05-20-2010 11:19 PM - edited 03-01-2019 04:31 PM
>> AUTHOR : PRAMOD KG
>> I AM CONTRIBUTING THIS TO ALL MY FRIENDS IN CISCO SUPPORT COMMUNITY,
>> DEDICATING THIS TO VINOD KG,KARTHKA RADHAKRISHNAN,GOPINATHAN NAIR.K,GIRIJA S,RATHEESH RV,NANDHANA
VINOD,NANDHU,KUMAR SREEJITH,THIRTHA,RADHAKRISHNAN MG,PADMAJA RADHAKRISHNAN,SARAVANAKUMAR,HASSAN
AHAMED,HAFFIZULLA RAHMAN,SUDARSAN RAJAGOPLAN,BALAJIKUMARAN KK,VENKATESH,SCOTT
PETERMAN-SAM-ROWENA-BEN FROST(CRICKET COMMUNICATIONS DENVER USA),,LIST GOES :-)
>> MAINLY DEDICATING THIS TO MY INSTRUCTOR "AJAY PANDEY - TOPGUN NETWORKS BANGALORE" & "BEENA.G.NAIR -
TOPGUN NETWORKS" WHERE I STARTED MY NETWORKING CAREER IN 2005, FOR MY CCIE - ROUTING AND SWITCHING
TRACK. BOTH REALLY HELPED ME A LOT DURING MY TOUGH TIMES.
>> PLEASE TAKE IT AS A REFERENCE GUIDE TO BRUSH UP FORGOTTEN CONCEPTS.
>> PLEASE EXCUSE ANY TYPO ERRORS, REACH ME ANY TIME ON MY MOBILE:(91)-9176643232 OR
>> GUY'S PLEASE COME UP WITH UR SUGGESTIONS/FEEDBACKS,TO MAKE IT MORE POWERFUL FOR REFERENCE.
>> NOTE:I AM USING ALL IN CAPS,BEC I LIKE THIS STYLE,SO DURING CONFIG OF CISCO DEVICES U CAN USE NO
CAPS.
>> TOPIC:BRIDGING AND SWITCHING >>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> BY DEFAULT A SWITCH IS ONE BROADCAST DOMAIN: A BROADCAST (OR A FRAME TO A DESTINATION MAC THE SWITCH
HAS NOT LEARNED YET) IS FLOODED OUT OF EVERY PORT EXCEPT THE ONE IT ARRIVED ON. CAN WE CREATE MULTIPLE
BROADCAST DOMAINS ON ONE SWITCH ? YES, WE CAN WITH THE HELP OF VLAN'S. EACH VLAN IS ITS OWN BROADCAST
DOMAIN, AND FLOODING STAYS INSIDE THE VLAN.
>> EACH VLAN NEEDS A SEPARATE IP SUBNET.
>> VLAN'S LOGICALLY SEGMENT THE USERS, INDEPENDENT OF WHICH PHYSICAL PORT OR SWITCH THEY SIT ON.
>> SO WHAT'S A TRUNK PORT ? HMM ! IT CARRIES MULTIPLE VLAN'S OVER ONE LINK, WITH A TAG ON EACH FRAME
SAYING WHICH VLAN IT BELONGS TO. 3COM / HP CALL THESE TAGGED PORTS. IN THE CISCO WORLD WE CALL THEM
TRUNK PORTS.
>> VLAN'S CAN BE USED AS A SECURITY MECHANISM - SEGMENTATION. HOSTS IN DIFFERENT VLAN'S CAN ONLY REACH
EACH OTHER THROUGH A ROUTER OR L3 SWITCH, SO THAT IS WHERE THE ACCESS CONTROL (ACL'S) GOES. THE
SEPARATION ONLY HOLDS IF TRUNKS, DTP AND THE NATIVE VLAN ARE LOCKED DOWN (SEE THE DTP AND NATIVE VLAN
SECTIONS BELOW).
>> QOS FEATURES CAN BE APPLIED PER VLAN, FOR EXAMPLE GIVING THE VOICE VLAN HIGHER PRIORITY THAN THE
DATA VLAN.
>> CISCO'S LOCAL VLAN DESIGN - MEANS VLAN'S DO NOT STRETCH INTO THE CORE! IN A HIERARCHICAL DESIGN, A
VLAN IN THE ACCESS LAYER SHOULD TERMINATE AT THE DISTRIBUTION LAYER. SO IF A VLAN IN ONE ACCESS BLOCK
WANTS TO COMMUNICATE WITH A VLAN IN ANOTHER ACCESS BLOCK, THE TRAFFIC IS ROUTED AT DISTRIBUTION AND
ACROSS THE CORE USING A ROUTING PROTOCOL (OSPF, EIGRP, ... - IT'S YOUR CHOICE GUYS).
>> SHOW VLAN - DISPLAYS ALL VLAN'S AND THE ACCESS PORTS IN EACH ONE. BY DEFAULT ALL INTERFACES ARE IN
VLAN 1. TRUNK PORTS ARE NOT LISTED THERE; USE SHOW INTERFACES TRUNK FOR THOSE.
>> HOW TO CREATE VLANS ? HMM ! TWO WAYS THERE...
>> OLD WAY: GO TO VLAN DATABASE MODE FROM PRIVILEGED MODE, GIVE THE VLAN NUMBER AND NAME, AND DON'T USE
CTRL+Z, BECAUSE THAT LEAVES THE MODE WITHOUT SAVING THE VLANS YOU CREATED. USE APPLY OR EXIT TO COMMIT
THEM (ABORT DISCARDS THEM). THIS MODE IS DEPRECATED.
#VLAN DATABASE
#VLAN 2 NAME PRAMOD1
#APPLY
OR
#VLAN DATABASE
#VLAN 3 NAME PRAMOD2
#EXIT
SO NOW YOU HAVE CREATED VLANS THE OLD WAY. I KNOW YOU ARE WAITING FOR THE NEW METHOD: GLOBAL CONFIG
MODE. NOTE THAT VLAN 1 IS THE DEFAULT VLAN AND CANNOT BE RENAMED OR DELETED, SO USE 2 AND UP.
#CONF T
#VLAN 2
#NAME PRAMOD1
#END (CTRL+Z) OR EXIT - BOTH ARE FINE HERE, THE VLAN IS CREATED WHEN YOU LEAVE VLAN CONFIG MODE !!!
>> HOW TO ASSOCIATE PORTS TO A VLAN ?
>> USE THE INTERFACE RANGE COMMAND FOR A GROUP OF PORTS, OR INTERFACE FOR A SINGLE ONE. IF A HOST CONNECTS
THERE, MAKE IT AN ACCESS PORT, BECAUSE OUT OF THE BOX THE PORT IS IN A DYNAMIC DTP MODE (DYNAMIC
DESIRABLE ON OLDER CATALYSTS, DYNAMIC AUTO ON NEWER ONES) THAT WILL NEGOTIATE AND FORM A TRUNK WITH
WHATEVER SPEAKS DTP ON THE OTHER SIDE. THE ACCESS VLAN IS GIVEN BY NUMBER, NOT BY NAME.
#INTERFACE RANGE FASTETHERNET0/1 - 10
#SWITCHPORT MODE ACCESS
#SWITCHPORT ACCESS VLAN 2
#EXIT
>> NORMALLY VLAN INFO IS NOT STORED IN THE RUNNING CONFIG (VTP SERVER OR CLIENT MODE); IT IS STORED IN
VLAN.DAT IN FLASH. (IN VTP TRANSPARENT MODE THE VLAN'S ALSO APPEAR IN THE RUNNING CONFIG.) SO WHEN YOU
ERASE THE CONFIG, ALSO DELETE VLAN.DAT FROM FLASH, OTHERWISE THE OLD VLANS STILL EXIST AFTER WRITE ERASE.
#WRITE ERASE
#DELETE FLASH:VLAN.DAT
>> THEN RELOAD THE DEVICE; UNTIL YOU DO, "SHOW VLAN" STILL SHOWS THE OLD VLAN'S.
>> TRUNKING IS A LAYER 2 FEATURE. A NORMAL PC IS NOT VLAN-AWARE; IT JUST SENDS PLAIN FRAMES TO THE
SWITCH. THE SWITCH ASSIGNS EACH FRAME ARRIVING ON AN ACCESS PORT TO THAT PORT'S VLAN (IN THIS CASE
PRAMOD1), SO PORTS IN PRAMOD1 CAN COMMUNICATE WITH EACH OTHER AND WITH NOBODY ELSE. THE TAG IS ONLY
ADDED WHEN THE FRAME LEAVES ON A TRUNK, SO THE NEXT SWITCH KNOWS WHICH VLAN IT BELONGS TO; WHEN THE
FRAME LEAVES ON AN ACCESS PORT TOWARDS A PC THE TAG IS STRIPPED AGAIN. SWITCH-SWITCH ??? TRUNKING MEANS
THE TAG STAYS ON: THE LINK CARRIES TAGGED FRAMES.
>> TO MAKE IT SIMPLER: PC-SWITCH - NO TAGS & SWITCH-SWITCH (TRUNK) - TAGGED FRAMES
>> THERE ARE TWO TYPES OF TAGGING OF FRAME
1.ISL
2.DOT1Q
>> ISL IS CISCO PROPRIETARY, ONLY SUPPORTED BY CISCO DEVICES, BECAUSE CISCO HAD VLAN TRUNKING BEFORE THE
IEEE STANDARD EXISTED. ISL ENCAPSULATES THE ENTIRE ORIGINAL FRAME, PUTTING A BRAND NEW HEADER AND
TRAILER AROUND IT BEFORE PASSING IT ONTO THE TRUNK LINK. IT IS GOING AWAY NOW THAT THE INDUSTRY
STANDARD DOT1Q IS EVERYWHERE; NEWER CATALYSTS DON'T SUPPORT ISL AT ALL.
>> ISL LOOKS SOMETHING LIKE THIS
26-BYTE HEADER - ORIGINAL FRAME (WITH ITS OWN FCS) - 4-BYTE CRC
WHEN YOU LOOK DEEPER INTO THE 26-BYTE HEADER
OTHER FIELDS - VLAN - OTHER FIELDS
THE VLAN ID IS 15 BITS, FOLLOWED BY A 1-BIT BPDU FLAG (2 BYTES TOGETHER). THE OTHER FIELDS ARE THE ISL
MULTICAST DESTINATION ADDRESS, SOURCE MAC, TYPE, LENGTH, SNAP/LLC, INDEX AND RESERVED BITS; THE BPDU
FLAG MARKS BPDU, CDP AND VTP FRAMES. NOBODY DEPLOYS NEW ISL ANY MORE !!!
>> DOT1Q (IEEE 802.1Q) IS AN INDUSTRY STANDARD; AS THE NAME IMPLIES IT WORKS ON BOTH CISCO AND NON-CISCO
DEVICES. INSTEAD OF ENCAPSULATING THE ENTIRE FRAME, IT INSERTS A 4-BYTE TAG INTO THE EXISTING FRAME AND
RECOMPUTES THE FCS.
>> DOT1Q LOOKS SOMETHING LIKE THIS
DEST MAC - SOURCE MAC - 4-BYTE TAG - TYPE/LENGTH - PAYLOAD - FCS (RECOMPUTED)
WHEN YOU LOOK DEEP INTO THE 4-BYTE TAG
2 BYTES TPID (0X8100 - THIS IS HOW A RECEIVER KNOWS A TAG FOLLOWS), THEN 2 BYTES TCI: A 3-BIT PRIORITY
(COS - A QOS FEATURE), A 1-BIT CFI/DEI, AND A 12-BIT VLAN ID (1-4094 USABLE).
IT'S SIMPLER OVERALL!!!
>> NATIVE VLAN ??? - OK, THIS IS A FEATURE OF DOT1Q ENCAPSULATION; ISL HAS NO SUCH THING, IT TAGS EVERY
FRAME.
HAVE YOU EVER SEEN "%CDP-4-NATIVE_VLAN_MISMATCH" ON THE CONSOLE WHILE WORKING ON A SWITCH ? (CDP IS WHAT
DETECTS IT.)
WHY IS IT IMPORTANT ? OK, THERE ARE TWO SCENARIOS WHERE THE NATIVE VLAN PLAYS AN IMPORTANT ROLE.
1. CONSIDER AN EXAMPLE: SWITCH A AND B ARE CONNECTED BY A TRUNK LINK. ONE DAY AN ADMIN PLACES A HUB IN
THE MIDDLE OF THE TWO SWITCHES TO CONNECT A FEW PC'S, MAYBE BECAUSE HE RAN OUT OF SWITCH PORTS.
THE PC'S ON THE HUB SEND UNTAGGED FRAMES INTO THE TRUNK PORTS OF THE SWITCHES. A TRUNK EXPECTS TAGGED
FRAMES, SO WHAT DOES IT DO WITH AN UNTAGGED ONE ? HERE COMES THE CONCEPT OF THE NATIVE VLAN: UNTAGGED
FRAMES RECEIVED ON A DOT1Q TRUNK ARE PLACED IN THE NATIVE VLAN, WHICH IS VLAN 1 BY DEFAULT, AND FRAMES
OF THE NATIVE VLAN ARE SENT OUT OF THE TRUNK UNTAGGED. YOU CAN CHANGE IT PER TRUNK WITH "SWITCHPORT
TRUNK NATIVE VLAN <ID>" (BOTH ENDS MUST AGREE).
SECURITY CAVEAT: THOSE PC'S NOW SIT ON A TRUNK, SO ANY OF THEM CAN ALSO SEND TAGGED FRAMES AND LAND IN
ANY VLAN THE TRUNK CARRIES. KEEP END HOSTS OFF TRUNKS, USE AN UNUSED VLAN AS THE NATIVE VLAN, AND
CONSIDER THE GLOBAL COMMAND "VLAN DOT1Q TAG NATIVE" SO THE NATIVE VLAN IS TAGGED AS WELL.
>> A NATIVE VLAN MISMATCH IS WHEN ONE END OF THE SWITCH TRUNK IS CONFIGURED FOR NATIVE VLAN 1 AND THE
OTHER END FOR NATIVE VLAN 2. UNTAGGED FRAMES THEN LEAVE IN VLAN 1 AND ARRIVE IN VLAN 2, SO THE TWO
VLAN'S LEAK INTO EACH OTHER, AND PVST+ MAY BLOCK THE PORT FOR THOSE VLAN'S (PVID INCONSISTENCY).
>> SECOND SCENARIO IS THE VOIP WORLD.
SOMETHING LIKE THIS
SWITCH - CISCO IP PHONE - PC
>> A CISCO IP PHONE CAN SEND TAGGED FRAMES (VOICE VLAN, MARKED COS 5), BUT THE PC BEHIND IT SENDS
UNTAGGED FRAMES, WHICH LAND IN THE PORT'S ACCESS (DATA) VLAN. THAT IS THE NATIVE VLAN IDEA AGAIN:
UNTAGGED = DATA VLAN, TAGGED = VOICE VLAN ("SWITCHPORT VOICE VLAN <ID>" ON THE PORT).
IF BOTH PC AND IP PHONE ARE IN THE SAME VLAN, THE COMMON PROBLEMS ARE
1. SECURITY - THE PC IS IN THE SAME BROADCAST DOMAIN AS THE PHONES, SO IT CAN ARP-SPOOF THEM AND
INTERCEPT OR INJECT INTO VOIP CONVERSATIONS.
2. DEGRADED VOIP QUALITY - IF THE PC DOWNLOADS A HUGE FILE DURING A CALL, IT COMPETES WITH THE VOICE
TRAFFIC; A SEPARATE VOICE VLAN LETS QOS TRUST THE PHONE'S COS MARKING AND PRIORITISE IT.
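TO MAKE THE DOT1Q TAG LAYOUT AND THE NATIVE VLAN RULES CONCRETE, HERE IS AN ADDED PYTHON MODEL. IT IS NOT CODE FROM THE ORIGINAL POST; THE MAC ADDRESSES, SAMPLE FRAMES AND FUNCTION NAMES ARE ALL CONSTRUCTED FOR THIS EXAMPLE. IT BUILDS TAGGED FRAMES, CLASSIFIES THEM THE WAY A TRUNK DOES (THE OUTER TAG'S VID WINS, UNTAGGED GOES TO THE NATIVE VLAN, THE NATIVE VLAN LEAVES UNTAGGED) AND REPLAYS SCENARIO 1: THE PC BEHIND THE HUB LANDS IN VLAN 1 WHEN IT SENDS PLAIN FRAMES, IN VLAN 20 IF IT TAGS FOR ITSELF, AND WITH TWO TAGS IT CROSSES FROM SWITCH A INTO VLAN 20 ON SWITCH B UNLESS THE NATIVE VLAN IS TAGGED. THE DOUBLE-TAG AND MISMATCH CASES GO BEYOND WHAT THE POST SPELLS OUT BUT FOLLOW FROM THE SAME RULE. THE LAST TWO CALLS SHOW THE PHONE/PC SPLIT OF SCENARIO 2.

```python
"""Model of the dot1q behaviour described above: the 4-byte tag, how a
trunk classifies tagged vs untagged frames into VLANs, the native VLAN on
egress, and the hub-on-a-trunk / phone-and-PC cases.  Added example, not
from the original post; all MACs and frames are constructed here."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a dot1q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Ethernet frame with zero or more dot1q tags (outermost first).
    Each tag = TPID 0x8100 + 16-bit TCI (3-bit PCP | 1-bit DEI | 12-bit VID).
    The FCS is left out; the NIC computes it over the tagged frame."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
                    for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of tag dicts, offset of the EtherType after the tags)."""
    offset, tags = 12, []
    while len(frame) >= offset + 4 and frame[offset:offset + 2] == b"\x81\x00":
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return tags, offset


def trunk_ingress(frame, native_vlan=1):
    """What a dot1q trunk does with a received frame.  Only the outermost
    tag is looked at: its VID picks the VLAN, and an untagged frame (or a
    priority-tagged one with VID 0) falls into the native VLAN.  Anything
    after the first tag, a second tag included, is just payload here."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tags, offset = parse_tags(frame)
    if len(frame) < offset + 2:
        raise ValueError("truncated frame")
    if tags and tags[0]["vid"] != 0:
        vlan, untagged = tags[0]["vid"], False
    else:
        vlan, untagged = native_vlan, True
    stripped = frame[:12] + frame[16:] if tags else frame   # remove outer tag only
    return {"vlan": vlan, "untagged": untagged,
            "pcp": tags[0]["pcp"] if tags else 0, "frame": stripped}


def trunk_egress(vlan, frame, native_vlan=1, tag_native=False):
    """Send a frame that belongs to `vlan` out of a dot1q trunk.  The native
    VLAN leaves untagged unless the switch is told to tag it (IOS global
    command 'vlan dot1q tag native'); any other VLAN gets a tag inserted
    right after the source MAC."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]


def relay(frame, native_a, native_b, tag_native=False):
    """Frame enters switch A on a trunk, A forwards it over the A-B trunk,
    and switch B classifies it.  Returns the VLAN switch B puts it in.
    native_a / native_b are the two ends' native VLAN settings, so a
    mismatch can be modelled too."""
    a = trunk_ingress(frame, native_a)
    on_wire = trunk_egress(a["vlan"], a["frame"], native_a, tag_native)
    return trunk_ingress(on_wire, native_b)["vlan"]


if __name__ == "__main__":
    PC = bytes.fromhex("0200000000aa")       # constructed, locally administered MACs
    PHONE = bytes.fromhex("0200000000cc")
    SW = bytes.fromhex("0200000000bb")
    # Scenario 1: hub in the middle of a trunk.  Untagged PC frame -> native VLAN.
    print(trunk_ingress(build_frame(SW, PC, [], b"hi"))["vlan"])              # 1
    # Same PC tags VID 20 itself: the trunk believes it.  Hosts on a trunk
    # can reach any VLAN it carries.
    print(trunk_ingress(build_frame(SW, PC, [20], b"hi"))["vlan"])            # 20
    # Double tag [1][20]: A strips the native tag, B sees 20.  Tagging the
    # native VLAN keeps the frame in VLAN 1.
    print(relay(build_frame(SW, PC, [1, 20], b"hi"), 1, 1))                   # 20
    print(relay(build_frame(SW, PC, [1, 20], b"hi"), 1, 1, tag_native=True))  # 1
    # Native VLAN mismatch: VLAN 1 on A arrives as VLAN 2 on B.
    print(relay(build_frame(SW, PC, [], b"hi"), 1, 2))                        # 2
    # Scenario 2: phone port with data VLAN 10 and voice VLAN 20.
    print(trunk_ingress(build_frame(SW, PHONE, [20], b"rtp", pcp=5), 10)["vlan"])  # 20
    print(trunk_ingress(build_frame(SW, PC, [], b"http"), 10)["vlan"])        # 10
```

THE MODEL DELIBERATELY CONSUMES ONLY THE OUTERMOST TAG ON INGRESS, WHICH IS EXACTLY WHY THE DOUBLE-TAGGED FRAME ESCAPES: SWITCH A NEVER LOOKS AT THE INNER TAG, AND ONCE THE NATIVE TAG IS STRIPPED ON THE WAY OUT, SWITCH B SEES THE INNER TAG AS THE ONLY TAG.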
>> WHAT'S DTP ? IT'S DYNAMIC TRUNKING PROTOCOL, A CISCO-PROPRIETARY PROTOCOL USED TO AUTOMATICALLY
NEGOTIATE AND FORM TRUNKS (AND TO AGREE ON THE ENCAPSULATION, ISL OR DOT1Q).
>> 5 MODES (THE LAST ONE IS STRICTLY A DTP SETTING RATHER THAN A MODE)
1. ACCESS -> MAINLY FOR ACCESS LAYER DEVICES LIKE A PC. THE PORT NEVER BECOMES A TRUNK.
2. TRUNK -> FOR UPLINKS TO OTHER SWITCHES. THE PORT IS A TRUNK UNCONDITIONALLY, BUT IT STILL SENDS DTP
FRAMES TO HELP THE OTHER SIDE NEGOTIATE.
3. DYNAMIC DESIRABLE -> THE OUT-OF-THE-BOX DEFAULT ON OLDER CATALYSTS (2950/3550). THE PORT ACTIVELY
ASKS TO TRUNK: IF YOU PLUG IN A PC IT STAYS AN ACCESS PORT, IF YOU CONNECT A SWITCH IT AUTOMATICALLY
NEGOTIATES AND FORMS A TRUNK. IT'S CONVENIENT BUT HAS A SECURITY ISSUE:
THINK YOU ARE IN YOUR CUBICLE, YOU COME IN WITH A SWITCH (TRUSTED EMPLOYEES ONLY, RIGHT ? - OR A PC
THAT SPEAKS DTP) AND CONNECT IT TO THE PORT AT YOUR DESK. DYNAMIC DESIRABLE HAPPILY FORMS A TRUNK, SO
NOW YOU CAN TAG INTO WHATEVER VLAN YOU LIKE AND HACK THE NETWORK!!!
4. DYNAMIC AUTO -> THE DEFAULT ON NEWER CATALYSTS (2960/3560/3750). "I AM AUTO" MEANS I WON'T ASK TO
FORM A TRUNK, BUT I STILL SEND DTP FRAMES ANNOUNCING MYSELF AND I LISTEN: IF THE OTHER SIDE IS TRUNK
OR DESIRABLE I BECOME A TRUNK, OTHERWISE I STAY AN ACCESS PORT. TWO AUTO PORTS FACING EACH OTHER NEVER
TRUNK. IT STILL TRUNKS WITH A ROGUE DEVICE THAT SENDS DESIRABLE DTP FRAMES, SO IT IS ONLY A LITTLE
SAFER THAN DESIRABLE.
5. NONEGOTIATE -> VERY GOOD MODE. THE PORT SENDS NO DTP FRAMES AT ALL; IT IS WHATEVER YOU HARDCODED
(ACCESS OR TRUNK) AND THE OTHER END MUST BE HARDCODED TO MATCH. COMPARE THE SCENARIO WHERE ONE END IS
TRUNK AND THE OTHER END IS DYNAMIC AUTO/DYNAMIC DESIRABLE: THE TRUNK PORT SENDS DTP PACKETS AND FORMS A
TRUNK WITH THE OTHER SIDE. WITH NONEGOTIATE THAT AUTOMATIC PART IS GONE.
>> FOR HACKERS - IF A PORT IS IN ANY DTP MODE, AN ATTACKER CAN PLUG IN A PC, SNIFF THE DTP FRAMES THE
PORT SENDS, AND THEN ANSWER WITH CRAFTED DTP FRAMES (OR BRING A ROGUE SWITCH) TO FORM A TRUNK AND GET
INTO EVERY VLAN THAT TRUNK CARRIES.
>> HOW TO VERIFY THE TRUNK NEGOTIATIONS?
#SHOW INTERFACES FASTETHERNET0/1 SWITCHPORT
THEN CHECK THE ADMINISTRATIVE MODE (WHAT YOU CONFIGURED) AGAINST THE OPERATIONAL MODE (WHAT DTP
ACTUALLY NEGOTIATED), AND THE "NEGOTIATION OF TRUNKING" LINE, WHICH READS OFF WHEN NONEGOTIATE IS SET.
>> SHOW INTERFACES TRUNK, OR SHOW INTERFACES FASTETHERNET0/1 TRUNK, CAN BE USED TO FIND THE TRUNK
ENCAPSULATION, ALLOWED VLANS, NATIVE VLAN INFORMATION ETC.
>> HOW TO HARDCODE TRUNK ENCAP/TRUNKING ?
#SWITCHPORT TRUNK ENCAPSULATION DOT1Q (OR ISL)
THEN
#SWITCHPORT MODE TRUNK
>> ON SWITCHES THAT ONLY SUPPORT DOT1Q (2960 FOR EXAMPLE) THERE IS NO ENCAPSULATION COMMAND; YOU JUST
GIVE "SWITCHPORT MODE TRUNK". ON SWITCHES THAT SUPPORT BOTH, SET THE ENCAPSULATION FIRST, BECAUSE THE
DEFAULT "NEGOTIATE" ENCAPSULATION CANNOT BE COMBINED WITH A HARDCODED TRUNK AND THE COMMAND IS REJECTED.
>> BY DEFAULT A TRUNK CARRIES ALL VLAN'S (1-4094). CONSIDER SWITCH A HAS VLAN 11, 12, 13 AND SWITCH B
HAS ONLY VLAN 13. WHY FLOOD 11 AND 12 DOWNSTREAM TO B ? NO NEED, RIGHT ? YES IT IS. TO STOP IT YOU CAN
CHOOSE TWO WAYS
1. USING ALLOWED VLANS (MANUAL, AND THE ONE TO USE FOR SECURITY, SINCE IT IS A HARD LIMIT ON THE TRUNK)
2. VTP PRUNING (AUTOMATIC; IT ONLY STOPS FLOODED TRAFFIC FOR VLAN'S NO DOWNSTREAM SWITCH HAS ACTIVE,
AND IT NEVER PRUNES VLAN 1 OR 1002-1005)
#INTERFACE FASTETHERNET0/1
#SWITCHPORT TRUNK ALLOWED VLAN 13
>> HOW TO STOP DTP PACKETS OUT OF THE INTERFACE ?
#INTERFACE FASTETHERNET0/1
#SWITCHPORT NONEGOTIATE
(THE PORT MUST ALREADY BE IN ACCESS OR TRUNK MODE; THE COMMAND IS REJECTED IN THE DYNAMIC MODES.)
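TO CHECK THESE SETTINGS ACROSS A WHOLE SWITCH INSTEAD OF ONE PORT AT A TIME, HERE IS AN ADDED PYTHON SCRIPT. IT IS NOT FROM THE ORIGINAL POST, AND THE RUNNING-CONFIG IT READS (SAMPLE_CONFIG) IS A CONSTRUCTED SAMPLE. IT PARSES THE INTERFACE STANZAS OF "SHOW RUNNING-CONFIG" AND FLAGS THE POINTS MADE ABOVE: PORTS STILL IN A DYNAMIC DTP MODE (OR LEFT AT THE PLATFORM DEFAULT), TRUNKS WITHOUT "SWITCHPORT NONEGOTIATE", TRUNKS LEFT ON NATIVE VLAN 1, TRUNKS CARRYING ALL VLANS, AND ACCESS PORTS THAT HAVE NOT BEEN TOLD TO STOP SENDING DTP.

```python
"""Audit a Catalyst running-config for the trunk/DTP hygiene points above:
ports still in a dynamic (DTP) mode, trunks without 'switchport
nonegotiate', trunks left on native VLAN 1, trunks allowing every VLAN,
and access ports that can still send DTP.  Added example, not from the
original post; SAMPLE_CONFIG is constructed for illustration."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user-desk
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description printer-left-at-defaults
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 description uplink-as-first-configured
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description hardened-uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

MODE_RE = re.compile(r"^switchport mode (access|trunk|dynamic (?:auto|desirable))$")
NATIVE_RE = re.compile(r"^switchport trunk native vlan (\d+)$")


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of indented lines under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level line ends the stanza
    return interfaces


def audit_interface(name, lines):
    """Return a list of findings (strings) for one switchport."""
    findings = []
    mode = None
    for line in lines:
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
    nonegotiate = "switchport nonegotiate" in lines
    if mode is None or mode.startswith("dynamic"):
        findings.append(f"{name}: mode {mode or 'not set (platform default)'}; "
                        "DTP can turn this port into a trunk")
    elif mode == "access" and not nonegotiate:
        findings.append(f"{name}: access port; add 'switchport nonegotiate' "
                        "so it sends no DTP frames")
    elif mode == "trunk":
        if not nonegotiate:
            findings.append(f"{name}: trunk still speaks DTP; add 'switchport nonegotiate'")
        native = 1                   # IOS default native VLAN
        for line in lines:
            m = NATIVE_RE.match(line)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings.append(f"{name}: native VLAN is 1; move it to an unused VLAN")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs; restrict with "
                            "'switchport trunk allowed vlan'")
    return findings


def audit(config):
    """Audit every interface; returns {interface name: [findings]}."""
    return {name: audit_interface(name, lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

FEED IT THE REAL THING WITH THE OUTPUT OF "SHOW RUNNING-CONFIG" SAVED TO A FILE; ONLY THE INTERFACE STANZAS ARE LOOKED AT, SO THE REST OF THE CONFIG IS IGNORED. A PORT THAT SHOWS NO "SWITCHPORT MODE" LINE IS REPORTED AS DYNAMIC ON PURPOSE, BECAUSE WHICHEVER DYNAMIC MODE THE PLATFORM DEFAULTS TO, IT WILL NEGOTIATE.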