Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching

PART II

ICND 2

Chapter 15

Enhanced Switched Technologies

THE FOLLOWING ICND2 EXAM TOPICS ARE COVERED IN THIS CHAPTER:

1.0 LAN Switching Technologies
  1.1 Configure, verify, and troubleshoot VLANs (normal/extended range) spanning multiple switches
    1.1.a Access ports (data and voice)
    1.1.b Default VLAN
  1.2 Configure, verify, and troubleshoot interswitch connectivity
    1.2.a Add and remove VLANs on a trunk
    1.2.b DTP and VTP (v1&v2)
  1.3 Configure, verify, and troubleshoot STP protocols
    1.3.a STP mode (PVST+ and RPVST+)
    1.3.b STP root bridge selection
  1.4 Configure, verify, and troubleshoot STP-related optional features
    1.4.a PortFast
    1.4.b BPDU guard
  1.5 Configure, verify, and troubleshoot (Layer 2/Layer 3) EtherChannel
    1.5.a Static
    1.5.b PAGP
    1.5.c LACP
  1.7 Describe common access layer threat mitigation techniques
    1.7.c Nondefault native VLAN

2.0 Routing Technologies
  2.1 Configure, verify, and troubleshoot Inter-VLAN routing
    2.1.a Router on a stick
    2.1.b SVI

Long ago, a company called Digital Equipment Corporation (DEC) created the original version of Spanning Tree Protocol (STP). The IEEE later created its own version of STP called 802.1d. Cisco has moved toward another industry standard in its newer switches called 802.1w. We’ll explore both the old and new versions of STP in this chapter, but first, I’ll define some important STP basics.

Routing protocols like RIP, EIGRP, and OSPF have processes for preventing loops from occurring at the Network layer, but if you have redundant physical links between your switches, these protocols won’t do a thing to stop loops from occurring at the Data Link layer. That’s exactly why STP was developed—to put an end to loop issues in a layer 2 switched network. It’s also why we’ll be thoroughly exploring the key features of this vital protocol as well as how it works within a switched network in this chapter.

After covering STP in detail, we’ll move on to explore EtherChannel.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.


VLAN Review

As you may remember from ICND1, configuring VLANs is actually pretty easy. It’s just that figuring out which users you want in each VLAN is not, and doing that can eat up a lot of your time! But once you’ve decided on the number of VLANs you want to create and established which users you want to belong to each one, it’s time to bring your first VLAN into the world.

To configure VLANs on a Cisco Catalyst switch, use the global config vlan command. In the following example, I’m going to demonstrate how to configure VLANs on the S1 switch by creating three VLANs for three different departments—again, remember that VLAN 1 is the native and management VLAN by default:

S1(config)#vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  group       Create a vlan group
  internal    internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name Sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name Accounting
S1(config-vlan)#^Z
S1#


In this output, you can see that you can create VLANs from 1 to 4094. But this is only mostly true. As I said, VLANs can really only be created up to 1001, and you can’t use, change, rename, or delete VLANs 1 or 1002 through 1005 because they’re reserved. VLANs with numbers above 1005 are called extended VLANs and won’t be saved in the database unless your switch is set to what is called VLAN Trunking Protocol (VTP) transparent mode. You won’t see these VLAN numbers used too often in production. Here’s an example of me attempting to set my S1 switch to VLAN 4000 when my switch is set to VTP server mode (the default VTP mode, which we’ll talk about shortly):

S1#config t
S1(config)#vlan 4000
S1(config-vlan)#^Z
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.

After you create the VLANs that you want, you can use the show vlan command to check them out. But notice that, by default, all ports on the switch are in VLAN 1. To change the VLAN associated with a port, you need to go to each interface and specifically tell it which VLAN to be a part of.

Remember that a created VLAN is unused until it is assigned to a switch port or ports and that all ports are always assigned in VLAN 1 unless set otherwise.

Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short):



S1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
[output cut]

If you want to see which ports are assigned to a particular VLAN (for example, VLAN 200), you can obviously use the show vlan command as shown above, or you can use the show vlan id 200 command to get ports assigned only to VLAN 200.

This may seem repetitive, but it’s important, and I want you to remember it: You can’t change, delete, or rename VLAN 1 because it’s the default VLAN and you just can’t change that—period. It’s also the native VLAN of all switches by default, and Cisco recommends that you use it as your management VLAN. If you’re worried about security issues, then change the native VLAN! Basically, any ports that aren’t specifically assigned to a different VLAN will be sent down to the native VLAN—VLAN 1.

In the preceding S1 output, you can see that ports Fa0/1 through Fa0/14, Fa0/19 through Fa0/23, and the Gi0/1 and Gi0/2 uplinks are all in VLAN 1. But where are ports 15 through 18? First, understand that the show vlan command only displays access ports, so now that you know what you’re looking at with the show vlan command, where do you think ports Fa0/15–18 are? That’s right! They are trunked ports. Cisco switches run a proprietary protocol called Dynamic Trunking Protocol (DTP), and if there is a compatible switch connected, they will start trunking automatically, which is precisely where my four ports are. You have to use the show interfaces trunk command to see your trunked ports like this:

S1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      1
Fa0/18      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
[output cut]

This output reveals that the VLANs from 1 to 4094 are allowed across the trunk by default. Another helpful command, which is also part of the Cisco exam objectives, is the show interfaces interface switchport command:

S1#sh interfaces fastEthernet 0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
[output cut]

The highlighted output shows us the administrative mode of dynamic desirable, that the port is a trunk port, and that DTP was used to negotiate the frame-tagging method of ISL. It also predictably shows that the native VLAN is the default of 1.

Now that we can see the VLANs created, we can assign switch ports to specific ones. Each port can be part of only one VLAN, with the exception of voice access ports. Using trunking, you can make a port available to traffic from all VLANs. I’ll cover that next.



Assigning Switch Ports to VLANs

You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries plus the number of VLANs it can belong to. You can also configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command. You can even configure multiple ports at the same time with the interface range command.

In the next example, I’ll configure interface Fa0/3 to VLAN 3. This is the connection from the S3 switch to the host device:

S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  autostate      Include or exclude this port from vlan link up calculation
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes voice

Well now, what do we have here? There’s some new stuff showing up in our output now. We can see various commands—some that I’ve already covered, but no worries because I’m going to cover the access, mode, nonegotiate, and trunk commands very soon. Let’s start with setting an access port on S1, which is probably the most widely used type of port you’ll find on production switches that have VLANs configured:

S3(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 3

By starting with the switchport mode access command, you’re telling the switch that this is a nontrunking layer 2 port. You can then assign a VLAN to the port with the switchport access command. Remember, you can choose many ports to configure simultaneously with the interface range command.

Let’s take a look at our VLANs now:

S3#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3

Notice that port Fa0/3 is now a member of VLAN 3. But, can you tell me where ports 1 and 2 are? And why aren’t they showing up in the output of show vlan? That’s right, because they are trunk ports!

We can also see this with the show interfaces interface switchport command:

S3#sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (Marketing)

The highlighted output shows that Fa0/3 is an access port and a member of VLAN 3 (Marketing).

Before we move on to trunking and VTP, let’s add a voice VLAN on our switch. When an IP phone is connected to a switch port, this port should have a voice VLAN associated with it. By creating a separate VLAN for voice traffic, which of course you would do, what happens when you have a PC or laptop that connects via Ethernet into an IP phone? The phone connects to the Ethernet port and into one port on the switch. You’re now sending both voice and data to the single switch port.

All you need to do is add another VLAN to the same switch port like so to fix this issue and separate the data at the switch port into two VLANs:

S1(config)#vlan 10
S1(config-vlan)#name Voice
S1(config-vlan)#int g0/1
S1(config-if)#switchport voice vlan 10

That’s it. Well, sort of. If you plugged devices into each VLAN port, they can only talk to other devices in the same VLAN. But as soon as you learn a bit more about trunking, we’re going to enable inter-VLAN communication!

Configuring Trunk Ports

The 2960 switch only runs the IEEE 802.1q encapsulation method. To configure trunking on a FastEthernet port, use the interface command switchport mode trunk. It’s a tad different on the 3560 switch.

The following switch output shows the trunk configuration on interfaces Fa0/15–18 as set to trunk:

S1(config)#int range f0/15-18
S1(config-if-range)#switchport trunk encapsulation dot1q
S1(config-if-range)#switchport mode trunk

If you have a switch that only runs the 802.1q encapsulation method, then you wouldn’t use the encapsulation command as I did in the preceding output. Let’s check out our trunk ports now:

S1(config-if-range)#do sh int f0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Notice that port Fa0/15 is a trunk and running 802.1q. Let’s take another look:

S1(config-if-range)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      on           802.1q         trunking      1
Fa0/16      on           802.1q         trunking      1
Fa0/17      on           802.1q         trunking      1
Fa0/18      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094

Take note of the fact that ports 15–18 are now in the trunk mode of on and the encapsulation is now 802.1q instead of the negotiated ISL. Here’s a description of the different options available when configuring a switch interface:

switchport mode access
I discussed this in the previous section, but this puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether the neighboring interface is a trunk interface. The port would be a dedicated layer 2 access port.

switchport mode dynamic auto
This mode makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default is dynamic auto on a lot of Cisco switches, but that default trunk method is changing to dynamic desirable on most new models.

switchport mode dynamic desirable
This one makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is now the default switch port mode for all Ethernet interfaces on all new Cisco switches.

switchport mode trunk
Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface isn’t a trunk interface.

switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Dynamic Trunking Protocol (DTP) is used for negotiating trunking on a link between two devices as well as negotiating the encapsulation type of either 802.1q or ISL. I use the nonegotiate command when I want dedicated trunk ports; no questions asked.

To disable trunking on an interface, use the switchport mode access command, which sets the port back to a dedicated layer 2 access switch port.


Defining the Allowed VLANs on a Trunk

As I’ve mentioned, trunk ports send and receive information from all VLANs by default, and if a frame is untagged, it’s sent to the management VLAN. Understand that this applies to the extended range VLANs too. But we can remove VLANs from the allowed list to prevent traffic from certain VLANs from traversing a trunked link. I’ll show you how you’d do that, but first let me again demonstrate that all VLANs are allowed across the trunk link by default:

S1#sh int trunk
[output cut]
Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
S1(config)#int f0/15
S1(config-if)#switchport trunk allowed vlan 4,6,12,15
S1(config-if)#do show int trunk
[output cut]
Port        Vlans allowed on trunk
Fa0/15      4,6,12,15
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094

The preceding command affected the trunk link configured on S1 port Fa0/15, causing it to permit all traffic sent and received for VLANs 4, 6, 12, and 15. You can try to remove VLAN 1 on a trunk link, but it will still send and receive management data like CDP, DTP, and VTP, so what’s the point?

To remove a range of VLANs, just use the hyphen:

S1(config-if)#switchport trunk allowed vlan remove 4-8

If by chance someone has removed some VLANs from a trunk link and you want to set the trunk back to default, just use this command:

S1(config-if)#switchport trunk allowed vlan all

Next, I want to show you how to configure a native VLAN for a trunk before we start routing between VLANs.

Changing or Modifying the Trunk Native VLAN

You can change the trunk port native VLAN from VLAN 1, which many people do for security reasons. To change the native VLAN, use the following command:

S1(config)#int f0/15
S1(config-if)#switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
S1(config-if)#switchport trunk native vlan 4
1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).

So we’ve changed our native VLAN on our trunk link to 4, and by using the show running-config command, I can see the configuration under the trunk link:

S1#sh run int f0/15
Building configuration...

Current configuration : 202 bytes
!
interface FastEthernet0/15
 description 1st connection to S3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,6,12,15
 switchport mode trunk
end

S1#!

Oops—wait a minute! You didn’t think it would be this easy and would just start working, did you? Of course not! Here’s the rub: If all switches don’t have the same native VLAN configured on the given trunk links, then we’ll start to receive this error, which happened immediately after I entered the command:

1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).

Actually, this is a good, noncryptic error, so either we can go to the other end of our trunk link(s) and change the native VLAN or we set the native VLAN back to the default to fix it. Here’s how we’d do that:

S1(config-if)#
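The trunk settings this chapter has walked through (DTP-negotiated trunks, the allowed-VLAN list, the native VLAN, and the native VLAN mismatch just shown) can all be read out of show interfaces trunk. The following Python audit is an added example, not code from the book: it parses constructed sample output modeled on the S1 and S3 outputs above, and the port-to-port link map it takes for the mismatch check is assumed to come from elsewhere (for example, CDP neighbors).

```python
"""Audit 'show interfaces trunk' output for the trunk-hardening points in this chapter (added example)."""
# Constructed sample modelled on the chapter's S1 output; not a real capture.
S1_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      on           802.1q         trunking      4
Fa0/17      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      4,6,12,15
Fa0/17      1-4094
"""
# Constructed far-end sample: S3 Fa0/1 is still on native VLAN 1, the condition
# behind the %CDP-4-NATIVE_VLAN_MISMATCH message shown in the chapter.
S3_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
"""

def parse_trunks(text):
    """Map port -> {mode, encap, native, allowed} from the first two sections."""
    trunks, section = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Port":                        # a column-header line
            section = ("allowed" if "allowed on trunk" in line
                       else "status" if "Mode" in line else None)
        elif section == "status" and len(parts) >= 5:
            trunks[parts[0]] = {"mode": parts[1], "encap": parts[2],
                                "native": int(parts[4]), "allowed": ""}
        elif section == "allowed" and parts[0] in trunks:
            trunks[parts[0]]["allowed"] = parts[1]
    return trunks

def audit_trunks(text):
    """Return port -> list of findings; an empty list means nothing to flag."""
    findings = {}
    for port, t in parse_trunks(text).items():
        checks = [
            (t["mode"] in ("desirable", "auto"),
             "trunk negotiated by DTP: use 'switchport mode trunk' + 'switchport nonegotiate'"),
            (t["encap"].startswith("n-"), "encapsulation negotiated by DTP: hard-set dot1q"),
            (t["native"] == 1, "native VLAN is 1: move it to an unused, nondefault VLAN"),
            (t["allowed"] == "1-4094", "all VLANs allowed: prune with 'switchport trunk allowed vlan'"),
        ]
        findings[port] = [msg for hit, msg in checks if hit]
    return findings

def native_mismatches(local, remote, links):
    """links maps a local trunk port to its far-end port (assumed, e.g. from CDP)."""
    lt, rt = parse_trunks(local), parse_trunks(remote)
    return [(lp, lt[lp]["native"], rp, rt[rp]["native"]) for lp, rp in links.items()
            if lp in lt and rp in rt and lt[lp]["native"] != rt[rp]["native"]]
```

Running audit_trunks on a real capture flags the same four conditions the chapter describes, and native_mismatches reports the per-link disagreement that produces the CDP message before you have to read it off the console.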


