In my previous article, I discussed the concepts of the CCNP Route exam. Here we will look at the next exam. Based upon my own experience, this is one of the most difficult Cisco exams. There are so many concepts to learn, so many things to understand, and unlike the CCNP Route exam, it has more theory than configuration. The exam code for the CCNP SWITCH Exam is 642-813.

One hard part about switching topics, as opposed to routing topics, is that there is no cheap way to get hands-on experience. With the routing exam, it is possible to use an emulation product such as dynamips/dynagen/GNS3 and get a good amount of hands-on work. With switching, however, this is much harder to replicate without buying switch gear or having a job where hands-on practice is possible. At the professional level, most candidates take it as a given that some equipment investment will be needed to cover all of the areas that will be tested. Emulating a switch in GNS3 is possible, but it is difficult and requires a level of expertise.

Listed below are the topics covered in the CCNP Switch Curriculum:

Implement VLAN-based solution, given a network design and a set of requirements:

  • * Determine network resources needed for implementing a VLAN-based solution on a network
  • * Create a VLAN-based implementation plan
  • * Create a VLAN-based verification plan
  • * Configure switch-to-switch connectivity for the VLAN-based solution
  • * Configure loop prevention for the VLAN-based solution
  • * Configure Access Ports for the VLAN-based solution
  • * Verify the VLAN-based solution was implemented properly using show and debug commands
  • * Document results of VLAN implementation and verification

Implement a Security Extension of a Layer 2 solution, given a network design and a set of requirements:

  • * Determine network resources needed for implementing a Security solution
  • * Create an implementation plan for the Security solution
  • * Create a verification plan for the Security solution
  • * Configure port security features
  • * Configure general switch security features
  • * Configure private VLANs
  • * Configure VACL and PACL
  • * Verify that the Security-based solution was implemented properly using show and debug commands
  • * Document results of Security implementation and verification

Implement Switch-based Layer 3 services, given a network design and a set of requirements:

  • * Determine network resources needed for implementing a Switch-based Layer 3 solution
  • * Create an implementation plan for the Switch-based Layer 3 solution
  • * Create a verification plan for the Switch-based Layer 3 solution
  • * Configure routing interfaces
  • * Configure Layer 3 Security
  • * Verify that the Switch-based Layer 3 solution was implemented properly using show and debug commands
  • * Document results of Switch-based Layer 3 implementation and verification

Prepare infrastructure to support advanced services:

  • * Implement a wireless extension of a Layer 2 solution
  • * Implement a VoIP support solution
  • * Implement video support solution

Implement high availability, given a network design and a set of requirements:

  • * Determine network resources needed for implementing high availability on a network
  • * Create a high availability implementation plan
  • * Create a high availability verification plan
  • * Implement first hop redundancy protocols
  • * Implement switch supervisor redundancy
  • * Verify that high availability solution was implemented properly using show and debug commands
  • * Document results of high availability implementation and verification

Of all the topics, a few stand out as particularly challenging and difficult to understand. I will look at each of them in turn:

Port Security:

Security is a big part of any modern switched infrastructure. One of the features that can be configured on switches is port security, which gives the network designer the ability to limit which devices, and how many, are allowed on a specific switchport.

For example, a port could be limited to a single device with a specific MAC address. When studying this feature it is best to have a clear idea of what the options are, including the three violation actions (shutdown, restrict and protect), the three ways a secure address can be learned (static, dynamic and sticky), and the defaults: one secure address per port, dynamic learning, and a violation mode of shutdown.

The example below shows how to configure Fast Ethernet port 0/1 as a non-negotiating trunk and enable port security on it (the "Router" prompt is the hostname used in the Cisco Catalyst 6500 documentation; the commands are the same on a switch):

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 0/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport nonegotiate
Router(config-if)# switchport port-security

To verify, use the "show port-security interface fastethernet 0/1" command.

To enable it on an access port, Fast Ethernet port 0/12, use:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface fastethernet 0/12
Router(config-if)# switchport 
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security

When configuring port security violation modes, note the following:

  • * protect — Drops packets with unknown source addresses until you remove enough secure MAC addresses to fall below the maximum. No syslog message, trap or counter increment is generated, so a violation in this mode is silent.
  • * restrict — Drops packets with unknown source addresses in the same way, but also increments the SecurityViolation counter and generates a syslog message and an SNMP trap.
  • * shutdown — The default. Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. The port stays down until it is re-enabled manually with shutdown / no shutdown, or until errdisable recovery is configured for the psecure-violation cause.
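The two snippets above only turn the feature on with its defaults. The following is an added example, not from the original article or the Cisco documentation it draws on, of a full access-port configuration that sets every option discussed in this section (maximum count, violation mode, static and sticky learning, aging) together with automatic recovery and the commands used to verify it. The hostname "Switch", VLAN 10, the interface and the MAC address 0000.1111.2222 are assumptions for illustration.

```cisco
! Added example (not from the original article): harden an access port with
! port security. Hostname "Switch", VLAN 10, the interface and the MAC address
! are assumptions for illustration.
Switch# configure terminal
! Let a port shut down by a violation come back on its own after 5 minutes.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# interface fastethernet 0/12
! Port security requires a static access (or trunk) port; it is refused on a
! port still negotiating with DTP ("dynamic" mode).
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
! Defaults are maximum 1, violation shutdown, dynamic learning. Set them
! explicitly so the intent is visible in the running config.
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
! One static entry for a known device (assumed MAC); the remaining slot is
! learned and made sticky so it survives a reload once "copy run start" runs.
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# switchport port-security mac-address sticky
! Age out dynamically learned secure addresses after 120 minutes of inactivity
! so a replaced PC does not trigger a violation forever.
Switch(config-if)# switchport port-security aging time 120
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
! Verify: check Port Status, Violation Mode, Maximum MAC Addresses, Sticky MAC
! Addresses, Last Source Address:Vlan and Security Violation Count.
Switch# show port-security interface fastethernet 0/12
Switch# show port-security address
! With violation mode shutdown, a violated port shows up here:
Switch# show interfaces status err-disabled
```

With violation restrict, as configured above, the port keeps forwarding traffic from the two secure addresses while frames from any third address are dropped and counted, which is what you want on a user port where a quiet failure (protect) would hide the event and a hard shutdown would generate a help-desk call.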

VLAN Trunking Protocol (VTP)

The VLAN Trunking Protocol (VTP) provides a method of distributing VLAN configuration across a number of connected switches. The switches are connected by trunk links (typically 802.1Q), and over these trunks they synchronize a single VLAN database. For example, if switch A is connected to switch B and VTP has been configured, an engineer on switch A (a VTP server) could create a new VLAN 50, which would then be propagated to switch B, and the same would happen if a VLAN were deleted.

The one caveat that commonly catches new engineers is the way switches determine which one has the most up-to-date VLAN database. This is done via a configuration revision number: the switch with the highest number is considered to have the most recent database. The problem occurs when an engineer pulls a switch from a test environment and inserts it into a live one. Typically the test switch's revision number has been incremented many more times than the live network's. If its VTP domain name (and password, if one is set) matches, the live switches accept its database as newer, and production VLANs can be overwritten or deleted, which takes every access port in a deleted VLAN out of service. This happens even if the inserted switch is a VTP client; a client with a higher revision number still advertises its database. There are three modes of VTP: server, client, and transparent.

  • * Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
  • * Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
  • * Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports.

WARNING: Before inserting a switch into a live network, reset its configuration revision number to 0 by putting it in transparent mode or by changing its VTP domain name, and confirm the reset with "show vtp status". Client mode alone is not protection, because a client with a higher revision number can still overwrite the domain's database. Only the switches that are meant to manage VLANs should run as VTP servers, and the domain should have a VTP password set on every switch.
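The following is an added example, not from the original article, of the pre-insertion procedure the warning describes: inspect the revision number, reset it, then join the production domain in a non-server mode. The hostname "NewSwitch", the domain name CORP and the password are assumptions; use your own domain name and password.

```cisco
! Added example (not from the original article): make a switch safe to connect
! to a production VTP domain. Hostname, domain name and password are assumed.
! Do all of this BEFORE the trunk is cabled.
NewSwitch# show vtp status
! Read "VTP Operating Mode" and "Configuration Revision". If the revision is
! higher than production's and the domain name matches, connecting the switch
! would replace the production VLAN database, in server OR client mode.
NewSwitch# configure terminal
! Either of these resets the configuration revision to 0 (VTP version 1/2):
!   (a) change the mode to transparent, or
!   (b) change the domain name (to anything, then back if needed).
NewSwitch(config)# vtp mode transparent
NewSwitch(config)# vtp domain CORP
NewSwitch(config)# vtp password Str0ngVtpPass
NewSwitch(config)# end
NewSwitch# show vtp status
! "Configuration Revision" must now read 0. If the switch should not learn
! VLANs from the domain at all, stop here and leave it transparent.
! Otherwise move it to client mode, only now that the revision is 0.
NewSwitch# configure terminal
NewSwitch(config)# vtp mode client
NewSwitch(config)# end
NewSwitch# show vtp status
! After the trunk comes up, confirm the revision and VLAN count match the
! production servers rather than the other way round:
NewSwitch# show vlan brief
```

Checking the revision twice, once before and once after the reset, is the point of the exercise; an engineer who only remembers to set client mode has done nothing to the revision number and has left the real risk in place.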

VLANs

The concept of a Virtual LAN is not hard to understand once a person has seen it in action, but it can be a hard concept to visualize before actually putting it into practice.

Essentially, a VLAN provides the ability to have multiple logical LAN segments that are independent of the physical switchports on a device. For example, a single 24-port switch could be configured into 24 separate logical networks that cannot communicate with each other without the assistance of a Layer 3 device (whether a router or a multilayer switch). Typically, VLANs are used to separate the different administrative parts of a network, for example an accounting department and a marketing department; they are also used on service provider networks to separate customer traffic.

Virtual LANs are a very interesting concept. Beyond the exam, it is essential to know them well, as you will be dealing with them daily in your networking career.
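The following is an added example, not from the original article, that goes one step past the 24-port illustration above: two departmental VLANs on an access switch, an 802.1Q trunk carrying them to a multilayer switch, and switched virtual interfaces (SVIs) on that switch so the two VLANs can reach each other only through a Layer 3 hop. Hostnames ASW1 and DSW1, VLAN IDs 10, 20 and 999, the port ranges and the 10.0.x.0/24 addressing are all assumptions.

```cisco
! Added example (not from the original article). Hostnames, VLAN IDs, ports
! and IP addressing are assumptions for illustration.
!
! --- ASW1: access switch ---
ASW1# configure terminal
ASW1(config)# vlan 10
ASW1(config-vlan)# name ACCOUNTING
ASW1(config-vlan)# vlan 20
ASW1(config-vlan)# name MARKETING
ASW1(config-vlan)# vlan 999
ASW1(config-vlan)# name NATIVE_UNUSED
ASW1(config-vlan)# exit
ASW1(config)# interface range fastethernet 0/1 - 12
ASW1(config-if-range)# switchport mode access
ASW1(config-if-range)# switchport access vlan 10
ASW1(config-if-range)# interface range fastethernet 0/13 - 24
ASW1(config-if-range)# switchport mode access
ASW1(config-if-range)# switchport access vlan 20
ASW1(config-if-range)# exit
! Uplink: hard-code the trunk, disable DTP, carry only the VLANs needed, and
! use an unused native VLAN so untagged frames never land in a user VLAN.
ASW1(config)# interface gigabitethernet 0/1
! "encapsulation dot1q" is needed on platforms that also support ISL (e.g.
! 3560); omit it on platforms that only speak 802.1Q (e.g. 2960).
ASW1(config-if)# switchport trunk encapsulation dot1q
ASW1(config-if)# switchport mode trunk
ASW1(config-if)# switchport nonegotiate
ASW1(config-if)# switchport trunk native vlan 999
ASW1(config-if)# switchport trunk allowed vlan 10,20
ASW1(config-if)# end
!
! --- DSW1: multilayer switch, routes between the VLANs ---
DSW1# configure terminal
DSW1(config)# ip routing
DSW1(config)# vlan 10,20,999
DSW1(config-vlan)# exit
DSW1(config)# interface gigabitethernet 0/1
DSW1(config-if)# switchport trunk encapsulation dot1q
DSW1(config-if)# switchport mode trunk
DSW1(config-if)# switchport nonegotiate
DSW1(config-if)# switchport trunk native vlan 999
DSW1(config-if)# switchport trunk allowed vlan 10,20
! One SVI per VLAN is the default gateway for that VLAN's hosts.
DSW1(config-if)# interface vlan 10
DSW1(config-if)# ip address 10.0.10.1 255.255.255.0
DSW1(config-if)# interface vlan 20
DSW1(config-if)# ip address 10.0.20.1 255.255.255.0
DSW1(config-if)# end
!
! Verify: port-to-VLAN mapping, trunk state and allowed/active VLANs, and the
! two connected routes that make inter-VLAN traffic possible.
ASW1# show vlan brief
ASW1# show interfaces trunk
DSW1# show ip route connected
```

Removing the two "interface vlan" stanzas on DSW1 (or omitting "ip routing") is a quick way to see the point of the section: hosts in VLAN 10 and VLAN 20 still share the same wire to DSW1, but without the Layer 3 interfaces they cannot reach each other at all.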

Spanning Tree Protocol (STP)

This is a difficult topic to understand. Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches; the specification is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Layer 2 loops are deadly to a network: frames have no TTL, so a loop produces broadcast storms and constantly flapping MAC address tables. How deeply you study spanning tree depends on how deep you are looking to understand it. A good amount of the STP material covered on most exams can be learned without doing an extensive amount of STP testing on live equipment. This includes a general understanding of what STP does (prevents loops) and how it does it in terms of root switches and forwarding and blocking links.

It is also important to understand the differences between STP and Rapid STP (RSTP, IEEE 802.1w). RSTP was standardized to accelerate switchport state changes when the topology changes. One common complaint about STP is that an interface can take a long time to transition from blocking to forwarding: 30 seconds through the listening and learning states, or up to 50 seconds when the 20-second max age timer has to expire first. With STP, the key is for all the switches in the network to elect a root bridge that becomes the focal point of the topology. All other decisions, such as which port to block and which port to put into forwarding mode, are made from the perspective of this root bridge.

A switched environment, unlike a bridged one, almost always carries multiple VLANs. When you implement a root bridge in a switched network, you usually refer to it as the root switch. With Cisco's default Per-VLAN Spanning Tree (PVST+, or Rapid PVST+ for RSTP), each VLAN runs its own spanning-tree instance and elects its own root because each VLAN is a separate broadcast domain. The roots for the different VLANs can all reside in a single switch or be spread across several switches.
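The following is an added example, not from the original article, showing how the per-VLAN root placement just described is pinned down on purpose rather than left to the default election (priority 32768 plus the lowest MAC address, which usually makes the oldest switch in the building the root). Hostnames DSW1, DSW2 and ASW1, the VLAN IDs and the downlink interface are assumptions.

```cisco
! Added example (not from the original article): deterministic root placement
! per VLAN with Rapid PVST+. Hostnames, VLAN IDs and interfaces are assumed.
! Bridge ID = priority (a multiple of 4096) + extended system ID (the VLAN
! number) + MAC address; the lowest Bridge ID wins the election.
!
! --- DSW1: root for VLANs 10 and 20, backup root for 30 and 40 ---
DSW1# configure terminal
DSW1(config)# spanning-tree mode rapid-pvst
DSW1(config)# spanning-tree vlan 10,20 priority 4096
DSW1(config)# spanning-tree vlan 30,40 priority 8192
! Root guard on the downlink: if a switch below ever sends a superior BPDU,
! the port is put into root-inconsistent (blocking) state instead of the
! whole tree re-converging around a rogue or misconfigured root.
DSW1(config)# interface gigabitethernet 0/1
DSW1(config-if)# spanning-tree guard root
DSW1(config-if)# end
!
! --- DSW2: the mirror image ---
DSW2# configure terminal
DSW2(config)# spanning-tree mode rapid-pvst
DSW2(config)# spanning-tree vlan 30,40 priority 4096
DSW2(config)# spanning-tree vlan 10,20 priority 8192
DSW2(config)# interface gigabitethernet 0/1
DSW2(config-if)# spanning-tree guard root
DSW2(config-if)# end
!
! Macro alternative: "spanning-tree vlan 10,20 root primary" sets the priority
! to 24576 (or 4096 below the current root if that is already lower), and
! "root secondary" sets 28672. Explicit priorities are easier to audit.
!
! Verify: who is root for each VLAN, and each local port's role and state.
DSW1# show spanning-tree root
DSW1# show spanning-tree vlan 10
ASW1# show spanning-tree vlan 10
ASW1# show spanning-tree vlan 30
```

On the access switch the two outputs should differ: for VLAN 10 the uplink toward DSW1 is Root/FWD and the uplink toward DSW2 is Altn/BLK, while for VLAN 30 the roles are reversed. Splitting the roots this way means both uplinks carry traffic, with each one acting as the backup for the other VLAN group.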

In conclusion, the Cisco SWITCH exam is not one to be taken lightly. For those with professional experience on this equipment it should be relatively easy to study for. For those without significant switching experience, take the time and invest the money to purchase used switching equipment (it can be bought cheaply on eBay) and test every feature covered in the certification guides. The knowledge that comes from this kind of study will not only help in passing this specific exam but will also make the candidate a better-rounded engineer and a more valuable asset.

References:

http://www.trainsignal.com/blog/tips-and-tricks-for-passing-the-ccnp-switch-942-813-exam

http://www.trainsignal.com/blog/top-5-hardest-topics-on-the-ccnp-switch-exam-and-how-to-prepare-for-them

http://www.ccnpguide.com/ccnp-switch-642-813-wireless/

https://learningnetwork.cisco.com/docs/DOC-6566

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html

http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml