Ccna3 Commands

The document discusses several Cisco networking protocols and commands including EtherChannel, basic router and switch show commands, VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and troubleshooting VTP issues. VTP allows a network administrator to manage VLANs across a switched network from a single switch configured as a VTP server to minimize incorrect configurations. DTP automatically establishes trunk links between switches. The document provides configuration examples and explanations of various show commands.

Uploaded by Diatomspinalcord

CCNA3

Connecting to the network


The EtherChannel is seen as one logical link using an EtherChannel interface.
Most configuration tasks are done on the
Basic Router Show Commands
#show ip protocols {Displays information about the routing protocols
configured. If RIP is configured, this includes the version of RIP, networks the
router is advertising, whether or not automatic summarization is in effect,
the neighbors the router is receiving updates from, and the default
administrative distance, which is 120 for}
#show interfaces {Displays interfaces with line (protocol) status, bandwidth,
delay, reliability, encapsulation, duplex, and I/O statistics. If specified
without a specific interface designation, all interfaces will be displayed. If a
specific interface is specified after the command, information about that
interface only will be displayed}
#show ip interface brief {Displays all interfaces with IPv4 addressing
information and interface and line protocols status}
#show cdp neighbors {displays information on directly connected Cisco
devices including Device ID, the local interface the device is connected to,
capability (R = router, S = switch), the platform, and Port ID of the remote
device. The details option includes IP addressing information and the IOS
version}
Basic Switch Show Commands
#show port-security {Displays any ports with security activated. To examine a
specific interface, include the interface ID. Information included in the
output: the maximum addresses allowed, current count, security violation
count, and action to be taken}
#show port-security address {Displays all secure MAC addresses configured
on all switch interfaces}
#show interfaces {Displays one or all interfaces with line (protocol) status,
bandwidth, delay, reliability, encapsulation, duplex, and I/O statistics}
#show mac-address-table {Displays all MAC addresses that the switch has
learned, how those addresses were learned (dynamic/static), the port
number, and the VLAN assigned to the port}
#show cdp neighbors

VTP
VLAN Trunking Protocol (VTP) reduces administration in a switched network.
A switch in VTP server mode can manage additions, deletions and renaming
of VLANs across the domain. For example, when a new VLAN is added on the
VTP server, the VLAN information is distributed to all switches in the domain.
This eliminates the need to configure the new VLAN on every switch. VTP is a
Cisco-proprietary protocol that is available on most of the Cisco Catalyst
series products.
VLAN trunking protocol (VTP) allows a network administrator to manage
VLANs on a switch configured as a VTP server. The VTP server distributes and
synchronizes VLAN information over trunk links to VTP-enabled switches
throughout the switched network. This minimizes the problems caused by
incorrect configurations and configuration inconsistencies.

VTP Modes
A switch can be configured in one of three VTP modes, as described in Figure 1.
VTP Server
• Advertises the VTP domain VLAN information to other VTP-enabled
switches in the same VTP domain
• Stores the VLAN information for the entire domain in NVRAM
• Creates, deletes, or renames VLANs for the domain
• Default VTP mode
VTP Client
• Cannot create, change, or delete VLANs
• Stores the VLAN information for the entire domain in RAM
• Must be configured as VTP client
VTP Transparent
• Does not participate in VTP except to forward VTP advertisements to
VTP clients and VTP server
• VLANs that are created, renamed, or deleted on transparent switches
are local to that switch only
• Must be configured as VTP transparent
Note: A switch that is in server or client mode with a higher configuration
revision number than the existing VTP server updates all VLAN information in
the VTP domain. As a best practice, Cisco recommends deploying VTP in
transparent mode for better VLAN control, security, and manageability.
SUMMARY OF THE ABOVE
VTP Version 1 and Version 2 are described in the figure. Switches in the same
VTP domain must use the same VTP version.
Note: VTPv2 is not much different than VTPv1 and is generally only
configured if legacy Token Ring support is required. The newest version of
VTP is Version 3. However, VTP Version 3 is beyond the scope of this course.
#show vtp status {displays the VTP status}
Steps to configure VTP:
Step 1: Configure the VTP Server
Step 2: Configure the VTP Domain Name and Password
Step 3: Configure the VTP Clients
Step 4: Configure VLANs on the VTP Server
Step 5: Verify the VTP Clients Have Received the New VLAN Information
• Confirm that all switches are configured with default settings to avoid
any issues with configuration revision numbers.
#vtp mode server {Configure Switch as the VTP server}
-show vtp status {confirm that S1 is a VTP server}
-vtp domain CCNA {the domain name is configured as CCNA}
-vtp password class {All switches in the VTP domain must use the same VTP
domain password}
-show vtp password {Verify the VTP password}
Configure the VTP Clients
#vtp mode client {Configure Switch as the VTP client}
-vtp domain CCNA
-vtp password class
Configure VLANs on the VTP Server
#vlan 10
-name SALES
#vlan 20
-name MARKETING
#vlan 30
-name ACCOUNTING
#show vlan brief
Note
VLANs 100, 102, 105, 106, and 107 can be created at once, i.e.
S1(config)# vlan 100,102,105-107

Configuring Extended VLANs

• Note that a Catalyst 2960 Plus Switch does not support extended
VLANs. In order to configure an extended VLAN on a 2960 switch it
must be set to VTP transparent mode

#config t
#vtp mode transparent
#vlan 2000
#end

DTP
DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst
2960 and Catalyst 3560 Series switches. Switches from other vendors do not
support DTP. DTP manages trunk negotiation only if the port on the neighbor
switch is configured in a trunk mode that supports DTP.
Caution: Some internetworking devices might forward DTP frames
improperly, which can cause misconfigurations. To avoid this, turn off DTP on
interfaces on a Cisco switch connected to devices that do not support DTP.
The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is
dynamic auto.
• To enable trunking from a Cisco switch to a device that does not
support DTP, use
#switchport mode trunk {interface configuration mode command}
#switchport nonegotiate {interface configuration mode command}
• This causes the interface to become a trunk, but not generate DTP
frames.

Trunking modes
#switchport mode access - Puts the interface (access port) into permanent
non-trunking mode and negotiates to convert the link into a nontrunk link.
The interface becomes a nontrunk interface, regardless of whether the
neighboring interface is a trunk interface.
#switchport mode dynamic auto - Makes the interface able to convert the
link to a trunk link. The interface becomes a trunk interface if the neighboring
interface is set to trunk or desirable mode. The default switchport mode for
all Ethernet interfaces is dynamic auto.
#switchport mode dynamic desirable - Makes the interface actively attempt
to convert the link to a trunk link. The interface becomes a trunk interface if
the neighboring interface is set to trunk, desirable, or dynamic auto mode.
This is the default switchport mode on older switches, such as the Catalyst
2950 and 3550 Series switches.
#switchport mode trunk - Puts the interface into permanent trunking mode
and negotiates to convert the neighboring link into a trunk link. The interface
becomes a trunk interface even if the neighboring interface is not a trunk
interface.
#switchport nonegotiate - Prevents the interface from generating DTP
frames. You can use this command only when the interface switchport mode
is access or trunk. You must manually configure the neighboring interface as
a trunk interface to establish a trunk link.
• Note: A general best practice is to set the interface to trunk and
nonegotiate when a trunk link is required. On links where trunking is
not intended, DTP should be turned off.

#show dtp interface fa0/1 {To determine the current DTP mode}
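The following is an added example (it is not part of these notes and not Cisco code): a Python model of the DTP negotiation rules listed above, plus an audit over a constructed link inventory that flags trunks formed only by negotiation, static trunks that still run DTP, and mode mismatches. The link names and modes are made up; the `nonegotiate` flag models `switchport nonegotiate` (the port sends no DTP frames).

```python
# Added example, not from the CCNA notes: model the DTP negotiation rules
# from the trunking-mode descriptions and audit a constructed link inventory.
# All link data below is made up.

MODES = ("access", "dynamic auto", "dynamic desirable", "trunk")


def _end_result(mode, peer_mode, peer_sends_dtp):
    """Operational state of one end of a link, given its neighbour."""
    if mode == "trunk":
        return "trunk"
    if mode == "access":
        return "access"
    # dynamic auto / dynamic desirable only trunk if the neighbour talks DTP
    # and is trunk, desirable, or (for a desirable port) auto.
    if not peer_sends_dtp:
        return "access"
    if peer_mode in ("trunk", "dynamic desirable"):
        return "trunk"
    if peer_mode == "dynamic auto" and mode == "dynamic desirable":
        return "trunk"
    return "access"


def dtp_outcome(local, remote, local_noneg=False, remote_noneg=False):
    """Return 'trunk', 'access' or 'mismatch' for a link between two ports.

    *_noneg mirrors 'switchport nonegotiate': that end sends no DTP frames.
    """
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown switchport mode: {m!r}")
    left = _end_result(local, remote, remote != "access" and not remote_noneg)
    right = _end_result(remote, local, local != "access" and not local_noneg)
    return left if left == right else "mismatch"


def audit_links(links):
    """links: iterable of (name, (mode, nonegotiate), (mode, nonegotiate)).

    Returns {name: (outcome, advice)} following the best practice in the notes:
    trunk + nonegotiate where a trunk is wanted, DTP off everywhere else.
    """
    findings = {}
    for name, (lm, ln), (rm, rn) in links:
        outcome = dtp_outcome(lm, rm, ln, rn)
        if outcome == "mismatch":
            advice = "one end trunks and the other does not; align both ends"
        elif outcome == "trunk":
            if lm != "trunk" or rm != "trunk":
                advice = "trunk formed by negotiation; set trunk + nonegotiate on both ends if intended"
            elif not (ln and rn):
                advice = "static trunk but DTP still running; add switchport nonegotiate"
            else:
                advice = "ok"
        elif lm != "access" or rm != "access":
            advice = "no trunk today, but dynamic ports remain; set access (or trunk + nonegotiate) explicitly"
        else:
            advice = "ok"
        findings[name] = (outcome, advice)
    return findings


# Constructed inventory: (link, (local mode, nonegotiate), (remote mode, nonegotiate))
SAMPLE_LINKS = [
    ("S1-S2", ("dynamic desirable", False), ("dynamic auto", False)),
    ("S1-S3", ("trunk", True), ("trunk", True)),
    ("S2-S3", ("dynamic auto", False), ("dynamic auto", False)),
    ("S3-SRV", ("trunk", True), ("dynamic auto", False)),
    ("S3-S4", ("access", True), ("access", True)),
]

if __name__ == "__main__":
    for link, (outcome, advice) in audit_links(SAMPLE_LINKS).items():
        print(f"{link:8} {outcome:9} {advice}")
```

Running the audit shows why the note above recommends explicit modes: S1-S2 trunks only because a desirable port talked a default auto port into it, and S3-SRV never trunks on the auto side because the nonegotiate end stays silent.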
Troubleshoot VTP Issues
Incompatible VTP Versions
• VTP versions are incompatible with each other.
• Ensure that all switches are capable of supporting the required VTP
version.
VTP Password Issues
• If VTP authentication is enabled, switches must all have the same
password configured to participate in VTP.
• Ensure that the password is manually configured on all switches in the
VTP domain.
Incorrect VTP Domain Name
• An improperly configured VTP domain affects VLAN synchronization
between switches, and if a switch receives the wrong VTP
advertisement, the switch discards the message.
• To avoid incorrectly configuring a VTP domain name, set the VTP
domain name on only one VTP server switch.
• All other switches in the same VTP domain will accept and
automatically configure their VTP domain name when they receive the
first VTP summary advertisement.
All Switches Set to VTP Client Mode
• If all switches in the VTP domain are set to client mode, you cannot
create, delete, and manage VLANs.
• To avoid losing all VLAN configurations in a VTP domain, configure two
switches as VTP servers.
Incorrect Configuration Revision Number
• If a switch with the same VTP domain name but a higher configuration
number is added to the domain, invalid VLANs can be propagated
and/or valid VLANs can be deleted.
• The solution is to reset each switch to an earlier configuration and then
reconfigure the correct VLANs.
• Before adding a switch to a VTP-enabled network, reset the revision
number on the switch to 0 by assigning it to another false VTP domain
and then reassigning it to the correct VTP domain name.
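As an added example covering both the VTP configuration steps above (server, domain CCNA, password class, VLANs 10/20/30) and the troubleshooting bullets (wrong domain, password mismatch, higher revision number), here is a small Python model of how a VTP server or client decides whether to accept a summary advertisement. It is not the course's code and not a wire-format implementation; the switch names, the stale "OLD-LAB" VLAN and the revision numbers are constructed for the scenario.

```python
# Added example, not from the CCNA notes: a simplified VTP acceptance model.
# Advertisements are plain dicts; real VTP frames and the MD5 password digest
# are not modelled.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str = ""               # "" = null domain (not yet configured)
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, vname):
        """Create a VLAN locally. A server bumps its revision; a client refuses;
        a transparent switch keeps the change local and leaves revision alone."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot create VLANs")
        self.vlans[vid] = vname
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply the rules from the troubleshooting notes; return what happened."""
        if self.mode == "transparent":
            return "forwarded"          # does not participate, only relays
        if not self.domain:
            self.domain = adv["domain"]  # null-domain switch adopts the first domain heard
        if adv["domain"] != self.domain:
            return "discarded: wrong domain"
        if adv["password"] != self.password:
            return "discarded: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # Higher revision wins, server or client alike: the VLAN database is replaced.
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "synchronised"

    def reset_revision(self, real_domain):
        """Mitigation from the notes: changing the domain name zeroes the
        revision, so join a bogus domain and then rejoin the real one."""
        self.domain = "BOGUS-" + real_domain
        self.revision = 0
        self.domain = real_domain


def stale_switch_scenario(mitigated):
    """A production server (revision 3, VLANs 10/20/30) meets a reused switch
    carrying an old VLAN database but a higher revision (7).
    Returns (what the server did, the server's VLAN table afterwards)."""
    server = VtpSwitch("S1", "server", "CCNA", "class")
    for vid, vname in ((10, "SALES"), (20, "MARKETING"), (30, "ACCOUNTING")):
        server.add_vlan(vid, vname)        # revision becomes 3
    stale = VtpSwitch("Sx", "server", "CCNA", "class", revision=7,
                      vlans={1: "default", 99: "OLD-LAB"})
    if mitigated:
        stale.reset_revision("CCNA")
    status = server.receive(stale.advertisement())
    return status, dict(server.vlans)


if __name__ == "__main__":
    print("without reset:", stale_switch_scenario(False))
    print("with reset:   ", stale_switch_scenario(True))
```

The unmitigated run shows the failure mode the notes warn about: the server's SALES, MARKETING and ACCOUNTING VLANs are replaced by the stale switch's database because its revision is higher and domain and password match. Resetting the revision to 0 before the switch joins makes the advertisement ignored.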
DTP Troubleshooting


SPANNING TREE PROTOCOL


STP is a Layer 2 protocol that ensures that there is only one logical path
between all destinations on the network by intentionally blocking redundant
paths that could cause a loop.
Multiple physical links between devices are called redundancy. The network
can then continue to operate when a single link or port has failed. Redundant
links can also share the traffic load and increase capacity. Path redundancy
provides the necessary availability of multiple network services by
eliminating the possibility of a single point of failure.
• When multiple paths exist between two devices on a network, and
there is no spanning tree implementation on the switches, a Layer 2
loop occurs. A Layer 2 loop can result in three primary issues.
Issues with Layer 1 Redundancy: MAC Database Instability
Ethernet frames do not have a time to live (TTL) attribute. As a result, if
there is no mechanism enabled to block continued propagation of
these frames on a switched network, they continue to propagate
between switches endlessly, or until a link is disrupted and breaks the
loop. This continued propagation between switches can result in MAC
database instability. This can occur due to broadcast frames
forwarding.
Broadcast frames are forwarded out all switch ports, except the
original ingress port. This ensures that all devices in a broadcast
domain are able to receive the frame. If there is more than one path
for the frame to be forwarded out of, an endless loop can result. When
a loop occurs, it is possible for the MAC address table on a switch to
constantly change with the updates from the broadcast frames, which
results in MAC database instability.
• This process repeats over and over again until the loop is broken
by physically disconnecting the connections that are causing the
loop or powering down one of the switches in the loop. This
creates a high CPU load on all switches caught in the loop.
Because the same frames are constantly being forwarded back
and forth between all switches in the loop, the CPU of the switch
must process a lot of data. This slows down performance on the
switch when legitimate traffic arrives.
• A host caught in a network loop is not accessible to other hosts
on the network. Additionally, due to the constant changes in the
MAC address table, the switch does not know out of which port
to forward unicast frames. In the example above, the switches
will have the incorrect ports listed for PC1. Any unicast frame
destined for PC1 loops around the network, just as the broadcast
frames do. More and more frames looping around the network
eventually creates a broadcast storm.

Issues with Layer 1 Redundancy: Broadcast Storms


A broadcast storm occurs when there are so many broadcast frames
caught in a Layer 2 loop that all available bandwidth is consumed.
Consequently, no bandwidth is available for legitimate traffic and the
network becomes unavailable for data communication. This is an
effective denial of service (DoS).
A broadcast storm is inevitable on a looped network. As more devices
send broadcasts over the network, more traffic is caught in the loop
and consumes resources. This eventually creates a broadcast storm
that causes the network to fail.
There are other consequences of broadcast storms. Because broadcast
traffic is forwarded out every port on a switch, all connected devices
have to process all the broadcast traffic that is being flooded endlessly
around the looped network. This can cause the end device to
malfunction because of the processing requirements needed to sustain
such a high traffic load on the NIC.

Issues with Layer 1 Redundancy: Duplicate Unicast Frames

Broadcast frames are not the only type of frames that are affected by
loops. Unknown unicast frames sent onto a looped network can result
in duplicate frames arriving at the destination device. An unknown
unicast frame is when the switch does not have the destination MAC
address in its MAC address table and must forward the frame out all
ports, except the ingress port.
• Most upper-layer protocols are not designed to recognize
duplicate transmissions. In general, protocols that make use of a
sequence-numbering mechanism assume that the transmission
has failed and that the sequence number has recycled for
another communication session.

Some Layer 3 protocols implement a TTL mechanism that limits the number
of times a Layer 3 networking device can retransmit a packet. Layer 2 devices
do not have this mechanism, so they continue to retransmit looping traffic
indefinitely. STP, a Layer 2 loop-avoidance mechanism, was developed to
address these problems.
To prevent these issues from occurring in a redundant network, some type of
spanning tree must be enabled on the switches. Spanning tree is enabled, by
default, on Cisco switches to prevent Layer 2 loops from occurring.
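The following added example (not part of the course material) makes the MAC database instability and endless-flooding behaviour described above concrete. It floods a single broadcast from PC1 through a constructed three-switch triangle with no spanning tree, then repeats the run with one port in blocking state. Switch names, port names and the host placement are made up; frames are modelled as (switch, ingress port, source MAC) tuples.

```python
# Added example, not from the CCNA notes: flood one broadcast through a
# constructed triangle of switches with and without a blocked port.
from collections import deque

# Constructed topology: each switch's ports and what sits on the other end.
TOPOLOGY = {
    "S1": {"Fa0/1": "S2", "Fa0/2": "S3", "Fa0/10": "PC1"},
    "S2": {"Fa0/1": "S1", "Fa0/2": "S3", "Fa0/10": "PC2"},
    "S3": {"Fa0/1": "S1", "Fa0/2": "S2"},
}


def _port_towards(switch, neighbour):
    """Which port on `switch` leads to `neighbour` (topology is a simple graph)."""
    for port, peer in TOPOLOGY[switch].items():
        if peer == neighbour:
            return port
    raise KeyError(f"{switch} has no link to {neighbour}")


def simulate(ticks, blocked=frozenset()):
    """Flood one broadcast from PC1 and run `ticks` forwarding rounds.

    blocked: set of (switch, port) that STP has put in blocking state; such a
    port neither accepts nor sends user frames (BPDUs are not modelled).
    Returns frames still circulating, MAC-table flaps per switch, and how
    many copies reached hosts.
    """
    mac_tables = {sw: {} for sw in TOPOLOGY}
    flaps = {sw: 0 for sw in TOPOLOGY}
    host_copies = 0
    queue = deque([("S1", "Fa0/10", "PC1")])   # (switch, ingress port, source MAC)
    for _ in range(ticks):
        if not queue:
            break
        next_round = deque()
        for sw, ingress, src in queue:
            if (sw, ingress) in blocked:
                continue                          # blocked port drops the frame
            learned = mac_tables[sw].get(src)
            if learned is not None and learned != ingress:
                flaps[sw] += 1                    # source MAC "moved": instability
            mac_tables[sw][src] = ingress
            # Broadcast: flood out every port except the ingress and blocked ports.
            for port, peer in TOPOLOGY[sw].items():
                if port == ingress or (sw, port) in blocked:
                    continue
                if peer.startswith("PC"):
                    host_copies += 1
                else:
                    next_round.append((peer, _port_towards(peer, sw), src))
        queue = next_round
    return {"frames_in_flight": len(queue), "mac_flaps": flaps,
            "host_copies": host_copies}


if __name__ == "__main__":
    print("no STP:      ", simulate(30))
    print("S3 Fa0/2 blk:", simulate(30, blocked=frozenset({("S3", "Fa0/2")})))
```

Without a blocked port the two copies of the single broadcast (one per direction around the triangle) never die: every switch keeps relearning PC1 on a different port, and PC1 and PC2 receive another copy each round. Every further broadcast from any host adds its own pair of circulating frames, which is how the storm builds. Blocking one port ends the run after three rounds with exactly one copy delivered to PC2 and no MAC-table flaps.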

Spanning Tree Algorithm: Introduction

• Redundancy increases the availability of the network topology by
protecting the network from a single point of failure, such as a failed
network cable or switch. When physical redundancy is introduced into
a design, loops and duplicate frames occur. Loops and duplicate frames
have severe consequences for a switched network. The Spanning Tree
Protocol (STP) was developed to address these issues.
• STP ensures that there is only one logical path between all destinations
on the network by intentionally blocking redundant paths that could
cause a loop. A port is considered blocked when user data is prevented
from entering or leaving that port. This does not include bridge
protocol data unit (BPDU) frames that are used by STP to prevent
loops. Blocking the redundant paths is critical to preventing loops on
the network. The physical paths still exist to provide redundancy, but
these paths are disabled to prevent the loops from occurring. If the
path is ever needed to compensate for a network cable or switch
failure, STP recalculates the paths and unblocks the necessary ports to
allow the redundant path to become active.
• STP prevents loops from occurring by configuring a loop-free path
through the network using strategically placed "blocking-state" ports.
The switches running STP are able to compensate for failures by
dynamically unblocking the previously blocked ports and permitting
traffic to traverse the alternate paths.

Spanning Tree Algorithm: Port Roles


IEEE 802.1D STP and RSTP use the Spanning Tree Algorithm (STA) to
determine which switch ports on a network must be put in blocking state to
prevent loops from occurring. The STA designates a single switch as the root
bridge and uses it as the reference point for all path calculations. In the
figure, the root bridge (switch S1) is chosen through an election process. All
switches that are participating in STP exchange BPDU frames to determine
which switch has the lowest bridge ID (BID) on the network. The switch with
the lowest BID automatically becomes the root bridge for the STA
calculations.
Note: For simplicity, assume until otherwise indicated that all ports on all
switches are assigned to VLAN 1. Each switch has a unique MAC address
associated with VLAN 1.
• A BPDU is a messaging frame exchanged by switches for STP. Each
BPDU contains a BID that identifies the switch that sent the BPDU. The
BID contains a priority value, the MAC address of the sending switch,
and an optional extended system ID. The lowest BID value is
determined by the combination of these three fields.
After the root bridge has been determined, the STA calculates the shortest
path to the root bridge. Each switch uses the STA to determine which ports
to block. While the STA determines the best paths to the root bridge for all
switch ports in the broadcast domain, traffic is prevented from being
forwarded through the network. The STA considers both path and port costs
when determining which ports to block. The path costs are calculated using
port cost values associated with port speeds for each switch port along a
given path. The sum of the port cost values determines the overall path cost
to the root bridge. If there is more than one path to choose from, STA
chooses the path with the lowest path cost.
When the STA has determined which paths are most desirable relative to
each switch, it assigns port roles to the participating switch ports. The port
roles describe their relation in the network to the root bridge and whether
they are allowed to forward traffic:

Root ports - Switch ports closest to the root bridge in terms of overall cost
to the root bridge.

Designated ports - All non-root ports that are still permitted to forward
traffic on the network.
• If one end of a segment is a root port, then the other end is a
designated port. All ports on the root bridge are designated ports.

Alternate and backup ports - Alternate ports and backup ports are in
discarding or blocking state to prevent loops.
• Alternate ports are selected only on links where neither end is a root
port.
• Blocking ports only come into play when two ports on the same switch
provide redundant links through the network.

Spanning Tree Algorithm: Root Bridge


Every spanning tree instance (switched LAN or broadcast domain) has a
switch designated as the root bridge. The root bridge serves as a reference
point for all spanning tree calculations to determine which redundant paths
to block. An election process determines which switch becomes the root
bridge.
The BID is made up of a priority value, an extended system ID, and the MAC
address of the switch. The bridge priority value is automatically assigned, but
can be modified. The extended system ID is used to specify a VLAN ID or a
multiple spanning tree protocol (MSTP) instance ID. The MAC address field
initially contains the MAC address of the sending switch.
All switches in the broadcast domain participate in the election process. After
a switch boots, it begins to send out BPDU frames every two seconds. These
BPDUs contain the switch BID and the root ID.
The switch with the lowest BID will become the root bridge. At first, all
switches declare themselves as the root bridge. Eventually, the switches
exchange BPDUs, and agree on one root bridge.
There is a root bridge elected for each spanning tree instance. It is possible to
have multiple distinct root bridges for different sets of VLANs. If all ports on
all switches are members of VLAN 1, then there is only one spanning tree
instance. The extended system ID includes the VLAN ID, and plays a role in
how spanning tree instances are determined.
The BID consists of a configurable bridge priority number and a MAC address.
Bridge priority is a value between 0 and 65,535. The default is 32,768. If two
or more switches have the same priority, the switch with the lowest MAC
address will become the root bridge.
Note: The reason the bridge priority value in the figure below displays 32,769
instead of the default value of 32,768 is that the STA also adds the default
VLAN number (VLAN 1) to the priority value.
Spanning Tree Algorithm: Root Path Cost
When the root bridge has been elected for the spanning tree instance, the
STA starts the process of determining the best paths to the root bridge from
all destinations in the broadcast domain. The path information, known as the
internal root path cost, is determined by summing up the individual port
costs along the path from the switch to the root bridge.
• Note: Switches send BPDUs, which include the root path cost. This is
the cost of the path from the sending switch to the root bridge. When
a switch receives the BPDU, it adds the ingress port cost of the
segment to determine its internal root path cost.

The default port costs are defined by the speed at which the port operates.

As newer and faster Ethernet technologies enter the marketplace, the port
cost values may change to accommodate the different speeds available.
• The values have already been changed to accommodate the 10 Gb/s
Ethernet standard. To illustrate the continued change associated with
high-speed networking, Catalyst 4500 and 6500 switches support a
longer port cost method; for example, 10 Gb/s has a 2000 port cost,
100 Gb/s has a 200 port cost, and 1 Tb/s has a 20 port cost.
Although switch ports have a default port cost associated with them, the port
cost is configurable. The ability to configure individual port costs gives the
administrator the flexibility to manually control the spanning tree paths to
the root bridge.
The internal root path cost is equal to the sum of all the port costs along the
path to the root bridge (as shown in Figure 3). Paths with the lowest cost
become preferred, and all other redundant paths are blocked.

Port Role Decisions for RSTP


The root bridge automatically configures all of its switch ports in the
designated role. Other switches in the topology configure their non-root
ports as designated or alternate ports.
When two switches are connected to the same LAN segment, and root ports
have already been defined, the two switches have to decide which port to
configure as a designated port and which port remains the alternate port.
• The switches on the LAN segment exchange BPDU frames, which
contain the switch BID. Generally, the switch with the lower BID has its
port configured as a designated port while the switch with the higher
BID has its port configured as an alternate port. However, keep in mind
that the first priority is the lowest path cost to the root bridge and that
the sender’s BID is used only if the path costs are equal.

Designated and Alternate Ports


When determining the root port on a switch, the switch compares the path
costs on all switch ports participating in the spanning tree. The switch port
with the lowest overall path cost to the root bridge is automatically assigned
the root port role because it is closest to the root bridge.

A root bridge will not have any root ports. All ports on a root bridge will be
designated ports. A switch that is not the root bridge of a network topology
will have only one root port defined.
• Note in the figure above that S2 has two ports, F0/1 and F0/2, with
equal cost paths to the root bridge. In this case the bridge IDs of
the neighboring switches, S3 and S4, will be used to break the tie. This
is known as the sender’s BID. S3 has a BID of 24577.5555.5555.5555
and S4 has a BID of 24577.1111.1111.1111. Because S4 has a lower BID,
S2’s F0/1 port, the port connected to S4, will be the root port.
• STP determines whether S2’s F0/2 port or S3’s F0/2 port will be the
designated port for the shared segment. The switch with the lower
cost path to the root bridge (root path cost) will have its port selected
as the designated port. S3’s F0/2 port has a lower cost path to the root
bridge so it will be the designated port for that segment.
• All STP port roles have been assigned except for S2’s F0/2 port. S2’s
F0/1 port has already been selected as the root port for that switch.
Because S3’s F0/2 port is the designated port for this segment, S2’s
F0/2 port will become an alternate port.
• The designated port is the port that sends and receives traffic, to and
from that segment to the root bridge. This is the best port on that
segment towards the root bridge. The alternate port will not send or
receive traffic on that segment.

Note: Bridge priority is the initial deciding factor when electing a root bridge.
If the bridge priorities of all the switches are the same, the device with the
lowest MAC address becomes the root bridge.
The priorities are equal, so the switch is forced to examine the MAC address
portion to determine which MAC address has a lower value.

Extended System ID
The bridge ID (BID) is used to determine the root bridge on a network. The
BID field of a BPDU frame contains three separate fields:
• Bridge priority
• Extended system ID
• MAC address
Each field is used during the root bridge election.
Bridge Priority
The bridge priority is a customizable value that can be used to influence
which switch becomes the root bridge. The switch with the lowest priority,
which implies the lowest BID, becomes the root bridge because a lower
priority value takes precedence. For example, to ensure that a specific switch
is always the root bridge, set the priority to a lower value than the rest of the
switches on the network. The default priority value for all Cisco switches is
the decimal value 32768. The range is 0 to 61440 in increments of 4096. Valid
priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768,
36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are
rejected. A bridge priority of 0 takes precedence over all other bridge
priorities.

Extended System ID
Early implementations of IEEE 802.1D were designed for networks that did
not use VLANs. There was a single common spanning tree across all switches.
For this reason, in older Cisco switches, the extended system ID could be
omitted in BPDU frames. As VLANs became common for network
infrastructure segmentation, 802.1D was enhanced to include support for
VLANs, which required that the VLAN ID be included in the BPDU frame.
VLAN information is included in the BPDU frame through the use of the
extended system ID. All newer switches include the use of the extended
system ID by default.
The extended system ID value is a decimal value added to the bridge priority
value in the BID to identify the priority and VLAN of the BPDU frame.
When two switches are configured with the same priority and have the same
extended system ID, the switch having the MAC address with the lowest
value, expressed in hexadecimal, will have the lower BID. Initially, all
switches are configured with the same default priority value. The MAC
address is then the deciding factor as to which switch is going to become the
root bridge. To ensure that the root bridge decision best meets network
requirements, it is recommended that the administrator configure the
desired root bridge switch with a lower priority. This also ensures that the
addition of new switches to the network does not trigger a new spanning
tree election, which can disrupt network communication while a new root
bridge is being selected.
When all switches are configured with the same priority, as is the case with
all switches kept in the default configuration with a priority of 32768, the
MAC address becomes the deciding factor as to which switch becomes the
root bridge.
Note: In the example, the priority of all the switches is 32769. The value is
based on the 32768 default priority and the VLAN 1 assignment associated
with each switch (32768+1).

Overview of PVST+
The original IEEE 802.1D standard defines a CST that assumes only one
spanning tree instance for the entire switched network, regardless of the
number of VLANs. A network running CST has these characteristics:
• No load sharing is possible. One uplink must block for all VLANs.
• The CPU is spared. Only one instance of spanning tree must be
computed.
Cisco developed PVST+ so that a network can run an independent instance of
the Cisco implementation of IEEE 802.1D for each VLAN in the network. With
PVST+, it is possible for one trunk port on a switch to block for a VLAN while
forwarding for other VLANs. PVST+ can be used to implement Layer 2 load
balancing. The switches in a PVST+ environment require greater CPU process
and BPDU bandwidth consumption than a traditional CST implementation of
STP because each VLAN runs a separate instance of STP.
In a PVST+ environment, spanning tree parameters can be tuned so that half
of the VLANs forward on each uplink trunk.
• For each VLAN in a switched network, PVST+ performs four steps to
provide a loop-free logical network topology:

Step 1. Elects one root bridge - Only one switch can act as the root
bridge (for a given VLAN). The root bridge is the switch with the lowest
bridge ID. On the root bridge, all ports are designated ports (no root ports).

Step 2. Selects the root port on each non-root bridge - PVST+
establishes one root port on each non-root bridge for each VLAN. The root
port is the lowest-cost path from the non-root bridge to the root bridge,
which indicates the direction of the best path to the root bridge. Root ports
are normally in the forwarding state.

Step 3. Selects the designated port on each segment - On
each link, PVST+ establishes one designated port for each VLAN. The
designated port is selected on the switch that has the lowest-cost path to the
root bridge. Designated ports are normally in the forwarding state, and
forwarding traffic for the segment.

Step 4. The remaining ports in the switched network are
alternate ports - Alternate ports normally remain in the blocking state,
to logically break the loop topology. When a port is in the blocking state, it
does not forward traffic, but it can still process received BPDU messages.

Port States and PVST+ Operation

To facilitate the learning of the logical spanning tree, each switch port
transitions through five possible port states and three BPDU timers.
The spanning tree is determined immediately after a switch is finished
booting up. If a switch port transitions directly from the blocking state to the
forwarding state without information about the full topology during the
transition, the port can temporarily create a data loop. For this reason, STP
introduces five port states. PVST+ uses the same five port states.

The port states that ensure no loops are created during
the creation of the logical spanning tree:

 Blocking - The port is an alternate port and does not participate in
frame forwarding. The port receives BPDU frames to determine the
location and root ID of the root bridge switch and which port roles
each switch port should assume in the final active STP topology.

 Listening - Listens for the path to the root. STP has determined that
the port can participate in frame forwarding according to the BPDU
frames that the switch has received. The switch port receives BPDU
frames, transmits its own BPDU frames, and informs adjacent switches
that the switch port is preparing to participate in the active topology.
 Learning - Learns the MAC addresses. The port prepares to
participate in frame forwarding and begins to populate the MAC
address table.

 Forwarding - The port is considered part of the active topology. It
forwards data frames and sends and receives BPDU frames.

 Disabled - The Layer 2 port does not participate in spanning tree and
does not forward frames. The disabled state is set when the switch
port is administratively disabled.
Note that the number of ports in each of the various states (blocking,
listening, learning, or forwarding) can be displayed with the #show
spanning-tree summary command.

Extended System ID and PVST+ Operation

 In a PVST+ environment, the extended system ID ensures each switch
has a unique BID for each VLAN.

For example, the VLAN 2 default BID would be 32770 (priority 32768, plus the
extended system ID of 2). If no priority has been configured, every switch has
the same default priority and the election of the root bridge for each VLAN is
based on the MAC address. Because the bridge ID is based on the lowest
MAC address, the switch chosen to be root bridge might not be the most
powerful or the most optimal switch.

There are situations where the administrator may want a specific switch
selected as the root bridge. This may be for a variety of reasons, including:

 the switch is more optimally located within the LAN design in regards to
the majority of traffic flow patterns for a particular VLAN;
 the switch has higher processing power, or;
 the switch is simply easier to access and manage remotely.

To manipulate the root-bridge election, assign a lower priority to the switch
that should be selected as the root bridge for the desired VLAN(s).

Edge Ports
An RSTP edge port is a switch port that is never intended to be connected to
another switch. It immediately transitions to the forwarding state when
enabled.
 Note: Configuring an edge port to be attached to another switch is not
recommended. This can have negative implications for RSTP because a
temporary loop may result, possibly delaying the convergence of RSTP.

PortFast and BPDU Guard

PortFast is a Cisco feature for PVST+ environments. When a switch port is
configured with PortFast that port transitions from blocking to forwarding
state immediately, bypassing the usual 802.1D STP transition states (the
listening and learning states). You can use PortFast on access ports to allow
these devices to connect to the network immediately, rather than waiting for
IEEE 802.1D STP to converge on each VLAN. Access ports are ports which are
connected to a single workstation or to a server.
In a valid PortFast configuration, BPDUs should never be received, because
that would indicate that another bridge or switch is connected to the port,
potentially causing a spanning tree loop. Cisco switches support a feature
called BPDU guard. When it is enabled, BPDU guard puts the port in an
errdisabled (error-disabled) state on receipt of a BPDU. This will effectively
shut down the port. The BPDU guard feature provides a secure response to
invalid configurations because you must manually put the interface back into
service.
Cisco PortFast technology is useful for DHCP. Without PortFast, a PC can send
a DHCP request before the port is in forwarding state, denying the host from
getting a usable IP address and other information. Because PortFast
immediately changes the state to forwarding, the PC always gets a usable IP
address (if the DHCP server has been configured correctly and
communication with the DHCP server has occurred).
Note: Because the purpose of PortFast is to minimize the time that access
ports must wait for spanning tree to converge, it should only be used on
access ports. If you enable PortFast on a port connecting to another switch,
you risk creating a spanning tree loop.

Spanning Tree Failure Consequences

First, STP might erroneously block ports that should have gone into the
forwarding state. Connectivity might be lost for traffic that would normally
pass through this switch, but the rest of the network remains unaffected.
Second, STP might erroneously move one or more ports into the forwarding
state:
 Remember that an Ethernet frame header does not include a TTL field,
which means that any frame that enters a bridging loop continues to
be forwarded by the switches indefinitely. The only exceptions are
frames that have their destination address recorded in the MAC
address table of the switches. These frames are simply forwarded to
the port that is associated with the MAC address and do not enter a
loop. However, any frame that is flooded by a switch enters the loop.
This may include broadcasts, multicasts, and unicasts with a globally
unknown destination MAC address.

What are the consequences and corresponding symptoms
of STP failure
The load on all links in the switched LAN quickly starts increasing as more and
more frames enter the loop. This problem is not limited to the links that form
the loop, but also affects any other links in the switched domain because the
frames are flooded on all links. When the spanning tree failure is limited to a
single VLAN only links in that VLAN are affected. Switches and trunks that do
not carry that VLAN operate normally.
If the spanning tree failure has created a bridging loop, traffic increases
exponentially. The switches will then flood the broadcasts out multiple ports.
This creates copies of the frames every time the switches forward them.
When control plane traffic starts entering the loop (for example, routing
messages), the devices that are running these protocols quickly start getting
overloaded. Their CPUs approach 100 percent utilization while they are trying
to process an ever-increasing load of control plane traffic. In many cases, the
earliest indication of this broadcast storm in progress is that routers or Layer
3 switches are reporting control plane failures and that they are running at a
high CPU load.
The switches experience frequent MAC address table changes. If a loop
exists, a switch may see a frame with a certain source MAC address coming in
on one port and then see the other frame with the same source MAC address
coming in on a different port a fraction of a second later. This will cause the
switch to update the MAC address table twice for the same MAC address.
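The MAC-address-table churn described above is something a monitoring script can pick out. The following is an added example (not from these notes) that flags a MAC that keeps changing ingress port within a short window, using a constructed stream of learn events; the thresholds are assumptions.

```python
"""Added example, not from the CCNA notes: detect the MAC-address-table
churn a bridging loop causes, from a constructed stream of MAC learn events
(timestamp in seconds, VLAN, source MAC, ingress port). The window and
move-count thresholds are assumptions: a single move is normal host
roaming, rapid back-and-forth between ports is not."""
from collections import defaultdict


def detect_mac_flaps(events, window_s=1.0, min_moves=3):
    """Return {(vlan, mac): moves} for every MAC whose ingress port changed
    at least min_moves times inside some window_s-second window."""
    last_port = {}                          # (vlan, mac) -> port last seen
    move_times = defaultdict(list)          # (vlan, mac) -> [t of each move]
    for t, vlan, mac, port in sorted(events):
        key = (vlan, mac.lower())
        prev = last_port.get(key)
        if prev is not None and prev != port:
            move_times[key].append(t)       # table rewritten for the same MAC
        last_port[key] = port

    flapping = {}
    for key, times in move_times.items():
        best, start = 0, 0
        for end in range(len(times)):       # sliding window over move times
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_moves:
            flapping[key] = best
    return flapping


# Constructed events: one host's frames loop between two uplinks in VLAN 10
# every 100 ms; the same MAC in VLAN 20 is untouched (loop limited to one
# VLAN); a laptop re-plugged once 45 s later is normal roaming.
SAMPLE_EVENTS = [
    (0.0, 10, "0011.2233.4455", "Gi1/0/1"),
    (0.1, 10, "0011.2233.4455", "Gi1/0/2"),
    (0.2, 10, "0011.2233.4455", "Gi1/0/1"),
    (0.3, 10, "0011.2233.4455", "Gi1/0/2"),
    (0.4, 10, "0011.2233.4455", "Gi1/0/1"),
    (0.0, 20, "0011.2233.4455", "Gi1/0/5"),
    (0.5, 20, "0011.2233.4455", "Gi1/0/5"),
    (0.0, 10, "00aa.bbcc.dd01", "Gi1/0/7"),
    (45.0, 10, "00aa.bbcc.dd01", "Gi1/0/8"),
]

if __name__ == "__main__":
    for (vlan, mac), moves in detect_mac_flaps(SAMPLE_EVENTS).items():
        print(f"VLAN {vlan}: {mac} moved {moves} times within 1 s")
```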

Repairing a Spanning Tree Problem

One way to correct spanning tree failure is to manually remove redundant
links in the switched network, either physically or through configuration,
until all loops are eliminated from the topology. When the loops are broken,
the traffic and CPU loads should quickly drop to normal levels, and
connectivity to devices should be restored.
Although this intervention restores connectivity to the network, it is not the
end of the troubleshooting process. All redundancy from the switched
network has been removed, and now the redundant links must be restored.
If the underlying cause of the spanning tree failure has not been fixed,
chances are that restoring the redundant links will trigger a new broadcast
storm. Before restoring the redundant links, determine and correct the cause
of the spanning tree failure. Carefully monitor the network to ensure that the
problem is fixed.
Spanning Tree and Switch Stacks {omitted refer back to
offline notes for more information}

Hello Timer (2 seconds) - The interval between BPDU updates.

Max Age Timer (20 seconds) - The maximum length of time a
switch saves BPDU information.

Forward Delay Timer (15 seconds) - The time spent in the
listening and learning state.

More Spanning Tree Commands

#interface fa0/1
#spanning-tree cost 25 {configure the port cost of an interface}
#interface fa0/1
#no spanning-tree cost 25 {restore the port cost to the default value}
#show spanning-tree {verify the port and internal root path cost to the root
bridge}
#show spanning-tree summary {displaying the number of ports in each of the
various states (blocking, listening, learning, or forwarding)}

#interface fastethernet 0/1
-spanning-tree portfast {for edge port configuration that will never have a
switch connected to it}
 When a switch port is configured with PortFast that port transitions
from blocking to forwarding state immediately, bypassing the usual
802.1D STP transition states (the listening and learning states). You can
use PortFast on access ports to allow these devices to connect to the
network immediately, rather than waiting for IEEE 802.1D STP to
converge on each VLAN. Access ports are ports which are connected to
a single workstation or to a server.
#spanning-tree portfast default {global configuration mode command that
enables PortFast on all nontrunking interfaces}
#interface fa0/1
-spanning-tree bpduguard enable {puts the access port into the errdisabled
state if a BPDU frame is received on it}
#spanning-tree portfast bpduguard default {global configuration command that
enables BPDU guard on all PortFast-enabled ports}
 #show running-config interface f0/1 {to verify that PortFast and BPDU
guard have been enabled for a switch port}

#spanning-tree link-type { point-to-point | shared } [Only designated ports
make the most use of the link-type parameter. A rapid transition to the
forwarding state for the designated port occurs only if the link-type
parameter is set to point-to-point; this configures a port to immediately
transition to the forwarding state]

Configuring and Verifying the Bridge ID

Method 1
#spanning-tree vlan 1 root primary {To ensure that the switch has the
lowest bridge priority so that it manually becomes the root bridge}
 The priority for the switch is set to the predefined value of 24,576 or to
the highest multiple of 4,096, less than the lowest bridge priority
detected on the network.
#spanning-tree vlan 1 root secondary {This ensures that the alternate switch
becomes the root bridge if the primary root bridge fails. This command sets
the priority for the switch to the predefined value of 28,672}
 This assumes that the rest of the switches in the network have the
default 32,768 priority value defined.

Method 2
#spanning-tree vlan vlan-id priority 24576 {priority lower than the other
bridges on the network}
 gives more granular control over the bridge priority value. The priority
value is configured in increments of 4,096 between 0 and 61,440.
#spanning-tree vlan 1 root secondary {entered on another switch}
#show spanning-tree {verify the bridge priority of a switch or even the
configurations}
 Note that the backup root bridge above is for one VLAN only; it is not
load balancing.
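To make the bridge ID arithmetic and the root primary / root secondary priorities above concrete, here is an added example (not from these notes) that elects a root bridge per VLAN from priority + extended system ID and MAC, and computes the priority the root primary macro would pick. Switch names and MAC addresses are constructed.

```python
"""Added example (not from the CCNA notes): per-VLAN root bridge election
using priority + extended system ID, and the priority that the
`spanning-tree vlan N root primary` / `root secondary` commands choose.
Switch names and MAC addresses are constructed for illustration."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576      # what `root primary` tries first
ROOT_SECONDARY_PRIORITY = 28672  # what `root secondary` sets
PRIORITY_STEP = 4096             # priority is always a multiple of 4096


def mac_to_int(mac: str) -> int:
    """Parse a dotted (0019.aa00.0001) or colon-separated MAC into an int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


@dataclass
class Switch:
    name: str
    mac: str                                      # base MAC, the tiebreaker
    priority: dict = field(default_factory=dict)  # vlan -> configured priority

    def base_priority(self, vlan: int) -> int:
        return self.priority.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan: int):
        """(priority + extended system ID, MAC); the lowest tuple wins.
        With defaults this gives 32769 for VLAN 1 and 32770 for VLAN 2."""
        return (self.base_priority(vlan) + vlan, mac_to_int(self.mac))


def elect_root(switches, vlan: int) -> str:
    """The switch with the lowest bridge ID for this VLAN is the root."""
    return min(switches, key=lambda s: s.bridge_id(vlan)).name


def root_primary_priority(others, vlan: int) -> int:
    """Priority `root primary` would set: 24576, or the highest multiple of
    4096 that is still lower than the lowest priority seen on the network."""
    lowest_seen = min(s.base_priority(vlan) for s in others)
    if lowest_seen > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    candidate = (lowest_seen // PRIORITY_STEP) * PRIORITY_STEP
    if candidate >= lowest_seen:        # lowest_seen was already a multiple
        candidate -= PRIORITY_STEP
    if candidate < 0:
        raise ValueError("another bridge already uses priority 0; "
                         "set an explicit priority instead")
    return candidate


def demo():
    """Three switches, all at default priority: the lowest MAC (S1) wins
    VLAN 10. Then S3 is made root primary and S1 root secondary."""
    s1 = Switch("S1", "0019.aa00.0001")
    s2 = Switch("S2", "0019.aa00.0002")
    s3 = Switch("S3", "0019.aa00.0003")
    fleet = [s1, s2, s3]
    before = elect_root(fleet, 10)
    s3.priority[10] = root_primary_priority([s1, s2], 10)   # 24576
    s1.priority[10] = ROOT_SECONDARY_PRIORITY               # 28672
    after = elect_root(fleet, 10)
    return before, after, s3.bridge_id(10)[0]


if __name__ == "__main__":
    print(demo())
```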

PVST+ Load Balancing

Root Bridge Configurations for load balancing
S3#spanning-tree vlan 20 root primary
   or: #spanning-tree vlan 20 priority 4096
S3#spanning-tree vlan 10 root secondary

S1#spanning-tree vlan 10 root primary
   or: #spanning-tree vlan 10 priority 4096
S1#spanning-tree vlan 20 root secondary
 #show spanning-tree active {displays spanning tree configuration
details for the active interfaces only}

Rapid PVST+
 Note: The default spanning tree configuration on a Catalyst 2960 Series
switch is PVST+. A Catalyst 2960 switch supports PVST+, Rapid PVST+,
and MST, but only one version can be active for all VLANs at any time.
# spanning-tree mode rapid-pvst {enabling Rapid PVST+ global command}
# show spanning-tree vlan 10 {shows the spanning tree configuration for
VLAN 10}
 In most cases, the only difference between configuring PVST+ and
Rapid PVST+ is the spanning-tree mode rapid-pvst command.

Overview of Spanning Tree Status

 Using the #show spanning-tree command without specifying any
additional options provides a quick overview of the status of STP for all
VLANs that are defined on a switch. If interested only in a particular
VLAN, limit the scope of this command by specifying that VLAN as an
option.
 Use the #show spanning-tree vlan vlan_id command to get
STP information for a particular VLAN. Use this command to get
information about the role and status of each port on the switch. Any
ports being blocked display the output status as “BLK”.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@

Link Aggregation
Link aggregation is the ability to create one logical link using multiple physical
links between two devices. This allows load sharing among the physical links,
rather than having STP block one or more of the links. EtherChannel is a form
of link aggregation used in switched networks.
An EtherChannel can be manually configured or can be negotiated by using the
Cisco-proprietary protocol Port Aggregation Protocol (PAgP) or Link
Aggregation Control Protocol (LACP).
 When an EtherChannel is configured, the resulting virtual interface is
called a port channel. The physical interfaces are bundled together into a
port channel interface.

Note: Because of the traffic aggregation, links with higher bandwidth must be
available between the access and distribution switches.
It may be possible to use faster links, such as 10 Gb/s, on the aggregated link
between the access and distribution layer switches.
 As the speed of the access links increases, even the fastest possible port
on the aggregated link may no longer be fast enough to carry the traffic
coming from all access links, so those faster links may themselves need
EtherChannel technology.

Advantages of EtherChannel
 Most configuration tasks can be done on the EtherChannel interface
instead of on each individual port, ensuring configuration consistency
throughout the links.
 EtherChannel relies on existing switch ports. There is no need to
upgrade the link to a faster and more expensive connection to have
more bandwidth.
 Load balancing takes place between links that are part of the same
EtherChannel. Depending on the hardware platform, one or more load-
balancing methods can be implemented. These methods include source
MAC to destination MAC load balancing, or source IP to destination IP
load balancing, across the physical links.
 EtherChannel creates an aggregation that is seen as one logical link.
When several EtherChannel bundles exist between two switches, STP
may block one of the bundles to prevent switching loops. When STP
blocks one of the redundant links, it blocks the entire EtherChannel. This
blocks all the ports belonging to that EtherChannel link. Where there is
only one EtherChannel link, all physical links in the EtherChannel are
active because STP sees only one (logical) link.
 EtherChannel provides redundancy because the overall link is seen as
one logical connection. Additionally, the loss of one physical link within
the channel does not create a change in the topology; therefore a
spanning tree recalculation is not required. Assuming at least one
physical link is present; the EtherChannel remains functional, even if its
overall throughput decreases because of a lost link within the
EtherChannel.

Implementation Restrictions
Note: Interface types cannot be mixed; for example, Fast Ethernet and Gigabit
Ethernet cannot be mixed within a single EtherChannel.
 The EtherChannel provides full-duplex bandwidth up to 800 Mb/s (Fast
EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between one switch and
another switch or host. Currently each EtherChannel can consist of up to
eight compatibly-configured Ethernet ports. The Cisco IOS switch can
currently support six EtherChannels.
 An EtherChannel link can be created between two switches or an
EtherChannel link can be created between an EtherChannel-enabled
server and a switch
 The individual EtherChannel group member port configuration must be
consistent on both devices. If the physical ports of one side are
configured as trunks, the physical ports of the other side must also be
configured as trunks within the same native VLAN.
 A configuration applied to the port channel interface affects all physical
interfaces that are assigned to that interface.
 A Layer 3 EtherChannel has a single IP address associated with the
logical aggregation of switch ports in the EtherChannel.

EtherChannels can be formed through negotiation using
one of two protocols, PAgP or LACP. These protocols
allow ports with similar characteristics to form a channel
through dynamic negotiation with adjoining switches.
 Note: It is also possible to configure a static EtherChannel without PAgP
or LACP.

PAgP
PAgP is Cisco-proprietary protocol that aids in the automatic creation of
EtherChannel links. When an EtherChannel link is configured using PAgP, PAgP
packets are sent between EtherChannel-capable ports to negotiate the forming
of a channel. When PAgP identifies matched Ethernet links, it groups the links
into an EtherChannel. The EtherChannel is then added to the spanning tree as
a single port.
 PAgP packets are sent every 30

Note: In EtherChannel, it is mandatory that all ports have the same speed,
duplex setting, and VLAN information. Any port modification after the creation
of the channel also changes all other channel ports.
PAgP helps create the EtherChannel link by detecting the configuration of
each side and ensuring that links are compatible so that the EtherChannel
link can be enabled when needed.
Modes for PAgP

 On - This mode forces the interface to channel without PAgP. Interfaces
configured in the on mode do not exchange PAgP packets.

 PAgP desirable - This PAgP mode places an interface in an active
negotiating state in which the interface initiates negotiations with other
interfaces by sending PAgP packets.

 PAgP auto - This PAgP mode places an interface in a passive
negotiating state in which the interface responds to the PAgP packets
that it receives, but does not initiate PAgP negotiation.

LACP
LACP allows several physical ports to be bundled to form a single logical
channel. LACP allows a switch to negotiate an automatic bundle by sending
LACP packets to the peer. It performs a function similar to PAgP but it can be
used to facilitate EtherChannels in multivendor environments. On Cisco
devices, both protocols are supported.
LACP provides the same negotiation benefits as PAgP. LACP helps create the
EtherChannel link by detecting the configuration of each side and making sure
that they are compatible so that the EtherChannel link can be enabled when
needed.

Modes for LACP

 On - This mode forces the interface to channel without LACP. Interfaces
configured in the on mode do not exchange LACP packets.

 LACP active - This LACP mode places a port in an active negotiating
state. In this state, the port initiates negotiations with other ports by
sending LACP packets.

 LACP passive - This LACP mode places a port in a passive
negotiating state. In this state, the port responds to the LACP packets
that it receives, but does not initiate LACP packet negotiation.

Configuration Guidelines
 EtherChannel support - All Ethernet interfaces on all modules must
support EtherChannel with no requirement that interfaces be physically
contiguous, or on the same module.
 Speed and duplex - Configure all interfaces in an EtherChannel to
operate at the same speed and in the same duplex mode.
 VLAN match - All interfaces in the EtherChannel bundle must be
assigned to the same VLAN, or be configured as a trunk (also shown in
the figure).
 Range of VLANs - An EtherChannel supports the same allowed range of
VLANs on all the interfaces in a trunking EtherChannel. If the allowed
range of VLANs is not the same, the interfaces do not form an
EtherChannel, even when set to auto or desirable mode.

Configuring Interfaces for EtherChannel

Note: EtherChannel is disabled by default

 A good practice is to start by shutting down those interfaces that are to
be part of EtherChannel, so that any incomplete configuration does not
create activity on the link.

LACP
#interface range fastethernet 0/1-2 {Specify the interfaces that compose
the EtherChannel group}
#channel-group 1 mode active {Create the port channel interface. The 1
specifies a channel group number and can vary. The mode active keywords
identify this as an LACP EtherChannel configuration}
#interface port-channel 1 {To change Layer 2 settings on the port channel
interface, enter the port channel interface the same way as a physical
interface such as int fa0/x}
-switchport mode trunk {the EtherChannel is configured as a trunk
interface}
-switchport trunk allowed vlan 1,2,30 {allowed VLANs specified}

PAgP
#interface range fastethernet 0/1-2 {Specify the interfaces that compose
the EtherChannel group}
#channel-group 1 mode desirable {Create the port channel interface. The 1
specifies a channel group number and can vary. The mode desirable
keywords identify this as a PAgP EtherChannel configuration}
#interface port-channel 1 {To change Layer 2 settings on the port channel
interface, enter the port channel interface the same way as a physical
interface such as int fa0/x}
-switchport mode trunk {the EtherChannel is configured as a trunk
interface}
-switchport trunk allowed vlan 1,2,30 {allowed VLANs specified}

Verifying EtherChannel
#show interfaces port-channel 1 {displays the general status of the port
channel interface}
#show etherchannel summary {When several port channel interfaces
are configured on the same device, display one line of information per
port channel}
#show etherchannel port-channel {display information about a specific
port channel interface}
#show interfaces f0/1 etherchannel {On any physical interface member
of an EtherChannel bundle,provide information about the role of the
interface in the EtherChannel}

Troubleshooting EtherChannel

All interfaces within an EtherChannel must have the same
configuration of speed and duplex mode, native and
allowed VLANs on trunks, and access VLAN on access
ports:
 Assign all ports in the EtherChannel to the same VLAN, or configure
them as trunks. Ports with different native VLANs cannot form an
EtherChannel.
 When configuring a trunk on an EtherChannel, verify the trunking
mode on the EtherChannel. It is not recommended that you
configure trunking mode on individual ports that make up the
EtherChannel. But if it is done, verify that the trunking configuration
is the same on all interfaces.
 An EtherChannel supports the same allowed range of VLANs on all
the ports. If the allowed range of VLANs is not the same, the ports
do not form an EtherChannel even when PAgP is set to the auto or
desirable mode.
 The dynamic negotiation options for PAgP and LACP must be
compatibly configured on both ends of the EtherChannel.
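The mode pairings (PAgP and LACP sections above) and the member-port consistency rules in this troubleshooting list can be checked before touching a switch. The following is an added example, not from these notes, that applies both sets of rules to constructed port configurations.

```python
"""Added example, not from the CCNA notes: decide whether a proposed
EtherChannel would actually bundle, applying the PAgP/LACP mode pairings and
the member-port consistency rules from the notes. Port names, speeds and
VLAN values below are constructed."""
from dataclasses import dataclass

PAGP_MODES = {"desirable", "auto"}
LACP_MODES = {"active", "passive"}


def modes_form_channel(local: str, remote: str) -> bool:
    """'on' only pairs with 'on'; otherwise at least one side must initiate
    (desirable or active); PAgP and LACP never negotiate with each other."""
    if local == "on" or remote == "on":
        return local == "on" and remote == "on"
    if local in PAGP_MODES and remote in PAGP_MODES:
        return "desirable" in (local, remote)      # auto/auto never forms
    if local in LACP_MODES and remote in LACP_MODES:
        return "active" in (local, remote)         # passive/passive never forms
    return False


@dataclass(frozen=True)
class PortCfg:
    name: str
    speed: int                      # Mb/s
    duplex: str                     # "full" or "half"
    mode: str                       # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed_vlans: frozenset = frozenset()


def member_mismatches(ports):
    """Reasons the member ports (from both switches) are not consistent;
    an empty list means they match on speed, duplex and VLAN settings."""
    ref, reasons = ports[0], []
    for p in ports[1:]:
        if (p.speed, p.duplex) != (ref.speed, ref.duplex):
            reasons.append(f"{p.name}: speed/duplex differs from {ref.name}")
        if p.mode != ref.mode:
            reasons.append(f"{p.name}: {p.mode} port vs {ref.mode} port")
        elif p.mode == "trunk":
            if p.native_vlan != ref.native_vlan:
                reasons.append(f"{p.name}: native VLAN {p.native_vlan} "
                               f"!= {ref.native_vlan}")
            if p.allowed_vlans != ref.allowed_vlans:
                reasons.append(f"{p.name}: allowed VLAN range differs")
        elif p.access_vlan != ref.access_vlan:
            reasons.append(f"{p.name}: access VLAN differs")
    return reasons


def check_bundle(local_ports, local_mode, remote_ports, remote_mode):
    """All problems that would stop the channel forming (empty = forms)."""
    reasons = member_mismatches(list(local_ports) + list(remote_ports))
    if not modes_form_channel(local_mode, remote_mode):
        reasons.append(f"modes {local_mode}/{remote_mode} do not negotiate")
    return reasons


def demo():
    """S1 f0/1-2 (trunk, native 1, VLANs 1,2,30) against S2 f0/1-2, once
    with S2 f0/2 on native VLAN 99, once consistent, once auto/auto."""
    allowed = frozenset({1, 2, 30})
    s1 = [PortCfg("S1 f0/1", 100, "full", "trunk", allowed_vlans=allowed),
          PortCfg("S1 f0/2", 100, "full", "trunk", allowed_vlans=allowed)]
    s2_bad = [PortCfg("S2 f0/1", 100, "full", "trunk", allowed_vlans=allowed),
              PortCfg("S2 f0/2", 100, "full", "trunk", native_vlan=99,
                      allowed_vlans=allowed)]
    s2_ok = [PortCfg("S2 f0/1", 100, "full", "trunk", allowed_vlans=allowed),
             PortCfg("S2 f0/2", 100, "full", "trunk", allowed_vlans=allowed)]
    return (check_bundle(s1, "active", s2_bad, "passive"),
            check_bundle(s1, "active", s2_ok, "passive"),
            check_bundle(s1, "auto", s2_ok, "auto"))


if __name__ == "__main__":
    for result in demo():
        print(result or "channel forms")
```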

Note: It is easy to confuse PAgP or LACP with DTP, because they both
are protocols used to automate behavior on trunk links. PAgP and LACP are
used for link aggregation (EtherChannel). DTP is used for automating the
creation of trunk links. When an EtherChannel trunk is configured, typically
EtherChannel (PAgP or LACP) is configured first and then DTP.

NOTE: If the port channel is down because the two switches were configured
with incompatible modes, change the EtherChannel mode to desirable (PAgP)
or active (LACP), depending on the protocol in use, so that both ends are
compatible, using the procedure below.

Correcting a misconfigured Port Channel

#no interface port-channel 1 {interface Port-Channel 1 removed and
then re-added with the channel-group command, as opposed to
directly changed. If one tries to change the configuration directly,
spanning tree errors cause the associated ports to go into blocking or
errdisabled state}
#interface range f0/1 - 2
#channel-group 1 mode desirable {changing an EtherChannel to PAgP
Mode with mode desirable}
#no shutdown {if ports are shutdown}
#interface port-channel 1
#switchport mode trunk
#switchport trunk allowed vlan 1,2,30

To verify if these switches can perform EtherChannel,
you visit the System Requirements to Implement
EtherChannel on Catalyst Switches. This site allows
you to gather more information to determine if
EtherChannel is a good option for the equipment and
network currently in place.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@

Default Gateway Limitations

If a router or router interface (that serves as a default gateway) fails, the hosts
configured with that default gateway are isolated from outside networks. A
mechanism is needed to provide alternate default gateways in switched
networks where two or more routers are connected to the same VLANs.
In a switched network, each client receives only one default gateway. There is
no way to use a secondary gateway, even if a second path exists to carry
packets off the local segment.
 Traffic from the inside network associated with R1, including traffic from
workstations, servers, and printers configured with R1 as their default
gateway, is still sent to R1 and dropped.
 Even if a redundant router exists that could serve as a default gateway for
that segment, there is no dynamic method by which these devices can
determine the address of a new default gateway.

Router Redundancy
 One way to prevent a single point of failure at the default gateway, is to
implement a virtual router. To implement this type of router
redundancy, multiple routers are configured to work together to present
the illusion of a single router to the hosts on the LAN.
 By sharing an IP address and a MAC address, two or more routers can
act as a single virtual router.
 The IPv4 address of the virtual router is configured as the default
gateway for the workstations on a specific IPv4 segment.
 The ARP resolution returns the MAC address of the virtual router.
Frames that are sent to the MAC address of the virtual router can then
be physically processed by the currently active router within the virtual
router group.
 A redundancy protocol provides the mechanism for determining which
router should take the active role in forwarding traffic. It also
determines when the forwarding role must be taken over by a standby
router. The transition from one forwarding router to another is
transparent to the end devices.
Steps for Router Failover
When the active router fails, the redundancy protocol transitions the standby
router to the new active router role. These are the steps that take place when
the active router fails:
1. The standby router stops seeing Hello messages from the forwarding
router.
2. The standby router assumes the role of the forwarding router.
3. Because the new forwarding router assumes both the IPv4 and MAC
addresses of the virtual router, the host devices see no disruption in
service.

The ability of a network to dynamically recover from the failure of a device
acting as a default gateway is known as first-hop redundancy.

First Hop Redundancy Protocols

 Hot Standby Router Protocol (HSRP) - A Cisco-proprietary
FHRP designed to allow for transparent failover of a first-hop IPv4
device. HSRP provides high network availability by providing first-hop
routing redundancy for IPv4 hosts on networks configured with an IPv4
default gateway address. HSRP is used in a group of routers for selecting
an active device and a standby device. In a group of device interfaces,
the active device is the device that is used for routing packets; the
standby device is the device that takes over when the active device fails,
or when pre-set conditions are met. The function of the HSRP standby
router is to monitor the operational status of the HSRP group and to
quickly assume packet-forwarding responsibility if the active router fails.
HSRP for IPv6 - Cisco-proprietary FHRP providing the same
functionality as HSRP, but in an IPv6 environment.

 Virtual Router Redundancy Protocol version 2
(VRRPv2) - A non-proprietary election protocol that dynamically
assigns responsibility for one or more virtual routers to the VRRP routers
on an IPv4 LAN. This allows several routers on a multiaccess link to use
the same virtual IPv4 address. A VRRP router is configured to run the
VRRP protocol in conjunction with one or more other routers attached
to a LAN. In a VRRP configuration, one router is elected as the virtual
router master, with the other routers acting as backups, in case the
virtual router master fails. VRRPv3 - Provides the capability to support
IPv4 and IPv6 addresses. VRRPv3 works in multi-vendor environments
and is more scalable than VRRPv2.

 Gateway Load Balancing Protocol (GLBP) - Cisco-
proprietary FHRP that protects data traffic from a failed router or circuit,
like HSRP and VRRP, while also allowing load balancing (also called load
sharing) between a group of redundant routers. GLBP for IPv6 - Cisco-
proprietary FHRP providing the same functionality of GLBP, but in an
IPv6 environment. GLBP for IPv6 provides automatic router backup for
IPv6 hosts configured with a single default gateway on a LAN. Multiple
first-hop routers on the LAN combine to offer a single virtual first-hop
IPv6 router while sharing the IPv6 packet forwarding load.

Hot Standby Router Protocol (HSRP)

Routers configured with HSRP work together to present themselves as a single
virtual default gateway (router) to end devices.
One of the routers is selected by HSRP to be the active router. The active
router will act as the default gateway for end devices. The other router will
become the standby router. If the active router fails, the standby router will
automatically assume the role of the active router. It will assume the role of
default gateway for end devices. This does not require any configuration
changes on the end devices.
The default gateway address is a virtual IPv4 address along with a virtual MAC
address that is shared amongst both HSRP routers.
End devices use this virtual IPv4 address as their default gateway address. The
HSRP virtual IPv4 address is configured by the network administrator. The
virtual MAC address is created automatically.
Only the active router will receive and forward traffic sent to the default
gateway. If the active router fails, or if communication to the active router
fails, the standby router will assume the role of the active router.

HSRP Versions
The default HSRP version for Cisco IOS 15 is version 1. HSRP version 2 provides
the following enhancements:
 HSRPv2 expands the number of supported groups. HSRP version 1
supports group numbers from 0 to 255. HSRP version 2 supports group
numbers from 0 to 4095.
 HSRPv1 uses the multicast address of 224.0.0.2. HSRP version 2 uses the
IPv4 multicast address 224.0.0.102 or the IPv6 multicast address
FF02::66 to send hello packets.
 HSRPv1 uses the virtual MAC address range 0000.0C07.AC00 to
0000.0C07.ACFF, where the last octet is the group number.
 HSRPv2 uses the MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF for
IPv4 and 0005.73A0.0000 to 0005.73A0.0FFF for IPv6, where the last three
hex digits are the group number.
Note: Group numbers are used for more advanced HSRP configurations that
are beyond the scope of this course. For our purposes, we will use group
number 1.
HSRP Priority and Pre-emption
HSRP Priority
HSRP priority can be used to determine the active router. The router with the
highest HSRP priority will be elected as active router. By default, the HSRP
priority is 100. If the priorities are equal, the router with the numerically
highest IPv4 address is elected as the active router.
HSRP Pre-emption
 By default, after a router becomes the active router, it will remain the
active router even if another router comes online with a higher HSRP
priority.
 To force a new HSRP election process, pre-emption must be enabled.
 Preemption is the ability of an HSRP router to trigger the re-election
process. With preemption enabled, a router that comes online with a
higher HSRP priority will assume the role of the active router.
 Preemption only allows a router to become the active router if it has a
higher priority. A router enabled for preemption, with equal priority but
a higher IPv4 address will not preempt an active router.
Due to a power failure affecting only R1, the active router is no longer available
and the standby router R2 assumes the role of the active router. After power is
restored, R1 comes back online. Because R1 has a higher priority and
preemption is enabled, it will force a new election process. R1 will re-assume
the role of the active router and R2 will fall back to the role of the standby
router.
Note: With preemption disabled, the router that boots up first will become the
active router if there are no other routers online during the election process.
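The election rules above (highest priority, then highest IPv4 address as the
tie-break, and preemption only on a strictly higher priority), worked through
in Python as an added example. This is not from the course notes; the router
names, addresses and priorities follow the R1/R2 configuration in this section
and the scenarios are constructed.

```python
"""Model of the HSRP active-router election rules described above."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # real interface address, used only for tie-breaks
    priority: int = 100     # IOS default priority
    preempt: bool = False   # 'standby <group> preempt' is off by default

    def election_key(self):
        # Highest priority wins; on a tie, the numerically highest IPv4 address.
        return (self.priority, int(IPv4Address(self.ip)))


@dataclass
class HsrpGroup:
    members: List[HsrpRouter] = field(default_factory=list)
    active: Optional[HsrpRouter] = None

    def elect(self) -> Optional[HsrpRouter]:
        """Election among every router currently online."""
        self.active = max(self.members, key=HsrpRouter.election_key, default=None)
        return self.active

    def join(self, router: HsrpRouter) -> Optional[HsrpRouter]:
        """A router comes online; returns the active router afterwards."""
        self.members.append(router)
        if self.active is None:
            return self.elect()
        if router.preempt and router.priority > self.active.priority:
            # Preemption needs a strictly higher priority; an equal priority
            # with a higher IP address does not displace the active router.
            self.active = router
        return self.active

    def fail(self, router: HsrpRouter) -> Optional[HsrpRouter]:
        """The router stops sending hellos (hold timer expires). If it was
        active, the standby router (best of the rest) takes over."""
        self.members.remove(router)
        if self.active is router:
            return self.elect()
        return self.active


def active_name(g: HsrpGroup) -> Optional[str]:
    return g.active.name if g.active else None


def scenarios() -> dict:
    """Constructed scenarios; the first reproduces the R1 power-failure story."""
    out = {}
    # 1. R1 priority 150 with preempt, R2 at defaults: R1 active, R1 fails,
    #    R2 takes over, R1 returns and preempts.
    r1 = HsrpRouter("R1", "172.16.10.2", priority=150, preempt=True)
    r2 = HsrpRouter("R2", "172.16.10.3")
    g = HsrpGroup()
    g.join(r1)
    g.join(r2)
    steps = [active_name(g)]
    g.fail(r1)
    steps.append(active_name(g))
    g.join(r1)
    steps.append(active_name(g))
    out["power_failure"] = steps
    # 2. No preempt on R1: whichever router boots first stays active.
    g = HsrpGroup()
    g.join(HsrpRouter("R2", "172.16.10.3"))
    g.join(HsrpRouter("R1", "172.16.10.2", priority=150))
    out["no_preempt"] = active_name(g)
    # 3. Equal priority, preempt enabled, higher IP: still no preemption.
    g = HsrpGroup()
    g.join(HsrpRouter("R2", "172.16.10.3"))
    g.join(HsrpRouter("R3", "172.16.10.4", preempt=True))
    out["equal_priority"] = active_name(g)
    # 4. Equal priority with both online at election time: highest IP wins.
    g = HsrpGroup(members=[HsrpRouter("R2", "172.16.10.3"),
                           HsrpRouter("R3", "172.16.10.4")])
    g.elect()
    out["tie_break"] = active_name(g)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Scenario 3 is the one most often got wrong in practice: enabling preempt on a
router with the same priority as the current active router changes nothing,
because the IP address tie-break is only used in a fresh election.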

HSRP Timers
The active and standby HSRP routers send hello packets to the HSRP group
multicast address every 3 seconds, by default. The standby router will become
active if it does not receive a hello message from the active router after 10
seconds. However, to avoid increased CPU usage and unnecessary standby
state changes, do not set the hello timer below 1 second or the hold timer
below 4 seconds.
HSRP Configuration Commands

R1(config)#interface g0/1
R1(config-if)#ip address 172.16.10.2 255.255.255.0
R1(config-if)#standby version 2 {configures HSRP to use version 2. HSRP is
version 1 by default}
R1(config-if)#standby 1 ip 172.16.10.1 {configure the virtual IP address that
will be used by group 1}
R1(config-if)#standby 1 priority 150 {configure the priority of the desired
active router to be greater than the default of 100 (range 0-255) so that it
becomes the active router}
R1(config-if)#standby 1 preempt {allow R1 to take back the active role if it
comes online after the standby router}
R1(config-if)#no shutdown
R2(config)#interface g0/1
R2(config-if)#ip address 172.16.10.3 255.255.255.0
R2(config-if)#standby version 2
R2(config-if)#standby 1 ip 172.16.10.1 {configure the same virtual IP address
for group 1}
R2(config-if)#no shutdown

HSRP Verification
#show standby {verify that HSRP is configured correctly}
#show standby brief {one-line summary per group: state, priority, active and
standby addresses; a P after the priority indicates preempt is configured}

HSRP Failure
To troubleshoot HSRP, you need to understand the basic operation. Most
issues will arise during one of the following HSRP functions:
 Failing to successfully elect the active router that controls the virtual IP
for the group.
 Failure of the standby router to successfully keep track of the active
router.
 Failing to determine when control of the virtual IP for the group should
be handed over to another router.
 Failure of end devices to successfully configure the virtual IP address as
the default gateway.

HSRP Debug Commands

#debug standby packets {view the receiving and sending of hello packets every
3 seconds}
#debug standby terse {to view the HSRP events as R1 is powered down and R2
assumes the role of active}
Common HSRP Configuration Issues
Use the debug commands to detect common configuration issues:
 The HSRP routers may not be connected to the same network segment.
Although this could be a physical layer issue, it could also be a VLAN sub-
interface configuration issue.
 The HSRP routers may not be configured with IPv4 addresses from the
same subnet. HSRP hello packets are local. They are not routed beyond
the network segment. Therefore, a standby router would not know
when the active router fails.
 The HSRP routers may not be configured with the same virtual IPv4
address. The virtual IPv4 address is the default gateway for end devices.
 The HSRP routers may not be configured with the same HSRP group
number. This will cause each router to assume the active role.
 End devices may not be configured with the correct default gateway
address. Although not directly related to HSRP, configuring the DHCP
server with one of the HSRP router's real IP addresses would mean that
end devices would only have connectivity to remote networks when that
HSRP router is active.
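An added Python example (not from the course notes) that decodes HSRPv1
packets into the fields that debug standby packets shows, derives the virtual
MAC address from the version and group number as listed under HSRP Versions,
and runs the virtual-IP, group-number and multiple-active checks above over
a set of hellos. It assumes the HSRPv1 layout from RFC 2281 (UDP port 1985 to
224.0.0.2); the sample packets, the R1/R2 addresses and the list of expected
routers are constructed to match the configuration in this section.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

# HSRPv1 payload per RFC 2281: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP (20 bytes).
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def virtual_mac(version: int, group: int) -> str:
    """Virtual MAC of an IPv4 HSRP group, from the ranges listed above."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"group {group} is not valid for HSRP version {version}")


def build_hello(priority: int, group: int, vip: str, state: int = 16,
                hellotime: int = 3, holdtime: int = 10,
                auth: bytes = b"cisco") -> bytes:
    """Constructed HSRPv1 packet for the samples below ('cisco' is the IOS
    default authentication string; 3 s / 10 s are the default timers)."""
    return HSRP_V1.pack(0, 0, state, hellotime, holdtime, priority, group, 0,
                        auth.ljust(8, b"\0"), IPv4Address(vip).packed)


def parse_hsrp(payload: bytes) -> Dict:
    """Decode one HSRPv1 packet."""
    (ver, op, state, hello, hold, prio, group,
     _reserved, auth, vip) = HSRP_V1.unpack(payload[:HSRP_V1.size])
    if ver != 0:
        raise ValueError("not an HSRPv1 packet (version field must be 0)")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group,
        "auth": auth.rstrip(b"\0").decode(errors="replace"),
        "virtual_ip": str(IPv4Address(vip)),
        "virtual_mac": virtual_mac(1, group),
    }


def check_hellos(observed: List[Tuple[str, bytes]],
                 expected_routers: Set[str]) -> List[str]:
    """Apply the common-issue checks above to (source_ip, payload) pairs."""
    findings: List[str] = []
    by_group: Dict[int, List[Tuple[str, Dict]]] = {}
    for src, payload in observed:
        h = parse_hsrp(payload)
        if src not in expected_routers:
            # Only the configured HSRP routers should be sending hellos; any
            # other sender with a higher priority would win the election.
            findings.append(f"hello from unexpected source {src} "
                            f"(priority {h['priority']}, group {h['group']})")
        by_group.setdefault(h["group"], []).append((src, h))
    if len(by_group) > 1:
        findings.append(f"different group numbers seen {sorted(by_group)}: "
                        "routers in different groups each assume the active role")
    for group, hellos in by_group.items():
        vips = sorted({h["virtual_ip"] for _, h in hellos})
        if len(vips) > 1:
            findings.append(f"group {group}: virtual IP mismatch {vips}")
        actives = [src for src, h in hellos if h["state"] == "Active"]
        if len(actives) > 1:
            findings.append(f"group {group}: more than one active router {actives}")
    return findings


EXPECTED_ROUTERS = {"172.16.10.2", "172.16.10.3"}   # R1 and R2 from the config above


def sample_findings() -> Dict[str, List[str]]:
    """Constructed hellos: a correct R1/R2 pair, a virtual IP mismatch, and
    a third sender that is not one of the configured routers."""
    good = [("172.16.10.2", build_hello(150, 1, "172.16.10.1", state=16)),
            ("172.16.10.3", build_hello(100, 1, "172.16.10.1", state=8))]
    bad_vip = [("172.16.10.2", build_hello(150, 1, "172.16.10.1", state=16)),
               ("172.16.10.3", build_hello(100, 1, "172.16.10.254", state=16))]
    extra = good + [("172.16.10.50", build_hello(255, 1, "172.16.10.1", state=16))]
    return {name: check_hellos(obs, EXPECTED_ROUTERS)
            for name, obs in (("good", good), ("bad_vip", bad_vip), ("extra_sender", extra))}


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        print(name, findings or "OK")
```

The mismatch case produces two findings rather than one: with different
virtual IP addresses each router also believes it is the only member and goes
Active, which is exactly what debug standby terse shows on both routers in
that situation. The expected-router set is an assumption of this example, not
something HSRP itself tracks; it is there because the election rules give the
active role to whichever sender has the highest priority.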
