Multiple Spanning Tree Protocol (MST)

Supports up to 4096 instances of Spanning Tree

(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#revision 1
(config-mst)#instance 1 vlan 12, 34
(config-mst)#instance 2 vlan 56, 90
(config-mst)#name CCIE <--- MST REGION NAME

SW2#show spanning-tree mst configuration
Name      [ ]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-11,13-33,35-55,57-89,91-4094
1         12,34
2         56,90
-------------------------------------------------------------------------------

Check the ROOT:
#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 aabb.cc00.0600         0    2   20  15
MST1                 1 aabb.cc00.0600         0    2   20  15
MST2              4098 aabb.cc00.0600         0    2   20  15

Advanced Spanning Tree

root primary - sets the priority to:
if ROOT > 24576 - sets to 24576 (priority 24576 sys-id-ext 12)
if ROOT =< 24576 - sets to 4096
root secondary - sets the priority to 28762

GREAT COMMAND:
#show spanning-tree bridge <- See the MAC address of the Switch
#show version | i Base 

Cat-1#show spanning-tree vlan 12
VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588              <--- ABOUT THE ROOT BRIDGE, 24588 = 32768 + 12 (vlan 12) - 8192
             Address     ec44.768a.6d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)    <--- ABOUT THIS SWITCH (LOCAL Bridge)
             Address     ec44.768a.6d80 <-- ON ROOT BridgeID and RootID have the same MAC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type           <--- ABOUT INTERFACES IN THIS VLAN 
------------------- ---- --- --------- -------- ------
Gi3/0/19            Desg FWD 4         128.127  P2p     <--- COST IS 4 CAUSE THIS IS GigabitEthernet Port 
Gi3/0/20            Desg FWD 4         128.128  P2p          (on FastEth is would be 19)

Great command to check the ROOT>
#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0100         24676 aabb.cc00.0600       200    2   20  15  Et2/2
VLAN0200         24776 aabb.cc00.0700       100    2   20  15  Et2/2
VLAN0300         24876 aabb.cc00.0800       100    2   20  15  Et3/1
VLAN0400         24976 aabb.cc00.0900         0    2   20  15 <--- COST TO ROOT IS 0, SO I'm the ROOT!!!

BEST PRACTICE:
Change the COST on the interface level to change the PATH
Change the PORT PRIORITY to influence ONLY the NEIGHBORING SWITCH

Private VLANs


*REQUIRES VTP MODE to be set to TRANSPARENT!!!

This belongs to L2 SECURITY rather then L2 SWITCHING

1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40

(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 30,40,50 <---map Promiscuous VLAN 10 to Community and Isolated VLANs

2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 30
(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <--- Associate Community VLAN 20 with Promiscuous VLAN 10

DONT FORGET TO ASSOCIATE Secondary VLANs to the Primary, so that they can all communicate with Promiscuous:
(config-vlan)#private-vlan association add 20,30,40

 #show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community   Et0/2
10      30        community   Et0/0
10      40        isolated            Et0/0

Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!

VMPS: VLAN Membership Policy Server

VLAN Membership Policy Server - provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port.

VMPS uses a UDP port to listen to VQP (VLAN Query Protocol) requests from clients, so, it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network.

Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port.
The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.

SECURE MODE: If MAC has not been found in VMPS Server - shut down the port

On VMPS Server:
(config)# vmps server [ipaddress | hostname] primary

On all the switches in the LAN (VMPS Clients):
(config-if)# switchport access vlan dynamic

Define how many times you want Client to contact the Server, like if you want to retry 5 times:
(config)# vmps retry 5 
(config)# vmps reconfirm 30 <--- RETRY IN 30 MINUTES IF 5 ATTEMPTS FAIL

SDM (Switch Database Management) - L3 Switch Memory Optimization

Depending on the Switch purpose (If the switch is used only for L2 Switching or for  IP Routing), Memory allocations can be optimized. This is what SDM is all about.

SDM (Switch Database Management), and there are 4 templates:
- ACCESS - For QoS and Security
- ROUTING - for IP Routing
- VLAN - Sets Switch to L2 and disables IP Routing
- Extended Match - for WCCP and multiple VRF (reformats memory space to allow 144-bit L3 TCAM support)

 (config)#sdm prefer [routing | dual-ipv4-and-ipv6 | vlan]

(config)#sdm prefer  ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6 <--- USE THIS MODE WHEN YOU HAVE BOTH, IPv4 and IPv6
  ipe                 IPe bias
  routing             Unicast bias <--- IF YOU USE THE SWITCH AS A ROUTER
  vlan                VLAN bias <--- ONLY L2 SWITCH


Check the achieved results:
#show sdm prefer
 The current template is "desktop default" template. <--- COMMAND NOT ACTIVE BEFORE THE SWITCH HAS BEEN REBOOTED
 The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

#show sdm prefer
 The current template is "desktop routing" template. <--- AFTER THE REBOOT THE SWITCH CHANGES THE SDM MODE
 The selected template optimizes the resources in  the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K <--- MEMORY ALLOCATION HAS BEEN CHANGED
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Most Popular Posts