CIS 82 Routing and Switching Essentials Chapter 6


Chapter 6: VLANs
Rick Graziani, Cabrillo College, [email protected], Spring 2018

Chapter 6: Objectives
- Explain the purpose of VLANs in a switched network.
- Analyze how a switch forwards frames based on VLAN configuration in a multi-switched environment.
- Configure a switch port to be assigned to a VLAN based on requirements.
- Configure a trunk port on a LAN switch.
- Configure Dynamic Trunk Protocol (DTP).
- Troubleshoot VLAN and trunk configurations in a switched network.
- Configure security features to mitigate attacks in a VLAN-segmented environment.
- Explain security best practices for a VLAN-segmented environment.

VLAN Segmentation: It's all about the IP address

Postal analogy. Rick (Santa Cruz, CA) has letters for Emmalia (Santa Cruz, CA) and Lucia (Capitola, CA): "Emmalia, you are in my neighborhood, so I can take the letter to you! Lucia, I see by your address that you are somewhere else, so I have to take your letter to the Post Office." Even if two houses are on the same street, you only know the address, so you must take the letter to the local post office.

Understanding IP communications

Figure 1: Subnet 192.168.10.0/24. Host A (MAC aa.aa, 192.168.10.10, 255.255.255.0) and host B (MAC bb.bb, 192.168.10.11, 255.255.255.0) are on the same switch. Frame from A: Destination Address bb.bb | Source Address aa.aa | Type IP | DA 192.168.10.11 | FCS.
- Devices can only communicate directly with other devices on the same subnet.
- A knows that it is on the 192.168.10.0/24 subnet (AND operation with its IP address and subnet mask). Same subnet = same subnet mask.
- A knows that B (192.168.10.11) is on its same subnet (AND operation with B's IP address and A's subnet mask):
    A: 192.168.10.10 AND 255.255.255.0 = 192.168.10.0
    B: 192.168.10.11 AND 255.255.255.0 = 192.168.10.0
  SAME subnet: A can reach B directly without going through a router.

Figure 2: Subnet 192.168.10.0/24 with host A (MAC aa.aa, 192.168.10.10, 255.255.255.0); subnet 192.168.20.0/24 with host C (MAC cc.cc, 192.168.20.12, 255.255.255.0). Frame from A: Destination Address ? | Source Address aa.aa | Type IP | DA 192.168.20.12 | FCS.
- Devices can only communicate directly with other devices on the same subnet.
- A knows that it is on the 192.168.10.0/24 subnet (AND operation with its IP address and subnet mask). Same subnet = same subnet mask.
- A knows that C (192.168.20.12) is on a different subnet (AND operation with C's IP address and A's subnet mask). Can't get there directly!
    A: 192.168.10.10 AND 255.255.255.0 = 192.168.10.0
    C: 192.168.20.12 AND 255.255.255.0 = 192.168.20.0
  DIFFERENT subnets: A can NOT reach C directly. Must go through a router.

Figure 3: A router between the two subnets. Router interface MAC 11.11, 192.168.10.1, 255.255.255.0 on the 192.168.10.0/24 subnet; router interface MAC 22.22, 192.168.20.1, 255.255.255.0 on the 192.168.20.0/24 subnet. Host A (MAC aa.aa, 192.168.10.10); host C (MAC cc.cc, 192.168.20.12).
    Frame A -> router:  Destination Address 11.11 | Source Address aa.aa | Type IP | DA 192.168.20.12 | FCS
    Frame router -> C:  Destination Address cc.cc | Source Address 22.22 | Type IP | DA 192.168.20.12 | FCS
- A sends packets for devices in a DIFFERENT subnet directly to a router which is on the same subnet as A. The router will take care of it from there.
    A: 192.168.10.10 AND 255.255.255.0 = 192.168.10.0
    C: 192.168.20.12 AND 255.255.255.0 = 192.168.20.0
  DIFFERENT subnets: A can NOT reach C directly. Must go through a router.

Summary figure: A (192.168.10.10, 255.255.255.0) to B (192.168.10.11, 255.255.255.0): direct. A (192.168.10.10, 255.255.255.0) to C (192.168.20.12, 255.255.255.0): through the router (192.168.10.1 and 192.168.20.1, both 255.255.255.0).
- Devices can only communicate with other devices on the same subnet.
- Otherwise, they must go through a router that is on their same subnet.

Definition: VLAN
A VLAN is a virtual LAN that logically segments switched networks based on functions, project teams, or applications of the organization, regardless of the physical location or connections to the network.
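The AND operation and the forwarding decision in the figures above (direct to B, via the default gateway to C), as an added Python example. This is not code from the course; the function names are this example's own, and the addresses are the ones used in the figures.

```python
"""Added example: how a host decides whether a destination is on its own subnet
(bitwise AND of address and mask) and therefore whom it must ARP for.
Addresses are the ones in the figures: 192.168.10.0/24 and 192.168.20.0/24."""
import ipaddress


def network_of(ip: str, mask: str) -> str:
    """Bitwise AND of an IPv4 address and a mask, e.g.
    192.168.10.10 AND 255.255.255.0 -> 192.168.10.0."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def same_subnet(my_ip: str, my_mask: str, other_ip: str) -> bool:
    """A host applies ITS OWN mask to both addresses; it cannot see the other
    host's mask, which is why 'same subnet = same subnet mask' is assumed."""
    return network_of(my_ip, my_mask) == network_of(other_ip, my_mask)


def next_hop(my_ip: str, my_mask: str, gateway: str, dst_ip: str) -> str:
    """The IP address the sender ARPs for: the destination itself when it is
    on the same subnet, otherwise the default gateway (which must itself be
    on the sender's subnet, or the host has no way to reach it)."""
    if same_subnet(my_ip, my_mask, dst_ip):
        return dst_ip
    if not same_subnet(my_ip, my_mask, gateway):
        raise ValueError(f"default gateway {gateway} is not on {my_ip}'s subnet")
    return gateway


if __name__ == "__main__":
    A, MASK, GW_A = "192.168.10.10", "255.255.255.0", "192.168.10.1"
    print(network_of(A, MASK))                        # 192.168.10.0
    print(same_subnet(A, MASK, "192.168.10.11"))      # True: B, reach directly
    print(same_subnet(A, MASK, "192.168.20.12"))      # False: C, needs a router
    print(next_hop(A, MASK, GW_A, "192.168.10.11"))   # 192.168.10.11 (ARP for B)
    print(next_hop(A, MASK, GW_A, "192.168.20.12"))   # 192.168.10.1 (ARP for the gateway)
```

The same logic explains the ARP behaviour on the following slides: a host only ARPs for a destination IP that is on its own subnet; for anything else it ARPs for its gateway.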

To clear a switch, ALWAYS do the following:

  S1# delete vlan.dat
  Delete filename [vlan.dat]?
  Delete flash:/vlan.dat? [confirm]
  S1# erase startup-config
  Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
  [OK]
  Erase of nvram: complete
  %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
  S1# reload
  Proceed with reload? [confirm]

Default VLAN Assignment
Default: all ports are in the same VLAN (subnet).

  Switch# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                  Gig0/1, Gig0/2

Figure: hosts A (192.168.10.10), B (192.168.10.11), C (192.168.10.12) and D (192.168.10.13), all with mask 255.255.255.0, on one switch with every port in VLAN 1. A's ARP request is an Ethernet broadcast.
Hosts can communicate with each other because:
- they are on the same IP subnet, and
- the switch ports are on the same VLAN (subnet).
Can A, B, C and D ping each other? If A did an ARP request for B, who would see this Ethernet broadcast?

VLAN Definitions
- A VLAN is a logical partition of a Layer 2 network.
- Multiple partitions can be created, allowing multiple VLANs to coexist.
- Each VLAN is a broadcast domain, usually with its own IP network.
- VLANs are mutually isolated and packets can only pass between them via a router.
- The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
- The hosts grouped within a VLAN are unaware of the VLAN's existence.

With a single VLAN (no VLANs)
Figure: A (MAC aa.aa, 192.168.10.10, 255.255.255.0), B (MAC bb.bb, 192.168.10.11, 255.255.255.0), C (MAC cc.cc, 192.168.20.12, 255.255.255.0) and D (MAC dd.dd, 192.168.20.13, 255.255.255.0), all on one switch with every port in VLAN 1.
- You can do this, but devices can only communicate with each other if they are on the same IP subnet. Unless you have a ... ROUTER (coming).
- Who can A ping? B ping? C ping? D ping?

A single VLAN (no VLANs) means no segmentation
Figure: the same four hosts. A's ARP request broadcast is flooded out every port, including those of C and D on the other subnet: wasted bandwidth.
- Who can A ping? B ping? C ping? D ping?
- If A did an ARP request for B, who would see this Ethernet broadcast?
- If C did an ARP request for D, who would see this Ethernet broadcast?
- Remember: ARP requests are only sent when the source IP address and the destination IP address are on the SAME SUBNET.

VLANs and IP Addresses/Masks
- VLANs are configured on the switch port.
- IP addresses and subnet masks are configured on the devices that connect to the switch ports.
- The VLAN on the switch port must match the IP network address of the device.
Figure: A (MAC aa.aa, 192.168.10.10, 255.255.255.0) and B (MAC bb.bb, 192.168.10.11, 255.255.255.0) on ports configured for VLAN 10; C (MAC cc.cc, 192.168.20.12, 255.255.255.0) and D (MAC dd.dd, 192.168.20.13, 255.255.255.0) on ports configured for VLAN 20.

BEFORE (DEFAULT CONFIGURATION)
Figure: A (192.168.10.10), B (192.168.10.11), C (192.168.10.12) and D (192.168.10.13), all 255.255.255.0. Default: all ports in the same VLAN (subnet).

  Switch# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                  Gig0/1, Gig0/2

AFTER CONFIGURATION
Figure: A (192.168.10.10) and B (192.168.10.11) in VLAN 10; C (192.168.20.12) and D (192.168.20.13) in VLAN 20; all 255.255.255.0.

  Switch# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  10                                    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12, Gig0/1
  20                                    active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gig0/2

- VLANs give proper segmentation, like having separate switches.
- VLANs do not have to be configured contiguously on the switch.

Figure: the same four hosts. A's ARP request broadcast now reaches only the VLAN 10 ports; C's ARP request broadcast reaches only the VLAN 20 ports.
- VLANs segment switches into different VLANs or subnets. Think of it like having separate switches.
- Who can A ping? B ping? C ping? D ping?
- If A did an ARP request for B, who would see this Ethernet broadcast?
- If C did an ARP request for D, who would see this Ethernet broadcast?

Router and subnets/VLANs
Figure: A (MAC aa.aa, 192.168.10.10, 255.255.255.0) and B (MAC bb.bb, 192.168.10.11, 255.255.255.0) in VLAN 10; C (MAC cc.cc, 192.168.20.12, 255.255.255.0) and D (MAC dd.dd, 192.168.20.13, 255.255.255.0) in VLAN 20. A router is connected to the switch with interface MAC 11.11, 192.168.10.1, 255.255.255.0 on a VLAN 10 port and interface MAC 22.22, 192.168.20.1, 255.255.255.0 on a VLAN 20 port.
- A router is required to connect (route) between subnets/VLANs.
- In this example, a single router with two IP addresses, one on each subnet, is connected to the switch.
- Each of the router's interfaces is connected to the proper VLAN port on the switch to match its IP subnet (just like the host computers!).

Walkthrough: PCA> ping 192.168.20.12
1. A does an ARP request for 192.168.10.1 (its default gateway), gets an ARP reply and adds the MAC and IP to its ARP cache: 192.168.10.1 <-> 11.11.
2. A sends the Ethernet frame to the default gateway, the router:
     Destination Address 11.11 | Source Address aa.aa | Type IP (ICMP) | DA 192.168.20.12 | FCS
3. The router does an ARP request for 192.168.20.12 (the destination IP), gets an ARP reply and adds the MAC and IP to its ARP cache: 192.168.20.12 <-> cc.cc.
4. The router sends the Ethernet frame to the final destination, PC-C:
     Destination Address cc.cc | Source Address 22.22 | Type IP (ICMP) | DA 192.168.20.12 | FCS
5. The reply returns the same way: C to the router (Destination Address 22.22 | Source Address cc.cc | Type IP (ICMP) | DA 192.168.10.10 | FCS), then the router to A (Destination Address aa.aa | Source Address 11.11 | Type IP (ICMP) | DA 192.168.10.10 | FCS).
     PCA> ping 192.168.20.12
     .!!!!
   (The first echo is lost while the ARP exchanges complete.)

Benefits of VLANs
- Security: improved by isolating user access to sensitive data and applications.
- Cost reduction: reduces the need for expensive network upgrades and makes more efficient use of existing bandwidth and uplinks.
- Smaller broadcast domains: dividing a network into smaller logical networks results in lower susceptibility to broadcast storms.
- Better performance:

  divides the flat Layer 2 network into multiple broadcast domains, reducing unnecessary traffic on the network and boosting performance.
- Improved IT staff efficiency: makes the network easier to manage.

How many VLANs can you configure on a switch? It depends on the switch, the switch's capabilities and what you require.

Default VLAN Assignment

  Switch# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                  Gig0/1, Gig0/2
  1002 fddi-default                     act/unsup
  1003 token-ring-default               act/unsup
  1004 fddinet-default                  act/unsup
  1005 trnet-default                    act/unsup

  VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
  ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
  1    enet  100001     1500  -      -      -        -    -        0      0
  1002 fddi  101002     1500  -      -      -        -    -        0      0
  1003 tr    101003     1500  -      -      -        -    -        0      0
  1004 fdnet 101004     1500  -      -      -        ieee -        0      0
  1005 trnet 101005     1500  -      -      -        ibm  -        0      0
  Switch#

Normal Range VLANs
(The show vlan output above lists the default normal range VLANs: 1 and 1002-1005.)
- Used in small- and medium-sized business and enterprise networks.
- VLAN range: 1 - 1005.
- Reserved VLANs: VLAN 1 and VLANs 1002 - 1005.
- Configurations are stored in vlan.dat in flash memory.
- Note: VLAN Trunking Protocol (VTP) can manage normal range VLANs.

Extended Range VLANs
- Used in Service Provider networks (great number of customers) or large, global enterprises.
- VLAN range: 1006 - 4094.
- Support fewer VLAN features than normal range VLANs.
- Saved in the running configuration file.
- The switch can support up to 255 normal range and extended range VLANs.

Types of VLANs
- Default VLAN (VLAN 1 by default).
- Native VLAN (VLAN 1 by default): used for untagged traffic (later).
- User VLANs: each IP subnet is a separate VLAN.
- Management VLAN: VLAN used to connect to infrastructure devices such as switches.
- Voice VLAN: VLAN used to connect IP phones.
- Guest VLAN: to connect guests and others who do not have access to internal resources, perhaps Internet access only.
- Garbage VLAN: for unused ports not yet configured for a specific VLAN.

User VLAN examples (VLAN = subnet)
- Business VLANs: IT VLAN, HR VLAN, Sales VLAN.
- College: Student VLAN, Faculty VLAN, Guest VLAN.

Default VLAN: VLAN 1
- VLAN 1 is both the default VLAN and the native VLAN: untagged (if trunking, there is no 802.1Q or ISL encapsulation).
- Carries CDP, VTP, PAgP, LACP, DTP and BPDUs.
- By default all traffic is carried across VLAN 1. By default all ports are on VLAN 1.
- VLAN 1 is:
  - the default VLAN (all user traffic);
  - the native VLAN: no trunking encapsulation even if configured as a trunk (coming);
  - the VLAN with which all Layer 2 control traffic (e.g., DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.) is associated.

Default VLAN 1

  S1# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                  Gi0/1, Gi0/2

- VLAN 1 cannot be deleted.
- Security best practice: avoid using VLAN 1 for anything other than the control traffic which must be on VLAN 1. In other words, create additional VLANs.

User or Data VLANs
Figure: A (MAC aa.aa, 192.168.10.10, 255.255.255.0) and B (MAC bb.bb, 192.168.10.11, 255.255.255.0) in the HR Department VLAN; C (MAC cc.cc, 192.168.20.12, 255.255.255.0) and D (MAC dd.dd, 192.168.20.13, 255.255.255.0) in the Sales Department VLAN.
- These are the VLANs used for the different user VLANs/subnets, i.e. for user data traffic.
- What about the ports not in the Red or Blue VLAN (HR or Sales)? They are still in VLAN 1 (default VLAN). Change them to the Voice (VoIP) VLAN later.

Creating Static User VLANs

  S1# configure terminal
  S1(config)# vlan 10
  S1(config-vlan)# name HR                     <- VLAN name is optional
  S1(config-vlan)# exit
  S1(config)# interface fastethernet 0/2
  S1(config-if)# switchport mode access         <- single host attached, not another switch (trunk, later)
  S1(config-if)# switchport access vlan 10      <- VLAN 10 assigned to the port
  S1(config-if)# end
  S1#

- Ports on a switch are manually assigned (CLI) to a VLAN.
- If you assign an interface to a VLAN that does not exist, the new VLAN is created for you.
- Note: dynamic VLANs can be configured using a special server called a VLAN Membership Policy Server (VMPS). Beyond the scope of this course.

Configuring a Range of Ports

  S1(config)# interface range fastethernet 0/1 - 10
  S1(config-if-range)# switchport mode access
  S1(config-if-range)# switchport access vlan 10
  S1(config-if-range)# exit
  S1(config)# interface gigabitethernet 0/1
  S1(config-if)# switchport mode access
  S1(config-if)# switchport access vlan 10
  S1(config-if)# end
  S1#

  S1(config)# vlan 20
  S1(config-vlan)# name SALES
  S1(config-vlan)# exit
  S1(config)# interface range fastethernet 0/13 - 22
  S1(config-if-range)# switchport mode access
  S1(config-if-range)# switchport access vlan 20
  S1(config-if-range)# exit
  S1(config)# interface gigabitethernet 0/2
  S1(config-if)# switchport mode access
  S1(config-if)# switchport access vlan 20
  S1(config-if)# end
  S1#

Configuring a Range of Ports: the result

  S1# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
  10   HR                               active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Gi0/1
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2

Verifying VLAN Port Parameters

  S1# show interface fa 0/1 switchport
  Name: Fa0/1
  Switchport: Enabled
  Administrative Mode: static access
  Operational Mode: down
  Administrative Trunking Encapsulation: dot1q
  Negotiation of Trunking: Off
  Access Mode VLAN: 10 (HR)
  Trunking Native Mode VLAN: 1 (default)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Operational private-vlan: none
  Trunking VLANs Enabled: ALL
  S1#

  S1# show interface fa 0/11 switchport
  Name: Fa0/11
  Switchport: Enabled
  Administrative Mode: dynamic auto
  Operational Mode: down
  Administrative Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none

Verifying VLANs

  S1# show vlan brief

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
  10   HR                               active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Gi0/1
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2
  1002 fddi-default                     act/unsup
  1003 token-ring-default               act/unsup
  1004 fddinet-default                  act/unsup
  1005 trnet-default                    act/unsup
  S1#

  S1# show vlan id 10

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  10   HR                               active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Gi0/1

  S1# show vlan name SALES

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2
  S1#

Creating and deleting a VLAN:

  S1(config)# vlan 444
  S1(config-vlan)# end
  S1# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
  10   HR                               active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Gi0/1
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2
  444  VLAN0444                         active
  S1# conf t
  S1(config)# no vlan 444
  S1(config)# end
  S1# show vlan id 444
  VLAN id 444 not found in current VLAN database
  S1#

Management VLAN 1
Figure: S1 has an SVI on VLAN 1 with address 192.168.10.254; the administrator connects with SSH to 192.168.10.254.

  S1(config)# inter vlan 1
  S1(config-if)# description Management VLAN
  S1(config-if)# ip address 192.168.10.254 255.255.255.0
  S1(config-if)# no shutdown

- A switch can be managed via HTTP, Telnet, SSH, or SNMP.

- A management VLAN is used to manage the infrastructure devices including switches, routers, APs, etc.
- Security best practice is to change the management VLAN to a VLAN other than VLAN 1. We will discuss this later, because we will need to route to the management VLAN.

Native VLAN
- A native VLAN is assigned to an IEEE 802.1Q trunk port (later).
- Incoming traffic can be tagged (VLAN) or untagged.
- Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic.
- Security best practice is to change the native VLAN to a VLAN other than VLAN 1. We will come back to this later.

Voice VLAN
VoIP traffic requires:
- Assured bandwidth to ensure voice quality.
- Transmission priority over other types of network traffic.
- Ability to be routed around congested areas on the network.
- Delay of less than 150 milliseconds (ms) across the network.
Security best practice is that voice traffic must be placed in a separate VLAN.

Power over Ethernet
A Cisco IP Phone, like other devices, requires power to operate. Power can come from one of two sources:
- An external AC adapter.
- Power over Ethernet (DC) using the network data cable.

External Adapters
- External adapters are also known as "wall warts".
- Disadvantage of IP Phones: if the power fails, the IP Phone fails. Unlike the old days.

Power over Ethernet
Inline power or Power over Ethernet (PoE). Advantages of PoE:
- Power where power may not be easily found.
- Managed.
- Monitored.
- Offered only to selected devices.

switchport voice vlan vvid
Figure (recommended option): the Cisco IP phone sits between the switch and the PC. The phone-to-switch link is an 802.1Q trunk. Voice is tagged with the vvid, with CoS in the 802.1p bits; data from the PC is untagged, i.e. on the native VLAN.

  Switch(config)# interface type mod/num
  Switch(config-if)# switchport voice vlan vlan-id

- Instructs the Cisco IP phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP phone forwards the voice traffic with an 802.1Q priority of 5.
- Creates a special 802.1Q trunk (a so-called trunk, later), negotiated by DTP and CDP (provisioning of the vvid).
- CoS (Class of Service) in the 802.1p bits (later).
- The vvid puts voice packets on the voice VLAN (the configured voice VLAN) and data packets in the native VLAN (VLAN 1 by default unless modified on the switch).
- You can configure the data VLAN to be a VLAN other than the native or voice VLAN (coming).

Configuring Voice VLAN Operation
Figure (recommended option): voice is tagged as voice VLAN 100 over the 802.1Q trunk, with CoS in the 802.1p bits; data from the PC arrives untagged (native VLAN) and is placed in VLAN 20, the port's access VLAN.

  Switch(config)# interface FastEthernet0/24
  Switch(config-if)# switchport voice vlan 100
  Switch(config-if)# switchport access vlan 20

PortFast is automatically enabled with voice VLAN:

  Switch# show run interface FastEthernet0/24
  switchport voice vlan 100
  switchport access vlan 20
  spanning-tree portfast

More to come!

VLAN Trunks
Figure: a trunk between two switches carrying:
- VLAN 1: default VLAN, control traffic (STP, DTP, VTP, CDP, ...).
- VLAN 10: user VLAN HR, 192.168.10.0/24.
- VLAN 20: user VLAN Sales, 192.168.20.0/24.
- VLAN 100: voice VLAN VoIP, 192.168.100.0/24.
- VLAN 155: management VLAN, 192.168.150.0/24.
- VLAN 199: garbage/guest VLAN (Garbage, Guests), 192.168.199.0/24.
- VLAN 200: native VLAN, untagged traffic.

- A trunk is a point-to-point link that carries more than one VLAN.
- Trunks extend VLANs across multiple switches.
- Cisco supports the 802.1Q standard. Some older switches support legacy Cisco ISL.

Figure: host A on one switch, host Z on the other. The TAG is added by the switch before the frame goes over a trunk link. The TAG is removed by the switch at the other end of the trunk link.

802.1Q tag fields
- Tag protocol ID (TPID): for Ethernet this is 0x8100.
- Priority: used for QoS (802.1p standard); specifies how to expedite transmission of Layer 2 frames.
- Canonical Format Identifier (CFI): enables Token Ring frames to be carried across Ethernet links.
- VLAN ID (VID): VLAN identification number; supports up to 4096 VLAN IDs.

Native VLAN
- For devices that do not support tagging.
- All trunks must have a native VLAN.
- The native VLAN must be the same on both ends (both switches).
- It can be modified to be a VLAN other than VLAN 1.
- It should not be used for a user VLAN or the management VLAN.
- Control traffic (CDP, VTP, PAgP, DTP) is still transmitted over VLAN 1. If the native VLAN is other than VLAN 1, then control traffic on VLAN 1 is sent tagged.
- It is fine to leave VLAN 1 as the native VLAN, but it should then carry only control traffic and not user or management traffic.
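The tag described above, built and taken apart in Python as an added example (not material from the course). It models what the trunk slides say a switch does: insert the 4-byte 802.1Q tag on trunk egress, remove it at the far end, and leave native-VLAN traffic untagged. The field widths (TPID 0x8100, then PCP 3 bits, CFI 1 bit, VID 12 bits) are those of the IEEE 802.1Q standard; the MAC addresses and payload are constructed for the example, and no FCS is modelled.

```python
"""Added example: encode and decode the IEEE 802.1Q tag.
Frame layout (no preamble/FCS): dst MAC(6) | src MAC(6) | [TPID(2) TCI(2)] | EtherType(2) | payload
TCI bit layout: PCP (3 bits, 802.1p priority) | CFI/DEI (1 bit) | VID (12 bits)."""
import struct

TPID_8021Q = 0x8100        # Tag Protocol ID, sits where the EtherType would be
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'aa:aa:aa:aa:aa:aa' or 'aaaa.aaaa.aaaa' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_tag(vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """The 4-byte tag. VID 0 means 'priority tag only' and 4095 is reserved by
    the standard, so 1-4094 are the usable IDs (the 'up to 4096' on the slide
    counts all 12-bit values)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field (0-4095)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field (0-7)")
    tci = (pcp << 13) | ((cfi & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def untagged_frame(dst: str, src: str, payload: bytes,
                   ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """A frame as an access port receives it from a host: no tag."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Switch on trunk egress: insert the tag between the source MAC and the EtherType."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Switch at the far end of the trunk: remove the tag before the frame
    leaves an access port. Untagged (native VLAN) frames pass through as-is."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def parse_frame(frame: bytes) -> dict:
    """Decode header fields; vid/pcp/cfi are None for an untagged frame,
    which on a trunk means 'belongs to the native VLAN'."""
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(),
            "vid": None, "pcp": None, "cfi": None}
    offset = 12
    if is_tagged(frame):
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, cfi=(tci >> 12) & 1)
        offset = 16
    info["ethertype"] = struct.unpack("!H", frame[offset:offset + 2])[0]
    info["payload"] = frame[offset + 2:]
    return info


if __name__ == "__main__":
    # Constructed sample: host A (aa...) sends to host B (bb...) inside VLAN 10.
    frame = untagged_frame("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", b"ICMP echo request")
    on_trunk = tag_frame(frame, vid=10)
    print(on_trunk[12:16].hex())                 # 8100000a
    print(parse_frame(on_trunk)["vid"])          # 10
    print(strip_tag(on_trunk) == frame)          # True
    # Voice traffic as the phone slides describe it: VLAN 100, 802.1p priority 5.
    print(tag_frame(frame, vid=100, pcp=5)[12:16].hex())   # 8100a064
```

Reading a capture on a trunk port, the `8100` right after the source MAC is what distinguishes tagged frames from native-VLAN frames, and the low 12 bits of the following two bytes give the VLAN.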

Inter-switch links: default and trunking
Figure: two switches, each with all ports on VLAN 1, connected by a VLAN trunk carrying VLANs 1, 10, 20, 100, 155 and 200.

Configuring VLAN Trunks
Figure: S1 Fa0/1 is connected to S2 Fa0/1; both switches have VLANs 10 and 20.

  S1# show vlan brief

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
  10   HR                               active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10, Gi0/1
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2

  S2# show vlan brief

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                  Gi0/1, Gi0/2
  10   VLAN0010                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                  Fa0/9, Fa0/10
  20   VLAN0020                         active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                  Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                  Fa0/19, Fa0/20

Minimum configuration:

  S1(config)# inter fa 0/1
  S1(config-if)# no switchport access vlan 10
  S1(config-if)# switchport trunk encapsulation dot1q    <- only needed on switches that also support ISL
  S1(config-if)# switchport mode trunk
  S1(config-if)#

  S2(config)# inter fa 0/1
  S2(config-if)# no switchport access vlan 10
  S2(config-if)# switchport mode trunk
  S2(config-if)#

  S1# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
  10   HR                               active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                  Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                  Fa0/10, Gi0/1
  20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Gi0/2

- show vlan gives no trunking information; Fa0/1 is simply no longer included in VLAN 10.

  S1# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      1

  Port        Vlans allowed on trunk
  Fa0/1       1-4094

  Port        Vlans allowed and active in management domain
  Fa0/1       1,10,20

  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       none
  S1#

  S2# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      1

  Port        Vlans allowed on trunk
  Fa0/1       1-4094

  Port        Vlans allowed and active in management domain
  Fa0/1       1,10,20

  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/1       1,10,20
  S2#

Configuring the Native VLAN

  S1(config)# inter fa 0/1
  S1(config-if)# switchport trunk native vlan 200

  *Mar 1 01:59:34.927: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (200), with S2 FastEthernet0/1 (1).
  S1(config-if)#

  *Mar 1 02:00:39.267: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with S1 FastEthernet0/1 (200).
  S2(config)# inter fa 0/1
  S2(config-if)# switchport trunk native vlan 200
  S2(config-if)#

- VLAN 200 (the native VLAN) does not need to be created on either switch, but it must match on both ends of the trunk!
- Control data (CDP, STP, etc.) is still sent across VLAN 1, but is now tagged.

  S1# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      200

  Port        Vlans allowed on trunk
  Fa0/1       1-4094

  S2# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      200

  Port        Vlans allowed on trunk
  Fa0/1       1-4094

Happy native VLANs now! How about limiting which VLANs are allowed on the trunk?

Configuring Allowed VLANs

  S1(config)# inter fa 0/1
  S1(config-if)# switchport trunk allowed vlan 10,20,200

  S2(config)# inter fa 0/1
  S2(config-if)# switchport trunk allowed vlan 10,20,200

- No space between VLANs.
- If the native VLAN (200) is not on the list, it is not a problem: the trunk will simply not allow any data traffic for the native VLAN.

  S1# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      200

  Port        Vlans allowed on trunk
  Fa0/1       10,20,200

  S2# show interfaces trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/1       on           802.1q         trunking      200

  Port        Vlans allowed on trunk
  Fa0/1       10,20,200
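A small model of the trunk behaviour on the last few slides, as an added Python example rather than anything from the course: the IOS allowed-list syntax (`10,20,200`, `1-4094`), the egress rule the slides state (not on the list: dropped; native VLAN: untagged; everything else: tagged), the "allowed and active in management domain" line of `show interfaces trunk` as the intersection of the allowed list with the VLAN database, and the two-ended consistency check that the `%CDP-4-NATIVE_VLAN_MISMATCH` message performs for you. It models data frames only; the slides' point that control traffic still rides VLAN 1 is outside this model. Function names are this example's own.

```python
"""Added example: allowed-VLAN lists and trunk egress decisions for data frames.
Behaviour follows the slides: VLANs not on the allowed list are not carried,
the native VLAN leaves untagged, all other allowed VLANs leave tagged."""
from typing import Dict, List, Set


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand IOS syntax such as '10,20,200', '1-4094' or '1,10-20' into a set.
    Spaces are rejected by IOS ('No space between VLANs'); we tolerate them here
    only so that copy-pasted output still parses."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def trunk_egress(vlan: int, native_vlan: int, allowed: str) -> str:
    """What happens to a data frame from `vlan` leaving a trunk port:
    'drop', 'untagged' (native VLAN) or 'tagged'."""
    if vlan not in parse_vlan_list(allowed):
        return "drop"
    if vlan == native_vlan:
        return "untagged"
    return "tagged"


def active_on_trunk(allowed: str, vlan_database: Set[int]) -> List[int]:
    """The 'Vlans allowed and active in management domain' line: allowed VLANs
    that actually exist on this switch. A native VLAN that was never created
    shows up as '(Inactive)' for exactly this reason."""
    return sorted(parse_vlan_list(allowed) & vlan_database)


def check_trunk_pair(side_a: Dict, side_b: Dict) -> List[str]:
    """Consistency checks for the two ends of one trunk. Each side is a dict
    with 'name', 'native' (int) and 'allowed' (IOS list string)."""
    issues = []
    if side_a["native"] != side_b["native"]:
        issues.append(f"native VLAN mismatch: {side_a['name']} {side_a['native']} "
                      f"vs {side_b['name']} {side_b['native']}")
    if parse_vlan_list(side_a["allowed"]) != parse_vlan_list(side_b["allowed"]):
        issues.append("allowed VLAN lists differ between the two ends")
    for side in (side_a, side_b):
        if side["native"] == 1:
            issues.append(f"{side['name']}: native VLAN is still 1 (best practice: change it)")
    return issues


if __name__ == "__main__":
    S1 = {"name": "S1", "native": 200, "allowed": "10,20,200"}
    S2 = {"name": "S2", "native": 1, "allowed": "1-4094"}      # before the fix on the slides
    print(trunk_egress(10, 200, "10,20,200"))                    # tagged
    print(trunk_egress(200, 200, "10,20,200"))                   # untagged
    print(trunk_egress(155, 200, "10,20,200"))                   # drop (management VLAN not allowed yet)
    print(active_on_trunk("1-4094", {1, 10, 20}))                # [1, 10, 20]
    print(active_on_trunk("10,20,200", {1, 10, 20}))             # [10, 20]  (200 inactive)
    print(check_trunk_pair(S1, S2))
```

The `drop` result for VLAN 155 is the failed ping on the "Configuring Management VLAN" slides: an SVI on both switches is not enough if the trunk's allowed list does not carry that VLAN.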

What's in the running-config?
Figure: S1 Fa0/1 trunk to S2 Fa0/1, VLANs 10 and 20 on both.

  interface FastEthernet0/1                 <- trunk link
   switchport trunk native vlan 200
   switchport trunk allowed vlan 10,20,200
   switchport mode trunk
  !
  interface FastEthernet0/2                 <- VLAN 10 access port
   switchport access vlan 10
   switchport mode access
  !
  interface FastEthernet0/3
   switchport access vlan 10
   switchport mode access
  !
  interface FastEthernet0/11                <- no configuration: default VLAN 1
  !                                            (should be in a garbage, temporary VLAN if the port is not in use)
  interface FastEthernet0/12
  !
  interface FastEthernet0/13                <- VLAN 20 access port
   switchport access vlan 20
   switchport mode access
  !
  interface FastEthernet0/14
   switchport access vlan 20
   switchport mode access
  !
  interface FastEthernet0/15
   switchport access vlan 20
   switchport mode access
  !
  interface Vlan1                           <- SVI (Switched Virtual Interface): management VLAN
   no ip address                            <- no current IP address; still in VLAN 1
   shutdown
  !
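The running-config above is the natural place to check the best-practice points the slides keep returning to: ports left in the default VLAN 1, ports whose trunking mode was never forced to access, and trunks still using native VLAN 1 or carrying every VLAN. The following Python is an added example, not course material; it parses the interface stanzas of a running-config and reports those conditions. The sample config is constructed for the example (loosely modelled on the S1 excerpts, with an extra `GigabitEthernet0/2` trunk stanza that is not from the slides). The `dynamic auto` default mode is the one shown for Fa0/11 in the `show interface ... switchport` output earlier.

```python
"""Added example: audit switchport stanzas in an IOS running-config for
ports still in default VLAN 1, ports whose mode is not forced to access,
and trunks with native VLAN 1 or no allowed-VLAN list."""
import re
from typing import Dict, List

# Constructed sample, not a real device's output.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport trunk native vlan 200
 switchport trunk allowed vlan 10,20,200
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' header to its indented command lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^interface (\S+)$", line)
        if header:
            current = header.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None        # '!' or any other top-level line ends the stanza
    return stanzas


def _value(cmds: List[str], prefix: str, default: str) -> str:
    """Argument of the first command starting with `prefix`, else the IOS default."""
    for cmd in cmds:
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return default


def audit_switchports(config: str) -> List[str]:
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            continue                                   # SVIs are not switchports
        mode = _value(cmds, "switchport mode", "dynamic auto")   # 2960 default
        if mode == "trunk":
            native = _value(cmds, "switchport trunk native vlan", "1")
            allowed = _value(cmds, "switchport trunk allowed vlan", "1-4094")
            if native == "1":
                findings.append(f"{name}: trunk native VLAN is 1")
            if allowed == "1-4094":
                findings.append(f"{name}: trunk allows all VLANs (no allowed list)")
        else:
            access = _value(cmds, "switchport access vlan", "1")
            if access == "1":
                findings.append(f"{name}: in default VLAN 1 (mode {mode})")
            if mode != "access":
                findings.append(f"{name}: trunking not disabled (mode {mode})")
    return findings


if __name__ == "__main__":
    for finding in audit_switchports(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

On the sample, Fa0/11 and Fa0/12 are reported twice each (default VLAN 1 and negotiable trunking) and the constructed Gi0/2 trunk twice (native VLAN 1, all VLANs allowed); the properly configured Fa0/1, Fa0/2 and Fa0/13 produce nothing.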

75 Configuring Management VLAN VLANs 10, 20 VLAN 155 192.168.155.1/24 Fa0/1 VLAN 155 192.168.155.2/24 Fa0/1 S1 VLANs 10, 20 S2 S1(config)# interface vlan 155 S1(config-if)# ip address 192.168.155.1 255.255.255.0 S1(config-if)# no shutdown

S1(config-if)# exit S1(config)# vlan 155 S1(config-vlan)# name MANAGEMENT S1(config-vlan)# S2(config)# interface vlan 155 S2(config-if)# ip add 192.168.155.2 255.255.255.0 S2(config-if)# no shutdown S2(config-if)# exit S2(config)# vlan 155 S2(config-vlan)# name MANAGMENT S2(config-vlan)# end S2# ping 192.168.155.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.158.155.2, timeout is 2 seconds: ..... ??? 76 Configuring Management VLAN VLANs 10, 20 VLAN 155

192.168.155.1/24 Fa0/1 S1 VLAN 155 192.168.155.2/24 Fa0/1 VLANs 10, 20 S2 S1(config)# inter fa 0/1 S1(config-if)# switchport trunk allowed vlan 10,20,200,155 S1(config)# inter fa 0/1 S1(config-if)# switchport trunk allowed vlan 10,20,200,155 S1(config-if)# end S2# ping 192.168.155.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.155.1, timeout is 2 seconds: !!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
S2#

Verifying VLANs Once More

S1# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR                               active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Gi0/1
20   SALES                            active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Gi0/2
155  MANAGEMENT                       active

Verifying VLANs Once More

S1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      200

Port        Vlans allowed on trunk
Fa0/1       10,20,155,200

S1# show interface vlan 155
Vlan155 is up, line protocol is up
  Hardware is EtherSVI, address is 189c.5dff.fac1 (bia 189c.5dff.fac1)
  Internet address is 192.168.155.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported

Verifying VLANs Once More

S1# show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 200 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Trunking VLANs Enabled: 10,20,155,200

Dynamic Trunk Protocol

Switch Ethernet Port Type
(S1 and S2, VLANs 10 and 20 on each, connected over Fa0/1)
Switch Ethernet ports can be set to:
Access port: Non-trunking port used to connect to end devices.
Trunking: Trunking port that carries VLAN information to another switch.
By default, Layer 2 switch ports want to trunk.

Access Port
S1(config-if)# switchport mode access
Forces the link into access port mode. It will never become a trunk! Use it to connect a host, server, printer, etc.

Dynamic Trunking Protocol - DTP
By default, Catalyst 2960 and Catalyst 3560 Series switches have Dynamic Trunking Protocol (DTP) enabled.
DTP is a Cisco proprietary protocol that negotiates trunking parameters between switches.
It operates on a point-to-point basis only, between network devices.
It is designed to make interconnecting switches with VLANs easier.
DTP is only available on Cisco switches and is not supported by other vendors.

Four DTP Trunking Modes
S1(config-if)# switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
S1(config-if)# switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
S1(config-if)# switchport mode dynamic

On (default): Default mode. It's locked into TRUNK mode.
  switchport mode trunk
Dynamic Desirable (default mode on Catalyst 2950 / 3550):
  switchport mode dynamic desirable
Dynamic Auto:
  switchport mode dynamic auto
Disabled: Nonegotiate. Turns off DTP.

  switchport nonegotiate

Non-trunking by default

S2# show interfaces fastethernet 0/21 switchport
Name: Fa0/21
Switchport: Enabled
Administrative Mode: dynamic auto        (how the port was configured)
Operational Mode: static access          (how the port is operating)
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

S1 Fa0/1 (dynamic auto) connected to S2 Fa0/1 (dynamic auto), VLANs 10 and 20 on both.
Ports on the 2960 and 3560 are set to dynamic auto by default.
The link does not trunk if both sides are left at the dynamic auto default. This results in the interface being in access mode (non-trunking).

Dynamic Trunking Protocol (DTP)
S1(config-if)# switchport mode ?
Access - Puts the interface into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not agree to the change.

Trunk - Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not agree to the change.
Nonegotiate - Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames. You must configure the neighboring interface manually as a trunk interface to establish a trunk link. Use this mode when connecting to a device that does not support DTP.
Dynamic desirable - Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
Dynamic auto - Makes the interface willing to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode for all Ethernet interfaces in Cisco IOS.

Trunk Modes Must be Compatible

DTP Mode: On (default)
S1(config-if)# switchport mode trunk
Forces the link into permanent trunking (even if the neighbor doesn't agree). Enables DTP and exchanges DTP frames.
Will trunk if the remote is configured with:
  On: switchport mode trunk
  Desirable: switchport mode dynamic desirable
  Dynamic Auto: switchport mode dynamic auto
Will not trunk if the remote is configured with:
  Non-negotiate: switchport nonegotiate
  Access: switchport mode access

DTP Dynamic Desirable
S1(config-if)# switchport mode dynamic desirable
Causes the port to proactively attempt to become a trunk. Enables DTP and exchanges DTP frames.
Will trunk if the remote is configured with:
  On: switchport mode trunk
  Desirable: switchport mode dynamic desirable
  Dynamic Auto: switchport mode dynamic auto
Will not trunk if the remote is configured with:
  Non-negotiate: switchport nonegotiate
  Access: switchport mode access

DTP Dynamic Auto
S1(config-if)# switchport mode dynamic auto
Causes the port to passively be willing to convert to trunking. Enables DTP and exchanges DTP frames.
Will trunk if the remote is configured with:
  On: switchport mode trunk
  Desirable: switchport mode dynamic desirable
Will not trunk if the remote is configured with:
  Dynamic Auto: switchport mode dynamic auto
  Non-negotiate: switchport nonegotiate
  Access: switchport mode access

DTP Disabled
S1(config-if)# switchport nonegotiate
Forces the port to permanently trunk. Disables DTP and does not exchange any DTP frames. Use it to trunk with a different vendor's switch.

#1 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk

S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
Will the ports trunk automatically?

(In the questions below, an X on the slide marks a pair that does not trunk. S1 F0/1 is connected to S2 F0/1 in every case.)

#2 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic desirable
Will the ports trunk automatically?

#3 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic auto
Will the ports trunk automatically?

#4 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk
S2(config)# interface fa0/1
S2(config-if)# switchport nonegotiate
Will the ports trunk automatically?

#5 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic desirable
S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
Will the ports trunk automatically?

#6 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic desirable
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic desirable
Will the ports trunk automatically?

#7 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic desirable
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic auto
Will the ports trunk automatically?

#8 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic desirable
S2(config)# interface fa0/1
S2(config-if)# switchport nonegotiate
Will the ports trunk automatically?

#9 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic auto
S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
Will the ports trunk automatically?

#10 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic auto
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic desirable
Will the ports trunk automatically?

#11 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic auto
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic auto
Will the ports trunk automatically?

#12 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport mode dynamic auto
S2(config)# interface fa0/1
S2(config-if)# switchport nonegotiate
Will the ports trunk automatically?

#13 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport nonegotiate
S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
Will the ports trunk automatically?

#14 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport nonegotiate
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic desirable
Will the ports trunk automatically?

#15 - Trunk or No Trunk  X
S1(config)# interface fa0/1
S1(config-if)# switchport nonegotiate
S2(config)# interface fa0/1
S2(config-if)# switchport mode dynamic auto
Will the ports trunk automatically?

#16 - Trunk or No Trunk
S1(config)# interface fa0/1
S1(config-if)# switchport nonegotiate
S2(config)# interface fa0/1
S2(config-if)# switchport nonegotiate
Will the ports trunk automatically?

Verifying DTP Trunk Links
S1# show dtp interface f0/1
DTP information for FastEthernet0/1:
  TOS/TAS/TNS:                              TRUNK/ON/TRUNK
  TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
  Neighbor address 1:                       0CD996D23F81
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       12/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:                                   no

To clear a switch, always do the following:
S1# delete vlan.dat

Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
S1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]

Troubleshooting VLANs

Troubleshooting VLANs and Trunks: IP Addressing Issues with VLAN
It is common practice to associate a VLAN with an IP network. Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network to communicate.
The figure shows that PC1 cannot communicate with the server because it has a wrong IP address configured.
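The DTP compatibility tables and the sixteen Trunk or No Trunk questions above can be checked in code. The block below is an added example for this page, not material from the slides: it encodes the per-mode rules from the DTP Mode slides (On, Dynamic Desirable, Dynamic Auto, Disabled) and reproduces the slides' answer for each pair in the slides' order. The mode-name constants are chosen for this example and are not IOS keywords.

```python
"""Trunk or no trunk: the slides' DTP compatibility rules as a function.

Constants below are labels chosen for this example, not IOS keywords; the
IOS command each one stands for is given in the comment.
"""
from itertools import product

TRUNK = "trunk"                  # switchport mode trunk (DTP on, "On" on the slides)
DESIRABLE = "dynamic desirable"  # switchport mode dynamic desirable
AUTO = "dynamic auto"            # switchport mode dynamic auto (2960/3560 default)
NONEGOTIATE = "nonegotiate"      # switchport nonegotiate (DTP frames disabled)
ACCESS = "access"                # switchport mode access (never trunks)

# Modes that actively try to bring the link up as a trunk.
INITIATES = {TRUNK, DESIRABLE}


def will_trunk(local: str, remote: str) -> bool:
    """Return True when the slides' tables say the link forms a trunk."""
    if ACCESS in (local, remote):
        return False                       # access never trunks, whatever the neighbour does
    if NONEGOTIATE in (local, remote):
        # No DTP frames from at least one side: per the answer slides the link only
        # trunks when both ends are set to nonegotiate (question #16).
        return local == NONEGOTIATE and remote == NONEGOTIATE
    # Both sides speak DTP: at least one must initiate; auto/auto stays access (#11).
    return bool({local, remote} & INITIATES)


def matrix() -> dict:
    """All 4x4 combinations of the trunk-capable modes."""
    modes = [TRUNK, DESIRABLE, AUTO, NONEGOTIATE]
    return {(a, b): will_trunk(a, b) for a, b in product(modes, repeat=2)}


def quiz_answers() -> dict:
    """Questions #1..#16 in slide order: S1's mode is the outer loop, S2's the inner."""
    order = [TRUNK, DESIRABLE, AUTO, NONEGOTIATE]
    pairs = product(order, repeat=2)
    return {n: will_trunk(s1, s2) for n, (s1, s2) in enumerate(pairs, start=1)}


if __name__ == "__main__":
    for n, ok in quiz_answers().items():
        print(f"#{n:2}: {'trunk' if ok else 'no trunk (X)'}")
```

Running the file prints the sixteen answers. One tension worth noticing when reading the slides: the Cisco mode descriptions say a nonegotiate port trunks once the neighbour is manually configured as a trunk, while the answer slides mark trunk/nonegotiate (#4 and #13) with an X; the code follows the answer slides.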

Troubleshooting VLANs and Trunks: Missing VLANs
If all the IP address mismatches have been solved but the device still cannot connect, check whether the VLAN exists in the switch.

Troubleshooting VLANs and Trunks: Introduction to Troubleshooting Trunks

Troubleshooting VLANs and Trunks: Common Problems with Trunks
Trunking issues are usually associated with incorrect configurations. The most common types of trunk configuration errors are:
1. Native VLAN mismatches
2. Trunk mode mismatches
3. Allowed VLANs on trunks
If a trunk problem is detected, best-practice guidelines recommend troubleshooting in the order shown above.

Troubleshooting VLANs and Trunks: Trunk Mode Mismatches
If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. Use the show interfaces trunk command to check the status of the trunk ports on the switches. To fix the problem, configure the interfaces with proper trunk modes.

Troubleshooting VLANs and Trunks: Incorrect VLAN List
VLANs must be allowed on the trunk before their frames can be transmitted across the link. Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk link. Use the show interfaces trunk command to ensure the correct VLANs are permitted on the trunk.

Troubleshooting VLAN Security

Attacks on VLANs: Switch Spoofing Attack
To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking.

Attacks on VLANs: Double-Tagging Attack
The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.

Attacks on VLANs: PVLAN Edge
The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch.

What is Inter-VLAN routing?
Layer 2 switches cannot forward traffic between VLANs without the assistance of a router. Inter-VLAN routing is a process for forwarding network traffic from one VLAN to another using a router.
  Legacy Inter-VLAN Routing
  Router-on-a-Stick
  Switch SVI
  Switch Routed Ports

Legacy Inter-VLAN Routing
Routers used to route between VLANs. Each VLAN was connected to a different physical router interface.
Packets would arrive on the router through one interface, be routed, and leave through another.
Router interfaces connected to VLANs had IP addresses from that specific VLAN.
Large networks with a large number of VLANs required many router interfaces.
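The trunk troubleshooting checks and the VLAN attack mitigations above (turn DTP off where a trunk is not needed, keep the native VLAN away from user VLANs, allow the management VLAN on the trunk, move unused ports out of VLAN 1) can be applied mechanically to a saved running-config. The block below is an added example, not code from the slides or from Cisco: a small Python auditor over a constructed config excerpt. The interface names, VLAN numbers and finding labels are all chosen for the example; it understands only the switchport commands used on these slides (not, for instance, `switchport trunk allowed vlan add`).

```python
"""Audit a Catalyst-style running-config excerpt for the VLAN/trunk points on the
slides: DTP still negotiating, native VLAN shared with a user VLAN (or left at 1),
the management VLAN missing from a trunk's allowed list, and ports left in VLAN 1.
The sample config below is constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport trunk allowed vlan 10,20,200
 switchport trunk native vlan 200
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 222
 switchport mode access
 shutdown
!
interface Vlan155
 ip address 192.168.155.1 255.255.255.0
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"     # Catalyst 2960/3560 default when no mode is configured
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: Optional[set] = None  # None: every VLAN is allowed on the trunk
    nonegotiate: bool = False
    shutdown: bool = False


def vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20-22,155' into a set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text: str) -> dict:
    """Collect the switchport settings of each interface stanza, keyed by name."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = Port(m.group(1))
            ports[cur.name] = cur
        elif cur is None or line == "!":
            continue
        elif line.startswith("switchport mode "):
            cur.mode = line[len("switchport mode "):]
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur.native_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
            cur.allowed = vlan_list(m.group(1))
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
        elif line == "shutdown":
            cur.shutdown = True
    return ports


def audit(ports: dict, user_vlans: set, mgmt_vlan: int) -> list:
    """Return (interface, finding) pairs; an empty list means the excerpt is clean."""
    findings = []
    for p in ports.values():
        if p.name.lower().startswith("vlan"):
            continue                                   # SVIs are not switchports
        if p.mode == "trunk":
            if not p.nonegotiate:
                findings.append((p.name, "dtp-still-enabled"))         # switch spoofing
            if p.native_vlan == 1 or p.native_vlan in user_vlans:
                findings.append((p.name, "native-vlan-is-user-vlan"))  # double tagging
            if p.allowed is not None and mgmt_vlan not in p.allowed:
                findings.append((p.name, "mgmt-vlan-not-allowed"))     # the failed ping
        elif p.mode == "access":
            if p.access_vlan == 1 and not p.shutdown:
                findings.append((p.name, "left-in-vlan-1"))            # use the garbage VLAN
        else:
            findings.append((p.name, "negotiates-trunking"))           # dynamic auto/desirable
    return findings


if __name__ == "__main__":
    for name, issue in audit(parse_config(SAMPLE_CONFIG), {10, 20}, 155):
        print(f"{name}: {issue}")
```

With the sample above the auditor reports Fa0/1 twice (DTP still on, VLAN 155 not allowed), Fa0/2 for its native VLAN 10, Fa0/11 for sitting at the dynamic auto default, and Fa0/12 for an access port left in VLAN 1; Fa0/13, shut down and parked in VLAN 222, is the pattern the slides recommend for unused ports.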

Legacy Inter-VLAN Routing
Router interfaces: 192.168.10.1 255.255.255.0 (VLAN 10) and 192.168.20.1 255.255.255.0 (VLAN 20)
A: 192.168.10.10 255.255.255.0, GW 192.168.10.1
B: 192.168.10.11 255.255.255.0, GW 192.168.10.1
C: 192.168.20.12 255.255.255.0, GW 192.168.20.1
D: 192.168.20.13 255.255.255.0, GW 192.168.20.1
A router is required to connect (route) between subnets/VLANs.

S1(config)# vlan 10
S1(config-vlan)# exit
S1(config)# vlan 30
S1(config-vlan)# exit
S1(config)# interface f0/11
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/4
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 30
S1(config-if)# exit
S1(config)# interface f0/5
S1(config-if)# switchport access vlan 30

R1(config)# interface g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface g0/1
R1(config-if)# ip address 172.17.30.1 255.255.255.0
R1(config-if)# no shutdown

R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.17.10.0/24 is directly connected, GigabitEthernet0/0
L        172.17.10.1/32 is directly connected, GigabitEthernet0/0
C        172.17.30.0/24 is directly connected, GigabitEthernet0/1
L        172.17.30.1/32 is directly connected, GigabitEthernet0/1

Router-on-a-Stick
PC 2 172.17.10.30 (VLAN 10) and PC 4 172.17.30.55 (VLAN 30); router subinterface addresses 172.17.10.1 and 172.17.30.1.
The router-on-a-stick approach uses a different path to route between VLANs. One of the router's physical interfaces is configured as an 802.1Q trunk port so it can understand VLAN tags. Logical subinterfaces are created, one subinterface per VLAN. Each subinterface is configured with an IP address from the VLAN it represents. VLAN members (hosts) are configured to use the subinterface address as a default gateway. Only one of the router's physical interfaces is used.

S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# exit
S1(config)# interface f0/11
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 30
S1(config-if)# exit
S1(config)# interface f0/5
S1(config-if)# switchport mode trunk
S1(config-if)#

R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface g0/0.30
R1(config-subif)# encapsulation dot1q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface g0/0
R1(config-if)# no shutdown

R1# show vlans

Virtual LAN ID:  10 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/0.10

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              172.17.10.1                 11                  18

Virtual LAN ID:  30 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/0.30

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              172.17.30.1                 11                   8

R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

      172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.17.10.0/24 is directly connected, GigabitEthernet0/0.10
L        172.17.10.1/32 is directly connected, GigabitEthernet0/0.10
C        172.17.30.0/24 is directly connected, GigabitEthernet0/0.30
L        172.17.30.1/32 is directly connected, GigabitEthernet0/0.30

Problem #1 - VLAN 10
S1(config)# interface fa0/4
S1(config-if)# switchport access vlan 10

Problem #2 - Trunk
S1(config)# interface fa0/5
S1(config-if)# switchport mode trunk

Problem #3 - Trunk / VLAN 10
S1(config)# interface fa0/5
S1(config-if)# switchport access vlan 10

Problem #4 - 172.17.10.1/24
R1(config)# interface g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0

Problem #5 - 172.17.10.21/24

Problem #6 - 172.17.10.21/24
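The troubleshooting slides check, in order, that the host's port is in a VLAN, that the VLAN has a gateway (a router subinterface or an SVI), that the host's address is in that VLAN's IP network, and that its default gateway is that VLAN's router address. The block below is an added example, not code from the slides: it runs those checks over a constructed set of hosts modelled on the router-on-a-stick topology (S1 access ports, R1 subinterfaces g0/0.10 and g0/0.30). Host names, the port-to-VLAN map and the finding labels are chosen for the example.

```python
"""Check each host's IP settings against the VLAN of the port it is plugged into,
following the slides' troubleshooting order: VLAN present on the port, gateway
present for the VLAN, host inside that subnet, default gateway matching.
All hosts, port assignments and gateways below are constructed for the example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    port: str      # switch port the host is plugged into
    ip: str        # address with prefix length, e.g. "172.17.10.21/24"
    gateway: str   # default gateway configured on the host


# Constructed sample: S1 access ports and R1 router-on-a-stick subinterfaces.
PORT_VLAN = {"f0/11": 10, "f0/4": 10, "f0/6": 30, "f0/7": 40}
VLAN_GATEWAY = {10: "172.17.10.1/24", 30: "172.17.30.1/24"}   # g0/0.10, g0/0.30
HOSTS = [
    Host("PC1", "f0/11", "172.17.10.21/24", "172.17.10.1"),   # consistent
    Host("PC2", "f0/4", "172.17.30.22/24", "172.17.30.1"),    # VLAN 10 port, VLAN 30 address
    Host("PC3", "f0/6", "172.17.30.55/24", "172.17.10.1"),    # gateway of a different VLAN
    Host("PC4", "f0/7", "172.17.40.10/24", "172.17.40.1"),    # VLAN 40 has no subinterface
    Host("PC5", "f0/9", "172.17.10.30/24", "172.17.10.1"),    # port not assigned at all
]


def check_host(host: Host, port_vlan: dict, vlan_gateway: dict) -> list:
    """Return the problems found for one host; an empty list means it is consistent."""
    vlan = port_vlan.get(host.port)
    if vlan is None:
        return ["port-has-no-vlan"]                  # nothing to compare against yet
    gw = vlan_gateway.get(vlan)
    if gw is None:
        return [f"no-gateway-for-vlan-{vlan}"]       # missing SVI / subinterface
    host_if = ipaddress.ip_interface(host.ip)
    gw_if = ipaddress.ip_interface(gw)
    problems = []
    if host_if.network != gw_if.network:
        problems.append("wrong-subnet-for-vlan")     # host is in another IP network
    if ipaddress.ip_address(host.gateway) != gw_if.ip:
        problems.append("wrong-default-gateway")    # points at some other router address
    return problems


def check_all(hosts, port_vlan: dict, vlan_gateway: dict) -> dict:
    """Map each host name to its list of problems."""
    return {h.name: check_host(h, port_vlan, vlan_gateway) for h in hosts}


if __name__ == "__main__":
    for name, problems in check_all(HOSTS, PORT_VLAN, VLAN_GATEWAY).items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
```

PC2 is the case from the IP Addressing Issues slide (a correct-looking address that belongs to the wrong VLAN's network), PC3 has the right subnet but the other VLAN's gateway, and PC4 is the Missing VLANs case on the router side: the port's VLAN exists on the switch but nothing routes for it.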

Multi-layer Switches and InterVLAN Routing (EXTRA, CIS 83)

Routers vs Multilayer Switches
Routers and multilayer switches both perform routing (connecting networks).
Routers may have different types of interfaces (Ethernet, serial, ATM, etc.), while multilayer switches only have Ethernet interfaces.
While routers can be used to segment LAN devices, their major use is as WAN devices.
Each device has its own advantages.
Routers are:
  The backbone devices of large intranets and of the Internet
  They operate at Layer 3 (network layer) of the OSI model
  They make decisions based on network addresses (IPv4, IPv6).

Switched Network Design
Core: Route/switch packets quickly between distribution multilayer switches.
Distribution: Route between VLANs/subnets, ACLs.
Access: Provide access to end devices and provide port security.

Multilayer Switch InterVLAN Routing
Multilayer switches can perform Layer 2 and Layer 3 functions, replacing the need for dedicated routers.
Multilayer switches support dynamic routing and inter-VLAN routing.
A switch virtual interface (SVI) exists for VLAN 1 by default.
On a multilayer switch, a logical (Layer 3) interface can be configured for any VLAN.
With a multilayer switch, traffic is routed internal to the switch device. This routing process is a suitable and scalable solution.

Configure Router On A Stick: 802.1Q Trunk Link
Diagram: hosts 172.16.10.100/24 and 172.16.20.100/24 behind the switch; switch trunk GigabitEthernet 1/1, router trunk GigabitEthernet 0/0.
Router on a stick is very simple to implement.

Switch:
interface GigabitEthernet 1/1
 switchport mode trunk

Router:
interface GigabitEthernet 0/0
 no shutdown     ! Does not show in config
!
interface GigabitEthernet 0/0.2
 description VLAN 2
 encapsulation dot1Q 2 native
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet 0/0.10
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet 0/0.20
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet 0/0.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet 0/0.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0

Routed Ports versus Switched Virtual Interfaces
Routed Ports: Just like a router, the port has an IP address/mask that makes it a member of that subnet.
SVI: The switch is a member of that IP subnet/VLAN. All switch ports that are a member of that VLAN can communicate with the switch.

Multilayer Switch Interfaces
Performs both Layer 2 switching and interVLAN routing.
Layer 2 Interface: Access or trunk ports.
Layer 3 Interface: Has an IP address assigned to it. The default gateway for any hosts connected to that interface or VLAN.
  Physical interface: same as a router, aka Routed Port. Example: interface gigabit 0/1
  Logical interface: represents an entire VLAN, the Switched Virtual Interface (SVI). Example: interface vlan 10

SVI
SVI VLAN 10: 192.168.10.1 255.255.255.0
SVI VLAN 20: 192.168.20.1 255.255.255.0
A: 192.168.10.10 255.255.255.0, GW 192.168.10.1
B: 192.168.10.11 255.255.255.0, GW 192.168.10.1
C: 192.168.20.12 255.255.255.0, GW 192.168.20.1
D: 192.168.20.13 255.255.255.0, GW 192.168.20.1

Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface of the VLAN. This is needed when routing is required between VLANs.
SVI (Switched Virtual Interface): no physical connection. VLANs must be created before the SVI can be used. The IP address of the VLAN interface is the default gateway of the workstation.

SVI (same topology as above)
S1(config)# interface range fastethernet 0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
S1(config)# interface range fastethernet 0/13 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
S1(config-if-range)# end

SVI (same topology: SVI VLAN 10 192.168.10.1/24 and SVI VLAN 20 192.168.20.1/24; A 192.168.10.10/24 and B 192.168.10.11/24 with GW 192.168.10.1; C 192.168.20.12/24 and D 192.168.20.13/24 with GW 192.168.20.1)

DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 192.168.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 20
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 192.168.20.1 255.255.255.0
DLS1(config-if)# no shutdown

SVI (same topology: SVI VLAN 10 192.168.10.1/24 and SVI VLAN 20 192.168.20.1/24; A 192.168.10.10/24 and B 192.168.10.11/24 with GW 192.168.10.1; C 192.168.20.12/24 and D 192.168.20.13/24 with GW 192.168.20.1)

Alternative Configuration
The SVIs for VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24) are on the distribution layer switch DLS1; the access layer switch ALS1 holds hosts A to D (same addresses and gateways as above) and connects to DLS1 over a trunk.
DLS1(config)# inter gig 0/2
DLS1(config-if)# switchport mode trunk
ALS1(config)# inter fa 0/9
ALS1(config-if)# switchport mode trunk

Multilayer Switch Interfaces
Layer 2: access or trunk ports. Logical interface (SVI, L3). Physical interface (L3).
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled

Layer 2 or Layer 3 Interface? Is it a switch port?
Default on most Catalyst switches: Layer 2
Default on Catalyst 6500: Layer 3
Verify mode:
Switch# show interface type mod/num switchport
Switchport: think Layer 2. Enabled: Layer 2. Disabled: Layer 3.

Multilayer Switch Interfaces - Is it a switch port?
DLS1(config)# interface gig 0/2
DLS1(config-if)# no switchport          (converts the interface to Layer 3)
DLS1(config-if)# end
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Disabled                    (Layer 3)

DLS1# config t
DLS1(config)# interface gig 0/2
DLS1(config-if)# switchport             (converts the interface to Layer 2)
DLS1(config-if)# end
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled                     (Layer 2)
If the port is in Layer 3 mode, the switchport interface command puts it back into Layer 2 mode.

SVI Interfaces - Logical Interfaces
Switch(config)# vlan vlan-number
Switch(config-vlan)# name vlan-name
SwitchA(config)# interface vlan vlan-number

SwitchA(config-if)# ip address ip-address mask
SwitchA(config-if)# no shutdown
Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface of the VLAN. This is needed when routing is required between VLANs.
SVI (Switched Virtual Interface): no physical connection. VLANs must be created before the SVI can be used. The IP address of the VLAN interface is the default gateway of the workstation.

Creating VLANs
DLS1: Create and name the user VLANs: 10, 11, 20 and 21.
DLS1: Create and name a Management VLAN (used to telnet into switches).
DLS1: Create and name a NATIVE VLAN other than VLAN 1 (default).
DLS1: Create and name a Garbage VLAN (assigned to all unused ports). All ports that are not used (trunks and access) will be assigned as an access port to this VLAN.

DLS1:
vlan 2
 name NATIVE
vlan 10
 name Engineering
vlan 11
 name IT
vlan 20
 name Sales
vlan 21
 name Administration
vlan 99
 name ManagementVLAN
vlan 222
 name GarbageVLAN

Default Gateway (SVI)
Configure DLS1 to be the default gateway for VLANs 10 and 11. All hosts on these VLANs will use these addresses as their default gateway addresses.
DLS1(config)# inter vlan 99
DLS1(config-if)# description Management VLAN
DLS1(config-if)# ip address 172.16.99.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 11
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
DLS1(config-if)# no shutdown

Default Gateway (SVI)
Configure DLS2 to be the default gateway for VLANs 20 and 21. All hosts on these VLANs will use these addresses as their default gateway addresses.
DLS2(config)# inter vlan 20
DLS2(config-if)# description Sales VLAN
DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config)# inter vlan 21
DLS2(config-if)# description Administration VLAN
DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
DLS2(config-if)# no shut

Default Gateway (SVI)
Diagram: a host with 172.16.10.10 255.255.255.0 (statically or dynamically assigned) uses 172.16.10.1 as its default gateway.

Layer 3 Port Configuration - Physical Interfaces
DLS1(config)# interface gig 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252
DLS2(config)# interface gig 0/1
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252
Physical switch ports can operate as Layer 3 interfaces using the interface command:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask

Diagram: routed ports G0/0 10.10.10.1/24 and G0/0 192.168.1.1/24; host 10.10.10.100/24 with default gateway 10.10.10.1.

Diagram: interface vlan 10 172.16.10.1/24, interface vlan 11 172.16.11.1/24, interface vlan 20 172.16.20.1/24, interface vlan 21 172.16.21.1/24; trunk between the switches.

Management VLAN (SVI)
Each device in the network is configured to be a member of the management VLAN. On each switch:
Switch(config)# inter vlan 98
Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.98.x 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
If you want to reach the management VLAN from other VLANs, assign this address to one of the multilayer switches (DLS1 and DLS2):
DLS1(config)# ip default-gateway 172.16.98.1

Management VLAN (SVI)
The same configuration, shown with VLAN 99. On each switch:
Switch(config)# inter vlan 99
Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.99.x 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
If you want to reach the management VLAN from other VLANs, assign this address to one of the multilayer switches (DLS1 and DLS2):
DLS1(config)# ip default-gateway 172.16.99.1

Diagram: interface vlan 98 172.16.98.1/24 on DLS1. On each switch:
DLS1(config)# inter vlan 98
DLS1(config-if)# ip address 172.16.98.1 255.255.255.0
DLS1(config-if)# no shutdown
ALS10(config)# inter vlan 98
ALS10(config-if)# ip address 172.16.98.10 255.255.255.0
ALS10(config-if)# no shutdown
ALS10(config)# ip default-gateway 172.16.98.1

Diagram: interface vlan 98 172.16.98.1/24 and interface vlan 99 172.16.99.1/24.

Switched Network Design
Core: Route/switch packets quickly between distribution multilayer switches.
Distribution: Route between VLANs/subnets, ACLs.
Access: Provide access to end devices and provide port security.
L3 = routed ports, over IP, separate subnets
L2 = SVI, VLANs over trunks OR individual VLANs

Verifying
Verify IP addresses
DLS1# show ip inter brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        192.168.4.6     YES manual up                    up
GigabitEthernet0/1     192.168.1.1     YES manual up                    up
Vlan10                 172.16.10.1     YES manual up                    up
Vlan11                 172.16.11.1     YES manual up                    up

InterVLAN Routing (diagram)
External router, no VLANs: VLAN 1 only.
External router with VLANs (router on a stick, VLANs or no VLANs): VLAN 1, VLAN 2, VLAN 3 reached over a trunk carrying VLANs 1, 2, 3.
Multilayer switch: VLAN 1, VLAN 2, VLAN 3 routed on the switch, trunk to the access switch.

SDM
Cisco Switch Database Manager (SDM)
A Catalyst 2960 switch can function as a Layer 3 device and route between VLANs and a limited number of static routes. The Cisco Switch Database Manager (SDM) provides multiple templates for the 2960 switch. The templates can be enabled to support specific roles depending on how the switch is used in the network. For example, the sdm lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing.

Switch Database Manager Template
The show sdm prefer command shows that the default template is applied. The default template does not support static routing. If IPv6 addressing has been enabled, the template will be dual-ipv4-and-ipv6 default.
S1# show sdm prefer
 The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 0 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  8K
  number of IPv4 IGMP groups:                       0.25K
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k

SDM Template
Use sdm prefer to change the template. The switch must be reloaded for the new template to take effect.
S1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)# sdm prefer ?
  default              Default bias
  dual-ipv4-and-ipv6   Support both IPv4 and IPv6
  lanbase-routing      Supports both IPv4 and IPv6 Static Routing
  qos                  QoS bias
S1(config)# sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Switch(config)# do reload

System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]
Proceed with reload? [confirm]
*Mar 20 00:10:24.557: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

2960 Static Route Support
The lanbase-routing template is active on S1. With this template, static routing is supported for up to 750 static routes.
Switch# show sdm prefer
 The current template is "lanbase-routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 0 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    0.75K
    number of directly-connected IPv4 hosts:        0.75K
    number of indirect IPv4 routes:                 16
  number of IPv6 multicast groups:                  0.375k
  number of directly-connected IPv6 addresses:      0.75K
  number of indirect IPv6 unicast routes:           16
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.375k
  number of IPv6 security aces:                     127

Enabling IPv4 Routing Functionality on a 2960
Interface F0/6 on S1 is assigned to VLAN 2. The SVIs for VLANs 1 and 2 are also configured with IP addresses 192.168.1.1/24 and 192.168.2.1/24, respectively. IP routing is enabled with the ip routing global configuration mode command.
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 2
S1(config-if)# interface vlan 1
S1(config-if)# ip address 192.168.1.1 255.255.255.0
S1(config-if)# interface vlan 2
S1(config-if)# ip address 192.168.2.1 255.255.255.0
S1(config-if)# no shutdown
Mar 20 01:00:25.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up

S1(config)# ip routing S1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set C L C L 192.168.1.0/24 is 192.168.1.0/24 192.168.1.1/32 192.168.2.0/24 is 192.168.2.0/24 192.168.2.1/32 variably subnetted, 2 subnets, 2 masks

is directly connected, Vlan1 is directly connected, Vlan1 variably subnetted, 2 subnets, 2 masks is directly connected, Vlan2 is directly connected, Vlan2 Router Participating in Routing with a Switch R1 has two IPv4 networks configured: Interface G0/1 has IP address 192.168.1.10/24 loopback interface Lo0 has IP address 209.165.200.225/27 R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set C L

C L 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks 192.168.1.0/24 is directly connected, GigabitEthernet0/1 192.168.1.10/32 is directly connected, GigabitEthernet0/1 209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks 209.165.200.224/27 is directly connected, Loopback0 209.165.200.225/32 is directly connected, Loopback0 Configuring a Static Route on a 2960 A default route is configured on S1 S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.10 S1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 192.168.1.10 to network 0.0.0.0

S* C L C L 0.0.0.0/0 [1/0] via 192.168.1.10 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks 192.168.1.0/24 is directly connected, Vlan1 192.168.1.1/32 is directly connected, Vlan1 192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks 192.168.2.0/24 is directly connected, Vlan2 192.168.2.1/32 is directly connected, Vlan2 Final Routing Table on Router A static route to the remote network 192.168.2.0/24 (VLAN 2) is configured on R1 R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1 R1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set C L S C L 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks 192.168.1.0/24 is directly connected, GigabitEthernet0/1 192.168.1.10/32 is directly connected, GigabitEthernet0/1 192.168.2.0/24 is directly connected, GigabitEthernet0/1 209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks 209.165.200.224/27 is directly connected, Loopback0 209.165.200.225/32 is directly connected, Loopback0 Host Connectivity 209.165.200.225/27 192.168.2.2/24 VLAN 2

192.168.1.2/24 VLAN 1 PC-A is configured with IP address 192.168.2.2/24 in VLAN 2 PC-B is configured with IP address 192.168.1.2/24 in VLAN 1. PC-B is able to ping both PC-B and the loopback interface on R1.
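The following is an added example, not part of the slides: a small Python model of the routing tables shown above (S1 with its SVIs and default route, R1 with G0/1, Lo0 and the static route for VLAN 2) that does the longest-prefix-match lookup each device performs and checks the round trip of a ping. It shows why the static route on R1 is required: without it the echo request from PC-A reaches the loopback, but R1 has no route back to 192.168.2.0/24. Node names, the OWNER map and the exit-interface simplification are modelling assumptions.

```python
import ipaddress

# Routing tables transcribed from the show ip route output on the slides.
# Entry: (prefix, next_hop or None for connected/exit-interface, interface).
ROUTES = {
    "PC-A": [("192.168.2.0/24", None, "NIC"), ("0.0.0.0/0", "192.168.2.1", "NIC")],
    "PC-B": [("192.168.1.0/24", None, "NIC"), ("0.0.0.0/0", "192.168.1.1", "NIC")],
    "S1": [("192.168.1.0/24", None, "Vlan1"), ("192.168.2.0/24", None, "Vlan2"),
           ("0.0.0.0/0", "192.168.1.10", "Vlan1")],     # ip route 0.0.0.0 0.0.0.0 192.168.1.10
    "R1": [("192.168.1.0/24", None, "GigabitEthernet0/1"),
           ("209.165.200.224/27", None, "Loopback0"),
           # ip route 192.168.2.0 255.255.255.0 g0/1: exit-interface form, so R1
           # treats VLAN 2 hosts as on-link and resolves them by ARP (answered by
           # S1's proxy ARP); the model therefore delivers directly to the owner.
           ("192.168.2.0/24", None, "GigabitEthernet0/1")],
}
# Assumed map of which node answers for each address on the topology slide.
OWNER = {"192.168.2.2": "PC-A", "192.168.1.2": "PC-B",
         "192.168.1.1": "S1", "192.168.2.1": "S1",
         "192.168.1.10": "R1", "209.165.200.225": "R1"}

def lookup(routes, dst):
    """Longest-prefix match over one table; returns the winning entry or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, intf in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, intf)
    return best

def path(src, dst, routes=ROUTES):
    """Nodes a packet visits from node src to address dst, or None if dropped."""
    node, hops = src, [src]
    while OWNER.get(dst) != node:
        best = lookup(routes[node], dst)
        if best is None or len(hops) > 8:          # no route, or a forwarding loop
            return None
        node = OWNER.get(best[1] or dst)           # next hop, or on-link delivery
        if node is None:
            return None
        hops.append(node)
    return hops

def ping_ok(src, dst, routes=ROUTES):
    """A ping succeeds only if the request AND the reply both find a route."""
    fwd = path(src, dst, routes)
    if fwd is None:
        return False
    src_addr = next(a for a, n in OWNER.items() if n == src)
    return path(fwd[-1], src_addr, routes) is not None

# R1's table as it was before the "Final Routing Table on Router" slide.
NO_STATIC = dict(ROUTES, R1=[r for r in ROUTES["R1"] if r[0] != "192.168.2.0/24"])
```

With the constructed tables, ping_ok("PC-A", "209.165.200.225") is True, the same call against NO_STATIC is False, and PC-A to PC-B succeeds in both cases because S1 routes between its own VLANs without involving R1.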
