Showing posts with label L2 Protocols. Show all posts
Showing posts with label L2 Protocols. Show all posts

Thursday 17 October 2019

VLAN Translation

VLAN Translation is used to encapsulate one vlan (doq1q) in another vlan (dot1q)

So, it is also called q-in-q encapsulation

The original vlan is called C-VLAN (customer) and the translated vlan is called S-VLAN (standard-vlan)

To use vlan translation, 2 ways are there:
  1. Use vlan mapping both ways .ie.any traffic coming with vlan X will be converted to vlan Y and those with vlan Y will be converted to Vlan X

interface Ethernet14
   switchport mode trunk
   switchport vlan mapping 80 280
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport trunk native vlan 80
   switchport mode trunk
   switchport vlan mapping 280 80

In above case, any traffic coming with vlan 80 on et14 will be converted to vlan 280. On et16, any traffic coming with vlan 280 will be converted to vlan 80 (both ingressing and egressing)

NOTE: In et14, compulsorily vlan280 must be allowed and on et16, compulsorily vlan 80 must be allowed since vlan translation ahppens very initially in pipeline. So, any traffic with original vlan will be converted to new vlan before any sort of processing happens.


  1. Another way is to use only 'in' and 'out' words in the mapping configuration, so that, only incoming or outgoing packets will be translated. Not other way around.

interface Ethernet14
   switchport mode trunk
y
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport mode trunk
   switchport vlan mapping 280 80
   switchport vlan mapping out 280 80

In this case, on et 14, only incoming packets with vlan 80 will be translated to vlan 280. But, if a vlan 80 packet has to go out from et14,  it will be sent as vlan 80 only. Similarly, on et16, only egressing packets will be translated. So, if vlan 280 packet has to go out from et16, it will be translated to vlan80. But, if a incoming packet with vlan 280 hits et16, it will not be translated.
Posted by at No comments:
Labels:

Tuesday 21 August 2018

Subinterfaces

SUBINTERFACES

Subinterfaces: we need it when we have more vlans than physical links

As we know, we have  setup a trunking port between the switch and router, then configure the configure the interface and sub interfaces in your router:

Switch(config)#interface fa0/2

Switch(config-if)#switchport mode trunk

Router(config)#interface fa0/1

Router(config-if)#no shutdown

Router(config)#interface fa0/1.1

Router(config-subif)#encapsulation dot1q 1

Router(config-subif)#ip address 192.168.10.1 255.255.255.0

Router(config)#interface fa0/1.2

Router(config-subif)#encapsulation dot1q 15

Router(config-subif)#ip address 192.168.15.1 255.255.255.0

Router(config)#interface fa0/1.3

Router(config-subif)#encapsulation dot1q 35

Router(config-subif)#ip address 192.168.20.1 255.255.255.0

We configure sub interfaces because we have 3 vlan and just one physical link, for this reason we need that all data passing through a single link, how do we fix that?

Creating 3 sub-interfaces, one for each vlan, however it reduces the bandwidth one third.

Physical Interfaces: we need it when we have more physical links than vlans

We  configure a normal ip in each interface, (one per vlan), now in the switch instead of create trunk links, we create access links (one per vlan).

Router(config)#interface FastEthernet0/0

Router(config-subif)# ip address 10.10.10.1 255.255.255.0

Router(config)interface FastEthernet0/1

Router(config-subif)# ip address 10.10.20.1 255.255.255.0

Router(config)#interface FastEthernet0/3

Router(config-subif)#ip address 10.10.30.1 255.255.255.0

Switch(config)#interface range fa0/1, fa0/10

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config)#interface range fa0/5,fa0/20

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config)#interface range fa0/8, fa0/30

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 30

Here we have one link per vlan and we  can use the full bandwidth of each interface.

Posted by at 1 comment:
Labels: ,

Friday 6 July 2018

L2 Layer Troubleshooting for Beginners

MAC ADDRESS, VLAN, ARP:
Important commands for troubleshooting:
  • Show lldp neighbors
  • Show interface status
  • Int et 1/1 →  show active
  • Note:
  • We should never try to ping any host from a switch since it will try to ping via management interface
  • Always check MAC address table on switches
  • Always check ARP table on hosts only (do not check on switches)
  • NOTE: Do the troubleshooting in same order as below:
  1. Check if shutdown
  2. Check vlans
  3. Check IP configurations
  • One method is to start ping from host A to host B. then, go to Host B and tcpdump on the interface. If we get both a request and reply. There is a trouble in the reply path.
  • Note that we cannot see the ping on in-between devices since unicasts do not go to control plane
Case 1: Interface Shut Down:
  • Go to each interface in topology and do
        #int et 1/1
        #show active
And check if it is shutdown
Case 2: Trunk and Access Mismatch:
  • Go to facing interfaces (both sides of a link) in topology and do
        #int et 1/1
        #show active
  • Check if both are trunk and allow the vlan used
  • If one of them is access vlan X and the other is trunk allowed vlan X, then, the untagged packet from access will go to the native vlan and get dropped
Case 3: IP Configuration on hosts:
  • Go to hosts and check the interface IP address
  • One of the hosts will be in different subnet (Then, host A will think that host B is also in same subnet. But, host B will know that it is not in same subnet...so will not reply)
Case 4: MAC Access Lists:
  • Do #show active on each interface
  • Check if there is a mac access-list for another mac-address ‘B’  which blocks packets from mac-address B (using ‘in’)
Case 5: Another host ‘C’ is also receiving the ping requests that was sent for another host ‘D’. Check if true?
  • Start tcpdump on both hosts C and D . (we may see that no ping packets are shown….control plane)
  • But, if we checked on an in-between switch’s interface #show active , we see that mac address learning is set to NO. So, there is always a broadcast due to Unknown Unicast (#no switchport mac address learning)
  • Now that we know that it is supposed to be getting broadcasts, we can confirm it by going to host C and doing
  • #clear counter et 49
  • #watch diff show int et 49 // Other traffic will be there also...so use the other command(OR) #watch diff show int et 49 counter bins
  • Go to host A and start ping for host D using large repeat count and size
Case 6: MAC Flapping:
  • Use command #show logging to see mac flaps
  • #show event-monitor mac can be used to see when a mac-address entry was added and removed
Posted by at No comments:
Labels: ,

Saturday 23 June 2018

Link Aggregation(LAG) and LACP Protocol:


LAG (Link Aggregation):

  • It is a virtual concept

Thus, the LAG makes two links appear as one in STP

  • The basic concept of LAG is that multiple physical links are combined into one logical bundle. This provides two major benefits, depending on the LAG configuration:
    • Increased capacity – traffic may be balanced across the member links to provide aggregated throughput
    • Redundancy – the LAG bundle can survive the loss of one or more member link
  • LAG makes two connections appear as one to STP, so the second connection won’t be blocked.
  • Load sharing among the LAG links: Traffic from each flow of packets goes through a single link. So, even if we get a flow of 20G, it will go via a single link only. So, the throughput is limited to the bandwidth of the single link only (here: 10G).

Note: The physical type (SFP,...) and speeds(10G,...) of all links in a port-channel should be the same.

#int et 17-18

#channel-group mode on //static configuration of link aggregation

Where channelgroupnumber = 1

#show span //we can see the port channel 1 in show spanning-tree

#show int port-Channel 1 (OR) #show port-channel

  • Now, if we make the port-channel of et17 and 18 in vlan 51. And now, if we make individual et17 and et 18 in van 30. Then, even then the port-channel only will take effect as it will act as a single interface. Thus, ALWAYS port-channel configuration overrides any interface specific configuration.
  • Even after link aggregation, show lldp nei will show the individual interfaces only, since lldp considers only the physical topology.
  • If we tcpdump on int et 17, we can only see the lldp protocols. If we do tcpdump on port-channel 1, we can see all other protocols like STP, etc

#tcpdump int po1

  • If we use link aggregation on one side (MT701) and stop link aggregation on other side (MT703), then:In EOS,
  • On MT701, the STP will not even consider the individual ports. It only considers the port-channel as an interface and it only has the port channel’s state.
  • On MT703, the interfaces are considered different. So, if any ARP request broadcast comes from the port-channel on MT701, then, MT703 receives it on both the interfaces and floods it again via the other link.
  • RTAG 7:
    • RTAG7 is a hashing algorithm that load balances the traffic.
    • Hash engine comes out with a number for each flow.
    • Using the number, the flow is sent through that port.
    • This ensures that the flows are distributed among all the links
    • #show port-channel load-balance trident fields //we can see which all fields of a packet participate in the hashing.
    • #port-channel load-balance trident fields ? //we can configure which all fields we can disable or enable to influence the hashing.
  • Why is the spanning tree cost of port channel comes down? (et 18, 19 have cost of 2000 each but if we use port-channel the cost of port-channel becomes 1999)
    • Because of bandwidth since cost depends on bandwidth
    • 10G links have cost of 2000 by default. Higher the bandwidth, lower is the cost.
    • But, if another 10G link is there, cost will be 2000, so STP may consider that link. So, we use cost of 1999 on the port-channel link.
    • If any speed mismatch is there among the links in a port channel, then, only the higher bandwidth link is active.

DYNAMIC LINK AGGREGATION:

  • LACP (Link Aggregation Control Protocol)
  • #int et 17-18

#channel-group mode active //dynamic lacp active

(OR)

#channel-group mode passive //dynamic lacp passive

  • If both the sides are configured as active, then, both sides can start LACP transmission. If one side is configured as passive, then, it can only receive lacp, not send. (both sides cannot be passive, since both sides will only be waiting for lacp)
  • Passive LACP: the port prefers not transmitting LACPDUs. The port will only transmit LACPDUs when its counterpart uses active LACP (preference not to speak unless spoken to).
  • Active LACP: the port prefers to transmit LACPDUs and thereby to speak the protocol, regardless of whether its counterpart uses passive LACP or not (preference to speak regardless).
  • In L2 header, the type will be a Slow Protocol and the subtype in slow protocols will be LACP. It is a slow protocol since if one side LACP is configured, then, it will keep sending LACP PDUs every 30 seconds.
  • The LACP rate fast feature is used to set the rate (once every second) at which the LACP control packets are sent to an LACP-supported interface. The normal rate at which LACP packets are sent is 30 seconds.

#lacp rate fast //1 seconds

(OR)

#lacp rate normal //30 seconds

  • The above timeout is used to configure the timeout for the partner. If we use rate fast, then, within 3 seconds if it doesn’t get a reply, it knows that the link is not active. It tears down the port-channel.

(OR)

In the rate fast timeout configuration, an LACPDU is sent every second. If no response comes from its partner after 3 LACPDUs are sent, a timeout event occurs and the port channel is removed.

    • Key: Tells the port-channel number (there are two separate fields for both the actor and partner)
    • Port: tells the port number .eg. et 17 (there are two separate fields for both the actor and partner)
    • Actor State:
      • LACP Activity: tells whether the actor is in active (1) or passive state (0)
      • LACP Timeout: tells whether the timeout is normal (1) or fast (0)
      • Aggregation: 1 tells whether the port is a part of port channel. 0 tells that it is operating as a single link.
      • Synchronization: the flag is set when we get back a LACPDU from the partner.

(1 Means it has been allocated to the correct link aggregation group, the group has been associated with a compatible aggregator, and the identity of the link aggregation group is consistent with the system ID and operational key information transmitted. If the value is 0, the link is not synchronized .ie. it is currently not in the right aggregation.)


      • Collecting: after sync, if we receiver data from partner, accept it.
      • Distributing: after sync, even send data.
      • Default: 1 indicates that the actor’s receive machine is using the default operational partner information, administratively configured for the partner. 0 indicates the operational partner information in use has been received in an LACP PDU.
      • Expired: 1 indicates the actor or partner is in an expired state. 0 indicates the actor or partner is not in an expired state .ie. no lacpdu received within timeout
  • Now, a case when we aggregate many links into a port channel but the links are connected to different switches. Then, when the actor sends out a LACPDU, whichever partner sends the first reply, that link will become active. The other links connected to different partners will get inactive state.
  • #show lacp internal detailed //shows the current switch’s details. Also we can see all the flags which are set and not set. We can also see the port-priorities, so that we choose which link should come up in case of mismatched-aggregate
  • #show lacp neighbor detailed  //shows the system id, port number and key of the neighbor
  • #show port-channel //in this itself we can see the reason for the port channel not active
  • #show lacp neighbor all-port //shows details about the neighbour for each of the physical port. We can then use the oper-key value to know if the port-channel link is connected to same port-channel on other side also.
    • If oper-key is different and admin-key is same, then, this port channel is connected to 2 different port-channels on the other side. But, they are in same switch
    • If oper-key and admin-key are both different, then, this port-channel is connected to 2 different switches.
  • #show lacp interface all-port //shows details for lacp not working...If the partner’s sys-id is same and oper-key is different, then, it means same port channel on our side is connected to two port-channels to same partner on other side. (mismatched-aggregate)
  • NOTE: Oper-key is the number assigned to port-channel. For eg, if I give my channel-group 100, then, port channel number is 100 and oper-key will be shown as 64 (since: 100 in decimal is 64 in hex)
  • #show lacp interface detailed all-ports and #show etherchannel detailed all-ports are two ultimate troubleshooting commands if we can’t find out issue
Posted by at
Labels: , ,

Saturday 16 June 2018

STP (Spanning Tree Protocol)

INTRO TO SPANNING TREE:
  • To see current STP configuration: #show run section span
  • To configure STP, #spanning-tree mode rstp
    • There are many modes of spanning tree but legacy is unsupported. Only rapid STP is supported
    • To use STP per vlan, #spanning-tree mode r-pvst //don’t use this, use rstp itself
  • #show spanning-tree detail
  • If we tcpdump the interface (et 18) , we see some frames having same source mac address (this mac address is the physical interface’s mac address...not the Switch’s MAC. Thus the interface mac address is used for L2 communications) and a multicast destnation MAC address (that are assigned for Spanning Tree as per wireshark). These frames are called BPDU (Bridge Protocol Data Unit)
    • BPDU stands for bridge protocol data unit. BPDUs are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocoltopology. BPDU packets contain information on ports, addresses, priorities and costs and ensure that the data ends up where it was intended to go. BPDU messages are exchanged across bridges to detect loops in a network topology. The loops are then removed by shutting down selected bridge interfaces and placing redundant switch ports in a backup, or blocked, state.
  • To see port mac address, use (config)#show interface et 19
  • The format of BDPU is:
    • Protocol Identifier: STP
    • Version: Rapid
    • BDPU flags: “tell whether it is a forwarding or blocked port”
    • Root Identifier: “It is the system MAC of the switch that is taken as the root for STP calculation”
    • Root Path Cost: “tells the cost to the root switch to the current switch that is sending the configuration message”
    • Bridge Identifier: “tells the mac address of the current switch”
    • Port Identifier: “tells the current port from which the configuration message was sent. Eg) et 18”
  • Each link has a cost. Higher the Bandwidth, lower is the cost.
  • Steps:
    • First each switch sees it own mac address and sends a BPDU by taking its own mac address as root Identifier and as bridge Identifier
    • Then, with all the BPDUs from all the switches, the switch that has a lower mac address is taken as root. This information is shared to all the switches and they change their root identifier if a lower mac address is there in BPDU of another switch. For example, in figure, the switch A is taken as root identifier as it has a lower mac.
    • Also, when B sends BPDUs with B as root identifier, the cost will be 0. Then, after it gets to know that A is the root bridge, it sends cost as 10. Also, it will send in other directions other than the direction of root bridge (this is compulsory for all the switches).
    • Note: The order in which the port to be blocked is decided:
      • 1. Higher cost path is blocked
      • 2. Higher Uplink- MAC address port is blocked
      • 3. Higher Uplink- Port Number port is blocked.
  • To check current spanning-tree root bridge. (conf)#show spanning-tree
  • To force a switch to become root, set the priority to zero: (conf)#spanning-tree priority 0. The max value is 65536. The default value is 32768 (half of max priority).
  • Reason of why the priority should be multiple of 16?
    • Initially, we had 1 Byte for Port number and 1 byte for Priority.
    • But, the 256 ports were not enough after some time. SO, we borrowed 4 bits from priority for port number.
    • So, we have only 4 bits left in priority and the 4th bit is 16. Hence, any change should be in multiple of 16.
PORT IDENTIFIER FORMAT:

    • Similarly, for the same reason, the max number of vlans can be 4096 due to similar format in the BRIDGE IDENTIFIER format where


Legacy STP or Common STP:

  • Older version, not used much now.
  • There are 3 timers- Hello (2 sec), Forward Delay (15 sec) , Max. Age (20 sec).
Thus, minimum of 32 seconds is taken to create a converged topology.
  • There are 3 states-
    • Blocking—The interface does not participate in frame forwarding.
    • Listening—The first transitional state after the blocking state when the spanning tree determines that the interface should participate in frame forwarding.
    • Learning—The interface prepares to participate in frame forwarding.
    • Forwarding—The interface forwards frames to other switches.
  • Once a topology is converged and then there is a change in topology of one switch, then, that particular switch sends a TCN (Topology Change BPDU). This TCN is sent continuously every 2 sec till it receives an acknowledgement from its root.
  • In CSTP, only the root bridge can generate a BPDU. Others will only relay it. Thus, it is called relayed.
  • We can see the no. of topology changes in last X seconds using (config)#show spanning-tree detail
  • To stop this unnecessary TCN and flushing process, we can configure spanning-tree port-fast on the ports where the hosts are connected. Since, the hosts do not participate in STP, there is no need to send TCN for connection and removal of hosts.
  • Even if we port fast the ports where switch is connected, then, even then since both the switches will send BPDU, it will get converged and automatically the command is overridden. But, during the convergence, we will have a loop for sometime.
  • If we enable BPDU guard and, if we get a BPDU on a FastPort, it immediately error disables that port. #show interface status error-disabled to see the reason why a port was disabled.
  • BPDU filter is used to control the BPDU in and out. For eg, if we don’t want to show the BPDU to other connected devices on a port.
  • The root guard feature provides a way to enforce the root bridge placement in the network.
    • The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.
    • If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

RSTP:

    • EDGE- connected to a host
    • ALTERNATE- state is discarding. .ie. blocked (alternate path to root)
    • BACKUP- state is discarding..ie. blocked (backup path to designated)
    • ROOT- connected to root bridge
    • DESIGNATED- connected to non-root bridge
  • If any topology changes after convergence,
    • We don’t have a TCN BPDU in RSTP.
    • Here, we use the normal BPDU by setting the TC (Topology Change) bit and send to other switches.
    • Note that the BPDU is sent only by the switch that notices the topology change on all the forwarding ports (.ie. both root and designated) to other switches.
    • After this, the entire mac address table is NOT cleared. Only the designated port on that mac address table is cleared and relearnt.
  • To set the max time interval for a BPDU to be valid : #span max-age <time in sec. Eg:10> . Similarly, we have max-hops which is the max hops the bpdu can travel (max- hops is shown in wireshark as message age).
  • Indicators to notice a loop:
  • One is seeing the mac flap in #show mac-address table
  • Another is checking an interface #show interface et19 status . If we see very high no. of broadcasts than unicasts, then, looping is happening.
  • Note: One easy way to make a switch as the root is by changing priority. It can be done automatically using the command #span root primary (OR) #span priority <priority_number>



(Q) Configuring MT701 to MT705.

Mn431        #int et 43

#ip addresss 10.1.10.1/24

MT701        #span mode rstp

        #span priority 0 //setting it as root bridge

        

------------

MT702        #int et 1/1, 1/2, 1/3

        #span cost 8000   //If it checks the cost, then, et ¼ will have the lowest cost. Hence, it will become root port

-----

MT702# terminal monitor //use this on the switch where we are going to configure BPDU guard

        #show log

        

MT701        #int et 20

        #span bpdufilter enable

MN701        #ping  //to send broadcasts

MT702        #watch diff show int et ⅓ //we see that there is very high broadcast which shows that there is looping

        (OR) #watch diff show int et ⅓ counters //this command shows unicast, multicast and broadcasts separately

        #int et ⅓

        #span bpduguard enable //enabling the BPDU guard

MT701        #int et 20

        #no span bpdufilter enable //disabling BPDU filter on port 20 of MT701

MT702         #show int status //we will see that the interface et ⅓ will be shown as error-disabled due to BPDU guard which disables it due to the broadcasts

        #show int et ⅓ status error //we can see the reason for the error-disabled- shown as bpduguard

-------

MT704        #int et 19

        #shutdown

        #no shutdown

In another computer,

MT704   #watch diff show span \\we can see how fast an port is changing from alternate to root and to original again

MT704   #watch diff show span detail \\we can the number of topology changes and the time

In another computer,

MT704   #tcpdump int et 20

------

MT701        #watch diff show mac add //we will see that only the mac addresses on designated ports are cleared. The mac addresses on root port are unaffected.

MT702        #int et1/1

#shut //we will see that the mac table on MT701 is cleared for the interface et 19 (since et 19 is connected to 1/1)

#no shut

-------

MT702        #int et ½

        #span guard root

MT704        #span priority 0

//thus, now for MT702, it gets a superior BPDU to a root bridge MT704. But, already it thinks MT701 is the root bridge

MT702        #show span //it shows inconsistent state on et ½ since we have configured root guard. If we had not configured, then, this port would have become root port and MT704 would have become the root bridge.

-------

MT701        #int et23

        #span fastport auto

        

MN431        #ping 10.1.10.2

In another computer first type this and watch,

MT701  #logging console 7

             #logging monitor debugging

             #terminal monitor

//this command displays the debugging and changes on the monitor (no need to use show logging separately)

MT701        #int et 23

        #shut

        #no shut

        

//we will see that in debugging, it takes around 20 seconds to move the port to listening port and then to designated port.

MT701        #int et23

        #span fastport edge

 & repeat the above steps   // we will see that the moving only takes 1 second.

--------

ASSIGNMENT QUESTIONS:

  1. Diameter of spanning tree= 7 (by using the default configurations of IEEE802.1D). If we tune the timers, then, it is possible to increase the diameter.

  1. Problem with RSTP:

Counting to Infinity http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

  1. RSTP Sync Process:

Proposal and Agreement

http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

4) Difference b/w STP and RSTP:

https://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/

(Q) Configuring MT701 to MT705.

Mn431        #int et 43

#ip addresss 10.1.10.1/24

MT701        #span mode rstp

        #span priority 0 //setting it as root bridge

        

------------

MT702        #int et 1/1, 1/2, 1/3

        #span cost 8000   //If it checks the cost, then, et ¼ will have the lowest cost. Hence, it will become root port

-----

MT702# terminal monitor //use this on the switch where we are going to configure BPDU guard

        #show log

        

MT701        #int et 20

        #span bpdufilter enable

MN701        #ping  //to send broadcasts

MT702        #watch diff show int et ⅓ //we see that there is very high broadcast which shows that there is looping

        (OR) #watch diff show int et ⅓ counters //this command shows unicast, multicast and broadcasts separately

        #int et ⅓

        #span bpduguard enable //enabling the BPDU guard

MT701        #int et 20

        #no span bpdufilter enable //disabling BPDU filter on port 20 of MT701

MT702         #show int status //we will see that the interface et ⅓ will be shown as error-disabled due to BPDU guard which disables it due to the broadcasts

        #show int et ⅓ status error //we can see the reason for the error-disabled- shown as bpduguard

-------

MT704        #int et 19

        #shutdown

        #no shutdown

In another computer,

MT704   #watch diff show span \\we can see how fast an port is changing from alternate to root and to original again

MT704   #watch diff show span detail \\we can the number of topology changes and the time

In another computer,

MT704   #tcpdump int et 20

------

MT701        #watch diff show mac add //we will see that only the mac addresses on designated ports are cleared. The mac addresses on root port are unaffected.

MT702        #int et1/1

#shut //we will see that the mac table on MT701 is cleared for the interface et 19 (since et 19 is connected to 1/1)

#no shut

-------

MT702        #int et ½

        #span guard root

MT704        #span priority 0

//thus, now for MT702, it gets a superior BPDU to a root bridge MT704. But, already it thinks MT701 is the root bridge

MT702        #show span //it shows inconsistent state on et ½ since we have configured root guard. If we had not configured, then, this port would have become root port and MT704 would have become the root bridge.

-------

MT701        #int et23

        #span fastport auto

        

MN431        #ping 10.1.10.2

In another computer first type this and watch,

MT701  #logging console 7

             #logging monitor debugging

             #terminal monitor

//this command displays the debugging and changes on the monitor (no need to use show logging separately)

MT701        #int et 23

        #shut

        #no shut

        

//we will see that in debugging, it takes around 20 seconds to move the port to listening port and then to designated port.

MT701        #int et23

        #span fastport edge

 & repeat the above steps   // we will see that the moving only takes 1 second.

--------

ASSIGNMENT QUESTIONS:

  1. Diameter of spanning tree= 7 (by using the default configurations of IEEE802.1D). If we tune the timers, then, it is possible to increase the diameter.

  1. Problem with RSTP:

Counting to Infinity http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

  1. RSTP Sync Process:

Proposal and Agreement

http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

4) Difference b/w STP and RSTP:

https://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/

Posted by at
Labels:

Tuesday 5 June 2018

ARP and types of ARP

INTRODUCTION TO ARP:
* ARP is used to find the MAC address of the device for which we already know the IP address.
* The address resolution protocol (arp) is a protocol used by the IP, specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.
* The protocol operates on the Datalink layer (L2) but carries L3 information (IP addresses)
* There are four types of arp messages that may be sent by the arp protocol. These are identified by four values in the "operation" field of an arp message. The types of message are:
1. ARP request
2. ARP reply
3. RARP request
4. RARP reply
* The format of an arp message is shown below:
*

ARP Cache: * To reduce the number of address resolution requests, a client normally caches resolved addresses for a (short) period of time.
* The arp cache is of a finite size, and would become full of incomplete and obsolete entries for computers that are not in use if it was allowed to grow without check.
* The arp cache is therefore periodically flushed of all entries.
* This deletes unused entries and frees space in the cache.
* It also removes any unsuccessful attempts to contact computers which are not currently running.
* The arp request message ("who is X.X.X.X tell Y.Y.Y.Y", where X.X.X.X and Y.Y.Y.Y are IP addresses) is sent using the Ethernet broadcast address, and an Ethernet protocol type of value 0x806. Since it is broadcast, it is received by all systems in the same collision domain (LAN). This is ensures that is the target of the query is connected to the network, it will receive a copy of the query. Only this system responds. The other systems discard the packet silently.

GRATUITOUS ARP:
* Gratuitous ARP is used when a node (end system) has selected an IP address and then wishes to defend its chosen address on the local area network (i.e. to check no other node is using the same IP address). It can also be used to force a common view of the node's IP address (e.g. after the IP address has changed).
* Use of this is common when an interface is first configured, as the node attempts to clear out any stale caches that might be present on other hosts. The node simply sends an arp request for itself.


STATIC ARP:
* We can manually map an Ip address to a specific IP address.
* In switch (conf)#arp <ip address> <mac address> ARPA
* Then, we can see in ARP table using #show arp
* Note: if we don’t see the mapping, it is because the switch thinks the Ip address is in different subnet. So, we can use #ip address <ip address>/24 and then try the above show command

PROXY ARP:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html
* Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine.
* Proxy ARP is the name given when a node responds to an arp request on behalf of another node. This is commonly used to redirect traffic sent to one IP address to another system.
* Proxy ARP works when the hosts are not configured with a default gateway.
* Thus, if A has to send packet to another Ip address on a different network (or different subnet also)

REVERSE ARP:
* Reverse ARP (RARP) as defined by RFC 903 works the same way as the Address Resolution Protocol (ARP), except that the RARP request packet requests an IP address instead of a media access control (MAC) address.
* RARP often is used by diskless workstations because this type of device has no way to store IP addresses to use when they boot. The only address that is known is the MAC address because it is burned in to the hardware.
* RARP requires a RARP server on the same network segment as the device interface. The figure below illustrates how RARP works.

* Because of the limitations with RARP, most businesses use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses dynamically. DHCP is cost-effective and requires less maintenance than RARP. The most important limitations with RARP are as follows:
* Because RARP uses hardware addresses, if the internetwork is large with many physical networks, a RARP server must be on every segment with an additional server for redundancy. Maintaining two servers for every segment is costly.
* Each server must be configured with a table of static mappings between the hardware addresses and the IP addresses. Maintenance of the IP addresses is difficult.
* RARP only provides IP addresses of the hosts but not subnet masks or default gateways.


UNICAST ARP REQUEST:
* As per RFC 1122: Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.
* This is one of four mechanism to timeout the stale ARP entries.
Posted by at No comments:
Labels: , ,

Tuesday 29 May 2018

SVI (Switch Virtual Interface)


  • It is used for Inter-Vlan routing
  • Using SVI, without using a router, we can route packets to different networks and vlans

  • Traditionally, switches send traffic only to hosts within the same broadcast domain (Single VLAN) and routers handled traffic between different broadcast domains (Different VLANs). This meant that network devices in different broadcast domains could not communicate without a router.
  • With SVIs the switch will use virtual Layer 3 interface to route traffic to other Layer 3 interface thus eliminating the need for a physical router.
  • VLANs reduce the load on a network by dividing a LAN into smaller segments and keeping local traffic within a VLAN. However, because each VLAN has its own domain, a mechanism is needed for VLANs to pass data to other VLANs without passing the data through a router.
  • The solution is to use switched virtual interface – SVI.


Posted by at 1 comment:
Labels: ,
Subscribe to: Posts (Atom)