Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
99
Views
0
Helpful
0
Comments

Briding and Switching

pramod
Level 1
Level 1

‎05-20-2010 11:19 PM - edited ‎03-01-2019 04:31 PM

>> AUTHOR : PRAMOD KG

>> I AM CONTRIBUTING THIS TO ALL MY FRIENDS IN CISCO SUPPORT COMMUNITY,

>> DEDICATING THIS TO VINOD KG,KARTHKA RADHAKRISHNAN,GOPINATHAN NAIR.K,GIRIJA S,RATHEESH RV,NANDHANA   

   VINOD,NANDHU,KUMAR SREEJITH,THIRTHA,RADHAKRISHNAN MG,PADMAJA RADHAKRISHNAN,SARAVANAKUMAR,HASSAN   

   AHAMED,HAFFIZULLA RAHMAN,SUDARSAN RAJAGOPLAN,BALAJIKUMARAN KK,VENKATESH,SCOTT   

   PETERMAN-SAM-ROWENA-BEN FROST(CRICKET COMMUNICATIONS DENVER USA),,LIST GOES :-)

>> MAINLY DEDICATING THIS TO MY INSTRUCTOR "AJAY PANDEY - TOPGUN NETWORKS BANGALORE" & "BEENA.G.NAIR - 

   TOPGUN NETWORKS" WHERE I STARTED MY NETWORKING CARREER IN 2005,FOR MY CCIE - ROUTING AND SWITCHING   

   TRACK.BOTH REALLY HELPED ME A LOT DURING MY TOUGH TIMES.

>> PLEASE TAKE IT AS A REFERENCE GUIDE TO BRUSH UP FORGOTTEN CONCEPTS.

>> PLEASE APOLOGIZE IF ANY TYPO ERRORS,REACH ME ANY TIME ON MY MOBILE:(91)-9176643232 OR   

      CISCOMAN2010@GMAIL.COM.

>> GUY'S PLEASE COME UP WITH UR SUGGESTIONS/FEEDBACKS,TO MAKE IT MORE POWERFUL FOR REFERENCE.

>> NOTE:I AM USING ALL IN CAPS,BEC I LIKE THIS STYLE,SO DURING CONFIG OF CISCO DEVICES U CAN USE NO   

   CAPS.

>> TOPIC:BRIDGING AND SWITCHING >>
   >>>>>>>>>>>>>>>>>>>>>>>>>>>>

>> BY DEFAULT SWITCH SENT TRAFFIC OUT OF ALL PORTS,NORMALLY CALLED BROADCASTS.CAN WE CREATE MULTIPLE   

   BROADCASTS ON A SWITCH ? YES, WE CAN WITH THE HELP OF VLAN'S. USING VLAN'S MULTIPLE BROADCAST      

   DOMAINS CAN BE CREATED.

>> EACH VLAN NEED A SEPERATE SUBNET.

>> VLAN'S CAN LOGICALLY SEGMENT THE USERS.

>> SO WAT'S TRUNK PORT ? HMM ! IT CARRIES ALL VLAN'S. 3COM / HP CALLS IT AS TAGGED PORTS. IN CISCO   

   WORLD WE CALL IT AS TRUNK PORTS.

>> VLAN'S CAN BE USED AS A SECURITY MECHANISM,- ACCESS CONTROL.

>> QOS FEATURES CAN BE APPLIED, LIKE ONE VLAN HAVE MORE PRIORITY THAN THE OTHER.

>> CISCO'S LOCAL VLAN - MEANS TO STOP VLANS TRAVELLING TO CORE!WHEN IT COMES TO HIERACHICAL DESIGN   

   LOCAL VLAN TRAFFIC IN ACCESS LAYER SHOULD STOP AT THE DISTRIBUTION LAYER.SO IF VLAN'S IN ONE ACCESS   

   LAYER WANTS TO COMMUNICATE WITH VLAN'S ON ANOTHER ACCESS LAYER,IT MUST BE ROUTED THROUGH THE CORE   

   USING ANY ROUTING PROTOCOLS (OSPF,EIGRP,,, - IT'S YOUR CHOISE GUY'S)

>> SHOW VLAN - WILL DISPLAY ALL VLANS, BY DEFAULT ALL INTERFACES WILL BE ASSOCIATED TO VLAN 1 EXCEPT   

   THE TRUNK LINKS.

>> HOW TO CREATE VLANS ? HMM ! TWO WAYS THERE...

>> GO TO VLAN DATABASE MODE UNDER PRIVILEDGE MODE,GIVE VLAN NO THEN NAME AND DONT USE CTRL+Z BEC IT   

   WONT SAVE THE VLANS U CREATED SO USE APPLY OR EXIT COMMAND

#VLAN DATABASE
#VLAN 2 NAME PRAMOD1
#APPLY

OR

#VLAN DATABASE
#VLAN 3 NAME PRAMOD2
#EXIT

SO NOW U CREATED VLANS WHICH IS AN OLD METHOD, I KNOW U WAITING TO KNOW THE NEW METHOD

#CONF T
#VLAN 1
#NAME PRAMOD1
#CTRL+Z OR USE EXIT !!!

>> HOW TO ASSOCIATE PORTS TO A VLAN ?

>> YOU CAN USE INTERFACE RANGE COMMAND FOR A GRP OF PORTS OR USE INTERFACE,THEN IF U CONNECT A HOST   

MAKE IT AS AN ACCESS PORT BEC BY DEFAULT IT WILL BE DYNAMIC DESIRABLE MODE WHICH AUTOMATICALLY   

NEGOTIATE AND FORM TRUNK WITH THE OTHER SIDE.

#INTERFACE RANGE INT FA0/0 - 10
#SWITCHPORT MODE ACCESS
#SWICHPORT ACCESS VLAN PRAMOD1
#EXIT

>> NORMALLY VLAN INFOS ARE NOT STORED ON RUNNNING CONFIG.IT WILL BE STORED ON VLAN.DAT IN FLASH.
   MAKE SURE WHEN U ERASE THE CONFIG PLEASE DELETE VLAN.DAT FROM FLASH OTHERWISE OLD VLANS STILL EXISTS

   AFTER U GIVE WRITE ERASE

#WRITE ERASE
#DELETE FLASH:VLAN.DAT

>> PLEASE RELOAD THE DEVICE OTHERWISE U WILL STILL SEE OLD VLAN'S UNDER "SHOW VLAN"

>> TRUNKING - IS A LAYER 2 FEATURE, NORMALLY PC'S ARE NOT INTELLIGENT AND ARE NOT AWARE OF WHAT A VLAN 

   IS,SO IT WILL JUST SENT TRAFFIC TO SWITCH,CISCO SWITCHES ARE INTELLIGENT,ONE THE SWITCH GETS THE   

   FRAME IT TAGS THE FRAME WITH A TAG(IN THIS CASE PRAMOD1),SO INTERFACES UNDER PRAMOD1 CAN COMMUNICATE   

   WITH EACH OTHER.PC-PC COMMUNICATION SWITCH STRIPS OF TAG,SWITCH-SWITCH ??? TRUNKING MEANS IT WONT   

   STRIP TAG.IT CARRIES TAGGED FRAMES.

>> TO MAKE IT MORE SIMPLER PC-PC - NO TAGS & SWITCH TO SWITCH - TAGGED FRAMES

>> THERE ARE TWO TYPES OF TAGGING OF FRAME


1.ISL
2.DOT1Q

>> ISL IS CISCO PROPRIETARY,ONLY SUPPORTED BY CISCO DEVICES,BEC CISCO WERE THE FIRST WHO CAME UP WITH  

   THE CONCEPT CALL VLAN,TRUNK ETC,,,ISL ENCAPSULATE ENTIRE FRAME BEFORE PASSING IT TO TRUNK LINKS,NOW  

   THIS FEATURE IS GOING AWAY AS INDUSTRY STD DOT1.Q CAME TO THE WORLD,ISL PUT A BRAND NEW HEADER AND  

   TRAILER DURING ENCAPSULATION.

>> ISL IS SOMETHING LOOK LIKE THIS

26BYTE HEADER - FRAME -4BYTE CRC
WHEN U LOOK DEEPER IN TO 26BYTE HEADER
JUNK-VLAN-JUNK
NORMALLY VLANS ARE 2 BYTES - 16 BITS
JUNKS ARE FOR SPECIAL PURPOSE WHEN CISCO INTRODUCED - FOR BPDU,CDP STUFF'S,SOURCE/DESTINATION MAC

ADDRESSES,BUT NOBODY USES ANY MORE !!!

>> DOT1Q IS AN INDUSTRY STANDARD,AS NAME IMPLIES IT WORK ON BOTH CISCO AND NON-CISCO DEVICES,INSTEAD OF

   ENCAPSULATING THE ENTIRE.

>> DOT1Q IS SOMETHING LOOK LIKE THIS

   DEST MAC-SOURCE MAC-4 BYTE TAG-ETHERNET FRAME - FCS

   WHEN U LOOK DEEP IN TO 4 BYTE TAG
   HAS 3 BIT PRIORITY - MAINLY COS - ITS A QOS FEATURE AND REMAINING FOR VLAN INFO
   ITS SIMPLER OVERALL!!!

>> NATIVE VLAN ??? - OK, THIS IS A FEATURE IN DOT1Q ENCAPSULATION,IT'S NOT SUPPORTED IN ISL.
   HAVE U EVER SEEN "NATIVE VLAN MISMATCH WHEN U WORKING ON SWITCH USING A CONSOLE? "
   WHY IT'S IMPORTANT ? OK THERE ARE TWO SCENARIOS WHERE NATIVE VLAN PLAYS AN IMPORTANT ROLE.
   1.CONSIDER AN EX, SWITCH A AND B ARE CONNECTED USING A TRUNK LINK.ONE DAY AN ADMIN PLACES A HUB IN  

   THE MIDDLE OF TWO SWITCHES TO CONNECT FEW PC'S MAY BE HE USED AS HE DOES'T HAVE PORTS ON SWITCH.
   SO WHAT HAPPENS IS THE PC CONNECTED TO HUB WILL SEND UNTAGGED PACKETS TO THE TRUNK LINK OF THE   

   SWITCH,BEC TRUNK PORTS NORMALLY UNDERSTAND ONLY TAGGED FRAMES,SO WHAT THE TRUNK WILL DO IF IT GERT   

   AN UNTAGGED PACKET ? HERE COMES THE CONCEPT OF NATIVE VLAN,IF A TRUNK RECEIVES UNTAGGED PACKET BY   

   DEFAULT IT SEND TO DEFAULT VLAN 1, BASED ON UR PREFERENCE U CAN CHANGE IT TO OTHER VLANS AS WELL.

>> NATIVE VLAN MISMATCHES IF ONE END OF THE SWTCH TRUNK IS CONFIGURED FOR NATIVE VLAN 1 AND OTHER END  

   OF THE SWITCH IS CONFIGURED FOR NATIVE VLAN VLAN 2

>> SECOND SCENARIO IS VOIP WORLD.

   SOMETHING LIKE THIS

   SWITCH - CISCO IP PHONE - PC

>> CISCO IP PHONE CAN SEND TAGGED FRAMES. BUT PC'S CANT SENT TAGGED FRAMES.
   HERE IF BOTH PC AND IP PHONE ARE IN SAME VLAN PROBLEMS COMMON ARE
   1.SECURITY - PC CAN SPOOF VOIP CONVERSATIONS.
   2.DEGRADED VOIP QUALITY - DURING VOIP COVERSATON,IF PC DOWNLOADS A HUGE FILE HAVE AN IMPACT ON VOIP 

   CONVERSATIONS.

>> WHAT'S DTP ? IT'S DYNAMIC TRUNKING PROTOCOL, USED TO AUTOMATICALLY NEGOTIATE AND FORM TRUNKS.

>> 5 MODES

1. ACCESS -> MAILY FOR ACCESS LAYER DEVICES LIKE A PC.
2.TRUNK -> CONNECTING FOR UPLINK SWITCHES
3.DYNAMIC DESIRABLE -> EVERY NEW SWITCH OUT OF BOX IS IN DYNAMIC DESIRABLE STATE.MEANS IF U PLUG A PC  

  IT AUTOMATICALLY BECOMES AN ACCESS PORT,IF U CONNECT SWITCH IT AUTOMATCALLY NEGOTIATE AND FORM TRUNK.
  IT'S GOOD BUT HAVE SOME SECURTY ISSUES,
  THINK U ARE ON UR CUBICLE,COMING WITH A SWITCH ( TRUST EMPLOYEES ,, ONLY FOR HACKERS) CONNECT TO PORT

  ON UR DESK,BY DEFAULT DYNAMIC DESIRABLE MODE ALLOWS TO FORM TRUNK,SO U CAN ASSIGN PORTS TO WHATEVER  

  VLAN U LIKE AND HACK THE NETWORK!!!
4.DYNAMIC AUTO - THIS MEANS I AM AUTO, I WONT SEND ANY DTP PACKETS OUT OF MY INTERFACE.IF SOME ONE  

  REQUEST ME TO FORM TRUNK I WILL BECOME A TRUNK,IF SOME ONE REQUEST ME TO FORM ACCESS PORT I WILL  

  BECOME AN ACCESS PORT.
5.NON-NEGOTIATE-VERY GOOD MODE,CONSIDER A SCENARIO
  ONE END IS TRUNK, OTHER END IS IN DYNAMIC AUTO/DYNAMIC DESIRABLE.SO TRUNK ENABLED PORT WILL SENT DTP 

  PACKETS AND FORM TRUNK WITH THE OTHER SIDE.

>> FOR HACKERS - IF A PORT IS ENABLED FOR TRUNK IF A HACKER CONNECTS A PC AND USE PACKET SNIFFERS ON   

   THAT TRUNK PORT AND CAPTURE THE DTP PACKETS SENDING OUT,HE CAN COME WITH A ROGUE SWITCH AND FORM   

   TRUNK.

>> HOW TO VERIFY THE TRUNK NEGOTIATIONS?


#SH INTERFACES INT FA0/0 SWITCHPORT
THEN CHECK THE ADMINISTRATIVE MODE AND OPERATIONAL MODE.

>> SH INTERFACES TRUNK OR SH INTERFACES INT FA0/0 TRUNK CAN BE USED TO FIND THE TRUNK   

   ENCAPSULATIONS,ALLOWED VLANS,NATIVE VLAN INFORMATIONS ETC.

>> HOW TO HARDCODE TRUNK ENCAP/TRUNKING ?
#SWITCHPORT TRUNK ENCAPSULATION DOT1Q OR ISL
THEN
#SWITCHPORT MODE TRUNK

>> FEW SWITCHES U WONT SEE TRUNK ENCAPSULATONS,IN SUCH CASE U NEED TO GIVE ONLY "SWITCHPORT MODE TRUNK"

>> BY DEFAULT SWITCH CARRIES ALL VLANS,CONSIDER SWITCH A HAS VLAN 11,12,13 AND SWITCH B HAS VLAN 13,SO 

   WHY WE NEED TO ALLOW 11 AND 12 VLANS TO DOWNSTREAM,NO NEED RIGHT ? YES IT IS,,, SO TO BLOCK U CAN   

   CHOOSE TWO WAYS
   1.USING ALLOWED VLANS
   2.PRUNING

#INT FA0/0
#SWITCHPORT TRUNK ALLOWED VLAN 13.

>> HOW TO STOP DTP PACKETS OUT OF THE INTERFACE ?


#INT FA0/0
#SWITCHPORT NONNEGOTIATE.


Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents