2.1.d [ii] dot1Q

802.1Q tunneling enables service providers to use a single VLAN to support customers with multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling, which then becomes a tunnel VLAN. To keep customer traffic segregated, each customer requires a separate tunnel VLAN, but that one tunnel VLAN supports all of the customer’s VLANs.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1622-1626). Kindle Edition.
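An added example (not from the guide) that models, at the byte level, the tag push and pop that 802.1Q tunneling relies on: the customer's own tag stays inside the frame while the provider pushes and later pops the tunnel-VLAN tag. It also models the native-VLAN rule described under 2.1.d trunking below, where frames in the native VLAN cross the trunk untagged and untagged frames are assigned the receiving port's native VLAN, so it can show what a native VLAN mismatch does to a frame. The MAC addresses and payload are constructed; nothing touches a real interface.

```python
"""Added example, not from the CCIE guide: a byte-level model of 802.1Q tag
push/pop on a trunk, the 802.1Q tunnel (Q-in-Q) case, and native-VLAN handling.
All frames are constructed byte strings; nothing touches a real interface."""
from __future__ import annotations
import struct

TPID_DOT1Q = 0x8100   # 802.1Q customer tag
TPID_QINQ = 0x88A8    # 802.1ad service tag (Cisco tunnel ports may also use 0x8100 for the outer tag)
TAG_TPIDS = (TPID_DOT1Q, TPID_QINQ)

DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")   # constructed, locally administered MAC


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_DOT1Q) -> bytes:
    """Insert a 4-byte VLAN tag after the source MAC. This is what happens when a
    frame enters an access port and leaves on a trunk, or enters a tunnel port."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> tuple[int, bytes]:
    """Strip the outermost tag and return (vid, remaining frame)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def vlan_tags(frame: bytes) -> list[int]:
    """VIDs of every stacked tag, outermost first ([] for an untagged frame)."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] in TAG_TPIDS:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def trunk_egress(frame: bytes, vid: int, native_vlan: int) -> bytes:
    """Send a frame that belongs to `vid` out of an 802.1Q trunk: tagged,
    unless it is in the native VLAN, which goes out untagged."""
    return frame if vid == native_vlan else push_tag(frame, vid)


def trunk_ingress(frame: bytes, native_vlan: int) -> tuple[int, bytes]:
    """Classify a frame received on an 802.1Q trunk: tagged frames by their
    tag, untagged frames into the receiving port's native VLAN."""
    try:
        return pop_tag(frame)
    except ValueError:
        return native_vlan, frame


CUSTOMER = build_frame(DST, SRC, 0x0800, b"customer ip payload")


def qinq_roundtrip() -> tuple[int, list[int]]:
    """A customer VLAN 100 frame enters the provider's tunnel port (tunnel VLAN 200)
    and leaves at the far tunnel port; the customer tag must survive untouched."""
    c_tagged = push_tag(CUSTOMER, 100)
    in_tunnel = push_tag(c_tagged, 200, tpid=TPID_QINQ)    # provider adds the outer tag
    assert vlan_tags(in_tunnel) == [200, 100]              # outer = tunnel VLAN, inner = customer VLAN
    outer_vid, restored = pop_tag(in_tunnel)               # far-end tunnel port strips the outer tag
    return outer_vid, vlan_tags(restored)                  # (200, [100])


def native_vlan_mismatch() -> int:
    """Switch A (native 1) sends a VLAN 1 frame untagged; switch B's end of the
    trunk uses native 10, so B files the frame under VLAN 10. This is why the
    native VLAN must match on both ends."""
    on_wire = trunk_egress(CUSTOMER, vid=1, native_vlan=1)   # leaves A untagged
    vid_at_b, _ = trunk_ingress(on_wire, native_vlan=10)
    return vid_at_b                                           # 10


if __name__ == "__main__":
    print("Q-in-Q:", qinq_roundtrip())
    print("VLAN 1 frame lands in VLAN", native_vlan_mismatch(), "on the mismatched side")
```

`qinq_roundtrip()` returns `(200, [100])`: the tunnel VLAN is consumed by the provider and the customer's VLAN 100 tag comes out intact. `native_vlan_mismatch()` returns `10`: the same frame is in VLAN 1 on one switch and VLAN 10 on the other, which is the leak the "native VLAN should be the same on both switches" rule exists to prevent.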

2.1.d [i] VTPv1, VTPv2, VTPv3, VTP pruning

from: http://etherealmind.com/cisco-vtp-transparent-mode-discard-risk-transparent-client-server/

The Modes

A switch in VTP Server mode will always actively participate in sending and receiving VTP and synchronising the VTP data file, regardless of version.

A switch in VTP Client mode will always actively participate in VTP data file synchronisation, regardless of version.

A switch in VTP v1 Transparent Mode will not send or receive VTP data, nor participate in file synchronisation.

A switch in VTP v2 Transparent Mode will send and receive VTP data, but doesn't participate in VTP file synchronisation.

The only configurations that DO NOT pass VTP packets are a switch configured in VTPv1 Transparent Mode and a switch in VTPv3 off mode.

For VTPv3, the difference is much clearer. VTPv3 has four modes: server, client, transparent and off. The difference between transparent and off is the termination of received VTP messages instead of relaying them. With VTP version 3, off mode can be configured globally or on a per-port (for example, per-trunk) basis. The off mode was formerly only available with CatOS. The configuration of off on an interface will apply to all VTP instances.

Also note that VTPv3 will propagate VLANs above 1024, while VTPv1 & 2 do not. Another historical artefact.

2.1.d Implement and troubleshoot trunking

A trunk is a point-to-point link between one or more Ethernet switch ports and another network device, such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link thus allowing you to extend VLANs across an entire network.

Two trunking encapsulations are available, depending on the hardware:

● Inter-Switch Link Protocol (ISL)— ISL is a Cisco-proprietary trunking encapsulation

● IEEE 802.1Q— 802.1Q is an industry-standard trunking encapsulation

The Dynamic Trunking Protocol (DTP) manages trunk negotiation. DTP supports auto-negotiation of both ISL and 802.1Q trunks. In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN. The native VLAN packets are sent untagged on the trunk link. This way, you can determine to which VLAN a frame belongs when you receive a frame with no tag. The native VLAN should be the same on both switches configured for trunking.

By default, VLAN 1 is the native VLAN on all switches.

● In CatOS, the native VLAN can be changed by issuing the set vlan vlan-id mod/port command, where mod/port is the trunk port.

● In Cisco IOS Software, the native VLAN can be changed by issuing the switchport trunk native vlan vlan-id interface command which is configured on the trunk port.

On Catalyst switches running CatOS, use these commands to verify trunking:

● show port capabilities module/port

● show port module/port

● show trunk module/port

● show vtp domain

On Catalyst 6000 switches running Cisco IOS Software, use the following commands to verify trunking:

● show interfaces interface-type module/port trunk

● show vlan

In order to troubleshoot trunking, make sure that:

● the cable is connected and the correct type of cable is used

● the trunk is enabled on both interfaces

● the encapsulation at both ends uses the same protocol (802.1Q or ISL)

● there are no restrictions on either side of the trunk that prevent VLAN traffic

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1592-1603). Kindle Edition.
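An added example (not from the guide) that turns the troubleshooting checklist above into a check you can run: it parses the `show interfaces trunk` output captured on each end of one link and reports whether both ends are trunking, whether the encapsulation matches, whether the native VLAN matches, and which VLANs one side allows that the other does not. The two outputs are constructed samples in the IOS output format; the port names and VLAN numbers are invented for the example.

```python
"""Added example, not from the CCIE guide: compare the two ends of one trunk
from their `show interfaces trunk` output. Both captures below are constructed
samples in the IOS output format."""
from __future__ import annotations

SHOW_TRUNK_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
"""

SHOW_TRUNK_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/2       1,10,20

Port        Vlans allowed and active in management domain
Gi0/2       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       1,10,20
"""


def expand_vlans(spec: str) -> set[int]:
    """'1,10,20-22' -> {1, 10, 20, 21, 22}; 'none' -> empty set."""
    vlans: set[int] = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text: str) -> dict[str, dict]:
    """Return {port: {mode, encap, status, native, allowed}} from the first two
    tables of `show interfaces trunk`; the other two tables are ignored."""
    ports: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):                 # a table header
            if "Native" in line:
                section = "summary"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        if not line.strip() or section is None:
            continue
        fields = line.split()
        name = fields[0]
        if section == "summary":
            ports[name] = {"mode": fields[1], "encap": fields[2], "status": fields[3],
                           "native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and name in ports:
            ports[name]["allowed"] = expand_vlans(fields[1])
    return ports


def check_trunk(a: dict, b: dict) -> list[tuple]:
    """Compare the two ends of one trunk link and list what is wrong."""
    findings: list[tuple] = []
    for side, p in (("A", a), ("B", b)):
        if p["status"] != "trunking":               # e.g. both ends 'auto': DTP never forms the trunk
            findings.append(("not_trunking", side, p["mode"], p["status"]))
    # 'n-802.1q' means DTP negotiated the encapsulation; the protocol is still 802.1Q
    if a["encap"].removeprefix("n-") != b["encap"].removeprefix("n-"):
        findings.append(("encapsulation_mismatch", a["encap"], b["encap"]))
    if a["native"] != b["native"]:
        findings.append(("native_vlan_mismatch", a["native"], b["native"]))
    only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
    if only_a or only_b:                            # VLANs one side allows and the other drops
        findings.append(("allowed_vlan_mismatch", len(only_a), len(only_b)))
    return findings


def audit() -> list[tuple]:
    a = parse_show_trunk(SHOW_TRUNK_A)["Gi0/1"]
    b = parse_show_trunk(SHOW_TRUNK_B)["Gi0/2"]
    return check_trunk(a, b)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

On the sample captures `audit()` reports a native VLAN mismatch (1 versus 99) and 4091 VLANs allowed on side A that side B prunes at its end; the encapsulation is treated as matching because `n-802.1q` is just 802.1Q that DTP negotiated. The Mode column is the one to look at for hardening: a port left in `desirable` or `auto` will form a trunk with whatever DTP-speaking device is plugged in, so ports facing end hosts should be hard-set to access mode with `switchport nonegotiate`.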

2.1.c [iii] Normal, extended VLAN, voice VLAN

Normal, extended VLAN, voice VLAN

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. When a switch is in VTP transparent mode (VTP disabled), you can create extended-range VLANs (in the range 1006 to 4094).

A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device such as a PC attached to the phone.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1562-1565). Kindle Edition.

2.1.c [ii] VLAN database

VLAN database

When the switch is in VTP server or transparent mode, you can configure VLANs in the VLAN database mode. When you configure VLANs in VLAN database mode, the VLAN configuration is saved in the vlan.dat file, not the running-config or startup-config files. To display the VLAN configuration, enter the show running-config vlan CLI.

User-configurable VLANs have unique IDs from 1 to 4094. Database mode supports configuration of IDs from 1 to 1001, but not the extended addresses from 1006 to 4094. To create a VLAN, enter the vlan command with an unused ID. To verify whether a particular ID is in use, enter the show vlan id ID command. To modify a VLAN, enter the vlan command for an existing VLAN.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1552-1559). Kindle Edition.

2.1.c [i] Access ports

Implement and troubleshoot VLAN

Access ports
Ethernet interfaces can be configured either as access ports or as trunk ports. An access port can have only one VLAN configured on the interface, hence it can carry traffic for only one VLAN.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1550-1551). Kindle Edition.


2.1.b [ii] UDLD

Unidirectional Link Detection (UDLD) protocol can help to prevent forwarding loops and black holing of traffic in switched networks.

UDLD is a L2 protocol that works with the L1 mechanisms to determine the physical status of a link. At layer 1, auto-negotiation takes care of physical signaling and fault detection (FLP or fast link pulses are sent during auto-negotiation for copper Ethernet links). UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

UDLD works by exchanging protocol packets between the neighboring devices. In order for UDLD to work, both devices on the link must support UDLD and have it enabled on respective ports. Each switch port configured for UDLD sends protocol packets that contain the port’s own device/port ID, and the neighbor’s device/port IDs seen by UDLD on that port. Neighboring ports should see their own device/port ID (echo) in the packets received from the other side. If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional.

It is recommended to keep Tdetection < Treconvergence by choosing an appropriate message interval, which ensures that a unidirectional link is detected by UDLD before the STP forward delay expires.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1538-1545). Kindle Edition.
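An added example (not from the guide) that simulates the echo mechanism described above with both sides' probes: each port sends its own device/port ID plus the neighbor IDs it has learned, and a port whose own ID never comes back in the probes it receives declares the link unidirectional. The simulation also shows the difference between a side that hears probes without its echo and a side that hears nothing at all, which UDLD normal mode leaves alone and aggressive mode shuts down. Switch names, port names and the round counts are invented; the real message interval and retry counts are not modelled.

```python
"""Added example, not from the CCIE guide: a small simulation of the UDLD echo
mechanism. Timers are reduced to a count of message intervals; the real
protocol's intervals and retry counts are not modelled."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class UdldPort:
    device: str
    port: str
    aggressive: bool = False
    neighbors: set = field(default_factory=set)   # (device, port) IDs heard on this link
    no_echo_rounds: int = 0                        # intervals since our own ID last came back

    @property
    def my_id(self) -> tuple[str, str]:
        return (self.device, self.port)

    def probe(self) -> dict:
        """The UDLD packet this port sends: its own ID plus the echo of known neighbors."""
        return {"id": self.my_id, "echo": frozenset(self.neighbors)}

    def tick(self, pkt: dict | None) -> None:
        """One message interval: process the probe that arrived, or None if nothing did."""
        if pkt is not None:
            self.neighbors.add(pkt["id"])
            if self.my_id in pkt["echo"]:          # the neighbor hears us: link is bidirectional
                self.no_echo_rounds = 0
                return
        self.no_echo_rounds += 1

    def state(self, max_missed: int = 3) -> str:
        if self.neighbors and self.no_echo_rounds == 0:
            return "bidirectional"
        if self.no_echo_rounds < max_missed:
            return "undetermined"
        if self.neighbors:                          # we hear them, they never hear us
            return "unidirectional"
        # Nothing heard at all: normal mode leaves the port alone (it could be a
        # neighbor without UDLD); aggressive mode errdisables after the retries.
        return "unidirectional" if self.aggressive else "undetermined"


def simulate(a_to_b: bool, b_to_a: bool, rounds: int = 4, aggressive: bool = False) -> tuple[str, str]:
    """Run `rounds` message intervals over a link where each direction may be
    broken; return the (A, B) port states."""
    a = UdldPort("SwitchA", "Gi1/1", aggressive)
    b = UdldPort("SwitchB", "Gi1/1", aggressive)
    for _ in range(rounds):
        pkt_a, pkt_b = a.probe(), b.probe()       # both transmit before either processes
        b.tick(pkt_a if a_to_b else None)
        a.tick(pkt_b if b_to_a else None)
    return a.state(), b.state()


if __name__ == "__main__":
    print("healthy:         ", simulate(True, True))
    print("B->A dead:       ", simulate(True, False))
    print("B->A dead, aggr: ", simulate(True, False, aggressive=True))
```

With the B-to-A direction dead, B keeps receiving A's probes but never sees its own ID echoed, so B declares the link unidirectional; A hears nothing at all, which normal mode reports as undetermined and aggressive mode as unidirectional. The `max_missed` threshold is what the message interval tunes in practice: it has to be reached before the STP forward delay expires, or the blocked port on the far side can transition to forwarding first.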


2.1.b [i] CDP, LLDP

Implement and troubleshoot layer 2 protocols


Cisco Discovery Protocol (CDP) is a Cisco proprietary data link layer protocol. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.

Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol developed by the IEEE. It is used by network devices for advertising their identity, capabilities, and neighbors on a local area network, principally wired Ethernet.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1527-1529). Kindle Edition.


2.1.a [iii] L2 MTU

There are 3 types of MTU that can be configured on a switch:

● Layer-2 MTU that affects 10 and 100 Mbps interfaces of a switch. Configured by the system mtu {bytes} command in global config mode

● Layer-2 MTU that affects 1000 Mbps and higher speed interfaces of a switch. Configured by the system mtu jumbo {bytes} command in global config mode

● Layer-3 MTU that affects SVIs and routed interfaces of a switch with IP addresses on them, and originating or transit IP traffic that uses these interfaces as the gateway for routing between networks. Configured by the system mtu routing {bytes} command in global config mode

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1513-1521). Kindle Edition.

2.1.a [ii] errdisable recovery

Errdisable recovery

If the configuration shows a port as enabled, but software on the switch detects an error situation on the port, the software shuts down that port. In other words, the port is automatically disabled by the switch operating system software because of an error condition that is encountered on the port.

When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the amber and if you issue the show interfaces command, the port status shows err-disabled. Here is an example of what an error-disabled port looks like from the command-line interface (CLI) of the switch:

Switch# show interfaces gigabitethernet 4/1 status

Port    Name    Status         Vlan   Duplex   Speed   Type
Gi4/1           err-disabled   100    full     1000    1000BaseSX

Or, if the interface has been disabled because of an error condition, you can see messages that are similar to these in both the console and the syslog:


Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.

%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state

In order to recover a port from the errdisable state, first identify and correct the underlying cause, and then re-enable the port. If you re-enable the port before you fix the actual problem, the ports could just become error disabled again. After you fix the root problem, the ports are still disabled if you have not configured errdisable recovery on the switch. In this case, you must re-enable the ports manually.

Issue the shutdown command and then the no shutdown interface mode command on the associated interface in order to manually re-enable the ports.

Major reasons for errdisable are:

● EtherChannel misconfiguration

● Duplex mismatch

● BPDU port guard

● Link-flap error

● Loopback error

● Port security violation

● L2PT (Layer 2 protocol tunneling) guard

● Incorrect SFP cable

● 802.1X security violation

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1492-1509). Kindle Edition.
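An added example (not from the guide) that triages err-disabled ports the way the text describes: it pulls port and reason out of the %PM-4-ERR_DISABLE syslog messages, reads `show errdisable recovery` to see which reasons will recover on the timer, and emits the manual shutdown / no shutdown sequence only for the ports that will not. The syslog lines and the recovery table are constructed samples modelled on the IOS output formats (the first two messages are the ones quoted above); the extra ports and reasons are invented for the example.

```python
"""Added example, not from the CCIE guide: triage err-disabled ports from
syslog plus `show errdisable recovery`. The log lines and the command output
are constructed samples modelled on the IOS formats."""
from __future__ import annotations
import re

SYSLOG = """\
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state
%PM-4-ERR_DISABLE: link-flap error detected on Gi4/7, putting Gi4/7 in err-disable state
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi4/9, putting Gi4/9 in err-disable state
"""

# Constructed `show errdisable recovery` output: only link-flap recovery is enabled.
SHOW_ERRDISABLE_RECOVERY = """\
ErrDisable Reason            Timer Status
-----------------            --------------
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
l2ptguard                    Disabled
link-flap                    Enabled
loopback                     Disabled
pagp-flap                    Disabled
psecure-violation            Disabled
security-violation           Disabled
udld                         Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
"""

ERR_DISABLE_RE = re.compile(
    r"%PM(?:-SP)?-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),"
    r" putting \S+ in err-disable state")


def errdisabled_ports(syslog: str) -> dict[str, str]:
    """port -> reason, taken from the ERR_DISABLE messages (last one per port wins)."""
    return {m["port"]: m["reason"] for m in ERR_DISABLE_RE.finditer(syslog)}


def parse_recovery(text: str) -> dict[str, bool]:
    """reason -> True if errdisable recovery is enabled for that reason."""
    enabled: dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and parts[1] in ("Enabled", "Disabled"):
            # 'channel-misconfig (STP)' is keyed as 'channel-misconfig', matching the syslog reason
            enabled[parts[0].split()[0]] = parts[1] == "Enabled"
    return enabled


def triage(syslog: str, recovery: str) -> list[tuple[str, str, bool]]:
    """[(port, reason, auto_recovers)] for every err-disabled port seen in the log."""
    auto = parse_recovery(recovery)
    return [(port, reason, auto.get(reason, False))
            for port, reason in errdisabled_ports(syslog).items()]


def manual_reenable_commands(findings: list[tuple[str, str, bool]]) -> list[str]:
    """IOS interface commands for the ports that will not recover on their own.
    Run these only after the root cause is fixed, or the port just trips again."""
    cmds: list[str] = []
    for port, _reason, auto in findings:
        if not auto:
            cmds += [f"interface {port}", " shutdown", " no shutdown"]
    return cmds


if __name__ == "__main__":
    result = triage(SYSLOG, SHOW_ERRDISABLE_RECOVERY)
    for port, reason, auto in result:
        print(f"{port:8} {reason:20} {'auto-recovers' if auto else 'MANUAL'}")
    print("\n".join(manual_reenable_commands(result)))
```

On the samples, Gi4/7 (link-flap) comes back by itself after the 300-second timer, while Gi4/1 (bpduguard) and Gi4/9 (psecure-violation) stay down until someone issues the commands. That split is worth keeping deliberately: BPDU guard and port security trip because something unexpected showed up on an edge port, and enabling auto-recovery for those reasons simply reopens the port every timer interval, so treat a repeated ERR_DISABLE for the same port and reason as something to alert on rather than something to time out.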