Advanced STP Features

PortFast

Allows an access port running STP to go straight from blocking to forwarding when it comes up, skipping the listening (15 seconds) and learning (15 seconds) states.
The full 50 second STP convergence timer is 20 seconds max age + 15 seconds listening + 15 seconds learning; PortFast removes the 30 seconds of listening and learning for a port that has just come up (max age only matters when an existing topology path is lost).
Use it only on ports that face end hosts, never on a link to another switch, and pair it with BPDU Guard (the bpduguard option below): a PortFast port that receives a BPDU is then err-disabled, which stops a rogue or misplugged switch from joining the topology through an edge port.

sh spanning-tree interface fastEthernet 0/1
SW(config)#spanning-tree portfast ?
 bpdufilter Enable portfast bpdu filter on this switch
 bpduguard Enable portfast bpdu guard on this switch
 default Enable portfast by default on all access ports

SW(config-if)#spanning-tree portfast ?
 disable Disable portfast for this interface
 trunk Enable portfast on the interface even in trunk mode
 <cr>

UplinkFast

Switch01 has two paths to the root (sw0): one port is FWD and one is BLK.
With UplinkFast, the ports that could potentially reach the root switch are collectively referred to as the uplink group (it includes both the FWD root port and the BLK alternate ports). If the FWD port goes down, one of the blocked ports transitions to FWD immediately (within about 1-3 seconds) instead of waiting out max age, listening and learning.
Not recommended on core and distribution switches; it is effectively "PortFast for the access layer". Enabling it also raises the switch's bridge priority (to 49152) and its port costs (by 3000) so that the switch does not become root or a transit path.
UplinkFast is enabled globally and applies to all VLANs on the switch.

(more…)

TSHOOT switch

Basics:

  • sh log
  • show interface
  • show cdp neighbors
    • show cdp neighbors detail

Port Security

  • show port-security
  • show port-security interface fa0/1
  • show port-security address

Etherchannel

  • sh cdp nei
  • show etherchannel summary
  • show interfaces port-channel 1

SNMP & NTP

SNMP – Simple Network Management Protocol

  • Manager – the monitoring station (NMS)
  • Agent – the device being monitored
  • MIB – Management Information Base, the tree of objects the agent exposes
  • UDP port 161 on the agent; the manager receives notifications on UDP port 162
  • Uses GETs (read) and SETs (write)
  • SNMP traps
    • The agent informs the manager of an event on its own initiative. A trap is unacknowledged; an inform is the acknowledged variant.
  • SNMPv1 and v2c use community strings, which travel in cleartext: anyone who can sniff the traffic has the credential, and a write community string gives configuration control of the device.
  • SNMPv3 adds per-user authentication and encryption. The security level is chosen per group (the auth / noauth / priv keywords of snmp-server group ... v3):
    • auth – group using the authNoPriv security level
      • Authentication: yes
      • Privacy (encryption): no
    • noauth – group using the noAuthNoPriv security level
      • Authentication: no
      • Privacy (encryption): no
    • priv – group using the authPriv security level
      • Authentication: yes
      • Privacy (encryption): yes
  • If no read view is defined, all objects can be read.
  • If no write view is defined, no objects can be written.
  • If no notify view is defined, group members are not sent notifications.
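The auth and priv levels above depend on a per-user key that the agent and manager both derive from the user's password. The following is an added example, not code from the original notes: it implements the RFC 3414 Appendix A.2 key derivation (password to Ku, then localization with the agent's snmpEngineID to Kul, the same construction RFC 7860 reuses for SHA-2) and the truncated HMAC that becomes msgAuthenticationParameters. The password "maplesyrup" and engine ID 00..02 are the RFC 3414 test vector; the second engine ID and the message bytes are constructed for the demo. It shows why the localization step matters: one password yields a different Kul per agent, so a key lifted from one device does not authenticate against another.

```python
"""SNMPv3 USM authentication keys: password -> Ku -> localized Kul -> HMAC tag.

Added illustration, not code from the original page. Implements the RFC 3414
Appendix A.2 key derivation (also used with SHA-2 by RFC 7860) in pure Python.
'maplesyrup' with engine ID 00..02 is the RFC 3414 Appendix A test vector; the
second engine ID and the message bytes are constructed.
"""
import hashlib
import hmac

# Truncated HMAC length in bytes per authentication protocol:
# HMAC-MD5-96, HMAC-SHA-96 (RFC 3414) and HMAC-192-SHA-256 (RFC 7860).
AUTH_TAG_LEN = {"md5": 12, "sha1": 12, "sha256": 24}


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Step 1 of RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).

    The 1 MiB expansion is the only work factor in the scheme, so a short
    password can still be guessed offline from one captured authenticated packet.
    """
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku).

    Each agent gets a different Kul from the same password, so a key recovered
    from one device's configuration does not authenticate against another.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Password straight to the per-engine key an agent stores."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_params(kul: bytes, wire_msg: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated.

    On the wire the HMAC is computed with the parameter field itself zeroed;
    wire_msg here stands for that zero-filled serialization.
    """
    return hmac.new(kul, wire_msg, hash_name).digest()[: AUTH_TAG_LEN[hash_name]]


def verify_auth(kul: bytes, wire_msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time tag check, what the agent does before acting on a GET/SET."""
    return hmac.compare_digest(auth_params(kul, wire_msg, hash_name), tag)


def demo() -> dict:
    """Walk through localization for two agents that share one user password."""
    password = b"maplesyrup"                                 # RFC 3414 test vector
    engine_a = bytes.fromhex("000000000000000000000002")    # RFC 3414 test vector
    engine_b = bytes.fromhex("80000009030000c0ffee00")      # constructed second engine ID
    kul_a = derive_localized_key(password, engine_a, "sha1")
    kul_b = derive_localized_key(password, engine_b, "sha1")
    msg = b"constructed-snmpv3-message-with-zeroed-auth-params"
    tag = auth_params(kul_a, msg, "sha1")                    # manager signs for agent A
    return {
        "kul_a": kul_a.hex(),
        "kul_b": kul_b.hex(),
        "tag": tag.hex(),
        "accepted_by_a": verify_auth(kul_a, msg, tag, "sha1"),
        "accepted_by_b": verify_auth(kul_b, msg, tag, "sha1"),  # same password, other engine
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the two localized keys side by side; the tag signed for engine A is rejected by engine B even though both agents were configured with the same password. MD5 and SHA-1 are kept here only because they are the RFC 3414 test-vector algorithms; on current IOS prefer the SHA-2 authentication protocols and the priv level with AES.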

(more…)

DMVPN

LAB III (DMVPN, mGRE, NHRP, EIGRP)

  • Point-to-multipoint Layer 3 overlay VPN
  • Logical hub-and-spoke topology
  • Direct spoke-to-spoke tunnels are supported

DMVPN uses a combination of:

  • Multipoint GRE tunnels (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • IPsec crypto profiles (applied to the tunnel with tunnel protection)
  • Routing

(more…)

VPN

  • Virtual Private Network
    • Route exchange privacy
    • Path determination for packets
    • Data security
      • IPsec (IP Security): a collection of standardized protocols that provide
        • Confidentiality
        • Integrity
        • Authentication
        • Anti-replay

(more…)

NAT64

  • Transition technique designed to allow native IPv6 hosts to access IPv4-only content.
    • (Translation technique, not a tunneling technique: the translator rewrites the IP header rather than encapsulating the packet.)
  • Primarily used to allow IPv6 hosts to initiate connections to IPv4 content.
    • Mechanisms do exist to allow the reverse.
  • Stateful and stateless versions.
    • Stateful NAT64 can use any prefix, including the well-known prefix 64:ff9b::/96, and keeps a per-session translation table.
    • Stateless NAT64 has restrictions on the prefix, because the IPv4 address must be derivable from the IPv6 address algorithmically (there is no state table), so every IPv6 host that needs translation must hold an IPv4-translatable address.

NAT64 and DNS64 coexistence.

  1. The IPv6 host sends an AAAA DNS query.
  2. The DNS64 server tries the AAAA lookup and gets no AAAA record (the name is IPv4-only). If a real AAAA exists it is returned unchanged and nothing is synthesized.
  3. The DNS64 server successfully resolves the IPv4 address (A record).
  4. The DNS64 server synthesizes an AAAA response of <NAT64 IPv6 prefix : IPv4 address> and sends it back to the client; traffic to that address is routed to the NAT64 translator.
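The prefix:IPv4 packing in step 4 is defined by RFC 6052, and the same packing is what the NAT64 translator reverses to find the real IPv4 destination. The block below is an added example, not code from the original notes: it implements the general RFC 6052 embedding for every allowed prefix length (32/40/48/56/64/96), not only the /96 case described above, the reverse extraction, and a small DNS64 decision function that walks steps 1-4 over a constructed zone. The prefixes and the address 192.0.2.33 are the RFC 6052 Section 2.4 examples; the zone names and other addresses are constructed.

```python
"""NAT64 address mapping (RFC 6052) and the DNS64 synthesis steps.

Added example, not code from the original page. Implements the general
RFC 6052 embedding for all allowed prefix lengths plus the reverse extraction
a NAT64 translator performs. The zone below is constructed; the example
prefixes and 192.0.2.33 are the RFC 6052 Section 2.4 test addresses.
"""
import ipaddress

PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"       # RFC 6052 well-known NAT64 prefix


def _prefix_bits(prefix: str):
    net = ipaddress.IPv6Network(prefix)  # strict: rejects host bits in the prefix
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {PREFIX_LENGTHS}")
    return format(int(net.network_address), "0128b")[: net.prefixlen], net.prefixlen


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesize the IPv4-embedded IPv6 address (what DNS64 puts in the AAAA)."""
    pbits, plen = _prefix_bits(prefix)
    v4 = format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if plen == 96:
        bits = pbits + v4
    else:
        head = 64 - plen                                   # IPv4 bits that fit before bit 64
        bits = pbits + v4[:head] + "0" * 8 + v4[head:]     # bits 64-71 ('u') stay zero
    return str(ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2)))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 destination from a synthesized address (translator side)."""
    pbits, plen = _prefix_bits(prefix)
    bits = format(int(ipaddress.IPv6Address(ipv6)), "0128b")
    if bits[:plen] != pbits:
        raise ValueError("address is not inside the NAT64 prefix; do not translate it")
    if plen == 96:
        v4 = bits[96:]
    else:
        if bits[64:72] != "00000000":
            raise ValueError("malformed: bits 64-71 must be zero")
        head = 64 - plen
        v4 = bits[plen:64] + bits[72:72 + 32 - head]
    return str(ipaddress.IPv4Address(int(v4, 2)))


# Constructed zone data standing in for the answers a DNS64 resolver would get.
CONSTRUCTED_ZONE = {
    "dual.example.":   {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "legacy.example.": {"A": "192.0.2.20"},            # IPv4-only content
    "v6only.example.": {"AAAA": "2001:db8::30"},
}


def dns64_resolve_aaaa(name: str, prefix: str = WELL_KNOWN_PREFIX, zone=CONSTRUCTED_ZONE):
    """Steps 1-4: return (AAAA answer, synthesized?) for a client's AAAA query."""
    rr = zone.get(name, {})
    if "AAAA" in rr:                 # real AAAA exists: pass it through, no synthesis
        return rr["AAAA"], False
    if "A" in rr:                    # AAAA lookup failed, A lookup succeeded: synthesize
        return embed_ipv4(prefix, rr["A"]), True
    return None, False               # no usable record, answer as a normal resolver would


if __name__ == "__main__":
    for name in CONSTRUCTED_ZONE:
        print(name, dns64_resolve_aaaa(name))
    synth = embed_ipv4(WELL_KNOWN_PREFIX, "192.0.2.20")
    print(synth, "->", extract_ipv4(WELL_KNOWN_PREFIX, synth))
```

The translator-side check in extract_ipv4 is the one worth remembering: a NAT64 box must only translate packets whose destination actually falls inside its configured prefix, and should reject addresses with the reserved bits 64-71 set, otherwise a crafted IPv6 destination can steer translated traffic to an IPv4 address the operator never intended to expose.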

(more…)

IPv6 Tunnels

  • Point-to-point tunnels
  • MCT (manually configured tunnel, IPv6-in-IPv4, IP protocol 41)
  • GRE (Generic Routing Encapsulation)
  • Virtual point-to-point link between two IPv4 routers
  • IPv6 IGP routing protocols can run over these virtual links.

(more…)

IPv6 IGP redistribution

Similarities to IPv4

  • Redistribution takes routes from the IP routing table, not from the IGP databases.
  • Route maps can be used for filtering, metrics and route tags.
  • Administrative distance has not changed.
  • Options to prevent routing loops: administrative distance, route tags, filtering.
  • Syntax is the same.

Differences to IPv4

  • Supported "match" commands in route-maps vary by IGP
    • OSPF/RIP cannot match on "route-type" in a route-map
      • EIGRP has no problem using "route-type"
    • A route-map that matches an IPv6 ACL must use an ACL with the IPv6 prefix as the source portion and "any" as the destination.
  • Redistributing an IPv6 IGP does not automatically include the connected prefixes of the interfaces running that IGP; add the keyword
    • redistribute <source protocol> include-connected

IPv6 RIPng EIGRP OSPFv3

RIPng

  • UDP port number 521
  • No autosummarization for IPv6
  • Destination address FF02::9
  • Link-local next hops
  • No protocol-level authentication; RIPng relies on IPv6 AH/ESP (IPsec) to authenticate updates
  • Enable it on the interface
    • ipv6 unicast-routing
    • interface fa0/0
      • ipv6 rip CCNP enable
  • No network command

EIGRP IPv6

  • EIGRP uses the neighbor's link-local address as the next hop
  • Destination FF02::A
  • Authentication: unlike RIPng and OSPFv3, which lean on IPv6 AH/ESP, EIGRP for IPv6 has its own per-interface authentication, configured with ipv6 authentication mode eigrp <AS> md5 and ipv6 authentication key-chain eigrp <AS> <key-chain>
  • IPv4 defaults to auto summarization, IPv6 doesn't
  • Configuration:
    • ipv6 unicast-routing
    • ipv6 router eigrp 100
      • eigrp router-id RID (a 32-bit ID written like an IPv4 address; required when the router has no IPv4 address to borrow)
      • no shutdown (older IOS creates the IPv6 EIGRP process in the shutdown state)
    • (config-if)#ipv6 eigrp 100

(more…)