26% 1.

0 LAN Switching Technologies

Configure, verify, and troubleshoot VLANs (normal/extended range) spanning multiple switches
R1(config)# vlan 10
R1#show vlan (trunk links are not shown in the output)
R1(config)#interface fa0/1
R1(config-if)#switchport mode access
R1(config-if)#switchport access vlan 10

If there are multiple vlans (not all of the switchports to be in vlan1) there needs to be a Router on a stick or
SVI (L3 switch with allowed ip routing). The native vlan frames are not tagged.
Access ports (data and voice)
Access ports cannot become a trunk and can be assigned to only one VLAN. They are connected to end
devices. Links between switches should be trunks if there are more than 1 VLAN.
(config-if)#switchport mode access
(config-if)#switchport access vlan 10
ASW#show interfaces fastethernet 0/1 switchport

Voice VLANs are configured on the access ports only. However the trunk should be configure to carry the
traffic from the vlan that the voice traffic belongs to.
ASW(config)#interface fastethernet 0/1
ASW(config-if)#switchport voice vlan 11
ASW#show interfaces fastethernet 0/1 switchport

Default VLAN –
The Default VLAN is simply the VLAN which all Access Ports are assigned to until they are
explicitly placed in another VLAN. In the case of Cisco switches (and most other Vendors), the
Default VLAN is usually VLAN 1. Typically, this VLAN is only relevant on an Access port, which is a
port that sends and expects to receive traffic without a VLAN tag (also referred to an 'untagged
port' by other vendors).if sent via trunk the traffic from the native vlan is untagged. ”802.1q (ISL
was dropping untagged traffic)however, provided for a way to not only receive this traffic, but
also associate it to a VLAN of your choosing. This method is known as setting a Native VLAN.
Effectively, you configure your trunk port with a Native VLAN, and whatever traffic arrives on that
port without an existing VLAN tag, gets associated to your Native VLAN”
On a trunk interface-
#interface fa0/5
#switchport trunk native vlan 20
#show int fa0/5 switchport

Configure, verify, and troubleshoot interswitch connectivity

1.2.a Add and remove VLANs on a trunk

c3550(config-if)#switchport trunk encapsulation dot1q
c3550(config-if)#switchport mode trunk
c3550(config-if)#switchport trunk allowed vlan remove 5-10,12
c3550(config-if)#switchport trunk allowed vlan add 7
c3550(config-if)#end
c3550#show interfaces fastEthernet 0/2 trunk
c3550#show interfaces fastEthernet 0/2 switchport
1.2.b DTP and VTP (v1&v2)

DTP-By default, Cisco switches negotiate the type of trunking that will be used, using Dynamic Trunk Protocol
(DTP). They both use ISL if they support both trunking protocols.
ii. The type of trunking preferred on an interface is configured using the switchport trunk encapsulation {dot1q |
isl | negotiate} interface subcommand.

The DTP is used by Cisco switches to negotiate whether an interconnection between two switches
should be put into access or trunk mode. It is meant both to ease the initial deployment of a switched
network and to minimize configuration errors that result from mismatched port configuration on an
interconnection between two switches.

The DTP helps to automatically negotiate whether the port should be put into access or trunk mode and
what trunking protocol (802.1Q or ISL) should be used. The individual DTP modes are:

 dynamic auto - the port will negotiate the mode automatically, however, it prefers to be an
access port
 dynamic desirable - the port will negotiate the mode automatically, however, it prefers to be a
trunk port

DTP datagrams are also sent if the port is set statically to the trunk mode. However, if the port is set
statically to the access mode, both sending and processing DTP datagrams on that port is deactivated.

The individual combinations of port settings lead to following results:

 dynamic auto + dynamic auto = access

 dynamic auto + dynamic desirable = trunk
 dynamic desirable + dynamic desirable = trunk
 dynamic auto or dynamic desirable + trunk = trunk
 dynamic auto or dynamic desirable + access = access

As you can see, if both ports are dynamic auto, they will act as access ports. If either of them is dynamic
desirable, both will agree on trunking. If one of them is dynamic and the other is static, the mode is
dictated by the statically set port.

The DTP protocol is unauthenticated which means that a station can send false DTP packets, pretending
to be a switch. If the switchport is configured as a dynamic port, an attacker can lure the switchport to
become a trunk port and he will gain access to all VLANs allowed on that trunk. Therefore, after a
network has been installed, it is the best practice to set the mode statically and deactivate the DTP
protocol on a port using the command #switchport nonegotiate (this command is necessary only for
trunk ports, as the static access ports do not send DTP packets automatically).

VTP
VTP is a cisco proprietary protocol that allows switches to exchange vlan configuration information. VTP
advertises the existence of a VLAN (number + name), but it does not advertise the details about the switch
interfaces that are assigned to the VLAN. VTP sends messages as soon as their vlan configuration changes or every
5 minutes *VTP Summary messages*.
Switches use one of three VTP modes: server mode, client mode, or transparent mode. The engineer
sets some switches to use server mode and the rest to use client mode. VLAN configuration can be
added on the servers, with all other servers and clients learning about the changes to the VLAN
database.
vi. Clients cannot be used to configure VLAN information.
vii. Switches cannot disable VTP; they have to use transparent mode, which causes a switch to forward
VTP messages, but not process them.

Both VTP servers and clients process VTP messages, update their VTP configuration database, and then
independently send VTP updates out their trunks until all switches know all VLAN information.
 VTP servers and clients choose whether to react to VTP updates and update their VLAN configurations based on
whether the VLAN database configuration revision number increases.
 Each time a VTP server modifies its VLAN configuration, the VTP server increments the current configuration
revision number by 1.
 VTP servers and clients also send periodic VTP messages every 5 minutes, in case any newly added switches
need to know the existing VLAN configuration

Three Requirements for VTP to Work between Two Switches

 The link between the switches must be operating as a VLAN trunk (ISL or 802.1q).
 The two switches case-sensitive VTP domain name must match. Switches will only listen to VTP
messages that are within the same VTP domain.
 If configured on at least one switch, the two switches’ case-sensitive VTP password must match.
 Avoiding VTP by Using VTP Transparent Mode
 VTP transparent mode switches can configure VLANs, but they do not update their VLAN database
based on incoming advertisements.
 Switches that are configured to use VTP transparent mode forwards VTP updates received from
other switches, just to help with synchronization.
 Storing VLAN Configuration
 To forward traffic for a VLAN, switches need to know the VLAN’s ID and its VLAN name.
 When VTP clients and servers store VLAN configuration, it is stored in a file called vlan.dat in flash
memory.
 VLAN configuration is not in the running-config or startup-config file.
 Using the erase startup-config command will not remove VLAN database information; instead, you
have to use delete flash:vlan.dat.
 Switches in transparent mode store VLAN configuration in both running and start-up config (ex. The
interfaces are assigned to a particular VLAN. This information is stored in the running and startup-confi).

VTP Pruning
 VTP pruning allows VTP to dynamically determine which switches do not need frames from certain VLANs, and
then VTP prunes those VLANs from the appropriate trunks.
“The VTP feature by which switches dynamically choose interfaces on which to prevent the
flooding of frames in certain VLANs, when those frames do not need to go to every switch in the network”

Switch1(config)#vtp mode server

Switch1(config)#vtp domain boson
Switch1(config)#vtp password cisco
Switch2(config)#vtp mode client
Switch2(config)#vtp domain boson !Changing VTP domain from NULL to boson
Switch2(config)#vtp password cisco
Switch2#show vtp status
(transparent mode still forwards the messages; client cannot modify delte vlans)
forwards on trunk interfaces!
Switch2#show vlan
Switch2#show interfaces trunk

1.3 Configure, verify, and troubleshoot STP protocols

IEEE 802.1d – Spanning Tree Protocol (STP)

IEEE 802.1w – Rapid Spanning Tree Protocol (RSTP)

STP chooses which ports to block so that only one active path exists between any pair of LAN segments.
Problems caused by not using STP in redundant LANs- Broadcast storms, MAC table instability, multiple frame
transmission.
STP prevents loops by placing each bridge/switch port in either a Forwarding State or a Blocking State.
ii. Interfaces in the Forwarding State act as normal, forwarding and receiving frames, but interfaces in the Blocking
State do not process any frames except STP messages.

Spanning Tree Algorithm (STA), chooses the interfaces that should be placed in the Forwarding State. Any
interfaces not specified here are placed in Blocking State.
 STP uses three criteria to choose whether to put an interface in a Forwarding state:

1. STP elects a root switch( root bridge). STP puts all working interfaces on the root switch in Forwarding State.
(designated ports)
2. Each nonroot switch considers one of its ports to have the least administrative cost between itself and the root
switch. STP places the least-root-cost interface, called the switch’s root port (RP), in Forwarding State.
3. The lowest-cost switch on each segment is called the designated bridge, and that bridge’s interface, attached to
that segment, is called the designated port (DP).

STP bridge ID- 8 byte value- 2 byte priority, default one is 32768 and 6 byte MAC.

Switch BPDU- switches exchange information with each other. Hello BPDU contains:
Root Bridge ID, Sender’s bridge ID, cost to reach root, timer values on the root switch (hello timer, maxage timer
and forward delay). Hello BPDU timer by default is 2 sec; max age 10 times BPDU; Forward delay is 15 sec
Electing the Root Switch- the root switch with lowest BID(priority and MAC).
All switches claim to be the root by sending hello bpdu. If a switch hears a hello with a lower BID it stops
advertising itself as a root. Its called a Superior Hello.
After the election is complete, only the root switch continues to originate STP Hello BPDU messages. The other
switches receive the updates, updates the sender’s BID field (and cost-to-reach-the-root field), and forward the
Hellos out other interfaces.
Choosing the Root Port- each nonroot switch chooses its one and only root port. RP is its interface with the least
STP cost to reach the root switch.
 To calculate the cost of the RP, a switch adds the cost listed in the Hello BPDU to the STP port cost assigned to
that same interface

Choosing the Designated Port on Each LAN Segment

 STP’s final step to choose the STP topology is to choose the designated port on each LAN segment.
 The designated port on each LAN segment is the switch port that advertises the lowest-cost Hello onto a LAN
segment.
 When a nonroot switch forwards a Hello, the nonroot switch sets the cost field in the Hello to that switch’s cost
to reach the root. The switch with the lowest cost to reach the root (in the entire segment) becomes the DP on
that segment.
 All DP’s are placed into a forwarding state.
If advertised costs tied, switches use lowest bridge priority to assign the DP.

The root switch sends a new Hello BPDU every 2 seconds by default.
When 10 Hello BPDUs (max age time) are not received, switches react and start the process of changing the STP
topology (including electing a new root switch).
 The Hello timer is based on the configuration from the root switch.

STP (802.1d) cannot transition instantly, so it uses these statuses while transitioning from blocking to
forwarding:
1. Listening – like the Blocking State, the interface does not forward frames. Old, now incorrect MAC tables are
timed out during this state, because the old MAC entries would be the root cause of a loop. (stays in this stage for
15 seconds)
2. Learning – interfaces in this state still do not forward frames, but the switch begins to learn MACs of the frames
received on the interface. (stays in this stage for 15 seconds)
 STP moves an interface from Blocking -> Listening (15s) -> Learning (15s) -> Forwarding.

Spanning tree enabled protocol ieee- means that 802.1d stp is used

Rapid STP (IEEE 802.1w)

All you have to do to migrate from STP to RSTP is to configure the spanning-tree mode rapid-pvst global
command on all the switches
RSTP is compatible with STP;
RSTP adds new port roles of alternate and backup.
- an alternate port waits to become a root port
- a backup port waits to become a designated port
RSTP has the same tiebreakers and rules for root ports;

RSTP mainly improves network convergence topology when topology changes occur. RSTP works by adding an
alternative port and a backup port compared to STP. These ports are allowed to immediately enter the
forwarding state rather than passively wait for the network to converge.
RSTP only waits for 3 Hellos (6 seconds) as its MaxAge time. Also, RSTP eliminates the forward delay in both
Listening and Learning States.

RSTP Port Roles

i. The RSTP alternate port role identifies a switch’s best alternative to the root switch.
ii. The other new RSTP port type, backup port, applies only when a single switch has two links to the same
segment (collision domain), which is likely connected to a hub. This port also gets put into a discarding state.
RSTP Port Roles- Root, Designated, Alternate, Backup, Disabled (not part of STP)
RSTP States- Discarding, Learning, Forwarding
1.3.a STP mode (PVST+ and RPVST+)
The per-VLANpart of the name gives away the main feature: PVST+ creates a different STP topology per
VLAN,whereas 802.1D actually did not. PVST+ also introduced PortFast. Cisco switches often use PVST+
as the default STP mode per a default global command of spanning-tree mode pvst.

PVST+ gives engineers a load-balancing tool with STP. By changing some STP configuration parameters
differently for different VLANs, the engineer could cause switches to pick different RPs and DPs in
different VLANs. As a result, some traffic in some VLANs can be forwarded over one trunk, and traffic
for other VLANs can be forwarded over a different trunk. PVST uses the 802.1d convergence.

#spanning-tree mode rapid-pvst or

# spanning-tree mode pvst
#spanning-tree vlan 1-3 root(priority) primary

By default, Cisco switches use IEEE 802.1d, not RSTP, with a Cisco-proprietary feature called Per-VLAN Spanning
Tree Plus (PVST+).
ii. PVST+ creates a different instance of STP for each VLAN.
iii. By changing some STP configuration parameters in different VLANs, engineers could assign RPs and DPs to
different VLANs, providing load balancing.
iv. Using PVST+, some VLANs could be forwarded over one trunk, and traffic for another VLAN can use another
trunk.
v. Cisco implemented another proprietary solution to support one VLAN per RSTP, which is now called RPVST and
Per-VLAN Rapid Spanning Tree. (fast convergence per VLAN)

Regardless of using PVST+, PVRST, or MIST, two main configuration options can be used to achieve that kind of
load balancing: the bridge ID and the port cost.

 The Bridge ID and System ID Extension

 A bridge ID is formed by combining the switch’s 2-byte priority and 6-byte MAC address.
 The bridge priority can be from 0-65,535 and contains a bridge priority and a system ID extension, which is
typically holding a VLAN ID. (0, 4096, etc)
 Per-VLAN Port Costs
 On Cisco switches, the STP cost is based on the actual speed of the interface.
 Port cost- 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps –
Interface commands
#spanning-tree vlan 10 cost 200
#spanning-tree vlan 10 priority 150 (the default is 128; the lowest wins)
1.3.b STP root bridge selection
- Lowest BID; The root bridge then floods BPDU every 2 seconds; the root bridge dictates the hello interval and
timers – if there are multiple switches have the same Bridge priority it wins the switch with the lowest MAC

1.4 Configure, verify, and troubleshoot STP-related optional features

#show spanning-tree / details
#show vlan
#show spanning-tree summary
P2p edge ports are not receiving BPDU; if there is gig int from one side and fa on the other, they will agree on
100Mbps- cost will be 19. Gig=4
Discarding interfaces still receive BPDU .
When we have 2 switches that have equal cost to get to the Root Bridge it comes down to the lowest BID
(determine the designated switch and port for the segment).
When you have 2 redundant links between switches-
If cost= eq; bridge id=eq; port priority=eq; the lowest upstream port number wins. (we can use etherchannel to
avoid blocking one of the links and utilize the capacity)
Designated switch- the one with the lowest BID for the segment;
RSTP is compatible with STP;
RSTP adds new port roles of alternate and backup.

Configuring STP Port Costs and Switch Priority

i. The spanning-tree vlan <vlan-id> cost <cost> interface subcommand sets the port cost on a particular interface.
You can also change a port to become root port if you set a lower cost than the original root port.
ii. Sometimes, you can omit the “vlan <vlan-id>” in a command and it will set the cost or priority on all VLANs.
#spanning-tree vlan 10 cost 200
#spanning-tree vlan 10 priority 150 !! priority is from 0-255 higher priority is less preferred ; 128 is the default

1.4.a PortFast

PortFast allows a switch to immediately place a port in Forwarding State when the port becomes physically active,
bypassing any STP topology and bypassing the Listening and Learning States.
 PortFast can only be enabled on ports that no bridges, switches, or other STP-speaking devices are connected,
which is best for end-user devices.
Enable it globally-
Switch(config)#spanning-tree portfast default
Enable it under interface
(config-if)spanning-tree portfast

1.4.b BPDU guard

Sw1(config-if)#spanning-tree bpduguard enable

The Cisco BPDU Guard feature helps by disabling a port if any BPDUs are received on the port, particularly access
ports that should never connect to another switch.
 The Cisco Root Guard feature helps defeat the problem where a new rogue switch tries to become a root
switch.

When a switch interface with Root Guard enabled receives a superior BPDU from a neighboring switch, the switch
with Root Guard reacts. It also ignores the superior BPDU and disables the interface. When superior BPDU stops
arriving, the switch can start using the interface again.

1.5 Configure, verify, and troubleshoot (Layer 2/Layer 3) EtherChannel

Switch ports configured to be a member of a channel group must be configured the same way in order for the
port channel to operate correctly. EtherChannel addresses the unused bandwidth between DSW1 and
DSW2 by enabling the two links between the distribution switches to send and receive
simultaneously. Spanning tree will treat the bundled interfaces as a single interface and, thus, will not
transition any of the ports to the blocking state.Up to eight individual interfaces can be active members of
a port-channel group. A requirement of EtherChannel is that all ports must be identically configured before a
port-channel group can be created.
1.5.a Static –
You can issue the channel-group command to configure an interface to be a member of a port-channel
group. The channel-group 1 on command is used in interface configuration mode to enable Layer 2
EtherChannel on an interface and make it a member of channel group 1. In this lab, you will use the on mode
with the channel-group 1 mode command to enable Layer 2 EtherChannel. On mode forces the bundling of
the interface on a channel without using the Port Aggregation Protocol (PAgP) or the Link Aggregation Control
Protocol (LACP). When the port-channel group is configured by using the on mode, both ends of the links
must be configured to use the on mode.

DSW1(config)#interface range fastethernet 0/5 - 6

DSW1(config-if-range)#shutdown
DSW1(config-if-range)#channel-group 1 mode on

EtherChannel mode on will bundle interfaces irrespective of the configuration of the interfaces on the opposite
side of the link. Once interfaces are up and bundled, the port-channel interface will change to an up state and
will be added to the spanning tree as a single logical link, replacing the bundled member interfaces. You
should shut down the interfaces before configuring EtherChannel on mode to prevent a spanning tree loop;
you should then re-enable the interfaces.
You should issue the show ip interface brief command on each switch to verify that the new, automatically
created port-channel 1
Port-channel1 unassigned YES unset up up
EtherChannel will support traffic for only a single VLAN unless trunking is enabled. Because this lab uses
3550 switches, the default trunking mode is set to dynamic desirable and the trunk encapsulation is set to
auto. This means that a trunk will automatically form.
Once you create a port-channel group, all interfaces in the group are configured from the port-channel
interface for the group
DSW1(config)#interface port-channel 1
DSW1(config-if)#switchport trunk encapsulation dot1q
DSW1(config-if)#switchport mode trunk
Now that EtherChannel is operational, you should issue the show interfaces port-channel 1 command. The
output shows that a bandwidth of 200 Mbps is now available between DSW1 and DSW2
DSW1#show interfaces port-channel 1
DSW1#show etherchannel port-channel
1.5.b LACP
Link Aggregation Control Protocol (LACP) is defined in the IEEE 802.3ad standard. Because LACP is a
standards-based protocol, it can be used between Cisco and non-Cisco switches. Conversely, Port
Aggregation Protocol (PAgP) is a Cisco proprietary protocol and can only be used to create EtherChannels
between Cisco switches. Either one of these protocols will allow a switch to learn its partner’s
capabilities and dynamically group identically configured interfaces into a single logical link.
LACP can be configured in either active or passive mode. Active mode places an interface into a state where
it will initiate negotiation with its partner by sending out LACP packets. Passive mode places an interface into
a state where it will respond to LACP packets but not initiate any negotiation. Placing an interface in passive
mode will minimize LACP traffic; however, if both ends of a link are configured in passive mode, no
negotiation can take place and the interface will not be bundled. Both PAgP and LACP support up to eight
active links between devices in a negotiated channel. LACP allows a maximum of 16 ports to be
configured in a channel, but only eight can be active at any given time. Non-active links in an LACP
bundle are placed in hot standby mode, and if any active link becomes inactive, one of the hot standby links
will change to active mode and take its place in the channel.
LACP uses the port priority and port ID values to determine which hot standby port will become active. The
LACP port priority is set to 32768 by default for all interfaces. All ports in an EtherChannel must be
configured to use the same protocol: either PAgP or LACP, not both. Additionally, all ports must be
configured with the same speed and duplex settings. Ports in an LACP channel that are configured for
half-duplex mode are placed in a suspended state and not used in the channel.

ASW1(config)#interface range fastethernet 0/1 – 10

ASW1(config-if-range)#channel-protocol lacp
ASW1(config-if-range)#channel-group 1 mode passive/ active
ASW1(config)#interface port-channel 1
ASW1(config-if)#switchport trunk encapsulation dot1q
ASW1(config-if)#switchport mode trunk
ASW1#show etherchannel summary
DSW1#show etherchannel port

On ASW1, issue the following commands to change the LACP port priority of FastEthernet 0/9. By configuring
a port priority lower than the other interfaces, you can make sure that FastEthernet 0/9 is selected as an
active interface and not placed in hot standby.
ASW1(config)#interface fastethernet 0/9
ASW1(config-if)#lacp port-priority 100

1.5.c PAGP
Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol and can only be used to create
EtherChannels between Cisco switches. Both PAgP and LACP support up to eight links between devices and
can be configured to negotiate channels. Both protocols require that all ports in the group have equal
configurations before a channel can be created. Like PAgP, LACP identifies neighboring ports and their
group capabilities; however, LACP goes further by assigning roles to the EtherChannel’s endpoints.(active
and standby links based on the priority). All ports in an EtherChannel must be configured to use the same
protocol: either PAgP or LACP, not both. Additionally, all ports must be configured with the same speed and
duplex settings. Ports in an LACP channel that are configured for half-duplex mode are placed in a
suspended state and not used in the channel. When you make a change to a port-channel interface, the
changes are implemented on all physical interfaces. Conversely, if you make a configuration change on a
physical interface that is part of the channel group, the change is not implemented on any of the other
physical interfaces in the channel group or the group’s port-channel interface. Making a change to a physical
interface might unbundle it from the port channel and place it in a stand-alone state. Pagp modes- auto- not
initiating negotiations, desirable- initiates; if both ends are configured in auto- they wont form a channel

DSW1(config)#interface range fastethernet 0/5 – 6

DSW1(config-if-range)#channel-protocol pagp
DSW2(config)#interface range fastethernet 0/5 – 6
DSW2(config-if-range)#channel-protocol pagp
DSW1(config-if-range)#channel-group 1 mode auto/desirable ! creates interface port-
channel 1
DSW1#show interfaces port-channel 1
DSW1(config)#interface port-channel 1
DSW1(config-if)#switchport trunk encapsulation dot1q
DSW1(config-if)#switchport mode trunk

After you create a port-channel interface, all interfaces in the channel group are configured from the port-
channel interface for the group.
DSW1#show etherchannel summary

L3 Etherchannel-
You should issue the show cdp neighbors command to determine the number of links that are available to
form an EtherChannel. In addition to IP load balancing and bandwidth scalability, Layer 3 EtherChannel can
be advantageous in scenarios where you would like to achieve Layer 3 connectivity between switches but
keep Spanning Tree Protocol (STP) and other control traffic isolated. EtherChannel supports several
different methods for load balancing traffic across bundled links. You should select the load balancing
method that will provide you with the best distribution among links based on the network traffic. If, for
example, most of your traffic is destined for a single IP address, selecting the dst-ip method could result in
the same interface being selected each time. You might instead choose a method that involves the source
Media Access Control (MAC) or source IP address when selecting a link. You should issue the no
switchport command to convert a switched port to a routed port. When you make a change to a port-
channel interface, the changes are implemented on all physical interfaces. Conversely, if you make a
configuration change on a physical interface that is part of the channel group, the change is not implemented
on any of the other physical interfaces in the channel group or the group’s port-channel interface. Making a
change to the physical interface might unbundle it from the port channel and place it in a stand-alone state.
You can use the show etherchannel summary, show etherchannel load-balance, and show running-
config commands to verify that your EtherChannel configuration is correct. EtherChannel requires a minimum
of two links between devices

DSW1(config)#ip routing
DSW1(config)#router eigrp 100
DSW1(config-router)#auto-summary
DSW1(config-router)#network 172.16.0.0
DSW2(config)#router eigrp 100
DSW1(config-router)#auto-summary
DSW2(config-router)#network 172.16.0.0

DSW1(config)#interface range fastethernet 0/5 – 6

DSW1(config-if-range)#shutdown
DSW1(config-if-range)#channel-group 1 mode on
DSW1(config-if-range)#no shutdown
DSW1#show etherchannel summary
DSW1(config)#interface portchannel 1
DSW1(config-if)#ip address 172.16.1.1 255.255.255.252
DSW1#show ip route
DSW1#show etherchannel load-balance
DSW1(config)#port-channel load-balance src-dst-ip

1.6 Describe the benefits of switch stacking and chassis aggregation

Cisco StackWise technology provides an innovative new method for collectively utilizing the capabilities
of a stack of switches. Individual switches intelligently join to create a single switching unit with a 32-
Gbps switching stack interconnect. Configuration and routing information is shared by every switch in the
stack, creating a single switching unit. Switches can be added to and deleted from a working stack without
affecting performance.
The switches are united into a single logical unit using special stack interconnect cables that create a
bidirectional closed-loop path. This bidirectional path acts as a switch fabric for all the connected
switches. Network topology and routing information is updated continuously through the stack
interconnect. All stack members have full access to the stack interconnect bandwidth. The stack is
managed as a single unit by a master switch, which is elected from one of the stack member switches.
Each switch in the stack has the capability to behave as a master or subordinate (member) in the
hierarchy. The master switch is elected and serves as the control center for the stack. Both the master
member switches act as forwarding processors. Each switch is assigned a number. Up to nine separate
switches can be joined together. The stack can have switches added and removed without affecting stack
performance.

1.7 Describe common access layer threat mitigation techniques

1.7.a 802.1x-
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE
802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to
attach to a LAN or WLAN.
IEEE 802.1x defines a process to authenticate the user of the PC connected to a switch port. This can be used in
Network Admission Control (NAC).
With IEEE 802.1x, each user communicates with an AAA server. The switch blocks traffic until the AAA server
authenticates with the PC. AAA- authentication, authorization, accounting
Tacacs+ and RADIUS (they are both security protocols for an AAA server);
Tacacs+ cisco proprietary; now it’s open wide; uses tcp; separate processes for authentication, authorization and
accounting functions; tacacs is more secure and it uses 2 way authentication+ encrypts the entire packet.
Tacacs+ is normally used for network devices; command by command authorization; encrypts the entire
communication;
Radius-industry standard- uses udp; uses one process for authentication, authorization, accounting;
uses one way authentication; encrypts only the password; normally used for user auth
you can have couple of tacacs servers or radius; radius only encrypts passwords
basic AAA config;

#aaa new-model
#radius-server host   10.10.10.5 key cisco
for tacacs-
#aaa new-model
#tacacs-server 10.10.20.5 key cisco
#aaa group server radius R-Group
#server 10.10.10.5
#aaa authentication login default group R-GROUP local
1.7.b DHCP snooping
DHCP snooping is a layer 2 security technology built into the operating system of a capable network
switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP
snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients

dhcp spoofing- an attack where the attacker has a dhcp server which responds to a dhcp discover
message sent from a DHCP client.
to prevent it we can use dhcp snooping- which ports are trusted and which are not; Allows a cisco
catalyst switch port to reject packets coming in from a dhcp server if that port is set to an untrusted
state. If it hears dhcp packets from an untrusted ports; the packet s blocked (usually is setup on ASW);

configure dhcp snooping-

#ip dhcp snooping

#ip dhcp snooping vlan 1  (places all ports in vlan1 to untrusted state)
#int fa1/0/1
#ip dhcp snooping trust   (define the trusted ports)

denial dhcp attack mitigation-  to limit the maximum dhcp request on a port
#int fa1/0
#ip dhcp snooping limit rate 100

#show ip dhcp snooping

DHCP option 82
Causes a DHCP Request packet to contain information indicating the switch port from which the DHCP
request came

1.7.c Nondefault native VLAN

Native vlan- a VLAN on an IEEE 802.1q(4 bytes tag) trunk whose frames are untagged. If we keep the default
native vlan to 1 we are exposed to a vlan hopping attack. An attacker where an attacker’s device is able to attack a
device on another VLAN without crossing a router. Best practice do not use the default native vlan of 1. Double
tagging attacks. Do not use and leave ports in VLAN 1.

29% 2.0 Routing Technologies

2.1 Configure, verify, and troubleshoot Inter-VLAN routing.
When you want to forward packets from different VLANs you need a Router or a L3 switch.
2.1.a Router on a stick-
L2 switch connects to a router. L2 switch is configured as a trunk port with encapsulation dot1q and allows the
vlans on the trunk. On the other end the router has to create subinterface for each VLAN, matching the vlan id.

R1(config)#int fa0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 172.10.2.1 255.255.255.0
R1(config-subif)#no shutdown

SW(config)#int fa0/0
SW(config)#switchport trunk encapsulation dot1q
SW(config)#switchport mode trunk

2.1.b SVI
Layer 3 switches. On l3 and L2switches we create a couple of virtual interfaces for the vlans; that’s how we
remove the need from a router to route between the vlans. These interfaces are called SVI. We assign an ip
addresses to them. It’s a virtual interface that represents all of the ports belonging to that vlan.
With SVIs the switch recognizes the packet destinations that are local to the sending VLAN and switches those
packets and packets destined for different VLANs are routed.

#interface vlan 10
#ip address ………
Another option is a routed port- we can have our L3 switch with its SVI ports and if we need to connect however
to a router we can create one of the switchports into a routed port. We will say its not a switchport; we will assign
him an ip address as well. That’s how we can route internally from the switch and if we need to go to the rest of
the world we will connect to the router.
One SVI can have a lot of ports assigned to it.
SW1(Confg)#int vlan 10 ( we create a virtual interface)
#ip address 192.168.1.1 255.255.255.0
#int vlan 20
#ip addres 172.16.1.1 255.255.255.0

SW1(Confg)#ip route (we enable the routing)

To connect SW1 to R1-

We can make the port that connects to the R to a routed port
Note: we cannot assign an ip address to a non routed switchport !
(config-if)# no switchport (converts it In a routed port)
#ip address ………….

2.2 Compare and contrast distance vector and link-state routing protocols

Distance vector use next hop count while the link-state use the bandwidth to determine the best path.
Distance Vector vs Link state protocols
Distance vector- Distance vector routing is so named because it involves two factors: the distance, or metric, of a
destination, and the vector, or direction to take to get there. Routing information is only exchanged between
directly connected neighbors. This means a router knows from which neighbor a route was learned, but it does
not know where that neighbor learned the route; a router can't see beyond its own neighbors. This aspect of
distance vector routing is sometimes referred to as "routing by rumor." Measures like split horizon and poison
reverse are employed to avoid routing loops.
(RIP, RIP2 , IGRP, partially EIGRP but it is an advanced/ hybrid) RIP2 multicast is 224.0.0.9' EIGRP multicast is
224.0.0.10
Link-state- Link-state routing, in contrast, requires that all routers know about the paths reachable by all other
routers in the network. Link-state information is flooded throughout the link-state domain (an area in OSPF or IS-
IS) to ensure all routers possess a synchronized copy of the area's link-state database. From this common
database, each router constructs its own relative shortest-path tree, with itself as the root, for all known routes.
(OSPF and IS IS ) OSPF multicast- 224.0.0.5 for all routers and 224.0.0.6 specifically for DR and BDR

2.3 Compare and contrast interior and exterior routing protocols

IGP- interior gateway protocol-
- Automatic neighbor discover
- Under control of a single organization (AS/ area)
- generally trust your IGP routers
- Routes go to all IGP routers
- Usually not filtered
EGP
- Specifically configured peers
- Connecting with outside networks (different AS)
- Neighbors are not trusted
- Set administrative boundaries
- Filters based on policy

EBGP is the only valid exterior gateway protocol as of now

2.4 Configure, verify, and troubleshoot single area and multiarea OSPFv2 for IPv4 (excluding
authentication, filtering, manual summarization, redistribution, stub, virtual-link, and LSAs)

OSPF Protocols and Operation

OSPF Multicast all routers 224.0.0.5

OSPF DR and BDR 224.0.0.6
a. OSPF features can be broken into three categories: neighbors, database exchange, and route calculation.
b. OSPF routers first form a neighbor relationship that provides a foundation for all continuing OSPF
communications. After becoming neighbors, they exchange LSDBs through database exchange.
c. After the OSPF routers have the topology information in its LSDB, it uses SPF algorithm to calculate the best
routes.
d. OSPF Neighbors
i. OSPF neighbors discover each other using OSPF Hello messages.
ii. The OSPF Hellos in turn list each router's Router ID (RID), which serves as the router's name or identifier for
OSPF. OSPF then checks the information in the Hello message to make sure the two routers should become
neighbors.
OSPF RID - either configured or using loopbacks highest interface/ normal int
Routers are ready to send multicast Hello messages once it has chosen its OSPF RID and on the same subnet as
another router.
 After routers exchange Hello messages, they exchange topology information through database exchange, and
then use the SPF algorithm to calculate best routes.
Hello messages includes the sending router's RID, Area ID, Hello Interval, dead interval, router priority, the RID
of the designated router, RID of the backup designated router, and a list of already known OSPF routers.
 Potential Problems in Becoming OSPF Neighbors
 The following must match prior to becoming OSPF neighbors:
1. Subnet mask used on the subnet.
2. Subnet number.
3. Hello interval.
4. Dead interval.
5. OSPF area ID.
6. Must pass authentication checks (if any).
7. Value of the stub area flag.
 When a router does not hear a Hello within the specified Dead interval, the router believes the neighbor is no
longer reachable, causing the network to re-converge.
 Cisco routers default to Hello intervals of 10 seconds, and the dead interval is 4 times the Hello, or 40
seconds.

Not all of the ospf neighbors will reach full state., mostly it will be two way state;
OSPF Topology Database Example
 Overview of the OSPF Database Exchange Process
 After OSPF routers agree that they should share topology information, they exchange topology data (LSAs).
 After they share LSAs, the following process goes into place:
1. Based on the OSPF interface type, the routers may or may not elect a Designated Router (DR) and a Backup
Designated Router (BDR). DR and BDR are present in a broadcast network type. In PPP network type there is no
need for DR.
2. For each pair of routers that need to become fully adjacent, mutually exchange LSDBs.
3. When completed, the neighbors monitor the network for changes and periodically flood LSAs.
Choosing a Designated Router
 Designated Routers and Backups are determined based on the OSPF interface type.
 The two OSPF interface types are point-to-point and broadcast. PPP is usually for WANs, broadcast interface
types are usually for LANs.
 You can configure the OSPF interface types using the ip ospf network <type> interface subcommand.
 After a DR is selected, database description packets go to the DR, and then the DR forwards the packet to the
other routers.
 The DR basically distributes topology information to other routers. It also prevents overloading the network
with OSPF traffic. When a change occurs to a non DR router the LSA is first sent to the DR/BDR (224.0.0.6) on the
network segment, and the DR will then in turn send the LSA out all its interfaces including the one that has
received the LSA (but addressed to a different IP address 224.0.0.5).
 Losing a DR could cause a delay in convergence, so a Backup DR is also included on each subnet.
 The default OSPF interface priority is set to 1.
 When choosing a DR, the routers look at two fields inside the Hello Packet and base the DR on the following
criteria:
1. The router sending the Hello with the highest OSPF interface priority becomes the DR.
2. If highest OSPF interface priority ties, then choose highest RID.
3. Typically, the router with the second highest OSPF interface priority becomes the BDR.
4. A priority of 0 means the router can never be considered for election.
5. The ranges of OSPF priorities are 1-255.
6. If a new and better router becomes involved after DR or BDR selection, the new router does not take over.
 An OSPF router will not elect a DR/BDR switch on a point-to-point network or point-to-multipoint. It will,
however, elect one of the two on a NBMA or broadcast network.
 When OSPF routers have all the same priorities, the one with the highest Loopback IP (if configured) will be
chosen as the Designated Router (DR).

Database Exchange
 After two routers exchange databases, each router only compares the other router's LSA list to its own LSDB.
Whichever LSA that it doesn't have, it asks the sending router to send a full LSA including details.
 Each LSA is only reflooded by the router that created the LSA, every 30 minutes.
f. Building the IP Routing Table
i. OSPF picks the least-cost route to add to its IP routing table. SPF runs against the LDSB (which contains Link LSAs
and Router LSAs).
g. Scaling OSPF Through Hierarchical Design
i. The purpose of using scalability features is to avoid having many routers have to recalculate the best route
using SPF should any links go down.
 OSPF Areas
 OSPF areas solve many issues in larger networks. OSPF breaks up areas so that routers in one area know less
topology information about subnets in other areas.
An OSPF Area Border Router (ABR) is a router that connects two areas.
 The router OSPF id of 0 is invalid.
 Area 0 is also called a backbone area. Backbone routers are routers that connect to area 0.
 Areas must use a hierarchical design and must connect back to Area 0.

OSPF Load Balancing

i. When metrics are a tie when determining best routes, OSPF routers can put up to 16 different equal-cost
routes in the routing table.
ii. The maximum-paths <number> command gives the router the limitation of only storing x amount of paths for a
particular route. The default setting is to store a max of 4 routes.
OSPF speaking routers must have a Router ID (RID).
i. You can configure the OSPF Router ID with the router-id <RID> OSPF subcommand. (or it will take the loopback;s
interface)

2.5 Configure, verify, and troubleshoot single area and multiarea OSPFv3 for IPv6 (excluding
authentication, filtering, manual summarization, redistribution, stub, virtual-link, and LSAs)

OSPFv3 Multicast all routers FF02::5

OSPFv3 multicast BDR and DR FF02::6
OSPFv3- RID uses the same 32 bit convention;
RouterA#show ipv6 protocols

If IPv6 packet forwarding is enabled on a router, you should see the configuration line ipv6 unicast-routing in the
output of the show running-config command

RouterA#configure terminal
RouterA(config)#ipv6 unicast-routing

You should issue the ipv6 router ospf process-id command, where process-id is the ID of the OSPFv3 process you
want to start. Because the process ID is locally significant to each router, you are not required to use the same
OSPFv3 process ID on adjacent routers.

RouterA(config)#ipv6 router ospf 100

RouterA(config-rtr)#router-id 1.1.1.1

Unlike the OSPF version 2 (OSPFv2) configuration process on a Cisco router, OSPFv3 networks cannot be
configured by issuing the network ip-address wildcard-mask area area-id command in router configuration mode.
OSPFv3 networks are instead configured at the interface level by issuing the ipv6 ospf process-id area area-id
command.
RouterA(config-rtr)#interface fastethernet 0/0
RouterA(config-if)#ipv6 ospf 100 area 0
RouterA(config-if)#interface fastethernet 0/1
RouterA(config-if)#ipv6 ospf 100 area 0
RouterA#show ipv6 route
 show ipv6 ospf interface
show ipv6 ospf neighbor
show ipv6 protocols

ospf cost conf

#int s1/0.1
#ip ospf cost 1000

ospf timers;
hello timer; dead timer
dead timerx4 hello timer

OSPF hello and dead timers should match in order for two router to become a neighbors
#int s 1/0.1
# ip ospf hello 30  
the network type should match as well!!! Otherwise we will become neighbors but won’t learn new
routes;
#int s 1/0.1
#ip ospf network <networktype>

show ip ospf interfaces

OSPF Passive interfaces
typically we can make passive interfaces interfaces that are not connected to another router
#router ospf 1
#(no)passive-interface fa0/0

2.6 Configure, verify, and troubleshoot EIGRP for IPv4 (excluding authentication, filtering, manual
summarization, redistribution, stub)

EIGRP Concepts and Operation

a. Neighbor discovery – EIGRP routers send Hello messages to discover potential neighboring EIGRP routers and
perform basic parameter checks to determine which routers should become neighbors.
b. Topology exchange – neighbors can exchange full topology updates when the neighbor relationship comes up,
and then only partial updates as needed based on changes to the network topology. (eigrp status is typically in a
passive state)
c. Choosing routes – each router analyzes its respective EIRGP topology tables, choosing the lowest metric route
to each subnet.
EIGRP Neighbors
i. EIGRP speaking routers send Hello messages to the 224.0.0.10 multicast address to dynamically discover
potential neighbors.
ii. When receiving an EIGRP Hello from another router, it must pass these checks before becoming a neighbor:
iii. It must pass the authentication process.
iv. It must use the same configured AS number.
v. The source IP address used by the neighbor’s Hello must be in the same subnet.

K-values should match!

vi. A router considers its EIGRP neighbor to be no longer reachable after the EIGRP Hold Timer – which is
equivalent to OSPF Dead Interval – is finished.
vii. The hold-time for a neighbor should not exceed 15 seconds or fall below 10 seconds.
viii. The hello interval is typically 5 seconds and the hold time is 15 seconds. The hold timer is 3* the Hello timer.
e. Exchange EIRGP Topology Information
i. EIGRP uses EIGRP Update messages to send topology information to neighbors, using Reliable Transport
Protocol (RTP).
ii. Full updates are updates that include information about all known routers, and are only sent when a
neighbor first comes up. Partial updates only send in reaction to changes to a route.

Calculating the Best Routes for the Routing Table

i. EIGRP calculates best route based on bandwidth and delay by default.
ii. An EIGRP update message lists the subnet number and mask, along with the cumulative delay, and minimum
bandwidth.
iii. If the metric is a tie, by default a router would place up to four equal-metric routes into the routing table,
load balancing.
iv. A “passive” state (show ip eigrp topology) is a state when the router has identified the successor(s) for the
destination.
v. The destination changes to the “active” state (show ip eigrp topology) when the current successor no longer
satisfies the Feasibility Condition and there are no feasible successors identified for that destination (no backup
destinations).
 Feasible Distance and Reported Distance
 Feasible Distance (FD) – the metric of the best route to reach a subnet, as calculated on a router.
 Reported Distance (RD) – the metric as calculated on a neighboring router and then reported and learned in an
EIGRP update.
 Caveats with Bandwidth on Serial Links
 IOS defaults to a bandwidth of 1544 and a delay of 20,000 microseconds. This does not change automatically
based on serial links. This has to be done manually.

EIGRP Convergence
i. The EIGRP convergence process uses two branches in its logic: based on whether the failed route does or does
not have a feasible successor route. If it does, the route immediately uses that route. If not, the router must use a
query and response process to find a loop-free alternative route.
 EIGRP Successors and Feasible Successors
 The route with the best metric is called the successor. The route’s metric is called the feasible distance.
 Feasible successor routes are loop-free backup routes in its topology table and use them if the best route fails.
 A feasible successor is determined by the reported distance from another router, if that other router has a
lower feasible distance than its own. This route is said to be in feasible condition.
 The Query and Reply Process
 When a route fails and has no feasible successor, EIGRP uses a distributed algorithm called Diffusing Update
Algorithm (DUAL).
DUAL sends queries looking for a loop-free route to the subnet in question and adds it to the routing table.
EIGRP Summary and Comparisons with OSPF
i. EIGRP does not have to create areas like OSPF.
ii. Unlike OSPF, EIGRP supports both equal-metric and unequal-metric load balancing. (variance)
iii. EIGRP is not a public standard like OSPF and allows manual summarization on any router.
II. EIGRP Configuration and Verification
a. Basic EIGRP Configuration
i. EIGRP routers have to use the same ASN (which is supplied at the end of the router eigrp <asn number>
command) across all the routers that are in the topology.
ii. EIGRP allocates its RID just like OSPF – based on the configured value, or the highest IP of the up/up loopback
interface.
iii. The EIGRP network command can be configured without a wildcard mask. If not used without wildcard, it
must use a classful network as the lone parameter.
EIGRP Metrics, Successors, and Feasible Successors
i. The reported distance is the second number in the parenthesis when using the show ip eigrp topology
command.
ii. The RD of a neighbor router must be lower than the current router's FD (metric) to be considered a feasible
route. FS= RD<FD of the current successor
EIGRP Maximum Paths and Variance
i. Variance allows routes whose metrics are relatively close to be considered equal, allowing multiple unequal-
metric routes to the same subnet to be added to the routing table.
ii. The router multiplies the variance times a router's FD – the best metric with which to reach that subnet.
iii. Any FS routes whose metrics is less than the product of the variance times the FD are considered to be equal
routes and may be placed in the routing table, depending on what the maximum-paths command is set to.
variance mulitiplies the successor route;
#router eigrp 1
# variance 2

#int s1/0

#ip hello-interval eigrp 1 2

#ip hold-time eigrp 1 6

Feasible successor route (alternate route)

An EIGRP route is a feasible successor route if its reported distance (RD) from our neighbor is less than the
feasible distance (FD of the successor route) of the successor route

The variance is multiplied by the current FD (the metric of the best route to reach the subnet).

Any FS routes whose calculated metric is less than or equal to the product of variance times the FD

are added to the IP routing table, assuming that the maximum-paths setting allows more routes.

Routes that are neither successor nor FS can never be added to the IP routing table, regardless of the

variance setting, because doing so may cause packets to loop.

EIGRP configuration

#router eigrp 1 (AS OF 1 ! should match)

#network 192.168.1.0 0.0.0.255 (int that will participate in EIGRP_

#network 192.168.2.0 0.0.0.255

#network 10.1.1.1 0.0.0.0 ( 0 means match)

#network 192.168.2.0 ( if we don’t use the wild card, eigrp will assume that we are using the classful mask /24
in this case)

#router eigrp 1

# network 0.0.0.0 all of the interfaces will participate

#show ip eigrp interfaces

#show ip eigrp neighbors

#show ip eigrp topology

#show ip protocols

#show ip eigrp int detail

Split-Horizon- a rule that states a router will not advertise a route out of the interface from which the route was
learned
#show ip protocols
#maximum-paths ....

eigrp data structure

-neighbor table- info about eigrp neigh routers
^#show eigrp neighbors
-interface table- participating interfaces for eigrp
^show ip eigrp interfaces
-topology table- the routes known to eigrp
^^show ip eigrp topology (successor and feasible successor)
2.7 Configure, verify, and troubleshoot EIGRP for IPv6 (excluding authentication, filtering, manual
summarization, redistribution, stub)
You must first enable IPv6 unicast routing before you can enable the EIGRPv6 routing process. By default,
IPv6 unicast routing is disabled.
Router1(config)#ipv6 unicast-routing

To enable the EIGRP for IPv6 routing process, you should issue the ipv6 router eigrp as-number command
from global configuration mode, where as-number is a number between 1 and 65535 that identifies the AS.
The AS identifier must match on neighboring EIGRP routers in order for the routers to establish an adjacency
and exchange routes with one another. The following command configures the EIGRPv6 routing process
using AS number 10 and places the router into router configuration mode:

Router1(config)#ipv6 router eigrp 10

Router1(config-rtr)#router-id 1.1.1.1

One difference between configuring EIGRP for IP version 4 (IPv4) and EIGRPv6 is that you cannot add
networks to EIGRPv6 by issuing the network ip-address wildcard-mask command in router configuration
mode. Instead, to specify the IPv6 link that should be advertised by EIGRPv6, you should issue the
ipv6 eigrp as-number command, where as-number is the number of the EIGRP AS, in interface
configuration mode. Issue the following commands on Router1:

Router1(config-rtr)#interface serial 0/0

Router1(config-if)#ipv6 eigrp 10
Router1(config-if)#interface fastethernet 0/0
Router1(config-if)#ipv6 eigrp 10
Router1(config-if)#interface loopback 0
Router1(config-if)#ipv6 eigrp 10

Router2(config)#ipv6 unicast-routing

Router2(config)#ipv6 router eigrp 10

Router2(config-rtr)#router-id 2.2.2.2

Router2(config-rtr)#no shutdown

Router3#show ipv6 protocols

Router1#show ipv6 eigrp neighbors

Router1#show ipv6 eigrp topology- This command is useful for determining the feasible distance (FD)
and advertised distance (AD) of a route. The EIGRPv6 topology database contains primary and backup
routes to each destination learned from EIGRP neighbors. The best routes (those with the lowest composite
metric) are termed successor routes and are inserted in the IPv6 routing table on the router; all others are
termed feasible successor routes. issue the following command to display all routes, both successor and
feasible successor, learned by the router. Sample output is below:
Router1#show ipv6 eigrp topology all-links
Router3#show ipv6 route
16% 3.0 WAN Technologies
3.1 Configure and verify PPP and MLPPP on WAN interfaces using local authentication
Implementing Multilink PPP

Network designers sometimes use multiple parallel serial links between two routers, rather than a single serial
link. That motivation may be to improve availability, so if one link fails, at least the others are working. MLPPP
makes the multiple physical links work like a single link by using a virtual interface called a multilink interface.
The Layer 3 configuration (like IPv4 and IPv6 addresses and routing protocol interface subcommands) is added
to the multilink interface. Then the configuration associates the physical serial interfaces with the multilink
interface, connecting the Layer 2 logic that works with the multiple serial links with the Layer 3 logic that works on
the single multilink interface.

Standard PPP
P1R1(config)#interface serial 0/1

P1R1(config-if)#encapsulation ppp

P1R1(config-if)#ppp authentication pap

CHAP

P1R1(config)username P1R2 password CCNA ‼! Should be configured on the oppsoite

router

P1R1(config)#interface serial 0/1

P1R1(config-if)#encapsulation ppp

P1R1(config-if)#ppp authentication chap

MultilinkPPP

P1R1(config)#interface multilink 1
#encapsulation ppp
#ppp multilink
#ip address 192.168.5.1 255.255.255.0
#ppp multilink group 1

#interface serial0/0/0
#encapsulation ppp
#ppp multilink
#no ip address
#ppp multilink group 1

Validate-

R1# show ip route

R1# show ip eigrp interfaces
R1# show ip interface brief
R1# show interfaces multilink 1
R1# show ppp multilink

3.2 Configure, verify, and troubleshoot PPPoE client-side interfaces using local authentication

(Typically for DSL connections)

#interface dialer 2
! Layer 3 details next
#ip address negotiated
#mtu 1492
! Layer 2 details next
#encapsulation ppp
#ppp chap hostname Fred
#ppp chap password Barney
! Layer 1 details next
#dialer pool 1
! Physical interface – the one connected towards the ISP
#interface G0/1
#no ip address ! Physical link has no layer 3 address
#pppoe-client dial-pool-number 1
#pppoe enable ! auto-generated by previous command
#mac-address 0200.0000.0011 ! Not required; personal choice
#no shutdown

3.3 Configure, verify, and troubleshoot GRE tunnel connectivity

Most people do a GRE tunnel inside an ipsec tunnel

GRE – generic routing encapsulation tunnel- a logical connection that can encapsulate a wide variety of data types

GRE tunnel theory and configuration- Gre is a type of tunnel that can encapsulate multiple layer 3 protocols( ip
unicast, multicast, broadcast, AppleTalk etc);by itself it does not do security; instead we can place gre tunnel
inside an ipsec tunnel

#int tunnel 1

#tunnel mode gre ip (optional; this is the default setting)

#ip address 192.168.0.1 255.255.255.252 (using a subnet from the secure network’s address range. The two
routers on the tunnel should use addresses from the same subnet)

#tunnel source loopback 0 (it could be an ip of the local router or an interface;)

#tunnel destination 4.4.4.4 (configure the tunnel’s destination IP address in the unsecured part of the network.
(This value must match the IP address used by the other router as its tunnel source IP address.)

We can assign routing protocols to the interface

#show ip int br

#show int tunnel 1

R2# show running-config

! tunnel mode gre multipoint is used when configuring Dynamic

Multipoint VPN (DMVPN),!

Traceroute will detects that there is only 1 hop route

Common gre tunnel issues-

Source ip address for tunnel not reachable by far end router

Destination ip address for tunnel no reachable by local router

Gre traffic blocked by acl

Fragmentation caused by inconsistent mtu settings

Best route to tunnel destination is through the tunnel

#show interfaces tunnel 1

We can see the tunnel source and destination, mtu size 1476 (to accommodate the 24 bytes gre header)

R1(config-ext-nacl)# permit gre any any

3.4 Describe WAN topology options

3.4.a Point-to-point (E-Line)- - interconnecting two sites; typically uses a L2 protocol. Could be a physical point
ot point connection. Could be a logical point to point connection

Definition of a header and trailer that allows delivery of a data frame over the link

Support for both synchronous and asynchronous links

A protocol Type field in the header, allowing multiple Layer 3 protocols to pass over the same link

Built-in authentication tools: Password Authentication Protocol (PAP) and Challenge Handshake

Authentication Protocol (CHAP)

Control protocols for each higher-layer protocol that rides over PPP, allowing easier integration

and support of those protocols

PPP introduces LCP and NCP

LCP- looped link detection, error detection, multilink support, and authentication
interface Serial0/0/0
ip address 192.168.2.1 255.255.255.0
encapsulation ppp
clockrate 2000000

Ethernet Line Service (Point-to-Point)

The Ethernet Line Service, or E-Line, is the simplest of the Metro Ethernet services. The customer

connects two sites with access links. Then the MetroE service allows the two customer devices to send

Ethernet frames to each other..

3.4.b Hub and spoke- (E-Tree) The center is the hub; spoke. Traffic goes from the hub to the spoke;
-cost effective for multiple sites

- could have suboptimal paths

The Ethernet Tree service (E-Tree) creates a WAN topology in which the central site device can send

Ethernet frames directly to each remote (leaf) site, but the remote (leaf) sites can send only to the central

site

- hub could be a single point of failure

3.4.c Full mesh- (E-LAN)
- Doesn’t scale well
- Optimal pathing
- Higher expense

The people who created MetroE anticipated the need for designs that allow a full mesh—that is, for each

pair of nodes in the service to send frames to each other directly. In fact, allowing all devices to send

directly to every other device sounds a lot like an Ethernet LAN, so the MetroE service is called an

Ethernet LAN service, or E-LAN.

3.4.d Single vs dual-homed

Single homed- one link to one Internet Service Provider (ISP)

Dual homed- two or more links to one ISP

Single Multihomed- one link per ISP to two or more iSP

Dual Multihomed- two or more links per two or more ISP

3.5 Describe WAN access connectivity options

3.5.a MPLS (a Layer 3 virtual private service)
MPLS- Multiprotocol label switching (makes forwarding decisions based on a 20 bit label in a 32 bit header) . uses
labels; because of the labels the service provider can separate the traffic between the customers; MPLS can do
QOS;

MPLS injects its header between the L2 and L3 header of the iPV4; 32bit(20 bit label) ;

CPE- customer premise equipment; a device at a customer site that connects to an MPLS provider;

The traffic that goes through the CPE doesn’t have to be labeled;

ELSR- edge label switch router; (sits at the edge of an MPLS cloud and adds labels to the traffic coming into the
cloud and removes labels from traffic leaving the clouds) elsr is also known as a PE – provider edge

LSR- label switch router; they make forward decision based on the labels; every lsr hop will change the label; lsr
can separate the customers traffic

MPLS network approaches some Layer 3 functions (as opposite to MetroEthernet). In particular, the SP’s MPLS
network:
Needs to know about the customer’s IP subnets
Will run IP routing protocols to learn those routes
Will use routes about the customer’s IP address space to make forwarding decisions.

As an aside, note that an MPLS VPN service does not encrypt data to make the network private, as it is
done in some VPN services. Instead, MPLS VPNs make the data private by ensuring that data sent by one
customer is not sent to a second customer, and vice versa, even though the packets for those two customers may
pass through the same devices and links inside the MPLS network .

MPLS must be aware of the customer IP addressing. The SP will even use routing protocols and advertise those
customer routes across the WAN. (EIGRP and OSPF)
3.5.b MetroEthernet
Metro Ethernet (MetroE) includes a variety of WAN services with some common features. Each MetroE service
uses Ethernet physical links to connect the customer’s device to the service provider’s device. Second, the service
is a Layer 2 service in that the WAN provider forwards Ethernet frames from one customer device to another.
(Metro Ethernet acts somewhat like a big Switch, connecting customers routers)

MetroEthernet Services- Point to Point- E-Line, Full Mesh- E-LAN, Hub and Spoke- Tree service

3.5.c Broadband PPPoE

3.5.d Internet VPN (DMVPN, site-to-site VPN, client VPN)

-------

3.6 Configure and verify single-homed branch connectivity using eBGP IPv4 (limited to peering and
route advertisement using Network command only)
BGP overview
It is an exterior gateway protocol

Routes between AS

BGP forms neighborships

- Neibogrs are not learnt dynamically we have to explicitly configure the neighbors
- A tcp session is established between neigbhbors
- Advertises address prefix and length (called network layer reachability information)
- Advertises a collection of pathe attributes. That can be used for path selection
- Path vector routing protocol
- It wont consider bandwidth when it makes a path decision ; the bgp consider the attributes;

AS_ path- a bgp path attribute that contains the list of autonomous systems into which packets must flow in order
to reach a specified destination network, where BGP prefer shorter AS paths

Local preference- a BGP path attribute that can be assigned to routers received from another autonomous sysem
and exchanged between router in an AS where BGP prefers routers with a higher Local Preference

Basic configuration and verification

eBGP

conf t

# router bgp 64500 (the AS number; with bgp we talk to ISP)

# neighbor 198.51.100.2 remote-as 64495 (bgp otherwise is not going to dynamically form neighborship)

#network 192,0,2.0 mask 255.255.255.0 (advertise this network! Not the interface to participate)

# end
#show ip bgp

14% 4.0 Infrastructure Services

4.1 Configure, verify, and troubleshoot basic HSRP –
FHRP first hop redundancy protocol- includes HSRP, VRRP and GLBP
Hsrp- creates a virtual address and MAC and both devices share them; one of the routers will be active and the
other on standby; they exchange hello messages; once every 3 seconds; in 10 sec the standby router will take
over;

HSRP – cisco proprietary

V1 mac:0000.0c07.AC….
V1 uses seconds; v1 has 256 groups
V2 mac: 0000.0c9F.F…
Uses mseconds it has 4096 groups
Configure HSRP

#int fa0/0
#standby 1 ip 10.1.55.1
# show standby
#standby version 2
#standby 1 priority 150 (highest priority wins the Active Router role; the default priority is 100; if it ties it will
pick the router with highest IP address; 0-255 priority; 0 means it won’t be selected as an active)
#standby 1 preempt   (enables the failover; its enabled from the active one router; if a router with higher priority
dies and then turns back it will be selected as an active router again; if there is no preemption it will not)
R2# conf t
#int fa0/0
#standby version 2
#standby 1 ip 10.1.55.1
#show standby

4.1.a Priority
#standby 1 priority 150
4.1.b Preemption
#standby 1 preempt  
4.1.c Version
#standby version 2

HSRP rules. When a router (call it the local router) has an HSRP-enabled interface, and that
interface comes up, the router sends HSRP messages to negotiate whether it should be active or standby.
When it sends those messages, if it...
Step 1. ...discovers no other HSRP routers in the subnet, the local router becomes the active router.
Step 2. ...discovers an existing HSRP router, and both are currently negotiating to decide which should
become the HSRP active router, the routers negotiate, with the router with the highest HSRP
priority becoming the HSRP active router.
Step 3. ...discovers an existing HSRP router in the subnet, and that router is already acting as the active
router:
A. If configured with no preemption (the default; no standby preempt), the local router
becomes a standby router, even if it has a better (higher) priority.
B. If configured with preemption (standby preempt), the local router checks its priority versus
the active router; if the local router priority is better (higher), the local router takes over
(preempts) the existing active router to become the new active HSRP router.

The following list details some important items to check to make sure the configurations
should work:
Routers must be configured with the same HSRP version (standby version {1 | 2})
Routers must be configured with the same HSRP group number (standby number ...).
Routers must configure the same virtual IP address (standby number ip address).
Virtual IP address must be (a) in the same subnet as the interface IP address and (b) not used by any
other device in the subnet (including the other HSRP routers) (standby number ip address).
In the attached Layer 2 network, the interfaces on the routers or Layer 3 switches must be in the
same VLAN.
No ACLs should filter HSRP messages between the two routers. (HSRP uses UDP, port 1985;
version 1 sends to multicast address 224.0.0.2, while version 2 sends to 224.0.0.102.)

4.2 Describe the effects of cloud resources on enterprise network architecture

4.2.a Traffic path to internal and external cloud services
How do we get from the enterrpise to the cloud provider? Easiest option- Internet.
Internet- security red flag; man in the middle danger; No QoS guaranteed. Positive side- we can connect quickly;
easy configuration; if you want to change the cloud provider; no changes from users side necessary;
We can have VPN setup across the internet- we can encrypt the data- we will get security;

- we can use private WAN – maybe MPLS, maybe metro Ethernet. They can give us security and QoS; it is harder
to get it configured; if you want to change the cloud providers you will have to changer oyu current connetion;
Intercloud exchange- lets an enterprise easily connect to different providers; if we want to change the cloud
provider we don’t change the link to the intercloud exchange
4.2.b Virtual services-
VMs;
For extralevel of control- we can run ASAV- virtual adaptive security appliance; virtual firewall; virtual router-
Cloud service router 1000v
4.2.c Basic virtual network infrastructure

4.3 Describe basic QoS concepts

4.3.a Marking
The first QoS tool discussed in this chapter, classification and marking, or simply marking, refers to a
type of QoS tool that classifies packets based on their header contents, and then marks the message by
changing some bits in specific header fields. Like ACLs, QoS tools are enabled on an interface. Also like ACLs, QoS
tools are
enabled for a direction: packets entering the interface (before the forwarding decision) or for messages
exiting the interface (after the forwarding decision).

better strategy, one recommended both by Cisco and by RFCs, suggests doing complex matching early
in the life of a packet, and then marking the packet. Marking means that the QoS tool changes one or more
header fields, setting a value in the header. Several header fields have been designed for the purpose of
marking the packets for QoS processing. Then, devices that process the packet later in its life can use
much simpler classification logic.

Switch SW1, the first networking device to forward the packet, does some
complex comparisons and marks the packet’s Differentiated Services Code Point (DSCP) field, a 6-bit
field in the IP header meant for QoS marking. The next three devices that process this message—SW2,
R1, and R2—then use simpler matching to classify the packet by comparing the packet’s DSCP value,
placing packets with one DSCP value in class 1, and packets with another DSCP value in class 2.

classification and marking- identify what the traffic is? is it voip? is it email traffic? etc NBAR- L7
either l2 marking- Class of service or either L3 marking Type of Service (5 is for VoIP; routers can see ToS) ;

4.3.b Device trust –

where you do the classification and marking-

Router- good
switch-better
phone- best; cisco ip phone can do the marking; (It is the ultimate way)

4.3.c Prioritization
4.3.c. (i) Voice
Audio Requirements-
Jitter <30 ms
Delay <150 ms
loss <1%
QOS: DSCP ef
bandwidth little

each packet of VoIp contains 20ms of audio

4.3.c. (ii) Video
QOS DSCP AF41
4.3.c. (iii) Data
4.3.d Shaping –
curve the traffic down- conform the traffic to some amount "im giving you 500 KB and if you exceed them i will
put you in a queue"
4.3.e Policing
sets the maximum bandwidth for a type of traffic; "as soon as you hit 200 KB you are cut off"

4.3.f Congestion management

- a QoS mechanism that attempts to prevent a queue from filling to capacity by randomly
discarding packets a the queue depth increases’ RID early prevention and drops packets early;

QOS
the ability to dictate traffic treatment
tools

-prioritization
-shaping/policing
-advanced strategies

what we try to mitigate with QOS-

-delay
-jitter (delay variation)
-packet loss
Queueing strategies

- Weighted fair queueing-  WFG- low traffic senders get priority over high traffic senders

- class based WFQ- divides bandwidth among classes that you define;
- low latency queueing - LLQ- combo of CB- WFQ but adds a strict priority element- 1 Queue is the priority queue-
it will move right in the front even if there are packets in the queue before it; however it will not allow  for the
priority queue to take more traffic (more percentage) of what is configured ; for instance 500 KB dedicated
4.4 Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering
4.4.a Standard – traffic based only on source ip
Standard ACL confg 1 - 99
#access-list 1 permit host 10.1.1.101
#access-list 1 deny host 10.1.1.102
Apply it
#int fa0/0
#ip access-group 1 in
#show access-lists

traffic based only on source ip

4.4.b Extended
Extended ACLs 100 199
Both source and destination address and traffic type
#access-list 100 permit ip host 10.1.1.101 host 192.168.1.2
#access-list 100 permit tcp host 10.1.1.102 host 192.168.1.3 eq www    (80)
#int fa0/0
#ip access-group 100 in

4.4.c Named
(config)#ip access-list extended CCNA_Demo
(config-ext-nacl)#permit ip host 10.1.1.101 host 192.168.1.2
(config-ext-nacl)#permit tcp host 10.1.1.102 host 192.168.1.3 eq www
#interface fa0/0
#ip access-group CCNA_Demo in
Edit the sequence numbers in the ACL
Conf t)#ip access-list extended CCNA_Demo
R1(config-ext-nacl)#15 deny ip any any
# no 10

ACL considerations
Standard or extended
Inbound or outband
More specific acces control entries placed near the top;
Implicit deny any statement
Standard ACL-near the destination- closest to the destination
Extended ACL-near the source  )saves bandwidth
Can filter traffic
Can match traffic
ACL
troubleshooting ACL
in standard ipv6 acl you can specify destination address as well
ipv6 Acl uses named ACL
#conf t
#ipv6 access-list Block_Pc1
#deny ipv6 host 2001::2 host 2002::2
#permit ipv6 any any
#show ipv6 access-list

#int gig0/1
# ipv6 traffic-filter block_pc1 in

extended ipv6 acl

(witgh ipv6 acl you have to be careful for the NDP messages of ivp6! they are added by default; not visible though)
 #ipv6 access-list TELNET_PC2_R2
# permit tcp host 2001::3 host 2002::2 eq 23
#permit icmp any any router-advertisement
#permit icmp any any router-solicitation

#int gig0/3
#ipv6 traffic-filter telnet_pc2_r2 out
4.5 Verify ACLs using the APIC-EM Path Trace ACL analysis tool

15% 5.0 Infrastructure Maintenance

5.1 Configure and verify device-monitoring protocols
managers and agents;
snmp agent is software running inside earch device;
each agent keeps a database of variables that make up parameters status and counters for the operations of the
device; this database is called the management information base (MIB)
SNMP agents can initiate communications to the NMS. These messages, generally called
notifications, use two specific SNMP messages: Trap and Inform. SNMP agents send a Trap or Inform
SNMP message to the NMS to list the state of certain MIB variables when those variables reach a certain
state
inform messages are introduced in SNMPv2

community strings- RO and RW- clear text password

SNMPv3 is more secure and replace the communities with:
message integrity

Message integrity: This mechanism, applied to all SNMPv3 messages, confirms whether or not
each message has been changed during transit.
Authentication: An optional feature that adds authentication with both a username and password,
with the password never sent as clear text. Instead, it uses a hashing method like many other modern
authentication processes.
Encryption (privacy): An optional feature that encrypts the contents of SNMPv3 messages, so that
attackers who intercept the messages cannot read their contents.

there is no single command to disable the snmp agent- you remvoe all the commands with No and then reload
the router
SNMP manager
NMS- network management system the actual software that runs on the Manager which is the device that has
been assigned the task of managing a certain group of hardware, the managed devices.
the managed device is called agent
agent sends infro back to the manager either in a request to a Poll from the manager or on its own
Get- Message sent by Manager to agent, telling the agent to send the value of a variable or set of variables
(polling)

Set: sent by manager to agent, this is a request to actively change the value of a variable or set of variables

Trap: Sent by Agent to Manager; it is triggered urgent messagesl; notification that something bad happened.
could be anything.

SNMPv2c - poor security; uses community strings= passwords are in clear text;
the strings could be set to allow two kinds of access to the MIB variables- ReadOnly RO and read-write RW
however this version of SNMP the ability to limit SNMP access by ACL

SNMPv3- huge step forward security wise; provides;

encryption- MD5, or SHA
message integrity- making sure the message wasnt altered in any fashion during transmission

authentication- making sure the source of the message is atrusted valid source

origin authentication-making sure that the source of the data is who they say they are

snmpv2c security model and level- noAuthNoPriv-using the community string for authentication

V3- lowest level is also noAUthNoPriv which also uses a community string for authentication
next level for v3 is authNoPriv which uses MD5 or SHA
highest v3 is authPriv which offers a choice between MD5 and SHA and uses DES for encryption

commands

!! R1(config)#snmp-server community KLIBAN rw (we can assign with an acl to allow)

R1(config)#snmp-server contact Valentin
R1(config)#snmp-server location

5.1.a SNMPv2
(config)#snmp-server community PASS RO (we enable the agent and set RO string)
#snmp-server community PASS RW

in the snmp model the snmp agent acts like a server with the NMS action as an snmp client requesting
information

to enable traps:

(config)#snmp-server host 10.1.1.3 version 2c SECRETPW

#snmp-server enable traps

#show snmp community

5.1.b SNMPv3

read (Get) and write (Set) access

R1(config)# snmp-server group BookGroup v3 auth write v1default

R1(config)# snmp-server user Youdda BookGroup v3 auth md5 madeuppassword
R1(config)# snmp-server host 10.1.3.3 version 3 auth Youdda
snmp v3 sec levels

noauth- cheks for integrity

auth- checks message integrity, authentication
priv-- cheks for integrity, authentication and encryption

R3# show snmp group

! The group uses noauth, so the user Youdda1 has no auth nor priv keyword
snmp-server group BookGroup1 v3 noauth
snmp-server user Youdda1 BookGroup1 v3
! The next group uses auth, so the next two users use the auth keyword, but not priv
snmp-server group BookGroup2 v3 auth
snmp-server user Youdda2 BookGroup2 v3 auth md5 AuthPass2
snmp-server user Youdda3 BookGroup2 v3 auth sha AuthPass3
! The next group uses priv, so the next users use both the auth and priv keywords.
snmp-server group BookGroup3 v3 priv
snmp-server user Youdda4 BookGroup3 v3 auth md5 AuthPass3 priv des PrivPass4
snmp-server user Youdda5 BookGroup3 v3 auth md5 AuthPass3 priv 3des PrivPass5
snmp-server user Youdda6 BookGroup3 v3 auth sha AuthPass4 priv aes 128 PrivPass6

Implementing SNMPv3 Notifications (Traps and Informs

snmp-server enable traps

snmp-server host 10.1.3.3 version 3 noauth Youdda1 ! Traps w/ noauth
snmp-server host 10.1.3.4 informs version 3 auth Youdda2 ! Informs w/ auth
snmp-server host 10.1.3.5 version 3 priv Youdda4 ! Traps w/ priv

5.2 Troubleshoot network connectivity issues using ICMP echo-based IP SLA

R1(conf)#ip sla 1 (probe)
# icmp-echo 172.16.1.2
#timeout 1000
#frequency 3
#request-data-size 200
#exit
#ip sla schedule life forever start-time now
#show ip sla statistics

5.3 Use local SPAN to troubleshoot and resolve problems-

Local SPAN- switched port analyzer
Make a copy of the traffic incoming or outgoing on a port ; and this copy to be send to our “Sniffer”. We can
monitor a vlan; all of that packets;
Configure SPAN span session you can have multiple

#monitor session 1 source interface fa1/0/1 both  ; rx or tx;   (the port that will be monitorted)
#monitor session 1 destination interface fa1/0/12
5.4 Describe device management using AAA with TACACS+ and RADIUS
IEEE 802.1x defines a process to authenticate the user of the PC connected to a switch port. This can be used in
Network Admission Control (NAC).
With IEEE 802.1x, each user communicates with an AAA server. The switch blocks traffic until the AAA server
authenticates with the PC. AAA- authentication, authorization, accounting
Tacacs+ and RADIUS (they are both security protocols for an AAA server)
Tacacs+ cisco created it; now it’s open wide; uses tcp; separate process for authentication, authorization and
accounting functions; tacacs is more secure and it uses 2 way authentication- encrypts entire packet. Tacacs is
normally used for network devices; command by command authorization; encrypts the entire communication
radius-industry standard- uses udp; one proces authentication, authorization, accounting; uses one way
authentication; encrypts only the password; normally used for user auth
you can have couple of tacacs servers or radius; radius only encrypts passwords
basic AAA config;
#aaa new-model
#radius-server host   10.10.10.5 key cisco
in cases for tacacs
#tacacs-server 10.10.20.5 key cisco
#aaa group server radius R-Group
#server 10.10.10.5
#aaa authentication login default group R-GROUP local

5.5 Describe network programmability in enterprise network architecture

5.5.a Function of a controller

centralized control plane, with its foundations in a service called a controller.

A controller, or SDN controller, centralizes the control of the networking devices. The degree to which
control is centralized can vary, from the controller performing all control plane functions, to the other end
of the spectrum, in which the controller is simply aware of the ongoing work of the distributed control
plane. There are variations of the SDN controllers where they have the full control plane options; the local devices
don’t;, “Centralized Control Plane and a Distributed Data Plane”
5.5.b Separation of control plane and data plane
The term data plane refers to the tasks that a networking device does to forward a message. In other

words, anything to do with receiving data, processing it, and forwarding that same data—whether you call

the data a frame, packet, or, more generically, a message—is part of the data plane.

The term control plane refers to any action that controls the data plane. Most of these actions have to do

with creating the tables used by the data plane, tables like the IP routing table, an IP ARP table, a switch

MAC address table, and so on. By adding, removing, and changing entries to the tables used by the data

plane, the control plane processes control what the data plane does.

Control plane

Routing protocols (OSPF, EIGRP, RIP, BGP)

IPv4 ARP

IPv6 NDP

Switch MAC learning

STP

Management plane- like SSH or ftp

5.5.c Northbound and southbound APIs

application programming interface, or API.

An API is a method for one application (program) to exchange data with another application. Rearranging

the words to describe the idea, an API is an interface to an application program. Programs process data,

so an API lets two programs exchange data. While a protocol exists as a document, often from a standards

body, an API often exists as usable code—functions, variables, and data structures—that can be used by

one program to communicate and copy structured data between the programs across a network.

SBI- SBI: It is an interface between a program (the controller) and a program (on the
networking device) that lets the two programs communicate, with one goal being to allow the controller to
program the data plane forwarding tables of the networking device.

NBI-
A controller does much of the work needed for the control plane in a centralized control model. It gathers
all sorts of useful information about the network, like the items in the previous list. The controller itself
can create a centralized repository of all this useful information about the network.
A controller’s Northbound Interface (NBI) opens the controller so its data and functions can be used by
other programs, enabling network programmability, with much quicker development. Programs can pull
information from the controller, using the controller’s APIs. The NBIs also enable programs to use the
controller’s abilities to program flows into the devices using the controller’s SBIs.

5.6 Troubleshoot basic Layer 3 end-to-end connectivity issues