Archive for Virtual LAN

The (Necessary) Evils of Spanning Tree, Part II

Posted in Cisco Certification on June 13, 2011 by jjrinehart

Timing Is Everything

One of the more important aspects of 802.1d Spanning Tree Protocol operation is its use of three specific timers.  These critical timers are as follows:

  1. Hello Timer: As the name suggests, this timer is concerned with the frequency at which hello messages are sent from the root switch and subsequently propagated throughout the switched network.  By default, the interval is set at two (2) seconds, and the root switch sends the Hello BPDU out all of its actively functioning interfaces.
  2. Max Age Timer: The Max Age timer is not the point at which a worker should retire, but rather the length of time switches should wait before triggering changes in the spanning-tree topology.  This happens in response to events in which the hello messages are failing to appear.  Rather than being dependent on a separate “Max Age” setting, this timer is derived by multiplying the hello interval by 10, yielding a default setting of twenty (20) seconds.
  3. Forward Delay: Ever paranoid about loops, spanning-tree sets yet another timer as a blocked port moves to a full forwarding state (more about port states later).  There are two steps in this process, each of which is allocated fifteen (15) seconds.

For spanning-tree to converge, the Max Age (20 seconds) and Forward Delay (15+15=30 seconds) timers have to expire, which ensures that no accidental path loops will be introduced during a topology change (50 seconds total).  I would imagine you cannot think of anyone that would be willing to wait as long as a full minute for network resources to become available again, right?  To get around this issue, Cisco created several new features to trim or eliminate the ridiculously long convergence time, as follows:

  1. Etherchannel: Since spanning-tree blocks multiple links, why not bond ports to create a single, larger logical connection?  This is exactly what Etherchannel does: it bundles similar interfaces into a larger logical entity, a “Port Channel”, with the benefits of greater bandwidth and nullifying the blocking issue of multiple ports.  If one link drops, spanning-tree never has to reconverge.
  2. Portfast: Many devices connected to the network (workstations, servers, etc.) pose no loop threat and do not even participate in spanning tree, so the portfast feature puts the port into forwarding mode immediately.
  3. Uplinkfast: Miss America pageants have first runner-up contestants that can immediately be promoted to first place without having to stage an entirely new pageant.  Uplinkfast tracks secondary root (alternate) and designated (backup) ports for this very purpose.
  4. Backbonefast: If indirect links upstream/downstream of the switch fail, the switch can query its neighbors for new path information without waiting for the Max Age timer to expire.
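To make the timer arithmetic above concrete, here is an added example (not code from the original post) that models the 802.1d convergence timers and the shortcuts the four Cisco features take. Max Age is derived as ten hello intervals, as the post states; the per-feature behaviour (PortFast and UplinkFast forwarding at once, BackboneFast skipping only the Max Age wait) is a simplified model of the post's descriptions, not a measurement of real switch behaviour, and the feature names used as arguments are assumptions of this example.

```python
"""Model of the 802.1d convergence timers described in the post.

Added example, not code from the original post.  Max Age is derived as ten
hello intervals, as the post states; the per-feature shortcuts are a
simplified model of the post's descriptions, not real switch behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StpTimers:
    hello: int = 2           # seconds between root hellos (default 2)
    forward_delay: int = 15  # seconds spent in each of listening and learning

    @property
    def max_age(self) -> int:
        # Per the post: Max Age = hello interval x 10 (20 s by default).
        return self.hello * 10


def port_timeline(timers: StpTimers,
                  feature: Optional[str] = None) -> List[Tuple[int, str]]:
    """Transitions (seconds since the last hello arrived, state) for a blocked
    port whose hellos have stopped.  `feature` is None, "portfast",
    "uplinkfast" or "backbonefast" (names from the post; behaviour is a model)."""
    if feature in ("portfast", "uplinkfast"):
        # PortFast: edge port with no loop risk, forwarding at once.
        # UplinkFast: the alternate root port was tracked in advance and is
        # promoted immediately (the "first runner-up" in the post).
        return [(0, "forwarding")]
    # BackboneFast asks its neighbours about the indirect failure instead of
    # waiting out Max Age; plain 802.1d waits the whole Max Age first.
    t = 0 if feature == "backbonefast" else timers.max_age
    timeline = [(0, "blocking"), (t, "listening")]
    t += timers.forward_delay
    timeline.append((t, "learning"))
    t += timers.forward_delay
    timeline.append((t, "forwarding"))
    return timeline


def convergence_seconds(timers: StpTimers,
                        feature: Optional[str] = None) -> int:
    """Seconds until the port is forwarding again."""
    return port_timeline(timers, feature)[-1][0]


if __name__ == "__main__":
    defaults = StpTimers()
    for feature in (None, "backbonefast", "uplinkfast", "portfast"):
        print(f"{feature or '802.1d default':15s} -> "
              f"{convergence_seconds(defaults, feature):2d} s  "
              f"{port_timeline(defaults, feature)}")
    # Max Age tracks the hello timer, so a 1 s hello shortens the first wait.
    print("hello=1:", convergence_seconds(StpTimers(hello=1)), "s")
```

With the defaults the timeline is blocking until 20 s, listening until 35 s, learning until 50 s, and forwarding only then; BackboneFast removes the first 20 s and the two PortFast-style shortcuts remove all of it, which is exactly the gap the features in the list above exist to close.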

Next time, we will look at 802.1d port states and improvements created in a newer version of spanning-tree, Rapid Spanning Tree (802.1w).

– Joe

The (Necessary) Evils of Spanning Tree, Part I

Posted in Cisco Certification on June 9, 2011 by jjrinehart

The Network Without STP: Chaos

My wife and I had the privilege of getting to visit Europe, specifically Italy, Croatia, Spain, France and Italy several years ago, and got to stand in the middle of St. Mark’s Square (pictured above).  You can clearly see the chaos of clouds of birds descending on the square having no restraint of any kind and the wild disarray as a result.  This very same kind of chaos can result if there are no traffic safeguards in the network, when frames (Layer 2) run through the network with no protection whatsoever.  These “storms” can literally halt a network in its tracks and prevent any legitimate traffic from getting through.  I personally witnessed this at my workplace: a faulty switch was throwing out bad packets that slowed everything to a standstill.  The global NOC thought there was a virus, but eventually they tracked it down to a cheap switch in one of the conference rooms.

Traditional Spanning Tree (IEEE standard 802.1d) was designed to create a loop-free path throughout the network, to prevent situations like the one described above.  Remember that unknown unicast, multicast, and broadcast frames are all flooded out all interfaces (except the originating one) by default, so controlling the paths that frames travel is no trivial matter.  The basic principle is that there is only a single active path allowed end to end; any redundant links are put into a blocking state, meaning that they cannot pass any traffic.  If you only have one set of interfaces active between switches, that precludes the possibility of loops, but then you are susceptible to link failures.

The very center of the Spanning-Tree universe is the root switch, and like a human being, it firmly believes that everything revolves around it!  Other switches connected to the network have ports pointing either toward or away from the root switch.  Those pointing back to the root are referred to as root ports, and those leading away (which forward hello messages from the root) are called designated ports.

Now let’s talk just briefly about those hello messages.  Only the root switch sends them out, and they are forwarded by each switch throughout the network.  These messages act as keepalives, help detect link failures, and help elect the root switch when spanning tree starts up.  When switches power up, they all start sending out hello frames claiming to be the best switch for the root, until they hear a better (technical term is superior) hello, usually based on a preconfigured priority and/or the MAC address of the switch.  Eventually the rest of the switches stop sending out hello messages and just wait for the root to send them out.
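The election described above, as an added example that is not code from the original post: every switch starts by claiming to be root, and each round it adopts any superior (lower priority, then lower MAC) claim it hears from a directly connected neighbour, until the whole network agrees and only the root originates hellos. The switch names, priorities, MAC addresses and topology are constructed for this example. It also shows the defender's reason for setting the intended root's priority deliberately: with every priority left at the default, the lowest MAC address wins, whichever switch that happens to be.

```python
"""Root-switch election by hello (BPDU) exchange, as described in the post.

Added example, not code from the original post.  Switch names, priorities,
MAC addresses and the topology below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int  # 0-65535, default 32768; lower is better
    mac: str       # tie-breaker: the lower MAC address wins

    def key(self) -> Tuple[int, int]:
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def is_superior_to(self, other: "BridgeId") -> bool:
        """A hello is 'superior' when it carries a lower bridge ID."""
        return self.key() < other.key()


def elect_root(switches: Dict[str, BridgeId],
               links: List[Tuple[str, str]]) -> Tuple[str, int, Dict[str, str]]:
    """Simulate hello propagation round by round.

    Every switch starts by advertising itself as root.  Each round, a switch
    adopts the best root any directly connected neighbour advertised in the
    previous round.  Returns (root name, rounds in which something changed,
    {switch: root it believes in}).
    """
    believes = {name: name for name in switches}  # everyone claims root
    rounds = 0
    while True:
        heard = dict(believes)
        for a, b in links:
            for me, neighbour in ((a, b), (b, a)):
                candidate = believes[neighbour]
                if switches[candidate].is_superior_to(switches[heard[me]]):
                    heard[me] = candidate
        if heard == believes:
            break                      # nobody changed its mind: converged
        believes = heard
        rounds += 1
    root = believes[next(iter(believes))]
    return root, rounds, believes


def hello_senders(believes: Dict[str, str]) -> List[str]:
    """After convergence only the root originates hellos; the rest relay them."""
    return sorted(set(believes.values()))


# Constructed sample campus: default priorities except on the core switch.
SAMPLE_SWITCHES = {
    "core1": BridgeId(4096, "00:00:0c:00:00:10"),
    "dist1": BridgeId(32768, "00:00:0c:00:00:20"),
    "dist2": BridgeId(32768, "00:00:0c:00:00:05"),  # lowest MAC of the four
    "acc1":  BridgeId(32768, "00:00:0c:00:00:30"),
}
SAMPLE_LINKS = [("core1", "dist1"), ("core1", "dist2"),
                ("dist1", "acc1"), ("dist2", "acc1")]


def all_default_priorities(switches: Dict[str, BridgeId]) -> Dict[str, BridgeId]:
    """The same switches with every priority left at 32768."""
    return {name: BridgeId(32768, b.mac) for name, b in switches.items()}


if __name__ == "__main__":
    root, rounds, view = elect_root(SAMPLE_SWITCHES, SAMPLE_LINKS)
    print(f"root = {root} after {rounds} rounds; hello sender(s): {hello_senders(view)}")
    print("all-default root =", elect_root(all_default_priorities(SAMPLE_SWITCHES), SAMPLE_LINKS)[0])
```

In the constructed topology the access switch first believes dist2 (its neighbour with the lower MAC), and only in the next round learns about core1 through either distribution switch, which is the hop-by-hop propagation of superior hellos the post describes.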

More to come…

– Joe

Invisible Networks (No Kidding), the World of Virtual LANs (VLANS), Part III

Posted in Cisco Certification on June 7, 2011 by jjrinehart

Oops...I Forgot to Turn Off VTP

The history of technology and innovation is full of attempts to create greater efficiencies and automate tasks.  A good example is DHCP; this protocol hands out IP address information with little intervention needed.  Any engineer or technician who has had to renumber a network can certainly appreciate this particular task being simplified.  On the other hand, if someone brings in a home router and plugs it in, it can wreak havoc for every other user.

The focus of this post centers on a switching technology that also had good intentions but can create outages that turn an engineer’s hair gray or make it fall out, namely, Virtual Trunking Protocol, or VTP.  The intention of VTP was to simplify the configuration of VLANs across multiple switches.  In a network of less than a dozen devices, manually configuring VLANs is not that big of a deal, but in a large campus environment of a hundred or more switches this becomes ridiculously difficult.  Why not just configure this once and let it propagate automatically?  Seems like a win-win, right?  Hold that thought while we go through some specifics.

There are three operational modes of VTP on a Cisco switch (yes, this is a Cisco proprietary protocol), as follows:

  1. Server: This switch serves in a master operational mode, where all the changes are made and then passed out to the other switches.  To ensure that the latest data is propagated accurately, each time the database changes, the revision number is incremented.
  2. Client: This switch does not store any VLAN information locally, nor can any changes be made to the information it contains.  Think of it as a “read only” mode of operation.
  3. Transparent: A switch in transparent mode operates independently, just as it would if VTP didn’t even exist.  It ignores all updates, though it does pass those updates on to all other switches it has trunk links to.  Since VTP cannot be shut off, this is about the closest you can get to off.  If all the switches in a network are configured in this mode, it effectively negates any effect VTP could have on the environment.

Now that you have an idea of how VTP operates, you can appreciate the “gotchas” that come with using it.  If only one switch operates as the server and the rest are all clients, then life is good.  But what happens when you add a new switch in server mode?  Hopefully nothing, unless the configuration revision number just so happens to be higher than the one that all the other switches have.  At that point, “poof” (see picture above), the database on every single switch is immediately erased.  The technical term for this is RGE–Resume Generating Event.  Best practices recommend just operating in transparent mode.
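The “poof” scenario above, as an added example that is not code from the original post: a server with a mature database and a chain of synced clients, then a switch from the lab, still in server mode and carrying a higher revision number, is trunked onto the last access switch. The same scenario is then run with every campus switch in transparent mode. Switch names, VLAN numbers and names, revision numbers and the chain of trunk links are constructed; the mode behaviour follows the three descriptions in the list above.

```python
"""VTP server/client/transparent behaviour and the revision-number overwrite
described in the post.

Added example, not code from the original post.  Switch names, VLAN names and
numbers, revision numbers and the chain of trunk links are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VtpUpdate:
    domain: str
    revision: int
    vlans: Dict[int, str]


@dataclass
class VtpSwitch:
    name: str
    mode: str                            # "server", "client" or "transparent"
    domain: str = "CAMPUS"
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=dict)
    trunks: List["VtpSwitch"] = field(default_factory=list, repr=False)
    _relayed: Set[Tuple[str, int]] = field(default_factory=set, repr=False)

    def add_vlan(self, vid: int, name: str) -> None:
        """Local change: a server bumps its revision and advertises; a
        transparent switch changes only itself; a client is read-only."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode is read-only")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self) -> Optional[VtpUpdate]:
        """A server pushes its whole database out every trunk (as it does when
        a trunk comes up).  Clients and transparent switches originate nothing."""
        if self.mode != "server":
            return None
        update = VtpUpdate(self.domain, self.revision, dict(self.vlans))
        self._flood(update, source=None)
        return update

    def _flood(self, update: VtpUpdate, source: Optional["VtpSwitch"]) -> None:
        for peer in self.trunks:
            if peer is not source:
                peer.receive(update, source=self)

    def receive(self, update: VtpUpdate, source: "VtpSwitch") -> None:
        if update.domain != self.domain:
            return                                   # other domain: ignored
        if self.mode == "transparent":
            key = (update.domain, update.revision)
            if key not in self._relayed:             # relay once, never apply
                self._relayed.add(key)
                self._flood(update, source)
            return
        if update.revision > self.revision:
            # Server or client: a higher revision replaces the whole database,
            # whatever it contains.  This is the "poof" in the post.
            self.revision = update.revision
            self.vlans = dict(update.vlans)
            self._flood(update, source)


def connect(a: VtpSwitch, b: VtpSwitch) -> None:
    a.trunks.append(b)
    b.trunks.append(a)


def build_campus(all_transparent: bool) -> List[VtpSwitch]:
    """Constructed campus: core, dist, acc1, acc2 trunked in a chain.  Either
    one server plus synced clients, or everything transparent (hand-configured)."""
    production = {10: "users", 20: "servers", 30: "voice"}
    if all_transparent:
        campus = [VtpSwitch(n, "transparent", vlans=dict(production))
                  for n in ("core", "dist", "acc1", "acc2")]
    else:
        campus = [VtpSwitch("core", "server", revision=5, vlans=dict(production))]
        campus += [VtpSwitch(n, "client", revision=5, vlans=dict(production))
                   for n in ("dist", "acc1", "acc2")]
    for a, b in zip(campus, campus[1:]):
        connect(a, b)
    return campus


def plug_in_lab_switch(campus: List[VtpSwitch]) -> Dict[str, List[int]]:
    """A lab switch still in server mode, with a higher revision number and a
    different database, is trunked to the last access switch.  Returns each
    campus switch's VLAN IDs afterwards."""
    lab = VtpSwitch("lab", "server", revision=12, vlans={99: "lab-test"})
    connect(campus[-1], lab)
    lab.advertise()
    return {sw.name: sorted(sw.vlans) for sw in campus}


if __name__ == "__main__":
    print("server + clients :", plug_in_lab_switch(build_campus(False)))
    print("all transparent  :", plug_in_lab_switch(build_campus(True)))
```

Note that in the server-plus-clients run the core server is overwritten too: server mode accepts a higher revision just as a client does, so the only switches that keep their database are the transparent ones, which relay the update without applying it.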

Talk to you later…

– Joe

CCNA Lab Projects

Posted in Cisco Certification on June 2, 2011 by jjrinehart

I normally do not post more than once a day but wanted to get these documents back out there.  I have created another CCNA Lab Project that was an absolute blast to come up with.  It’s amazing what you can create with just a pen and paper while taking off in an airplane!

Here are the highlights:

  1. Simulated Metro-Ethernet Primary Network
  2. Internet Access at Remote Sites
  3. VPN/GRE Backup Network
  4. Multiple Routing Protocols
  5. A Few Mind Bending Twists Thrown In

Here are the links to the documents.  I deployed this in my own lab and will be compiling an answer key for #2.  Enjoy!

Project 1:

CCNA Lab Project Document 12-18-2010

Project 2:

** Just Added Project #3 **

– Joe

Invisible Networks (No Kidding), the World of Virtual LANs (VLANS), Part II

Posted in Cisco Certification on June 2, 2011 by jjrinehart

Words are funny things, and if you start using the word trunk at a cocktail party, people will probably look at you strangely, as it evokes images of luggage, large animals, or the back of an automobile (pictured above).  As I mentioned previously, this term comes from the telephony world, and it is worthy of a bit of explanation.  The analog line between a residential home and the central office is typically referred to as a local loop or subscriber loop and is designed to carry a single phone conversation.  These lines all terminate at the central office, and if the call is destined for someone else served by that office, a connection is made locally.  If the call is destined for another location, it is bundled together with other calls and sent over a single connection to another central office: multiple calls on a single line, which is essentially the definition of a trunk.  In the LAN switching world the principle is the same: if the destination is local, the switch passes the traffic out the correct port; otherwise, it is sent across a single connection to another switch or switches, and a trunk link carries multiple VLANs across a single line.

As you would see in looking at a compact car next to an SUV, all trunks are not created equal, and there are actually two types in the Cisco networking world.  These two types are Cisco’s InterSwitch Link (ISL) and the IEEE’s 802.1Q (dot1q), and each has its own distinctive characteristics.  Understanding the differences is a critical factor in both passing the CCNA exam and surviving in the real world of networking.

  1. ISL

To begin with, ISL is a Cisco-proprietary trunking protocol, meaning it will only work on Cisco switches.  If you operate a mixed environment, then ISL will not be your friend.  ISL (like some tunneling protocols) operates by taking the existing frame and wrapping it in a completely new frame and header.  This makes things simple when the header is stripped off at the destination switch/VLAN because the original frame is left intact (no FCS recalculations).  The VLAN ID is carried in the ISL header, and there is no concept of a native VLAN.  Pretty straightforward, right?

  2. 802.1Q

802.1Q (referred to as dot1q in command-line syntax) is an industry-standard trunking protocol, so all switches are able to use it.  Unlike ISL, 802.1Q inserts a VLAN tag into the existing frame, which requires that the FCS be recalculated when altering the frame.  The only exception to this is the native VLAN, which in plain English just means that the frame is left untouched, or more properly, untagged.
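The two trunking methods side by side, as an added example that is not code from the original post: the 802.1Q functions insert the 4-byte tag after the source MAC and recompute the FCS, leave native-VLAN frames untouched, and on receipt assign an untagged frame to the native VLAN (which is why both ends of a trunk must agree on it); the ISL functions wrap the whole original frame, FCS included, inside a new header and outer FCS. The MAC addresses and payload are constructed, and the ISL header here is a simplified stand-in carrying only a marker and the VLAN number, not the real 26-byte ISL layout.

```python
"""802.1Q tagging next to ISL encapsulation of one Ethernet frame, as the
post contrasts them.

Added example, not code from the original post.  MACs and payload are
constructed; the ISL header is a simplified stand-in (marker + VLAN number),
not the real 26-byte layout.  The point shown: ISL carries the original
frame, FCS included, untouched, while 802.1Q edits it and recomputes the FCS.
"""
import struct
import zlib
from typing import Tuple

DOT1Q_TPID = 0x8100
ISL_MARK = b"ISL!"   # constructed marker for the simplified header


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def dot1q_tag(frame: bytes, vid: int, native_vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag after the source MAC and recompute
    the FCS.  Native-VLAN frames leave untagged, i.e. byte-identical."""
    if vid == native_vid:
        return frame
    body = frame[:-4]
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)          # PCP(3) DEI(1) VID(12)
    tagged = body[:12] + struct.pack("!HH", DOT1Q_TPID, tci) + body[12:]
    return tagged + fcs(tagged)


def dot1q_receive(frame: bytes, native_vid: int) -> Tuple[int, bytes]:
    """Trunk ingress: return (VLAN the switch assigns, original untagged
    frame).  An untagged frame is assigned to the native VLAN."""
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("FCS mismatch")
    if struct.unpack("!H", body[12:14])[0] == DOT1Q_TPID:
        vid = struct.unpack("!H", body[14:16])[0] & 0xFFF
        inner = body[:12] + body[16:]
        return vid, inner + fcs(inner)
    return native_vid, frame


def isl_encapsulate(frame: bytes, vid: int) -> bytes:
    """Wrap the whole original frame (its FCS included) in a new header and
    add a new outer FCS; nothing inside is modified."""
    outer = ISL_MARK + struct.pack("!H", vid & 0x7FFF) + frame
    return outer + fcs(outer)


def isl_decapsulate(frame: bytes) -> Tuple[int, bytes]:
    """Strip the header and outer FCS; the inner frame is returned as sent."""
    if frame[:4] != ISL_MARK or fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("not a valid encapsulated frame")
    vid = struct.unpack("!H", frame[4:6])[0]
    return vid, frame[6:-4]


# Constructed sample: IPv4 ethertype, throwaway MACs, short payload.
SAMPLE = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                     0x0800, b"constructed payload")

if __name__ == "__main__":
    tagged = dot1q_tag(SAMPLE, 20, native_vid=1)
    print("802.1Q VLAN 20:", len(tagged), "bytes; FCS changed:", tagged[-4:] != SAMPLE[-4:])
    print("802.1Q native :", dot1q_tag(SAMPLE, 1, native_vid=1) == SAMPLE)
    print("802.1Q receive:", dot1q_receive(tagged, native_vid=1)[0])
    wrapped = isl_encapsulate(SAMPLE, 20)
    print("ISL inner frame intact:", SAMPLE in wrapped, "-> VLAN", isl_decapsulate(wrapped)[0])
```

Because untagged frames are simply handed to whatever native VLAN the receiving end is configured with, a mismatch in the native VLAN setting between the two trunk ends silently places those frames in the wrong VLAN; the receive function makes that assignment explicit rather than hiding it.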

Next, we will talk about a protocol that seems like a good idea on the surface, but can have disastrous consequences.  Just remember it’s not a bug, it’s a feature!

– Joe

Invisible Networks (No Kidding), the World of Virtual LANs (VLANS), Part I

Posted in Cisco Certification on May 31, 2011 by jjrinehart

As mentioned previously, LANs became the victims of their own success as more and more users were added, creating congestion, collisions, and such.  While the advent of Layer 2 switches solved most of those problems, there were still some issues just due to the nature of layer two devices, namely broadcasts.  If you recall our earlier discussions, a switch floods (sends out all ports except the originating one) unknown unicast, multicast, and broadcast traffic, which can still create congestion issues.  Only Layer 3 devices (e.g., L3 switches and routers) block broadcasts, giving rise to the term broadcast domain.

To segment networks, you can certainly build physically separate LAN segments, but it doesn’t take a math genius to see how pricey that option would quickly become.  This is essentially the thought process behind Virtual Local Area Networks, or VLANs, which are created logically rather than physically.  VLANs create logically separate (“invisible”) network segments on a switch, and even across switches, and thus contain broadcasts in that particular segment.  Aside from broadcast containment, they also have other advantages, as follows:

  1. Design Flexibility: Grouping users by location, function, departments, and such.
  2. Spanning Tree Simplicity: Limiting the use of STP (covered later).
  3. Security: Isolation of servers or sensitive network segments.
  4. IP Telephony: Separation of Voice and Data Traffic.
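The flooding and broadcast-containment behaviour described above, as an added example that is not code from the original post: a single switch that learns source MACs per VLAN and floods unknown unicast, multicast and broadcast frames only to the other ports of the same VLAN. The same walkthrough is run on a flat (single-VLAN) switch for comparison, which is the segmentation point of the post generalised to any port-to-VLAN assignment. The port assignments and MAC addresses are constructed.

```python
"""Per-VLAN MAC learning and flooding on one switch, modelling the
broadcast-domain point in the post.

Added example, not code from the original post.  The port-to-VLAN assignment
and the MAC addresses are constructed.
"""
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    def __init__(self, port_vlan: Dict[int, int]):
        self.port_vlan = dict(port_vlan)                 # access port -> VLAN
        self.mac_table: Dict[Tuple[int, str], int] = {}  # (VLAN, MAC) -> port

    def broadcast_domains(self) -> Dict[int, Set[int]]:
        """Each VLAN is its own broadcast domain: the ports a flood can reach."""
        domains: Dict[int, Set[int]] = {}
        for port, vlan in self.port_vlan.items():
            domains.setdefault(vlan, set()).add(port)
        return domains

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        """Egress ports for one frame.  Learn src on in_port, then: known
        unicast -> that port; unknown unicast, multicast or broadcast -> every
        other port in the same VLAN, and nothing in any other VLAN."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port
        out = self.mac_table.get((vlan, dst))
        if is_group_address(dst) or out is None:
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        return [] if out == in_port else [out]


# Constructed hosts and two 8-port switches: one segmented, one flat.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
SEGMENTED_PORTS = {**{p: 10 for p in range(1, 5)}, **{p: 20 for p in range(5, 9)}}
FLAT_PORTS = {p: 1 for p in range(1, 9)}


def walkthrough(sw: VlanSwitch) -> Dict[str, List[int]]:
    """A fixed sequence of constructed frames; returns each frame's egress ports.
    Hosts A and B sit on ports 1 and 2, host C on port 6."""
    return {
        "A(port1) broadcast":         sw.forward(1, HOST_A, BROADCAST),
        "B(port2) -> A (known)":      sw.forward(2, HOST_B, HOST_A),
        "B(port2) -> C (unknown)":    sw.forward(2, HOST_B, HOST_C),
        "C(port6) -> A (other VLAN)": sw.forward(6, HOST_C, HOST_A),
    }


if __name__ == "__main__":
    for label, ports in (("segmented", SEGMENTED_PORTS), ("flat", FLAT_PORTS)):
        sw = VlanSwitch(ports)
        print(label, "domains:", sw.broadcast_domains())
        for frame, egress in walkthrough(sw).items():
            print(f"  {frame:28s} -> {egress}")
```

On the segmented switch the last frame (host C in VLAN 20 addressed to host A's MAC) floods only ports 5, 7 and 8 and never reaches port 1, even though the switch already knows that MAC in VLAN 10; on the flat switch it is delivered straight to port 1. That difference is the isolation the post lists under Security.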

So if VLANs are so amazing, what are the drawbacks?  I have what I call three immutable laws of life, namely, it will always cost more than you think, it will always cost more than you think, and if it’s too good to be true, it probably is!  VLANs isolate networks at Layer 2, so the challenge is allowing them to communicate with one another, so if there is a catch, this is it.  A smart way to look at it is to consider the Hawaiian islands.

Why is living in Hawaii more expensive?  The simple answer is that it has to do with living on islands, namely that everything has to be shipped in from the mainland, and that traveling between islands requires more expensive transportation.  Someone wanting to travel from Oahu to Maui has to get on a plane or boat, it’s not simply a matter of jumping in a car and driving a few hours.  In the Florida Keys, this is accomplished through a series of very long bridges.

Think of VLANs as islands…isolated segments of the network that are self-contained and stand on their own.  For this to be communicated across multiple switches, a set of virtual connections (analogous to traveling between islands, whether by plane or bridge) has to be built, referred to as Trunks.  The term trunk comes from old world telephony, where specialized lines between central offices carried multiple conversations at once.  Next time, we will delve into the different types of trunks used on Cisco switches.

– Joe