1.1.2. Messages:
Hello: used to detect neighbors, sent every 5 sec by default; after three Hellos (15 sec) without response, the neighbor is considered down. The Hello message is sent to the multicast address 224.0.0.10.
Update: the update message is also sent to the multicast address; an update to a new neighbor is sent in unicast.
1.1.3. Metric:
K1: bandwidth
K2 & K4: reliability
K3: delay
K5: load
These K parameters can take the value 0 or 1.
$BW' = \frac{10^7}{BW}$
$Metric = [Lowest\ BW' + all\ link\ delay]$
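To make the metric concrete, here is an added example (not code from the notes) that computes the EIGRP composite metric with the standard Cisco formula. It uses the K values above with their defaults (K1 = K3 = 1, K2 = K4 = K5 = 0), the lowest bandwidth along the path in kbit/s and the sum of the interface delays in microseconds; the x256 scaling and the delay/10 term are Cisco's standard scaling, which the shorthand formula above leaves out. The link values (a T1 at 1544 kbit/s, FastEthernet at 100000 kbit/s) are constructed sample inputs.

```python
"""EIGRP composite metric (added example; standard Cisco formula, not the notes' code)."""


def scaled_bandwidth(min_bw_kbps: int) -> int:
    """BW' = 10^7 / lowest bandwidth on the path (kbit/s), truncated like IOS does."""
    return 10**7 // min_bw_kbps


def scaled_delay(total_delay_usec: int) -> int:
    """Delay term: total path delay expressed in tens of microseconds."""
    return total_delay_usec // 10


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int, load: int = 1,
                 reliability: int = 255, k=(1, 0, 1, 0, 0)) -> int:
    """Composite metric: 256 * ([K1*BW + K2*BW/(256-load) + K3*delay] * [K5/(rel+K4)]).

    When K5 is 0 the reliability factor is not applied (the default case).
    """
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(min_bw_kbps)
    dly = scaled_delay(total_delay_usec)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links) -> int:
    """links: [(bandwidth_kbps, delay_usec), ...] per hop; lowest BW and summed delay count."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return eigrp_metric(min_bw, total_delay)


def best_path(paths):
    """paths: {name: links}; returns (name, metric) of the lowest-metric path."""
    return min(((name, path_metric(links)) for name, links in paths.items()),
               key=lambda item: item[1])


# Constructed sample: a FastEthernet hop (100 Mbit/s, 100 us) followed by a T1
# (1544 kbit/s, 20000 us) versus two FastEthernet hops.
SAMPLE_PATHS = {
    "via-T1": [(100_000, 100), (1_544, 20_000)],
    "via-FE": [(100_000, 100), (100_000, 100)],
}

if __name__ == "__main__":
    for name, links in SAMPLE_PATHS.items():
        print(f"{name}: metric {path_metric(links)}")
    print("best:", best_path(SAMPLE_PATHS))
```

A single T1 link (1544 kbit/s, 20000 us delay) gives 2169856, the value IOS shows for a T1, which is a quick way to check the scaling; the slow link dominates the first path through the lowest-bandwidth term.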
1.1.4. Terminology:
P = passive, meaning the route can be used to send to this network (A = active means it cannot be used, so a query message is ready to be sent).
Set network:
Auto-summary:
Passive interface:
Load balancing:
- Broadcast: needed because Frame Relay is an NBMA network (non-broadcast multi-access).
- Split horizon: this function stops an update from being sent back toward its source (it must be disabled here).
- EIGRP by default uses only 50% of the bandwidth (with 2 routers, 50% / 2 = 25% each); in case of a bandwidth problem, we have to force it to 80% (80% / 2 = 40% each).
Summarization
Configuration of period
Configuration
Summarization
Router stub
Allows an engineer to filter which routes are advertised in EIGRP updates, for these reasons:
- Branch offices only need to communicate with HQ, not with each other.
- Smaller routing table.
- Security.
By ACL
By Prefix-list
By Route-map
R1 (config) # access-list 1 permit 172.16.1.0 0.0.0.255 (the route we want to block)
R1 (config) # route-map NAME_LIST deny 10
R1 (config-route-map) # match ip address 1
R1 (config) # route-map NAME_LIST permit 20
R1 (config-router) # distribute-list route-map NAME_LIST out s0/0/0.1
R1 # show route-map
2. OSPF
2.1. Introduction
2.1.1. Basic Information
- Good for large networks.
- Open standard IGP (interior gateway protocol).
- Routing inside an autonomous system (AS).
- Link-state routing protocol (global view of the topology).
- Fast convergence.
- Does not use a lot of bandwidth, but greedy in RAM and CPU.
- Supports VLSM.
- Not easy to implement.
- Separates the network into zones (areas) to lighten the processing load on routers (all zones must be connected to zone zero); Cisco recommends 50 routers per area.
- Multicast address 224.0.0.5 (for neighbors).
- Uses the Dijkstra algorithm to calculate the best path.
- A router connected between two zones (areas) is called an ABR, area border router (able to summarize routes, distribute routes, and block link information from leaving the zone).
ASBR, autonomous system border router: a router that also runs another routing protocol.
- Addressing must be hierarchical (for summarization between zones).
- AD = 110 (administrative distance).
- Equal-cost load balancing.
- $metric\ (cost) = \frac{10^8}{Bw}$
2.1.2. Messages:
Hello: used to detect neighbors, sent every 10 sec by default; after four (4) Hellos (40 sec) without response, the neighbor is considered to be in the down state. The Hello message is sent to the multicast address 224.0.0.5.
DBD (database description): summary of all the links that the router knows. When a link is missing, it is requested with an LSR.
LSR (link state request): used to ask for more information about a link (answered with an LSA).
LSA (link state advertisement): the response to an LSR; an update containing information about a link.
LSAck: acknowledgment for DBD, LSR, LSA and LSU (not for Hello).
- 1# determination of the router ID
Automatic: the router takes the highest IP address among its loopbacks, otherwise the highest address of a physical interface.
For any change of the OSPF configuration to take effect, the OSPF process must be restarted (Cisco command above).
Used to send Hello packets, and to define on which interfaces the OSPF process must operate.
- 3# sending of Hello messages
For neighboring and creation of the relationship (*hello and dead timers, *network mask, *area ID...).
The starred fields * in step #3 must match for neighboring; if they do not match, the router ignores the Hello message.
- 5# reply to Hello
Already a neighbor: a REPLY is sent, this neighbor's dead timer is reset to 0, end of the process.
Not a neighbor yet: start of a new relationship -> go to step #6.
The router with the highest priority becomes the master, the DR (designated router); if equal, the highest router ID wins. After becoming master, a DBD message is sent to the others (topology); the BDR (backup designated router), the slave, does the same.
LSR and LSU will be sent, with an LSAck between any LSR and LSU message.
- 8# synchronization of neighbors
After the master and slave have synchronized their databases, all information known by the master is known by the slave too.
- Down: we have not received a Hello from the neighbor yet, but we try to reach it.
- Init: we have received a Hello from the neighbor, but our router is not listed in its Neighbors field.
- 2-Way: the relationship is created (our router is listed in the Neighbors field). DR/BDR election if necessary.
- Exchange: exchange of DBD (Database Description).
- Loading: exchange of LSU (Link State Update).
- Full: synchronized databases (between DR/BDR).
To force R1 never to become DR or BDR, nor to participate in the DR/BDR election, set its priority to zero; config below:
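The Hello matching rule of step #3 and the Down / Init / 2-Way states above can be modelled in a few lines. This is an added example, not code from the notes: it checks the starred fields (hello and dead timers, network mask, area ID) before accepting a Hello, restarts the dead timer on every valid Hello, moves a neighbor to Init or 2-Way depending on whether our router ID appears in its Neighbors field, and drops it back to Down when the dead timer runs out. The router IDs, area and mask are constructed sample values; the Exchange, Loading and Full states are not modelled.

```python
"""OSPF Hello handling up to the 2-Way state (added example, constructed values)."""
from dataclasses import dataclass, field


@dataclass
class Hello:
    router_id: str
    area_id: int
    netmask: str
    hello_interval: int
    dead_interval: int
    neighbors: list            # router IDs the sender has already seen on this link


@dataclass
class Interface:
    router_id: str
    area_id: int
    netmask: str
    hello_interval: int = 10   # defaults from the notes
    dead_interval: int = 40
    neighbors: dict = field(default_factory=dict)   # router_id -> {"state", "dead_timer"}


def hello_matches(iface: Interface, hello: Hello) -> bool:
    """The starred fields of step #3 must all match, otherwise the Hello is ignored."""
    return (iface.area_id == hello.area_id
            and iface.netmask == hello.netmask
            and iface.hello_interval == hello.hello_interval
            and iface.dead_interval == hello.dead_interval)


def receive_hello(iface: Interface, hello: Hello):
    """Process one Hello; returns the neighbor's new state, or None when the Hello is ignored."""
    if not hello_matches(iface, hello):
        return None
    nbr = iface.neighbors.setdefault(
        hello.router_id, {"state": "Down", "dead_timer": iface.dead_interval})
    nbr["dead_timer"] = iface.dead_interval       # any valid Hello restarts the dead timer
    if iface.router_id in hello.neighbors:
        if nbr["state"] in ("Down", "Init"):      # it lists us: relationship is created
            nbr["state"] = "2-Way"
    else:
        nbr["state"] = "Init"                     # seen, but it has not listed us yet
    return nbr["state"]


def tick(iface: Interface, seconds: int) -> list:
    """Age the dead timers; returns the neighbors that expired and went back to Down."""
    expired = []
    for rid, nbr in iface.neighbors.items():
        nbr["dead_timer"] -= seconds
        if nbr["dead_timer"] <= 0 and nbr["state"] != "Down":
            nbr["state"] = "Down"
            expired.append(rid)
    return expired


if __name__ == "__main__":
    r1 = Interface("1.1.1.1", area_id=0, netmask="255.255.255.0")
    print(receive_hello(r1, Hello("2.2.2.2", 0, "255.255.255.0", 10, 40, [])))          # Init
    print(receive_hello(r1, Hello("2.2.2.2", 0, "255.255.255.0", 10, 40, ["1.1.1.1"])))  # 2-Way
    print(receive_hello(r1, Hello("3.3.3.3", 1, "255.255.255.0", 10, 40, ["1.1.1.1"])))  # None
    print(tick(r1, 40))                                                                  # ['2.2.2.2']
```

The mismatched-area Hello is the classic reason two routers that can ping each other never become neighbors; checking every starred field before touching the neighbor table is what keeps the state machine honest.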
2.3.3. Summarization
Only on the ABR router: area 20 is the loopback address or the LAN network in this example.
R1 # show ip route
O E2 192.168.0.0/24 [110/20] via 172.16.1.1, 00:00:10, FastEthernet0/0
2.5. OSPF Metric
$Cost = \frac{10^8}{BW\ (kbits)}$
The cost must be configured on each interface: R1 interface S0/0/0 and R2 interface S0/0/0.
Reminder
The ABR does not forward LSA messages (only type 3), but it does distribute the routes.
- Usefulness of zones: confine updates to the zone, reduce the size of the topology to be known.
- All zones must be connected to zone 0.
- Addressing must be hierarchical (for summarization between zones).
- ABR: links several zones (other zones).
- ASBR: injects routes from other routing protocols (a router that runs another routing protocol).
- Type 1 and 2: they allow the routers of a zone to know each other and to build a topological map of the zone.
- Type 3: summary route sent to another area by the ABR (Area Border Router).
- Type 4: makes the ASBR known.
- Type 5: allows the ASBR to distribute external routes into an area.
- Totally stubby area: blocks LSA types 3, 4 and 5 from coming in (external routes and routes of other zones are replaced by a default route).
- Not So Stubby Area: an NSSA is a zone that has an ASBR; LSA types 4 and 5 are replaced by LSA type 7 inside the zone, and converted back to types 4 and 5 on the way out.
- Totally Stubby Not So Stubby Area: same as NSSA, but in a totally stubby area.
Standard Area Configuration
Router (config-router) # area 10 nssa default-information-originate
Router (config-router) # area 10 nssa no-summary
Configuration of type of zones
After the basic configuration of interfaces, the OSPF process and redistribution, create the virtual link like this:
A virtual link is used to connect area 70 to area 0 (when it is not physically connected to area 0).
Now we can see that the external routes are replaced by a default route.
Indeed, it no longer has the redistributed routes (i.e. 172.16.0.0/22). We keep the advantages of stub mode, while allowing the redistribution of routes from inside the area.
R4 will therefore be unable to reach the 172.16.0.0/22 networks. In NSSA mode, R2 does not announce a default route, so we must configure:
On R4:
Here we keep the advantages of Totally Stubby mode (no LSA types 3, 4 and 5), but we have the option to redistribute routes. There is only one command to change.
R2 (config) # router ospf 1
R2 (config-router) # area 40 nssa no-summary
We know multicast messages cannot pass, so OSPF will not be able to establish a neighbor relationship and therefore will not work. To overcome this problem, OSPF is able to operate in 5 different modes.
NBMA is the default mode of OSPF over Frame Relay; an election of DR and BDR is necessary (because it is multi-access), and neighbors are configured manually, because an NBMA network does not allow multicast messages to transit (Hello is transmitted in multicast).
This mode works like NBMA but is more advanced, and it is used to resolve the multicast problem. It proposes to make the link function like point to point.
That avoids DR/BDR election (automatic neighbor detection). In addition, it is used for partial-mesh or star (hub-and-spoke) topologies.
Broadcast
Cisco proprietary. It functions like a LAN. Used for full-mesh topology.
Point to Point
If your network works with multiple routing protocols, mastering redistribution is essential. The goal is for routes to propagate across the entire network, even if it uses multiple routing protocols.
Solutions:
- Distribution list: the principle is very simple, use an ACL to choose the routes to redistribute.
- Prefix list: the prefix list is similar to the distribution list, except that it does not use an ACL. In addition, it is possible to filter according to the subnet mask.
- Route map: the route map is the most complex solution, but also the most complete. It is possible to do many things. Among the possibilities, we can:
- Redistribute or not, depending on the destination of the route
- Choose the metric to announce
- Tag routes to avoid loops
If R1 is an ASBR and it has a default route to the internet, and we want to propagate this route to all areas:
Static route
NHRP (Next Hop Resolution Protocol): used for full-mesh DMVPN.
R1 is a hub (NHS)
For security
R2 is a spoke (branch)
OSPF to EIGRP
EIGRP to OSPF
The subnets keyword: the routes are not summarized when they are redistributed.
Metric-type defines whether the metric must grow after redistribution.
Metric-type 1 means that the metric increases after redistribution (every time a router advertises that route).
Metric-type 2 means that the metric remains the same after redistribution (all routers receiving this route will see a metric of 50).
The distribution list is based on an ACL to decide whether or not to redistribute a route.
The prefix list looks a little like the distribution list. Its operation is relatively simple.
Then, we choose a sequence number, 10. This allows you to create multiple entries in a prefix list. They will be browsed from the lowest sequence number to the highest (a bit like an ACL).
"ge 24 le 32" means that the mask of the redistributed route must be at least 24 and at most 32.
For example:
172.16.20.0/24 -> OK
172.16.20.0/26 -> OK
172.16.20.0/23 -> No
Here is the configuration to apply to R2 and R3; the second entry refuses all the rest:
Route maps are a more advanced solution than the distribution list or the prefix list.
Each entry of a route map has a sequence number. Entries are evaluated from the lowest to the highest sequence number until a match is found.
There is an implicit deny all at the end of the route map.
We will make a route map to control redistribution from EIGRP to OSPF and another one from OSPF to EIGRP. We have created entry number 10 in the route map EIGRP-TO-OSPF:
Entry number 10 applies to the routes leading to the networks captured by the PL_EIGRP-To-OSPF prefix list.
The routes matched by entry 10 of the route map will be redistributed with a metric of 50:
With this second entry, we allow the redistribution of all other routes, with a metric of 100 and type 2:
In the previous article, we saw that it is possible to create a routing loop by doing redistribution. Route tags will prevent this.
- Mutual redistribution: here R2 and R3 both redistribute, which allows the routes to be redistributed back.
- A router (here R5) has two possible routes: a good one (towards R6) and a bad one (the re-redistributed route).
- The re-redistributed route has a lower AD than the good one.
The route tag will allow routers not to redistribute already redistributed routes.
All redistributed routes are now tagged. All that remains is to prevent EIGRP-TO-OSPF from redistributing the routes tagged by OSPF-TO-EIGRP (and vice versa).
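The prefix-list matching with ge/le, the sequence-ordered route-map evaluation with its implicit deny, the set of metric and metric-type, and the tag-based loop prevention described above all fit in one small evaluator. This is an added example in Python, not the notes' IOS configuration: it models a prefix list named like the notes' PL_EIGRP-To-OSPF (172.16.20.0/24 ge 24 le 32, then deny the rest), a route map EIGRP-TO-OSPF whose entry 10 sets metric 50 and whose entry 20 sets metric 100 type 2, plus a deny entry for routes already tagged by OSPF-TO-EIGRP. The sequence numbers of the deny entry and the tag values (10 and 20) are constructed, as are the sample routes.

```python
"""Prefix-list / route-map evaluator for redistribution (added example, constructed values)."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "172.16.20.0/24"
    ge: Optional[int] = None    # minimum prefix length of the route
    le: Optional[int] = None    # maximum prefix length of the route

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        rt = ipaddress.ip_network(route, strict=False)
        if rt.prefixlen < net.prefixlen:
            return False
        # the first <net.prefixlen> bits of the route must equal the entry's prefix
        if rt.supernet(new_prefix=net.prefixlen) != net:
            return False
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = rt.max_prefixlen
        else:
            hi = net.prefixlen   # no ge/le: the length must match exactly
        return lo <= rt.prefixlen <= hi


def prefix_list_permits(entries, route: str) -> bool:
    """Entries are tried from the lowest sequence number; no match means implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class Route:
    prefix: str
    metric: int = 0
    metric_type: int = 1
    tag: int = 0


@dataclass
class RouteMapEntry:
    seq: int
    action: str                                   # "permit" or "deny"
    match_prefix_list: Optional[list] = None      # prefix-list entries, or None = any
    match_tag: Optional[int] = None               # route tag to match, or None = any
    set_values: dict = field(default_factory=dict)


def apply_route_map(entries, route: Route) -> Optional[Route]:
    """First matching entry wins; deny, or no match at all (implicit deny), drops the route."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match_prefix_list is not None and not prefix_list_permits(
                entry.match_prefix_list, route.prefix):
            continue
        if entry.match_tag is not None and route.tag != entry.match_tag:
            continue
        if entry.action == "deny":
            return None
        return replace(route, **entry.set_values)
    return None


# Prefix list as in the notes: the second entry refuses all the rest.
PL_EIGRP_TO_OSPF = [
    PrefixEntry(10, "permit", "172.16.20.0/24", ge=24, le=32),
    PrefixEntry(20, "deny", "0.0.0.0/0", le=32),
]

TAG_EIGRP_TO_OSPF, TAG_OSPF_TO_EIGRP = 10, 20    # constructed tag values

EIGRP_TO_OSPF = [
    # constructed entry: never re-redistribute what OSPF-TO-EIGRP already tagged
    RouteMapEntry(5, "deny", match_tag=TAG_OSPF_TO_EIGRP),
    RouteMapEntry(10, "permit", match_prefix_list=PL_EIGRP_TO_OSPF,
                  set_values={"metric": 50, "tag": TAG_EIGRP_TO_OSPF}),
    RouteMapEntry(20, "permit",
                  set_values={"metric": 100, "metric_type": 2, "tag": TAG_EIGRP_TO_OSPF}),
]

if __name__ == "__main__":
    for r in ("172.16.20.0/24", "172.16.20.0/26", "172.16.20.0/23"):
        print(r, "->", "OK" if prefix_list_permits(PL_EIGRP_TO_OSPF, r) else "No")
    print(apply_route_map(EIGRP_TO_OSPF, Route("172.16.20.0/26")))
    print(apply_route_map(EIGRP_TO_OSPF, Route("10.0.0.0/8", tag=TAG_OSPF_TO_EIGRP)))
```

Putting the tag-deny entry first (lowest sequence number) matters: a route-map stops at the first match, so a tagged route that reached entry 20 would be re-redistributed with a fresh metric, which is exactly the loop the notes describe.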
4.1.5. Modification of AD
AD 90 to 105
The routing protocol used on the internet is BGP, between ASes (Autonomous Systems).
An AS is a set of networks under the same authority. For example, a corporate network is an AS. BGP allows connecting this AS to the internet, and thus to other ASes.
BGP is a path-vector protocol. It is a derivative of the distance-vector type.
BGP uses TCP on port 179. Therefore, TCP is responsible for sending the acknowledgments.
Convergence on a BGP network is very slow. Imagine what would happen on the internet with fast convergence: the slightest change would be immediately replicated around the world! In addition, routing updates are sent only when there is a change, and only what has changed is sent.
5.2. Neighboring
Manual configuration. In BGP it is necessary to give the address of the neighbor in order to establish the connection.
- Routing table:
5.5. Multi-homing:
The principle of multi-homing is to be connected to multiple ISPs, for high availability and load balancing of incoming/outgoing packets.
We have two ISPs and each ISP gives us a default route. However, we cannot favor one ISP or the other depending on the destination network: only load balancing, or keeping one as a backup.
We can also influence the choice of the ISP for incoming packets.
Here, the ISPs send us a partial copy of their routing table; we have the possibility to choose the destination route.
In this case, all ISPs send us their full routing tables; we can choose the best path for outgoing packets. This solution consumes many resources, especially a lot of RAM.
5.6. Configuration
iBGP
It is also possible to set up iBGP relationships (within the same AS). For a BGP relationship, it is advisable to use a loopback IP as the neighbor's IP.
# AS-Path
# Weight
# Local preference
Some networks have redundant links. It can be useful to choose how the routers will exploit these links: load distribution, reaction in case of failure, better performance, etc.
6.1. Theory
Policy-based routing is about influencing the routing of data. We can force the router to send traffic to ISP_1 or ISP_2. Subsequently, we will implement a fault-tolerance system.
Assume that ISP 1 (R4) is the fastest and most reliable. ISP 2 is slower and less reliable.
Here is how to redirect all traffic from customers (employees) to ISP_1; same thing for servers:
Or
How does it work?
It tests the connectivity to the first ISP with a ping, and switches to the second ISP if the first is down. The switchover is automatic.
Frequency 3: means 3 seconds (how often a request is sent; default: 60).
start-time now life forever: the test starts now and never stops.
rtr: response time reporter (track object used to analyze the SLA; we must reference it in the last route-map).
Before:
Now:
10: the weight of the path; the higher the weight, the more the path is favored.
The goal is to add an offset to the metric of a route (offset meaning a time/space interval).
The goal is to modify the metric of a path.
In our lab above, R7 has two paths to reach 172.17.10.0/24 (R7-R9 at 100 Mb/s or R7-R8-R9 at 1 Gb/s). In this case the shortest path is favored, so R7-R9 is the best path because it is the shortest path.
For virtual router A, we select the interface that will be connected to virtual router A.
For virtual router B, we select the interface that will be connected to virtual router B.
After that, we set the routing protocol (eigrp 100) for VRF A, same thing for VRF B.
NB: for this lab you must have a 7200 series router with IOS software release 15.3(3)M.
VRF is one virtual router; by contrast, EVN is more than one.
First, we create two (02) VRFs on R1 (R1.a, R1.b), R0 (R0.a, R0.b) and R2 (R2.a, R2.b).
After that, you must connect router A, R1.a, R0.a, R2.a and A_DC with the VRF technique (yellow routers).
Same thing for router B: R1.b, R0.b, R2.b, B_DC (sky-blue routers).
Trunk configuration on R1, R0 and R2 (the links between R0, R1 and R2).
IPv4        IPv6
Unicast     Unicast: one to one
Multicast   Multicast: one to many
Broadcast   Anycast: one to nearest
Anycast works like multicast: a unique IP address that represents many interfaces.
FFx2::/16: cannot be routed (like 224.0.0.0/24), useful for routing updates
FF02::5: OSPF
FF02::9: RIP
FF02::a: EIGRP
This type of address is valid only for interfaces connected on the same link (that is, without going through a router), e.g. PPP or Ethernet. It is therefore not possible to route a packet with this type of address. This IP must of course be unique. In general, it is auto-configured (a combination of the prefix and the MAC address).
This type of address is no longer used; it was more or less a private IPv6. However, as we said, IPv6 has removed the notion of private/public. So in the end, this type of address is no longer really of interest.
This is the type of address that interests us the most. It is routable on the internet and divided into several parts:
- The first 48 bits correspond to the global prefix. It is assigned to you by your ISP.
- The next 16 bits correspond to the Subnet ID, which allows you to create subnets.
- The last 64 bits represent the interface.
It is therefore simple for an interface to configure this IP automatically. To do so, it retrieves the global prefix with the Subnet ID, then adds the interface ID (calculated from the MAC address).
This is the best technique. It can send traffic in IPv4 or IPv6 depending on the source/destination. Machines use IPv6 to communicate when they can, otherwise they use IPv4.
Therefore, the router works with IPv4 and IPv6 on the same interface (2 addresses on the same interface).
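The 48-bit prefix + 16-bit subnet ID + 64-bit interface ID split, and the "interface ID calculated from the MAC address" used for both the link-local and the global address, can be worked through with the modified EUI-64 procedure (flip the universal/local bit of the first octet, insert FF:FE in the middle). This is an added example, not code from the notes; the prefix 2001:db8:1::/48, subnet ID 0x10 and the MAC 00:0c:29:ab:cd:ef are constructed sample values.

```python
"""Modified EUI-64 interface ID and IPv6 address assembly (added example, constructed values)."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Build the 64-bit interface ID from a 48-bit MAC (accepts aa:bb:.., aa-bb-.. or aabb.ccdd.eeff)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02                      # flip the universal/local bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]   # insert FF:FE in the middle
    return int.from_bytes(iid, "big")


def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 + interface ID: valid on the local link only, never routed."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def global_unicast(global_prefix: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """48-bit ISP prefix | 16-bit subnet ID | 64-bit interface ID."""
    prefix = ipaddress.ip_network(global_prefix)
    if prefix.prefixlen != 48:
        raise ValueError("the global prefix is expected to be a /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    value = int(prefix.network_address) | (subnet_id << 64) | eui64_interface_id(mac)
    return ipaddress.IPv6Address(value)


def subnet_of(address: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The /64 an interface address belongs to (prefix + subnet ID, interface bits cleared)."""
    return ipaddress.ip_network((address, 64), strict=False)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"
    print("link-local :", link_local(mac))
    addr = global_unicast("2001:db8:1::/48", 0x10, mac)
    print("global     :", addr, "in", subnet_of(addr))
```

Because the interface ID is derived from the hardware address, the same host carries the same low 64 bits in every prefix it joins; that is one reason many operating systems now default to randomized interface IDs instead of EUI-64.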
8.4.2. Tunneling
It is used if you are forced to go through an IPv4 network to connect IPv6 networks (or vice versa).
- We talk about "6 to 4" when IPv6 packets go through a tunnel across an IPv4 network.
- We talk about "4 to 6" when IPv4 packets go through a tunnel across an IPv6 network.
8.4.3. NAT-PT (NAT Protocol Translation)
This solution is not to be used if one of the two previous solutions is possible.
The purpose of NAT-PT is to connect an IPv6 network directly to an IPv4 network (or vice versa). The router is responsible for changing the source and destination IPs of the packets.
8.5. Configuration
Network example.
Now, we must configure 2 kinds of address on each interface, link-local and global:
- Global for standard communication.
- Link-local for neighbor discovery, routing protocols and others.
Ping
R1 # ping 2001:12::2
Static route
R1 (config) # ipv6 unicast-routing
R2 (config) # ipv6 unicast-routing
RIPng config
OSPFv3 config
1.1. Overview
Enterprise campus:
This is the most interesting part of this switching journey, and it is divided into 4 parts: access layer, distribution layer, core layer, server farms. In the access and distribution layers we find a separation of functionalities; for example, every building has a specific VLAN.
# Access:
- The access layer is the entry point of the network; it allows users to access the network.
- The switch is a layer 2 switch. Inter-VLAN routing occurs in the distribution and core layers.
- In the access layer, we find these functionalities: Fast and Gigabit Ethernet, VLANs, link aggregation and spanning tree, PoE, port security, QoS.
# Distribution:
- The switch is a layer 3 switch, for routing inter-VLAN traffic in the building (to pass from one VLAN to another, even if the destination is on the same switch).
- Its second role is to relay to the core layer.
- Functionalities: routing, Gigabit and 10 Gigabit Ethernet, high availability, link aggregation, spanning tree, ACLs, QoS.
# Core:
- We find layer 3 switches or routers. It is used for routing between branches, server farms, enterprise edge, etc.
- Functionalities: routing, Gigabit and 10 Gigabit Ethernet, high availability, link aggregation, spanning tree.
# Server farm:
It is like a datacenter.
Hierarchical model:
We can find 03 (three) layers: core, distribution and access. Advantages:
Enterprise Edge:
This part is intended to connect the Enterprise Campus part to the WAN network.
1.2. Layer 3 Switch:
The command ip routing is used to activate routing on the switch.
The layer 3 switch provides a FIB (Forwarding Information Base); forwarding on a layer 3 switch is faster than on a router.
- Configuration of trunk ports between all access switches and the layer 3 switch:
- Assign an IP address to each VLAN interface (SVI) (same thing with VLAN 20 and 30):
Advantages of VLANs:
Grouping users logically allows greater flexibility.
The physical location of the machine then no longer matters.
Reduced costs.
Segmentation.
Types of VLAN:
VLAN per port
VLAN per MAC address
VLAN per IP address
# Access port:
In a real case, a PC wants to connect to the switch with an address in 192.168.1.0/24; according to our addressing plan it belongs to VLAN 10.
First, you must create the VLAN and name it; after that, you assign the VLAN to the port:
S1 (config) # vlan 10
S1 (config-vlan) # name 1st_floor
S1 (config) # interface FastEthernet0/1
S1 (config-if) # switchport access vlan 10
S1 (config-if) # switchport mode access
# Trunk port:
A port connected between switches is named a trunk port; configuration below (config between the L2 & L3 switch):
# Native VLAN:
On a trunk link, the native VLAN is the VLAN into which untagged frames received on the trunk are placed.
- The frames of the native VLAN are sent without a tag on the trunk interface (by default the native VLAN is VLAN 1).
- Best practice: make sure the native VLAN is not used anywhere else. For example, if we choose VLAN 666 to be the native VLAN, it should never be used anywhere else. In this way, an attacker who sends untagged frames on a trunk cannot reach any subnet.
- Also, the native VLAN must be configured on each trunk port.
Function mode:
- The "dynamic auto" and "dynamic desirable" modes aim to negotiate a trunk (by default, a port is in dynamic auto mode).
- DTP (Dynamic Trunking Protocol) is used to negotiate; configuration below:
It is possible to disable DTP negotiation with the command below (for security reasons):
Inter-VLAN routing:
VTP propagates the following parameters: creating a VLAN, editing a VLAN (renaming), and deleting a VLAN.
# Server mode: where you can add, edit or delete VLANs; the config is stored in vlan.dat, after which the VTP server sends a VLAN update to the other switches.
# Client mode: this switch is not able to edit, add or delete a VLAN; it cannot keep the configuration in the file vlan.dat.
# Transparent mode: does not participate in the VTP process; VLANs must be configured manually. (The revision number is zero, and if it was greater than zero before, it becomes zero.)
# Revision number: it corresponds to the VLAN database. When a change happens, the revision number increases (zero at the beginning).
# Domain name: must be the same on all switches in order to exchange updates; same for the password.
Update process:
- The updates are sent automatically when changes happen; also, the updates are sent every 300 sec (summary advertisement). The revision number and domain name are included in this update.
- If the switch has a database whose revision number is greater than or equal to that of the update received, it ignores the update; likewise if the domain is not the same.
- The updates pass only over trunk ports.
- Only VLANs from 1 to 1005 are announced.
VTP Pruning:
VTP pruning prevents broadcasts from propagating to switches that do not have access ports in the VLAN concerned by the broadcast (pruning is Cisco proprietary).
Disadvantage:
- If you accidentally delete a VLAN on the VTP server, the VLAN will be deleted on all switches.
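The update rules above (same domain and password, higher revision wins, transparent mode does not participate) and the disadvantage they create are easy to reproduce in a small simulation. This is an added example, not code from the notes: a server switch deletes a VLAN and its higher revision propagates to a client; then a switch that still carries an old, higher revision number is plugged into the same domain and wipes the client's database, which is why the revision is reset (for instance by switching the mode to transparent and back) before a switch joins a domain. Switch names, the domain "CAMPUS" and the VLAN names are constructed.

```python
"""VTP revision-number behaviour (added example with constructed values)."""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                   # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=dict)    # vlan id -> name


def vtp_summary(sw: VtpSwitch) -> dict:
    """What a switch advertises on its trunk ports: domain, password, revision, database."""
    return {"domain": sw.domain, "password": sw.password,
            "revision": sw.revision, "vlans": dict(sw.vlans)}


def receive_summary(sw: VtpSwitch, adv: dict) -> bool:
    """Apply an advertisement following the notes' rules; True when the database was replaced."""
    if sw.mode == "transparent":
        return False                                   # does not take part in VTP
    if adv["domain"] != sw.domain or adv["password"] != sw.password:
        return False                                   # other domain / bad password: ignored
    if adv["revision"] <= sw.revision:
        return False                                   # our database is as new or newer
    sw.vlans = dict(adv["vlans"])                      # higher revision overwrites everything
    sw.revision = adv["revision"]
    return True


def server_change(sw: VtpSwitch, vlan_id: int, name=None) -> int:
    """Add/rename (name given) or delete (name None) a VLAN on a server; bumps the revision."""
    if sw.mode != "server":
        raise PermissionError(f"{sw.name} is in {sw.mode} mode and cannot edit VLANs")
    if name is None:
        sw.vlans.pop(vlan_id, None)
    else:
        sw.vlans[vlan_id] = name
    sw.revision += 1
    return sw.revision


def reset_revision(sw: VtpSwitch) -> None:
    """Passing through transparent mode (or changing the domain name) brings the revision to 0."""
    sw.revision = 0


def join_domain_scenario():
    """Runs the scenario from the lead-in and returns the client's final VLAN database."""
    server = VtpSwitch("S1", "server", "CAMPUS", revision=5,
                       vlans={10: "1st_floor", 20: "2nd_floor"})
    client = VtpSwitch("S2", "client", "CAMPUS", revision=5,
                       vlans={10: "1st_floor", 20: "2nd_floor"})
    server_change(server, 20, None)                    # admin deletes VLAN 20: revision 6
    receive_summary(client, vtp_summary(server))       # client follows: VLAN 20 gone everywhere
    stale = VtpSwitch("S9", "server", "CAMPUS", revision=9, vlans={})   # old lab switch
    reset_revision(stale)                              # the safe step before connecting it
    receive_summary(client, vtp_summary(stale))        # revision 0: ignored
    return dict(client.vlans)


if __name__ == "__main__":
    print(join_domain_scenario())
```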
Configuration:
S1 # delete flash:vlan.dat
Frame duplication:
Spanning tree will disable the links that can create a loop. It will take care of reactivating them if necessary (in case of failure of another link).
Spanning tree can also share load using the redundant links (VLAN-based distribution).
The switches send BPDU (Bridge Protocol Data Unit) messages to detect loops; the BPDU messages allow discovering the topology and electing the root bridge (the root bridge is, in a way, the leader of the spanning-tree topology). Once the root bridge is elected, every switch tries to find the best path to reach the root bridge, and redundant paths are disabled.
The switches look for the port with the lowest cost to the root bridge, then they disable the other ports.
# BPDU messages: BPDU messages are sent in multicast to the address 01:80:C2:00:00:00.
Configuration BPDU: used to calculate the spanning tree. It contains the ID of the switch that sends the message, the port ID and the cost of the link.
Topology change notification BPDU (TCN): sent by the switch when the topology changes.
BPDU Ack: used to respond to a BPDU TCN.
3.4. Type of ports:
So that the switches find the best way to the root bridge, the criteria are based on the cost of each link. Spanning tree defines a cost depending on the type of link. After that, switches add up the costs of each link to reach the root bridge in order to select the best path (the root port).
Link bandwidth        STP cost   RSTP cost
4 Mbps                250        5000000
10 Mbps               100        2000000
16 Mbps               62         1250000
100 Mbps (fast-eth)   19         200000
1 Gbps (giga-eth)     4          20000
10 Gbps               2          2000
100 Gbps              1          200
1 Tbps                1          20
10 Tbps               1          2
However, why is the port of S1 to S4 blocked and not the port from S4 to S1? Because the BID of the port of S1 is higher than that of the port of S4. So it is blocked, and the port of S4 is designated.
3.6. STP process:
Election of root bridge:
* From the BID in the BPDU message, the lowest BID is the root bridge (BID = priority + MAC address).
* It is possible to select the root bridge by modifying the priority of the switch.
Select the best path (root port):
* The switches add the costs of the links to the root bridge. Other links, which would cause a loop, are blocked.
* A port can take 3 roles: root, designated and blocked.
Select designated port:
* All ports of the root bridge are designated ports.
* The lowest priority or lowest MAC address will hold the designated port.
3.7. PVST (Per-VLAN Spanning Tree):
# At first, the port is in listening mode (state); it sends and receives configuration BPDUs (used to find the root bridge and to choose the role of the port).
# Then the port goes into learning mode (state), learning and filling the MAC address table.
# If everything is okay (after 30 sec), the port goes into forwarding mode or blocking (blocked port role).
To get out of blocking mode you must wait 20 sec. Spanning tree is that slow.
4. Configuration:
4.1. Default configuration:
First, spanning tree is enabled by default; information displayed for VLAN 1.
The root bridge in the topology (lowest priority and lowest MAC address):
S2 # show spanning-tree
VLAN0001
Root ID
this is bridge is the root
Bridge ID
Address 0001.9757.A70E
---------------------------------------------
interface role sts cost prio.nbr type
---------------------------------------------
fa0/1 desg FWD 19 128.1 p2p
fa0/2 desg FWD 19 128.1 p2p
S1 # show spanning-tree
VLAN0001
Root ID
Address 0001.9757.A70E
Bridge ID
Address 000B.BEA0.C3D8
---------------------------------------------
interface role sts cost prio.nbr type
---------------------------------------------
fa0/1 root FWD 19 128.1 p2p
fa0/2 altn BLK 19 128.1 p2p
The port fa0/2 on switch 1 is blocked because the BID of this port is higher than that of fa0/2 on switch 4.
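The three steps of the STP process (root bridge by lowest BID, root port by lowest accumulated cost, designated port by lowest root path cost then lowest BID) and the show spanning-tree outputs above can be reproduced with a small model. This is an added example, not the notes' code: it uses the STP cost table from section 3.4, elects the root, runs Dijkstra from it to get each bridge's root path cost, and assigns root / designated / blocked roles per port. The topology (S2 with the MAC 0001.9757.A70E from the output above, S1 with 000B.BEA0.C3D8, plus a constructed S3 with 0011.2233.4455, all at the default priority 32768, joined in a triangle of FastEthernet links) is constructed so that S2 becomes root and the S1-S3 link is blocked on S3's side.

```python
"""STP root election, root path cost and port roles (added example, constructed topology)."""
import heapq

# Port cost per link bandwidth (Mbit/s), from the notes' table.
STP_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1_000: 4, 10_000: 2,
            100_000: 1, 1_000_000: 1, 10_000_000: 1}
RSTP_COST = {4: 5_000_000, 10: 2_000_000, 16: 1_250_000, 100: 200_000,
             1_000: 20_000, 10_000: 2_000, 100_000: 200, 1_000_000: 20,
             10_000_000: 2}


def bridge_id(priority: int, mac: str):
    """BID = priority + MAC, compared as a tuple: priority first, MAC breaks ties."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges: {name: (priority, mac)}; the lowest BID becomes the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root: str, links: list, cost_table: dict) -> dict:
    """Dijkstra from the root: the cheapest sum of link costs from every bridge to the root."""
    adj = {}
    for a, _, b, _, bw in links:
        adj.setdefault(a, []).append((b, cost_table[bw]))
        adj.setdefault(b, []).append((a, cost_table[bw]))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in adj.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def port_roles(bridges: dict, links: list, cost_table: dict = STP_COST):
    """links: (bridge_a, port_a, bridge_b, port_b, bandwidth_mbps). Returns (root, {(bridge, port): role})."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links, cost_table)
    # Root port: the neighbour offering the lowest root path cost + link cost, then the lowest BID.
    candidates = {}
    for a, pa, b, pb, bw in links:
        for me, my_port, nbr in ((a, pa, b), (b, pb, a)):
            if me != root:
                key = (rpc[nbr] + cost_table[bw], bridge_id(*bridges[nbr]))
                candidates.setdefault(me, []).append((key, my_port))
    root_port = {me: min(cands)[1] for me, cands in candidates.items()}
    roles = {}
    for a, pa, b, pb, bw in links:
        # Designated end of the link: lowest root path cost, then lowest BID.
        designated_end = a if (rpc[a], bridge_id(*bridges[a])) <= (rpc[b], bridge_id(*bridges[b])) else b
        for me, my_port in ((a, pa), (b, pb)):
            if me == root or (me == designated_end and root_port.get(me) != my_port):
                roles[(me, my_port)] = "designated"
            elif root_port.get(me) == my_port:
                roles[(me, my_port)] = "root"
            else:
                roles[(me, my_port)] = "blocked"
    return root, roles


# Constructed topology (S1 and S2 MACs taken from the show output above, S3 invented).
BRIDGES = {"S1": (32768, "000B.BEA0.C3D8"),
           "S2": (32768, "0001.9757.A70E"),
           "S3": (32768, "0011.2233.4455")}
LINKS = [("S1", "fa0/1", "S2", "fa0/1", 100),
         ("S3", "fa0/1", "S2", "fa0/2", 100),
         ("S1", "fa0/2", "S3", "fa0/2", 100)]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

Lowering S1's priority (for example to 4096, as the notes do when choosing the root by priority) makes S1 the root regardless of MAC addresses, which is the intended way to keep a rogue or badly placed switch from winning the election on MAC address alone.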
4.4. Portfast:
Portfast is configured on access ports (ports connected to a PC, hub, server...) and is used to disable spanning tree on these ports. The result: no BPDU message diffusion and no spanning-tree states. Never use it on a trunk port.
s1 (config) # interface fastEthernet 0/3
s1 (config-if) # spanning-tree portfast
4.5. Rapid-PVST
It is Cisco proprietary; RSTP is faster than STP. The timers have been reduced or removed. BPDUs are sent every hello time (2 s by default).
# Port states:
# Port roles:
Root port: the port offering the best path to the root bridge.
Designated port: there must be one and only one designated port per link.
Alternate port: a port blocked by spanning tree, but which can very quickly go into forwarding in case of failure of the primary link.
Edge port: not connected to a switch (Portfast equivalent).
To make spanning tree faster than before, you must implement Rapid-PVST.
Rapid-PVST works like PVST but is faster. You can check it: if you shut down interface fa0/2, the blocked interface will go into forwarding state.
Open-standard spanning-tree protocol that works in the same way as PVST, but with the rapid spanning-tree algorithm. The config of MSTP requires the creation of instances, each instance containing multiple VLANs. A switch will then be the root bridge for an instance, and thus potentially for multiple VLANs.
The previous topology, with the creation of VLAN 10 and VLAN 20 on all switches.
Access ports for VLAN 10: s1 interface fa0/3 and s2 interface fa0/3.
Access ports for VLAN 20: s1 interface fa0/4 and s2 interface fa0/4.
Trunk ports between switches are configured. Also, Rapid-PVST is configured on all switches.
Now, set VLAN 10 primary on s2 and VLAN 20 primary on s3; the configuration looks like:
Check now with the command show spanning-tree => s2 is the root bridge in VLAN 10; s3 is the root bridge in VLAN 20.
4.8.2. BPDU filter: the BPDU filter is used to disable the sending of BPDUs on this port (access port). On the other hand, if a BPDU is received on this same port, the port will again be part of the spanning-tree process (Portfast will also be disabled).
4.8.3. Backbone-fast and uplink-fast: Backbone-fast and Uplink-fast are two features (created by Cisco) that improve spanning-tree convergence time. Configuring these features is unnecessary in Rapid-PVST, RSTP and MSTP, because they are already built in.
By activating Uplink-fast, convergence will be faster in case of failure. If switch S3 fails, S1 will automatically activate its port Fa0/2, because it has kept in mind that it is an alternative path to the root bridge. Convergence will be faster, because it will not be necessary to go through the listening and learning phases. This feature is to be activated on access-level switches. At the distribution and core levels, it can sometimes lead to loops. For safety, the switch priority is increased when Uplink-fast is activated, as is the cost of the ports.
Conversely, Backbone-fast can detect remote failures, that is, failures that occur on remote switches and cause us to no longer reach the root bridge. Upon detection of such a failure, the switch directly moves the port concerned to listening mode, and does not wait for the expiration of the Max Age timer (the time after which the port goes to listening if we no longer receive BPDUs from the root bridge).
In this case, only 20% of the bandwidth of the link can be used to transmit broadcasts. If the threshold is exceeded, all broadcasts will be blocked until the transmission rate drops below 20%. It is possible to do the same for multicast and unicast. To disable the port in case of excess (error-disabled, shutdown):
In this case, broadcast traffic will be blocked if it exceeds 20%, and will only be allowed again if it falls below 15%.
# Hostname:
Router (config) # hostname R1
# Create a password for privileged access (secret is better than password because it is stored encrypted in the configuration file):
Router (config) # enable secret PASSword
Router (config) # enable password PASSword
# For encryption:
Router (config) # service password-encryption
# Disabling DNS lookup avoids blocking the CLI when you enter a wrong command in enable mode.
Router (config) # no ip domain-lookup
# The MOTD banner is displayed at each connection to the equipment (SSH, Telnet, console).
The login banner is displayed when an identifier is requested.
Router (config) # banner motd !banner MOTD!
Router (config) # banner login !banner LOGIN!
# Console access:
Router (config) # line console 0
Router (config-line) # password PASSword
Router (config-line) # login
Router (config-line) # logging synchronous