@ONE Spring Hands-On Institute
Los Medanos College
Introduction to Cisco Network Devices
Mark McGregor, Instructor
April, 2005
Module 2:
Configuring Catalyst
Switches
Basic Layer 2 Switching
and Bridging Functions
The Stone Age of LANs
[Figure: thicknet coax bus with a repeater]
Doesn’t scale. As you add nodes, you increase chance of collisions and
reduce effective bandwidth.
10Base5 802.3 Ethernet: coax bus. Shared media. CSMA/CD.
10 Mbps shared. Actual speeds per host may hover around 1 Mbps or even less.
The Dark Ages of LANs
[Figure: two UTP hub segments, Segment Alpha and Segment Bravo, joined by a bridge]
Scales by “segmenting” network. As you add nodes to each segment, you increase
chance of collisions and reduce effective bandwidth on that segment.
10BaseT 802.3 Ethernet: UTP star. Shared media. CSMA/CD.
Still 10 Mbps shared. Broadcast problem: one broadcast domain.
The Dark Ages of LANs
[Figure: two UTP hub networks, Network Alpha and Network Bravo, joined by an L3 router]
Scales by “subnetting” network. Early L3 routers added significant latency. If hosts
on Alpha need to send tons of data to the server on Bravo…bottleneck.
10BaseT 802.3 Ethernet: UTP star. Shared media. CSMA/CD.
Still 10 Mbps shared. But broadcasts are controlled, at the expense of added latency.
Today: Micro-Segmentation
Scales by “microsegmenting” the network. Each host is on its own segment. No collisions
if operating in full-duplex mode.
10/100/1000BaseT 802.3
Ethernet: UTP star. Not shared.
10/100/1000 dedicated. But broadcasts are
still a problem!
Broadcast Issues
In a flat Layer 2 network, broadcast frames, such as ARP, or
Windows NetBIOS (over IP), are sent everywhere. The
probability of broadcast storms increases as the network and
number of users grows.
L3 Broadcast Filtering
Layer 3 routers are used to create more manageable
broadcast domains. Broadcasts do not pass through routers.
This scenario can create a bottleneck in the network.
VLAN Broadcast Filtering
[Figure: VLANs carried over VLAN trunks to a multilayer switch (L3-capable switch)]
VLANs also can be used to create more manageable
broadcast domains. Traffic from one VLAN cannot cross into
another VLAN unless it is routed at Layer 3.
Today’s LANs
• Hosts are mostly switched, few are shared
(using hubs)
• Fast Layer-3 (L3) routers are used to
provide scalability
– L3 routing often built-in to backplane of switch
• Groups of users are determined by physical
location
– We are seeing a trend away from end-to-end
user grouping (end-to-end VLANs)
Today’s Campus LANs
From Host A's point of view:
[Figure: Host A -> Local Service -> Campus Backbone -> Remote Service -> Enterprise Services]
Switch Operation
How Switches Work
• A switch can create a network that behaves as if it has only two nodes: the sender and the receiver.
• Because these two nodes share the 10 Mbps bandwidth between them, available bandwidth can reach closer to 100%.
How Switches Work
• Switches are high speed multi-port
bridges with one port for each node or
segment of the LAN.
• A switch segments a LAN into
microsegments creating collision free
domains from one larger collision
domain.
Microsegmentation
Switch Latency
• Switches add latency, but they can
overcome this by forwarding frames before
they are completely received.
Two Switching Methods
Cut-through v. Store & Forward
Full-Duplex Ethernet
• Allows the transmission of a packet and the
reception of a different packet at the same time.
• Requires two pairs of wires and a switched
connection between each node.
• Point-to-point connection, nearly collision free.
• No negotiations for bandwidth.
Full-Duplex Ethernet
• Offers 100% bandwidth in both directions
(potential 20 Mbps, 200 Mbps, etc).
Switches and Broadcasts
Switches Learn the Network
CAM
• Content Addressable Memory
• An Ethernet switch can learn the address of
each device on the network by
– reading the source address of each packet
transmitted and
– noting the port where the frame was heard
• Addresses are learned dynamically.
– as new addresses are read they are learned and
stored in content addressable memory (CAM).
– when a source is read that is not found in the
CAM it is learned/stored for future use.
Aging Out
• Each time an address is stored it is time
stamped.
– allows for addresses to be stored for a set period
of time
– Each time an address is referenced or found in
the CAM, it receives a new time stamp
– Addresses that are not referenced during set
period of time are removed from the list
– By removing old addresses the CAM maintains
an accurate and functional forwarding database
Key Characteristics of
Various Switching
Technologies
Switching
• Layer 2 Switching
– Switches based on MAC address
• Layer 3 Switching
– Switching at L2, hardware-based routing at
L3
• Layer 4 Switching
– Switching at L2, hardware-based routing at
L3, with decisions optionally made on L4
information (port numbers)
Layer 2 Switching
Layer 3 Switching
Layer 4 Switching
MLS (Multi-Layer Switching)
MLS
• Cisco's specialized form of switching and routing, not generic L3 routing/L2 switching
• Cannot be performed using LMC lab equipment
MLS
• sometimes referred to as “route once,
switch many”
Cisco Catalyst Switches
Switch Block - AL
Catalyst 2950 Switch:
• Supports minimal L3 routing
• Up to 50 ports
Switch Block - AL
Catalyst 3550/3560 Switch:
• Supports L3 routing
• Up to 50 ports
Switch Block - AL
Catalyst 3750 Switch:
• Supports L3 routing
• Supports Cisco StackWise technology
• Provides 32-Gbps high-speed stacking bus
Switch Block - DL
Catalyst 4000 Switch:
• Supports L3 blades, high density access ports
• 4006 (6 slots) shown here
Switch Block - DL
Catalyst 4500 Switch:
• Supports L3 blades, high density access ports
• Up to 10 slots
Switch Block - DL
Catalyst 6500 Switch:
• Supports L3 blades, high density access ports
• Can have up to 13 slots
Spanning Tree
Spanning-Tree Protocol
• allows redundant switched/bridged paths
without suffering the effects of loops in the
network.
STP States
IOS Switch Configuration
Catalyst Switches
• Catalyst Switching product line began as a
Frankenstein of numerous acquisitions,
including:
– Crescendo (1993)
– Kalpana (1994)
– Grand Junction (1995)
• Result – the operating systems of Catalyst
products did not look the same, nor did they
initially align with Cisco IOS
Catalyst Switches
• Catalyst derived from the Crescendo
acquisition (Cat 5000) ran an OS known as
CatOS.
– Sometimes referred to as “set-based” OS
because (unlike the IOS) many configurations
required the use of the set command.
• The 5000 evolved into other big Cats (5500,
6000, and 6500) which also initially ran
CatOS.
Catalyst Switches
• Smaller, “work-group” access switches
ran various specialized Operating
Systems
– Most were menu-driven
– 1700, 1900, etc.
• As this “work-group” Catalyst evolved,
they dropped menus in favor of an
IOS-like operating system.
Catalyst Switches
• Today, all current Cisco Catalyst
products have converged to use the
Cisco IOS.
• You are very likely to see legacy
CatOS out in the real world – so you
should be aware of it.
– Cisco has stopped testing on CatOS for
its CCNA, CCNP and CCIE R&S exams.
Configuring Cat Switches
• Because Catalyst switches run IOS,
you can apply the same configuration
principles you’ve learned for
configuring routers to configuring
switches.
Configuring IOS-based
Catalyst Switches
Useful show Commands
• show version
• show running-config
• show interface
• show interface status
• show interface switchport
• show ip interface brief
• show mac-address-table
• show post
show interface status
CORE-1>sho interface status

Port    Name                Status     Vlan    Duplex  Speed   Type
Gi0/1   ADMIN-NET           connected  trunk   a-full  a-1000  1000BaseSX
Gi0/2                       disabled   1       auto    auto    unknown
Gi0/3   ABNET & XYNET       connected  trunk   a-full  a-1000  1000BaseSX
Gi0/4   NOT IN USE          disabled   1       auto    auto    unknown
Gi0/5   RANET               connected  trunk   a-full  a-1000  1000BaseSX
Gi0/6   NOT IN USE          disabled   1       auto    auto    unknown
Gi0/7   NOT IN USE          disabled   routed  auto    auto    unknown
Gi0/8   NOT IN USE          disabled   1       auto    auto    unknown
Gi0/9   L3 CONNECTION TO C  connected  routed  a-full  a-1000  1000BaseSX
Gi0/10                      disabled   1       auto    auto    unknown
Gi0/11  L3 CONNECTION TO E  connected  routed  a-full  a-100   10/100/1000BaseTX
Gi0/12  WIRELESS TO PIX     connected  802     a-full  a-100   10/100/1000BaseTX
CORE-1>
Getting a “fresh” Start
• Some Cat IOS switches keep track of VLAN
information in a special file called vlan.dat
– This file is separate from the running
configuration
– Some switches have VLAN configuration as part
of config file – it depends on something called
VTP (which we will cover in module 9)
• To bring a switch back to the default
configuration, you may need to delete both
its VLAN database and its startup-configuration file.
Getting a “fresh” Start
leftovers#dir flash:
Directory of flash:/

    2  -rwx           0   Jan 01 1970 00:01:20  env_vars
    3  -rwx         342   Jan 01 1970 00:01:20  system_env_vars
    4  -rwx         736   Mar 11 1993 17:25:25  vlan.dat
    6  -rwx           5   Mar 01 1993 00:01:19  private-config.text
    7  drwx         192   Mar 01 1993 00:03:20  c3550-i5q3l2-mz.121-11.EA1

15998976 bytes total (10913280 bytes free)
leftovers#
Getting a “fresh” Start
Sloppy_seconds#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Sloppy_seconds#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Sloppy_seconds#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
00:08:09: %SYS-5-RELOAD: Reload requested
Assigning a Name
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#
Assigning Passwords
S1#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
S1(config)#enable secret cisco
S1(config)#line vty 0 4
S1(config-line)#password cisco
S1(config-line)#line con 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#service password-encryption
S1(config)#
Use the service password-encryption command to encipher
line and user passwords in the configuration file (prevents
“shoulder surfing”). Bad news: The cipher is easily reversed.
Assigning an IP Address
S1(config)#interface vlan 1
S1(config-if)#ip address 10.1.1.1 255.255.255.0
S1(config-if)#exit
S1(config)#ip default-gateway 10.1.1.254
What’s up with “interface vlan 1”?
Well, the default config for a switch is such that all of its ports are layer 2 “bridged”
ports. The ports don’t have IP addresses.
The default config also places all switchports in VLAN 1.
When you assign an IP to VLAN 1, you can reach the switch’s “management” IP
address on any of the ports in VLAN 1.
In practice, it is not secure to put an IP address on VLAN 1. You should configure
another VLAN besides 1 for management purposes.
Nailing Down speed & duplex
S1(config)#in f0/1
S1(config-if)#speed 100
S1(config-if)#duplex full
By default, switch ports will try to auto-negotiate speed and duplex
mode. The auto-negotiation protocol (802.3u) attempts to set the
highest possible speed and best duplex mode available on both
link partners.
In the field, you may find that auto-negotiation fails – nail down
important links when possible.
The Catalyst GUI
• Switches are far more prevalent than routers in an
enterprise.
• Many members of an IT staff may need to configure
workgroup or even distribution switches.
– IOS command-line expertise is not always plentiful
• Cisco offers a web-based GUI for easy
administration and configuration of Catalyst
switches
– Requires Java VM
• The GUI can also be used to command multiple
switches from the same interface (cluster
management suite, or CMS)
The Catalyst GUI
• Enabling the web-based GUI will open you
up to additional network security
vulnerabilities.
• Use this feature with caution!
• On most workgroup Catalyst switches, this
feature is on by default.
• Disable it until you know you are going to
use it:
– no ip http server
Configuring the Web Interface
S1(config)#ip http server
S1(config)#ip http port 8080
S1(config)#
The ip http port 8080 command changes the default TCP port of
the web server to any valid port number you configure.
The default port is, of course, TCP 80. You can access your
switch's web server at http://ipaddress
In our example, it would be http://10.1.1.1:8080 (because the port
number was changed).
VLAN Basics
Early VLANs
• Virtual Local Area Networks
• Promoted heavily by industry in the mid-1990s
• Vendors also took varied approaches
to creating VLANs, which led to
incompatibility and confusion.
VLANs
• group of hosts with a common set of
requirements
– communicate as if they were attached to the
same wire, regardless of their physical location.
• same attributes as a physical LAN, but
VLANs allow for end stations to be grouped
together even if they are not located on
the same LAN segment.
VLANs
• Each VLAN is typically assigned unique IP subnet
– 1 VLAN = 1 IP subnet (almost always)
• Cisco VLANs typically run a separate instance of
Spanning-Tree Protocol (STP) or Rapid STP
(RSTP)
– Per-VLAN spanning-tree (PVST)
• Segmentation can be based on
– organizational functions
– applications
– physical / geographical basis
Campus-Wide, End-to-End VLANs
Local/Geographic VLANs
Why VLANs?
• With VLANs, administrators can:
– control traffic patterns
– react quickly to relocations
– keep up with constant changes in the
network due to moving requirements and
node relocation.
– increase security
– contain broadcasts
VLANs and Network
Security
VLANs are secure*
• When a station transmits on a shared
network (hub), all stations attached to the
segment receive a copy of the frame, even if
they are not the intended recipients.
• Anyone with such a network sniffer can
capture passwords, sensitive e-mail, and
any other traffic on the shared network.
• If the traffic is unencrypted…
Switched networks are secure*
• Some TCP/IP protocols that send info in cleartext:
– HTTP (not HTTPS)
– Telnet (not SSH)
– FTP
– SMTP (mail)
• Some popular sniffers:
– Ethereal (free)
– Etherpeek (WildPackets)
– tcpdump (free)
– Sniffer Pro (Network Associates)
– dsniff (free, Dug Song)
Switched networks are secure*
• Switches allow for microsegmentation
– Each user that connects directly to a
switch port is on his or her own segment.
• If every device has its own segment
(switchport) then only the sender and receiver
will “see” unicast traffic.
• VLANs contain broadcast traffic
– Only users on the same VLAN will see
broadcasts
Switched networks are secure*
• On a switched network, Host X should not
see unicast traffic from Host A to Internet
hosts:
[Figure: Host A, attacker Host X and the Internet reached through default gateway 1.1.1.1. Host X: "ARP: 1.1.1.1 is my MAC!" Host A: "Update my ARP table. Default gateway changed at L2." Host X: "Hmm. Passwords, email... yum!"]
Man-in-the-middle: Attacker uses ARP to "become" Host A's default gateway.
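The figure's ARP trick seen from the detecting side, as an added example that is not part of the course material: a watcher that keeps the gateway's known IP-to-MAC binding and flags a reply claiming 1.1.1.1 with a different MAC. The gateway IP is from the slide; the gateway and attacker MACs and the reply timings are constructed.

```python
"""Flag an ARP reply that moves the default gateway to a new MAC.

Added example for the figure above; not the instructor's code. Host A in the
figure accepts any reply saying "1.1.1.1 is at <MAC>". A host or passive
monitor that remembers the gateway's configured (or first-seen) binding can
instead raise an alert when a later reply claims the same IP with another
MAC. The gateway IP 1.1.1.1 is from the slide; MACs and times are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float            # seconds since monitoring started (constructed)
    sender_ip: str      # the IP the reply claims to own
    sender_mac: str     # the MAC it claims owns that IP


class ArpWatcher:
    def __init__(self, protected_ips, seed=None):
        # protected_ips: addresses worth watching (the gateway).
        # seed: known-good ip -> mac bindings; without a seed the watcher trusts
        # whichever reply arrives first, which an early spoof could exploit.
        self.protected = set(protected_ips)
        self.bindings = {ip: mac.lower() for ip, mac in (seed or {}).items()}
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Record the binding on first sight; return an alert dict when it changes."""
        if reply.sender_ip not in self.protected:
            return None
        mac = reply.sender_mac.lower()          # MACs compare case-insensitively
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = mac
            return None
        if mac == known:
            return None
        alert = {"t": reply.t, "ip": reply.sender_ip, "expected_mac": known,
                 "claimed_mac": mac,
                 "msg": f"{reply.sender_ip} moved from {known} to {mac}: possible ARP spoofing"}
        self.alerts.append(alert)
        return alert


def demo() -> list:
    """Replay the figure: the real gateway answers, then Host X claims to be it."""
    gateway_mac = "00:00:5e:00:01:01"       # constructed
    attacker_mac = "02:00:00:00:0a:0b"      # constructed
    watcher = ArpWatcher(["1.1.1.1"], seed={"1.1.1.1": gateway_mac})
    replies = [
        ArpReply(0.0, "1.1.1.1", gateway_mac),             # legitimate reply
        ArpReply(5.0, "10.0.0.9", attacker_mac),           # some other host, not watched
        ArpReply(30.0, "1.1.1.1", attacker_mac),           # the spoofed reply from the figure
        ArpReply(31.0, "1.1.1.1", "00:00:5E:00:01:01"),    # real gateway again, upper case
    ]
    return [a for a in map(watcher.observe, replies) if a is not None]


if __name__ == "__main__":
    for alert in demo():
        print(alert["msg"])
```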
Switched networks are secure*
• On a switched network, Host X should not
see unicast traffic from Host A to Internet
hosts:
[Figure: Host A, attacker Host X, the switch and the Internet. Host X: "Hey switch! Here's 999,000 MAC addresses!" Switch: "My CAM table is jacked. I'll have to flood traffic out all ports." Host X: "Smell those tasty packets!"]
MAC flood: Attacker overwhelms switch with flood of bogus MACs. Switch "fails open" and acts like a hub.
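The learning, time-stamping and aging-out behaviour from the earlier CAM and Aging Out slides, together with the fail-open flooding in this figure, as a small simulation. It is an added example, not code from the course; the table capacity, aging timer, MAC addresses and timestamps are constructed.

```python
"""Simulated CAM table of a learning switch.

Added example for this course's CAM, Aging Out and MAC-flood slides; it is
not the instructor's code. The switch learns each source MAC on the port it
arrived on, time-stamps the entry, ages out stale entries, floods frames whose
destination is unknown and, once its fixed-size table is full, can no longer
learn new hosts, so their traffic is flooded out every port like a hub.
Capacity, aging time, MAC addresses and timestamps are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class CamEntry:
    port: int
    last_seen: float  # refreshed every time the MAC is referenced


@dataclass
class LearningSwitch:
    num_ports: int
    capacity: int = 8            # tiny CAM so the overflow is easy to follow
    aging_secs: float = 300.0    # constructed; matches the common 5-minute default
    cam: dict = field(default_factory=dict)

    def age_out(self, now: float) -> int:
        """Drop entries not referenced within aging_secs; return how many were dropped."""
        stale = [mac for mac, e in self.cam.items() if now - e.last_seen > self.aging_secs]
        for mac in stale:
            del self.cam[mac]
        return len(stale)

    def learn(self, src: str, in_port: int, now: float) -> bool:
        """Learn or refresh src on in_port; return False when the table is full."""
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = CamEntry(in_port, now)
            return True
        return False

    def forward(self, src: str, dst: str, in_port: int, now: float) -> list:
        """Return the egress ports for one frame; more than one port means it was flooded."""
        self.age_out(now)
        self.learn(src, in_port, now)
        entry = self.cam.get(dst)
        if entry is not None and entry.port != in_port:
            return [entry.port]                      # known unicast: one port only
        # unknown unicast or broadcast: flood out every port except the ingress
        return [p for p in range(1, self.num_ports + 1) if p != in_port]

    def is_full(self) -> bool:
        return len(self.cam) >= self.capacity


def demo() -> dict:
    """Legitimate traffic before and after an attacker on port 3 fills the CAM."""
    sw = LearningSwitch(num_ports=4)
    host_a, gateway = "00:aa:00:00:00:01", "00:bb:00:00:00:02"   # constructed MACs
    sw.forward(host_a, gateway, 1, now=0.0)          # gateway unknown: flooded; A learned on port 1
    sw.forward(gateway, host_a, 2, now=1.0)          # gateway learned on port 2; A already known
    before = sw.forward(host_a, gateway, 1, now=2.0)  # normal switching: only port 2 sees it

    def bogus_burst(now: float) -> None:
        # attacker on port 3 sends broadcasts from 50 made-up source MACs
        for i in range(50):
            sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3, now)

    bogus_burst(3.0)      # fills the 6 free slots; A and the gateway are still present
    bogus_burst(200.0)    # attacker keeps its own entries fresh
    bogus_burst(303.0)    # A and the gateway have aged out; attacker takes their slots
    after = sw.forward(host_a, gateway, 1, now=304.0)  # A cannot be learned, gateway unknown
    return {"before": before, "after": after, "full": sw.is_full(), "entries": len(sw.cam)}


if __name__ == "__main__":
    print(demo())
```

After the flood, Host A's frame to the gateway goes out ports 2, 3 and 4, so the attacker on port 3 receives it, which is the "acts like a hub" condition the figure describes.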
Switched networks are secure*
• By using VLANs, you can mitigate
man-in-the-middle attacks and packet
sniffing exposure
• Put public or less secure terminals in
one VLAN, place administrative and/or
mission critical hosts on a different
VLAN
• Use VLANs to provide logical
separation and security “zones”
VLANs and Broadcast
Distribution
VLANs Control Broadcasts
VLANs Control Broadcasts
• Broadcast traffic is a necessary evil
– Routing protocols and network services typically
rely on broadcasts
– Multimedia applications may also use broadcast
frames/packets
• Each VLAN is its own broadcast domain
– Traffic of any kind cannot leave a VLAN without
L3 services (a router)
– Administrators can control the size of a
broadcast domain by defining the size of the
VLAN
VLANs improve BW utilization
• Bandwidth is shared in legacy
Ethernet; a switch improves BW
utilization by eliminating collisions
(microsegmentation).
• VLANs further improve BW utilization
by confining broadcasts and other
traffic
• Switches only flood ports that belong
to the source port’s VLAN.
VLAN Types
Types of VLANs
When scaling VLANs in the switch
block, there are two basic methods of
defining the VLAN boundaries:
– End-to-end VLANs
– Local VLANs
Types of VLANs
• Remember: a one-to-one
correspondence between VLANs and
IP subnets is strongly recommended!
– Typically, this results in VLANs of 254
hosts or less.
End-to-End VLANs
• Hosts are grouped into VLANs independent
of physical location and dependent on
group, job function, or application
• As a user moves around the campus, VLAN
membership for that user’s PC should not
change.
• Each VLAN has a common set of security
requirements for all members.
End-to-End VLANs
Local/Geographic VLANs
• As many corporate networks have moved to
centralize their resources, end-to-end
VLANs became more difficult to maintain.
• Users are required to use many different
resources, many of which are no longer in
their VLAN.
• Because of this shift in placement and
usage of resources, VLANs are now more
frequently being created around geographic
boundaries rather than commonality
boundaries.
Local/Geographic VLANs
• can span a geographic location as large as
an entire building or as small as one switch
• 20/80 rule in effect with 80 percent of the
traffic remote to the user and 20 percent of
the traffic local to the user
• a user must cross a L3 device in order to
reach 80 percent of the resources
– However, this design allows the network to
provide for a deterministic, consistent method of
accessing resources.
Establishing VLAN
Memberships
VLAN Types
The two common approaches to
assigning VLAN membership are:
– Static VLANs (aka Port-Based)
– Dynamic VLANs
Static VLANs
• also referred to as port-based membership
• VLAN assignments are created by assigning
ports to a VLAN
• as a host enters the network, the switch
automatically tags that host's traffic so that it
belongs to the VLAN of the port.
– If the user changes ports and needs access to
the same VLAN, the network administrator must
manually make a port-to-VLAN assignment for
the new connection.
Static VLANs
Static VLANs
• port is assigned to a specific VLAN
independent of the user or system attached
to the port.
• the port cannot send or receive from
devices in another VLAN without the
intervention of a L3 device.
– The device that is attached to the port likely has
no understanding that a VLAN exists.
– The device simply knows that it is a member of a
subnet.
Static VLANs
• switch is responsible for identifying
that the information came from a
specific VLAN and for ensuring that
the information gets to all other
members of the VLAN.
– The switch is further responsible for
ensuring that ports in a different VLAN do
not receive the information.
Static VLANs
• This approach is quite simple, fast, and
easy to manage in that there are no
complex lookup tables required for VLAN
segmentation.
• If port-to-VLAN association is done with an
application-specific integrated circuit (ASIC),
the performance is very good.
• An ASIC allows the port-to-VLAN mapping
to be done at the hardware level.
Configuring VLANs
Configuring Static VLANs
IOS-Based Switch
Switch# vlan database
Switch(vlan)#vlan 10 name SALES

VLAN database: stored in the vlan.dat file, not config.text. You can
edit the VLAN database directly by entering VLAN database mode.

Switch(config)#interface fa0/1
Switch(config-if)#switchport access vlan 10
Switch(config)#interface range fa0/2 - 6
Switch(config-if-range)#switchport access vlan 10
Configuring Static VLANs
IOS-Based Switch
switch>sho vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
2    MARKETING                        active    Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/18
3    PUBLIC                           active    Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Gi0/1
4    CORE                             active    Fa0/17, Fa0/19, Fa0/20
5    REDOG                            active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
6    CALREN                           active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
802  WIRELESS                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
switch>
Configuring VLANs
• When configuring VLANs, keep in
mind that:
– A created VLAN remains unused until it is
mapped to switch ports.
– The default configuration has all of the
switch ports on VLAN 1.
Dynamic VLANs
Dynamic VLANs
• created through the use of software
packages such as CiscoWorks 2000 VLAN
Management Policy Server (VMPS)
• typically allows for membership based on
the MAC address of the device
• as a device enters the network, the device
queries a database for VLAN membership.
Dynamic VLANs
Dynamic VLANs
• With a VLAN Management Policy Server
(VMPS), you can assign switch ports to
VLANs dynamically, based on the source
MAC address of the device connected to the
port.
• When you move a host from a port on one
switch in the network to a port on another
switch in the network, the switch assigns the
new port to the proper VLAN for that host
dynamically.
Dynamic VLANs
• When you enable VMPS on a switch, a
MAC address-to-VLAN mapping database
downloads from a TFTP server and VMPS
begins to accept client requests.
– If you reset or power cycle the Catalyst 5000,
4000, 900, 3500, or 6000 Series Switch, the
VMPS database downloads from the TFTP
server automatically and VMPS is reenabled.
Dynamic VLANs
• VMPS opens a UDP socket to communicate
and listen to client requests.
• The VMPS client communicates with a
VMPS server through the VLAN Query
Protocol (VQP).
• When the VMPS receives a VQP request
from a client switch, it searches its database
for a MAC-address-to-VLAN mapping.
Dynamic VLANs
• The server response is based on this
mapping and whether or not the server
is in secure mode.
• Secure mode determines whether the
server shuts down the port when a
VLAN is not allowed on it or just
denies the port access to the VLAN.
Dynamic VLANs
• If a device is plugged into the network and
its MAC address is not in the database,
VMPS sends the fallback VLAN name to the
client.
• If no fallback VLAN is configured and the
MAC address does not exist in the
database, VMPS sends an access-denied
response.
• If VMPS is in secure mode, it sends a port-shutdown response.
Dynamic VLANs
• An administrator can also make an
explicit entry in the configuration table
to deny access to specific MAC
addresses for security reasons by
specifying a --NONE-- keyword for the
VLAN name.
• In this case, VMPS sends an access-denied or port-shutdown response.
Storm Control
Storm Control
• Storm control prevents switchports on a
LAN from being disrupted by a broadcast,
multicast, or unicast storm on one of the
physical interfaces.
• A LAN storm occurs when packets flood the
LAN, creating excessive traffic and
degrading network performance.
• Errors in the protocol-stack implementation
or in the network configuration can cause a
storm.
Storm Control
• Storm control (or traffic suppression) monitors
incoming traffic statistics over a time period and
compares the measurement with a predefined
suppression level threshold.
• The threshold represents the percentage of the total
available bandwidth of the port.
• Cisco switches support separate storm control
thresholds for broadcast, multicast, and unicast
traffic.
– If the threshold of a traffic type is reached, further traffic of
that type is suppressed until the incoming traffic falls below
the threshold level.
Configuring Storm Control
S1# configure terminal
S1(config)# interface fa0/1
S1(config-if)# storm-control broadcast level 50.5
The storm-control command in this example
sets the broadcast threshold to 50.5% of the
interface’s bandwidth.
Access and Trunk Links
Access and Trunk Links
Access Links
• An access link is a link on the switch
that is a member of only one VLAN.
• This VLAN is referred to as the native
VLAN of the port.
– Any device that is attached to the port is
completely unaware that a VLAN exists.
Trunk Links
• A trunk link is capable of supporting
multiple VLANs.
• Trunk links are typically used to
connect switches to other switches or
routers.
• Switches support trunk links on both
Fast Ethernet and Gigabit Ethernet
ports.
Access and Trunk Links
Trunk Links
• a trunk link does not belong to a specific VLAN.
– acts as a conduit for VLANs between switches and
routers
• The trunk link can be configured to transport all
VLANs or to transport a limited number of
VLANs.
• A trunk link may, however, have a native VLAN.
– The native VLAN of the trunk is the VLAN that the
trunk uses if the trunk link fails for any reason
VLAN Trunking
Trunk Links
• In Ethernet, the switch has two
methods of identifying the VLAN that a
frame belongs to:
– ISL – InterSwitch Link
• (Cisco proprietary)
– IEEE 802.1Q (standards-based)
• aka, dot1q
VLAN Identification
• ISL - This protocol is a Cisco
proprietary encapsulation protocol for
interconnecting multiple switches; it is
supported in switches as well as
routers.
• Even though it’s Cisco proprietary, ISL
is not natively supported by the
Catalyst 4000.
– The L3 blade gives the Cat4000's router
two ISL-capable ports (Gig 1 and Gig 2).
VLAN Identification
• IEEE 802.1Q - This protocol is an
IEEE standard method for identifying
VLANs by inserting a VLAN identifier
into the frame header. This process is
referred to as frame tagging.
– Note: In practice, both ISL and dot1q are
called frame tagging
VLAN Identification
• 802.10 - This standard is a Cisco
proprietary method of transporting
VLAN information inside the standard
802.10 frame (FDDI).
– The VLAN information is written to the
security association identifier (SAID)
portion of the 802.10 frame. This method
is typically used to transport VLANs
across FDDI backbones.
VLAN Identification
• LAN Emulation (LANE) - LANE is an
ATM Forum standard that can be used
for transporting VLANs over
Asynchronous Transfer Mode (ATM)
networks.
VLAN Identification
ISL (Frame Encapsulation)
[Figure: ISL header wrapped around an Ethernet frame of 1500 bytes plus an 18-byte header (1518 bytes)]
Standard NIC cards and networking devices don’t understand
this giant frame. A Cisco switch must remove this
encapsulation before sending the frame out on an access link.
ISL
• an Ethernet frame is encapsulated with a
header that transports VLAN IDs
• adds overhead to the packet as a 26-byte
header containing a 10-bit VLAN ID.
• In addition, a 4-byte cyclic redundancy
check (CRC) is appended to the end of
each frame.
– This CRC is in addition to any frame checking
that the Ethernet frame requires.
802.1q
NIC cards and networking devices can understand this “baby”
giant frame (1522 bytes). However, a Cisco switch must
remove this encapsulation before sending the frame out on an
access link.
[Figure: untagged frame: DA and SA MACs | Type/Length field | Data (max 1500 bytes) | CRC.
802.1q tagged frame: DA and SA MACs | 802.1q Tag (2-byte TPID, Tag Protocol Identifier; 2-byte TCI, Tag Control Info, includes VLAN ID) | Type/Length field | Data (max 1500 bytes) | New CRC]
802.1q
• significantly less overhead than the
ISL
• as opposed to the 30 bytes added by
ISL, 802.1Q inserts only an additional
4 bytes into the Ethernet frame
802.1q
• A 4-byte tag header containing a tag
protocol identifier (TPID) and tag control
information (TCI) with the following
elements:
– A 2-byte TPID with a fixed value of 0x8100. This
value indicates that the frame carries the
802.1Q/802.1p tag information.
– A TCI containing the following elements:
• Three-bit user priority
• One-bit canonical format (CFI indicator)
• Twelve-bit VLAN identifier (VID) - Uniquely identifies the
VLAN to which the frame belongs
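The tag layout above (TPID 0x8100, then a TCI split into a 3-bit priority, a 1-bit CFI and a 12-bit VID) as a small parser and tagger. This is an added example, not code from the course; the frame bytes are constructed here, and the trailing CRC is left out since the slides treat it separately.

```python
import struct

TPID_8021Q = 0x8100  # fixed TPID value that marks an 802.1Q/802.1p tag

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, if present, its 802.1Q tag.

    Returns DA/SA, the Type/Length that follows the header and, for a
    tagged frame, the TCI split into 3-bit priority, 1-bit CFI, 12-bit VID.
    """
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    da, sa = frame[0:6], frame[6:12]
    (after_sa,) = struct.unpack("!H", frame[12:14])
    info = {"da": da.hex(":"), "sa": sa.hex(":"), "tagged": False, "overhead": 0}
    if after_sa == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("TPID present but TCI/Type field truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, overhead=4, ethertype=ethertype,
                    priority=tci >> 13, cfi=(tci >> 12) & 0x1, vid=tci & 0x0FFF)
    else:
        info["ethertype"] = after_sa
    # max frame size: 1518 untagged, 1522 ("baby giant") when tagged
    info["max_frame_len"] = 1518 + info["overhead"]
    return info

def build_tag(priority: int, cfi: int, vid: int) -> bytes:
    """Build the 4-byte TPID+TCI tag that sits between SA and Type/Length."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", TPID_8021Q, (priority << 13) | (cfi << 12) | vid)

def tag_frame(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert a tag into an untagged frame, as a switch does on a trunk."""
    return frame[:12] + build_tag(priority, 0, vid) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before the frame goes out an access link."""
    if parse_frame(frame)["tagged"]:
        return frame[:12] + frame[16:]
    return frame

# Constructed sample: broadcast ARP frame with 46 bytes of zero padding
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb")
                   + struct.pack("!H", 0x0806) + bytes(46))
SAMPLE_TAGGED = tag_frame(SAMPLE_UNTAGGED, vid=802, priority=5)
```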
2-129
Trunking
• a trunk is a point-to-point link that
supports several VLANs
• a trunk saves ports when creating a
link between two devices
implementing VLANs
2-130
Trunking
2-131
Trunking
• Before attempting to configure a VLAN
trunk on a port, you should
determine what encapsulation the port
can support.
show interface switchport
2-132
Trunking
alpha#show in g0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-6,802
Pruning VLANs Enabled: NONE
alpha#
2-133
Trunking
• Dynamic Trunking Protocol (DTP)
manages trunk negotiation
2-134
Configuring Trunking
• Ethernet trunk interfaces support several
different trunking modes.
– Access
– Dynamic desirable (default mode on Catalyst
2950 and 3550)
– Dynamic auto
– Trunk
– Nonegotiate
– dot1q-tunnel (Not an option on the Catalyst 2950.)
2-135
Configuring Trunking
• On - This mode puts the port into
permanent trunking. The port becomes
a trunk port even if the neighboring
port does not agree to the change.
• The on state does not allow for the
negotiation of an encapsulation type.
– You must, therefore, specify the
encapsulation in the configuration
2-136
Configuring Trunking
• Access (Off) - This mode puts the port
into permanent nontrunking mode and
negotiates to convert the link into a
nontrunk link.
• The port becomes a nontrunk port
even if the neighboring port does not
agree to the change.
2-137
Configuring Trunking
• Desirable - This mode makes the port
actively attempt to convert the link to a
trunk link. The port becomes a trunk
port if the neighboring port is set to on,
desirable, or auto mode.
2-138
Configuring Trunking
• Auto - This mode makes the port willing to
convert the link to a trunk link.
• The port becomes a trunk port if the
neighboring port is set to on or desirable
mode.
• This is the default mode for Fast and Gigabit
Ethernet ports.
– if the default setting is left on both sides of the
trunk link, the link will not become a trunk
2-139
Configuring Trunking
• Nonegotiate - This mode puts the port
into permanent trunking mode but
prevents the port from generating
Dynamic Trunking Protocol (DTP)
frames.
– You must configure the neighboring port
manually as a trunk port to establish a
trunk link.
2-140
Configuring Trunking
• For trunking to be autonegotiated on
Fast Ethernet or Gigabit Ethernet
ports, the ports must be in the same
VTP domain.
• However, you can use “on” or
“nonegotiate” mode to force a port to
become a trunk, even if it is in a
different domain.
2-141
Configuring Trunking
IOS-Based Switch
Switch(config)# interface fastethernet 0
Switch(config-if)# switchport mode [access | multi | trunk]
Switch(config-if)# switchport mode dynamic [ auto | desirable]
Switch(config-if)# switchport trunk encapsulation {isl|dot1q}
Switch(config-if)# switchport trunk allowed vlan remove vlan-list
Switch(config-if)# switchport trunk allowed vlan add vlan-list
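The DTP modes and the show output earlier in this section are what an auditor checks for: a port still negotiating (dynamic mode or "Negotiation of Trunking: Enabled"), a trunk left on native VLAN 1, or a trunk allowing ALL VLANs. This added script (not part of the course) parses show interface switchport output; the Gi0/2 block is the one from the slide, the Fa0/7 block is constructed.

```python
import re

# Constructed sample: the Gi0/2 output from the slide plus a hypothetical
# port left in the dynamic desirable default
SAMPLE = """\
Name: Gi0/2
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-6,802
Name: Fa0/7
Administrative mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: Enabled
Access Mode VLAN: 10 (users)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

def parse_switchport(text: str) -> list:
    """Split 'show interface switchport' output into one dict per port."""
    ports, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "Name":
            cur = {"Name": val}
            ports.append(cur)
        elif cur is not None:
            cur[key] = val
    return ports

def audit(port: dict) -> list:
    """Finding codes for the negotiable or default settings the slides describe."""
    findings = []
    if (port.get("Negotiation of Trunking", "").lower() == "enabled"
            or port.get("Administrative mode", "").lower().startswith("dynamic")):
        findings.append("dtp-active")         # fix: switchport mode access|trunk
    if port.get("Operational Mode", "").lower() == "trunk":
        native = re.match(r"\d+", port.get("Trunking Native Mode VLAN", ""))
        if native and int(native.group()) == 1:
            findings.append("native-vlan-1")  # fix: switchport trunk native vlan <unused id>
        if port.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append("allow-all-vlans")  # fix: switchport trunk allowed vlan ...
    return findings

def audit_all(text: str) -> dict:
    return {p["Name"]: audit(p) for p in parse_switchport(text)}
```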
2-142
VLAN Trunking Protocol
(VTP)
2-143
VLAN Trunking Protocol
• VTP maintains VLAN configuration
consistency across the entire network.
• VTP is a messaging protocol that uses
Layer 2 trunk frames to manage the
addition, deletion, and renaming of VLANs
on a network-wide basis.
• Further, VTP allows you to make centralized
changes that are communicated to all other
switches in the network.
2-144
VTP Benefits
2-145
VTP
• All switches in the same management
domain share their VLAN information with
each other, and a switch can participate in
only one VTP management domain.
• Switches in different domains do not share
VTP information.
• Using VTP, switches advertise:
– Management domain
– Configuration revision number
– Known VLANs and their specific parameters
2-146
VTP
• switches can be configured not to accept
VTP information.
• These switches will forward VTP information
on trunk ports in order to ensure that other
switches receive the update, but the
switches will not modify their database, nor
will the switches send out an update
indicating a change in VLAN status.
– This is referred to as transparent mode.
2-147
VTP
• By default, management domains are
set to a nonsecure mode, meaning
that the switches interact without using
a password.
• Adding a password automatically sets
the management domain to secure
mode.
– A password must be configured on every
switch in the management domain to use
secure mode.
2-148
VTP
• The VTP database contains a revision
number.
• Each time a change is made, the
switch increments the revision number
2-149
VTP
• A higher configuration revision number
indicates that the VLAN information that is
being sent is more current than the stored
copy.
• Any time a switch receives an update that
has a higher configuration revision number,
the switch will overwrite the stored
information with the new information being
sent in the VTP update.
2-150
VTP Modes
• Switches can operate in any one of the
following three VTP modes:
– Server
– Client
– Transparent
2-151
VTP Modes
• Server - If you configure the switch for
server mode, you can create, modify, and
delete VLANs, and specify other
configuration parameters (such as VTP
version and VTP pruning) for the entire VTP
domain.
• VTP servers:
– advertise their VLAN configuration to other
switches in the same VTP domain
– synchronize the VLAN configuration with other
switches based on advertisements received over
trunk links.
2-152
VTP Modes
• Client - VTP clients behave the same
way as VTP servers. However, you
cannot create, change, or delete
VLANs on a VTP client.
2-153
VTP Modes
• Transparent - VTP transparent switches do
not participate in VTP.
• A VTP transparent switch does not advertise
its VLAN configuration, and does not
synchronize its VLAN configuration based
on received advertisements.
– However, in VTP Version 2, transparent switches
do forward VTP advertisements that the
switches receive out their trunk ports.
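The VTP rules on the preceding slides (one domain per switch, secure-mode password, higher revision overwrites, server/client/transparent behaviour) as a small simulation. This is an added model, not the course's or Cisco's code: the switch and VLAN names are made up, and the password is compared directly where real VTP carries an MD5 digest.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]
    password: Optional[str] = None  # simplification: real VTP sends an MD5 digest

@dataclass
class Switch:
    name: str
    domain: str
    mode: str                        # "server", "client" or "transparent"
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    forwarded: List[Advertisement] = field(default_factory=list)

    def create_vlan(self, vid: int, name: str) -> int:
        """Local change: allowed on server and transparent, refused on a client."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: cannot create VLANs on a VTP client")
        self.vlans[vid] = name
        if self.mode == "server":          # each change bumps the revision number
            self.revision += 1
        return self.revision

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans), self.password)

    def receive(self, adv: Advertisement) -> str:
        """Apply the slides' rules to an incoming advertisement; returns what happened."""
        if adv.domain != self.domain:
            return "ignored: different management domain"
        if self.mode == "transparent":
            self.forwarded.append(adv)     # relayed on trunks, database untouched
            return "forwarded only (transparent)"
        if self.password != adv.password:
            return "rejected: secure-mode password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher than stored copy"
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return "overwritten: higher revision"
```

Because any higher revision in the same domain replaces the stored database, a switch carrying a stale but higher revision can wipe VLANs domain-wide; the password check and resetting revisions before connecting a switch are the controls the slides point at.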
2-154
Configuring VTP
2-155
Configuring VTP
IOS-Based Switch
Switch(vlan)# vtp domain domain-name
Switch(vlan)# vtp {server | client | transparent}
Switch(vlan)# vtp password password
Switch(vlan)# vtp v2-mode (version2)
2-156
Configuring VTP
Set-Based Switch
Switch(enable) set vtp [domain domain-name] [mode {server |
client | transparent}] [password password]
Switch(enable) set vtp v2 enable (version 2)
2-157
VTP Pruning
• VTP pruning enhances network bandwidth
use by reducing unnecessary flooding of
traffic, such as broadcast, multicast,
unknown, and flooded unicast packets.
• VTP pruning increases available bandwidth
by restricting flooded traffic to those trunk
links that the traffic must use to access the
appropriate network devices.
• By default, VTP pruning is disabled.
2-158
VTP Pruning
2-159
VTP Pruning
• Enabling VTP pruning on a VTP server
enables pruning for the entire management
domain.
• VTP pruning takes effect several seconds
after you enable it.
• By default, VLANs 2 through 1000 are
pruning eligible.
– VLAN 1 is always pruning ineligible, so traffic
from VLAN 1 cannot be pruned.
– You have the option to make specific VLANs
pruning eligible or pruning ineligible on the
device.
2-160
Configuring VTP Pruning
IOS-Based Switch
Switch(vlan)# vtp pruning
2-161