
Afroz Ahmad

My Official Blog


Archive for June, 2011

STP RootGuard Feature

Root guard is useful in avoiding Layer 2 loops during network anomalies. The root guard feature forces an interface to become a designated port, which prevents surrounding switches from becoming root bridges.
Root guard-enabled ports are forced to be designated ports. If the bridge receives superior STP BPDUs on a root guard-enabled port, the port moves to the root-inconsistent STP state, which is effectively equivalent to the STP listening state, and the switch does not forward traffic out of that port. As a result, this feature enforces the position of the root bridge.
In the picture above:
• Switches A and B comprise the core of the network. Switch A is the root bridge.
• Switch C is an access layer switch. When Switch D is connected to Switch C, it begins to participate in STP. If the priority of Switch D is 0 or any value lower than that of the current root bridge, Switch D becomes the root bridge.
• Having Switch D as the root causes the Gigabit Ethernet link connecting the two core switches to block, so all the data flows via a 100-Mbps link across the access layer. This is obviously a terrible outcome.
• After the root guard feature is enabled on a port, the switch does not allow that port to become an STP root port.
• Cisco switches log the following message when a root guard-enabled port receives a superior BPDU:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.

The current design recommendation is to enable root guard on all access ports so that a root bridge cannot be established through these ports.
In this configuration, Switch C blocks the port connecting to Switch D when it receives a superior BPDU. The port transitions to the root-inconsistent STP state. No traffic passes through the port while it is in the root-inconsistent state.
When Switch D stops sending superior BPDUs, the port unblocks again and goes through the regular STP transitions of listening and learning, and eventually reaches the forwarding state. Recovery is automatic; no intervention is required.

Enable Root Guard on Switches A, B, and C on the following ports:

•Switch A (Distribution/Core): Any access port
•Switch B (Distribution/Core): Any access port
•Switch C (Access): Any access port including the port connecting to Switch D

The configuration is done as follows:

Switch(config)# interface FastEthernet 5/8

Switch(config-if)# spanning-tree guard root

Switch(config-if)# end

Switch# show running-config interface FastEthernet 5/8

Building configuration…

Current configuration: 67 bytes


interface FastEthernet5/8

switchport mode access

spanning-tree guard root


To check which ports are in the root-inconsistent state, use this command:

Switch# show spanning-tree inconsistentports

Name       Interface         Inconsistency
---------- ----------------- ----------------------

VLAN0001   FastEthernet3/1   Port Type Inconsistent

VLAN0001   FastEthernet3/2   Port Type Inconsistent

VLAN1002   FastEthernet3/1   Port Type Inconsistent

VLAN1002   FastEthernet3/2   Port Type Inconsistent

Number of inconsistent ports (segments) in the system :4

• Ports in the root-inconsistent state recover automatically, with no human intervention, after the port stops receiving superior BPDUs. The port goes through the listening state to the learning state, and eventually transitions to the forwarding state.
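As an added example (not code from the post), here is a small Python parser that pulls root guard events out of syslog lines in the format quoted above and reads the "show spanning-tree inconsistentports" table, so that an operations team can alert on ports sitting in the root-inconsistent state and see which VLANs are affected. The syslog lines and CLI output in the block are constructed samples; the rows reading "Root Inconsistent" are assumed to be how a root guard block appears in that table (the post's own sample only shows "Port Type Inconsistent" rows).

```python
import re
from collections import defaultdict

# Constructed sample syslog lines; the ROOTGUARDBLOCK format is the one quoted
# in the post, the LINK-3-UPDOWN line is unrelated noise that must be ignored.
SYSLOG = """\
Jun 13 10:02:11: %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.
Jun 13 10:02:12: %LINK-3-UPDOWN: Interface FastEthernet3/2, changed state to up
Jun 13 10:07:01: %SPANTREE-2-ROOTGUARDBLOCK: Port 3/1 tried to become non-designated in VLAN 1. Moved to root-inconsistent state.
"""

# Constructed sample of 'show spanning-tree inconsistentports'; the
# 'Root Inconsistent' rows are assumed to be what a root guard block looks like.
SHOW_INCONSISTENT = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             FastEthernet3/1          Root Inconsistent
VLAN0001             FastEthernet3/2          Port Type Inconsistent
VLAN0077             FastEthernet3/1          Root Inconsistent

Number of inconsistent ports (segments) in the system :3
"""

ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARDBLOCK: Port (?P<port>\S+) tried to become "
    r"non-designated in VLAN (?P<vlan>\d+)\."
)
ROW_RE = re.compile(r"^(?P<vlan>VLAN\d+)\s+(?P<intf>\S+)\s+(?P<kind>\S.*?)\s*$")


def parse_rootguard_events(syslog_text):
    """Return (port, vlan) for each root guard block event, in log order."""
    events = []
    for line in syslog_text.splitlines():
        m = ROOTGUARD_RE.search(line)
        if m:
            events.append((m.group("port"), int(m.group("vlan"))))
    return events


def parse_inconsistent_ports(show_text):
    """Parse the table rows into dicts; the header, separator and summary
    lines do not start with 'VLAN' and are skipped."""
    rows = []
    for line in show_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": m.group("vlan"),
                         "interface": m.group("intf"),
                         "inconsistency": m.group("kind")})
    return rows


def root_inconsistent_ports(rows):
    """Map each interface blocked by root guard to the VLANs it is blocked in."""
    by_port = defaultdict(list)
    for row in rows:
        if row["inconsistency"] == "Root Inconsistent":
            by_port[row["interface"]].append(row["vlan"])
    return dict(by_port)


if __name__ == "__main__":
    for port, vlan in parse_rootguard_events(SYSLOG):
        print(f"root guard blocked port {port} in VLAN {vlan}")
    blocked = root_inconsistent_ports(parse_inconsistent_ports(SHOW_INCONSISTENT))
    for intf, vlans in blocked.items():
        print(f"{intf} is root-inconsistent in {', '.join(vlans)}")
```

A repeated ROOTGUARDBLOCK for the same port is worth an alert in its own right: recovery is automatic, as the post says, but a port that keeps flapping into the root-inconsistent state means a device downstream keeps advertising a better bridge ID.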

3560/3550 Recovery Procedure

Connect a PC to the console port of the switch.

Use a terminal emulation program such as Microsoft Windows HyperTerminal in order to establish the console session. These are the settings:

  • Bits per second: 9600
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None


Step-by-Step Recovery Procedure

Use this solution to solve the problem.

Note: A PC must be attached to the console port of the switch.

1. If the switch is in a continuous reboot, complete the procedure in this step.

Note: If the switch is not in a continuous reboot, but is already at the switch: prompt, proceed directly to Step 2.

  • Catalyst 2970, 3550, 3560 and 3750 series switches:
    1. Unplug the power cord.
    2. Hold down the MODE button while you reconnect the power cable to the switch. The MODE button is on the left side of the front panel.
    3. Release the MODE button after the LED that is above Port 1x goes out. Note: The LED position can vary slightly, depending on the model.

    You are now at the switch: prompt.

2. Issue the flash_init command and the load_helper command.

  • If the Flash has already initialized, you see this:
    switch: flash_init
      Initializing Flash...
      ...The flash is already initialized.

    If the Flash has not initialized, you see this:

    switch: flash_init
    Initializing Flash...
    flashfs[0]: 21 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 4499456
    flashfs[0]: Bytes available: 3241984
    flashfs[0]: flashfs fsck took 7 seconds.
    ...done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4

    Issue the load_helper command in order to load any boot helper images. Here is an example:

    switch: load_helper

3. Issue the dir flash: command in order to view the contents of the Flash file system.

Determine if there are any Cisco IOS® image files or image directories in flash:. The Cisco IOS image files are .bin files, and the image directories are named with the image filename, excluding the .bin extension. If no Cisco IOS image files or image directories exist, you see this:

switch: dir flash:
Directory of flash:/
2    -rwx  5        <date>               private-config.text
3    -rwx  110       <date>               info
4    -rwx  976       <date>               vlan.dat
6    -rwx  286       <date>               env_vars
26   -rwx  1592      <date>               config.text
8    drwx  1088      <date>               html
19   -rwx  110       <date>               info.ver
4393472 bytes available (3347968 bytes used)
switch: !--- No Cisco IOS images or image directories exist in Flash. 

If your Flash directory looks like this, proceed directly to Step 4. Step 4 recovers the switch with an Xmodem file transfer.

If there is still an image in Flash, issue the boot command in order to try to recover the switch. Before you issue the boot command, verify where the Cisco IOS image is stored in the Flash directory. The location in which the image is stored can differ, which depends on your switch model.

  • Catalyst 2970, 3550, 3560, and 3750 Flash file system: The organization of the Flash file system on a Catalyst 2970, 3550, 3560, and 3750 is a little different. You can store the Cisco IOS image file in the flash: directory. However, if you use the Cluster Management Suite (CMS) image in order to manage switches with a web interface, you can store the Cisco IOS image file in its own directory. Issue the dir flash:directory command in order to display the image file in this case.
    switch: dir flash:
    Directory of flash:/
    2    -rwx  976       <date>               vlan.dat
    3    -rwx  386       <date>               system_env_vars
    4    -rwx  5         <date>               private-config.text
    6    -rwx  1554      <date>               config.text
    24   drwx  192       <date>               c3550-i5q3l2-mz.121-13.EA1
    !--- You can store the Cisco IOS image file in its own directory.
    !--- Name the directory with the image name, but exclude the .bin extension.
    42   -rwx  33        <date>               env_vars
    !--- Output suppressed.
    switch: dir flash:c3550-i5q3l2-mz.121-13.EA1
    !--- Issue the dir flash:<directory> command in order to view the Cisco IOS image file.
    Directory of flash:c3550-i5q3l2-mz.121-13.EA1/
    25   drwx  832       <date>               html
    40   -rwx  3993612   <date>               c3550-i5q3l2-mz.121-13.EA1.bin
    !--- This is where the Cisco IOS image file is stored for a CMS image.
    41   -rwx  252       <date>               info
    9992192 bytes available (6006784 bytes used)
    !--- This output is from a Catalyst 3550 switch. Output from a
    !--- Catalyst 2970, 3560, or 3750 varies slightly.

Attempt to Boot the Image

After you have verified where the Cisco IOS image file resides, try to boot the image. Issue either the boot flash:filename command or the boot flash:directory/filename command.

  • Catalyst 3560

switch: boot flash:c3560-i5q3l2-mz.121-13.EA1/c3560-i5q3l2-mz.121-13.EA1.bin
!--- This example uses the boot flash:<directory>/<filename> command on a 3550.
Loading "flash:c3560-i5q3l2-mz.121-13.EA1/c3560-i5q3l2-mz.121-13.EA1.bin"...####

!--- Output suppressed.
!--- This command syntax is the same for Catalyst 2970, 3560, and 3750
!--- series switches.

If you issue the boot command and it results in a successful bootup, either the default switch> prompt or the hostname> prompt displays.

Press RETURN to get started!
 !--- The bootup was successful. 

Be sure to verify that you have configured the correct boot statement on the switch.

If you issue the boot command and the command does not result in a successful bootup, either the switch: prompt displays or you are stuck in a continuous reboot again. The only option to recover the switch is an Xmodem file transfer. Step 4 covers this file transfer.

4. If the boot command has failed or there is no valid image from which to boot in Flash, perform an Xmodem file transfer.

A typical Xmodem file transfer can take up to 2 hours, depending on the image size.

Note: Do not use a CMS image (.tar file). This image is a larger image and takes longer to transfer.

Issue the dir flash: command in order to compare the size of the image in bytes to the free space that remains in Flash. Here is an example:

switch: dir flash:
Directory of flash:/ 
!--- Output suppressed.
3132928 bytes available (4608512 bytes used)
!--- There are approximately 3 MB of Flash space available for a new image.

If necessary, issue the delete command in order to delete any corrupt images that remain. Here is an example:

switch: delete flash:c2950-i6q4l2-mz.121-12c.EA1.bin
!--- Issue the delete flash:<filename> command in order to delete a Cisco IOS image.
Are you sure you want to delete "flash:c2950-i6q4l2-mz.121-12c.EA1.bin" (y/n)? y
!--- Enter y for yes if you want to delete the image.
File "flash:c2950-i6q4l2-mz.121-12c.EA1.bin" deleted
switch:

The next example shows an Xmodem procedure on a 2955 with the use of HyperTerminal. The procedure is the same for any of the Catalyst fixed configuration switches that this document covers.

  • Issue the copy xmodem: flash:filename command on the switch. Here is an example:
    switch: copy xmodem: flash:c2955-i6q4l2-mz.121-13.EA1.bin
    Begin the Xmodem or Xmodem-1K transfer now...
  • From the top of the HyperTerminal window, choose Transfer > Send File.
  • Choose the Xmodem protocol in the Send File dialog box and click Browse in order to select the Cisco IOS image (.bin file) that you downloaded previously.
  • Click Send in order to begin the Xmodem transfer.


The Xmodem file transfer begins. This transfer can take up to 2 hours, which depends on the size of the image.

    CCCCCCC.......................................................................
    ...............................................................................
    !--- Output suppressed.
    File "xmodem:" successfully copied to "flash:c2955-i6q4l2-mz.121-13.EA1.bin"
    !--- If the Xmodem file transfer fails for some reason, restart the process.
    !--- If the Xmodem file transfer is successful, you return to the switch: prompt.
  • Boot the new image that you just copied over with the Xmodem procedure. Issue the boot flash:filename command, as this example shows:
    switch: boot flash:c2955-i6q4l2-mz.121-13.EA1.bin
    Loading "flash:c2955-i6q4l2-mz.121-13.EA1.bin"...###############################
     !--- Output suppressed. 
    Press RETURN to get started!
     !--- The bootup was successful. 

    Be sure to verify that your boot statements are set correctly.

How to Speed Up Xmodem Recovery

When a user tries to recover the switch from a corrupted or missing IOS, the copy xmodem: flash:[IOS filename] command might not be displayed under the switch: prompt. The copy command might be displayed under the switch: prompt, but not the copy xmodem: command.

Complete these steps in order to speed up the Xmodem recovery:

  1. Set the baud rate to 115200 on the switch: prompt.
    switch: set BAUD 115200
     !--- The screen goes blank after you enter this command. 
  2. Restart HyperTerminal.
  3. Under COM PORT properties, select the bits per second as 115200. The switch: prompt is displayed.
  4. Start the Xmodem recovery.
  5. After the Xmodem recovery, set the BAUD rate back to 9600. If the set BAUD 9600 command does not bring the baud rate to 9600, issue the unset BAUD command in order to bring the baud rate to a default value of 9600 bps.


Complete these steps:

  1. Issue the show version command in order to verify the current version of software that you run. Here is an example:

2955#show version

Cisco Internetwork Operating System Software IOS ™

C2955 Software (C2955-I6Q4L2-M),

Version 12.1(13)EA1, RELEASE SOFTWARE
!--- This is the current version of software.

  2. Issue the dir flash:filename command in order to display the Cisco IOS image (.bin file) on a Catalyst 2940, 2950 or 2955.
2950#dir flash: 
Directory of flash:/ 
3 -rwx 5 Mar 01 1993 00:12:55 private-config.text 
4 -rwx 2905856 Jan 01 1970 03:06:25 c2955-i6q4l2-mz.121-13.EA1.bin 
!--- The Cisco IOS image (.bin file) is stored in flash: on a Catalyst 2940, 2950 or 2955.
!--- Output suppressed.

If you run a CMS image on a Catalyst 2970, 3550, 3560, or 3750, you can store the Cisco IOS image in an image directory. Here is an example:

3550#dir flash:
Directory of flash:/
2  -rwx         976   Mar 01 1993 21:47:00  vlan.dat
4  -rwx           5   Mar 06 1993 23:32:04  private-config.text
6  -rwx        1554   Mar 06 1993 23:32:04  config.text
7  drwx         192   Mar 01 1993 00:14:02  c3550-i5q3l2-mz.121-13.EA1 
!--- Notice the "d" for directory in the permission statement. This is an image
!--- directory that is installed when you upgrade the switch with a CMS image.
!--- The Cisco IOS image (.bin file) is inside this directory.
5  -rwx     3823261   Mar 01 1993 00:46:01  c3550-i5q3l2-mz.121-12c.EA1.bin
!--- This is another Cisco IOS image (.bin file).
8  -rwx          33   Mar 01 1993 00:14:06  env_vars
9  -rwx         384   Mar 01 1993 00:14:06  system_env_vars
15998976 bytes total (6168576 bytes free)
!--- This output is from a Catalyst 3550 switch. Output from a
!--- Catalyst 2970, 3560, or 3750 varies slightly.

You may need to issue the dir flash:directory command on a Catalyst 3550 in order to display the Cisco IOS image (.bin file). Here is an example:

3550#dir flash:c3550-i5q3l2-mz.121-13.EA1
Directory of flash:/c3550-i5q3l2-mz.121-13.EA1/
23  drwx         832   Mar 01 1993 00:12:00  html
40  -rwx     3993612   Mar 01 1993 00:14:02  c3550-i5q3l2-mz.121-13.EA1.bin
41  -rwx         252   Mar 01 1993 00:14:02  info
15998976 bytes total (6168576 bytes free)
!--- This output is from a Catalyst 3550 switch. Output from a
!--- Catalyst 2970, 3560, or 3750 varies slightly.
  3. Issue the show boot command in order to verify that the boot statement is set correctly. Here is an example:
    Switch#show boot
    BOOT path-list:
    !--- No boot system statement is set in this case.
    !--- Output suppressed.

Note: Boot statements do not display in the configuration or when you issue the show run command on any of the fixed configuration switches that this document covers. You must issue the show boot command in order to display boot statements.

If no boot statement is set or if the boot statement points to an old or missing version of software, configure the correct boot statement. Issue the boot system flash:filename command.

2955#configure terminal
2955(config)#boot system flash:c2955-i6q4l2-mz.121-13.EA1.bin
!--- This is how to set a boot system statement on a Catalyst 2940, 2950, or 2955.
2955#show boot
BOOT path-list:       flash:c2955-i6q4l2-mz.121-13.EA1.bin
 !--- Output suppressed. 

If you use a CMS image on a Catalyst 2970, 3550, 3560, or 3750, you can store the Cisco IOS image (.bin file) in its own image directory. Issue the boot system flash:directory/filename command. Here is an example:

3550#configure terminal
3550(config)#boot system flash:c3550-i5q3l2-mz.121-13.EA1/c3550-i5q3l2-mz.121-13.EA1.bin
!--- This command should be on one line.
!--- This is how to set a boot system statement on a Catalyst 3550
!--- if the Cisco IOS image (.bin file) is in its own image directory.
3550#show boot
BOOT path-list: flash:c3550-i5q3l2-mz.121-13.EA1/c3550-i5q3l2-mz.121-13.EA1.bin
!--- Output suppressed.

Configure Replace


If you want to replace your running configuration with a configuration saved in your router's flash: memory, you can simply follow this procedure.

First, check the files available in the router's flash: memory by issuing the command:

R1#dir flash:
Directory of flash:/

1  -rw-        1241  Feb 14 2011 17:19:34 +00:00  _DO_NOT_DELETE_baseconfig
2  -rw-    59478200   Sep 7 2010 22:50:24 +00:00  c2800nm-adventerprisek9-mz.124-24.T3.bin
3  -rw-    64652888   Sep 7 2010 23:00:30 +00:00  c2800nm-adventerprisek9-mz.151-2.T1.bin
4  drw-           0  Mar 31 2009 17:35:40 +00:00  ips
11  -rw-    59491364   Oct 6 2010 18:32:50 +00:00  c2800nm-adventerprisek9-mz.124-24.T4.bin
12  -rw-        2290  Jan 30 2011 17:50:32 +00:00  r1
13  -rw-    61731904  Jan 13 2010 17:40:32 +00:00  c2800nm-adventerprisek9-mz.150-1.M1.bin
14  -rw-        4326  Jan 26 2011 22:39:10 +00:00  r2
15  -rw-    59455672  Feb 17 2010 16:39:38 +00:00  c2800nm-adventerprisek9-mz.124-24.T2.bin
16  -rw-        1652   Apr 7 2011 19:27:20 +00:00  Nedumpillil
17  -rw-        1785  Mar 13 2011 02:51:50 +00:00  scsosna
18  -rw-        2540  Jun 12 2011 05:55:06 +00:00  Rack1R1
19  -rw-        1970  May 22 2011 13:09:20 +00:00  ice.txt
20  -rw-        2271  Jun 11 2011 19:06:52 +00:00  13.txt
21  -rw-         600   Jun 2 2011 15:45:14 +00:00  vlan.dat

1054457856 bytes total (749060096 bytes free)

Suppose you want to replace your running configuration with the Rack1R1 file stored in flash:.
Just follow the method below:

R1#configure replace flash:Rack1R1
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: Yes

Total number of passes: 0
Rollback Done


Note: The prompt before was R1#, and after the rollback the prompt is Rack1R1#.

This is sometimes very useful. Suppose you have applied a wrong QoS configuration and now want to roll back to your old configuration; just type:

Rack1R1#configure replace nvram:
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: Yes

Total number of passes: 0
Rollback Done


Note: If you have already saved the bad configuration to nvram:, this command cannot roll it back, because nvram: now holds the same bad configuration, and you have to clean up your mess manually.
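Here is an added Python sketch (not the IOS implementation and not code from the post) of what "This will apply all necessary additions and deletions" means: it parses two IOS-style configurations into top-level commands with their indented sub-commands, then emits the "no" commands and additions needed to turn the running configuration into the target. It is a simplified model: it handles one level of indentation and does not know that some commands (such as hostname) replace rather than accumulate, so it removes and re-adds them. The sample configurations are constructed; the archived one plays the role of flash:Rack1R1.

```python
def parse_config(text):
    """Map each top-level command to the list of its indented sub-commands.
    Comment lines ('!') and blank lines are ignored; indentation deeper than
    one level is flattened (a simplification of real IOS structure)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"indented line without a parent: {raw!r}")
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def replace_commands(running_text, target_text):
    """Commands that turn the running configuration into the target one."""
    running = parse_config(running_text)
    target = parse_config(target_text)
    cmds = []
    # Deletions: top-level commands (with their whole sub-block) only in running.
    for parent in running:
        if parent not in target:
            cmds.append("no " + parent)
    # Additions and per-section changes, in the order of the target file.
    for parent, wanted in target.items():
        have = running.get(parent)
        if have is None:
            cmds.append(parent)
            cmds.extend(" " + line for line in wanted)
            continue
        removed = [line for line in have if line not in wanted]
        added = [line for line in wanted if line not in have]
        if removed or added:
            cmds.append(parent)
            cmds.extend(" no " + line for line in removed)
            cmds.extend(" " + line for line in added)
    return cmds


# Constructed running configuration with a mistaken QoS policy applied.
RUNNING = """\
hostname R1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 service-policy output BAD-QOS
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip access-list standard MGMT
 permit 10.0.0.0 0.255.255.255
"""

# Constructed archived configuration, standing in for flash:Rack1R1.
RACK1R1 = """\
hostname Rack1R1
!
interface FastEthernet0/0
 description To-R2
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(replace_commands(RUNNING, RACK1R1)))
```

Note that nothing in the archived file is treated as a partial change: the MGMT access list disappears because the target does not mention it, which is exactly the "assumed to be a complete configuration, not a partial configuration" warning in the prompt above.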

eBGP Peering

Jun 13


We can peer with a device in another Autonomous System using eBGP.
The AD (administrative distance) for eBGP peers is 20.
By default the time-to-live (TTL) is set to 1 for eBGP sessions.
If an eBGP session is configured between two non-directly connected peers, the TTL
must be increased or manipulated.
This also applies when a loopback interface is used to connect two eBGP neighbors.
The common way to increase the eBGP TTL is the command "ebgp-multihop [TTL value]".

There are three ways to manipulate the TTL field in eBGP sessions.

The syntax for eBGP peering with loopback interfaces is as follows.
Suppose here in the figure R1 is in AS 100 and R2 is in AS 200, and we want to establish
connectivity using their respective loopbacks.
R1(config)#router bgp 100
R1(config-router)#neighbor remote-as 200
R1(config-router)#neighbor update-source loopback0
R1(config-router)#neighbor ebgp-multihop 2

For R2:
R2(config)#router bgp 200
R2(config-router)#neighbor remote-as 100
R2(config-router)#neighbor update-source loopback0
R2(config-router)#neighbor ebgp-multihop 2

In the above scenario the "update-source loopback0" command is used because
we are peering between loopback interfaces; by default BGP uses the connected
interface as the update source, so if we had not changed the source of the BGP
packets it would have used the FastEthernet interface.
We have also used "ebgp-multihop 2" because the router counts the loopback interface
as a hop: the first hop is from the R1 FastEthernet to the R2 FastEthernet, and the second
hop is the R2 loopback0 interface. That is why "ebgp-multihop 2" is used.
If we had not specified the hop count (2) in the "ebgp-multihop" command, BGP would
have used the maximum hop count of 255.

There are two more ways to manipulate the TTL field in eBGP; the first, "ebgp-multihop",
is described above.
The second is the "disable-connected-check" feature, mostly used where the eBGP
session between two devices is routed over another transit router. The syntax is:
R2(config-router)#neighbor disable-connected-check

The third option is "ttl-security hops [hop count]". The syntax is:
R2(config-router)#neighbor ttl-security hops 2
When the "ttl-security" feature is enabled, BGP establishes and maintains
the session only if the TTL value in the IP packet header is equal to or greater
than the TTL value configured for the peering session. If the value is less than
the configured value, the packet is silently discarded and no Internet Control
Message Protocol (ICMP) message is generated. This feature is both effective and
easy to deploy.
In the above example we are telling the router that the TTL must be equal to
or greater than 2 to establish the eBGP peering; if the TTL is less than 2 the
neighborship will not form.
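To make the difference between ebgp-multihop and ttl-security concrete, here is an added Python model (not from the post) of a BGP packet crossing intermediate routers on its way to the peer. It follows the GTSM definition in RFC 5082, which is what ttl-security implements: the sender starts at TTL 255 and the receiver accepts only packets whose TTL on arrival is at least 255 minus the configured hop count, so the hop count bounds how far away a valid packet can have originated, while ebgp-multihop only raises the sender's TTL and the receiver accepts whatever arrives. disable-connected-check is not modeled because it changes a local check on the router rather than the TTL on the wire. The topology, hop counts and packets are constructed.

```python
MAX_TTL = 255


def transit(ttl, routers_crossed):
    """Every intermediate router decrements the TTL and discards the packet
    when it reaches 0 (RFC 791). Returns the arrival TTL, or None if dropped."""
    for _ in range(routers_crossed):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def sender_ttl(mode, hops):
    """Initial TTL the BGP speaker puts on its packets for each option."""
    if mode == "default":            # plain eBGP: TTL 1, directly connected peers only
        return 1
    if mode == "ebgp-multihop":      # neighbor ... ebgp-multihop <hops>
        return hops
    if mode == "ttl-security":       # neighbor ... ttl-security hops <hops>
        return MAX_TTL               # GTSM senders always start at 255
    raise ValueError(f"unknown mode {mode}")


def receiver_accepts(mode, hops, arrival_ttl):
    """Receiver-side check. Only ttl-security inspects the TTL: the packet must
    not have been decremented more than <hops> times; anything else is
    silently discarded, with no ICMP reply, as the post describes."""
    if arrival_ttl is None:
        return False
    if mode == "ttl-security":
        return arrival_ttl >= MAX_TTL - hops
    return True


def session_comes_up(mode, hops, routers_crossed):
    """Does a legitimate peer <routers_crossed> routers away get through?"""
    arrival = transit(sender_ttl(mode, hops), routers_crossed)
    return receiver_accepts(mode, hops, arrival)


def distant_forged_packet_accepted(mode, hops, initial_ttl, routers_crossed):
    """A forged packet from a host further away than the real peer: that host
    picks its own initial TTL, but every router on the path still decrements it,
    which is the property ttl-security relies on."""
    arrival = transit(initial_ttl, routers_crossed)
    return receiver_accepts(mode, hops, arrival)


if __name__ == "__main__":
    # The post's scenario with a hop count of 2, peer one router away.
    for mode in ("default", "ebgp-multihop", "ttl-security"):
        print(f"{mode:14} peer 1 router away: {session_comes_up(mode, 2, 1)!s:5} "
              f"forged packet from 10 routers away: "
              f"{distant_forged_packet_accepted(mode, 2, MAX_TTL, 10)}")
```

The last column is the operational point: with ebgp-multihop, a packet that has crossed ten routers is still accepted and can reach the BGP process, whereas with ttl-security it arrives at TTL 245, below the required 253, and is dropped before BGP ever sees it.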

Dot1x Authentication

Recently I configured Dot1x authentication in my network and
thought of posting it on my blog.
It is a cool feature. With Dot1x authentication we can provide added security
at the access layer switches of the network. It uses username and password based
authentication, and takes the username and password list from either a RADIUS server
or a TACACS server.
First we need to issue the global command "aaa new-model" to enable AAA, which
is essential for Dot1x authentication.
Next we need to issue "aaa authentication login default none"; here the "default"
list enables the AAA process for all interfaces and lines of the device.
Next we need to tell the router to use the RADIUS server's username and password list
for Dot1x authentication, which we do simply by issuing the "aaa authentication dot1x
default group [radius|tacacs+]" command.
To define the RADIUS server or TACACS server parameters such as host and key,
we use the radius-server or tacacs-server commands in global configuration
mode; you can see the available options with:
SWITCH(config)#[radius-server|tacacs-server] ?
Additionally, to force the router/switch to source RADIUS or TACACS packets from
a single interface instead of relying on the outgoing interface from the routing table,
we can issue the command:
SWITCH(config)#ip [tacacs|radius] source-interface [name of the interface]

Now for the Dot1x part we need to enable this feature by issuing "dot1x system
auth-control" in global configuration mode (prior to the 12.4(14)EA1 IOS release this
command was not required).
Next the Dot1x feature must be enabled on a per-interface basis by the interface
level command:
SWITCH(config-if)#dot1x port-control [mode]
Here mode is one of three types: auto, force-authorized, or force-unauthorized.
Auto means Dot1x is enabled for username and password authentication.
Force-authorized is the default mode and indicates that authorization is not
Force-unauthorized dictates that the client can never access the network through
this port.
NOTE: In some switch IOS versions, like the Version 12.2(55)SE I am using here,
although the command "dot1x port-control auto" is accepted by the switch in interface
configuration mode, it shows up as "authentication port-control auto", so it is better
to use "authentication port-control [mode]" to define our different dot1x port-control
modes; I think Cisco is deprecating this command.

We also need to issue "switchport mode access" followed by "switchport
access vlan [vlan number]"; in the figure we are configuring Dot1x
authentication for the clients in Vlan2 and Vlan3.

Finally we can check our configuration with the commands:
SWITCH#show dot1x all
SWITCH#show aaa servers

QinQ Tunneling


This method is basically used by service providers to preserve VLAN IDs and to segregate
the traffic of different customers. It enables a service provider to use a single VLAN to support
different customers, each of which needs to connect one or multiple VLANs across the provider network.

A few things to remember while configuring a QinQ tunnel:
A tunnel port must be defined and assigned to a VLAN. Different customers must be assigned to
different tunnel ports, and different tunnel ports must be configured in different provider
VLANs to keep the traffic of different customers segregated.
When a given tunnel port receives customer traffic, it adds a 2-byte EtherType field
of 0x8100 followed by a 2-byte field containing the CoS and the VLAN ID, and then this traffic is
put into the VLAN to which the tunnel port is assigned. The egress tunnel port strips off the
4 bytes that were added by the ingress tunnel port and then transmits the traffic to the
customer device. You can recall MPLS label imposition and disposition to understand this
concept, as I did.
When dot1q tunneling is configured, Layer 2 protocol tunneling can also be configured. Layer 2
protocol tunneling allows Layer 2 PDUs (Protocol Data Units) to be tunneled through
the network. The Layer 2 protocols that can be tunneled are CDP, STP, and VTP, and they need
to be configured explicitly or else they will NOT get propagated across the tunnel.
Note: Don't forget to increase the system MTU to support at least 1504 bytes ("system mtu 1504")
and then reload the switch for the change to take effect.


In this diagram, notice that Customer A is sending VLANs 1 - 50 over the metro Ethernet link to the provider network, where it crosses the provider network and is able to communicate on the other end with its remote switch.
Similarly, Customer B is sending VLANs 1 - 100 over its metro Ethernet links. The traffic of both customers is kept separate with the use of Q-in-Q.
The provider switch ports connecting to the customer switches are configured not as trunks, while the customer switches are configured as trunk ports; this is why the provider end of the link is called an asymmetric port: the provider port is configured as a tunnel port and not a trunk port. Also note that the provider switch port connecting to the Customer A switch port is configured in VLAN 25, which is also called the metro Ethernet tag. Similarly, the metro Ethernet tag for Customer B is VLAN 50. Customers build standard 802.1Q trunk ports and the provider builds a tunnel port with the VLAN tag, so the customer traffic is identified by this additional Q tag. Notice that the metro VLAN tag is the same at each of the same customer's locations and is different for each customer, identifying each customer's locations.
Provider edge switches treat everything that comes in on the tunnel port as untagged, even if the customer is sending tagged traffic, and by default the priority tag is set to 0.
Notice that when 802.1Q trunks are used in the provider network, the native VLAN of these trunks cannot be the same as the native VLAN on any tunnel port, to avoid double tagging of customer traffic. Providers can use a native VLAN that is not being used by any of the customers, but this can cause issues later when a new or existing customer changes their VLANs to one that matches this native VLAN, so the other two choices in the provider network are either to use ISL trunks (possible only if the provider has all Cisco switches) or to tag the native VLAN on all provider edge switches with the command "vlan dot1q tag native".

A few things to remember about provider tunnel ports:
1. Tunnel ports cannot be routed.
2. If SVIs are used, then only untagged frames (native VLAN frames) sent by the customer will be routed.
3. When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface, so we need to tunnel CDP manually. STP and VTP will also not work across the tunnel unless tunneled with the command "l2protocol-tunnel [cdp|vtp|stp]".
4. Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports.
5. Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link Detection (UDLD) are supported on IEEE 802.1Q tunnel ports.

Note: When using Q-in-Q, increase the MTU of the frames: because of the additional tag the Ethernet frame size increases, so it is recommended to increase the system MTU to at least 1504 bytes ("system mtu 1504") and reload the switch for the change to take effect.
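As an added example (not the post's own material), here is a Python model of what the ingress and egress tunnel ports do to a frame, as described above: the ingress side inserts the 4-byte 802.1Q header (EtherType 0x8100 and a TCI holding the CoS bits and VLAN ID, with CoS 0 by default as on a tunnel port) after the source MAC, and the egress side strips the outermost tag again. It also shows how the frame grows by 4 bytes per tag, which is where the 1504-byte system MTU comes from. MAC addresses and payload are constructed, and the MTU helper assumes that the switch's base MTU of 1500 already allows for one customer tag.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses and a maximum-size (1500-byte) IPv4 payload.
CUSTOMER_DST = bytes.fromhex("001122334455")
CUSTOMER_SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 1499


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame (without FCS): 6 + 6 + 2 bytes of header."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vlan, cos=0):
    """Ingress tunnel port: insert EtherType 0x8100 plus a TCI
    (3 bits CoS, 1 bit DEI, 12 bits VLAN ID) right after the source MAC."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= cos <= 7:
        raise ValueError("CoS out of range")
    tci = (cos << 13) | vlan
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def pop_tag(frame):
    """Egress tunnel port: strip the outermost 4 bytes the ingress port added.
    Returns (vlan, cos, frame_without_that_tag)."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype != ETHERTYPE_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return tci & 0x0FFF, (tci >> 13) & 0x7, frame[:12] + frame[16:]


def tag_stack(frame):
    """(vlan, cos) of every tag on the frame, outermost (provider) first."""
    tags, offset = [], 12
    while struct.unpack("!H", frame[offset:offset + 2])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((tci & 0x0FFF, (tci >> 13) & 0x7))
        offset += 4
    return tags


def required_system_mtu(frame):
    """System MTU needed to carry the frame, assuming (as on the Catalyst
    switches the post discusses) that the 14-byte header and one 802.1Q tag
    are already accounted for: a 1500-byte payload with a customer tag and a
    provider tag on top comes out at 1504."""
    return len(frame) - 14 - 4


if __name__ == "__main__":
    customer = push_tag(build_frame(CUSTOMER_DST, CUSTOMER_SRC, ETHERTYPE_IPV4, PAYLOAD), 30, cos=5)
    provider = push_tag(customer, 25)          # metro tag VLAN 25, CoS 0 as on a tunnel port
    print("tags outermost first:", tag_stack(provider))
    print("sizes:", len(customer), "->", len(provider), "system mtu:", required_system_mtu(provider))
    vlan, cos, inner = pop_tag(provider)
    print("egress strips VLAN", vlan, "CoS", cos, "customer frame intact:", inner == customer)
```

The inner tag is never inspected by the provider switch, which is the "treat everything as untagged" behaviour described above; the customer's own VLAN 30 and CoS 5 come out of the far end exactly as they went in.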

Q-in-Q Tunneling and L2TP Configuration

Below is the diagram we will use to configure a very simple Q-in-Q sample network.

Customer switches C1-SW1 and C1-SW2 (the configuration is identical on both):

Configuration of the customer ports connecting to the provider edge switches:
interface GigabitEthernet0/1
 description To-Provider
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

Customer VLANs: VLANs 10,11,12,13,14,15,16

Customer SVIs:
interface Vlan10
 ip address

Provider switches P1-SW1 and P1-SW2 (the configuration is identical on both):

Trunk ports between the provider switches:
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

Only VLAN on the trunk: Vlan 15

Q-in-Q and L2TP configuration of the provider edge switches:
interface GigabitEthernet0/1
 description To-Cust1
 switchport access vlan 15
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable


Some of the things like pictures are copied from the internet due to the non-availability of the appropriate tool, as I am sitting in my office right now; still, I hope this will be informative.

MPLS Terminologies

>MPLS:- MPLS grew out of Cisco's Tag Switching. Tag Switching was Cisco proprietary
and therefore usable only in a Cisco-only network, so the IETF standardized a similar
(not identical) protocol built on the same idea and named it MPLS. MPLS is a
forwarding mechanism in which packets are forwarded based on labels: inside the ISP
cloud there is no per-hop IP routing lookup, only a label lookup, so forwarding is
faster, and the labels provide the traffic separation that MPLS VPNs are built on
(separation, not encryption: labeled traffic is not protected on the wire).
As it was a new idea, new terms came with the logic behind MPLS.
>LER :- Label Edge Router, the router that imposes (pushes) or disposes (pops) the
label on packets entering or leaving the ISP cloud. An LER is commonly called a
PE or Provider Edge router.
>Ingress LER :- The PE router that imposes the label in front of the IP packet.
>Egress LER :- The PE router that disposes the label and forwards the IP packet
without a label.
>LSR :- Label Switch Router, a router that forwards packets based on labels, swapping
the incoming label for a new outgoing label; commonly called a P or Provider router.
>CE :- Customer Edge router, the customer-site router connected to the ISP's
MPLS cloud.
>Label :- A 4-byte (32-bit) label stack entry inserted between the Layer 2 header and
the IP header: a 20-bit label value, 3 EXP/TC bits, a 1-bit bottom-of-stack flag and
an 8-bit TTL. The 20-bit label value is what forwarding decisions are made on.
>Label Binding :- Mapping a label to a FEC.
>FEC :- Forwarding Equivalence Class, a group of packets forwarded in the same manner,
over the same path, with the same forwarding treatment.
>LSP :- Label Switched Path, the series of LSRs that forward labeled packets for a FEC.
>PHP :- Penultimate Hop Popping, a mechanism where the label is popped (removed) one
hop before the egress PE router, so the egress PE does a single IP lookup instead of
a label lookup followed by an IP lookup.
>RIB :- Routing Information Base, the store of all routes known to the router; its
contents are pushed into the FIB for forwarding.
>LIB :- Label Information Base, the store of all labels bound to networks known to the
router; the labels actually in use move from the LIB into the LFIB for forwarding.
You can check the LIB with "show mpls ldp bindings".
>FIB :- Forwarding Information Base, a CEF (Cisco Express Forwarding) table built from
the information in the RIB and used for forwarding.
You can check the FIB with "show ip cef" ("show ip route" shows the RIB, not the FIB).
>LFIB :- Label Forwarding Information Base, a CEF table used to forward labeled
packets; the LFIB only stores the labels used to forward packets.
You can check the LFIB with "show mpls forwarding-table".
>Control Plane :- Uses the configured routing protocols to build the routing table
(the RIB) and a label exchange protocol to maintain labels in the LIB. It is also
responsible for building the two tables in the forwarding plane, the FIB and the LFIB.
>Data/Forwarding Plane :- Consists of the two tables, FIB and LFIB, that forward
incoming packets either by IP (unlabeled) or by label. It also performs the
push/pop/swap of labels.

>LDP:- Label Distribution Protocol, used to distribute labels in the MPLS cloud; an
IETF standard (RFC 5036).
>TDP:- Tag Distribution Protocol, Cisco's proprietary predecessor of LDP, used for
the same purpose.
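The following added example (my own code, not from the original post) puts the terms above to work. It encodes and decodes the 32-bit label stack entry, then walks a constructed four-router LSP (PE1, P1, P2 and PE2, with hypothetical names, labels and prefix) through push at the ingress LER, swap at the LSR and pop at the penultimate hop, where PHP is triggered by the egress having advertised the reserved implicit-null label 3.

```python
import struct

IMPLICIT_NULL = 3   # reserved label the egress advertises to request PHP (RFC 3032)

def encode_label(label, tc=0, bos=False, ttl=255):
    """Encode one 32-bit label stack entry: 20-bit label, 3-bit TC/EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)

def decode_top(data):
    """Decode the top-of-stack entry; return (fields, bytes below it)."""
    if len(data) < 4:
        raise ValueError("truncated label stack")
    (word,) = struct.unpack_from("!I", data, 0)
    fields = {"label": word >> 12, "tc": (word >> 9) & 0x7,
              "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}
    return fields, data[4:]

# Hypothetical LSP PE1 -> P1 -> P2 -> PE2 for FEC 10.2.2.0/24 (constructed, not from the post).
FIB = {"PE1": {"10.2.2.0/24": (17, "P1")}}     # ingress LER: prefix -> (label to push, next hop)
LFIB = {"P1": {17: (25, "P2")},                 # LSR: swap 17 -> 25
        "P2": {25: (IMPLICIT_NULL, "PE2")}}     # penultimate hop: PHP, forward unlabeled

def ingress_push(router, prefix, ip_packet, ttl=64):
    """Ingress LER: impose the label for the FEC (label TTL taken from the IP TTL, simplified)."""
    out_label, next_hop = FIB[router][prefix]
    return encode_label(out_label, bos=True, ttl=ttl) + ip_packet, next_hop

def lsr_forward(router, frame):
    """LSR: look the top label up in the LFIB and swap or pop it. Returns (frame, next hop, action)."""
    top, below = decode_top(frame)
    if top["ttl"] <= 1:
        raise ValueError(f"{router}: label TTL expired")
    out_label, next_hop = LFIB[router][top["label"]]
    if out_label == IMPLICIT_NULL:
        # PHP: pop without pushing anything; the egress receives what was under this label.
        return below, next_hop, f"{router}: pop {top['label']}"
    new_top = encode_label(out_label, top["tc"], top["bos"], top["ttl"] - 1)
    return new_top + below, next_hop, f"{router}: swap {top['label']} -> {out_label}"

def trace_lsp(prefix, ip_packet):
    """Follow a packet from the ingress LER to the egress LER; return (actions, what the egress gets)."""
    frame, router = ingress_push("PE1", prefix, ip_packet)
    actions = [f"PE1: push {decode_top(frame)[0]['label']}"]
    while router in LFIB:
        frame, router, action = lsr_forward(router, frame)
        actions.append(action)
    actions.append(f"{router}: unlabeled packet, plain IP lookup")
    return actions, frame

if __name__ == "__main__":
    for step in trace_lsp("10.2.2.0/24", b"\x45" + b"\x00" * 19)[0]:
        print(step)
```

The LFIB here holds exactly what "show mpls forwarding-table" shows on a real LSR: an incoming label, an outgoing label (or a pop) and a next hop, with no IP prefix consulted once the packet is labeled.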

Will be discussing the above topics scenario-wise in coming posts, so do watch out 🙂

OSPF /32 issue in MPLS VPN Scenario

Yesterday my office colleague and I were working through an MPLS-VPN scenario and got
stuck at one point. The issue was a really good one, which is why I thought of posting it on my blog.

The scenario was like


In this scenario EIGRP runs between R1 and R3 and between R5 and R2 (the CE-PE links).
The VRF is named RED. OSPF runs as the underlying IGP between R3, R4 and R5; BGP is
not running on R4, which is a pure P router.
The loopback interface addresses are taken from the device number (R1's loopback is ,
and likewise through R2).
Everything was configured as per the diagram: "ip vrf RED" with "rd 100:1",
"route-target export 100:1" and "route-target import 100:1" on both PEs, and the
vpnv4 and ipv4 address families correctly defined under BGP. Everything was
configured correctly and carefully.
Now the issue: we could see the loopback routes of R2 in R1 and vice versa, so the
control plane was working, yet a ping between them failed. We rechecked the
configuration step by step:
R3#show ip bgp vpnv4 all
All routes were marked with *>, meaning valid and best.
>We checked both PEs, R3 and R5:
R3#show ip route vrf RED
The routes were received properly.
>We also checked the MPLS LIB and LFIB:
R3#show mpls ldp bindings
R5#show mpls forwarding-table
They also looked fine.
>We even checked the CEF tables:
R3#show ip cef
R3#show ip cef vrf RED {prefix} detail
>Still we could not ping end to end.

After around two hours we finally figured out the issue.
Here are the details.
>I was running OSPF as the IGP between the P/PE routers in the MPLS backbone and using
loopback interfaces on the PE routers as the BGP update source and for testing. I had
given these loopbacks a /24 mask. The configuration looked like this:
R3#show run
interface loopback 0
ip address
router ospf 1
network area 0

Checking the routing table on the second PE (R5) showed that the loopback had been
advertised with a /32 mask rather than the /24 I had intended.

R5#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS
ia – IS-IS inter area, * – candidate default, U – per-user static
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set
     is subnetted, 1 subnets
O       [110/3] via , 00:03:55, FastEthernet1/0

It is therefore not in the MPLS forwarding table as a /24 either.

R5#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched    interface
16     16 0          Fa1/0   
17     Untagged 0          Fa1/0
18     Pop tag 0      Fa1/0  

Then I recalled from my OSPF studies that OSPF advertises a loopback interface as a
/32 host route whatever mask is configured on it, because loopbacks default to the
OSPF network type LOOPBACK. In an MPLS core this matters because LDP binds a label to a
prefix exactly as that prefix appears in the routing table: the egress PE advertises a
binding for its connected /24, while the other routers carry the loopback as a /32, so
on the router next to the egress PE no binding matches the BGP next hop, the LFIB
entry shows "Untagged", the whole label stack (VPN label included) is stripped there
and the VPN packet is dropped. That is why the control plane looked perfect while the
ping failed. Either of two fixes gives a consistent prefix: issue
"ip ospf network point-to-point" under the loopback interfaces on the P/PE routers so
the configured /24 is advertised as-is, or simply use a /32 mask for the loopbacks.
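As an added example that is not from the original post, the following code reproduces the failure above with a small model of the LFIB rule. The addresses are hypothetical (the post does not show them; R3's loopback is taken as 3.3.3.3/24 following the numbering scheme), and the RIB and LDP binding tables are constructed by hand. It shows the BGP next hop ending up Untagged when OSPF hands out a /32 for a /24 loopback, and labeled again after either of the two fixes.

```python
import ipaddress

def longest_match(rib, address):
    """Longest-prefix match of one address against a RIB given as a list of prefix strings."""
    addr = ipaddress.ip_address(address)
    candidates = [ipaddress.ip_network(p, strict=False) for p in rib]
    matches = [n for n in candidates if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def lfib_entry(rib, downstream_bindings, bgp_next_hop):
    """Mimic how an LSR builds its LFIB entry for the prefix covering a BGP next hop:
    an outgoing label exists only if the downstream neighbour advertised a binding for
    exactly the prefix that is in this router's RIB. Returns (state, prefix, label)."""
    route = longest_match(rib, bgp_next_hop)
    if route is None:
        return ("no route", None, None)
    label = downstream_bindings.get(str(route))
    if label is None:
        return ("untagged", str(route), None)   # label stack stripped here: VPN traffic dies
    return ("labeled", str(route), label)

# Constructed scenario (addresses hypothetical; the post's own are not shown):
# R3 loopback0 is 3.3.3.3/24 and is the BGP next hop for VPN routes as seen from R5.
# R4 is the P router whose downstream neighbour for that prefix is R3 itself.
R3_CONNECTED = "3.3.3.0/24"
R3_BINDINGS = {R3_CONNECTED: 3}          # R3 advertises implicit-null (3) for its connected /24
R3_BINDINGS_HOST = {"3.3.3.3/32": 3}     # what R3 advertises once the loopback itself is /32
R4_LINK = "10.3.4.0/30"                  # hypothetical R3-R4 link, present in every RIB below

def diagnose():
    """Return R4's LFIB state for the R3 loopback: broken, then after each of the two fixes."""
    broken = lfib_entry(["3.3.3.3/32", R4_LINK], R3_BINDINGS, "3.3.3.3")          # OSPF sent a /32
    fix_p2p = lfib_entry(["3.3.3.0/24", R4_LINK], R3_BINDINGS, "3.3.3.3")         # ip ospf network point-to-point
    fix_host = lfib_entry(["3.3.3.3/32", R4_LINK], R3_BINDINGS_HOST, "3.3.3.3")   # /32 loopback
    return broken, fix_p2p, fix_host

if __name__ == "__main__":
    for name, result in zip(("/24 loopback, OSPF default", "point-to-point", "/32 loopback"), diagnose()):
        print(f"{name:28}: {result}")
```

The same check is worth running whenever a BGP next hop is reached through any prefix that is not the exact one LDP bound a label to, for example a summarized or aggregated loopback range, since summarization in the core breaks MPLS VPN forwarding for the same reason.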

Always watch for simple things first before going into complex scenarios 🙂

OSPF Cost Manipulation
The equation used for cost manipulation in OSPF is:

OSPF Cost = Reference Bandwidth / Interface Bandwidth

It simply means that we can manipulate any one of three parameters (the cost itself,
the reference bandwidth, or the interface bandwidth) to adjust our OSPF cost.
First of all, we can set the OSPF cost directly with "ip ospf cost [1-65535]" on
the particular interface. Example:
R1#conf t
R1(config)#interface Serial0/0
R1(config-if)#ip ospf cost 20

The second way is to change the reference bandwidth; this is done under the
OSPF process:
R1(config)#router ospf 1
R1(config-router)#auto-cost reference-bandwidth 20000

By default, OSPF calculates the cost of an interface by dividing 100 million
(10 to the power 8) by the bandwidth of the interface, so the formula looks like this:

OSPF Cost = 100000000 / interface bandwidth in bps

NOTE:- Whenever you change the reference bandwidth make sure it is the same on
all routers in your OSPF domain, otherwise routers will compute different costs for
the same links; the router also prompts for this:

R1(config-router)#auto-cost reference-bandwidth 20000
% OSPF: Reference bandwidth is changed.
        Please ensure reference bandwidth is consistent across all routers.

Also note that the router takes the auto-cost reference-bandwidth value in Mbps:

Rack1R1(config-router)#auto-cost reference-bandwidth ?
  <1-4294967>  The reference bandwidth in terms of Mbits per second

So using the default value in a network that has interfaces faster than 100 Mbps is
not recommended. The reason is simple: with the default reference bandwidth the formula
gives a cost of 1 for every interface of 100 Mbps or faster (the minimum cost is 1), so
OSPF cannot differentiate between a 100 Mbps interface and a faster one. The
"ip ospf cost" command above lets you set the cost per interface, but the better way
is to raise the reference bandwidth. Always change the default behaviour of any
protocol with caution; in this case the reference bandwidth must be changed on every
OSPF router in the routing domain.

The third way is also simple: manipulate the interface bandwidth to get the desired
OSPF cost, with the command:
R1(config)#interface Serial 0/0
R1(config-if)#bandwidth [value in kbps]
Keep in mind that "bandwidth" does not change the physical speed of the link, and that
it is also read by EIGRP and by percentage-based QoS policies, so changing it to steer
OSPF has side effects beyond OSPF.

Some common OSPF costs with the default reference bandwidth of 100 Mbps:
10 Mbps Ethernet = 10
T1 serial (1544 kbps) = 64
Fast Ethernet = 1
Gigabit Ethernet = 1
10 Gigabit Ethernet = 1
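Here is an added example (my own code, not from the original post) that applies the formula above the way IOS does, integer division with a floor of 1 and a cap of 65535, to a constructed pair of two-hop paths, one over FastEthernet and one over 10 Gigabit Ethernet. With the default reference bandwidth the two paths tie; with auto-cost reference-bandwidth 20000 the 10 Gigabit path wins. Interface bandwidths are in kbps, the unit the bandwidth command uses.

```python
OSPF_MAX_COST = 65535
DEFAULT_REF_BW_MBPS = 100   # 10^8 bps

def ospf_cost(iface_bw_kbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """IOS rule: cost = reference bandwidth / interface bandwidth, integer part only,
    never below 1, capped at 65535. Interface bandwidth is in kbps (the unit of `bandwidth`)."""
    if iface_bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = (ref_bw_mbps * 1000) // iface_bw_kbps
    return max(1, min(cost, OSPF_MAX_COST))

def path_cost(link_bws_kbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """OSPF path cost is the sum of the outgoing interface costs along the path."""
    return sum(ospf_cost(bw, ref_bw_mbps) for bw in link_bws_kbps)

def best_paths(paths, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Return ({path name: cost}, sorted names of the lowest-cost paths).
    More than one name means OSPF would load-share across those paths."""
    costs = {name: path_cost(bws, ref_bw_mbps) for name, bws in paths.items()}
    lowest = min(costs.values())
    return costs, sorted(n for n, c in costs.items() if c == lowest)

# Constructed topology: two paths to the same destination, two hops each.
PATHS = {
    "via_fastethernet": [100_000, 100_000],     # 2 x FastEthernet (100,000 kbps)
    "via_10gig": [10_000_000, 10_000_000],      # 2 x 10 Gigabit Ethernet (10,000,000 kbps)
}

if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW_MBPS, 20000):
        costs, best = best_paths(PATHS, ref)
        print(f"auto-cost reference-bandwidth {ref}: {costs} -> best {best}")
```

The tie under the default is the problem the text describes: OSPF would happily balance traffic across a FastEthernet link and a 10 Gigabit link as equal-cost paths. Changing the reference bandwidth on only some routers would make the two sides of a link disagree on its cost, which is why the consistency warning above matters.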

Detailed checklist for the CCIE (Routing and Switching) Lab exam from Cisco can be found Here.
Note:-You must be logged in to see the content.