Last week wrapped up the first week of our new CCIE Routing & Switching Advanced Technologies Class, where I focused on Layer 2 Technologies such as Ethernet, Frame Relay, HDLC, and PPP. Next week I will be running week 2 of the class, focusing on Layer 3 Technologies such as RIP, EIGRP, OSPF, BGP, IPv6, and Multicast.
In our recent Implement Layer 2 Technologies series, we examined Q-in-Q tunneling in great detail. In that discussion, I mentioned a big caution about the Service Provider cloud when 802.1Q trunks are in use for switch-to-switch trunking. This caution involved the use of an untagged native VLAN.
Catalyst switch port security is recommended so often for a few important reasons:
- There are many attacks that are simple to carry out at Layer 2
- There tends to be a gross lack of security at Layer 2
- Port Security can guard against many different types of attacks such as MAC flooding, MAC spoofing, and rogue DHCP servers and APs, just to name a few
I find when it comes to port security, however, many students cannot seem to remember two main points:
- What in the world is Sticky Learning and how does it work?
- What is the difference between the different violation modes and how can I remember them?
Sticky learning is a convenient way to create static secure MAC address entries for the devices you allow on a port without typing the addresses by hand. First confirm that the correct devices are connected. Then enable port security on the access port, set the maximum number of secure addresses, and turn on sticky learning, for example:
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
The MAC addresses the port then learns are converted to sticky secure entries and written into the running configuration as switchport port-security mac-address sticky <mac> lines. They survive a reload only if you save the configuration; dynamic (non-sticky) secure addresses are lost when the interface goes down.
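The following is an added behavioural model, not Cisco code and not part of the original post: it mimics how a Catalyst port-security interface handles the maximum address count, sticky learning, and the protect, restrict and shutdown violation modes, so the three modes can be compared on constructed frames. The interface name, the MAC addresses and the syslog text are assumptions (the message is modelled on the IOS PSECURE_VIOLATION format, not copied from a switch).

```python
"""Behavioural model of Catalyst port security: maximum secure MACs,
sticky learning, and the protect / restrict / shutdown violation modes.
Added illustration, not Cisco code; interface name and MACs are made up."""
from dataclasses import dataclass, field
from typing import List, Set

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str = "GigabitEthernet0/1"          # hypothetical interface
    maximum: int = 1                          # IOS default
    violation: str = "shutdown"               # IOS default
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)  # current secure table
    sticky_macs: Set[str] = field(default_factory=set)    # persisted in running-config
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def ingress(self, src_mac: str) -> bool:
        """Process one frame by source MAC; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                      # err-disabled port drops everything
        if src_mac in self.secure_macs:
            return True                       # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # dynamic secure learning
            if self.sticky:
                self.sticky_macs.add(src_mac) # converted to a sticky entry
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> bool:
        # protect: drop silently, nothing counted, nothing logged
        if self.violation == "protect":
            return False
        # restrict: drop, increment the counter, send syslog/SNMP trap
        self.violation_count += 1
        self.syslog.append(
            f"PSECURE_VIOLATION: Security violation occurred, caused by "
            f"MAC address {src_mac} on port {self.name}.")   # modelled text
        # shutdown: do all of the above and err-disable the whole port
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

    def recover(self) -> None:
        """shutdown / no shutdown on the interface: the port comes back,
        dynamic secure entries are lost, sticky entries are kept."""
        self.err_disabled = False
        self.secure_macs = [m for m in self.secure_macs if m in self.sticky_macs]

    def running_config(self) -> List[str]:
        """Interface lines as they would appear in the running-config."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.sticky_macs)]
        return lines


if __name__ == "__main__":
    port = SecurePort(maximum=2, violation="restrict", sticky=True)
    for mac in ("0000.1111.aaaa", "0000.2222.bbbb", "0000.3333.cccc"):
        print(mac, "forwarded" if port.ingress(mac) else "dropped")
    print("\n".join(port.running_config()))
    print("violations:", port.violation_count, "err-disabled:", port.err_disabled)
```

The difference students forget is visible in the model: protect never touches the counter or the log, restrict counts and logs but keeps the port up, and shutdown err-disables the port so that even the legitimate sticky addresses stop passing until the interface is bounced (or errdisable recovery fires). After recovery, only the sticky entries are still in the secure table.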
Do you want to see how a CCIE would handle a tricky EtherChannel and 802.1X scenario in the lab exam? Subscribers to the Interactive Video Companion for Volume 2 need to log in and watch the new training modules.
Hear ye, hear ye, VTP experts. (We are not referring to the Vandenberg Test Program, although they are very likely experts in their field as well. :))
Can you predict the results of a three-switch VTP client/server scenario?
SW1 through SW3 are connected as shown in the diagram.
Here is the initial output of show vtp status and show vlan brief on each switch. Note that SW1 and SW3 are servers, while SW2 is a client. We will be adding a failure to the network in just a moment.
For some time I believed that a companion post to Understanding MSTP was required in order to cover all aspects of MSTP completely. The post should discuss the convergence mechanisms employed in RSTP, which is part of the MSTP implementation. When I originally started that blog post, it appeared that it would be beneficial to cover STP convergence mechanics beforehand. Word by word, the tutorial evolved into a document over 30 pages long. In addition, many readers have been asking for PDF versions of my blog posts, so I finally decided to make the new one entirely in PDF. You may find the link below:
For a while I had been thinking of putting together the two blog posts made in the past about MSTP and adding more clarification to the MSTP multi-region section. This new blog post recaps the information posted previously and provides more details this time. Additionally, it discusses some MSTP design-related questions. Both single-region and multiple-region MSTP configurations are reviewed in the post. The reader is assumed to have a good understanding of the classic STP and RSTP protocols as well as Cisco's PVST/PVST+ implementations.
Table of Contents
Due to the large size of the document, a table of contents is provided for the ease of navigation.
Logical and Physical Topologies
Caveats in MSTP Design
MSTP Single-Region Configuration Example
Common and Internal Spanning Tree (CIST)
Common Spanning Tree (CST)
Mapping MSTIs to the CIST
MSTP Multi Region Design Considerations
Interoperating with PVST+
Scenario 1: CIST Root and CIST Regional Root
Scenario 2: MSTIs and the Master Port
Scenario 3: PVST+ and MSTP Interoperation
Recently there have been discussions about Cisco’s new data-center technology, Overlay Transport Virtualization (OTV), implemented in Nexus 7k data-center switches (limited demo deployments only). The purpose of this technology is to connect separated data-center islands over any convenient packet-switched network. OTV is claimed to be a better solution than the well-known VPLS or any other Layer 2 VPN technology. In this post we are going to give a brief comparison of the two technologies and see what benefits OTV may actually bring to data centers.
We are going to give a rather condensed overview of VPLS functionality here, just to have a baseline to compare OTV against. The reader is assumed to have a solid understanding of MPLS and Layer 2 VPNs, as the technology fundamentals are not described here.
We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! :) ) As I was going through the demos on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.
This blog post is to refresh your memories and provide some examples for layer 2 security on the Catalyst switch. We will begin with DHCP snooping.