PART I: LAN SWITCHING

Chapter 1 - Virtual LANs

Virtual LAN Concepts

Basics
A LAN includes all devices in the same broadcast domain.

A broadcast domain is the set of LAN-connected devices such that, when any one of them sends a broadcast frame, every other device in the set receives a copy of the frame.

With VLANs, a switch can place different interfaces in different broadcast domains; each of these separate broadcast domains is called a VLAN.

VLANs create flexible designs that group users by logical department instead of by physical location.

Reasons to use VLANs:
- Create smaller LANs and reduce the overhead on each host in the LAN. NOTE: Fewer broadcast frames are processed by each host.
- Reduce the workload for the Spanning Tree Protocol (STP) by limiting the VLAN to a single access switch.
- Enforce better security by grouping hosts that work with sensitive data.
- Separate VoIP traffic from PC traffic.
Trunking with ISL and 802.1Q

IP Subnets and VLANs
The hosts in a VLAN need to be in the same subnet, and hosts in different VLANs need to be in different subnets.

VLAN is a layer 2 concept and subnet is a layer 3 concept.

For host 1 in VLAN 1 (subnet 1) to send a packet to host 2 in VLAN 2 (subnet 2), a router connected to the switch is needed. Host 1 sends the packet to the default gateway (the router) with a VLAN 1 tag; the router receives the packet, removes the VLAN 1 tag, adds a VLAN 2 tag and sends the packet back out through the same interface on which it was received. NOTE: There are devices called multilayer switches or Layer 3 switches that combine the router and switch functions in the same device.
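The inter-VLAN forwarding described above, shown as an added Cisco IOS configuration example (it is not part of the original notes): the switch port toward the router is an 802.1Q trunk, and the router uses one 802.1Q subinterface per VLAN on a single physical interface, so a packet from VLAN 1 to VLAN 2 leaves the router through the same interface it arrived on. Interface names, the VLAN-to-subnet mapping, the IP addresses and a switch model that supports both ISL and 802.1Q are assumed for illustration.

```cisco
! Added example, not from the original notes. Interface names, VLAN-to-subnet
! mapping and addresses are assumed.
!
! --- Switch side: the port toward the router carries VLAN 1 and VLAN 2 as an
! 802.1Q trunk. The encapsulation command exists only on models that also
! support ISL; on 802.1Q-only switches it is omitted.
interface FastEthernet0/24
 description uplink to router (router-on-a-stick)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! --- Router side: no address on the physical interface, one 802.1Q
! subinterface per VLAN. Each subinterface address is the default gateway
! for the hosts in that VLAN/subnet.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.1.2.1 255.255.255.0
!
! Verification: the trunk must be up on the switch and both subinterfaces
! up on the router, otherwise hosts in VLAN 1 cannot reach VLAN 2.
! switch#  show interfaces trunk
! router#  show ip interface brief
```

A packet from host 1 (10.1.1.x, VLAN 1) to host 2 (10.1.2.x, VLAN 2) arrives on FastEthernet0/0 tagged for VLAN 1, is routed between the two subinterfaces, and leaves FastEthernet0/0 tagged for VLAN 2, which is the behaviour the paragraph above describes.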
VLAN Trunking Protocol (VTP)
VTP is Cisco proprietary.

VTP advertises each VLAN based on its ID and name, but it does not advertise the interfaces assigned to the VLAN. VTP messages are sent only through ISL and 802.1Q trunk interfaces.

VTP defines a layer 2 messaging protocol to exchange VLAN configuration information.

There are three VTP modes in which a switch can operate: server, client and transparent. VLAN information is entered or updated on a VTP server, and all the other servers and clients learn the new configuration. VLAN changes cannot be performed on a VTP client. Transparent mode causes a switch to ignore VTP but still forward VTP messages to other switches. It is possible to configure a VLAN on a transparent switch, but the switch will never update its VTP database from received messages nor send VTP messages of its own.

VTP servers and clients process VTP messages based on the "VLAN database configuration revision number". When a server updates its VTP database, it increases the revision number by 1 and sends a VTP message with the new configuration, listing the new revision number. A server or client processes a received VTP message only if its revision number is higher than the one the switch already has. This process is called synchronization.

VTP messages are also sent every 5 minutes.
There are three types of VTP messages: Summary Advertisement, Subset Advertisement and Advertisement Request.

There are three conditions for VTP to work between two switches:
- The link between the switches must be a VLAN trunk.
- The two switches' case-sensitive VTP domain names must match.
- If a password is configured on at least one of the switches, the two switches' case-sensitive passwords must match.

The VTP database is stored in a file called vtp.dat in NVRAM; it contains the VLAN IDs, VLAN names and other VTP configuration settings. The VTP configuration is not stored in the running-config or startup-config files, and there is no way to view the VLAN and VTP configuration directly in one place; instead, several show commands are required.

Cisco supports VTP versions 1, 2 and 3. VTP version 2 and above ignore the VTP domain and password when the switch is in transparent mode and forward all VTP messages received. Version 1 only forwards VTP messages with a matching VTP domain and password.

By default, broadcasts in each active VLAN are flooded out all trunks. VTP pruning can be used to avoid some switches receiving frames for a VLAN they do not have. VTP pruning allows VTP to dynamically determine which switches do not need frames from certain VLANs.

VTP pruning increases the available bandwidth by restricting flooded traffic. VTP pruning is one of the two most compelling reasons to use VTP, the other being to make VLAN configuration easier and more consistent.
VLAN and VLAN Trunking Configuration and Verification

Creating VLANs and Assigning Access VLANs to an Interface
For a VLAN to work in a Cisco switch we need to create the VLAN and have non-trunking interfaces assigned to the VLAN (access interfaces) and/or trunks that support the VLAN.

STEP 1 To configure a new VLAN:
- From global configuration mode, use the vlan vlan-id global configuration command to create the VLAN.
- (Optional) Use the name name VLAN subcommand to give the VLAN a name.

STEP 2 To configure a VLAN for each access interface:
- Use the interface command to move to interface configuration mode for the desired interface.
- Use the switchport access vlan id-number interface subcommand to associate a VLAN with that interface.
- (Optional) To disable trunking on the interface, use the switchport mode access interface subcommand.

The default VLAN and VTP configuration settings for a switch are:
- VTP server mode.
- No VTP domain name.
- VLAN 1 and VLANs 1002-1005 are automatically configured and cannot be deleted.
- All access interfaces are assigned to VLAN 1.
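STEP 1 and STEP 2 above carried through as one added Cisco IOS example (not from the original notes). The VLAN numbers, names and interface ranges are assumed for illustration; the last interface range goes slightly beyond the two steps and shows how the VoIP/PC separation mentioned in the Basics section is expressed on an access port with a voice VLAN.

```cisco
! Added example, not from the original notes. VLAN numbers, names and
! interface ranges are assumed.
!
configure terminal
!
! STEP 1: create the VLANs and (optionally) name them. VLAN 1 and
! VLANs 1002-1005 already exist by default and cannot be deleted.
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 30
 name VoIP
exit
!
! STEP 2: put access interfaces in their VLANs. "switchport mode access"
! is the optional step that keeps the port from ever negotiating a trunk.
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
!
interface range FastEthernet0/9 - 16
 switchport mode access
 switchport access vlan 20
!
! Phone + PC ports: PC traffic in data VLAN 20, phone traffic tagged into
! voice VLAN 30 on the same access port (separates VoIP from PC traffic).
interface range FastEthernet0/17 - 20
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
end
!
! Verification: each VLAN with the access ports assigned to it, and the
! operational mode / access VLAN of one port.
show vlan brief
show interfaces FastEthernet0/1 switchport
```

Ports left out of STEP 2 stay in VLAN 1 with trunking negotiable, which is the default state the next section recommends changing on unused ports.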
VLAN Trunking Configuration

Securing VLANs and Trunking
Switches are exposed to several types of security vulnerabilities through both used and unused ports. Cisco recommends making the following changes to the default switch configuration:
- Administratively disable unused interfaces using the shutdown interface subcommand.
- Prevent trunking from being negotiated when the port is enabled by using the switchport nonegotiate or switchport mode access interface subcommands.
- Assign the port to an unused VLAN, sometimes called a parking VLAN, using the switchport access vlan number interface subcommand.
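The three recommendations above applied to a range of unused ports, as an added Cisco IOS example (not from the original notes). The parking VLAN number (999) and the interface range are assumed.

```cisco
! Added example, not from the original notes. Parking VLAN 999 and the
! interface range are assumed.
!
configure terminal
!
! A VLAN that carries no traffic and has no gateway; it exists only so that
! parked ports are not in VLAN 1 (the default for every access port).
vlan 999
 name PARKING
exit
!
interface range FastEthernet0/21 - 24
 description unused - parked
 switchport mode access
 switchport nonegotiate
 switchport access vlan 999
 shutdown
end
!
! Verification: the ports should be administratively down, in static
! access mode with negotiation off, and in access VLAN 999.
show interfaces status
show interfaces FastEthernet0/21 switchport
```

Even if someone later re-enables one of these ports with no shutdown, the other two settings still hold: the port cannot negotiate a trunk, and whatever is plugged in lands in the parking VLAN rather than in VLAN 1.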
VTP Configuration and Verification

Using VTP: Configuring Servers and Clients

Caveats When Moving Away from Default VTP Configuration
By default, Cisco switches are configured in server mode with no domain name and no password, but they do not send VTP updates.

As soon as a VTP domain is configured on a switch, it starts sending VTP updates to neighboring switches. These switches overwrite their VLAN configuration to match the received update.

This may cause problems: if a VLAN was configured on a switch and the received update does not contain a definition for that VLAN, the configuration is overwritten and the switch no longer forwards packets for the lost VLAN.

An external attacker can use this behaviour to perform a DoS attack on the network by introducing a rogue switch with no VLAN configuration and forcing all the switches in the network to delete their VLAN configuration.

Thus, if VTP is not used in the network, it is better to configure all the switches in VTP transparent mode.
Avoiding VTP: Configuring Transparent Mode
To avoid using VTP, configure VTP transparent mode.

A switch in transparent mode never updates its VLAN database from VTP and never causes other switches to update their VLAN databases based on its database.

A switch in transparent mode only forwards VTP messages received on one trunk out all other trunks.

To configure a switch in transparent mode, use the vtp mode transparent global command. No password or domain name is needed.
Troubleshooting VTP
To troubleshoot VTP, first determine whether a problem exists. There is a VTP problem if two neighboring switches in the same domain have different VLAN definitions and different configuration revision numbers.

To troubleshoot, follow these steps:
- STEP 1 Confirm the switch names, the topology and each switch's VTP mode.
- STEP 2 Using the show vlan command, identify pairs of neighboring switches that should be VTP clients or servers but have different VLAN databases.
- STEP 3 On each pair of switches, perform the following tasks:
  a. Verify that an operational trunk link exists between the switches using the show interfaces trunk, show interfaces switchport or show cdp neighbors commands.
  b. Verify that the switches have the same (case-sensitive) VTP domain name and password (show vtp status, show vtp password).
  c. VTP pruning should be enabled or disabled consistently on all switches in the domain, but even if it is inconsistent it should not prevent synchronization.
- STEP 4 For each pair of switches from STEP 3, solve the problem by either fixing the trunking problem or configuring the switch with the correct VTP domain and password.

There may be problems when connecting new switches and bringing up trunks in existing networks. If a new switch with a higher VTP database revision number is attached, it will overwrite the VLAN databases of all the other switches. To avoid this, it is recommended to zero out the revision number on the new switch before connecting it. This can be achieved by either:
- Configuring the new switch in transparent mode and then back to client or server mode.
- Erasing the vlan.dat file in flash and reloading the switch.

VTP best practices:
- If VTP is not used, configure all the switches in transparent mode.
- If using VTP, always use a VTP password.
- Disable trunking with the switchport mode access and switchport nonegotiate commands on all interfaces that are not trunks, to prevent VTP attacks.
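The transparent-mode configuration, the revision-number reset and the VTP best practices from the sections above, collected into one added Cisco IOS example (not from the original notes), with the show commands from the troubleshooting steps at the end. The domain name, password and interface range are assumed placeholders.

```cisco
! Added example, not from the original notes. Domain name, password and
! interface range are assumed placeholders.
!
! --- Case A: VTP is not used in the network. Every switch goes to
! transparent mode: it keeps its own VLAN database, ignores received
! advertisements and only forwards them. No domain or password is needed,
! so a rogue switch cannot overwrite the VLAN database.
configure terminal
 vtp mode transparent
end
!
! --- Case B: VTP is used. Every switch in the domain gets the same
! case-sensitive domain name and a password, and the non-trunk ports have
! trunk negotiation disabled so an attached device cannot bring up a trunk
! (VTP messages are only accepted over trunks).
configure terminal
 vtp domain CORP
 vtp password S3cretVtp
 vtp mode server
 vtp pruning
 interface range FastEthernet0/1 - 20
  switchport mode access
  switchport nonegotiate
end
!
! --- Before attaching a NEW switch to an existing domain, zero its
! configuration revision so it cannot outrank the existing servers.
! Toggling to transparent mode and back resets the revision to 0
! (the alternative is deleting flash:vlan.dat and reloading).
configure terminal
 vtp mode transparent
 vtp mode client
end
!
! --- Verification on each pair of neighboring switches (troubleshooting
! STEP 3): operational trunk, matching domain and password, and revision
! numbers that agree after synchronization.
show interfaces trunk
show cdp neighbors
show vtp status
show vtp password
show vlan brief
```

When comparing two neighbors, a higher Configuration Revision on one side together with a different VLAN list is the symptom the troubleshooting section describes; the domain name and password lines in show vtp status and show vtp password must match character for character before synchronization can happen.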
Chapter 2 - Spanning Tree Protocol

Foundation Topics

Without Spanning Tree Protocol (STP), a LAN with redundant links would cause Ethernet frames to loop indefinitely. With STP enabled, some switches block ports so that those ports do not forward frames.

Spanning Tree Protocol (IEEE 802.1d)

The need for Spanning Tree

What IEEE 802.1d Spanning Tree Does
STP prevents loops by placing each bridge/switch port in either a Forwarding State or a Blocking State.

All the ports in the Forwarding State are considered to be in the current spanning tree.

The term STP convergence refers to the process by which the switches collectively realize that something has changed in the LAN topology, so the switches might need to change which ports block and which ports forward.

How Spanning Tree Works

Optional STP Features

Rapid STP (IEEE 802.1w)

RSTP Link and Edge Types

RSTP Port States

RSTP Port Roles

RSTP Convergence

STP Configuration and Verification

Multiple Instances of STP

Configuration Options That Influence the Spanning Tree Protocol Topology

Verifying Default STP Operation

Configuring STP Port Costs and Switch Priority

Configuring PortFast and BPDU Guard

Configuring EtherChannel

Configuring RSTP

STP Troubleshooting

Determining the Root Switch

Determining the Root Port on Non-root Switches

Determining the Designated Port on Each LAN Segment

STP Convergence

Chapter 3 - Troubleshooting LAN Switching

PART II: IP ROUTING

Chapter 4 - IP Routing: Static and Connected Routes

Chapter 5 - VLSM and Route Summarization

Chapter 6 - IP Access Control Lists

Chapter 7 - Troubleshooting IP Routing

PART III: ROUTING PROTOCOLS CONFIGURATION AND TROUBLESHOOTING

Chapter 8 - Routing Protocol Theory

Chapter 9 - OSPF

Chapter 10 - EIGRP

Chapter 11 - Troubleshooting Routing Protocols

PART IV: WIDE-AREA NETWORKS

Chapter 12 - Point to Point WANs

Chapter 13 - Frame Relay Concepts

Chapter 14 - Frame Relay Configuration and Troubleshooting

Chapter 15 - Virtual Private Networks

PART V: SCALING THE IP ADDRESS SPACE

Chapter 16 - Network Address Translation

Chapter 17 - IP Version 6