
Cisco Fundamentals -- Street Ops

1. IOS CLI Survival

  • enable gets you to privileged EXEC. configure terminal gets you to global config. If your prompt ends with >, you can only look. If it ends with #, you can do damage.
  • show running-config | section interface is your best friend. Pipe to include, section, begin to filter output.
  • do show lets you run show commands from config mode without backing out.
  • Tab completion works. ? gives context-sensitive help. Use both relentlessly.

The Five Show Commands You Will Actually Use

  1. show interface <name> -- physical/logical state, errors, counters
  2. show vlan brief -- which ports are in which VLAN
  3. show spanning-tree -- STP state per VLAN
  4. show etherchannel summary -- port-channel membership and status
  5. show ip route -- routing table (on L3 switches/routers)

2. Reading "show interface" Output

What to Look At First

GigabitEthernet0/1 is up, line protocol is up (connected)
  ...
  5 minute input rate 850000 bits/sec, 120 packets/sec
  5 minute output rate 920000 bits/sec, 130 packets/sec
  ...
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets

Decision tree:

  1. "is up, line protocol is up" = good. Anything else = problem.
  2. "is up, line protocol is down" = Layer 1 ok, Layer 2 negotiation failed. Check speed/duplex mismatch.
  3. "is administratively down" = someone shut the port. Check if intentional.
  4. Non-zero CRC errors = cable problem, SFP problem, or duplex mismatch. CRC errors that increment = active problem.
  5. "input errors" growing = frames arriving damaged. Look at the physical layer.
  6. "output errors" growing = switch cannot send. Usually congestion or buffer issue.
  7. Runts = frames too small. Usually collision-related (duplex mismatch).
  8. Giants = frames too big. Usually MTU mismatch or jumbo frame misconfiguration.
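Added example (not from the original page): a small Python script that applies the decision tree above to "show interface" output. The two snapshots are constructed sample text, not captures from a real switch. It compares two polls of the same port because a static CRC count is an old event, while one that climbs between polls is an active fault.

```python
import re

# Constructed sample output (not captured from a real device): the same port
# polled twice about a minute apart, so we can see which counters are moving.
SNAPSHOT_BEFORE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 850000 bits/sec, 120 packets/sec
  5 minute output rate 920000 bits/sec, 130 packets/sec
     0 runts, 0 giants, 0 throttles
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

# Same port a minute later: CRC and input errors climbed by 28.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("12 input errors, 12 CRC", "40 input errors, 40 CRC")

SNAPSHOT_SHUT = """\
GigabitEthernet0/2 is administratively down, line protocol is down (disabled)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

STATUS_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\w+)", re.M)

# counter name -> what a rising value means, taken from the decision tree above
COUNTER_HINTS = {
    "CRC": "cable, SFP or duplex mismatch (active problem while it increments)",
    "input errors": "frames arriving damaged, look at the physical layer",
    "output errors": "switch cannot send, usually congestion or buffers",
    "runts": "frames too small, usually a duplex mismatch",
    "giants": "frames too big, MTU or jumbo-frame misconfiguration",
}


def parse_show_interface(text):
    """Pull interface name, link/protocol state and error counters out of one
    'show interface' output. Counters that are absent are treated as 0."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no 'X is up, line protocol is up' line found")
    parsed = {"name": m.group(1), "link": m.group(2), "protocol": m.group(3)}
    for counter in COUNTER_HINTS:
        cm = re.search(r"(\d+) " + re.escape(counter) + r"\b", text)
        parsed[counter] = int(cm.group(1)) if cm else 0
    return parsed


def diagnose(before, after):
    """Apply the decision tree to two parsed snapshots of the same port.
    Comparing two samples is what separates an old, static CRC count from
    one that is climbing right now."""
    findings = []
    link, proto = after["link"], after["protocol"]
    if link == "administratively down":
        findings.append("administratively down: someone shut the port, check whether intentional")
    elif link == "up" and proto == "down":
        findings.append("up/down: Layer 1 ok, Layer 2 negotiation failed, check speed/duplex")
    elif (link, proto) != ("up", "up"):
        findings.append(f"link is {link}, protocol is {proto}: check cable and SFP")
    for counter, hint in COUNTER_HINTS.items():
        delta = after[counter] - before[counter]
        if delta > 0:
            findings.append(f"{counter} incrementing (+{delta}): {hint}")
        elif after[counter] > 0:
            findings.append(f"{counter} non-zero but static ({after[counter]}): old event, not active")
    return findings


if __name__ == "__main__":
    before = parse_show_interface(SNAPSHOT_BEFORE)
    after = parse_show_interface(SNAPSHOT_AFTER)
    for line in diagnose(before, after):
        print(after["name"], "-", line)
    shut = parse_show_interface(SNAPSHOT_SHUT)
    for line in diagnose(shut, shut):
        print(shut["name"], "-", line)
```

Feed it two real captures taken a minute apart and a port with a rising CRC count is reported as active, while one whose count has not moved is reported as historical; a port someone shut is called out before any counter is looked at.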

Speed/Duplex Pitfalls

  • Auto-negotiation failure is the #1 cause of "link is up but performance is terrible."
  • If one side is hardcoded and the other is auto, the auto side cannot negotiate and falls back to half-duplex. This causes late collisions and CRC errors.
  • Rule: Both sides auto, or both sides hardcoded to the same values. Never mix.

3. VLANs and Trunking

VLAN Mental Model

A VLAN is a broadcast domain. Ports in VLAN 10 cannot talk to ports in VLAN 20 without a router (or L3 switch doing inter-VLAN routing).

Access vs Trunk

  • Access port: belongs to exactly one VLAN. Server NICs connect to access ports.
  • Trunk port: carries multiple VLANs, tagged with 802.1Q headers. Switch-to-switch and switch-to-hypervisor links are trunks.

Common Misconfigs That Bite You

  1. Server in wrong VLAN. Symptom: server gets DHCP from wrong subnet or no DHCP at all. Check show vlan brief to verify port membership.
  2. Trunk not allowing needed VLAN. show interface trunk shows allowed VLANs. If your VLAN is not in the allowed list, traffic is silently dropped.
  3. Native VLAN mismatch. If two sides of a trunk disagree on native VLAN, STP will flag it and you get unpredictable behavior. show interface trunk shows native VLAN per trunk.
  4. VLAN not created on switch. Just because a trunk allows VLAN 42 does not mean VLAN 42 exists. show vlan brief -- if it is not listed, it does not exist on that switch.

Trunking Debug Workflow

show interface <port> switchport     # Is it trunk or access?
show interface trunk                  # What VLANs are allowed/active?
show vlan brief                       # Does the VLAN exist?
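Added example (not from the original page): the three-command trunking workflow above, scripted in Python against constructed "show interface trunk" and "show vlan brief" output. The UPLINKS map (which local trunk port connects to which peer port) is an assumption standing in for what CDP/LLDP would tell you; the device outputs are sample text, not real captures. The checker covers all four misconfigs listed above: wrong VLAN on the server port, VLAN not allowed on the trunk, native VLAN mismatch between the two ends, and VLAN not created on the switch.

```python
# Constructed outputs (not from a real device). LOCAL_* is the access switch the
# server hangs off; PEER_TRUNK is the far end of its uplink.
LOCAL_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-10,20,42

Port        Vlans allowed and active in management domain
Gi0/1       1-10,20
"""

PEER_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/24      1-10,20,42
"""

LOCAL_VLANS = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi0/4
10   SERVERS                          active    Gi0/5, Gi0/6
20   STORAGE                          active
"""

# local trunk port -> peer port; assumed here, normally taken from CDP/LLDP
UPLINKS = {"Gi0/1": "Gi0/24"}


def expand_vlan_list(spec):
    """'1-10,20,42' -> {1..10, 20, 42}; 'none' -> empty set."""
    vlans = set()
    if spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _rows(block):
    """Drop the column-header line of one output block, split the rest."""
    return [ln.split() for ln in block.strip().splitlines()[1:]]


def parse_show_interface_trunk(text):
    """Return {port: {status, native, allowed}} from 'show interface trunk'.
    The first blank-line-separated block carries status and native VLAN,
    the second the allowed VLAN list."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    trunks = {}
    for port, _mode, _encap, status, native in _rows(blocks[0]):
        trunks[port] = {"status": status, "native": int(native), "allowed": set()}
    for port, vlans in _rows(blocks[1]):
        trunks[port]["allowed"] = expand_vlan_list(vlans)
    return trunks


def parse_show_vlan_brief(text):
    """Return {vlan_id: {name, status, ports}} from 'show vlan brief',
    including wrapped continuation lines that list more ports."""
    vlans, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("-"):
            continue
        if fields[0].isdigit():
            current = int(fields[0])
            vlans[current] = {"name": fields[1], "status": fields[2], "ports": set()}
            fields = fields[3:]
        elif current is None or not line[0].isspace():
            continue  # column header line
        vlans[current]["ports"].update(p.rstrip(",") for p in fields)
    return vlans


def check_vlan_path(server_port, vlan, vlans, local_trunks, peer_trunks, uplinks):
    """Run the workflow for one server port and VLAN; return a list of
    problems found on this switch (empty list = nothing wrong here)."""
    problems = []
    if vlan not in vlans:
        problems.append(f"VLAN {vlan} is not created on this switch")
    if server_port not in vlans.get(vlan, {}).get("ports", set()):
        problems.append(f"{server_port} is not an access port in VLAN {vlan}")
    for port, trunk in local_trunks.items():
        if vlan not in trunk["allowed"]:
            problems.append(f"trunk {port} does not allow VLAN {vlan}")
        peer_port = uplinks.get(port)
        peer = peer_trunks.get(peer_port)
        if peer and peer["native"] != trunk["native"]:
            problems.append(f"native VLAN mismatch on {port}<->{peer_port}: "
                            f"local {trunk['native']}, peer {peer['native']}")
    return problems


if __name__ == "__main__":
    vlans = parse_show_vlan_brief(LOCAL_VLANS)
    local, peer = parse_show_interface_trunk(LOCAL_TRUNK), parse_show_interface_trunk(PEER_TRUNK)
    for vlan in (10, 42):
        print(f"Gi0/5 in VLAN {vlan}:", check_vlan_path("Gi0/5", vlan, vlans, local, peer, UPLINKS))
```

With the sample data, VLAN 10 passes every local check except the native VLAN mismatch on the uplink, and VLAN 42 is allowed on the trunk but was never created, which is exactly the fourth misconfig above.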

4. Spanning Tree Protocol (STP)

Why You Care

STP prevents Layer 2 loops. When STP misbehaves, you get broadcast storms that take down entire VLANs. As a DevOps engineer, you care because STP reconvergence means your server loses connectivity for 30-50 seconds (classic STP) or 1-3 seconds (RSTP).

Port States

  • Disabled: Admin shut.
  • Blocking: Port is up but not forwarding. STP decided this port would create a loop.
  • Listening: Transitional. Receiving BPDUs.
  • Learning: Learning MAC addresses but not yet forwarding.
  • Forwarding: Passing traffic. This is the only state where your server works.

Key Concepts

  • Root bridge: One per VLAN. Elected by lowest bridge priority (then lowest MAC as tiebreaker). All traffic paths are calculated relative to the root.
  • Root port: The port on a non-root switch that is closest to the root bridge.
  • Designated port: The port on a segment that is closest to the root bridge.
  • Blocked port: Every other port. No traffic.

STP Failure Modes That Cause Outages

  1. Unexpected root bridge election. Someone plugs in a switch with lower priority. Traffic paths change globally. Symptom: widespread packet loss during reconvergence.
  2. Unidirectional link. Fiber with one strand broken. Switch A sends BPDUs, Switch B never receives them. Switch B thinks it is the root. Loop forms. Fix: enable UDLD.
  3. PortFast missing on server ports. Without PortFast, a server port goes through Listening->Learning->Forwarding (30 sec on classic STP). Server times out on DHCP or PXE boot.
  4. BPDU guard triggered. PortFast port receives a BPDU (someone plugged in a switch). Port goes err-disabled. Symptom: server NIC shows link down.

Reading show spanning-tree

VLAN0010
  Root ID    Priority    4106
             Address     0050.0f00.0001
  ...
Interface        Role Sts   Cost      Prio.Nbr Type
---------------- ---- ---   --------- -------- ----
Gi0/1            Root FWD   4         128.1    P2p
Gi0/2            Desg FWD   4         128.2    P2p
Gi0/3            Altn BLK   4         128.3    P2p

  • Role: Root, Desg (Designated), Altn (Alternate/Blocking)
  • Sts: FWD (Forwarding), BLK (Blocking), LIS (Listening), LRN (Learning)
  • If your server port shows BLK, that is the problem.
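Added example (not from the original page): Python that parses a "show spanning-tree" block like the one above, flags server ports that are blocked, still converging, or missing PortFast, and works the root bridge election from the Key Concepts section (lowest priority wins, lowest MAC breaks ties). The output text and the bridge list are constructed; the "Edge" marker in the Type column is what IOS prints for a PortFast port.

```python
import re

# Constructed 'show spanning-tree' output for one VLAN (not from a real device).
SHOW_STP = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0050.0f00.0001
             Cost        4
             Port        1 (GigabitEthernet0/1)

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0050.0f00.00aa

Interface        Role Sts   Cost      Prio.Nbr Type
---------------- ---- ---   --------- -------- ----
Gi0/1            Root FWD   4         128.1    P2p
Gi0/2            Desg FWD   4         128.2    P2p
Gi0/3            Altn BLK   4         128.3    P2p
Gi0/5            Desg FWD   4         128.5    P2p Edge
Gi0/6            Desg LRN   4         128.6    P2p
"""

PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back|Disb)\s+(FWD|BLK|LIS|LRN|DIS)\s+(\d+)\s+(\S+)\s+(.+)$")


def parse_show_spanning_tree(text):
    """Return vlan id, root and bridge IDs, and per-port role/state/type."""
    vlan = int(re.search(r"^VLAN(\d+)", text, re.M).group(1))
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", text)
    bridge = re.search(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", text, re.S)
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, role, state, cost, prio_nbr, ptype = m.groups()
            ports[port] = {"role": role, "state": state, "cost": int(cost),
                           "prio_nbr": prio_nbr, "type": ptype.strip()}
    return {
        "vlan": vlan,
        "root": {"priority": int(root.group(1)), "address": root.group(2)},
        "bridge": {"priority": int(bridge.group(1)), "address": bridge.group(2)},
        "ports": ports,
    }


def is_root_bridge(parsed):
    """True when this switch's own bridge address is the root address."""
    return parsed["root"]["address"] == parsed["bridge"]["address"]


def server_port_problems(parsed, server_ports):
    """For each server-facing port, list what would stop the server working:
    BLK, a transitional state, or a missing PortFast (no 'Edge' in Type)."""
    problems = {}
    for port in server_ports:
        notes, info = [], parsed["ports"].get(port)
        if info is None:
            notes.append("not in spanning-tree output for this VLAN (wrong VLAN or port down)")
        else:
            if info["state"] == "BLK":
                notes.append("BLK: STP is blocking this port, investigate why (loop?)")
            elif info["state"] in ("LIS", "LRN"):
                notes.append(f"{info['state']}: still converging, no connectivity yet")
            if "Edge" not in info["type"]:
                notes.append("no PortFast (Type lacks 'Edge'): DHCP/PXE may time out on link-up")
        problems[port] = notes
    return problems


def bridge_id(priority, mac):
    """STP compares priority first, then the MAC as a number."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """bridges: iterable of (name, priority, mac). Returns the winner's name."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


# Constructed bridge list; 'rogue' shows failure mode 1 above: a switch that
# arrives with an equal priority and a lower MAC steals the root role.
BRIDGES = [("core1", 4106, "0050.0f00.0001"), ("core2", 8202, "0050.0f00.0002"),
           ("access1", 32778, "0050.0f00.00aa")]

if __name__ == "__main__":
    stp = parse_show_spanning_tree(SHOW_STP)
    print("VLAN", stp["vlan"], "root here:", is_root_bridge(stp))
    for port, notes in server_port_problems(stp, ["Gi0/3", "Gi0/5", "Gi0/6"]).items():
        print(port, notes or "ok")
    print("root:", elect_root(BRIDGES), "-> after rogue:",
          elect_root(BRIDGES + [("rogue", 4106, "0050.0f00.0000")]))
```

Gi0/5 comes back clean (forwarding, Edge), Gi0/3 is the blocked-server-port case, and Gi0/6 shows both a transitional state and no PortFast, which is the combination behind the DHCP/PXE timeouts described above.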

5. Port Channels (LACP/EtherChannel)

What They Are

Multiple physical links bundled into one logical link for bandwidth and redundancy. LACP (Link Aggregation Control Protocol) negotiates the bundle dynamically.

LACP Modes

  • active: Actively sends LACP PDUs. Will form channel with active or passive peer.
  • passive: Only responds to LACP PDUs. Two passive sides will never form a channel.
  • on: Forces channel without LACP negotiation. Both sides must be "on." Dangerous because there is no health checking.

What LACP Negotiation Looks Like

show etherchannel summary:

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------
1      Po1(SU)       LACP        Gi0/1(P)    Gi0/2(P)

  • Flags: S=Layer2, U=in Use, P=bundled in port-channel, I=stand-alone, D=down, s=suspended
  • (P) = port is bundled and working
  • (I) = port is stand-alone, NOT bundled. This is your problem indicator.
  • (s) = suspended. Usually a config mismatch.
  • (D) = down. Physical layer issue.

Common Port-Channel Failures

  1. One side LACP active, other side "on." Channel never forms. Ports go stand-alone.
  2. Speed/duplex mismatch between member ports. Some ports bundle, others get suspended.
  3. VLAN mismatch between member ports. All members must have identical VLAN config. One different port = suspended.
  4. STP topology change on port-channel. If one member port flaps, it can trigger STP reconvergence on the whole channel depending on configuration.
  5. Server-side bond misconfiguration. Switch is LACP, server bond is balance-rr (round-robin) without LACP. Traffic hashes unpredictably. Packets arrive out of order.

Server-Side Correlation

  • Linux bonding mode 4 (802.3ad) = LACP. This is what matches switch-side LACP.
  • Linux bonding mode 1 (active-backup) does NOT need a port-channel on the switch. Using a port-channel with mode 1 is a misconfiguration.
  • If cat /proc/net/bonding/bond0 shows "MII Status: down" for a member, check the switch port status.
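Added example (not from the original page): Python that decodes the "show etherchannel summary" flags explained above and correlates them with the server's /proc/net/bonding/bond0, covering the failure list above (stand-alone and suspended members, a bond mode that does not match the switch, and a member whose MII Status is down). Both device outputs are constructed sample text, and the slave-to-switch-port map is an assumption you would normally fill from LLDP or cabling records.

```python
import re

# Constructed 'show etherchannel summary' (not from a real device).
SHOW_ETHERCHANNEL = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)    Gi0/2(P)
2      Po2(SD)         LACP      Gi0/3(I)    Gi0/4(s)
"""

# Constructed /proc/net/bonding/bond0 for a mode 4 bond with one dead member.
BOND_LACP = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
"""

# Constructed mode 1 bond: should not be facing a port-channel at all.
BOND_ACTIVE_BACKUP = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: up
"""

FLAG_MEANING = {
    "P": "bundled in port-channel (good)",
    "I": "stand-alone, NOT bundled: LACP did not negotiate, compare both sides' mode and member configs",
    "s": "suspended: usually a config mismatch (VLAN, speed/duplex) against the other members",
    "D": "down: physical layer issue",
    "H": "hot-standby: more members than the bundle allows",
}

ROW_RE = re.compile(r"^(\d+)\s+(\S+?)\((\w+)\)\s+(\S+)\s+(.*)$", re.M)


def parse_etherchannel_summary(text):
    """Return {group: {name, flags, protocol, ports: {port: flag}}}."""
    groups = {}
    for gid, po, flags, proto, rest in ROW_RE.findall(text):
        ports = dict(re.findall(r"(\S+)\(([A-Za-z]+)\)", rest))
        groups[int(gid)] = {"name": po, "flags": flags, "protocol": proto, "ports": ports}
    return groups


def port_channel_problems(group):
    """Switch-side view: channel not in use, or any member not (P)."""
    problems = []
    if "U" not in group["flags"]:
        problems.append(f"{group['name']} is not in use (flags {group['flags']})")
    for port, flag in group["ports"].items():
        if flag != "P":
            problems.append(f"{port} is ({flag}): {FLAG_MEANING.get(flag, 'unknown flag')}")
    return problems


def parse_proc_bonding(text):
    """Return bond mode, whether it is 802.3ad, and per-slave MII status."""
    head, *slave_blocks = text.split("Slave Interface:")
    mode = re.search(r"^Bonding Mode: (.+)$", head, re.M).group(1)
    bond = {"mode": mode, "lacp": "802.3ad" in mode, "slaves": {}}
    for block in slave_blocks:
        name = block.strip().splitlines()[0].strip()
        bond["slaves"][name] = re.search(r"^MII Status: (\w+)$", block, re.M).group(1)
    return bond


def correlate(group, bond, slave_to_port):
    """Combine switch and server views. slave_to_port maps NIC -> switch port
    (assumed here; normally from LLDP or cabling records)."""
    problems = port_channel_problems(group)
    if group["protocol"] == "LACP" and not bond["lacp"]:
        problems.append(f"server bond mode is '{bond['mode']}' but {group['name']} runs LACP: "
                        "use mode 4 (802.3ad), or drop the port-channel for mode 1 (active-backup)")
    for slave, mii in bond["slaves"].items():
        if mii != "up":
            problems.append(f"{slave} MII Status: {mii} -> check switch port {slave_to_port.get(slave, '?')}")
    return problems


if __name__ == "__main__":
    groups = parse_etherchannel_summary(SHOW_ETHERCHANNEL)
    nic_map = {"eth0": "Gi0/3", "eth1": "Gi0/4"}
    for line in correlate(groups[2], parse_proc_bonding(BOND_LACP), nic_map):
        print("Po2:", line)
    for line in correlate(groups[1], parse_proc_bonding(BOND_ACTIVE_BACKUP), {"eth0": "Gi0/1", "eth1": "Gi0/2"}):
        print("Po1:", line)
```

Po1 with the 802.3ad bond would be clean; paired with the active-backup bond it reports only the mode mismatch. Po2 reports the stand-alone and suspended members from the switch side plus the dead eth1 from the server side, pointing at Gi0/4 as the port to look at next.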

6. ACLs (Access Control Lists)

The Mental Model

ACLs are ordered rule lists. Packets are matched top-to-bottom. First match wins. Implicit deny at the end.

Standard vs Extended

  • Standard ACL (1-99): Matches source IP only. Applied close to destination.
  • Extended ACL (100-199): Matches source IP, destination IP, protocol, ports. Applied close to source.
  • Named ACLs: Same as numbered but readable. Always prefer named.

Reading an ACL

ip access-list extended SERVER-ACCESS
 10 permit tcp 10.1.0.0 0.0.255.255 host 10.2.1.5 eq 443
 20 permit tcp 10.1.0.0 0.0.255.255 host 10.2.1.5 eq 22
 30 deny   ip any any log

  • Wildcard masks are inverted subnet masks. 0.0.255.255 = match first two octets, ignore last two = /16.
  • host 10.2.1.5 = exactly that IP (wildcard 0.0.0.0).
  • eq 443 = destination port 443.
  • Line 30 denies everything else and logs it.

ACL Pitfalls

  1. Forgetting the implicit deny. If your permit rules do not cover the traffic, it is dropped silently (unless you add an explicit deny with log).
  2. Applied in wrong direction. ip access-group SERVER-ACCESS in on an interface means "filter packets ENTERING this interface." In vs out confusion causes rules to have no effect.
  3. ACL exists but is not applied. The ACL is in running-config but never referenced by an ip access-group statement. It does nothing.
  4. Order matters. A broad permit before a specific deny means the deny never fires.
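Added example (not from the original page) covering both "Reading an ACL" and the pitfalls list: a Python evaluator that parses the SERVER-ACCESS list shown above, converts wildcard masks to prefixes, walks the entries top-to-bottom with first-match-wins and an implicit deny, and reports entries that can never fire because an earlier entry already covers them (pitfall 4). The second ACL, MISORDERED, is a constructed example of that pitfall; the parser handles only the any / host / address-wildcard forms and eq ports used on this page.

```python
import ipaddress

# The ACL from the text above, plus a constructed misordered one (pitfall 4).
SERVER_ACCESS = """\
ip access-list extended SERVER-ACCESS
 10 permit tcp 10.1.0.0 0.0.255.255 host 10.2.1.5 eq 443
 20 permit tcp 10.1.0.0 0.0.255.255 host 10.2.1.5 eq 22
 30 deny   ip any any log
"""

MISORDERED = """\
ip access-list extended MISORDERED
 10 permit ip 10.1.0.0 0.0.255.255 any
 20 deny   tcp host 10.1.9.9 any eq 22
 30 deny   ip any any log
"""


def wildcard_to_network(addr, wildcard):
    """Wildcard masks are inverted subnet masks: 0.0.255.255 -> /16.
    Non-contiguous wildcards (e.g. 0.0.0.254) are not prefixes and raise ValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Return (name, [ace dicts]) for a named extended ACL in running-config form."""
    lines = text.strip().splitlines()
    name, aces = lines[0].split()[-1], []
    for line in lines[1:]:
        t = line.split()
        seq = int(t.pop(0)) if t[0].isdigit() else None
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append({"seq": seq, "action": action, "proto": proto, "src": src,
                     "sport": sport, "dst": dst, "dport": dport, "log": "log" in t[i:]})
    return name, aces


def evaluate(aces, proto, src, sport, dst, dport):
    """Top-to-bottom, first match wins. Returns (action, seq, logged).
    Falling off the end is the implicit deny: no log, no hit counter."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["seq"], ace["log"]
    return "deny", None, False


def shadowed(aces):
    """Sequence numbers of entries that can never fire because an earlier
    entry already matches everything they would (pitfall 4, order matters)."""
    out = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["sport"] in (None, later["sport"])
                    and earlier["dport"] in (None, later["dport"])):
                out.append(later["seq"])
                break
    return out


if __name__ == "__main__":
    name, aces = parse_acl(SERVER_ACCESS)
    print(name, evaluate(aces, "tcp", "10.1.4.4", 51000, "10.2.1.5", 443))
    print(name, evaluate(aces, "tcp", "10.1.4.4", 51000, "10.2.1.5", 80))
    print(name, "without line 30:", evaluate(aces[:2], "tcp", "10.1.4.4", 51000, "10.2.1.5", 80))
    mname, mis = parse_acl(MISORDERED)
    print(mname, "shadowed entries:", shadowed(mis))
```

Dropping line 30 from SERVER-ACCESS shows pitfall 1: port 80 is still denied, but by the implicit deny, so nothing is logged and no counter moves. In MISORDERED the deny for 10.1.9.9 is reported as shadowed by the broad permit at line 10, and evaluating SSH from that host confirms it is permitted.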

Debug from Server Side

If you suspect an ACL is blocking traffic:

  1. Ask the network team to check show access-lists for hit counters on deny lines.
  2. Check if there is a log keyword on deny entries -- those show up in the switch log.
  3. Traceroute stops at the hop where the ACL is applied.
  4. Traffic works in one direction but not the other = ACL applied on one interface/direction.

7. Basic Routing: OSPF and BGP Concepts

OSPF (Open Shortest Path First)

  • Link-state protocol. Every router knows the full topology of its area.
  • Uses cost (based on bandwidth) to choose best path.
  • Converges fast (sub-second with tuning).
  • Typical use: internal datacenter routing, campus routing.
  • DevOps relevance: if a server's default gateway is an OSPF router and OSPF adjacency drops, the route disappears and the server loses connectivity to remote subnets.

BGP (Border Gateway Protocol)

  • Path-vector protocol. Used between autonomous systems (internet routing) and within large datacenter fabrics (iBGP, EVPN).
  • Policy-driven. Chooses paths based on attributes (AS path, local preference, MED, etc.).
  • Converges slower than OSPF by default but is more controllable.
  • DevOps relevance: BGP peer down = your public IPs stop being announced = external traffic disappears. Or in datacenter fabrics, BGP session flap = leaf-spine path changes.

What to Know for Bridge Calls

  • "OSPF adjacency is down" = two routers stopped talking. Check: interface down? MTU mismatch? Authentication mismatch? Area mismatch?
  • "BGP session reset" = TCP session between peers dropped. Check: interface flap? Hold timer expired? Prefix limit exceeded? Someone cleared the session manually?
  • show ip ospf neighbor / show ip bgp summary -- the key commands the network team will reference.
  • OSPF neighbor states: FULL = good. Anything else = problem.
  • BGP states: Established = good. Active = trying to connect but failing. Idle = not trying.

8. Decision Trees

"Server Cannot Reach Gateway"

1. Is the switch port up? (show interface)
   No -> Check cable, SFP, shut/no shut
   Yes -> 2
2. Is the port in the correct VLAN? (show vlan brief)
   No -> Move port to correct VLAN
   Yes -> 3
3. Is STP blocking the port? (show spanning-tree interface)
   Blocking -> Investigate why; check for loops
   Forwarding -> 4
4. Is there an ACL blocking traffic? (show access-lists)
   Denies hitting -> Fix ACL
   No denies -> 5
5. Is the gateway IP reachable from the switch? (ping from switch)
   No -> Routing problem upstream
   Yes -> 6
6. Is ARP resolving? (show ip arp | include <server IP>)
   No entry -> Server is not ARPing. Check server NIC config.
   Entry exists -> 7
7. Check for duplex mismatch, rate errors in show interface.

"Server Bond Flapping"

1. Check show etherchannel summary on switch.
   Members (I) or (s)? -> Config mismatch. Compare all member port configs.
   Members (P) but flapping? -> 2
2. Check show interface on each member.
   CRC/input errors? -> Cable/SFP issue on that member.
   No errors? -> 3
3. Check LACP timers (show lacp internal).
   Mismatched timers? -> Align short/long timer between switch and server.
   Matched? -> 4
4. Check server-side bonding config.
   Mode mismatch? -> Fix server bond mode to 802.3ad.
   Correct? -> Check for upstream STP issues.

9. Terminology Quick Reference

Term            Meaning
--------------  ----------------------------------------------------------------------------
SVI             Switch Virtual Interface -- L3 interface for a VLAN
err-disabled    Port shut down by the switch due to a violation (BPDU guard, port security, etc.)
CDP/LLDP        Discovery protocols -- tell you what is connected to what
VTP             VLAN Trunking Protocol -- auto-propagates VLAN databases. Dangerous in the wrong mode.
Native VLAN     The VLAN that carries untagged traffic on a trunk
Wildcard mask   Inverted subnet mask used in ACLs and OSPF
BPDUs           Bridge Protocol Data Units -- STP control frames
UDLD            Unidirectional Link Detection -- prevents loops from one-way fiber failures