Showing posts from August, 2013

Multiple Spanning Tree Protocol (MST)

Supports up to 4096 instances of Spanning Tree

(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name      [ ]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90

Check the ROOT:
#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 aabb.cc00.0600         0    2   20  15
MST1                 1 aabb.cc00.0600         0    2   20  15
MST2              …
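To see what the `show spanning-tree mst configuration` output above is derived from, here is an added example (not from the original notes) that builds the instance table from the `instance N vlan ...` lines: every VLAN that is not explicitly mapped falls into instance 0 (the IST/CIST), and the ranges are compressed the way IOS prints them. It also pulls out the three attributes (name, revision, VLAN-to-instance table) that must match on every switch for them to form one MST region. The prompt-stripping and the `SAMPLE_CONFIG` list are my own; the VLAN numbers come from the notes.

```python
"""Build the MST instance-to-VLAN table from 'instance N vlan ...' lines.

Added example, not from the original notes. Reproduces the 'Vlans mapped'
column of 'show spanning-tree mst configuration'.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # VLAN IDs IOS accepts in an MST instance mapping


def strip_prompt(line):
    """Drop an IOS prompt such as '(config-mst)#' if the line was pasted with one."""
    return re.sub(r"^\S*#", "", line).strip()


def parse_vlan_list(text):
    """Expand '12, 34' or '1-11,13-33' into a set of VLAN IDs."""
    vlans = set()
    for part in re.split(r"[,\s]+", text.strip()):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compress_vlans(vlans):
    """Render a VLAN set the way IOS prints it: '1-11,13-33,...'."""
    ranges = []
    for v in sorted(vlans):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v
        else:
            ranges.append([v, v])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def mst_instance_table(config_lines):
    """Return {instance: 'vlans mapped'}, instance 0 holding every unmapped VLAN."""
    mapped = {}
    for raw in config_lines:
        m = re.match(r"instance\s+(\d+)\s+vlan\s+(.+)", strip_prompt(raw))
        if not m:
            continue
        inst, vlans = int(m.group(1)), parse_vlan_list(m.group(2))
        for other, existing in mapped.items():
            clash = vlans & existing
            if clash and other != inst:
                # A VLAN belongs to exactly one instance; refuse the overlap so it is noticed.
                raise ValueError(f"VLAN(s) {compress_vlans(clash)} already mapped to instance {other}")
        mapped.setdefault(inst, set()).update(vlans)
    cist = set(range(VLAN_MIN, VLAN_MAX + 1)).difference(*mapped.values())
    table = {0: compress_vlans(cist | mapped.pop(0, set()))}
    for inst in sorted(mapped):
        table[inst] = compress_vlans(mapped[inst])
    return table


def region_identity(config_lines):
    """(name, revision, instance table): all three must match for switches to share a region."""
    name, revision = "", 0
    for raw in config_lines:
        line = strip_prompt(raw)
        if line.startswith("name "):
            name = line.split(None, 1)[1].strip()
        elif line.startswith("revision "):
            revision = int(line.split()[1])
    return name, revision, mst_instance_table(config_lines)


# The configuration block from the notes (region name CCIE, revision 1).
SAMPLE_CONFIG = [
    "(config-mst)#revision 1",
    "(config-mst)#instance 1 vlan 12, 34",
    "(config-mst)#instance 2 vlan 56, 90",
    "(config-mst)#name CCIE",
]

if __name__ == "__main__":
    name, rev, table = region_identity(SAMPLE_CONFIG)
    print(f"Name {name}  Revision {rev}  Instances configured {len(table)}")
    for inst, vlans in table.items():
        print(f"{inst:<9} {vlans}")
```

Running it prints the same three rows as the `show` output in the notes. A mismatch in any of the three returned values between two neighbours puts them in different regions, which is the usual cause of an unexpected region boundary.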

Advanced Spanning Tree

root primary - sets the priority to:
if ROOT > 24576 - sets to 24576 (priority 24576 sys-id-ext 12)
if ROOT <= 24576 - sets to 4096
root secondary - sets the priority to 28762

#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base 

Cat-1#show spanning-tree vlan 12
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588              <--- ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)    <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type           <--- ABOUT I…
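The arithmetic behind the `24588 = 24576 + 12` line and the root-election order is easy to get wrong when reading `show spanning-tree` output by eye, so here is an added example (not from the original notes) that models the extended system ID: the displayed priority is the configured priority (a multiple of 4096) plus the VLAN ID, and the root is the bridge with the lowest (priority, MAC) pair. The `root primary` function implements the second branch as IOS documents it, one 4096 step below the current root, which the notes compress to "4096"; `root secondary` returns 32768 - 4096 = 28672 (the notes' 28762 is a digit transposition). The switch names and the MACs other than Cat-1's are constructed.

```python
"""Bridge-priority arithmetic behind 'spanning-tree vlan X root primary|secondary'.

Added example, not from the original notes.
"""
PRIORITY_STEP = 4096        # the extended system ID leaves 4 bits for the priority
DEFAULT_PRIORITY = 32768
MAX_PRIORITY = 61440        # 15 * 4096
SYS_ID_MASK = 0xFFF         # the low 12 bits of the priority field carry the VLAN ID


def check_priority(priority):
    """Configured priorities must be multiples of 4096 between 0 and 61440."""
    if not 0 <= priority <= MAX_PRIORITY or priority % PRIORITY_STEP:
        raise ValueError(f"invalid bridge priority {priority}: must be a multiple of {PRIORITY_STEP}")
    return priority


def bridge_priority(priority, vlan):
    """Priority field as 'show spanning-tree vlan' prints it: priority + sys-id-ext (the VLAN)."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN {vlan}")
    return check_priority(priority) + vlan


def decode_priority(shown):
    """Split a displayed value back into (configured priority, VLAN), e.g. 24588 -> (24576, 12)."""
    return shown & ~SYS_ID_MASK, shown & SYS_ID_MASK


def root_primary(current_root_priority):
    """Priority the 'root primary' macro picks, given the current root's configured priority:
    24576 when that beats the current root, otherwise one 4096 step below the current root."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root already at priority 0; root primary cannot preempt it")
    return check_priority(current_root_priority - PRIORITY_STEP)


def root_secondary():
    """'root secondary' sets 32768 - 4096 = 28672 (the notes' 28762 is a digit transposition)."""
    return DEFAULT_PRIORITY - PRIORITY_STEP


def mac_to_int(mac):
    """'aabb.cc00.0600', 'aa:bb:cc:00:06:00' and 'aa-bb-cc-00-06-00' normalise to one integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def elect_root(bridges, vlan):
    """Root election for one VLAN: lowest (priority + sys-id-ext, MAC) wins.
    bridges maps switch name -> (configured priority, base MAC)."""
    return min(bridges, key=lambda name: (bridge_priority(bridges[name][0], vlan),
                                           mac_to_int(bridges[name][1])))


if __name__ == "__main__":
    # Constructed topology: Cat-1 uses the MAC from the notes, the other two are made up.
    switches = {"Cat-1": (24576, "ec44.768a.6d80"),
                "Cat-2": (28672, "aabb.cc00.0600"),
                "Cat-3": (32768, "aabb.cc00.0700")}
    print("VLAN 12 root:", elect_root(switches, 12))
    print("Cat-1 priority field for VLAN 12:", bridge_priority(24576, 12))
```

Pass `root_primary` the configured priority of the current root (the first element of `decode_priority(shown)`), not the displayed value with the VLAN added in. Because the MAC breaks ties, two switches left at the default 32768 elect whichever has the lower base MAC, which is why pinning the root with an explicit priority matters.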

Private VLANs

This belongs to L2 SECURITY rather than L2 SWITCHING

1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40

(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 30,40,50 <--- map Promiscuous VLAN 10 to Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <--- Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE Secondary VLANs to the Prima…
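The three port types above define a small reachability matrix, and the warning about associating secondary VLANs is exactly the kind of thing that is easier to check in code than by reading a running config. This added example (not from the original notes) models the rules as the notes state them: promiscuous ports reach everyone (within their mapping list), isolated hosts reach only promiscuous ports, community hosts reach promiscuous ports and their own community. A host port whose secondary VLAN was never associated with the primary, or a promiscuous port mapped to such a VLAN, is rejected before any reachability answer is given. The port names and VLAN numbers in `PVLAN` and `PORTS` are constructed; they are not the notes' values.

```python
"""Private-VLAN reachability check. Added example, not from the original notes."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class PrivateVlan:
    """'vlan 10 / private-vlan primary / private-vlan association add ...'"""
    primary: int
    isolated: FrozenSet[int]      # secondary VLANs configured 'private-vlan isolated'
    community: FrozenSet[int]     # secondary VLANs configured 'private-vlan community'

    @property
    def associated(self):
        return self.isolated | self.community


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # 'promiscuous' or 'host'
    secondary: Optional[int] = None         # 'host-association <primary> <secondary>'
    mapping: FrozenSet[int] = frozenset()   # 'private-vlan mapping <primary> add ...'


def validate_port(pv, port):
    """Catch the mistake the notes warn about: a secondary VLAN that was never associated."""
    if port.mode == "host":
        if port.secondary not in pv.associated:
            raise ValueError(f"{port.name}: VLAN {port.secondary} is not associated with primary {pv.primary}")
    elif port.mode == "promiscuous":
        missing = port.mapping - pv.associated
        if missing:
            raise ValueError(f"{port.name}: mapped VLANs {sorted(missing)} are not associated with primary {pv.primary}")
    else:
        raise ValueError(f"{port.name}: unknown private-vlan mode {port.mode!r}")


def can_communicate(pv, a, b):
    """True when frames from port a may reach port b inside private VLAN pv."""
    validate_port(pv, a)
    validate_port(pv, b)
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True                                    # both sit in the primary VLAN
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        return host.secondary in prom.mapping          # only mapped secondaries reach the promiscuous port
    if a.secondary in pv.isolated or b.secondary in pv.isolated:
        return False                                   # isolated hosts never talk to other hosts
    return a.secondary == b.secondary                  # community hosts: same community only


def reachability(pv, ports):
    """Matrix {(src, dst): bool} over all ordered pairs of distinct ports."""
    return {(a.name, b.name): can_communicate(pv, a, b)
            for a in ports for b in ports if a is not b}


# Constructed topology: primary 10, communities 20 and 30, isolated 40, one promiscuous uplink.
PVLAN = PrivateVlan(primary=10, isolated=frozenset({40}), community=frozenset({20, 30}))
PORTS = [
    Port("Gi0/1", "promiscuous", mapping=frozenset({20, 30, 40})),
    Port("Gi0/2", "host", secondary=20),
    Port("Gi0/3", "host", secondary=20),
    Port("Gi0/4", "host", secondary=30),
    Port("Gi0/5", "host", secondary=40),
    Port("Gi0/6", "host", secondary=40),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(PVLAN, PORTS).items()):
        print(f"{src} -> {dst}: {'allowed' if ok else 'blocked'}")
```

The matrix is the quickest way to confirm that two hosts you intended to isolate (say, two customer ports in the isolated VLAN) really cannot reach each other, and that the only path between segments is the promiscuous port, where the gateway or firewall sits.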

VMPS: VLAN Membership Policy Server

VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port.

VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so it is not necessary for VMPS clients to know whether the VMPS resides on a local or a remote device on the network.

Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port.
The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.

SECURE MODE: If MAC has not been found in VMPS Server - shut down the port

On VMPS Server:
(config)# vmps server [ipaddress | hostname] primary

On all the switches in the LAN (VMPS Clients):
(config-if)# switchport access vlan dynamic

Define how many…
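The lookup a VMPS performs for a dynamic port, as an added example that is not part of the original notes: the server normalises the client's MAC (IOS dotted, colon and dash notations all map to one key), looks it up in its MAC-to-VLAN database, and for an unknown MAC either shuts the port down (the notes' SECURE MODE) or simply denies the assignment. The `mac vlan` text format of `DATABASE` and all MAC values in it are constructed for this example, not the VMPS database format or the notes' values.

```python
"""Dynamic-VLAN decision as a VMPS server would make it. Added example, not from the notes."""
import re


def normalize_mac(mac):
    """Accept 'aabb.cc00.0600', 'AA:BB:CC:00:06:00' or 'aa-bb-cc-00-06-00'; return IOS dotted form."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def load_database(lines):
    """Constructed 'mac vlan' text -> {normalised mac: vlan}; rejects duplicate MACs."""
    db = {}
    for line in lines:
        line = line.split("!", 1)[0].strip()   # allow IOS-style '!' comments
        if not line:
            continue
        mac, vlan = line.split()
        mac = normalize_mac(mac)
        if mac in db:
            raise ValueError(f"duplicate entry for {mac}")
        db[mac] = int(vlan)
    return db


def vqp_decision(db, mac, secure):
    """What the VMPS tells the client switch for one host MAC.

    Returns ('assign', vlan) when the MAC is known. For an unknown MAC it returns
    ('shutdown', None) in secure mode (the port is shut down) or ('deny', None) otherwise."""
    vlan = db.get(normalize_mac(mac))
    if vlan is not None:
        return "assign", vlan
    return ("shutdown" if secure else "deny"), None


# Constructed database; the MACs are sample values, not from the notes.
DATABASE = load_database([
    "! mac              vlan",
    "0012.3456.789a     20",
    "00:12:34:56:78:9b  30",
])

if __name__ == "__main__":
    for mac in ("0012.3456.789a", "00-12-34-56-78-9B", "dead.beef.0001"):
        print(mac, "->", vqp_decision(DATABASE, mac, secure=True))
```

The normalisation step is where real deployments go wrong: a database entry typed in colon notation never matches a client query in dotted notation unless both sides agree on a canonical form, and in secure mode the result is a shut-down port rather than a wrong VLAN.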

SDM (Switch Database Management) - L3 Switch Memory Optimization

Depending on the switch's purpose (whether it is used only for L2 switching or for IP routing), memory allocation can be optimized. This is what SDM is all about.

SDM (Switch Database Management) offers 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

(config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

(config)#sdm prefer  ?
access              Access bias
default             Default bias
dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <--- USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
ipe                 IPe bias
routing             Unicast bias <--- IF YOU USE THE SWITCH AS A ROUTER
vlan                VLAN bias <--- ONLY L2 SWITCH

Check the achieved results:
#show sdm prefer
 The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS B…