying, 244-245
multicasts, 219-220
addressing, 220-222
HSRP protocol, 196-197
routing protocols, 231
dense mode, 232
PIM (Protocol Independent Multicast), 234
PIM-DM, 235
PIM-SM, 235-236
sparse mode, 232-233
switches, 236
CGMP traffic control protocol,
237-238
IGMP snooping, 237
traffic control methods,
236-237
TCP/IP, 220
traffic routing, 229
distribution trees, 229-230
shared distribution trees, 230
source-based distribution trees,
231
UplinkFast (STP), 112
multilayer switches, campus
intranets, 22
multilayer switching. See MLS
multipoint connections, EoMPLS,
352

N-O
native VLANs, 802.1Q, 61
NBAR (network-based application
recognition), IP telephony, 264
NetFlow switching (switching
architecture), 160
Network Management module, 18
networks
campus intranets, 12-18
segments, designated ports and
switches, 91
STP, tracking, 101
TCNs (topology change
notifications), 86
NICs (network interface cards), VLANs, 57
no ip cef command, 172
no ip redirects command, 198
no shutdown command, 156
no switchport command, 152
nonroutable traffic, MLS handling,
164-165
operating system files, viewing in
Flash, 34-35
overrun, IP telephony, 260

P
packetization (IP telephony), 259
packets
broadcasts, 219
IP telephony
delay issues, 259-260
packet loss, 260
multicasts, 219
NAM (Network Analysis
Module), 301-306
RSPAN (Remote Switched Port
Analyzer), 299-301
SPAN (Switched Port Analyzer),
296-301
unicasts, 218
PAgP (Port Aggregation Protocol),
125-127
password command, switch
configuration, 32
passwords
Catalyst switches, 307
HSRP configuration, 199
path costs (STP), 87
payload compression, 274
PBR (Policy-Based Routing), IP
telephony, 265
performance
CPU utilization, routed and SVI
ports, 152
NAM (Network Analysis
Module), 301
configuring, 301-305
configuring autostart, 305
configuring switch interface,
305-306
planning, 296
router-on-a-stick issues, 155
RSPAN (Remote Switched Port
Analyzer), 299
configuring, 299-301
SPAN (Switched Port Analyzer),
296-297
configuration verification, 301
configuring, 297-299
types, 297
physical setup, end-to-end VLANs,
49
PIM (Protocol Independent
Multicast), 234
designated routers, 239
RPs, 238-239
PIM-DM multicast protocol, 235
PIM-SM multicast protocol, 235-236
PIMv2, configuring, 242-243
ping command, testing routing
configuration, 157
point-to-point connections,
EoMPLS, 352
policies (MQC), 276-278
policing traffic, 273
policy-map command, 277
port address tables, forwarding and
filtering frames, 84
Port Aggregation Protocol. See PAgP
port identifier (BPDU frame field),
89
port priority (STP), 88
port-based membership, VLANs, 52
PortFast (STP), 108
BPDU filtering, 110
BPDU Guard, 109
configuring, 109
operation, 108-109
ports
associating to VLANs, 53
forwarding and filtering frames,
84
forwarding mode, keeping in,
108-109
NAM (Network Analysis
Module), 301
configuring, 301-305
configuring autostart, 305
configuring switch interface,
305-306
PortFast (STP), 108
BPDU filtering, 110
BPDU Guard, 109
configuration, 109
operation, 108-109
PVLANs, associating, 323-324
root, selection, 90-91
routing, types of, 151
RSPAN (Remote Switched Port
Analyzer), 299
configuring, 299-301
RSTP, 116-118
security
802.1X authentication,
316-317
Catalyst switches, 313-316
SPAN (Switched Port Analyzer),
296-297
configuration verification, 301
configuring, 297-299
types, 297
states, 92-93
STP
bridging loops, 92
cost, 99-100
designation, 91
priority, 100
verification, 100-101
timer values, changing, 93-94
UplinkFast (STP), 110-112
VLANS, trunk ports, 56
power sources, IP telephony and,
257
power supplies, Catalyst switches,
184-185
PQ (priority queuing), 267-268
configuring, 281-282
PrepLogic Practice Exams
contact information, 447
Flash Review Mode sessions, 445
installing, 443
options, 445-446
overview, 441-442
removing, 443
requirements, software, 442
reviewing exams, 446
running, 444
priority and custom queuing (IP
telephony), 265
priority command, 285
priority traffic queuing, IP telephony,
267-268
processing (IP telephony), 259
propagation (IP telephony), 259
protocol identifier (BPDU frame
field), 88
Protocol Independent Multicast.
See PIM
protocols
DTP (Dynamic Trunk Protocol),
principles of operation, 64-65
multicast traffic routing, 231
dense mode protocols, 232
PIM (Protocol Independent
Multicast), 234
PIM-DM, 235
PIM-SM, 235-236
sparse mode protocols,
232-233
routing, displaying running, 157
VLANs, 58
802.1Q, 59-61
ISL (InterSwitch Link), 58-59
supported ranges, 62
tunneling 802.1Q, 62-64
Proxy ARPs, 192
pruning, VTP (VLAN Trunk
Protocol), 73-74
PVLANs (private VLANs), 319-324
PVST (Per-VLAN Spanning Tree),
94-97
PVST+ (Per-VLAN Spanning Tree
Plus), 97

Q
Q-in-Q transport
advantages/disadvantages, 348
compared to 802.1Q, 348
MANs and, 343-344
QoS (Quality of Service)
campus network implementation,
274-275
debug commands, 288
implementation, 264-266
IP telephony, 261-264
policing traffic, 273
RED (random early detection),
272
shaping traffic, 273
tail dropping, 271
traffic congestion, 266-270
WRED (weighted random early
detection), 272
query-interval response period
(IGMPv2 multicasting), 226
questions
answering strategies, 7
types of, 4-5
queuing (IP telephony), 259
traffic congestion management,
266-270

R
random early detection (RED), IP
telephony traffic congestion
avoidance, 272
random-detect dscp command,
288
rapid STP. See RSTP
Rapid Transition to Forwarding
(RTF), 118
Real-Time Transport Protocol
(RTP), 256
real-time transport protocol priority
queuing (RTP-PQ), IP telephony,
269-270
RED (random early detection),
congestion avoidance, 272
redundancy
chassis, 183
component, 181-182
dual-ring topology, MANs and,
340
GLBP (Gateway Load Balancing
Protocol), 204-205
load balancing with, 206
operation of, 205-206

hardware, 180
Catalyst switches, 184-189
HSRP, 193-196
Layer 2, 180, 190-191
Layer 3, 180, 191-193
SRM (Single Router Mode),
202-203
types of, 180-181
VRRP (Virtual Router
Redundancy Protocol), 204
redundancy command, 189
regions, MST (Multiple Spanning
Tree), 121-122
rendezvous points, 230
configuring, 240-242
reserved link local addresses,
multicasting, 221
resign messages (HSRP), 196
resources, information resources, 9
response suppression (IGMP traffic),
224
reverse path forwarding (RPF),
231
root identifier (BPDU frame field),
88
Root Link Query PDU (RPDU),
114
root path cost (BPDU frame field),
88
root switches
election by STP, 89-90
timer control by, 89
UplinkFast (STP), 111
RootGuard (STP), 132-134
routable traffic, MLS handling,
164-165
route caching (switching architecture), 160
Route Processor Redundancy (RPR),
Catalyst switches, 185-186

Route Processor Redundancy Plus,
Catalyst switches, 187-189
routed ports, 151
router-on-a-stick configuration,
155-157
routers
campus intranets, 20-21
MANs (metropolitan area networks), list of Cisco solutions,
332-333
routing. See also MLS; switching
client issues, 149
configuration, 150-157
multicast traffic, 229-236
protocols, displaying running, 157
route processors, 148-150
subinterfaces, 156
routing table, displaying, 158
RPDU (Root Link Query PDU),
114
RPF (reverse path forwarding), 231
RPR (Route Processor Redundancy),
Catalyst switches, 185-186
RPR+ (Route Processor Redundancy
Plus), 187-189
RP (route processor), 148-150
configuring
CGMP, 243
designated routers, 239
PIM (Protocol Independent
Multicast), 238-239
PIMv2, 242-243
rendezvous points, 240
rendezvous points, automatically, 240-242
rendezvous points, manually,
240
external, 154-157
HSRP protocol, 195-198
internal, configuring, 151-154
multicasting, IGMP (Internet Group Management Protocol), 222
Proxy ARP redundancy issues,
192
RSPAN (Remote Switched Port
Analyzer), 299-301
RSTP (Rapid STP), 115
BPDU, 115-119
convergence enhancement
features, 117
MST and, 120
port roles, 117
port states, 116
topology changes, 119-120
RTF (Rapid Transition to
Forwarding), RSTP, 118
RTP (Real-Time Transport
Protocol), 256
RTP header compression, 274
RTP-PQ (real-time transport
protocol priority queuing), 269-270
configuring, 283-284

S
sample tests, 359, 401
answer keys, 385, 421
scalability
MANs (metropolitan area networks), Ethernet considerations,
334
unicasting and, 218
security
Catalyst switches
802.1X authentication,
316-317
AAA, 308
components, 307-308
configuring, 306-307
configuring AAA, 311-312
enabling AAA, 309
port security, 313-316
VACLs, 317
activating, 319
configuring, 318-319
segments (networks), designated
ports and switches, 91
serialization (IP telephony), 259
Server Farm module, 17
campus intranets, 29
Server Load Balancing. See SLB
service level (MANs), Ethernet
considerations, 334
service password-encryption command, switch configuration, 32
Service Provider Edge module, 18
services, Catalyst switch security, 307
SEs (Supervisor Engines), 185-189
set spantree bpdu-skewing command,
132
SFM (Switch Fabric Module), 37-38
shaping traffic, 273
shared access (access layer), 15
shared distribution trees, multicasts,
230
shared environments, unicast
packets, 218
Shared Spanning Tree. See PVST
show commands, troubleshooting
switches, 35
show interface switchport command,
trunk configuration, 67
show interface trunk command,
trunk configuration, 67
show interfaces command, 54
show ip pim interface command, 239
show ip pim neighbor command, 239
show ip protocols command, 157
show ip route command, 158
show mac-address-table command,
55
show module command, NAM, 302
show port security command, 315
show power command, 185
show redundancy command, 189
show running-config interface command, 54
PortFast configuration, 109
trunk configuration, 66
show spanning-tree command, 101
show spanning-tree summary command
BPDU Guard, 110
PortFast configuration, 109
show vlan command, 54
SLB (Server Load Balancing),
206-209
SNMP
Catalyst switch security, 307
NAM, configuration commands,
304
SONET (Synchronous Optical
Network), 332
Ethernet over, 339-340
redundancy mechanism, 340
source filtering (IGMPv3
multicasting), 227
source-based distribution trees,
multicasts, 231
source-specific addresses, multicasting,
221
SPAN (Switched Port Analyzer),
296-301
Spanning Tree Protocol. See STP
spanning-tree portfast command,
110
spanning-tree uplinkfast command, 112
sparse mode protocols, multicast routing, 232-233
speaking state (HSRP state), 197
SRM (Single Router Mode),
redundancy, 202-203
SSH, Catalyst switch security,
307
standby command, 198
standby RP (HSRP), role of, 195
standby state (HSRP state), 197
static VLANs, 52
sticky learning, port security, 313
STP (Spanning Tree Protocol)
advantages, 87
BackboneFast feature,
112-114
BPDU (Bridge Protocol Data
Unit) and, 86-87
BPDU skewing, 131-132
Catalyst switch security, 308
configuring, 97-101
convergence time, 94
CST and, 95
features, 87
Loop Guard, 135-137
MANs, 345-347
MST and, 120
network topology changes,
preventing staggered
convergence, 93
operation, 89-93
overview, 86
PortFast feature, 108-110
PVST, 96-97
PVST+, 97
RootGuard, 132-134
switches, disabling loops, 86
timer values, 93-94
troubleshooting, 138-139
types of, 94
UDLD (Unidirectional Link Detection), 134-135
UplinkFast feature, 110-112
strategies (test-taking), 6-7
subinterfaces, creating, 156
SVI interfaces, 152
switch interface, internal RPs,
151-154
switched access (access layer), 15
switched environments, unicast
packets, 218
switched networks (Layer 2), 46
Switched Port Analyzer. See SPAN
switches. See also transparent bridges
advantages of, 20
BackboneFast (STP), 112-114
BPDUs and STP, 86-87
CAM tables, automatically
updating, 85
campus intranets, 19-22
Catalyst
802.1X authentication,
316-317
AAA, 308
configuring AAA, 310-312
debug commands, 139
enabling AAA, 309
NAM (Network Analysis
Module), 302-306
port security, 313-316
powering IP telephony, 257
redundancy capabilities of,
184-189
security components, 307-308
security setup, 306-307
SPAN (Switched Port
Analyzer), 296-299
CLI (command-line interface)
CatOS compared to IOS, 30-31
configuration, 31
converting CatOS to IOS,
36-37
sample configuration, 32-33
viewing configuration files, 34
CST (Common Spanning Tree),
95
designated port and switch
resolution, 91
forwarding and filtering frames,
84-85
identifiers, 89
IP addresses, assigning to, 33
Layer 2 redundancy, 191
MANs, list of Cisco solutions,
332-333
MST (Multiple Spanning Tree),
IST and, 122-123
multicasting, 236
CGMP traffic control
protocol, 237-238
IGMP snooping, 237
traffic control methods,
236-237
multilayer, campus intranets, 22
PVST, 96-97
PVST+, 97
root
election by STP, 89-90
timer control by, 89
root port selection, 90-91
RSTP behavior in an STP
network, 115
SFM, 37-38
STP (Spanning Tree Protocol)
bridging loops, 92
configuring, 97
enabling/disabling, 97
overview, 86
path selection, 98-99
port cost, 99-100
port priority, 100
root switch selection, 98
verification, 100-101
TCNs (topology change
notifications), 86
transparent, loop elimination, 85
troubleshooting, 35-36
UDLD (Unidirectional Link
Detection), 134-135
UplinkFast (STP), 110
VLANs, adding, 72
switching
architecture, 159-162
Layer 2, principles of operation,
162
MLS, 162-174
switchport access vlan command, 53
switchport mode access command,
53
switchport native command, 66
switchport trunk allowed command,
66
switchport trunk encapsulation
command, 66

T
tag stacking
encapsulation, 344-345
MANs and, 344
tail dropping (congestion avoidance),
271
TC While timers, 119
TCAM tables, 165-166
TCNs (topology change notifications),
eliminating loops, 86
TCP header compression, 274
TCP/IP, multicasting, 220
telephony
auxiliary VLANs, 258
congestion avoidance
RED (random early detection),
272
tail dropping, 271
WRED (weighted random
early detection), 272, 287-288
network design considerations,
254-255
network management strategy,
255
policing traffic, 273
power requirements, 257
QoS (Quality of Service)
architectures, 262
bandwidth, 256-257
Best Effort architecture, 262
components, 255-256
delay issues, 259-260
DiffServ architecture, 263-264
IntServ architecture, 263
jitter, 260
overview, 258-259
packet loss, 260
solution characteristics,
261-262
scalability, design issues, 258
shaping traffic, 273
traffic congestion
class-based weighted fair
queuing, 269
custom queuing, 268
FIFO queuing, 267
low latency queuing, 269
priority queuing, 267-268
queuing, 266-267
real-time transport protocol priority queuing (RTP-PQ), 269-270
weighted fair queuing, 268
weighted round-robin queuing
(WRRQ), 270
test-taking environment, 2-3
testing
routing configuration, 157
STP port verification, 100-101
tests, sample tests, 359, 401
answer keys, 385, 421
three-layer hierarchical model, 13
timers (STP), changing values, 93-94
TLS (transparent LAN services),
MANs and, 335-336
token-ring support, VLANs, 58-59
topology (RSTP), changes, 119-120
topology-based switching architecture,
161-162
traffic
broadcasts, 219
multicast routing, 229-236
multicasts, 219-220
unicasts, 218
transparency, MANs, 334-336
transparent bridges, 84
automatic address table updating
capability, 85
functions, 84
loop elimination, 85
troubleshooting
CEF, 173-174
STP
steps to take, 138-139
types of problems, 138
switches, 35-36
trunk connections, 68
VLANs, 55
VTP (VLAN Trunk Protocol), 76
trunk links, VLANs, 56
trunk ports, 151
VLANs, 56
trunking
Catalyst switch security, 308
RP interfaces and, 150
router-on-a-stick configuration,
155
trunks
configuring, 66
verifying configuration, 66-67
troubleshooting connections, 68
VTP (VLAN Trunk Protocol),
68-72
tunneling, 802.1Q (VLANs), 62-64

U
UDLD (Unidirectional Link
Detection), 134-135
compared to Loop Guard,
136-137
UDP, multicasts, 220
underrun (IP telephony), 260
unicasts, 218
Uninterruptible Power Supply.
See UPS
uplink interfaces, Layer 2
redundancy, 190-191
UplinkFast (STP), 110-112
UPS (Uninterruptible Power Supply)
importance of, 184
IP telephony, 257
username command, AAA and, 309

V
VACLs, 317-319
verification
CEF, 172-173
HSRP operation, 201-202
MQC configuration, 279
VLAN configuration, 54-55
version (BPDU frame field), 88
virtual addresses
HSRP protocol, 196
SLB (Server Load Balancing), 207
virtual default gateways, 194
virtual LANs. See VLANs
virtual RP (HSRP), role of, 195
vlan command, 53, 152
VLAN Management Policy Server
(VMPS), 51
VLAN Trunk Protocol (VTP), 68
advantages, 68-69
domains
configuring, 75
verifying configuration, 75-76
management domain, 69
message processing, 71-72
message types, 71
messages, 70-71
modes, 69-70
pruning, 73-74
troubleshooting, 76
versions, 72-73
VLANs, 46. See also PVLANs
access links, 56
advantages, 46-47
broadcasts, 47-48
configuring
RSPAN (Remote Switched Port Analyzer), 299-301
verifying configuration, 54-55
creating, 53
deleting, 53
directed services (DVS), MANs
and, 336-338
frame tagging, 56-57
GBPT (Generic Bridge PDU Tunneling) protocol, 64
implementation, 48-51
IOS routing configuration,
150-154
IP telephony and, 258
NICs, 57
port-based membership, 52
ports, associating, 53
protocols, 58
802.1Q, 59-61
ISL (InterSwitch Link), 58-59
supported ranges, 62
tunneling 802.1Q, 62-64
removing from trunks, 73-74
route processors, 148-149
switches, adding, 72
token-ring support, 58-59
troubleshooting, 55
trunk links, 56
trunk ports, 56
user assignment, 51-52
VMPS (VLAN Management Policy
Server), 51
VMR entries (TCAM tables), 166
VoIP, 256. See also IP telephony
VRRP (Virtual Router Redundancy
Protocol), 204
VTP (VLAN Trunk Protocol), 68
advantages, 68-69
domains, 75-76
management domain, 69
message processing, 71-72
message types, 71
messages, 70-71
modes, 69-70
pruning, 73-74
troubleshooting, 76
versions, 72-73
vtp command, 75

W-X-Y-Z
weighted fair traffic queuing, IP
telephony, 268
weighted random early detection
(WRED), IP telephony traffic
congestion avoidance, 272
weighted round-robin queuing
(WRRQ), IP telephony, 270
WFQ (weighted fair queuing), 268
configuring, 280
WRED (weighted random early
detection), congestion avoidance,
272, 287-288
wrr-queue bandwidth command, 287
wrr-queue queue-limit command,
287
WRRQ (weighted round-robin
queuing), 270
configuring, 286-287

What if Que joined forces to deliver the best technology books in a common digital reference platform?
We have. Introducing InformIT Online Books powered by Safari.

Specific answers to specific questions.

Immediate results.
With InformIT Online Books, you can select the book you want and view the chapter or section you need immediately.

Cut, paste, and annotate.
Paste code to save time and eliminate typographical errors. Make notes on the material you find useful and choose whether or not to share them with your workgroup.

Customized for your enterprise.
Customize a library for you, your department, or your entire organization. You pay only for what you need.

As an InformIT partner, Que has shared the knowledge and hands-on advice of our authors with you online. Visit InformIT.com to see what you are missing.

Get your first 14 days FREE!
InformIT Online Books is offering its members a 10-book subscription risk free for 14 days. Visit http://www.informit.com/onlinebooks for details.

informit.com/onlinebooks

InformIT Online Books' powerful search engine gives you relevance-ranked results in a matter of seconds.


Your Guide to Information Technology

www.informit.com

Training and Reference
Que has partnered with InformIT.com to bring technical information to your desktop. Drawing on Que authors and reviewers to provide additional information on topics you're interested in, InformIT.com has free, in-depth information you won't find anywhere else.

Articles
Keep your edge with thousands of free articles, in-depth features, interviews, and information technology reference recommendations, all written by experts you know and trust.

Online Books
Answers in an instant from InformIT Online Books' 600+ fully searchable online books. Sign up now and get your first 14 days free.

Catalog
Review online sample chapters and author biographies to choose exactly the right book from a selection of more than 5,000 titles.

As an InformIT partner, Que has shared the knowledge and hands-on advice of our authors with you online. Visit InformIT.com to see what you are missing.

www.quepublishing.com


"On top of everything else, I find the best deals on training products and services for our CramSession members."
Jami Costin, Product Specialist

CramSession.com is #1 for IT Certification on the 'Net.

There's no better way to prepare for success in the IT industry. Find the best IT certification study materials and technical information at CramSession. Find a community of hundreds of thousands of IT pros just like you who help each other pass exams, solve real-world problems, and discover friends and peers across the globe.
CramSession
#1 Rated Certification Site!
#1 by TechRepublic.com
#1 by TechTarget.com
#1 by CertMag's Guide to Web Resources.

CramSession has IT all!

The #1 study guides on the 'Net. With over 250 study guides for IT certification exams, we are the web site every techie visits before passing an IT certification exam.
Practice questions. Get the answers and explanations with our CramChallenge practice questions delivered to you daily.
The most popular IT forums. CramSession has over 400 discussion boards loaded with certification information where our subscribers study hard, work hard, and play harder.
e-Newsletters. Our IT e-Newsletters are written by techs for techs: IT certification, technology, humor, career and more.
Technical papers and product reviews. Find thousands of technical articles and whitepapers written by industry leaders, trainers, and IT veterans.
Exam reviews. Get the inside scoop before you take that expensive certification exam.
And so much more!

www.cramsession.com
