VTP Presentation Transcript
1. VTP (Trunking, VTP, Inter-VLAN Routing)
2.Basic Terms
Collision Domain: defines a set of interfaces whose frames could collide with each other
Broadcast Domain: defines a set of devices that all receive a broadcast frame sent by any one of them
3.Virtual LANs (VLANS)
A VLAN segments a switch into multiple broadcast domains. Without VLANs a switch forms a single broadcast domain. The segmentation gives the following advantages:
Ease of administration
Confinement of broadcast domains
Security: hosts in one VLAN cannot reach hosts in another at layer 2; traffic between VLANs must pass through a router or layer-3 switch, where it can be filtered
4.VLAN Trunking
Trunks carry traffic for more than one VLAN over the same link. Cisco switches support two trunk encapsulations:
1. Inter-Switch Link (ISL): encapsulates the original frame, adding 30 bytes (a 26-byte ISL header and a 4-byte trailing CRC). Cisco proprietary; newer Catalyst switches support only 802.1Q.
2. IEEE 802.1Q: an open standard. Instead of encapsulating the frame it inserts a 4-byte tag after the source MAC address. It also supports a native VLAN: frames of the native VLAN are sent untagged, and untagged frames received on the trunk are assigned to the native VLAN.
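As an added example (not part of the original slides), the following Python builds an Ethernet frame, inserts and parses the 4-byte 802.1Q tag, and applies the native-VLAN rule a trunk port follows on transmit and receive. The native VLAN value, the MAC addresses and the frame contents are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tagged frame
NATIVE_VLAN = 1       # assumed native VLAN of the trunk in this example (IOS default)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload.
    The 4-byte FCS is omitted; the NIC appends it."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC.
    TCI = 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, pcp, body = None, None, frame[14:]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, body = tci & 0x0FFF, tci >> 13, frame[18:]
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": body}


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int = NATIVE_VLAN) -> bytes:
    """What a trunk port transmits: native-VLAN frames leave untagged, all others tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame: bytes, native_vlan: int = NATIVE_VLAN) -> dict:
    """What a trunk port does on receipt: an untagged frame is assigned to the native
    VLAN; a tagged frame is assigned to the VLAN in its tag and the tag is removed."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        info["vlan"] = native_vlan
    return info


def demo() -> dict:
    """Constructed sample: a broadcast ARP-sized frame from VLAN 100 crossing a trunk."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0806, b"\x00" * 28)
    on_wire = trunk_egress(frame, 100)
    return {"added_bytes": len(on_wire) - len(frame), "received": trunk_ingress(on_wire)}
```

The native-VLAN rule is the one to keep in mind: anything that arrives untagged on a trunk is silently placed in the native VLAN, so the native VLAN of a trunk should not be one that carries user traffic.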
5.VLAN Trunking Protocol (VTP)
VTP manages the addition, deletion and renaming of VLANs across the network from a central point of control (the VTP server). Its advertisements are carried only over trunk links.
VTP Domains:
VTP is organized into management domains or areas with common VLAN requirements
A switch can belong to only one VTP domain
Switches in different domains don’t share the VTP information
VTP Modes: Server, Client and Transparent
Server: can create, delete and modify VLANs and advertises the VLAN database to the rest of the domain. This is the default mode.
Transparent: can create, delete and modify VLANs, but the changes are local and are not advertised. In VTP version 2 it forwards the advertisements it receives out its trunks without applying them.
Client: cannot create, delete or modify VLANs. It accepts VTP updates from the domain and forwards them out its other trunks.
6.VLAN Trunking Protocol (VTP)
VTP switches keep a counter called the VTP Configuration Revision number:
It starts at zero.
A server increments it before each advertisement is sent out.
A switch whose own revision is lower, client or server alike, overwrites its VLAN database when it receives an advertisement from its domain with a higher revision number.
It is stored in NVRAM, so it survives a reload. It cannot be edited directly, but it is reset to zero when the VTP domain name is changed or the switch is moved to transparent mode.
VTP advertisements can be authenticated with an MD5 digest keyed by the VTP password; advertisements whose digest does not match are dropped. The digest authenticates the update but does not encrypt it.
The overwrite rule is what makes a reused switch dangerous: one connected with the same domain name and password but a higher revision number replaces the VLAN database on every switch in the domain, and ports in VLANs that disappear go inactive. Check the revision with "show vtp status" and reset it before connecting any switch to a production domain.
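The revision-number rules above, modelled in Python as an added example (not code from the slides). The digest function is a simplified stand-in: the real VTP digest is computed over the binary VLAN database, so only the acceptance logic, not the digest format, matches the protocol. Switch names, the domain name and the password are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict      # {vlan_id: name}
    digest: bytes


def vtp_digest(domain: str, password: str, revision: int, vlans: dict) -> bytes:
    """Stand-in for the MD5 digest in a VTP summary advertisement (assumption: the real
    digest covers the binary VLAN database; here MD5 runs over a canonical text form)."""
    body = (f"{domain}\0{password}\0{revision}\0"
            + "\0".join(f"{vid}:{name}" for vid, name in sorted(vlans.items())))
    return hashlib.md5(body.encode()).digest()


@dataclass
class Switch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0               # starts at zero, kept in NVRAM
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def add_vlan(self, vid: int, name: str):
        """Returns the advertisement a server sends after the change, else None."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot modify the VLAN database")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None             # local change only, nothing advertised
        self.revision += 1          # incremented before the advertisement goes out
        return self.advertise()

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.domain, self.password, self.revision, self.vlans))

    def receive(self, adv: Advertisement):
        """Apply the acceptance rules; returns the advertisement to relay onward, or None."""
        if self.mode == "transparent":
            return adv              # relayed out the other trunks, database untouched
        if adv.domain != self.domain:
            self.log.append(f"{self.name}: ignored advertisement for domain {adv.domain!r}")
            return None
        if adv.digest != vtp_digest(adv.domain, self.password, adv.revision, adv.vlans):
            self.log.append(f"{self.name}: MD5 digest mismatch, advertisement dropped")
            return None
        if adv.revision <= self.revision:
            return None             # nothing newer than what we already hold
        self.vlans, self.revision = dict(adv.vlans), adv.revision   # client OR server overwritten
        self.log.append(f"{self.name}: VLAN database replaced by revision {adv.revision}")
        return adv

    def reset_revision(self) -> None:
        """Changing the domain name or passing through transparent mode zeroes the counter."""
        self.revision = 0


def flood(switches: list, adv: Advertisement) -> None:
    """Deliver one advertisement to every switch on the trunked network."""
    for sw in switches:
        sw.receive(adv)


def stale_switch_scenario() -> dict:
    """Constructed scenario: a decommissioned switch with a high revision number and the
    same domain and password is connected to a production domain."""
    core = Switch("core", "server", "CCNA", "ccna-lab")
    access = Switch("access", "client", "CCNA", "ccna-lab")
    for vid, name in [(100, "Sales"), (200, "Engineering")]:
        flood([access], core.add_vlan(vid, name))
    stale = Switch("lab-sw", "client", "CCNA", "ccna-lab", revision=50,
                   vlans={1: "default", 999: "lab"})
    flood([core, access], stale.advertise())     # the higher revision wins everywhere
    return {"core": core, "access": access, "stale": stale}
```

Running stale_switch_scenario() shows the server itself losing VLANs 100 and 200 to a client: mode does not protect a server from a higher revision, only a mismatched domain name or password does.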
7.Spanning Tree Protocol (STP) Terms
Bridging Loop: formed by redundant paths in the network. Because Ethernet frames carry no hop count, broadcast traffic loops around these paths indefinitely, causing what is known as a broadcast storm.
Bridge ID: an 8-byte field consisting of a 2-byte bridge priority and the 6-byte MAC address. With the extended system ID the 2-byte priority field is split into a 4-bit priority (multiples of 4096) and a 12-bit system ID that carries the VLAN ID, so a switch needs only one MAC address for all of its per-VLAN spanning trees instead of one per VLAN.
9.Spanning Tree Protocol Terms
Bridge Protocol Data Units (BPDU): STP uses special frames called BPDUs to pass STP information. Two types
Configuration BPDU: Used for STP computation
Topology Change Notification (TCN) BPDU: Used to announce changes in the network topology
Root Bridge: the reference point for all bridges in the network
Root Port: one port on each non-root switch, the one with the best path toward the current root bridge
Designated Port: one port per segment, the one that forwards traffic between that segment and the root
Blocking Port: a port that is neither a root port nor a designated port; it is held in standby to break the loop
10.STP Convergence
Defined in the IEEE 802.1D standard and used to avoid bridging loops. STP convergence takes place in three steps:
Elect the Root Bridge: the bridge with the lowest bridge ID becomes the root. Because the priority is the high-order part of the ID, the switch with the lowest priority wins; if the priorities are equal, the switch with the lowest MAC address becomes the root.
Elect the Root Port: each non-root switch selects one Root Port, the port with the least Root Path Cost (the cumulative cost of the links leading to the root bridge).
Elect the Designated Port: for each LAN segment one designated port is selected; it is responsible for forwarding traffic to and from that segment. The port with the least cumulative root path cost among all ports on that segment becomes designated.
11.STP Port States
There are five port states:
1. Disabled
Ports that are administratively shut down by the network administrator or disabled because of an error (for example err-disabled).
2. Blocking
After initialisation a port begins in the Blocking state to avoid bridging loops.
The port does not send or receive data frames and does not learn MAC addresses; it only receives BPDUs.
Ports that STP puts in standby to remove a bridging loop after the computation also sit in the Blocking state.
12.STP Port States
3. Listening
A port moves from Blocking to Listening when the switch decides the port may become a Root Port or Designated Port.
It still cannot send or receive data frames, but it is now allowed to send BPDUs in addition to receiving them.
In this state the port can be chosen as Root Port or Designated Port because the switch advertises it by sending BPDUs to the other switches.
If a port loses its status as Root Port or Designated Port it is put back into the Blocking state.
13.STP Port States
4. Learning
After the Forward Delay timer (15 seconds by default) expires in the Listening state, the port moves to the Learning state.
The port can send and receive BPDUs.
The port learns source MAC addresses and adds them to the CAM table, which was not allowed before.
The port still cannot send or receive data frames.
14.STP Port States
5. Forwarding
After another Forward Delay (15 seconds) in the Learning state, the port moves to the Forwarding state.
The port can send and receive BPDUs.
The port can learn MAC addresses.
The port can send and receive data frames.
A port reaches Forwarding only if it is a Root Port or a Designated Port; every other port stays in Blocking, which is what keeps the topology loop-free.
15.STP Path Selection Criteria
If a bridge receives multiple BPDUs with otherwise equal parameters, the following fields are compared in order as tie-breakers for path selection; the lowest value wins at the first field that differs:
1. Lowest Root Bridge ID
2. Lowest Root Path Cost to root bridge
3. Lowest Sender (neighbor) Bridge ID
4. Lowest Sender Port ID
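An added example (not from the slides) that carries the three election steps of slide 10 through in Python, using the bridge ID with extended system ID from slide 7 and the tie-breaker order of slide 15. The three-switch topology, link costs and port numbers are constructed; the priorities and MAC addresses echo the show spanning-tree output later in the deck. Note that with the extended system ID, IOS shows the priority as priority + VLAN (4196 for priority 4096 in VLAN 100).

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeID:
    """8-byte bridge ID with the extended system ID: 4-bit priority (a multiple of 4096)
    plus 12-bit VLAN ID in the first two bytes, then the 6-byte MAC. Lowest value wins."""
    priority: int
    vlan: int
    mac: str        # dotted hex as IOS prints it, e.g. "c204.0e00.0001"

    def key(self) -> int:
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        return ((self.priority + self.vlan) << 48) | int(self.mac.replace(".", ""), 16)


# Constructed topology (not from the slides). Ports are (port priority, port number);
# the IOS default port priority is 128. Link cost 4 is the 802.1D value for 1 Gb/s.
BRIDGES = {"SW1": (4096, "c204.0e00.0001"),
           "SW2": (8192, "c205.0e00.0001"),
           "SW3": (32768, "c206.0e00.0001")}
LINKS = [("SW1", (128, 1), "SW2", (128, 1), 4),
         ("SW1", (128, 2), "SW3", (128, 1), 4),
         ("SW2", (128, 2), "SW3", (128, 2), 4)]


def run_stp(bridges: dict, links: list, vlan: int) -> dict:
    """Run the three election steps for one VLAN; return the root, each switch's root
    path cost and a role per (switch, port): root, designated or blocking."""
    ids = {name: BridgeID(prio, vlan, mac) for name, (prio, mac) in bridges.items()}
    adj = {name: [] for name in ids}        # per switch: (own port, neighbour, its port, cost)
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Step 1: root bridge = lowest bridge ID (lowest priority, then lowest MAC).
    root = min(ids, key=lambda n: ids[n].key())

    # Root path cost = cheapest cumulative link cost to the root (Dijkstra from the root).
    rpc = {name: float("inf") for name in ids}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        cost_here, here = heapq.heappop(heap)
        if cost_here > rpc[here]:
            continue
        for _, nb, _, cost in adj[here]:
            if cost_here + cost < rpc[nb]:
                rpc[nb] = cost_here + cost
                heapq.heappush(heap, (rpc[nb], nb))

    roles = {}
    # Step 2: root port = the port receiving the best BPDU, compared in the slide's order:
    # (root path cost through the neighbour, neighbour bridge ID, neighbour port ID).
    for name in ids:
        if name == root:
            continue
        port, *_ = min(adj[name], key=lambda e: (rpc[e[1]] + e[3], ids[e[1]].key(), e[2]))
        roles[(name, port)] = "root"

    # Step 3: designated port per segment = the end that would send the superior BPDU
    # (own root path cost, own bridge ID, own port ID). The other end is root or blocking.
    for a, pa, b, pb, _ in links:
        a_bpdu, b_bpdu = (rpc[a], ids[a].key(), pa), (rpc[b], ids[b].key(), pb)
        designated, other = ((a, pa), (b, pb)) if a_bpdu < b_bpdu else ((b, pb), (a, pa))
        roles[designated] = "designated"
        roles.setdefault(other, "blocking")
    return {"root": root, "root_path_cost": rpc, "roles": roles}
```

On the constructed triangle the SW2 to SW3 link has equal root path cost at both ends, so the tie falls to the sender bridge ID and SW3's port ends up blocking. Priority is the only one of these fields an administrator sets, which is why a switch with a lower priority than the intended root (or a default-priority switch with a low MAC) silently takes over the topology.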
16.Protecting STP Topology: Unexpected Loss of BPDUs
Loop Guard: keeps track of BPDU activity on non-designated ports (root and blocking ports). While BPDUs keep arriving the port behaves normally; if they stop, the port is moved into the loop-inconsistent state instead of transitioning to Forwarding, and it stays blocked until BPDUs return.
UDLD: Unidirectional Link Detection exchanges its own messages with the neighbour to verify that a link is truly bidirectional. On a unidirectional link a blocking port stops receiving BPDUs, ages out its stored information after Max Age and transitions to Forwarding, creating a loop; UDLD detects the condition and, in aggressive mode, err-disables the port.
17.Switch Security
The following security features are supported on Cisco Catalyst switches:
Access Control Lists: Cisco IOS switches support standard, extended and named IP ACLs. Named MAC ACLs are also supported to filter traffic on layer-2 addresses, including non-IP traffic.
IEEE 802.1X Port-Based Authentication: client/server based access control. A host gets no network access until it has authenticated; until then only CDP, STP and Extensible Authentication Protocol over LAN (EAPoL) frames are allowed through the port.
Port Security: allows only a specified number of MAC addresses on a port. The addresses can be configured statically or learned when a client first connects to the port (sticky learning writes the learned addresses into the running configuration). When a port-security violation occurs, one of the following three actions can be configured:
18.Switch Security
Protect: frames from unknown MAC addresses are dropped silently; the violation counter is not incremented and no notification is generated.
Restrict: frames from unknown MAC addresses are dropped, the violation counter is incremented and a notification is generated, usually a syslog message and an SNMP trap.
Shutdown: the port is placed in the err-disabled state and effectively shut down; the violation counter is incremented and an SNMP trap or syslog message is generated. This is the default action. The port is recovered either automatically with the global "errdisable recovery cause psecure-violation" command or manually by applying "shutdown" followed by "no shutdown" to the interface.
19.Configuration Example: Creating VLANs
1. configure terminal
2. vlan <vlan-id>
3. name <name>
4. interface <int-id>
5. switchport mode access
6. switchport access vlan <vlan-id>
7. end
20.Configuration Example: Creating VLANs
1. configure terminal
2. vlan 100
3. name Sales
4. interface fastethernet 0/1
5. switchport mode access
6. switchport access vlan 100
7. end
VLANs can also be created implicitly: applying "switchport access vlan <vlan-id>" to an interface creates the VLAN in the database if it does not exist yet (on a VTP server or transparent switch).
The "switchport mode access" command statically configures the port as an access port, so it will not become a trunk even if the neighbour tries to negotiate one.
21.Verification and Troubleshooting
1. show vlan brief
2. show interfaces <int-id> switchport
3. show running-config
22.Configuration Example: Trunking
configure terminal
interface <int-id>
switchport trunk encapsulation <isl | dot1q | negotiate>
switchport mode <trunk | dynamic desirable | dynamic auto>
switchport nonegotiate
The "switchport trunk encapsulation" command exists only on platforms that support ISL; on switches that support only 802.1Q it is not needed. With "dynamic desirable" the port actively tries to negotiate a trunk; with "dynamic auto" it only answers, so two "dynamic auto" ports never form a trunk. The "switchport nonegotiate" command disables Dynamic Trunking Protocol (DTP) negotiation and requires the port to be set statically to "trunk" or "access"; it is usually applied to ports facing routers, servers and other devices that do not speak DTP. It is also the setting to use on ordinary access ports: while DTP is enabled, a connected device that answers DTP can negotiate itself a trunk and reach every VLAN on the switch, so "switchport mode access" together with "switchport nonegotiate" is the safe configuration for ports that are not meant to be trunks.
24. Configuration Example: Trunking
Switch SW-1:
1. configure terminal
2. vlan 100
3. name Sales
4. interface range fastethernet 0/1 - 15
5. switchport mode access
6. switchport access vlan 100
7. interface gigabitethernet 0/0
8. switchport trunk encapsulation dot1q
9. switchport mode trunk
25.Configuration Example: Trunking
Switch SW-2:
1. configure terminal
2. vlan 100
3. name Sales
4. interface range fastethernet 0/1 - 15
5. switchport mode access
6. switchport access vlan 100
7. interface gigabitethernet 0/0
8. switchport trunk encapsulation dot1q
9. switchport mode dynamic desirable
26.Verification and Troubleshooting
1. show vlan brief
2. show interfaces status
3. show interfaces trunk
27.Configuration Example: VTP
1. configure terminal
2. vtp mode <server | client | transparent>
3. vtp domain <name>
4. vtp version <1 | 2>
5. vtp password <value>
6. vtp pruning
7. end
28.Configuration Example: VTP
Switch SW-1:
1. configure terminal
2. vlan 100,200,300,400,500,600
3. vtp mode server
4. vtp domain CCNA
5. vtp version 2
6. vtp password ccna-lab
7. vtp pruning
8. end
29.Configuration Example: VTP
Switch SW-2:
1. configure terminal
2. vtp mode client
3. vtp domain CCNA
4. vtp version 2
5. vtp password ccna-lab
6. end
30.Verification and Troubleshooting: VTP
SW2# show vtp status
VTP Version : 2
Configuration Revision : 8
Maximum VLANs supported locally : 36
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xFD 0x93 0x2B 0xB2 0x8F 0x46 0xFD 0xC3
Configuration last modified by 10.1.1.1 at 3-1-02 00:06:17
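The check described under slide 6 (revision numbers and digests must agree across the domain), as an added Python example rather than anything from the slides: it parses "show vtp status" captures and flags the conditions a practitioner looks for before trusting a domain. The SW2 capture is the one shown above; the SW1 capture is the same output with the server mode, and the SW3 capture is constructed to represent a switch cabled in from a lab with a higher revision, a different password and pruning off.

```python
import re

# Constructed 'show vtp status' captures. SW2 is the output on the slide; SW1 is its
# server; SW3 is a switch just connected from a lab (higher revision, other password).
SW1_STATUS = """\
VTP Version : 2
Configuration Revision : 8
Maximum VLANs supported locally : 36
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xFD 0x93 0x2B 0xB2 0x8F 0x46 0xFD 0xC3
Configuration last modified by 10.1.1.1 at 3-1-02 00:06:17
"""
SW2_STATUS = SW1_STATUS.replace("VTP Operating Mode : Server", "VTP Operating Mode : Client")
SW3_STATUS = """\
VTP Version : 2
Configuration Revision : 42
Maximum VLANs supported locally : 36
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : CCNA
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x1A 0x7C 0x09 0xE4 0x55 0xB0 0x3D 0x62
Configuration last modified by 192.168.77.2 at 3-1-02 11:42:05
"""

LINE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$")
MODIFIED = re.compile(r"last modified by (\S+) at (.+)$")


def parse_vtp_status(text: str) -> dict:
    """Turn the 'key : value' lines of 'show vtp status' into a dict. The 'last modified'
    line has no key, so it is parsed separately."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
            continue
        m = MODIFIED.search(line)
        if m:
            out["Last Modifier"], out["Last Modified"] = m.group(1), m.group(2).strip()
    return out


def audit_vtp(captures: dict) -> list:
    """Cross-check the switches of one domain. Findings: more than one domain name, no
    server, a non-server whose revision exceeds the server's (it will replace the VLAN
    database the next time its advertisement is accepted), differing MD5 digests
    (password or database mismatch) and inconsistent pruning."""
    status = {name: parse_vtp_status(text) for name, text in captures.items()}
    findings = []
    domains = {s["VTP Domain Name"] for s in status.values()}
    if len(domains) > 1:
        findings.append(f"more than one VTP domain in scope: {sorted(domains)}")
    servers = [n for n, s in status.items() if s["VTP Operating Mode"] == "Server"]
    if not servers:
        findings.append("no VTP server found; nobody can change the VLAN database")
    server_rev = max((int(status[n]["Configuration Revision"]) for n in servers), default=-1)
    for name, s in status.items():
        rev = int(s["Configuration Revision"])
        if name not in servers and rev > server_rev:
            findings.append(f"{name}: revision {rev} is higher than the server's {server_rev}; "
                            "reset it (change the domain name or pass through transparent "
                            "mode) before it overwrites the domain")
    if len({s["MD5 digest"] for s in status.values()}) > 1:
        findings.append("MD5 digest differs between switches: password or VLAN database mismatch")
    if len({s["VTP Pruning Mode"] for s in status.values()}) > 1:
        findings.append("VTP pruning is not consistent across the domain")
    return findings
```

In a healthy domain every switch reports the same domain name, revision and MD5 digest, so audit_vtp() over SW1 and SW2 alone returns nothing; adding SW3 produces three findings.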
31.Verification and Troubleshooting: STP
SW1#show spanning-tree vl 100 root
Root ID Priority 4096
Address c204.0e00.0001
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
32.Verification and Troubleshooting: STP
SW2#show spanning-tree vlan 100 brief
VLAN100
Spanning tree enabled protocol ieee
Root ID Priority 8192
Address c205.0e00.0001
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 8192
Address c205.0e00.0001
Hello Time 5 sec Max Age 20 sec Forward Delay 25 sec
Aging Time 300
33.Configuration and Troubleshooting: Port Security
1. interface <int-id>
2. switchport mode access
3. switchport port-security
4. switchport port-security maximum <max-mac-addresses-value>
5. switchport port-security mac-address [<mac-address> | sticky]
6. switchport port-security violation {protect | restrict | shutdown}
Port security cannot be enabled on a port in dynamic (DTP) mode, which is why the port is set to access mode first.
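The three violation actions from slide 18 and the commands above, modelled as an added Python example (not code from the slides). It tracks the allowed addresses of one port, applies the maximum, and shows why sticky learning matters when a port is recovered. Interface names and MAC addresses are constructed; address aging is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of port security on an access port: a bounded set of allowed source MACs
    and one of the three violation actions."""
    name: str
    maximum: int = 1                             # switchport port-security maximum
    violation: str = "shutdown"                  # protect | restrict | shutdown (IOS default)
    sticky: bool = False                         # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # switchport port-security mac-address <mac>
    learned: set = field(default_factory=set)    # dynamically (or sticky) learned addresses
    status: str = "SecureUp"                     # SecureUp, or SecureDown once err-disabled
    violations: int = 0                          # "Security Violation count"
    events: list = field(default_factory=list)   # stands in for syslog / SNMP traps

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.static = {m.lower() for m in self.static}
        if len(self.static) > self.maximum:
            raise ValueError("more static addresses than the configured maximum")

    @property
    def secure_addresses(self) -> set:
        return self.static | self.learned

    def frame_from(self, mac: str) -> bool:
        """Process a frame with this source MAC; True if it is forwarded."""
        mac = mac.lower()
        if self.status != "SecureUp":
            return False                          # err-disabled: nothing passes
        if mac in self.secure_addresses:
            return True
        if len(self.secure_addresses) < self.maximum:
            self.learned.add(mac)                 # learn while below the maximum
            return True
        # An address beyond the maximum: this is the violation.
        if self.violation == "protect":
            return False                          # dropped silently, counter untouched
        self.violations += 1
        self.events.append(f"%PORT_SECURITY: {self.name}: unauthorized source {mac}")
        if self.violation == "shutdown":
            self.status = "SecureDown"
            self.events.append(f"{self.name}: err-disabled (psecure-violation)")
        return False

    def recover(self) -> None:
        """'shutdown' then 'no shutdown' on the interface, or errdisable recovery."""
        self.status = "SecureUp"
        if not self.sticky:
            self.learned.clear()                  # dynamic addresses do not survive a link reset

    def running_config(self) -> list:
        """The interface stanza as it would appear in the running configuration;
        sticky-learned addresses are written there, dynamically learned ones are not."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines
```

Protect mode is the one to be careful with in a monitored network: the offending frames are dropped, but the counter and the events stay empty, so nothing tells the operator that a second device appeared on the port.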
34.Configuration and Troubleshooting: Port Security
1. show port-security
2. show port-security [interface <int-id>]
3. show port-security address
35. Show Port Security
SW1# show port-security interface fastethernet 1/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 1
Total MAC Addresses: 1
Configured MAC Addresses: 1
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0