Introduction to Cisco Network Devices. @ONE Spring Hands-On Institute, Los Medanos College. Mark McGregor, Instructor. April, 2005.


1 Introduction to Cisco Network Devices
Los Medanos College. Mark McGregor, Instructor. April, 2005.

2 Module 2: Configuring Catalyst Switches

3 Basic Layer 2 Switching and Bridging Functions

4 The Stone Age of LANs
[Figure: thicknet (10Base5) coax bus with a repeater]
802.3 Ethernet: coax bus. Shared media. CSMA/CD, 10 Mbps shared. Actual speeds per host may hover around 1 Mbps or even less. Doesn't scale: as you add nodes, you increase the chance of collisions and reduce effective bandwidth.

5 The Dark Ages of LANs
[Figure: Segment Alpha and Segment Bravo, each a hub with UTP 10BaseT hosts, joined by a bridge]
802.3 Ethernet: UTP star. Shared media. CSMA/CD, still 10 Mbps shared. Broadcast problem: one broadcast domain. Scales by "segmenting" the network. As you add nodes to each segment, you increase the chance of collisions and reduce effective bandwidth on that segment.

6 The Dark Ages of LANs
[Figure: Network Alpha and Network Bravo, each a hub with UTP 10BaseT hosts, joined by an L3 router]
802.3 Ethernet: UTP star. Shared media. CSMA/CD, still 10 Mbps shared. But broadcasts are controlled, at the expense of added latency. Scales by "subnetting" the network. Early L3 routers added significant latency: if hosts on Alpha need to send tons of data to the server on Bravo, the router is a bottleneck.

7 Today: Micro-Segmentation
10/100/1000BaseT 802.3 Ethernet: UTP star. Not shared: 10/100/1000 dedicated per port. But broadcasts are still a problem! Scales by "microsegmenting" the network. Each host is on its own segment. No collisions if operating in full-duplex mode.

8 Broadcast Issues
In a flat Layer 2 network, broadcast frames, such as ARP or Windows NetBIOS (over IP), are sent everywhere. The probability of broadcast storms increases as the network and the number of users grow.

9 L3 Broadcast Filtering
Layer 3 routers are used to create more manageable broadcast domains. Broadcasts do not pass through routers. This scenario can create a bottleneck in the network.

10 VLAN Broadcast Filtering
VLANs can also be used to create more manageable broadcast domains. Traffic from one VLAN cannot cross into another VLAN unless it is routed at Layer 3.
[Figure: multilayer switch (L3-capable switch) connected by VLAN trunks]

11 Today's LANs
Hosts are mostly switched; few are shared (using hubs).
Fast Layer-3 (L3) routers are used to provide scalability.
–L3 routing is often built in to the backplane of the switch.
Groups of users are determined by physical location.
–We are seeing a trend away from end-to-end user grouping (end-to-end VLANs).

12 Today's Campus LANs
[Figure: from Host A's point of view: local service, remote service, enterprise services, campus backbone]

13 Switch Operation

14 How Switches Work
A switch can create a network that behaves as if it has only two nodes: the sender and the receiver. Because these two nodes share the 10 Mbps bandwidth between them, available bandwidth can reach closer to 100%.

15 How Switches Work
Switches are high-speed multi-port bridges with one port for each node or segment of the LAN. A switch segments a LAN into microsegments, creating collision-free domains from one larger collision domain.

16 Microsegmentation

17 Switch Latency
Switches add latency, but they can overcome this by forwarding frames before they are completely received.

18 Two Switching Methods

19 Cut-through v. Store & Forward

20 Full-Duplex Ethernet
Allows the transmission of a packet and the reception of a different packet at the same time. Requires two pairs of wires and a switched connection between each node. Point-to-point connection, nearly collision free. No negotiations for bandwidth.

21 Full-Duplex Ethernet
Offers 100% bandwidth in both directions (potential 20 Mbps, 200 Mbps, etc.).

22 Switches and Broadcasts

23 Switches Learn the Network

24 CAM: Content Addressable Memory
An Ethernet switch can learn the address of each device on the network by
–reading the source address of each packet transmitted and
–noting the port where the frame was heard.
Addresses are learned dynamically.
–As new addresses are read they are learned and stored in content addressable memory (CAM).
–When a source is read that is not found in the CAM it is learned/stored for future use.

25 Aging Out
Each time an address is stored it is time stamped.
–This allows addresses to be stored for a set period of time.
–Each time an address is referenced or found in the CAM, it receives a new time stamp.
–Addresses that are not referenced during the set period of time are removed from the list.
–By removing old addresses the CAM maintains an accurate and functional forwarding database.

26 Key Characteristics of Various Switching Technologies

27 Switching
Layer 2 Switching
–Switches based on MAC address.
Layer 3 Switching
–Switching at L2, hardware-based routing at L3.
Layer 4 Switching
–Switching at L2, hardware-based routing at L3, with decisions optionally made on L4 information (port numbers).

28 Layer 2 Switching

29 Layer 3 Switching

30 Layer 4 Switching

31 MLS (Multi-Layer Switching)

32 MLS
Cisco's specialized form of switching and routing, not generic L3 routing/L2 switching. Cannot be performed using LMC lab equipment.

33 MLS
Sometimes referred to as "route once, switch many".

34 Cisco Catalyst Switches

35 Switch Block - AL
Catalyst 2950 Switch: supports minimal L3 routing. Up to 50 ports.

36 Switch Block - AL
Catalyst 3550/3560 Switch: supports L3 routing. Up to 50 ports.

37 Switch Block - AL
Catalyst 3750 Switch: supports L3 routing. Supports Cisco StackWise technology, which provides a 32-Gbps high-speed stacking bus.

38 Switch Block - DL
Catalyst 4000 Switch: supports L3 blades, high-density access ports. 4006 (6 slots) shown here.

39 Switch Block - DL
Catalyst 4500 Switch: supports L3 blades, high-density access ports. Up to 10 slots.

40 Switch Block - DL
Catalyst 6500 Switch: supports L3 blades, high-density access ports. Can have up to 13 slots.

41 Spanning Tree

42 Spanning-Tree Protocol allows redundant switched/bridged paths without suffering the effects of loops in the network.

43 STP States

44 IOS Switch Configuration

45 Catalyst Switches
The Catalyst switching product line began as a Frankenstein of numerous acquisitions, including:
–Crescendo (1993)
–Kalpana (1994)
–Grand Junction (1995)
Result: the operating systems of Catalyst products did not look the same, nor did they initially align with Cisco IOS.

46 Catalyst Switches
The Catalyst derived from the Crescendo acquisition (Cat 5000) ran an OS known as CatOS.
–Sometimes referred to as a "set-based" OS because (unlike the IOS) many configurations required the use of the set command.
The 5000 evolved into other big Cats (5500, 6000, and 6500), which also initially ran CatOS.

47 Catalyst Switches
Smaller, "work-group" access switches ran various specialized operating systems.
–Most were menu-driven.
–1700, 1900, etc.
As these "work-group" Catalysts evolved, they dropped menus in favor of an IOS-like operating system.

48 Catalyst Switches
Today, all current Cisco Catalyst products have converged on the Cisco IOS. You are very likely to see legacy CatOS out in the real world, so you should be aware of it.
–Cisco has stopped testing on CatOS for its CCNA, CCNP and CCIE R&S exams.

49 Configuring Cat Switches
Because Catalyst switches run IOS, you can apply the same configuration principles you've learned for configuring routers to configuring switches.

50 Configuring IOS-based Catalyst Switches

51 Useful show Commands
show version
show running-config
show interface
show interface status
show interface switchport
show ip interface brief
show mac-address-table
show post

52 show interface status
CORE-1>sho interface status
Port   Name                Status     Vlan    Duplex  Speed   Type
Gi0/1  ADMIN-NET           connected  trunk   a-full  a-1000  1000BaseSX
Gi0/2                      disabled   1       auto    auto    unknown
Gi0/3  ABNET & XYNET       connected  trunk   a-full  a-1000  1000BaseSX
Gi0/4  NOT IN USE          disabled   1       auto    auto    unknown
Gi0/5  RANET               connected  trunk   a-full  a-1000  1000BaseSX
Gi0/6  NOT IN USE          disabled   1       auto    auto    unknown
Gi0/7  NOT IN USE          disabled   routed  auto    auto    unknown
Gi0/8  NOT IN USE          disabled   1       auto    auto    unknown
Gi0/9  L3 CONNECTION TO C  connected  routed  a-full  a-1000  1000BaseSX
Gi0/10                     disabled   1       auto    auto    unknown
Gi0/11 L3 CONNECTION TO E  connected  routed  a-full  a-100   10/100/1000BaseTX
Gi0/12 WIRELESS TO PIX     connected  802     a-full  a-100   10/100/1000BaseTX
CORE-1>

53 Getting a "fresh" Start
Some Cat IOS switches keep track of VLAN information in a special file called vlan.dat.
–This file is separate from the running configuration.
–Some switches have VLAN configuration as part of the config file; it depends on something called VTP (which we will cover in module 9).
To bring a switch back to the default configuration, you may need to delete both its VLAN database and its startup-configuration file.

54 Getting a "fresh" Start
leftovers#dir flash:
Directory of flash:/
    2  -rwx           0   Jan 01 1970 00:01:20  env_vars
    3  -rwx         342   Jan 01 1970 00:01:20  system_env_vars
    4  -rwx         736   Mar 11 1993 17:25:25  vlan.dat
    6  -rwx           5   Mar 01 1993 00:01:19  private-config.text
    7  drwx         192   Mar 01 1993 00:03:20  c3550-i5q3l2-mz.121-11.EA1
15998976 bytes total (10913280 bytes free)
leftovers#

55 Getting a "fresh" Start
Sloppy_seconds#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Sloppy_seconds#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Sloppy_seconds#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
00:08:09: %SYS-5-RELOAD: Reload requested

56 Assigning a Name
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#

57 Assigning Passwords
S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#enable secret cisco
S1(config)#line vty 0 4
S1(config-line)#password cisco
S1(config-line)#line con 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#service password-encryption
S1(config)#
Use the service password-encryption command to encipher line and user passwords in the configuration file (prevents "shoulder surfing"). Bad news: the cipher is easily reversed.

58 Assigning an IP Address
S1(config)#interface vlan 1
S1(config-if)#ip address 10.1.1.1 255.255.255.0
S1(config-if)#exit
S1(config)#ip default-gateway 10.1.1.254
What's up with "interface vlan 1"? Well, the default config for a switch is such that all of its ports are layer 2 "bridged" ports. The ports don't have IP addresses. The default config also places all switchports in VLAN 1. When you assign an IP to VLAN 1, you can reach the switch's "management" IP address on any of the ports in VLAN 1. In practice, it is not secure to put an IP address on VLAN 1. You should configure another VLAN besides 1 for management purposes.

59 Nailing Down Speed & Duplex
S1(config)#in f0/1
S1(config-if)#speed 100
S1(config-if)#duplex full
By default, switch ports will try to auto-negotiate speed and duplex mode. The auto-negotiation protocol (802.3u) attempts to set the highest possible speed and best duplex mode available on both link partners. In the field, you may find that auto-negotiation fails; nail down important links when possible.

60 The Catalyst GUI
Switches are far more prevalent than routers in an enterprise. Many members of an IT staff may need to configure workgroup or even distribution switches.
–IOS command-line expertise is not always plentiful.
Cisco offers a web-based GUI for easy administration and configuration of Catalyst switches.
–Requires a Java VM.
The GUI can also be used to command multiple switches from the same interface (Cluster Management Suite, or CMS).

61 The Catalyst GUI
Enabling the web-based GUI will open you up to additional network security vulnerabilities. Use this feature with caution! On most workgroup Catalyst switches, this feature is on by default. Disable it until you know you are going to use it:
–no ip http server

62 Configuring the Web Interface
S1(config)#ip http server
S1(config)#ip http port 8080
S1(config)#
The ip http port 8080 command changes the default TCP port of the web server to any valid port number you configure. The default port is, of course, TCP 80. You can access your switch's web server at http://ipaddress. In our example, it would be http://10.1.1.1:8080 (the port number was changed).

63 VLAN Basics

64 Early VLANs
Virtual Local Area Networks were promoted heavily by industry in the mid-1990s. Vendors also took varied approaches to creating VLANs, which led to incompatibility and confusion.

65 VLANs
A group of hosts with a common set of requirements that
–communicate as if they were attached to the same wire, regardless of their physical location.
A VLAN has the same attributes as a physical LAN, but VLANs allow end stations to be grouped together even if they are not located on the same LAN segment.

66 VLANs
Each VLAN is typically assigned a unique IP subnet.
–1 VLAN = 1 IP subnet (almost always).
Cisco VLANs typically run a separate instance of Spanning-Tree Protocol (STP) or Rapid STP (RSTP).
–Per-VLAN spanning-tree (PVST).
Segmentation can be based on
–organizational functions
–applications
–a physical / geographical basis

67 Campus-Wide, End-to-End VLANs

68 Local/Geographic VLANs

69 Why VLANs?
With VLANs, administrators can:
–control traffic patterns
–react quickly to relocations
–keep up with constant changes in the network due to moving requirements and node relocation
–increase security
–contain broadcasts

70 VLANs and Network Security

71 VLANs are secure*
When a station transmits on a shared network (hub), all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients. Anyone with a network sniffer can capture passwords, sensitive e-mail, and any other traffic on the shared network, if the traffic is unencrypted.

72 Switched networks are secure*
Some TCP/IP protocols that send info in cleartext:
–HTTP (not HTTPS)
–Telnet (not SSH)
–FTP
–SMTP (mail)
Some popular sniffers:
–Ethereal (free)
–Etherpeek (WildPackets)
–tcpdump (free)
–Sniffer Pro (Network Associates)
–dsniff (free, Dug Song)

73 Switched networks are secure*
Switches allow for microsegmentation.
–Each user that connects directly to a switch port is on his or her own segment.
If every device has its own segment (switchport) then only the sender and receiver will "see" unicast traffic.
VLANs contain broadcast traffic.
–Only users on the same VLAN will see broadcasts.

74 Switched networks are secure*
On a switched network, Host X should not see unicast traffic from Host A to Internet hosts.
[Figure: Host A and Host X on the same switch, with a default gateway 1.1.1.1 to the Internet. Man-in-the-middle: the attacker on X uses ARP to "become" Host A's default gateway. X announces "ARP: 1.1.1.1 is at my MAC"; Host A updates its ARP table, and its default gateway has changed at L2. X: "Hmm. Passwords, email... yum!"]
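The gateway impersonation on this slide leaves a trace that can be detected from the ARP replies seen on the LAN. The following script is an added example (not from the slides): it replays a constructed capture of ARP replies, with hypothetical MACs, ports and timestamps, and flags a protected IP whose MAC differs from its trusted or first-seen binding, and any MAC that claims more than one IP.

```python
"""ARP gateway-impersonation detector (added example, not from the slides).

Slide 74 describes an attacker on Host X sending ARP replies that claim the
default gateway's IP (1.1.1.1) with X's own MAC. This script replays a
constructed capture of ARP replies and flags (a) a protected IP whose MAC
differs from the trusted or first-seen binding and (b) a MAC that claims more
than one IP. MACs, ports and timestamps are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP the reply claims
    sender_mac: str  # MAC the reply binds it to
    port: str        # switchport the reply was seen on (constructed)


@dataclass
class Alert:
    ts: float
    kind: str
    ip: str
    mac: str
    port: str
    detail: str


# Constructed sample: the real gateway answers, Host A and Host X are learned,
# then X starts claiming the gateway address from its own port.
SAMPLE_REPLIES = [
    ArpReply(0.0, "1.1.1.1", "00:00:0c:07:ac:01", "Fa0/24"),   # real gateway
    ArpReply(1.0, "1.1.1.10", "00:11:22:33:44:10", "Fa0/1"),   # Host A
    ArpReply(2.0, "1.1.1.20", "00:11:22:33:44:20", "Fa0/2"),   # Host X
    ArpReply(3.0, "1.1.1.1", "00:11:22:33:44:20", "Fa0/2"),    # X "becomes" the gateway
    ArpReply(4.0, "1.1.1.1", "00:11:22:33:44:20", "Fa0/2"),    # repeated to keep A poisoned
    ArpReply(5.0, "1.1.1.1", "00:00:0c:07:ac:01", "Fa0/24"),   # real gateway again
]


def detect_arp_spoofing(replies, protected_ips, trusted_bindings=None):
    """Return Alerts for suspicious replies.

    trusted_bindings maps IP -> MAC for addresses whose binding is known in
    advance (the gateway). A protected IP without a trusted binding is bound to
    the MAC it is first seen with, which is weaker: an attacker who answers
    first would be trusted, so prefer a configured binding for gateways.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
    ips_per_mac = {}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        if r.sender_ip in protected_ips:
            known = bindings.get(r.sender_ip)
            if known is None:
                bindings[r.sender_ip] = mac
            elif known != mac:
                alerts.append(Alert(r.ts, "PROTECTED_IP_MAC_CHANGE", r.sender_ip,
                                    mac, r.port, f"expected {known}"))
        claimed = ips_per_mac.setdefault(mac, set())
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:
                others = sorted(claimed - {r.sender_ip})
                alerts.append(Alert(r.ts, "MAC_CLAIMS_MULTIPLE_IPS", r.sender_ip,
                                    mac, r.port, f"also claims {others}"))
    return alerts


def suspicious_ports(alerts):
    """Map each switchport to the number of alerts raised on it, so the
    operator knows which port to inspect or shut down."""
    counts = {}
    for a in alerts:
        counts[a.port] = counts.get(a.port, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES, protected_ips={"1.1.1.1"})
    for a in found:
        print(f"t={a.ts:>4} {a.kind:<24} {a.ip:<9} {a.mac} on {a.port}: {a.detail}")
    print("alerts per port:", suspicious_ports(found))
```

All three alerts point at port Fa0/2, which is the port an operator would then inspect.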

75 Switched networks are secure*
On a switched network, Host X should not see unicast traffic from Host A to Internet hosts.
[Figure: MAC flood: the attacker on X overwhelms the switch with a flood of bogus MACs. X: "Hey switch! Here's 999,000 MAC addresses!" Switch: "My CAM table is jacked. I'll have to flood traffic out all ports." The switch "fails open" and acts like a hub. X: "Smell those tasty packets!"]
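The CAM behaviour of slides 24 and 25 (learn source MAC and port, refresh the time stamp, age out idle entries) and the "fails open" result on this slide can be reproduced with a small model. This is an added example, not code from the slides; the CAM size, aging time, MAC addresses and port numbers are hypothetical, and the per-port MAC limit is the mitigation a practitioner would pair with it.

```python
"""Learning switch with a CAM table, aging and flooding (added example, not
from the slides). It models slides 24-25 (learn source MAC + port, refresh the
time stamp, age out idle entries) and slide 75 (a flood of bogus source MACs
fills the CAM so unknown destinations are flooded out every port, i.e. the
switch "fails open"), plus a per-port MAC limit as the mitigation. The CAM
size, aging time, MACs and port numbers are hypothetical.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size, aging_secs, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                 # mac -> [port, last_seen]
        self.cam_size = cam_size
        self.aging_secs = aging_secs
        self.max_macs_per_port = max_macs_per_port
        self.err_disabled = set()     # ports shut down after a violation

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_secs]
        for m in stale:
            del self.cam[m]

    def _macs_on_port(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def receive(self, now, in_port, src_mac, dst_mac):
        """Process one frame. Returns (action, out_ports) where action is
        'drop', 'unicast' or 'flood'."""
        self._age_out(now)
        if in_port in self.err_disabled:
            return "drop", set()
        entry = self.cam.get(src_mac)
        if entry is not None:
            entry[0], entry[1] = in_port, now        # refresh time stamp
        elif (self.max_macs_per_port is not None
              and self._macs_on_port(in_port) >= self.max_macs_per_port):
            self.err_disabled.add(in_port)           # too many MACs: shut the port
            return "drop", set()
        elif len(self.cam) < self.cam_size:
            self.cam[src_mac] = [in_port, now]       # learn
        # else: CAM full, the source is not learned
        if dst_mac != BROADCAST and dst_mac in self.cam:
            return "unicast", {self.cam[dst_mac][0]}
        return "flood", {p for p in self.ports if p != in_port and p not in self.err_disabled}


GW, HOST_A, HOST_X = "00:00:0c:07:ac:01", "00:11:22:33:44:10", "00:11:22:33:44:20"


def run_scenario(max_macs_per_port=None):
    sw = Switch(ports=range(1, 25), cam_size=8, aging_secs=300,
                max_macs_per_port=max_macs_per_port)
    sw.receive(0, 24, GW, BROADCAST)      # gateway learned on port 24
    sw.receive(1, 1, HOST_A, GW)          # Host A learned on port 1
    sw.receive(2, 2, HOST_X, GW)          # Host X learned on port 2
    # t=400: all entries have aged out; X floods 16 bogus source MACs
    for i in range(16):
        sw.receive(400 + i / 1000, 2, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    sw.receive(401, 24, GW, HOST_A)       # gateway talks to A again
    action, out = sw.receive(402, 1, HOST_A, GW)   # does A's unicast leak to X?
    return {"action": action, "out_ports": out, "cam_entries": len(sw.cam),
            "port2_disabled": 2 in sw.err_disabled}


if __name__ == "__main__":
    for limit in (None, 2):
        r = run_scenario(limit)
        print(f"max_macs_per_port={limit}: A->GW is {r['action']} to {sorted(r['out_ports'])}, "
              f"CAM entries={r['cam_entries']}, port 2 err-disabled={r['port2_disabled']}")
```

Without the limit, Host A's frame to the gateway is flooded out port 2 as well; with the limit, port 2 is shut on the third unknown MAC and the frame stays unicast.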

76 Switched networks are secure*
By using VLANs, you can mitigate man-in-the-middle attacks and packet sniffing exposure. Put public or less secure terminals in one VLAN; place administrative and/or mission-critical hosts on a different VLAN. Use VLANs to provide logical separation and security "zones".

77 VLANs and Broadcast Distribution

78 VLANs Control Broadcasts

79 VLANs Control Broadcasts
Broadcast traffic is a necessary evil.
–Routing protocols and network services typically rely on broadcasts.
–Multimedia applications may also use broadcast frames/packets.
Each VLAN is its own broadcast domain.
–Traffic of any kind cannot leave a VLAN without L3 services (a router).
–Administrators can control the size of a broadcast domain by defining the size of the VLAN.

80 VLANs Improve BW Utilization
Bandwidth is shared in legacy Ethernet; a switch improves BW utilization by eliminating collisions (microsegmentation). VLANs further improve BW utilization by confining broadcasts and other traffic: switches only flood ports that belong to the source port's VLAN.

81 VLAN Types

82 Types of VLANs
When scaling VLANs in the switch block, there are two basic methods of defining the VLAN boundaries:
–End-to-end VLANs
–Local VLANs

83 Types of VLANs
Remember: a one-to-one correspondence between VLANs and IP subnets is strongly recommended!
–Typically, this results in VLANs of 254 hosts or less.

84 End-to-End VLANs
Hosts are grouped into VLANs independent of physical location and dependent on group, job function, or application. As a user moves around the campus, VLAN membership for that user's PC should not change. Each VLAN has a common set of security requirements for all members.

85 End-to-End VLANs

86 Local/Geographic VLANs
As many corporate networks have moved to centralize their resources, end-to-end VLANs became more difficult to maintain. Users are required to use many different resources, many of which are no longer in their VLAN. Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.

87 Local/Geographic VLANs
Can span a geographic location as large as an entire building or as small as one switch. The 20/80 rule is in effect, with 80 percent of the traffic remote to the user and 20 percent of the traffic local to the user: a user must cross an L3 device in order to reach 80 percent of the resources.
–However, this design allows the network to provide a deterministic, consistent method of accessing resources.

88 Establishing VLAN Memberships

89 VLAN Types
The two common approaches to assigning VLAN membership are:
–Static VLANs (aka port-based)
–Dynamic VLANs

90 Static VLANs
Also referred to as port-based membership. VLAN assignments are created by assigning ports to a VLAN. As a host enters the network, the switch automatically tags that host's traffic so that it belongs to the VLAN of the port.
–If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

91 Static VLANs

92 Static VLANs
A port is assigned to a specific VLAN independent of the user or system attached to the port. The port cannot send or receive from devices in another VLAN without the intervention of an L3 device.
–The device that is attached to the port likely has no understanding that a VLAN exists.
–The device simply knows that it is a member of a subnet.

93 Static VLANs
The switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN.
–The switch is further responsible for ensuring that ports in a different VLAN do not receive the information.

94 Static VLANs
This approach is quite simple, fast, and easy to manage in that there are no complex lookup tables required for VLAN segmentation. If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good. An ASIC allows the port-to-VLAN mapping to be done at the hardware level.

95 Configuring VLANs

96 Configuring Static VLANs: IOS-Based Switch
Switch#vlan database
Switch(vlan)#vlan 10 name SALES
Switch(vlan)#exit
Switch#configure terminal
Switch(config)#interface fa0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface range fa0/2 - 6
Switch(config-if-range)#switchport access vlan 10
VLAN database: stored in the vlan.dat file, not config.text. You can edit the VLAN database directly by entering VLAN database mode.

97 Configuring Static VLANs: IOS-Based Switch
switch>sho vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    MARKETING                        active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
3    PUBLIC                           active    Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/18
4    CORE                             active    Fa0/13, Fa0/14, Fa0/15, Fa0/16, Gi0/1
5    REDOG                            active    Fa0/17, Fa0/19, Fa0/20
6    CALREN                           active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
802  WIRELESS                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
switch>

98 Configuring VLANs
When configuring VLANs, keep in mind that:
–A created VLAN remains unused until it is mapped to switch ports.
–The default configuration has all of the switch ports on VLAN 1.

99 Dynamic VLANs

100 Dynamic VLANs
Created through the use of software packages such as CiscoWorks 2000. A VLAN Management Policy Server (VMPS) typically allows for membership based on the MAC address of the device: as a device enters the network, the device queries a database for VLAN membership.

101 Dynamic VLANs

102 Dynamic VLANs
With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

103 Dynamic VLANs
When you enable VMPS on a switch, a MAC address-to-VLAN mapping database downloads from a TFTP server and VMPS begins to accept client requests.
–If you reset or power cycle the Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

104 Dynamic VLANs
VMPS opens a UDP socket to communicate and listen to client requests. The VMPS client communicates with a VMPS server through the VLAN Query Protocol (VQP). When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping.

105 Dynamic VLANs
The server response is based on this mapping and whether or not the server is in secure mode. Secure mode determines whether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN.

106 Dynamic VLANs
If a device is plugged into the network and its MAC address is not in the database, VMPS sends the fallback VLAN name to the client. If no fallback VLAN is configured and the MAC address does not exist in the database, VMPS sends an access-denied response. If VMPS is in secure mode, it sends a port-shutdown response.

107 Dynamic VLANs
An administrator can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access-denied or port-shutdown response.
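The response rules of slides 105 to 107 (database hit, --NONE-- deny, fallback VLAN, access-denied versus port-shutdown in secure mode) fit in one decision function. This is an added example, not Cisco's VMPS code and not the VQP wire format; the MAC-to-VLAN database, VLAN names and the optional per-port allowed-VLAN set are constructed.

```python
"""VMPS-style response logic for a VQP request (added example, not from the
slides and not the real VQP wire protocol). It applies the rules from slides
105-107: look the MAC up in the MAC-to-VLAN database; --NONE-- means an
explicit deny; an unknown MAC gets the fallback VLAN if one is configured;
otherwise the answer is access-denied, or port-shutdown when the server is in
secure mode. The database, VLAN names and allowed-VLAN sets are constructed."""
import re

NONE_KEYWORD = "--NONE--"

# Constructed MAC-to-VLAN mapping database (keys normalized by normalize_mac).
MAC_DB = {
    "0011.2233.4410": "SALES",
    "0011.2233.4420": "PUBLIC",
    "0011.2233.4499": NONE_KEYWORD,   # explicitly denied (slide 107)
}


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the dotted form used as the database key."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def vmps_response(mac, db=MAC_DB, fallback_vlan=None, secure_mode=False,
                  port_allowed_vlans=None):
    """Return ('vlan', name) or (deny_response, None), where deny_response is
    'port-shutdown' in secure mode and 'access-denied' otherwise.

    port_allowed_vlans (an assumed, optional restriction) lists the VLANs a
    given port may be placed in; a mapping to a VLAN that is not allowed on
    the port is denied, as slide 105 describes."""
    deny = "port-shutdown" if secure_mode else "access-denied"
    vlan = db.get(normalize_mac(mac))
    if vlan == NONE_KEYWORD:            # explicit deny entry
        return deny, None
    if vlan is None:                    # unknown MAC
        if fallback_vlan is None:
            return deny, None
        vlan = fallback_vlan
    if port_allowed_vlans is not None and vlan not in port_allowed_vlans:
        return deny, None
    return "vlan", vlan


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:10", "00:11:22:33:44:99", "00:aa:bb:cc:dd:ee"):
        print(mac, "open:", vmps_response(mac),
              "secure:", vmps_response(mac, secure_mode=True),
              "fallback GUEST:", vmps_response(mac, fallback_vlan="GUEST"))
```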

108 @ONE Spring Hands-On Institute 2-108 Strom Control

109 @ONE Spring Hands-On Institute 2-109 Storm Control Storm control prevents switchports on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.

110 @ONE Spring Hands-On Institute 2-110 Storm Control Storm control (or traffic suppression) monitors incoming traffic statistics over a time period and compares the measurement with a predefined suppression level threshold. The threshold represents the percentage of the total available bandwidth of the port. Cisco switches support separate storm control thresholds for broadcast, multicast, and unicast traffic. –If the threshold of a traffic type is reached, further traffic of that type is suppressed until the incoming traffic falls below the threshold level.

111 @ONE Spring Hands-On Institute 2-111 Configuring Storm Control S1# configure terminal S1(config)# interface fa0/1 S1(config-if)# storm-control broadcast level 50.5 The storm-control command in this example sets the broadcast threshold to 50.5% of the interface’s bandwidth.

112 @ONE Spring Hands-On Institute 2-112 Access and Trunk Links

113 @ONE Spring Hands-On Institute 2-113 Access and Trunk Links

114 @ONE Spring Hands-On Institute 2-114 Access Links An access link is a link on the switch that is a member of only one VLAN. This VLAN is referred to as the native VLAN of the port. –Any device that is attached to the port is completely unaware that a VLAN exists.

115 @ONE Spring Hands-On Institute 2-115 Trunk Links A trunk link is capable of supporting multiple VLANs. Trunk links are typically used to connect switches to other switches or routers. Switches support trunk links on both Fast Ethernet and Gigabit Ethernet ports.

116 @ONE Spring Hands-On Institute 2-116 Access and Trunk Links

117 @ONE Spring Hands-On Institute 2-117 Trunk Links a trunk link does not belong to a specific VLAN. –acts as a conduit for VLANs between switches and routers The trunk link can be configured to transport all VLANs or to transport a limited number of VLANs. A trunk link may, however, have a native VLAN. –The native VLAN of the trunk is the VLAN that the trunk uses if the trunk link fails for any reason

118 @ONE Spring Hands-On Institute 2-118 VLAN Trunking

119 @ONE Spring Hands-On Institute 2-119 Trunk Links In Ethernet, the switch has two methods of identifying the VLAN that a frame belongs to: –ISL – InterSwitch Link (Cisco proprietary) –IEEE 802.1Q (standards-based) aka, dot1q

120 @ONE Spring Hands-On Institute 2-120 VLAN Identification ISL - This protocol is a Cisco proprietary encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers. Even though it ’ s Cisco proprietary, ISL is not natively supported by the Catalyst 4000. –The L3 blade give the Cat4000s router two ISL-capable ports (Gig 1 and Gig 2).

121 @ONE Spring Hands-On Institute 2-121 VLAN Identification IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header. This process is referred to as frame tagging. –Note: In practice, both ISL and dot1q are called frame tagging

122 @ONE Spring Hands-On Institute 2-122 VLAN Identification 802.10 - This standard is a Cisco proprietary method of transporting VLAN information inside the standard 802.10 frame (FDDI). –The VLAN information is written to the security association identifier (SAID) portion of the 802.10 frame. This method is typically used to transport VLANs across FDDI backbones.

123 @ONE Spring Hands-On Institute 2-123 VLAN Identification LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.

124 @ONE Spring Hands-On Institute 2-124 VLAN Identification

125 @ONE Spring Hands-On Institute 2-125 ISL (Frame Encapsulation) Ethernet Frame 1500 bytes plus 18 byte header (1518 bytes) Standard NIC cards and networking devices don’t understand this giant frame. A Cisco switch must remove this encapsulation before sending the frame out on an access link.

126 @ONE Spring Hands-On Institute 2-126 ISL an Ethernet frame is encapsulated with a header that transports VLAN IDs adds overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte cyclic redundancy check (CRC) is appended to the end of each frame. –This CRC is in addition to any frame checking that the Ethernet frame requires.

127 @ONE Spring Hands-On Institute 2-127 2-byte TPID 2-byte TCI 802.1q SA and DA MACs 802.1q Tag Type/Length Field Data (max 1500 bytes) CRCNew CRC NIC cards and networking devices can understand this “baby” giant frame (1522 bytes). However, a Cisco switch must remove this encapsulation before sending the frame out on an access link. Tag Protocol Identifier Tag Control Info (includes VLAN ID)

128 @ONE Spring Hands-On Institute 2-128 802.1q significantly less overhead than the ISL as opposed to the 30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame

129 802.1q: A 4-byte tag header containing a tag protocol identifier (TPID) and tag control information (TCI) with the following elements: –A 2-byte TPID with a fixed value of 0x8100. This value indicates that the frame carries the 802.1Q/802.1p tag information. –A TCI containing the following elements: three-bit user priority; one-bit canonical format indicator (CFI); twelve-bit VLAN identifier (VID), which uniquely identifies the VLAN to which the frame belongs.
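A worked example of the tag layout on slides 127 to 129, added here and not part of the original presentation: it packs and unpacks the TCI bit fields (3-bit priority, 1-bit CFI, 12-bit VID), inserts the 4-byte tag with TPID 0x8100 after the source MAC, and strips it again as a switch must before forwarding onto an access link. The sample frame, its MAC addresses and the VLAN number are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # fixed TPID value that marks an 802.1Q/802.1p tag


def build_tci(priority, cfi, vid):
    """Pack the 16-bit TCI: 3-bit user priority, 1-bit CFI, 12-bit VID."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("field out of range for a 3/1/12-bit TCI")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci):
    """Unpack a 16-bit TCI into its three fields."""
    return {"priority": (tci >> 13) & 0x7, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}


def tag_frame(frame, vid, priority=0, cfi=0):
    """Insert the 4-byte tag between the SA MAC and the Type/Length field.
    `frame` is DA|SA|Type/Length|Data without the trailing CRC; the CRC is
    recomputed by the transmitting MAC, so it is left out of this model."""
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def untag_frame(frame):
    """Strip the tag, as a switch must before sending out an access link.
    Returns (untagged_frame, tci_fields), or (frame, None) if no tag is present."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame, None
    tci = struct.unpack("!H", frame[14:16])[0]
    return frame[:12] + frame[16:], parse_tci(tci)


# Constructed sample frame: broadcast DA, made-up SA, IPv4 Type field, short payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=802, priority=5)
    print(tagged[12:16].hex())      # 8100a322
    print(untag_frame(tagged)[1])   # {'priority': 5, 'cfi': 0, 'vid': 802}
```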

130 Trunking: a trunk is a point-to-point link that supports several VLANs. A trunk saves ports when creating a link between two devices that implement VLANs.

131 Trunking

132 Trunking: Before attempting to configure a VLAN trunk on a port, you should determine what encapsulation the port can support: show interface switchport

133 Trunking:
alpha#show in g0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-6,802
Pruning VLANs Enabled: NONE
alpha#

134 Trunking: Dynamic Trunking Protocol (DTP) manages trunk negotiation.

135 Configuring Trunking: Ethernet trunk interfaces support several different trunking modes. –Access –Dynamic desirable (default mode on Catalyst 2950 and 3550) –Dynamic auto –Trunk –Nonegotiate –dot1q-tunnel (Not an option on the Catalyst 2950.)

136 Configuring Trunking: On - This mode puts the port into permanent trunking. The port becomes a trunk port even if the neighboring port does not agree to the change. The on state does not allow for the negotiation of an encapsulation type. –You must, therefore, specify the encapsulation in the configuration.

137 Configuring Trunking: Access (Off) - This mode puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The port becomes a nontrunk port even if the neighboring port does not agree to the change.

138 Configuring Trunking: Desirable - This mode makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.

139 Configuring Trunking: Auto - This mode makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode for Fast and Gigabit Ethernet ports. –If the default setting is left on both sides of the trunk link, the link will not become a trunk.

140 Configuring Trunking: Nonegotiate - This mode puts the port into permanent trunking mode but prevents the port from generating Dynamic Trunking Protocol (DTP) frames. –You must configure the neighboring port manually as a trunk port to establish a trunk link.

141 Configuring Trunking: For trunking to be autonegotiated on Fast Ethernet or Gigabit Ethernet ports, the ports must be in the same VTP domain. However, you can use “on” or “nonegotiate” mode to force a port to become a trunk, even if it is in a different domain.

142 Configuring Trunking: IOS-Based Switch
Switch(config)# interface fastethernet 0
Switch(config-if)# switchport mode [access | multi | trunk]
Switch(config-if)# switchport mode dynamic [auto | desirable]
Switch(config-if)# switchport trunk encapsulation {isl|dot1q}
Switch(config-if)# switchport trunk allowed vlan remove vlan-list
Switch(config-if)# switchport trunk allowed vlan add vlan-list
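The mode rules on slides 136 to 141, worked through as a small model added here (not code from the presentation): each end's resulting state is computed from its own mode, the neighbor's mode and whether both are in the same VTP domain, and a link is flagged as mismatched when one end trunks and the other does not, which is the state to look for when a port is left at its dynamic default or a nonegotiate port faces a negotiating neighbor. The mode names and the `same_vtp_domain` flag are this example's own.

```python
# Trunking modes as named on the slides ("on" is the trunk keyword on IOS switches).
ON, DESIRABLE, AUTO, ACCESS, NONEGOTIATE = "on", "desirable", "auto", "access", "nonegotiate"


def port_state(local_mode, neighbor_mode, same_vtp_domain=True):
    """Return 'trunk' or 'access' for the local port after DTP negotiation.
    Rules from the slides: on and nonegotiate force trunking and never negotiate;
    desirable trunks with on/desirable/auto; auto trunks with on/desirable;
    negotiation only succeeds inside one VTP domain; a nonegotiate neighbor sends
    no DTP frames, so a negotiating port sees nothing to agree to."""
    if local_mode == ACCESS:
        return "access"                      # permanent nontrunk, whatever the neighbor says
    if local_mode in (ON, NONEGOTIATE):
        return "trunk"                       # permanent trunk, even across VTP domains
    if not same_vtp_domain:
        return "access"                      # DTP does not negotiate across domains
    partners = {DESIRABLE: (ON, DESIRABLE, AUTO), AUTO: (ON, DESIRABLE)}
    if local_mode not in partners:
        raise ValueError(f"unknown trunking mode {local_mode!r}")
    return "trunk" if neighbor_mode in partners[local_mode] else "access"


def link_result(mode_a, mode_b, same_vtp_domain=True):
    """Evaluate both ends of a link and flag a mismatch (one side trunking,
    the other not), which is how a half-formed trunk shows up."""
    a = port_state(mode_a, mode_b, same_vtp_domain)
    b = port_state(mode_b, mode_a, same_vtp_domain)
    return {"a": a, "b": b, "mismatch": a != b}


if __name__ == "__main__":
    for pair in ((AUTO, AUTO), (DESIRABLE, AUTO), (NONEGOTIATE, DESIRABLE), (ON, ACCESS)):
        print(pair, link_result(*pair))
```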

143 VLAN Trunking Protocol (VTP)

144 VLAN Trunking Protocol: VTP maintains VLAN configuration consistency across the entire network. VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis. Further, VTP allows you to make centralized changes that are communicated to all other switches in the network.

145 VTP Benefits

146 VTP: All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information. Using VTP, switches advertise: –Management domain –Configuration revision number –Known VLANs and their specific parameters

147 VTP: Switches can be configured not to accept VTP information. These switches will forward VTP information on trunk ports in order to ensure that other switches receive the update, but the switches will not modify their database, nor will the switches send out an update indicating a change in VLAN status. –This is referred to as transparent mode.

148 VTP: By default, management domains are set to a nonsecure mode, meaning that the switches interact without using a password. Adding a password automatically sets the management domain to secure mode. –A password must be configured on every switch in the management domain to use secure mode.

149 VTP: The VTP database contains a revision number. Each time a change is made, the switch increments the revision number.

150 VTP: A higher configuration revision number indicates that the VLAN information that is being sent is more current than the stored copy. Any time a switch receives an update that has a higher configuration revision number, the switch will overwrite the stored information with the new information being sent in the VTP update.

151 VTP Modes: Switches can operate in any one of the following three VTP modes: –Server –Client –Transparent

152 VTP Modes: Server - If you configure the switch for server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP servers: –advertise their VLAN configuration to other switches in the same VTP domain –synchronize the VLAN configuration with other switches based on advertisements received over trunk links. This is the default mode on the switch.

153 VTP Modes: Client - VTP clients behave the same way as VTP servers. However, you cannot create, change, or delete VLANs on a VTP client.

154 VTP Modes: Transparent - VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration, and does not synchronize its VLAN configuration based on received advertisements. –However, in VTP Version 2, transparent switches do forward VTP advertisements that the switches receive out their trunk ports.
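The update rules from slides 146 to 154 (domain, password/secure mode, revision number, and the three modes) as a small simulation added here, not the presentation's own material: a receiving switch applies an advertisement only when it is for its own domain, the password matches, its mode is not transparent, and the revision is higher than its stored copy, in which case the stored VLAN database is overwritten; a transparent switch relays the advertisement untouched. Switch names, the domain name and the password are constructed, and the password comparison is a simplification of the digest real VTP carries.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                  # "server", "client" or "transparent"
    password: str = ""         # "" models the nonsecure default
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    forwarded: list = field(default_factory=list)   # advertisements relayed on trunks

    def advertisement(self):
        """What this switch sends: domain, revision and its known VLANs."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans), "password": self.password}

    def receive(self, adv):
        """Apply the slides' rules to a received advertisement.
        Returns 'applied', 'forwarded' or 'ignored'. Real VTP carries an MD5
        digest derived from the password; this model compares it directly."""
        if adv["domain"] != self.domain:
            return "ignored"                       # other domains are not shared
        if self.mode == "transparent":
            self.forwarded.append(adv)             # relayed, database untouched
            return "forwarded"
        if adv["password"] != self.password:
            return "ignored"                       # secure mode: password must match
        if adv["revision"] <= self.revision:
            return "ignored"                       # not newer than the stored copy
        self.vlans = dict(adv["vlans"])            # higher revision overwrites
        self.revision = adv["revision"]
        return "applied"

    def add_vlan(self, vid, name):
        """Only a server may change VLANs; every change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; cannot edit VLANs")
        self.vlans[vid] = name
        self.revision += 1


if __name__ == "__main__":
    server = VtpSwitch("alpha", "lmc", "server", password="s3cret")
    client = VtpSwitch("bravo", "lmc", "client", password="s3cret")
    server.add_vlan(802, "lab")
    print(client.receive(server.advertisement()), client.vlans, client.revision)
```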

155 Configuring VTP

156 Configuring VTP: IOS-Based Switch
Switch(vlan)# vtp domain domain-name
Switch(vlan)# vtp {server | client | transparent}
Switch(vlan)# vtp password password
Switch(vlan)# vtp v2-mode (version 2)

157 Configuring VTP: Set-Based Switch
Switch(enable) set vtp [domain domain-name] [mode {server | client | transparent}] [password password]
Switch(enable) set vtp v2 enable (version 2)

158 VTP Pruning: VTP pruning enhances network bandwidth use by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. By default, VTP pruning is disabled.

159 VTP Pruning

160 VTP Pruning: Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are pruning eligible. –VLAN 1 is always pruning ineligible, so traffic from VLAN 1 cannot be pruned. –You have the option to make specific VLANs pruning eligible or pruning ineligible on the device.

161 Configuring VTP Pruning: IOS-Based Switch
Switch(vlan)# vtp pruning

