====== Cisco Best Practice ======
or **What we really use!**
* vlans (802.1Q)
* stp
* snmp -> mrtg
* security - dhcp helper
* more static arp
===== STP - What does it solve? =====
//Something's missing, something's redundant?//
* missing - broken cable, lost connection, broken switch
* redundant - badly placed cable, creates a loop in the network
STP can fix all of the above.
{{ :linux:skoleni:stp-broadcast-storm.png |}}
Layer 2 redundancy problems
* broadcast storm
* multiple frame copies - which is basically the same thing
* ARP table instabilities (Cisco: CAM table)
Magic question - what is //32768//?
STP timers (seconds)
* 20 - max age: how long a switch waits without receiving a BPDU before it assumes the topology has changed
* 15 - listening state: blocked ports are unblocked and listen for new BPDUs after a topology change
* 15 - learning state: accepts all ethernet frames and learns MAC addresses, but doesn't forward yet
First we obviously need to know how to disable STP on a port facing an end-host device (a designated forwarding port).
conf t
int fa 0/5
spanning-tree portfast
end
==== Creating a broadcast storm ====
First we create a loop, then we disable STP, and finally a single ping will send an ARP broadcast. Let's suppose the loop goes from port fa0/5 somewhere. Clear the counters and check the state of the interface
show interface fa0/5
clear counters
show interface fa0/5
conf t
no spanning-tree vlan 1
end
And check vlans by
show vlan brief
Assign an arbitrary IP address to the layer 3 interface vlan 1 and ping
conf t
int vlan 1
ip address 1.0.0.1 255.0.0.0
no shut
end
Check it by
show ip int brief | ex una
and ping, just once
ping 1.0.0.2 repeat 1
Check the interface with the loop on vlan 1
show interface fa0/5
===== STP =====
{{ :linux:skoleni:stp-cost.png |}}
===== PVST+ - VLAN time =====
{{ :linux:skoleni:stp-pvst.png |}}
We make switch **A** root for VLAN 10
spanning-tree mode pvst
spanning-tree vlan 10 priority 16384
And switch **B** root for VLAN 20
spanning-tree mode pvst
spanning-tree vlan 20 priority 16384
See what happens:
{{ :linux:skoleni:stp-pvst-solved.png |}}
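An added example, not part of the original training page: a small Python model of the PVST+ root election, which answers the //32768// question above and shows why priority 16384 makes switch **A** root for VLAN 10 and **B** root for VLAN 20. Switch names and MAC addresses are constructed; the third VLAN is left at defaults so the MAC tie-break decides.

```python
# Added example (not from the original page): PVST+ root bridge election.
# Each switch advertises a Bridge ID per VLAN: a 2-byte priority field
# (configured priority, a multiple of 4096, plus the VLAN number as the
# 12-bit extended system ID) followed by its 6-byte base MAC address.
# The lowest Bridge ID wins; the default priority is 32768.
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768  # the "magic" default bridge priority


@dataclass
class Switch:
    name: str
    mac: str                                       # base MAC, e.g. "0011.2233.4455" (constructed)
    priority: dict = field(default_factory=dict)   # vlan -> configured priority

    def bridge_id(self, vlan: int) -> tuple[int, int]:
        """Return (priority field, MAC as integer) for one VLAN.
        Lower tuples win, exactly like the BPDU comparison."""
        if not 1 <= vlan <= 4094:
            raise ValueError(f"vlan {vlan} out of range")
        prio = self.priority.get(vlan, DEFAULT_PRIORITY)
        if prio % 4096 or not 0 <= prio <= 61440:
            raise ValueError(f"{self.name}: priority {prio} must be a multiple of 4096")
        mac_int = int(self.mac.replace(".", ""), 16)
        return (prio + vlan, mac_int)


def elect_root(switches: list, vlan: int) -> Switch:
    """Root for one VLAN: lowest (priority field, MAC) wins."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def elect_all(switches: list, vlans) -> dict:
    """Map each VLAN to the name of its elected root switch."""
    return {v: elect_root(switches, v).name for v in vlans}


# Constructed lab: A is made root for VLAN 10 and B for VLAN 20, as on
# the page; VLAN 30 stays at defaults, so the lowest MAC (B) wins it.
LAB = [
    Switch("A", "0011.2233.4455", {10: 16384}),
    Switch("B", "0011.2233.4400", {20: 16384}),
    Switch("C", "0011.2233.4499"),
]

if __name__ == "__main__":
    for vlan, root in elect_all(LAB, (10, 20, 30)).items():
        print(f"vlan {vlan}: root is {root}")
```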
===== RSTP - Is STP slow? =====
Yes, it is. The newer Rapid STP has no ''blocking'' port role; it uses the ''alternate'' port role instead. The theory is on the table, but in practice you don't have to know anything. Just type
spanning-tree mode rapid-pvst
===== Can I see STP? =====
show spanning-tree vlan 98
===== Little security =====
Let's suppose you're running an office network with STP. What if someone sent bad ''BPDU'' frames to your switches? He could re-route all the traffic through his black-hat-notebook
{{ :linux:skoleni:black-hat-notebook.jpeg|}}
You can filter or guard incoming ''BPDU'' frames
* filter - ignores and discards the frame
* guard - the port is put in the error-disabled state
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpduguard enable
There is no such thing as //more or less// static ARP, but the ARP cache timeout interval can be made longer.