10-16-2013 10:31 AM - edited 03-07-2019 04:04 PM
With Wilson Bonilla
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about issues in designing, planning, and implementing Layer 2 security in your LAN network with expert Wilson Bonilla.
Wilson will cover topics that network engineers face daily such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, virtual LAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping over Cisco Catalyst platforms. With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.
Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.
Remember to use the rating system to let Wilson know if you've received an adequate response.
Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, subcommunity LAN, Switching and Routing, shortly after the event. This event lasts through November 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.
10-21-2013 12:29 AM
Hi,
Can you explain in which scenarios DHCP snooping is enabled/disabled in the Cisco switches? What are the benefits of enabling the same?
10-21-2013 09:10 AM
Hello rvg2k
In general:
DHCP snooping is disabled by default in all Catalyst platforms; it requires some additional configuration.
When should it be enabled?
There are many scenarios, but the point is: enable it when there may be a possibility of a rogue DHCP server.
Example:
In a company where employees bring their own devices to connect to the network, chances are that an employee brings a home router so that they can have more ports available for their own benefit. If this router has DHCP capabilities, think of the possibility that this fake DHCP server starts providing IP addresses to other clients trying to connect to the network. As you can suppose, the client will end up getting a duplicate IP address, or maybe an invalid IP address for the VLAN they are in; this will end up in a connectivity issue.
Solution and benefits:
The solution to that scenario is DHCP snooping. Just like a firewall that inspects traffic, DHCP snooping is a Layer 2 solution to protect against rogue DHCP servers. DHCP snooping keeps track of DHCP messages; if a DHCP Offer message is received coming in on an untrusted interface, it will be dropped, protecting clients from getting an IP address from an undesirable source.
Regards.
Wilson B
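The drop decision described in the answer above, as an added teaching model written for this thread (not Cisco's implementation and not code from the original post): it parses constructed DHCP packets, drops server-originated messages (Offer, ACK, NAK) that arrive on an untrusted port, checks that the client hardware address matches the frame's source MAC on untrusted ports, and builds a small binding table from ACKs seen on the trusted port. Port names and MAC/IP values are made-up sample data.

```python
"""Model of the DHCP snooping decision: constructed packets only, not Cisco's code."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_ONLY = {OFFER, ACK, NAK}          # only a DHCP server legitimately sends these
MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie after the BOOTP header


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_dhcp(msg_type: int, chaddr: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal DHCP packet (constructed sample data for the demo)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2          # BOOTREQUEST / BOOTREPLY
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0,       # xid is a made-up constant
                         bytes(4), ip_bytes(yiaddr), bytes(4), bytes(4),
                         mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return header + MAGIC + bytes([53, 1, msg_type, 255])     # option 53, then END


@dataclass
class Dhcp:
    op: int
    chaddr: str
    yiaddr: str
    msg_type: Optional[int]


def parse_dhcp(data: bytes) -> Dhcp:
    """Parse only the fields snooping needs: op, client MAC, offered IP, message type."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = data[2]
    yiaddr = ".".join(str(b) for b in data[16:20])
    chaddr = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    msg_type = None
    i = 240
    while i < len(data) and data[i] != 255:      # walk TLV options until END
        if data[i] == 0:                          # PAD option has no length byte
            i += 1
            continue
        tag, length = data[i], data[i + 1]
        if tag == 53 and length == 1:
            msg_type = data[i + 2]
        i += 2 + length
    return Dhcp(data[0], chaddr, yiaddr, msg_type)


@dataclass
class DhcpSnooper:
    trusted: Set[str]                                # ports that face the real DHCP server
    pending: Dict[str, str] = field(default_factory=dict)       # client mac -> client port
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # mac -> (ip, port)

    def inspect(self, port: str, src_mac: str, data: bytes) -> Tuple[bool, str]:
        """Return (forward?, reason) for one DHCP packet seen on `port`."""
        msg = parse_dhcp(data)
        if port not in self.trusted:
            if msg.msg_type in SERVER_ONLY:
                return False, "server message on untrusted port (rogue DHCP server)"
            if msg.chaddr != src_mac.lower():
                return False, "chaddr does not match frame source MAC"
            self.pending[msg.chaddr] = port          # remember which port the client used
        elif msg.msg_type == ACK and msg.chaddr in self.pending:
            # a real binding also records VLAN and lease time; kept to ip + port here
            self.bindings[msg.chaddr] = (msg.yiaddr, self.pending.pop(msg.chaddr))
        return True, "forward"


if __name__ == "__main__":
    snoop = DhcpSnooper(trusted={"Gi1/0/24"})
    client = "00:11:22:33:44:55"
    print(snoop.inspect("Gi1/0/5", client, build_dhcp(DISCOVER, client)))
    print(snoop.inspect("Gi1/0/7", "de:ad:be:ef:00:01",
                        build_dhcp(OFFER, client, "192.168.1.50")))   # home router
    print(snoop.inspect("Gi1/0/24", "00:00:5e:00:53:01",
                        build_dhcp(ACK, client, "10.1.1.20")))        # real server
    print(snoop.bindings)
```

The binding table the model fills is the same kind of MAC-to-IP-to-port record that features such as dynamic ARP inspection and IP source guard, mentioned in the event description, consume later.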
10-21-2013 11:45 AM
Hi, Wilson.
I have some questions concerning private VLANs. I understand how it has to be configured and how it works in general. But I have some questions concerning its functionality in depth.
As I understand, during the frame encapsulation process the secondary VLAN is injected into the frame; then, when the switch, considering its CAM table, decides to move the frame through the uplink (promiscuous port) with the primary VLAN, it removes the tag of the secondary VLAN from the frame and injects the tag of the primary VLAN. Am I right? If I am right, this technology is very like dot1q tunneling with VLAN translation.
If I am not right, please correct me. I need the explanation considering the OSI model.
Unfortunately nobody gave me the answer to my question.
Sent from Cisco Technical Support iPad App
10-21-2013 03:19 PM
Hello Alexey.
Please don't mix the concept of double-tag tunneling (QinQ) with private VLANs. QinQ adds an outer tag to the frames to keep track of where the traffic is sourced and where it is going.
Your comment:
With the primary VLAN it removes the tag of the secondary VLAN from the frame and injects the tag of the primary VLAN. Am I right?
That's not really how it works. Take in consideration the following topology:
Where:
Primary VLAN is 10
Isolated VLAN is 101
Community VLAN is 102
When traffic from the secondary isolated VLAN is being forwarded to the promiscuous port, the trunk port in the switch will encapsulate the frame with the source VLAN (meaning the secondary VLAN); so if it was sourced from the isolated secondary VLAN, it will be VLAN 100 (if sourced from the community VLAN, it will be encapsulated with VLAN 101). Remember, it never double-tags the frame; only the secondary VLAN is encapsulated. The de-encapsulation process takes place later on.
Now when the traffic comes back from the promiscuous port to the end host, the router will encapsulate the frame with the primary VLAN (the router or promiscuous port is not PVLAN aware); finally, it is up to the switch to check the CAM table, find the MAC address and its VLAN assignment, and switch the traffic to the correct secondary VLAN. Later on the de-encapsulation process takes place.
Please let me know if the answer is satisfactory.
Regards.
Wilson B
10-21-2013 07:50 PM
Thank you for your explanation, but it seems to me you don't understand my question.
I strongly realise that private VLAN technology differs from double tagging.
By the way, in your explanation you take 10, 101 (isolated) and 102 (community) as the example, but later you change them to 100 isolated and 101 community; it confused me a little.
I have attached my little drawing :) to this message to illustrate how I understand the private VLAN technology is working. In this example the promiscuous port is not configured as a private VLAN trunk. It is just a private primary VLAN promiscuous port.
So the questions are:
Does the tag change while moving inside the switch from the host port to the promiscuous port?
And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?
Sent from Cisco Technical Support iPad App
10-22-2013 07:40 AM
Hello Alexey.
Thank you for your question.
Does the tag change while moving inside the switch from the host port to the promiscuous port?
Never; an access port never tags traffic.
And what tag will the frame be encapsulated with when it comes to the uplink-connected switch? 10 or 101 (in my picture)?
If the frame is incoming on the uplink connected to the switch, it will come in the primary VLAN; the same if the frame is outgoing on the uplink, it goes out with the primary VLAN tag.
When the traffic arrives at the switchport, it's up to the MAC address table which interface it will be destined to.
Please let me know if that clarifies your question.
Regards.
Wilson B.
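A forwarding model for the private-VLAN behaviour discussed in the two answers above, added here as a teaching example (not Cisco's implementation and not code from the thread). Host ports and the promiscuous port are untagged access-style ports, only the trunk carries an 802.1Q tag, and return traffic arriving in the primary VLAN is mapped back to the host's secondary VLAN through the MAC table, as the 10-21-2013 03:19 PM answer describes. It uses the thread's VLAN numbers (primary 10, isolated 101, community 102); port names and MAC addresses are constructed sample values.

```python
"""Simplified private-VLAN forwarding model (teaching code, not IOS)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    role: str                        # "isolated", "community", "promiscuous" or "trunk"
    primary: int                     # primary VLAN of the private-VLAN group
    secondary: Optional[int] = None  # isolated/community VLAN for host ports only


@dataclass
class PvlanSwitch:
    ports: Dict[str, Port]
    mac_table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # mac -> (port, vlan)

    def ingress_vlan(self, port: str, tag: Optional[int]) -> int:
        p = self.ports[port]
        if p.role == "trunk":
            return tag               # only the trunk carries a tag on the wire
        if p.role == "promiscuous":
            return p.primary         # untagged, belongs to the primary VLAN
        return p.secondary           # access host port: untagged, secondary VLAN

    def forward(self, in_port: str, src: str, dst: str,
                tag: Optional[int] = None) -> List[Tuple[str, Optional[int]]]:
        """Return [(egress_port, tag_on_egress)] for one frame; [] means dropped."""
        in_vlan = self.ingress_vlan(in_port, tag)
        primary = self.ports[in_port].primary
        self.mac_table[src] = (in_port, in_vlan)   # learn the source in its arrival VLAN
        allowed: Dict[str, Optional[int]] = {}
        for name, p in self.ports.items():
            if name == in_port or p.primary != primary:
                continue
            if p.role in ("promiscuous", "trunk"):
                ok = True                                # everything may reach the promiscuous side
            elif p.role == "isolated":
                ok = in_vlan == primary                  # isolated hosts hear only the promiscuous side
            else:
                ok = in_vlan in (primary, p.secondary)   # community: own community or promiscuous
            if ok:
                # on the trunk the frame keeps the VLAN it was sourced in: secondary
                # when it came from a host, primary when it came from the router side
                allowed[name] = in_vlan if p.role == "trunk" else None
        known = self.mac_table.get(dst)
        if known is None:
            return sorted(allowed.items())              # unknown destination: flood where allowed
        port = known[0]                                  # CAM lookup picks the host's own port
        return [(port, allowed[port])] if port in allowed else []


def demo_switch() -> PvlanSwitch:
    """Constructed topology matching the thread's VLAN numbers."""
    return PvlanSwitch({
        "Gi1/0/1": Port("isolated", 10, 101),
        "Gi1/0/2": Port("isolated", 10, 101),
        "Gi1/0/3": Port("community", 10, 102),
        "Gi1/0/4": Port("community", 10, 102),
        "Gi1/0/23": Port("promiscuous", 10),
        "Gi1/0/24": Port("trunk", 10),
    })


if __name__ == "__main__":
    sw = demo_switch()
    host_a, host_c, router = "00:00:00:00:00:0a", "00:00:00:00:00:0c", "00:00:5e:00:53:01"
    print(sw.forward("Gi1/0/1", host_a, "ff:ff:ff:ff:ff:ff"))   # flood: promiscuous + trunk tagged 101
    print(sw.forward("Gi1/0/23", router, host_a))               # primary VLAN in, mapped back to Gi1/0/1
    print(sw.forward("Gi1/0/2", host_c, host_a))                # isolated to isolated: dropped
```

Note that the only place a VLAN number ever changes is the MAC-table step on return traffic: the frame arrives in the primary VLAN and is delivered on a port that belongs to a secondary VLAN, without any tag being rewritten on an access port.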
10-22-2013 08:11 AM
Hi Wilson,
Nice forum going on here. I just want to ask why VLAN replication takes some time from a switch in VTP server mode to a switch in VTP client mode.
I made a recent change in my network environment wherein I added a VLAN on the VTP server, but I had to check and troubleshoot on the VTP client since the VLAN wasn't still there. It popped up, I'm assuming, after less than a minute.
I did a Google search but wasn't able to find any solid technical explanation on this. Would you be able to explain this phenomenon?
Sent from Cisco Technical Support iPad App
10-22-2013 05:31 PM
Hello John.
By default, Catalyst switches issue summary advertisements in five-minute increments. Summary advertisements inform adjacent Catalysts of the current VTP domain name and the configuration revision number.
When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent. If you add a new switch in the network, it takes 5 minutes for it to hear any advertisement from the server.
If you want the VLAN propagated immediately (meaning before the advertisements are generated and sent again), then you need to create a VLAN so that the revision number will change and the new switch will be updated, once the control checkpoints I just described are passed.
Regards.
Wilson B.
10-22-2013 06:57 PM
Wilson,
Thanks for this info! The 5 mins is way too long and I thought I was going crazy!
Sorry, my switching is not that advanced; is there a command on the switch to shorten the 5 min VTP advertisement?
Is this the hello time/BPDU?
10-23-2013 05:41 AM
Hello John.
Actually the BPDU timer is 2 seconds; BPDUs are sent to calculate the Layer 2 topology of spanning tree. When talking about VTP, packets like VTP advertisements, subsets and summaries are the ones that come into play.
Regards.
Wilson B.
12-21-2017 11:05 PM
Step by step secure your layer 2 network
http://aqlearninghub.blogspot.com/2017/12/cisco-layer-2-best-practice-step-by-step.html
Regards,
10-21-2013 09:56 AM
I want to know more about MACsec and how it is implemented in a large environment.
10-21-2013 06:25 PM
Hello Daryl.
I also want to be honest with you: I don't have too much experience with MACsec troubleshooting in real troubleshooting scenarios, but let me share my knowledge about what I have studied about it.
MACsec is the standard for authenticating and encrypting packets between two MACsec-capable devices.
MacSec implementation:
NOTE: In a large environment it is very important that you have knowledge of the hardware capabilities; pay attention that not all the Catalyst series switches support this feature, so there are some limitations.
Where should you use MacSec?
What do you need to implement MacSec?
What protocols does MacSec run?
Here is another example of how it works
Best regards.
Wilson B.
10-21-2013 10:12 AM
Hi wilson
Can you please advise the recommended configurations to harden and secure a switch in a production network?
Thanks
Shanil
Sent from Cisco Technical Support iPhone App