network cisco ccna gns3 certification arteq

a network runs through it


Tuesday, January 31, 2012

gagging vlsm...

forcing a classless (vlsm capable) routing protocol like eigrp to auto-summarize is a bad practice... the subnets get rolled up into their classful major networks, the router plants a null0 summary route for each major network it has a piece of, and any destination in that major network that isn't directly connected or more specifically known falls into the null0 route and is silently dropped...
without auto-summary... very pretty...

Gateway of last resort is 192.168.1.100 to network 0.0.0.0


     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 10.0.20.2, 2d05h, Serial0/0
     100.0.0.0/24 is subnetted, 1 subnets
D       100.0.0.0 [90/156160] via 192.168.1.100, 2d05h, FastEthernet0/0
                  [90/156160] via 172.16.50.100, 2d05h, FastEthernet0/0.2
D    3.0.0.0/8 [90/156160] via 192.168.1.130, 2d05h, FastEthernet0/0
               [90/156416] via 172.16.50.100, 2d05h, FastEthernet0/0.2
               [90/2297856] via 10.0.30.2, 2d05h, Serial0/1
C    172.16.0.0/16 is directly connected, FastEthernet0/0.2
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D       10.0.0.0/8 [90/2172416] via 192.168.1.130, 00:00:15, FastEthernet0/0
                   [90/2172672] via 172.16.50.100, 00:00:15, FastEthernet0/0.2
C       10.0.30.0/30 is directly connected, Serial0/1
C       10.0.20.0/30 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.100

with auto-summary, not pretty...


r2620_01(config-router)#auto-summ
r2620_01(config-router)#
*Mar 27 15:31:52.354: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.50 (FastEthernet0/0) is resync: peer graceful-restart
*Mar 27 15:31:52.370: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.30.1 (Serial0/0) is resync: peer graceful-restart
r2620_01(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.100 to network 0.0.0.0

     1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       1.1.1.0/24 is directly connected, Loopback0
D       1.0.0.0/8 is a summary, 00:00:11, Null0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 10.0.20.2, 2d05h, Serial0/0
     100.0.0.0/24 is subnetted, 1 subnets
D       100.0.0.0 [90/156160] via 192.168.1.100, 2d05h, FastEthernet0/0
                  [90/156160] via 172.16.50.100, 2d05h, FastEthernet0/0.2
D    3.0.0.0/8 [90/156160] via 192.168.1.130, 2d05h, FastEthernet0/0
               [90/156416] via 172.16.50.100, 2d05h, FastEthernet0/0.2
               [90/2297856] via 10.0.30.2, 2d05h, Serial0/1
C    172.16.0.0/16 is directly connected, FastEthernet0/0.2
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D       10.0.0.0/8 is a summary, 00:00:13, Null0
C       10.0.30.0/30 is directly connected, Serial0/1
C       10.0.20.0/30 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.100
r2620_01(config-router)#
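What auto-summary did to the table above, as an added example (python, not IOS code or output): a model of the classful roll-up, the null0 summary it installs, and the resulting black hole. The administrative distances (0 connected, 1 static, 90 eigrp internal, 5 for the locally generated eigrp summary) are IOS defaults; the connected and learned prefixes are taken from the table above, and 10.0.40.1 is a made-up destination used to show what happens to anything in 10/8 that isn't directly connected.

```python
import ipaddress

# Administrative distances IOS uses for the entries in the table above.
AD_CONNECTED, AD_STATIC, AD_EIGRP, AD_EIGRP_SUMMARY = 0, 1, 90, 5

# Constructed from the routing table in the post (interfaces and next hops as shown).
CONNECTED = {
    "1.1.1.0/24": "Loopback0",
    "10.0.20.0/30": "Serial0/0",
    "10.0.30.0/30": "Serial0/1",
    "172.16.0.0/16": "FastEthernet0/0.2",
    "192.168.1.0/24": "FastEthernet0/0",
}
LEARNED = {  # EIGRP routes as received from the neighbours
    "2.2.2.0/24": "10.0.20.2",
    "3.0.0.0/8": "192.168.1.130",
    "100.0.0.0/24": "192.168.1.100",
    "10.0.0.0/8": "192.168.1.130",
}
STATIC = {"0.0.0.0/0": "192.168.1.100"}


def classful_network(prefix):
    """Classful major network of a prefix: first octet <128 is a /8, <192 a /16, else a /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{bits}", strict=False)


def build_rib(connected, learned, static, auto_summary):
    """Simplified model of the IOS table: {network: (via, admin_distance)}.
    With auto-summary on, EIGRP installs a Null0 route for the classful network of
    every connected subnet that is not already classful; its AD of 5 beats the AD 90
    of the same prefix learned from a neighbour, so the learned /8 disappears."""
    rib = {}
    for prefix, iface in connected.items():
        rib[ipaddress.ip_network(prefix)] = (iface, AD_CONNECTED)
    for prefix, next_hop in static.items():
        rib[ipaddress.ip_network(prefix)] = (next_hop, AD_STATIC)
    if auto_summary:
        for prefix in connected:
            major = classful_network(prefix)
            if major != ipaddress.ip_network(prefix):
                rib[major] = ("Null0", AD_EIGRP_SUMMARY)
    for prefix, next_hop in learned.items():
        net = ipaddress.ip_network(prefix)
        if net not in rib or AD_EIGRP < rib[net][1]:
            rib[net] = (next_hop, AD_EIGRP)
    return rib


def lookup(rib, destination):
    """Longest-prefix match; returns (matched_prefix, via, admin_distance) or None."""
    addr = ipaddress.ip_address(destination)
    candidates = [net for net in rib if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda net: net.prefixlen)
    via, ad = rib[best]
    return str(best), via, ad


if __name__ == "__main__":
    for auto in (False, True):
        rib = build_rib(CONNECTED, LEARNED, STATIC, auto_summary=auto)
        state = "on " if auto else "off"
        print(f"auto-summary {state}: 10.0.40.1 ->", lookup(rib, "10.0.40.1"))
```

With auto-summary off, 10.0.40.1 follows the learned 10.0.0.0/8 toward 192.168.1.130; with it on, the same lookup hits the local null0 summary and the packet is dropped, exactly the "10.0.0.0/8 is a summary ... Null0" line in the second table.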


any questions...

Sunday, January 29, 2012

mode bouncing...

i've been switching between negotiation modes in channel groups...
some things...

setting the channel group mode to on builds the etherchannel with no negotiation protocol at all (the protocol column shows -), much like a trunk with nonegotiate: nothing is negotiated, so both ends must be set to on or the bundle won't form cleanly...
switching between pagp and lacp doesn't have to be done with the channel-protocol command, it happens implicitly by choosing the channel group mode; desirable and auto are pagp, active and passive are lacp:


sw2950_01(config-if-range)#channel-group 6 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

when the member interfaces go into errdisable, shut and no shut has to be performed on the poX interface itself to bring the aggregated port back...

sw2950_01#sh etherch summ
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------

1      Po1(SU)         LACP      Fa0/5(Pd)   Fa0/6(P)
2      Po2(SU)         LACP      Fa0/7(Pd)   Fa0/8(P)





Saturday, January 28, 2012

bundles...

  etherchannel can be configured with 2 to 8 links per bundle.  at the high end, with fastethernet, that is a theoretical 800Mbps each way, or 1600Mbps if you count both directions of full duplex as 200Mbps per link. this is a yardstick, not a realistic expectation...

that given, it is also not realistic that each link in the bundle will carry its maximum load; the switch hashes each frame (by source mac on a 2950 by default) onto one member, so a single conversation never gets more than one link's worth of bandwidth, and the spread across the members will be uneven at best...

it is also true that in the event of a single link failure, the remaining members pick up the traffic as the hash is recomputed over fewer links... conversely, as links are restored, traffic is redistributed back onto them...

bundles are comprised of up to 8 ports of the same physical ethernet type... the members must be configured identically: the same access vlan, or if trunks the same native vlan and allowed vlans, as well as the same speed, duplex and spanning tree settings... a member that doesn't match won't bundle...
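The uneven spread described above, as an added example rather than anything from the post: a simplified python model of how a Catalyst deals the eight hash buckets across the members. The 3-bit hash (eight buckets) and the round-robin bucket assignment follow Cisco's documented behaviour; the exact hash function (here the XOR of the low-order address bits), the 2 to 8 member range and the traffic mix are assumptions.

```python
# Simplified model of Catalyst EtherChannel load distribution.  The documented
# behaviour is a 3-bit hash, eight buckets, spread over the member links; the
# hash function itself is not documented, so the XOR below is an assumption.
BUCKETS = 8


def _mac_int(mac):
    """'0009.b752.d783' or '00:09:b7:52:d7:83' -> integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def hash_bucket(src_mac, dst_mac, method="src-mac"):
    """Bucket 0-7 a frame hashes to.  'src-mac' (the 2950 default) looks only at
    the source; 'src-dst-mac' XORs both addresses."""
    if method == "src-mac":
        value = _mac_int(src_mac)
    elif method == "dst-mac":
        value = _mac_int(dst_mac)
    elif method == "src-dst-mac":
        value = _mac_int(src_mac) ^ _mac_int(dst_mac)
    else:
        raise ValueError(f"unknown load-balance method {method!r}")
    return value & (BUCKETS - 1)


def bucket_to_link(bucket, n_links):
    """Buckets are dealt round-robin over the members; only 2, 4 and 8 links divide 8 evenly."""
    if not 2 <= n_links <= 8:
        raise ValueError("a bundle has 2 to 8 members")
    return bucket % n_links


def link_shares(n_links):
    """Fraction of the hash space each member owns, e.g. 3 links -> 3/8, 3/8, 2/8."""
    counts = [0] * n_links
    for bucket in range(BUCKETS):
        counts[bucket_to_link(bucket, n_links)] += 1
    return [c / BUCKETS for c in counts]


def distribute(frames, n_links, method="src-mac"):
    """Bytes per member for a list of (src_mac, dst_mac, length) frames."""
    load = [0] * n_links
    for src, dst, length in frames:
        load[bucket_to_link(hash_bucket(src, dst, method), n_links)] += length
    return load


# Constructed traffic: one busy host (the 192.168.1.5 station from the mac table
# post) sending 1500-byte frames to four made-up destinations whose low address
# bits differ, so the src-dst hash has something to work with.
HOST = "e89a.8f98.a703"
PEERS = ["0200.0000.0010", "0200.0000.0011", "0200.0000.0012", "0200.0000.0013"]
TRAFFIC = [(HOST, peer, 1500) for peer in PEERS for _ in range(100)]

if __name__ == "__main__":
    print("shares with 3 links:  ", link_shares(3))
    print("src-mac, 4 links:     ", distribute(TRAFFIC, 4))  # all on one member
    print("src-dst-mac, 4 links: ", distribute(TRAFFIC, 4, "src-dst-mac"))
```

The point the numbers make: with source-mac hashing, everything one host sends rides a single member no matter how many links are in the bundle, and with three, five, six or seven members some links get a bigger slice of the hash space than others.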

to be continued...

for vtpete's sake...


  vtp is vlan trunking protocol, which really has nothing to do with trunking beyond riding over trunk links... vtp creates a vlan management domain, optionally password protected, in which a server creates vlans (and only vlans, not port assignments) and distributes them to the clients throughout the domain... wow

  the vtp configuration revision number decides whose vlan database wins... a higher number at the server will force the clients to overwrite their vlan.dat with the freshly minted vlans.  the catch is that the comparison is purely numeric within a domain (same name, and same password if one is set), so a switch carrying a higher revision number, client or server, will not only ignore the server but push its own database across the domain; a recycled lab switch plugged into production with a stale high revision can wipe every vlan in the domain... check it (show vtp status) and reset it to zero, by changing the domain name or by flipping the switch to transparent mode and back, before it touches a trunk... a device in transparent mode keeps its own vlan database, passes advertisements along, and does not act on them...

  vtp pruning stops flooded traffic (broadcasts, multicasts, unknown unicasts) for a vlan from being sent down trunks to switches that have no active ports in that vlan.  it does not stop per-vlan spanning tree, which still runs an instance for every vlan allowed on the trunk, so the cpu cost stays.  the guidance is to prune manually with switchport trunk allowed vlan, which removes both the flooded traffic and the stp instance, and transparent mode switches are not pruned by vtp at all...

so much for vtp...

l2 to l3/bridging the gap...

  a vlan is a layer 2 construct, a pointer to layer 3, an association by layer 2 to layer 3...
vlan=network=subnet=broadcast domain

  a broadcast domain is the set of devices that receive each other's broadcasts... a switch creates more and smaller collision domains, one per port, but it floods broadcasts, multicasts and unknown unicasts to every port in the vlan, so the whole vlan is one broadcast domain... a layer 3 device creates an additional broadcast domain with each interface (or subinterface) it introduces: it receives all broadcasts from a connected switch and drops them (unless told otherwise, as with ip helper-address)... that action is what defines the edge of the broadcast domain... this layer 3 device is affectionately known as a router... vlan=network=subnet=broadcast domain


  a vlan number is the only requirement when creating a vlan. of course it's fairly useless without ports added to it, and a descriptive name would be nice also, but these are not required...

  an end-to-end vlan spans the entire switched network and should be avoided as such, since every switch then carries its broadcasts and its spanning tree instance; a local vlan stays within its switch block and is preferred...

  a vlan trunk can carry multiple vlans' traffic across the network

 isl encapsulates a frame for tagged transit whereas the preferred method of tagging is 802.1q, which injects a 4 byte field into the frame... 802.1q does not tag the native vlan; the native vlan is identified by the lack of a tag...

  dtp is dynamic trunking protocol.  it is cisco's trunk negotiation mechanism, and on a 2950 a port with no switchport mode configured defaults to dynamic desirable, which means it will form a trunk with anything that talks dtp back to it... an explicit switchport mode access stops the port sending dtp; a port that must trunk should be set to switchport mode trunk with switchport nonegotiate so the trunk is never up for negotiation at all...

  the native vlan is a settable parameter and is vlan 1 by default... it is recommended to move the native vlan to an otherwise unused vlan after bringing the switch up... it is important to match the native vlans on both ends of a trunk: a mismatch produces %CDP-4-NATIVE_VLAN_MISMATCH warnings, pvst+ blocks the inconsistent vlan on the port, and anything that does get through untagged lands in the wrong vlan on the far side...

of channels and trunks...

this is very exciting...

i got some more crossed cables today specifically to experiment with etherchannel, and trunking at the same time without losing connectivity...

i now have a 4 wire trunk and a 4 wire etherchannel across the 3 switches... trunk = 2 xcables from s2 to s1, then 2 xcables from s1 to 3550... likewise for the etherchannel, 2 xcables from s2 to s1, then 2 from s1 to 3550...

as i thought would happen, the etherchannel took over and put the trunk ports in alt/blk... see below


sw2950_02#sh spann

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn BLK 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Po1              Root FWD 12        128.65   P2p


when i shut down the etherchannel, the network converges on the trunk, like so...


sw2950_02(config)#int po1
sw2950_02(config-if)#shut

05:46:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
05:46:33: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
05:46:33: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down



the trunk is back in business...


sw2950_02(config-if)#


Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p




then



sw2950_02(config-if)#no shut
05:50:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
05:50:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to up
sw2950_02(config-if)#
05:50:11: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
05:50:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

and the etherchannel takes over once again...


sw2950_02(config-if)#do sh ether summ
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------

1      Po1(SU)          -        Fa0/5(Pd)   Fa0/6(P)


but you knew this would happen...

mismatched 802.3's...

duplex mode for a switchport can take one of two states, half or full.  half duplex means the port can send or receive, one direction at a time.  full duplex allows a switchport to send and receive simultaneously.

autonegotiation lets each end of a link advertise its speed and duplex capabilities and settle on the best combination both support; for example, if one side is limited to half duplex and the other is capable of full, the link comes up half duplex on both ends.  the catch is that negotiation needs both ends to talk: if one side is hardcoded to full duplex with negotiation off, the auto side can only detect the speed (parallel detection) and falls back to half duplex, which is the classic way a mismatch gets created.

a duplex mismatch will occur between ports set for conflicting duplex modes.  this does not mean that communication is lost, there will still be link lights on both sides, but it manifests as errors across the line: collisions and late collisions on the half duplex side, fcs and runt errors on the full duplex side, and cdp complaining about it... suboptimal...


sw2950_02#
03:15:48: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/1 (not half duplex), with sw2950_01 FastEthernet0/3 (half duplex).
03:15:48: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/1


ieee 802.3 is the standard that defined 10Mbps 802.3 ethernet,  and its later incarnations fast, gig and 10gig

anatomy of a mac (cam) table...


the annotations on the right of each row are associations pulled from the arp table below...

sw2950_02#sh mac-add
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0009.b73f.ce80    STATIC      CPU         Base ethernet MAC Address: 00:09:B7:3F:CE:80
 All    0100.0ccc.cccc    STATIC      CPU         cisco protocol destination: CDP/VTP/DTP/PAgP/UDLD
 All    0100.0ccc.cccd    STATIC      CPU         PVST+ BPDU destination
 All    0100.0cdd.dddd    STATIC      CPU         CGMP
   1    0009.b752.d783    DYNAMIC  Fa0/1      sw 1 port 3 192.168.1.111 
   1    984b.e1fb.2940    DYNAMIC    Fa0/17    printer  192.168.1.250    984b.e1fb.2940  
   1    c03f.0eab.d1ec    DYNAMIC     Fa0/1      internet 192.168.1.1       c03f.0eab.d1ec
   1    e89a.8f98.a703    DYNAMIC     Fa0/19    host 192.168.1.5            e89a.8f98.a703 
  10    0009.b752.d783    DYNAMIC  Fa0/1      sw 1 port 3 192.168.1.111 
  20    0009.b752.d783    DYNAMIC  Fa0/1      sw 1 port 3 192.168.1.111 



sw2950_02#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.111           0   0009.b752.d780  ARPA   Vlan1
Internet  192.168.1.100           2   000f.8ffe.0980  ARPA   Vlan1
Internet  192.168.1.112           -   0009.b73f.ce80  ARPA   Vlan1
Internet  192.168.1.50           57   000f.2394.6c40  ARPA   Vlan1
Internet  192.168.1.11            0   000d.4b36.717b  ARPA   Vlan1
Internet  192.168.1.1             1   c03f.0eab.d1ec  ARPA   Vlan1
Internet  192.168.1.5             0   e89a.8f98.a703  ARPA   Vlan1
Internet  192.168.1.250           1   984b.e1fb.2940  ARPA   Vlan1

switch discussion 01

  a collision domain is defined by a network segment that has the potential for a collision during a frame's transit... these segments are shared media, half duplex...
carrier sense multiple access with collision detection (csma/cd) is the mechanism that lets the collision domain's participants coexist...

before transmitting, listen to the media (carrier sense)
if the media is clear, transmit the frame
if a collision is detected while transmitting, send a jam signal and stop
run the backoff algorithm: each participant waits a random number of slot times, the range doubling with each successive collision (after 16 attempts the frame is discarded)
after the backoff expires, start again from step 1

this is known as a contention network... a full duplex switched port has no contention and no collisions, so csma/cd is switched off there

flooding, and the unknown unicast
  when a switch receives a frame whose destination is broadcast or multicast, ship it on all ports in that vlan except the one upon which it was received...
  if the destination is unicast and not in the mac table, again, ship it on all ports in the vlan except the one upon which it was received... in other words, flood the unknown unicast...
  if the destination is unicast, the address is in the table, and the associated port is not the one upon which it was received, ship it to that port only
  if the destination is in the table on the very port the frame arrived on, drop the frame; the destination already heard it

in every case the source address and ingress port are learned first, which is how the table gets populated... multicast, broadcast and unknown unicast are always flooded
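The forwarding rules above and the cam table from the earlier post, as an added example (python, not code from the post): a vlan-aware learning switch whose table has the same shape as the mac-address-table rows, (vlan, mac) -> port. The port layout and the extra host on Fa0/20 are constructed; the host and printer macs are the ones from the mac table output.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "vlan src dst")
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """Multicast (and broadcast) macs have the low-order bit of the first octet set."""
    first_octet = int(mac.replace(".", "").replace(":", "")[:2], 16)
    return bool(first_octet & 1)


class LearningSwitch:
    def __init__(self, port_vlans):
        # port_vlans: {port: set of vlans the port carries}; a trunk lists several.
        self.port_vlans = {port: set(vlans) for port, vlans in port_vlans.items()}
        self.table = {}  # (vlan, mac) -> port, like the rows of show mac-address-table

    def receive(self, in_port, frame):
        """Process one ingress frame; return the sorted list of egress ports (empty = dropped)."""
        if frame.vlan not in self.port_vlans[in_port]:
            return []  # vlan not carried by this port: drop
        # learning comes first and uses only the source address; nothing verifies it
        self.table[(frame.vlan, frame.src)] = in_port
        if frame.dst == BROADCAST or is_group_address(frame.dst):
            return self._flood(in_port, frame.vlan)
        out_port = self.table.get((frame.vlan, frame.dst))
        if out_port is None:
            return self._flood(in_port, frame.vlan)  # unknown unicast
        if out_port == in_port:
            return []  # destination sits on the ingress segment: filter
        return [out_port]

    def _flood(self, in_port, vlan):
        """Every port carrying the vlan except the one the frame came in on."""
        return sorted(port for port, vlans in self.port_vlans.items()
                      if vlan in vlans and port != in_port)

    def mac_address_table(self):
        """Rows like show mac-address-table: (vlan, mac, port)."""
        return sorted((vlan, mac, port) for (vlan, mac), port in self.table.items())


# Constructed topology modelled on the cam table post: Fa0/1 is the trunk to sw1,
# Fa0/17 the printer, Fa0/19 the host, Fa0/20 a made-up access port in vlan 10.
PORTS = {"Fa0/1": {1, 10, 20}, "Fa0/17": {1}, "Fa0/19": {1}, "Fa0/20": {10}}
HOST, PRINTER = "e89a.8f98.a703", "984b.e1fb.2940"

if __name__ == "__main__":
    sw = LearningSwitch(PORTS)
    print(sw.receive("Fa0/19", Frame(1, HOST, PRINTER)))  # unknown unicast: flooded in vlan 1
    print(sw.receive("Fa0/17", Frame(1, PRINTER, HOST)))  # reply: host is known, one port
    print(sw.receive("Fa0/20", Frame(10, "0200.0000.0a01", BROADCAST)))  # vlan 10: trunk only
    print(sw.mac_address_table())
```

Two things worth noticing when it runs: the first frame toward the printer is flooded but the printer's reply is not, because the host was learned on the way out; and a broadcast in vlan 10 never reaches the vlan 1 ports, which is the vlan=broadcast domain equation in action. The table is populated from source addresses alone, nothing checks them.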

  multi-layer switching using specialized hardware is known as topology-based switching... the layer 3 routing process populates a forwarding database (the fib, plus an adjacency table of next-hop rewrites) that mirrors the routing table... that database is consulted in hardware so that packets can be forwarded at wire speed... this is also known as cef... the table is updated whenever the routing table changes

  mac table versus cam table
  these terms are interchangeable... a cam table lookup is a mac-address-table lookup... the cam (mac) table maps a vlan and mac address, learned from the source addresses of frames arriving on a port, to that port; destination lookups consult it... this table changes dynamically and is consulted for every frame for proper layer 2 switching to occur...

  tcam (ternary content addressable memory) is not the mac table but a sibling: where cam answers exact matches, tcam allows a third state per bit, a don't care, so that a lookup can match a masked pattern in one shot... that is what makes ip prefixes, acl entries and qos classifiers matchable at wire speed


sw3550_01#sh tcam ?
  inacl   Show Ingress ACL TCAM
  outacl  Show Egress ACL TCAM
  pbr     Show PBR TCAM
  qos     Show Ingress QoS TCAM


  it is in these last three that we begin the journey to multi-layer switching...






Friday, January 27, 2012

a funny thing happened on the way to the forum...

   one of the first things i did after passing ccna was to check out the cisco cert forums... i'd never been a fan of these in the past as i didn't want to roll around in ccnaland discussing the OSI model and csma/cd the rest of my worldly existence, but i also believed i had no business jumping ahead to a more advanced cert forum until i earned my stripes... i still believe that... it's a personal thing, an integrity thing, just as i now believe i have no business poking my head around the ccie forums... now that i've earned my way into the middle, i will stay in the middle until i fight my way out...

  what i did was take it slow... i signed on for two groups at cisco;  ccna voice and ccnp... i belong in those groups... another thing i did was to set up email notification...this has proved enlightening... i get emails throughout the day, questions, comments, etc. and i read through them as i can, reply to the ones when i feel confident of adding an intelligible remark, and use them as a source of study material... when questions and comments come along i like to prove their veracity with example output from my equipment... this helps me get out of my particular study rut of the moment and back on to practical application...

  if you don't have a cco account yet, i'm not sure what you're waiting for... you know how it is; there's the right answer, the wrong answer, and cisco's answer... no point in pooh-poohing the issue; this is what we signed on for, better or worse... get it from the horse's mouth  and then dispute it at length... and always dispute it... question everything... just because it's printed by cisco, just because it's in cisco's database doesn't always mean it's correct...

  the other truly great thing is you never know when a rock star is going to pop in and sample some content...
our rock stars, like keith barker, paul geschw(fill in the blanks), scott morris, narbik and other designated vip's and decorated ccie's... it happens more often than you think... you can almost feel the written type become reverential... paul geschw actually laughed at one of my technical jokes last night...

i'm a geek, so sue me... but i'm a happy geek...


Thursday, January 26, 2012

the wired wiry wireless...

it's astounding how many wires it takes to make a wireless network...

independent basic service set- pc's connecting to each other; no ap

basic service set- pc's communicating wirelessly with a single ap

extended service set- two or more ap's

wow... this is very exciting

an ap creates a bridge in the air to allow clients (pc's) to get to a wired network... or is it a rainbow...

a wireless client outside the cell range is lonely...

a rogue ap has lost its mind, and escaped from the asylum

wireless is like blowy and stuff...

Wednesday, January 25, 2012

cst...

common spanning tree

the original iteration of 802.1q defined a single instance of spanning tree regardless of the number of vlans; a common tree for the entire network.  when a path is blocked as the tree converges, as it will be, there is but one path for all the vlans to traverse toward their destination.

this is hardly fair for the multiple vlans that could potentially take more than one path if given the opportunity.

so the common tree does not allow for load balancing although this is ultimately less cpu intensive.

enter mst

by definition mst supports multiple trees, like pvst, which runs an instance per vlan.  unlike pvst, though, mst maps many vlans onto a few instances, so vlans can be grouped and sent across different paths without paying for an instance each; many vlans, fewer instances, fewer cpu cycles...

shit's getting deep... baby steps...

Tuesday, January 24, 2012

rapid trees...

new roles

root port - each non-root switch determines its lowest cost path to the root switch; the port that path leaves by is its root port

designated - on every segment exactly one port forwards toward the root on behalf of that segment; the switch offering the lowest cost to the root from that segment holds the designated port

alternate - a port receiving better bpdus from another switch; a second path to the root that can take over for the root port immediately (this is what was simply a blocked port in 802.1d)

backup - a port receiving bpdus from this same switch on a segment it already serves; a redundant connection to that segment (a hub, or a looped cable), also discarding

wow... take human bites...

what is the only switch in the tree that doesn't have a root port?
this is the root switch

is it ok to call it a switch now?

sw2950_01(config)#spann mode rapid-pvst

sw2950_01(config)#do sh spann vlan 50

VLAN0050
  Spanning tree enabled protocol rstp
  Root ID    Priority    24626
             Address     0009.b752.d780
             This bridge is the root (its really a switch)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24626  (priority 24576 sys-id-ext 50)
             Address     0009.b752.d780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p Peer(STP)
Fa0/4            Desg FWD 19        128.4    P2p Peer(STP)

what is 24576 plus 50

Monday, January 23, 2012

you're out of your tree...

a disabled port does not participate in spanning tree; it is either administratively down, or faulty... it does not block, it is down

a blocked port is participating in spanning tree; it forwards no frames and learns no addresses, but it receives bpdu's

a port moves to the listening state when it is determined to have the potential to forward; it is transitioning.  it is still not sending or receiving user frames, but now it both receives and sends bpdu's, taking part in the root and designated port election, on its way to the learning state

a port transitions from listening to learning before it gets to forwarding.  in the learning state the port is adding mac's to its table from the frames it sees, still without forwarding them.  it is one step closer to forwarding.  if it loses its potential at any point, it reverts to blocking.

forwarding... the port has made it to the show after the requisite forward delay in each of the transitory states (15 seconds each by default).  it is adding mac addresses to its table, it is sending and receiving frames and bpdu's... it is in the bigs...

spanning tree, i do love thee...


Sunday, January 22, 2012

transparent bridging...

this term always annoyed me... one of those things in this game that is taken for granted, repeated over and over until it finally means nothing at all...

yeah, that's a transparent bridge... you can look right through it...

it's made of glass, that's why you can see on the other side...

you know how like water you can see down in it...

a transparent bridge is like, your car windshield, kind of...

frames across a bridge are forwarded without being modified and without the end stations doing anything to route them; the hosts neither address the bridge nor know it is there, and that is what makes the bridging transparent (as opposed to source-route bridging, where the station itself specifies the path)...


ok... no... i am still not satisfied...

my members...



etherchannel configuration...  it's a good idea if both sides match...


interface FastEthernet0/1
 switchport mode trunk
 speed 100
 duplex full
 channel-group 1 mode on
!
interface FastEthernet0/2
 switchport mode trunk
 speed 100
 duplex full
 channel-group 1 mode on
!
interface FastEthernet0/3
 switchport mode trunk
 speed 100
 duplex full
 channel-group 2 mode on
!
interface FastEthernet0/4
 switchport mode trunk
 speed 100
 duplex full
 channel-group 2 mode on

nice way to keep track of membership...


sw2950_01#sh int port-chan 1 | inc Members
  Members in this channel: Fa0/1 Fa0/2
sw2950_01#


sw2950_01#sh int port-chan 2 | incl Members
  Members in this channel: Fa0/3 Fa0/4
sw2950_01#

don't let spanning tree decide the root for you; by default the lowest mac wins, which is usually the oldest switch in the building... the root id is the id of the root and the bridge id is the id of this switch... if the two show the same priority and the same mac, this is the root... if it says this is the root, this is the root... if all ports are designated and forwarding, this is the root... how do you like my root...


sw2950_01(config)#spann vlan 50 root primary

sw2950_01(config)#do sh spann vlan 50

VLAN0050
  Spanning tree enabled protocol rstp
  Root ID    Priority    24626
             Address     0009.b752.d780
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24626  (priority 24576 sys-id-ext 50)
             Address     0009.b752.d780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po2              Desg FWD 12        128.65   P2p
Po1              Desg FWD 12        128.66   P2p

sw2950_01(config)#

and some aggregation up inside..


sw2950_01(config)#do sh int port-channel1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0009.b752.d781 (bia 0009.b752.d781)
  MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s, media type is unknown media type
  input flow-control is off, output flow-control is off
  Members in this channel: Fa0/1 Fa0/2
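The bridge id arithmetic from the rapid trees post (24576 + 50 = 24626) and the root primary command above, as an added example (python, not IOS): how the id is assembled, how the root is elected from it, and what root primary does to the priority. The two 2950 macs are the ones shown in this blog's output; the third switch's mac is made up. The root primary logic follows the documented macro (24576 if that undercuts the current root, otherwise 4096 below it) and is a model, not IOS code.

```python
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576


def mac_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority, vlan, mac):
    """PVST bridge id: the 4-bit priority (a multiple of 4096) plus the 12-bit
    system-id extension, which is the vlan number, then the base mac as tie-breaker."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return (priority + vlan, mac_int(mac))


def elect_root(switches, vlan):
    """switches: {name: (priority, base_mac)}.  Lowest bridge id wins; with equal
    priorities that is the lowest mac, i.e. usually the oldest box in the building."""
    return min(switches,
               key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


def root_primary(current_root_priority):
    """Model (assumption) of 'spanning-tree vlan N root primary': 24576 if that
    undercuts the current root's priority, otherwise 4096 below it."""
    if current_root_priority > ROOT_PRIMARY_PRIORITY:
        return ROOT_PRIMARY_PRIORITY
    if current_root_priority >= 4096:
        return current_root_priority - 4096
    raise ValueError("current root already has priority 0; raise the others instead")


# Constructed lab: the 2950 macs are from the posts above, sw3550_01's is made up.
LAB = {
    "sw2950_01": (DEFAULT_PRIORITY, "0009.b752.d780"),
    "sw2950_02": (DEFAULT_PRIORITY, "0009.b73f.ce80"),
    "sw3550_01": (DEFAULT_PRIORITY, "0200.1111.2222"),
}

if __name__ == "__main__":
    print("all defaults, vlan 50 root:", elect_root(LAB, 50))  # lowest mac wins
    new_priority = root_primary(DEFAULT_PRIORITY)
    forced = dict(LAB, sw2950_01=(new_priority, LAB["sw2950_01"][1]))
    print("bridge id after root primary:", bridge_id(new_priority, 50, LAB["sw2950_01"][1])[0])
    print("root now:", elect_root(forced, 50))
```

Left to the defaults, sw2950_02 wins vlan 50 on the strength of a slightly lower mac; after root primary on sw2950_01 its priority drops to 24576, the bridge id reads 24626 as in the output, and it takes the root.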



does dtp ever stop...

there's this idea floating around that if nonegotiate is NOT used along with the sw mode access command, that somehow dtp will still leak through trunks or vlans, or osmosis, or something to the access port...  ok... not sure if dtp is that stealthy...


sw2950_02#sh run int fa0/19
Building configuration...

Current configuration : 58 bytes
!
interface FastEthernet0/19
 speed 100
 duplex full
end

sw2950_02#sh int fa0/19 sw
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

notice the administrative mode and operational mode...

sw2950_02#
1d10h: DTP-pkt:Fa0/2:  ID: 0009B752D784 ../dyntrk/dyntrk_core.c:1462
1d10h: DTP-pkt:Fa0/19:Sending packet ../dyntrk/dyntrk_process.c:1235
1d10h: DTP-pkt:Fa0/19:  TOS/TAS = ACCESS/DESIRABLE ../dyntrk/dyntrk_process.c:12
38
1d10h: DTP-pkt:Fa0/19:  TOT/TAT = 802.1Q/802.1Q ../dyntrk/dyntrk_process.c:1241
1d10h: DTP-pkt:Fa0/19:datagram_out ../dyntrk/dyntrk_process.c:1273
1d10h: DTP-pkt:Fa0/19:datagram_out encap ../dyntrk/dyntrk_process.c:1285
sw2950_02#
1d10h: DTP-pkt:Fa0/18:Sending packet ../dyntrk/dyntrk_process.c:1235
1d10h: DTP-pkt:Fa0/18:  TOS/TA

now we turn on sw mode access explicitly

sw2950_02(config)#int fa0/19
sw2950_02(config-if)#sw mode access
sw2950_02(config-if)#do sh run int fa0/19
Building configuration...

Current configuration : 82 bytes
!
interface FastEthernet0/19
 switchport mode access
 speed 100

sw2950_02(config-if)#do sh int fa0/19 sw
Name: Fa0/19
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

sw2950_02(config-if)#
1d10h: DTP-pkt:Fa0/2:  ID: 0009B752D784 ../dyntrk/dyntrk_core.c:1462
sw2950_02(config-if)#
1d10h: DTP-pkt:Fa0/18:Sending packet ../dyntrk/dyntrk_process.c:1235
1d10h: DTP-pkt:Fa0/18:  TOS/TAS = ACCESS/DESIRABLE ../dyntrk/dyntrk_process.c:12
38
1d10h: DTP-pkt:Fa0/18:  TOT/TAT = 802.1Q/802.1Q ../dyntrk/dyntrk_process.c:1241
1d10h: DTP-pkt:Fa0/18:datagram_out ../dyntrk/dyntrk_process.c:1273
1d10h: DTP-pkt:Fa0/18:datagram_out encap ../dyntrk/dyntrk_process.c:1285
sw2950_02(config-if)#
1d10h: DTP-pkt:Fa0/2:Sending packet ../dyntrk/

no more dtp packets...

and this...

sw2950_02(config-if)#do sh dtp int fa0/19
DTP information for FastEthernet0/19:
  TOS/TAS/TNS:                              ACCESS/OFF/ACCESS
  TOT/TAT/TNT:                              NATIVE/802.1Q/NATIVE
  Neighbor address 1:                       000000000000
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       never/STOPPED
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S1:OFF
  # times multi & trunk                     0
  Enabled:                                  no
  In STP:                                   no

sw2950_02(config)#do sh run int fa0/18
Building configuration...

Current configuration : 58 bytes
!
interface FastEthernet0/18
 speed 100
 duplex full
end

sw2950_02(config)#do sh dtp int fa0/18
DTP information for FastEthernet0/18:
  TOS/TAS/TNS:                              ACCESS/DESIRABLE/ACCESS
  TOT/TAT/TNT:                              NATIVE/802.1Q/802.1Q
  Neighbor address 1:                       000000000000
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       28/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S2:ACCESS
  # times multi & trunk                     0
  Enabled:                                  yes

sw2950_02(config)#do sh int fa0/18 sw
Name: Fa0/18
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
  In STP:                                   no

dtp stops when put in access mode explicitly, so i don't know what that guy is talking about with nonegotiate



Saturday, January 21, 2012

he-lans...


vlan tagging and 802.1q

802.1q introduced the concept of the native vlan. frames on the native vlan cross the trunk
untagged, and frames that arrive untagged are assigned to it.  other vlans are tagged, and thereby
identified, by a two byte tag protocol identifier (TPID) which always has the value 0x8100
(802.1q tag) followed by two bytes of Tag Control Information (TCI), bringing the total to 4
bytes.  the tci contains a 3 bit priority field (PCP, priority code point) to carry class of service
(COS) and a 12 bit VID (vlan identifier). the single bit remaining, sandwiched between
the pcp and vid, is the canonical format identifier (allowing compatibility for ethernet and
token ring; later revisions of the standard renamed it the drop eligible indicator, DEI). this will be set to 0 for ethernet (if it is set to 1, token ring, you are
working on a network from the last century) I actually supported a token ring network in
the 90's and it was great--back then.

802.1q does not encapsulate the frame although some authors refer to it as such.  it inserts
this four byte field between the source mac and the ethertype field, and the frame check sequence
is recomputed to cover it.  encapsulation of frames for vlan identification is the purview of that other thing (isl) that cisco
should finally make go away and stop mentioning in cisco press books.
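The tag layout above, together with the native vlan behaviour from the earlier vlan posts, as an added example (python, not code from the post): a builder that inserts the four bytes where a trunk port would, leaves the native vlan untagged, and a parser that takes them apart again. The receiving side assigns untagged frames to its own native vlan, which is where a native vlan mismatch shows up. The macs are the host and printer from the mac table post; the payload is a stand-in, not a real packet.

```python
import struct

TPID = 0x8100          # tag protocol identifier, always 0x8100 for 802.1Q
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def _mac_str(raw):
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def tag_frame(dst, src, ethertype, payload, vid, pcp=0, cfi=0, native_vid=1):
    """Build the frame as a trunk port would send it: the native vlan leaves untagged,
    any other vlan gets TPID + TCI inserted between the source mac and the ethertype.
    TCI = 3 bits PCP | 1 bit CFI (DEI in newer revisions) | 12 bits VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("vid must be 1..4094 (0 is priority-only, 4095 is reserved)")
    if not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("pcp is 3 bits, cfi is 1 bit")
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vid == native_vid:
        return header + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (cfi << 12) | vid
    return header + struct.pack("!HHH", TPID, tci, ethertype) + payload


def parse_frame(frame, native_vid=1):
    """Receive side: pull the tag apart if present, otherwise assign the frame to
    the receiver's native vlan, which is where a native vlan mismatch bites."""
    if len(frame) < 14:
        raise ValueError("runt: shorter than an ethernet header")
    dst, src = _mac_str(frame[:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return {"dst": dst, "src": src, "tagged": False, "vid": native_vid,
                "pcp": 0, "cfi": 0, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "vid": tci & 0x0FFF,
            "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "ethertype": inner,
            "payload": frame[18:]}


# Constructed sample: the host from the mac table post sending to the printer.
HOST, PRINTER = "e89a.8f98.a703", "984b.e1fb.2940"
PAYLOAD = b"\x45\x00" + bytes(44)   # stand-in IPv4 payload, not a real packet

if __name__ == "__main__":
    tagged = tag_frame(PRINTER, HOST, ETHERTYPE_IPV4, PAYLOAD, vid=50, pcp=5)
    print(tagged[12:18].hex())                           # 8100 a032 0800
    print(parse_frame(tagged)["vid"])                    # 50
    untagged = tag_frame(PRINTER, HOST, ETHERTYPE_IPV4, PAYLOAD, vid=1)  # native: no tag
    print(parse_frame(untagged, native_vid=99)["vid"])   # 99: mismatched native vlans
```

The last line is the mismatch case in miniature: a frame the sender considered vlan 1 traffic leaves untagged, and a peer whose native vlan is 99 files it under 99.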

DTP as well as VTP are technologies that should also go away... are you going to trust your
trunks to discover each other... no... a port left in dynamic desirable or dynamic auto will
negotiate a trunk with anything on the wire that talks DTP, and whoever gets that trunk gets
every vlan carried on it... are you going to deploy a new switch without configuring the proper
vlans... no... of course not... and a switch joining your VTP domain with a higher revision number
overwrites your vlan database, so VTP is a risk, not a convenience... hardcode the trunks
(switchport mode trunk plus switchport nonegotiate), put everything else in switchport mode
access, run VTP transparent or off, and will you save bandwidth and retain your sanity... yes

even mentioning these things, you can almost see the authors cringing:

    "On critical trunk links in a network, manually configuring the trunking mode on both    
    ends is best so that the link never can be negotiated to any other state."

when is a trunk not critical... good Lord... it's embarrassing...

ethercanal...


etherchannel...  there's a lot to it...

sw2950_02#sh etherch 2 ?
  detail        Detail information
  port          Port information
  port-channel  Port-channel information
  protocol      protocol enabled
  summary       One-line summary per channel-group

sw2950_02#sh etherch 2 summ
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------

2      Po2(SU)          -        Fa0/1(Pd)   Fa0/2(P)


sw2950_02#sh etherch 2 port
                Ports in the group:
                -------------------
Port: Fa0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = On/FEC          Gcchange = -
Port-channel  = Po2         GC   =   -             Pseudo port-channel = Po2
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:17m:12s

Port: Fa0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = On/FEC          Gcchange = -
Port-channel  = Po2         GC   =   -             Pseudo port-channel = Po2
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:17m:12s


sw2950_02#

again with errdisable...

it is safe to say that the errdisable state a switchport can land in is inconvenient at best and a pain in the ass mostly...
make a mistake with channel groups (a misconfigured etherchannel) or trip port security and you'll find the ports you're working on go belly up with this silliness... the switch shuts them down on purpose, automatic recovery is off for every cause by default, and when you do turn it on the default recovery interval is 300 seconds... damn...

this is the link that explains the reasoning and the recovery procedures for errdisable...
for automatic recovery you enable it per cause (errdisable recovery cause <cause>, or all), set the timer (errdisable recovery interval <seconds>, 30 to 86400), and then still wait out that interval, a minimum of 30 seconds, before the port comes back...

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml

a simple no shut will not do... the procedures in the link outline recovery, but there is an easier way... once the port is errdisabled, go to the interface, issue shut, then no shut, and the interface comes back... who'd have thought... just fix whatever tripped it first (show interfaces status err-disabled and show errdisable recovery tell you the cause), or it will errdisable again the moment it comes up...

download this pdf now to your local drive... you don't want to get all twisted up with something like this, especially under pressure...

Friday, January 20, 2012

phone 2012...

the baby...



dtp and native trunk mismatch...


this was an interesting exercise, and it's not pretty... below is the spanning-tree state before the ports went to dynamic desirable and before changing the native vlan...

Bridge ID  Priority    20481  (priority 20480 sys-id-ext 1)
             Address     0009.b752.d780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300


Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19  


now to change to dynamic desirable on both ends...


sw2950_01(config-if-range)#sw mode dyn des


sw2950_02(config-if-range)#sw mode dyn des




sw2950_02#sh int trunk


Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    802.1q         trunking      1
Fa0/2       desirable    802.1q         trunking      1


sw2950_01#sh int trunk


Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    802.1q         trunking      1
Fa0/2       desirable    802.1q         trunking      1
Fa0/3       desirable    802.1q         trunking      1
Fa0/4       desirable    802.1q         trunking      1


dtp packets are good...


1d23h: DTP-pkt:Fa0/2:Good DTP packet received: ../dyntrk/dyntrk_core.c:1451
1d23h: DTP-pkt:Fa0/2:  Domain: ozlan ../dyntrk/dyntrk_core.c:1454
1d23h: DTP-pkt:Fa0/2:  Status: TOS/TAS = TRUNK/DESIRABLE ../dyntrk/dyntrk_core.c:1457
1d23h: DTP-pkt:Fa0/2:  Type: TOT/TAT = 802.1Q/802.1Q ../dyntrk/dyntrk_core.c:1459
1d23h: DTP-pkt:Fa0/2:  ID: 0009B752D784 ../dyntrk/dyntrk_core.c:1462
1d23h: DTP-pkt:Fa0/1:Good DTP packet received: ../dyntrk/dyntrk_core.c:1451
1d23h: DTP-pkt:Fa0/1:  Domain: ozlan ../dyntrk/dyntrk_core.c:1454
1d23h: DTP-pkt:Fa0/1:  Status: TOS/TAS = TRUNK/DESIRABLE ../dyntrk/dyntrk_core.


now change the native vlan...


sw2950_02(config)#int range fa0/1 - 2
sw2950_02(config-if-range)#sw trunk native vlan 50


Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg BKN*19        128.1    P2p *PVID_Inc
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg BKN*19        128.4    P2p *PVID_Inc


dtp packets are still good


sw2950_01#
3w2d: DTP-pkt:Fa0/4:  ID: 0009B73FCE82 ../dyntrk/dyntrk_core.c:1462
sw2950_01#
3w2d: DTP-pkt:Fa0/3:Good DTP packet received: ../dyntrk/dyntrk_core.c:1451
3w2d: DTP-pkt:Fa0/3:  Domain: ozlan ../dyntrk/dyntrk_core.c:1454
3w2d: DTP-pkt:Fa0/3:  Status: TOS/TAS = TRUNK/ON ../dyntrk/dyntrk_core.c:1457
3w2d: DTP-pkt:Fa0/3:  Type: TOT/TAT = 802.1Q/802.1Q ../dyntrk/dyntrk_core.c:1459


3w2d: DTP-pkt:Fa0/3:  ID: 000F8FFE0983 ../dyntrk/dyntrk_core.c:1462


here come the nasty native vlan errors... cdp advertises each side's native vlan, so it is the first to complain...


sw2950_01#
3w2d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with sw2950_02 FastEthernet0/1 (50).


and this doesn't look too good...  i couldn't ping and lost connectivity...

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg BKN*19        128.1    P2p *PVID_Inc
Fa0/2            Desg BKN*19        128.2    P2p *PVID_Inc


my conclusion is that although dtp is passing good packets, it doesn't matter... the trunk is no good... then i changed the native vlan back, and...


sw2950_02#
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/1 on VLAN0001.
Port consistency restored.
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/1 on VLAN0050.
Port consistency restored.
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/2 on VLAN0001.
Port consistency restored.
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/2 on VLAN0050.
Port consistency restored.

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

so dtp still works, but the trunk is broken... the reason is that dtp only negotiates whether the link trunks and which encapsulation it uses (the TOS/TAS and TOT/TAT fields in the debug above); it carries no native vlan, so both ends keep reporting a good trunk with different native vlans... cdp does carry the native vlan, which is why it is the one logging the mismatch, and pvst+ is what actually enforces it: the bpdus it receives on the native vlan name a different vlan than the port's own, so it marks the port inconsistent (BKN, *PVID_Inc) and stops forwarding on the vlans involved, which is what killed the pings... the mismatch is a security problem as well as an outage: untagged frames leaving one side as vlan 1 arrive on the other as vlan 50, so traffic crosses a vlan boundary with no router in between... match the native vlan on both ends, keep users off it, and consider vlan dot1q tag native so nothing crosses the trunk untagged at all...
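as an added example (my own code, not from the lab or from cisco), here is a small detector that pulls the cdp mismatch line and the spanning-tree block/unblock lines out of syslog and cross-checks them against the BKN rows of show spanning-tree, which is roughly what you would want a monitoring system to do with this kind of event rather than waiting for the pings to fail. the cdp and unblock lines are the ones from the lab above (joined back onto one line; the unblock lines were logged by sw2950_02), and the spanning-tree rows are the broken ones from the lab; the %SPANTREE-2-BLOCK_PVID_PEER/LOCAL lines are constructed here in the format ios uses for the blocking side, which is an assumption since the post only shows the unblock side.

```python
"""Added example (not from the post): pull native-VLAN mismatch evidence out of IOS
syslog and `show spanning-tree` text and correlate it per interface."""
import re
from dataclasses import dataclass

# CDP and UNBLOCK lines are the post's (joined onto one line; the unblock lines were
# logged on sw2950_02). The BLOCK_PVID lines are constructed in the format IOS uses
# for the blocking side, which the post does not show (assumption).
SYSLOG = """\
3w2d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with sw2950_02 FastEthernet0/1 (50).
3w2d: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/1 on VLAN0050. Inconsistent peer vlan.
3w2d: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/1 on VLAN0001. Inconsistent local vlan.
3w2d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/2 (1), with sw2950_02 FastEthernet0/2 (50).
3w2d: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/2 on VLAN0050. Inconsistent peer vlan.
3w2d: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0001. Inconsistent local vlan.
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/1 on VLAN0001. Port consistency restored.
1d23h: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/1 on VLAN0050. Port consistency restored.
"""

# `show spanning-tree` rows as the post prints them while the link was broken
STP_TABLE = """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg BKN*19        128.1    P2p *PVID_Inc
Fa0/2            Desg BKN*19        128.2    P2p *PVID_Inc
Fa0/3            Desg FWD 19        128.3    P2p
"""

CDP_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)")
BLOCK_RE = re.compile(r"%SPANTREE-2-BLOCK_PVID_(?:PEER|LOCAL): Blocking (?P<if>\S+) on VLAN(?P<vlan>\d+)")
UNBLOCK_RE = re.compile(r"%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking (?P<if>\S+) on VLAN(?P<vlan>\d+)")
# "BKN*19" has no space before the cost, "FWD 19" does; the trailing *reason is optional
STP_ROW_RE = re.compile(
    r"^(?P<if>\S+)\s+(?P<role>\S+)\s+(?P<sts>[A-Z]{3})(?:\*|\s+)(?P<cost>\d+)\s+\S+\s+\S+(?:\s+\*(?P<reason>\S+))?\s*$")


@dataclass(frozen=True)
class Mismatch:
    local_if: str
    local_vlan: int
    peer: str
    peer_if: str
    peer_vlan: int


def short_ifname(name: str) -> str:
    """FastEthernet0/1 -> Fa0/1, so syslog and show output key the same way."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\d\S*)", name)
    return m.group(1) + m.group(2) if m else name


def parse_syslog(text: str):
    """Returns (cdp mismatches in order, {(if, vlan)} blocked, {(if, vlan)} restored)."""
    mismatches, blocked, restored = [], set(), set()
    for line in text.splitlines():
        m = CDP_RE.search(line)
        if m:
            mismatches.append(Mismatch(short_ifname(m["local_if"]), int(m["local_vlan"]),
                                       m["peer"], short_ifname(m["peer_if"]), int(m["peer_vlan"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocked.add((short_ifname(m["if"]), int(m["vlan"])))
            continue
        m = UNBLOCK_RE.search(line)
        if m:
            restored.add((short_ifname(m["if"]), int(m["vlan"])))
    return mismatches, blocked, restored


def broken_ports(stp_text: str) -> dict:
    """Ports `show spanning-tree` reports as BKN, mapped to the reason (e.g. PVID_Inc)."""
    out = {}
    for line in stp_text.splitlines():
        m = STP_ROW_RE.match(line)
        if m and m["sts"] == "BKN":
            out[m["if"]] = m["reason"]
    return out


def assess(syslog_text: str, stp_text: str) -> dict:
    """Per interface: the two native VLANs CDP saw, the peer, the STP verdict, and which
    VLANs are still blocked (blocked and never unblocked)."""
    mismatches, blocked, restored = parse_syslog(syslog_text)
    broken = broken_ports(stp_text)
    report = {}
    for mm in mismatches:
        report[mm.local_if] = {
            "native": (mm.local_vlan, mm.peer_vlan),
            "peer": f"{mm.peer} {mm.peer_if}",
            "stp": broken.get(mm.local_if, "ok"),
            "vlans_blocked": sorted(v for i, v in blocked - restored if i == mm.local_if),
        }
    return report


if __name__ == "__main__":
    for ifname, info in assess(SYSLOG, STP_TABLE).items():
        print(ifname, info)
```

the cdp line alone is only a warning; it is the spanning-tree block on the native vlan that takes the link down, so the report keeps the two apart and only calls an interface clean once every blocked vlan has a matching unblock.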