Tag Archives: ICND2: 640-816

More Spanning Tree Protocol

A couple more things for spanning tree. Just to recap, STP is the mechanism by which we prevent switching loops on switches. Not much of an issue with small switch networks but important on larger switch networks.

We saw in previous posts that when STP needs to bring up a link that is in blocking mode, it can take almost a minute to complete that reconfiguration. This is where RSTP or Rapid Spanning Tree Protocol comes in.

Rapid Spanning Tree Protocol

Rapid STP (802.1w) is a variation of 802.1d, the STP. So why rapid? Well the basic concept is the same with a root bridge election, but the port roles are different, and the operation is slightly different.

Each non-root switch connects to the root bridge through the port with the lowest path cost to the root. This is the root port, just like in STP, and the root bridge's ports facing those switches are designated ports.

But there is a third and fourth type of port, the alternate port, and the backup port. The only time we will see a backup port is when we have more than one connection to a single network segment.

Port Type      STP   RSTP
Root            x     x
Designated      x     x
Alternate             x
Backup                x
Edge                  x
P2P                   x

So what makes it Rapid?

In spanning tree protocol, when a topology change is detected, it takes three missing hello packets to trigger STP (at 2 seconds per packet) and the port(s) must go through the 15 seconds of listening and 15 seconds of learning.

In RSTP, the STP states disabled, blocking and listening are combined into a new state – discarding.

STP: Disabled > Blocking > Listening > Learning > Forwarding
RSTP:                     discarding > Learning > Forwarding

You’ll notice the port type table also referenced edge ports and P2P (point to point) ports, which are also new port types for RSTP.

Edge ports are ports on the edge of the network; most often these are ports for hosts. In STP, a port moving into forwarding mode triggers an STP recalculation, and for many ports this is unnecessary: if a host has just been connected or disconnected, no recalculation is needed. RSTP recognizes this by ignoring edge ports for topology change purposes.

Point to point ports are any ports connected to another switch and running in full duplex mode.

BPDUs are handled differently as well. With STP, the root bridge generates a BPDU every two seconds, and the non root devices forward that BPDU, but in RSTP, every switch generates a BPDU every two seconds. … and this is where the rapid part comes in.

In STP, once the switches have missed 3 BPDUs from the root (6 seconds), the max age timer starts (20 seconds); at the end of that cycle the link information is aged out and recalculation starts, followed by listening and learning (30 seconds). With RSTP, if three hello packets have not been received, the link information is immediately aged out (6 seconds) and the switches start recalculating. This is what makes it rapid – 26 seconds in STP versus 6 seconds in RSTP.


Per VLAN spanning tree is the version of STP we usually run, often abbreviated to PVST. In fact my 2950 switches run this version of spanning tree by default as can be seen from the start up config:

spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id

Load Balancing

We can use some of the features of PVST to create load balancing when we have multiple links between two switches. We could create an EtherChannel as well, but it's good to know the alternative methods.

Usually when we have multiple single links between switches, STP will put all but one of the ports on the non root switch into blocking mode, which means all VLAN traffic is crossing a single link.

If we go into the interface config, we can change the cost per VLAN to force STP to pass that VLAN's traffic through a non default link. When this happens, the port concerned becomes the root port for that VLAN (or range of VLANs) only.
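The root port selection that makes this work, as an added example in Python rather than anything from the original post or from Cisco: one non-root switch has two 100 Mbit/s uplinks to the same root bridge, so with default costs every VLAN picks the same uplink on the port ID tie-break, and lowering the per-VLAN cost on the other port (what spanning-tree vlan cost does on the interface) moves only those VLANs. The port names, bridge IDs and the cost of 10 are constructed for the example.

```python
"""Per-VLAN root port selection the way PVST performs it (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_COST_100M = 19  # IEEE 802.1D short path cost for a 100 Mbit/s link


@dataclass
class Uplink:
    name: str
    sender_bridge_id: int        # bridge ID carried in the BPDU received on this port
    sender_port_id: int          # port ID carried in that BPDU
    advertised_cost: int         # root path cost the neighbour advertises (0 = it is the root)
    default_cost: int = DEFAULT_COST_100M
    vlan_cost: Dict[int, int] = field(default_factory=dict)  # per-VLAN cost overrides

    def cost(self, vlan: int) -> int:
        return self.vlan_cost.get(vlan, self.default_cost)


def select_root_port(uplinks: List[Uplink], vlan: int) -> str:
    """Lowest root path cost wins; ties go to the lowest sender bridge ID,
    then the lowest sender port ID (the 802.1D tie-break order)."""
    best = min(uplinks, key=lambda u: (u.advertised_cost + u.cost(vlan),
                                       u.sender_bridge_id, u.sender_port_id))
    return best.name


def root_ports_by_vlan(uplinks: List[Uplink], vlans: List[int]) -> Dict[int, str]:
    """Run the election once per VLAN, as PVST keeps one tree per VLAN."""
    return {v: select_root_port(uplinks, v) for v in vlans}


def set_vlan_cost(uplink: Uplink, vlans: List[int], cost: int) -> None:
    """Models 'spanning-tree vlan <list> cost <n>' entered under the interface."""
    for v in vlans:
        uplink.vlan_cost[v] = cost


def build_uplinks() -> List[Uplink]:
    # Constructed topology: both links go straight to the root bridge, so they
    # tie on cost and sender bridge ID and differ only in the root's port ID.
    root_bridge_id = 0x8000000000000001
    return [Uplink("Fa0/1", root_bridge_id, 0x8001, 0),
            Uplink("Fa0/2", root_bridge_id, 0x8002, 0)]


if __name__ == "__main__":
    vlans = [10, 20, 30, 40, 50]
    links = build_uplinks()
    print("default:", root_ports_by_vlan(links, vlans))   # every VLAN on Fa0/1
    set_vlan_cost(links[1], [20, 40], 10)                  # 10 beats the default 19
    print("after:  ", root_ports_by_vlan(links, vlans))    # VLANs 20 and 40 move to Fa0/2
```

The blocked link stays blocked for the VLANs whose cost was left alone, so the two physical links end up each forwarding a subset of VLANs, which is the load balancing described above.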


Point to Point and Point to Multipoint

I’ve been really enjoying working with frame relay, but one thing I couldn’t keep straight was point to point and point to multipoint sub interfaces, and the role of the DLCI. For some reason this was a confusing mass that I just could not untangle, so here is what I finally managed to come up with to keep it straight.

Point to Point Frame Relay Connections

Let's take a simple three router set up. We can easily configure three serial links to connect all three routers.

The problem with it, of course, is that it does not scale, requiring one serial interface for each router connection. A full mesh on a reasonably sized network could be incredibly complex, and even a large hub and spoke will require a great deal of hardware. Each link in the network has to have a serial interface and each serial link has to be on its own subnet. (See the /30 IP addresses)

The other thing to remember is that frame relay is a layer two protocol, so IP addressing is not used in the frame relay switch. For the frame relay to work we must remember to use Data Link Connection Identifiers (DLCIs). For each logical connection or circuit, there is one DLCI specified. Because there is only one DLCI, there are no frame relay map statements and no inverse arp required.

Point to Point sub interface, Frame Relay Connection


The point to point sub interface configuration is the same as the configuration above, but we logically segment our serial interface, reducing the hardware requirements. However, like the example above there is some subnetting to be done.

This also uses the frame-relay interface-dlci command for each sub interface connection.

Remember that DLCIs are supplied by the service provider and are locally significant only. They are simply flags that indicate the ends of our virtual circuits.

Point to Multi-Point Frame Relay Connections


With point to multipoint, we have a hub router using a single serial connection to the frame relay switch, but we have multiple DLCIs specified, through either frame-relay map statements for static configuration or inverse ARP for dynamic configuration.

Subnetting can be done or not, depending on the network configuration. In the example here, all three connections are on one subnet.

frame-relay map ip <IP address> <DLCI #> [broadcast]

So how do we know what method of connection to use?

Personally, I prefer the point to multipoint as there is less fuss and fewer IP addresses used. For a small configuration (maybe up to three serial links) I could see using sub interfaces, but for larger configurations, I think the p2mp wins just on the fewer IP addresses required.

From the Cisco Library:

Multipoint sub interfaces:

  • Subinterfaces act as default NBMA network
  • Can save subnets because it uses a single subnet
  • Good for full-mesh topology

Point to point sub interfaces:

  • Subinterfaces act as leased line
  • Each point-to-point connection requires its own subnet
  • Good for star or partial-mesh topologies
  • In point to point, more IP addresses are consumed than with multipoint subinterfaces.



Introduction to VPNs

VPN Types

We don’t need to be able to configure VPNs for the CCENT or CCNA, but we should be familiar with them. Essentially a VPN is a tunnel, and that tunnel is secured at either end. VPNs are required for secure communications across WANs: for remote user or telecommuter to central office, or even remote office to central office communications.

Also the use of VPNs over WAN is a more cost effective solution for central office to remote offices networking, instead of using dedicated point to point WAN links, which can be expensive.

VPNs have three functions:

  • Data origin authentication – happens at the receiving end and makes sure the source of the packet is not spoofed.
  • Encryption – the sender encrypts the packets.
  • Integrity – the receiver ensures the data was not touched as it came across the wire.

There are three protocols used for VPNs. They are:

  • RFC1701, the Generic Routing Encapsulation, or GRE – not used on its own, as it has no encryption
  • RFC2661, Layer Two Tunneling Protocol or L2TP – no encryption
  • Internet Protocol Security or IPSEC offers encryption and authentication and is widely used.

IPSEC has one drawback, and that is the lack of a tunneling protocol, and there are several we can choose from:

  • Secure Shell or SSH which operates at Layer 7
  • Secure Sockets or SSL which operates at layer 4
  • L2TP or L2F that run at layer 2

Be aware that IPSEC can only support unicast IP traffic.

Remote Access VPN Types

There are two types of VPN:

  • Client initiated
  • Network access server initiated VPN

Both are started by the remote host, but the NASIVPN is accessed in unencrypted, and the NAS (Network

VPN Terminology

  • Data Confidentiality – this means that only the devices supposed to see the data, will see the data, and usually implies some sort of encryption process on the link.
  • Data integrity – means the received data is the same as the transmitted data and that the data has not been modified as it crosses the network.
  • Data Origin Authentication – guarantees the starting point for the data.
  • Anti-replay protection – this protects against replay attacks. A replay attack is one where a malicious host or device either delays or replays captured packets in order to penetrate or otherwise gain access to a network.
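The last three items above (integrity, origin authentication and anti-replay) can be shown in a few lines of Python. This is an added example, not code from the post or from any VPN product: a shared secret key authenticates each packet with an HMAC over the sequence number and payload, the receiver checks the tag with a constant-time compare, and only authenticated packets are run through a 64-entry sliding replay window of the kind IPsec ESP uses. The key, the packets and the window size are constructed for the example.

```python
"""Integrity, origin authentication and anti-replay protection on one link (added example)."""
import hashlib
import hmac
import struct
from typing import List, Tuple

SHARED_KEY = b"constructed-example-key-do-not-reuse"  # constructed sample key
TAG_LEN = 32                                           # HMAC-SHA256 output size in bytes
WINDOW = 64                                            # replay window size (constructed)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq (4 bytes) || payload || HMAC(key, seq || payload).
    Covering the sequence number with the tag stops anyone rewriting it."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Sliding window: 'right' is the highest sequence number accepted so far,
    and bit i of 'bitmap' records whether sequence (right - i) was already seen."""

    def __init__(self, size: int = WINDOW) -> None:
        self.size = size
        self.right = 0
        self.bitmap = 0

    def accept(self, seq: int) -> str:
        if seq == 0:
            return "stale"                       # sequence 0 is never valid
        if seq > self.right:                     # newer than anything seen: slide window
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return "ok"
        offset = self.right - seq
        if offset >= self.size:
            return "stale"                       # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"                      # already accepted once
        self.bitmap |= 1 << offset               # late but genuine: mark as seen
        return "ok"


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.window = ReplayWindow()

    def receive(self, packet: bytes) -> Tuple[str, bytes]:
        """Returns (verdict, payload); payload is empty unless the verdict is 'ok'."""
        if len(packet) < 4 + TAG_LEN:
            return "bad-mac", b""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac", b""                # integrity / origin check failed
        seq = struct.unpack("!I", body[:4])[0]
        verdict = self.window.accept(seq)        # only authenticated packets move the window
        return verdict, (body[4:] if verdict == "ok" else b"")


def simulate() -> List[str]:
    """Constructed traffic: two good packets, a replay, a tampered copy, a jump
    ahead, a packet too old for the window, and a late one still inside it."""
    rx = Receiver(SHARED_KEY)
    p1 = protect(SHARED_KEY, 1, b"hello")
    p2 = protect(SHARED_KEY, 2, b"world")
    results = [rx.receive(p1)[0], rx.receive(p2)[0]]
    results.append(rx.receive(p2)[0])                              # replayed copy of seq 2
    tampered = bytearray(p1)
    tampered[4] ^= 0x01                                            # flip one payload bit
    results.append(rx.receive(bytes(tampered))[0])                 # modified in flight
    results.append(rx.receive(protect(SHARED_KEY, 100, b"jump"))[0])  # window slides to 100
    results.append(rx.receive(protect(SHARED_KEY, 3, b"late"))[0])    # 97 behind: outside window
    results.append(rx.receive(protect(SHARED_KEY, 50, b"ok"))[0])     # 50 behind: still inside
    return results


if __name__ == "__main__":
    print(simulate())
```

The window is only updated after the tag verifies, so an attacker who cannot produce valid tags cannot push the window forward and make the receiver drop legitimate traffic; that ordering is the same reason real implementations verify the integrity check before committing a sequence number.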

Data Encryption Types

  • DES – 56 bit key, easily broken
  • Triple DES – 3 x 56 bit DES keys, making it more secure
  • AES – The Advanced Encryption Standard is currently being adopted and can run on any Cisco router that has IPSEC DES/3DES capability

Key Encryption Schemes

Keys are important to encryption, and we need to understand, or at least recognize, the different key schemes:

1. Symmetric encryption

Also known as secret key encryption, this is where a single key is used for both encryption and decryption. Given that the same key has to be held in two places, this makes it a little less secure than other key schemes. There are two types of encryption (and decryption) algorithms used in symmetric encryption:

  • stream algorithms – encryption and decryption are performed serially, one bit at a time
  • block algorithms (usually 64 bit blocks) – encryption and decryption are performed one block at a time.

2. Asymmetric Encryption

Asymmetric encryption uses two keys per user; a public key and private key. Before any encryption or decryption can take place, the public keys have to be certified by a third party.



Lab Practice – Routing

So now that we have our switching working, let's get the router up and running, get our addressing scheme defined and figure out what else we need to do to get this show on the road.

Let's assume that:

  • our ISP gave us 1 IP address
  • All hosts require access to the internet
  • We have been asked to create a subnet scheme that allows for expansion.

Our IP address is /24
(You may recognize this from my frame relay lab)

Our local addressing scheme is:


This needs to be split into subnets, so let's take a look at that. We have 5 VLANs and that translates into 5 subnets. Five is not a great binary number, so let's make that 8 subnets, which would give us 30 hosts per subnet.

128 64 32 16 8 4 2 1
  1  1  1  0 0 0 0 0 - subnet bits (8 subnets)
  0  0  0  1 1 1 1 1 - host bits (32 addresses per subnet)

Subnet mask = 224
# hosts per subnet = 32 - 2 = 30

Remember that we can’t use the all 0’s and all 1’s host addresses as these are the network address and broadcast addresses.

So this gives us the following address scheme:

1.   -      Finance
2.  -      HR
3.  -      Sales
4.  -     R&D
5. -     IT
6. -     not used
7. -     not used
8. -     not used
 with a subnet mask of
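The same bit-borrowing worked through in Python, as an added example that is not part of the original post. The post's own /24 is not shown, so 192.0.2.0/24 (the TEST-NET-1 documentation range) is a constructed stand-in; the VLAN names are the post's. The code borrows the smallest number of host bits that gives the requested subnet count, which generalizes the 5-to-8 step above to any count, and then lists each subnet's network, usable range and broadcast address.

```python
"""Subnet planning from a /24 by borrowing host bits (added example)."""
import ipaddress
import math
from typing import List

VLAN_NAMES = ["Finance", "HR", "Sales", "R&D", "IT"]   # from the post
EXAMPLE_BLOCK = "192.0.2.0/24"                         # constructed; the post's /24 is not shown


def bits_to_borrow(subnets_needed: int) -> int:
    """Smallest b with 2**b >= subnets_needed (5 subnets -> 3 bits -> 8 subnets)."""
    return max(0, math.ceil(math.log2(subnets_needed)))


def usable_hosts(prefix_len: int) -> int:
    """All-zeros (network) and all-ones (broadcast) host addresses are excluded."""
    return 2 ** (32 - prefix_len) - 2


def plan_subnets(base: str, subnets_needed: int, names: List[str]) -> List[dict]:
    """Split 'base' into equal subnets; unused ones are labelled 'not used' as in the post."""
    network = ipaddress.ip_network(base, strict=True)
    new_prefix = network.prefixlen + bits_to_borrow(subnets_needed)
    plan = []
    for i, sub in enumerate(network.subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())          # excludes network and broadcast addresses
        plan.append({
            "index": i + 1,
            "name": names[i] if i < len(names) else "not used",
            "network": str(sub.network_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "mask": str(sub.netmask),
            "usable": usable_hosts(new_prefix),
        })
    return plan


if __name__ == "__main__":
    rows = plan_subnets(EXAMPLE_BLOCK, 5, VLAN_NAMES)
    for row in rows:
        print(f"{row['index']}. {row['network']:<12} {row['first_host']} - {row['last_host']}"
              f"  bcast {row['broadcast']}  {row['name']}")
    print("subnet mask", rows[0]["mask"], "usable hosts per subnet", rows[0]["usable"])
```

Running it prints eight /27 subnets with mask 255.255.255.224 and 30 usable hosts each, the first five carrying the VLAN names and the last three marked not used.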

… and let's assign these to the subnet groups defined by our VLANs.

The Router

I have a Cisco 1760 with the serial port connected to the frame relay network, and the Fast Ethernet port connected to our LAN.

So we need to do the following:

  • Implement our addressing scheme
  • Implement routing
  • Control access through ACLs
  • Implement NAT and PAT for host access to the internet

Implementing the addressing Scheme

So let's bring our VLANs to the router via a logically segmented Fast Ethernet port.

interface FastEthernet0/0
 no ip address
 speed auto
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address
 no snmp trap link-status
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address
 no snmp trap link-status
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address
 no snmp trap link-status
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address
 no snmp trap link-status
interface FastEthernet0/0.5
 encapsulation dot1Q 50
 ip address
 no snmp trap link-status

and then set up our default gateway:

ip default-network


At this point, it looks like no routing protocols are required. A quick look at show ip route, shows that all of our nets and subnets are direct connections.

r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is not set is subnetted, 5 subnets
C is directly connected, FastEthernet0/0.4
C is directly connected, FastEthernet0/0.3
C is directly connected, FastEthernet0/0.2
C is directly connected, FastEthernet0/0.1
C is directly connected, FastEthernet0/0.5 is variably subnetted, 2 subnets, 2 masks
S [1/0] via
C is directly connected, Serial1/0

Now if I fire up router three and use its Ethernet port as a host, let's see if we can ping around:

vlan switch    port ip
 10  3550     1- 6   
 20  3550    13-18  
 30  2950-12  4- 8  
 40  3550     9-12  
 50  2950-24  9-16

… and yes, I can ping out onto the network to other routers on the frame relay network.

Network Access

Now we need to set up network access. Given that we only have one routable IP address, we have to use port address translation.

So we need to define:

  • inside address(es)
  • Outside address
  • inside source list

… and we do this as follows:

  • Add ip nat inside to each sub interface
  • Add ip nat outside to the serial interface

and here is our source list:

r2(config)#access-list 1 permit 

This is list 1, and we are selecting all of the hosts from the network 192.128.20 (our inside addresses) with the wildcard mask of

As we only have the one routable address, the NAT command is pretty simple because there is no pool option, we just specify the interface to use:

r2(config)#ip nat inside source list 1 interface serial1/0 overload

… and the key word here is overload. That should be it.
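How the router decides which inside hosts the source list covers, as an added Python example that is not from the post or from IOS: a wildcard mask is the bitwise inverse of a subnet mask (a 0 bit means "must match", a 1 bit means "don't care"), and a standard ACL is evaluated top to bottom, first match wins, with an implicit deny at the end. The 192.0.2.0 inside network and the single excluded host are constructed; the post's own inside address and wildcard are not shown above.

```python
"""Wildcard-mask matching and first-match ACL evaluation (added example)."""
import ipaddress
from typing import List, Optional, Tuple

AclEntry = Tuple[str, str, str]   # (action, address, wildcard mask)


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_netmask(netmask: str) -> str:
    """255.255.255.224 -> 0.0.0.31: the wildcard is the complement of the mask."""
    return str(ipaddress.IPv4Address(_to_int(netmask) ^ 0xFFFFFFFF))


def wildcard_matches(host: str, acl_addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must agree between the host and the ACL address."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(host) & care) == (_to_int(acl_addr) & care)


def evaluate_acl(entries: List[AclEntry], host: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; returns (action, matching line) or ('deny', None)."""
    for line, (action, addr, wc) in enumerate(entries, start=1):
        if wildcard_matches(host, addr, wc):
            return action, line
    return "deny", None          # implicit deny at the end of every IOS ACL


# Constructed equivalent of 'access-list 1 permit 192.0.2.0 0.0.0.255', with one
# host excluded from translation by a deny placed before the permit.
ACL_1: List[AclEntry] = [
    ("deny", "192.0.2.200", "0.0.0.0"),      # wildcard 0.0.0.0 = exactly this host
    ("permit", "192.0.2.0", "0.0.0.255"),    # any host in 192.0.2.0/24
]


if __name__ == "__main__":
    print("wildcard for /27 mask:", wildcard_from_netmask("255.255.255.224"))
    for h in ["192.0.2.10", "192.0.2.200", "198.51.100.7"]:
        print(h, evaluate_acl(ACL_1, h))
```

A host that falls through to the implicit deny is simply not translated, which is also why a forgotten entry in the source list shows up as "can't reach the internet" for that subnet rather than as an error.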




Lab Practice – Switching Part 3

So just to recap, we have our three switches with a router as follows:


We have verified the VLANs, the trunks, the EtherChannels and the operation of spanning tree protocol. So what do we do next? Let's add a few scenarios:

Scenario 1.

Some users complain that it takes time for their PCs to boot every morning. Apparently the network is really really slow. So how do we fix that?

Well, one of the likely culprits is spanning tree protocol. When there is link activity on a port, STP runs through its algorithm (listening, learning, forwarding) regardless of what is connected to the switch. When a host connects, however, there is no need for this, so STP has a command to stop host ports (and only host ports) from doing it:

s2950(config-if)#int fa0/10
s2950(config-if)#spanning-tree portfast 
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION
%Portfast has been configured on FastEthernet0/10 but will only
 have effect when the interface is in a non-trunking mode.

The portfast option is placed on a per port basis and immediately puts the port into forwarding mode. This helps to bring hosts onto the network much faster, and can help in speeding up the DHCP process.

Scenario 2.

During a management meeting, it was noted that the backup link from the 2950-12 to the 3550 was not adequate to cope with the network traffic in the event that one of the other switch Etherchannel links goes down. How do we fix this?

What we need to do is define another Etherchannel link, by stealing one or two ports from the sales VLAN, and move those users over to the 3550 which has extra capacity.

s3550(config)#int range fa0/9 - 12
s3550(config-if-range)#switchport access vlan 40

This gets me my ports on the 3550 and then to remove them from the 2950-12:

s2950-12(config)#int range fa0/9 - 12
s2950-12(config-if-range)#no switchport access vlan 40

and a couple of show interface vlan brief commands to confirm.
So now we build the Etherchannel link.

Currently we are connecting the 3550 and 2950-12 together via one link, and I’m going to add another two to make a three channel link.

2950-12     3550
 fa0/3   -  fa0/24
 fa0/9   -  fa0/23
 fa0/10  -  fa0/22

And now we have an etherchannel link forming a mesh for all three switches.


One of the aspects of both routing and switching that I have had trouble with is knowing what is running on the network at any given time. We talk a great deal about broadcast and multicast packets, BPDUs and so on. So just what exactly is floating around when our network is idling? Well, I decided to try and figure that out:

Protocol  Sends           every      Multicast address
STP       BPDU            2s         01:80:C2:00:00:00
VTP       Summary Advert  300s       01:00:0C:CC:CC:CC
CDP       CDP packet      60s        01:00:0c:cc:cc:cc

Note: STP might be a mix of both version 1 and 2, and there might even be some RSTP floating around there too. In addition there might be protocols running on a per port basis like DTP for instance.

A final note

While this was fun, this was sort of thrown together as I went along. Frankly with this equipment I would never have arranged the switches this way. However, we also know that in the real world, things evolve, and by this I mean that initially the company may have purchased the 2950-12 because at that time, that was all they needed. Later someone added the 2950-24 and then the 3550 because it said POE on the box, and some hotshot decided he needed POE for his IP phone.  And so we end up with the above. Yes you could go into work one Saturday when no one else is there and rewire the whole thing, but what if these switchboxes are in different parts of the building ….

You see where I am going with this 🙂
