● Expand All - ◦ Collapse All ● Print

Topic

PART I: LAN SWITCHING

Chapter 1 - Virtual LANs

Virtual LAN Concepts

Basics

A LAN includes all devices in the same broadcast domain.

A broadcast domain includes the set of all LAN-connected devices that when any of the devices sends a broadcast frame, all the other devices get a copy of the frame.

With VLANs a switch can put some interfaces on different broadcast domains, this different broadcast domains are called VLANs.

VLANs create flexible designs that group users by logical department instead of by physical location.

Create smaller LANs and reduce the overhead caused by each host in the LAN.
NOTE: Less broadcasts frames are processed by each host.

Reduce the workload for the Spanning Tree Protocol (STP) by limiting the VLAN to a single access switch.

Enforce better security by grouping hosts that work with sensitive data

Separate VOIP traffic from PC traffic.

Trunking with ISL and 802.1Q

VLAN trunking is needed when using VLANs that have multiple interconnected switches.

A trunk interface supports multiple different VLANs, as opposed to a regular interface that only supports one VLAN.

VLAN tagging is the process by which the sending switch adds an extra header to the frame before sending it. This extra header includes the VLAN identifier field, so that the receiving switch knows what VLAN each frame belongs to.
NOTE: Before sending the frame out of a trunking interface, the sending switch adds a VLAN tag id to the frame, The receiving switch reads the VLAN tag id and removes it before sending the frame to the corresponding interface(s)

CISCO switches support Inter-Switch Link (ISL) and IEEE 802.1Q trunking protocols.

ISL was the first protocol and is CISCO proprietary. ISL completely encapsulates the ethernet frame between ISL header and trailer, the source and destination MAC addresses in the new header are those of the sending and receiving switch.

IEEE 802.1Q standardizes many LAN protocols, including VLAN trunking. 802.1Q does not encapsulate the frame, instead it inserts a 4-byte VLAN header into the original ethernet header. The source and destination MAC addresses remain unchanged. Because of the header size increase, the CRC in the FCS trailer field is recalculated.
NOTE: Today, this is the more popular trunking protocol

chart_1

IP Subnets and VLANs

The hosts in a VLAN need to be in the same subnet, hosts in different VLANs need to be in different subnets.

VLAN is a layer 2 concept and Subnet is a layer 2 concept.

For a host 1 in VLAN1 (subnet 1) to send a packet to host 2 in VLAN 2 (subnet 2) a router connected to the switch is needed. Host 1 sends the packet to de default gateway (router) with a VLAN 1 tag, the router receives the packet and discards the VLAN 1 tag, adds a VLAN 2 tag and sends the packet back trough the same interface it was received.
NOTE: There are devices called multilayer switch or Layer 3 switch, combining the router and switch functions in the same device.

VLAN Trunking Protocol (VTP)

VTP is Cisco proprietary.

Advertises each VLAN based on it's ID and name, but it does not advertise the interfaces assigned to the VLAN. VTP messages are sent only through ISL and 802.1Q trunk interfaces.

VTP defines a layer 2 messaging protocol to exchange VLAN configuration information.

There are three VTP modes a switch can operate: Server, Client, Transparent. VLAN information is entered/updated on a VTP server and all the other servers and clients learn the new configuration. VLAN changes cannot be performed on a VTP client. The transparent mode will cause a switch to ignore VTP but still forward VTP messages to other switches. It's possible to configure a VLAN on a transparent switch, but it will never update it's VTP database nor send VTP messages.

VTP servers and clients will process VTP messages based on the "VLAN database configuration revision number". When a server updates it's VTP database it will increase the revision by 1 and send a VTP message with the new configuration listing the new revision number. The server/client will process the VTP message only if the revision number is higher than what it has. This process is called synchronization.

VTP messages are also sent every 5 minutes.

There are three types of VTP messages: Summary Advertisement, Subset Advertisement and Advertisement Request.

There are three conditions for VTP to work between two switches:
- The link between switches must be of VLAN trunk type.
- The two switches' case sensitive VTP domain must match.
- If configured on at least one of the switches, the two switches' case-sensitive password must match.

The VTP database is stored in a file called vtp.dat in NVRAM, it contains VLAN ID, VLAN Name and other VTP configuration settings. The VTP configuration is not stored on the running-config nor startup-config files and there is no way to directly view the VLAN and VTP configuration, instead several show commands are required.

Cisco supports VTP versions 1 2 and 3. VTP version 2 and above ignore the VTP domain and password when the switch is in transparent mode and forwards all VTP messages received. Version 1 only forwards VTP messages with matching VTP domain and password.

By default VTP floods broadcasts in each active VLAN out all trunks. VTP pruning can be used in order to avoid some switches receiving frames for a VLAN they don't have. VTP Pruning allows VTP to dynamically determine which switches do not need frames from certain VLANs

VTP pruning increases the available bandwidth by restricting flooded traffic. VTP pruning is one of the two most compelling reasons to use VTP, with the other reason being to make VLAN configuration easier and more consistent.

chart_2

VLAN and VLAN Trunking Configuration and Verification

Creating VLANs and Assigning Access VLANs to an Interface

For a VLAN to work in a Cisco switch we need to create a VLAN, have non-trunking interfaces assigned to the VLAN (access interfaces) and/or trunks that support the VLAN.

STEP 1 To configure a new VLAN:
- From configuration mode use vlan vlan-id global configuration command to create the VLAN.
- (Optiona) Use the name name VLAN command to list a name for the VLAN.

STEP 2 To configure a VLAN for each access interface:
- Use the interface command to move to interface configuration mode for the desired interface.
- Use the switchport access vlan id-number interface command to associate a VLAN to that interface.
- (Optional) To disable trunking on the interface use the switchport mode access interface subcommand.

The default VLAN and VTP configuration settings for a switch are:
- VTP Server Mode.
- No VTP domain name.
- VLAN 1 and VLAN1002-1005 are automatically configured and cannot be deleted.
- All access interfaces are assigned to VLAN 1

VLAN Trunking Configuration

Trunking configuration in Cisco switches involves two important configuration settings:
- Type of trunking: ISL or 802.1Q or negotiate which one to use. The default is to negotiate.
- The Administrative Mode: Whether to trunk, not trunk or negotiate. Negotiate is the default.

The type of trunking preferred on an interface is configured with switchport trunk encapsulation {dot1 | isl | negotiate}

The administrative mode of an interface is set with switchport mode

chart_3

chart_4

To limit the number of VLANs allowed on a trunk the allowed VLAN list feature can be used. By default all VLANs are allowed in each trunk.
switchport trunk allowed vlan {add | all | except | remove} vlan-list

In adition to to the allowed VLAN list, there are three other reasons to prevent a particular VLAN's traffic from crossing a trunk.
- A VLAN has been removed from the trunk's allowed list.
- A VLAN does not exist, or is not active in the switch's VLAN database.
- A VLAN has been automatically pruned by VTP.
- A VLAN's STP instance has placed the trunk interface into an state other than a Forwarding State.

VoIP phone's traffic is routed on a different VLAN than the data traffic and the voice traffic should use the 802.1Q. This is done to separate both types of traffic and to better manage, set QoS requirements and provide better security. The switch must know the voice VLAN id and that is set with the switchport voice vlan vlan-id interface subcommand.

Securing VLANs and Trunking

Switches are exposed to several types of security vulnerabilities over both used and unused ports. Cisco recommends making the following changes to the default switch configuration:
- Administratively disable the unused interface, using the shutdown interface command.
- Prevent trunking from being negotiated when the port is enabled by using the switchport nonegotiate, or switchport mode access interface subcommands.
- Assign the port to an unused VLAN, sometimes called a parking VLAN using switchport access vlan number interface subcommand.

VTP Configuration and Verification

Using VTP: Configuring Servers and Clients

VLAN Trunking Protocol (VTP) configuration is simple but can cause serious problems if not done properly

There are certain design decisions that need to be considered before configuring VTP such as with switches will be on the same VTP domain, the VTP domain name and a VTP domain password. Then there is the matter of deciding which switches will be servers and which ones will be clients.

The following steps can be used to configure VTP:
- STEP 1 Configure VTP mode using ftp mode { server | client } global configuration command.
- STEP 2 Configure the VTP domain name using ftp domain domain-name global configuration command.
- STEP 3 (Optional) On both clients and servers, configure the same case-sensitive password using ftp password password-value global configuration command.
- STEP 4 (Optional) Configure VTP pruning on the VTP servers using vtp pruning global configuration command.
- STEP 5 (Optional) Enable VTP version 2 using vtp version 2 global configuration command.
- STEP 6 Bring up the trunks between switches.

Cisco switches (servers and clients) store the VTP configuration commands in the vlan.dat file in flash. To verify these configuration commands, the show vtp status and show vlan commands are used.

chart_5

When the VTP domain is synchronized, the show vtp status should show the same revision on all switches. Also, the show vlan command should list the same VLANs and VLAN names.

Caveats When Moving Away from Default VTP Configuration

By default Cisco switches are configured as server mode with no domain name and no password but do not send VTP updates.

As soon as a VTP domain is configured on a switch, it will start sending VTP updates to neighboring switches. These switches will overwrite their VLAN configuration to match the update received.

This may cause problems, because id a VLAN was configured on the switch and the received update does not contain a definition for the VLAN, the configuration is overwritten and the switch will no longer forward packets to the lost VLAN.

An external attacker can use this method to perform a DOS attack on the network by introducing a rogue switch with no VLAN configurations and forcing all the switches in the network to delete their VLAN configuration.

Thus, if VTP is not used in the network, it is better to configure all the switches as VTP transparent mode.

Avoiding VTP: Configuring Transparent Mode

To avoid using VTP, you need to configure vtp transparent mode.

A switch in transparent mode never updates its VLAN database and never causes other switches to update theirs VLAN database based on its database.

A switch in transparent mode only forwards vtp messages received on one trunk out on all other trunks.

To configure a switch as transparent mode, use the vtp mode transparent. No password nor domain name is needed.

Troubleshooting VTP

To troubleshoot VTP first we need to determine wether a problem exists. There is a VTP problem if two neighboring switches in the same domain have different VLAN definitions and different configuration revision numbers.

To troubleshoot follow these steps:
- STEP 1 Confirm the switch names, topology and switch VTP modes.
- STEP 2 Identify sets of two neighboring switches that should be either VTP clients or servers that have different VLAN databases using the show vlan command.
- STEP 3 On each par of switches perform the following tasks:
a. Verify that an operational link exists between the switches using the show interfaces trunk, show interfaces switchport, or the show cdp neighbors commands.
b. The switches must have the same (case-sensitive) VTP domain name and password. (show vtp status, show vtp password)
c. VTP pruning should be enabled/disabled on all switches in the domain, but even if it's not consistent it should not prevent syncing.
- STEP 4 For each pair of switches from STEP 3, solve the problem by either troubleshooting the trunking problem or correctly configure a switch with the correct VTP domain and password.

There may be problems when connecting new switches and bringing up trunks in existing networks. If a new switch with a higher VTP database revision number is attached, it will overwrite the VLAN databases of all of the other switches. In order to avoid that it's recommended to zero-out the revision number on the new switch being connected.
This can be achieved by either:
- Configuring the new switch as transparent mode and back to client or server
- Erasing the vlan.dat file in flash and reloading the switch.

VTP best practices:
- If VTP is not used, configure all the switches as transparent mode.
- If using VTP, always use a VTP password.
- Disable trunking with the switchport mode access and switchport nonegotiate command on all the interfaces that are not trunks to prevent VTP attacks.

Chapter 2 - Spanning Tree Protocol

Foundation Topics

Without Spanning Tree Protocol (STP), a LAN with redundant links would cause ethernet frames to loop for an indefinite period of time. With STP enabled, some switches block ports so that these ports do not forward frames.

Spanning Tree Protocol (IEEE 802.1d)

The need for Spanning Tree

IEEE802.1d was the first public standard for STP

STP avoids three kind of problems:
- Broadcast storms that cause broadcast to loop in the LAN indefinitely.
- MAC table instability and
- Hosts getting multiple copies of the same frame.

chart_6

What IEEE 802.1d Spanning Tree Does

STP prevents loops by placing each bridge/switch port in either a Forwarding State or a Blocking State.

All the ports in the Forwarding State are considered to be in the current spanning tree.

The term STP convergence refers to the process by which the switches collectively realize that something has changed in the LAN topology, so the switches might need to change which ports block and which ports forward.

How Spanning Tree Works

The process used by STP is sometimes called Spanning Tree Algorithm. STA chooses which interfaces should be placed in forwarding state, any interface not chosen to forward is set to a Blocking State.

STP uses three criteria to choose what ports should be in Forwarding State:
- STP selects a root switch and puts all its interfaces to Forwarding State.
- Each non-root switch considers one of its ports to have the least administrative cost between itself and the root switch. STP places this least-root-cost interface, called that switch's root port (RP), in Forwarding State.
- Many switches can attach to the same Ethernet segment. The switch with the lowest administrative cost from itself to the root switch, as compared with the other switches in the same segment, is placed in Forwarding State. The lowest-cost switch on each segment is called the designated bridge, and that bridge's interface, attached to that segment, is called the designated port (DP).

All other interfaces at put in Blocking State.

chart_7

Optional STP Features

Rapid STP (IEEE 802.1w)

RSTP Link and Edge Types

RSTP Port States

RSTP Port Roles

RSTP Convergence

STP Configuration and Verification

Multiple Instances of STP

Configuration Options That Influence the Spanning Tree Protocol Topology

Verifying Default STP Operation

Configuring STP Port Costs and Switch Priority

Configuring PortFast and BPDU Guard

Configuring EtherChannel

Configuring RSTP

STP Troubleshooting

Determining the Root Switch

Determining the Root Port on Non-root Switches

Determining the Designated Port on Each LAN Segment

STP Convergence

Chapter 3 - Troubleshooting LAN Switching

PART II: IP ROUTING

Chapter 4 - IP Routing: Static and Connected Routes

Chapter 5 - VLSM and Route Summarization

Chapter 6 - IP Access Control Lists

Chapter 7 - Troubleshooting IP Routing

PART III: ROUTING PROTOCOLS CONFIGURATION AND TROUBLESHOOTING

Chapter 8 - Routing Protocol Theory

Chapter 9 - OSPF

Chapter 10 - EIGRP

Chapter 11 - Troubleshooting Routing Protocols

PART IV: WIDE-AREA NETWORKS

Chapter 12 - Point to Point WANs

Chapter 13 - Frame Relay Concepts

Chapter 14 - Frame Relay Configuration and Troubleshooting

Chapter 15 - Virtual Private Networks

PART V: SCALING THE IP ADDRESS SPACE

Chapter 16 - Network Address Translation

Chapter 17 - IP Version 6