Back to the Grind! Finished review, bullet points of major details of most topics covered up to GLBP segment!


Not sure why the Batman slapping Robin picture, but I just had to use it 🙂

For the sake of lighting a fire under myself to get back on the grind to finish my CCNP, I’ve paid for the 300-115 SWITCH exam in 6 weeks, so I will be pounding through some review each day until I am caught off to where I left off at GLBP.

I do remember most of this information as I go through it, however review is never a bad thing for Cisco exams, so I decided to post it on my page here to help anyone who wants to review important points in each topic in a very condensed format.

I will publish this for now, and continue editing it until I am fully caught up, so I hope this helps anyone who checks it out, any feedback / corrections to info in the comments section is always appreciated!

Switching Decisions – Flood, Forward, Filter (discard) frames – Frame Types

  • Unknown Unicast Frame = Frame Flooding if host dest MAC not present in MAC table
  • Known Unicast  Frame = Frame Forwarding if host dest MAC present in MAC table
  • Filtered Frame = Frame arriving on the same dest interface in MAC table
  • Broadcast Frames (ffff.ffff.ffff) are treated the same as Unknown Unicast Frames, however Broadcast Frames are MEANT FOR ALL HOSTS whereas Unknown Unicast Frames hit all hosts in the broadcast domain as a result of “flooding”
  • Multicast Frames = MAC begins with 0100.5eXX.XXXX, the actual range being 0100.5e00.0000 – 0100.5e7f.ffff and are treated the same as Broadcast Frames

MAC Address Table info

  • Dynamically learned MAC addresses stay in the MAC table for 300 seconds, and the timer is reset every time a frame is received from that MAC
  • “mac address-table aging-time #” use ? to check time intervals for # value
  • To disable MAC table age-out timer, enter 0 for # value
  • “sh mac address-table aging-time” to verify value set
  • If a Frame is received off a new port than its existing entry in the MAC table, it will immediately be updated in the MAC table, old entry does NOT need to time out
  • When changing ports for hosts, may need to manually configure VLAN for new port
  • MAC table AKA CAM (Content Addressable Memory) Table for Layer 2 switch, Layer 3 MLS Switching requires TCAM (Ternary CAM) for ACL’s / QoS / Routing

SDM – Switching Database Manager – Templates and info

  • SDM Templates allow to allocate resources on MLS switches to make them more aimed towards roles such as Routing, Switching, Security, and IP4-IPv6
  • Default Template – Every process gets fairly equal resources
  • Access Template – Resources allocated to allow maximum number of ACLs
  • Dual-ipv4-and-ipv6 – Aimed for MLS running “Dual-Stack” IPv6 technology, though does not run all IPv6 functionality (like IPv6 multicast for example)
  • Routing – Allocates resources to IPv4 Unicast routing
  • VLAN – Allocates resources to allow CAM tables growth to max # of Unicast MAC addresses, VERY IMPORTANT – DISABLES HARDWARE ROUTING!!!
  • “sh sdm prefer” shows the current SDM template running on an MLS
  • “sdm prefer (type)” to set the template to use in global config, must reload switch for new template to take effect!
  • “sh sdm prefer” will still show current template running until reloaded, but will mention toward bottom of output the next template it will boot into upon reload

Port Speed, Duplexing, Autonegotiation

  • Autonegotiation is the preferred configuration for an interface
  • Autonegotiation supports both half and full duplex, will prefer full duplex
  • Autonegotiation supports the highest common speed between ports if their highest speeds vary (ie FastEthernet connected to a GigEthernet interface)
  • “speed 10/100/1000/auto” on interface config to hard code
  • “duplex half/full/auto” on interface config to hard code
  • If one end of the link is set to “autonegotiation” and the other end is hard coded values, a mechanism called “Parallel Detection”
  • Parallel Detection can detect the speed for autonegotiation to adjust on the auto side, but it CANNOT detect the duplex config, so it will automatically set it to the lower end of Half Duplex
  • “sh run int faX/X” to view configurations, “sh int faX/X” to see the current speed / duplex in use on the interface

PoE information and commands

  • Original PoE standard from Cisco (not IEEE), Cisco Inline Power
  • Cisco Inline Power uses CDP to negotiate power up to 7 watts, works on Ethernet and FastEthernet (no GigEthernet)
  • Next was IEEE 802.3af, theoretically support 15.4 watts though 2.4 watts lost during transmission, does support GigEthernet links
  • Next was IEEE 802.3at, referred to as PoE+, it is backwards compatible and can deliver up to 25.5 watts to devices
  • ^^^ The above standards use 2 wire pairs to deliver PoE to devices
  • The latest iteration of PoE, Cisco UPoE or Universal PoE can deliver up to 60 watts to devices by using 4 wire pairs instead of just 2 – This is a Cisco Standard!
  • “sh power inline (int)” interface is optional, sh power inline shows all interfaces
  • “power inline (auto/consumption/never/static)” on interface to configure power delivered to device
  • Auto can deliver up to 30 watts max, to change the value add “power inline auto max #” to set the max allowed watts to be provided, may be in mW so check with ?
  • When the switch detects a PoE devices connected, it sends all the power it is allowed to provide, then CDP on the device sends back information on how much power is needed, so the switch can throttle back to the needed amount to conserve power
  • THAT BEING SAID – “power inline consumption #” on the interface is used if CDP is not running on the interface, which will not use CDP to negotiate power, it will provide the configured # of power to the device – May void switch warranty.
  • Default Power Inline Consumption value is 15400mW or 15.4 Watts
  • “power inline static (max) (#)” gives priority to the interface to provide power to the device plugged into it, also has the Max # option like “Auto” admin mode
  • “power inline never” on the interface to completely disable PoE on the interface

VLAN Fundamentals

  • A single VLAN network is referred to as a “Flat” network, with a single Broadcast domain, and the point of creating multiple VLANs is to limit the scope of Broadcast traffic to their own VLANs (as each VLAN is its own Broadcast Domain)
  • Best Practice – One VLAN per subnet in the network, VLANs should not reach beyond the Distribution layer in the 3-Layer switch model
  • By default, every port is in VLAN 1
  • Static VLANs are configured, and then the port is configured to be in that VLAN with the command “switchport access vlan #” (make sure port is access port)
  • There are 5 default VLANs on a switch that cannot be deleted: 1, 1002 – 1005
  • “sh vlan” to get full vlan info, or “sh vlan brief” to get a quick overview of vlan info
  • The terms “static” and “dynamic” for VLANs refers to how a port join them, not how the VLAN is created
  • Communication across VLANs requires either a Layer 3 device, or an MLS with SVI interfaces to allow for Layer 3 routing across VLANs
  • “no switchport access vlan #” will place port back into the default / Native VLAN

Dynamic VLAN info

  • VLAN Membership Policy Server (VMPS) is the core of dynamic VLAN configuration
  • Portfast is automatically enabled on VMPS enabled ports
  • VMPS dynamically updates the ports VLAN when it sees a frame from a known MAC on another port come into a new port, it will automatically update the VLAN configuration for the new port the device is plugged into
  • Must disable Port Security entirely to use Dynamic VLAN assignment
  • Trunk ports also cannot get a Dynamic VLAN assignment because they are members of all VLANs by default

Trunking Fundamentals

  • Trunks are members of all VLANs by default, so all VLANs traffic are allowed to traverse them, including broadcasts (not good)
  • Trunks used to require a cross-over cable (for similar devices), but recent switch models have Auto-sense that allows a straight through cable to be used as well
  • “sh int trunk” to get all active trunk information, “sh int faX/X trunk” to see similar output on a Trunk that is not active to troubleshoot the issue
  • Interfaces configured as Trunks will not show up in VLAN brief
  • IEEE 802.1q or dot1q is Industry Standard, performs frame tagging when exiting a switch over a trunk with a VLAN ID, so the receiving switch knows which VLAN to forward the frame to

ISL vs Dot1Q

  • ISL is Cisco Proprietary, will not work in multi-vendor environments
  • ISL performs “Double Tagging” for every frame going over an ISL Trunk, encapsulating the Frame with both a Header and a Trailer, which causes tremendous overhead as compared to single frame tagging of Dot1q
  • ISL does not understand or use Native VLAN concepts
  • ISL has 30 byte overhead, 26 byte VLAN ID Header, 4 byte CRC value
  • Dot1q uses only a 4 byte VLAN ID tag embedded in the frame, and if no tag is present on a Frame received by a downstream switch, the switch assumes its destination is the Native VLAN
  • It is very important both switches have the same Native VLAN for this reason!
  • Dot1q IEEE industry standard Trunking protocol
  • Dot1q may be referred to as “single tagging” because of the way it only tags frames once, and also as “internal tagging” as it embeds the VLAN ID information within the frame instead of adding a header to the frame itself

Native VLAN information

  • The Default Native VLAN is VLAN 1
  • “switchport trunk native vlan #” to configure new Native VLAN, should match across the network Trunk ports
  • Native VLAN should ideally be the VLAN containing the most throughput, to avoid the need for frame tagging on the high volume of frames

Trunk modes / DTP information

  • “switchport mode trunk” = Trunking ON, actively attempting to form Trunk
  • “switchport mode dynamic desirable” = Actively attempting to form a Trunk with either ON, auto, or Desirable configured remote Trunk ports
  • “switchport mode dynamic auto” = Will form a Trunk if the remote end initiates the formation of the Trunk
  • “switchport nonegotiate” – Disables DTP from dynamically forming Trunk
  • Trunk encap is negotiate by default, must set static encap type before switch will allow interface to be configured with “switchport mode trunk”
  • “switchport trunk encap (dot/isl/negotiate) are all valid options the first two being encap types, the third options configures the interface to negotiate the encap type
  • If a switch shows “n-802.1q” or “n-isl” in “sh int trunk”, this is the side that negotiated AKA is in some sort of dynamic trunking mode
  • DTP (Dynamic Trunking Protocol) is a Cisco Proprietary PtP protocol that attempts to negotiate a trunk with the remote switchport it is connected to
  • DTP does this by sending frames every 30 seconds attempting to form the Trunk
  • DTP should be turned off (and used as little as possible), as it can pose a huge security risk as it actively tries to form a Trunk with any device plugged in!
  • “sh dtp” will show how many interfaces are running DTP, “sh dtp int” will give a lot of output on each interface running DTP
  • From the above command, in the middle of interface output will be “Negotiation of Trunking: on/off” to confirm if DTP is active
  • To disable DTP using “switchport nonegotiate” the ports must be configured as static Trunking ON mode, cannot turn off DTP while in a dynamic Trunk mode
  • If a Trunk is not dynamically forming between Trunk On and a Dynamic mode, it is because DTP is disabled with “switchport nonegotiate” on the Trunk On side, watch for this on exam day!!
  • VERY IMPORTANT TAKEAWAY: If a Trunk is not dynamically forming, you can verify by either “sh run int FaX/X”, “sh interface switchport” to check if Negotiation is enabled, and if no verification cmds are allowed (exam day) issue “no switchport nonegotiate” on the failing trunk interfaces!

VLAN filtering over Trunk Ports (Not VTP Pruning)

  • VLANs should be filtered if the remote switch does not contain a VLAN from the local switch, to prevent unnecessary broadcast traffic from traversing the trunk
  • “switchport trunk allowed vlan (WORD/add/all/except/none/remove)” on Trunk interfaces
  • WORD = VLAN ID’s of allowed VLANs when this port is in Trunking mode
  • Add = Add VLANs to current allowed list
  • All = Allow all VLANs over the Trunk
  • Except = All VLANs allowed except the following input
  • None = No VLANs allowed over the Trunk
  • Remove = Remove VLAN from current allowed list
  • Many of these are redundant, for example, “except” and “remove” will have the same result

Voice VLAN info

  • ASIC (inside IP Phone) makes it appear as a switch to PC devices, allowing for different switch port configurations to separate the traffic
  • Jitter is the variation / measurement of delay between received packets, like a phone breaking up, the human ear starts to realize jitter at 140-150ms of delay
  • Links to phones can be configured either as an Access Link or Dot1q Trunk
  • Trunking links will give the advantage of a Voice VLAN (VVID) dedicated to carrying voice traffic only, with the highest QoS available, giving delay sensitive voice traffic priority over normal data traffic (Not sure if dot1q IP phone trunks is still relevant)
  • Access links with no additional configuration will send both data and delay sensitive voice traffic on the same VLAN, which can cause Jitter issues
  • “switchport voice vlan (#/dot1p/none/untagged)” on the interface to configure
  •  VLAN # – Configures the VLAN # that voice traffic will be sent over
  • Dot1p – Allows for high priority of Voice Traffic, and voice traffic is sent to VLAN 0, so for exam day know dot1p sends traffic to VLAN 0!
  • Untagged – This means the traffic will be using the Native VLAN # as its VLAN
  • None – The Voice VLAN will use whatever access VLAN # that is configured on the switch port, mixing with the data traffic
  • Untagged and None both show up as Voice VLAN: Untagged in “sh int switchport” however there will be no Voice VLAN entry in the output for “None” configuration
  • Postfast is automatically enabled on any switchport that a Voice VLAN is configured

VTP Version 2 info (some Ver 1 misc info)

  • VTP does not send any traffic to hosts, only switch to switch Trunk links
  • VTP is disabled by default on a switch until configured with necessary parameters
  • VTP creates a common domain (VTP Management Domain) that passes information between switches within the domain via advertisements when VLANs are created, changed, or deleted
  • “sh vtp status” to see full VTP details running on the local switch
  • “vtp ver 2” from global config to change to verison 2
  • “vtp domain (name)’ from global config to set domain name from (blank) default
  • “vtp password (word)” to set Ver 2 password, however not secure due to this:
  • “sh vtp password” will display the VTP Ver 2 Domain password in clear text
  • VTP Version 2 info (including password) can be seen in plain text with the command “more vlan.dat” from User Exec prompt!
  • VTP will only shares advertisements with switches in the same VTP domain
  • A switch will automatically join a named Domain if it receives a VTP ad from another switch running the same version #, even across a ‘Transparent’ switch
  • When a switch joins a VTP Domain, it defaults into “Server” role
  • VTP Domain names are case sensitive to be part of the same Domain
  • VTP version 2 has 3 modes it can run in:
  • Server mode – Server mode switches can create, delete, and modify VLANs which will then be broadcast to other VTP switches in the domain, (modify VLAN means change its name – not add / remove ports from a VLAN)
  • Client mode – Cannot create, delete, or modify VLANs, only updates their VTP Database upon receiving VTP advertisements from VTP servers
  • Transparent mode – Switches in Transparent mode do not participate fully in VTP Domain, as it does not Synch its Database via VTP advertisements (though it does forward them out of its Trunk links), and it can create / delete / modify VLANs
  • VTP Servers originate ads for the VTP Domain, may be multiple VTP Servers in a VTP Domain
  • VTP Transparent switches running VTP Version 1 require the Version and Domain name to match on downstream switches to forward ads, whereas running VTP Version 2 it will forward VTP ads regardless of Domain names matching on downstream VTP switches
  • Configuration Revision # enables VTP switches to ensure they have the latest information for their Database, the higher the number, the more recent it is
  • That being said, if a Server / Client receives a VTP advertisement with a lower config revision # than it currently has, it is ignored
  • Transparent VTP switches have a Config Rev # of 0
  • VTP Subset Advertisements are ads triggered immediately upon any VLAN change (add / delete / modify), which increases the config revision #
  • When a switch receives a VTP ad with a higher config rev #, it accepts the ad and overwrites its own VTP DB with the ads info, and adjusts its config rev #
  • There are two ways to reset a VTP Server switch to Config Rev back to 0: Change it to transparent mode then back to server mode, or change domain name to non-existent domain and back to desired VTP domain
  • “VTP Synch Issue” is when a new switch in the same Domain / Ver # is plugged into the network as a Server with a higher config #, and nukes current network with its own configs, to prevent this make sure the Config Rev is 0 before connecting
  • There are 3 types of VTP advertisements:
  • Summary Advertisements = Sent by VTP Servers every 5 minutes or when triggered by a change to the VTP DB, Summary ad will contain Domain Name / Ver # / MD5 Hash code / timestamp / # of subset advertisements that will follow
  • Subset Advertisements = Sent by VTP Servers when there is a VLAN change, subset ads give info specific to the VLAN change whether it was created / deleted / modified / suspended, the VLAN type (Ethernet, Token-Ring, FDDI, etc), and any new values such as VLAN name or MTU if those were changed
  • Client Advertisement Requests = These are not “Advertisements” but rather “Requests” sent by VTP Clients if their VLAN DB becomes corrupt, is deleted, etc.

VTP Version 3 info

  • Ver 3 introduces the mode “Off” to disable VTP from sending advertisements
  • Ver 3 can be disabled not only globally with “Off” mode, but on a port by port basis
  • Ver 3 has 3 options for password config:
  • “vtp password (word)” = Clear text like Ver 2 unless other options are applied to it
  • “vtp password hidden” = Encrypts configured password and only keep hash output of the password entered
  • “vtp password secret” = Encrypts configured password but password minimum length must be 32 characters long
  • “vtp primary vlan” from User Exec prompt to configure a VTP Ver 3 server as the Primary server, which resolves the VTP Synch issue from occurring, as the Primary server will be the only device that can update other VTP devices on the network
  • When configuring “vlan primary vlan” it will prompt for the configured VTP password, and set as Primary if no conflicts / other Primary servers found

Misc VTP Version info

  • VTP Ver 3 will work with Ver 2, but not V1. If a Version 1 switch detects it is connected to a switch running VTP Ver 3, it will attempt to upgrade itself to Ver 2, if it only works with Ver 1 it will not join the VTP V3 Domain
  • VTP V1 and V2 only support VLANs 1-1005, whereas V3 supports 1-4094 (extended VLAN range)
  • Best practice, all switches should run V3, or at least the same VTP Version

VTP Pruning info

  • Cannot Prune default VLANS 1, 1002-1005
  • “vtp pruning” at Global Config level enables VTP Pruning, configuring on a single VTP Server switch will enable it / propagate across all VTP Domain switches
  • To configure the VLANs to Prune, you will need to configure on the trunk interface(s) with “switchport trunk pruning vlan (word/add/except/etc)
  • Configuring the VLANs to Prune with VTP is the EXACT same login as VLANs allowed over a Trunk port configuration, except the word “pruning” is used instead of “allowed” in the command syntax!

STP (PVST+) info

  • During an election the lowest BID (Bridge Priority:MAC) will become the root bridge
  • The Bridge Priority is 32768 by default + VLAN #
  • Port state “Disabled” is a port that is shut down or participating in STP at all
  • Config BPDUs are sent every 2 seconds to check for Superior BPDUs to elect a new Root Bridge, TCN (Topology Change Notification) BPDUs are triggered by changes
  • Superior BPDU is considered a BPDU containing the lowest BID
  • Cost: Cost 2 = 10gbps, Cost 4 = 1gbps, Cost 19 = 100mbps, Cost 100 = 10mbps
  • Which ports are chosen to be FWD / BLK depends on the following in order: Port receiving a Superior BPDU, if tied then Port with lowest Root Path cost, if tied then lowest Sender BID, and finally if all those match then the lowest sender Port Priority (Pri.Nbr)
  • If the Priority is not changed on the interface similar to cost with “span vlan port-pri vlan (#’s) #”, the lowest value port goes into FWD while the higher value goes into BLK
  • Port Priority is 128 by default, and can be incremented by multiples of 16 at the interface level with “span vlan # priority #” command, which if the Priority is lowered on the remote end of a BLK interface it will allow the BLK interface to come into FWD to load-balance!
  • To change / load balance per-vlan with STP, issue “span vlan (vlan #’s) cost #” to change the cost for the specified VLANs on that interface, this allows for per vlan load balancing
  • Default Timers (in seconds): Hello 2, Max Age 20, Forward Delay 15, Aging Time (specific to local Bridge for later concepts) 300
  • Hello time = How often Config BPDU is sent, Forward Delay = Timer for LIS / LRN states, Max Age = Time a switch will retain Superior BPDU before changing states back to LIS
  • All STP switch timers are dynamically set by the timers set on the Root Bridge
  • “spanning vlan # (hello / forward / max) #” from global config prompt to change STP timers, this is locally significant only, the only way these will ever be used is if this switch becomes the Root Bridge – Root ID field will show timers set on Root Bridge
  • “span vlan # root primary” to guarantee a switch will become to Primary Root for that VLAN # immediately, can set a backup Root by issuing “span vlan # root secondary” on a second switch in case the original Root disappears – These are config’d in global config

RSTP (Rapid PVST+) info

EtherChannel / Port-Channel info

  • EtherChannel is logical bundling of links (link aggregation) of 2-8 links, which can be FastEthernet/GigEthernet/10GigEthernet ports
  • All links must have same speed / duplex settings to be part of the EtherChannel
  • STP considers an Etherchannel as a single link, so if a single physical link in the bundle goes down, STP will slightly raise the Path Cost but the link will stay Up
  • “channel-group # mode (mode type)” on the interface(s) that will be part of the EtherChannel, the channel-group # is locally significant only!
  • Channel Group Modes explained:
  • On = Static “On” mode, unconditionally trying to form an EtherChannel
  • Auto = PAgP dynamic EtherChannel, only forms if other side initiates
  • Desirable = PAgP dynamic EtherChannel, actively attempts to form a Trunk
  • Passive = Open Industry standard, only forms EtherChannel if other side initiates
  • Active = Open Industry standard, actively tries to form EC with remote side
  • Both sides of the EtherChannel must be running in the same mode!
  • More info:
  • LACP IEEE Standard is 802.3ad
  • “sh pagp neighbor” for detailed PAgP Etherchannel information
  • “sh lacp neighbor” for detailed LACP Etherchannel information
  • With LACP, you can designate up to 16 ports to be bundled into the Etherchannel, but only 8 ports will be active in the Etherchannel at any time
  • “sh etherchannel brief” – Gives summary info of Etherchannel in use
  • “sh etherchannel summary” – Gives detailed output for current Etherchannel
  • Etherchannel does ‘load-sharing’ per data flow (not per packet) by running a Cisco proprietary hash algorithm that will produce a result between 0-7, these values are used to determine which link will handle the data flow
  • This algorithm may use src/dst IP, MAC, Port #
  • XOR is a load sharing operation used by Etherchannel, it uses lowest order bits to determine the link used for the data flow by using both src and dst IP or MAC addys
  • “sh etherchannel load-balance” to see what factors are being used for load sharing
  • “port-channel load-balance (options)” to change parameters to load share by, within this prompt it shows XOR as using both src and dst IP or MAC addy
  • “spanning etherchannel guard misconfig” is a Misconfig Guard for the dynamic Etherchannel modes, however they would not form if there was an issue so its relatively useless outside of the exam

Multilayer Switching info

  • Both packet switching and routing is performed on a “Router Processor” or “L3 Engine”, this processor must download routing information to the hardware
  • MLS switches allow for inter-vlan communication, so two VLANs can talk to eachother, without involving another Layer 3 device (Router-on-a-Stick)
  • Either MLS (Multilayer Switching) or CEF (Cisco Express Forwarding) will be used in packet switching decisions
  • ASICs (Application Specific Integrated Circuits) take care of the L2 re-writing of MAC information of packets as they traverse the MLS
  • CAM table handles the L2 information (like a MAC table), but for Routing / QoS / ACL’s / etc there is the TCAM table which stores everything the CAM table doesn’t
  • Route Caching is the first MLS method, which has the route processor determine the destination for a data flow, then the switching engine takes over and continues forwarding the data flow
  • A flow is a unidirectional stream of packets from any given source to a destination address using the same port / protocol. If HTTP and SMTP are being sent from the same source to the same destination, those are two different flows of traffic
  • Route Caching has the drawback that the first packet is always software switched, which is where CEF come in to save the day
  • CEF is made up of the FIB (Forwarding Information Base) and the AT (Adjacency Table), CEF utilizes both FIB for Layer 3 and AT for Layer 2 simultaneously to forward all traffic, unless it requires QoS or additional TCAM features
  • SVI’s are created as a 1:1 mapping for every VLAN on the switch to work as a Layer 3 gateway for that VLAN, which allows for inter-vlan communication
  • “int vlan #” to create the SVI interface, then configure with an IP address / Subnet Mask for the subnetwork of the VLAN, remember to “no shut” if needed!
  • Put ports in VLANs first, then create SVI, or the Line Protocol of the SVI will show as down – This isn’t needed for config but a good order of operation
  • Must enable IP Routing for SVI’s to allow for inter-vlan routing to work by issuing “ip routing” command in global config, IP Routing is disabled by default on switches so make sure to issue this command to allow for routing!
  • Hosts must also have their Default Gateway IP set to the SVI IP Address as well to allow for inter-vlan routing as well
  • A Layer 3 or “Routed Port” is created on a switchport with the command “no switchport” – This makes it a Layer 3 routed port to connect to another L3 device
  • “ip routing” must be enabled in global config for L3 Routed Ports as well!
  • For the remote L3 device to reach multiple subnets, a dynamic routing protocol is best to use between the switch and router, though static routes can work as well

Stackwise info

  • A “Master” switch is elected upon boot, and the criteria considered is as follows:
  • Network Admin configures Master manually
  • Best Feature Set
  • If thats a tie, which switch is pre-configured (over not configured at all)
  • If thats a tie, which switch with highest uptime
  • Finally if all those tie, the lowest MAC address wins
  • Master switch lets other stack members know when a switch is added or removed
  • Master switch keeps a Master MAC Table that it distributes copies to all slave switches
  • Master switch handles connections such as telnet sessions or pings to the switch
  • Entire stack has one IP Address shared among all devices, and one common config file given to all switches in the stack
  • When a new stack member is added, it is provided a copy of the common config file by the Master
  • There is no single point of failure in a switch stack, but will take a 50% throughput hit if a cable / port fails
  • Failover takes literally microseconds in the event of an issue due to NSF (NonStop Forwarding) keeping packets flowing
  • NSF works with RPR+ to keep everything moving if the Master fails or is cutover to another switch
  • Every stack member must be running the same IOS image, and highly advised to have the same feature sets, IP Service or IP Base
  • If a new switch is added to the stack has the same IOS image, it is sent the config file, and it joins the stack
  • If a new switch is added to the stack with a different IOS image, the Master downloads the IOS from it own Flash memory to the new member, then sends config file, then the new switch joins the switch stack
  • Can also configure a TFTP that the Master pulls the IOS image from
  • If new switch stack member cannot take new IOS, Master will put it in suspension until Manually addressed
  • The Master will expect ot be provided with the IOS that is supported by the new switch and the Master, so the Master can then update the entire stack with that IOS image, so all stack members are running the exact same IOS image


  • MLS switches are used, and called Routers in all FHRP materials, as they act as network gateways
  • HSRP is Cisco Proprietary RFC 2281 in which routers are put into HSRP router groups
  • In the group, one router is elected the Active router, all others are Standby Routers
  • Active routers handle all traffic in the HSRP Group, Standby routers do not handle any (unless Active in a separate HSRP Group)
  • HSRP ensures High availability / uptime because there is a group of multiple routers that share a single gateway IP
  • The actual IP / MAC Addresses of individual routers are unkown to downstream devices, they only see a single “Virtual Router”
  • Each MLS must have SVI interface configured with an IP Address and Up, Virtual Router IP CANNOT be same as SVI IP of any router in group
  • Technically all you need is the “standby group IP Address” for an HSRP group to become active, however there are other commands to configure it fully
  • “standby # ip x.x.x.x” on SVI interface to set a standby group # along with the Virtual Router IP Address for the HSRP Group
  • “sh standby” to see HSRP info of local MLS switch
  • The MAC Address in “sh standby” is a mix of the well known HSRP MAC 0000.0c07.acXX where XX is the Group # is Hex format!
  • Review Hex to Decimal conversion table here – – compare to loopedback hex conversion to confirm correct conversion theory
  • Default Hello time 3 seconds, Hold time 10 seconds
  • HSRP Election first consider priority, which is 100 by default, so if this is left at default then Highest IP on SVI interface wins election
  • “standby 5 priority #” to change the priority (0-255) to manually set Active router, but will not automatically take over upon config
  • “Preemption” is configured to ‘Overthrow’ the Active Router if the Priority of the Standby router becomes a higher value
  • “standby 5 preempt” to configure preemption on the SVI interface participating in HSRP, and it will quickly update to Active Router status
  • HSRP States:
  • Initial (INIT) = Interface enters INIT once HSRP is enabled, HSRP not yet actually running
  • Listen = Router knows of Virtual Router address, but is listening for Hello packets from Active / Standby routers
  • Speak = The router is sending Hellos and participating in the Active / Standby election itself
  • Standby = Router is now a candidate to become active, continues sending Hellos every 3 seconds by default
  • Active = Router is forwarding packets sent to the Virtual Router IP Address
  • To Load-Blanace, essentially you make a secondary HSRP Router Group, with the Standy Router from Group 1 as the Active Router for Group 2
  • For load balancing to work, the actual hosts themselves will have to be configured to point a certain amount at the different Virtual Router IPs to split up the traffic
  • HSRP uses interface tracking to raise and lower Priority in the event an interface goes down / up, this is NOT object tracking!
  • “standby # track FaX/X (#)” on the SVI interface to set tracking, default decrement value is 10, however can be changed from 1-255 if the defined interface goes down
  • Preemption must be enabled for failover to Standby and back to Active to occur, Preemption is Disabled by default
  • “standby # timers # #” to adjust timers, Hello then Hold, from their defaults of 3 and 10, cannot change Hold time value to be less than Hello, all timers should be the same around all HSRP timers for best practice
  • “standby # authentication (word / md5 / text) …” are the options for authentication, 2 of those are plain text, will cover md5 key-string ONLY
  • “standby # auth md5 key-string (word)” to set your MD5 authentication passphrase
  • Must use “service password-encryption” to encrypt the MD5 passphrase in the running config, otherwise it will show as plain text
  • Key Chain is NOT NEEDED for authentication, can configure key-string only
  • HSRP Advertisements are sent to multicast address

Key Chain configuration

  • “key chain (word)” to name your Key Chain that will hold your different keys
  • “key #” to define the key # you are going to configure
  • “key-string (password)” to set the password for that key #
  • You can continue making different keys to be used with the original “key chain” by backing out, and configuring a new “key #” with another “key-string (password)”


  • Configuration is the exact same, with some slight changes explained below
  • VRRP is an Open Standard RFC 2338 of HSRP, as HSRP is Cisco Proprietary
  • Preemption is enbaled by default on VRRP
  • VRRP Master Router = HSRP Active Router, VRRP Backup Router = HSRP Standby
  • VRRP Advertisements are multicast to
  • The well known VRRP MAC Address is 0000.5e00.01XX where XX is the Hex group #
  • To configure, replace the word ‘standby’ with ‘vrrp’, it is that similar literally
  • Hello Timer = Mater Advertisement timer, default is every 1 second
  • Hold Timer = Master Down timer, default is 3 seconds
  • Load-Balancing configuration is the exact same as HSRP configuration by creating two Virtual Routers and dividing which hosts are pointed at which Virtual Router

Object Tracking configuration with VRRP

  • “track # interface FaX/X line-protocol” from global config
  • Object tracking has many parameters that can be set for tracking
  • “vrrp # track # (decrement)” First # is VRRP Group #, second # is Track object #, default decrement value is also 10 for VRRP but can change value between 1-255


  • Gateway Load-Balancing Protocol is Cisco Proprietary
  • GLBP allows every router in the group to handle some load of the traffic in a round robin matter
  • Hosts only see one default gateway, no pointing them to different Virtual Router IPs
  • The router with the highest GLBP Priority is chosen as the Active Virtual Gateway, if tied (all default) the highest IP Address becomes the AVG
  • The AVG responds to ARP requests with the Virtual MAC Addresses assiged to AVFs or Active Virtual Forwarder routers in the GLBP Group
  • The well known MAC address is 0007.b400.XXYY where XX is the GLBP Group # in Hex and YY is the AVF number in Hex – The AVG holds all these virtual MAC addys
  • Maximum # of 4 AVF Routers in a GLBP Group
  • The default Load-Balancing is Round Robin, so the AVG will respond to ARP requests with Virtual MAC for MLS1, MLS2, MLS3, then finally MLS4
  • If the AVG fails, a standby router with the highest GLBP Priority or Highest IP Address will
  • If an AVF fails, another available router in the group will handle the traffic load, using Hellos to Multicast group to detect if they are available
  • “Weighted Assignments” can also be used on AVF routers, where the higher the weight, the more the AVF router will be utilized for data throughput (instead of default Round Robin load balancing), there is another method called “host-dependent load balancing” that is used if a machine requires the same MAC gateway address every time it sends an ARP request

From here I will be picking up on GLBP where I left off, see you there!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s