Systems AdminSysAdmin

I recently sat my CCNP 300-115 – Switch exam. I spent months taking notes on all of the important information needed to pass the exam.

Please see other CCNP Switch Sudy Guides

Switch Hierarchical model

3 level design model – Access, Distribution and Core layers

Access layer – high port density, MAC address based filtering, Password security, end-user access. Devices found at Access layer include computers, phones, wireless access points. HA offered through redundant power, and first hop redundancy protocols. QoS and multicast support. Layer 2 Security via DAI, DHCP snooping, BPDU Guard, port-security, IP source-guard. Collision domains are found on the Access layer.

Distribution layer – Aggregation of access switches. HA through redundant connections to access layer switches and to core. Layer 3 boundary where routing meets the access layer VLANs. Can be default gateway for access devices.  Distribution layer handles media translations (token ring to ethernet / FDDI). QoS and security applied at this layer.  Combination of L2 and L3 switching.

Core layer – Aggregation of Distribution layer switches. Provide back-bone high-speed switching in a campus network High speed L3 pathing.  HA through redundant components. No policies such as ACL’s or filters to slow traffic. Fault tolerance is utmost importance.

  • Switch blocks comprise of Access and distribution layer switches, Core blocks comprise of core switches. 
  • You should include at least 2 distribution switches built into each switch block.
  • Other blocks can include Server farm block, Network management block, Enterprise edge block, ISP or Service provider block.
  • Which of the following are common types of core, or backbone designs – Multinode core, Collapsed core, Dual core
  • A switch block should be sized according to the study of the traffic patterns and flows and the number of access layer users. When a switch block is too large, broadcast traffic becomes excessive.
  • In a properly designed hierarchical network, broadcasts are confined to the one switch block.
  • Breaking up a campus network into a hierarchical design will make the network more predictable and scalable.
  • Routing may be performed at all layers but commonly done at core and distribution layers
  • Primary objective of core layer switches is to switch traffic as fast as possible
  • VTP and VLANs should be local to a switch and at Access Layer

Network design planning – PPDIOO

  • Prepare – Organisational requirements gathering, high level architecture, network strategy, business case strategy.
  • Plan – Network requirements gathering, network examination, gap analysis, project plan.
  • Design – Comprehensive, detailed design.
  • Implement – Detailed implementation plan, and implementation following its steps.
  • Operate – Day to day network operation and monitoring.
  • Optimise – Proactive network management and fault correction.

Switching Concepts

  • IEEE 802.3 standard defines Ethernet
  • Ethernet is based on the Carrier Sense Multiple Access Collision Detection technology
  • Characteristics of multi-layer switching.
    • Provides isolation of the collision domain
    • Provides network-layer and transport layer access ports
    • Determines the forwarding path  based on the network layer address.
  • Layer 3 switching uses hardware based routing.
  • No Switchport command must be configured on the physical ports of a layer 3 switch
  • Flat network topology – 1 broadcast domain.
  • Unicast – to one, Multicast – to many, Broadcast – to everyone
  • Multi-layer switching is based on the route once switch many principle
  • Collision domains can only occur – on a single switch port. When a PC is connected to a layer 2 switch, the collision domain will only spread on the one switchport.
  • Broadcast domains exist in a single VLAN
  • POE Commands – to enable POE – #power inline auto.  to show POE information- #show power inline
  • POE – 802.3af, 802.3at (POE+), uses CDP, delivers 7 – 15.4 watts per port, N/A means device belongs to POE class Zero.
  • POE admin states – Auto, Consumption, Never, Static
  • In a switch, switch frames are placed into the Egress Queue buffer after forwarding decisions are made.
  • Size of the mask and pattern fields in a TCAM entry – 134 bits
  • A switch block can contain access and distribution layer switches
  • Ethernet auto negotiation determines duplex mode. The link duplex mode cannot be automatically determined and set if the far end of the connection does not support auto negotiation. Command used to set port to half duplex – #duplex half
  • When one port does not have auto-negotiation set the port that is running auto-negotiation will detect speed but not duplex so will default to the slowest duplex which is half duplex.
  • 2 files commonly used in Cisco switches – ios image files, configuration files
  • Command to show config of interface – #show running-config int gix/x
  • Access list contents can be merged into the TCAM table. MAC address lookups and ACL lookups are performed at the same time or in parallel.
  • Traffic is filtered with access lists for security and QOS purposes at the same time simultaneously
  • Layer 2 switch – performs transparent bridging
  • Layer 2 commands can not be configured on layer 3 ports that has no switchport command used
  • The destination MAC address is used when forwarding frames in a layer 2 switch.
  • IPv6 provides a new ICMP type 134 packet for use in first hop redundancy
  • Ipv6 provides First hop redundancy through it’s router advertisement mechanism

MAC Addressing

  • Default aging time is 300 seconds
  • TCAM – Ternary Content Addressable Memory.
  • Syslog messages are created when a mac address of host moves between switches
  • Sticky, feature describes mac addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration
  • Unicast MAC address filtering is used to drop traffic from specific source or destination addresses
  • Unicast MAC address can be dropped by a switch that is configured for MAC address filtering
  • Default behaviour of a Cisco MAC address table – Mac addresses are associated with a VLAN
  • #switchport block unicast – command used to block a frame with an unknown destination MAC address from being forwarded out of an interface
  • The primary reason for an admin to disable MAC address learning is to free up space in the MAC address table.
  • Mac flooding – attack technique that attempts to fill a switching table so that attackers can capture passing through traffic.
  • MAC address lookups and ACL lookups are performed at the same time or in parallel.
  • By default only 1 MAC address can be learnt at one time on a switch, If no MAC address is configured statically, a switch port learns the mac address dynamically.
  • Command to show size of CAM table – #show mac address-table count
  • If the frame contains a Layer 3 packet to be forwarded, the destination MAC address is that of a Layer 3 port on the switch. The Layer 2 forwarding table is used to decide that the frame should be processed at layer 3
  • Command used to set MAC address ageing time – Switch (config) #mac address-table ageing-time seconds.

DHCP Snooping and Dynamic ARP inpection

  • DHCP snooping – feature used to protect a layer 2 port from spoofed IP addresses.
  • DHCP snooping binding database contains untrusted hosts with leased IP addresses
  • Number of bindings dhcp snooping database can store – 8000
  • Dhcp snooping – it rate-limits dhcp traffic from trusted and untrusted sources and filters invalid messages from untrusted sources
  • DHCP acknowledge – type of packet that dhcp snooping will continuously check.
  • If you configure IP sourceguard and port security, dhcp option 82 must be used
  • If a switch is configured globally with DHCP snooping and receives a packet that has DHCP Option 82 set it forwards the packet normally.
  • Command to activate DIA – #IP arp inspection vlan x
  • Dynamic Arp Inspection – Used to prevent arp poisoning and man in the middle attacks. It’s a security feature that inspects arp packets based on valid IP to MAC address bindings
  • The command #IP arp inspection validate IP – is used to validate an IP in IP-MAC bindings database.


  • Delivers messages regarding network events, along with a timestamp that helps you determine when the event occurred.
  • Command #logging trap 5 – sends all messages level 5 and Lower.
  • Where can Netflow export Data – Collector

Syslog levels

  • Emergency
  • Alert
  • Critical
  • Error
  • Warming
  • Notification
  • Informational
  • Debugging

SNMPv1 – get next request, unsolicited agent alarm message

SNMPv2 – increased 64bit counters for new data types, informed request

SNMPv3 – security levels, usernames

Prioritising traffic order

  • Voice
  • Video interactive
  • Video streaming
  • Call signalling
  • IP routing
  • Network management

Leave a Reply

Your email address will not be published. Required fields are marked *