Chapter 14 – Managing Switches with SNMP

  • What is the purpose of SNMP?
    • Simple Network Management Protocol shares information about the host router and its activities.
  • What 2 parts do SNMP have?
    • SNMP manager: This is a network management system that polls information from the SNMP agent. This is usually runs on a central location.
    • SNMP agent: The process that runs on the network device being monitored.
  • Where does the switch gather data for SNMP?
    • From the Management Information Base (MIB). Data contained in memory and updated in real time.
  • How does the SNMP manager communicate with the SNMP agent? What is the 4 request type?
    • The communication uses UDP port 161
    • get request: the value of one specific MIB is needed
    • get next request: the next or subsequent value following an initial get request is needed
    • get bulk request: whole table or list of values in a MIB is needed
    • set request: a specific MIB variable needs to be set to a value
  • How can the SNMP agent notify the manager? What communications types exist?
    • The communication uses UDP port 162
    • SNMP trap: News of some event is sent without any acknowledgement that the trap has been received
    • Inform request: News of some event is sent, but the SNMP manager need to acknowledge
  • What are the differences between SNMP versions?
    • SNMPv1:
      • Get/Set requests plus SNMP traps
      • 32 bit variable counters
      • Authentication with clear text community string
    • SNMPv2C:
      • 64 bit variable counters
      • Get/Set requests, SNMP traps + Bulk requests
      • Authentication still with clear text community strings
    • SNMPv3:
      • Authentication through usernames
      • “views” can be used to limit what MIB variables can an SNMP manager read/write
  • What security levels are available in SNMPv3?
    • noAuthNoPriv: SNMP packets are neither authenticated nor encrypted
    • authNoPriv: SNMP packets are authenticated but not encrypted
    • authPriv: SNMP packets are authenticated and encrypted


  • How do you configure SNMPv1?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST COMMUNITY [TRAP-TYPE]
  • How do you configure SNMPv2?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST [informs] version 2c COMMUNITY 
    • The config is almost the same as with SNMPv1, but if you would like to use informs instead of traps, you must use the informs keyword.
  • How do you configure SNMPv3?
    • snmp-server view: You can specify a view for the users, so they can only access a certain part of the MIB.
      (global)# snmp-server view VIEW-NAME OID-TREE
    •  snmp-server-group:
      (global)# snmp-erver group GROUP-NAME v3 { noauth | auth | priv } [read READ-VIEW]  [ write WRITE-VIEW] [notify NOTIFY-VIEW] [access ACL]

      • noauth, auth = Authentication
      • priv = Encryption
    • snmp-server user:
      (global)# snmp-server user USER-NAME  GROUP-NAME v3 auth {md5 | sha} AUTH-PASSWORD priv { des | 3des | aes {128|192|256}} PRIV-PASS [ACL]
    • snmp-server host:
      (global)# snmp-server host HOST-IP [informs] version 3 {noauth | auth | priv} USERNAME [trap-type] 

Chapter 13 – Logging Switch Activity

Syslog Messages

  • What is the format of a Syslog message?
    • Timestamp
    • Facility code: This is an identifier that specifies the switch function or module that has generated the message.
    • Severity: A number to 0 – 7
    • Mnemonic: A category within the facility code
    • Message Text: Description of the event.
    • syslog
  • What does each severity level mean?
    • message loggging
  • How can you modify the severity level of logging (into internal buffer)?
    • Default: 6 = Informational
    • (global)# logging buffered SEVERITY-LEVEL
  • How can you change the log size of the internal buffer?
    • Same command but the number start from 4096
    • (global)# logging buffered SIZE
  • How can you modify the severity level for the console port? What is the default value?
    • Default: 7 = Debugging
    • (global)# logging console SEVERITY
  • What port and what protocol do syslog use?
    • Port 514
    • Protocol: UDP
  • Why do the syslog server need to send acknowledge messages?
    • Because the communication is using UDP and the switch cannot know whether the log message arrived to the server.
  • How do you configure remote syslog?
    • (global)# logging host IP
      (global)# logging trap SEVERITY
  • What is the problem with interface state changes and remote syslog (on an access layer switch)? 
    • Every time when host devices start/stop the switch will send syslog messages to the server.
    • no logging event link-status


Adding Time Stamps to Syslog Messages

  • How do you configure time zone on a switch?
    • (global)# clock timezone  NAME OFFSET-HOURS
  • How do you configure summer time?
    • (global)# clock summer-time NAME recurring
  • How do you configure time?
    • clock set HH:MM:SS
  • What is a stratum value?
    • Stratum number indicates the number of NTP “hops” needed to reach the top.
    • Range: 0-15
  • What are the 4 modes that NTP can propagate time?
    • Server (or NTP master): Can be configured using
      (global)#ntp master STRATUM  
    • Client: Synchronizes its time with the NTP server.
      (global)#ntp server IP
    • Peers: This is called symmetric mode. Peers exchange time synchronization information with each other.
      This is often used between two or more servers operating as mutually redundant group.
      (global)#ntp peer IP
    • Broadcast/multicast: The NTP server pushes time information out to any listening device.
      (interface) ntp broadcast client
  • What is the difference between ntp version 3 and 4? Which one is default?
    • Version 3 is default
    • Version 4 give IPv6 capabilities
  • If you specify more than 1 ntp server, how can you decide which should be the primary?
    • (global)# ntp server IP prefer [version 3|4]
  • How can you verify NTP functionality?
    • show ntp status
    • show ntp associations


  • How can you secure NTP?
    • (global)# ntp authentication-key KEY-NUMBER md5 KEY-STRING
      (global)# ntp authenticate
      (global)# ntp trusted-key KEY-NUMBER
      (global)# ntp server IP-ADDRESS key KEY-NUMBER
  • What else security method are you aware of? How can you configure it?
    • Using ACLs
    • (global)# access-list ACL-NUM permit IP MASK
      (global)# ntp access-group {serve-only | serve | peer | query-only } ACL-NUM
    • serve-only: Only synchronization request permitted
    • serve:  Synchronization and control requests are permitted. The device is not permitted to synchronize its own time clock.
    • peer: Synchronization and control requests are permitted. The device can synchronize its own time clock.
    • query-only: Only control queries permitted.
  • What is SNTP?
    • Simplified Network Time Protocol
    • When a device is configured as SNTP, it operates as an NTP client only. Other devices cannot synchronize with its clock.
  • How can you configure SNTP?
    • The same way as NTP, but with the keyword “sntp” instead of “ntp”.


  • How can you add timestamps to the log?
    • (global)# service timestamps log datetime [localtime] [show-timezone] [msec] [year]
    • The “localtime” parameter will use the locally configured timezone.
      By default UTC is set.

Chapter 12 – Configuring DHCP

Using DHCP with a Multilayer Switch

  • How does DHCP negotiation work? What steps do it have?
    • DHCP discovery (client): Without any valid source IP the client sends a broadcast message to find a working DHCP server.
    • DHCP offer (server): The server sends a reply destined to the client’s MAC address offering:
      • IP address
      • subnet mask
      • default gateway
      • some additional parameters
        The server sends a broadcast since the client do not have an IP yet, only the MAC.
    • DHCP request (client): The client makes an official request for the proposed IP/subnet/gateway.. This is still a broadcast.
    • DHCP ACK (server): The server sends an acknowledgement, so the client can start using the IP.
  • How do you configure a DHCP server?
    • (global)# ip dhcp excluded-address STAR-IP END-IP
      (global)# ip dhcp pool POOL-NAME
      (dhcp)# network IP SUBNET-MASK
      (dhcp)# default-router IP [IP2] [IP3] ...
      (dhcp)# lease {infinite | days { hours { minutes }}}
  • How can you verify DHCP activites?
    • show ip dhcp binding


  • What is Manual Address Binding?
    • This way the DHCP server will give the same IP address for a specific host.
  • How do you configure manual address binding?
    • (global)# ip dhcp pool POOL-NAME
      (dhcp)# host IP  MASK
      (dhcp)# client-identifier ID
      (dhcp)# hardware-address MAC
  • What is a DHCP option?
    • In some cases the clients need more information than simple IP, mask, gateway… You can specify these information with DHCP options:
      (dhcp)# option OPTION-NUMBER
  • What is DHCP relay?
    • In case the DHCP server is located outside of the LAN, you have the chance to forward the DHCP broadcast messages as unicast packets to the DHCP server.
  • How do you configure it?
    • (interface)# ip helper-address IP


Configuring DHCP to Support IPv6

  • How does Statless Autoconfiguration work (IPv6)?
    • The client will receive a globally unique address (advertised from the router) and fill the rest 64bits with EUI-64.
      EUI-64:  First half of the MAC address (24 bits) + FFFE (16 bits) + second half of the MAC (24 bits)
    • The router periodically send the advertisements but the client can request also.
  • How do you configure Stateless Autoconfiguration?
    • You don’t really have to. Just configure a L3 interface with IPv6 address on the switch and the rest is automated.


  • Why do we need DHCPv6 if we already have Stateless Autoconfiguration?
    • Because the client might need additional information, but Stateless Autoconfiguration can provide the basic information (ie.: DNS server address)
  • How do you configure a DHCPv6?
    • (global)# ipv6 dhcp pool POOL-NAME
      (dhcpv6)# address prefix IPV6-PREFIX
      (dhcpv6)# dns-server DNS-ADDRESS
      (dhcpv6)# domain-name NAME
      (global)# interface INTERFACE-NAME
      (interface)# ipv6 address IP
      (interface)# ipv6 dhcp server POOL-NAME
      (interface)# no shut
  • What is DHCPv6 Lite? 
    • It combines Stateless Autoconfiguration with DHCPv6.
      The clients use Stateless Autoconfig to get their IP, but will receive other information from the server.
  • How do you configure DHCPv6 Lite?
    • The interface command “ipv6 nd other-config-flag” will notify the clients that they should receive their IP from Stateless Autoconfiguration and not DHCPv6.
    • (global)# ipv6 dhcp pool NAME
      (dhcp)# dns-server DNS-ADDRESS
      (dhcp)# domain-name DOMAIN
      (global)# interface INTERFACE-NAME
      (interface)# ipv6 address IP
      (interface)# ipv6 dhcp server POOL-NAME
      (interface)# ipv6 nd other-config-flag
      (interface)# no shut
  • How do you configure DHCPv6 Relay ?
    • (interface)# ipv6 dhcp relay destination IPV6
  • How do you verify IPv6 DHCP?
    • show ipv6 dhcp pool


Chapter 11 – Multilayer Switching

  • What is Inter-VLAN routing?
    • When a device transports packets between VLANs that is called Inter-VLAN routing.
  • How do you configure L2 or L3 port operation mode?
    • L2: (interface)# switchport
    • L3: (interface)# no switchport
  • How can you verify it?
    • Layer 2 mode
      Switch1#sho int gi0/2 switchport
      Name: Gi0/2
      Switchport: Enabled
      Administrative Mode: dynamic desirable
      Operational Mode: static access
      Administrative Trunking Encapsulation: negotiate
      Operational Trunking Encapsulation: native
      Negotiation of Trunking: On
      Access Mode VLAN: 1 (default)
      Trunking Native Mode VLAN: 1 (default)
      Administrative Native VLAN tagging: enabled
      Voice VLAN: none
      Administrative private-vlan host-association: none
      Administrative private-vlan mapping: none
      Administrative private-vlan trunk native VLAN: none
      Administrative private-vlan trunk Native VLAN tagging: enabled
      Administrative private-vlan trunk encapsulation: dot1q
      Administrative private-vlan trunk normal VLANs: none
      Administrative private-vlan trunk associations: none
      Administrative private-vlan trunk mappings: none
      Operational private-vlan: none
      Trunking VLANs Enabled: ALL
      Pruning VLANs Enabled: 2-1001
      Capture Mode Disabled
      Capture VLANs Allowed: ALL
      Protected: false
      Appliance trust: none
    • Layer 3 mode:
      Switch1#sho int gi0/2 switchport
      Name: Gi0/2
      Switchport: Disabled
  • How can you create VLAN interface 100 on a brand new Multilayer Switch?
    • First create the vlan:
      (global)# vlan 100
      (vlan)#  exit
    • Then create the VLAN interface:
      (global)# interface vlan 100
      (interface)# ip address
      (interface)# no shut
    • Creating a VLAN interface will NOT create the VLAN itself.
  • When does an SVI become active?
    • When at least 1 L2 port, which is assigned to the same VLAN, becomes active and STP has converged.
  • What is SVI autostate?
    • None of the switching or routing fuctions can use the SVI interface until the SVI becomes active.
  • How can you disable SVI autostate, so it become active even if L2 ports are down?
    • (interface)# switchport autostate exclude
  • What is FIB?
    • Forwarding Information Base
    • The calculations of the routing table are inserted into the FIB, so when the switch receives a packet it can easily examine the destination and find the longest match in the FIB.
    • When the L3 engines sees changes in the routing topology it sends an update to the FIB.
    • If a next-hop address is changed / aged out of the ARP table, it send update to the FIB
  • How can you find a prefix in the CEF?
    • sho ip cef IP-ADDRESS MASK
    • or you can do a wider “search”
      show ip cef IP-ADDRESS MASK longer-prefixes
  • What happens when a packet cannot be switched in hardware according to the FIB?
    • Those packets are marked as: CEF punt
    • They are sent to the L3 engine for further processing
  • What can cause such situation (CEF punt)? 
    • entry cannot be located in FIB
    • FIB is full
    • TTL has expired
    • MTU exceeded, packet must be fragmented
    • ICMP redirect is involved
    • encapsulation type not supported
    • packets are tunneled
    • ACL with log option triggered
    • NAT needed
  • What types of CEF do you know of? How do they work?
    • aCEF (Accelerated CEF): Only a portion of the FIB is downloaded to them at any time because they are not capable of storing the entire FIB.
      This way the CEF is accelerated on the line cards, but not necessarily at sustained wire-speed rate.
    • dCEF (Distributed CEF):  FIB is replicated across multiple independent L3 forwarding engines.  A central L3 engine maintains the routing table and generates the FIB, which is then dynamically downloaded in full to each of the line cards.

Adjacency Table

  • What is adjacency table?
    • FIB contains the L3 next-hop address for each entry.
    • Adjacency table contains the L2 information for every FIB next-hop.
  • How can you verify it?
    • SW1#show  adjacency 
      Protocol Interface                 Address
      IP       GigabitEthernet0/1/6
      IP       GigabitEthernet0/1/6
      IP       GigabitEthernet0/1/7
      IP       GigabitEthernet0/1/7 (incomplete)
      IP       GigabitEthernet0/1/7


  • What does “CEF glean” mean?
    • When an ARP entry does not exists, the FIB entry is marked as CEF glean. So the packet is sent to L3 forwarding engine to generate an ARP request and receive an ARP reply.
  • What type of entries are in the Adjacency table?
    • Null adjacency: Switch packets for the null interface. No response sent to sender.
    • Glean adjacency: Packets sent to L3 engine to generate ARP request
    • Drop adjacency:  Switch packets that cannot be forwarded normally. (checksum error, unresolved address, encapsulation failure etc..).
      Send response back to sender.
      show cef drop
    • Discard adjacency: Packets are discarded because of an ACL or other policy.
      Response sent sometimes (depends on policy)
    • Punt adjacency: Packets are sent to L3 engine for further processing.
      show cef not-cef-switched
  • What is the packet rewrite engine? What does it do?
    • When the next-hop address is decided, the L2 and L3 headers are need to be rewritten. The precomputed entries in the Adjacency table will make this process fast.
      • L2 destination MAC: Changed to the next-hop MAC
      • L2 source MAC: Changed to the outbound L3 switch interface’s MAC
      • L3 IP TTL: Decremented by one
      • L3 IP checksum: Recalculated to include changes in the IP header
      • L2 frame checksum: Recalculated to include L2 and L3 header


Verifying Multilayer Switching

  • How can you check the configured VLANs?
    • sho-vlan.PNG


Chapter 10 – Aggregating Switch Links

Switch Port Aggregation with EtherChannel

  • Why cant we simple use multiple links for redundancy in L2?
    • Simply putting redundant links between 2 devices would not work because STP would Block the redundant ports.
  • How many links can participate in an EtherChannel?
    • 2 – 8
  • How does STP reacts when ports are bundled into an EtherChannel?
    • It switches the port state from Blocking into Forwarding.
  • What happens when a link fails within an EtherChannel?
    • The traffic is automatically moved to an adjacent link. The failover happens in less than a few milliseconds.
  • How can you increase the effectiveness of redundancy when using EtherChannels (beside using multiple links)?
    • Use multiple switches at each end of the EtherChannel (stackable Catalyst).
    • This is called Multichassis EtherChannel (MEC)
  • 2 switch have 5-5 Gigabit interfaces bundled into an EtherChannel. When PC-1 is transferring 10Gbyte of traffic to PC-2 what is the maximal speed it can achieve? Why?
    • 1 Gbps
    • The connections are balanced between the 5 lines but one connection can use 1 line at a time.
  • What are the general configuration requirement of the bundling ports? (!!)

    • the ports must belong to the same VLAN
    • if used as trunk, all ports must be in trunking mode having the same native VLAN and VLAN set
    • the ports must have the same duplex and speed settings
    • the ports must be configured with the identical STP settings
  • How does EtherChannel distributes traffic?
    • EtherChannel not always balances traffic equally
    • The frame distribution can be selected by:
      • source/destination IP address
      • source/destination MAC address
      • TCP/UDP port numbers
  • How does the EtherChannel selects which link should use for a specific connection?
    • It is using a hash algorithm which selects the link:load-distribution-etherchannel.PNG
    • XOR reminder:
    • Conversations between 2 devices always sent on the same link.
    • Useful article
  • What type of EtherChannel Load-Balancing methods do you know of?
    • Method Value Hash Input Hash Operation
      src-ip Source IP address Bits
      dst-ip Destination IP Bits
      src-dst-ip Source and destination IPs XOR
      src-mac Source MAC Bits
      dst-mac Destination MAC Bits
      src-dst-mac Source and destination MACs XOR
      src-port Source port Bits
      dst-port Destination port Bits
      src-dst-port Source and destination ports XOR
  • How can you configure the load balancing method?
    • (global)# port-channel load-balance METHOD
    • By default: src-mac, but it depends on the switch model
  • How can you verify the load balancing method?
    • show etherchannel load-balance
  • What happens if you configure src-ip as balancing method, but the switch receives a non-IP frame (ie.: SNA)?
    • The switch will automatically fall back to the “next-lowest” method (ie.:MAC).
  • Why broadcast/multicast messages do not cause bridging loops?
    • Because broadcast/multicast messages are being balanced the same way as unicast messages.
      A broadcast messages will become part of the hashing calculation to choose an outbound channel link.
  • What are the 2 types of EtherChannel negotiation protocols +1 that is not a protocol?
    • Port Aggregation Protocol (PAgP)
      Cisco propriatary
    • Link Aggregation Control Protocol (LACP)
    • Link Aggregation (LAG) (Cisco calls this EtherChannel) – This is the manual type of link aggregation.
  • How can these protocols operate? What modes do they have?
    • PAgP LACP Negotiation packets sent Characteristics
      On On No All port channeling
      Auto (default) Passive Yes Waits to channel until asked
      Desireable Active Yes Actively asks to form a channel
    • Mnemonic: LACP => LACtiveP,   Active <=> Passive
  • How does PAgP reacts if you modify the VLAN/duplex/speed value of a port which is a member of the EtherChannel?
    • It will reconfigure that parameter for all ports in the bundle
  • How do you configure PAgP?
    • (interface)# channel-protocol pagp
      (interface)# channel-group NUMBER mode { on | auto | desirable } [non-silent]
  • What happens in PAgP silent mode?
    • PAgP will allow ports to be added to the EtherChannel, even if no PAgP packets received from the far end (silent).
    • By default PAgP operates in silent mode.
  • What is the point of silent mode?
    • This allows a switch to form EtherChannel with another device that do not participate in PAgP (ie.: fileserver, network analyzer etc.)
  • How long does the switch waits until it considers the far end device silent?
    • 15 sec
  • When should you use non-silent mode?
    • When you expect a PAgP capable device on the far end.
    • This will require each port to receive PAgP packets before adding them to a channel.
  • What if PAgP is in non-silent mode, but no PAgP packets received?
    • The port will remain in up state but PAgP will report it to STP that the port is down.
  • How can you verify EtherChannel functionality?
    • Switch5#sho etherchannel summary
      Flags:  D - down        P - bundled in port-channel
              I - stand-alone s - suspended
              H - Hot-standby (LACP only)
              R - Layer3      S - Layer2
              U - in use      f - failed to allocate aggregator
              M - not in use, minimum links not met
              u - unsuitable for bundling
              w - waiting to be aggregated
              d - default port
      Number of channel-groups in use: 1
      Number of aggregators:           1
      Group  Port-channel  Protocol    Ports
      1      Po1(SU)         PAgP      Gi0/1(P)    Gi0/2(P)



  • How do you configure LACP?
    • (global)# lacp system-priority PRIORITY
      (interface)# channel-protocol lacp
      (interface)# channel-group NUMBER mode { on | passive | active }
      (interface)# lacp port-priority PRIORITY
  • What if both switches have the same LACP priority?
    • The lower MAC address is going to be the tie breaker
  • What if you configure more than 8 interfaces in a single channel group?
    • The extra ports are going to be in standby mode. In case an active interface fails the standby will take it’s place.
  • How can you decide which port should be active and which standby?
    • Interfaces with lower port priority are going to be active while interfaces with higher port priority are going to be standby.
    • Default priority: 32768
  • What if no port priority configured?
    • In such case the port with the lower port number is going to be the active one.
  • What is the purpose of EtherChannel Guard?
    • If a misconfiguration is detected on an enabled interface the switch will automatically shut down (err-disabled) the port.
  • How can EtherChannel Guard detect a misconfiguration?
    • etherchannel-guard.PNG
    • It relies on STP
    • Left switch receives BPDUs on all 3 ports even if it’s an EtherChannel. However all 3 BPDUs must have the same “Sending port ID” values (PortchannelX).
      When the switch receives a BPDU on an interface which is a member of an EtherChannel group and the BPDU has other “Sending port ID” value then the BPDUs which were received on the rest of the EtherChannel member interfaces, then it knows there is a misconfiguration.
  • How do you configure and verify it?
    • It is enabled by default
    • (global)# spanning-tree etherchannel guard misconfig
    • show interfaces status err-disabled



  • How can you create a L3 EtherChannel?
    • By using the “no switchport” command on the EtherChannel and physical interfaces
  • What happens when the EtherChannel is configured L3 but the pyhsical interfaces are not?
    • The switch will reject the command!
    • Both of the physical interfaces and the PortChannel must be configured with “no switchport” command.


Troubleshooting an EtherChannel

  • EtherChannel on mode does not send or receive PAgP or LACP packets. Therefore, both ends should be set to on mode before the channel can form.
  • EtherChannel desirable (PAgP) or active (LACP) mode attempts to ask the far end to bring up a channel. Therefore, the other end must be set to either desirable or auto mode.
  • EtherChannel auto (PAgP) or passive (LACP) mode participates in the channel protocol, but only if the far end asks for participation. Therefore, two switches in the auto or passive mode will not form an EtherChannel.
  • PAgP desirable and auto modes default to the silent submode, in which no PAgP packets are expected from the far end. If ports are set to non-silent submode, PAgP packets must be received before a channel will form.


It’s good idea to shut down the future bundle ports before configuring EtherChannel to avoid bridging loop.


Useful commands:

  • show etherchannel summary
  • show etherchannel port
  • show etherchannel load-balance

Advanced Spanning Tree Protocol

Rapid Spanning Tree Protocol

  • What kind of port roles exist in RSTP?
    • Root port: Best root path cost to the root.
    • Designated port: Forwards traffic for a given LAN segment.
    • Alternate port: Alternate path to the root bridge (ie.: redundant links)
    • Backup port: (ie.: redundant links but with designated ports)
  • What kind of port states exist in RSTP?
    • Discarding: Everything is dropped except BPDU. (no MACs learned)
    • Learning: Incoming frames are dropped, but MAC addresses are learned
    • Forwarding: All traffic is forwarded.
  • What are the differences between RSTP BPDU mechanism?
    • There are some unused bits in the STP BPDU message type field, so the RSTP BPDU is sending the port role also + distinguishes version:
      – version 0 = STP
      – version 2 = RSTP
    • Not only the Root Bridge sends BPDU messages.
      BPDUs are sent out every switch port at hello time intervals, regardless of whether BPDUs are received from the root.
    • When three BPDUs are missed in a row, that neighbor is presumed to be down. This mean 6 seconds instead of STP’s Max Age mechanism which is 20 seconds.
  • How does STP and RSTP work together in a segment?
    • Each port attempts to operate according to the version number in the BPDU that is received.
  • What happens in the time when you finished configuring RSTP on SwitchA but SwitchB is not yet ready (still in STP)?
    • The switch hold the last protocol type for a the duration of the migration delay timer. After this timer expires, the port is free to change protocol if needed.
      (sys-id-ext 1 = VLAN 1)
    • Switch1(config)#spanning-tree mode rapid-pvst
      Switch1#sho span
        Spanning tree enabled protocol rstp
        Root ID    Priority    32769
                   Address     5002.0001.0000
                   This bridge is the root
                   Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
        Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                   Address     5002.0001.0000
                   Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                   Aging Time  300 sec
      Interface           Role Sts Cost      Prio.Nbr Type
      ------------------- ---- --- --------- -------- --------------------------------
      Gi0/2               Desg FWD 4         128.3    Shr Peer(STP)
      Gi0/3               Desg FWD 4         128.4    Shr Peer(STP)



  • What kind of port types does RSTP have?
    • Edge port: This port connects to a single host so it cannot form a loop. However, if a BPDU ever is received on an edge port, the port immediately loses its edge port status.
    • Point-to-point port: Any ports that connects to another switch and becomes a designated port. BPDUs are exchanged back and forth: one switch proposes that its port becomes a designated port; if the other switch agrees, it replies with an agreement message.
    • Root port: The port with the best cost to the root bridge. If alternative paths are detected, those ports are identified as alternative root ports and immediately can be placed into Forwarding state when the existing root port fails.
  • How does RSTP synchronizes?
    • The RSTP convergence begins with a switch sending a proposal message. The recipient of the proposal must synchronize itself by effectively isolating itself from the rest of the topology. All nonedge ports are blocked until a proposal message can be sent.
    • The entire convergence process happens quickly, at the speed of BPDU transmission without the use of any timers.
    • In case the designated port that sends a proposal message do not receive an agreement message because ie.: the neighboring switch does not understand RSTP or has problem replying. In such situation the sending switch’s port must be moved through the legacy Listening and Learning states.
  • How does RSTP react to a topology change?
    • RSTP notices topology change when a nonedge port switches into forwarding mode (not when a link goes down).
    • When topology change is detected, the switch will send BPDUs, with their TC bit set, out on every nonedge designated ports.
    • This mechanism is done until the TC timer expires (2 intervals of Hello time).
    • In addition all MAC addresses associated with the nonedge designated ports are flushed from the CAM table. This forces the addresses to be relearned after the change, in case hosts now appear on a different link.
    • All neighboring switches that receive the TC messages flush their MACs learned on all ports except the on that received the TC message. Those switches then must send TC messages out their nonedge designated ports, and so on.


  • How do you configure RSTP?
    • By default a switch operates in Per-VLAN Spanning Tree Plus.
    • You can configure a port as an RSTP Edge port:
      (interface)# spanning-tree portfast
    • You can enable RSTP with this command:
      (global)# spanning-tree mode rapid-pvst
    • Enabling RSTP will restart any STP that is currently running on the switch which will preventing data from flowing for a short time.


Multiple Spanning Tree Protocol

  • What are the backdraws of STP and PVST+ ?
    • STP cannot use redundant links.
    • PVST+ can use redundant links (separated by VLANs).  As the number of VLANs increase, the number of PVSPT processes are increase also and every process uses some amount of CPU and memory.
      Moreover there are only a couple of spanning tree topologies exist within a L2 network. For example 300 VLANs using 300 PVST+ processes to create 2-3 different spanning tree topologies.
  • What is the advantage of MSTP?
    • It is designed to decrease the number of spanning tree processes.
      In example there are 2 possible ways of creating spanning tree topologies within the network and you have 300 VLANs. With MSTP you can group the VLANs and use only 2 spanning tree processes (Topology A with 150 VLANs and Topology B with 150 VLANs).
  • How does the switches know which of its neighbors are using MST and which region?
    • All MST switches are configured with the following values:
      • MST configuration name (32 characters)
      • MST configuration revision number (0  – 65535)
      • MST instance-to-VLAN mapping table (4096 entries)
    • If two switches have the same attributes, they belong to the same MST region.
    • These parameters are contained in the BPDUs.
      NOTE: Not the exact values, but a hash. If 2 hash matches, the parameters are matching.
  • How do Common Spanning Tree and MST work together?
    • Within a single MST region an Internal Spanning Tree instance is running. BPDUs are exchanged at the region boundary only over the native VLAN of trunks, as if a CST was in operation.
  • How many MST Instance are supported by Cisco?
    • 16 MSTI in each region
    • MSTI number 0 is dedicated for IST

      The below image shows 3 MST Instance: MSTI 0 (IST), MSTI 1 (top right), MSTI 2
      Inside the MST Region there is only 1 BPDU needed for all 3 MSTI instances.
      MSTI combine with the IST only at the region boundary and only IST BPDUs are sent out of a region.

  • How does MST handles a PVST neighbor?
    • When MST sends a BPDU to PVST switch, the IST BPDUs are repliated into all the VLANs on the PVST switch trunk.


  • How do you configure MST?
    • MST configuration attributes must be configured on each switch:
      • 1st enable MST
        (global)# spanning-tree mode mst
      • 2nd enter MST configuration mode
        (global)# spanning-tree mst configuration
      • Then assign name and revision number
        (mst)# name NAME
        (mst)# revision REVISION
      • Map VLANs to an MST Instance
        (mst)# instance INSTANCE-ID vlan VLAN-LIST
        Instance-ID: 1 – 15
      • Show the pending changes you have made
        show pending
    • After the MST is enabled and configured, PVST+ operation stop and the switch changes to RSTP operation.

Chapter 8 – Protecting the Spanning Tree Protocol Topology

Protecting against unexpected BPDUs

  • List all STP port roles!
    • Root port: The one port on a switch that is closest to the root bridge (with the lowest root path cost)
    • Designated port: The port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
    • Blocking port: Ports that are neither root nor designated.
    • Alternate port: Ports that are candidate root ports, but are in the Blocking state.  (UplinkFast)
    • Forwarding port: Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.
  • What is the purpose of Root Guard? How it works?
    • When a new switch joins to the network and it has the lowest BridgeID, it will take over the Root Bridge role. This can cause problems, so you can configure Root Guard.
    • Root Guard learns the current Root Bridge’s bridge ID, so if another superior BPDU is received it will not consider it the new Root Bridge. Instead the switch will put the port, where superior BPDU was received, into root-inconsistent STP state. No data can be sent/received only BPDU (like blocked state).
  • How do you enable Root Guard?
    • It can be enabled only on per-port basis, but all VLANs on that port. It is disabled by default.
    • (interface)#spanning-tree guard root
  • What is BPDU Guard? How it works?
    • It prevents unwanted switches on ports where only workstations should be (Portfast). If a BPDU is received on a port where BPDU Guard is enabled, the port immediately is put into errdisable state.
      You can reenable it manually or through errdisable timeout function.
      Best practice: BPDU Guard should be enabled on all Portfast interfaces.
  • How do you enable BPDU Guard?
    • By default BPDU Guard is disabled on all switch ports.
    • spanning-tree portfast bpduguard default
      This command enables BPDU Guard on every switch port that has Portfast enabled.
    • (interface)# spanning-tree bpduguard enable
      This command enables it per-port basis.

Protecting against sudden loss of BPDUs

  • What happens if SwitchC stops receiving BPDUs from the direction of SwitchB?
    • default-behaviour2
      In normal case even if the connection between SwitchA and SwitchB fails, SwitchB should send BPDUs to SwitchC, considering itself the new Root Bridge.
    • In case SwitchC absolutely stops receiving BPDUs from SwitchB, it will unblock its port after the Max Age timer expires. This will cause bridging loop.
  • What is Loop Guard? How does it work?
    • Loop Guard keeps track of the BPDU activity on nondesignated ports. When the port stops receiving BPDUs, Loop Guard will put the port into loop-inconsistent state. In this state the port will block traffic. When BPDUs are received again it will go through the normal STP states and become active.
    • Loop Guard does not blocks the whole port only the offended VLANs.
  • How do you enable Loop Guard?
    • By default it is disabled on all switch ports.
    • You can enable globally:
      spanning-tree loopguard default
    • or you can enable per-port basis:
      (interface)# spanning-tree guard loop


*Jan  4 13:18:55.001: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0001.
Switch5#sho span

  Spanning tree enabled protocol ieee
  Root ID    Priority    49153
             Address     5002.0005.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     5002.0005.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 3004      128.1    Shr
Gi0/1               Desg BKN*3004      128.2    Shr *LOOP_Inc


  • What is UDLD? Why do we need it?
    • Cisco Proprietary 
    • There might be some rare cases when the link between 2 switches are become unidirectional instead of bidirectional (ie.: GBIC/SFP transmit circuit failure). Or simple one line of the fiber optic cable is cut.
      When the faulty switch is not able to send traffic, the other switch does not receive BPDU so it will change the receiving port into forwarding state. This will cause a one-way loop.
    • Unidirectional Link Detection is meant to solve this problem.
  • How does UDLD work?
    • UDLD monitors the port and sends L2 UDLD frames at regular intervals. The far-end switch replies back, so the local switch knows that the link is bidirectional.
    • Since both switch ports (on each sides) must have this function enabled, it means 2 echo process on the given link.
    • By default UDLD messages are sent every 15 seconds.
    • Since the goal is to detect unidirectional link condition before STP can switch a blocked port to forwarding state, the UDLD messages must be sent within the Max Age + Listening + Learning time interval (by default 20+15+15 = 50 sec).
    • Twisted-pair or copper media does not able for the unidirectional problem, so UDLD is important only in the case of fiber-optic.
      However you can enable on non-fiber interfaces too.
  • What operational modes does UDLD have?
    • Normal mode: When a unidirectional link is detected, the port continues operation. Only a syslog message is generated.
    • Aggressive mode: When a unidirectional link is detected, the switch tries to reestablish the link. UDLD messages are sent out once a second for 8 sec. If no echo received, the port is placed into errdisable state (no traffic, no BPDU, nothing).
  • How do you configure UDLD?
    • You can configure it globally that will enable UDLD on all fiber-optic (!) switch ports:
      udld  { enable | agressive | message time SECONDS }
    • or per-port basis:
      (interface)# udld {enable | agressive | disable}
    • Default timer: 15 sec Available range: 1 – 90
      (timers differ among catalyst platforms)
  • How do you reenable a port that has been put into errdisabled mode by UDLD?
    • (global)#udld reset
  • What happens in the time when you configured UDLD on SwitchA but not yet on SwitchB?
    • UDLD will not put the port into errdisabled mode until it does not have knowledge of a neighbor.


Using BPDU Filtering to Disable STP on a Port

  • What is BPDU filter? How does it work?
    • In some special cases you need to prevent BPDUs from being sent/processed.
      With BPDU filter you effectively disable STP on those ports. BPDUs are not processed/received on the port.
  • How do you configure BPDU filter?
    • By default it is disabled on all switch ports
    • The global command with the default paramter enable BPDU filter on all Portfast interfaces:
      (global)# spanning-tree portfast bpdufilter default
    • (interface)# spanning-tree bpdufilter {enable|disable}
  • What is the difference between Portfast, BPDU Guard and BPDU Filter?
    • Portfast: no Listening/Learning time
    • BPDU Guard: the port will be put into errdisabled mode in case any BPDUs are received
    • BPDU Filter: BPDUs are not processed, traffic still allowed. Briding loop can happen!


Convert py to executable

To create an executable file from my python script I’ve used cx_Freeze.

Installing cx_Freeze

Just simply run from cmd:

python -m pip install cx_Freeze --upgrade


Create a new file with the following content:

import sys
from cx_Freeze import setup, Executable

base = None

if sys.platform == "win32":
	base = "Win32GUI"

setup(name="ITergo - Traceroute Interpreter",
	description="Traceroute Interpreter",
	executables=[Executable("", base=base)]


Creating executable 

Now you can start the conversion:

python build

And it’s done.
Do not forget that cx_Freeze will not copy the files that your code uses (I/O).

Blog at

Up ↑