@ONE Spring Hands-On Institute
Los Medanos College
Introduction to Cisco Network Devices
Mark McGregor, Instructor
April, 2005

Page 2: Module 2: Configuring Catalyst Switches

Page 3: Basic Layer 2 Switching and Bridging Functions

Page 4: The Stone Age of LANs

10Base5 802.3 Ethernet: coax bus ("thicknet"). Shared media. CSMA/CD.

10 Mbps shared. Actual throughput per host may hover around 1 Mbps or even less.

Doesn't scale. As you add nodes, you increase the chance of collisions and reduce effective bandwidth.

(Diagram: hosts tapped onto a thicknet bus, extended with a repeater.)

Page 5: The Dark Ages of LANs (bridging)

(Diagram: Segment Alpha and Segment Bravo, each a UTP star on a hub, joined by a bridge.)

10BaseT 802.3 Ethernet: UTP star. Shared media. CSMA/CD.

Still 10 Mbps shared. Broadcast problem: a bridge forwards broadcasts, so both segments form one broadcast domain.

Scales by "segmenting" the network. As you add nodes to each segment, you increase the chance of collisions and reduce effective bandwidth on that segment.

Page 6: The Dark Ages of LANs (routing)

(Diagram: Network Alpha and Network Bravo, each a UTP star on a hub, joined by an L3 router.)

10BaseT 802.3 Ethernet: UTP star. Shared media. CSMA/CD.

Still 10 Mbps shared. But broadcasts are controlled, at the expense of added latency.

Scales by "subnetting" the network. Early L3 routers added significant latency. If hosts on Alpha need to send tons of data to the server on Bravo, the router is a bottleneck.

Page 7: Today: Micro-Segmentation

10/100/1000BaseT 802.3 Ethernet: UTP star. Not shared.

10/100/1000 Mbps dedicated per port. But broadcasts are still a problem!

Scales by "microsegmenting" the network. Each host is on its own segment. No collisions when operating in full-duplex mode.

Page 8: Broadcast Issues

In a flat Layer 2 network, broadcast frames, such as ARP or Windows NetBIOS over IP, are sent everywhere. The probability of broadcast storms increases as the network and the number of users grow.

Page 9: L3 Broadcast Filtering

Layer 3 routers are used to create more manageable broadcast domains. Broadcasts do not pass through routers. This design can create a bottleneck at the router.

Page 10: VLAN Broadcast Filtering

VLANs can also be used to create more manageable broadcast domains. Traffic from one VLAN cannot cross into another VLAN unless it is routed at Layer 3.

(Diagram: a multilayer switch, i.e. an L3-capable switch, connected to access switches over VLAN trunks.)

Page 11: Today's LANs

• Hosts are mostly switched; few are shared (using hubs).

• Fast Layer 3 (L3) routers are used to provide scalability. L3 routing is often built into the backplane of the switch.

• Groups of users are determined by physical location. We are seeing a trend away from end-to-end user grouping (end-to-end VLANs).

Page 12: Today's Campus LANs

(Diagram, from Host A's point of view: local services on the access switch; remote services and enterprise services reached across the campus backbone.)

Page 13: Switch Operation

Page 14: How Switches Work

• A switch can create a network that behaves as if it has only two nodes: the sender and the receiver.

• Because only those two nodes share the bandwidth between them (10 Mbps in the example), the usable share of that bandwidth approaches 100%.

Page 15: How Switches Work

• Switches are high-speed multi-port bridges with one port for each node or segment of the LAN.

• A switch segments a LAN into microsegments, creating collision-free domains out of one larger collision domain.

Page 16: Microsegmentation

Page 17: Switch Latency

• Switches add latency, but they can reduce it by forwarding frames before they are completely received (cut-through switching).

Page 18: Two Switching Methods

Page 19: Cut-through v. Store & Forward

Page 20: Full-Duplex Ethernet

• Allows the transmission of one packet and the reception of a different packet at the same time.

• Requires two pairs of wires and a switched connection between each node.

• Point-to-point connection; no collisions, so CSMA/CD is not needed.

• No negotiation for bandwidth.

Page 21: Full-Duplex Ethernet

• Offers 100% of the link bandwidth in both directions (potential 20 Mbps, 200 Mbps, etc. aggregate).

Page 22: Switches and Broadcasts

Page 23: Switches Learn the Network

Page 24: CAM

• Content Addressable Memory.

• An Ethernet switch can learn the address of each device on the network by reading the source address of each frame transmitted and noting the port on which the frame was heard.

• Addresses are learned dynamically: as new addresses are read they are learned and stored in content addressable memory (CAM). When a source address is read that is not found in the CAM, it is learned and stored for future use.

Page 25: Aging Out

• Each time an address is stored it is time-stamped. This allows addresses to be kept for a set period of time.

• Each time an address is referenced or found in the CAM, it receives a new time stamp.

• Addresses that are not referenced during the set period of time are removed from the table.

• By removing old addresses the CAM maintains an accurate and functional forwarding database.

Page 26: Key Characteristics of Various Switching Technologies

Page 27: Switching

• Layer 2 switching: forwarding based on MAC address.

• Layer 3 switching: switching at L2, hardware-based routing at L3.

• Layer 4 switching: switching at L2, hardware-based routing at L3, with decisions optionally made on L4 information (port numbers).

Page 28: Layer 2 Switching

Page 29: Layer 3 Switching

Page 30: Layer 4 Switching

Page 31: MLS (Multi-Layer Switching)

Page 32: MLS

• Cisco's specialized form of switching and routing, not generic L3 routing/L2 switching.

• Cannot be performed using LMC lab equipment.

Page 33: MLS

• Sometimes referred to as "route once, switch many".

Page 34: Cisco Catalyst Switches

Page 35: Switch Block - AL (access layer)

Catalyst 2950 Switch:

• Layer 2 only; no IP routing

• Up to 50 ports

Page 36: Switch Block - AL (access layer)

Catalyst 3550/3560 Switch:

• Supports L3 routing

• Up to 50 ports

Page 37: Switch Block - AL (access layer)

Catalyst 3750 Switch:

• Supports L3 routing

• Supports Cisco StackWise technology

• Provides a 32-Gbps high-speed stacking bus

Page 38: Switch Block - DL (distribution layer)

Catalyst 4000 Switch:

• Supports L3 blades, high-density access ports

• 4006 (6 slots) pictured

Page 39: Switch Block - DL (distribution layer)

Catalyst 4500 Switch:

• Supports L3 blades, high-density access ports

• Up to 10 slots

Page 40: Switch Block - DL (distribution layer)

Catalyst 6500 Switch:

• Supports L3 blades, high-density access ports

• Can have up to 13 slots

Page 41: Spanning Tree

Page 42: Spanning-Tree Protocol

• Allows redundant switched/bridged paths without suffering the effects of loops in the network.

Page 43: STP States

Page 44: IOS Switch Configuration

Page 45: Catalyst Switches

• The Catalyst switching product line began as a Frankenstein of numerous acquisitions, including Crescendo (1993), Kalpana (1994) and Grand Junction (1995).

• Result: the operating systems of Catalyst products did not look the same, nor did they initially align with Cisco IOS.

Page 46: Catalyst Switches

• Catalysts derived from the Crescendo acquisition (Cat 5000) ran an OS known as CatOS, sometimes referred to as a "set-based" OS because (unlike IOS) many configurations required the use of the set command.

• The 5000 evolved into other big Cats (5500, 6000 and 6500), which also initially ran CatOS.

Page 47: Catalyst Switches

• Smaller "work-group" access switches (1700, 1900, etc.) ran various specialized operating systems, most of them menu-driven.

• As the work-group Catalysts evolved, they dropped menus in favor of an IOS-like operating system.

Page 48: Catalyst Switches

• Today, all current Cisco Catalyst products have converged on Cisco IOS.

• You are very likely to see legacy CatOS out in the real world, so you should be aware of it. Cisco has stopped testing on CatOS for its CCNA, CCNP and CCIE R&S exams.

Page 49: Configuring Cat Switches

• Because Catalyst switches run IOS, you can apply the same configuration principles you've learned for configuring routers to configuring switches.

Page 50: Configuring IOS-based Catalyst Switches

Page 51: Useful show Commands

• show version
• show running-config
• show interface
• show interface status
• show interface switchport
• show ip interface brief
• show mac-address-table
• show post

Page 52: show interface status

CORE-1>sho interface status

Port    Name                 Status     Vlan    Duplex  Speed   Type
Gi0/1   ADMIN-NET            connected  trunk   a-full  a-1000  1000BaseSX
Gi0/2                        disabled   1       auto    auto    unknown
Gi0/3   ABNET & XYNET        connected  trunk   a-full  a-1000  1000BaseSX
Gi0/4   NOT IN USE           disabled   1       auto    auto    unknown
Gi0/5   RANET                connected  trunk   a-full  a-1000  1000BaseSX
Gi0/6   NOT IN USE           disabled   1       auto    auto    unknown
Gi0/7   NOT IN USE           disabled   routed  auto    auto    unknown
Gi0/8   NOT IN USE           disabled   1       auto    auto    unknown
Gi0/9   L3 CONNECTION TO C   connected  routed  a-full  a-1000  1000BaseSX
Gi0/10                       disabled   1       auto    auto    unknown
Gi0/11  L3 CONNECTION TO E   connected  routed  a-full  a-100   10/100/1000BaseTX
Gi0/12  WIRELESS TO PIX      connected  802     a-full  a-100   10/100/1000BaseTX
CORE-1>

Page 53: Getting a "fresh" Start

• Some Cat IOS switches keep track of VLAN information in a special file called vlan.dat. This file is separate from the running configuration. Other switches have the VLAN configuration as part of the config file; which applies depends on the VTP mode (covered in module 9).

• To bring a switch back to the default configuration, you may need to delete both its VLAN database and its startup-configuration file.

Page 54: Getting a "fresh" Start

leftovers#dir flash:
Directory of flash:/

    2  -rwx           0   Jan 01 1970 00:01:20  env_vars
    3  -rwx         342   Jan 01 1970 00:01:20  system_env_vars
    4  -rwx         736   Mar 11 1993 17:25:25  vlan.dat
    6  -rwx           5   Mar 01 1993 00:01:19  private-config.text
    7  drwx         192   Mar 01 1993 00:03:20  c3550-i5q3l2-mz.121-11.EA1

15998976 bytes total (10913280 bytes free)
leftovers#

Page 55: Getting a "fresh" Start

Sloppy_seconds#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Sloppy_seconds#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Sloppy_seconds#reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]

00:08:09: %SYS-5-RELOAD: Reload requested

Answer "n" at the save prompt: saving would write the running configuration back to NVRAM and undo the erase.

Page 56: Assigning a Name

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#

Page 57: Assigning Passwords

S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#enable secret cisco
S1(config)#line vty 0 4
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line con 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#service password-encryption
S1(config)#

Use the service password-encryption command to encipher line and user passwords in the configuration file (prevents "shoulder surfing"). Bad news: the cipher (IOS "type 7") is easily reversed, so a config file containing such passwords must be handled as sensitive. The enable secret is stored as a one-way MD5 hash instead and is not reversible this way.
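The reversal the slide warns about, as an added Python example that is not code from the slides: an implementation of the IOS "type 7" scheme that service password-encryption applies, with an encoder, a decoder, and a scan over a constructed running-config excerpt. The XOR key string is the well-known constant of the algorithm; the config lines, the enable-secret hash and the vty password value are constructed for the example.

```python
# Cisco "type 7" password obfuscation, as applied by `service password-encryption`.
# Added example (Python); not code from the slides. XLAT is the well-known key
# string the algorithm uses; the config text below is constructed.
import re

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encrypt(plaintext: str, seed: int = 0) -> str:
    """Obfuscate as IOS does: two decimal digits of seed, then one hex byte per
    character, each XORed with the key byte at (seed + position) mod len(XLAT)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext):
        out.append(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def type7_decrypt(token: str) -> str:
    """Reverse it: the seed is stored in the clear, and XOR is its own inverse."""
    if len(token) < 2 or len(token) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", token):
        raise ValueError("not a well-formed type 7 string")
    seed = int(token[:2])
    if seed > 15:
        raise ValueError("seed out of range")
    chars = []
    for i in range(2, len(token), 2):
        byte = int(token[i:i + 2], 16)
        pos = seed + (i - 2) // 2
        chars.append(chr(byte ^ ord(XLAT[pos % len(XLAT)])))
    return "".join(chars)


# Constructed running-config excerpt in the shape the slide produces after
# `service password-encryption`. 094F471A1A0A is the widely published encoding
# of "cisco"; the vty value and the enable-secret hash are made up for the example.
SAMPLE_CONFIG = """\
hostname S1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 0210104246160E325F
 login
"""

PW7 = re.compile(r"^\s*(?:enable )?password 7 ([0-9A-Fa-f]+)\s*$")


def recover_type7_passwords(config: str) -> dict:
    """Map every `password 7 <hex>` line in a config to its plaintext.
    `enable secret 5` lines are MD5-crypt hashes and are skipped on purpose:
    they cannot be reversed this way."""
    found = {}
    for line in config.splitlines():
        m = PW7.match(line)
        if m:
            found[line.strip()] = type7_decrypt(m.group(1))
    return found


if __name__ == "__main__":
    for line, clear in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{line}  ->  {clear!r}")
```

The enable secret line is left alone on purpose: it is a one-way hash, which is why the slide uses enable secret rather than enable password. Everything protected only by type 7 should be treated as exposed the moment a copy of the configuration (a TFTP backup, a pasted show run) leaves the switch.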

Page 58: Assigning an IP Address

S1(config)#interface vlan 1
S1(config-if)#ip address 10.1.1.1 255.255.255.0
S1(config-if)#exit
S1(config)#ip default-gateway 10.1.1.254

What's up with "interface vlan 1"?

Well, the default config for a switch is such that all of its ports are layer 2 "bridged" ports. The ports don't have IP addresses.

The default config also places all switchports in VLAN 1.

When you assign an IP to VLAN 1, you can reach the switch's "management" IP address on any of the ports in VLAN 1.

In practice, it is not secure to put an IP address on VLAN 1: every unconfigured port is in VLAN 1, so anyone who plugs into one lands on the management subnet. You should configure another VLAN besides 1 for management purposes.

Page 59: Nailing Down speed & duplex

S1(config)#interface f0/1
S1(config-if)#speed 100
S1(config-if)#duplex full

By default, switch ports will try to auto-negotiate speed and duplex mode. The auto-negotiation protocol (802.3u) attempts to set the highest possible speed and best duplex mode available on both link partners.

In the field, you may find that auto-negotiation fails, so nail down important links when possible. Set both ends: a hard-coded full-duplex port facing an auto-negotiating partner leaves that partner at half duplex (a duplex mismatch).

Page 60: The Catalyst GUI

• Switches are far more prevalent than routers in an enterprise.

• Many members of an IT staff may need to configure workgroup or even distribution switches, and IOS command-line expertise is not always plentiful.

• Cisco offers a web-based GUI for easy administration and configuration of Catalyst switches. It requires a Java VM.

• The GUI can also be used to command multiple switches from the same interface (Cluster Management Suite, or CMS).

Page 61: The Catalyst GUI

• Enabling the web-based GUI opens you up to additional network security exposure: it is one more listening service, reached over cleartext HTTP, that accepts the same credentials as the CLI.

• Use this feature with caution!

• On most workgroup Catalyst switches, this feature is on by default.

• Disable it until you know you are going to use it:

  no ip http server

Page 62: Configuring the Web Interface

S1(config)#ip http server
S1(config)#ip http port 8080
S1(config)#

The ip http port 8080 command changes the TCP port of the web server from the default to any valid port number you configure.

The default port is, of course, TCP 80. You can access your switch's web server at http://ipaddress

In our example, it would be http://10.1.1.1:8080 (the port number was changed). Changing the port is not a security control: a port scan finds the server just the same, and the logins still cross the network in the clear.
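The hardening points of the last few slides (cleartext line passwords, a vty password without login, management on VLAN 1, the web server left on) turned into a check, as an added Python example that is not code from the slides: a weak configuration in the shape the slides build up, a hardened counterpart following the slides' own advice, and a small auditor that walks IOS-style stanzas and reports each finding. Both config texts are constructed; VLAN 99 and its addresses are arbitrary choices for the example.

```python
# Added example (Python), not from the slides: audit a Catalyst IOS config excerpt
# for the hardening points this module raises. Both configs are constructed.

# "As configured on the slides": management IP on VLAN 1, web server on (the port
# change does not help), vty password without `login`, no service password-encryption.
WEAK_CONFIG = """\
hostname S1
enable secret cisco
!
ip http server
ip http port 8080
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip default-gateway 10.1.1.254
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
"""

# Hardened counterpart: VLAN 1 has no address, management lives on VLAN 99 (assumed).
HARDENED_CONFIG = """\
hostname S1
service password-encryption
enable secret cisco
!
no ip http server
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description MANAGEMENT
 ip address 10.1.99.1 255.255.255.0
!
ip default-gateway 10.1.99.254
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""


def _blocks(config):
    """Yield (header, [indented child lines]) for each top-level stanza.
    Comment lines ("!") and blank lines are skipped."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit(config: str) -> list:
    """Return one human-readable finding per weak setting found."""
    findings = []
    top = [h for h, _ in _blocks(config)]
    if "ip http server" in top:
        findings.append("web GUI enabled (ip http server): disable with `no ip http server` until needed")
    if "service password-encryption" not in top:
        findings.append("line passwords stored in cleartext: add `service password-encryption`")
    for header, body in _blocks(config):
        if header.lower() == "interface vlan1" and any(c.startswith("ip address ") for c in body):
            findings.append("management IP on VLAN 1: move it to a dedicated management VLAN")
        if header.startswith("line vty") and any(c.startswith("password") for c in body) \
                and "login" not in body:
            findings.append(f"{header}: password set but `login` absent, so it is not checked")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

The auditor keys on stanza headers rather than substrings, so no ip http server is not mistaken for ip http server, and only the vty stanza is checked for login; the console line is left to local policy.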

Page 63: VLAN Basics

Page 64: Early VLANs

• Virtual Local Area Networks

• Promoted heavily by industry in the mid-1990s

• Vendors took varied approaches to creating VLANs, which led to incompatibility and confusion.

Page 65: VLANs

• A group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location.

• Same attributes as a physical LAN, but VLANs allow end stations to be grouped together even if they are not located on the same LAN segment.

Page 66: VLANs

• Each VLAN is typically assigned a unique IP subnet: 1 VLAN = 1 IP subnet (almost always).

• Cisco VLANs typically run a separate instance of Spanning-Tree Protocol (STP) or Rapid STP (RSTP): per-VLAN spanning tree (PVST).

• Segmentation can be based on organizational functions, applications, or a physical/geographical basis.

Page 67: Campus-Wide, End-to-End VLANs

Page 68: Local/Geographic VLANs

Page 69: Why VLANs?

• With VLANs, administrators can:

  – control traffic patterns
  – react quickly to relocations
  – keep up with constant changes in the network due to moving requirements and node relocation
  – increase security
  – contain broadcasts

Page 70: VLANs and Network Security

Page 71: VLANs are secure*

• When a station transmits on a shared network (hub), all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients.

• Anyone with a network sniffer can capture passwords, sensitive e-mail, and any other traffic on the shared network.

• If the traffic is unencrypted…

Page 72: Switched networks are secure*

• Some TCP/IP protocols that send info in cleartext:

  – HTTP (not HTTPS)
  – Telnet (not SSH)
  – FTP
  – SMTP (mail)

• Some popular sniffers:

  – Ethereal (free)
  – Etherpeek (WildPackets)
  – tcpdump (free)
  – Sniffer Pro (Network Associates)
  – dsniff (free, Dug Song)

Page 73: Switched networks are secure*

• Switches allow for microsegmentation: each user that connects directly to a switch port is on his or her own segment.

• If every device has its own segment (switchport), then only the sender and receiver will "see" unicast traffic.

• VLANs contain broadcast traffic: only users on the same VLAN will see broadcasts.

Page 74: Switched networks are secure*

• On a switched network, Host X should not see unicast traffic from Host A to Internet hosts. Man-in-the-middle: the attacker uses ARP to "become" Host A's default gateway.

(Diagram: Host A and attacker X on the same switch; the default gateway is 1.1.1.1. X sends an ARP reply "1.1.1.1 is at my MAC". A updates its ARP table, so its default gateway has been changed at L2 and its Internet traffic now passes through X. X: "Hmm. Passwords, email…yum!")
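The gateway takeover in the diagram, seen from the defender's side, as an added Python example that is not code from the slides: a detector that replays a constructed stream of ARP replies (every address and port name here is made up) and flags any IP whose MAC or ingress port changes. The gateway's true binding is pinned so the bogus claim is caught even if it arrives before the legitimate reply.

```python
# Added example (Python), not code from the slides: flag ARP replies that move a
# known IP to a different MAC or switch port, the symptom of the slide's attack.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str          # switch port the reply was heard on


GATEWAY_IP = "1.1.1.1"
PINNED = {GATEWAY_IP: ("00aa.0000.0001", "Gi0/1")}   # assumed true gateway binding


class ArpWatch:
    def __init__(self, pinned):
        self.pinned = dict(pinned)       # ip -> (mac, port) that must never change
        self.seen = {}                   # ip -> (mac, port) learned from traffic
        self.alerts = []

    def observe(self, r):
        """Return True if the reply agrees with what is known; otherwise record an alert."""
        claim = (r.sender_mac, r.port)
        expected = self.pinned.get(r.sender_ip, self.seen.get(r.sender_ip))
        self.seen.setdefault(r.sender_ip, claim)     # first sighting of an unpinned IP is learned
        if expected is None or expected == claim:
            return True
        self.alerts.append(
            f"{r.sender_ip} claimed by {r.sender_mac} on {r.port}; "
            f"known binding {expected[0]} on {expected[1]}"
        )
        return False


# Constructed replay: the gateway answers Host A, then attacker X on Fa0/7 sends
# the poisoning reply from the diagram ("1.1.1.1 is at my MAC").
REPLIES = [
    ArpReply("1.1.1.1", "00aa.0000.0001", "Gi0/1"),     # real gateway
    ArpReply("1.1.1.10", "00bb.0000.000a", "Fa0/2"),    # Host A
    ArpReply("1.1.1.1", "00cc.0000.00ff", "Fa0/7"),     # attacker X poisoning A's cache
    ArpReply("1.1.1.10", "00bb.0000.000a", "Fa0/2"),    # A again, unchanged: no alert
]


def run(replies, pinned=PINNED):
    """Feed a reply stream through the watcher and return the alerts raised."""
    w = ArpWatch(pinned)
    for r in replies:
        w.observe(r)
    return w.alerts


if __name__ == "__main__":
    for a in run(REPLIES):
        print("ALERT:", a)
```

Pinning matters because a first-seen policy trusts whichever reply arrives first. On Catalyst switches the in-switch equivalent of this check is Dynamic ARP Inspection, which these slides do not cover; and encrypting the traffic (the earlier slide's "if the traffic is unencrypted…") limits what X learns even when the redirection succeeds.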

Page 75: Switched networks are secure*

• On a switched network, Host X should not see unicast traffic from Host A to Internet hosts. MAC flood: the attacker overwhelms the switch with a flood of bogus source MACs. The switch "fails open" and acts like a hub.

(Diagram: X: "Hey switch! Here's 999,000 MAC addresses!" Switch: "My CAM table is jacked. I'll have to flood traffic out all ports." X: "Smell those tasty packets!")

Page 76: Switched networks are secure*

• By using VLANs, you can mitigate man-in-the-middle attacks and packet-sniffing exposure: both attacks above work only against hosts in the attacker's own VLAN.

• Put public or less secure terminals in one VLAN; place administrative and/or mission-critical hosts on a different VLAN.

• Use VLANs to provide logical separation and security "zones".

Page 77: VLANs and Broadcast Distribution

Page 78: VLANs Control Broadcasts

Page 79: VLANs Control Broadcasts

• Broadcast traffic is a necessary evil. Routing protocols and network services typically rely on broadcasts; multimedia applications may also use broadcast frames/packets.

• Each VLAN is its own broadcast domain. Traffic of any kind cannot leave a VLAN without L3 services (a router). Administrators can control the size of a broadcast domain by defining the size of the VLAN.

Page 80: VLANs improve BW utilization

• Bandwidth is shared in legacy Ethernet; a switch improves BW utilization by eliminating collisions (microsegmentation).

• VLANs further improve BW utilization by confining broadcasts and other flooded traffic.

• Switches only flood ports that belong to the source port's VLAN.
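The learning and aging rules from the "CAM" and "Aging Out" slides, the flood-within-the-VLAN rule from this slide, and the MAC-flood "fails open" effect from the earlier attack slide, in one added Python model that is not code from the slides. Port names, MAC addresses, the CAM size of 8 entries and the 300-second aging time are constructed for the example (real tables hold thousands of entries). The optional per-port learned-address limit is modelled loosely on the protect behaviour of Catalyst port security, which these slides do not cover.

```python
# Added example (Python), not from the slides: a switch forwarding model with a
# bounded, aging CAM table keyed by (VLAN, MAC). All addresses and sizes are constructed.

BROADCAST = "ffff.ffff.ffff"


class Switch:
    """Minimal L2 forwarding model: CAM keyed by (vlan, mac), bounded size, idle aging."""

    def __init__(self, port_vlans, cam_size=8, aging=300, max_per_port=None):
        self.port_vlans = dict(port_vlans)     # port -> access VLAN
        self.cam = {}                          # (vlan, mac) -> [port, last_seen]
        self.cam_size = cam_size
        self.aging = aging                     # seconds of inactivity before removal
        self.max_per_port = max_per_port       # None = plain switch, no limit
        self.violations = []

    def _age(self, now):
        stale = [k for k, (_, seen) in self.cam.items() if now - seen > self.aging]
        for k in stale:
            del self.cam[k]

    def _learned_on(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def forward(self, in_port, src, dst, now):
        """Return the set of egress ports for one frame (empty set = dropped or local)."""
        self._age(now)
        vlan = self.port_vlans[in_port]
        key = (vlan, src)
        if key in self.cam:
            self.cam[key] = [in_port, now]            # refresh the time stamp
        elif self.max_per_port is not None and self._learned_on(in_port) >= self.max_per_port:
            self.violations.append((in_port, src))    # protect-style: drop, learn nothing
            return set()
        elif len(self.cam) < self.cam_size:
            self.cam[key] = [in_port, now]            # learn the source address
        # else: CAM full, forward without learning (this is what the flood exploits)
        if dst != BROADCAST and (vlan, dst) in self.cam:
            out = self.cam[(vlan, dst)][0]
            return set() if out == in_port else {out}
        # unknown unicast or broadcast: flood, but only within the ingress VLAN
        return {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}


PORTS = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20, "Fa0/5": 20}
A, S = "0000.0a0a.0001", "0000.0a0a.0002"     # constructed host and server MACs in VLAN 10


def run_scenario(max_per_port=None):
    """Replay legitimate traffic, a MAC flood from Fa0/3, then a re-learn after aging.
    Returns (egress ports for A->S before the attack, egress ports after)."""
    sw = Switch(PORTS, cam_size=8, aging=300, max_per_port=max_per_port)
    sw.forward("Fa0/1", A, S, now=0)                   # S unknown: flooded within VLAN 10
    sw.forward("Fa0/2", S, A, now=0)                   # S learned
    before = sw.forward("Fa0/1", A, S, now=0)          # true unicast now: {Fa0/2}
    for t in (1, 301):                                 # attacker keeps its bogus entries fresh
        for i in range(100):
            sw.forward("Fa0/3", f"0000.bad0.{i:04x}", BROADCAST, now=t)
    sw.forward("Fa0/2", S, A, now=302)                 # S speaks again after aging out
    after = sw.forward("Fa0/1", A, S, now=303)
    return before, after


def vlan_scoped_flood():
    """A broadcast from a VLAN 20 port reaches only other VLAN 20 ports."""
    sw = Switch(PORTS)
    return sw.forward("Fa0/4", "0000.1414.0001", BROADCAST, now=0)


if __name__ == "__main__":
    print("plain switch (before, after flood):", run_scenario())
    print("per-port limit of 2:", run_scenario(max_per_port=2))
    print("VLAN 20 broadcast reaches:", vlan_scoped_flood())
```

Without a limit, A and S age out while the attacker's refreshed entries keep the table full, so neither can be re-learned and A's traffic to S is flooded to Fa0/3 as well: the hub behaviour of the attack slide. With the per-port limit the bogus addresses never occupy the table, and the same frame goes only to Fa0/2. VLAN 20 traffic never appears on a VLAN 10 port in either case.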

Page 81: VLAN Types

Page 82: Types of VLANs

When scaling VLANs in the switch block, there are two basic methods of defining the VLAN boundaries: end-to-end VLANs and local VLANs.

Page 83: Types of VLANs

• Remember: a one-to-one correspondence between VLANs and IP subnets is strongly recommended! Typically, this results in VLANs of 254 hosts or fewer (one /24 per VLAN).

Page 84: End-to-End VLANs

• Hosts are grouped into VLANs independent of physical location and dependent on group, job function, or application.

• As a user moves around the campus, VLAN membership for that user's PC should not change.

• Each VLAN has a common set of security requirements for all members.

Page 85: End-to-End VLANs

Page 86: Local/Geographic VLANs

• As many corporate networks have moved to centralize their resources, end-to-end VLANs became more difficult to maintain.

• Users are required to use many different resources, many of which are no longer in their VLAN.

• Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.

Page 87: Local/Geographic VLANs

• Can span a geographic location as large as an entire building or as small as one switch.

• The 20/80 rule is in effect, with 80 percent of the traffic remote to the user and 20 percent of the traffic local to the user.

• A user must cross an L3 device in order to reach 80 percent of the resources. However, this design allows the network to provide a deterministic, consistent method of accessing resources.

Page 88: Establishing VLAN Memberships

Page 89: VLAN Types

The two common approaches to assigning VLAN membership are static VLANs (aka port-based) and dynamic VLANs.

Page 90: Static VLANs

• Also referred to as port-based membership.

• VLAN assignments are created by assigning ports to a VLAN.

• As a host enters the network, the switch automatically tags that host's traffic so that it belongs to the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

Page 91: Static VLANs

Page 92: Static VLANs

• A port is ass
igned to a specific VLAN independent of the user or system attached to the port.

• The port cannot send to or receive from devices in another VLAN without the intervention of an L3 device. The device attached to the port likely has no understanding that a VLAN exists; it simply knows that it is a member of a subnet.

Page 93: Static VLANs

• The switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN. The switch is further responsible for ensuring that ports in a different VLAN do not receive the information.

Page 94: Static VLANs

• This approach is quite simple, fast, and easy to manage in that no complex lookup tables are required for VLAN segmentation.

• If the port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good.

• An ASIC allows the port-to-VLAN mapping to be done at the hardware level.

Page 95: Configuring VLANs

Page 96: Configuring Static VLANs

IOS-Based Switch

Switch#vlan database
Switch(vlan)#vlan 10 name SALES
Switch(vlan)#exit
Switch#conf t
Switch(config)#interface fa0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface range fa0/2 - 6
Switch(config-if-range)#switchport access vlan 10

VLAN database: stored in the vlan.dat file, not config.text.

You can edit the VLAN database directly by entering VLAN database mode; leaving it with exit applies the changes.

Page 97: Configuring Static VLANs

IOS-Based Switch

switch>sho vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    MARKETING                        active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
3    PUBLIC                           active    Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/18
4    CORE                             active    Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Gi0/1
5    REDOG                            active    Fa0/17, Fa0/19, Fa0/20
6    CALREN                           active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
802  WIRELESS                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
switch>

Page 98: Configuring VLANs

• When configuring VLANs, keep in mind that a created VLAN remains unused until it is mapped to switch ports, and that the default configuration has all of the switch ports in VLAN 1.

Page 99: Dynamic VLANs

Page 100: Dynamic VLANs

• Created through the use of software packages such as the CiscoWorks 2000 VLAN Management Policy Server (VMPS).

• Typically allows for membership based on the MAC address of the device.

• As a device enters the network, the switch queries a database for that device's VLAN membership.

Page 101: Dynamic VLANs

Page 102: Dynamic VLANs

• With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.

• When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

• The lookup key is a source MAC address the end station itself supplies, so this places hosts; it does not authenticate them.

Page 103: Dynamic VLANs

• When you enable VMPS on a switch, a MAC-address-to-VLAN mapping database downloads from a TFTP server and VMPS begins to accept client requests. If you reset or power-cycle the Catalyst 5000, 4000, 900, 3500, or 6000 Series switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled.

Page 104: Dynamic VLANs

• VMPS opens a UDP socket to communicate with clients and listen for their requests.

• The VMPS client communicates with a VMPS server through the VLAN Query Protocol (VQP).

• When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping.

Page 105: Dynamic VLANs

• The server response is based on this mapping and on whether or not the server is in secure mode.

• Secure mode determines whether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN.

Page 106: Dynamic VLANs

• If a device is plugged into the network and its MAC address is not in the database, VMPS sends the fallback VLAN name to the client.

• If no fallback VLAN is configured and the MAC address does not exist in the database, VMPS sends an access-denied response.

• If VMPS is in secure mode, it sends a port-shutdown response.

Page 107: Dynamic VLANs

• An administrator can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name.

• In this case, VMPS sends an access-denied or port-shutdown response.

Page 108: Storm Control

Page 109: Storm Control

• Storm control prevents switchports on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.

• A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance.

• Errors in the protocol-stack implementation or in the network configuration can cause a storm.

Page 110: Storm Control

• Storm control (or traffic suppression) monitors incoming traffic statistics over a time period and compares the measurement with a predefined suppression level threshold.

• The threshold represents the percentage of the total available bandwidth of the port.

• Cisco switches support separate storm control thresholds for broadcast, multicast, and unicast traffic.

  – If the threshold of a traffic type is reached, further traffic of that type is suppressed until the incoming traffic falls below the threshold level.

Page 111: Configuring Storm Control

S1# configure terminal

S1(config)# interface fa0/1

S1(config-if)# storm-control broadcast level 50.5

The storm-control command in this example sets the broadcast threshold to 50.5% of the interface’s bandwidth.

Page 112: Access and Trunk Links

Page 113: Access and Trunk Links

Page 114: Access Links

• An access link is a link on the switch that is a member of only one VLAN.

• This VLAN is referred to as the native VLAN of the port.

  – Any device that is attached to the port is completely unaware that a VLAN exists.

Page 115: Trunk Links

• A trunk link is capable of supporting multiple VLANs.

• Trunk links are typically used to connect switches to other switches or routers.

• Switches support trunk links on both Fast Ethernet and Gigabit Ethernet ports.

Page 116: Access and Trunk Links

Page 117: Trunk Links

• A trunk link does not belong to a specific VLAN.

  – It acts as a conduit for VLANs between switches and routers.

• The trunk link can be configured to transport all VLANs or to transport a limited number of VLANs.

• A trunk link may, however, have a native VLAN.

  – The native VLAN of the trunk is the VLAN that the trunk uses if the trunk link fails for any reason.

Page 118: VLAN Trunking

Page 119: Trunk Links

• In Ethernet, the switch has two methods of identifying the VLAN that a frame belongs to:

  – ISL – InterSwitch Link (Cisco proprietary)

  – IEEE 802.1Q (standards-based), aka dot1q

Page 120: VLAN Identification

• ISL - This protocol is a Cisco proprietary encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers.

• Even though it’s Cisco proprietary, ISL is not natively supported by the Catalyst 4000.

  – The L3 blade gives the Cat4000’s router two ISL-capable ports (Gig 1 and Gig 2).

Page 121: VLAN Identification

• IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header. This process is referred to as frame tagging.

  – Note: In practice, both ISL and dot1q are called frame tagging.

Page 122: VLAN Identification

• 802.10 - This standard is a Cisco proprietary method of transporting VLAN information inside the standard 802.10 frame (FDDI).

  – The VLAN information is written to the security association identifier (SAID) portion of the 802.10 frame. This method is typically used to transport VLANs across FDDI backbones.

Page 123: VLAN Identification

• LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.

Page 124: VLAN Identification

Page 125: ISL (Frame Encapsulation)

[Diagram: ISL encapsulation of an Ethernet frame – 1500 bytes plus 18-byte header (1518 bytes)]

Standard NIC cards and networking devices don’t understand this giant frame. A Cisco switch must remove this encapsulation before sending the frame out on an access link.

Page 126: ISL

• An Ethernet frame is encapsulated with a header that transports VLAN IDs.

• Adds overhead to the packet as a 26-byte header containing a 10-bit VLAN ID.

• In addition, a 4-byte cyclic redundancy check (CRC) is appended to the end of each frame.

  – This CRC is in addition to any frame checking that the Ethernet frame requires.

Page 127: 802.1q

[Diagram: 802.1q tagged frame – SA and DA MACs | 802.1q Tag (2-byte TPID = Tag Protocol Identifier, 2-byte TCI = Tag Control Info, includes VLAN ID) | Type/Length Field | Data (max 1500 bytes) | New CRC]

NIC cards and networking devices can understand this “baby” giant frame (1522 bytes). However, a Cisco switch must remove this encapsulation before sending the frame out on an access link.

Page 128: 802.1q

• significantly less overhead than the ISL

• as opposed to the 30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame

Page 129: 802.1q

• A 4-byte tag header containing a tag protocol identifier (TPID) and tag control information (TCI) with the following elements:

  – A 2-byte TPID with a fixed value of 0x8100. This value indicates that the frame carries the 802.1Q/802.1p tag information.

  – A TCI containing the following elements:

    • Three-bit user priority

    • One-bit canonical format indicator (CFI)

    • Twelve-bit VLAN identifier (VID) – uniquely identifies the VLAN to which the frame belongs
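The tag layout from the diagram on page 127 and the field list above, worked as an added example (not code from the slides): a parser that pulls the TPID and the three TCI fields out of a raw frame, plus the tag insertion a trunk port performs on egress and the tag removal an access port performs. Frames are handled without their trailing CRC, and the sample frame is constructed.

```python
"""Parse, insert and strip IEEE 802.1Q tags on raw Ethernet frames."""
import struct

TPID_8021Q = 0x8100   # fixed Tag Protocol Identifier value


def parse_frame(frame: bytes) -> dict:
    """Split a frame (without CRC) into MACs, optional 802.1Q tag fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:            # a tag sits after the source MAC
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update({
            "tagged": True,
            "priority": tci >> 13,         # three-bit user priority (802.1p)
            "cfi": (tci >> 12) & 0x1,      # one-bit canonical format indicator
            "vid": tci & 0x0FFF,           # twelve-bit VLAN identifier
        })
        ethertype = struct.unpack("!H", frame[16:18])[0]   # real Type/Length
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def add_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC (what a trunk port does on egress)."""
    if not 0 <= vid <= 4095 or not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("802.1Q field out of range")
    tci = (priority << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before the frame goes out on an access link."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: an untagged IPv4 frame with a 46-byte zero payload.
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + struct.pack("!H", 0x0800) + bytes(46))

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, vid=802, priority=5)
    print(parse_frame(tagged))                       # vid=802, priority=5, ethertype=0x0800
    print(len(add_tag(bytes(1518), 1)))              # 1522: the "baby giant" size
```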

Page 130: Trunking

• A trunk is a point-to-point link that supports several VLANs.

• A trunk saves ports when creating a link between two devices implementing VLANs.

Page 131: Trunking

Page 132: Trunking

• Before attempting to configure a VLAN trunk on a port, you should determine what encapsulation the port can support: show interface switchport

Page 133: Trunking

alpha#show in g0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-6,802
Pruning VLANs Enabled: NONE
alpha#

Page 134: Trunking

• Dynamic Trunking Protocol (DTP) manages trunk negotiation

Page 135: Configuring Trunking

• Ethernet trunk interfaces support several different trunking modes.

  – Access

  – Dynamic desirable (default mode on Catalyst 2950 and 3550)

  – Dynamic auto

  – Trunk

  – Non-negotiate

  – dot1q-tunnel (Not an option on the Catalyst 2950.)

Page 136: Configuring Trunking

• On - This mode puts the port into permanent trunking. The port becomes a trunk port even if the neighboring port does not agree to the change.

• The on state does not allow for the negotiation of an encapsulation type.

  – You must, therefore, specify the encapsulation in the configuration.

Page 137: Configuring Trunking

• Access (Off) - This mode puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link.

• The port becomes a nontrunk port even if the neighboring port does not agree to the change.

Page 138: Configuring Trunking

• Desirable - This mode makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.

Page 139: Configuring Trunking

• Auto - This mode makes the port willing to convert the link to a trunk link.

• The port becomes a trunk port if the neighboring port is set to on or desirable mode.

• This is the default mode for Fast and Gigabit Ethernet ports.

  – If the default setting is left on both sides of the trunk link, the link will not become a trunk.

Page 140: Configuring Trunking

• Nonegotiate - This mode puts the port into permanent trunking mode but prevents the port from generating Dynamic Trunking Protocol (DTP) frames.

  – You must configure the neighboring port manually as a trunk port to establish a trunk link.

Page 141: Configuring Trunking

• For trunking to be autonegotiated on Fast Ethernet or Gigabit Ethernet ports, the ports must be in the same VTP domain.

• However, you can use “on” or “nonegotiate” mode to force a port to become a trunk, even if it is in a different domain.
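The DTP mode rules from pages 136 through 141, modelled as an added example (not code from the slides): given the administrative mode on each end of a link, it reports what each port operationally becomes and whether the two ends agree. The VTP-domain requirement from this slide is a flag; the mode names are the slide's own (on, desirable, auto, access, nonegotiate).

```python
"""Outcome of DTP trunk negotiation for a point-to-point link."""
from typing import Tuple

MODES = ("on", "desirable", "auto", "access", "nonegotiate")


def operational_mode(local: str, remote: str, same_vtp_domain: bool = True) -> str:
    """Operational mode ('trunk' or 'access') of the local port."""
    if local not in MODES or remote not in MODES:
        raise ValueError(f"unknown mode: {local!r}/{remote!r}")
    if local in ("on", "nonegotiate"):
        return "trunk"          # permanent trunking, whatever the neighbour does
    if local == "access":
        return "access"         # permanent nontrunking
    if not same_vtp_domain:
        return "access"         # autonegotiation needs both ports in one VTP domain
    if local == "desirable":
        # trunks if the neighbour is on, desirable or auto; a nonegotiate
        # neighbour sends no DTP frames, so this side stays an access port
        return "trunk" if remote in ("on", "desirable", "auto") else "access"
    # auto: passive, only trunks when the neighbour asks
    return "trunk" if remote in ("on", "desirable") else "access"


def link_state(a: str, b: str, same_vtp_domain: bool = True) -> Tuple[str, str, bool]:
    """Return (mode of A, mode of B, consistent) for the link between A and B."""
    mode_a = operational_mode(a, b, same_vtp_domain)
    mode_b = operational_mode(b, a, same_vtp_domain)
    return mode_a, mode_b, mode_a == mode_b


def negotiation_matrix(same_vtp_domain: bool = True) -> dict:
    """Every mode pairing and its outcome; 'mismatch' marks a link the two ends disagree on."""
    table = {}
    for a in MODES:
        for b in MODES:
            mode_a, mode_b, ok = link_state(a, b, same_vtp_domain)
            table[(a, b)] = "trunk" if ok and mode_a == "trunk" else (
                "access" if ok else "mismatch")
    return table


if __name__ == "__main__":
    for pair, result in negotiation_matrix().items():
        print(f"{pair[0]:>11} <-> {pair[1]:<11} {result}")
```

The two defaults on page 139 (auto on both ends) come out as no trunk, and a nonegotiate port facing a desirable one comes out as a mismatch, which is why the slide says the neighbour must be configured as a trunk by hand.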

Page 142: Configuring Trunking

IOS-Based Switch

Switch(config)# interface fastethernet 0

Switch(config-if)# switchport mode [access | multi | trunk]

Switch(config-if)# switchport mode dynamic [auto | desirable]

Switch(config-if)# switchport trunk encapsulation {isl | dot1q}

Switch(config-if)# switchport trunk allowed vlan remove vlan-list

Switch(config-if)# switchport trunk allowed vlan add vlan-list

Page 143: VLAN Trunking Protocol (VTP)

Page 144: VLAN Trunking Protocol

• VTP maintains VLAN configuration consistency across the entire network.

• VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis.

• Further, VTP allows you to make centralized changes that are communicated to all other switches in the network.

Page 145: VTP Benefits

Page 146: VTP

• All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain.

• Switches in different domains do not share VTP information.

• Using VTP, switches advertise:

  – Management domain

  – Configuration revision number

  – Known VLANs and their specific parameters

Page 147: VTP

• Switches can be configured not to accept VTP information.

• These switches will forward VTP information on trunk ports in order to ensure that other switches receive the update, but the switches will not modify their database, nor will the switches send out an update indicating a change in VLAN status.

  – This is referred to as transparent mode.

Page 148: VTP

• By default, management domains are set to a nonsecure mode, meaning that the switches interact without using a password.

• Adding a password automatically sets the management domain to secure mode.

  – A password must be configured on every switch in the management domain to use secure mode.

Page 149: VTP

• The VTP database contains a revision number.

• Each time a change is made, the switch increments the revision number

Page 150: VTP

• A higher configuration revision number indicates that the VLAN information that is being sent is more current than the stored copy.

• Any time a switch receives an update that has a higher configuration revision number, the switch will overwrite the stored information with the new information being sent in the VTP update.

Page 151: VTP Modes

• Switches can operate in any one of the following three VTP modes:

  – Server

  – Client

  – Transparent

Page 152: VTP Modes

• Server - If you configure the switch for server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain.

• VTP servers:

  – advertise their VLAN configuration to other switches in the same VTP domain

  – synchronize the VLAN configuration with other switches based on advertisements received over trunk links.

• This is the default mode on the switch.

Page 153: VTP Modes

• Client - VTP clients behave the same way as VTP servers. However, you cannot create, change, or delete VLANs on a VTP client.

Page 154: VTP Modes

• Transparent - VTP transparent switches do not participate in VTP.

• A VTP transparent switch does not advertise its VLAN configuration, and does not synchronize its VLAN configuration based on received advertisements.

  – However, in VTP Version 2, transparent switches do forward VTP advertisements that the switches receive out their trunk ports.
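The VTP rules from pages 146 through 154 (domain match, secure-mode password, revision-number overwrite, and the server, client and transparent behaviours), simulated as an added example that is not code from the slides. The password check is a plain string comparison, a stand-in for the real protocol's authentication; switch names, domains and VLANs are constructed.

```python
"""Simulate how switches in a VTP domain handle an advertisement."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]                     # VLAN ID -> name
    password: Optional[str] = None            # None: nonsecure mode


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                                 # "server", "client" or "transparent"
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def receive(self, adv: VtpAdvertisement) -> str:
        """Apply the slide rules; returns 'ignored', 'forwarded', 'rejected' or 'updated'."""
        if adv.domain != self.domain:
            return "ignored"                  # different domains never share VTP info
        if self.mode == "transparent":
            return "forwarded"                # relayed out trunk ports, database untouched
        if self.password != adv.password:
            return "rejected"                 # secure mode: every switch needs the password
        if adv.revision <= self.revision:
            return "ignored"                  # not more current than the stored copy
        self.vlans = dict(adv.vlans)          # higher revision overwrites stored VLANs
        self.revision = adv.revision
        return "updated"

    def configure_vlan(self, vid: int, name: str) -> Optional[VtpAdvertisement]:
        """Create or rename a VLAN locally; a server bumps the revision and advertises."""
        if self.mode == "client":
            raise PermissionError("VLANs cannot be created, changed or deleted on a client")
        self.vlans[vid] = name
        if self.mode != "server":
            return None                       # transparent: local only, nothing advertised
        self.revision += 1
        return VtpAdvertisement(self.domain, self.revision, dict(self.vlans), self.password)


if __name__ == "__main__":
    s1 = Switch("S1", "lmc", "server", password="vtp-secret")
    s2 = Switch("S2", "lmc", "client", password="vtp-secret")
    adv = s1.configure_vlan(10, "students")
    print(s2.receive(adv), s2.vlans)          # updated {1: 'default', 10: 'students'}
    # an advertisement without the domain password is rejected, however high its revision
    print(s2.receive(VtpAdvertisement("lmc", 99, {1: "default"})))   # rejected
```

The last call is the point of secure mode: without the password, an advertisement carrying a higher revision number would otherwise overwrite every client's and server's VLAN database.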

Page 155: Configuring VTP

Page 156: Configuring VTP

IOS-Based Switch

Switch(vlan)# vtp domain domain-name

Switch(vlan)# vtp {server | client | transparent}

Switch(vlan)# vtp password password

Switch(vlan)# vtp v2-mode (version 2)

Page 157: Configuring VTP

Set-Based Switch

Switch(enable) set vtp [domain domain-name] [mode {server | client | transparent}] [password password]

Switch(enable) set vtp v2 enable (version 2)

Page 158: VTP Pruning

• VTP pruning enhances network bandwidth use by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets.

• VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

• By default, VTP pruning is disabled.

Page 159: VTP Pruning

Page 160: VTP Pruning

• Enabling VTP pruning on a VTP server enables pruning for the entire management domain.

• VTP pruning takes effect several seconds after you enable it.

• By default, VLANs 2 through 1000 are pruning eligible.

  – VLAN 1 is always pruning ineligible, so traffic from VLAN 1 cannot be pruned.

  – You have the option to make specific VLANs pruning eligible or pruning ineligible on the device.

Page 161: Configuring VTP Pruning

IOS-Based Switch

Switch(vlan)# vtp pruning