ICND2 Flashcards
Two VLAN tagging protocols.
ISL- Cisco proprietary
802.1Q - Open IEEE
Static vs Dynamic VLAN
Static- Port is assigned a VLAN
Dynamic- VLAN is assigned according to the MAC address of the device connected to the port, looked up on a VMPS (VLAN Management Policy Server). Rarely used today; 802.1X with a RADIUS-assigned VLAN does the same job with authentication.
What domain is each separate VLAN in?
Broadcast
Hosts in one VLAN cannot reach hosts in another VLAN, by default
A Layer 3 device is needed for inter-VLAN communication (this will be
covered later)
Each VLAN needs its own subnet, for example, VLAN 1 –
192.168.1.0/24, VLAN 2 – 192.168.2.0/24
All hosts in a VLAN should belong to the same subnet
Which VLAN is generally native by default?
VLAN 1
At what point are frames tagged with VLAN ID?
On the trunk port, using the VLAN of the access port the frame came in on.
Tagging happens only on trunk ports, never on access ports. A frame arriving on an access port is untagged; when the switch forwards it out a trunk it inserts the 802.1Q tag carrying that access port's VLAN ID (ISL wraps the whole frame in its own header instead). The switch at the far end of the trunk strips the tag and switches the frame in hardware to the correct access port. The one exception is the native VLAN, whose frames cross the trunk untagged.
Is Native VLAN traffic tagged?
No.
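The tagging rules in the two cards above, as an added example that is not part of the original flashcards. The frames are constructed by hand (not captured): one untagged, one tagged with VLAN 20, and one double-tagged with the native VLAN 1 outside and VLAN 20 inside, which is what a VLAN-hopping attempt looks like on the wire. The destination/source MACs and VLAN numbers are made up.

```python
"""802.1Q tag parsing and the native-VLAN / double-tag case.

Added example, not from the flashcards. Frames are constructed inline.
"""
import struct

TPID_8021Q = 0x8100


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype).

    vlan_ids lists the 802.1Q VIDs outer-to-inner; it is empty for an
    untagged frame, which a trunk port treats as native-VLAN traffic.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    vids = []
    offset = 12                                  # skip dst MAC (6) + src MAC (6)
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != TPID_8021Q:
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)                # low 12 bits of the TCI = VLAN ID
        offset += 4                              # TPID (2) + TCI (2)


def build_frame(vids, payload=b"\x00" * 46, ethertype=0x0800):
    """Build an Ethernet frame tagged with each VID in vids (outer first)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0a0b0c0d0e0f")   # made-up MACs
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def classify(frame: bytes, native_vlan: int):
    """A trunk port's view: untagged -> native VLAN; two tags -> suspicious."""
    vids, _ = parse_vlan_tags(frame)
    if not vids:
        return native_vlan, "untagged (native VLAN)"
    if len(vids) > 1:
        return vids[0], f"double-tagged, inner VLAN {vids[1]} (possible VLAN hopping)"
    return vids[0], "tagged"


if __name__ == "__main__":
    for f in (build_frame([]), build_frame([20]), build_frame([1, 20])):
        print(classify(f, native_vlan=1))
```

The double-tagged case is why the native VLAN matters for security: a switch whose native VLAN equals the outer tag strips that tag when it forwards the frame onto the next trunk, and the next switch then sees only the inner tag and delivers the frame into VLAN 20. Using an unused VLAN as the native VLAN, or tagging the native VLAN, closes that path.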
3 types of switchports?
Access links or ports
Trunk links or ports
Dynamic (this will be discussed shortly)
How many VLANs can be created?
The 802.1Q VLAN ID field is 12 bits, so 4096 values (0 to 4095). VLAN 0 and 4095 are reserved, leaving 4094 usable: 1 to 1005 is the normal range and 1006 to 4094 the extended range.
VLAN 802.1Q trunking commands
Sw(config)#interface FastEthernet 0/1
Sw(config-if)#switchport
Sw(config-if)#switchport trunk encapsulation dot1q
Sw(config-if)#switchport mode trunk
Set the encapsulation before switchport mode trunk on switches that also support ISL: the default encapsulation is "negotiate", and mode trunk is rejected while it is. Switches that only do 802.1Q (e.g. the 2960) do not have the encapsulation command.
5 trunk modes (IOS keyword in parentheses):
- On (switchport mode trunk) – forces the port into permanent trunking mode. The port becomes a trunk even if the connected device does not agree to convert the link into a trunk link.
- Off (switchport mode access) – the link is not used as a trunk link, even if the connected device is set to "trunk."
- Auto (switchport mode dynamic auto) – the port is willing to become a trunk link. If the other device is set to "on" or "desirable," the link becomes a trunk. If both sides are left as "auto," the link never becomes a trunk, as neither side attempts to convert.
- Desirable (switchport mode dynamic desirable) – the port actively tries to convert to a trunk link. If the other device is set to "on," "auto," or "desirable," the link becomes a trunk.
- No-negotiate (switchport nonegotiate) – stops the port from sending DTP frames. It stays in whatever access or trunk mode is configured; the far end must then be configured statically to match.
DTP mode combinations (local -> remote: result)
Auto -> Auto: Access
Auto -> Desirable: Trunk
Auto -> Trunk: Trunk
Auto -> Access: Access
Desirable -> Auto: Trunk
Desirable -> Desirable: Trunk
Desirable -> Trunk: Trunk
Desirable -> Access: Access
Trunk -> Auto: Trunk
Trunk -> Desirable: Trunk
Trunk -> Trunk: Trunk
Trunk -> Access: Limited connectivity
Access -> Auto: Access
Access -> Desirable: Access
Access -> Trunk: Limited connectivity
Access -> Access: Access
"Limited connectivity" means one side sends tagged frames and the other does not understand them, so only native VLAN traffic gets through.
Commands to show trunk/DTP status (administrative vs. operational mode, i.e. auto, desirable, trunk)
show interfaces trunk
or
show interfaces switchport
What file is VLAN info stored in?
VLAN.dat in flash memory.
SwitchA#dir flash:
Signs of duplex mismatches?
Input and CRC errors (and runts) on the full-duplex side; late collisions on the half-duplex side. The link stays up but throughput collapses under load.
755 input errors, 739 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Inter-VLAN routing not working:
Check to ensure that the link between the switches and the routers is set up correctly, and the relevant VLANs
are allowed and not pruned (see VTP pruning). The show interface trunk command will provide the required information. Also, check to ensure that the router’s sub interfaces are configured with correct encapsulation and
VLAN, and the sub interface’s IP address is the default gateway for the hosts.
VLANs cannot be created:
Check whether the VTP mode on the switch is set to "client." VLANs cannot be created if the VTP mode is client. Other factors are the number of VLANs the switch platform allows, and whether the VLAN ID is in the extended range (1006 to 4094), which needs VTP transparent mode (or VTP version 3).
The show vtp status command will provide the information required.
Hosts within the same VLAN cannot reach each other:
It is important that hosts in a VLAN have an IP address that belongs to the same subnet. If the subnet is different, then they will not be able to reach each other. Another factor to consider is whether the hosts are connected to the same switch. If they are not connected to the same switch, then ensure that the trunk
link(s) between the switches is/are working correctly and that the VLAN is not excluded/not pruned from the allowed list. The show interface trunk command will show needed information regarding the trunk link.
Commands to configure a voice VLAN
SW1(config)#interface FastEthernet0/6
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config-if)#switchport voice vlan 10
The PC's traffic in the data VLAN (20) is untagged; the phone learns the voice VLAN (10) via CDP/LLDP and tags its own frames with it.
Command to turn off DTP
switchport nonegotiate
Is DTP still on when you create a trunk port?
Yes. switchport mode trunk still sends DTP frames; turn them off with switchport nonegotiate. Do the same on access ports (switchport mode access plus switchport nonegotiate) so that a host sending its own DTP frames cannot negotiate a trunk and reach every VLAN (switch spoofing). Never leave user-facing ports in dynamic auto or dynamic desirable.
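A check for the exposure described in the DTP cards above, as an added example that is not part of the original flashcards. It parses `show interfaces switchport` output and flags ports that a host's own DTP frames could turn into a trunk, plus configured trunks that still speak DTP. SAMPLE is a constructed excerpt in the layout IOS prints (the field names are real; the port names and VLANs are made up). negotiated_mode() encodes the combination table from the trunk-mode cards.

```python
"""DTP exposure audit over `show interfaces switchport` output.

Added example, not from the flashcards. SAMPLE is constructed.
"""
import re

SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(output: str):
    """One dict per interface, keyed by the field names in the output."""
    ports = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def negotiated_mode(local: str, remote: str) -> str:
    """DTP outcome for two administrative modes: 'trunk', 'access' or 'limited'."""
    modes = (local, remote)
    if "static access" in modes or "access" in modes:
        return "limited" if "trunk" in modes else "access"
    if "trunk" in modes or "dynamic desirable" in modes:
        return "trunk"
    return "access"          # dynamic auto on both ends: nobody asks, no trunk


def audit(ports):
    """Ports an attacker's DTP frames could turn into a trunk, and trunks
    that still send DTP. Returns a list of (port name, finding)."""
    findings = []
    for p in ports:
        mode = p.get("Administrative Mode", "")
        dtp_on = p.get("Negotiation of Trunking", "").lower() == "on"
        if mode.startswith("dynamic"):
            outcome = negotiated_mode(mode, "dynamic desirable")
            findings.append((p["Name"],
                             f"{mode}: a host sending DTP 'desirable' gets a {outcome}; "
                             "use 'switchport mode access' + 'switchport nonegotiate'"))
        elif mode == "trunk" and dtp_on:
            findings.append((p["Name"], "trunk with DTP still on; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for name, why in audit(parse_switchport(SAMPLE)):
        print(name, "-", why)
```

Run it over the real output of `show interfaces switchport` from a switch; only Fa0/2 in the sample passes, because it is both statically access and not negotiating.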
What is native VLAN used for?
Used by the switch to carry specific protocol traffic, like Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), and Dynamic Trunking Protocol (DTP) information. Because native-VLAN frames cross the trunk untagged, a frame with two 802.1Q tags whose outer tag equals the native VLAN is forwarded with only the inner tag left (double-tagging). Set the native VLAN to an unused VLAN that is not any port's access VLAN, and optionally tag it with vlan dot1q tag native.
Commands to change trunk native VLAN (both ends of the trunk must match; otherwise CDP logs a native VLAN mismatch and STP blocks the mismatched VLANs)
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport trunk native vlan <vlan-id>
Turning on VTP
Switch(config)#vtp mode server   (server is the default mode)
Switch(config)#vtp domain in60days
Turning on VTP password
Switch(config)#vtp password Cisco321
Setting device VLAN database password to Cisco321
The password must match on every switch in the domain; it is hashed into the advertisements, so a switch with the same domain name but a different password is ignored.
VTP modes
Server (default)
Client
Transparent
VTP Server
In Server mode, the switch is authorized to create, modify, and delete VLAN
information for the entire VTP domain. Any changes you make to a server
are propagated throughout the whole domain. VLAN configuration is stored
in the VLAN database file “vlan.dat” located on the flash memory.
VTP Client Mode
In Client mode, the switch will receive VTP information and apply any changes, but it does not allow adding, removing, or changing VLAN information on the switch. The client will also send the VTP packet received
out of its trunk ports. Remember that you cannot add a switch port on a VTP client switch to a VLAN that does not exist on the VTP server. VLAN configuration is stored in the VLAN database file “vlan.dat” located on the
flash memory
VTP Transparent Mode
In Transparent mode, the switch forwards received VTP advertisements out of its trunk ports (VTP version 1 only when the domain name matches; version 2 regardless), but it does not apply them. A VTP Transparent mode switch can create, modify, and delete VLANs, but the changes are not propagated to other switches, and its VLAN configuration is saved in both vlan.dat and the running-config. A VTP transparent switch is needed when a switch sitting between a VTP server and client needs a different VLAN database. With VTP version 1 or 2, transparent mode is also required to configure the extended VLAN range (1006 to 4094); VTP version 3 can carry extended VLANs from a server.
How to reset the VTP configuration revision number on a switch
Change the VTP domain name to something else and then back to the original name, or set the switch to transparent mode and then back to server/client. Either resets the revision to 0. Do this on every switch before connecting it to a production VTP domain.
VTP configuration revision number
The configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet (see show vtp status). It is used to determine whether received information is more recent than the switch's current database; every VLAN change on a server increments it.
If a switch with the same domain name (and password) but a higher configuration revision is connected to the network, its VLAN database overwrites every server and client in the domain, even if it is a client and even if its database is almost empty. The VLANs disappear, every access port in a deleted VLAN goes inactive, and the network goes down.
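A simulation of the revision rule in the VTP cards above, as an added example that is not part of the original flashcards. Switch names, the domain and the VLAN sets are made up. It models the one rule that matters operationally: an advertisement with a higher revision overwrites the database on every server and client in the same domain with the same password, whoever sent it; transparent switches ignore it, and renaming the domain resets the revision.

```python
"""VTP revision handling: added simulation, not from the flashcards."""


class VtpSwitch:
    def __init__(self, name, domain, mode="server", vlans=None, revision=0, password=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError(mode)
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans = set(vlans or {1})
        self.revision = revision

    def set_domain(self, domain):
        """Changing the domain name resets the revision to 0 (the reset trick)."""
        self.domain = domain
        self.revision = 0

    def add_vlan(self, vid):
        """Only server and transparent may create VLANs; only a server bumps the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot create VLAN {vid}")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1

    def advertise(self):
        """Summary advertisement: domain, password hash stand-in, revision, VLAN list."""
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement; return True if our database was overwritten."""
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return False                 # other domain or wrong password: ignored
        if self.mode == "transparent":
            return False                 # forwarded on other trunks, never applied
        if adv["revision"] > self.revision:
            self.vlans = set(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False


def propagate(sender, receivers):
    """Flood one advertisement; return the names of switches whose database changed."""
    adv = sender.advertise()
    return [sw.name for sw in receivers if sw.receive(adv)]


def demo():
    core = VtpSwitch("core", "in60days", "server", {1, 10, 20, 30}, revision=12)
    edge = VtpSwitch("edge", "in60days", "client", {1, 10, 20, 30}, revision=12)
    # A lab switch with the same domain name, an empty database and a higher
    # revision is plugged into a trunk: its advertisement wins everywhere.
    lab = VtpSwitch("lab", "in60days", "server", {1}, revision=50)
    wiped = propagate(lab, [core, edge])
    # The safe way to introduce such a switch: reset its revision first.
    lab2 = VtpSwitch("lab2", "in60days", "server", {1}, revision=50)
    lab2.set_domain("scratch")
    lab2.set_domain("in60days")
    safe = propagate(lab2, [core, edge])
    return wiped, core.vlans, safe


if __name__ == "__main__":
    print(demo())
```

After the first propagate() the core switch holds only VLAN 1 at revision 50; the reset lab switch at revision 0 changes nothing.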
STP IEEE
IEEE 802.1D
STP Data units?
BPDU (Bridge Protocol Data Unit). With Cisco PVST+/Rapid PVST+ there is one spanning tree, and so one BPDU stream, per VLAN; on trunks the BPDUs are carried with that VLAN's tag (native VLAN BPDUs are untagged).
How often are STP messages sent?
BPDUs sent every 2 seconds
How many Designated Ports can be on a LAN segment?
One. Every segment has exactly one designated port (the attached port with the lowest root path cost, then lowest bridge ID, then lowest port ID).
- That means if two ports face each other on the same segment and neither is a root port, one must block.
STP Port States. How many? What are they?
Blocking – BPDUs received only (20 seconds)
Listening – BPDUs sent and received (15 seconds)
Learning – Bridging table is built (15 seconds)
Forwarding – Sending/receiving data
Disabled – Administratively down
Port State Movement
- From Initialization to Blocking
- From Blocking to either Listening or Disabled
- From Listening to either Learning or Disabled
- From Learning to either Forwarding or Disabled
- From Forwarding to Disabled
STP timer values
STP timers are used in the process to control convergence:
Hello – 2 seconds (time between each Configuration BPDU)
Forward Delay – 15 seconds (controls durations of Listening/Learning
states)
Max Age – 20 seconds (controls the duration of the Blocking state)
Default convergence time is 30 to 50 seconds.
STP Bridge ID. Composed of what?
Priority (16 bits) + MAC Address (48 bits). With the extended system ID (the default on Catalyst switches) the 16-bit field is a 4-bit priority (multiples of 4096) plus the 12-bit VLAN ID, which is why show spanning-tree prints values such as 32769 for VLAN 1.
Default STP priority
32768
STP priority values multiplier value?
4096
Command to set switch as STP root?
spanning-tree vlan 2 root {primary | secondary}
spanning-tree vlan 2 priority 0
in increment of 4096 starting at 0
Metrics used in calculating STP.
Path cost and bridge priority (with MAC address and port ID as tie-breakers).
Lower is better. Port cost is derived from bandwidth: 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2 (the 802.1D-1998 short values Cisco uses by default).
STP Root Port Election tiebreaker metrics
- Lowest Root Bridge ID
- Lowest Root path cost to Root Bridge
- Lowest sender Bridge ID
- Lowest sender Port ID
STP Root port
The Spanning Tree Root Port is the port that provides the best path, or lowest cost, when the device forwards packets to the Root Bridge. In other words,
the Root Port is the port that receives the best BPDU for the switch, which indicates that it is the shortest path to the Root Bridge in terms of path cost.
The Root Port is elected based on the Root Bridge path cost.
STP Designated Port
Designated Port is a port that points away from the STP Root. This port is the one in which the designated device is attached to the LAN.
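The election walked through in the STP cards above, as an added example that is not part of the original flashcards. Switch names, MAC addresses and link speeds are made up. For one VLAN it computes the root bridge (lowest bridge ID, with the extended system ID), every switch's root path cost, each switch's root port using the tie-breakers in the order the cards list them, and the designated/root/alternate role of both ends of every link. Port costs are the 802.1D-1998 values Cisco uses by default; port priority is assumed to be 128 everywhere, so only the port number is modeled.

```python
"""STP root bridge, root port and designated port election.

Added example, not from the flashcards. Topology is constructed.
"""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> STP cost


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority: int, vlan: int, mac: str):
    """Extended system ID: 4-bit priority (multiple of 4096) + 12-bit VLAN, then MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac_to_int(mac))


def spanning_tree(switches, links, vlan):
    """switches: {name: (priority, mac)}
    links: [(switch_a, port_a, switch_b, port_b, mbps)], ports are numbers.
    Returns (root, root_path_cost, root_port, roles)."""
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)                      # lowest bridge ID wins

    adj = {n: [] for n in switches}                   # name -> (neighbor, own port, nbr port, cost)
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pa, pb, PORT_COST[mbps]))
        adj[b].append((a, pb, pa, PORT_COST[mbps]))

    # Root path cost: cheapest path to the root (Dijkstra over link costs).
    cost = {n: float("inf") for n in switches}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nb, _, _, lc in adj[n]:
            if c + lc < cost[nb]:
                cost[nb] = c + lc
                heapq.heappush(heap, (cost[nb], nb))

    # Root port = port receiving the best BPDU:
    # lowest (neighbor's root path cost + own port cost, neighbor BID, neighbor port ID).
    root_port = {}
    for n in switches:
        if n == root:
            continue
        best = min(adj[n], key=lambda e: (cost[e[0]] + e[3], bid[e[0]], e[2]))
        root_port[n] = best[1]

    # Designated end of each link: lower (root path cost, BID, port ID) wins.
    # The other end is that switch's root port, or an alternate (blocking) port.
    roles = {}
    for a, pa, b, pb, _ in links:
        if (cost[a], bid[a], pa) < (cost[b], bid[b], pb):
            desig, dport, other, oport = a, pa, b, pb
        else:
            desig, dport, other, oport = b, pb, a, pa
        roles[(desig, dport)] = "designated"
        roles[(other, oport)] = "root" if root_port.get(other) == oport else "alternate"
    return root, cost, root_port, roles


# Constructed triangle: SW1-SW2 on gigabit, both links to SW3 on FastEthernet.
SWITCHES = {"SW1": (32768, "0000.1111.1111"),
            "SW2": (32768, "0000.2222.2222"),
            "SW3": (32768, "0000.3333.3333")}
LINKS = [("SW1", 1, "SW2", 1, 1000),
         ("SW1", 2, "SW3", 1, 100),
         ("SW2", 2, "SW3", 2, 100)]

if __name__ == "__main__":
    print(spanning_tree(SWITCHES, LINKS, vlan=1))
    # Effect of `spanning-tree vlan 1 priority 4096` on SW3: it becomes root.
    forced = dict(SWITCHES, SW3=(4096, "0000.3333.3333"))
    print(spanning_tree(forced, LINKS, vlan=1))
```

With all priorities equal, SW1 wins on MAC address; SW3 reaches it directly for 19 rather than via SW2 for 23, so SW3's port 2 ends up alternate (blocking). Lowering SW3's priority to 4096 moves the root and turns SW2's gigabit port into the blocked one, which is the kind of change Root Guard (further down) is meant to stop a rogue switch from forcing.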
Portfast
Port Fast is a feature that is typically enabled only for a port or interface that connects to a host. When the link comes up on this port, the switch skips the first stages of the STA and directly transitions to the Forwarding state.
Generally do when connected to a non-BPDU sending device like a computer.
BPDU guard
The BPDU Guard feature protects the Spanning Tree domain from external influence. BPDU Guard is disabled by default but is recommended for all ports on which Port Fast has been enabled (spanning-tree bpduguard enable on the port, or spanning-tree portfast bpduguard default globally). When a port configured with BPDU Guard receives a BPDU, it immediately transitions to the errdisable state. This prevents a switch plugged into an edge port from injecting BPDUs and becoming root or forming a loop; the port stays down until it is bounced with shutdown / no shutdown or errdisable recovery cause bpduguard re-enables it.
RSTP
IEEE 802.1W
RSTP Port states
RSTP port states map to STP port states as follows:
Disabled – Discarding
Blocking – Discarding
Listening – Discarding
Learning – Learning
Forwarding – Forwarding
RSTP port roles
Root (Forwarding state)
Designated (Forwarding state)
Alternate (Discarding state)
Backup (Discarding state)
RSTP Alternate Port
Non-forwarding port that backs up the root port: it receives better BPDUs from another bridge and provides an alternate path to the root bridge, so it can take over without the Listening/Learning delay.
RSTP Backup Port
Non-forwarding port that backs up a designated port: it receives the bridge's own BPDUs on the same segment (for example two ports into the same hub).
BGP Neighbor syntax
neighbor 1.1.1.1 remote-as 56
OSPF process-id
Only matters locally.
show ip protocols
OSPF router-id
If not set with the router-id command, the highest IP address on any loopback interface; if there is no loopback, the highest IP address on an active physical interface. It is chosen when the process starts and is not re-evaluated until clear ip ospf process or a reload.
HSRP priority. What is best, high or low?
Highest number is best.
Command used to enable 802.1X on a single interface
authentication port-control auto (older IOS: dot1x port-control auto), together with dot1x pae authenticator on the interface and dot1x system-auth-control enabled globally.
Default HSRP value
100
Etherchannel characteristics
EtherChannel can consist of up to eight ports. Physical links in an EtherChannel must share similar characteristics, such as be defined in the same VLAN or have the same speed and duplex settings, for example.
What are the Etherchannel protocols
LACP- Link Aggregation Control Protocol 802.3ad
PAgP- Port Aggregation Protocol
PAgP modes
Auto mode is a PAgP mode that will negotiate with another PAgP port only if the port receives a PAgP packet. When this mode is enabled, the port(s)
will never initiate PAgP communications but will instead listen passively for any received PAgP packets before creating an EtherChannel with the neighboring switch.
Desirable mode is a PAgP mode that causes the port to initiate PAgP negotiation for a channel with another PAgP port. In other words, in this mode, the port actively attempts to establish an EtherChannel with another
switch running PAgP.
Etherchannel Command
show etherchannel summary
BPDU Filter
The BPDU Filter feature has dual functionality. Configured globally (spanning-tree portfast bpdufilter default) it applies to Port Fast ports: the port sends a few BPDUs at link-up and then stops, and if it ever receives a BPDU it loses Port Fast and the filter and behaves as a normal STP port. Configured at interface level (spanning-tree bpdufilter enable) it effectively disables STP on the port by preventing it from sending or receiving any BPDUs, so a loop through that port goes undetected.
Different from BPDU Guard in that Guard still sends BPDUs and errdisables the port when one is received; Filter neither sends nor receives.
Loop Guard
Loop Guard protects against unidirectional links. If a root or alternate (non-designated) port stops receiving BPDUs, it would normally age out the stored information after max age and move to forwarding, creating a loop. With Loop Guard (spanning-tree guard loop on the port, or spanning-tree loopguard default globally) the port is placed in the loop-inconsistent state instead and returns to normal as soon as BPDUs arrive again.
Root Guard
The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which the Root Guard feature is enabled receives a superior BPDU, it moves the port into a root-inconsistent state, thus maintaining the current Root Bridge status quo.
Uplink Fast
The Uplink Fast feature provides faster failover to a redundant link when the primary link fails (i.e., direct failure of the Root Port). The primary purpose
of this feature is to improve the convergence time of STP in the event of a failure of an uplink. This feature is of most use on Access Layer switches with redundant uplinks to the Distribution Layer; hence, the name.
When the Uplink Fast feature is enabled and the root port fails, the blocked backup uplink to the Distribution Layer is moved to Forwarding almost immediately (typically within a few seconds) instead of waiting through the 30 seconds of Listening and Learning. It is a legacy 802.1D feature; RSTP's alternate port role does the same thing natively.
Can you run LACP on one side and PAgP on the other?
No.
LACP has to have half or full duplex?
Full.
Half-duplex ports in an LACP EtherChannel are
placed into the suspended state.
LACP Modes
Active
Passive
LACP Active
LACP active mode places a switch port into an active negotiating state in which the switch port initiates negotiations with remote ports by sending
LACP packets. Active mode is the LACP equivalent of PAgP desirable mode. In other words, in this mode, the switch port actively attempts to establish an EtherChannel with another switch that is also running LACP.
LACP Passive
When a switch port is configured in passive mode, it will negotiate with an LACP channel only if it receives another LACP packet. In passive mode, the
port responds to LACP packets that the interface receives but does not start LACP packet negotiation. This setting minimizes the transmission of LACP
packets. In this mode, the port channel group attaches the interface to the EtherChannel bundle. This mode is similar to the auto mode that is used with PAgP.
How many interfaces can be used with PAgP and LACP etherchannel
PAgP: up to 8 active ports.
LACP: up to 16 ports configured in one channel-group, of which 8 are active; the remaining (lower-priority) ports stay in hot-standby and replace an active link when it fails.
Create etherchannel command
channel-group 1 mode on
on selected interface
Create PAgP Etherchannel
channel-group 1 mode {desirable | auto}
Create LACP Etherchannel
Switch-1(config-if-range)#channel-protocol lacp
Switch-1(config-if-range)#channel-group 1 mode {active | passive}
Etherchannel show command
show etherchannel summary
Switch stacking
Switch stacking enables you to physically connect a number of Cisco switches with special cables so that they logically appear on the network as one switch. This group of switches has a single IP address for management, a single MAC address table, and one instance of STP.
802.1X
The connected device is the supplicant, the switch is the authenticator, and the RADIUS/AAA server is the authentication server. The switch relays the supplicant's EAP credentials to the AAA server, which checks them and returns accept or reject. On accept the switch authorizes the port (optionally placing it in a VLAN returned by the server); until then, and on reject, the port forwards only EAPOL frames, not user traffic to or from the device.
DHCP Snooping
DHCP snooping protects the network from rogue DHCP servers by acting as a firewall between untrusted hosts and DHCP servers. When DHCP snooping is enabled, the switch builds and maintains a DHCP snooping binding table (MAC address, IP address, VLAN, interface, lease) from the DHCP exchanges it sees, and uses it to filter untrusted DHCP messages.
DHCP snooping uses the concept of trusted and untrusted interfaces. Ports toward the real DHCP server or uplinks are marked trusted (ip dhcp snooping trust); all others are untrusted. DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped. Client messages on untrusted ports are dropped when the DHCP client hardware address (chaddr) does not match the frame's source MAC address, or when a RELEASE/DECLINE arrives on a port other than the one recorded in the binding. The binding table is also what Dynamic ARP Inspection and IP Source Guard use to validate ARP replies and IP source addresses on untrusted ports.
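The forwarding decisions described in the DHCP snooping card, as an added example that is not part of the original flashcards. Port names, MAC addresses and IP addresses in the trace are constructed. It models the checks the feature enforces: server messages only on trusted ports, chaddr equal to the source MAC for client messages on untrusted ports, RELEASE/DECLINE only from the port that owns the binding, and the binding table built from ACKs seen on the trusted port.

```python
"""DHCP snooping forwarding decisions: added example, not from the flashcards."""

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    def __init__(self, trusted_ports, vlan=10):
        self.trusted = set(trusted_ports)
        self.vlan = vlan
        self.client_port = {}   # chaddr -> untrusted port the client was last seen on
        self.bindings = {}      # (mac, vlan) -> (ip, port): the DHCP snooping binding table

    def process(self, msg):
        """msg: dict with port, type, src_mac, chaddr and (for ACK) yiaddr.
        Returns 'forward' or a string starting with 'drop:'."""
        port, kind = msg["port"], msg["type"]
        if kind in SERVER_MSGS:
            if port not in self.trusted:
                return "drop: server message on untrusted port (rogue DHCP server)"
            if kind == "ACK" and msg["chaddr"] in self.client_port:
                # Lease granted to a client behind an untrusted port: record the binding.
                self.bindings[(msg["chaddr"], self.vlan)] = (msg["yiaddr"],
                                                             self.client_port[msg["chaddr"]])
            return "forward"
        if kind in CLIENT_MSGS and port not in self.trusted:
            if msg["chaddr"] != msg["src_mac"]:
                return "drop: chaddr does not match source MAC"
            if kind in ("RELEASE", "DECLINE"):
                bound = self.bindings.get((msg["chaddr"], self.vlan))
                if bound and bound[1] != port:
                    return f"drop: {kind} for a binding owned by {bound[1]}"
            self.client_port[msg["chaddr"]] = port
        return "forward"


# Constructed trace: Gi0/1 faces the real DHCP server; Fa0/x are user ports.
TRACE = [
    dict(port="Fa0/3", type="DISCOVER", src_mac="aa:aa:aa:aa:aa:01", chaddr="aa:aa:aa:aa:aa:01"),
    dict(port="Fa0/4", type="OFFER",    src_mac="bb:bb:bb:bb:bb:02", chaddr="aa:aa:aa:aa:aa:01"),
    dict(port="Gi0/1", type="OFFER",    src_mac="cc:cc:cc:cc:cc:03", chaddr="aa:aa:aa:aa:aa:01"),
    dict(port="Fa0/3", type="REQUEST",  src_mac="aa:aa:aa:aa:aa:01", chaddr="aa:aa:aa:aa:aa:01"),
    dict(port="Gi0/1", type="ACK",      src_mac="cc:cc:cc:cc:cc:03", chaddr="aa:aa:aa:aa:aa:01",
         yiaddr="10.0.10.50"),
    # attacker on Fa0/4 requests a lease for someone else's MAC
    dict(port="Fa0/4", type="REQUEST",  src_mac="bb:bb:bb:bb:bb:02", chaddr="aa:aa:aa:aa:aa:01"),
    # attacker on Fa0/5 spoofs the victim's MAC and tries to release its lease
    dict(port="Fa0/5", type="RELEASE",  src_mac="aa:aa:aa:aa:aa:01", chaddr="aa:aa:aa:aa:aa:01"),
]


def run(trace=TRACE, trusted=("Gi0/1",)):
    snoop = DhcpSnooping(trusted)
    return [snoop.process(m) for m in trace], snoop.bindings


if __name__ == "__main__":
    decisions, table = run()
    for m, d in zip(TRACE, decisions):
        print(f"{m['port']:6} {m['type']:9} -> {d}")
    print("bindings:", table)
```

The second message is the rogue server case the card is about; the last two show why the chaddr and binding-port checks matter once a lease exists.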
SVI
Switched virtual interfaces. Used on Layer 3 switch.
SVI command
Switch(config)#interface vlan 10
Switch(config-if)#description “SVI for VLAN 10”
Switch(config-if)#ip address 10.10.10.1 255.255.255.0
Making an access port on a Layer 3 switch
Use the switchport command to turn a routed port into a Layer 2 port, then en
able ip routing globally so the switch routes between its SVIs.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#ip routing
EIGRP Distance Vector or Link State? Open or proprietary?
Distance Vector
Proprietary- Cisco
Result of:
R1(config)#router eigrp 150
R1(config-router)#network 10.1.1.0
R1(config-router)#network 10.3.3.0
Will give network 10.0.0.0
Must add wildcard to get granular
R1(config)#router eigrp 150
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#network 10.3.3.0 0.0.0.255
EIGRP wildcard 0.0.0.0
When configuring EIGRP in production networks, it is common practice to use a wildcard mask of all zeros or a subnet mask of all 1s. For example, the network 10.1.1.1 0.0.0.0 and network 10.1.1.1 255.255.255.255 commands
perform the same actions.
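The network-statement behaviour in the two EIGRP cards above, as an added example that is not part of the original flashcards. Interface names and addresses are made up. It shows why `network 10.1.1.0` with no wildcard enables EIGRP on every 10.x.x.x interface (IOS falls back to the classful mask), how a wildcard narrows that, and why a wildcard of 0.0.0.0 pins exactly one interface address. The 255.255.255.255 form the card mentions is converted by IOS to 0.0.0.0 before matching, so the function below takes wildcards only.

```python
"""EIGRP network-statement matching: added example, not from the flashcards."""
import ipaddress


def classful_prefix(addr: str) -> ipaddress.IPv4Network:
    """Class A/B/C mask from the first octet, as IOS applies without a wildcard."""
    first = int(addr.split(".")[0])
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def eigrp_interfaces(network_cmds, interfaces):
    """network_cmds: [(network, wildcard or None)]; interfaces: {name: ip}.
    Returns the sorted names of interfaces EIGRP would be enabled on."""
    enabled = set()
    for net, wc in network_cmds:
        for name, ip in interfaces.items():
            if wc is None:
                matched = ipaddress.ip_address(ip) in classful_prefix(net)
            else:
                matched = wildcard_match(ip, net, wc)
            if matched:
                enabled.add(name)
    return sorted(enabled)


# Constructed router: three 10.x interfaces and a loopback in 192.168.1.0/24.
IFACES = {"Gi0/0": "10.1.1.1", "Gi0/1": "10.3.3.1", "Gi0/2": "10.9.9.1", "Lo0": "192.168.1.1"}

if __name__ == "__main__":
    print(eigrp_interfaces([("10.1.1.0", None), ("10.3.3.0", None)], IFACES))   # all 10.x
    print(eigrp_interfaces([("10.1.1.0", "0.0.0.255"), ("10.3.3.0", "0.0.0.255")], IFACES))
    print(eigrp_interfaces([("10.1.1.1", "0.0.0.0")], IFACES))                   # only Gi0/0
```

The first call is the surprise in the card: Gi0/2 (10.9.9.1) starts sending EIGRP hellos even though it was never mentioned, which on an untrusted segment invites a rogue neighbor. The wildcard form limits the process to the interfaces you meant.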
BGP port
TCP 179
For HSRP, which part of the MAC address is the GROUP number? 0000.0c07.ac0b
0b
Highest group number is 255
Default serial encapsulation method?
HDLC
802.1x auto
If can’t authorize, no traffic.
How are pap passwords sent?
In cleartext
How does ppp authentication pap chap work?
The methods are tried in the order listed: the router first requests PAP; if the peer refuses PAP, it falls back to CHAP. List chap first (ppp authentication chap pap) if CHAP should be preferred.
OSPF max number of equal cost paths?
4 unless overridden with maximum-paths command
What OSPF things must be the same for adjacency?
Hello interval
Dead interval
Area ID
Also the subnet mask on broadcast/NBMA networks, the authentication type and key, the stub/NSSA area flags, and (for a full adjacency) the interface MTU unless ip ospf mtu-ignore is set.
What algorithm does OSPF use?
When a router has received all the LSAs and built its local link-state database, OSPF uses Dijkstra’s shortest path first (SPF) algorithm to create an SPF tree.
Adding networks to OSPF differences.
Advertising networks
OSPFv2 Configured using the network router configuration command
OSPFv3 Configured using the ipv6 ospf area
interface configuration command
Area Border Router?
An OSPF router with interfaces connected to the backbone area and to at least one other area.
Backbone router?
A router connected to the backbone area (includes ABRs).
Internal router
A router in one area.
Autonomous System Boundary Router (ASBR)
A router that has at least one interface connected to an external network.
An external network is a network that is not part of the routing domain, such as EIGRP, BGP, or one with static routing to the Internet.
Backbone area
A special OSPF area to which all other areas must connect, such as Area 0.
OSPFv3 router ID
Both OSPFv2 and OSPFv3 use a 32-bit router ID written in IPv4 address format. This means that before a router can start an OSPFv3 routing process there must be an IPv4 address it can use, either on an interface or set explicitly with router-id. If there is none, the router logs an error when you enable the process with ipv6 router ospf, and the process stays down until a router-id is configured.
How to enable OSPFv3 on interfaces?
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ipv6 ospf 10 area 0
EIGRP not working
Mismatched EIGRP authentication parameters (if configured)
Mismatched EIGRP K values
Mismatched EIGRP autonomous system number
Using secondary addresses for EIGRP neighbor relationships
The neighbors are not on a common subnet
How is the HSRP active router chosen?
Highest priority wins. If priorities tie, the router with the numerically highest IPv4 address on the HSRP interface becomes active.
What is the default HSRP priority?
100. Preemption is off by default, so a higher-priority router that comes up later does not take over unless standby <group> preempt is configured. Use standby <group> authentication md5 so a host cannot inject higher-priority hellos and become the gateway.
Access list config
R1(config)# access-list 1 permit 172.16.0.0 0.0.255.255
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip access-group 1 out
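How the ACL in the card above is evaluated, as an added example that is not part of the original flashcards. Addresses and the sample packets are made up. It shows top-down first-match processing, the implicit deny at the end of every ACL, wildcard masking, and a check for entries that can never match because an earlier, broader entry shadows them.

```python
"""Standard ACL evaluation: added example, not from the flashcards."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF           # wildcard bit 0 = must match
    return (a & care) == (n & care)


def parse_acl(lines):
    """Parse `access-list <n> <permit|deny> <any | host A | A W>` lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line}")
        action, src = parts[2], parts[3]
        if src == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            net, wc = parts[4], "0.0.0.0"
        else:
            net, wc = src, (parts[4] if len(parts) > 4 else "0.0.0.0")
        entries.append((action, net, wc, line))
    return entries


def evaluate(entries, src_ip):
    """First matching entry wins; no match means the implicit deny."""
    for action, net, wc, line in entries:
        if wildcard_match(src_ip, net, wc):
            return action, line
    return "deny", "implicit deny"


def shadowed(entries):
    """Lines that can never match because an earlier entry covers their whole range."""
    out = []
    for i, (_, net_i, wc_i, line_i) in enumerate(entries):
        w_i = int(ipaddress.ip_address(wc_i))
        for _, net_j, wc_j, _ in entries[:i]:
            w_j = int(ipaddress.ip_address(wc_j))
            # j covers i if every don't-care bit of i is also don't-care in j
            # and i's network address matches j under j's wildcard
            if (w_i & ~w_j) == 0 and wildcard_match(net_i, net_j, wc_j):
                out.append(line_i)
                break
    return out


# Constructed ACL: block one host, allow the rest of 172.16.0.0/16, deny everything else.
ACL = ["access-list 1 deny host 172.16.5.99",
       "access-list 1 permit 172.16.0.0 0.0.255.255"]

if __name__ == "__main__":
    acl = parse_acl(ACL)
    for ip in ("172.16.5.99", "172.16.9.1", "10.1.1.1"):
        print(ip, evaluate(acl, ip))
    print("shadowed when reversed:", shadowed(parse_acl(ACL[::-1])))
```

Order is the usual mistake: with the two lines swapped, the host deny sits below a permit that already covers it and never fires, which shadowed() reports. A standard ACL checks the source only, so as in the card it is applied outbound close to the destination.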
CHAP commands (and PAP)
R1(config)# username R2 password itsasecret
R1(config)# interface serial 0/0/1
R1(config-if)# ppp authentication chap
R2(config)# username R1 password itsasecret
R2(config)# interface serial 0/1/1
R2(config-if)# ppp authentication chap
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up
Notice that each router refers to the other router's hostname in the username command, but both routers must configure the same password value. CHAP needs the cleartext secret to compute its MD5 response, so it must be a username ... password entry (protect it with service password-encryption); a username ... secret entry cannot be used for CHAP.
(for PAP use ppp authentication pap instead, and configure ppp pap sent-username <name> password <pw> on the interface)
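The CHAP exchange configured above, as an added example that is not part of the original flashcards. The hostnames and shared secret match the configuration; the challenge value is random, so packet contents differ between runs. It shows that with CHAP the secret never crosses the link (RFC 1994: the response is MD5 over identifier, secret and challenge), that a PAP request carries it in cleartext, and why both routers need the same secret.

```python
"""PPP CHAP three-way handshake (RFC 1994) vs. PAP: added example, not from the flashcards."""
import hashlib
import hmac
import os


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge-Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request payload: length-prefixed fields, no hashing."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


class Router:
    """Holds one router's `username <peer> password <secret>` table."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = users
        self._pending = {}                     # outstanding challenges by identifier

    def challenge(self, identifier: int = None):
        """Authenticator -> peer: Challenge packet (Identifier, Value, our Name)."""
        identifier = os.urandom(1)[0] if identifier is None else identifier
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value, self.hostname

    def respond(self, identifier: int, value: bytes, challenger: str):
        """Peer -> authenticator: secret is looked up by the challenger's hostname."""
        secret = self.users[challenger]
        return identifier, chap_response_value(identifier, secret, value), self.hostname

    def verify(self, identifier: int, response: bytes, responder: str) -> bool:
        """Authenticator recomputes the hash with the secret stored for that hostname."""
        value = self._pending.pop(identifier)
        expected = chap_response_value(identifier, self.users[responder], value)
        return hmac.compare_digest(expected, response)


def chap_exchange(secret_r1: bytes, secret_r2: bytes) -> bool:
    """R1 authenticates R2 (one direction; the config above enables both)."""
    r1 = Router("R1", {"R2": secret_r1})
    r2 = Router("R2", {"R1": secret_r2})
    ident, value, name = r1.challenge()
    ident, response, peer_name = r2.respond(ident, value, name)
    return r1.verify(ident, response, peer_name)


if __name__ == "__main__":
    print("matching secrets :", chap_exchange(b"itsasecret", b"itsasecret"))
    print("mismatched secret:", chap_exchange(b"itsasecret", b"wrong"))
    print("PAP on the wire  :", pap_request(b"R2", b"itsasecret"))
```

A capture of the CHAP exchange yields only the challenge and a 16-byte digest, but an attacker who has both can brute-force the secret offline, which is why CHAP secrets should be long and random even though they are never sent.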
PPPoE is used on what medium?
Ethernet
Setting up PPPoE (the dialer interface carries PPP; ip mtu 1492 leaves room for the 8-byte PPPoE header inside a 1500-byte Ethernet frame)
R1(config)# interface dialer 5
R1(config-if)# encapsulation ppp
R1(config-if)# ip address negotiated
R1(config-if)# ip mtu 1492
R1(config-if)# dialer pool 5
R1(config-if)# ppp chap hostname customer2222
R1(config-if)# ppp chap password ConnectMe
R1(config-if)# no shutdown
R1(config-if)# interface GigabitEthernet 0/0
R1(config-if)# no ip address
R1(config-if)# pppoe enable
R1(config-if)# pppoe-client dial-pool-number 5
R1(config-if)# no shutdown
R1(config-if)# end
R1# show ip interface brief
GRE Tunneling
Generic routing encapsulation (GRE) is one example of a basic, nonsecure, site-to-site VPN tunneling protocol: it encapsulates but neither encrypts nor authenticates, so anything on the path can read or inject tunnel traffic. Pair it with IPsec (GRE over IPsec) when confidentiality is needed; GRE is still used because, unlike plain IPsec, it carries multicast and routing protocols.
Set up GRE tunnel commands.
R1(config)# interface Tunnel0
R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# tunnel source s0/0/0
R1(config-if)# tunnel destination 198.133.219.87
Set up BGP commands.
Company-A(config)# router bgp 65000
Company-A(config-router)# neighbor 209.165.201.1 remote-as 65001
Company-A(config-router)# network 198.133.219.0 mask 255.255.255.0
Versions of SNMP
- SNMPv1: The Simple Network Management Protocol defined in RFC 1157.
- SNMPv2c: Defined in RFCs 1901 to 1908. Uses a community string–based administrative framework (the community string travels in cleartext).
- SNMPv3: Interoperable standards-based protocol originally defined in RFCs 2273 to 2275 (current versions RFCs 3410 to 3418). Provides secure access to devices by authenticating and encrypting packets over the network.
Where should QoS be applied?
As close to the network edge as possible.
Which plane do SDN applications such as Cisco IWAN sit in?
Application plane. The application uses the controller's northbound API to send requests to the control plane.
Which plane is the APIC (controller) in?
Control plane (it programs devices through southbound APIs/protocols).
Which plane are the routers and switches themselves in?
Data plane (forwarding).
RSTP interface states
Discarding
Learning
Forwarding
HSRPv1 MAC address
0000.0C07.ACxx
HSRPv2 MAC address
0000.0C9F.Fxxx
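Decoding the two HSRP virtual MAC formats above (and the group-number card further up), as an added example that is not part of the original flashcards. It also runs the decoder over a constructed `show mac address-table` excerpt to flag an HSRP virtual MAC learned on a user-facing port, which is what a spoofed active router looks like from the switch. Port names and the non-HSRP MAC are made up.

```python
"""HSRP virtual MAC decoding and a rogue-HSRP check: added example, not from the flashcards."""
import re

V1_PREFIX = "00000c07ac"     # 0000.0c07.acXX  -> XX  = group (0-255)
V2_PREFIX = "00000c9ff"      # 0000.0c9f.fXXX  -> XXX = group (0-4095)


def _hex12(mac: str) -> str:
    h = re.sub(r"[.:-]", "", mac).lower()
    if len(h) != 12 or not all(c in "0123456789abcdef" for c in h):
        raise ValueError(f"bad MAC: {mac}")
    return h


def hsrp_group(mac: str):
    """Return (version, group) for an HSRP virtual MAC, else None."""
    h = _hex12(mac)
    if h.startswith(V1_PREFIX):
        return 1, int(h[10:], 16)
    if h.startswith(V2_PREFIX):
        return 2, int(h[9:], 16)
    return None


def hsrp_virtual_mac(version: int, group: int) -> str:
    """Inverse: the virtual MAC a given version/group uses, in Cisco dotted form."""
    if version == 1 and 0 <= group <= 255:
        h = V1_PREFIX + f"{group:02x}"
    elif version == 2 and 0 <= group <= 4095:
        h = V2_PREFIX + f"{group:03x}"
    else:
        raise ValueError("group out of range for this HSRP version")
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


# Constructed `show mac address-table` excerpt. The v1 group-11 MAC has been
# learned on Fa0/7, a user port, i.e. something there won the HSRP election.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0b    DYNAMIC     Fa0/7
  10    0000.0c9f.f00c    DYNAMIC     Gi0/1
  10    001a.2b3c.4d5e    DYNAMIC     Fa0/3
"""


def rogue_hsrp(table: str, router_ports):
    """HSRP virtual MACs learned on ports that do not lead to the real routers."""
    hits = []
    for line in table.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)", line)
        if not m:
            continue
        vlan, mac, port = m.groups()
        info = hsrp_group(mac)
        if info and port not in router_ports:
            hits.append((int(vlan), info, port))
    return hits


if __name__ == "__main__":
    print(hsrp_group("0000.0c07.ac0b"), hsrp_virtual_mac(2, 11))
    print("rogue HSRP:", rogue_hsrp(MAC_TABLE, router_ports={"Gi0/1"}))
```

The decoder is also handy when reading captures: a gratuitous ARP for the gateway IP from an HSRP virtual MAC on the wrong port is the same finding.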
ISL encapsulation
only between cisco devices
HSRP modes
Init, learn, listen, speak, standby, active
HDLC open or proprietary
Cisco proprietary (Cisco HDLC adds a protocol type field to ISO HDLC, so it does not interoperate with other vendors' HDLC; use PPP between vendors)
Default OSPF timers
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Default EIGRP K values.
K1=1, K2=0, K3=1, K4=0, K5=0 (bandwidth and delay only; neighbors must agree on K values to form an adjacency)
How often does a link state protocol send routing updates?
Every 30 min and when topo changes
HSRP priority higher or lower better
higher
RSPAN
Remote SPAN monitors traffic by copying frames from a set of source ports on one switch into a dedicated RSPAN VLAN, which carries them across trunks (Layer 2 only, not routed) to a destination port on another switch where the analyzer sits.
SNMPv3
Three security levels: noAuthNoPriv (username only), authNoPriv (HMAC-MD5 or HMAC-SHA authentication), and authPriv (authentication plus DES, 3DES or AES encryption). The user's password is stretched into a key and then localized to each agent's engine ID, so the key stored on one agent is not valid on another.
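The password-to-key step behind SNMPv3 authentication, as an added example that is not part of the original flashcards: the USM algorithm from RFC 3414 appendix A.2, followed by the HMAC-96 authentication parameter. The password, engine ID and expected digests are the published test vector from RFC 3414 appendix A.3; the message used for the HMAC is a constructed byte string.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414 A.2).

Added example, not from the flashcards. Test vector from RFC 3414 A.3.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Stretch the password: hash the first 1,048,576 bytes of the password repeated."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key bound to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-96: first 12 bytes of HMAC(Kul, message) go in msgAuthenticationParameters."""
    return hmac.new(kul, msg, algo).digest()[:12]


RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku = password_to_ku(RFC_PASSWORD)
    kul = localize(ku, RFC_ENGINE_ID)
    print("Ku  :", ku.hex())
    print("Kul :", kul.hex())
    print("auth:", auth_param(kul, b"constructed SNMPv3 message").hex())
```

Localization is the security property worth knowing: a localized key pulled from one agent's configuration does not work against another agent, but the master key Ku (or the password) does, so protect the manager's credential store rather than relying on per-device keys.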
Proxy ARP
Hosts do not require a default gateway configuration when it is used: the router answers ARP requests for addresses it can reach with its own MAC address. It is enabled by default on IOS interfaces; disable it with no ip proxy-arp where it is not needed, since it hides misconfigured masks and lets the router be used as a path to any address a host chooses to ARP for.
DMVPN
DMVPN (mGRE plus NHRP, normally protected with IPsec) builds a hub-and-spoke overlay in which spokes register with the hub and then set up dynamic spoke-to-spoke tunnels on demand. The result is effectively a mesh: each site (spoke) can reach any other directly without a statically configured tunnel to every peer, no matter where it is located.