CCIE RS – Written – Network Principles – Explain General Network Challenges

Explain General Network Challenges

Unicast Flooding

  • Occurs when destination MAC address of the packet is not in the L2 forwarding table of the switch
  • Packet is forwarded out all forwarding ports in that VLAN except the originating port packet was received on
  • Reasons MAC address many not be known
    • Asymmetric routing
    • STP Topology Changes
    • Forwarding Table Overflow

How to Detect

  • No special commands used to detect flooding
  • Unicast Flood Protection – allows switch to monitor amount of unicast flooding per VLAN and take a specified action if flooding exceeds specified amount
  • Actions
    • Syslog
      • %UNICAST_FLOOD-4-DETECTED: Host 0000.0000.2100 on vlan 1 is flooding
        to an unknown unicast destination at a rate greater than/equal to 1 Kfps
    • Limit or shutdown VLAN
  • Show mac-address-table unicast-flood
  • Captures during time of slowdown / outage
    • See packets that are not destined for the workstation

Asymmetric Routing

  • Packets follow different paths depending on the traffic direction
  • Approaches to limit flooding
    • Bring routers ARP timeout and switches forwarding table aging time close to each other
      • Scenario – L3 switch with HSRP configured to LB different vlans
  • Traffic does not stop flooding even after the destination replies

How to detect

  • Follow the routing path
  • Traceroutes

STP Topology changes

TCN – Topology Change Notification

  • Designed to correct the forwarding table after forwarding table changes
  • Used to avoid connectivity outages. If a port goes down and the destination is available over a different port.
  • TCN operates by shortening the forwarding table aging time and if the MAC address is not relearned flooding will occur
  • TCNs are triggered by a port transitioning to or from the forwarding state
  • Issues arise when TCNs are occurring repeatedly with short intervals
    • Switch is constantly fast-aging forwarding table so flooding will be nearly constant
  • Limit TCN’s with the use of portfast

Forwarding Table Overflow

  • New MAC addresses cannot be learned and packets destined to such MAC are flooded until space becomes available
  • Can be caused by an attack on the network where a host starts generating frames sourced with different MAC addresses
  • Detected by examining the switches forwarding table
    • MAC addresses will point to a single port
  • Prevent by limiting the number of MAC addresses that can be learned on an untrusted port
    • See Switchport Security
  • High amount of packets or normal packets with high number of different source MAC addresses

Out of Order Packets

Using per-packet load balancing to share the traffic load across available paths to a given destination can lead to out-of-order packets for a given data flow.

Impact of Microbursts

  • Patterns or spikes of traffic causing interfaces to ne temporally oversubscribed and drop traffic
  • Typically buffers can handle bursts of traffic. This is in excess the buffers can handle
  • Detect by looking at Total Output Drops under show interface
    • Drops increment but utilization stays the same
  • Burst of traffic occur in microseconds
  • Show up as ignores and/or overruns
    • Input errors on show interface
  • Detect by capturing traffic over a long period of time

CCIE RS – Written – L2 – Implement and Troubleshoot Switch Administration

Implement and Troubleshoot Switch Administration

Managing MAC Address Table

The MAC address table contains address information that a switch uses to forward traffic between ports

  • MACs are associated with 1 or more ports
  • Dynamic address
    • Switch learned addresses that will age out when not in use
  • Static Addresses
    • Manually entered, does not age and not lost during switch reset

Disabling MAC Address Learning on Interface or VLAN

  • Causes flooding on network
  • Disabling on SVI, all IP packets are flooded in L2 domain
  • No mac address-table learning [interface]
  • Show vlan internal usage
  • Show mac address-table learning [interface]
  • Default mac address-table learning (Global config)

Errdisable Recovery

Software on switch that detects an error situation and diables the port

  • Port is effectivly shutdown
  • LED is set to amber
  • Show interface
cat6knative#show interfaces gigabitethernet 4/1 status

PortName Status Vlan DuplexSpeed Type
Gi4/1err-disabled 100full 1000 1000BaseSX
  • Syslog Message example (BPDU Guard)
         Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.
         bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state
  • Causes of error disable
    • Duplex mismatch
    • Port channel misconfiguration
    • BPDU guard violation
    • UniDirectional Link Detection (UDLD) condition
    • Late-collision detection
    • Link-flap detection
    • Security violation
    • Port Aggregation Protocol (PAgP) flap
    • Layer 2 Tunneling Protocol (L2TP) guard
    • DHCP snooping rate-limit
    • Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
    • Address Resolution Protocol (ARP) inspection
    • Inline power
  • Error disable detection is enabled by default
    • Disable – no errdisable detect cause
    • Show errdisable detect
cat6knative#show errdisable recovery
ErrDisable ReasonTimer Status
udld Enabled
dtp-flap Enabled
gbic-invalid Enabled
arp-inspection Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

InterfaceErrdisable reasonTime left(sec)
  • Recover port from error disable
    • Identify root cause of errdisable
    • Correct the problem
    • Re enable the port
      • Shutdown , no shutdown on the interface
      • Cmd: Errdisable recovery
cat6knative#errdisable recovery cause ?
all Enable timer to recover from all causes
arp-inspectionEnable timer to recover from arp inspection error disable
bpduguard Enable timer to recover from BPDU Guard error disable
channel-misconfig Enable timer to recover from channel misconfig disable
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
disable state
dtp-flapEnable timer to recover from dtp-flap error disable state
gbic-invalidEnable timer to recover from invalid GBIC error disable
l2ptguard Enable timer to recover from l2protocol-tunnel error
disable state
link-flap Enable timer to recover from link-flap error disable
mac-limit Enable timer to recover from mac limit disable state
pagp-flap Enable timer to recover from pagp-flap error disable
psecure-violation Enable timer to recover from psecure violation disable
security-violationEnable timer to recover from 802.1x violation disable
udldEnable timer to recover from udld error disable state
unicast-flood Enable timer to recover from unicast flood disable state


The MTU on a switch may need to be adjusted based on protocols being used. Example: 802.1q tunnel requires extra header space, adjusting the MTU from 1500 to 1504 would prevent fragmentation.

CCIE RS – Written – Network Principles – Explain UDP Operations

Explain UDP Operations

User Datagram Protocol

  • Traffic is connectionless
    • No handshake or reliability
    • No guarantee of message delivery
  • Smaller than TCP traffic
  • Ideal for Voice and Video
    • Cannot wait on delayed packets
    • Lack of retransmission delays
  • Transaction oriented
  • Simple – used by DHCP and TFTP
  • Stateless – Suitable for large number of clients
  • Unidirectional communication
  • UDP header – 4 fields, each 2 bytes (16 bits)
    • Source port number – ID’s senders port
      • Assumed to be the port to reply on
    • Destination port number – ID’s receivers port and is required
    • Length – Length in bytes of the UDP header and data
      • Min is 8 bytes
    • Checksum – May be used for error-checking of header and data
      • Optional in IPv4
      • Mandatory in IPv6


TCP Starvation / UDP Dominance

Occurs when TCP and UDP streams are assigned to the same QOS class

  • UDP has no flow control to cause it to back off when congestion occurs
  • TCP ends up backing off allowing more bandwidth for UDP to the point where UDP completely takes over

Avoid by assigning TCP and UDP to different classes and separate in the best possible way


End to end delay

Jitter is a variance of latency

  • Jitter resolved through buffering

RTP/RTCP Concepts

RTP – Real-time Transport Protocol

  • Delivers voice and video over IP networks
  • Runs over UDP
  • Used in conjunction with RCTP
  • Often used with signaling protocols (SIP, Session Initiation Protocol)
  • Header
    • Min size of 12 bytes
      • Version (2 bits) – Version of protocol
      • P (Padding, 1 bit)
      • X (Extension) 1 bit
      • CC (CSRC count) 4 bits
      • M (Marker) 1 bit
      • PT (Payload Type) 7 bits – Format of payload for application
      • Sequence Number (16 bits) – Used by receiver to detect packet loss. RTP does not specify an action on packet loss
      • Timestamp (32 bit)
      • SSRC 32 bits – Synchronization source
      • CSRC – 32bits each
      • Header Extension (optional)
  • RFC 3550

From CCNA Collab Notes

  • Operates at transport level of OSI model
    • UDP based traffic, does not require acknowledgement
  • UDP provides port numbers and header checksum
  • RTP adds timestamps and sequence numbers to header information
  • Random port – 16,384 <> 32,767
    • Always even number
  • Devices setup point to point RTP stream, one in each direction

RTCP – RTP Control Protocol

  • Monitor transmission stats and QOS
  • Aids in synchronization of multiple streams
  • Stats include
    • Transmitted octect and packet counts
    • Packet loss, delay variation and RTD
  • Application can use this information to take an action
    • Such as – Choose different codec

From CCNA Collab Notes

  • Reports statistics between 2 devices in the call
    • Packet count
    • Packet delay
    • Packet loss
    • Jitter (delay variations)
  • UDP based traffic
    • Random port – 16,384 <> 32,767
      • Always odd number
  • Separate session from RTP
  • Devices send RTCP packet once every 5 seconds