Chapter 3: VLANs. Routing & Switching

Similar documents
CHAPTER 1: VLANS. Routing & Switching

1. Which two statements are true about VLAN implementation? (Choose two.)

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

VLANs. Traditional Campus Networks. Performance Issues. Broadcast Issues. Bridges terminate collision domains

VLANs. 2003, Cisco Systems, Inc. All rights reserved. 2-1

VLANs. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Maintaining Specific VLAN Identification. Comparing ISL and 802.1Q. VLAN Trunking

Configuring VLANs. Understanding VLANs CHAPTER

Cisco Exploration 3 Module 3 LAN Switching and Wireless Jim Johnston Class Notes September 9, 2008

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER

VLAN Configuration. Understanding VLANs CHAPTER

Configuring VLAN Trunks

Sybex CCENT Chapter 11: VLANs and Inter-VLAN Routing. Instructor & Todd Lammle

Configuring Private VLANs

Configuring Private VLANs

Ch. 9 VTP (Trunking, VTP, Inter-VLAN Routing) CCNA 3 version 3.0

CCENT Study Guide. Chapter 11 VLANs and Inter-VLAN Routing

VLANs. CCNA Exploration Semester 3 Chapter Sep-13

VLANs and Trunking C H A P T E R. 6-1: VLAN Configuration. Section 6-1

Chapter 3. Virtual Local Area Networks (VLANs) Part II

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Internetwork Expert s CCNP Bootcamp. VLANs, Trunking, & VTP. VLANs Overview

Configuring Interface Characteristics

Introduction to Switched Networks Routing And Switching

For information about configuring these settings from Cluster Management Suite (CMS), refer to the online help.

Configuring Interface Characteristics

Configuring Voice VLAN

Configuring Cisco IP Phone Support

VLANs Level 3 Unit 9 Computer Networks

Question No : 1 Which three of these statements regarding 802.1Q trunking are correct? (Choose three.)

Configuring Interface Characteristics

Configuring Interfaces

Configuring IEEE 802.1Q Tunneling

Configuring Interfaces

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Lab 5: Inter-VLANs Routing

Configuring SPAN and RSPAN

: Building Cisco Multilayer Switched Networks

Configuring Private VLANs

Configuring Access and Trunk Interfaces

Lab Catalyst 2950T and 3550 Series VTP Domain and VLAN Trunking

Lab - Troubleshooting VLAN Configurations (Instructor Version Optional Lab)

Configuring SPAN and RSPAN

Lab - Configuring VLANs and Trunking (Solution)

Configuring SPAN and RSPAN

Configuring SPAN. Understanding SPAN CHAPTER. This chapter describes how to configure Switched Port Analyzer (SPAN) and on the Catalyst 2960 switch.

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling

Configuring Private VLANs

Configuring SPAN and RSPAN

Configuring SPAN and RSPAN

Switches running the LAN Base feature set support only static routing on SVIs.

Chapter 2 Lab 2-1, Static VLANS, VLAN Trunking, and VTP Domains and Modes

Lab Catalyst 2950T and 3550 Series VTP Domain and VLAN Trunking

Lab - Configuring VLANs and Trunking

Lab - Configuring VLANs and Trunking

Implement VTP. LAN Switching and Wireless Chapter 4 Modified by Tony Chen 10/01/2008

Understanding and Configuring Private VLANs

Configuring Interface Characteristics

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Note: Use two 2960 switches for ALS1 and ALS2 and two 3560 switches for DLS1 and DLS2

LAN Troubleshooting. Ethernet Troubleshooting

Configuring EtherChannels and Layer 2 Trunk Failover

Lab Catalyst 2950T and 3550 Series Static VLANS

The following graphic shows a single switch VLAN configuration.

Configuring EtherChannels and Link-State Tracking

Table of Contents. Cisco Using One DHCP Server for Voice and Data Networks

Configuring SPAN and RSPAN

CCNA Cisco Certified Network Associate CCNA (v3.0)

Interface and Hardware Components Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Configuring EtherChannels and Layer 2 Trunk Failover

Configuring Link Aggregation

VLANs. LAN Switching and Wireless Chapter 3. Version Cisco Systems, Inc. All rights reserved. Cisco Public 1

Configuring Port-Based Traffic Control

Lab 5: Basic VLAN Configuration

Configuring EtherChannels

University of Jordan Faculty of Engineering & Technology Computer Engineering Department Advance Networks Laboratory Exp.4 Inter-VLAN Routing

Lab Configuring EtherChannel

Configuring Port Security

Configuring SmartPort Macros

Configuring Flex Links

Configuring EtherChannels and Link-State Tracking

Configuring VTP. Understanding VTP CHAPTER

CCIE Foundation. WorkBooks.com. Narbik Kocharians CCIE #12410 R&S, Security, SP. 3550/3560 Switching. Answers

Configuring Private VLANs Using NX-OS

Chapter 3 Lab 3-3, Per-VLAN Spanning Tree Behavior

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

CCNA( ) Dumps V2.0( ) CCNA

the larger the number of users and devices, the more broadcasts and packets each switch must handle.

Configuring Link Aggregation

examcollection.premium.exam.157q. Exam code: Exam name: Implementing Cisco IP Switched Networks. Version 15.0

Exam Implementing Cisco IP Switched Networks (SWITCH)

PASS4TEST IT 인증시험덤프전문사이트

Configuring Resilient Ethernet Protocol

VLAN Configuration via CLI on 300/500 Series Managed Switches

Transcription:

Chapter 3: VLANs Routing & Switching

VLAN Definitions A VLAN is a logical partition of a Layer 2 network. VLANs logically group hosts, regardless of physical location. Multiple partitions can be created, allowing for multiple VLANs to co-exist. Each VLAN is a broadcast domain, usually with its own IP network. Devices in one VLAN do not hear the broadcasts from devices in another VLAN. VLANs are mutually isolated and packets can only pass between them via a router. The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually via a switch. The hosts grouped within a VLAN are unaware of the VLAN s existence. After the initial boot of an unconfigured switch, all ports are members of the default VLAN. 2

VLAN Definitions 3

Benefits of VLANs Security Cost reduction Better performance Shrink broadcast domains Improved IT staff efficiency Simpler project and application management 4

Types of VLANs Data VLAN is a VLAN that is configured to carry user-generated traffic. Default VLAN contains all unconfigured switch ports after the initial boot up of a switch loading the default configuration and are part of the same broadcast domain. Native VLAN is assigned to an 802.1Q trunk port. Trunk ports are the links between switches that support the transmission of traffic associated with more than one VLAN (both tagged and untagged traffic) Management VLAN is any VLAN that is configured to access management features of the switch. 5

Voice VLANs VoIP traffic is time-sensitive and requires: Assured bandwidth to ensure voice quality. Transmission priority over other types of network traffic. Ability to be routed around congested areas on the network. Delay of less than 150 ms across the network. The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco IP phones and carry IP voice traffic. The sound quality of an IP phone call can deteriorate if the data is unevenly sent; the switch supports quality of service (QoS). 6

Voice VLANs The Cisco IP phone has two RJ-45 ports that each support connections to external devices. Network Port (10/100 SW) - Use this port to connect the phone to the network. The phone can also obtain inline power from the Cisco Catalyst switch over this connection. Access Port (10/100 PC) - Use this port to connect a network device, such as a computer, to the phone. 7

Voice VLANs 8

VLAN Trunks A VLAN trunk carries more than one VLAN. A VLAN trunk is usually established between switches so same-vlan devices can communicate, even if physically connected to different switches. A VLAN trunk is not associated to any VLANs; neither is the trunk ports used to establish the trunk link. Cisco IOS supports IEEE802.1Q, a popular VLAN trunk protocol. Types of point-to-point connections that utilize VLAN trunking: between two switches that utilize multiple VLANs between a switch and a server that has an 802.1Q NIC 9

VLAN Trunks 10

Controlling Broadcast Domains with VLANs VLANs can be used to limit the reach of broadcast frames. A VLAN is a broadcast domain of its own. A broadcast frame sent by a device in a specific VLAN is forwarded within that VLAN only. VLANs help control the reach of broadcast frames and their impact in the network. Unicast and multicast frames are forwarded within the originating VLAN. 11

Tagging Ethernet Frames for VLAN Identification Frame tagging is the process of adding a VLAN identification header to the frame. It is used to properly transmit multiple VLAN frames through a trunk link. Switches tag frames to identify the VLAN to that they belong. Different tagging protocols exist; IEEE 802.1Q is a vey popular example. The protocol defines the structure of the tagging header added to the frame. Switches add VLAN tags to the frames before placing them into trunk links and remove the tags before forwarding frames through nontrunk ports. When properly tagged, the frames can transverse any number of switches via trunk links and still be forwarded within the correct VLAN at the destination. 12

Tagging Ethernet Frames for VLAN Identification 13

Tagging Ethernet Frames for VLAN Identification A frame is traveling between PC-A and PC-B through the switch. What VLAN tagging is added to the frame? No VLAN tag is added to the frame 14

Native VLANs and 802.1Q Tagging Frames that belong to the native VLAN are not tagged. Frames received untagged remain untagged and are placed in the native VLAN when forwarded. If there are no ports associated to the native VLAN and no other trunk links, an untagged frame is dropped. In Cisco switches, the native VLAN is VLAN 1, by default. Two types of point-to-point connections utilize VLAN trunking: between two switches that utilize multiple VLANs between a switch and a server that has an 802.1Q NIC An 802.1Q trunk port, with a native VLAN assigned, supports both tagged and untagged traffic. 15

Voice VLAN Tagging 16

VLAN Ranges on Catalyst Switches Cisco Catalyst 2960 and 3560 Series switches support over 4,000 VLANs. VLANs are split into two categories: Normal range VLANs VLAN numbers from 1 to 1,005 Configurations stored in the vlan.dat (in the flash memory) VTP can only learn and store normal range VLANs Extended Range VLANs VLAN numbers from 1,006 to 4,096 Configurations stored in the running configuration (NVRAM) VTP does not learn extended range VLANs 17

Resetting a Switch How do you clear all VLAN information from the switch? 1. Delete the startup configuration 2. Delete the vlan.dat file in the flash memory 3. Reboot the switch 18

Creating a VLAN 19

Assigning Ports to VLANs 20

Assigning Ports to VLANs What is the effect of issuing a switchport access vlan 20 command on the Fa0/18 port of a switch that does not have this VLAN in the VLAN database? VLAN 20 will be created automatically 21

Assigning a Voice VLAN 22

Changing VLAN Port Membership Port Fa0/11 on a switch is assigned to VLAN 30. If the command no switchport access vlan 30 is entered on the Fa0/11 interface, what will happen? Port Fa0/11 will be returned to VLAN 1 23

Changing VLAN Port Membership What must the network administrator do to remove Fast Ethernet port fa0/1 from VLAN 2 and assign it to VLAN 3? Enter the switchport access vlan 3 command in interface configuration mode. 24

Deleting VLANs What happens to a port that is associated with VLAN 20 when the administrator deletes VLAN 20 from the switch? The port becomes inactive. 25

Verifying VLAN Information The show vlan command displays the VLAN assignment for all ports as well as the existing VLANs on the switch. 26

Verifying VLAN Information 27

Verifying VLAN Information Which command displays the encapsulation type, the voice VLAN ID, and the access mode VLAN for the Fa0/1 interface? show interfaces Fa0/1 switchport 28

Verifying VLAN Information PC-C broadcasts a packet. Which PCs will receive the broadcast sent by PC-C? PC-D, PC-E 29

Configuring IEEE 802.1q Trunk Links A Cisco switch currently allows traffic tagged with VLANs 10 and 20 across trunk port Fa0/5. What is the effect of issuing a switchport trunk allowed vlan 30 command on Fa0/5? It allows only VLAN 30 on Fa0/5 30

Resetting the Trunk To Default State 31

Resetting the Trunk To Default State 32

Verifying Trunk Configuration What VLANs are allowed across a trunk when the range of allowed VLANs is set to the default value? All VLANs will be allowed across the trunk. 33

Troubleshooting VLANs DLS1 is connected to another switch, DLS2, via a trunk link. A host that is connected to DLS1 is not able to communicate to a host that is connected to DLS2, even though they are both in VLAN 99. Which command should be added to Fa0/1 on DLS1 to correct the problem? switchport trunk native vlan 66 34

Troubleshooting VLANs PC-A and PC-B are both in VLAN 60. PC-A is unable to communicate with PC-B. What is the problem? The VLAN that is used by PC-A is not in the list of allowed VLANs on the trunk. 35

Troubleshooting VLANs Interface Fa0/1 is connected to a PC. Fa0/2 is a trunk link to another switch. All other ports are unused. Which security best practice did the administrator forget to configure? All user ports are associated with VLANs distinct from VLAN 1 and distinct from the 'black-hole' VLAN. 36

Introduction to Dynamic Trunking Protocol Switch ports can be manually configured to form trunks. Switch ports can also be configured to negotiate and establish a trunk link with a connected peer. The Dynamic Trunking Protocol (DTP) manages trunk negotiation. DTP is a Cisco proprietary protocol and is enabled, by default, in Cisco Catalyst 2960 and 3560 switches. If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation. The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto. 37

Dynamic Trunking Protocol Cisco Catalyst 2960 and 3560 support the following trunk modes: Switchport mode dynamic auto makes the interface become a trunk interface if the neighboring interface is set to trunk or desirable mode. Switchport mode dynamic desirable makes the interface actively attempt to convert the link to a trunk link. Switchport mode trunk puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. Switchport mode nonegotiate prevents the interface from generating DTP frames. 38

Dynamic Trunking Protocol Under which two occasions should an administrator disable DTP while managing a local area network? When connecting a Cisco switch to a non-cisco switch On links that should not be trunking Which command should the network administrator implement to prevent the transfer of DTP frames between a Cisco switch and a non-cisco switch? S1(config-if)# switchport nonegotiate 39

IP Addressing Issues with VLAN It is a common practice to associate a VLAN with an IP network. Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network to communicate. The figure displays that PC1 cannot communicate to the server because it has a wrong IP address configured. 40

Common Problems with Trunks Trunking issues are usually associated with incorrect configurations. The most common type of trunk configuration errors are: Native VLAN mismatches Trunk mode mismatches Allowed VLANs on trunks If a trunk problem is detected, the best practice guidelines recommend to troubleshoot in the order shown above. 41

Trunk Mode Mismatches If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. Use the show interfaces trunk command to check the status of the trunk ports on the switches. To fix the problem, configure the interfaces with proper trunk modes. 42

Incorrect VLAN List VLANs must be allowed in the trunk before their frames can be transmitted across the link. Use the switchport trunk allowed vlan command to specify which VLANs are allowed in a trunk link. Use the show interfaces trunk command to ensure the correct VLANs are permitted in a trunk. 43

Incorrect VLAN List PC-A and PC-B are both in VLAN 60. PC-A is unable to communicate with PC-B. What is the problem? The VLAN that is used by PC-A is not in the list of allowed VLANs on the trunk 44

Incorrect VLAN List DLS1 is connected to another switch, DLS2, via a trunk link. A host that is connected to DLS1 is not able to communicate to a host that is connected to DLS2, even though they are both in VLAN 99. Which command should be added to Fa0/1 on DLS1 to correct the problem? switchport trunk native vlan 66 45

Switch Spoofing Attack There are a number of different types of VLAN attacks in modern switched networks; VLAN hopping is one example. The default configuration of the switch port is dynamic auto. In a basic VLAN hopping attack, attackers take advantage of the default automatic trunking configuration switch feature. By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network. Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack. To prevent a basic switch spoofing attack, turn off trunking on all ports, except the ones that specifically require trunking. Change the native VLAN number to one that is distinct from all user VLANs and is not VLAN 1 Disable DTP auto negotiation on end-user ports. 46

PVLAN Edge The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch. Local relevancy only. A protected port only exchanges traffic with unprotected ports. A protected port does not exchange traffic with another protected port. 47

Per-VLAN Spanning Tree (PVST) Switch 1 Configuration Switch# conf t Switch(config)# spanning-tree mode pvst Switch(config)# spanning-tree vlan 1 priority 4096 Switch(config)# interface FastEthernet0/2 Switch(config-if)# switchport access vlan 2 Switch(config-if)# interface FastEthernet0/21 Switch(config-if)# switchport mode trunk Switch(config-if)# interface FastEthernet0/22 Switch(config-if)# switchport mode trunk Switch(config-if)# interface FastEthernet0/23 Switch(config-if)# switchport mode trunk Switch(config-if)# interface FastEthernet0/24 Switch(config-if)# switchport mode trunk Switch(config-if)# interface GigabitEthernet0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# interface GigabitEthernet0/2 Switch(config-if)# switchport mode trunk Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance for each VLAN configured in the network. It uses ISL Trunking and allows a VLAN trunk to be forwarding for some VLANs while blocking for other VLANs. Since PVST treats each VLAN as a separate network, it has the ability to load balance traffic (at layer-2) by forwarding some VLANs on one trunk and other Vlans on another trunk without causing a Spanning Tree loop. 48

VLAN Design Guidelines Move all ports from VLAN 1 and assign them to a not-in-use VLAN Shut down all unused switch ports. Separate management and user data traffic. Change the management VLAN to a VLAN other than VLAN 1. (The same goes to the native VLAN.) Ensure that only devices in the management VLAN can connect to the switches. The switch should only accept SSH connections. Disable autonegotiation on trunk ports. Do not use the auto or desirable switch port modes. 49

Inter-VLAN Routing Switch Configuration Switch# conf t Switch(config)# interface FastEthernet0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# interface FastEthernet0/3 Switch(config-if)# switchport access vlan 10 Switch(config-if)# interface FastEthernet0/5 Switch(config-if)# switchport access vlan 20 Switch(config-if)# interface FastEthernet0/7 Switch(config-if)# switchport access vlan 30 Switch(config-if)# interface Vlan1 Switch(config-if)# ip address 10.1.1.2 255.255.255.0 Switch(config-if)# ip default-gateway 10.1.1.1 50

Inter-VLAN Routing Router Configuration Router# conf t Router(config)# interface FastEthernet0/0.1 Router(config-if)# description Management VLAN 1 Router(config-if)# encapsulation dot1q 1 native Router(config-if)# ip address 10.1.1.1 255.255.255.0 Router(config-if)# interface FastEthernet0/0.10 Router(config-if)# description Accounting VLAN 10 Router(config-if)# encapsulation dot1q 10 Router(config-if)# ip address 10.1.10.1 255.255.255.0 Router(config-if)# interface FastEthernet0/0.20 Router(config-if)# description Marketing VLAN 20 Router(config-if)# encapsulation dot1q 20 Router(config-if)# ip address 10.1.20.1 255.255.255.0 Router(config-if)# interface FastEthernet0/0.30 Router(config-if)# description Engineering VLAN 30 Router(config-if)# encapsulation dot1q 30 Router(config-if)# ip address 10.1.30.1 255.255.255.0 51

Virtual Trunking Protocol (VTP) Switch 2 Configuration Switch(config)#int vlan 1 Switch(config-if)#ip address 172.16.1.2 255.255.255.0 Switch(config-if)#no shut Switch(config)# vtp mode server Switch(config)# vtp domain group1 Switch(config)# vtp password cisco Switch(config)#int fa0/1 Switch(config-if)#switchport mode trunk Add VLANs to this switch Switch 2 Configuration Switch(config)#int vlan 1 Switch(config-if)#ip address 172.16.1.3 255.255.255.0 Switch(config-if)#no shut Switch(config)# vtp mode client Switch(config)# vtp domain group1 Switch(config)# vtp password cisco Switch(config)#int fa0/1 Switch(config-if)#switchport mode trunk 52

53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback