CIS 188 CCNP TSHOOT (Troubleshooting) Ch. 4 Maintaining and Troubleshooting Campus Switched Networks Rick Graziani Cabrillo College [email protected] Fall 2014

  • Materials
    Book: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Foundation Learning Guide: Foundation learning for the CCNP TSHOOT 642-832, by Amir Ranjbar
    Book: ISBN-10 1-58705-876-6, ISBN-13 978-1-58705-876-9
    eBook: ISBN-10 1-58714-170-1, ISBN-13 978-1-58714-170-6

  • Chapter 4 Objectives
    Diagnose VLAN, VTP, and trunking problems using the IOS command line interface.
    Diagnose spanning tree and EtherChannel problems using the IOS command line interface.
    Diagnose and resolve problems with SVIs and inter-VLAN routing.
    Diagnose and resolve problems related to first hop redundancy protocols such as HSRP, VRRP, and GLBP.

  • Troubleshooting VLANs

  • LAN Switch Operation
    A good understanding of the processes involved in Layer 2 switching is essential to any engineer involved in network troubleshooting. Too often we try to memorize situations instead of understanding and analyzing network operations.
    To focus just on Layer 2 switching, assume that the two hosts reside on a common subnet (VLAN). Host A pings Host B.

  • Host A needs to determine if 10.1.1.2 is on its subnet or on another subnet.
    How does Host A know its own network address? Its IP address AND its subnet mask.
    How does Host A know Host B's network address? Host B's IP address AND Host A's subnet mask.
    Why does Host A use its own subnet mask and not that of Host B? It does not know Host B's subnet mask; if Host B is in the same subnet as Host A, they will have the same mask.
    Host A compares the network addresses from both AND operations:
    Same network address: it needs the MAC address of 10.1.1.2.
    Different network addresses: it needs the MAC address of the default gateway.

  • LAN Switch Operation
    Host A and Host B are on the same subnet.
    Host A will examine its Address Resolution Protocol (ARP) cache to find the MAC address of Host B. If there is an entry for 10.1.1.2 and its MAC address: no ARP process is needed; Host A encapsulates the IP packet in an Ethernet frame with the destination MAC address of Host B.

  • If Host A does not have an ARP cache entry for 10.1.1.2:
    It sends out an ARP Request (broadcast). The ARP Request contains the IP address 10.1.1.2 but no MAC address.
    Switch C: Learns
    Checks the VLAN of the incoming port (VLAN 10).
    Records (or resets the 5-minute timer for) the source MAC address and port number.

  • Switch C: Forwards
    The MAC address table never contains an entry for the broadcast MAC address (FFFF:FFFF:FFFF). Switch C will flood the frame on all ports:
    All access ports in that VLAN (VLAN 10)
    All trunks on which this VLAN is allowed, active, and not pruned
    Except the port it came in on
    Switches D and E repeat this process as they receive the frame.

  • Host B receives the ARP request:
    Records Host A's IP address and MAC address in its own ARP cache.
    Sends an ARP Reply (unicast) back to Host A.

  • Because all switches now have an entry in their MAC address table for the MAC address of Host A, they will:
    Learn: Record Host B's MAC address and corresponding interface and VLAN in their MAC address table (if they did not already have that entry).
    Forward: Forward the frame containing the ARP reply on the path to Host A only. No flooding.

  • Host A receives the ARP reply:
    Records the IP and MAC address of Host B in its ARP cache. Now it is ready to send the original IP packet.
    Host A encapsulates the IP packet (ICMP echo request) in a unicast frame destined for Host B and sends it out. Note the Ethernet type field of 0x0800 (IP packet).
    The switches examine their MAC address tables:
    Learn: Reset the 5-minute timer for Host A's source MAC address.
    Forward: Find Host B's MAC address and forward the frame towards Host B (no flooding).

  • Host B receives the packet and responds to Host A (sends an ICMP echo reply packet).
    The switches examine their MAC address tables:
    Learn: Reset the 5-minute timer for Host B's source MAC address.
    Forward: Find Host A's MAC address and forward the frame towards Host A (no flooding).

  • Host A receives the packet. The ping program displays its output. The end.
    Question: If everything works as shown, why might this first ping fail?
    Sometimes the very first ICMP echo request times out because the ARP Request has to complete first.
    Although this process might seem trivial, listing the steps clearly shows that even for the simplest communication, an elaborate chain of events takes place. If at any point this chain is broken due to faulty cabling, failing devices, or misconfiguration, the communication will fail. It is important to leverage your knowledge of these processes to diagnose and solve problems in a switched environment.
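The learn-and-forward behaviour walked through above, replayed in a small model of Switch C; this is an added example and not code from the slides. Port names, VLAN numbers, the two host MAC addresses and the trunk allowed lists are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300  # IOS default MAC address table aging time: 5 minutes


@dataclass
class Port:
    name: str
    mode: str                                        # "access" or "trunk"
    vlan: int = 1                                    # access VLAN (access ports only)
    allowed: Set[int] = field(default_factory=set)   # trunk: VLANs allowed, active and not pruned
    up: bool = True

    def carries(self, vlan: int) -> bool:
        """Can a frame in this VLAN leave through this port?"""
        if not self.up:
            return False
        if self.mode == "access":
            return self.vlan == vlan
        return vlan in self.allowed


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port]
    # (VLAN, MAC) -> (port name, time last seen): one table per VLAN, as on IOS
    mac_table: Dict[Tuple[int, str], Tuple[str, float]] = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        stale = [k for k, (_, seen) in self.mac_table.items() if now - seen > AGING_SECONDS]
        for k in stale:
            del self.mac_table[k]

    def receive(self, in_port: str, src: str, dst: str, now: float,
                tag: Optional[int] = None) -> List[str]:
        """Learn from the frame, then return the egress port(s) it is forwarded on."""
        port = self.ports[in_port]
        if port.mode == "access":
            vlan = port.vlan                      # VLAN comes from the ingress access port
        elif tag is None or tag not in port.allowed:
            return []                             # untagged or disallowed VLAN on a trunk: dropped
        else:
            vlan = tag
        self._age_out(now)
        # Learn: (re)record the source MAC on this port and reset its 5-minute timer
        self.mac_table[(vlan, src)] = (in_port, now)
        # Forward: a known unicast goes out the learned port only
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out_port, _ = self.mac_table[(vlan, dst)]
            return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood within the VLAN, except the ingress port
        return [p.name for p in self.ports.values() if p.name != in_port and p.carries(vlan)]


def ping_walkthrough() -> Dict[str, List[str]]:
    """Replays the ARP Request / ARP Reply / ICMP echo request sequence through Switch C."""
    switch_c = Switch("SwitchC", {p.name: p for p in [
        Port("Fa0/1", "access", vlan=10),            # Host A
        Port("Fa0/2", "access", vlan=10),
        Port("Fa0/3", "access", vlan=20),            # different VLAN: never flooded
        Port("Gi0/1", "trunk", allowed={10, 20}),    # toward Switch D and Host B
        Port("Gi0/2", "trunk", allowed={20}),        # VLAN 10 pruned: never flooded
    ]})
    host_a, host_b = "0000.0000.000a", "0000.0000.000b"   # constructed MAC addresses
    return {
        "arp_request": switch_c.receive("Fa0/1", host_a, BROADCAST, now=0),
        "arp_reply": switch_c.receive("Gi0/1", host_b, host_a, now=1, tag=10),
        "echo_request": switch_c.receive("Fa0/1", host_a, host_b, now=2),
        # 5 minutes of silence from Host B: its entry ages out, so the next frame floods again
        "after_aging": switch_c.receive("Fa0/1", host_a, host_b, now=400),
    }
```

The last case is the behaviour behind clear mac-address-table as a troubleshooting step: once the entry is gone, the next unicast is flooded until the destination speaks again.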

  • Some possible issues that could cause the communication to fail:
    Firewall (host or switch)
    Physical problems: bad, missing, or miswired cables; bad ports; power failure
    Device problems: software bugs; performance problems
    Misconfiguration: missing or wrong VLANs; misconfigured VTP settings; wrong VLAN setting on access ports; missing or misconfigured trunks; native VLAN mismatch; VLANs not allowed on the trunk

  • Verifying Layer 2 Forwarding
    A common method to troubleshoot Layer 2 switching problems is to follow the path of the frames through the switches. This takes time and effort.
    Objective: Confirm that frames have passed through the switches and verify how each switch made its forwarding decisions. Find the point where the trail stops.
    It is also possible to start at the endpoints.

  • MAC Address Table: the key data structure
    Finding the entry for a particular MAC address in this table proves that within the last five minutes this switch received frames from that source, but nothing about a particular frame.
    Useful command: clear mac-address-table. Verify that the MAC address is learned again when you reinitiate the connection.

  • Many possible findings and conclusions:
    Frames are not received on the correct VLAN: possible VLAN or trunk misconfiguration.
    Frames are received on a different port than you expected: possible physical problem, spanning tree issues, or duplicate MAC addresses.
    The MAC address is not registered in the MAC address table: the problem is most likely upstream from this switch.

  • show vlan: Verifies VLAN existence and port-to-VLAN associations. Lists all VLANs that were created on the switch (either manually or through the VLAN Trunking Protocol [VTP]). Note: Trunks are not listed because they do not belong to any VLAN in particular.

  • show interfaces trunk: Displays all interfaces that are configured as trunks. For each trunk, displays which VLANs are allowed and what the native VLAN is.

  • show interfaces switchport: Gives a quick summary of all VLAN-related information for a single interface.

  • traceroute mac: You specify a source and destination MAC address; the command shows the list of switch hops that a frame from that source MAC address to that destination MAC address traverses, i.e. it discovers the Layer 2 path. This command requires that Cisco Discovery Protocol (CDP) is enabled on all the switches in the network (or at least within the path).

  • Troubleshooting STP

  • Spanning Tree Protocol (STP)
    STP often accounts for more than 50% of the configuration, troubleshooting, and maintenance headaches in real-world campus networks (especially if they are poorly designed). It is a complex protocol that is generally poorly understood.
    Radia Perlman: developer of STP

  • L2 Loops
    Switch (bridge) loops can occur any time there is a redundant path or loop in the bridged network.
    The switches will flip-flop the MAC address table entries (creating extremely high CPU utilization).
    Unicasts, unknown unicasts, and broadcasts are all problems.

  • Spanning Tree Algorithm
    STP executes an algorithm called the Spanning Tree Algorithm (STA). STA chooses a reference point, called a root bridge, then determines the available paths to that reference point. If multiple paths exist, STA picks the best path and blocks the rest.

  • Two Key STP Concepts
    STP calculations make extensive use of two key concepts in creating a loop-free topology: Bridge ID and Path Cost.

    Link Speed   Cost (Revised IEEE Spec)   Cost (Previous IEEE Spec)
    10 Gbps      2                          1
    1 Gbps       4                          1
    100 Mbps     19                         10
    10 Mbps      100                        100

  • Five-Step STP Decision Sequence
    When creating a loop-free topology, STP always uses the same five-step decision sequence:
    Step 1 - Lowest BID
    Step 2 - Lowest Path Cost to Root Bridge
    Step 3 - Lowest Sender BID
    Step 4 - Lowest Port Priority
    Step 5 - Lowest Port ID
    Bridges use Configuration BPDUs during this five-step process. We will assume all BPDUs are configuration BPDUs.

  • The following STP slides are for your review of STP.

  • Elect one Root Bridge: lowest BID wins! Who wins?
    My BID is 32768.0001.C945.A573
    My BID is 32768.0005.5E0D.9315
    My BID is 32768.0060.47B0.5850
    My BID is 32768.0003.E461.46EC
    My BID is 32768.0001.964E.7EBB (I win! Root Bridge)

  • STP Convergence
    Step 1 - Elect one Root Bridge
    Step 2 - Elect Root Ports
    Step 3 - Elect Designated Ports
    Elect Root Ports: Next, each switch determines its Root Port, the port closest to the Root Bridge. Bridges use the cost to determine closeness. Every non-Root Bridge will select one Root Port! Specifically, bridges track the Root Path Cost, the cumulative cost of all links to the Root Bridge.
    "I will select one Root Port that is closest, the best path to the root bridge."

  • The Root Bridge, Access2, sends out BPDUs containing a Root Path Cost of 0.
    Switches receive these BPDUs and add the Path Cost of the FastEthernet interface to the Root Path Cost contained in the BPDU. This value is used internally and in BPDUs to other switches.
    (Diagram: Root Bridge sends BPDU Cost=0; each receiving switch computes BPDU Cost=0+19=19.)

  • Difference between Path Cost and Root Path Cost
    Path Cost: The value assigned to each port. Added to BPDUs received on that port to calculate the Root Path Cost.
    Root Path Cost: The cumulative cost to the Root Bridge. This is the value transmitted in the BPDU. Calculated by adding the receiving port's Path Cost to the value contained in the BPDU.
    (Diagram: Root Bridge sends BPDU Cost=0; each receiving switch computes BPDU Cost=0+19=19.)

  • Switches now send BPDUs with their Root Path Cost out their other interfaces. Switches receive the BPDU and add their own path cost. This process continues.
    (Diagram labels: BPDU Cost=19 relayed on FastEthernet links; BPDU Cost=4+19=23 on the GigabitEthernet links; BPDU Cost=19+19=38 one FastEthernet hop further.)

  • Final Results
    Ports show BPDU Received Root Path Cost + Path Cost = Root Path Cost of Interface, after the best BPDU is received on that port from the neighboring switch. This is the cost of reaching the Root Bridge from this interface towards the neighboring switch. Now let's see how this is used!
    (Diagram labels: 19+4=23, 23+4=27, 19+19=38, 19+4=23.)

  • Next: Elect Root Ports, then Elect Designated Ports. Non-Designated Ports: all other ports.
    Elect Root Ports: Every non-Root bridge must select one Root Port. A bridge's Root Port is the port closest to the Root Bridge. Bridges use the cost to determine closeness.
    (Diagram: per-interface values of 19, 23, 27 and 38; these values would be the Root Path Cost if this interface were used to reach the Root Bridge.)

  • Elect Root Ports (Review)
    Ports show the Root Path Cost of the interface, after the best BPDU is received on that port from the neighboring switch. This is the cost of reaching the Root Bridge from this interface towards the neighboring switch.
    Distribution 1 thought process:
    If I go through Core it costs 27.
    If I go through D2 it costs 38.
    If I go through A1 it costs 23.
    If I go through A2 it costs 19. This is the best path to the Root!

  • Elect Root Ports
    Every non-Root bridge must select one Root Port. A bridge's Root Port is the port closest to the Root Bridge. Bridges use the Root Path Cost to determine closeness.
    (Diagram: Root Ports (RP) marked on the non-root switches; the Core switch's choice is still shown as "?".)

  • Elect Root Ports
    The Core switch has two equal Root Path Costs to the Root Bridge, so the five-step decision process applies. Dist 1 has a lower Sender BID than Dist 2 (32768.0005.5E0D.9315 vs 32768.0060.47B0.5850), so Core chooses Gi0/1 as its Root Port.
    (Sidebar: Five-Step Decision Sequence: Step 1 - Lowest BID; Step 2 - Lowest Path Cost to Root Bridge; Step 3 - Lowest Sender BID; Step 4 - Lowest Port Priority; Step 5 - Lowest Port ID.)

  • STP Convergence
    Step 1 - Elect one Root Bridge
    Step 2 - Elect Root Ports
    Step 3 - Elect Designated Ports
    Elect Designated Ports: A Designated Port functions as the single bridge port that both sends and receives traffic to and from that segment and the Root Bridge. Each segment in a bridged network has one Designated Port, chosen based on cumulative Root Path Cost to the Root Bridge. The switch containing the Designated Port is referred to as the Designated Bridge for that segment.
    To locate Designated Ports, let's take a look at each segment. The segment's perspective: "From a device on this segment, which switch should I go through to reach the Root Bridge?"

  • A Designated Port is elected for every segment.
    The segment's perspective: "From a device on this segment, which switch should I go through to reach the Root Bridge? I'll decide using the advertised Root Path Cost from each switch!"
    (Diagram: Root Ports marked RP; each segment's Designated Port still shown as "?".)

  • Because Access 2 has the lower Root Path Cost, its port becomes the Designated Port for that segment.
    "What is my best path to the Root Bridge, 19 via Access 1 or 0 via Access 2? My designated port will be 0 via Access 2 (Fa0/5). It's the best path, the lowest Root Path Cost, to the Root Bridge."

  • Because Access 2 has the lower Root Path Cost, its ports become the Designated Ports for those segments.
    (Diagram: DP marked on each of Access 2's segments.)

  • The segment between Distribution 1 and Access 1 has two equal Root Path Costs of 19.
    Using the Lowest Sender BID (the first two steps are equal), Access 1 becomes the best path and holds the Designated Port.
    "What is my best path to the Root Bridge, 19 via Distribution 1 or 19 via Access 1? They are the same! Who has the lowest BID?" 32768.0005.5E0D.9315 (Distribution 1) vs 32768.0003.E461.46EC (Access 1, the lower BID).
    (Sidebar: Five-Step Decision Sequence: Step 1 - Lowest BID; Step 2 - Lowest Path Cost to Root Bridge; Step 3 - Lowest Sender BID; Step 4 - Lowest Port Priority; Step 5 - Lowest Port ID.)

  • After this process is finished
    All other ports, those that are not Root Ports or Designated Ports, become Non-Designated Ports. Non-Designated Ports are put in blocking mode. This is the loop prevention part of STP.
    (Diagram: every port marked RP, DP, or NDP (blocked, shown with an X).)

  • show spanning-tree
    Core# show spanning-tree
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     0001.964E.7EBB
                 Cost        4
                 Port        25(GigabitEthernet0/1)
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     0001.C945.A573
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  20

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Gi0/1            Root FWD 4         128.25   P2p
    Gi0/2            Altn BLK 4         128.26   P2p
    (The Cost column is the Path Cost of each interface.)

  • show spanning-tree detail
    Core# show spanning-tree detail

     VLAN0001 is executing the ieee compatible Spanning Tree Protocol
      Bridge Identifier has priority of 32768, sysid 1, 0001.C945.A573
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 32769
      Root port is 25 (GigabitEthernet0/1), cost of root path is 4
      Topology change flag not set, detected flag not set
      Number of topology changes 0 last change occurred 00:00:00 ago
              from FastEthernet0/1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0, aging 300
    ("cost of root path" is the Root Path Cost.)

  • Port Cost / Port ID
    If the path cost and bridge IDs are equal (as in the case of parallel links), the switch goes to the port priority as a tiebreaker. The lowest port priority wins (all ports are set to 32 by default). You can set the priority from 0 to 63. If all ports have the same priority, the port with the lowest port number forwards frames.
    Assume path cost and port priorities are default (32). The Port ID is used in this case. Port 0/1 would forward because it is the lowest.
    (Sidebar: Five-Step Decision Sequence: Step 1 - Lowest BID; Step 2 - Lowest Path Cost to Root Bridge; Step 3 - Lowest Sender BID; Step 4 - Lowest Port Priority; Step 5 - Lowest Port ID.)

  • Port Cost / Port ID
    Fa0/3 has a lower Port ID than Fa0/4. More later (Fast EtherChannel).
    (Diagram: two parallel FastEthernet links of cost 19; ports marked RP, DP, DP, and NDP.)

  • STP Convergence: Summary
    Recall that switches go through three steps for their initial convergence:
    Step 1 - Elect one Root Bridge
    Step 2 - Elect Root Ports
    Step 3 - Elect Designated Ports
    Also, all STP decisions are based on the following predetermined sequence:
    Step 1 - Lowest BID
    Step 2 - Lowest Path Cost to Root Bridge
    Step 3 - Lowest Sender BID
    Step 4 - Lowest Port Priority
    Step 5 - Lowest Port ID
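The root bridge election and the five-step decision sequence, as code; this is an added example and not from the slides. It reuses the BIDs, port costs and port numbers from the slides above (the Core decision between Dist 1 and Dist 2, and the parallel-link case from the Distribution1 output); the sender port numbers in the Core case are assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_bid(bid: str) -> Tuple[int, int]:
    """'32768.0001.964E.7EBB' -> (priority, MAC as an integer); the smaller tuple is the better BID."""
    priority, mac = bid.split(".", 1)
    return int(priority), int(mac.replace(".", ""), 16)


def elect_root(bids: List[str]) -> str:
    """Step 1 of convergence: the lowest BID in the broadcast domain becomes the Root Bridge."""
    return min(bids, key=parse_bid)


@dataclass(frozen=True)
class Bpdu:
    root_bid: str
    root_path_cost: int        # cumulative cost as carried in the BPDU
    sender_bid: str
    sender_port_priority: int
    sender_port_number: int


@dataclass(frozen=True)
class Candidate:
    port: str                  # local port the BPDU arrived on
    port_cost: int             # Path Cost of that local port
    bpdu: Bpdu


def decision_key(c: Candidate):
    """Five-step decision sequence as one sortable tuple: lowest wins at the first step that differs."""
    return (parse_bid(c.bpdu.root_bid),                 # Step 1: lowest BID (root)
            c.bpdu.root_path_cost + c.port_cost,        # Step 2: lowest path cost to root
            parse_bid(c.bpdu.sender_bid),               # Step 3: lowest sender BID
            c.bpdu.sender_port_priority,                # Step 4: lowest port priority
            c.bpdu.sender_port_number)                  # Step 5: lowest port ID


def select_root_port(candidates: List[Candidate]) -> Tuple[str, Optional[int], int]:
    """Returns (root port, step that decided it or None if unopposed, resulting root path cost)."""
    ranked = sorted(candidates, key=decision_key)
    best = ranked[0]
    deciding_step = None
    if len(ranked) > 1:
        for step, (a, b) in enumerate(zip(decision_key(best), decision_key(ranked[1])), start=1):
            if a != b:
                deciding_step = step
                break
    return best.port, deciding_step, best.bpdu.root_path_cost + best.port_cost


ROOT = "32768.0001.964E.7EBB"   # Access2, the winner of the election on the slides


def core_root_port():
    """Core: cost 4+19=23 via Dist 1 and via Dist 2; the tie goes to the lower sender BID (Step 3).
    The senders' port numbers (25) are an assumption for the example."""
    return select_root_port([
        Candidate("Gi0/1", 4, Bpdu(ROOT, 19, "32768.0005.5E0D.9315", 128, 25)),  # from Dist 1
        Candidate("Gi0/2", 4, Bpdu(ROOT, 19, "32768.0060.47B0.5850", 128, 25)),  # from Dist 2
    ])


def parallel_links_root_port():
    """Two parallel links to the root: same cost and same sender, so the sender's port ID decides (Step 5)."""
    return select_root_port([
        Candidate("Fa0/3", 19, Bpdu(ROOT, 0, ROOT, 128, 1)),
        Candidate("Fa0/4", 19, Bpdu(ROOT, 0, ROOT, 128, 2)),
    ])
```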

  • STP Port States
    (Diagram: Disabled, Blocking, Listening, Learning, Forwarding, showing for each state whether BPDUs and data are handled and whether the MAC address table is updated.)

    Port State   BPDU                MAC-Add Table    Data frames          Duration
    Disabled     None sent/received  No update        None sent/received   Until no shutdown
                 Administratively shut down; not an STP port state.
    Blocking     Receive only        No update        None sent/received   Continuous if loop detected
                 Port initializes; receives BPDUs only.
    Listening    Receive and send    No update        None sent/received   Forward delay 15 sec
                 Building active topology. Thinks the port can be selected as root or designated port. Returns to blocking (NDP) if it cannot become a root or designated port.
    Learning     Receive and send    Updating table   None sent/received   Forward delay 15 sec
                 Building bridging table. The switch can now learn source MAC addresses but is not formally receiving frames in order to forward them.
    Forwarding   Receive and send    Updating table   Sent and received    Continuous if up and no loop detected
                 Sending/receiving data, no loops detected. The port is either a root or designated port.

  • STP and RSTP (802.1D vs 802.1w)
    Up to this point no distinction has been made between the classical (802.1D) and Rapid (802.1w) versions of the Spanning Tree Protocol.
    Similarities: Both versions execute the same algorithm when it comes to the decision-making process.
    Differences: Classical 802.1D can take up to 50 seconds to transition a port to forwarding, whereas Rapid Spanning Tree can leverage additional mechanisms to transition a port in the Blocking state to the Forwarding state in less than a second.

  • RSTP Port Roles (Reminder)
    Root Bridge: Same election process as 802.1D (lowest BID).
    Ports:
    Root Port (802.1D Root Port): The one switch port on each switch that has the best root path cost to the root.
    Designated Port (802.1D Designated Port): The switch port on a network segment that has the best root path cost to the root.
    Alternate Port (802.1D Blocking Port): A port with an alternate path to the root. An alternate port receives more useful BPDUs from another switch and is a blocked port. Similar to how Cisco UplinkFast works.
    Backup Port (802.1D Blocking Port): A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. A backup port receives more useful BPDUs from the same switch it is on and is a blocked port.

  • RSTP Port States (Reminder)
    RSTP defines port states based on what the port does with incoming data frames.
    Discarding: Incoming frames are dropped; no MAC addresses are learned. A combination of the 802.1D Disabled, Blocking, and Listening states.
    Learning: Incoming frames are dropped; MAC addresses are learned.
    Forwarding: Incoming frames are forwarded.

    Operational   STP Port State   RSTP Port State
    Disabled      Disabled         Discarding
    Enabled       Blocking         Discarding
    Enabled       Listening        Discarding
    Enabled       Learning         Learning
    Enabled       Forwarding       Forwarding

  • RSTP BPDUs (Reminder)
    RSTP uses the same 802.1D BPDU format for backward compatibility, so 802.1D and 802.1w switches can coexist.
    BPDUs are sent out every switch port at Hello Time intervals, regardless of whether BPDUs are received on the port.
    When three BPDUs in a row (6 seconds) are missed: the neighbor switch is presumed down, and all MAC address information pointing to that switch (out that port) is immediately aged out (flushed). The switch can detect a neighbor down in 6 seconds instead of the MaxAge of 20 seconds.

    STP Port State   STP BPDUs           RSTP Port State   RSTP BPDUs
    Disabled         Not sent/received   Discarding        Not sent/received
    Blocking         Receive only        Discarding        Sent/received
    Listening        Sent/received       Discarding        Sent/received
    Learning         Sent/received       Learning          Sent/received
    Forwarding       Sent/received       Forwarding        Sent/received

  • Analyzing the STP Topology
    Know where the root bridge is. This may need to be changed if the network grows, and the selection of the root bridge may never have been deliberately determined. Typically it is near the central point of your network: near servers, core, or distribution points.
    Remember, different VLANs can have different root bridges (PVST+) to maximize the use of redundant links.
    The original STP timers (forward delay, max age) are based on the assumption that the network diameter is up to seven switches long.

  • show spanning-tree detail
    Distribution1# show spanning-tree detail
     Port 26 (GigabitEthernet0/2) of VLAN0030 is designated blocking
       Port path cost 4, Port priority 128, Port Identifier 128.26
       Designated root has priority 128, address 000C.CF0B.1503
       Designated bridge has priority 32798, address 0003.E461.46EC
       Designated port id is 128.26, designated path cost 4
       Timers: message age 16, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default

  • Port Cost / Port ID
    Distribution1# show spanning-tree
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     0009.7c0b.e7c0
                 Cost        19
                 Port        3 (FastEthernet0/3)
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     000b.fd13.9080
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  300

    Interface        Port ID           Designated                 Port ID
    Name             Prio.Nbr Cost Sts Cost Bridge ID             Prio.Nbr
    ---------------- -------- ---- --- ---- --------------------  --------
    Fa0/1            128.1    19   BLK 19   32769 000b.befa.eec0  128.1
    Fa0/2            128.2    19   BLK 19   32769 000b.befa.eec0  128.2
    Fa0/3            128.3    19   FWD 0    32769 0009.7c0b.e7c0  128.1
    Fa0/4            128.4    19   BLK 0    32769 0009.7c0b.e7c0  128.2
    Fa0/5            128.5    19   FWD 19   32769 000b.fd13.9080  128.5
    Gi0/1            128.25   4    FWD 19   32769 000b.fd13.9080  128.25

  • Spanning Tree Failures
    The biggest problem is NOT with STP itself; the main concern is when a problem related to STP exists. There are two different types of failures:
    STP erroneously blocks certain ports that should have gone to the forwarding state. This causes problems similar to the OSPF problem: you might lose connectivity to certain parts of your network, but the rest of the network is unaffected.
    STP erroneously moves one or more ports to the Forwarding state (more disruptive). An Ethernet frame header does not include a Time To Live (TTL) field, so looping frames are forwarded by the switches indefinitely. Traffic will increase exponentially: load on links and high CPU utilization, frequent MAC address table changes, and routers become unreachable.

  • Spanning Tree Failures: Troubleshooting STP
    Remove all redundancy, then find the root cause of the problem, for example:
    STP disabled on a switch
    Cabling problem (unidirectional link)

  • Troubleshooting EtherChannel

  • Spanning Tree and EtherChannel
    Spanning Tree only allows a single link between switches, to prevent bridging loops. Cisco's EtherChannel technology allows for the scaling of link bandwidth by aggregating or bundling parallel links, which are treated as a single, logical link (access or trunk link). This allows you to expand the link's capacity without having to purchase new hardware (modules, devices).
    (Diagram: EtherChannel bundle.)

  • There are three common EtherChannel problems.
    Inconsistencies between the physical ports that are members of the channel: The physical links in an EtherChannel must have the same operational characteristics: speed, duplex, trunk or access port status, the native VLAN when trunking, and the same access VLAN when they are access ports. It is recommended that the configuration of all physical links in the channel be identical. Otherwise the port will be suspended and removed from the EtherChannel bundle until consistency is restored (%EC-5-CANNOT_BUNDLE2 log message).
    DLS1(config)# interface range fa 0/11 - 12
    DLS1(config-if-range)# switchport trunk encapsulation dot1q
    DLS1(config-if-range)# switchport mode trunk
    DLS1(config-if-range)# switchport trunk native vlan 2
    DLS1(config-if-range)# switchport trunk allowed vlan 1, 10-99
    DLS1(config-if-range)# channel-protocol pagp
    DLS1(config-if-range)# channel-group 1 mode desirable

  • Inconsistencies between the ports on the opposite sides of the EtherChannel link: for example, this switch is configured to bundle these links into an EtherChannel and the switch on the other side is not. Use an EtherChannel negotiation protocol (802.3ad Link Aggregation Control Protocol (LACP) or the Port Aggregation Protocol (PAgP)); both sides must first agree to form the channel.

  • Forming EtherChannels
    EtherChannel (static):         on / on
    PAgP Negotiated EtherChannel:  desirable / desirable, desirable / auto
    LACP Negotiated EtherChannel:  active / active, active / passive

  • Configuring PAgP
    DLS1(config)# port-channel load-balance dst-ip
    DLS1(config)# interface range fa 0/11 - 12
    DLS1(config-if-range)# switchport trunk encapsulation dot1q
    DLS1(config-if-range)# switchport mode trunk
    DLS1(config-if-range)# channel-protocol pagp
    DLS1(config-if-range)# channel-group 1 mode desirable

    DLS2(config)# port-channel load-balance src-dst-ip
    DLS2(config)# interface range fa 0/11 - 12
    DLS2(config-if-range)# switchport trunk encapsulation dot1q
    DLS2(config-if-range)# channel-protocol pagp
    DLS2(config-if-range)# channel-group 1 mode auto

    Notice: Load balancing does not have to match, but usually it does. DTP on DLS2 is dynamic auto (the result is a trunk with DLS1). PAgP is configured on both ends.

  • Verifying
    DLS1# show etherchannel protocol
                Group: 1
    ----------
    Protocol:  PAgP

    DLS1# show etherchannel load-balance
    EtherChannel Load-Balancing Operational State (dst-ip):
    Non-IP: Destination MAC address
      IPv4: Destination IP address
      IPv6: Destination IP address
    DLS1#

  • DLS1# show etherchannel summary
    Flags:  D - down        P - in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port

    Number of channel-groups in use: 1
    Number of aggregators:           1

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-------------------------------
    1      Po1(SU)         PAgP      Fa0/11(P)   Fa0/12(P)
    DLS1#

  • DLS1# show etherchannel port
                Group: 1
    ----------
                    Port: Fa0/11
    ------------

    Port state    = Up Mstr In-Bndl
    Channel group = 1           Mode = Desirable-Sl    Gcchange = 0
    Port-channel  = Po1         GC   = 0x00010001      Pseudo port-channel = Po1
    Port index    = 0           Load = 0x00            Protocol =   PAgP

    Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
    Timers: H - Hello timer is running.        Q - Quit timer is running.

    Local information:
                                    Hello    Partner  PAgP     Learning  Group
    Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
    Fa0/11    SC

    Partner's information:

              Partner  Partner          Partner         Partner Group
    Port      Name     Device ID        Port       Age  Flags   Cap.
    Fa0/11    DLS2     001b.8fc8.0080

    Age of the port in the current state: 00d:00h:35m:29s

                    Port: Fa0/12
    ------------
    ...
    This output can help determine whether the load is being distributed equally across the links.

  • Verifying (only showing DLS1)
    DLS1# show run
    !
    port-channel load-balance dst-ip
    !
    interface Port-channel1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface FastEthernet0/11
     switchport trunk encapsulation dot1q
     switchport mode trunk
     lacp port-priority 99
     channel-group 1 mode active
    !
    interface FastEthernet0/12
     switchport trunk encapsulation dot1q
     switchport mode trunk
     lacp port-priority 99
     channel-group 1 mode active
    !
    interface FastEthernet0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode active
    !
    interface FastEthernet0/14
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 1 mode active
    We will discuss the significance of the Port-channel interface with MLS.

  • Uneven distribution of traffic between EtherChannel bundle members
    EtherChannel traffic is not always equally balanced across all physical links in the bundle. The link a frame uses is chosen by a hash of a combination of fields in the Ethernet and IP headers of the frame. The distribution of traffic depends on two things: the distribution of hash values over the physical links, and the header fields that are used as a key into the hash calculation.

  • The distribution of hash values over the physical links
    The Cisco EtherChannel hash algorithm results in a value between 0 and 7. Assuming a random mix of traffic:
    Using an eight-port EtherChannel: the distribution of traffic will be equally balanced across all eight links.
    Using a six-port EtherChannel: the distribution of traffic will be 2:2:1:1:1:1 instead; the first two links in the channel will each handle twice as much traffic as the other links.

  • The header fields that are used as a key into the hash calculation
    The choice of header fields to be hashed does affect the distribution. Example: only the destination MAC address is used. If 90% of all frames are destined for a single MAC address (for instance, the MAC address of the default gateway), all of that traffic would end up on the same physical link. If you see an uneven distribution of traffic over the links in the channel, examine the hashing method and the traffic mix to determine the cause.

    Switch(config)# port-channel load-balance ?
      dst-ip       Dst IP Addr
      dst-mac      Dst Mac Addr
      src-dst-ip   Src XOR Dst IP Addr
      src-dst-mac  Src XOR Dst Mac Addr
      src-ip       Src IP Addr
      src-mac      Src Mac Addr
    (Slide annotations mark the default for 29xx and for 36xx switches, and the default used for non-IP traffic.)
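Both effects described in the two slides above (the 8-bucket hash spread over fewer links, and a destination-only key with gateway-heavy traffic) in one added example; this is not code from the slides, and the hash function is a deliberately simplified model, not Cisco's algorithm. The bucket-to-link mapping, the traffic mix and the gateway MAC address are constructed assumptions.

```python
from typing import Dict, List

HASH_BUCKETS = 8   # the Cisco EtherChannel hash yields a value between 0 and 7


def bucket_shares(links: int) -> List[int]:
    """How many of the 8 hash values each physical link serves.
    Model (assumption): hash value b is assigned to link b % links, which reproduces
    the 2:2:1:1:1:1 split for a six-port bundle and 1:1:...:1 for an eight-port bundle."""
    shares = [0] * links
    for b in range(HASH_BUCKETS):
        shares[b % links] += 1
    return shares


# Header fields keyed by the port-channel load-balance option they correspond to
LOAD_BALANCE_FIELDS = {
    "src-mac": ("src_mac",),
    "dst-mac": ("dst_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
}


def hash_bucket(frame: Dict[str, int], method: str) -> int:
    """Toy hash (assumption, not Cisco's proprietary algorithm): XOR the selected fields and
    keep the low 3 bits. It keeps the property that matters here: with a destination-only key,
    every frame to the same destination lands in the same bucket."""
    value = 0
    for name in LOAD_BALANCE_FIELDS[method]:
        value ^= frame[name]
    return value & (HASH_BUCKETS - 1)


def frames_per_link(frames: List[Dict[str, int]], method: str, links: int) -> List[int]:
    """Count the frames landing on each physical link of an n-port bundle."""
    per_link = [0] * links
    for frame in frames:
        per_link[hash_bucket(frame, method) % links] += 1
    return per_link


GATEWAY_MAC = 0x00000C07AC01   # constructed default-gateway MAC address
GATEWAY_IP = 0x0A010101        # constructed 10.1.1.1


def gateway_heavy_traffic(n: int = 100) -> List[Dict[str, int]]:
    """Constructed traffic mix: 90% of the frames are addressed to the default gateway."""
    frames = []
    for i in range(n):
        to_gateway = i < n * 9 // 10
        frames.append({
            "src_mac": i + 1,                                    # one distinct host per frame
            "dst_mac": GATEWAY_MAC if to_gateway else 0x1000 + i,
            "src_ip": 0x0A010100 + i + 1,
            "dst_ip": GATEWAY_IP if to_gateway else 0x0A020000 + i,
        })
    return frames


def compare_methods(links: int = 6) -> Dict[str, List[int]]:
    """Per-link frame counts for the same traffic under a destination-only key and a src XOR dst key."""
    frames = gateway_heavy_traffic()
    return {method: frames_per_link(frames, method, links)
            for method in ("dst-mac", "src-dst-mac")}
```

With dst-mac the 90 gateway-bound frames all share one link, while src-dst-mac spreads the same frames over every link (still unevenly, because six links cannot share eight buckets equally).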

  • Troubleshooting Switched Virtual Interfaces and Inter-VLAN Routing

  • Multilayer Switch Interfaces
    A multilayer switch performs both Layer 2 switching and inter-VLAN routing.
    Layer 2 interface: access or trunk ports.
    Layer 3 interface: has an IP address assigned to it; it is the default gateway for any hosts connected to that interface or VLAN.
    Physical interface: the same as on a router, aka a routed port. Example: interface gigabit 0/1
    Logical interface: represents an entire VLAN; a Switched Virtual Interface (SVI). Example: interface vlan 10

  • Multilayer Switch Interfaces
    Layer 2 or Layer 3 Interface?
    Default on most Catalyst switches: Layer 2
    Default on Catalyst 6500: Layer 3
    Verify mode:
    Switch# show interface type mod/num switchport
    Switchport: Think Layer 2
    Enabled: Layer 2
    Disabled: Layer 3

    DLS1# show interface gig 0/2 switchport
    Name: Gig0/2
    Switchport: Enabled

  • Multilayer Switch Interfaces
    If in Layer 3 mode, the switchport interface command puts the port into Layer 2 mode.

    Layer 3:
    DLS1# show interface gig 0/2 switchport
    Name: Gig0/2
    Switchport: Disabled

    Converts interface to Layer 2:
    DLS1# config t
    DLS1(config)# interface gig 0/2
    DLS1(config-if)# switchport
    DLS1(config-if)# end

    Layer 2:
    DLS1# show interface gig 0/2 switchport
    Name: Gig0/2
    Switchport: Enabled

  • Layer 3 Port Configuration - Physical Interfaces
    Physical switch ports can operate as Layer 3 interfaces using the no switchport interface command. The port no longer belongs to any VLAN.
    Switch(config)# interface type mod/num
    Switch(config-if)# no switchport
    Switch(config-if)# ip address ip-address mask

    DLS1(config)# interface gig 0/1
    DLS1(config-if)# no switchport
    DLS1(config-if)# ip address 192.168.1.1 255.255.255.252

    DLS2(config)# interface gig 0/1
    DLS2(config-if)# no switchport
    DLS2(config-if)# ip address 192.168.1.2 255.255.255.252

  • SVI Interfaces - Logical Interfaces
    Layer 3 functionality can also be enabled for an entire VLAN.
    The IP address is assigned to the logical interface for the VLAN.
    This is needed when routing is required between VLANs.
    SVI (Switched Virtual Interface): No physical connection.
    VLANs must be created before the SVI can be used.
    The IP address associated with the VLAN interface is the default gateway of the workstations.
    Switch(config)# vlan vlan-number
    Switch(config-vlan)# name vlan-name
    SwitchA(config)# interface vlan vlan-number
    SwitchA(config-if)# ip address ip-address mask
    SwitchA(config-if)# no shutdown

  • An SVI is not a physical interface, so it generally doesn't fail.
    Its status is directly dependent on the status of the VLAN with which it is associated.
    The SVI stays up as long as there is at least one port associated with the corresponding VLAN: an access port, or a trunk port with the VLAN in its allowed list.
    That port has to be up and in the Spanning Tree forwarding state.
    When the SVI is down, the corresponding connected subnet will be removed from the routing table.

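    The SVI rule above is easy to get wrong when a VLAN is carried only by trunks, so here it is written out as a check. This is an added example, not code from the slides: the port inventory, VLAN database and SVI list are constructed sample data, and the function reports which ports hold an SVI up, or why each candidate port does not count, and which connected subnets therefore remain in the routing table.

```python
"""Added example (not from the slides): derive SVI state from the ports that
carry its VLAN, following the rule on the slide: at least one access port in
the VLAN, or trunk allowing the VLAN, must be up and STP-forwarding, and the
VLAN must exist. Port inventory and SVI list are constructed."""

PORTS = [
    # constructed sample: name, mode, access VLAN, trunk allowed list, link, STP state
    {"name": "Fa0/1",  "mode": "access", "vlan": 10, "allowed": set(),       "link": "up",   "stp": "forwarding"},
    {"name": "Fa0/2",  "mode": "access", "vlan": 11, "allowed": set(),       "link": "down", "stp": "none"},
    {"name": "Fa0/11", "mode": "trunk",  "vlan": 0,  "allowed": {1, 10, 99}, "link": "up",   "stp": "forwarding"},
    {"name": "Fa0/12", "mode": "trunk",  "vlan": 0,  "allowed": {1, 20, 21}, "link": "up",   "stp": "blocking"},
]
VLAN_DATABASE = {1, 10, 11, 20, 99}          # VLAN 21 deliberately missing
SVIS = {10: "172.16.10.0/24", 11: "172.16.11.0/24", 20: "172.16.20.0/24",
        21: "172.16.21.0/24", 99: "172.16.99.0/24"}


def port_carries_vlan(port, vlan):
    """Access port in the VLAN, or trunk with the VLAN in its allowed list."""
    if port["mode"] == "access":
        return port["vlan"] == vlan
    return vlan in port["allowed"]


def port_is_usable(port):
    """The port must be up and in the spanning-tree forwarding state."""
    return port["link"] == "up" and port["stp"] == "forwarding"


def svi_state(vlan, ports, vlan_db):
    """Return (state, details): for 'up' the ports holding the SVI up, for
    'down' the reason each candidate port does not count."""
    if vlan not in vlan_db:
        return "down", ["VLAN not in the VLAN database"]
    holding_up, reasons = [], []
    for p in ports:
        if not port_carries_vlan(p, vlan):
            continue
        if port_is_usable(p):
            holding_up.append(p["name"])
        elif p["link"] != "up":
            reasons.append(f"{p['name']} link {p['link']}")
        else:
            reasons.append(f"{p['name']} STP {p['stp']}")
    if holding_up:
        return "up", holding_up
    return "down", reasons or ["no access or trunk port carries this VLAN"]


def connected_routes(svis, ports, vlan_db):
    """Connected subnets that stay in the routing table: only SVIs that are up."""
    return {vlan: prefix for vlan, prefix in svis.items()
            if svi_state(vlan, ports, vlan_db)[0] == "up"}


if __name__ == "__main__":
    for vlan, prefix in SVIS.items():
        state, details = svi_state(vlan, PORTS, VLAN_DATABASE)
        print(f"Vlan{vlan} {prefix}: {state} ({', '.join(details)})")
    print("connected routes present:", connected_routes(SVIS, PORTS, VLAN_DATABASE))
```

    In the sample, Vlan10 stays up through either Fa0/1 or the Fa0/11 trunk, Vlan11 is down because its only access port is down, Vlan20 is down because the only trunk that allows it is blocking, and Vlan21 is down because the VLAN was never created; only 172.16.10.0/24 and 172.16.99.0/24 would remain in the routing table.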

  • Creating VLANs
    DLS1: Create and name the user VLANs: 10, 11, 20 and 21.
    DLS1: Create and name a Management VLAN (used to telnet into switches).
    DLS1: Create and name a NATIVE VLAN other than VLAN 1 (default).
    DLS1: Create and name a Garbage VLAN (assigned to all unused ports). All ports that are not used (trunks and access) will be assigned as an access port to this VLAN.

    DLS1
    vlan 2
     name NATIVE
    vlan 10
     name Engineering
    vlan 11
     name IT
    vlan 20
     name Sales
    vlan 21
     name Administration
    vlan 99
     name ManagementVLAN
    vlan 222
     name GarbageVLAN

  • Management VLAN
    On each switch:

    Switch(config)# inter vlan 99
    Switch(config-if)# description Management VLAN
    Switch(config-if)# ip address 172.16.99.x 255.255.255.0
    Switch(config-if)# no shutdown

    Each device in the network is configured to be a member of the management VLAN.

  • Default Gateway
    Configure DLS1 to be the default gateway for VLANs 10 and 11. All hosts on these VLANs will use these addresses as their default gateway addresses.

    DLS1(config)# inter vlan 10
    DLS1(config-if)# description Engineering VLAN
    DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
    DLS1(config-if)# no shutdown

    DLS1(config)# inter vlan 11
    DLS1(config-if)# description IT VLAN
    DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
    DLS1(config-if)# no shutdown

  • Default Gateway
    Configure DLS2 to be the default gateway for VLANs 20 and 21. All hosts on these VLANs will use these addresses as their default gateway addresses.

    DLS2(config)# inter vlan 20
    DLS2(config-if)# description Sales VLAN
    DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
    DLS2(config-if)# no shut

    DLS2(config)# inter vlan 21
    DLS2(config-if)# description Administration VLAN
    DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
    DLS2(config-if)# no shut

  • Verifying
    Verify IP addresses:
    DLS1# show ip inter brief
    Interface              IP-Address      OK? Method Status   Protocol
    FastEthernet0/1        192.168.4.6     YES manual up       up
    GigabitEthernet0/1     192.168.1.1     YES manual up       up
    Vlan10                 172.16.10.1     YES manual up       up
    Vlan11                 172.16.11.1     YES manual up       up
    Port-channel 1         unassigned      YES manual up       up
    DLS1#

  • Differences between Routers and Multilayer Switches
    Media and Interfaces: Routers connect heterogeneous networks and support a wide variety of media and interfaces. Multilayer switches typically connect homogeneous networks; LAN switches are mostly Ethernet only.
    Multilayer switches utilize specialized hardware (ASICs) to achieve wire-speed Ethernet-to-Ethernet packet switching.
    Routers usually support a wider range of features, mainly because switches need specialized hardware to be able to support certain data plane features or protocols.

  • CEF
    Routers and Multilayer Switches use Cisco Express Forwarding (CEF) as the main packet switching mechanism.
    The Forwarding Information Base (FIB) and the adjacency table are both stored in the router's main memory and are consulted by the router to forward packets using the CEF switching method.
    The router builds the CEF data structures by combining information from a number of control plane data structures, such as the routing table and the Address Resolution Protocol (ARP) cache.

  • The information in the CEF data structures should accurately reflect the information in the control plane data structures.
    When troubleshooting IP routing under normal circumstances: Check the control plane data structures.
    If the control plane information is correct, but packets are not being forwarded as expected: Check the CEF data structures and verify that they are in line with the control plane information.

  • DLS1# show ip cef
    Prefix              Next Hop        Interface
    0.0.0.0/0           no route
    0.0.0.0/32          receive
    1.1.1.0/24          192.168.1.5     FastEthernet0/1
    172.16.10.0/24      attached        Vlan10
    172.16.10.0/32      receive         Vlan10
    172.16.10.1/32      receive         Vlan10
    172.16.10.255/32    receive         Vlan10
    172.16.11.0/24      attached        Vlan11
    172.16.11.0/32      receive         Vlan11
    172.16.11.1/32      receive         Vlan11
    172.16.11.255/32    receive         Vlan11
    172.16.20.0/24      192.168.1.2     GigabitEthernet0/1
    172.16.21.0/24      192.168.1.2     GigabitEthernet0/1
    172.16.99.0/24      attached        Vlan99
    172.16.99.0/32      receive         Vlan99
    172.16.99.1/32      receive         Vlan99
    172.16.99.255/32    receive         Vlan99
    192.168.1.0/30      attached        GigabitEthernet0/1
    192.168.1.0/32      receive         GigabitEthernet0/1
    192.168.1.1/32      receive         GigabitEthernet0/1
    192.168.1.2/32      192.168.1.2     GigabitEthernet0/1
    192.168.1.3/32      receive         GigabitEthernet0/1
    192.168.1.4/30      attached        FastEthernet0/1
    192.168.1.4/32      receive         FastEthernet0/1
    192.168.1.5/32      192.168.1.5     FastEthernet0/1
    192.168.1.6/32      receive         FastEthernet0/1
    192.168.1.7/32      receive         FastEthernet0/1
    192.168.1.8/30      192.168.1.2     GigabitEthernet0/1
    224.0.0.0/4         drop
    224.0.0.0/24        receive
    255.255.255.255/32  receive
    DLS1#

    show ip cef: This command displays the content of the CEF FIB. The FIB reflects the content of the routing table with all the recursive lookups already resolved and the output interface determined for each destination prefix. The FIB also holds additional entries for:
    directly connected hosts
    the router's own IP addresses
    multicast and broadcast addresses

  • DLS1# show adjacency detail
    Protocol Interface                 Address
    IP       Vlan99                    172.16.99.2
                                       0 packets, 0 bytes
                                       epoch 0
                                       sourced in sev-epoch 3
                                       Encap length 14
                                       0000603E24584400055E6D393C0800
                                       ARP
    IP       GigabitEthernet0/1        192.168.1.2
                                       0 packets, 0 bytes
                                       epoch 0
                                       sourced in sev-epoch 3
                                       Encap length 14
                                       0000902B293019000C85B044190800
                                       ARP
    IP       FastEthernet0/1           192.168.1.5
                                       0 packets, 0 bytes
                                       epoch 0
                                       sourced in sev-epoch 3
                                       Encap length 14
                                       0000024A0A4301000C85B044010800
                                       ARP
    DLS1#

    show adjacency: This command displays the content of the CEF adjacency table. This table contains the Layer 2 frame information, such as the destination MAC address.
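    The troubleshooting order on the previous slides (control plane first, then confirm the FIB and adjacency table agree with it) can be automated once the show output is parsed. The following is an added example, not code from the slides or from Cisco IOS: the show ip cef excerpt is trimmed from the slide above, while the routing-table and ARP views are constructed, with a route missing from the FIB, a next-hop disagreement, and a next hop without an ARP entry planted so that each check finds something.

```python
"""Added example (not from the slides): compare the CEF FIB against the
control plane. The 'show ip cef' text is trimmed from the slide; RIB and ARP
views are constructed, with deliberate discrepancies."""

SHOW_IP_CEF = """\
DLS1# show ip cef
Prefix              Next Hop        Interface
0.0.0.0/0           no route
0.0.0.0/32          receive
1.1.1.0/24          192.168.1.5     FastEthernet0/1
172.16.10.0/24      attached        Vlan10
172.16.10.1/32      receive         Vlan10
172.16.20.0/24      192.168.1.2     GigabitEthernet0/1
172.16.99.0/24      attached        Vlan99
192.168.1.0/30      attached        GigabitEthernet0/1
192.168.1.2/32      192.168.1.2     GigabitEthernet0/1
192.168.1.8/30      192.168.1.2     GigabitEthernet0/1
224.0.0.0/4         drop
DLS1#
"""

# Constructed control-plane views, as 'show ip route' and 'show ip arp' would report them.
RIB = {
    "1.1.1.0/24":     ("192.168.1.5", "FastEthernet0/1"),
    "172.16.10.0/24": ("attached", "Vlan10"),
    "172.16.20.0/24": ("192.168.1.2", "GigabitEthernet0/1"),
    "172.16.21.0/24": ("192.168.1.2", "GigabitEthernet0/1"),  # in the RIB, absent from the FIB
    "172.16.99.0/24": ("attached", "Vlan99"),
    "192.168.1.0/30": ("attached", "GigabitEthernet0/1"),
    "192.168.1.8/30": ("192.168.1.6", "FastEthernet0/1"),     # RIB and FIB disagree
}
ARP = {"192.168.1.2": "000c.85b0.4419", "192.168.1.6": "000c.85b0.4401"}  # no 192.168.1.5

# FIB-only entry types the slide lists (own addresses, multicast/broadcast) and
# the default route placeholder; these have no RIB counterpart to compare with.
FIB_ONLY = {"receive", "drop", "no route"}


def parse_show_ip_cef(text):
    """Return {prefix: (next_hop, interface_or_None)} from 'show ip cef' output."""
    fib = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or "/" not in parts[0]:
            continue                       # prompt, header and blank lines
        prefix, rest = parts[0], parts[1:]
        if rest[:2] == ["no", "route"]:
            fib[prefix] = ("no route", None)
        else:
            fib[prefix] = (rest[0], rest[1] if len(rest) > 1 else None)
    return fib


def is_connected_host_entry(prefix, next_hop):
    """CEF adds a /32 per directly connected host whose next hop is the host itself."""
    return prefix.endswith("/32") and prefix[:-3] == next_hop


def compare_fib_to_rib(fib, rib):
    """Findings as (prefix, kind, detail) tuples."""
    findings = []
    for prefix, (nh, iface) in rib.items():
        if prefix not in fib:
            findings.append((prefix, "missing-from-fib", f"RIB via {nh} {iface}"))
        elif fib[prefix] != (nh, iface):
            findings.append((prefix, "fib-rib-mismatch",
                             f"FIB {fib[prefix]} vs RIB {(nh, iface)}"))
    for prefix, (nh, iface) in fib.items():
        if prefix in rib or nh in FIB_ONLY or is_connected_host_entry(prefix, nh):
            continue
        findings.append((prefix, "stale-fib-entry", f"FIB {nh} {iface} has no RIB entry"))
    return findings


def check_adjacencies(fib, arp):
    """Next-hop addresses the FIB uses that have no ARP entry, so the adjacency
    table cannot supply a destination MAC for them."""
    missing = {nh for nh, _ in fib.values() if nh and nh[0].isdigit() and nh not in arp}
    return sorted(missing)


if __name__ == "__main__":
    fib = parse_show_ip_cef(SHOW_IP_CEF)
    for finding in compare_fib_to_rib(fib, RIB):
        print(*finding)
    print("next hops without ARP entry:", check_adjacencies(fib, ARP))
```

    The ARP check is a simplification: a real adjacency table also holds glean and punt adjacencies, so a missing ARP entry is a pointer to look at show adjacency for that next hop rather than a verdict on its own.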

  • Troubleshooting First-Hop Redundancy Protocols (FHRP)

  • FHRPs such as HSRP, VRRP, and GLBP all serve the same purpose. These protocols provide services which are entirely transparent to the hosts:
    Redundant default gateway on a subnet
    Failover
    Load balancing
    They do it by:
    Electing a single router that controls the virtual IP address
    Tracking availability of the active router
    Determining if control of the virtual IP address should be handed over to another router

  • Every 3 seconds (default) both the active and the standby router send hello packets.
    If hellos are not received for 10 seconds (the default hold time), the standby takes on the active role.
    This means that for a period of 10 seconds hosts will lose connectivity due to the lack of an active router to forward packets.
    If the failure is caused by administrative action, such as a shutdown of an interface, the active HSRP router sends a resign message, and the standby router assumes the active role immediately. The 10-second hold time does not come into play.

  • priority value (100 by default): The router with the higher priority is elected as the active HSRP router. A tie is broken using the IP address of the contenders.
    preempt option: The router will take over the active role immediately. It sends out a coup message, telling the current active router that it will take over the active role due to its higher priority.

  • Verifying FHRP

  • It is useful to know the virtual MAC address used for the standby group: it verifies the correct operation of ARP and the Layer 2 connectivity between the end host and the active HSRP router.
    HSRP is usually not at the root of the problem; usually the underlying switched network is.
    Example: A broadcast storm, and you notice very frequent HSRP state changes on the Layer 3 switches that are connected to the affected VLANs.

  • Look at configs to spot the problem

  • debug standby terse
    R1 comes up on the segment. It has a higher priority than the current active router and the preempt option, so it sends out a coup message to take over the active role.
    R2 loses its active role, causing it to step back to the role of a non-active, non-standby HSRP router.
    There is no standby router on the segment, so R2 moves to the speak state to announce its eligibility for the standby role.
    R2 does not see another (better) candidate for the role of standby router for 10 seconds and, thus, promotes itself to the standby role.
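    The election, coup and failover rules from the earlier HSRP slides and the debug standby terse sequence just described are small enough to write down as functions and replay. This is an added example, not code from the slides: the router names, addresses and priorities are constructed, and the timers are the slide's defaults (3-second hello, 10-second hold time).

```python
"""Added example (not from the slides): HSRP election, coup and failover
rules as described on the slides, with a replay of the debug standby terse
sequence. Routers and addresses are constructed."""

HELLO_INTERVAL = 3   # seconds, default from the slide
HOLD_TIME = 10       # seconds, default from the slide


class Router:
    def __init__(self, name, ip, priority=100, preempt=False):
        self.name, self.ip = name, ip
        self.priority, self.preempt = priority, preempt

    def rank(self):
        """Higher priority wins; a tie is broken by the higher IP address."""
        return (self.priority, tuple(int(o) for o in self.ip.split(".")))


def elect_active(routers):
    return max(routers, key=Router.rank)


def elect_standby(routers, active):
    others = [r for r in routers if r is not active]
    return max(others, key=Router.rank) if others else None


def on_router_joins(active, newcomer):
    """A router that comes up with a higher rank takes over only if it has
    preempt (it sends a coup); otherwise it merely contends for standby."""
    if newcomer.preempt and newcomer.rank() > active.rank():
        return "coup"
    return "speak"


def outage_seconds(cause, hold_time=HOLD_TIME):
    """Seconds without an active gateway. An administrative shutdown sends a
    resign, so the standby takes over at once; a silent failure is noticed
    only when the hold time expires."""
    return 0 if cause == "admin-shutdown" else hold_time


def hellos_missed_before_failover(hello=HELLO_INTERVAL, hold_time=HOLD_TIME):
    """Consecutive hellos the standby misses before it assumes the active role."""
    return hold_time // hello


def standby_should_take_over(last_hello_from_active, now, hold_time=HOLD_TIME):
    return now - last_hello_from_active >= hold_time


def scenario_from_debug_standby():
    """Replay the slide's sequence: R1 (priority 110, preempt) joins a segment
    where R2 (priority 100) is active."""
    r2 = Router("R2", "10.1.1.2", priority=100)
    r1 = Router("R1", "10.1.1.1", priority=110, preempt=True)
    events = [("R1", on_router_joins(active=r2, newcomer=r1))]      # coup
    active = elect_active([r1, r2])
    events.append(("R2", "speak" if active is r1 else "active"))    # no standby yet
    # nobody better contends for standby within the hold time, so R2 promotes itself
    standby = elect_standby([r1, r2], active)
    events.append(("R2", "standby" if standby is r2 else "listen"))
    return events


if __name__ == "__main__":
    print(scenario_from_debug_standby())
    print("silent failure outage:", outage_seconds("link-failure"), "s")
    print("admin shutdown outage:", outage_seconds("admin-shutdown"), "s")
```

    Note that the same newcomer without preempt returns "speak" rather than "coup": a higher priority alone never displaces a working active router, which is why an unexpected coup in debug standby terse is worth tracing back to its source.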

  • Alternatives to HSRP
    Like HSRP, VRRP is a default gateway redundancy method (RFC 2338).
    Similar in functionality to HSRP.
    The virtual router, representing a group of routers, is known as a VRRP group.

  • Cisco's GLBP (Gateway Load Balancing Protocol) allows automatic selection and simultaneous use of multiple available gateways without configuring multiple groups and managing multiple default gateway configurations.

  • For VRRP and GLBP troubleshooting commands, you simply replace the keyword standby with vrrp or glbp.

  • Understanding and Troubleshooting Common VTP Issues (EXTRA)

  • Switch A: VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 10, 11, 12
    Switch B: VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 20, 21, 22
    Both switches are VTP Servers and in the same Domain, but have different VLAN information. Let's see what happens when trunking is enabled between the switches.
    Both switches: "We both have the same Config Rev number so no changes."
    When two switches with the same Domain Name and the same Configuration Revision Number exchange VTP information: No change.
    If Switch A adds a new VLAN, VLAN 30, its Config Rev is increased by 1 (to 4).
    Switch A will send VTP information to Switch B, which will synchronize its VLAN information with Switch A (Config Rev 4, VLANs 10, 11, 12, 30), losing its current local VLANs.

  • Example: Using DLS1 (Switch A) and DLS2 (Switch B)
    DLS1(config)# inter range fa 0/1 - 24
    DLS1(config-if-range)# switchport mode dynamic auto

    DLS2(config)# inter range fa 0/1 - 24
    DLS2(config-if-range)# switchport mode dynamic auto

    DLS1# show inter trunk
    DLS1#

    Note: Because the Pod2 2960s and 3560s are incorrectly defaulting to dynamic desirable, they will trunk by default, which we do not want in this example. This was also done on ALS1 and ALS2 to prevent any trunking.

  • When DLS1 gets a higher Config Rev Number
    Default VLANs:
    DLS1# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/9, Fa0/13
                                                    Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                    Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                    Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                    Gi0/2
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active

  • When DLS1 gets a higher Config Rev Number
    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
    Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
    Local updater ID is 0.0.0.0 (no valid interface found)
    DLS1#

    Default VTP information:
    Configuration Revision Number = 0 (increased by 1 whenever a VLAN is added or deleted)
    VTP Mode = Server
    VTP Domain Name = (null)

  • When DLS1 gets a higher Config Rev Number
    Same on DLS2:
    DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Gi0/1, Gi0/2
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 :

  • When DLS1 gets a higher Config Rev Number
    Add the VTP Domain Name and configure VLANs. Remember, no trunking (yet).
    DLS1(config)# vtp domain West
    DLS1(config)# vlan 10
    DLS1(config-vlan)# name WestSales
    DLS1(config-vlan)# vlan 11
    DLS1(config-vlan)# name WestEng
    DLS1(config-vlan)# vlan 12
    DLS1(config-vlan)# name WestAdmin

    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 3
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    Configuration Revision changed to 3 (one for each VLAN).

  • When DLS1 gets a higher Config Rev Number
    DLS1# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active

    Verified.

  • When DLS1 gets a higher Config Rev Number
    Now on DLS2: Add the VTP Domain Name and configure different VLANs. Still no trunking.
    DLS2(config)# vtp domain West
    DLS2(config)# vlan 20
    DLS2(config-vlan)# name WestAcct
    DLS2(config-vlan)# vlan 21
    DLS2(config-vlan)# WestMngt
    DLS2(config-vlan)# name WestMngt
    DLS2(config-vlan)# vlan 22
    DLS2(config-vlan)# name WestManuf

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 3
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    Configuration Revision changed to 3.

  • When DLS1 gets a higher Config Rev Number
    DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Gi0/1, Gi0/2
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active

    Verified.

  • When DLS1 gets a higher Config Rev Number
    DLS1(config)# inter range fa 0/11 - 12
    DLS1(config-if-range)# switchport trunk encap dot1q
    DLS1(config-if-range)# switchport mode trunk

    DLS1# show inter trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Fa0/11    on           802.1q         trunking      1
    Fa0/12    on           802.1q         trunking      1

    Trunking configured between DLS1 and DLS2. VTP messages can now be sent, but there are no changes because the Configuration Revision numbers are the same.

  • When DLS1 gets a higher Config Rev Number
    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 3
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 3
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 8
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    Configuration Revision still 3. Number of existing VLANs (known by each switch) still 8.

  • When DLS1 gets a higher Config Rev Number
    Verify that there are no DLS2 VLANs on DLS1, and no DLS1 VLANs on DLS2.
    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active

    DLS2# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active

  • When DLS1 gets a higher Config Rev Number
    DLS1(config)# vlan 30
    DLS1(config-vlan)# name Guest

    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 4
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 9
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    VLAN 30 added on DLS1. Configuration Revision increased by 1 to 4.
    DLS1 now has the higher Configuration Revision number between the two servers (the highest in the Domain).

  • When DLS1 gets a higher Config Rev Number
    DLS1# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    30   Guest                            active

    Verified.

  • When DLS1 gets a higher Config Rev Number
    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 4
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 9
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS2 receives a VTP update from DLS1 with the higher Configuration Revision Number.
    DLS2 synchronizes its VLAN database with DLS1's information, including the Configuration Revision Number and VLAN information.

  • When DLS1 gets a higher Config Rev Number
    Previous VLANs:
    DLS2# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active

    Current VLANs, synced with DLS1:
    DLS2# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    30   Guest                            active

    DLS2 lost its previous VLANs 20, 21, and 22. DLS2's VLAN database was overwritten with DLS1's information.
    Good news: Both servers are in sync (identical), so any changes will mean the VLAN information is the same on both.

  • When DLS1 gets a higher Config Rev Number
    To correct this we need to add the VLANs back to DLS2. DLS2 will send a VTP update to DLS1 so the VLAN information will be the same.
    DLS2(config)# vlan 20
    DLS2(config-vlan)# name WestAcct
    DLS2(config-vlan)# vlan 21
    DLS2(config-vlan)# name WestMngt
    DLS2(config-vlan)# vlan 22
    DLS2(config-vlan)# name WestManuf

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

  • When DLS1 gets a higher Config Rev Number
    DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    Verified.

  • When DLS1 gets a higher Config Rev Number
    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 7
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    DLS1 receives the VTP update and updates its VLAN information, including the Configuration Revision number. The domain is still in sync.

  • What happens when a Client/Server enters with a higher Configuration Revision number?
    Both switches are in the same domain.
    Switch C can be Client OR Server.
    Switch C has the higher Configuration Revision number.
    Even if Switch C is a Client, when it enters the VTP domain it will overwrite DLS1's VLAN information because it has the higher Configuration Revision number.
    Switch C: VTP Domain = West, VTP Mode = Client (or Server), Config Rev = 13, VLANs = 1, 20, 21, 22, 30
    DLS1: VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30 (Config Rev becomes 13 after the update)

  • Client/Server enters with Higher Revision
    Assign VLANs to interfaces (no specific reason).
    DLS1(config)# inter fa 0/1
    DLS1(config-if)# switchport mode access
    DLS1(config-if)# switchport access vlan 10
    DLS1(config-if)# exit
    DLS1(config)# inter fa 0/2
    DLS1(config-if)# switchport mode access
    DLS1(config-if)# switchport access vlan 11

    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                    Gi0/1, Gi0/2
    10   WestSales                        active    Fa0/1
    11   WestEng                          active    Fa0/2
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

  • Client/Server enters with Higher Revision
    DLS1(config)# inter range fa 0/11 -12
    DLS1(config-if-range)# shutdown

    Shut down the interfaces so we can modify DLS2 (Switch B). We will be adding the trunk back to simulate a switch being entered into the network.

  • Client/Server enters with Higher Revision
    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 10
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 10
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    Right now both switches have the same Configuration Revision number; let's change that.
    Note: The Configuration Revision numbers are not necessarily the same as in the previous example, because this was done in a different session.

  • Client/Server enters with Higher Revision
    DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    We are going to remove VLANs 10, 11 and 12 on DLS2 so it has different VLANs and a higher Configuration Revision Number.
    Remember, DLS1 has the same VLAN information and also has Fa0/1 in VLAN 10 and Fa0/2 in VLAN 11.

  • Client/Server enters with Higher Revision
    DLS2(config)# no vlan 10
    DLS2(config)# no vlan 11
    DLS2(config)# no vlan 12

    DLS2(config)# vtp mode client
    Setting device to VTP CLIENT mode.

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 13
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 9
    VTP Operating Mode              : Client
    VTP Domain Name                 : West

    Three VLANs deleted. VTP mode changed to Client. Configuration Revision updated from 10 to 13.

  • Client/Server enters with Higher Revision
    DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Gi0/1, Gi0/2
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    Verify VLANs 10, 11, and 12 were deleted.

  • Client/Server enters with Higher Revision
    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 10
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS1 has the lower Configuration Revision number, 10. DLS2's Configuration Revision number is 13.

  • Client/Server enters with Higher Revision
    DLS1(config)# inter range fa 0/11 -12
    DLS1(config-if-range)# no shutdown

    DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 13
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 9
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 13
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 9
    VTP Operating Mode              : Client
    VTP Domain Name                 : West

    DLS2 (Switch B) is brought online (no shutdown on DLS1). DLS2 (Client) has the higher Configuration Revision number, 13.
    DLS1 (Switch A), with the lower revision number (10), updates its VLAN information to be in sync with DLS2, including its Configuration Revision number, which becomes 13.

  • VTP Revision Number
    Previous VLANs:
    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                    Gi0/1, Gi0/2
    10   WestSales                        active    Fa0/1
    11   WestEng                          active    Fa0/2
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    Current VLANs, synced with DLS2:
    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                    Gi0/1, Gi0/2
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    Missing VLANs 10, 11, and 12.

  • Fix it
    To fix it we must reconfigure the VLANs on DLS1.
    DLS1(config)# vlan 10
    DLS1(config-vlan)# name WestSales
    DLS1(config-vlan)# vlan 11
    DLS1(config-vlan)# name WestEng
    DLS1(config-vlan)# vlan 12
    DLS1(config-vlan)# name WestAdmin

    DLS1# show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                    Gi0/1, Gi0/2
    10   WestSales                        active    Fa0/1
    11   WestEng                          active    Fa0/2
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    Interfaces Fa0/1 and Fa0/2 are brought from inactive to active.

  • DLS2# show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
    10   WestSales                        active
    11   WestEng                          active
    12   WestAdmin                        active
    20   WestAcct                         active
    21   WestMngt                         active
    22   WestManuf                        active
    30   Guest                            active

    DLS2(config)# no vlan 10
    VTP VLAN configuration not allowed when device is in CLIENT mode.
    DLS2(config)#

    DLS2 gets VLANs 10, 11, 12 in the VTP update from DLS1. DLS2 is a Client and can no longer delete (or add) VLANs.

  • DLS1# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 16
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Server
    VTP Domain Name                 : West

    DLS2# show vtp status
    VTP Version                     : 2
    Configuration Revision          : 16
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 12
    VTP Operating Mode              : Client
    VTP Domain Name                 : West

    Still in sync!
    DLS2: VTP Domain = West, VTP Mode = Client (or Server), Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
    DLS1: VTP Domain = West, VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30

  • How to make sure a switch has a Lower Config Rev: VTP Mode
    Setting a switch to Transparent mode resets the configuration revision to 0. Then set it back to Client or Server.
    New switch before reset: VTP Domain = West, VTP Mode = Client, Config Rev = 16, VLANs = 1
    Existing switch: VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
    Sequence (not all VTP messages shown): Client -> Transparent (Config Rev 0) -> Client; the new switch then synchronizes from the server and ends with Config Rev = 10 and VLANs = 1, 10, 11, 12, 20, 21, 22, 30.
    DLS2(config)# vtp mode ?
      client       Set the device to client mode.
      server       Set the device to server mode.
      transparent  Set the device to transparent mode.
    DLS2(config)#

  • How to make sure a switch has a Lower Config Rev: VTP Domain
    Changing the Domain Name on a switch will reset the configuration revision to 0. Then set it back to the correct Domain Name.
    New switch before reset: VTP Domain = West, VTP Mode = Client, Config Rev = 16, VLANs = 1
    Existing switch: VTP Domain = West, VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
    Sequence (not all VTP messages shown): West -> East (Config Rev 0) -> West; the new switch then synchronizes from the server and ends with Config Rev = 16 and VLANs = 1, 10, 11, 12, 20, 21, 22, 30.
    DLS2(config)# vtp domain West
    Changing VTP domain name from East to West
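    The whole VTP section comes down to a handful of rules: same domain plus higher revision wins regardless of client or server mode, revisions climb on every VLAN add or delete on a server, clients cannot edit, and transparent mode or a domain-name change resets the revision to 0. The following is an added example, not code from the slides or from Cisco IOS, that encodes those rules in a small model and replays the three situations shown above (two servers, a client arriving with a higher revision, and a reset before connecting). Switch names, VLAN numbers and revision values are constructed and do not track the session outputs exactly.

```python
"""Added example (not from the slides): a model of VTP revision-number
synchronization covering the rules shown on the slides. Names, VLANs and
revision numbers below are constructed."""


class VtpSwitch:
    def __init__(self, name, domain, mode="server", vlans=(1,), rev=0):
        self.name, self.domain, self.mode = name, domain, mode
        self.vlans, self.rev = set(vlans), rev

    # local configuration ---------------------------------------------------
    def add_vlan(self, vlan):
        self._check_editable()
        self.vlans.add(vlan)
        self._bump()

    def delete_vlan(self, vlan):
        self._check_editable()
        self.vlans.discard(vlan)
        self._bump()

    def set_mode(self, mode):
        # Slide: moving a switch to transparent mode resets the revision to 0.
        if mode == "transparent":
            self.rev = 0
        self.mode = mode

    def set_domain(self, domain):
        # Slide: changing the domain name resets the revision to 0.
        if domain != self.domain:
            self.rev = 0
        self.domain = domain

    def _check_editable(self):
        if self.mode == "client":
            raise PermissionError(
                f"{self.name}: VTP VLAN configuration not allowed in CLIENT mode")

    def _bump(self):
        # Revision climbs with every add or delete on a server; transparent
        # switches keep a local database and do not advertise it.
        if self.mode == "server":
            self.rev += 1

    # synchronization -------------------------------------------------------
    def receive_advertisement(self, sender):
        """Adopt the sender's database if it is in our domain with a higher
        revision; client or server mode of either side does not matter."""
        if "transparent" in (self.mode, sender.mode):
            return False
        if sender.domain != self.domain or sender.rev <= self.rev:
            return False
        self.vlans, self.rev = set(sender.vlans), sender.rev
        return True


def trunk_up(a, b):
    """Both sides exchange advertisements when the trunk comes up."""
    a.receive_advertisement(b)
    b.receive_advertisement(a)


def scenario_two_servers():
    dls1 = VtpSwitch("DLS1", "West", "server", {1, 10, 11, 12}, rev=3)
    dls2 = VtpSwitch("DLS2", "West", "server", {1, 20, 21, 22}, rev=3)
    trunk_up(dls1, dls2)        # equal revisions: nothing changes
    dls1.add_vlan(30)            # DLS1 moves to revision 4
    trunk_up(dls1, dls2)        # DLS2 is overwritten and loses 20, 21, 22
    return dls1, dls2


def scenario_client_with_higher_rev():
    full = {1, 10, 11, 12, 20, 21, 22, 30}
    dls1 = VtpSwitch("DLS1", "West", "server", full, rev=10)
    dls2 = VtpSwitch("DLS2", "West", "server", full, rev=10)
    for v in (10, 11, 12):
        dls2.delete_vlan(v)      # revision climbs to 13 while the trunk is down
    dls2.set_mode("client")
    trunk_up(dls1, dls2)        # the client's higher revision still wins
    return dls1, dls2


def scenario_reset_before_connecting(reset):
    """reset is 'mode' (via transparent) or 'domain' (via a bogus domain name)."""
    dls1 = VtpSwitch("DLS1", "West", "server", {1, 10, 11, 12, 20, 21, 22, 30}, rev=10)
    newcomer = VtpSwitch("SwitchC", "West", "client", {1}, rev=16)
    if reset == "mode":
        newcomer.set_mode("transparent")
        newcomer.set_mode("client")
    else:
        newcomer.set_domain("East")
        newcomer.set_domain("West")
    trunk_up(dls1, newcomer)    # revision 0 < 10, so it learns from DLS1
    return dls1, newcomer


if __name__ == "__main__":
    for name, fn in (("two servers", scenario_two_servers),
                     ("client, higher rev", scenario_client_with_higher_rev),
                     ("reset via mode", lambda: scenario_reset_before_connecting("mode")),
                     ("reset via domain", lambda: scenario_reset_before_connecting("domain"))):
        a, b = fn()
        print(f"{name:20s} {a.name} rev {a.rev} {sorted(a.vlans)} | "
              f"{b.name} rev {b.rev} {sorted(b.vlans)}")
```

    The second scenario is the one to remember when adding a switch to a production domain: the model shows the server's database being replaced by a client's, exactly as the session outputs above do, and the third scenario shows why a revision reset (either method) before the trunk comes up makes the newcomer learn from the domain rather than overwrite it.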


    Discarding: This state is seen in both a stable active topology and during topology synchronization and changes. The discarding state prevents the forwarding of data frames, thus breaking the continuity of a Layer 2 loop.
    Learning: This state is seen in both a stable active topology and during topology synchronization and changes. The learning state accepts data frames to populate the MAC table in an effort to limit flooding of unknown unicast frames.
    Forwarding: This state is seen only in stable active topologies. The forwarding switch ports determine the topology. Following a topology change, or during synchronization, the forwarding of data frames occurs only after a proposal and agreement process.

    Inconsistencies between the physical ports that are members of the channel: The physical links in an EtherChannel must have the same operational characteristics (speed, duplex, trunk or access port status, native VLAN when trunking, and same access VLAN when they are access ports). If one physical link changes such that a mismatch with the other physical links is created, this port will be suspended and removed from the EtherChannel bundle until consistency is restored.
    Inconsistencies between the ports on the opposite sides of the EtherChannel link: If one switch is configured to bundle these links into an EtherChannel and the switch on the other side is not, the switch that is configured for EtherChannel will detect this and move the port to an error-disabled state. The use of the Link Aggregation Control Protocol (LACP) or the Port Aggregation Protocol (PAgP) prevents this situation from happening because both sides must first agree to form the channel.
    Uneven distribution of traffic between EtherChannel bundle members: The Cisco EtherChannel hash algorithm results in a value between 0 and 7. An eight-port EtherChannel will be equally balanced across all eight links. However, if the channel consists of six links, the distribution will be 2:2:1:1:1:1 instead, meaning that the first two links in the channel will each handle twice as much traffic as the other links. Another factor in EtherChannel load balancing is which header fields are used as the base of the hash value. When only the destination MAC address is used as the input for the hash calculation, if 90% of all frames are destined for a single MAC address (for instance, the MAC address of the default gateway), then all of that traffic would end up on the same physical link. If you see an uneven distribution of traffic over the links in the channel, you should examine the hashing method and the traffic mix to determine the cause.

    The Catalyst multilayer switches support three different types of Layer 3 interfaces:
    Routed port: A pure Layer 3 interface similar to a routed port on a Cisco IOS router.
    Switch virtual interface (SVI): A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual routed VLAN interfaces.
    Bridge virtual interface (BVI): A Layer 3 virtual bridging interface. (Not discussed)
