sh port-security int f0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013:0ca69:00bb3:00ba8:1
Security Violation Count : 1
A. The port light for F0/3 will be amber in color.
B. The F0/3 port is forwarding frames.
C. This problem will resolve itself in a few minutes.
D. This port requires the shutdown command to function.
7. Write the command that would limit the number of MAC addresses
allowed on a port to 2. Write only the command and not the prompt.
8. Which of the following commands in this configuration is a
prerequisite for the other commands to function?
S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport port-security
S3(config-if)#switchport port-security maximum 3
S3(config-if)#switchport port-security violation restrict
S3(config-if)#switchport mode-security aging time 10
A. switchport mode-security aging time 10
B. switchport port-security
C. switchport port-security maximum 3
D. switchport port-security violation restrict
9. Which of the following is not an issue addressed by STP?
A. Broadcast storms
B. Gateway redundancy
C. A device receiving multiple copies of the same frame
D. Constant updating of the MAC filter table
10. What issue that arises when redundancy exists between switches is
shown in the figure?
A. Broadcast storm
B. Routing loop
C. Port violation
D. Loss of gateway
11. Which two of the following switch port violation modes will alert you
via SNMP that a violation has occurred on a port?
A. restrict
B. protect
C. shutdown
D. err-disable
12. ___________ is the loop avoidance mechanism used by switches.
13. Write the command that must be present on any switch that you need
to manage from a different subnet.
14. On which default interface have you configured an IP address for a
switch?
A. int fa0/0
B. int vty 0 15
C. int vlan 1
D. int s/0/0
15. Which Cisco IOS command is used to verify the port security
configuration of a switch port?
A. show interfaces port-security
B. show port-security interface
C. show ip interface
D. show interfaces switchport
16. Write the command that will save a dynamically learned MAC address
in the running-configuration of a Cisco switch?
17. Which of the following methods will ensure that only one specific host
can connect to port F0/3 on a switch? (Choose two. Each correct
answer is a separate solution.)
A. Configure port security on F0/3 to accept traffic other than that of
the MAC address of the host.
B. Configure the MAC address of the host as a static entry associated
with port F0/3.
C. Configure an inbound access control list on port F0/3 limiting
traffic to the IP address of the host.
D. Configure port security on F0/3 to accept traffic only from the
MAC address of the host.
18. What will be the effect of executing the following command on port
F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
A. The command configures an inbound access control list on port
F0/1, limiting traffic to the IP address of the host.
B. The command expressly prohibits the MAC address of
00c0.35F0.8301 as an allowed host on the switch port.
C. The command encrypts all traffic on the port from the MAC
address of 00c0.35F0.8301.
D. The command statically defines the MAC address of
00c0.35F0.8301 as an allowed host on the switch port.
19. The conference room has a switch port available for use by the
presenter during classes, and each presenter uses the same PC
attached to the port. You would like to prevent other PCs from using
that port. You have completely removed the former configuration in
order to start anew. Which of the following steps is not required to
prevent any other PCs from using that port?
A. Enable port security.
B. Assign the MAC address of the PC to the port.
C. Make the port an access port.
D. Make the port a trunk port.
20. Write the command required to disable the port if a security violation
occurs. Write only the command and not the prompt.
Chapter 11
VLANs and Inter-VLAN Routing
THE FOLLOWING ICND1 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
2.0 LAN Switching Technologies
2.4 Configure, verify, and troubleshoot VLANs (normal range)
spanning multiple switches
2.4.a Access ports (data and voice)
2.4.b Default VLAN
2.5 Configure, verify, and troubleshoot interswitch connectivity
2.5.a Trunk ports
2.5.b 802.1Q
2.5.c Native VLAN
3.0 Routing Technologies
3.4 Configure, verify, and troubleshoot inter-VLAN routing
3.4.a Router on a stick
I know I keep telling you this, but so you never
forget it, here I go, one last time: By default, switches break up collision
domains and routers break up broadcast domains. Okay, I feel better!
Now we can move on.
In contrast to the networks of yesterday that were based on collapsed
backbones, today’s network design is characterized by a flatter
architecture—thanks to switches. So now what? How do we break up
broadcast domains in a pure switched internetwork? By creating virtual
local area networks (VLANs). A VLAN is a logical grouping of network
users and resources connected to administratively defined ports on a
switch. When you create VLANs, you’re given the ability to create smaller
broadcast domains within a layer 2 switched internetwork by assigning
different ports on the switch to service different subnetworks. A VLAN is
treated like its own subnet or broadcast domain, meaning that frames
broadcast onto the network are only switched between the ports logically
grouped within the same VLAN.
So, does this mean we no longer need routers? Maybe yes; maybe no. It
really depends on what your particular networking needs and goals are.
By default, hosts in a specific VLAN can’t communicate with hosts that
are members of another VLAN, so if you want inter-VLAN
communication, the answer is that you still need a router or Inter-VLAN
Routing (IVR).
In this chapter, you’re going to comprehensively learn exactly what a
VLAN is and how VLAN memberships are used in a switched network.
You’ll also become well-versed in what a trunk link is and how to
configure and verify them.
I’ll finish this chapter by demonstrating how you can make inter-VLAN
communication happen by introducing a router into a switched network.
Of course, we’ll configure our familiar switched network layout we used
in the last chapter for creating VLANs and for implementing trunking
and Inter-VLAN routing on a layer 3 switch by creating switched virtual
interfaces (SVIs).
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.
VLAN Basics
Figure 11.1 illustrates the flat network architecture that used to be so typical for layer 2 switched networks. With this configuration, every broadcast packet transmitted is seen by every device on the network regardless of whether the device needs to receive that data or not.
FIGURE 11.1 Flat network structure
By default, routers allow broadcasts to occur only within the originating network, while switches forward broadcasts to all segments. Oh, and by the way, the reason it’s called a flat network is because it’s one broadcast domain, not because the actual design is physically flat. In Figure 11.1 we see Host A sending out a broadcast and all ports on all switches forwarding it—all except the port that originally received it.
Now check out Figure 11.2. It pictures a switched network and shows Host A sending a frame with Host D as its destination. Clearly, the important factor here is that the frame is only forwarded out the port where Host D is located.
FIGURE 11.2 The benefit of a switched network
This is a huge improvement over the old hub networks, unless having one
collision domain by default is what you really want for some reason!
Okay—you already know that the biggest benefit gained by having a layer
2 switched network is that it creates individual collision domain segments
for each device plugged into each port on the switch. This scenario frees
us from the old Ethernet density constraints and makes us able to build
larger networks. But too often, each new advance comes with new issues.
For instance, the more users and devices that populate and use a
network, the more broadcasts and packets each switch must handle.
And there’s another big issue—security! This one is real trouble because
within the typical layer 2 switched internetwork, all users can see all
devices by default. And you can’t stop devices from broadcasting, plus
you can’t stop users from trying to respond to broadcasts. This means
your security options are dismally limited to placing passwords on your
servers and other devices.
But wait—there’s hope if you create a virtual LAN (VLAN)! You can solve
many of the problems associated with layer 2 switching with VLANs, as
you’ll soon see.
VLANs work like this: Figure 11.3 shows all hosts in this very small company connected to one switch, meaning all hosts will receive all frames, which is the default behavior of all switches.
FIGURE 11.3 One switch, one LAN: Before VLANs, there were no separations between hosts.
If we want to separate the host’s data, we could either buy another switch or create virtual LANs, as shown in Figure 11.4.
FIGURE 11.4 One switch, two virtual LANs (logical separation between hosts): Still physically one switch, but this switch acts as many separate devices.
In Figure 11.4, I configured the switch to be two separate LANs, two subnets, two broadcast domains, two VLANs—they all mean the same thing—without buying another switch. We can do this 1,000 times on most Cisco switches, which saves thousands of dollars and more!
Notice that even though the separation is virtual and the hosts are all still
connected to the same switch, the LANs can’t send data to each other by
default. This is because they are still separate networks, but no worries—
we’ll get into inter-VLAN communication later in this chapter.
Here’s a short list of ways VLANs simplify network management:
Network adds, moves, and changes are achieved with ease by just
configuring a port into the appropriate VLAN.
A group of users that need an unusually high level of security can be
put into its own VLAN so that users outside of that VLAN can’t
communicate with the group’s users.
As a logical grouping of users by function, VLANs can be considered
independent from their physical or geographic locations.
VLANs greatly enhance network security if implemented correctly.
VLANs increase the number of broadcast domains while decreasing
their size.
Coming up, we’ll thoroughly explore the world of switching, and you’ll learn exactly how and why switches provide us with much better network services than hubs can in our networks today.
Broadcast Control
Broadcasts occur in every protocol, but how often they occur depends
upon three things:
The type of protocol
The application(s) running on the internetwork
How these services are used
Some older applications have been rewritten to reduce their bandwidth
consumption, but there’s a new generation of applications that are so
bandwidth greedy they’ll consume any and all they can find. These
gluttons are the legion of multimedia applications that use both
broadcasts and multicasts extensively. As if they weren’t enough trouble,
factors like faulty equipment, inadequate segmentation, and poorly
designed firewalls can seriously compound the problems already caused
by these broadcast-intensive applications. All of this has added a major
new dimension to network design and presents a bunch of new challenges
for an administrator. Positively making sure your network is properly
segmented so you can quickly isolate a single segment’s problems to
prevent them from propagating throughout your entire internetwork is
now imperative. And the most effective way to do that is through strategic
switching and routing!
Since switches have become more affordable, most everyone has replaced
their flat hub networks with pure switched network and VLAN
environments. All devices within a VLAN are members of the same
broadcast domain and receive all broadcasts relevant to it. By default,
these broadcasts are filtered from all ports on a switch that aren’t
members of the same VLAN. This is great because you get all the benefits
you would with a switched design without getting hit with all the
problems you’d have if all your users were in the same broadcast domain
—sweet!
Security
But there’s always a catch, right? Time to get back to those security
issues. A flat internetwork’s security used to be tackled by connecting
hubs and switches together with routers. So it was basically the router’s
job to maintain security. This arrangement was pretty ineffective for
several reasons. First, anyone connecting to the physical network could
access the network resources located on that particular physical LAN.
Second, all anyone had to do to observe any and all traffic traversing that
network was to simply plug a network analyzer into the hub. And similar
to that last, scary, fact, users could easily join a workgroup by just
plugging their workstations into the existing hub. That’s about as secure
as a barrel of honey in a bear enclosure!
But that’s exactly what makes VLANs so cool. If you build them and
create multiple broadcast groups, you can still have total control over
each port and user! So the days when anyone could just plug their
workstations into any switch port and gain access to network resources
are history because now you get to control each port and any resources it
can access.
And that’s not even all—VLANs can be created in harmony with a specific
user’s need for the network resources. Plus, switches can be configured to
inform a network management station about unauthorized access to
those vital network resources. And if you need inter-VLAN
communication, you can implement restrictions on a router to make sure
this all happens securely. You can also place restrictions on hardware
addresses, protocols, and applications. Now we’re talking security—our
honey barrel is now sealed tightly, made of solid titanium and wrapped in
razor wire!
Flexibility and Scalability
If you’ve been paying attention so far, you know that layer 2 switches only
read frames for filtering because they don’t look at the Network layer
protocol. You also know that by default, switches forward broadcasts to
all ports. But if you create and implement VLANs, you’re essentially
creating smaller broadcast domains at layer 2.
As a result, broadcasts sent out from a node in one VLAN won’t be
forwarded to ports configured to belong to a different VLAN. But if we
assign switch ports or users to VLAN groups on a switch or on a group of
connected switches, we gain the flexibility to exclusively add only the
users we want to let into that broadcast domain regardless of their
physical location. This setup can also work to block broadcast storms
caused by a faulty network interface card (NIC) as well as prevent an
intermediate device from propagating broadcast storms throughout the
entire internetwork. Those evils can still happen on the VLAN where the
problem originated, but the disease will be fully contained in that one
ailing VLAN!
Another advantage is that when a VLAN gets too big, you can simply
create more VLANs to keep the broadcasts from consuming too much
bandwidth. The fewer users in a VLAN, the fewer users affected by
broadcasts. This is all good, but you seriously need to keep network
services in mind and understand how the users connect to these services
when creating a VLAN. A good strategy is to try to keep all services,
except for the email and Internet access that everyone needs, local to all
users whenever possible.
Identifying VLANs
Switch ports are layer 2–only interfaces that are associated with a
physical port that can belong to only one VLAN if it’s an access port or all
VLANs if it’s a trunk port.
Switches are definitely pretty busy devices. As myriad frames are
switched throughout the network, switches have to be able to keep track
of all of them, plus understand what to do with them depending on their
associated hardware addresses. And remember—frames are handled
differently according to the type of link they’re traversing.
There are two different types of ports in a switched environment. Let’s take a look at the first type in Figure 11.5.
FIGURE 11.5 Access ports
Notice there are access ports for each host and an access port between
switches—one for each VLAN.
Access ports An access port belongs to and carries the traffic of only
one VLAN. Traffic is both received and sent in native formats with no
VLAN information (tagging) whatsoever. Anything arriving on an access
port is simply assumed to belong to the VLAN assigned to the port.
Because an access port doesn’t look at the source address, tagged traffic—
a frame with added VLAN information—can be correctly forwarded and
received only on trunk ports.
With an access link, this can be referred to as the configured VLAN of the
port. Any device attached to an access link is unaware of a VLAN
membership—the device just assumes it’s part of some broadcast domain.
But it doesn’t have the big picture, so it doesn’t understand the physical
network topology at all.
Another good bit of information to know is that switches remove any
VLAN information from the frame before it’s forwarded out to an access-
link device. Remember that access-link devices can’t communicate with
devices outside their VLAN unless the packet is routed. Also, you can only
create a switch port to be either an access port or a trunk port—not both.
So you’ve got to choose one or the other and know that if you make it an
access port, that port can be assigned to one VLAN only. In Figure 11.5, only the hosts in the Sales VLAN can talk to other hosts in the same
VLAN. This is the same with the Admin VLAN, and they can both
communicate to hosts on the other switch because of an access link for
each VLAN configured between switches.
Voice access ports Not to confuse you, but all that I just said about
the fact that an access port can be assigned to only one VLAN is really
only sort of true. Nowadays, most switches will allow you to add a
second VLAN to an access port on a switch port for your voice traffic,
called the voice VLAN. The voice VLAN used to be called the auxiliary
VLAN, which allowed it to be overlaid on top of the data VLAN,
enabling both types of traffic to travel through the same port. Even
though this is technically considered to be a different type of link, it’s
still just an access port that can be configured for both data and voice
VLANs. This allows you to connect both a phone and a PC device to
one switch port but still have each device in a separate VLAN.
Trunk ports Believe it or not, the term trunk port was inspired by the
telephone system trunks, which carry multiple telephone conversations at
a time. So it follows that trunk ports can similarly carry multiple VLANs
at a time as well.
A trunk link is a 100, 1,000, or 10,000 Mbps point-to-point link between
two switches, between a switch and router, or even between a switch and
server, and it carries the traffic of multiple VLANs—from 1 to 4,094
VLANs at a time. But the amount is really only up to 1,001 unless you’re
going with something called extended VLANs.
Instead of an access link for each VLAN between switches, we’ll create a trunk link, demonstrated in Figure 11.6.
FIGURE 11.6 VLANs can span across multiple switches by using trunk links, which carry traffic for multiple VLANs.
Trunking can be a real advantage because with it, you get to make a single
port part of a whole bunch of different VLANs at the same time. This is a
great feature because you can actually set ports up to have a server in two
separate broadcast domains simultaneously so your users won’t have to
cross a layer 3 device (router) to log in and access it. Another benefit to
trunking comes into play when you’re connecting switches. Trunk links
can carry the frames of various VLANs across them, but by default, if the
links between your switches aren’t trunked, only information from the
configured access VLAN will be switched across that link.
It’s also good to know that all VLANs send information on a trunked link
unless you clear each VLAN by hand, and no worries, I’ll show you how to
clear individual VLANs from a trunk in a bit.
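As an added example (not from the book), here is a small Python model of the access-port and trunk-port behavior described above: a MAC table kept per VLAN, flooding confined to the ingress VLAN, the tag stripped before a frame reaches an access-link device, tagged frames refused on access ports, and 802.1Q tags carried on the trunk. The port names, MAC addresses, the "untagged on a trunk means native VLAN" rule and the optional allowed-VLAN set (modeling VLANs cleared from a trunk by hand) are my assumptions, not the book's configuration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
BROADCAST = "ffff.ffff.ffff"

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # None = untagged; an int = 802.1Q tag (VID)

@dataclass
class Port:
    name: str
    mode: str                   # "access" or "trunk"
    vlan: int = 1               # access VLAN, or native VLAN on a trunk
    allowed: Optional[Set[int]] = None  # trunk only; None = every VLAN allowed

class Switch:
    def __init__(self, *ports: Port):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[Tuple[int, str], str] = {}  # (vlan, mac) -> port

    def ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN an arriving frame belongs to, or None if it is dropped."""
        if port.mode == "access":   # access ports never read tags
            return port.vlan if frame.vlan is None else None
        vlan = port.vlan if frame.vlan is None else frame.vlan  # untagged -> native
        return vlan if port.allowed is None or vlan in port.allowed else None

    def egress_frame(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves `port`, or None if that port cannot carry `vlan`."""
        if port.mode == "access":   # tag is stripped before an access-link device
            return Frame(frame.src, frame.dst) if port.vlan == vlan else None
        if port.allowed is not None and vlan not in port.allowed:
            return None             # VLAN was cleared from this trunk by hand
        return Frame(frame.src, frame.dst, None if vlan == port.vlan else vlan)

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Switch one frame; returns {egress port: frame as transmitted}."""
        port = self.ports[in_port]
        vlan = self.ingress_vlan(port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port          # learn the source
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:          # flood inside the VLAN
            targets = [n for n in self.ports if n != in_port]
        else:
            targets = [known] if known != in_port else []
        out = {}
        for name in targets:
            sent = self.egress_frame(self.ports[name], vlan, frame)
            if sent is not None:
                out[name] = sent
        return out

def demo() -> Dict[str, Dict[str, Frame]]:  # Sales = VLAN 10, Admin = VLAN 20
    sw = Switch(Port("Fa0/1", "access", 10), Port("Fa0/2", "access", 10),
                Port("Fa0/3", "access", 20), Port("Gi0/1", "trunk", 1))
    r = {}
    r["sales_bcast"] = sw.receive("Fa0/1", Frame("0000.aaaa.0001", BROADCAST))
    r["sales_reply"] = sw.receive("Fa0/2", Frame("0000.bbbb.0002", "0000.aaaa.0001"))
    r["trunk_in"] = sw.receive("Gi0/1", Frame("0000.cccc.0003", BROADCAST, 20))
    r["tag_on_access"] = sw.receive("Fa0/3", Frame("0000.dddd.0004", BROADCAST, 10))
    return r
```

Running demo() shows the Sales broadcast reaching only the other Sales port (untagged) and the trunk (tagged 10), the reply going out a single learned port, and the tagged frame on the Admin access port being dropped.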
Okay—it’s finally time to tell you about frame tagging and the VLAN
identification methods used in it across our trunk links.