Tuesday, January 8, 2013

STP Rules


Rules of Operation

This section lists rules for how STP works. When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis.
As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process.
Note: Remember that one root switch is identified per-VLAN. After the root switch identification, the switches adhere to these rules:
  • STP Rule 1—All ports of the root switch must be in forwarding mode.
    Note: In some corner cases, which involve self-looped ports, there is an exception to this rule.
    Next, each switch determines the best path to get to the root. The switches determine this path by a comparison of the information in all the BPDUs that the switches receive on all ports. The switch uses the port with the least amount of information in the BPDU in order to get to the root switch; the port with the least amount of information in the BPDU is the root port. After a switch determines the root port, the switch proceeds to rule 2.

  • STP Rule 2—The root port must be set to forwarding mode.
    In addition, the switches on each LAN segment communicate with each other to determine which switch is best to use in order to move data from that segment to the root bridge. This switch is called the designated switch.

  • STP Rule 3—In a single LAN segment, the port of the designated switch that connects to that LAN segment must be placed in forwarding mode.

  • STP Rule 4—All the other ports in all the switches (VLAN-specific) must be placed in blocking mode. The rule only applies to ports that connect to other bridges or switches. STP does not affect ports that connect to workstations or PCs. These ports remain in forwarding mode.

    Note: The addition or removal of VLANs when STP runs in per-VLAN spanning tree (PVST / PVST+) mode triggers a spanning tree recalculation for that VLAN instance, and traffic is disrupted only for that VLAN. The other VLANs on the trunk link can forward traffic normally. The addition or removal of VLANs from an existing Multiple Spanning Tree (MST) instance triggers a spanning tree recalculation for that instance, and traffic is disrupted for all the VLANs in that MST instance.
Note: By default, spanning tree runs on every port. The spanning tree feature cannot be turned off on a per-port basis. Although it is not recommended, you can turn off STP on a per-VLAN basis, or globally on the switch. Take extreme care whenever you disable spanning tree, because doing so can create Layer 2 loops within the network.
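As an added example (not part of the original text), this Python simulation applies the four rules above to a constructed three-switch triangle: the lowest bridge ID wins the election, each non-root switch picks its root port, each segment elects a designated switch, and every remaining port blocks. Switch names, ports and costs are constructed, the port-ID tie-break is omitted, and re-running it with a lower-priority switch added shows how the root moves, which is the behaviour root guard is deployed to contain.

```python
import heapq
from collections import defaultdict

def elect_root(bridge_ids):
    """The switch with the lowest bridge ID (priority, MAC) in the network wins."""
    return min(bridge_ids, key=bridge_ids.get)

def stp_port_roles(bridge_ids, links):
    """Apply STP rules 1-4; returns (root, {(switch, port): "forwarding"|"blocking"}).
    bridge_ids: {switch: (priority, mac)}; links: [(sw_a, port_a, sw_b, port_b, cost)], one
    LAN segment each. Assumes a connected topology with positive costs; no port-ID tie-break."""
    root = elect_root(bridge_ids)
    adj = defaultdict(list)                          # switch -> [(nbr, nbr_port, cost)]
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pb, cost))
        adj[b].append((a, pa, cost))
    # Best BPDU each switch has received: (root path cost, sender bridge ID, root port).
    best = {root: (0, bridge_ids[root], None)}
    heap = [(0, bridge_ids[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue                                 # stale heap entry
        for nbr, nbr_port, link_cost in adj[sw]:
            cand = (cost + link_cost, bridge_ids[sw])
            if nbr not in best or cand < best[nbr][:2]:
                best[nbr] = (cand[0], cand[1], nbr_port)   # nbr's root port (Rule 2)
                heapq.heappush(heap, (cand[0], bridge_ids[nbr], nbr))
    def priority(sw):                                # lower wins the segment
        return best[sw][0], bridge_ids[sw]
    roles = {}
    for a, pa, b, pb, _ in links:
        # Rule 3: the switch with the lower (root path cost, bridge ID) is designated
        # for the segment; the root (cost 0, lowest ID) wins every segment (Rule 1).
        roles[(a, pa) if priority(a) < priority(b) else (b, pb)] = "forwarding"
        roles.setdefault((a, pa), "blocking")        # Rule 4: all other ports block
        roles.setdefault((b, pb), "blocking")
    for sw, (_, _, root_port) in best.items():
        if root_port is not None:
            roles[(sw, root_port)] = "forwarding"    # Rule 2: root ports forward
    return root, roles

# Constructed sample: three switches in a triangle with equal priorities, so the
# lowest MAC (A) becomes root and one port on the B-C segment has to block.
BRIDGE_IDS = {"A": (32768, "00:00:00:00:00:0a"), "B": (32768, "00:00:00:00:00:0b"),
              "C": (32768, "00:00:00:00:00:0c")}
LINKS = [("A", "fa0/1", "B", "fa0/1", 19), ("A", "fa0/2", "C", "fa0/1", 19),
         ("B", "fa0/2", "C", "fa0/2", 19)]
```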

Cisco Catalyst Fixed Configuration Layer 2 and Layer 3 Switches


Introduction

This document describes the password recovery procedure for the Cisco Catalyst Layer 2 fixed configuration switches 2900XL/3500XL, 2940, 2950/2955, 2960, and 2970 Series, as well as the Cisco Catalyst Layer 3 fixed configuration switches 3550, 3560, and 3750 Series.

Step-by-Step Procedure

Follow the password recovery procedure below.
1. Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch.
   Use the following terminal settings:
   o Bits per second (baud): 9600
   o Data bits: 8
   o Parity: None
   o Stop bits: 1
   o Flow Control: Xon/Xoff

At the switch prompt, type en to enter enable mode.

Switch>en
Switch#

Type rename flash:config.old flash:config.text to rename the configuration file with its original name.

Switch#rename flash:config.old flash:config.text
Destination filename [config.text]
!--- Press Return or Enter.
Switch#

Copy the configuration file into memory.

Switch#copy flash:config.text system:running-config
Destination filename [running-config]?
!--- Press Return or Enter.
1131 bytes copied in 0.760 secs
Sw1#
The configuration file is now reloaded. Overwrite the current passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character.
Note: Overwrite only the passwords that are necessary; you need not overwrite all of the passwords listed here.
Sw1#conf t
!--- To overwrite the existing secret password
Sw1(config)#enable secret 
!--- To overwrite the existing enable password
Sw1(config)#enable password 
!--- To overwrite the existing vty password
Sw1(config)#line vty 0 15
Sw1(config-line)#password 
Sw1(config-line)#login
!--- To overwrite the existing console password
Sw1(config-line)#line con 0
Sw1(config-line)#password 

Write the running configuration to the configuration file with the write memory command.

Sw1#write memory
Building configuration...
[OK]
Sw1#
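As an added check (not part of the original procedure), this Python script audits a Catalyst config.text for the same lines the steps above overwrite: it flags an enable password used without an enable secret, clear-text line passwords, line blocks lacking password or login, and any password that fails the policy stated above. The sample configuration is constructed.

```python
import re

def password_meets_policy(password):
    """Policy from the procedure above: a capital letter, a number and a special character."""
    return all(re.search(p, password) for p in (r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def audit_password_config(config_text):
    """Return findings for the password lines that a recovery typically rewrites."""
    findings, section, lines_seen = [], None, {}  # lines_seen: "vty 0 15" -> {password, login}
    has_secret = has_encryption = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("line "):
            section = line[5:]
            lines_seen[section] = {"password": False, "login": False}
            continue
        if not raw[0].isspace():
            section = None                         # back at global configuration
        words = line.split()
        if section and words[0] == "login":
            lines_seen[section]["login"] = True
        elif section and words[0] == "password":   # 'password [0|7] <string>'
            lines_seen[section]["password"] = True
            if words[1:2] != ["7"] and not password_meets_policy(words[-1]):
                findings.append(f"line {section}: password {words[-1]!r} does not meet the policy")
        elif words[:2] == ["enable", "secret"]:
            has_secret = True
        elif words[:2] == ["enable", "password"]:
            if words[2:3] != ["7"] and not password_meets_policy(words[-1]):
                findings.append(f"enable password {words[-1]!r} does not meet the policy")
        elif line == "service password-encryption":
            has_encryption = True
    if not has_secret:
        findings.append("no 'enable secret': an 'enable password' is stored in clear text or reversible type 7")
    if not has_encryption:
        findings.append("'service password-encryption' is off: line passwords are stored in clear text")
    for name, seen in lines_seen.items():
        if not (seen["password"] and seen["login"]):
            findings.append(f"line {name}: needs both 'password' and 'login' to prompt for a password")
    return findings

# Constructed config.text (not from the page) carrying several of the weaknesses above.
SAMPLE_CONFIG = ("enable password cisco\n!\nline con 0\n password console1\n"
                 "line vty 0 15\n password Vty#2013\n login\n")
```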
 

Monday, January 7, 2013

Configuring Isolated Private VLANs on Catalyst Switches


Network Diagram

This document uses this network setup:
[Network diagram: 194-a.gif]
In this scenario, the devices in the isolated VLAN ("101") have a restriction from communication at Layer 2 with one another. However, the devices can connect to the Internet. In addition, port "Gig 3/26" on the 4006 has the promiscuous designation. This optional configuration allows a device on GigabitEthernet 3/26 to connect to all devices in the isolated VLAN. This configuration also allows, for example, the backup of the data from all the PVLAN host devices to an administration workstation. Other uses for promiscuous ports include connection to an external router, LocalDirector, network management device, and other devices.

Configure the Primary and Isolated VLANs

Perform these steps to create the primary and secondary VLANs, as well as to bind the various ports to these VLANs. The steps include examples for both CatOS and Cisco IOS Software. Issue the appropriate command set for your OS installation.
  1. Create the primary PVLAN.
    • CatOS
      Switch_CatOS> (enable) set vlan primary_vlan_id pvlan-type primary name primary_vlan
      !--- Note: This command should be on one line.
      VTP advertisements transmitting temporarily stopped,
      and will resume after the command finishes.
      Vlan 100 configuration successful
    • Cisco IOS Software
      Switch_IOS(config)#vlan primary_vlan_id
      Switch_IOS(config-vlan)#private-vlan primary
      Switch_IOS(config-vlan)#name primary-vlan
      Switch_IOS(config-vlan)#exit
  2. Create the isolated VLAN or VLANs.
    • CatOS
      Switch_CatOS> (enable) set vlan secondary_vlan_id pvlan-type isolated name isolated_pvlan
      !--- Note: This command should be on one line.
      VTP advertisements transmitting temporarily stopped,
      and will resume after the command finishes.
      Vlan 101 configuration successful
    • Cisco IOS Software
      Switch_IOS(config)#vlan secondary_vlan_id
      Switch_IOS(config-vlan)#private-vlan isolated
      Switch_IOS(config-vlan)#name isolated_pvlan
      Switch_IOS(config-vlan)#exit
  3. Bind the isolated VLAN/VLANs to the primary VLAN.
    • CatOS
      Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id
      Vlan 101 configuration successful
      Successfully set association between 100 and 101.
    • Cisco IOS Software
      Switch_IOS(config)#vlan primary_vlan_id
      Switch_IOS(config-vlan)#private-vlan association secondary_vlan_id
      Switch_IOS(config-vlan)#exit
  4. Verify the private VLAN configuration.
    • CatOS
      Switch_CatOS> (enable) show pvlan
      Primary Secondary Secondary-Type   Ports
      ------- --------- ---------------- ------------
      100     101       isolated
    • Cisco IOS Software
      Switch_IOS#show vlan private-vlan
      Primary  Secondary  Type              Ports
      -------- ---------- ----------------- -------
      100      101        isolated

Assign Ports to the PVLANs

Tip: Before you implement this procedure, issue the show pvlan capability mod/port command (for CatOS) to determine if a port can become a PVLAN port.
Note: Before you perform Step 1 of this procedure, issue the switchport command in interface configuration mode to configure the port as a Layer 2 switched interface.
  1. Configure the host ports on all the appropriate switches.
    • CatOS
      Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id mod/port
      !--- Note: This command should be on one line.
      Successfully set the following ports to Private Vlan 100,101: 2/20
    • Cisco IOS Software
      Switch_IOS(config)#interface gigabitEthernet mod/port
      Switch_IOS(config-if)#switchport private-vlan host primary_vlan_id secondary_vlan_id
      !--- Note: This command should be on one line.
      Switch_IOS(config-if)#switchport mode private-vlan host
      Switch_IOS(config-if)#exit
  2. Configure the promiscuous port on one of the switches.
    • CatOS
      Switch_CatOS> (enable) set pvlan mapping primary_vlan_id secondary_vlan_id mod/port
      !--- Note: This command should be on one line.
      Successfully set mapping between 100 and 101 on 3/26
      Note: For Catalyst 6500/6000 when the Supervisor Engine runs CatOS as the system software, the MSFC port on the Supervisor Engine (15/1 or 16/1) should be promiscuous if you wish to Layer 3 switch between the VLANs.
    • Cisco IOS Software
      Switch_IOS(config)#interface interface_type mod/port
      Switch_IOS(config-if)#switchport private-vlan mapping primary_vlan_id secondary_vlan_id
      !--- Note: This command should be on one line.
      Switch_IOS(config-if)#switchport mode private-vlan promiscuous
      Switch_IOS(config-if)#end
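An added example (not part of the original document) that checks a running-config for the two-command pattern shown in the steps above: each private-VLAN port needs both its VLAN binding and the switchport mode private-vlan command, and every secondary VLAN it names must be associated with the primary. It accepts the switchport private-vlan host form used here as well as the host-association keyword of newer IOS releases (assumed to take the same arguments); the sample configuration is constructed.

```python
import re

def parse_blocks(config):
    """Group indented lines under the top-level command above them."""
    blocks = []
    for line in (l for l in config.splitlines() if l.strip() and l.strip() != "!"):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

# The page's 'host' form plus newer IOS 'host-association' (assumed to take the same arguments).
BINDING = re.compile(r"switchport private-vlan (host-association|host|mapping) (\d+) ([\d,]+)")

def audit_pvlan_config(config):
    """Findings for PVLAN ports with an incomplete two-command setup or an unbound secondary."""
    findings, associations, blocks = [], {}, parse_blocks(config)   # primary -> {secondaries}
    for head, body in blocks:
        if head.startswith("vlan "):
            for cmd in body:
                m = re.match(r"private-vlan association (?:add )?([\d,]+)", cmd)
                if m:
                    associations.setdefault(head.split()[1], set()).update(m.group(1).split(","))
    for head, body in blocks:
        if not head.startswith("interface "):
            continue
        ifname = head.split(None, 1)[1]
        mode = next((c.split()[-1] for c in body if c.startswith("switchport mode private-vlan")), None)
        binding = next(filter(None, map(BINDING.match, body)), None)
        if binding is None:
            continue
        kind, primary, secondaries = binding.group(1), binding.group(2), set(binding.group(3).split(","))
        expected = "promiscuous" if kind == "mapping" else "host"
        if mode is None:   # without the mode command the port is not yet a private-VLAN port
            findings.append(f"{ifname}: VLAN binding present but 'switchport mode private-vlan {expected}' is missing")
        elif mode != expected:
            findings.append(f"{ifname}: '{kind}' binding needs mode {expected}, found {mode}")
        missing = sorted(secondaries - associations.get(primary, set()))
        if missing:
            findings.append(f"{ifname}: secondary VLAN(s) {missing} not associated with primary {primary}")
    return findings

# Constructed running-config (not from the page): Gi2/21 lacks the mode command and
# Gi2/22 names a secondary VLAN that was never associated with primary 100.
SAMPLE_CONFIG = "\n".join([
    "vlan 100", " private-vlan primary", " private-vlan association 101",
    "vlan 101", " private-vlan isolated",
    "interface GigabitEthernet3/26", " switchport private-vlan mapping 100 101",
    " switchport mode private-vlan promiscuous",
    "interface GigabitEthernet2/21", " switchport private-vlan host 100 101",
    "interface GigabitEthernet2/22", " switchport private-vlan host 100 102",
    " switchport mode private-vlan host"])
```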
      

How to create VLAN trunk link and native VLAN


[Figure: Native VLAN]
The above picture shows that the trunk link is connected to port fa0/24 on both switches. To configure the trunk link, open a console connection to Switch 1 and enter the commands as shown below.
chennaiinfoteam.sw01>enable
chennaiinfoteam.sw01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
chennaiinfoteam.sw01(config)#interface fa0/24
chennaiinfoteam.sw01(config-if)#switchport mode trunk
chennaiinfoteam.sw01(config-if)#switchport trunk native vlan 10
chennaiinfoteam.sw01(config-if)#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (10), with
chennaiinfoteam.sw02 FastEthernet0/24 (1).
chennaiinfoteam.sw01(config-if)#exit
chennaiinfoteam.sw01(config)#exit
chennaiinfoteam.sw01#
The CDP message "%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (10), with chennaiinfoteam.sw02 FastEthernet0/24 (1)." shows that the native VLAN on the other side of the trunk is different from the one we configured here.
To configure the trunk link and native VLAN on Switch 2, open a console connection to Switch 2 and enter the commands as shown below.
chennaiinfoteam.sw02>enable
chennaiinfoteam.sw02#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
chennaiinfoteam.sw02(config)#interface fa0/24
chennaiinfoteam.sw02(config-if)#switchport mode trunk
chennaiinfoteam.sw02(config-if)#switchport trunk native vlan 10
chennaiinfoteam.sw02(config-if)#exit
chennaiinfoteam.sw02(config)#exit
chennaiinfoteam.sw02#
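An added example (not from the post) that turns the console message above into a check: it parses %CDP-4-NATIVE_VLAN_MISMATCH lines out of syslog and compares the native VLAN configured on both ends of the trunk, treating an unset value as the IOS default of VLAN 1. The switch configurations are constructed to mirror the two sessions before and after Switch 2 is configured.

```python
import re

MISMATCH = re.compile(r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) "
                      r"\((\d+)\), with (\S+) (\S+) \((\d+)\)")

def parse_native_mismatches(syslog):
    """Return (local_port, local_vlan, peer, peer_port, peer_vlan) for each CDP mismatch
    message; console output wraps the message over two lines, so lines are joined first."""
    text = re.sub(r"\s*\n\s*", " ", syslog)
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5)))
            for m in MISMATCH.finditer(text)]

def native_vlan(config, interface):
    """Native VLAN of an interface in a running-config; IOS defaults to VLAN 1 when unset."""
    in_block, vlan = False, 1
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_block = line.split(None, 1)[1].lower() == interface.lower()
        elif not raw[:1].isspace():
            in_block = False                       # left the interface block
        elif in_block:
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                vlan = int(m.group(1))
    return vlan

def trunk_native_consistent(config_a, port_a, config_b, port_b):
    """True when both ends of the trunk agree on the native VLAN."""
    return native_vlan(config_a, port_a) == native_vlan(config_b, port_b)

# Constructed inputs modelled on the session above: the log line is the page's own message,
# the configs are what each switch's running-config would hold before and after Switch 2 is set up.
SYSLOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (10), with\n"
          "chennaiinfoteam.sw02 FastEthernet0/24 (1).\n")
SW01 = "interface FastEthernet0/24\n switchport mode trunk\n switchport trunk native vlan 10\n"
SW02_BEFORE = "interface FastEthernet0/24\n switchport mode trunk\n"
SW02_AFTER = SW02_BEFORE + " switchport trunk native vlan 10\n"
```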