CCIE Topic: 1.1a Switch Administration

Captions
Hey everyone, and welcome to my first video, where I'm sharing with you some topics I'm learning about for my CCIE Enterprise Infrastructure studies. So my initial game plan is to just go right down the blueprint that's provided by Cisco and take a pass over all of those topics. I'm going to dive in to review things; in some cases, things that I feel like I know pretty well, and in other cases I'll be drilling down and learning new concepts and new topics with other items that are listed there. So if we take a look at that blueprint, the first major section is Network Infrastructure, so I'm just going to start right at the top and work my way down. But I think it might be more appropriate to say I'm starting at the bottom, because we start out with some fairly simple topics, namely Layer 2 switching. So let's take a look at item 1.1a, which is switch administration.

So let's talk about the first topic that we see on the list, which is the MAC address table. On a Cisco switch this contains address information used to forward traffic between the ports. Every address found in the table is associated with one or more ports, and that can include both dynamically and statically learned addresses. So here, if we use the command show mac address-table, we can see that structure on our switch. You can see first here the associated VLAN, we can see the destination MAC address for each attached device, we can see the type of address, whether that's static or dynamic, and we can see the port number, which for this particular MAC address is Gig0/0 on this switch. Now we can also specifically filter these results. If I just choose one of these MAC addresses and I copy that, and then I use a variation of that command, I say show mac address-table address and then I paste in the MAC address, you'll see that now my output only contains information for this single MAC address. Why might we want to filter this? Well, maybe we're looking through some logs, or maybe we have a console error message about a particular MAC address. This is going to let us dig deeper and look at more information about the device. If we just have the MAC address, that isn't always super helpful, so we can use this command to find out which VLAN and which port this device is attached to without having to look through the entire MAC address table. So that's true even if the attached device is an uplink to another switch, and if it is, you would just jump onto that switch and continue to follow the chain until you track down that device.

The next feature to talk about is the errdisable feature, which automatically disables a port on a Cisco switch when an error condition is detected. When a port goes into the errdisabled state it is effectively shut down, so that no traffic can be sent or received on that port, and if you're using a physical switch, the port LED is going to turn orange to indicate that there's an error condition. Now what could cause an error-disabled state? Well, there's actually a long list of things that can do that: things like a duplex mismatch, a broadcast storm, or a violation of any port security that we've configured, and a lot of other things. There are two ways that we can recover from an error-disabled state. We can simply bounce the interface, which means we issue a shutdown command at the interface configuration level followed by a no shutdown command, or we can use an errdisable recovery option. So on my switch let's say show errdisable recovery, and this is going to show us a list of all of those options. Now you'll notice here that if I complete the output, all of these options are currently disabled on this switch, and that's by default; there's going to be nothing enabled. Also notice here that our default timer interval is set to 300 seconds, or 5 minutes. So this output shows any places where we've defined any automatic errdisable recovery on our switch. Again, I don't have any configured here just yet, but you can see that we do have quite a long list of those options.

So let's take a look at this in action. Let's use port security to cause an error-disabled state and see what that looks like. So if we again say show mac address-table, you can see our addresses that are currently in there, and what we're seeing here, notice we have two MAC addresses on Gig0/0. What we're seeing is the fact that I have an additional switch which is connected to Gig0/0 on the switch that I am connected to over the console port. So I have a Layer 2 switch that's allowing me to connect to other devices, and these are the two devices we see here by MAC address. So let's now go under global configuration mode, under interface Gig0/0, and if we want to enable port security, the first thing we have to do is make sure this is an access port, so we can say switchport mode access. Next let's say switchport port-security, and if we take a look at contextual help we can see those options. The first one I'm going to start with is mac-address, and we have three options for that: we can manually specify an allowed MAC address for this interface, we can configure a forbidden MAC address that we don't want to be allowed to connect over this interface, or we can use a dynamic option to learn which MAC address we want to be allowed, which is the sticky option, and that's exactly what I'm going to configure in this case. The next thing we can do, we can say port-security, and if we look at those options again, the one I want to use is maximum, and I'm going to set that to one. So what's going to happen here is that the first MAC address learned on the switch port will be the only one allowed to connect. The sticky option is going to tell the switch port to dynamically learn and attach a MAC address; the maximum is set to one, so it's going to only allow that first learned MAC address. Any other MAC addresses that appear are going to trigger our port security, and it's going to put the interface into an error-disabled state.

Now we can further configure what's called our violation mode. So if we say switchport port-security violation, we have three options: we have protect, restrict, and we have shutdown. Protect is only going to work with the sticky option, where we configure a sticky MAC address as we did here; any frames from non-allowed MAC addresses would be dropped and a log entry would be created. Restrict mode does the same thing, but it also generates a security violation alert, and shutdown will generate a violation alert and also disable the port. So if we don't specify a particular violation mode here, it's going to default to shutdown, so issuing that command is actually redundant, but I'll go ahead and do that just so that you can see that. Now if we go back a level and say do show port-security, you'll see that we don't currently have anything in here, and that's because I still have to enable port security on this interface. So if I go back under interface Gig0/0... actually, before I do that, let me go back a level, and I'm gonna run that show command specifically for interface Gig0/0 just so you can see what that looks like. You see that the violation mode is set to shutdown, but port security is currently disabled. So let's go back under interface Gig0/0 and we'll say switchport port-security, and entering that command is going to turn on our port security. So if we just quickly run that show command again, you'll see that now it says port security is enabled. So pretty soon I suspect we'll get a message in our console, an error message stating that we have a port security violation, because remember we do have multiple devices connected via a Layer 2 switch. And there, you just saw that coming into the console port: we see there is an errdisable message, a psecure-violation error detected on Gig0/0, we see our security violation, and it tells us that interface Gig0/0 has changed to the down state. So that's working exactly as we would expect it to.

Now as for automatic recovery options, under global configuration mode let's say errdisable (actually, I shouldn't have put a space there), we'll say errdisable recovery cause, and if we look at contextual help we have many options here that we can see, so you can get pretty specific. Up at the top we see the generic term, all; if we use that very generic variation of that, that means that the port is going to attempt to restore itself from the errdisable state for any reason that happens. Now again, by the way, this automatic recovery option is disabled by default, so we would need to explicitly configure that if we wanted to do that. Another option would be changing the recovery time. So if we say errdisable recovery and we can see the contextual help options, one of those is interval. This is going to allow us to set the interval as low as 30 seconds, so if we have an error-disabled state and 30 seconds goes by, it's gonna try to correct that errdisable state. Of course, you can also perform a simple shut and no shut command at the port configuration level to bounce the port and try to recover it that way. Now again, also remember that by default this timer is set to 300 seconds, or five minutes. If we go back under interface Gig0/0 and we do a quick shut and no shut, that is how we would bounce the port, and you see we are back in the up state. But again, since we do have this sticky MAC address with a maximum of one configured here, eventually in our console we're gonna see another error message letting us know that we've had another port security violation; it's gonna take that port back into the down state. And there is exactly what we see happening: we've had a violation occur, we see our security violation, we see that an error is detected on Gig0/0, it's gone into the down state. Let's do one more show command here; we'll again say show port-security for interface Gig0/0, and you can see this time our port security is enabled but we are in secure-shutdown because we have had a violation. Another important place to look is here at the very bottom, the security violation count, so we've now had two violations. So that's going to give us an idea of what's going on. That's a couple of ways that we can look at automatic recovery options and also verify if port security is enabled and if that port is currently in the secure-shutdown state.

The last topic under this subsection is Layer 2 MTU. MTU stands for maximum transmission unit, and that simply refers to the largest possible Ethernet frame that a device is able to forward. The original IEEE 802.3 standard outlined the minimum size for an Ethernet frame as 64 bytes, such as an ICMP message, and the maximum size as 1518 bytes. The 18 bytes of that maximum frame size would be overhead consisting of a header and a frame check sequence, so the MTU is 1500 bytes plus the 18-byte header information. Now later this was increased to 1522 bytes to allow for VLAN tagging. We also have the concept of jumbo frames, which is a frame with a payload larger than 1500 bytes. These are used on local networks that support at least one gigabit per second, and they can be as large as 9000 bytes. We also have baby jumbo frames (yes, that's a real thing); those are only slightly larger than the IEEE standard. And we also have super jumbo frames, with a payload of over 9000 bytes. So what's relevant here as far as MTU? Well, the CCIE blueprint tells us we need to know about Layer 2 MTU, so let's talk about the ways we can configure that. First, on a 100 megabit per second interface, which hopefully you don't have a lot of in your network, we can issue the command system mtu followed by the size in bytes. For 1000 megabit per second interfaces we use the command system mtu jumbo followed by the size in bytes, so the 1000 megabit per second and faster interfaces is where we start to see support for jumbo frames. So both of those options are ways we can configure Layer 2 MTU, but we can also do that at Layer 3 as well: for switched virtual interfaces, or SVIs, and for routed interfaces, we say system mtu routing, and we again follow that with the size in bytes. So that's a look at the section of the CCIE blueprint on switch administration. Hope you found this content useful, and I'll see you very soon with some more things that I've been learning.
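The procedure walked through above (port security with a sticky address and a maximum of one, errdisable recovery, and system MTU), collected into one configuration as an added example; this is not configuration from the video or from Cisco, and it assumes a classic Catalyst IOS image where the `system mtu` family exists. The interface name GigabitEthernet0/1, the MTU values, and the MAC address used in the verification commands are placeholders. Unlike the lab in the video, which put `maximum 1` on a port that had a second switch and two hosts behind it (so it was guaranteed to errdisable again after every recovery), this example assumes an access port with a single host, which is where a one-address limit belongs.

```cisco
! Added example, not from the video: port security + errdisable recovery + MTU
! Assumed platform: classic Catalyst IOS (2960/3560-class syntax).
! Placeholders: Gi0/1, 0011.2233.4455, MTU values.
!
interface GigabitEthernet0/1
 description single-host access port (assumption: exactly one device attached)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! shutdown is the default violation mode; stated explicitly for clarity.
 ! "restrict" would keep the port up, log the violation and bump the counter.
 switchport port-security violation shutdown
!
! Automatic recovery is off for every cause until enabled; the default
! interval is 300 s and 30 s is the minimum. Recovery only re-enables the
! port: the learned sticky address stays in the config, so a frame from any
! other MAC errdisables the port again after the next recovery.
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
! Layer 2 MTU is system-wide on these platforms and takes effect after a
! reload: "system mtu" for 10/100 ports, "system mtu jumbo" for Gigabit and
! faster, "system mtu routing" for SVIs and routed ports.
system mtu 1500
system mtu jumbo 9000
system mtu routing 1500
!
! Verification (exec mode):
!   show port-security interface GigabitEthernet0/1   -> Port Status, Violation Mode, Security Violation Count
!   show errdisable recovery                           -> psecure-violation Enabled, Timer interval 30
!   show mac address-table address 0011.2233.4455     -> VLAN and port for one MAC
!   show system mtu
! To move the host to another port without a violation, clear the learned
! sticky address first:
!   clear port-security sticky interface GigabitEthernet0/1
```

When reading `show port-security interface`, the three fields that matter during an incident are Port Status (`Secure-up` versus `Secure-shutdown`), Last Source Address, and Security Violation Count; the last source address is the MAC you then chase with `show mac address-table address` on the neighbouring switch, exactly as the video describes for following an uplink.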
Info
Channel: Charles Judd
Views: 3,983
Keywords: cisco, ccie, cisco enarsi, ccie enterprise infrastructure, cisco enarsi 300-410, cisco encor 350-401, ccie lab, my ccie journey, ccie training, layer 2 switch, switch administration, 1.1a switch administration, ccie blueprint
Id: UHeN26jG_wk
Length: 13min 32sec (812 seconds)
Published: Fri Jul 17 2020