CCIE RS Lab blog – Week 33

Hours Studied – 12, little short of what I was hoping

Sunday

I started off with flash cards again early in the morning. For labbing, I started a little later than I wanted, but worked on CA22. The start of this was very similar to CA21. The L2 was easy to work through. The L3 was very confusing as there was a lot of back and forth and additions of multiple VRFs. After about 3 hours I lost focus and decided to call it a day. I believe the lack of focus came from the poor night’s sleep.

While reflecting on how I was doing I remembered that I am not following the strategy I would do in the actual lab. For the next coming labs I will be implementing the practical lab techniques I would like to perfect.

With a fresh head I am going to revisit this lab as it was more challenging and I’d like to be able to dissect what is being asked and when.

Monday

Monday was my first day back to work and boy were there a lot of emails to get through...

I am back to my normal labbing time at night. An afternoon coffee didn’t seem to help keep me awake to get more than 1.5 hours of labbing in before I couldn’t focus anymore.

I worked on CA20 and it was getting very specific in what it wanted for OSPF which showed a lot of gaps that I had in some of the nuances of this protocol that I want to explore further.

I saved all my configurations and plan to load it up before work on Tuesday to see if some sleep will help.

Tuesday

I tried doing some labbing in the morning continuing with CA20. I wasn’t able to get very far due to other things coming up.

Wednesday

Same as Tuesday… Re-evaluated what’s possible for during the week. I’ll be doing smaller pointed labs.

Thursday

I got into the office early and worked on TA05. This lab was, meh. Not all that challenging and the solutions given go against what I’ve been taught. I’ve been on the assumption of never removing config and that was the 360 solution multiple times.

Friday

I only had time for flashcards.

Saturday

I worked on my first graded lab, pre-assessment on Cisco 360. This lab was fairly straight forward in what it was asking. There was only 1 part that stumped me and I ended up just ignoring the restriction and at least getting connectivity.

The grade came back and I got a 73/100, 80 was considered passing. I am happy with this score and after going through where I missed, there were a couple of typos (5 instead of a 6), the redistribution thing I did on purpose and then some messed up math on subnetting.

Nothing was overly surprising about what I screwed up on and where I need to focus my attention. Since this assessment didn’t take as long as I expected I loaded up an INE troubleshooting lab which went ok.

CCIE RS Random Lab Generator

I’ve been looking for a way to easily randomize a blueprint topic to lab as it’s been getting daunting on what thing to do next. One of my Routergod friends (Thanks Dustin!) mentioned using Anki as this tool to do the randomization. 

I took my existing Excel sheet of the blueprint, changed some formatting around and imported it into a new Anki flashcard deck and set it for 5 cards each day (may adjust as I use). I figure I can’t be the only one with this issue and wanted to share with the community.

If you have any suggestions for improvement please let me know in a comment below!

CCIE RS – L2 WAN Circuit Technology – MLPPP

Multilink PPP

  • Provides load balancing functionality over multiple WAN links
  • RFC 1990
  • Allows packets to be fragmented and sent at same time over multiple p2p links

Link Fragmentation and Interleaving (LFI)

  • Type of Cisco QoS
  • Prevents small delay-sensitive packets from having to wait for longer, delay-insensitive packets to be completely serialized out an interface
  • Fragments larger packets
  • ppp multilink interleave
  • ppp multilink fragment-delay [#]

Configuration

interface multilink [#]
 ip address [address] [mask]
 ppp multilink
 ppp multilink group [#]

CCIE RS – Written – L2 – Implement and Troubleshoot VLANs


VLAN – Virtual LAN

  • Administratively defined subset of switch ports that are in the same broadcast domain
  • Broadcast domain – devices that can receive broadcast sent by another device
  • Best Practice – 1 to 1 relationship between IP subnet and VLAN

Configuration

  • vlan [id]
  • Under interface > switchport access vlan [id]
  • Modify VLAN operational state (L2 only)
    • Can be suspended globally for the entire VTP domain (state suspend) or shut down on the local switch only (shutdown)
    • vlan [id] > state suspend (global) | shutdown (local)

Access Ports

Belongs to and carries traffic for only 1 VLAN

Configuration

interface > switchport access vlan [#]


VLAN Database

  • Vlan 0 – Reserved, not available for use
  • Vlan 1 – Default vlan for all access ports
    • Cannot be deleted or pruned
  • Vlan 4095 – Reserved, not available for use

Switch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#


Normal VLAN

1 – 1001

  • Can be advertised with VTPv1 and 2
  • Configured in vlan database, global config
  • Details stored in vlan.dat
  • Can be pruned

1002 – 1005 Special uses

  • Cannot be pruned
  • 1002 fddi-default
  • 1003 token-ring-default
  • 1004 fddinet-default
  • 1005 trnet-default

Extended VLAN

1006 – 4094

To configure extended-range VLANs, VTPv1 and v2 switches must be in transparent mode


Voice VLAN

Enables access ports to carry traffic from an IP Phone

  • Portfast is automatically enabled when voice vlan is configured
    • Not disabled if voice vlan is removed

Configure how the Cisco IP Phone carries voice traffic:

  • vlan-id —Configure the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
  • dot1p —Configure the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.
  • none —Allow the phone to use its own configuration to send untagged voice traffic.
  • untagged —Configure the phone to send untagged voice traffic.

CCIE RS – Written – L2 – Implement and Troubleshoot Trunking

Implement and Troubleshoot Trunking


Trunking

  • Allows devices to send traffic for multiple vlans across a single link
  • Trunking protocols must match on both ends

ISL

  • Cisco Proprietary
  • Supports normal and extended vlans
  • Encapsulates original frame
    • 26-byte header plus a trailer carrying a new FCS
  • No concept of native vlan

802.1Q

  • Open Standard (IEEE)
  • Supports normal and extended vlans
  • Inserts tag into original frame
    • 4-byte tag
    • Frame tagging
  • Concept of native vlan
    • Traffic in native vlan is untagged
    • All received untagged frames are sent over native vlan
    • Must match on both ends of trunk
    • Detection for mismatch
      • Cisco Switches – Proprietary extension in PVST+ and Rapid PVST+
      • CDP Neighbor can detect and report (syslog)
    • Default native vlan is 1
      • Best practice is to change to prevent vlan hopping attacks

DTP – Dynamic Trunking Protocol

  • Dynamically learn if device on other end wants to perform trunking and negotiate what protocol to use
  • Modes
    • Dynamic Auto – negotiate automatically
      • Prefers to be access port
    • Dynamic Desirable
      • Prefers to be a trunk port
      • Highest priority
      • Will choose ISL if both sides support it
    • Different switch models have different default behaviors
    • DTP and VTP are independent
      • DTP carries the VTP domain name
  • Reduce number of vlans on trunk
    • Vlans must be configured on switch before being considered active
    • Administratively configure or use VTP pruning
      • switchport trunk allowed vlan [add | remove] [vlan-list]
  • Config
    • switchport mode [trunk | dynamic desirable | dynamic auto | access]
    • switchport nonegotiate
      • Port no longer sends DTP messages
    • switchport trunk encapsulation [isl | dot1q]

Q in Q Tunneling

  • VLANs traditionally do not extend past WAN boundary
  • Standard 802.1ad – Provider Bridges
  • Allow SP to preserve 802.1q vlan tag across WAN service
  • CDP and VTP can be configured to pass transparently over Q-in-Q
  • New tagging concept
    • C-Tag – Original customer tagged frame
    • S-Tag – Additional tag added to C-Tag frame at ingress of SP
      • Tag is removed at egress of SP, preserving original C-Tag
      • Different customers get different S-Tags
  • Configuration
    • Raise the system MTU to 1504 to make room for the extra 4-byte tag

Manual VLAN Pruning

Manually specify which vlans are allowed across a trunk link


VTP – VLAN Trunking Protocol

  • Advertises vlan config information to neighboring switches
  • Allows vlan config to be done from 1 switch in the domain (dynamic)
  • Advertises VLAN ID, name and type
  • Does not forward which ports are in the vlan
  • Sends updates out all active trunk links by default
    • Without domain name switches do not send any VTP updates
  • VTP starts working when there is an active trunk link and domain name
  • Configuration
    • vtp domain [name]
    • show vtp status
    • Options
      • Domain – sets domain name
        • Switch can only belong to one domain
      • Password – sets password to prevent unauthorized switches from joining domain
      • Mode [server | client | transparent]
      • Version [1 | 2 | 3]
        • Can configure on server switch and will sync with other switches
        • V3 must be manually configured and have domain name configured
      • Pruning
        • Prevent flooding per-VLAN to switches that do not have the VLAN configured
        • Only applied to normal VLAN range
      • Interface
        • Sets the interface whose IP is used to identify the switch
        • Default is to use IP of lowest numbered SVI

VTPv1

Version 1 is default

  • Supports only normal vlan range

Message Types (v1 and v2)

  • Summary advertise
    • Originated by VTP server and client every 5 minutes and after each modification to vlan database
    • Carries domain name, revision number, ID of updater, timestamp, MD5, password & number of subset advertise
    • Does not carry vlan database contents
  • Subset Advertise
    • Originated by server and client after modification of vlan database
    • Carries full vlan database contents
  • Advertise Request
    • Request neighbors complete vlan database or part of it
    • Request sent when switch enters client mode or client switch is restarted
  • Join
    • Every 6 seconds if VTP pruning is active

Update Process (v1 and v2)

  • Begins when a modification is made on a vlan
  • VTP server will increment revision number by 1 and advertise entire vlan database with new revision number
  • Revision number allow switches to know when vlan database changes have occurred
    • Switches replace their vlan database when a larger revision shows up

VTP Modes

  • Server –
    • Default mode, with no domain name configured
    • Updates do not occur until a domain name is configured
  • Client
    • Will assume first received domain name
    • Default domain is NULL
  • Transparent / Off
    • Prevents switches from listening to other switches VTP updates
  • Protect VTP domain – VTP password
    • Summary adv – carries MD5 hash computed over the vlan database contents and VTP password if configured
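
A simplified model of the v1/v2 update process and the VTP mode behaviour described in the two lists above, added here as an example (not the blog's or Cisco's code). The MD5 stand-in covers only domain, revision, password and the VLAN list; real VTP hashes the advertisement header and database differently, so only the acceptance logic (same domain, strictly higher revision, digest computed with the local password must match, transparent/off never apply) is what this exercises. Switch names, the domain LAB and the passwords in the usage are constructed.

```python
import hashlib


def vtp_digest(domain, revision, password, vlans):
    """Constructed stand-in for the MD5 carried in a summary advertisement."""
    body = f"{domain}|{revision}|{password}|" + ",".join(
        f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(body.encode()).hexdigest()


class VtpSwitch:
    """Minimal VTPv1/v2 participant: server, client, transparent or off."""

    def __init__(self, name, mode, domain=None, password=""):
        self.name, self.mode = name, mode
        self.domain, self.password = domain, password
        self.revision, self.vlans, self.log = 0, {1: "default"}, []

    def add_vlan(self, vid, vname):
        """Server-side change: revision +1, then advertise the whole database."""
        if self.mode != "server" or self.domain is None:
            raise PermissionError("only a server with a domain name can change the database")
        self.vlans[vid] = vname
        self.revision += 1
        return self.advertise()

    def advertise(self):
        """Summary and subset advertisement folded into one message."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "md5": vtp_digest(self.domain, self.revision, self.password, self.vlans)}

    def receive(self, adv):
        """Apply the update rule from the notes; return True if the database was replaced."""
        if self.mode in ("transparent", "off"):
            self.log.append(f"{self.name}: {self.mode} mode, update not applied")
            return False
        if self.mode == "client" and self.domain is None:
            self.domain = adv["domain"]            # client assumes the first domain it hears
        if adv["domain"] != self.domain:
            self.log.append(f"{self.name}: domain {adv['domain']} != {self.domain}, ignored")
            return False
        if adv["revision"] <= self.revision:
            return False                           # not newer than what we already hold
        expected = vtp_digest(adv["domain"], adv["revision"], self.password, adv["vlans"])
        if adv["md5"] != expected:
            self.log.append(f"{self.name}: MD5 mismatch (password?), rev {adv['revision']} rejected")
            return False
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        self.log.append(f"{self.name}: database replaced, now rev {self.revision}")
        return True
```

The usage in the test shows why the notes call out the inadvertent-rewrite problem: a server in the same domain with the right password and a higher revision replaces everyone's database, while a mismatched password is rejected by the digest check.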

VTPv2

Enhanced version of v1

  • Supports token ring concentrator relay function and bridge relay function
    • Not used in ethernet based networks
  • Supports unknown TLV (Type Length Value)
    • V1 would drop unrecognized TLVs, which would stop propagation to other switches
  • Optimized vlan database consistency checking
    • Implementation optimization
    • Skips the consistency check if the change was received via a VTP message

VTPv3

Introduced in IOS release 12.2(52)SE

  • New server roles – Addresses problem of inadvertent rewrites to the vlan database
    • Primary – Only 1 at a time
      • Can modify VTP domain contents
      • Only switch whose vlan database is propagated through the domain
      • Database will be shared if switch agrees on domain name and ID of primary server (MAC address)
    • Secondary –
      • Cannot make changes, but can be promoted
      • All other server switches in the domain are secondary
    • Primary role is a runtime state. Does not get saved into configuration
    • Server role helps prevent unwanted changes to VTP domain
  • Password storage and usage improved
    • Encrypted and cannot be displayed in plaintext
    • Promotion of a secondary requires entering the password in plaintext
    • String is carried encrypted to different switches
  • Capable of distributing full range of vlans and private vlans
    • No longer need to be in transparent mode when using extended vlan range and private vlans
    • Pruning only applied to normal vlan range
  • Supports VTP off
    • Switch does not participate in VTP and drops all VTP messages
  • Distributes content of MST region config
  • Client switches cannot make changes to domain or be promoted
  • Both secondary servers and clients store a copy of the primary’s vlan database and share it with neighboring servers and clients that agree on the primary’s ID
  • A secondary server or client with a higher revision number can overwrite the vlan database, but must match on domain name, primary ID and password
  • Conflicts
    • Server or client in domain having different primary server IDs
    • Conflicting switches do not sync the vlan database even if all other parameters match
  • Promotion to primary server is done in exec mode
    • vtp primary
  • Cannot reset revision number to 0 by switching mode to transparent
    • Only will be reset by modifying the domain name or configuring password
  • On ports facing switches that cannot run v3, the port reverts to v2
    • V3 to v1 is not supported

VTP Pruning

Reduces unnecessary flooded traffic such as broadcasts, multicast and unicast packet

  • Disabled by default
  • Enabling on server enables for entire domain
  • Vlans 2 – 1000 are eligible for pruning
  • Cmd: vtp pruning

CCIE RS – Written – L2 – Implement and Troubleshoot Layer 2 Protocols

Implement and Troubleshoot Layer 2 Protocols


CDP – Cisco Discovery Protocol

  • Proprietary, runs on all Cisco equipment
  • Used to obtain protocol address of neighboring devices and discover the platform of those devices
  • Media and protocol-independent
  • Sends periodic messages – advertisements, every 60 seconds
  • Multicast Address: 01-00-0C-CC-CC-CC
  • CDPv2 is latest version

TLV – Type Length Value: Embedded in CDP advertisements

  • Device-ID TLV: Identifies the device name in the form of a character string.
  • Address TLV: Contains a list of network addresses of both receiving and sending devices.
  • Port-ID TLV: Identifies the port on which the CDP packet is sent.
  • Capabilities TLV: Describes the functional capability for the device in the form of a device type, for example, a switch.
  • Version TLV: Contains information about the software release version on which the device is running.
  • Platform TLV: Describes the hardware platform name of the device, for example, Cisco 4500.
  • IP Network Prefix TLV: Contains a list of network prefixes to which the sending device can forward IP packets. This information is in the form of the interface protocol and port number, for example, Eth 1/0.
  • VTP Management Domain TLV: Advertises the system’s configured VTP management domain name-string. Used by network operators to verify VTP domain configuration in adjacent network nodes.
  • Native VLAN TLV: Indicates, per interface, the assumed VLAN for untagged packets on the interface. CDP learns the native VLAN for an interface. This feature is implemented only for interfaces that support the IEEE 802.1Q protocol.
  • Full/Half Duplex TLV: Indicates status (duplex configuration) of CDP broadcast interface. Used by network operators to diagnose connectivity problems between adjacent network elements.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf015.html


LLDP – Link Layer Discovery Protocol

  • Open Standard – IEEE 802.1AB
  • Switch supports basic management TLVs
    • Port description TLV
    • System name TLV
    • System description TLV
    • System capabilities TLV
    • Management address TLV
    • These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
      • Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
      • MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)

Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED)

  • Extension of LLDP that operates between endpoint devices (IP Phones)
  • TLVs
    • Capabilities
    • Network Policy
    • Power Management
    • Inventory
    • Location

UDLD – UniDirectional Link Detection

  • Cisco Proprietary
  • Allows devices connected through fiber or copper to monitor the physical configuration of the cables and detect when a unidirectional link exists
  • Layer 2 protocol that works with layer 1 protocol to determine physical status of a link
  • RFC 5171

Aggressive Mode

  • Disabled by default
  • Configure only on p2p links
  • Both ends of a bidirectional link send UDLD messages; if one side stops receiving them, UDLD tries to re-establish the connection. After 8 retries the port is disabled
    • Error disabled (errdisable)

Normal Mode

  • Default
  • Does not disable the port when unidirectional link is detected

Configuration Defaults

  • UDLD global enable state — Globally disabled
  • UDLD aggressive mode — Disabled
  • UDLD per-port enable state for fiber-optic media — Enabled on all Ethernet fiber-optic LAN ports
  • UDLD per-port enable state for twisted-pair (copper) media — Disabled on all Ethernet 10/100 and 1000BASE-TX LAN ports

CCIE RS – Written – L2 – Implement and Troubleshoot Switch Administration

Implement and Troubleshoot Switch Administration

Managing MAC Address Table

The MAC address table contains address information that a switch uses to forward traffic between ports

  • MACs are associated with 1 or more ports
  • Dynamic address
    • Switch learned addresses that will age out when not in use
  • Static Addresses
    • Manually entered, does not age and not lost during switch reset

Disabling MAC Address Learning on Interface or VLAN

  • Causes flooding on network
  • Disabling on SVI, all IP packets are flooded in L2 domain
  • no mac address-table learning [interface]
  • show vlan internal usage
  • show mac address-table learning [interface]
  • default mac address-table learning (global config)

Errdisable Recovery

Software on the switch that detects an error situation and disables the port

  • Port is effectively shut down
  • LED is set to amber
  • show interfaces [interface] status
cat6knative#show interfaces gigabitethernet 4/1 status

Port    Name               Status       Vlan       Duplex  Speed Type
Gi4/1                      err-disabled 100        full    1000  1000BaseSX
  • Syslog Message example (BPDU Guard)
    • %SPANTREE-SP-2-BLOCK_BPDUGUARD:
         Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.
      %PM-SP-4-ERR_DISABLE:
         bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state
  • Causes of error disable
    • Duplex mismatch
    • Port channel misconfiguration
    • BPDU guard violation
    • UniDirectional Link Detection (UDLD) condition
    • Late-collision detection
    • Link-flap detection
    • Security violation
    • Port Aggregation Protocol (PAgP) flap
    • Layer 2 Tunneling Protocol (L2TP) guard
    • DHCP snooping rate-limit
    • Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
    • Address Resolution Protocol (ARP) inspection
    • Inline power
  • Error disable detection is enabled by default
    • Disable – no errdisable detect cause [cause]
    • show errdisable detect
cat6knative#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Fa2/4        bpduguard            273
  • Recover port from error disable
    • Identify root cause of errdisable
    • Correct the problem
    • Re enable the port
      • shutdown, then no shutdown on the interface
      • Cmd: errdisable recovery cause [cause] (automatic recovery after the timer interval)
cat6knative#errdisable recovery cause ?
  all                 Enable timer to recover from all causes
  arp-inspection      Enable timer to recover from arp inspection error disable state
  bpduguard           Enable timer to recover from BPDU Guard error disable state
  channel-misconfig   Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap            Enable timer to recover from dtp-flap error disable state
  gbic-invalid        Enable timer to recover from invalid GBIC error disable state
  l2ptguard           Enable timer to recover from l2protocol-tunnel error disable state
  link-flap           Enable timer to recover from link-flap error disable state
  mac-limit           Enable timer to recover from mac limit disable state
  pagp-flap           Enable timer to recover from pagp-flap error disable state
  psecure-violation   Enable timer to recover from psecure violation disable state
  security-violation  Enable timer to recover from 802.1x violation disable state
  udld                Enable timer to recover from udld error disable state
  unicast-flood       Enable timer to recover from unicast flood disable state
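
Detection logic for the two err-disable syslog formats quoted above (%SPANTREE-SP-2-BLOCK_BPDUGUARD and %PM-SP-4-ERR_DISABLE), run over constructed log lines to support the "identify the root cause before re-enabling" step; this is an added example, not code from the original post. Timestamps, hostnames and the sw-access1 link-flap lines are made up, and the %PM-4-ERR_DISABLE form without -SP is the same message as logged by fixed-configuration switches.

```python
import re
from collections import defaultdict

# Constructed sample log: the two formats quoted in the notes, plus a port
# that keeps flapping on a second (made-up) switch.
SAMPLE_LOG = """\
Mar  1 10:02:11 cat6knative %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:11 cat6knative %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi4/1, putting Gi4/1 in err-disable state
Mar  1 10:07:30 sw-access1 %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:13:02 sw-access1 %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:18:45 sw-access1 %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
""".splitlines()

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")
ERR_DISABLE_RE = re.compile(
    r"%PM(?:-SP)?-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
    r" putting (?P=port) in err-disable state")
BPDUGUARD_RE = re.compile(
    r"%SPANTREE(?:-SP)?-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+)"
    r" with BPDU Guard enabled")
LONG_NAMES = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")]


def normalize_port(port):
    """Map long interface names (as SPANTREE logs them) to the short form PM uses."""
    for long, short in LONG_NAMES:
        if port.startswith(long):
            return short + port[len(long):]
    return port


def parse_errdisable(lines):
    """One record {ts, host, port, cause} per ERR_DISABLE message."""
    events = []
    for line in lines:
        m = ERR_DISABLE_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        host = line.split()[3] if ts else None   # field after the timestamp (assumed layout)
        events.append({"ts": ts.group("ts") if ts else None, "host": host,
                       "port": normalize_port(m.group("port")), "cause": m.group("cause")})
    return events


def bpdu_sources(lines):
    """Ports where BPDU Guard fired: an STP speaker showed up behind an edge port."""
    return sorted({normalize_port(m.group("port"))
                   for line in lines if (m := BPDUGUARD_RE.search(line))})


def repeat_offenders(events, threshold=3):
    """(host, port) pairs err-disabled at least `threshold` times: letting the
    recovery timer re-enable them without fixing the cause just repeats the cycle."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["host"], ev["port"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```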

L2 MTU

The MTU on a switch may need to be adjusted based on the protocols being used. Example: an 802.1Q tunnel requires extra header space, so adjusting the MTU from 1500 to 1504 prevents fragmentation.