Objective:
1. Understanding VLAN
2. Configuring VLAN
3. Understanding Trunking
4. Understanding and Configuring DTP
5. Understanding and Configuring VTP
Commands Introduced:
1. vlan
2. name
3. switchport mode
4. vtp domain
5. vtp mode
Hint: Ping was successful, which confirms that connectivity is there for all the PCs.
SW2#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0006.2a18.9883    DYNAMIC     Fa0/24
   1    000b.be75.3404    DYNAMIC     Fa0/2
   1    000d.bde1.c6c4    DYNAMIC     Fa0/1
   1    0030.a342.5418    DYNAMIC     Fa0/24
Hint: Both switches know about all the connected devices. Observe the Ports column: two MAC addresses are learned via port Fa0/24, which is the link between SW1 and SW2.
Hint: Though the devices are connected across multiple switches, any one of them can communicate with any other. So if you have a larger number of hosts, you can connect them using multiple switches.
Hint: Though all the users can communicate with each other, this creates a problem in a large network. Assume a network of 1000 hosts, where one employee in the Finance department sends a broadcast message meant for the members of his team: it will be delivered to all the employees, even though it is not meant for them, which is a security issue.
3. Observe the following output.
Hint: A broadcast is sent from 10.0.0.10, and every connected station replies to this request. Observe the "reply from" section of each line to see the responding stations. Here 10.0.0.20, 10.0.0.30 and 10.0.0.40 are replying. If we allow this, the entire network may be flooded with the broadcast and confidential information may reach unintended recipients. So we can see the security issue here.
4. Why is the broadcast sent to all the ports?
SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
Hint: A VLAN (Virtual LAN) is nothing but a LAN. This feature can be used to slice a switch logically into multiple switches. By default all the switch ports are assigned to VLAN 1. Since all the interfaces belong to the same VLAN, they can communicate with each other.
Check the same on switch 2:

SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
Hint: Even on switch 2 all the ports belong to VLAN 1. This allows all the ports on switch 1 and switch 2 to talk to each other.
Hint: VLAN 1 is known as the Native VLAN. If the switch receives traffic on a trunk port without VLAN tag information, it is treated as native VLAN traffic and tagged as such.
5. Create two VLANs, 10 and 20, and name them HR and Admin
a. VLANs can be created using two methods. Here I will demonstrate both methods: on switch 1 we will create the VLANs using the old method, and on switch 2 we will create the VLANs using the new method.
SW1#vlan database
Hint: After creating the VLAN, use the exit command to save and leave the sub-configuration mode. If you press Ctrl+Z you will leave the mode without saving the configuration.
b. Create the VLANs on switch 2
SW2(config)#vlan 10
SW2(config-vlan)#name HR
SW2(config-vlan)#exit
SW2(config)#vlan 20
SW2(config-vlan)#name Admin
SW2(config-vlan)#exit
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   HR                               active
20   Admin                            active
SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   HR                               active
20   Admin                            active
Hint: Now we have created two VLANs on both switches. But if you need to create these VLANs on many switches, it becomes a repetitive task, and even a small change to a VLAN has to be made on all the switches manually. To manage the VLAN information on all the switches we can make use of VTP (a Cisco proprietary protocol), with which the VLAN details can be distributed to all the switches. Even a change made on one switch will be advertised to all the switches, so that all of them can update themselves.
6. Enable VTP on both the switches.
a. Verify the VTP status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x82 0x0A 0x00 0xDF 0x6D 0xB6 0xB2 0xD6
Configuration last modified by 0.0.0.0 at 3-1-93 01:27:36
Local updater ID is 0.0.0.0 (no valid interface found)
Hint: No valid VTP domain has been configured on the switches, and both switches are acting as SERVER. By default all switches are kept in VTP Server mode, which allows the administrator to create VLANs on all the switches, but the VLANs still need to be distributed to the other switches. VTP messages are restricted to a single domain, hence you need to configure the domain name for which these VTP updates are valid. By default the domain name is blank, and hence no VTP messages can be processed.
Hint: Also observe the VTP Revision number; every change increments the VTP Revision number by one. We have created two VLANs, hence two increments.
SW2: ___________
b. Create a vlan
SW1(config)#vlan 30
SW1(config-vlan)#name junisys
SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   HR                               active
20   Admin                            active
30   junisys                          active
SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   HR                               active
20   Admin                            active
Hint: The VLAN 30 information is not distributed to the neighboring switch. Either you create the VLAN on switch 2 as well, or you make use of VTP.
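The comparison that step b above does by eye (VLAN 30 present on SW1 but absent from SW2) is worth automating whenever VLAN databases are maintained by hand. The following Python script is an added example and not part of the original lab: it parses `show vlan` output captured from two switches and reports the VLANs that exist on only one side or carry different names on each side. The two sample captures are constructed to match the tables above, and the helper names `parse_show_vlan`, `vlan_db_diff` and `report` are the example's own.

```python
import re

# Constructed sample captures, modelled on the `show vlan` tables in this lab
# after step 6b: VLAN 30 (junisys) exists on SW1 only.
SW1_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
10   HR                               active
20   Admin                            active
30   junisys                          active
"""

SW2_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   HR                               active
20   Admin                            active
"""

# A VLAN row starts with the VLAN id, then the name, then a status keyword;
# anything after the status is the (optional) first chunk of the port list.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(active|suspended|act/lshut|sus/lshut)\b(.*)$")


def _ports(fragment):
    return [p.strip() for p in fragment.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str, ...]}}.

    Port lists longer than one line continue on lines that begin with
    whitespace; those are appended to the most recent VLAN.
    """
    vlans = {}
    current = None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif current is not None and line[:1].isspace() and line.strip():
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def vlan_db_diff(a, b):
    """Compare two parsed VLAN databases.

    Returns (only_in_a, only_in_b, name_mismatch): VLAN ids missing from one
    side, and ids present on both sides but under different names.
    """
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatch = sorted(v for v in set(a) & set(b) if a[v]["name"] != b[v]["name"])
    return only_a, only_b, mismatch


def report(name_a, text_a, name_b, text_b):
    """Human-readable summary of the differences between two captures."""
    only_a, only_b, mismatch = vlan_db_diff(parse_show_vlan(text_a), parse_show_vlan(text_b))
    lines = [f"VLANs only on {name_a}: {only_a or 'none'}",
             f"VLANs only on {name_b}: {only_b or 'none'}",
             f"VLANs with different names: {mismatch or 'none'}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("SW1", SW1_SHOW_VLAN, "SW2", SW2_SHOW_VLAN))
```

Run against the two constructed captures it reports VLAN 30 as present only on SW1; pointed at real captures it gives the same consistency check across any number of switch pairs, which is the manual work VTP is introduced to remove in the steps that follow.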
8. Configure VTP to distribute the VLAN information.
a. Configure VTP domain name on SW1
SW1(config)#vtp domain junisys.in
Changing VTP domain name from NULL to junisys.in
Hint: Now SW1 is configured as part of the junisys.in domain.
Hint: Observe that the VTP domain name is updated to junisys.in. Also observe that the VTP Revision number has been reset to 0; this is because the switch is now part of a new VTP domain.
c. Verify the VTP status
Hint: We did not configure the VTP domain name on switch 2; it was null. When the VTP domain is null and the switch receives a VTP update carrying a configured domain name, the null domain immediately changes to the domain name specified in the VTP update message. Because of this, the second switch auto-configures itself with the VTP domain name junisys.in.
Hint: Since both switches are bound to the same VTP domain junisys.in, the VLAN we created on SW1 (VLAN 30, junisys) has been shared with SW2.
9. Now create a VLAN on SW2
a. Create a vlan 40 and name it itcert
SW2(config)#vlan 40
SW2(config-vlan)#name itcert
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
Hint: VLAN 40 is also available on SW1. In this way you can create a VLAN on any switch and it will be shared with all the switches belonging to the same VTP domain.
Hint: But this is a problem: you have no control over it. Anyone who gains access to any switch can modify the VLANs. You have to restrict the VLAN configuration to only one switch.
10. Configure SW1 as the only switch where VLAN configuration is possible, with the configuration shared to SW2
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : junisys.in
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC8 0x40 0x1A 0xF6 0x2B 0xFB 0x00 0xC6
Configuration last modified by 0.0.0.0 at 3-1-93 02:33:15
Local updater ID is 0.0.0.0 (no valid interface found)
Hint: SW1 is in VTP Server mode, which means the administrator can manage the VLANs on this switch.
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : junisys.in
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x2A 0xC8 0x29 0x84 0x24 0xAC 0x10 0x32
Configuration last modified by 0.0.0.0 at 3-1-93 01:33:16
Local updater ID is 0.0.0.0 (no valid interface found)
Hint: Even SW2 is in VTP Server mode, so VLAN configuration is possible on both switches. By default all switches are kept in VTP Server mode.
b. Configure SW2 so that no VLAN configuration is possible on it, but it can learn the VLANs from SW1
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 250
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : junisys.in
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
Hint: Now the VLAN configuration can be done only on SW1, and it is shared with all the VTP clients belonging to the same VTP domain.
Hint: If a switch is kept in VTP Transparent mode, it can receive and forward VTP messages, but it will not process them.
Hint: Now the problem is that anyone can configure a switch with this VTP domain name, connect it to the existing network, and modify the VLAN configuration from his rogue switch.
11. Secure the VTP communication.
Hint: Now SW2 has been configured with a password; when it sends an update, the update is protected by this password.
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
70   test                             active
SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
f.
Hint: The first line says that SW2 has received a summary update for the junisys.in domain with a greater revision number than its own (SW2 has revision number 5). Hence SW2 needs to update its VLAN database. But SW2 cannot update because the MD5 digest does not match.
Hint: Whenever a VTP update is sent, the hash value of the VTP password is appended to it. The receiver calculates its own hash value; if both match, the update can be processed.
SW2#
00:25:33: VTP LOG RUNTIME: Summary packet received, domain = junisys.in, rev = 8, followers = 1
00:25:33: VTP LOG RUNTIME: Summary packet rev 8 greater than domain junisys.in rev 5
00:25:33: VTP LOG RUNTIME: Subset packet received, domain = junisys.in, rev = 8, seq = 1, length = 356
00:25:33: VTP LOG RUNTIME: Transmit vtp summary, domain junisys.in, rev 8, followers 1
MD5 digest calculated = 19 A4 2A 34 B3 3B 83 39 8F 3D F9 6B 73 FE 12 00
Hint: Now the calculated hash matches the update, so SW2 can process the updates.
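Steps 10 and 11 describe three things an operator should be checking on every switch in the domain: that the domain name is set, that only the designated switch is a VTP server (anything else is where a rogue switch gets its foothold), and that a received summary with a higher revision number is only accepted when the digests agree. The following Python script is an added example and not part of the original lab: it parses `show vtp status` output from two switches, audits those conditions, compares the MD5 digests of switches that claim the same revision, and pulls revision jumps out of VTP LOG RUNTIME debug lines like the ones shown above. The two status captures and the log lines are constructed to match the displays in this lab; the function names `parse_vtp_status`, `audit_vtp`, `compare_digests` and `revision_jumps` are the example's own.

```python
import re

# Constructed captures, modelled on the `show vtp status` displays in this lab:
# SW1 is the intended server, SW2 has already been moved to client mode.
SW1_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 8
Maximum VLANs supported locally : 255
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : junisys.in
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x19 0xA4 0x2A 0x34 0xB3 0x3B 0x83 0x39
Configuration last modified by 0.0.0.0 at 3-1-93 02:33:15
"""

SW2_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 250
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : junisys.in
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x2A 0xC8 0x29 0x84 0x24 0xAC 0x10 0x32
"""

# Constructed debug lines in the VTP LOG RUNTIME format shown in step 11.
SW2_VTP_LOG = """\
00:25:33: VTP LOG RUNTIME: Summary packet received, domain = junisys.in, rev = 8, followers = 1
00:25:33: VTP LOG RUNTIME: Summary packet rev 8 greater than domain junisys.in rev 5
00:25:33: VTP LOG RUNTIME: Subset packet received, domain = junisys.in, rev = 8, seq = 1, length = 356
"""

# "Label : value" lines; the "Configuration last modified ..." line is skipped
# because its timestamp also contains colons and its label contains dots.
STATUS_LINE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")
REV_JUMP = re.compile(r"Summary packet rev (\d+) greater than domain (\S+) rev (\d+)")


def parse_vtp_status(text):
    """Turn `show vtp status` output into a dict of label -> value."""
    status = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            status[m.group(1).strip()] = m.group(2).strip()
    return status


def audit_vtp(switch, status, designated_server):
    """Findings for one switch, following the lab's guidance: a blank domain
    means no updates are processed; only the designated switch should be a server."""
    findings = []
    if status.get("VTP Domain Name", "") == "":
        findings.append(f"{switch}: VTP domain name is blank, no VTP updates will be processed")
    if status.get("VTP Operating Mode") == "Server" and switch != designated_server:
        findings.append(f"{switch}: in VTP Server mode, but only {designated_server} should be a server")
    return findings


def compare_digests(name_a, a, name_b, b):
    """Two switches in one domain at the same revision should show the same MD5
    digest; a different digest at the same revision points at a password or
    database mismatch. Returns a finding string or None."""
    if a.get("VTP Domain Name") != b.get("VTP Domain Name"):
        return f"{name_a}/{name_b}: different VTP domains"
    if (a.get("Configuration Revision") == b.get("Configuration Revision")
            and a.get("MD5 digest") != b.get("MD5 digest")):
        return f"{name_a}/{name_b}: same revision but different MD5 digest (password mismatch?)"
    return None


def revision_jumps(log_text):
    """Summary advertisements carrying a higher revision than the local database.
    Returns [(domain, local_rev, advertised_rev), ...]; an accepted advertisement
    of this kind replaces the local VLAN database, which is why the lab insists on
    client mode plus a VTP password on every non-designated switch."""
    jumps = []
    for line in log_text.splitlines():
        m = REV_JUMP.search(line)
        if m:
            jumps.append((m.group(2), int(m.group(3)), int(m.group(1))))
    return jumps


if __name__ == "__main__":
    sw1 = parse_vtp_status(SW1_VTP_STATUS)
    sw2 = parse_vtp_status(SW2_VTP_STATUS)
    for finding in audit_vtp("SW1", sw1, "SW1") + audit_vtp("SW2", sw2, "SW1"):
        print(finding)
    print(compare_digests("SW1", sw1, "SW2", sw2))
    print(revision_jumps(SW2_VTP_LOG))
```

The script deliberately does not recompute the VTP digest itself: the inputs to that MD5 are the switch's business, and the operator's check is the cross-switch one, namely that two members of the same domain at the same revision report the same digest and that a revision jump in the log is followed by a matching digest rather than a mismatch.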
j.
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
70   test                             active
80   test1                            active
90   test2                            active
Hint: Observe the highlighted area, which does not have the details of the updater.
b. Configure an IP address for the VLAN 1 interface on SW1
SW1(config)#interface vlan 1
SW1(config-if)#ip add
SW1(config-if)#ip address 10.0.0.1 255.0.0.0
SW1(config-if)#nos hut
SW1(config-if)#no shut
SW1(config-if)#no shutdown
OK?   Method   Status
YES   manual   up
YES   unset    down
YES   unset    down
YES   unset    down
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
10   HR                               active
20   Admin                            active
30   junisys                          active
40   itcert                           active
50   cisco                            active
70   test                             active
80   test1                            active
90   test2                            active
100  test3                            active
Hint: Now we can also see the IP address of the VTP message generator; with this you can confirm whether the updates are sent from the original source.
Hint: VTP always takes the lowest IP address among all the interfaces. If you want to use the IP of any other interface, you can use the following command.
13. Create a VLAN interface on SW1
SW1(config)#interface vlan 2
SW1(config-if)#ip address 11.0.0.1 255.0.0.0
SW1(config-if)#no shutdown
SW1(config)#vlan 101
SW1(config-vlan)#name test4
16. Check the VTP updater field on SW2
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 11
Maximum VLANs supported locally : 250
Number of existing VLANs        : 16
VTP Operating Mode              : Client
Hope you enjoyed this basic VLAN and VTP lab. We will look at the rest of the advanced configuration in the next part of this lab.